Module fs_secure

Filesystem helpers that create files with owner-only permissions (0o600) on Unix.

Every sensitive file written by Zeph (vault ciphertext, audit JSONL, debug dumps, router state, transcript sidecars) must be created through one of these helpers so that the permission guarantee is auditable in a single location.

§Unix vs non-Unix

On Unix the helpers set mode 0o600 via OpenOptionsExt::mode. On non-Unix platforms (Windows) the helpers fall back to plain OpenOptions without extra permissions — Windows uses ACLs rather than mode bits, and proper ACL hardening requires additional platform-specific code (TODO: tracked for a follow-up issue). The Windows fallback is not atomic for atomic_write_private: std::fs::rename fails with ERROR_ALREADY_EXISTS when the destination already exists, unlike the POSIX atomic-replace semantics.

§Residual risks

  • The fixed .tmp suffix in atomic_write_private is a symlink-race target on shared directories. Callers that open files in directories they do not own must use tempfile::NamedTempFile::persist instead.
  • SQLite WAL/SHM sidecar files (.db-wal, .db-shm) are created by sqlx after the pool opens and inherit the process umask. There is no way to prevent this without upstream sqlx support; see zeph-db for best-effort post-open chmod.

Functions§

append_private
Open path in append mode, creating it with mode 0o600 on Unix if it does not exist.
atomic_write_private
Write data to path via a crash-safe replace: write to <path>.tmp (0o600 on Unix), fsync the tmp file, rename it over the target, then fsync the parent directory.
open_private_truncate
Create or truncate path with owner-read/write-only permissions on Unix (0o600).
write_private
Write data to path, creating or truncating the file with mode 0o600 on Unix.
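The crash-safe sequence that atomic_write_private describes (tmp file created with mode 0o600 on Unix, fsync, rename over the target, fsync the parent directory), together with the cfg-gated Unix/non-Unix fallback from the section above, written out as an added std-only example. This is illustrative code, not Zeph's own implementation; the helper names `set_private_mode` and `mode_bits` are this example's.

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{self, Write};
use std::path::{Path, PathBuf};

/// Unix: request mode 0o600 at creation time, so the file is never visible
/// with a wider mode between create and a later chmod.
#[cfg(unix)]
fn set_private_mode(opts: &mut OpenOptions) {
    use std::os::unix::fs::OpenOptionsExt;
    opts.mode(0o600);
}

/// Non-Unix: plain OpenOptions, as the module documents (ACL hardening is a TODO).
#[cfg(not(unix))]
fn set_private_mode(_opts: &mut OpenOptions) {}

/// Crash-safe private write: `<path>.tmp` (0o600 on Unix) -> fsync ->
/// rename over `path` -> fsync the parent directory.
pub fn atomic_write_private(path: &Path, data: &[u8]) -> io::Result<()> {
    let mut tmp_name = path.as_os_str().to_owned();
    tmp_name.push(".tmp"); // fixed suffix: see "Residual risks" for shared directories
    let tmp = PathBuf::from(tmp_name);

    let mut opts = OpenOptions::new();
    opts.write(true).create(true).truncate(true);
    set_private_mode(&mut opts);
    let mut f = opts.open(&tmp)?;
    f.write_all(data)?;
    f.sync_all()?; // tmp contents and metadata reach disk before the rename
    drop(f);

    fs::rename(&tmp, path)?; // atomic replace on POSIX; ERROR_ALREADY_EXISTS on Windows
    #[cfg(unix)]
    {
        // Make the directory entry change (the rename itself) durable too.
        let dir = path.parent().filter(|d| !d.as_os_str().is_empty()).unwrap_or(Path::new("."));
        File::open(dir)?.sync_all()?;
    }
    Ok(())
}

/// Permission bits of `path` (Unix only), for verifying the 0o600 guarantee.
#[cfg(unix)]
pub fn mode_bits(path: &Path) -> io::Result<u32> {
    use std::os::unix::fs::PermissionsExt;
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}
```

A second call on an existing target replaces it in place and leaves no `.tmp` file behind; `mode_bits` lets a caller audit the resulting permissions after the write.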