Fix mcp logs permission error for rootless podman journald driver

Rootless podman writes container logs to the user journal, but
journalctl without --user only reads the system journal. Add --user
when the agent is running as a non-root user.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/runtime/podman.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"os"
 	"os/exec"
 	"strings"
 	"time"
@@ -207,8 +208,14 @@ func (p *Podman) Logs(ctx context.Context, containerName string, tail int, follo
 }
 
 // journalLogs returns a journalctl command filtered by container name.
+// For rootless podman, container logs go to the user journal, so we
+// need --user to read them.
 func (p *Podman) journalLogs(ctx context.Context, containerName string, tail int, follow bool, since string) *exec.Cmd {
-	args := []string{"--no-pager", "--output", "cat", "CONTAINER_NAME=" + containerName}
+	args := []string{"--no-pager", "--output", "cat"}
+	if os.Getuid() != 0 {
+		args = append(args, "--user")
+	}
+	args = append(args, "CONTAINER_NAME="+containerName)
 	if tail > 0 {
 		args = append(args, "--lines", fmt.Sprintf("%d", tail))
 	}