feat: re-enable sandbox with minimal entitlements

- Re-enable app-sandbox
- Add network.client entitlement (required for Sparkle updates)
- Keep build script passing entitlements to codesign
- Use ditto for ZIP to preserve code signatures

This is a minimal sandbox configuration focused on security while
keeping updates working.
This commit is contained in:
Micha
2025-12-30 19:14:40 +01:00
parent 62d4a9ac96
commit bb4f972d58
2 changed files with 5 additions and 0 deletions


@@ -165,6 +165,7 @@ if [[ -n "${CODESIGN_IDENTITY:-}" ]]; then
--force \
--options runtime \
--timestamp \
--entitlements "$ROOT_DIR/iKeyMon.entitlements" \
--sign "$CODESIGN_IDENTITY" \
"$APP_PATH"
else
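Review bot: The `--entitlements "$ROOT_DIR/iKeyMon.entitlements"` argument is passed without any visible check that the file exists, and nothing in these lines confirms that the signed bundle actually carries the sandbox entitlement. Since the commit's purpose is to re-enable the sandbox, consider guarding the call with `[[ -f "$ROOT_DIR/iKeyMon.entitlements" ]]` and a clear error message, then, after signing, running `codesign -d --entitlements - "$APP_PATH"` and failing the build if `com.apple.security.app-sandbox` is absent from the output. That way a renamed or emptied entitlements file cannot silently produce an unsandboxed release. The `else` branch is cut off here, so it is worth confirming that the path taken when `CODESIGN_IDENTITY` is unset is not used for distributed builds, as it is not shown to apply the entitlements.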