claude-nomad 0.32.1 → 0.32.2

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [0.32.2](https://github.com/funkadelic/claude-nomad/compare/v0.32.1...v0.32.2) (2026-05-30)
+
+
+### Fixed
+
+* **remap:** reject path-traversal in path-map logical keys ([#190](https://github.com/funkadelic/claude-nomad/issues/190)) ([1526fbb](https://github.com/funkadelic/claude-nomad/commit/1526fbbbb7c6beb258d882c1c26cd45447ab226b))
+
+
+### Changed
+
+* **sonar:** source projectVersion from package.json at scan time ([#188](https://github.com/funkadelic/claude-nomad/issues/188)) ([c00dd6a](https://github.com/funkadelic/claude-nomad/commit/c00dd6a5135a8753d56cf4165cf5b9782c9bde3e))
+
 ## [0.32.1](https://github.com/funkadelic/claude-nomad/compare/v0.32.0...v0.32.1) (2026-05-30)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-nomad",
-  "version": "0.32.1",
+  "version": "0.32.2",
   "type": "module",
   "description": "Sync Claude Code config (~/.claude/) across machines via a private Git repo, with path remapping and per-host settings overrides.",
   "keywords": [

package/src/config.sharedDirs.guard.ts

@@ -1,11 +1,40 @@
 import { NEVER_SYNC } from './config.ts';
+import { NomadFatal } from './utils.ts';
+
+/**
+ * `logical` keys in `path-map.json` are project identifiers (e.g. `ha-acwd`,
+ * `foo`), never path fragments. A crafted key like `../escape` or `foo/bar`
+ * would escape `shared/projects/` (or `shared/extras/`) via `join()` (which
+ * normalizes `..`) and land content somewhere unexpected on the filesystem.
+ * The push allow-list catches such commits at the `git add` boundary, but the
+ * filesystem mutation has already happened by then. This check fails fast
+ * before any write. The pattern matches what every reasonable project name
+ * looks like and rejects everything else.
+ */
+const SAFE_LOGICAL = /^[A-Za-z0-9._-]+$/;
+
+/**
+ * Throw `NomadFatal` unless `logical` is a path-separator-free project
+ * identifier (see `SAFE_LOGICAL`). Path-traversal defense-in-depth; called
+ * before any filesystem mutation by every remap and extras op that joins
+ * `logical` into a filesystem path.
+ *
+ * @param logical - A `path-map.json` projects key to validate.
+ */
+export function assertSafeLogical(logical: string): void {
+  if (!SAFE_LOGICAL.test(logical) || logical === '.' || logical === '..') {
+    throw new NomadFatal(
+      `invalid logical name in path-map.json: ${JSON.stringify(logical)} (must match [A-Za-z0-9._-]+; no path separators or '..')`,
+    );
+  }
+}
 
 /**
  * Single-segment path characters allowed in a `sharedDirs` entry. Mirrors
- * `SAFE_LOGICAL` in `extras-sync.guards.ts` but applied to global support
- * directory names rather than per-project logical names. Must match
- * `^[A-Za-z0-9._-]+$` so no path separator, no shell-special character, no
- * leading dot that would collide with a hidden state directory.
+ * `SAFE_LOGICAL` above but applied to global support directory names rather
+ * than per-project logical names. Must match `^[A-Za-z0-9._-]+$` so no path
+ * separator, no shell-special character, no leading dot that would collide
+ * with a hidden state directory.
  */
 const SAFE_SEGMENT = /^[A-Za-z0-9._-]+$/;
 

package/src/extras-sync.guards.ts

@@ -2,30 +2,7 @@ import { isAbsolute, normalize } from 'node:path';
 
 import { NomadFatal } from './utils.ts';
 
-/**
- * `logical` keys in `path-map.json` are project identifiers (e.g. `ha-acwd`,
- * `foo`), never path fragments. A crafted key like `../escape` or `foo/bar`
- * would escape `shared/extras/` via `join()` (which normalizes `..`) and land
- * content somewhere unexpected on the filesystem. The push allow-list catches
- * such commits at the `git add` boundary, but the filesystem mutation has
- * already happened by then. This check fails fast before any write. The
- * pattern matches what every reasonable project name looks like and rejects
- * everything else; tighten only if a real project needs broader characters.
- */
-const SAFE_LOGICAL = /^[A-Za-z0-9._-]+$/;
-
-/**
- * Throw `NomadFatal` unless `logical` is a path-separator-free project
- * identifier (see `SAFE_LOGICAL`). Path-traversal defense-in-depth; called
- * before any filesystem mutation by every extras op.
- */
-export function assertSafeLogical(logical: string): void {
-  if (!SAFE_LOGICAL.test(logical) || logical === '.' || logical === '..') {
-    throw new NomadFatal(
-      `invalid logical name in path-map.json extras: ${JSON.stringify(logical)} (must match [A-Za-z0-9._-]+; no path separators or '..')`,
-    );
-  }
-}
+export { assertSafeLogical } from './config.sharedDirs.guard.ts';
 
 /**
  * Reject `localRoot` values that contain unnormalized segments (`..`,

package/src/remap.ts

@@ -1,6 +1,7 @@
 import { cpSync, existsSync, mkdirSync, readdirSync, rmSync, statSync } from 'node:fs';
 import { join, relative, sep } from 'node:path';
 
+import { assertSafeLogical } from './config.sharedDirs.guard.ts';
 import { CLAUDE_HOME, HOST, REPO_HOME, type PathMap } from './config.ts';
 import { die, log } from './utils.ts';
 import { backupBeforeWrite, backupRepoWrite } from './utils.fs.ts';
@@ -81,6 +82,7 @@ export function remapPull(
   if (!dryRun) mkdirSync(localProjects, { recursive: true });
 
   for (const [logical, hosts] of Object.entries(map.projects)) {
+    assertSafeLogical(logical);
     const localPath = hosts[HOST];
     if (!localPath || localPath === 'TBD') {
       unmapped++;
@@ -126,6 +128,7 @@ function buildReverseMap(map: PathMap): Map<string, string> {
   const reverse = new Map<string, string>();
   const encodedPaths = new Map<string, string>();
   for (const [logical, hosts] of Object.entries(map.projects)) {
+    assertSafeLogical(logical);
     const p = hosts[HOST];
     if (!p || p === 'TBD') continue;
     const encoded = encodePath(p);