fix: preserve file permissions in ConflictResolver atomic write

[Copilot]

The atomic write in ConflictResolver used a hardcoded mode 0o644 when creating the temp file, silently stripping execute bits and any non-default permissions from the resolved file on rename.

Changes

• ConflictResolver.ts: Before opening the temp file, lstat() the target to get its current mode and apply mode & 0o777 to the fs.open() call. Falls back to 0o644 when the target doesn't exist yet.
  • Uses lstat (not stat) to avoid following symlinks — consistent with O_NOFOLLOW already used on the temp file open.

let fileMode = 0o644;
try {
  const stat = await fs.lstat(targetPath);
  fileMode = stat.mode & 0o777;
} catch {
  // Target does not exist; use default mode 0o644
}
const tempHandle = await fs.open(tempPath, O_CREAT | O_EXCL | O_WRONLY | O_NOFOLLOW, fileMode);

Related Issue

Closes #

Type of Change

• 🐛 Bug fix (non-breaking change that fixes an issue)
• ✨ New feature (non-breaking change that adds functionality)
• 💥 Breaking change (fix or feature that would cause existing functionality to change)
• 📝 Documentation update
• 🔧 Refactor / internal improvement
• 🤖 CI/CD or tooling change
• ⬆️ Dependency update

Checklist

• I have read the CONTRIBUTING guidelines (if present)
• My code follows the existing code style
• I have added or updated tests that cover my changes
• All existing tests pass locally
• I have updated the documentation where necessary
• My changes do not introduce new security vulnerabilities

How Has This Been Tested?

TypeScript compilation verified. CodeQL analysis returned no alerts.

Screenshots (if applicable)

N/A

Additional Notes

The fix is localized to the temp file creation step — the rename and error cleanup paths are unchanged.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.