From b5dd77904c237841f07afcddc46b05a830888247 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 5 Jan 2026 00:47:19 +0000
Subject: [PATCH] Security fix: Restrict file permissions to 0600 in file_tracker.go
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Changed file permissions from 0644 to 0600 in RollbackModifiedFiles
- Files restored during rollback now have owner-only read/write permissions
- Follows security best practices and principle of least privilege
- Fixes gosec alert #378 (G306 - Expect WriteFile permissions to be 0600 or less)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5
---
 pkg/cli/file_tracker.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/cli/file_tracker.go b/pkg/cli/file_tracker.go
index 95dffd2c310..aa8de2899f6 100644
--- a/pkg/cli/file_tracker.go
+++ b/pkg/cli/file_tracker.go
@@ -155,7 +155,8 @@ func (ft *FileTracker) RollbackModifiedFiles(verbose bool) error {
 
 // Restore original content if we have it
 if originalContent, exists := ft.OriginalContent[file]; exists {
- if err := os.WriteFile(file, originalContent, 0644); err != nil {
+ // Use owner-only read/write permissions (0600) for security best practices
+ if err := os.WriteFile(file, originalContent, 0600); err != nil {
 errors = append(errors, fmt.Sprintf("failed to restore %s: %v", file, err))
 }
 } else {
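Review bot: The mode passed to `os.WriteFile` on the added line only takes effect when the call has to create the file; a file that still exists at rollback time is truncated and keeps whatever mode it already has, so for files that were merely modified this change does not tighten anything. Where the file is missing and gets re-created, it now comes back as 0600 (before umask) regardless of its original mode, which can silently change the permissions of a file the project expects to be group- or world-readable. Consider recording the original `os.FileMode` at the point where the content is captured into `ft.OriginalContent` and restoring with that value, and reword the new comment to say what the argument really does, e.g. `// perm applies only if the file is re-created; an existing file keeps its current mode`. The tracking code and the rest of RollbackModifiedFiles lie outside this hunk, so whether the original mode is available there needs to be checked.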