From ee1f2bd3726e871f809486b0b27a4e605bf368b3 Mon Sep 17 00:00:00 2001
From: Luke Bullimore <112502129+injuxtice@users.noreply.github.com>
Date: Wed, 25 Feb 2026 02:22:56 +0000
Subject: [PATCH] Fix --dry-run hiding system cleanup preview (#493)

The dry-run mode hardcoded SYSTEM_CLEAN=false, which meant
the entire system section was silently skipped during preview.
Users had no way to see what /Library/Caches, /private/var/log,
diagnostics, or other sudo-required paths would be cleaned.

Now dry-run checks for a cached sudo session (sudo -n) and
includes the system preview when available. When sudo isn't
cached, a hint tells the user how to get the full preview
without running the whole script as root.
---
 bin/clean.sh          | 12 +++++++++++-
 tests/clean_core.bats | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/bin/clean.sh b/bin/clean.sh
index c0e7d01..b5f16ea 100755
--- a/bin/clean.sh
+++ b/bin/clean.sh
@@ -717,7 +717,6 @@ start_cleanup() {
     if [[ "$DRY_RUN" == "true" ]]; then
         echo -e "${YELLOW}Dry Run Mode${NC}, Preview only, no deletions"
         echo ""
-        SYSTEM_CLEAN=false
 
         ensure_user_file "$EXPORT_LIST_FILE"
         cat > "$EXPORT_LIST_FILE" << EOF
@@ -732,6 +731,17 @@ start_cleanup() {
 #
 
 EOF
+
+        # Preview system section when sudo is already cached (no password prompt).
+        if sudo -n true 2> /dev/null; then
+            SYSTEM_CLEAN=true
+            echo -e "${GREEN}${ICON_SUCCESS}${NC} Admin access available, system preview included"
+            echo ""
+        else
+            SYSTEM_CLEAN=false
+            echo -e "${GRAY}${ICON_WARNING} System caches need sudo, run ${NC}sudo -v && mo clean --dry-run${GRAY} for full preview${NC}"
+            echo ""
+        fi
         return
     fi
 
diff --git a/tests/clean_core.bats b/tests/clean_core.bats
index 3994c64..0b78f6a 100644
--- a/tests/clean_core.bats
+++ b/tests/clean_core.bats
@@ -34,6 +34,42 @@ setup() {
     [[ "$output" != *"Deep system-level cleanup"* ]]
 }
 
+@test "mo clean --dry-run includes system preview when sudo is cached" {
+    local mock_bin="$HOME/bin"
+    mkdir -p "$mock_bin"
+    cat > "$mock_bin/sudo" << 'MOCK'
+#!/bin/bash
+# Shim: sudo -n true succeeds, all other sudo calls are no-ops.
+if [[ "$1" == "-n" && "$2" == "true" ]]; then exit 0; fi
+if [[ "$1" == "test" ]]; then exit 1; fi
+if [[ "$1" == "find" ]]; then exit 0; fi
+exit 0
+MOCK
+    chmod +x "$mock_bin/sudo"
+
+    run env HOME="$HOME" MOLE_TEST_MODE=1 PATH="$mock_bin:$PATH" \
+        "$PROJECT_ROOT/mole" clean --dry-run
+    [ "$status" -eq 0 ]
+    [[ "$output" == *"system preview included"* ]]
+}
+
+@test "mo clean --dry-run shows hint when sudo is not cached" {
+    local mock_bin="$HOME/bin"
+    mkdir -p "$mock_bin"
+    cat > "$mock_bin/sudo" << 'MOCK'
+#!/bin/bash
+# Shim: sudo -n always fails (no cached credentials).
+exit 1
+MOCK
+    chmod +x "$mock_bin/sudo"
+
+    run env HOME="$HOME" MOLE_TEST_MODE=1 PATH="$mock_bin:$PATH" \
+        "$PROJECT_ROOT/mole" clean --dry-run
+    [ "$status" -eq 0 ]
+    [[ "$output" == *"sudo -v"* ]]
+    [[ "$output" == *"full preview"* ]]
+}
+
 @test "mo clean --dry-run reports user cache without deleting it" {
     mkdir -p "$HOME/Library/Caches/TestApp"
     echo "cache data" > "$HOME/Library/Caches/TestApp/cache.tmp"