fix: harden permission controls across iOS and Android

[thymikee]

Summary

Harden permission controls and session/runtime handling across iOS + Android.

• Restart daemon when code signature changes to prevent stale daemon behavior.
• Improve Android session app resolution on open and preserve/clear package semantics correctly for intent/deeplink flows.
• Rework Android notifications permission behavior using pm + appops for grant / deny / reset.
• Expand permission target support to align with simctl privacy services and fail strictly on unsupported runtime services.
• Improve iOS notifications behavior with runtime-aware handling:
  • map unsupported deny/grant runtime behavior to clear UNSUPPORTED_OPERATION
  • add reset notifications fallback to reset all when runtime blocks direct reset
• Update command help/errors and tests for all changed behavior.

Touched files: 13.
Scope note: expanded beyond a single command module to include daemon client/runtime compatibility and both platform permission backends due cross-platform correctness requirements.

Known gaps/follow-ups:

• iOS simulator notifications deny/grant remains runtime/toolchain dependent and can be unsupported by simctl privacy on some runtimes; command now fails explicitly with guidance.

Validation

• pnpm typecheck
• pnpm test:unit
• pnpm test:smoke