Add run_onchange to chmod 600 ~/.omp/agent/models.yml

The encrypted models.yml is named private_encrypted_models.yml.age so
chezmoi *should* set 600 on decrypt, but on boxes where the file
already existed from a prior apply (before the rename), the perm stays
at umask default (644). This run_onchange script normalizes to 600.

Runs only when the script body changes (chezmoi hashes the rendered
content). On a fresh apply, it brings the perm to 600 once, then stays
silent on subsequent applies until the body changes again.

run_onchange_35-ensure-omp-models-perms.sh.tmpl

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+# =============================================================================
+#  run_onchange_35-ensure-omp-models-perms.sh.tmpl
+#  Force chmod 600 on ~/.omp/agent/models.yml. The encrypted file is named
+#  `private_encrypted_models.yml.age` so chezmoi SHOULD set 600 on first apply,
+#  but if the file already exists from a prior apply (when it was named
+#  `encrypted_models.yml.age` without the `private_` prefix), the perm stays
+#  at whatever umask gave it (typically 644). This script normalizes the perm
+#  to 600 so the literal zai API key in models.yml isn't world-readable.
+#
+#  Triggered by the body hash changing; current hash = sha256 of body.
+#  Runs on all OSes (no os_family gate).
+# =============================================================================
+set -euo pipefail
+
+MODELS_YML="${HOME}/.omp/agent/models.yml"
+
+log() { printf '\033[1;34m[omp-models-perms]\033[0m %s\n' "$*"; }
+
+if [[ ! -f "$MODELS_YML" ]]; then
+    log "models.yml not present on this box (omp not installed?) — skipping"
+    exit 0
+fi
+
+current_perm=$(stat -c '%a' "$MODELS_YML")
+if [[ "$current_perm" == "600" ]]; then
+    log "models.yml already 600 — nothing to do"
+    exit 0
+fi
+
+log "models.yml perm is $current_perm, fixing to 600"
+chmod 600 "$MODELS_YML"
+log "models.yml perm now $(stat -c '%a' "$MODELS_YML")"