fix: resolve extracted minitiad path and preserve binary permissions

[restorenode]

• Preserve executable permissions during tar extraction so minitiad remains runnable after download.
• Make binary detection work before executable permissions are restored, then normalize permissions with chmod.
• Add regression coverage for extracted binary discovery and permission preservation.
• Validate the MiniEVM weave init flow on both Linux and macOS.

Description

Closes: #XXXX

---

Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow-up issues.

I have...

• included the correct type prefix in the PR title, you can find examples of the prefixes below:
• confirmed ! in the type prefix if API or client breaking change
• targeted the correct branch
• provided a link to the relevant issue or specification
• reviewed "Files changed" and left comments if necessary
• included the necessary unit and integration tests
• updated the relevant documentation or specification, including comments for documenting Go code
• confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

• confirmed the correct type prefix in the PR title
• confirmed all author checklist items have been addressed
• reviewed state machine logic, API design and naming, documentation is accurate, tests and test coverage

Summary by CodeRabbit

• Bug Fixes

  • Tar extraction preserves file permissions, ensures extracted files are placed safely inside the target directory, and rejects archive entries that would escape the destination.
  • Binary discovery now recognizes matching filenames even if the file lacks execute permissions.

• Tests

  • Added tests verifying preserved extracted file modes and rejection of path-traversal entries; adjusted binary discovery test for non-executable files.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: d908ce3e-0bbe-45e0-a267-c7d5bf465cf4

📥 Commits

Reviewing files that changed from the base of the PR and between 8f22e19 and 21e3e02.

📒 Files selected for processing (3)

• cosmosutils/binary_test.go
• io/filesystem.go
• io/filesystem_test.go

✅ Files skipped from review due to trivial changes (1)

• io/filesystem_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• cosmosutils/binary_test.go
• io/filesystem.go

---

Walkthrough

FindBinaryDir now matches target executables by filename only (removes executable-permission check). ExtractTarGz was hardened: destination resolved to absolute, archive entry paths are validated against path traversal, parent directories are created, files are created with header modes and then chmod'd; tests updated/added accordingly.

Changes

Cohort / File(s)	Summary
Binary detection cosmosutils/binary.go, cosmosutils/binary_test.go	FindBinaryDir now matches by info.Name() == binaryName without requiring execute bits. Test updated to expect a directory match for a non-executable file and tightened test error handling (use of t.Fatal on setup errors).
Tar extraction & safety io/filesystem.go, io/filesystem_test.go	ExtractTarGz now resolves dest to an absolute root, uses safeArchivePath to reject path-traversal entries, ensures parent dirs via os.MkdirAll, creates files with os.OpenFile using header modes, defers close with error propagation, and applies os.Chmod to preserve header.Mode. Tests added for preserving file mode and rejecting traversal entries; imports updated for tar/gzip helpers.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 I sniffed the binary by name at night,
Skipped the bit that said "executable" in sight.
I unwrapped tar gifts, kept modes intact,
Blocked any sneaky paths trying to hack,
I hop away smiling — tidy and light. 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 10.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main changes: resolving binary path detection and preserving file permissions during extraction, which are core objectives of this PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/minievm-binary-resolution-and-extraction

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Benzbeeb]