@kendoo.agentdesk/agentdesk 0.6.5 → 0.6.6

package/cli/login.mjs

@@ -104,8 +104,8 @@ export async function runLogin() {
 
       if (apiKey) {
         // Save credentials
-        if (!existsSync(CONFIG_DIR)) mkdirSync(CONFIG_DIR, { recursive: true });
-        writeFileSync(CREDENTIALS_PATH, JSON.stringify({ apiKey, name, savedAt: Date.now() }, null, 2));
+        if (!existsSync(CONFIG_DIR)) mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+        writeFileSync(CREDENTIALS_PATH, JSON.stringify({ apiKey, name, savedAt: Date.now() }, null, 2), { mode: 0o600 });
 
         res.writeHead(200, { "Content-Type": "text/html" });
         res.end(`<html><body style="background:#0f172a;color:#e2e8f0;font-family:system-ui;display:flex;align-items:center;justify-content:center;height:100vh;margin:0"><div style="text-align:center"><h2 style="color:#2dd4bf">Logged in to AgentDesk</h2><p>You can close this tab and return to your terminal.</p></div></body></html>`);
@@ -145,11 +145,11 @@ export async function runLogin() {
   console.log("");
   console.log("  Waiting for authentication...");
 
-  // Open browser
-  const { exec } = await import("child_process");
+  // Open browser (use execFile to avoid shell injection)
+  const { execFile } = await import("child_process");
   const platform = process.platform;
   const cmd = platform === "darwin" ? "open" : platform === "win32" ? "start" : "xdg-open";
-  exec(`${cmd} "${loginUrl}"`);
+  execFile(cmd, [loginUrl], () => {});
 
   // Timeout after 5 minutes
   setTimeout(() => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kendoo.agentdesk/agentdesk",
-  "version": "0.6.5",
+  "version": "0.6.6",
   "description": "AI team orchestrator for Claude Code — run collaborative agent sessions from your terminal",
   "type": "module",
   "bin": {