fix: resolve arg parsing, subshell variable loss, and decrypt issues (v0.2.1)

- Global flags (--user, --registry, --password) now work after subcommand name
- Fix raw_http variables lost in subshells by persisting to temp files
- Remove config inline-comment stripping that truncated base64 ciphertext
- Add trailing newline to openssl decrypt pipe input
- Move config path to ~/.config/hubmanager.conf
- Add "Cleaning up empty repositories" section to README

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

CLAUDE.md

@@ -10,6 +10,47 @@ authentication detection (bearer token or HTTP basic auth).
 
 ---
 
+## What Changed (Session 2026-03-01)
+
+### Bug fixes and improvements (v0.2.1)
+
+1. **Global arg parsing fix** (`parse_global_args`): global flags like `--user`,
+   `--registry`, `--password` placed after the subcommand name (e.g.
+   `hubmanager login --user ...`) were not recognised. The `*` catch-all used
+   `remaining+=("$@"); break` which stopped parsing. Changed to
+   `remaining+=("$1"); shift` so parsing continues through all arguments.
+
+2. **Subshell variable fix** (`raw_http` / `registry_request`): `HM_LAST_HTTP_CODE`
+   and `HM_LAST_HEADERS_FILE` were set inside `raw_http`, but callers used
+   `body=$(raw_http ...)` which runs in a subshell — variables set inside never
+   propagated back. Fixed by adding two global temp files (`HM_HTTP_CODE_FILE`,
+   `HM_HEADERS_REF_FILE`) that `raw_http` writes to; callers read them back after
+   the subshell returns.
+
+3. **Config inline-comment stripping removed** (`load_config`): the parser stripped
+   everything after the first `#` in config values (`value="${value%%#*}"`), which
+   could truncate base64 ciphertext containing `#`. Removed since comment-only
+   lines are already skipped.
+
+4. **Decrypt newline fix** (`_decrypt_value`): `printf '%s'` piped ciphertext to
+   `openssl enc -d -a` without a trailing newline, causing `openssl` to fail with
+   "error reading input file". Changed to `printf '%s\n'`.
+
+5. **Config path moved**: `~/.hubmanager.conf` → `~/.config/hubmanager.conf`.
+   `login --save` now runs `mkdir -p` on the parent directory before writing.
+
+6. **README**: added "Cleaning up empty repositories" section explaining the
+   server-side steps needed to remove empty repos (registry v2 API limitation).
+
+### New global variables
+
+| Variable | Purpose |
+| --- | --- |
+| `HM_HTTP_CODE_FILE` | Temp file for HTTP code (survives subshells) |
+| `HM_HEADERS_REF_FILE` | Temp file for headers path (survives subshells) |
+
+---
+
 ## What Changed (Session 2026-02-21)
 
 ### Encrypted config values (`--encrypt`)
@@ -57,7 +98,7 @@ Both `load_config()` and `resolve_registry_alias()` detect the prefix and call
 
 | Command | Description |
 | --- | --- |
-| `login` | Test credentials against a registry; `--save` writes to `~/.hubmanager.conf` |
+| `login` | Test credentials against a registry; `--save` writes to `~/.config/hubmanager.conf` |
 | `list` | List repositories (`_catalog` for self-hosted; Hub REST API for Docker Hub) |
 | `tags` | List tags for an image with pagination |
 | `inspect` | Show manifest digest, size, OS/arch, layers, labels; multi-arch support |
@@ -120,7 +161,7 @@ main "$@"
    - `delete` and `prune` are blocked (Hub v2 API doesn't support deletion)
    - Hub REST API uses a separate JWT from `hub.docker.com/v2/users/login`
 
-6. **Config file** (`~/.hubmanager.conf`):
+6. **Config file** (`~/.config/hubmanager.conf`):
    - `KEY=VALUE` format, parsed with `while IFS='=' read` (not `source`)
    - Supports named registry aliases: `REGISTRY_<ALIAS>_URL/USERNAME/PASSWORD`
    - Aliases are resolved in `resolve_registry_alias()` before any operations