mcp/pkg at e2bc724bb43bb695ceab722ff17df47cd3785400 - core/mcp

core/mcp

History

Snider e2bc724bb4 fix(mcp/brain/client): enforce 0600 on ~/.claude/brain.key Refuse to load brain.key when its mode is more permissive than 0600 — NewFromEnvironment carries the config error into Call() so callers get a clear "brain.key has insecure permissions, expected 0600" rather than a silent credential leak. Read path stats first; does not auto-chmod (would mask the misconfiguration). Write path uses coreio.Local.WriteMode and follows up with explicit os.Chmod 0600, correcting any pre-existing 0644 file on next write. Tests: write overwrites 0644 → 0600; read of 0644 fixture errors and leaves the mode untouched. Co-authored-by: Codex <noreply@openai.com> Closes tasks.lthn.sh/view.php?id=998	2026-04-25 17:58:13 +01:00
..
mcp	fix(mcp/brain/client): enforce 0600 on ~/.claude/brain.key	2026-04-25 17:58:13 +01:00

Snider e2bc724bb4 fix(mcp/brain/client): enforce 0600 on ~/.claude/brain.key

Refuse to load brain.key when its mode is more permissive than 0600 —
NewFromEnvironment carries the config error into Call() so callers
get a clear "brain.key has insecure permissions, expected 0600"
rather than a silent credential leak. Read path stats first; does not
auto-chmod (would mask the misconfiguration).

Write path uses coreio.Local.WriteMode and follows up with explicit
os.Chmod 0600, correcting any pre-existing 0644 file on next write.

Tests: write overwrites 0644 → 0600; read of 0644 fixture errors and
leaves the mode untouched.

Co-authored-by: Codex <noreply@openai.com>
Closes tasks.lthn.sh/view.php?id=998

2026-04-25 17:58:13 +01:00

mcp

fix(mcp/brain/client): enforce 0600 on ~/.claude/brain.key

2026-04-25 17:58:13 +01:00