Parallelize status metric collection, enhance debug logging with a dedicated file and system info, update security audit for swap clearing, and remove orphaned cask cleaning.

lib/core/app_protection.sh

@@ -685,6 +685,107 @@ find_app_system_files() {
     if [[ ${#system_files[@]} -gt 0 ]]; then
         printf '%s\n' "${system_files[@]}"
     fi
+
+    # Find files from receipts (Deep Scan)
+    find_app_receipt_files "$bundle_id"
+}
+
+# Find files from installation receipts (Bom files)
+find_app_receipt_files() {
+    local bundle_id="$1"
+
+    # Skip if no bundle ID
+    [[ -z "$bundle_id" || "$bundle_id" == "unknown" ]] && return 0
+
+    local -a receipt_files=()
+    local -a bom_files=()
+
+    # Find receipts matching the bundle ID
+    # Usually in /var/db/receipts/
+    if [[ -d /private/var/db/receipts ]]; then
+        while IFS= read -r -d '' bom; do
+            bom_files+=("$bom")
+        done < <(find /private/var/db/receipts -name "${bundle_id}*.bom" -print0 2> /dev/null)
+    fi
+
+    for bom_file in "${bom_files[@]}"; do
+        [[ ! -f "$bom_file" ]] && continue
+
+        # Parse bom file
+        # lsbom -f: file paths only
+        # -s: suppress output (convert to text)
+        local bom_content
+        bom_content=$(lsbom -f -s "$bom_file" 2> /dev/null)
+
+        while IFS= read -r file_path; do
+            # Standardize path (remove leading dot)
+            local clean_path="${file_path#.}"
+
+            # Ensure it starts with /
+            if [[ "$clean_path" != /* ]]; then
+                clean_path="/$clean_path"
+            fi
+
+            # ------------------------------------------------------------------------
+            # SAFETY FILTER: Only allow specific removal paths
+            # ------------------------------------------------------------------------
+            local is_safe=false
+
+            # Whitelisted prefixes
+            case "$clean_path" in
+                /Applications/*) is_safe=true ;;
+                /Users/*)        is_safe=true ;;
+                /usr/local/*)    is_safe=true ;;
+                /opt/*)          is_safe=true ;;
+                /Library/*)
+                    # Filter sub-paths in /Library to avoid system damage
+                    # Allow safely: Application Support, Caches, Logs, Preferences
+                    case "$clean_path" in
+                        /Library/Application\ Support/*) is_safe=true ;;
+                        /Library/Caches/*)               is_safe=true ;;
+                        /Library/Logs/*)                 is_safe=true ;;
+                        /Library/Preferences/*)          is_safe=true ;;
+                        /Library/PrivilegedHelperTools/*) is_safe=true ;;
+                        /Library/LaunchAgents/*)         is_safe=true ;;
+                        /Library/LaunchDaemons/*)        is_safe=true ;;
+                        /Library/Internet\ Plug-Ins/*)   is_safe=true ;;
+                        /Library/Audio/Plug-Ins/*)       is_safe=true ;;
+                        /Library/Extensions/*)           is_safe=false ;; # Default unsafe
+                        *) is_safe=false ;;
+                    esac
+                    ;;
+            esac
+
+            # Hard blocks
+            case "$clean_path" in
+                /System/*|/usr/bin/*|/usr/lib/*|/bin/*|/sbin/*) is_safe=false ;;
+            esac
+
+            if [[ "$is_safe" == "true" && -e "$clean_path" ]]; then
+                # Only valid files
+                # Don't delete directories if they are non-empty parents?
+                # lsbom lists directories too.
+                # If we return a directory, `safe_remove` logic handles it.
+                # `uninstall.sh` uses `remove_file_list`.
+                # If `lsbom` lists `/Applications` (it shouldn't, only contents), we must be careful.
+                # `lsbom` usually lists `./Applications/MyApp.app`.
+                # If it lists `./Applications`, we must skip it.
+
+                # Extra check: path must be deep enough?
+                # If path is just "/Applications", skip.
+                if [[ "$clean_path" == "/Applications" || "$clean_path" == "/Library" || "$clean_path" == "/usr/local" ]]; then
+                   continue
+                fi
+
+                receipt_files+=("$clean_path")
+            fi
+
+        done <<< "$bom_content"
+    done
+
+    if [[ ${#receipt_files[@]} -gt 0 ]]; then
+        printf '%s\n' "${receipt_files[@]}"
+    fi
 }
 
 # Force quit an application

lib/core/common.sh

@@ -15,6 +15,7 @@ _MOLE_CORE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # Load core modules in dependency order
 source "$_MOLE_CORE_DIR/base.sh"
 source "$_MOLE_CORE_DIR/log.sh"
+
 source "$_MOLE_CORE_DIR/timeout.sh"
 source "$_MOLE_CORE_DIR/file_ops.sh"
 source "$_MOLE_CORE_DIR/ui.sh"

lib/core/log.sh

@@ -22,6 +22,7 @@ fi
 # ============================================================================
 
 readonly LOG_FILE="${HOME}/.config/mole/mole.log"
+readonly DEBUG_LOG_FILE="${HOME}/.config/mole/mole_debug_session.log"
 readonly LOG_MAX_SIZE_DEFAULT=1048576 # 1MB
 
 # Ensure log directory exists
@@ -53,28 +54,44 @@ rotate_log_once() {
 # Args: $1 - message
 log_info() {
     echo -e "${BLUE}$1${NC}"
-    echo "[$(date '+%Y-%m-%d %H:%M:%S')] INFO: $1" >> "$LOG_FILE" 2> /dev/null || true
+    local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
+    echo "[$timestamp] INFO: $1" >> "$LOG_FILE" 2> /dev/null || true
+    if [[ "${MO_DEBUG:-}" == "1" ]]; then
+        echo "[$timestamp] INFO: $1" >> "$DEBUG_LOG_FILE" 2> /dev/null || true
+    fi
 }
 
 # Log success message
 # Args: $1 - message
 log_success() {
     echo -e "  ${GREEN}${ICON_SUCCESS}${NC} $1"
-    echo "[$(date '+%Y-%m-%d %H:%M:%S')] SUCCESS: $1" >> "$LOG_FILE" 2> /dev/null || true
+    local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
+    echo "[$timestamp] SUCCESS: $1" >> "$LOG_FILE" 2> /dev/null || true
+    if [[ "${MO_DEBUG:-}" == "1" ]]; then
+        echo "[$timestamp] SUCCESS: $1" >> "$DEBUG_LOG_FILE" 2> /dev/null || true
+    fi
 }
 
 # Log warning message
 # Args: $1 - message
 log_warning() {
     echo -e "${YELLOW}$1${NC}"
-    echo "[$(date '+%Y-%m-%d %H:%M:%S')] WARNING: $1" >> "$LOG_FILE" 2> /dev/null || true
+    local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
+    echo "[$timestamp] WARNING: $1" >> "$LOG_FILE" 2> /dev/null || true
+    if [[ "${MO_DEBUG:-}" == "1" ]]; then
+        echo "[$timestamp] WARNING: $1" >> "$DEBUG_LOG_FILE" 2> /dev/null || true
+    fi
 }
 
 # Log error message
 # Args: $1 - message
 log_error() {
     echo -e "${RED}${ICON_ERROR}${NC} $1" >&2
-    echo "[$(date '+%Y-%m-%d %H:%M:%S')] ERROR: $1" >> "$LOG_FILE" 2> /dev/null || true
+    local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
+    echo "[$timestamp] ERROR: $1" >> "$LOG_FILE" 2> /dev/null || true
+    if [[ "${MO_DEBUG:-}" == "1" ]]; then
+        echo "[$timestamp] ERROR: $1" >> "$DEBUG_LOG_FILE" 2> /dev/null || true
+    fi
 }
 
 # Debug logging - only shown when MO_DEBUG=1
@@ -82,9 +99,46 @@ log_error() {
 debug_log() {
     if [[ "${MO_DEBUG:-}" == "1" ]]; then
         echo -e "${GRAY}[DEBUG]${NC} $*" >&2
+        echo "[$(date '+%Y-%m-%d %H:%M:%S')] DEBUG: $*" >> "$DEBUG_LOG_FILE" 2> /dev/null || true
     fi
 }
 
+# Log system information for debugging
+log_system_info() {
+    # Only allow once per session
+    [[ -n "${MOLE_SYS_INFO_LOGGED:-}" ]] && return 0
+    export MOLE_SYS_INFO_LOGGED=1
+
+    # Reset debug log file for this new session
+    : > "$DEBUG_LOG_FILE"
+
+    # Start block in debug log file
+    {
+        echo "----------------------------------------------------------------------"
+        echo "Mole Debug Session - $(date '+%Y-%m-%d %H:%M:%S')"
+        echo "----------------------------------------------------------------------"
+        echo "User: $USER"
+        echo "Hostname: $(hostname)"
+        echo "Architecture: $(uname -m)"
+        echo "Kernel: $(uname -r)"
+        if command -v sw_vers > /dev/null; then
+            echo "macOS: $(sw_vers -productVersion) ($(sw_vers -buildVersion))"
+        fi
+        echo "Shell: ${SHELL:-unknown} (${TERM:-unknown})"
+
+        # Check sudo status non-interactively
+        if sudo -n true 2>/dev/null; then
+            echo "Sudo Access: Active"
+        else
+            echo "Sudo Access: Required"
+        fi
+        echo "----------------------------------------------------------------------"
+    } >> "$DEBUG_LOG_FILE" 2> /dev/null || true
+
+    # Notification to stderr
+    echo -e "${GRAY}[DEBUG] Debug logging enabled. Session log: $DEBUG_LOG_FILE${NC}" >&2
+}
+
 # ============================================================================
 # Command Execution Wrappers
 # ============================================================================
@@ -100,9 +154,17 @@ run_silent() {
 # Returns: command exit code
 run_logged() {
     local cmd="$1"
-    if ! "$@" 2>&1 | tee -a "$LOG_FILE" > /dev/null; then
-        log_warning "Command failed: $cmd"
-        return 1
+    # Log to main file, and also to debug file if enabled
+    if [[ "${MO_DEBUG:-}" == "1" ]]; then
+        if ! "$@" 2>&1 | tee -a "$LOG_FILE" | tee -a "$DEBUG_LOG_FILE" > /dev/null; then
+            log_warning "Command failed: $cmd"
+            return 1
+        fi
+    else
+        if ! "$@" 2>&1 | tee -a "$LOG_FILE" > /dev/null; then
+            log_warning "Command failed: $cmd"
+            return 1
+        fi
     fi
     return 0
 }
@@ -143,6 +205,11 @@ print_summary_block() {
         echo -e "${detail}"
     done
     echo "$divider"
+
+    # If debug mode is on, remind user about the log file location
+    if [[ "${MO_DEBUG:-}" == "1" ]]; then
+        echo -e "${GRAY}Debug session log saved to:${NC} ${DEBUG_LOG_FILE}"
+    fi
 }
 
 # ============================================================================
@@ -151,3 +218,8 @@ print_summary_block() {
 
 # Perform log rotation check on module load
 rotate_log_once
+
+# If debug mode is enabled, log system info immediately
+if [[ "${MO_DEBUG:-}" == "1" ]]; then
+    log_system_info
+fi