
Bug: Session transcript files (.jsonl) created with 644 permissions instead of 600 #7862

@stephenf5

Description

Session transcript files in ~/.openclaw/agents/<agentId>/sessions/*.jsonl are being created with 644 (world-readable) permissions instead of 600 (user-only).

These files contain full conversation history, which may include sensitive information like API keys, tokens, or credentials that were discussed or accidentally pasted.

Expected Behavior

Session files should be created with 0o600 permissions, matching the security model applied to other sensitive files like openclaw.json, auth-profiles.json, etc.

Actual Behavior

New .jsonl session files are created with 0o644 permissions:

-rw-r--r--  1 user  staff  5019 Feb  2 23:47 56690efd-4f5f-4876-9c3a-9d3893982d15.jsonl

Evidence

  1. openclaw security audit --fix correctly sets directory permissions but does not iterate over individual session transcript files
  2. Source code in json-file.js and config/io.js shows explicit chmod 600 calls, but these don't appear to be applied to session transcripts
  3. New files created after manually fixing permissions still have 644

Environment

  • OpenClaw version: 2026.1.29
  • OS: macOS (Darwin 24.6.0)
  • System umask: 022 (default)

Workaround

find ~/.openclaw/agents -name '*.jsonl' -exec chmod 600 {} \;

Suggested Fix

  1. Ensure session transcript writes use explicit mode: 0o600
  2. Add .jsonl files to openclaw security audit --fix scope
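
An added Node.js sketch of the two suggested fixes, not taken from the OpenClaw source: `appendTranscript` and `fixTranscriptModes` are hypothetical names, and `demo` reproduces the 644 result in a temporary directory under umask 022 with constructed data.

```javascript
// Added example, not OpenClaw source; function names are hypothetical.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");
const PRIVATE = 0o600;
const modeOf = (file) => fs.statSync(file).mode & 0o777;

// Append one JSONL record to a transcript that only the owner can read.
function appendTranscript(file, record) {
  // The mode argument only applies when open() creates the file...
  const fd = fs.openSync(file, "a", PRIVATE);
  try {
    // ...so fchmod also tightens a file that already existed as 0644.
    fs.fchmodSync(fd, PRIVATE);
    fs.writeSync(fd, JSON.stringify(record) + "\n");
  } finally { fs.closeSync(fd); }
}

// Audit pass: chmod every .jsonl under root that is not 0600; returns fixed paths.
function fixTranscriptModes(root) {
  const fixed = [];
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    const full = path.join(root, entry.name);
    if (entry.isDirectory()) {
      fixed.push(...fixTranscriptModes(full));
    } else if (entry.isFile() && entry.name.endsWith(".jsonl") && modeOf(full) !== PRIVATE) {
      fs.chmodSync(full, PRIVATE);
      fixed.push(full);
    }
  }
  return fixed;
}

// Reproduce the report in a temp directory under umask 022 (constructed data).
function demo() {
  const previousUmask = process.umask(0o022);
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "sessions-"));
  try {
    const legacy = path.join(root, "legacy.jsonl");
    fs.appendFileSync(legacy, "{}\n"); // default 0o666 & ~0o022 = 0o644
    const legacyBefore = modeOf(legacy);
    const fresh = path.join(root, "fresh.jsonl");
    appendTranscript(fresh, { role: "user", content: "constructed sample" });
    const fixed = fixTranscriptModes(root).map((p) => path.basename(p));
    return { legacyBefore, fresh: modeOf(fresh), fixed, legacyAfter: modeOf(legacy) };
  } finally {
    process.umask(previousUmask);
    fs.rmSync(root, { recursive: true, force: true });
  }
}
```

Directory entries that are symlinks are skipped by the audit walk, since `isFile()` and `isDirectory()` on a `Dirent` do not follow links.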
