From a92ab1a29c2c26f8d1556cfbce0d84af6afd5105 Mon Sep 17 00:00:00 2001 From: Micheal Wilkinson Date: Sat, 21 Mar 2026 13:08:24 +0000 Subject: [PATCH] docs: document security hardening improvements --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4bdb235..70c3f29 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,11 @@ A `### Breaking` section is used in addition to Keep a Changelog's standard sect ### Added +### Changed + +- Security hardening: file and directory creation now uses restrictive permissions (`0o750` for directories, `0o600` for files) instead of world-accessible defaults. Executable wrapper scripts are created with restricted permissions and then explicitly made executable via `chmod`. +- Security: `Open()` now executes the editor directly without shell intermediary to prevent injection through the `$EDITOR` environment variable. + - CI validation now runs `gosec` and `govulncheck` security scanning on push and pull request workflows. - `cmd/homesick` now includes entrypoint-focused tests that exercise both the CLI run path and `main` process path. - `rc` command: executes all executable scripts inside a castle's `.homesick.d/` directory in sorted order, with the castle root as the working directory. stdout/stderr from each script is forwarded to the caller.
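Review bot: the new `### Changed` heading and its two bullets are inserted directly after `### Added` and ahead of the existing entries, so `### Added` is left empty and the `gosec`/`govulncheck` CI entry, the `cmd/homesick` tests entry and the `rc` command entry now read as part of `### Changed`. Move the five added lines below the last `### Added` bullet so those entries stay under their original heading. Since both new bullets describe security fixes, Keep a Changelog's `### Security` section may be a better home than `### Changed`. The first bullet gives `0o750` and `0o600` but does not state the final mode of the wrapper scripts after `chmod`; naming that mode would let readers check it against their own umask expectations.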