fix: enforce file permissions on credential overwrite

suryaiyer95 · claude · suryaiyer95 · commit 69fb5f2c52b2 · 2026-03-15T16:00:34.000-07:00
`Filesystem.write()` passes `mode` to `writeFile()`, but Node.js only applies the mode on file creation — not when overwriting an existing file. Add explicit `chmod()` after write to ensure `0o600` permissions are always enforced on `~/.altimate/altimate.json`, even on subsequent logins. Addresses Sentry review finding on PR #162. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/packages/opencode/src/util/filesystem.ts b/packages/opencode/src/util/filesystem.ts
@@ -55,6 +55,7 @@ export namespace Filesystem {
     try {
       if (mode) {
         await writeFile(p, content, { mode })
+        await chmod(p, mode)
       } else {
         await writeFile(p, content)
       }
@@ -63,6 +64,7 @@ export namespace Filesystem {
         await mkdir(dirname(p), { recursive: true })
         if (mode) {
           await writeFile(p, content, { mode })
+          await chmod(p, mode)
         } else {
           await writeFile(p, content)
         }
