claude-nomad 0.53.1 → 0.53.2

package/.gitleaks.toml

@@ -14,10 +14,14 @@ useDefault = true
 # context anywhere in the repo. Scoping to `shared/projects/<logical>/.../*.jsonl`
 # with `condition = "AND"` (matching every other block below) confines the
 # suppression to synced transcripts: a real secret in a source file still fires.
+# The Sonar-issue-key regex is length-bounded to the real key shape (`AY` + 17-22
+# base64url chars = 19-24 total, matching the sibling `key:`/`rule:` block) and
+# token-anchored with `\b` on both ends, so it cannot suppress a longer or
+# embedded `AY`-prefixed credential as a substring (an unbounded `{20,}` could).
 [[allowlists]]
 description = "claude-nomad: structurally-distinguishable tool-output noise in synced session transcripts"
 regexes = [
-    '''AY[A-Za-z0-9_-]{20,}''',
+    '''\bAY[A-Za-z0-9_-]{17,22}\b''',
     '''[\w./-]+\.[A-Za-z0-9]+:[\w-]+:\d+''',
     '''"id"\s*:\s*"[a-f0-9]{40,64}"''',
     '''key=[a-f0-9]{8,} [\w./-]+\.\w+:\d+''',

package/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## [0.53.2](https://github.com/funkadelic/claude-nomad/compare/v0.53.1...v0.53.2) (2026-06-26)
+
+
+### Fixed
+
+* **security:** close pull-side path-write and push-side scan-bypass vectors ([#339](https://github.com/funkadelic/claude-nomad/issues/339)) ([99f0320](https://github.com/funkadelic/claude-nomad/commit/99f0320d1181333fc00ea983fda7e675377def47))
+
+
+### Dependencies
+
+* bump actions/checkout from 6.0.3 to 7.0.0 ([#336](https://github.com/funkadelic/claude-nomad/issues/336)) ([6df79cf](https://github.com/funkadelic/claude-nomad/commit/6df79cfcfe9bd5eaa72130d15fdcb074019822a8))
+* bump the dev-dependencies group with 3 updates ([#337](https://github.com/funkadelic/claude-nomad/issues/337)) ([dd5a8ea](https://github.com/funkadelic/claude-nomad/commit/dd5a8eaffe70fe96f9d6f0921eaead8c3caf323b))
+
 ## [0.53.1](https://github.com/funkadelic/claude-nomad/compare/v0.53.0...v0.53.1) (2026-06-21)
 
 

package/dist/nomad.mjs

@@ -42,7 +42,13 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 
 // src/config.never-sync.ts
-var NEVER_SYNC, CLAUDE_EXTRA_NEVER_SYNC;
+function isSecretFileName(name) {
+  return SECRET_FILE_PATTERNS.some((re) => re.test(name));
+}
+function isDeniedName(blockSet, name) {
+  return blockSet.has(name) || blockSet.has(name.toLowerCase()) || isSecretFileName(name);
+}
+var NEVER_SYNC, CLAUDE_EXTRA_NEVER_SYNC, SECRET_FILE_PATTERNS;
 var init_config_never_sync = __esm({
   "src/config.never-sync.ts"() {
     "use strict";
@@ -72,6 +78,20 @@ var init_config_never_sync = __esm({
       "sessions"
     ]);
     CLAUDE_EXTRA_NEVER_SYNC = /* @__PURE__ */ new Set([...NEVER_SYNC, "projects"]);
+    SECRET_FILE_PATTERNS = [
+      /^\.env(\..+)?$/i,
+      // .env, .env.local, .env.production
+      /\.pem$/i,
+      /\.key$/i,
+      /\.p12$/i,
+      /\.pfx$/i,
+      /^id_(rsa|dsa|ecdsa|ed25519)$/i,
+      /^\.netrc$/i,
+      /^\.npmrc$/i,
+      /^\.pgpass$/i,
+      /^\.git-credentials$/i,
+      /^credentials$/i
+    ];
   }
 });
 
@@ -667,6 +687,37 @@ function resolveTomlPath(repo = repoHome()) {
   const bundled = fileURLToPath(new URL("../.gitleaks.toml", import.meta.url));
   return existsSync13(bundled) ? bundled : null;
 }
+function assertOverlayAllowlistsScoped(overlayBody) {
+  if (OVERLAY_INLINE_ALLOWLIST_RE.test(overlayBody)) {
+    throw new NomadFatal(
+      ".gitleaks.overlay.toml must declare allowlists as [[allowlists]] table blocks, not the dotted-key (allowlist.x = ...) or inline-table (allowlist = { ... }) form, which bypasses path-scope validation. Use a [[allowlists]] block with a `paths` entry."
+    );
+  }
+  let inAllowlist = false;
+  let hasPaths = false;
+  const closeBlock = () => {
+    if (inAllowlist && !hasPaths) {
+      throw new NomadFatal(
+        ".gitleaks.overlay.toml allowlist must be path-scoped: every [[allowlists]] block needs a `paths` entry so it cannot suppress findings repo-wide. Anchor `paths` to the files you intend to allow (e.g. shared/projects/<logical>/...jsonl)."
+      );
+    }
+  };
+  for (const line of overlayBody.split("\n")) {
+    if (TABLE_HEADER_RE.test(line)) {
+      closeBlock();
+      inAllowlist = OVERLAY_ALLOWLIST_HEADER_RE.test(line);
+      hasPaths = false;
+    } else if (inAllowlist) {
+      if (PATHS_KEY_RE.test(line)) hasPaths = true;
+      if (CATCH_ALL_RE.test(line)) {
+        throw new NomadFatal(
+          ".gitleaks.overlay.toml allowlist contains a catch-all pattern (.* or .+) that would suppress every finding. Replace it with a specific, anchored pattern."
+        );
+      }
+    }
+  }
+  closeBlock();
+}
 function buildOverlayTempConfig(overlayBody, bundled) {
   const tempBody = `[extend]
 path = ${JSON.stringify(bundled)}
@@ -701,6 +752,7 @@ function resolveTomlConfig() {
         ".gitleaks.overlay.toml must not contain an [extend] block; it is generated automatically. Remove the [extend] section and retry."
       );
     }
+    assertOverlayAllowlistsScoped(overlayBody);
     const { configPath, tempPath } = buildOverlayTempConfig(overlayBody, bundled);
     return { path: configPath, tempPath };
   } catch (err) {
@@ -711,13 +763,18 @@ function resolveTomlConfig() {
     return { path: bundled, tempPath: null };
   }
 }
-var OVERLAY_EXTEND_RE;
+var OVERLAY_EXTEND_RE, TABLE_HEADER_RE, OVERLAY_ALLOWLIST_HEADER_RE, OVERLAY_INLINE_ALLOWLIST_RE, PATHS_KEY_RE, CATCH_ALL_RE;
 var init_push_gitleaks_config = __esm({
   "src/push-gitleaks.config.ts"() {
     "use strict";
     init_config();
     init_utils();
     OVERLAY_EXTEND_RE = /^\s*(?:\[\s*extend\s*\]|extend\s*[.=])/m;
+    TABLE_HEADER_RE = /^\s*\[/;
+    OVERLAY_ALLOWLIST_HEADER_RE = /^\s*\[\[?\s*allowlists?\s*\]\]?/;
+    OVERLAY_INLINE_ALLOWLIST_RE = /^[ \t]*allowlists?[ \t]*[.=]/m;
+    PATHS_KEY_RE = /^\s*paths\s*=/;
+    CATCH_ALL_RE = /('''|"""|'|")\^?\(?\.[*+]\)?\$?\1/;
   }
 });
 
@@ -2700,12 +2757,31 @@ init_config();
 
 // src/remap.ts
 init_config_sharedDirs_guard();
+import { cpSync as cpSync4, existsSync as existsSync17, mkdirSync as mkdirSync4, readdirSync as readdirSync6, renameSync as renameSync3, rmSync as rmSync7, statSync as statSync4 } from "node:fs";
+import { join as join22, relative as relative3, sep as sep3 } from "node:path";
+
+// src/extras-sync.guards.ts
+init_utils();
+init_config_sharedDirs_guard();
+import { isAbsolute, normalize } from "node:path";
+function assertSafeLocalRoot(localRoot, logical) {
+  if (!isAbsolute(localRoot)) {
+    throw new NomadFatal(
+      `invalid localRoot for ${logical} in path-map.json: ${JSON.stringify(localRoot)} (must be absolute)`
+    );
+  }
+  if (localRoot !== normalize(localRoot)) {
+    throw new NomadFatal(
+      `invalid localRoot for ${logical} in path-map.json: ${JSON.stringify(localRoot)} (must be already-normalized; no '..' or redundant segments)`
+    );
+  }
+}
+
+// src/remap.ts
 init_config();
 init_utils();
 init_utils_fs();
 init_utils_json();
-import { cpSync as cpSync4, existsSync as existsSync17, mkdirSync as mkdirSync4, readdirSync as readdirSync6, renameSync as renameSync3, rmSync as rmSync7, statSync as statSync4 } from "node:fs";
-import { join as join22, relative as relative3, sep as sep3 } from "node:path";
 var TMP_SUFFIX = ".nomad-tmp";
 function atomicMirror(src, dst, options) {
   const tmp = `${dst}${TMP_SUFFIX}`;
@@ -2760,6 +2836,7 @@ function remapPull(ts, opts = {}) {
       unmapped++;
       continue;
     }
+    assertSafeLocalRoot(localPath, logical);
     const src = join22(repoProjects, logical);
     if (!existsSync17(src)) continue;
     const dst = join22(localProjects, encodePath(localPath));
@@ -3530,7 +3607,7 @@ import { createInterface as createInterface2 } from "node:readline/promises";
 // src/commands.push.recovery.actions.ts
 init_config();
 import { readFileSync as readFileSync12 } from "node:fs";
-import { isAbsolute, resolve as resolve3, sep as sep5 } from "node:path";
+import { isAbsolute as isAbsolute2, resolve as resolve3, sep as sep5 } from "node:path";
 
 // src/commands.push.recovery.redact.ts
 init_config();
@@ -3937,7 +4014,7 @@ function makeDefaultReadLine(repo) {
     try {
       const repoRoot = resolve3(repo);
       const target = resolve3(repoRoot, file);
-      if (isAbsolute(file) || target !== repoRoot && !target.startsWith(repoRoot + sep5)) {
+      if (isAbsolute2(file) || target !== repoRoot && !target.startsWith(repoRoot + sep5)) {
         return null;
       }
       const content = readFileSync12(target, "utf8");
@@ -4846,25 +4923,6 @@ function listDivergingFiles(a, b) {
 init_config();
 import { cpSync as cpSync6, existsSync as existsSync32, lstatSync as lstatSync9, readdirSync as readdirSync11, rmSync as rmSync11 } from "node:fs";
 import { basename, join as join38 } from "node:path";
-
-// src/extras-sync.guards.ts
-init_utils();
-init_config_sharedDirs_guard();
-import { isAbsolute as isAbsolute2, normalize } from "node:path";
-function assertSafeLocalRoot(localRoot, logical) {
-  if (!isAbsolute2(localRoot)) {
-    throw new NomadFatal(
-      `invalid localRoot for ${logical} in path-map.json: ${JSON.stringify(localRoot)} (must be absolute)`
-    );
-  }
-  if (localRoot !== normalize(localRoot)) {
-    throw new NomadFatal(
-      `invalid localRoot for ${logical} in path-map.json: ${JSON.stringify(localRoot)} (must be already-normalized; no '..' or redundant segments)`
-    );
-  }
-}
-
-// src/extras-sync.core.ts
 init_utils();
 init_utils_json();
 function loadValidatedExtras(opts) {
@@ -4902,13 +4960,28 @@ function* eachExtrasTarget(v, counts) {
     }
   }
 }
+function stripCollidingDstSymlinks(src, dst, isExcluded) {
+  if (!existsSync32(dst)) return;
+  for (const name of readdirSync11(src)) {
+    if (isExcluded(name)) continue;
+    const dstPath = join38(dst, name);
+    const dstStat = lstatSync9(dstPath, { throwIfNoEntry: false });
+    if (dstStat === void 0) continue;
+    if (dstStat.isSymbolicLink()) {
+      rmSync11(dstPath, { recursive: true, force: true });
+    } else if (dstStat.isDirectory() && lstatSync9(join38(src, name)).isDirectory()) {
+      stripCollidingDstSymlinks(join38(src, name), dstPath, isExcluded);
+    }
+  }
+}
 function copyExtrasOverlayFiltered(src, dst, blockSet) {
+  stripCollidingDstSymlinks(src, dst, (name) => isDeniedName(blockSet, name));
   try {
     cpSync6(src, dst, {
       recursive: true,
       force: true,
       verbatimSymlinks: true,
-      filter: (srcEntry) => srcEntry === src || !blockSet.has(basename(srcEntry))
+      filter: (srcEntry) => srcEntry === src || !isDeniedName(blockSet, basename(srcEntry))
     });
   } catch (err) {
     const e = err;
@@ -4933,12 +5006,12 @@ function copyExtrasFiltered(src, dst, blockSet) {
     recursive: true,
     force: true,
     verbatimSymlinks: true,
-    filter: (srcEntry) => srcEntry === src || !blockSet.has(basename(srcEntry))
+    filter: (srcEntry) => srcEntry === src || !isDeniedName(blockSet, basename(srcEntry))
   });
 }
 function prunePreservingDenied(src, dst, blockSet) {
   for (const name of readdirSync11(dst)) {
-    if (blockSet.has(name)) continue;
+    if (isDeniedName(blockSet, name)) continue;
     const dstPath = join38(dst, name);
     const srcStat = lstatSync9(join38(src, name), { throwIfNoEntry: false });
     if (srcStat === void 0) {
@@ -4959,11 +5032,12 @@ function copyExtrasFilteredPreserving(src, dst, blockSet) {
     if (dstStat.isDirectory()) prunePreservingDenied(src, dst, blockSet);
     else rmSync11(dst, { recursive: true, force: true });
   }
+  stripCollidingDstSymlinks(src, dst, (name) => isDeniedName(blockSet, name));
   cpSync6(src, dst, {
     recursive: true,
     force: true,
     verbatimSymlinks: true,
-    filter: (srcEntry) => srcEntry === src || !blockSet.has(basename(srcEntry))
+    filter: (srcEntry) => srcEntry === src || !isDeniedName(blockSet, basename(srcEntry))
   });
 }
 function prunePreservingBy(src, dst, isPreserved) {
@@ -4989,6 +5063,7 @@ function copyExtrasFilteredPreservingBy(src, dst, isPreserved) {
     if (dstStat.isDirectory()) prunePreservingBy(src, dst, isPreserved);
     else rmSync11(dst, { recursive: true, force: true });
   }
+  stripCollidingDstSymlinks(src, dst, isPreserved);
   cpSync6(src, dst, {
     recursive: true,
     force: true,
@@ -5266,7 +5341,7 @@ function isGsdOwned(name) {
   return name.startsWith(GSD_PREFIX);
 }
 function isSkillExcluded(name) {
-  return isGsdOwned(name) || ALWAYS_NEVER_SYNC.has(name);
+  return isGsdOwned(name) || isDeniedName(ALWAYS_NEVER_SYNC, name);
 }
 function copySkillsPush(src, dst) {
   const srcNames = readdirSync13(src, { encoding: "utf8" });
@@ -5925,7 +6000,7 @@ function isNeverSync(path) {
   const blockSet = blockSetFor(segments);
   const scan = segments[0] === "shared" && segments[1] === "extras" ? segments.slice(4) : segments;
   for (const segment of scan) {
-    if (blockSet.has(segment)) return true;
+    if (isDeniedName(blockSet, segment)) return true;
   }
   return false;
 }
@@ -6843,7 +6918,7 @@ function parsePushArgs(argv) {
 // package.json
 var package_default = {
   name: "claude-nomad",
-  version: "0.53.1",
+  version: "0.53.2",
   type: "module",
   description: "Sync Claude Code config (~/.claude/) across machines via a private Git repo, with path remapping and per-host settings overrides.",
   keywords: [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-nomad",
-  "version": "0.53.1",
+  "version": "0.53.2",
   "type": "module",
   "description": "Sync Claude Code config (~/.claude/) across machines via a private Git repo, with path remapping and per-host settings overrides.",
   "keywords": [