rollout: chmod session JSONL files to 0o600

`open_log_file` previously created session rollout files via
`OpenOptions::new().append(true).create(true).open(path)` and parent
directories via `fs::create_dir_all`, neither of which set a Unix mode.
With the standard macOS / Linux default umask of 022, this yielded files
at 0o644 (world-readable) and directories at 0o755 (world-traversable).

Rollout JSONL holds the full conversation transcript: user prompts,
model responses, and every tool I/O — file contents read by the agent,
command stdout/stderr, and reasoning traces. On any host with more than
one local UID (shared dev boxes, CI runners, JupyterHub nodes,
multi-user macOS, build farms), other unprivileged users could `cat`
the victim's complete Codex history without privilege escalation.

The sibling `codex-rs/message-history` crate already implements the
correct pattern for `~/.codex/history.jsonl`: `OpenOptions::mode(0o600)`
plus an `ensure_owner_only_permissions` post-hoc chmod. This change
mirrors that pattern in the rollout recorder:

  * `DirBuilder::mode(0o700)` so newly-created session directories are
    owner-only.
  * `OpenOptions::mode(0o600)` so newly-created rollout files are
    owner-only.
  * A post-open `set_permissions` belt-and-suspenders so files created
    by older Codex versions at 0o644 get tightened on next reopen.

Existing parent directories are left alone (`DirBuilder::mode` only
applies on creation); operators on shared hosts may want to
`chmod 0700 ~/.codex` once after upgrade. Future work could extend the
post-hoc tightening to directory metadata as well.

Author: ioleksiuk

codex-rs/rollout/src/recorder.rs

@@ -4,6 +4,12 @@ use std::collections::HashSet;
 use std::fs;
 use std::fs::File;
 use std::io::Error as IoError;
+#[cfg(unix)]
+use std::os::unix::fs::DirBuilderExt;
+#[cfg(unix)]
+use std::os::unix::fs::OpenOptionsExt;
+#[cfg(unix)]
+use std::os::unix::fs::PermissionsExt;
 use std::path::Path;
 use std::path::PathBuf;
 use std::sync::Arc;
@@ -1410,11 +1416,39 @@ fn open_log_file(path: &Path) -> std::io::Result<File> {
             path.display()
         )));
     };
+
+    // Create the parent chain owner-only on Unix so newly-introduced session
+    // dirs do not become world-traversable under the default umask. Existing
+    // directories are left alone (DirBuilder::mode only applies on creation).
+    #[cfg(unix)]
+    std::fs::DirBuilder::new()
+        .recursive(true)
+        .mode(0o700)
+        .create(parent)?;
+    #[cfg(not(unix))]
     fs::create_dir_all(parent)?;
-    std::fs::OpenOptions::new()
-        .append(true)
-        .create(true)
-        .open(path)
+
+    let mut opts = std::fs::OpenOptions::new();
+    opts.append(true).create(true);
+    #[cfg(unix)]
+    opts.mode(0o600);
+    let file = opts.open(path)?;
+
+    // Belt-and-suspenders: if the rollout file already existed at a looser
+    // mode (e.g. created by an older Codex version under default umask),
+    // tighten it to 0o600 on first reopen. Mirrors the
+    // `ensure_owner_only_permissions` helper in `codex-rs/message-history`.
+    #[cfg(unix)]
+    {
+        let metadata = file.metadata()?;
+        if metadata.permissions().mode() & 0o777 != 0o600 {
+            let mut perms = metadata.permissions();
+            perms.set_mode(0o600);
+            std::fs::set_permissions(path, perms)?;
+        }
+    }
+
+    Ok(file)
 }
 
 /// Mutable state owned by the background rollout writer.