feat: switch macOS learning mode from fs_usage to eslogger

Replace fs_usage (reports Mach thread IDs, requiring process name matching
with false positives) with eslogger (Endpoint Security framework, reports
real Unix PIDs via audit_token.pid plus fork events for process tree tracking).

Key changes:
- Daemon starts eslogger instead of fs_usage, with early-exit detection
  and clear Full Disk Access error messaging
- New two-pass eslogger JSON parser: pass 1 builds PID tree from fork
  events, pass 2 filters filesystem events by PID set
- Remove runtime PID polling (StartPIDTracking, pollDescendantPIDs) —
  process tree is now built post-hoc from the eslogger log
- Platform-specific generateLearnedTemplatePlatform() for darwin/linux/stub
- Refactor TraceResult and GenerateLearnedTemplate to be platform-agnostic

cmd/greywall/main.go

@@ -267,7 +267,7 @@ func runCommand(cmd *cobra.Command, args []string) error {
 
 	// Learning mode setup
 	if learning {
-		if err := sandbox.CheckStraceAvailable(); err != nil {
+		if err := sandbox.CheckLearningAvailable(); err != nil {
 			return err
 		}
 		fmt.Fprintf(os.Stderr, "[greywall] Learning mode: tracing filesystem access for %q\n", cmdName)
@@ -305,6 +305,7 @@ func runCommand(cmd *cobra.Command, args []string) error {
 
 	if debug {
 		fmt.Fprintf(os.Stderr, "[greywall] Sandboxed command: %s\n", sandboxedCommand)
+		fmt.Fprintf(os.Stderr, "[greywall] Executing: sh -c %q\n", sandboxedCommand)
 	}
 
 	hardenedEnv := sandbox.GetHardenedEnv()
@@ -328,6 +329,11 @@ func runCommand(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to start command: %w", err)
 	}
 
+	// Record root PID for macOS learning mode (eslogger uses this for process tree tracking)
+	if learning && platform.Detect() == platform.MacOS && execCmd.Process != nil {
+		manager.SetLearningRootPID(execCmd.Process.Pid)
+	}
+
 	// Start Linux monitors (eBPF tracing for filesystem violations)
 	var linuxMonitors *sandbox.LinuxMonitors
 	if monitor && execCmd.Process != nil {