security: doctor warns if config.yaml permissions are too open

Adds a check in 'agent-reach doctor' that warns when ~/.agent-reach/config.yaml is readable by other users (group/world). Suggests chmod 600 to fix. Ref: #6
2026-02-25 14:16:08 +01:00 · 2026-02-25 14:16:08 +01:00 · 2f674f1e45
commit 2f674f1e45
parent c642e18e1f
1 changed files with 14 additions and 0 deletions
--- a/agent_reach/doctor.py
+++ b/agent_reach/doctor.py
@ -74,4 +74,18 @@ def format_report(results: Dict[str, dict]) -> str:
    if ok_count < total:
        lines.append("运行 `agent-reach setup` 解锁更多渠道")

+    # Security check: config file permissions
+    import os
+    import stat
+    config_path = Config.CONFIG_DIR / "config.yaml"
+    if config_path.exists():
+        try:
+            mode = config_path.stat().st_mode
+            if mode & (stat.S_IRGRP | stat.S_IROTH):
+                lines.append("")
+                lines.append("⚠️  安全提示：config.yaml 权限过宽（其他用户可读）")
+                lines.append("   修复：chmod 600 ~/.agent-reach/config.yaml")
+        except OSError:
+            pass
+
    return "\n".join(lines)