security: restrict permissions of imported WireGuard profiles to 0600

WireGuard profile files contain sensitive private keys. Previously, these files were written with 0644 permissions, making them world-readable. This commit changes the file mode to 0600 to ensure only the owner can read and write the profiles. - Updated `handleProfileImport` to use 0600 permissions. - Added tests to verify that imported profiles have the correct permissions.
author: James O'Doherty <james@theodohertyfamily.com> 2026-06-07 21:51:48 -0400
committer: James O'Doherty <james@theodohertyfamily.com> 2026-06-07 21:51:48 -0400
commit: 7010768877c227c9410a06908e4cb3e54db403bd (patch)
tree: 317512603d9358b272240d53ea4b09b1b81eacd3 /internal/cli/cli.go
parent: 184deac4efe2062db6ecd2285ec8db1e919f9441 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/internal/cli/cli.go b/internal/cli/cli.go
index a4b9a9a..d100d4f 100644
--- a/internal/cli/cli.go
+++ b/internal/cli/cli.go
@@ -324,7 +324,7 @@ func (a *App) handleProfileImport(srcPath string, name string) error {
 		return fmt.Errorf("failed to read source file: %w", err)
 	}
 
-	if err := os.WriteFile(destPath, data, 0644); err != nil {
+	if err := os.WriteFile(destPath, data, 0600); err != nil {
 		return fmt.Errorf("failed to write profile to %s: %w", destPath, err)
 	}
author	James O'Doherty <james@theodohertyfamily.com>	2026-06-07 21:51:48 -0400
committer	James O'Doherty <james@theodohertyfamily.com>	2026-06-07 21:51:48 -0400
commit	7010768877c227c9410a06908e4cb3e54db403bd (patch)
tree	317512603d9358b272240d53ea4b09b1b81eacd3 /internal/cli/cli.go
parent	184deac4efe2062db6ecd2285ec8db1e919f9441 (diff)