…occode-dev

Aligns package-lock.json with the ticket-039 branding rename already applied
to package.json and other manifests.

Co-Authored-By: Claude Haiku 4.5 <[email protected]>

Add conditional guards to macOS build steps that require Apple signing
and notarization secrets. Steps will skip gracefully when:
- APPLE_CERTIFICATE_P12_BASE64 is missing (skips signing)
- APPLE_API_KEY_P8 is missing (skips notarization)

This allows macOS builds to complete successfully on feature branches
and forks without signing secrets, while still producing artifacts.
Mirrors the existing Windows conditional signing pattern.

Steps that skip when P12 certificate missing:
- Import certificate to keychain
- Sign app
- Verify signature

Steps that skip when both P12 and API key missing:
- Notarize
- Staple notarization ticket
- Re-zip stapled app

Always-run steps (no change):
- Zip signed app
- Upload signed app artifact
- Create GitHub Release

Co-Authored-By: Claude Haiku 4.5 <[email protected]>

Add comprehensive build caching to reduce CI build times:

**Workflow changes** (.github/workflows/build-macos.yml):
- Extend npm tarball cache to cover apps/editor/build/package-lock.json
  (previously only cached main package-lock.json)
- Add per-platform node_modules caching keyed on OS+arch+lockfile hash
  - macOS: keys like node-modules-macOS-arm64-<hash>
  - Windows: keys like node-modules-Windows-x64-<hash>
- Add Electron gyp headers caching keyed on OS+arch+Electron version
  - macOS: caches ~/.electron-gyp
  - Windows: caches ~/AppData/Roaming/electron-gyp
- Pass CI_DEPS_READY flag from cache-hit output to build env

**Makefile changes** (build-core target):
- Add conditional to skip npm ci when CI_DEPS_READY=true
- Required because npm ci always deletes node_modules before installing
- Avoids redundant compilation of native modules on cache hit

**Expected improvements**:
- Windows builds: ~25-35% faster on warm cache (skip npm rebuild)
- macOS builds: ~20-25% faster on warm cache
- npm tarball re-downloads eliminated for build toolchain

First run populates cache; second run benefits from hits.
Fallback restore-keys allow partial hits when lock files change.

**New ticket**: .tickets/ticket-050-ci-build-caching/prd.md

Co-Authored-By: Claude Haiku 4.5 <[email protected]>

The CI caching changes skipped npm ci on cache hit, which prevented
postinstall.js from running and native module rebuilds. This broke Windows
builds because native modules like vscode-policy-watcher.node weren't compiled.

Now @electron/rebuild always runs after npm install (cache hit or not),
using the explicit Electron 34.3.2 version and architecture targeting.
This ensures:
- Native modules are compiled for Electron 34.3.2 on every build
- Uses the same approach as v3.5.2 (before the issue was introduced)
- Explicit version/arch targeting is more reliable than relying on npm rebuild
- Cache hit doesn't cause missing .node binaries at startup
- Windows CI builds succeed consistently

Fixes v3.5.3+ "could not locate vscode-policy-watcher.node" startup error.

Co-Authored-By: Claude Haiku 4.5 <[email protected]>

The upload and GitHub Release steps were looking for the signed zip
(-signed.zip), which only exists when APPLE_CERTIFICATE_P12_BASE64 is
present. When secrets are missing, only the unsigned zip is created,
but the upload step failed silently.

Now both artifact upload and GitHub Release steps accept multiple paths
(signed and unsigned), and will upload whichever artifacts exist.
This allows macOS builds without signing secrets to still publish
artifacts and release builds.

Changes:
- Upload step path: accepts both -signed.zip and .zip
- GitHub Release step files: accepts both -signed.zip and .zip
- Both use continue-on-error: true to handle missing files gracefully

Impact:
- Feature branch builds (no secrets) now publish unsigned artifacts
- Release builds (with secrets) still publish signed artifacts
- CI is more graceful when secrets are missing

Co-Authored-By: Claude Haiku 4.5 <[email protected]>