feat(chat): surface macOS TCC denials as in-card affordance

[ljagiello]

Summary

When the chat agent's run_code (or file-io) tool hits Operation not permitted against a TCC-protected user folder (~/Downloads, ~/Desktop, ~/Documents), the chat now renders a yellow macOS permission needed card with a one-click deeplink to System Settings → Privacy & Security → Files & Folders.

Before: agent saw the raw shell error, dumped it at the user, and asked them to debug it.

After: structured affordance the model can point at — and a clickable surface the user can act on directly.

Scope: macOS only. On Linux/Windows the same error usually means a real ACL issue and the raw error is the right signal — the detector is gated on process.platform === "darwin".

Edge case clarification: this card is the fallback for the already-denied state (user previously clicked Don't Allow, or revoked via System Settings → auth_value=0 in TCC.db). The first-encounter path is still handled by macOS's native consent dialog.

What's in the change

• packages/system/agents/workspace-chat/tools/tcc-detect.ts — pure detector. Recognizes three error formats (find:, ls:, Python PermissionError), returns a structured TccDenial with deeplink + optional mv suggestion. 12 unit tests.
• code-exec.ts — attaches tcc_denied?: TccDenial to RunCodeSuccess when the script exited non-zero and the stderr matches.
• file-io.ts — same wiring via a shared toFileErr helper. Forward-defensive — the existing path-resolution gates keep these tools inside the scratch dir, so TCC isn't reachable today.
• tools/agent-playground/.../tcc-denied-card.svelte — the actual card component, 4 SSR tests.
• tool-call-card.svelte — typed readTccDenied extractor + render branch.
• tool-call-utils.ts — extends needsUserAction to recognize tcc_denied, which is what auto-opens the tool-burst <details> so the card is actually visible.

QA

Real-TCC reproduction on a Tahoe VM (192.168.64.17) with the daemon's Downloads grant revoked via tccutil reset:

#	Case	Result
1	Unit prechecks (detector, file-io, card SSR)	18/18 PASS
2	Build + deploy to VM, launcher bounced, hashes verified	PASS
3	ls ~/Downloads → card renders with eyebrow, guidance, path, Settings button	PASS
4	ls ~/Downloads/qa-test → both buttons render; Move button writes correct mv '<src>' '<dst>' to clipboard	PASS
5	Settings button payload = correct x-apple.systempreferences: deeplink (structural)	PASS
6	ls /tmp (success) → no false card	PASS
7	ls /nonexistent (ENOENT) → no false card	PASS

QA found two bugs that are folded into this PR:

1. UI card never rendered — tool-burst wraps tool calls in a collapsed <details> and needsUserAction didn't recognize tcc_denied, so the card was in the DOM but hidden. Embarrassingly, the model could see tcc_denied in its tool result JSON and would describe "a shortcut button above" that wasn't actually on screen. Fix: extend needsUserAction.
2. No-op mv suggestion when user attempted the protected root directly (mv '~/Downloads' '~/Downloads'). Fix: only push the Move action when attemptedPath !== root. New unit test locks this in.

Test plan

• CI runs the 18 new unit tests (detector + card SSR + run_code wiring + file-io wiring)
• Revoke Downloads access for Friday Studio (tccutil reset SystemPolicyDownloadsFolder ai.hellofriday.studio + click Don't Allow when prompted), then ask the chat run ls -la ~/Downloads — verify yellow card appears
• Same with ~/Desktop and ~/Documents to cover the other two protected dirs
• Confirm clean runs (ls /tmp) and ENOENT runs (ls /nonexistent) don't trigger the affordance