workstation: setup-devvm.sh hardens the admin's unlocked tree (o-rx, not world-readable)

Codifies the leak fix found during the emo cutover: /home/wizard/code is git-crypt-DECRYPTED in the admin's working tree, but was mode 0775 (o+rx) — so any devvm user (even outside code-shared) could read decrypted secrets by path (verified: emo read certificate.pfx as plaintext DER). setup-devvm.sh now chmod o-rx the admin tree so a rebuild keeps it. Live fix already applied (now drwxrws---).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

scripts/workstation/setup-devvm.sh

@@ -68,4 +68,13 @@ log "skel: launcher + tmux + inheritance symlinks (base=$CONFIG_BASE)"
 install -m 0755 "$HERE/../t3-provision-users.sh" /usr/local/bin/t3-provision-users
 log "t3-provision-users -> /usr/local/bin/ (roster-driven)"
 
+# 7) harden the admin's unlocked tree: it holds git-crypt-DECRYPTED secrets, so it
+#    must NOT be world-readable — only the admin + code-shared. Without this, ANY
+#    devvm user (even outside code-shared) could read decrypted secrets by path.
+ADMIN_CODE="${ADMIN_CODE:-/home/wizard/code}"
+if [[ -d "$ADMIN_CODE" ]]; then
+  chmod o-rx "$ADMIN_CODE"
+  log "hardened $ADMIN_CODE (o-rx — not world-readable)"
+fi
+
 log "OK (idempotent)"