From 5a153934718e70843004fcf70728f008f6da04c2 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Tue, 3 Feb 2026 04:47:56 +0000
Subject: [PATCH] Fix SSH key creation race condition by using umask 077
Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 tools/setup-ssh-keys.sh | 10 ++++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 .jules/sentinel.md
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..7877f7f
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2025-02-03 - File Creation Race Conditions
+**Vulnerability:** SSH private keys were created with default umask permissions (world-readable) before being restricted with `chmod`.
+**Learning:** Shell redirection (`>`) creates files with default umask permissions immediately. `chmod` after creation leaves a window of exposure (race condition).
+**Prevention:** Use `umask 077` in a subshell or block before creating sensitive files to ensure they are born secure.
diff --git a/tools/setup-ssh-keys.sh b/tools/setup-ssh-keys.sh
index bde52fd..ad32583 100755
--- a/tools/setup-ssh-keys.sh
+++ b/tools/setup-ssh-keys.sh
@@ -149,11 +149,17 @@ cmd_restore() {
 say "Restoring SSH key from 1Password..."
 # Create SSH directory
- mkdir -p "$SSH_DIR"
+ (
+ umask 077
+ mkdir -p "$SSH_DIR"
+ )
 chmod 700 "$SSH_DIR"
 # Read private key from 1Password and save locally
- op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
+ (
+ umask 077
+ op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
+ )
 chmod 600 "$PRIVATE_KEY_FILE"
 # Read public key from 1Password and save locally
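Review bot: The `umask 077` subshell around `op read … > "$PRIVATE_KEY_FILE"` only protects a file that the redirect creates; if the key file already exists with a looser mode, `>` truncates it in place and keeps that mode, so the restored key stays readable by others until `chmod 600` runs. Whether cmd_restore refuses or removes an existing key earlier is outside the hunk, so this may already be covered. If it is not, write to a fresh temp file in the same directory and rename it, which also avoids leaving a truncated key when `op read` fails: `tmp=$(mktemp "$SSH_DIR/.restore.XXXXXX")` then `op read "op://$VAULT/$KEY_NAME/private_key" > "$tmp" && mv -f -- "$tmp" "$PRIVATE_KEY_FILE"`. A short comment above the subshell, such as `# umask applies only at creation; an existing file keeps its mode`, would keep the limitation visible to the next maintainer.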