claude-nomad 0.50.2 → 0.50.3

package/.gitleaks.toml

@@ -6,14 +6,26 @@
 [extend]
 useDefault = true
 
+# Path-scoped: this tool-output noise (gitleaks fingerprints, coverage
+# line-keys, npm audit JSON id hashes, Sonar issue keys) accumulates in Claude
+# Code session transcripts when a conversation runs those tools. Two of these
+# regexes are structurally generic enough that, left global, they could suppress
+# a real credential that happened to sit in a `path:word:digit` or hex-`id`
+# context anywhere in the repo. Scoping to `shared/projects/<logical>/.../*.jsonl`
+# with `condition = "AND"` (matching every other block below) confines the
+# suppression to synced transcripts: a real secret in a source file still fires.
 [[allowlists]]
-description = "claude-nomad: structurally-distinguishable tool-output noise"
+description = "claude-nomad: structurally-distinguishable tool-output noise in synced session transcripts"
 regexes = [
     '''AY[A-Za-z0-9_-]{20,}''',
     '''[\w./-]+\.[A-Za-z0-9]+:[\w-]+:\d+''',
     '''"id"\s*:\s*"[a-f0-9]{40,64}"''',
     '''key=[a-f0-9]{8,} [\w./-]+\.\w+:\d+''',
 ]
+paths = [
+    '''^shared/projects/[^/]+/.*\.jsonl$''',
+]
+condition = "AND"
 
 # Path-scoped: the documented test-fixture github-pat literal AND the three
 # entropy-variant placeholders (zero-suffix, alphabet, repeat-A) accumulate

package/CHANGELOG.md

@@ -1,5 +1,35 @@
 # Changelog
 
+## [0.50.3](https://github.com/funkadelic/claude-nomad/compare/v0.50.2...v0.50.3) (2026-06-17)
+
+
+### Fixed
+
+* **gitleaks:** scope tool-output noise allowlist to session transcripts ([#305](https://github.com/funkadelic/claude-nomad/issues/305)) ([ca76680](https://github.com/funkadelic/claude-nomad/commit/ca766803a425d21747f959606d6436989ce249e6))
+* **push:** make --redact-all all-or-nothing ([#302](https://github.com/funkadelic/claude-nomad/issues/302)) ([f2cffeb](https://github.com/funkadelic/claude-nomad/commit/f2cffeb9204b68fb046ee55c9768e065272fb431))
+* **push:** warn when drop-session/redact target is already in pushed history ([#304](https://github.com/funkadelic/claude-nomad/issues/304)) ([739676f](https://github.com/funkadelic/claude-nomad/commit/739676ffbf1345fc7ff124ac7eafb9802ba09be4))
+* **redact:** warn when a finding match is not located in the file ([#310](https://github.com/funkadelic/claude-nomad/issues/310)) ([db1442b](https://github.com/funkadelic/claude-nomad/commit/db1442b311db04944b655ece91a56ef23a39abe1))
+* **remap:** make session-transcript mirror copy atomic ([4fc518f](https://github.com/funkadelic/claude-nomad/commit/4fc518fd80ce7fffb56ba2a6d135e6f6b795bc91))
+* **utils:** guard deepMerge against prototype pollution ([#299](https://github.com/funkadelic/claude-nomad/issues/299)) ([8e57539](https://github.com/funkadelic/claude-nomad/commit/8e575393a320386dd7329aab8071fd84557ec4e9))
+
+
+### Changed
+
+* **config:** centralize path-map.json shape validation ([#306](https://github.com/funkadelic/claude-nomad/issues/306)) ([88edda3](https://github.com/funkadelic/claude-nomad/commit/88edda3f45954d4dc89d65e2ec55a7d9d5b6b3f8))
+* **dispatch:** share argv token-parser primitives ([#307](https://github.com/funkadelic/claude-nomad/issues/307)) ([9f62b51](https://github.com/funkadelic/claude-nomad/commit/9f62b5156bbc3b7e03f8a81fe0f844cbeb1da3fa))
+* **doctor:** rename repository check module to git-state ([#309](https://github.com/funkadelic/claude-nomad/issues/309)) ([b6a0d5c](https://github.com/funkadelic/claude-nomad/commit/b6a0d5c8461c2f63af7d77464db9558271d46f46))
+* **utils:** dedup backup helpers and document lock/exit conventions ([#308](https://github.com/funkadelic/claude-nomad/issues/308)) ([4c2d59d](https://github.com/funkadelic/claude-nomad/commit/4c2d59d97c875851733175e4b4346e5714c48a32))
+
+
+### Documentation
+
+* **recovery:** reflect session-scoped allowlist and redact no-match warning ([#311](https://github.com/funkadelic/claude-nomad/issues/311)) ([7faf564](https://github.com/funkadelic/claude-nomad/commit/7faf5647d7dfd30822950d687fd8be15b5c49910))
+
+
+### Testing
+
+* **push:** add full-pipeline cmdPush E2E against real git and gitleaks ([#303](https://github.com/funkadelic/claude-nomad/issues/303)) ([3c01262](https://github.com/funkadelic/claude-nomad/commit/3c012629e7b99dcf4c5e679d93acb353ee6c3409))
+
 ## [0.50.2](https://github.com/funkadelic/claude-nomad/compare/v0.50.1...v0.50.2) (2026-06-15)
 
 

package/README.md

@@ -100,6 +100,8 @@ When `nomad push` detects a potential secret, it drops into an interactive menu
 a recovery hint (non-TTY/CI). Three non-interactive recovery paths are available without the menu:
 
 - `nomad push --redact-all` -- scrub every finding from the local transcript in place, then push.
+  All-or-nothing: if any finding cannot be redacted (an active session, or one that does not map to
+  a synced transcript), nothing is changed and the push stops so you can handle those sessions.
 - `nomad push --allow <rule>` -- record findings matching one gitleaks rule id as false positives
   (appends their fingerprints to `.gitleaksignore`), then re-scan and push.
 - `nomad push --allow-all` -- record every current finding as a false positive, then re-scan and

package/dist/nomad.mjs

@@ -451,16 +451,41 @@ function readJson(path) {
   return data;
 }
 function readPathMap(mapPath) {
+  let parsed;
   try {
-    return readJson(mapPath);
+    parsed = readJson(mapPath);
   } catch (err) {
     const verb = err instanceof SyntaxError ? "parse" : "read";
     throw new NomadFatal(`could not ${verb} path-map.json: ${err.message}`);
   }
+  const shapeError = validatePathMapShape(parsed);
+  if (shapeError !== null) throw new NomadFatal(shapeError);
+  return parsed;
+}
+function validatePathMapShape(raw) {
+  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
+    return "path-map.json invalid schema: top-level value must be an object";
+  }
+  const projects = raw.projects;
+  if (projects === null || typeof projects !== "object" || Array.isArray(projects)) {
+    return 'path-map.json invalid schema: "projects" must be an object';
+  }
+  for (const [name, hosts] of Object.entries(projects)) {
+    if (hosts === null || typeof hosts !== "object" || Array.isArray(hosts)) {
+      return `path-map.json invalid schema: project "${name}" hosts must be an object`;
+    }
+    for (const [host, value] of Object.entries(hosts)) {
+      if (typeof value !== "string") {
+        return `path-map.json invalid schema: project "${name}" host "${host}" path must be a string`;
+      }
+    }
+  }
+  return null;
 }
 function deepMerge(target, source) {
   const out = { ...target };
   for (const [key, value] of Object.entries(source)) {
+    if (key === "__proto__" || key === "constructor" || key === "prototype") continue;
     const existing = out[key];
     const bothObjects = value !== null && typeof value === "object" && !Array.isArray(value) && existing !== null && typeof existing === "object" && !Array.isArray(existing);
     out[key] = bothObjects ? deepMerge(existing, value) : value;
@@ -502,7 +527,7 @@ import {
   symlinkSync,
   writeFileSync
 } from "node:fs";
-import { dirname, join as join2, relative } from "node:path";
+import { dirname, join as join2, relative, sep } from "node:path";
 function writeJsonAtomic(path, data) {
   const mode = existsSync(path) ? statSync(path).mode & 511 : 384;
   const tmp = `${path}.tmp.${process.pid}`;
@@ -542,33 +567,22 @@ function ensureSymlink(linkPath, target) {
   symlinkSync(target, linkPath);
   log(`linked ${linkPath} -> ${target}`);
 }
-function backupBeforeWrite(absPath, ts) {
+function backupUnder(absPath, anchor, destRoot) {
   if (!existsSync(absPath)) return;
-  const claude = claudeHome();
-  const rel = relative(claude, absPath);
-  if (rel.startsWith("..") || rel === "") return;
-  const backupRoot = join2(backupBase(), ts);
-  const dst = join2(backupRoot, rel);
+  const rel = relative(anchor, absPath);
+  if (rel === "" || rel === ".." || rel.startsWith(`..${sep}`)) return;
+  const dst = join2(destRoot, rel);
   mkdirSync(dirname(dst), { recursive: true });
   cpSync(absPath, dst, { recursive: true, force: false, preserveTimestamps: true });
 }
+function backupBeforeWrite(absPath, ts) {
+  backupUnder(absPath, claudeHome(), join2(backupBase(), ts));
+}
 function backupRepoWrite(absPath, ts, repoHome2) {
-  if (!existsSync(absPath)) return;
-  const rel = relative(repoHome2, absPath);
-  if (rel.startsWith("..") || rel === "") return;
-  const backupRoot = join2(backupBase(), ts, "repo");
-  const dst = join2(backupRoot, rel);
-  mkdirSync(dirname(dst), { recursive: true });
-  cpSync(absPath, dst, { recursive: true, force: false, preserveTimestamps: true });
+  backupUnder(absPath, repoHome2, join2(backupBase(), ts, "repo"));
 }
 function backupExtrasWrite(absPath, ts, projectRoot) {
-  if (!existsSync(absPath)) return;
-  const rel = relative(projectRoot, absPath);
-  if (rel.startsWith("..") || rel === "") return;
-  const backupRoot = join2(backupBase(), ts, "extras");
-  const dst = join2(backupRoot, encodePath(projectRoot), rel);
-  mkdirSync(dirname(dst), { recursive: true });
-  cpSync(absPath, dst, { recursive: true, force: false, preserveTimestamps: true });
+  backupUnder(absPath, projectRoot, join2(backupBase(), ts, "extras", encodePath(projectRoot)));
 }
 var init_utils_fs = __esm({
   "src/utils.fs.ts"() {
@@ -1319,7 +1333,7 @@ init_config();
 init_utils();
 init_utils_json();
 import { cpSync as cpSync3, existsSync as existsSync5, lstatSync as lstatSync4, realpathSync, renameSync as renameSync2, rmSync as rmSync3 } from "node:fs";
-import { join as join6, sep } from "node:path";
+import { join as join6, sep as sep2 } from "node:path";
 function ejectChecklist() {
   return [
     "Manual steps remaining to finish leaving claude-nomad on this host:",
@@ -1361,7 +1375,7 @@ function resolveSharedRoot(repoHome2) {
   }
 }
 function isManagedTarget(target, sharedRoot) {
-  return target.startsWith(sharedRoot + sep);
+  return target.startsWith(sharedRoot + sep2);
 }
 function materializeOne(name, linkPath, sharedRoot) {
   const target = realpathSync(linkPath);
@@ -1841,35 +1855,12 @@ function reportPathMap(section2) {
   }
   const map = readJsonSafe(mapPath, mapPath, section2);
   if (map === null) return;
-  const projects = map.projects;
-  if (projects === null || typeof projects !== "object" || Array.isArray(projects)) {
-    addItem(
-      section2,
-      `${red(failGlyph)} path-map.json invalid schema: "projects" must be an object`
-    );
+  const shapeError = validatePathMapShape(map);
+  if (shapeError !== null) {
+    addItem(section2, `${red(failGlyph)} ${shapeError}`);
     process.exitCode = 1;
     return;
   }
-  for (const [name, hosts] of Object.entries(projects)) {
-    if (hosts === null || typeof hosts !== "object" || Array.isArray(hosts)) {
-      addItem(
-        section2,
-        `${red(failGlyph)} path-map.json invalid schema: project "${name}" hosts must be an object`
-      );
-      process.exitCode = 1;
-      return;
-    }
-    for (const [hostName, mappedPath] of Object.entries(hosts)) {
-      if (typeof mappedPath !== "string") {
-        addItem(
-          section2,
-          `${red(failGlyph)} path-map.json invalid schema: project "${name}" host "${hostName}" path must be a string`
-        );
-        process.exitCode = 1;
-        return;
-      }
-    }
-  }
   reportMappedProjects(section2, map);
   reportUnmappedProjects(section2, map);
   reportPathCollisions(section2, map);
@@ -1883,7 +1874,7 @@ function reportNeverSync(section2) {
   );
 }
 
-// src/commands.doctor.checks.repository.ts
+// src/commands.doctor.checks.git-state.ts
 init_color();
 init_config();
 import { execFileSync as execFileSync4 } from "node:child_process";
@@ -2203,21 +2194,27 @@ init_config();
 init_utils();
 init_utils_fs();
 init_utils_json();
-import { cpSync as cpSync4, existsSync as existsSync15, mkdirSync as mkdirSync3, readdirSync as readdirSync6, rmSync as rmSync6, statSync as statSync4 } from "node:fs";
-import { join as join19, relative as relative3, sep as sep2 } from "node:path";
-function copyDir(src, dst) {
+import { cpSync as cpSync4, existsSync as existsSync15, mkdirSync as mkdirSync3, readdirSync as readdirSync6, renameSync as renameSync3, rmSync as rmSync6, statSync as statSync4 } from "node:fs";
+import { join as join19, relative as relative3, sep as sep3 } from "node:path";
+var TMP_SUFFIX = ".nomad-tmp";
+function atomicMirror(src, dst, options) {
+  const tmp = `${dst}${TMP_SUFFIX}`;
+  rmSync6(tmp, { recursive: true, force: true });
+  cpSync4(src, tmp, options);
   rmSync6(dst, { recursive: true, force: true });
-  cpSync4(src, dst, { recursive: true, force: true });
+  renameSync3(tmp, dst);
+}
+function copyDir(src, dst) {
+  atomicMirror(src, dst, { recursive: true, force: true });
 }
 function copyDirJsonlOnly(src, dst) {
-  rmSync6(dst, { recursive: true, force: true });
-  cpSync4(src, dst, {
+  atomicMirror(src, dst, {
     recursive: true,
     force: true,
     filter: (srcPath) => {
       const rel = relative3(src, srcPath);
       if (rel === "") return true;
-      if (rel.split(sep2).length > 1) return true;
+      if (rel.split(sep3).length > 1) return true;
       if (statSync4(srcPath).isDirectory()) return true;
       if (srcPath.endsWith(".jsonl")) return true;
       item(`skip ${rel}: extension not in allowlist`);
@@ -2243,7 +2240,7 @@ function remapPull(ts, opts = {}) {
     emitPreview(opts.onPreview, { kind: "note", text }, text);
     return { unmapped: 0, pulled, wouldPull };
   }
-  const map = readJson(mapPath);
+  const map = readPathMap(mapPath);
   const localProjects = join19(claude, "projects");
   if (!dryRun) mkdirSync3(localProjects, { recursive: true });
   for (const [logical, hosts] of Object.entries(map.projects)) {
@@ -2307,13 +2304,14 @@ function remapPush(ts, opts = {}) {
     log("no path-map.json; skipping session export");
     return { unmapped: 0, collisions: 0, pushed, wouldPush };
   }
-  const map = readJson(mapPath);
+  const map = readPathMap(mapPath);
   const localProjects = join19(claude, "projects");
   const repoProjects = join19(repo, "shared", "projects");
   const reverse = buildReverseMap(map);
   if (!existsSync15(localProjects)) return { unmapped, collisions: 0, pushed, wouldPush };
   if (!dryRun) mkdirSync3(repoProjects, { recursive: true });
   for (const dir of readdirSync6(localProjects)) {
+    if (dir.endsWith(TMP_SUFFIX)) continue;
     const logical = reverse.get(dir);
     if (!logical) {
       unmapped++;
@@ -3051,13 +3049,13 @@ import { createInterface } from "node:readline/promises";
 // src/commands.push.recovery.actions.ts
 init_config();
 import { readFileSync as readFileSync12 } from "node:fs";
-import { isAbsolute, resolve as resolve3, sep as sep4 } from "node:path";
+import { isAbsolute, resolve as resolve3, sep as sep5 } from "node:path";
 
 // src/commands.push.recovery.redact.ts
 init_config();
 init_config_sharedDirs_guard();
 import { cpSync as cpSync5, existsSync as existsSync24, mkdirSync as mkdirSync6, statSync as statSync7 } from "node:fs";
-import { dirname as dirname6, join as join29, sep as sep3 } from "node:path";
+import { dirname as dirname6, join as join29, sep as sep4 } from "node:path";
 
 // src/commands.redact.ts
 init_config();
@@ -3068,6 +3066,7 @@ import { dirname as dirname5, join as join28 } from "node:path";
 import { existsSync as existsSync22, lstatSync as lstatSync7, readFileSync as readFileSync10, readdirSync as readdirSync9, statSync as statSync5, writeFileSync as writeFileSync3 } from "node:fs";
 import { join as join26 } from "node:path";
 init_utils_fs();
+init_utils();
 function collectFiles(dir, out) {
   if (!existsSync22(dir)) return;
   const st = lstatSync7(dir);
@@ -3110,12 +3109,67 @@ function applySubtreeRedactions(mainPath, mainFindings, subtreeFiles, rule, ts,
   if (!dryRun && total > 0) {
     for (const { path: filePath, findings } of dirty) {
       backupBeforeWrite(filePath, ts);
-      writeFileSync3(filePath, applyRedactions(readFileSync10(filePath, "utf8"), findings), "utf8");
+      const before = readFileSync10(filePath, "utf8");
+      const after = applyRedactions(before, findings);
+      if (after === before) {
+        log(
+          `warning: no redaction applied to ${filePath}: finding match values were not located in the file. Inspect it manually; the push re-scan still blocks a real leak.`
+        );
+      }
+      writeFileSync3(filePath, after, "utf8");
     }
   }
   return { total, dirty };
 }
 
+// src/commands.pushed-history.ts
+init_utils();
+import { execFileSync as execFileSync8 } from "node:child_process";
+function pushedRef(repo) {
+  try {
+    const ref = execFileSync8("git", ["rev-parse", "--abbrev-ref", "--symbolic-full-name", "@{u}"], {
+      cwd: repo,
+      stdio: ["ignore", "pipe", "ignore"]
+    }).toString().trim();
+    return ref.length > 0 ? ref : null;
+  } catch {
+    return null;
+  }
+}
+function sessionInPushedHistory(id, repo) {
+  const ref = pushedRef(repo);
+  if (ref === null) return false;
+  try {
+    const out = execFileSync8(
+      "git",
+      [
+        "log",
+        ref,
+        "--oneline",
+        "-1",
+        "--",
+        `shared/projects/*/${id}.jsonl`,
+        `shared/projects/*/${id}/*`
+      ],
+      { cwd: repo, stdio: ["ignore", "pipe", "ignore"] }
+    ).toString().trim();
+    return out.length > 0;
+  } catch {
+    return false;
+  }
+}
+function warnIfSessionPushed(id, repo) {
+  if (!sessionInPushedHistory(id, repo)) return;
+  log(
+    `warning: session ${id} is already in pushed history (origin).
+  This command only changes your local copy and the next push; it does NOT
+  remove the secret from commits already on the remote.
+  To fully remediate a real secret: rotate the credential, then rewrite
+  history (e.g. with git filter-repo) and force-push, coordinating with
+  anyone else who has cloned the repo.`
+  );
+}
+
 // src/commands.redact.ts
 init_push_gitleaks_scan();
 init_utils_fs();
@@ -3317,6 +3371,7 @@ ${lines}`);
       return;
     }
     log(`redacted ${totalCount} finding(s) in ${localPath} (backup: ${ts})`);
+    warnIfSessionPushed(id, repo);
   } catch (err) {
     if (!(err instanceof NomadFatal)) {
       throw err;
@@ -3391,12 +3446,28 @@ function resolveStagedDir(localPath, map, claude, repo) {
     assertSafeLogical(logical);
     const abs = hostMap[HOST];
     if (abs === void 0) continue;
-    if (localPath.startsWith(join29(claude, "projects", encodePath(abs)) + sep3)) {
+    if (localPath.startsWith(join29(claude, "projects", encodePath(abs)) + sep4)) {
       return join29(repo, "shared", "projects", logical);
     }
   }
   return null;
 }
+function preflightRedactable(f, map, nowMs) {
+  const sid = sessionIdFromFinding(f);
+  if (sid === null) return "a finding has no resolvable session id (not a session transcript)";
+  const localPath = resolveLiveTranscript(sid);
+  if (localPath === null) return `session ${sid}: local transcript not found`;
+  const sessionDir = join29(dirname6(localPath), sid);
+  const subtreeFiles = listSubtreeFiles(sessionDir);
+  const subtreeMtime = newestSubtreeMtimeMs(localPath, subtreeFiles, (p) => statSync7(p).mtimeMs);
+  if (isRecentlyModified(subtreeMtime, nowMs())) {
+    return `session ${sid}: looks active (modified within the last 5 minutes)`;
+  }
+  if (resolveStagedDir(localPath, map, claudeHome(), repoHome()) === null) {
+    return `session ${sid}: not mapped to a staged copy`;
+  }
+  return null;
+}
 function applyRedact(f, ts, map, nowMs, scan = scanFile) {
   const refuse = (msg) => {
     log(msg);
@@ -3500,7 +3571,7 @@ function makeDefaultReadLine(repo) {
     try {
       const repoRoot = resolve3(repo);
       const target = resolve3(repoRoot, file);
-      if (isAbsolute(file) || target !== repoRoot && !target.startsWith(repoRoot + sep4)) {
+      if (isAbsolute(file) || target !== repoRoot && !target.startsWith(repoRoot + sep5)) {
         return null;
       }
       const content = readFileSync12(target, "utf8");
@@ -3567,6 +3638,22 @@ function dispatchActions(findings, actions, opts) {
   }
 }
 function redactAllFindings(findings, ts, map, nowMs, scan = scanFile) {
+  const refusals = [];
+  const preflighted = /* @__PURE__ */ new Set();
+  for (const f of findings) {
+    const dedupeKey = sessionIdFromFinding(f) ?? findingKey(f);
+    if (preflighted.has(dedupeKey)) continue;
+    preflighted.add(dedupeKey);
+    const reason = preflightRedactable(f, map, nowMs);
+    if (reason !== null) refusals.push(reason);
+  }
+  if (refusals.length > 0) {
+    throw new NomadFatal(
+      `--redact-all cannot redact every finding, so no changes were made:
+` + refusals.map((r) => `  - ${r}`).join("\n") + `
+  Re-run without --redact-all to triage these interactively (Drop session / Skip), or end any active session and retry.`
+    );
+  }
   const redactedSids = /* @__PURE__ */ new Set();
   for (const f of findings) {
     const sid = sessionIdFromFinding(f);
@@ -3773,7 +3860,7 @@ function withSpinner(label, fn, deps) {
 
 // src/commands.doctor.gitleaks-version.ts
 init_color();
-import { execFileSync as execFileSync8 } from "node:child_process";
+import { execFileSync as execFileSync9 } from "node:child_process";
 import { existsSync as existsSync26 } from "node:fs";
 import { join as join32 } from "node:path";
 init_config();
@@ -3796,7 +3883,7 @@ function readGitleaksVersion(run, tomlExists) {
     return null;
   }
 }
-function reportGitleaksVersionCheck(section2, run = execFileSync8, tomlExists = existsSync26) {
+function reportGitleaksVersionCheck(section2, run = execFileSync9, tomlExists = existsSync26) {
   const raw = readGitleaksVersion(run, tomlExists);
   if (raw === null) return;
   const local = majorMinorOf(raw);
@@ -3816,7 +3903,7 @@ function reportGitleaksVersionCheck(section2, run = execFileSync8, tomlExists =
 
 // src/commands.doctor.checks.deps.ts
 init_color();
-import { execFileSync as execFileSync9 } from "node:child_process";
+import { execFileSync as execFileSync10 } from "node:child_process";
 var VERSION_TOKEN = /(\d{1,9}\.\d{1,9}\.\d{1,9})/;
 var PROBE_TIMEOUT_MS = 3e3;
 var FETCHER_BASE = "HTTP fetcher";
@@ -3853,7 +3940,7 @@ function reportFetcherRow(section2, run) {
     );
   }
 }
-function reportOptionalDeps(section2, run = execFileSync9) {
+function reportOptionalDeps(section2, run = execFileSync10) {
   const gh = probeOptionalDep("gh", run);
   if (gh.status === "present") {
     addItem(section2, `${green(okGlyph)} gh: ${gh.version ?? "present"}`);
@@ -3868,11 +3955,11 @@ function reportOptionalDeps(section2, run = execFileSync9) {
 
 // src/commands.doctor.actions-drift.ts
 init_color();
-import { execFileSync as execFileSync11 } from "node:child_process";
+import { execFileSync as execFileSync12 } from "node:child_process";
 init_config();
 
 // src/gh-actions.ts
-import { execFileSync as execFileSync10 } from "node:child_process";
+import { execFileSync as execFileSync11 } from "node:child_process";
 var GH_TIMEOUT_MS = 5e3;
 function parseGitHubRemote(remoteUrl) {
   const normalized = remoteUrl.trim().replace(/\/$/, "");
@@ -3880,7 +3967,7 @@ function parseGitHubRemote(remoteUrl) {
   if (m === null) return null;
   return { owner: m[1], repo: m[2] };
 }
-function ghAuthStatus(run = execFileSync10) {
+function ghAuthStatus(run = execFileSync11) {
   try {
     run("gh", ["auth", "status"], {
       stdio: ["ignore", "ignore", "ignore"],
@@ -3894,7 +3981,7 @@ function ghAuthStatus(run = execFileSync10) {
     return "gh-probe-error";
   }
 }
-function isRepoPrivate(ref, run = execFileSync10) {
+function isRepoPrivate(ref, run = execFileSync11) {
   const out = run("gh", ["repo", "view", `${ref.owner}/${ref.repo}`, "--json", "isPrivate"], {
     stdio: ["ignore", "pipe", "ignore"],
     timeout: GH_TIMEOUT_MS
@@ -3902,7 +3989,7 @@ function isRepoPrivate(ref, run = execFileSync10) {
   const parsed = JSON.parse(out);
   return parsed.isPrivate === true;
 }
-function isActionsEnabled(ref, run = execFileSync10) {
+function isActionsEnabled(ref, run = execFileSync11) {
   const out = run(
     "gh",
     ["api", `repos/${ref.owner}/${ref.repo}/actions/permissions`, "--jq", ".enabled"],
@@ -3910,7 +3997,7 @@ function isActionsEnabled(ref, run = execFileSync10) {
   ).toString().trim();
   return out === "true";
 }
-function disableActions(ref, run = execFileSync10) {
+function disableActions(ref, run = execFileSync11) {
   run(
     "gh",
     [
@@ -3924,7 +4011,7 @@ function disableActions(ref, run = execFileSync10) {
     { stdio: ["ignore", "ignore", "pipe"], timeout: GH_TIMEOUT_MS }
   );
 }
-function readOriginRemote(cwd, run = execFileSync10) {
+function readOriginRemote(cwd, run = execFileSync11) {
   return run("git", ["remote", "get-url", "origin"], {
     cwd,
     stdio: ["ignore", "pipe", "ignore"]
@@ -3932,7 +4019,7 @@ function readOriginRemote(cwd, run = execFileSync10) {
 }
 
 // src/commands.doctor.actions-drift.ts
-function reportActionsDrift(section2, run = execFileSync11) {
+function reportActionsDrift(section2, run = execFileSync12) {
   let remote;
   try {
     remote = readOriginRemote(repoHome(), run);
@@ -4061,15 +4148,15 @@ function cmdDoctor(opts = {}) {
 
 // src/commands.drop-session.ts
 init_config();
-import { execFileSync as execFileSync13 } from "node:child_process";
+import { execFileSync as execFileSync14 } from "node:child_process";
 import { existsSync as existsSync29, readdirSync as readdirSync10, statSync as statSync8 } from "node:fs";
 import { join as join35, relative as relative4 } from "node:path";
 
 // src/commands.drop-session.git.ts
-import { execFileSync as execFileSync12 } from "node:child_process";
+import { execFileSync as execFileSync13 } from "node:child_process";
 function expandStagedDir(dirRel, repo) {
   try {
-    const out = execFileSync12("git", ["ls-files", "-z", "--", dirRel], {
+    const out = execFileSync13("git", ["ls-files", "-z", "--", dirRel], {
       cwd: repo,
       stdio: ["ignore", "pipe", "pipe"]
     });
@@ -4080,7 +4167,7 @@ function expandStagedDir(dirRel, repo) {
 }
 function isTrackedInHead(rel, repo) {
   try {
-    execFileSync12("git", ["cat-file", "-e", `HEAD:${rel}`], {
+    execFileSync13("git", ["cat-file", "-e", `HEAD:${rel}`], {
       cwd: repo,
       stdio: ["ignore", "pipe", "pipe"]
     });
@@ -4091,7 +4178,7 @@ function isTrackedInHead(rel, repo) {
 }
 function isInIndex(rel, repo) {
   try {
-    const out = execFileSync12("git", ["ls-files", "--", rel], {
+    const out = execFileSync13("git", ["ls-files", "--", rel], {
       cwd: repo,
       stdio: ["ignore", "pipe", "pipe"]
     });
@@ -4162,6 +4249,7 @@ function cmdDropSession(id) {
     }
     for (const rel of matches) unstageOne(rel, repo);
     reportScrubHint(id, matches);
+    warnIfSessionPushed(id, repo);
   } catch (err) {
     if (!(err instanceof NomadFatal)) {
       throw err;
@@ -4196,12 +4284,12 @@ function unstageOne(rel, repo) {
   }
   try {
     if (isTrackedInHead(rel, repo)) {
-      execFileSync13("git", ["restore", "--staged", "--worktree", "--", rel], {
+      execFileSync14("git", ["restore", "--staged", "--worktree", "--", rel], {
         cwd: repo,
         stdio: ["ignore", "pipe", "pipe"]
       });
     } else {
-      execFileSync13("git", ["rm", "--cached", "-f", "--", rel], {
+      execFileSync14("git", ["rm", "--cached", "-f", "--", rel], {
         cwd: repo,
         stdio: ["ignore", "pipe", "pipe"]
       });
@@ -4316,7 +4404,7 @@ import { join as join39 } from "node:path";
 
 // src/extras-sync.diff.ts
 init_utils();
-import { execFileSync as execFileSync14 } from "node:child_process";
+import { execFileSync as execFileSync15 } from "node:child_process";
 function labelDiffLine(line) {
   const tab = line.indexOf("	");
   if (tab === -1) return line;
@@ -4331,7 +4419,7 @@ function parseDiffOutput(stdout) {
 }
 function listDivergingFiles(a, b) {
   try {
-    const stdout = execFileSync14("git", ["diff", "--no-index", "--name-status", a, b], {
+    const stdout = execFileSync15("git", ["diff", "--no-index", "--name-status", a, b], {
       stdio: ["ignore", "pipe", "pipe"]
     }).toString();
     return parseDiffOutput(stdout);
@@ -4511,10 +4599,10 @@ init_utils_json();
 // src/extras-sync.remap.ts
 init_config();
 import { existsSync as existsSync31, mkdirSync as mkdirSync7, readdirSync as readdirSync12, realpathSync as realpathSync4, rmSync as rmSync11 } from "node:fs";
-import { dirname as dirname7, join as join38, sep as sep6 } from "node:path";
+import { dirname as dirname7, join as join38, sep as sep7 } from "node:path";
 
 // src/extras-sync.planning-diff.ts
-import { join as join37, normalize as normalize2, sep as sep5 } from "node:path";
+import { join as join37, normalize as normalize2, sep as sep6 } from "node:path";
 init_utils();
 function processRecord(fields, i, changed, deleted) {
   const status = fields[i];
@@ -4567,7 +4655,7 @@ function planningDeleteTargets(opts) {
   const logicalPrefix = "shared/extras/" + logical + "/";
   const prefix = logicalPrefix + ".planning/";
   const planningRoot = join37(localRoot, ".planning");
-  const planningRootBoundary = planningRoot + sep5;
+  const planningRootBoundary = planningRoot + sep6;
   const targets = [];
   for (const repoPath of deleted) {
     if (!repoPath.startsWith(prefix)) {
@@ -4609,7 +4697,7 @@ function runExtrasOp(v, dryRun, paths, backup, copy) {
 }
 function pruneEmptyAncestors(target, planningRoot) {
   let dir = dirname7(target);
-  while (dir !== planningRoot && dir.startsWith(planningRoot + sep6)) {
+  while (dir !== planningRoot && dir.startsWith(planningRoot + sep7)) {
     try {
       if (readdirSync12(dir).length > 0) break;
       rmSync11(dir, { recursive: true, force: true });
@@ -4627,7 +4715,7 @@ function tryRealpath(dir) {
   }
 }
 function isInsidePlanningRoot(parentReal, rootReal) {
-  return parentReal === rootReal || parentReal.startsWith(rootReal + sep6);
+  return parentReal === rootReal || parentReal.startsWith(rootReal + sep7);
 }
 function deletePlanningTarget(target, planningRoot, repoCounterpart) {
   if (existsSync31(repoCounterpart)) return;
@@ -4669,7 +4757,7 @@ function propagatePlanningDeletes(v, ts, prePostHeads, repo) {
     backupExtrasWrite(join38(t.localRoot, t.dirname), ts, t.localRoot);
     const planningRoot = join38(t.localRoot, ".planning");
     for (const target of targets) {
-      const relToLocal = target.slice(t.localRoot.length + sep6.length);
+      const relToLocal = target.slice(t.localRoot.length + sep7.length);
       deletePlanningTarget(target, planningRoot, join38(repoExtras, t.logical, relToLocal));
     }
   }
@@ -5274,9 +5362,9 @@ init_config();
 init_commands_pull_wedge();
 init_utils();
 init_utils_fs();
-import { execFileSync as execFileSync15 } from "node:child_process";
+import { execFileSync as execFileSync16 } from "node:child_process";
 function gitCapture(args, cwd) {
-  return execFileSync15("git", args, {
+  return execFileSync16("git", args, {
     cwd,
     stdio: ["ignore", "pipe", "pipe"],
     maxBuffer: 64 * 1024 * 1024
@@ -5593,7 +5681,7 @@ function enforceAllowList(statusPorcelain, map) {
 
 // src/push-global-config.ts
 init_config();
-import { execFileSync as execFileSync16 } from "node:child_process";
+import { execFileSync as execFileSync17 } from "node:child_process";
 var STATUS_LABELS = {
   A: "add",
   M: "modify",
@@ -5633,7 +5721,7 @@ function isInScope(filePath, exactPrefixes, dirPrefixes) {
 }
 function collectGlobalConfigChanges(repoHome2, hostname2, opts) {
   const args = opts.staged ? ["diff", "--cached", "--name-status", "-z"] : ["diff", "HEAD", "--name-status", "-z"];
-  const raw = execFileSync16("git", args, {
+  const raw = execFileSync17("git", args, {
     cwd: repoHome2,
     stdio: ["ignore", "pipe", "pipe"]
   }).toString();
@@ -5862,16 +5950,16 @@ async function cmdPush(opts = {}) {
 }
 
 // src/commands.update.ts
-import { execFileSync as execFileSync17 } from "node:child_process";
+import { execFileSync as execFileSync18 } from "node:child_process";
 init_utils();
-function readInstalledVersion(run = execFileSync17) {
+function readInstalledVersion(run = execFileSync18) {
   try {
     return run("nomad", ["--version"], { encoding: "utf8" }).toString().trim() || null;
   } catch {
     return null;
   }
 }
-function cmdUpdate(run = execFileSync17) {
+function cmdUpdate(run = execFileSync18) {
   console.log("Updating claude-nomad CLI via npm...");
   try {
     run("npm", ["update", "-g", "claude-nomad"], { stdio: "inherit" });
@@ -5925,14 +6013,14 @@ import { join as join48 } from "node:path";
 
 // src/init.gh-onboard.ts
 init_config();
-import { execFileSync as execFileSync18 } from "node:child_process";
+import { execFileSync as execFileSync19 } from "node:child_process";
 init_utils();
 var DEFAULT_REPO_NAME = "claude-nomad-config";
 function isValidRepoName(name) {
   return /^[A-Za-z0-9._-]{1,100}$/.test(name);
 }
 var GH_NETWORK_TIMEOUT_MS = 3e4;
-function ensureOriginRepo(repoName, run = execFileSync18) {
+function ensureOriginRepo(repoName, run = execFileSync19) {
   if (!isValidRepoName(repoName)) {
     die(
       `invalid repo name: ${JSON.stringify(repoName)}. Use only letters, digits, hyphens, underscores, and dots (1-100 chars).`
@@ -6145,86 +6233,20 @@ function maybeDisableRepoActions(repoHome2, run) {
   }
 }
 
-// src/nomad.dispatch.ts
+// src/nomad.dispatch.helpers.ts
+var REJECT = { ok: false, advance: 0 };
+function applyBool(seen, set) {
+  if (seen) return REJECT;
+  set();
+  return { ok: true, advance: 1 };
+}
 function extractFlagValue(argv, i) {
   const val = argv[i + 1];
   if (val === void 0 || val.startsWith("--")) return null;
   return val;
 }
-function applyInitToken(argv, i, st) {
-  const token = argv[i];
-  if (token === "--snapshot") {
-    if (st.sawSnapshot) return { ok: false, advance: 0 };
-    st.sawSnapshot = true;
-    st.snapshot = true;
-    return { ok: true, advance: 1 };
-  }
-  if (token === "--keep-actions") {
-    if (st.sawKeepActions) return { ok: false, advance: 0 };
-    st.sawKeepActions = true;
-    st.keepActions = true;
-    return { ok: true, advance: 1 };
-  }
-  if (token === "--repo") {
-    if (st.sawRepo) return { ok: false, advance: 0 };
-    st.sawRepo = true;
-    const val = extractFlagValue(argv, i);
-    if (val === null) return { ok: false, advance: 0 };
-    st.repoName = val;
-    return { ok: true, advance: 2 };
-  }
-  return { ok: false, advance: 0 };
-}
-function parseInitArgs(argv) {
-  const st = {
-    snapshot: false,
-    keepActions: false,
-    repoName: void 0,
-    sawSnapshot: false,
-    sawKeepActions: false,
-    sawRepo: false
-  };
-  let i = 3;
-  while (i < argv.length) {
-    const { ok: ok2, advance } = applyInitToken(argv, i, st);
-    if (!ok2) return null;
-    i += advance;
-  }
-  return { snapshot: st.snapshot, keepActions: st.keepActions, repoName: st.repoName };
-}
-function parseRedactArgs(argv) {
-  const id = argv[3];
-  if (typeof id !== "string" || !/^\w[\w-]{0,127}$/.test(id)) {
-    return null;
-  }
-  let rule;
-  let dryRun = false;
-  let sawRule = false;
-  let sawDryRun = false;
-  let i = 4;
-  while (i < argv.length) {
-    const token = argv[i];
-    if (token === "--dry-run") {
-      if (sawDryRun) return null;
-      sawDryRun = true;
-      dryRun = true;
-      i++;
-    } else if (token === "--rule") {
-      if (sawRule) return null;
-      sawRule = true;
-      const val = argv[i + 1];
-      if (val === void 0 || val.startsWith("--")) return null;
-      rule = val;
-      i += 2;
-    } else {
-      return null;
-    }
-  }
-  return { id, rule, dryRun };
-}
 
 // src/nomad.dispatch.clean.ts
-var REJECT = { ok: false, advance: 0 };
 function applyOlderThan(argv, i, st) {
   if (st.olderThan !== void 0) return REJECT;
   const val = extractFlagValue(argv, i);
@@ -6239,11 +6261,6 @@ function applyKeep(argv, i, st) {
   st.keep = Number(val);
   return { ok: true, advance: 2 };
 }
-function applyBool(seen, set) {
-  if (seen) return REJECT;
-  set();
-  return { ok: true, advance: 1 };
-}
 function applyCleanToken(argv, i, st) {
   switch (argv[i]) {
     case "--backups":
@@ -6293,6 +6310,79 @@ function parseEjectArgs(argv) {
   return { dryRun };
 }
 
+// src/nomad.dispatch.ts
+function applyInitToken(argv, i, st) {
+  const token = argv[i];
+  if (token === "--snapshot") {
+    if (st.sawSnapshot) return REJECT;
+    st.sawSnapshot = true;
+    st.snapshot = true;
+    return { ok: true, advance: 1 };
+  }
+  if (token === "--keep-actions") {
+    if (st.sawKeepActions) return REJECT;
+    st.sawKeepActions = true;
+    st.keepActions = true;
+    return { ok: true, advance: 1 };
+  }
+  if (token === "--repo") {
+    if (st.sawRepo) return REJECT;
+    st.sawRepo = true;
+    const val = extractFlagValue(argv, i);
+    if (val === null) return REJECT;
+    st.repoName = val;
+    return { ok: true, advance: 2 };
+  }
+  return REJECT;
+}
+function parseInitArgs(argv) {
+  const st = {
+    snapshot: false,
+    keepActions: false,
+    repoName: void 0,
+    sawSnapshot: false,
+    sawKeepActions: false,
+    sawRepo: false
+  };
+  let i = 3;
+  while (i < argv.length) {
+    const { ok: ok2, advance } = applyInitToken(argv, i, st);
+    if (!ok2) return null;
+    i += advance;
+  }
+  return { snapshot: st.snapshot, keepActions: st.keepActions, repoName: st.repoName };
+}
+function parseRedactArgs(argv) {
+  const id = argv[3];
+  if (typeof id !== "string" || !/^\w[\w-]{0,127}$/.test(id)) {
+    return null;
+  }
+  let rule;
+  let dryRun = false;
+  let sawRule = false;
+  let sawDryRun = false;
+  let i = 4;
+  while (i < argv.length) {
+    const token = argv[i];
+    if (token === "--dry-run") {
+      if (sawDryRun) return null;
+      sawDryRun = true;
+      dryRun = true;
+      i++;
+    } else if (token === "--rule") {
+      if (sawRule) return null;
+      sawRule = true;
+      const val = extractFlagValue(argv, i);
+      if (val === null) return null;
+      rule = val;
+      i += 2;
+    } else {
+      return null;
+    }
+  }
+  return { id, rule, dryRun };
+}
+
 // src/nomad.dispatch.allow.ts
 function parseAllowArgs(argv) {
   const positionals = argv.slice(3);
@@ -6326,32 +6416,26 @@ function parsePullArgs(argv) {
 }
 
 // src/nomad.dispatch.push.ts
-var REJECT2 = { ok: false, advance: 0 };
-function applyBool2(seen, set) {
-  if (seen) return REJECT2;
-  set();
-  return { ok: true, advance: 1 };
-}
 var RULE_ID_RE = /^\w[\w-]*$/;
 function applyAllow2(argv, i, st) {
-  if (st.allowRule !== void 0) return REJECT2;
+  if (st.allowRule !== void 0) return REJECT;
   const val = extractFlagValue(argv, i);
-  if (val === null || !RULE_ID_RE.test(val)) return REJECT2;
+  if (val === null || !RULE_ID_RE.test(val)) return REJECT;
   st.allowRule = val;
   return { ok: true, advance: 2 };
 }
 function applyPushToken(argv, i, st) {
   switch (argv[i]) {
     case "--dry-run":
-      return applyBool2(st.dryRun, () => st.dryRun = true);
+      return applyBool(st.dryRun, () => st.dryRun = true);
     case "--redact-all":
-      return applyBool2(st.redactAll, () => st.redactAll = true);
+      return applyBool(st.redactAll, () => st.redactAll = true);
     case "--allow-all":
-      return applyBool2(st.allowAll, () => st.allowAll = true);
+      return applyBool(st.allowAll, () => st.allowAll = true);
     case "--allow":
       return applyAllow2(argv, i, st);
     default:
-      return REJECT2;
+      return REJECT;
   }
 }
 function parsePushArgs(argv) {
@@ -6383,7 +6467,7 @@ function parsePushArgs(argv) {
 // package.json
 var package_default = {
   name: "claude-nomad",
-  version: "0.50.2",
+  version: "0.50.3",
   type: "module",
   description: "Sync Claude Code config (~/.claude/) across machines via a private Git repo, with path remapping and per-host settings overrides.",
   keywords: [
@@ -6612,7 +6696,7 @@ function resumeCmd(sessionId) {
     process.exit(1);
   }
   const map = readJson(mapPath);
-  const schemaError = validatePathMap(map);
+  const schemaError = validatePathMapShape(map);
   if (schemaError !== null) {
     fail(schemaError);
     process.exit(1);
@@ -6647,26 +6731,6 @@ function extractRecordedCwd(jsonlPath) {
   }
   return null;
 }
-function validatePathMap(raw) {
-  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
-    return "path-map.json invalid schema: top-level value must be an object";
-  }
-  const projects = raw.projects;
-  if (projects === null || typeof projects !== "object" || Array.isArray(projects)) {
-    return 'path-map.json invalid schema: "projects" must be an object';
-  }
-  for (const [name, hosts] of Object.entries(projects)) {
-    if (hosts === null || typeof hosts !== "object" || Array.isArray(hosts)) {
-      return `path-map.json invalid schema: project "${name}" hosts must be an object`;
-    }
-    for (const [host, value] of Object.entries(hosts)) {
-      if (typeof value !== "string") {
-        return `path-map.json invalid schema: project "${name}" host "${host}" path must be a string`;
-      }
-    }
-  }
-  return null;
-}
 function lookupLocalPath(map, recordedCwd) {
   for (const [logical, hosts] of Object.entries(map.projects)) {
     const isUnderMappedPath = Object.values(hosts).some(

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-nomad",
-  "version": "0.50.2",
+  "version": "0.50.3",
   "type": "module",
   "description": "Sync Claude Code config (~/.claude/) across machines via a private Git repo, with path remapping and per-host settings overrides.",
   "keywords": [