ci: de-nix macOS binary libiconv via install_name_tool + re-sign

libiconv is the only /nix/store dep the darwin stdenv bakes in (everything
else is system frameworks + libSystem/libobjc). The smoke-test now rewrites
that load path to /usr/lib/libiconv.2.dylib (ABI-compatible, present on
every Mac), re-signs ad-hoc (install_name_tool breaks the sig; arm64
requires a valid one), then verifies no /nix/store paths remain, the
signature is valid, and the native binary launches. Flake comment updated
to reflect the propagated-libiconv reality.

flake.nix

@@ -63,11 +63,12 @@
           buildInputs = buildInputs ++ pkgs.lib.optionals pkgs.stdenv.isDarwin [
             # macOS release builds (aarch64/x86_64-apple-darwin) link AppKit
             # (arboard) + libSystem; the Apple SDK provides those framework/
-            # system-lib stubs as *system* paths (/usr/lib, /System/Library), so
-            # the resulting binary is portable. NOTE: do NOT add `pkgs.libiconv`
-            # — it makes the linker prefer the nix-store libiconv.dylib, baking a
-            # /nix/store path into the binary (non-portable). The SDK's own
-            # libiconv stub resolves `-liconv` to /usr/lib/libiconv instead.
+            # system-lib stubs as *system* paths (/usr/lib, /System/Library).
+            # NOTE: the darwin stdenv still propagates a *nix-store* libiconv and
+            # links it regardless of inputs, so the release workflow rewrites that
+            # one load path to /usr/lib/libiconv.2.dylib (install_name_tool) and
+            # re-signs — see release-macos / the macOS smoke-test. Adding
+            # `pkgs.libiconv` here would only reinforce the wrong path, so don't.
             pkgs.apple-sdk
           ];
           nativeBuildInputs = nativeBuildInputs ++ [