security: fix TOCTOU temp files + add path canonicalization in verify pipeline

Finding 8: chmod 600 temp files immediately after mktemp in beacon-init.sh
and update-state.sh — closes the TOCTOU window between file creation and
write on shared systems (CI runners, multi-user hosts).

Finding 9: add Step 0.5 pre-verification guards to beacon-verify skill:
- Assert BEACON_RESULT_PATH is canonically inside WORKTREE_PATH (symlink escape)
- Assert git diff main...HEAD is non-empty before spawning reviewer —
  mandatory FAIL if agent reported COMPLETE without committing any changes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Maleick

hooks/beacon-init.sh

@@ -205,6 +205,7 @@ init_token_ledger() {
     # without quoting/escaping issues.
     local session_tmp
     session_tmp=$(mktemp)
+    chmod 600 "$session_tmp"   # close TOCTOU window before writing session data
     printf '%s' "$new_session" > "$session_tmp"
     # Pass paths as positional args ($1, $2) to avoid injection from special chars in paths
     lockf -k "$lock" bash -c '

hooks/update-state.sh

@@ -165,6 +165,7 @@ append_ledger_record() {
   elif command -v lockf >/dev/null 2>&1; then
     local record_tmp
     record_tmp=$(mktemp)
+    chmod 600 "$record_tmp"   # close TOCTOU window before writing record data
     printf '%s' "$record" > "$record_tmp"
     # Pass paths as positional args ($1, $2) to avoid shell injection from special chars in paths
     lockf -k "$lock" bash -c '

skills/beacon-verify/SKILL.md

@@ -22,6 +22,37 @@ Before verification, determine the repo's test command. Check in order:
 
 Cache the discovered command in `.beacon/state.json` under `test_command` so subsequent verifications skip discovery.
 
+## Step 0.5: Pre-Verification Guards
+
+Before spawning the reviewer, run these assertions. Any failure → immediate FAIL, no reviewer spawned.
+
+**1. Path canonicalization** — assert `BEACON_RESULT_PATH` is inside `WORKTREE_PATH`:
+
+```bash
+REAL_RESULT=$(realpath "$BEACON_RESULT_PATH" 2>/dev/null)
+REAL_WORKTREE=$(realpath "$WORKTREE_PATH" 2>/dev/null)
+if [[ -z "$REAL_RESULT" || "$REAL_RESULT" != "$REAL_WORKTREE"/* ]]; then
+  echo "VERDICT: FAIL — BEACON_RESULT_PATH is outside worktree (possible symlink escape)"
+  # Mark issue blocked, skip to escalation
+fi
+```
+
+This prevents a worker agent from writing `BEACON_RESULT.md` as a symlink pointing outside the worktree.
+
+**2. Non-empty diff** — assert the agent actually made changes:
+
+```bash
+DIFF_OUTPUT=$(git -C "$WORKTREE_PATH" diff main...HEAD 2>/dev/null)
+if [[ -z "$DIFF_OUTPUT" ]]; then
+  echo "VERDICT: FAIL — git diff main...HEAD is empty. No changes were committed."
+  # Mark issue blocked, skip to escalation
+fi
+```
+
+An empty diff means the agent reported COMPLETE without committing anything. The reviewer **must not** be allowed to PASS an empty diff — this guard is mandatory and cannot be overridden by the result file contents.
+
+---
+
 ## Step 1: Initial Verification
 
 Spawn the `beacon-reviewer` agent with these structured variables: