Merge pull request #33 from auriti/fix/profile-file-permissions

fix: restrict .openclaude-profile.json to owner-only permissions (0600)

scripts/provider-bootstrap.ts

@@ -148,7 +148,7 @@ async function main(): Promise<void> {
   const profile = createProfileFile(selected, env)
 
   const outputPath = resolve(process.cwd(), '.openclaude-profile.json')
-  writeFileSync(outputPath, JSON.stringify(profile, null, 2), 'utf8')
+  writeFileSync(outputPath, JSON.stringify(profile, null, 2), { encoding: 'utf8', mode: 0o600 })
 
   console.log(`Saved profile: ${selected}`)
   console.log(`Goal: ${goal}`)