Fix CodeQL TOCTOU: use fchmod before fclose on gate script

CodeQL cpp/toctou-race-condition #32: fopen then chmod on the same
path allows a race where the file could be swapped between write
and chmod. Fix: use fchmod(fileno(f)) before fclose on POSIX.
Windows falls back to chmod (no fchmod).

Author: DeusData

src/cli/cli.c

@@ -1559,8 +1559,14 @@ static void cbm_install_hook_gate_script(const char *home) {
                "is not indexed yet, call index_repository first. Fall back to Grep/Glob/Read "
                "only for text content search. If you need Grep, retry.' >&2\n"
                "exit 2\n");
+    /* fchmod before close to avoid TOCTOU race (CodeQL cpp/toctou-race-condition) */
+#ifndef _WIN32
+    fchmod(fileno(f), 0755);
+#endif
     fclose(f);
+#ifdef _WIN32
     chmod(script_path, 0755);
+#endif
 }
 
 #define GEMINI_HOOK_MATCHER "google_search|read_file|grep_search"