From 24043fc5859bc064ec8623ec45900fb161dbbfa6 Mon Sep 17 00:00:00 2001
From: Ettore Di Giacinto <mudler@localai.io>
Date: Sat, 20 Jun 2026 12:55:31 +0000
Subject: [PATCH] fix(mcp): write alias config 0600 to satisfy gosec G306

The inproc createAlias path wrote the alias YAML with 0644, which gosec
flags as a new G306 finding on the PR. The LocalAI process is the sole
reader/writer of model configs, so 0600 is correct and keeps the scan clean.

Assisted-by: Claude:claude-opus-4-8 [Claude Code]
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
---
 pkg/mcp/localaitools/inproc/client.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/mcp/localaitools/inproc/client.go b/pkg/mcp/localaitools/inproc/client.go
index 26bba2b46..e62934ccc 100644
--- a/pkg/mcp/localaitools/inproc/client.go
+++ b/pkg/mcp/localaitools/inproc/client.go
@@ -352,7 +352,9 @@ func (c *Client) createAlias(name, target string) error {
 	if err != nil {
 		return fmt.Errorf("marshal alias config: %w", err)
 	}
-	if err := os.WriteFile(filepath.Join(modelsPath, name+".yaml"), yamlData, 0644); err != nil {
+	// 0600: the LocalAI process is the sole reader/writer of model configs,
+	// and a tighter mode keeps the gosec G306 scan clean for this new write.
+	if err := os.WriteFile(filepath.Join(modelsPath, name+".yaml"), yamlData, 0600); err != nil {
 		return fmt.Errorf("write alias config: %w", err)
 	}
 	if err := c.ConfigLoader.LoadModelConfigsFromPath(modelsPath, c.AppConfig.ToConfigLoaderOptions()...); err != nil {