Restrict .thinktank/ result file permissions to prevent credential exposure

[that-github-user]

Summary

Result JSON files in .thinktank/ include full agent.output and agent.error fields, which may contain:

• Claude API debug logs
• Stderr from failed builds (could include secrets/env vars)
• Sensitive code content

Files are written with default permissions (world-readable on Unix).

Proposed fix

1. Write files with mode: 0o600 (owner read/write only)
2. Consider option to strip stdout/stderr from saved results (--no-output flag)
3. Add warning to README that .thinktank/ may contain sensitive info
4. Ensure .thinktank/ is in the default .gitignore (already done ✓)

Severity

Medium — files are gitignored but still accessible on the filesystem.

[that-github-user]

Fixed in #39. Result JSON files now written with mode 0o600 (owner read/write only). Agent stdout/stderr redacted from saved results to prevent credential leakage from build output or Claude debug logs. Worktrees still available for full output inspection.