archbyte 0.3.4 → 0.4.0

package/dist/cli/auth.js

@@ -4,6 +4,7 @@ import * as http from "http";
 import { spawn } from "child_process";
 import chalk from "chalk";
 import { CONFIG_DIR, CREDENTIALS_PATH, API_BASE, CLI_CALLBACK_PORT, OAUTH_TIMEOUT_MS, } from "./constants.js";
+import { confirm, select, textInput } from "./ui.js";
 export async function handleLogin(provider) {
     console.log();
     console.log(chalk.bold.cyan("ArchByte Login"));
@@ -32,10 +33,39 @@ export async function handleLogin(provider) {
             // Offline — use cached tier
         }
         console.log(chalk.green(`Already logged in as ${chalk.bold(existing.email)} (${existing.tier} tier)`));
-        console.log(chalk.gray("Run `archbyte logout` to sign out."));
+        console.log();
+        const addAnother = await confirm("Add a different account?");
+        if (!addAnother) {
+            console.log(chalk.gray("Run `archbyte logout` to sign out."));
+            return;
+        }
+        console.log();
+    }
+    // Pick provider: use explicit flag, or show interactive picker
+    let selectedProvider = provider ?? "github";
+    if (!provider) {
+        const providers = ["GitHub", "Google", "Email & Password"];
+        const idx = await select("Sign in with:", providers);
+        selectedProvider = ["github", "google", "email"][idx];
+        console.log();
+    }
+    // Email/password flow — direct API call, no browser
+    if (selectedProvider === "email") {
+        try {
+            const credentials = await emailPasswordFlow();
+            saveCredentials(credentials);
+            cacheVerifiedTier(credentials.tier === "premium" ? "premium" : "free", credentials.email);
+            console.log();
+            console.log(chalk.green(`Logged in as ${chalk.bold(credentials.email)} (${credentials.tier} tier)`));
+            console.log(chalk.gray(`Credentials saved to ${CREDENTIALS_PATH}`));
+        }
+        catch (err) {
+            console.error(chalk.red(`Login failed: ${err instanceof Error ? err.message : "Unknown error"}`));
+            process.exit(1);
+        }
         return;
     }
-    const selectedProvider = provider ?? "github";
+    // OAuth flow (GitHub / Google)
     console.log(chalk.gray(`Opening browser for ${selectedProvider} sign-in...`));
     console.log();
     try {
@@ -92,26 +122,57 @@ export async function handleLoginWithToken(token) {
     }
 }
 // === Logout ===
-export async function handleLogout() {
+export async function handleLogout(options) {
     console.log();
-    const creds = loadCredentials();
-    if (!creds) {
+    const store = loadStore();
+    if (!store) {
         console.log(chalk.gray("Not logged in."));
         return;
     }
-    try {
-        fs.unlinkSync(CREDENTIALS_PATH);
+    const emails = Object.keys(store.accounts);
+    // Logout all accounts
+    if (options?.all) {
+        try {
+            fs.unlinkSync(CREDENTIALS_PATH);
+        }
+        catch { /* Ignore */ }
+        try {
+            fs.unlinkSync(TIER_CACHE_PATH);
+        }
+        catch { /* Ignore */ }
+        resetOfflineActions();
+        console.log(chalk.green(`Logged out of ${emails.length} account${emails.length === 1 ? "" : "s"}.`));
+        return;
     }
-    catch {
-        // Ignore
+    // Determine which account to remove
+    const targetEmail = options?.email ?? store.active;
+    if (!store.accounts[targetEmail]) {
+        console.log(chalk.yellow(`No account found for ${targetEmail}.`));
+        return;
     }
-    // Clean up tier cache and offline action tracker
-    try {
-        fs.unlinkSync(TIER_CACHE_PATH);
+    delete store.accounts[targetEmail];
+    const remaining = Object.keys(store.accounts);
+    if (remaining.length === 0) {
+        // Last account — delete the file entirely
+        try {
+            fs.unlinkSync(CREDENTIALS_PATH);
+        }
+        catch { /* Ignore */ }
+        try {
+            fs.unlinkSync(TIER_CACHE_PATH);
+        }
+        catch { /* Ignore */ }
+        resetOfflineActions();
     }
-    catch { /* Ignore */ }
-    resetOfflineActions();
-    console.log(chalk.green(`Logged out (was ${creds.email}).`));
+    else {
+        // Auto-switch if we removed the active account
+        if (store.active === targetEmail) {
+            store.active = remaining[0];
+            console.log(chalk.gray(`Switched active account to ${store.active}`));
+        }
+        saveStore(store);
+    }
+    console.log(chalk.green(`Logged out (was ${targetEmail}).`));
 }
 // === Status ===
 export async function handleStatus() {
@@ -145,32 +206,105 @@ export async function handleStatus() {
     }
     console.log();
 }
+// === Accounts ===
+export async function handleAccounts() {
+    console.log();
+    console.log(chalk.bold.cyan("ArchByte Accounts"));
+    console.log();
+    const store = loadStore();
+    if (!store || Object.keys(store.accounts).length === 0) {
+        console.log(chalk.yellow("No accounts. Run `archbyte login` to sign in."));
+        return;
+    }
+    for (const [email, creds] of Object.entries(store.accounts)) {
+        const isActive = email === store.active;
+        const marker = isActive ? chalk.green("*") : " ";
+        const tier = creds.tier === "premium" ? chalk.green("Pro") : "Basic";
+        const expired = isExpired(creds) ? chalk.red(" (expired)") : "";
+        console.log(`  ${marker} ${chalk.bold(email)}  ${tier}${expired}`);
+    }
+    console.log();
+    console.log(chalk.gray("* = active account"));
+    console.log(chalk.gray("Switch: archbyte accounts switch [email]"));
+    console.log();
+}
+export async function handleAccountSwitch(email) {
+    console.log();
+    const store = loadStore();
+    if (!store || Object.keys(store.accounts).length === 0) {
+        console.log(chalk.yellow("No accounts. Run `archbyte login` to sign in."));
+        return;
+    }
+    const emails = Object.keys(store.accounts);
+    if (emails.length === 1) {
+        console.log(chalk.gray(`Only one account: ${emails[0]}`));
+        return;
+    }
+    let target = email;
+    if (!target) {
+        // Interactive selection
+        const idx = await select("Switch to account:", emails.map((e) => {
+            const active = e === store.active ? chalk.green(" (active)") : "";
+            const tier = store.accounts[e].tier === "premium" ? " Pro" : "";
+            return `${e}${tier}${active}`;
+        }));
+        target = emails[idx];
+    }
+    if (!store.accounts[target]) {
+        console.log(chalk.red(`Account not found: ${target}`));
+        console.log(chalk.gray(`Available: ${emails.join(", ")}`));
+        return;
+    }
+    if (store.active === target) {
+        console.log(chalk.gray(`Already active: ${target}`));
+        return;
+    }
+    store.active = target;
+    saveStore(store);
+    console.log(chalk.green(`Switched to ${chalk.bold(target)}`));
+}
 // === Credential Helpers (exported for license gate) ===
-export function loadCredentials() {
+function isMultiAccountStore(data) {
+    return (typeof data === "object" &&
+        data !== null &&
+        data.version === 2 &&
+        typeof data.active === "string" &&
+        typeof data.accounts === "object" &&
+        data.accounts !== null);
+}
+function loadStore() {
     try {
-        if (fs.existsSync(CREDENTIALS_PATH)) {
-            const data = JSON.parse(fs.readFileSync(CREDENTIALS_PATH, "utf-8"));
-            // Validate structure — reject malformed credentials
-            if (typeof data?.token !== "string" ||
-                typeof data?.email !== "string" ||
-                typeof data?.tier !== "string" ||
-                typeof data?.expiresAt !== "string") {
-                return null;
-            }
-            return data;
+        if (!fs.existsSync(CREDENTIALS_PATH))
+            return null;
+        const raw = JSON.parse(fs.readFileSync(CREDENTIALS_PATH, "utf-8"));
+        // Already multi-account format
+        if (isMultiAccountStore(raw))
+            return raw;
+        // Auto-migrate old single-account format
+        if (typeof raw?.token === "string" &&
+            typeof raw?.email === "string" &&
+            typeof raw?.tier === "string" &&
+            typeof raw?.expiresAt === "string") {
+            const creds = raw;
+            const store = {
+                version: 2,
+                active: creds.email,
+                accounts: { [creds.email]: creds },
+            };
+            saveStore(store);
+            return store;
         }
+        return null;
     }
     catch {
-        // Ignore — corrupt file treated as no credentials
+        return null;
     }
-    return null;
 }
-function saveCredentials(creds) {
+function saveStore(store) {
     if (!fs.existsSync(CONFIG_DIR)) {
         fs.mkdirSync(CONFIG_DIR, { recursive: true });
     }
-    fs.writeFileSync(CREDENTIALS_PATH, JSON.stringify(creds, null, 2), "utf-8");
-    // Restrict permissions (owner-only read/write)
+    fs.writeFileSync(CREDENTIALS_PATH, JSON.stringify(store, null, 2), "utf-8");
     try {
         fs.chmodSync(CREDENTIALS_PATH, 0o600);
     }
@@ -178,8 +312,41 @@ function saveCredentials(creds) {
         // Windows doesn't support chmod
     }
 }
+export function loadCredentials() {
+    const store = loadStore();
+    if (!store)
+        return null;
+    const creds = store.accounts[store.active];
+    if (!creds ||
+        typeof creds.token !== "string" ||
+        typeof creds.email !== "string" ||
+        typeof creds.tier !== "string" ||
+        typeof creds.expiresAt !== "string") {
+        return null;
+    }
+    return creds;
+}
+function saveCredentials(creds) {
+    const store = loadStore() ?? {
+        version: 2,
+        active: creds.email,
+        accounts: {},
+    };
+    store.accounts[creds.email] = creds;
+    store.active = creds.email;
+    saveStore(store);
+}
+/**
+ * Check if credentials are expired. Treats invalid/unparseable dates
+ * as expired (fail-closed) to prevent corrupted files from bypassing
+ * expiry checks.
+ */
 function isExpired(creds) {
-    return new Date(creds.expiresAt) < new Date();
+    const expiry = new Date(creds.expiresAt);
+    // Invalid Date — treat as expired (fail-closed)
+    if (isNaN(expiry.getTime()))
+        return true;
+    return expiry < new Date();
 }
 function parseJWTPayload(token) {
     try {
@@ -268,6 +435,9 @@ const OFFLINE_MAX_FREE = 0; // Free users: 0 offline actions (must verify online
 /**
  * Check if an offline action is allowed. Returns true if within limits.
  * Increments the counter when allowed.
+ *
+ * Uses atomic write-to-temp-then-rename to prevent race conditions
+ * between concurrent CLI invocations.
  */
 export function checkOfflineAction() {
     const tier = getVerifiedTier();
@@ -293,13 +463,15 @@ export function checkOfflineAction() {
                 reason: `Offline action limit reached (${maxActions}/${maxActions}). Reconnect to the license server to continue.`,
             };
         }
-        // Increment and save
+        // Increment and save atomically (write to temp file, then rename)
         data.count++;
-        fs.writeFileSync(OFFLINE_ACTIONS_PATH, JSON.stringify(data), "utf-8");
+        const tmpPath = OFFLINE_ACTIONS_PATH + `.${process.pid}.tmp`;
+        fs.writeFileSync(tmpPath, JSON.stringify(data), "utf-8");
         try {
-            fs.chmodSync(OFFLINE_ACTIONS_PATH, 0o600);
+            fs.chmodSync(tmpPath, 0o600);
         }
         catch { /* Windows */ }
+        fs.renameSync(tmpPath, OFFLINE_ACTIONS_PATH);
         return { allowed: true };
     }
     catch {
@@ -319,54 +491,121 @@ export function resetOfflineActions() {
         // Non-critical
     }
 }
+// === Email/Password Flow ===
+async function emailPasswordFlow() {
+    const email = await textInput("Email");
+    if (!email)
+        throw new Error("Email is required.");
+    const password = await textInput("Password", { mask: true });
+    if (!password)
+        throw new Error("Password is required.");
+    const res = await fetch(`${API_BASE}/api/v1/auth/login`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ email, password }),
+    });
+    if (res.status === 401) {
+        console.log();
+        console.log(chalk.yellow("No account found with those credentials."));
+        const shouldSignUp = await confirm("Create a new account?");
+        if (!shouldSignUp)
+            throw new Error("Login cancelled.");
+        return emailSignupFlow(email, password);
+    }
+    if (!res.ok) {
+        const body = await res.json().catch(() => ({ error: "Unknown error" }));
+        throw new Error(body.error ?? `Login failed (${res.status})`);
+    }
+    return parseTokenResponse(await res.json());
+}
+async function emailSignupFlow(email, password) {
+    const name = await textInput("Name (optional)");
+    const res = await fetch(`${API_BASE}/api/v1/auth/signup`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ email, password, name: name || undefined }),
+    });
+    if (!res.ok) {
+        const body = await res.json().catch(() => ({ error: "Unknown error" }));
+        throw new Error(body.error ?? `Signup failed (${res.status})`);
+    }
+    return parseTokenResponse(await res.json());
+}
+function parseTokenResponse(data) {
+    const { token, user } = data;
+    const payload = parseJWTPayload(token);
+    return {
+        token,
+        email: user.email,
+        tier: user.tier,
+        expiresAt: payload?.exp
+            ? new Date(payload.exp * 1000).toISOString()
+            : new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString(),
+    };
+}
 // === OAuth Flow ===
 function startOAuthFlow(provider = "github") {
     return new Promise((resolve, reject) => {
+        let resolved = false;
         const timeout = setTimeout(() => {
             server.close();
-            reject(new Error("Login timed out (60s). Try again or use --token."));
+            if (!resolved) {
+                resolved = true;
+                reject(new Error("Login timed out (60s). Try again or use --token."));
+            }
         }, OAUTH_TIMEOUT_MS);
         const server = http.createServer(async (req, res) => {
             const url = new URL(req.url ?? "/", `http://localhost:${CLI_CALLBACK_PORT}`);
-            if (url.pathname === "/callback") {
-                // Extract token from raw query string, not URLSearchParams
-                // (URLSearchParams decodes '+' as space per x-www-form-urlencoded, corrupting JWT signatures)
-                const rawQuery = (req.url ?? "").split("?")[1] ?? "";
-                const tokenMatch = rawQuery.match(/(?:^|&)token=([^&]+)/);
-                const token = tokenMatch ? decodeURIComponent(tokenMatch[1]) : null;
-                if (!token) {
-                    res.writeHead(400, { "Content-Type": "text/html" });
-                    res.end("<h1>Login failed</h1><p>No token received. Close this window and try again.</p>");
-                    return;
-                }
+            // Only handle /callback — return 404 for everything else
+            if (url.pathname !== "/callback") {
+                res.writeHead(404, { "Content-Type": "text/html" });
+                res.end("<h1>Not found</h1><p>This server only handles OAuth callbacks.</p>");
+                return;
+            }
+            // Prevent double-processing (e.g. browser retry, double-click)
+            if (resolved) {
                 res.writeHead(200, { "Content-Type": "text/html" });
-                res.end("<h1>Login successful!</h1><p>You can close this window and return to your terminal.</p>");
-                clearTimeout(timeout);
-                server.close();
-                // Fetch user info with the token
-                try {
-                    const meRes = await fetch(`${API_BASE}/api/v1/me`, {
-                        headers: { Authorization: `Bearer ${token}` },
-                    });
-                    if (!meRes.ok) {
-                        const errBody = await meRes.text().catch(() => "");
-                        reject(new Error(`Failed to fetch user info (${meRes.status}: ${errBody})`));
-                        return;
-                    }
-                    const { user } = (await meRes.json());
-                    const payload = parseJWTPayload(token);
-                    resolve({
-                        token,
-                        email: user.email,
-                        tier: user.tier,
-                        expiresAt: payload?.exp
-                            ? new Date(payload.exp * 1000).toISOString()
-                            : new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString(),
-                    });
-                }
-                catch (err) {
-                    reject(err);
+                res.end("<h1>Already processed</h1><p>You can close this window.</p>");
+                return;
+            }
+            // Extract token from raw query string, not URLSearchParams
+            // (URLSearchParams decodes '+' as space per x-www-form-urlencoded, corrupting JWT signatures)
+            const rawQuery = (req.url ?? "").split("?")[1] ?? "";
+            const tokenMatch = rawQuery.match(/(?:^|&)token=([^&]+)/);
+            const token = tokenMatch ? decodeURIComponent(tokenMatch[1]) : null;
+            if (!token) {
+                res.writeHead(400, { "Content-Type": "text/html" });
+                res.end("<h1>Login failed</h1><p>No token received. Close this window and try again.</p>");
+                return;
+            }
+            res.writeHead(200, { "Content-Type": "text/html" });
+            res.end("<h1>Login successful!</h1><p>You can close this window and return to your terminal.</p>");
+            resolved = true;
+            clearTimeout(timeout);
+            server.close();
+            // Fetch user info with the token
+            try {
+                const meRes = await fetch(`${API_BASE}/api/v1/me`, {
+                    headers: { Authorization: `Bearer ${token}` },
+                });
+                if (!meRes.ok) {
+                    const errBody = await meRes.text().catch(() => "");
+                    reject(new Error(`Failed to fetch user info (${meRes.status}: ${errBody})`));
+                    return;
                 }
+                const { user } = (await meRes.json());
+                const payload = parseJWTPayload(token);
+                resolve({
+                    token,
+                    email: user.email,
+                    tier: user.tier,
+                    expiresAt: payload?.exp
+                        ? new Date(payload.exp * 1000).toISOString()
+                        : new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString(),
+                });
+            }
+            catch (err) {
+                reject(err);
             }
         });
         server.listen(CLI_CALLBACK_PORT, "127.0.0.1", () => {

package/dist/cli/config.d.ts

@@ -1,6 +1,7 @@
 import type { ArchByteConfig } from "../agents/runtime/types.js";
 interface ConfigOptions {
     args: string[];
+    raw?: boolean;
 }
 export declare function handleConfig(options: ConfigOptions): Promise<void>;
 /**

package/dist/cli/config.js

@@ -1,7 +1,9 @@
 import * as fs from "fs";
+import { execSync } from "child_process";
 import chalk from "chalk";
 import { CONFIG_DIR, CONFIG_PATH } from "./constants.js";
-const VALID_PROVIDERS = ["anthropic", "openai", "google"];
+import { maskKey } from "./utils.js";
+const VALID_PROVIDERS = ["anthropic", "openai", "google", "claude-sdk"];
 export async function handleConfig(options) {
     const [action, key, value] = options.args;
     if (!action || action === "show") {
@@ -22,7 +24,7 @@ export async function handleConfig(options) {
             console.error(chalk.red("Usage: archbyte config get <key>"));
             process.exit(1);
         }
-        getConfig(key);
+        getConfig(key, options.raw);
         return;
     }
     if (action === "path") {
@@ -52,6 +54,13 @@ function saveConfig(config) {
         fs.mkdirSync(CONFIG_DIR, { recursive: true });
     }
     fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), "utf-8");
+    // Restrict permissions — config contains API keys in profiles
+    try {
+        fs.chmodSync(CONFIG_PATH, 0o600);
+    }
+    catch {
+        // Windows doesn't support chmod
+    }
 }
 function showConfig() {
     const config = loadConfig();
@@ -66,7 +75,8 @@ function showConfig() {
         console.log(chalk.gray("  archbyte init"));
         return;
     }
-    console.log(`  ${chalk.bold("provider")}: ${config.provider ?? chalk.gray("not set")}`);
+    const providerDisplay = config.provider === "claude-sdk" ? "Claude Code (SDK)" : config.provider;
+    console.log(`  ${chalk.bold("provider")}: ${providerDisplay ?? chalk.gray("not set")}`);
     // Show profiles
     if (configured.length > 0) {
         console.log();
@@ -100,8 +110,10 @@ function setConfig(key, value) {
                 process.exit(1);
             }
             config.provider = value;
-            // Check if this provider has a stored profile
-            if (profiles[value]?.apiKey) {
+            if (value === "claude-sdk") {
+                console.log(chalk.green("Switched to Claude Code (SDK) — no API key needed."));
+            }
+            else if (profiles[value]?.apiKey) {
                 console.log(chalk.green(`Switched to ${value} (credentials on file)`));
             }
             else {
@@ -149,7 +161,7 @@ function setConfig(key, value) {
         console.log(chalk.green(`Set ${key} = ${key.includes("key") ? maskKey(value) : value}`));
     }
 }
-function getConfig(key) {
+function getConfig(key, raw = false) {
     const config = loadConfig();
     const profiles = (config.profiles ?? {});
     const active = config.provider;
@@ -160,9 +172,13 @@ function getConfig(key) {
             break;
         case "api-key":
         case "apiKey":
-        case "key":
-            console.log(profile?.apiKey ?? config.apiKey ?? "");
+        case "key": {
+            const apiKey = profile?.apiKey ?? config.apiKey ?? "";
+            // Mask by default to prevent accidental exposure in logs/recordings.
+            // Use `archbyte config get api-key --raw` for the unmasked value.
+            console.log(raw ? apiKey : (apiKey ? maskKey(apiKey) : ""));
             break;
+        }
         case "model":
             console.log(profile?.model ?? config.model ?? "");
             break;
@@ -171,11 +187,6 @@ function getConfig(key) {
             process.exit(1);
     }
 }
-function maskKey(key) {
-    if (key.length <= 8)
-        return "****";
-    return key.slice(0, 6) + "..." + key.slice(-4);
-}
 /**
  * Resolve the full ArchByteConfig from config file + env vars.
  * Supports profiles (new) and legacy flat config (backward compat).
@@ -184,8 +195,11 @@ function maskKey(key) {
 export function resolveConfig() {
     const config = loadConfig();
     const provider = process.env.ARCHBYTE_PROVIDER ?? config.provider;
-    // Reject unknown providers
+    // Reject unknown providers with a helpful message
     if (provider && !VALID_PROVIDERS.includes(provider)) {
+        if (process.env.ARCHBYTE_PROVIDER) {
+            console.error(chalk.red(`Invalid ARCHBYTE_PROVIDER="${provider}". Must be: ${VALID_PROVIDERS.join(", ")}`));
+        }
         return null;
     }
     // Resolve API key + model from profiles first, then legacy flat keys
@@ -193,8 +207,20 @@ export function resolveConfig() {
     const profile = provider ? profiles[provider] : undefined;
     const apiKey = process.env.ARCHBYTE_API_KEY ?? profile?.apiKey ?? config.apiKey;
     const model = process.env.ARCHBYTE_MODEL ?? profile?.model ?? config.model;
-    // Auto-detect from known env vars if nothing explicit
+    // claude-sdk provider doesn't need an API key
+    if (provider === "claude-sdk") {
+        return {
+            provider,
+            model: model,
+        };
+    }
+    // Auto-detect if nothing explicitly configured
     if (!provider && !apiKey) {
+        // Claude Code on PATH → zero-config, preferred
+        if (isClaudeCodeOnPath()) {
+            return { provider: "claude-sdk" };
+        }
+        // Fall back to API key env vars
         if (process.env.ANTHROPIC_API_KEY) {
             return { provider: "anthropic", apiKey: process.env.ANTHROPIC_API_KEY };
         }
@@ -217,3 +243,13 @@ export function resolveConfig() {
         model: model,
     };
 }
+function isClaudeCodeOnPath() {
+    try {
+        const cmd = process.platform === "win32" ? "where claude" : "which claude";
+        execSync(cmd, { stdio: "pipe" });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}

package/dist/cli/constants.js

@@ -1,6 +1,7 @@
 // Shared constants for the ArchByte CLI.
 // Single source of truth for URLs, ports, paths, and timeouts.
 import * as path from "path";
+import { resolveHome } from "./utils.js";
 // ─── API ───
 export const API_BASE = process.env.ARCHBYTE_API_URL ?? "https://api.heartbyte.io";
 export const SITE_URL = "https://archbyte.heartbyte.io";
@@ -8,7 +9,9 @@ export const SITE_URL = "https://archbyte.heartbyte.io";
 export const DEFAULT_PORT = 3847;
 export const CLI_CALLBACK_PORT = 19274;
 // ─── Paths ───
-export const CONFIG_DIR = path.join(process.env.HOME ?? process.env.USERPROFILE ?? ".", ".archbyte");
+// resolveHome() throws if HOME/USERPROFILE is unset (e.g. in bare containers),
+// giving a clear error instead of silently writing to "./.archbyte".
+export const CONFIG_DIR = path.join(resolveHome(), ".archbyte");
 export const CONFIG_PATH = path.join(CONFIG_DIR, "config.json");
 export const CREDENTIALS_PATH = path.join(CONFIG_DIR, "credentials.json");
 /** Project-local .archbyte directory name */