Lock down a macOS app with a sandbox profile

Generates a minimal Seatbelt sandbox config that restricts app permissions to only what it needs—file access, network, system calls—with an allowlist approach.

Best for: Engineers hardening a macOS app or enforcing least-privilege access controls.