fix: ensure deadman_live.ok file has secure 0o600 permissions in both live readiness and guard scripts.

3 months ago · 8009f0e40e
parent 3b670f0270
commit 8009f0e40e
2 changed files with 3 additions and 1 deletions
--- a/scripts/gates/p40_live_readiness.sh
+++ b/scripts/gates/p40_live_readiness.sh
@ -95,6 +95,7 @@ if [ "$GATE_MODE" == "pos" ]; then
    
    # Enable Deadman
    touch user_data/secrets/deadman_live.ok
+    chmod 600 user_data/secrets/deadman_live.ok
    touch -m user_data/secrets/deadman_live.ok

    export FT_ENABLE_LIVE_ORDERS=1
--- a/scripts/p30_check_live_guard.py
+++ b/scripts/p30_check_live_guard.py
@ -63,12 +63,13 @@ def verify_p30_guard():
    }
    exchange.breeze = mock_breeze

-    # Create Deadman File for P40 Compliance
+    # Create Deadman File for P40 Compliance with secure permissions
    from pathlib import Path

    deadman_file = Path("user_data/secrets/deadman_live.ok")
    deadman_file.parent.mkdir(parents=True, exist_ok=True)
    deadman_file.touch()
+    os.chmod(deadman_file, 0o600)

    # Mock RiskGuard to avoid 'intraday_cutoff' or other risk blocks
    exchange.risk_guard = MagicMock()