feat(lume): restructure release binary as .app bundle for bridged networking

[f-trycua]

Summary

• Restructures the lume release artifact from a standalone CLI binary into a macOS .app bundle so that a provisioning profile can be loaded, enabling the com.apple.vm.networking restricted entitlement for bridged networking in release builds
• Adds Info.plist template, re-adds com.apple.vm.networking to lume.entitlements, and updates all build/install/uninstall scripts to handle the .app bundle format
• Updates CD workflow to inject provisioning profile from a GitHub secret (PROVISIONING_PROFILE_BASE64)

Details

The .app bundle is purely a packaging mechanism — lume remains a CLI tool. A shell wrapper script at the install location (~/.local/bin/lume) exec's into the binary inside the .app bundle (~/.local/share/lume/lume.app/Contents/MacOS/lume).

Files changed

• libs/lume/resources/Info.plist (new) — Template with __VERSION__ placeholder, LSUIElement: true
• libs/lume/resources/lume.entitlements — Re-added com.apple.vm.networking
• libs/lume/scripts/build/build-release-notarized.sh — Assembles .app bundle, signs inner binary + outer bundle, embeds provisioning profile
• libs/lume/scripts/build/build-release.sh — Assembles .app bundle with ad-hoc signing
• libs/lume/scripts/install.sh — Installs .app bundle, creates wrapper script, auto-updater handles both formats
• libs/lume/scripts/install-local.sh — Conditional .app bundle when --bridged-entitlement is used
• libs/lume/scripts/uninstall.sh — Cleans up .app bundle and share directory
• .github/workflows/cd-swift-lume.yml — Adds PROVISIONING_PROFILE_BASE64 secret + install step

Still needed (manual steps)

• Obtain the provisioning profile from Apple Developer portal (Developer ID profile with com.apple.vm.networking for bundle ID com.trycua.lume)
• Add PROVISIONING_PROFILE_BASE64 as a GitHub Actions secret
• Commit embedded.provisionprofile to libs/lume/resources/

Closes #1076

Test plan

• Run build-release.sh locally, verify .app bundle structure and binary launches from inside it
• Verify Bundle.module resource resolution: lume.app/Contents/MacOS/lume config network interfaces
• Test wrapper script delegates correctly
• Run install-local.sh --bridged-entitlement, verify .app is installed and wrapper works
• Run uninstall.sh, verify all artifacts are cleaned up
• Test migration from standalone binary to .app bundle via install.sh
• CI: verify CD workflow succeeds with provisioning profile secret set

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	Feb 13, 2026 2:19am

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🏷️ Required labels (at least one) (1)

• rabbit

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch lume-app-bundle

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

📦 Publishable packages changed

• lume

Add release:<service> labels to auto-release on merge (+ optional bump:minor or bump:major, default is patch).
Or add no-release to skip.

[github-actions]

📦 Publishable packages changed

• lume

Add release:<service> labels to auto-release on merge (+ optional bump:minor or bump:major, default is patch).
Or add no-release to skip.