docs: document security hardening improvements
Some checks failed
Push Validation / validate (push) Failing after 3m49s
@@ -13,6 +13,11 @@ A `### Breaking` section is used in addition to Keep a Changelog's standard sect
|
|||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
- Security hardening: file and directory creation now uses restrictive permissions (`0o750` for directories, `0o600` for files) instead of world-accessible defaults. Executable wrapper scripts are created with restricted permissions and then explicitly made executable via `chmod`.
|
||||||
|
- Security: `Open()` now executes the editor directly without shell intermediary to prevent injection through the `$EDITOR` environment variable.
|
||||||
|
|
||||||
- CI validation now runs `gosec` and `govulncheck` security scanning on push and pull request workflows.
|
- CI validation now runs `gosec` and `govulncheck` security scanning on push and pull request workflows.
|
||||||
- `cmd/homesick` now includes entrypoint-focused tests that exercise both the CLI run path and `main` process path.
|
- `cmd/homesick` now includes entrypoint-focused tests that exercise both the CLI run path and `main` process path.
|
||||||
- `rc` command: executes all executable scripts inside a castle's `.homesick.d/` directory in sorted order, with the castle root as the working directory. stdout/stderr from each script is forwarded to the caller.
|
- `rc` command: executes all executable scripts inside a castle's `.homesick.d/` directory in sorted order, with the castle root as the working directory. stdout/stderr from each script is forwarded to the caller.
|
||||||
|
|||||||
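Review bot: As rendered here, the new `### Changed` heading and its two entries land directly under the existing `### Added` heading and ahead of that section's bullets, so `### Added` is left empty and the three existing entries (CI `gosec`/`govulncheck` scanning, the `cmd/homesick` entrypoint tests, the `rc` command) now read as part of `### Changed`. Move the new block below the last `### Added` entry (the `rc` command line) so each heading keeps its own entries. Separately, the `Open()` entry should state how an `$EDITOR` value that carries arguments is handled once the shell intermediary is gone; if such values stop working, the hunk header's context line says this changelog has a `### Breaking` section, which would be the place for it.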