Skip to content

[AAASM-4323] 🔒 (core): Warn when config.yaml is group/other-readable#225

Merged
Chisanan232 merged 3 commits into
masterfrom
v0.0.1/AAASM-4323/fix/config_yaml_perm_warn
Jul 8, 2026
Merged

[AAASM-4323] 🔒 (core): Warn when config.yaml is group/other-readable#225
Chisanan232 merged 3 commits into
masterfrom
v0.0.1/AAASM-4323/fix/config_yaml_perm_warn

Conversation

@Chisanan232

@Chisanan232 Chisanan232 commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Description

Adds a defense-in-depth permission check to the gateway config loader. When ~/.aasm/config.yaml (which can hold an api_key) is stat'ed and found to have any group/other bits set (mode & 0o077 != 0), emit a logger.warning(...) suggesting chmod 600. Does NOT refuse the read — matches AWS CLI / gcloud / docker behavior.

Type of Change

  • ✨ New feature (small helper)
  • 🔒 Security improvement (defense-in-depth)

Breaking Changes

  • No — behavior is a warning only; no config file is refused.

Related Issues

Testing

  • Unit tests added (helper: 0600 no-warn, 0644 warns)
  • Manual verification: chmod 644 ~/.aasm/config.yaml; python -c "import agent_assembly; agent_assembly.init_assembly()" prints warning; chmod 600 silences it.

Checklist

  • Follows Gitmoji convention (multi-commit: helper -> wire-up -> test)
  • Non-behavior-breaking (warning only)

🤖 Generated with Claude Code

Introduces a small module-level helper on gateway_resolver that stats a
config file path and emits a logger.warning when the mode has any group/
other bits set (mode & 0o077 != 0). Suggests `chmod 600`. Does not raise
— defense-in-depth to match AWS CLI / gcloud / docker convention.

Refs AAASM-4323.
Wires _warn_if_world_readable into _load_config_file immediately after
the existence check and before read_text. The config file can hold an
api_key, so a group/other-readable mode is a defense-in-depth concern
worth surfacing to the operator without refusing the load.

Refs AAASM-4323.
Two cases: mode 0600 emits no warning; mode 0644 emits a single WARNING
record containing both the octal mode and the "chmod 600" remediation
hint. Skipped on Windows where POSIX permission bits do not apply.

Refs AAASM-4323.
@codecov

codecov Bot commented Jul 8, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 81.81818% with 2 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
agent_assembly/core/gateway_resolver.py 81.81% 2 Missing ⚠️

📢 Thoughts on this report? Let us know!

@sonarqubecloud

sonarqubecloud Bot commented Jul 8, 2026

Copy link
Copy Markdown

@Chisanan232

Copy link
Copy Markdown
Contributor Author

Claude Code — 11th-sweep review

Verdict: READY to merge

  • CI: all functional checks green (Analyze python, Build docs, CodeQL, all unit/integration/contract/coverage jobs, LangChain contract test, SonarCloud, CI Success).
  • ⚠️ Codecov/patch failing — acceptance-tier only, per project rule this is not blocking. The added helper + wire-up + test are collectively low LOC; codecov's per-patch threshold may not consider the test file's contribution. Not a functional regression.
  • Scope match: three atomic commits — helper (_warn_if_world_readable) → wire-up in _load_config_file → unit test (TestWarnIfWorldReadable with 0600 no-warn + 0644 warn cases, Windows-skipped). Emits logger.warning(...) on mode & 0o077 != 0; never raises. Matches AWS CLI / gcloud precedent.
  • Side effects: none. Warning-only defense-in-depth; no behavior change on the config-parse path.
  • Confidence: HIGH.

Reviewed by Claude Code as part of the AAASM-4307 fix wave.

@Chisanan232 Chisanan232 merged commit b118273 into master Jul 8, 2026
25 of 26 checks passed
@Chisanan232 Chisanan232 deleted the v0.0.1/AAASM-4323/fix/config_yaml_perm_warn branch July 8, 2026 05:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant