nix(desktop): patches not re-applied after Electron migration; .app unsigned on darwin

[jerome-benoit]

Description

Two small regressions from #16163 (Tauri → Electron migration in nix/desktop.nix).

1. patches dropped from the inherit list

The previous Tauri-era derivation had:

inherit (opencode) version src node_modules patches;

The new Electron derivation drops patches:

inherit (opencode) version src node_modules;

Flake consumers that layer patches onto pkgs.opencode via overrideAttrs lose them on the desktop derivation. The desktop build does need them: packages/desktop/scripts/prepare.ts imports @opencode-ai/script, so any patch a downstream applies to packages/script/src/ no longer reaches the desktop build path.

2. The produced .app is completely unsigned on darwin

The buildPhase invokes electron-builder with --config.mac.identity=null, which makes electron-builder skip signing entirely (no ad-hoc fallback). On Apple Silicon, the kernel refuses to launch unsigned arm64 Mach-O binaries — the .app is killed with code signature invalid. PR #16163 was tested on x86_64-linux only, so this didn't surface there.

codesign -dv result/Applications/OpenCode.app reports code object is not signed at all.

Plugins

N/A

OpenCode version

dev @ c5db39f6 (any rev after #16163)

Steps to reproduce

Codesign issue (macOS arm64):

nix build .#opencode-desktop
open result/Applications/OpenCode.app
# → killed (code signature invalid)

Patch issue (any platform):

opencode = pkgs.opencode.overrideAttrs (old: {
  patches = (old.patches or [ ]) ++ [ ./my-patch.patch ];
});
desktop = pkgs.opencode-desktop.override { inherit opencode; };
# → desktop's src is unpatched; my-patch.patch silently doesn't apply

Operating System

macOS 14+ on Apple Silicon (codesign); any (patch inheritance)

Terminal

N/A — build-time / launch-time