CEF and Sparkle signing hardened

This bug-fix release fixes packaged-browser signing for release builds. The release script now signs Sparkle, the Chromium Embedded Framework libraries, CEF helper apps, KajiHookClient, and the app bundle in a more deliberate inside-out order.

Basically: fewer mysterious release-only browser failures, more boring builds. Boring is good here.

• Added reusable release signing helpers with a default ad-hoc signing identity
• Signed Sparkle, CEF framework libraries, CEF helper apps, KajiHookClient, and the final app bundle
• Extended bundle validation to check CEF framework, helper app, and full app signatures
• Added a CEF log file under the browser profile for easier release debugging

Resource bundle layout cleaned up

Kaji_Kaji.bundle now lives only where the packaged app expects it: inside Contents/Resources. The validator also fails if the resource bundle accidentally lands at the app bundle root again.

• Removed the duplicate root-level resource bundle copy from release packaging
• Added validation for correct Kaji_Kaji.bundle placement
• Bumped Kaji to 0.1.5 build 535