From 32980e64300d3ba70c9cddfe088e1dd6de0b39a3 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Fri, 2 Jan 2026 04:23:59 +0000
Subject: [PATCH] security: fix incorrect file permissions in compile_orchestrator.go (Alert #384)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Changed os.WriteFile permissions from 0644 to 0600 for campaign orchestrator file generation to follow security best practices and principle of least privilege.
🤖 Generated with Claude Code(https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5
---
 pkg/cli/compile_orchestrator.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/cli/compile_orchestrator.go b/pkg/cli/compile_orchestrator.go
index a5f20af580..abe4d862f6 100644
--- a/pkg/cli/compile_orchestrator.go
+++ b/pkg/cli/compile_orchestrator.go
@@ -173,7 +173,8 @@ func generateAndCompileCampaignOrchestrator(
 if !noEmit {
 content := renderGeneratedCampaignOrchestratorMarkdown(data, campaignSpecPath)
- if err := os.WriteFile(orchestratorPath, []byte(content), 0644); err != nil {
+ // Write with restrictive permissions (0600) to follow security best practices
+ if err := os.WriteFile(orchestratorPath, []byte(content), 0600); err != nil {
 return "", fmt.Errorf("failed to write generated campaign orchestrator %s: %w", orchestratorPath, err)
 }
 if verbose {
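Review bot: The 0600 passed to `os.WriteFile` on the new write line only takes effect when `orchestratorPath` does not exist yet; for an existing file `os.WriteFile` truncates and rewrites it without changing its mode, so an orchestrator generated by an earlier run at 0644 keeps that mode after this change. If the tighter mode is meant to hold on every compile, follow the write with `if err := os.Chmod(orchestratorPath, 0600); err != nil { return "", fmt.Errorf(...) }`, or write to a temporary file in the same directory and rename it over the target. The added comment states the mode but not the reason; something like `// 0600: owner-only, the generated orchestrator is not meant to be read by other local users` would help the next maintainer, though the hunk does not show what the content holds, so that wording needs confirming. The body of generateAndCompileCampaignOrchestrator starts and ends outside the hunk.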