Igor,
I cannot replicate your issue, as I can launch my copies of Lazarus either from the command line or by clicking on the "startlazarus" or "Lazarus.app" icons in the Finder.
However, with this version of macOS, it is clear that clicking an icon from the Finder has different privileges than running the same application from the terminal. Here is what I have observed when clicking in the Finder that does not happen when running in the terminal:
1. The app will receive an argument with a unique process serial number, e.g. "-psn_0_989382", so if a Pascal program uses ParamStr(), it needs to ignore this.
2. The app will refuse to open any file that has the executable bit set on. Perhaps git clone is copying some files with this bit on. You could check this for your files (e.g. 'ls -l ~/.fpc.cfg') and switch this bit off ('chmod -x ~/.fpc.cfg').
3. The app will refuse to open any files that are not within its sandbox. The files that are permitted to be opened can change when the application is recompiled, as the OS seems to decide the user has not explicitly provided access to the file. I found this really tricky, as I have a most-recently-used menu item that allows the user to quickly open recently seen files. If the app is rebuilt, the FileExists() function reports the file exists, the fpAccess() function does not give sensible information, and the FileSize reports the correct file size even though the user does not have read access.
I would propose that fpAccess should be updated for recent macOS versions (sounds like Dmitry's expertise) so R_OK correctly reflects whether the user can open a file. Additionally, it might be nice to have the Pascal file reading routines give a meaningful message if the file is outside the sandbox. Troubleshooting these routines is a bit of a pain, as trusted applications work fine, but the same application works differently when run from the Finder.
My brute-force method to find out if the executable has permission to read a file is to read the first byte from the file. A try..except block keeps the program from crashing.
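// FSize() and printf() are not FPC RTL routines; presumably they are helpers
// from the poster's own units (not shown here). Requires SysUtils.
function IsReadable(fnm: string): boolean;
label 222;
var
  f: file;
  b: byte;
  oldMode: byte;
begin
  result := false;
  if not FileExists(fnm) then goto 222;
  if FSize(fnm) < 2 then goto 222;
  AssignFile(f, fnm);
  oldMode := FileMode; // FileMode is global: remember it so it can be restored
  {$I+} // I/O errors raise exceptions instead of setting IOResult
  try
    FileMode := fmOpenRead; // Set file access to read only
    Reset(f, 1);
    if IOResult <> 0 then
    begin
      FileMode := oldMode;
      exit;
    end;
    b := 0;
    BlockRead(f, b, SizeOf(b)); // Byte-order identifier
    CloseFile(f);
    result := true;
  except
    result := false; // open or read was refused, e.g. file outside the sandbox
  end;
  FileMode := oldMode;
222:
  if result then exit;
  printf('Unable to read file (not in sandbox?): '+fnm);
end;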
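
An added example, not part of the original message: a POSIX shell helper that automates the check suggested in point 2 across a whole checkout, listing (and optionally clearing) the executable bit on files that should be plain data. The function names and the extension list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Extensions treated as "data, never executable" are an
# assumption; adjust the list to match your project.

# Run find over regular files under $1 that match the data-file extensions
# and have any executable bit (user, group or other) set. Remaining
# arguments are appended as the find action.
find_exec_data_files() {
    dir=$1
    shift
    find "$dir" -type f \
        \( -name '*.cfg' -o -name '*.pas' -o -name '*.pp' -o -name '*.inc' \
           -o -name '*.lpi' -o -name '*.lpr' -o -name '*.lfm' \) \
        \( -perm -100 -o -perm -010 -o -perm -001 \) \
        "$@"
}

# Report only: print each offending path, change nothing.
list_exec_data_files() {
    find_exec_data_files "$1" -print
}

# Print each offending path and clear its executable bits (chmod a-x).
clear_exec_data_files() {
    find_exec_data_files "$1" -print -exec chmod a-x {} +
}
```

Run `list_exec_data_files` first and review its output before calling `clear_exec_data_files`, since scripts and binaries outside the extension list are deliberately left alone.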