
#5649: fix(security): harden file permissions and header merging

by sfo2001 open 2026-01-31 19:46
size: S trusted-contributor
## Summary

Defensive security hardening for two low-severity issues.

## Changes

- Atomic file permissions in JSON writes (CWE-377)
- Filter prototype pollution keys in header merging (CWE-1321)

## Test plan

- [x] `pnpm lint` passes
- [x] `pnpm build` passes

<h2>Greptile Overview</h2>

<h3>Greptile Summary</h3>

This PR hardens two security-sensitive areas:

- **JSON writes** (`src/infra/json-file.ts`): sets file mode during `writeFileSync` to reduce a race window where secrets could be briefly world-readable, with a best-effort `chmodSync` fallback.
- **Embedding client header merging** (`src/memory/embeddings*.ts`): replaces `Object.assign` with a dedicated `sanitizeHeaders()` helper that filters prototype-pollution keys when combining configured and remote header overrides.

The changes fit cleanly into existing infrastructure utilities (`saveJsonFile`) and the embeddings provider setup path (OpenAI/Gemini client resolution), without altering the higher-level provider selection logic.

<h3>Confidence Score: 5/5</h3>

- This PR is safe to merge with minimal risk.
- Changes are narrowly scoped, maintain existing behavior, and add defensive hardening in two well-defined places (file mode during writes and header merging). No functional regressions were identified in the modified code paths.
- No files require special attention
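The header-merging change described above, sketched as an added example; this is not code from the PR or the project. The helper name `mergeHeadersSafely`, the blocked-key list and the sample headers are assumptions constructed for illustration, since the page does not show which keys `sanitizeHeaders()` filters.

```javascript
// Keys that can rewire an object's prototype chain when assigned.
// Assumed blocklist: the PR page does not list the exact keys it filters.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hypothetical helper: merge header maps left to right, later sources win.
function mergeHeadersSafely(...sources) {
  // Null-prototype target: no inherited keys and no __proto__ setter to trigger.
  const merged = Object.create(null);
  for (const source of sources) {
    if (source === null || typeof source !== "object") continue;
    // Object.keys yields own enumerable keys only, so inherited values are skipped.
    for (const key of Object.keys(source)) {
      if (BLOCKED_KEYS.has(key)) continue;
      const value = source[key];
      // Header values are strings; drop nested objects and other types.
      if (typeof value !== "string") continue;
      merged[key] = value;
    }
  }
  return merged;
}

// Constructed sample input. JSON.parse creates "__proto__" as an own property,
// which is how such a key can arrive in a remote header override.
const configured = { Authorization: "Bearer sample-token", "X-Client": "embeddings" };
const remoteOverride = JSON.parse(
  '{"X-Client": "remote", "__proto__": {"X-Injected": "1"}, "constructor": "x"}'
);

// The pattern being replaced: Object.assign performs an ordinary property set,
// so the "__proto__" key swaps the prototype of the merged object.
function naiveMerge() {
  return Object.assign({}, configured, remoteOverride);
}

// The filtered merge over the same inputs.
function safeMerge() {
  return mergeHeadersSafely(configured, remoteOverride);
}
```

With the naive merge, `X-Injected` becomes readable on the result through its replaced prototype even though it is not an own key; the filtered merge returns only `Authorization` and `X-Client`.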
