diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..1457064 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2026-02-23 - Insecure Permissions on Backups +**Vulnerability:** `tools/backup-projects.sh` created backup zip archives and logs with default umask permissions (often 022/644), making them world-readable on multi-user systems. These backups contain source code and logs contain remote URLs (potentially with tokens). +**Learning:** Shell scripts creating sensitive files must explicitly manage permissions, as default system umasks are often permissive. +**Prevention:** Use `umask 077` at the start of scripts handling sensitive data to ensure files are only readable by the owner by default. diff --git a/tools/backup-projects.sh b/tools/backup-projects.sh index 1b7f6d2..607b6d0 100755 --- a/tools/backup-projects.sh +++ b/tools/backup-projects.sh @@ -27,6 +27,9 @@ # Pipestatus set -o pipefail +# Security: Ensure backups and logs are only readable by the owner +umask 077 + # --- Configuration --- CONFIG_FILE="${XDG_CONFIG_HOME:-$HOME/.config}/dotfiles/config.yaml" LOG_DIR="${XDG_STATE_HOME:-$HOME/.local/state}/dotfiles"
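Review bot: In the `.jules/sentinel.md` entry, the Prevention line presents `umask 077` as the whole fix, but a umask only applies to files created after it is set, so archives and logs written by earlier runs keep their old modes. The entry should say that existing files need a one-time `chmod`. The Vulnerability line also notes that logs contain remote URLs "potentially with tokens", and restricting file modes does not remove those tokens from the logs. Consider adding a prevention item for stripping credentials from URLs before they are logged. Minor wording point: "022/644" mixes a umask value with a resulting file mode, so something like "umask 022, giving mode 644" would read more clearly.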
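Review bot: In the `tools/backup-projects.sh` hunk, `umask 077` is set before the configuration block, which is the right place, but it only affects files and directories created from this point on. If `LOG_DIR` or earlier backup archives already exist from previous runs, they stay world-readable after this change. Consider following the directory setup with an explicit `chmod 700 "$LOG_DIR"` and tightening the modes of existing logs and archives, or document a one-time cleanup step. The comment could also mention that directories the script creates now get mode 700, so anything that reads the backups as a different user will lose access.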