fix(knowledge): tighten sentinel perms to 0600 and silence fd gosec warnings

Author: ysyneu

workspace/knowledge.go

@@ -96,19 +96,20 @@ func withSentinelLock(sentinelPath string, fn func() error) error {
 	// Open or create the sentinel file just to acquire the lock fd.
 	// We do NOT read/write through this fd to keep flock + atomic-write
 	// concerns separate.
-	lockFile, err := os.OpenFile(sentinelPath, os.O_RDWR|os.O_CREATE, 0o644)
+	lockFile, err := os.OpenFile(sentinelPath, os.O_RDWR|os.O_CREATE, 0o600)
 	if err != nil {
 		return fmt.Errorf("failed to open sentinel for locking: %w", err)
 	}
 	defer func() {
 		_ = lockFile.Close()
 	}()
 
-	if err := syscall.Flock(int(lockFile.Fd()), syscall.LOCK_EX); err != nil {
+	fd := int(lockFile.Fd()) //nolint:gosec // os.File.Fd returns uintptr but the underlying OS fd is always a valid int on unix
+	if err := syscall.Flock(fd, syscall.LOCK_EX); err != nil {
 		return fmt.Errorf("failed to acquire sentinel lock: %w", err)
 	}
 	defer func() {
-		_ = syscall.Flock(int(lockFile.Fd()), syscall.LOCK_UN)
+		_ = syscall.Flock(fd, syscall.LOCK_UN)
 	}()
 
 	return fn()