Swahili · physician / healer

The honest macOS optimizer.

A CleanMyMac-class utility that wins on honesty, safety, and measurable speed. No scareware, no fake "GB freed", no resident background hog. A Rust core does the throughput work; a Tauri shell renders it.

Build it How it works

v0.1.4 Rust core Tauri v2 shell 110 tests macOS 13+ · Apple Silicon + Intel

Principles

Safety > honesty > performance > features

The cleanup logic is the easy 20%. The discipline around it (safety invariants, benchmark gates, honest UX) is the product.

Safety-first

Scanning is read-only behind a denylist guard. Reclaim is the only mutating path: it writes an undo manifest before touching anything and trashes rather than deletes.

Honest

Reports measured freed bytes, never estimates. No inflated counts, no marketing. When a metric needs root we say "unavailable" rather than fake it.

Measurable

Criterion benchmarks with a >5% regression gate. Property tests and golden-image tests defend the safety invariants on every merge.

What it does

One scan, full review, nothing removed until you choose

◎

Smart Scan

Streaming scan across caches, temp, logs, and large old files. A live radar loader with per-category chips. Review every item first.

⧉

Duplicates

Whole-home blake3 funnel: size group → head hash → full hash. Pick which copies go.

⌦

Uninstaller

Remove apps and trace their leftover support files; disk-wide orphan scan for apps already gone.

⌘

Developer / CLI

Homebrew analysis + safe cleanup. brew cleanup/autoremove previews; every formula sized with install date. Removal is delegated to brew itself.

▤

Disk & Memory

Treemap of what's eating space; live CPU/memory graphs, force-quit, Rosetta flagging.

⛨

Security

Adware and rogue-profile heuristics with a locked quarantine vault. It never deletes and never fakes a verdict.

Architecture

One language, end to end

All logic is Rust; the view layer is the web platform. The Tauri backend depends on the core crates by path and exposes them as commands. There is no FFI bridge (ADR-0003 superseded the original Swift + C-ABI design).

flowchart LR subgraph UI["app/src · web UI"] A["sidebar · scan flow
review · treemap"] end subgraph BE["app/src-tauri · Rust"] B["#[tauri::command]s"] S["system.rs
macOS facts"] end subgraph CORE["core/ · crates"] E["engine + scanners
(in-process)"] end A -- "invoke / Channel
(serde, no FFI)" --> B B -- "path dependency" --> E S --- B

Frontend ⇄ Rust backend ⇄ core crates. Streaming results use a Tauri Channel; commands run off the main thread.

The only mutating path

Reclaim, with an undo written first

Every selected item is re-validated against the denylist and tier rules. Protected paths are skipped per item (recorded, never touched) while everything safe is reclaimed. Freed bytes are measured, not estimated.

flowchart TD A["Selected CleanupItems"] --> B{"Per item:
denylist + tier check"} B -- "protected" --> K["Skip · record as
'left untouched'"] B -- "non-Safe destructive" --> X["Fail fast
(UI never produces this)"] B -- "ok" --> C["Write undo manifest
to disk"] C --> D["Trash / Delete / Truncate
· measure before & after"] D --> E["Report: measured bytes,
per-item failures listed honestly"] K --> E

The denylist invariant, that no returned path escapes the allowed roots, is property-tested against a deliberately malicious scanner.

Streaming scan

Concurrent scanners, live results

A scan spawns one thread per scanner; every item streams through the denylist guard into a single sink and out over a Tauri Channel, so the UI fills in as discovery happens.

sequenceDiagram participant UI as Web UI participant CMD as tauri::command (worker thread) participant ENG as smart_scan participant SC as scanners (1 thread each) UI->>CMD: invoke("scan", Channel) CMD->>ENG: spawn → smart_scan ENG->>SC: one thread per scanner loop each item found SC->>ENG: emit(CleanupItem) ENG->>ENG: denylist guard (drop + count if denied) ENG-->>UI: Channel → row appears live (radar + chips) end SC->>ENG: done / error per scanner ENG-->>UI: summary → per-scanner truth

Cancel any time. Tokens fire at directory boundaries; commands run off the main thread so the UI never freezes.

Duplicates

A three-stage funnel

Hashing every file is wasteful. Tabibu groups by size, then hashes only a head sample, then does a full blake3 hash on the survivors. Each stage shrinks the candidate set.

flowchart LR A["All files"] --> B["Stage 1
group by size"] B --> C["Stage 2
head-sample hash"] C --> D["Stage 3
full blake3 hash"] D --> E["Confirmed
duplicate sets"]

Only files that collide at every stage are confirmed duplicates. The newest copy is kept by default.

core/crates

The Rust workspace

tabibu-engine

Traits, SafetyTier, denylist, undo manifest, scan orchestration.

the safety backbone

tabibu-walk

Parallel filesystem traversal and size tree.

rayon

tabibu-dupes

Three-stage blake3 duplicate funnel.

size → head → full

tabibu-junk

Cache / temp / log / trash / large-old scanners.

rayon-parallel sizing

tabibu-uninstall

Remnants, orphans, unused apps, stale binaries.

artifact tracing

tabibu-brew

Homebrew analysis + safe cleanup; delegates removal to brew.

reads on-disk receipts

tabibu-malware

Adware / rogue-profile heuristics + quarantine vault.

never deletes

tabibu-monitor

sysinfo system + per-process sampling; Rosetta detection.

honest RSS budget

tabibu-telemetry

Opt-in, content-free deselection signal.

no PII, no paths

Quick start

Build & test

Prerequisites: Rust (rustup) and Node + npm (for the Tauri CLI only). The frontend is static, with no bundler and no build step.

# run the app with hot reload (compiles the Rust backend + core)
cd app && npm install && npm run dev

# bundle the .app + DMG
cd app && npx tauri build

# the core test suite (110 tests: unit, property, golden-image)
cd core && cargo test --workspace
cargo clippy --workspace --all-targets -- -D warnings
cargo fmt --check

✓

Safety

Property tests + golden-image reclaim (snapshot → reclaim → assert exactly the intended files changed).

✓

Lint

clippy::all denied; pedantic advisory (its lint set drifts between toolchains).

✓

CI

fmt · clippy · test · cargo-deny · bench-smoke · app build, all on macOS runners.

Honest status

Current limitations

Not distributable yet. No Developer ID / notarization credentials, so bundles are unsigned. The pipeline is wired and conditional.
ClamAV is a feature-gated stub; v1 ships native adware heuristics. Real-time (Endpoint Security) scanning is deferred behind an Apple entitlement.
Exact CPU die temperature & GPU powermetrics need root. Tabibu ships the honest thermal-pressure signal (pmset -g therm) instead.
Tray is minimal: a status item with a live CPU/memory tooltip; a rich health popover is a follow-up. No privileged helper (all features are user-space).

Documentation

Dig deeper

Per-crate guides and decision records. These pages are generated from the Markdown in docs/ and rendered into this same design on publish.

Engine

Traits, SafetyTier, denylist, undo, orchestration.

Duplicates

The three-stage blake3 funnel.

Junk

Cache / temp / log / trash / large-old scanners.

Uninstall

Remnants, orphans, unused apps, stale binaries.

Malware

Heuristics + quarantine vault; ClamAV boundary.

Walk

Parallel filesystem traversal + size tree.

Telemetry

Opt-in, content-free deselection signal.

ADR-0003

Tauri shell supersedes the Swift + C-ABI design.

Setup & release

Clean-machine build; signing & notarization.