
feat(macos): add macOS as a supported platform#42

Merged
Karib0u merged 7 commits into
Karib0u:mainfrom
mostafa:feat/macos-platform
May 31, 2026
Conversation

@mostafa
Contributor

@mostafa mostafa commented May 29, 2026

Summary

Introduces macOS as a first-class platform so the project builds, lints, tests, and runs the shared detection pipeline on macOS, ahead of the native sensors that follow. No telemetry is collected yet: a no-op placeholder sensor keeps the runtime exercised end to end.

  • Add Platform::MacOS and route it through Sigma logsource handling, DNS alias generation, and ECS host.os mapping (using the darwin OS family).
  • Add macOS allowlist defaults and POSIX path normalization, which previously fell through to the Windows backslash handling on non-Linux unix.
  • Reuse the SIGKILL active-response path on macOS.
  • Add the macOS runtime entry (main, runtime builder, run_macos_edr) mirroring the Linux path, backed by a placeholder sensor.

Type of change

  • feat / enhancement - new feature

Test plan

  • Tested on Windows
  • Tested on Linux
  • Tested on macOS (arm64): builds, loads rules, starts, and shuts down cleanly
  • Existing tests pass (cargo test)
  • New tests added (platform routing and ECS host.os mapping)

Note: all changes are gated to macOS, so Windows and Linux behavior is unchanged.

Checklist

  • Label added to this PR
  • Docs updated (if behaviour changed)

Notes

This is the first PR from a series of four, all part of #41.

mostafa added 4 commits May 29, 2026 11:18
Add Platform::MacOS and resolve the exhaustive matches it forces: sigma
logsource tuples and DNS alias generation, plus ECS host.os mapping using
the darwin OS family. Shared test fixtures gain macOS arms that mirror the
Linux POSIX model.

Give macOS its own allowlist defaults (system and Applications paths) and
route path normalization through the POSIX branch, which previously fell
through to the Windows backslash handling on non-Linux unix.

Reuse the Linux SIGKILL termination path on macOS and add libc to the
macOS target dependencies.

Add the macOS main, runtime builder, and run_macos_edr mirroring the Linux
path, backed by a no-op placeholder sensor so the shared detection pipeline
runs end to end. Extend the shared imports and init_logging to macOS and
narrow the unsupported-platform catch-all accordingly.
@mostafa mostafa marked this pull request as draft May 29, 2026 18:07
/Applications holds user-installed software and is a common location for
macOS malware, so allowlisting it by default would blind YARA scanning, IOC
hashing, and active response there. Keep only OS-shipped directories, matching
the Linux defaults' OS-only philosophy.
@mostafa mostafa marked this pull request as ready for review May 29, 2026 18:31
@Karib0u
Owner

Karib0u commented May 31, 2026

Thanks for this — the production side is clean, well-commented, and it builds + clippies green on macOS locally. One blocker before merge, plus a coverage suggestion and a heads-up on CI.

Blocker: tests/reload.rs fails on macOS

host_platform() (line 18) maps any non-Windows host to Platform::Linux, so on macOS it writes a product: linux rule — but the reload worker rebuilds its engine via current_platform(), which your PR now (correctly) returns as MacOS. Product mismatch → the reloaded network rule no longer matches → sigma_reload_swaps_valid_rules_and_rejects_empty_rules fails on macOS. Fix is to add a MacOS arm to host_platform() and turn the product ternary into a 3-way match.

Suggestion: actually exercise macOS in the pipeline tests

The loops in pipeline_sigma.rs (×3) and the generic-rule loop in platform_mapping.rs still only iterate [Windows, Linux], so macOS isn't run end-to-end despite the PR description. Adding Platform::MacOS to those loops gives real coverage.

I've prepped both changes as a reference commit you can cherry-pick (verified: full suite green on macOS arm64):

git fetch https://github.com/Karib0u/rustinel.git feat/macos-platform
git cherry-pick 0c6d06c1b41e943fbd6c955dd3e7de2c890c19f4

Heads-up: CI doesn't cover macOS yet

ci-cd.yml only has Linux + Windows runners, so nothing in the #41 series is guarded on macOS. I'll land a small macos-latest clippy + test job separately (reference commit) so once it's in, your next push here will get a Tests (macOS) check automatically.
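An added illustration, not the rustinel project's own code, modelling the routing this review and the PR description discuss: a third MacOS arm in the host-platform mapping, a 3-way Sigma product match in place of the windows/linux ternary, and path normalization that sends macOS down the POSIX branch instead of the Windows backslash branch. Function names, product strings and the allowlist roots are assumptions chosen for the example.

```rust
/// Platforms the detection pipeline routes on (the PR adds the MacOS arm).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Platform { Windows, Linux, MacOS }

/// Legacy mapping the review flags in tests/reload.rs: every non-Windows host
/// collapses to Linux, so a macOS host writes `product: linux` rules.
pub fn legacy_platform_from_os(os: &str) -> Platform {
    if os == "windows" { Platform::Windows } else { Platform::Linux }
}

/// Fixed mapping: a third arm for macOS, so host and engine platform agree.
pub fn platform_from_os(os: &str) -> Platform {
    match os {
        "windows" => Platform::Windows,
        "macos" => Platform::MacOS,
        _ => Platform::Linux,
    }
}

/// The build host's platform (std::env::consts::OS is "macos" on macOS).
pub fn host_platform() -> Platform { platform_from_os(std::env::consts::OS) }

/// Sigma `product:` value as a 3-way match rather than a windows/linux ternary.
pub fn sigma_product(p: Platform) -> &'static str {
    match p { Platform::Windows => "windows", Platform::Linux => "linux", Platform::MacOS => "macos" }
}

/// A rule only fires on an engine built for the same product (the reload-test mismatch).
pub fn rule_applies(rule_product: &str, engine: Platform) -> bool {
    rule_product == sigma_product(engine)
}

/// Normalization routed by filesystem model, not by `== Linux`, so macOS takes
/// the POSIX branch instead of falling through to backslash handling.
pub fn normalize_path(p: Platform, raw: &str) -> String {
    match p {
        Platform::Windows => raw.replace('/', "\\").to_ascii_lowercase(),
        Platform::Linux | Platform::MacOS => raw.to_string(),
    }
}

/// Assumed OS-shipped allowlist roots (illustrative, not the project's list);
/// /Applications is deliberately absent, as the commit message explains.
pub fn default_allowlist(p: Platform) -> &'static [&'static str] {
    match p {
        Platform::Windows => &["c:\\windows\\"],
        Platform::Linux => &["/usr/", "/bin/", "/sbin/", "/lib/"],
        Platform::MacOS => &["/System/", "/usr/", "/bin/", "/sbin/"],
    }
}
/// Allowlist check over the normalized path (prefix match on a root).
pub fn is_allowlisted(p: Platform, raw: &str) -> bool {
    let path = normalize_path(p, raw);
    default_allowlist(p).iter().any(|root| path.starts_with(root))
}
```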

@Karib0u Karib0u added the enhancement New feature or request label May 31, 2026
@Karib0u
Owner

Karib0u commented May 31, 2026

Update on the CI side — please pull both reference commits into this PR, not just the test fix.

I initially planned to land the macos-latest CI job as a separate PR ahead of this one, but that doesn't work: main isn't macOS-clean until this PR lands. The new macOS runner immediately fails on main with dead-code/unused-import errors under -D warnings (AlertSink + tracing_subscriber imports, build_daily_writer, try_build_daily_writer in src/runtime/logging.rs, and handle_service_command in src/main.rs) — all of which your PR already fixes via the init_logging gating and the macOS main(). Verified: cargo clippy --locked --all-targets -- -D clippy::all for macOS is exit-0 clean on this branch.

So the macOS CI job and the macOS code are coupled and should land together. Both reference commits are on the same branch:

git fetch https://github.com/Karib0u/rustinel.git feat/macos-platform
git cherry-pick 0c6d06c1b41e943fbd6c955dd3e7de2c890c19f4   # test fix
git cherry-pick d6479ea7144d5da6a0ce9f1c33a9f1f6800c8f38   # macos-latest CI jobs

With both applied, this PR builds + lints + tests green on macOS in CI, and you get the Clippy (macOS) / Tests (macOS) checks on this and every future PR in the #41 series. (The standalone CI PR has been closed.)

Karib0u and others added 2 commits May 31, 2026 20:04
The reload integration test rebuilds its Sigma engine via current_platform(),
which now resolves to Platform::MacOS on macOS, but host_platform() and the
rule fixture still emitted a `linux` product — so the reloaded network rule no
longer matched and sigma_reload_swaps_valid_rules_and_rejects_empty_rules
failed on macOS. Teach host_platform() and the product fixture about MacOS, and
add Platform::MacOS to the sigma/mapping pipeline loops so the shared pipeline
is actually covered on macOS.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Add clippy-macos and test-macos jobs (mirroring the self-contained Windows
jobs; no eBPF artifact needed) and wire them into the release gate, so the
newly supported macOS target can't regress.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@mostafa
Contributor Author

mostafa commented May 31, 2026

Thanks for the detailed review and the reference commits. I've cherry-picked both into this PR (authorship preserved):

  • 0c6d06c test(macos): exercise Platform::MacOS in reload and pipeline tests
  • d6479ea ci: build, lint, and test on macOS

Verified locally on macOS arm64:

  • cargo test --locked: 124 passed, 0 failed. The previously failing sigma_reload_swaps_valid_rules_and_rejects_empty_rules now passes, and pipeline_sigma.rs plus platform_mapping.rs now exercise Platform::MacOS end to end.
  • cargo clippy --locked --all-targets -- -D clippy::all: clean.
  • cargo fmt --all -- --check: clean.

Agreed on coupling the macOS CI with the macOS code. The init_logging gating and the macOS main() in this PR are what make the runner clean, so landing them together is the right call.

Heads-up for the rest of the #41 series: the later PRs add the macOS release build and signing jobs on top of these clippy-macos and test-macos jobs. I'll rebase those onto this branch once it lands and drop any duplicate job definitions so there's no double-up.

@Karib0u Karib0u merged commit ff16d80 into Karib0u:main May 31, 2026
12 checks passed
@Karib0u
Owner

Karib0u commented May 31, 2026

Merged! 🙌 Thanks again Mostafa, really glad to have you on this. Solid first piece, can't wait to see where you take the next steps.

@mostafa
Contributor Author

mostafa commented May 31, 2026

Thanks for building this. 🙏
