From 3c2cc24a371a2a26312fa56cac74d0edb1b9694f Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Sat, 21 Feb 2026 04:58:04 +0000 Subject: [PATCH] feat(security): enforce strict file permissions in backup-projects.sh This change adds `umask 077` to `tools/backup-projects.sh` to ensure that all created files (including backup archives and logs) are only readable by the owner (rw-------). Previously, backups were created with default permissions (often rw-rw-r--), potentially exposing sensitive project code. Fixes: Insecure file permissions for project backups. Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com> --- .jules/sentinel.md | 4 ++++ tools/backup-projects.sh | 3 +++ 2 files changed, 7 insertions(+) create mode 100644 .jules/sentinel.md diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..c559a48 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2026-02-21 - Insecure Backup Permissions +**Vulnerability:** `tools/backup-projects.sh` created project backups with default umask permissions (often 644/755), making them world-readable. +**Learning:** Scripts generating sensitive artifacts (backups, keys, logs) must explicitly set permissions. Default umask is insufficient for privacy. +**Prevention:** Enforce `umask 077` at the start of any script that handles sensitive data or artifacts. diff --git a/tools/backup-projects.sh b/tools/backup-projects.sh index 1b7f6d2..a4af270 100755 --- a/tools/backup-projects.sh +++ b/tools/backup-projects.sh @@ -27,6 +27,9 @@ # Pipestatus set -o pipefail +# Set strict permissions for created files/directories (rwx------) +umask 077 + # --- Configuration --- CONFIG_FILE="${XDG_CONFIG_HOME:-$HOME/.config}/dotfiles/config.yaml" LOG_DIR="${XDG_STATE_HOME:-$HOME/.local/state}/dotfiles"
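Review bot: In the `.jules/sentinel.md` hunk, the **Vulnerability** line gives the default modes as "often 644/755", while the commit message says "often rw-rw-r--" (664). Use one figure in both places, or say that the resulting mode depends on the umask the script inherits from its caller. The **Prevention** line should also say that `umask 077` only governs files and directories created after it runs, so artifacts already on disk still need an explicit `chmod`.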
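Review bot: In the `tools/backup-projects.sh` hunk, the `umask 077` added after `set -o pipefail` only applies to files and directories created from that point on. A `LOG_DIR` (`${XDG_STATE_HOME:-$HOME/.local/state}/dotfiles`) that already exists, and any archives or logs written by earlier runs, keep their previous modes. Consider an explicit `chmod 700` on the log and backup directories once the script has ensured they exist, and a one-time `chmod 600` on existing archives. The new comment's `(rwx------)` is the directory case. Regular files come out as `rw-------`, as the commit message says, so the comment should state both.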