From 3226d4c5ebf7d0f507d9c8d3ae1cb31eca2489a0 Mon Sep 17 00:00:00 2001
From: mesutoezdil
Date: Sat, 13 Jun 2026 09:18:58 +0200
Subject: [PATCH] fix(adk): write materialized secret files with 0600 permissions

config.json contains model API keys and kagent-token is a k8s service account token. Writing them world-readable (0644) exposes credentials to other processes in the container.

Signed-off-by: mesutoezdil
---
 go/adk/pkg/config/config_loader_test.go | 13 +++++++++++++
 go/adk/pkg/config/config_materialize.go | 5 ++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/go/adk/pkg/config/config_loader_test.go b/go/adk/pkg/config/config_loader_test.go
index 9befa7e0a2..82421b34b3 100644
--- a/go/adk/pkg/config/config_loader_test.go
+++ b/go/adk/pkg/config/config_loader_test.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"os"
 	"path/filepath"
+	"runtime"
 	"testing"
 )
 
@@ -110,6 +111,18 @@ func TestMaterializeFromEnv(t *testing.T) {
 	if string(srtData) != `{"skills":[]}` {
 		t.Fatalf("srt settings = %q", string(srtData))
 	}
+
+	if runtime.GOOS != "windows" {
+		for _, name := range []string{"config.json", "agent-card.json", srtSettingsFile} {
+			fi, err := os.Stat(filepath.Join(tmpDir, name))
+			if err != nil {
+				t.Fatalf("stat %s: %v", name, err)
+			}
+			if perm := fi.Mode().Perm(); perm != 0o600 {
+				t.Errorf("%s permissions = %o, want 0600", name, perm)
+			}
+		}
+	}
 }
 
 func TestMaterializeFromEnv_SkipsUnset(t *testing.T) {
diff --git a/go/adk/pkg/config/config_materialize.go b/go/adk/pkg/config/config_materialize.go
index 442088d341..dc7c6cb6b0 100644
--- a/go/adk/pkg/config/config_materialize.go
+++ b/go/adk/pkg/config/config_materialize.go
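Review bot: The permission check in TestMaterializeFromEnv covers config.json, agent-card.json and srtSettingsFile, but the commit message names kagent-token as the second credential file being protected, and nothing here asserts its mode; if the token file is produced by the same materialize path that this test drives, it belongs in that list so a regression on the token is caught too. The `runtime.GOOS != "windows"` guard also deserves a one-line reason, e.g. `// POSIX mode bits are not meaningful on Windows; os.Chmod only toggles read-only there.`, since otherwise a reader may take the skip for a flaky-test workaround. The enclosing test function starts before this hunk.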
@@ -43,8 +43,11 @@ func materializeEnvToFile(envKey, path string) error {
 	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
 		return fmt.Errorf("create directory for %s: %w", path, err)
 	}
-	if err := os.WriteFile(path, []byte(value), 0o644); err != nil {
+	if err := os.WriteFile(path, []byte(value), 0o600); err != nil {
 		return fmt.Errorf("write %s: %w", path, err)
 	}
+	if err := os.Chmod(path, 0o600); err != nil {
+		return fmt.Errorf("chmod %s: %w", path, err)
+	}
 	return nil
 }
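Review bot: The added os.Chmod runs only after os.WriteFile has already written the secret, so when the file pre-exists with the old 0644 mode (the very case the chmod is there for, since WriteFile's mode applies only on creation) the value is briefly world-readable between the write and the chmod. Tightening the mode on the open descriptor before any bytes are written closes that window, and the code should say why the extra chmod exists at all; the sketch below does both. materializeEnvToFile begins before this hunk (value is read earlier), so the surrounding lookup of envKey is not shown.
```go
	// Open with 0600 and tighten the mode on the descriptor before writing:
	// a file that already exists with a wider mode keeps it on O_TRUNC, and
	// the secret must never be readable by others while it is on disk.
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return fmt.Errorf("open %s: %w", path, err)
	}
	if err := f.Chmod(0o600); err != nil {
		f.Close()
		return fmt.Errorf("chmod %s: %w", path, err)
	}
	if _, err := f.Write([]byte(value)); err != nil {
		f.Close()
		return fmt.Errorf("write %s: %w", path, err)
	}
	if err := f.Close(); err != nil {
		return fmt.Errorf("close %s: %w", path, err)
	}
	return nil
```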