diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..fd1d85f
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,5 @@
+## 2026-04-10 - [TOCTOU vulnerability in SSH key generation]
+
+**Vulnerability:** Private SSH keys written to disk using shell redirection (`> "$PRIVATE_KEY_FILE"`) followed by `chmod 600`.
+**Learning:** Shell redirection creates the file according to the system's `umask`. If the `umask` allows, the file might briefly be readable by other users before `chmod 600` executes, causing a Time-of-Check to Time-of-Use (TOCTOU) vulnerability.
+**Prevention:** Wrap file creation steps that handle sensitive data in a subshell using `(umask 077 && command > file)` so that the file is created with secure permissions right from the start.
diff --git a/tools/setup-ssh-keys.sh b/tools/setup-ssh-keys.sh
index bde52fd..6ecd8db 100755
--- a/tools/setup-ssh-keys.sh
+++ b/tools/setup-ssh-keys.sh
@@ -153,7 +153,7 @@ cmd_restore() {
     chmod 700 "$SSH_DIR"
 
     # Read private key from 1Password and save locally
-    op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE"
+    (umask 077 && op read "op://$VAULT/$KEY_NAME/private_key" > "$PRIVATE_KEY_FILE")
     chmod 600 "$PRIVATE_KEY_FILE"
 
     # Read public key from 1Password and save locally