Set restrictive file permissions for seed file

Previously, seed files were created using `fs::File::create()` which
inherits the default umask, potentially making the sensitive seed
material world-readable on Unix systems.

This change:
- Creates seed files with mode 0o600 (owner read/write only) on Unix
- Uses `create_new` instead of `create` to atomically fail if the file
  already exists, providing defense-in-depth against TOCTOU race
  conditions

Co-Authored-By: Claude AI

Author: tnull

src/io/utils.rs

@@ -5,12 +5,15 @@
 // http://opensource.org/licenses/MIT>, at your option. You may not use this file except in
 // accordance with one or both of these licenses.
 
-use std::fs;
+use std::fs::{self, OpenOptions};
 use std::io::Write;
 use std::ops::Deref;
 use std::path::Path;
 use std::sync::Arc;
 
+#[cfg(unix)]
+use std::os::unix::fs::OpenOptionsExt;
+
 use bdk_chain::indexer::keychain_txout::ChangeSet as BdkIndexerChangeSet;
 use bdk_chain::local_chain::ChangeSet as BdkLocalChainChangeSet;
 use bdk_chain::miniscript::{Descriptor, DescriptorPublicKey};
@@ -78,7 +81,14 @@ pub(crate) fn read_or_generate_seed_file(
 			fs::create_dir_all(parent_dir)?;
 		}
 
-		let mut f = fs::File::create(keys_seed_path)?;
+		// Create file with restrictive permissions (owner read/write only on Unix)
+		// to protect the sensitive seed material. We use `create_new` to fail if the
+		// file already exists, providing defense-in-depth against race conditions.
+		#[cfg(unix)]
+		let mut f = { OpenOptions::new().write(true).create_new(true).mode(0o600).open(keys_seed_path)? };
+
+		#[cfg(not(unix))]
+		let mut f = OpenOptions::new().write(true).create_new(true).open(keys_seed_path)?;
 
 		f.write_all(&key)?;