fix(desktop): repair macOS updater helper

[helix4u]

What does this PR do?

Repairs the staged macOS updater helper before Hermes Desktop hands off an in-app update to it.

Desktop launches ~/.hermes/hermes-setup --update ... when a staged bootstrap installer exists. On affected macOS installs, Gatekeeper can reject that helper as damaged before it ever runs. The existing macOS relaunch repair handles the rebuilt Hermes.app bundle, but the separately staged helper was copied into HERMES_HOME without any quarantine/signature repair.

This adds best-effort macOS repair in both places that matter:

• after the bootstrap installer copies itself to ~/.hermes/hermes-setup
• immediately before Desktop spawns an already-staged helper for update handoff

The repair clears quarantine and only ad-hoc signs the helper when codesign --verify fails, so a valid signed helper is not force-re-signed.

Related Issue

N/A - observed in Discord support thread 1512387943531286718 from a macOS Desktop update failure where the log showed Desktop launching ~/.hermes/hermes-setup --update --branch main --target-app ..., and the screenshot showed macOS rejecting hermes-setup as damaged.

Type of Change

• 🐛 Bug fix (non-breaking change that fixes an issue)
• ✨ New feature (non-breaking change that adds functionality)
• 🔒 Security fix
• 📝 Documentation update
• ✅ Tests (adding or improving test coverage)
• ♻️ Refactor (no behavior change)
• 🎯 New skill (bundled or hub)

Changes Made

• apps/bootstrap-installer/src-tauri/src/paths.rs: repair the staged macOS helper after copying the installer into HERMES_HOME.
• apps/desktop/electron/main.cjs: repair an existing staged macOS helper before Desktop spawns it for in-app update handoff.

How to Test

1. On macOS, install Hermes Desktop through the bootstrap installer so ~/.hermes/hermes-setup exists.
2. Apply quarantine to the staged helper, or reproduce from a downloaded/quarantined helper that macOS reports as damaged.
3. Press Update now in Hermes Desktop and confirm the helper is repaired before update handoff instead of being blocked by Gatekeeper.

Local validation performed:

• node --check apps/desktop/electron/main.cjs
• git diff --check -- apps/bootstrap-installer/src-tauri/src/paths.rs apps/desktop/electron/main.cjs

Not run locally:

• cargo fmt / rustfmt / Rust compile checks: Rust tooling is not installed in this WSL environment.
• Full pytest suite: not relevant to this Electron/Rust installer helper path, and left to CI.

Checklist

Code

• I've read the Contributing Guide
• My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
• I searched for existing PRs to make sure this isn't a duplicate
• My PR contains only changes related to this fix/feature (no unrelated commits)
• I've run pytest tests/ -q and all tests pass
• I've added tests for my changes (required for bug fixes, strongly encouraged for features)
• I've tested on my platform: WSL/Linux syntax checks only; macOS validation needed

Documentation & Housekeeping

• I've updated relevant documentation (README, docs/, docstrings) — or N/A
• I've updated cli-config.yaml.example if I added/changed config keys — or N/A
• I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A
• I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
• I've updated tool descriptions/schemas if I changed tool behavior — or N/A

Screenshots / Logs

Support evidence:

• macOS screenshot: "hermes-setup" is damaged and can't be opened. You should move it to the Bin.
• Desktop log: repeated update handoff to ~/.hermes/hermes-setup --update --branch main --target-app .../Hermes.app

[tonydwb]

Approved. Narrow macOS updater helper repair — well-scoped, no issues.