Code / Tracked since May 19, 2026

aider now writes OpenRouter OAuth keys with owner-only permissions

The OpenRouter OAuth onboarding path in `aider/onboarding.py` was changed to stop creating `~/.aider/oauth-keys.env` with default umask permissions, which could make the API key readable by other local users.

aider/onboarding.py / OpenRouter OAuth / OPENROUTER_API_KEY / umask

What Happened

  • The OpenRouter OAuth onboarding path in `aider/onboarding.py` was changed to stop creating `~/.aider/oauth-keys.env` with default umask permissions, which could make the API key readable by other local users.
  • 1 evidence item attached for review.

What is Different

Before

Scattered source updates, isolated context, and manual follow-up across multiple feeds.

Now

Implemented permission hardening for persisted OpenRouter credentials by explicitly `chmod`-ing `~/.aider` to `0o700`, creating new key files with `os.open(... O_WRONLY|O_CREAT|O_TRUNC, 0o600)` wrapped by `os.fdopen`, and `chmod`-ing existing key files to `0o600` after write.
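The default-mode write next to the owner-only write described above, as an added example that is not aider's own code. The function names, the `OPENROUTER_API_KEY="..."` line format and the key value are assumptions constructed for illustration, and the demo runs in a temporary directory standing in for the home directory.

```python
import os
import stat
import tempfile


def write_key_default(path, key):
    """'Before' pattern: open() creates the file as 0o666 & ~umask."""
    with open(path, "w") as f:
        f.write(f'OPENROUTER_API_KEY="{key}"\n')


def write_key_owner_only(path, key):
    """Hardened pattern: 0o700 directory, file created as 0o600, chmod after write."""
    config_dir = os.path.dirname(path)
    os.makedirs(config_dir, exist_ok=True)
    try:
        os.chmod(config_dir, 0o700)
    except OSError:
        pass  # swallowed: no guarantee where chmod is not honoured (non-Unix)
    # The mode argument only takes effect when O_CREAT really creates the file,
    # so a new file never exists with wider permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f'OPENROUTER_API_KEY="{key}"\n')
    try:
        os.chmod(path, 0o600)  # a file that already existed keeps its old mode until here
    except OSError:
        pass


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Return (default mode, re-written existing file, fresh file, directory)."""
    old_umask = os.umask(0o022)  # common default umask on shared Unix hosts
    try:
        with tempfile.TemporaryDirectory() as home:
            key_file = os.path.join(home, ".aider", "oauth-keys.env")
            os.makedirs(os.path.dirname(key_file))
            write_key_default(key_file, "sk-or-constructed-example")
            before = mode_of(key_file)
            write_key_owner_only(key_file, "sk-or-constructed-example")
            existing = mode_of(key_file)
            os.remove(key_file)
            write_key_owner_only(key_file, "sk-or-constructed-example")
            return before, existing, mode_of(key_file), mode_of(os.path.dirname(key_file))
    finally:
        os.umask(old_umask)
```
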

Why Track This

Why It Matters

Developers and operators using aider on shared Unix systems are now far less likely to have their OpenRouter token silently reused by another account, which materially reduces the risk of leaked credits or unauthorized prompt traffic from a local co-tenant. The change blocks the previous default-umask path that left `oauth-keys.env` at `0o644`, and it closes a TOCTOU window by creating new files directly with mode `0o600`, while also tightening existing directories and files. Keep watching non-Unix environments, where `chmod` errors are swallowed, to ensure the project does not overstate its security guarantees, and any other credential write paths that may still use default-mode file creation.

What To Watch Next

  • Watch whether `aider/onboarding.py` becomes a repeated pattern.
  • Track follow-up changes around AI Governance and Compliance.
  • Compare future signals against this evidence trail.
  • Re-check risk flags: non_unix_permission_sanitization_not_enforced, other_credential_write_paths_needing_hardening.

Risk flags: non_unix_permission_sanitization_not_enforced / other_credential_write_paths_needing_hardening / local_shared_host_access_to_config_directory

Supporting Evidence