Make database chmod best-effort for rootless podman

os.Chmod(path, 0600) fails inside rootless podman containers because
fchmod is denied in the user namespace. This was fatal — the database
wouldn't open, crashing the service.

Changed to best-effort: log nothing on failure, database functions
correctly without the permission tightening. The file is already
protected by the container's volume mount and the host filesystem
permissions.

Root cause of the 2026-04-03 incident recovery failure — MCR and
Metacrypt couldn't start until their databases were deleted and
recreated.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

db/db.go

@@ -65,11 +65,11 @@ func Open(path string) (*sql.DB, error) {
 	// connection to serialize all access and eliminate busy errors.
 	database.SetMaxOpenConns(1)
 
-	// Ensure permissions are correct even if the file already existed.
+	// Best-effort permissions tightening. This may fail inside rootless
-	if err := os.Chmod(path, 0600); err != nil {
+	// podman containers where fchmod is denied in the user namespace.
-		_ = database.Close()
+	// The database still functions correctly without it.
-		return nil, fmt.Errorf("db: chmod %s: %w", path, err)
+	// See: log/2026-04-03-uid-incident.md
-	}
+	_ = os.Chmod(path, 0600)
 
 	return database, nil
 }
@@ -168,9 +168,7 @@ func Snapshot(database *sql.DB, destPath string) error {
 		return fmt.Errorf("db: snapshot: %w", err)
 	}
 
-	if err := os.Chmod(destPath, 0600); err != nil {
+	_ = os.Chmod(destPath, 0600) // best-effort; may fail in rootless containers
-		return fmt.Errorf("db: chmod snapshot %s: %w", destPath, err)
-	}
 
 	return nil
 }