Refactor cmux bundle signing into a shared script with checked-in entitlements (#2908)
Two changes consolidate the inside-out signing work introduced by PRs #2902, #2905, and #2906 into something a future reader can understand without reading two 40-line YAML blocks:

- Check in cmux.release.entitlements and cmux.nightly.entitlements, each with the right application-identifier and team-identifier baked in. Replaces the PlistBuddy-at-sign-time injection that copies cmux.entitlements and mutates it per workflow run.
- Extract the five-step inside-out signing logic (helpers, plugins, frameworks, main bundle, verification) into scripts/sign-cmux-bundle.sh. Both nightly.yml and release.yml shrink to one line that calls the script with the right entitlements file.

No behavior change versus PR #2906 at steady state: same order, same --deep boundaries, same grep-based post-sign asserts. The script also refuses to sign if a helper ends up with the main app's application-identifier, so future regressions surface at build time rather than on launch under amfi.

Co-authored-by: Lawrence Chen <lawrencecchen@users.noreply.github.com>
Lawrence Chen committed
c5f2e8c1525ab73e96f58fb8a05f2c15e29a8bbf
Parent: 02f741c
Committed by GitHub <noreply@github.com>
on 4/15/2026, 5:56:03 AM
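
The helper guard mentioned in the commit message, sketched as an added example; it is not the contents of scripts/sign-cmux-bundle.sh, which this page does not show. The function names `app_id` and `helper_ok` are hypothetical, and the entitlements documents and `TEAMID0000.com.example.app` identifier are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample entitlements (placeholders, not cmux's real values).
# On macOS the XML would come from: codesign -d --entitlements :- <path>
MAIN_ENT='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>application-identifier</key>
  <string>TEAMID0000.com.example.app</string>
</dict></plist>'

# Helper signed as intended: no application-identifier of its own.
HELPER_ENT='<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
</dict></plist>'

# Regression case: helper signed with the main bundle's entitlements file.
BAD_HELPER_ENT=$MAIN_ENT

# Read entitlements XML on stdin and print the application-identifier value.
# Newlines are stripped first so one-line and pretty-printed plists both match.
app_id() {
  tr -d '\n' |
    sed -n 's|.*<key>application-identifier</key>[[:space:]]*<string>\([^<]*\)</string>.*|\1|p'
}

# helper_ok MAIN_XML HELPER_XML
# Returns 0 if the helper may ship, 1 if it carries the main app's identifier,
# 2 if the main bundle's identifier cannot be read (nothing to compare against).
helper_ok() {
  main_id=$(printf '%s' "$1" | app_id)
  helper_id=$(printf '%s' "$2" | app_id)
  if [ -z "$main_id" ]; then
    echo "main bundle has no application-identifier" >&2
    return 2
  fi
  if [ "$helper_id" = "$main_id" ]; then
    echo "refusing to sign: helper carries $main_id" >&2
    return 1
  fi
  return 0
}

for name in HELPER_ENT BAD_HELPER_ENT; do
  eval "ent=\$$name"
  if helper_ok "$MAIN_ENT" "$ent" 2>/dev/null; then
    echo "$name: ok"
  else
    echo "$name: rejected"
  fi
done
```

Running the comparison before the final signing step makes a wrong entitlements file fail the build, which is the failure mode the commit message says should surface at build time rather than at launch.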