feat(release): production Apple builds — notarized macOS dmg + iOS TestFlight

release.yml (v* tags / dispatch, macos-arm64 runner): universal mac +
iOS xcframework -> xcodebuild archive -> Developer ID export ->
notarytool + staple -> dmg on the Gitea release; iOS archive uploads
to TestFlight (app-store-connect/upload). Per-run throwaway keychain;
ASC API key authenticates notarization, upload, and automatic-signing
profile fetch. macOS App Store lane deferred (needs App Sandbox);
tvOS deferred (tier-3 Rust targets).

All app targets now share bundle ID io.unom.punktfunk — ONE App Store
listing with universal purchase (decided pre-submission; effectively
unchangeable after). ITSAppUsesNonExemptEncryption=false declared
(standard-algorithm AES-GCM, exempt).

build-xcframework.sh resolves Apple toolchains itself: cargo's HOST
artifacts (proc-macros, build scripts) are loaded by the running OS,
and a newer-than-OS beta Xcode ld emits LINKEDIT layouts dyld rejects
("mis-aligned LINKEDIT string pool" -> misleading E0463) — so prefer
a non-beta Xcode for everything, fall back to CLT for mac-only slices
(env untouched: an explicit DEVELOPER_DIR=<CLT> trips xcrun's license
check), refuse iOS/tvOS without a real Xcode (CLT has no iOS SDK).
The runner plist no longer injects DEVELOPER_DIR for the same reason.

punktfunk_Logo.icon: dropped the Xcode-27-beta-only Icon Composer
features (refractivity, specular-location) — 26.5's actool crashes on
them, and store builds must use release Xcode. Visual delta is the
refraction/specular nuance only; re-author when 27 ships.

Validated on home-mac-mini-1 with Xcode 26.5: mac+iOS xcframework
slices, unified bundle IDs, signing-free app build.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

scripts/build-xcframework.sh

@@ -14,6 +14,45 @@ TARGETS_MAC=(aarch64-apple-darwin x86_64-apple-darwin)
 BUILD_IOS="${BUILD_IOS:-0}" # BUILD_IOS=1 adds iOS device + simulator slices (rustup targets aarch64-apple-ios{,-sim})
 BUILD_TVOS="${BUILD_TVOS:-0}" # BUILD_TVOS=1 adds tvOS slices — TIER-3 Rust targets: needs `rustup toolchain install nightly` + `rustup component add rust-src --toolchain nightly`
 
+# Toolchain resolution. Cargo's HOST artifacts (proc-macros, build scripts) are loaded by
+# the RUNNING OS, so their linker must not be newer than it: a beta Xcode's ld emits
+# LINKEDIT layouts the current dyld rejects ("mis-aligned LINKEDIT string pool"), and
+# every proc-macro then dies with a misleading E0463 "can't find crate" — with the bad
+# artifacts cached (cargo doesn't fingerprint the linker; rm -rf target after fixing).
+# CLT is always dyld-safe but ships no iOS/tvOS SDKs. Resolution: a NON-BETA full Xcode
+# for everything; with only a beta installed, macOS slices build against CLT and
+# iOS/tvOS slices are refused.
+pick_nonbeta_xcode() {
+    local app
+    for app in /Applications/Xcode.app /Applications/Xcode*.app; do
+        case "$app" in *[Bb]eta*) continue ;; esac
+        [ -x "$app/Contents/Developer/usr/bin/xcodebuild" ] && { echo "$app/Contents/Developer"; return; }
+    done
+}
+case "${DEVELOPER_DIR:-}" in *[Bb]eta*) unset DEVELOPER_DIR ;; esac # never let a beta in via env
+if [[ -z "${DEVELOPER_DIR:-}" ]]; then
+    DEFAULT_DIR="$(xcode-select -p 2>/dev/null || true)"
+    case "$DEFAULT_DIR" in
+    *[Bb]eta*|*CommandLineTools*|'')
+        NONBETA="$(pick_nonbeta_xcode || true)"
+        if [[ -n "$NONBETA" ]]; then
+            export DEVELOPER_DIR="$NONBETA"
+        elif [[ "$BUILD_IOS" == "1" || "$BUILD_TVOS" == "1" ]]; then
+            echo "ERROR: iOS/tvOS slices need a full NON-BETA Xcode in /Applications" >&2
+            echo "       (CLT has no iOS SDK; a beta's ld breaks host proc-macro dylibs)." >&2
+            exit 1
+        elif [[ "$DEFAULT_DIR" != *CommandLineTools* ]]; then
+            echo "ERROR: xcode-select default is a beta (or missing) and no non-beta Xcode/CLT" >&2
+            echo "       fallback exists — install CLT or a release Xcode." >&2
+            exit 1
+        fi
+        # else: the default IS CLT — dyld-safe for the mac slices; deliberately leave the
+        # env untouched (an EXPLICIT DEVELOPER_DIR=<CLT> export trips xcrun's Xcode
+        # license check when a full Xcode is also installed).
+        ;;
+    esac # a non-beta xcode-select default is fine as-is
+fi
+
 # Deployment targets must match Package.swift's platforms, or every consumer link emits
 # "object file was built for newer macOS version" warnings.
 for t in "${TARGETS_MAC[@]}"; do
@@ -91,6 +130,19 @@ for obj in "$STAGE"/macos/libpunktfunk_core.a; do
     fi
 done
 
+# -create-xcframework needs a full Xcode (CLT has no xcodebuild) but does NO linking —
+# it only copies the libs and writes the bundle plist, so a beta Xcode is safe here.
+XCODEBUILD=(xcodebuild)
+if ! xcodebuild -version >/dev/null 2>&1; then
+    for app in /Applications/Xcode.app /Applications/Xcode*.app; do
+        if DEVELOPER_DIR="$app/Contents/Developer" xcodebuild -version >/dev/null 2>&1; then
+            XCODEBUILD=(env DEVELOPER_DIR="$app/Contents/Developer" xcodebuild)
+            echo "==> using $app for -create-xcframework"
+            break
+        fi
+    done
+fi
+
 rm -rf clients/apple/PunktfunkCore.xcframework
-xcodebuild -create-xcframework "${ARGS[@]}" -output clients/apple/PunktfunkCore.xcframework
+"${XCODEBUILD[@]}" -create-xcframework "${ARGS[@]}" -output clients/apple/PunktfunkCore.xcframework
 echo "OK: clients/apple/PunktfunkCore.xcframework"

scripts/ci/setup-macos-runner.sh

@@ -91,20 +91,10 @@ fi
 # runner ships as a root LaunchDaemon; installing it needs sudo once. Without sudo this
 # script still leaves a working (but reboot-volatile) nohup daemon behind.
 # PATH must carry the CLT tools, cargo, node and act_runner itself; jobs inherit it.
-# If the system developer dir is CLT-only but a full Xcode is installed, hand jobs a
-# DEVELOPER_DIR override — the per-process equivalent of `xcode-select -s`, no sudo needed.
-DEVELOPER_DIR_XML=""
-DEV_DIR=""
-if ! /usr/bin/xcodebuild -version >/dev/null 2>&1; then
-    for app in /Applications/Xcode.app /Applications/Xcode*.app; do
-        if DEVELOPER_DIR="$app/Contents/Developer" /usr/bin/xcodebuild -version >/dev/null 2>&1; then
-            DEV_DIR="$app/Contents/Developer"
-            DEVELOPER_DIR_XML="<key>DEVELOPER_DIR</key><string>$DEV_DIR</string>"
-            echo "==> using full Xcode at $app via DEVELOPER_DIR"
-            break
-        fi
-    done
-fi
+# Deliberately NO DEVELOPER_DIR here: cargo (rust ld) must stay on the system default —
+# a newer-than-OS Xcode's ld emits dylibs the running dyld rejects ("mis-aligned
+# LINKEDIT string pool"), breaking every proc-macro build. Steps that need a full Xcode
+# (xcodebuild) resolve it themselves (build-xcframework.sh, release.yml).
 
 PLIST_STAGE="$RUNNER_HOME/io.gitea.act_runner.plist"
 PLIST_SYSTEM="/Library/LaunchDaemons/io.gitea.act_runner.plist"
@@ -128,7 +118,6 @@ cat > "$PLIST_STAGE" <<EOF
         <key>PATH</key>
         <string>$HOME/.cargo/bin:$BIN_DIR:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
         <key>HOME</key><string>$HOME</string>
-        $DEVELOPER_DIR_XML
     </dict>
     <key>RunAtLoad</key><true/>
     <key>KeepAlive</key><true/>
@@ -150,7 +139,6 @@ else
         echo "==> no sudo: starting an interim daemon (dies on reboot)"
         (cd "$RUNNER_HOME" && \
             PATH="$HOME/.cargo/bin:$BIN_DIR:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin" \
-            ${DEV_DIR:+DEVELOPER_DIR="$DEV_DIR"} \
             nohup "$BIN_DIR/act_runner" daemon --config config.yaml >> runner.log 2>&1 &)
     fi
     echo "==> for the permanent (reboot-safe) runner, run once on the Mac:"
@@ -161,9 +149,8 @@ fi
 sleep 2
 tail -5 "$RUNNER_HOME/runner.log" 2>/dev/null || true
 
-if ! /usr/bin/xcodebuild -version >/dev/null 2>&1 && [ -z "$DEVELOPER_DIR_XML" ]; then
-    echo "WARNING: xcodebuild not usable (Command Line Tools only, no full Xcode found) —"
-    echo "         apple.yml's xcframework step needs a full Xcode in /Applications, with"
-    echo "         its license accepted once: sudo xcodebuild -license accept"
+if ! /usr/bin/xcodebuild -version >/dev/null 2>&1 && ! ls -d /Applications/Xcode*.app >/dev/null 2>&1; then
+    echo "WARNING: no full Xcode found — the xcframework/release steps need one in"
+    echo "         /Applications, with its license accepted once: sudo xcodebuild -license accept"
 fi
 echo "OK: runner '$RUNNER_NAME' labels=$LABELS instance=$INSTANCE"