[AAASM-4323] 🔒 (core): Warn when config.yaml is group/other-readable#225
Merged
Merged
Conversation
Introduces a small module-level helper on gateway_resolver that stats a config file path and emits a logger.warning when the mode has any group/ other bits set (mode & 0o077 != 0). Suggests `chmod 600`. Does not raise — defense-in-depth to match AWS CLI / gcloud / docker convention. Refs AAASM-4323.
Wires _warn_if_world_readable into _load_config_file immediately after the existence check and before read_text. The config file can hold an api_key, so a group/other-readable mode is a defense-in-depth concern worth surfacing to the operator without refusing the load. Refs AAASM-4323.
Two cases: mode 0600 emits no warning; mode 0644 emits a single WARNING record containing both the octal mode and the "chmod 600" remediation hint. Skipped on Windows where POSIX permission bits do not apply. Refs AAASM-4323.
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
|
Contributor
Author
Claude Code — 11th-sweep reviewVerdict: READY to merge
Reviewed by Claude Code as part of the AAASM-4307 fix wave. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Description
Adds a defense-in-depth permission check to the gateway config loader. When
~/.aasm/config.yaml(which can hold anapi_key) is stat'ed and found to have any group/other bits set (mode & 0o077 != 0), emit alogger.warning(...)suggestingchmod 600. Does NOT refuse the read — matches AWS CLI / gcloud / docker behavior.Type of Change
Breaking Changes
Related Issues
Testing
chmod 644 ~/.aasm/config.yaml; python -c "import agent_assembly; agent_assembly.init_assembly()"prints warning;chmod 600silences it.Checklist
🤖 Generated with Claude Code