op-devstack: use file-based sequencer key loading for kona

[DenseDenise]

kona now supports loading sequencer keys from files (op-rs/kona#2871), switched from KONA_NODE_P2P_SEQUENCER_KEY to KONA_NODE_P2P_SEQUENCER_KEY_PATH to match the pattern used for regular p2p keys

[wiz-inc-a178a98b5d]

Wiz Scan Summary

Scanner	Findings
Vulnerabilities	-
Sensitive Data	-
Secrets	-
IaC Misconfigurations	-
SAST Findings	1
Total	1

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

[almanax-ai]

Access Control: Insecure file permissions for sequencer P2P key in WriteFile

The sequencer P2P private key is written to a file with 0o644 permissions (world-readable), while other sensitive keys in the codebase (JWT secrets, P2P node keys) are correctly written with 0o600 permissions (owner read/write only). This exposes the sequencer's private key to any user on the system who can read the temp directory.

Change the file permissions from 0o644 to 0o600 to match the security pattern used elsewhere in the codebase (e.g., op_rbuilder.go:163, orchestrator.go:136).

Suggested change

	p.Require().NoError(os.WriteFile(tempSeqKeyPath, []byte(p2pKeyHex), 0o644))
	p.Require().NoError(os.WriteFile(tempSeqKeyPath, []byte(p2pKeyHex), 0o600))

---

Don't like this finding? Reply "dismiss" and it won't appear again in future scans.

If it's acknowledged or addressed, reply "resolve" to mark it resolved.

[opgitgovernance]

This pr has been automatically marked as stale and will be closed in 5 days if no updates

[DenseDenise]

@bitwiseguy @ajsutton @Inphi Hi guys, mind checking this? has been hold for a while. thanks!

[Inphi]

LGTM! Thanks

[Inphi]

/ci authorize ff08204

[DenseDenise]

CI looks good! cc @Inphi