E1002 -- ~/.controlzero directory is world-readable
Severity: WARN. Run chmod 700 ~/.controlzero to fix.
What happened
controlzero doctor found that the directory holding your API key
and policy state has POSIX permissions other than 0700 (owner-only).
Other local users on the same machine can read its contents, including
config.yaml (which holds your API key in plaintext).
Why it matters
Even if config.yaml itself is mode 0600, an open parent directory
lets other local users:
- See which files exist (so they know an API key is on this box).
- Tail audit log files like ~/.controlzero/audit.log.
- On some systems, traverse via group or other-readable subdirectories.
For a single-user laptop this is low-risk. For a shared dev box, CI runner, or jump host it is a real exposure.
How to fix
chmod 700 ~/.controlzero
Run controlzero doctor again to confirm the warning is gone.
When this happens
Most common causes:
- A pre-1.5.3 install path created the directory with the umask default (often 755) instead of explicitly setting 700.
- A backup or sync tool restored the directory and reset perms.
- A teammate with sudo ran controlzero install as root and the directory landed owned by root with permissive perms.
controlzero install <agent> on 1.5.3 and later sets 0700 on the
directory at every install. If doctor keeps reporting this on a
machine that re-runs install, check whether something is resetting
perms after install (a launchd / systemd unit, a corp-wide policy
manager, etc).
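A read-only check for the conditions listed above, as an added example that is not part of controlzero or its documentation. cz_audit_dir is a hypothetical helper name, and the scan for group- or other-readable entries inside the directory goes slightly beyond what this page says doctor tests.

```shell
#!/bin/sh
# Added example; cz_audit_dir is a hypothetical helper, not a controlzero command.
# Read-only: reports findings, changes nothing.
# Exit status: 0 = clean, 1 = findings, 2 = directory missing.
cz_audit_dir() {
    dir=${1:-"$HOME/.controlzero"}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir is not a directory"
        return 2
    fi
    # -perm 700 matches only an exact mode of 0700, so 0755, 0750, 0770 all fail.
    if [ -z "$(find "$dir" -prune -perm 700)" ]; then
        echo "mode: $dir is not 0700 (fix: chmod 700 $dir)"
        rc=1
    fi
    # A directory created under sudo ends up owned by root, not the current user.
    if [ -z "$(find "$dir" -prune -user "$(id -u)")" ]; then
        echo "owner: $dir is not owned by uid $(id -u)"
        rc=1
    fi
    # Entries inside that are group- or other-readable (symlinks skipped,
    # since their own mode bits are not meaningful).
    loose=$(find "$dir" -mindepth 1 ! -type l \( -perm -040 -o -perm -004 \))
    if [ -n "$loose" ]; then
        echo "readable by group/other:"
        echo "$loose"
        rc=1
    fi
    return "$rc"
}
```

Source the file and call cz_audit_dir with no argument to check ~/.controlzero; running it from a scheduled job after install helps show whether something is resetting the mode.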
Related
- E1001 -- API key found in agent settings file
- E1003 -- config.yaml is world-readable
- E1004 -- API key found in shell history