Add hardened app packaging

[haasonsaas]

Summary

• add scripts/package_app.sh to build a release .app, sign it with hardened runtime, and archive it
• support Developer ID signing plus optional notarytool submit/staple when release credentials are present
• run packaging in CI and document the release/notarization env vars

Testing

• scripts/package_app.sh
• swift test
• swift build -Xswiftc -warnings-as-errors
• xcrun swift-format lint --strict --recursive Sources Tests Package.swift
• git diff --check

[cursor]

PR Summary

Medium Risk
Medium risk because it changes the CI pipeline and introduces codesigning/notarization steps that can fail due to environment/credential differences, affecting build/release reliability.

Overview
Adds scripts/package_app.sh to build a release .app bundle, apply hardened-runtime codesign (ad-hoc by default, Developer ID via AGENTD_CODESIGN_IDENTITY), produce dist/agentd.zip, and optionally notarize/staple via notarytool.

CI now runs this packaging step to continuously validate bundle shape/signing, dist/ is added to .gitignore, and the README documents the new release/notarization environment variables and outputs.

^{Reviewed by Cursor Bugbot for commit 4871305. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.}

^{Reviewed by Cursor Bugbot for commit 4871305. Configure here.}