fix: harden macOS CLI detection candidates

[quippy-dev]

Summary

Follow-up to #466 (and referencing #406): fixes remaining macOS Tailscale detection edge cases where Detect Tailscale can select a non-usable candidate and then fail parsing status --json output.

This change hardens candidate selection and validation so CLI wrapper paths are preferred, and unexpected tailscale version output is rejected before status parsing.

Key Changes

• macOS candidate resolution
  • Keep canonical app path support:
    • /Applications/Tailscale.app/Contents/MacOS/Tailscale
  • Keep compatibility fallback:
    • /Applications/Tailscale.app/Contents/MacOS/tailscale
  • Prefer CLI/wrapper locations first:
    • tailscale (PATH)
    • /opt/homebrew/bin/tailscale
    • /usr/local/bin/tailscale
    • /usr/local/bin/Tailscale
• Added looks_like_tailscale_version(...) guard
  • Candidate is accepted only when tailscale version succeeds and stdout contains a plausible version token.
  • Success exit codes with unexpected stdout (for example GUI error text) are rejected and resolution continues.
• Updated macOS missing-CLI hint to canonical app path casing.
• Added focused tests for:
  • macOS candidate presence/order
  • valid version output acceptance
  • GUI error output rejection
  • empty output rejection

Behavior Notes

• Prevents false-positive candidate selection from leading to JSON parse failures in Detect Tailscale.
• Keeps existing Tailscale status/degraded-status contracts intact.
• No frontend API or schema changes.

Before Fix (macOS)

Observed on click Detect Tailscale:

Invalid tailscale status JSON: expected value at line 1 column 1 (stdout: The Tailscale GUI failed to start: The operation couldn’t be completed. (Tailscale.CLIError error 3.))
Version: The Tailscale GUI failed to start: The operation couldn’t be completed. (Tailscale.CLIError error 3.)

Validation Run

• pnpm run lint (passes; 1 pre-existing warning in src/features/app/hooks/useRemoteThreadLiveConnection.ts)
• cd src-tauri && cargo test tailscale::
• cd src-tauri && cargo check

[quippy-dev]

@Dimillian I'm still out of codex cloud review credits lol
do you have yours set up with any custom/more strict instructions for PRs (or a specific model)? I cannot seem to reproduce the nitpicks and findings when running /review locally with codex 5.3

[Dimillian]

@codex review

[Dimillian]

@Dimillian I'm still out of codex cloud review credits lol do you have yours set up with any custom/more strict instructions for PRs (or a specific model)? I cannot seem to reproduce the nitpicks and findings when running /review locally with codex 5.3

No, the cloud model really behaves differently for now, but it's a good first pass. I also do a lot of custom /review locally because, yeah, it's better for now.

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Hooray!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".