fix(brew): handle root-owned config dir from sudo installs (#288)

## Problem

Two errors were reported during Homebrew post-install of v0.12.0:

1. `SQLiteError: unable to open database file` (SQLITE_CANTOPEN) — setup
aborts
2. `Warning: read-only database` + `EPERM` on zsh completions — setup
aborts

Root cause: `sudo brew install` creates root-owned `~/.sentry/` and
`~/.local/share/zsh/` files. The setup command had no error handling, so
any failure aborted the entire post-install script and Homebrew showed a
scary error even though the binary installed fine.

The same root cause explains the recurring "attempt to write a readonly
database" Sentry telemetry issues (8 issues, 19 events, 100% macOS).
Moving the config directory would not help — the same permission
problems would occur at any path if created by root. macOS TCC does not
restrict `~/.sentry/`.

## Changes

### Non-fatal setup steps (`setup.ts`)
Added a `bestEffort()` wrapper around each post-install configuration
step. Permission failures now log a warning instead of aborting. The
binary is already installed — these steps are nice-to-have side effects.

### Root-owned file detection in `tryRepairReadonly` (`telemetry.ts`)
Before attempting `chmod` (which fails silently on root-owned files),
now checks `stat().uid`. If the file is owned by root, emits a targeted
actionable message with the actual username:
```
Warning: Sentry CLI config directory is owned by root.
  Path:  /Users/am/.sentry
  Fix:   sudo chown -R am "/Users/am/.sentry"
  Or:    sudo sentry cli fix
```
Username is inferred from `SUDO_USER` → `USER` → `USERNAME` →
`os.userInfo()`.

### Ownership repair in `sentry cli fix` (`fix.ts`)
- Ownership check runs **before** permissions (chmod fails on root-owned
files anyway)
- **Not root**: prints `sudo chown -R <user> <configDir>` and `sudo
sentry cli fix` instructions, exits with code 1
- **Running as root** (`sudo sentry cli fix`): resolves the real user's
UID via `id -u <username>`, then performs `chown` to transfer ownership
back

Fixes CLI-7Q, CLI-7K, CLI-6N, CLI-6D, CLI-4Z, CLI-51, CLI-4E, CLI-2E

Author: BYK

AGENTS.md

@@ -77,7 +77,7 @@ Read the full guidelines in `.cursor/rules/bun-cli.mdc`.
 | Write file | `await Bun.write(path, content)` | `fs.writeFileSync()` |
 | Check file exists | `await Bun.file(path).exists()` | `fs.existsSync()` |
 | Spawn process | `Bun.spawn()` | `child_process.spawn()` |
-| Shell commands | `Bun.$\`command\`` | `child_process.exec()` |
+| Shell commands | `Bun.$\`command\`` ⚠️ | `child_process.exec()` |
 | Find executable | `Bun.which("git")` | `which` package |
 | Glob patterns | `new Bun.Glob()` | `glob` / `fast-glob` packages |
 | Sleep | `await Bun.sleep(ms)` | `setTimeout` with Promise |
@@ -89,6 +89,12 @@ import { mkdirSync } from "node:fs";
 mkdirSync(dir, { recursive: true, mode: 0o700 });
 ```
 
+**Exception**: `Bun.$` (shell tagged template) has no shim in `script/node-polyfills.ts` and will crash on the npm/node distribution. Until a shim is added, use `execSync` from `node:child_process` for shell commands that must work in both runtimes:
+```typescript
+import { execSync } from "node:child_process";
+const result = execSync("id -u username", { encoding: "utf-8", stdio: ["pipe", "pipe", "ignore"] });
+```
+
 ## Architecture
 
 ```