fix(container): make source tree world-readable for non-root coverage

The fuzzing platform runs containers as UID 65534 (nobody). Source
files and build artifacts copied from the builder stage were only
readable by root, causing llvm-cov to emit "Permission denied" for
every file during HTML report generation.

- Move CRS into /home/fuzzer/aztec-packages/.bb-crs so one chmod
  covers source tree, build-fuzzing-cov, and CRS in a single layer
- Replace chmod -R 755 with chmod -R a+rX (adds read for all, execute
  only on dirs and already-executable files — no over-grant on data)

Author: randyquaye

container-builds/fuzzing-container/src/Dockerfile

@@ -104,10 +104,15 @@ WORKDIR /home/fuzzer/aztec-packages/barretenberg/cpp
 # Copy full cov-build to keep LLVM links and external dependencies for coverage report
 COPY --from=builder /home/fuzzer/aztec-packages/barretenberg/cpp/build-fuzzing-cov/ ./build-fuzzing-cov/
 
-# Copy CRS to a world-readable location so non-root containers can access it
-COPY --from=builder /root/.bb-crs /opt/bb-crs
-RUN chmod -R 755 /opt/bb-crs
-ENV CRS_PATH=/opt/bb-crs
+# Copy CRS into the source tree so one chmod covers everything
+COPY --from=builder /root/.bb-crs /home/fuzzer/aztec-packages/.bb-crs
+ENV CRS_PATH=/home/fuzzer/aztec-packages/.bb-crs
+
+# The container runs as a non-root UID (65534/nobody) on the fuzzing platform.
+# Source files, build artifacts, and CRS must be world-readable so llvm-cov
+# can read them when generating HTML coverage reports.  Without this, llvm-cov
+# emits "Permission denied" for every source file and produces empty reports.
+RUN chmod -R a+rX /home/fuzzer/aztec-packages/
 
 # Copy flattened target binaries
 COPY --from=builder /targets/ /targets/