#17943: fix: use 0o644 for inbound media files to allow sandbox read access
size: XS
experienced-contributor
Cluster: Browser Security Enhancements
## Summary
Fixes #17941
Inbound media files were saved with `0o600` permissions (`-rw-------`), making them unreadable from Docker sandbox containers running as different users.
## Changes
- Change file mode from `0o600` to `0o644` in `saveMediaSource()` and `saveMediaBuffer()`
## Why 0o644?
- Owner can read/write
- Group and others can read (required for sandbox access)
- The containing directory already uses `0o700`, so only users with directory access can see filenames
- Media files are not sensitive credentials — they're user-uploaded attachments
---
🤖 Generated with Claude Code
### Greptile Summary
This PR changes media file permissions from `0o600` to `0o644` in `saveMediaSource()` (local file path) and `saveMediaBuffer()` to allow Docker sandbox containers running as different users to read inbound media files. The rationale is sound — media files are user-uploaded attachments (not credentials), and the parent directory already uses `0o700` to restrict directory-level access.
However, the fix is **incomplete for URL-sourced media**:
- The `downloadToFile` helper at line 152 still uses `createWriteStream(dest, { mode: 0o600 })`. When `saveMediaSource` processes a URL, it calls `downloadToFile` to write a `.tmp` file, then renames it. Since `fs.rename` preserves permissions, the final file retains `0o600` — leaving URL-downloaded media unreadable from the sandbox.
### Confidence Score: 2/5
- This PR partially fixes the sandbox read-access issue but misses the URL download path, leaving the bug unfixed for a significant code path.
- The two changed lines are correct on their own, but the `downloadToFile` function (line 152) was not updated, which means URL-sourced media still gets `0o600` permissions. This is a functional gap that undermines the stated goal of the PR.
- `src/media/store.ts` — the `downloadToFile` function at line 152 still uses `0o600` and needs to be updated to `0o644`.
<sub>Last reviewed commit: 7c006bb</sub>
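
The behaviour the review describes, a temp file created with `0o600` keeping that mode across `fs.rename`, shown as an added Node.js example that is not code from the PR or the project. The helper names, file names and temp directory are hypothetical, and a POSIX filesystem is assumed.

```javascript
// Added example, not project code. Helper and file names are hypothetical.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

const MEDIA_MODE = 0o644; // the mode this PR chooses for inbound media

// Permission bits only (file-type bits stripped).
const modeOf = (p) => fs.statSync(p).mode & 0o777;

// "Before": temp file created 0o600, then renamed into place.
function saveViaRename(dir, name, data) {
  const tmp = path.join(dir, `${name}.tmp`);
  const dest = path.join(dir, name);
  fs.writeFileSync(tmp, data, { mode: 0o600 });
  fs.renameSync(tmp, dest); // rename moves the directory entry; mode bits stay
  return modeOf(dest);
}

// "After": create with the intended mode, then fchmod on the open descriptor.
// The creation mode is masked by the process umask; fchmod is not.
function saveViaRenameFixed(dir, name, data) {
  const tmp = path.join(dir, `${name}.tmp`);
  const dest = path.join(dir, name);
  const fd = fs.openSync(tmp, "wx", MEDIA_MODE); // "wx": fail if tmp exists
  try {
    fs.writeSync(fd, data);
    fs.fchmodSync(fd, MEDIA_MODE);
  } finally {
    fs.closeSync(fd);
  }
  fs.renameSync(tmp, dest);
  return modeOf(dest);
}

// Runs both paths in a throwaway 0o700 directory and reports the final modes.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "media-mode-"));
  try {
    fs.chmodSync(dir, 0o700);
    const data = Buffer.from("constructed sample payload");
    const before = saveViaRename(dir, "from-url.bin", data);
    const after = saveViaRenameFixed(dir, "from-url-fixed.bin", data);
    return { before, after, dir: modeOf(dir) };
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}
```
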
## Most Similar PRs
- #17944: fix(security): fail-closed for local media paths without sandboxRoot (by Operative-001 · 2026-02-16 · 79.0%)
- #19344: fix(sandbox): allow writes when workspaceAccess is 'none' (by mingming099 · 2026-02-17 · 76.6%)
- #4226: Fix/sandbox containerworkdir rw access (by ozgur-polat · 2026-01-29 · 75.8%)
- #16922: fix: remove incorrect sandbox file tool guidance (by carrotRakko · 2026-02-15 · 75.7%)
- #20991: fix(sandbox): fall back to gateway UID:GID when no user is configur... (by cluster2600 · 2026-02-19 · 75.0%)
- #16509: Fix sandbox path validation rejecting Docker bind mount paths (by Clawborn · 2026-02-14 · 74.8%)
- #9817: fix(media): resolve relative paths before reading local files (#8759) (by lailoo · 2026-02-05 · 74.4%)
- #18811: fix(media): require file extension for ambiguous MEDIA: path detection (by aldoeliacim · 2026-02-17 · 73.6%)
- #17402: fix:sandbox path issue (by luckylhb90 · 2026-02-15 · 73.5%)
- #11820: fix(sandbox): remap container paths in sandboxed file tools (by steflsd · 2026-02-08 · 73.4%)