fix(iso): harden colibri rc.conf host + service dir perms (Sam & Hermes/Claude)

Two minor polish items from the rc.d/release-gate audit:

- build.sh wrote `colibri_daemon_host="$(hostname)"` to rc.conf with a bare
  command; use `$(/bin/hostname)` to match the rc.d default and rc.conf.sample,
  avoiding a PATH-dependent lookup at early boot.
- The colibri service dirs (/var/db/colibri, /var/run/colibri,
  /var/log/colibri) shipped at 0755; the rc.d prestart creates them 0750.
  Ship 0750 so the dirs in the image are not world-readable until first boot
  corrects them.

Checks: sh -n build.sh.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sam & Claude 2026-06-15 18:01:19 +02:00
parent cfd11d1356
commit 0ac0675dea


@ -883,7 +883,10 @@ install_colibri_service() {
/var/db/colibri \
/var/run/colibri \
/var/log/colibri
chmod 0755 \
# 0750 matches the rc.d prestart (install -d -m 0750); the daemon dirs hold
# the SQLite DB and logs and should not be world-readable. The operator
# reaches them via the colibri group, not "other".
chmod 0750 \
"${MOUNT_POINT}/var/db/colibri" \
"${MOUNT_POINT}/var/run/colibri" \
"${MOUNT_POINT}/var/log/colibri"
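Review bot: The new comment above `chmod 0750` says the operator reaches these directories through the colibri group, but nothing in this hunk sets their owner or group, so the mode alone does not establish that. If the image-side directories keep the build's default ownership (not visible here), 0750 shuts out the group the comment names until the rc.d prestart runs. The same applies to a daemon that does not run as the owner. Either set ownership next to the chmod or record where it happens, e.g. `# owner/group are set by <PLACEHOLDER: step that chowns these dirs>; 0750 depends on it`. install_colibri_service starts and ends outside the hunk, so a chown may already exist out of view.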
@ -902,7 +905,7 @@ install_colibri_service() {
set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_db_path="/var/db/colibri/colibri.sqlite"'
set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_logfile="/var/log/colibri/daemon.log"'
set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_provider_env="/usr/local/etc/colibri/provider.env"'
set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_host="$(hostname)"'
set_config_line "${MOUNT_POINT}/etc/rc.conf" 'colibri_daemon_host="$(/bin/hostname)"'
set_config_line "${MOUNT_POINT}/etc/rc.conf" "colibri_daemon_cost_mode=\"${COLIBRI_COST_MODE:-smart}\""
if [ ! -x "${MOUNT_POINT}/usr/local/bin/colibri-daemon" ] || \