Rockxy 0.11.0 (build 14)

Rockxy 0.11.0 (build 14)

Added

• Sparkle-powered automatic updates for signed public releases.
• Bundled Rockxy MCP support for local developer-tool integrations.
• Rockxy Pro activation and entitlement-aware upgrade foundations.

Changed

• Hardened the release pipeline with production signing, notarization, stapling, checksum, and update-feed validation.
• Refreshed public documentation, localized README content, and release metadata for the 0.11.0 release.
• Improved Xcode project and build configuration reproducibility for fresh checkouts.

Fixed

• Improved paid-license activation recovery and product validation reliability.
• Closed release-readiness gaps around production licensing configuration and update metadata.
• Fixed release signing settings required for Apple notarization and Gatekeeper acceptance.

Rockxy 0.10.0 (build 13)

Rockxy 0.10.0 (build 13)

Added

• Developer Setup Hub: dedicated rows for Postman, Insomnia, and Paw under Browsers & Clients, each with its own proxy + certificate workflow.
• Developer Setup Hub: tvOS / watchOS and Vision Pro rows under Devices, documented as iOS-class guide-only targets with honest limitations.
• Developer Setup Hub: guide content for iOS Device, iOS Simulator, Android Device, Android Emulator, Flutter, and React Native — bind/listen, certificate trust, and platform-specific caveats (Android network-security-config, iOS simulator trust, Metro restarts).
• Developer Setup Hub: validated manual snippets + httpbin validation watcher for eight additional targets — Java VMs (keytool import + HttpClient sample), Firefox (Network Settings + authority-store import + cURL verification), Postman, Insomnia, and Paw (proxy + CA settings snippet + cURL verification), Docker (throwaway docker run probe mounting the CA via host.docker.internal), ElectronJS (--proxy-server CLI flag and session.setProxy main-process snippet, both with NODE_EXTRA_CA_CERTS), and Next.js (App Router route handler with NODE_EXTRA_CA_CERTS + HTTPS_PROXY for next dev).

Changed

• Developer Setup Hub: removed the combined HTTP Clients row in favor of individual client targets; the neutrality test now allows Vision Pro as a proper noun while still rejecting standalone packaging terms.
• Developer Setup Hub: promoted Java VMs, Firefox, Postman, Insomnia, Paw, Docker, ElectronJS, and Next.js from guideOnly to availableNow — each now ships a real snippet path with the in-app validation watcher instead of just guide tips.
• Inspector: request and response tabs now use a single-line scrolling tab strip, and short tabs such as Query stay top-aligned in both right and bottom inspector layouts.
• Request table: added Status, Request, Response, and SSL columns, restored the ID header, and made the SSL icon reflect effective interception state instead of URL scheme alone.

Fixed

• MCP Settings: config JSON no longer shows escaped forward slashes (\/) in the command path — output now matches standard local JSON configuration files.
• SSL Proxying controls: the encrypted HTTPS response prompt, sidebar actions, and the main request table now stay in sync when enabling or disabling interception by domain or app.
• Request table: CONNECT tunnel rows no longer show placeholder request/response byte counts, and duration now falls back to measured tunnel timing when detailed timing data is unavailable.

Rockxy 0.9.0 (build 12)

Rockxy 0.9.0 (build 12)

Added

• MCP Server: embedded Model Context Protocol (MCP 2025-11-25) backend — exposes proxy traffic, rules, and status via JSON-RPC 2.0 over a local HTTP server with token-based authentication.
• MCP Server: 10 read-only tools — get_version, get_proxy_status, get_certificate_status, get_recent_flows, get_flow_detail, search_flows, filter_flows, export_flow_curl, list_rules, get_ssl_proxying_list.
• MCP Server: rockxy-mcp stdio CLI binary bundled in the app for standard MCP stdio transport with automatic session tracking.
• MCP Server: privacy-first redaction — sensitive headers, URL query parameters, and body fields (JSON, form-encoded, XML, plain-text Bearer tokens) redacted by default. Live toggle without server restart.
• MCP Server: Settings > MCP tab with enable/disable toggle, running status indicator, copyable connection config, and redaction privacy controls.
• MCP Server: auto-starts on app launch when previously enabled; survives Settings window close; falls back to SessionStore when main window is closed.

Changed

• MCP Server: initialize requests now negotiate compatible MCP protocol versions, recycle stale per-connection sessions, and harden transport/session validation.
• MCP Server: handshake writes now create restricted 0o600 files up front; flow-query fallback filtering, URL/cURL redaction, and port/config validation are stricter and more deterministic.
• MCP Server: recent-flow SessionStore fallback no longer under-filters when callers request a small limit with host/method/status filters.
• MCP Server: transport/tool error payloads now stay valid JSON even when messages contain quotes, backslashes, or control characters.

Rockxy 0.8.0 (build 11)

Rockxy 0.8.0 (build 11)

Added

• Scripting: dedicated Scripting List window (sidebar idiom matching Allow List / Block List / SSL Proxying List) with three-column table (Name / Method / Matching Rule), folder grouping with rename-in-place, slide-up filter bar, bottom bar with + − New Folder ? / Filter / Advance / More.
• Scripting: dedicated Script Editor window with Matching Rule header (Name, URL, method picker, Wildcard/Regex picker, "Test your Rule", "Include all subpaths"), Run-on row (Request / Response / Run as Mock + saved-and-active dot), code editor with line-number ruler + the multi-arg default template, right-side console panel with eye-icon log-level filter (Errors / Warnings / User Logs / System), footer (More / Beautify ⌘B / Snippet Code / Save & Activate ⌘S / console eye toggle).
• Scripting: multi-arg JS API support — onRequest(context, url, request) and onResponse(context, url, request, response) with request.headers / request.queries / request.body / response.statusCode / response.headers / response.body / response.bodyFilePath. Single-arg onRequest(ctx) / onResponse(ctx) continues to work; the runtime dispatches by JS function length.
• Scripting: response.bodyFilePath — load a local file (sandboxed to user home, capped at ProxyLimits.maxResponseBodySize) as the response body.
• Scripting: Advance menu — "Allow Scripts to read System Environment Variables" exposes $rockxy.env.system(key); "Allow Running Multiple Scripts for one Request" enables id-sorted chained execution. Both persisted in AppSettings.
• Scripting: "Enable Scripting Tool" toggle in the Scripting List title row, persisted as AppSettings.scriptingToolEnabled.
• Scripting: folder grouping persisted as a single JSON blob in UserDefaults; ScriptFolderStore reconciles the index against live plugin ids on every refresh.
• Scripting: enabled scripts now run on live HTTP and HTTPS traffic without the Scripting or Settings window needing to be open. PluginManager.ensureLoadedOnce() is awaited on the capture-start path and called at app launch.
• Scripting: optional scriptBehavior block on PluginManifest (matchCondition, runOnRequest, runOnResponse, runAsMock) — opt-in per-script matching and mode gating.
• Scripting: response-side hook now actually mutates what the client receives and what Rockxy persists. ScriptResponseContext is mutable with setStatus, setHeader, setBody JS helpers and a Swift apply-back to HTTPResponseData.
• Scripting: inline mock responses via runAsMock=true. onRequest(ctx) returns a { statusCode, headers?, body? } object; the request never goes upstream. Invalid mock output fails locally with HTTP 502.
• Scripting: CommonJS module.exports = { onRequest, onResponse } compatibility added alongside the existing direct-global pattern.

Changed

• Scripting: forwarded request head is now rebuilt from the (possibly script-mutated) HTTPRequestData via ProxyHandlerShared.buildForwardHead(from:originalHead:). Method, path, query, headers, and body-derived Content-Length reach upstream as expected. Host, port, and scheme mutations from scripts are dropped (with a one-time warning per plugin); use the Map Remote rule action for cross-host rewrites.
• Scripting: deterministic id-sorted plugin execution order; first-match wins on both request and response side.
• Scripting: response hook runs between response-header rule operations and breakpoint dispatch. When the upstream body exceeds ProxyLimits.maxResponseBodySize, response-side scripting is skipped for that request and the existing full streaming behavior is preserved.

Fixed

• Scripting: legacy onResponse(ctx) scripts can once again mutate top-level ctx.statusCode, ctx.responseHeaders, and ctx.body directly.
• Scripting: legacy ctx.setBody("plain text") now actually replaces the outgoing request body instead of silently falling back to the original bytes.
• Scripting: Save & Activate truthfully enables a script on save; the UI no longer reports an inactive script as active. Quota-reached and load-error paths surface explicit status messages.
• Scripting: request and response framing headers (Content-Length / Transfer-Encoding) are recomputed after any script body mutation so downstream receivers stay in sync.
• Scripting: oversize responses no longer flush early when a response breakpoint is armed — breakpoint semantics take precedence over the scripting fast-path.
• Scripting: request and response hooks no-op when the Enable Scripting Tool toggle is off, even for already-enabled scripts.
• Scripting: legacy openWindow(id: "scripting") call sites updated to the new scriptingList window id.

Rockxy 0.7.1 (build 10)

Fixed

• Align live-history cap with actor accounting, guard clearSession reentry, clear ruleLoadTask on completion
• Finalize upstream normalization cleanup
• Cross-suite RuleEngine serialization via RuleTestLock and clearSession regression test
• Replace fire-and-forget engine restore with awaited cleanup in rule tests
• Eliminate MainActor starvation in rule tests and close clearSession generation gap
• Synchronous sessionGeneration in clearSession, atomic rule store writes, and detached syncAll disk I/O
• ClearSession generation sync, deterministic rollback polls, and test isolation
• ClearSession race, rule test isolation, and docs product-name normalization
• Testable ConnectionValidator seam with accept-path and audit-token coverage
• Generation-safe accepted-count reporting and audit-token SecCode extraction seam
• Real caller-validation entrypoint, generation-safe session clear, and bridge defaults isolation
• Real caller-validation tests, correct history accounting, and full plugin environment normalization
• Session clear race, plugin environment normalization, and test serialization
• Hermetic plugin test isolation, real runtime transition test, and error-status assertion
• Refresh VM on failed enable, isolate plugin fixtures, guard small-buffer eviction, and tighten signing tests
• Use Task.sleep instead of Task.yield for VM rollback test stability
• Single-flight rule loading via ensureRulesLoaded()
• Harden plugin/rule race conditions, quota logic, and error surfacing
• Short-circuit re-enable for already-enabled plugins
• Snapshot plugin IDs across await and fix exclusive netcond quota
• Rule loading race and exclusive network-condition quota bypass
• Make quota paths truly atomic and isolate gate policy from tests
• Address final review findings for gates, bulk replace, and selection
• Make script enable atomic and propagate missing-plugin errors
• Address review findings for policy gate correctness
• Make RuleQuotaTests immune to cross-suite singleton state

Changed

• Correct batched-update interval to 100ms and qualify large-body storage path per build
• Validate loadInitialRules reuses in-flight ruleLoadTask and clears it on completion
• Harden plugin env cleanup, dedupe allowed-caller constants, remove hardcoded audit_token_t ObjC encoding, guarantee rule lock release
• Delegate RockxyIdentity bundle init to infoDictionary init
• Tighten .gitignore entries, fix README badges, correct architecture and security diagrams
• Exercise real audit-token revalidation branch in isValidCaller
• Full isValidCaller accept path and NSValue audit-token branch via TestXPCConnection
• Stabilize ConnectionValidator tests and remove infeasible XPC harness
• Direct ConnectionValidator coverage via Shared/ relocation
• Prove enable transition through real default-init production singleton
• Prove default-init VMs load consistent state through real production path
• Restore default-init wiring coverage via pluginManagerIdentity seam
• Isolate default-wiring plugin test from real app-support state
• Complete helper signing diagnostics, toggle rollback, and engine-state assertions
• Strengthen actor eviction, default VM wiring, and concurrent enable postconditions
• Cover default plugin runtime wiring
• Cover coordinator rule wiring, VM quota rollback, and script default paths
• Extract shared temp plugin helpers to TestFixtures
• Remove dead SessionStore coupling from eviction and strengthen history retention tests
• Add helper caller validation matrix
• Annotate identity fallbacks and bind tests to live config
• Add identity and helper trust matrix coverage
• Unify ScriptPluginManager ownership and add script quota
• Cap live history buffer at policy-defined limit
• Add RulePolicyGate and route rule mutations through it
• Add domain favorites capacity at coordinator boundary
• Inject workspace capacity via init
• Remove edition leakage and introduce AppPolicy
• Split family config from product identity

Rockxy Community 0.7.0 (build 9)

Added

• Redesign SSL Proxying List with Include/Exclude tabs and import support

Fixed

• Empty include list no longer intercepts all traffic, rebuild bypass cache on import
• Reconcile selection on visible-list changes and batch Add-App saves
• Reject unrelated JSON in SSL importer, route context menu to clicked row
• Detect helper signing mismatch and BTM desync instead of looping
• Refresh snapshot after HAR/session import, add picker flow + coordinator path tests
• Refresh snapshot on clear/rebuild/enrichment, restore Select control, add picker flow tests
• Add App uses real observed domains — no manual fallback or guessed wildcards
• Add App picker shows both Apps and Domains sections from live traffic
• Restore Add App picker UI matching Figma design
• Cleanup pass — remove misleading app picker, fix bypass help text, add sidebar tests
• Harden SSL Proxying List — cache loading, import validation, sidebar toggle, wildcard matching

Changed

• Assert only newly added slice in addRulesAddsMultipleDomains
• Harden SSL importer normalization, domain validation, snapshot dedupe, and test isolation
• Add coordinator-entrypoint regression tests for sidebar SSL toggle

Rockxy Community 0.6.0 (build 8)

Added

• Redesign Allow List with full URL pattern matching and dedicated management window
• Redesign breakpoint rules window with dedicated management UI

Changed

• Sync changelog surfaces
• Trim Allow List rule name before persisting
• Noun-phrase inflection for paused header, trim and regex-safe Allow List save
• Allow List and Breakpoint cleanup pass — normalize method, tighten logs, localize headers, tighten tests

Rockxy Community 0.5.0 (build 7)

Added

• Security hardening, docs honesty, trust recovery, helper lifecycle, architecture cleanup

Fixed

• Wire JSONInspectorView into response body tab, deterministic tab selection
• Code review follow-up — thread safety, fail-closed backup, honest docs, UI polish

Changed

• Sync changelog release surfaces

Rockxy Community 0.4.0 (build 6)

Added

• Redesign rule editor with Proxyman-style dropdowns and enlarged window

Fixed

• Prevent selectPlugin load failure from being overwritten by success status
• Surface UI feedback when applyTemplate receives unknown name
• Tighten scripting template fallback, scope subpaths toggle, localize provenance
• Address code review findings for block-list PR
• Restore quick-create handoff, remove nonfunctional controls, enforce honest UI

Changed

• Merge remote-tracking branch 'origin/main'
• Add multilingual README translations
• Add localized readmes

Rockxy Community 0.3.0 (build 4)

Added

• Add edition capability model, replay toast, and product naming

Fixed

• Satisfy release doctor swiftlint check
• Stop swallowing non-3 launchctl errors in watchdog removal
• Replace precondition with throwing resolver in neutrality tests
• Address review findings for community core cleanup
• Remove release scripts from tracking
• Guard universal web download release sync

Changed

• Clean public repo language and harden release script guards
• Remove placeholder surfaces and dead settings code
• Apply swiftformat across codebase