feat(security): file permission validation at startup (TASK-036)

Adds FilePermissionValidator to core, called during execute command
startup after job config is parsed:

- Config files: warn if readable by group or others (chmod 640 advice)
- Seed files (type: file): fail fast with SecurityException if readable
  by group or others (chmod 600 required)
- Windows: all checks silently skipped (no POSIX permissions)
- 9 unit tests (1 skipped on non-Windows), SpotBugs clean

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: mferretti

cli/src/main/java/com/datagenerator/cli/ExecuteCommand.java

@@ -19,6 +19,7 @@
 import ch.qos.logback.classic.Level;
 import ch.qos.logback.classic.Logger;
 import com.datagenerator.core.engine.GenerationEngine;
+import com.datagenerator.core.security.FilePermissionValidator;
 import com.datagenerator.core.seed.SeedConfig;
 import com.datagenerator.core.seed.SeedResolver;
 import com.datagenerator.core.structure.StructureLoader;
@@ -379,6 +380,13 @@ public Integer call() throws Exception {
     JobConfig jobConfig = jobParser.parse(jobFile);
     log.info("Loaded job config: source={}, type={}", jobConfig.getSource(), jobConfig.getType());
 
+    // 1a. Validate file permissions
+    FilePermissionValidator permValidator = new FilePermissionValidator();
+    permValidator.validateConfigFile(jobFile);
+    if (jobConfig.getSeed() instanceof SeedConfig.FileSeed fileSeed) {
+      permValidator.validateSeedFile(Path.of(fileSeed.getPath()));
+    }
+
     // 2. Resolve seed
     long seed = resolveSeed(jobConfig);
     log.info("Using seed: {}", seed);

core/src/main/java/com/datagenerator/core/security/FilePermissionValidator.java

@@ -0,0 +1,94 @@
+/*
+ * Copyright 2026 Marco Ferretti
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.datagenerator.core.security;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.attribute.PosixFilePermission;
+import java.util.Locale;
+import java.util.Set;
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Validates file permissions for configuration and seed files.
+ *
+ * <p>On Unix-like systems, warns when configuration files are readable by group or others, and
+ * fails fast when seed files have the same permissive permissions (seed files may contain sensitive
+ * values and should be owner-only: {@code chmod 600}).
+ *
+ * <p>On Windows, POSIX permissions are not available — all checks are silently skipped.
+ */
+@Slf4j
+public class FilePermissionValidator {
+
+  private static final boolean IS_POSIX =
+      !System.getProperty("os.name", "").toLowerCase(Locale.ROOT).contains("win");
+
+  /**
+   * Warns if the given configuration file is readable by group or others.
+   *
+   * @param configFile path to the configuration file
+   */
+  public void validateConfigFile(Path configFile) {
+    if (!IS_POSIX || !Files.exists(configFile)) {
+      return;
+    }
+    try {
+      Set<PosixFilePermission> perms = Files.getPosixFilePermissions(configFile);
+      if (perms.contains(PosixFilePermission.GROUP_READ)
+          || perms.contains(PosixFilePermission.OTHERS_READ)) {
+        log.warn(
+            "Configuration file {} has permissive permissions (readable by group or others). "
+                + "Consider restricting to owner-only: chmod 640 {}",
+            configFile,
+            configFile);
+      }
+    } catch (IOException e) {
+      log.debug("Could not read permissions for config file {}: {}", configFile, e.getMessage());
+    }
+  }
+
+  /**
+   * Fails fast if the given seed file is readable by group or others.
+   *
+   * <p>Seed files may contain sensitive values and must be restricted to owner read/write only
+   * ({@code chmod 600}).
+   *
+   * @param seedFile path to the seed file
+   * @throws SecurityException if the seed file has insecure permissions
+   */
+  public void validateSeedFile(Path seedFile) {
+    if (!IS_POSIX || !Files.exists(seedFile)) {
+      return;
+    }
+    try {
+      Set<PosixFilePermission> perms = Files.getPosixFilePermissions(seedFile);
+      if (perms.contains(PosixFilePermission.GROUP_READ)
+          || perms.contains(PosixFilePermission.OTHERS_READ)) {
+        throw new SecurityException(
+            "Seed file has insecure permissions (readable by group or others). "
+                + "Restrict to owner-only: chmod 600 "
+                + seedFile);
+      }
+    } catch (SecurityException e) {
+      throw e;
+    } catch (IOException e) {
+      log.debug("Could not read permissions for seed file {}: {}", seedFile, e.getMessage());
+    }
+  }
+}

core/src/main/java/com/datagenerator/core/security/package-info.java

@@ -0,0 +1,18 @@
+/*
+ * Copyright 2026 Marco Ferretti
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/** Security utilities for file permission validation and startup checks. */
+package com.datagenerator.core.security;

core/src/test/java/com/datagenerator/core/security/FilePermissionValidatorTest.java

@@ -0,0 +1,129 @@
+/*
+ * Copyright 2026 Marco Ferretti
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.datagenerator.core.security;
+
+import static org.assertj.core.api.Assertions.*;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.attribute.PosixFilePermission;
+import java.nio.file.attribute.PosixFilePermissions;
+import java.util.Set;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.condition.DisabledOnOs;
+import org.junit.jupiter.api.condition.EnabledOnOs;
+import org.junit.jupiter.api.condition.OS;
+import org.junit.jupiter.api.io.TempDir;
+
+class FilePermissionValidatorTest {
+
+  @TempDir Path tempDir;
+
+  private FilePermissionValidator validator;
+
+  @BeforeEach
+  void setUp() {
+    validator = new FilePermissionValidator();
+  }
+
+  // ── Config file tests (Unix only) ────────────────────────────────────────
+
+  @Test
+  @DisabledOnOs(OS.WINDOWS)
+  void shouldNotWarnWhenConfigFileIsOwnerOnly() throws IOException {
+    Path file = createFileWithPermissions("config.yaml", "rw-------");
+    // No exception expected — just a log warn check (hard to assert without log capture)
+    assertThatNoException().isThrownBy(() -> validator.validateConfigFile(file));
+  }
+
+  @Test
+  @DisabledOnOs(OS.WINDOWS)
+  void shouldNotThrowWhenConfigFileIsGroupReadable() throws IOException {
+    Path file = createFileWithPermissions("config.yaml", "rw-r-----");
+    // warn only — no exception
+    assertThatNoException().isThrownBy(() -> validator.validateConfigFile(file));
+  }
+
+  @Test
+  @DisabledOnOs(OS.WINDOWS)
+  void shouldNotThrowWhenConfigFileIsWorldReadable() throws IOException {
+    Path file = createFileWithPermissions("config.yaml", "rw-r--r--");
+    // warn only — no exception
+    assertThatNoException().isThrownBy(() -> validator.validateConfigFile(file));
+  }
+
+  @Test
+  void shouldSilentlySkipConfigFileWhenItDoesNotExist() {
+    Path missing = tempDir.resolve("nonexistent.yaml");
+    assertThatNoException().isThrownBy(() -> validator.validateConfigFile(missing));
+  }
+
+  // ── Seed file tests (Unix only) ──────────────────────────────────────────
+
+  @Test
+  @DisabledOnOs(OS.WINDOWS)
+  void shouldPassWhenSeedFileIsOwnerOnly() throws IOException {
+    Path file = createFileWithPermissions("seed.txt", "rw-------");
+    assertThatNoException().isThrownBy(() -> validator.validateSeedFile(file));
+  }
+
+  @Test
+  @DisabledOnOs(OS.WINDOWS)
+  void shouldFailWhenSeedFileIsGroupReadable() throws IOException {
+    Path file = createFileWithPermissions("seed.txt", "rw-r-----");
+    assertThatThrownBy(() -> validator.validateSeedFile(file))
+        .isInstanceOf(SecurityException.class)
+        .hasMessageContaining("insecure permissions")
+        .hasMessageContaining("chmod 600");
+  }
+
+  @Test
+  @DisabledOnOs(OS.WINDOWS)
+  void shouldFailWhenSeedFileIsWorldReadable() throws IOException {
+    Path file = createFileWithPermissions("seed.txt", "rw-r--r--");
+    assertThatThrownBy(() -> validator.validateSeedFile(file))
+        .isInstanceOf(SecurityException.class)
+        .hasMessageContaining("insecure permissions");
+  }
+
+  @Test
+  void shouldSilentlySkipSeedFileWhenItDoesNotExist() {
+    Path missing = tempDir.resolve("nonexistent.seed");
+    assertThatNoException().isThrownBy(() -> validator.validateSeedFile(missing));
+  }
+
+  // ── Windows: all checks silently skipped ─────────────────────────────────
+
+  @Test
+  @EnabledOnOs(OS.WINDOWS)
+  void shouldSkipAllChecksOnWindows() throws IOException {
+    Path file = Files.createTempFile(tempDir, "test", ".yaml");
+    assertThatNoException().isThrownBy(() -> validator.validateConfigFile(file));
+    assertThatNoException().isThrownBy(() -> validator.validateSeedFile(file));
+  }
+
+  // ── helpers ──────────────────────────────────────────────────────────────
+
+  private Path createFileWithPermissions(String name, String posixString) throws IOException {
+    Set<PosixFilePermission> perms = PosixFilePermissions.fromString(posixString);
+    Path file =
+        Files.createFile(tempDir.resolve(name), PosixFilePermissions.asFileAttribute(perms));
+    return file;
+  }
+}

docs/internal/tasks/README.md

@@ -95,7 +95,7 @@ Each task lists dependencies on other tasks. Always complete dependencies before
 ### Phase 9: Security & Compliance (🔄 In Progress)
 - [TASK-034: Security - Secret Management](TASK-034-security-secrets.md) ⏸️
 - [TASK-035: Security - Dependency Vulnerability Scanning](TASK-035-security-dependencies.md) ✅
-- [TASK-036: Security - File Permission Checks](TASK-036-security-permissions.md) ⏸️
+- [TASK-036: Security - File Permission Checks](TASK-036-security-permissions.md) ✅
 - [TASK-044: Extras Directory — External JARs and Custom Datafaker Providers](TASK-044-extras-directory-plugin-loading.md) ✅
 
 ### Phase 10: Future Enhancements (🔄 In Progress)

docs/internal/tasks/TASK-036-security-permissions.md

@@ -1,6 +1,7 @@
 # TASK-036: Security - File Permission Checks
 
-**Status**: ⏸️ Not Started  
+**Status**: ✅ Complete
+**Completion Date**: March 15, 2026
 **Priority**: P2 (Medium)  
 **Phase**: 9 - Security & Compliance  
 **Dependencies**: TASK-016 (File Destination)