Merge branch 'main' into dev

.gitignore

@@ -41,6 +41,9 @@ temp/
 
 # AI Assistant Instructions
 .claude/
+.gemini/
+CLAUDE.md
+GEMINI.md
 .cursorrules
 
 # Go build artifacts (development)

CLAUDE.md

@@ -1 +0,0 @@
-AGENT.md

GEMINI.md

@@ -1 +0,0 @@
-AGENT.md

SECURITY_AUDIT.md

@@ -1,8 +1,8 @@
 # Mole Security Audit Report
 
-**Date:** December 12, 2025
+**Date:** December 14, 2025
 
-**Audited Version:** Current `main` branch
+**Audited Version:** Current `main` branch (V1.12.25)
 
 **Status:** Passed
 
@@ -53,7 +53,7 @@ Mole's "Smart Uninstall" and orphan detection (`lib/clean/apps.sh`) are intentio
 - **Active Uninstallation Heuristics**
     When a user explicitly selects an app for uninstallation, Mole employs advanced heuristics to find scattered remnants (e.g., "Visual Studio Code" -> `~/.vscode`, `~/Library/Application Support/VisualStudioCode`).
   - **Sanitized Name Matching**: We search for app name variations to catch non-standard folder naming.
-  - **Safety Constraints**: Fuzzy matching and sanitized name searches are **strictly disabled** for app names shorter than 4 characters to prevent false positives.
+  - **Safety Constraints**: Fuzzy matching and sanitized name searches are **strictly disabled** for app names shorter than 3 characters to prevent false positives.
   - **System Scope**: Mole scans specific system-level directories (`/Library/LaunchAgents`, etc.) for related components.
 
 - **System Integrity Protection (SIP) Awareness**
@@ -65,6 +65,12 @@ Mole's "Smart Uninstall" and orphan detection (`lib/clean/apps.sh`) are intentio
 - **VPN & Proxy Protection**
     Mole includes a comprehensive protection layer for VPN and Proxy applications (e.g., Shadowsocks, V2Ray, Tailscale). It protects both their application bundles and data directories from automated cleanup to prevent network configuration loss.
 
+- **AI & LLM Data Protection (New in v1.12.25)**
+    Mole now explicitly protects data for AI tools (Cursor, Claude, ChatGPT, Ollama, LM Studio, etc.). Both the automated cleaning logic (`bin/clean.sh`) and orphan detection (`lib/core/app_protection.sh`) exclude these applications to prevent loss of:
+  - Local LLM models (which can be gigabytes in size).
+  - Authentication tokens and session states.
+  - Chat history and local configurations.
+
 ## 4. Atomic Operations & Crash Safety
 
 We anticipate that scripts can be interrupted (e.g., power loss, `Ctrl+C`).

bin/clean.sh

@@ -223,7 +223,7 @@ safe_clean() {
 
         # Hard-coded protection for critical apps (cannot be disabled by user)
         case "$path" in
-            *clash* | *Clash* | *surge* | *Surge* | *mihomo* | *openvpn* | *OpenVPN* | *verge* | *Verge* | *shadowsocks* | *Shadowsocks* | *v2ray* | *V2Ray* | *sing-box* | *tailscale* | *nordvpn* | *NordVPN* | *expressvpn* | *ExpressVPN* | *protonvpn* | *ProtonVPN* | *mullvad* | *Mullvad* | *hiddify* | *Hiddify* | *loon* | *Loon*)
+            *clash* | *Clash* | *surge* | *Surge* | *mihomo* | *openvpn* | *OpenVPN* | *verge* | *Verge* | *shadowsocks* | *Shadowsocks* | *v2ray* | *V2Ray* | *sing-box* | *tailscale* | *nordvpn* | *NordVPN* | *expressvpn* | *ExpressVPN* | *protonvpn* | *ProtonVPN* | *mullvad* | *Mullvad* | *hiddify* | *Hiddify* | *loon* | *Loon* | *Cursor* | *cursor* | *Claude* | *claude* | *ChatGPT* | *chatgpt* | *Ollama* | *ollama* | *lmstudio* | *Chatbox* | *Gemini* | *gemini* | *Perplexity* | *perplexity* | *Windsurf* | *windsurf* | *Poe* | *poe* | *DiffusionBee* | *diffusionbee* | *DrawThings* | *drawthings*)
                 skip=true
                 ((skipped_count++))
                 ;;

lib/clean/user.sh

@@ -137,7 +137,9 @@ clean_sandboxed_app_caches() {
                     # Clean contents safely
                     # We know this is a user cache path, so rm -rf is acceptable here
                     # provided we keep the Cache directory itself
-                    rm -rf "${cache_dir:?}"/* 2> /dev/null || true
+                    for item in "${cache_dir:?}"/*; do
+                        safe_remove "$item" true || true
+                    done
                 fi
             fi
         fi

lib/core/app_protection.sh

@@ -109,6 +109,30 @@ readonly DATA_PROTECTED_BUNDLES=(
     "abnerworks.Typora"            # Typora (Markdown editor)
     "com.uranusjr.macdown"         # MacDown
 
+    # ============================================================================
+    # AI & LLM Tools
+    # ============================================================================
+    "com.todesktop.*"             # Cursor (often uses generic todesktop ID)
+    "Cursor"                      # Cursor App Support
+    "com.anthropic.claude*"       # Claude
+    "Claude"                      # Claude App Support
+    "com.openai.chat*"            # ChatGPT
+    "ChatGPT"                     # ChatGPT App Support
+    "com.ollama.ollama"           # Ollama
+    "Ollama"                      # Ollama App Support
+    "com.lmstudio.lmstudio"       # LM Studio
+    "LM Studio"                   # LM Studio App Support
+    "co.supertool.chatbox"        # Chatbox
+    "page.jan.jan"                # Jan
+    "com.huggingface.huggingchat" # HuggingChat
+    "Gemini"                      # Gemini
+    "com.perplexity.Perplexity"   # Perplexity
+    "com.drawthings.DrawThings"   # Draw Things
+    "com.divamgupta.diffusionbee" # DiffusionBee
+    "com.exafunction.windsurf"    # Windsurf
+    "com.quora.poe.electron"      # Poe
+    "chat.openai.com.*"           # OpenAI web wrappers
+
     # ============================================================================
     # Development Tools - Database Clients
     # ============================================================================

mole

@@ -22,7 +22,7 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "$SCRIPT_DIR/lib/core/common.sh"
 
 # Version info
-VERSION="1.12.24"
+VERSION="1.12.25"
 MOLE_TAGLINE="can dig deep to clean your Mac."
 
 # Check if Touch ID is already configured