Atomic write helper for files holding sensitive content.
write_secret_file writes via a temp file + rename so partial writes
are never observable, and on Unix opens the temp file with mode 0600
so the bytes are never world-readable even between create and rename.
Functions
- ensure_secret_file - Ensure a sensitive append-only file exists with mode 0600 set at creation time. Subsequent appends inherit the mode. No-op if the file already exists.
- write_secret_file - Atomically write `content` to `path`. Creates parent dirs as needed. On Unix the temp file is opened with mode 0o600.
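
The temp file + rename pattern described above, written with only the standard library. This is an added example, not this crate's implementation of write_secret_file; the function name `write_secret_atomic`, the `.tmp.<pid>` suffix and the demo path in `main` are assumptions.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::path::Path;

/// Hypothetical helper (not the crate's write_secret_file): write `content`
/// to `path` via a sibling temp file created with mode 0600, then rename.
pub fn write_secret_atomic(path: &Path, content: &[u8]) -> io::Result<()> {
    let parent = path
        .parent()
        .filter(|p| !p.as_os_str().is_empty())
        .unwrap_or_else(|| Path::new("."));
    fs::create_dir_all(parent)?;

    // Keep the temp file in the same directory so the rename never crosses
    // a filesystem boundary. The ".tmp.<pid>" suffix is an assumption.
    let mut tmp_name = path
        .file_name()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "no file name"))?
        .to_os_string();
    tmp_name.push(format!(".tmp.{}", std::process::id()));
    let tmp = parent.join(tmp_name);

    let mut opts = OpenOptions::new();
    opts.write(true).create_new(true); // fail rather than reuse an existing file
    #[cfg(unix)]
    {
        use std::os::unix::fs::OpenOptionsExt;
        opts.mode(0o600); // applied at open(2), so no window with wider bits
    }

    let mut f = opts.open(&tmp)?;
    let written = f.write_all(content).and_then(|_| f.sync_all());
    drop(f); // close before renaming
    let result = written.and_then(|_| fs::rename(&tmp, path));
    if result.is_err() {
        let _ = fs::remove_file(&tmp); // do not leave secret bytes behind
    }
    result
}

fn main() -> io::Result<()> {
    // Constructed demo path and content.
    let path = std::env::temp_dir().join("secret_demo_example").join("token");
    write_secret_atomic(&path, b"constructed-demo-secret")
}
```

A reader of `path` sees either the previous content or the complete new content, and the rename carries the temp file's 0600 mode over to the destination.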