# macOS Bundle Inspector with Capability Overlays

## Module

Scanner

## Status

VERIFIED

## Description

Inspects macOS .app/.framework bundles, parsing Info.plist for metadata and entitlements for security capability analysis (sandbox, hardened runtime, network access flags).

## Implementation Details

- **Bundle Analyzer**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.MacOsBundle/MacOsBundleAnalyzer.cs` - `MacOsBundleAnalyzer` inspects macOS .app/.framework bundles, extracting metadata and security capabilities
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.MacOsBundle/MacOsBundleAnalyzerPlugin.cs` - Plugin registration for the macOS bundle analyzer
- **Parsers**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.MacOsBundle/InfoPlistParser.cs` - `InfoPlistParser` parses Info.plist files for bundle metadata (CFBundleIdentifier, version, minimum OS)
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS.MacOsBundle/EntitlementsParser.cs` - `EntitlementsParser` parses entitlements XML for security capability analysis (sandbox, hardened runtime, network access)
- **Mach-O Analysis**:
  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/MachOReader.cs` - `MachOReader` reads Mach-O binary format headers and load commands
  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/MachOCodeSignature.cs` - `MachOCodeSignature` extracts code signature information from Mach-O binaries

## E2E Test Plan

- [ ] Scan a container image containing a macOS .app bundle and verify Info.plist metadata is extracted (bundle identifier, version, minimum OS version)
- [ ] Verify entitlements are parsed and security capabilities (sandbox, hardened runtime) are identified
- [ ] Verify network access entitlements (com.apple.security.network.client/server) are detected and reported as capability overlays
- [ ] Verify .framework bundles are also inspected with the same metadata extraction
- [ ] Verify Mach-O code signature information is extracted and linked to the bundle analysis
- [ ] Verify bundles without entitlements are handled gracefully with appropriate defaults

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |
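The parsing and overlay derivation described under Description and Parsers, shown as an added stand-alone example in Python rather than the project's own C# `InfoPlistParser`/`EntitlementsParser` code: it reads a constructed Info.plist and entitlements plist with the standard `plistlib`, emits capability overlay labels for sandbox, network client/server and hardened-runtime exception entitlements, and falls back to explicit defaults when the entitlements blob is absent (the last item in the test plan). The sample plist contents and the overlay label names are assumptions made for this example.

```python
import plistlib
from typing import Optional

# Constructed sample plists for this example; not taken from any real bundle.
SAMPLE_INFO_PLIST = b"""<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.sampleapp</string>
  <key>CFBundleShortVersionString</key><string>2.1.0</string>
  <key>LSMinimumSystemVersion</key><string>12.0</string>
</dict></plist>"""
SAMPLE_ENTITLEMENTS = b"""<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.network.client</key><true/>
  <key>com.apple.security.cs.allow-jit</key><true/>
</dict></plist>"""

# Hardened-runtime exception entitlements: each relaxes a protection the
# hardened runtime would otherwise enforce, so each one is worth surfacing.
HARDENED_RUNTIME_EXCEPTIONS = (
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
)
NETWORK_ENTITLEMENTS = {
    "com.apple.security.network.client": "network-client",
    "com.apple.security.network.server": "network-server",
}

def capability_overlays(entitlements: Optional[bytes]) -> list:
    """Map entitlement flags to overlay labels; a missing blob yields explicit
    defaults (unsandboxed, no network flags) rather than an error."""
    ents = plistlib.loads(entitlements) if entitlements else {}
    overlays = [] if entitlements else ["entitlements:absent"]
    overlays.append("sandbox" if ents.get("com.apple.security.app-sandbox") is True else "no-sandbox")
    overlays += [label for key, label in NETWORK_ENTITLEMENTS.items() if ents.get(key) is True]
    # These exceptions only matter under the hardened runtime, whose authoritative
    # flag lives in the code signature; report them as hints to confirm against the Mach-O signature.
    overlays += [f"hardened-runtime-exception:{k.rsplit('.', 1)[1]}"
                 for k in HARDENED_RUNTIME_EXCEPTIONS if ents.get(k) is True]
    return overlays

def analyze_bundle(info_plist: bytes, entitlements: Optional[bytes]) -> dict:
    """Combine Info.plist metadata with entitlement-derived overlays."""
    info = plistlib.loads(info_plist)
    return {
        "identifier": info.get("CFBundleIdentifier", "<unknown>"),
        "version": info.get("CFBundleShortVersionString", info.get("CFBundleVersion", "<unknown>")),
        "minimum_os": info.get("LSMinimumSystemVersion", "<unspecified>"),
        "overlays": capability_overlays(entitlements),
    }
```

Calling `analyze_bundle(SAMPLE_INFO_PLIST, None)` exercises the no-entitlements path and reports the bundle as unsandboxed with an explicit `entitlements:absent` marker instead of failing.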