Make Finder debug launcher just work without a signing identity

[morluto]

Issue

Double-clicking Launch RepoPrompt CE.command on a Mac without an Apple Development signing identity drops into a r/s/x/q retry loop that never succeeds. The launcher looks like a simple app launcher, but it is really a small retry UI around a build+package+relaunch pipeline:

Finder double-click
-> Launch RepoPrompt CE.command
-> ./conductor app relaunch
-> Scripts/run.sh
-> Scripts/package_app.sh debug
-> swift build RepoPrompt
-> swift build repoprompt-mcp
-> stop/open the app only after packaging succeeds

Because packaging runs before the app lifecycle step, any deterministic packaging failure returns the launcher to the same retry prompt. Pressing r reruns the same environment and hits the same failure again. There is no hint that the user is expected to set an environment variable in a separate Terminal.

What is confusing

The launcher presents itself as a one-click "build and relaunch" button, so a retry loop that never recovers reads as a broken app, not as a missing signing identity. The actual error (Debug ad-hoc signing is disabled by default. Set ALLOW_ADHOC_SIGNING=1 ...) is buried in the build log and the launcher never surfaces it as actionable guidance. The README documents the ALLOW_ADHOC_SIGNING=1 ./conductor app relaunch workaround, but a Finder-double-click user has no reason to read the README before clicking the launcher.

There were three layered blockers in that one pre-launch path, each masking the next:

1. On Macs without an Apple Development signing identity, debug packaging refused ad-hoc signing unless ALLOW_ADHOC_SIGNING=1 was set. The Finder launcher did not set that, so every retry failed at signing preflight.
2. Once ad-hoc signing was enabled, packaging reached SwiftPM and failed compiling KeyboardShortcuts because its design-time #Preview blocks required preview macro support that the command-line build does not load.
3. After that, first-party SwiftUI @Entry environment values hit the same class of command-line macro-plugin loading failure.

So even a user who found the ALLOW_ADHOC_SIGNING=1 workaround in the README would still hit two more build failures before the app opened.

Fix: the launcher just works

Launch RepoPrompt CE.command now detects the no-identity case up front and exports ALLOW_ADHOC_SIGNING=1 for its own conductor relaunch jobs, with a clear warning that debug secure storage will be in-memory. The double-click flow no longer requires the user to open Terminal or read the README first — the launcher just works.

A reactive fallback message was also added: if signing is still refused after the proactive configuration (e.g. environment mismatch or an invalid SIGN_IDENTITY), the launcher surfaces the explicit ALLOW_ADHOC_SIGNING=1 ./conductor app relaunch and SIGN_IDENTITY="Apple Development: ..." Terminal commands at the point of failure instead of just the generic retry prompt.

The two downstream build blockers are also fixed so the package phase actually completes:

• KeyboardShortcuts packaging patch: the existing SwiftPM checkout patcher now applies the resource lookup patch and a new preview-removal patch independently, so already-patched checkouts still get the preview fix.
• SwiftUI macro compatibility: first-party @Entry environment values are expanded into explicit EnvironmentKey definitions, with narrow SwiftFormat guards so formatting does not collapse them back to @Entry.

What changed

• Launch RepoPrompt CE.command: proactive configure_debug_signing detection that auto-enables ad-hoc signing when no Apple Development identity is found, plus a reactive fallback message if signing is still refused.
• Scripts/test_debug_app_process.py: hermetic launcher test with fake security and fake conductor commands to prove the fallback environment is passed through.
• Scripts/patch_keyboard_shortcuts_resource_lookup.sh + Scripts/patches/keyboardshortcuts-2.3.0-remove-previews.patch: independent application of the resource lookup and preview-removal patches.
• Sources/RepoPrompt/App/FontPreset.swift, Sources/RepoPrompt/Features/AgentMode/Views/AgentMessageBubble.swift, Sources/RepoPrompt/Features/AgentMode/Views/ToolCards/ToolCardContainer.swift, Sources/RepoPrompt/Infrastructure/UI/Markdown/MarkdownFileLinkInteraction.swift: @Entry -> explicit EnvironmentKey shims.

Reviewer guide

The branch is split into two commits:

1. 33a4680 Allow Finder debug launcher ad-hoc signing

   • Review first if you only care about the original Finder retry failure.
   • Important files: Launch RepoPrompt CE.command, Scripts/test_debug_app_process.py.

2. ca00bf6 Avoid SwiftUI macro plugin failures in debug packaging

   • Review second if you want the full debug package path to work under command-line SwiftPM.
   • Important files: Scripts/patch_keyboard_shortcuts_resource_lookup.sh, Scripts/patches/keyboardshortcuts-2.3.0-remove-previews.patch, and the four EnvironmentKey shims.

Notes

• Ad-hoc signing remains opt-in at the lower-level packager. This PR only makes the double-click Finder launcher opt in when it can prove there is no Apple Development identity and the caller did not already choose signing settings.
• The @Entry replacements are intended to be behavior-preserving. They avoid depending on SwiftUI macro plugins during command-line package builds.
• The KeyboardShortcuts preview patch removes design-time #Preview blocks only; it does not affect runtime library code.

Validation

• python3 Scripts/test_debug_app_process.py
• bash -n 'Launch RepoPrompt CE.command' Scripts/patch_keyboard_shortcuts_resource_lookup.sh
• ALLOW_ADHOC_SIGNING=1 ./conductor build --request-key debug-adhoc-signing-final
• .agents/skills/rpce-contribution-check/scripts/preflight.sh push