Fix chains live viewpoint blockers #105

Merged
TacoRocket merged 2 commits into main from fix/chains-live-viewpoint-blockers
Apr 18, 2026

@TacoRocket
Owner

What changed

  • fix current-identity permissions scope shaping so reduced viewpoints only summarize real RBAC assignment scopes
  • reuse a shared scope formatter so single resource-group control no longer renders as subscription-wide across permissions, escalation-path, and compute-control summaries
  • let grouped chains family runs degrade into surfaced issues and still emit artifacts when a supporting collector fails instead of aborting before output write
  • add regression coverage for reduced-view current-identity scope shaping, escalation direct-control wording, grouped family collector failure fallback, and the updated compute-control scope text

Why

The live Terraform lab exposed two blockers in AzureFox itself:

  1. reduced viewpoints were inflating current-identity scope from whoami subscription context into permissions, which then overstated chains escalation-path
  2. grouped family runs could fail closed when a supporting collector raised, which is exactly the wrong behavior for live reduced-visibility or partial-read runs

Validation

  • python3 -m ruff check src/azurefox/scope_hints.py src/azurefox/permissions_hints.py src/azurefox/collectors/provider.py src/azurefox/collectors/commands.py src/azurefox/chains/runner.py src/azurefox/chains/compute_control.py tests/test_collectors.py tests/test_chain_semantics.py tests/test_cli_smoke.py
  • PYTHONPATH=src pytest -q tests/test_collectors.py -k "collect_permissions or permissions_current_identity" tests/test_chain_semantics.py -k "escalation" tests/test_cli_smoke.py -k "deployment_path or escalation_path or compute_control" tests/test_compute_control.py
  • guarded push hook: PYTHONPATH=src git push -u origin fix/chains-live-viewpoint-blockers ran repo lint plus 417 passed, 2 deselected

Notes

  • I could not perform the repo CCR clean-context subagent review in this session because this thread did not authorize delegation or subagents.

@TacoRocket merged commit c73d6d1 into main Apr 18, 2026
7 checks passed
@TacoRocket deleted the fix/chains-live-viewpoint-blockers branch April 18, 2026 05:08
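
The two behaviours this PR describes, sketched as an added example that is not AzureFox's code: scope text derived only from real RBAC assignment scopes, so a resource-group assignment is never rendered as subscription-wide, and a grouped run that turns a collector failure into a surfaced issue. The names `describe_scope`, `summarize_scopes` and `run_family`, the label wording, and the sample IDs are all assumptions made for illustration.

```python
import re

# ARM scope shapes an RBAC role assignment can carry, broadest first.
_PATTERNS = [
    ("management group", re.compile(
        r"^/providers/Microsoft\.Management/managementGroups/(?P<name>[^/]+)$", re.I)),
    ("subscription", re.compile(r"^/subscriptions/(?P<name>[^/]+)$", re.I)),
    ("resource group", re.compile(
        r"^/subscriptions/[^/]+/resourceGroups/(?P<name>[^/]+)$", re.I)),
    ("resource", re.compile(
        r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/.+/(?P<name>[^/]+)$", re.I)),
]

def describe_scope(scope):
    """Label one assignment scope by its real breadth (hypothetical wording)."""
    s = scope.strip().rstrip("/")
    if not s:
        return "root scope"
    for label, pattern in _PATTERNS:
        m = pattern.match(s)
        if m:
            return f"{label} {m.group('name')}"
    return f"unrecognized scope {scope}"

def summarize_scopes(assignment_scopes):
    """Summarize only scopes backed by an assignment; never fall back to
    the signed-in subscription context when nothing is visible."""
    labels = sorted({describe_scope(s) for s in assignment_scopes})
    return "; ".join(labels) if labels else "no visible RBAC assignment scopes"

def run_family(collectors):
    """Run each collector; a failure becomes a surfaced issue, not an abort."""
    results, issues = {}, []
    for name, collect in collectors.items():
        try:
            results[name] = collect()
        except Exception as exc:  # partial-read runs must still produce output
            issues.append(f"{name}: {type(exc).__name__}: {exc}")
    return {"results": results, "issues": issues}

if __name__ == "__main__":
    # Constructed sample: one resource-group assignment, one denied collector.
    def denied(): raise PermissionError("403 on role assignments")
    rg = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-lab"
    print(summarize_scopes([rg]))
    print(run_family({"vms": lambda: ["vm-1"], "rbac": denied}))
```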