claude-nomad 0.34.0 → 0.35.0

package/dist/nomad.mjs

@@ -0,0 +1,4843 @@
+#!/usr/bin/env node
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __commonJS = (cb, mod) => function __require() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// node_modules/picocolors/picocolors.js
+var require_picocolors = __commonJS({
+  "node_modules/picocolors/picocolors.js"(exports, module) {
+    var p = process || {};
+    var argv = p.argv || [];
+    var env = p.env || {};
+    var isColorSupported = !(!!env.NO_COLOR || argv.includes("--no-color")) && (!!env.FORCE_COLOR || argv.includes("--color") || p.platform === "win32" || (p.stdout || {}).isTTY && env.TERM !== "dumb" || !!env.CI);
+    var formatter = (open, close, replace = open) => (input) => {
+      let string = "" + input, index = string.indexOf(close, open.length);
+      return ~index ? open + replaceClose(string, close, replace, index) + close : open + string + close;
+    };
+    var replaceClose = (string, close, replace, index) => {
+      let result = "", cursor = 0;
+      do {
+        result += string.substring(cursor, index) + replace;
+        cursor = index + close.length;
+        index = string.indexOf(close, cursor);
+      } while (~index);
+      return result + string.substring(cursor);
+    };
+    var createColors = (enabled2 = isColorSupported) => {
+      let f = enabled2 ? formatter : () => String;
+      return {
+        isColorSupported: enabled2,
+        reset: f("\x1B[0m", "\x1B[0m"),
+        bold: f("\x1B[1m", "\x1B[22m", "\x1B[22m\x1B[1m"),
+        dim: f("\x1B[2m", "\x1B[22m", "\x1B[22m\x1B[2m"),
+        italic: f("\x1B[3m", "\x1B[23m"),
+        underline: f("\x1B[4m", "\x1B[24m"),
+        inverse: f("\x1B[7m", "\x1B[27m"),
+        hidden: f("\x1B[8m", "\x1B[28m"),
+        strikethrough: f("\x1B[9m", "\x1B[29m"),
+        black: f("\x1B[30m", "\x1B[39m"),
+        red: f("\x1B[31m", "\x1B[39m"),
+        green: f("\x1B[32m", "\x1B[39m"),
+        yellow: f("\x1B[33m", "\x1B[39m"),
+        blue: f("\x1B[34m", "\x1B[39m"),
+        magenta: f("\x1B[35m", "\x1B[39m"),
+        cyan: f("\x1B[36m", "\x1B[39m"),
+        white: f("\x1B[37m", "\x1B[39m"),
+        gray: f("\x1B[90m", "\x1B[39m"),
+        bgBlack: f("\x1B[40m", "\x1B[49m"),
+        bgRed: f("\x1B[41m", "\x1B[49m"),
+        bgGreen: f("\x1B[42m", "\x1B[49m"),
+        bgYellow: f("\x1B[43m", "\x1B[49m"),
+        bgBlue: f("\x1B[44m", "\x1B[49m"),
+        bgMagenta: f("\x1B[45m", "\x1B[49m"),
+        bgCyan: f("\x1B[46m", "\x1B[49m"),
+        bgWhite: f("\x1B[47m", "\x1B[49m"),
+        blackBright: f("\x1B[90m", "\x1B[39m"),
+        redBright: f("\x1B[91m", "\x1B[39m"),
+        greenBright: f("\x1B[92m", "\x1B[39m"),
+        yellowBright: f("\x1B[93m", "\x1B[39m"),
+        blueBright: f("\x1B[94m", "\x1B[39m"),
+        magentaBright: f("\x1B[95m", "\x1B[39m"),
+        cyanBright: f("\x1B[96m", "\x1B[39m"),
+        whiteBright: f("\x1B[97m", "\x1B[39m"),
+        bgBlackBright: f("\x1B[100m", "\x1B[49m"),
+        bgRedBright: f("\x1B[101m", "\x1B[49m"),
+        bgGreenBright: f("\x1B[102m", "\x1B[49m"),
+        bgYellowBright: f("\x1B[103m", "\x1B[49m"),
+        bgBlueBright: f("\x1B[104m", "\x1B[49m"),
+        bgMagentaBright: f("\x1B[105m", "\x1B[49m"),
+        bgCyanBright: f("\x1B[106m", "\x1B[49m"),
+        bgWhiteBright: f("\x1B[107m", "\x1B[49m")
+      };
+    };
+    module.exports = createColors();
+    module.exports.createColors = createColors;
+  }
+});
+
+// src/color.ts
+var import_picocolors, enabled, red, yellow, green, cyan, blue, dim, bold, wslNarrowPad, okGlyph, failGlyph, warnGlyph, infoGlyph;
+var init_color = __esm({
+  "src/color.ts"() {
+    "use strict";
+    import_picocolors = __toESM(require_picocolors(), 1);
+    enabled = import_picocolors.default.isColorSupported;
+    red = (s) => enabled ? import_picocolors.default.red(s) : s;
+    yellow = (s) => enabled ? import_picocolors.default.yellow(s) : s;
+    green = (s) => enabled ? import_picocolors.default.green(s) : s;
+    cyan = (s) => enabled ? import_picocolors.default.cyan(s) : s;
+    blue = (s) => enabled ? import_picocolors.default.blue(s) : s;
+    dim = (s) => enabled ? import_picocolors.default.dim(s) : s;
+    bold = (s) => enabled ? import_picocolors.default.bold(s) : s;
+    wslNarrowPad = process.env.WSL_DISTRO_NAME ? " " : "";
+    okGlyph = `\u2713${wslNarrowPad}`;
+    failGlyph = `\u2717${wslNarrowPad}`;
+    warnGlyph = "\u26A0\uFE0E";
+    infoGlyph = "\u2139\uFE0E";
+  }
+});
+
+// src/utils.ts
+import { execFileSync } from "node:child_process";
+function gitOrFatal(args, context, cwd) {
+  try {
+    execFileSync("git", args, { cwd, stdio: ["ignore", "pipe", "pipe"] });
+  } catch (err) {
+    const e = err;
+    if (e.stderr) process.stderr.write(e.stderr);
+    throw new NomadFatal(`${context} failed`);
+  }
+}
+var log, ok, warn, fail, NomadFatal, die, gitStatusPorcelainZ;
+var init_utils = __esm({
+  "src/utils.ts"() {
+    "use strict";
+    init_color();
+    log = (msg) => console.log(`${dim(infoGlyph)} ${msg}`);
+    ok = (msg) => console.log(`${green(okGlyph)} ${msg}`);
+    warn = (msg) => {
+      console.error(`${yellow(warnGlyph)} ${msg}`);
+    };
+    fail = (msg) => {
+      console.error(`${red(failGlyph)} ${msg}`);
+    };
+    NomadFatal = class extends Error {
+      constructor(message) {
+        super(message);
+        this.name = "NomadFatal";
+      }
+    };
+    die = (msg) => {
+      throw new NomadFatal(msg);
+    };
+    gitStatusPorcelainZ = (cwd, opts = {}) => {
+      const args = ["status", "--porcelain=v1", "-z"];
+      if (opts.untrackedAll === true) args.push("--untracked-files=all");
+      return execFileSync("git", args, {
+        cwd,
+        stdio: ["ignore", "pipe", "pipe"]
+      }).toString();
+    };
+  }
+});
+
+// src/config.sharedDirs.guard.ts
+function assertSafeLogical(logical) {
+  if (!SAFE_LOGICAL.test(logical) || logical === "." || logical === "..") {
+    throw new NomadFatal(
+      `invalid logical name in path-map.json: ${JSON.stringify(logical)} (must match [A-Za-z0-9._-]+; no path separators or '..')`
+    );
+  }
+}
+function isValidSharedDir(entry) {
+  if (typeof entry !== "string") return false;
+  if (!SAFE_SEGMENT.test(entry) || entry === "." || entry === "..") return false;
+  if (NEVER_SYNC.has(entry)) return false;
+  if (RESERVED_SHARED.has(entry)) return false;
+  return true;
+}
+var SAFE_LOGICAL, SAFE_SEGMENT, RESERVED_SHARED;
+var init_config_sharedDirs_guard = __esm({
+  "src/config.sharedDirs.guard.ts"() {
+    "use strict";
+    init_config();
+    init_utils();
+    SAFE_LOGICAL = /^[A-Za-z0-9._-]+$/;
+    SAFE_SEGMENT = /^[A-Za-z0-9._-]+$/;
+    RESERVED_SHARED = /* @__PURE__ */ new Set([
+      "settings.base.json",
+      "CLAUDE.md",
+      "agents",
+      "skills",
+      "commands",
+      "rules",
+      "my-statusline.cjs",
+      "hooks",
+      "hosts",
+      "path-map.json",
+      "extras",
+      "projects"
+    ]);
+  }
+});
+
+// src/settings-keys.ts
+var SCHEMA_KEYS, APP_ONLY_KEYS, KNOWN_SETTINGS_KEYS;
+var init_settings_keys = __esm({
+  "src/settings-keys.ts"() {
+    "use strict";
+    SCHEMA_KEYS = [
+      "$schema",
+      "agent",
+      "allowedChannelPlugins",
+      "allowedHttpHookUrls",
+      "allowedMcpServers",
+      "allowManagedHooksOnly",
+      "allowManagedMcpServersOnly",
+      "allowManagedPermissionRulesOnly",
+      "alwaysThinkingEnabled",
+      "apiKeyHelper",
+      "attribution",
+      "autoMemoryDirectory",
+      "autoMemoryEnabled",
+      "autoMode",
+      "autoUpdatesChannel",
+      "availableModels",
+      "awsAuthRefresh",
+      "awsCredentialExport",
+      "blockedMarketplaces",
+      "channelsEnabled",
+      "claudeMdExcludes",
+      "cleanupPeriodDays",
+      "companyAnnouncements",
+      "defaultShell",
+      "deniedMcpServers",
+      "disableAllHooks",
+      "disableDeepLinkRegistration",
+      "disabledMcpjsonServers",
+      "disableSkillShellExecution",
+      "effortLevel",
+      "enableAllProjectMcpServers",
+      "enabledMcpjsonServers",
+      "enabledPlugins",
+      "env",
+      "extraKnownMarketplaces",
+      "fastMode",
+      "fastModePerSessionOptIn",
+      "feedbackSurveyRate",
+      "fileSuggestion",
+      "forceLoginMethod",
+      "forceLoginOrgUUID",
+      "forceRemoteSettingsRefresh",
+      "hooks",
+      "httpHookAllowedEnvVars",
+      "includeCoAuthoredBy",
+      "includeGitInstructions",
+      "language",
+      "minimumVersion",
+      "model",
+      "modelOverrides",
+      "otelHeadersHelper",
+      "outputStyle",
+      "parentSettingsBehavior",
+      "permissions",
+      "plansDirectory",
+      "pluginConfigs",
+      "pluginTrustMessage",
+      "prefersReducedMotion",
+      "prUrlTemplate",
+      "respectGitignore",
+      "sandbox",
+      "showClearContextOnPlanAccept",
+      "showThinkingSummaries",
+      "showTurnDuration",
+      "skillOverrides",
+      "skipDangerousModePermissionPrompt",
+      "skippedMarketplaces",
+      "skippedPlugins",
+      "skipWebFetchPreflight",
+      "spinnerTipsEnabled",
+      "spinnerTipsOverride",
+      "spinnerVerbs",
+      "statusLine",
+      "strictKnownMarketplaces",
+      "strictPluginOnlyCustomization",
+      "subagentStatusLine",
+      "teammateMode",
+      "terminalProgressBarEnabled",
+      "tui",
+      "useAutoModeDuringPlan",
+      "viewMode",
+      "voiceEnabled",
+      "worktree",
+      "wslInheritsWindowsSettings"
+    ];
+    APP_ONLY_KEYS = [
+      "agentPushNotifEnabled",
+      "agents",
+      "apiKeyHelperTimeoutMs",
+      "awsLoginRefresh",
+      "awsRegion",
+      "awsRetryMode",
+      "disableNonEssentialModelCalls",
+      "enabledExperimentalFeatures",
+      "inputNeededNotifEnabled",
+      "installMethod",
+      "pluginGroups",
+      "pluginRepositoryEnabled",
+      "pluginsLocalConfig",
+      "proxy",
+      "skipAutoPermissionPrompt",
+      "statsig",
+      "subagents",
+      "theme"
+    ];
+    KNOWN_SETTINGS_KEYS = /* @__PURE__ */ new Set([...SCHEMA_KEYS, ...APP_ONLY_KEYS]);
+  }
+});
+
+// src/config.ts
+import { homedir, hostname } from "node:os";
+import { join, resolve } from "node:path";
+function allSharedLinks(map) {
+  const extras = [];
+  for (const entry of map.sharedDirs ?? []) {
+    if (isValidSharedDir(entry)) {
+      extras.push(entry);
+    } else {
+      warn(
+        `sharedDirs entry ${JSON.stringify(entry)} is invalid (path separator, reserved name, or NEVER_SYNC); skipping`
+      );
+    }
+  }
+  return [...SHARED_LINKS, ...extras];
+}
+var HOME, CLAUDE_HOME, BACKUP_BASE, REPO_HOME, SETTINGS_SCHEMA_URL, GITLEAKS_PINNED_VERSION, HOST, SHARED_LINKS, SUPPORTED_EXTRAS, ALWAYS_NEVER_SYNC, NEVER_SYNC, PUSH_ALLOWED_STATIC;
+var init_config = __esm({
+  "src/config.ts"() {
+    "use strict";
+    init_config_sharedDirs_guard();
+    init_utils();
+    init_settings_keys();
+    HOME = homedir();
+    CLAUDE_HOME = resolve(HOME, ".claude");
+    BACKUP_BASE = join(HOME, ".cache", "claude-nomad", "backup");
+    REPO_HOME = process.env.NOMAD_REPO || resolve(HOME, "claude-nomad");
+    SETTINGS_SCHEMA_URL = "https://json.schemastore.org/claude-code-settings.json";
+    GITLEAKS_PINNED_VERSION = "8.30.1";
+    HOST = (process.env.NOMAD_HOST || hostname()).toLowerCase();
+    SHARED_LINKS = [
+      "CLAUDE.md",
+      "agents",
+      "skills",
+      "commands",
+      "rules",
+      "my-statusline.cjs",
+      "hooks"
+    ];
+    SUPPORTED_EXTRAS = [".planning", "CLAUDE.md"];
+    ALWAYS_NEVER_SYNC = /* @__PURE__ */ new Set([
+      ".claude.json",
+      ".credentials.json",
+      "settings.local.json",
+      "history.jsonl",
+      "stats-cache.json"
+    ]);
+    NEVER_SYNC = /* @__PURE__ */ new Set([
+      ".claude.json",
+      ".credentials.json",
+      "history.jsonl",
+      "settings.local.json",
+      "stats-cache.json",
+      "todos",
+      "shell-snapshots",
+      "debug",
+      "file-history",
+      "plans",
+      "session-env",
+      "statsig",
+      "telemetry",
+      "ide",
+      // Host-local caches and runtime state (sharedDirs guard also rejects these).
+      "cache",
+      "backups",
+      "paste-cache",
+      "daemon",
+      "jobs",
+      "tasks",
+      "security",
+      "sessions"
+    ]);
+    PUSH_ALLOWED_STATIC = [
+      "shared/CLAUDE.md",
+      "shared/my-statusline.cjs",
+      "shared/settings.base.json",
+      "shared/agents/",
+      "shared/skills/",
+      "shared/commands/",
+      "shared/rules/",
+      "shared/.gitignore",
+      "shared/hooks/",
+      "hosts/",
+      "path-map.json",
+      ".gitleaksignore",
+      // written by nomad push Allow action (D-04)
+      ".gitleaks.overlay.toml"
+      // user-owned gitleaks allowlist overlay layered on the bundled base
+    ];
+  }
+});
+
+// src/utils.json.ts
+import { readFileSync } from "node:fs";
+function readJson(path) {
+  const data = JSON.parse(readFileSync(path, "utf8"));
+  return data;
+}
+function readPathMap(mapPath) {
+  try {
+    return readJson(mapPath);
+  } catch (err) {
+    const verb = err instanceof SyntaxError ? "parse" : "read";
+    throw new NomadFatal(`could not ${verb} path-map.json: ${err.message}`);
+  }
+}
+function deepMerge(target, source) {
+  const out = { ...target };
+  for (const [key, value] of Object.entries(source)) {
+    const existing = out[key];
+    const bothObjects = value !== null && typeof value === "object" && !Array.isArray(value) && existing !== null && typeof existing === "object" && !Array.isArray(existing);
+    out[key] = bothObjects ? deepMerge(existing, value) : value;
+  }
+  return out;
+}
+var encodePath;
+var init_utils_json = __esm({
+  "src/utils.json.ts"() {
+    "use strict";
+    init_config();
+    init_utils();
+    encodePath = (absPath) => absPath.replaceAll("/", "-");
+  }
+});
+
+// src/utils.fs.ts
+import {
+  closeSync,
+  cpSync,
+  existsSync,
+  fsyncSync,
+  lstatSync,
+  mkdirSync,
+  openSync,
+  renameSync,
+  statSync,
+  symlinkSync,
+  writeFileSync
+} from "node:fs";
+import { dirname, join as join2, relative } from "node:path";
+function writeJsonAtomic(path, data) {
+  const mode = existsSync(path) ? statSync(path).mode & 511 : 384;
+  const tmp = `${path}.tmp.${process.pid}`;
+  const fd = openSync(tmp, "w", mode);
+  try {
+    writeFileSync(fd, JSON.stringify(data, null, 2) + "\n");
+    fsyncSync(fd);
+  } finally {
+    closeSync(fd);
+  }
+  renameSync(tmp, path);
+  const dirFd = openSync(dirname(path), "r");
+  try {
+    fsyncSync(dirFd);
+  } finally {
+    closeSync(dirFd);
+  }
+}
+function nowTimestamp() {
+  const d = /* @__PURE__ */ new Date();
+  const pad = (n) => n.toString().padStart(2, "0");
+  return d.getFullYear().toString() + pad(d.getMonth() + 1) + pad(d.getDate()) + "-" + pad(d.getHours()) + pad(d.getMinutes()) + pad(d.getSeconds());
+}
+function freshBackupTs(backupRoot) {
+  const base = nowTimestamp();
+  if (!existsSync(join2(backupRoot, base))) return base;
+  let n = 1;
+  while (existsSync(join2(backupRoot, `${base}-${n}`))) n++;
+  return `${base}-${n}`;
+}
+function ensureSymlink(linkPath, target) {
+  if (existsSync(linkPath)) {
+    if (lstatSync(linkPath).isSymbolicLink()) return;
+    die(`${linkPath} exists and is not a symlink. Move it aside first.`);
+  }
+  mkdirSync(dirname(linkPath), { recursive: true });
+  symlinkSync(target, linkPath);
+  log(`linked ${linkPath} -> ${target}`);
+}
+function backupBeforeWrite(absPath, ts) {
+  if (!existsSync(absPath)) return;
+  const rel = relative(CLAUDE_HOME, absPath);
+  if (rel.startsWith("..") || rel === "") return;
+  const backupRoot = join2(HOME, ".cache", "claude-nomad", "backup", ts);
+  const dst = join2(backupRoot, rel);
+  mkdirSync(dirname(dst), { recursive: true });
+  cpSync(absPath, dst, { recursive: true, force: false, preserveTimestamps: true });
+}
+function backupRepoWrite(absPath, ts, repoHome) {
+  if (!existsSync(absPath)) return;
+  const rel = relative(repoHome, absPath);
+  if (rel.startsWith("..") || rel === "") return;
+  const backupRoot = join2(HOME, ".cache", "claude-nomad", "backup", ts, "repo");
+  const dst = join2(backupRoot, rel);
+  mkdirSync(dirname(dst), { recursive: true });
+  cpSync(absPath, dst, { recursive: true, force: false, preserveTimestamps: true });
+}
+function backupExtrasWrite(absPath, ts, projectRoot) {
+  if (!existsSync(absPath)) return;
+  const rel = relative(projectRoot, absPath);
+  if (rel.startsWith("..") || rel === "") return;
+  const backupRoot = join2(HOME, ".cache", "claude-nomad", "backup", ts, "extras");
+  const dst = join2(backupRoot, encodePath(projectRoot), rel);
+  mkdirSync(dirname(dst), { recursive: true });
+  cpSync(absPath, dst, { recursive: true, force: false, preserveTimestamps: true });
+}
+var init_utils_fs = __esm({
+  "src/utils.fs.ts"() {
+    "use strict";
+    init_config();
+    init_utils_json();
+    init_utils();
+  }
+});
+
+// src/push-gitleaks.scan.ts
+import { execFileSync as execFileSync2 } from "node:child_process";
+import { existsSync as existsSync8, mkdirSync as mkdirSync2, readFileSync as readFileSync2, rmSync as rmSync3 } from "node:fs";
+import { homedir as homedir2 } from "node:os";
+import { join as join9 } from "node:path";
+import { fileURLToPath } from "node:url";
+function resolveTomlPath() {
+  const repoToml = join9(REPO_HOME, ".gitleaks.toml");
+  if (existsSync8(repoToml)) return repoToml;
+  const bundled = fileURLToPath(new URL("../.gitleaks.toml", import.meta.url));
+  return existsSync8(bundled) ? bundled : null;
+}
+function readGitleaksReport(reportPath) {
+  try {
+    const raw = readFileSync2(reportPath, "utf8");
+    const parsed = JSON.parse(raw);
+    if (!Array.isArray(parsed)) return null;
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+function scanStagedTree(repoDir, forwardStreams = false) {
+  const cacheDir = join9(homedir2(), ".cache", "claude-nomad");
+  mkdirSync2(cacheDir, { recursive: true });
+  const reportPath = join9(cacheDir, `gitleaks-${nowTimestamp()}-${process.pid}.json`);
+  const { path: toml, tempPath } = resolveTomlConfig();
+  const args = [
+    "protect",
+    "--staged",
+    "--redact",
+    "-v",
+    "--report-format=json",
+    `--report-path=${reportPath}`
+  ];
+  if (toml !== null) args.push("--config", toml);
+  const opts = { cwd: repoDir, stdio: ["ignore", "pipe", "pipe"] };
+  try {
+    execFileSync2("git", ["init", "-q"], opts);
+    execFileSync2("git", ["add", "-A"], opts);
+    execFileSync2("gitleaks", args, opts);
+    return [];
+  } catch (err) {
+    const e = err;
+    if (e.code === "ENOENT") throw err;
+    const report = readGitleaksReport(reportPath);
+    if (forwardStreams && report === null) {
+      if (e.stderr) process.stderr.write(e.stderr);
+      if (e.stdout) process.stdout.write(e.stdout);
+    }
+    return report;
+  } finally {
+    if (tempPath !== null) rmSync3(tempPath, { recursive: true, force: true });
+    rmSync3(reportPath, { force: true });
+  }
+}
+function scanFile(filePath, forwardStreams = false) {
+  const cacheDir = join9(homedir2(), ".cache", "claude-nomad");
+  mkdirSync2(cacheDir, { recursive: true });
+  const reportPath = join9(cacheDir, `gitleaks-file-${nowTimestamp()}-${process.pid}.json`);
+  const { path: toml, tempPath } = resolveTomlConfig();
+  const args = [
+    "detect",
+    "--no-git",
+    "--source",
+    filePath,
+    "--report-format=json",
+    `--report-path=${reportPath}`
+  ];
+  if (toml !== null) args.push("--config", toml);
+  const opts = { stdio: ["ignore", "pipe", "pipe"] };
+  try {
+    execFileSync2("gitleaks", args, opts);
+    return [];
+  } catch (err) {
+    const e = err;
+    if (e.code === "ENOENT") return null;
+    const report = readGitleaksReport(reportPath);
+    if (forwardStreams && report === null) {
+      if (e.stderr) process.stderr.write(e.stderr);
+      if (e.stdout) process.stdout.write(e.stdout);
+    }
+    return report;
+  } finally {
+    if (tempPath !== null) rmSync3(tempPath, { recursive: true, force: true });
+    rmSync3(reportPath, { force: true });
+  }
+}
+var init_push_gitleaks_scan = __esm({
+  "src/push-gitleaks.scan.ts"() {
+    "use strict";
+    init_config();
+    init_push_gitleaks_config();
+    init_utils_fs();
+  }
+});
+
+// src/push-gitleaks.config.ts
+import { existsSync as existsSync9, mkdtempSync, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "node:fs";
+import { tmpdir } from "node:os";
+import { join as join10 } from "node:path";
+function buildOverlayTempConfig(overlayBody, bundled) {
+  const tempBody = `[extend]
+path = ${JSON.stringify(bundled)}
+
+${overlayBody}`;
+  const tempPath = mkdtempSync(join10(tmpdir(), "nomad-gitleaks-cfg-"));
+  const configPath = join10(tempPath, "config.toml");
+  writeFileSync2(configPath, tempBody, { mode: 384, flag: "wx" });
+  return { configPath, tempPath };
+}
+function resolveTomlConfig() {
+  const overlayPath = join10(REPO_HOME, ".gitleaks.overlay.toml");
+  const repoToml = join10(REPO_HOME, ".gitleaks.toml");
+  const bundled = resolveTomlPath();
+  if (!existsSync9(overlayPath)) {
+    return { path: bundled, tempPath: null };
+  }
+  if (bundled === repoToml) {
+    warn(
+      ".gitleaks.overlay.toml ignored: REPO_HOME/.gitleaks.toml takes precedence (full manual control)"
+    );
+    return { path: bundled, tempPath: null };
+  }
+  if (bundled === null) {
+    return { path: null, tempPath: null };
+  }
+  try {
+    const overlayBody = readFileSync3(overlayPath, "utf8");
+    if (OVERLAY_EXTEND_RE.test(overlayBody)) {
+      throw new NomadFatal(
+        ".gitleaks.overlay.toml must not contain an [extend] block; it is generated automatically. Remove the [extend] section and retry."
+      );
+    }
+    const { configPath, tempPath } = buildOverlayTempConfig(overlayBody, bundled);
+    return { path: configPath, tempPath };
+  } catch (err) {
+    if (err instanceof NomadFatal) throw err;
+    warn(
+      `.gitleaks.overlay.toml merge failed (${err.message}); falling back to the bundled allowlist`
+    );
+    return { path: bundled, tempPath: null };
+  }
+}
+var OVERLAY_EXTEND_RE;
+var init_push_gitleaks_config = __esm({
+  "src/push-gitleaks.config.ts"() {
+    "use strict";
+    init_config();
+    init_push_gitleaks_scan();
+    init_utils();
+    OVERLAY_EXTEND_RE = /^\s*(?:\[\s*extend\s*\]|extend\s*[.=])/m;
+  }
+});
+
+// src/push-checks.ts
+import { execFileSync as execFileSync3 } from "node:child_process";
+import { readdirSync as readdirSync3, rmSync as rmSync4 } from "node:fs";
+import { homedir as homedir3, platform } from "node:os";
+import { join as join11 } from "node:path";
+function gitleaksInstallHint() {
+  const head = "gitleaks not on PATH (required for nomad push). Install:";
+  const plat = platform();
+  if (plat === "darwin") {
+    return `${head}
+  brew install gitleaks`;
+  }
+  if (plat === "linux") {
+    const archMap = { x64: "x64", arm64: "arm64", arm: "armv7" };
+    const arch = archMap[process.arch];
+    const lines = [
+      head,
+      arch ? `  1. Download the linux_${arch} tarball: https://github.com/gitleaks/gitleaks/releases` : `  1. Download the linux artifact for arch=${process.arch}: https://github.com/gitleaks/gitleaks/releases`,
+      "  2. Install (replace TARBALL with the path to your download):",
+      "       mkdir -p ~/.local/bin",
+      "       tar -xzf TARBALL -C ~/.local/bin gitleaks",
+      "       chmod +x ~/.local/bin/gitleaks",
+      "       ~/.local/bin/gitleaks version   # verify"
+    ];
+    const localBin = `${homedir3()}/.local/bin`;
+    const paths = (process.env.PATH ?? "").split(":");
+    if (!paths.includes(localBin)) {
+      lines.push(
+        "  3. ~/.local/bin is not on PATH; add to your shell rc:",
+        '       export PATH="$HOME/.local/bin:$PATH"'
+      );
+    }
+    return lines.join("\n");
+  }
+  return `${head}
+  See https://github.com/gitleaks/gitleaks/releases`;
+}
+function findGitlinks(dir) {
+  const hits = [];
+  function walk(current) {
+    let entries;
+    try {
+      entries = readdirSync3(current, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const e of entries) {
+      const p = join11(current, e.name);
+      if (e.name === ".git") {
+        hits.push(p);
+        continue;
+      }
+      if (e.isDirectory()) walk(p);
+    }
+  }
+  walk(dir);
+  return hits;
+}
+function probeGitleaks() {
+  const { path: toml, tempPath } = resolveTomlConfig();
+  const args = ["version"];
+  if (toml !== null) args.push("--config", toml);
+  try {
+    return execFileSync3("gitleaks", args, { stdio: ["ignore", "pipe", "pipe"] }).toString().trim();
+  } catch (err) {
+    const e = err;
+    if (e.code === "ENOENT") throw new NomadFatal(gitleaksInstallHint());
+    throw new NomadFatal(`gitleaks --version failed: ${e.message}`);
+  } finally {
+    if (tempPath !== null) rmSync4(tempPath, { recursive: true, force: true });
+  }
+}
+function rebaseBeforePush() {
+  try {
+    execFileSync3("git", ["pull", "--rebase", "--autostash"], {
+      cwd: REPO_HOME,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+  } catch (err) {
+    const e = err;
+    if (e.stderr) process.stderr.write(e.stderr);
+    throw new NomadFatal(
+      'rebase failed; if a conflict was reported, resolve it in ~/claude-nomad/ and run "git rebase --continue" (or "git rebase --abort" to give up). Re-run nomad push after resolution.'
+    );
+  }
+}
+var init_push_checks = __esm({
+  "src/push-checks.ts"() {
+    "use strict";
+    init_config();
+    init_push_gitleaks_config();
+    init_utils();
+  }
+});
+
+// src/push-gitleaks.ts
+function partitionFindings(findings) {
+  const bySession = /* @__PURE__ */ new Map();
+  const other = [];
+  for (const f of findings) {
+    const m = SESSION_PATH.exec(f.File);
+    if (m === null) {
+      other.push(f);
+      continue;
+    }
+    const sid = m[1];
+    if (sid === void 0) continue;
+    let counts = bySession.get(sid);
+    if (counts === void 0) {
+      counts = /* @__PURE__ */ new Map();
+      bySession.set(sid, counts);
+    }
+    counts.set(f.RuleID, (counts.get(f.RuleID) ?? 0) + 1);
+  }
+  return { bySession, other };
+}
+function formatOtherFinding(f) {
+  const loc = Number.isInteger(f.StartLine) && f.StartLine > 0 ? `:${f.StartLine}` : "";
+  return `  ${f.File}${loc}  ${f.RuleID}`;
+}
+function otherFindingHint(f) {
+  const m = SUBAGENT_SESSION_PATH.exec(f.File);
+  if (m !== null) {
+    const sid = m[1];
+    if (sid === void 0) return "  Review with: git diff --cached, then unstage manually.";
+    return `  Recover with: nomad drop-session ${sid}  (or: nomad redact ${sid})`;
+  }
+  return "  Review with: git diff --cached, then unstage manually.";
+}
+function buildSessionAwareFatal(bySession, other) {
+  if (bySession.size === 0) return LEGACY_FATAL;
+  const lines = [];
+  lines.push(
+    `gitleaks detected secrets in ${bySession.size} session transcript(s).`,
+    "nomad drop-session also clears each session's sibling subagent transcript directory."
+  );
+  for (const [sid, counts] of bySession) {
+    const summary = [...counts.entries()].map(([rule, n]) => `${rule} (${n})`).join(", ");
+    lines.push("", `Session ${sid}:`, `  ${summary}`, `  Recover with: nomad drop-session ${sid}`);
+  }
+  if (other.length > 0) {
+    for (const f of other) {
+      lines.push("", "Also found:", formatOtherFinding(f), otherFindingHint(f));
+    }
+  }
+  lines.push("", "After recovery, re-run nomad push.");
+  return lines.join("\n");
+}
+var SESSION_PATH, SUBAGENT_SESSION_PATH, LEGACY_FATAL;
+var init_push_gitleaks = __esm({
+  "src/push-gitleaks.ts"() {
+    "use strict";
+    init_config();
+    init_push_checks();
+    init_push_gitleaks_scan();
+    init_utils();
+    init_push_gitleaks_scan();
+    SESSION_PATH = /^shared\/projects\/[^/]+\/([^/]+)\.jsonl$/;
+    SUBAGENT_SESSION_PATH = /^shared\/projects\/[^/]+\/([^/]+)\//;
+    LEGACY_FATAL = "gitleaks detected secrets; review staged changes with git diff --cached and unstage offending files before retry";
+  }
+});
+
+// src/push-leak-verdict.ts
+var push_leak_verdict_exports = {};
+__export(push_leak_verdict_exports, {
+  failRow: () => failRow,
+  leakVerdictRow: () => leakVerdictRow,
+  noLeaksRow: () => noLeaksRow,
+  scanPushVerdict: () => scanPushVerdict,
+  verdictFromFindings: () => verdictFromFindings,
+  verdictScanError: () => verdictScanError
+});
+function leakVerdictRow(findings) {
+  const { bySession } = partitionFindings(findings);
+  const n = bySession.size > 0 ? bySession.size : findings.length;
+  return failRow(`gitleaks detected secrets in ${n} session transcript(s)`);
+}
+function leakFound(findings) {
+  const { bySession, other } = partitionFindings(findings);
+  return {
+    leak: true,
+    verdictRow: leakVerdictRow(findings),
+    recovery: buildSessionAwareFatal(bySession, other),
+    findings
+  };
+}
+function verdictFromFindings(findings) {
+  if (findings === null) {
+    process.exitCode = 1;
+    return {
+      leak: false,
+      verdictRow: failRow("scan failed, no parseable report"),
+      recovery: null,
+      findings: []
+    };
+  }
+  if (findings.length === 0) {
+    return { leak: false, verdictRow: noLeaksRow(), recovery: null, findings: [] };
+  }
+  process.exitCode = 1;
+  return leakFound(findings);
+}
+function verdictScanError(text) {
+  process.exitCode = 1;
+  return { leak: false, verdictRow: failRow(text), recovery: null, findings: [] };
+}
+function scanPushVerdict() {
+  let findings;
+  try {
+    findings = scanStagedTree(REPO_HOME, true);
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      return {
+        leak: true,
+        verdictRow: failRow("gitleaks not found"),
+        recovery: gitleaksInstallHint(),
+        findings: []
+      };
+    }
+    throw err;
+  }
+  if (findings === null) {
+    return {
+      leak: true,
+      verdictRow: failRow("scan failed, no parseable report"),
+      recovery: "gitleaks scan failed: no parseable JSON report. Review the gitleaks output above.",
+      findings: []
+    };
+  }
+  if (findings.length === 0) {
+    return { leak: false, verdictRow: noLeaksRow(), recovery: null, findings: [] };
+  }
+  return leakFound(findings);
+}
+var noLeaksRow, failRow;
+var init_push_leak_verdict = __esm({
+  "src/push-leak-verdict.ts"() {
+    "use strict";
+    init_color();
+    init_config();
+    init_push_checks();
+    init_push_gitleaks();
+    noLeaksRow = () => `${green(okGlyph)} no leaks`;
+    failRow = (text) => `${red(failGlyph)} ${text}`;
+  }
+});
+
+// src/commands.adopt.ts
+init_config();
+init_config_sharedDirs_guard();
+init_utils();
+init_utils_fs();
+init_utils_json();
+import { cpSync as cpSync2, existsSync as existsSync2, lstatSync as lstatSync2, rmSync } from "node:fs";
+import { join as join3 } from "node:path";
+var ADOPT_PUSH_HINT = "run `nomad push` to share with other hosts";
+function lexists(p) {
+  try {
+    lstatSync2(p);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function readMapIfPresent(repoHome) {
+  const mapPath = join3(repoHome, "path-map.json");
+  return existsSync2(mapPath) ? readPathMap(mapPath) : { projects: {} };
+}
+function isConfiguredTarget(name, map) {
+  return SHARED_LINKS.includes(name) || (map.sharedDirs?.includes(name) ?? false);
+}
+function isValidAdoptName(name) {
+  if (SHARED_LINKS.includes(name)) return true;
+  return isValidSharedDir(name);
+}
+function performAdoptMove(name, linkPath, sharedTarget) {
+  const backupBase = join3(HOME, ".cache", "claude-nomad", "backup");
+  const ts = freshBackupTs(backupBase);
+  backupBeforeWrite(linkPath, ts);
+  cpSync2(linkPath, sharedTarget, { recursive: true, force: true, preserveTimestamps: true });
+  rmSync(linkPath, { recursive: true, force: true });
+  ensureSymlink(linkPath, sharedTarget);
+  const rel = join3("shared", name);
+  gitOrFatal(["add", "--", rel], `git add shared/${name}`, REPO_HOME);
+  log(`adopted ${name}; ${ADOPT_PUSH_HINT}`);
+}
+function cmdAdopt(name, opts = {}) {
+  const dryRun = opts.dryRun === true;
+  if (!isValidAdoptName(name)) {
+    fail(`invalid name: ${JSON.stringify(name)}`);
+    process.exit(1);
+  }
+  const map = readMapIfPresent(REPO_HOME);
+  if (!isConfiguredTarget(name, map)) {
+    fail(
+      `${name}: not a configured shared target. Add it to sharedDirs in path-map.json first, then re-run adopt.`
+    );
+    process.exit(1);
+  }
+  const linkPath = join3(CLAUDE_HOME, name);
+  const sharedTarget = join3(REPO_HOME, "shared", name);
+  if (!existsSync2(linkPath)) {
+    log(`${name}: nothing to adopt (not present in ~/.claude/)`);
+    return;
+  }
+  if (lstatSync2(linkPath).isSymbolicLink()) {
+    log(`${name}: already adopted (already a symlink)`);
+    return;
+  }
+  if (lexists(sharedTarget)) {
+    fail(`${name}: shared/${name} already exists; would clobber. Remove it first.`);
+    process.exit(1);
+  }
+  if (dryRun) {
+    const backupBase = join3(HOME, ".cache", "claude-nomad", "backup");
+    const ts = freshBackupTs(backupBase);
+    log(`would backup: ${linkPath} -> backup/${ts}/${name}`);
+    log(`would move: ${linkPath} -> shared/${name}`);
+    log(`would stage: shared/${name}`);
+    return;
+  }
+  try {
+    performAdoptMove(name, linkPath, sharedTarget);
+  } catch (err) {
+    if (!(err instanceof NomadFatal)) throw err;
+    fail(err.message);
+    process.exitCode = 1;
+  }
+}
+
+// src/commands.clean.ts
+init_config();
+init_utils();
+import { existsSync as existsSync3, lstatSync as lstatSync3, readdirSync, rmSync as rmSync2, statSync as statSync2 } from "node:fs";
+import { join as join4 } from "node:path";
+var TS_SHAPE = /^\d{8}-\d{6}(-\d+)?$/;
+var DURATION_RE = /^(\d+)([dhm])$/;
+var UNIT_MS = { d: 864e5, h: 36e5, m: 6e4 };
+var CLEAN_DEFAULT_OLDER_THAN_MS = 14 * 24 * 60 * 60 * 1e3;
+function isTsDir(name) {
+  return TS_SHAPE.test(name);
+}
+function parseDuration(s) {
+  const m = DURATION_RE.exec(s);
+  if (!m) return null;
+  return Number(m[1]) * UNIT_MS[m[2]];
+}
+function listBackupDirs(backupBase) {
+  if (!existsSync3(backupBase)) return [];
+  return readdirSync(backupBase).filter(isTsDir).map((name) => ({ name, mtimeMs: statSync2(join4(backupBase, name)).mtimeMs })).sort((a, b) => b.mtimeMs - a.mtimeMs);
+}
+function prunableByAge(dirs, olderThanMs, nowMs) {
+  return dirs.filter((d) => nowMs - d.mtimeMs > olderThanMs).map((d) => d.name);
+}
+function prunableByCount(dirs, keep) {
+  return dirs.slice(keep).map((d) => d.name);
+}
+function safeDelete(backupBase, name) {
+  if (!isTsDir(name)) return;
+  const full = join4(backupBase, name);
+  const st = lstatSync3(full, { throwIfNoEntry: false });
+  if (!st || st.isSymbolicLink() || !st.isDirectory()) return;
+  rmSync2(full, { recursive: true, force: true });
+}
+function resolveTargets(dirs, olderThanMs, keep) {
+  if (keep !== void 0) return prunableByCount(dirs, keep);
+  return prunableByAge(dirs, olderThanMs, Date.now());
+}
+function cmdClean(opts, backupBase = BACKUP_BASE) {
+  const { dryRun, olderThan, keep } = opts;
+  if (olderThan !== void 0 && keep !== void 0) {
+    fail("--older-than and --keep are mutually exclusive");
+    process.exit(1);
+  }
+  let olderThanMs = CLEAN_DEFAULT_OLDER_THAN_MS;
+  if (olderThan !== void 0) {
+    const parsed = parseDuration(olderThan);
+    if (parsed === null) {
+      fail(`invalid --older-than duration: ${olderThan} (expected e.g. 14d, 24h, 30m)`);
+      process.exit(1);
+    }
+    olderThanMs = parsed;
+  }
+  const dirs = listBackupDirs(backupBase);
+  const targets = resolveTargets(dirs, olderThanMs, keep);
+  if (dryRun) {
+    for (const name of targets) log(`would remove ${name}`);
+    log(`dry-run: ${targets.length} backup(s) would be removed`);
+    return;
+  }
+  for (const name of targets) safeDelete(backupBase, name);
+  log(`removed ${targets.length} backup(s)`);
+}
+
+// src/commands.doctor.ts
+import { existsSync as existsSync18 } from "node:fs";
+import { join as join21 } from "node:path";
+
+// src/commands.doctor.checks.repo.ts
+init_color();
+init_config();
+import { existsSync as existsSync5, lstatSync as lstatSync4, statSync as statSync3 } from "node:fs";
+import { join as join6 } from "node:path";
+
+// src/commands.doctor.format.ts
+init_color();
+
+// src/output-tree.ts
+init_color();
+var FAIL_GLYPH_BARE = "\u2717";
+function section(header) {
+  return { header, items: [] };
+}
+function addItem(s, text) {
+  s.items.push(text);
+}
+function sectionFailed(s) {
+  return s.items.some((line) => line.includes(failGlyph));
+}
+function renderSection(s) {
+  const header = sectionFailed(s) ? `${red(FAIL_GLYPH_BARE)} ${s.header}` : s.header;
+  console.log(header);
+  const lastContent = s.items.reduce((acc, item, j) => item !== "" ? j : acc, -1);
+  for (let j = 0; j < s.items.length; j++) {
+    if (s.items[j] === "") console.log("");
+    else console.log(`${j === lastContent ? "  \u2514 " : "  \u251C "}${s.items[j]}`);
+  }
+}
+function renderTree(sections) {
+  const visible = sections.filter((s) => s.items.length > 0);
+  for (let i = 0; i < visible.length; i++) {
+    if (i > 0) console.log("");
+    renderSection(visible[i]);
+  }
+}
+var renderDoctor = renderTree;
+
+// src/commands.doctor.format.ts
+init_utils_json();
+function readJsonSafe(path, label, section2) {
+  try {
+    return readJson(path);
+  } catch (err) {
+    addItem(section2, `${red(failGlyph)} ${label} malformed JSON: ${err.message}`);
+    process.exitCode = 1;
+    return null;
+  }
+}
+
+// src/init.classify.ts
+init_config();
+init_utils_json();
+import { existsSync as existsSync4 } from "node:fs";
+import { join as join5 } from "node:path";
+function classifyRepoState(repoHome, host) {
+  const basePath = join5(repoHome, "shared", "settings.base.json");
+  const mapPath = join5(repoHome, "path-map.json");
+  const hostPath = join5(repoHome, "hosts", `${host}.json`);
+  const hasBase = existsSync4(basePath);
+  const hasMap = existsSync4(mapPath);
+  const hasHost = existsSync4(hostPath);
+  let mapEntryCount = 0;
+  if (hasMap) {
+    try {
+      const map = readJson(mapPath);
+      mapEntryCount = Object.keys(map.projects).length;
+    } catch {
+      mapEntryCount = 0;
+    }
+  }
+  if (!hasBase && mapEntryCount === 0) return "empty";
+  if (hasBase && mapEntryCount > 0 && hasHost) return "populated";
+  return "partial";
+}
+function reasonForPartial(repoHome, host) {
+  const basePath = join5(repoHome, "shared", "settings.base.json");
+  const mapPath = join5(repoHome, "path-map.json");
+  const hostPath = join5(repoHome, "hosts", `${host}.json`);
+  if (!existsSync4(basePath)) return "- shared/settings.base.json missing";
+  if (!existsSync4(mapPath)) return "- path-map.json missing";
+  let mapEntryCount;
+  try {
+    const map = readJson(mapPath);
+    mapEntryCount = Object.keys(map.projects).length;
+  } catch {
+    mapEntryCount = 0;
+  }
+  if (mapEntryCount === 0) return "- path-map.json.projects has no entries";
+  if (!existsSync4(hostPath)) return `- hosts/${host}.json missing`;
+  return "- partial state (unknown gap)";
+}
+
+// src/commands.doctor.checks.repo.ts
+function isOverrideActive() {
+  return Boolean(process.env.NOMAD_REPO);
+}
+function reportHostAndPaths(section2) {
+  addItem(section2, `${dim(infoGlyph)} host: ${cyan(HOST)}`);
+  addItem(
+    section2,
+    `${existsSync5(REPO_HOME) ? green(okGlyph) : yellow(warnGlyph)} repo: ${blue(REPO_HOME)}`
+  );
+  addItem(
+    section2,
+    `${existsSync5(CLAUDE_HOME) ? green(okGlyph) : yellow(warnGlyph)} claude home: ${blue(CLAUDE_HOME)}`
+  );
+}
+function reportRepoState(section2) {
+  const state = classifyRepoState(REPO_HOME, HOST);
+  const overrideLabel = isOverrideActive() ? " (NOMAD_REPO)" : "";
+  if (state === "populated") {
+    addItem(section2, `${green(okGlyph)} repo state: populated${overrideLabel}`);
+  } else if (state === "partial") {
+    addItem(
+      section2,
+      `${yellow(warnGlyph)} repo state: partial ${reasonForPartial(REPO_HOME, HOST)}${overrideLabel}`
+    );
+  } else {
+    addItem(
+      section2,
+      `${red(failGlyph)} repo state: empty - run 'nomad init' to scaffold${overrideLabel}`
+    );
+    process.exitCode = 1;
+  }
+}
+function repoHasSharedSource(name) {
+  return existsSync5(join6(REPO_HOME, "shared", name));
+}
+function classifySharedLink(name, p) {
+  let stat;
+  try {
+    stat = lstatSync4(p);
+  } catch (err) {
+    const code = err.code;
+    if (code === "ENOENT") {
+      return repoHasSharedSource(name) ? {
+        line: `${yellow(warnGlyph)} ${name}: missing (run \`nomad pull\` to restore)`,
+        fail: false
+      } : { line: `${dim(infoGlyph)} ${name}: not synced (nothing in shared/)`, fail: false };
+    }
+    return { line: `${red(failGlyph)} ${name}: could not stat (${String(code)})`, fail: true };
+  }
+  if (!stat.isSymbolicLink()) {
+    return {
+      line: `${red(failGlyph)} ${name}: NOT a symlink (blocks sync); run \`nomad adopt ${name}\` to fix`,
+      fail: true
+    };
+  }
+  return classifySymlinkTarget(name, p);
+}
+function classifySymlinkTarget(name, p) {
+  try {
+    statSync3(p);
+    return { line: `${green(okGlyph)} ${name}: symlink`, fail: false };
+  } catch (err) {
+    const code = err.code;
+    if (code === "ENOENT") {
+      return repoHasSharedSource(name) ? {
+        line: `${yellow(warnGlyph)} ${name}: broken symlink (target missing, run \`nomad pull\`)`,
+        fail: false
+      } : {
+        line: `${dim(infoGlyph)} ${name}: stale symlink (no longer in shared/, safe to remove)`,
+        fail: false
+      };
+    }
+    return {
+      line: `${yellow(warnGlyph)} ${name}: symlink target unreadable (${String(code)})`,
+      fail: false
+    };
+  }
+}
+function reportSharedLinks(section2, map) {
+  for (const name of allSharedLinks(map)) {
+    const p = join6(CLAUDE_HOME, name);
+    const { line, fail: fail2 } = classifySharedLink(name, p);
+    addItem(section2, line);
+    if (fail2) process.exitCode = 1;
+  }
+}
+
+// src/commands.doctor.checks.settings.ts
+init_color();
+init_config();
+import { existsSync as existsSync6, readdirSync as readdirSync2 } from "node:fs";
+import { join as join7 } from "node:path";
+function loadBaseSettings(section2) {
+  const basePath = join7(REPO_HOME, "shared", "settings.base.json");
+  if (!existsSync6(basePath)) {
+    addItem(section2, `${red(failGlyph)} shared/settings.base.json missing at ${blue(basePath)}`);
+    process.exitCode = 1;
+    return null;
+  }
+  return readJsonSafe(basePath, basePath, section2);
+}
+function loadAndReportSettings(section2) {
+  const settingsPath = join7(CLAUDE_HOME, "settings.json");
+  if (!existsSync6(settingsPath)) return null;
+  const settings = readJsonSafe(settingsPath, settingsPath, section2);
+  if (settings === null) return null;
+  const unknownKeys = Object.keys(settings).filter((k) => !KNOWN_SETTINGS_KEYS.has(k));
+  if (unknownKeys.length > 0) {
+    addItem(
+      section2,
+      `${yellow(warnGlyph)} settings.json has unknown keys (schema drift?): ${unknownKeys.join(", ")}`
+    );
+  } else {
+    addItem(section2, `${green(okGlyph)} settings.json schema: known keys only`);
+  }
+  return settings;
+}
+function reportHostOverrides(section2, base, settings) {
+  const hostFile = join7(REPO_HOME, "hosts", `${HOST}.json`);
+  let drift = [];
+  if (base !== null && settings !== null) {
+    const baseKeys = new Set(Object.keys(base));
+    drift = Object.keys(settings).filter((k) => !baseKeys.has(k));
+  }
+  if (existsSync6(hostFile)) {
+    if (readJsonSafe(hostFile, hostFile, section2) !== null) {
+      addItem(section2, `${green(okGlyph)} host overrides: ${blue(hostFile)}`);
+    }
+  } else if (drift.length > 0) {
+    addItem(
+      section2,
+      `${red(failGlyph)} no hosts/${HOST}.json AND settings.json has unbased keys ${JSON.stringify(drift)}`
+    );
+    const hostsDir = join7(REPO_HOME, "hosts");
+    if (existsSync6(hostsDir)) {
+      const cands = readdirSync2(hostsDir).filter((f) => f.endsWith(".json"));
+      if (cands.length > 0) addItem(section2, `${dim(infoGlyph)} candidates: ${cands.join(", ")}`);
+    }
+    process.exitCode = 1;
+  } else {
+    addItem(
+      section2,
+      `${green(okGlyph)} host overrides: none (base-only is fine, no settings drift)`
+    );
+  }
+}
+
+// src/commands.doctor.checks.pathmap.ts
+init_color();
+init_config();
+import { existsSync as existsSync7 } from "node:fs";
+import { join as join8 } from "node:path";
+init_utils_json();
+function reportMappedProjects(section2, map) {
+  const mapped = Object.entries(map.projects).filter(([, hosts]) => hosts[HOST]);
+  addItem(
+    section2,
+    `${dim(infoGlyph)} mapped projects for ${cyan(HOST)}: ${dim(String(mapped.length))}`
+  );
+  for (const [name, hosts] of mapped) {
+    addItem(section2, `      ${name} -> ${blue(hosts[HOST])}`);
+  }
+}
+function reportPathCollisions(section2, map) {
+  const seen = /* @__PURE__ */ new Map();
+  let collisionCount = 0;
+  for (const hosts of Object.values(map.projects)) {
+    for (const abspath of Object.values(hosts)) {
+      if (!abspath || abspath === "TBD") continue;
+      const encoded = encodePath(abspath);
+      const prior = seen.get(encoded);
+      if (prior !== void 0 && prior !== abspath) {
+        addItem(
+          section2,
+          `${red(failGlyph)} path-encoding collision: ${prior} and ${abspath} both encode to ${encoded}`
+        );
+        collisionCount++;
+      } else {
+        seen.set(encoded, abspath);
+      }
+    }
+  }
+  if (collisionCount > 0) process.exitCode = 1;
+  else addItem(section2, `${green(okGlyph)} path-encoding: no collisions`);
+}
+function reportPathMap(section2) {
+  const mapPath = join8(REPO_HOME, "path-map.json");
+  if (!existsSync7(mapPath)) {
+    addItem(section2, `${red(failGlyph)} path-map.json missing at ${blue(mapPath)}`);
+    process.exitCode = 1;
+    return;
+  }
+  const map = readJsonSafe(mapPath, mapPath, section2);
+  if (map === null) return;
+  const projects = map.projects;
+  if (projects === null || typeof projects !== "object" || Array.isArray(projects)) {
+    addItem(
+      section2,
+      `${red(failGlyph)} path-map.json invalid schema: "projects" must be an object`
+    );
+    process.exitCode = 1;
+    return;
+  }
+  for (const [name, hosts] of Object.entries(projects)) {
+    if (hosts === null || typeof hosts !== "object" || Array.isArray(hosts)) {
+      addItem(
+        section2,
+        `${red(failGlyph)} path-map.json invalid schema: project "${name}" hosts must be an object`
+      );
+      process.exitCode = 1;
+      return;
+    }
+    for (const [hostName, mappedPath] of Object.entries(hosts)) {
+      if (typeof mappedPath !== "string") {
+        addItem(
+          section2,
+          `${red(failGlyph)} path-map.json invalid schema: project "${name}" host "${hostName}" path must be a string`
+        );
+        process.exitCode = 1;
+        return;
+      }
+    }
+  }
+  reportMappedProjects(section2, map);
+  reportPathCollisions(section2, map);
+}
+function reportNeverSync(section2) {
+  addItem(section2, `${dim(infoGlyph)} never-sync items: ${[...NEVER_SYNC].join(", ")}`);
+}
+
+// src/commands.doctor.checks.repository.ts
+init_color();
+init_config();
+import { execFileSync as execFileSync4 } from "node:child_process";
+import { existsSync as existsSync10 } from "node:fs";
+import { join as join12, relative as relative2 } from "node:path";
+init_push_checks();
+init_utils();
+function reportGitleaksProbe(section2) {
+  try {
+    const v = execFileSync4("gitleaks", ["version"], { stdio: ["ignore", "pipe", "pipe"] }).toString().trim();
+    addItem(section2, `${green(okGlyph)} gitleaks: ${dim(v)}`);
+    return true;
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      addItem(section2, `${yellow(warnGlyph)} gitleaks: not on PATH (required for nomad push)`);
+    } else {
+      addItem(section2, `${red(failGlyph)} gitleaks: probe failed: ${err.message}`);
+      process.exitCode = 1;
+    }
+    return false;
+  }
+}
+function reportGitlinks(section2) {
+  const sharedDir = join12(REPO_HOME, "shared");
+  if (existsSync10(sharedDir)) {
+    const gitlinks = findGitlinks(sharedDir);
+    for (const p of gitlinks) {
+      const rel = relative2(REPO_HOME, p);
+      addItem(
+        section2,
+        `${red(failGlyph)} gitlink: ${blue(rel)} would push as submodule (run: rm -rf ${rel} or remove the nested repo)`
+      );
+    }
+    if (gitlinks.length > 0) {
+      process.exitCode = 1;
+    } else {
+      addItem(section2, `${green(okGlyph)} gitlink scan: no nested .git in shared/`);
+    }
+  }
+}
+function reportRemote(section2) {
+  try {
+    const url = execFileSync4("git", ["remote", "get-url", "origin"], {
+      cwd: REPO_HOME,
+      stdio: ["ignore", "pipe", "pipe"]
+    }).toString().trim();
+    addItem(section2, `${dim(infoGlyph)} remote origin: ${cyan(url)}`);
+  } catch {
+    addItem(section2, `${dim(infoGlyph)} remote origin: not configured`);
+  }
+}
+function reportRebaseClean(section2) {
+  try {
+    const status = gitStatusPorcelainZ(REPO_HOME);
+    if (status.length > 0) {
+      addItem(
+        section2,
+        `${yellow(warnGlyph)} ${blue("~/claude-nomad/")} has uncommitted changes (nomad push will --autostash these)`
+      );
+    }
+  } catch {
+  }
+}
+
+// src/commands.doctor.checks.backups.ts
+init_color();
+import { existsSync as existsSync11, lstatSync as lstatSync5, readdirSync as readdirSync4 } from "node:fs";
+import { join as join13 } from "node:path";
+init_config();
+var TS_SHAPE2 = /^\d{8}-\d{6}(-\d+)?$/;
+function safeReaddir(dir) {
+  try {
+    return readdirSync4(dir);
+  } catch {
+    return [];
+  }
+}
+var DOCTOR_BACKUP_COUNT_WARN = 20;
+var DOCTOR_BACKUP_SIZE_WARN_MB = 200;
+var BYTES_PER_MB = 1024 * 1024;
+function dirSizeBytes(dir) {
+  let bytes = 0;
+  for (const entry of safeReaddir(dir)) {
+    const full = join13(dir, entry);
+    const st = lstatSync5(full, { throwIfNoEntry: false });
+    if (!st) continue;
+    if (st.isSymbolicLink()) continue;
+    if (st.isDirectory()) bytes += dirSizeBytes(full);
+    else bytes += st.size;
+  }
+  return bytes;
+}
+function totalSizeMb(backupBase, dirs) {
+  let bytes = 0;
+  for (const name of dirs) bytes += dirSizeBytes(join13(backupBase, name));
+  return bytes / BYTES_PER_MB;
+}
+function reportBackupsCheck(section2, backupBase = BACKUP_BASE) {
+  if (!existsSync11(backupBase)) return;
+  const dirs = safeReaddir(backupBase).filter((n) => TS_SHAPE2.test(n));
+  const count = dirs.length;
+  const sizeMb = totalSizeMb(backupBase, dirs);
+  if (count > DOCTOR_BACKUP_COUNT_WARN || sizeMb > DOCTOR_BACKUP_SIZE_WARN_MB) {
+    addItem(
+      section2,
+      `${yellow(warnGlyph)} backups: ${count} dirs / ${sizeMb.toFixed(1)} MB (run 'nomad clean --backups')`
+    );
+  }
+}
+
+// src/commands.doctor.check-schema.ts
+init_color();
+import { execFileSync as execFileSync5 } from "node:child_process";
+import { existsSync as existsSync12 } from "node:fs";
+import { join as join14 } from "node:path";
+init_config();
+function fetchSchemaKeys() {
+  try {
+    const raw = execFileSync5("curl", ["-fsSL", "-m", "3", SETTINGS_SCHEMA_URL], {
+      stdio: ["ignore", "pipe", "pipe"]
+    }).toString();
+    const parsed = JSON.parse(raw);
+    if (typeof parsed.properties !== "object" || parsed.properties === null) return null;
+    return Object.keys(parsed.properties);
+  } catch {
+    return null;
+  }
+}
+function reportCheckSchema(section2) {
+  const settingsPath = join14(CLAUDE_HOME, "settings.json");
+  if (!existsSync12(settingsPath)) {
+    addItem(section2, `${dim(infoGlyph)} no ~/.claude/settings.json to check`);
+    return;
+  }
+  const settings = readJsonSafe(settingsPath, settingsPath, section2);
+  if (settings === null) return;
+  const liveKeys = fetchSchemaKeys();
+  if (liveKeys === null) {
+    addItem(
+      section2,
+      `${yellow(warnGlyph)} schema check skipped (offline, curl missing, or schema unreachable)`
+    );
+    return;
+  }
+  const liveSet = new Set(liveKeys);
+  const candidates = Object.keys(settings).filter((k) => !liveSet.has(k));
+  if (candidates.length === 0) {
+    addItem(section2, `${green(okGlyph)} settings.json keys all present in the published schema`);
+  } else {
+    addItem(
+      section2,
+      `${yellow(warnGlyph)} settings.json keys absent from published schema (APP_ONLY_KEYS candidates): ${candidates.join(", ")}`
+    );
+  }
+}
+
+// src/commands.doctor.check-shared.ts
+init_color();
+import { randomBytes } from "node:crypto";
+import { execFileSync as execFileSync6 } from "node:child_process";
+import { existsSync as existsSync14, mkdirSync as mkdirSync4, readdirSync as readdirSync6, rmSync as rmSync6 } from "node:fs";
+import { homedir as homedir4 } from "node:os";
+import { join as join17 } from "node:path";
+
+// src/commands.doctor.check-shared.scan.ts
+init_color();
+import { join as join15 } from "node:path";
+init_config();
+init_push_gitleaks();
+function scrubPath(logical, sid, logicalToEncoded) {
+  const encoded = logicalToEncoded.get(logical) ?? logical;
+  return join15(CLAUDE_HOME, "projects", encoded, `${sid}.jsonl`);
+}
+function reportSessionFindings(section2, bySession) {
+  for (const [sid, counts] of bySession) {
+    const summary = [...counts.entries()].map(([rule, n]) => `${rule} (${n})`).join(", ");
+    addItem(section2, `${red(failGlyph)} ${red(summary)} in session ${sid}`);
+  }
+  process.exitCode = 1;
+}
+function reportOtherFindings(section2, other) {
+  for (const f of other) {
+    addItem(section2, `${red(failGlyph)} ${red(f.RuleID)} leak in ${f.File}`);
+  }
+  process.exitCode = 1;
+}
+function reportRemediation(section2, bySession, logicalBySession, logicalToEncoded) {
+  addItem(section2, "");
+  addItem(section2, bold("Remediation"));
+  for (const [sid] of bySession) {
+    const logical = logicalBySession.get(sid);
+    if (logical !== void 0) {
+      const rotateLine = dim(
+        `- rotate the credential, then scrub ${scrubPath(logical, sid, logicalToEncoded)}`
+      );
+      addItem(section2, `  ${rotateLine}`);
+    }
+  }
+  addItem(section2, `  ${dim("- false positive? add a pattern to .gitleaks.toml")}`);
+}
+var SESSION_PATH_LOGICAL = /^shared\/projects\/([^/]+)\/([^/]+)\.jsonl$/;
+function emitClean(section2, staged) {
+  addItem(section2, `${green(okGlyph)} ${staged} project(s) scanned, no leaks`);
+}
+function buildLogicalBySession(findings) {
+  const logicalBySession = /* @__PURE__ */ new Map();
+  for (const f of findings) {
+    const m = SESSION_PATH_LOGICAL.exec(f.File);
+    if (m?.[2] !== void 0 && !logicalBySession.has(m[2])) {
+      logicalBySession.set(m[2], m[1] ?? "");
+    }
+  }
+  return logicalBySession;
+}
+function emitDescriptionLegend(section2, findings) {
+  const descByRule = /* @__PURE__ */ new Map();
+  for (const f of findings) {
+    if (f.Description && !descByRule.has(f.RuleID)) descByRule.set(f.RuleID, f.Description);
+  }
+  if (descByRule.size === 0) return;
+  addItem(section2, "");
+  addItem(section2, bold("Finding types"));
+  for (const [rule, desc] of descByRule) {
+    const ruleLabel = red(`- [${rule}]`);
+    addItem(section2, `  ${ruleLabel}: ${dim(desc)}`);
+  }
+}
+function scanAndReport(section2, tmpRoot, staged, logicalToEncoded) {
+  let findings;
+  try {
+    findings = scanStagedTree(tmpRoot);
+  } catch (err) {
+    addItem(section2, `${red(failGlyph)} scan failed: ${err.message}`);
+    process.exitCode = 1;
+    return;
+  }
+  if (findings === null) {
+    addItem(section2, `${red(failGlyph)} scan failed: no parseable gitleaks report`);
+    process.exitCode = 1;
+    return;
+  }
+  const { bySession, other } = partitionFindings(findings);
+  if (bySession.size === 0 && other.length === 0) {
+    emitClean(section2, staged);
+    return;
+  }
+  if (other.length > 0) reportOtherFindings(section2, other);
+  if (bySession.size > 0) reportSessionFindings(section2, bySession);
+  if (bySession.size > 0) {
+    reportRemediation(section2, bySession, buildLogicalBySession(findings), logicalToEncoded);
+  }
+  emitDescriptionLegend(section2, findings);
+}
+
+// src/commands.doctor.check-shared.ts
+init_config();
+
+// src/remap.ts
+init_config_sharedDirs_guard();
+init_config();
+init_utils();
+init_utils_fs();
+init_utils_json();
+import { cpSync as cpSync3, existsSync as existsSync13, mkdirSync as mkdirSync3, readdirSync as readdirSync5, rmSync as rmSync5, statSync as statSync4 } from "node:fs";
+import { join as join16, relative as relative3, sep } from "node:path";
+function copyDir(src, dst) {
+  rmSync5(dst, { recursive: true, force: true });
+  cpSync3(src, dst, { recursive: true, force: true });
+}
+function copyDirJsonlOnly(src, dst) {
+  rmSync5(dst, { recursive: true, force: true });
+  cpSync3(src, dst, {
+    recursive: true,
+    force: true,
+    filter: (srcPath) => {
+      const rel = relative3(src, srcPath);
+      if (rel === "") return true;
+      if (rel.split(sep).length > 1) return true;
+      if (statSync4(srcPath).isDirectory()) return true;
+      if (srcPath.endsWith(".jsonl")) return true;
+      log(`skip ${rel}: extension not in allowlist`);
+      return false;
+    }
+  });
+}
+function remapPull(ts, opts = {}) {
+  const dryRun = opts.dryRun === true;
+  let unmapped = 0;
+  const pulled = [];
+  const wouldPull = [];
+  const mapPath = join16(REPO_HOME, "path-map.json");
+  const repoProjects = join16(REPO_HOME, "shared", "projects");
+  if (!existsSync13(mapPath) || !existsSync13(repoProjects)) {
+    log("no path-map or repo projects dir; skipping session remap");
+    return { unmapped: 0, pulled, wouldPull };
+  }
+  const map = readJson(mapPath);
+  const localProjects = join16(CLAUDE_HOME, "projects");
+  if (!dryRun) mkdirSync3(localProjects, { recursive: true });
+  for (const [logical, hosts] of Object.entries(map.projects)) {
+    assertSafeLogical(logical);
+    const localPath = hosts[HOST];
+    if (!localPath || localPath === "TBD") {
+      unmapped++;
+      continue;
+    }
+    const src = join16(repoProjects, logical);
+    if (!existsSync13(src)) continue;
+    const dst = join16(localProjects, encodePath(localPath));
+    if (dryRun) {
+      wouldPull.push(logical);
+      log(`would overwrite: ${dst} (from ${src})`);
+      continue;
+    }
+    backupBeforeWrite(dst, ts);
+    copyDir(src, dst);
+    pulled.push(logical);
+  }
+  return { unmapped, pulled, wouldPull };
+}
+function buildReverseMap(map) {
+  const reverse = /* @__PURE__ */ new Map();
+  const encodedPaths = /* @__PURE__ */ new Map();
+  for (const [logical, hosts] of Object.entries(map.projects)) {
+    assertSafeLogical(logical);
+    const p = hosts[HOST];
+    if (!p || p === "TBD") continue;
+    const encoded = encodePath(p);
+    const prior = encodedPaths.get(encoded);
+    if (prior !== void 0) {
+      if (prior !== p) {
+        die(
+          `encoded-path collision in path-map.json: "${prior}" and "${p}" both encode to "${encoded}" (encodePath replaces every / with -). Edit path-map.json so the two paths do not encode identically. Run nomad doctor for the full list of collisions.`
+        );
+      }
+      die(
+        `duplicate path in path-map.json: logical names "${reverse.get(encoded)}" and "${logical}" both map to "${p}" for ${HOST}, so only one could be pushed and the other's shared/projects/ copy would be orphaned. Edit path-map.json so each host path maps to a single logical name.`
+      );
+    }
+    encodedPaths.set(encoded, p);
+    reverse.set(encoded, logical);
+  }
+  return reverse;
+}
+function remapPush(ts, opts = {}) {
+  const dryRun = opts.dryRun === true;
+  let unmapped = 0;
+  const pushed = [];
+  const wouldPush = [];
+  const mapPath = join16(REPO_HOME, "path-map.json");
+  if (!existsSync13(mapPath)) {
+    log("no path-map.json; skipping session export");
+    return { unmapped: 0, collisions: 0, pushed, wouldPush };
+  }
+  const map = readJson(mapPath);
+  const localProjects = join16(CLAUDE_HOME, "projects");
+  const repoProjects = join16(REPO_HOME, "shared", "projects");
+  const reverse = buildReverseMap(map);
+  if (!existsSync13(localProjects)) return { unmapped, collisions: 0, pushed, wouldPush };
+  if (!dryRun) mkdirSync3(repoProjects, { recursive: true });
+  for (const dir of readdirSync5(localProjects)) {
+    const logical = reverse.get(dir);
+    if (!logical) {
+      unmapped++;
+      continue;
+    }
+    const repoDst = join16(repoProjects, logical);
+    if (dryRun) {
+      wouldPush.push(logical);
+      continue;
+    }
+    backupRepoWrite(repoDst, ts, REPO_HOME);
+    copyDirJsonlOnly(join16(localProjects, dir), repoDst);
+    pushed.push(logical);
+  }
+  return { unmapped, collisions: 0, pushed, wouldPush };
+}
+
+// src/commands.doctor.check-shared.ts
+init_utils_fs();
+init_utils_json();
+function buildScanTree(tmpRoot) {
+  const logicalToEncoded = /* @__PURE__ */ new Map();
+  let staged = 0;
+  const mapPath = join17(REPO_HOME, "path-map.json");
+  if (!existsSync14(mapPath)) return { logicalToEncoded, staged, malformed: false };
+  let map;
+  try {
+    map = readJson(mapPath);
+  } catch {
+    return { logicalToEncoded, staged, malformed: true };
+  }
+  if (typeof map.projects !== "object" || map.projects === null) {
+    return { logicalToEncoded, staged, malformed: false };
+  }
+  const reverse = /* @__PURE__ */ new Map();
+  for (const [logical, hosts] of Object.entries(map.projects)) {
+    if (typeof hosts !== "object" || hosts === null) continue;
+    const p = hosts[HOST];
+    if (!p || p === "TBD") continue;
+    reverse.set(encodePath(p), logical);
+  }
+  const localProjects = join17(CLAUDE_HOME, "projects");
+  if (!existsSync14(localProjects)) return { logicalToEncoded, staged, malformed: false };
+  for (const dir of readdirSync6(localProjects)) {
+    const logical = reverse.get(dir);
+    if (!logical) continue;
+    copyDirJsonlOnly(join17(localProjects, dir), join17(tmpRoot, "shared", "projects", logical));
+    logicalToEncoded.set(logical, dir);
+    staged++;
+  }
+  return { logicalToEncoded, staged, malformed: false };
+}
+function probeGitleaksForScan() {
+  try {
+    execFileSync6("gitleaks", ["version"], { stdio: ["ignore", "pipe", "pipe"] });
+    return "ok";
+  } catch (err) {
+    if (err.code === "ENOENT") return "missing";
+    return { fail: err.message };
+  }
+}
+function ensureGitleaksReady(section2, gitleaksReady) {
+  if (gitleaksReady === true) return true;
+  const probe = probeGitleaksForScan();
+  if (probe === "missing") {
+    addItem(section2, `${yellow(warnGlyph)} gitleaks not on PATH; shared scan skipped`);
+    return false;
+  }
+  if (probe !== "ok") {
+    addItem(section2, `${red(failGlyph)} gitleaks probe failed: ${probe.fail}`);
+    process.exitCode = 1;
+    return false;
+  }
+  return true;
+}
+function reportCheckShared(section2, gitleaksReady) {
+  if (!ensureGitleaksReady(section2, gitleaksReady)) return;
+  const cacheDir = join17(homedir4(), ".cache", "claude-nomad");
+  mkdirSync4(cacheDir, { recursive: true });
+  const stamp = `${nowTimestamp()}-${process.pid}-${randomBytes(4).toString("hex")}`;
+  const reportPath = join17(cacheDir, `check-shared-${stamp}.json`);
+  const tmpRoot = join17(cacheDir, `check-shared-tree-${stamp}`);
+  try {
+    const { logicalToEncoded, staged, malformed } = buildScanTree(tmpRoot);
+    if (malformed) {
+      addItem(section2, `${red(failGlyph)} path-map.json malformed JSON; shared scan skipped`);
+      process.exitCode = 1;
+      return;
+    }
+    if (staged === 0) {
+      emitClean(section2, 0);
+      return;
+    }
+    scanAndReport(section2, tmpRoot, staged, logicalToEncoded);
+  } finally {
+    rmSync6(reportPath, { force: true });
+    rmSync6(tmpRoot, { recursive: true, force: true });
+  }
+}
+
+// src/commands.doctor.checks.hooks.scope.ts
+init_color();
+import { existsSync as existsSync15, readFileSync as readFileSync4, readdirSync as readdirSync7, realpathSync } from "node:fs";
+import { dirname as dirname2, extname, join as join18 } from "node:path";
+init_config();
+function typeFromPackageJson(pkgPath) {
+  try {
+    const parsed = JSON.parse(readFileSync4(pkgPath, "utf8"));
+    return parsed.type === "module" ? "esm" : "cjs";
+  } catch {
+    return "cjs";
+  }
+}
+function effectiveType(hookPath) {
+  const ext = extname(hookPath);
+  if (ext === ".mjs") return "esm";
+  if (ext === ".cjs") return "cjs";
+  let real;
+  try {
+    real = realpathSync(hookPath);
+  } catch {
+    return null;
+  }
+  let dir = dirname2(real);
+  for (; ; ) {
+    const pkg = join18(dir, "package.json");
+    if (existsSync15(pkg)) return typeFromPackageJson(pkg);
+    const parent = dirname2(dir);
+    if (parent === dir) return "cjs";
+    dir = parent;
+  }
+}
+function stripCommentsAndStrings(src) {
+  return src.replace(/\/\*[\s\S]*?\*\/|\/\/[^\n]*|'[^']*'|"[^"]*"|`[^`]*`/g, (match) => {
+    const open = match[0];
+    if (open === "'") return "''";
+    if (open === '"') return '""';
+    if (open === "`") return "``";
+    return " ";
+  });
+}
+function classifySource(src) {
+  const code = stripCommentsAndStrings(src);
+  const cjs = /\brequire\s*\(/.test(code) || /\bmodule\.exports\b/.test(code) || /\bexports\.\w/.test(code);
+  const esm = /^[^\S\r\n]*import\s/m.test(code) || /^[^\S\r\n]*export\s/m.test(code) || /\bimport\.meta\b/.test(code);
+  if (cjs && !esm) return "cjs";
+  if (esm && !cjs) return "esm";
+  if (cjs && esm) return "cjs";
+  return "unknown";
+}
+function remedy(family) {
+  return family === "cjs" ? 'rename to .cjs, or add { "type": "commonjs" } to the hooks dir' : "rename to .mjs (a synced hooks/ dir treats .js as CommonJS)";
+}
+function safeReaddir2(dir) {
+  try {
+    return readdirSync7(dir);
+  } catch {
+    return [];
+  }
+}
+function safeRead(path) {
+  try {
+    return readFileSync4(path, "utf8");
+  } catch {
+    return null;
+  }
+}
+function reportHookScopeCheck(section2) {
+  const hooksDir = join18(CLAUDE_HOME, "hooks");
+  if (!existsSync15(hooksDir)) {
+    addItem(section2, `${dim(infoGlyph)} no ~/.claude/hooks; skipping module-scope check`);
+    return;
+  }
+  let anyWarn = false;
+  for (const name of safeReaddir2(hooksDir)) {
+    if (extname(name) !== ".js") continue;
+    const abs = join18(hooksDir, name);
+    const eff = effectiveType(abs);
+    if (eff === null) continue;
+    const src = safeRead(abs);
+    if (src === null) continue;
+    const fam = classifySource(src);
+    if (fam === "unknown" || fam === eff) continue;
+    addItem(
+      section2,
+      `${yellow(warnGlyph)} hooks/${name}: ${fam} source loads as ${eff} (${remedy(fam)})`
+    );
+    anyWarn = true;
+  }
+  if (!anyWarn) {
+    addItem(section2, `${green(okGlyph)} hooks: module type consistent`);
+  }
+}
+
+// src/commands.doctor.checks.hooks.ts
+init_color();
+import { existsSync as existsSync16 } from "node:fs";
+import { join as join19 } from "node:path";
+init_config();
+function expandHome(token) {
+  return token.replace(/^\$\{HOME\}/, HOME).replace(/^\$HOME/, HOME).replace(/^~/, HOME);
+}
+function stripShellPunctuation(token) {
+  return token.replace(/^['"]+/, "").replace(/['"`;)|&>]+$/, "");
+}
+function* claudePathsIn(command) {
+  const claudePrefix = `${CLAUDE_HOME}/`;
+  for (const segment of command.split(/&&|\|\||;|\|/)) {
+    for (const raw of segment.trim().split(/\s+/).filter(Boolean)) {
+      const expanded = expandHome(stripShellPunctuation(raw));
+      if (expanded.startsWith(claudePrefix)) yield expanded;
+    }
+  }
+}
+function* commandsFromFlat(entries) {
+  for (const entry of entries) {
+    if (typeof entry !== "object" || entry === null) continue;
+    const e = entry;
+    if (e.type === "command" && typeof e.command === "string") yield e.command;
+  }
+}
+function* commandsFromGroup(group) {
+  if (typeof group !== "object" || group === null) return;
+  const g = group;
+  if (Array.isArray(g.hooks)) {
+    yield* commandsFromFlat(g.hooks);
+    return;
+  }
+  if (g.type === "command" && typeof g.command === "string") yield g.command;
+}
+function checkEventGroups(section2, event, groups) {
+  let anyFail = false;
+  for (const group of groups) {
+    for (const cmd of commandsFromGroup(group)) {
+      for (const resolved of claudePathsIn(cmd)) {
+        if (existsSync16(resolved)) continue;
+        addItem(section2, `${red(failGlyph)} hooks/${event}: command target missing: ${resolved}`);
+        process.exitCode = 1;
+        anyFail = true;
+      }
+    }
+  }
+  return anyFail;
+}
+function reportHooksTargetCheck(section2) {
+  const settingsPath = join19(CLAUDE_HOME, "settings.json");
+  if (!existsSync16(settingsPath)) {
+    addItem(section2, `${dim(infoGlyph)} no ~/.claude/settings.json; skipping hook target check`);
+    return;
+  }
+  const settings = readJsonSafe(settingsPath, settingsPath, section2);
+  if (settings === null) return;
+  const hooks = settings.hooks;
+  if (typeof hooks !== "object" || hooks === null || Array.isArray(hooks)) {
+    addItem(section2, `${green(okGlyph)} hooks: all command targets present`);
+    return;
+  }
+  let anyFail = false;
+  for (const [event, groups] of Object.entries(hooks)) {
+    if (!Array.isArray(groups)) continue;
+    if (checkEventGroups(section2, event, groups)) anyFail = true;
+  }
+  if (!anyFail) {
+    addItem(section2, `${green(okGlyph)} hooks: all command targets present`);
+  }
+}
+
+// src/commands.doctor.ts
+init_config();
+
+// src/commands.doctor.engine.ts
+init_color();
+import { readFileSync as readFileSync6 } from "node:fs";
+import { fileURLToPath as fileURLToPath3 } from "node:url";
+
+// src/commands.doctor.version.ts
+init_color();
+import { execFileSync as execFileSync7 } from "node:child_process";
+import { readFileSync as readFileSync5 } from "node:fs";
+import { fileURLToPath as fileURLToPath2 } from "node:url";
+var STRICT_SEMVER = /^\d+\.\d+\.\d+$/;
+var STRICT_SEMVER_PREFIX = /^(\d+\.\d+\.\d+)(?:[-+]|$)/;
+function compareSemver(a, b) {
+  if (!STRICT_SEMVER.test(a) || !STRICT_SEMVER.test(b)) return 0;
+  const [aMajor, aMinor, aPatch] = a.split(".").map((x) => Number.parseInt(x, 10));
+  const [bMajor, bMinor, bPatch] = b.split(".").map((x) => Number.parseInt(x, 10));
+  if (aMajor !== bMajor) return aMajor < bMajor ? -1 : 1;
+  if (aMinor !== bMinor) return aMinor < bMinor ? -1 : 1;
+  if (aPatch !== bPatch) return aPatch < bPatch ? -1 : 1;
+  return 0;
+}
+function readLocalVersion() {
+  try {
+    const pkgPath = fileURLToPath2(new URL("../package.json", import.meta.url));
+    const parsed = JSON.parse(readFileSync5(pkgPath, "utf8"));
+    if (typeof parsed.version === "string" && parsed.version.length > 0) {
+      return parsed.version;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function fetchLatestVersion() {
+  try {
+    const url = "https://registry.npmjs.org/claude-nomad/latest";
+    const raw = execFileSync7("curl", ["-fsSL", "-m", "3", url], {
+      stdio: ["ignore", "pipe", "pipe"]
+    }).toString();
+    const parsed = JSON.parse(raw);
+    if (typeof parsed.version !== "string") return null;
+    if (!STRICT_SEMVER.test(parsed.version)) return null;
+    return parsed.version;
+  } catch {
+    return null;
+  }
+}
+function reportVersionCheck(section2) {
+  const local = readLocalVersion();
+  if (local === null) return;
+  const localPure = STRICT_SEMVER_PREFIX.exec(local)?.[1] ?? null;
+  if (localPure === null) return;
+  const latest = fetchLatestVersion();
+  if (latest === null) return;
+  const cmp = compareSemver(localPure, latest);
+  if (cmp === 0) {
+    addItem(section2, `${green(okGlyph)} claude-nomad: ${local} (latest)`);
+  } else if (cmp === -1) {
+    addItem(
+      section2,
+      `${yellow(warnGlyph)} claude-nomad: ${local} -> ${latest} (run \`nomad update\`)`
+    );
+  } else {
+    addItem(
+      section2,
+      `${dim(infoGlyph)} claude-nomad: ${local} (ahead of latest release ${latest})`
+    );
+  }
+}
+
+// src/commands.doctor.engine.ts
+var ENGINES_GTE = /^>=\s*(\d+\.\d+\.\d+)$/;
+function parseMinVersion(spec) {
+  const m = ENGINES_GTE.exec(spec);
+  return m ? m[1] : null;
+}
+function readEnginesNode() {
+  try {
+    const pkgPath = fileURLToPath3(new URL("../package.json", import.meta.url));
+    const parsed = JSON.parse(readFileSync6(pkgPath, "utf8"));
+    const node = parsed.engines?.node;
+    if (typeof node === "string" && node.length > 0) return node;
+    return null;
+  } catch {
+    return null;
+  }
+}
+function reportNodeEngineCheck(section2) {
+  const required = readEnginesNode();
+  if (required === null) return;
+  const min = parseMinVersion(required);
+  if (min === null) return;
+  const current = process.version.replace(/^v/, "");
+  if (!/^\d+\.\d+\.\d+$/.test(current)) return;
+  const cmp = compareSemver(current, min);
+  if (cmp === -1) {
+    addItem(
+      section2,
+      `${yellow(warnGlyph)} node: ${process.version} (below required >=${min}, run \`nvm install\`)`
+    );
+    return;
+  }
+  addItem(section2, `${green(okGlyph)} node: ${process.version} (satisfies >=${min})`);
+}
+
+// src/commands.doctor.gitleaks-version.ts
+init_color();
+import { execFileSync as execFileSync8 } from "node:child_process";
+import { existsSync as existsSync17 } from "node:fs";
+import { join as join20 } from "node:path";
+init_config();
+var SEMVER_MAJOR_MINOR = /^(\d+)\.(\d+)\.\d+$/;
+var GITLEAKS_TIMEOUT_MS = 5e3;
+function majorMinorOf(value) {
+  const m = SEMVER_MAJOR_MINOR.exec(value);
+  return m === null ? null : [m[1], m[2]];
+}
+function readGitleaksVersion(run, tomlExists) {
+  const tomlPath = join20(REPO_HOME, ".gitleaks.toml");
+  const args = ["version"];
+  if (tomlExists(tomlPath)) args.push("--config", tomlPath);
+  try {
+    return run("gitleaks", args, {
+      stdio: ["ignore", "pipe", "pipe"],
+      timeout: GITLEAKS_TIMEOUT_MS
+    }).toString().trim();
+  } catch {
+    return null;
+  }
+}
+function reportGitleaksVersionCheck(section2, run = execFileSync8, tomlExists = existsSync17) {
+  const raw = readGitleaksVersion(run, tomlExists);
+  if (raw === null) return;
+  const local = majorMinorOf(raw);
+  if (local === null) return;
+  const pin = majorMinorOf(GITLEAKS_PINNED_VERSION);
+  if (pin === null) return;
+  const sameMajorMinor = local[0] === pin[0] && local[1] === pin[1];
+  if (sameMajorMinor) {
+    addItem(section2, `${green(okGlyph)} gitleaks: ${raw} (matches pinned ${pin[0]}.${pin[1]})`);
+    return;
+  }
+  addItem(
+    section2,
+    `${yellow(warnGlyph)} gitleaks: ${raw} -> ${GITLEAKS_PINNED_VERSION} (CI pins this; local drift may change scan results)`
+  );
+}
+
+// src/commands.doctor.checks.deps.ts
+init_color();
+import { execFileSync as execFileSync9 } from "node:child_process";
+var VERSION_TOKEN = /(\d{1,9}\.\d{1,9}\.\d{1,9})/;
+function parseFirstVersion(line) {
+  const m = VERSION_TOKEN.exec(line);
+  return m ? m[1] : null;
+}
+function probeOptionalDep(bin, run) {
+  try {
+    const firstLine = run(bin, ["--version"], { stdio: ["ignore", "pipe", "pipe"] }).toString().split("\n")[0].trim();
+    const version = parseFirstVersion(firstLine);
+    return { status: "present", version };
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      return { status: "not-installed" };
+    }
+    return { status: "present", version: null };
+  }
+}
+function reportOptionalDeps(section2, run = execFileSync9) {
+  const gh = probeOptionalDep("gh", run);
+  if (gh.status === "present") {
+    addItem(section2, `${green(okGlyph)} gh: ${gh.version ?? "present"}`);
+  } else {
+    addItem(
+      section2,
+      `${yellow(warnGlyph)} gh: not installed (optional; needed for nomad init Actions auto-disable + mirror-Actions drift check)`
+    );
+  }
+  const curl = probeOptionalDep("curl", run);
+  if (curl.status === "present") {
+    addItem(section2, `${green(okGlyph)} curl: ${curl.version ?? "present"}`);
+  } else {
+    addItem(
+      section2,
+      `${yellow(warnGlyph)} curl: not installed (optional; needed for release-version staleness check + nomad doctor --check-schema)`
+    );
+  }
+}
+
+// src/commands.doctor.mirror-actions.ts
+init_color();
+import { execFileSync as execFileSync11 } from "node:child_process";
+init_config();
+
+// src/gh-actions.ts
+import { execFileSync as execFileSync10 } from "node:child_process";
+var GH_TIMEOUT_MS = 5e3;
+function parseGitHubRemote(remoteUrl) {
+  const normalized = remoteUrl.trim().replace(/\/$/, "");
+  const m = /github\.com[:/]([^/]+)\/([^/]+?)(?:\.git)?$/.exec(normalized);
+  if (m === null) return null;
+  return { owner: m[1], repo: m[2] };
+}
+function ghAuthStatus(run = execFileSync10) {
+  try {
+    run("gh", ["auth", "status"], {
+      stdio: ["ignore", "ignore", "ignore"],
+      timeout: GH_TIMEOUT_MS
+    });
+    return null;
+  } catch (err) {
+    const e = err;
+    if (e.code === "ENOENT") return "gh-not-installed";
+    if (typeof e.status === "number") return "gh-not-authed";
+    return "gh-probe-error";
+  }
+}
+function isRepoPrivate(ref, run = execFileSync10) {
+  const out = run("gh", ["repo", "view", `${ref.owner}/${ref.repo}`, "--json", "isPrivate"], {
+    stdio: ["ignore", "pipe", "ignore"],
+    timeout: GH_TIMEOUT_MS
+  }).toString();
+  const parsed = JSON.parse(out);
+  return parsed.isPrivate === true;
+}
+function isActionsEnabled(ref, run = execFileSync10) {
+  const out = run(
+    "gh",
+    ["api", `repos/${ref.owner}/${ref.repo}/actions/permissions`, "--jq", ".enabled"],
+    { stdio: ["ignore", "pipe", "ignore"], timeout: GH_TIMEOUT_MS }
+  ).toString().trim();
+  return out === "true";
+}
+function disableActions(ref, run = execFileSync10) {
+  run(
+    "gh",
+    [
+      "api",
+      "-X",
+      "PUT",
+      `repos/${ref.owner}/${ref.repo}/actions/permissions`,
+      "-F",
+      "enabled=false"
+    ],
+    { stdio: ["ignore", "ignore", "pipe"], timeout: GH_TIMEOUT_MS }
+  );
+}
+function readOriginRemote(cwd, run = execFileSync10) {
+  return run("git", ["remote", "get-url", "origin"], {
+    cwd,
+    stdio: ["ignore", "pipe", "ignore"]
+  }).toString().trim();
+}
+
+// src/commands.doctor.mirror-actions.ts
+function reportMirrorActions(section2, run = execFileSync11) {
+  let remote;
+  try {
+    remote = readOriginRemote(REPO_HOME, run);
+  } catch {
+    return;
+  }
+  const ref = parseGitHubRemote(remote);
+  if (ref === null) return;
+  const auth = ghAuthStatus(run);
+  if (auth === "gh-not-installed" || auth === "gh-not-authed") return;
+  let isPrivate;
+  try {
+    isPrivate = isRepoPrivate(ref, run);
+  } catch {
+    return;
+  }
+  if (!isPrivate) return;
+  let enabled2;
+  try {
+    enabled2 = isActionsEnabled(ref, run);
+  } catch {
+    return;
+  }
+  if (!enabled2) return;
+  addItem(
+    section2,
+    `${yellow(warnGlyph)} mirror Actions: enabled on private mirror ${ref.owner}/${ref.repo} (re-disable with 'gh api -X PUT repos/${ref.owner}/${ref.repo}/actions/permissions -F enabled=false')`
+  );
+}
+
+// src/commands.doctor.ts
+function cmdDoctor(opts = {}) {
+  const host = section("Host");
+  reportHostAndPaths(host);
+  reportRepoState(host);
+  const links = section("Shared links");
+  const mapPath = join21(REPO_HOME, "path-map.json");
+  const rawMap = existsSync18(mapPath) ? readJsonSafe(mapPath, mapPath, links) : null;
+  const map = rawMap ?? { projects: {} };
+  reportSharedLinks(links, map);
+  const hooksScan = section("Hook targets");
+  reportHooksTargetCheck(hooksScan);
+  reportHookScopeCheck(hooksScan);
+  const settings = section("Settings");
+  const base = loadBaseSettings(settings);
+  const parsedSettings = loadAndReportSettings(settings);
+  reportHostOverrides(settings, base, parsedSettings);
+  const pathMap = section("Path map");
+  reportPathMap(pathMap);
+  const neverSync = section("Never-sync");
+  reportNeverSync(neverSync);
+  const repository = section("Repository");
+  const gitleaksReady = reportGitleaksProbe(repository);
+  reportGitlinks(repository);
+  reportRemote(repository);
+  reportRebaseClean(repository);
+  reportMirrorActions(repository);
+  const version = section("Version Checks");
+  reportVersionCheck(version);
+  reportNodeEngineCheck(version);
+  reportGitleaksVersionCheck(version);
+  reportOptionalDeps(version);
+  reportBackupsCheck(version);
+  const sharedScan = section("Shared scan");
+  if (opts.checkShared === true) reportCheckShared(sharedScan, gitleaksReady);
+  const schemaScan = section("Schema scan");
+  if (opts.checkSchema === true) reportCheckSchema(schemaScan);
+  renderDoctor([
+    version,
+    host,
+    links,
+    hooksScan,
+    settings,
+    pathMap,
+    neverSync,
+    repository,
+    sharedScan,
+    schemaScan
+  ]);
+}
+
+// src/commands.drop-session.ts
+init_config();
+import { execFileSync as execFileSync13 } from "node:child_process";
+import { existsSync as existsSync20, readdirSync as readdirSync8, statSync as statSync5 } from "node:fs";
+import { join as join24, relative as relative4 } from "node:path";
+
+// src/commands.drop-session.git.ts
+init_config();
+import { execFileSync as execFileSync12 } from "node:child_process";
+function expandStagedDir(dirRel) {
+  try {
+    const out = execFileSync12("git", ["ls-files", "-z", "--", dirRel], {
+      cwd: REPO_HOME,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    return out.toString().split("\0").filter((p) => p !== "");
+  } catch {
+    return [];
+  }
+}
+function isTrackedInHead(rel) {
+  try {
+    execFileSync12("git", ["cat-file", "-e", `HEAD:${rel}`], {
+      cwd: REPO_HOME,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function isInIndex(rel) {
+  try {
+    const out = execFileSync12("git", ["ls-files", "--", rel], {
+      cwd: REPO_HOME,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    return out.toString().trim() !== "";
+  } catch {
+    return false;
+  }
+}
+
+// src/commands.drop-session.scrub-hint.ts
+init_config();
+init_utils();
+init_utils_json();
+import { existsSync as existsSync19 } from "node:fs";
+import { join as join22 } from "node:path";
+var SHARED_PROJECT_LOGICAL = /^shared\/projects\/([^/]+)\//;
+function reportScrubHint(id, matches) {
+  const live = resolveLiveTranscript(id, matches);
+  const target = live ?? `~/.claude/projects/<encoded>/${id}.jsonl`;
+  log(
+    `note: this only un-stages the session from the next push.
+  The local source still contains the secret, so nomad push re-stages it
+  on the next run and nomad doctor --check-shared keeps reporting it.
+  To fully remediate: rotate the credential, then run:
+    nomad redact ${id}
+  (or scrub ${target} manually)`
+  );
+}
+function resolveLiveTranscript(id, matches) {
+  try {
+    const mapPath = join22(REPO_HOME, "path-map.json");
+    if (!existsSync19(mapPath)) return null;
+    const projects = readJson(mapPath).projects;
+    for (const rel of matches) {
+      const logical = SHARED_PROJECT_LOGICAL.exec(rel)?.[1];
+      if (logical === void 0) continue;
+      const abs = projects[logical]?.[HOST];
+      if (abs === void 0) continue;
+      const live = join22(CLAUDE_HOME, "projects", encodePath(abs), `${id}.jsonl`);
+      if (existsSync19(live)) return live;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+// src/commands.drop-session.ts
+init_utils();
+
+// src/utils.lockfile.ts
+init_config();
+init_utils();
+import { closeSync as closeSync2, mkdirSync as mkdirSync5, openSync as openSync2, readFileSync as readFileSync7, unlinkSync, writeFileSync as writeFileSync3 } from "node:fs";
+import { dirname as dirname3, join as join23 } from "node:path";
+var LOCK_PATH = join23(HOME, ".cache", "claude-nomad", "nomad.lock");
+function acquireLock(verb) {
+  mkdirSync5(dirname3(LOCK_PATH), { recursive: true });
+  try {
+    const fd = openSync2(LOCK_PATH, "wx");
+    try {
+      writeFileSync3(fd, String(process.pid));
+    } catch (writeErr) {
+      try {
+        closeSync2(fd);
+      } catch {
+      }
+      try {
+        unlinkSync(LOCK_PATH);
+      } catch {
+      }
+      throw writeErr;
+    }
+    return { fd };
+  } catch (err) {
+    const code = err.code;
+    if (code !== "EEXIST") throw err;
+    return checkStaleAndRetry(verb);
+  }
+}
+function releaseLock(handle) {
+  if (handle === null) return;
+  try {
+    closeSync2(handle.fd);
+  } catch {
+  }
+  try {
+    unlinkSync(LOCK_PATH);
+  } catch (err) {
+    if (err.code !== "ENOENT") throw err;
+  }
+}
+function unlinkIfSamePid(expectedPidStr) {
+  let current;
+  try {
+    current = readFileSync7(LOCK_PATH, "utf8").trim();
+  } catch {
+    return false;
+  }
+  if (current !== expectedPidStr) return false;
+  try {
+    unlinkSync(LOCK_PATH);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function checkStaleAndRetry(verb) {
+  let pidStr;
+  try {
+    pidStr = readFileSync7(LOCK_PATH, "utf8").trim();
+  } catch {
+    pidStr = "";
+  }
+  const pid = Number.parseInt(pidStr, 10);
+  if (!Number.isFinite(pid) || pid <= 0) {
+    if (unlinkIfSamePid(pidStr)) return retryOnce(verb);
+    warn(`another nomad ${verb} running, skipping`);
+    return null;
+  }
+  try {
+    process.kill(pid, 0);
+    warn(`another nomad ${verb} running, skipping`);
+    return null;
+  } catch (err) {
+    const code = err.code;
+    if (code === "ESRCH") {
+      if (unlinkIfSamePid(pidStr)) return retryOnce(verb);
+      warn(`another nomad ${verb} running, skipping`);
+      return null;
+    }
+    warn(`another nomad ${verb} running, skipping`);
+    return null;
+  }
+}
+function retryOnce(verb) {
+  try {
+    const fd = openSync2(LOCK_PATH, "wx");
+    try {
+      writeFileSync3(fd, String(process.pid));
+    } catch {
+      try {
+        closeSync2(fd);
+      } catch {
+      }
+      try {
+        unlinkSync(LOCK_PATH);
+      } catch {
+      }
+      warn(`another nomad ${verb} running, skipping`);
+      return null;
+    }
+    return { fd };
+  } catch {
+    warn(`another nomad ${verb} running, skipping`);
+    return null;
+  }
+}
+
+// src/commands.drop-session.ts
+function cmdDropSession(id) {
+  if (id.length === 0 || id.length > 128 || !/^[A-Za-z0-9_-]+$/.test(id)) {
+    fail(`invalid session id: ${id}`);
+    process.exit(1);
+  }
+  if (!existsSync20(REPO_HOME)) die(`repo not cloned at ${REPO_HOME}`);
+  const handle = acquireLock("drop-session");
+  if (handle === null) process.exit(0);
+  try {
+    const repoProjects = join24(REPO_HOME, "shared", "projects");
+    if (!existsSync20(repoProjects)) {
+      throw new NomadFatal(`no staged session matches ${id}`);
+    }
+    const matches = collectMatches(repoProjects, id);
+    if (matches.length === 0) {
+      throw new NomadFatal(`no staged session matches ${id}`);
+    }
+    for (const rel of matches) unstageOne(rel);
+    reportScrubHint(id, matches);
+  } catch (err) {
+    if (!(err instanceof NomadFatal)) {
+      throw err;
+    }
+    fail(err.message);
+    process.exitCode = 1;
+  } finally {
+    releaseLock(handle);
+  }
+}
+function collectMatches(repoProjects, id) {
+  const matches = [];
+  for (const logical of readdirSync8(repoProjects)) {
+    const candidate = join24(repoProjects, logical, `${id}.jsonl`);
+    if (existsSync20(candidate)) {
+      matches.push(relative4(REPO_HOME, candidate));
+    }
+    const dir = join24(repoProjects, logical, id);
+    if (existsSync20(dir) && statSync5(dir).isDirectory()) {
+      const dirRel = relative4(REPO_HOME, dir);
+      const staged = expandStagedDir(dirRel);
+      if (staged.length > 0) matches.push(...staged);
+      else matches.push(dirRel);
+    }
+  }
+  return matches;
+}
+function unstageOne(rel) {
+  if (!isInIndex(rel)) {
+    log(`dropped ${rel} (already absent from index)`);
+    return;
+  }
+  try {
+    if (isTrackedInHead(rel)) {
+      execFileSync13("git", ["restore", "--staged", "--worktree", "--", rel], {
+        cwd: REPO_HOME,
+        stdio: ["ignore", "pipe", "pipe"]
+      });
+    } else {
+      execFileSync13("git", ["rm", "--cached", "-f", "--", rel], {
+        cwd: REPO_HOME,
+        stdio: ["ignore", "pipe", "pipe"]
+      });
+    }
+  } catch (err) {
+    const e = err;
+    const detail = e.stderr?.toString().trim() ?? e.message;
+    throw new NomadFatal(`git failed to unstage ${rel}: ${detail}`);
+  }
+  log(`dropped ${rel}`);
+}
+
+// src/commands.redact.ts
+init_config();
+import { existsSync as existsSync21, readFileSync as readFileSync8, statSync as statSync6, writeFileSync as writeFileSync4 } from "node:fs";
+import { join as join26 } from "node:path";
+
+// src/commands.redact.core.ts
+init_config();
+import { appendFileSync } from "node:fs";
+import { join as join25 } from "node:path";
+function collectMatchIntervals(content, findings) {
+  const intervals = [];
+  for (const f of findings) {
+    const match = f.Match;
+    if (match === "") continue;
+    let from = 0;
+    let pos = content.indexOf(match, from);
+    while (pos !== -1) {
+      intervals.push({ start: pos, end: pos + match.length, ruleId: f.RuleID });
+      from = pos + match.length;
+      pos = content.indexOf(match, from);
+    }
+  }
+  return intervals;
+}
+function mergeIntervals(intervals) {
+  if (intervals.length === 0) return [];
+  const sorted = [...intervals].sort((a, b) => a.start - b.start || b.end - a.end);
+  let last = { ...sorted[0] };
+  const merged = [last];
+  for (let i = 1; i < sorted.length; i++) {
+    const cur = sorted[i];
+    if (cur.start <= last.end) {
+      if (cur.end > last.end) last.end = cur.end;
+    } else {
+      last = { ...cur };
+      merged.push(last);
+    }
+  }
+  return merged;
+}
+function applyRedactions(content, findings) {
+  const raw = collectMatchIntervals(content, findings);
+  if (raw.length === 0) return content;
+  const merged = mergeIntervals(raw);
+  let result = content;
+  for (let i = merged.length - 1; i >= 0; i--) {
+    const { start, end, ruleId } = merged[i];
+    result = result.slice(0, start) + `[REDACTED:${ruleId}]` + result.slice(end);
+  }
+  return result;
+}
+function formatFingerprint(fingerprint) {
+  return fingerprint.replace(/[\r\n]/g, "") + "\n";
+}
+function isRecentlyModified(mtimeMs, nowMs, thresholdMs = 5 * 60 * 1e3) {
+  return nowMs - mtimeMs < thresholdMs;
+}
+function appendGitleaksIgnore(fingerprint) {
+  appendFileSync(join25(REPO_HOME, ".gitleaksignore"), formatFingerprint(fingerprint), "utf8");
+}
+
+// src/commands.redact.ts
+init_push_gitleaks_scan();
+init_utils_fs();
+init_utils_json();
+init_utils();
+function resolveLiveTranscript2(id) {
+  try {
+    const mapPath = join26(REPO_HOME, "path-map.json");
+    if (!existsSync21(mapPath)) return null;
+    const projects = readJson(mapPath).projects;
+    for (const hostMap of Object.values(projects)) {
+      const abs = hostMap[HOST];
+      if (abs === void 0) continue;
+      const live = join26(CLAUDE_HOME, "projects", encodePath(abs), `${id}.jsonl`);
+      if (existsSync21(live)) return live;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function resolveRedactFindings(localPath, rawFindings, rule, scan) {
+  const source = rawFindings ?? scan(localPath);
+  if (source === null) return null;
+  return source.filter((f) => rule === void 0 || f.RuleID === rule);
+}
+function cmdRedact(opts, nowMs = Date.now, scan = scanFile) {
+  const { id, rule, dryRun = false, findings: rawFindings } = opts;
+  if (id.length === 0 || id.length > 128 || !/^[A-Za-z0-9_-]+$/.test(id)) {
+    fail(`invalid session id: ${id}`);
+    process.exit(1);
+  }
+  if (!existsSync21(REPO_HOME)) die(`repo not cloned at ${REPO_HOME}`);
+  const handle = acquireLock("redact");
+  if (handle === null) process.exit(0);
+  try {
+    const localPath = resolveLiveTranscript2(id);
+    if (localPath === null || !existsSync21(localPath)) {
+      fail(`could not resolve local transcript for session ${id} on this host`);
+      process.exitCode = 1;
+      return;
+    }
+    const mtimeMs = statSync6(localPath).mtimeMs;
+    if (isRecentlyModified(mtimeMs, nowMs())) {
+      log(
+        `session ${id} was modified recently and may be active.
+  Refusing to rewrite a potentially live transcript.
+  To proceed: wait for the session to end, then re-run nomad redact.
+  Or drop from the staged tree: nomad drop-session ${id}
+  Or skip this finding during nomad push.`
+      );
+      return;
+    }
+    const findings = resolveRedactFindings(localPath, rawFindings, rule, scan);
+    if (findings === null) {
+      fail(`gitleaks scan failed for session ${id} (is gitleaks installed?)`);
+      process.exitCode = 1;
+      return;
+    }
+    if (findings.length === 0) {
+      const ruleClause = rule === void 0 ? "" : ` for rule ${rule}`;
+      log(`no findings${ruleClause} in session ${id}`);
+      return;
+    }
+    if (dryRun) {
+      log(
+        `dry-run: would redact ${findings.length} finding(s) in ${localPath}
+` + findings.map((f) => `  line ${f.StartLine} [${f.RuleID}]`).join("\n")
+      );
+      return;
+    }
+    const backupBase = join26(HOME, ".cache", "claude-nomad", "backup");
+    const ts = freshBackupTs(backupBase);
+    backupBeforeWrite(localPath, ts);
+    const original = readFileSync8(localPath, "utf8");
+    const redacted = applyRedactions(original, findings);
+    writeFileSync4(localPath, redacted, "utf8");
+    log(`redacted ${findings.length} finding(s) in ${localPath} (backup: ${ts})`);
+  } catch (err) {
+    if (!(err instanceof NomadFatal)) {
+      throw err;
+    }
+    fail(err.message);
+    process.exitCode = 1;
+  } finally {
+    releaseLock(handle);
+  }
+}
+
+// src/commands.pull.ts
+import { existsSync as existsSync27, mkdirSync as mkdirSync7 } from "node:fs";
+import { join as join32 } from "node:path";
+
+// src/commands.push.sections.ts
+init_color();
+
+// src/summary.ts
+init_color();
+init_utils();
+function summaryText(verb, unmapped, collisions = 0, extrasSkipped = 0) {
+  const extras = extrasSkipped > 0 ? `, ${extrasSkipped} extras skipped` : "";
+  if (verb === "push") {
+    if (unmapped === 0 && collisions === 0 && extrasSkipped === 0) {
+      return { text: "summary: clean", clean: true };
+    }
+    const base = `summary: ${unmapped} unmapped on push, ${collisions} collisions`;
+    return { text: `${base}${extras} (run nomad doctor to list)`, clean: false };
+  }
+  if (unmapped === 0 && extrasSkipped === 0) {
+    return { text: "summary: clean", clean: true };
+  }
+  return {
+    text: `summary: ${unmapped} unmapped on ${verb}${extras} (run nomad doctor to list)`,
+    clean: false
+  };
+}
+function summaryRow(verb, unmapped, collisions = 0, extrasSkipped = 0) {
+  const { text, clean } = summaryText(verb, unmapped, collisions, extrasSkipped);
+  return clean ? `${green(okGlyph)} ${text}` : `${yellow(warnGlyph)} ${text}`;
+}
+function emitSummary(verb, unmapped, collisions = 0, extrasSkipped = 0) {
+  const { text, clean } = summaryText(verb, unmapped, collisions, extrasSkipped);
+  if (clean) {
+    ok(text);
+    return;
+  }
+  warn(text);
+}
+
+// src/commands.push.sections.ts
+function collapsedSkipRow(n, noun) {
+  if (n <= 0) return null;
+  return `${dim(infoGlyph)} ${n} ${noun}`;
+}
+function buildSettingsSection(label) {
+  const s = section("Settings");
+  addItem(s, `${green(okGlyph)} settings.json (base + ${label})`);
+  return s;
+}
+function buildSessionsSection(items, unmapped) {
+  const s = section("Sessions");
+  for (const logical of items) addItem(s, `${green(okGlyph)} ${logical}`);
+  const skip = collapsedSkipRow(unmapped, "not in path-map (run nomad doctor to list)");
+  if (skip !== null) addItem(s, skip);
+  return s;
+}
+function buildExtrasSection(items, extrasSkipped) {
+  const s = section("Extras");
+  for (const entry of items) addItem(s, `${green(okGlyph)} ${entry}`);
+  const skip = collapsedSkipRow(extrasSkipped, "extras skipped");
+  if (skip !== null) addItem(s, skip);
+  return s;
+}
+function syncedSections(st) {
+  const sessions = st.dryRun ? st.remap.wouldPush : st.remap.pushed;
+  const extras = st.dryRun ? st.extras.wouldPush : st.extras.pushed;
+  return [
+    buildSessionsSection(sessions, st.remap.unmapped),
+    buildExtrasSection(extras, st.extras.skipped)
+  ];
+}
+function summarySection(st) {
+  const s = section("Summary");
+  const unmapped = st.remap.unmapped + st.extras.unmapped;
+  addItem(s, summaryRow("push", unmapped, st.remap.collisions, st.extras.skipped));
+  return s;
+}
+function renderPushTree(st, verdict) {
+  const leakScan = section("Leak scan");
+  addItem(leakScan, verdict.verdictRow);
+  renderTree([...syncedSections(st), leakScan, summarySection(st)]);
+}
+function renderNoScanTree(st, opts = {}) {
+  const sections = [];
+  if (opts.noMapHint === true) {
+    const pathMap = section("Path map");
+    addItem(pathMap, `${dim(infoGlyph)} no path-map.json (nothing to preview)`);
+    sections.push(pathMap);
+  }
+  renderTree([...sections, ...syncedSections(st), summarySection(st)]);
+}
+
+// src/commands.pull.ts
+init_config();
+
+// src/extras-sync.ts
+init_config();
+import { existsSync as existsSync24 } from "node:fs";
+import { join as join29 } from "node:path";
+
+// src/extras-sync.diff.ts
+init_utils();
+import { execFileSync as execFileSync14 } from "node:child_process";
+function listDivergingFiles(a, b) {
+  try {
+    const stdout = execFileSync14("git", ["diff", "--no-index", "--name-only", a, b], {
+      stdio: ["ignore", "pipe", "pipe"]
+    }).toString();
+    return stdout.split("\n").filter((line) => line.length > 0);
+  } catch (err) {
+    const e = err;
+    if (e.status === 1 && e.stdout !== void 0) {
+      return e.stdout.toString().split("\n").filter((line) => line.length > 0);
+    }
+    if (e.code === "ENOENT") {
+      warn(`git not on PATH; divergence check skipped for ${a}`);
+      return [];
+    }
+    warn(`divergence check failed for ${a}: ${e.message ?? String(err)}`);
+    return [];
+  }
+}
+
+// src/extras-sync.core.ts
+init_config();
+import { cpSync as cpSync4, existsSync as existsSync22, rmSync as rmSync7 } from "node:fs";
+import { join as join27 } from "node:path";
+
+// src/extras-sync.guards.ts
+init_utils();
+init_config_sharedDirs_guard();
+import { isAbsolute, normalize } from "node:path";
+function assertSafeLocalRoot(localRoot, logical) {
+  if (!isAbsolute(localRoot)) {
+    throw new NomadFatal(
+      `invalid localRoot for ${logical} in path-map.json: ${JSON.stringify(localRoot)} (must be absolute)`
+    );
+  }
+  if (localRoot !== normalize(localRoot)) {
+    throw new NomadFatal(
+      `invalid localRoot for ${logical} in path-map.json: ${JSON.stringify(localRoot)} (must be already-normalized; no '..' or redundant segments)`
+    );
+  }
+}
+
+// src/extras-sync.core.ts
+init_utils();
+init_utils_json();
+function loadValidatedExtras(opts) {
+  const mapPath = join27(REPO_HOME, "path-map.json");
+  const repoExtras = join27(REPO_HOME, "shared", "extras");
+  if (!existsSync22(mapPath) || opts.requireRepoExtras === true && !existsSync22(repoExtras)) {
+    if (opts.missingMsg !== void 0) log(opts.missingMsg);
+    return null;
+  }
+  const map = readPathMap(mapPath);
+  const extrasMap = map.extras ?? {};
+  if (Object.keys(extrasMap).length === 0) return null;
+  for (const logical of Object.keys(extrasMap)) {
+    assertSafeLogical(logical);
+    const localRoot = map.projects[logical]?.[HOST];
+    if (localRoot && localRoot !== "TBD") assertSafeLocalRoot(localRoot, logical);
+  }
+  return { map, extrasMap };
+}
+function* eachExtrasTarget(v, counts) {
+  const whitelist = SUPPORTED_EXTRAS;
+  for (const [logical, dirnames] of Object.entries(v.extrasMap)) {
+    const localRoot = v.map.projects[logical]?.[HOST];
+    if (!localRoot || localRoot === "TBD") {
+      counts.unmapped++;
+      continue;
+    }
+    for (const dirname4 of dirnames) {
+      if (!whitelist.includes(dirname4)) {
+        counts.skipped++;
+        continue;
+      }
+      yield { logical, localRoot, dirname: dirname4 };
+    }
+  }
+}
+function copyExtras(src, dst) {
+  rmSync7(dst, { recursive: true, force: true });
+  cpSync4(src, dst, { recursive: true, force: true, verbatimSymlinks: true });
+}
+
+// src/extras-sync.ts
+init_utils();
+init_utils_json();
+
+// src/extras-sync.remap.ts
+init_config();
+import { existsSync as existsSync23, mkdirSync as mkdirSync6 } from "node:fs";
+import { join as join28 } from "node:path";
+init_utils_fs();
+function runExtrasOp(v, dryRun, paths, backup) {
+  const counts = { unmapped: 0, skipped: 0 };
+  const done = [];
+  const would = [];
+  for (const t of eachExtrasTarget(v, counts)) {
+    const { src, dst } = paths(t);
+    if (!existsSync23(src)) continue;
+    const item = `${t.logical}/${t.dirname}`;
+    if (dryRun) {
+      would.push(item);
+      continue;
+    }
+    backup(dst, t.localRoot);
+    copyExtras(src, dst);
+    done.push(item);
+  }
+  return { ...counts, done, would };
+}
+function remapExtrasPush(ts, opts = {}) {
+  const dryRun = opts.dryRun === true;
+  const v = loadValidatedExtras({ missingMsg: "no path-map.json; skipping extras push" });
+  if (v === null) return { unmapped: 0, skipped: 0, pushed: [], wouldPush: [] };
+  const repoExtras = join28(REPO_HOME, "shared", "extras");
+  if (!dryRun) mkdirSync6(repoExtras, { recursive: true });
+  const { unmapped, skipped, done, would } = runExtrasOp(
+    v,
+    dryRun,
+    ({ localRoot, logical, dirname: dirname4 }) => ({
+      src: join28(localRoot, dirname4),
+      dst: join28(repoExtras, logical, dirname4)
+    }),
+    (dst) => backupRepoWrite(dst, ts, REPO_HOME)
+  );
+  return { unmapped, skipped, pushed: done, wouldPush: would };
+}
+function remapExtrasPull(ts, opts = {}) {
+  const dryRun = opts.dryRun === true;
+  const v = loadValidatedExtras({
+    requireRepoExtras: true,
+    missingMsg: "no path-map or repo extras dir; skipping extras remap"
+  });
+  if (v === null) return { unmapped: 0, skipped: 0, pulled: [], wouldPull: [] };
+  const repoExtras = join28(REPO_HOME, "shared", "extras");
+  const { unmapped, skipped, done, would } = runExtrasOp(
+    v,
+    dryRun,
+    ({ localRoot, logical, dirname: dirname4 }) => ({
+      src: join28(repoExtras, logical, dirname4),
+      dst: join28(localRoot, dirname4)
+    }),
+    // Snapshot the host-side dst BEFORE copyExtras clobbers it. Anchor on
+    // localRoot so the backup tree mirrors the project layout.
+    (dst, localRoot) => backupExtrasWrite(dst, ts, localRoot)
+  );
+  return { unmapped, skipped, pulled: done, wouldPull: would };
+}
+
+// src/extras-sync.ts
+function divergenceCheckExtras(ts) {
+  const v = loadValidatedExtras({});
+  if (v === null) return;
+  const counts = { unmapped: 0, skipped: 0 };
+  const backupRoot = join29(HOME, ".cache", "claude-nomad", "backup", ts, "extras");
+  for (const { logical, localRoot, dirname: dirname4 } of eachExtrasTarget(v, counts)) {
+    const local = join29(localRoot, dirname4);
+    const repo = join29(REPO_HOME, "shared", "extras", logical, dirname4);
+    if (!existsSync24(local) || !existsSync24(repo)) continue;
+    const diff = listDivergingFiles(local, repo);
+    if (diff.length === 0) continue;
+    const projectBackupRoot = join29(backupRoot, encodePath(localRoot));
+    warn(
+      `local ${dirname4} for ${logical} diverges from origin in ${diff.length} file(s); next remapExtrasPull will overwrite them (backups at ${projectBackupRoot}/)`
+    );
+    for (const f of diff) warn(`  ${f}`);
+  }
+}
+
+// src/links.ts
+init_config();
+init_utils();
+init_utils_fs();
+init_utils_json();
+import { existsSync as existsSync25, lstatSync as lstatSync6, rmSync as rmSync8 } from "node:fs";
+import { join as join30 } from "node:path";
+function applySharedLinks(ts, map, opts = {}) {
+  const dryRun = opts.dryRun === true;
+  const linkNames = allSharedLinks(map);
+  for (const name of linkNames) {
+    const linkPath = join30(CLAUDE_HOME, name);
+    const target = join30(REPO_HOME, "shared", name);
+    if (!existsSync25(linkPath)) continue;
+    if (lstatSync6(linkPath).isSymbolicLink()) continue;
+    if (!existsSync25(target)) continue;
+    if (dryRun) {
+      log(`would auto-move non-symlink: ${linkPath} -> backup/${ts}/${name}`);
+      continue;
+    }
+    backupBeforeWrite(linkPath, ts);
+    rmSync8(linkPath, { recursive: true, force: true });
+  }
+  for (const name of linkNames) {
+    const target = join30(REPO_HOME, "shared", name);
+    if (!existsSync25(target)) continue;
+    if (dryRun) {
+      log(`would create symlink: ${join30(CLAUDE_HOME, name)} -> ${target}`);
+      continue;
+    }
+    ensureSymlink(join30(CLAUDE_HOME, name), target);
+  }
+}
+function regenerateSettings(ts, opts = {}) {
+  const dryRun = opts.dryRun === true;
+  const basePath = join30(REPO_HOME, "shared", "settings.base.json");
+  const hostPath = join30(REPO_HOME, "hosts", `${HOST}.json`);
+  if (!existsSync25(basePath)) {
+    die("repo not initialized; run 'nomad init' to scaffold");
+  }
+  const base = readJson(basePath);
+  const hasOverrides = existsSync25(hostPath);
+  const overrides = hasOverrides ? readJson(hostPath) : {};
+  const merged = deepMerge(base, overrides);
+  const settingsPath = join30(CLAUDE_HOME, "settings.json");
+  if (!hasOverrides && existsSync25(settingsPath)) {
+    try {
+      const existing = readJson(settingsPath);
+      const baseKeys = new Set(Object.keys(base));
+      const drift = Object.keys(existing).filter((k) => !baseKeys.has(k));
+      if (drift.length > 0) {
+        warn(
+          `no hosts/${HOST}.json found; existing settings has unbased keys ${JSON.stringify(drift)}. Set NOMAD_HOST to match a hosts/*.json or rerun 'nomad doctor' for candidates.`
+        );
+      }
+    } catch {
+      warn("existing settings.json is malformed; skipping drift-check and regenerating.");
+    }
+  }
+  const overrideLabel = hasOverrides ? `${HOST}.json` : "no host overrides";
+  if (dryRun) {
+    log(`would write settings.json (base + ${overrideLabel})`);
+    return { label: overrideLabel };
+  }
+  backupBeforeWrite(settingsPath, ts);
+  writeJsonAtomic(settingsPath, merged);
+  return { label: overrideLabel };
+}
+
+// src/preview.ts
+init_config();
+import { existsSync as existsSync26 } from "node:fs";
+import { join as join31 } from "node:path";
+
+// node_modules/diff/libesm/diff/base.js
+var Diff = class {
+  diff(oldStr, newStr, options = {}) {
+    let callback;
+    if (typeof options === "function") {
+      callback = options;
+      options = {};
+    } else if ("callback" in options) {
+      callback = options.callback;
+    }
+    const oldString = this.castInput(oldStr, options);
+    const newString = this.castInput(newStr, options);
+    const oldTokens = this.removeEmpty(this.tokenize(oldString, options));
+    const newTokens = this.removeEmpty(this.tokenize(newString, options));
+    return this.diffWithOptionsObj(oldTokens, newTokens, options, callback);
+  }
+  diffWithOptionsObj(oldTokens, newTokens, options, callback) {
+    var _a;
+    const done = (value) => {
+      value = this.postProcess(value, options);
+      if (callback) {
+        setTimeout(function() {
+          callback(value);
+        }, 0);
+        return void 0;
+      } else {
+        return value;
+      }
+    };
+    const newLen = newTokens.length, oldLen = oldTokens.length;
+    let editLength = 1;
+    let maxEditLength = newLen + oldLen;
+    if (options.maxEditLength != null) {
+      maxEditLength = Math.min(maxEditLength, options.maxEditLength);
+    }
+    const maxExecutionTime = (_a = options.timeout) !== null && _a !== void 0 ? _a : Infinity;
+    const abortAfterTimestamp = Date.now() + maxExecutionTime;
+    const bestPath = [{ oldPos: -1, lastComponent: void 0 }];
+    let newPos = this.extractCommon(bestPath[0], newTokens, oldTokens, 0, options);
+    if (bestPath[0].oldPos + 1 >= oldLen && newPos + 1 >= newLen) {
+      return done(this.buildValues(bestPath[0].lastComponent, newTokens, oldTokens));
+    }
+    let minDiagonalToConsider = -Infinity, maxDiagonalToConsider = Infinity;
+    const execEditLength = () => {
+      for (let diagonalPath = Math.max(minDiagonalToConsider, -editLength); diagonalPath <= Math.min(maxDiagonalToConsider, editLength); diagonalPath += 2) {
+        let basePath;
+        const removePath = bestPath[diagonalPath - 1], addPath = bestPath[diagonalPath + 1];
+        if (removePath) {
+          bestPath[diagonalPath - 1] = void 0;
+        }
+        let canAdd = false;
+        if (addPath) {
+          const addPathNewPos = addPath.oldPos - diagonalPath;
+          canAdd = addPath && 0 <= addPathNewPos && addPathNewPos < newLen;
+        }
+        const canRemove = removePath && removePath.oldPos + 1 < oldLen;
+        if (!canAdd && !canRemove) {
+          bestPath[diagonalPath] = void 0;
+          continue;
+        }
+        if (!canRemove || canAdd && removePath.oldPos < addPath.oldPos) {
+          basePath = this.addToPath(addPath, true, false, 0, options);
+        } else {
+          basePath = this.addToPath(removePath, false, true, 1, options);
+        }
+        newPos = this.extractCommon(basePath, newTokens, oldTokens, diagonalPath, options);
+        if (basePath.oldPos + 1 >= oldLen && newPos + 1 >= newLen) {
+          return done(this.buildValues(basePath.lastComponent, newTokens, oldTokens)) || true;
+        } else {
+          bestPath[diagonalPath] = basePath;
+          if (basePath.oldPos + 1 >= oldLen) {
+            maxDiagonalToConsider = Math.min(maxDiagonalToConsider, diagonalPath - 1);
+          }
+          if (newPos + 1 >= newLen) {
+            minDiagonalToConsider = Math.max(minDiagonalToConsider, diagonalPath + 1);
+          }
+        }
+      }
+      editLength++;
+    };
+    if (callback) {
+      (function exec() {
+        setTimeout(function() {
+          if (editLength > maxEditLength || Date.now() > abortAfterTimestamp) {
+            return callback(void 0);
+          }
+          if (!execEditLength()) {
+            exec();
+          }
+        }, 0);
+      })();
+    } else {
+      while (editLength <= maxEditLength && Date.now() <= abortAfterTimestamp) {
+        const ret = execEditLength();
+        if (ret) {
+          return ret;
+        }
+      }
+    }
+  }
+  addToPath(path, added, removed, oldPosInc, options) {
+    const last = path.lastComponent;
+    if (last && !options.oneChangePerToken && last.added === added && last.removed === removed) {
+      return {
+        oldPos: path.oldPos + oldPosInc,
+        lastComponent: { count: last.count + 1, added, removed, previousComponent: last.previousComponent }
+      };
+    } else {
+      return {
+        oldPos: path.oldPos + oldPosInc,
+        lastComponent: { count: 1, added, removed, previousComponent: last }
+      };
+    }
+  }
+  extractCommon(basePath, newTokens, oldTokens, diagonalPath, options) {
+    const newLen = newTokens.length, oldLen = oldTokens.length;
+    let oldPos = basePath.oldPos, newPos = oldPos - diagonalPath, commonCount = 0;
+    while (newPos + 1 < newLen && oldPos + 1 < oldLen && this.equals(oldTokens[oldPos + 1], newTokens[newPos + 1], options)) {
+      newPos++;
+      oldPos++;
+      commonCount++;
+      if (options.oneChangePerToken) {
+        basePath.lastComponent = { count: 1, previousComponent: basePath.lastComponent, added: false, removed: false };
+      }
+    }
+    if (commonCount && !options.oneChangePerToken) {
+      basePath.lastComponent = { count: commonCount, previousComponent: basePath.lastComponent, added: false, removed: false };
+    }
+    basePath.oldPos = oldPos;
+    return newPos;
+  }
+  equals(left, right, options) {
+    if (options.comparator) {
+      return options.comparator(left, right);
+    } else {
+      return left === right || !!options.ignoreCase && left.toLowerCase() === right.toLowerCase();
+    }
+  }
+  removeEmpty(array) {
+    const ret = [];
+    for (let i = 0; i < array.length; i++) {
+      if (array[i]) {
+        ret.push(array[i]);
+      }
+    }
+    return ret;
+  }
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  castInput(value, options) {
+    return value;
+  }
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  tokenize(value, options) {
+    return Array.from(value);
+  }
+  join(chars) {
+    return chars.join("");
+  }
+  postProcess(changeObjects, options) {
+    return changeObjects;
+  }
+  get useLongestToken() {
+    return false;
+  }
+  buildValues(lastComponent, newTokens, oldTokens) {
+    const components = [];
+    let nextComponent;
+    while (lastComponent) {
+      components.push(lastComponent);
+      nextComponent = lastComponent.previousComponent;
+      delete lastComponent.previousComponent;
+      lastComponent = nextComponent;
+    }
+    components.reverse();
+    const componentLen = components.length;
+    let componentPos = 0, newPos = 0, oldPos = 0;
+    for (; componentPos < componentLen; componentPos++) {
+      const component = components[componentPos];
+      if (!component.removed) {
+        if (!component.added && this.useLongestToken) {
+          let value = newTokens.slice(newPos, newPos + component.count);
+          value = value.map(function(value2, i) {
+            const oldValue = oldTokens[oldPos + i];
+            return oldValue.length > value2.length ? oldValue : value2;
+          });
+          component.value = this.join(value);
+        } else {
+          component.value = this.join(newTokens.slice(newPos, newPos + component.count));
+        }
+        newPos += component.count;
+        if (!component.added) {
+          oldPos += component.count;
+        }
+      } else {
+        component.value = this.join(oldTokens.slice(oldPos, oldPos + component.count));
+        oldPos += component.count;
+      }
+    }
+    return components;
+  }
+};
+
+// node_modules/diff/libesm/diff/line.js
+var LineDiff = class extends Diff {
+  constructor() {
+    super(...arguments);
+    this.tokenize = tokenize;
+  }
+  equals(left, right, options) {
+    if (options.ignoreWhitespace) {
+      if (!options.newlineIsToken || !left.includes("\n")) {
+        left = left.trim();
+      }
+      if (!options.newlineIsToken || !right.includes("\n")) {
+        right = right.trim();
+      }
+    } else if (options.ignoreNewlineAtEof && !options.newlineIsToken) {
+      if (left.endsWith("\n")) {
+        left = left.slice(0, -1);
+      }
+      if (right.endsWith("\n")) {
+        right = right.slice(0, -1);
+      }
+    }
+    return super.equals(left, right, options);
+  }
+};
+var lineDiff = new LineDiff();
+function diffLines(oldStr, newStr, options) {
+  return lineDiff.diff(oldStr, newStr, options);
+}
+function tokenize(value, options) {
+  if (options.stripTrailingCr) {
+    value = value.replace(/\r\n/g, "\n");
+  }
+  const retLines = [], linesAndNewlines = value.split(/(\n|\r\n)/);
+  if (!linesAndNewlines[linesAndNewlines.length - 1]) {
+    linesAndNewlines.pop();
+  }
+  for (let i = 0; i < linesAndNewlines.length; i++) {
+    const line = linesAndNewlines[i];
+    if (i % 2 && !options.newlineIsToken) {
+      retLines[retLines.length - 1] += line;
+    } else {
+      retLines.push(line);
+    }
+  }
+  return retLines;
+}
+
+// src/diff-lines.ts
+init_color();
+function diffLinesToUnified(oldStr, newStr) {
+  const parts = diffLines(oldStr, newStr);
+  const lines = [];
+  for (const part of parts) {
+    const partLines = part.value.split("\n");
+    if (partLines.at(-1) === "") {
+      partLines.pop();
+    }
+    let prefix;
+    if (part.removed) prefix = (line) => red(`-${line}`);
+    else if (part.added) prefix = (line) => green(`+${line}`);
+    else prefix = (line) => ` ${line}`;
+    for (const line of partLines) {
+      lines.push(prefix(line));
+    }
+  }
+  return lines;
+}
+
+// src/preview.ts
+init_utils();
+init_utils_json();
+function diffJsonStrings(currentJsonText, newJsonText) {
+  if (currentJsonText === newJsonText) return "";
+  const lines = [
+    "--- ~/.claude/settings.json",
+    "+++ would write",
+    ...diffLinesToUnified(currentJsonText, newJsonText)
+  ];
+  return lines.join("\n");
+}
+function readJsonOrNull(path) {
+  if (!existsSync26(path)) return null;
+  try {
+    return readJson(path);
+  } catch {
+    return null;
+  }
+}
+function previewSettings(basePath, hostPath, settingsPath) {
+  const base = readJsonOrNull(basePath);
+  if (base === null) {
+    log("settings.json: section skipped (base or current missing)");
+    return;
+  }
+  const hostOverrides = readJsonOrNull(hostPath);
+  if (hostOverrides === null && existsSync26(hostPath)) {
+    log(`settings.json: malformed hosts/${HOST}.json; ignoring overrides`);
+  }
+  const merged = deepMerge(base, hostOverrides ?? {});
+  const current = readJsonOrNull(settingsPath);
+  if (current === null && existsSync26(settingsPath)) {
+    log("settings.json: malformed; skipping diff");
+    return;
+  }
+  const diff = diffJsonStrings(
+    JSON.stringify(current ?? {}, null, 2),
+    JSON.stringify(merged, null, 2)
+  );
+  if (diff === "") {
+    log("settings.json: no changes");
+  } else {
+    log("settings.json:");
+    for (const line of diff.split("\n")) log(line);
+  }
+}
+function computePreview(ts, map) {
+  log(`would pull on host=${HOST} (dry-run; no mutation)`);
+  applySharedLinks(ts, map, { dryRun: true });
+  previewSettings(
+    join31(REPO_HOME, "shared", "settings.base.json"),
+    join31(REPO_HOME, "hosts", `${HOST}.json`),
+    join31(CLAUDE_HOME, "settings.json")
+  );
+  const remapResult = remapPull(ts, { dryRun: true });
+  return { unmapped: remapResult.unmapped, collisions: 0 };
+}
+
+// src/commands.pull.ts
+init_utils();
+init_utils_fs();
+init_utils_json();
+function applyWetPull(ts, map) {
+  applySharedLinks(ts, map);
+  const { label } = regenerateSettings(ts);
+  const remapResult = remapPull(ts);
+  const extrasResult = remapExtrasPull(ts);
+  const summary = section("Summary");
+  addItem(
+    summary,
+    summaryRow("pull", remapResult.unmapped + extrasResult.unmapped, 0, extrasResult.skipped)
+  );
+  renderTree([
+    buildSettingsSection(label),
+    buildSessionsSection(remapResult.pulled, remapResult.unmapped),
+    buildExtrasSection(extrasResult.pulled, extrasResult.skipped),
+    summary
+  ]);
+}
+function cmdPull(opts = {}) {
+  const dryRun = opts.dryRun === true;
+  if (!existsSync27(REPO_HOME)) die(`repo not cloned at ${REPO_HOME}`);
+  if (!existsSync27(join32(REPO_HOME, "shared", "settings.base.json"))) {
+    die("repo not initialized; run 'nomad init' to scaffold");
+  }
+  const handle = acquireLock("pull");
+  if (handle === null) process.exit(0);
+  try {
+    const ts = freshBackupTs(BACKUP_BASE);
+    if (!dryRun) {
+      const backupRoot = join32(BACKUP_BASE, ts);
+      try {
+        mkdirSync7(backupRoot, { recursive: true });
+      } catch (err) {
+        die(`could not create backup dir: ${err.message}`);
+      }
+    }
+    log(
+      dryRun ? `pulling on host=${HOST} (backup=${ts}; dry-run)` : `pull on host=${HOST} (backup=${ts})`
+    );
+    gitOrFatal(["pull", "--rebase", "--autostash"], "git pull --rebase", REPO_HOME);
+    const mapPath = join32(REPO_HOME, "path-map.json");
+    const map = existsSync27(mapPath) ? readPathMap(mapPath) : { projects: {} };
+    divergenceCheckExtras(ts);
+    if (dryRun) {
+      const previewResult = computePreview(ts, map);
+      log("dry-run complete; no mutation");
+      emitSummary("pull", previewResult.unmapped);
+    } else {
+      applyWetPull(ts, map);
+    }
+  } catch (err) {
+    if (err instanceof NomadFatal) {
+      fail(err.message);
+      process.exitCode = 1;
+    } else {
+      throw err;
+    }
+  } finally {
+    releaseLock(handle);
+  }
+}
+
+// src/commands.push.ts
+init_config();
+import { existsSync as existsSync29 } from "node:fs";
+import { join as join36, relative as relative5 } from "node:path";
+
+// src/commands.push.allowlist.ts
+init_config();
+init_config_sharedDirs_guard();
+init_utils();
+function isAllowed(path, allowed) {
+  for (const entry of allowed) {
+    if (path === entry) return true;
+    if (entry === "hosts/") {
+      if (/^hosts\/[^/]+\.json$/.test(path)) return true;
+      continue;
+    }
+    if (entry.endsWith("/") && path.startsWith(entry)) return true;
+  }
+  return false;
+}
+function isNeverSync(path) {
+  const blockSet = path.startsWith("shared/extras/") ? ALWAYS_NEVER_SYNC : NEVER_SYNC;
+  for (const segment of path.split("/")) {
+    if (blockSet.has(segment)) return true;
+  }
+  return false;
+}
+function parsePorcelainZ(statusPorcelain) {
+  const records = statusPorcelain.split("\0");
+  const paths = [];
+  for (let i = 0; i < records.length; i++) {
+    const rec = records[i];
+    if (rec === void 0 || rec === "") continue;
+    if (rec.length < 4) continue;
+    const xy = rec.slice(0, 2);
+    const newPath = rec.slice(3);
+    paths.push(newPath);
+    if (/[RC]/.test(xy)) {
+      const oldPath = records[i + 1];
+      if (oldPath !== void 0 && oldPath !== "") paths.push(oldPath);
+      i++;
+    }
+  }
+  return paths;
+}
+function enforceAllowList(statusPorcelain, map) {
+  const extrasWhitelist = SUPPORTED_EXTRAS;
+  const allowed = [
+    ...PUSH_ALLOWED_STATIC,
+    ...Object.keys(map.projects).map((l) => `shared/projects/${l}/`),
+    ...Object.entries(map.extras ?? {}).flatMap(
+      ([l, names]) => names.filter((n) => extrasWhitelist.includes(n)).flatMap((n) => [`shared/extras/${l}/${n}`, `shared/extras/${l}/${n}/`])
+    ),
+    ...(map.sharedDirs ?? []).filter((d) => isValidSharedDir(d)).map((d) => `shared/${d}/`)
+  ];
+  const neverSyncHits = [];
+  const violations = [];
+  for (const path of parsePorcelainZ(statusPorcelain)) {
+    if (isNeverSync(path)) {
+      neverSyncHits.push(path);
+    } else if (!isAllowed(path, allowed)) {
+      violations.push(path);
+    }
+  }
+  if (neverSyncHits.length === 0 && violations.length === 0) return;
+  for (const p of neverSyncHits) {
+    fail(`${p} is in NEVER_SYNC and must never be pushed`);
+  }
+  for (const p of violations) {
+    fail(`to sync ${p}, add to PUSH_ALLOWED in src/config.ts`);
+  }
+  throw new NomadFatal("push allow-list violations");
+}
+
+// src/commands.push.recovery.ts
+init_config();
+import { createInterface } from "node:readline/promises";
+
+// src/commands.push.recovery.redact.ts
+init_config();
+import { cpSync as cpSync5, readFileSync as readFileSync9, statSync as statSync7, writeFileSync as writeFileSync5 } from "node:fs";
+import { join as join33, sep as sep2 } from "node:path";
+init_push_gitleaks_scan();
+init_utils_fs();
+init_utils_json();
+init_utils();
+
+// src/commands.push.recovery.seams.ts
+init_push_gitleaks();
+function findingKey(f) {
+  return `${f.File}:${f.StartLine}:${f.StartColumn}:${f.RuleID}`;
+}
+var VALID_SID = /^[A-Za-z0-9_-]+$/;
+function sessionIdFromFinding(f) {
+  const m = SESSION_PATH.exec(f.File) ?? /^shared\/projects\/[^/]+\/([^/]+)\//.exec(f.File);
+  if (m === null) return null;
+  const sid = m[1];
+  return VALID_SID.test(sid) ? sid : null;
+}
+function parseAction(raw) {
+  const t = raw.trim().toLowerCase();
+  if (t === "r" || t === "redact") return "redact";
+  if (t === "a" || t === "allow") return "allow";
+  if (t === "d" || t === "drop") return "drop";
+  return "skip";
+}
+
+// src/commands.push.recovery.redact.ts
+function applyRedact(f, allFindings, ts, map, nowMs, scan = scanFile) {
+  const refuse = (msg) => {
+    log(msg);
+    return false;
+  };
+  const sid = sessionIdFromFinding(f);
+  if (sid === null) {
+    return refuse(
+      `could not locate the local transcript for this finding; choose Skip or Drop session.`
+    );
+  }
+  const localPath = resolveLiveTranscript2(sid);
+  if (localPath === null) {
+    return refuse(
+      `could not locate the local transcript for session ${sid}; choose Skip or Drop session.`
+    );
+  }
+  if (isRecentlyModified(statSync7(localPath).mtimeMs, nowMs())) {
+    return refuse(
+      `session ${sid} looks active (modified within the last 5 minutes); refusing to redact, no changes made.
+  End the session and choose Redact again, or choose Drop session (holds this session back from the push, local copy kept) or Skip.`
+    );
+  }
+  const realFindings = scan(localPath);
+  if (realFindings === null) {
+    return refuse(`re-scan of the transcript failed; choose Skip or Drop session.`);
+  }
+  if (realFindings.length === 0) {
+    return refuse(
+      `nothing to redact in the local transcript for session ${sid}; choose Skip or Drop session.`
+    );
+  }
+  backupBeforeWrite(localPath, ts);
+  writeFileSync5(localPath, applyRedactions(readFileSync9(localPath, "utf8"), realFindings), "utf8");
+  let copied = false;
+  for (const [logical, hostMap] of Object.entries(map.projects)) {
+    const abs = hostMap[HOST];
+    if (abs === void 0) continue;
+    if (localPath.startsWith(join33(CLAUDE_HOME, "projects", encodePath(abs)) + sep2)) {
+      cpSync5(localPath, join33(REPO_HOME, "shared", "projects", logical, `${sid}.jsonl`), {
+        force: true
+      });
+      copied = true;
+      break;
+    }
+  }
+  if (!copied) {
+    return refuse(
+      `could not map the local transcript for session ${sid} to a staged copy; choose Drop session or Skip.`
+    );
+  }
+  return true;
+}
+
+// src/commands.push.recovery.drop.ts
+init_config();
+import { rmSync as rmSync9 } from "node:fs";
+import { join as join34 } from "node:path";
+function dropSessionFromStaged(sid, map) {
+  const logicals = Object.keys(map.projects);
+  if (logicals.length === 0) return false;
+  for (const logical of logicals) {
+    const jsonl = join34(REPO_HOME, "shared", "projects", logical, `${sid}.jsonl`);
+    const dir = join34(REPO_HOME, "shared", "projects", logical, sid);
+    rmSync9(jsonl, { force: true });
+    rmSync9(dir, { recursive: true, force: true });
+  }
+  return true;
+}
+
+// src/commands.push.recovery.actions.ts
+init_push_gitleaks_scan();
+init_utils();
+function applyAllow(f) {
+  appendGitleaksIgnore(f.Fingerprint);
+}
+async function collectActions(findings, prompt) {
+  const actions = /* @__PURE__ */ new Map();
+  for (const f of findings) {
+    const sid = sessionIdFromFinding(f);
+    const header = `
+Finding: ${f.RuleID} in ${f.File} line ${f.StartLine}` + (sid === null ? "" : ` (session: ${sid})`) + "\n  [R]edact  [A]llow  [D]rop session  [S]kip (default)\n";
+    actions.set(findingKey(f), parseAction(await prompt(header + "> ")));
+  }
+  return actions;
+}
+function dispatchOne(f, ctx) {
+  const action = ctx.actions.get(findingKey(f)) ?? "skip";
+  if (action === "skip") return;
+  const sid = sessionIdFromFinding(f);
+  if (sid !== null && ctx.droppedSids.has(sid)) return;
+  if (action === "allow") {
+    applyAllow(f);
+    return;
+  }
+  if (sid === null) return;
+  if (action === "drop") {
+    ctx.droppedSids.add(sid);
+    if (ctx.drop(sid, ctx.map)) {
+      log(
+        `dropped session ${sid} from this push (local transcript kept; the secret remains in your local copy)`
+      );
+    }
+    return;
+  }
+  if (action === "redact" && !ctx.redactedSids.has(sid)) {
+    if (applyRedact(f, ctx.findings, ctx.ts, ctx.map, ctx.nowMs, ctx.scan))
+      ctx.redactedSids.add(sid);
+  }
+}
+function dispatchActions(findings, actions, ts, map, nowMs, scan = scanFile, drop = dropSessionFromStaged) {
+  const ctx = {
+    findings,
+    actions,
+    ts,
+    map,
+    nowMs,
+    scan,
+    drop,
+    redactedSids: /* @__PURE__ */ new Set(),
+    droppedSids: /* @__PURE__ */ new Set()
+  };
+  for (const f of findings) {
+    dispatchOne(f, ctx);
+  }
+}
+function redactAllFindings(findings, ts, map, nowMs, scan = scanFile) {
+  const redactedSids = /* @__PURE__ */ new Set();
+  for (const f of findings) {
+    const sid = sessionIdFromFinding(f);
+    if (sid === null || redactedSids.has(sid)) continue;
+    if (applyRedact(f, findings, ts, map, nowMs, scan)) redactedSids.add(sid);
+  }
+}
+
+// src/commands.push.recovery.ts
+init_push_gitleaks_scan();
+init_push_gitleaks();
+init_utils();
+function isTTY(stdin = process.stdin, stdout = process.stdout) {
+  return stdin.isTTY === true && stdout.isTTY === true;
+}
+function hasUnresolved(actions) {
+  for (const action of actions.values()) {
+    if (action === "skip") return true;
+  }
+  return false;
+}
+function printRecoveryLegend(print = console.log) {
+  print("");
+  print("Recovery actions:");
+  print("  Redact       - scrub the secret from the local transcript, push the cleaned copy");
+  print("  Allow        - mark as false positive (adds a .gitleaksignore fingerprint), push as-is");
+  print("  Drop session - exclude this session from this push (local transcript kept, running");
+  print("                 session is not stopped)");
+  print("  Skip         - leave unresolved (the push aborts)");
+  print("");
+}
+function makeRealPrompt() {
+  return async (prompt) => {
+    const rl = createInterface({
+      input: process.stdin,
+      output: process.stdout,
+      terminal: true
+    });
+    try {
+      return await rl.question(prompt);
+    } finally {
+      rl.close();
+    }
+  };
+}
+async function resolveLeakFindings(verdict, ts, map, deps = {}) {
+  const {
+    isTTYCheck = isTTY,
+    nowMs = Date.now,
+    redactAll = false,
+    makePrompt: makePromptFn = makeRealPrompt,
+    scan = scanFile,
+    printLegend = printRecoveryLegend
+  } = deps;
+  const scanVerdict = deps.scanVerdict ?? (await Promise.resolve().then(() => (init_push_leak_verdict(), push_leak_verdict_exports))).scanPushVerdict;
+  let current = verdict;
+  if (redactAll) {
+    redactAllFindings(current.findings, ts, map, nowMs, scan);
+    gitOrFatal(["add", "-A"], "git add", REPO_HOME);
+    const next = scanVerdict();
+    if (next.leak) {
+      const { bySession, other } = partitionFindings(next.findings);
+      throw new NomadFatal(buildSessionAwareFatal(bySession, other));
+    }
+    return next;
+  }
+  if (!isTTYCheck()) {
+    throw new NomadFatal(current.recovery ?? "gitleaks detected secrets");
+  }
+  const prompt = makePromptFn();
+  printLegend();
+  while (current.leak && current.findings.length > 0) {
+    const actions = await collectActions(current.findings, prompt);
+    if (hasUnresolved(actions)) {
+      const unresolved = current.findings.filter((f) => actions.get(findingKey(f)) === "skip");
+      const { bySession, other } = partitionFindings(unresolved);
+      throw new NomadFatal(buildSessionAwareFatal(bySession, other));
+    }
+    dispatchActions(current.findings, actions, ts, map, nowMs, scan);
+    gitOrFatal(["add", "-A"], "git add", REPO_HOME);
+    current = scanVerdict();
+  }
+  return current;
+}
+
+// src/commands.push.ts
+init_push_leak_verdict();
+init_push_checks();
+
+// src/push-preview.ts
+init_color();
+init_config();
+import { randomBytes as randomBytes2 } from "node:crypto";
+import { existsSync as existsSync28, mkdirSync as mkdirSync8, readdirSync as readdirSync9, rmSync as rmSync10 } from "node:fs";
+import { homedir as homedir5 } from "node:os";
+import { join as join35 } from "node:path";
+init_push_leak_verdict();
+init_push_gitleaks();
+init_utils_fs();
+init_utils_json();
+var NOTHING_TO_SCAN_ROW = `${dim(infoGlyph)} nothing to scan, no leaks`;
+function stageSessions(tmpRoot, map) {
+  if (typeof map.projects !== "object" || map.projects === null) return 0;
+  const reverse = /* @__PURE__ */ new Map();
+  for (const [logical, hosts] of Object.entries(map.projects)) {
+    assertSafeLogical(logical);
+    const p = hosts[HOST];
+    if (!p || p === "TBD") continue;
+    reverse.set(encodePath(p), logical);
+  }
+  const localProjects = join35(CLAUDE_HOME, "projects");
+  if (!existsSync28(localProjects)) return 0;
+  let staged = 0;
+  for (const dir of readdirSync9(localProjects)) {
+    const logical = reverse.get(dir);
+    if (!logical) continue;
+    copyDirJsonlOnly(join35(localProjects, dir), join35(tmpRoot, "shared", "projects", logical));
+    staged++;
+  }
+  return staged;
+}
+function stageExtras(tmpRoot, map) {
+  if (typeof map.projects !== "object" || map.projects === null) return 0;
+  const extrasMap = map.extras ?? {};
+  const whitelist = SUPPORTED_EXTRAS;
+  let staged = 0;
+  for (const [logical, dirnames] of Object.entries(extrasMap)) {
+    assertSafeLogical(logical);
+    const localRoot = map.projects[logical]?.[HOST];
+    if (!localRoot || localRoot === "TBD") continue;
+    for (const dirname4 of dirnames) {
+      if (!whitelist.includes(dirname4)) continue;
+      const src = join35(localRoot, dirname4);
+      if (!existsSync28(src)) continue;
+      const dst = join35(tmpRoot, "shared", "extras", logical, dirname4);
+      copyExtras(src, dst);
+      staged++;
+    }
+  }
+  return staged;
+}
+function previewPushLeaks(map) {
+  const cacheDir = join35(homedir5(), ".cache", "claude-nomad");
+  mkdirSync8(cacheDir, { recursive: true });
+  const stamp = `${nowTimestamp()}-${process.pid}-${randomBytes2(4).toString("hex")}`;
+  const tmpRoot = join35(cacheDir, `push-preview-tree-${stamp}`);
+  try {
+    const sessionCount = stageSessions(tmpRoot, map);
+    const extrasCount = stageExtras(tmpRoot, map);
+    if (sessionCount + extrasCount === 0) {
+      return { leak: false, verdictRow: NOTHING_TO_SCAN_ROW, recovery: null, findings: [] };
+    }
+    let findings;
+    try {
+      findings = scanStagedTree(tmpRoot);
+    } catch (err) {
+      if (err.code === "ENOENT") {
+        return verdictScanError("scan error (git or gitleaks not on PATH)");
+      }
+      return verdictScanError(`scan error: ${err.message}`);
+    }
+    return verdictFromFindings(findings);
+  } finally {
+    rmSync10(tmpRoot, { recursive: true, force: true });
+  }
+}
+
+// src/commands.push.ts
+init_utils();
+init_utils_fs();
+init_utils_json();
+function guardGitlinks() {
+  const gitlinks = findGitlinks(join36(REPO_HOME, "shared"));
+  if (gitlinks.length === 0) return;
+  for (const p of gitlinks) {
+    const rel = relative5(REPO_HOME, p);
+    fail(`gitlink: ${rel} would push as submodule (run: rm -rf ${rel} or remove the nested repo)`);
+  }
+  const noun = gitlinks.length === 1 ? "entry" : "entries";
+  throw new NomadFatal(
+    `gitlink trap: ${gitlinks.length} nested .git ${noun} in shared/; remove before retry`
+  );
+}
+async function commitAndPush(st, ts, map, redactAll) {
+  gitOrFatal(["add", "-A"], "git add", REPO_HOME);
+  let verdict = scanPushVerdict();
+  if (verdict.leak) {
+    renderPushTree(st, verdict);
+    verdict = await resolveLeakFindings(verdict, ts, map, { redactAll });
+  }
+  gitOrFatal(["commit", "-m", `chore: sync from ${HOST}`], "git commit", REPO_HOME);
+  gitOrFatal(["push"], "git push", REPO_HOME);
+  renderPushTree(st, verdict);
+}
+function runDryRunPreview(st, map) {
+  if (map === null) {
+    renderNoScanTree(st, { noMapHint: true });
+    return;
+  }
+  const verdict = previewPushLeaks(map);
+  renderPushTree(st, verdict);
+  if (verdict.recovery !== null) fail(verdict.recovery);
+}
+async function cmdPush(opts = {}) {
+  const dryRun = opts.dryRun === true;
+  const redactAll = opts.redactAll === true;
+  if (!existsSync29(REPO_HOME)) die(`repo not cloned at ${REPO_HOME}`);
+  const handle = acquireLock("push");
+  if (handle === null) process.exit(0);
+  try {
+    console.log(dryRun ? `push on host=${HOST} (dry-run)` : `push on host=${HOST}`);
+    probeGitleaks();
+    rebaseBeforePush();
+    const ts = freshBackupTs(BACKUP_BASE);
+    const remap = remapPush(ts, { dryRun });
+    const extras = remapExtrasPush(ts, { dryRun });
+    const st = { dryRun, remap, extras };
+    guardGitlinks();
+    const status = gitStatusPorcelainZ(REPO_HOME, { untrackedAll: true });
+    if (!dryRun && !status) {
+      log("nothing to commit");
+      renderNoScanTree(st);
+      return;
+    }
+    const mapPath = join36(REPO_HOME, "path-map.json");
+    if (!existsSync29(mapPath)) {
+      if (dryRun) return runDryRunPreview(st, null);
+      die("path-map.json missing, cannot enforce push allow-list");
+    }
+    const map = readPathMap(mapPath);
+    if (status) enforceAllowList(status, map);
+    if (dryRun) return runDryRunPreview(st, map);
+    await commitAndPush(st, ts, map, redactAll);
+  } catch (err) {
+    if (err instanceof NomadFatal) {
+      fail(err.message);
+      process.exitCode = 1;
+    } else {
+      throw err;
+    }
+  } finally {
+    releaseLock(handle);
+  }
+}
+
+// src/commands.update.ts
+import { execFileSync as execFileSync15 } from "node:child_process";
+init_utils();
+function cmdUpdate(run = execFileSync15) {
+  try {
+    run("npm", ["update", "-g", "claude-nomad"], { stdio: "inherit" });
+  } catch (err) {
+    const e = err;
+    if (e.code === "ENOENT") {
+      throw new NomadFatal("npm not found on PATH; install Node.js/npm and retry.");
+    }
+    throw new NomadFatal(`npm update -g claude-nomad failed: ${e.message}`);
+  }
+}
+
+// src/nomad.ts
+init_config();
+
+// src/diff.ts
+init_config();
+import { existsSync as existsSync30 } from "node:fs";
+import { join as join37 } from "node:path";
+init_utils();
+init_utils_fs();
+init_utils_json();
+function cmdDiff() {
+  try {
+    if (!existsSync30(REPO_HOME)) die(`repo not cloned at ${REPO_HOME}`);
+    const ts = freshBackupTs(BACKUP_BASE);
+    const mapPath = join37(REPO_HOME, "path-map.json");
+    const map = existsSync30(mapPath) ? readPathMap(mapPath) : { projects: {} };
+    const result = computePreview(ts, map);
+    emitSummary("diff", result.unmapped);
+  } catch (err) {
+    if (err instanceof NomadFatal) {
+      fail(err.message);
+      process.exitCode = 1;
+      return;
+    }
+    throw err;
+  }
+}
+
+// src/init.ts
+init_config();
+import { existsSync as existsSync32, mkdirSync as mkdirSync9, writeFileSync as writeFileSync6 } from "node:fs";
+import { join as join39 } from "node:path";
+
+// src/init.gh-onboard.ts
+init_config();
+import { execFileSync as execFileSync16 } from "node:child_process";
+init_utils();
+var DEFAULT_REPO_NAME = "claude-nomad-config";
+function isValidRepoName(name) {
+  return /^[A-Za-z0-9._-]{1,100}$/.test(name);
+}
+var GH_NETWORK_TIMEOUT_MS = 3e4;
+function ensureOriginRepo(repoName, run = execFileSync16) {
+  if (!isValidRepoName(repoName)) {
+    die(
+      `invalid repo name: ${JSON.stringify(repoName)}. Use only letters, digits, hyphens, underscores, and dots (1-100 chars).`
+    );
+  }
+  try {
+    readOriginRemote(REPO_HOME, run);
+    return;
+  } catch {
+  }
+  const ghStatus = ghAuthStatus(run);
+  if (ghStatus === "gh-not-installed") {
+    die("gh CLI is required for nomad init. Install: https://cli.github.com");
+  }
+  if (ghStatus === "gh-probe-error") {
+    die("could not verify gh CLI status (network issue?). Retry, or check `gh auth status`.");
+  }
+  if (ghStatus !== null) {
+    die("gh CLI is not authenticated. Run `gh auth login` and retry.");
+  }
+  try {
+    run("git", ["init", "-b", "main"], { cwd: REPO_HOME, stdio: ["ignore", "ignore", "pipe"] });
+  } catch (err) {
+    const e = err;
+    throw new NomadFatal(`git init failed: ${e.message}`);
+  }
+  try {
+    run("gh", ["repo", "create", repoName, "--private"], {
+      stdio: ["ignore", "pipe", "pipe"],
+      timeout: GH_NETWORK_TIMEOUT_MS
+    });
+  } catch (err) {
+    const e = err;
+    const detail = String(e.stderr ?? "") + e.message;
+    if (!/already exists/i.test(detail)) {
+      throw new NomadFatal(`gh repo create failed: ${e.message}`);
+    }
+    log(`repo ${repoName} already exists on your account; reusing it and wiring origin`);
+  }
+  let owner;
+  try {
+    owner = run("gh", ["api", "user", "--jq", ".login"], {
+      stdio: ["ignore", "pipe", "ignore"],
+      timeout: GH_NETWORK_TIMEOUT_MS
+    }).toString().trim();
+  } catch (err) {
+    const e = err;
+    throw new NomadFatal(`gh api user failed: ${e.message}`);
+  }
+  if (owner.length === 0 || owner === "null") {
+    throw new NomadFatal("gh api user returned an empty login; cannot wire origin remote.");
+  }
+  try {
+    run("git", ["remote", "add", "origin", `git@github.com:${owner}/${repoName}.git`], {
+      cwd: REPO_HOME,
+      stdio: ["ignore", "ignore", "pipe"]
+    });
+  } catch (err) {
+    const e = err;
+    throw new NomadFatal(`git remote add failed: ${e.message}`);
+  }
+  log(`created private repo ${owner}/${repoName} and wired origin`);
+}
+
+// src/init.snapshot.ts
+init_config();
+init_utils();
+init_utils_fs();
+init_utils_json();
+import { copyFileSync, cpSync as cpSync6, existsSync as existsSync31, rmSync as rmSync11, statSync as statSync8 } from "node:fs";
+import { join as join38 } from "node:path";
+function snapshotIntoShared(map) {
+  for (const name of allSharedLinks(map)) {
+    const src = join38(CLAUDE_HOME, name);
+    if (!existsSync31(src)) continue;
+    const dst = join38(REPO_HOME, "shared", name);
+    if (statSync8(src).isDirectory()) {
+      const gk = join38(dst, ".gitkeep");
+      if (existsSync31(gk)) rmSync11(gk);
+      cpSync6(src, dst, { recursive: true, force: false, errorOnExist: true });
+    } else {
+      copyFileSync(src, dst);
+    }
+    log(`snapshotted shared/${name} from ${src}`);
+  }
+  const userSettings = join38(CLAUDE_HOME, "settings.json");
+  if (existsSync31(userSettings)) {
+    let parsed;
+    try {
+      parsed = readJson(userSettings);
+    } catch (err) {
+      return die(`malformed ${userSettings}: ${err.message}`);
+    }
+    const hostFile = join38(REPO_HOME, "hosts", `${HOST}.json`);
+    writeJsonAtomic(hostFile, parsed);
+    log(`snapshotted hosts/${HOST}.json from ${userSettings}`);
+  }
+}
+
+// src/init.ts
+init_utils();
+init_utils_fs();
+var SHARED_CLAUDE_MD = "<!-- claude-nomad shared CLAUDE.md; symlinked into ~/.claude/CLAUDE.md by nomad pull -->\n";
+var SHARED_KEEP_DIRS = ["agents", "skills", "commands", "rules", "hooks"];
+function preflightConflict(repoHome) {
+  const candidates = [
+    join39(repoHome, "shared", "settings.base.json"),
+    join39(repoHome, "shared", "CLAUDE.md"),
+    join39(repoHome, "path-map.json"),
+    join39(repoHome, "hosts"),
+    join39(repoHome, "shared")
+  ];
+  for (const c of candidates) {
+    if (existsSync32(c)) return c;
+  }
+  return null;
+}
+function cmdInit(opts = {}) {
+  const snapshot = opts.snapshot === true;
+  const keepActions = opts.keepActions === true;
+  mkdirSync9(REPO_HOME, { recursive: true });
+  const conflict = preflightConflict(REPO_HOME);
+  if (conflict !== null) {
+    die(`already initialized; refusing to clobber ${conflict}`);
+  }
+  ensureOriginRepo(opts.repoName ?? DEFAULT_REPO_NAME, opts.run);
+  mkdirSync9(join39(REPO_HOME, "shared"), { recursive: true });
+  mkdirSync9(join39(REPO_HOME, "hosts"), { recursive: true });
+  for (const name of SHARED_KEEP_DIRS) {
+    mkdirSync9(join39(REPO_HOME, "shared", name), { recursive: true });
+  }
+  const userClaudeMd = join39(CLAUDE_HOME, "CLAUDE.md");
+  if (!snapshot || !existsSync32(userClaudeMd)) {
+    writeFileSync6(join39(REPO_HOME, "shared", "CLAUDE.md"), SHARED_CLAUDE_MD);
+    log("created shared/CLAUDE.md");
+  }
+  for (const name of SHARED_KEEP_DIRS) {
+    writeFileSync6(join39(REPO_HOME, "shared", name, ".gitkeep"), "");
+    log(`created shared/${name}/.gitkeep`);
+  }
+  writeFileSync6(join39(REPO_HOME, "hosts", ".gitkeep"), "");
+  log("created hosts/.gitkeep");
+  writeJsonAtomic(join39(REPO_HOME, "shared", "settings.base.json"), {});
+  log("created shared/settings.base.json");
+  writeJsonAtomic(join39(REPO_HOME, "path-map.json"), { projects: {} });
+  log("created path-map.json");
+  if (snapshot) {
+    snapshotIntoShared({ projects: {} });
+    log(`snapshot staged in shared/; review, then 'nomad push' to share with other hosts.`);
+    log("~/.claude/ originals were NOT removed.");
+  }
+  if (!keepActions) {
+    maybeDisableMirrorActions(REPO_HOME, opts.run);
+  }
+  log("init complete");
+}
+function maybeDisableMirrorActions(repoHome, run) {
+  let remote;
+  try {
+    remote = readOriginRemote(repoHome, run);
+  } catch {
+    return;
+  }
+  const ref = parseGitHubRemote(remote);
+  if (ref === null) return;
+  const ghStatus = ghAuthStatus(run);
+  if (ghStatus === "gh-not-installed") {
+    log(
+      `tip: install gh CLI and run 'gh api -X PUT repos/${ref.owner}/${ref.repo}/actions/permissions -F enabled=false' to disable Actions on your private mirror.`
+    );
+    return;
+  }
+  if (ghStatus === "gh-not-authed") {
+    log(
+      `tip: run 'gh auth login' then 'gh api -X PUT repos/${ref.owner}/${ref.repo}/actions/permissions -F enabled=false' to disable Actions on your private mirror.`
+    );
+    return;
+  }
+  let isPrivate;
+  try {
+    isPrivate = isRepoPrivate(ref, run);
+  } catch {
+    log(
+      `could not determine privacy for ${ref.owner}/${ref.repo}; run 'gh api -X PUT repos/${ref.owner}/${ref.repo}/actions/permissions -F enabled=false' manually if it is private.`
+    );
+    return;
+  }
+  if (!isPrivate) return;
+  let alreadyDisabled = false;
+  try {
+    alreadyDisabled = !isActionsEnabled(ref, run);
+  } catch {
+  }
+  if (alreadyDisabled) {
+    log(`actions already disabled on ${ref.owner}/${ref.repo}`);
+    return;
+  }
+  try {
+    disableActions(ref, run);
+    log(`disabled GitHub Actions on private mirror ${ref.owner}/${ref.repo}`);
+  } catch {
+    log(
+      `could not auto-disable Actions on ${ref.owner}/${ref.repo}; run 'gh api -X PUT repos/${ref.owner}/${ref.repo}/actions/permissions -F enabled=false' manually.`
+    );
+  }
+}
+
+// src/nomad.dispatch.ts
+function parseFlags(argv, known) {
+  const seen = /* @__PURE__ */ new Set();
+  for (let i = 3; i < argv.length; i++) {
+    const flag = argv[i];
+    if (!known.has(flag) || seen.has(flag)) {
+      return null;
+    }
+    seen.add(flag);
+  }
+  return seen;
+}
+function extractFlagValue(argv, i) {
+  const val = argv[i + 1];
+  if (val === void 0 || val.startsWith("--")) return null;
+  return val;
+}
+function applyInitToken(argv, i, st) {
+  const token = argv[i];
+  if (token === "--snapshot") {
+    if (st.sawSnapshot) return { ok: false, advance: 0 };
+    st.sawSnapshot = true;
+    st.snapshot = true;
+    return { ok: true, advance: 1 };
+  }
+  if (token === "--keep-actions") {
+    if (st.sawKeepActions) return { ok: false, advance: 0 };
+    st.sawKeepActions = true;
+    st.keepActions = true;
+    return { ok: true, advance: 1 };
+  }
+  if (token === "--repo") {
+    if (st.sawRepo) return { ok: false, advance: 0 };
+    st.sawRepo = true;
+    const val = extractFlagValue(argv, i);
+    if (val === null) return { ok: false, advance: 0 };
+    st.repoName = val;
+    return { ok: true, advance: 2 };
+  }
+  return { ok: false, advance: 0 };
+}
+function parseInitArgs(argv) {
+  const st = {
+    snapshot: false,
+    keepActions: false,
+    repoName: void 0,
+    sawSnapshot: false,
+    sawKeepActions: false,
+    sawRepo: false
+  };
+  let i = 3;
+  while (i < argv.length) {
+    const { ok: ok2, advance } = applyInitToken(argv, i, st);
+    if (!ok2) return null;
+    i += advance;
+  }
+  return { snapshot: st.snapshot, keepActions: st.keepActions, repoName: st.repoName };
+}
+function parseRedactArgs(argv) {
+  const id = argv[3];
+  if (typeof id !== "string" || !/^\w[\w-]{0,127}$/.test(id)) {
+    return null;
+  }
+  let rule;
+  let dryRun = false;
+  let sawRule = false;
+  let sawDryRun = false;
+  let i = 4;
+  while (i < argv.length) {
+    const token = argv[i];
+    if (token === "--dry-run") {
+      if (sawDryRun) return null;
+      sawDryRun = true;
+      dryRun = true;
+      i++;
+    } else if (token === "--rule") {
+      if (sawRule) return null;
+      sawRule = true;
+      const val = argv[i + 1];
+      if (val === void 0 || val.startsWith("--")) return null;
+      rule = val;
+      i += 2;
+    } else {
+      return null;
+    }
+  }
+  return { id, rule, dryRun };
+}
+
+// src/nomad.dispatch.clean.ts
+var REJECT = { ok: false, advance: 0 };
+function applyOlderThan(argv, i, st) {
+  if (st.olderThan !== void 0) return REJECT;
+  const val = extractFlagValue(argv, i);
+  if (val === null) return REJECT;
+  st.olderThan = val;
+  return { ok: true, advance: 2 };
+}
+function applyKeep(argv, i, st) {
+  if (st.keep !== void 0) return REJECT;
+  const val = extractFlagValue(argv, i);
+  if (val === null || !/^\d+$/.test(val)) return REJECT;
+  st.keep = Number(val);
+  return { ok: true, advance: 2 };
+}
+function applyBool(seen, set) {
+  if (seen) return REJECT;
+  set();
+  return { ok: true, advance: 1 };
+}
+function applyCleanToken(argv, i, st) {
+  switch (argv[i]) {
+    case "--backups":
+      return applyBool(st.backups, () => st.backups = true);
+    case "--dry-run":
+      return applyBool(st.dryRun, () => st.dryRun = true);
+    case "--older-than":
+      return applyOlderThan(argv, i, st);
+    case "--keep":
+      return applyKeep(argv, i, st);
+    default:
+      return REJECT;
+  }
+}
+function parseCleanArgs(argv) {
+  const st = {
+    backups: false,
+    dryRun: false,
+    olderThan: void 0,
+    keep: void 0
+  };
+  let i = 3;
+  while (i < argv.length) {
+    const { ok: ok2, advance } = applyCleanToken(argv, i, st);
+    if (!ok2) return null;
+    i += advance;
+  }
+  if (!st.backups) return null;
+  if (st.olderThan !== void 0 && st.keep !== void 0) return null;
+  return { dryRun: st.dryRun, olderThan: st.olderThan, keep: st.keep };
+}
+
+// package.json
+var package_default = {
+  name: "claude-nomad",
+  version: "0.35.0",
+  type: "module",
+  description: "Sync Claude Code config (~/.claude/) across machines via a private Git repo, with path remapping and per-host settings overrides.",
+  keywords: [
+    "claude",
+    "claude-code",
+    "sync",
+    "dotfiles"
+  ],
+  repository: {
+    type: "git",
+    url: "git+https://github.com/funkadelic/claude-nomad.git"
+  },
+  homepage: "https://github.com/funkadelic/claude-nomad#readme",
+  bugs: {
+    url: "https://github.com/funkadelic/claude-nomad/issues"
+  },
+  license: "MIT",
+  bin: {
+    nomad: "./dist/nomad.mjs"
+  },
+  files: [
+    "dist/",
+    "shared/.gitignore",
+    ".gitleaks.toml",
+    "README.md",
+    "CHANGELOG.md",
+    "LICENSE"
+  ],
+  engines: {
+    node: ">=22.22.1"
+  },
+  scripts: {
+    pull: "node src/nomad.ts pull",
+    push: "node src/nomad.ts push",
+    doctor: "node src/nomad.ts doctor",
+    update: "bash scripts/update.sh",
+    build: "node scripts/build.mjs",
+    test: "vitest run",
+    coverage: "vitest run --coverage",
+    typecheck: "tsc --noEmit",
+    lint: "eslint .",
+    "lint:fix": "eslint . --fix",
+    "lint:md": "markdownlint-cli2",
+    format: "prettier --write .",
+    "format:check": "prettier --check .",
+    prepack: "npm run build",
+    prepublishOnly: "npm run lint && npm run typecheck && npm run test && npm run build && node scripts/verify-tarball.cjs",
+    prepare: "husky"
+  },
+  "lint-staged": {
+    "*.ts": [
+      "eslint --fix",
+      "prettier --write"
+    ],
+    "*.{js,mjs,cjs,json}": [
+      "prettier --write"
+    ],
+    "*.md": [
+      "markdownlint-cli2 --fix",
+      "prettier --write"
+    ]
+  },
+  devDependencies: {
+    "@commitlint/cli": "^21.0.1",
+    "@commitlint/config-conventional": "^21.0.1",
+    "@eslint/js": "^10.0.1",
+    "@types/node": "^22.0.0",
+    "@vitest/coverage-v8": "^4.1.6",
+    diff: "^9.0.0",
+    esbuild: "^0.28.0",
+    eslint: "^10.4.0",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-sonarjs": "^4.0.3",
+    globals: "^17.6.0",
+    husky: "^9.1.7",
+    "lint-staged": "^17.0.5",
+    "markdownlint-cli2": "^0.22.1",
+    picocolors: "^1.1.1",
+    prettier: "^3.8.3",
+    typescript: "^6.0.3",
+    "typescript-eslint": "^8.59.4",
+    vitest: "^4.1.6"
+  }
+};
+
+// src/nomad.help.ts
+var DESC_COL = 26;
+var row = (label, desc) => label.padEnd(DESC_COL) + desc;
+var cont = (text) => " ".repeat(DESC_COL) + text;
+var DEFAULT_HELP = [
+  `claude-nomad v${package_default.version}`,
+  "",
+  "usage: nomad <command> [flags]",
+  "",
+  "Commands:",
+  row("  pull", "Sync ~/.claude/ from the shared repo (settings, symlinks, sessions)."),
+  row("       --dry-run", "Run lock + git pull, then preview every mutation without writing."),
+  "",
+  row("  push", "Rebase, run safety checks (gitleaks, gitlinks, allow-list), commit, push."),
+  row("       --dry-run", "Run pre-checks (rebase, gitleaks probe, gitlink scan) and preview"),
+  cont("remap, without staging or pushing."),
+  row("       --redact-all", "Redact all findings non-interactively (backup, no prompt); no TTY"),
+  cont("required. Does not auto-Allow."),
+  "",
+  row("  diff", "Offline preview of what `pull` would change against local repo state."),
+  cont("No git pull, no lock acquired."),
+  "",
+  row(
+    "  init",
+    "Create a private GitHub repo via gh (if none exists), scaffold shared/, hosts/, path-map."
+  ),
+  row("       --snapshot", "Overlay the current ~/.claude/ into shared/ as the initial seed."),
+  row("       --keep-actions", "Skip auto-disabling GitHub Actions on the private mirror."),
+  row(
+    "       --repo <name>",
+    "Name for the new GitHub repo (default: claude-nomad-config). No-op when origin exists."
+  ),
+  "",
+  row("  doctor", "Read-only health check (symlinks, host file, path-map,"),
+  cont("gitleaks, gitlinks)."),
+  row("       --check-shared", "Preflight gitleaks scan of the session transcripts a"),
+  cont("`nomad push` would stage (a temp copy, never the live dir)."),
+  row("       --check-schema", "Flag settings.json keys absent from the live published"),
+  cont("Claude Code settings schema (needs network; degrades offline)."),
+  row("       --resume-cmd <id>", "Print `cd <abspath> && claude --resume <id>` for a session id"),
+  cont("from ~/.claude/projects/."),
+  "",
+  row(
+    "  drop-session <id>",
+    "Unstage shared/projects/<logical>/<id>.jsonl from the staged tree (local ~/.claude/projects is never touched)."
+  ),
+  "",
+  row(
+    "  adopt <name>",
+    "Move a pre-existing ~/.claude/<name> dir into shared/<name>, recreate the"
+  ),
+  cont("symlink, and stage for push. <name> must be in SHARED_LINKS or sharedDirs."),
+  row("       --dry-run", "Preview backup, move, and git-add without writing."),
+  "",
+  row(
+    "  redact <session-id>",
+    "Rewrite the secret span in the local source transcript for a session,"
+  ),
+  cont("backed up to ~/.cache/claude-nomad/backup/. Safe to re-run."),
+  row("       --rule <id>", "Limit redaction to one gitleaks rule id."),
+  row("       --dry-run", "Show what would change without writing."),
+  "",
+  row("  update", "Update the claude-nomad CLI to the latest npm release."),
+  "",
+  row("  clean", "Prune old backup snapshots under ~/.cache/claude-nomad/backup/."),
+  row("       --backups", "Required: confirm backup pruning is the intended target."),
+  row("       --dry-run", "List the snapshots that would be removed without deleting."),
+  row("       --older-than <dur>", "Delete snapshots older than a duration (e.g. 14d, 24h, 30m)."),
+  cont("Default when no retention flag is given: 14d."),
+  row("       --keep <N>", "Keep the N most-recent snapshots, delete the rest. Mutually"),
+  cont("exclusive with --older-than."),
+  "",
+  row("  --version", "Print the installed CLI version as bare semver to stdout; exits 0."),
+  "",
+  "Run `nomad doctor` to validate your setup. Edit shared/ or hosts/<HOST>.json",
+  "in the repo, never ~/.claude/settings.json directly (it is regenerated on",
+  "every pull)."
+].join("\n");
+
+// src/resume.ts
+init_config();
+init_utils();
+init_utils_json();
+import { existsSync as existsSync33, readFileSync as readFileSync10, readdirSync as readdirSync10 } from "node:fs";
+import { join as join40 } from "node:path";
+function resumeCmd(sessionId) {
+  if (!/^[A-Za-z0-9_-]+$/.test(sessionId) || sessionId.length > 128) {
+    fail(`invalid session id: ${sessionId}`);
+    process.exit(1);
+  }
+  const projectsRoot = join40(CLAUDE_HOME, "projects");
+  if (!existsSync33(projectsRoot)) {
+    fail(`${projectsRoot} does not exist`);
+    process.exit(1);
+  }
+  const jsonlPath = findTranscriptPath(projectsRoot, sessionId);
+  if (jsonlPath === null) {
+    fail(`session ${sessionId} not found in any ~/.claude/projects/<encoded>/`);
+    process.exit(1);
+  }
+  const recordedCwd = extractRecordedCwd(jsonlPath);
+  if (recordedCwd === null) {
+    fail(`no cwd field found in ${jsonlPath}`);
+    process.exit(1);
+  }
+  const mapPath = join40(REPO_HOME, "path-map.json");
+  if (!existsSync33(mapPath)) {
+    fail("path-map.json missing");
+    process.exit(1);
+  }
+  const map = readJson(mapPath);
+  const schemaError = validatePathMap(map);
+  if (schemaError !== null) {
+    fail(schemaError);
+    process.exit(1);
+  }
+  const hit = lookupLocalPath(map, recordedCwd);
+  if (hit === null) {
+    fail(`cwd ${recordedCwd} from session ${sessionId} not found in path-map.json`);
+    process.exit(1);
+  }
+  if (hit.localPath === void 0) {
+    fail(`session ${sessionId} not mapped on this host; add the logical to path-map.json`);
+    process.exit(1);
+  }
+  console.log(`cd ${shQuote(hit.localPath)} && claude --resume ${shQuote(sessionId)}`);
+}
+function findTranscriptPath(projectsRoot, sessionId) {
+  for (const dir of readdirSync10(projectsRoot)) {
+    const candidate = join40(projectsRoot, dir, `${sessionId}.jsonl`);
+    if (existsSync33(candidate)) return candidate;
+  }
+  return null;
+}
+function extractRecordedCwd(jsonlPath) {
+  for (const line of readFileSync10(jsonlPath, "utf8").split("\n")) {
+    if (!line.trim()) continue;
+    try {
+      const obj = JSON.parse(line);
+      if (obj.type === "file-history-snapshot") continue;
+      if (typeof obj.cwd === "string" && obj.cwd.length > 0) return obj.cwd;
+    } catch {
+    }
+  }
+  return null;
+}
+function validatePathMap(raw) {
+  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
+    return "path-map.json invalid schema: top-level value must be an object";
+  }
+  const projects = raw.projects;
+  if (projects === null || typeof projects !== "object" || Array.isArray(projects)) {
+    return 'path-map.json invalid schema: "projects" must be an object';
+  }
+  for (const [name, hosts] of Object.entries(projects)) {
+    if (hosts === null || typeof hosts !== "object" || Array.isArray(hosts)) {
+      return `path-map.json invalid schema: project "${name}" hosts must be an object`;
+    }
+    for (const [host, value] of Object.entries(hosts)) {
+      if (typeof value !== "string") {
+        return `path-map.json invalid schema: project "${name}" host "${host}" path must be a string`;
+      }
+    }
+  }
+  return null;
+}
+function lookupLocalPath(map, recordedCwd) {
+  for (const [logical, hosts] of Object.entries(map.projects)) {
+    const isUnderMappedPath = Object.values(hosts).some(
+      (p) => recordedCwd === p || recordedCwd.startsWith(`${p}/`)
+    );
+    if (isUnderMappedPath) {
+      const localPath = hosts[HOST];
+      return { logical, localPath: localPath === "TBD" ? void 0 : localPath };
+    }
+  }
+  return null;
+}
+function shQuote(s) {
+  const escaped = s.replaceAll("'", String.raw`'\''`);
+  return `'${escaped}'`;
+}
+
+// src/nomad.ts
+init_utils();
+if (!HOME) {
+  fail(
+    "could not determine home directory (HOME env unset and no uid mapping). Set HOME and retry."
+  );
+  process.exit(1);
+}
+try {
+  const cmd = process.argv[2];
+  switch (cmd) {
+    case "--version":
+      if (process.argv.length !== 3) {
+        console.error("usage: nomad --version (no extra arguments)");
+        process.exit(1);
+      }
+      console.log(package_default.version);
+      break;
+    case "pull": {
+      const sub = process.argv[3];
+      if (sub === void 0) {
+        cmdPull();
+      } else if (sub === "--dry-run" && process.argv.length === 4) {
+        cmdPull({ dryRun: true });
+      } else {
+        console.error("usage: nomad pull [--dry-run]");
+        process.exit(1);
+      }
+      break;
+    }
+    case "push": {
+      const seen = parseFlags(process.argv, /* @__PURE__ */ new Set(["--dry-run", "--redact-all"]));
+      if (seen === null) {
+        console.error("usage: nomad push [--dry-run] [--redact-all]");
+        process.exit(1);
+      }
+      await cmdPush({ dryRun: seen.has("--dry-run"), redactAll: seen.has("--redact-all") });
+      break;
+    }
+    case "init": {
+      const initArgs = parseInitArgs(process.argv);
+      if (initArgs === null) {
+        console.error("usage: nomad init [--snapshot] [--keep-actions] [--repo <name>]");
+        process.exit(1);
+      }
+      cmdInit({
+        snapshot: initArgs.snapshot,
+        keepActions: initArgs.keepActions,
+        repoName: initArgs.repoName
+      });
+      break;
+    }
+    case "diff":
+      if (process.argv.length > 3) {
+        console.error("usage: nomad diff");
+        process.exit(1);
+      }
+      cmdDiff();
+      break;
+    case "update": {
+      if (process.argv.length !== 3) {
+        console.error("usage: nomad update");
+        process.exit(1);
+      }
+      cmdUpdate();
+      break;
+    }
+    case "adopt": {
+      const name = process.argv[3];
+      const sub = process.argv[4];
+      if (typeof name !== "string" || name.length === 0 || name.startsWith("-") || sub !== void 0 && (sub !== "--dry-run" || process.argv.length !== 5)) {
+        console.error("usage: nomad adopt <name> [--dry-run]");
+        process.exit(1);
+      }
+      cmdAdopt(name, { dryRun: sub === "--dry-run" });
+      break;
+    }
+    case "doctor":
+      if (process.argv[3] === void 0) {
+        cmdDoctor();
+      } else if (process.argv[3] === "--check-shared" && process.argv.length === 4) {
+        cmdDoctor({ checkShared: true });
+      } else if (process.argv[3] === "--check-schema" && process.argv.length === 4) {
+        cmdDoctor({ checkSchema: true });
+      } else if (process.argv[3] === "--resume-cmd") {
+        const id = process.argv[4];
+        if (process.argv.length !== 5 || typeof id !== "string" || id.length === 0) {
+          console.error("usage: nomad doctor --resume-cmd <session-id>");
+          process.exit(1);
+        }
+        resumeCmd(id);
+      } else {
+        console.error(
+          "usage: nomad doctor [--check-shared | --check-schema | --resume-cmd <session-id>]"
+        );
+        process.exit(1);
+      }
+      break;
+    case "drop-session": {
+      const id = process.argv[3];
+      if (process.argv.length !== 4 || typeof id !== "string" || !/^\w[\w-]{0,127}$/.test(id)) {
+        console.error("usage: nomad drop-session <id>");
+        process.exit(1);
+      }
+      cmdDropSession(id);
+      break;
+    }
+    case "redact": {
+      const redactArgs = parseRedactArgs(process.argv);
+      if (redactArgs === null) {
+        console.error("usage: nomad redact <session-id> [--rule <rule-id>] [--dry-run]");
+        process.exit(1);
+      }
+      cmdRedact(redactArgs);
+      break;
+    }
+    case "clean": {
+      const cleanArgs = parseCleanArgs(process.argv);
+      if (cleanArgs === null) {
+        console.error("usage: nomad clean --backups [--dry-run] [--older-than <dur> | --keep <N>]");
+        process.exit(1);
+      }
+      cmdClean(cleanArgs);
+      break;
+    }
+    default:
+      console.error(DEFAULT_HELP);
+      process.exit(1);
+  }
+} catch (err) {
+  if (err instanceof NomadFatal) {
+    fail(err.message);
+    process.exit(1);
+  }
+  throw err;
+}