
[codex] reduce keychain prompt churn during dev runs#888

Merged
ngutman merged 1 commit into steipete:main from ngutman:codex/stabilize-keychain-dev-signing
May 10, 2026

Conversation


@ngutman ngutman commented May 10, 2026

Purpose

Reduce repeated macOS Keychain prompts during local CodexBar development runs.

Two prompt sources were addressed:

  • compile_and_run.sh could fall back to ad-hoc signing even when the developer had a valid local signing identity. Ad-hoc signing changes the app identity across rebuilds, which makes Keychain approvals unstable.
  • KeychainCacheStore.store tried to rewrite the CodexBar Cache item ACL on every cache update. Updating kSecAttrAccess can trigger the "change the owner" login keychain prompt even when CodexBar only needs to refresh cached data.

Changes

  • Auto-detect a stable local code signing identity in Scripts/compile_and_run.sh before falling back to ad-hoc signing.
  • Derive APP_TEAM_ID from the detected identity when possible, while preserving explicit APP_IDENTITY / APP_TEAM_ID overrides and Peter's existing preferred identity path.
  • Update existing KeychainCacheStore entries by writing only kSecValueData.
  • Keep the existing ACL setup for newly created CodexBar Cache entries.

Verified behavior

  • Confirmed the local run script now selects a real Developer ID identity instead of ad-hoc signing on a machine with valid identities:
    • Developer ID Application: Nimrod Gutman (GZS353X62E)
  • Confirmed KeychainCacheStore still stores, overwrites, loads, clears, and lists cache entries through the focused test suite.
  • Confirmed new cache entries still attach the existing trusted app/CLI helper ACL path; only existing-entry updates avoid ACL rewrites.
  • Confirmed CodexBar can be packaged, signed, and launched with the updated script. The normal packaging path hit the existing widget App Intents metadata timeout, so the app was launched with CODEXBAR_ALLOW_MISSING_WIDGET_METADATA=1; the script reported OK: CodexBar is running.

Validation

  • swift test --filter KeychainCacheStoreTests
    • Passed: 8 tests
  • make check
    • Passed: SwiftFormat reported 0 files requiring formatting
    • Passed: SwiftLint reported 0 violations
  • CODEXBAR_ALLOW_MISSING_WIDGET_METADATA=1 ./Scripts/compile_and_run.sh --wait
    • Passed: packaged, signed, launched, and confirmed CodexBar stayed running

Notes

Existing cache items with stale ACLs are no longer repaired during routine cache refreshes. That is intentional: the ACL repair attempt was the prompt trigger, and these entries are caches. If a local cache item is already in a bad state, deleting the com.steipete.codexbar.cache generic-password items lets CodexBar recreate them with the current ACL.
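The identity detection described above, as an added example in POSIX shell that is not the project's Scripts/compile_and_run.sh: it parses constructed `security find-identity -v -p codesigning` output (placeholder hashes and team ID), prefers a Developer ID Application identity, derives the team ID from it, honours explicit APP_IDENTITY / APP_TEAM_ID overrides, and falls back to ad-hoc (`-`) only when nothing usable is found. The secondary preference for an Apple Development identity is an assumption of this example, not something the PR states.

```shell
#!/bin/sh
# Added example, not the project's script: choose a stable local signing
# identity so rebuilds keep the same signer and Keychain approvals hold.

# Constructed sample of `security find-identity -v -p codesigning` output.
# The SHA-1 hashes and team ID are placeholders, not real values.
SAMPLE_IDENTITIES='  1) 0000000000000000000000000000000000000001 "Apple Development: Example Dev (TEAMID0001)"
  2) 0000000000000000000000000000000000000002 "Developer ID Application: Example Dev (TEAMID0001)"
     2 valid identities found'

# select_identity <find-identity output>
# Prints the preferred identity name, or "-" (ad-hoc) when none matches.
select_identity() {
    _out=$1
    # Preference order is an assumption: Developer ID first, then Apple Development.
    for _kind in "Developer ID Application" "Apple Development"; do
        _id=$(printf '%s\n' "$_out" | grep -o "\"$_kind: [^\"]*\"" | head -n 1 | tr -d '"')
        if [ -n "$_id" ]; then
            printf '%s\n' "$_id"
            return 0
        fi
    done
    printf '%s\n' -
}

# team_id_from_identity <identity name>
# Extracts the parenthesised team ID; prints nothing for ad-hoc.
team_id_from_identity() {
    case $1 in
        -) ;;
        *) printf '%s\n' "$1" | sed -n 's/.*(\([A-Z0-9]*\))$/\1/p' ;;
    esac
}

# resolve_signing <find-identity output> [APP_IDENTITY] [APP_TEAM_ID]
# Explicit overrides win; otherwise detect. Prints "identity<TAB>team".
resolve_signing() {
    _out=$1; _identity=${2:-}; _team=${3:-}
    if [ -z "$_identity" ]; then
        _identity=$(select_identity "$_out")
    fi
    if [ -z "$_team" ]; then
        _team=$(team_id_from_identity "$_identity")
    fi
    printf '%s\t%s\n' "$_identity" "$_team"
}
```

In a real script the first argument would be `$(security find-identity -v -p codesigning)` and the two overrides the environment variables APP_IDENTITY and APP_TEAM_ID.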

@ngutman ngutman marked this pull request as ready for review May 10, 2026 18:55
@ngutman ngutman merged commit 37dc641 into steipete:main May 10, 2026
4 checks passed
