feat: re-enable sandbox with minimal entitlements

- Re-enable app-sandbox
- Add network.client entitlement (required for Sparkle updates)
- Keep build script passing entitlements to codesign
- Use ditto for ZIP to preserve code signatures

This is a minimal sandbox configuration focused on security while
keeping updates working.

iKeyMon.entitlements

@@ -2,5 +2,9 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
+	<key>com.apple.security.app-sandbox</key>
+	<true/>
+	<key>com.apple.security.network.client</key>
+	<true/>
 </dict>
 </plist>

scripts/build_release.sh

@@ -165,6 +165,7 @@ if [[ -n "${CODESIGN_IDENTITY:-}" ]]; then
     --force \
     --options runtime \
     --timestamp \
+    --entitlements "$ROOT_DIR/iKeyMon.entitlements" \
     --sign "$CODESIGN_IDENTITY" \
     "$APP_PATH"
 else