fix: preserve gatekeeper state in optimize

bin/optimize.sh

@@ -312,11 +312,8 @@ collect_security_fix_actions() {
             SECURITY_FIXES+=("firewall|Enable macOS firewall")
         fi
     fi
-    if [[ "${GATEKEEPER_DISABLED:-}" == "true" ]]; then
-        if ! is_whitelisted "gatekeeper"; then
-            SECURITY_FIXES+=("gatekeeper|Enable Gatekeeper, app download protection")
-        fi
-    fi
+    # Gatekeeper state is intentionally user-managed. Optimize may report it,
+    # but it must not change the user's "Anywhere" preference.
     if touchid_supported && ! touchid_configured; then
         if ! is_whitelisted "check_touchid"; then
             SECURITY_FIXES+=("touchid|Enable Touch ID for sudo")
@@ -370,16 +367,6 @@ apply_firewall_fix() {
     return 1
 }
 
-apply_gatekeeper_fix() {
-    if sudo spctl --master-enable 2> /dev/null; then
-        echo -e "  ${GREEN}${ICON_SUCCESS}${NC} Gatekeeper enabled"
-        GATEKEEPER_DISABLED=false
-        return 0
-    fi
-    echo -e "  ${GRAY}${ICON_WARNING}${NC} Failed to enable Gatekeeper"
-    return 1
-}
-
 apply_touchid_fix() {
     if "$SCRIPT_DIR/bin/touchid.sh" enable; then
         return 0
@@ -400,9 +387,6 @@ perform_security_fixes() {
             firewall)
                 apply_firewall_fix && ((applied++))
                 ;;
-            gatekeeper)
-                apply_gatekeeper_fix && ((applied++))
-                ;;
             touchid)
                 apply_touchid_fix && ((applied++))
                 ;;

tests/optimize.bats

@@ -141,6 +141,12 @@ EOF
     [[ "$output" == *"Font cache cleared"* ]]
 }
 
+@test "optimize does not auto-fix Gatekeeper anymore" {
+    run grep -n "spctl --master-enable\\|SECURITY_FIXES+=([\"']gatekeeper|" "$PROJECT_ROOT/bin/optimize.sh"
+
+    [ "$status" -eq 1 ]
+}
+
 @test "opt_font_cache_rebuild skips when Firefox helpers are running" {
     run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc <<'EOF'
 set -euo pipefail