TIN-1758 harden macOS rollout readiness checks

[Jesssullivan]

Summary

Harden the macOS TCFS rollout readiness helper after the Neo switch exposed two readiness gaps:

• Home Manager's wrapped LaunchAgent command can include too much path metadata if printed directly.
• A single FileProvider extension ID is not enough; PlugInKit can point the extension at a rejected shadow app while the accepted package app still exists.

Changes

• stop printing ProgramArguments:2 from the TCFS LaunchAgent
• report only argv0 and mark launch command inspection as redacted
• replace launchctl print gui/... with the summary launchctl list table for the service-present check
• default --app-path to /Applications/TCFSProvider.app
• verify the PlugInKit registration points at the expected app path, not just that the extension ID exists
• extend the fake-platform regression test to prove both command redaction and shadow-registration detection

Test plan

• task test passes locally
• task lazy:test-macos-tcfs-rollout-readiness
• bash -n scripts/macos-tcfs-rollout-readiness.sh scripts/test-macos-tcfs-rollout-readiness.sh
• shellcheck scripts/macos-tcfs-rollout-readiness.sh scripts/test-macos-tcfs-rollout-readiness.sh
• git diff --check
• live Neo readiness run before cleanup failed on PlugInKit path mismatch while Gatekeeper accepted /Applications/TCFSProvider.app
• live Neo readiness run after cleanup passed with Gatekeeper accepted, PlugInKit path matching /Applications/TCFSProvider.app, storage ok, and NATS connected

Checklist

• Docs updated (if user-facing behavior changed)
• CHANGELOG.md updated (if applicable)
• No secrets or credentials in diff

Linear: TIN-1758