claude-nomad 0.32.1 → 0.32.3

package/CHANGELOG.md

@@ -1,5 +1,24 @@
 # Changelog
 
+## [0.32.3](https://github.com/funkadelic/claude-nomad/compare/v0.32.2...v0.32.3) (2026-05-30)
+
+
+### Fixed
+
+* **push:** hard-block sensitive never-sync files under extras ([#191](https://github.com/funkadelic/claude-nomad/issues/191)) ([6509387](https://github.com/funkadelic/claude-nomad/commit/6509387b5724d13e8aa2122eb99cdd80e58da2ee))
+
+## [0.32.2](https://github.com/funkadelic/claude-nomad/compare/v0.32.1...v0.32.2) (2026-05-30)
+
+
+### Fixed
+
+* **remap:** reject path-traversal in path-map logical keys ([#190](https://github.com/funkadelic/claude-nomad/issues/190)) ([1526fbb](https://github.com/funkadelic/claude-nomad/commit/1526fbbbb7c6beb258d882c1c26cd45447ab226b))
+
+
+### Changed
+
+* **sonar:** source projectVersion from package.json at scan time ([#188](https://github.com/funkadelic/claude-nomad/issues/188)) ([c00dd6a](https://github.com/funkadelic/claude-nomad/commit/c00dd6a5135a8753d56cf4165cf5b9782c9bde3e))
+
 ## [0.32.1](https://github.com/funkadelic/claude-nomad/compare/v0.32.0...v0.32.1) (2026-05-30)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-nomad",
-  "version": "0.32.1",
+  "version": "0.32.3",
   "type": "module",
   "description": "Sync Claude Code config (~/.claude/) across machines via a private Git repo, with path remapping and per-host settings overrides.",
   "keywords": [

package/src/commands.push.allowlist.ts

@@ -1,4 +1,10 @@
-import { NEVER_SYNC, PUSH_ALLOWED_STATIC, SUPPORTED_EXTRAS, type PathMap } from './config.ts';
+import {
+  ALWAYS_NEVER_SYNC,
+  NEVER_SYNC,
+  PUSH_ALLOWED_STATIC,
+  SUPPORTED_EXTRAS,
+  type PathMap,
+} from './config.ts';
 import { isValidSharedDir } from './config.sharedDirs.guard.ts';
 import { fail, NomadFatal } from './utils.ts';
 
@@ -22,17 +28,18 @@ function isAllowed(path: string, allowed: readonly string[]): boolean {
 }
 
 /**
- * True when any path segment matches a `NEVER_SYNC` entry (hard-block list).
- * Scope exception (Pitfall 6): paths beginning with `shared/extras/` are
- * exempt. The segment list was authored against `~/.claude/` semantics for
- * ephemeral Claude Code state (`todos/`, `shell-snapshots/`, etc.); inside
- * the extras tree, `.planning/todos/` is a meaningful GSD-managed path. The
- * narrowed scope preserves the original hard-block for all other surface.
+ * True when any path segment matches a hard-block entry. Outside the extras
+ * tree the full `NEVER_SYNC` set applies. Inside `shared/extras/` only the
+ * `ALWAYS_NEVER_SYNC` subset applies (Pitfall 6): the broader set was authored
+ * against `~/.claude/` semantics for ephemeral state, so `.planning/todos/` and
+ * similar legitimate GSD content must pass, but genuinely-sensitive host-local
+ * files (`.credentials.json`, `settings.local.json`, `.claude.json`, ...) stay
+ * blocked even when nested inside a synced extras dir.
  */
 function isNeverSync(path: string): boolean {
-  if (path.startsWith('shared/extras/')) return false;
+  const blockSet = path.startsWith('shared/extras/') ? ALWAYS_NEVER_SYNC : NEVER_SYNC;
   for (const segment of path.split('/')) {
-    if (NEVER_SYNC.has(segment)) return true;
+    if (blockSet.has(segment)) return true;
   }
   return false;
 }

package/src/config.sharedDirs.guard.ts

@@ -1,11 +1,40 @@
 import { NEVER_SYNC } from './config.ts';
+import { NomadFatal } from './utils.ts';
+
+/**
+ * `logical` keys in `path-map.json` are project identifiers (e.g. `ha-acwd`,
+ * `foo`), never path fragments. A crafted key like `../escape` or `foo/bar`
+ * would escape `shared/projects/` (or `shared/extras/`) via `join()` (which
+ * normalizes `..`) and land content somewhere unexpected on the filesystem.
+ * The push allow-list catches such commits at the `git add` boundary, but the
+ * filesystem mutation has already happened by then. This check fails fast
+ * before any write. The pattern matches what every reasonable project name
+ * looks like and rejects everything else.
+ */
+const SAFE_LOGICAL = /^[A-Za-z0-9._-]+$/;
+
+/**
+ * Throw `NomadFatal` unless `logical` is a path-separator-free project
+ * identifier (see `SAFE_LOGICAL`). Path-traversal defense-in-depth; called
+ * before any filesystem mutation by every remap and extras op that joins
+ * `logical` into a filesystem path.
+ *
+ * @param logical - A `path-map.json` projects key to validate.
+ */
+export function assertSafeLogical(logical: string): void {
+  if (!SAFE_LOGICAL.test(logical) || logical === '.' || logical === '..') {
+    throw new NomadFatal(
+      `invalid logical name in path-map.json: ${JSON.stringify(logical)} (must match [A-Za-z0-9._-]+; no path separators or '..')`,
+    );
+  }
+}
 
 /**
  * Single-segment path characters allowed in a `sharedDirs` entry. Mirrors
- * `SAFE_LOGICAL` in `extras-sync.guards.ts` but applied to global support
- * directory names rather than per-project logical names. Must match
- * `^[A-Za-z0-9._-]+$` so no path separator, no shell-special character, no
- * leading dot that would collide with a hidden state directory.
+ * `SAFE_LOGICAL` above but applied to global support directory names rather
+ * than per-project logical names. Must match `^[A-Za-z0-9._-]+$` so no path
+ * separator, no shell-special character, no leading dot that would collide
+ * with a hidden state directory.
  */
 const SAFE_SEGMENT = /^[A-Za-z0-9._-]+$/;
 

package/src/config.ts

@@ -106,19 +106,28 @@ export function allSharedLinks(map: PathMap): string[] {
 }
 
 /**
- * Whitelist of names allowed in `path-map.json`'s top-level `extras` field.
- * Each entry is either a directory name (e.g. `.planning`) OR a single
- * root-level file name (e.g. `CLAUDE.md`); both are validated the same way
- * and copied verbatim under `shared/extras/<logical>/<name>`. Gates the
- * named-extras opt-in mechanism: only entries appearing in this list are
- * eligible for sync. Widening to include `.notes`, `.scratch`, `AGENTS.md`,
- * etc. is a one-line edit here with no schema migration required (the field
- * is additive on the consumer side). Mirrors `SHARED_LINKS` in shape and
- * intent: a short, append-only `as const` tuple that downstream callers
- * narrow against.
+ * Whitelist of names allowed in the `extras` field of `path-map.json`. Each
+ * entry is a directory (e.g. `.planning`) or root-level file (`CLAUDE.md`)
+ * copied under `shared/extras/<logical>/<name>`. Only listed names are
+ * eligible for sync; widening is a one-line edit with no migration required.
  */
 export const SUPPORTED_EXTRAS = ['.planning', 'CLAUDE.md'] as const;
 
+/**
+ * Credential and host-config file names blocked even under `shared/extras/`,
+ * where the broader `NEVER_SYNC` segment scan is narrowed to avoid
+ * false-blocking ephemeral dir names (`todos`, `plans`, etc.) inside synced
+ * `.planning/` trees (Pitfall 6). Strict subset of `NEVER_SYNC`; doctor
+ * display and sharedDirs guard use the full set.
+ */
+export const ALWAYS_NEVER_SYNC = new Set([
+  '.claude.json',
+  '.credentials.json',
+  'settings.local.json',
+  'history.jsonl',
+  'stats-cache.json',
+]);
+
 /**
  * Path segments that must never cross the sync boundary in either direction.
  * Defense-in-depth pair with `PUSH_ALLOWED_STATIC`: even if the allow-list
@@ -142,8 +151,7 @@ export const NEVER_SYNC = new Set([
   'statsig',
   'telemetry',
   'ide',
-  // Host-local caches and runtime state: never useful to share, and named here
-  // so the sharedDirs guard rejects an accidental opt-in.
+  // Host-local caches and runtime state (sharedDirs guard also rejects these).
   'cache',
   'backups',
   'paste-cache',

package/src/extras-sync.guards.ts

@@ -2,30 +2,7 @@ import { isAbsolute, normalize } from 'node:path';
 
 import { NomadFatal } from './utils.ts';
 
-/**
- * `logical` keys in `path-map.json` are project identifiers (e.g. `ha-acwd`,
- * `foo`), never path fragments. A crafted key like `../escape` or `foo/bar`
- * would escape `shared/extras/` via `join()` (which normalizes `..`) and land
- * content somewhere unexpected on the filesystem. The push allow-list catches
- * such commits at the `git add` boundary, but the filesystem mutation has
- * already happened by then. This check fails fast before any write. The
- * pattern matches what every reasonable project name looks like and rejects
- * everything else; tighten only if a real project needs broader characters.
- */
-const SAFE_LOGICAL = /^[A-Za-z0-9._-]+$/;
-
-/**
- * Throw `NomadFatal` unless `logical` is a path-separator-free project
- * identifier (see `SAFE_LOGICAL`). Path-traversal defense-in-depth; called
- * before any filesystem mutation by every extras op.
- */
-export function assertSafeLogical(logical: string): void {
-  if (!SAFE_LOGICAL.test(logical) || logical === '.' || logical === '..') {
-    throw new NomadFatal(
-      `invalid logical name in path-map.json extras: ${JSON.stringify(logical)} (must match [A-Za-z0-9._-]+; no path separators or '..')`,
-    );
-  }
-}
+export { assertSafeLogical } from './config.sharedDirs.guard.ts';
 
 /**
  * Reject `localRoot` values that contain unnormalized segments (`..`,

package/src/remap.ts

@@ -1,6 +1,7 @@
 import { cpSync, existsSync, mkdirSync, readdirSync, rmSync, statSync } from 'node:fs';
 import { join, relative, sep } from 'node:path';
 
+import { assertSafeLogical } from './config.sharedDirs.guard.ts';
 import { CLAUDE_HOME, HOST, REPO_HOME, type PathMap } from './config.ts';
 import { die, log } from './utils.ts';
 import { backupBeforeWrite, backupRepoWrite } from './utils.fs.ts';
@@ -81,6 +82,7 @@ export function remapPull(
   if (!dryRun) mkdirSync(localProjects, { recursive: true });
 
   for (const [logical, hosts] of Object.entries(map.projects)) {
+    assertSafeLogical(logical);
     const localPath = hosts[HOST];
     if (!localPath || localPath === 'TBD') {
       unmapped++;
@@ -126,6 +128,7 @@ function buildReverseMap(map: PathMap): Map<string, string> {
   const reverse = new Map<string, string>();
   const encodedPaths = new Map<string, string>();
   for (const [logical, hosts] of Object.entries(map.projects)) {
+    assertSafeLogical(logical);
     const p = hosts[HOST];
     if (!p || p === 'TBD') continue;
     const encoded = encodePath(p);