chore(mdm): always-skip TCC by default + add PPPC config guide

[shubham-stepsecurity]

What does this PR do?

Type of change

• Bug fix
• Enhancement
• Documentation

Testing

• Tested on macOS (version: ___)
• Binary runs without errors: ./stepsecurity-dev-machine-guard --verbose
• JSON output is valid: ./stepsecurity-dev-machine-guard --json | python3 -m json.tool
• No secrets or credentials included
• Lint passes: make lint
• Tests pass: make test

Related Issues

[Copilot]

Pull request overview

This PR changes Dev Machine Guard’s macOS TCC handling to skip TCC-protected directories by default in all runs (community CLI and enterprise/launchd) to avoid triggering permission prompts, and adds documentation for opting back into scanning via Full Disk Access (PPPC/MDM or manual) plus the include_tcc_protected config/flag.

Changes:

• Make the TCC “skipper” default to on unless include_tcc_protected is explicitly set to true.
• Update CLI/config help text and unit tests to reflect the new default semantics.
• Add a macOS PPPC/TCC configuration guide and link it from the README.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
README.md	Adds link to the new macOS TCC permissions guide.
internal/tcc/tcc.go	Changes default behavior to always skip TCC-protected paths unless explicitly included.
internal/tcc/tcc_darwin_test.go	Updates tests to match the new default skipper behavior.
internal/config/config.go	Updates the config field documentation for include_tcc_protected.
internal/cli/cli.go	Updates flag documentation/help text for --include-tcc-protected defaults and precedence.
docs/macos-tcc-permissions.md	Adds a new guide covering default skipping behavior and PPPC/FDA rollout guidance.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.