@hasna/accounts 0.1.19 → 0.1.20

package/dist/mcp.js

@@ -16665,57 +16665,126 @@ class AccountsError extends Error {
 
 // src/storage.ts
 import { homedir } from "node:os";
-import { join } from "node:path";
+import { join as join2 } from "node:path";
 import { chmodSync, existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync, writeFileSync } from "node:fs";
 
 // src/lib/safe-path.ts
 import { existsSync, lstatSync, mkdirSync, realpathSync } from "node:fs";
-import { dirname, resolve } from "node:path";
+import { dirname, isAbsolute, join, parse as parse5, relative, resolve, sep } from "node:path";
+function lstatIfExists(path) {
+  try {
+    return lstatSync(path);
+  } catch (err) {
+    if (err.code !== "ENOENT")
+      throw err;
+    return;
+  }
+}
 function throwIfSymlink(path, label) {
-  if (existsSync(path) && lstatSync(path).isSymbolicLink()) {
+  if (lstatIfExists(path)?.isSymbolicLink()) {
     throw new AccountsError(`${label}: ${path}`);
   }
 }
-function assertDirChainSafe(targetFile, mustStayUnder) {
-  const absFile = resolve(targetFile);
-  const parent = dirname(absFile);
-  const base = mustStayUnder ? resolve(mustStayUnder) : undefined;
-  if (base) {
-    const rel = absFile.startsWith(base + "/") ? absFile.slice(base.length + 1) : "";
-    if (!rel && absFile !== base) {
-      throw new AccountsError(`refusing to write outside profile directory: ${targetFile}`);
-    }
-    const segments = rel.split("/").filter(Boolean);
-    if (segments.some((s) => s === "..")) {
-      throw new AccountsError(`refusing path traversal: ${targetFile}`);
-    }
-    let cursor = base;
-    for (let i = 0;i < segments.length - 1; i++) {
-      cursor = resolve(cursor, segments[i]);
-      throwIfSymlink(cursor, "refusing to write under symlink directory");
-    }
-  } else {
-    let cursor = parent;
-    for (;; ) {
-      throwIfSymlink(cursor, "refusing to write under symlink directory");
-      const next = dirname(cursor);
-      if (next === cursor)
-        break;
-      cursor = next;
+function isAllowedSystemDirectorySymlink(path) {
+  if (path !== "/var" && path !== "/tmp")
+    return false;
+  try {
+    return realpathSync(path) === `/private${path}`;
+  } catch {
+    return false;
+  }
+}
+function assertDirectory(path, label, opts) {
+  const stat = lstatIfExists(path);
+  if (!stat) {
+    throw new AccountsError(`refusing to write under missing directory: ${path}`);
+  }
+  if (stat.isSymbolicLink()) {
+    if (opts?.allowSystemSymlink && isAllowedSystemDirectorySymlink(path))
+      return;
+    throw new AccountsError(`${label}: ${path}`);
+  }
+  if (!stat.isDirectory()) {
+    throw new AccountsError(`refusing to write under non-directory path: ${path}`);
+  }
+}
+function assertInsideBase(absPath, base, originalPath) {
+  const rel = relative(base, absPath);
+  if (rel === "")
+    return rel;
+  if (rel === ".." || rel.startsWith(".." + sep) || isAbsolute(rel)) {
+    throw new AccountsError(`refusing to write outside profile directory: ${originalPath}`);
+  }
+  return rel;
+}
+function assertExistingDirectoryComponentsSafe(path, label) {
+  const root = parse5(path).root;
+  const rel = relative(root, path);
+  const segments = rel ? rel.split(sep).filter(Boolean) : [];
+  let cursor = root;
+  assertDirectory(cursor, label, { allowSystemSymlink: true });
+  for (const segment of segments) {
+    cursor = join(cursor, segment);
+    if (!lstatIfExists(cursor))
+      return;
+    assertDirectory(cursor, label, { allowSystemSymlink: true });
+  }
+}
+function ensureBoundaryRootSafe(base) {
+  const missing = [];
+  let cursor = base;
+  while (!lstatIfExists(cursor)) {
+    missing.unshift(cursor);
+    const parent = dirname(cursor);
+    if (parent === cursor)
+      break;
+    cursor = parent;
+  }
+  assertDirectory(cursor, "refusing to use symlink base directory");
+  for (const dir of missing) {
+    if (lstatIfExists(dir)) {
+      assertDirectory(dir, "refusing to use symlink base directory");
+    } else {
+      mkdirSync(dir);
+      assertDirectory(dir, "refusing to use symlink base directory");
+    }
+  }
+  assertDirectory(base, "refusing to use symlink base directory");
+}
+function ensureDirectoryChainSafe(parent, startAt) {
+  const root = startAt ?? parse5(parent).root;
+  const rel = relative(root, parent);
+  const segments = rel ? rel.split(sep).filter(Boolean) : [];
+  let cursor = root;
+  if (startAt)
+    assertDirectory(startAt, "refusing to write under symlink directory");
+  for (const segment of segments) {
+    cursor = join(cursor, segment);
+    if (lstatIfExists(cursor)) {
+      assertDirectory(cursor, "refusing to write under symlink directory");
+    } else {
+      mkdirSync(cursor);
+      assertDirectory(cursor, "refusing to write under symlink directory");
     }
   }
 }
 function assertSafeWritePath(filePath, opts) {
   const absFile = resolve(filePath);
   const parent = dirname(absFile);
-  if (!existsSync(parent))
-    mkdirSync(parent, { recursive: true });
+  const base = opts?.mustStayUnder ? resolve(opts.mustStayUnder) : undefined;
+  if (base) {
+    assertInsideBase(absFile, base, filePath);
+    assertExistingDirectoryComponentsSafe(base, "refusing to use symlink base directory");
+    ensureBoundaryRootSafe(base);
+    ensureDirectoryChainSafe(parent, base);
+  } else {
+    ensureDirectoryChainSafe(parent);
+  }
   throwIfSymlink(absFile, "refusing to write through symlink");
-  assertDirChainSafe(absFile, opts?.mustStayUnder);
   const resolved = realpathSync(existsSync(absFile) ? absFile : parent);
-  if (opts?.mustStayUnder) {
-    const base = realpathSync(resolve(opts.mustStayUnder));
-    if (resolved !== base && !resolved.startsWith(base + "/")) {
+  if (base) {
+    const realBase = realpathSync(base);
+    if (resolved !== realBase && !resolved.startsWith(realBase + sep)) {
       throw new AccountsError(`refusing to write outside profile directory: ${filePath}`);
     }
   }
@@ -16744,13 +16813,13 @@ function accountsHome() {
   const override = process.env.ACCOUNTS_HOME;
   if (override && override.trim())
     return validateEnvPath(override, "ACCOUNTS_HOME");
-  return join(homedir(), ".hasna", "accounts");
+  return join2(homedir(), ".hasna", "accounts");
 }
 function storePath() {
   const override = process.env.ACCOUNTS_STORE_PATH;
   if (override && override.trim())
     return validateEnvPath(override, "ACCOUNTS_STORE_PATH");
-  return join(accountsHome(), "accounts.json");
+  return join2(accountsHome(), "accounts.json");
 }
 var EMPTY_STORE = { version: 1, current: {}, applied: {}, profiles: [], tools: [] };
 function loadStore() {
@@ -16793,7 +16862,7 @@ function loadStore() {
 function saveStore(store) {
   const path = storePath();
   assertSafeWritePath(path, { mustStayUnder: accountsHome() });
-  mkdirSync2(join(path, ".."), { recursive: true });
+  mkdirSync2(join2(path, ".."), { recursive: true });
   if (existsSync2(path))
     chmodSync(path, 384);
   writeFileSync(path, JSON.stringify(store, null, 2) + `
@@ -16803,7 +16872,7 @@ function saveStore(store) {
 
 // src/lib/tools.ts
 import { homedir as homedir2 } from "node:os";
-import { join as join2 } from "node:path";
+import { join as join3 } from "node:path";
 var BUILTIN_TOOLS = [
   {
     id: "claude",
@@ -16812,7 +16881,7 @@ var BUILTIN_TOOLS = [
     extraEnv: {
       TELEGRAM_STATE_DIR: "{profileDir}/channels/telegram"
     },
-    defaultDir: join2(homedir2(), ".claude"),
+    defaultDir: join3(homedir2(), ".claude"),
     bin: "claude",
     loginHint: "run /login inside Claude, then /exit when done",
     resumeArgs: ["--continue"],
@@ -16832,7 +16901,7 @@ var BUILTIN_TOOLS = [
     id: "codex-app",
     label: "Codex App",
     envVar: "CODEX_HOME",
-    defaultDir: join2(homedir2(), ".codex"),
+    defaultDir: join3(homedir2(), ".codex"),
     bin: "/Applications/Codex.app/Contents/MacOS/Codex",
     loginHint: "sign in inside Codex.app, then quit the app when the profile is ready",
     launchArgs: ["--user-data-dir={profileDir}/electron-user-data"],
@@ -16842,7 +16911,7 @@ var BUILTIN_TOOLS = [
     id: "codex",
     label: "Codex CLI",
     envVar: "CODEX_HOME",
-    defaultDir: join2(homedir2(), ".codex"),
+    defaultDir: join3(homedir2(), ".codex"),
     bin: "codex",
     loginArgs: ["login"],
     loginHint: "complete the Codex login flow for this CODEX_HOME",
@@ -16855,7 +16924,7 @@ var BUILTIN_TOOLS = [
     id: "takumi",
     label: "Takumi",
     envVar: "TAKUMI_CONFIG_DIR",
-    defaultDir: join2(homedir2(), ".takumi"),
+    defaultDir: join3(homedir2(), ".takumi"),
     bin: "takumi",
     loginHint: "complete Takumi auth in this TAKUMI_CONFIG_DIR",
     resumeArgs: ["--continue"],
@@ -16875,7 +16944,7 @@ var BUILTIN_TOOLS = [
     id: "gemini",
     label: "Gemini CLI",
     envVar: "GEMINI_CONFIG_DIR",
-    defaultDir: join2(homedir2(), ".gemini"),
+    defaultDir: join3(homedir2(), ".gemini"),
     bin: "gemini",
     loginHint: "complete Gemini auth in this GEMINI_CONFIG_DIR",
     permissionArgs: {
@@ -16893,7 +16962,7 @@ var BUILTIN_TOOLS = [
       XDG_CONFIG_HOME: "{profileDir}/xdg-config",
       XDG_DATA_HOME: "{profileDir}/xdg-data"
     },
-    defaultDir: join2(homedir2(), ".config", "opencode"),
+    defaultDir: join3(homedir2(), ".config", "opencode"),
     bin: "opencode",
     loginArgs: ["auth", "login"],
     loginHint: "complete opencode auth login for this isolated config/data root",
@@ -16903,7 +16972,7 @@ var BUILTIN_TOOLS = [
     id: "cursor",
     label: "Cursor Agent",
     envVar: "CURSOR_CONFIG_DIR",
-    defaultDir: join2(homedir2(), ".cursor"),
+    defaultDir: join3(homedir2(), ".cursor"),
     bin: "cursor-agent",
     loginArgs: ["login"],
     loginHint: "complete cursor-agent login for this CURSOR_CONFIG_DIR"
@@ -16912,7 +16981,7 @@ var BUILTIN_TOOLS = [
     id: "pi",
     label: "Pi Coding Agent",
     envVar: "PI_CODING_AGENT_HOME",
-    defaultDir: join2(homedir2(), ".pi"),
+    defaultDir: join3(homedir2(), ".pi"),
     bin: "pi",
     loginHint: "complete Pi coding agent auth in this PI_CODING_AGENT_HOME"
   },
@@ -16920,7 +16989,7 @@ var BUILTIN_TOOLS = [
     id: "hermes",
     label: "Hermes",
     envVar: "HERMES_HOME",
-    defaultDir: join2(homedir2(), ".hermes"),
+    defaultDir: join3(homedir2(), ".hermes"),
     bin: "hermes",
     loginHint: "complete Hermes auth in this HERMES_HOME",
     permissionArgs: {
@@ -16932,7 +17001,7 @@ var BUILTIN_TOOLS = [
     id: "kimi",
     label: "Kimi Code",
     envVar: "KIMI_CODE_HOME",
-    defaultDir: join2(homedir2(), ".kimi-code"),
+    defaultDir: join3(homedir2(), ".kimi-code"),
     bin: "kimi",
     loginArgs: ["login"],
     loginHint: "complete kimi login for this KIMI_CODE_HOME",
@@ -16947,7 +17016,7 @@ var BUILTIN_TOOLS = [
     id: "grok",
     label: "Grok Build",
     envVar: "HOME",
-    defaultDir: join2(homedir2(), ".grok"),
+    defaultDir: join3(homedir2(), ".grok"),
     bin: "grok",
     loginArgs: ["login"],
     loginHint: "complete grok login in this process-scoped HOME; prefer launch/shell over exporting HOME globally"
@@ -17067,11 +17136,11 @@ function currentProfile(toolId) {
 
 // src/lib/claude-auth.ts
 import { copyFileSync, existsSync as existsSync3, lstatSync as lstatSync2, mkdirSync as mkdirSync3, readFileSync as readFileSync2, statSync, unlinkSync, writeFileSync as writeFileSync2 } from "node:fs";
-import { dirname as dirname3, join as join4 } from "node:path";
+import { dirname as dirname3, join as join5 } from "node:path";
 
 // src/lib/claude-layout.ts
 import { homedir as homedir3 } from "node:os";
-import { dirname as dirname2, join as join3 } from "node:path";
+import { dirname as dirname2, join as join4 } from "node:path";
 var CLAUDE_KEYCHAIN_SERVICE = "Claude Code-credentials";
 var ACCOUNTS_AUTH_DIR = ".accounts-auth";
 var OAUTH_SNAPSHOT = "oauth-account.json";
@@ -17083,32 +17152,32 @@ function liveClaudeBase() {
 }
 function liveClaudePaths() {
   const base = liveClaudeBase();
-  const configDir = join3(base, ".claude");
+  const configDir = join4(base, ".claude");
   return {
     configDir,
-    homeJson: join3(base, ".claude.json"),
-    credentialsFile: join3(configDir, ".credentials.json")
+    homeJson: join4(base, ".claude.json"),
+    credentialsFile: join4(configDir, ".credentials.json")
   };
 }
 function profileAccountJsonPaths(profileDir, tool) {
   if (!tool.accountFile)
     return [];
-  const paths = [join3(profileDir, tool.accountFile)];
+  const paths = [join4(profileDir, tool.accountFile)];
   if (profileDir === tool.defaultDir)
-    paths.push(join3(dirname2(profileDir), tool.accountFile));
+    paths.push(join4(dirname2(profileDir), tool.accountFile));
   return paths;
 }
 function profileAuthDir(profileDir) {
-  return join3(profileDir, ACCOUNTS_AUTH_DIR);
+  return join4(profileDir, ACCOUNTS_AUTH_DIR);
 }
 function profileOAuthSnapshot(profileDir) {
-  return join3(profileAuthDir(profileDir), OAUTH_SNAPSHOT);
+  return join4(profileAuthDir(profileDir), OAUTH_SNAPSHOT);
 }
 function profileCredentialsSnapshot(profileDir) {
-  return join3(profileAuthDir(profileDir), CREDENTIALS_SNAPSHOT);
+  return join4(profileAuthDir(profileDir), CREDENTIALS_SNAPSHOT);
 }
 function profileKeychainSnapshot(profileDir) {
-  return join3(profileAuthDir(profileDir), KEYCHAIN_SNAPSHOT);
+  return join4(profileAuthDir(profileDir), KEYCHAIN_SNAPSHOT);
 }
 
 // src/lib/keychain.ts
@@ -17262,7 +17331,7 @@ function mergeOAuthInto(paths, oauth, allowDelete, stayUnder) {
   }
 }
 function sanitizeSettingsFile(configDir, stayUnder) {
-  const settingsPath = join4(configDir, "settings.json");
+  const settingsPath = join5(configDir, "settings.json");
   const settings = readJsonFile(settingsPath);
   if (!settings)
     return false;
@@ -17309,7 +17378,7 @@ function liveOAuthEmail() {
 }
 function snapshotLiveAuthToProfile(profileDir, _tool) {
   const authDir = profileAuthDir(profileDir);
-  assertSafeWritePath(join4(authDir, OAUTH_SNAPSHOT), { mustStayUnder: profileDir });
+  assertSafeWritePath(join5(authDir, OAUTH_SNAPSHOT), { mustStayUnder: profileDir });
   mkdirSync3(authDir, { recursive: true });
   const live = liveClaudePaths();
   const oauth = readOAuthFromPaths([live.homeJson]);
@@ -17328,14 +17397,14 @@ function snapshotLiveAuthToProfile(profileDir, _tool) {
 }
 function ensureProfileAuthSnapshot(profileDir, tool, opts = {}) {
   const authDir = profileAuthDir(profileDir);
-  assertSafeWritePath(join4(authDir, OAUTH_SNAPSHOT), { mustStayUnder: profileDir });
+  assertSafeWritePath(join5(authDir, OAUTH_SNAPSHOT), { mustStayUnder: profileDir });
   mkdirSync3(authDir, { recursive: true });
   const oauthSource = findOAuthSource(profileAccountJsonPaths(profileDir, tool));
   const oauthSnap = profileOAuthSnapshot(profileDir);
   if (oauthSource && (opts.overwrite || snapshotIsStale(oauthSource.path, oauthSnap))) {
     writeJsonFile(oauthSnap, { oauthAccount: oauthSource.oauth }, profileDir);
   }
-  const credFile = join4(profileDir, ".credentials.json");
+  const credFile = join5(profileDir, ".credentials.json");
   const credSnap = profileCredentialsSnapshot(profileDir);
   if (existsSync3(credFile) && (opts.overwrite || snapshotIsStale(credFile, credSnap))) {
     assertSafeWritePath(credSnap, { mustStayUnder: profileDir });
@@ -17397,9 +17466,9 @@ function hasAuthSnapshot(profileDir) {
 
 // src/lib/apply-lock.ts
 import { closeSync, existsSync as existsSync4, mkdirSync as mkdirSync4, openSync, unlinkSync as unlinkSync2, writeFileSync as writeFileSync3 } from "node:fs";
-import { join as join5 } from "node:path";
+import { join as join6 } from "node:path";
 function lockPath() {
-  return join5(accountsHome(), ".apply.lock");
+  return join6(accountsHome(), ".apply.lock");
 }
 function withApplyLock(fn) {
   const home = accountsHome();
@@ -17470,7 +17539,7 @@ function applyProfileUnlocked(name, toolId) {
 
 // src/lib/codex-app.ts
 import { existsSync as existsSync5, mkdirSync as mkdirSync5, readFileSync as readFileSync3, writeFileSync as writeFileSync4 } from "node:fs";
-import { join as join6 } from "node:path";
+import { join as join7 } from "node:path";
 var FILE_CREDENTIALS_LINE = 'cli_auth_credentials_store = "file"';
 function insertRootConfigLine(config2, line) {
   if (config2.trim() === "")
@@ -17497,7 +17566,7 @@ ${after}${after.endsWith(`
 }
 function ensureCodexAppProfileConfig(profileDir) {
   mkdirSync5(profileDir, { recursive: true });
-  const configPath = join6(profileDir, "config.toml");
+  const configPath = join7(profileDir, "config.toml");
   const current = existsSync5(configPath) ? readFileSync3(configPath, "utf8") : "";
   if (/^\s*cli_auth_credentials_store\s*=/.test(current))
     return;
@@ -17582,20 +17651,20 @@ function switchProfile(name, opts = {}) {
 import { createHash } from "node:crypto";
 import { existsSync as existsSync6, mkdirSync as mkdirSync6, readFileSync as readFileSync4, readdirSync, rmSync, writeFileSync as writeFileSync5 } from "node:fs";
 import { createConnection, createServer } from "node:net";
-import { basename, join as join7 } from "node:path";
+import { basename, join as join8 } from "node:path";
 var STATE_SUFFIX = ".json";
 function supervisorDir() {
-  return join7(accountsHome(), "supervisors");
+  return join8(accountsHome(), "supervisors");
 }
 function supervisorStatePath(toolId) {
-  return join7(supervisorDir(), `${toolId}${STATE_SUFFIX}`);
+  return join8(supervisorDir(), `${toolId}${STATE_SUFFIX}`);
 }
 function supervisorSocketPath(toolId) {
   if (process.platform === "win32") {
     const hash = createHash("sha1").update(accountsHome()).digest("hex").slice(0, 12);
     return `\\\\.\\pipe\\hasna-accounts-${hash}-${toolId}`;
   }
-  return join7(supervisorDir(), `${toolId}.sock`);
+  return join8(supervisorDir(), `${toolId}.sock`);
 }
 function parseState(raw) {
   const data = JSON.parse(raw);

package/dist/storage.js

@@ -18,7 +18,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 // src/storage.ts
 import { homedir } from "node:os";
 import { hostname } from "node:os";
-import { join } from "node:path";
+import { join as join2 } from "node:path";
 import { chmodSync, existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync, writeFileSync } from "node:fs";
 
 // node_modules/zod/v3/external.js
@@ -4038,52 +4038,121 @@ class AccountsError extends Error {
 
 // src/lib/safe-path.ts
 import { existsSync, lstatSync, mkdirSync, realpathSync } from "node:fs";
-import { dirname, resolve } from "node:path";
+import { dirname, isAbsolute, join, parse, relative, resolve, sep } from "node:path";
+function lstatIfExists(path) {
+  try {
+    return lstatSync(path);
+  } catch (err) {
+    if (err.code !== "ENOENT")
+      throw err;
+    return;
+  }
+}
 function throwIfSymlink(path, label) {
-  if (existsSync(path) && lstatSync(path).isSymbolicLink()) {
+  if (lstatIfExists(path)?.isSymbolicLink()) {
     throw new AccountsError(`${label}: ${path}`);
   }
 }
-function assertDirChainSafe(targetFile, mustStayUnder) {
-  const absFile = resolve(targetFile);
-  const parent = dirname(absFile);
-  const base = mustStayUnder ? resolve(mustStayUnder) : undefined;
-  if (base) {
-    const rel = absFile.startsWith(base + "/") ? absFile.slice(base.length + 1) : "";
-    if (!rel && absFile !== base) {
-      throw new AccountsError(`refusing to write outside profile directory: ${targetFile}`);
-    }
-    const segments = rel.split("/").filter(Boolean);
-    if (segments.some((s) => s === "..")) {
-      throw new AccountsError(`refusing path traversal: ${targetFile}`);
-    }
-    let cursor = base;
-    for (let i = 0;i < segments.length - 1; i++) {
-      cursor = resolve(cursor, segments[i]);
-      throwIfSymlink(cursor, "refusing to write under symlink directory");
+function isAllowedSystemDirectorySymlink(path) {
+  if (path !== "/var" && path !== "/tmp")
+    return false;
+  try {
+    return realpathSync(path) === `/private${path}`;
+  } catch {
+    return false;
+  }
+}
+function assertDirectory(path, label, opts) {
+  const stat = lstatIfExists(path);
+  if (!stat) {
+    throw new AccountsError(`refusing to write under missing directory: ${path}`);
+  }
+  if (stat.isSymbolicLink()) {
+    if (opts?.allowSystemSymlink && isAllowedSystemDirectorySymlink(path))
+      return;
+    throw new AccountsError(`${label}: ${path}`);
+  }
+  if (!stat.isDirectory()) {
+    throw new AccountsError(`refusing to write under non-directory path: ${path}`);
+  }
+}
+function assertInsideBase(absPath, base, originalPath) {
+  const rel = relative(base, absPath);
+  if (rel === "")
+    return rel;
+  if (rel === ".." || rel.startsWith(".." + sep) || isAbsolute(rel)) {
+    throw new AccountsError(`refusing to write outside profile directory: ${originalPath}`);
+  }
+  return rel;
+}
+function assertExistingDirectoryComponentsSafe(path, label) {
+  const root = parse(path).root;
+  const rel = relative(root, path);
+  const segments = rel ? rel.split(sep).filter(Boolean) : [];
+  let cursor = root;
+  assertDirectory(cursor, label, { allowSystemSymlink: true });
+  for (const segment of segments) {
+    cursor = join(cursor, segment);
+    if (!lstatIfExists(cursor))
+      return;
+    assertDirectory(cursor, label, { allowSystemSymlink: true });
+  }
+}
+function ensureBoundaryRootSafe(base) {
+  const missing = [];
+  let cursor = base;
+  while (!lstatIfExists(cursor)) {
+    missing.unshift(cursor);
+    const parent = dirname(cursor);
+    if (parent === cursor)
+      break;
+    cursor = parent;
+  }
+  assertDirectory(cursor, "refusing to use symlink base directory");
+  for (const dir of missing) {
+    if (lstatIfExists(dir)) {
+      assertDirectory(dir, "refusing to use symlink base directory");
+    } else {
+      mkdirSync(dir);
+      assertDirectory(dir, "refusing to use symlink base directory");
     }
-  } else {
-    let cursor = parent;
-    for (;; ) {
-      throwIfSymlink(cursor, "refusing to write under symlink directory");
-      const next = dirname(cursor);
-      if (next === cursor)
-        break;
-      cursor = next;
+  }
+  assertDirectory(base, "refusing to use symlink base directory");
+}
+function ensureDirectoryChainSafe(parent, startAt) {
+  const root = startAt ?? parse(parent).root;
+  const rel = relative(root, parent);
+  const segments = rel ? rel.split(sep).filter(Boolean) : [];
+  let cursor = root;
+  if (startAt)
+    assertDirectory(startAt, "refusing to write under symlink directory");
+  for (const segment of segments) {
+    cursor = join(cursor, segment);
+    if (lstatIfExists(cursor)) {
+      assertDirectory(cursor, "refusing to write under symlink directory");
+    } else {
+      mkdirSync(cursor);
+      assertDirectory(cursor, "refusing to write under symlink directory");
     }
   }
 }
 function assertSafeWritePath(filePath, opts) {
   const absFile = resolve(filePath);
   const parent = dirname(absFile);
-  if (!existsSync(parent))
-    mkdirSync(parent, { recursive: true });
+  const base = opts?.mustStayUnder ? resolve(opts.mustStayUnder) : undefined;
+  if (base) {
+    assertInsideBase(absFile, base, filePath);
+    assertExistingDirectoryComponentsSafe(base, "refusing to use symlink base directory");
+    ensureBoundaryRootSafe(base);
+    ensureDirectoryChainSafe(parent, base);
+  } else {
+    ensureDirectoryChainSafe(parent);
+  }
   throwIfSymlink(absFile, "refusing to write through symlink");
-  assertDirChainSafe(absFile, opts?.mustStayUnder);
   const resolved = realpathSync(existsSync(absFile) ? absFile : parent);
-  if (opts?.mustStayUnder) {
-    const base = realpathSync(resolve(opts.mustStayUnder));
-    if (resolved !== base && !resolved.startsWith(base + "/")) {
+  if (base) {
+    const realBase = realpathSync(base);
+    if (resolved !== realBase && !resolved.startsWith(realBase + sep)) {
       throw new AccountsError(`refusing to write outside profile directory: ${filePath}`);
     }
   }
@@ -4122,16 +4191,16 @@ function accountsHome() {
   const override = process.env.ACCOUNTS_HOME;
   if (override && override.trim())
     return validateEnvPath(override, "ACCOUNTS_HOME");
-  return join(homedir(), ".hasna", "accounts");
+  return join2(homedir(), ".hasna", "accounts");
 }
 function storePath() {
   const override = process.env.ACCOUNTS_STORE_PATH;
   if (override && override.trim())
     return validateEnvPath(override, "ACCOUNTS_STORE_PATH");
-  return join(accountsHome(), "accounts.json");
+  return join2(accountsHome(), "accounts.json");
 }
 function profilesDir() {
-  return join(accountsHome(), "profiles");
+  return join2(accountsHome(), "profiles");
 }
 var EMPTY_STORE = { version: 1, current: {}, applied: {}, profiles: [], tools: [] };
 function loadStore() {
@@ -4174,7 +4243,7 @@ function loadStore() {
 function saveStore(store) {
   const path = storePath();
   assertSafeWritePath(path, { mustStayUnder: accountsHome() });
-  mkdirSync2(join(path, ".."), { recursive: true });
+  mkdirSync2(join2(path, ".."), { recursive: true });
   if (existsSync2(path))
     chmodSync(path, 384);
   writeFileSync(path, JSON.stringify(store, null, 2) + `

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/accounts",
-  "version": "0.1.19",
+  "version": "0.1.20",
   "description": "Manage and switch between multiple Claude Code (and other AI coding tool) profiles/accounts locally — isolated config dirs, per-account email, one-command switching.",
   "type": "module",
   "main": "dist/index.js",