From 2f674f1e45b266ad281ae9f8f2c059a13182b2c7 Mon Sep 17 00:00:00 2001
From: Panniantong
Date: Wed, 25 Feb 2026 14:16:08 +0100
Subject: [PATCH] security: doctor warns if config.yaml permissions are too open

Adds a check in 'agent-reach doctor' that warns when ~/.agent-reach/config.yaml is readable by other users (group/world). Suggests chmod 600 to fix.
Ref: #6
---
 agent_reach/doctor.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/agent_reach/doctor.py b/agent_reach/doctor.py
index c4e8796..3b71c2a 100644
--- a/agent_reach/doctor.py
+++ b/agent_reach/doctor.py
@@ -74,4 +74,18 @@ def format_report(results: Dict[str, dict]) -> str:
 if ok_count < total:
 lines.append("运行 `agent-reach setup` 解锁更多渠道")

+ # Security check: config file permissions
+ import os
+ import stat
+ config_path = Config.CONFIG_DIR / "config.yaml"
+ if config_path.exists():
+ try:
+ mode = config_path.stat().st_mode
+ if mode & (stat.S_IRGRP | stat.S_IROTH):
+ lines.append("")
+ lines.append("⚠️ 安全提示:config.yaml 权限过宽(其他用户可读)")
+ lines.append(" 修复:chmod 600 ~/.agent-reach/config.yaml")
+ except OSError:
+ pass
+
 return "\n".join(lines)
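Review bot: The permission test `mode & (stat.S_IRGRP | stat.S_IROTH)` looks only at the read bits, so a config.yaml that is group- or world-writable but not readable (for example mode 0620) passes silently even though another user could tamper with it. Testing every group/other bit matches the `chmod 600` the message recommends: `if os.name == "posix" and stat.S_IMODE(mode) & 0o077:`. The `os.name` guard also gives the `import os` line, which nothing in this hunk uses, a purpose, and it avoids a permanent false warning on Windows, where Python reports the group and other read bits as set on ordinary files and `chmod 600` does not apply. The printed fix hard-codes `~/.agent-reach/config.yaml` while the check builds its path from `Config.CONFIG_DIR`; printing `config_path` would keep the two in step if that directory can differ. format_report starts outside this hunk, so whether `Config` is imported in doctor.py cannot be confirmed from here.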