diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..cf3bc43
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2026-02-26 - Insecure Backup Permissions
+**Vulnerability:** The backup script `tools/backup-projects.sh` created project archives and log files with default umask permissions (often 644/755), making them readable by other users on the system.
+**Learning:** Shell scripts creating sensitive archives often default to system umask, which is usually designed for collaboration, not secrecy.
+**Prevention:** Explicitly set `umask 077` in a subshell before running archival commands like `zip` or `tar`, and use `chmod 700` on sensitive directories immediately after creation.
diff --git a/tools/backup-projects.sh b/tools/backup-projects.sh
index 1b7f6d2..2523472 100755
--- a/tools/backup-projects.sh
+++ b/tools/backup-projects.sh
@@ -351,7 +351,9 @@ cmd_backup() {
     # Setup directories
     if [[ "$DRY_RUN" != true ]]; then
         mkdir -p "$BACKUP_TEMP_DIR"
+        chmod 700 "$BACKUP_TEMP_DIR"
         mkdir -p "$LOG_DIR"
+        chmod 700 "$LOG_DIR"
     else
         debug "Would create: $BACKUP_TEMP_DIR"
         debug "Would create: $LOG_DIR"
@@ -410,6 +412,7 @@ cmd_backup() {
         exclude_args=$(build_exclude_args)
 
         (
+            umask 077
             cd "$HOME" || exit 1
             if [[ "$VERBOSE" == true ]]; then
                 # shellcheck disable=SC2086