fix(config): harden backup file permissions and clean orphan .bak files

[YUJIE2002]

Summary

Addresses #31699 — config .bak files persist indefinitely with sensitive data (API keys, tokens, credentials).

Changes

1. Explicit permission hardening on .bak files

copyFile does not guarantee permission preservation on all platforms (Windows, some NFS mounts). After creating each backup, we now explicitly chmod 0o600 all files in the rotation ring — belt-and-suspenders alongside the atomic write.

2. Orphan .bak cleanup

Interrupted writes, PID-stamped temp files, and manual backups can leave stale .bak.* files that persist indefinitely with full credentials. The rotation step now removes any .bak.* file whose suffix doesn't match the valid ring indices (.bak.1 through .bak.4).

Real-world example from my own server:

openclaw.json.bak              # ring: valid
openclaw.json.bak.1            # ring: valid
openclaw.json.bak.1772352289   # orphan (PID-stamped)
openclaw.json.bak.before-marketing  # orphan (manual)

3. Tests

• hardenBackupPermissions: verifies all backups get 0o600 even when created with permissive mode
• cleanOrphanBackups: verifies orphans are removed while valid ring files and the main config are preserved

What's preserved

The 5-deep backup ring is unchanged — it's a valuable recovery mechanism. This PR only hardens the security surface.

Verification

✓ src/config/config.backup-rotation.test.ts (3 tests) 52ms
✓ src/config/io.write-config.test.ts (15 tests) 222ms

[greptile-apps]

Greptile Summary

Addresses security vulnerability where config backup files persist with sensitive credentials in overly permissive modes or as orphaned files.

• Explicitly hardens all backup file permissions to 0o600 after creation, ensuring owner-only access even on platforms where copyFile doesn't preserve permissions (Windows, NFS mounts)
• Implements cleanup of orphaned .bak.* files that fall outside the managed rotation ring (e.g., PID-stamped backups like .bak.1772352289 or manual backups like .bak.before-marketing)
• Preserves the existing 5-deep backup rotation ring while hardening its security surface
• Includes comprehensive tests verifying permission hardening and orphan cleanup while ensuring valid backups remain untouched
• Uses best-effort error handling appropriate for backup operations

Confidence Score: 5/5

• This PR is safe to merge with minimal risk - it's a focused security hardening fix with comprehensive test coverage
• The implementation is logically sound with proper error handling, comprehensive tests verify both new functions work correctly, the changes are backwards-compatible and non-breaking, and the security fixes directly address the stated vulnerability without introducing new attack vectors
• No files require special attention

_{Last reviewed commit: ff791be}

[steipete]

Landed via temp rebase onto main.

• Gate: pnpm -s vitest run src/config/config.backup-rotation.test.ts
• Land commit: 285575d
• Merge commit: 259f654

Thanks @YUJIE2002!