test: LaunchAgent lifecycle and file permission verification

[smartwatermelon]

Context

The plex-watchdog deploys a LaunchAgent, config files, and scripts with specific ownership and permission requirements. These cannot be tested in BATS unit tests but are critical for correct operation.

Scope

Evaluate testing approaches for:

1. LaunchAgent validity: plutil -lint on the generated plist (could be a BATS test)
2. File permissions: Verify mode 600 on token file and msmtp config
3. Ownership: Verify operator:staff ownership on all deployed files
4. LaunchAgent lifecycle: Load, verify running, unload, verify stopped
5. Credential isolation: Verify non-operator users cannot read token/password files

Considerations

• Permission/ownership tests require running as admin with sudo
• LaunchAgent tests require the operator GUI session
• Some of these could be post-deployment verification in the setup script
• plex-watchdog-setup.sh already does basic verification in Section 6

Related

• app-setup/plex-watchdog-setup.sh Section 6 (Verification)
• docs/keychain-credential-management.md (credential pattern)