scripts/security/secure-env-permissions.sh

#!/usr/bin/env bash
# Secure .env file permissions (Quick Win). Run from project root.
# Usage: bash scripts/security/secure-env-permissions.sh [--dry-run]

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
DRY_RUN=false
[[ "${1:-}" == "--dry-run" ]] && DRY_RUN=true

cd "$PROJECT_ROOT"

# Files to secure (relative to project root)
ENV_FILES=(
    ".env"
    "unifi-api/.env"
    "smom-dbis-138/.env"
    "dbis_core/.env"
)

for f in "${ENV_FILES[@]}"; do
    if [ -f "$f" ]; then
        perms=$(stat -c "%a" "$f" 2>/dev/null || stat -f "%A" "$f" 2>/dev/null)
        if [ "$perms" != "600" ]; then
            if [[ "$DRY_RUN" == true ]]; then
                echo "[DRY-RUN] would chmod 600 $f (current: $perms)"
            else
                chmod 600 "$f"
                echo "chmod 600 $f"
            fi
        fi
    fi
done
echo "Done. Ensure ownership: chown \$USER:\$USER .env (and other env files) if needed."
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates - ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands - CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround - CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check - NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere - MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates - LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference Co-authored-by: Cursor <cursoragent@cursor.com> 2026-02-12 15:46:57 -08:00			`#!/usr/bin/env bash`
			`# Secure .env file permissions (Quick Win). Run from project root.`
			`# Usage: bash scripts/security/secure-env-permissions.sh [--dry-run]`

			`set -euo pipefail`

			`SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`
			`PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"`
			`DRY_RUN=false`
			`[[ "${1:-}" == "--dry-run" ]] && DRY_RUN=true`

			`cd "$PROJECT_ROOT"`

			`# Files to secure (relative to project root)`
			`ENV_FILES=(`
			`".env"`
			`"unifi-api/.env"`
			`"smom-dbis-138/.env"`
			`"dbis_core/.env"`
			`)`

			`for f in "${ENV_FILES[@]}"; do`
			`if [ -f "$f" ]; then`
			`perms=$(stat -c "%a" "$f" 2>/dev/null \|\| stat -f "%A" "$f" 2>/dev/null)`
			`if [ "$perms" != "600" ]; then`
			`if [[ "$DRY_RUN" == true ]]; then`
			`echo "[DRY-RUN] would chmod 600 $f (current: $perms)"`
			`else`
			`chmod 600 "$f"`
			`echo "chmod 600 $f"`
			`fi`
			`fi`
			`fi`
			`done`
			`echo "Done. Ensure ownership: chown \$USER:\$USER .env (and other env files) if needed."`