diff --git a/bin/optimize.sh b/bin/optimize.sh
index 4cf2c12..b9b8584 100755
--- a/bin/optimize.sh
+++ b/bin/optimize.sh
@@ -312,11 +312,8 @@ collect_security_fix_actions() {
 SECURITY_FIXES+=("firewall|Enable macOS firewall")
 fi
 fi
- if [[ "${GATEKEEPER_DISABLED:-}" == "true" ]]; then
- if ! is_whitelisted "gatekeeper"; then
- SECURITY_FIXES+=("gatekeeper|Enable Gatekeeper, app download protection")
- fi
- fi
+ # Gatekeeper state is intentionally user-managed. Optimize may report it,
+ # but it must not change the user's "Anywhere" preference.
 if touchid_supported && ! touchid_configured; then
 if ! is_whitelisted "check_touchid"; then
 SECURITY_FIXES+=("touchid|Enable Touch ID for sudo")
@@ -370,16 +367,6 @@ apply_firewall_fix() {
 return 1
 }

-apply_gatekeeper_fix() {
- if sudo spctl --master-enable 2> /dev/null; then
- echo -e " ${GREEN}${ICON_SUCCESS}${NC} Gatekeeper enabled"
- GATEKEEPER_DISABLED=false
- return 0
- fi
- echo -e " ${GRAY}${ICON_WARNING}${NC} Failed to enable Gatekeeper"
- return 1
-}
-
 apply_touchid_fix() {
 if "$SCRIPT_DIR/bin/touchid.sh" enable; then
 return 0
@@ -400,9 +387,6 @@ perform_security_fixes() {
 firewall)
 apply_firewall_fix && ((applied++))
 ;;
- gatekeeper)
- apply_gatekeeper_fix && ((applied++))
- ;;
 touchid)
 apply_touchid_fix && ((applied++))
 ;;
diff --git a/tests/optimize.bats b/tests/optimize.bats
index e1edf41..2d67b00 100644
--- a/tests/optimize.bats
+++ b/tests/optimize.bats
@@ -141,6 +141,12 @@ EOF
 [[ "$output" == *"Font cache cleared"* ]]
 }

+@test "optimize does not auto-fix Gatekeeper anymore" {
+ run grep -n "spctl --master-enable\\|SECURITY_FIXES+=([\"']gatekeeper|" "$PROJECT_ROOT/bin/optimize.sh"
+
+ [ "$status" -eq 1 ]
+}
+
 @test "opt_font_cache_rebuild skips when Firefox helpers are running" {
 run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc <<'EOF'
 set -euo pipefail
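Review bot: In the `collect_security_fix_actions` hunk of bin/optimize.sh, the replacement comment says "Optimize may report it", but no line in the hunk reports a disabled Gatekeeper. After this change, a Gatekeeper that was turned off by something other than the user is neither fixed nor visibly flagged here. The removed branch already gave users a per-user opt-out through `is_whitelisted "gatekeeper"`, so a non-mutating warning would keep the signal without touching the preference, for example `if [[ "${GATEKEEPER_DISABLED:-}" == "true" ]] && ! is_whitelisted "gatekeeper"; then echo -e " ${GRAY}${ICON_WARNING}${NC} Gatekeeper is disabled (left unchanged)"; fi`. The function starts and ends outside the hunk, so an existing report elsewhere cannot be ruled out; if one exists, the comment should name where it lives.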
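Review bot: The added test in tests/optimize.bats relies on `\|` alternation inside a basic regular expression, which is an extension rather than POSIX. If the grep running the suite does not honour it, grep exits 1 and the test passes without having checked either string. Passing the two patterns separately avoids that dependency: `run grep -n -e 'spctl --master-enable' -e "SECURITY_FIXES+=([\"']gatekeeper|" "$PROJECT_ROOT/bin/optimize.sh"`. Because this is a text search of the script, it also cannot notice a re-enable path that is spelled differently or reached indirectly. A companion case that sets `GATEKEEPER_DISABLED=true`, calls `collect_security_fix_actions` and asserts that `SECURITY_FIXES` holds no `gatekeeper|` entry would pin the behaviour itself.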