fix(release): ad-hoc sign macOS .app before DMG sealing

[Ron537]

Follow-up to #45 / #56 — addresses the unsigned-bundle issue raised by @raphapizzi.

Problem

Published macOS DMGs through v0.14.1 ship an entirely unsigned .app:

$ codesign -dvvv /Volumes/DPlex\ 0.14.0/DPlex.app
/Volumes/DPlex 0.14.0/DPlex.app: code object is not signed at all

This forces users to manually xattr -dr com.apple.quarantine on first launch and can trigger AMFI / "Team IDs differ" errors on macOS 14+.

Root cause

Two things compound:

1. identity: null in electron-builder.yml disables electron-builder's signing path entirely. The existing comment explains the original motivation: when electron-builder did partial ad-hoc signing, the bundled Electron Framework.framework ended up with a different Team ID than the main binary, breaking the load on macOS 14+.
2. The release workflow's Ad-hoc sign macOS app step is dead code. It runs after npm run build:mac:ci -- --publish always, by which point electron-builder has already created and uploaded the DMG containing the unsigned .app. The post-build codesign is applied to a file on the runner that nothing downloads.

Fix

Move the ad-hoc signing into an electron-builder afterPack hook that runs after pack but before DMG sealing:

• New scripts/mac-adhoc-sign.mjs — runs codesign --force --deep --sign - <.app>. A single recursive call signs every nested Mach-O (main binary, helpers, framework, dylibs) with the same empty/ad-hoc identity, so the "Team IDs differ" mismatch never arises. No-op on Windows/Linux; no-op on macOS when CSC_LINK is set so real Developer ID signing can take over later.
• electron-builder.yml — wires the hook via afterPack:, and rewrites the identity: null comment to explain why we still disable electron-builder's own broken per-component path.
• .github/workflows/release.yml — removes the dead post-build Ad-hoc sign macOS app step (its job is now handled correctly by the hook).
• package.json / CHANGELOG.md — patch bump to v0.14.2 + customer-facing changelog entry.

What this gets us

• ✅ codesign -dvvv reports a valid ad-hoc signature on the published .app
• ✅ macOS 14+ loads the bundled Electron Framework without "Team IDs differ"
• ✅ The "DPlex is damaged and can't be opened" Gatekeeper hard-reject path goes away

What this does NOT get us

Still not signed by a Developer ID, so:

• Users still see the unidentified-developer warning on first launch
• Users may still need xattr -dr com.apple.quarantine /Applications/DPlex.app

Both are unavoidable until we add a paid Developer ID + notarization.

Local verification

Smoke-tested the hook against a real .app (Calculator stand-in):

=== before ===
/tmp/sign-test/DPlex.app: code object is not signed at all

=== after ===
flags=0x2(adhoc)
/tmp/sign-test/DPlex.app: valid on disk
/tmp/sign-test/DPlex.app: satisfies its Designated Requirement

Pre-release verification

Same recipe as #56 — dry-run the release workflow on this PR, download the macOS artifact, and run:

hdiutil attach DPlex-x64.dmg -nobrowse
codesign -dvvv "/Volumes/DPlex 0.14.2/DPlex.app"
# Expect: flags=0x2(adhoc), "satisfies its Designated Requirement"
hdiutil detach "/Volumes/DPlex 0.14.2"

Tests

• npm run lint — no new issues
• npm run typecheck — clean
• npm run test:unit — 325/325 pass
• Manual codesign smoke test (above)

Diff

+90 / −26 across 5 files (~30 lines of actual hook logic, the rest is comment, workflow cleanup, version bump, changelog entry).