feat: harden user file handling and gate LaunchServices rebuild (#159)

- add ensure_user_dir/ensure_user_file helpers in lib/core/base.sh, including
  sudo-aware ownership correction under the invoking user’s home
- use the helpers across clean/optimize/purge/uninstall/whitelist to create
  cache and export files safely (no naked mkdir/touch), including log files and
  dry-run exports
- ensure purge stats/count files and update message caches are pre-created with
  safe permissions
- add Darwin version helpers and skip LaunchServices/dyld rebuild on macOS 15+,
  keeping the existing corruption protection for earlier versions
- guard brew cache timestamp writes and TCC permission flags with safe file
  creation to avoid root-owned artifacts

lib/clean/brew.sh

@@ -116,7 +116,7 @@ clean_homebrew() {
 
     # Update cache timestamp on successful completion
     if [[ "$brew_success" == "true" || "$autoremove_success" == "true" ]]; then
-        mkdir -p "$(dirname "$brew_cache_file")"
+        ensure_user_file "$brew_cache_file"
         date +%s > "$brew_cache_file"
     fi
 }

lib/clean/caches.sh

@@ -52,8 +52,7 @@ check_tcc_permissions() {
     fi
 
     # Mark permissions as granted (won't prompt again)
-    mkdir -p "$(dirname "$permission_flag")" 2> /dev/null || true
-    touch "$permission_flag" 2> /dev/null || true
+    ensure_user_file "$permission_flag"
 }
 
 # Clean browser Service Worker cache, protecting web editing tools (capcut, photopea, pixlr)