build: require signing identity for mac packaging

scripts/codesign-mac-app.sh

@@ -2,7 +2,7 @@
 set -euo pipefail
 
 APP_BUNDLE="${1:-dist/Clawdis.app}"
-IDENTITY="${SIGN_IDENTITY:--}"
+IDENTITY="${SIGN_IDENTITY:-}"
 ENT_TMP=$(mktemp /tmp/clawdis-entitlements.XXXXXX.plist)
 
 if [ ! -d "$APP_BUNDLE" ]; then
@@ -10,6 +10,38 @@ if [ ! -d "$APP_BUNDLE" ]; then
   exit 1
 fi
 
+select_identity() {
+  local preferred available first
+
+  # Prefer a Developer ID Application cert.
+  preferred="$(security find-identity -p codesigning -v 2>/dev/null \
+    | awk -F'\"' '/Developer ID Application/ { print $2; exit }')"
+
+  if [ -n "$preferred" ]; then
+    echo "$preferred"
+    return
+  fi
+
+  # Fallback to the first valid signing identity.
+  available="$(security find-identity -p codesigning -v 2>/dev/null \
+    | sed -n 's/.*\"\\(.*\\)\"/\\1/p')"
+
+  if [ -n "$available" ]; then
+    first="$(printf '%s\n' "$available" | head -n1)"
+    echo "$first"
+    return
+  fi
+
+  return 1
+}
+
+if [ -z "$IDENTITY" ]; then
+  if ! IDENTITY="$(select_identity)"; then
+    echo "ERROR: No signing identity found. Set SIGN_IDENTITY to a valid codesigning certificate." >&2
+    exit 1
+  fi
+fi
+
 echo "Using signing identity: $IDENTITY"
 
 cat > "$ENT_TMP" <<'PLIST'

scripts/package-mac-app.sh

@@ -88,7 +88,7 @@ fi
 echo "⏹  Stopping any running Clawdis"
 killall -q Clawdis 2>/dev/null || true
 
-echo "🔏 Signing bundle (ad-hoc by default; set SIGN_IDENTITY for real cert)"
-SIGN_IDENTITY="${SIGN_IDENTITY:--}" "$ROOT_DIR/scripts/codesign-mac-app.sh" "$APP_ROOT"
+echo "🔏 Signing bundle (auto-selects signing identity if SIGN_IDENTITY is unset)"
+"$ROOT_DIR/scripts/codesign-mac-app.sh" "$APP_ROOT"
 
 echo "✅ Bundle ready at $APP_ROOT"