fix: add permanent swtpm ACL fix script for libvirt TPM permissions

Added scripts/fix-swtpm-permissions.sh that sets default ACLs on
/var/lib/libvirt/swtpm/ so new per-VM state directories inherit
libvirt-qemu access. This permanently fixes the "CMD_INIT: 0x9" error
caused by libvirtd creating swtpm dirs as root:root.

The user runs this ONCE with sudo. ACLs persist across reboots and
apply to all new VMs automatically.

Updated vm_create error message to reference the fix script.
Updated AGENTS.md with corrected swtpm setup instructions.

All 523 tests pass, 0 lint warnings.

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

run.sh

@@ -307,10 +307,10 @@ vm_create() {
             vm_uuid=$(virsh -c "$LIBVIRT_URI" dominfo "$VM_NAME" 2>/dev/null | grep "UUID:" | awk '{print $2}')
             local swtpm_vm_dir="/var/lib/libvirt/swtpm/${vm_uuid}"
             if [[ -d "$swtpm_vm_dir" ]]; then
-                log_error "TPM initialization failed - likely a swtpm permission issue"
-                log_error "Libvirt created swtpm state dir as root: $swtpm_vm_dir"
-                log_error "Fix by running:"
-                log_error "  sudo chown -R libvirt-qemu:libvirt-qemu /var/lib/libvirt/swtpm/"
+                log_error "TPM initialization failed - swtpm permission issue"
+                log_error "Libvirt creates per-VM swtpm state dirs as root:root."
+                log_error "Permanent fix (run once with sudo):"
+                log_error "  sudo bash ${SCRIPT_DIR}/scripts/fix-swtpm-permissions.sh"
                 log_error "Then retry: ./run.sh test:iso destroy && ./run.sh test:iso create"
                 # Undefine so user can retry after fixing
                 virsh -c "$LIBVIRT_URI" undefine "$VM_NAME" --nvram 2>/dev/null || true