From a4842cc3cef230e82c3e08a0b1b0badb581f589f Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Fri, 27 Feb 2026 04:44:58 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?= =?UTF-8?q?=20Fix=20backup=20system=20availability=20and=20confidentiality?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Fixed path to `backup-projects.sh` in `cron/backup.sh` (was pointing to non-existent `scripts/backup/`) - Enforced strict permissions on backup directories (`chmod 700`) in `tools/backup-projects.sh` - Enforced strict permissions on backup archives (`umask 077` -> `600`) in `tools/backup-projects.sh` - Refactored `exclude_args` to use bash arrays to prevent argument splitting and injection - Created `.jules/sentinel.md` journal for security learnings Co-authored-by: kidchenko <5432753+kidchenko@users.noreply.github.com> --- .jules/sentinel.md | 7 +++++++ cron/backup.sh | 2 +- tools/backup-projects.sh | 21 ++++++++++----------- 3 files changed, 18 insertions(+), 12 deletions(-) create mode 100644 .jules/sentinel.md
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..d14c3a4
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,7 @@
+# Sentinel Journal
+
+This journal records CRITICAL security learnings from the codebase.
+format: `## YYYY-MM-DD - [Title]
+**Vulnerability:** [What you found]
+**Learning:** [Why it existed]
+**Prevention:** [How to avoid next time]`
diff --git a/cron/backup.sh b/cron/backup.sh
index 5d4a660..f46151e 100755
--- a/cron/backup.sh
+++ b/cron/backup.sh
@@ -10,7 +10,7 @@ set -e # Paths SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" DOTFILES_DIR="$(dirname "$SCRIPT_DIR")" -BACKUP_SCRIPT="$DOTFILES_DIR/scripts/backup/backup-projects.sh" +BACKUP_SCRIPT="$DOTFILES_DIR/tools/backup-projects.sh" LOG_DIR="${XDG_STATE_HOME:-$HOME/.local/state}/dotfiles" LOG_FILE="$LOG_DIR/backup-cron.log" BACKUP_DIR="${XDG_DATA_HOME:-$HOME/.local/share}/dotfiles/backups" diff --git a/tools/backup-projects.sh b/tools/backup-projects.sh index 1b7f6d2..623c068 100755 --- a/tools/backup-projects.sh +++ b/tools/backup-projects.sh @@ -234,11 +234,10 @@ parse_args() { # --- Build Exclude Arguments for Zip --- build_exclude_args() { - local args=() + EXCLUDE_ARGS=() for pattern in "${EXCLUDE_PATTERNS[@]}"; do - args+=("-x" "*/${pattern}/*" "-x" "*/${pattern}") + EXCLUDE_ARGS+=("-x" "*/${pattern}/*" "-x" "*/${pattern}") done - echo "${args[@]}" } # --- Git Sync --- @@ -351,10 +350,12 @@ cmd_backup() { # Setup directories if [[ "$DRY_RUN" != true ]]; then mkdir -p "$BACKUP_TEMP_DIR" + chmod 700 "$BACKUP_TEMP_DIR" mkdir -p "$LOG_DIR" + chmod 700 "$LOG_DIR" else - debug "Would create: $BACKUP_TEMP_DIR" - debug "Would create: $LOG_DIR" + debug "Would create: $BACKUP_TEMP_DIR (mode 700)" + debug "Would create: $LOG_DIR (mode 700)" fi # Sync git repositories first @@ -406,17 +407,15 @@ cmd_backup() { done fi else - local exclude_args - exclude_args=$(build_exclude_args) + build_exclude_args ( cd "$HOME" || exit 1 + umask 077 if [[ "$VERBOSE" == true ]]; then - # shellcheck disable=SC2086 - zip -r "$archive_path" "${relative_paths[@]}" $exclude_args + zip -r "$archive_path" "${relative_paths[@]}" "${EXCLUDE_ARGS[@]}" else - # shellcheck disable=SC2086 - zip -r -q "$archive_path" "${relative_paths[@]}" $exclude_args + zip -r -q "$archive_path" "${relative_paths[@]}" "${EXCLUDE_ARGS[@]}" fi )
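Review bot: In `build_exclude_args` (tools/backup-projects.sh) the loop variable `pattern` is not declared `local`, and the function now hands back its result through the global `EXCLUDE_ARGS` without any comment saying so. Add `local pattern` before the loop and a header line such as `# Globals: EXCLUDE_PATTERNS (read), EXCLUDE_ARGS (written; reset on every call)`, so a later caller does not read a stale array. Passing the entries as array elements stops shell word-splitting, but each one is still embedded in a zip wildcard, so an entry containing `*` or `?` silently widens what is left out of the backup; that deserves a comment if the patterns can come from a config file, which is not visible here.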
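Review bot: In the directory setup of `cmd_backup` (whose body starts and ends outside this hunk), `mkdir -p` followed by `chmod 700` leaves a short window in which a newly created directory carries the default umask mode, and any parent directories that `mkdir -p` creates keep that wider mode. Creating under a tight umask closes the window: `( umask 077; mkdir -p "$BACKUP_TEMP_DIR" "$LOG_DIR" )`, keeping the two `chmod 700` lines to tighten directories that already exist. `chmod` follows symlinks, so if either path could already exist as a link the mode lands on the link target; a `[[ -L "$BACKUP_TEMP_DIR" ]]` style check before it would catch that. Only the temp and log directories are tightened here; whether the final backup destination gets the same treatment is not visible in this hunk.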
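Review bot: The quoted `"${EXCLUDE_ARGS[@]}"` expansion in the two `zip` calls aborts with "unbound variable" on bash older than 4.4 when the array is empty and `set -u` is active; whether this script enables `-u` is outside the hunk, but macOS still ships bash 3.2 and an empty `EXCLUDE_PATTERNS` would produce an empty array. If that applies, use `${EXCLUDE_ARGS[@]+"${EXCLUDE_ARGS[@]}"}` in both calls. The `umask 077` is correctly scoped to the subshell, but it only governs files created from now on, so archives written before this commit keep their old mode and need a one-off `chmod 600`. `cmd_backup` starts and ends outside the hunk.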