Changelog

Every feature, fix, and change across all Rockxy releases.

Unreleased

Added

•Documentation pages for Request Diff, JavaScript Scripting, and Sessions & HAR features
•Entry points tables (menu paths, keyboard shortcuts) added to all feature documentation pages
•Simplified single-group navigation structure in docs replacing the two-tab layout
•Diff integration: select 2 transactions, right-click "Compare Selected" to open side-by-side diff window (Cmd+Option+D)
•Session metadata dialog after opening a .rockxysession file showing transaction count, log entries, date range, and version
•Scripting window empty state with capability list and "Create Your First Script" button
•Script sidebar error visibility: plugins in error state show the error message inline
•Script console surfaces load-time errors automatically
•Specific error messages for script timeouts and JS exceptions with actionable hints
•"Edit and Repeat" replay sheet: right-click splits "Repeat" (fast) from "Edit and Repeat" (editable sheet)
•Unified rule management: Map Local, Map Remote, and Block List windows now route through RuleSyncService
•Persistent direct-mode proxy backup survives crashes and force-quits
•Launch-time stale proxy recovery: detects and restores leftover Rockxy proxy overrides on app launch
•Ownership-aware proxy disable: detects whether proxy is owned by direct mode or helper
•Response breakpoints: proxy pipeline intercepts upstream responses for user editing
•Editable query parameters in breakpoint editor with add/remove buttons
•"Add Breakpoint for Selected Request" command in Tools menu and toolbar dropdown
•Breakpoints window (Cmd+Shift+B) with queue-backed BreakpointManager
•Live bandwidth metering in footer: cumulative totals, instantaneous throughput via 1s sliding window
•Helper tool unreachable status with XPC diagnostic properties and retry/reinstall actions
•Advanced Proxy Settings helper section redesigned with 3-zone layout
•RuleEngine converted to shared singleton actor for thread-safe rule evaluation
•RuleSyncService centralizes all rule mutations with automatic disk persistence
•Breakpoint window two-section sidebar showing both rules and paused items

Changed

•Documentation license reference corrected from MIT to Apache 2.0
•GraphQL documentation narrowed to "GraphQL-over-HTTP detection" to match actual scope
•Request replay docs rewritten to reflect proxy-bypass session behavior
•README roadmap split into Shipped and Planned sections
•Root CA key type corrected from RSA 2048-bit to P-256 (ECDSA) in HTTPS docs
•Import error dialogs now show specific titles and messages per failure type
•Removed iOS Simulator Certificate step from Welcome screen
•Privacy Settings rewritten with honest disclosure and "No Data Collected" badge
•MCP Settings replaced with informational Labs Preview surface
•Root CA private key storage is now Keychain-primary with automatic migration from disk PEM

Fixed

•Replay requests now bypass the local proxy via shared proxyBypassSession, preventing infinite loops
•Multi-selection in request list no longer collapses to single selection
•Diff window refreshes when a new comparison is triggered while already open
•Response headers now displayed in the replay sheet
•SystemProxyWarningBanner now displays the actual warning message instead of hardcoded text
•Response breakpoint edits now recorded in transaction
•Stale pendingBreakpointPhase no longer leaks across requests
•Context menu "Add Breakpoint" now routes through addRule() for JSON persistence
•CertificateStore no longer writes plaintext PEM to disk after successful Keychain save
•Import size-validation errors now show NSAlert instead of being silently logged
•HTTP breakpoint port, Content-Length, body, URL, and scheme handling fixes
•HTTPS breakpoint URL field now constrains editing to path and query only
•XPC caller validation hardened with two-layer defense-in-depth
•Map Local directory path containment bypass fixed

Earlier Development

Added

•Quick search bar with field picker: search by URL, host, path, method, status code, headers, query, comment, or color
•Active filter summary strip with removable chips and "Clear All" button
•Filter operators: "Is Not" (notEqual) and "Regex" for advanced filter rules
•Native .rockxysession format for saving and opening full debug sessions
•HAR import (File → Import HAR) for Chrome DevTools, Firefox, and other tools
•Allow List: capture-level filter restricting recording to specific domains
•No Caching toggle: injects Cache-Control/Pragma headers to force fresh responses
•Breakpoint end-to-end wiring: pauses HTTP and HTTPS requests in NIO pipeline
•Multiple workspace tabs (Cmd+T new, Cmd+W close, Cmd+1-9 switch)
•"Copy as" submenu: Headers, Body, Cookies, URL, cURL, JSON, HAR, Raw
•Custom Previewer Tabs: JSON Treeview, HTML Preview, Hex, Raw, CSS, JavaScript, XML, Images
•Custom Header Columns: add request/response header columns to flow table
•Map Local Directory support with subpath resolution, index.html fallback, MIME detection
•Sidebar right-click context menu (Pin, SSL Proxying, Sort, Tools, Export, Delete)
•Bypass Proxy List window (Tools → Bypass Proxy List, Cmd+Opt+B)
•Helper tool certificate trust management via XPC
•Map Local rules: configurable status code, rule import/export to JSON
•Right-click context menu: Copy URL/cURL/cell/JSON/HAR/raw, Repeat, Pin, Highlight, Tools, Export
•Transaction highlight colors (red, orange, yellow, green, blue, purple)
•User-Agent app identification from HTTP headers
•Column auto-sizing with double-click column dividers
•Process identification via lsof with 2-second batch caching
•Real macOS app icons in sidebar and client column
•JavaScript plugin ecosystem with JavaScriptCore, plugin manifests, filesystem discovery
•$rockxy bridge API for JS plugins: logging, crypto, encoding, storage, environment
•Plugin request hooks and read-only response hooks in proxy pipeline
•Welcome/Getting Started window with live setup checklist
•Map Local, Map Remote, Block List, SSL Proxying List, Diff, and Scripting windows
•Rule Hub: grid layout with toggle/name/pattern/action/priority, search, presets, import/export
•Engine status pills in toolbar showing Proxy/Logs/Plugins state
•Enhanced status bar: request count, session timer, error count, selected request info
•Privileged Helper Tool: SMAppService-based daemon for instant system proxy changes
•SSL Proxying List: per-domain control over HTTPS interception

Changed

•filteredTransactions converted from computed property to cached stored property
•Batch timer interval increased from 100ms to 250ms for larger batches
•Batch delivery decoupled from lsof: process resolution runs asynchronously
•Incremental NSTableView updates: insertRows instead of full reloadData
•O(1) domain tree lookup with dictionary-backed index
•Process resolution moved off main thread to TrafficSessionManager actor
•TLS failure transactions hidden from traffic list by default
•Helper tool auto-updates on version mismatch
•System proxy now configures all enabled network services
•Helper tool XPC validation uses certificate chain comparison

Fixed

•Proxy blocking all internet traffic: added 5-second connection timeouts and 30-second read timeouts
•Leaked connections on failed TLS handshakes now properly closed
•Lost HTTPS transactions when upstream server closes without TLS close_notify
•Chrome ERR_CERT_AUTHORITY_INVALID: SHA-256 fingerprint-based root CA, clean stale duplicates
•Removed keyEncipherment from ECDSA leaf cert (wrong for ECDHE, BoringSSL rejection)
•Fail-closed trust validation at proxy start
•Port conflict detection before proxy bind
•Replaced 60-second connection lifetime cap with idle timeout (300s) that resets on data activity
•TLS handshake race condition where both success and error handlers fire
•XPC stale connection reuse after error or timeout
•Auto-passthrough for strict TLS clients (ChatGPT, certificate-pinned apps)
•Proxy blocking all internet traffic after ~5 minutes: fixed leaked NIO channels
•App crash after ~40 minutes: added eviction observer for bufferEvictionRequested
•Chrome privacy interstitial on first TLS rejection: downgrade to raw passthrough
•RecentFailureTracker crash during high-volume TLS failures (UInt64 underflow race)
•HTTPS MITM fatal crash: correct NIOSSLServerHandler pipeline placement
•"Certificate not yet valid" errors: backdate notValidBefore by 2 days
•CONNECT tunnel TLS handshake (WRONG_VERSION_NUMBER): forward-based ProtocolDetectorHandler
•HTTPS interception TLS handshake: Content-Length: 0 on CONNECT 200 response
•XPC continuation leak: flattened nested timeout/continuation into single scope
•Helper tool version mismatch causing reinstall cycles
•VPN/tunnel detection: warning banner when traffic may not be captured
•Blank main window after welcome, frozen Start button, and numerous proxy startup fixes
•Rule engine: mapRemote, modifyHeader, and throttle actions now properly forward requests
•HTTPS proxy relay now evaluates rules (previously bypassed all rules)
•Search field selection ignored: filtering always searched URL regardless of picker
•"Save Session" menu item exporting HAR instead of native session format
•Blank main window visible behind welcome screen on first launch
•Path traversal protection for Map Local rules
•Plugin reinstall from already-deleted bundle path

Security

•Helper tool ConnectionValidator compares code signing certificate chains (immune to Info.plist tampering)
•Port validation (1024-65535) on helper proxy override XPC calls
•Rate limiting (2s cooldown) on proxy change XPC calls
•TOCTOU vulnerability fix in CrashRecovery (try/catch instead of fileExists)
•Restrictive file permissions (0o600) on proxy backup files
•Rule import rejects files larger than 5 MB
•Plugin install validates source directory and sanitizes names
•Helper tool entitlements deny unsigned executable memory and dyld environment variables

For the full commit history, see the GitHub repository.