diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..9282611
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2026-02-24 - Insecure Backup Permissions
+**Vulnerability:** Backup archives created by `tools/backup-projects.sh` were readable by all users on the system (0644 default permissions). These archives contain sensitive project files and potentially secrets.
+**Learning:** Shell scripts using `zip` or `tar` often inherit default umask settings, which are typically permissive. Creating backups in shared environments (even multi-user home machines) requires explicit permission handling.
+**Prevention:** Enforce `umask 0077` (or strict `chmod`) when creating sensitive files or archives in shell scripts. Always assume the default environment is insecure.
diff --git a/tools/backup-projects.sh b/tools/backup-projects.sh
index 1b7f6d2..d3b5282 100755
--- a/tools/backup-projects.sh
+++ b/tools/backup-projects.sh
@@ -410,6 +410,8 @@ cmd_backup() {
 exclude_args=$(build_exclude_args)
 (
+ # Restrict permissions for backup file (owner read/write only)
+ umask 0077
 cd "$HOME" || exit 1
 if [[ "$VERBOSE" == true ]]; then
 # shellcheck disable=SC2086
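Review bot: The `umask 0077` added at the top of the subshell in cmd_backup only applies to files created after it, so an archive path that already exists with mode 0644 may keep that mode when it is rewritten, and backups from earlier runs stay world-readable. The archive-writing command and the creation of the destination directory are outside the hunk, so this is inferred. If an existing path can be reused, follow the archive step with an explicit `chmod 600 -- "<archive path>"` (placeholder for the script's own variable) and tighten older backups once. Keeping the umask inside the `( … )` subshell is the right scope, and the comment could say so: `# umask is scoped to this subshell; new archive is created owner-only (0600)`.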