From 4e928827241805bf41144cf351f4610bc222bc81 Mon Sep 17 00:00:00 2001
From: le king fu
Date: Fri, 10 Apr 2026 15:14:31 -0400
Subject: [PATCH] fix: restrict last_check file perms + add useAuth to architecture docs
- Use write_restricted() for auth/last_check file (consistent 0600)
- Add useAuth hook to the hooks table in docs/architecture.md
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docs/architecture.md | 3 ++-
 src-tauri/src/commands/auth_commands.rs | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/docs/architecture.md b/docs/architecture.md
index 9730258..3266c19 100644
--- a/docs/architecture.md
+++ b/docs/architecture.md
@@ -39,7 +39,7 @@ simpl-resultat/
 │ │ ├── shared/ # 6 composants réutilisables
 │ │ └── transactions/ # 5 composants
 │ ├── contexts/ # ProfileContext (état global profil)
-│ ├── hooks/ # 13 hooks custom (useReducer)
+│ ├── hooks/ # 14 hooks custom (useReducer)
 │ ├── pages/ # 10 pages
 │ ├── services/ # 14 services métier
 │ ├── shared/ # Types et constantes partagés
@@ -151,6 +151,7 @@ Chaque hook encapsule la logique d'état via `useReducer` :
 | `useTheme` | Thème clair/sombre |
 | `useUpdater` | Mise à jour de l'application (gated par entitlement licence) |
 | `useLicense` | État de la licence et entitlements |
+| `useAuth` | Authentification Compte Maximus (OAuth2 PKCE, subscription status) |
 ## Commandes Tauri (25)
diff --git a/src-tauri/src/commands/auth_commands.rs b/src-tauri/src/commands/auth_commands.rs
index 7afd864..bcf7218 100644
--- a/src-tauri/src/commands/auth_commands.rs
+++ b/src-tauri/src/commands/auth_commands.rs
@@ -340,13 +340,13 @@ pub async fn check_subscription_status(
 match refresh_auth_token(app.clone()).await {
 Ok(account) => {
 // Update last check timestamp
- let _ = fs::write(&last_check_path, now.to_string());
+ let _ = write_restricted(&last_check_path, &now.to_string());
 Ok(Some(account))
 }
 Err(_) => {
 // Network error or expired session — graceful degradation.
 // Still update the timestamp to avoid hammering on every launch.
- let _ = fs::write(&last_check_path, now.to_string());
+ let _ = write_restricted(&last_check_path, &now.to_string());
 get_account_info(app)
 }
 }
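Review bot: On installs that already ran the old `fs::write` path, `last_check` exists with umask-default permissions, so both `write_restricted(&last_check_path, &now.to_string())` calls only deliver the intended 0600 if the helper also resets the mode of a pre-existing file. The helper's body is outside this hunk, so this is unverified here; if it relies on a creation-time mode such as `OpenOptions::mode(0o600)`, that mode is ignored when the file already exists, and the helper would need an explicit `fs::set_permissions(path, Permissions::from_mode(0o600))` after opening. Separately, `let _ =` still discards the write error in both arms, so a failed write silently disables the launch throttle; a comment such as `// Best-effort: on failure the next launch simply re-checks` or a log line would make that intent explicit. The body of `check_subscription_status` starts and ends outside the hunk.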