fix: secure .key file permissions and add integrity validation (#706) #803

Open

sleepy wants to merge 0 commits from fix/key-file-permissions-706 into main

pull from: fix/key-file-permissions-706

merge into: sleepy:main

sleepy:main

sleepy:dev

sleepy:fix/effective-mode-undefined

sleepy:fix/async-generator-500

sleepy:refactor/split-small-routes-779

sleepy:refactor/split-session-routes-778

sleepy:refactor/split-llm-core-700

sleepy:refactor/split-chat-routes-724

sleepy:refactor/split-model-routes-701

sleepy:refactor/split-skills-routes-777

sleepy:refactor/split-document-routes-769

sleepy:refactor/split-ai-interaction-722

sleepy:refactor/split-cookbook-routes-775

sleepy:refactor/split-builtin-actions-723

sleepy:refactor/split-task-scheduler-774

sleepy:refactor/tool-execution-split-667

sleepy:fix/rag-health-coordinator-756

sleepy:fix/agent-core-missing-round-loop

sleepy:fix/rag-health-check-756

sleepy:fix/missing-readmes-782

sleepy:fix/search-files-split-772

sleepy:fix/dedup-search-impl-771

sleepy:fix/mcp-integrations-split-781

sleepy:fix/cookbook-helpers-split-785

sleepy:fix/search-cross-feature-776

sleepy:fix/graceful-llm-degradation-770

sleepy:fix/dedup-research-handler-773

sleepy:fix/cross-route-coupling-780

sleepy:fix/skills-typed-request-762

sleepy:fix/chat-stream-pydantic-731

sleepy:fix/chat-handler-imports-737

sleepy:fix/public-llm-exports-730

sleepy:fix/dedup-search-content-784

sleepy:fix/dedup-stream-parse-735

sleepy:fix/stream-error-boundary-734

sleepy:fix/typed-event-names-786

sleepy:fix/dedup-js-utilities-792

sleepy:fix/skills-index-lookup-761

sleepy:fix/xss-charname-innerhtml-788

sleepy:fix/coderunner-document-write-789

sleepy:fix/ai-interaction-thread-safety-729

sleepy:fix/client-side-api-key-regex-793

sleepy:fix/dead-loadingtext-796

sleepy:fix/active-streams-eviction-736

sleepy:fix/builtin-actions-sqlite-orm-732

sleepy:fix/llm-core-thread-safety-709

sleepy:fix/singleton-thread-safety-768

sleepy:fix/video-upload-multimodal-826

sleepy:fix/mic-button-audio-825

sleepy:fix/multimodal-capabilities-827

sleepy:fix/dedup-system-msg-717

sleepy:fix/service-dead-calls-750

sleepy:fix/db-session-context-manager-757

sleepy:fix/dedup-llmconfig-710

sleepy:fix/keyword-lists-764-v2

sleepy:fix/keyword-lists-764

sleepy:fix/llm-cache-ttl-708

sleepy:fix/validate-config-711

sleepy:fix/totp-constant-time-689

sleepy:fix/admin-tools-constant-681

sleepy:fix/dedup-truncate-670

sleepy:fix/threadsafe-extractions-audit-754

sleepy:fix/dedup-json-io-767

sleepy:fix/695-deduplicate-admin-check

sleepy:fix/upload-auth-dedup-765

sleepy:fix/705-deduplicate-network-constants

sleepy:fix/deduplicate-chunking-749

sleepy:fix/760-deduplicate-embed

sleepy:fix/dedup-validation-759

sleepy:fix/748-deduplicate-tokenization

sleepy:fix/add-readmes-728-742-782

sleepy:fix/embedding-retry-766

sleepy:fix/deterministic-doc-ids-753

sleepy:fix/search-facade-783

sleepy:fix/remove-dead-memory-746

sleepy:fix/remove-rag-manager-747

sleepy:fix/dead-docstring-763

sleepy:refactor/split-tool-schemas-666

sleepy:refactor/split-agent-loop-664

sleepy:refactor/split-tool-implementations-665

sleepy:fix/mark-stopped-500-663

sleepy:fix/streamingtts-scope-662

sleepy:fix/code-block-tool-parsing-661

Conversation 0 Commits - Files changed -

sleepy commented 2026-06-03 16:00:12 +02:00

Owner

Copy link

Fixes #706

Summary

Three security improvements to src/api_key_manager.py:

1. File permissions (0o600): The .key file is now chmod 0o600 immediately after creation, using the project's existing safe_chmod from core.platform_compat (same pattern as secret_storage.py and integrations.py). No-ops on Windows.

2. Key file integrity validation: get_or_create_key() now checks the key file length (Fernet keys are 44 bytes url-safe base64). If the file is corrupt, empty, or wrong length, it logs an error and regenerates the key.

3. Code cleanup: Extracted _generate_key() helper to centralize key creation + permission setting.

Out of scope

• Issue item 4 (load() decrypts all keys on every call) is out of scope for this fix.

Testing

• 6 new tests in tests/test_api_key_manager.py (all passing)
• Existing security regression tests unaffected (48/48 pass)

Fixes #706 ## Summary Three security improvements to src/api_key_manager.py: 1. **File permissions (0o600)**: The .key file is now chmod 0o600 immediately after creation, using the project's existing safe_chmod from core.platform_compat (same pattern as secret_storage.py and integrations.py). No-ops on Windows. 2. **Key file integrity validation**: get_or_create_key() now checks the key file length (Fernet keys are 44 bytes url-safe base64). If the file is corrupt, empty, or wrong length, it logs an error and regenerates the key. 3. **Code cleanup**: Extracted _generate_key() helper to centralize key creation + permission setting. ### Out of scope - Issue item 4 (load() decrypts all keys on every call) is out of scope for this fix. ### Testing - 6 new tests in tests/test_api_key_manager.py (all passing) - Existing security regression tests unaffected (48/48 pass)

sleepy added 1 commit 2026-06-03 16:00:12 +02:00

fix: secure .key file permissions and add integrity validation ... 46863f5529

Issue: #706

- Add safe_chmod(path, 0o600) after writing the Fernet key file, using
  the project's existing core.platform_compat.safe_chmod (cross-platform,
  no-ops on Windows).
- Validate key file length (must be 44 bytes / url-safe base64) before
  use; regenerate with a warning if corrupt or wrong length.
- Extract _generate_key() helper to avoid duplication.
- Add tests: 0o600 permissions, corrupt/empty key regeneration,
  encrypt/decrypt round-trip, save/load.

This branch is already included in the target branch. There is nothing to merge.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin fix/key-file-permissions-706:fix/key-file-permissions-706

git switch fix/key-file-permissions-706

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch main

git merge --no-ff fix/key-file-permissions-706

git switch fix/key-file-permissions-706

git rebase main

git switch main

git merge --ff-only fix/key-file-permissions-706

git switch fix/key-file-permissions-706

git rebase main

git switch main

git merge --no-ff fix/key-file-permissions-706

git switch main

git merge --squash fix/key-file-permissions-706

git switch main

git merge --ff-only fix/key-file-permissions-706

git switch main

git merge fix/key-file-permissions-706

git push origin main

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

area:chat

  

area:core

  

area:llm

  

area:routes

  

area:tools

  

bug

Something isn't working

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

enhancement

New feature or request

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

question

Further information is requested

  

refactor

  

wontfix

This will not be worked on

No labels

area:chat

area:core

area:llm

area:routes

area:tools

bug

documentation

duplicate

enhancement

good first issue

help wanted

invalid

question

refactor

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

sleepy/odysseus!803

No description provided.