
release: configure code-signing + auto-updater secrets #10

Description

@victorlucss

Tracking issue for the one-time setup needed to ship signed, notarised, auto-updateable releases. The codebase is already wired (release workflow, `tauri-plugin-updater`, `createUpdaterArtifacts`, capability permission). What's missing is keys/secrets.

Steps (full instructions in `docs/RELEASE.md`):

  • Generate Tauri updater Ed25519 keypair locally; save private key off-tree.
  • Replace `pubkey` placeholder in `src-tauri/tauri.conf.json` with the real public key.
  • Add repo secrets:
    • `TAURI_SIGNING_PRIVATE_KEY`, `TAURI_SIGNING_PRIVATE_KEY_PASSWORD`
  • Apple Developer Program membership ($99/yr).
  • Create "Developer ID Application" certificate; export as .p12.
  • Add Apple secrets:
    • `APPLE_CERTIFICATE`, `APPLE_CERTIFICATE_PASSWORD`, `APPLE_SIGNING_IDENTITY`
    • For notarisation: `APPLE_ID`, `APPLE_PASSWORD` (app-specific), `APPLE_TEAM_ID`, `APPLE_NOTARIZE=true`
  • Cut a test release, install previous version, verify in-app updater finds + verifies + installs the new one.
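A preflight check for the steps above, as an added example that is not part of the original issue or the project's code. It assumes the key sits at `plugins.updater.pubkey` (Tauri v2 layout) as a base64-encoded minisign public key file, and that `APPLE_NOTARIZE=true` is what makes the notarisation secrets required; the function names are hypothetical.

```python
import base64
import json
import os
import sys

# Secret names exactly as listed in the issue.
SIGNING = ["TAURI_SIGNING_PRIVATE_KEY", "TAURI_SIGNING_PRIVATE_KEY_PASSWORD",
           "APPLE_CERTIFICATE", "APPLE_CERTIFICATE_PASSWORD", "APPLE_SIGNING_IDENTITY"]
NOTARISATION = ["APPLE_ID", "APPLE_PASSWORD", "APPLE_TEAM_ID"]

def check_pubkey(conf_text):
    """Return None if the updater pubkey is a minisign Ed25519 key, else a reason."""
    conf = json.loads(conf_text)
    # Assumption: Tauri v2 layout, plugins.updater.pubkey.
    pubkey = conf.get("plugins", {}).get("updater", {}).get("pubkey")
    try:
        key_file = base64.b64decode(pubkey, validate=True).decode("utf-8")
        raw = base64.b64decode(key_file.splitlines()[1], validate=True)
    except (ValueError, IndexError, TypeError):
        return "pubkey is not a base64-encoded minisign key file (placeholder left in?)"
    # Assumed minisign layout: 2-byte algorithm id "Ed", 8-byte key id, 32-byte key.
    if len(raw) != 42 or raw[:2] != b"Ed":
        return "pubkey does not decode to a 42-byte Ed25519 minisign key"
    return None

def missing_secrets(env):
    """Listed secret names that are unset or empty in env."""
    needed = list(SIGNING)
    if env.get("APPLE_NOTARIZE") == "true":  # assumption: this flag gates notarisation
        needed += NOTARISATION
    return [name for name in needed if not env.get(name)]

def preflight(conf_text, env):
    """All problems found; an empty list means the setup steps look complete."""
    problems = ["missing secret: " + n for n in missing_secrets(env)]
    reason = check_pubkey(conf_text)
    return problems + ([reason] if reason else [])

def constructed_conf():
    """Constructed sample config with an all-zero dummy key (not a real key)."""
    raw = base64.b64encode(b"Ed" + bytes(40)).decode()
    key_file = "untrusted comment: minisign public key: 0\n" + raw + "\n"
    pubkey = base64.b64encode(key_file.encode()).decode()
    return json.dumps({"plugins": {"updater": {"pubkey": pubkey}}})

if __name__ == "__main__":
    with open("src-tauri/tauri.conf.json") as fh:
        found = preflight(fh.read(), os.environ)
    print("\n".join(found) or "release preflight: ok")
    sys.exit(1 if found else 0)
```

Run as an early job step with the secrets mapped into the environment; it reports only which names are missing and never prints secret values.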


Labels: documentation (Improvements or additions to documentation)
