Fix: Change file permissions from 0644 to 0600 for security

The gosec linter (G302) requires file permissions to be 0600 or less
for security. Updated atomicWriteFile to use 0600 (owner read/write only)
instead of 0644 (world readable).

This affects config files written by bd setup commands (cursor, aider,
claude), making them accessible only by the owner.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Steve Yegge
2025-11-23 20:11:45 -08:00
parent c5210ff2a9
commit b6870de7f8
2 changed files with 4 additions and 4 deletions


@@ -31,8 +31,8 @@ func atomicWriteFile(path string, data []byte) error {
return fmt.Errorf("close temp file: %w", err)
}
// Set permissions to 0644
if err := os.Chmod(tmpPath, 0644); err != nil {
// Set permissions to 0600 (owner read/write only)
if err := os.Chmod(tmpPath, 0600); err != nil {
_ = os.Remove(tmpPath) // Best effort cleanup
return fmt.Errorf("set permissions: %w", err)
}
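Review bot: The mode is tightened only by this `os.Chmod`, which runs after the data has been written and the temp file closed, so until then the contents sit on disk under whatever mode the temp file was created with. The creation call is above the hunk (atomicWriteFile starts outside it): if it uses `os.CreateTemp` the file is already 0600 and this call is just a safeguard, but if it uses `os.Create` or a wider `OpenFile` mode, consider creating it restricted from the start, e.g. `os.OpenFile(tmpPath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)`. A named constant for the mode, shared with the assertion in TestAtomicWriteFile, would keep the two from drifting apart.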


@@ -35,8 +35,8 @@ func TestAtomicWriteFile(t *testing.T) {
}
mode := info.Mode()
if mode.Perm() != 0644 {
t.Errorf("file permissions mismatch: got %o, want %o", mode.Perm(), 0644)
if mode.Perm() != 0600 {
t.Errorf("file permissions mismatch: got %o, want %o", mode.Perm(), 0600)
}
// Test overwriting existing file