fix: handle empty USERNAME and add debug log for icacls success

- Check for empty USERNAME env var before running icacls to avoid a doomed invocation with ":F" grant argument - Log a clear warning when USERNAME is empty - Add tracing::debug on successful permission set Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 00:29:22 +01:00 · 2026-02-15 00:29:22 +01:00 · 6fd4b2d750
commit 6fd4b2d750
parent 2942e5607d
1 changed files with 25 additions and 18 deletions
--- a/src/security/secrets.rs
+++ b/src/security/secrets.rs
@ -191,13 +191,17 @@ impl SecretStore {
            #[cfg(windows)]
            {
                // On Windows, use icacls to restrict permissions to current user only
+                let username = std::env::var("USERNAME").unwrap_or_default();
+                if username.is_empty() {
+                    tracing::warn!(
+                        "USERNAME environment variable is empty; \
+                         cannot restrict key file permissions via icacls"
+                    );
+                } else {
                    match std::process::Command::new("icacls")
                        .arg(&self.key_path)
                        .args(["/inheritance:r", "/grant:r"])
-                    .arg(format!(
-                        "{}:F",
-                        std::env::var("USERNAME").unwrap_or_default()
-                    ))
+                        .arg(format!("{username}:F"))
                        .output()
                    {
                        Ok(o) if !o.status.success() => {
@ -209,7 +213,10 @@ impl SecretStore {
                        Err(e) => {
                            tracing::warn!("Could not set key file permissions: {e}");
                        }
-                    _ => {}
+                        _ => {
+                            tracing::debug!("Key file permissions restricted via icacls");
+                        }
+                    }
                }
            }