Centralize file and directory permission mode usage.

Author: peteski22

cmd/config/export/export.go

@@ -13,6 +13,7 @@ import (
 	"github.com/mozilla-ai/mcpd/v2/internal/config"
 	"github.com/mozilla-ai/mcpd/v2/internal/context"
 	"github.com/mozilla-ai/mcpd/v2/internal/flags"
+	"github.com/mozilla-ai/mcpd/v2/internal/perms"
 	"github.com/mozilla-ai/mcpd/v2/internal/runtime"
 )
 
@@ -141,5 +142,5 @@ func writeDotenvFile(path string, data map[string]string) error {
 		}
 	}
 
-	return os.WriteFile(path, []byte(b.String()), 0o644)
+	return os.WriteFile(path, []byte(b.String()), perms.RegularFile)
 }

internal/cache/cache.go

@@ -42,7 +42,7 @@ func NewCache(logger hclog.Logger, opts ...Option) (*Cache, error) {
 
 	// Only create cache directory if caching is enabled.
 	if options.enabled {
-		if err := context.EnsureDirectoryExists(options.dir); err != nil {
+		if err := context.EnsureRegularDir(options.dir); err != nil {
 			return nil, fmt.Errorf("failed to create cache directory: %w", err)
 		}
 	}

internal/cmd/basecmd.go

@@ -11,6 +11,7 @@ import (
 	"github.com/mozilla-ai/mcpd/v2/internal/cmd/output"
 	"github.com/mozilla-ai/mcpd/v2/internal/config"
 	"github.com/mozilla-ai/mcpd/v2/internal/flags"
+	"github.com/mozilla-ai/mcpd/v2/internal/perms"
 	"github.com/mozilla-ai/mcpd/v2/internal/provider/mcpm"
 	"github.com/mozilla-ai/mcpd/v2/internal/provider/mozilla_ai"
 	"github.com/mozilla-ai/mcpd/v2/internal/registry"
@@ -59,7 +60,7 @@ func (c *BaseCmd) Logger() (hclog.Logger, error) {
 	// Configure logger output based on the log file path
 	output := io.Discard // Default to discarding log output.
 	if logPath != "" {
-		f, err := os.OpenFile(logPath, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0o644)
+		f, err := os.OpenFile(logPath, os.O_CREATE|os.O_APPEND|os.O_WRONLY, perms.RegularFile)
 		if err != nil {
 			return nil, fmt.Errorf("failed to open log file (%s): %w", logPath, err)
 		} else {

internal/config/config.go

@@ -9,6 +9,7 @@ import (
 	"github.com/BurntSushi/toml"
 
 	"github.com/mozilla-ai/mcpd/v2/internal/flags"
+	"github.com/mozilla-ai/mcpd/v2/internal/perms"
 )
 
 // Init creates the base skeleton configuration file for the mcpd project.
@@ -21,7 +22,7 @@ func (d *DefaultLoader) Init(path string) error {
 
 	content := `servers = []`
 
-	if err := os.WriteFile(path, []byte(content), 0o644); err != nil {
+	if err := os.WriteFile(path, []byte(content), perms.RegularFile); err != nil {
 		return fmt.Errorf("failed to write %s: %w", path, err)
 	}
 
@@ -158,7 +159,7 @@ func (c *Config) saveConfig() error {
 		return err
 	}
 
-	return os.WriteFile(c.configFilePath, data, 0o644)
+	return os.WriteFile(c.configFilePath, data, perms.RegularFile)
 }
 
 // validate orchestrates validation of all aspects of the configuration.

internal/context/context.go

@@ -11,6 +11,8 @@ import (
 	"strings"
 
 	"github.com/BurntSushi/toml"
+
+	"github.com/mozilla-ai/mcpd/v2/internal/perms"
 )
 
 const (
@@ -217,12 +219,12 @@ func (c *ExecutionContextConfig) SaveConfig() error {
 	}
 
 	// Ensure the directory exists before creating the file.
-	if err := EnsureDirectoryExists(filepath.Dir(path)); err != nil {
+	if err := EnsureSecureDir(filepath.Dir(path)); err != nil {
 		return fmt.Errorf("could not ensure execution context directory exists: %w", err)
 	}
 
 	// owner: rw-, group: ---, others: ---
-	f, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
+	f, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, perms.SecureFile)
 	if err != nil {
 		return fmt.Errorf("could not create file '%s': %w", path, err)
 	}
@@ -293,11 +295,20 @@ func AppDirName() string {
 	return "mcpd"
 }
 
-// EnsureDirectoryExists creates a directory with secure permissions if it doesn't exist.
-// The directory is created with mode 0740 (owner: rwx, group: r--, others: ---).
-func EnsureDirectoryExists(path string) error {
-	if err := os.MkdirAll(path, 0o740); err != nil {
-		return fmt.Errorf("could not ensure directory exists for '%s': %w", path, err)
+// EnsureSecureDir creates a directory with secure permissions if it doesn't exist.
+// Used for directories containing sensitive data like execution context.
+func EnsureSecureDir(path string) error {
+	if err := os.MkdirAll(path, perms.SecureDir); err != nil {
+		return fmt.Errorf("could not ensure secure directory exists for '%s': %w", path, err)
+	}
+	return nil
+}
+
+// EnsureRegularDir creates a directory with standard permissions if it doesn't exist.
+// Used for cache directories, data directories, and documentation.
+func EnsureRegularDir(path string) error {
+	if err := os.MkdirAll(path, perms.RegularDir); err != nil {
+		return fmt.Errorf("could not ensure regular directory exists for '%s': %w", path, err)
 	}
 	return nil
 }