diff --git a/SECURITY_AUDIT.md b/SECURITY_AUDIT.md
index 7606abc..3663832 100644
--- a/SECURITY_AUDIT.md
+++ b/SECURITY_AUDIT.md
@@ -119,6 +119,7 @@ In addition to path blocking, these categories are protected:
- Browser history and cookies
- Time Machine data (during active backup)
- `com.apple.*` LaunchAgents/LaunchDaemons
+- user-owned `~/Library/LaunchAgents/*.plist` automation/configuration
- iCloud-synced `Mobile Documents`
## Implementation Details
@@ -145,6 +146,7 @@ Protected or conservatively handled categories include:
- browser history and cookies
- Time Machine data while backup state is active or ambiguous
- `com.apple.*` LaunchAgents and LaunchDaemons
+- user-owned `~/Library/LaunchAgents/*.plist` automation/configuration
- iCloud-synced `Mobile Documents` data
Project purge also uses conservative heuristics:
diff --git a/bin/clean.sh b/bin/clean.sh
index 039fd33..4549454 100755
--- a/bin/clean.sh
+++ b/bin/clean.sh
@@ -976,7 +976,7 @@ perform_cleanup() {
start_section "Orphaned data"
clean_orphaned_app_data
clean_orphaned_system_services
- clean_orphaned_launch_agents
+ show_user_launch_agent_hint_notice
end_section
# ===== 11. Apple Silicon =====
diff --git a/lib/clean/apps.sh b/lib/clean/apps.sh
index 75402f3..9966ed0 100644
--- a/lib/clean/apps.sh
+++ b/lib/clean/apps.sh
@@ -597,195 +597,11 @@ clean_orphaned_system_services() {
}
# ============================================================================
-# Orphaned LaunchAgent/LaunchDaemon Cleanup (Generic Detection)
+# User LaunchAgents
# ============================================================================
-# Extract program path from plist (supports both ProgramArguments and Program)
-_extract_program_path() {
- local plist="$1"
- local program=""
-
- program=$(plutil -extract ProgramArguments.0 raw "$plist" 2> /dev/null)
- if [[ -z "$program" ]]; then
- program=$(plutil -extract Program raw "$plist" 2> /dev/null)
- fi
-
- echo "$program"
-}
-
-# Extract associated bundle identifier from plist
-_extract_associated_bundle() {
- local plist="$1"
- local associated=""
-
- # Try array format first
- associated=$(plutil -extract AssociatedBundleIdentifiers.0 raw "$plist" 2> /dev/null)
- if [[ -z "$associated" ]] || [[ "$associated" == "1" ]]; then
- # Try string format
- associated=$(plutil -extract AssociatedBundleIdentifiers raw "$plist" 2> /dev/null)
- # Filter out dict/array markers
- if [[ "$associated" == "{"* ]] || [[ "$associated" == "["* ]]; then
- associated=""
- fi
- fi
-
- echo "$associated"
-}
-
-# Check if a LaunchAgent/LaunchDaemon is orphaned using multi-layer verification
-# Returns 0 if orphaned, 1 if not orphaned
-is_launch_item_orphaned() {
- local plist="$1"
-
- # Layer 1: Check if program path exists
- local program=$(_extract_program_path "$plist")
-
- # No program path - skip (not a standard launch item)
- [[ -z "$program" ]] && return 1
-
- # Program exists -> not orphaned
- [[ -e "$program" ]] && return 1
-
- # Layer 2: Check AssociatedBundleIdentifiers
- local associated=$(_extract_associated_bundle "$plist")
- if [[ -n "$associated" ]]; then
- # Check if associated app exists via mdfind
- if run_with_timeout 2 mdfind "kMDItemCFBundleIdentifier == '$associated'" 2> /dev/null | head -1 | grep -q .; then
- return 1 # Associated app found -> not orphaned
- fi
-
- # Extract vendor name from bundle ID (com.vendor.app -> vendor)
- local vendor=$(echo "$associated" | cut -d'.' -f2)
- if [[ -n "$vendor" ]] && [[ ${#vendor} -ge 3 ]]; then
- # Check if any app from this vendor exists
- if find /Applications ~/Applications -maxdepth 2 -iname "*${vendor}*" -type d 2> /dev/null | grep -iq "\.app"; then
- return 1 # Vendor app exists -> not orphaned
- fi
- fi
- fi
-
- # Layer 3: Check Application Support directory activity
- if [[ "$program" =~ /Library/Application\ Support/([^/]+)/ ]]; then
- local app_support_name="${BASH_REMATCH[1]}"
-
- # Check both user and system Application Support
- for base in "$HOME/Library/Application Support" "/Library/Application Support"; do
- local support_path="$base/$app_support_name"
- if [[ -d "$support_path" ]]; then
- # Check if there are files modified in last 7 days (active usage)
- local recent_file=$(find "$support_path" -type f -mtime -7 2> /dev/null | head -1)
- if [[ -n "$recent_file" ]]; then
- return 1 # Active Application Support -> not orphaned
- fi
- fi
- done
- fi
-
- # Layer 4: Check if app name from program path exists
- if [[ "$program" =~ /Applications/([^/]+)\.app/ ]]; then
- local app_name="${BASH_REMATCH[1]}"
- # Look for apps with similar names (case-insensitive)
- if find /Applications ~/Applications -maxdepth 2 -iname "*${app_name}*" -type d 2> /dev/null | grep -iq "\.app"; then
- return 1 # Similar app exists -> not orphaned
- fi
- fi
-
- # Layer 5: PrivilegedHelper special handling
- if [[ "$program" =~ ^/Library/PrivilegedHelperTools/ ]]; then
- local filename=$(basename "$plist")
- local bundle_id="${filename%.plist}"
-
- # Extract app hint from bundle ID (com.vendor.app.helper -> vendor)
- local app_hint=$(echo "$bundle_id" | sed 's/com\.//; s/\..*helper.*//')
-
- if [[ -n "$app_hint" ]] && [[ ${#app_hint} -ge 3 ]]; then
- # Look for main app
- if find /Applications ~/Applications -maxdepth 2 -iname "*${app_hint}*" -type d 2> /dev/null | grep -iq "\.app"; then
- return 1 # Helper's main app exists -> not orphaned
- fi
- fi
- fi
-
- # All checks failed -> likely orphaned
+# User-level LaunchAgents are user-owned automation/configuration, not generic
+# cleanup targets. `mo clean` must not delete them automatically.
+clean_orphaned_launch_agents() {
return 0
}
-
-# Clean orphaned user-level LaunchAgents
-# Only processes ~/Library/LaunchAgents (safer than system-level)
-clean_orphaned_launch_agents() {
- local launch_agents_dir="$HOME/Library/LaunchAgents"
-
- [[ ! -d "$launch_agents_dir" ]] && return 0
-
- start_section_spinner "Scanning orphaned launch agents..."
-
- local -a orphaned_items=()
- local total_orphaned_kb=0
-
- # Scan user LaunchAgents
- while IFS= read -r -d '' plist; do
- local filename=$(basename "$plist")
-
- # Skip Apple's LaunchAgents
- [[ "$filename" == com.apple.* ]] && continue
-
- local bundle_id="${filename%.plist}"
-
- # Check if orphaned using multi-layer verification
- if is_launch_item_orphaned "$plist"; then
- local size_kb=$(get_path_size_kb "$plist")
- orphaned_items+=("$bundle_id|$plist")
- total_orphaned_kb=$((total_orphaned_kb + size_kb))
- fi
- done < <(find "$launch_agents_dir" -maxdepth 1 -name "*.plist" -print0 2> /dev/null)
-
- stop_section_spinner
-
- local orphaned_count=${#orphaned_items[@]}
-
- if [[ $orphaned_count -eq 0 ]]; then
- return 0
- fi
-
- # Clean the orphaned items automatically
- local removed_count=0
- local dry_run_count=0
- local is_dry_run=false
- if [[ "${MOLE_DRY_RUN:-0}" == "1" ]]; then
- is_dry_run=true
- fi
- for item in "${orphaned_items[@]}"; do
- IFS='|' read -r bundle_id plist_path <<< "$item"
-
- if [[ "$is_dry_run" == "true" ]]; then
- dry_run_count=$((dry_run_count + 1))
- log_operation "clean" "DRY_RUN" "$plist_path" "orphaned launch agent"
- continue
- fi
-
- # Try to unload first (if currently loaded)
- launchctl unload "$plist_path" 2> /dev/null || true
-
- # Remove the plist file
- if safe_remove "$plist_path" false; then
- removed_count=$((removed_count + 1))
- log_operation "clean" "REMOVED" "$plist_path" "orphaned launch agent"
- else
- log_operation "clean" "FAILED" "$plist_path" "permission denied"
- fi
- done
-
- if [[ "$is_dry_run" == "true" ]]; then
- if [[ $dry_run_count -gt 0 ]]; then
- local cleaned_mb=$(echo "$total_orphaned_kb" | awk '{printf "%.1f", $1/1024}')
- echo " ${YELLOW}${ICON_DRY_RUN}${NC} Would remove $dry_run_count orphaned launch agent(s), ${cleaned_mb}MB"
- note_activity
- fi
- else
- if [[ $removed_count -gt 0 ]]; then
- local cleaned_mb=$(echo "$total_orphaned_kb" | awk '{printf "%.1f", $1/1024}')
- echo " ${GREEN}${ICON_SUCCESS}${NC} Removed $removed_count orphaned launch agent(s), ${cleaned_mb}MB"
- note_activity
- fi
- fi
-}
diff --git a/lib/clean/hints.sh b/lib/clean/hints.sh
index f6538bf..0ac04dd 100644
--- a/lib/clean/hints.sh
+++ b/lib/clean/hints.sh
@@ -54,6 +54,65 @@ hint_get_path_size_kb_with_timeout() {
printf '%s\n' "$size_kb"
}
+# shellcheck disable=SC2329
+hint_extract_launch_agent_program_path() {
+ local plist="$1"
+ local program=""
+
+ program=$(plutil -extract ProgramArguments.0 raw "$plist" 2> /dev/null || echo "")
+ if [[ -z "$program" ]]; then
+ program=$(plutil -extract Program raw "$plist" 2> /dev/null || echo "")
+ fi
+
+ printf '%s\n' "$program"
+}
+
+# shellcheck disable=SC2329
+hint_extract_launch_agent_associated_bundle() {
+ local plist="$1"
+ local associated=""
+
+ associated=$(plutil -extract AssociatedBundleIdentifiers.0 raw "$plist" 2> /dev/null || echo "")
+ if [[ -z "$associated" ]] || [[ "$associated" == "1" ]]; then
+ associated=$(plutil -extract AssociatedBundleIdentifiers raw "$plist" 2> /dev/null || echo "")
+ if [[ "$associated" == "{"* ]] || [[ "$associated" == "["* ]]; then
+ associated=""
+ fi
+ fi
+
+ printf '%s\n' "$associated"
+}
+
+# shellcheck disable=SC2329
+hint_is_app_scoped_launch_target() {
+ local program="$1"
+
+ case "$program" in
+ /Applications/Setapp/*.app/* | \
+ /Applications/*.app/* | \
+ "$HOME"/Applications/*.app/* | \
+ /Library/Input\ Methods/*.app/* | \
+ /Library/PrivilegedHelperTools/*)
+ return 0
+ ;;
+ esac
+
+ return 1
+}
+
+# shellcheck disable=SC2329
+hint_launch_agent_bundle_exists() {
+ local bundle_id="$1"
+
+ [[ -z "$bundle_id" ]] && return 1
+
+ if run_with_timeout 2 mdfind "kMDItemCFBundleIdentifier == '$bundle_id'" 2> /dev/null | head -1 | grep -q .; then
+ return 0
+ fi
+
+ return 1
+}
+
# shellcheck disable=SC2329
record_project_artifact_hint() {
local path="$1"
@@ -351,3 +410,58 @@ show_project_artifact_hint_notice() {
fi
echo -e " ${GRAY}${ICON_REVIEW}${NC} Review: mo purge"
}
+
+# shellcheck disable=SC2329
+show_user_launch_agent_hint_notice() {
+ local launch_agents_dir="$HOME/Library/LaunchAgents"
+ [[ -d "$launch_agents_dir" ]] || return 0
+
+ local max_hits=3
+ local -a labels=()
+ local -a reasons=()
+ local -a targets=()
+ local plist
+
+ while IFS= read -r -d '' plist; do
+ local filename
+ filename=$(basename "$plist")
+ [[ "$filename" == com.apple.* ]] && continue
+
+ local reason=""
+ local target=""
+ local program=""
+ local associated=""
+
+ program=$(hint_extract_launch_agent_program_path "$plist")
+ if [[ -n "$program" ]] && hint_is_app_scoped_launch_target "$program" && [[ ! -e "$program" ]]; then
+ reason="Missing app/helper target"
+ target="${program/#$HOME/~}"
+ else
+ associated=$(hint_extract_launch_agent_associated_bundle "$plist")
+ if [[ -n "$associated" ]] && ! hint_launch_agent_bundle_exists "$associated"; then
+ reason="Associated app not found"
+ target="$associated"
+ fi
+ fi
+
+ if [[ -n "$reason" ]]; then
+ labels+=("$filename")
+ reasons+=("$reason")
+ targets+=("$target")
+ if [[ ${#labels[@]} -ge $max_hits ]]; then
+ break
+ fi
+ fi
+ done < <(find "$launch_agents_dir" -maxdepth 1 -name "*.plist" -print0 2> /dev/null)
+
+ [[ ${#labels[@]} -eq 0 ]] && return 0
+
+ note_activity
+
+ local i
+ for i in "${!labels[@]}"; do
+ echo -e " ${GREEN}${ICON_LIST}${NC} Potential stale login item: ${labels[$i]}"
+ echo -e " ${GRAY}${ICON_SUBLIST}${NC} ${reasons[$i]}: ${GRAY}${targets[$i]}${NC}"
+ done
+ echo -e " ${GRAY}${ICON_REVIEW}${NC} Review: open ~/Library/LaunchAgents and remove only items you recognize"
+}
diff --git a/tests/clean_apps.bats b/tests/clean_apps.bats
index 0fafe10..2fc7cdd 100644
--- a/tests/clean_apps.bats
+++ b/tests/clean_apps.bats
@@ -412,142 +412,31 @@ EOF
[[ "$output" != *"launchctl-called"* ]]
}
-@test "is_launch_item_orphaned detects orphan when program missing" {
- run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc <<'EOF'
-set -euo pipefail
-source "$PROJECT_ROOT/lib/core/common.sh"
-source "$PROJECT_ROOT/lib/clean/apps.sh"
-
-tmp_dir="$(mktemp -d)"
-tmp_plist="$tmp_dir/com.test.orphan.plist"
-
-cat > "$tmp_plist" << 'PLIST'
-
-
-
-
- Label
- com.test.orphan
- ProgramArguments
-
- /nonexistent/app/program
-
-
-
-PLIST
-
-run_with_timeout() { shift; "$@"; }
-
-if is_launch_item_orphaned "$tmp_plist"; then
- echo "orphan"
-fi
-
-rm -rf "$tmp_dir"
-EOF
-
- [ "$status" -eq 0 ]
- [[ "$output" == *"orphan"* ]]
-}
-
-@test "is_launch_item_orphaned protects when program exists" {
- run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc <<'EOF'
-set -euo pipefail
-source "$PROJECT_ROOT/lib/core/common.sh"
-source "$PROJECT_ROOT/lib/clean/apps.sh"
-
-tmp_dir="$(mktemp -d)"
-tmp_plist="$tmp_dir/com.test.active.plist"
-tmp_program="$tmp_dir/program"
-touch "$tmp_program"
-
-cat > "$tmp_plist" << PLIST
-
-
-
-
- Label
- com.test.active
- ProgramArguments
-
- $tmp_program
-
-
-
-PLIST
-
-run_with_timeout() { shift; "$@"; }
-
-if is_launch_item_orphaned "$tmp_plist"; then
- echo "orphan"
-else
- echo "not-orphan"
-fi
-
-rm -rf "$tmp_dir"
-EOF
-
- [ "$status" -eq 0 ]
- [[ "$output" == *"not-orphan"* ]]
-}
-
-@test "is_launch_item_orphaned protects when app support active" {
- run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc <<'EOF'
-set -euo pipefail
-source "$PROJECT_ROOT/lib/core/common.sh"
-source "$PROJECT_ROOT/lib/clean/apps.sh"
-
-tmp_dir="$(mktemp -d)"
-tmp_plist="$tmp_dir/com.test.appsupport.plist"
-
-mkdir -p "$HOME/Library/Application Support/TestApp"
-touch "$HOME/Library/Application Support/TestApp/recent.txt"
-
-cat > "$tmp_plist" << 'PLIST'
-
-
-
-
- Label
- com.test.appsupport
- ProgramArguments
-
- $HOME/Library/Application Support/TestApp/Current/app
-
-
-
-PLIST
-
-run_with_timeout() { shift; "$@"; }
-
-if is_launch_item_orphaned "$tmp_plist"; then
- echo "orphan"
-else
- echo "not-orphan"
-fi
-
-rm -rf "$tmp_dir"
-rm -rf "$HOME/Library/Application Support/TestApp"
-EOF
-
- [ "$status" -eq 0 ]
- [[ "$output" == *"not-orphan"* ]]
-}
-
-@test "clean_orphaned_launch_agents skips when no orphans" {
+@test "clean_orphaned_launch_agents preserves user launch agents" {
run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc <<'EOF'
set -euo pipefail
source "$PROJECT_ROOT/lib/core/common.sh"
source "$PROJECT_ROOT/lib/clean/apps.sh"
mkdir -p "$HOME/Library/LaunchAgents"
+cat > "$HOME/Library/LaunchAgents/com.example.custom-task.plist" <<'PLIST'
+
+
+
+
+ Label
+ com.example.custom-task
+
+
+PLIST
start_section_spinner() { :; }
stop_section_spinner() { :; }
note_activity() { :; }
-get_path_size_kb() { echo "1"; }
-run_with_timeout() { shift; "$@"; }
clean_orphaned_launch_agents
+
+[[ -f "$HOME/Library/LaunchAgents/com.example.custom-task.plist" ]]
EOF
[ "$status" -eq 0 ]
diff --git a/tests/clean_core.bats b/tests/clean_core.bats
index 836c15e..30bed50 100644
--- a/tests/clean_core.bats
+++ b/tests/clean_core.bats
@@ -98,6 +98,29 @@ run_clean_dry_run() {
[ -f "$HOME/Library/Caches/TestApp/cache.tmp" ]
}
+@test "mo clean --dry-run reports stale login item without deleting it" {
+ mkdir -p "$HOME/Library/LaunchAgents"
+ cat > "$HOME/Library/LaunchAgents/com.example.stale.plist" <<'PLIST'
+
+
+
+
+ Label
+ com.example.stale
+ ProgramArguments
+
+ /Applications/Missing.app/Contents/MacOS/Missing
+
+
+
+PLIST
+
+ run env HOME="$HOME" MOLE_TEST_MODE=1 "$PROJECT_ROOT/mole" clean --dry-run
+ [ "$status" -eq 0 ]
+ [[ "$output" == *"Potential stale login item: com.example.stale.plist"* ]]
+ [ -f "$HOME/Library/LaunchAgents/com.example.stale.plist" ]
+}
+
@test "mo clean honors whitelist entries" {
mkdir -p "$HOME/Library/Caches/WhitelistedApp"
echo "keep me" > "$HOME/Library/Caches/WhitelistedApp/data.tmp"
@@ -322,4 +345,3 @@ EOF
[ "$status" -eq 0 ]
[[ "$output" == *"Time Machine backup in progress, skipping cleanup"* ]]
}
-
diff --git a/tests/clean_hints.bats b/tests/clean_hints.bats
index 04ab24f..c3138a6 100644
--- a/tests/clean_hints.bats
+++ b/tests/clean_hints.bats
@@ -97,3 +97,65 @@ EOT3
[[ "$output" == *"~/Library/Developer/Xcode/DerivedData"* ]]
[[ "$output" == *"Review: mo analyze, Device backups, docker system df"* ]]
}
+
+@test "show_user_launch_agent_hint_notice reports missing app-backed target" {
+ mkdir -p "$HOME/Library/LaunchAgents"
+ cat > "$HOME/Library/LaunchAgents/com.example.stale.plist" <<'PLIST'
+
+
+
+
+ Label
+ com.example.stale
+ ProgramArguments
+
+ /Applications/Missing.app/Contents/MacOS/Missing
+
+
+
+PLIST
+
+ run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc <<'EOT4'
+set -euo pipefail
+source "$PROJECT_ROOT/lib/core/common.sh"
+source "$PROJECT_ROOT/lib/clean/hints.sh"
+note_activity() { :; }
+show_user_launch_agent_hint_notice
+EOT4
+
+ [ "$status" -eq 0 ]
+ [[ "$output" == *"Potential stale login item: com.example.stale.plist"* ]]
+ [[ "$output" == *"Missing app/helper target"* ]]
+ [[ "$output" == *"Review: open ~/Library/LaunchAgents"* ]]
+}
+
+@test "show_user_launch_agent_hint_notice skips custom shell wrappers" {
+ mkdir -p "$HOME/Library/LaunchAgents"
+ cat > "$HOME/Library/LaunchAgents/com.example.custom.plist" <<'PLIST'
+
+
+
+
+ Label
+ com.example.custom
+ ProgramArguments
+
+ /bin/bash
+ -c
+ $HOME/bin/custom-task
+
+
+
+PLIST
+
+ run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc <<'EOT5'
+set -euo pipefail
+source "$PROJECT_ROOT/lib/core/common.sh"
+source "$PROJECT_ROOT/lib/clean/hints.sh"
+note_activity() { :; }
+show_user_launch_agent_hint_notice
+EOT5
+
+ [ "$status" -eq 0 ]
+ [[ -z "$output" ]]
+}