Database files and .cc-switch directory lack explicit permission restrictions

Problem

The ~/.cc-switch/ directory and database files (cc-switch.db) are created without explicit permissions, inheriting the system default umask (typically 0o755 for directories and 0o644 for files). This allows other users on the same machine to read these files.

Current State

Some sensitive files already have strict permissions set:

• settings.json → 0o600 (settings.rs:504)
• copilot_auth.json → 0o600 (copilot_auth.rs:1282,1288)
• codex_oauth_auth.json → 0o600 (codex_oauth_auth.rs:817,823)
• Gemini .env file → 0o600, parent dir → 0o700 (gemini_config.rs:170,185)

However, the following locations lack permission protection:

• ~/.cc-switch/ directory itself — created via multiple create_dir_all() calls with no explicit permissions (config.rs:184,198,206, database/mod.rs:101, database/backup.rs:63,309, etc.)
• cc-switch.db database — created via rusqlite::Connection::open() with no explicit permissions (database/mod.rs:104)
• Backup database files — same issue (database/backup.rs:324)
• atomic_write first-time writes — when the target file doesn't exist, fs::metadata() fails silently and the new file gets default umask permissions (config.rs:230-237)

Suggested Fix

1. Set 0o700 permissions on the ~/.cc-switch/ directory when first created
2. Set 0o600 permissions on database files after creation
3. Have atomic_write set reasonable default permissions (e.g., 0o600) when the target file doesn't exist yet

Environment

• macOS / Linux (all permission-related code is inside #[cfg(unix)] blocks)
• Windows uses ACLs and is not affected