Generated by Offband issue reporting.
Summary
Code review: flowstate Token file is written before restrictive permissions are applied
Routing
- Repo:
offband/FlowState
- Repo class:
public_tool
- Rule id:
code_review.security_surface
- Candidate key:
code-review:flowstate:write-token
- Category:
code-review
- Severity:
warning
- Review profile:
code_review
- Review target:
flowstate
- Labels:
offband-report, weekly, needs-owner, code-review
- Source:
code_review.bounded_ai
Expected
Product repositories should avoid actionable code risks identified by bounded source review.
Observed
src/flowstate_runtime/auth.py:16: _write_token writes the bearer token to disk with path.write_text(...) and only then calls _make_private(path) to chmod it to 0600.
Why It Matters
On systems with a permissive umask, the token file can be created with broader default permissions before chmod is applied, exposing the runtime bearer token to other local users during creation.
Decision Needed
Create the token file with restrictive permissions at open time, or otherwise ensure permissions are set before token bytes are written.
Policy Source
config/issue-reporting.json: code_review
Evidence
{
"artifact_path": "<redacted-path>",
"canonical_topic": "write-token",
"dedupe_core": "write-token",
"dedupe_subject": "identifier:write-token",
"finding": {
"confidence": "high",
"finding_class": "security_surface",
"impact": "On systems with a permissive umask, the token file can be created with broader default permissions before chmod is applied, exposing the runtime bearer token to other local users during creation.",
"line": 16,
"owner_decision": "Create the token file with restrictive permissions at open time, or otherwise ensure permissions are set before token bytes are written.",
"path": "src/flowstate_runtime/auth.py",
"summary": "`_write_token` writes the bearer token to disk with `path.write_text(...)` and only then calls `_make_private(path)` to chmod it to `0600`.",
"title": "Token file is written before restrictive permissions are applied"
},
"line": 16,
"path": "src/flowstate_runtime/auth.py",
"semantic_topic": "write-token"
}
Suggested Resolution
Create the token file with restrictive permissions at open time, or otherwise ensure permissions are set before token bytes are written.
Report
- Report generated:
2026-07-01T09:46:16Z
- Candidate key:
code-review:flowstate:write-token
Generated by Offband issue reporting.
Summary
Code review: flowstate Token file is written before restrictive permissions are applied
Routing
offband/FlowStatepublic_toolcode_review.security_surfacecode-review:flowstate:write-tokencode-reviewwarningcode_reviewflowstateoffband-report, weekly, needs-owner, code-reviewcode_review.bounded_aiExpected
Product repositories should avoid actionable code risks identified by bounded source review.
Observed
src/flowstate_runtime/auth.py:16:
_write_tokenwrites the bearer token to disk withpath.write_text(...)and only then calls_make_private(path)to chmod it to0600.Why It Matters
On systems with a permissive umask, the token file can be created with broader default permissions before chmod is applied, exposing the runtime bearer token to other local users during creation.
Decision Needed
Create the token file with restrictive permissions at open time, or otherwise ensure permissions are set before token bytes are written.
Policy Source
config/issue-reporting.json: code_review
Evidence
{ "artifact_path": "<redacted-path>", "canonical_topic": "write-token", "dedupe_core": "write-token", "dedupe_subject": "identifier:write-token", "finding": { "confidence": "high", "finding_class": "security_surface", "impact": "On systems with a permissive umask, the token file can be created with broader default permissions before chmod is applied, exposing the runtime bearer token to other local users during creation.", "line": 16, "owner_decision": "Create the token file with restrictive permissions at open time, or otherwise ensure permissions are set before token bytes are written.", "path": "src/flowstate_runtime/auth.py", "summary": "`_write_token` writes the bearer token to disk with `path.write_text(...)` and only then calls `_make_private(path)` to chmod it to `0600`.", "title": "Token file is written before restrictive permissions are applied" }, "line": 16, "path": "src/flowstate_runtime/auth.py", "semantic_topic": "write-token" }Suggested Resolution
Create the token file with restrictive permissions at open time, or otherwise ensure permissions are set before token bytes are written.
Report
2026-07-01T09:46:16Zcode-review:flowstate:write-token