diff --git a/backend/.golangci.yml b/backend/.golangci.yml
index a60c343..fc89962 100644
--- a/backend/.golangci.yml
+++ b/backend/.golangci.yml
@@ -86,6 +86,9 @@ issues:
       linters:
         - gocyclo
         - gocritic
-    - path: '(internal/provider/client\.go|internal/service/model_service_impl\.go|internal/service/stats_buffer\.go|internal/handler/proxy_handler\.go|cmd/(desktop|server)/main\.go)'
+    - path: '(internal/provider/client\.go|internal/service/model_service_impl\.go|internal/service/stats_buffer\.go|internal/handler/proxy_handler\.go|cmd/(desktop|server|versionctl)/main\.go)'
       linters:
         - gocyclo
+    - path: 'cmd/versionctl/'
+      linters:
+        - forbidigo
diff --git a/backend/pkg/projectversion/version.go b/backend/pkg/projectversion/version.go
index e4f8eb1..af6b051 100644
--- a/backend/pkg/projectversion/version.go
+++ b/backend/pkg/projectversion/version.go
@@ -109,7 +109,7 @@ func Sync(root string) error {
 		return err
 	}
 
-	if err := os.WriteFile(packageJSONPath, []byte(updatedPackageJSON), 0o644); err != nil {
+	if err := os.WriteFile(packageJSONPath, []byte(updatedPackageJSON), 0o600); err != nil {
 		return fmt.Errorf("写入 frontend/package.json 失败: %w", err)
 	}
 
@@ -121,7 +121,7 @@ func Sync(root string) error {
 		}
 
 		updated := UpsertEnvVar(string(content), "VITE_APP_VERSION", version)
-		if err := os.WriteFile(fullPath, []byte(updated), 0o644); err != nil {
+		if err := os.WriteFile(fullPath, []byte(updated), 0o600); err != nil {
 			return fmt.Errorf("写入 %s 失败: %w", relPath, err)
 		}
 	}
diff --git a/backend/pkg/projectversion/version_test.go b/backend/pkg/projectversion/version_test.go
index dbde286..3d4f1d6 100644
--- a/backend/pkg/projectversion/version_test.go
+++ b/backend/pkg/projectversion/version_test.go
@@ -52,12 +52,12 @@ func TestUpsertEnvVar(t *testing.T) {
 
 func TestSyncAndCheck(t *testing.T) {
 	root := t.TempDir()
-	require.NoError(t, os.WriteFile(filepath.Join(root, "VERSION"), []byte("1.2.3\n"), 0o644))
+	require.NoError(t, os.WriteFile(filepath.Join(root, "VERSION"), []byte("1.2.3\n"), 0o600))
 	require.NoError(t, os.MkdirAll(filepath.Join(root, "frontend"), 0o755))
-	require.NoError(t, os.WriteFile(filepath.Join(root, "frontend", "package.json"), []byte("{\n  \"name\": \"frontend\",\n  \"version\": \"0.0.0\"\n}\n"), 0o644))
-	require.NoError(t, os.WriteFile(filepath.Join(root, "frontend", ".env.production"), []byte("VITE_API_BASE=/api\n"), 0o644))
-	require.NoError(t, os.WriteFile(filepath.Join(root, "frontend", ".env.development"), []byte("VITE_API_BASE=\n"), 0o644))
-	require.NoError(t, os.WriteFile(filepath.Join(root, "frontend", ".env.desktop"), []byte("VITE_API_BASE=\n"), 0o644))
+	require.NoError(t, os.WriteFile(filepath.Join(root, "frontend", "package.json"), []byte("{\n  \"name\": \"frontend\",\n  \"version\": \"0.0.0\"\n}\n"), 0o600))
+	require.NoError(t, os.WriteFile(filepath.Join(root, "frontend", ".env.production"), []byte("VITE_API_BASE=/api\n"), 0o600))
+	require.NoError(t, os.WriteFile(filepath.Join(root, "frontend", ".env.development"), []byte("VITE_API_BASE=\n"), 0o600))
+	require.NoError(t, os.WriteFile(filepath.Join(root, "frontend", ".env.desktop"), []byte("VITE_API_BASE=\n"), 0o600))
 
 	require.NoError(t, Sync(root))
 	require.NoError(t, Check(root))
@@ -75,7 +75,7 @@ func TestSyncAndCheck(t *testing.T) {
 
 func TestVerifyTag(t *testing.T) {
 	root := t.TempDir()
-	require.NoError(t, os.WriteFile(filepath.Join(root, "VERSION"), []byte("1.2.3\n"), 0o644))
+	require.NoError(t, os.WriteFile(filepath.Join(root, "VERSION"), []byte("1.2.3\n"), 0o600))
 
 	require.NoError(t, VerifyTag(root, "v1.2.3"))
 	assert.Error(t, VerifyTag(root, "1.2.3"))