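# shellcheck shell=bash
# Helper to warn if a credential file has loose permissions.

#######################################
# Usage: require_private FILE
#
# Emits a warning to stderr if FILE grants any permission bit (read, write
# or execute) to group or other. This is advisory only: it never changes
# the file, and it inspects mode bits only -- it does not look at file
# ownership, ACLs, or the permissions of parent directories.
#
# Arguments: $1 - path to the credential file
# Outputs:   warnings on stderr; nothing on stdout
# Returns:   0 if FILE is missing, not a regular file, or was checked
#            (whether or not a warning was printed);
#            1 if the mode could not be determined
#######################################
require_private() {
  local file="${1-}"

  # Nothing to check when the path is absent or not a regular file.
  [[ -f "$file" ]] || return 0

  local perms
  # -L: [[ -f ]] follows symlinks, so stat must as well; without it a
  # symlink to a 600 file reports the link's own mode and warns falsely.
  # GNU stat takes -c %a; BSD/macOS stat takes -f %Lp, tried as a fallback.
  perms=$(stat -L -c %a -- "$file" 2>/dev/null) ||
    perms=$(stat -L -f %Lp -- "$file" 2>/dev/null) ||
    perms=

  # Only octal digits may reach the arithmetic below; anything else
  # (empty output, or output from a stat that misread the flags) is
  # reported as a failed check.
  if [[ ! "$perms" =~ ^[0-7]+$ ]]; then
    printf 'bash.d: WARNING: cannot check permissions on %s (stat failed)\n' \
      "$file" >&2
    return 1
  fi

  # Group and other bits must both be zero (e.g. 600, 700). Masking the
  # octal value handles both 3- and 4-digit modes.
  if (( (8#$perms) & 8#077 )); then
    # %q shell-quotes the path so the suggested command can be pasted
    # as-is even when the path contains spaces or metacharacters.
    printf 'bash.d: WARNING: %s is group/world-accessible (mode %s). Run: chmod 600 %q\n' \
      "$file" "$perms" "$file" >&2
  fi
  return 0
}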