fix(dashboard): use secure temp file for batch analysis scripts

Batch portfolio analysis was writing scripts to /tmp with default
permissions (0o644), exposing the API key to other local users.
Switch to tempfile.mkstemp + chmod 0o600, matching the single-analysis
pattern. Also fix cancel_task cleanup to use glob patterns for
tempfile-generated paths.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

web_dashboard/backend/main.py

@@ -457,12 +457,12 @@ async def cancel_task(task_id: str):
         _save_task_status(task_id, app.state.task_results[task_id])
         await broadcast_progress(task_id, app.state.task_results[task_id])
 
-    # Clean up temp script
+    # Clean up temp script (may use tempfile.mkstemp with random suffix)
-    script_path = Path(f"/tmp/analysis_{task_id}.py")
+    for p in Path("/tmp").glob(f"analysis_{task_id}_*.py"):
-    try:
+        try:
-        script_path.unlink()
+            p.unlink()
-    except Exception:
+        except Exception:
-        pass
+            pass
 
     # Remove persisted task state
     _delete_task_status(task_id)
@@ -874,6 +874,12 @@ async def start_portfolio_analysis():
                     clean_env["ANTHROPIC_API_KEY"] = api_key
                     clean_env["ANTHROPIC_BASE_URL"] = "https://api.minimaxi.com/anthropic"
 
+                    fd, script_path_str = tempfile.mkstemp(suffix=".py", prefix=f"analysis_{task_id}_{i}_")
+                    script_path = Path(script_path_str)
+                    os.chmod(script_path, 0o600)
+                    with os.fdopen(fd, "w") as f:
+                        f.write(ANALYSIS_SCRIPT_TEMPLATE)
+
                     proc = await asyncio.create_subprocess_exec(
                         str(ANALYSIS_PYTHON), str(script_path), ticker, date, str(REPO_ROOT),
                         stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE,