macOS: migrate deprecated SecKeychain APIs to SecItem #39

Open. nvk wants to merge 1 commit into sorah:master from nvk:upstream-secitem-pr

nvk commented Apr 25, 2026

Title: macOS: migrate deprecated SecKeychain APIs to SecItem

Summary

Replace deprecated macOS SecKeychain* calls with modern SecItem* equivalents.

Scope

  • migrate namespace search/list paths to SecItemCopyMatching
  • migrate value lookup to SecItemCopyMatching
  • migrate write/delete paths to SecItemAdd, SecItemUpdate, and SecItemDelete
  • preserve the existing --set, --unset, --list, -p, and -P CLI behavior
  • leave the Linux backend unchanged

Notes

  • -p now uses SecAccessControlCreateWithFlags(..., kSecAccessControlUserPresence, ...)
  • -P uses SecAccessCreate to preserve the existing self-trusted/no-prompt behavior as closely as possible
  • changing the access mode on an existing item now preflights the new mode and restores the previous value if the re-add fails

Non-goals

  • no new authentication modes
  • no helper binaries
  • no shell-wrapper workflow changes
  • no changes outside the macOS backend, except the help text line that still describes -p / -P

Verification

  • make -B on macOS
  • run ./envchain and verify usage output
  • confirm the branch diff is limited to envchain_osx.c plus the help text line in envchain.c
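
The preflight-and-restore ordering described in the Notes above, modelled as an added example that is not code from this pull request or from envchain. The in-memory `struct item`, the `mode` enum, the fault-injection flags and every function name are hypothetical stand-ins for the keychain item and the Security framework calls, chosen so the ordering can be exercised off macOS.

```c
#include <stdio.h>
#include <string.h>

/* Constructed in-memory stand-in for one keychain item (hypothetical names). */
enum mode { MODE_DEFAULT, MODE_USER_PRESENCE, MODE_NO_PROMPT };
struct item { int present; enum mode mode; char value[64]; };

static int fail_preflight, fail_add;   /* fault injection for the demo */

/* Stand-in for building the access object for the requested mode. */
static int preflight(enum mode m) { (void)m; return fail_preflight ? -1 : 0; }

/* Stand-in for the add call; fails once when fail_add is set. */
static int item_add(struct item *it, enum mode m, const char *v) {
    if (fail_add) { fail_add = 0; return -1; }
    it->present = 1;
    it->mode = m;
    snprintf(it->value, sizeof it->value, "%s", v);
    return 0;
}

static void item_delete(struct item *it) { memset(it, 0, sizeof *it); }

/* 0 = mode changed, -1 = refused and item untouched,
 * -2 = re-add failed and previous item restored, -3 = restore failed too. */
int change_mode(struct item *it, enum mode new_mode) {
    int rc;
    if (!it->present) return -1;
    if (preflight(new_mode) != 0) return -1;  /* fail before any destructive step */
    struct item saved = *it;                  /* previous value and mode */
    item_delete(it);
    if (item_add(it, new_mode, saved.value) == 0)
        rc = 0;
    else if (item_add(it, saved.mode, saved.value) == 0)
        rc = -2;                              /* rolled back to the old mode */
    else
        rc = -3;                              /* caller must report the loss */
    /* Scrub the plaintext copy; production code needs a wipe the compiler
     * cannot elide (memset_s or explicit_bzero where available). */
    memset(&saved, 0, sizeof saved);
    return rc;
}

int main(void) {
    struct item it = {0};
    item_add(&it, MODE_DEFAULT, "constructed-secret");
    fail_add = 1;                             /* force the re-add to fail once */
    printf("rc=%d present=%d mode=%d\n", change_mode(&it, MODE_NO_PROMPT),
           it.present, (int)it.mode);
    return 0;
}
```

The property to check in review is that no failure path leaves the namespace without the variable: either the item is untouched, or it is restored with its previous access mode.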

nvk commented Apr 28, 2026

I'm maintaining a fork here: https://github.com/nvk/envchain-xtra
