feat(preservation): add .openclaw, harden home dir permissions

Signed-off-by: Ryan Yin <xiaoyin_c@qq.com>

hardening/bwraps/wechat.nix

@@ -19,7 +19,7 @@ let
       version = "4.1.0.13";
       src = fetchurl {
         url = "https://dldir1v6.qq.com/weixin/Universal/Linux/WeChatLinux_arm64.AppImage";
-        hash = "";
+        hash = "sha256-o6a7773agYqrP4dXsjzSUT2Du77gZ4wN1F2e0uvEzVc=";
       };
     };
     x86_64-linux = {

hosts/idols-ai/preservation.nix

@@ -1,5 +1,6 @@
 {
   preservation,
+  lib,
   pkgs,
   myvars,
   ...
@@ -148,6 +149,7 @@ in
         # ai agents
         ".claude"
         ".gemini"
+        ".openclaw"
 
         # nvim
         ".local/share/nvim"
@@ -230,10 +232,15 @@ in
           directory = ".pki";
           mode = "0700";
         }
-
-        ".local/share/password-store"
-        # gnmome keyrings
-        ".local/share/keyrings"
+        {
+          directory = ".local/share/password-store";
+          mode = "0700";
+        }
+        {
+          # gnmome keyrings
+          directory = ".local/share/keyrings";
+          mode = "0700";
+        }
 
         # ======================================
         # Games / Media
@@ -291,7 +298,10 @@ in
         ".local/share/containers"
         ".local/share/flatpak"
         # flatpak/nixpak app's data
-        ".var"
+        {
+          directory = ".var";
+          mode = "0700";
+        }
 
         # ======================================
         # Misc
@@ -358,8 +368,8 @@ in
     let
       permission = {
         user = username;
-        group = "users";
-        mode = "0755";
+        group = lib.mkForce username;
+        mode = lib.mkForce "0750";
       };
     in
     {

hosts/k8s/kubevirt-shoryu/preservation.nix

@@ -1,5 +1,6 @@
 {
   preservation,
+  lib,
   pkgs,
   myvars,
   ...
@@ -74,8 +75,8 @@ in
     let
       permission = {
         user = username;
-        group = "users";
-        mode = "0755";
+        group = lib.mkForce username;
+        mode = lib.mkForce "0750";
       };
     in
     {