Skip to content

fix(security): create session transcript files with 0o600 permissions#18066

Merged
sebslight merged 2 commits intoopenclaw:mainfrom
brandonwise:fix/session-transcript-permissions
Feb 16, 2026
Merged

fix(security): create session transcript files with 0o600 permissions#18066
sebslight merged 2 commits intoopenclaw:mainfrom
brandonwise:fix/session-transcript-permissions

Conversation

@brandonwise
Copy link
Contributor

@brandonwise brandonwise commented Feb 16, 2026
edited by greptile-apps bot
Loading

Summary

Session transcript JSONL files contain full conversation history which may include sensitive information (API keys, tokens, credentials accidentally pasted). These files were being created with default umask permissions (typically 0o644, world-readable).

Changes

  • Set mode: 0o600 when creating new session transcript files in:
    • src/gateway/server-methods/chat.ts (ensureTranscriptFile)
    • src/config/sessions/transcript.ts (ensureSessionHeader)
  • Add .jsonl files to openclaw security audit --fix scope in src/security/fix.ts

This ensures session transcripts are user-only readable, matching the security model applied to other sensitive files like openclaw.json and auth-profiles.json.

Testing

  • pnpm exec vitest run src/security/fix.test.ts — 5/5 passing
  • pnpm exec vitest run src/config/sessions/sessions.test.ts — 7/7 passing
  • pnpm lint — 0 errors

Fixes #7862

Greptile Summary

Restricts session transcript files to user-only permissions (0o600) to prevent world-readable exposure of sensitive conversation data. The fix applies to both new file creation and existing files via openclaw security audit --fix.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The changes correctly address a legitimate security vulnerability by restricting file permissions on sensitive session transcripts. The implementation follows established patterns in the codebase, covers both sync/async file creation paths, and includes retroactive fixing of existing files. The fix is minimal, focused, and aligns with the security model already applied to other sensitive files.
  • No files require special attention

Last reviewed commit: c2d63f4

@openclaw-barnacle openclaw-barnacle bot added app: web-ui App: web-ui gateway Gateway runtime size: XS labels Feb 16, 2026
@sebslight sebslight self-assigned this Feb 16, 2026
@sebslight sebslight force-pushed the fix/session-transcript-permissions branch from c2d63f4 to 35a9002 Compare February 16, 2026 13:30
brandonwise and others added 2 commits February 16, 2026 08:31
@brandonwise @sebslight
fix(security): create session transcript files with 0o600 permissions
ad46491 
Session transcript JSONL files contain full conversation history which may
include sensitive information (API keys, tokens, credentials). These files
were being created with default umask permissions (typically 0o644, world-readable).

Changes:
- Set mode: 0o600 when creating new session transcript files in:
  - src/gateway/server-methods/chat.ts (ensureTranscriptFile)
  - src/config/sessions/transcript.ts (ensureSessionHeader)
- Add JSONL files to security audit --fix scope in src/security/fix.ts

This ensures session transcripts are user-only readable, matching the
security model applied to other sensitive files like openclaw.json and
auth-profiles.json.

Fixes openclaw#7862
@sebslight
test: add transcript permission regression coverage
962f497
@sebslight sebslight force-pushed the fix/session-transcript-permissions branch from 35a9002 to 962f497 Compare February 16, 2026 13:32
@sebslight sebslight merged commit 095d522 into openclaw:main Feb 16, 2026
23 checks passed
@sebslight
Copy link
Member

sebslight commented Feb 16, 2026

Merged via squash.

Thanks @brandonwise!

@github-actions github-actions bot mentioned this pull request Feb 16, 2026
Open
treygoff24 pushed a commit to treygoff24/openclaw that referenced this pull request Feb 16, 2026
@brandonwise
fix(security): create session transcript files with 0o600 permissions (
2f1d5e0 
…openclaw#18066)

Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 962f497
Co-authored-by: brandonwise <[email protected]>
Co-authored-by: sebslight <[email protected]>
Reviewed-by: @sebslight

(cherry picked from commit 095d522)
xinhuagu added a commit to xinhuagu/openclaw that referenced this pull request Feb 16, 2026
@xinhuagu
fix(security): harden file permissions for remaining session transcri…
edd2369 
…pt and memory write paths

Session transcript files created via forkSessionFromParent and the
pi-embedded session-manager-init, plus session-memory hook files, were
written with default umask permissions instead of 0o600.

This is a follow-up to openclaw#18066 which hardened the primary transcript
write path but missed these additional call sites.

Changes:
- auto-reply/reply/session.ts: chmod branched session files to 0o600
  after createBranchedSession, and set mode on fallback writeFileSync
- pi-embedded-runner/session-manager-init.ts: set mode 0o600 on reset
- session-memory/handler.ts: set mode 0o600 on memory file writes
- Added permission assertion in session fork test
@xinhuagu xinhuagu mentioned this pull request Feb 16, 2026
Closed
xinhuagu added a commit to xinhuagu/openclaw that referenced this pull request Feb 16, 2026
@xinhuagu
fix(security): set 0o600 on remaining session file write paths
2b43cc5 
Follow-up to openclaw#18066 — three session file write sites were missed:

- auto-reply/reply/session.ts: forked session transcript header
- pi-embedded-runner/session-manager-init.ts: session file reset
- gateway/server-methods/sessions.ts: compacted transcript rewrite

All now use mode 0o600 consistent with transcript.ts and chat.ts.
@xinhuagu xinhuagu mentioned this pull request Feb 16, 2026
Merged
steipete pushed a commit that referenced this pull request Feb 16, 2026
@xinhuagu @steipete
fix(security): set 0o600 on remaining session file write paths
ae0b110 
Follow-up to #18066 — three session file write sites were missed:

- auto-reply/reply/session.ts: forked session transcript header
- pi-embedded-runner/session-manager-init.ts: session file reset
- gateway/server-methods/sessions.ts: compacted transcript rewrite

All now use mode 0o600 consistent with transcript.ts and chat.ts.
@greptile-apps greptile-apps bot mentioned this pull request Feb 17, 2026
Merged
@github-actions github-actions bot mentioned this pull request Feb 18, 2026
Open
@jiulingyun jiulingyun mentioned this pull request Feb 18, 2026
Open
6 tasks
archerhpagent pushed a commit to howardpark/openclaw that referenced this pull request Feb 18, 2026
@brandonwise @sebslight
fix(security): create session transcript files with 0o600 permissions (
17f3032 
…openclaw#18066)

Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: 962f497
Co-authored-by: brandonwise <[email protected]>
Co-authored-by: sebslight <[email protected]>
Reviewed-by: @sebslight
archerhpagent pushed a commit to howardpark/openclaw that referenced this pull request Feb 18, 2026
@xinhuagu
fix(security): set 0o600 on remaining session file write paths
f9e5fe6 
Follow-up to openclaw#18066 — three session file write sites were missed:

- auto-reply/reply/session.ts: forked session transcript header
- pi-embedded-runner/session-manager-init.ts: session file reset
- gateway/server-methods/sessions.ts: compacted transcript rewrite

All now use mode 0o600 consistent with transcript.ts and chat.ts.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@sebslight sebslight

Labels

app: web-ui App: web-ui gateway Gateway runtime size: XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bug: Session transcript files (.jsonl) created with 644 permissions instead of 600

2 participants

@brandonwise @sebslight

Comments