1 files changed, 15 insertions, 8 deletions

diff --git a/gn_auth/wsgi.py b/gn_auth/wsgi.py
index 2db44fe..bab9991 100644
--- a/gn_auth/wsgi.py
+++ b/gn_auth/wsgi.py
@@ -174,12 +174,12 @@ def __parse_user_spec__(spec: str) -> dict:
 
 
 def __write_output__(data: dict, output_path) -> None:
-    """Write JSON data to a file with 0600 permissions, or stdout."""
+    """Write JSON data to a file with 0644 permissions, or stdout."""
     text = json.dumps(data, indent=2)
     if output_path is None:
         print(text)
         return
-    fd = os.open(output_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
+    fd = os.open(output_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
     with os.fdopen(fd, "w") as outfile:
         outfile.write(text)
 
@@ -315,7 +315,7 @@ _DEFAULT_SCOPES_ = (
 )
 
 
-def __create_one_client__(
+def __create_one_client__(# pylint: disable=[too-many-arguments, too-many-positional-arguments]
         conn,
         client_name: str,
         owner_user,
@@ -369,8 +369,15 @@ def __create_one_client__(
               help="URI to the client's public JWKS (optional)")
 @click.option("--output", "output_path", type=click.Path(), default=None,
               help="Write credentials as JSON to this file (default: stdout)")
-def create_oauth2_client(client_name, owner_id, redirect_uris, scopes,
-                         grant_types, jwks_uri, output_path):
+def create_oauth2_client(# pylint: disable=[too-many-arguments, too-many-positional-arguments]
+        client_name,
+        owner_id,
+        redirect_uris,
+        scopes,
+        grant_types,
+        jwks_uri,
+        output_path
+):
     """Create an OAuth2 client with specified parameters.
 
     Scopes and grant types default to the full standard set if not provided.
@@ -405,7 +412,7 @@ def create_test_oauth2_client(session_timestamp, users_file, owner_role,
     owner. Client name and secret are auto-generated using the session
     timestamp. Output is written with 0600 permissions.
     """
-    with open(users_file) as f:
+    with open(users_file, encoding="utf8") as f:
         users_data = json.load(f)
 
     owner_record = next(
@@ -445,7 +452,7 @@ def delete_oauth2_client(credentials_path):
     Reads the client_id from the given credentials file and removes the
     client and all associated tokens from the database.
     """
-    with open(credentials_path) as f:
+    with open(credentials_path, encoding="utf8") as f:
         data = json.load(f)
 
     client_id_str = data.get("client", {}).get("client_id")
@@ -474,7 +481,7 @@ def delete_test_users(credentials_path):
     all listed users unconditionally, bypassing policy checks. Intended
     for CI test teardown.
     """
-    with open(credentials_path) as f:
+    with open(credentials_path, encoding="utf8") as f:
         data = json.load(f)
 
     user_ids = tuple(