fix: add hardened runtime and notarization status check (v2.4.1)

- Add --options runtime to codesign (required for Apple notarization)
- Capture notarytool output and fail explicitly if status != Accepted
- Prevents stapler from running when notarization is rejected

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
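
The status gate this commit message describes, sketched as an added example; it is not the project's own build script. The function names, the argument order and the two sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: gate stapling on the notarytool result.
# Function names and arguments are hypothetical, not taken from the project.

# Constructed sample outputs, shaped like `notarytool submit --wait` text output.
SAMPLE_ACCEPTED='Waiting for processing to complete.
Current status: In Progress...
Current status: Accepted....Processing complete
  id: 00000000-0000-0000-0000-000000000000
  status: Accepted'
SAMPLE_INVALID='Waiting for processing to complete.
Current status: In Progress...
Current status: Invalid....Processing complete
  id: 00000000-0000-0000-0000-000000000000
  status: Invalid'

# Print the value of the last line that starts with "status:".
# "Current status: ..." progress lines do not match, so only the
# final summary line is considered.
notary_status() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*status:[[:space:]]*//p' \
        | tail -n 1
}

# Succeed only when the final status is exactly "Accepted".
# Empty or unparsable output counts as a failure.
notary_accepted() {
    [ "$(notary_status "$1")" = "Accepted" ]
}

# Sign with the hardened runtime, submit, and staple only on Accepted.
# $1 = app bundle, $2 = archive to submit, $3 = signing identity,
# $4 = keychain profile name (all supplied by the caller).
notarize_and_staple() {
    codesign --force --options runtime --timestamp --sign "$3" "$1" || return 1
    out=$(xcrun notarytool submit "$2" --keychain-profile "$4" --wait 2>&1)
    printf '%s\n' "$out"
    if ! notary_accepted "$out"; then
        echo "notarization failed: status='$(notary_status "$out")'" >&2
        return 1
    fi
    xcrun stapler staple "$1"
}
```

Only `notarize_and_staple` needs macOS tooling; the parsing functions can be checked on any POSIX shell against saved notarytool output.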