@fnclaude/cli 1.1.0 → 2.0.0

package/src/pty.ts

@@ -1,380 +0,0 @@
-/**
- * Shared PTY scaffolding — RingBuffer, cross-cwd detection regex,
- * reconstructArgv helper, ensureCWD safety wrapper, and the platform-
- * dispatching `runWithPTY` entry point.
- *
- * Ported from src/pty_run.go in the Go reference (fnclaude@fnrhombus).
- *
- * Platform-specific spawn lives in:
- *   - src/pty/unix.ts    — node-pty under POSIX
- *   - src/pty/windows.ts — direct child_process.spawn, no PTY (stub)
- */
-
-import { mkdir, rmdir, stat } from 'node:fs/promises';
-import type { Stats } from 'node:fs';
-import { dirname, isAbsolute, resolve as resolvePath } from 'node:path';
-import type { Config } from './config.js';
-import { errorMessage } from './errors.js';
-import type { HandoffSpec } from './handoff.js';
-import { isFlag, isMagicWord, preserveArgs, splitLeadingMagic } from './args/preserve.js';
-
-// ── RingBuffer ─────────────────────────────────────────────────────────────
-
-/**
- * Capacity of the PTY output tail kept for the post-exit cross-cwd scan.
- *
- * Sized to comfortably hold the cross-cwd message plus all the screen-cleanup
- * escapes claude emits while tearing down its TUI on exit. An earlier 4 KB
- * value was just big enough for the original captured fixture but failed in
- * the wild when claude 2.1.143 emitted more trailing cleanup before exit —
- * the message rotated out of the tail and the intercept silently failed.
- */
-export const RING_BUFFER_SIZE = 64 * 1024;
-
-/**
- * Fixed-capacity circular byte buffer. Writes that overflow the capacity
- * discard the oldest data. Only the most recent `cap` bytes are kept, which
- * is all we need for post-exit pattern scanning.
- *
- * Implementation note: backed by a Node Buffer (vs Uint8Array) so the
- * outbound `bytes()` slice is already in the form that node:net /
- * RegExp.exec(buffer.toString('utf8' | 'binary')) callers expect.
- */
-export class RingBuffer {
-  private readonly buf: Buffer;
-  readonly cap: number;
-  private pos = 0;
-  private full = false;
-
-  constructor(capacity: number) {
-    if (!Number.isInteger(capacity) || capacity <= 0) {
-      throw new RangeError(`RingBuffer capacity must be a positive integer, got ${capacity}`);
-    }
-    this.cap = capacity;
-    this.buf = Buffer.alloc(capacity);
-  }
-
-  /** Append data, dropping oldest bytes when full. */
-  write(p: Buffer | Uint8Array | string): void {
-    const data = typeof p === 'string' ? Buffer.from(p) : Buffer.from(p);
-    if (data.length === 0) return;
-    // For oversize writes (> cap) skip ahead — the prefix we'd write would
-    // be immediately overwritten by the suffix. Land on a clean state where
-    // pos = 0, full = true, and we copy the trailing `cap` bytes in one go.
-    let src = 0;
-    if (data.length > this.cap) {
-      src = data.length - this.cap;
-      this.full = true;
-      this.pos = 0;
-    }
-    // Copy in up to two chunks: from src to end-of-buf, then wrapped around
-    // from start-of-buf for the remainder. `Buffer.copy` is a memcpy under
-    // the hood — substantially cheaper than the per-byte assignment loop
-    // this replaces, for the same final buffer state.
-    while (src < data.length) {
-      const writable = Math.min(data.length - src, this.cap - this.pos);
-      data.copy(this.buf, this.pos, src, src + writable);
-      src += writable;
-      this.pos = (this.pos + writable) % this.cap;
-      if (this.pos === 0) this.full = true;
-    }
-  }
-
-  /** Return ring contents in chronological order (oldest first). */
-  bytes(): Buffer {
-    if (!this.full) {
-      return Buffer.from(this.buf.subarray(0, this.pos));
-    }
-    return Buffer.concat([
-      this.buf.subarray(this.pos),
-      this.buf.subarray(0, this.pos),
-    ]);
-  }
-}
-
-// ── cross-cwd detection ────────────────────────────────────────────────────
-
-/**
- * Matches the cd-and-resume line claude prints when the selected session
- * belongs to a different directory. SOURCE OF TRUTH — keep byte-for-byte
- * identical to src/pty_run.go's `crossCwdRe`.
- *
- * We can't anchor on the "This conversation is from a different directory."
- * preamble: claude's TUI emits cursor-right escapes (e.g. `\x1b[1C`) between
- * words instead of literal spaces, so that sentence is never plain-text in
- * the PTY stream. The "To resume, run:" line, by contrast, is rendered as
- * plain ASCII with real spaces, as is the `cd <path> && claude --resume <uuid>`
- * command — both anchors survive the TUI rendering intact.
- *
- * The `[\s\S]*?` between anchors swallows whatever ANSI / CR / cursor-move
- * goo appears between the two lines (varies by terminal width and TUI
- * layout — observed: `\x1b[K\r\x1b[1C\x1b[1B`).
- */
-export const crossCwdRe =
-  /To resume, run:[\s\S]*?cd (\S+) && claude --resume ([0-9a-fA-F-]{36})/g;
-
-export interface CrossCwdMatch {
-  dest: string;
-  uuid: string;
-}
-
-/**
- * Scan `tail` for the cross-cwd redirect message. Returns undefined when no
- * match is found OR when the captured `dest` fails safety validation.
- * When multiple matches appear (unlikely but defensive), the LAST match
- * wins.
- *
- * Security note: the `dest` capture flows into `silentRelaunch` and
- * becomes the cwd for the relaunched process. The PTY stream is not a
- * trusted channel — a hostile MCP tool (or any subprocess that prints to
- * claude's terminal) can emit a fake "To resume, run: cd /tmp/evil &&
- * claude --resume <uuid>" line and steer the parent into relaunching in
- * an attacker-controlled directory. We refuse to act on a dest unless
- * it's an absolute path that survives canonicalisation unchanged and
- * contains no null bytes / `..` segments.
- */
-export function detectCrossCwd(tail: Buffer): CrossCwdMatch | undefined {
-  // Decode as Latin-1 so every byte maps to a code unit; the regex matches
-  // ASCII anchors so the multi-byte representation of any non-ASCII bytes
-  // never participates in a match. This is the JS equivalent of Go's
-  // []byte-scanning behavior.
-  const s = tail.toString('latin1');
-  // matchAll iterates from a fresh internal cursor each call — no
-  // module-level `lastIndex` to reset. The exported `crossCwdRe` stays
-  // `g`-flagged (matchAll requires it) but is only ever consumed as an
-  // anchor for tests / the source-of-truth comparison.
-  let last: RegExpMatchArray | undefined;
-  for (const m of s.matchAll(crossCwdRe)) {
-    last = m;
-  }
-  if (last === undefined) return undefined;
-  const dest = last[1]!;
-  if (!isSafeDest(dest)) return undefined;
-  return { dest, uuid: last[2]! };
-}
-
-/**
- * Reject `dest` values that shouldn't be honored as relaunch cwds:
- *  - contains a null byte
- *  - is not an absolute path (a relative dest would resolve against
- *    whatever the current cwd happens to be — non-obvious to a user
- *    reading the relaunch and easy to abuse)
- *  - contains a `..` segment delimited by `/` (path traversal)
- *  - doesn't round-trip through `path.resolve` (catches `/foo/./bar`,
- *    trailing slashes, and any other non-canonical form a peer might
- *    cook up to slip past parent-segment detection)
- *
- * On Windows we'd also want backslash handling; the cross-cwd-resume
- * flow is POSIX-only by design (the Windows PTY stub disables it) so
- * this validator targets POSIX paths.
- */
-function isSafeDest(dest: string): boolean {
-  if (dest.includes('\x00')) return false;
-  if (!isAbsolute(dest)) return false;
-  if (dest.split('/').includes('..')) return false;
-  if (resolvePath(dest) !== dest) return false;
-  return true;
-}
-
-// ── reconstructArgv ────────────────────────────────────────────────────────
-
-/**
- * Build the new fnclaude argument list when silently relaunching after a
- * cross-cwd session resume.
- *
- * `origArgs` is `process.argv.slice(2)` from the original invocation.
- * `dest` is the destination directory extracted from claude's message;
- * `uuid` is the session id to resume.
- *
- * Algorithm (delegated to preserveArgs): keep leading magic words, strip
- * positional path tokens, keep everything from the first flag onward (no
- * denylist — cross-cwd resume preserves all flags).
- *
- * Result: preserved_magic + [dest] + ["--resume", uuid] + rest.
- *
- * Note: if the original argv already contained --resume / -r / --continue /
- * -c, the picker wouldn't have been shown, the cross-cwd pattern wouldn't
- * have been emitted, and this function wouldn't be called. No special-case
- * is needed for those flags.
- */
-export function reconstructArgv(
-  origArgs: readonly string[],
-  dest: string,
-  uuid: string,
-): string[] {
-  const preserved = preserveArgs(origArgs, null, null);
-  const { magic, rest } = splitLeadingMagic(preserved);
-  return [...magic, dest, '--resume', uuid, ...rest];
-}
-
-// Re-export magic helpers so callers can do everything via the pty module.
-export { isFlag, isMagicWord, splitLeadingMagic };
-
-// ── clearScreen ────────────────────────────────────────────────────────────
-
-/**
- * Write the ANSI escape sequence that clears the screen and moves the
- * cursor to the top-left. Called before relaunching to hide the brief
- * flicker of the "different directory" message that already scrolled to
- * the terminal before we detected it.
- */
-export function clearScreen(out: NodeJS.WriteStream = process.stdout): void {
-  out.write('\x1b[2J\x1b[H');
-}
-
-// ── ensureCWD ──────────────────────────────────────────────────────────────
-
-export interface EnsureCWDHandle {
-  /**
-   * Best-effort tear-down of any directory tree fabricated by ensureCWD.
-   * Walks back through the dirs we created (deepest first). A dir that
-   * was already removed by something else is treated as success
-   * (postcondition already satisfied). A dir that's unexpectedly
-   * non-empty surfaces as a thrown error.
-   */
-  cleanup(): Promise<void>;
-}
-
-/**
- * Guarantee `dir` exists at the moment of process spawn.
- *
- * Motivation: when fnclaude resumes a session whose stored cwd no longer
- * exists on disk, the kernel returns ENOENT during exec — but Node /
- * Bun formats that against the binary path ("ENOENT … spawn …"), which
- * falsely blames the claude binary. The fix is to ensure the cwd exists
- * before spawn. When it doesn't, we fabricate the full tree, then
- * IMMEDIATELY unwind it after the child has been spawned — once claude
- * has chdir'd into the dir its kernel cwd is held by inode reference and
- * the path on disk is no longer needed.
- *
- * If the path exists but isn't a directory, ensureCWD rejects without
- * touching the filesystem. If the path doesn't exist and an ancestor is
- * a file, ensureCWD likewise rejects without touching the filesystem.
- */
-export async function ensureCWD(dir: string): Promise<EnsureCWDHandle> {
-  let info: Stats | undefined;
-  try {
-    info = await stat(dir);
-  } catch (err) {
-    if ((err as NodeJS.ErrnoException).code !== 'ENOENT') throw err;
-  }
-  if (info !== undefined) {
-    if (!info.isDirectory()) {
-      throw new Error(`session cwd ${dir} exists but is not a directory`);
-    }
-    return { cleanup: async () => undefined };
-  }
-
-  // Walk up to find the deepest pre-existing ancestor, recording every
-  // missing level shallowest-first. We mkdir each level explicitly (rather
-  // than calling mkdir({recursive: true})) so cleanup only touches dirs
-  // we actually created.
-  const missing: string[] = [];
-  let p = dir;
-  for (;;) {
-    missing.unshift(p);
-    const parent = dirname(p);
-    if (parent === p) {
-      throw new Error(`session cwd ${dir} does not exist and has no existing ancestor`);
-    }
-    let parentInfo: Stats | undefined;
-    try {
-      parentInfo = await stat(parent);
-    } catch (err) {
-      if ((err as NodeJS.ErrnoException).code !== 'ENOENT') throw err;
-    }
-    if (parentInfo !== undefined) {
-      if (!parentInfo.isDirectory()) {
-        throw new Error(
-          `session cwd ${dir} cannot be created: ancestor ${parent} is not a directory`,
-        );
-      }
-      break;
-    }
-    p = parent;
-  }
-
-  const created: string[] = []; // shallowest-first; cleanup reverses
-  for (const level of missing) {
-    try {
-      await mkdir(level, { mode: 0o755 });
-    } catch (err) {
-      // Roll back what we already created so we leave the filesystem
-      // exactly as we found it.
-      for (let i = created.length - 1; i >= 0; i--) {
-        try {
-          await rmdir(created[i]!);
-        } catch {
-          // best-effort
-        }
-      }
-      throw new Error(
-        `session cwd ${dir} does not exist and could not be created: ${errorMessage(err)}`,
-      );
-    }
-    created.push(level);
-  }
-
-  return {
-    cleanup: async () => {
-      for (let i = created.length - 1; i >= 0; i--) {
-        const level = created[i]!;
-        try {
-          // rmdir() — non-recursive — so a non-empty dir surfaces as an
-          // error rather than nuking unexpected content.
-          await rmdir(level);
-        } catch (err) {
-          const code = (err as NodeJS.ErrnoException).code;
-          if (code === 'ENOENT') continue; // already gone — fine
-          throw new Error(`could not clean up auto-created ${level}: ${errorMessage(err)}`);
-        }
-      }
-    },
-  };
-}
-
-// ── runWithPTY ─────────────────────────────────────────────────────────────
-
-/**
- * Result returned by `runWithPTY`. `tail` is the ring buffer contents at
- * the moment the child exited; `handoffArgv` is populated only when the
- * socket listener fired `triggered()` and stashed a relaunch argv.
- *
- * On Windows the tail is undefined (no PTY, no ring buffer,
- * cross-cwd-resume is a no-op).
- */
-export interface RunResult {
-  exitCode: number;
-  tail: Buffer | undefined;
-  handoffArgv: string[] | undefined;
-}
-
-export interface RunOptions {
-  /**
-   * argv to invoke. claudeArgv[0] is conventionally the program name and
-   * is ignored by the spawn; claudeArgv.slice(1) is passed as positional
-   * args to the child.
-   */
-  claudeArgv: string[];
-  launchCWD: string;
-  cfg: Config;
-  /** Undefined disables handoff (no env injection, no listener). */
-  handoff: HandoffSpec | undefined;
-}
-
-/**
- * Spawn claude under a PTY (POSIX) or with inherited stdio (Windows),
- * starting the AF_UNIX listener first when `handoff` is set so the socket
- * is ready the moment the child starts.
- *
- * The implementation lives in pty/unix.ts or pty/windows.ts; this is the
- * dispatcher.
- */
-export async function runWithPTY(opts: RunOptions): Promise<RunResult> {
-  if (process.platform === 'win32') {
-    const mod = await import('./pty/windows.js');
-    return mod.runWithPTY(opts);
-  }
-  const mod = await import('./pty/unix.js');
-  return mod.runWithPTY(opts);
-}

package/src/repoRef.ts

@@ -1,158 +0,0 @@
-// Parse user-typed repo references into structured RepoRef values.
-// Ported from src/repo_ref.go.
-//
-// Supported input forms (with optional "+workspace" suffix on any of them):
-//
-//   <name>                                    → { name }
-//   <name>@<owner>                            → { name, owner }
-//   <owner>/<name>                            → { owner, name }
-//   gh:<owner>/<name>                         → { owner, name, host: "github.com" }
-//   https://<host>/<owner>/<name>[.git]       → { host, owner, name }
-//   git@<host>:<owner>/<name>[.git]           → { host, owner, name }
-//   ssh://[user@]<host>/<owner>/<name>[.git]  → { host, owner, name }
-//
-// Inputs starting with `/` or `~/` are NOT repo refs (they're paths); the
-// caller short-circuits before this function.
-//
-// Returns undefined when the input is empty or otherwise unparseable. The
-// Go version returns (RepoRef, error); the TS port branches on undefined
-// instead, which matches the rest of the CLI's "no exceptions for
-// user-input validation" style.
-
-export interface RepoRef {
-  /**
-   * Host is the resolved hostname (e.g. "github.com"). Empty when the user
-   * didn't include one (bare name, owner/name, name@owner). Callers default
-   * to "github.com" when empty (see `effectiveHost`).
-   */
-  readonly host: string;
-
-  /**
-   * Owner is the repo's owner/org. Empty when the user typed only a bare
-   * name; the resolver fills it by searching the user's orgs.
-   */
-  readonly owner: string;
-
-  /** Repo name. Always populated after a successful parse. */
-  readonly name: string;
-
-  /**
-   * Workspace is the "+workspace" suffix when present. Maps to claude's
-   * --worktree flag and the plugin's worktreeTemplate.
-   */
-  readonly workspace: string;
-
-  /** Original raw input, retained for error messages. */
-  readonly original: string;
-
-  /** True when owner was supplied explicitly (no org search needed). */
-  readonly hasResolvedOwner: boolean;
-
-  /** Host if set, else "github.com". */
-  readonly effectiveHost: string;
-}
-
-const URL_RE =
-  /^(?:(?:https?|ssh):\/\/(?:[^@/]+@)?)([^:/]+)\/([^/]+)\/([^/]+?)(?:\.git)?\/?$/;
-const SCP_RE = /^git@([^:]+):([^/]+)\/([^/]+?)(?:\.git)?\/?$/;
-
-export function parseRepoRef(input: string): RepoRef | undefined {
-  if (input === '') return undefined;
-
-  // Split off workspace suffix first.
-  let body = input;
-  let workspace = '';
-  const plusIdx = body.indexOf('+');
-  if (plusIdx >= 0) {
-    workspace = body.slice(plusIdx + 1);
-    body = body.slice(0, plusIdx);
-    if (workspace === '') return undefined; // trailing `+` with no workspace
-  }
-
-  // URL forms.
-  // RegExp.exec returns null for "no match" — third-party API shape, kept
-  // verbatim rather than coerced.
-  const urlMatch = URL_RE.exec(body);
-  if (urlMatch !== null) {
-    return finalise({
-      host: urlMatch[1]!,
-      owner: urlMatch[2]!,
-      name: urlMatch[3]!,
-      workspace,
-      original: input,
-    });
-  }
-  const scpMatch = SCP_RE.exec(body);
-  if (scpMatch !== null) {
-    return finalise({
-      host: scpMatch[1]!,
-      owner: scpMatch[2]!,
-      name: scpMatch[3]!,
-      workspace,
-      original: input,
-    });
-  }
-
-  // gh:owner/name shorthand.
-  if (body.startsWith('gh:')) {
-    const rest = body.slice(3);
-    const slashIdx = rest.indexOf('/');
-    if (slashIdx > 0 && slashIdx < rest.length - 1) {
-      const owner = rest.slice(0, slashIdx);
-      const name = rest.slice(slashIdx + 1);
-      if (containsAny(owner, '/@:') || containsAny(name, '/@:')) return undefined;
-      return finalise({ host: 'github.com', owner, name, workspace, original: input });
-    }
-    return undefined;
-  }
-
-  // owner/name (single slash, no scheme).
-  const slashIdx = body.indexOf('/');
-  if (slashIdx > 0) {
-    // Reject multiple slashes (ambiguous).
-    if (body.indexOf('/', slashIdx + 1) >= 0) return undefined;
-    const owner = body.slice(0, slashIdx);
-    const name = body.slice(slashIdx + 1);
-    if (containsAny(owner, '@:') || containsAny(name, '@:')) return undefined;
-    if (owner === '' || name === '') return undefined;
-    return finalise({ host: '', owner, name, workspace, original: input });
-  }
-
-  // name@owner.
-  const atIdx = body.indexOf('@');
-  if (atIdx > 0) {
-    const name = body.slice(0, atIdx);
-    const owner = body.slice(atIdx + 1);
-    if (containsAny(owner, '@:/') || containsAny(name, '@:/')) return undefined;
-    if (owner === '' || name === '') return undefined;
-    return finalise({ host: '', owner, name, workspace, original: input });
-  }
-
-  // Bare name. Defense-in-depth: reject anything that looks like a special
-  // form we already had a chance to match.
-  if (containsAny(body, '/@:')) return undefined;
-  return finalise({ host: '', owner: '', name: body, workspace, original: input });
-}
-
-interface RepoRefCore {
-  host: string;
-  owner: string;
-  name: string;
-  workspace: string;
-  original: string;
-}
-
-function finalise(core: RepoRefCore): RepoRef {
-  return {
-    ...core,
-    hasResolvedOwner: core.owner !== '',
-    effectiveHost: core.host === '' ? 'github.com' : core.host,
-  };
-}
-
-function containsAny(s: string, chars: string): boolean {
-  for (const c of chars) {
-    if (s.includes(c)) return true;
-  }
-  return false;
-}

package/src/repoSettings.ts

@@ -1,144 +0,0 @@
-// Port of src/repo_settings.go (fnclaude/fnclaude Go reference).
-//
-// Read the `repoSettings` block from Claude Code's four settings tiers,
-// shallow-merged per field. Documented precedence (highest → lowest):
-//
-//   managed > local > project > user
-//
-// Mirrors the JS plugin's settings.ts behavior so both consumers agree on
-// what each tier provides.
-
-import { readFileSync } from 'node:fs';
-import { homedir, platform } from 'node:os';
-import { join } from 'node:path';
-import { errorMessage } from './errors.js';
-
-/**
- * fnclaude's view of the shared `repoSettings` block. Only the keys
- * fnclaude consumes are documented as load-bearing here; the plugin-only
- * keys (worktreeTemplate, branchTemplate, gateEnvVar) are decoded for
- * completeness so callers can inspect them, but fnclaude doesn't act on
- * them.
- */
-export interface RepoSettings {
-  /** Template fnclaude uses to compute where a freshly-cloned repo should live. */
-  cloneTemplate?: string;
-  /** Template the worktree-paths plugin uses for `claude --worktree`. */
-  worktreeTemplate?: string;
-  /** Template the worktree-paths plugin uses for newly-created worktree branch names. */
-  branchTemplate?: string;
-  /** Env-var name the plugin uses to conditionally apply its templates. */
-  gateEnvVar?: string;
-}
-
-interface SettingsFile {
-  repoSettings?: RepoSettings;
-}
-
-function home(): string {
-  return process.env.HOME ?? homedir();
-}
-
-/**
- * Result of a repo-settings load: the merged settings plus any non-fatal
- * warnings (e.g. malformed JSON files that were skipped). Mirrors
- * `LoadConfigResult` so the caller can thread warnings into the deferred
- * flush.
- */
-export interface LoadRepoSettingsResult {
-  settings: RepoSettings;
-  warnings: readonly string[];
-}
-
-/**
- * Resolve the four-tier merge for the user's environment.
- * `projectRoot` is the cwd Claude Code anchors project/local tiers
- * against — typically the launch cwd or the resolved git toplevel.
- */
-export function loadRepoSettings(
-  homeDir: string,
-  projectRoot: string,
-): LoadRepoSettingsResult {
-  const paths: string[] = [
-    join(homeDir, '.claude', 'settings.json'), // user
-    join(projectRoot, '.claude', 'settings.json'), // project
-    join(projectRoot, '.claude', 'settings.local.json'), // local
-  ];
-  const mp = managedSettingsPath();
-  if (mp) paths.push(mp);
-  return mergeRepoSettings(paths);
-}
-
-/**
- * Read each path (if it exists) and merge per-field with later entries
- * winning over earlier ones. Missing files are silently skipped (the
- * fail-soft posture the plugin matches); malformed files produce a
- * warning so the user can fix them rather than wondering why their
- * settings don't apply.
- */
-export function mergeRepoSettings(paths: string[]): LoadRepoSettingsResult {
-  const merged: RepoSettings = {};
-  const warnings: string[] = [];
-  for (const p of paths) {
-    const { settings: f, warning } = readRepoSettings(p);
-    if (warning !== undefined) warnings.push(warning);
-    if (!f) continue;
-    // Shallow-merge per field: only overwrite when the higher tier sets
-    // a non-empty value.
-    if (f.cloneTemplate) merged.cloneTemplate = f.cloneTemplate;
-    if (f.worktreeTemplate) merged.worktreeTemplate = f.worktreeTemplate;
-    if (f.branchTemplate) merged.branchTemplate = f.branchTemplate;
-    if (f.gateEnvVar) merged.gateEnvVar = f.gateEnvVar;
-  }
-  return { settings: merged, warnings };
-}
-
-interface ReadRepoSettingsResult {
-  settings: RepoSettings | undefined;
-  warning: string | undefined;
-}
-
-function readRepoSettings(path: string): ReadRepoSettingsResult {
-  let data: string;
-  try {
-    data = readFileSync(path, 'utf8');
-  } catch {
-    // Missing file is the common path — stay silent.
-    return { settings: undefined, warning: undefined };
-  }
-  let f: SettingsFile;
-  try {
-    f = JSON.parse(data) as SettingsFile;
-  } catch (err) {
-    return {
-      settings: undefined,
-      warning: `fnclaude: repo-settings file ${path} is malformed, skipping: ${errorMessage(err)}`,
-    };
-  }
-  return { settings: f.repoSettings ?? undefined, warning: undefined };
-}
-
-/**
- * Platform-specific path to Claude Code's managed-settings.json, or
- * `undefined` on platforms with no such convention.
- */
-export function managedSettingsPath(): string | undefined {
-  switch (platform()) {
-    case 'linux':
-      return '/etc/claude-code/managed-settings.json';
-    case 'darwin':
-      return '/Library/Application Support/ClaudeCode/managed-settings.json';
-    case 'win32': {
-      const pd = process.env.ProgramData;
-      if (pd) return join(pd, 'ClaudeCode', 'managed-settings.json');
-      return undefined;
-    }
-    default:
-      return undefined;
-  }
-}
-
-// Re-export for callers that don't pass homeDir explicitly.
-export function userHome(): string {
-  return home();
-}