claude-nomad 0.32.2 → 0.32.4

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [0.32.4](https://github.com/funkadelic/claude-nomad/compare/v0.32.3...v0.32.4) (2026-05-30)
+
+
+### Fixed
+
+* **push:** honor drop-wins for allow in recovery dispatch ([#194](https://github.com/funkadelic/claude-nomad/issues/194)) ([9731ecf](https://github.com/funkadelic/claude-nomad/commit/9731ecf9b3d65a6f10fd3e7fc8e520f839640b25))
+
+## [0.32.3](https://github.com/funkadelic/claude-nomad/compare/v0.32.2...v0.32.3) (2026-05-30)
+
+
+### Fixed
+
+* **push:** hard-block sensitive never-sync files under extras ([#191](https://github.com/funkadelic/claude-nomad/issues/191)) ([6509387](https://github.com/funkadelic/claude-nomad/commit/6509387b5724d13e8aa2122eb99cdd80e58da2ee))
+
 ## [0.32.2](https://github.com/funkadelic/claude-nomad/compare/v0.32.1...v0.32.2) (2026-05-30)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-nomad",
-  "version": "0.32.2",
+  "version": "0.32.4",
   "type": "module",
   "description": "Sync Claude Code config (~/.claude/) across machines via a private Git repo, with path remapping and per-host settings overrides.",
   "keywords": [

package/src/commands.push.allowlist.ts

@@ -1,4 +1,10 @@
-import { NEVER_SYNC, PUSH_ALLOWED_STATIC, SUPPORTED_EXTRAS, type PathMap } from './config.ts';
+import {
+  ALWAYS_NEVER_SYNC,
+  NEVER_SYNC,
+  PUSH_ALLOWED_STATIC,
+  SUPPORTED_EXTRAS,
+  type PathMap,
+} from './config.ts';
 import { isValidSharedDir } from './config.sharedDirs.guard.ts';
 import { fail, NomadFatal } from './utils.ts';
 
@@ -22,17 +28,18 @@ function isAllowed(path: string, allowed: readonly string[]): boolean {
 }
 
 /**
- * True when any path segment matches a `NEVER_SYNC` entry (hard-block list).
- * Scope exception (Pitfall 6): paths beginning with `shared/extras/` are
- * exempt. The segment list was authored against `~/.claude/` semantics for
- * ephemeral Claude Code state (`todos/`, `shell-snapshots/`, etc.); inside
- * the extras tree, `.planning/todos/` is a meaningful GSD-managed path. The
- * narrowed scope preserves the original hard-block for all other surface.
+ * True when any path segment matches a hard-block entry. Outside the extras
+ * tree the full `NEVER_SYNC` set applies. Inside `shared/extras/` only the
+ * `ALWAYS_NEVER_SYNC` subset applies (Pitfall 6): the broader set was authored
+ * against `~/.claude/` semantics for ephemeral state, so `.planning/todos/` and
+ * similar legitimate GSD content must pass, but genuinely-sensitive host-local
+ * files (`.credentials.json`, `settings.local.json`, `.claude.json`, ...) stay
+ * blocked even when nested inside a synced extras dir.
  */
 function isNeverSync(path: string): boolean {
-  if (path.startsWith('shared/extras/')) return false;
+  const blockSet = path.startsWith('shared/extras/') ? ALWAYS_NEVER_SYNC : NEVER_SYNC;
   for (const segment of path.split('/')) {
-    if (NEVER_SYNC.has(segment)) return true;
+    if (blockSet.has(segment)) return true;
   }
   return false;
 }

package/src/commands.push.recovery.actions.ts

@@ -46,64 +46,65 @@ export async function collectActions(
     const sid = sessionIdFromFinding(f);
     const header =
       `\nFinding: ${f.RuleID} in ${f.File} line ${f.StartLine}` +
-      (sid !== null ? ` (session: ${sid})` : '') +
+      (sid === null ? '' : ` (session: ${sid})`) +
       '\n  [R]edact  [A]llow  [D]rop session  [S]kip (default)\n';
     actions.set(findingKey(f), parseAction(await prompt(header + '> ')));
   }
   return actions;
 }
 
+/**
+ * Loop-invariant context for `dispatchOne`, built once by `dispatchActions`
+ * before iterating findings. Bundling these keeps `dispatchOne` to two
+ * parameters. The `redactedSids` and `droppedSids` sets are mutated in place so
+ * per-session de-duplication is maintained across the caller's loop.
+ */
+type DispatchCtx = {
+  findings: Finding[];
+  actions: Map<string, FindingAction>;
+  ts: string;
+  map: PathMap;
+  nowMs: () => number;
+  scan: (p: string) => Finding[] | null;
+  drop: (sid: string, map: PathMap) => boolean;
+  redactedSids: Set<string>;
+  droppedSids: Set<string>;
+};
+
 /**
  * Apply one finding's triaged action against local state. Extracted from
  * `dispatchActions` so each function stays under the cognitive-complexity gate.
- * `redactedSids` and `droppedSids` are mutated in place so per-session
- * de-duplication is maintained across the caller's loop. Drop wins: once a
- * session id appears in `droppedSids`, subsequent redact or allow actions for
- * findings in that session are skipped.
+ * Drop wins: once a session id appears in `ctx.droppedSids`, subsequent redact
+ * or allow actions for findings in that session are skipped.
  *
  * @param f The finding to act on.
- * @param findings Full findings list (passed to `applyRedact` for per-session redaction).
- * @param actions The action map returned by `collectActions`.
- * @param ts Backup timestamp.
- * @param map Parsed path-map.
- * @param nowMs Injectable clock.
- * @param scan Injectable scan function for `applyRedact`.
- * @param drop Injectable staged-copy remover for the Drop action.
- * @param redactedSids Set of already-redacted session ids (mutated in place).
- * @param droppedSids Set of already-dropped session ids (mutated in place).
+ * @param ctx Loop-invariant dispatch context (see `DispatchCtx`).
  */
-function dispatchOne(
-  f: Finding,
-  findings: Finding[],
-  actions: Map<string, FindingAction>,
-  ts: string,
-  map: PathMap,
-  nowMs: () => number,
-  scan: (p: string) => Finding[] | null,
-  drop: (sid: string, map: PathMap) => boolean,
-  redactedSids: Set<string>,
-  droppedSids: Set<string>,
-): void {
-  const action = actions.get(findingKey(f)) ?? 'skip';
+function dispatchOne(f: Finding, ctx: DispatchCtx): void {
+  const action = ctx.actions.get(findingKey(f)) ?? 'skip';
   if (action === 'skip') return;
+  const sid = sessionIdFromFinding(f);
+  // Drop wins: a dropped session short-circuits every later action for it,
+  // including allow, so a stale fingerprint is never written for content that
+  // was held back from the push.
+  if (sid !== null && ctx.droppedSids.has(sid)) return;
   if (action === 'allow') {
     applyAllow(f);
     return;
   }
-  const sid = sessionIdFromFinding(f);
   if (sid === null) return;
-  if (droppedSids.has(sid)) return;
   if (action === 'drop') {
-    droppedSids.add(sid);
-    if (drop(sid, map)) {
+    ctx.droppedSids.add(sid);
+    if (ctx.drop(sid, ctx.map)) {
       log(
         `dropped session ${sid} from this push (local transcript kept; the secret remains in your local copy)`,
       );
     }
     return;
   }
-  if (action === 'redact' && !redactedSids.has(sid)) {
-    if (applyRedact(f, findings, ts, map, nowMs, scan)) redactedSids.add(sid);
+  if (action === 'redact' && !ctx.redactedSids.has(sid)) {
+    if (applyRedact(f, ctx.findings, ctx.ts, ctx.map, ctx.nowMs, ctx.scan))
+      ctx.redactedSids.add(sid);
   }
 }
 
@@ -130,10 +131,19 @@ export function dispatchActions(
   scan: (p: string) => Finding[] | null = scanFile,
   drop: (sid: string, map: PathMap) => boolean = dropSessionFromStaged,
 ): void {
-  const redactedSids = new Set<string>();
-  const droppedSids = new Set<string>();
+  const ctx: DispatchCtx = {
+    findings,
+    actions,
+    ts,
+    map,
+    nowMs,
+    scan,
+    drop,
+    redactedSids: new Set<string>(),
+    droppedSids: new Set<string>(),
+  };
   for (const f of findings) {
-    dispatchOne(f, findings, actions, ts, map, nowMs, scan, drop, redactedSids, droppedSids);
+    dispatchOne(f, ctx);
   }
 }
 

package/src/commands.redact.ts

@@ -153,7 +153,8 @@ export function cmdRedact(
     }
 
     if (findings.length === 0) {
-      log(`no findings${rule !== undefined ? ` for rule ${rule}` : ''} in session ${id}`);
+      const ruleClause = rule === undefined ? '' : ` for rule ${rule}`;
+      log(`no findings${ruleClause} in session ${id}`);
       return;
     }
 

package/src/config.ts

@@ -106,19 +106,28 @@ export function allSharedLinks(map: PathMap): string[] {
 }
 
 /**
- * Whitelist of names allowed in `path-map.json`'s top-level `extras` field.
- * Each entry is either a directory name (e.g. `.planning`) OR a single
- * root-level file name (e.g. `CLAUDE.md`); both are validated the same way
- * and copied verbatim under `shared/extras/<logical>/<name>`. Gates the
- * named-extras opt-in mechanism: only entries appearing in this list are
- * eligible for sync. Widening to include `.notes`, `.scratch`, `AGENTS.md`,
- * etc. is a one-line edit here with no schema migration required (the field
- * is additive on the consumer side). Mirrors `SHARED_LINKS` in shape and
- * intent: a short, append-only `as const` tuple that downstream callers
- * narrow against.
+ * Whitelist of names allowed in the `extras` field of `path-map.json`. Each
+ * entry is a directory (e.g. `.planning`) or root-level file (`CLAUDE.md`)
+ * copied under `shared/extras/<logical>/<name>`. Only listed names are
+ * eligible for sync; widening is a one-line edit with no migration required.
  */
 export const SUPPORTED_EXTRAS = ['.planning', 'CLAUDE.md'] as const;
 
+/**
+ * Credential and host-config file names blocked even under `shared/extras/`,
+ * where the broader `NEVER_SYNC` segment scan is narrowed to avoid
+ * false-blocking ephemeral dir names (`todos`, `plans`, etc.) inside synced
+ * `.planning/` trees (Pitfall 6). Strict subset of `NEVER_SYNC`; doctor
+ * display and sharedDirs guard use the full set.
+ */
+export const ALWAYS_NEVER_SYNC = new Set([
+  '.claude.json',
+  '.credentials.json',
+  'settings.local.json',
+  'history.jsonl',
+  'stats-cache.json',
+]);
+
 /**
  * Path segments that must never cross the sync boundary in either direction.
  * Defense-in-depth pair with `PUSH_ALLOWED_STATIC`: even if the allow-list
@@ -142,8 +151,7 @@ export const NEVER_SYNC = new Set([
   'statsig',
   'telemetry',
   'ide',
-  // Host-local caches and runtime state: never useful to share, and named here
-  // so the sharedDirs guard rejects an accidental opt-in.
+  // Host-local caches and runtime state (sharedDirs guard also rejects these).
   'cache',
   'backups',
   'paste-cache',