fix(core): restrict global directory permissions #28645

Open
xmh1011 wants to merge 1 commit into anomalyco:dev from xmh1011:fix/global-dir-permissions-28421

@xmh1011 xmh1011 commented May 21, 2026

Issue for this PR

Closes #28421

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

OpenCode creates several managed directories under the user data, cache, config, state, and temp roots. On Unix-like systems those directories could be created with permissions widened by the process umask, or existing directories could remain at 0755, making user-specific files readable by other local users.

This PR centralizes global directory creation through ensurePrivateDir(), creates each managed directory with mode 0700, and then applies chmod 0700 so existing directories are tightened as well. It also includes the cache root in the module-load initialization list, since bin lives under it.

The regression test imports src/global.ts in a fresh process with isolated XDG roots and verifies the data, cache, config, state, temp, log, bin, and repos directories are all 0700, including an existing data directory that starts as 0755.

How did you verify your code works?

  • npx -y bun@1.3.14 test test/global.test.ts from packages/core
  • npx -y bun@1.3.14 typecheck from packages/core
  • git diff --check
  • npx -y prettier@3.6.2 --check packages/core/src/global.ts packages/core/test/global.test.ts

Screenshots / recordings

N/A - filesystem permissions change with automated test coverage.

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR

@xmh1011 xmh1011 force-pushed the fix/global-dir-permissions-28421 branch from 0fbf1b6 to 44bca31 Compare May 21, 2026 12:39
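
The create-then-chmod pattern from the PR description above, as an added sketch that is not the code from this PR. The helper name `makePrivateDir`, the symlink check, and the temp-directory layout in `demo` are assumptions made for illustration.

```typescript
import * as fs from "node:fs"
import * as os from "node:os"
import * as path from "node:path"

const PRIVATE_MODE = 0o700

// Hypothetical helper (not the PR's ensurePrivateDir): create `dir` as 0700 and
// tighten it when it already exists with a wider mode. Returns the final mode bits.
function makePrivateDir(dir: string): number {
  // `mode` only applies to directories this call creates, and the process umask
  // can still clear bits from it (it can never add any). With recursive: true an
  // already existing directory is left exactly as it was, e.g. at 0755.
  fs.mkdirSync(dir, { recursive: true, mode: PRIVATE_MODE })

  // chmod follows symlinks, so refuse anything that is not a real directory
  // before changing permissions on it.
  const st = fs.lstatSync(dir)
  if (!st.isDirectory()) throw new Error(`${dir} is not a real directory`)

  // The explicit chmod is what tightens a pre-existing directory.
  // POSIX mode bits are not meaningful on Windows, so skip it there.
  if (process.platform !== "win32") fs.chmodSync(dir, PRIVATE_MODE)
  return fs.statSync(dir).mode & 0o777
}

// Constructed demo: an isolated temp root holding one directory that starts
// at 0755 and one nested directory that does not exist yet.
function demo(): { before: number; existing: number; created: number } {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "private-dir-demo-"))
  try {
    const existing = path.join(root, "data")
    fs.mkdirSync(existing)
    fs.chmodSync(existing, 0o755)
    const before = fs.statSync(existing).mode & 0o777
    const created = path.join(root, "cache", "bin")
    return {
      before,
      existing: makePrivateDir(existing),
      created: makePrivateDir(created),
    }
  } finally {
    fs.rmSync(root, { recursive: true, force: true })
  }
}
```

Only the leaf path passed to `makePrivateDir` is chmod-ed, so each managed directory that needs to be private has to be passed in its own call.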

Successfully merging this pull request may close these issues.

opencode create folder with permission 0755 should be 0700
