quadwork 1.10.1 → 1.11.1

package/server/config.js

@@ -74,7 +74,7 @@ function migrateAgentKeys(config) {
   }
   if (changed) {
     try {
-      fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2));
+      writeSecureFile(CONFIG_PATH, JSON.stringify(config, null, 2));
     } catch {}
   }
   return config;
@@ -89,9 +89,9 @@ function readConfig() {
       // Config file doesn't exist — create default
       const dir = path.dirname(CONFIG_PATH);
       if (!fs.existsSync(dir)) {
-        fs.mkdirSync(dir, { recursive: true });
+        ensureSecureDir(dir);
       }
-      fs.writeFileSync(CONFIG_PATH, JSON.stringify(DEFAULT_CONFIG, null, 2));
+      writeSecureFile(CONFIG_PATH, JSON.stringify(DEFAULT_CONFIG, null, 2));
       return { ...DEFAULT_CONFIG };
     }
     throw new Error(`Cannot read config at ${CONFIG_PATH}: ${err.message}`);
@@ -198,10 +198,34 @@ async function syncChattrToken(projectId) {
       const realToken = match[1];
       if (project.agentchattr_token !== realToken) {
         project.agentchattr_token = realToken;
-        fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2));
+        writeSecureFile(CONFIG_PATH, JSON.stringify(config, null, 2));
       }
     }
   } catch {}
 }
 
-module.exports = { readConfig, resolveAgentCwd, resolveAgentCommand, resolveProjectChattr, resolveChattrSpawn, syncChattrToken, sanitizeOperatorName, CONFIG_PATH };
+// --- #540: Secure file/directory helpers ---
+// All paths under ~/.quadwork/ may contain secrets (tokens, configs,
+// chat exports). Use these helpers instead of raw fs calls to ensure
+// restrictive permissions on multi-user systems.
+
+/** Create a directory with 0o700 (owner-only). Hardens existing dirs too. */
+function ensureSecureDir(dir) {
+  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+  // mkdirSync mode only applies on creation — chmod existing dirs.
+  try { fs.chmodSync(dir, 0o700); } catch {}
+}
+
+/** Write a file with 0o600 (owner-only read/write). Hardens existing files too. */
+function writeSecureFile(filePath, data, extraOpts = {}) {
+  fs.writeFileSync(filePath, data, { mode: 0o600, ...extraOpts });
+  // writeFileSync mode only applies on creation — chmod existing files.
+  try { fs.chmodSync(filePath, 0o600); } catch {}
+}
+
+/** Write config.json atomically with 0o600 permissions. */
+function writeConfig(cfg) {
+  writeSecureFile(CONFIG_PATH, JSON.stringify(cfg, null, 2));
+}
+
+module.exports = { readConfig, resolveAgentCwd, resolveAgentCommand, resolveProjectChattr, resolveChattrSpawn, syncChattrToken, sanitizeOperatorName, CONFIG_PATH, ensureSecureDir, writeSecureFile, writeConfig };

package/server/index.js

@@ -6,7 +6,7 @@ const os = require("os");
 const { WebSocketServer } = require("ws");
 const pty = require("node-pty");
 const { spawn } = require("child_process");
-const { readConfig, resolveAgentCwd, resolveAgentCommand, resolveProjectChattr, resolveChattrSpawn, syncChattrToken, CONFIG_PATH } = require("./config");
+const { readConfig, resolveAgentCwd, resolveAgentCommand, resolveProjectChattr, resolveChattrSpawn, syncChattrToken, CONFIG_PATH, ensureSecureDir, writeSecureFile, writeConfig } = require("./config");
 const routes = require("./routes");
 const {
   patchAgentchattrConfigForDiscordBridge,
@@ -43,11 +43,11 @@ app.get("/api/health", (_req, res) => {
 
 // --- CLI status detection ---
 
-const { execSync } = require("child_process");
+const { execFileSync } = require("child_process");
 
 function isCliInstalled(cmd) {
   try {
-    execSync(`which ${cmd}`, { encoding: "utf-8", stdio: "pipe" });
+    execFileSync("which", [cmd], { encoding: "utf-8", stdio: "pipe" });
     return true;
   } catch {
     return false;
@@ -264,8 +264,8 @@ function readPersistedAgentToken(projectId, agentId) {
 function writePersistedAgentToken(projectId, agentId, token) {
   try {
     const configDir = path.join(os.homedir(), ".quadwork", projectId);
-    if (!fs.existsSync(configDir)) fs.mkdirSync(configDir, { recursive: true });
-    fs.writeFileSync(_agentTokenPath(projectId, agentId), token, { mode: 0o600 });
+    ensureSecureDir(configDir);
+    writeSecureFile(_agentTokenPath(projectId, agentId), token);
   } catch {
     // non-fatal — stale-slot reclaim will degrade but registration still works
   }
@@ -278,7 +278,7 @@ function clearPersistedAgentToken(projectId, agentId) {
 function writeMcpConfigFile(projectId, agentId, mcpHttpPort, token) {
   const os = require("os");
   const configDir = path.join(os.homedir(), ".quadwork", projectId);
-  if (!fs.existsSync(configDir)) fs.mkdirSync(configDir, { recursive: true });
+  ensureSecureDir(configDir);
   const filePath = path.join(configDir, `mcp-${agentId}.json`);
   const url = `http://127.0.0.1:${mcpHttpPort}/mcp`;
   const config = {
@@ -290,7 +290,7 @@ function writeMcpConfigFile(projectId, agentId, mcpHttpPort, token) {
       },
     },
   };
-  fs.writeFileSync(filePath, JSON.stringify(config, null, 2));
+  writeSecureFile(filePath, JSON.stringify(config, null, 2));
   return filePath;
 }
 
@@ -431,7 +431,7 @@ function buildAgentEnv(projectId, agentId) {
   if (cliBase === "gemini" && project.mcp_http_port) {
     const os = require("os");
     const configDir = path.join(os.homedir(), ".quadwork", projectId);
-    if (!fs.existsSync(configDir)) fs.mkdirSync(configDir, { recursive: true });
+    ensureSecureDir(configDir);
     const settingsPath = path.join(configDir, `mcp-${agentId}-settings.json`);
     const url = `http://127.0.0.1:${project.mcp_http_port}/mcp`;
     const settings = {
@@ -443,7 +443,7 @@ function buildAgentEnv(projectId, agentId) {
         },
       },
     };
-    fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2));
+    writeSecureFile(settingsPath, JSON.stringify(settings, null, 2));
     env.GEMINI_CLI_SYSTEM_SETTINGS_PATH = settingsPath;
   }
 
@@ -555,6 +555,7 @@ async function spawnAgentPty(project, agent) {
       queueWatcherHandle: null,
       // #418: ring buffer of recent PTY output so reconnecting WS
       // clients see the terminal state instead of a blank panel.
+      // #538: scrollback is scrubbed of likely secrets before replay.
       scrollback: Buffer.alloc(0),
     };
     agentSessions.set(key, session);
@@ -730,7 +731,7 @@ const HISTORY_SNAPSHOT_LIMIT = 5;
 async function snapshotProjectHistory(projectId) {
   try {
     const snapDir = path.join(require("os").homedir(), ".quadwork", projectId, "history-snapshots");
-    if (!fs.existsSync(snapDir)) fs.mkdirSync(snapDir, { recursive: true });
+    ensureSecureDir(snapDir);
     const res = await fetch(`http://127.0.0.1:${PORT}/api/project-history?project=${encodeURIComponent(projectId)}`, {
       signal: AbortSignal.timeout(30000),
     });
@@ -809,7 +810,7 @@ async function handleAgentChattr(req, res) {
     try {
       let content = fs.readFileSync(projectConfigToml, "utf-8");
       content = content.replace(/^port = \d+/m, `port = ${chattrPort}`);
-      fs.writeFileSync(projectConfigToml, content);
+      writeSecureFile(projectConfigToml, content);
     } catch {}
   }
 
@@ -866,7 +867,7 @@ async function handleAgentChattr(req, res) {
   // lose their tracked reference when the Node process recycles).
   function killProcessOnPort(port) {
     try {
-      const pids = execSync(`lsof -ti TCP:${port} -sTCP:LISTEN`, {
+      const pids = execFileSync("lsof", ["-ti", `TCP:${port}`, "-sTCP:LISTEN"], {
         encoding: "utf-8",
         timeout: 5000,
         stdio: ["pipe", "pipe", "pipe"],
@@ -889,7 +890,7 @@ async function handleAgentChattr(req, res) {
     return new Promise((resolve) => {
       function check() {
         try {
-          execSync(`lsof -ti TCP:${port} -sTCP:LISTEN`, {
+          execFileSync("lsof", ["-ti", `TCP:${port}`, "-sTCP:LISTEN"], {
             encoding: "utf-8",
             timeout: 2000,
             stdio: ["pipe", "pipe", "pipe"],
@@ -1045,8 +1046,6 @@ async function handleAgentChattr(req, res) {
       return res.status(400).json({ ok: false, error: "AgentChattr not installed at " + (acDir || "unknown") });
     }
     try {
-      const { execSync } = require("child_process");
-
       // Stop running process before pulling. Snapshot first so a
       // botched git pull can still be rolled back from disk.
       // #424 / quadwork#304: best-effort.
@@ -1070,14 +1069,14 @@ async function handleAgentChattr(req, res) {
         await waitForPortFree(chattrPort, 3000);
       }
 
-      const pullResult = execSync("git pull 2>&1", { cwd: acDir, encoding: "utf-8", timeout: 30000 }).trim();
+      const pullResult = execFileSync("git", ["pull"], { cwd: acDir, encoding: "utf-8", timeout: 30000, stdio: "pipe" }).trim();
       // #388: re-apply sender-overflow CSS patch after git pull
       patchAgentchattrCss(acDir);
       const venvPython = path.join(acDir, ".venv", "bin", "python");
       let pipResult = "";
       const reqFile = path.join(acDir, "requirements.txt");
       if (fs.existsSync(venvPython) && fs.existsSync(reqFile)) {
-        pipResult = execSync(`"${venvPython}" -m pip install -r requirements.txt 2>&1`, { cwd: acDir, encoding: "utf-8", timeout: 120000 }).trim();
+        pipResult = execFileSync(venvPython, ["-m", "pip", "install", "-r", "requirements.txt"], { cwd: acDir, encoding: "utf-8", timeout: 120000, stdio: "pipe" }).trim();
       }
 
       // Restart if it was running before the update
@@ -1403,7 +1402,12 @@ async function sendTriggerMessage(projectId) {
             console.log(`[auto-trigger] ${projectId}: caffeinate auto-stopped (no active triggers remain)`);
           }
           // #518: also stop bridges when batch completes
-          await autoStopBridges(projectId, project, qwPort);
+          // #542: transition guard — only stop if not already stopped for this completion
+          const prev = _bridgeBatchPrev.get(projectId);
+          _bridgeBatchPrev.set(projectId, { complete: true, hasItems: !!(bp.items && bp.items.length) });
+          if (!prev || !prev.complete) {
+            await autoStopBridges(projectId, project, qwPort);
+          }
           return;
         }
       }
@@ -1533,7 +1537,7 @@ app.post("/api/triggers/:project/start", (req, res) => {
       if (typeof message === "string" && message.length > 0) entry.trigger_message = message;
       if (Number.isFinite(interval) && interval > 0) entry.trigger_interval_min = interval;
       if (Number.isFinite(duration) && duration >= 0) entry.trigger_duration_min = duration;
-      fs.writeFileSync(CONFIG_PATH, JSON.stringify(cfg, null, 2));
+      writeConfig(cfg);
     }
   } catch (e) { /* non-fatal — timer still runs with its in-memory values */ }
 
@@ -1624,7 +1628,7 @@ app.put("/api/queue", express.json({ limit: "512kb" }), (req, res) => {
   if (content === null) return res.status(400).json({ error: "Missing content" });
   const p = queuePathFor(projectId);
   try {
-    fs.mkdirSync(path.dirname(p), { recursive: true });
+    ensureSecureDir(path.dirname(p));
     fs.writeFileSync(p, content);
     return res.json({ ok: true });
   } catch (e) { return res.status(500).json({ error: e.message }); }
@@ -1642,7 +1646,7 @@ app.post("/api/queue", (req, res) => {
     let content = fs.readFileSync(tpl, "utf-8");
     content = content.replace(/\{\{project_name\}\}/g, project.name || projectId);
     content = content.replace(/\{\{repo\}\}/g, project.repo || "");
-    fs.mkdirSync(path.dirname(p), { recursive: true });
+    ensureSecureDir(path.dirname(p));
     fs.writeFileSync(p, content);
     return res.json({ ok: true, existed: false });
   } catch (e) { return res.status(500).json({ error: e.message }); }
@@ -1719,6 +1723,9 @@ app.use((req, res, next) => {
   }
 });
 
+// --- #538: PTY output secret scrubbing (extracted to scrub-secrets.js) ---
+const { scrubSecrets, scrubScrollback } = require("./scrub-secrets");
+
 // --- WebSocket + PTY ---
 // WS connects to an existing PTY session (started via lifecycle API)
 // or spawns a new one if none exists.
@@ -1760,10 +1767,10 @@ wss.on("connection", async (ws, req) => {
   // {"type":"replay"} to avoid the timing race where eager replay
   // arrived before the client's onmessage handler was registered.
 
-  // PTY → client
+  // PTY → client (#538: scrub secrets from live output)
   const dataHandler = session.term.onData((data) => {
     if (ws.readyState === ws.OPEN) {
-      ws.send(data);
+      ws.send(scrubSecrets(data));
     }
   });
 
@@ -1773,8 +1780,17 @@ wss.on("connection", async (ws, req) => {
     const str = msg.toString();
     try {
       const parsed = JSON.parse(str);
-      if (parsed.type === "resize" && parsed.cols && parsed.rows) {
-        session.term.resize(parsed.cols, parsed.rows);
+      if (parsed.type === "resize") {
+        // #541: strict numeric type check and bounds validation before
+        // passing to PTY. The dashboard client (TerminalPanel.tsx) sends
+        // xterm.js cols/rows which are always numbers. Reject anything
+        // else at the boundary.
+        if (typeof parsed.cols === "number" && typeof parsed.rows === "number" &&
+            Number.isFinite(parsed.cols) && Number.isFinite(parsed.rows) &&
+            parsed.cols >= 1 && parsed.cols <= 500 &&
+            parsed.rows >= 1 && parsed.rows <= 500) {
+          session.term.resize(parsed.cols, parsed.rows);
+        }
         return;
       }
       // #461: client requests scrollback replay after xterm is fully
@@ -1784,7 +1800,8 @@ wss.on("connection", async (ws, req) => {
       // synthetic status line so the terminal isn't completely blank.
       if (parsed.type === "replay") {
         if (session.scrollback && session.scrollback.length > 0) {
-          ws.send(session.scrollback);
+          // #538: scrub likely secrets before replaying accumulated output.
+          ws.send(scrubScrollback(session.scrollback));
         } else {
           ws.send(`\x1b[2m[agent online — waiting for input]\x1b[0m\r\n`);
         }
@@ -1874,7 +1891,8 @@ async function autoStopPollingTick() {
           }
         }
         // #518: also stop bridges when batch completes
-        if (hasBridgeAuto) {
+        // #542: only fire on the transition (incomplete→complete), not every tick
+        if (hasBridgeAuto && (!prev || !prev.complete)) {
           await autoStopBridges(project.id, project, qwPort);
         }
       }

package/server/install-agentchattr.js

@@ -14,7 +14,7 @@
 // Self-contained — depends only on Node built-ins so it's safe to require
 // from anywhere in the project (CLI bin, server routes, future tests).
 
-const { execSync } = require("child_process");
+const { execFileSync } = require("child_process");
 const fs = require("fs");
 const path = require("path");
 
@@ -28,8 +28,8 @@ const INSTALL_LOCK_STALE_MS = 10 * 60 * 1000; // 10 min
 const INSTALL_LOCK_WAIT_TOTAL_MS = 30 * 1000;  // wait up to 30s for a peer
 const INSTALL_LOCK_POLL_MS = 500;
 
-function _run(cmd, opts = {}) {
-  try { return execSync(cmd, { encoding: "utf-8", stdio: "pipe", ...opts }).trim(); }
+function _run(cmd, args = [], opts = {}) {
+  try { return execFileSync(cmd, args, { encoding: "utf-8", stdio: "pipe", ...opts }).trim(); }
   catch { return null; }
 }
 
@@ -102,14 +102,15 @@ function installAgentChattr(dir) {
 
   // --- Per-target lock ---
   const lockFile = `${dir}.install.lock`;
-  try { fs.mkdirSync(path.dirname(lockFile), { recursive: true }); }
+  try { fs.mkdirSync(path.dirname(lockFile), { recursive: true, mode: 0o700 }); }
   catch (e) { return setError(`Cannot create parent of ${dir}: ${e.message}`); }
 
   let acquired = false;
   const deadline = Date.now() + INSTALL_LOCK_WAIT_TOTAL_MS;
   while (!acquired) {
     try {
-      fs.writeFileSync(lockFile, `${process.pid}:${Date.now()}`, { flag: "wx" });
+      fs.writeFileSync(lockFile, `${process.pid}:${Date.now()}`, { mode: 0o600, flag: "wx" });
+      try { fs.chmodSync(lockFile, 0o600); } catch {}
       acquired = true;
     } catch (e) {
       if (e.code !== "EEXIST") return setError(`Cannot create install lock ${lockFile}: ${e.message}`);
@@ -129,7 +130,7 @@ function installAgentChattr(dir) {
         const info = _readLock(lockFile) || { pid: "?", ts: 0 };
         return setError(`Another install is in progress at ${dir} (pid ${info.pid}); timed out after ${INSTALL_LOCK_WAIT_TOTAL_MS}ms. Re-run after it finishes, or remove ${lockFile} if stale.`);
       }
-      try { execSync(`sleep ${INSTALL_LOCK_POLL_MS / 1000}`); }
+      try { execFileSync("sleep", [String(INSTALL_LOCK_POLL_MS / 1000)], { stdio: "pipe" }); }
       catch { /* sleep interrupted; loop will recheck */ }
     }
   }
@@ -158,7 +159,7 @@ function _installAgentChattrLocked(dir, setError) {
         try { fs.rmSync(dir, { recursive: true, force: true }); }
         catch (e) { return setError(`Cannot remove empty dir ${dir}: ${e.message}`); }
       } else if (fs.existsSync(path.join(dir, ".git"))) {
-        const remote = _run(`git -C "${dir}" remote get-url origin 2>/dev/null`);
+        const remote = _run("git", ["-C", dir, "remote", "get-url", "origin"]);
         if (remote && remote.includes("agentchattr")) {
           try { fs.rmSync(dir, { recursive: true, force: true }); }
           catch (e) { return setError(`Cannot remove failed clone at ${dir}: ${e.message}`); }
@@ -169,16 +170,16 @@ function _installAgentChattrLocked(dir, setError) {
         return setError(`Refusing to overwrite ${dir}: directory exists with unrelated content`);
       }
     }
-    try { fs.mkdirSync(path.dirname(dir), { recursive: true }); }
+    try { fs.mkdirSync(path.dirname(dir), { recursive: true, mode: 0o700 }); }
     catch (e) { return setError(`Cannot create parent of ${dir}: ${e.message}`); }
-    const cloneResult = _run(`git clone "${AGENTCHATTR_REPO}" "${dir}" 2>&1`, { timeout: 60000 });
+    const cloneResult = _run("git", ["clone", AGENTCHATTR_REPO, dir], { timeout: 60000 });
     if (cloneResult === null) return setError(`git clone of ${AGENTCHATTR_REPO} into ${dir} failed`);
     if (!fs.existsSync(runPy)) return setError(`Clone completed but run.py missing at ${dir}`);
   }
 
   // 2. Create venv if missing.
   if (!fs.existsSync(venvPython)) {
-    const venvResult = _run(`python3 -m venv "${path.join(dir, ".venv")}" 2>&1`, { timeout: 60000 });
+    const venvResult = _run("python3", ["-m", "venv", path.join(dir, ".venv")], { timeout: 60000 });
     if (venvResult === null) return setError(`python3 -m venv failed at ${dir}/.venv (is python3 installed?)`);
     if (!fs.existsSync(venvPython)) return setError(`venv created but ${venvPython} missing`);
     venvJustCreated = true;
@@ -188,7 +189,7 @@ function _installAgentChattrLocked(dir, setError) {
   if (venvJustCreated) {
     const reqFile = path.join(dir, "requirements.txt");
     if (fs.existsSync(reqFile)) {
-      const pipResult = _run(`"${venvPython}" -m pip install -r "${reqFile}" 2>&1`, { timeout: 120000 });
+      const pipResult = _run(venvPython, ["-m", "pip", "install", "-r", reqFile], { timeout: 120000 });
       if (pipResult === null) return setError(`pip install -r ${reqFile} failed`);
     }
   }

package/server/routes.js

@@ -36,8 +36,8 @@ function readConfigFile() {
 
 function writeConfigFile(cfg) {
   const dir = path.dirname(CONFIG_PATH);
-  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
-  fs.writeFileSync(CONFIG_PATH, JSON.stringify(cfg, null, 2));
+  ensureSecureDir(dir);
+  writeConfig(cfg);
 }
 
 // ─── Config ────────────────────────────────────────────────────────────────
@@ -66,8 +66,8 @@ router.put("/api/config", (req, res) => {
   try {
     const body = req.body;
     const dir = path.dirname(CONFIG_PATH);
-    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
-    fs.writeFileSync(CONFIG_PATH, JSON.stringify(body, null, 2));
+    ensureSecureDir(dir);
+    writeConfig(body);
     // Trigger sync is handled internally since we're in the same process now
     if (typeof req.app.get("syncTriggers") === "function") {
       req.app.get("syncTriggers")();
@@ -80,7 +80,7 @@ router.put("/api/config", (req, res) => {
 
 // ─── Chat (AgentChattr proxy) ──────────────────────────────────────────────
 
-const { resolveProjectChattr, sanitizeOperatorName } = require("./config");
+const { resolveProjectChattr, sanitizeOperatorName, ensureSecureDir, writeSecureFile, writeConfig } = require("./config");
 const { installAgentChattr, findAgentChattr } = require("./install-agentchattr");
 
 /**
@@ -96,7 +96,7 @@ function writeOvernightQueueFileSafe(projectId, projectName, repo) {
     if (fs.existsSync(queuePath)) return;
     const tpl = path.join(TEMPLATES_DIR, "OVERNIGHT-QUEUE.md");
     if (!fs.existsSync(tpl)) return;
-    fs.mkdirSync(path.dirname(queuePath), { recursive: true });
+    ensureSecureDir(path.dirname(queuePath));
     let content = fs.readFileSync(tpl, "utf-8");
     content = content.replace(/\{\{project_name\}\}/g, projectName || projectId || "");
     content = content.replace(/\{\{repo\}\}/g, repo || "");
@@ -404,7 +404,7 @@ router.put("/api/loop-guard", async (req, res) => {
       const trailing = content.endsWith("\n") ? "" : "\n";
       content += `${trailing}\n[routing]\ndefault = "none"\nmax_agent_hops = ${value}\n`;
     }
-    fs.writeFileSync(tomlPath, content);
+    writeSecureFile(tomlPath, content);
   } catch (err) {
     return res.status(500).json({ error: "Failed to write config.toml", detail: err.message });
   }
@@ -838,7 +838,7 @@ router.post("/api/activity/log", (req, res) => {
   const row = { agent, start, end: ts, duration_ms: Math.max(0, ts - start) };
   try {
     const p = activityLogPath(project);
-    fs.mkdirSync(path.dirname(p), { recursive: true });
+    ensureSecureDir(path.dirname(p));
     fs.appendFileSync(p, JSON.stringify(row) + "\n");
     // Invalidate the stats cache so the next read sees the new row.
     _activityStatsCache.ts = 0;
@@ -1029,7 +1029,7 @@ const uploadStorage = multer.diskStorage({
     const projectId = req.query.project || "";
     if (!projectId || /[/\\]/.test(projectId)) return cb(new Error("Invalid project"));
     const dir = path.join(CONFIG_DIR, projectId, "uploads");
-    fs.mkdirSync(dir, { recursive: true });
+    ensureSecureDir(dir);
     cb(null, dir);
   },
   filename: (_req, file, cb) => {
@@ -1340,7 +1340,7 @@ function readBatchSnapshot(projectId) {
 function writeBatchSnapshot(projectId, snapshot) {
   try {
     const p = batchSnapshotPath(projectId);
-    fs.mkdirSync(path.dirname(p), { recursive: true });
+    ensureSecureDir(path.dirname(p));
     fs.writeFileSync(p, JSON.stringify(snapshot));
   } catch {
     // Non-fatal — panel still works from the live parse.
@@ -1850,8 +1850,8 @@ router.post("/api/setup/save-token", (req, res) => {
   if (!token) return res.status(400).json({ error: "Missing token" });
   const tokenPath = path.join(os.homedir(), ".quadwork", "reviewer-token");
   const dir = path.dirname(tokenPath);
-  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
-  fs.writeFileSync(tokenPath, token.trim() + "\n", { mode: 0o600 });
+  ensureSecureDir(dir);
+  writeSecureFile(tokenPath, token.trim() + "\n");
   try { fs.chmodSync(tokenPath, 0o600); } catch {}
   res.json({ ok: true, path: tokenPath });
 });
@@ -1890,7 +1890,7 @@ router.post("/api/setup", (req, res) => {
       const workingDir = body.workingDir;
       if (!workingDir) return res.json({ ok: false, error: "Missing working directory" });
       if (!fs.existsSync(path.join(workingDir, ".git"))) {
-        if (!fs.existsSync(workingDir)) fs.mkdirSync(workingDir, { recursive: true });
+        if (!fs.existsSync(workingDir)) ensureSecureDir(workingDir);
         if (!REPO_RE.test(body.repo)) return res.json({ ok: false, error: "Invalid repo" });
         const clone = exec("gh", ["repo", "clone", body.repo, workingDir]);
         if (!clone.ok) return res.json({ ok: false, error: `Clone failed: ${clone.output}` });
@@ -2026,7 +2026,7 @@ router.post("/api/setup", (req, res) => {
         }
       }
       const dataDir = path.join(projectConfigDir, "data");
-      fs.mkdirSync(dataDir, { recursive: true });
+      ensureSecureDir(dataDir);
       const tomlPath = path.join(projectConfigDir, "config.toml");
 
       // Resolve per-project ports: prefer explicit body params (from setup wizard),
@@ -2067,7 +2067,7 @@ router.post("/api/setup", (req, res) => {
       // operator to type /continue. AC clamps to [1, 50] internally.
       content += `[routing]\ndefault = "none"\nmax_agent_hops = 30\n\n`;
       content += `[mcp]\nhttp_port = ${mcp_http}\nsse_port = ${mcp_sse}\n`;
-      fs.writeFileSync(tomlPath, content);
+      writeSecureFile(tomlPath, content);
 
       // Restart this project's AgentChattr instance (not global)
       try {
@@ -2158,8 +2158,8 @@ router.post("/api/setup", (req, res) => {
         agentchattr_dir: perProjectDir,
       });
       const dir = path.dirname(CONFIG_PATH);
-      if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
-      fs.writeFileSync(CONFIG_PATH, JSON.stringify(cfg, null, 2));
+      ensureSecureDir(dir);
+      writeConfig(cfg);
 
       // Batch 25 / #204: seed the per-project OVERNIGHT-QUEUE.md at
       // ~/.quadwork/{id}/OVERNIGHT-QUEUE.md.
@@ -2495,8 +2495,7 @@ function writeEnvToken(key, value) {
   const line = `${key}=${value}`;
   if (regex.test(content)) content = content.replace(regex, line);
   else content = content.trimEnd() + (content ? "\n" : "") + line + "\n";
-  fs.writeFileSync(ENV_PATH, content, { mode: 0o600 });
-  fs.chmodSync(ENV_PATH, 0o600);
+  writeSecureFile(ENV_PATH, content);
 }
 
 function resolveToken(value) {
@@ -2558,7 +2557,7 @@ router.get("/api/telegram", async (req, res) => {
         if (data && data.ok && data.result && typeof data.result.username === "string") {
           botUsername = data.result.username;
           project.telegram.bot_username = botUsername;
-          try { fs.writeFileSync(CONFIG_PATH, JSON.stringify(cfg, null, 2)); } catch {}
+          try { writeConfig(cfg); } catch {}
         }
       }
     } catch { /* non-fatal — widget will just show no username */ }
@@ -2718,8 +2717,7 @@ router.post("/api/telegram", async (req, res) => {
       // #383 Bug 2: write agentchattr_url inside [telegram]; the
       // bridge's load_config only reads from that section.
       const tomlContent = buildTelegramBridgeToml(tg, projectId);
-      fs.writeFileSync(tomlPath, tomlContent, { mode: 0o600 });
-      fs.chmodSync(tomlPath, 0o600);
+      writeSecureFile(tomlPath, tomlContent);
       // #353: pre-flight import check so a fresh install with no
       // `requests` module produces a readable error instead of the
       // Start → Running → Stopped flicker that the v1 code path
@@ -2852,7 +2850,7 @@ router.post("/api/telegram", async (req, res) => {
         const project = cfg.projects?.find((p) => p.id === projectId);
         if (project?.telegram) {
           project.telegram.bot_token = `env:${envKey}`;
-          fs.writeFileSync(CONFIG_PATH, JSON.stringify(cfg, null, 2));
+          writeConfig(cfg);
         }
       } catch {}
       return res.json({ ok: true, env_key: envKey });
@@ -2885,7 +2883,7 @@ router.post("/api/telegram", async (req, res) => {
           // will re-fetch it from Telegram's getMe for the new token.
           bot_username: "",
         };
-        fs.writeFileSync(CONFIG_PATH, JSON.stringify(cfg, null, 2));
+        writeConfig(cfg);
         return res.json({ ok: true, env_key: envKey });
       } catch (err) {
         return res.json({ ok: false, error: err.message || "Config write failed" });
@@ -3030,7 +3028,7 @@ router.get("/api/discord", async (req, res) => {
           if (r.ok && data.username) {
             botUsername = data.username;
             project.discord.bot_username = botUsername;
-            try { fs.writeFileSync(CONFIG_PATH, JSON.stringify(cfg, null, 2)); } catch {}
+            try { writeConfig(cfg); } catch {}
           }
         }
       } catch { /* non-fatal — widget will just show no username */ }
@@ -3088,7 +3086,7 @@ router.post("/api/discord", async (req, res) => {
         // #506: always copy bundled bridge files (not just on first install)
         // so re-installing after a QuadWork upgrade refreshes the script.
         if (!fs.existsSync(DISCORD_BRIDGE_DIR)) {
-          fs.mkdirSync(DISCORD_BRIDGE_DIR, { recursive: true });
+          ensureSecureDir(DISCORD_BRIDGE_DIR);
         }
         fs.cpSync(
           path.join(DISCORD_BRIDGE_SRC, "discord_bridge.py"),
@@ -3165,8 +3163,7 @@ router.post("/api/discord", async (req, res) => {
       if (!dc || !dc.bot_token || !dc.channel_id) return res.json({ ok: false, error: "Save bot_token and channel_id in project settings first." });
       const tomlPath = discordConfigToml(projectId);
       const tomlContent = buildDiscordBridgeToml(dc, projectId);
-      fs.writeFileSync(tomlPath, tomlContent, { mode: 0o600 });
-      fs.chmodSync(tomlPath, 0o600);
+      writeSecureFile(tomlPath, tomlContent);
       const depCheck = checkDiscordBridgePythonDeps(venvPython);
       if (!depCheck.ok) {
         const msg =
@@ -3273,7 +3270,7 @@ router.post("/api/discord", async (req, res) => {
           channel_id,
           bot_username: "",
         };
-        fs.writeFileSync(CONFIG_PATH, JSON.stringify(cfg, null, 2));
+        writeConfig(cfg);
         return res.json({ ok: true, env_key: envKey });
       } catch (err) {
         return res.json({ ok: false, error: err.message || "Config write failed" });
@@ -3345,7 +3342,7 @@ router.put("/api/project/:projectId/agent-models/:agentId", (req, res) => {
       else a.reasoning_effort = reasoning;
     }
     project.agents[agentId] = a;
-    fs.writeFileSync(CONFIG_PATH, JSON.stringify(cfg, null, 2));
+    writeConfig(cfg);
     return res.json({ ok: true, agent: { agent_id: agentId, model: a.model || "", reasoning_effort: a.reasoning_effort || "" } });
   } catch (err) {
     return res.json({ ok: false, error: err.message || "write failed" });

package/server/scrub-secrets.js

@@ -0,0 +1,51 @@
+// --- #538: PTY output secret scrubbing ---
+// Redact likely secrets from both live PTY streaming and scrollback
+// replay so echoed credentials are not exposed to dashboard clients.
+//
+// Threat model: QuadWork binds to 127.0.0.1 only. The scrub is
+// defense-in-depth — it reduces exposure if a secret is accidentally
+// echoed, but cannot catch every possible format. Operators who handle
+// highly sensitive credentials should avoid echoing them in agent
+// terminals.
+//
+// Live chunks from term.onData() are typically line-aligned (shell
+// flushes on newline), so per-chunk scrubbing catches the vast majority
+// of secrets. A secret split across two chunks is a theoretical edge
+// case that the scrollback scrub (which sees the full buffer) covers
+// on reconnect.
+
+// Patterns that indicate a line contains a secret value.
+const _SECRET_NAME_RE = /\b\w*(KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL|PASSPHRASE|AUTH)\w*\s*[=:]/i;
+// Known API key prefixes (Anthropic, GitHub, OpenAI, etc.).
+const _API_KEY_PREFIX_RE = /\b(sk-ant-api\d{2}-[A-Za-z0-9_-]{20,}|ghp_[A-Za-z0-9]{36,}|ghu_[A-Za-z0-9]{36,}|ghs_[A-Za-z0-9]{36,}|sk-[A-Za-z0-9]{20,}|xoxb-[A-Za-z0-9-]{20,}|xoxp-[A-Za-z0-9-]{20,})\b/;
+// Bearer authorization headers.
+const _BEARER_RE = /\bBearer\s+[A-Za-z0-9_.+/=-]{20,}/i;
+const _REDACTED = "[REDACTED]";
+
+function scrubSecrets(text) {
+  if (!text) return text;
+  return text.split("\n").map((line) => {
+    // Strip ANSI escape codes for pattern matching, but redact the
+    // original line (preserves terminal formatting around non-secret
+    // lines while ensuring secrets inside styled output are caught).
+    const plain = line.replace(/\x1b\[[0-9;]*[A-Za-z]/g, "");
+    if (_SECRET_NAME_RE.test(plain)) {
+      // Redact the value portion after the = or : delimiter.
+      return line.replace(/([=:])\s*\S.*/, `$1 ${_REDACTED}`);
+    }
+    if (_API_KEY_PREFIX_RE.test(plain)) {
+      return line.replace(_API_KEY_PREFIX_RE, _REDACTED);
+    }
+    if (_BEARER_RE.test(plain)) {
+      return line.replace(/\bBearer\s+[A-Za-z0-9_.+/=-]{20,}/gi, `Bearer ${_REDACTED}`);
+    }
+    return line;
+  }).join("\n");
+}
+
+function scrubScrollback(buf) {
+  if (!buf || buf.length === 0) return buf;
+  return Buffer.from(scrubSecrets(buf.toString("utf-8")), "utf-8");
+}
+
+module.exports = { scrubSecrets, scrubScrollback, _REDACTED };