Add SHA-256 checksum verification to menubar installer

The installer now downloads and verifies a .sha256 companion file
before extracting and launching the menubar app. Build script and
CI workflow generate the checksum alongside the zip. Adds SECURITY.md
with reporting instructions.

Addresses #215.
iamtoruk 2026-05-04 10:08:58 -07:00
parent cf8c2aa493
commit 15334fac67
4 changed files with 73 additions and 11 deletions

@ -65,5 +65,7 @@ jobs:
quarantine, and launches it. If you download the zip from this page directly
and macOS shows "cannot verify developer", right-click the app in Finder and
pick Open to whitelist it once.
files: mac/.build/dist/CodeBurnMenubar-*.zip
files: |
mac/.build/dist/CodeBurnMenubar-*.zip
mac/.build/dist/CodeBurnMenubar-*.zip.sha256
fail_on_unmatched_files: true
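Review bot: In the `files:` list, the `.sha256` is published in the same release as the zip it covers, so it detects a corrupt or truncated download but not a replaced release asset: anyone able to swap the zip can swap the checksum with it. Please say that in the release body above, which still only explains the "cannot verify developer" prompt and gives direct-download users no instruction to check the zip against the `.sha256` file. If tamper resistance is the goal of #215, the checksum needs a signature or a separate publication channel. With `fail_on_unmatched_files: true` kept, a build that fails to produce the `.sha256` should stop the release rather than ship an unverifiable zip, which is the behaviour you want here.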