Skip to content

Code review: flowstate Token file is written before permissions are restricted #10

Description

@ajbeaver

Generated by Offband issue reporting.

Summary

Code review: flowstate Token file is written before permissions are restricted

Routing

  • Repo: offband/FlowState
  • Repo class: public_tool
  • Rule id: code_review.security_surface
  • Candidate key: code-review:flowstate:auth-permission-secret
  • Category: code-review
  • Severity: warning
  • Review profile: code_review
  • Review target: flowstate
  • Labels: offband-report, weekly, needs-owner, code-review
  • Source: code_review.bounded_ai

Expected

Product repositories should avoid actionable code risks identified by bounded source review.

Observed

src/flowstate_runtime/auth.py:16: _write_token writes the bearer token with Path.write_text() and only then applies chmod(0o600).

Why It Matters

On systems with a permissive umask or during the brief create/write window, the runtime bearer token can be created with broader filesystem permissions than intended before being tightened, exposing the secret used to authenticate MCP requests.

Decision Needed

Create the token file with private permissions from the start, or otherwise ensure the write is atomic and never observable with broader permissions.

Policy Source

config/issue-reporting.json: code_review

Evidence

{
  "artifact_path": "<redacted-path>",
  "canonical_topic": "auth-permission-secret",
  "dedupe_core": "write-token",
  "dedupe_subject": "symbol:write-token",
  "finding": {
    "confidence": "high",
    "finding_class": "security_surface",
    "impact": "On systems with a permissive umask or during the brief create/write window, the runtime bearer token can be created with broader filesystem permissions than intended before being tightened, exposing the secret used to authenticate MCP requests.",
    "line": 16,
    "owner_decision": "Create the token file with private permissions from the start, or otherwise ensure the write is atomic and never observable with broader permissions.",
    "path": "src/flowstate_runtime/auth.py",
    "summary": "_write_token writes the bearer token with Path.write_text() and only then applies chmod(0o600).",
    "title": "Token file is written before permissions are restricted"
  },
  "line": 16,
  "path": "src/flowstate_runtime/auth.py",
  "semantic_topic": "auth-permission-secret"
}

Suggested Resolution

Create the token file with private permissions from the start, or otherwise ensure the write is atomic and never observable with broader permissions.

Report

  • Report generated: 2026-07-05T23:05:46Z
  • Candidate key: code-review:flowstate:auth-permission-secret

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions