Handle permission denied error in Nexus HandleScheduleCommand (temporalio#8442)

## What changed?
Nexus HandleScheduleCommand handles PermissionDenied by failing the WFT.


## Why?
We want to distinguish between Nexus endpoint not found and caller
namespace unauthorized errors.

## How did you test it?
- [ ] built
- [ ] run locally and tested manually
- [ ] covered by existing tests
- [x] added new unit test(s)
- [ ] added new functional test(s)



<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Handle `PermissionDenied` from endpoint lookup by failing the workflow
task and add a targeted unit test.
> 
> - **Workflow command handling**
(`components/nexusoperations/workflow/commands.go`):
> - On `GetByName` error `PermissionDenied`, return
`FailWorkflowTaskError` with cause
`WORKFLOW_TASK_FAILED_CAUSE_BAD_SCHEDULE_NEXUS_OPERATION_ATTRIBUTES` and
an authorization message, instead of propagating the error.
> - **Tests** (`components/nexusoperations/workflow/commands_test.go`):
> - Extend fake endpoint registry to simulate `PermissionDenied` for a
specific endpoint name.
> - Add test "caller namespace unauthorized" asserting WFT failure and
no history events.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
7585f5a. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Author: nikki-dag

components/nexusoperations/workflow/commands.go

@@ -63,6 +63,11 @@ func (ch *commandHandler) HandleScheduleCommand(
 				}
 			}
 			// Ignore, and let the operation fail when the task is executed.
+		} else if errors.As(err, new(*serviceerror.PermissionDenied)) {
+			return workflow.FailWorkflowTaskError{
+				Cause:   enumspb.WORKFLOW_TASK_FAILED_CAUSE_BAD_SCHEDULE_NEXUS_OPERATION_ATTRIBUTES,
+				Message: fmt.Sprintf("caller namespace %q unauthorized for %q", ns.Name(), attrs.Endpoint),
+			}
 		} else {
 			return err
 		}

components/nexusoperations/workflow/commands_test.go

@@ -59,7 +59,9 @@ var defaultConfig = &nexusoperations.Config{
 func newTestContext(t *testing.T, cfg *nexusoperations.Config) testContext {
 	endpointReg := nexustest.FakeEndpointRegistry{
 		OnGetByName: func(ctx context.Context, namespaceID namespace.ID, endpointName string) (*persistencespb.NexusEndpointEntry, error) {
-			if endpointName != "endpoint" {
+			if endpointName == "endpoint caller namespace unauthorized" {
+				return nil, serviceerror.NewPermissionDenied("caller namespace unauthorized", "")
+			} else if endpointName != "endpoint" {
 				return nil, serviceerror.NewNotFound("endpoint not found")
 			}
 			// Only the ID is taken here.
@@ -168,6 +170,24 @@ func TestHandleScheduleCommand(t *testing.T) {
 		require.Equal(t, 1, len(tcx.history.Events))
 	})
 
+	t.Run("caller namespace unauthorized", func(t *testing.T) {
+		tcx := newTestContext(t, defaultConfig)
+		err := tcx.scheduleHandler(context.Background(), tcx.ms, commandValidator{maxPayloadSize: 1}, 1, &commandpb.Command{
+			Attributes: &commandpb.Command_ScheduleNexusOperationCommandAttributes{
+				ScheduleNexusOperationCommandAttributes: &commandpb.ScheduleNexusOperationCommandAttributes{
+					Endpoint:  "endpoint caller namespace unauthorized",
+					Service:   "service",
+					Operation: "op",
+				},
+			},
+		})
+		var failWFTErr workflow.FailWorkflowTaskError
+		require.ErrorAs(t, err, &failWFTErr)
+		require.False(t, failWFTErr.TerminateWorkflow)
+		require.Equal(t, enumspb.WORKFLOW_TASK_FAILED_CAUSE_BAD_SCHEDULE_NEXUS_OPERATION_ATTRIBUTES, failWFTErr.Cause)
+		require.Equal(t, 0, len(tcx.history.Events))
+	})
+
 	t.Run("exceeds max service length", func(t *testing.T) {
 		tcx := newTestContext(t, defaultConfig)
 		err := tcx.scheduleHandler(context.Background(), tcx.ms, commandValidator{maxPayloadSize: 1}, 1, &commandpb.Command{