generated from coulomb/repo-seed
refactor(local-identity): post-Stage4 cleanups and micro-fixes
- audit: chmod only on file creation, not every append (TOCTOU fix) - jwt_utils: add extract_unverified_payload() helper - cli: use extract_unverified_payload + JWTError instead of inline decode - keys: extract _public_key_bytes() helper, import _b64url from jwt_utils - security: FileNotFoundError try/except instead of path.exists() (TOCTOU fix) - serve: cache JWK response at server init instead of per-request recompute 138 tests passing. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -33,8 +33,10 @@ def log_event(command: str, username: str | None, outcome: str) -> None:
|
||||
entry = f"{timestamp}\t{command}\t{username or '-'}\t{outcome}\n"
|
||||
path = _audit_log_path()
|
||||
try:
|
||||
is_new = not path.exists()
|
||||
with open(path, "a", encoding="utf-8") as fh:
|
||||
fh.write(entry)
|
||||
os.chmod(path, 0o600)
|
||||
if is_new:
|
||||
os.chmod(path, 0o600)
|
||||
except OSError:
|
||||
pass
|
||||
|
||||
Reference in New Issue
Block a user