v5.0.7-506cefb

@github-actions github-actions released this 20 Apr 22:11
· 80 commits to main since this release

v5.0.7

App Bundle Tamper Protection

New protection layer that detects and blocks unauthorised modifications to app bundles. ClearanceKit monitors code-signing validity and routes bundle write operations through a dedicated evaluator with a TTL-backed codesign cache. A new Bundle Updater allowlist lets you authorise specific signed updater processes — managed from the sidebar in the GUI.

Bundle protection now covers /Users/*/Applications in addition to /Applications. com.apple.DesktopServicesHelper and macOS platform binaries are permitted as trusted bundle-modifying processes. The self-signer check is relaxed to team ID comparison (rather than full certificate chain) to accommodate re-signed bundles in common update flows.

Touch ID Authorization

Rules can now require Touch ID confirmation before access is granted. A non-activating HUD overlay appears near the menu bar showing the requesting process, its team ID, and the full ancestry chain. Sessions are keyed by ancestry chain and parent PID version — preventing session hijack across process restarts. Authorization state and requireValidSigning are persisted in the database.
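A model of the session keying described above, as an added example that is not ClearanceKit's own code: an approval is stored under a key built from the rule, the ancestry chain, and the parent's PID plus PID version, so a recycled parent PID does not inherit it. The `Proc` fields, the `rule_id` parameter, the SHA-256 key format and all sample processes are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    path: str         # executable path
    team_id: str      # code-signing team ID (constructed values below)
    pid: int
    pid_version: int  # differs when a PID is reused by a new process

def session_key(rule_id: str, chain: list[Proc]) -> str:
    """chain[0] is the requester, chain[1] its parent, then older ancestors."""
    if len(chain) < 2:
        raise ValueError("need the requester and its parent")
    h = hashlib.sha256()
    def feed(field: str) -> None:
        data = field.encode()
        # Length prefix keeps ("ab", "c") and ("a", "bc") from colliding.
        h.update(len(data).to_bytes(4, "big") + data)
    feed(rule_id)
    for proc in chain:  # ancestry chain: identity of every ancestor
        feed(proc.path)
        feed(proc.team_id)
    feed(f"{chain[1].pid}:{chain[1].pid_version}")  # parent PID + version
    return h.hexdigest()

class SessionStore:
    def __init__(self) -> None:
        self._approved: set[str] = set()
    def approve(self, rule_id: str, chain: list[Proc]) -> None:
        self._approved.add(session_key(rule_id, chain))
    def is_authorized(self, rule_id: str, chain: list[Proc]) -> bool:
        return session_key(rule_id, chain) in self._approved

# Constructed sample data: Terminal -> zsh -> ssh, approved once via Touch ID.
TERM = Proc("/System/Applications/Utilities/Terminal.app", "EXAMPLETEAM", 400, 11)
ZSH = Proc("/bin/zsh", "EXAMPLETEAM", 812, 1501)
RULE = "ssh-config"  # hypothetical rule identifier

def demo() -> dict[str, bool]:
    store = SessionStore()
    store.approve(RULE, [Proc("/usr/bin/ssh", "EXAMPLETEAM", 900, 1600), ZSH, TERM])
    again = [Proc("/usr/bin/ssh", "EXAMPLETEAM", 955, 1702), ZSH, TERM]
    reused = [Proc("/usr/bin/ssh", "EXAMPLETEAM", 960, 2300),
              Proc("/bin/zsh", "EXAMPLETEAM", 812, 2210), TERM]  # PID 812 recycled
    return {"same_shell": store.is_authorized(RULE, again),
            "recycled_parent_pid": store.is_authorized(RULE, reused),
            "other_rule": store.is_authorized("other-rule", again)}
```

In this model a second request from the same shell reuses the approval, while a new shell that happens to receive PID 812 must be approved again.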

New Presets

  • SSH config tamper protection — blocks unauthorised writes to ~/.ssh/config and related files
  • Added com.apple.intents.intents-helper to the baseline system allowlist

Performance

XPC server now starts before the process-tree scan, reducing latency on initial GUI connection.

Bug Fixes

  • Repaired Bundle Updater view layout, entry form, and sidebar icon
  • Fixed session key mismatch (rule prefix was being confused with file path)
  • Fixed layout jump in the authorization HUD