fix(clean): make Docker cleanup safe by default

Author: tw93

lib/clean/dev.sh

@@ -253,38 +253,10 @@ check_rust_toolchains() {
 # Docker caches (guarded by daemon check).
 clean_dev_docker() {
     if command -v docker > /dev/null 2>&1; then
-        if [[ "$DRY_RUN" != "true" ]]; then
-            start_section_spinner "Checking Docker daemon..."
-            local docker_running=false
-            if run_with_timeout 3 docker info > /dev/null 2>&1; then
-                docker_running=true
-            fi
-            stop_section_spinner
-            if [[ "$docker_running" == "true" ]]; then
-                # Remove unused images, stopped containers, unused networks, and
-                # anonymous volumes in one pass. This maps better to the large
-                # reclaimable "docker system df" buckets users typically see.
-                # Skip if Docker paths are whitelisted: docker system prune operates
-                # through the daemon API and bypasses filesystem-level whitelist checks.
-                if is_path_whitelisted "$HOME/.docker" ||
-                    is_path_whitelisted "$HOME/Library/Containers/com.docker.docker" ||
-                    is_path_whitelisted "$HOME/Library/Group Containers/group.com.docker"; then
-                    echo -e "  ${GRAY}${ICON_WARNING}${NC} Docker unused data · skipped (whitelisted)"
-                    echo -e "  ${GRAY}${ICON_REVIEW}${NC} ${GRAY}Review: mo clean --whitelist, protect Docker Desktop data to disable this prune${NC}"
-                    debug_log "Docker cleanup skipped: Docker paths found in whitelist"
-                else
-                    clean_tool_cache "Docker unused data" docker system prune -af --volumes
-                fi
-            else
-                echo -e "  ${GRAY}${ICON_WARNING}${NC} Docker unused data · skipped (daemon not running)"
-                note_activity
-                debug_log "Docker daemon not running, skipping Docker cache cleanup"
-            fi
-        else
-            note_activity
-            echo -e "  ${YELLOW}${ICON_DRY_RUN}${NC} Docker unused data · would clean"
-            echo -e "  ${GRAY}${ICON_REVIEW}${NC} ${GRAY}Review: mo clean --whitelist, protect Docker Desktop data to disable this prune${NC}"
-        fi
+        note_activity
+        echo -e "  ${GRAY}${ICON_WARNING}${NC} Docker unused data · skipped by default"
+        echo -e "  ${GRAY}${ICON_REVIEW}${NC} ${GRAY}Review: docker system df${NC}"
+        debug_log "Docker daemon-managed cleanup skipped by default"
     fi
     safe_clean ~/.docker/buildx/cache/* "Docker BuildX cache"
 }

lib/manage/whitelist.sh

@@ -142,7 +142,7 @@ Firefox browser cache|$HOME/Library/Caches/Firefox/*|browser_cache
 Brave browser cache|$HOME/Library/Caches/BraveSoftware/Brave-Browser/*|browser_cache
 Surge proxy cache|$HOME/Library/Caches/com.nssurge.surge-mac/*|network_tools
 Surge configuration and data|$HOME/Library/Application Support/com.nssurge.surge-mac/*|network_tools
-Docker Desktop data (skip Docker unused data prune)|$HOME/Library/Containers/com.docker.docker/Data/*|container_cache
+Docker BuildX cache|$HOME/.docker/buildx/cache/*|container_cache
 Podman container cache|$HOME/.local/share/containers/cache/*|container_cache
 Font cache|$HOME/Library/Caches/com.apple.FontRegistry/*|system_cache
 Spotlight metadata cache|$HOME/Library/Caches/com.apple.spotlight/*|system_cache

tests/clean_dev_caches.bats

@@ -287,61 +287,51 @@ EOF
     [[ "$output" != *"Orphaned bun cache"* ]]
 }
 
-@test "clean_dev_docker skips when daemon not running" {
+@test "clean_dev_docker skips daemon-managed cleanup by default" {
     run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" DRY_RUN=false bash --noprofile --norc <<'EOF'
 set -euo pipefail
 source "$PROJECT_ROOT/lib/core/common.sh"
 source "$PROJECT_ROOT/lib/clean/dev.sh"
-start_section_spinner() { :; }
-stop_section_spinner() { :; }
-run_with_timeout() { return 1; }
+clean_tool_cache() { echo "$1|$*"; }
 safe_clean() { echo "$2"; }
+note_activity() { :; }
 debug_log() { :; }
-docker() { return 1; }
+docker() { echo "docker called"; return 0; }
 export -f docker
 clean_dev_docker
 EOF
 
     [ "$status" -eq 0 ]
-    [[ "$output" == *"Docker unused data · skipped (daemon not running)"* ]]
+    [[ "$output" == *"Docker unused data · skipped by default"* ]]
+    [[ "$output" == *"Review: docker system df"* ]]
     [[ "$output" == *"Docker BuildX cache"* ]]
-    [[ "$output" != *"Docker unused data|Docker unused data docker system prune -af --volumes"* ]]
+    [[ "$output" != *"docker called"* ]]
+    [[ "$output" != *"docker system prune"* ]]
 }
 
-@test "clean_dev_docker prunes unused docker data when daemon is running" {
+@test "clean_dev_docker keeps BuildX cache cleanup" {
     run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" DRY_RUN=false bash --noprofile --norc <<'EOF'
 set -euo pipefail
 source "$PROJECT_ROOT/lib/core/common.sh"
 source "$PROJECT_ROOT/lib/clean/dev.sh"
-start_section_spinner() { :; }
-stop_section_spinner() { :; }
-run_with_timeout() { shift; "$@"; }
 clean_tool_cache() { echo "$1|$*"; }
-safe_clean() { :; }
+safe_clean() { echo "$2|$1"; }
 note_activity() { :; }
 debug_log() { :; }
-docker() {
-    if [[ "$1" == "info" ]]; then
-        return 0
-    fi
-    return 0
-}
+docker() { return 0; }
 export -f docker
 clean_dev_docker
 EOF
 
     [ "$status" -eq 0 ]
-    [[ "$output" == *"Docker unused data|Docker unused data docker system prune -af --volumes"* ]]
+    [[ "$output" == *"Docker BuildX cache|$HOME/.docker/buildx/cache/*"* ]]
 }
 
-@test "clean_dev_docker skips prune when Docker paths are whitelisted" {
+@test "clean_dev_docker no longer depends on whitelist to avoid prune" {
     run env HOME="$HOME" PROJECT_ROOT="$PROJECT_ROOT" DRY_RUN=false bash --noprofile --norc <<'EOF'
 set -euo pipefail
 source "$PROJECT_ROOT/lib/core/common.sh"
 source "$PROJECT_ROOT/lib/clean/dev.sh"
-start_section_spinner() { :; }
-stop_section_spinner() { :; }
-run_with_timeout() { shift; "$@"; }
 clean_tool_cache() { echo "$1|$*"; }
 safe_clean() { :; }
 note_activity() { :; }
@@ -351,18 +341,16 @@ is_path_whitelisted() {
     return 1
 }
 export -f is_path_whitelisted
-docker() {
-    if [[ "$1" == "info" ]]; then
-        return 0
-    fi
-    return 0
-}
+docker() { echo "docker called"; return 0; }
 export -f docker
 clean_dev_docker
 EOF
 
     [ "$status" -eq 0 ]
-    [[ "$output" == *"Docker unused data · skipped (whitelisted)"* ]]
+    [[ "$output" == *"Docker unused data · skipped by default"* ]]
+    [[ "$output" != *"whitelisted"* ]]
+    [[ "$output" != *"mo clean --whitelist"* ]]
+    [[ "$output" != *"docker called"* ]]
     [[ "$output" != *"docker system prune"* ]]
 }