Add actionable permission-error message with macOS Full Disk Access hint

When the scanner hits a permission-denied error (TCC-protected
directories on macOS without Full Disk Access, or any other EPERM),
the error now names the offending path and includes platform-specific
remediation instructions. On macOS it points the user at System
Settings -> Privacy & Security -> Full Disk Access. On other
platforms it suggests --skip-errors.

The error wraps os.ErrPermission so errors.Is still works for callers
that care about the underlying error.

README quickstart and snapshot create docs now mention the macOS FDA
requirement.

internal/snapshot/permission_error_test.go

@@ -0,0 +1,42 @@
+package snapshot
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"runtime"
+	"strings"
+	"testing"
+)
+
+func TestWrapPermissionError(t *testing.T) {
+	// Non-permission errors pass through unchanged.
+	plain := errors.New("disk on fire")
+	if got := wrapPermissionError("/some/path", plain); got != plain {
+		t.Errorf("non-permission error should pass through, got %v", got)
+	}
+
+	// Permission errors get remediation instructions.
+	permErr := fmt.Errorf("open /x: %w", os.ErrPermission)
+	wrapped := wrapPermissionError("/Users/u/Library/Calendars", permErr)
+
+	if !errors.Is(wrapped, os.ErrPermission) {
+		t.Error("wrapped error should still match os.ErrPermission")
+	}
+	if !strings.Contains(wrapped.Error(), "/Users/u/Library/Calendars") {
+		t.Error("wrapped error should name the offending path")
+	}
+
+	if runtime.GOOS == "darwin" {
+		if !strings.Contains(wrapped.Error(), "Full Disk Access") {
+			t.Errorf("macOS permission error should mention Full Disk Access:\n%s", wrapped.Error())
+		}
+		if !strings.Contains(wrapped.Error(), "System Settings") {
+			t.Errorf("macOS permission error should point at System Settings:\n%s", wrapped.Error())
+		}
+	} else {
+		if !strings.Contains(wrapped.Error(), "--skip-errors") {
+			t.Errorf("non-macOS permission error should mention --skip-errors:\n%s", wrapped.Error())
+		}
+	}
+}