#18924: fix(security): tighten permissions on cron/, browser/, settings/ dirs…

by rexlunae open 2026-02-17 05:52
size: S
… (#18866)

The fixSecurityFootguns function was missing coverage for several sensitive directories that contain user data:

- cron/: Contains scheduled task details including payload/message content
- cron/jobs.json: Contains job configurations with potentially sensitive payloads
- browser/: Contains session state and cookies
- settings/: Contains user settings

This change adds permission fixes for these directories (700) and the cron job files (600), preventing world-readable access to sensitive data.

Fixes #18866

## Summary

Describe the problem and fix in 2–5 bullets:

- Problem:
- Why it matters:
- What changed:
- What did NOT change (scope boundary):

## Change Type (select all)

- [ ] Bug fix
- [ ] Feature
- [ ] Refactor
- [ ] Docs
- [ ] Security hardening
- [ ] Chore/infra

## Scope (select all touched areas)

- [ ] Gateway / orchestration
- [ ] Skills / tool execution
- [ ] Auth / tokens
- [ ] Memory / storage
- [ ] Integrations
- [ ] API / contracts
- [ ] UI / DX
- [ ] CI/CD / infra

## Linked Issue/PR

- Closes #
- Related #

## User-visible / Behavior Changes

List user-visible changes (including defaults/config). If none, write `None`.

## Security Impact (required)

- New permissions/capabilities? (`Yes/No`)
- Secrets/tokens handling changed? (`Yes/No`)
- New/changed network calls? (`Yes/No`)
- Command/tool execution surface changed? (`Yes/No`)
- Data access scope changed? (`Yes/No`)
- If any `Yes`, explain risk + mitigation:

## Repro + Verification

### Environment

- OS:
- Runtime/container:
- Model/provider:
- Integration/channel (if any):
- Relevant config (redacted):

### Steps

1.
2.
3.

### Expected

-

### Actual

-

## Evidence

Attach at least one:

- [ ] Failing test/log before + passing after
- [ ] Trace/log snippets
- [ ] Screenshot/recording
- [ ] Perf numbers (if relevant)

## Human Verification (required)

What you personally verified (not just CI), and how:

- Verified scenarios:
- Edge cases checked:
- What you did **not** verify:

## Compatibility / Migration

- Backward compatible? (`Yes/No`)
- Config/env changes? (`Yes/No`)
- Migration needed? (`Yes/No`)
- If yes, exact upgrade steps:

## Failure Recovery (if this breaks)

- How to disable/revert this change quickly:
- Files/config to restore:
- Known bad symptoms reviewers should watch for:

## Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write `None`.

- Risk:
- Mitigation:

<!-- greptile_comment -->

<h3>Greptile Summary</h3>

Added permission hardening for three sensitive directories (`cron/`, `browser/`, `settings/`) that were missing from the existing `fixSecurityFootguns` function. The change sets directory permissions to 700 and tightens cron job files (`jobs.json`, `jobs.json.bak`) to 600, preventing world-readable access to user data like scheduled task payloads, browser cookies/session state, and user settings. The implementation follows the existing pattern used for credentials and agent state directories, correctly using `applyPerms` to handle both Unix (chmod) and Windows (icacls) platforms.

- Added permissions fixes for `cron/`, `browser/`, and `settings/` directories (mode 700)
- Added permissions fixes for cron job configuration files (mode 600)
- Comprehensive test coverage validates the fix for all three directories and both job files
- Implementation correctly uses the existing `applyPerms` abstraction for cross-platform compatibility

<h3>Confidence Score: 5/5</h3>

- This PR is safe to merge with minimal risk
- The implementation follows established patterns in the codebase, includes comprehensive test coverage, correctly handles both Unix and Windows platforms through the existing `applyPerms` abstraction, and addresses a genuine security gap by tightening permissions on sensitive directories containing user data
- No files require special attention

<sub>Last reviewed commit: 2e09c06</sub>

<!-- /greptile_comment -->
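A minimal audit of the same targets, as an added example that is not code from this PR or the project: it reports any of the listed paths whose POSIX mode grants more than 700 (directories) or 600 (cron job files) and optionally tightens them. `auditStateDir`, `TARGETS` and `buildSample` are hypothetical names, and the temp-dir layout is constructed sample data.

```javascript
// Added example; auditStateDir, TARGETS and buildSample are hypothetical names, not the
// project's API. POSIX mode bits only: on Windows, ACLs (icacls) govern access instead.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Targets and modes as listed in the PR description: directories 700, cron job files 600.
const TARGETS = [
  { rel: "cron", mode: 0o700 },
  { rel: "browser", mode: 0o700 },
  { rel: "settings", mode: 0o700 },
  { rel: "cron/jobs.json", mode: 0o600 },
  { rel: "cron/jobs.json.bak", mode: 0o600 },
];

// Report every existing target that grants bits beyond its allowed mode; with fix=true,
// chmod it to that mode. A symlink at a target path is reported and left untouched.
function auditStateDir(stateDir, { fix = false } = {}) {
  const findings = [];
  for (const { rel, mode } of TARGETS) {
    const target = path.join(stateDir, rel);
    let st;
    try { st = fs.lstatSync(target); } catch (err) {
      if (err.code === "ENOENT") continue; // absent target: nothing to harden
      throw err;
    }
    if (st.isSymbolicLink()) {
      findings.push({ rel, found: "symlink", fixed: false });
      continue;
    }
    const current = st.mode & 0o777;
    if ((current & ~mode) === 0) continue; // nothing beyond the allowed bits
    if (fix) fs.chmodSync(target, mode);
    findings.push({ rel, found: current.toString(8), fixed: fix });
  }
  return findings;
}

// Constructed sample layout in a temp dir: two loose dirs, one tight dir, one loose file.
function buildSample() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "state-"));
  for (const [d, m] of [["cron", 0o755], ["browser", 0o755], ["settings", 0o700]]) {
    fs.mkdirSync(path.join(dir, d));
    fs.chmodSync(path.join(dir, d), m); // explicit chmod: mkdir's mode is subject to umask
  }
  fs.writeFileSync(path.join(dir, "cron", "jobs.json"), "{}");
  fs.chmodSync(path.join(dir, "cron", "jobs.json"), 0o644);
  return dir;
}
```

Run `auditStateDir(dir)` first to see the findings, then `auditStateDir(dir, { fix: true })` to tighten them; a second audit should come back empty.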