meshcode 2.10.42__tar.gz → 2.10.45__tar.gz

{meshcode-2.10.42 → meshcode-2.10.45}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: meshcode
-Version: 2.10.42
+Version: 2.10.45
 Summary: Real-time communication between AI agents — Supabase-backed CLI
 Author-email: MeshCode <hello@meshcode.io>
 License: MIT

{meshcode-2.10.42 → meshcode-2.10.45}/meshcode/__init__.py

@@ -1,2 +1,2 @@
 """MeshCode — Real-time communication between AI agents."""
-__version__ = "2.10.42"
+__version__ = "2.10.45"

{meshcode-2.10.42 → meshcode-2.10.45}/meshcode/comms_v4.py

@@ -315,10 +315,14 @@ def mark_nudged(project, name):
 
 
 def _sanitize_notification_text(text: str) -> str:
-    """Strip characters that could escape shell/PS quoting contexts."""
-    # Remove quotes, backticks, dollar signs, semicolons, pipes, and backslashes
-    # to prevent injection in osascript, PowerShell, and notify-send.
-    return "".join(c for c in text if c not in '"\'`$;|\\<>(){}')
+    """Whitelist-sanitize text for safe use in shell notification commands.
+
+    Only allows alphanumeric, spaces, and safe punctuation. This is a
+    whitelist (not blocklist) to prevent injection in osascript, PowerShell,
+    and notify-send even if new shell metacharacters are discovered.
+    """
+    import re
+    return re.sub(r'[^a-zA-Z0-9 _\-.,!?:@#/\u00c0-\u024f\u2190-\u21ff]', '', text)[:200]
 
 
 def send_notification(project, name, from_agent, pending=1):
@@ -332,19 +336,20 @@ def send_notification(project, name, from_agent, pending=1):
                 f'display notification "{body}" with title "{title}" sound name "Ping"'],
                 capture_output=True, timeout=3)
         elif sys.platform == "win32":
-            # PowerShell: use single-quoted strings (no variable expansion)
-            # and pass title/body via -replace to avoid any interpolation
+            # PowerShell: read title/body from environment variables instead of
+            # interpolating into the script string — prevents PS injection.
             ps_script = (
                 '[Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime] | Out-Null; '
                 '$xml = [Windows.UI.Notifications.ToastNotificationManager]::GetTemplateContent(0); '
                 '$text = $xml.GetElementsByTagName("text"); '
-                f"$text[0].AppendChild($xml.CreateTextNode('{title}')); "
-                f"$text[1].AppendChild($xml.CreateTextNode('{body}')); "
+                '$text[0].AppendChild($xml.CreateTextNode($env:MC_NOTIFY_TITLE)); '
+                '$text[1].AppendChild($xml.CreateTextNode($env:MC_NOTIFY_BODY)); '
                 '$toast = [Windows.UI.Notifications.ToastNotification]::new($xml); '
                 '[Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier("MeshCode").Show($toast)'
             )
+            env = {**os.environ, "MC_NOTIFY_TITLE": title, "MC_NOTIFY_BODY": body}
             subprocess.run(['powershell', '-NoProfile', '-Command', ps_script],
-                capture_output=True, timeout=5)
+                capture_output=True, timeout=5, env=env)
         else:
             # Linux: notify-send takes title and body as separate args (no shell)
             subprocess.run(['notify-send', title, body], capture_output=True, timeout=3)
@@ -352,6 +357,48 @@ def send_notification(project, name, from_agent, pending=1):
         pass
 
 
+def _nudge_windows_terminal(name, pending, tty, pid):
+    """Activate the agent's terminal window on Windows.
+
+    Uses PowerShell + kernel32 to find the console window by process ID and
+    bring it to the foreground. Does NOT send keystrokes — that would risk
+    confirming prompts or interrupting bypass mode. The window activation
+    combined with the desktop notification is enough to alert the user.
+    """
+    if not pid:
+        return
+    try:
+        pid = int(pid)
+    except (ValueError, TypeError):
+        return
+    try:
+        ps_script = f'''
+$proc = Get-Process -Id {pid} -ErrorAction SilentlyContinue
+if ($proc -and $proc.MainWindowHandle -ne 0) {{
+    Add-Type @"
+    using System;
+    using System.Runtime.InteropServices;
+    public class WinApi {{
+        [DllImport("user32.dll")] public static extern bool SetForegroundWindow(IntPtr hWnd);
+        [DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
+    }}
+"@
+    [WinApi]::ShowWindow($proc.MainWindowHandle, 9)
+    [WinApi]::SetForegroundWindow($proc.MainWindowHandle)
+}}
+'''
+        subprocess.run(
+            ["powershell", "-NoProfile", "-Command", ps_script],
+            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
+            timeout=10,
+        )
+        log_msg(f"[nudge] Windows: activated terminal for {name} (pid={pid})")
+    except subprocess.TimeoutExpired:
+        log_msg(f"[nudge] Windows: PowerShell timed out for {name}")
+    except Exception as e:
+        log_msg(f"[nudge] Windows: failed for {name}: {e}")
+
+
 def _is_pid_alive(pid):
     """Return True iff the given pid corresponds to a live process."""
     if not pid:
@@ -796,8 +843,10 @@ def nudge_agent(project, name, from_agent=""):
     message = f"Tienes {pending} mensaje(s). Revisa: meshcode read {project} {name}"
     escaped_message = message.replace('\\', '\\\\').replace('"', '\\"')
 
-    # Only attempt AppleScript nudge on macOS
+    # Non-macOS: use platform-specific terminal nudge
     if sys.platform != "darwin":
+        if sys.platform == "win32":
+            _nudge_windows_terminal(name, pending, tty, cached_pid)
         send_notification(project, name, from_agent, pending)
         mark_nudged(project, name)
         return True
@@ -2691,12 +2740,35 @@ if __name__ == "__main__":
                 cur = get_permission_mode()
                 print(f"permission_mode: {cur or '(unset — will prompt on next run)'}")
                 sys.exit(0)
+        elif sub == "claude-version":
+            from meshcode.preferences import load_prefs, save_prefs
+            if len(sys.argv) > 3:
+                ver = sys.argv[3].strip()
+                if ver in ("reset", "unpin", "latest"):
+                    prefs = load_prefs()
+                    prefs.pop("claude_version", None)
+                    save_prefs(prefs)
+                    print("[meshcode] Claude Code version pin removed — will use installed version")
+                else:
+                    prefs = load_prefs()
+                    prefs["claude_version"] = ver
+                    save_prefs(prefs)
+                    print(f"[meshcode] Claude Code version pinned to: {ver}")
+                    print(f"[meshcode] meshcode run will use npx @anthropic-ai/claude-code@{ver}")
+                sys.exit(0)
+            else:
+                from meshcode.preferences import load_prefs
+                cur = load_prefs().get("claude_version")
+                print(f"claude_version: {cur or '(not pinned — using installed version)'}")
+                sys.exit(0)
         elif sub == "reset":
             reset_permission_mode()
             print("[meshcode] preferences reset")
             sys.exit(0)
         else:
             print("Usage: meshcode prefs permission-mode [bypass|safe|ask]")
+            print("       meshcode prefs claude-version [version|reset]")
+            print("       meshcode prefs auto-update [on|off|reset]")
             print("       meshcode prefs reset")
             sys.exit(1)
 

{meshcode-2.10.42 → meshcode-2.10.45}/meshcode/meshcode_mcp/server.py

@@ -108,14 +108,14 @@ _SEEN_TTL = 300.0  # 5 minutes
 # ============================================================
 # Auto-wake: when agent is NOT in meshcode_wait and a message
 # arrives, inject text into the terminal to wake the agent.
-# DEFAULT: ON. Disable with MESHCODE_AUTO_WAKE=0 if you don't want it.
 # ============================================================
 _IN_WAIT = False  # True while meshcode_wait is blocking
-# Default OFF as of 2.10.27 — the AppleScript/PowerShell keystroke injection
-# wrote nudge text directly into the user's terminal, which corrupts stdin on
-# terminals that don't interpret ANSI, interrupts the user mid-typing, and
-# duplicates what the dashboard already surfaces. Opt-in with
-# MESHCODE_AUTO_WAKE=1 for users who want the legacy behavior.
+# Default OFF — keystroke injection can corrupt stdin on some terminals.
+# The primary nudge path is now in comms_v4.nudge_agent() which uses
+# platform-specific window activation (SetForegroundWindow on Windows,
+# AppleScript on macOS) + desktop notification.
+# Set MESHCODE_AUTO_WAKE=1 to also inject text into the terminal from
+# the MCP server side (useful if comms_v4 nudge doesn't reach the agent).
 _AUTO_WAKE = os.environ.get("MESHCODE_AUTO_WAKE", "0").lower() in ("1", "true", "yes")
 
 
@@ -174,10 +174,12 @@ def _try_auto_wake(from_agent: str, preview: str) -> None:
     system = platform.system()
     try:
         if system == "Darwin":
-            # Use xdotool-style approach: pass nudge as argument, not interpolated script
+            # Sanitize app_name — TERM_PROGRAM is an env var, not DB-sourced,
+            # but defense-in-depth: only allow known terminal app names.
             parent_app = os.environ.get("TERM_PROGRAM", "Terminal")
             app_name = "iTerm" if "iTerm" in parent_app else "Terminal"
-            # Escape for AppleScript string: replace backslash and double-quote
+            # Escape for AppleScript string: replace backslash and double-quote.
+            # nudge is already whitelist-sanitized (alphanum + _-.,!? space only).
             as_safe = nudge.replace("\\", "\\\\").replace('"', '\\"')
             script = f'''
             tell application "{app_name}"
@@ -191,14 +193,16 @@ def _try_auto_wake(from_agent: str, preview: str) -> None:
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
             log.info(f"auto-wake: injected nudge via {app_name} AppleScript")
         elif system == "Windows":
-            # Sanitize for SendKeys: strip braces and special SendKeys metacharacters
-            sk_safe = nudge.replace("{", "").replace("}", "").replace("+", "").replace("^", "").replace("%", "").replace("~", "")
-            ps_script = f'''
+            # Pass nudge text via environment variable instead of interpolating
+            # into a PowerShell string — prevents any PS injection.
+            ps_script = '''
             Add-Type -AssemblyName System.Windows.Forms
-            [System.Windows.Forms.SendKeys]::SendWait("{sk_safe}{{ENTER}}")
+            [System.Windows.Forms.SendKeys]::SendWait($env:MC_NUDGE_TEXT + "{ENTER}")
             '''
-            subprocess.Popen(["powershell", "-Command", ps_script],
-                             stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+            env = {**os.environ, "MC_NUDGE_TEXT": nudge}
+            subprocess.run(["powershell", "-NoProfile", "-Command", ps_script],
+                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
+                           timeout=10, env=env)
             log.info("auto-wake: injected nudge via PowerShell SendKeys")
         else:
             # Linux — xdotool takes args directly, not shell-interpolated (safe)
@@ -3026,6 +3030,25 @@ def meshcode_recall_search(query: str) -> Dict[str, Any]:
     })
 
 
+# ----------------- BUG REPORTING -----------------
+
+@mcp.tool()
+@with_working_status
+def meshcode_report_bug(description: str) -> Dict[str, Any]:
+    """Report a bug from within the mesh. Visible in admin panel.
+
+    Args:
+        description: What went wrong — include steps to reproduce if possible.
+    """
+    api_key = _get_api_key()
+    return be.sb_rpc("mc_report_bug", {
+        "p_api_key": api_key,
+        "p_description": description,
+        "p_meshwork_name": PROJECT_NAME,
+        "p_agent_name": AGENT_NAME,
+    })
+
+
 # ----------------- HEALTH CHECK -----------------
 
 @mcp.tool()

{meshcode-2.10.42 → meshcode-2.10.45}/meshcode/run_agent.py

@@ -351,6 +351,106 @@ def _list_local_projects_for_agent(agent: str) -> list:
     return out
 
 
+STABLE_CLAUDE_VERSION = "2.1.104"  # Known-good version: ESC does NOT kill MCP
+
+
+def _get_claude_version(editor_cmd: str) -> Optional[str]:
+    """Get the installed Claude Code version. Returns None on failure."""
+    try:
+        use_shell = sys.platform == "win32" and editor_cmd.lower().endswith((".cmd", ".bat"))
+        r = subprocess.run(
+            [editor_cmd, "--version"],
+            capture_output=True, text=True, timeout=10,
+            shell=use_shell,
+        )
+        # Output is typically just the version string, e.g. "2.1.104"
+        version = r.stdout.strip().split('\n')[0].strip()
+        if version:
+            return version
+    except Exception:
+        pass
+    return None
+
+
+def _fetch_global_claude_version() -> Optional[str]:
+    """Fetch the admin-pinned Claude Code version from mc_global_config.
+
+    Uses the user's API key to authenticate the RPC call. Returns None
+    on any failure (no network, no key, etc.) — caller falls back to
+    local preferences or installed version.
+    """
+    try:
+        from .secrets import get_api_key
+        api_key = get_api_key()
+        if not api_key:
+            return None
+        from .setup_clients import _load_supabase_env
+        env = _load_supabase_env()
+        url = env.get("SUPABASE_URL", "")
+        anon_key = env.get("SUPABASE_KEY", "")
+        if not url or not anon_key:
+            return None
+        from urllib.request import Request, urlopen
+        import json as _json
+        req = Request(
+            f"{url}/rest/v1/rpc/mc_get_global_config_by_key",
+            data=_json.dumps({"p_api_key": api_key, "p_config_key": "claude_version"}).encode(),
+            headers={
+                "Content-Type": "application/json",
+                "apikey": anon_key,
+                "Authorization": f"Bearer {anon_key}",
+            },
+        )
+        with urlopen(req, timeout=5) as resp:
+            raw = _json.loads(resp.read())
+            # RPC returns the JSONB value directly — could be a string or object
+            if isinstance(raw, str) and raw not in ("latest", ""):
+                return raw
+    except Exception:
+        pass
+    return None
+
+
+def _resolve_pinned_claude(editor_cmd: str) -> str:
+    """Check if a specific Claude Code version is pinned and resolve the command.
+
+    Version pin sources (first wins):
+      1. MESHCODE_CLAUDE_VERSION env var (per-launch override)
+      2. mc_global_config 'claude_version' from DB (admin-controlled)
+      3. claude_version in ~/.meshcode/preferences.json (local fallback)
+      4. No pin — use whatever is installed
+
+    If a pin is set and the installed version doesn't match, uses npx to
+    run the exact pinned version.
+    """
+    from .preferences import load_prefs
+
+    pinned = os.environ.get("MESHCODE_CLAUDE_VERSION", "").strip()
+    if not pinned:
+        # Check global admin config from DB
+        global_ver = _fetch_global_claude_version()
+        if global_ver:
+            pinned = global_ver
+            print(f"[meshcode] Global admin pin: Claude Code v{pinned}", file=sys.stderr)
+    if not pinned:
+        pinned = load_prefs().get("claude_version", "")
+    if not pinned:
+        return editor_cmd  # No pin — use installed version
+
+    current = _get_claude_version(editor_cmd)
+    if current == pinned:
+        print(f"[meshcode] Claude Code version {current} matches pin ✓", file=sys.stderr)
+        return editor_cmd
+
+    print(f"[meshcode] Version pin: {pinned} (installed: {current or 'unknown'})", file=sys.stderr)
+    print(f"[meshcode] Using npx to run pinned version...", file=sys.stderr)
+
+    # Use npx to run the exact pinned version. npx will download it if needed.
+    # We set an env var so the launch path knows to prepend npx args.
+    os.environ["_MESHCODE_NPX_CLAUDE_VERSION"] = pinned
+    return editor_cmd  # Still return the editor — launch path handles npx
+
+
 def _claude_supports_bypass(editor_cmd: str) -> bool:
     """Check if the Claude Code binary supports --dangerously-skip-permissions.
 
@@ -363,13 +463,30 @@ def _claude_supports_bypass(editor_cmd: str) -> bool:
     """
     try:
         use_shell = sys.platform == "win32" and editor_cmd.lower().endswith((".cmd", ".bat"))
+        print(f"[meshcode] bypass-detect: checking '{editor_cmd}' (shell={use_shell})", file=sys.stderr)
         r = subprocess.run(
             [editor_cmd, "--help"],
             capture_output=True, text=True, timeout=10,
             shell=use_shell,
         )
-        return "--dangerously-skip-permissions" in r.stdout
-    except Exception:
+        found = "--dangerously-skip-permissions" in r.stdout
+        if found:
+            print(f"[meshcode] bypass-detect: ✓ flag found — bypass mode available", file=sys.stderr)
+        else:
+            stdout_len = len(r.stdout)
+            stderr_preview = (r.stderr or "")[:200]
+            print(f"[meshcode] bypass-detect: ✗ flag NOT found in --help output ({stdout_len} chars, exit={r.returncode})", file=sys.stderr)
+            if stderr_preview:
+                print(f"[meshcode] bypass-detect: stderr: {stderr_preview}", file=sys.stderr)
+        return found
+    except subprocess.TimeoutExpired:
+        print(f"[meshcode] bypass-detect: ✗ '{editor_cmd} --help' timed out after 10s", file=sys.stderr)
+        return False
+    except FileNotFoundError:
+        print(f"[meshcode] bypass-detect: ✗ '{editor_cmd}' not found in PATH", file=sys.stderr)
+        return False
+    except Exception as e:
+        print(f"[meshcode] bypass-detect: ✗ unexpected error: {e}", file=sys.stderr)
         return False
 
 
@@ -377,17 +494,22 @@ def _detect_editor() -> Optional[str]:
     """Pick the user's preferred MCP-aware editor."""
     override = os.environ.get("MESHCODE_EDITOR", "").strip().lower()
     if override:
-        if shutil.which(override):
-            return override
+        resolved = shutil.which(override)
+        if resolved:
+            # On Windows, return resolved path to preserve .cmd/.bat extension
+            return resolved if sys.platform == "win32" else override
         print(f"[meshcode] WARNING: MESHCODE_EDITOR='{override}' not found in PATH", file=sys.stderr)
 
     # Detection order: most likely to be installed + best per-workspace MCP
     # support first. codex is last because its MCP config is GLOBAL only —
     # launching it doesn't take a workspace-scoped .mcp.json, so it should
     # only be picked if nothing else is available.
+    # On Windows, return the fully-resolved path so .cmd/.bat extension is
+    # preserved — needed for shell=True detection in bypass and launch paths.
     for cmd in ("claude", "cursor", "code", "windsurf", "codex"):
-        if shutil.which(cmd):
-            return cmd
+        resolved = shutil.which(cmd)
+        if resolved:
+            return resolved if sys.platform == "win32" else cmd
 
     # Windows fallback: check common install locations not in PATH
     if sys.platform == "win32":
@@ -641,10 +763,14 @@ def run(agent: str, project: Optional[str] = None, editor_override: Optional[str
     print(f"[meshcode]   Closing the editor will flip this agent offline.")
     print()
 
+    # On Windows, editor is the fully-resolved path (e.g. 'c:\...\claude.cmd')
+    # so we compare against the stem (filename without extension).
+    editor_stem = Path(editor).stem.lower() if sys.platform == "win32" else editor
+
     # Set editor type so MCP server can report it to the dashboard
-    os.environ["MESHCODE_EDITOR_TYPE"] = editor
+    os.environ["MESHCODE_EDITOR_TYPE"] = editor_stem
 
-    if editor == "claude":
+    if editor_stem == "claude":
         # Claude Code: run from inside the workspace and let Claude Code
         # auto-discover .mcp.json as a PROJECT-scoped MCP. We used to pass
         # --mcp-config + --strict-mcp-config here, but that categorises the
@@ -654,10 +780,24 @@ def run(agent: str, project: Optional[str] = None, editor_override: Optional[str
         # scoped MCPs (loaded from ./.mcp.json at cwd) live in the "Local
         # MCP" bucket and survive ESC. Verified with a minimal FastMCP
         # repro side-by-side: Built-in dies, Local survives, same SDK code.
+        # Check for version pin before building launch command
+        effective_editor = _resolve_pinned_claude(editor)
+        pinned_version = os.environ.get("_MESHCODE_NPX_CLAUDE_VERSION", "")
+
         mode = resolve_permission_mode(permission_override)
-        cmd = [editor]
+        print(f"[meshcode]   Editor resolved: {editor}", file=sys.stderr)
+        print(f"[meshcode]   Permission mode resolved: {mode}", file=sys.stderr)
+
+        if pinned_version:
+            # Use npx to run the exact pinned version
+            cmd = ["npx", f"@anthropic-ai/claude-code@{pinned_version}"]
+            print(f"[meshcode]   Using pinned version via npx: {pinned_version}")
+        else:
+            cmd = [effective_editor]
+
         if mode == "bypass":
-            if _claude_supports_bypass(editor):
+            bypass_check_cmd = effective_editor if not pinned_version else "claude"
+            if pinned_version or _claude_supports_bypass(bypass_check_cmd):
                 cmd.append("--dangerously-skip-permissions")
                 print(f"[meshcode]   Permission mode: bypass (autonomous loop, no prompts)")
             else:
@@ -678,17 +818,17 @@ def run(agent: str, project: Optional[str] = None, editor_override: Optional[str
             os.chdir(ws)
         except Exception as e:
             print(f"[meshcode] WARNING: chdir to workspace failed: {e}", file=sys.stderr)
-    elif editor == "cursor":
+    elif editor_stem == "cursor":
         # Cursor reads .cursor/mcp.json from the workspace cwd.
         cmd = [editor, str(ws)]
-    elif editor == "code":
+    elif editor_stem == "code":
         # VS Code (Cline reads .vscode/mcp.json from workspace cwd).
         cmd = [editor, str(ws)]
-    elif editor == "windsurf":
+    elif editor_stem == "windsurf":
         # Windsurf (Codeium fork of VS Code) — reads workspace cwd the same
         # way VS Code does; global MCP config at ~/.codeium/windsurf/mcp_config.json.
         cmd = [editor, str(ws)]
-    elif editor == "codex":
+    elif editor_stem == "codex":
         # Codex CLI reads ~/.codex/config.toml globally. There's no per-
         # workspace flag, so launching is just `codex` with cwd set to the
         # workspace dir so any file ops the agent does land there.
@@ -745,7 +885,14 @@ def run(agent: str, project: Optional[str] = None, editor_override: Optional[str
             # workspace even if os.chdir() didn't stick (shell=True can
             # reset cwd via cmd.exe).
             import subprocess as _sp
-            use_shell = cmd[0].lower().endswith((".cmd", ".bat"))
+            # .cmd/.bat files need shell=True. Also check if the resolved
+            # path of cmd[0] is a .cmd (e.g., "npx" resolves to "npx.cmd").
+            cmd0 = cmd[0].lower()
+            use_shell = cmd0.endswith((".cmd", ".bat"))
+            if not use_shell:
+                resolved_cmd0 = shutil.which(cmd[0])
+                if resolved_cmd0 and resolved_cmd0.lower().endswith((".cmd", ".bat")):
+                    use_shell = True
             if use_shell:
                 print(f"[meshcode]   (Windows: launching via shell for .cmd wrapper)")
             launch_cwd = str(ws) if os.path.isdir(ws) else None

{meshcode-2.10.42 → meshcode-2.10.45}/meshcode/secrets.py

@@ -47,6 +47,33 @@ DEFAULT_PROFILE = "default"
 LEGACY_CREDS_FILE = Path.home() / ".meshcode" / "credentials.json"
 
 
+# ============================================================
+# File permission helpers
+# ============================================================
+
+
+def _restrict_perms(path: "Path") -> None:
+    """Restrict file to owner-only access on all platforms.
+
+    On Windows, os.chmod(0o600) is a no-op — must use icacls to remove
+    inherited ACLs and grant only the current user Full Control.
+    """
+    try:
+        if sys.platform == "win32":
+            import subprocess
+            username = os.environ.get("USERNAME", os.environ.get("USER", ""))
+            if username:
+                subprocess.run(
+                    ["icacls", str(path), "/inheritance:r",
+                     "/grant:r", f"{username}:(F)"],
+                    capture_output=True, timeout=5,
+                )
+        else:
+            os.chmod(path, 0o600)
+    except Exception:
+        pass
+
+
 # ============================================================
 # Keyring backend probe
 # ============================================================
@@ -129,10 +156,7 @@ def _save_index(idx: Dict[str, Any]) -> None:
     PROFILE_INDEX.parent.mkdir(parents=True, exist_ok=True)
     tmp = PROFILE_INDEX.with_suffix(".tmp")
     tmp.write_text(json.dumps(idx, indent=2), encoding="utf-8")
-    try:
-        os.chmod(tmp, 0o600)
-    except Exception:
-        pass
+    _restrict_perms(tmp)
     tmp.replace(PROFILE_INDEX)
 
 
@@ -182,10 +206,7 @@ def set_api_key(api_key: str, profile: str = DEFAULT_PROFILE,
     fallback_path = Path.home() / ".meshcode" / f"credentials.{profile}.json"
     fallback_path.parent.mkdir(parents=True, exist_ok=True)
     fallback_path.write_text(json.dumps({"api_key": api_key, **(meta or {})}, indent=2), encoding="utf-8")
-    try:
-        os.chmod(fallback_path, 0o600)
-    except Exception:
-        pass
+    _restrict_perms(fallback_path)
     _index_set(profile, {"backend": "file-fallback", **(meta or {})})
     return True
 

{meshcode-2.10.42 → meshcode-2.10.45}/meshcode/setup_clients.py

@@ -204,11 +204,31 @@ def _build_server_block(project: str, project_id: str, agent: str, role: str,
     }
 
 
+def _restrict_perms(path: Path) -> None:
+    """Restrict file to owner-only access (Windows-aware)."""
+    try:
+        if sys.platform == "win32":
+            import subprocess
+            username = os.environ.get("USERNAME", os.environ.get("USER", ""))
+            if username:
+                subprocess.run(
+                    ["icacls", str(path), "/inheritance:r",
+                     "/grant:r", f"{username}:(F)"],
+                    capture_output=True, timeout=5,
+                )
+        else:
+            os.chmod(path, 0o600)
+    except Exception:
+        pass
+
+
 def _atomic_write_json(path: Path, data: dict) -> None:
     path.parent.mkdir(parents=True, exist_ok=True)
     tmp = path.with_suffix(path.suffix + ".tmp")
     tmp.write_text(json.dumps(data, indent=2), encoding="utf-8")
+    _restrict_perms(tmp)
     tmp.replace(path)
+    _restrict_perms(path)
 
 
 def _toml_escape(s: str) -> str:

{meshcode-2.10.42 → meshcode-2.10.45}/meshcode.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: meshcode
-Version: 2.10.42
+Version: 2.10.45
 Summary: Real-time communication between AI agents — Supabase-backed CLI
 Author-email: MeshCode <hello@meshcode.io>
 License: MIT

{meshcode-2.10.42 → meshcode-2.10.45}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "meshcode"
-version = "2.10.42"
+version = "2.10.45"
 description = "Real-time communication between AI agents — Supabase-backed CLI"
 readme = "README.md"
 license = {text = "MIT"}