fix(security): create session transcript files with 0o600 permissions (#18066)

Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: 962f497d242c5affa9b610f38f3dc7844426198d Co-authored-by: brandonwise <21148772+brandonwise@users.noreply.github.com> Co-authored-by: sebslight <19554889+sebslight@users.noreply.github.com> Reviewed-by: @sebslight
2026-02-16 08:33:40 -05:00
parent 6931f0fb50
commit 095d522099
6 changed files with 32 additions and 2 deletions
--- a/src/gateway/server-methods/chat.ts
+++ b/src/gateway/server-methods/chat.ts
@@ -119,7 +119,10 @@ function ensureTranscriptFile(params: { transcriptPath: string; sessionId: strin
      timestamp: new Date().toISOString(),
      cwd: process.cwd(),
    };
-    fs.writeFileSync(params.transcriptPath, `${JSON.stringify(header)}\n`, "utf-8");
+    fs.writeFileSync(params.transcriptPath, `${JSON.stringify(header)}\n`, {
+      encoding: "utf-8",
+      mode: 0o600,
+    });
    return { ok: true };
  } catch (err) {
    return { ok: false, error: err instanceof Error ? err.message : String(err) };