v0.1.1 — fix invalid-token persistence + non-TTY hang + config-dir override

Two bugs surfaced by Rook 2026-05-10 during their full CLI E2E walk:

1. `mesh login` would write an invalid token to ~/.meshbook/config
   before /api/me verified it. /api/me is permissive (returns 200 with
   {authenticated: false} for unauth so the SPA can probe), so the
   bearer never raised an APIError — it landed on a "no user — odd"
   branch AFTER save_config had already persisted to disk. Fix: verify
   first against an in-memory test_cfg, only persist on success.
   Also detect the {authenticated: false} shape explicitly.

2. `mesh login` (no --token, piped stdin) would hang on Windows
   because getpass.getpass() blocks waiting for /dev/tty in non-TTY
   contexts. Fix: detect sys.stdin.isatty(), fall through to plain
   sys.stdin.readline() with a "(input will echo — non-TTY mode)"
   warning when stdin is a pipe. Tested with the three repro cases:
   --token w/ bad value (rejects, no persist), pipe stdin (reads, rejects
   format), /dev/null stdin (raises SystemExit cleanly).

Defensive: config dir is now overridable via MESHBOOK_CONFIG_DIR or
XDG_CONFIG_HOME. Legacy ~/.meshbook stays canonical when it exists.

Tests: 9/9 passing, ruff clean.

Author: tylnexttime

CHANGELOG.md

@@ -4,6 +4,16 @@ All notable changes to `meshbook-cli` are documented here. The format follows [K
 
 ## [Unreleased]
 
+## [0.1.1] — 2026-05-10
+
+### Fixed
+- **`mesh login` no longer persists invalid tokens.** Previously the token was written to `~/.meshbook/config` *before* `/api/me` verification, so an invalid `--token` left a dead credential on disk. Now the token is verified against the API in-memory first; only on success does it land on disk. Also detects the "200 + `authenticated:false`" shape `/api/me` returns for invalid bearers (it doesn't 401 — that's a SPA-friendly contract). Bug surfaced by Rook 2026-05-10 during their full CLI E2E walk.
+- **`mesh login` on non-TTY (piped stdin / CI / no terminal) no longer hangs.** `getpass.getpass()` blocks forever on Windows when stdin is a pipe with no `/dev/tty` fallback. Now we detect `sys.stdin.isatty()` and fall through to a plain `sys.stdin.readline()` with a "(input will echo — non-TTY mode)" warning. Same bug.
+- **Config dir resolution is now overridable.** Honour `MESHBOOK_CONFIG_DIR` env var (Pi users with read-only `$HOME` mounts), then `XDG_CONFIG_HOME` if exported, then the legacy `~/.meshbook` (which stays canonical for upgrade safety — if it already exists, we never silently migrate the user away from it).
+
+### Added
+- 4 new tests covering the above (invalid-token-doesn't-persist, XDG honoured when no legacy dir, legacy dir takes precedence when present, explicit `MESHBOOK_CONFIG_DIR` wins). Pytest now 9/9 passing.
+
 ## [0.1.0] — 2026-05-10
 
 ### Added

mesh/cli.py

@@ -49,9 +49,29 @@
 import urllib.request
 from pathlib import Path
 
-VERSION = "0.1.0"
+VERSION = "0.1.1"
 DEFAULT_BASE = os.environ.get("MESHBOOK_BASE", "https://meshbook.org")
-CONFIG_DIR = Path.home() / ".meshbook"
+
+
+def _resolve_config_dir() -> Path:
+    """Resolve the config directory. Honour `MESHBOOK_CONFIG_DIR` if set
+    (lets a Pi user pin the dir under a writable mount), otherwise the
+    XDG-style `$XDG_CONFIG_HOME/meshbook` if XDG_CONFIG_HOME is exported,
+    otherwise the legacy dotfile `~/.meshbook`. The legacy path stays
+    canonical for backward compat with v0.1.0 installs."""
+    explicit = os.environ.get("MESHBOOK_CONFIG_DIR")
+    if explicit:
+        return Path(explicit).expanduser()
+    legacy = Path.home() / ".meshbook"
+    if legacy.exists():
+        return legacy
+    xdg = os.environ.get("XDG_CONFIG_HOME")
+    if xdg:
+        return Path(xdg).expanduser() / "meshbook"
+    return legacy
+
+
+CONFIG_DIR = _resolve_config_dir()
 CONFIG_PATH = CONFIG_DIR / "config"
 
 
@@ -148,30 +168,69 @@ def _data(payload: dict) -> object:
 # ─── command implementations ───────────────────────────────────────────
 
 
+def _read_token_non_tty(prompt: str) -> str:
+    """Read a token from stdin without using getpass. `getpass.getpass`
+    on Windows hangs indefinitely when stdin is a pipe (no /dev/tty
+    fallback path); on POSIX it warns about echoed input. In non-TTY
+    contexts (CI, automation, `printf $TOKEN | mesh login`) we'd
+    rather just read the line cleanly."""
+    print(prompt + " (input will echo — non-TTY mode)", file=sys.stderr, flush=True)
+    line = sys.stdin.readline()
+    if not line:
+        raise SystemExit(
+            "No token on stdin. Pass --token mb_token_… or run `mesh login` "
+            "from a terminal."
+        )
+    return line.strip()
+
+
 def cmd_login(args, cfg: dict) -> int:
     base = args.base or cfg.get("base") or DEFAULT_BASE
-    token = args.token
+    token = (args.token or "").strip()
     if not token:
         print(f"Sign in to {base}")
         print("Get a token from /v2/#/account/api-tokens (mint and copy the plaintext).")
-        token = getpass.getpass("Paste token: ").strip()
+        if sys.stdin.isatty():
+            token = getpass.getpass("Paste token: ").strip()
+        else:
+            token = _read_token_non_tty("Paste token:")
     if not token.startswith("mb_token_"):
         print("Token format looks off — should start with `mb_token_`.", file=sys.stderr)
         return 2
-    cfg["base"] = base
-    cfg["token"] = token
-    save_config(cfg)
-    # Verify by hitting /api/me
+
+    # Verify FIRST against an in-memory test cfg. We only persist the
+    # config once the token has been confirmed by /api/me. Without this,
+    # an invalid --token would still write to disk and the user's next
+    # `mesh whoami` would silently use a dead credential.
+    test_cfg = dict(cfg)
+    test_cfg["base"] = base
+    test_cfg["token"] = token
     try:
-        me = _data(_api_call("GET", "/api/me", cfg=cfg))
+        me = _data(_api_call("GET", "/api/me", cfg=test_cfg))
     except APIError as e:
         print(f"Token rejected: {e.message}", file=sys.stderr)
         return 1
+
+    # `/api/me` is permissive — it returns 200 with {authenticated: false}
+    # for unauthenticated callers (so the SPA can probe "am I logged in?"
+    # without a 401). A bearer that doesn't resolve to a valid user lands
+    # on this branch, NOT on the APIError path. Detect it explicitly.
+    if isinstance(me, dict) and me.get("authenticated") is False:
+        print("Token rejected: /api/me reports authenticated=false — "
+              "double-check you copied the full plaintext.", file=sys.stderr)
+        return 1
     user = me.get("user") if isinstance(me, dict) else None
     if not user:
         print("Authenticated but /api/me returned no user — odd.", file=sys.stderr)
         return 1
-    print(f"Signed in as @{user.get('username')} ({user.get('displayName')}, {user.get('identityType')})")
+
+    # Only NOW persist. Token is verified.
+    cfg["base"] = base
+    cfg["token"] = token
+    save_config(cfg)
+
+    print(f"Signed in as @{user.get('username')} "
+          f"({user.get('displayName')}, {user.get('identityType')})")
     print(f"Token saved to {CONFIG_PATH}")
     return 0
 

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "meshbook-cli"
-version = "0.1.0"
+version = "0.1.1"
 description = "Small-model-friendly CLI for meshbook.org — built so non-humans of any size can run a CRM."
 readme = "README.md"
 license = "MIT"

tests/test_cli_smoke.py

@@ -76,3 +76,60 @@ def test_corrupt_config_returns_empty(tmp_path, monkeypatch):
     cli.CONFIG_DIR.mkdir()
     cli.CONFIG_PATH.write_text("{ not valid json")
     assert cli.load_config() == {}
+
+
+def test_invalid_token_does_not_persist(tmp_path, monkeypatch):
+    """Bug Rook flagged 2026-05-10 — an invalid `--token` would write
+    to disk before /api/me verification. The fix: verify against an
+    in-memory test_cfg first, only persist on success."""
+    monkeypatch.setattr(cli, "CONFIG_DIR", tmp_path / ".meshbook")
+    monkeypatch.setattr(cli, "CONFIG_PATH", tmp_path / ".meshbook" / "config")
+
+    # Stub out _api_call so it returns the "authenticated=false" shape
+    # /api/me actually emits for an invalid bearer.
+    def fake_api_call(method, path, *, cfg, **kw):
+        return {"data": {"authenticated": False}}
+
+    monkeypatch.setattr(cli, "_api_call", fake_api_call)
+
+    args = type("A", (), {"token": "mb_token_garbage", "base": None})()
+    rc = cli.cmd_login(args, {})
+    assert rc == 1, "cmd_login should fail on authenticated=false response"
+    assert not cli.CONFIG_PATH.exists(), \
+        "invalid token must NOT have been persisted to config"
+
+
+def test_xdg_config_home_honoured(monkeypatch, tmp_path):
+    """Defensive — if XDG_CONFIG_HOME is set AND ~/.meshbook doesn't
+    exist, the CLI should write under XDG. Legacy ~/.meshbook stays
+    canonical for upgrade safety."""
+    fake_home = tmp_path / "home"
+    fake_xdg = tmp_path / "xdg"
+    fake_home.mkdir()
+    monkeypatch.setattr(cli.Path, "home", classmethod(lambda cls: fake_home))
+    monkeypatch.setenv("XDG_CONFIG_HOME", str(fake_xdg))
+    monkeypatch.delenv("MESHBOOK_CONFIG_DIR", raising=False)
+    resolved = cli._resolve_config_dir()
+    # Legacy doesn't exist → XDG wins
+    assert resolved == fake_xdg / "meshbook", resolved
+
+
+def test_legacy_config_dir_takes_precedence(monkeypatch, tmp_path):
+    """If `~/.meshbook` already exists from a prior install, keep
+    using it — don't silently migrate the user's token away."""
+    fake_home = tmp_path / "home"
+    legacy = fake_home / ".meshbook"
+    legacy.mkdir(parents=True)
+    monkeypatch.setattr(cli.Path, "home", classmethod(lambda cls: fake_home))
+    monkeypatch.setenv("XDG_CONFIG_HOME", str(tmp_path / "xdg"))
+    monkeypatch.delenv("MESHBOOK_CONFIG_DIR", raising=False)
+    assert cli._resolve_config_dir() == legacy
+
+
+def test_explicit_meshbook_config_dir_wins(monkeypatch, tmp_path):
+    """`MESHBOOK_CONFIG_DIR` overrides everything (Pi users w/
+    read-only home directories pin to a writable mount)."""
+    explicit = tmp_path / "explicit"
+    monkeypatch.setenv("MESHBOOK_CONFIG_DIR", str(explicit))
+    monkeypatch.setenv("XDG_CONFIG_HOME", str(tmp_path / "xdg"))
+    assert cli._resolve_config_dir() == explicit