biblioplex 0.1.1 → 0.2.0

package/src/oauth.mjs

@@ -1,10 +1,13 @@
-// OAuth 2.1 authorization-code + PKCE with an RFC 8252 loopback redirect, plus
-// refresh and revoke. Talks to the biblioplex worker's /authorize, /token and
-// /revoke endpoints. fetchImpl + openBrowser are injectable for tests.
+// OAuth 2.0 authorization-code + PKCE (S256) against the Biblioplex MCP OAuth
+// endpoints, using dynamic client registration (RFC 7591) and an RFC 8252
+// loopback redirect. The Biblioplex worker has no revocation endpoint, so
+// logout is local-only (see commands/logout.mjs).
+//
+// fetchImpl + openBrowser are injectable for tests.
 import http from 'node:http';
 import { execFile } from 'node:child_process';
 import { createPkce, randomState } from './pkce.mjs';
-import { CLI_CLIENT_ID } from './constants.mjs';
+import { CLIENT_LABEL } from './constants.mjs';
 import { CliError } from './errors.mjs';
 
 const SUCCESS_HTML = `<!doctype html><meta charset="utf-8"><title>biblioplex</title>
@@ -14,116 +17,251 @@ const SUCCESS_HTML = `<!doctype html><meta charset="utf-8"><title>biblioplex</ti
 </body>`;
 
 export function defaultOpenBrowser(url) {
-  const cmds = process.platform === 'darwin'
-    ? ['open', [url]]
-    : process.platform === 'win32'
-      ? ['cmd', ['/c', 'start', '', url]]
-      : ['xdg-open', [url]];
+  const cmds =
+    process.platform === 'darwin'
+      ? ['open', [url]]
+      : process.platform === 'win32'
+        ? ['cmd', ['/c', 'start', '', url]]
+        : ['xdg-open', [url]];
   return new Promise((resolve) => {
     execFile(cmds[0], cmds[1], (err) => resolve(!err));
   });
 }
 
-function postForm(base, path, body, fetchImpl) {
-  return fetchImpl(base + path, {
+function postJson(url, body, fetchImpl) {
+  return fetchImpl(url, {
     method: 'POST',
     headers: { 'Content-Type': 'application/json', Accept: 'application/json' },
     body: JSON.stringify(body),
   });
 }
 
-export async function exchangeCode({ base, code, verifier, redirectUri, fetchImpl = fetch }) {
-  const res = await postForm(base, '/token', {
-    grant_type: 'authorization_code',
-    code,
-    client_id: CLI_CLIENT_ID,
-    redirect_uri: redirectUri,
-    code_verifier: verifier,
-  }, fetchImpl);
+// An endpoint advertised in server metadata may be absolute or origin-relative.
+function resolveEndpoint(origin, value, fallbackPath) {
+  if (!value) return origin + fallbackPath;
+  try {
+    return new URL(value).href;
+  } catch {
+    return origin + (value.startsWith('/') ? value : '/' + value);
+  }
+}
+
+// GET /.well-known/oauth-authorization-server -> normalized endpoint set.
+export async function discover(origin, fetchImpl = fetch) {
+  let res;
+  try {
+    res = await fetchImpl(origin + '/.well-known/oauth-authorization-server', {
+      headers: { Accept: 'application/json' },
+    });
+  } catch (e) {
+    throw new CliError(`could not reach ${origin}: ${e.message}`);
+  }
+  if (!res.ok) throw new CliError(`OAuth discovery failed (${res.status}) at ${origin}`);
+  const meta = await res.json().catch(() => ({}));
+  const methods = meta.code_challenge_methods_supported || ['S256'];
+  if (!methods.includes('S256')) {
+    throw new CliError('server does not advertise PKCE S256 — cannot log in safely');
+  }
+  return {
+    authorizationEndpoint: resolveEndpoint(origin, meta.authorization_endpoint, '/authorize'),
+    tokenEndpoint: resolveEndpoint(origin, meta.token_endpoint, '/token'),
+    registrationEndpoint: resolveEndpoint(origin, meta.registration_endpoint, '/register'),
+    raw: meta,
+  };
+}
+
+// Dynamic client registration (RFC 7591) for a public, loopback client.
+export async function registerClient({
+  registrationEndpoint,
+  redirectUris,
+  scope,
+  fetchImpl = fetch,
+}) {
+  const res = await postJson(
+    registrationEndpoint,
+    {
+      client_name: CLIENT_LABEL,
+      redirect_uris: redirectUris,
+      token_endpoint_auth_method: 'none',
+      grant_types: ['authorization_code', 'refresh_token'],
+      response_types: ['code'],
+      scope,
+    },
+    fetchImpl,
+  );
   const data = await res.json().catch(() => ({}));
-  if (!res.ok) throw new CliError('token exchange failed: ' + (data.error_description || data.error || res.status));
+  if (!res.ok || !data.client_id) {
+    throw new CliError(
+      'client registration failed: ' + (data.error_description || data.error || res.status),
+      3,
+    );
+  }
   return data;
 }
 
-export async function refreshTokens({ base, refreshToken, fetchImpl = fetch }) {
-  const res = await postForm(base, '/token', {
-    grant_type: 'refresh_token',
-    refresh_token: refreshToken,
-    client_id: CLI_CLIENT_ID,
-  }, fetchImpl);
+export async function exchangeCode({
+  tokenEndpoint,
+  clientId,
+  code,
+  verifier,
+  redirectUri,
+  fetchImpl = fetch,
+}) {
+  const res = await postJson(
+    tokenEndpoint,
+    {
+      grant_type: 'authorization_code',
+      code,
+      client_id: clientId,
+      redirect_uri: redirectUri,
+      code_verifier: verifier,
+    },
+    fetchImpl,
+  );
   const data = await res.json().catch(() => ({}));
-  if (!res.ok) throw new CliError('session expired — run `bp login` again', 3);
+  if (!res.ok) {
+    throw new CliError(
+      'token exchange failed: ' + (data.error_description || data.error || res.status),
+      3,
+    );
+  }
   return data;
 }
 
-export async function revokeToken({ base, token, fetchImpl = fetch }) {
-  try {
-    await postForm(base, '/revoke', { token }, fetchImpl);
-  } catch { /* logout is best-effort; local creds are cleared regardless */ }
+// Single-use rotating refresh. On invalid_client the caller should re-login
+// (the dynamic registration likely expired). Distinguishes the error cause so
+// the caller can react.
+export async function refreshTokens({ tokenEndpoint, clientId, refreshToken, fetchImpl = fetch }) {
+  const res = await postJson(
+    tokenEndpoint,
+    { grant_type: 'refresh_token', refresh_token: refreshToken, client_id: clientId },
+    fetchImpl,
+  );
+  const data = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    const err = new CliError('session expired — run `bp login` again', 3);
+    err.oauthError = data.error || String(res.status);
+    err.invalidClient = data.error === 'invalid_client';
+    throw err;
+  }
+  return data;
 }
 
-// Runs the interactive browser login. Returns the raw /token response.
+// Interactive browser login. Starts a loopback listener, registers a public
+// client bound to that exact redirect URI, runs the authorization-code+PKCE
+// flow, and exchanges the code. Returns { tokens, clientId } to persist.
 export async function login({
-  base, scope, out, noBrowser = false,
-  openBrowser = defaultOpenBrowser, fetchImpl = fetch, timeoutMs = 300000,
+  origin,
+  scope,
+  out,
+  noBrowser = false,
+  openBrowser = defaultOpenBrowser,
+  fetchImpl = fetch,
+  timeoutMs = 300000,
 }) {
+  const meta = await discover(origin, fetchImpl);
   const { verifier, challenge, method } = createPkce();
   const state = randomState();
 
+  let clientId = null;
   const { code, redirectUri } = await new Promise((resolve, reject) => {
     let redirect = '';
     let timer;
-    function cleanup() { clearTimeout(timer); try { server.close(); } catch {} }
+    const cleanup = () => {
+      clearTimeout(timer);
+      try {
+        server.close();
+      } catch {
+        /* already closed */
+      }
+    };
 
     const server = http.createServer((req, res) => {
       const url = new URL(req.url, 'http://127.0.0.1');
-      if (url.pathname === '/favicon.ico') { res.writeHead(204); res.end(); return; }
-      if (url.pathname !== '/callback') { res.writeHead(404); res.end('not found'); return; }
-
+      if (url.pathname === '/favicon.ico') {
+        res.writeHead(204);
+        res.end();
+        return;
+      }
+      if (url.pathname !== '/callback') {
+        res.writeHead(404);
+        res.end('not found');
+        return;
+      }
       const params = url.searchParams;
-      // Validate CSRF state first — including on error responses — so a stray
-      // local request can't abort or influence the in-flight login.
+      // Validate CSRF state first — even on error responses — so a stray local
+      // request cannot abort or influence the in-flight login.
       if (params.get('state') !== state) {
         res.writeHead(400, { 'Content-Type': 'text/plain' });
         res.end('state mismatch');
-        cleanup(); reject(new CliError('login aborted: OAuth state mismatch (possible CSRF)', 3));
+        cleanup();
+        reject(new CliError('login aborted: OAuth state mismatch (possible CSRF)', 3));
         return;
       }
       if (params.get('error')) {
         res.writeHead(400, { 'Content-Type': 'text/plain' });
         res.end('authorization failed: ' + params.get('error'));
-        cleanup(); reject(new CliError('authorization denied: ' + params.get('error'), 3));
+        cleanup();
+        reject(new CliError('authorization denied: ' + params.get('error'), 3));
         return;
       }
       res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
       res.end(SUCCESS_HTML);
-      const code = params.get('code');
+      const received = params.get('code');
       cleanup();
-      resolve({ code, redirectUri: redirect });
+      resolve({ code: received, redirectUri: redirect });
+    });
+
+    server.on('error', (e) => {
+      cleanup();
+      reject(new CliError('could not start local login listener: ' + e.message));
     });
 
-    server.on('error', (e) => { cleanup(); reject(new CliError('could not start local login listener: ' + e.message)); });
     server.listen(0, '127.0.0.1', async () => {
-      redirect = `http://127.0.0.1:${server.address().port}/callback`;
-      const authUrl = new URL(base + '/authorize');
-      authUrl.searchParams.set('response_type', 'code');
-      authUrl.searchParams.set('client_id', CLI_CLIENT_ID);
-      authUrl.searchParams.set('redirect_uri', redirect);
-      authUrl.searchParams.set('code_challenge', challenge);
-      authUrl.searchParams.set('code_challenge_method', method);
-      authUrl.searchParams.set('scope', scope);
-      authUrl.searchParams.set('state', state);
-
-      out.info('opening your browser to sign in…');
-      out.info('if it does not open, visit:\n  ' + authUrl.href + '\n');
-      timer = setTimeout(() => { cleanup(); reject(new CliError('login timed out after ' + Math.round(timeoutMs / 1000) + 's', 3)); }, timeoutMs);
-      if (!noBrowser) {
-        const opened = await openBrowser(authUrl.href);
-        if (!opened) out.info('(could not launch a browser automatically — open the link above)');
+      try {
+        redirect = `http://127.0.0.1:${server.address().port}/callback`;
+        const reg = await registerClient({
+          registrationEndpoint: meta.registrationEndpoint,
+          redirectUris: [redirect],
+          scope,
+          fetchImpl,
+        });
+        clientId = reg.client_id;
+
+        const authUrl = new URL(meta.authorizationEndpoint);
+        authUrl.searchParams.set('response_type', 'code');
+        authUrl.searchParams.set('client_id', clientId);
+        authUrl.searchParams.set('redirect_uri', redirect);
+        authUrl.searchParams.set('code_challenge', challenge);
+        authUrl.searchParams.set('code_challenge_method', method);
+        authUrl.searchParams.set('scope', scope);
+        authUrl.searchParams.set('state', state);
+
+        out.info('opening your browser to sign in…');
+        out.info('if it does not open, visit:\n  ' + authUrl.href + '\n');
+        timer = setTimeout(() => {
+          cleanup();
+          reject(new CliError('login timed out after ' + Math.round(timeoutMs / 1000) + 's', 3));
+        }, timeoutMs);
+        if (!noBrowser) {
+          const opened = await openBrowser(authUrl.href);
+          if (!opened) out.info('(could not launch a browser automatically — open the link above)');
+        }
+      } catch (e) {
+        cleanup();
+        reject(e);
       }
     });
   });
 
   if (!code) throw new CliError('no authorization code received', 3);
-  return exchangeCode({ base, code, verifier, redirectUri, fetchImpl });
+  const tokens = await exchangeCode({
+    tokenEndpoint: meta.tokenEndpoint,
+    clientId,
+    code,
+    verifier,
+    redirectUri,
+    fetchImpl,
+  });
+  return { tokens, clientId, tokenEndpoint: meta.tokenEndpoint };
 }

package/src/output.mjs

@@ -5,8 +5,13 @@
 // stays a single clean JSON document.
 
 const COLORS = {
-  reset: '\x1b[0m', dim: '\x1b[2m', bold: '\x1b[1m',
-  red: '\x1b[31m', green: '\x1b[32m', yellow: '\x1b[33m', cyan: '\x1b[36m',
+  reset: '\x1b[0m',
+  dim: '\x1b[2m',
+  bold: '\x1b[1m',
+  red: '\x1b[31m',
+  green: '\x1b[32m',
+  yellow: '\x1b[33m',
+  cyan: '\x1b[36m',
 };
 
 export function createOutput({ json = false, color = true } = {}) {
@@ -17,12 +22,12 @@ export function createOutput({ json = false, color = true } = {}) {
     json,
     useColor,
     c: {
-      dim: s => paint(COLORS.dim, s),
-      bold: s => paint(COLORS.bold, s),
-      red: s => paint(COLORS.red, s),
-      green: s => paint(COLORS.green, s),
-      yellow: s => paint(COLORS.yellow, s),
-      cyan: s => paint(COLORS.cyan, s),
+      dim: (s) => paint(COLORS.dim, s),
+      bold: (s) => paint(COLORS.bold, s),
+      red: (s) => paint(COLORS.red, s),
+      green: (s) => paint(COLORS.green, s),
+      yellow: (s) => paint(COLORS.yellow, s),
+      cyan: (s) => paint(COLORS.cyan, s),
     },
 
     // Primary success payload. JSON mode prints one envelope; otherwise calls
@@ -49,15 +54,17 @@ export function createOutput({ json = false, color = true } = {}) {
     table(columns, rows) {
       if (json || !rows.length) return;
       const widths = columns.map((col, i) =>
-        Math.max(col.header.length, ...rows.map(r => String(r[i] ?? '').length)));
-      const fmt = cells => cells
-        .map((cell, i) => {
-          const s = String(cell ?? '');
-          return columns[i].align === 'right' ? s.padStart(widths[i]) : s.padEnd(widths[i]);
-        })
-        .join('  ')
-        .replace(/\s+$/, '');
-      process.stdout.write(this.c.dim(fmt(columns.map(c => c.header))) + '\n');
+        Math.max(col.header.length, ...rows.map((r) => String(r[i] ?? '').length)),
+      );
+      const fmt = (cells) =>
+        cells
+          .map((cell, i) => {
+            const s = String(cell ?? '');
+            return columns[i].align === 'right' ? s.padStart(widths[i]) : s.padEnd(widths[i]);
+          })
+          .join('  ')
+          .replace(/\s+$/, '');
+      process.stdout.write(this.c.dim(fmt(columns.map((c) => c.header))) + '\n');
       for (const row of rows) process.stdout.write(fmt(row) + '\n');
     },
 
@@ -70,7 +77,9 @@ export function createOutput({ json = false, color = true } = {}) {
     error(err) {
       const message = err?.message || String(err);
       if (json) {
-        process.stdout.write(JSON.stringify({ ok: false, error: { message, ...(err?.extra || {}) } }, null, 2) + '\n');
+        process.stdout.write(
+          JSON.stringify({ ok: false, error: { message, ...(err?.extra || {}) } }, null, 2) + '\n',
+        );
       } else {
         process.stderr.write(this.c.red('error: ') + message + '\n');
       }

package/src/render.mjs

@@ -1,35 +1,140 @@
-// Shared rendering for card lists: aligned table rows and CSV (via the app's
-// adapters, so exports round-trip with the web app).
-import { formatLocationLabel } from '../vendor/collection.js';
-import { getAdapter, canonicalAdapter } from '../vendor/adapters.js';
-
-const COND_ABBR = { near_mint: 'NM', lightly_played: 'LP', moderately_played: 'MP', heavily_played: 'HP', damaged: 'DMG' };
-const FINISH_LABEL = { normal: '', foil: 'foil', etched: 'etched' };
-
-export const CARD_COLUMNS = [
-  { header: 'qty', align: 'right' },
-  { header: 'name' },
-  { header: 'set' },
-  { header: 'finish' },
-  { header: 'cond' },
-  { header: 'price', align: 'right' },
-  { header: 'location' },
+// Shape-tolerant rendering for MCP structuredContent results. The --json path
+// always emits the raw structuredContent (the stable, agent-facing contract);
+// human mode renders a best-effort table. Error statuses map to exit codes.
+import { EXIT } from './constants.mjs';
+import { CliError } from './errors.mjs';
+
+const ROW_KEYS = [
+  'rows',
+  'results',
+  'items',
+  'cards',
+  'inventory',
+  'containers',
+  'decklist',
+  'changes',
+  'history',
+  'candidates',
+  'data',
 ];
+const ERROR_STATUSES = new Set([
+  'parse_error',
+  'needs_input',
+  'invalid',
+  'not_found',
+  'unsafe',
+  'error',
+]);
+
+export function pickRows(sc) {
+  if (Array.isArray(sc)) return sc;
+  if (!sc || typeof sc !== 'object') return [];
+  for (const k of ROW_KEYS) if (Array.isArray(sc[k])) return sc[k];
+  return [];
+}
+
+function statusToExit(status) {
+  switch (status) {
+    case 'parse_error':
+    case 'needs_input':
+    case 'invalid':
+      return EXIT.USAGE;
+    case 'not_found':
+      return EXIT.NOT_FOUND;
+    case 'unsafe':
+      return EXIT.CONFLICT;
+    default:
+      return EXIT.ERROR;
+  }
+}
 
-export function cardRow(c) {
-  const price = typeof c.price === 'number' ? '$' + c.price.toFixed(2) : '';
-  return [
-    String(c.qty ?? ''),
-    c.resolvedName || c.name || '',
-    ((c.setCode || '').toUpperCase() + ' ' + (c.cn || '')).trim(),
-    FINISH_LABEL[c.finish] ?? c.finish ?? '',
-    COND_ABBR[c.condition] || c.condition || '',
-    price,
-    formatLocationLabel(c.location),
-  ];
+export function fmtMoney(v) {
+  if (v == null || v === '') return '—';
+  const n = typeof v === 'number' ? v : Number(v);
+  return Number.isFinite(n) ? '$' + n.toFixed(2) : String(v);
 }
 
-export function cardsToCsv(cards, format = 'canonical') {
-  const adapter = getAdapter(format) || canonicalAdapter;
-  return adapter.export(cards);
+function locLabel(v) {
+  if (!v) return '';
+  if (typeof v === 'string') return v;
+  if (typeof v === 'object') {
+    if (v.name) return v.type ? `${v.type}:${v.name}` : v.name;
+    return v.type || JSON.stringify(v);
+  }
+  return String(v);
 }
+
+function cell(value, col) {
+  if (value == null) return '';
+  if (col.loc) return locLabel(value);
+  if (col.money) return fmtMoney(value);
+  if (Array.isArray(value)) return value.join(',');
+  if (typeof value === 'object') return JSON.stringify(value);
+  return String(value);
+}
+
+function inferColumns(row) {
+  return Object.keys(row)
+    .slice(0, 6)
+    .map((key) => ({ key, header: key }));
+}
+
+export function renderTable(out, rows, columns) {
+  if (!rows.length) {
+    out.line('(no results)');
+    return;
+  }
+  // Keep only columns actually present in the data, so a projected SELECT or a
+  // shape we didn't anticipate still renders sensibly.
+  let cols =
+    columns && columns.length
+      ? columns.filter((c) => c.get || rows.some((r) => r[c.key] != null))
+      : [];
+  if (!cols.length) cols = inferColumns(rows[0]);
+  out.table(
+    cols.map((c) => ({ header: c.header || c.key, align: c.align })),
+    rows.map((r) => cols.map((c) => cell(c.get ? c.get(r) : r[c.key], c))),
+  );
+}
+
+// Standard read handler: raise error statuses (mapped to exit codes), else emit
+// JSON or a human table. Returns the exit code.
+export function emitResult(ctx, sc, { columns, render } = {}) {
+  const status = sc && typeof sc === 'object' ? sc.status : undefined;
+  if (status && ERROR_STATUSES.has(status)) {
+    throw new CliError(sc.message || sc.error || `request ${status}`, statusToExit(status), sc);
+  }
+  ctx.out.emit(sc, () => {
+    if (render) render(ctx.out, sc);
+    else renderTable(ctx.out, pickRows(sc), columns);
+    if (sc && (sc.hasMore || sc.nextCursor)) {
+      ctx.out.info(`… more available${sc.nextCursor ? ` (--cursor ${sc.nextCursor})` : ''}`);
+    }
+  });
+  return EXIT.OK;
+}
+
+export const INVENTORY_COLUMNS = [
+  { key: 'qty', header: 'qty', align: 'right' },
+  { key: 'name', header: 'name' },
+  { key: 'setCode', header: 'set' },
+  { key: 'finish', header: 'finish' },
+  { key: 'location', header: 'loc', loc: true },
+  { key: 'price', header: 'price', align: 'right', money: true },
+];
+
+export const CONTAINER_COLUMNS = [
+  { key: 'name', header: 'name' },
+  { key: 'type', header: 'type' },
+  // Physical cards in the container live in `stats`; deckListCount is the deck
+  // recipe size (0 for storage), so it can't be the "cards" count.
+  { header: 'cards', align: 'right', get: (r) => r.stats?.total ?? r.deckListCount ?? 0 },
+  { header: 'value', align: 'right', money: true, get: (r) => r.stats?.value },
+];
+
+export const DECKLIST_COLUMNS = [
+  { key: 'qty', header: 'qty', align: 'right' },
+  { key: 'name', header: 'name' },
+  { key: 'board', header: 'board' },
+  { key: 'typeLine', header: 'type' },
+];

package/src/store.mjs

@@ -1,22 +1,51 @@
 // Local persistence for credentials and config. The refresh token is a 30-day
 // bearer secret, so the file is 0600 inside a 0700 directory on POSIX. (Windows
-// relies on per-user ACLs; chmod is skipped there.)
-import { readFileSync, writeFileSync, mkdirSync, rmSync, existsSync, chmodSync } from 'node:fs';
-import { join } from 'node:path';
+// relies on per-user ACLs; chmod is skipped there.) Credential writes are
+// atomic (tmp + rename) so an interrupted refresh can't truncate the file.
+import {
+  readFileSync,
+  writeFileSync,
+  mkdirSync,
+  rmSync,
+  existsSync,
+  chmodSync,
+  renameSync,
+} from 'node:fs';
 import { credentialsPath, configPath, configDir } from './constants.mjs';
 
-const undoPath = () => join(configDir(), 'undo.json');
-
 const POSIX = process.platform !== 'win32';
 
 function readJson(path) {
-  try { return JSON.parse(readFileSync(path, 'utf8')); }
-  catch { return null; }
+  try {
+    return JSON.parse(readFileSync(path, 'utf8'));
+  } catch {
+    return null;
+  }
 }
 
 function ensureDir() {
   mkdirSync(configDir(), { recursive: true });
-  if (POSIX) { try { chmodSync(configDir(), 0o700); } catch {} }
+  if (POSIX) {
+    try {
+      chmodSync(configDir(), 0o700);
+    } catch {
+      /* best effort */
+    }
+  }
+}
+
+function writeAtomic(path, data) {
+  ensureDir();
+  const tmp = path + '.tmp';
+  writeFileSync(tmp, data, { mode: 0o600 });
+  if (POSIX) {
+    try {
+      chmodSync(tmp, 0o600);
+    } catch {
+      /* best effort */
+    }
+  }
+  renameSync(tmp, path);
 }
 
 export function loadCredentials() {
@@ -24,10 +53,7 @@ export function loadCredentials() {
 }
 
 export function saveCredentials(creds) {
-  ensureDir();
-  const path = credentialsPath();
-  writeFileSync(path, JSON.stringify(creds, null, 2) + '\n', { mode: 0o600 });
-  if (POSIX) { try { chmodSync(path, 0o600); } catch {} }
+  writeAtomic(credentialsPath(), JSON.stringify(creds, null, 2) + '\n');
 }
 
 export function clearCredentials() {
@@ -39,15 +65,5 @@ export function loadConfig() {
 }
 
 export function saveConfig(config) {
-  ensureDir();
-  writeFileSync(configPath(), JSON.stringify(config, null, 2) + '\n', { mode: 0o600 });
+  writeAtomic(configPath(), JSON.stringify(config, null, 2) + '\n');
 }
-
-export function saveUndo(record) {
-  ensureDir();
-  writeFileSync(undoPath(), JSON.stringify(record, null, 2) + '\n', { mode: 0o600 });
-}
-
-export function loadUndo() { return readJson(undoPath()); }
-
-export function clearUndo() { if (existsSync(undoPath())) rmSync(undoPath()); }