feat: switch macOS daemon from user-based to group-based pf routing

Sandboxed commands previously ran as `sudo -u _greywall`, breaking user
identity (home dir, SSH keys, git config). Now uses `sudo -u #<uid> -g
_greywall` so the process keeps the real user's identity while pf
matches
on EGID for traffic routing.

Key changes:
- pf rules use `group <GID>` instead of `user _greywall`
- GID resolved dynamically at daemon startup (not hardcoded, since macOS
  system groups like com.apple.access_ssh may claim preferred IDs)
- Sudoers rule installed at /etc/sudoers.d/greywall (validated with
visudo)
- Invoking user added to _greywall group via dscl (not dseditgroup,
which
  clobbers group attributes)
- tun2socks device discovery scans both stdout and stderr (fixes 10s
  timeout caused by STACK message going to stdout)
- Always-on daemon logging for session create/destroy events

internal/daemon/launchd_stub.go

@@ -0,0 +1,37 @@
+//go:build !darwin
+
+package daemon
+
+import "fmt"
+
+const (
+	LaunchDaemonLabel     = "co.greyhaven.greywall"
+	LaunchDaemonPlistPath = "/Library/LaunchDaemons/co.greyhaven.greywall.plist"
+	InstallBinaryPath     = "/usr/local/bin/greywall"
+	InstallLibDir         = "/usr/local/lib/greywall"
+	SandboxUserName       = "_greywall"
+	SandboxUserUID        = "399"
+	SandboxGroupName      = "_greywall"
+	SudoersFilePath       = "/etc/sudoers.d/greywall"
+	DefaultSocketPath     = "/var/run/greywall.sock"
+)
+
+// Install is only supported on macOS.
+func Install(currentBinaryPath, tun2socksPath string, debug bool) error {
+	return fmt.Errorf("daemon install is only supported on macOS")
+}
+
+// Uninstall is only supported on macOS.
+func Uninstall(debug bool) error {
+	return fmt.Errorf("daemon uninstall is only supported on macOS")
+}
+
+// IsInstalled always returns false on non-macOS platforms.
+func IsInstalled() bool {
+	return false
+}
+
+// IsRunning always returns false on non-macOS platforms.
+func IsRunning() bool {
+	return false
+}