From 9a5b5350a1a9c7c612c4bce968fcd1db1d4c2089 Mon Sep 17 00:00:00 2001
From: "Matthew (OpenClaw)" <matthew@vulturelabs.io>
Date: Wed, 27 May 2026 23:18:05 +0000
Subject: [PATCH] fix: writePEM uses O_EXCL to prevent silent overwrite
 (PILOT-142)

writePEM used O_TRUNC which silently overwrites existing keys and
certificates without warning. If two operators or CI jobs race for the
same hostname, the second silently replaces the first's cert.

Fix: use O_EXCL so the open fails with EEXIST when the file already
exists. This prevents accidental overwrites and surfaces the race.

Closes PILOT-142
---
 main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.go b/main.go
index 8ec4330..7a82e01 100644
--- a/main.go
+++ b/main.go
@@ -287,7 +287,7 @@ func mustMarshalPKCS8(key any) []byte {
 }
 
 func writePEM(path, blockType string, der []byte, mode os.FileMode) error {
-	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, mode)
+	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, mode)
 	if err != nil {
 		return fmt.Errorf("open %s: %w", path, err)
 	}