ci(release): publish macOS desktop assets #150

Open
fettpl wants to merge 2 commits into sybil-solutions:main from fettpl:fix/release-macos-assets-147

fettpl commented Jun 20, 2026

Summary

Addresses #147 by wiring stable releases to build and attach macOS desktop assets.

This PR is stacked on #149 because the release asset filenames and app metadata need semantic-release's computed version before desktop:dist runs. Once #149 is merged, this branch should be rebased so this PR only contains the macOS asset publishing changes.

Changes

  • Runs the release job on macos-latest so Electron Builder can produce macOS DMG/ZIP artifacts.
  • Passes signing/notarization secrets into the release step: CSC_LINK, CSC_KEY_PASSWORD, APPLE_ID, APPLE_APP_SPECIFIC_PASSWORD, and APPLE_TEAM_ID.
  • Fails the release prepare step before building if those required owner-managed secrets are missing.
  • Builds the desktop distribution with npm --prefix frontend run desktop:dist after applying the semantic-release version.
  • Verifies versioned arm64 DMG, ZIP, DMG blockmap, ZIP blockmap, and latest-mac.yml before publishing assets.
  • Configures @semantic-release/github to attach the DMG, ZIP, blockmaps, and update metadata to the GitHub Release.
  • Documents the release secret requirements in CONTRIBUTING.md.

Owner-Pending Steps

@0xSero needs to configure the repository secrets before this can publish usable stable artifacts:

  • CSC_LINK
  • CSC_KEY_PASSWORD
  • APPLE_ID
  • APPLE_APP_SPECIFIC_PASSWORD
  • APPLE_TEAM_ID

The certificate in CSC_LINK also needs to match the configured Electron Builder identity, currently sherif cherfa (TZ447KHNZL), or the identity/config should be adjusted before release.

After the first release run, the owner or maintainer should verify the produced DMG/ZIP with codesign, spctl, and a first-run launch on a clean macOS install path. That final artifact validation is what unblocks the Homebrew cask PR.

Test Plan

  • RED: node --test scripts/test-validate-desktop-release-env.mjs failed before scripts/validate-desktop-release-env.mjs existed.
  • RED: node --test scripts/test-verify-desktop-release-assets.mjs failed before scripts/verify-desktop-release-assets.mjs existed.
  • RED/GREEN: added blockmap expectations, saw scripts/test-verify-desktop-release-assets.mjs fail until blockmap checks were implemented.
  • npm run test:release-assets
  • npm run test:release-version
  • git diff --check --cached
  • node scripts/validate-desktop-release-env.mjs exits 1 without the owner secrets and reports all required missing env vars.
  • node -e 'const c=require("./release.config.cjs"); const gh=c.plugins.find((p)=>Array.isArray(p)&&p[0]==="@semantic-release/github"); console.log(JSON.stringify({branches:c.branches, githubAssetCount:gh?.[1]?.assets?.length, prepare:c.plugins.find((p)=>Array.isArray(p)&&p[0]==="@semantic-release/exec")?.[1]?.prepareCmd.includes("desktop:dist")}, null, 2))'
  • npm run check:structure
  • npm run check:controller
  • npm run check:cli
  • npm --prefix frontend run check:quality
  • Pre-push hook reran npm --prefix frontend run check:quality successfully.

Known unrelated check state:

  • npm run check:contracts currently fails on main because AggregatedSession is exported in both frontend/src/app/api/agent/sessions/all/route.ts and frontend/src/features/agent/session-contracts.ts.

AI Assistance Disclosure

AI assistance was used to inspect the release workflow, draft the implementation, write focused tests, run validation commands, and prepare this PR body. The code and command output were reviewed before submission.
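
An added example, not part of the PR or the project's scripts: a sketch of the two release gates described above, failing when any signing or notarization secret is missing and confirming the versioned arm64 assets exist before publishing. The product name `ExampleApp`, the `<product>-<version>-arm64.<ext>` filename pattern and the function names are assumptions; the secret names are the ones listed in the PR.

```javascript
// Added illustration; not the project's scripts/validate-desktop-release-env.mjs
// or scripts/verify-desktop-release-assets.mjs.
const REQUIRED_SECRETS = [            // names as listed in the PR description
  "CSC_LINK",
  "CSC_KEY_PASSWORD",
  "APPLE_ID",
  "APPLE_APP_SPECIFIC_PASSWORD",
  "APPLE_TEAM_ID",
];

// Return every required name that is unset or blank. GitHub Actions expands an
// unconfigured secret to an empty string, so a "defined" check is not enough.
// Only names are returned, so secret values never reach the job log.
function missingSecrets(env) {
  return REQUIRED_SECRETS.filter((name) => {
    const value = env[name];
    return typeof value !== "string" || value.trim() === "";
  });
}

// Assumed (hypothetical) naming scheme: <product>-<version>-arm64.<ext>.
function expectedAssets(product, version) {
  const base = `${product}-${version}-arm64`;
  return [
    `${base}.dmg`,
    `${base}.dmg.blockmap`,
    `${base}.zip`,
    `${base}.zip.blockmap`,
    "latest-mac.yml",
  ];
}

// Return expected assets absent from a directory listing. Matching on the exact
// versioned name means a leftover artifact from an older build does not pass.
function missingAssets(product, version, files) {
  const present = new Set(files);
  return expectedAssets(product, version).filter((f) => !present.has(f));
}

// Constructed sample input: one blank secret, and a stale 1.1.0 ZIP on disk.
const sampleEnv = { CSC_LINK: "x", CSC_KEY_PASSWORD: "x", APPLE_ID: "x",
  APPLE_APP_SPECIFIC_PASSWORD: "  ", APPLE_TEAM_ID: "x" };
const sampleFiles = ["ExampleApp-1.2.0-arm64.dmg", "ExampleApp-1.2.0-arm64.dmg.blockmap",
  "ExampleApp-1.1.0-arm64.zip", "ExampleApp-1.2.0-arm64.zip.blockmap", "latest-mac.yml"];
console.log("missing secrets:", missingSecrets(sampleEnv));
console.log("missing assets:", missingAssets("ExampleApp", "1.2.0", sampleFiles));
```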
