Make database chmod best-effort for rootless podman

os.Chmod(path, 0600) fails inside rootless podman containers because
fchmod is denied in the user namespace. This was fatal — the database
wouldn't open, crashing the service.

Changed to best-effort: log nothing on failure, database functions
correctly without the permission tightening. The file is already
protected by the container's volume mount and the host filesystem
permissions.

Root cause of the 2026-04-03 incident recovery failure — MCR and
Metacrypt couldn't start until their databases were deleted and
recreated.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

db/db.go

@@ -65,11 +65,11 @@ func Open(path string) (*sql.DB, error) {
 	// connection to serialize all access and eliminate busy errors.
 	database.SetMaxOpenConns(1)
 
-	// Ensure permissions are correct even if the file already existed.
+	// Best-effort permissions tightening. This may fail inside rootless
-	if err := os.Chmod(path, 0600); err != nil {
+	// podman containers where fchmod is denied in the user namespace.
-		_ = database.Close()
+	// The database still functions correctly without it.
-		return nil, fmt.Errorf("db: chmod %s: %w", path, err)
+	// See: log/2026-04-03-uid-incident.md
-	}
+	_ = os.Chmod(path, 0600)
 
 	return database, nil
 }
@@ -168,9 +168,7 @@ func Snapshot(database *sql.DB, destPath string) error {
 		return fmt.Errorf("db: snapshot: %w", err)
 	}
 
-	if err := os.Chmod(destPath, 0600); err != nil {
+	_ = os.Chmod(destPath, 0600) // best-effort; may fail in rootless containers
-		return fmt.Errorf("db: chmod snapshot %s: %w", destPath, err)
-	}
 
 	return nil
 }

sso/sso.go

@@ -22,6 +22,7 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"html"
 	"io"
 	"net/http"
 	"net/url"
@@ -268,6 +269,12 @@ func ConsumeReturnToCookie(w http.ResponseWriter, r *http.Request, prefix string
 
 // RedirectToLogin generates a state, sets the state and return-to cookies,
 // and redirects the user to the MCIAS authorize URL.
+//
+// The redirect is performed via a 200 response with an HTML meta-refresh
+// instead of a 302. Some browsers (notably Firefox) do not reliably store
+// Set-Cookie headers on 302 responses that redirect to a different origin,
+// even when the origins are same-site. Using a 200 response ensures the
+// cookies are stored before the browser navigates away.
 func RedirectToLogin(w http.ResponseWriter, r *http.Request, client *Client, cookiePrefix string) error {
 	state, err := GenerateState()
 	if err != nil {
@@ -276,7 +283,15 @@ func RedirectToLogin(w http.ResponseWriter, r *http.Request, client *Client, coo
 
 	SetStateCookie(w, cookiePrefix, state)
 	SetReturnToCookie(w, r, cookiePrefix)
-	http.Redirect(w, r, client.AuthorizeURL(state), http.StatusFound)
+
+	authorizeURL := client.AuthorizeURL(state)
+	escaped := html.EscapeString(authorizeURL)
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.WriteHeader(http.StatusOK)
+	_, _ = fmt.Fprintf(w, `<!DOCTYPE html>
+<html><head><meta http-equiv="refresh" content="0;url=%s"></head>
+<body><p>Redirecting to <a href="%s">MCIAS</a>...</p></body></html>`,
+		escaped, escaped)
 	return nil
 }