tokenmix 1.5.1 → 1.5.3

package/dist/agents/claude.js

@@ -2,6 +2,7 @@ import os from 'os';
 import path from 'path';
 import fs from 'fs-extra';
 import { run } from '../utils/exec.js';
+import { writeFileAtomic } from '../utils/fs.js';
 import { npmInstallCheck, npmInstallGlobal } from './helpers.js';
 import { t } from '../i18n/index.js';
 const CLAUDE_BIN = 'claude';
@@ -16,11 +17,16 @@ async function configure(apiKey, baseUrl, _defaultModel) {
     const settingsPath = path.join(os.homedir(), '.claude', 'settings.json');
     let existing = {};
     try {
-        const raw = await fs.readFile(settingsPath, 'utf-8');
-        existing = JSON.parse(raw);
+        const parsed = JSON.parse(await fs.readFile(settingsPath, 'utf-8'));
+        // Valid JSON that isn't a plain object (null, array, string) must be treated as
+        // "start fresh" — otherwise `existing.env` below throws (JSON.parse("null") →
+        // null → null.env → TypeError, which would block `tokenmix claude` entirely).
+        if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+            existing = parsed;
+        }
     }
     catch {
-        // first run
+        // first run, or unreadable/corrupt — start fresh
     }
     const existingEnv = existing.env || {};
     // Detect that we're about to overwrite a user's OWN (non-tokenmix) Anthropic
@@ -42,11 +48,17 @@ async function configure(apiKey, baseUrl, _defaultModel) {
     // Stash the user's original Anthropic env creds on the FIRST overwrite, so
     // cleanup() can put them back instead of leaving Claude Code broken. Once the
     // stored key is ours, replacingForeign is false — so we never clobber the backup.
-    const prevTm = existing.tokenmix;
-    const alreadyBackedUp = !!(prevTm && typeof prevTm === 'object' && 'claudeEnvBackup' in prevTm);
+    // Guard: `existing.tokenmix` could be any JSON (a user or another tool might set
+    // it to a string/array). Only spread it when it's a real object — otherwise a
+    // string would explode into numeric-index keys and pollute settings.json.
+    const prevTmRaw = existing.tokenmix;
+    const prevTm = prevTmRaw && typeof prevTmRaw === 'object' && !Array.isArray(prevTmRaw)
+        ? prevTmRaw
+        : {};
+    const alreadyBackedUp = 'claudeEnvBackup' in prevTm;
     if (replacingForeign && !alreadyBackedUp) {
         next.tokenmix = {
-            ...(prevTm ?? {}),
+            ...prevTm,
             claudeEnvBackup: {
                 ANTHROPIC_API_KEY: prevKey ?? null,
                 ANTHROPIC_BASE_URL: prevBase ?? null,
@@ -54,13 +66,7 @@ async function configure(apiKey, baseUrl, _defaultModel) {
         };
     }
     await fs.ensureDir(path.dirname(settingsPath));
-    await fs.writeFile(settingsPath, JSON.stringify(next, null, 2));
-    try {
-        await fs.chmod(settingsPath, 0o600);
-    }
-    catch {
-        // ignore
-    }
+    await writeFileAtomic(settingsPath, JSON.stringify(next, null, 2), 0o600);
     // Claude Pro/Max users sign in via OAuth (creds live in ~/.claude/.credentials.json
     // or the OS keychain — NOT in settings.json env). Claude Code prefers
     // ANTHROPIC_API_KEY over the OAuth subscription, so injecting our key silently
@@ -101,7 +107,11 @@ async function cleanup() {
     const settingsPath = path.join(os.homedir(), '.claude', 'settings.json');
     let existing;
     try {
-        existing = JSON.parse(await fs.readFile(settingsPath, 'utf-8'));
+        const parsed = JSON.parse(await fs.readFile(settingsPath, 'utf-8'));
+        if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+            return { reverted: false, configPath: settingsPath };
+        }
+        existing = parsed;
     }
     catch {
         return { reverted: false };
@@ -148,13 +158,7 @@ async function cleanup() {
         else
             existing.tokenmix = tm;
     }
-    await fs.writeFile(settingsPath, JSON.stringify(existing, null, 2));
-    try {
-        await fs.chmod(settingsPath, 0o600);
-    }
-    catch {
-        // ignore
-    }
+    await writeFileAtomic(settingsPath, JSON.stringify(existing, null, 2), 0o600);
     return {
         reverted: true,
         configPath: settingsPath,

package/dist/agents/codex.js

@@ -29,16 +29,22 @@ async function configure(apiKey, baseUrl, defaultModel) {
 // OpenAI-compatible provider. wire_api MUST be "responses": Codex 0.135+ dropped
 // support for "chat" (openai/codex#7782), and tokenmix's gateway implements the
 // Responses API specifically for Codex clients (POST /v1/responses).
+// Escape a value for a TOML double-quoted string (codex `--config key="value"`),
+// so a user-set model/baseUrl containing " \ or a newline can't break the parse
+// or inject extra config keys (e.g. overwrite base_url via an embedded newline).
+function tomlStr(v) {
+    return v.replace(/\\/g, '\\\\').replace(/"/g, '\\"').replace(/\r/g, '\\r').replace(/\n/g, '\\n');
+}
 export function providerOverrides(baseUrl, model) {
     return [
         '--config',
         `model_provider="${PROVIDER_ID}"`,
         '--config',
-        `model="${model}"`,
+        `model="${tomlStr(model)}"`,
         '--config',
         `model_providers.${PROVIDER_ID}.name="TokenMix"`,
         '--config',
-        `model_providers.${PROVIDER_ID}.base_url="${baseUrl}"`,
+        `model_providers.${PROVIDER_ID}.base_url="${tomlStr(baseUrl)}"`,
         '--config',
         `model_providers.${PROVIDER_ID}.env_key="${KEY_ENV}"`,
         '--config',

package/dist/agents/continue.js

@@ -11,6 +11,9 @@ async function configure(apiKey, baseUrl, defaultModel) {
     // plus apiBase/apiKey for an OpenAI-compatible endpoint). We PRINT a ready-to-use
     // config rather than write the file, so we never clobber a user's existing
     // ~/.continue/config.yaml (and need no YAML dependency or cleanup step).
+    // Quote user-controlled scalars as YAML single-quoted strings so a model/baseUrl
+    // containing ':' '#' etc. can't break the structure when pasted into config.yaml.
+    const ys = (v) => `'${v.replace(/'/g, "''")}'`;
     const yaml = [
         'name: TokenMix',
         'version: 1.0.0',
@@ -18,9 +21,9 @@ async function configure(apiKey, baseUrl, defaultModel) {
         'models:',
         '  - name: TokenMix',
         '    provider: openai',
-        `    model: ${defaultModel}`,
-        `    apiBase: ${v1Url(baseUrl)}`,
-        `    apiKey: ${apiKey}`,
+        `    model: ${ys(defaultModel)}`,
+        `    apiBase: ${ys(v1Url(baseUrl))}`,
+        `    apiKey: ${ys(apiKey)}`,
     ].join('\n');
     return {
         notes: [

package/dist/agents/opencode.js

@@ -4,6 +4,7 @@ import fs from 'fs-extra';
 import { run } from '../utils/exec.js';
 import { npmInstallCheck, npmInstallGlobal } from './helpers.js';
 import { v1Url } from '../config/store.js';
+import { writeFileAtomic } from '../utils/fs.js';
 import { t } from '../i18n/index.js';
 const OPENCODE_BIN = 'opencode';
 const OPENCODE_NPM_PACKAGE = 'opencode-ai';
@@ -22,11 +23,13 @@ async function configure(apiKey, baseUrl, defaultModel) {
     const filePath = configPath();
     let existing = {};
     try {
-        const raw = await fs.readFile(filePath, 'utf-8');
-        existing = JSON.parse(raw);
+        const parsed = JSON.parse(await fs.readFile(filePath, 'utf-8'));
+        if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+            existing = parsed;
+        }
     }
     catch {
-        // not present yet
+        // not present yet, or corrupt — start fresh
     }
     // Register tokenmix as an OpenAI-compatible provider.
     // OpenCode uses @ai-sdk/openai-compatible under the hood for custom providers.
@@ -52,7 +55,7 @@ async function configure(apiKey, baseUrl, defaultModel) {
         },
     };
     await fs.ensureDir(path.dirname(filePath));
-    await fs.writeFile(filePath, JSON.stringify(next, null, 2));
+    await writeFileAtomic(filePath, JSON.stringify(next, null, 2));
     return {
         configPath: filePath,
         notes: [t('opencode.noteModel', { model: defaultModel }), t('opencode.noteSwitch')],
@@ -67,7 +70,11 @@ async function cleanup() {
     const filePath = configPath();
     let existing;
     try {
-        existing = JSON.parse(await fs.readFile(filePath, 'utf-8'));
+        const parsed = JSON.parse(await fs.readFile(filePath, 'utf-8'));
+        if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+            return { reverted: false, configPath: filePath };
+        }
+        existing = parsed;
     }
     catch {
         return { reverted: false };
@@ -86,7 +93,7 @@ async function cleanup() {
     }
     if (!changed)
         return { reverted: false, configPath: filePath };
-    await fs.writeFile(filePath, JSON.stringify(existing, null, 2));
+    await writeFileAtomic(filePath, JSON.stringify(existing, null, 2));
     return { reverted: true, configPath: filePath };
 }
 export const OpenCodeAgent = {

package/dist/agents/openhands.js

@@ -23,7 +23,7 @@ async function configure(apiKey, baseUrl, defaultModel) {
     return {
         envVars: {
             LLM_API_KEY: apiKey,
-            LLM_MODEL: `openai/${defaultModel}`,
+            LLM_MODEL: defaultModel.includes('/') ? defaultModel : `openai/${defaultModel}`,
             LLM_BASE_URL: v1Url(baseUrl),
             OPENHANDS_SUPPRESS_BANNER: '1',
         },

package/dist/api/client.js

@@ -9,7 +9,10 @@ export class ApiError extends Error {
 }
 export function unwrap(resp) {
     const body = resp.data;
-    if (body && typeof body.code === 'number' && body.code !== 0) {
+    // Normalize `code` with Number() — a backend/proxy could serialize it as a string
+    // ("1"), which a strict `typeof === 'number'` check would miss, silently swallowing
+    // a real error and passing the error body downstream as if it were data.
+    if (body && body.code != null && Number(body.code) !== 0) {
         throw new ApiError(0, body.message || 'API error');
     }
     // Standard success envelope → return the inner `data`. A body with no envelope
@@ -31,7 +34,8 @@ function handleAxios(err) {
 // timeout (override with TOKENMIX_TIMEOUT_MS) and automatic retry of transient
 // TRANSPORT failures (no HTTP response) with exponential backoff. HTTP errors
 // (4xx/5xx) are real answers and are NEVER retried.
-export const REQUEST_TIMEOUT_MS = Number(process.env.TOKENMIX_TIMEOUT_MS) || 20000;
+const envTimeout = Number(process.env.TOKENMIX_TIMEOUT_MS);
+export const REQUEST_TIMEOUT_MS = Number.isFinite(envTimeout) && envTimeout > 0 ? envTimeout : 20000;
 const MAX_RETRIES = 2;
 export async function withRetry(fn) {
     let lastErr;
@@ -78,9 +82,19 @@ export async function verifyApiKey(apiKey, baseUrl) {
             timeout: REQUEST_TIMEOUT_MS,
             validateStatus: () => true,
         }));
-        return r.status === 200;
+        if (r.status === 200)
+            return true;
+        // 401/403 = a genuinely invalid/expired key → false. But 5xx/429 are server-side
+        // problems, NOT a bad key — throw so callers report "API unavailable" instead of
+        // falsely telling the user to re-create a perfectly good key.
+        if (r.status >= 500 || r.status === 429) {
+            throw new ApiError(r.status, `TokenMix API is temporarily unavailable (HTTP ${r.status}). Please try again in a moment.`);
+        }
+        return false;
     }
     catch (err) {
+        if (err instanceof ApiError)
+            throw err;
         handleAxios(err);
     }
 }
@@ -121,18 +135,38 @@ const DEFAULT_EXPIRES_IN_S = 900;
 // Throws DeviceFlowError with code ∈ {expired_token, access_denied, api_key_limit_reached, timeout} on terminal failures.
 // onTick is called once per polling iteration with the seconds remaining (for progress display).
 export async function pollDeviceToken(baseUrl, auth, onTick) {
-    let intervalMs = Math.max(1, Number(auth.interval) || DEFAULT_POLL_INTERVAL_S) * 1000;
-    const expiresIn = Number(auth.expires_in) > 0 ? Number(auth.expires_in) : DEFAULT_EXPIRES_IN_S;
+    // Clamp the server-provided interval/deadline so a malicious or buggy server can't
+    // drive a ~1ms busy-loop — Infinity/NaN/huge values slip past a bare Math.max.
+    // Interval ∈ [1s, 60s]; the overall deadline is capped at 1h.
+    const clampIntervalMs = (s) => {
+        const ms = (Number.isFinite(s) && s > 0 ? s : DEFAULT_POLL_INTERVAL_S) * 1000;
+        return Math.min(60_000, Math.max(1000, ms));
+    };
+    let intervalMs = clampIntervalMs(Number(auth.interval));
+    const expiresInRaw = Number(auth.expires_in);
+    const expiresIn = Number.isFinite(expiresInRaw) && expiresInRaw > 0
+        ? Math.min(expiresInRaw, 3600)
+        : DEFAULT_EXPIRES_IN_S;
     const deadline = Date.now() + expiresIn * 1000;
     while (Date.now() < deadline) {
         await new Promise((r) => setTimeout(r, intervalMs));
         if (onTick) {
-            onTick(Math.max(0, Math.round((deadline - Date.now()) / 1000)));
+            try {
+                onTick(Math.max(0, Math.round((deadline - Date.now()) / 1000)));
+            }
+            catch {
+                // a progress callback must never be able to abort the login flow
+            }
         }
         try {
             const r = await axios.post(`${baseUrl}/api/auth/device/token`, { device_code: auth.device_code }, { timeout: REQUEST_TIMEOUT_MS, validateStatus: () => true });
             if (r.status === 200 && r.data?.code === 0) {
                 const body = r.data.data;
+                // A 200/code:0 with no usable token would otherwise be written to config as
+                // `apiKey: undefined` and look like a successful login. Treat it as an error.
+                if (!body || typeof body.access_token !== 'string') {
+                    throw new DeviceFlowError('unknown', 'Server returned a success response without a token.');
+                }
                 return {
                     apiKey: body.access_token,
                     apiKeyId: body.api_key_id,
@@ -147,7 +181,7 @@ export async function pollDeviceToken(baseUrl, auth, onTick) {
                 case 'slow_down': {
                     const ra = parseInt(String(r.headers['retry-after'] ?? '5'), 10);
                     if (Number.isFinite(ra) && ra > 0)
-                        intervalMs = ra * 1000;
+                        intervalMs = clampIntervalMs(ra);
                     continue;
                 }
                 case 'expired_token':

package/dist/commands/agent-runner.js

@@ -38,6 +38,7 @@ export function registerAgentCommands(program, runner = runAgent) {
             .description(t('cmd.agent', { name: agent.displayName }))
             .allowUnknownOption(true)
             .passThroughOptions(true) // forward --version / --help / --any to the underlying agent
+            .helpOption(false) // so `tokenmix <agent> --help` reaches the agent, not commander's wrapper help
             .action(async (args = []) => {
             await runner(agent, args);
         });

package/dist/config/store.js

@@ -1,5 +1,8 @@
 import fs from 'fs-extra';
 import { configDir, configFile } from './paths.js';
+import { writeFileAtomic } from '../utils/fs.js';
+import { logger } from '../utils/logger.js';
+import { t } from '../i18n/index.js';
 export const DEFAULT_API_BASE = 'https://api.tokenmix.ai';
 // The model agents default to when the user hasn't chosen one (overridable via
 // the TOKENMIX_DEFAULT_MODEL env var or stored config). Single source of truth.
@@ -10,24 +13,28 @@ export function v1Url(baseUrl) {
     return `${baseUrl.replace(/\/+$/, '')}/v1`;
 }
 export async function readConfig() {
+    let raw;
+    try {
+        raw = await fs.readFile(configFile(), 'utf-8');
+    }
+    catch {
+        return {}; // not logged in yet — the config file simply doesn't exist
+    }
     try {
-        const raw = await fs.readFile(configFile(), 'utf-8');
         return JSON.parse(raw);
     }
     catch {
+        // The file exists but is corrupt (e.g. a crash truncated it mid-write). Don't
+        // silently treat it as "logged out" — warn so the user knows to re-login.
+        logger.warn(t('config.corrupt'));
         return {};
     }
 }
 export async function writeConfig(cfg) {
     await fs.ensureDir(configDir());
-    await fs.writeFile(configFile(), JSON.stringify(cfg, null, 2));
-    // Restrict to owner read/write only (best-effort on Windows).
-    try {
-        await fs.chmod(configFile(), 0o600);
-    }
-    catch {
-        // ignore on filesystems that don't support chmod
-    }
+    // Atomic write so a crash or a concurrent writer can't truncate the config to
+    // 0 bytes and silently lose the apiKey. 0600 = owner read/write only.
+    await writeFileAtomic(configFile(), JSON.stringify(cfg, null, 2), 0o600);
 }
 export async function updateConfig(patch) {
     const current = await readConfig();

package/dist/i18n/index.js

@@ -23,11 +23,10 @@ export function getLocale() {
 // Translate a key for the active locale, filling {placeholders} from params.
 // Falls back to English, then to the raw key, so a partial catalog never throws.
 export function t(key, params) {
-    let s = catalogs[current]?.[key] ?? en[key] ?? key;
-    if (params) {
-        for (const [k, v] of Object.entries(params)) {
-            s = s.split(`{${k}}`).join(String(v));
-        }
-    }
-    return s;
+    const s = catalogs[current]?.[key] ?? en[key] ?? key;
+    if (!params)
+        return s;
+    // Single-pass replacement so a value that itself contains "{other}" is NOT
+    // re-substituted by a later param (order-independent and injection-safe).
+    return s.replace(/\{(\w+)\}/g, (match, name) => Object.prototype.hasOwnProperty.call(params, name) ? String(params[name]) : match);
 }

package/dist/i18n/messages.js

@@ -6,6 +6,8 @@
 // `{name}`-style placeholders are filled by t() at call time.
 export const en = {
     'common.notLoggedIn': 'Not logged in. Run `tokenmix login` first.',
+    'cli.unknownCommand': 'Unknown command: {cmd}. Run `tokenmix --help` to see available commands.',
+    'config.corrupt': 'Your TokenMix config file was corrupt and has been ignored — run `tokenmix login` to re-create it.',
     // welcome screen (bare `tokenmix`, no args — onboarding for first-time users)
     'welcome.tagline': 'one account, 160+ models, every open-source coding agent',
     'welcome.why': 'The model you pick is the model you get — no silent swaps, billed at real usage.',
@@ -184,6 +186,8 @@ export const en = {
 };
 export const zh = {
     'common.notLoggedIn': '未登录，请先运行 `tokenmix login`。',
+    'cli.unknownCommand': '未知命令：{cmd}。运行 `tokenmix --help` 查看可用命令。',
+    'config.corrupt': 'TokenMix 配置文件已损坏，已忽略 —— 请运行 `tokenmix login` 重新创建。',
     'welcome.tagline': '一个账户、160+ 模型、对接所有开源编程 agent',
     'welcome.why': '你选的模型就是你用的模型 —— 不偷换、不降级,按真实用量计费。',
     'welcome.start': '快速开始：',
@@ -354,6 +358,8 @@ export const zh = {
 };
 export const ja = {
     'common.notLoggedIn': 'ログインしていません。まず `tokenmix login` を実行してください。',
+    'cli.unknownCommand': '不明なコマンド: {cmd}。`tokenmix --help` で利用可能なコマンドを確認してください。',
+    'config.corrupt': 'TokenMix の設定ファイルが破損していたため無視しました —— `tokenmix login` を実行して再作成してください。',
     'welcome.tagline': '1 つのアカウントで 160+ モデル、あらゆるオープンソース・コーディング agent に対応',
     'welcome.why': '選んだモデルがそのまま使われます —— すり替えなし、実使用量で課金。',
     'welcome.start': 'はじめに：',
@@ -509,6 +515,8 @@ export const ja = {
 };
 export const ko = {
     'common.notLoggedIn': '로그인되어 있지 않습니다. 먼저 `tokenmix login`을 실행하세요.',
+    'cli.unknownCommand': '알 수 없는 명령: {cmd}. `tokenmix --help`로 사용 가능한 명령을 확인하세요.',
+    'config.corrupt': 'TokenMix 설정 파일이 손상되어 무시했습니다 —— `tokenmix login`을 실행해 다시 만드세요.',
     'welcome.tagline': '하나의 계정으로 160+ 모델, 모든 오픈소스 코딩 agent 지원',
     'welcome.why': '선택한 모델 그대로 실행됩니다 —— 몰래 바꾸지 않고 실사용량으로 과금합니다.',
     'welcome.start': '시작하기:',
@@ -664,6 +672,8 @@ export const ko = {
 };
 export const es = {
     'common.notLoggedIn': 'No has iniciado sesión. Ejecuta `tokenmix login` primero.',
+    'cli.unknownCommand': 'Comando desconocido: {cmd}. Ejecuta `tokenmix --help` para ver los comandos disponibles.',
+    'config.corrupt': 'Tu archivo de configuración de TokenMix estaba dañado y se ha ignorado: ejecuta `tokenmix login` para volver a crearlo.',
     'welcome.tagline': 'una cuenta, 160+ modelos, todos los agentes de programación de código abierto',
     'welcome.why': 'El modelo que eliges es el que usas: sin cambios ocultos, facturado por uso real.',
     'welcome.start': 'Empezar:',
@@ -819,6 +829,8 @@ export const es = {
 };
 export const fr = {
     'common.notLoggedIn': 'Non connecté. Exécutez d’abord `tokenmix login`.',
+    'cli.unknownCommand': 'Commande inconnue : {cmd}. Exécutez `tokenmix --help` pour voir les commandes disponibles.',
+    'config.corrupt': 'Votre fichier de configuration TokenMix était corrompu et a été ignoré — exécutez `tokenmix login` pour le recréer.',
     'welcome.tagline': 'un seul compte, 160+ modèles, tous les agents de codage open source',
     'welcome.why': 'Le modèle que vous choisissez est celui que vous utilisez — sans substitution, facturé à l’usage réel.',
     'welcome.start': 'Démarrer :',

package/dist/program.js

@@ -9,6 +9,7 @@ import { listCommand } from './commands/list.js';
 import { doctorCommand } from './commands/doctor.js';
 import { welcomeCommand } from './commands/welcome.js';
 import { registerAgentCommands } from './commands/agent-runner.js';
+import { logger } from './utils/logger.js';
 import { t } from './i18n/index.js';
 // Read version from package.json so we never have to bump it in two places.
 const pkg = createRequire(import.meta.url)('../package.json');
@@ -25,7 +26,15 @@ export function buildProgram(deps = {}) {
         .description(t('cmd.program'))
         .version(pkg.version)
         // Bare `tokenmix` (no command) shows a friendly onboarding screen, not raw help.
-        .action(welcomeCommand);
+        // An unrecognized command would otherwise be swallowed into this default action
+        // (printing welcome + exiting 0), so reject it explicitly instead.
+        .action((_options, command) => {
+        if (command.args.length > 0) {
+            logger.error(t('cli.unknownCommand', { cmd: command.args.join(' ') }));
+            process.exit(1);
+        }
+        return welcomeCommand();
+    });
     program
         .command('login')
         .description(t('cmd.login'))

package/dist/utils/browser.js

@@ -2,15 +2,24 @@ import open from 'open';
 import { logger } from './logger.js';
 import { t } from '../i18n/index.js';
 export async function openInBrowser(url) {
-    await open(url);
+    const child = await open(url);
+    // open() spawns a detached, unref'd child; if the launcher binary is missing its
+    // async 'error' event would otherwise be uncaught (→ process crash). Swallow it —
+    // callers print the URL and treat a browser failure as non-fatal.
+    child.on('error', () => { });
 }
-// Try to open the browser; on failure (headless / SSH / no desktop environment),
-// print the URL so the user can open it manually instead of crashing.
+// Print the URL, then best-effort open the browser. We print UNCONDITIONALLY and
+// first: without `{ wait: true }`, open() resolves immediately even when no browser
+// actually launches (headless / SSH / container / no desktop), so a catch-based
+// fallback would never fire and the user would be left staring at nothing. Printing
+// first guarantees they can always copy the link.
 export async function openOrHint(url) {
+    logger.info(t('browser.manual', { url }));
     try {
-        await open(url);
+        const child = await open(url);
+        child.on('error', () => { }); // swallow async spawn errors; the URL is already shown
     }
     catch {
-        logger.info(t('browser.manual', { url }));
+        // best-effort — the URL is already shown above
     }
 }

package/dist/utils/fs.js

@@ -0,0 +1,31 @@
+import fs from 'fs-extra';
+// Atomically write a file: write to a temp file alongside the target, then rename
+// it over the target. Rename is atomic on the same filesystem, so a crash or a
+// concurrent writer can never observe a half-written / 0-byte target — which is how
+// a plain `fs.writeFile` (open with O_TRUNC) would otherwise corrupt user config
+// (e.g. truncating ~/.claude/settings.json or our own config.json to 0 bytes).
+export async function writeFileAtomic(filePath, data, mode) {
+    const tmp = `${filePath}.${process.pid}.tmp`;
+    try {
+        await fs.writeFile(tmp, data);
+        if (mode !== undefined) {
+            try {
+                await fs.chmod(tmp, mode);
+            }
+            catch {
+                // chmod unsupported (e.g. Windows) — non-fatal, keep going.
+            }
+        }
+        await fs.rename(tmp, filePath);
+    }
+    catch (err) {
+        // Best-effort cleanup of the temp file if the rename never happened.
+        try {
+            await fs.remove(tmp);
+        }
+        catch {
+            // ignore
+        }
+        throw err;
+    }
+}

package/dist/utils/prompt.js

@@ -5,7 +5,7 @@ export async function promptApiKey() {
         type: 'password',
         name: 'apiKey',
         message: t('prompt.pasteKey'),
-        validate: (v) => (v && v.startsWith('sk-tm-') ? true : t('login.keyMustStart')),
+        validate: (v) => (v && v.trim().startsWith('sk-tm-') ? true : t('login.keyMustStart')),
     });
     const key = r.apiKey?.trim();
     return key || null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tokenmix",
-  "version": "1.5.1",
+  "version": "1.5.3",
   "description": "Zero-config CLI to use any open-source coding agent with TokenMix as the unified LLM backend.",
   "type": "module",
   "bin": {