File size: 914 Bytes
ce9684e | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | """Regression: a pre-existing loose `~/.sibyl-memory` must be tightened to 0700.
`mkdir(mode=0o700)` is a no-op when the directory already exists, so a dir that
was created earlier at 0755 kept loose permissions on the credentials directory.
`write_credentials_atomic` now chmods the parent to 0700 explicitly.
Source: beta security report (dor_alpha, 2026-06-01).
"""
import os
import stat
from sibyl_memory_cli.cli import write_credentials_atomic
def test_preexisting_loose_dir_is_tightened(tmp_path):
d = tmp_path / ".sibyl-memory"
d.mkdir()
os.chmod(d, 0o755) # simulate a pre-existing loose directory
assert stat.S_IMODE(d.stat().st_mode) == 0o755
write_credentials_atomic({"tenant_id": "t"}, path=d / "credentials.json")
assert stat.S_IMODE(d.stat().st_mode) == 0o700, "parent dir not tightened to 0700"
assert stat.S_IMODE((d / "credentials.json").stat().st_mode) == 0o600
|