feat: add git-managed PAI context and session sync

[pascalandr]

Summary

• Adds explicit Git-managed PAI root support outside the project worktree.
• Adds scoped global/workspace PAI context injection while keeping NomadWorks docs/tasks/SCRs as workflow source of truth.
• Adds native OpenCode session export/import tools backed by the workspace PAI manifest.
• Adds Git sync status/pull/push tools with explicit failure/no-change behavior.

Why

Long-term AI memory should be portable, auditable, and mergeable through Git rather than hidden inside the project worktree or a custom merge format. Session export/import belongs with this PR because sessions are part of the same portability story: sync the PAI repo, then import/export OpenCode sessions through native OpenCode commands.

Review notes

• Independent PR targeting dev.
• Excludes auto-onboarding load-time repo scaffolding.
• PAI is subordinate context/memory; it does not replace NomadWorks tasks, SCRs, evidence, docs, or CodeMaps.
• The PAI root is required to be external to the workspace to avoid branch-local memory pollution.

Verification

• Branch verification: npm test — PASS, 20 tests.

[pascalandr]

@CodeNomadBot

I want you to perform the gatekeeper checks for latest PR state

check for regressions
check for better possible implementations
Be the PR gatekeeper
Be ruthless about code quality

[codenomadbot]

Request understood: I reviewed the latest PR state as a gatekeeper for regressions, implementation quality, and better alternatives. Assumption: this was a review-only request, not a request to patch the PR.

Gatekeeper Result: Changes Requested

Findings

1. High: workspace PAI identity is worktree-local, not repository-stable

   src/index.js:94-100 and src/index.js:114-116 derive the PAI workspace path from path.basename(worktree). In CodeNomad this PR's worktree basename is codenomad-pr-5, and other branches/clones/users will have different basenames. That means the same repository can write to different WORKSPACES/<id>/ folders depending on checkout path, which defeats the PR goal of portable, mergeable, repo-scoped PAI memory and risks branch/worktree memory fragmentation.

   Better implementation: derive the workspace ID from a stable repository identity, such as normalized Git remote URL/full name, with an explicit config override like pai.workspace.id for edge cases. Add a test proving two different worktree paths for the same repo resolve to the same PAI workspace ID.

2. High: session export stores raw OpenCode exports in Git by default instead of using native sanitization

   src/index.js:225-235 runs opencode export <sessionId> and writes the result directly into the PAI repo after only a local regex scan. The OpenCode CLI supports opencode export --sanitize, and this feature is explicitly writing session data to a Git-managed memory repo. Regex screening is not a sufficient secret boundary for transcripts, file snapshots, or provider/tool outputs.

   Better implementation: export sanitized session JSON by default, and only allow raw export through an explicit opt-in argument with clear naming and documentation. Add tests that the spawned export command includes --sanitize by default and that raw export is deliberate if supported.

3. Medium: tools can create/use a non-Git PAI root despite the feature being Git-managed

   src/index.js:118-130 validates that the configured PAI root is outside the workspace, but it does not validate that the root is a Git repository. Then src/index.js:203-205 creates workspace export folders under whatever external path was configured. This allows durable PAI/session state to accumulate outside Git while docs and tool messages describe the root as Git-managed and syncable.

   Better implementation: require .git for mutating sync/session tools, or make the behavior explicit by separating unmanaged local PAI from Git-backed PAI. At minimum, nomadworks_session_export should fail fast when the configured root is not a Git repository if the product contract is Git-managed portability.

Verification

• npm ci completed successfully, but reported 3 dependency audit findings from the current dependency tree.
• npm test passed: 2 suites, 20 tests.
• npm run build passed: dist/ built successfully.
• git diff --check origin/dev...HEAD passed with no whitespace errors.

Merge Recommendation

Do not merge yet. The implementation is close, but the workspace identity bug is a core portability regression, and raw session export into a Git-backed memory repo is too risky for the stated feature goals.

--
Yours,
CodeNomadBot

[pascalandr]

@CodeNomadBot
same review

[codenomadbot]

Request understood: I reran the same gatekeeper review against the latest PR state. Assumption: this was a review-only request, not a request to patch the branch.

Gatekeeper Result: No Blocking Findings

The two follow-up commits materially address the prior blockers:

• Workspace PAI identity is no longer derived only from the local worktree basename. src/index.js now prefers pai.workspace.id, then Git remote identity, then package repository identity, with fallback only at the end. Tests cover stable identity across separate worktree paths and explicit override behavior.
• Session export now uses opencode export --sanitize <sessionID> by default and records sanitized: true in the manifest entry. Raw export requires explicit raw_export: true, and tests cover both paths.
• Session import/export now fail fast when the configured PAI root is not a Git repository, preventing unmanaged durable PAI/session state from being silently written outside Git.

Review Notes

I did not find a current regression severe enough to block merge. The implementation is still somewhat large inside src/index.js, but the added behavior is cohesive with the existing plugin structure and is now covered by targeted tests.

One non-blocking caution: npm audit --audit-level=high reports existing dependency advisories, including a high-severity picomatch advisory and moderate yaml/brace-expansion advisories. This PR does not appear to change the dependency graph, so I would not block this PR on that unless the project treats audits as a merge gate.

Verification

• git diff --check origin/dev...HEAD passed with no whitespace errors.
• npm test passed: 3 suites, 27 tests.
• npm run build passed: dist/ built successfully.
• Worktree remained clean after verification.

Merge Recommendation

Mergeable from this gatekeeper pass.

--
Yours,
CodeNomadBot