fix(tui): use secure random temp files in external editor to prevent symlink attacks

The external editor was using predictable temp filenames based on PID
(cortex_prompt_{PID}.md), making it vulnerable to symlink attacks where
an attacker could:
1. Predict the filename before cortex creates it
2. Create a symlink pointing to a sensitive file
3. When cortex writes to the temp file, it overwrites the symlink target

This fix uses the tempfile crate which:
- Creates files with cryptographically random names (16 random bytes)
- Uses O_EXCL flag to fail if file exists (preventing TOCTOU races)
- Sets restrictive permissions (0600 on Unix)

Changes:
- Replace predictable PID-based filenames with random tempfile names
- Use tempfile::Builder for secure temp file creation
- Update both async and sync versions of open_external_editor
- Add tempfile as a runtime dependency (was already dev dependency)

Security Impact:
Prevents local privilege escalation via symlink attacks on temp files.

Fixes: issue #5405

Author: echobt

src/cortex-tui/Cargo.toml

@@ -65,6 +65,7 @@ walkdir = { workspace = true }
 
 # External editor
 which = { workspace = true }
+tempfile = { workspace = true }
 
 # Audio notifications
 rodio = { workspace = true }

src/cortex-tui/src/external_editor.rs

@@ -162,17 +162,25 @@ pub async fn open_external_editor(initial_content: &str) -> Result<String, Edito
     // Get the editor command
     let editor_cmd = get_editor()?;
 
-    // Create a temporary file
-    let temp_dir = std::env::temp_dir();
-    let temp_file = temp_dir.join(format!("cortex_prompt_{}.md", std::process::id()));
-
-    // Write initial content
+    // Create a temporary file with a secure random name to prevent symlink attacks.
+    // Using tempfile crate ensures proper security (O_EXCL, restricted permissions).
+    let temp_file = tempfile::Builder::new()
+        .prefix("cortex_prompt_")
+        .suffix(".md")
+        .rand_bytes(16)
+        .tempfile()
+        .map_err(EditorError::Io)?;
+
+    // Write initial content using the secure file handle
     {
-        let mut file = std::fs::File::create(&temp_file)?;
+        let mut file = temp_file.reopen().map_err(EditorError::Io)?;
         file.write_all(initial_content.as_bytes())?;
         file.flush()?;
     }
 
+    // Keep the temp file alive (don't let it be deleted yet)
+    let temp_file = temp_file.into_temp_path();
+
     // Parse the editor command
     let parts: Vec<&str> = editor_cmd.split_whitespace().collect();
     let (editor, args) = match parts.split_first() {
@@ -219,17 +227,25 @@ pub fn open_external_editor_sync(initial_content: &str) -> Result<String, Editor
     // Get the editor command
     let editor_cmd = get_editor()?;
 
-    // Create a temporary file
-    let temp_dir = std::env::temp_dir();
-    let temp_file = temp_dir.join(format!("cortex_prompt_{}.md", std::process::id()));
+    // Create a temporary file with a secure random name to prevent symlink attacks.
+    // Using tempfile crate ensures proper security (O_EXCL, restricted permissions).
+    let temp_file = tempfile::Builder::new()
+        .prefix("cortex_prompt_")
+        .suffix(".md")
+        .rand_bytes(16)
+        .tempfile()
+        .map_err(EditorError::Io)?;
 
-    // Write initial content
+    // Write initial content using the secure file handle
     {
-        let mut file = std::fs::File::create(&temp_file)?;
+        let mut file = temp_file.reopen().map_err(EditorError::Io)?;
         file.write_all(initial_content.as_bytes())?;
         file.flush()?;
     }
 
+    // Keep the temp file alive (don't let it be deleted yet)
+    let temp_file = temp_file.into_temp_path();
+
     // Parse the editor command
     let parts: Vec<&str> = editor_cmd.split_whitespace().collect();
     let (editor, args) = match parts.split_first() {
@@ -264,12 +280,13 @@ pub fn open_external_editor_sync(initial_content: &str) -> Result<String, Editor
     Ok(content.trim().to_string())
 }
 
-/// Gets the path to the temporary file that would be used.
+/// Gets an example path pattern for temporary files.
 ///
-/// Useful for displaying to the user.
+/// Note: Actual temp files use random suffixes for security.
+/// This function returns a pattern showing the general location.
 pub fn get_temp_file_path() -> PathBuf {
     let temp_dir = std::env::temp_dir();
-    temp_dir.join(format!("cortex_prompt_{}.md", std::process::id()))
+    temp_dir.join("cortex_prompt_XXXXXXXXXXXXXXXX.md")
 }
 
 // ============================================================