bootstrap: set UNIX socket permissions to 770

[ungeskriptet]

This grants other processes access to the socket, provided they are in the correct group.

Summary by CodeRabbit

• Bug Fixes
  • Enhanced UNIX socket permission configuration when the application is configured to run on a UNIX socket, with improved error handling for permission operations.

[coderabbitai]

📝 Walkthrough

Walkthrough

When the application is configured to run on a UNIX socket, the startup sequence now spawns a goroutine that applies file permissions (0770) to the socket path and logs a fatal error if the operation fails.

Changes

UNIX Socket Permission Setup

Layer / File(s)	Summary
Socket Permission Configuration internal/bootstrap/app_bootstrap.go	A goroutine is spawned to apply 0770 permissions to the UNIX socket via os.Chmod(), with fatal error logging if the operation fails.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A socket wakes and needs its guard,
With 0770 perms, no task too hard,
A goroutine whispers, calm and fleet,
Permissions bloom, the setup's neat,
Secure and swift—the hares all greet! 🐇

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'bootstrap: set UNIX socket permissions to 770' clearly and concisely summarizes the main change in the pull request, which is setting UNIX socket permissions to 770 in the bootstrap process.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 7/8 reviews remaining, refill in 7 minutes and 30 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/bootstrap/app_bootstrap.go`:
- Around line 218-223: The os.Chmod call for app.config.Server.SocketPath must
be moved out of the fire-and-forget goroutine and executed immediately after the
UNIX socket is created in the unix-socket startup path (i.e., after
router.RunUnix(...) or the call that binds/creates the socket) so it runs
deterministically once the socket exists and before accepting connections;
remove the goroutine, call os.Chmod(app.config.Server.SocketPath, 0770) right
after the successful bind in the same control flow, and keep the current error
handling (use tlog.App.Fatal().Err(err).Msg(...)) if Chmod fails so startup
fails fast on permission issues.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: cab04b9c-8310-4324-b98d-35938504224e

📥 Commits

Reviewing files that changed from the base of the PR and between 956d2f5 and 12169f2.

📒 Files selected for processing (1)

• internal/bootstrap/app_bootstrap.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Apply the chmod after the socket is bound, not in a fire-and-forget goroutine.

os.Chmod can run before router.RunUnix(...) creates the socket, which makes startup nondeterministic: the goroutine may hit ENOENT and fatal the process even on a healthy boot. It also leaves a window where the socket still has the old permissions.

Please move the permission update into the unix-socket startup path so it runs once the socket exists and before connections are accepted.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/bootstrap/app_bootstrap.go` around lines 218 - 223, The os.Chmod
call for app.config.Server.SocketPath must be moved out of the fire-and-forget
goroutine and executed immediately after the UNIX socket is created in the
unix-socket startup path (i.e., after router.RunUnix(...) or the call that
binds/creates the socket) so it runs deterministically once the socket exists
and before accepting connections; remove the goroutine, call
os.Chmod(app.config.Server.SocketPath, 0770) right after the successful bind in
the same control flow, and keep the current error handling (use
tlog.App.Fatal().Err(err).Msg(...)) if Chmod fails so startup fails fast on
permission issues.

[scottmckendry]

Maybe I'm out of the loop, but could you also describe some use cases for this change?

[scottmckendry]

I think umask would be the more correct approach here, rather than chmod.