npm - claude-nomad - Versions diffs - 0.45.0 → 0.47.0 - Mend

claude-nomad 0.45.0 → 0.47.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/nomad.mjs CHANGED Viewed

@@ -33,7 +33,7 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 // src/config.never-sync.ts
-var NEVER_SYNC;
+var NEVER_SYNC, CLAUDE_EXTRA_NEVER_SYNC;
 var init_config_never_sync = __esm({
   "src/config.never-sync.ts"() {
     "use strict";
@@ -62,6 +62,7 @@ var init_config_never_sync = __esm({
       "security",
       "sessions"
     ]);
+    CLAUDE_EXTRA_NEVER_SYNC = /* @__PURE__ */ new Set([...NEVER_SYNC, "projects"]);
   }
 });
@@ -407,7 +408,7 @@ var init_config = __esm({
       "my-statusline.cjs",
       "hooks"
     ];
-    SUPPORTED_EXTRAS = [".planning", "CLAUDE.md"];
+    SUPPORTED_EXTRAS = [".planning", "CLAUDE.md", ".claude"];
     ALWAYS_NEVER_SYNC = /* @__PURE__ */ new Set([
       ".claude.json",
       ".credentials.json",
@@ -1400,8 +1401,8 @@ function cmdEject(opts = {}, roots = defaultEjectRoots()) {
 }
 // src/commands.doctor.ts
-import { existsSync as existsSync23 } from "node:fs";
-import { join as join27 } from "node:path";
+import { existsSync as existsSync27 } from "node:fs";
+import { join as join33 } from "node:path";
 // src/commands.doctor.checks.repo.ts
 init_color();
@@ -2931,420 +2932,144 @@ function reportNodeEngineCheck(section2) {
   addItem(section2, `${green(okGlyph)} node: ${process.version} (satisfies >=${min})`);
 }
-// src/commands.doctor.gitleaks-version.ts
+// src/spinner.ts
 init_color();
-import { execFileSync as execFileSync7 } from "node:child_process";
-import { existsSync as existsSync22 } from "node:fs";
-import { join as join26 } from "node:path";
+import { existsSync as existsSync25 } from "node:fs";
+import { fileURLToPath as fileURLToPath4 } from "node:url";
+import { Worker } from "node:worker_threads";
+// src/commands.push.recovery.ts
 init_config();
-var SEMVER_MAJOR_MINOR = /^(\d+)\.(\d+)\.\d+$/;
-var GITLEAKS_TIMEOUT_MS = 5e3;
-function majorMinorOf(value) {
-  const m = SEMVER_MAJOR_MINOR.exec(value);
-  return m === null ? null : [m[1], m[2]];
-}
-function readGitleaksVersion(run, tomlExists) {
-  const tomlPath = join26(repoHome(), ".gitleaks.toml");
-  const args = ["version"];
-  if (tomlExists(tomlPath)) args.push("--config", tomlPath);
-  try {
-    return run("gitleaks", args, {
-      stdio: ["ignore", "pipe", "pipe"],
-      timeout: GITLEAKS_TIMEOUT_MS
-    }).toString().trim();
-  } catch {
-    return null;
-  }
-}
-function reportGitleaksVersionCheck(section2, run = execFileSync7, tomlExists = existsSync22) {
-  const raw = readGitleaksVersion(run, tomlExists);
-  if (raw === null) return;
-  const local = majorMinorOf(raw);
-  if (local === null) return;
-  const pin = majorMinorOf(GITLEAKS_PINNED_VERSION);
-  if (pin === null) return;
-  const sameMajorMinor = local[0] === pin[0] && local[1] === pin[1];
-  if (sameMajorMinor) {
-    addItem(section2, `${green(okGlyph)} gitleaks: ${raw} (matches pinned ${pin[0]}.${pin[1]})`);
-    return;
-  }
-  addItem(
-    section2,
-    `${yellow(warnGlyph)} gitleaks: ${raw} -> ${GITLEAKS_PINNED_VERSION} (CI pins this; local drift may change scan results)`
-  );
-}
+import { readFileSync as readFileSync13, rmSync as rmSync9, writeFileSync as writeFileSync5 } from "node:fs";
+import { join as join31 } from "node:path";
+import { createInterface } from "node:readline/promises";
-// src/commands.doctor.checks.deps.ts
-init_color();
-import { execFileSync as execFileSync8 } from "node:child_process";
-var VERSION_TOKEN = /(\d{1,9}\.\d{1,9}\.\d{1,9})/;
-var PROBE_TIMEOUT_MS = 3e3;
-var FETCHER_BASE = "HTTP fetcher";
-function parseFirstVersion(line) {
-  const m = VERSION_TOKEN.exec(line);
-  return m ? m[1] : null;
-}
-function probeOptionalDep(bin, run) {
-  try {
-    const firstLine = run(bin, ["--version"], {
-      stdio: ["ignore", "pipe", "pipe"],
-      timeout: PROBE_TIMEOUT_MS
-    }).toString().split("\n")[0].trim();
-    const version = parseFirstVersion(firstLine);
-    return { status: "present", version };
-  } catch (err) {
-    if (err.code === "ENOENT") {
-      return { status: "not-installed" };
+// src/commands.push.recovery.actions.ts
+init_config();
+import { readFileSync as readFileSync12 } from "node:fs";
+import { isAbsolute, resolve as resolve3, sep as sep4 } from "node:path";
+// src/commands.push.recovery.redact.ts
+init_config();
+init_config_sharedDirs_guard();
+import { cpSync as cpSync5, existsSync as existsSync24, mkdirSync as mkdirSync6, statSync as statSync7 } from "node:fs";
+import { dirname as dirname6, join as join29, sep as sep3 } from "node:path";
+// src/commands.redact.ts
+init_config();
+import { existsSync as existsSync23, statSync as statSync6 } from "node:fs";
+import { dirname as dirname5, join as join28 } from "node:path";
+// src/commands.redact.subtree.ts
+import { existsSync as existsSync22, lstatSync as lstatSync7, readFileSync as readFileSync10, readdirSync as readdirSync9, statSync as statSync5, writeFileSync as writeFileSync3 } from "node:fs";
+import { join as join26 } from "node:path";
+init_utils_fs();
+function collectFiles(dir, out) {
+  if (!existsSync22(dir)) return;
+  const st = lstatSync7(dir);
+  if (!st.isDirectory()) return;
+  for (const entry of readdirSync9(dir)) {
+    const abs = join26(dir, entry);
+    const lst = lstatSync7(abs);
+    if (lst.isSymbolicLink()) continue;
+    if (lst.isDirectory()) {
+      collectFiles(abs, out);
+      continue;
     }
-    return { status: "present", version: null };
+    if (lst.isFile()) out.push(abs);
   }
 }
-function reportFetcherRow(section2, run) {
-  const curl = probeOptionalDep("curl", run);
-  const wget = probeOptionalDep("wget", run);
-  if (curl.status === "present") {
-    addItem(section2, `${green(okGlyph)} ${FETCHER_BASE}: curl ${curl.version ?? "(present)"}`);
-  } else if (wget.status === "present") {
-    addItem(section2, `${green(okGlyph)} ${FETCHER_BASE}: wget ${wget.version ?? "(present)"}`);
-  } else {
-    addItem(
-      section2,
-      `${yellow(warnGlyph)} ${FETCHER_BASE} (curl or wget): not installed (optional; needed for release-version staleness check + nomad doctor --check-schema)`
-    );
+function listSubtreeFiles(sessionDir) {
+  const out = [];
+  collectFiles(sessionDir, out);
+  return out.sort((a, b) => a.localeCompare(b));
+}
+function newestSubtreeMtimeMs(mainPath, subtreeFiles, statMtime = (p) => statSync5(p).mtimeMs) {
+  let newest = statMtime(mainPath);
+  for (const filePath of subtreeFiles) {
+    const t = statMtime(filePath);
+    if (t > newest) newest = t;
   }
+  return newest;
 }
-function reportOptionalDeps(section2, run = execFileSync8) {
-  const gh = probeOptionalDep("gh", run);
-  if (gh.status === "present") {
-    addItem(section2, `${green(okGlyph)} gh: ${gh.version ?? "present"}`);
-  } else {
-    addItem(
-      section2,
-      `${yellow(warnGlyph)} gh: not installed (optional; needed for nomad init Actions auto-disable + the Actions-drift check)`
-    );
+function applySubtreeRedactions(mainPath, mainFindings, subtreeFiles, rule, ts, scan, dryRun) {
+  const dirty = [];
+  if (mainFindings.length > 0) dirty.push({ path: mainPath, findings: mainFindings });
+  for (const filePath of subtreeFiles) {
+    const raw = scan(filePath);
+    if (raw === null || raw.length === 0) continue;
+    const filtered = rule === void 0 ? raw : raw.filter((f) => f.RuleID === rule);
+    if (filtered.length === 0) continue;
+    dirty.push({ path: filePath, findings: filtered });
   }
-  reportFetcherRow(section2, run);
+  const total = dirty.reduce((n, e) => n + e.findings.length, 0);
+  if (!dryRun && total > 0) {
+    for (const { path: filePath, findings } of dirty) {
+      backupBeforeWrite(filePath, ts);
+      writeFileSync3(filePath, applyRedactions(readFileSync10(filePath, "utf8"), findings), "utf8");
+    }
+  }
+  return { total, dirty };
 }
-// src/commands.doctor.actions-drift.ts
-init_color();
-import { execFileSync as execFileSync10 } from "node:child_process";
-init_config();
+// src/commands.redact.ts
+init_push_gitleaks_scan();
+init_utils_fs();
+init_utils_json();
+init_utils();
-// src/gh-actions.ts
-import { execFileSync as execFileSync9 } from "node:child_process";
-var GH_TIMEOUT_MS = 5e3;
-function parseGitHubRemote(remoteUrl) {
-  const normalized = remoteUrl.trim().replace(/\/$/, "");
-  const m = /github\.com[:/]([^/]+)\/([^/]+?)(?:\.git)?$/.exec(normalized);
-  if (m === null) return null;
-  return { owner: m[1], repo: m[2] };
+// src/utils.lockfile.ts
+init_config();
+init_utils();
+import { closeSync as closeSync3, mkdirSync as mkdirSync5, openSync as openSync3, readFileSync as readFileSync11, unlinkSync, writeFileSync as writeFileSync4 } from "node:fs";
+import { dirname as dirname4, join as join27 } from "node:path";
+function lockFilePath() {
+  return join27(home(), ".cache", "claude-nomad", "nomad.lock");
 }
-function ghAuthStatus(run = execFileSync9) {
+function acquireLock(verb) {
+  const lp = lockFilePath();
+  mkdirSync5(dirname4(lp), { recursive: true });
   try {
-    run("gh", ["auth", "status"], {
-      stdio: ["ignore", "ignore", "ignore"],
-      timeout: GH_TIMEOUT_MS
-    });
-    return null;
+    const fd = openSync3(lp, "wx");
+    try {
+      writeFileSync4(fd, String(process.pid));
+    } catch (writeErr) {
+      try {
+        closeSync3(fd);
+      } catch {
+      }
+      try {
+        unlinkSync(lp);
+      } catch {
+      }
+      throw writeErr;
+    }
+    return { fd, path: lp };
   } catch (err) {
-    const e = err;
-    if (e.code === "ENOENT") return "gh-not-installed";
-    if (typeof e.status === "number") return "gh-not-authed";
-    return "gh-probe-error";
+    const code = err.code;
+    if (code !== "EEXIST") throw err;
+    return checkStaleAndRetry(verb, lp);
   }
 }
-function isRepoPrivate(ref, run = execFileSync9) {
-  const out = run("gh", ["repo", "view", `${ref.owner}/${ref.repo}`, "--json", "isPrivate"], {
-    stdio: ["ignore", "pipe", "ignore"],
-    timeout: GH_TIMEOUT_MS
-  }).toString();
-  const parsed = JSON.parse(out);
-  return parsed.isPrivate === true;
-}
-function isActionsEnabled(ref, run = execFileSync9) {
-  const out = run(
-    "gh",
-    ["api", `repos/${ref.owner}/${ref.repo}/actions/permissions`, "--jq", ".enabled"],
-    { stdio: ["ignore", "pipe", "ignore"], timeout: GH_TIMEOUT_MS }
-  ).toString().trim();
-  return out === "true";
-}
-function disableActions(ref, run = execFileSync9) {
-  run(
-    "gh",
-    [
-      "api",
-      "-X",
-      "PUT",
-      `repos/${ref.owner}/${ref.repo}/actions/permissions`,
-      "-F",
-      "enabled=false"
-    ],
-    { stdio: ["ignore", "ignore", "pipe"], timeout: GH_TIMEOUT_MS }
-  );
-}
-function readOriginRemote(cwd, run = execFileSync9) {
-  return run("git", ["remote", "get-url", "origin"], {
-    cwd,
-    stdio: ["ignore", "pipe", "ignore"]
-  }).toString().trim();
-}
-// src/commands.doctor.actions-drift.ts
-function reportActionsDrift(section2, run = execFileSync10) {
-  let remote;
+function releaseLock(handle) {
+  if (handle === null) return;
+  const lp = handle.path;
   try {
-    remote = readOriginRemote(repoHome(), run);
+    closeSync3(handle.fd);
   } catch {
-    return;
   }
-  const ref = parseGitHubRemote(remote);
-  if (ref === null) return;
-  const auth = ghAuthStatus(run);
-  if (auth === "gh-not-installed" || auth === "gh-not-authed") return;
-  let isPrivate;
   try {
-    isPrivate = isRepoPrivate(ref, run);
-  } catch {
-    return;
+    unlinkSync(lp);
+  } catch (err) {
+    if (err.code !== "ENOENT") throw err;
   }
-  if (!isPrivate) return;
-  let enabled2;
+}
+function unlinkIfSamePid(expectedPidStr, lp) {
+  let current;
   try {
-    enabled2 = isActionsEnabled(ref, run);
+    current = readFileSync11(lp, "utf8").trim();
   } catch {
-    return;
-  }
-  if (!enabled2) return;
-  addItem(
-    section2,
-    `${yellow(warnGlyph)} Actions: enabled on private repo ${ref.owner}/${ref.repo} (re-disable with 'gh api -X PUT repos/${ref.owner}/${ref.repo}/actions/permissions -F enabled=false')`
-  );
-}
-// src/commands.doctor.verdict.ts
-init_color();
-function isFailLine(item2) {
-  return item2.includes(failGlyph);
-}
-function isWarnLine(item2) {
-  return !isFailLine(item2) && item2.includes(warnGlyph);
-}
-function buildVerdictSection(sections) {
-  const summary = section("Summary");
-  const lines = sections.flatMap((s) => s.items).map((item2) => item2.replace(/^\t/, ""));
-  const failures = lines.filter(isFailLine);
-  const warnings = lines.filter(isWarnLine);
-  for (const line of [...failures, ...warnings]) addItem(summary, line);
-  if (failures.length > 0) {
-    addItem(
-      summary,
-      `${red(failGlyph)} ${failures.length} failure(s), ${warnings.length} warning(s)`
-    );
-  } else if (warnings.length > 0) {
-    addItem(summary, `${yellow(warnGlyph)} ${warnings.length} warning(s)`);
-  } else {
-    addItem(summary, `${green(okGlyph)} healthy`);
-  }
-  return summary;
-}
-// src/commands.doctor.ts
-function cmdDoctor(opts = {}) {
-  const host = section("Environment");
-  reportHostAndPaths(host);
-  reportRepoState(host);
-  const links = section("Shared links");
-  const mapPath = join27(repoHome(), "path-map.json");
-  const rawMap = existsSync23(mapPath) ? readJsonSafe(mapPath, mapPath, links) : null;
-  const map = rawMap ?? { projects: {} };
-  reportSharedLinks(links, map);
-  const hooksScan = section("Hook targets");
-  reportHooksTargetCheck(hooksScan);
-  reportHookScopeCheck(hooksScan);
-  reportPreserveSymlinksCheck(hooksScan);
-  const settings = section("Settings");
-  const base = loadBaseSettings(settings);
-  const parsedSettings = loadAndReportSettings(settings);
-  reportHostOverrides(settings, base, parsedSettings);
-  reportSettingsDriftCheck(settings);
-  const pathMap = section("Path map");
-  reportPathMap(pathMap);
-  const neverSync = section("Never-sync");
-  reportNeverSync(neverSync);
-  const repository = section("Repository");
-  const gitleaksReady = reportGitleaksProbe(repository);
-  reportGitlinks(repository);
-  reportRemote(repository);
-  reportRebaseClean(repository);
-  reportRebaseState(repository);
-  reportActionsDrift(repository);
-  const nomadVersion = section("Nomad Version");
-  reportVersionCheck(nomadVersion);
-  const housekeeping = section("Housekeeping");
-  reportBackupsCheck(housekeeping);
-  const depVersions = section("Dependency Versions");
-  reportNodeEngineCheck(depVersions);
-  reportGitleaksVersionCheck(depVersions);
-  reportOptionalDeps(depVersions);
-  const sharedScan = section("Shared scan");
-  if (opts.checkShared === true) reportCheckShared(sharedScan, gitleaksReady);
-  const schemaScan = section("Schema scan");
-  if (opts.checkSchema === true) reportCheckSchema(schemaScan);
-  const body = [
-    nomadVersion,
-    depVersions,
-    host,
-    links,
-    hooksScan,
-    settings,
-    pathMap,
-    neverSync,
-    repository,
-    housekeeping,
-    sharedScan,
-    schemaScan
-  ];
-  renderDoctor([...body, buildVerdictSection(body)]);
-}
-// src/commands.drop-session.ts
-init_config();
-import { execFileSync as execFileSync12 } from "node:child_process";
-import { existsSync as existsSync25, readdirSync as readdirSync9, statSync as statSync5 } from "node:fs";
-import { join as join30, relative as relative4 } from "node:path";
-// src/commands.drop-session.git.ts
-import { execFileSync as execFileSync11 } from "node:child_process";
-function expandStagedDir(dirRel, repo) {
-  try {
-    const out = execFileSync11("git", ["ls-files", "-z", "--", dirRel], {
-      cwd: repo,
-      stdio: ["ignore", "pipe", "pipe"]
-    });
-    return out.toString().split("\0").filter((p) => p !== "");
-  } catch {
-    return [];
-  }
-}
-function isTrackedInHead(rel, repo) {
-  try {
-    execFileSync11("git", ["cat-file", "-e", `HEAD:${rel}`], {
-      cwd: repo,
-      stdio: ["ignore", "pipe", "pipe"]
-    });
-    return true;
-  } catch {
-    return false;
-  }
-}
-function isInIndex(rel, repo) {
-  try {
-    const out = execFileSync11("git", ["ls-files", "--", rel], {
-      cwd: repo,
-      stdio: ["ignore", "pipe", "pipe"]
-    });
-    return out.toString().trim() !== "";
-  } catch {
-    return false;
-  }
-}
-// src/commands.drop-session.scrub-hint.ts
-init_config();
-init_utils();
-init_utils_json();
-import { existsSync as existsSync24 } from "node:fs";
-import { join as join28 } from "node:path";
-var SHARED_PROJECT_LOGICAL = /^shared\/projects\/([^/]+)\//;
-function reportScrubHint(id, matches) {
-  const live = resolveLiveTranscript(id, matches);
-  const target = live ?? `~/.claude/projects/<encoded>/${id}.jsonl`;
-  log(
-    `note: this only un-stages the session from the next push.
-  The local source still contains the secret, so nomad push re-stages it
-  on the next run and nomad doctor --check-shared keeps reporting it.
-  To fully remediate: rotate the credential, then run:
-    nomad redact ${id}
-  (or scrub ${target} manually)`
-  );
-}
-function resolveLiveTranscript(id, matches) {
-  try {
-    const mapPath = join28(repoHome(), "path-map.json");
-    if (!existsSync24(mapPath)) return null;
-    const projects = readJson(mapPath).projects;
-    const claude = claudeHome();
-    for (const rel of matches) {
-      const logical = SHARED_PROJECT_LOGICAL.exec(rel)?.[1];
-      if (logical === void 0) continue;
-      const abs = projects[logical]?.[HOST];
-      if (abs === void 0) continue;
-      const live = join28(claude, "projects", encodePath(abs), `${id}.jsonl`);
-      if (existsSync24(live)) return live;
-    }
-    return null;
-  } catch {
-    return null;
-  }
-}
-// src/commands.drop-session.ts
-init_utils();
-// src/utils.lockfile.ts
-init_config();
-init_utils();
-import { closeSync as closeSync3, mkdirSync as mkdirSync5, openSync as openSync3, readFileSync as readFileSync10, unlinkSync, writeFileSync as writeFileSync3 } from "node:fs";
-import { dirname as dirname4, join as join29 } from "node:path";
-function lockFilePath() {
-  return join29(home(), ".cache", "claude-nomad", "nomad.lock");
-}
-function acquireLock(verb) {
-  const lp = lockFilePath();
-  mkdirSync5(dirname4(lp), { recursive: true });
-  try {
-    const fd = openSync3(lp, "wx");
-    try {
-      writeFileSync3(fd, String(process.pid));
-    } catch (writeErr) {
-      try {
-        closeSync3(fd);
-      } catch {
-      }
-      try {
-        unlinkSync(lp);
-      } catch {
-      }
-      throw writeErr;
-    }
-    return { fd, path: lp };
-  } catch (err) {
-    const code = err.code;
-    if (code !== "EEXIST") throw err;
-    return checkStaleAndRetry(verb, lp);
-  }
-}
-function releaseLock(handle) {
-  if (handle === null) return;
-  const lp = handle.path;
-  try {
-    closeSync3(handle.fd);
-  } catch {
-  }
-  try {
-    unlinkSync(lp);
-  } catch (err) {
-    if (err.code !== "ENOENT") throw err;
-  }
-}
-function unlinkIfSamePid(expectedPidStr, lp) {
-  let current;
-  try {
-    current = readFileSync10(lp, "utf8").trim();
-  } catch {
-    return false;
+    return false;
   }
   if (current !== expectedPidStr) return false;
   try {
@@ -3357,7 +3082,7 @@ function unlinkIfSamePid(expectedPidStr, lp) {
 function checkStaleAndRetry(verb, lp) {
   let pidStr;
   try {
-    pidStr = readFileSync10(lp, "utf8").trim();
+    pidStr = readFileSync11(lp, "utf8").trim();
   } catch {
     pidStr = "";
   }
@@ -3386,7 +3111,7 @@ function retryOnce(verb, lp) {
   try {
     const fd = openSync3(lp, "wx");
     try {
-      writeFileSync3(fd, String(process.pid));
+      writeFileSync4(fd, String(process.pid));
     } catch {
       try {
         closeSync3(fd);
@@ -3406,193 +3131,59 @@ function retryOnce(verb, lp) {
   }
 }
-// src/commands.drop-session.ts
-function cmdDropSession(id) {
+// src/commands.redact.ts
+function resolveLiveTranscript(id) {
+  try {
+    const mapPath = join28(repoHome(), "path-map.json");
+    if (!existsSync23(mapPath)) return null;
+    const projects = readJson(mapPath).projects;
+    const claude = claudeHome();
+    for (const hostMap of Object.values(projects)) {
+      const abs = hostMap[HOST];
+      if (abs === void 0) continue;
+      const live = join28(claude, "projects", encodePath(abs), `${id}.jsonl`);
+      if (existsSync23(live)) return live;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function resolveRedactFindings(localPath, rawFindings, rule, scan) {
+  const source = rawFindings ?? scan(localPath);
+  if (source === null) return null;
+  return source.filter((f) => rule === void 0 || f.RuleID === rule);
+}
+function cmdRedact(opts, nowMs = Date.now, scan = scanFile) {
+  const { id, rule, dryRun = false, findings: rawFindings } = opts;
   if (id.length === 0 || id.length > 128 || !/^[A-Za-z0-9_-]+$/.test(id)) {
     fail(`invalid session id: ${id}`);
     process.exit(1);
   }
   const repo = repoHome();
-  if (!existsSync25(repo)) die(`repo not cloned at ${repo}`);
-  const handle = acquireLock("drop-session");
+  const backup = backupBase();
+  if (!existsSync23(repo)) die(`repo not cloned at ${repo}`);
+  const handle = acquireLock("redact");
   if (handle === null) process.exit(0);
   try {
-    const repoProjects = join30(repo, "shared", "projects");
-    if (!existsSync25(repoProjects)) {
-      throw new NomadFatal(`no staged session matches ${id}`);
+    const localPath = resolveLiveTranscript(id);
+    if (localPath === null || !existsSync23(localPath)) {
+      fail(`could not resolve local transcript for session ${id} on this host`);
+      process.exitCode = 1;
+      return;
     }
-    const matches = collectMatches(repoProjects, id, repo);
-    if (matches.length === 0) {
-      throw new NomadFatal(`no staged session matches ${id}`);
-    }
-    for (const rel of matches) unstageOne(rel, repo);
-    reportScrubHint(id, matches);
-  } catch (err) {
-    if (!(err instanceof NomadFatal)) {
-      throw err;
-    }
-    fail(err.message);
-    process.exitCode = 1;
-  } finally {
-    releaseLock(handle);
-  }
-}
-function collectMatches(repoProjects, id, repo) {
-  const matches = [];
-  for (const logical of readdirSync9(repoProjects)) {
-    const candidate = join30(repoProjects, logical, `${id}.jsonl`);
-    if (existsSync25(candidate)) {
-      matches.push(relative4(repo, candidate));
-    }
-    const dir = join30(repoProjects, logical, id);
-    if (existsSync25(dir) && statSync5(dir).isDirectory()) {
-      const dirRel = relative4(repo, dir);
-      const staged = expandStagedDir(dirRel, repo);
-      if (staged.length > 0) matches.push(...staged);
-      else matches.push(dirRel);
-    }
-  }
-  return matches;
-}
-function unstageOne(rel, repo) {
-  if (!isInIndex(rel, repo)) {
-    item(`dropped ${rel} (already absent from index)`);
-    return;
-  }
-  try {
-    if (isTrackedInHead(rel, repo)) {
-      execFileSync12("git", ["restore", "--staged", "--worktree", "--", rel], {
-        cwd: repo,
-        stdio: ["ignore", "pipe", "pipe"]
-      });
-    } else {
-      execFileSync12("git", ["rm", "--cached", "-f", "--", rel], {
-        cwd: repo,
-        stdio: ["ignore", "pipe", "pipe"]
-      });
-    }
-  } catch (err) {
-    const e = err;
-    const detail = e.stderr?.toString().trim() ?? e.message;
-    throw new NomadFatal(`git failed to unstage ${rel}: ${detail}`);
-  }
-  item(`dropped ${rel}`);
-}
-// src/commands.redact.ts
-init_config();
-import { existsSync as existsSync27, statSync as statSync7 } from "node:fs";
-import { dirname as dirname5, join as join32 } from "node:path";
-// src/commands.redact.subtree.ts
-import { existsSync as existsSync26, lstatSync as lstatSync7, readFileSync as readFileSync11, readdirSync as readdirSync10, statSync as statSync6, writeFileSync as writeFileSync4 } from "node:fs";
-import { join as join31 } from "node:path";
-init_utils_fs();
-function collectFiles(dir, out) {
-  if (!existsSync26(dir)) return;
-  const st = lstatSync7(dir);
-  if (!st.isDirectory()) return;
-  for (const entry of readdirSync10(dir)) {
-    const abs = join31(dir, entry);
-    const lst = lstatSync7(abs);
-    if (lst.isSymbolicLink()) continue;
-    if (lst.isDirectory()) {
-      collectFiles(abs, out);
-      continue;
-    }
-    if (lst.isFile()) out.push(abs);
-  }
-}
-function listSubtreeFiles(sessionDir) {
-  const out = [];
-  collectFiles(sessionDir, out);
-  return out.sort((a, b) => a.localeCompare(b));
-}
-function newestSubtreeMtimeMs(mainPath, subtreeFiles, statMtime = (p) => statSync6(p).mtimeMs) {
-  let newest = statMtime(mainPath);
-  for (const filePath of subtreeFiles) {
-    const t = statMtime(filePath);
-    if (t > newest) newest = t;
-  }
-  return newest;
-}
-function applySubtreeRedactions(mainPath, mainFindings, subtreeFiles, rule, ts, scan, dryRun) {
-  const dirty = [];
-  if (mainFindings.length > 0) dirty.push({ path: mainPath, findings: mainFindings });
-  for (const filePath of subtreeFiles) {
-    const raw = scan(filePath);
-    if (raw === null || raw.length === 0) continue;
-    const filtered = rule === void 0 ? raw : raw.filter((f) => f.RuleID === rule);
-    if (filtered.length === 0) continue;
-    dirty.push({ path: filePath, findings: filtered });
-  }
-  const total = dirty.reduce((n, e) => n + e.findings.length, 0);
-  if (!dryRun && total > 0) {
-    for (const { path: filePath, findings } of dirty) {
-      backupBeforeWrite(filePath, ts);
-      writeFileSync4(filePath, applyRedactions(readFileSync11(filePath, "utf8"), findings), "utf8");
-    }
-  }
-  return { total, dirty };
-}
-// src/commands.redact.ts
-init_push_gitleaks_scan();
-init_utils_fs();
-init_utils_json();
-init_utils();
-function resolveLiveTranscript2(id) {
-  try {
-    const mapPath = join32(repoHome(), "path-map.json");
-    if (!existsSync27(mapPath)) return null;
-    const projects = readJson(mapPath).projects;
-    const claude = claudeHome();
-    for (const hostMap of Object.values(projects)) {
-      const abs = hostMap[HOST];
-      if (abs === void 0) continue;
-      const live = join32(claude, "projects", encodePath(abs), `${id}.jsonl`);
-      if (existsSync27(live)) return live;
-    }
-    return null;
-  } catch {
-    return null;
-  }
-}
-function resolveRedactFindings(localPath, rawFindings, rule, scan) {
-  const source = rawFindings ?? scan(localPath);
-  if (source === null) return null;
-  return source.filter((f) => rule === void 0 || f.RuleID === rule);
-}
-function cmdRedact(opts, nowMs = Date.now, scan = scanFile) {
-  const { id, rule, dryRun = false, findings: rawFindings } = opts;
-  if (id.length === 0 || id.length > 128 || !/^[A-Za-z0-9_-]+$/.test(id)) {
-    fail(`invalid session id: ${id}`);
-    process.exit(1);
-  }
-  const repo = repoHome();
-  const backup = backupBase();
-  if (!existsSync27(repo)) die(`repo not cloned at ${repo}`);
-  const handle = acquireLock("redact");
-  if (handle === null) process.exit(0);
-  try {
-    const localPath = resolveLiveTranscript2(id);
-    if (localPath === null || !existsSync27(localPath)) {
-      fail(`could not resolve local transcript for session ${id} on this host`);
-      process.exitCode = 1;
-      return;
-    }
-    const sessionDir = join32(dirname5(localPath), id);
-    const subtreeFiles = listSubtreeFiles(sessionDir);
-    const subtreeMtime = newestSubtreeMtimeMs(localPath, subtreeFiles, (p) => statSync7(p).mtimeMs);
-    if (isRecentlyModified(subtreeMtime, nowMs())) {
-      log(
-        `session ${id} was modified recently and may be active.
-  Refusing to rewrite a potentially live transcript.
-  To proceed: wait for the session to end, then re-run nomad redact.
-  Or drop from the staged tree: nomad drop-session ${id}
-  Or skip this finding during nomad push.`
-      );
-      return;
+    const sessionDir = join28(dirname5(localPath), id);
+    const subtreeFiles = listSubtreeFiles(sessionDir);
+    const subtreeMtime = newestSubtreeMtimeMs(localPath, subtreeFiles, (p) => statSync6(p).mtimeMs);
+    if (isRecentlyModified(subtreeMtime, nowMs())) {
+      log(
+        `session ${id} was modified recently and may be active.
+  Refusing to rewrite a potentially live transcript.
+  To proceed: wait for the session to end, then re-run nomad redact.
+  Or drop from the staged tree: nomad drop-session ${id}
+  Or skip this finding during nomad push.`
+      );
+      return;
     }
     const mainFindings = resolveRedactFindings(localPath, rawFindings, rule, scan);
     if (mainFindings === null) {
@@ -3633,1142 +3224,1651 @@ ${lines}`);
   }
 }
-// src/commands.pull.ts
-import { existsSync as existsSync35, mkdirSync as mkdirSync8 } from "node:fs";
-import { join as join41 } from "node:path";
-// src/commands.push.sections.ts
-init_color();
-// src/summary.ts
-init_color();
+// src/commands.push.recovery.redact.ts
+init_push_gitleaks_scan();
+init_utils_json();
 init_utils();
-function summaryText(verb, unmapped, collisions = 0, extrasSkipped = 0) {
-  const extras = extrasSkipped > 0 ? `, ${extrasSkipped} extras skipped` : "";
-  if (verb === "push") {
-    if (unmapped === 0 && collisions === 0 && extrasSkipped === 0) {
-      return { text: "summary: clean", clean: true };
-    }
-    const base = `summary: ${unmapped} unmapped on push, ${collisions} collisions`;
-    return { text: `${base}${extras} (run nomad doctor to list)`, clean: false };
-  }
-  if (unmapped === 0 && extrasSkipped === 0) {
-    return { text: "summary: clean", clean: true };
-  }
-  return {
-    text: `summary: ${unmapped} unmapped on ${verb}${extras} (run nomad doctor to list)`,
-    clean: false
-  };
-}
-function summaryRow(verb, unmapped, collisions = 0, extrasSkipped = 0) {
-  const { text, clean } = summaryText(verb, unmapped, collisions, extrasSkipped);
-  return clean ? `${green(okGlyph)} ${text}` : `${yellow(warnGlyph)} ${text}`;
-}
-// src/commands.push.sections.ts
-function collapsedSkipRow(n, noun) {
-  if (n <= 0) return null;
-  return `${dim(infoGlyph)} ${n} ${noun}`;
-}
-function buildSettingsSection(label) {
-  const s = section("Settings");
-  addItem(s, `${green(okGlyph)} settings.json (base + ${label})`);
-  return s;
-}
-function buildSessionsSection(items, unmapped) {
-  const s = section("Sessions");
-  for (const logical of items) addItem(s, `${green(okGlyph)} ${logical}`);
-  const skip = collapsedSkipRow(unmapped, "not in path-map (run nomad doctor to list)");
-  if (skip !== null) addItem(s, skip);
-  return s;
-}
-function buildExtrasSection(items, extrasSkipped) {
-  const s = section("Extras");
-  for (const entry of items) addItem(s, `${green(okGlyph)} ${entry}`);
-  const skip = collapsedSkipRow(extrasSkipped, "extras skipped");
-  if (skip !== null) addItem(s, skip);
-  return s;
-}
-function syncedSections(st) {
-  const sessions = st.dryRun ? st.remap.wouldPush : st.remap.pushed;
-  const extras = st.dryRun ? st.extras.wouldPush : st.extras.pushed;
-  return [
-    buildSessionsSection(sessions, st.remap.unmapped),
-    buildExtrasSection(extras, st.extras.skipped)
-  ];
+// src/commands.push.recovery.seams.ts
+init_push_gitleaks();
+var MASK_LEAD = 4;
+var MASK_BODY = "************";
+var CONTEXT_WINDOW = 40;
+var CONTROL_CHARS = /[\x00-\x1f\x7f]/g;
+function findingKey(f) {
+  return `${f.File}:${f.StartLine}:${f.StartColumn}:${f.RuleID}`;
 }
-function summarySection(st) {
-  const s = section("Summary");
-  const unmapped = st.remap.unmapped + st.extras.unmapped;
-  addItem(s, summaryRow("push", unmapped, st.remap.collisions, st.extras.skipped));
-  return s;
+var VALID_SID = /^[A-Za-z0-9_-]+$/;
+function sessionIdFromFinding(f) {
+  const m = SESSION_PATH.exec(f.File) ?? /^shared\/projects\/[^/]+\/([^/]+)\//.exec(f.File);
+  if (m === null) return null;
+  const sid = m[1];
+  return VALID_SID.test(sid) ? sid : null;
 }
-function renderPushTree(st, verdict) {
-  const leakScan = section("Leak scan");
-  addItem(leakScan, verdict.verdictRow);
-  renderTree([...syncedSections(st), leakScan, summarySection(st)]);
+function parseAction(raw) {
+  const t = raw.trim().toLowerCase();
+  if (t === "r" || t === "redact") return "redact";
+  if (t === "a" || t === "allow") return "allow";
+  if (t === "d" || t === "drop") return "drop";
+  return "skip";
 }
-function renderNoScanTree(st, opts = {}) {
-  const sections = [];
-  if (opts.noMapHint === true) {
-    const pathMap = section("Path map");
-    addItem(pathMap, `${dim(infoGlyph)} no path-map.json (nothing to preview)`);
-    sections.push(pathMap);
+function maskSecret(secret) {
+  return secret.slice(0, MASK_LEAD) + MASK_BODY;
+}
+function buildFindingContext(finding, readLine) {
+  const raw = readLine(finding.File, finding.StartLine);
+  if (raw !== null) {
+    const len = raw.length;
+    const startCol = Math.max(1, Math.min(finding.StartColumn, len + 1));
+    const endCol = Math.max(startCol, Math.min(finding.EndColumn, len));
+    const spanStart = startCol - 1;
+    const spanEnd = endCol;
+    const secret = raw.slice(spanStart, spanEnd);
+    const masked = maskSecret(secret);
+    const fullPrefix = raw.slice(0, spanStart);
+    const fullSuffix = raw.slice(spanEnd);
+    const prefixTruncated = fullPrefix.length > CONTEXT_WINDOW;
+    const suffixTruncated = fullSuffix.length > CONTEXT_WINDOW;
+    const prefix = prefixTruncated ? fullPrefix.slice(fullPrefix.length - CONTEXT_WINDOW) : fullPrefix;
+    const suffix = suffixTruncated ? fullSuffix.slice(0, CONTEXT_WINDOW) : fullSuffix;
+    const excerpt = (prefixTruncated ? "..." : "") + prefix + masked + suffix + (suffixTruncated ? "..." : "");
+    const stripped = excerpt.replace(CONTROL_CHARS, "");
+    if (stripped.trim().length > 0) return stripped;
+  }
+  if (finding.Match.length > 0) {
+    return maskSecret(finding.Match).replace(CONTROL_CHARS, "");
   }
-  renderTree([...sections, ...syncedSections(st), summarySection(st)]);
+  return null;
 }
-// src/commands.pull.ts
-init_config();
-// src/extras-sync.ts
-init_config();
-import { existsSync as existsSync30 } from "node:fs";
-import { join as join35 } from "node:path";
-// src/extras-sync.diff.ts
-init_utils();
-import { execFileSync as execFileSync13 } from "node:child_process";
-function labelDiffLine(line) {
-  const tab = line.indexOf("	");
-  if (tab === -1) return line;
-  const status = line.slice(0, tab);
-  const path = line.slice(tab + 1);
-  if (status === "D") return `${path} (local only)`;
-  if (status === "A") return `${path} (repo only)`;
-  return path;
-}
-function parseDiffOutput(stdout) {
-  return stdout.split("\n").filter((line) => line.length > 0).map(labelDiffLine);
-}
-function listDivergingFiles(a, b) {
-  try {
-    const stdout = execFileSync13("git", ["diff", "--no-index", "--name-status", a, b], {
-      stdio: ["ignore", "pipe", "pipe"]
-    }).toString();
-    return parseDiffOutput(stdout);
-  } catch (err) {
-    const e = err;
-    if (e.status === 1 && e.stdout !== void 0) {
-      return parseDiffOutput(e.stdout.toString());
-    }
-    if (e.code === "ENOENT") {
-      warn(`git not on PATH; divergence check skipped for ${a}`);
-      return [];
+// src/commands.push.recovery.redact.ts
+function resolveStagedDir(localPath, map, claude, repo) {
+  for (const [logical, hostMap] of Object.entries(map.projects)) {
+    assertSafeLogical(logical);
+    const abs = hostMap[HOST];
+    if (abs === void 0) continue;
+    if (localPath.startsWith(join29(claude, "projects", encodePath(abs)) + sep3)) {
+      return join29(repo, "shared", "projects", logical);
     }
-    warn(`divergence check failed for ${a}: ${e.message ?? String(err)}`);
-    return [];
   }
+  return null;
 }
-// src/extras-sync.core.ts
-init_config();
-import { cpSync as cpSync5, existsSync as existsSync28, rmSync as rmSync8 } from "node:fs";
-import { join as join33 } from "node:path";
-// src/extras-sync.guards.ts
-init_utils();
-init_config_sharedDirs_guard();
-import { isAbsolute, normalize } from "node:path";
-function assertSafeLocalRoot(localRoot, logical) {
-  if (!isAbsolute(localRoot)) {
-    throw new NomadFatal(
-      `invalid localRoot for ${logical} in path-map.json: ${JSON.stringify(localRoot)} (must be absolute)`
+function applyRedact(f, ts, map, nowMs, scan = scanFile) {
+  const refuse = (msg) => {
+    log(msg);
+    return false;
+  };
+  const claude = claudeHome();
+  const repo = repoHome();
+  const sid = sessionIdFromFinding(f);
+  if (sid === null) {
+    return refuse(
+      `could not locate the local transcript for this finding; choose Skip or Drop session.`
     );
   }
-  if (localRoot !== normalize(localRoot)) {
-    throw new NomadFatal(
-      `invalid localRoot for ${logical} in path-map.json: ${JSON.stringify(localRoot)} (must be already-normalized; no '..' or redundant segments)`
+  const localPath = resolveLiveTranscript(sid);
+  if (localPath === null) {
+    return refuse(
+      `could not locate the local transcript for session ${sid}; choose Skip or Drop session.`
     );
   }
-}
-// src/extras-sync.core.ts
-init_utils();
-init_utils_json();
-function loadValidatedExtras(opts) {
-  const repo = repoHome();
-  const mapPath = join33(repo, "path-map.json");
-  const repoExtras = join33(repo, "shared", "extras");
-  if (!existsSync28(mapPath) || opts.requireRepoExtras === true && !existsSync28(repoExtras)) {
-    if (opts.missingMsg !== void 0) log(opts.missingMsg);
-    return null;
-  }
-  const map = readPathMap(mapPath);
-  const extrasMap = map.extras ?? {};
-  if (Object.keys(extrasMap).length === 0) return null;
-  for (const logical of Object.keys(extrasMap)) {
-    assertSafeLogical(logical);
-    const localRoot = map.projects[logical]?.[HOST];
-    if (localRoot && localRoot !== "TBD") assertSafeLocalRoot(localRoot, logical);
+  const sessionDir = join29(dirname6(localPath), sid);
+  const subtreeFiles = listSubtreeFiles(sessionDir);
+  const subtreeMtime = newestSubtreeMtimeMs(localPath, subtreeFiles, (p) => statSync7(p).mtimeMs);
+  if (isRecentlyModified(subtreeMtime, nowMs())) {
+    return refuse(
+      `session ${sid} looks active (modified within the last 5 minutes); refusing to redact, no changes made.
+  End the session and choose Redact again, or choose Drop session (holds this session back from the push, local copy kept) or Skip.`
+    );
   }
-  return { map, extrasMap };
-}
-function* eachExtrasTarget(v, counts) {
-  const whitelist = SUPPORTED_EXTRAS;
-  for (const [logical, dirnames] of Object.entries(v.extrasMap)) {
-    const localRoot = v.map.projects[logical]?.[HOST];
-    if (!localRoot || localRoot === "TBD") {
-      counts.unmapped++;
-      continue;
-    }
-    for (const dirname7 of dirnames) {
-      if (!whitelist.includes(dirname7)) {
-        counts.skipped++;
-        continue;
-      }
-      yield { logical, localRoot, dirname: dirname7 };
-    }
+  const stagedProjectDir = resolveStagedDir(localPath, map, claude, repo);
+  if (stagedProjectDir === null) {
+    return refuse(
+      `could not map the local transcript for session ${sid} to a staged copy; choose Drop session or Skip.`
+    );
   }
-}
-function copyExtras(src, dst) {
-  rmSync8(dst, { recursive: true, force: true });
-  cpSync5(src, dst, { recursive: true, force: true, verbatimSymlinks: true });
-}
-// src/extras-sync.ts
-init_utils();
-init_utils_json();
-// src/extras-sync.remap.ts
-init_config();
-import { existsSync as existsSync29, mkdirSync as mkdirSync6 } from "node:fs";
-import { join as join34 } from "node:path";
-init_utils_fs();
-function runExtrasOp(v, dryRun, paths, backup) {
-  const counts = { unmapped: 0, skipped: 0 };
-  const done = [];
-  const would = [];
-  for (const t of eachExtrasTarget(v, counts)) {
-    const { src, dst } = paths(t);
-    if (!existsSync29(src)) continue;
-    const item2 = `${t.logical}/${t.dirname}`;
-    if (dryRun) {
-      would.push(item2);
-      continue;
-    }
-    backup(dst, t.localRoot);
-    copyExtras(src, dst);
-    done.push(item2);
+  const mainFindings = scan(localPath);
+  if (mainFindings === null) {
+    return refuse(`re-scan of the transcript failed; choose Skip or Drop session.`);
   }
-  return { ...counts, done, would };
-}
-function remapExtrasPush(ts, opts = {}) {
-  const dryRun = opts.dryRun === true;
-  const v = loadValidatedExtras({ missingMsg: "no path-map.json; skipping extras push" });
-  if (v === null) return { unmapped: 0, skipped: 0, pushed: [], wouldPush: [] };
-  const repo = repoHome();
-  const repoExtras = join34(repo, "shared", "extras");
-  if (!dryRun) mkdirSync6(repoExtras, { recursive: true });
-  const { unmapped, skipped, done, would } = runExtrasOp(
-    v,
-    dryRun,
-    ({ localRoot, logical, dirname: dirname7 }) => ({
-      src: join34(localRoot, dirname7),
-      dst: join34(repoExtras, logical, dirname7)
-    }),
-    (dst) => backupRepoWrite(dst, ts, repo)
-  );
-  return { unmapped, skipped, pushed: done, wouldPush: would };
-}
-function remapExtrasPull(ts, opts = {}) {
-  const dryRun = opts.dryRun === true;
-  const v = loadValidatedExtras({
-    requireRepoExtras: true,
-    missingMsg: "no path-map or repo extras dir; skipping extras remap"
-  });
-  if (v === null) return { unmapped: 0, skipped: 0, pulled: [], wouldPull: [] };
-  const repoExtras = join34(repoHome(), "shared", "extras");
-  const { unmapped, skipped, done, would } = runExtrasOp(
-    v,
-    dryRun,
-    ({ localRoot, logical, dirname: dirname7 }) => ({
-      src: join34(repoExtras, logical, dirname7),
-      dst: join34(localRoot, dirname7)
-    }),
-    // Snapshot the host-side dst BEFORE copyExtras clobbers it. Anchor on
-    // localRoot so the backup tree mirrors the project layout.
-    (dst, localRoot) => backupExtrasWrite(dst, ts, localRoot)
+  const { total: anyTotal } = applySubtreeRedactions(
+    localPath,
+    mainFindings,
+    subtreeFiles,
+    void 0,
+    ts,
+    scan,
+    false
   );
-  return { unmapped, skipped, pulled: done, wouldPull: would };
+  if (anyTotal === 0) {
+    return refuse(
+      `nothing to redact in the local transcript for session ${sid}; choose Skip or Drop session.`
+    );
+  }
+  mkdirSync6(stagedProjectDir, { recursive: true });
+  cpSync5(localPath, join29(stagedProjectDir, `${sid}.jsonl`), { force: true });
+  if (existsSync24(sessionDir)) {
+    cpSync5(sessionDir, join29(stagedProjectDir, sid), { force: true, recursive: true });
+  }
+  return true;
 }
-// src/extras-sync.ts
-function divergenceCheckExtras(ts) {
-  const v = loadValidatedExtras({});
-  if (v === null) return;
-  const counts = { unmapped: 0, skipped: 0 };
-  const backupRoot = join35(backupBase(), ts, "extras");
+// src/commands.push.recovery.drop.ts
+init_config();
+import { rmSync as rmSync8 } from "node:fs";
+import { join as join30 } from "node:path";
+function dropSessionFromStaged(sid, map) {
+  const logicals = Object.keys(map.projects);
+  if (logicals.length === 0) return false;
   const repo = repoHome();
-  for (const { logical, localRoot, dirname: dirname7 } of eachExtrasTarget(v, counts)) {
-    const local = join35(localRoot, dirname7);
-    const repoEntry = join35(repo, "shared", "extras", logical, dirname7);
-    if (!existsSync30(local) || !existsSync30(repoEntry)) continue;
-    const diff = listDivergingFiles(local, repoEntry);
-    if (diff.length === 0) continue;
-    const projectBackupRoot = join35(backupRoot, encodePath(localRoot));
-    warn(
-      `local ${dirname7} for ${logical} diverges from origin in ${diff.length} file(s); next remapExtrasPull will overwrite them (backups at ${projectBackupRoot}/)`
-    );
-    for (const f of diff) warn(`  ${f}`);
+  for (const logical of logicals) {
+    const jsonl = join30(repo, "shared", "projects", logical, `${sid}.jsonl`);
+    const dir = join30(repo, "shared", "projects", logical, sid);
+    rmSync8(jsonl, { force: true });
+    rmSync8(dir, { recursive: true, force: true });
   }
+  return true;
 }
-// src/links.ts
-init_config();
+// src/commands.push.recovery.actions.ts
+init_push_gitleaks_scan();
 init_utils();
-init_utils_fs();
-init_utils_json();
-import { existsSync as existsSync31, lstatSync as lstatSync8, rmSync as rmSync9 } from "node:fs";
-import { join as join36 } from "node:path";
-function emitAutoMove(onPreview, linkPath, ts, name) {
-  if (onPreview) {
-    onPreview({ kind: "auto-move", from: linkPath, to: `backup/${ts}/${name}` });
-  } else {
-    log(`would auto-move non-symlink: ${linkPath} -> backup/${ts}/${name}`);
-  }
+function applyAllow(f, repo) {
+  appendGitleaksIgnore(f.Fingerprint, repo);
 }
-function emitCreate(onPreview, from, to) {
-  if (onPreview) {
-    onPreview({ kind: "create", from, to });
-  } else {
-    log(`would create symlink: ${from} -> ${to}`);
+function allowAllFindings(findings, repo) {
+  for (const f of findings) {
+    appendGitleaksIgnore(f.Fingerprint, repo);
   }
 }
-function applySharedLinks(ts, map, opts = {}) {
-  const dryRun = opts.dryRun === true;
-  const claude = claudeHome();
-  const repo = repoHome();
-  const linkNames = allSharedLinks(map);
-  for (const name of linkNames) {
-    const linkPath = join36(claude, name);
-    const target = join36(repo, "shared", name);
-    if (!existsSync31(linkPath)) continue;
-    if (lstatSync8(linkPath).isSymbolicLink()) continue;
-    if (!existsSync31(target)) continue;
-    if (dryRun) {
-      emitAutoMove(opts.onPreview, linkPath, ts, name);
-      continue;
-    }
-    backupBeforeWrite(linkPath, ts);
-    rmSync9(linkPath, { recursive: true, force: true });
-  }
-  for (const name of linkNames) {
-    const target = join36(repo, "shared", name);
-    if (!existsSync31(target)) continue;
-    if (dryRun) {
-      emitCreate(opts.onPreview, join36(claude, name), target);
-      continue;
+function allowFindingsByRule(findings, ruleId, repo) {
+  let count = 0;
+  for (const f of findings) {
+    if (f.RuleID === ruleId) {
+      appendGitleaksIgnore(f.Fingerprint, repo);
+      count++;
     }
-    ensureSymlink(join36(claude, name), target);
   }
+  return count;
 }
-function regenerateSettings(ts, opts = {}) {
-  const dryRun = opts.dryRun === true;
-  const repo = repoHome();
-  const claude = claudeHome();
-  const basePath = join36(repo, "shared", "settings.base.json");
-  const hostPath = join36(repo, "hosts", `${HOST}.json`);
-  if (!existsSync31(basePath)) {
-    die("repo not initialized; run 'nomad init' to scaffold");
-  }
-  const base = readJson(basePath);
-  const hasOverrides = existsSync31(hostPath);
-  const overrides = hasOverrides ? readJson(hostPath) : {};
-  const merged = deepMerge(base, overrides);
-  const settingsPath = join36(claude, "settings.json");
-  if (!hasOverrides && existsSync31(settingsPath)) {
+function makeDefaultReadLine(repo) {
+  return (file, line) => {
     try {
-      const existing = readJson(settingsPath);
-      const baseKeys = new Set(Object.keys(base));
-      const drift = Object.keys(existing).filter((k) => !baseKeys.has(k));
-      if (drift.length > 0) {
-        warn(
-          `no hosts/${HOST}.json found; existing settings has unbased keys ${JSON.stringify(drift)}. Set NOMAD_HOST to match a hosts/*.json or rerun 'nomad doctor' for candidates.`
-        );
+      const repoRoot = resolve3(repo);
+      const target = resolve3(repoRoot, file);
+      if (isAbsolute(file) || target !== repoRoot && !target.startsWith(repoRoot + sep4)) {
+        return null;
       }
+      const content = readFileSync12(target, "utf8");
+      const lines = content.split(/\r?\n/);
+      const idx = line - 1;
+      if (idx < 0 || idx >= lines.length) return null;
+      return lines[idx] ?? null;
     } catch {
-      warn("existing settings.json is malformed; skipping drift-check and regenerating.");
+      return null;
     }
+  };
+}
+async function collectActions(findings, prompt, readLine) {
+  const reader = readLine ?? makeDefaultReadLine(repoHome());
+  const actions = /* @__PURE__ */ new Map();
+  for (const f of findings) {
+    const sid = sessionIdFromFinding(f);
+    const ctx = buildFindingContext(f, reader);
+    const header = `
+Finding: ${f.RuleID} in ${f.File} line ${f.StartLine}` + (sid === null ? "" : ` (session: ${sid})`) + (ctx === null ? "" : `
+  context: ${ctx}`) + "\n  [R]edact  [A]llow  [D]rop session  [S]kip (default)\n";
+    actions.set(findingKey(f), parseAction(await prompt(header + "> ")));
   }
-  const overrideLabel = hasOverrides ? `${HOST}.json` : "no host overrides";
-  if (dryRun) {
-    log(`would write settings.json (base + ${overrideLabel})`);
-    return { label: overrideLabel };
-  }
-  backupBeforeWrite(settingsPath, ts);
-  writeJsonAtomic(settingsPath, merged);
-  return { label: overrideLabel };
+  return actions;
 }
-// src/preview.ts
-init_config();
-import { existsSync as existsSync32 } from "node:fs";
-import { join as join37 } from "node:path";
-// node_modules/diff/libesm/diff/base.js
-var Diff = class {
-  diff(oldStr, newStr, options = {}) {
-    let callback;
-    if (typeof options === "function") {
-      callback = options;
-      options = {};
-    } else if ("callback" in options) {
-      callback = options.callback;
-    }
-    const oldString = this.castInput(oldStr, options);
-    const newString = this.castInput(newStr, options);
-    const oldTokens = this.removeEmpty(this.tokenize(oldString, options));
-    const newTokens = this.removeEmpty(this.tokenize(newString, options));
-    return this.diffWithOptionsObj(oldTokens, newTokens, options, callback);
+function dispatchOne(f, ctx) {
+  const action = ctx.actions.get(findingKey(f)) ?? "skip";
+  if (action === "skip") return;
+  const sid = sessionIdFromFinding(f);
+  if (sid !== null && ctx.droppedSids.has(sid)) return;
+  if (action === "allow") {
+    applyAllow(f, ctx.repo);
+    return;
   }
-  diffWithOptionsObj(oldTokens, newTokens, options, callback) {
-    var _a;
-    const done = (value) => {
-      value = this.postProcess(value, options);
-      if (callback) {
-        setTimeout(function() {
-          callback(value);
-        }, 0);
-        return void 0;
-      } else {
-        return value;
-      }
-    };
-    const newLen = newTokens.length, oldLen = oldTokens.length;
-    let editLength = 1;
-    let maxEditLength = newLen + oldLen;
-    if (options.maxEditLength != null) {
-      maxEditLength = Math.min(maxEditLength, options.maxEditLength);
-    }
-    const maxExecutionTime = (_a = options.timeout) !== null && _a !== void 0 ? _a : Infinity;
-    const abortAfterTimestamp = Date.now() + maxExecutionTime;
-    const bestPath = [{ oldPos: -1, lastComponent: void 0 }];
-    let newPos = this.extractCommon(bestPath[0], newTokens, oldTokens, 0, options);
-    if (bestPath[0].oldPos + 1 >= oldLen && newPos + 1 >= newLen) {
-      return done(this.buildValues(bestPath[0].lastComponent, newTokens, oldTokens));
-    }
-    let minDiagonalToConsider = -Infinity, maxDiagonalToConsider = Infinity;
-    const execEditLength = () => {
-      for (let diagonalPath = Math.max(minDiagonalToConsider, -editLength); diagonalPath <= Math.min(maxDiagonalToConsider, editLength); diagonalPath += 2) {
-        let basePath;
-        const removePath = bestPath[diagonalPath - 1], addPath = bestPath[diagonalPath + 1];
-        if (removePath) {
-          bestPath[diagonalPath - 1] = void 0;
-        }
-        let canAdd = false;
-        if (addPath) {
-          const addPathNewPos = addPath.oldPos - diagonalPath;
-          canAdd = addPath && 0 <= addPathNewPos && addPathNewPos < newLen;
-        }
-        const canRemove = removePath && removePath.oldPos + 1 < oldLen;
-        if (!canAdd && !canRemove) {
-          bestPath[diagonalPath] = void 0;
-          continue;
-        }
-        if (!canRemove || canAdd && removePath.oldPos < addPath.oldPos) {
-          basePath = this.addToPath(addPath, true, false, 0, options);
-        } else {
-          basePath = this.addToPath(removePath, false, true, 1, options);
-        }
-        newPos = this.extractCommon(basePath, newTokens, oldTokens, diagonalPath, options);
-        if (basePath.oldPos + 1 >= oldLen && newPos + 1 >= newLen) {
-          return done(this.buildValues(basePath.lastComponent, newTokens, oldTokens)) || true;
-        } else {
-          bestPath[diagonalPath] = basePath;
-          if (basePath.oldPos + 1 >= oldLen) {
-            maxDiagonalToConsider = Math.min(maxDiagonalToConsider, diagonalPath - 1);
-          }
-          if (newPos + 1 >= newLen) {
-            minDiagonalToConsider = Math.max(minDiagonalToConsider, diagonalPath + 1);
-          }
-        }
-      }
-      editLength++;
-    };
-    if (callback) {
-      (function exec() {
-        setTimeout(function() {
-          if (editLength > maxEditLength || Date.now() > abortAfterTimestamp) {
-            return callback(void 0);
-          }
-          if (!execEditLength()) {
-            exec();
-          }
-        }, 0);
-      })();
-    } else {
-      while (editLength <= maxEditLength && Date.now() <= abortAfterTimestamp) {
-        const ret = execEditLength();
-        if (ret) {
-          return ret;
-        }
-      }
+  if (sid === null) return;
+  if (action === "drop") {
+    ctx.droppedSids.add(sid);
+    if (ctx.drop(sid, ctx.map)) {
+      log(
+        `dropped session ${sid} from this push (local transcript kept; the secret remains in your local copy)`
+      );
     }
+    return;
   }
-  addToPath(path, added, removed, oldPosInc, options) {
-    const last = path.lastComponent;
-    if (last && !options.oneChangePerToken && last.added === added && last.removed === removed) {
-      return {
-        oldPos: path.oldPos + oldPosInc,
-        lastComponent: { count: last.count + 1, added, removed, previousComponent: last.previousComponent }
-      };
-    } else {
-      return {
-        oldPos: path.oldPos + oldPosInc,
-        lastComponent: { count: 1, added, removed, previousComponent: last }
-      };
-    }
+  if (action === "redact" && !ctx.redactedSids.has(sid)) {
+    if (applyRedact(f, ctx.ts, ctx.map, ctx.nowMs, ctx.scan)) ctx.redactedSids.add(sid);
   }
-  extractCommon(basePath, newTokens, oldTokens, diagonalPath, options) {
-    const newLen = newTokens.length, oldLen = oldTokens.length;
-    let oldPos = basePath.oldPos, newPos = oldPos - diagonalPath, commonCount = 0;
-    while (newPos + 1 < newLen && oldPos + 1 < oldLen && this.equals(oldTokens[oldPos + 1], newTokens[newPos + 1], options)) {
-      newPos++;
-      oldPos++;
-      commonCount++;
-      if (options.oneChangePerToken) {
-        basePath.lastComponent = { count: 1, previousComponent: basePath.lastComponent, added: false, removed: false };
-      }
-    }
-    if (commonCount && !options.oneChangePerToken) {
-      basePath.lastComponent = { count: commonCount, previousComponent: basePath.lastComponent, added: false, removed: false };
-    }
-    basePath.oldPos = oldPos;
-    return newPos;
+}
+function dispatchActions(findings, actions, opts) {
+  const { ts, map, nowMs, repo, scan = scanFile, drop = dropSessionFromStaged } = opts;
+  const ctx = {
+    actions,
+    ts,
+    map,
+    nowMs,
+    repo,
+    scan,
+    drop,
+    redactedSids: /* @__PURE__ */ new Set(),
+    droppedSids: /* @__PURE__ */ new Set()
+  };
+  for (const f of findings) {
+    dispatchOne(f, ctx);
   }
-  equals(left, right, options) {
-    if (options.comparator) {
-      return options.comparator(left, right);
-    } else {
-      return left === right || !!options.ignoreCase && left.toLowerCase() === right.toLowerCase();
-    }
+}
+function redactAllFindings(findings, ts, map, nowMs, scan = scanFile) {
+  const redactedSids = /* @__PURE__ */ new Set();
+  for (const f of findings) {
+    const sid = sessionIdFromFinding(f);
+    if (sid === null || redactedSids.has(sid)) continue;
+    if (applyRedact(f, ts, map, nowMs, scan)) redactedSids.add(sid);
   }
-  removeEmpty(array) {
-    const ret = [];
-    for (let i = 0; i < array.length; i++) {
-      if (array[i]) {
-        ret.push(array[i]);
-      }
-    }
-    return ret;
+}
+// src/commands.push.recovery.ts
+init_push_gitleaks_scan();
+init_push_gitleaks();
+init_utils();
+function isTTY(stdin = process.stdin, stdout = process.stdout) {
+  return stdin.isTTY === true && stdout.isTTY === true;
+}
+function hasUnresolved(actions) {
+  for (const action of actions.values()) {
+    if (action === "skip") return true;
   }
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  castInput(value, options) {
-    return value;
+  return false;
+}
+function printRecoveryLegend(print = console.log) {
+  print("");
+  print("Recovery actions:");
+  print("  Redact       - scrub the secret from the local transcript, push the cleaned copy");
+  print("  Allow        - mark as false positive (adds a .gitleaksignore fingerprint), push as-is");
+  print("  Drop session - exclude this session from this push (local transcript kept, running");
+  print("                 session is not stopped)");
+  print("  Skip         - leave unresolved (the push aborts)");
+  print("");
+}
+function applyThenRescan(scanVerdict, repoHome2) {
+  gitOrFatal(["add", "-A"], "git add", repoHome2);
+  const next = scanVerdict(repoHome2);
+  if (next.leak) {
+    const { bySession, other } = partitionFindings(next.findings);
+    throw new NomadFatal(buildSessionAwareFatal(bySession, other));
   }
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  tokenize(value, options) {
-    return Array.from(value);
+  return next;
+}
+function allowThenRescan(append, scanVerdict, repoHome2) {
+  const ignPath = join31(repoHome2, ".gitleaksignore");
+  let before;
+  try {
+    before = readFileSync13(ignPath, "utf8");
+  } catch {
+    before = null;
+  }
+  append();
+  try {
+    return applyThenRescan(scanVerdict, repoHome2);
+  } catch (err) {
+    if (before === null) rmSync9(ignPath, { force: true });
+    else writeFileSync5(ignPath, before, "utf8");
+    throw err;
+  }
+}
+function makeRealPrompt() {
+  return async (prompt) => {
+    const rl = createInterface({
+      input: process.stdin,
+      output: process.stdout,
+      terminal: true
+    });
+    try {
+      return await rl.question(prompt);
+    } finally {
+      rl.close();
+    }
+  };
+}
+async function resolveLeakFindings(verdict, ts, map, deps = {}) {
+  const {
+    isTTYCheck = isTTY,
+    nowMs = Date.now,
+    redactAll = false,
+    allowAll = false,
+    allowRule,
+    makePrompt: makePromptFn = makeRealPrompt,
+    scan = scanFile,
+    printLegend = printRecoveryLegend
+  } = deps;
+  const scanVerdict = deps.scanVerdict ?? (await Promise.resolve().then(() => (init_push_leak_verdict(), push_leak_verdict_exports))).scanPushVerdict;
+  const repo = repoHome();
+  let current = verdict;
+  if (redactAll) {
+    redactAllFindings(current.findings, ts, map, nowMs, scan);
+    return applyThenRescan(scanVerdict, repo);
+  }
+  if (allowAll) {
+    return allowThenRescan(() => allowAllFindings(current.findings, repo), scanVerdict, repo);
+  }
+  if (allowRule !== void 0) {
+    return allowThenRescan(
+      () => {
+        const matched = allowFindingsByRule(current.findings, allowRule, repo);
+        if (matched === 0) log(`no findings matched rule ${allowRule}; re-scanning`);
+      },
+      scanVerdict,
+      repo
+    );
+  }
+  if (!isTTYCheck()) {
+    throw new NomadFatal(current.recovery ?? "gitleaks detected secrets");
+  }
+  const prompt = makePromptFn();
+  printLegend();
+  while (current.leak && current.findings.length > 0) {
+    const actions = await collectActions(current.findings, prompt);
+    if (hasUnresolved(actions)) {
+      const unresolved = current.findings.filter((f) => actions.get(findingKey(f)) === "skip");
+      const { bySession, other } = partitionFindings(unresolved);
+      throw new NomadFatal(buildSessionAwareFatal(bySession, other));
+    }
+    dispatchActions(current.findings, actions, { ts, map, nowMs, repo, scan });
+    gitOrFatal(["add", "-A"], "git add", repo);
+    current = scanVerdict(repo);
+  }
+  return current;
+}
+// src/spinner.ts
+function formatElapsed(ms) {
+  return `${(ms / 1e3).toFixed(1)}s`;
+}
+function writePlainStart(out, label) {
+  out.write(`${label}...
+`);
+}
+function writePlainDone(out, label, ms) {
+  out.write(`${label} done (${formatElapsed(ms)})
+`);
+}
+function writeAnimatedDone(out, label, ms, useTTY) {
+  out.write("\r\x1B[K");
+  const glyph = useTTY ? green(okGlyph) : okGlyph;
+  out.write(`${glyph} ${label} (${formatElapsed(ms)})
+`);
+}
+function resolveWorkerPath(deps = {}) {
+  const check = deps.existsSyncFn ?? existsSync25;
+  const base = deps.baseUrl ?? import.meta.url;
+  const mjs = fileURLToPath4(new URL("./nomad.worker.mjs", base));
+  if (check(mjs)) return mjs;
+  return fileURLToPath4(new URL("./spinner.worker.ts", base));
+}
+function makeRealWorker() {
+  return new Worker(resolveWorkerPath());
+}
+function startSpinner(label, deps = {}) {
+  const ttyCheck = deps.isTTYCheck ?? (() => isTTY());
+  const env = deps.env ?? process.env;
+  const out = deps.out ?? process.stderr;
+  const now = deps.now ?? Date.now;
+  const startMs = now();
+  const animate = ttyCheck() && !env.CI;
+  let worker = null;
+  let degraded = false;
+  let finalized = false;
+  if (animate) {
+    const factory = deps.makeWorker ?? makeRealWorker;
+    try {
+      worker = factory();
+      worker.unref?.();
+      worker.postMessage({ type: "start", label });
+    } catch {
+      degraded = true;
+      worker = null;
+      writePlainStart(out, label);
+    }
+  } else {
+    writePlainStart(out, label);
+  }
+  function finalize(success, doneLabel) {
+    if (finalized) return;
+    finalized = true;
+    const dl = doneLabel ?? label;
+    const elapsed = now() - startMs;
+    if (animate && !degraded && worker !== null) {
+      worker.postMessage({ type: "pause" });
+      worker.terminate();
+      worker = null;
+      if (success) writeAnimatedDone(out, dl, elapsed, ttyCheck());
+      else out.write("\r\x1B[K");
+    } else if (success) {
+      writePlainDone(out, dl, elapsed);
+    }
+  }
+  return {
+    succeed: (doneLabel) => finalize(true, doneLabel),
+    stop: () => finalize(false)
+  };
+}
+function withSpinner(label, fn, deps) {
+  const sp = startSpinner(label, deps);
+  try {
+    const result = fn();
+    sp.succeed();
+    return result;
+  } finally {
+    sp.stop();
+  }
+}
+// src/commands.doctor.gitleaks-version.ts
+init_color();
+import { execFileSync as execFileSync7 } from "node:child_process";
+import { existsSync as existsSync26 } from "node:fs";
+import { join as join32 } from "node:path";
+init_config();
+var SEMVER_MAJOR_MINOR = /^(\d+)\.(\d+)\.\d+$/;
+var GITLEAKS_TIMEOUT_MS = 5e3;
+function majorMinorOf(value) {
+  const m = SEMVER_MAJOR_MINOR.exec(value);
+  return m === null ? null : [m[1], m[2]];
+}
+function readGitleaksVersion(run, tomlExists) {
+  const tomlPath = join32(repoHome(), ".gitleaks.toml");
+  const args = ["version"];
+  if (tomlExists(tomlPath)) args.push("--config", tomlPath);
+  try {
+    return run("gitleaks", args, {
+      stdio: ["ignore", "pipe", "pipe"],
+      timeout: GITLEAKS_TIMEOUT_MS
+    }).toString().trim();
+  } catch {
+    return null;
+  }
+}
+function reportGitleaksVersionCheck(section2, run = execFileSync7, tomlExists = existsSync26) {
+  const raw = readGitleaksVersion(run, tomlExists);
+  if (raw === null) return;
+  const local = majorMinorOf(raw);
+  if (local === null) return;
+  const pin = majorMinorOf(GITLEAKS_PINNED_VERSION);
+  if (pin === null) return;
+  const sameMajorMinor = local[0] === pin[0] && local[1] === pin[1];
+  if (sameMajorMinor) {
+    addItem(section2, `${green(okGlyph)} gitleaks: ${raw} (matches pinned ${pin[0]}.${pin[1]})`);
+    return;
+  }
+  addItem(
+    section2,
+    `${yellow(warnGlyph)} gitleaks: ${raw} -> ${GITLEAKS_PINNED_VERSION} (CI pins this; local drift may change scan results)`
+  );
+}
+// src/commands.doctor.checks.deps.ts
+init_color();
+import { execFileSync as execFileSync8 } from "node:child_process";
+var VERSION_TOKEN = /(\d{1,9}\.\d{1,9}\.\d{1,9})/;
+var PROBE_TIMEOUT_MS = 3e3;
+var FETCHER_BASE = "HTTP fetcher";
+function parseFirstVersion(line) {
+  const m = VERSION_TOKEN.exec(line);
+  return m ? m[1] : null;
+}
+function probeOptionalDep(bin, run) {
+  try {
+    const firstLine = run(bin, ["--version"], {
+      stdio: ["ignore", "pipe", "pipe"],
+      timeout: PROBE_TIMEOUT_MS
+    }).toString().split("\n")[0].trim();
+    const version = parseFirstVersion(firstLine);
+    return { status: "present", version };
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      return { status: "not-installed" };
+    }
+    return { status: "present", version: null };
+  }
+}
+function reportFetcherRow(section2, run) {
+  const curl = probeOptionalDep("curl", run);
+  const wget = probeOptionalDep("wget", run);
+  if (curl.status === "present") {
+    addItem(section2, `${green(okGlyph)} ${FETCHER_BASE}: curl ${curl.version ?? "(present)"}`);
+  } else if (wget.status === "present") {
+    addItem(section2, `${green(okGlyph)} ${FETCHER_BASE}: wget ${wget.version ?? "(present)"}`);
+  } else {
+    addItem(
+      section2,
+      `${yellow(warnGlyph)} ${FETCHER_BASE} (curl or wget): not installed (optional; needed for release-version staleness check + nomad doctor --check-schema)`
+    );
+  }
+}
+function reportOptionalDeps(section2, run = execFileSync8) {
+  const gh = probeOptionalDep("gh", run);
+  if (gh.status === "present") {
+    addItem(section2, `${green(okGlyph)} gh: ${gh.version ?? "present"}`);
+  } else {
+    addItem(
+      section2,
+      `${yellow(warnGlyph)} gh: not installed (optional; needed for nomad init Actions auto-disable + the Actions-drift check)`
+    );
+  }
+  reportFetcherRow(section2, run);
+}
+// src/commands.doctor.actions-drift.ts
+init_color();
+import { execFileSync as execFileSync10 } from "node:child_process";
+init_config();
+// src/gh-actions.ts
+import { execFileSync as execFileSync9 } from "node:child_process";
+var GH_TIMEOUT_MS = 5e3;
+function parseGitHubRemote(remoteUrl) {
+  const normalized = remoteUrl.trim().replace(/\/$/, "");
+  const m = /github\.com[:/]([^/]+)\/([^/]+?)(?:\.git)?$/.exec(normalized);
+  if (m === null) return null;
+  return { owner: m[1], repo: m[2] };
+}
+function ghAuthStatus(run = execFileSync9) {
+  try {
+    run("gh", ["auth", "status"], {
+      stdio: ["ignore", "ignore", "ignore"],
+      timeout: GH_TIMEOUT_MS
+    });
+    return null;
+  } catch (err) {
+    const e = err;
+    if (e.code === "ENOENT") return "gh-not-installed";
+    if (typeof e.status === "number") return "gh-not-authed";
+    return "gh-probe-error";
+  }
+}
+function isRepoPrivate(ref, run = execFileSync9) {
+  const out = run("gh", ["repo", "view", `${ref.owner}/${ref.repo}`, "--json", "isPrivate"], {
+    stdio: ["ignore", "pipe", "ignore"],
+    timeout: GH_TIMEOUT_MS
+  }).toString();
+  const parsed = JSON.parse(out);
+  return parsed.isPrivate === true;
+}
+function isActionsEnabled(ref, run = execFileSync9) {
+  const out = run(
+    "gh",
+    ["api", `repos/${ref.owner}/${ref.repo}/actions/permissions`, "--jq", ".enabled"],
+    { stdio: ["ignore", "pipe", "ignore"], timeout: GH_TIMEOUT_MS }
+  ).toString().trim();
+  return out === "true";
+}
+function disableActions(ref, run = execFileSync9) {
+  run(
+    "gh",
+    [
+      "api",
+      "-X",
+      "PUT",
+      `repos/${ref.owner}/${ref.repo}/actions/permissions`,
+      "-F",
+      "enabled=false"
+    ],
+    { stdio: ["ignore", "ignore", "pipe"], timeout: GH_TIMEOUT_MS }
+  );
+}
+function readOriginRemote(cwd, run = execFileSync9) {
+  return run("git", ["remote", "get-url", "origin"], {
+    cwd,
+    stdio: ["ignore", "pipe", "ignore"]
+  }).toString().trim();
+}
+// src/commands.doctor.actions-drift.ts
+function reportActionsDrift(section2, run = execFileSync10) {
+  let remote;
+  try {
+    remote = readOriginRemote(repoHome(), run);
+  } catch {
+    return;
+  }
+  const ref = parseGitHubRemote(remote);
+  if (ref === null) return;
+  const auth = ghAuthStatus(run);
+  if (auth === "gh-not-installed" || auth === "gh-not-authed") return;
+  let isPrivate;
+  try {
+    isPrivate = isRepoPrivate(ref, run);
+  } catch {
+    return;
+  }
+  if (!isPrivate) return;
+  let enabled2;
+  try {
+    enabled2 = isActionsEnabled(ref, run);
+  } catch {
+    return;
+  }
+  if (!enabled2) return;
+  addItem(
+    section2,
+    `${yellow(warnGlyph)} Actions: enabled on private repo ${ref.owner}/${ref.repo} (re-disable with 'gh api -X PUT repos/${ref.owner}/${ref.repo}/actions/permissions -F enabled=false')`
+  );
+}
+// src/commands.doctor.verdict.ts
+init_color();
+function isFailLine(item2) {
+  return item2.includes(failGlyph);
+}
+function isWarnLine(item2) {
+  return !isFailLine(item2) && item2.includes(warnGlyph);
+}
+function buildVerdictSection(sections) {
+  const summary = section("Summary");
+  const lines = sections.flatMap((s) => s.items).map((item2) => item2.replace(/^\t/, ""));
+  const failures = lines.filter(isFailLine);
+  const warnings = lines.filter(isWarnLine);
+  for (const line of [...failures, ...warnings]) addItem(summary, line);
+  if (failures.length > 0) {
+    addItem(
+      summary,
+      `${red(failGlyph)} ${failures.length} failure(s), ${warnings.length} warning(s)`
+    );
+  } else if (warnings.length > 0) {
+    addItem(summary, `${yellow(warnGlyph)} ${warnings.length} warning(s)`);
+  } else {
+    addItem(summary, `${green(okGlyph)} healthy`);
   }
-  join(chars) {
-    return chars.join("");
+  return summary;
+}
+// src/commands.doctor.ts
+function gatherDoctorSections(opts) {
+  const host = section("Environment");
+  reportHostAndPaths(host);
+  reportRepoState(host);
+  const links = section("Shared links");
+  const mapPath = join33(repoHome(), "path-map.json");
+  const rawMap = existsSync27(mapPath) ? readJsonSafe(mapPath, mapPath, links) : null;
+  const map = rawMap ?? { projects: {} };
+  reportSharedLinks(links, map);
+  const hooksScan = section("Hook targets");
+  reportHooksTargetCheck(hooksScan);
+  reportHookScopeCheck(hooksScan);
+  reportPreserveSymlinksCheck(hooksScan);
+  const settings = section("Settings");
+  const base = loadBaseSettings(settings);
+  const parsedSettings = loadAndReportSettings(settings);
+  reportHostOverrides(settings, base, parsedSettings);
+  reportSettingsDriftCheck(settings);
+  const pathMap = section("Path map");
+  reportPathMap(pathMap);
+  const neverSync = section("Never-sync");
+  reportNeverSync(neverSync);
+  const repository = section("Repository");
+  const gitleaksReady = reportGitleaksProbe(repository);
+  reportGitlinks(repository);
+  reportRemote(repository);
+  reportRebaseClean(repository);
+  reportRebaseState(repository);
+  reportActionsDrift(repository);
+  const nomadVersion = section("Nomad Version");
+  reportVersionCheck(nomadVersion);
+  const housekeeping = section("Housekeeping");
+  reportBackupsCheck(housekeeping);
+  const depVersions = section("Dependency Versions");
+  reportNodeEngineCheck(depVersions);
+  reportGitleaksVersionCheck(depVersions);
+  reportOptionalDeps(depVersions);
+  const sharedScan = section("Shared scan");
+  if (opts.checkShared === true) reportCheckShared(sharedScan, gitleaksReady);
+  const schemaScan = section("Schema scan");
+  if (opts.checkSchema === true) reportCheckSchema(schemaScan);
+  const body = [
+    nomadVersion,
+    depVersions,
+    host,
+    links,
+    hooksScan,
+    settings,
+    pathMap,
+    neverSync,
+    repository,
+    housekeeping,
+    sharedScan,
+    schemaScan
+  ];
+  return [...body, buildVerdictSection(body)];
+}
+function cmdDoctor(opts = {}) {
+  const makeSpinner = opts.startSpinner ?? startSpinner;
+  const sp = makeSpinner("Running checks");
+  let report;
+  try {
+    report = gatherDoctorSections(opts);
+  } finally {
+    sp.stop();
   }
-  postProcess(changeObjects, options) {
-    return changeObjects;
+  renderDoctor(report);
+}
+// src/commands.drop-session.ts
+init_config();
+import { execFileSync as execFileSync12 } from "node:child_process";
+import { existsSync as existsSync29, readdirSync as readdirSync10, statSync as statSync8 } from "node:fs";
+import { join as join35, relative as relative4 } from "node:path";
+// src/commands.drop-session.git.ts
+import { execFileSync as execFileSync11 } from "node:child_process";
+function expandStagedDir(dirRel, repo) {
+  try {
+    const out = execFileSync11("git", ["ls-files", "-z", "--", dirRel], {
+      cwd: repo,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    return out.toString().split("\0").filter((p) => p !== "");
+  } catch {
+    return [];
   }
-  get useLongestToken() {
+}
+function isTrackedInHead(rel, repo) {
+  try {
+    execFileSync11("git", ["cat-file", "-e", `HEAD:${rel}`], {
+      cwd: repo,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    return true;
+  } catch {
     return false;
   }
-  buildValues(lastComponent, newTokens, oldTokens) {
-    const components = [];
-    let nextComponent;
-    while (lastComponent) {
-      components.push(lastComponent);
-      nextComponent = lastComponent.previousComponent;
-      delete lastComponent.previousComponent;
-      lastComponent = nextComponent;
-    }
-    components.reverse();
-    const componentLen = components.length;
-    let componentPos = 0, newPos = 0, oldPos = 0;
-    for (; componentPos < componentLen; componentPos++) {
-      const component = components[componentPos];
-      if (!component.removed) {
-        if (!component.added && this.useLongestToken) {
-          let value = newTokens.slice(newPos, newPos + component.count);
-          value = value.map(function(value2, i) {
-            const oldValue = oldTokens[oldPos + i];
-            return oldValue.length > value2.length ? oldValue : value2;
-          });
-          component.value = this.join(value);
-        } else {
-          component.value = this.join(newTokens.slice(newPos, newPos + component.count));
-        }
-        newPos += component.count;
-        if (!component.added) {
-          oldPos += component.count;
-        }
-      } else {
-        component.value = this.join(oldTokens.slice(oldPos, oldPos + component.count));
-        oldPos += component.count;
-      }
+}
+function isInIndex(rel, repo) {
+  try {
+    const out = execFileSync11("git", ["ls-files", "--", rel], {
+      cwd: repo,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    return out.toString().trim() !== "";
+  } catch {
+    return false;
+  }
+}
+// src/commands.drop-session.scrub-hint.ts
+init_config();
+init_utils();
+init_utils_json();
+import { existsSync as existsSync28 } from "node:fs";
+import { join as join34 } from "node:path";
+var SHARED_PROJECT_LOGICAL = /^shared\/projects\/([^/]+)\//;
+function reportScrubHint(id, matches) {
+  const live = resolveLiveTranscript2(id, matches);
+  const target = live ?? `~/.claude/projects/<encoded>/${id}.jsonl`;
+  log(
+    `note: this only un-stages the session from the next push.
+  The local source still contains the secret, so nomad push re-stages it
+  on the next run and nomad doctor --check-shared keeps reporting it.
+  To fully remediate: rotate the credential, then run:
+    nomad redact ${id}
+  (or scrub ${target} manually)`
+  );
+}
+function resolveLiveTranscript2(id, matches) {
+  try {
+    const mapPath = join34(repoHome(), "path-map.json");
+    if (!existsSync28(mapPath)) return null;
+    const projects = readJson(mapPath).projects;
+    const claude = claudeHome();
+    for (const rel of matches) {
+      const logical = SHARED_PROJECT_LOGICAL.exec(rel)?.[1];
+      if (logical === void 0) continue;
+      const abs = projects[logical]?.[HOST];
+      if (abs === void 0) continue;
+      const live = join34(claude, "projects", encodePath(abs), `${id}.jsonl`);
+      if (existsSync28(live)) return live;
     }
-    return components;
+    return null;
+  } catch {
+    return null;
   }
-};
+}
-// node_modules/diff/libesm/diff/line.js
-var LineDiff = class extends Diff {
-  constructor() {
-    super(...arguments);
-    this.tokenize = tokenize;
+// src/commands.drop-session.ts
+init_utils();
+function cmdDropSession(id) {
+  if (id.length === 0 || id.length > 128 || !/^[A-Za-z0-9_-]+$/.test(id)) {
+    fail(`invalid session id: ${id}`);
+    process.exit(1);
   }
-  equals(left, right, options) {
-    if (options.ignoreWhitespace) {
-      if (!options.newlineIsToken || !left.includes("\n")) {
-        left = left.trim();
-      }
-      if (!options.newlineIsToken || !right.includes("\n")) {
-        right = right.trim();
-      }
-    } else if (options.ignoreNewlineAtEof && !options.newlineIsToken) {
-      if (left.endsWith("\n")) {
-        left = left.slice(0, -1);
-      }
-      if (right.endsWith("\n")) {
-        right = right.slice(0, -1);
-      }
+  const repo = repoHome();
+  if (!existsSync29(repo)) die(`repo not cloned at ${repo}`);
+  const handle = acquireLock("drop-session");
+  if (handle === null) process.exit(0);
+  try {
+    const repoProjects = join35(repo, "shared", "projects");
+    if (!existsSync29(repoProjects)) {
+      throw new NomadFatal(`no staged session matches ${id}`);
     }
-    return super.equals(left, right, options);
+    const matches = collectMatches(repoProjects, id, repo);
+    if (matches.length === 0) {
+      throw new NomadFatal(`no staged session matches ${id}`);
+    }
+    for (const rel of matches) unstageOne(rel, repo);
+    reportScrubHint(id, matches);
+  } catch (err) {
+    if (!(err instanceof NomadFatal)) {
+      throw err;
+    }
+    fail(err.message);
+    process.exitCode = 1;
+  } finally {
+    releaseLock(handle);
   }
-};
-var lineDiff = new LineDiff();
-function diffLines(oldStr, newStr, options) {
-  return lineDiff.diff(oldStr, newStr, options);
 }
-function tokenize(value, options) {
-  if (options.stripTrailingCr) {
-    value = value.replace(/\r\n/g, "\n");
+function collectMatches(repoProjects, id, repo) {
+  const matches = [];
+  for (const logical of readdirSync10(repoProjects)) {
+    const candidate = join35(repoProjects, logical, `${id}.jsonl`);
+    if (existsSync29(candidate)) {
+      matches.push(relative4(repo, candidate));
+    }
+    const dir = join35(repoProjects, logical, id);
+    if (existsSync29(dir) && statSync8(dir).isDirectory()) {
+      const dirRel = relative4(repo, dir);
+      const staged = expandStagedDir(dirRel, repo);
+      if (staged.length > 0) matches.push(...staged);
+      else matches.push(dirRel);
+    }
   }
-  const retLines = [], linesAndNewlines = value.split(/(\n|\r\n)/);
-  if (!linesAndNewlines[linesAndNewlines.length - 1]) {
-    linesAndNewlines.pop();
+  return matches;
+}
+function unstageOne(rel, repo) {
+  if (!isInIndex(rel, repo)) {
+    item(`dropped ${rel} (already absent from index)`);
+    return;
   }
-  for (let i = 0; i < linesAndNewlines.length; i++) {
-    const line = linesAndNewlines[i];
-    if (i % 2 && !options.newlineIsToken) {
-      retLines[retLines.length - 1] += line;
+  try {
+    if (isTrackedInHead(rel, repo)) {
+      execFileSync12("git", ["restore", "--staged", "--worktree", "--", rel], {
+        cwd: repo,
+        stdio: ["ignore", "pipe", "pipe"]
+      });
     } else {
-      retLines.push(line);
+      execFileSync12("git", ["rm", "--cached", "-f", "--", rel], {
+        cwd: repo,
+        stdio: ["ignore", "pipe", "pipe"]
+      });
     }
+  } catch (err) {
+    const e = err;
+    const detail = e.stderr?.toString().trim() ?? e.message;
+    throw new NomadFatal(`git failed to unstage ${rel}: ${detail}`);
   }
-  return retLines;
+  item(`dropped ${rel}`);
 }
-// src/diff-lines.ts
+// src/commands.pull.ts
+import { existsSync as existsSync35, mkdirSync as mkdirSync8 } from "node:fs";
+import { join as join41 } from "node:path";
+// src/commands.push.sections.ts
 init_color();
-function diffLinesToUnified(oldStr, newStr) {
-  const parts = diffLines(oldStr, newStr);
-  const lines = [];
-  for (const part of parts) {
-    const partLines = part.value.split("\n");
-    if (partLines.at(-1) === "") {
-      partLines.pop();
-    }
-    let prefix;
-    if (part.removed) prefix = (line) => red(`-${line}`);
-    else if (part.added) prefix = (line) => green(`+${line}`);
-    else prefix = (line) => ` ${line}`;
-    for (const line of partLines) {
-      lines.push(prefix(line));
+// src/summary.ts
+init_utils();
+function summaryText(verb, unmapped, collisions = 0, extrasSkipped = 0) {
+  const extras = extrasSkipped > 0 ? `, ${extrasSkipped} extras skipped` : "";
+  if (verb === "push") {
+    if (unmapped === 0 && collisions === 0 && extrasSkipped === 0) {
+      return { text: "summary: clean", clean: true };
     }
+    const base = `summary: ${unmapped} unmapped on push, ${collisions} collisions`;
+    return { text: `${base}${extras} (run nomad doctor to list)`, clean: false };
   }
-  return lines;
+  if (unmapped === 0 && extrasSkipped === 0) {
+    return { text: "summary: clean", clean: true };
+  }
+  return {
+    text: `summary: ${unmapped} unmapped on ${verb}${extras} (run nomad doctor to list)`,
+    clean: false
+  };
+}
+function summaryRow(verb, unmapped, collisions = 0, extrasSkipped = 0) {
+  const { text } = summaryText(verb, unmapped, collisions, extrasSkipped);
+  return text.replace(/^summary: /, "");
 }
-// src/preview.ts
-init_utils_json();
-var CANONICAL_ORDER_NOTE = "settings.json will be rewritten in canonical key order; no value changes";
-function diffJsonStrings(currentJsonText, newJsonText) {
-  if (currentJsonText === newJsonText) return "";
-  const lines = [
-    "--- ~/.claude/settings.json",
-    "+++ would write",
-    ...diffLinesToUnified(currentJsonText, newJsonText)
+// src/commands.push.sections.ts
+function collapsedSkipRow(n, noun) {
+  if (n <= 0) return null;
+  return `${dim(infoGlyph)} ${n} ${noun}`;
+}
+function buildSettingsSection(label) {
+  const s = section("Settings");
+  addItem(s, `${green(okGlyph)} settings.json (base + ${label})`);
+  return s;
+}
+function buildSessionsSection(items, unmapped) {
+  const s = section("Sessions");
+  for (const logical of items) addItem(s, `${green(okGlyph)} ${logical}`);
+  const skip = collapsedSkipRow(unmapped, "not in path-map (run nomad doctor to list)");
+  if (skip !== null) addItem(s, skip);
+  return s;
+}
+function buildExtrasSection(items, extrasSkipped) {
+  const s = section("Extras");
+  for (const entry of items) addItem(s, `${green(okGlyph)} ${entry}`);
+  const skip = collapsedSkipRow(extrasSkipped, "extras skipped");
+  if (skip !== null) addItem(s, skip);
+  return s;
+}
+function syncedSections(st) {
+  const sessions = st.dryRun ? st.remap.wouldPush : st.remap.pushed;
+  const extras = st.dryRun ? st.extras.wouldPush : st.extras.pushed;
+  return [
+    buildSessionsSection(sessions, st.remap.unmapped),
+    buildExtrasSection(extras, st.extras.skipped)
   ];
-  return lines.join("\n");
 }
-function readJsonOrNull(path) {
-  if (!existsSync32(path)) return null;
+function summarySection(st) {
+  const s = section("Summary");
+  const unmapped = st.remap.unmapped + st.extras.unmapped;
+  addItem(s, summaryRow("push", unmapped, st.remap.collisions, st.extras.skipped));
+  return s;
+}
+function renderPushTree(st, verdict) {
+  const leakScan = section("Leak scan");
+  addItem(leakScan, verdict.verdictRow);
+  renderTree([...syncedSections(st), leakScan, summarySection(st)]);
+}
+function renderNoScanTree(st, opts = {}) {
+  const sections = [];
+  if (opts.noMapHint === true) {
+    const pathMap = section("Path map");
+    addItem(pathMap, `${dim(infoGlyph)} no path-map.json (nothing to preview)`);
+    sections.push(pathMap);
+  }
+  renderTree([...sections, ...syncedSections(st), summarySection(st)]);
+}
+// src/commands.pull.ts
+init_config();
+// src/extras-sync.ts
+init_config();
+import { existsSync as existsSync32 } from "node:fs";
+import { join as join38 } from "node:path";
+// src/extras-sync.diff.ts
+init_utils();
+import { execFileSync as execFileSync13 } from "node:child_process";
+function labelDiffLine(line) {
+  const tab = line.indexOf("	");
+  if (tab === -1) return line;
+  const status = line.slice(0, tab);
+  const path = line.slice(tab + 1);
+  if (status === "D") return `${path} (local only)`;
+  if (status === "A") return `${path} (repo only)`;
+  return path;
+}
+function parseDiffOutput(stdout) {
+  return stdout.split("\n").filter((line) => line.length > 0).map(labelDiffLine);
+}
+function listDivergingFiles(a, b) {
   try {
-    return readJson(path);
-  } catch {
-    return null;
+    const stdout = execFileSync13("git", ["diff", "--no-index", "--name-status", a, b], {
+      stdio: ["ignore", "pipe", "pipe"]
+    }).toString();
+    return parseDiffOutput(stdout);
+  } catch (err) {
+    const e = err;
+    if (e.status === 1 && e.stdout !== void 0) {
+      return parseDiffOutput(e.stdout.toString());
+    }
+    if (e.code === "ENOENT") {
+      warn(`git not on PATH; divergence check skipped for ${a}`);
+      return [];
+    }
+    warn(`divergence check failed for ${a}: ${e.message ?? String(err)}`);
+    return [];
   }
 }
-function previewSettings(basePath, hostPath, settingsPath) {
-  const base = readJsonOrNull(basePath);
-  if (base === null) {
-    return { diff: "", notes: ["section skipped (base or current missing)"] };
+// src/extras-sync.core.ts
+init_config();
+import { cpSync as cpSync6, existsSync as existsSync30, rmSync as rmSync10 } from "node:fs";
+import { basename, join as join36 } from "node:path";
+// src/extras-sync.guards.ts
+init_utils();
+init_config_sharedDirs_guard();
+import { isAbsolute as isAbsolute2, normalize } from "node:path";
+function assertSafeLocalRoot(localRoot, logical) {
+  if (!isAbsolute2(localRoot)) {
+    throw new NomadFatal(
+      `invalid localRoot for ${logical} in path-map.json: ${JSON.stringify(localRoot)} (must be absolute)`
+    );
   }
-  const notes = [];
-  const hostOverrides = readJsonOrNull(hostPath);
-  if (hostOverrides === null && existsSync32(hostPath)) {
-    notes.push(`malformed hosts/${HOST}.json; ignoring overrides`);
+  if (localRoot !== normalize(localRoot)) {
+    throw new NomadFatal(
+      `invalid localRoot for ${logical} in path-map.json: ${JSON.stringify(localRoot)} (must be already-normalized; no '..' or redundant segments)`
+    );
   }
-  const merged = deepMerge(base, hostOverrides ?? {});
-  const current = readJsonOrNull(settingsPath);
-  if (current === null && existsSync32(settingsPath)) {
-    return { diff: "", notes: [...notes, "malformed; skipping diff"] };
+}
+// src/extras-sync.core.ts
+init_utils();
+init_utils_json();
+function loadValidatedExtras(opts) {
+  const repo = repoHome();
+  const mapPath = join36(repo, "path-map.json");
+  const repoExtras = join36(repo, "shared", "extras");
+  if (!existsSync30(mapPath) || opts.requireRepoExtras === true && !existsSync30(repoExtras)) {
+    if (opts.missingMsg !== void 0) log(opts.missingMsg);
+    return null;
   }
-  const rawEqual = JSON.stringify(current ?? {}, null, 2) === JSON.stringify(merged, null, 2);
-  const diff = diffJsonStrings(
-    JSON.stringify(sortKeysDeep(current ?? {}), null, 2),
-    JSON.stringify(sortKeysDeep(merged), null, 2)
-  );
-  if (diff === "" && !rawEqual) notes.push(CANONICAL_ORDER_NOTE);
-  return { diff, notes };
+  const map = readPathMap(mapPath);
+  const extrasMap = map.extras ?? {};
+  if (Object.keys(extrasMap).length === 0) return null;
+  for (const logical of Object.keys(extrasMap)) {
+    assertSafeLogical(logical);
+    const localRoot = map.projects[logical]?.[HOST];
+    if (localRoot && localRoot !== "TBD") assertSafeLocalRoot(localRoot, logical);
+  }
+  return { map, extrasMap };
 }
-function formatLinkRow(e) {
-  return `${e.kind}  ${e.from} -> ${e.to}`;
+function* eachExtrasTarget(v, counts) {
+  const whitelist = SUPPORTED_EXTRAS;
+  for (const [logical, dirnames] of Object.entries(v.extrasMap)) {
+    const localRoot = v.map.projects[logical]?.[HOST];
+    if (!localRoot || localRoot === "TBD") {
+      counts.unmapped++;
+      continue;
+    }
+    for (const dirname7 of dirnames) {
+      if (!whitelist.includes(dirname7)) {
+        counts.skipped++;
+        continue;
+      }
+      yield { logical, localRoot, dirname: dirname7 };
+    }
+  }
 }
-function formatSessionRow(e) {
-  return e.kind === "overwrite" ? `overwrite  ${e.dst} (from ${e.src})` : e.text;
+function copyExtras(src, dst) {
+  rmSync10(dst, { recursive: true, force: true });
+  cpSync6(src, dst, { recursive: true, force: true, verbatimSymlinks: true });
 }
-function buildSettingsSectionForPreview(result) {
-  const s = section("settings.json", true);
-  if (result.diff !== "") {
-    for (const line of result.diff.split("\n")) {
-      addItem(s, line);
+function extrasDenySet(dirname7) {
+  return dirname7 === ".claude" ? CLAUDE_EXTRA_NEVER_SYNC : ALWAYS_NEVER_SYNC;
+}
+function copyExtrasFiltered(src, dst, blockSet) {
+  rmSync10(dst, { recursive: true, force: true });
+  cpSync6(src, dst, {
+    recursive: true,
+    force: true,
+    verbatimSymlinks: true,
+    filter: (srcEntry) => srcEntry === src || !blockSet.has(basename(srcEntry))
+  });
+}
+// src/extras-sync.ts
+init_utils();
+init_utils_json();
+// src/extras-sync.remap.ts
+init_config();
+import { existsSync as existsSync31, mkdirSync as mkdirSync7 } from "node:fs";
+import { join as join37 } from "node:path";
+init_utils_fs();
+function runExtrasOp(v, dryRun, paths, backup, copy) {
+  const counts = { unmapped: 0, skipped: 0 };
+  const done = [];
+  const would = [];
+  for (const t of eachExtrasTarget(v, counts)) {
+    const { src, dst } = paths(t);
+    if (!existsSync31(src)) continue;
+    const item2 = `${t.logical}/${t.dirname}`;
+    if (dryRun) {
+      would.push(item2);
+      continue;
     }
+    backup(dst, t.localRoot);
+    copy(src, dst, t.dirname);
+    done.push(item2);
   }
-  for (const note of result.notes) {
-    addItem(s, `note: ${note}`);
-  }
-  return s;
+  return { ...counts, done, would };
 }
-function computePreview(ts, map, verb = "pull") {
+function remapExtrasPush(ts, opts = {}) {
+  const dryRun = opts.dryRun === true;
+  const v = loadValidatedExtras({ missingMsg: "no path-map.json; skipping extras push" });
+  if (v === null) return { unmapped: 0, skipped: 0, pushed: [], wouldPush: [] };
   const repo = repoHome();
-  const claude = claudeHome();
-  console.log(`would pull on host=${HOST} (dry-run; no mutation)`);
-  console.log("");
-  const links = section("Symlinks");
-  applySharedLinks(ts, map, {
-    dryRun: true,
-    onPreview: (e) => addItem(links, formatLinkRow(e))
-  });
-  const settingsResult = previewSettings(
-    join37(repo, "shared", "settings.base.json"),
-    join37(repo, "hosts", `${HOST}.json`),
-    join37(claude, "settings.json")
+  const repoExtras = join37(repo, "shared", "extras");
+  if (!dryRun) mkdirSync7(repoExtras, { recursive: true });
+  const { unmapped, skipped, done, would } = runExtrasOp(
+    v,
+    dryRun,
+    ({ localRoot, logical, dirname: dirname7 }) => ({
+      src: join37(localRoot, dirname7),
+      dst: join37(repoExtras, logical, dirname7)
+    }),
+    (dst) => backupRepoWrite(dst, ts, repo),
+    // Push filters every extra by its per-name denylist: `.claude` gets the
+    // full NEVER_SYNC boundary, `.planning` keeps the narrow ALWAYS_NEVER_SYNC.
+    (src, dst, dirname7) => copyExtrasFiltered(src, dst, extrasDenySet(dirname7))
   );
-  const settingsSection = buildSettingsSectionForPreview(settingsResult);
-  const sessions = section("Sessions");
-  const remapResult = remapPull(ts, {
-    dryRun: true,
-    onPreview: (e) => addItem(sessions, formatSessionRow(e))
+  return { unmapped, skipped, pushed: done, wouldPush: would };
+}
+function remapExtrasPull(ts, opts = {}) {
+  const dryRun = opts.dryRun === true;
+  const v = loadValidatedExtras({
+    requireRepoExtras: true,
+    missingMsg: "no path-map or repo extras dir; skipping extras remap"
   });
-  const summary = section("Summary");
-  addItem(summary, summaryRow(verb, remapResult.unmapped));
-  renderTree([links, settingsSection, sessions, summary]);
-  return { unmapped: remapResult.unmapped, collisions: 0 };
+  if (v === null) return { unmapped: 0, skipped: 0, pulled: [], wouldPull: [] };
+  const repoExtras = join37(repoHome(), "shared", "extras");
+  const { unmapped, skipped, done, would } = runExtrasOp(
+    v,
+    dryRun,
+    ({ localRoot, logical, dirname: dirname7 }) => ({
+      src: join37(repoExtras, logical, dirname7),
+      dst: join37(localRoot, dirname7)
+    }),
+    // Snapshot the host-side dst BEFORE copyExtras clobbers it. Anchor on
+    // localRoot so the backup tree mirrors the project layout.
+    (dst, localRoot) => backupExtrasWrite(dst, ts, localRoot),
+    // Pull filters `.claude` against its NEVER_SYNC boundary so a repo poisoned
+    // out-of-band cannot restore a blocked per-host file (e.g. settings.local.json)
+    // onto this host. Other extras use the exact-mirror copyExtras: the repo is
+    // clean once push filters, and exact mirror is the documented restore for
+    // `.planning`.
+    (src, dst, dirname7) => dirname7 === ".claude" ? copyExtrasFiltered(src, dst, extrasDenySet(dirname7)) : copyExtras(src, dst)
+  );
+  return { unmapped, skipped, pulled: done, wouldPull: would };
 }
-// src/spinner.ts
-init_color();
-import { existsSync as existsSync34 } from "node:fs";
-import { fileURLToPath as fileURLToPath4 } from "node:url";
-import { Worker } from "node:worker_threads";
-// src/commands.push.recovery.ts
-init_config();
-import { readFileSync as readFileSync12, rmSync as rmSync11, writeFileSync as writeFileSync5 } from "node:fs";
-import { join as join40 } from "node:path";
-import { createInterface } from "node:readline/promises";
+// src/extras-sync.ts
+function divergenceCheckExtras(ts) {
+  const v = loadValidatedExtras({});
+  if (v === null) return;
+  const counts = { unmapped: 0, skipped: 0 };
+  const backupRoot = join38(backupBase(), ts, "extras");
+  const repo = repoHome();
+  for (const { logical, localRoot, dirname: dirname7 } of eachExtrasTarget(v, counts)) {
+    const local = join38(localRoot, dirname7);
+    const repoEntry = join38(repo, "shared", "extras", logical, dirname7);
+    if (!existsSync32(local) || !existsSync32(repoEntry)) continue;
+    const diff = listDivergingFiles(local, repoEntry);
+    if (diff.length === 0) continue;
+    const projectBackupRoot = join38(backupRoot, encodePath(localRoot));
+    warn(
+      `local ${dirname7} for ${logical} diverges from origin in ${diff.length} file(s); next remapExtrasPull will overwrite them (backups at ${projectBackupRoot}/)`
+    );
+    for (const f of diff) warn(`  ${f}`);
+  }
+}
-// src/commands.push.recovery.redact.ts
+// src/links.ts
 init_config();
-init_config_sharedDirs_guard();
-import { cpSync as cpSync6, existsSync as existsSync33, mkdirSync as mkdirSync7, statSync as statSync8 } from "node:fs";
-import { dirname as dirname6, join as join38, sep as sep3 } from "node:path";
-init_push_gitleaks_scan();
-init_utils_json();
 init_utils();
-// src/commands.push.recovery.seams.ts
-init_push_gitleaks();
-function findingKey(f) {
-  return `${f.File}:${f.StartLine}:${f.StartColumn}:${f.RuleID}`;
+init_utils_fs();
+init_utils_json();
+import { existsSync as existsSync33, lstatSync as lstatSync8, rmSync as rmSync11 } from "node:fs";
+import { join as join39 } from "node:path";
+function emitAutoMove(onPreview, linkPath, ts, name) {
+  if (onPreview) {
+    onPreview({ kind: "auto-move", from: linkPath, to: `backup/${ts}/${name}` });
+  } else {
+    log(`would auto-move non-symlink: ${linkPath} -> backup/${ts}/${name}`);
+  }
 }
-var VALID_SID = /^[A-Za-z0-9_-]+$/;
-function sessionIdFromFinding(f) {
-  const m = SESSION_PATH.exec(f.File) ?? /^shared\/projects\/[^/]+\/([^/]+)\//.exec(f.File);
-  if (m === null) return null;
-  const sid = m[1];
-  return VALID_SID.test(sid) ? sid : null;
+function emitCreate(onPreview, from, to) {
+  if (onPreview) {
+    onPreview({ kind: "create", from, to });
+  } else {
+    log(`would create symlink: ${from} -> ${to}`);
+  }
 }
-function parseAction(raw) {
-  const t = raw.trim().toLowerCase();
-  if (t === "r" || t === "redact") return "redact";
-  if (t === "a" || t === "allow") return "allow";
-  if (t === "d" || t === "drop") return "drop";
-  return "skip";
+function isAlreadySymlink(linkPath) {
+  return existsSync33(linkPath) && lstatSync8(linkPath).isSymbolicLink();
 }
-// src/commands.push.recovery.redact.ts
-function resolveStagedDir(localPath, map, claude, repo) {
-  for (const [logical, hostMap] of Object.entries(map.projects)) {
-    assertSafeLogical(logical);
-    const abs = hostMap[HOST];
-    if (abs === void 0) continue;
-    if (localPath.startsWith(join38(claude, "projects", encodePath(abs)) + sep3)) {
-      return join38(repo, "shared", "projects", logical);
+function runAutoMovePasses(linkNames, claude, repo, ts, dryRun, onPreview) {
+  for (const name of linkNames) {
+    const linkPath = join39(claude, name);
+    const target = join39(repo, "shared", name);
+    if (!existsSync33(linkPath)) continue;
+    if (lstatSync8(linkPath).isSymbolicLink()) continue;
+    if (!existsSync33(target)) continue;
+    if (dryRun) {
+      emitAutoMove(onPreview, linkPath, ts, name);
+      continue;
     }
+    backupBeforeWrite(linkPath, ts);
+    rmSync11(linkPath, { recursive: true, force: true });
   }
-  return null;
 }
-function applyRedact(f, ts, map, nowMs, scan = scanFile) {
-  const refuse = (msg) => {
-    log(msg);
-    return false;
-  };
+function applySharedLinks(ts, map, opts = {}) {
+  const dryRun = opts.dryRun === true;
   const claude = claudeHome();
   const repo = repoHome();
-  const sid = sessionIdFromFinding(f);
-  if (sid === null) {
-    return refuse(
-      `could not locate the local transcript for this finding; choose Skip or Drop session.`
-    );
-  }
-  const localPath = resolveLiveTranscript2(sid);
-  if (localPath === null) {
-    return refuse(
-      `could not locate the local transcript for session ${sid}; choose Skip or Drop session.`
-    );
-  }
-  const sessionDir = join38(dirname6(localPath), sid);
-  const subtreeFiles = listSubtreeFiles(sessionDir);
-  const subtreeMtime = newestSubtreeMtimeMs(localPath, subtreeFiles, (p) => statSync8(p).mtimeMs);
-  if (isRecentlyModified(subtreeMtime, nowMs())) {
-    return refuse(
-      `session ${sid} looks active (modified within the last 5 minutes); refusing to redact, no changes made.
-  End the session and choose Redact again, or choose Drop session (holds this session back from the push, local copy kept) or Skip.`
-    );
-  }
-  const stagedProjectDir = resolveStagedDir(localPath, map, claude, repo);
-  if (stagedProjectDir === null) {
-    return refuse(
-      `could not map the local transcript for session ${sid} to a staged copy; choose Drop session or Skip.`
-    );
+  const linkNames = allSharedLinks(map);
+  runAutoMovePasses(linkNames, claude, repo, ts, dryRun, opts.onPreview);
+  for (const name of linkNames) {
+    const target = join39(repo, "shared", name);
+    if (!existsSync33(target)) continue;
+    const linkPath = join39(claude, name);
+    if (isAlreadySymlink(linkPath)) continue;
+    if (dryRun) {
+      emitCreate(opts.onPreview, linkPath, target);
+      continue;
+    }
+    ensureSymlink(linkPath, target);
   }
-  const mainFindings = scan(localPath);
-  if (mainFindings === null) {
-    return refuse(`re-scan of the transcript failed; choose Skip or Drop session.`);
+}
+function regenerateSettings(ts, opts = {}) {
+  const dryRun = opts.dryRun === true;
+  const repo = repoHome();
+  const claude = claudeHome();
+  const basePath = join39(repo, "shared", "settings.base.json");
+  const hostPath = join39(repo, "hosts", `${HOST}.json`);
+  if (!existsSync33(basePath)) {
+    die("repo not initialized; run 'nomad init' to scaffold");
   }
-  const { total: anyTotal } = applySubtreeRedactions(
-    localPath,
-    mainFindings,
-    subtreeFiles,
-    void 0,
-    ts,
-    scan,
-    false
-  );
-  if (anyTotal === 0) {
-    return refuse(
-      `nothing to redact in the local transcript for session ${sid}; choose Skip or Drop session.`
-    );
+  const base = readJson(basePath);
+  const hasOverrides = existsSync33(hostPath);
+  const overrides = hasOverrides ? readJson(hostPath) : {};
+  const merged = deepMerge(base, overrides);
+  const settingsPath = join39(claude, "settings.json");
+  if (!hasOverrides && existsSync33(settingsPath)) {
+    try {
+      const existing = readJson(settingsPath);
+      const baseKeys = new Set(Object.keys(base));
+      const drift = Object.keys(existing).filter((k) => !baseKeys.has(k));
+      if (drift.length > 0) {
+        warn(
+          `no hosts/${HOST}.json found; existing settings has unbased keys ${JSON.stringify(drift)}. Set NOMAD_HOST to match a hosts/*.json or rerun 'nomad doctor' for candidates.`
+        );
+      }
+    } catch {
+      warn("existing settings.json is malformed; skipping drift-check and regenerating.");
+    }
   }
-  mkdirSync7(stagedProjectDir, { recursive: true });
-  cpSync6(localPath, join38(stagedProjectDir, `${sid}.jsonl`), { force: true });
-  if (existsSync33(sessionDir)) {
-    cpSync6(sessionDir, join38(stagedProjectDir, sid), { force: true, recursive: true });
+  const overrideLabel = hasOverrides ? `${HOST}.json` : "no host overrides";
+  if (dryRun) {
+    log(`would write settings.json (base + ${overrideLabel})`);
+    return { label: overrideLabel };
   }
-  return true;
+  backupBeforeWrite(settingsPath, ts);
+  writeJsonAtomic(settingsPath, merged);
+  return { label: overrideLabel };
 }
-// src/commands.push.recovery.drop.ts
+// src/preview.ts
 init_config();
-import { rmSync as rmSync10 } from "node:fs";
-import { join as join39 } from "node:path";
-function dropSessionFromStaged(sid, map) {
-  const logicals = Object.keys(map.projects);
-  if (logicals.length === 0) return false;
-  const repo = repoHome();
-  for (const logical of logicals) {
-    const jsonl = join39(repo, "shared", "projects", logical, `${sid}.jsonl`);
-    const dir = join39(repo, "shared", "projects", logical, sid);
-    rmSync10(jsonl, { force: true });
-    rmSync10(dir, { recursive: true, force: true });
-  }
-  return true;
-}
+import { existsSync as existsSync34 } from "node:fs";
+import { join as join40 } from "node:path";
-// src/commands.push.recovery.actions.ts
-init_push_gitleaks_scan();
-init_utils();
-function applyAllow(f, repo) {
-  appendGitleaksIgnore(f.Fingerprint, repo);
-}
-function allowAllFindings(findings, repo) {
-  for (const f of findings) {
-    appendGitleaksIgnore(f.Fingerprint, repo);
+// node_modules/diff/libesm/diff/base.js
+var Diff = class {
+  diff(oldStr, newStr, options = {}) {
+    let callback;
+    if (typeof options === "function") {
+      callback = options;
+      options = {};
+    } else if ("callback" in options) {
+      callback = options.callback;
+    }
+    const oldString = this.castInput(oldStr, options);
+    const newString = this.castInput(newStr, options);
+    const oldTokens = this.removeEmpty(this.tokenize(oldString, options));
+    const newTokens = this.removeEmpty(this.tokenize(newString, options));
+    return this.diffWithOptionsObj(oldTokens, newTokens, options, callback);
   }
-}
-function allowFindingsByRule(findings, ruleId, repo) {
-  let count = 0;
-  for (const f of findings) {
-    if (f.RuleID === ruleId) {
-      appendGitleaksIgnore(f.Fingerprint, repo);
-      count++;
+  diffWithOptionsObj(oldTokens, newTokens, options, callback) {
+    var _a;
+    const done = (value) => {
+      value = this.postProcess(value, options);
+      if (callback) {
+        setTimeout(function() {
+          callback(value);
+        }, 0);
+        return void 0;
+      } else {
+        return value;
+      }
+    };
+    const newLen = newTokens.length, oldLen = oldTokens.length;
+    let editLength = 1;
+    let maxEditLength = newLen + oldLen;
+    if (options.maxEditLength != null) {
+      maxEditLength = Math.min(maxEditLength, options.maxEditLength);
+    }
+    const maxExecutionTime = (_a = options.timeout) !== null && _a !== void 0 ? _a : Infinity;
+    const abortAfterTimestamp = Date.now() + maxExecutionTime;
+    const bestPath = [{ oldPos: -1, lastComponent: void 0 }];
+    let newPos = this.extractCommon(bestPath[0], newTokens, oldTokens, 0, options);
+    if (bestPath[0].oldPos + 1 >= oldLen && newPos + 1 >= newLen) {
+      return done(this.buildValues(bestPath[0].lastComponent, newTokens, oldTokens));
+    }
+    let minDiagonalToConsider = -Infinity, maxDiagonalToConsider = Infinity;
+    const execEditLength = () => {
+      for (let diagonalPath = Math.max(minDiagonalToConsider, -editLength); diagonalPath <= Math.min(maxDiagonalToConsider, editLength); diagonalPath += 2) {
+        let basePath;
+        const removePath = bestPath[diagonalPath - 1], addPath = bestPath[diagonalPath + 1];
+        if (removePath) {
+          bestPath[diagonalPath - 1] = void 0;
+        }
+        let canAdd = false;
+        if (addPath) {
+          const addPathNewPos = addPath.oldPos - diagonalPath;
+          canAdd = addPath && 0 <= addPathNewPos && addPathNewPos < newLen;
+        }
+        const canRemove = removePath && removePath.oldPos + 1 < oldLen;
+        if (!canAdd && !canRemove) {
+          bestPath[diagonalPath] = void 0;
+          continue;
+        }
+        if (!canRemove || canAdd && removePath.oldPos < addPath.oldPos) {
+          basePath = this.addToPath(addPath, true, false, 0, options);
+        } else {
+          basePath = this.addToPath(removePath, false, true, 1, options);
+        }
+        newPos = this.extractCommon(basePath, newTokens, oldTokens, diagonalPath, options);
+        if (basePath.oldPos + 1 >= oldLen && newPos + 1 >= newLen) {
+          return done(this.buildValues(basePath.lastComponent, newTokens, oldTokens)) || true;
+        } else {
+          bestPath[diagonalPath] = basePath;
+          if (basePath.oldPos + 1 >= oldLen) {
+            maxDiagonalToConsider = Math.min(maxDiagonalToConsider, diagonalPath - 1);
+          }
+          if (newPos + 1 >= newLen) {
+            minDiagonalToConsider = Math.max(minDiagonalToConsider, diagonalPath + 1);
+          }
+        }
+      }
+      editLength++;
+    };
+    if (callback) {
+      (function exec() {
+        setTimeout(function() {
+          if (editLength > maxEditLength || Date.now() > abortAfterTimestamp) {
+            return callback(void 0);
+          }
+          if (!execEditLength()) {
+            exec();
+          }
+        }, 0);
+      })();
+    } else {
+      while (editLength <= maxEditLength && Date.now() <= abortAfterTimestamp) {
+        const ret = execEditLength();
+        if (ret) {
+          return ret;
+        }
+      }
     }
   }
-  return count;
-}
-async function collectActions(findings, prompt) {
-  const actions = /* @__PURE__ */ new Map();
-  for (const f of findings) {
-    const sid = sessionIdFromFinding(f);
-    const header = `
-Finding: ${f.RuleID} in ${f.File} line ${f.StartLine}` + (sid === null ? "" : ` (session: ${sid})`) + "\n  [R]edact  [A]llow  [D]rop session  [S]kip (default)\n";
-    actions.set(findingKey(f), parseAction(await prompt(header + "> ")));
-  }
-  return actions;
-}
-function dispatchOne(f, ctx) {
-  const action = ctx.actions.get(findingKey(f)) ?? "skip";
-  if (action === "skip") return;
-  const sid = sessionIdFromFinding(f);
-  if (sid !== null && ctx.droppedSids.has(sid)) return;
-  if (action === "allow") {
-    applyAllow(f, ctx.repo);
-    return;
+  addToPath(path, added, removed, oldPosInc, options) {
+    const last = path.lastComponent;
+    if (last && !options.oneChangePerToken && last.added === added && last.removed === removed) {
+      return {
+        oldPos: path.oldPos + oldPosInc,
+        lastComponent: { count: last.count + 1, added, removed, previousComponent: last.previousComponent }
+      };
+    } else {
+      return {
+        oldPos: path.oldPos + oldPosInc,
+        lastComponent: { count: 1, added, removed, previousComponent: last }
+      };
+    }
   }
-  if (sid === null) return;
-  if (action === "drop") {
-    ctx.droppedSids.add(sid);
-    if (ctx.drop(sid, ctx.map)) {
-      log(
-        `dropped session ${sid} from this push (local transcript kept; the secret remains in your local copy)`
-      );
+  extractCommon(basePath, newTokens, oldTokens, diagonalPath, options) {
+    const newLen = newTokens.length, oldLen = oldTokens.length;
+    let oldPos = basePath.oldPos, newPos = oldPos - diagonalPath, commonCount = 0;
+    while (newPos + 1 < newLen && oldPos + 1 < oldLen && this.equals(oldTokens[oldPos + 1], newTokens[newPos + 1], options)) {
+      newPos++;
+      oldPos++;
+      commonCount++;
+      if (options.oneChangePerToken) {
+        basePath.lastComponent = { count: 1, previousComponent: basePath.lastComponent, added: false, removed: false };
+      }
     }
-    return;
+    if (commonCount && !options.oneChangePerToken) {
+      basePath.lastComponent = { count: commonCount, previousComponent: basePath.lastComponent, added: false, removed: false };
+    }
+    basePath.oldPos = oldPos;
+    return newPos;
   }
-  if (action === "redact" && !ctx.redactedSids.has(sid)) {
-    if (applyRedact(f, ctx.ts, ctx.map, ctx.nowMs, ctx.scan)) ctx.redactedSids.add(sid);
+  equals(left, right, options) {
+    if (options.comparator) {
+      return options.comparator(left, right);
+    } else {
+      return left === right || !!options.ignoreCase && left.toLowerCase() === right.toLowerCase();
+    }
   }
-}
-function dispatchActions(findings, actions, opts) {
-  const { ts, map, nowMs, repo, scan = scanFile, drop = dropSessionFromStaged } = opts;
-  const ctx = {
-    actions,
-    ts,
-    map,
-    nowMs,
-    repo,
-    scan,
-    drop,
-    redactedSids: /* @__PURE__ */ new Set(),
-    droppedSids: /* @__PURE__ */ new Set()
-  };
-  for (const f of findings) {
-    dispatchOne(f, ctx);
+  removeEmpty(array) {
+    const ret = [];
+    for (let i = 0; i < array.length; i++) {
+      if (array[i]) {
+        ret.push(array[i]);
+      }
+    }
+    return ret;
   }
-}
-function redactAllFindings(findings, ts, map, nowMs, scan = scanFile) {
-  const redactedSids = /* @__PURE__ */ new Set();
-  for (const f of findings) {
-    const sid = sessionIdFromFinding(f);
-    if (sid === null || redactedSids.has(sid)) continue;
-    if (applyRedact(f, ts, map, nowMs, scan)) redactedSids.add(sid);
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  castInput(value, options) {
+    return value;
   }
-}
-// src/commands.push.recovery.ts
-init_push_gitleaks_scan();
-init_push_gitleaks();
-init_utils();
-function isTTY(stdin = process.stdin, stdout = process.stdout) {
-  return stdin.isTTY === true && stdout.isTTY === true;
-}
-function hasUnresolved(actions) {
-  for (const action of actions.values()) {
-    if (action === "skip") return true;
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  tokenize(value, options) {
+    return Array.from(value);
   }
-  return false;
-}
-function printRecoveryLegend(print = console.log) {
-  print("");
-  print("Recovery actions:");
-  print("  Redact       - scrub the secret from the local transcript, push the cleaned copy");
-  print("  Allow        - mark as false positive (adds a .gitleaksignore fingerprint), push as-is");
-  print("  Drop session - exclude this session from this push (local transcript kept, running");
-  print("                 session is not stopped)");
-  print("  Skip         - leave unresolved (the push aborts)");
-  print("");
-}
-function applyThenRescan(scanVerdict, repoHome2) {
-  gitOrFatal(["add", "-A"], "git add", repoHome2);
-  const next = scanVerdict(repoHome2);
-  if (next.leak) {
-    const { bySession, other } = partitionFindings(next.findings);
-    throw new NomadFatal(buildSessionAwareFatal(bySession, other));
+  join(chars) {
+    return chars.join("");
   }
-  return next;
-}
-function allowThenRescan(append, scanVerdict, repoHome2) {
-  const ignPath = join40(repoHome2, ".gitleaksignore");
-  let before;
-  try {
-    before = readFileSync12(ignPath, "utf8");
-  } catch {
-    before = null;
+  postProcess(changeObjects, options) {
+    return changeObjects;
   }
-  append();
-  try {
-    return applyThenRescan(scanVerdict, repoHome2);
-  } catch (err) {
-    if (before === null) rmSync11(ignPath, { force: true });
-    else writeFileSync5(ignPath, before, "utf8");
-    throw err;
+  get useLongestToken() {
+    return false;
   }
-}
-function makeRealPrompt() {
-  return async (prompt) => {
-    const rl = createInterface({
-      input: process.stdin,
-      output: process.stdout,
-      terminal: true
-    });
-    try {
-      return await rl.question(prompt);
-    } finally {
-      rl.close();
+  buildValues(lastComponent, newTokens, oldTokens) {
+    const components = [];
+    let nextComponent;
+    while (lastComponent) {
+      components.push(lastComponent);
+      nextComponent = lastComponent.previousComponent;
+      delete lastComponent.previousComponent;
+      lastComponent = nextComponent;
+    }
+    components.reverse();
+    const componentLen = components.length;
+    let componentPos = 0, newPos = 0, oldPos = 0;
+    for (; componentPos < componentLen; componentPos++) {
+      const component = components[componentPos];
+      if (!component.removed) {
+        if (!component.added && this.useLongestToken) {
+          let value = newTokens.slice(newPos, newPos + component.count);
+          value = value.map(function(value2, i) {
+            const oldValue = oldTokens[oldPos + i];
+            return oldValue.length > value2.length ? oldValue : value2;
+          });
+          component.value = this.join(value);
+        } else {
+          component.value = this.join(newTokens.slice(newPos, newPos + component.count));
+        }
+        newPos += component.count;
+        if (!component.added) {
+          oldPos += component.count;
+        }
+      } else {
+        component.value = this.join(oldTokens.slice(oldPos, oldPos + component.count));
+        oldPos += component.count;
+      }
     }
-  };
-}
-async function resolveLeakFindings(verdict, ts, map, deps = {}) {
-  const {
-    isTTYCheck = isTTY,
-    nowMs = Date.now,
-    redactAll = false,
-    allowAll = false,
-    allowRule,
-    makePrompt: makePromptFn = makeRealPrompt,
-    scan = scanFile,
-    printLegend = printRecoveryLegend
-  } = deps;
-  const scanVerdict = deps.scanVerdict ?? (await Promise.resolve().then(() => (init_push_leak_verdict(), push_leak_verdict_exports))).scanPushVerdict;
-  const repo = repoHome();
-  let current = verdict;
-  if (redactAll) {
-    redactAllFindings(current.findings, ts, map, nowMs, scan);
-    return applyThenRescan(scanVerdict, repo);
+    return components;
   }
-  if (allowAll) {
-    return allowThenRescan(() => allowAllFindings(current.findings, repo), scanVerdict, repo);
+};
+// node_modules/diff/libesm/diff/line.js
+var LineDiff = class extends Diff {
+  constructor() {
+    super(...arguments);
+    this.tokenize = tokenize;
   }
-  if (allowRule !== void 0) {
-    return allowThenRescan(
-      () => {
-        const matched = allowFindingsByRule(current.findings, allowRule, repo);
-        if (matched === 0) log(`no findings matched rule ${allowRule}; re-scanning`);
-      },
-      scanVerdict,
-      repo
-    );
+  equals(left, right, options) {
+    if (options.ignoreWhitespace) {
+      if (!options.newlineIsToken || !left.includes("\n")) {
+        left = left.trim();
+      }
+      if (!options.newlineIsToken || !right.includes("\n")) {
+        right = right.trim();
+      }
+    } else if (options.ignoreNewlineAtEof && !options.newlineIsToken) {
+      if (left.endsWith("\n")) {
+        left = left.slice(0, -1);
+      }
+      if (right.endsWith("\n")) {
+        right = right.slice(0, -1);
+      }
+    }
+    return super.equals(left, right, options);
   }
-  if (!isTTYCheck()) {
-    throw new NomadFatal(current.recovery ?? "gitleaks detected secrets");
+};
+var lineDiff = new LineDiff();
+function diffLines(oldStr, newStr, options) {
+  return lineDiff.diff(oldStr, newStr, options);
+}
+function tokenize(value, options) {
+  if (options.stripTrailingCr) {
+    value = value.replace(/\r\n/g, "\n");
   }
-  const prompt = makePromptFn();
-  printLegend();
-  while (current.leak && current.findings.length > 0) {
-    const actions = await collectActions(current.findings, prompt);
-    if (hasUnresolved(actions)) {
-      const unresolved = current.findings.filter((f) => actions.get(findingKey(f)) === "skip");
-      const { bySession, other } = partitionFindings(unresolved);
-      throw new NomadFatal(buildSessionAwareFatal(bySession, other));
+  const retLines = [], linesAndNewlines = value.split(/(\n|\r\n)/);
+  if (!linesAndNewlines[linesAndNewlines.length - 1]) {
+    linesAndNewlines.pop();
+  }
+  for (let i = 0; i < linesAndNewlines.length; i++) {
+    const line = linesAndNewlines[i];
+    if (i % 2 && !options.newlineIsToken) {
+      retLines[retLines.length - 1] += line;
+    } else {
+      retLines.push(line);
     }
-    dispatchActions(current.findings, actions, { ts, map, nowMs, repo, scan });
-    gitOrFatal(["add", "-A"], "git add", repo);
-    current = scanVerdict(repo);
   }
-  return current;
+  return retLines;
 }
-// src/spinner.ts
-function formatElapsed(ms) {
-  return `${(ms / 1e3).toFixed(1)}s`;
+// src/diff-lines.ts
+init_color();
+function diffLinesToUnified(oldStr, newStr) {
+  const parts = diffLines(oldStr, newStr);
+  const lines = [];
+  for (const part of parts) {
+    const partLines = part.value.split("\n");
+    if (partLines.at(-1) === "") {
+      partLines.pop();
+    }
+    let prefix;
+    if (part.removed) prefix = (line) => red(`-${line}`);
+    else if (part.added) prefix = (line) => green(`+${line}`);
+    else prefix = (line) => ` ${line}`;
+    for (const line of partLines) {
+      lines.push(prefix(line));
+    }
+  }
+  return lines;
 }
-function writePlainStart(out, label) {
-  out.write(`${label}...
-`);
+// src/preview.ts
+init_utils_json();
+var CANONICAL_ORDER_NOTE = "settings.json will be rewritten in canonical key order; no value changes";
+function diffJsonStrings(currentJsonText, newJsonText) {
+  if (currentJsonText === newJsonText) return "";
+  const lines = [
+    "--- ~/.claude/settings.json",
+    "+++ would write",
+    ...diffLinesToUnified(currentJsonText, newJsonText)
+  ];
+  return lines.join("\n");
 }
-function writePlainDone(out, label, ms) {
-  out.write(`${label} done (${formatElapsed(ms)})
-`);
+function readJsonOrNull(path) {
+  if (!existsSync34(path)) return null;
+  try {
+    return readJson(path);
+  } catch {
+    return null;
+  }
 }
-function writeAnimatedDone(out, label, ms, useTTY) {
-  out.write("\r\x1B[K");
-  const glyph = useTTY ? green(okGlyph) : okGlyph;
-  out.write(`${glyph} ${label} (${formatElapsed(ms)})
-`);
+function previewSettings(basePath, hostPath, settingsPath) {
+  const base = readJsonOrNull(basePath);
+  if (base === null) {
+    return { diff: "", notes: ["section skipped (base or current missing)"] };
+  }
+  const notes = [];
+  const hostOverrides = readJsonOrNull(hostPath);
+  if (hostOverrides === null && existsSync34(hostPath)) {
+    notes.push(`malformed hosts/${HOST}.json; ignoring overrides`);
+  }
+  const merged = deepMerge(base, hostOverrides ?? {});
+  const current = readJsonOrNull(settingsPath);
+  if (current === null && existsSync34(settingsPath)) {
+    return { diff: "", notes: [...notes, "malformed; skipping diff"] };
+  }
+  const rawEqual = JSON.stringify(current ?? {}, null, 2) === JSON.stringify(merged, null, 2);
+  const diff = diffJsonStrings(
+    JSON.stringify(sortKeysDeep(current ?? {}), null, 2),
+    JSON.stringify(sortKeysDeep(merged), null, 2)
+  );
+  if (diff === "" && !rawEqual) notes.push(CANONICAL_ORDER_NOTE);
+  return { diff, notes };
 }
-function resolveWorkerPath(deps = {}) {
-  const check = deps.existsSyncFn ?? existsSync34;
-  const base = deps.baseUrl ?? import.meta.url;
-  const mjs = fileURLToPath4(new URL("./nomad.worker.mjs", base));
-  if (check(mjs)) return mjs;
-  return fileURLToPath4(new URL("./spinner.worker.ts", base));
+function formatLinkRow(e) {
+  return `${e.kind}  ${e.from} -> ${e.to}`;
 }
-function makeRealWorker() {
-  return new Worker(resolveWorkerPath());
+function formatSessionRow(e) {
+  return e.kind === "overwrite" ? `overwrite  ${e.dst} (from ${e.src})` : e.text;
 }
-function startSpinner(label, deps = {}) {
-  const ttyCheck = deps.isTTYCheck ?? (() => isTTY());
-  const env = deps.env ?? process.env;
-  const out = deps.out ?? process.stderr;
-  const now = deps.now ?? Date.now;
-  const startMs = now();
-  const animate = ttyCheck() && !env.CI;
-  let worker = null;
-  let degraded = false;
-  let finalized = false;
-  if (animate) {
-    const factory = deps.makeWorker ?? makeRealWorker;
-    try {
-      worker = factory();
-      worker.unref?.();
-      worker.postMessage({ type: "start", label });
-    } catch {
-      degraded = true;
-      worker = null;
-      writePlainStart(out, label);
+function buildSettingsSectionForPreview(result) {
+  const s = section("settings.json", true);
+  if (result.diff !== "") {
+    for (const line of result.diff.split("\n")) {
+      addItem(s, line);
     }
-  } else {
-    writePlainStart(out, label);
   }
-  function finalize(success, doneLabel) {
-    if (finalized) return;
-    finalized = true;
-    const dl = doneLabel ?? label;
-    const elapsed = now() - startMs;
-    if (animate && !degraded && worker !== null) {
-      worker.postMessage({ type: "pause" });
-      worker.terminate();
-      worker = null;
-      if (success) writeAnimatedDone(out, dl, elapsed, ttyCheck());
-      else out.write("\r\x1B[K");
-    } else if (success) {
-      writePlainDone(out, dl, elapsed);
-    }
+  for (const note of result.notes) {
+    addItem(s, `note: ${note}`);
   }
-  return {
-    succeed: (doneLabel) => finalize(true, doneLabel),
-    stop: () => finalize(false)
-  };
+  return s;
 }
-function withSpinner(label, fn, deps) {
-  const sp = startSpinner(label, deps);
-  try {
-    const result = fn();
-    sp.succeed();
-    return result;
-  } finally {
-    sp.stop();
-  }
+function computePreview(ts, map, verb = "pull") {
+  const repo = repoHome();
+  const claude = claudeHome();
+  console.log(`would pull on host=${HOST} (dry-run; no mutation)`);
+  console.log("");
+  const links = section("Symlinks");
+  applySharedLinks(ts, map, {
+    dryRun: true,
+    onPreview: (e) => addItem(links, formatLinkRow(e))
+  });
+  const settingsResult = previewSettings(
+    join40(repo, "shared", "settings.base.json"),
+    join40(repo, "hosts", `${HOST}.json`),
+    join40(claude, "settings.json")
+  );
+  const settingsSection = buildSettingsSectionForPreview(settingsResult);
+  const sessions = section("Sessions");
+  const remapResult = remapPull(ts, {
+    dryRun: true,
+    onPreview: (e) => addItem(sessions, formatSessionRow(e))
+  });
+  const summary = section("Summary");
+  addItem(summary, summaryRow(verb, remapResult.unmapped));
+  renderTree([links, settingsSection, sessions, summary]);
+  return { unmapped: remapResult.unmapped, collisions: 0 };
 }
 // src/commands.pull.recovery.ts
@@ -4977,9 +5077,15 @@ function isAllowed(path, allowed) {
   }
   return false;
 }
+function blockSetFor(segments) {
+  if (segments[0] !== "shared" || segments[1] !== "extras") return NEVER_SYNC;
+  return segments[3] === ".claude" ? CLAUDE_EXTRA_NEVER_SYNC : ALWAYS_NEVER_SYNC;
+}
 function isNeverSync(path) {
-  const blockSet = path.startsWith("shared/extras/") ? ALWAYS_NEVER_SYNC : NEVER_SYNC;
-  for (const segment of path.split("/")) {
+  const segments = path.split("/");
+  const blockSet = blockSetFor(segments);
+  const scan = segments[0] === "shared" && segments[1] === "extras" ? segments.slice(4) : segments;
+  for (const segment of scan) {
     if (blockSet.has(segment)) return true;
   }
   return false;
@@ -5724,7 +5830,7 @@ function parsePushArgs(argv) {
 // package.json
 var package_default = {
   name: "claude-nomad",
-  version: "0.45.0",
+  version: "0.47.0",
   type: "module",
   description: "Sync Claude Code config (~/.claude/) across machines via a private Git repo, with path remapping and per-host settings overrides.",
   keywords: [
@@ -5747,7 +5853,6 @@ var package_default = {
   },
   files: [
     "dist/",
-    "shared/.gitignore",
     ".gitleaks.toml",
     "README.md",
     "CHANGELOG.md",
@@ -5926,7 +6031,7 @@ var DEFAULT_HELP = [
 init_config();
 init_utils();
 init_utils_json();
-import { existsSync as existsSync41, readFileSync as readFileSync13, readdirSync as readdirSync12 } from "node:fs";
+import { existsSync as existsSync41, readFileSync as readFileSync14, readdirSync as readdirSync12 } from "node:fs";
 import { join as join47 } from "node:path";
 function resumeCmd(sessionId) {
   if (!/^[A-Za-z0-9_-]+$/.test(sessionId) || sessionId.length > 128) {
@@ -5978,7 +6083,7 @@ function findTranscriptPath(projectsRoot, sessionId) {
   return null;
 }
 function extractRecordedCwd(jsonlPath) {
-  for (const line of readFileSync13(jsonlPath, "utf8").split("\n")) {
+  for (const line of readFileSync14(jsonlPath, "utf8").split("\n")) {
     if (!line.trim()) continue;
     try {
       const obj = JSON.parse(line);