feat(mac): native Swift menubar app + one-command install

Introduces mac/ with a native SwiftUI menubar app that replaces the
previous SwiftBar plugin entirely. Install via `npx codeburn menubar`,
which downloads the .app from GitHub Releases, strips Gatekeeper
quarantine, and drops it into ~/Applications.

Highlights

- mac/ SwiftUI app: agent tabs, Today/7/30/Month/All period switcher,
  Trend/Forecast/Pulse/Stats/Plan insights, activity + model
  breakdowns, optimize findings, CSV/JSON export, Star-on-GitHub
  banner, live 60s refresh, instant currency switching with offline FX
  cache.
- Security: CodeburnCLI argv-based spawn (no shell interpretation),
  SafeFile symlink guards + O_NOFOLLOW writes, FX rate clamping to
  [0.0001, 1_000_000], keychain filtered to account == "default",
  removed byte-window credential log, in-flight refresh guard, POSIX
  flock on config.json writes, TerminalLauncher validates argv before
  AppleScript interpolation.
- Performance: shared static NumberFormatter (thousands of allocations
  per popover redraw eliminated), concurrent pipe drain with 20 MB cap
  + 60s timeout in DataClient, Observation-tracked reactive UI, 5-min
  payload cache keyed on (period, provider).
- CLI: new `codeburn menubar` subcommand that downloads + installs +
  launches the .app (no clone, no build). New `status --format
  menubar-json` payload builder. `export` rewritten to produce a
  folder of one-table-per-file CSVs with a `.codeburn-export` marker
  so arbitrary -o paths cannot be silently deleted.
- Removed: src/menubar.ts (SwiftBar plugin generator),
  install-menubar / uninstall-menubar subcommands, `status --format
  menubar` directive output, tests/menubar.test.ts,
  tests/security/menubar-injection.test.ts.
- Release: .github/workflows/release-menubar.yml builds universal
  binary, assembles .app, ad-hoc signs, zips, uploads on mac-v* tag
  push. Runs on the free macos-latest runner.

Tests

- 230 TypeScript tests pass
- 10 Swift CapacityEstimator tests pass
- TypeScript typecheck clean
- Swift release build clean

mac/Sources/CodeBurnMenubar/Security/TerminalLauncher.swift

@@ -0,0 +1,40 @@
+import AppKit
+import Foundation
+
+/// Opens a codeburn subcommand in the user's Terminal. The argv is validated through
+/// `CodeburnCLI.isSafe` before it's interpolated into AppleScript so there's no path for a
+/// rogue environment variable to smuggle shell metacharacters into the `do script` call.
+/// Falls back to a detached headless spawn on machines without Terminal.app (iTerm/Ghostty/Warp
+/// users) so the subcommand still runs.
+enum TerminalLauncher {
+    private static let terminalPaths = [
+        "/System/Applications/Utilities/Terminal.app",
+        "/Applications/Utilities/Terminal.app",
+    ]
+
+    static func open(subcommand: [String]) {
+        let argv = CodeburnCLI.baseArgv() + subcommand
+        guard argv.allSatisfy(CodeburnCLI.isSafe) else {
+            NSLog("CodeBurn: refusing to open terminal with unsafe argv")
+            return
+        }
+        let command = argv.joined(separator: " ")
+
+        if terminalPaths.contains(where: FileManager.default.fileExists(atPath:)) {
+            let script = """
+            tell application "Terminal"
+                activate
+                do script "\(command)"
+            end tell
+            """
+            let process = Process()
+            process.executableURL = URL(fileURLWithPath: "/usr/bin/osascript")
+            process.arguments = ["-e", script]
+            try? process.run()
+            return
+        }
+
+        let headless = CodeburnCLI.makeProcess(subcommand: subcommand)
+        try? headless.run()
+    }
+}