
Add macOS atomic firing tests (experimental CI leg)#20

Merged: Karib0u merged 3 commits into main from feat/macos-atomic-tests, Jun 23, 2026

Conversation

@Karib0u Karib0u (Owner) commented Jun 23, 2026

What

Extends the atomic firing-test suite to macOS, mirroring the existing Linux/Windows coverage.

  • 10 macOS atomic actions under tests/atomic/atomics/macos/ — one per macOS rule (8 Sigma + coinminer YARA + shared EICAR IOC).
  • Matching manifest.json entries; test_status flipped none → atomic on the 8 Sigma rules + the YARA rule.
  • A non-gating macOS leg added to .github/workflows/atomic.yml.
  • Docs updated (tests/atomic/README.md, run_atomics.py docstring).

Safe-by-design actions

Each action produces only the telemetry the rule keys on — no destructive branch is exercised:

  • Gatekeeper rule → xattr -d com.apple.quarantine on a throwaway temp file (not spctl --master-disable).
  • Local-admin rule → dscl -create /Users/… against the read-only /Search node, so no account is ever written (even when run as root).
  • Reverse shell / download cradle → closed local port; nothing connects or executes.
  • LaunchAgent persistence → writes then deletes a .plist, never launchctl load-ed.

macOS ships no GNU timeout, so long-running actions are backgrounded-and-killed or bounded with curl --max-time. All 10 were run locally on macOS: each exits 0, stays bounded, and self-cleans.

Why the macOS leg is non-gating

continue-on-error: true (via a matrix.experimental flag). The engine needs an EndpointSecurity entitlement and root; whether ES initializes on a GitHub-hosted runner is unproven. This run is effectively that first experiment — run_atomics.py exits 2 if the engine never starts — without blocking the build. Flip experimental off once a green run proves it.

Dependency: assumes Karib0u/rustinel's install.sh publishes a signed, ES-entitled macOS release. If macOS artifacts don't exist yet, the install step fails harmlessly (leg is non-gating).

Verification

  • run_atomics.py --list --platform macos → all 10 join keys resolve
  • --check-coverage --strict-essential → exit 0
  • validate.py (44 artifacts), build_packs/build_catalog → clean
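
Two of the patterns the description above relies on, written out as an added example (this is not the PR's code and not the tests/atomic/ actions in Karib0u/rustinel): a bound for long-running actions on a host without GNU timeout, implemented as a background watchdog that SIGTERMs the action, and a LaunchAgent-style action that writes a .plist and removes it again without ever calling launchctl, with cleanup guaranteed on every exit path. The function names, the com.example.atomic-test label, the scratch directory in place of ~/Library/LaunchAgents and the 124 "killed" status are assumptions; the script uses only POSIX tools, so it runs on Linux as well as macOS.

```shell
#!/bin/sh
# Added example, not code from the PR or the rustinel repository. Reproduces two
# patterns the PR describes for macOS atomic actions:
#   1. bounding a long-running action without GNU timeout (background + watchdog);
#   2. a LaunchAgent-style write-then-delete action that never loads the plist.
# Function names and the com.example.atomic-test label are assumptions.

# bounded_run SECONDS CMD...  Run CMD in the background and SIGTERM it after
# SECONDS. Returns CMD's own status if it finishes in time, or 124 (GNU timeout's
# convention, adopted here by assumption) if the watchdog had to kill it.
bounded_run() {
  limit=$1; shift
  "$@" &
  pid=$!
  # Watchdog subshell; output detached so a lingering sleep cannot hold the
  # caller's pipes open after the action has already finished.
  ( sleep "$limit"; kill "$pid" 2>/dev/null ) >/dev/null 2>&1 &
  watchdog=$!
  rc=0
  wait "$pid" || rc=$?
  kill "$watchdog" 2>/dev/null || true
  wait "$watchdog" 2>/dev/null || true
  # 143 = 128 + SIGTERM: the watchdog fired.
  if [ "$rc" -eq 143 ]; then return 124; fi
  return "$rc"
}

# launchagent_touch DIR  Write a minimal LaunchAgent plist under DIR (a scratch
# directory stands in for ~/Library/LaunchAgents) and delete it. The file write
# is the only telemetry the action needs; launchctl is never invoked. Returns 0
# only if the plist was written and is gone afterwards.
launchagent_touch() {
  plist="$1/com.example.atomic-test.plist"
  (
    trap 'rm -f "$plist"' EXIT      # self-clean even if a later step fails
    cat > "$plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.atomic-test</string>
  <key>ProgramArguments</key><array><string>/usr/bin/true</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
    [ -s "$plist" ]
  ) && [ ! -e "$plist" ]
}

# Stand-alone run (sh this_file.sh demo): bound a 30-second sleep to 1 second,
# then fire the plist action in a scratch directory. Exits 0 when both behave.
main() {
  rc=0; bounded_run 1 sleep 30 || rc=$?
  [ "$rc" -eq 124 ] || return 1
  dir=$(mktemp -d)
  launchagent_touch "$dir" || return 1
  rmdir "$dir"
}
case "${1:-}" in demo) main ;; esac
```

Each action here exits 0 on success, stays within its bound, and leaves nothing behind, which is the same contract the description sets for the real actions; the watchdog's `kill` targets only the action's own pid, so a second action that happens to reuse the pid after the bound expires is the one residual race to be aware of.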

Karib0u added 3 commits June 23, 2026 19:20
Adds 10 macOS atomic actions under tests/atomic/atomics/macos/ — one per
macOS rule (8 Sigma + coinminer YARA + shared EICAR IOC) — with matching
manifest entries, and flips those rules' test_status to `atomic`.

Each action is a safe simulation that produces only the telemetry the rule
keys on: destructive branches are avoided (xattr on a temp file rather than
`spctl --master-disable`; `dscl -create` against the read-only /Search node
so no account is ever written). macOS ships no GNU timeout, so long-running
actions are backgrounded-and-killed or bounded with `curl --max-time`.

CI: a macOS leg is added to the atomic matrix as non-gating
(continue-on-error) — the engine needs an EndpointSecurity entitlement and
root, and whether ES initializes on a hosted runner is still unproven.

The atomic firing tests now exist and run in CI, but the docs still framed
them as a future "progressive/optional" check.

- detection-as-code.md: add a "Firing tests" section (harness, atomic.yml,
  per-platform gating with macOS non-gating/experimental, coverage gate);
  mark the progressive-checks bullet as implemented.
- README.md: add tests/atomic/ to the repo tree (was missing).
@Karib0u Karib0u merged commit 46b1f8d into main Jun 23, 2026
5 checks passed
@Karib0u Karib0u deleted the feat/macos-atomic-tests branch June 23, 2026 19:18