fix(release): adhoc re-sign darwin binaries to prevent AMFI SIGKILL on macOS 26.4

[Alan-TheGentleman]

Summary

Closes #402 — the released darwin_arm64 binary got SIGKILL (exit 137) on macOS 26.4 because it carried only a Go-linker adhoc signature (flags=0x20002 adhoc,linker-signed), which AMFI on recent macOS rejects.

Change

.goreleaser.yaml: add a post-build hook that adhoc-re-signs darwin binaries with codesign --force --sign - (produces flags=0x2 adhoc, which AMFI accepts). Free — no Apple Developer certificate required.

Note: goreleaser v2 has no filter: goos field, so the hook uses a shell conditional gated on {{ .Os }} plus command -v codesign, which no-ops safely on Linux CI runners.

Test plan

goreleaser check passes. Cannot exercise macOS signing in CI; manual verification on a macOS 26.4 arm64 host: codesign -dvv ./engram must NOT show linker-signed, and ./engram --version must exit 0 (not 137).

Notes

Passed adversarial review — {{ .Os }} and {{ .Path }} verified against goreleaser v2 source; hook fires per-binary for both darwin archs; fails safe on Linux.

[Copilot]

Pull request overview

Adds an ad-hoc re-sign step to the GoReleaser pipeline intended to ensure released macOS (darwin) binaries are signed in a way that avoids AMFI SIGKILL on macOS 26.4.

Changes:

• Adds a GoReleaser build post hook that runs codesign --force --sign - for darwin targets when codesign is available.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.