feat: switch macOS learning mode from fs_usage to eslogger

Replace fs_usage (reports Mach thread IDs, requiring process name matching
with false positives) with eslogger (Endpoint Security framework, reports
real Unix PIDs via audit_token.pid plus fork events for process tree tracking).

Key changes:
- Daemon starts eslogger instead of fs_usage, with early-exit detection
  and clear Full Disk Access error messaging
- New two-pass eslogger JSON parser: pass 1 builds PID tree from fork
  events, pass 2 filters filesystem events by PID set
- Remove runtime PID polling (StartPIDTracking, pollDescendantPIDs) —
  process tree is now built post-hoc from the eslogger log
- Platform-specific generateLearnedTemplatePlatform() for darwin/linux/stub
- Refactor TraceResult and GenerateLearnedTemplate to be platform-agnostic

internal/sandbox/learning_stub.go

@@ -1,21 +1,10 @@
-//go:build !linux
+//go:build !linux && !darwin
 
 package sandbox
 
 import "fmt"
 
-// StraceResult holds parsed read and write paths from an strace log.
-type StraceResult struct {
-	WritePaths []string
-	ReadPaths  []string
-}
-
-// CheckStraceAvailable returns an error on non-Linux platforms.
-func CheckStraceAvailable() error {
-	return fmt.Errorf("learning mode is only available on Linux (requires strace and bubblewrap)")
-}
-
-// ParseStraceLog returns an error on non-Linux platforms.
-func ParseStraceLog(logPath string, debug bool) (*StraceResult, error) {
-	return nil, fmt.Errorf("strace log parsing is only available on Linux")
+// CheckLearningAvailable returns an error on unsupported platforms.
+func CheckLearningAvailable() error {
+	return fmt.Errorf("learning mode is only available on Linux (requires strace) and macOS (requires eslogger + daemon)")
 }