Exercises the full run() pipeline using fake shell scripts on PATH that
record their argv to a temp RECORD_DIR. Verifies all external commands
were invoked, outputs contain the expected version/app/artifact values,
ditto was called twice (pre- and post-staple), and security delete-keychain
ran during cleanup.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
DeveloperIDCertBase64 is the .p12 contents and equally sensitive as
the password — register it with the log scrubber so a future code
path that accidentally wraps cfg in a debug log can't leak it. Also
documents why maskSecrets writes to stdout rather than stderr.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
