Mantis #324 narrowly tightened fs.go from 0644/0755→0600/0700. Athena audit during task #20 closure-verification (2026-04-25) found sibling files in the same directory still using 0755 for MkdirAll, leaving parent dirs world-listable even when file content is 0600.

This commit applies the same hardening to:

- .core/reference/error.go:393 — crash-report parent dir 0755→0700
- .core/reference/embed.go:514/567/656 — workspace template extract dirs 0755→0700
- .core/reference/embed.go:595/660 — os.Create→os.OpenFile(...0600) for template renders + standard-file copies (default umask 0644 was leaking workspace-template content to other users on shared hosts)
- pkg/lib/workspace/default/.core/reference/error.go:414 — same crash-report fix
- pkg/lib/workspace/default/.core/reference/embed.go:518/571/660 — same template fixes

Workspace-template duplicates are kept in sync so newly-scaffolded workspaces inherit the hardened perms instead of regressing to 0755/0644.

Closes Mantis #988.

Co-authored-by: Codex <noreply@openai.com>
| Name |
|---|
| .core/reference |
| CLAUDE.md.tmpl |
| CODEX-PHP.md.tmpl |
| CODEX.md.tmpl |
| CONTEXT.md.tmpl |
| go.work.tmpl |
| PROMPT.md.tmpl |
| TODO.md.tmpl |
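
The hardening the commit message above describes, as an added Go example that is not code from this repository: `hardenedWrite` and `looseEntries` are hypothetical names and the scratch tree is constructed. It goes one step past the commit by auditing for entries that predate the change, because the mode passed to `MkdirAll` and `OpenFile` only takes effect when the entry is created.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// hardenedWrite (hypothetical helper) uses the modes the commit describes.
func hardenedWrite(path string, data []byte) error {
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		return err
	}
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// looseEntries returns every path under root that grants group/other bits.
// Entries that existed before the hardened call keep their old mode.
func looseEntries(root string) ([]string, error) {
	var loose []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		info, err := d.Info()
		if err == nil && info.Mode().Perm()&0o077 != 0 {
			loose = append(loose, p)
		}
		return err
	})
	return loose, err
}

func main() {
	root, _ := os.MkdirTemp("", "perm-demo") // constructed scratch tree
	defer os.RemoveAll(root)
	old := filepath.Join(root, "old")
	os.Mkdir(old, 0o700)
	os.Chmod(old, 0o755) // stands in for a directory created before the fix
	hardenedWrite(filepath.Join(old, "crash.log"), []byte("x"))
	hardenedWrite(filepath.Join(root, "new", "tmpl", "TODO.md"), []byte("x"))
	fmt.Println(looseEntries(root)) // lists only the pre-existing "old" dir
}
```

Running the audit over an already-scaffolded workspace shows which directories need an explicit `chmod` after upgrading. On Linux, symlinks report 0777 from `lstat` and will appear in the list.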