Harden gateway auth and file boundaries

pkg/config/config.go

@@ -804,7 +804,7 @@ func SaveConfig(path string, cfg *Config) error {
 		return err
 	}
 
-	return os.WriteFile(path, data, 0644)
+	return os.WriteFile(path, data, 0600)
 }
 
 func (c *Config) WorkspacePath() string {

pkg/config/config_save_test.go

@@ -0,0 +1,28 @@
+package config
+
+import (
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+)
+
+func TestSaveConfigUsesOwnerOnlyPermissions(t *testing.T) {
+	t.Parallel()
+
+	if runtime.GOOS == "windows" {
+		t.Skip("permission bits are not reliable on windows")
+	}
+
+	path := filepath.Join(t.TempDir(), "config.json")
+	if err := SaveConfig(path, DefaultConfig()); err != nil {
+		t.Fatalf("save config: %v", err)
+	}
+	info, err := os.Stat(path)
+	if err != nil {
+		t.Fatalf("stat config: %v", err)
+	}
+	if got := info.Mode().Perm(); got != 0o600 {
+		t.Fatalf("expected 0600 permissions, got %o", got)
+	}
+}