diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..c559a48
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2026-02-21 - Insecure Backup Permissions
+**Vulnerability:** `tools/backup-projects.sh` created project backups with default umask permissions (often 644/755), making them world-readable.
+**Learning:** Scripts generating sensitive artifacts (backups, keys, logs) must explicitly set permissions. Default umask is insufficient for privacy.
+**Prevention:** Enforce `umask 077` at the start of any script that handles sensitive data or artifacts.
diff --git a/tools/backup-projects.sh b/tools/backup-projects.sh
index 1b7f6d2..a4af270 100755
--- a/tools/backup-projects.sh
+++ b/tools/backup-projects.sh
@@ -27,6 +27,9 @@
 # Pipestatus
 set -o pipefail
 
+# Set strict permissions for created files/directories (rwx------)
+umask 077
+
 # --- Configuration ---
 CONFIG_FILE="${XDG_CONFIG_HOME:-$HOME/.config}/dotfiles/config.yaml"
 LOG_DIR="${XDG_STATE_HOME:-$HOME/.local/state}/dotfiles"