
Roadmap: real-hardware verification of Phase 3 broker on notarized build #43

@jmcte

Context

docs/NATIVE_ONLY_REDESIGN.md lines 225-231 explicitly call out a Phase 3 exit blocker:

The integration is unverified against a notarized build with associated-domain entitlements wired (the macOS build cannot be exercised from CI on Linux). A follow-up validation pass on a real macOS host is required before declaring Phase 3 complete.

Issue #13 wired AuthenticationServices into BrokerCore, but no end-to-end run on a notarized bundle exists. Until this lands, v2.0.0 GA cannot be honestly claimed as "Phase 3 complete."

Scope

  • Build a notarized APW.app (depends on Feature: add Apple notarization step to release CI pipeline #7) with webcredentials:example.com (or another test domain) entitlement.
  • Run the full E2E flow on a real macOS host: apw app install, apw app launch, apw login https://<domain>, and verify the iCloud Keychain picker appears.
  • Verify the documented error paths: cancel, denied, timeout, unsupported domain.
  • Capture a short manual test report under docs/ (or expand SECURITY_POSTURE_AND_TESTING.md) so future releases have a checklist.

Acceptance criteria

  • Verified successful apw login returning a real iCloud Keychain credential on at least one notarized host.
  • All five error paths (success/cancel/denied/timeout/unsupported) reproduced with documented broker error codes.
  • Phase 3 exit blocker prose in docs/NATIVE_ONLY_REDESIGN.md removed or updated to reflect verification.
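
A pre-flight check for the first Scope item, added here as an example and not part of the issue or the APW code base: it confirms that the signed bundle actually carries the `webcredentials:<domain>` associated-domain entitlement before anyone spends time on the manual E2E run. The names `check_entitlements`, `read_entitlements` and `SAMPLE` are hypothetical, and the `codesign` invocation assumes macOS 12 or later.

```python
import plistlib
import subprocess
import sys

ASSOC_KEY = "com.apple.developer.associated-domains"
DEBUG_KEY = "com.apple.security.get-task-allow"
# Constructed sample: the entitlements a correctly wired test build would carry.
SAMPLE = plistlib.dumps({ASSOC_KEY: ["webcredentials:example.com"]})


def check_entitlements(plist_bytes, domain):
    """Return a list of problems; an empty list means the bundle is ready for the E2E run."""
    try:
        ents = plistlib.loads(plist_bytes)
    except Exception as exc:  # empty or malformed output, e.g. an unsigned bundle
        return [f"entitlements not parseable: {exc}"]
    if not isinstance(ents, dict):
        return ["entitlements plist is not a dictionary"]
    problems = []
    wanted = f"webcredentials:{domain}"
    entries = ents.get(ASSOC_KEY)
    if not isinstance(entries, list):
        problems.append(f"{ASSOC_KEY} missing or not an array")
    elif wanted not in entries:
        # Surface near misses such as a '?mode=developer' entry left over from debugging.
        alt = [e for e in entries if isinstance(e, str) and e.startswith(wanted + "?")]
        hint = f" (found only {alt[0]})" if alt else ""
        problems.append(f"{wanted} not in {ASSOC_KEY}{hint}")
    if ents.get(DEBUG_KEY) is True:
        problems.append(f"{DEBUG_KEY} is true; not a release signature")
    return problems


def read_entitlements(app_path):
    """macOS only: dump the signed entitlements of app_path as an XML plist."""
    # Assumption: codesign supports --xml for entitlement display (macOS 12+).
    out = subprocess.run(
        ["codesign", "-d", "--entitlements", "-", "--xml", app_path],
        capture_output=True, check=True)
    return out.stdout


if __name__ == "__main__":
    app, domain = sys.argv[1], sys.argv[2]
    issues = check_entitlements(read_entitlements(app), domain)
    print("\n".join(issues) or "entitlements OK")
    sys.exit(1 if issues else 0)
```

A clean result here only shows the entitlement is present in the signature; the picker behaviour and the error paths still need the manual run described above.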
