From 191cc01bf5833a4c7636f8fc4d9b4c5066982822 Mon Sep 17 00:00:00 2001
From: Brian de Alwis <bsd@acm.org>
Date: Fri, 8 Aug 2025 23:05:30 -0400
Subject: [PATCH] fix(core): restrict  oauth_creds.json file permissions
 (#5245)

Co-authored-by: cornmander <shikhman@google.com>
---
 packages/core/src/code_assist/oauth2.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/core/src/code_assist/oauth2.ts b/packages/core/src/code_assist/oauth2.ts
index f1046416..dc1ec490 100644
--- a/packages/core/src/code_assist/oauth2.ts
+++ b/packages/core/src/code_assist/oauth2.ts
@@ -366,7 +366,7 @@ async function cacheCredentials(credentials: Credentials) {
   await fs.mkdir(path.dirname(filePath), { recursive: true });
 
   const credString = JSON.stringify(credentials, null, 2);
-  await fs.writeFile(filePath, credString);
+  await fs.writeFile(filePath, credString, { mode: 0o600 });
 }
 
 function getCachedCredentialPath(): string {