fix(security): Set secure file permissions (0600) for config files

- Add secure-fs.ts utility with writeFileSecure and ensureSecureDir
- Config files now created with 0600 (user read/write only)
- Directories created with 0700 (user only)
- Updated sms-notify.ts, sms-action-runner.ts, sms-webhook.ts, auto-background.ts

Prevents other local users from reading sensitive config data.

Author: jonathanpeterwu

src/hooks/auto-background.ts

@@ -3,9 +3,10 @@
  * Automatically backgrounds long-running or specific commands
  */
 
-import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';
+import { existsSync, readFileSync } from 'fs';
 import { join } from 'path';
 import { homedir } from 'os';
+import { writeFileSecure, ensureSecureDir } from './secure-fs.js';
 
 export interface AutoBackgroundConfig {
   enabled: boolean;
@@ -101,11 +102,8 @@ export function loadConfig(): AutoBackgroundConfig {
 
 export function saveConfig(config: AutoBackgroundConfig): void {
   try {
-    const dir = join(homedir(), '.stackmemory');
-    if (!existsSync(dir)) {
-      mkdirSync(dir, { recursive: true });
-    }
-    writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2));
+    ensureSecureDir(join(homedir(), '.stackmemory'));
+    writeFileSecure(CONFIG_PATH, JSON.stringify(config, null, 2));
   } catch {
     // Silently fail
   }

src/hooks/secure-fs.ts

@@ -0,0 +1,42 @@
+/**
+ * Secure file system utilities for hooks
+ * Ensures config files have restricted permissions (0600)
+ */
+
+import { writeFileSync, mkdirSync, chmodSync, existsSync } from 'fs';
+import { dirname } from 'path';
+
+/**
+ * Write file with secure permissions (0600 - user read/write only)
+ * Also ensures parent directory has 0700 permissions
+ */
+export function writeFileSecure(filePath: string, data: string): void {
+  const dir = dirname(filePath);
+
+  // Create directory with secure permissions if needed
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true, mode: 0o700 });
+  }
+
+  // Write file
+  writeFileSync(filePath, data);
+
+  // Set secure permissions (user read/write only)
+  chmodSync(filePath, 0o600);
+}
+
+/**
+ * Ensure directory exists with secure permissions (0700)
+ */
+export function ensureSecureDir(dirPath: string): void {
+  if (!existsSync(dirPath)) {
+    mkdirSync(dirPath, { recursive: true, mode: 0o700 });
+  } else {
+    // Set permissions on existing directory
+    try {
+      chmodSync(dirPath, 0o700);
+    } catch {
+      // Ignore if we can't change permissions (not owner)
+    }
+  }
+}

src/hooks/sms-action-runner.ts

@@ -5,11 +5,12 @@
  * Security: Uses allowlist-based action execution to prevent command injection
  */
 
-import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';
+import { existsSync, readFileSync } from 'fs';
 import { join } from 'path';
 import { homedir } from 'os';
 import { execSync, execFileSync } from 'child_process';
 import { randomBytes } from 'crypto';
+import { writeFileSecure, ensureSecureDir } from './secure-fs.js';
 
 // Allowlist of safe action patterns
 const SAFE_ACTION_PATTERNS: Array<{
@@ -77,11 +78,8 @@ export function loadActionQueue(): ActionQueue {
 
 export function saveActionQueue(queue: ActionQueue): void {
   try {
-    const dir = join(homedir(), '.stackmemory');
-    if (!existsSync(dir)) {
-      mkdirSync(dir, { recursive: true });
-    }
-    writeFileSync(QUEUE_PATH, JSON.stringify(queue, null, 2));
+    ensureSecureDir(join(homedir(), '.stackmemory'));
+    writeFileSecure(QUEUE_PATH, JSON.stringify(queue, null, 2));
   } catch {
     // Silently fail
   }

src/hooks/sms-notify.ts

@@ -6,10 +6,11 @@
  * Optional feature - requires Twilio setup
  */
 
-import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';
+import { existsSync, readFileSync } from 'fs';
 import { join } from 'path';
 import { homedir } from 'os';
 import { config as loadDotenv } from 'dotenv';
+import { writeFileSecure, ensureSecureDir } from './secure-fs.js';
 
 export type MessageChannel = 'whatsapp' | 'sms';
 
@@ -232,15 +233,12 @@ function applyEnvVars(config: SMSConfig): void {
 
 export function saveSMSConfig(config: SMSConfig): void {
   try {
-    const dir = join(homedir(), '.stackmemory');
-    if (!existsSync(dir)) {
-      mkdirSync(dir, { recursive: true });
-    }
+    ensureSecureDir(join(homedir(), '.stackmemory'));
     // Don't save sensitive credentials to file
     const safeConfig = { ...config };
     delete safeConfig.accountSid;
     delete safeConfig.authToken;
-    writeFileSync(CONFIG_PATH, JSON.stringify(safeConfig, null, 2));
+    writeFileSecure(CONFIG_PATH, JSON.stringify(safeConfig, null, 2));
   } catch {
     // Silently fail
   }

src/hooks/sms-webhook.ts

@@ -12,13 +12,14 @@
 
 import { createServer, IncomingMessage, ServerResponse } from 'http';
 import { parse as parseUrl } from 'url';
-import { existsSync, writeFileSync, mkdirSync, readFileSync } from 'fs';
+import { existsSync, readFileSync } from 'fs';
 import { join } from 'path';
 import { homedir } from 'os';
 import { createHmac } from 'crypto';
 import { execFileSync } from 'child_process';
 import { processIncomingResponse, loadSMSConfig } from './sms-notify.js';
 import { queueAction, executeActionSafe } from './sms-action-runner.js';
+import { writeFileSecure, ensureSecureDir } from './secure-fs.js';
 
 // Security constants
 const MAX_BODY_SIZE = 50 * 1024; // 50KB max body
@@ -96,12 +97,13 @@ function storeLatestResponse(
   response: string,
   action?: string
 ): void {
-  const dir = join(homedir(), '.stackmemory');
-  if (!existsSync(dir)) {
-    mkdirSync(dir, { recursive: true });
-  }
-  const responsePath = join(dir, 'sms-latest-response.json');
-  writeFileSync(
+  ensureSecureDir(join(homedir(), '.stackmemory'));
+  const responsePath = join(
+    homedir(),
+    '.stackmemory',
+    'sms-latest-response.json'
+  );
+  writeFileSecure(
     responsePath,
     JSON.stringify({
       promptId,
@@ -215,7 +217,7 @@ function triggerResponseNotification(response: string): void {
   // Write signal file for other processes
   try {
     const signalPath = join(homedir(), '.stackmemory', 'sms-signal.txt');
-    writeFileSync(
+    writeFileSecure(
       signalPath,
       JSON.stringify({
         type: 'sms_response',
@@ -366,7 +368,7 @@ export function startWebhookServer(port: number = 3456): void {
               ? JSON.parse(readFileSync(statusPath, 'utf8'))
               : {};
             statuses[payload['MessageSid']] = payload['MessageStatus'];
-            writeFileSync(statusPath, JSON.stringify(statuses, null, 2));
+            writeFileSecure(statusPath, JSON.stringify(statuses, null, 2));
 
             res.writeHead(200, { 'Content-Type': 'text/plain' });
             res.end('OK');