agent/pkg/lib/workspace/default
Snider f293d48006 fix(agent): tighten workspace file perms 0644→0600 to protect extracted secrets (Cerberus #324)
.core/reference/fs.go (canonical) + pkg/lib/workspace/default/.core/reference/fs.go (embedded copy):
- Write/WriteAtomic/Create/Append default to 0600
- Parent directories use 0700 (was 0755)
- WriteMode reapplies the requested mode after writes so overwriting an
  existing file also tightens permissions

Test (pkg/lib/lib_test.go) keeps embedded fs.go synced with canonical +
asserts extracted workspaces carry the secure permission defaults.

tests/cli/extract copy not hand-edited — that flows from regeneration.

Co-authored-by: Codex <noreply@openai.com>
Closes tasks.lthn.sh/view.php?id=324
2026-04-25 04:19:30 +01:00
.core/reference fix(agent): tighten workspace file perms 0644→0600 to protect extracted secrets (Cerberus #324) 2026-04-25 04:19:30 +01:00
CLAUDE.md.tmpl revert fcb9c189e5 2026-04-23 12:32:57 +01:00
CODEX-PHP.md.tmpl revert fcb9c189e5 2026-04-23 12:32:57 +01:00
CODEX.md.tmpl revert fcb9c189e5 2026-04-23 12:32:57 +01:00
CONTEXT.md.tmpl revert fcb9c189e5 2026-04-23 12:32:57 +01:00
go.work.tmpl revert fcb9c189e5 2026-04-23 12:32:57 +01:00
PROMPT.md.tmpl revert fcb9c189e5 2026-04-23 12:32:57 +01:00
TODO.md.tmpl revert fcb9c189e5 2026-04-23 12:32:57 +01:00