diff --git a/AGENTS.md b/AGENTS.md
index 885b4284b..86ee71c72 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -163,10 +163,10 @@ Note: Across our public documentation, official images, and in production, the c
 ### Filesystem Permissions & io/fs Aliasing (Go)
 
 - Always use our shared permission variables from `pkg/fs` when creating files/directories:
-  - Directories: `fs.ModeDir` (default 0o755)
-  - Regular files: `fs.ModeFile` (default 0o644)
+  - Directories: `fs.ModeDir` (0o755 with umask)
+  - Regular files: `fs.ModeFile` (0o644 with umask)
   - Config files: `fs.ModeConfigFile` (default 0o664)
-  - Secrets/tokens: `fs.ModeSecret` (default 0o600)
+  - Secrets/tokens: `fs.ModeSecretFile` (default 0o600)
   - Backups: `fs.ModeBackupFile` (default 0o600)
 - Do not pass stdlib `io/fs` flags (e.g., `fs.ModeDir`) to functions expecting permission bits.
   - When importing the stdlib package, alias it to avoid collisions: `iofs "io/fs"` or `gofs "io/fs"`.
diff --git a/CODEMAP.md b/CODEMAP.md
index 7f4357b6c..a3dbad2ee 100644
--- a/CODEMAP.md
+++ b/CODEMAP.md
@@ -177,7 +177,7 @@ Conventions & Rules of Thumb
 
 Filesystem Permissions & io/fs Aliasing
 - Use `github.com/photoprism/photoprism/pkg/fs` permission variables when creating files/dirs:
-  - `fs.ModeDir` (0o755), `fs.ModeFile` (0o644), `fs.ModeConfigFile` (0o664), `fs.ModeSecret` (0o600), `fs.ModeBackupFile` (0o600).
+  - `fs.ModeDir` (0o755 with umask), `fs.ModeFile` (0o644 with umask), `fs.ModeConfigFile` (0o664), `fs.ModeSecretFile` (0o600), `fs.ModeBackupFile` (0o600).
 - Do not use stdlib `io/fs` mode bits as permission arguments. When importing stdlib `io/fs`, alias it (`iofs`/`gofs`) to avoid `fs.*` collisions with our package.
 - Prefer `filepath.Join` for filesystem paths across platforms; use `path.Join` for URLs only.