🛡️ Sentinel: [CRITICAL] Fix TOCTOU vulnerability in SSH key generation

.jules/sentinel.md

@@ -0,0 +1,16 @@
+# Sentinel Journal
+
+## 2025-04-12 - Prevent TOCTOU vulnerabilities in file creation
+
+**Vulnerability:** SSH private keys and other sensitive files were being written
+to disk and subsequently restricted using `chmod 600`. This creates a
+Time-of-Check to Time-of-Use (TOCTOU) race condition where the file is briefly
+readable with default permissions before `chmod` executes.
+**Learning:** Shell scripts generating sensitive files must ensure the file is
+created with secure permissions from the moment of creation. Explicitly calling
+`chmod` after creation leaves a brief window for local privilege escalation or
+unauthorized read access.
+**Prevention:** Wrap the file creation logic in a subshell `(...)` and set
+`umask 077` immediately before the command that writes the file. This ensures
+the file is created with 600 permissions without affecting the global script's
+umask.

CHANGELOG.md

@@ -8,33 +8,38 @@
 ## [Unreleased]
 
 ### Added
+
 - Brave browser extensions management (`tools/install-brave-extensions.sh`)
 - Windows support documentation in README and CLAUDE.md
 - CHANGELOG.md for tracking changes
 - SECURITY.md for security policy
 - CONTRIBUTING.md for contributor guidelines
 
 ### Changed
+
 - Standardized script naming to kebab-case (e.g., `install-global-tools.sh`)
 - Updated Go version to 1.23.4 in apt.sh
 - Updated yq version to v4.44.6 in apt.sh
 - Updated lsd version to 1.1.5 in apt.sh
 - Fixed Yarn installation to use modern `signed-by` method instead of deprecated `apt-key`
 - Fixed `cron/update.sh` to detect Homebrew path (supports both Apple Silicon and Intel Macs)
 - Fixed `destroy.sh` to be compatible with macOS (removed GNU-specific `xargs -r`)
 
 ### Removed
+
 - Removed broken test suite (was referencing non-existent files)
 - Removed example hook scripts (`scripts/custom/`)
 - Removed invalid `[brew]` and `[cron]` sections from `.chezmoi.toml.tmpl`
 
 ### Fixed
+
 - Fixed `build.sh` references to deleted directories
 - Fixed Composer installation in apt.sh that would exit the entire script
 
 ## [1.0.0] - 2024-12-01
 
 ### Added
+
 - Initial release with Chezmoi-based dotfiles management
 - Cross-platform support (macOS, Linux, Windows)
 - 1Password CLI integration for SSH key management
@@ -48,6 +53,7 @@
 - Templated configurations for Git, Zsh, Neovim, Tmux
 
 ### Documentation
+
 - README with quick start guide
 - Installation guide with prerequisites
 - Customization guide for forking

CLAUDE.md

@@ -1,10 +1,10 @@
 # CLAUDE.md
 
 This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
 
 ## Overview
 
 Cross-platform dotfiles (macOS, Linux & Windows) managed with [Chezmoi](https://chezmoi.io/), following XDG Base Directory conventions.
 
 ## Common Commands
 
@@ -35,20 +35,24 @@
 ## Architecture
 
 ### Chezmoi Template System
+
 - Source files live in `home/` directory with Chezmoi naming conventions
 - `dot_` prefix → `.` (e.g., `dot_gitconfig.tmpl` → `~/.gitconfig`)
 - `.tmpl` suffix indicates Go template processing
 - Machine-specific config via `.chezmoidata.yaml` in repo root (defines variables like `email`, `name`, `is_work_machine`)
 - Chezmoi stores source at `~/.local/share/chezmoi`, config at `~/.config/chezmoi/chezmoi.toml`
 
 ### XDG Directory Structure
+
 All configs follow XDG conventions:
+
 - `~/.config` (XDG_CONFIG_HOME) - App configurations
 - `~/.local/share` (XDG_DATA_HOME) - App data, Zsh history, NVM, SDKMAN
 - `~/.cache` (XDG_CACHE_HOME) - Cache files
 - `~/.local/bin` (XDG_BIN_HOME) - User binaries
 
 ### Key Directories
+
 - `home/` - Chezmoi-managed dotfile templates
 - `home/dot_config/` - XDG config files (zsh, nvim, tmux, git, etc.)
 - `tools/` - Bootstrap and management scripts
@@ -57,19 +61,24 @@
 - `Brewfile` - Homebrew package manifest
 
 ### Bootstrap Flow
+
 `tools/bootstrap.sh` runs: Homebrew install → Chezmoi install → Apply dotfiles → Essential packages (Brewfile.essential) → Oh My Zsh → Zsh plugins → Cron setup
 
 After bootstrap, run `dotfiles setup` for complete installation (packages, extensions, ssh, defaults).
 
 ### Global Tools Config
+
 Edit `~/.config/dotfiles/config.yaml` to manage npm/pip/dotnet global tools, then run `dotfiles packages global`.
 
 ### Extensions
+
 Edit extension config files, then run `dotfiles packages extensions`:
+
 - `~/.config/dotfiles/vscode-extensions.txt` - VS Code extension IDs (one per line)
 - `~/.config/dotfiles/brave-extensions.txt` - Brave extension IDs (one per line)
 
 ### Windows Support
+
 - PowerShell profile at `~/Documents/PowerShell/` sources modular config from `~/.config/powershell/`
 - Windows bootstrap: `tools/os_installers/setup.ps1`
 - Chocolatey packages: `tools/os_installers/choco.ps1`

CONTRIBUTING.md

@@ -21,17 +21,20 @@ Thanks for your interest in contributing! This document provides guidelines for
 ### Local Development
 
 1. **Fork and clone the repository:**
+
    ```bash
    git clone https://github.com/YOUR_USERNAME/dotfiles.git
    cd dotfiles
    ```
 
 2. **Run the build script to validate:**
+
    ```bash
    ./build.sh
    ```
 
 3. **Test specific components:**
+
    ```bash
    ./build.sh lint      # Lint shell scripts
    ./build.sh syntax    # Check bash syntax
@@ -44,16 +47,19 @@ Thanks for your interest in contributing! This document provides guidelines for
 Before submitting a PR:
 
 1. **Run the full build:**
+
    ```bash
    ./build.sh all
    ```
 
 2. **Test bootstrap in dry-run mode:**
+
    ```bash
    ./tools/bootstrap.sh --dry-run
    ```
 
 3. **Test on a fresh environment** (optional but recommended):
+
    ```bash
    # Using a VM or container
    docker run -it ubuntu:latest bash
@@ -92,11 +98,13 @@ Before submitting a PR:
 ### Before Submitting
 
 1. **Create a branch** from `main`:
+
    ```bash
    git checkout -b feature/your-feature-name
    ```
 
 2. **Make your changes** and commit with clear messages:
+
    ```bash
    git commit -m "feat: add new feature X"
    ```
@@ -106,6 +114,7 @@ Before submitting a PR:
 4. **Update CHANGELOG.md** under `[Unreleased]`
 
 5. **Run the build** to ensure everything passes:
+
    ```bash
    ./build.sh
    ```
@@ -123,6 +132,7 @@ Follow [Conventional Commits](https://www.conventionalcommits.org/):
 - `chore:` Maintenance tasks
 
 Examples:
+
 ```
 feat: add Brave browser extension sync
 fix: correct Homebrew path detection on Intel Macs
@@ -181,6 +191,7 @@ dotfiles/
    - `private_` prefix for sensitive files
 
 2. Use Go templating for machine-specific config:
+
    ```
    {{ if eq .chezmoi.os "darwin" }}
    # macOS specific

README.md

@@ -102,6 +102,7 @@ dotfiles ssh                 # Interactive menu for SSH key management
 ```
 
 Options:
+
 - **restore** - Restore existing key from 1Password to `~/.ssh/`
 - **generate** - Generate new Ed25519 key directly in 1Password
 - **show** - Display your public key (for adding to GitHub/GitLab)
@@ -124,19 +125,22 @@ Keys are stored at `op://development/SSH Key/` and restored automatically when y
 Six cron jobs are set up automatically:
 
 **Security & Updates**
+
 | Schedule | Task | Description |
 |----------|------|-------------|
 | Daily 8am | `outdated.sh` | Check for outdated packages |
 | Monday 9am | `update.sh` | Update Homebrew packages |
 | Sunday 10am | `cleanup.sh` | Cleanup brew cache & temp files |
 
 **Backups & Maintenance**
+
 | Schedule | Task | Description |
 |----------|------|-------------|
 | Sunday 2am | `backup.sh` | Backup projects (git sync + archive) |
 | Saturday 4am | `git-maintenance.sh` | Run git gc on repositories |
 
 **Health Monitoring**
+
 | Schedule | Task | Description |
 |----------|------|-------------|
 | Daily 7am | `health.sh` | System health check |

SECURITY.md

@@ -27,16 +27,19 @@ bash -c "$(curl -fsSL https://raw.githubusercontent.com/kidchenko/dotfiles/main/
 **Before running this command:**
 
 1. **Review the script first:**
+
    ```bash
    curl -fsSL https://raw.githubusercontent.com/kidchenko/dotfiles/main/tools/bootstrap.sh | less
    ```
 
 2. **Use a specific release** (recommended for stability):
+
    ```bash
    bash -c "$(curl -fsSL https://raw.githubusercontent.com/kidchenko/dotfiles/v1.0.0/tools/bootstrap.sh)"
    ```
 
 3. **Run in dry-run mode** to preview changes:
+
    ```bash
    bash -c "$(curl -fsSL https://raw.githubusercontent.com/kidchenko/dotfiles/main/tools/bootstrap.sh)" -- --dry-run
    ```
@@ -50,6 +53,7 @@ This project uses **1Password CLI** for secrets management:
 - No secrets are stored in the repository
 
 **If you don't use 1Password:**
+
 - The bootstrap will skip 1Password integration
 - You'll need to manage SSH keys manually
 - Set `onepassword = false` in your Chezmoi config

docs/auto-update.md

@@ -345,7 +345,7 @@ echo "[$(date)] Running my task..." >> "$LOG_FILE"
 # Your task here
 ```
 
-2. Add entry to `cron/setup-cron.sh`:
+1. Add entry to `cron/setup-cron.sh`:
 
 ```bash
 CRON_JOBS=(
@@ -355,7 +355,7 @@ CRON_JOBS=(
 )
 ```
 
-3. Run setup:
+1. Run setup:
 
 ```bash
 dotfiles cron setup

docs/commands/backup.md

@@ -38,6 +38,7 @@ Default location: `~/Backups/tmp_project_backups/`
 ## Backup Retention
 
 When run via cron, only **2 backups** are kept:
+
 - Current week's backup
 - Previous week's backup
 
@@ -46,11 +47,13 @@ Older backups are automatically deleted.
 ## Scheduled Backups
 
 A cron job runs backups automatically:
+
 - **Schedule:** Sunday 2am
 - **Script:** `cron/backup.sh`
 - **Log:** `~/.local/log/backup-cron.log`
 
 Check scheduled backups:
+
 ```bash
 dotfiles cron
 ```
@@ -74,13 +77,15 @@ dotfiles logs backup
 ## Backup Location
 
 Backups are stored at:
+
 ```
 ~/Backups/tmp_project_backups/project-backup-YYYY-MM-DD.zip
 ```
 
 ## Configuring Backups
 
 Edit `scripts/backup/backup-projects.sh` to customize:
+
 - Which directories to backup
 - Backup destination
 - Exclusion patterns