From 71401b1d501f4dd67a4dff141b3e90c699a4c019 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20Guti=C3=A9rrez?= <35082514+alezmad@users.noreply.github.com>
Date: Tue, 2 Jun 2026 18:30:47 +0100
Subject: [PATCH] fix(cli): session config.json written 0600, not 0644 (1.35.1)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The per-session config written to the launch tmpdir embeds the mesh keypair (secret key) but was created without a mode → 0644 (world/group-readable), which `claudemesh status` flags as "perms 0644 — expected 0600". The enclosing mkdtemp dir is 0700, but lock the file down too so the secret is never world-readable. File is freshly created in a new tmpdir, so the mode applies on create.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 apps/cli/package.json | 2 +-
 apps/cli/src/commands/launch.ts | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/apps/cli/package.json b/apps/cli/package.json
index 462a7ce..b05ea02 100644
--- a/apps/cli/package.json
+++ b/apps/cli/package.json
@@ -1,6 +1,6 @@
 {
 "name": "claudemesh-cli",
- "version": "1.35.0",
+ "version": "1.35.1",
 "description": "Peer mesh for Claude Code sessions — CLI + MCP server.",
 "keywords": [
 "claude-code",
diff --git a/apps/cli/src/commands/launch.ts b/apps/cli/src/commands/launch.ts
index c276bde..7400c50 100644
--- a/apps/cli/src/commands/launch.ts
+++ b/apps/cli/src/commands/launch.ts
@@ -763,10 +763,16 @@ export async function runLaunch(flags: LaunchFlags, rawArgs: string[]): Promise<
 ...(parsedGroups.length > 0 ? { groups: parsedGroups } : {}),
 messageMode,
 };
+ // mode 0600: this config embeds the mesh keypair (secret key). Written
+ // without a mode it lands at 0644 (world/group-readable) — which
+ // `claudemesh status` flags as "perms 0644 — expected 0600". The
+ // enclosing tmpDir is already 0700, but lock the file down too so the
+ // secret is never world-readable even for a moment. The file is freshly
+ // created in a new mkdtemp dir, so the mode applies on create.
 writeFileSync(
 join(tmpDir, "config.json"),
 JSON.stringify(sessionConfig, null, 2) + "\n",
- "utf-8",
+ { encoding: "utf-8", mode: 0o600 },
 );
 // 4b. Mint a per-session IPC token, persist it under tmpDir, and
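Review bot: The `mode: 0o600` in the new writeFileSync options only takes effect when the file is created, so the 0600 guarantee rests on the "freshly created in a new mkdtemp dir" assumption in the comment rather than on the call itself; passing `flag: "wx"` would make a pre-existing config.json fail loudly instead of silently keeping whatever mode it already had — `{ encoding: "utf-8", mode: 0o600, flag: "wx" },`. The comment's "lands at 0644" also presumes a 022 umask, since the default is 0o666 masked by the process umask; saying "0666 & ~umask, typically 0644" keeps it accurate under other umasks. Six comment lines for one option is heavy next to the one-line `// 4b.` style below it — the first sentence plus the `claudemesh status` reference would carry the point. The enclosing runLaunch function starts and ends outside this hunk.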