From 3927acd64f470db967ecdb5f5429b548f625c173 Mon Sep 17 00:00:00 2001 From: rain Date: Tue, 23 Jun 2026 19:45:03 -0400 Subject: [PATCH] Add run_onchange to chmod 600 ~/.omp/agent/models.yml The encrypted models.yml is named private_encrypted_models.yml.age so chezmoi *should* set 600 on decrypt, but on boxes where the file already existed from a prior apply (before the rename), the perm stays at umask default (644). This run_onchange script normalizes to 600. Runs only when the script body changes (chezmoi hashes the rendered content). On a fresh apply, it brings the perm to 600 once, then stays silent on subsequent applies until the body changes again.
--- ...nchange_35-ensure-omp-models-perms.sh.tmpl | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 run_onchange_35-ensure-omp-models-perms.sh.tmpl
diff --git a/run_onchange_35-ensure-omp-models-perms.sh.tmpl b/run_onchange_35-ensure-omp-models-perms.sh.tmpl new file mode 100644
index 0000000..7c1e19f
--- /dev/null
+++ b/run_onchange_35-ensure-omp-models-perms.sh.tmpl
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+# =============================================================================
+# run_onchange_35-ensure-omp-models-perms.sh.tmpl
+# Force chmod 600 on ~/.omp/agent/models.yml. The encrypted file is named
+# `private_encrypted_models.yml.age` so chezmoi SHOULD set 600 on first apply,
+# but if the file already exists from a prior apply (when it was named
+# `encrypted_models.yml.age` without the `private_` prefix), the perm stays
+# at whatever umask gave it (typically 644). This script normalizes the perm
+# to 600 so the literal zai API key in models.yml isn't world-readable.
+#
+# Triggered by the body hash changing; current hash = sha256 of body.
+# Runs on all OSes (no os_family gate).
+# =============================================================================
+set -euo pipefail
+
+MODELS_YML="${HOME}/.omp/agent/models.yml"
+
+log() { printf '\033[1;34m[omp-models-perms]\033[0m %s\n' "$*"; }
+
+if [[ ! -f "$MODELS_YML" ]]; then
+ log "models.yml not present on this box (omp not installed?) — skipping"
+ exit 0
+fi
+
+current_perm=$(stat -c '%a' "$MODELS_YML")
+if [[ "$current_perm" == "600" ]]; then
+ log "models.yml already 600 — nothing to do"
+ exit 0
+fi
+
+log "models.yml perm is $current_perm, fixing to 600"
+chmod 600 "$MODELS_YML"
+log "models.yml perm now $(stat -c '%a' "$MODELS_YML")"
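Review bot: `stat -c '%a'` on the `current_perm=` line (and again in the closing `log`) is GNU coreutils syntax; BSD/macOS `stat` rejects `-c`, so under `set -euo pipefail` the script aborts and the whole apply fails on exactly the hosts the header claims to cover ("Runs on all OSes"). Because `chmod 600` is idempotent the probe only feeds the log message, so it can either be dropped in favour of an unconditional `chmod 600 -- "$MODELS_YML"` after the existence guard, or made portable with `current_perm=$(stat -c '%a' "$MODELS_YML" 2>/dev/null || stat -f '%Lp' "$MODELS_YML")` and the same fallback in the final `log`. The current `== "600"` comparison also leaves a mode such as `400` or `4600` on the "fix" path, which is presumably intended but worth a one-line comment so a later reader does not treat it as a bug. Since `chmod` follows symlinks, a `[[ -L "$MODELS_YML" ]]` guard (or a note in the header) would make the behaviour explicit if models.yml is ever a link rather than a regular file.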