fix: restrict .openclaude-profile.json permissions to owner-only (0600)

The profile file may contain API keys (OPENAI_API_KEY, CODEX_API_KEY,
GEMINI_API_KEY) in plain text. Without explicit permissions, writeFileSync
uses the process umask — on systems with permissive umask (0022), the file
is world-readable (644), exposing credentials to other users.

Relates to #24

Co-Authored-By: Juan Camilo <juancamilo.auriti@gmail.com>
Juan Camilo
2026-04-01 15:34:37 +02:00
parent 0192dc0fa0
commit fd5e954990

@@ -123,7 +123,7 @@ async function main(): Promise<void> {
}
const outputPath = resolve(process.cwd(), '.openclaude-profile.json')
writeFileSync(outputPath, JSON.stringify(profile, null, 2), 'utf8')
writeFileSync(outputPath, JSON.stringify(profile, null, 2), { encoding: 'utf8', mode: 0o600 })
console.log(`Saved profile: ${selected}`)
console.log(`Path: ${outputPath}`)
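
Review bot: the `mode: 0o600` option on the new `writeFileSync` call is applied only when the file is created, so a `.openclaude-profile.json` left by an earlier run keeps its existing permissions (for example 644) when it is overwritten. Follow the write with `chmodSync(outputPath, 0o600)`, or remove the old file before writing, so profiles that already exist are tightened as well. A short comment on that line stating that the file can hold API keys would also help keep the mode from being dropped in a later refactor.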