Skip to content

SimpleZip 1.0.0

Latest

Choose a tag to compare

@github-actions github-actions released this 21 Jun 21:06
85b6938

feat

User-facing

  • AI suggestions now live inside the file browser instead of a separate sidebar. The 1.0.0 AI work was re-scoped from the visible AI sidebar into the existing file and archive rows: archive rows can expand into model-produced summaries and action suggestions; file rows can show model-picked actions such as SHA-256, recommended open-with apps, URL opening, activity links, installer hints, relevant archive entries and inline read-only reports; and cached folder-group suggestions render as extra collapsible AI rows without hiding the real files. The old hard-coded drawer suggestions are gone — if the on-device model produces nothing, the drawer stays empty — and every write-capable action still routes through SimpleZip's normal confirmation/task flow while read-only checks can show inline results.
  • Background AI indexing and preread became opt-in infrastructure for those suggestions. The background worker keeps the whitelist-only, read-only index and content-preread switches, uses AI-ranked preread queues for files and archives, skips unchanged fingerprints, respects power/activity budgets, and can queue safe read-only checks such as hash/test to run later when conditions allow.
  • Background AI suggestions are now baked while SimpleZip is closed. When silent background indexing is on, the background helper doesn't just collect metadata — it runs the on-device model itself to pre-bake the actual suggestions in your interface language, so they're already there next time you open the app instead of being computed live. It now covers the full set: one-line file summaries and per-file action picks, web-link suggestions, disk-image "drag to Applications" hints, in-archive "files you might want" picks and one-line "what kind of package this is", per-file/per-type toolbar action ranking, folder grouping and "tidy into a new folder" suggestions, a "this file has recent activity" reminder for files that match a recent task's output, the queued read-only checks (hash, integrity test, and — only when something looks off — a one-line path-safety / release-inspection note), and the Activity Center workbench (failure explanations, named real clusters, "what to handle next", filter ordering). It keeps baking until a per-run time budget is reached (the whole backlog, not a tiny per-cycle cap) and continues where it left off on the next scheduled run; large CJK documents whose first chunk landed mid-character now summarize correctly too. It reads the same 7-Zip/RAR backend and settings the app uses, so it can list and test archives on its own.
  • Silent background indexing now registers its own scheduler, and the Health pane can check and repair it. Turning on "silent background indexing" registers a background service that the system wakes on a schedule — even when SimpleZip is closed — to keep the AI index fresh; turning it off unregisters it. Settings → Health shows whether that service is registered and offers a one-tap repair, which re-registers it to clear the rare "stale" state that can follow an app update or a change of signing identity. If you've switched the service off in System Settings → Login Items, SimpleZip respects that: it never silently turns it back on, and instead points you to Login Items to re-enable it yourself. On launch it quietly registers the service if it's missing, and refreshes it after an app update, while a service you turned off is left untouched. And while SimpleZip itself is open it owns indexing, so the background service steps aside instead of doing the same work at the same time.
  • The toolbar's contextual buttons now learn your habits — and, with AI on, pre-bake what's most useful per file. The two selection-sensitive buttons in the toolbar now draw their candidates from the same complete action set as the item's right-click menu (instead of a small fixed list), and reorder so the actions you actually use — whether you reach them from the toolbar or the right-click menu — rise to the front for each kind of selection. Multi-selections share one set of suggestions, and an action a given format doesn't support simply never appears, so there are no dead buttons. A new "Learn my toolbar habits" switch in Settings → General controls the habit part (on by default, fully local, never any file content). When the AI assistant is on, the background helper additionally pre-bakes, for files it already considers worth a suggestion (and per file type for the rest), which toolbar actions are most useful for that file — folded in on top of your habits so the most relevant action surfaces first; with AI off it's pure habit ordering.
  • The welcome assistant gains an AI page, and upgrading users get a short update assistant. First-run setup now includes an on-device-intelligence page where you turn the AI assistant, suggestions, and the optional background indexing / content preread on or off right there — the advanced background toggles live in a second card that springs in once the assistant is enabled. When you update to a new version, instead of nothing (or the whole welcome again), a short update assistant pops up showing only what's new this release plus a "done" step. It's automatic: every welcome card carries a "seen" mark, so any card added in a future release shows up in the update assistant for existing users on its own, with no version checks.
  • Optional faster streaming extraction for zip and tar archives — for whole-archive and selected-item extraction. Both the whole-archive and the "extract selected items" dialogs gain a "Faster streaming extraction" switch for unencrypted zip and tar-family archives (.zip, .tar, .tar.gz / .tgz, .tar.bz2 / .tbz2, .tar.xz / .txz, .tar.zst). It reads the archive in physical order instead of jumping around by its directory index — much faster over a network share or for a very large archive — and for a partial extraction it matches the chosen entries by name in that same single sequential pass. It's opt-in and only offered when there's no password; turning it on hides the password and decryption-method options it can't use, and if the streaming read ever fails the extraction falls back to the standard engine automatically.
  • Paste a web archive URL into the address bar to download-and-extract it, streaming. Typing an http(s) URL that points to a zip or tar-family archive (e.g. a GitHub release …/v1.0.zip) into the location bar opens a dedicated Download & Extract panel instead of treating it as a local path. It first checks whether the server actually serves a streamable archive — showing the URL, the resolved filename and a clear "can stream-extract / not supported" status, and it never pretends — then streams the download straight through the extractor: the bytes flow from the network into extraction on the fly, so the whole archive is never written to disk (an opt-in checkbox keeps a copy of the downloaded archive if you want one). It extracts into a subfolder of the folder you're viewing (changeable), through the same untrusted-archive safety checks as any local extraction, and cleans up on cancel or failure. Only streaming-capable formats qualify — encrypted archives and formats that need random access don't, by design.

UX

User-facing

  • The Activity Center opens larger. It now opens at a roomier default size instead of feeling cramped.
  • Settings gets the unified hero look and stays immersive. Each settings pane now opens with a colored hero header — an icon tile, the title and a one-line description of what's inside — and the sidebar uses the same gradient tiles as the Activity Center. The window opens taller and is now freely resizable in both width and height (and can go fullscreen), just like the Activity Center, while keeping the frosted, edge-to-edge immersive chrome throughout.
  • AI settings get their own page. The AI assistant switch moves out of the Automation page into a dedicated AI & Smart Suggestions settings page — its own home, with a short privacy note reminding you that the assistant runs entirely on your Mac and never receives passwords, encrypted contents or keys. The page's "clear" control now names what it actually does — it wipes everything the AI has built in the background (its file index, suggestions and learned ranking), never your real files and never your Spotlight results.
  • AI settings spell out the privacy contract. The AI pane adds a collapsible privacy note that summarizes what local data can be indexed, what is never read, and how the on-device model is used.
  • The Activity Center gains a read-only AI Workbench. When the AI assistant is enabled, task-list panes gain a right-side workbench that reads the current pane and tells you what's most worth dealing with right now and why. The list keeps its familiar time order with running tasks on top; the workbench summarizes the current list and calls out unseen failures. Expanding a failed task shows a short plain-language explanation of what likely went wrong — and for file moves and copies, which have no backend log, the per-file failure reasons now feed that explanation so it stays concrete instead of generic — with an "Open full AI explanation" button, plus one-click next actions wired to that task's own safe handlers: open report, resume from the failed step, rerun, rerun with changes, copy diagnostics. Its suggested filters are AI-named real clusters: the app deterministically finds genuinely recurring task groups by crossing source / type / diagnostic dimensions — failure groups, plus common operation groups so there are suggestions even with no failures — and the on-device model gives the worthwhile ones a short natural-language name (e.g. "Finder extractions that failed", "all compress tasks") — the predefined category filters stay as a fallback when the model has nothing; the filters you apply most float to the top over time. Alongside them is an AI-recommended time range — today / this week / this month — that flags which window is worth a look (the most recent one with unseen failures); a time range stacks with a suggested filter, so you can narrow to, say, "today" and "Finder extractions that failed" at once. Every active filter and time range shows in a single "active filters" strip with a one-tap clear for each, and the workbench has a drag-resizable left edge. A "learned habits" summary surfaces your recent go-to sources, formats and locations (summary only, never full paths), and when a manual action keeps repeating an automation hint suggests turning it into a Shortcut or CLI workflow (it only suggests and opens Shortcuts — never builds the workflow for you). Everything is built from the local task index and runs as background-baked, read-only analysis: it only ranks, explains, filters or locates tasks and never reruns or changes anything.
  • The Help page covers the latest features. Settings → Help gains an AI Assistance section — AI suggestions, smart presets & toolbar, and background preread & privacy — plus new cards for streaming fast extraction and downloading & extracting straight from a URL.
  • The About blurb is refreshed. The description now leads with what stands out today: a fast, private, all-on-your-Mac archive manager with streaming extraction for huge or web-hosted archives and optional on-device AI assistance.
  • The welcome and update assistants say "Skip" instead of "Cancel." The left-hand button is now labeled Skip, making it clear it simply steps past the assistant rather than undoing the choices you've already made.

Developer-facing

  • Release history entries can be deleted. Each row in the Release Assistant's release ledger gains a delete button, so you can prune old or mistaken entries — the record only, your real artifacts are never touched — and the release-package Spotlight index updates to match.
  • The simplezip CLI and Shortcuts gain the archive verbs they were missing. The command-line tool adds list (entries as kind/size/name, or --json), inspect (the Release Assistant's package check without extracting — file/folder counts, total size, macOS junk, empty directories, executables, symlinks and suspicious entry paths; exit 1 when suspicious), extract (into a uniquely named folder through the same vetted safe path as Finder auto-extract, --to to choose the destination) and hash (CRC32/MD5/SHA-1/SHA-256/SHA-512, default SHA-256, BSD-tag output that verify reads back). It also gains the analysis and release tools that were GUI-only: space (disk-usage breakdown — largest files/folders/extensions, ratio, junk), rescue (best-effort recovery from a damaged archive into a (rescued) folder), checkup (batch integrity test + suspicious/junk/encrypted counts over several archives or a whole folder), duplicates (find structurally-identical archives), reproduce (pack a folder twice and report whether the two builds are byte-identical, plus which factors aren't normalized), audit (release-directory checksum coverage, stale entries, broken VERIFY references and orphans) and verify-group (a fast name-only "is this release verifiable" snapshot). All honor --json/--quiet, are recorded in the Activity Center, and prompt for a password on encrypted archives (or read SIMPLEZIP_PASSWORD) — never on the command line; shell completions (zsh/bash/fish) cover them. Shortcuts gains matching actions too — Compute File Hash (returns the hex digests for chaining), plus Analyze Archive Space, Rescue Damaged Archive, Check Up Archives, Find Duplicate Archives, Check Reproducible Packing, Audit Release Directory and Quick Verify Release Group — so the same tools are scriptable from Shortcuts, not just the command line.

bugfix

User-facing

  • Shortcuts & Siri are clearly marked unavailable when the app isn't signed with an Apple Developer ID. On macOS 26 the App Intents execution path requires a validated bundle (a code signature with a Team Identifier), so an ad-hoc / unsigned build can never run a SimpleZip action — the system rejects the connection and Shortcuts reports "couldn't communicate with the app." The actions still get registered with the system and keep showing up in the Shortcuts app (the app can't remove them from there), so instead of hiding the in-app section, Settings → Automation now shows it with a clear "unavailable" notice, and the Health pane flags Shortcuts & Siri with a yellow warning explaining why. Everything returns to normal automatically on a properly signed build. The CLI, URL scheme, Finder services and Spotlight channels are unaffected.
  • Turning the AI assistant off now hides its buttons right away. AI entry points — the inline advisories in the create/extract dialogs, the "explain this" buttons on reports and failed tasks, and the AI search fields — used to re-check the master switch only when their view happened to rebuild, so toggling it in Settings didn't make them appear or disappear until something else redrew. They now react to the switch the instant it changes.
  • AI/Spotlight indexing is less likely to freeze startup. Persistent Spotlight indexing now skips unchanged work, runs serially, honors the power profile and keeps encrypted-volume work off the main thread.
  • AI background work no longer stalls after the first pass. The background index heartbeat keeps running and rotates scopes progressively, so cached suggestions and diagnostics can continue updating.
  • Archive-row AI actions are visible again. Model-picked inspect, test and hash actions for archives can surface without waiting for the charging-only gate, and activity-based suggestions now use the completed task's real output path.
  • The Health pane's "last checked" time keeps counting up. It could get stuck on "just now" — the relative time only recomputed when the pane happened to redraw, so right after a check it could freeze at zero. It now updates itself every second.
  • Folder-level release tools no longer demand you select a sub-folder first. "Quick verify release group", "audit release directory", "check reproducibility" and folder checkup used to fail with "open or select a supported archive" when nothing was selected — even though you were already inside the folder you wanted to check. They now act on the folder you're currently viewing when nothing is selected, and "find duplicate archives" reports an accurate "need at least two archives in this folder" instead of the misleading archive message.
  • Opening, browsing and extracting archives and folders with very many entries no longer freezes the app. Opening a large archive, browsing a folder of tens of thousands of files, opening the extract dialog, generating an extract task, and Finder auto-extract / right-click "extract with SimpleZip" all used to lock up the main window. Those paths now stay responsive throughout, and password-free ZIPs extract with the bundled 7-Zip engine by default (the macOS engine stays as a fallback). Opening a very large archive also uses far less memory now, so a huge archive (millions of entries) no longer risks being killed by the system for running out of memory.
  • Expanding an AI suggestion no longer collapses it on the next click. Inside a nested folder, opening a file's AI drawer and then clicking anything could snap the just-opened drawer shut. Newly-revealed rows are no longer mistaken for "changed" ones, so the drawer you just opened stays open.
  • Broad security hardening. A range of safety surfaces were tightened: untrusted archive entry / file names are kept clear of command-flag parsing for the bundled and system tools; output and extraction targets can no longer be steered outside the folder you chose (including download filenames and typed archive names); signing now writes to a temporary file and only atomically replaces the original on success, so a cancelled or failed sign never loses your existing file; DMG extraction no longer copies symlinks that point outside the image; importing a malformed settings backup can't crash the app; archive entry names keep their exact leading/trailing spaces so delete and rename act on the right entry; and the optional AI helper's process boundary is size-bounded. Factory reset now also clears everything the AI built in the background, and turning the AI assistant off now reliably stops every background indexing and suggestion task — the activity-workbench passes included — so none of them can finish writing a now-stale suggestion after you've switched it off.

Developer-facing

  • Heavy archive work that looked off-main was still running on the main thread; profiling found four stalls and each is now genuinely moved off it. (1) Marking an async helper nonisolated does not move it off the calling actor on this toolchain — a @MainActor caller still ran the whole body, so the 7zz listing parse executed on the main thread (measured ~1.4 s on a big archive). The listing call and the ZIP central-directory encryption probe are now wrapped in Task.detached, which is the only thing that reliably hops to the cooperative pool. (2) The per-entry 7-Zip / unzip date parsing used DateFormatter, whose first parse triggers an ICU locale-symbol cold start (~hundreds of ms) plus per-call overhead; it now parses the fixed yyyy-MM-dd HH:mm:ss shape by hand into a reused Calendar, avoiding ICU entirely. (3) The file browser's outline diff built its layout fingerprint with URL.standardizedFileURL, which stat()s every file on every SwiftUI reconcile (measured ~2.4 s); it now uses the plain path string. (4) The menu-bar command tree is rebuilt on every FSEvents tick (~120 ms) and one of its enablement getters (canDropIntoOpenArchive) ran fileManager.fileExists — a stat() on the open archive — each time, hanging the main thread on a slow or disconnected network volume (measured ~2.5 s); that getter no longer touches the filesystem, since the open archive already has an FSEvents watcher that reacts to it disappearing. The ZIP encryption type is also detected once when an archive is opened (off-main) and cached on the session, so the extract / test / open-entry / password-prompt paths read the cached value instead of each re-reading the whole central directory (some read it twice). That encryption detection also reads only the archive's central directory through a bounded tail read (seek to the end-of-central-directory record, then read just that region) instead of memory-mapping the whole file — so on a multi-GB ZIP over a network share, where mmap degrades to real I/O, it no longer pulls the entire file across the wire just to detect encryption. The extract dialog reuses the listing loaded at open, the pre-extract safety check reuses those preloaded items, post-extract staging scans run off-main, and the Finder / right-click auto-extract and one-click-create floating windows coalesce per-file progress through the same ~80 ms ProgressCoalescer the main window uses.
  • Exhaustive main-thread audit eliminated all remaining per-frame stat() calls in the file browser. A second profiling pass (audit of every hot path, not just sampled stalls) found three more FSEvents-cycle-rate standardizedFileURL.path sites and two compile-per-call ICU regex sites. FileItem now pre-computes and stores its standardizedPath once in the background at construction time (FileBrowserService), so the outline view's expansion-memory lookups, AI-group path tables, and folder-key computation all read a plain String with no stat(). The folder-mode URL in currentFolderKey now uses .path directly (already canonical — comes from open panels / FSEvents). NSRegularExpression instances for the benchmark parser's integer and time-value patterns are hoisted to nonisolated static let constants so ICU compiles each pattern exactly once for the process lifetime. DiskImageBackend.extract's synchronous copyContents loop (directory listing + per-file copy) is now dispatched to Task.detached, preventing it from blocking the main actor if called from a @MainActor context.
  • The 7zz listing is stream-parsed instead of buffered whole, and the post-extract merge's per-item stats moved off the main actor. Opening a very large archive used to hold the entire 7zz l -slt output string, a \r-stripped copy of it, and the parsed entry array in memory simultaneously — several GB for an archive with millions of entries, enough for the OS to kill the process. The listing is now consumed chunk-by-chunk through an incremental SevenZipListStreamParser that strips \r per line and emits entries as it goes, so the raw output string and its copy are never materialized (the whole-string parseSevenZipList entry point delegates to the same parser, so the existing fixtures still cover the logic, and new per-character-chunk tests guard the streaming boundaries). The extract-merge's per-item resourceValues / fileExists probes — which can hit a slow network destination — now run in a background task rather than on the @MainActor coordinator, while the symlink-escape containment checks deliberately stay on the main actor unchanged.

improvements

User-facing

  • Releases are now Developer ID signed and notarized by Apple. Builds published from the release pipeline are code-signed with an Apple Developer ID certificate and notarized by Apple — the bundled 7zz / rar helpers and the whole app sign with the hardened runtime, and the notarization ticket is stapled into the DMG — so a clean Mac opens the app on a double-click with no "unidentified developer / can't be checked for malicious software" Gatekeeper warning, even offline. And because the published build now carries a validated Apple Team Identifier, its Shortcuts & Siri actions work normally instead of being marked unavailable.
  • "Find Archive Containing File" is now instant and predictable. It no longer asks the on-device model to turn your wording into a keyword before searching — it matches what you typed directly against the names in the archives you've opened, so it's faster and works the same with the AI assistant off (it's just a search of the local listing cache now). The results list also leaves room for the scrollbar so it no longer covers the "open" buttons.
  • AI settings are searchable in Spotlight. Background AI indexing and silent-indexing settings now turn up in Spotlight settings search and jump straight to the right place; the privacy-sensitive ones can be found and opened but, like other data-gathering switches, can't be toggled by Siri/Spotlight.
  • Browsing large archives and folders is smoother and lighter on memory. Moving between folders inside a big archive no longer rebuilds its directory tree on every step, searching an archive filters the list once per refresh instead of twice, and scrolling a huge folder caps how many file icons load at once instead of firing hundreds of fetches. The AI assistant also rebuilds its per-file lookup table only when the browser actually shows a suggestion (and caps its failure-explanation cache), so background indexing keeps a smaller footprint.

Developer-facing

  • A unified on-device AI data layer (the foundation for richer, still-private AI). SimpleZip is building a shared, fully-tested foundation for how it feeds Apple's on-device model — the positioning is local fact index + small-model organizer: the app gathers, filters, redacts and budgets local facts into structured envelopes that each carry an explicit privacy descriptor (on-device execution, a standard/deep local-context mode, and red-line categories confirmed excluded) and an "omissions" list (what was withheld and why), plus reusable evidence cards and validated source references; the model only explains, names, ranks, groups and drafts. Every path, task id and archive-entry id the model returns is validated against what the app actually provided, and any dangerous action always returns to the native confirmation flow. Passwords, key material, encrypted-archive entry names, ciphertext and decrypted plaintext never enter this layer — enforced by contract, with deterministic encoding so the exact facts sent can be unit-tested and exported for inspection. (A deliberately non-AI cousin lives in the security layer, not this one: a password-entry context hint that surfaces only low-sensitivity recall cues — file-name / folder tokens, a where-from domain — and hard-rejects anything that looks like an actual secret, never reads the clipboard, never auto-tries, and always requires a manual click.) On top of the envelope sit deterministic organizing primitives the model only refines: archive profiles and role classification, a controlled semantic-tag vocabulary the model can only pick from and re-rank (with deterministic scores, evidence and user-correction demotion), failure-diagnostic tags and per-tag remediation playbooks, low-sensitivity location context, per-task and per-archive AI indexes, file-type classification and folder profiles (role + suggested-lens derivation), dependency-ecosystem sniffing from marker files (Node / SwiftPM / Python / Rust / Go / Java / …) that records sensitive configs like .npmrc / .env as present-only and never reads their contents, saved query plans, "lens" views (release / source / failures / signing / cleanup) that re-group already-indexed objects, an at-a-glance internal map of an archive's contents, a templated pre-release checklist (test / verify hash / check signature / inspect report — state filled from deterministic facts, GPG items hidden when GPG is off, the model only arranges it), version-relation labelling (same content / new build / source-vs-binary / volume set / old backup / localized variant), deterministic candidate-encoding scoring for garbled (mojibake) filenames — decoding raw bytes through Shift-JIS / EUC / GBK / Big5 / CP437 / UTF-8 and ranking by script coherence so the model only re-orders candidates and never invents a name (encrypted entries excluded), a deterministic next-best-action ranker, an intervention-threshold gate that decides how loud the AI may be (silent → status → inline hint → advice cards) so a harmless Finder double-click stays quiet and an auto-extract is never interrupted, fuzzy-search rewriting into executable local queries, an AST-based context compactor that shortens the long, repeated JSON keys/values before the model sees them (lowering first-token latency) and expands them back on output — never via string regex, skipped under 1.5 KB, virtual AI workspaces, allow-listed background-prefetch scopes with hard default-exclude rules (system / key / cache / dev-dependency / temp-decrypt directories), implicit interest / feedback signals, a time-of-day-aware startup-directory ranker, and a global suggestion-bus contract (per-surface request → validated, dismissible cards), a deterministic "why no suggestions" explainer, a failure-degradation matrix (every AI failure — model unavailable, bad JSON, invalid reference, dangerous action, redaction block — maps to a deterministic fallback and a debug category, so the AI is never the sole data source and a failure never blocks the user with an alert), and a capability-tiered engine-negotiation contract (deterministic / on-device / advanced-optional) that keeps the AI surface always-on while gating only the model enhancements, a create/extract auto-tune safety gate (a per-field policy table that lets the model pre-fill form options but never auto-changes passwords, GPG material, encryption strength, the destination path or destructive cleanup, drops any change touching encrypted content, and won't overwrite a field the user already touched), and a deterministic create/extract advice-card rule engine (turns dry-run / pre-flight facts straight into actionable cards — rename output, review security, strip single root, skip symlinks — carrying only stable rule ids, evidence tokens and allow-listed actions, so it works with no model and any model-invented action is dropped), and a deterministic comparison explainer (turns an already-computed archive / release diff — added / removed / changed and hash-changed counts plus release signals like added checksums, a signature or an app bundle — straight into stable attention and next-action ids such as looks-like-release-build / release-notes-may-need-sync / run-inspection / draft-release-body; the model only writes the one-line summary and any id outside the allow-list is dropped), and a deterministic preset recommender (maps an input profile — role, extensions, marker files and a media-heavy flag — to a preset kind and a set of safe option hints such as exclude-junk / test-after-create / reproducible / store-level compression, and matches it against the user's available presets; passwords, encryption and GPG options are never hintable — only the user sets those — and any hint outside that safe allow-list is dropped), and a security-attention summary with a hard floor (the app's deterministic scan sets a minimum attention level — none / info / caution / stop — from risk hints like path-traversal, executable or symlink; the model may sharpen the wording but a single clamp covering every path forbids it from lowering the level, forces "open the security report" at the stop level, and never lets a mild summary talk the user past a real warning), and a natural-language selection query (turns "select everything that looks like a release artifact but hasn't been tested yet" into a structured filter — controlled semantic tags, extensions, keywords and a task-state — that the app executes over its own index to highlight or scope items; the model returns the filter, never paths, tags outside the controlled vocabulary are dropped, and an empty filter selects nothing rather than everything), and a settings doctor (merges the current settings state — AI on/off, background-activity level, archive pre-read, folder pre-index, Spotlight indexing — with the user's stated intent and answers in one line, suggesting only actions that are actually applicable to the current state, so a no-op or invented action is dropped; every suggestion is an AI / background / Spotlight preference or an "open this settings page" — never an encryption, password or GPG change — and nothing is applied automatically, it routes back to the native Settings pane the user confirms), and a task / batch planner (turns "check everything in this folder that looks like a release" into an ordered plan of steps — or a grouping of a multi-selection — drawn only from a fixed action catalog; the model never emits a shell command, the step actions and group actions are allow-listed, every item id a group references is validated against the real selection so the model can't conjure one, and "requires user review" is a constant true the model cannot switch off, so the plan is always shown for confirmation before any existing action runs), and a scenario router that makes the AI feel like one coherent thing instead of scattered buttons (one sentence like "what's wrong with this package" is routed — deterministically from the current surface and selection — to the right AI scenario: activity filter, archive search, operation preview, failure explanation, settings assistant, workspace, action recommendation or report explanation; the model only assists at low confidence, its chosen destination must be one the app currently offers or it falls back to the deterministic route, and confidence is clamped to a real 0–1), and a background-scheduling rule set that decides how deep low-load AI work may go right now (none → deterministic index → model pre-warm → deep context) from a pure runtime snapshot — nothing runs in the first minute after launch or while a heavy archive task is in flight, low battery or power-saver only ever permits read-only indexing, model work waits for the user to go idle, and the deepest tier requires charging-and-idle — so the assistant stays warm without ever fighting the user's work for power or CPU), and a data-lifecycle policy map that makes retention and clearing predictable and auditable (each AI data category carries a retention policy — prompt facts never persist, the debug log keeps at most 20 entries for a day, derived indexes follow the archive cache, feedback rolls off at 30 days, habit summaries at 90; turning a data switch off maps to a stable "disabled by user" omission the builders record; and each clear entry point declares exactly which derived categories it cascades to — never any real file, task or archive), and the on-device file-fact + virtual-folder layer now reused by the file/archive suggestion surfaces: a unified file fact (full current path plus POSIX permissions / owner / default-and-candidate open apps / role tags / same-directory-failure group / project-root hint) with a deterministic content-readability gate that blocks no-read-permission, sensitive (.ssh / .gnupg / keychain), temp-decrypt, secret-looking-name and user-excluded files and records exactly why; a controlled read-only enrichment-action set (hash / test-archive / refresh-listing / fingerprint / refresh-facts / refresh-open-apps) the model may only suggest — validated against the candidate set, refused for encrypted / no-read / excluded inputs, and producing only derived signals, never file contents; a persistable virtual-folder tree the content area renders through a display-time sanitizer that drops invented references and unsafe nodes and strips any destructive primary action so a disk delete can never be the one-tap action; an action vocabulary widened to SimpleZip's native tool entries (hash / create / test / convert / inspect / open-with-app) and the AI-folder's own virtual management (merge / split / move-nodes / remove-refs / add-seed / delete-workspace) plus real-disk copy and delete, each carrying a per-case safety so any write or task-start requires confirmation and a disk delete is destructive-and-confirmed (never auto, never primary); a workspace candidate pool that emits evidence-gap cards (each bound to its remediation enrichment action), a deterministic "why suppressed" reason and Jaccard-overlap merge candidates; a user "AI-folder seed" (theme prompts, pinned and excluded references the AI re-derives from rather than a static favourites list) with split groups validated against the candidate pool; a tool-interaction outcome that scores create / extract feedback by accepted-vs-reverted patches and the terminal result instead of dwell time (so a quick, correct extract reads as positive rather than a dismissal) alongside an archive-open session that keeps only an encrypted-entry count; and a main-window "AI suggestion layer" surface that uniquely forbids the deterministic fallback so it only ever shows real model output; a set of type-system boundaries that move the red lines from caller-discipline into the types themselves (the context envelope can only be built through a throwing factory that refuses blocked-sensitive payloads; source-ref identity is a 64-bit stable id paired with an empty-reference-rejecting validator and a within-candidate-set collision registry; the context compactor is field-aware, so a user file literally named mv is never rewritten into a diagnostic token and a token collision falls back to uncompressed; log tailing scans for private-key blocks before truncating and withholds rather than leak a cut key; sensitive-directory detection matches path components so the directory itself — not just its children — is blocked, and temp-decrypt detection fires only under real system temp roots; and a file fact reaches a prompt only through a projection that omits the absolute path by default); a per-surface interaction-signal layer that folds lightweight shown / expanded / clicked / dismissed signals deterministically into 7-day / 30-day counters and interaction affinities (evidence tokens redacted on the way in, a quick close never mistaken for a rejection); and a deterministic background planner that turns the current runtime tier, evidence gaps, stale workspaces / surfaces and what the user keeps engaging with into a tier-gated, never-over-budget set of cancellable pre-warm jobs — every one a pure value type that works with no model at all and stays fully testable, now wired to actually run — the planner reads real workspace evidence gaps (members still missing a checksum, small archives left untested) and feeds its hash and integrity-test jobs into the existing charge-gated background pending-check pipeline so idle time fills them (the remaining job kinds staged behind them); plus the AI-folder back-half retained as reusable internal infrastructure: a cross-location semantic clusterer (connected components over shared name tokens — including CJK substrings — and shared task / archive lineage, where location never decides membership and a theme's identity comes from its members rather than any path), a decaying-suppression ledger (a not-interested dismiss is a permanent, time-decayed, repeat-strengthened down-weight, matched fuzzily so a one-file change can't dodge it and a strong theme can resurface once it decays), a thin virtual-folder plan plus a deterministic tree builder (the model only titles groups and assigns candidates; the app derives every node action and runs the display-time sanitizer), a multi-source discovery pipeline (file index + task records → candidates → clustering → a quality-and-count policy → suppression), a persistent file-memory index container, an AI-weighted workspace ranking (theme strength + open frequency + decaying recency, so a click nudges rather than pins and a frequently-used weak folder rises over time), a recommendation policy that promotes only complete, substantial themes and caps how many appear, a learning loop that feeds your own curation — the items you keep, the ones you remove, the kinds you favour, and the names (and where the items live) you give its groups — straight back into the on-device model so each folder grows toward your taste instead of being re-sorted from scratch every time, and an opt-in, whitelist-only background file indexer — read-only, metadata-only, budget-bounded, idle-scheduled and adversarially hardened against whitelist escape (symlinks, network volumes, .., hidden and sensitive directories) and credential leakage (secret-looking filenames and credential directories are dropped before anything is indexed).

  • Developer Tools can inspect the local data available to AI, live. The hidden Developer Tools panel's read-only AI section now refreshes once per second and shows assistant readiness, archive-memory size, Spotlight donation counts, background-index scope/file/profile counts, content-summary and suggestion-token counts, explicit gate status, per-pass candidate diagnostics, feedback/pending-check counts, and copy actions for both the AI index and the full Spotlight donation dataset. Encrypted contents, passwords and keys are still outside this surface because they never enter AI.

  • The AI suggestion pipeline gained structured caches and power-aware read-only check queues. Suggestions now use typed actions with payloads, per-token suppression and feedback, AI-ranked preread of files and archive listings, cached folder groups, and a three-stage pending-check queue that records hash/test work, stores it app-side, then executes safe read-only checks later under power gates.

  • The AI sidebar experiment was pulled back from the shipped UI. The reusable virtual-folder components, ranking, review, theme-boundary learning, feedback and benchmark work remain in the internal foundation, but the visible 1.0.0 surface is file/archive drawer suggestions rather than a separate sidebar entry.

  • Main-toolbar action recommendations now have a testable provider seam. The contextual toolbar's existing two-button choices now come from a deterministic ContextualToolbarActionProvider snapshot and can pass through the next-action ranker, while the visible buttons and their model calls stay behavior-identical. This is the first app-side step toward the whitepaper's dynamic recommendation engine without changing the main-window workflow.

  • AI workspace token extraction now correctly handles version numbers. The function that converts a file's display name into a set of semantic tokens was splitting on every non-letter/non-digit character one character at a time, so "1.0.0" produced the three one-character fragments "0", "4" and "5" — all below the minimum token length and all discarded. A supplemental segment-split pass now also splits on hyphens, underscores and spaces and keeps each whole segment, so "SimpleZip-1.0.0-macos-arm64.dmg" correctly yields "1.0.0" as a five-character token. This raised the candidate-pool semantic coverage (strong-token coverage rate) from 80% to 100% on the release-workflow benchmark.

  • AI workspace prompt facts carry more intent tokens. The AIWorkspacePromptFact initializer previously capped the token list fed into each workspace's prompt envelope at 12 items; workspaces built from a wide query plan (many semantic tags, task tags and keywords combined) had their lower-priority intent tokens silently cut. The cap is raised to 14, ensuring that a typical release-workflow workspace reaches full coverage of its four task-tag intent tokens in addition to all semantic and keyword tokens.

  • On-device AI is moving into a separate process instead of the main app binary. SimpleZip's AI inference and background indexing are being lifted out of the main app: foreground requests run through a bundled XPC Service (launched on demand, not a Login Item and not gated by "allow in background"), and background indexing runs in a dedicated agent that launchd can wake on a schedule even when the app is closed. The shared scan, index and content-preread code now lives in SimpleZipCore and is reused by both the app and the agent rather than copied — the same single scan orchestration, the whitelist-only / read-only / budget-bounded metadata walk, content-preread redaction and the progressive "least-recently-scanned" coverage all run in either process. The app pushes its AI settings to the agent through a versioned config file, with the AI master switch enforced as a hard red line (the agent refuses all generation when AI is off); the agent reads the whitelist, runs one bounded round, writes the records back to the shared derived-data store and self-throttles to the configured interval, with a per-run time cap (over-budget scopes simply continue on the next wake) and ProcessType=Background so the OS handles power-aware deferral. A scheduled background-indexing LaunchAgent is declared for this (off by default, activated only when silent background indexing is opted into), and dev vs release builds use isolated bundle ids, Mach service names and LaunchAgent labels so a self-signed dev copy and the released app never collide; the embedded agent helper is code-signed under the app's bundle-id namespace (rather than the default bare tool name) to match the app and XPC service. Every on-device model pass now runs entirely in that engine process through one typed generate(kind:) XPC contract — the report and explanation prose, the file- and archive-row suggestions, the AI-folder plan / review / grouping / misfit-check, and the natural-language archive and settings queries — so the main app binary no longer creates a language-model session at all, with each pass's prompt-building, parsing and validation living in the shared engine layer so the background agent can run them without ever launching the main app. Even the read-only "is the on-device model available" check now goes through the engine over XPC (cached so the UI reads it synchronously), so the main app binary no longer imports the on-device model framework at all.

  • DevTools: on-device AI engine + background-scheduler monitors. The hidden AI data lab gains read-only probes for the separate-process pipeline: a unified generate(kind:) contract self-test, a passive engine-pass tally (which passes ran since the engine started, how many times, pass/fail), a background-scheduling preview (what tier-gated jobs AIBackgroundPlanner would plan from the current runtime and signals), and a workspace evidence-gap readout (which workspace members still lack a checksum or archive-integrity test — the input that drives the planner's background hash/test back-fill), a pending-check queue readout (the downstream — checks queued for charge-time execution and how many are done), and an interaction/interest summary readout (the planner's other two inputs — cross-surface signal counts and archive-open location affinities, confirming interest collection actually feeds the scheduler). All deterministic, instant, never touch the model, with results pinned to a copyable status card.

  • On-device AI passes budget their prompts to the model's fixed context window. The on-device model has a fixed context size, and a pass whose prompt exceeds it fails outright and silently produces nothing. Every pass that feeds the model a list or a long excerpt — archive entries, file / folder / workspace suggestion candidates, activity clusters and chips, the natural-language settings catalog, and report / summary / file-description prose — now caps each item's length and the total prompt size with a conservative, CJK-aware budget, so a huge archive, a long file or a fully-localized settings catalog degrades to a bounded prompt that still runs instead of overflowing and coming up empty. (Surfaced by the DevTools engine-pass tally, which caught two background passes silently overflowing.)