Fix code review issues: file perms, key rotate .mcp.json, deactivate match

- atomicWriteJson: write tmp file with mode 0o600 (was world-readable)
- key rotate: also update .mcp.json Authorization header (was left stale)
- key deactivate: use includes() not startsWith() for key_prefix match
  (key_prefix is 8 hex chars from the secret, not a prefix of fullKey)
- Warn when hooks/ not found in package during init

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: RusDyn

cli/src/commands/key.ts

@@ -347,6 +347,26 @@ export async function keyRotateCommand(nameOrId: string) {
       }
     }
 
+    // Update .mcp.json if present
+    const mcpPath = join(process.cwd(), '.mcp.json');
+    if (existsSync(mcpPath)) {
+      try {
+        const mcpConfig = JSON.parse(readFileSync(mcpPath, 'utf-8'));
+        if (mcpConfig.mcpServers?.writbase?.headers?.Authorization || mcpConfig.writbase?.headers?.Authorization) {
+          const entry = mcpConfig.mcpServers?.writbase ?? mcpConfig.writbase;
+          if (entry?.headers) {
+            entry.headers.Authorization = `Bearer ${fullKey}`;
+            const mcpTmpPath = mcpPath + '.tmp';
+            writeFileSync(mcpTmpPath, JSON.stringify(mcpConfig, null, 2) + '\n', { mode: 0o600 });
+            renameSync(mcpTmpPath, mcpPath);
+            success('Updated agent key in .mcp.json');
+          }
+        }
+      } catch {
+        // Non-critical — skip
+      }
+    }
+
     console.log();
     warn('Save this new key — it cannot be retrieved later:');
     console.log();
@@ -676,7 +696,7 @@ export async function keyDeactivateCommand(nameOrId: string) {
     if (existsSync(localSettingsPath)) {
       try {
         const ls = JSON.parse(readFileSync(localSettingsPath, 'utf-8'));
-        if (ls.env?.WRITBASE_AGENT_KEY?.startsWith(key.key_prefix)) {
+        if (ls.env?.WRITBASE_AGENT_KEY?.includes(key.key_prefix)) {
           removeLocalEnv('WRITBASE_AGENT_KEY');
           warn('Removed deactivated key from .claude/settings.local.json — create a new key for hooks to work');
         }

cli/src/lib/claude-code.ts

@@ -6,7 +6,7 @@ import { WRITBASE_HOME } from './config.js';
 
 export function atomicWriteJson(filePath: string, content: string) {
   const tmpPath = filePath + '.tmp';
-  writeFileSync(tmpPath, content);
+  writeFileSync(tmpPath, content, { mode: 0o600 });
   renameSync(tmpPath, filePath);
 }
 
@@ -22,8 +22,12 @@ export function installSkills(supabaseUrl?: string) {
   const skillsSource = join(packageRoot, 'skills');
   cpSync(skillsSource, join(WRITBASE_HOME, 'skills'), { recursive: true });
 
-  // Copy hooks from package (if present)
+  // Copy hooks from package
   const hooksSource = join(packageRoot, 'hooks');
+  if (!existsSync(hooksSource)) {
+    // eslint-disable-next-line no-console
+    console.warn('⚠ Hooks not found in package — PostToolUse and SubagentStop hooks will not be registered');
+  }
   if (existsSync(hooksSource)) {
     mkdirSync(join(WRITBASE_HOME, 'hooks'), { recursive: true });
     cpSync(hooksSource, join(WRITBASE_HOME, 'hooks'), { recursive: true });