From 389ecf0499e93f446c414c42820b2beca6d51077 Mon Sep 17 00:00:00 2001
From: Le Song <781226451@qq.com>
Date: Sun, 22 Feb 2026 00:56:36 +0800
Subject: [PATCH] fix(config): add test for 0600 permissions on config file
 save

(cherry picked from commit a50877dbd2fe069c10ac41ff2f53fcf81864e690)
---
 src/config/schema.rs | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/src/config/schema.rs b/src/config/schema.rs
index 0b6a76bad..7ed46fd49 100644
--- a/src/config/schema.rs
+++ b/src/config/schema.rs
@@ -4591,6 +4591,7 @@ mod tests {
     use tokio::test;
     use tokio_stream::wrappers::ReadDirStream;
     use tokio_stream::StreamExt;
+    use tempfile::TempDir;
 
     // ── Defaults ─────────────────────────────────────────────
 
@@ -4660,6 +4661,27 @@ mod tests {
         );
     }
 
+    #[cfg(unix)]
+    #[test]
+    async fn save_sets_config_permissions_on_new_file() {
+        let temp = TempDir::new().expect("temp dir");
+        let config_path = temp.path().join("config.toml");
+        let workspace_dir = temp.path().join("workspace");
+
+        let mut config = Config::default();
+        config.config_path = config_path.clone();
+        config.workspace_dir = workspace_dir;
+
+        config.save().await.expect("save config");
+
+        let mode = std::fs::metadata(&config_path)
+            .expect("config metadata")
+            .permissions()
+            .mode()
+            & 0o777;
+        assert_eq!(mode, 0o600);
+    }
+
     #[test]
     async fn observability_config_default() {
         let o = ObservabilityConfig::default();