feat: switch macOS learning mode from fs_usage to eslogger

Replace fs_usage (reports Mach thread IDs, requiring process name matching
with false positives) with eslogger (Endpoint Security framework, reports
real Unix PIDs via audit_token.pid plus fork events for process tree tracking).

Key changes:
- Daemon starts eslogger instead of fs_usage, with early-exit detection
  and clear Full Disk Access error messaging
- New two-pass eslogger JSON parser: pass 1 builds PID tree from fork
  events, pass 2 filters filesystem events by PID set
- Remove runtime PID polling (StartPIDTracking, pollDescendantPIDs) —
  process tree is now built post-hoc from the eslogger log
- Platform-specific generateLearnedTemplatePlatform() for darwin/linux/stub
- Refactor TraceResult and GenerateLearnedTemplate to be platform-agnostic

internal/daemon/client.go

@@ -71,6 +71,43 @@ func (c *Client) DestroySession(sessionID string) error {
 	return nil
 }
 
+// StartLearning asks the daemon to start an fs_usage trace for learning mode.
+func (c *Client) StartLearning() (*Response, error) {
+	req := Request{
+		Action: "start_learning",
+	}
+
+	resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, fmt.Errorf("start learning request failed: %w", err)
+	}
+
+	if !resp.OK {
+		return resp, fmt.Errorf("start learning failed: %s", resp.Error)
+	}
+
+	return resp, nil
+}
+
+// StopLearning asks the daemon to stop the fs_usage trace for the given learning session.
+func (c *Client) StopLearning(learningID string) error {
+	req := Request{
+		Action:     "stop_learning",
+		LearningID: learningID,
+	}
+
+	resp, err := c.sendRequest(req)
+	if err != nil {
+		return fmt.Errorf("stop learning request failed: %w", err)
+	}
+
+	if !resp.OK {
+		return fmt.Errorf("stop learning failed: %s", resp.Error)
+	}
+
+	return nil
+}
+
 // Status queries the daemon for its current status.
 func (c *Client) Status() (*Response, error) {
 	req := Request{