From a19bcd97b3e37492d15eab3765b40c219026531f Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Fri, 6 Mar 2026 00:45:54 -0500
Subject: [PATCH] Cron store tests: cover existing directory permission
 hardening

---
 src/cron/store.test.ts | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/cron/store.test.ts b/src/cron/store.test.ts
index 049096aece0..f511636fb85 100644
--- a/src/cron/store.test.ts
+++ b/src/cron/store.test.ts
@@ -97,6 +97,21 @@ describe("cron store", () => {
       expect(backupMode).toBe(0o600);
     },
   );
+
+  it.skipIf(process.platform === "win32")(
+    "hardens an existing cron store directory to owner-only permissions",
+    async () => {
+      const store = await makeStorePath();
+      const storeDir = path.dirname(store.storePath);
+      await fs.mkdir(storeDir, { recursive: true, mode: 0o755 });
+      await fs.chmod(storeDir, 0o755);
+
+      await saveCronStore(store.storePath, makeStore("job-1", true));
+
+      const storeDirMode = (await fs.stat(storeDir)).mode & 0o777;
+      expect(storeDirMode).toBe(0o700);
+    },
+  );
 });
 
 describe("saveCronStore", () => {