diff --git a/SECURITY_AUDIT.md b/SECURITY_AUDIT.md index 5943c4c..54fb445 100644 --- a/SECURITY_AUDIT.md +++ b/SECURITY_AUDIT.md @@ -13,6 +13,25 @@ Version 1.27.0 | 2026-02-21 - Group Containers cleanup now builds an explicit candidate list first, then filters protected/whitelisted items before deletion. - `bin/clean.sh` dry-run export temp files rely on tracked temp lifecycle (`create_temp_file()` + trap cleanup) to avoid orphan temp artifacts. - Added/updated regression coverage in `tests/clean_system_maintenance.bats`, `tests/clean_core.bats`, and `tests/clean_user_core.bats` for the new safe-deletion flow. +- Added conservative support-cache cleanup in `lib/clean/user.sh`: + - `~/Library/Application Support/CrashReporter` files older than 30 days + - `~/Library/Application Support/com.apple.idleassetsd` files older than 30 days + - `~/Library/Messages/StickerCache` and `~/Library/Messages/Caches/Previews/*` caches only +- Explicitly kept `~/Library/Messages/Attachments` and `~/Library/Metadata/CoreSpotlight` out of automatic cleanup to avoid user-data or indexing risk. +- Added low-risk cache coverage in `lib/clean/app_caches.sh`: + - `~/Library/Logs/CoreSimulator/*` + - Adobe media cache (`~/Library/Application Support/Adobe/Common/Media Cache Files/*`) + - Steam app/depot/shader/log caches and Minecraft/Lunar Client log/cache directories + - Legacy Microsoft Teams cache/log/temp directories under `~/Library/Application Support/Microsoft/Teams/*` + - `~/.cacher/logs/*` and `~/.kite/logs/*` +- Added conservative third-party system log cleanup in `lib/clean/system.sh`: + - `/Library/Logs/Adobe/*` and `/Library/Logs/CreativeCloud/*` older files only + - `/Library/Logs/adobegc.log` only when older than log retention +- Explicitly did not add high-risk cleanup defaults for: + - `/private/var/folders/*` broad deletion + - `~/Library/Application Support/MobileSync/Backup/*` + - Browser history/cookie databases (e.g., Arc History/Cookies/Web Data) + - Destructive container/image pruning commands by default **Uninstall audit, Jan 2026:** diff --git a/lib/clean/app_caches.sh b/lib/clean/app_caches.sh index c4ae7a7..d99ebea 100644 --- a/lib/clean/app_caches.sh +++ b/lib/clean/app_caches.sh @@ -13,12 +13,15 @@ clean_xcode_tools() { safe_clean ~/Library/Caches/com.apple.dt.Xcode/* "Xcode cache" safe_clean ~/Library/Developer/Xcode/iOS\ Device\ Logs/* "iOS device logs" safe_clean ~/Library/Developer/Xcode/watchOS\ Device\ Logs/* "watchOS device logs" + safe_clean ~/Library/Logs/CoreSimulator/* "CoreSimulator logs" safe_clean ~/Library/Developer/Xcode/Products/* "Xcode build products" if [[ "$xcode_running" == "false" ]]; then safe_clean ~/Library/Developer/Xcode/DerivedData/* "Xcode derived data" safe_clean ~/Library/Developer/Xcode/Archives/* "Xcode archives" + safe_clean ~/Library/Developer/Xcode/DocumentationCache/* "Xcode documentation cache" + safe_clean ~/Library/Developer/Xcode/DocumentationIndex/* "Xcode documentation index" else - echo -e " ${GRAY}${ICON_WARNING}${NC} Xcode is running, skipping DerivedData and Archives cleanup" + echo -e " ${GRAY}${ICON_WARNING}${NC} Xcode is running, skipping DerivedData/Archives/Documentation cleanup" fi } # Code editors. @@ -43,6 +46,12 @@ clean_communication_apps() { safe_clean ~/Library/Caches/com.tencent.meeting/* "Tencent Meeting cache" safe_clean ~/Library/Caches/com.tencent.WeWorkMac/* "WeCom cache" safe_clean ~/Library/Caches/com.feishu.*/* "Feishu cache" + safe_clean ~/Library/Application\ Support/Microsoft/Teams/Cache/* "Microsoft Teams legacy cache" + safe_clean ~/Library/Application\ Support/Microsoft/Teams/Application\ Cache/* "Microsoft Teams legacy application cache" + safe_clean ~/Library/Application\ Support/Microsoft/Teams/Code\ Cache/* "Microsoft Teams legacy code cache" + safe_clean ~/Library/Application\ Support/Microsoft/Teams/GPUCache/* "Microsoft Teams legacy GPU cache" + safe_clean ~/Library/Application\ Support/Microsoft/Teams/logs/* "Microsoft Teams legacy logs" + safe_clean ~/Library/Application\ Support/Microsoft/Teams/tmp/* "Microsoft Teams legacy temp files" } # DingTalk. clean_dingtalk() { @@ -64,6 +73,7 @@ clean_design_tools() { safe_clean ~/Library/Caches/Adobe/* "Adobe cache" safe_clean ~/Library/Caches/com.adobe.*/* "Adobe app caches" safe_clean ~/Library/Caches/com.figma.Desktop/* "Figma cache" + safe_clean ~/Library/Application\ Support/Adobe/Common/Media\ Cache\ Files/* "Adobe media cache files" # Raycast cache is protected (clipboard history, images). } # Video editing tools. @@ -150,12 +160,25 @@ clean_download_managers() { clean_gaming_platforms() { safe_clean ~/Library/Caches/com.valvesoftware.steam/* "Steam cache" safe_clean ~/Library/Application\ Support/Steam/htmlcache/* "Steam web cache" + safe_clean ~/Library/Application\ Support/Steam/appcache/* "Steam app cache" + safe_clean ~/Library/Application\ Support/Steam/depotcache/* "Steam depot cache" + safe_clean ~/Library/Application\ Support/Steam/steamapps/shadercache/* "Steam shader cache" + safe_clean ~/Library/Application\ Support/Steam/logs/* "Steam logs" safe_clean ~/Library/Caches/com.epicgames.EpicGamesLauncher/* "Epic Games cache" safe_clean ~/Library/Caches/com.blizzard.Battle.net/* "Battle.net cache" safe_clean ~/Library/Application\ Support/Battle.net/Cache/* "Battle.net app cache" safe_clean ~/Library/Caches/com.ea.*/* "EA Origin cache" safe_clean ~/Library/Caches/com.gog.galaxy/* "GOG Galaxy cache" safe_clean ~/Library/Caches/com.riotgames.*/* "Riot Games cache" + safe_clean ~/Library/Application\ Support/minecraft/logs/* "Minecraft logs" + safe_clean ~/Library/Application\ Support/minecraft/crash-reports/* "Minecraft crash reports" + safe_clean ~/Library/Application\ Support/minecraft/webcache/* "Minecraft web cache" + safe_clean ~/Library/Application\ Support/minecraft/webcache2/* "Minecraft web cache 2" + safe_clean ~/.lunarclient/game-cache/* "Lunar Client game cache" + safe_clean ~/.lunarclient/launcher-cache/* "Lunar Client launcher cache" + safe_clean ~/.lunarclient/logs/* "Lunar Client logs" + safe_clean ~/.lunarclient/offline/*/logs/* "Lunar Client offline logs" + safe_clean ~/.lunarclient/offline/files/*/logs/* "Lunar Client offline file logs" } # Translation/dictionary apps. clean_translation_apps() { @@ -185,6 +208,8 @@ clean_shell_utils() { safe_clean ~/.lesshst "less history" safe_clean ~/.viminfo.tmp "Vim temporary files" safe_clean ~/.wget-hsts "wget HSTS cache" + safe_clean ~/.cacher/logs/* "Cacher logs" + safe_clean ~/.kite/logs/* "Kite logs" } # Input methods and system utilities. clean_system_utils() { diff --git a/lib/clean/system.sh b/lib/clean/system.sh index 755288e..e73f5b8 100644 --- a/lib/clean/system.sh +++ b/lib/clean/system.sh @@ -47,6 +47,25 @@ clean_deep_system() { fi stop_section_spinner log_success "System logs" + start_section_spinner "Cleaning third-party system logs..." + local -a third_party_log_dirs=( + "/Library/Logs/Adobe" + "/Library/Logs/CreativeCloud" + ) + local third_party_logs_cleaned=0 + local third_party_log_dir="" + for third_party_log_dir in "${third_party_log_dirs[@]}"; do + if sudo test -d "$third_party_log_dir" 2> /dev/null; then + safe_sudo_find_delete "$third_party_log_dir" "*" "$MOLE_LOG_AGE_DAYS" "f" || true + third_party_logs_cleaned=1 + fi + done + if sudo find "/Library/Logs" -maxdepth 1 -type f -name "adobegc.log" -mtime "+$MOLE_LOG_AGE_DAYS" -print -quit 2> /dev/null | grep -q .; then + safe_sudo_remove "/Library/Logs/adobegc.log" || true + third_party_logs_cleaned=1 + fi + stop_section_spinner + [[ $third_party_logs_cleaned -eq 1 ]] && log_success "Third-party system logs" start_section_spinner "Scanning system library updates..." if [[ -d "/Library/Updates" && ! -L "/Library/Updates" ]]; then local updates_cleaned=0 @@ -143,6 +162,7 @@ clean_deep_system() { log_success "Power logs" start_section_spinner "Cleaning memory exception reports..." local mem_reports_dir="/private/var/db/reportmemoryexception/MemoryLimitViolations" + local mem_cleaned=0 if sudo test -d "$mem_reports_dir" 2> /dev/null; then # Count and size old files before deletion local file_count=0 @@ -155,10 +175,12 @@ clean_deep_system() { done < <(sudo find "$mem_reports_dir" -type f -mtime +30 -print0 2> /dev/null || true) if [[ "$file_count" -gt 0 ]]; then - if [[ "${MOLE_DRY_RUN:-0}" != "1" ]]; then - safe_sudo_find_delete "$mem_reports_dir" "*" "30" "f" || true + if [[ "${DRY_RUN:-false}" != "true" ]]; then + if safe_sudo_find_delete "$mem_reports_dir" "*" "30" "f"; then + mem_cleaned=1 + fi # Log summary to operations.log - if oplog_enabled && [[ "$total_size_kb" -gt 0 ]]; then + if [[ $mem_cleaned -eq 1 ]] && oplog_enabled && [[ "$total_size_kb" -gt 0 ]]; then local size_human size_human=$(bytes_to_human "$((total_size_kb * 1024))") log_operation "clean" "REMOVED" "$mem_reports_dir" "$file_count files, $size_human" @@ -169,7 +191,10 @@ clean_deep_system() { fi fi stop_section_spinner - log_success "Memory exception reports" + if [[ $mem_cleaned -eq 1 ]]; then + log_success "Memory exception reports" + fi + return 0 } # Incomplete Time Machine backups. clean_time_machine_failed_backups() { diff --git a/lib/clean/user.sh b/lib/clean/user.sh index 8020778..3871003 100644 --- a/lib/clean/user.sh +++ b/lib/clean/user.sh @@ -394,6 +394,33 @@ clean_finder_metadata() { fi clean_ds_store_tree "$HOME" "Home directory, .DS_Store" } + +# Conservative cleanup for support caches not covered by generic rules. +clean_support_app_data() { + local support_age_days="${MOLE_SUPPORT_CACHE_AGE_DAYS:-30}" + [[ "$support_age_days" =~ ^[0-9]+$ ]] || support_age_days=30 + + local crash_reporter_dir="$HOME/Library/Application Support/CrashReporter" + if [[ -d "$crash_reporter_dir" && ! -L "$crash_reporter_dir" ]]; then + safe_find_delete "$crash_reporter_dir" "*" "$support_age_days" "f" || true + fi + + # Keep recent wallpaper assets to avoid large re-downloads. + local idle_assets_dir="$HOME/Library/Application Support/com.apple.idleassetsd" + if [[ -d "$idle_assets_dir" && ! -L "$idle_assets_dir" ]]; then + safe_find_delete "$idle_assets_dir" "*" "$support_age_days" "f" || true + fi + + # Do not touch Messages attachments, only preview/sticker caches. + if pgrep -x "Messages" > /dev/null 2>&1; then + echo -e " ${GRAY}${ICON_WARNING}${NC} Messages is running ยท preview cache cleanup skipped" + return 0 + fi + safe_clean ~/Library/Messages/StickerCache/* "Messages sticker cache" + safe_clean ~/Library/Messages/Caches/Previews/Attachments/* "Messages preview attachment cache" + safe_clean ~/Library/Messages/Caches/Previews/StickerCache/* "Messages preview sticker cache" +} + # App caches (merged: macOS system caches + Sandboxed apps). clean_app_caches() { # macOS system caches (merged from clean_macos_system_caches) @@ -413,6 +440,7 @@ clean_app_caches() { safe_clean ~/Library/Suggestions/* "Siri suggestions cache" || true safe_clean ~/Library/Calendars/Calendar\ Cache "Calendar cache" || true safe_clean ~/Library/Application\ Support/AddressBook/Sources/*/Photos.cache "Address Book photo cache" || true + clean_support_app_data # Sandboxed app caches stop_section_spinner diff --git a/tests/clean_app_caches.bats b/tests/clean_app_caches.bats index 8be5da0..067664f 100644 --- a/tests/clean_app_caches.bats +++ b/tests/clean_app_caches.bats @@ -21,7 +21,7 @@ teardown_file() { } @test "clean_xcode_tools skips derived data when Xcode running" { - run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" /bin/bash --noprofile --norc <<'EOF' + run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" /bin/bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/core/common.sh" source "$PROJECT_ROOT/lib/clean/app_caches.sh" @@ -34,10 +34,28 @@ EOF [[ "$output" == *"Xcode is running"* ]] [[ "$output" != *"derived data"* ]] [[ "$output" != *"archives"* ]] + [[ "$output" != *"documentation cache"* ]] +} + +@test "clean_xcode_tools cleans documentation caches when Xcode is not running" { + run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" /bin/bash --noprofile --norc << 'EOF' +set -euo pipefail +source "$PROJECT_ROOT/lib/core/common.sh" +source "$PROJECT_ROOT/lib/clean/app_caches.sh" +pgrep() { return 1; } +safe_clean() { echo "$2"; } +clean_xcode_tools +EOF + + [ "$status" -eq 0 ] + [[ "$output" == *"Xcode derived data"* ]] + [[ "$output" == *"Xcode archives"* ]] + [[ "$output" == *"Xcode documentation cache"* ]] + [[ "$output" == *"Xcode documentation index"* ]] } @test "clean_media_players protects spotify offline cache" { - run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" /bin/bash --noprofile --norc <<'EOF' + run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" /bin/bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/core/common.sh" source "$PROJECT_ROOT/lib/clean/app_caches.sh" @@ -53,7 +71,7 @@ EOF } @test "clean_user_gui_applications calls all sections" { - run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" /bin/bash --noprofile --norc <<'EOF' + run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" /bin/bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/core/common.sh" source "$PROJECT_ROOT/lib/clean/app_caches.sh" @@ -72,7 +90,7 @@ EOF } @test "clean_ai_apps calls expected caches" { - run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc <<'EOF' + run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/clean/app_caches.sh" safe_clean() { echo "$2"; } @@ -85,7 +103,7 @@ EOF } @test "clean_design_tools calls expected caches" { - run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc <<'EOF' + run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/clean/app_caches.sh" safe_clean() { echo "$2"; } @@ -98,7 +116,7 @@ EOF } @test "clean_dingtalk calls expected caches" { - run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc <<'EOF' + run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/clean/app_caches.sh" safe_clean() { echo "$2"; } @@ -111,7 +129,7 @@ EOF } @test "clean_download_managers calls expected caches" { - run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc <<'EOF' + run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/clean/app_caches.sh" safe_clean() { echo "$2"; } @@ -124,7 +142,7 @@ EOF } @test "clean_productivity_apps calls expected caches" { - run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc <<'EOF' + run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/clean/app_caches.sh" safe_clean() { echo "$2"; } @@ -137,7 +155,7 @@ EOF } @test "clean_screenshot_tools calls expected caches" { - run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc <<'EOF' + run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/clean/app_caches.sh" safe_clean() { echo "$2"; } @@ -150,7 +168,7 @@ EOF } @test "clean_office_applications calls expected caches" { - run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc <<'EOF' + run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/clean/user.sh" stop_section_spinner() { :; } @@ -162,3 +180,31 @@ EOF [[ "$output" == *"Microsoft Word cache"* ]] [[ "$output" == *"Apple iWork cache"* ]] } + +@test "clean_communication_apps includes Microsoft Teams legacy caches" { + run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc << 'EOF' +set -euo pipefail +source "$PROJECT_ROOT/lib/clean/app_caches.sh" +safe_clean() { echo "$2"; } +clean_communication_apps +EOF + + [ "$status" -eq 0 ] + [[ "$output" == *"Microsoft Teams legacy cache"* ]] + [[ "$output" == *"Microsoft Teams legacy logs"* ]] +} + +@test "clean_gaming_platforms includes steam and minecraft related caches" { + run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc << 'EOF' +set -euo pipefail +source "$PROJECT_ROOT/lib/clean/app_caches.sh" +safe_clean() { echo "$2"; } +clean_gaming_platforms +EOF + + [ "$status" -eq 0 ] + [[ "$output" == *"Steam app cache"* ]] + [[ "$output" == *"Steam shader cache"* ]] + [[ "$output" == *"Minecraft logs"* ]] + [[ "$output" == *"Lunar Client logs"* ]] +} diff --git a/tests/clean_system_maintenance.bats b/tests/clean_system_maintenance.bats index e9f2302..9cbd115 100644 --- a/tests/clean_system_maintenance.bats +++ b/tests/clean_system_maintenance.bats @@ -21,7 +21,7 @@ teardown_file() { } @test "clean_deep_system issues safe sudo deletions" { - run bash --noprofile --norc <<'EOF' + run bash --noprofile --norc << 'EOF' set -euo pipefail CALL_LOG="$HOME/system_calls.log" > "$CALL_LOG" @@ -73,7 +73,7 @@ EOF } @test "clean_deep_system does not touch /Library/Updates when directory absent" { - run bash --noprofile --norc <<'EOF' + run bash --noprofile --norc << 'EOF' set -euo pipefail CALL_LOG="$HOME/system_calls_skip.log" > "$CALL_LOG" @@ -100,8 +100,61 @@ EOF [[ "$output" != *"/Library/Updates"* ]] } +@test "clean_deep_system cleans third-party adobe logs conservatively" { + run bash --noprofile --norc << 'EOF' +set -euo pipefail +CALL_LOG="$HOME/system_calls_adobe.log" +> "$CALL_LOG" +source "$PROJECT_ROOT/lib/core/common.sh" +source "$PROJECT_ROOT/lib/clean/system.sh" + +sudo() { + if [[ "$1" == "test" ]]; then + return 0 + fi + if [[ "$1" == "find" ]]; then + case "$2" in + /Library/Caches) printf '%s\0' "/Library/Caches/test.log" ;; + /private/var/log) printf '%s\0' "/private/var/log/system.log" ;; + /Library/Logs) echo "/Library/Logs/adobegc.log" ;; + esac + return 0 + fi + if [[ "$1" == "stat" ]]; then + echo "0" + return 0 + fi + return 0 +} +safe_sudo_find_delete() { + echo "safe_sudo_find_delete:$1:$2" >> "$CALL_LOG" + return 0 +} +safe_sudo_remove() { + echo "safe_sudo_remove:$1" >> "$CALL_LOG" + return 0 +} +log_success() { :; } +start_section_spinner() { :; } +stop_section_spinner() { :; } +is_sip_enabled() { return 1; } +get_file_mtime() { echo 0; } +get_path_size_kb() { echo 0; } +find() { return 0; } +run_with_timeout() { shift; "$@"; } + +clean_deep_system +cat "$CALL_LOG" +EOF + + [ "$status" -eq 0 ] + [[ "$output" == *"safe_sudo_find_delete:/Library/Logs/Adobe:*"* ]] + [[ "$output" == *"safe_sudo_find_delete:/Library/Logs/CreativeCloud:*"* ]] + [[ "$output" == *"safe_sudo_remove:/Library/Logs/adobegc.log"* ]] +} + @test "clean_time_machine_failed_backups exits when tmutil has no destinations" { - run bash --noprofile --norc <<'EOF' + run bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/core/common.sh" source "$PROJECT_ROOT/lib/clean/system.sh" @@ -124,7 +177,7 @@ EOF } @test "clean_local_snapshots reports snapshot count" { - run bash --noprofile --norc <<'EOF' + run bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/core/common.sh" source "$PROJECT_ROOT/lib/clean/system.sh" @@ -148,7 +201,7 @@ EOF } @test "clean_local_snapshots is quiet when no snapshots" { - run bash --noprofile --norc <<'EOF' + run bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/core/common.sh" source "$PROJECT_ROOT/lib/clean/system.sh" @@ -166,9 +219,8 @@ EOF [[ "$output" != *"Time Machine local snapshots"* ]] } - @test "clean_homebrew skips when cleaned recently" { - run bash --noprofile --norc <<'EOF' + run bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/core/common.sh" source "$PROJECT_ROOT/lib/clean/brew.sh" @@ -186,7 +238,7 @@ EOF } @test "clean_homebrew runs cleanup with timeout stubs" { - run bash --noprofile --norc <<'EOF' + run bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/core/common.sh" source "$PROJECT_ROOT/lib/clean/brew.sh" @@ -231,7 +283,7 @@ EOF } @test "check_appstore_updates is skipped for performance" { - run bash --noprofile --norc <<'EOF' + run bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/core/common.sh" source "$PROJECT_ROOT/lib/check/all.sh" @@ -245,7 +297,7 @@ EOF } @test "check_macos_update avoids slow softwareupdate scans" { - run bash --noprofile --norc <<'EOF' + run bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/core/common.sh" source "$PROJECT_ROOT/lib/check/all.sh" @@ -285,7 +337,7 @@ EOF } @test "check_macos_update clears update flag when softwareupdate reports no updates" { - run bash --noprofile --norc <<'EOF' + run bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/core/common.sh" source "$PROJECT_ROOT/lib/check/all.sh" @@ -325,7 +377,7 @@ EOF } @test "check_macos_update keeps update flag when softwareupdate times out" { - run bash --noprofile --norc <<'EOF' + run bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/core/common.sh" source "$PROJECT_ROOT/lib/check/all.sh" @@ -359,7 +411,7 @@ EOF } @test "check_macos_update keeps update flag when softwareupdate returns empty output" { - run bash --noprofile --norc <<'EOF' + run bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/core/common.sh" source "$PROJECT_ROOT/lib/check/all.sh" @@ -393,7 +445,7 @@ EOF } @test "check_macos_update skips softwareupdate when defaults shows no updates" { - run bash --noprofile --norc <<'EOF' + run bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/core/common.sh" source "$PROJECT_ROOT/lib/check/all.sh" @@ -416,7 +468,7 @@ EOF } @test "check_macos_update outputs debug info when MO_DEBUG set" { - run bash --noprofile --norc <<'EOF' + run bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/core/common.sh" source "$PROJECT_ROOT/lib/check/all.sh" @@ -467,7 +519,6 @@ EOF [ "$status" -eq 124 ] } - @test "opt_saved_state_cleanup removes old saved states" { local state_dir="$HOME/Library/Saved Application State" mkdir -p "$state_dir/com.example.app.savedState" @@ -502,7 +553,7 @@ EOF @test "opt_saved_state_cleanup continues on permission denied (silent exit)" { local state_dir="$HOME/Library/Saved Application State" mkdir -p "$state_dir/com.example.old.savedState" - touch -t 202301010000 "$state_dir/com.example.old.savedState" 2>/dev/null || true + touch -t 202301010000 "$state_dir/com.example.old.savedState" 2> /dev/null || true run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc << 'EOF' set -euo pipefail @@ -556,7 +607,6 @@ EOF [[ "$output" == *"QuickLook thumbnails refreshed"* ]] } - @test "get_path_size_kb returns zero for missing directory" { run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" MO_DEBUG=0 bash --noprofile --norc << 'EOF' set -euo pipefail @@ -571,7 +621,7 @@ EOF @test "get_path_size_kb calculates directory size" { mkdir -p "$HOME/test_size" - dd if=/dev/zero of="$HOME/test_size/file.dat" bs=1024 count=10 2>/dev/null + dd if=/dev/zero of="$HOME/test_size/file.dat" bs=1024 count=10 2> /dev/null run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" MO_DEBUG=0 bash --noprofile --norc << 'EOF' set -euo pipefail @@ -584,9 +634,8 @@ EOF [ "$output" -ge 10 ] } - @test "opt_fix_broken_configs reports fixes" { - run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc <<'EOF' + run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc << 'EOF' set -euo pipefail source "$PROJECT_ROOT/lib/core/common.sh" source "$PROJECT_ROOT/lib/optimize/maintenance.sh" @@ -603,9 +652,8 @@ EOF [[ "$output" == *"Repaired 2 corrupted preference files"* ]] } - @test "clean_deep_system cleans memory exception reports" { - run bash --noprofile --norc <<'EOF' + run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc << 'EOF' set -euo pipefail CALL_LOG="$HOME/memory_exception_calls.log" > "$CALL_LOG" @@ -645,12 +693,97 @@ EOF [ "$status" -eq 0 ] [[ "$output" == *"reportmemoryexception/MemoryLimitViolations"* ]] - [[ "$output" == *"-mtime +30"* ]] # 30-day retention + [[ "$output" == *"-mtime +30"* ]] # 30-day retention [[ "$output" == *"safe_sudo_find_delete"* ]] } +@test "clean_deep_system memory exception respects DRY_RUN flag" { + run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" DRY_RUN=true bash --noprofile --norc << 'EOF' +set -euo pipefail +CALL_LOG="$HOME/memory_exception_dryrun_calls.log" +> "$CALL_LOG" +source "$PROJECT_ROOT/lib/core/common.sh" +source "$PROJECT_ROOT/lib/clean/system.sh" + +sudo() { + if [[ "$1" == "test" ]]; then + [[ "$2" == "/private/var/db/reportmemoryexception/MemoryLimitViolations" ]] && return 0 + return 1 + fi + if [[ "$1" == "find" ]]; then + if [[ "$2" == "/private/var/db/reportmemoryexception/MemoryLimitViolations" ]]; then + printf '%s\0' "/private/var/db/reportmemoryexception/MemoryLimitViolations/report.bin" + fi + return 0 + fi + if [[ "$1" == "stat" ]]; then + echo "1024" + return 0 + fi + return 0 +} +safe_sudo_find_delete() { + echo "safe_sudo_find_delete:$1:$2" >> "$CALL_LOG" + return 0 +} +safe_sudo_remove() { return 0; } +log_success() { :; } +log_info() { echo "$*"; } +is_sip_enabled() { return 1; } +find() { return 0; } +run_with_timeout() { shift; "$@"; } + +clean_deep_system +cat "$CALL_LOG" +EOF + + [ "$status" -eq 0 ] + [[ "$output" == *"[DRY-RUN] Would remove"* ]] + [[ "$output" != *"safe_sudo_find_delete:/private/var/db/reportmemoryexception/MemoryLimitViolations"* ]] +} + +@test "clean_deep_system does not log memory exception success when nothing cleaned" { + run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" DRY_RUN=false bash --noprofile --norc << 'EOF' +set -euo pipefail +CALL_LOG="$HOME/memory_exception_success_calls.log" +> "$CALL_LOG" +source "$PROJECT_ROOT/lib/core/common.sh" +source "$PROJECT_ROOT/lib/clean/system.sh" + +sudo() { + if [[ "$1" == "test" ]]; then + [[ "$2" == "/private/var/db/reportmemoryexception/MemoryLimitViolations" ]] && return 0 + return 1 + fi + if [[ "$1" == "find" ]]; then + return 0 + fi + if [[ "$1" == "stat" ]]; then + echo "0" + return 0 + fi + return 0 +} +safe_sudo_find_delete() { + echo "safe_sudo_find_delete:$1:$2" >> "$CALL_LOG" + return 0 +} +safe_sudo_remove() { return 0; } +log_success() { echo "SUCCESS:$1" >> "$CALL_LOG"; } +is_sip_enabled() { return 1; } +find() { return 0; } +run_with_timeout() { shift; "$@"; } + +clean_deep_system +cat "$CALL_LOG" +EOF + + [ "$status" -eq 0 ] + [[ "$output" != *"SUCCESS:Memory exception reports"* ]] +} + @test "clean_deep_system cleans diagnostic trace logs" { - run bash --noprofile --norc <<'EOF' + run bash --noprofile --norc << 'EOF' set -euo pipefail CALL_LOG="$HOME/diag_calls.log" > "$CALL_LOG" @@ -697,76 +830,98 @@ EOF [[ "$output" == *"tracev3"* ]] } -@test "clean_deep_system validates symbolication cache size before cleaning" { - run bash --noprofile --norc <<'EOF' +@test "clean_deep_system cleans code_sign_clone caches via safe_sudo_remove" { + run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc << 'EOF' set -euo pipefail +CALL_LOG="$HOME/code_sign_clone_calls.log" +> "$CALL_LOG" +source "$PROJECT_ROOT/lib/core/common.sh" +source "$PROJECT_ROOT/lib/clean/system.sh" -symbolication_size_mb="2048" # 2GB - -if [[ -n "$symbolication_size_mb" && "$symbolication_size_mb" =~ ^[0-9]+$ ]]; then - if [[ $symbolication_size_mb -gt 1024 ]]; then - echo "WOULD_CLEAN=yes" - else - echo "WOULD_CLEAN=no" +sudo() { + if [[ "$1" == "test" ]]; then + return 1 fi -else - echo "WOULD_CLEAN=no" -fi + if [[ "$1" == "find" ]]; then + return 0 + fi + return 0 +} +safe_sudo_find_delete() { return 0; } +safe_sudo_remove() { + echo "safe_sudo_remove:$1" >> "$CALL_LOG" + return 0 +} +log_success() { echo "SUCCESS:$1" >> "$CALL_LOG"; } +start_section_spinner() { :; } +stop_section_spinner() { :; } +is_sip_enabled() { return 1; } +find() { return 0; } +run_with_timeout() { + local _timeout="$1" + shift + if [[ "${1:-}" == "command" && "${2:-}" == "find" && "${3:-}" == "/private/var/folders" ]]; then + printf '%s\0' "/private/var/folders/test/a/X/demo.code_sign_clone" + return 0 + fi + "$@" +} + +clean_deep_system +cat "$CALL_LOG" EOF [ "$status" -eq 0 ] - [[ "$output" == *"WOULD_CLEAN=yes"* ]] + [[ "$output" == *"safe_sudo_remove:/private/var/folders/test/a/X/demo.code_sign_clone"* ]] + [[ "$output" == *"SUCCESS:Browser code signature caches"* ]] } -@test "clean_deep_system skips symbolication cache when small" { - run bash --noprofile --norc <<'EOF' +@test "clean_deep_system skips code_sign_clone success when removal fails" { + run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc << 'EOF' set -euo pipefail +CALL_LOG="$HOME/code_sign_clone_fail_calls.log" +> "$CALL_LOG" +source "$PROJECT_ROOT/lib/core/common.sh" +source "$PROJECT_ROOT/lib/clean/system.sh" -symbolication_size_mb="500" # 500MB < 1GB - -if [[ -n "$symbolication_size_mb" && "$symbolication_size_mb" =~ ^[0-9]+$ ]]; then - if [[ $symbolication_size_mb -gt 1024 ]]; then - echo "WOULD_CLEAN=yes" - else - echo "WOULD_CLEAN=no" +sudo() { + if [[ "$1" == "test" ]]; then + return 1 fi -else - echo "WOULD_CLEAN=no" -fi + if [[ "$1" == "find" ]]; then + return 0 + fi + return 0 +} +safe_sudo_find_delete() { return 0; } +safe_sudo_remove() { + echo "safe_sudo_remove:$1" >> "$CALL_LOG" + return 1 +} +log_success() { echo "SUCCESS:$1" >> "$CALL_LOG"; } +start_section_spinner() { :; } +stop_section_spinner() { :; } +is_sip_enabled() { return 1; } +find() { return 0; } +run_with_timeout() { + local _timeout="$1" + shift + if [[ "${1:-}" == "command" && "${2:-}" == "find" && "${3:-}" == "/private/var/folders" ]]; then + printf '%s\0' "/private/var/folders/test/a/X/demo.code_sign_clone" + return 0 + fi + "$@" +} + +clean_deep_system +cat "$CALL_LOG" EOF [ "$status" -eq 0 ] - [[ "$output" == *"WOULD_CLEAN=no"* ]] + [[ "$output" == *"safe_sudo_remove:/private/var/folders/test/a/X/demo.code_sign_clone"* ]] + [[ "$output" != *"SUCCESS:Browser code signature caches"* ]] } -@test "clean_deep_system handles symbolication cache size check failure" { - run bash --noprofile --norc <<'EOF' -set -euo pipefail - -symbolication_size_mb="" # Empty - simulates failure - -if [[ -n "$symbolication_size_mb" && "$symbolication_size_mb" =~ ^[0-9]+$ ]]; then - if [[ $symbolication_size_mb -gt 1024 ]]; then - echo "WOULD_CLEAN=yes" - else - echo "WOULD_CLEAN=no" - fi -else - echo "WOULD_CLEAN=no" -fi -EOF - - [ "$status" -eq 0 ] - [[ "$output" == *"WOULD_CLEAN=no"* ]] -} - - - - - - - - @test "opt_memory_pressure_relief skips when pressure is normal" { run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc << 'EOF' set -euo pipefail diff --git a/tests/clean_user_core.bats b/tests/clean_user_core.bats index 437f476..7fae621 100644 --- a/tests/clean_user_core.bats +++ b/tests/clean_user_core.bats @@ -58,6 +58,56 @@ EOF [[ "$output" == *"Saved application states"* ]] || [[ "$output" == *"App caches"* ]] } +@test "clean_support_app_data targets crash, wallpaper, and messages preview caches only" { + local support_home="$HOME/support-cache-home-1" + run env HOME="$support_home" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc <<'EOF' +set -euo pipefail +mkdir -p "$HOME" +source "$PROJECT_ROOT/lib/core/common.sh" +source "$PROJECT_ROOT/lib/clean/user.sh" +safe_clean() { echo "$2"; } +safe_find_delete() { echo "FIND:$1:$3:$4"; } +pgrep() { return 1; } + +mkdir -p "$HOME/Library/Application Support/CrashReporter" +mkdir -p "$HOME/Library/Application Support/com.apple.idleassetsd" + +clean_support_app_data + +rm -rf "$HOME/Library/Application Support/CrashReporter" +rm -rf "$HOME/Library/Application Support/com.apple.idleassetsd" +EOF + + [ "$status" -eq 0 ] + [[ "$output" == *"FIND:$support_home/Library/Application Support/CrashReporter:30:f"* ]] + [[ "$output" == *"FIND:$support_home/Library/Application Support/com.apple.idleassetsd:30:f"* ]] + [[ "$output" == *"Messages sticker cache"* ]] + [[ "$output" == *"Messages preview attachment cache"* ]] + [[ "$output" == *"Messages preview sticker cache"* ]] + [[ "$output" != *"Messages attachments"* ]] +} + +@test "clean_support_app_data skips messages preview caches while Messages is running" { + local support_home="$HOME/support-cache-home-2" + run env HOME="$support_home" PROJECT_ROOT="$PROJECT_ROOT" bash --noprofile --norc <<'EOF' +set -euo pipefail +mkdir -p "$HOME" +source "$PROJECT_ROOT/lib/core/common.sh" +source "$PROJECT_ROOT/lib/clean/user.sh" +safe_clean() { echo "$2"; } +safe_find_delete() { :; } +pgrep() { return 0; } + +clean_support_app_data +EOF + + [ "$status" -eq 0 ] + [[ "$output" == *"Messages is running"* ]] + [[ "$output" != *"Messages sticker cache"* ]] + [[ "$output" != *"Messages preview attachment cache"* ]] + [[ "$output" != *"Messages preview sticker cache"* ]] +} + @test "clean_app_caches skips protected containers" { run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" DRY_RUN=true /bin/bash --noprofile --norc <<'EOF' set -euo pipefail