
Create ~/.aws/credentials at 0o600 (CWE-732 hardening)#944

Open
JAE0Y2N wants to merge 1 commit into fwdcloudsec:main from JAE0Y2N:harden-creds-perms-0o600

Conversation


@JAE0Y2N JAE0Y2N commented May 21, 2026

What

When granted exports AWS credentials for the first time, pkg/cfaws/cred_exporter.go:22 uses os.Create(credPath) which masks the mode through the current umask. On a stock Linux / macOS install (umask 022), the new ~/.aws/credentials file lands at 0o644 — world-readable.

This PR swaps the call for os.OpenFile(credPath, O_WRONLY|O_CREATE|O_TRUNC, 0o600), which sets the on-creation mode explicitly to owner-only (-rw-------). Same pattern aws-cli uses for the same file.

Why

aws_access_key_id + aws_secret_access_key in ~/.aws/credentials grant full programmatic access scoped to that profile. On multi-user hosts (shared CI runners, multi-tenant servers, containers that mount the host's home dir), the umask-default 0o644 lets any other UID on the box read the keys.

Existing credentials files are not touched — only newly-created ones get the tighter mode. No API surface change, no behavioral difference for the user.

How to verify

rm -f ~/.aws/credentials
granted assume <some-profile>      # triggers ExportCredsToProfile
stat -f '%Sp' ~/.aws/credentials   # expect: -rw-------

Before this PR: -rw-r--r--. After this PR: -rw-------.

Context

This was originally sent as a security disclosure via security@commonfate.io, then re-routed through fwdcloudsec@ after the commonfate.* addresses started bouncing. Filing it as a public PR now since the project is open-source and the fix is small / defensive — no embargo concerns.

Surface

One file, ~5 LOC of code + 5 lines of explanatory comment. No new dependencies.
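The umask point in the description, worked through in Go as an added example (this is not the granted project's code and does not touch pkg/cfaws/cred_exporter.go). It writes a constructed placeholder credentials string two ways: the pre-PR pattern (os.Create, whose 0o666 request is masked by the process umask) and the post-PR pattern (os.OpenFile with an explicit 0o600), then reads back the permission bits. It also shows the caveat the description mentions, that O_CREATE's mode applies only when the file is created, so a pre-existing 0o644 file keeps its mode, and adds a hypothetical tightenExisting helper (os.Chmod) for the case where an operator wants to fix such files. All function names here are assumptions; syscall.Umask requires a Unix host.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// Constructed placeholder content; these are not real AWS keys.
const sampleCreds = "[default]\n" +
	"aws_access_key_id = AKIAPLACEHOLDEREXAMPLE\n" +
	"aws_secret_access_key = PLACEHOLDERSECRETEXAMPLE\n"

// writeCredsUmaskDependent is the pre-PR pattern: os.Create asks for 0o666,
// and the kernel clears whatever bits the umask says to clear (0o644 under 022).
func writeCredsUmaskDependent(path string) error {
	f, err := os.Create(path)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.WriteString(sampleCreds)
	return err
}

// writeCredsOwnerOnly is the post-PR pattern: the creation mode is 0o600, and
// since umask can only clear bits, no umask can widen it to group or other.
// Note: the mode is applied only if the file is created; an existing file
// keeps whatever mode it already had.
func writeCredsOwnerOnly(path string) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.WriteString(sampleCreds)
	return err
}

// permBits returns only the rwx permission bits of path.
func permBits(path string) (os.FileMode, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

// tooOpen reports whether any group or other bit is set (CWE-732 condition).
func tooOpen(path string) (bool, error) {
	p, err := permBits(path)
	if err != nil {
		return false, err
	}
	return p&0o077 != 0, nil
}

// tightenExisting (hypothetical helper, beyond the PR's scope) fixes a file
// that was created before the hardening and is still group/world readable.
func tightenExisting(path string) error {
	return os.Chmod(path, 0o600)
}

// withUmask runs fn under a fixed umask and restores the previous one, so the
// os.Create result is deterministic regardless of the caller's shell settings.
func withUmask(mask int, fn func()) {
	old := syscall.Umask(mask)
	defer syscall.Umask(old)
	fn()
}

func main() {
	dir, err := os.MkdirTemp("", "creds-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	withUmask(0o022, func() {
		before := filepath.Join(dir, "credentials-before")
		after := filepath.Join(dir, "credentials-after")
		_ = writeCredsUmaskDependent(before)
		_ = writeCredsOwnerOnly(after)
		for _, p := range []string{before, after} {
			m, _ := permBits(p)
			open, _ := tooOpen(p)
			fmt.Printf("%s: %04o tooOpen=%v\n", filepath.Base(p), m, open)
		}
		// Rewriting the old file with the hardened call does not change its mode.
		_ = writeCredsOwnerOnly(before)
		m, _ := permBits(before)
		fmt.Printf("rewritten existing file: %04o (unchanged)\n", m)
	})
}
```

Run it with `go run .` on Linux or macOS; the pinned umask of 022 reproduces the stock-install case from the description. The last print line is the reason the PR's "existing files are not touched" statement holds: O_CREATE's mode argument never applies to a file that already exists.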
