[AUTOMATION] fix(clawpatch): address daily finding

[michiosw]

Where We Are

Claude hook install and uninstall rewrote ~/.claude/settings.json and the backup file with 0644. That makes a private Claude settings file readable by other local users after a guard hook change.

Where We Want To Go

Keep the existing Claude settings permissions when we rewrite the file. If the file is created fresh, default it to 0600.

How do we get there

Read the current file mode before writing settings.json or its backup, then reuse that mode instead of hard-coding 0644. Added regression coverage for both install and uninstall to assert the rewritten settings file and the backup stay 0600. Verified with go test ./..., go vet ./..., npm exec --yes --package pnpm@10.0.0 -- pnpm install --frozen-lockfile, npm exec --yes --package pnpm@10.0.0 -- pnpm --dir web/guard-dashboard typecheck, and git diff --check.

[michiosw]

• [AUTOMATION] fix(clawpatch): address daily finding #290 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[greptile-apps]

Greptile Summary

This PR updates Claude hook settings rewrites to preserve file permissions. The main changes are:

• Reads the current Claude settings mode before writing settings or backups.
• Defaults newly created settings files to 0600.
• Adds install and uninstall tests for preserving 0600 on settings and backups.

Confidence Score: 3/5

This should be fixed before merging.

• Existing affected settings.json files can remain readable after the updated rewrite path.

• Backup rewrites can collide within one second and keep broader permissions on the existing backup.

• The tests cover preserving a private file, but not repairing an already widened file.

• internal/guard/cli/cli.go

Security Review

• Existing Claude settings permissions can remain overly broad in writeJSONFile, leaving previously widened settings.json files readable by other local users.
• Backup filename collisions in backupFile can preserve broad permissions on an existing backup file.

Important Files Changed

Filename	Overview
internal/guard/cli/cli.go	Adds permission-preserving writes for Claude settings and backups, but relies on os.WriteFile in existing-file cases.
internal/guard/cli/cli_test.go	Adds coverage for preserving 0600, but does not cover already-widened files or backup filename collisions.

_{Reviews (1): Last reviewed commit: "fix(clawpatch): address daily finding" | Re-trigger Greptile}

[greptile-apps]

Existing modes stay broad

os.WriteFile only applies the mode argument when it creates a new file. When settings.json already exists, this call truncates and rewrites it without changing its permissions. A user whose Claude settings were already widened to 0644 by an earlier install/uninstall will still have a world-readable settings file after running this fixed path, so the affected local privacy issue remains in place.

[greptile-apps]

Backup collisions keep permissions

The backup filename has only second-level precision, and this write overwrites an existing backup if two hook operations run in the same second. Since os.WriteFile does not chmod an existing file, a colliding backup that was first created with broader permissions can stay broad even when this call computes 0600; it can also replace the earlier backup contents.