kidchenko · kidchenko · Feb 26, 2026 · coderabbitai · Feb 26, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2026-02-26 - Insecure Backup Permissions
+**Vulnerability:** The backup script `tools/backup-projects.sh` created project archives and log files with default umask permissions (often 644/755), making them readable by other users on the system.
+**Learning:** Shell scripts creating sensitive archives often default to system umask, which is usually designed for collaboration, not secrecy.
+**Prevention:** Explicitly set `umask 077` in a subshell before running archival commands like `zip` or `tar`, and use `chmod 700` on sensitive directories immediately after creation.
-## 2026-02-26 - Insecure Backup Permissions
-**Vulnerability:** The backup script `tools/backup-projects.sh` created project archives and log files with default umask permissions (often 644/755), making them readable by other users on the system.
-**Learning:** Shell scripts creating sensitive archives often default to system umask, which is usually designed for collaboration, not secrecy.
-**Prevention:** Explicitly set `umask 077` in a subshell before running archival commands like `zip` or `tar`, and use `chmod 700` on sensitive directories immediately after creation.
+# Sentinel Security Findings
+
+## 2026-02-26 - Insecure Backup Permissions
+
+**Vulnerability:** The backup script `tools/backup-projects.sh` created project
+archives and log files with default umask permissions (often 644/755), making
+them readable by other users on the system.
+
+**Learning:** Shell scripts creating sensitive archives often default to system
+umask, which is usually designed for collaboration, not secrecy.
+
+**Prevention:** Explicitly set `umask 077` in a subshell before running
+archival commands like `zip` or `tar`, and use `chmod 700` on sensitive
+directories immediately after creation.
-## 2026-02-26 - Insecure Backup Permissions
-**Vulnerability:** The backup script `tools/backup-projects.sh` created project archives and log files with default umask permissions (often 644/755), making them readable by other users on the system.
-**Learning:** Shell scripts creating sensitive archives often default to system umask, which is usually designed for collaboration, not secrecy.
-**Prevention:** Explicitly set `umask 077` in a subshell before running archival commands like `zip` or `tar`, and use `chmod 700` on sensitive directories immediately after creation.
+# Sentinel Security Findings
+
+## 2026-02-26 - Insecure Backup Permissions
+
+**Vulnerability:** The backup script `tools/backup-projects.sh` created project
+archives and log files with default umask permissions (often 644/755), making
+them readable by other users on the system.
+
+**Learning:** Shell scripts creating sensitive archives often default to system
+umask, which is usually designed for collaboration, not secrecy.
+
+**Prevention:** Explicitly set `umask 077` in a subshell before running
+archival commands like `zip` or `tar`, and use `chmod 700` on sensitive
+directories immediately after creation.
diff --git a/tools/backup-projects.sh b/tools/backup-projects.sh
@@ -351,7 +351,9 @@ cmd_backup() {
     # Setup directories
     if [[ "$DRY_RUN" != true ]]; then
         mkdir -p "$BACKUP_TEMP_DIR"
+        chmod 700 "$BACKUP_TEMP_DIR"
         mkdir -p "$LOG_DIR"
+        chmod 700 "$LOG_DIR"
     else
         debug "Would create: $BACKUP_TEMP_DIR"
         debug "Would create: $LOG_DIR"
@@ -410,6 +412,7 @@ cmd_backup() {
         exclude_args=$(build_exclude_args)
 
         (
+            umask 077
             cd "$HOME" || exit 1
             if [[ "$VERBOSE" == true ]]; then
                 # shellcheck disable=SC2086