bb5f847093
Enforces owner-only permissions on files and directories that contain secrets or sensitive data. Previously, all files were created with default umask permissions, which could allow other users on shared systems to read API keys, config, and cron job data. Changes: - hermes_cli/config.py: Added _secure_dir()/_secure_file() helpers, ensure_hermes_home() sets 0700 on all dirs, save_config() sets 0600 (save_env_value already had this from a prior commit) - cron/jobs.py: Added matching helpers, ensure_dirs() sets 0700, save_jobs() and save_job_output() set 0600/0700 - cli.py: save_config_value() sets 0600 after writing config - 8 new tests in tests/test_file_permissions.py All chmod calls wrapped in try/except for Windows compatibility. Cherry-picked from PR #757, rebased onto current main with conflict resolution (save_config now uses atomic_yaml_write). Closes #757