fix(CodeSigningPlugin): sign assets at processAssets ANALYSE stage before REPORT

[JhohellsDL]

Summary

Fixes #1377

CodeSigningPlugin was signing bundles in compiler.hooks.assetEmitted,
which fires after processAssets completes. When using withZephyr(),
Zephyr captures and uploads assets at PROCESS_ASSETS_STAGE_REPORT (5000)
— before assetEmitted fires — resulting in unsigned bundles being uploaded
to the CDN, making verifyScriptSignature: 'strict' ineffective.

Changes

• Moved signing logic from assetEmitted to processAssets at
  PROCESS_ASSETS_STAGE_ANALYSE (2000), before Zephyr's REPORT stage (5000)
• Assets are now signed in memory via compilation.updateAsset()
  instead of reading/writing from disk
• Removed chunkFilenames Set and emit hook — no longer needed since
  signing iterates compilation.chunks directly inside processAssets
• Added test verifying assets are signed before REPORT stage
• Updated documentation with ## Behavior section explaining the signing stage

Testing

• All existing tests pass
• Added new test simulating a plugin at REPORT stage confirming
  assets are already signed when captured
• Verified end-to-end in production with withZephyr() — bundles
  uploaded to CDN now contain the signature and verifyScriptSignature: 'strict'
  works correctly

[changeset-bot]

🦋 Changeset detected

Latest commit: dc3d3fe

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 6 packages

Name	Type
@callstack/repack	Patch
@callstack/repack-plugin-expo-modules	Patch
@callstack/repack-plugin-nativewind	Patch
@callstack/repack-plugin-reanimated	Patch
@callstack/repack-dev-server	Patch
@callstack/repack-init	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

@JhohellsDL is attempting to deploy a commit to the Callstack Team on Vercel.

A member of the Team first needs to authorize it.