fix(security): set restrictive permissions (0o600) on background process log files#26913

Open
Vist233 wants to merge 2 commits into
google-gemini:mainfrom
Vist233:fix/background-log-file-permissions-26779

Conversation

@Vist233
Contributor

@Vist233 Vist233 commented May 12, 2026

Summary

Background process log files were created via fs.createWriteStream without an
explicit mode, causing them to inherit the process umask (typically 0o022).
On a standard Linux/macOS system this results in 0o644 (rw-r--r--) —
world-readable — even though the parent directory is correctly restricted to
0o700.

This PR fixes the issue by explicitly passing mode: 0o600 to
createWriteStream, ensuring log files are always created with owner-only
read/write permissions regardless of the environment's umask.

Details

The root cause is a single missing option in ShellExecutionService.background():

- const stream = fs.createWriteStream(logPath, { flags: 'wx' });
+ const stream = fs.createWriteStream(logPath, {
+   flags: 'wx',
+   mode: 0o600,
+ });
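Review bot: the `mode: 0o600` added here gives the owner-only guarantee only on POSIX hosts; Node's fs layer does not honour POSIX permission bits on Windows (the mode only influences the read-only attribute), so the PR text's "regardless of the environment" and the Windows entries in the validation checklist should be qualified, either in the description or in a short comment next to this call. The umask argument in the description does hold on Linux and macOS, since the kernel only ever clears bits from the requested mode and 0o600 & ~umask can never be wider than 0o600. Because the accompanying test mocks createWriteStream and only checks the arguments it receives, a POSIX-only integration test that opens a real file and asserts `(fs.statSync(logPath).mode & 0o777) === 0o600` would also catch a regression where a later chmod or a different creation path loosens the bits.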

Why 0o600?

  • Consistent with the parent directory's 0o700 policy: owner-only access.
  • Log files need read + write (rw-), but no execute bit.
  • Explicitly setting mode prevents the permissions from depending on the
    caller's umask.

Defense-in-depth: relying solely on the parent directory's 0o700 is
insufficient — umask values vary across environments, and directory permissions
can be changed independently of the files inside.

A regression test is included to verify that createWriteStream is always
called with { flags: 'wx', mode: 0o600 }.

Related Issues

Fixes #26779

How to Validate

  1. Unit tests (mock-based, verifies correct arguments are passed):

    npm test -w @google/gemini-cli-core -- src/services/shellExecutionService.test.ts

    Expected: all 67 tests pass, including
    should create background log file with restrictive permissions (0o600).

  2. Lint & typecheck:

    npm run lint -w @google/gemini-cli-core
    npm run typecheck -w @google/gemini-cli-core

    Both exit with code 0.

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • MacOS
      • npm run
      • npx
      • Docker
      • Podman
      • Seatbelt
    • Windows
      • npm run
      • npx
      • Docker
    • Linux
      • npm run
      • npx
      • Docker

Vist233 added 2 commits May 12, 2026 18:19
…ess log files

Background process log files were created via fs.createWriteStream without
an explicit mode, causing them to inherit the process umask (typically 0o022),
resulting in world-readable files (0o644). This allows other users on the
system to read sensitive command output stored in background logs.

While the parent directory is created with 0o700, the files themselves must
also be explicitly restricted as a defense-in-depth measure.

Fixes google-gemini#26779
Verify that fs.createWriteStream is called with mode 0o600 when
backgrounding a process, ensuring log files are never created
world-readable regardless of the process umask.

Related to google-gemini#26779
@Vist233 Vist233 requested a review from a team as a code owner May 12, 2026 10:42
@gemini-code-assist
Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request improves the security posture of background process logging by ensuring that log files are created with restrictive owner-only permissions. By explicitly setting the file mode, the application avoids relying on potentially insecure default umask settings, ensuring sensitive output remains protected.

Highlights

  • Security Hardening: Updated background process log file creation to explicitly set file permissions to 0o600, preventing world-readable files regardless of the system umask.
  • Regression Testing: Added a new unit test to verify that the file stream is initialized with the correct security mode.

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request enhances security by ensuring that background log files are created with restrictive permissions (0o600). It updates the ShellExecutionService to pass the mode option to fs.createWriteStream and adds a corresponding unit test to verify this behavior. I have no feedback to provide.

@gemini-cli gemini-cli Bot added priority/p1 Important and should be addressed in the near term. area/security Issues related to security labels May 12, 2026
Development

Successfully merging this pull request may close these issues.

Insecure file permissions for background process logs

1 participant