diff --git a/apps/cli/package.json b/apps/cli/package.json
index 462a7ce..b05ea02 100644
--- a/apps/cli/package.json
+++ b/apps/cli/package.json
@@ -1,6 +1,6 @@
 {
 "name": "claudemesh-cli",
- "version": "1.35.0",
+ "version": "1.35.1",
 "description": "Peer mesh for Claude Code sessions — CLI + MCP server.",
 "keywords": [
 "claude-code",
diff --git a/apps/cli/src/commands/launch.ts b/apps/cli/src/commands/launch.ts
index c276bde..7400c50 100644
--- a/apps/cli/src/commands/launch.ts
+++ b/apps/cli/src/commands/launch.ts
@@ -763,10 +763,16 @@ export async function runLaunch(flags: LaunchFlags, rawArgs: string[]): Promise<
 ...(parsedGroups.length > 0 ? { groups: parsedGroups } : {}),
 messageMode,
 };
+ // mode 0600: this config embeds the mesh keypair (secret key). Written
+ // without a mode it lands at 0644 (world/group-readable) — which
+ // `claudemesh status` flags as "perms 0644 — expected 0600". The
+ // enclosing tmpDir is already 0700, but lock the file down too so the
+ // secret is never world-readable even for a moment. The file is freshly
+ // created in a new mkdtemp dir, so the mode applies on create.
 writeFileSync(
 join(tmpDir, "config.json"),
 JSON.stringify(sessionConfig, null, 2) + "\n",
- "utf-8",
+ { encoding: "utf-8", mode: 0o600 },
 );
 
 // 4b. Mint a per-session IPC token, persist it under tmpDir, and
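Review bot: The `mode: 0o600` option on the `writeFileSync` call for `config.json` only takes effect when the call creates the file, so the protection rests on the comment's claim that `tmpDir` is a fresh mkdtemp directory, which nothing in this hunk enforces. Adding exclusive-create would make that assumption fail closed instead of silently keeping an existing file's wider permissions: `{ encoding: "utf-8", mode: 0o600, flag: "wx" }`. The trailing context shows step 4b persisting a per-session IPC token under the same `tmpDir`; that write is outside the hunk, so it is worth confirming it also passes `mode: 0o600`. `runLaunch` starts and ends outside this hunk.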