#17463: fix: write config files with explicit 0o600 mode instead of post-write chmod

Closes #17440 ## Changes ### Problem Config files containing API keys/secrets were written with default umask permissions, then `chmod 0o600` was called separately. This created: 1. A race window where secrets could be world-readable between write and chmod 2. Silent failures when chmod failed (errors were swallowed with empty `.catch(() => {})`) ### Fix - **`src/infra/json-file.ts`**: Pass `{ mode: 0o600 }` directly to `writeFileSync` so files are created with correct permissions atomically. Keep `chmodSync` as best-effort fallback for pre-existing files whose permissions drifted. - **`src/config/io.ts`**: Replace silent `.catch(() => {})` with a warning log when chmod fails in the Windows rename-fallback path. - **`src/infra/tls/gateway.ts`**: Replace silent `.catch(() => {})` with warning logs when TLS key/cert chmod fails. Added `warn` to the log type signature. ### Tests - Added `src/infra/json-file.test.ts` — verifies 0o600 permissions, JSON content, overwrite behavior, and parent dir creation (0o700). - Added `src/config/io.permissions.test.ts` — verifies writeConfigFile creates files with 0o600 and logs warnings on chmod failure (mocked fs). <!-- greptile_comment --> <h3>Greptile Summary</h3> Closes a security race condition where config files containing API keys/secrets were briefly world-readable between write and chmod operations. The fix passes `mode: 0o600` atomically to `writeFileSync` and sets a restrictive umask before TLS certificate generation, eliminating the race window. Silent error handlers have been replaced with warning logs for better observability. - `src/infra/json-file.ts`: atomic permission setting via `writeFileSync` mode option - `src/infra/tls/gateway.ts`: umask protection (0o077) around openssl cert generation - `src/config/io.ts`: warning logs when chmod fails in Windows fallback path - Comprehensive test coverage for permission verification and error logging <h3>Confidence Score: 5/5</h3> - This PR is safe to merge with no identified issues - The security fix is well-implemented with atomic permission setting, comprehensive test coverage validates the changes on Unix systems, error handling has been improved with proper logging, and the umask approach for TLS certificate generation is a best practice for closing race windows - No files require special attention _{Last reviewed commit: 5d5dede} <!-- greptile_other_comments_section --> <!-- /greptile_comment -->