Fix Tailscale peer discovery in notarized builds

[andyhtran]

Summary

• Notarized release was silently returning an empty Tailscale peer list (visible in v0.3.0 production install)
• Root cause: the bundled Tailscale binary detects context — from a notarized app's subprocess (no TTY) it relaunches the GUI instead of running as CLI, so peer JSON never came back. See tailscale/tailscale#16063 and #7140
• Setting `TAILSCALE_BE_CLI=1` in the subprocess env forces CLI mode
• Bonus: `runShell` now accepts an optional env dict; added an info log on successful Tailscale status with the peer count, so future regressions are diagnosable

Test plan

• Local notarized RB build with the fix shows full peer list (reproduced prod conditions exactly: Developer ID + hardened runtime + same entitlements + notarized + stapled)
• Ship 0.3.1, `brew reinstall --cask copycat`, verify SSH hosts → Tailscale peers shows entries
• Existing local-only `runShell` callers (just `pbpaste`/etc in Broadcast) unaffected — env stays default when not passed

🤖 Generated with Claude Code