claude-nomad 0.32.4 → 0.34.0

package/src/nomad.ts

@@ -1,4 +1,4 @@
-#!/usr/bin/env -S npx tsx
+#!/usr/bin/env -S node --disable-warning=ExperimentalWarning
 /**
  * claude-nomad: Claude Code config sync wrapper over a private Git repo.
  *
@@ -25,7 +25,7 @@ import { cmdUpdate } from './commands.update.ts';
 import { HOME } from './config.ts';
 import { cmdDiff } from './diff.ts';
 import { cmdInit } from './init.ts';
-import { parseFlags, parseRedactArgs } from './nomad.dispatch.ts';
+import { parseFlags, parseInitArgs, parseRedactArgs } from './nomad.dispatch.ts';
 import { DEFAULT_HELP } from './nomad.help.ts';
 import { resumeCmd } from './resume.ts';
 import { fail, NomadFatal } from './utils.ts';
@@ -89,15 +89,20 @@ try {
       break;
     }
     case 'init': {
-      // Set-based parse so flag order does not matter and duplicates are
-      // rejected. Unknown flags hit the same usage-error pattern as other
-      // subcommands.
-      const seen = parseFlags(process.argv, new Set(['--snapshot', '--keep-actions']));
-      if (seen === null) {
-        console.error('usage: nomad init [--snapshot] [--keep-actions]');
+      // parseInitArgs handles boolean flags (--snapshot, --keep-actions) and
+      // the value-bearing --repo <name>. Returns null on any parse error:
+      // unknown flag, duplicate, --repo with no value or a value starting with
+      // '--'.
+      const initArgs = parseInitArgs(process.argv);
+      if (initArgs === null) {
+        console.error('usage: nomad init [--snapshot] [--keep-actions] [--repo <name>]');
         process.exit(1);
       }
-      cmdInit({ snapshot: seen.has('--snapshot'), keepActions: seen.has('--keep-actions') });
+      cmdInit({
+        snapshot: initArgs.snapshot,
+        keepActions: initArgs.keepActions,
+        repoName: initArgs.repoName,
+      });
       break;
     }
     case 'diff':
@@ -111,19 +116,13 @@ try {
       cmdDiff();
       break;
     case 'update': {
-      // Set-based parse so flag order does not matter and duplicates are
-      // rejected (`--dry-run --dry-run` is a typo, not a no-op). Unknown
-      // flags hit the same usage-error pattern as other subcommands.
-      const seen = parseFlags(process.argv, new Set(['--dry-run', '--force', '--push-origin']));
-      if (seen === null) {
-        console.error('usage: nomad update [--dry-run] [--force] [--push-origin]');
+      // No flags accepted; any extra argv is a usage error (same length-check
+      // pattern as the --version arm).
+      if (process.argv.length !== 3) {
+        console.error('usage: nomad update');
         process.exit(1);
       }
-      cmdUpdate({
-        dryRun: seen.has('--dry-run'),
-        force: seen.has('--force'),
-        pushOrigin: seen.has('--push-origin'),
-      });
+      cmdUpdate();
       break;
     }
     case 'adopt': {

package/src/push-checks.ts

@@ -18,11 +18,12 @@
  */
 
 import { execFileSync } from 'node:child_process';
-import { existsSync, readdirSync, type Dirent } from 'node:fs';
+import { readdirSync, rmSync, type Dirent } from 'node:fs';
 import { homedir, platform } from 'node:os';
 import { join } from 'node:path';
 
 import { REPO_HOME } from './config.ts';
+import { resolveTomlConfig } from './push-gitleaks.config.ts';
 import { NomadFatal } from './utils.ts';
 
 /**
@@ -114,18 +115,21 @@ export function findGitlinks(dir: string): string[] {
  * ENOENT; throws NomadFatal with the error message on any other failure.
  * Used by `cmdPush` (top-of-flow probe) and `cmdDoctor` (read-only).
  *
- * Conditionally passes `--config <REPO_HOME>/.gitleaks.toml` when that file
- * exists at call time. `gitleaks version` ignores the flag empirically on
- * 8.30.1, so the wiring here is conservative: symmetric with
- * `runGitleaksScan` and surfaces a malformed toml early if a future gitleaks
- * version starts parsing the config on the `version` subcommand. When the
- * toml is missing (e.g., fresh clone predating the allowlist) the flag is
- * omitted entirely; behavior reverts silently to the default gitleaks ruleset.
+ * Passes `--config <toml>` resolved via `resolveTomlConfig`, which applies the
+ * user-owned `.gitleaks.overlay.toml` allowlist on top of the bundled base (or
+ * delegates to the two-tier `resolveTomlPath` lookup when no overlay exists).
+ * `gitleaks version` ignores the flag empirically on 8.30.1, so the wiring is
+ * conservative: symmetric with `runGitleaksScan` and surfaces a malformed toml
+ * early if a future gitleaks version starts parsing the config on the `version`
+ * subcommand. Omits the flag when no config resolves; behavior reverts to the
+ * default ruleset. When the overlay merge generates a temp config its `tempPath`
+ * is removed in the `finally` on every path. Throws NomadFatal with the install
+ * hint on ENOENT; throws NomadFatal with the error message on any other failure.
  */
 export function probeGitleaks(): string {
-  const tomlPath = join(REPO_HOME, '.gitleaks.toml');
+  const { path: toml, tempPath } = resolveTomlConfig();
   const args: string[] = ['version'];
-  if (existsSync(tomlPath)) args.push('--config', tomlPath);
+  if (toml !== null) args.push('--config', toml);
   try {
     return execFileSync('gitleaks', args, { stdio: ['ignore', 'pipe', 'pipe'] })
       .toString()
@@ -134,6 +138,8 @@ export function probeGitleaks(): string {
     const e = err as NodeJS.ErrnoException;
     if (e.code === 'ENOENT') throw new NomadFatal(gitleaksInstallHint());
     throw new NomadFatal(`gitleaks --version failed: ${e.message}`);
+  } finally {
+    if (tempPath !== null) rmSync(tempPath, { recursive: true, force: true });
   }
 }
 

package/src/push-gitleaks.config.ts

@@ -0,0 +1,161 @@
+/**
+ * Resolves the gitleaks `--config` path for every scan site, layering a
+ * user-owned `REPO_HOME/.gitleaks.overlay.toml` allowlist ON TOP of the
+ * package-bundled `.gitleaks.toml` via a generated temp `[extend]` chain.
+ *
+ * Split out of `push-gitleaks.scan.ts` (which keeps the two-tier
+ * `resolveTomlPath` lookup) so the overlay-merge logic, its `[extend]` guard,
+ * and the D-04 generation-failure fallback live under the source-line cap
+ * without crowding the scan primitives. Dependency flows one way
+ * (`push-gitleaks.scan.ts` + `push-checks.ts` -> this module); this module
+ * imports only `config.ts`, `push-gitleaks.scan.ts` (for `resolveTomlPath`),
+ * `utils.fs.ts`, and `utils.ts`, so there is no cycle.
+ */
+
+import { existsSync, mkdtempSync, readFileSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+
+import { REPO_HOME } from './config.ts';
+import { resolveTomlPath } from './push-gitleaks.scan.ts';
+import { NomadFatal, warn } from './utils.ts';
+
+/**
+ * Result of `resolveTomlConfig`. A discriminated union (TYPE, not enum or
+ * class, to satisfy `erasableSyntaxOnly`):
+ *   - `tempPath: null`  -> no temp config was generated (no overlay, S-01
+ *     precedence, bundled-base absent, or the D-04 generation-failure fallback);
+ *     `path` is whatever `resolveTomlPath` would return (possibly `null`).
+ *   - `tempPath: string` -> an overlay was merged into a generated temp config;
+ *     `tempPath` is the private temp DIRECTORY holding it, `path` is the config
+ *     file inside that directory, and the caller MUST remove `tempPath`
+ *     recursively (`rmSync(tempPath, { recursive: true, force: true })`) in a
+ *     `finally` once gitleaks has run.
+ */
+export type TomlConfigResult =
+  | { path: string | null; tempPath: null }
+  | { path: string; tempPath: string };
+
+/**
+ * Regex matching an `[extend]` definition at the start of a line (D-05). Covers
+ * every TOML-equivalent form so the guard cannot be bypassed by whitespace or
+ * key syntax: the table header `[extend]` with optional inner whitespace
+ * (`[ extend ]`), the dotted-key form (`extend.path = ...`), and the inline-table
+ * form (`extend = { ... }`). All three load the `extend` table in gitleaks' TOML
+ * parser and would build the depth-3 chain that silently drops the default
+ * ruleset, so all three must fail LOUD.
+ */
+const OVERLAY_EXTEND_RE = /^\s*(?:\[\s*extend\s*\]|extend\s*[.=])/m;
+
+/**
+ * Read the overlay body and write the generated temp config that chains it onto
+ * the bundled base. Separated from `resolveTomlConfig` so the I/O try/catch
+ * (D-04 fallback) is a tight seam and the caller stays under the
+ * cognitive-complexity gate. The `[extend]` guard is intentionally NOT here: it
+ * runs in `resolveTomlConfig` BEFORE this call so its `NomadFatal` (D-05) is
+ * never swallowed by the D-04 fallback catch.
+ *
+ * The temp body is `[extend]\npath = <bundled abs path JSON>\n\n<overlay body>`,
+ * written as `config.toml` inside a private directory created atomically with
+ * `mkdtempSync` (mode 0o700) under `tmpdir()` with a `nomad-gitleaks-cfg-` prefix
+ * (CWE-377: the private dir plus the `wx` exclusive-create flag defeat a
+ * symlink-redirect in the world-writable temp dir). The config file is written
+ * mode 0o600. The `[extend] path` is the ABSOLUTE bundled path (D-02, Pitfall 1)
+ * because the scan CWD is uncontrolled at the `scanFile` and `probeGitleaks` sites.
+ *
+ * @param overlayBody The already-read overlay body (read once by the caller so a
+ *   single buffer is both guarded and spliced, closing the guard/build TOCTOU).
+ * @param bundled Absolute path to the bundled `.gitleaks.toml` (from `resolveTomlPath`).
+ * @returns The generated temp directory and the config file path inside it.
+ */
+function buildOverlayTempConfig(
+  overlayBody: string,
+  bundled: string,
+): { configPath: string; tempPath: string } {
+  const tempBody = `[extend]\npath = ${JSON.stringify(bundled)}\n\n${overlayBody}`;
+  const tempPath = mkdtempSync(join(tmpdir(), 'nomad-gitleaks-cfg-'));
+  const configPath = join(tempPath, 'config.toml');
+  writeFileSync(configPath, tempBody, { mode: 0o600, flag: 'wx' });
+  return { configPath, tempPath };
+}
+
+/**
+ * Resolve the gitleaks `--config` path, applying a user-owned
+ * `REPO_HOME/.gitleaks.overlay.toml` allowlist ON TOP of the package-bundled
+ * `.gitleaks.toml` (which itself `[extend] useDefault = true` chains the gitleaks
+ * default ruleset). Implements Approach A (chain), empirically verified at
+ * gitleaks 8.30.1: the generated temp config `[extend] path = <bundled abs>` plus
+ * the overlay body loads as temp -> bundled(useDefault) -> default, exactly the
+ * depth-2 `maxExtendDepth` limit (depth 3 SILENTLY drops the default ruleset).
+ * The caller owns cleanup: when `tempPath` is non-null it MUST be removed in a
+ * `finally`.
+ *
+ * Branches:
+ *   - No overlay file: delegates to `resolveTomlPath()`, `tempPath: null`. Byte
+ *     identical to the pre-overlay behavior.
+ *   - S-01 precedence: if a full `REPO_HOME/.gitleaks.toml` exists,
+ *     `resolveTomlPath()` returns IT first; the overlay is ignored with a single
+ *     `warn`, `tempPath: null`. A full repo toml signals manual control and may
+ *     itself `[extend]`, so interposing the overlay would risk the depth-3 silent
+ *     drop; the repo toml wins outright to keep the chain at the safe depth-2 max.
+ *   - Overlay present, no full repo toml, bundled base absent: D-04 fallback,
+ *     `{ path: null, tempPath: null }` so gitleaks still runs with its default
+ *     ruleset (never no-scan, never skipped).
+ *   - Overlay present with its own `[extend]` block: throws `NomadFatal` (D-05)
+ *     BEFORE generating the temp, so a dangerous/malformed overlay fails LOUD and
+ *     aborts the push rather than silently weakening the scan.
+ *   - Overlay present, bundled base resolvable: generates the temp config and
+ *     returns `{ path: tempPath, tempPath }`.
+ *   - D-04 "for ANY reason" generation failure: if reading the overlay or writing
+ *     the temp throws (ENOSPC, EACCES, EROFS, missing tmpdir, unreadable overlay,
+ *     etc.), `warn` once and fall back to the BUNDLED base path so the scan STILL
+ *     runs with the full bundled allowlist. Never returns `path: null` here, never
+ *     throws, never skips. The `[extend]` `NomadFatal` (D-05) is thrown outside the
+ *     fallback try, so it is never swallowed by this catch.
+ *
+ * @returns A `TomlConfigResult`; the caller passes `path` to `--config` (omitting
+ *   the flag on `null`) and removes a non-null `tempPath` in a `finally`.
+ */
+export function resolveTomlConfig(): TomlConfigResult {
+  const overlayPath = join(REPO_HOME, '.gitleaks.overlay.toml');
+  const repoToml = join(REPO_HOME, '.gitleaks.toml');
+  const bundled = resolveTomlPath();
+  if (!existsSync(overlayPath)) {
+    return { path: bundled, tempPath: null };
+  }
+  // S-01: a full REPO_HOME/.gitleaks.toml wins outright; resolveTomlPath returns
+  // it before the bundled copy, so compare to detect that case and short-circuit
+  // before generating a temp (keeps the chain at the safe depth-2 max).
+  if (bundled === repoToml) {
+    warn(
+      '.gitleaks.overlay.toml ignored: REPO_HOME/.gitleaks.toml takes precedence (full manual control)',
+    );
+    return { path: bundled, tempPath: null };
+  }
+  // D-04: no bundled base to chain onto; run with the default ruleset, never skip.
+  if (bundled === null) {
+    return { path: null, tempPath: null };
+  }
+  // D-04: any overlay-read or temp-generation I/O failure falls back to the
+  // bundled base so the scan still runs with the full bundled allowlist (never
+  // null, never thrown). The overlay is read ONCE here and the same buffer is
+  // both guarded and spliced, closing the guard-vs-build TOCTOU. The D-05
+  // [extend] NomadFatal is re-thrown from the catch so it is never swallowed by
+  // this fallback.
+  try {
+    const overlayBody = readFileSync(overlayPath, 'utf8');
+    if (OVERLAY_EXTEND_RE.test(overlayBody)) {
+      throw new NomadFatal(
+        '.gitleaks.overlay.toml must not contain an [extend] block; it is generated automatically. Remove the [extend] section and retry.',
+      );
+    }
+    const { configPath, tempPath } = buildOverlayTempConfig(overlayBody, bundled);
+    return { path: configPath, tempPath };
+  } catch (err) {
+    if (err instanceof NomadFatal) throw err;
+    warn(
+      `.gitleaks.overlay.toml merge failed (${(err as Error).message}); falling back to the bundled allowlist`,
+    );
+    return { path: bundled, tempPath: null };
+  }
+}

package/src/push-gitleaks.scan.ts

@@ -16,10 +16,27 @@ import { execFileSync, type ExecFileSyncOptions } from 'node:child_process';
 import { existsSync, mkdirSync, readFileSync, rmSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
+import { fileURLToPath } from 'node:url';
 
 import { REPO_HOME } from './config.ts';
+import { resolveTomlConfig } from './push-gitleaks.config.ts';
 import { nowTimestamp } from './utils.fs.ts';
 
+/**
+ * Two-tier `.gitleaks.toml` lookup: returns `REPO_HOME/.gitleaks.toml` when
+ * present, else the package-bundled copy resolved via `import.meta.url`
+ * (always current with the installed binary, critical for standalone repos
+ * that have no git update path for the allowlist), else `null`. Callers omit
+ * `--config` on a `null` return so gitleaks uses its default ruleset; scanning
+ * is never disabled. Exported for reuse in `push-checks.ts` `probeGitleaks`.
+ */
+export function resolveTomlPath(): string | null {
+  const repoToml = join(REPO_HOME, '.gitleaks.toml');
+  if (existsSync(repoToml)) return repoToml;
+  const bundled = fileURLToPath(new URL('../.gitleaks.toml', import.meta.url));
+  return existsSync(bundled) ? bundled : null;
+}
+
 /**
  * Subset of gitleaks 8.x JSON report fields the parser consumes. The
  * report is an array of objects (one per finding) emitted to the
@@ -74,12 +91,14 @@ export function readGitleaksReport(reportPath: string): Finding[] | null {
  * In `repoDir`, runs `git init` then `git add -A` (no commit, no user identity:
  * `git add` does not require one), writes the gitleaks JSON report to a
  * collision-resistant path under `~/.cache/claude-nomad/`, and invokes
- * `gitleaks protect --staged`. Conditionally passes `--config
- * <REPO_HOME>/.gitleaks.toml` when that file exists at call time (missing toml
- * = silent fallback to the default ruleset). Returns `[]` on a clean exit, the
+ * `gitleaks protect --staged`. Passes `--config <toml>` resolved via
+ * `resolveTomlConfig`, which layers a user-owned `.gitleaks.overlay.toml` on the
+ * two-tier `resolveTomlPath` base by generating a temp `[extend]` config (removed
+ * in the `finally`); omits the flag when no base exists so gitleaks uses its
+ * default ruleset. Returns `[]` on a clean exit, the
  * parsed `Finding[]` on a non-zero exit with a readable report, or `null` when
- * the report is missing or unparseable (the scan-failed signal). The temp
- * report file is removed in a `finally` on every path. ENOENT (gitleaks or git
+ * the report is missing or unparseable (the scan-failed signal). The temp report
+ * file and any generated overlay temp-config are removed in a `finally` on every path. ENOENT (gitleaks or git
  * absent) is re-thrown, not swallowed, so each caller keeps its own
  * missing-binary handling (push -> install-hint FATAL; doctor -> scan-failed
  * FAIL row). All calls use `execFileSync` argv-array form (no shell), the
@@ -98,7 +117,7 @@ export function scanStagedTree(repoDir: string, forwardStreams = false): Finding
   const cacheDir = join(homedir(), '.cache', 'claude-nomad');
   mkdirSync(cacheDir, { recursive: true });
   const reportPath = join(cacheDir, `gitleaks-${nowTimestamp()}-${process.pid}.json`);
-  const tomlPath = join(REPO_HOME, '.gitleaks.toml');
+  const { path: toml, tempPath } = resolveTomlConfig();
   const args: string[] = [
     'protect',
     '--staged',
@@ -107,7 +126,7 @@ export function scanStagedTree(repoDir: string, forwardStreams = false): Finding
     '--report-format=json',
     `--report-path=${reportPath}`,
   ];
-  if (existsSync(tomlPath)) args.push('--config', tomlPath);
+  if (toml !== null) args.push('--config', toml);
   const opts: ExecFileSyncOptions = { cwd: repoDir, stdio: ['ignore', 'pipe', 'pipe'] };
   try {
     execFileSync('git', ['init', '-q'], opts);
@@ -124,6 +143,7 @@ export function scanStagedTree(repoDir: string, forwardStreams = false): Finding
     }
     return report;
   } finally {
+    if (tempPath !== null) rmSync(tempPath, { recursive: true, force: true });
     rmSync(reportPath, { force: true });
   }
 }
@@ -154,9 +174,11 @@ export function scanStagedTree(repoDir: string, forwardStreams = false): Finding
  * streams so the caller can surface it. On the findings path the streams are
  * suppressed; the structured `Finding[]` fully describes the result.
  *
- * Conditionally passes `--config <REPO_HOME>/.gitleaks.toml` when that file
- * exists, mirroring the `scanStagedTree` convention so allow-list entries apply
- * consistently across staged and non-staged scans.
+ * Passes `--config <toml>` resolved via `resolveTomlConfig` (the
+ * `.gitleaks.overlay.toml` merge over the two-tier `resolveTomlPath` base, with a
+ * generated temp config cleaned up in the `finally`), mirroring the
+ * `scanStagedTree` convention so allow-list entries apply consistently across
+ * staged and non-staged scans. Omits the flag when no base config exists.
  *
  * @param filePath Absolute path to the file to scan.
  * @param forwardStreams Forward gitleaks stderr/stdout to process streams on
@@ -167,7 +189,7 @@ export function scanFile(filePath: string, forwardStreams = false): Finding[] |
   const cacheDir = join(homedir(), '.cache', 'claude-nomad');
   mkdirSync(cacheDir, { recursive: true });
   const reportPath = join(cacheDir, `gitleaks-file-${nowTimestamp()}-${process.pid}.json`);
-  const tomlPath = join(REPO_HOME, '.gitleaks.toml');
+  const { path: toml, tempPath } = resolveTomlConfig();
   const args: string[] = [
     'detect',
     '--no-git',
@@ -176,7 +198,7 @@ export function scanFile(filePath: string, forwardStreams = false): Finding[] |
     '--report-format=json',
     `--report-path=${reportPath}`,
   ];
-  if (existsSync(tomlPath)) args.push('--config', tomlPath);
+  if (toml !== null) args.push('--config', toml);
   const opts: ExecFileSyncOptions = { stdio: ['ignore', 'pipe', 'pipe'] };
   try {
     execFileSync('gitleaks', args, opts);
@@ -191,6 +213,7 @@ export function scanFile(filePath: string, forwardStreams = false): Finding[] |
     }
     return report;
   } finally {
+    if (tempPath !== null) rmSync(tempPath, { recursive: true, force: true });
     rmSync(reportPath, { force: true });
   }
 }

package/src/commands.update.git.ts

@@ -1,90 +0,0 @@
-import { execFileSync } from 'node:child_process';
-
-import { REPO_HOME } from './config.ts';
-import { log, NomadFatal } from './utils.ts';
-
-/**
- * Get the current Git branch name for the repository at REPO_HOME.
- *
- * Wraps the failure path so a corrupt or missing `.git` directory surfaces as
- * ``✗ ...`` via the top-level dispatcher's `NomadFatal` catch
- * rather than a raw `ExecException` stack trace.
- *
- * @returns The current branch name (trimmed).
- * @throws NomadFatal when the git command fails; if the command produced stderr, that stderr is written to process.stderr before the exception is thrown.
- */
-export function currentBranch(): string {
-  try {
-    return execFileSync('git', ['rev-parse', '--abbrev-ref', 'HEAD'], {
-      cwd: REPO_HOME,
-      stdio: ['ignore', 'pipe', 'pipe'],
-    })
-      .toString()
-      .trim();
-  } catch (err) {
-    const e = err as Error & { stderr?: Buffer };
-    if (e.stderr) process.stderr.write(e.stderr);
-    throw new NomadFatal('git rev-parse --abbrev-ref HEAD failed');
-  }
-}
-
-/**
- * Read and return the current `HEAD` commit SHA from the repository.
- *
- * Used to pin the pre-update commit so the post-update lockfile diff is
- * exact regardless of whether the pull was a fast-forward, a no-op, or a
- * merge. `HEAD@{1}` is unreliable here: a no-op `git pull --ff-only` does
- * not always write a reflog entry, and a freshly cloned repo has no
- * `HEAD@{1}` at all.
- *
- * @returns The `HEAD` commit SHA as a trimmed string.
- * @throws NomadFatal if `git rev-parse HEAD` fails (stderr is written to stderr when present).
- */
-export function headSha(): string {
-  try {
-    return execFileSync('git', ['rev-parse', 'HEAD'], {
-      cwd: REPO_HOME,
-      stdio: ['ignore', 'pipe', 'pipe'],
-    })
-      .toString()
-      .trim();
-  } catch (err) {
-    const e = err as Error & { stderr?: Buffer };
-    if (e.stderr) process.stderr.write(e.stderr);
-    throw new NomadFatal('git rev-parse HEAD failed');
-  }
-}
-
-/**
- * List files changed between the given commit and the current HEAD.
- *
- * @param beforeSha - Commit SHA to compare against HEAD
- * @returns An array of file paths changed between `beforeSha` and `HEAD`; an empty array if there are no changes
- */
-export function changedFilesSince(beforeSha: string): string[] {
-  const out = execFileSync('git', ['diff', '--name-only', `${beforeSha}..HEAD`], {
-    cwd: REPO_HOME,
-    stdio: ['ignore', 'pipe', 'pipe'],
-  }).toString();
-  return out.split('\n').filter((line) => line !== '');
-}
-
-/**
- * Run `npm install` in the repository only if `package-lock.json` changed since a given commit.
- *
- * If `package-lock.json` did not change between `beforeSha` and `HEAD`, logs
- * a skip message; otherwise runs `npm install` with working directory set to
- * `REPO_HOME`. Routing through `execFileSync` (no shell) keeps the call
- * mockable in tests and prevents any chance of argv injection.
- *
- * @param beforeSha - Commit SHA to compare against `HEAD` when determining whether the lockfile changed
- */
-export function reinstallIfNeeded(beforeSha: string): void {
-  const changed = changedFilesSince(beforeSha);
-  if (!changed.includes('package-lock.json')) {
-    log('skipping npm install (lockfile unchanged)');
-    return;
-  }
-  log('package-lock.json changed, running npm install');
-  execFileSync('npm', ['install'], { cwd: REPO_HOME, stdio: 'inherit' });
-}

package/src/commands.update.resolve.ts

@@ -1,138 +0,0 @@
-import { execFileSync } from 'node:child_process';
-import { closeSync, openSync, readSync } from 'node:fs';
-
-import type { CmdUpdateOpts } from './commands.update.ts';
-import { REPO_HOME } from './config.ts';
-import { gitOrFatal, log } from './utils.ts';
-
-/**
- * Default y/N prompt used when `opts.prompt` is not injected.
- *
- * Reads from `/dev/tty` byte-by-byte until newline so the call returns after
- * the user presses Enter (cooked-mode TTY line buffering). The naive
- * `readFileSync(0)` approach reads until EOF, which hangs interactive use
- * until Ctrl-D. Opening `/dev/tty` directly also means the prompt still
- * works when stdin is piped or redirected.
- *
- * @param question - Prompt text written to stdout before reading input.
- * @returns The user's trimmed answer; `''` on any failure (no controlling TTY, read error), which `runFork` treats as "no" and skips the push.
- */
-export function defaultPrompt(question: string): string {
-  process.stdout.write(question);
-  let fd: number;
-  try {
-    fd = openSync('/dev/tty', 'r');
-  } catch {
-    return '';
-  }
-  try {
-    const buf = Buffer.alloc(1);
-    let answer = '';
-    while (true) {
-      const n = readSync(fd, buf, 0, 1, null);
-      if (n === 0) break;
-      const ch = buf.toString('utf8', 0, 1);
-      if (ch === '\n' || ch === '\r') break;
-      answer += ch;
-    }
-    return answer.trim();
-  } catch {
-    return '';
-  } finally {
-    closeSync(fd);
-  }
-}
-
-/**
- * Files release-please touches as a set on every release commit. Multi-file
- * merge conflicts in `nomad update` that consist entirely of paths from this
- * set are diagnostic for a release landing upstream while the mirror has its
- * own local commits on these artifacts. Taking upstream is the canonical
- * resolution (these are all generated artifacts the user has no business
- * editing on a mirror), but multi-file is more aggressive than the lone
- * lockfile case so we prompt before mutating.
- */
-const RELEASE_PLEASE_ARTIFACTS: ReadonlySet<string> = new Set([
-  'package.json',
-  'package-lock.json',
-  'CHANGELOG.md',
-  '.release-please-manifest.json',
-]);
-
-/**
- * Resolve a merge conflict by taking upstream's version of every listed path,
- * regenerating the lockfile via `npm install`, and committing the merge.
- * Shared body for the lone-lockfile auto-resolve and the release-please
- * multi-file prompted auto-resolve.
- *
- * @param paths - Unmerged paths to resolve via `git checkout --theirs`.
- */
-export function resolveByTakingTheirs(paths: readonly string[]): void {
-  for (const p of paths) {
-    gitOrFatal(['checkout', '--theirs', '--', p], `git checkout --theirs ${p}`, REPO_HOME);
-  }
-  gitOrFatal(['add', ...paths], `git add ${paths.join(' ')}`, REPO_HOME);
-  execFileSync('npm', ['install'], { cwd: REPO_HOME, stdio: 'inherit' });
-  gitOrFatal(['add', 'package-lock.json'], 'git add package-lock.json', REPO_HOME);
-  gitOrFatal(['commit', '--no-edit'], 'git commit --no-edit', REPO_HOME);
-  log(`auto-resolved merge conflict (took upstream for ${paths.join(', ')}, reinstalled)`);
-}
-
-/**
- * Auto-resolve a merge conflict in the two scenarios both caused by
- * release-please landing upstream while the mirror has local commits:
- *
- * 1. **Sole `package-lock.json`** (silent): the lone-lockfile case from PR
- *    #96. Any host that has run `npm install` against the mirror will hit
- *    this on the next `nomad update`; take upstream + reinstall is the
- *    semantically-correct fix and surprise-free for a generated artifact.
- *
- * 2. **All paths in `RELEASE_PLEASE_ARTIFACTS` and more than one path**
- *    (prompted): a release commit conflicting on `package.json`,
- *    `CHANGELOG.md`, `.release-please-manifest.json` together with the
- *    lockfile. Same semantic resolution, but more files are touched so we
- *    require explicit y/N consent before mutating.
- *
- * Returns `false` for any other conflict shape (including probe failure);
- * the caller re-throws the original merge `NomadFatal` unchanged.
- *
- * @param opts - Update options; only `prompt` is consulted (used for the multi-file release-please consent prompt).
- * @returns `true` when the conflict was auto-resolved and the merge committed; `false` when the conflict shape does not match either auto-resolve case (caller should re-throw the original failure).
- */
-export function tryAutoResolveMergeConflict(opts: CmdUpdateOpts): boolean {
-  let unmerged: string[];
-  try {
-    unmerged = execFileSync('git', ['diff', '--name-only', '--diff-filter=U'], {
-      cwd: REPO_HOME,
-      stdio: ['ignore', 'pipe', 'pipe'],
-    })
-      .toString()
-      .split('\n')
-      .filter((line) => line !== '');
-  } catch {
-    // Probe failure must not mask the original merge NomadFatal. Returning
-    // false lets the caller re-throw the merge error unchanged.
-    return false;
-  }
-
-  if (unmerged.length === 1 && unmerged[0] === 'package-lock.json') {
-    resolveByTakingTheirs(['package-lock.json']);
-    return true;
-  }
-
-  if (unmerged.length > 1 && unmerged.every((p) => RELEASE_PLEASE_ARTIFACTS.has(p))) {
-    const promptFn = opts.prompt ?? defaultPrompt;
-    log(`merge conflict in release-please artifacts: ${unmerged.join(', ')}`);
-    const answer = promptFn(
-      'Auto-resolve by taking upstream + `npm install` + commit? [y/N] ',
-    ).toLowerCase();
-    if (answer !== 'y' && answer !== 'yes') {
-      log('skipping auto-resolve (resolve manually then re-run `nomad update`)');
-      return false;
-    }
-    resolveByTakingTheirs(unmerged);
-    return true;
-  }
-
-  return false;
-}