Preserve file permissions when editing through symlinks

Both LocalRuntime and SSHRuntime now preserve the original file
permissions when editing through symlinks. If the target file exists,
its permissions are read before writing and restored after. For new
files, default permissions apply (600 for SSH, system defaults for local).

Added integration test verifying permissions are preserved across edits.

Author: ammar-agent

src/runtime/LocalRuntime.ts

@@ -242,15 +242,20 @@ export class LocalRuntime implements Runtime {
     let tempPath: string;
     let writer: WritableStreamDefaultWriter<Uint8Array>;
     let resolvedPath: string;
+    let originalMode: number | undefined;
 
     return new WritableStream<Uint8Array>({
       async start() {
         // Resolve symlinks to write through them (preserves the symlink)
         try {
           resolvedPath = await fsPromises.realpath(filePath);
+          // Save original permissions to restore after write
+          const stat = await fsPromises.stat(resolvedPath);
+          originalMode = stat.mode;
         } catch {
-          // If file doesn't exist, use the original path
+          // If file doesn't exist, use the original path and default permissions
           resolvedPath = filePath;
+          originalMode = undefined;
         }
 
         // Create parent directories if they don't exist
@@ -270,6 +275,10 @@ export class LocalRuntime implements Runtime {
         // Close the writer and rename to final location
         await writer.close();
         try {
+          // If we have original permissions, apply them to temp file before rename
+          if (originalMode !== undefined) {
+            await fsPromises.chmod(tempPath, originalMode);
+          }
           await fsPromises.rename(tempPath, resolvedPath);
         } catch (err) {
           throw new RuntimeErrorClass(

src/runtime/SSHRuntime.ts

@@ -263,15 +263,16 @@ export class SSHRuntime implements Runtime {
 
   /**
    * Write file contents over SSH atomically from a stream
-   * Preserves symlinks by resolving them first, then writing to the target
+   * Preserves symlinks and file permissions by resolving and copying metadata
    */
   writeFile(path: string): WritableStream<Uint8Array> {
     const tempPath = `${path}.tmp.${Date.now()}`;
     // Resolve symlinks to get the actual target path, preserving the symlink itself
-    // If path doesn't exist, readlink fails and we use the original path
+    // If target exists, save its permissions to restore after write
+    // If path doesn't exist, use 600 as default
     // Then write atomically using mv (all-or-nothing for readers)
     // Use shescape.quote for safe path escaping
-    const writeCommand = `RESOLVED=$(readlink -f ${shescape.quote(path)} 2>/dev/null || echo ${shescape.quote(path)}) && mkdir -p $(dirname "$RESOLVED") && cat > ${shescape.quote(tempPath)} && chmod 600 ${shescape.quote(tempPath)} && mv ${shescape.quote(tempPath)} "$RESOLVED"`;
+    const writeCommand = `RESOLVED=$(readlink -f ${shescape.quote(path)} 2>/dev/null || echo ${shescape.quote(path)}) && PERMS=$(stat -c '%a' "$RESOLVED" 2>/dev/null || echo 600) && mkdir -p $(dirname "$RESOLVED") && cat > ${shescape.quote(tempPath)} && chmod "$PERMS" ${shescape.quote(tempPath)} && mv ${shescape.quote(tempPath)} "$RESOLVED"`;
 
     // Need to get the exec stream in async callbacks
     let execPromise: Promise<ExecStream> | null = null;

tests/runtime/runtime.test.ts

@@ -372,6 +372,51 @@ describeIntegration("Runtime integration tests", () => {
           const targetContent = await readFileString(runtime, targetPath);
           expect(targetContent).toBe("new content");
         });
+
+        test.concurrent("preserves file permissions when editing through symlink", async () => {
+          const runtime = createRuntime();
+          await using workspace = await TestWorkspace.create(runtime, type);
+
+          // Create a target file with specific permissions (755)
+          const targetPath = `${workspace.path}/target.txt`;
+          await writeFileString(runtime, targetPath, "original content");
+          
+          // Set permissions to 755
+          const chmodResult = await execBuffered(runtime, "chmod 755 target.txt", {
+            cwd: workspace.path,
+            timeout: 30,
+          });
+          expect(chmodResult.exitCode).toBe(0);
+
+          // Verify initial permissions
+          const statBefore = await execBuffered(runtime, "stat -c '%a' target.txt", {
+            cwd: workspace.path,
+            timeout: 30,
+          });
+          expect(statBefore.stdout.trim()).toBe("755");
+
+          // Create a symlink to the target
+          const linkPath = `${workspace.path}/link.txt`;
+          const lnResult = await execBuffered(runtime, "ln -s target.txt link.txt", {
+            cwd: workspace.path,
+            timeout: 30,
+          });
+          expect(lnResult.exitCode).toBe(0);
+
+          // Edit the file via the symlink
+          await writeFileString(runtime, linkPath, "new content");
+
+          // Verify permissions are preserved
+          const statAfter = await execBuffered(runtime, "stat -c '%a' target.txt", {
+            cwd: workspace.path,
+            timeout: 30,
+          });
+          expect(statAfter.stdout.trim()).toBe("755");
+
+          // Verify content was updated
+          const content = await readFileString(runtime, targetPath);
+          expect(content).toBe("new content");
+        });
       });
 
       describe("stat() - File metadata", () => {