Conversation history written 0o644 — leaks Q&A across 6 providers #22

@rafeegnash

Problem

Six provider conversation-history files are written with mode 0o644, making them world-readable. They contain operator questions and full LLM answers that frequently include account IDs, ARNs, IPs, role names, and (in iam) entire policy fragments. Sentry/Linear/Notion correctly use 0o600; the rest don't.

Where

  • internal/cloudflare/conversation.go:164
  • internal/k8s/conversation.go:190
  • internal/iam/conversation.go:159
  • internal/flyio/conversation.go:121
  • internal/railway/conversation.go:123
  • internal/vercel/conversation.go:117

Fix

Standardize on 0o600 for all Save paths:

if err := os.WriteFile(path, data, 0o600); err != nil { ... }

Better: extract a shared internal/convhistory package that encapsulates Load/Save with the tight perms (related issue: "Extract internal/convhistory"). For this ticket, just change the literals.

Also Chmod existing files on Load (idempotent) so installed users get auto-repaired.

Acceptance criteria

  • All six listed files use 0o600 on save
  • stat ~/.clanker/cloudflare-*.json etc shows 0600
  • On load, files with weaker perms are Chmod'd to 0o600 (logged at debug level)
  • Tests verify the mode after Save
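
A sketch of the Save/Load behaviour requested above, as an added example that is not part of the original issue or the project's code. SaveHistory, LoadHistory and the sample file name are hypothetical; the point it shows is that changing the WriteFile literal alone does not tighten a file that already exists, which is why the Chmod step matters for installed users.

```go
package main

import (
	"fmt"
	"log/slog"
	"os"
	"path/filepath"
)

// historyMode is the owner-only mode the issue standardizes on.
const historyMode os.FileMode = 0o600

// SaveHistory is a hypothetical helper, not the project's code.
// os.WriteFile applies its mode only when it creates the file, so an
// existing 0o644 file stays world-readable unless it is chmod'd as well.
func SaveHistory(path string, data []byte) error {
	if err := os.WriteFile(path, data, historyMode); err != nil {
		return err
	}
	return os.Chmod(path, historyMode)
}

// LoadHistory is a hypothetical helper that repairs weak permissions
// before reading. It is idempotent: a file with no bits beyond 0o600
// is left untouched.
func LoadHistory(path string) ([]byte, error) {
	info, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if perm := info.Mode().Perm(); perm&^historyMode != 0 {
		if err := os.Chmod(path, historyMode); err != nil {
			return nil, err
		}
		slog.Debug("tightened history file mode", "path", path, "was", perm.String())
	}
	return os.ReadFile(path)
}

func main() {
	dir, _ := os.MkdirTemp("", "convhistory")
	defer os.RemoveAll(dir)
	p := filepath.Join(dir, "cloudflare-demo.json") // constructed sample file
	_ = os.WriteFile(p, []byte(`{}`), 0o644)
	_ = os.Chmod(p, 0o644) // simulate a file written before the fix
	_, _ = LoadHistory(p)
	info, _ := os.Stat(p)
	fmt.Printf("%04o\n", info.Mode().Perm())
}
```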

    Labels

    priority: critical (Must fix immediately - security or data loss risk)
    security (Security vulnerability)