i18ntk 2.4.0 → 2.5.0

package/README.md

@@ -1,4 +1,4 @@
-# i18ntk v2.4.0
+# i18ntk v2.5.0
 
 Zero-dependency internationalization toolkit for setup, scanning, analysis, validation, usage tracking, and translation completion.
 
@@ -9,12 +9,12 @@ Zero-dependency internationalization toolkit for setup, scanning, analysis, vali
 [![node](https://img.shields.io/badge/node-%3E%3D16-339933)](https://nodejs.org)
 [![dependencies](https://img.shields.io/badge/dependencies-0-success)](https://www.npmjs.com/package/i18ntk)
 [![license](https://img.shields.io/badge/license-MIT-yellow.svg)](LICENSE)
-[![socket](https://socket.dev/api/badge/npm/package/i18ntk/2.4.0)](https://socket.dev/npm/package/i18ntk/overview/2.4.0)
+[![socket](https://socket.dev/api/badge/npm/package/i18ntk/2.5.0)](https://socket.dev/npm/package/i18ntk/overview/2.5.0)
 
 ## Upgrade Notice
 
-Versions earlier than `2.4.0` may contain known stability and security issues.
-They are considered unsupported for production use. Upgrade to `2.4.0` or newer.
+Versions earlier than `2.5.0` may contain known stability and security issues.
+They are considered unsupported for production use. Upgrade to `2.5.0` or newer.
 
 ## What i18ntk Does
 
@@ -154,7 +154,7 @@ Example `.i18ntk-config`:
 
 ```json
 {
-  "version": "2.4.0",
+  "version": "2.5.0",
   "sourceDir": "./locales",
   "i18nDir": "./locales",
   "outputDir": "./i18ntk-reports",
@@ -177,6 +177,7 @@ See [docs/api/CONFIGURATION.md](docs/api/CONFIGURATION.md) for the full configur
 - [Runtime API Guide](docs/runtime.md)
 - [Scanner Guide](docs/scanner-guide.md)
 - [Environment Variables](docs/environment-variables.md)
+- [Migration Guide v2.5.0](docs/migration-guide-v2.5.0.md)
 - [Migration Guide v2.4.0](docs/migration-guide-v2.4.0.md)
 - [Optimization Prompt](docs/development/package-optimization-prompt.md)
 

package/main/manage/commands/FixerCommand.js

@@ -27,21 +27,21 @@ class FixerCommand {
         // Initialize fixer properties
         this.sourceDir = null;
         this.outputDir = null;
-        this.backupDir = null;
-        this.dryRun = false;
-        this.force = false;
-    }
-
-    isExcludedLanguageDirectory(name) {
-        if (!name || typeof name !== 'string') return true;
-        const lowered = name.toLowerCase();
-        return lowered.startsWith('backup-') ||
-               lowered === 'backup' ||
-               lowered === 'backups' ||
-               lowered === 'i18ntk-backups' ||
-               lowered === 'reports' ||
-               lowered === 'i18ntk-reports';
-    }
+        this.backupDir = null;
+        this.dryRun = false;
+        this.force = false;
+    }
+
+    isExcludedLanguageDirectory(name) {
+        if (!name || typeof name !== 'string') return true;
+        const lowered = name.toLowerCase();
+        return lowered.startsWith('backup-') ||
+               lowered === 'backup' ||
+               lowered === 'backups' ||
+               lowered === 'i18ntk-backups' ||
+               lowered === 'reports' ||
+               lowered === 'i18ntk-reports';
+    }
 
     /**
      * Set runtime dependencies for interactive operations
@@ -79,7 +79,7 @@ class FixerCommand {
 
             this.sourceDir = this.config.sourceDir;
             this.outputDir = this.config.outputDir;
-            this.backupDir = path.resolve(this.config.backup?.location || './i18ntk-backups', 'fixer');
+            this.backupDir = path.resolve(this.config.backup?.location || './i18ntk-backups', 'fixer');
 
             // Validate source directory exists
             const { validateSourceDir } = require('../../../utils/config-helper');
@@ -138,15 +138,15 @@ class FixerCommand {
             const languages = [];
 
             // Check for directory-based structure
-            const directories = items
-                .filter(item => item.isDirectory())
-                .map(item => item.name)
-                .filter(name =>
-                    name !== 'node_modules' &&
-                    !name.startsWith('.') &&
-                    name !== this.config.sourceLanguage &&
-                    !this.isExcludedLanguageDirectory(name)
-                );
+            const directories = items
+                .filter(item => item.isDirectory())
+                .map(item => item.name)
+                .filter(name =>
+                    name !== 'node_modules' &&
+                    !name.startsWith('.') &&
+                    name !== this.config.sourceLanguage &&
+                    !this.isExcludedLanguageDirectory(name)
+                );
 
             // Check for monolith files (language.json files)
             const files = items
@@ -158,13 +158,13 @@ class FixerCommand {
 
             // Add monolith files as languages (without .json extension)
             const monolithLanguages = files
-                .map(file => file.replace('.json', ''))
-                .filter(lang =>
-                    !languages.includes(lang) &&
-                    lang !== this.config.sourceLanguage &&
-                    !this.isExcludedLanguageDirectory(lang)
-                );
-            languages.push(...monolithLanguages);
+                .map(file => file.replace('.json', ''))
+                .filter(lang =>
+                    !languages.includes(lang) &&
+                    lang !== this.config.sourceLanguage &&
+                    !this.isExcludedLanguageDirectory(lang)
+                );
+            languages.push(...monolithLanguages);
 
             return [...new Set(languages)].sort();
         } catch (error) {
@@ -299,21 +299,21 @@ class FixerCommand {
     }
 
     // Create backup of translation files
-    async createBackup() {
-        if (this.dryRun) return;
-
-        try {
-            const backupEnabled = this.config?.backup?.enabled === true;
-            if (!backupEnabled) {
-                this.backupDir = null;
-                return;
-            }
-
-            const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
-            const backupRoot = path.resolve(this.config?.backup?.location || './i18ntk-backups');
-            this.backupDir = path.join(backupRoot, 'fixer', `backup-${timestamp}`);
-
-            console.log(t('fixer.creatingBackup', { dir: this.backupDir }));
+    async createBackup() {
+        if (this.dryRun) return;
+
+        try {
+            const backupEnabled = this.config?.backup?.enabled === true;
+            if (!backupEnabled) {
+                this.backupDir = null;
+                return;
+            }
+
+            const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+            const backupRoot = path.resolve(this.config?.backup?.location || './i18ntk-backups');
+            this.backupDir = path.join(backupRoot, 'fixer', `backup-${timestamp}`);
+
+            console.log(t('fixer.creatingBackup', { dir: this.backupDir }));
 
             // Ensure backup directory exists
             const dirCreated = SecurityUtils.safeMkdirSync(this.backupDir, process.cwd(), { recursive: true });
@@ -326,8 +326,8 @@ class FixerCommand {
             const languages = this.getAvailableLanguages();
             languages.push(this.config.sourceLanguage); // Include source language
 
-            for (const language of languages) {
-                const languageFiles = this.getLanguageFiles(language);
+            for (const language of languages) {
+                const languageFiles = this.getLanguageFiles(language);
 
                 for (const fileName of languageFiles) {
                     const sourcePath = path.join(this.sourceDir, language, fileName);
@@ -343,42 +343,42 @@ class FixerCommand {
                         SecurityUtils.safeWriteFileSync(backupPath, content, process.cwd(), 'utf8');
                     }
                 }
-            }
-
-            this.cleanupOldBackups();
-
-            console.log(t('fixer.backupCreated'));
-        } catch (error) {
-            console.warn(`Failed to create backup: ${error.message}`);
-        }
-    }
-
-    cleanupOldBackups() {
-        try {
-            const fixerBackupRoot = path.resolve(this.config?.backup?.location || './i18ntk-backups', 'fixer');
-            if (!SecurityUtils.safeExistsSync(fixerBackupRoot, process.cwd())) return;
-
-            const configuredKeep = parseInt(this.config?.backup?.maxBackups, 10);
-            const keepCount = Number.isInteger(configuredKeep) ? Math.min(Math.max(configuredKeep, 1), 3) : 1;
-
-            const backupDirs = SecurityUtils.safeReaddirSync(fixerBackupRoot, process.cwd(), { withFileTypes: true })
-                .filter(entry => entry.isDirectory() && entry.name.startsWith('backup-'))
-                .map(entry => {
-                    const dirPath = path.join(fixerBackupRoot, entry.name);
-                    const stat = SecurityUtils.safeStatSync(dirPath, process.cwd());
-                    return { name: entry.name, path: dirPath, mtimeMs: stat ? stat.mtimeMs : 0 };
-                })
-                .sort((a, b) => b.mtimeMs - a.mtimeMs);
-
-            if (backupDirs.length <= keepCount) return;
-
-            for (const staleDir of backupDirs.slice(keepCount)) {
-                fs.rmSync(staleDir.path, { recursive: true, force: true });
-            }
-        } catch (error) {
-            console.warn(`Failed to clean old backups: ${error.message}`);
-        }
-    }
+            }
+
+            this.cleanupOldBackups();
+
+            console.log(t('fixer.backupCreated'));
+        } catch (error) {
+            console.warn(`Failed to create backup: ${error.message}`);
+        }
+    }
+
+    cleanupOldBackups() {
+        try {
+            const fixerBackupRoot = path.resolve(this.config?.backup?.location || './i18ntk-backups', 'fixer');
+            if (!SecurityUtils.safeExistsSync(fixerBackupRoot, process.cwd())) return;
+
+            const configuredKeep = parseInt(this.config?.backup?.maxBackups, 10);
+            const keepCount = Number.isInteger(configuredKeep) ? Math.min(Math.max(configuredKeep, 1), 3) : 1;
+
+            const backupDirs = SecurityUtils.safeReaddirSync(fixerBackupRoot, process.cwd(), { withFileTypes: true })
+                .filter(entry => entry.isDirectory() && entry.name.startsWith('backup-'))
+                .map(entry => {
+                    const dirPath = path.join(fixerBackupRoot, entry.name);
+                    const stat = SecurityUtils.safeStatSync(dirPath, process.cwd());
+                    return { name: entry.name, path: dirPath, mtimeMs: stat ? stat.mtimeMs : 0 };
+                })
+                .sort((a, b) => b.mtimeMs - a.mtimeMs);
+
+            if (backupDirs.length <= keepCount) return;
+
+            for (const staleDir of backupDirs.slice(keepCount)) {
+                fs.rmSync(staleDir.path, { recursive: true, force: true });
+            }
+        } catch (error) {
+            console.warn(`Failed to clean old backups: ${error.message}`);
+        }
+    }
 
     // Analyze translation issues for fixing
     analyzeIssues(language, fileName) {
@@ -420,7 +420,7 @@ class FixerCommand {
                         type: 'missing_key',
                         key,
                         sourceValue,
-                        fix: () => this.setValueByPath(targetObj, key, sourceValue)
+                        fix: (obj) => this.setValueByPath(obj, key, sourceValue)
                     });
                 } else if (targetValue === '') {
                     // Empty value
@@ -428,7 +428,7 @@ class FixerCommand {
                         type: 'empty_value',
                         key,
                         sourceValue,
-                        fix: () => this.setValueByPath(targetObj, key, sourceValue)
+                        fix: (obj) => this.setValueByPath(obj, key, sourceValue)
                     });
                 } else {
                     const markers = this.config.notTranslatedMarkers || [this.config.notTranslatedMarker];
@@ -438,7 +438,7 @@ class FixerCommand {
                             type: 'untranslated_marker',
                             key,
                             sourceValue,
-                            fix: () => this.setValueByPath(targetObj, key, sourceValue)
+                            fix: (obj) => this.setValueByPath(obj, key, sourceValue)
                         });
                     }
                 }
@@ -486,7 +486,7 @@ class FixerCommand {
 
                         for (const issue of issues) {
                             if (typeof issue.fix === 'function') {
-                                issue.fix();
+                                issue.fix(targetObj);
                                 fixes.files[fileName].fixed++;
                                 fixes.fixedIssues++;
                             }
@@ -494,7 +494,7 @@ class FixerCommand {
 
                         // Write back the fixed content
                         const fixedContent = JSON.stringify(targetObj, null, 2);
-                        SecurityUtils.safeWriteFileSync(targetFilePath, fixedContent, process.cwd(), 'utf8');
+                        SecurityUtils.safeWriteFileSync(targetFilePath, fixedContent, this.sourceDir, 'utf8');
 
                     } catch (error) {
                         console.warn(`Error fixing ${language}/${fileName}: ${error.message}`);
@@ -527,9 +527,9 @@ class FixerCommand {
             }
 
             // Create backup unless disabled
-            if (!args.noBackup && !this.dryRun && this.config?.backup?.enabled === true) {
-                await this.createBackup();
-            }
+            if (!args.noBackup && !this.dryRun && this.config?.backup?.enabled === true) {
+                await this.createBackup();
+            }
 
             const languages = this.getAvailableLanguages();
 
@@ -591,9 +591,9 @@ class FixerCommand {
             console.log(t('fixer.totalIssues', { count: totalIssues }));
             console.log(t('fixer.totalFixed', { count: totalFixed }));
 
-            if (this.backupDir && !args.noBackup && this.config?.backup?.enabled === true) {
-                console.log(t('fixer.backupLocation', { dir: this.backupDir }));
-            }
+            if (this.backupDir && !args.noBackup && this.config?.backup?.enabled === true) {
+                console.log(t('fixer.backupLocation', { dir: this.backupDir }));
+            }
 
             console.log(t('fixer.completed'));
 
@@ -677,4 +677,4 @@ class FixerCommand {
     }
 }
 
-module.exports = FixerCommand;
+module.exports = FixerCommand;

package/main/manage/managers/DebugMenu.js

@@ -3,10 +3,11 @@
  * @module managers/DebugMenu
  */
 
-const path = require('path');
-const fs = require('fs');
-const { t } = require('../../../utils/i18n-helper');
-const cliHelper = require('../../../utils/cli-helper');
+const path = require('path');
+const fs = require('fs');
+const { t } = require('../../../utils/i18n-helper');
+const cliHelper = require('../../../utils/cli-helper');
+const SecurityUtils = require('../../../utils/security');
 
 module.exports = class DebugMenu {
   constructor(manager) {
@@ -22,7 +23,7 @@ module.exports = class DebugMenu {
     const authRequired = await this.adminAuth.isAuthRequiredForScript('debugMenu');
     if (authRequired) {
       console.log(`\n${t('adminPin.protectedAccess')}`);
-      const pin = await cliHelper.promptPin(t('adminPin.enterPin') + ': ');
+      const pin = await cliHelper.promptPin(t('adminPin.enterPin') + ': ');
       const isValid = await this.adminAuth.verifyPin(pin);
 
       if (!isValid) {
@@ -66,7 +67,7 @@ module.exports = class DebugMenu {
     console.log(t('debug.runningDebugTool', { displayName }));
     try {
       const toolPath = path.join(__dirname, '..', '..', 'scripts', 'debug', toolName);
-      if (fs.existsSync(toolPath)) {
+      if (SecurityUtils.safeExistsSync(toolPath, path.dirname(toolPath))) {
         console.log(`Debug tool available: ${toolName}`);
         console.log(`To run this tool manually: node "${toolPath}"`);
         console.log(`Working directory: ${path.join(__dirname, '..', '..')}`);
@@ -90,7 +91,7 @@ module.exports = class DebugMenu {
 
     try {
       const logsDir = path.join(__dirname, '..', '..', 'scripts', 'debug', 'logs');
-      if (fs.existsSync(logsDir)) {
+      if (SecurityUtils.safeExistsSync(logsDir, path.dirname(logsDir))) {
         const files = fs.readdirSync(logsDir)
           .filter(file => file.endsWith('.log') || file.endsWith('.txt'))
           .sort((a, b) => {
@@ -111,7 +112,7 @@ module.exports = class DebugMenu {
           const fileIndex = parseInt(choice) - 1;
 
           if (fileIndex >= 0 && fileIndex < files.length) {
-            const logContent = fs.readFileSync(path.join(logsDir, files[fileIndex]), 'utf8');
+            const logContent = SecurityUtils.safeReadFileSync(path.join(logsDir, files[fileIndex]), logsDir, 'utf8');
             console.log(`\n${t('debug.contentOf', { filename: files[fileIndex] })}:`);
             console.log('============================================================');
             console.log(logContent.slice(-2000)); // Show last 2000 characters
@@ -137,4 +138,4 @@ module.exports = class DebugMenu {
   async show() {
     return this.showDebugMenu();
   }
-};
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "i18ntk",
-  "version": "2.4.0",
+  "version": "2.5.0",
   "description": "🚀 The fastest internationalization toolkit with 97% performance boost! Zero-dependency, enterprise-grade internationalization for React, Vue, Angular, Python, Java, PHP & more. Features PIN protection, auto framework detection, 7+ UI languages, and comprehensive translation management. Perfect for startups to enterprises.",
   "keywords": [
     "i18n",
@@ -131,9 +131,6 @@
       "default": "./runtime/enhanced.js"
     },
     "./runtime/*": "./runtime/*",
-    "./main/*": "./main/*",
-    "./utils/*": "./utils/*",
-    "./settings/*": "./settings/*",
     "./ui-locales/*": "./ui-locales/*",
     "./package.json": "./package.json"
   },
@@ -158,20 +155,57 @@
     "test": "tests"
   },
   "files": [
-    "main/",
+    "main/i18ntk-analyze.js",
+    "main/i18ntk-backup-class.js",
+    "main/i18ntk-backup.js",
+    "main/i18ntk-complete.js",
+    "main/i18ntk-doctor.js",
+    "main/i18ntk-fixer.js",
+    "main/i18ntk-init.js",
+    "main/i18ntk-scanner.js",
+    "main/i18ntk-setup.js",
+    "main/i18ntk-sizing.js",
+    "main/i18ntk-summary.js",
+    "main/i18ntk-ui.js",
+    "main/i18ntk-usage.js",
+    "main/i18ntk-validate.js",
+    "main/manage/",
     "runtime/",
-    "utils/",
-    "settings/",
+    "settings/language-config.json",
+    "settings/settings-cli.js",
+    "settings/settings-manager.js",
     "ui-locales/",
     "!main/manage/index-fixed.js",
-    "!main/i18ntk-manage.js",
-    "!main/i18ntk-py.js",
-    "!main/i18ntk-js.js",
-    "!main/i18ntk-java.js",
-    "!main/i18ntk-php.js",
-    "!main/i18ntk-go.js",
-    "!main/i18ntk-settings.js",
-    "!utils/security-fixed.js",
+    "utils/admin-auth.js",
+    "utils/admin-cli.js",
+    "utils/cli-helper.js",
+    "utils/cli.js",
+    "utils/colors-new.js",
+    "utils/config-helper.js",
+    "utils/config-manager.js",
+    "utils/config.js",
+    "utils/env-manager.js",
+    "utils/exit-codes.js",
+    "utils/extractor-manager.js",
+    "utils/extractors/regex.js",
+    "utils/format-manager.js",
+    "utils/formats/json.js",
+    "utils/framework-detector.js",
+    "utils/i18n-helper.js",
+    "utils/init-helper.js",
+    "utils/json-output.js",
+    "utils/locale-optimizer.js",
+    "utils/logger.js",
+    "utils/npm-version-warning.js",
+    "utils/plugin-loader.js",
+    "utils/prompt-helper.js",
+    "utils/prompt.js",
+    "utils/secure-errors.js",
+    "utils/security.js",
+    "utils/setup-enforcer.js",
+    "utils/terminal-icons.js",
+    "utils/version-utils.js",
+    "utils/watch-locales.js",
     "LICENSE",
     "package.json",
     "README.md"
@@ -203,6 +237,7 @@
     "security:audit": "npm run security:check && npm run security:test",
     "test": "npm run security:test",
     "test:all": "npm run security:audit",
+    "release:reset": "node scripts/reset-release-state.js",
     "prepublishOnly": "npm run security:audit",
     "prepare": "npm run security:check",
     "backup:create": "node main/i18ntk-backup.js create",
@@ -224,29 +259,23 @@
   },
   "preferGlobal": true,
   "versionInfo": {
-    "version": "2.4.0",
-    "releaseDate": "16/04/2026",
-    "lastUpdated": "16/04/2026",
+    "version": "2.5.0",
+    "releaseDate": "29/04/2026",
+    "lastUpdated": "29/04/2026",
     "maintainer": "Vlad Noskov",
     "changelog": "./CHANGELOG.md",
     "documentation": "./README.md",
     "apiReference": "./docs/api/API_REFERENCE.md",
     "majorChanges": [
-      "LOGGING: Introduced centralized structured logger with silent-by-default production behavior and DEBUG_MODE/JSON_LOG toggles.",
-      "SECURITY: Added internal path whitelist detection to prevent false-positive traversal warnings for package/project internals.",
-      "I18N: Added missing-key warning TTL cache to eliminate repeated translation-key spam during builds.",
-      "HOTFIX: Removed deprecated package-path fallback that caused production build warnings for non-exported subpaths.",
-      "CRITICAL FIX: Resolved sizing and usage-analysis regressions in v2 command flow.",
-      "PACKAGING: Reduced publish footprint by removing internal development scripts and legacy fixed-file artifacts.",
-      "SECURITY: Hardened release checks and added explicit support guidance to update from pre-2.3.5 versions.",
-      "CONFIG: Added cross-process file locking for .i18ntk-config writes to prevent production rename races.",
-      "CONFIG: Made autosave runtime-safe with non-throwing save failures and I18NTK_DISABLE_AUTOSAVE support.",
-      "SECURITY: Hardened reset/backup path handling and disabled manager backup-route execution in current builds.",
-      "CLI: Removed npm registry startup update checks to eliminate outbound network calls in scanner-restricted environments.",
-      "I18N: Completed internal UI locale parity and actionable untranslated-key cleanup across supported languages."
+      "SECURITY: Centralized environment-variable access behind an explicit allowlist.",
+      "SECURITY: Hardened path containment checks to reject sibling-prefix traversal cases.",
+      "SECURITY: Added timing-safe admin PIN hash comparison and fixed expired-session cleanup.",
+      "SECURITY: Expanded release security scanning to nested production source files.",
+      "FIXER: Fixed translation fixer writes for absolute source directories and confirmed applied fixes persist.",
+      "PACKAGING: Updated package and documentation metadata for the 2.5.0 release."
     ],
     "breakingChanges": [],
-    "nextVersion": "2.4.1",
+    "nextVersion": "2.5.1",
     "supportedNodeVersions": ">=16.0.0",
     "supportedFrameworks": {
       "react-i18next": ">=11.0.0",
@@ -268,7 +297,7 @@
       "spring-boot": ">=2.5.0",
       "laravel": ">=8.0.0"
     },
-    "supportPolicy": "Versions earlier than 2.4.0 may be unstable or insecure. Upgrade to 2.4.0 or newer."
+    "supportPolicy": "Versions earlier than 2.5.0 may be unstable or insecure. Upgrade to 2.5.0 or newer."
   },
   "_comment": "This package is zero-dependency and uses only native Node.js modules"
 }

package/runtime/index.js

@@ -6,6 +6,7 @@
 const fs = require('fs');
 const path = require('path');
 const SecurityUtils = require('../utils/security');
+const { envManager } = require('../utils/env-manager');
 
 let configManager = null;
 try { configManager = require('../utils/config-manager'); } catch (_) { /* optional */ }
@@ -54,15 +55,18 @@ function resolveBaseDir(explicitBaseDir) {
   // 1) Highest priority: explicit option
   if (explicitBaseDir) return path.resolve(explicitBaseDir);
   // 2) Environment override for CI/explicit control
-  if (process.env.I18NTK_RUNTIME_DIR) {
-    return path.resolve(process.env.I18NTK_RUNTIME_DIR);
+  const runtimeDir = envManager.get('I18NTK_RUNTIME_DIR');
+  if (runtimeDir) {
+    return path.resolve(runtimeDir);
   }
   // 2b) Respect config-style env overrides, even without config-manager
-  if (process.env.I18NTK_I18N_DIR) {
-    return path.resolve(process.env.I18NTK_I18N_DIR);
+  const envI18nDir = envManager.get('I18NTK_I18N_DIR');
+  if (envI18nDir) {
+    return path.resolve(envI18nDir);
   }
-  if (process.env.I18NTK_SOURCE_DIR) {
-    return path.resolve(process.env.I18NTK_SOURCE_DIR);
+  const envSourceDir = envManager.get('I18NTK_SOURCE_DIR');
+  if (envSourceDir) {
+    return path.resolve(envSourceDir);
   }
   // 3) Use config-manager if available (single source of truth: i18ntk-config.json)
   try {
@@ -72,11 +76,13 @@ function resolveBaseDir(explicitBaseDir) {
     // If config-manager resolved absolute paths, use as-is; otherwise resolve from project cwd
     const isAbs = typeof base === 'string' && path.isAbsolute(base);
     if (isAbs) return base;
-    const root = process.env.I18NTK_PROJECT_ROOT ? path.resolve(process.env.I18NTK_PROJECT_ROOT) : process.cwd();
+    const envProjectRoot = envManager.get('I18NTK_PROJECT_ROOT');
+    const root = envProjectRoot ? path.resolve(envProjectRoot) : process.cwd();
     return path.resolve(root, base);
   } catch (_) {
     // 4) Fallback to conventional './locales' from project CWD
-    const root = process.env.I18NTK_PROJECT_ROOT ? path.resolve(process.env.I18NTK_PROJECT_ROOT) : process.cwd();
+    const envProjectRoot = envManager.get('I18NTK_PROJECT_ROOT');
+    const root = envProjectRoot ? path.resolve(envProjectRoot) : process.cwd();
     return path.resolve(root, './locales');
   }
 }