security(cli): fix config file permissions and login alias api_key dest

1. Config file now written with 0600 permissions (owner read/write only)
   instead of default 0644. Prevents other users on shared systems from
   reading stored API keys from ~/.config/roboflow/config.json.

2. Login alias --api-key flag now uses dest="login_api_key" to match
   what _login() handler reads, fixing a dead code path where the
   alias's --api-key value was silently ignored.

278 tests pass, all linting clean.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: yeldarby

roboflow/cli/handlers/_aliases.py

@@ -22,7 +22,7 @@ def register(subparsers: argparse._SubParsersAction) -> None:  # type: ignore[ty
     from roboflow.cli.handlers.auth import _login
 
     login_p = subparsers.add_parser("login", help="Log in to Roboflow (alias for 'auth login')")
-    login_p.add_argument("--api-key", dest="api_key_flag", default=None, help="API key (skip interactive login)")
+    login_p.add_argument("--api-key", dest="login_api_key", default=None, help="API key (skip interactive login)")
     login_p.add_argument("--force", "-f", action="store_true", help="Force re-login")
     login_p.set_defaults(func=_login)
 

roboflow/cli/handlers/auth.py

@@ -78,10 +78,13 @@ def _load_config() -> dict:
 def _save_config(config: dict) -> None:
     import json
     import os
+    import stat
 
     path = _get_config_path()
     os.makedirs(os.path.dirname(path), exist_ok=True)
-    with open(path, "w") as f:
+    # Write with owner-only permissions (0600) since the file contains API keys
+    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, stat.S_IRUSR | stat.S_IWUSR)
+    with os.fdopen(fd, "w") as f:
         json.dump(config, f, indent=2)