fix(state): heal ~/.nemoclaw directory and file permissions on read path

[kagura-agent]

Summary

readConfigFile() did not call ensureConfigDir(), so read-only CLI commands (e.g. nemoclaw list) never triggered permission drift healing. If a user manually changed ~/.nemoclaw to 755, only a write operation would repair it back to 700.

Changes

• Call ensureConfigDir() in readConfigFile() before reading the file, ensuring parent directory permissions are healed (755 → 700) on every config access, not just writes
• After a successful read, check file-level permissions and tighten group/world bits (e.g. 644 → 600) to prevent credential exposure
• Add two tests in config-io.test.ts:
  • readConfigFile repairs a 755 parent directory to 700
  • readConfigFile repairs a 644 file to 600

Root Cause

readConfigFile() was a straight-through read with no security posture enforcement. ensureConfigDir() — which already handles permission drift healing — was only called from writeConfigFile(). This meant CLI commands that only read config (listing, status, etc.) would silently operate with weakened directory/file permissions.

Testing

All 13 tests pass in config-io.test.ts (11 existing + 2 new). Typecheck clean.

Fixes #4546

Signed-off-by: kagura-agent kagura.agent.ai@gmail.com

Summary by CodeRabbit

• Tests

  • Expanded test coverage for permission-repair and symlink-safety behavior around reading and ensuring config directories.

• Bug Fixes

  • Config handling now auto-tightens overly-permissive config file and root-level file permissions in the host user state directory, without following or modifying symlink targets.
  • Permission repairs are scoped: they skip mutable sandbox config trees and won’t block reads when noncritical healing fails.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: bf2b0e47-ad99-44b6-8d24-ffd87a2c8914

📥 Commits

Reviewing files that changed from the base of the PR and between 89ec19c and 6f40d44.

📒 Files selected for processing (2)

• src/lib/state/config-io.test.ts
• src/lib/state/config-io.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• src/lib/state/config-io.test.ts
• src/lib/state/config-io.ts

---

📝 Walkthrough

Walkthrough

Scoped predicates and a new healer tighten host config directory (700) and root-level files (600); readConfigFile now ensures parent dir, parses JSON, and best-effort tightens the file. Tests add sibling-heal and symlink-safety coverage and verify scope boundaries using a temporary HOME.

Changes

Config permission healing

Layer / File(s)	Summary
Host vs sandbox path scoping utilities src/lib/state/config-io.ts	Adds predicates to detect the host ~/.nemoclaw root and to identify mutable-sandbox OpenClaw config paths so healing is scoped correctly.
Root-level healing helper and ensureConfigDir integration src/lib/state/config-io.ts	Adds healRootLevelFiles(dirPath) which scans direct entries and best-effort tightens regular files to 0o600 (skips symlinks/subdirs); ensureConfigDir conditionally normalizes dir mode and invokes the healer only for the host ~/.nemoclaw root.
readConfigFile read-time behavior and file permission tighten src/lib/state/config-io.ts	readConfigFile attempts ensureConfigDir for the parent (rethrowing ConfigPermissionError, ignoring other dir errors), reads/parses JSON, then best-effort lstat+chmod the specific config file to 0o600 when group/world bits are present (skips sandbox paths and symlinks); healing failures are non-fatal.
Permission and symlink tests src/lib/state/config-io.test.ts	Adds Vitest cases: parent-dir tighten test (0o755→0o700), file-tighten test (0o644→0o600), directory-wide sibling healing to 0o600, ensure root-level heal skips symlinks, defensive test that read-time heal does not chmod symlink targets, and scope-boundary tests using a temporary HOME.

Sequence Diagram

sequenceDiagram
  participant Caller
  participant readConfigFile
  participant ensureConfigDir
  participant healRootLevelFiles
  participant FS
  Caller->>readConfigFile: request read
  readConfigFile->>ensureConfigDir: ensure/validate parent dir
  ensureConfigDir->>healRootLevelFiles: scan root entries
  healRootLevelFiles->>FS: lstat / chmod on regular files (skip symlinks)
  readConfigFile->>FS: read file (may ENOENT)
  readConfigFile->>FS: lstat + chmod on file (best-effort, skip symlinks)
  FS-->>readConfigFile: file contents / status
  readConfigFile-->>Caller: parsed JSON (or fallback)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

fix

🐰 I nibble bits of chmod lore,

Tighten doors to guard the store.
Dir to seven-zero, files to six-oh-oh,
Symlinks spared where soft winds blow,
A tiny hop—now safety grows.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 44.44% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main change: healing ~/.nemoclaw directory and file permissions during the read path (config reads).
Linked Issues check	✅ Passed	The PR fully addresses #4546 objectives: it heals ~/.nemoclaw directory permissions (755→700) and file permissions (644→600) on read operations, includes scope boundaries for non-host/sandbox paths, and provides comprehensive test coverage as required.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to #4546: config-io.ts adds healing helpers and integrates into read path; config-io.test.ts adds permission repair and symlink-safety tests. No unrelated modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[wscurran]

✨ Thanks for submitting this detailed PR about fixing the permission drift issue in the ~/.nemoclaw directory and file permissions. This proposes a way to heal the directory and file permissions on every config access, not just writes.

---

Related open issues:

• #4546 [Ubuntu 24.04][Security] ~/.nemoclaw directory perms stay 755 after manual change instead of being auto-repaired to 700

[cjagwani]

Approving. Pushed one follow-up commit (2e56702) to widen the heal to all root-level files in ~/.nemoclaw/ and close the symlink hole. full context:

• File coverage: #4546's acceptance criteria call out 5 root-level files (sandboxes.json, onboard-session.json, ollama-proxy-token, ollama-auth-proxy.pid, usage-notice.json). The original PR healed sandboxes.json via readConfigFile's per-file tighten — the other four are written by code paths that don't flow through readConfigFile/writeConfigFile (e.g. inference/ollama/proxy.ts, state/onboard-session.ts, onboard/usage-notice.ts). Added a healRootLevelFiles walk in ensureConfigDir so every nemoclaw invocation that touches the config dir restores the entire root level to 600.
• Symlink hole: both heal sites (healRootLevelFiles and readConfigFile's per-file tighten) now use lstat before chmod so a symlinked entry inside ~/.nemoclaw/ doesn't get chmodded through to a target outside the config dir.

Tests: 16/16 pass. Added 3 new — multi-sibling heal mirroring the issue's reproducer file list, plus two symlink-guard cases (one for the dir walk, one for the per-file heal).

Original directory healing logic + per-file heal kept intact — additive change only.

[cv]

Scope the host-state permission contract explicitly before the helper. This gives us a cheap guardrail so the 700/600 healer does not become a generic permission normalizer for mutable sandbox config paths.

Suggested change

	function healRootLevelFiles(dirPath: string): void {
	function hostNemoclawDir(): string {
	const home = process.env.HOME ?? os.homedir();
	return path.resolve(home, ".nemoclaw");
	}
	function isHostNemoclawRoot(dirPath: string): boolean {
	return path.resolve(dirPath) === hostNemoclawDir();
	}
	function isMutableSandboxConfigPath(targetPath: string): boolean {
	const resolved = path.resolve(targetPath);
	return resolved === "/sandbox/.openclaw" || resolved.startsWith("/sandbox/.openclaw/");
	}
	function healRootLevelFiles(dirPath: string): void {

[cv]

Track whether this call is touching the mutable OpenClaw sandbox tree. That path has its own permission contract and should not be normalized to host-state defaults.

Suggested change

	rejectSymlinksOnPath(dirPath);
	rejectSymlinksOnPath(dirPath);
	const mutableSandboxPath = isMutableSandboxConfigPath(dirPath);

[cv]

Please scope the root-level sibling sweep to the exact host NemoClaw state root. This preserves #4546 while avoiding another #4538-style regression if a future caller routes a mutable sandbox config directory through ensureConfigDir(). When applying this, also update the directory-mode chmod above to skip mutableSandboxPath.

Suggested change

	// Heal every root-level file in the dir, not just the one being read.
	// Issue #4546 expects auto-repair across all root-level files
	// (sandboxes.json, onboard-session.json, ollama-auth-proxy.pid,
	// ollama-proxy-token, usage-notice.json, etc.) — most of which are written
	// by code paths that don't flow through readConfigFile/writeConfigFile.
	// Doing the walk here means every nemoclaw invocation that touches the
	// config dir restores the entire root level to mode 600.
	healRootLevelFiles(dirPath);
	if (isHostNemoclawRoot(dirPath)) {
	// Heal every root-level file in the host NemoClaw state dir, not just the
	// one being read. Issue #4546 expects auto-repair across root-level files
	// such as sandboxes.json, onboard-session.json, and ollama-proxy-token.
	//
	// Keep this scoped to ~/.nemoclaw. Mutable sandbox config paths such as
	// /sandbox/.openclaw deliberately use group-writable permissions.
	healRootLevelFiles(dirPath);
	}

[cv]

Same boundary on the per-file heal: do not chmod through the generic read path when the file is a mutable sandbox OpenClaw config file.

Suggested change

	if (st.isFile() && (st.mode & 0o077) !== 0) {
	if (!isMutableSandboxConfigPath(filePath) && st.isFile() && (st.mode & 0o077) !== 0) {

[cv]

Please add regression coverage for the scope boundary. The important guarantee is: root-level sibling healing happens under the host ~/.nemoclaw root, but not in arbitrary config directories that may have a different permission contract.

Suggested change

	it("ensureConfigDir heals every root-level file in the dir, not just the one being read (#4546)", () => {
	// #4546 expects auto-repair across all root-level files. Most of those
	// files (onboard-session.json, ollama-proxy-token, etc.) are written by
	// code paths that don't flow through readConfigFile, so the read-time
	// per-file heal alone misses them. The dir walk in ensureConfigDir is
	// what covers them — verify by writing several siblings at 644 and
	// confirming a single read tightens all of them to 600.
	const dir = makeTempDir();
	fs.chmodSync(dir, 0o700);
	const target = path.join(dir, "config.json");
	fs.writeFileSync(target, JSON.stringify({ ok: true }), { mode: 0o600 });
	const siblings = [
	"onboard-session.json",
	"ollama-proxy-token",
	"ollama-auth-proxy.pid",
	"usage-notice.json",
	];
	for (const name of siblings) {
	fs.writeFileSync(path.join(dir, name), "stale", { mode: 0o644 });
	}
	readConfigFile(target, null);
	for (const name of siblings) {
	const mode = fs.statSync(path.join(dir, name)).mode & 0o777;
	expect(mode, `${name} should be tightened to 600`).toBe(0o600);
	}
	});
	it("ensureConfigDir skips symlinks during the root-level heal", () => {
	// A chmod on a symlink follows to the target — if ~/.nemoclaw/X is a
	// symlink to /etc/passwd, healing must NOT chmod /etc/passwd. lstat
	// before chmod keeps the heal scoped to real files inside the dir.
	//
	// Positive control: a regular sibling at 0o644 proves the walker
	// actually ran (it should be tightened to 0o600). Without the
	// control, this test would pass vacuously if the walker were a no-op.
	const dir = makeTempDir();
	fs.chmodSync(dir, 0o700);
	const target = path.join(dir, "config.json");
	fs.writeFileSync(target, JSON.stringify({ ok: true }), { mode: 0o600 });
	const sibling = path.join(dir, "should-be-healed.json");
	fs.writeFileSync(sibling, "stale", { mode: 0o644 });
	// Use mkdtempSync (via makeTempDir) for an unguessable outside path —
	// a predictable os.tmpdir()+pid path is a CodeQL "insecure temporary
	// file" pattern and lets a coresident attacker pre-create the target.
	const outsideDir = makeTempDir();
	const outside = path.join(outsideDir, "target");
	fs.writeFileSync(outside, "outside", { mode: 0o644 });
	const linkPath = path.join(dir, "rogue-link");
	fs.symlinkSync(outside, linkPath);
	readConfigFile(target, null);
	expect(
	fs.statSync(sibling).mode & 0o777,
	"positive control: walker tightened the regular sibling",
	).toBe(0o600);
	expect(
	fs.statSync(outside).mode & 0o777,
	"symlink target must not be chmodded through the link",
	).toBe(0o644);
	// Cleanup of linkPath and outside happens via afterEach (both live
	// inside dirs in tmpDirs).
	});
	it("readConfigFile does not chmod through a symlink even via the per-file heal", () => {
	// Defensive duplicate of the symlink check, this time for the per-file
	// heal in readConfigFile itself (not the dir walk in ensureConfigDir).
	const dir = makeTempDir();
	fs.chmodSync(dir, 0o700);
	const outsideDir = makeTempDir();
	const outside = path.join(outsideDir, "target.json");
	fs.writeFileSync(outside, JSON.stringify({ outside: true }), { mode: 0o644 });
	const symlinkPath = path.join(dir, "config.json");
	fs.symlinkSync(outside, symlinkPath);
	// Reading through the symlink should not chmod the target file.
	readConfigFile(symlinkPath, null);
	expect(fs.statSync(outside).mode & 0o777).toBe(0o644);
	// Cleanup via afterEach (both dirs are tracked in tmpDirs).
	});
	function withHome<T>(home: string, fn: () => T): T {
	const previous = process.env.HOME;
	process.env.HOME = home;
	try {
	return fn();
	} finally {
	if (previous === undefined) {
	delete process.env.HOME;
	} else {
	process.env.HOME = previous;
	}
	}
	}
	it("ensureConfigDir heals every root-level file in the host state root, not just the one being read (#4546)", () => {
	// #4546 expects auto-repair across all root-level files. Most of those
	// files (onboard-session.json, ollama-proxy-token, etc.) are written by
	// code paths that don't flow through readConfigFile, so the read-time
	// per-file heal alone misses them. The dir walk in ensureConfigDir is
	// what covers them - verify by writing several siblings at 644 and
	// confirming a single read tightens all of them to 600.
	const home = makeTempDir();
	const dir = path.join(home, ".nemoclaw");
	fs.mkdirSync(dir, { mode: 0o700 });
	const target = path.join(dir, "config.json");
	fs.writeFileSync(target, JSON.stringify({ ok: true }), { mode: 0o600 });
	const siblings = [
	"onboard-session.json",
	"ollama-proxy-token",
	"ollama-auth-proxy.pid",
	"usage-notice.json",
	];
	for (const name of siblings) {
	fs.writeFileSync(path.join(dir, name), "stale", { mode: 0o644 });
	}
	withHome(home, () => readConfigFile(target, null));
	for (const name of siblings) {
	const mode = fs.statSync(path.join(dir, name)).mode & 0o777;
	expect(mode, `${name} should be tightened to 600`).toBe(0o600);
	}
	});
	it("does not heal sibling files outside the host state root", () => {
	const home = makeTempDir();
	const dir = path.join(home, "other-config");
	fs.mkdirSync(dir, { mode: 0o700 });
	const target = path.join(dir, "config.json");
	const sibling = path.join(dir, "group-writable.json");
	fs.writeFileSync(target, JSON.stringify({ ok: true }), { mode: 0o600 });
	fs.writeFileSync(sibling, "keep-mutable", { mode: 0o660 });
	fs.chmodSync(sibling, 0o660);
	withHome(home, () => readConfigFile(target, null));
	expect(fs.statSync(sibling).mode & 0o777).toBe(0o660);
	});
	it("ensureConfigDir skips symlinks during the root-level heal", () => {
	// A chmod on a symlink follows to the target - if ~/.nemoclaw/X is a
	// symlink to /etc/passwd, healing must NOT chmod /etc/passwd. lstat
	// before chmod keeps the heal scoped to real files inside the dir.
	//
	// Positive control: a regular sibling at 0o644 proves the walker
	// actually ran (it should be tightened to 0o600). Without the
	// control, this test would pass vacuously if the walker were a no-op.
	const home = makeTempDir();
	const dir = path.join(home, ".nemoclaw");
	fs.mkdirSync(dir, { mode: 0o700 });
	const target = path.join(dir, "config.json");
	fs.writeFileSync(target, JSON.stringify({ ok: true }), { mode: 0o600 });
	const sibling = path.join(dir, "should-be-healed.json");
	fs.writeFileSync(sibling, "stale", { mode: 0o644 });
	const outsideDir = makeTempDir();
	const outside = path.join(outsideDir, "target");
	fs.writeFileSync(outside, "outside", { mode: 0o644 });
	fs.chmodSync(outside, 0o644);
	const linkPath = path.join(dir, "rogue-link");
	fs.symlinkSync(outside, linkPath);
	withHome(home, () => readConfigFile(target, null));
	expect(
	fs.statSync(sibling).mode & 0o777,
	"positive control: walker tightened the regular sibling",
	).toBe(0o600);
	expect(
	fs.statSync(outside).mode & 0o777,
	"symlink target must not be chmodded through the link",
	).toBe(0o644);
	});
	it("readConfigFile does not chmod through a symlink even via the per-file heal", () => {
	// Defensive duplicate of the symlink check, this time for the per-file
	// heal in readConfigFile itself (not the dir walk in ensureConfigDir).
	const dir = makeTempDir();
	fs.chmodSync(dir, 0o700);
	const outsideDir = makeTempDir();
	const outside = path.join(outsideDir, "target.json");
	fs.writeFileSync(outside, JSON.stringify({ outside: true }), { mode: 0o644 });
	fs.chmodSync(outside, 0o644);
	const symlinkPath = path.join(dir, "config.json");
	fs.symlinkSync(outside, symlinkPath);
	// Reading through the symlink should not chmod the target file.
	readConfigFile(symlinkPath, null);
	expect(fs.statSync(outside).mode & 0o777).toBe(0o644);
	});

[cjagwani]

@cv addressed in 6f40d44:

• Added hostNemoclawDir() / isHostNemoclawRoot() / isMutableSandboxConfigPath() predicates per your suggestion.
• ensureConfigDir: dir-mode chmod now skipped when path is a mutable-sandbox path; healRootLevelFiles runs only when path IS the host ~/.nemoclaw root.
• readConfigFile: per-file chmod skipped when path is mutable-sandbox.
• Added 2 scope-boundary regression tests (negative: arbitrary dir → no heal; positive: host root → heal fires). Updated the existing multi-sibling + symlink-positive-control tests to use a withHome helper so they place files under <HOME>/.nemoclaw and respect the new boundary.

18/18 tests pass. The previous APPROVED review still stands; rebased on latest main while I was here.