release: add launch-at-login and signed update channel #33

@haasonsaas

Summary

After notarization proof lands, add production-shaped desktop lifecycle support: launch-at-login via native macOS ServiceManagement and a signed update channel for distributing patched agentd builds.

Why

A desktop memory agent is not viable as a one-off manually launched app. We need a native, inspectable way to start at login and an update path that preserves Developer ID, notarization, and evidence. This should follow #24/#25, not replace them.

SOTA notes

  • Apple recommends native ServiceManagement APIs such as SMAppService for login/background items on modern macOS.
  • Sparkle is the de facto open-source macOS update framework and supports signed update feeds/artifacts.
  • Apple's notarization docs require Developer ID signing, hardened runtime, notarytool, and stapling for trusted outside-App-Store distribution.

Acceptance

  • Add a launch-at-login preference using native ServiceManagement APIs; no ad hoc LaunchAgent plist install from the app.
  • Menu-bar UI shows launch-at-login state and lets the user enable/disable it.
  • Add a signed update-channel design: Sparkle or an explicitly justified native/manual alternative.
  • Release artifacts include update metadata/checksums/signatures and notarization evidence.
  • CI or manual release workflow validates the shipped update artifact, not only the .app bundle.
  • Docs explain the release order: package, sign, notarize, staple, validate, publish update metadata.

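One way a release gate could enforce the last three acceptance items, as an added example that is not code from this repository: it checks that evidence exists for each step in the stated order, that the update metadata describes the artifact actually shipped, and that stapling, validation and publishing all saw the same bytes. The evidence and metadata formats, field names and sample data are hypothetical, and it assumes stapling changes the artifact's bytes, so a checksum taken before stapling is stale.

```python
import hashlib

# Release order from the acceptance list above.
ORDER = ["package", "sign", "notarize", "staple", "validate", "publish"]
# Steps whose recorded hash must equal the artifact users actually download.
FINAL_STEPS = ("staple", "validate", "publish")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_release(evidence: list, metadata: dict, shipped: bytes) -> list:
    """Return a list of problems; an empty list means the gate passes.

    evidence: [{"step": ..., "sha256": ...}] in recorded order (hypothetical
              format), where sha256 is the artifact hash at the end of that step.
    metadata: {"sha256", "length", "signature"} feed entry (hypothetical format).
    """
    problems = []
    steps = [e.get("step") for e in evidence]
    if steps != ORDER:
        problems.append(f"steps missing or out of order: {steps}")
    shipped_hash = sha256_hex(shipped)
    if metadata.get("length") != len(shipped):
        problems.append("metadata length does not match shipped artifact")
    if metadata.get("sha256") != shipped_hash:
        problems.append("metadata checksum does not match shipped artifact")
    if not metadata.get("signature"):
        # Presence only; verifying the signature is the update framework's job.
        problems.append("update metadata has no signature")
    recorded = {e.get("step"): e.get("sha256") for e in evidence}
    for step in FINAL_STEPS:
        if recorded.get(step) != shipped_hash:
            problems.append(f"{step} evidence is for a different artifact")
    return problems

# Constructed sample data: stand-in bytes, not a real build.
PRE_STAPLE = b"agentd update archive before stapling (constructed)"
SHIPPED = b"agentd update archive after stapling (constructed)"

def sample_evidence(validated: bytes) -> list:
    # Simplification: the three pre-staple steps share one stand-in hash.
    hashes = [PRE_STAPLE] * 3 + [SHIPPED, validated, SHIPPED]
    return [{"step": s, "sha256": sha256_hex(h)} for s, h in zip(ORDER, hashes)]

GOOD_META = {"sha256": sha256_hex(SHIPPED), "length": len(SHIPPED),
             "signature": "constructed-placeholder"}
# Metadata generated before stapling: checksum is stale for the shipped file.
STALE_META = dict(GOOD_META, sha256=sha256_hex(PRE_STAPLE))

if __name__ == "__main__":
    print(check_release(sample_evidence(SHIPPED), GOOD_META, SHIPPED))
    print(check_release(sample_evidence(PRE_STAPLE), STALE_META, SHIPPED))
```

The second call models a workflow that validated and checksummed the archive before stapling; the gate reports both the stale checksum and the mismatched validation evidence.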