fix(cli): session config.json written 0600, not 0644 (1.35.1)

The per-session config written to the launch tmpdir embeds the mesh keypair (secret key) but was created without a mode → 0644 (world/group-readable), which `claudemesh status` flags as "perms 0644 — expected 0600". The enclosing mkdtemp dir is 0700, but lock the file down too so the secret is never world-readable. File is freshly created in a new tmpdir, so the mode applies on create. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-02 18:30:47 +01:00
parent 2b88784005
commit 71401b1d50
2 changed files with 8 additions and 2 deletions
--- a/apps/cli/package.json
+++ b/apps/cli/package.json
@@ -1,6 +1,6 @@
 {
  "name": "claudemesh-cli",
-  "version": "1.35.0",
+  "version": "1.35.1",
  "description": "Peer mesh for Claude Code sessions — CLI + MCP server.",
  "keywords": [
    "claude-code",
--- a/apps/cli/src/commands/launch.ts
+++ b/apps/cli/src/commands/launch.ts
@@ -763,10 +763,16 @@ export async function runLaunch(flags: LaunchFlags, rawArgs: string[]): Promise<
    ...(parsedGroups.length > 0 ? { groups: parsedGroups } : {}),
    messageMode,
  };
+  // mode 0600: this config embeds the mesh keypair (secret key). Written
+  // without a mode it lands at 0644 (world/group-readable) — which
+  // `claudemesh status` flags as "perms 0644 — expected 0600". The
+  // enclosing tmpDir is already 0700, but lock the file down too so the
+  // secret is never world-readable even for a moment. The file is freshly
+  // created in a new mkdtemp dir, so the mode applies on create.
  writeFileSync(
    join(tmpDir, "config.json"),
    JSON.stringify(sessionConfig, null, 2) + "\n",
-    "utf-8",
+    { encoding: "utf-8", mode: 0o600 },
  );

  // 4b. Mint a per-session IPC token, persist it under tmpDir, and