From c954c3f367caf6f1b91a0f8850482aae0235ec49 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sat, 31 Jan 2026 04:48:42 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20Fix=20SSH?= =?UTF-8?q?=20private=20key=20race=20condition?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use umask 077 when restoring private keys to ensure they are created with secure permissions (0600) atomically, eliminating a window where they might be readable by other users.

Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 tools/setup-ssh-keys.sh | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..3f4e897
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2025-01-31 - Secure File Creation with 1Password CLI
+**Vulnerability:** Race condition in `tools/setup-ssh-keys.sh` where private keys were written to disk with default permissions before being restricted, exposing them to other users on the system.
+**Learning:** Shell redirection `>` creates files with default umask (often 022/644) before `chmod` can run.
+**Prevention:** Use `(umask 077; command > file)` subshell pattern to ensure sensitive files are created with 0600 permissions atomically.
diff --git a/tools/setup-ssh-keys.sh b/tools/setup-ssh-keys.sh
index bde52fd..9960c12 100755
--- a/tools/setup-ssh-keys.sh
+++ b/tools/setup-ssh-keys.sh
@@ -153,7 +153,9 @@ cmd_restore() {
 chmod 700 "$SSH_DIR"
 
 # Read private key from 1Password and save locally
- op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
+ # Use umask 077 to ensure the file is created with 0600 permissions
+ (umask 077; op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE")
+ # chmod is redundant if umask worked, but good for clarity/double-check
 chmod 600 "$PRIVATE_KEY_FILE"
 
 # Read public key from 1Password and save locally
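Review bot: The new `(umask 077; …)` subshell only protects a file that does not yet exist; if `$PRIVATE_KEY_FILE` is already present from an earlier restore with a looser mode, `>` truncates it in place and keeps its existing permissions, so the window the commit closes reopens until the following `chmod 600`, and the added comment calling that chmod "redundant" is misleading. Remove any existing file before writing, e.g. `rm -f -- "$PRIVATE_KEY_FILE"` immediately before the subshell line (the directory was just set to 700 above, so only the owner can recreate it), and reword the comment to `# chmod kept as a second check; the file is recreated above so umask applies`. It is also worth handling a failed `op read`, which presumably leaves an empty or partial key file behind (the script's shell options are not visible here): `|| { rm -f -- "$PRIVATE_KEY_FILE"; return 1; }` after the subshell would avoid that. cmd_restore starts and ends outside this hunk.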