
TOKEN_SECRET default path uses os.homedir(), unwritable on Android / embedded runtimes #521

@melvincarvalho

Description


Summary

src/auth/token-secret.js:14 defaults the persisted-secret location to the OS home dir:

export const DEFAULT_SECRET_PATH = path.join(os.homedir(), '.jss', 'token.secret');

On Android (nodejs-mobile) os.homedir() resolves to /data (or /), which the app process can't write to. readOrWritePersistedSecret() then fails the mkdirSync with EACCES:

WARNING: Could not persist TOKEN_SECRET (EACCES: permission denied, mkdir '/data/.jss'). Using ephemeral secret; tokens will not survive restarts.

Result: every restart rotates the secret, so sessions/tokens don't survive an app restart.

Impact

Degraded (ephemeral-secret) auth on any runtime where os.homedir() isn't writable — embedded Node, some containers, locked-down deploys.

Inconsistent with configPath

src/config.js:139 already uses a cwd-relative config dir (configPath: './.jss'). The token secret is the odd one out, anchoring to os.homedir() instead of the same base.

Suggested fix

Anchor the default secret path to the same base as the rest of JSS config (cwd-relative ./.jss, or a root/config-dir-derived path) rather than os.homedir(). TOKEN_SECRET env and the secretPath param already exist as overrides — this is only about a writable, consistent default.

Location

  • src/auth/token-secret.js:14 (and resolveTokenSecret / readOrWritePersistedSecret below it)

Labels: bug (Something isn't working)