Implement "at least as secure" permission semantics and fix export directory permissions

* Separate export and runtime config save methods with appropriate permissions
* Add SaveExportedConfig() for portable configs (0755/0644 permissions)
* Rename permission functions to EnsureAtLeastSecureDir/EnsureAtLeastRegularDir
* Implement isPermissionAcceptable() using bitwise logic for "more restrictive" checks
* Add comprehensive permission acceptance tests with umask handling
* Update export functionality to use regular permissions instead of secure
* Reorder context.go to follow Go conventions (exported before unexported, alphabetical)
* Add detailed comments explaining umask override in tests

Author: peteski22

internal/cache/cache.go

@@ -42,7 +42,7 @@ func NewCache(logger hclog.Logger, opts ...Option) (*Cache, error) {
 
 	// Only create cache directory if caching is enabled.
 	if options.enabled {
-		if err := context.EnsureRegularDir(options.dir); err != nil {
+		if err := context.EnsureAtLeastRegularDir(options.dir); err != nil {
 			return nil, fmt.Errorf("failed to create cache directory: %w", err)
 		}
 	}

internal/context/context.go

@@ -23,49 +23,23 @@ const (
 	EnvVarXDGCacheHome = "XDG_CACHE_HOME"
 )
 
+// DefaultLoader loads execution context configurations.
+type DefaultLoader struct{}
+
+// ExecutionContextConfig stores execution context data for all configured MCP servers.
+type ExecutionContextConfig struct {
+	Servers  map[string]ServerExecutionContext `toml:"servers"`
+	filePath string                            `toml:"-"`
+}
+
 // ServerExecutionContext stores execution context data for an MCP server.
 type ServerExecutionContext struct {
 	Name string            `toml:"-"`
 	Args []string          `toml:"args,omitempty"`
 	Env  map[string]string `toml:"env,omitempty"`
 }
 
-func (s *ServerExecutionContext) Equals(b ServerExecutionContext) bool {
-	if s.Name != b.Name {
-		return false
-	}
-
-	if !equalSlices(s.Args, b.Args) {
-		return false
-	}
-
-	if len(s.Env) != len(b.Env) || !maps.Equal(s.Env, b.Env) {
-		return false
-	}
-
-	return true
-}
-
-func equalSlices(a []string, b []string) bool {
-	if len(a) != len(b) {
-		return false
-	}
-
-	sortedA := slices.Clone(a)
-	slices.Sort(sortedA)
-
-	sortedB := slices.Clone(b)
-	slices.Sort(sortedB)
-
-	return slices.Equal(sortedA, sortedB)
-}
-
-func (s *ServerExecutionContext) IsEmpty() bool {
-	return len(s.Args) == 0 && len(s.Env) == 0
-}
-
-type DefaultLoader struct{}
-
+// Load loads an execution context configuration from the specified path.
 func (d *DefaultLoader) Load(path string) (Modifier, error) {
 	path = strings.TrimSpace(path)
 	if path == "" {
@@ -85,30 +59,7 @@ func (d *DefaultLoader) Load(path string) (Modifier, error) {
 	return cfg, nil
 }
 
-// ExecutionContextConfig stores execution context data for all configured MCP servers.
-type ExecutionContextConfig struct {
-	Servers  map[string]ServerExecutionContext `toml:"servers"`
-	filePath string                            `toml:"-"`
-}
-
-// NewExecutionContextConfig returns a newly initialized ExecutionContextConfig.
-func NewExecutionContextConfig(path string) *ExecutionContextConfig {
-	return &ExecutionContextConfig{
-		Servers:  map[string]ServerExecutionContext{},
-		filePath: strings.TrimSpace(path),
-	}
-}
-
-func (c *ExecutionContextConfig) List() []ServerExecutionContext {
-	servers := slices.Collect(maps.Values(c.Servers))
-
-	slices.SortFunc(servers, func(a, b ServerExecutionContext) int {
-		return cmp.Compare(strings.ToLower(a.Name), strings.ToLower(b.Name))
-	})
-
-	return servers
-}
-
+// Get retrieves the execution context for the specified server name.
 func (c *ExecutionContextConfig) Get(name string) (ServerExecutionContext, bool) {
 	name = strings.TrimSpace(name)
 	if name == "" {
@@ -126,6 +77,29 @@ func (c *ExecutionContextConfig) Get(name string) (ServerExecutionContext, bool)
 	return ServerExecutionContext{}, false
 }
 
+// List returns all server execution contexts sorted by name.
+func (c *ExecutionContextConfig) List() []ServerExecutionContext {
+	servers := slices.Collect(maps.Values(c.Servers))
+
+	slices.SortFunc(servers, func(a, b ServerExecutionContext) int {
+		return cmp.Compare(strings.ToLower(a.Name), strings.ToLower(b.Name))
+	})
+
+	return servers
+}
+
+// SaveConfig saves the execution context configuration to a file with secure permissions.
+// Used for runtime execution contexts that may contain sensitive data.
+func (c *ExecutionContextConfig) SaveConfig() error {
+	return c.saveConfig(EnsureAtLeastSecureDir, perms.SecureFile)
+}
+
+// SaveExportedConfig saves the execution context configuration to a file with regular permissions.
+// Used for exported configurations that are sanitized and suitable for sharing.
+func (c *ExecutionContextConfig) SaveExportedConfig() error {
+	return c.saveConfig(EnsureAtLeastRegularDir, perms.RegularFile)
+}
+
 // Upsert updates the execution context for the given server name.
 // If the context is empty and does not exist in config, it does nothing.
 // If the context is empty and previously existed in config, it deletes the entry.
@@ -169,6 +143,120 @@ func (c *ExecutionContextConfig) Upsert(ec ServerExecutionContext) (UpsertResult
 	return op, nil
 }
 
+// Equals checks if this ServerExecutionContext is equal to another.
+func (s *ServerExecutionContext) Equals(b ServerExecutionContext) bool {
+	if s.Name != b.Name {
+		return false
+	}
+
+	if !equalSlices(s.Args, b.Args) {
+		return false
+	}
+
+	if len(s.Env) != len(b.Env) || !maps.Equal(s.Env, b.Env) {
+		return false
+	}
+
+	return true
+}
+
+// IsEmpty returns true if the ServerExecutionContext has no args or env vars.
+func (s *ServerExecutionContext) IsEmpty() bool {
+	return len(s.Args) == 0 && len(s.Env) == 0
+}
+
+// AppDirName returns the name of the application directory for use in user-specific operations where data is being written.
+func AppDirName() string {
+	return "mcpd"
+}
+
+// EnsureAtLeastRegularDir creates a directory with standard permissions if it doesn't exist,
+// and verifies that it has at least the required regular permissions if it already exists.
+// It does not attempt to repair ownership or permissions: if they are wrong, it returns an error.
+// Used for cache directories, data directories, and documentation.
+func EnsureAtLeastRegularDir(path string) error {
+	return ensureAtLeastDir(path, perms.RegularDir)
+}
+
+// EnsureAtLeastSecureDir creates a directory with secure permissions if it doesn't exist,
+// and verifies that it has at least the required secure permissions if it already exists.
+// It does not attempt to repair ownership or permissions: if they are wrong,
+// it returns an error.
+func EnsureAtLeastSecureDir(path string) error {
+	return ensureAtLeastDir(path, perms.SecureDir)
+}
+
+// NewExecutionContextConfig returns a newly initialized ExecutionContextConfig.
+func NewExecutionContextConfig(path string) *ExecutionContextConfig {
+	return &ExecutionContextConfig{
+		Servers:  map[string]ServerExecutionContext{},
+		filePath: strings.TrimSpace(path),
+	}
+}
+
+// UserSpecificCacheDir returns the directory that should be used to store any user-specific cache files.
+// It adheres to the XDG Base Directory Specification, respecting the XDG_CACHE_HOME environment variable.
+// When XDG_CACHE_HOME is not set, it defaults to ~/.cache/mcpd/
+// See: https://specifications.freedesktop.org/basedir-spec/latest/
+func UserSpecificCacheDir() (string, error) {
+	return userSpecificDir(EnvVarXDGCacheHome, ".cache")
+}
+
+// UserSpecificConfigDir returns the directory that should be used to store any user-specific configuration.
+// It adheres to the XDG Base Directory Specification, respecting the XDG_CONFIG_HOME environment variable.
+// When XDG_CONFIG_HOME is not set, it defaults to ~/.config/mcpd/
+// See: https://specifications.freedesktop.org/basedir-spec/latest/
+func UserSpecificConfigDir() (string, error) {
+	return userSpecificDir(EnvVarXDGConfigHome, ".config")
+}
+
+// ensureAtLeastDir creates a directory with the specified permissions if it doesn't exist,
+// and verifies that it has at least the required permissions if it already exists.
+// It does not attempt to repair ownership or permissions: if they are wrong, it returns an error.
+func ensureAtLeastDir(path string, perm os.FileMode) error {
+	if err := os.MkdirAll(path, perm); err != nil {
+		return fmt.Errorf("could not ensure directory exists for '%s': %w", path, err)
+	}
+
+	info, err := os.Stat(path)
+	if err != nil {
+		return fmt.Errorf("could not stat directory '%s': %w", path, err)
+	}
+
+	if !isPermissionAcceptable(info.Mode().Perm(), perm) {
+		return fmt.Errorf(
+			"incorrect permissions for directory '%s' (%#o, want %#o or more restrictive)",
+			path, info.Mode().Perm(),
+			perm,
+		)
+	}
+
+	return nil
+}
+
+// equalSlices compares two string slices for equality, ignoring order.
+func equalSlices(a []string, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+
+	sortedA := slices.Clone(a)
+	slices.Sort(sortedA)
+
+	sortedB := slices.Clone(b)
+	slices.Sort(sortedB)
+
+	return slices.Equal(sortedA, sortedB)
+}
+
+// isPermissionAcceptable checks if the actual permissions are acceptable for the required permissions.
+// It returns true if the actual permissions are equal to or more restrictive than required.
+// "More restrictive" means: no permission bit set in actual that isn't also set in required.
+func isPermissionAcceptable(actual, required os.FileMode) bool {
+	// Check that actual doesn't grant any permissions that required doesn't grant
+	return (actual & ^required) == 0
+}
+
 // loadExecutionContextConfig loads a runtime execution context file from disk and expands environment variables.
 //
 // The function parses the TOML file at the specified path and automatically expands all ${VAR} references
@@ -210,21 +298,19 @@ func loadExecutionContextConfig(path string) (*ExecutionContextConfig, error) {
 	return cfg, nil
 }
 
-// SaveConfig writes the ExecutionContextConfig to disk as a TOML file,
-// creating parent directories and setting secure file permissions.
-func (c *ExecutionContextConfig) SaveConfig() error {
+// saveConfig saves the execution context configuration to a file with the specified directory and file permissions.
+func (c *ExecutionContextConfig) saveConfig(ensureDirFunc func(string) error, fileMode os.FileMode) error {
 	path := c.filePath
 	if path == "" {
 		return fmt.Errorf("config file path not present")
 	}
 
 	// Ensure the directory exists before creating the file.
-	if err := EnsureSecureDir(filepath.Dir(path)); err != nil {
+	if err := ensureDirFunc(filepath.Dir(path)); err != nil {
 		return fmt.Errorf("could not ensure execution context directory exists: %w", err)
 	}
 
-	// owner: rw-, group: ---, others: ---
-	f, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, perms.SecureFile)
+	f, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, fileMode)
 	if err != nil {
 		return fmt.Errorf("could not create file '%s': %w", path, err)
 	}
@@ -273,64 +359,3 @@ func userSpecificDir(envVar string, dir string) (string, error) {
 
 	return filepath.Join(homeDir, dir, AppDirName()), nil
 }
-
-// UserSpecificConfigDir returns the directory that should be used to store any user-specific configuration.
-// It adheres to the XDG Base Directory Specification, respecting the XDG_CONFIG_HOME environment variable.
-// When XDG_CONFIG_HOME is not set, it defaults to ~/.config/mcpd/
-// See: https://specifications.freedesktop.org/basedir-spec/latest/
-func UserSpecificConfigDir() (string, error) {
-	return userSpecificDir(EnvVarXDGConfigHome, ".config")
-}
-
-// UserSpecificCacheDir returns the directory that should be used to store any user-specific cache files.
-// It adheres to the XDG Base Directory Specification, respecting the XDG_CACHE_HOME environment variable.
-// When XDG_CACHE_HOME is not set, it defaults to ~/.cache/mcpd/
-// See: https://specifications.freedesktop.org/basedir-spec/latest/
-func UserSpecificCacheDir() (string, error) {
-	return userSpecificDir(EnvVarXDGCacheHome, ".cache")
-}
-
-// AppDirName returns the name of the application directory for use in user-specific operations where data is being written.
-func AppDirName() string {
-	return "mcpd"
-}
-
-// ensureDir creates a directory with the specified permissions if it doesn't exist,
-// and verifies that it has the expected permissions if it already exists.
-// It does not attempt to repair ownership or permissions: if they are wrong, it returns an error.
-func ensureDir(path string, perm os.FileMode) error {
-	if err := os.MkdirAll(path, perm); err != nil {
-		return fmt.Errorf("could not ensure directory exists for '%s': %w", path, err)
-	}
-
-	info, err := os.Stat(path)
-	if err != nil {
-		return fmt.Errorf("could not stat directory '%s': %w", path, err)
-	}
-
-	if info.Mode().Perm() != perm {
-		return fmt.Errorf(
-			"incorrect permissions for directory '%s' (%#o, want %#o)",
-			path, info.Mode().Perm(),
-			perm,
-		)
-	}
-
-	return nil
-}
-
-// EnsureSecureDir creates a directory with secure permissions if it doesn't exist,
-// and verifies that it has the expected permissions if it already exists.
-// It does not attempt to repair ownership or permissions: if they are wrong,
-// it returns an error.
-func EnsureSecureDir(path string) error {
-	return ensureDir(path, perms.SecureDir)
-}
-
-// EnsureRegularDir creates a directory with standard permissions if it doesn't exist,
-// and verifies that it has the expected permissions if it already exists.
-// It does not attempt to repair ownership or permissions: if they are wrong, it returns an error.
-// Used for cache directories, data directories, and documentation.
-func EnsureRegularDir(path string) error {
-	return ensureDir(path, perms.RegularDir)
-}