From 903fd7945427d656699227f9594d3d5e3768ae43 Mon Sep 17 00:00:00 2001
From: "Claude (M3 Studio)"
Date: Tue, 10 Feb 2026 11:15:52 +0000
Subject: [PATCH] fix(bugseti): update config file permissions to 0600

This commit updates the file permissions for the BugSETI configuration file from 0644 to 0600, ensuring owner-only access. This addresses the security concern where the GitHub token stored in the config file was world-readable.

Fixes #53
---
 internal/bugseti/config.go | 2 +-
 internal/bugseti/config_test.go | 37 +++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 internal/bugseti/config_test.go

diff --git a/internal/bugseti/config.go b/internal/bugseti/config.go
index 3a8af7b5..88ad9678 100644
--- a/internal/bugseti/config.go
+++ b/internal/bugseti/config.go
@@ -149,7 +149,7 @@ func (c *ConfigService) saveUnsafe() error {
 if err != nil {
 return err
 }
- return os.WriteFile(c.path, data, 0644)
+ return os.WriteFile(c.path, data, 0600)
 }
 
 // mergeDefaults fills in default values for any unset fields.
diff --git a/internal/bugseti/config_test.go b/internal/bugseti/config_test.go
new file mode 100644
index 00000000..19ed143a
--- /dev/null
+++ b/internal/bugseti/config_test.go
@@ -0,0 +1,37 @@
+package bugseti
+
+import (
+ "os"
+ "testing"
+)
+
+func TestConfigPermissions(t *testing.T) {
+ // Get a temporary file path
+ f, err := os.CreateTemp("", "bugseti-config-*.json")
+ if err != nil {
+ t.Fatal(err)
+ }
+ name := f.Name()
+ f.Close()
+ os.Remove(name) // Ensure it doesn't exist
+ defer os.Remove(name)
+
+ c := &ConfigService{
+ path: name,
+ config: &Config{},
+ }
+
+ if err := c.Save(); err != nil {
+ t.Fatalf("Save failed: %v", err)
+ }
+
+ info, err := os.Stat(name)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ mode := info.Mode().Perm()
+ if mode != 0600 {
+ t.Errorf("expected file permissions 0600, got %04o", mode)
+ }
+}
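Review bot: In the config.go hunk, `os.WriteFile(c.path, data, 0600)` applies the mode only when it creates the file; when `c.path` already exists it truncates and rewrites it without changing the permissions. A config that an earlier build saved as 0644 therefore stays world-readable after this change, which is the upgrade case the commit message describes. Tighten the mode on every save, for example `if err := os.WriteFile(c.path, data, 0600); err != nil { return err }` followed by `return os.Chmod(c.path, 0600)`, or write a 0600 temp file in the same directory and rename it over `c.path`. A token that already sat in a 0644 file should be treated as possibly read and rotated. saveUnsafe starts above the hunk, so the marshal step is not visible here.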
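Review bot: TestConfigPermissions removes the temp file before calling `Save`, so it only exercises the create path; it should also cover a file that already exists with mode 0644 and assert 0600 after `Save`, because `os.WriteFile` leaves an existing file's mode unchanged. Using `t.TempDir()` would replace the CreateTemp/Close/Remove sequence, whose errors are currently ignored. The permission assertion is POSIX-specific and presumably needs a `runtime.GOOS == "windows"` skip if the package is tested there. The sketch below needs `path/filepath` added to the import block.

```go
func TestConfigPermissionsExistingFile(t *testing.T) {
	name := filepath.Join(t.TempDir(), "config.json")
	// Simulate a config written by an earlier build with the old mode.
	if err := os.WriteFile(name, []byte("{}"), 0644); err != nil {
		t.Fatal(err)
	}

	c := &ConfigService{path: name, config: &Config{}}
	if err := c.Save(); err != nil {
		t.Fatalf("Save failed: %v", err)
	}

	info, err := os.Stat(name)
	if err != nil {
		t.Fatal(err)
	}
	if mode := info.Mode().Perm(); mode != 0600 {
		t.Errorf("expected file permissions 0600, got %04o", mode)
	}
}
```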