@plexor-dev/claude-code-plugin 0.1.0-beta.30 → 0.1.0-beta.32

package/commands/plexor-enabled.js

@@ -14,26 +14,84 @@
 const fs = require('fs');
 const path = require('path');
 
-// Import settings manager for automatic Claude Code configuration
-const { settingsManager, PLEXOR_STAGING_URL, PLEXOR_PROD_URL } = require('../lib/settings-manager');
-
-const CONFIG_PATH = path.join(process.env.HOME, '.plexor', 'config.json');
-const PLEXOR_DIR = path.join(process.env.HOME, '.plexor');
+// Import centralized constants with HOME directory validation
+const { PLEXOR_DIR, CONFIG_PATH } = require('../lib/constants');
+
+// Import settings manager with error handling for missing lib
+let settingsManager, PLEXOR_STAGING_URL, PLEXOR_PROD_URL;
+try {
+  const lib = require('../lib/settings-manager');
+  settingsManager = lib.settingsManager;
+  PLEXOR_STAGING_URL = lib.PLEXOR_STAGING_URL;
+  PLEXOR_PROD_URL = lib.PLEXOR_PROD_URL;
+} catch (err) {
+  if (err.code === 'MODULE_NOT_FOUND') {
+    console.error('Error: Plexor plugin files are missing or corrupted.');
+    console.error('       Please reinstall: npm install @plexor-dev/claude-code-plugin');
+    process.exit(1);
+  }
+  throw err;
+}
 
 function loadConfig() {
   try {
+    if (!fs.existsSync(CONFIG_PATH)) {
+      return { version: 1, auth: {}, settings: {} };
+    }
     const data = fs.readFileSync(CONFIG_PATH, 'utf8');
-    return JSON.parse(data);
-  } catch {
+    if (!data || data.trim() === '') {
+      return { version: 1, auth: {}, settings: {} };
+    }
+    const config = JSON.parse(data);
+    if (typeof config !== 'object' || config === null) {
+      console.warn('Warning: Config file has invalid format, using defaults');
+      return { version: 1, auth: {}, settings: {} };
+    }
+    return config;
+  } catch (err) {
+    if (err instanceof SyntaxError) {
+      console.warn('Warning: Config file is corrupted, using defaults');
+      // Backup corrupted file
+      try {
+        fs.copyFileSync(CONFIG_PATH, CONFIG_PATH + '.corrupted');
+      } catch { /* ignore */ }
+    }
     return { version: 1, auth: {}, settings: {} };
   }
 }
 
 function saveConfig(config) {
-  if (!fs.existsSync(PLEXOR_DIR)) {
-    fs.mkdirSync(PLEXOR_DIR, { recursive: true, mode: 0o700 });
+  try {
+    if (!fs.existsSync(PLEXOR_DIR)) {
+      fs.mkdirSync(PLEXOR_DIR, { recursive: true, mode: 0o700 });
+    }
+
+    // Atomic write: write to temp file, then rename
+    const crypto = require('crypto');
+    const tempId = crypto.randomBytes(8).toString('hex');
+    const tempPath = path.join(PLEXOR_DIR, `.config.${tempId}.tmp`);
+
+    fs.writeFileSync(tempPath, JSON.stringify(config, null, 2), { mode: 0o600 });
+    fs.renameSync(tempPath, CONFIG_PATH);
+    return true;
+  } catch (err) {
+    if (err.code === 'EACCES' || err.code === 'EPERM') {
+      console.error(`Error: Cannot write to ~/.plexor/config.json`);
+      console.error('       Check file permissions or run with appropriate access.');
+    } else {
+      console.error('Failed to save config:', err.message);
+    }
+    return false;
   }
-  fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), { mode: 0o600 });
+}
+
+/**
+ * Validate API key format
+ * @param {string} key - API key to validate
+ * @returns {boolean} true if valid format
+ */
+function isValidApiKeyFormat(key) {
+  return key && typeof key === 'string' && key.startsWith('plx_') && key.length >= 20;
 }
 
 function main() {
@@ -80,27 +138,69 @@ function main() {
     process.exit(1);
   }
 
-  // Update Plexor plugin config
-  config.settings = config.settings || {};
-  config.settings.enabled = newEnabled;
-  saveConfig(config);
-
   // THE KEY FEATURE: Update Claude Code settings.json routing
   let routingUpdated = false;
+  let missingApiKey = false;
+  let invalidApiKey = false;
+
   if (newEnabled) {
-    // Enable routing - need API key from config
-    if (apiKey) {
+    // Enable routing - need valid API key from config
+    if (!apiKey) {
+      missingApiKey = true;
+    } else if (!isValidApiKeyFormat(apiKey)) {
+      invalidApiKey = true;
+    } else {
+      // Update Plexor plugin config first
+      config.settings = config.settings || {};
+      config.settings.enabled = newEnabled;
+      if (!saveConfig(config)) {
+        process.exit(1);
+      }
+
+      // PRODUCTION PACKAGE - uses production API
       const apiUrl = config.settings?.apiUrl || 'https://api.plexor.dev';
       const useStaging = apiUrl.includes('staging');
       routingUpdated = settingsManager.enablePlexorRouting(apiKey, { useStaging });
-    } else {
-      console.log('⚠ No API key found. Run /plexor-login first.');
     }
   } else {
+    // Update Plexor plugin config
+    config.settings = config.settings || {};
+    config.settings.enabled = newEnabled;
+    if (!saveConfig(config)) {
+      process.exit(1);
+    }
+
     // Disable routing - remove env vars from settings.json
     routingUpdated = settingsManager.disablePlexorRouting();
   }
 
+  // Show error if no API key when enabling
+  if (missingApiKey) {
+    console.log(`┌─────────────────────────────────────────────┐`);
+    console.log(`│  ✗ Cannot Enable Plexor                     │`);
+    console.log(`├─────────────────────────────────────────────┤`);
+    console.log(`│  No API key configured.                     │`);
+    console.log(`│  Run /plexor-login <api-key> first.         │`);
+    console.log(`├─────────────────────────────────────────────┤`);
+    console.log(`│  Get your API key at:                       │`);
+    console.log(`│  https://plexor.dev/dashboard/api-keys      │`);
+    console.log(`└─────────────────────────────────────────────┘`);
+    process.exit(1);
+  }
+
+  // Show error if API key format is invalid
+  if (invalidApiKey) {
+    console.log(`┌─────────────────────────────────────────────┐`);
+    console.log(`│  ✗ Cannot Enable Plexor                     │`);
+    console.log(`├─────────────────────────────────────────────┤`);
+    console.log(`│  Invalid API key format in config.          │`);
+    console.log(`│  Keys must start with "plx_" (20+ chars).   │`);
+    console.log(`├─────────────────────────────────────────────┤`);
+    console.log(`│  Run /plexor-login <api-key> to fix.        │`);
+    console.log(`└─────────────────────────────────────────────┘`);
+    process.exit(1);
+  }
+
   const newStatus = newEnabled ? '● Enabled' : '○ Disabled';
   const prevStatus = currentEnabled ? 'Enabled' : 'Disabled';
   const routingMsg = routingUpdated

package/commands/plexor-login.js

@@ -13,27 +13,67 @@ const path = require('path');
 const https = require('https');
 const http = require('http');
 
-// Import settings manager for automatic Claude Code configuration
-const { settingsManager } = require('../lib/settings-manager');
+// Import centralized constants with HOME directory validation
+const { PLEXOR_DIR, CONFIG_PATH, DEFAULT_API_URL } = require('../lib/constants');
 
-const CONFIG_PATH = path.join(process.env.HOME, '.plexor', 'config.json');
-const PLEXOR_DIR = path.join(process.env.HOME, '.plexor');
-const DEFAULT_API_URL = 'https://api.plexor.dev';
+// Import settings manager with error handling for missing lib
+let settingsManager;
+try {
+  settingsManager = require('../lib/settings-manager').settingsManager;
+} catch (err) {
+  if (err.code === 'MODULE_NOT_FOUND') {
+    console.error('Error: Plexor plugin files are missing or corrupted.');
+    console.error('       Please reinstall: npm install @plexor-dev/claude-code-plugin');
+    process.exit(1);
+  }
+  throw err;
+}
 
 function loadConfig() {
   try {
+    if (!fs.existsSync(CONFIG_PATH)) {
+      return { version: 1, auth: {}, settings: {} };
+    }
     const data = fs.readFileSync(CONFIG_PATH, 'utf8');
-    return JSON.parse(data);
-  } catch {
+    if (!data || data.trim() === '') {
+      return { version: 1, auth: {}, settings: {} };
+    }
+    const config = JSON.parse(data);
+    if (typeof config !== 'object' || config === null) {
+      return { version: 1, auth: {}, settings: {} };
+    }
+    return config;
+  } catch (err) {
+    if (err instanceof SyntaxError) {
+      console.warn('Warning: Config file is corrupted, will be overwritten');
+    }
     return { version: 1, auth: {}, settings: {} };
   }
 }
 
 function saveConfig(config) {
-  if (!fs.existsSync(PLEXOR_DIR)) {
-    fs.mkdirSync(PLEXOR_DIR, { recursive: true, mode: 0o700 });
+  try {
+    if (!fs.existsSync(PLEXOR_DIR)) {
+      fs.mkdirSync(PLEXOR_DIR, { recursive: true, mode: 0o700 });
+    }
+
+    // Atomic write: write to temp file, then rename
+    const crypto = require('crypto');
+    const tempId = crypto.randomBytes(8).toString('hex');
+    const tempPath = path.join(PLEXOR_DIR, `.config.${tempId}.tmp`);
+
+    fs.writeFileSync(tempPath, JSON.stringify(config, null, 2), { mode: 0o600 });
+    fs.renameSync(tempPath, CONFIG_PATH);
+    return true;
+  } catch (err) {
+    if (err.code === 'EACCES' || err.code === 'EPERM') {
+      console.error('Error: Cannot write to ~/.plexor/config.json');
+      console.error('       Check file permissions or run with appropriate access.');
+    } else {
+      console.error('Failed to save config:', err.message);
+    }
+    return false;
   }
-  fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), { mode: 0o600 });
 }
 
 function validateApiKey(apiUrl, apiKey) {
@@ -79,9 +119,62 @@ function validateApiKey(apiUrl, apiKey) {
   });
 }
 
+/**
+ * Read API key from stdin (for piped input)
+ * @returns {Promise<string>} The API key read from stdin
+ */
+function readFromStdin() {
+  return new Promise((resolve, reject) => {
+    let data = '';
+    const timeout = setTimeout(() => {
+      reject(new Error('Timeout reading from stdin'));
+    }, 5000);
+
+    process.stdin.setEncoding('utf8');
+    process.stdin.on('data', (chunk) => {
+      data += chunk;
+    });
+    process.stdin.on('end', () => {
+      clearTimeout(timeout);
+      resolve(data.trim());
+    });
+    process.stdin.on('error', (err) => {
+      clearTimeout(timeout);
+      reject(err);
+    });
+    process.stdin.resume();
+  });
+}
+
 async function main() {
   const args = process.argv.slice(2);
-  let apiKey = args[0];
+  let apiKey = null;
+  let keySource = null;
+
+  // SECURITY FIX: Check for API key in order of preference
+  // 1. Environment variable (most secure for scripts/CI)
+  // 2. Stdin pipe (secure for interactive use)
+  // 3. Command line argument (warns about security risk)
+
+  // Check environment variable first (most secure)
+  if (process.env.PLEXOR_API_KEY) {
+    apiKey = process.env.PLEXOR_API_KEY;
+    keySource = 'environment';
+  }
+  // Check if stdin has data (piped input)
+  else if (!process.stdin.isTTY && args.length === 0) {
+    try {
+      apiKey = await readFromStdin();
+      keySource = 'stdin';
+    } catch {
+      // Stdin read failed, continue to check args
+    }
+  }
+  // Check command line argument (least secure - shows in ps)
+  else if (args[0]) {
+    apiKey = args[0];
+    keySource = 'argument';
+  }
 
   // Check for existing login
   const config = loadConfig();
@@ -93,14 +186,14 @@ async function main() {
     console.log(`├─────────────────────────────────────────────┤`);
     console.log(`│  API Key: ${(existingKey.substring(0, 8) + '...').padEnd(33)}│`);
     console.log(`│  To re-login, provide a new key:            │`);
-    console.log(`│    /plexor-login <api-key>                  │`);
+    console.log(`│    echo $PLEXOR_API_KEY | /plexor-login     │`);
     console.log(`│  To logout:                                 │`);
     console.log(`│    /plexor-logout                           │`);
     console.log(`└─────────────────────────────────────────────┘`);
     return;
   }
 
-  // If no key provided, prompt for it
+  // If no key provided, show secure usage options
   if (!apiKey) {
     console.log(`┌─────────────────────────────────────────────┐`);
     console.log(`│  Plexor Login                               │`);
@@ -108,11 +201,25 @@ async function main() {
     console.log(`│  Get your API key at:                       │`);
     console.log(`│  https://plexor.dev/dashboard/api-keys      │`);
     console.log(`├─────────────────────────────────────────────┤`);
-    console.log(`│  Usage: /plexor-login <api-key>             │`);
+    console.log(`│  Secure usage (recommended):                │`);
+    console.log(`│    echo "plx_..." | /plexor-login           │`);
+    console.log(`│    PLEXOR_API_KEY=plx_... /plexor-login     │`);
+    console.log(`├─────────────────────────────────────────────┤`);
+    console.log(`│  Direct usage (visible in ps):              │`);
+    console.log(`│    /plexor-login <api-key>                  │`);
     console.log(`└─────────────────────────────────────────────┘`);
     return;
   }
 
+  // Warn if API key was passed as command line argument
+  if (keySource === 'argument') {
+    console.log(`⚠ Security note: API key passed as argument is visible in`);
+    console.log(`  process list (ps aux). For better security, use:`);
+    console.log(`    echo "plx_..." | /plexor-login`);
+    console.log(`    PLEXOR_API_KEY=plx_... /plexor-login`);
+    console.log('');
+  }
+
   // Validate key format
   if (!apiKey.startsWith('plx_') || apiKey.length < 20) {
     console.error(`Error: Invalid API key format`);
@@ -131,7 +238,9 @@ async function main() {
     config.auth.api_key = apiKey;
     config.settings = config.settings || {};
     config.settings.enabled = true;
-    saveConfig(config);
+    if (!saveConfig(config)) {
+      process.exit(1);
+    }
 
     // AUTO-CONFIGURE CLAUDE CODE ROUTING
     // This is the key feature: automatically set ANTHROPIC_BASE_URL and ANTHROPIC_AUTH_TOKEN

package/commands/plexor-logout.js

@@ -8,25 +8,68 @@
 const fs = require('fs');
 const path = require('path');
 
-const PLEXOR_DIR = path.join(process.env.HOME, '.plexor');
-const CONFIG_PATH = path.join(PLEXOR_DIR, 'config.json');
-const SESSION_PATH = path.join(PLEXOR_DIR, 'session.json');
-const CACHE_PATH = path.join(PLEXOR_DIR, 'cache.json');
+// Import centralized constants with HOME directory validation
+const { PLEXOR_DIR, CONFIG_PATH, SESSION_PATH, CACHE_PATH } = require('../lib/constants');
+
+// Import settings manager for Claude Code routing cleanup
+let settingsManager;
+try {
+  const lib = require('../lib/settings-manager');
+  settingsManager = lib.settingsManager;
+} catch (err) {
+  if (err.code === 'MODULE_NOT_FOUND') {
+    console.error('Error: Plexor plugin files are missing or corrupted.');
+    console.error('       Please reinstall: npm install @plexor-dev/claude-code-plugin');
+    process.exit(1);
+  }
+  throw err;
+}
 
 function loadConfig() {
   try {
+    if (!fs.existsSync(CONFIG_PATH)) {
+      return null;
+    }
     const data = fs.readFileSync(CONFIG_PATH, 'utf8');
-    return JSON.parse(data);
-  } catch {
+    if (!data || data.trim() === '') {
+      return null;
+    }
+    const config = JSON.parse(data);
+    if (typeof config !== 'object' || config === null) {
+      return null;
+    }
+    return config;
+  } catch (err) {
+    if (err instanceof SyntaxError) {
+      console.warn('Warning: Config file is corrupted');
+    }
     return null;
   }
 }
 
 function saveConfig(config) {
-  if (!fs.existsSync(PLEXOR_DIR)) {
-    fs.mkdirSync(PLEXOR_DIR, { recursive: true, mode: 0o700 });
+  try {
+    if (!fs.existsSync(PLEXOR_DIR)) {
+      fs.mkdirSync(PLEXOR_DIR, { recursive: true, mode: 0o700 });
+    }
+
+    // Atomic write: write to temp file, then rename
+    const crypto = require('crypto');
+    const tempId = crypto.randomBytes(8).toString('hex');
+    const tempPath = path.join(PLEXOR_DIR, `.config.${tempId}.tmp`);
+
+    fs.writeFileSync(tempPath, JSON.stringify(config, null, 2), { mode: 0o600 });
+    fs.renameSync(tempPath, CONFIG_PATH);
+    return true;
+  } catch (err) {
+    if (err.code === 'EACCES' || err.code === 'EPERM') {
+      console.error('Error: Cannot write to ~/.plexor/config.json');
+      console.error('       Check file permissions or run with appropriate access.');
+    } else {
+      console.error('Failed to save config:', err.message);
+    }
+    return false;
   }
-  fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), { mode: 0o600 });
 }
 
 function deleteFile(filePath) {
@@ -61,7 +104,14 @@ function main() {
   delete config.auth.api_key;
   config.settings = config.settings || {};
   config.settings.enabled = false;
-  saveConfig(config);
+  if (!saveConfig(config)) {
+    process.exit(1);
+  }
+
+  // CRITICAL FIX: Disable Claude Code routing in ~/.claude/settings.json
+  // This removes ANTHROPIC_BASE_URL and ANTHROPIC_AUTH_TOKEN so Claude Code
+  // no longer tries to route through Plexor with removed credentials
+  const routingDisabled = settingsManager.disablePlexorRouting();
 
   // Clear session
   deleteFile(SESSION_PATH);
@@ -76,12 +126,13 @@ function main() {
   console.log(`│  ✓ Logged Out                               │`);
   console.log(`├─────────────────────────────────────────────┤`);
   console.log(`│  ✓ API key removed                          │`);
-  console.log(`│  ✓ Plexor proxy disabled                    │`);
+  console.log(`│  ${routingDisabled ? '✓' : '○'} Claude Code routing disabled             │`);
   console.log(`│  ✓ Session cleared                          │`);
   if (clearCache) {
     console.log(`│  ${cacheCleared ? '✓' : '○'} Cache cleared                            │`);
   }
   console.log(`├─────────────────────────────────────────────┤`);
+  console.log(`│  Claude Code now connects directly.         │`);
   console.log(`│  Run /plexor-login to re-authenticate.      │`);
   if (!clearCache) {
     console.log(`│  Use --clear-cache to also clear cache.     │`);

package/commands/plexor-status.js

@@ -9,10 +9,9 @@ const fs = require('fs');
 const path = require('path');
 const https = require('https');
 
-const CONFIG_PATH = path.join(process.env.HOME, '.plexor', 'config.json');
-const SESSION_PATH = path.join(process.env.HOME, '.plexor', 'session.json');
-const CLAUDE_SETTINGS_PATH = path.join(process.env.HOME, '.claude', 'settings.json');
-const SESSION_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes
+// Import centralized constants with HOME directory validation
+const { HOME_DIR, CONFIG_PATH, SESSION_PATH, SESSION_TIMEOUT_MS } = require('../lib/constants');
+const CLAUDE_SETTINGS_PATH = path.join(HOME_DIR, '.claude', 'settings.json');
 
 /**
  * Check if Claude Code is actually routing through Plexor
@@ -49,13 +48,63 @@ function loadSessionStats() {
   }
 }
 
-async function main() {
-  // Read config
-  let config;
+/**
+ * Validate API key format
+ * @param {string} key - API key to validate
+ * @returns {boolean} true if valid format
+ */
+function isValidApiKeyFormat(key) {
+  return key && typeof key === 'string' && key.startsWith('plx_') && key.length >= 20;
+}
+
+/**
+ * Load config file with integrity checking
+ * @returns {Object|null} config object or null if invalid
+ */
+function loadConfig() {
   try {
+    if (!fs.existsSync(CONFIG_PATH)) {
+      return null;
+    }
     const data = fs.readFileSync(CONFIG_PATH, 'utf8');
-    config = JSON.parse(data);
+    if (!data || data.trim() === '') {
+      return null;
+    }
+    const config = JSON.parse(data);
+    if (typeof config !== 'object' || config === null) {
+      return null;
+    }
+    return config;
   } catch (err) {
+    if (err instanceof SyntaxError) {
+      console.log('Config file is corrupted. Run /plexor-login to reconfigure.');
+    }
+    return null;
+  }
+}
+
+/**
+ * Check for environment mismatch between config and routing
+ */
+function checkEnvironmentMismatch(configApiUrl, routingBaseUrl) {
+  if (!configApiUrl || !routingBaseUrl) return null;
+
+  const configIsStaging = configApiUrl.includes('staging');
+  const routingIsStaging = routingBaseUrl.includes('staging');
+
+  if (configIsStaging !== routingIsStaging) {
+    return {
+      config: configIsStaging ? 'staging' : 'production',
+      routing: routingIsStaging ? 'staging' : 'production'
+    };
+  }
+  return null;
+}
+
+async function main() {
+  // Read config with integrity checking
+  const config = loadConfig();
+  if (!config) {
     console.log('Not configured. Run /plexor-login first.');
     process.exit(1);
   }
@@ -72,6 +121,13 @@ async function main() {
     process.exit(1);
   }
 
+  // Validate API key format
+  if (!isValidApiKeyFormat(apiKey)) {
+    console.log('Invalid API key format. Keys must start with "plx_" and be at least 20 characters.');
+    console.log('Run /plexor-login with a valid API key.');
+    process.exit(1);
+  }
+
   // Fetch user info and stats
   let user = { email: 'Unknown', tier: { name: 'Free', limits: {} } };
   let stats = { period: {}, summary: {} };
@@ -165,6 +221,16 @@ ${line(`└── Cost saved: $${sessionCostSaved}`)}
   const routingIndicator = routing.active ? '🟢 PLEXOR MODE: ON' : '🔴 PLEXOR MODE: OFF';
   const envLabel = routing.isStaging ? '(staging)' : '(production)';
 
+  // Check for environment mismatch
+  const envMismatch = checkEnvironmentMismatch(apiUrl, routing.baseUrl);
+  const mismatchWarning = envMismatch
+    ? `  ⚠ Warning: Config uses ${envMismatch.config} but routing is ${envMismatch.routing}\n`
+    : '';
+
+  if (mismatchWarning) {
+    console.log(mismatchWarning);
+  }
+
   console.log(`  ┌─────────────────────────────────────────────┐
 ${line(routingIndicator + (routing.active ? ' ' + envLabel : ''))}
   ├─────────────────────────────────────────────┤
@@ -192,7 +258,8 @@ ${line('Settings')}
 ${line(`├── Optimization: ${optEnabled}`)}
 ${line(`├── Local cache: ${cacheEnabled}`)}
 ${line(`├── Mode: ${mode}`)}
-${line(`└── Provider routing: ${provider}`)}
+${line(`├── Provider routing: ${provider}`)}
+${line(`└── Endpoint: ${routing.baseUrl ? routing.baseUrl.replace('https://', '').substring(0, 30) : 'not configured'}`)}
   └─────────────────────────────────────────────┘
 
   Dashboard: ${dashboardUrl}
@@ -201,7 +268,13 @@ ${line(`└── Provider routing: ${provider}`)}
 
 function fetchJson(apiUrl, endpoint, apiKey) {
   return new Promise((resolve, reject) => {
-    const url = new URL(`${apiUrl}${endpoint}`);
+    let url;
+    try {
+      url = new URL(`${apiUrl}${endpoint}`);
+    } catch {
+      reject(new Error('Invalid API URL'));
+      return;
+    }
 
     const options = {
       hostname: url.hostname,
@@ -217,18 +290,48 @@ function fetchJson(apiUrl, endpoint, apiKey) {
       let data = '';
       res.on('data', chunk => data += chunk);
       res.on('end', () => {
+        // Check HTTP status code first
+        if (res.statusCode === 401) {
+          reject(new Error('Invalid API key'));
+          return;
+        }
+        if (res.statusCode === 403) {
+          reject(new Error('Access denied'));
+          return;
+        }
+        if (res.statusCode >= 500) {
+          reject(new Error('Server error'));
+          return;
+        }
+        if (res.statusCode !== 200) {
+          reject(new Error(`HTTP ${res.statusCode}`));
+          return;
+        }
+
+        // Check for empty response
+        if (!data || data.trim() === '') {
+          reject(new Error('Empty response'));
+          return;
+        }
+
+        // Parse JSON
         try {
-          resolve(JSON.parse(data));
+          const parsed = JSON.parse(data);
+          if (parsed === null) {
+            reject(new Error('Null response'));
+            return;
+          }
+          resolve(parsed);
         } catch {
-          reject(new Error('Invalid response'));
+          reject(new Error('Invalid JSON response'));
         }
       });
     });
 
-    req.on('error', reject);
+    req.on('error', (err) => reject(new Error(`Connection failed: ${err.message}`)));
     req.setTimeout(5000, () => {
       req.destroy();
-      reject(new Error('Timeout'));
+      reject(new Error('Request timeout'));
     });
     req.end();
   });

package/lib/constants.js

@@ -4,7 +4,23 @@
 
 const path = require('path');
 
-const PLEXOR_DIR = path.join(process.env.HOME || process.env.USERPROFILE || '', '.plexor');
+/**
+ * Get the user's home directory with proper validation
+ * @returns {string} Home directory path
+ * @throws {Error} If HOME is not set or empty
+ */
+function getHomeDir() {
+  const home = process.env.HOME || process.env.USERPROFILE;
+  if (!home || home.trim() === '') {
+    console.error('Error: HOME environment variable is not set.');
+    console.error('       Please set HOME to your user directory before running Plexor commands.');
+    process.exit(1);
+  }
+  return home;
+}
+
+const HOME_DIR = getHomeDir();
+const PLEXOR_DIR = path.join(HOME_DIR, '.plexor');
 const CONFIG_PATH = path.join(PLEXOR_DIR, 'config.json');
 const SESSION_PATH = path.join(PLEXOR_DIR, 'session.json');
 const CACHE_PATH = path.join(PLEXOR_DIR, 'cache.json');
@@ -15,6 +31,8 @@ const DEFAULT_API_URL = 'https://api.plexor.dev';
 const DEFAULT_TIMEOUT = 5000;
 
 module.exports = {
+  getHomeDir,
+  HOME_DIR,
   PLEXOR_DIR,
   CONFIG_PATH,
   SESSION_PATH,

package/lib/settings-manager.js

@@ -12,9 +12,12 @@
 
 const fs = require('fs');
 const path = require('path');
+const os = require('os');
+const crypto = require('crypto');
 
 const CLAUDE_DIR = path.join(process.env.HOME || process.env.USERPROFILE || '', '.claude');
 const SETTINGS_PATH = path.join(CLAUDE_DIR, 'settings.json');
+const LOCK_TIMEOUT_MS = 5000; // 5 second lock timeout
 
 // Plexor gateway endpoints
 const PLEXOR_STAGING_URL = 'https://staging.api.plexor.dev/gateway/anthropic';
@@ -27,8 +30,8 @@ class ClaudeSettingsManager {
   }
 
   /**
-   * Load current Claude settings
-   * @returns {Object} settings object or empty object if not found
+   * Load current Claude settings with integrity checking
+   * @returns {Object} settings object or empty object if not found/corrupted
    */
   load() {
     try {
@@ -36,18 +39,60 @@ class ClaudeSettingsManager {
         return {};
       }
       const data = fs.readFileSync(this.settingsPath, 'utf8');
-      return JSON.parse(data);
+
+      // Check for empty file
+      if (!data || data.trim() === '') {
+        return {};
+      }
+
+      const parsed = JSON.parse(data);
+
+      // Basic schema validation - must be an object
+      if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+        console.warn('Warning: Claude settings file has invalid format, using defaults');
+        this._backupCorruptedFile();
+        return {};
+      }
+
+      return parsed;
     } catch (err) {
-      // Log unexpected errors (not ENOENT which is handled above)
-      if (err.code !== 'ENOENT') {
-        console.warn('Warning: Failed to load Claude settings:', err.message);
+      if (err.code === 'ENOENT') {
+        return {};
+      }
+      // JSON parse error or corrupted file
+      if (err instanceof SyntaxError) {
+        console.warn('Warning: Claude settings file is corrupted, using defaults');
+        console.warn('         A backup has been saved to settings.json.corrupted');
+        this._backupCorruptedFile();
+        return {};
+      }
+      // Permission error
+      if (err.code === 'EACCES' || err.code === 'EPERM') {
+        console.warn(`Warning: Cannot read ${this.settingsPath} (permission denied)`);
+        return {};
       }
+      console.warn('Warning: Failed to load Claude settings:', err.message);
       return {};
     }
   }
 
   /**
-   * Save Claude settings
+   * Backup a corrupted settings file for debugging
+   */
+  _backupCorruptedFile() {
+    try {
+      if (fs.existsSync(this.settingsPath)) {
+        const backupPath = this.settingsPath + '.corrupted';
+        fs.copyFileSync(this.settingsPath, backupPath);
+      }
+    } catch {
+      // Ignore backup errors
+    }
+  }
+
+  /**
+   * Save Claude settings using atomic write pattern
+   * Prevents race conditions by writing to temp file then renaming
    * @param {Object} settings - settings object to save
    * @returns {boolean} success status
    */
@@ -58,10 +103,27 @@ class ClaudeSettingsManager {
         fs.mkdirSync(this.claudeDir, { recursive: true });
       }
 
-      fs.writeFileSync(this.settingsPath, JSON.stringify(settings, null, 2), { mode: 0o600 });
+      // Atomic write: write to temp file, then rename
+      // This prevents race conditions where concurrent writes corrupt the file
+      const tempId = crypto.randomBytes(8).toString('hex');
+      const tempPath = path.join(this.claudeDir, `.settings.${tempId}.tmp`);
+
+      // Write to temp file
+      const content = JSON.stringify(settings, null, 2);
+      fs.writeFileSync(tempPath, content, { mode: 0o600 });
+
+      // Atomic rename (on POSIX systems, rename is atomic)
+      fs.renameSync(tempPath, this.settingsPath);
+
       return true;
     } catch (err) {
-      console.error('Failed to save Claude settings:', err.message);
+      // Clean error message for permission errors
+      if (err.code === 'EACCES' || err.code === 'EPERM') {
+        console.error(`Error: Cannot write to ${this.settingsPath}`);
+        console.error('       Check file permissions or run with appropriate access.');
+      } else {
+        console.error('Failed to save Claude settings:', err.message);
+      }
       return false;
     }
   }
@@ -77,7 +139,7 @@ class ClaudeSettingsManager {
    * @returns {boolean} success status
    */
   enablePlexorRouting(apiKey, options = {}) {
-    // Default to production. Use useStaging: true for staging keys.
+    // PRODUCTION PACKAGE - defaults to production API
     const { useStaging = false } = options;
     const apiUrl = useStaging ? PLEXOR_STAGING_URL : PLEXOR_PROD_URL;
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@plexor-dev/claude-code-plugin",
-  "version": "0.1.0-beta.30",
+  "version": "0.1.0-beta.32",
   "description": "LLM cost optimization plugin for Claude Code - Save up to 90% on AI costs",
   "main": "lib/constants.js",
   "bin": {

package/scripts/postinstall.js

@@ -70,12 +70,15 @@ function chownRecursive(dirPath, uid, gid) {
 
 const HOME_DIR = getHomeDir();
 const COMMANDS_SOURCE = path.join(__dirname, '..', 'commands');
+const LIB_SOURCE = path.join(__dirname, '..', 'lib');
 const CLAUDE_COMMANDS_DIR = path.join(HOME_DIR, '.claude', 'commands');
 const PLEXOR_PLUGINS_DIR = path.join(HOME_DIR, '.claude', 'plugins', 'plexor', 'commands');
+const PLEXOR_LIB_DIR = path.join(HOME_DIR, '.claude', 'plugins', 'plexor', 'lib');
 const PLEXOR_CONFIG_DIR = path.join(HOME_DIR, '.plexor');
 const PLEXOR_CONFIG_FILE = path.join(PLEXOR_CONFIG_DIR, 'config.json');
 
 // Default configuration for new installs
+// PRODUCTION PACKAGE - uses production API
 const DEFAULT_CONFIG = {
   version: 1,
   auth: {
@@ -101,6 +104,9 @@ function main() {
     // Create ~/.claude/plugins/plexor/commands/ for JS executors
     fs.mkdirSync(PLEXOR_PLUGINS_DIR, { recursive: true });
 
+    // Create ~/.claude/plugins/plexor/lib/ for shared modules
+    fs.mkdirSync(PLEXOR_LIB_DIR, { recursive: true });
+
     // Create ~/.plexor/ with secure permissions (owner only)
     fs.mkdirSync(PLEXOR_CONFIG_DIR, { recursive: true, mode: 0o700 });
 
@@ -161,6 +167,40 @@ function main() {
       jsInstalled.push(file);
     }
 
+    // Copy lib files to ~/.claude/plugins/plexor/lib/
+    // CRITICAL: These are required for commands to work
+    const libInstalled = [];
+    if (fs.existsSync(LIB_SOURCE)) {
+      const libFiles = fs.readdirSync(LIB_SOURCE).filter(f => f.endsWith('.js'));
+      if (libFiles.length === 0) {
+        console.warn('  ⚠ Warning: No lib files found in package. Commands may not work.');
+      }
+      for (const file of libFiles) {
+        try {
+          const src = path.join(LIB_SOURCE, file);
+          const dest = path.join(PLEXOR_LIB_DIR, file);
+          fs.copyFileSync(src, dest);
+          libInstalled.push(file);
+        } catch (err) {
+          console.error(`  ✗ Failed to copy lib/${file}: ${err.message}`);
+        }
+      }
+    } else {
+      console.error('  ✗ CRITICAL: lib/ directory not found in package.');
+      console.error('    Commands will fail. Please reinstall the package.');
+      console.error(`    Expected location: ${LIB_SOURCE}`);
+    }
+
+    // Verify critical lib file exists
+    const criticalLibFile = path.join(PLEXOR_LIB_DIR, 'settings-manager.js');
+    if (!fs.existsSync(criticalLibFile)) {
+      console.error('');
+      console.error('  ✗ CRITICAL: settings-manager.js was not installed.');
+      console.error('    This file is required for commands to work.');
+      console.error('    Try reinstalling: npm install @plexor-dev/claude-code-plugin');
+      console.error('');
+    }
+
     // Fix file ownership when running with sudo
     // Files are created as root but should be owned by the original user
     if (targetUser) {
@@ -190,7 +230,10 @@ function main() {
     }
     console.log(`  ✓ Installed ${installed.length} slash commands to ~/.claude/commands/`);
     if (jsInstalled.length > 0) {
-      console.log(`  ✓ Installed ${jsInstalled.length} executors to ~/.claude/plugins/plexor/`);
+      console.log(`  ✓ Installed ${jsInstalled.length} executors to ~/.claude/plugins/plexor/commands/`);
+    }
+    if (libInstalled.length > 0) {
+      console.log(`  ✓ Installed ${libInstalled.length} lib modules to ~/.claude/plugins/plexor/lib/`);
     }
     if (targetUser) {
       console.log(`  ✓ Set file ownership to ${targetUser.user}`);

package/scripts/uninstall.js

@@ -11,11 +11,32 @@ const fs = require('fs');
 const path = require('path');
 const os = require('os');
 
+// Import settings manager for Claude Code routing cleanup
+let settingsManager;
+try {
+  const lib = require('../lib/settings-manager');
+  settingsManager = lib.settingsManager;
+} catch (err) {
+  // If settings manager can't be loaded during uninstall, continue anyway
+  settingsManager = null;
+}
+
 const COMMANDS_SOURCE = path.join(__dirname, '..', 'commands');
 const CLAUDE_COMMANDS_DIR = path.join(os.homedir(), '.claude', 'commands');
 
 function main() {
   try {
+    // CRITICAL: Disable Claude Code routing before removing commands
+    // This ensures users don't get stuck with Plexor routing after uninstall
+    let routingDisabled = false;
+    if (settingsManager) {
+      try {
+        routingDisabled = settingsManager.disablePlexorRouting();
+      } catch (e) {
+        // Continue with uninstall even if routing cleanup fails
+      }
+    }
+
     // Get list of our command files
     const files = fs.readdirSync(COMMANDS_SOURCE)
       .filter(f => f.endsWith('.md'));
@@ -39,12 +60,21 @@ function main() {
       }
     }
 
-    if (removed.length > 0) {
+    if (removed.length > 0 || routingDisabled) {
       console.log('');
       console.log('  Plexor plugin uninstalled');
       console.log('');
-      console.log('  Removed commands:');
-      removed.forEach(cmd => console.log(`    /${cmd}`));
+
+      if (routingDisabled) {
+        console.log('  ✓ Claude Code routing disabled');
+        console.log('    (Claude Code now connects directly to Anthropic)');
+        console.log('');
+      }
+
+      if (removed.length > 0) {
+        console.log('  Removed commands:');
+        removed.forEach(cmd => console.log(`    /${cmd}`));
+      }
 
       if (restored.length > 0) {
         console.log('');