fix: skip config permission check on Windows/NTFS (#1)

NTFS does not support Unix permission bits; reported mode is always 0666
regardless of ACL settings. The check is now skipped on Windows.
Added documentation for securing config files via NTFS ACLs as an
alternative to chmod.

Closes #1

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: magifd2

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.0.3] - 2026-03-31
+
+### Fixed
+- Skip config file permission check on Windows/NTFS (always reports 0666 regardless of ACLs)
+- Document NTFS ACL-based alternative for securing config files on Windows
+
 ## [2.0.2] - 2026-03-27
 
 ### Added

README.ja.md

@@ -66,6 +66,20 @@ token = "your-token"
 
 **優先順位（高い順）:** CLI フラグ → 環境変数 → 設定ファイル
 
+### Windows: 設定ファイルのセキュリティ
+
+Unix/macOS では、設定ファイルが他ユーザーから読み取り可能な場合に警告が表示されます（`chmod 600` を推奨）。Windows (NTFS) では、NTFS が Unix パーミッションビットをサポートしないため、このチェックは自動的にスキップされます。
+
+**ただし、設定ファイルには認証情報が含まれる可能性があるため、保護は必要です。** Windows では NTFS ACL でアクセスを制限してください:
+
+```powershell
+# PowerShell: 設定ファイルを現在のユーザーのみに制限
+$path = "$env:USERPROFILE\.config\splunk-cli\config.toml"
+icacls $path /inheritance:r /grant:r "${env:USERNAME}:(R,W)"
+```
+
+または、設定ファイルに認証情報を保存せず、環境変数（`SPLUNK_TOKEN` 等）を使用する方法もあります。
+
 | 環境変数 | 説明 |
 |---|---|
 | `SPLUNK_HOST` | Splunk サーバー URL（ポート含む） |

README.md

@@ -66,6 +66,20 @@ token = "your-token"
 
 **Priority order (highest first):** CLI flags → environment variables → config file
 
+### Windows: Config File Security
+
+On Unix/macOS, splunk-cli warns if the config file is readable by other users (`chmod 600` is expected). On Windows (NTFS), this check is automatically skipped because NTFS does not support Unix permission bits.
+
+**However, the config file may contain credentials and should still be protected.** On Windows, restrict access using NTFS ACLs:
+
+```powershell
+# PowerShell: restrict config file to current user only
+$path = "$env:USERPROFILE\.config\splunk-cli\config.toml"
+icacls $path /inheritance:r /grant:r "${env:USERNAME}:(R,W)"
+```
+
+Alternatively, use environment variables (`SPLUNK_TOKEN`, etc.) instead of storing credentials in the config file.
+
 | Environment variable | Description |
 |---|---|
 | `SPLUNK_HOST` | Splunk server URL (including port) |

internal/config/config.go

@@ -5,6 +5,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"time"
 
@@ -120,6 +121,13 @@ func ApplyEnvVars(cfg *Config) {
 }
 
 func checkPermissions(path string, info os.FileInfo) {
+	// NTFS does not support Unix permission bits; reported mode is always
+	// 0666 regardless of ACL settings, making this check meaningless.
+	// On Windows, users should restrict access via NTFS ACLs instead.
+	// See README.md "Windows: Config File Security" for guidance.
+	if runtime.GOOS == "windows" {
+		return
+	}
 	if info.Mode().Perm()&0077 != 0 {
 		_, _ = fmt.Fprintf(Stderr,
 			"Warning: config file %s has permissions %#o; expected 0600.\n"+