From 8697ffa09b4597911f44597fb487c50836b0df1d Mon Sep 17 00:00:00 2001
From: Garry Tan
Date: Mon, 13 Apr 2026 09:34:27 -0700
Subject: [PATCH] fix(security): restrict session file permissions to owner-only
Design session files written to /tmp with default umask (0644) were world-readable on shared systems. Sessions contain design prompts and feedback history. Set mode 0o600 (owner read/write only) on both create and update paths.
Closes #859
Co-Authored-By: Gus
---
 design/src/session.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/design/src/session.ts b/design/src/session.ts
index 16d6f0ee..01986618 100644
--- a/design/src/session.ts
+++ b/design/src/session.ts
@@ -49,7 +49,7 @@ export function createSession(
 updatedAt: new Date().toISOString(),
 };
- fs.writeFileSync(sessionPath(id), JSON.stringify(session, null, 2));
+ fs.writeFileSync(sessionPath(id), JSON.stringify(session, null, 2), { mode: 0o600 });
 return session;
 }
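Review bot: The `{ mode: 0o600 }` added to `fs.writeFileSync` in `createSession` only applies when the call creates the file, so a session file that already exists at `sessionPath(id)` (written 0644 by an earlier version, or already present in the shared /tmp the description mentions) keeps its existing permissions and owner. If ids are expected to be fresh, make creation exclusive so an existing path is rejected rather than reused: `fs.writeFileSync(sessionPath(id), JSON.stringify(session, null, 2), { mode: 0o600, flag: 'wx' });`. The description says both the create and update paths are covered, but the diffstat shows one changed line and only `createSession` appears here; the update path should be checked, and because it rewrites existing files it would need an explicit `fs.chmodSync(sessionPath(id), 0o600);` to tighten files created before this fix. Keeping sessions in a per-user directory created with mode 0o700 would remove the dependence on per-file modes. `createSession` begins above the hunk, so how `id` is generated is not visible here.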