fix(install): ad-hoc sign corvus so curl|bash works on Apple Silicon, add uninstall.sh #29

Merged
0x7067 merged 4 commits into ravnhq:main from raulpenate:hotfix/workaround-for-running-bin-without-apple-dev-account on May 6, 2026
raulpenate commented Apr 23, 2026

Hotfix: corvus install broken on Apple Silicon + new uninstall.sh

This PR ships two things:

  1. A fix for the curl | bash installer, which currently places a binary that is SIGKILL'd on launch on Apple Silicon.
  2. A new uninstall.sh companion script for symmetric teardown.

A follow-up commit (3eaa245) tightens the UX and de-duplicates the signing logic; see the "Follow-up" section below.


1. Install fix

Problem

curl -fsSL .../install.sh | bash completes successfully, but corvus --version exits 137 on arm64 Macs with a "cannot verify developer / Apple ID required" Gatekeeper dialog.

Root cause

Bun's bun build --compile output carries a malformed LC_CODE_SIGNATURE stub (load command declares datasize=140912, embedded blob header declares 480562). Any codesign --sign - call reads the broken stub first and bails with invalid or unsupported format for signature. The arm64 kernel then refuses to exec the unsigned Mach-O.

Three places should have caught this and all three silently swallowed the failure:

  • install.sh: codesign --sign - … 2>/dev/null || true
  • cli-ts/scripts/build.sh — same pattern
  • .github/workflows/cli-build.yml — no verification, so the broken binary was published to cli-latest as code object is not signed at all

The fix

Two-command sequence, applied in all three places:

codesign --remove-signature <binary>   # strip Bun's malformed stub
codesign --force --sign - <binary>     # ad-hoc sign (no Apple Developer cert)

Ad-hoc signing (identity -) is the $0 path used by Homebrew bottles, uv, fnm, etc. It satisfies the kernel's "must have a valid signature" check without a $99 Developer ID.

CI regression guard

Added codesign -dv "$outfile" after signing in cli-build.yml. This is what would have caught today's bug — without it, CI can silently ship an unsigned binary again.


2. New uninstall.sh

Symmetric companion to install.sh, for clean teardown and for testing install/reinstall cycles.

Behavior

  • Removes corvus from /usr/local/bin and ~/.local/bin
  • Falls back to sudo rm when the target directory isn't user-writable
  • Idempotent — running it twice prints "nothing to remove" on the second run
  • Leaves user-installed skills alone (those belong to corvus uninstall <skill>)

Usage

curl -fsSL https://raw.githubusercontent.com/ravnhq/ai-toolkit/main/uninstall.sh | bash

Follow-up: tightening (commit 3eaa245)

A small round of UX and robustness fixes on top of the hotfix. Scripts grew from 50 + 27 lines to ~80 + ~80; no new dependencies.

install.sh

  • trap 'rm -f "$TMP"' EXIT — mid-run failures no longer orphan temp files in /tmp.
  • curl -fL --progress-bar (was -fsSL) — visible download progress instead of silent pause.
  • Hard-fail on codesign failure on Darwin. The previous warn-and-continue still installed an unsigned binary the kernel was about to kill. Now it aborts and points at xcode-select --install.
  • Detects an existing install and logs Replacing existing corvus (<version>)… so re-runs aren't silent overwrites.
  • ~/.local/bin fallback now (a) only prints the PATH nag if the dir isn't already on $PATH, and (b) tailors the suggestion to the user's $SHELL (zsh/bash/fish) — exact copy-pasteable command instead of a vague "add it to your PATH".

uninstall.sh

  • --purge flag — also removes ~/.corvus/ (config + corvus install <skill> state) after listing its contents and asking [y/N]. Requires a TTY; piped stdin is refused.
  • Verifies each rm actually removed the target; exits non-zero if anything is still present afterward.
  • Rejects unknown args with a usage line and exit 2.

scripts/sign-macos.sh (new)

Extracts the xattr/remove-signature/ad-hoc-sign sequence into a shared helper. cli-ts/scripts/build.sh and .github/workflows/cli-build.yml now call it instead of inlining. install.sh keeps an inline copy (curl|bash has no repo checkout) with a comment flagging it as the mirror — future Bun fixes touch two places instead of three.


Testing

What's verified

  • Bug reproduced against main on macOS 26.2 / Apple Silicon: corvus --version → exit 137, codesign -dv → code object is not signed at all.
  • Fix verified on this branch: corvus --version → 0.1.1 exit 0, codesign -dv → Signature=adhoc.
  • uninstall.sh removes the binary and is idempotent.
  • All shell scripts pass bash -n.
  • sign-macos.sh rejects missing arg (exit 2) and missing file (exit 1).
  • uninstall.sh --purge refuses without a TTY; uninstall.sh --bogus exits 2 with usage.

Still to check

  • CI run on this PR: new codesign -dv step passes for both darwin slices.
  • Post-merge: the republished cli-latest binary is Signature=adhoc directly from the release, not relying on client-side fixup.
  • End-to-end: bash install.sh against the rebuilt release, then bash uninstall.sh --purge in an interactive shell.

Try it without merging

# wipe any prior install
sudo rm -f /usr/local/bin/corvus; rm -f ~/.local/bin/corvus

# install from this branch
curl -fsSL https://raw.githubusercontent.com/raulpenate/ai-toolkit/hotfix/workaround-for-running-bin-without-apple-dev-account/install.sh | bash
corvus --version
codesign -dv "$(command -v corvus)"

# undo
curl -fsSL https://raw.githubusercontent.com/raulpenate/ai-toolkit/hotfix/workaround-for-running-bin-without-apple-dev-account/uninstall.sh | bash
# or, nuclear:
curl -fsSL .../uninstall.sh | bash -s -- --purge   # note: --purge needs a TTY; run locally

Out of scope

  • Proper Developer ID signing / notarization (still $99/yr — what this PR deliberately avoids).
  • Upstreaming the Bun signature-stub bug to oven-sh/bun (worth a follow-up issue).
  • SHA256 checksum verification in install.sh (requires publishing checksums from the release workflow — separate PR).
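
Added example, not part of this PR or the ravnhq/ai-toolkit repository: a Python check that compares the LC_CODE_SIGNATURE datasize with the length declared in the embedded signature blob header, which is the mismatch described under "Root cause" above, and which runs on a build host that has no codesign. It assumes a thin (non-universal) 64-bit Mach-O and treats a blob length larger than datasize as malformed; the function names and the constructed sample image are hypothetical.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF                 # thin 64-bit Mach-O (little-endian on disk)
LC_CODE_SIGNATURE = 0x1D
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0  # SuperBlob magic (big-endian)


def check_code_signature(macho: bytes) -> str:
    """Return 'unsigned', 'consistent' or 'malformed' for a thin 64-bit Mach-O."""
    if len(macho) < 32:
        raise ValueError("not a thin 64-bit Mach-O")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit Mach-O")
    off, end = 32, 32 + sizeofcmds
    if end > len(macho):
        return "malformed"
    for _ in range(ncmds):
        if off + 8 > end:
            return "malformed"
        cmd, cmdsize = struct.unpack_from("<2I", macho, off)
        if cmdsize < 8 or off + cmdsize > end:
            return "malformed"
        if cmd == LC_CODE_SIGNATURE:
            if cmdsize < 16:
                return "malformed"
            dataoff, datasize = struct.unpack_from("<2I", macho, off + 8)
            if datasize < 8 or dataoff + datasize > len(macho):
                return "malformed"
            # SuperBlob header: magic, then the blob's own total length.
            blob_magic, blob_len = struct.unpack_from(">2I", macho, dataoff)
            ok = blob_magic == CSMAGIC_EMBEDDED_SIGNATURE and blob_len <= datasize
            return "consistent" if ok else "malformed"
        off += cmdsize
    return "unsigned"


def build_sample(datasize: int, blob_len: int) -> bytes:
    """Constructed image: header + one LC_CODE_SIGNATURE command + blob header."""
    dataoff = 32 + 16
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 16, 0, 0)
    cmd = struct.pack("<4I", LC_CODE_SIGNATURE, 16, dataoff, datasize)
    blob = struct.pack(">3I", CSMAGIC_EMBEDDED_SIGNATURE, blob_len, 0)
    return header + cmd + blob.ljust(datasize, b"\0")


if __name__ == "__main__":
    # Sizes quoted in the PR description: datasize=140912, blob header=480562.
    print(check_code_signature(build_sample(140912, 480562)))
```

A "malformed" or "unsigned" result on a release artifact is a reason to fail the build before publishing; `codesign -dv` on a macOS runner remains the authoritative check.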

raulpenate and others added 2 commits April 22, 2026 21:05
… signing

Bun's --compile output carries an LC_CODE_SIGNATURE load command with a
mismatched signature blob, so `codesign --sign -` fails with "invalid or
unsupported format" and silently leaves the binary unsigned. On Apple
Silicon the kernel then SIGKILLs on exec, surfacing as the "Apple ID
required" Gatekeeper prompt.

Remove the stub with `codesign --remove-signature` first, then
`codesign --force --sign -`. Applied in install.sh (rescues the current
release), cli-ts/scripts/build.sh (local builds), and cli-build.yml
(future releases). Added `codesign -dv` to CI so the build fails loudly
if signing ever silently no-ops again.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Mirror install.sh: remove corvus from both /usr/local/bin and
~/.local/bin, use sudo where needed, idempotent if nothing's installed.
Does not touch user-installed skills — those belong to `corvus uninstall`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
raulpenate changed the title from "fix(install): ad-hoc sign corvus so curl|bash works on Apple Silicon" to "fix(install): ad-hoc sign corvus so curl|bash works on Apple Silicon, add uninstall.sh" on Apr 23, 2026
raulpenate and others added 2 commits April 23, 2026 00:43
…helper

install.sh:
- trap temp file on EXIT so mid-run failures don't leak /tmp files
- curl --progress-bar for visible download progress
- hard-fail on codesign failure instead of shipping a binary Gatekeeper kills
- detect existing install and log the version being replaced
- tailor the ~/.local/bin PATH hint to the user's shell (zsh/bash/fish);
  skip the hint entirely if ~/.local/bin is already on PATH

uninstall.sh:
- --purge flag removes ~/.corvus/ after interactive y/N (requires TTY)
- verify each rm actually removed the target; exit non-zero on failure
- reject unknown args with usage/exit 2

scripts/sign-macos.sh (new):
- shared helper for the Bun xattr/remove-signature/ad-hoc-sign sequence
- cli-ts/scripts/build.sh and .github/workflows/cli-build.yml call it
- install.sh keeps an inline copy (curl|bash has no repo checkout); a
  comment marks it as the inline mirror to keep in sync

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
0x7067 merged commit fcd2a40 into ravnhq:main on May 6, 2026
3 checks passed