Add actionable permission-error message with macOS Full Disk Access hint

When the scanner hits a permission-denied error (TCC-protected
directories on macOS without Full Disk Access, or any other EPERM),
the error now names the offending path and includes platform-specific
remediation instructions. On macOS it points the user at System
Settings -> Privacy & Security -> Full Disk Access. On other
platforms it suggests --skip-errors.

The error wraps os.ErrPermission so errors.Is still works for callers
that care about the underlying error.

README quickstart and snapshot create docs now mention the macOS FDA
requirement.
2026-06-16 05:20:33 -07:00
parent e534746cf3
commit 8959741c90
3 changed files with 73 additions and 4 deletions

@@ -24,8 +24,12 @@ grep 'public key' vaultik_backup_private_key.txt
vaultik config set age_recipients.0 age1YOUR_PUBLIC_KEY_HERE
vaultik config set storage_url "file:///Volumes/usbstick/mybackup"
# back up your home directory (the default config includes a "home"
# snapshot of ~ with sensible excludes)
# macOS only: grant your terminal app Full Disk Access first
# (System Settings → Privacy & Security → Full Disk Access), otherwise
# the backup will abort with a permission error on protected directories
# run your first backup (the default config backs up ~ and /Applications
# with sensible excludes)
vaultik snapshot create
# see what you have
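Review bot: the rewritten comment above `vaultik snapshot create` changes the described default scope from a "home" snapshot of ~ to "~ and /Applications", and the commit message does not mention that; it only covers the Full Disk Access hint. If the default config really does include /Applications, say so in the commit message or move the wording change to its own commit; if it does not, keep the old description and add only the three Full Disk Access lines. Since the instruction is to grant access to the terminal app rather than to vaultik itself, it would also help to say that in so many words, so readers understand how broad the grant is before they make it.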
@@ -159,6 +163,10 @@ in the file are preserved; intermediate maps are created as needed.
**`snapshot create`**: Perform incremental backup of configured snapshots.
* Optional snapshot names argument to create specific snapshots (default: all)
* On macOS, the terminal application running vaultik needs Full Disk Access
(System Settings → Privacy & Security → Full Disk Access) to read
TCC-protected directories; without it the backup aborts with a permission
error that explains how to fix it
* `--cron`: Silent unless error (for crontab)
* `--prune`: After backup, drop older snapshots of each backed-up name and
remove orphaned blobs from remote storage. By default keeps only the latest
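Review bot: the new bullet says "the terminal application running vaultik" needs Full Disk Access, but the `--cron` bullet directly below documents crontab use, where there is no terminal application to grant it to. Please state what needs the grant for scheduled runs, or say explicitly that this bullet covers interactive use only, so the first unattended backup does not abort on the permission error. The commit message also says other platforms are pointed at --skip-errors; if that is a `snapshot create` option, this option list is the place to document it next to the new bullet.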