claude-nomad 0.44.1 → 0.46.0

package/dist/nomad.mjs

@@ -1400,8 +1400,8 @@ function cmdEject(opts = {}, roots = defaultEjectRoots()) {
 }
 
 // src/commands.doctor.ts
-import { existsSync as existsSync22 } from "node:fs";
-import { join as join26 } from "node:path";
+import { existsSync as existsSync27 } from "node:fs";
+import { join as join33 } from "node:path";
 
 // src/commands.doctor.checks.repo.ts
 init_color();
@@ -2686,17 +2686,150 @@ function reportPreserveSymlinksCheck(section2) {
   }
 }
 
+// src/commands.doctor.checks.settings-drift.ts
+init_color();
+import { existsSync as existsSync21, readFileSync as readFileSync7 } from "node:fs";
+import { join as join25 } from "node:path";
+init_config();
+init_utils_json();
+function arraysEqual(a, b) {
+  if (a.length !== b.length) return false;
+  for (let i = 0; i < a.length; i++) {
+    if (!deepEqual(a[i], b[i])) return false;
+  }
+  return true;
+}
+function objectsEqual(a, b) {
+  const aKeys = Object.keys(a);
+  const bKeys = Object.keys(b);
+  if (aKeys.length !== bKeys.length) return false;
+  for (const k of aKeys) {
+    if (!Object.hasOwn(b, k)) return false;
+    if (!deepEqual(a[k], b[k])) return false;
+  }
+  return true;
+}
+function deepEqual(a, b) {
+  if (a === b) return true;
+  if (a === null || b === null) return false;
+  if (Array.isArray(a) && Array.isArray(b)) return arraysEqual(a, b);
+  if (Array.isArray(a) || Array.isArray(b)) return false;
+  if (typeof a === "object" && typeof b === "object") {
+    return objectsEqual(a, b);
+  }
+  return false;
+}
+function diffMergedSettings(merged, settings) {
+  const missing = [];
+  const changed = [];
+  const extra = [];
+  const settingsKeys = new Set(Object.keys(settings));
+  for (const key of Object.keys(merged)) {
+    if (!settingsKeys.has(key)) {
+      missing.push(key);
+    } else if (!deepEqual(merged[key], settings[key])) {
+      changed.push(key);
+    }
+  }
+  const mergedKeys = new Set(Object.keys(merged));
+  for (const key of Object.keys(settings)) {
+    if (!mergedKeys.has(key)) extra.push(key);
+  }
+  const collator = (a, b) => a.localeCompare(b, "en");
+  return {
+    missing: missing.toSorted(collator),
+    changed: changed.toSorted(collator),
+    extra: extra.toSorted(collator)
+  };
+}
+function tryReadJson(filePath) {
+  try {
+    const raw = readFileSync7(filePath, "utf8");
+    const parsed = JSON.parse(raw);
+    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) return null;
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+function reportSettingsDriftCheck(section2) {
+  const claude = claudeHome();
+  const repo = repoHome();
+  const host = HOST;
+  const settingsPath = join25(claude, "settings.json");
+  const basePath = join25(repo, "shared", "settings.base.json");
+  const hostPath = join25(repo, "hosts", `${host}.json`);
+  if (!existsSync21(settingsPath)) {
+    addItem(section2, `${dim(infoGlyph)} no ~/.claude/settings.json; skipping merge-drift check`);
+    return;
+  }
+  if (!existsSync21(basePath)) {
+    addItem(
+      section2,
+      `${dim(infoGlyph)} shared/settings.base.json missing; skipping merge-drift check`
+    );
+    return;
+  }
+  const base = tryReadJson(basePath);
+  if (base === null) {
+    addItem(
+      section2,
+      `${dim(infoGlyph)} shared/settings.base.json unparseable; skipping merge-drift check`
+    );
+    return;
+  }
+  const settings = tryReadJson(settingsPath);
+  if (settings === null) {
+    return;
+  }
+  const hostExists = existsSync21(hostPath);
+  const hostObj = hostExists ? tryReadJson(hostPath) : null;
+  if (hostExists && hostObj === null) {
+    addItem(
+      section2,
+      `${yellow(warnGlyph)} hosts/${host}.json unparseable; 'nomad pull' will fail (fix the host file)`
+    );
+    return;
+  }
+  const merged = deepMerge(base, hostObj ?? {});
+  const { missing, changed, extra } = diffMergedSettings(merged, settings);
+  emitDriftRows(section2, missing, changed, extra, host, hostExists);
+}
+function emitDriftRows(section2, missing, changed, extra, host, hostFileExists) {
+  if (missing.length > 0) {
+    addItem(
+      section2,
+      `${yellow(warnGlyph)} settings.json drift: merged keys missing locally: ${missing.join(", ")} (external writer clobbered settings.json; run 'nomad pull')`
+    );
+  }
+  if (changed.length > 0) {
+    addItem(
+      section2,
+      `${yellow(warnGlyph)} settings.json drift: merged keys with changed values: ${changed.join(", ")} (run 'nomad pull')`
+    );
+  }
+  if (extra.length > 0 && hostFileExists) {
+    addItem(
+      section2,
+      `${dim(infoGlyph)} settings.json has ${extra.length} local-only key(s) not in base+host merge: ${extra.join(", ")} (promotion candidates for shared/settings.base.json or hosts/${host}.json)`
+    );
+  }
+  if (missing.length === 0 && changed.length === 0 && extra.length === 0) {
+    addItem(section2, `${green(okGlyph)} settings.json matches base+host merge`);
+  }
+}
+
 // src/commands.doctor.ts
 init_config();
 
 // src/commands.doctor.engine.ts
 init_color();
-import { readFileSync as readFileSync8 } from "node:fs";
+import { readFileSync as readFileSync9 } from "node:fs";
 import { fileURLToPath as fileURLToPath3 } from "node:url";
 
 // src/commands.doctor.version.ts
 init_color();
-import { readFileSync as readFileSync7 } from "node:fs";
+import { readFileSync as readFileSync8 } from "node:fs";
 import { fileURLToPath as fileURLToPath2 } from "node:url";
 init_config();
 var STRICT_SEMVER = /^\d+\.\d+\.\d+$/;
@@ -2713,7 +2846,7 @@ function compareSemver(a, b) {
 function readLocalVersion() {
   try {
     const pkgPath = fileURLToPath2(new URL("../package.json", import.meta.url));
-    const parsed = JSON.parse(readFileSync7(pkgPath, "utf8"));
+    const parsed = JSON.parse(readFileSync8(pkgPath, "utf8"));
     if (typeof parsed.version === "string" && parsed.version.length > 0) {
       return parsed.version;
     }
@@ -2772,7 +2905,7 @@ function parseMinVersion(spec) {
 function readEnginesNode() {
   try {
     const pkgPath = fileURLToPath3(new URL("../package.json", import.meta.url));
-    const parsed = JSON.parse(readFileSync8(pkgPath, "utf8"));
+    const parsed = JSON.parse(readFileSync9(pkgPath, "utf8"));
     const node = parsed.engines?.node;
     if (typeof node === "string" && node.length > 0) return node;
     return null;
@@ -2798,398 +2931,123 @@ function reportNodeEngineCheck(section2) {
   addItem(section2, `${green(okGlyph)} node: ${process.version} (satisfies >=${min})`);
 }
 
-// src/commands.doctor.gitleaks-version.ts
+// src/spinner.ts
 init_color();
-import { execFileSync as execFileSync7 } from "node:child_process";
-import { existsSync as existsSync21 } from "node:fs";
-import { join as join25 } from "node:path";
+import { existsSync as existsSync25 } from "node:fs";
+import { fileURLToPath as fileURLToPath4 } from "node:url";
+import { Worker } from "node:worker_threads";
+
+// src/commands.push.recovery.ts
 init_config();
-var SEMVER_MAJOR_MINOR = /^(\d+)\.(\d+)\.\d+$/;
-var GITLEAKS_TIMEOUT_MS = 5e3;
-function majorMinorOf(value) {
-  const m = SEMVER_MAJOR_MINOR.exec(value);
-  return m === null ? null : [m[1], m[2]];
-}
-function readGitleaksVersion(run, tomlExists) {
-  const tomlPath = join25(repoHome(), ".gitleaks.toml");
-  const args = ["version"];
-  if (tomlExists(tomlPath)) args.push("--config", tomlPath);
-  try {
-    return run("gitleaks", args, {
-      stdio: ["ignore", "pipe", "pipe"],
-      timeout: GITLEAKS_TIMEOUT_MS
-    }).toString().trim();
-  } catch {
-    return null;
-  }
-}
-function reportGitleaksVersionCheck(section2, run = execFileSync7, tomlExists = existsSync21) {
-  const raw = readGitleaksVersion(run, tomlExists);
-  if (raw === null) return;
-  const local = majorMinorOf(raw);
-  if (local === null) return;
-  const pin = majorMinorOf(GITLEAKS_PINNED_VERSION);
-  if (pin === null) return;
-  const sameMajorMinor = local[0] === pin[0] && local[1] === pin[1];
-  if (sameMajorMinor) {
-    addItem(section2, `${green(okGlyph)} gitleaks: ${raw} (matches pinned ${pin[0]}.${pin[1]})`);
-    return;
-  }
-  addItem(
-    section2,
-    `${yellow(warnGlyph)} gitleaks: ${raw} -> ${GITLEAKS_PINNED_VERSION} (CI pins this; local drift may change scan results)`
-  );
-}
+import { readFileSync as readFileSync13, rmSync as rmSync9, writeFileSync as writeFileSync5 } from "node:fs";
+import { join as join31 } from "node:path";
+import { createInterface } from "node:readline/promises";
 
-// src/commands.doctor.checks.deps.ts
-init_color();
-import { execFileSync as execFileSync8 } from "node:child_process";
-var VERSION_TOKEN = /(\d{1,9}\.\d{1,9}\.\d{1,9})/;
-var PROBE_TIMEOUT_MS = 3e3;
-var FETCHER_BASE = "HTTP fetcher";
-function parseFirstVersion(line) {
-  const m = VERSION_TOKEN.exec(line);
-  return m ? m[1] : null;
-}
-function probeOptionalDep(bin, run) {
-  try {
-    const firstLine = run(bin, ["--version"], {
-      stdio: ["ignore", "pipe", "pipe"],
-      timeout: PROBE_TIMEOUT_MS
-    }).toString().split("\n")[0].trim();
-    const version = parseFirstVersion(firstLine);
-    return { status: "present", version };
-  } catch (err) {
-    if (err.code === "ENOENT") {
-      return { status: "not-installed" };
+// src/commands.push.recovery.actions.ts
+init_config();
+import { readFileSync as readFileSync12 } from "node:fs";
+import { isAbsolute, resolve as resolve3, sep as sep4 } from "node:path";
+
+// src/commands.push.recovery.redact.ts
+init_config();
+init_config_sharedDirs_guard();
+import { cpSync as cpSync5, existsSync as existsSync24, mkdirSync as mkdirSync6, statSync as statSync7 } from "node:fs";
+import { dirname as dirname6, join as join29, sep as sep3 } from "node:path";
+
+// src/commands.redact.ts
+init_config();
+import { existsSync as existsSync23, statSync as statSync6 } from "node:fs";
+import { dirname as dirname5, join as join28 } from "node:path";
+
+// src/commands.redact.subtree.ts
+import { existsSync as existsSync22, lstatSync as lstatSync7, readFileSync as readFileSync10, readdirSync as readdirSync9, statSync as statSync5, writeFileSync as writeFileSync3 } from "node:fs";
+import { join as join26 } from "node:path";
+init_utils_fs();
+function collectFiles(dir, out) {
+  if (!existsSync22(dir)) return;
+  const st = lstatSync7(dir);
+  if (!st.isDirectory()) return;
+  for (const entry of readdirSync9(dir)) {
+    const abs = join26(dir, entry);
+    const lst = lstatSync7(abs);
+    if (lst.isSymbolicLink()) continue;
+    if (lst.isDirectory()) {
+      collectFiles(abs, out);
+      continue;
     }
-    return { status: "present", version: null };
+    if (lst.isFile()) out.push(abs);
   }
 }
-function reportFetcherRow(section2, run) {
-  const curl = probeOptionalDep("curl", run);
-  const wget = probeOptionalDep("wget", run);
-  if (curl.status === "present") {
-    addItem(section2, `${green(okGlyph)} ${FETCHER_BASE}: curl ${curl.version ?? "(present)"}`);
-  } else if (wget.status === "present") {
-    addItem(section2, `${green(okGlyph)} ${FETCHER_BASE}: wget ${wget.version ?? "(present)"}`);
-  } else {
-    addItem(
-      section2,
-      `${yellow(warnGlyph)} ${FETCHER_BASE} (curl or wget): not installed (optional; needed for release-version staleness check + nomad doctor --check-schema)`
-    );
+function listSubtreeFiles(sessionDir) {
+  const out = [];
+  collectFiles(sessionDir, out);
+  return out.sort((a, b) => a.localeCompare(b));
+}
+function newestSubtreeMtimeMs(mainPath, subtreeFiles, statMtime = (p) => statSync5(p).mtimeMs) {
+  let newest = statMtime(mainPath);
+  for (const filePath of subtreeFiles) {
+    const t = statMtime(filePath);
+    if (t > newest) newest = t;
   }
+  return newest;
 }
-function reportOptionalDeps(section2, run = execFileSync8) {
-  const gh = probeOptionalDep("gh", run);
-  if (gh.status === "present") {
-    addItem(section2, `${green(okGlyph)} gh: ${gh.version ?? "present"}`);
-  } else {
-    addItem(
-      section2,
-      `${yellow(warnGlyph)} gh: not installed (optional; needed for nomad init Actions auto-disable + the Actions-drift check)`
-    );
+function applySubtreeRedactions(mainPath, mainFindings, subtreeFiles, rule, ts, scan, dryRun) {
+  const dirty = [];
+  if (mainFindings.length > 0) dirty.push({ path: mainPath, findings: mainFindings });
+  for (const filePath of subtreeFiles) {
+    const raw = scan(filePath);
+    if (raw === null || raw.length === 0) continue;
+    const filtered = rule === void 0 ? raw : raw.filter((f) => f.RuleID === rule);
+    if (filtered.length === 0) continue;
+    dirty.push({ path: filePath, findings: filtered });
   }
-  reportFetcherRow(section2, run);
+  const total = dirty.reduce((n, e) => n + e.findings.length, 0);
+  if (!dryRun && total > 0) {
+    for (const { path: filePath, findings } of dirty) {
+      backupBeforeWrite(filePath, ts);
+      writeFileSync3(filePath, applyRedactions(readFileSync10(filePath, "utf8"), findings), "utf8");
+    }
+  }
+  return { total, dirty };
 }
 
-// src/commands.doctor.actions-drift.ts
-init_color();
-import { execFileSync as execFileSync10 } from "node:child_process";
-init_config();
+// src/commands.redact.ts
+init_push_gitleaks_scan();
+init_utils_fs();
+init_utils_json();
+init_utils();
 
-// src/gh-actions.ts
-import { execFileSync as execFileSync9 } from "node:child_process";
-var GH_TIMEOUT_MS = 5e3;
-function parseGitHubRemote(remoteUrl) {
-  const normalized = remoteUrl.trim().replace(/\/$/, "");
-  const m = /github\.com[:/]([^/]+)\/([^/]+?)(?:\.git)?$/.exec(normalized);
-  if (m === null) return null;
-  return { owner: m[1], repo: m[2] };
+// src/utils.lockfile.ts
+init_config();
+init_utils();
+import { closeSync as closeSync3, mkdirSync as mkdirSync5, openSync as openSync3, readFileSync as readFileSync11, unlinkSync, writeFileSync as writeFileSync4 } from "node:fs";
+import { dirname as dirname4, join as join27 } from "node:path";
+function lockFilePath() {
+  return join27(home(), ".cache", "claude-nomad", "nomad.lock");
 }
-function ghAuthStatus(run = execFileSync9) {
+function acquireLock(verb) {
+  const lp = lockFilePath();
+  mkdirSync5(dirname4(lp), { recursive: true });
   try {
-    run("gh", ["auth", "status"], {
-      stdio: ["ignore", "ignore", "ignore"],
-      timeout: GH_TIMEOUT_MS
-    });
-    return null;
+    const fd = openSync3(lp, "wx");
+    try {
+      writeFileSync4(fd, String(process.pid));
+    } catch (writeErr) {
+      try {
+        closeSync3(fd);
+      } catch {
+      }
+      try {
+        unlinkSync(lp);
+      } catch {
+      }
+      throw writeErr;
+    }
+    return { fd, path: lp };
   } catch (err) {
-    const e = err;
-    if (e.code === "ENOENT") return "gh-not-installed";
-    if (typeof e.status === "number") return "gh-not-authed";
-    return "gh-probe-error";
-  }
-}
-function isRepoPrivate(ref, run = execFileSync9) {
-  const out = run("gh", ["repo", "view", `${ref.owner}/${ref.repo}`, "--json", "isPrivate"], {
-    stdio: ["ignore", "pipe", "ignore"],
-    timeout: GH_TIMEOUT_MS
-  }).toString();
-  const parsed = JSON.parse(out);
-  return parsed.isPrivate === true;
-}
-function isActionsEnabled(ref, run = execFileSync9) {
-  const out = run(
-    "gh",
-    ["api", `repos/${ref.owner}/${ref.repo}/actions/permissions`, "--jq", ".enabled"],
-    { stdio: ["ignore", "pipe", "ignore"], timeout: GH_TIMEOUT_MS }
-  ).toString().trim();
-  return out === "true";
-}
-function disableActions(ref, run = execFileSync9) {
-  run(
-    "gh",
-    [
-      "api",
-      "-X",
-      "PUT",
-      `repos/${ref.owner}/${ref.repo}/actions/permissions`,
-      "-F",
-      "enabled=false"
-    ],
-    { stdio: ["ignore", "ignore", "pipe"], timeout: GH_TIMEOUT_MS }
-  );
-}
-function readOriginRemote(cwd, run = execFileSync9) {
-  return run("git", ["remote", "get-url", "origin"], {
-    cwd,
-    stdio: ["ignore", "pipe", "ignore"]
-  }).toString().trim();
-}
-
-// src/commands.doctor.actions-drift.ts
-function reportActionsDrift(section2, run = execFileSync10) {
-  let remote;
-  try {
-    remote = readOriginRemote(repoHome(), run);
-  } catch {
-    return;
-  }
-  const ref = parseGitHubRemote(remote);
-  if (ref === null) return;
-  const auth = ghAuthStatus(run);
-  if (auth === "gh-not-installed" || auth === "gh-not-authed") return;
-  let isPrivate;
-  try {
-    isPrivate = isRepoPrivate(ref, run);
-  } catch {
-    return;
-  }
-  if (!isPrivate) return;
-  let enabled2;
-  try {
-    enabled2 = isActionsEnabled(ref, run);
-  } catch {
-    return;
-  }
-  if (!enabled2) return;
-  addItem(
-    section2,
-    `${yellow(warnGlyph)} Actions: enabled on private repo ${ref.owner}/${ref.repo} (re-disable with 'gh api -X PUT repos/${ref.owner}/${ref.repo}/actions/permissions -F enabled=false')`
-  );
-}
-
-// src/commands.doctor.verdict.ts
-init_color();
-function isFailLine(item2) {
-  return item2.includes(failGlyph);
-}
-function isWarnLine(item2) {
-  return !isFailLine(item2) && item2.includes(warnGlyph);
-}
-function buildVerdictSection(sections) {
-  const summary = section("Summary");
-  const lines = sections.flatMap((s) => s.items).map((item2) => item2.replace(/^\t/, ""));
-  const failures = lines.filter(isFailLine);
-  const warnings = lines.filter(isWarnLine);
-  for (const line of [...failures, ...warnings]) addItem(summary, line);
-  if (failures.length > 0) {
-    addItem(
-      summary,
-      `${red(failGlyph)} ${failures.length} failure(s), ${warnings.length} warning(s)`
-    );
-  } else if (warnings.length > 0) {
-    addItem(summary, `${yellow(warnGlyph)} ${warnings.length} warning(s)`);
-  } else {
-    addItem(summary, `${green(okGlyph)} healthy`);
-  }
-  return summary;
-}
-
-// src/commands.doctor.ts
-function cmdDoctor(opts = {}) {
-  const host = section("Environment");
-  reportHostAndPaths(host);
-  reportRepoState(host);
-  const links = section("Shared links");
-  const mapPath = join26(repoHome(), "path-map.json");
-  const rawMap = existsSync22(mapPath) ? readJsonSafe(mapPath, mapPath, links) : null;
-  const map = rawMap ?? { projects: {} };
-  reportSharedLinks(links, map);
-  const hooksScan = section("Hook targets");
-  reportHooksTargetCheck(hooksScan);
-  reportHookScopeCheck(hooksScan);
-  reportPreserveSymlinksCheck(hooksScan);
-  const settings = section("Settings");
-  const base = loadBaseSettings(settings);
-  const parsedSettings = loadAndReportSettings(settings);
-  reportHostOverrides(settings, base, parsedSettings);
-  const pathMap = section("Path map");
-  reportPathMap(pathMap);
-  const neverSync = section("Never-sync");
-  reportNeverSync(neverSync);
-  const repository = section("Repository");
-  const gitleaksReady = reportGitleaksProbe(repository);
-  reportGitlinks(repository);
-  reportRemote(repository);
-  reportRebaseClean(repository);
-  reportRebaseState(repository);
-  reportActionsDrift(repository);
-  const nomadVersion = section("Nomad Version");
-  reportVersionCheck(nomadVersion);
-  const housekeeping = section("Housekeeping");
-  reportBackupsCheck(housekeeping);
-  const depVersions = section("Dependency Versions");
-  reportNodeEngineCheck(depVersions);
-  reportGitleaksVersionCheck(depVersions);
-  reportOptionalDeps(depVersions);
-  const sharedScan = section("Shared scan");
-  if (opts.checkShared === true) reportCheckShared(sharedScan, gitleaksReady);
-  const schemaScan = section("Schema scan");
-  if (opts.checkSchema === true) reportCheckSchema(schemaScan);
-  const body = [
-    nomadVersion,
-    depVersions,
-    host,
-    links,
-    hooksScan,
-    settings,
-    pathMap,
-    neverSync,
-    repository,
-    housekeeping,
-    sharedScan,
-    schemaScan
-  ];
-  renderDoctor([...body, buildVerdictSection(body)]);
-}
-
-// src/commands.drop-session.ts
-init_config();
-import { execFileSync as execFileSync12 } from "node:child_process";
-import { existsSync as existsSync24, readdirSync as readdirSync9, statSync as statSync5 } from "node:fs";
-import { join as join29, relative as relative4 } from "node:path";
-
-// src/commands.drop-session.git.ts
-import { execFileSync as execFileSync11 } from "node:child_process";
-function expandStagedDir(dirRel, repo) {
-  try {
-    const out = execFileSync11("git", ["ls-files", "-z", "--", dirRel], {
-      cwd: repo,
-      stdio: ["ignore", "pipe", "pipe"]
-    });
-    return out.toString().split("\0").filter((p) => p !== "");
-  } catch {
-    return [];
-  }
-}
-function isTrackedInHead(rel, repo) {
-  try {
-    execFileSync11("git", ["cat-file", "-e", `HEAD:${rel}`], {
-      cwd: repo,
-      stdio: ["ignore", "pipe", "pipe"]
-    });
-    return true;
-  } catch {
-    return false;
-  }
-}
-function isInIndex(rel, repo) {
-  try {
-    const out = execFileSync11("git", ["ls-files", "--", rel], {
-      cwd: repo,
-      stdio: ["ignore", "pipe", "pipe"]
-    });
-    return out.toString().trim() !== "";
-  } catch {
-    return false;
-  }
-}
-
-// src/commands.drop-session.scrub-hint.ts
-init_config();
-init_utils();
-init_utils_json();
-import { existsSync as existsSync23 } from "node:fs";
-import { join as join27 } from "node:path";
-var SHARED_PROJECT_LOGICAL = /^shared\/projects\/([^/]+)\//;
-function reportScrubHint(id, matches) {
-  const live = resolveLiveTranscript(id, matches);
-  const target = live ?? `~/.claude/projects/<encoded>/${id}.jsonl`;
-  log(
-    `note: this only un-stages the session from the next push.
-  The local source still contains the secret, so nomad push re-stages it
-  on the next run and nomad doctor --check-shared keeps reporting it.
-  To fully remediate: rotate the credential, then run:
-    nomad redact ${id}
-  (or scrub ${target} manually)`
-  );
-}
-function resolveLiveTranscript(id, matches) {
-  try {
-    const mapPath = join27(repoHome(), "path-map.json");
-    if (!existsSync23(mapPath)) return null;
-    const projects = readJson(mapPath).projects;
-    const claude = claudeHome();
-    for (const rel of matches) {
-      const logical = SHARED_PROJECT_LOGICAL.exec(rel)?.[1];
-      if (logical === void 0) continue;
-      const abs = projects[logical]?.[HOST];
-      if (abs === void 0) continue;
-      const live = join27(claude, "projects", encodePath(abs), `${id}.jsonl`);
-      if (existsSync23(live)) return live;
-    }
-    return null;
-  } catch {
-    return null;
-  }
-}
-
-// src/commands.drop-session.ts
-init_utils();
-
-// src/utils.lockfile.ts
-init_config();
-init_utils();
-import { closeSync as closeSync3, mkdirSync as mkdirSync5, openSync as openSync3, readFileSync as readFileSync9, unlinkSync, writeFileSync as writeFileSync3 } from "node:fs";
-import { dirname as dirname4, join as join28 } from "node:path";
-function lockFilePath() {
-  return join28(home(), ".cache", "claude-nomad", "nomad.lock");
-}
-function acquireLock(verb) {
-  const lp = lockFilePath();
-  mkdirSync5(dirname4(lp), { recursive: true });
-  try {
-    const fd = openSync3(lp, "wx");
-    try {
-      writeFileSync3(fd, String(process.pid));
-    } catch (writeErr) {
-      try {
-        closeSync3(fd);
-      } catch {
-      }
-      try {
-        unlinkSync(lp);
-      } catch {
-      }
-      throw writeErr;
-    }
-    return { fd, path: lp };
-  } catch (err) {
-    const code = err.code;
-    if (code !== "EEXIST") throw err;
-    return checkStaleAndRetry(verb, lp);
+    const code = err.code;
+    if (code !== "EEXIST") throw err;
+    return checkStaleAndRetry(verb, lp);
   }
 }
 function releaseLock(handle) {
@@ -3208,7 +3066,7 @@ function releaseLock(handle) {
 function unlinkIfSamePid(expectedPidStr, lp) {
   let current;
   try {
-    current = readFileSync9(lp, "utf8").trim();
+    current = readFileSync11(lp, "utf8").trim();
   } catch {
     return false;
   }
@@ -3223,7 +3081,7 @@ function unlinkIfSamePid(expectedPidStr, lp) {
 function checkStaleAndRetry(verb, lp) {
   let pidStr;
   try {
-    pidStr = readFileSync9(lp, "utf8").trim();
+    pidStr = readFileSync11(lp, "utf8").trim();
   } catch {
     pidStr = "";
   }
@@ -3252,7 +3110,7 @@ function retryOnce(verb, lp) {
   try {
     const fd = openSync3(lp, "wx");
     try {
-      writeFileSync3(fd, String(process.pid));
+      writeFileSync4(fd, String(process.pid));
     } catch {
       try {
         closeSync3(fd);
@@ -3272,152 +3130,18 @@ function retryOnce(verb, lp) {
   }
 }
 
-// src/commands.drop-session.ts
-function cmdDropSession(id) {
-  if (id.length === 0 || id.length > 128 || !/^[A-Za-z0-9_-]+$/.test(id)) {
-    fail(`invalid session id: ${id}`);
-    process.exit(1);
-  }
-  const repo = repoHome();
-  if (!existsSync24(repo)) die(`repo not cloned at ${repo}`);
-  const handle = acquireLock("drop-session");
-  if (handle === null) process.exit(0);
-  try {
-    const repoProjects = join29(repo, "shared", "projects");
-    if (!existsSync24(repoProjects)) {
-      throw new NomadFatal(`no staged session matches ${id}`);
-    }
-    const matches = collectMatches(repoProjects, id, repo);
-    if (matches.length === 0) {
-      throw new NomadFatal(`no staged session matches ${id}`);
-    }
-    for (const rel of matches) unstageOne(rel, repo);
-    reportScrubHint(id, matches);
-  } catch (err) {
-    if (!(err instanceof NomadFatal)) {
-      throw err;
-    }
-    fail(err.message);
-    process.exitCode = 1;
-  } finally {
-    releaseLock(handle);
-  }
-}
-function collectMatches(repoProjects, id, repo) {
-  const matches = [];
-  for (const logical of readdirSync9(repoProjects)) {
-    const candidate = join29(repoProjects, logical, `${id}.jsonl`);
-    if (existsSync24(candidate)) {
-      matches.push(relative4(repo, candidate));
-    }
-    const dir = join29(repoProjects, logical, id);
-    if (existsSync24(dir) && statSync5(dir).isDirectory()) {
-      const dirRel = relative4(repo, dir);
-      const staged = expandStagedDir(dirRel, repo);
-      if (staged.length > 0) matches.push(...staged);
-      else matches.push(dirRel);
-    }
-  }
-  return matches;
-}
-function unstageOne(rel, repo) {
-  if (!isInIndex(rel, repo)) {
-    item(`dropped ${rel} (already absent from index)`);
-    return;
-  }
-  try {
-    if (isTrackedInHead(rel, repo)) {
-      execFileSync12("git", ["restore", "--staged", "--worktree", "--", rel], {
-        cwd: repo,
-        stdio: ["ignore", "pipe", "pipe"]
-      });
-    } else {
-      execFileSync12("git", ["rm", "--cached", "-f", "--", rel], {
-        cwd: repo,
-        stdio: ["ignore", "pipe", "pipe"]
-      });
-    }
-  } catch (err) {
-    const e = err;
-    const detail = e.stderr?.toString().trim() ?? e.message;
-    throw new NomadFatal(`git failed to unstage ${rel}: ${detail}`);
-  }
-  item(`dropped ${rel}`);
-}
-
-// src/commands.redact.ts
-init_config();
-import { existsSync as existsSync26, statSync as statSync7 } from "node:fs";
-import { dirname as dirname5, join as join31 } from "node:path";
-
-// src/commands.redact.subtree.ts
-import { existsSync as existsSync25, lstatSync as lstatSync7, readFileSync as readFileSync10, readdirSync as readdirSync10, statSync as statSync6, writeFileSync as writeFileSync4 } from "node:fs";
-import { join as join30 } from "node:path";
-init_utils_fs();
-function collectFiles(dir, out) {
-  if (!existsSync25(dir)) return;
-  const st = lstatSync7(dir);
-  if (!st.isDirectory()) return;
-  for (const entry of readdirSync10(dir)) {
-    const abs = join30(dir, entry);
-    const lst = lstatSync7(abs);
-    if (lst.isSymbolicLink()) continue;
-    if (lst.isDirectory()) {
-      collectFiles(abs, out);
-      continue;
-    }
-    if (lst.isFile()) out.push(abs);
-  }
-}
-function listSubtreeFiles(sessionDir) {
-  const out = [];
-  collectFiles(sessionDir, out);
-  return out.sort((a, b) => a.localeCompare(b));
-}
-function newestSubtreeMtimeMs(mainPath, subtreeFiles, statMtime = (p) => statSync6(p).mtimeMs) {
-  let newest = statMtime(mainPath);
-  for (const filePath of subtreeFiles) {
-    const t = statMtime(filePath);
-    if (t > newest) newest = t;
-  }
-  return newest;
-}
-function applySubtreeRedactions(mainPath, mainFindings, subtreeFiles, rule, ts, scan, dryRun) {
-  const dirty = [];
-  if (mainFindings.length > 0) dirty.push({ path: mainPath, findings: mainFindings });
-  for (const filePath of subtreeFiles) {
-    const raw = scan(filePath);
-    if (raw === null || raw.length === 0) continue;
-    const filtered = rule === void 0 ? raw : raw.filter((f) => f.RuleID === rule);
-    if (filtered.length === 0) continue;
-    dirty.push({ path: filePath, findings: filtered });
-  }
-  const total = dirty.reduce((n, e) => n + e.findings.length, 0);
-  if (!dryRun && total > 0) {
-    for (const { path: filePath, findings } of dirty) {
-      backupBeforeWrite(filePath, ts);
-      writeFileSync4(filePath, applyRedactions(readFileSync10(filePath, "utf8"), findings), "utf8");
-    }
-  }
-  return { total, dirty };
-}
-
 // src/commands.redact.ts
-init_push_gitleaks_scan();
-init_utils_fs();
-init_utils_json();
-init_utils();
-function resolveLiveTranscript2(id) {
+function resolveLiveTranscript(id) {
   try {
-    const mapPath = join31(repoHome(), "path-map.json");
-    if (!existsSync26(mapPath)) return null;
+    const mapPath = join28(repoHome(), "path-map.json");
+    if (!existsSync23(mapPath)) return null;
     const projects = readJson(mapPath).projects;
     const claude = claudeHome();
     for (const hostMap of Object.values(projects)) {
       const abs = hostMap[HOST];
       if (abs === void 0) continue;
-      const live = join31(claude, "projects", encodePath(abs), `${id}.jsonl`);
-      if (existsSync26(live)) return live;
+      const live = join28(claude, "projects", encodePath(abs), `${id}.jsonl`);
+      if (existsSync23(live)) return live;
     }
     return null;
   } catch {
@@ -3437,19 +3161,19 @@ function cmdRedact(opts, nowMs = Date.now, scan = scanFile) {
   }
   const repo = repoHome();
   const backup = backupBase();
-  if (!existsSync26(repo)) die(`repo not cloned at ${repo}`);
+  if (!existsSync23(repo)) die(`repo not cloned at ${repo}`);
   const handle = acquireLock("redact");
   if (handle === null) process.exit(0);
   try {
-    const localPath = resolveLiveTranscript2(id);
-    if (localPath === null || !existsSync26(localPath)) {
+    const localPath = resolveLiveTranscript(id);
+    if (localPath === null || !existsSync23(localPath)) {
       fail(`could not resolve local transcript for session ${id} on this host`);
       process.exitCode = 1;
       return;
     }
-    const sessionDir = join31(dirname5(localPath), id);
+    const sessionDir = join28(dirname5(localPath), id);
     const subtreeFiles = listSubtreeFiles(sessionDir);
-    const subtreeMtime = newestSubtreeMtimeMs(localPath, subtreeFiles, (p) => statSync7(p).mtimeMs);
+    const subtreeMtime = newestSubtreeMtimeMs(localPath, subtreeFiles, (p) => statSync6(p).mtimeMs);
     if (isRecentlyModified(subtreeMtime, nowMs())) {
       log(
         `session ${id} was modified recently and may be active.
@@ -3499,1142 +3223,1630 @@ ${lines}`);
   }
 }
 
-// src/commands.pull.ts
-import { existsSync as existsSync34, mkdirSync as mkdirSync8 } from "node:fs";
-import { join as join40 } from "node:path";
+// src/commands.push.recovery.redact.ts
+init_push_gitleaks_scan();
+init_utils_json();
+init_utils();
 
-// src/commands.push.sections.ts
-init_color();
+// src/commands.push.recovery.seams.ts
+init_push_gitleaks();
+var MASK_LEAD = 4;
+var MASK_BODY = "************";
+var CONTEXT_WINDOW = 40;
+var CONTROL_CHARS = /[\x00-\x1f\x7f]/g;
+function findingKey(f) {
+  return `${f.File}:${f.StartLine}:${f.StartColumn}:${f.RuleID}`;
+}
+var VALID_SID = /^[A-Za-z0-9_-]+$/;
+function sessionIdFromFinding(f) {
+  const m = SESSION_PATH.exec(f.File) ?? /^shared\/projects\/[^/]+\/([^/]+)\//.exec(f.File);
+  if (m === null) return null;
+  const sid = m[1];
+  return VALID_SID.test(sid) ? sid : null;
+}
+function parseAction(raw) {
+  const t = raw.trim().toLowerCase();
+  if (t === "r" || t === "redact") return "redact";
+  if (t === "a" || t === "allow") return "allow";
+  if (t === "d" || t === "drop") return "drop";
+  return "skip";
+}
+function maskSecret(secret) {
+  return secret.slice(0, MASK_LEAD) + MASK_BODY;
+}
+function buildFindingContext(finding, readLine) {
+  const raw = readLine(finding.File, finding.StartLine);
+  if (raw !== null) {
+    const len = raw.length;
+    const startCol = Math.max(1, Math.min(finding.StartColumn, len + 1));
+    const endCol = Math.max(startCol, Math.min(finding.EndColumn, len));
+    const spanStart = startCol - 1;
+    const spanEnd = endCol;
+    const secret = raw.slice(spanStart, spanEnd);
+    const masked = maskSecret(secret);
+    const fullPrefix = raw.slice(0, spanStart);
+    const fullSuffix = raw.slice(spanEnd);
+    const prefixTruncated = fullPrefix.length > CONTEXT_WINDOW;
+    const suffixTruncated = fullSuffix.length > CONTEXT_WINDOW;
+    const prefix = prefixTruncated ? fullPrefix.slice(fullPrefix.length - CONTEXT_WINDOW) : fullPrefix;
+    const suffix = suffixTruncated ? fullSuffix.slice(0, CONTEXT_WINDOW) : fullSuffix;
+    const excerpt = (prefixTruncated ? "..." : "") + prefix + masked + suffix + (suffixTruncated ? "..." : "");
+    const stripped = excerpt.replace(CONTROL_CHARS, "");
+    if (stripped.trim().length > 0) return stripped;
+  }
+  if (finding.Match.length > 0) {
+    return maskSecret(finding.Match).replace(CONTROL_CHARS, "");
+  }
+  return null;
+}
 
-// src/summary.ts
-init_color();
-init_utils();
-function summaryText(verb, unmapped, collisions = 0, extrasSkipped = 0) {
-  const extras = extrasSkipped > 0 ? `, ${extrasSkipped} extras skipped` : "";
-  if (verb === "push") {
-    if (unmapped === 0 && collisions === 0 && extrasSkipped === 0) {
-      return { text: "summary: clean", clean: true };
+// src/commands.push.recovery.redact.ts
+function resolveStagedDir(localPath, map, claude, repo) {
+  for (const [logical, hostMap] of Object.entries(map.projects)) {
+    assertSafeLogical(logical);
+    const abs = hostMap[HOST];
+    if (abs === void 0) continue;
+    if (localPath.startsWith(join29(claude, "projects", encodePath(abs)) + sep3)) {
+      return join29(repo, "shared", "projects", logical);
     }
-    const base = `summary: ${unmapped} unmapped on push, ${collisions} collisions`;
-    return { text: `${base}${extras} (run nomad doctor to list)`, clean: false };
-  }
-  if (unmapped === 0 && extrasSkipped === 0) {
-    return { text: "summary: clean", clean: true };
   }
-  return {
-    text: `summary: ${unmapped} unmapped on ${verb}${extras} (run nomad doctor to list)`,
-    clean: false
+  return null;
+}
+function applyRedact(f, ts, map, nowMs, scan = scanFile) {
+  const refuse = (msg) => {
+    log(msg);
+    return false;
   };
+  const claude = claudeHome();
+  const repo = repoHome();
+  const sid = sessionIdFromFinding(f);
+  if (sid === null) {
+    return refuse(
+      `could not locate the local transcript for this finding; choose Skip or Drop session.`
+    );
+  }
+  const localPath = resolveLiveTranscript(sid);
+  if (localPath === null) {
+    return refuse(
+      `could not locate the local transcript for session ${sid}; choose Skip or Drop session.`
+    );
+  }
+  const sessionDir = join29(dirname6(localPath), sid);
+  const subtreeFiles = listSubtreeFiles(sessionDir);
+  const subtreeMtime = newestSubtreeMtimeMs(localPath, subtreeFiles, (p) => statSync7(p).mtimeMs);
+  if (isRecentlyModified(subtreeMtime, nowMs())) {
+    return refuse(
+      `session ${sid} looks active (modified within the last 5 minutes); refusing to redact, no changes made.
+  End the session and choose Redact again, or choose Drop session (holds this session back from the push, local copy kept) or Skip.`
+    );
+  }
+  const stagedProjectDir = resolveStagedDir(localPath, map, claude, repo);
+  if (stagedProjectDir === null) {
+    return refuse(
+      `could not map the local transcript for session ${sid} to a staged copy; choose Drop session or Skip.`
+    );
+  }
+  const mainFindings = scan(localPath);
+  if (mainFindings === null) {
+    return refuse(`re-scan of the transcript failed; choose Skip or Drop session.`);
+  }
+  const { total: anyTotal } = applySubtreeRedactions(
+    localPath,
+    mainFindings,
+    subtreeFiles,
+    void 0,
+    ts,
+    scan,
+    false
+  );
+  if (anyTotal === 0) {
+    return refuse(
+      `nothing to redact in the local transcript for session ${sid}; choose Skip or Drop session.`
+    );
+  }
+  mkdirSync6(stagedProjectDir, { recursive: true });
+  cpSync5(localPath, join29(stagedProjectDir, `${sid}.jsonl`), { force: true });
+  if (existsSync24(sessionDir)) {
+    cpSync5(sessionDir, join29(stagedProjectDir, sid), { force: true, recursive: true });
+  }
+  return true;
 }
-function summaryRow(verb, unmapped, collisions = 0, extrasSkipped = 0) {
-  const { text, clean } = summaryText(verb, unmapped, collisions, extrasSkipped);
-  return clean ? `${green(okGlyph)} ${text}` : `${yellow(warnGlyph)} ${text}`;
+
+// src/commands.push.recovery.drop.ts
+init_config();
+import { rmSync as rmSync8 } from "node:fs";
+import { join as join30 } from "node:path";
+function dropSessionFromStaged(sid, map) {
+  const logicals = Object.keys(map.projects);
+  if (logicals.length === 0) return false;
+  const repo = repoHome();
+  for (const logical of logicals) {
+    const jsonl = join30(repo, "shared", "projects", logical, `${sid}.jsonl`);
+    const dir = join30(repo, "shared", "projects", logical, sid);
+    rmSync8(jsonl, { force: true });
+    rmSync8(dir, { recursive: true, force: true });
+  }
+  return true;
 }
 
-// src/commands.push.sections.ts
-function collapsedSkipRow(n, noun) {
-  if (n <= 0) return null;
-  return `${dim(infoGlyph)} ${n} ${noun}`;
+// src/commands.push.recovery.actions.ts
+init_push_gitleaks_scan();
+init_utils();
+function applyAllow(f, repo) {
+  appendGitleaksIgnore(f.Fingerprint, repo);
 }
-function buildSettingsSection(label) {
-  const s = section("Settings");
-  addItem(s, `${green(okGlyph)} settings.json (base + ${label})`);
-  return s;
+function allowAllFindings(findings, repo) {
+  for (const f of findings) {
+    appendGitleaksIgnore(f.Fingerprint, repo);
+  }
 }
-function buildSessionsSection(items, unmapped) {
-  const s = section("Sessions");
-  for (const logical of items) addItem(s, `${green(okGlyph)} ${logical}`);
-  const skip = collapsedSkipRow(unmapped, "not in path-map (run nomad doctor to list)");
-  if (skip !== null) addItem(s, skip);
-  return s;
+function allowFindingsByRule(findings, ruleId, repo) {
+  let count = 0;
+  for (const f of findings) {
+    if (f.RuleID === ruleId) {
+      appendGitleaksIgnore(f.Fingerprint, repo);
+      count++;
+    }
+  }
+  return count;
 }
-function buildExtrasSection(items, extrasSkipped) {
-  const s = section("Extras");
-  for (const entry of items) addItem(s, `${green(okGlyph)} ${entry}`);
-  const skip = collapsedSkipRow(extrasSkipped, "extras skipped");
-  if (skip !== null) addItem(s, skip);
-  return s;
+function makeDefaultReadLine(repo) {
+  return (file, line) => {
+    try {
+      const repoRoot = resolve3(repo);
+      const target = resolve3(repoRoot, file);
+      if (isAbsolute(file) || target !== repoRoot && !target.startsWith(repoRoot + sep4)) {
+        return null;
+      }
+      const content = readFileSync12(target, "utf8");
+      const lines = content.split(/\r?\n/);
+      const idx = line - 1;
+      if (idx < 0 || idx >= lines.length) return null;
+      return lines[idx] ?? null;
+    } catch {
+      return null;
+    }
+  };
 }
-function syncedSections(st) {
-  const sessions = st.dryRun ? st.remap.wouldPush : st.remap.pushed;
-  const extras = st.dryRun ? st.extras.wouldPush : st.extras.pushed;
-  return [
-    buildSessionsSection(sessions, st.remap.unmapped),
-    buildExtrasSection(extras, st.extras.skipped)
-  ];
+async function collectActions(findings, prompt, readLine) {
+  const reader = readLine ?? makeDefaultReadLine(repoHome());
+  const actions = /* @__PURE__ */ new Map();
+  for (const f of findings) {
+    const sid = sessionIdFromFinding(f);
+    const ctx = buildFindingContext(f, reader);
+    const header = `
+Finding: ${f.RuleID} in ${f.File} line ${f.StartLine}` + (sid === null ? "" : ` (session: ${sid})`) + (ctx === null ? "" : `
+  context: ${ctx}`) + "\n  [R]edact  [A]llow  [D]rop session  [S]kip (default)\n";
+    actions.set(findingKey(f), parseAction(await prompt(header + "> ")));
+  }
+  return actions;
 }
-function summarySection(st) {
-  const s = section("Summary");
-  const unmapped = st.remap.unmapped + st.extras.unmapped;
-  addItem(s, summaryRow("push", unmapped, st.remap.collisions, st.extras.skipped));
-  return s;
+function dispatchOne(f, ctx) {
+  const action = ctx.actions.get(findingKey(f)) ?? "skip";
+  if (action === "skip") return;
+  const sid = sessionIdFromFinding(f);
+  if (sid !== null && ctx.droppedSids.has(sid)) return;
+  if (action === "allow") {
+    applyAllow(f, ctx.repo);
+    return;
+  }
+  if (sid === null) return;
+  if (action === "drop") {
+    ctx.droppedSids.add(sid);
+    if (ctx.drop(sid, ctx.map)) {
+      log(
+        `dropped session ${sid} from this push (local transcript kept; the secret remains in your local copy)`
+      );
+    }
+    return;
+  }
+  if (action === "redact" && !ctx.redactedSids.has(sid)) {
+    if (applyRedact(f, ctx.ts, ctx.map, ctx.nowMs, ctx.scan)) ctx.redactedSids.add(sid);
+  }
 }
-function renderPushTree(st, verdict) {
-  const leakScan = section("Leak scan");
-  addItem(leakScan, verdict.verdictRow);
-  renderTree([...syncedSections(st), leakScan, summarySection(st)]);
+function dispatchActions(findings, actions, opts) {
+  const { ts, map, nowMs, repo, scan = scanFile, drop = dropSessionFromStaged } = opts;
+  const ctx = {
+    actions,
+    ts,
+    map,
+    nowMs,
+    repo,
+    scan,
+    drop,
+    redactedSids: /* @__PURE__ */ new Set(),
+    droppedSids: /* @__PURE__ */ new Set()
+  };
+  for (const f of findings) {
+    dispatchOne(f, ctx);
+  }
 }
-function renderNoScanTree(st, opts = {}) {
-  const sections = [];
-  if (opts.noMapHint === true) {
-    const pathMap = section("Path map");
-    addItem(pathMap, `${dim(infoGlyph)} no path-map.json (nothing to preview)`);
-    sections.push(pathMap);
+function redactAllFindings(findings, ts, map, nowMs, scan = scanFile) {
+  const redactedSids = /* @__PURE__ */ new Set();
+  for (const f of findings) {
+    const sid = sessionIdFromFinding(f);
+    if (sid === null || redactedSids.has(sid)) continue;
+    if (applyRedact(f, ts, map, nowMs, scan)) redactedSids.add(sid);
   }
-  renderTree([...sections, ...syncedSections(st), summarySection(st)]);
 }
 
-// src/commands.pull.ts
-init_config();
-
-// src/extras-sync.ts
-init_config();
-import { existsSync as existsSync29 } from "node:fs";
-import { join as join34 } from "node:path";
-
-// src/extras-sync.diff.ts
+// src/commands.push.recovery.ts
+init_push_gitleaks_scan();
+init_push_gitleaks();
 init_utils();
-import { execFileSync as execFileSync13 } from "node:child_process";
-function labelDiffLine(line) {
-  const tab = line.indexOf("	");
-  if (tab === -1) return line;
-  const status = line.slice(0, tab);
-  const path = line.slice(tab + 1);
-  if (status === "D") return `${path} (local only)`;
-  if (status === "A") return `${path} (repo only)`;
-  return path;
+function isTTY(stdin = process.stdin, stdout = process.stdout) {
+  return stdin.isTTY === true && stdout.isTTY === true;
 }
-function parseDiffOutput(stdout) {
-  return stdout.split("\n").filter((line) => line.length > 0).map(labelDiffLine);
+function hasUnresolved(actions) {
+  for (const action of actions.values()) {
+    if (action === "skip") return true;
+  }
+  return false;
 }
-function listDivergingFiles(a, b) {
+function printRecoveryLegend(print = console.log) {
+  print("");
+  print("Recovery actions:");
+  print("  Redact       - scrub the secret from the local transcript, push the cleaned copy");
+  print("  Allow        - mark as false positive (adds a .gitleaksignore fingerprint), push as-is");
+  print("  Drop session - exclude this session from this push (local transcript kept, running");
+  print("                 session is not stopped)");
+  print("  Skip         - leave unresolved (the push aborts)");
+  print("");
+}
+function applyThenRescan(scanVerdict, repoHome2) {
+  gitOrFatal(["add", "-A"], "git add", repoHome2);
+  const next = scanVerdict(repoHome2);
+  if (next.leak) {
+    const { bySession, other } = partitionFindings(next.findings);
+    throw new NomadFatal(buildSessionAwareFatal(bySession, other));
+  }
+  return next;
+}
+function allowThenRescan(append, scanVerdict, repoHome2) {
+  const ignPath = join31(repoHome2, ".gitleaksignore");
+  let before;
   try {
-    const stdout = execFileSync13("git", ["diff", "--no-index", "--name-status", a, b], {
-      stdio: ["ignore", "pipe", "pipe"]
-    }).toString();
-    return parseDiffOutput(stdout);
+    before = readFileSync13(ignPath, "utf8");
+  } catch {
+    before = null;
+  }
+  append();
+  try {
+    return applyThenRescan(scanVerdict, repoHome2);
   } catch (err) {
-    const e = err;
-    if (e.status === 1 && e.stdout !== void 0) {
-      return parseDiffOutput(e.stdout.toString());
-    }
-    if (e.code === "ENOENT") {
-      warn(`git not on PATH; divergence check skipped for ${a}`);
-      return [];
-    }
-    warn(`divergence check failed for ${a}: ${e.message ?? String(err)}`);
-    return [];
+    if (before === null) rmSync9(ignPath, { force: true });
+    else writeFileSync5(ignPath, before, "utf8");
+    throw err;
   }
 }
-
-// src/extras-sync.core.ts
-init_config();
-import { cpSync as cpSync5, existsSync as existsSync27, rmSync as rmSync8 } from "node:fs";
-import { join as join32 } from "node:path";
-
-// src/extras-sync.guards.ts
-init_utils();
-init_config_sharedDirs_guard();
-import { isAbsolute, normalize } from "node:path";
-function assertSafeLocalRoot(localRoot, logical) {
-  if (!isAbsolute(localRoot)) {
-    throw new NomadFatal(
-      `invalid localRoot for ${logical} in path-map.json: ${JSON.stringify(localRoot)} (must be absolute)`
-    );
+function makeRealPrompt() {
+  return async (prompt) => {
+    const rl = createInterface({
+      input: process.stdin,
+      output: process.stdout,
+      terminal: true
+    });
+    try {
+      return await rl.question(prompt);
+    } finally {
+      rl.close();
+    }
+  };
+}
+async function resolveLeakFindings(verdict, ts, map, deps = {}) {
+  const {
+    isTTYCheck = isTTY,
+    nowMs = Date.now,
+    redactAll = false,
+    allowAll = false,
+    allowRule,
+    makePrompt: makePromptFn = makeRealPrompt,
+    scan = scanFile,
+    printLegend = printRecoveryLegend
+  } = deps;
+  const scanVerdict = deps.scanVerdict ?? (await Promise.resolve().then(() => (init_push_leak_verdict(), push_leak_verdict_exports))).scanPushVerdict;
+  const repo = repoHome();
+  let current = verdict;
+  if (redactAll) {
+    redactAllFindings(current.findings, ts, map, nowMs, scan);
+    return applyThenRescan(scanVerdict, repo);
   }
-  if (localRoot !== normalize(localRoot)) {
-    throw new NomadFatal(
-      `invalid localRoot for ${logical} in path-map.json: ${JSON.stringify(localRoot)} (must be already-normalized; no '..' or redundant segments)`
+  if (allowAll) {
+    return allowThenRescan(() => allowAllFindings(current.findings, repo), scanVerdict, repo);
+  }
+  if (allowRule !== void 0) {
+    return allowThenRescan(
+      () => {
+        const matched = allowFindingsByRule(current.findings, allowRule, repo);
+        if (matched === 0) log(`no findings matched rule ${allowRule}; re-scanning`);
+      },
+      scanVerdict,
+      repo
     );
   }
+  if (!isTTYCheck()) {
+    throw new NomadFatal(current.recovery ?? "gitleaks detected secrets");
+  }
+  const prompt = makePromptFn();
+  printLegend();
+  while (current.leak && current.findings.length > 0) {
+    const actions = await collectActions(current.findings, prompt);
+    if (hasUnresolved(actions)) {
+      const unresolved = current.findings.filter((f) => actions.get(findingKey(f)) === "skip");
+      const { bySession, other } = partitionFindings(unresolved);
+      throw new NomadFatal(buildSessionAwareFatal(bySession, other));
+    }
+    dispatchActions(current.findings, actions, { ts, map, nowMs, repo, scan });
+    gitOrFatal(["add", "-A"], "git add", repo);
+    current = scanVerdict(repo);
+  }
+  return current;
 }
 
-// src/extras-sync.core.ts
-init_utils();
-init_utils_json();
-function loadValidatedExtras(opts) {
-  const repo = repoHome();
-  const mapPath = join32(repo, "path-map.json");
-  const repoExtras = join32(repo, "shared", "extras");
-  if (!existsSync27(mapPath) || opts.requireRepoExtras === true && !existsSync27(repoExtras)) {
-    if (opts.missingMsg !== void 0) log(opts.missingMsg);
-    return null;
-  }
-  const map = readPathMap(mapPath);
-  const extrasMap = map.extras ?? {};
-  if (Object.keys(extrasMap).length === 0) return null;
-  for (const logical of Object.keys(extrasMap)) {
-    assertSafeLogical(logical);
-    const localRoot = map.projects[logical]?.[HOST];
-    if (localRoot && localRoot !== "TBD") assertSafeLocalRoot(localRoot, logical);
-  }
-  return { map, extrasMap };
+// src/spinner.ts
+function formatElapsed(ms) {
+  return `${(ms / 1e3).toFixed(1)}s`;
 }
-function* eachExtrasTarget(v, counts) {
-  const whitelist = SUPPORTED_EXTRAS;
-  for (const [logical, dirnames] of Object.entries(v.extrasMap)) {
-    const localRoot = v.map.projects[logical]?.[HOST];
-    if (!localRoot || localRoot === "TBD") {
-      counts.unmapped++;
-      continue;
+function writePlainStart(out, label) {
+  out.write(`${label}...
+`);
+}
+function writePlainDone(out, label, ms) {
+  out.write(`${label} done (${formatElapsed(ms)})
+`);
+}
+function writeAnimatedDone(out, label, ms, useTTY) {
+  out.write("\r\x1B[K");
+  const glyph = useTTY ? green(okGlyph) : okGlyph;
+  out.write(`${glyph} ${label} (${formatElapsed(ms)})
+`);
+}
+function resolveWorkerPath(deps = {}) {
+  const check = deps.existsSyncFn ?? existsSync25;
+  const base = deps.baseUrl ?? import.meta.url;
+  const mjs = fileURLToPath4(new URL("./nomad.worker.mjs", base));
+  if (check(mjs)) return mjs;
+  return fileURLToPath4(new URL("./spinner.worker.ts", base));
+}
+function makeRealWorker() {
+  return new Worker(resolveWorkerPath());
+}
+function startSpinner(label, deps = {}) {
+  const ttyCheck = deps.isTTYCheck ?? (() => isTTY());
+  const env = deps.env ?? process.env;
+  const out = deps.out ?? process.stderr;
+  const now = deps.now ?? Date.now;
+  const startMs = now();
+  const animate = ttyCheck() && !env.CI;
+  let worker = null;
+  let degraded = false;
+  let finalized = false;
+  if (animate) {
+    const factory = deps.makeWorker ?? makeRealWorker;
+    try {
+      worker = factory();
+      worker.unref?.();
+      worker.postMessage({ type: "start", label });
+    } catch {
+      degraded = true;
+      worker = null;
+      writePlainStart(out, label);
     }
-    for (const dirname7 of dirnames) {
-      if (!whitelist.includes(dirname7)) {
-        counts.skipped++;
-        continue;
-      }
-      yield { logical, localRoot, dirname: dirname7 };
+  } else {
+    writePlainStart(out, label);
+  }
+  function finalize(success, doneLabel) {
+    if (finalized) return;
+    finalized = true;
+    const dl = doneLabel ?? label;
+    const elapsed = now() - startMs;
+    if (animate && !degraded && worker !== null) {
+      worker.postMessage({ type: "pause" });
+      worker.terminate();
+      worker = null;
+      if (success) writeAnimatedDone(out, dl, elapsed, ttyCheck());
+      else out.write("\r\x1B[K");
+    } else if (success) {
+      writePlainDone(out, dl, elapsed);
     }
   }
+  return {
+    succeed: (doneLabel) => finalize(true, doneLabel),
+    stop: () => finalize(false)
+  };
 }
-function copyExtras(src, dst) {
-  rmSync8(dst, { recursive: true, force: true });
-  cpSync5(src, dst, { recursive: true, force: true, verbatimSymlinks: true });
+function withSpinner(label, fn, deps) {
+  const sp = startSpinner(label, deps);
+  try {
+    const result = fn();
+    sp.succeed();
+    return result;
+  } finally {
+    sp.stop();
+  }
 }
 
-// src/extras-sync.ts
-init_utils();
-init_utils_json();
-
-// src/extras-sync.remap.ts
+// src/commands.doctor.gitleaks-version.ts
+init_color();
+import { execFileSync as execFileSync7 } from "node:child_process";
+import { existsSync as existsSync26 } from "node:fs";
+import { join as join32 } from "node:path";
 init_config();
-import { existsSync as existsSync28, mkdirSync as mkdirSync6 } from "node:fs";
-import { join as join33 } from "node:path";
-init_utils_fs();
-function runExtrasOp(v, dryRun, paths, backup) {
-  const counts = { unmapped: 0, skipped: 0 };
-  const done = [];
-  const would = [];
-  for (const t of eachExtrasTarget(v, counts)) {
-    const { src, dst } = paths(t);
-    if (!existsSync28(src)) continue;
-    const item2 = `${t.logical}/${t.dirname}`;
-    if (dryRun) {
-      would.push(item2);
-      continue;
-    }
-    backup(dst, t.localRoot);
-    copyExtras(src, dst);
-    done.push(item2);
-  }
-  return { ...counts, done, would };
+var SEMVER_MAJOR_MINOR = /^(\d+)\.(\d+)\.\d+$/;
+var GITLEAKS_TIMEOUT_MS = 5e3;
+function majorMinorOf(value) {
+  const m = SEMVER_MAJOR_MINOR.exec(value);
+  return m === null ? null : [m[1], m[2]];
 }
-function remapExtrasPush(ts, opts = {}) {
-  const dryRun = opts.dryRun === true;
-  const v = loadValidatedExtras({ missingMsg: "no path-map.json; skipping extras push" });
-  if (v === null) return { unmapped: 0, skipped: 0, pushed: [], wouldPush: [] };
-  const repo = repoHome();
-  const repoExtras = join33(repo, "shared", "extras");
-  if (!dryRun) mkdirSync6(repoExtras, { recursive: true });
-  const { unmapped, skipped, done, would } = runExtrasOp(
-    v,
-    dryRun,
-    ({ localRoot, logical, dirname: dirname7 }) => ({
-      src: join33(localRoot, dirname7),
-      dst: join33(repoExtras, logical, dirname7)
-    }),
-    (dst) => backupRepoWrite(dst, ts, repo)
-  );
-  return { unmapped, skipped, pushed: done, wouldPush: would };
+function readGitleaksVersion(run, tomlExists) {
+  const tomlPath = join32(repoHome(), ".gitleaks.toml");
+  const args = ["version"];
+  if (tomlExists(tomlPath)) args.push("--config", tomlPath);
+  try {
+    return run("gitleaks", args, {
+      stdio: ["ignore", "pipe", "pipe"],
+      timeout: GITLEAKS_TIMEOUT_MS
+    }).toString().trim();
+  } catch {
+    return null;
+  }
 }
-function remapExtrasPull(ts, opts = {}) {
-  const dryRun = opts.dryRun === true;
-  const v = loadValidatedExtras({
-    requireRepoExtras: true,
-    missingMsg: "no path-map or repo extras dir; skipping extras remap"
-  });
-  if (v === null) return { unmapped: 0, skipped: 0, pulled: [], wouldPull: [] };
-  const repoExtras = join33(repoHome(), "shared", "extras");
-  const { unmapped, skipped, done, would } = runExtrasOp(
-    v,
-    dryRun,
-    ({ localRoot, logical, dirname: dirname7 }) => ({
-      src: join33(repoExtras, logical, dirname7),
-      dst: join33(localRoot, dirname7)
-    }),
-    // Snapshot the host-side dst BEFORE copyExtras clobbers it. Anchor on
-    // localRoot so the backup tree mirrors the project layout.
-    (dst, localRoot) => backupExtrasWrite(dst, ts, localRoot)
+function reportGitleaksVersionCheck(section2, run = execFileSync7, tomlExists = existsSync26) {
+  const raw = readGitleaksVersion(run, tomlExists);
+  if (raw === null) return;
+  const local = majorMinorOf(raw);
+  if (local === null) return;
+  const pin = majorMinorOf(GITLEAKS_PINNED_VERSION);
+  if (pin === null) return;
+  const sameMajorMinor = local[0] === pin[0] && local[1] === pin[1];
+  if (sameMajorMinor) {
+    addItem(section2, `${green(okGlyph)} gitleaks: ${raw} (matches pinned ${pin[0]}.${pin[1]})`);
+    return;
+  }
+  addItem(
+    section2,
+    `${yellow(warnGlyph)} gitleaks: ${raw} -> ${GITLEAKS_PINNED_VERSION} (CI pins this; local drift may change scan results)`
   );
-  return { unmapped, skipped, pulled: done, wouldPull: would };
 }
 
-// src/extras-sync.ts
-function divergenceCheckExtras(ts) {
-  const v = loadValidatedExtras({});
-  if (v === null) return;
-  const counts = { unmapped: 0, skipped: 0 };
-  const backupRoot = join34(backupBase(), ts, "extras");
-  const repo = repoHome();
-  for (const { logical, localRoot, dirname: dirname7 } of eachExtrasTarget(v, counts)) {
-    const local = join34(localRoot, dirname7);
-    const repoEntry = join34(repo, "shared", "extras", logical, dirname7);
-    if (!existsSync29(local) || !existsSync29(repoEntry)) continue;
-    const diff = listDivergingFiles(local, repoEntry);
-    if (diff.length === 0) continue;
-    const projectBackupRoot = join34(backupRoot, encodePath(localRoot));
-    warn(
-      `local ${dirname7} for ${logical} diverges from origin in ${diff.length} file(s); next remapExtrasPull will overwrite them (backups at ${projectBackupRoot}/)`
-    );
-    for (const f of diff) warn(`  ${f}`);
+// src/commands.doctor.checks.deps.ts
+init_color();
+import { execFileSync as execFileSync8 } from "node:child_process";
+var VERSION_TOKEN = /(\d{1,9}\.\d{1,9}\.\d{1,9})/;
+var PROBE_TIMEOUT_MS = 3e3;
+var FETCHER_BASE = "HTTP fetcher";
+function parseFirstVersion(line) {
+  const m = VERSION_TOKEN.exec(line);
+  return m ? m[1] : null;
+}
+function probeOptionalDep(bin, run) {
+  try {
+    const firstLine = run(bin, ["--version"], {
+      stdio: ["ignore", "pipe", "pipe"],
+      timeout: PROBE_TIMEOUT_MS
+    }).toString().split("\n")[0].trim();
+    const version = parseFirstVersion(firstLine);
+    return { status: "present", version };
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      return { status: "not-installed" };
+    }
+    return { status: "present", version: null };
   }
 }
-
-// src/links.ts
-init_config();
-init_utils();
-init_utils_fs();
-init_utils_json();
-import { existsSync as existsSync30, lstatSync as lstatSync8, rmSync as rmSync9 } from "node:fs";
-import { join as join35 } from "node:path";
-function emitAutoMove(onPreview, linkPath, ts, name) {
-  if (onPreview) {
-    onPreview({ kind: "auto-move", from: linkPath, to: `backup/${ts}/${name}` });
+function reportFetcherRow(section2, run) {
+  const curl = probeOptionalDep("curl", run);
+  const wget = probeOptionalDep("wget", run);
+  if (curl.status === "present") {
+    addItem(section2, `${green(okGlyph)} ${FETCHER_BASE}: curl ${curl.version ?? "(present)"}`);
+  } else if (wget.status === "present") {
+    addItem(section2, `${green(okGlyph)} ${FETCHER_BASE}: wget ${wget.version ?? "(present)"}`);
   } else {
-    log(`would auto-move non-symlink: ${linkPath} -> backup/${ts}/${name}`);
+    addItem(
+      section2,
+      `${yellow(warnGlyph)} ${FETCHER_BASE} (curl or wget): not installed (optional; needed for release-version staleness check + nomad doctor --check-schema)`
+    );
   }
 }
-function emitCreate(onPreview, from, to) {
-  if (onPreview) {
-    onPreview({ kind: "create", from, to });
+function reportOptionalDeps(section2, run = execFileSync8) {
+  const gh = probeOptionalDep("gh", run);
+  if (gh.status === "present") {
+    addItem(section2, `${green(okGlyph)} gh: ${gh.version ?? "present"}`);
   } else {
-    log(`would create symlink: ${from} -> ${to}`);
+    addItem(
+      section2,
+      `${yellow(warnGlyph)} gh: not installed (optional; needed for nomad init Actions auto-disable + the Actions-drift check)`
+    );
   }
-}
-function applySharedLinks(ts, map, opts = {}) {
-  const dryRun = opts.dryRun === true;
-  const claude = claudeHome();
-  const repo = repoHome();
-  const linkNames = allSharedLinks(map);
-  for (const name of linkNames) {
-    const linkPath = join35(claude, name);
-    const target = join35(repo, "shared", name);
-    if (!existsSync30(linkPath)) continue;
-    if (lstatSync8(linkPath).isSymbolicLink()) continue;
-    if (!existsSync30(target)) continue;
-    if (dryRun) {
-      emitAutoMove(opts.onPreview, linkPath, ts, name);
-      continue;
-    }
-    backupBeforeWrite(linkPath, ts);
-    rmSync9(linkPath, { recursive: true, force: true });
-  }
-  for (const name of linkNames) {
-    const target = join35(repo, "shared", name);
-    if (!existsSync30(target)) continue;
-    if (dryRun) {
-      emitCreate(opts.onPreview, join35(claude, name), target);
-      continue;
-    }
-    ensureSymlink(join35(claude, name), target);
-  }
-}
-function regenerateSettings(ts, opts = {}) {
-  const dryRun = opts.dryRun === true;
-  const repo = repoHome();
-  const claude = claudeHome();
-  const basePath = join35(repo, "shared", "settings.base.json");
-  const hostPath = join35(repo, "hosts", `${HOST}.json`);
-  if (!existsSync30(basePath)) {
-    die("repo not initialized; run 'nomad init' to scaffold");
-  }
-  const base = readJson(basePath);
-  const hasOverrides = existsSync30(hostPath);
-  const overrides = hasOverrides ? readJson(hostPath) : {};
-  const merged = deepMerge(base, overrides);
-  const settingsPath = join35(claude, "settings.json");
-  if (!hasOverrides && existsSync30(settingsPath)) {
-    try {
-      const existing = readJson(settingsPath);
-      const baseKeys = new Set(Object.keys(base));
-      const drift = Object.keys(existing).filter((k) => !baseKeys.has(k));
-      if (drift.length > 0) {
-        warn(
-          `no hosts/${HOST}.json found; existing settings has unbased keys ${JSON.stringify(drift)}. Set NOMAD_HOST to match a hosts/*.json or rerun 'nomad doctor' for candidates.`
-        );
-      }
-    } catch {
-      warn("existing settings.json is malformed; skipping drift-check and regenerating.");
-    }
-  }
-  const overrideLabel = hasOverrides ? `${HOST}.json` : "no host overrides";
-  if (dryRun) {
-    log(`would write settings.json (base + ${overrideLabel})`);
-    return { label: overrideLabel };
-  }
-  backupBeforeWrite(settingsPath, ts);
-  writeJsonAtomic(settingsPath, merged);
-  return { label: overrideLabel };
+  reportFetcherRow(section2, run);
 }
 
-// src/preview.ts
+// src/commands.doctor.actions-drift.ts
+init_color();
+import { execFileSync as execFileSync10 } from "node:child_process";
 init_config();
-import { existsSync as existsSync31 } from "node:fs";
-import { join as join36 } from "node:path";
 
-// node_modules/diff/libesm/diff/base.js
-var Diff = class {
-  diff(oldStr, newStr, options = {}) {
-    let callback;
-    if (typeof options === "function") {
-      callback = options;
-      options = {};
-    } else if ("callback" in options) {
-      callback = options.callback;
-    }
-    const oldString = this.castInput(oldStr, options);
-    const newString = this.castInput(newStr, options);
-    const oldTokens = this.removeEmpty(this.tokenize(oldString, options));
-    const newTokens = this.removeEmpty(this.tokenize(newString, options));
-    return this.diffWithOptionsObj(oldTokens, newTokens, options, callback);
-  }
-  diffWithOptionsObj(oldTokens, newTokens, options, callback) {
-    var _a;
-    const done = (value) => {
-      value = this.postProcess(value, options);
-      if (callback) {
-        setTimeout(function() {
-          callback(value);
-        }, 0);
-        return void 0;
-      } else {
-        return value;
-      }
-    };
-    const newLen = newTokens.length, oldLen = oldTokens.length;
-    let editLength = 1;
-    let maxEditLength = newLen + oldLen;
-    if (options.maxEditLength != null) {
-      maxEditLength = Math.min(maxEditLength, options.maxEditLength);
-    }
-    const maxExecutionTime = (_a = options.timeout) !== null && _a !== void 0 ? _a : Infinity;
-    const abortAfterTimestamp = Date.now() + maxExecutionTime;
-    const bestPath = [{ oldPos: -1, lastComponent: void 0 }];
-    let newPos = this.extractCommon(bestPath[0], newTokens, oldTokens, 0, options);
-    if (bestPath[0].oldPos + 1 >= oldLen && newPos + 1 >= newLen) {
-      return done(this.buildValues(bestPath[0].lastComponent, newTokens, oldTokens));
-    }
-    let minDiagonalToConsider = -Infinity, maxDiagonalToConsider = Infinity;
-    const execEditLength = () => {
-      for (let diagonalPath = Math.max(minDiagonalToConsider, -editLength); diagonalPath <= Math.min(maxDiagonalToConsider, editLength); diagonalPath += 2) {
-        let basePath;
-        const removePath = bestPath[diagonalPath - 1], addPath = bestPath[diagonalPath + 1];
-        if (removePath) {
-          bestPath[diagonalPath - 1] = void 0;
-        }
-        let canAdd = false;
-        if (addPath) {
-          const addPathNewPos = addPath.oldPos - diagonalPath;
-          canAdd = addPath && 0 <= addPathNewPos && addPathNewPos < newLen;
-        }
-        const canRemove = removePath && removePath.oldPos + 1 < oldLen;
-        if (!canAdd && !canRemove) {
-          bestPath[diagonalPath] = void 0;
-          continue;
-        }
-        if (!canRemove || canAdd && removePath.oldPos < addPath.oldPos) {
-          basePath = this.addToPath(addPath, true, false, 0, options);
-        } else {
-          basePath = this.addToPath(removePath, false, true, 1, options);
-        }
-        newPos = this.extractCommon(basePath, newTokens, oldTokens, diagonalPath, options);
-        if (basePath.oldPos + 1 >= oldLen && newPos + 1 >= newLen) {
-          return done(this.buildValues(basePath.lastComponent, newTokens, oldTokens)) || true;
-        } else {
-          bestPath[diagonalPath] = basePath;
-          if (basePath.oldPos + 1 >= oldLen) {
-            maxDiagonalToConsider = Math.min(maxDiagonalToConsider, diagonalPath - 1);
-          }
-          if (newPos + 1 >= newLen) {
-            minDiagonalToConsider = Math.max(minDiagonalToConsider, diagonalPath + 1);
-          }
-        }
-      }
-      editLength++;
-    };
-    if (callback) {
-      (function exec() {
-        setTimeout(function() {
-          if (editLength > maxEditLength || Date.now() > abortAfterTimestamp) {
-            return callback(void 0);
-          }
-          if (!execEditLength()) {
-            exec();
-          }
-        }, 0);
-      })();
-    } else {
-      while (editLength <= maxEditLength && Date.now() <= abortAfterTimestamp) {
-        const ret = execEditLength();
-        if (ret) {
-          return ret;
-        }
-      }
-    }
-  }
-  addToPath(path, added, removed, oldPosInc, options) {
-    const last = path.lastComponent;
-    if (last && !options.oneChangePerToken && last.added === added && last.removed === removed) {
-      return {
-        oldPos: path.oldPos + oldPosInc,
-        lastComponent: { count: last.count + 1, added, removed, previousComponent: last.previousComponent }
-      };
-    } else {
-      return {
-        oldPos: path.oldPos + oldPosInc,
-        lastComponent: { count: 1, added, removed, previousComponent: last }
-      };
-    }
+// src/gh-actions.ts
+import { execFileSync as execFileSync9 } from "node:child_process";
+var GH_TIMEOUT_MS = 5e3;
+function parseGitHubRemote(remoteUrl) {
+  const normalized = remoteUrl.trim().replace(/\/$/, "");
+  const m = /github\.com[:/]([^/]+)\/([^/]+?)(?:\.git)?$/.exec(normalized);
+  if (m === null) return null;
+  return { owner: m[1], repo: m[2] };
+}
+function ghAuthStatus(run = execFileSync9) {
+  try {
+    run("gh", ["auth", "status"], {
+      stdio: ["ignore", "ignore", "ignore"],
+      timeout: GH_TIMEOUT_MS
+    });
+    return null;
+  } catch (err) {
+    const e = err;
+    if (e.code === "ENOENT") return "gh-not-installed";
+    if (typeof e.status === "number") return "gh-not-authed";
+    return "gh-probe-error";
   }
-  extractCommon(basePath, newTokens, oldTokens, diagonalPath, options) {
-    const newLen = newTokens.length, oldLen = oldTokens.length;
-    let oldPos = basePath.oldPos, newPos = oldPos - diagonalPath, commonCount = 0;
-    while (newPos + 1 < newLen && oldPos + 1 < oldLen && this.equals(oldTokens[oldPos + 1], newTokens[newPos + 1], options)) {
-      newPos++;
-      oldPos++;
-      commonCount++;
-      if (options.oneChangePerToken) {
-        basePath.lastComponent = { count: 1, previousComponent: basePath.lastComponent, added: false, removed: false };
-      }
-    }
-    if (commonCount && !options.oneChangePerToken) {
-      basePath.lastComponent = { count: commonCount, previousComponent: basePath.lastComponent, added: false, removed: false };
-    }
-    basePath.oldPos = oldPos;
-    return newPos;
+}
+function isRepoPrivate(ref, run = execFileSync9) {
+  const out = run("gh", ["repo", "view", `${ref.owner}/${ref.repo}`, "--json", "isPrivate"], {
+    stdio: ["ignore", "pipe", "ignore"],
+    timeout: GH_TIMEOUT_MS
+  }).toString();
+  const parsed = JSON.parse(out);
+  return parsed.isPrivate === true;
+}
+function isActionsEnabled(ref, run = execFileSync9) {
+  const out = run(
+    "gh",
+    ["api", `repos/${ref.owner}/${ref.repo}/actions/permissions`, "--jq", ".enabled"],
+    { stdio: ["ignore", "pipe", "ignore"], timeout: GH_TIMEOUT_MS }
+  ).toString().trim();
+  return out === "true";
+}
+function disableActions(ref, run = execFileSync9) {
+  run(
+    "gh",
+    [
+      "api",
+      "-X",
+      "PUT",
+      `repos/${ref.owner}/${ref.repo}/actions/permissions`,
+      "-F",
+      "enabled=false"
+    ],
+    { stdio: ["ignore", "ignore", "pipe"], timeout: GH_TIMEOUT_MS }
+  );
+}
+function readOriginRemote(cwd, run = execFileSync9) {
+  return run("git", ["remote", "get-url", "origin"], {
+    cwd,
+    stdio: ["ignore", "pipe", "ignore"]
+  }).toString().trim();
+}
+
+// src/commands.doctor.actions-drift.ts
+function reportActionsDrift(section2, run = execFileSync10) {
+  let remote;
+  try {
+    remote = readOriginRemote(repoHome(), run);
+  } catch {
+    return;
   }
-  equals(left, right, options) {
-    if (options.comparator) {
-      return options.comparator(left, right);
-    } else {
-      return left === right || !!options.ignoreCase && left.toLowerCase() === right.toLowerCase();
-    }
+  const ref = parseGitHubRemote(remote);
+  if (ref === null) return;
+  const auth = ghAuthStatus(run);
+  if (auth === "gh-not-installed" || auth === "gh-not-authed") return;
+  let isPrivate;
+  try {
+    isPrivate = isRepoPrivate(ref, run);
+  } catch {
+    return;
   }
-  removeEmpty(array) {
-    const ret = [];
-    for (let i = 0; i < array.length; i++) {
-      if (array[i]) {
-        ret.push(array[i]);
-      }
-    }
-    return ret;
+  if (!isPrivate) return;
+  let enabled2;
+  try {
+    enabled2 = isActionsEnabled(ref, run);
+  } catch {
+    return;
   }
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  castInput(value, options) {
-    return value;
+  if (!enabled2) return;
+  addItem(
+    section2,
+    `${yellow(warnGlyph)} Actions: enabled on private repo ${ref.owner}/${ref.repo} (re-disable with 'gh api -X PUT repos/${ref.owner}/${ref.repo}/actions/permissions -F enabled=false')`
+  );
+}
+
+// src/commands.doctor.verdict.ts
+init_color();
+function isFailLine(item2) {
+  return item2.includes(failGlyph);
+}
+function isWarnLine(item2) {
+  return !isFailLine(item2) && item2.includes(warnGlyph);
+}
+function buildVerdictSection(sections) {
+  const summary = section("Summary");
+  const lines = sections.flatMap((s) => s.items).map((item2) => item2.replace(/^\t/, ""));
+  const failures = lines.filter(isFailLine);
+  const warnings = lines.filter(isWarnLine);
+  for (const line of [...failures, ...warnings]) addItem(summary, line);
+  if (failures.length > 0) {
+    addItem(
+      summary,
+      `${red(failGlyph)} ${failures.length} failure(s), ${warnings.length} warning(s)`
+    );
+  } else if (warnings.length > 0) {
+    addItem(summary, `${yellow(warnGlyph)} ${warnings.length} warning(s)`);
+  } else {
+    addItem(summary, `${green(okGlyph)} healthy`);
   }
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  tokenize(value, options) {
-    return Array.from(value);
+  return summary;
+}
+
+// src/commands.doctor.ts
+function gatherDoctorSections(opts) {
+  const host = section("Environment");
+  reportHostAndPaths(host);
+  reportRepoState(host);
+  const links = section("Shared links");
+  const mapPath = join33(repoHome(), "path-map.json");
+  const rawMap = existsSync27(mapPath) ? readJsonSafe(mapPath, mapPath, links) : null;
+  const map = rawMap ?? { projects: {} };
+  reportSharedLinks(links, map);
+  const hooksScan = section("Hook targets");
+  reportHooksTargetCheck(hooksScan);
+  reportHookScopeCheck(hooksScan);
+  reportPreserveSymlinksCheck(hooksScan);
+  const settings = section("Settings");
+  const base = loadBaseSettings(settings);
+  const parsedSettings = loadAndReportSettings(settings);
+  reportHostOverrides(settings, base, parsedSettings);
+  reportSettingsDriftCheck(settings);
+  const pathMap = section("Path map");
+  reportPathMap(pathMap);
+  const neverSync = section("Never-sync");
+  reportNeverSync(neverSync);
+  const repository = section("Repository");
+  const gitleaksReady = reportGitleaksProbe(repository);
+  reportGitlinks(repository);
+  reportRemote(repository);
+  reportRebaseClean(repository);
+  reportRebaseState(repository);
+  reportActionsDrift(repository);
+  const nomadVersion = section("Nomad Version");
+  reportVersionCheck(nomadVersion);
+  const housekeeping = section("Housekeeping");
+  reportBackupsCheck(housekeeping);
+  const depVersions = section("Dependency Versions");
+  reportNodeEngineCheck(depVersions);
+  reportGitleaksVersionCheck(depVersions);
+  reportOptionalDeps(depVersions);
+  const sharedScan = section("Shared scan");
+  if (opts.checkShared === true) reportCheckShared(sharedScan, gitleaksReady);
+  const schemaScan = section("Schema scan");
+  if (opts.checkSchema === true) reportCheckSchema(schemaScan);
+  const body = [
+    nomadVersion,
+    depVersions,
+    host,
+    links,
+    hooksScan,
+    settings,
+    pathMap,
+    neverSync,
+    repository,
+    housekeeping,
+    sharedScan,
+    schemaScan
+  ];
+  return [...body, buildVerdictSection(body)];
+}
+function cmdDoctor(opts = {}) {
+  const makeSpinner = opts.startSpinner ?? startSpinner;
+  const sp = makeSpinner("Running checks");
+  let report;
+  try {
+    report = gatherDoctorSections(opts);
+  } finally {
+    sp.stop();
   }
-  join(chars) {
-    return chars.join("");
+  renderDoctor(report);
+}
+
+// src/commands.drop-session.ts
+init_config();
+import { execFileSync as execFileSync12 } from "node:child_process";
+import { existsSync as existsSync29, readdirSync as readdirSync10, statSync as statSync8 } from "node:fs";
+import { join as join35, relative as relative4 } from "node:path";
+
+// src/commands.drop-session.git.ts
+import { execFileSync as execFileSync11 } from "node:child_process";
+function expandStagedDir(dirRel, repo) {
+  try {
+    const out = execFileSync11("git", ["ls-files", "-z", "--", dirRel], {
+      cwd: repo,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    return out.toString().split("\0").filter((p) => p !== "");
+  } catch {
+    return [];
   }
-  postProcess(changeObjects, options) {
-    return changeObjects;
+}
+function isTrackedInHead(rel, repo) {
+  try {
+    execFileSync11("git", ["cat-file", "-e", `HEAD:${rel}`], {
+      cwd: repo,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    return true;
+  } catch {
+    return false;
   }
-  get useLongestToken() {
+}
+function isInIndex(rel, repo) {
+  try {
+    const out = execFileSync11("git", ["ls-files", "--", rel], {
+      cwd: repo,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    return out.toString().trim() !== "";
+  } catch {
     return false;
   }
-  buildValues(lastComponent, newTokens, oldTokens) {
-    const components = [];
-    let nextComponent;
-    while (lastComponent) {
-      components.push(lastComponent);
-      nextComponent = lastComponent.previousComponent;
-      delete lastComponent.previousComponent;
-      lastComponent = nextComponent;
-    }
-    components.reverse();
-    const componentLen = components.length;
-    let componentPos = 0, newPos = 0, oldPos = 0;
-    for (; componentPos < componentLen; componentPos++) {
-      const component = components[componentPos];
-      if (!component.removed) {
-        if (!component.added && this.useLongestToken) {
-          let value = newTokens.slice(newPos, newPos + component.count);
-          value = value.map(function(value2, i) {
-            const oldValue = oldTokens[oldPos + i];
-            return oldValue.length > value2.length ? oldValue : value2;
-          });
-          component.value = this.join(value);
-        } else {
-          component.value = this.join(newTokens.slice(newPos, newPos + component.count));
-        }
-        newPos += component.count;
-        if (!component.added) {
-          oldPos += component.count;
-        }
-      } else {
-        component.value = this.join(oldTokens.slice(oldPos, oldPos + component.count));
-        oldPos += component.count;
-      }
+}
+
+// src/commands.drop-session.scrub-hint.ts
+init_config();
+init_utils();
+init_utils_json();
+import { existsSync as existsSync28 } from "node:fs";
+import { join as join34 } from "node:path";
+var SHARED_PROJECT_LOGICAL = /^shared\/projects\/([^/]+)\//;
+function reportScrubHint(id, matches) {
+  const live = resolveLiveTranscript2(id, matches);
+  const target = live ?? `~/.claude/projects/<encoded>/${id}.jsonl`;
+  log(
+    `note: this only un-stages the session from the next push.
+  The local source still contains the secret, so nomad push re-stages it
+  on the next run and nomad doctor --check-shared keeps reporting it.
+  To fully remediate: rotate the credential, then run:
+    nomad redact ${id}
+  (or scrub ${target} manually)`
+  );
+}
+function resolveLiveTranscript2(id, matches) {
+  try {
+    const mapPath = join34(repoHome(), "path-map.json");
+    if (!existsSync28(mapPath)) return null;
+    const projects = readJson(mapPath).projects;
+    const claude = claudeHome();
+    for (const rel of matches) {
+      const logical = SHARED_PROJECT_LOGICAL.exec(rel)?.[1];
+      if (logical === void 0) continue;
+      const abs = projects[logical]?.[HOST];
+      if (abs === void 0) continue;
+      const live = join34(claude, "projects", encodePath(abs), `${id}.jsonl`);
+      if (existsSync28(live)) return live;
     }
-    return components;
+    return null;
+  } catch {
+    return null;
   }
-};
+}
 
-// node_modules/diff/libesm/diff/line.js
-var LineDiff = class extends Diff {
-  constructor() {
-    super(...arguments);
-    this.tokenize = tokenize;
+// src/commands.drop-session.ts
+init_utils();
+function cmdDropSession(id) {
+  if (id.length === 0 || id.length > 128 || !/^[A-Za-z0-9_-]+$/.test(id)) {
+    fail(`invalid session id: ${id}`);
+    process.exit(1);
   }
-  equals(left, right, options) {
-    if (options.ignoreWhitespace) {
-      if (!options.newlineIsToken || !left.includes("\n")) {
-        left = left.trim();
-      }
-      if (!options.newlineIsToken || !right.includes("\n")) {
-        right = right.trim();
-      }
-    } else if (options.ignoreNewlineAtEof && !options.newlineIsToken) {
-      if (left.endsWith("\n")) {
-        left = left.slice(0, -1);
-      }
-      if (right.endsWith("\n")) {
-        right = right.slice(0, -1);
-      }
+  const repo = repoHome();
+  if (!existsSync29(repo)) die(`repo not cloned at ${repo}`);
+  const handle = acquireLock("drop-session");
+  if (handle === null) process.exit(0);
+  try {
+    const repoProjects = join35(repo, "shared", "projects");
+    if (!existsSync29(repoProjects)) {
+      throw new NomadFatal(`no staged session matches ${id}`);
     }
-    return super.equals(left, right, options);
+    const matches = collectMatches(repoProjects, id, repo);
+    if (matches.length === 0) {
+      throw new NomadFatal(`no staged session matches ${id}`);
+    }
+    for (const rel of matches) unstageOne(rel, repo);
+    reportScrubHint(id, matches);
+  } catch (err) {
+    if (!(err instanceof NomadFatal)) {
+      throw err;
+    }
+    fail(err.message);
+    process.exitCode = 1;
+  } finally {
+    releaseLock(handle);
   }
-};
-var lineDiff = new LineDiff();
-function diffLines(oldStr, newStr, options) {
-  return lineDiff.diff(oldStr, newStr, options);
 }
-function tokenize(value, options) {
-  if (options.stripTrailingCr) {
-    value = value.replace(/\r\n/g, "\n");
+function collectMatches(repoProjects, id, repo) {
+  const matches = [];
+  for (const logical of readdirSync10(repoProjects)) {
+    const candidate = join35(repoProjects, logical, `${id}.jsonl`);
+    if (existsSync29(candidate)) {
+      matches.push(relative4(repo, candidate));
+    }
+    const dir = join35(repoProjects, logical, id);
+    if (existsSync29(dir) && statSync8(dir).isDirectory()) {
+      const dirRel = relative4(repo, dir);
+      const staged = expandStagedDir(dirRel, repo);
+      if (staged.length > 0) matches.push(...staged);
+      else matches.push(dirRel);
+    }
   }
-  const retLines = [], linesAndNewlines = value.split(/(\n|\r\n)/);
-  if (!linesAndNewlines[linesAndNewlines.length - 1]) {
-    linesAndNewlines.pop();
+  return matches;
+}
+function unstageOne(rel, repo) {
+  if (!isInIndex(rel, repo)) {
+    item(`dropped ${rel} (already absent from index)`);
+    return;
   }
-  for (let i = 0; i < linesAndNewlines.length; i++) {
-    const line = linesAndNewlines[i];
-    if (i % 2 && !options.newlineIsToken) {
-      retLines[retLines.length - 1] += line;
+  try {
+    if (isTrackedInHead(rel, repo)) {
+      execFileSync12("git", ["restore", "--staged", "--worktree", "--", rel], {
+        cwd: repo,
+        stdio: ["ignore", "pipe", "pipe"]
+      });
     } else {
-      retLines.push(line);
+      execFileSync12("git", ["rm", "--cached", "-f", "--", rel], {
+        cwd: repo,
+        stdio: ["ignore", "pipe", "pipe"]
+      });
     }
+  } catch (err) {
+    const e = err;
+    const detail = e.stderr?.toString().trim() ?? e.message;
+    throw new NomadFatal(`git failed to unstage ${rel}: ${detail}`);
   }
-  return retLines;
+  item(`dropped ${rel}`);
 }
 
-// src/diff-lines.ts
+// src/commands.pull.ts
+import { existsSync as existsSync35, mkdirSync as mkdirSync8 } from "node:fs";
+import { join as join41 } from "node:path";
+
+// src/commands.push.sections.ts
 init_color();
-function diffLinesToUnified(oldStr, newStr) {
-  const parts = diffLines(oldStr, newStr);
-  const lines = [];
-  for (const part of parts) {
-    const partLines = part.value.split("\n");
-    if (partLines.at(-1) === "") {
-      partLines.pop();
-    }
-    let prefix;
-    if (part.removed) prefix = (line) => red(`-${line}`);
-    else if (part.added) prefix = (line) => green(`+${line}`);
-    else prefix = (line) => ` ${line}`;
-    for (const line of partLines) {
-      lines.push(prefix(line));
+
+// src/summary.ts
+init_utils();
+function summaryText(verb, unmapped, collisions = 0, extrasSkipped = 0) {
+  const extras = extrasSkipped > 0 ? `, ${extrasSkipped} extras skipped` : "";
+  if (verb === "push") {
+    if (unmapped === 0 && collisions === 0 && extrasSkipped === 0) {
+      return { text: "summary: clean", clean: true };
     }
+    const base = `summary: ${unmapped} unmapped on push, ${collisions} collisions`;
+    return { text: `${base}${extras} (run nomad doctor to list)`, clean: false };
   }
-  return lines;
+  if (unmapped === 0 && extrasSkipped === 0) {
+    return { text: "summary: clean", clean: true };
+  }
+  return {
+    text: `summary: ${unmapped} unmapped on ${verb}${extras} (run nomad doctor to list)`,
+    clean: false
+  };
+}
+function summaryRow(verb, unmapped, collisions = 0, extrasSkipped = 0) {
+  const { text } = summaryText(verb, unmapped, collisions, extrasSkipped);
+  return text.replace(/^summary: /, "");
 }
 
-// src/preview.ts
-init_utils_json();
-var CANONICAL_ORDER_NOTE = "settings.json will be rewritten in canonical key order; no value changes";
-function diffJsonStrings(currentJsonText, newJsonText) {
-  if (currentJsonText === newJsonText) return "";
-  const lines = [
-    "--- ~/.claude/settings.json",
-    "+++ would write",
-    ...diffLinesToUnified(currentJsonText, newJsonText)
+// src/commands.push.sections.ts
+function collapsedSkipRow(n, noun) {
+  if (n <= 0) return null;
+  return `${dim(infoGlyph)} ${n} ${noun}`;
+}
+function buildSettingsSection(label) {
+  const s = section("Settings");
+  addItem(s, `${green(okGlyph)} settings.json (base + ${label})`);
+  return s;
+}
+function buildSessionsSection(items, unmapped) {
+  const s = section("Sessions");
+  for (const logical of items) addItem(s, `${green(okGlyph)} ${logical}`);
+  const skip = collapsedSkipRow(unmapped, "not in path-map (run nomad doctor to list)");
+  if (skip !== null) addItem(s, skip);
+  return s;
+}
+function buildExtrasSection(items, extrasSkipped) {
+  const s = section("Extras");
+  for (const entry of items) addItem(s, `${green(okGlyph)} ${entry}`);
+  const skip = collapsedSkipRow(extrasSkipped, "extras skipped");
+  if (skip !== null) addItem(s, skip);
+  return s;
+}
+function syncedSections(st) {
+  const sessions = st.dryRun ? st.remap.wouldPush : st.remap.pushed;
+  const extras = st.dryRun ? st.extras.wouldPush : st.extras.pushed;
+  return [
+    buildSessionsSection(sessions, st.remap.unmapped),
+    buildExtrasSection(extras, st.extras.skipped)
   ];
-  return lines.join("\n");
 }
-function readJsonOrNull(path) {
-  if (!existsSync31(path)) return null;
+function summarySection(st) {
+  const s = section("Summary");
+  const unmapped = st.remap.unmapped + st.extras.unmapped;
+  addItem(s, summaryRow("push", unmapped, st.remap.collisions, st.extras.skipped));
+  return s;
+}
+function renderPushTree(st, verdict) {
+  const leakScan = section("Leak scan");
+  addItem(leakScan, verdict.verdictRow);
+  renderTree([...syncedSections(st), leakScan, summarySection(st)]);
+}
+function renderNoScanTree(st, opts = {}) {
+  const sections = [];
+  if (opts.noMapHint === true) {
+    const pathMap = section("Path map");
+    addItem(pathMap, `${dim(infoGlyph)} no path-map.json (nothing to preview)`);
+    sections.push(pathMap);
+  }
+  renderTree([...sections, ...syncedSections(st), summarySection(st)]);
+}
+
+// src/commands.pull.ts
+init_config();
+
+// src/extras-sync.ts
+init_config();
+import { existsSync as existsSync32 } from "node:fs";
+import { join as join38 } from "node:path";
+
+// src/extras-sync.diff.ts
+init_utils();
+import { execFileSync as execFileSync13 } from "node:child_process";
+function labelDiffLine(line) {
+  const tab = line.indexOf("	");
+  if (tab === -1) return line;
+  const status = line.slice(0, tab);
+  const path = line.slice(tab + 1);
+  if (status === "D") return `${path} (local only)`;
+  if (status === "A") return `${path} (repo only)`;
+  return path;
+}
+function parseDiffOutput(stdout) {
+  return stdout.split("\n").filter((line) => line.length > 0).map(labelDiffLine);
+}
+function listDivergingFiles(a, b) {
   try {
-    return readJson(path);
-  } catch {
-    return null;
+    const stdout = execFileSync13("git", ["diff", "--no-index", "--name-status", a, b], {
+      stdio: ["ignore", "pipe", "pipe"]
+    }).toString();
+    return parseDiffOutput(stdout);
+  } catch (err) {
+    const e = err;
+    if (e.status === 1 && e.stdout !== void 0) {
+      return parseDiffOutput(e.stdout.toString());
+    }
+    if (e.code === "ENOENT") {
+      warn(`git not on PATH; divergence check skipped for ${a}`);
+      return [];
+    }
+    warn(`divergence check failed for ${a}: ${e.message ?? String(err)}`);
+    return [];
   }
 }
-function previewSettings(basePath, hostPath, settingsPath) {
-  const base = readJsonOrNull(basePath);
-  if (base === null) {
-    return { diff: "", notes: ["section skipped (base or current missing)"] };
+
+// src/extras-sync.core.ts
+init_config();
+import { cpSync as cpSync6, existsSync as existsSync30, rmSync as rmSync10 } from "node:fs";
+import { join as join36 } from "node:path";
+
+// src/extras-sync.guards.ts
+init_utils();
+init_config_sharedDirs_guard();
+import { isAbsolute as isAbsolute2, normalize } from "node:path";
+function assertSafeLocalRoot(localRoot, logical) {
+  if (!isAbsolute2(localRoot)) {
+    throw new NomadFatal(
+      `invalid localRoot for ${logical} in path-map.json: ${JSON.stringify(localRoot)} (must be absolute)`
+    );
   }
-  const notes = [];
-  const hostOverrides = readJsonOrNull(hostPath);
-  if (hostOverrides === null && existsSync31(hostPath)) {
-    notes.push(`malformed hosts/${HOST}.json; ignoring overrides`);
+  if (localRoot !== normalize(localRoot)) {
+    throw new NomadFatal(
+      `invalid localRoot for ${logical} in path-map.json: ${JSON.stringify(localRoot)} (must be already-normalized; no '..' or redundant segments)`
+    );
   }
-  const merged = deepMerge(base, hostOverrides ?? {});
-  const current = readJsonOrNull(settingsPath);
-  if (current === null && existsSync31(settingsPath)) {
-    return { diff: "", notes: [...notes, "malformed; skipping diff"] };
+}
+
+// src/extras-sync.core.ts
+init_utils();
+init_utils_json();
+function loadValidatedExtras(opts) {
+  const repo = repoHome();
+  const mapPath = join36(repo, "path-map.json");
+  const repoExtras = join36(repo, "shared", "extras");
+  if (!existsSync30(mapPath) || opts.requireRepoExtras === true && !existsSync30(repoExtras)) {
+    if (opts.missingMsg !== void 0) log(opts.missingMsg);
+    return null;
   }
-  const rawEqual = JSON.stringify(current ?? {}, null, 2) === JSON.stringify(merged, null, 2);
-  const diff = diffJsonStrings(
-    JSON.stringify(sortKeysDeep(current ?? {}), null, 2),
-    JSON.stringify(sortKeysDeep(merged), null, 2)
-  );
-  if (diff === "" && !rawEqual) notes.push(CANONICAL_ORDER_NOTE);
-  return { diff, notes };
+  const map = readPathMap(mapPath);
+  const extrasMap = map.extras ?? {};
+  if (Object.keys(extrasMap).length === 0) return null;
+  for (const logical of Object.keys(extrasMap)) {
+    assertSafeLogical(logical);
+    const localRoot = map.projects[logical]?.[HOST];
+    if (localRoot && localRoot !== "TBD") assertSafeLocalRoot(localRoot, logical);
+  }
+  return { map, extrasMap };
 }
-function formatLinkRow(e) {
-  return `${e.kind}  ${e.from} -> ${e.to}`;
+function* eachExtrasTarget(v, counts) {
+  const whitelist = SUPPORTED_EXTRAS;
+  for (const [logical, dirnames] of Object.entries(v.extrasMap)) {
+    const localRoot = v.map.projects[logical]?.[HOST];
+    if (!localRoot || localRoot === "TBD") {
+      counts.unmapped++;
+      continue;
+    }
+    for (const dirname7 of dirnames) {
+      if (!whitelist.includes(dirname7)) {
+        counts.skipped++;
+        continue;
+      }
+      yield { logical, localRoot, dirname: dirname7 };
+    }
+  }
 }
-function formatSessionRow(e) {
-  return e.kind === "overwrite" ? `overwrite  ${e.dst} (from ${e.src})` : e.text;
+function copyExtras(src, dst) {
+  rmSync10(dst, { recursive: true, force: true });
+  cpSync6(src, dst, { recursive: true, force: true, verbatimSymlinks: true });
 }
-function buildSettingsSectionForPreview(result) {
-  const s = section("settings.json", true);
-  if (result.diff !== "") {
-    for (const line of result.diff.split("\n")) {
-      addItem(s, line);
+
+// src/extras-sync.ts
+init_utils();
+init_utils_json();
+
+// src/extras-sync.remap.ts
+init_config();
+import { existsSync as existsSync31, mkdirSync as mkdirSync7 } from "node:fs";
+import { join as join37 } from "node:path";
+init_utils_fs();
+function runExtrasOp(v, dryRun, paths, backup) {
+  const counts = { unmapped: 0, skipped: 0 };
+  const done = [];
+  const would = [];
+  for (const t of eachExtrasTarget(v, counts)) {
+    const { src, dst } = paths(t);
+    if (!existsSync31(src)) continue;
+    const item2 = `${t.logical}/${t.dirname}`;
+    if (dryRun) {
+      would.push(item2);
+      continue;
     }
+    backup(dst, t.localRoot);
+    copyExtras(src, dst);
+    done.push(item2);
   }
-  for (const note of result.notes) {
-    addItem(s, `note: ${note}`);
-  }
-  return s;
+  return { ...counts, done, would };
+}
+function remapExtrasPush(ts, opts = {}) {
+  const dryRun = opts.dryRun === true;
+  const v = loadValidatedExtras({ missingMsg: "no path-map.json; skipping extras push" });
+  if (v === null) return { unmapped: 0, skipped: 0, pushed: [], wouldPush: [] };
+  const repo = repoHome();
+  const repoExtras = join37(repo, "shared", "extras");
+  if (!dryRun) mkdirSync7(repoExtras, { recursive: true });
+  const { unmapped, skipped, done, would } = runExtrasOp(
+    v,
+    dryRun,
+    ({ localRoot, logical, dirname: dirname7 }) => ({
+      src: join37(localRoot, dirname7),
+      dst: join37(repoExtras, logical, dirname7)
+    }),
+    (dst) => backupRepoWrite(dst, ts, repo)
+  );
+  return { unmapped, skipped, pushed: done, wouldPush: would };
 }
-function computePreview(ts, map, verb = "pull") {
-  const repo = repoHome();
-  const claude = claudeHome();
-  console.log(`would pull on host=${HOST} (dry-run; no mutation)`);
-  console.log("");
-  const links = section("Symlinks");
-  applySharedLinks(ts, map, {
-    dryRun: true,
-    onPreview: (e) => addItem(links, formatLinkRow(e))
+function remapExtrasPull(ts, opts = {}) {
+  const dryRun = opts.dryRun === true;
+  const v = loadValidatedExtras({
+    requireRepoExtras: true,
+    missingMsg: "no path-map or repo extras dir; skipping extras remap"
   });
-  const settingsResult = previewSettings(
-    join36(repo, "shared", "settings.base.json"),
-    join36(repo, "hosts", `${HOST}.json`),
-    join36(claude, "settings.json")
+  if (v === null) return { unmapped: 0, skipped: 0, pulled: [], wouldPull: [] };
+  const repoExtras = join37(repoHome(), "shared", "extras");
+  const { unmapped, skipped, done, would } = runExtrasOp(
+    v,
+    dryRun,
+    ({ localRoot, logical, dirname: dirname7 }) => ({
+      src: join37(repoExtras, logical, dirname7),
+      dst: join37(localRoot, dirname7)
+    }),
+    // Snapshot the host-side dst BEFORE copyExtras clobbers it. Anchor on
+    // localRoot so the backup tree mirrors the project layout.
+    (dst, localRoot) => backupExtrasWrite(dst, ts, localRoot)
   );
-  const settingsSection = buildSettingsSectionForPreview(settingsResult);
-  const sessions = section("Sessions");
-  const remapResult = remapPull(ts, {
-    dryRun: true,
-    onPreview: (e) => addItem(sessions, formatSessionRow(e))
-  });
-  const summary = section("Summary");
-  addItem(summary, summaryRow(verb, remapResult.unmapped));
-  renderTree([links, settingsSection, sessions, summary]);
-  return { unmapped: remapResult.unmapped, collisions: 0 };
+  return { unmapped, skipped, pulled: done, wouldPull: would };
 }
 
-// src/spinner.ts
-init_color();
-import { existsSync as existsSync33 } from "node:fs";
-import { fileURLToPath as fileURLToPath4 } from "node:url";
-import { Worker } from "node:worker_threads";
-
-// src/commands.push.recovery.ts
-init_config();
-import { readFileSync as readFileSync11, rmSync as rmSync11, writeFileSync as writeFileSync5 } from "node:fs";
-import { join as join39 } from "node:path";
-import { createInterface } from "node:readline/promises";
+// src/extras-sync.ts
+function divergenceCheckExtras(ts) {
+  const v = loadValidatedExtras({});
+  if (v === null) return;
+  const counts = { unmapped: 0, skipped: 0 };
+  const backupRoot = join38(backupBase(), ts, "extras");
+  const repo = repoHome();
+  for (const { logical, localRoot, dirname: dirname7 } of eachExtrasTarget(v, counts)) {
+    const local = join38(localRoot, dirname7);
+    const repoEntry = join38(repo, "shared", "extras", logical, dirname7);
+    if (!existsSync32(local) || !existsSync32(repoEntry)) continue;
+    const diff = listDivergingFiles(local, repoEntry);
+    if (diff.length === 0) continue;
+    const projectBackupRoot = join38(backupRoot, encodePath(localRoot));
+    warn(
+      `local ${dirname7} for ${logical} diverges from origin in ${diff.length} file(s); next remapExtrasPull will overwrite them (backups at ${projectBackupRoot}/)`
+    );
+    for (const f of diff) warn(`  ${f}`);
+  }
+}
 
-// src/commands.push.recovery.redact.ts
+// src/links.ts
 init_config();
-init_config_sharedDirs_guard();
-import { cpSync as cpSync6, existsSync as existsSync32, mkdirSync as mkdirSync7, statSync as statSync8 } from "node:fs";
-import { dirname as dirname6, join as join37, sep as sep3 } from "node:path";
-init_push_gitleaks_scan();
-init_utils_json();
 init_utils();
-
-// src/commands.push.recovery.seams.ts
-init_push_gitleaks();
-function findingKey(f) {
-  return `${f.File}:${f.StartLine}:${f.StartColumn}:${f.RuleID}`;
+init_utils_fs();
+init_utils_json();
+import { existsSync as existsSync33, lstatSync as lstatSync8, rmSync as rmSync11 } from "node:fs";
+import { join as join39 } from "node:path";
+function emitAutoMove(onPreview, linkPath, ts, name) {
+  if (onPreview) {
+    onPreview({ kind: "auto-move", from: linkPath, to: `backup/${ts}/${name}` });
+  } else {
+    log(`would auto-move non-symlink: ${linkPath} -> backup/${ts}/${name}`);
+  }
 }
-var VALID_SID = /^[A-Za-z0-9_-]+$/;
-function sessionIdFromFinding(f) {
-  const m = SESSION_PATH.exec(f.File) ?? /^shared\/projects\/[^/]+\/([^/]+)\//.exec(f.File);
-  if (m === null) return null;
-  const sid = m[1];
-  return VALID_SID.test(sid) ? sid : null;
+function emitCreate(onPreview, from, to) {
+  if (onPreview) {
+    onPreview({ kind: "create", from, to });
+  } else {
+    log(`would create symlink: ${from} -> ${to}`);
+  }
 }
-function parseAction(raw) {
-  const t = raw.trim().toLowerCase();
-  if (t === "r" || t === "redact") return "redact";
-  if (t === "a" || t === "allow") return "allow";
-  if (t === "d" || t === "drop") return "drop";
-  return "skip";
+function isAlreadySymlink(linkPath) {
+  return existsSync33(linkPath) && lstatSync8(linkPath).isSymbolicLink();
 }
-
-// src/commands.push.recovery.redact.ts
-function resolveStagedDir(localPath, map, claude, repo) {
-  for (const [logical, hostMap] of Object.entries(map.projects)) {
-    assertSafeLogical(logical);
-    const abs = hostMap[HOST];
-    if (abs === void 0) continue;
-    if (localPath.startsWith(join37(claude, "projects", encodePath(abs)) + sep3)) {
-      return join37(repo, "shared", "projects", logical);
+function runAutoMovePasses(linkNames, claude, repo, ts, dryRun, onPreview) {
+  for (const name of linkNames) {
+    const linkPath = join39(claude, name);
+    const target = join39(repo, "shared", name);
+    if (!existsSync33(linkPath)) continue;
+    if (lstatSync8(linkPath).isSymbolicLink()) continue;
+    if (!existsSync33(target)) continue;
+    if (dryRun) {
+      emitAutoMove(onPreview, linkPath, ts, name);
+      continue;
     }
+    backupBeforeWrite(linkPath, ts);
+    rmSync11(linkPath, { recursive: true, force: true });
   }
-  return null;
 }
-function applyRedact(f, ts, map, nowMs, scan = scanFile) {
-  const refuse = (msg) => {
-    log(msg);
-    return false;
-  };
+function applySharedLinks(ts, map, opts = {}) {
+  const dryRun = opts.dryRun === true;
   const claude = claudeHome();
   const repo = repoHome();
-  const sid = sessionIdFromFinding(f);
-  if (sid === null) {
-    return refuse(
-      `could not locate the local transcript for this finding; choose Skip or Drop session.`
-    );
-  }
-  const localPath = resolveLiveTranscript2(sid);
-  if (localPath === null) {
-    return refuse(
-      `could not locate the local transcript for session ${sid}; choose Skip or Drop session.`
-    );
-  }
-  const sessionDir = join37(dirname6(localPath), sid);
-  const subtreeFiles = listSubtreeFiles(sessionDir);
-  const subtreeMtime = newestSubtreeMtimeMs(localPath, subtreeFiles, (p) => statSync8(p).mtimeMs);
-  if (isRecentlyModified(subtreeMtime, nowMs())) {
-    return refuse(
-      `session ${sid} looks active (modified within the last 5 minutes); refusing to redact, no changes made.
-  End the session and choose Redact again, or choose Drop session (holds this session back from the push, local copy kept) or Skip.`
-    );
-  }
-  const stagedProjectDir = resolveStagedDir(localPath, map, claude, repo);
-  if (stagedProjectDir === null) {
-    return refuse(
-      `could not map the local transcript for session ${sid} to a staged copy; choose Drop session or Skip.`
-    );
+  const linkNames = allSharedLinks(map);
+  runAutoMovePasses(linkNames, claude, repo, ts, dryRun, opts.onPreview);
+  for (const name of linkNames) {
+    const target = join39(repo, "shared", name);
+    if (!existsSync33(target)) continue;
+    const linkPath = join39(claude, name);
+    if (isAlreadySymlink(linkPath)) continue;
+    if (dryRun) {
+      emitCreate(opts.onPreview, linkPath, target);
+      continue;
+    }
+    ensureSymlink(linkPath, target);
   }
-  const mainFindings = scan(localPath);
-  if (mainFindings === null) {
-    return refuse(`re-scan of the transcript failed; choose Skip or Drop session.`);
+}
+function regenerateSettings(ts, opts = {}) {
+  const dryRun = opts.dryRun === true;
+  const repo = repoHome();
+  const claude = claudeHome();
+  const basePath = join39(repo, "shared", "settings.base.json");
+  const hostPath = join39(repo, "hosts", `${HOST}.json`);
+  if (!existsSync33(basePath)) {
+    die("repo not initialized; run 'nomad init' to scaffold");
   }
-  const { total: anyTotal } = applySubtreeRedactions(
-    localPath,
-    mainFindings,
-    subtreeFiles,
-    void 0,
-    ts,
-    scan,
-    false
-  );
-  if (anyTotal === 0) {
-    return refuse(
-      `nothing to redact in the local transcript for session ${sid}; choose Skip or Drop session.`
-    );
+  const base = readJson(basePath);
+  const hasOverrides = existsSync33(hostPath);
+  const overrides = hasOverrides ? readJson(hostPath) : {};
+  const merged = deepMerge(base, overrides);
+  const settingsPath = join39(claude, "settings.json");
+  if (!hasOverrides && existsSync33(settingsPath)) {
+    try {
+      const existing = readJson(settingsPath);
+      const baseKeys = new Set(Object.keys(base));
+      const drift = Object.keys(existing).filter((k) => !baseKeys.has(k));
+      if (drift.length > 0) {
+        warn(
+          `no hosts/${HOST}.json found; existing settings has unbased keys ${JSON.stringify(drift)}. Set NOMAD_HOST to match a hosts/*.json or rerun 'nomad doctor' for candidates.`
+        );
+      }
+    } catch {
+      warn("existing settings.json is malformed; skipping drift-check and regenerating.");
+    }
   }
-  mkdirSync7(stagedProjectDir, { recursive: true });
-  cpSync6(localPath, join37(stagedProjectDir, `${sid}.jsonl`), { force: true });
-  if (existsSync32(sessionDir)) {
-    cpSync6(sessionDir, join37(stagedProjectDir, sid), { force: true, recursive: true });
+  const overrideLabel = hasOverrides ? `${HOST}.json` : "no host overrides";
+  if (dryRun) {
+    log(`would write settings.json (base + ${overrideLabel})`);
+    return { label: overrideLabel };
   }
-  return true;
+  backupBeforeWrite(settingsPath, ts);
+  writeJsonAtomic(settingsPath, merged);
+  return { label: overrideLabel };
 }
 
-// src/commands.push.recovery.drop.ts
+// src/preview.ts
 init_config();
-import { rmSync as rmSync10 } from "node:fs";
-import { join as join38 } from "node:path";
-function dropSessionFromStaged(sid, map) {
-  const logicals = Object.keys(map.projects);
-  if (logicals.length === 0) return false;
-  const repo = repoHome();
-  for (const logical of logicals) {
-    const jsonl = join38(repo, "shared", "projects", logical, `${sid}.jsonl`);
-    const dir = join38(repo, "shared", "projects", logical, sid);
-    rmSync10(jsonl, { force: true });
-    rmSync10(dir, { recursive: true, force: true });
-  }
-  return true;
-}
+import { existsSync as existsSync34 } from "node:fs";
+import { join as join40 } from "node:path";
 
-// src/commands.push.recovery.actions.ts
-init_push_gitleaks_scan();
-init_utils();
-function applyAllow(f, repo) {
-  appendGitleaksIgnore(f.Fingerprint, repo);
-}
-function allowAllFindings(findings, repo) {
-  for (const f of findings) {
-    appendGitleaksIgnore(f.Fingerprint, repo);
+// node_modules/diff/libesm/diff/base.js
+var Diff = class {
+  diff(oldStr, newStr, options = {}) {
+    let callback;
+    if (typeof options === "function") {
+      callback = options;
+      options = {};
+    } else if ("callback" in options) {
+      callback = options.callback;
+    }
+    const oldString = this.castInput(oldStr, options);
+    const newString = this.castInput(newStr, options);
+    const oldTokens = this.removeEmpty(this.tokenize(oldString, options));
+    const newTokens = this.removeEmpty(this.tokenize(newString, options));
+    return this.diffWithOptionsObj(oldTokens, newTokens, options, callback);
   }
-}
-function allowFindingsByRule(findings, ruleId, repo) {
-  let count = 0;
-  for (const f of findings) {
-    if (f.RuleID === ruleId) {
-      appendGitleaksIgnore(f.Fingerprint, repo);
-      count++;
+  diffWithOptionsObj(oldTokens, newTokens, options, callback) {
+    var _a;
+    const done = (value) => {
+      value = this.postProcess(value, options);
+      if (callback) {
+        setTimeout(function() {
+          callback(value);
+        }, 0);
+        return void 0;
+      } else {
+        return value;
+      }
+    };
+    const newLen = newTokens.length, oldLen = oldTokens.length;
+    let editLength = 1;
+    let maxEditLength = newLen + oldLen;
+    if (options.maxEditLength != null) {
+      maxEditLength = Math.min(maxEditLength, options.maxEditLength);
+    }
+    const maxExecutionTime = (_a = options.timeout) !== null && _a !== void 0 ? _a : Infinity;
+    const abortAfterTimestamp = Date.now() + maxExecutionTime;
+    const bestPath = [{ oldPos: -1, lastComponent: void 0 }];
+    let newPos = this.extractCommon(bestPath[0], newTokens, oldTokens, 0, options);
+    if (bestPath[0].oldPos + 1 >= oldLen && newPos + 1 >= newLen) {
+      return done(this.buildValues(bestPath[0].lastComponent, newTokens, oldTokens));
+    }
+    let minDiagonalToConsider = -Infinity, maxDiagonalToConsider = Infinity;
+    const execEditLength = () => {
+      for (let diagonalPath = Math.max(minDiagonalToConsider, -editLength); diagonalPath <= Math.min(maxDiagonalToConsider, editLength); diagonalPath += 2) {
+        let basePath;
+        const removePath = bestPath[diagonalPath - 1], addPath = bestPath[diagonalPath + 1];
+        if (removePath) {
+          bestPath[diagonalPath - 1] = void 0;
+        }
+        let canAdd = false;
+        if (addPath) {
+          const addPathNewPos = addPath.oldPos - diagonalPath;
+          canAdd = addPath && 0 <= addPathNewPos && addPathNewPos < newLen;
+        }
+        const canRemove = removePath && removePath.oldPos + 1 < oldLen;
+        if (!canAdd && !canRemove) {
+          bestPath[diagonalPath] = void 0;
+          continue;
+        }
+        if (!canRemove || canAdd && removePath.oldPos < addPath.oldPos) {
+          basePath = this.addToPath(addPath, true, false, 0, options);
+        } else {
+          basePath = this.addToPath(removePath, false, true, 1, options);
+        }
+        newPos = this.extractCommon(basePath, newTokens, oldTokens, diagonalPath, options);
+        if (basePath.oldPos + 1 >= oldLen && newPos + 1 >= newLen) {
+          return done(this.buildValues(basePath.lastComponent, newTokens, oldTokens)) || true;
+        } else {
+          bestPath[diagonalPath] = basePath;
+          if (basePath.oldPos + 1 >= oldLen) {
+            maxDiagonalToConsider = Math.min(maxDiagonalToConsider, diagonalPath - 1);
+          }
+          if (newPos + 1 >= newLen) {
+            minDiagonalToConsider = Math.max(minDiagonalToConsider, diagonalPath + 1);
+          }
+        }
+      }
+      editLength++;
+    };
+    if (callback) {
+      (function exec() {
+        setTimeout(function() {
+          if (editLength > maxEditLength || Date.now() > abortAfterTimestamp) {
+            return callback(void 0);
+          }
+          if (!execEditLength()) {
+            exec();
+          }
+        }, 0);
+      })();
+    } else {
+      while (editLength <= maxEditLength && Date.now() <= abortAfterTimestamp) {
+        const ret = execEditLength();
+        if (ret) {
+          return ret;
+        }
+      }
     }
   }
-  return count;
-}
-async function collectActions(findings, prompt) {
-  const actions = /* @__PURE__ */ new Map();
-  for (const f of findings) {
-    const sid = sessionIdFromFinding(f);
-    const header = `
-Finding: ${f.RuleID} in ${f.File} line ${f.StartLine}` + (sid === null ? "" : ` (session: ${sid})`) + "\n  [R]edact  [A]llow  [D]rop session  [S]kip (default)\n";
-    actions.set(findingKey(f), parseAction(await prompt(header + "> ")));
-  }
-  return actions;
-}
-function dispatchOne(f, ctx) {
-  const action = ctx.actions.get(findingKey(f)) ?? "skip";
-  if (action === "skip") return;
-  const sid = sessionIdFromFinding(f);
-  if (sid !== null && ctx.droppedSids.has(sid)) return;
-  if (action === "allow") {
-    applyAllow(f, ctx.repo);
-    return;
+  addToPath(path, added, removed, oldPosInc, options) {
+    const last = path.lastComponent;
+    if (last && !options.oneChangePerToken && last.added === added && last.removed === removed) {
+      return {
+        oldPos: path.oldPos + oldPosInc,
+        lastComponent: { count: last.count + 1, added, removed, previousComponent: last.previousComponent }
+      };
+    } else {
+      return {
+        oldPos: path.oldPos + oldPosInc,
+        lastComponent: { count: 1, added, removed, previousComponent: last }
+      };
+    }
   }
-  if (sid === null) return;
-  if (action === "drop") {
-    ctx.droppedSids.add(sid);
-    if (ctx.drop(sid, ctx.map)) {
-      log(
-        `dropped session ${sid} from this push (local transcript kept; the secret remains in your local copy)`
-      );
+  extractCommon(basePath, newTokens, oldTokens, diagonalPath, options) {
+    const newLen = newTokens.length, oldLen = oldTokens.length;
+    let oldPos = basePath.oldPos, newPos = oldPos - diagonalPath, commonCount = 0;
+    while (newPos + 1 < newLen && oldPos + 1 < oldLen && this.equals(oldTokens[oldPos + 1], newTokens[newPos + 1], options)) {
+      newPos++;
+      oldPos++;
+      commonCount++;
+      if (options.oneChangePerToken) {
+        basePath.lastComponent = { count: 1, previousComponent: basePath.lastComponent, added: false, removed: false };
+      }
     }
-    return;
+    if (commonCount && !options.oneChangePerToken) {
+      basePath.lastComponent = { count: commonCount, previousComponent: basePath.lastComponent, added: false, removed: false };
+    }
+    basePath.oldPos = oldPos;
+    return newPos;
   }
-  if (action === "redact" && !ctx.redactedSids.has(sid)) {
-    if (applyRedact(f, ctx.ts, ctx.map, ctx.nowMs, ctx.scan)) ctx.redactedSids.add(sid);
+  equals(left, right, options) {
+    if (options.comparator) {
+      return options.comparator(left, right);
+    } else {
+      return left === right || !!options.ignoreCase && left.toLowerCase() === right.toLowerCase();
+    }
   }
-}
-function dispatchActions(findings, actions, opts) {
-  const { ts, map, nowMs, repo, scan = scanFile, drop = dropSessionFromStaged } = opts;
-  const ctx = {
-    actions,
-    ts,
-    map,
-    nowMs,
-    repo,
-    scan,
-    drop,
-    redactedSids: /* @__PURE__ */ new Set(),
-    droppedSids: /* @__PURE__ */ new Set()
-  };
-  for (const f of findings) {
-    dispatchOne(f, ctx);
+  removeEmpty(array) {
+    const ret = [];
+    for (let i = 0; i < array.length; i++) {
+      if (array[i]) {
+        ret.push(array[i]);
+      }
+    }
+    return ret;
   }
-}
-function redactAllFindings(findings, ts, map, nowMs, scan = scanFile) {
-  const redactedSids = /* @__PURE__ */ new Set();
-  for (const f of findings) {
-    const sid = sessionIdFromFinding(f);
-    if (sid === null || redactedSids.has(sid)) continue;
-    if (applyRedact(f, ts, map, nowMs, scan)) redactedSids.add(sid);
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  castInput(value, options) {
+    return value;
   }
-}
-
-// src/commands.push.recovery.ts
-init_push_gitleaks_scan();
-init_push_gitleaks();
-init_utils();
-function isTTY(stdin = process.stdin, stdout = process.stdout) {
-  return stdin.isTTY === true && stdout.isTTY === true;
-}
-function hasUnresolved(actions) {
-  for (const action of actions.values()) {
-    if (action === "skip") return true;
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  tokenize(value, options) {
+    return Array.from(value);
   }
-  return false;
-}
-function printRecoveryLegend(print = console.log) {
-  print("");
-  print("Recovery actions:");
-  print("  Redact       - scrub the secret from the local transcript, push the cleaned copy");
-  print("  Allow        - mark as false positive (adds a .gitleaksignore fingerprint), push as-is");
-  print("  Drop session - exclude this session from this push (local transcript kept, running");
-  print("                 session is not stopped)");
-  print("  Skip         - leave unresolved (the push aborts)");
-  print("");
-}
-function applyThenRescan(scanVerdict, repoHome2) {
-  gitOrFatal(["add", "-A"], "git add", repoHome2);
-  const next = scanVerdict(repoHome2);
-  if (next.leak) {
-    const { bySession, other } = partitionFindings(next.findings);
-    throw new NomadFatal(buildSessionAwareFatal(bySession, other));
+  join(chars) {
+    return chars.join("");
   }
-  return next;
-}
-function allowThenRescan(append, scanVerdict, repoHome2) {
-  const ignPath = join39(repoHome2, ".gitleaksignore");
-  let before;
-  try {
-    before = readFileSync11(ignPath, "utf8");
-  } catch {
-    before = null;
+  postProcess(changeObjects, options) {
+    return changeObjects;
   }
-  append();
-  try {
-    return applyThenRescan(scanVerdict, repoHome2);
-  } catch (err) {
-    if (before === null) rmSync11(ignPath, { force: true });
-    else writeFileSync5(ignPath, before, "utf8");
-    throw err;
+  get useLongestToken() {
+    return false;
   }
-}
-function makeRealPrompt() {
-  return async (prompt) => {
-    const rl = createInterface({
-      input: process.stdin,
-      output: process.stdout,
-      terminal: true
-    });
-    try {
-      return await rl.question(prompt);
-    } finally {
-      rl.close();
+  buildValues(lastComponent, newTokens, oldTokens) {
+    const components = [];
+    let nextComponent;
+    while (lastComponent) {
+      components.push(lastComponent);
+      nextComponent = lastComponent.previousComponent;
+      delete lastComponent.previousComponent;
+      lastComponent = nextComponent;
     }
-  };
-}
-async function resolveLeakFindings(verdict, ts, map, deps = {}) {
-  const {
-    isTTYCheck = isTTY,
-    nowMs = Date.now,
-    redactAll = false,
-    allowAll = false,
-    allowRule,
-    makePrompt: makePromptFn = makeRealPrompt,
-    scan = scanFile,
-    printLegend = printRecoveryLegend
-  } = deps;
-  const scanVerdict = deps.scanVerdict ?? (await Promise.resolve().then(() => (init_push_leak_verdict(), push_leak_verdict_exports))).scanPushVerdict;
-  const repo = repoHome();
-  let current = verdict;
-  if (redactAll) {
-    redactAllFindings(current.findings, ts, map, nowMs, scan);
-    return applyThenRescan(scanVerdict, repo);
+    components.reverse();
+    const componentLen = components.length;
+    let componentPos = 0, newPos = 0, oldPos = 0;
+    for (; componentPos < componentLen; componentPos++) {
+      const component = components[componentPos];
+      if (!component.removed) {
+        if (!component.added && this.useLongestToken) {
+          let value = newTokens.slice(newPos, newPos + component.count);
+          value = value.map(function(value2, i) {
+            const oldValue = oldTokens[oldPos + i];
+            return oldValue.length > value2.length ? oldValue : value2;
+          });
+          component.value = this.join(value);
+        } else {
+          component.value = this.join(newTokens.slice(newPos, newPos + component.count));
+        }
+        newPos += component.count;
+        if (!component.added) {
+          oldPos += component.count;
+        }
+      } else {
+        component.value = this.join(oldTokens.slice(oldPos, oldPos + component.count));
+        oldPos += component.count;
+      }
+    }
+    return components;
   }
-  if (allowAll) {
-    return allowThenRescan(() => allowAllFindings(current.findings, repo), scanVerdict, repo);
+};
+
+// node_modules/diff/libesm/diff/line.js
+var LineDiff = class extends Diff {
+  constructor() {
+    super(...arguments);
+    this.tokenize = tokenize;
   }
-  if (allowRule !== void 0) {
-    return allowThenRescan(
-      () => {
-        const matched = allowFindingsByRule(current.findings, allowRule, repo);
-        if (matched === 0) log(`no findings matched rule ${allowRule}; re-scanning`);
-      },
-      scanVerdict,
-      repo
-    );
+  equals(left, right, options) {
+    if (options.ignoreWhitespace) {
+      if (!options.newlineIsToken || !left.includes("\n")) {
+        left = left.trim();
+      }
+      if (!options.newlineIsToken || !right.includes("\n")) {
+        right = right.trim();
+      }
+    } else if (options.ignoreNewlineAtEof && !options.newlineIsToken) {
+      if (left.endsWith("\n")) {
+        left = left.slice(0, -1);
+      }
+      if (right.endsWith("\n")) {
+        right = right.slice(0, -1);
+      }
+    }
+    return super.equals(left, right, options);
   }
-  if (!isTTYCheck()) {
-    throw new NomadFatal(current.recovery ?? "gitleaks detected secrets");
+};
+var lineDiff = new LineDiff();
+function diffLines(oldStr, newStr, options) {
+  return lineDiff.diff(oldStr, newStr, options);
+}
+function tokenize(value, options) {
+  if (options.stripTrailingCr) {
+    value = value.replace(/\r\n/g, "\n");
   }
-  const prompt = makePromptFn();
-  printLegend();
-  while (current.leak && current.findings.length > 0) {
-    const actions = await collectActions(current.findings, prompt);
-    if (hasUnresolved(actions)) {
-      const unresolved = current.findings.filter((f) => actions.get(findingKey(f)) === "skip");
-      const { bySession, other } = partitionFindings(unresolved);
-      throw new NomadFatal(buildSessionAwareFatal(bySession, other));
+  const retLines = [], linesAndNewlines = value.split(/(\n|\r\n)/);
+  if (!linesAndNewlines[linesAndNewlines.length - 1]) {
+    linesAndNewlines.pop();
+  }
+  for (let i = 0; i < linesAndNewlines.length; i++) {
+    const line = linesAndNewlines[i];
+    if (i % 2 && !options.newlineIsToken) {
+      retLines[retLines.length - 1] += line;
+    } else {
+      retLines.push(line);
     }
-    dispatchActions(current.findings, actions, { ts, map, nowMs, repo, scan });
-    gitOrFatal(["add", "-A"], "git add", repo);
-    current = scanVerdict(repo);
   }
-  return current;
+  return retLines;
 }
 
-// src/spinner.ts
-function formatElapsed(ms) {
-  return `${(ms / 1e3).toFixed(1)}s`;
+// src/diff-lines.ts
+init_color();
+function diffLinesToUnified(oldStr, newStr) {
+  const parts = diffLines(oldStr, newStr);
+  const lines = [];
+  for (const part of parts) {
+    const partLines = part.value.split("\n");
+    if (partLines.at(-1) === "") {
+      partLines.pop();
+    }
+    let prefix;
+    if (part.removed) prefix = (line) => red(`-${line}`);
+    else if (part.added) prefix = (line) => green(`+${line}`);
+    else prefix = (line) => ` ${line}`;
+    for (const line of partLines) {
+      lines.push(prefix(line));
+    }
+  }
+  return lines;
 }
-function writePlainStart(out, label) {
-  out.write(`${label}...
-`);
+
+// src/preview.ts
+init_utils_json();
+var CANONICAL_ORDER_NOTE = "settings.json will be rewritten in canonical key order; no value changes";
+function diffJsonStrings(currentJsonText, newJsonText) {
+  if (currentJsonText === newJsonText) return "";
+  const lines = [
+    "--- ~/.claude/settings.json",
+    "+++ would write",
+    ...diffLinesToUnified(currentJsonText, newJsonText)
+  ];
+  return lines.join("\n");
 }
-function writePlainDone(out, label, ms) {
-  out.write(`${label} done (${formatElapsed(ms)})
-`);
+function readJsonOrNull(path) {
+  if (!existsSync34(path)) return null;
+  try {
+    return readJson(path);
+  } catch {
+    return null;
+  }
 }
-function writeAnimatedDone(out, label, ms, useTTY) {
-  out.write("\r\x1B[K");
-  const glyph = useTTY ? green(okGlyph) : okGlyph;
-  out.write(`${glyph} ${label} (${formatElapsed(ms)})
-`);
+function previewSettings(basePath, hostPath, settingsPath) {
+  const base = readJsonOrNull(basePath);
+  if (base === null) {
+    return { diff: "", notes: ["section skipped (base or current missing)"] };
+  }
+  const notes = [];
+  const hostOverrides = readJsonOrNull(hostPath);
+  if (hostOverrides === null && existsSync34(hostPath)) {
+    notes.push(`malformed hosts/${HOST}.json; ignoring overrides`);
+  }
+  const merged = deepMerge(base, hostOverrides ?? {});
+  const current = readJsonOrNull(settingsPath);
+  if (current === null && existsSync34(settingsPath)) {
+    return { diff: "", notes: [...notes, "malformed; skipping diff"] };
+  }
+  const rawEqual = JSON.stringify(current ?? {}, null, 2) === JSON.stringify(merged, null, 2);
+  const diff = diffJsonStrings(
+    JSON.stringify(sortKeysDeep(current ?? {}), null, 2),
+    JSON.stringify(sortKeysDeep(merged), null, 2)
+  );
+  if (diff === "" && !rawEqual) notes.push(CANONICAL_ORDER_NOTE);
+  return { diff, notes };
 }
-function resolveWorkerPath(deps = {}) {
-  const check = deps.existsSyncFn ?? existsSync33;
-  const base = deps.baseUrl ?? import.meta.url;
-  const mjs = fileURLToPath4(new URL("./nomad.worker.mjs", base));
-  if (check(mjs)) return mjs;
-  return fileURLToPath4(new URL("./spinner.worker.ts", base));
+function formatLinkRow(e) {
+  return `${e.kind}  ${e.from} -> ${e.to}`;
 }
-function makeRealWorker() {
-  return new Worker(resolveWorkerPath());
+function formatSessionRow(e) {
+  return e.kind === "overwrite" ? `overwrite  ${e.dst} (from ${e.src})` : e.text;
 }
-function startSpinner(label, deps = {}) {
-  const ttyCheck = deps.isTTYCheck ?? (() => isTTY());
-  const env = deps.env ?? process.env;
-  const out = deps.out ?? process.stderr;
-  const now = deps.now ?? Date.now;
-  const startMs = now();
-  const animate = ttyCheck() && !env.CI;
-  let worker = null;
-  let degraded = false;
-  let finalized = false;
-  if (animate) {
-    const factory = deps.makeWorker ?? makeRealWorker;
-    try {
-      worker = factory();
-      worker.unref?.();
-      worker.postMessage({ type: "start", label });
-    } catch {
-      degraded = true;
-      worker = null;
-      writePlainStart(out, label);
+function buildSettingsSectionForPreview(result) {
+  const s = section("settings.json", true);
+  if (result.diff !== "") {
+    for (const line of result.diff.split("\n")) {
+      addItem(s, line);
     }
-  } else {
-    writePlainStart(out, label);
   }
-  function finalize(success, doneLabel) {
-    if (finalized) return;
-    finalized = true;
-    const dl = doneLabel ?? label;
-    const elapsed = now() - startMs;
-    if (animate && !degraded && worker !== null) {
-      worker.postMessage({ type: "pause" });
-      worker.terminate();
-      worker = null;
-      if (success) writeAnimatedDone(out, dl, elapsed, ttyCheck());
-      else out.write("\r\x1B[K");
-    } else if (success) {
-      writePlainDone(out, dl, elapsed);
-    }
+  for (const note of result.notes) {
+    addItem(s, `note: ${note}`);
   }
-  return {
-    succeed: (doneLabel) => finalize(true, doneLabel),
-    stop: () => finalize(false)
-  };
+  return s;
 }
-function withSpinner(label, fn, deps) {
-  const sp = startSpinner(label, deps);
-  try {
-    const result = fn();
-    sp.succeed();
-    return result;
-  } finally {
-    sp.stop();
-  }
+function computePreview(ts, map, verb = "pull") {
+  const repo = repoHome();
+  const claude = claudeHome();
+  console.log(`would pull on host=${HOST} (dry-run; no mutation)`);
+  console.log("");
+  const links = section("Symlinks");
+  applySharedLinks(ts, map, {
+    dryRun: true,
+    onPreview: (e) => addItem(links, formatLinkRow(e))
+  });
+  const settingsResult = previewSettings(
+    join40(repo, "shared", "settings.base.json"),
+    join40(repo, "hosts", `${HOST}.json`),
+    join40(claude, "settings.json")
+  );
+  const settingsSection = buildSettingsSectionForPreview(settingsResult);
+  const sessions = section("Sessions");
+  const remapResult = remapPull(ts, {
+    dryRun: true,
+    onPreview: (e) => addItem(sessions, formatSessionRow(e))
+  });
+  const summary = section("Summary");
+  addItem(summary, summaryRow(verb, remapResult.unmapped));
+  renderTree([links, settingsSection, sessions, summary]);
+  return { unmapped: remapResult.unmapped, collisions: 0 };
 }
 
 // src/commands.pull.recovery.ts
@@ -4781,8 +4993,8 @@ function cmdPull(opts = {}) {
   const forceRemote = opts.forceRemote === true;
   const repo = repoHome();
   const backup = backupBase();
-  if (!existsSync34(repo)) die(`repo not cloned at ${repo}`);
-  if (!existsSync34(join40(repo, "shared", "settings.base.json"))) {
+  if (!existsSync35(repo)) die(`repo not cloned at ${repo}`);
+  if (!existsSync35(join41(repo, "shared", "settings.base.json"))) {
     die("repo not initialized; run 'nomad init' to scaffold");
   }
   const handle = acquireLock("pull");
@@ -4791,7 +5003,7 @@ function cmdPull(opts = {}) {
     const ts = freshBackupTs(backup);
     handleWedge(repo, forceRemote);
     if (!dryRun) {
-      const backupRoot = join40(backup, ts);
+      const backupRoot = join41(backup, ts);
       try {
         mkdirSync8(backupRoot, { recursive: true });
       } catch (err) {
@@ -4802,8 +5014,8 @@ function cmdPull(opts = {}) {
       dryRun ? `pulling on host=${HOST} (backup=${ts}; dry-run)` : `pull on host=${HOST} (backup=${ts})`
     );
     gitOrFatal(["pull", "--rebase", "--autostash"], "git pull --rebase", repo);
-    const mapPath = join40(repo, "path-map.json");
-    const map = existsSync34(mapPath) ? readPathMap(mapPath) : { projects: {} };
+    const mapPath = join41(repo, "path-map.json");
+    const map = existsSync35(mapPath) ? readPathMap(mapPath) : { projects: {} };
     divergenceCheckExtras(ts);
     if (dryRun) {
       computePreview(ts, map, "pull");
@@ -4825,8 +5037,8 @@ function cmdPull(opts = {}) {
 
 // src/commands.push.ts
 init_config();
-import { existsSync as existsSync36 } from "node:fs";
-import { join as join42, relative as relative5 } from "node:path";
+import { existsSync as existsSync37 } from "node:fs";
+import { join as join43, relative as relative5 } from "node:path";
 
 // src/commands.push.allowlist.ts
 init_config();
@@ -4906,9 +5118,9 @@ init_color();
 init_config();
 init_config_sharedDirs_guard();
 import { randomBytes as randomBytes2 } from "node:crypto";
-import { copyFileSync, existsSync as existsSync35, mkdirSync as mkdirSync9, readdirSync as readdirSync11, rmSync as rmSync12 } from "node:fs";
+import { copyFileSync, existsSync as existsSync36, mkdirSync as mkdirSync9, readdirSync as readdirSync11, rmSync as rmSync12 } from "node:fs";
 import { homedir as homedir5 } from "node:os";
-import { join as join41 } from "node:path";
+import { join as join42 } from "node:path";
 init_push_leak_verdict();
 init_push_gitleaks();
 init_utils_fs();
@@ -4923,13 +5135,13 @@ function stageSessions(tmpRoot, map) {
     if (!p || p === "TBD") continue;
     reverse.set(encodePath(p), logical);
   }
-  const localProjects = join41(claudeHome(), "projects");
-  if (!existsSync35(localProjects)) return 0;
+  const localProjects = join42(claudeHome(), "projects");
+  if (!existsSync36(localProjects)) return 0;
   let staged = 0;
   for (const dir of readdirSync11(localProjects)) {
     const logical = reverse.get(dir);
     if (!logical) continue;
-    copyDirJsonlOnly(join41(localProjects, dir), join41(tmpRoot, "shared", "projects", logical));
+    copyDirJsonlOnly(join42(localProjects, dir), join42(tmpRoot, "shared", "projects", logical));
     staged++;
   }
   return staged;
@@ -4945,9 +5157,9 @@ function stageExtras(tmpRoot, map) {
     if (!localRoot || localRoot === "TBD") continue;
     for (const dirname7 of dirnames) {
       if (!whitelist.includes(dirname7)) continue;
-      const src = join41(localRoot, dirname7);
-      if (!existsSync35(src)) continue;
-      const dst = join41(tmpRoot, "shared", "extras", logical, dirname7);
+      const src = join42(localRoot, dirname7);
+      if (!existsSync36(src)) continue;
+      const dst = join42(tmpRoot, "shared", "extras", logical, dirname7);
       copyExtras(src, dst);
       staged++;
     }
@@ -4955,19 +5167,19 @@ function stageExtras(tmpRoot, map) {
   return staged;
 }
 function previewPushLeaks(map) {
-  const cacheDir = join41(homedir5(), ".cache", "claude-nomad");
+  const cacheDir = join42(homedir5(), ".cache", "claude-nomad");
   mkdirSync9(cacheDir, { recursive: true });
   const stamp = `${nowTimestamp()}-${process.pid}-${randomBytes2(4).toString("hex")}`;
-  const tmpRoot = join41(cacheDir, `push-preview-tree-${stamp}`);
+  const tmpRoot = join42(cacheDir, `push-preview-tree-${stamp}`);
   try {
     const sessionCount = stageSessions(tmpRoot, map);
     const extrasCount = stageExtras(tmpRoot, map);
     if (sessionCount + extrasCount === 0) {
       return { leak: false, verdictRow: NOTHING_TO_SCAN_ROW, recovery: null, findings: [] };
     }
-    const ignoreFile = join41(repoHome(), ".gitleaksignore");
-    if (existsSync35(ignoreFile)) {
-      copyFileSync(ignoreFile, join41(tmpRoot, ".gitleaksignore"));
+    const ignoreFile = join42(repoHome(), ".gitleaksignore");
+    if (existsSync36(ignoreFile)) {
+      copyFileSync(ignoreFile, join42(tmpRoot, ".gitleaksignore"));
     }
     let findings;
     try {
@@ -4989,7 +5201,7 @@ init_utils();
 init_utils_fs();
 init_utils_json();
 function guardGitlinks(repo) {
-  const gitlinks = findGitlinks(join42(repo, "shared"));
+  const gitlinks = findGitlinks(join43(repo, "shared"));
   if (gitlinks.length === 0) return;
   for (const p of gitlinks) {
     const rel = relative5(repo, p);
@@ -5043,7 +5255,7 @@ async function cmdPush(opts = {}) {
   guardResolutionModeConflicts(dryRun, redactAll, allowAll, allowRule);
   const repo = repoHome();
   const backup = backupBase();
-  if (!existsSync36(repo)) die(`repo not cloned at ${repo}`);
+  if (!existsSync37(repo)) die(`repo not cloned at ${repo}`);
   const handle = acquireLock("push");
   if (handle === null) process.exit(0);
   try {
@@ -5061,8 +5273,8 @@ async function cmdPush(opts = {}) {
       renderNoScanTree(st);
       return;
     }
-    const mapPath = join42(repo, "path-map.json");
-    if (!existsSync36(mapPath)) {
+    const mapPath = join43(repo, "path-map.json");
+    if (!existsSync37(mapPath)) {
       if (dryRun) return runDryRunPreview(st, null);
       die("path-map.json missing, cannot enforce push allow-list");
     }
@@ -5102,18 +5314,18 @@ init_config();
 
 // src/diff.ts
 init_config();
-import { existsSync as existsSync37 } from "node:fs";
-import { join as join43 } from "node:path";
+import { existsSync as existsSync38 } from "node:fs";
+import { join as join44 } from "node:path";
 init_utils();
 init_utils_fs();
 init_utils_json();
 function cmdDiff() {
   try {
     const repo = repoHome();
-    if (!existsSync37(repo)) die(`repo not cloned at ${repo}`);
+    if (!existsSync38(repo)) die(`repo not cloned at ${repo}`);
     const ts = freshBackupTs(backupBase());
-    const mapPath = join43(repo, "path-map.json");
-    const map = existsSync37(mapPath) ? readPathMap(mapPath) : { projects: {} };
+    const mapPath = join44(repo, "path-map.json");
+    const map = existsSync38(mapPath) ? readPathMap(mapPath) : { projects: {} };
     computePreview(ts, map, "diff");
   } catch (err) {
     if (err instanceof NomadFatal) {
@@ -5127,8 +5339,8 @@ function cmdDiff() {
 
 // src/init.ts
 init_config();
-import { existsSync as existsSync39, mkdirSync as mkdirSync10, writeFileSync as writeFileSync6 } from "node:fs";
-import { join as join45 } from "node:path";
+import { existsSync as existsSync40, mkdirSync as mkdirSync10, writeFileSync as writeFileSync6 } from "node:fs";
+import { join as join46 } from "node:path";
 
 // src/init.gh-onboard.ts
 init_config();
@@ -5210,33 +5422,33 @@ init_config();
 init_utils();
 init_utils_fs();
 init_utils_json();
-import { copyFileSync as copyFileSync2, cpSync as cpSync7, existsSync as existsSync38, rmSync as rmSync13, statSync as statSync9 } from "node:fs";
-import { join as join44 } from "node:path";
+import { copyFileSync as copyFileSync2, cpSync as cpSync7, existsSync as existsSync39, rmSync as rmSync13, statSync as statSync9 } from "node:fs";
+import { join as join45 } from "node:path";
 function snapshotIntoShared(map) {
   const repo = repoHome();
   const claude = claudeHome();
   for (const name of allSharedLinks(map)) {
-    const src = join44(claude, name);
-    if (!existsSync38(src)) continue;
-    const dst = join44(repo, "shared", name);
+    const src = join45(claude, name);
+    if (!existsSync39(src)) continue;
+    const dst = join45(repo, "shared", name);
     if (statSync9(src).isDirectory()) {
-      const gk = join44(dst, ".gitkeep");
-      if (existsSync38(gk)) rmSync13(gk);
+      const gk = join45(dst, ".gitkeep");
+      if (existsSync39(gk)) rmSync13(gk);
       cpSync7(src, dst, { recursive: true, force: false, errorOnExist: true });
     } else {
       copyFileSync2(src, dst);
     }
     log(`snapshotted shared/${name} from ${src}`);
   }
-  const userSettings = join44(claude, "settings.json");
-  if (existsSync38(userSettings)) {
+  const userSettings = join45(claude, "settings.json");
+  if (existsSync39(userSettings)) {
     let parsed;
     try {
       parsed = readJson(userSettings);
     } catch (err) {
       return die(`malformed ${userSettings}: ${err.message}`);
     }
-    const hostFile = join44(repo, "hosts", `${HOST}.json`);
+    const hostFile = join45(repo, "hosts", `${HOST}.json`);
     writeJsonAtomic(hostFile, parsed);
     log(`snapshotted hosts/${HOST}.json from ${userSettings}`);
   }
@@ -5249,14 +5461,14 @@ var SHARED_CLAUDE_MD = "<!-- claude-nomad shared CLAUDE.md; symlinked into ~/.cl
 var SHARED_KEEP_DIRS = ["agents", "skills", "commands", "rules", "hooks"];
 function preflightConflict(repoHome2) {
   const candidates = [
-    join45(repoHome2, "shared", "settings.base.json"),
-    join45(repoHome2, "shared", "CLAUDE.md"),
-    join45(repoHome2, "path-map.json"),
-    join45(repoHome2, "hosts"),
-    join45(repoHome2, "shared")
+    join46(repoHome2, "shared", "settings.base.json"),
+    join46(repoHome2, "shared", "CLAUDE.md"),
+    join46(repoHome2, "path-map.json"),
+    join46(repoHome2, "hosts"),
+    join46(repoHome2, "shared")
   ];
   for (const c of candidates) {
-    if (existsSync39(c)) return c;
+    if (existsSync40(c)) return c;
   }
   return null;
 }
@@ -5271,25 +5483,25 @@ function cmdInit(opts = {}) {
     die(`already initialized; refusing to clobber ${conflict}`);
   }
   ensureOriginRepo(opts.repoName ?? DEFAULT_REPO_NAME, opts.run);
-  mkdirSync10(join45(repo, "shared"), { recursive: true });
-  mkdirSync10(join45(repo, "hosts"), { recursive: true });
+  mkdirSync10(join46(repo, "shared"), { recursive: true });
+  mkdirSync10(join46(repo, "hosts"), { recursive: true });
   for (const name of SHARED_KEEP_DIRS) {
-    mkdirSync10(join45(repo, "shared", name), { recursive: true });
+    mkdirSync10(join46(repo, "shared", name), { recursive: true });
   }
-  const userClaudeMd = join45(claude, "CLAUDE.md");
-  if (!snapshot || !existsSync39(userClaudeMd)) {
-    writeFileSync6(join45(repo, "shared", "CLAUDE.md"), SHARED_CLAUDE_MD);
+  const userClaudeMd = join46(claude, "CLAUDE.md");
+  if (!snapshot || !existsSync40(userClaudeMd)) {
+    writeFileSync6(join46(repo, "shared", "CLAUDE.md"), SHARED_CLAUDE_MD);
     item("created shared/CLAUDE.md");
   }
   for (const name of SHARED_KEEP_DIRS) {
-    writeFileSync6(join45(repo, "shared", name, ".gitkeep"), "");
+    writeFileSync6(join46(repo, "shared", name, ".gitkeep"), "");
     item(`created shared/${name}/.gitkeep`);
   }
-  writeFileSync6(join45(repo, "hosts", ".gitkeep"), "");
+  writeFileSync6(join46(repo, "hosts", ".gitkeep"), "");
   item("created hosts/.gitkeep");
-  writeJsonAtomic(join45(repo, "shared", "settings.base.json"), {});
+  writeJsonAtomic(join46(repo, "shared", "settings.base.json"), {});
   item("created shared/settings.base.json");
-  writeJsonAtomic(join45(repo, "path-map.json"), { projects: {} });
+  writeJsonAtomic(join46(repo, "path-map.json"), { projects: {} });
   item("created path-map.json");
   if (snapshot) {
     snapshotIntoShared({ projects: {} });
@@ -5590,7 +5802,7 @@ function parsePushArgs(argv) {
 // package.json
 var package_default = {
   name: "claude-nomad",
-  version: "0.44.1",
+  version: "0.46.0",
   type: "module",
   description: "Sync Claude Code config (~/.claude/) across machines via a private Git repo, with path remapping and per-host settings overrides.",
   keywords: [
@@ -5792,15 +6004,15 @@ var DEFAULT_HELP = [
 init_config();
 init_utils();
 init_utils_json();
-import { existsSync as existsSync40, readFileSync as readFileSync12, readdirSync as readdirSync12 } from "node:fs";
-import { join as join46 } from "node:path";
+import { existsSync as existsSync41, readFileSync as readFileSync14, readdirSync as readdirSync12 } from "node:fs";
+import { join as join47 } from "node:path";
 function resumeCmd(sessionId) {
   if (!/^[A-Za-z0-9_-]+$/.test(sessionId) || sessionId.length > 128) {
     fail(`invalid session id: ${sessionId}`);
     process.exit(1);
   }
-  const projectsRoot = join46(claudeHome(), "projects");
-  if (!existsSync40(projectsRoot)) {
+  const projectsRoot = join47(claudeHome(), "projects");
+  if (!existsSync41(projectsRoot)) {
     fail(`${projectsRoot} does not exist`);
     process.exit(1);
   }
@@ -5814,8 +6026,8 @@ function resumeCmd(sessionId) {
     fail(`no cwd field found in ${jsonlPath}`);
     process.exit(1);
   }
-  const mapPath = join46(repoHome(), "path-map.json");
-  if (!existsSync40(mapPath)) {
+  const mapPath = join47(repoHome(), "path-map.json");
+  if (!existsSync41(mapPath)) {
     fail("path-map.json missing");
     process.exit(1);
   }
@@ -5838,13 +6050,13 @@ function resumeCmd(sessionId) {
 }
 function findTranscriptPath(projectsRoot, sessionId) {
   for (const dir of readdirSync12(projectsRoot)) {
-    const candidate = join46(projectsRoot, dir, `${sessionId}.jsonl`);
-    if (existsSync40(candidate)) return candidate;
+    const candidate = join47(projectsRoot, dir, `${sessionId}.jsonl`);
+    if (existsSync41(candidate)) return candidate;
   }
   return null;
 }
 function extractRecordedCwd(jsonlPath) {
-  for (const line of readFileSync12(jsonlPath, "utf8").split("\n")) {
+  for (const line of readFileSync14(jsonlPath, "utf8").split("\n")) {
     if (!line.trim()) continue;
     try {
       const obj = JSON.parse(line);