Running `atomic-rollback check` as non-root on Fedora hits
permission-denied reading /boot/efi/EFI/fedora/grub.cfg (root-readable
only on Fedora). Before this change, the tool reported "Boot chain has
problems" and exited 1, conflating "we could not verify" with
"we found problems." Scripts relying on exit codes could not tell
apart the two.

Two semantically distinct facts now have distinct representations:

- grub.rs: new GrubContextError enum with PermissionDenied and Other
  variants. The io::ErrorKind from fs::read_to_string is preserved at
  the source instead of collapsing into a String.
- check.rs: new BootStatus::Inaccessible { reason, hint } variant.
  verify_bootable and verify_snapshot_bootable map PermissionDenied to
  Inaccessible, Other to Fail.
- main.rs Check: new match arm prints "Cannot verify boot chain:
  <reason>" with hint, exits 3.
- kernel_hook.rs: treats Inaccessible as a warning (log, do not abort
  kernel-install).
- rollback.rs: treats Inaccessible as Fail (abort rather than proceed
  with an unverified snapshot).
- check.rs gate: treats Inaccessible as Fail (migration runs as root;
  reaching this branch is unexpected and should fail safe).

Exit codes:
- 0: Pass
- 1: Fail (real boot-chain problem)
- 2: Warn (valid with warnings)
- 3: Inaccessible (could not verify; try sudo)

Verified on Fedora 43 VM: as root exits 0, as non-root exits 3 with
"permission denied reading /boot/efi/EFI/fedora/grub.cfg" and a
"Run: sudo atomic-rollback check" hint. The "Boot chain has problems"
message no longer fires for non-root.

Closes #14.