cclaw-cli 0.48.2 → 0.48.3

package/dist/content/opencode-plugin.js

@@ -2,7 +2,8 @@ import { RUNTIME_ROOT } from "../constants.js";
 import { META_SKILL_NAME } from "./meta-skill.js";
 export function opencodePluginJs(_options = {}) {
     return `// cclaw OpenCode plugin — generated by cclaw sync
-import { existsSync, mkdirSync, readFileSync } from "node:fs";
+import { existsSync, mkdirSync } from "node:fs";
+import { readFile, stat } from "node:fs/promises";
 import { join } from "node:path";
 
 export default function cclawPlugin(ctx) {
@@ -33,9 +34,9 @@ export default function cclawPlugin(ctx) {
     }
   }
 
-  function readFlowState() {
+  async function readFlowState() {
     try {
-      const raw = readFileSync(flowStatePath, "utf8");
+      const raw = await readFile(flowStatePath, "utf8");
       const state = JSON.parse(raw);
       return {
         stage: typeof state.currentStage === "string" ? state.currentStage : "none",
@@ -47,23 +48,23 @@ export default function cclawPlugin(ctx) {
     }
   }
 
-  function readFileText(filePath) {
+  async function readFileText(filePath) {
     try {
-      return readFileSync(filePath, "utf8");
+      return await readFile(filePath, "utf8");
     } catch {
       return "";
     }
   }
 
-  function readTailLines(filePath, maxLines) {
-    const text = readFileText(filePath).trim();
+  async function readTailLines(filePath, maxLines) {
+    const text = (await readFileText(filePath)).trim();
     if (!text) return [];
     return text.split(/\\r?\\n/).slice(-maxLines);
   }
 
-  function readCheckpointSummary() {
+  async function readCheckpointSummary() {
     try {
-      const raw = readFileText(checkpointPath);
+      const raw = await readFileText(checkpointPath);
       if (!raw) return "";
       const cp = JSON.parse(raw);
       return \`Checkpoint: stage=\${cp.stage || "none"}, status=\${cp.status || "unknown"}, run=\${cp.runId || "none"}, at=\${cp.timestamp || "unknown"}\`;
@@ -72,10 +73,10 @@ export default function cclawPlugin(ctx) {
     }
   }
 
-  function readContextMode() {
+  async function readContextMode() {
     let mode = "default";
     try {
-      const parsed = JSON.parse(readFileText(contextModePath));
+      const parsed = JSON.parse(await readFileText(contextModePath));
       if (parsed && typeof parsed.activeMode === "string" && parsed.activeMode.trim().length > 0) {
         mode = parsed.activeMode.trim();
       }
@@ -87,9 +88,9 @@ export default function cclawPlugin(ctx) {
     return { mode, guide };
   }
 
-  function readRecentActivity() {
+  async function readRecentActivity() {
     try {
-      const lines = readTailLines(activityPath, 5);
+      const lines = await readTailLines(activityPath, 5);
       if (lines.length === 0) return [];
       return lines
         .map((line) => {
@@ -106,9 +107,9 @@ export default function cclawPlugin(ctx) {
     }
   }
 
-  function readLatestContextWarning() {
+  async function readLatestContextWarning() {
     try {
-      const line = readTailLines(contextWarningsPath, 1)[0];
+      const line = (await readTailLines(contextWarningsPath, 1))[0];
       if (!line) return "";
       try {
         const parsed = JSON.parse(line);
@@ -122,8 +123,8 @@ export default function cclawPlugin(ctx) {
     }
   }
 
-  function readKnowledgeDigest() {
-    const digest = readFileText(knowledgeDigestPath).trim();
+  async function readKnowledgeDigest() {
+    const digest = (await readFileText(knowledgeDigestPath)).trim();
     if (!digest) {
       return readTailLines(knowledgePath, 12);
     }
@@ -134,68 +135,219 @@ export default function cclawPlugin(ctx) {
       .filter((line) => !line.startsWith("#"));
   }
 
-  function buildBootstrap() {
-    const flow = readFlowState();
+  const BOOTSTRAP_MARKER = "<!-- cclaw-bootstrap-v1 -->";
+
+  async function buildBootstrap() {
+    const flow = await readFlowState();
     const parts = [
+      BOOTSTRAP_MARKER,
       \`cclaw loaded. Flow: stage=\${flow.stage} (\${flow.completed}/8 completed, run=\${flow.activeRunId}). Active artifacts: ${RUNTIME_ROOT}/artifacts/\`
     ];
-    const contextMode = readContextMode();
+    const contextMode = await readContextMode();
     parts.push(
       contextMode.guide
         ? \`Context mode: \${contextMode.mode} (guide: \${contextMode.guide})\`
         : \`Context mode: \${contextMode.mode}\`
     );
 
-    const checkpoint = readCheckpointSummary();
+    const checkpoint = await readCheckpointSummary();
     if (checkpoint) parts.push(checkpoint);
 
-    const digest = readFileText(sessionDigestPath).trim();
+    const digest = (await readFileText(sessionDigestPath)).trim();
     if (digest) parts.push("Last session:", digest);
 
-    const activity = readRecentActivity();
+    const activity = await readRecentActivity();
     if (activity.length > 0) parts.push("Recent stage activity:", ...activity);
 
-    const warning = readLatestContextWarning();
+    const warning = await readLatestContextWarning();
     if (warning) parts.push("Latest context warning:", warning);
 
-    const knowledge = readKnowledgeDigest();
+    const knowledge = await readKnowledgeDigest();
     if (knowledge.length > 0) parts.push("Knowledge digest (top relevant entries):", ...knowledge);
 
     parts.push(
       "If you discover a non-obvious rule or pattern, append one strict-schema JSON line to .cclaw/knowledge.jsonl using type: rule, pattern, lesson, or compound."
     );
 
-    const meta = readFileText(metaSkillPath).trim();
+    const meta = (await readFileText(metaSkillPath)).trim();
     if (meta) parts.push("", meta);
     return parts.join("\\n");
   }
 
   let bootstrapCache = "";
+  let bootstrapMtimes = new Map();
+  let bootstrapRefreshPromise = null;
+  const BOOTSTRAP_SOURCE_PATHS = [
+    flowStatePath,
+    checkpointPath,
+    activityPath,
+    contextWarningsPath,
+    contextModePath,
+    sessionDigestPath,
+    knowledgePath,
+    knowledgeDigestPath,
+    metaSkillPath
+  ];
+
+  async function readMtimeMs(filePath) {
+    try {
+      const st = await stat(filePath);
+      return Number.isFinite(st.mtimeMs) ? st.mtimeMs : 0;
+    } catch {
+      return 0;
+    }
+  }
+
+  async function snapshotBootstrapMtimes() {
+    const next = new Map();
+    for (const filePath of BOOTSTRAP_SOURCE_PATHS) {
+      next.set(filePath, await readMtimeMs(filePath));
+    }
+    return next;
+  }
+
+  async function bootstrapNeedsRefresh() {
+    if (!bootstrapCache) return true;
+    for (const filePath of BOOTSTRAP_SOURCE_PATHS) {
+      const prev = bootstrapMtimes.get(filePath) ?? 0;
+      const now = await readMtimeMs(filePath);
+      if (prev !== now) return true;
+    }
+    return false;
+  }
 
-  function refreshBootstrapCache() {
-    bootstrapCache = buildBootstrap();
+  async function refreshBootstrapCache(force = false) {
+    if (!force && !(await bootstrapNeedsRefresh())) {
+      return bootstrapCache;
+    }
+    if (bootstrapRefreshPromise) {
+      return bootstrapRefreshPromise;
+    }
+    bootstrapRefreshPromise = (async () => {
+      const nextBootstrap = await buildBootstrap();
+      const nextMtimes = await snapshotBootstrapMtimes();
+      bootstrapCache = nextBootstrap;
+      bootstrapMtimes = nextMtimes;
+      return bootstrapCache;
+    })();
+    try {
+      return await bootstrapRefreshPromise;
+    } finally {
+      bootstrapRefreshPromise = null;
+    }
   }
 
   function getBootstrap() {
-    if (!bootstrapCache) refreshBootstrapCache();
     return bootstrapCache;
   }
 
+  const MAX_CONCURRENT_HOOKS = 2;
+  let runningHookTasks = 0;
+  const pendingHookTasks = [];
+
+  function runNextHookTask() {
+    if (runningHookTasks >= MAX_CONCURRENT_HOOKS) return;
+    const queued = pendingHookTasks.shift();
+    if (!queued) return;
+    runningHookTasks += 1;
+    queued()
+      .catch(() => false)
+      .finally(() => {
+        runningHookTasks -= 1;
+        runNextHookTask();
+      });
+  }
+
+  function scheduleHookTask(task) {
+    return new Promise((resolve) => {
+      const wrapped = async () => {
+        try {
+          resolve(await task());
+        } catch {
+          resolve(false);
+        }
+      };
+      pendingHookTasks.push(wrapped);
+      runNextHookTask();
+    });
+  }
+
   async function runHookScript(scriptFileName, payload = {}) {
-    const { spawnSync } = await import("node:child_process");
+    const { spawn } = await import("node:child_process");
     const scriptPath = join(root, "${RUNTIME_ROOT}/hooks/" + scriptFileName);
     const input = typeof payload === "string" ? payload : JSON.stringify(payload ?? {});
-    try {
-      const result = spawnSync("bash", [scriptPath], {
-        cwd: root,
-        timeout: 20000,
-        stdio: ["pipe", "ignore", "ignore"],
-        input
+    return scheduleHookTask(() => new Promise((resolve) => {
+      let stderr = "";
+      let settled = false;
+      const finish = (ok) => {
+        if (settled) return;
+        settled = true;
+        resolve(ok);
+      };
+
+      let child;
+      try {
+        child = spawn("bash", [scriptPath], {
+          cwd: root,
+          stdio: ["pipe", "ignore", "pipe"]
+        });
+      } catch {
+        finish(false);
+        return;
+      }
+
+      const timer = setTimeout(() => {
+        child.kill("SIGKILL");
+        if (stderr.length > 0) {
+          console.error("[cclaw] opencode hook timeout: " + scriptFileName + " stderr=" + stderr.slice(-1200));
+        }
+        finish(false);
+      }, 20_000);
+
+      child.stderr?.on("data", (chunk) => {
+        stderr += String(chunk ?? "");
+        if (stderr.length > 4000) {
+          stderr = stderr.slice(-4000);
+        }
       });
-      return typeof result.status === "number" ? result.status === 0 : false;
-    } catch {
-      return false;
-    }
+      child.on("error", () => {
+        clearTimeout(timer);
+        finish(false);
+      });
+      child.on("close", (code) => {
+        clearTimeout(timer);
+        const ok = code === 0;
+        if (!ok && stderr.length > 0) {
+          console.error("[cclaw] opencode hook failed: " + scriptFileName + " stderr=" + stderr.slice(-1200));
+        }
+        finish(ok);
+      });
+      if (child.stdin) {
+        child.stdin.on("error", (error) => {
+          const code =
+            error && typeof error === "object" && "code" in error
+              ? String(error.code)
+              : "";
+          if (code === "EPIPE" || code === "ERR_STREAM_DESTROYED") {
+            return;
+          }
+          clearTimeout(timer);
+          finish(false);
+        });
+        try {
+          child.stdin.end(input);
+        } catch (error) {
+          const code =
+            error && typeof error === "object" && "code" in error
+              ? String(error.code)
+              : "";
+          if (code !== "EPIPE" && code !== "ERR_STREAM_DESTROYED") {
+            clearTimeout(timer);
+            finish(false);
+          }
+        }
+      }
+    }));
   }
 
   function normalizeToolPayload(input, output) {
@@ -207,9 +359,15 @@ export default function cclawPlugin(ctx) {
     if (typeof payload === "string") return payload;
     if (payload && typeof payload === "object") {
       if (typeof payload.type === "string") return payload.type;
+      if (typeof payload.eventType === "string") return payload.eventType;
+      if (typeof payload.kind === "string") return payload.kind;
+      if (typeof payload.topic === "string") return payload.topic;
       if (typeof payload.name === "string") return payload.name;
       if (payload.event && typeof payload.event === "object") {
         if (typeof payload.event.type === "string") return payload.event.type;
+        if (typeof payload.event.eventType === "string") return payload.event.eventType;
+        if (typeof payload.event.kind === "string") return payload.event.kind;
+        if (typeof payload.event.topic === "string") return payload.event.topic;
         if (typeof payload.event.name === "string") return payload.event.name;
       }
     }
@@ -217,18 +375,40 @@ export default function cclawPlugin(ctx) {
   }
 
   function resolveEventData(payload) {
-    if (payload && typeof payload === "object" && payload.event && typeof payload.event === "object") {
-      return payload.event;
+    if (payload && typeof payload === "object") {
+      if (payload.event && typeof payload.event === "object") {
+        if (payload.event.data && typeof payload.event.data === "object") {
+          return payload.event.data;
+        }
+        if (payload.event.payload && typeof payload.event.payload === "object") {
+          return payload.event.payload;
+        }
+        return payload.event;
+      }
+      if (payload.data && typeof payload.data === "object") {
+        return payload.data;
+      }
+      if (payload.payload && typeof payload.payload === "object") {
+        return payload.payload;
+      }
     }
     return payload;
   }
 
   ensureRuntimeDirs();
+  void refreshBootstrapCache(true);
 
   return {
     event: async (payload) => {
       const eventType = resolveEventType(payload);
       const eventData = resolveEventData(payload);
+      if (!eventType) {
+        const keys =
+          payload && typeof payload === "object"
+            ? Object.keys(payload).slice(0, 10).join(", ")
+            : typeof payload;
+        console.error("[cclaw] opencode unknown event payload keys: " + keys);
+      }
       if (
         eventType === "session.created" ||
         eventType === "session.resumed" ||
@@ -242,7 +422,7 @@ export default function cclawPlugin(ctx) {
         // session.updated covers config reloads and artifact/rules edits
         // that happen mid-session; without it the cache would stay stale
         // until the next compaction or restart.
-        refreshBootstrapCache();
+        await refreshBootstrapCache(true);
       }
       if (eventType === "session.compacted") {
         await runHookScript("pre-compact.sh", eventData ?? {});
@@ -264,14 +444,16 @@ export default function cclawPlugin(ctx) {
     "tool.execute.after": async (input, output) => {
       const payload = normalizeToolPayload(input, output);
       await runHookScript("context-monitor.sh", payload);
+      void refreshBootstrapCache(false);
     },
     "experimental.chat.system.transform": (payload) => {
       const bootstrap = getBootstrap();
+      if (!bootstrap) return payload;
       if (typeof payload === "string") {
-        return payload.includes("cclaw loaded.") ? payload : \`\${payload}\\n\\n\${bootstrap}\`;
+        return payload.includes(BOOTSTRAP_MARKER) ? payload : \`\${payload}\\n\\n\${bootstrap}\`;
       }
       if (payload && typeof payload === "object" && typeof payload.system === "string") {
-        if (payload.system.includes("cclaw loaded.")) return payload;
+        if (payload.system.includes(BOOTSTRAP_MARKER)) return payload;
         return { ...payload, system: \`\${payload.system}\\n\\n\${bootstrap}\` };
       }
       return payload;

package/dist/content/stage-schema.js

@@ -198,7 +198,7 @@ const STAGE_AUTO_SUBAGENT_DISPATCH = {
         {
             agent: "doc-updater",
             mode: "proactive",
-            when: "When public behavior, APIs, or config surfaces change.",
+            when: "Proactive in tdd when public behavior, APIs, or config surfaces change.",
             purpose: "Prevent code/docs drift before review and ship.",
             requiresUserGate: false
         }

package/dist/delegation.js

@@ -238,7 +238,7 @@ export async function appendDelegation(projectRoot, entry) {
             runId: activeRunId,
             entries: [...prior.entries, stamped]
         };
-        await writeFileSafe(filePath, `${JSON.stringify(ledger, null, 2)}\n`);
+        await writeFileSafe(filePath, `${JSON.stringify(ledger, null, 2)}\n`, { mode: 0o600 });
     });
 }
 /**

package/dist/doctor.js

@@ -5,7 +5,7 @@ import { pathToFileURL } from "node:url";
 import { promisify } from "node:util";
 import { REQUIRED_DIRS, RUNTIME_ROOT, UTILITY_COMMANDS } from "./constants.js";
 import { CCLAW_AGENTS } from "./content/core-agents.js";
-import { detectAdvancedKeys, readConfig } from "./config.js";
+import { detectAdvancedKeys, InvalidConfigError, readConfig } from "./config.js";
 import { exists } from "./fs-utils.js";
 import { gitignoreHasRequiredPatterns } from "./gitignore.js";
 import { HARNESS_ADAPTERS, CCLAW_MARKER_START, CCLAW_MARKER_END, harnessShimFileNames, harnessShimSkillNames } from "./harness-adapters.js";
@@ -209,6 +209,15 @@ async function readJsonObjectStatus(filePath) {
         };
     }
 }
+async function readPermissionBits(filePath) {
+    try {
+        const stat = await fs.stat(filePath);
+        return stat.mode & 0o777;
+    }
+    catch {
+        return null;
+    }
+}
 function normalizeOpenCodePluginEntry(entry) {
     if (typeof entry === "string" && entry.trim().length > 0)
         return entry.trim();
@@ -457,6 +466,7 @@ export async function doctorChecks(projectRoot, options = {}) {
         checks.push({
             name: "config:valid",
             ok: false,
+            severity: error instanceof InvalidConfigError ? "error" : "warning",
             details: error instanceof Error ? error.message : "Invalid config"
         });
     }
@@ -1373,6 +1383,30 @@ export async function doctorChecks(projectRoot, options = {}) {
         ok: activeRunId.length > 0,
         details: `${RUNTIME_ROOT}/state/flow-state.json must include activeRunId`
     });
+    const sensitivePermissionTargets = [
+        path.join(projectRoot, RUNTIME_ROOT, "state", "flow-state.json"),
+        path.join(projectRoot, RUNTIME_ROOT, "state", "delegation-log.json"),
+        path.join(projectRoot, RUNTIME_ROOT, "state", "reconciliation-notices.json"),
+        path.join(projectRoot, RUNTIME_ROOT, "state", "worktrees.json"),
+        path.join(projectRoot, RUNTIME_ROOT, "state", "active-feature.json"),
+        path.join(projectRoot, RUNTIME_ROOT, "knowledge.jsonl")
+    ];
+    const permissiveStateFiles = [];
+    for (const targetPath of sensitivePermissionTargets) {
+        const bits = await readPermissionBits(targetPath);
+        if (bits === null)
+            continue;
+        if (bits > 0o640) {
+            permissiveStateFiles.push(`${path.relative(projectRoot, targetPath)}:${bits.toString(8)}`);
+        }
+    }
+    checks.push({
+        name: "warning:state:file_permissions",
+        ok: true,
+        details: permissiveStateFiles.length === 0
+            ? "sensitive state files are <=0640 permissions"
+            : `warning: sensitive state files are overly permissive (${permissiveStateFiles.join(", ")}). Run \`chmod 600 .cclaw/state/*.json .cclaw/state/*.jsonl .cclaw/knowledge.jsonl\` if this machine is multi-user.`
+    });
     const reconciliationNotices = await readReconciliationNotices(projectRoot);
     checks.push({
         name: "state:reconciliation_notices_parse",

package/dist/eval/runner.js

@@ -524,6 +524,34 @@ function stagesInResults(caseResults) {
         set.add(c.stage);
     return FLOW_STAGES.filter((s) => set.has(s));
 }
+const MAX_PARALLEL_CASES = 4;
+async function runCasesWithBoundedConcurrency(items, concurrency, worker) {
+    if (items.length === 0) {
+        return [];
+    }
+    const limit = Math.max(1, Math.min(concurrency, items.length));
+    if (limit === 1) {
+        const results = [];
+        for (let i = 0; i < items.length; i += 1) {
+            results.push(await worker(items[i], i));
+        }
+        return results;
+    }
+    const results = new Array(items.length);
+    let cursor = 0;
+    const runners = Array.from({ length: limit }, async () => {
+        while (true) {
+            const index = cursor;
+            cursor += 1;
+            if (index >= items.length) {
+                return;
+            }
+            results[index] = await worker(items[index], index);
+        }
+    });
+    await Promise.all(runners);
+    return results;
+}
 /**
  * Main eval runner. Dispatches between fixture-backed verification, the
  * single-stage agent-with-tools loop, and the multi-stage workflow
@@ -653,8 +681,11 @@ export async function runEval(options) {
         }
     }
     else {
-        for (let i = 0; i < corpus.length; i += 1) {
-            const item = corpus[i];
+        // Only parallelize fixture/rules verification passes that do not depend on
+        // LLM judge/agent loops. Those modes touch cost guards and retries where
+        // ordered execution is safer.
+        const caseConcurrency = flags.runJudge || flags.runAgent ? 1 : MAX_PARALLEL_CASES;
+        const results = await runCasesWithBoundedConcurrency(corpus, caseConcurrency, async (item, i) => {
             progress.emit({
                 kind: "case-start",
                 caseId: item.id,
@@ -682,8 +713,9 @@ export async function runEval(options) {
                 durationMs: result.durationMs,
                 ...(result.costUsd !== undefined ? { costUsd: result.costUsd } : {})
             });
-            caseResults.push(result);
-        }
+            return result;
+        });
+        caseResults.push(...results);
     }
     const stages = stagesInResults(caseResults);
     const baselines = await loadBaselinesByStage(options.projectRoot, stages);

package/dist/feature-system.js

@@ -178,7 +178,7 @@ async function writeRegistry(projectRoot, registry) {
         updatedAt: registry.updatedAt,
         entries: dedupeEntries(registry.entries)
     };
-    await writeFileSafe(worktreeRegistryPath(projectRoot), `${JSON.stringify(normalized, null, 2)}\n`);
+    await writeFileSafe(worktreeRegistryPath(projectRoot), `${JSON.stringify(normalized, null, 2)}\n`, { mode: 0o600 });
 }
 async function readActiveFeatureMetaInternal(projectRoot) {
     const filePath = activeFeatureMetaPath(projectRoot);
@@ -213,7 +213,7 @@ async function writeActiveFeatureMeta(projectRoot, meta) {
         activeFeature: normalizedFeatureId(meta.activeFeature),
         updatedAt: meta.updatedAt
     };
-    await writeFileSafe(activeFeatureMetaPath(projectRoot), `${JSON.stringify(normalized, null, 2)}\n`);
+    await writeFileSafe(activeFeatureMetaPath(projectRoot), `${JSON.stringify(normalized, null, 2)}\n`, { mode: 0o600 });
 }
 function registryHasFeature(registry, featureId) {
     return registry.entries.some((entry) => entry.featureId === featureId);

package/dist/fs-utils.d.ts

@@ -18,7 +18,10 @@ export interface DirectoryLockOptions {
  * The lock is removed in a finally block.
  */
 export declare function withDirectoryLock<T>(lockPath: string, fn: () => Promise<T>, options?: DirectoryLockOptions): Promise<T>;
-export declare function writeFileSafe(filePath: string, content: string): Promise<void>;
+export interface WriteFileSafeOptions {
+    mode?: number;
+}
+export declare function writeFileSafe(filePath: string, content: string, options?: WriteFileSafeOptions): Promise<void>;
 export declare function exists(filePath: string): Promise<boolean>;
 export declare function removeIfExists(targetPath: string): Promise<void>;
 export declare function resolveProjectPath(cwd: string, relativePath: string): string;

package/dist/fs-utils.js

@@ -70,12 +70,16 @@ export async function withDirectoryLock(lockPath, fn, options = {}) {
         });
     }
 }
-export async function writeFileSafe(filePath, content) {
+export async function writeFileSafe(filePath, content, options = {}) {
     await ensureDir(path.dirname(filePath));
     const tempPath = path.join(path.dirname(filePath), `.${path.basename(filePath)}.tmp-${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`);
-    await fs.writeFile(tempPath, content, "utf8");
+    const targetMode = options.mode;
+    await fs.writeFile(tempPath, content, { encoding: "utf8", ...(targetMode !== undefined ? { mode: targetMode } : {}) });
     try {
         await fs.rename(tempPath, filePath);
+        if (targetMode !== undefined) {
+            await fs.chmod(filePath, targetMode).catch(() => undefined);
+        }
     }
     catch (error) {
         const code = error?.code;
@@ -87,6 +91,9 @@ export async function writeFileSafe(filePath, content) {
         if (code === "EXDEV") {
             try {
                 await fs.copyFile(tempPath, filePath);
+                if (targetMode !== undefined) {
+                    await fs.chmod(filePath, targetMode).catch(() => undefined);
+                }
             }
             finally {
                 await fs.unlink(tempPath).catch(() => undefined);

package/dist/gate-evidence.js

@@ -133,7 +133,7 @@ async function writeReconciliationNotices(projectRoot, payload) {
     await writeFileSafe(filePath, `${JSON.stringify({
         schemaVersion: RECONCILIATION_NOTICES_SCHEMA_VERSION,
         notices: payload.notices
-    }, null, 2)}\n`);
+    }, null, 2)}\n`, { mode: 0o600 });
 }
 export function classifyReconciliationNotices(flowState, notices) {
     const activeBlocked = [];