feat(clean): add dirs_cleaner cleanup command

README.md

@@ -119,6 +119,8 @@ Space freed: 95.5GB | Free space now: 223.5GB
 
 Note: In `mo clean` -> Developer tools, Mole removes unused CoreSimulator `Volumes/Cryptex` entries and skips `IN_USE` items.
 
+During system cleanup, Mole also audits `/private/var/dirs_cleaner` for unusually large or stale macOS cleanup staging entries. The default check is report-only: it shows size, age, ownership metadata, and review commands. To explicitly clean stale top-level or shallow staging entries, preview with `mo clean --dirs-cleaner --dry-run`, then run `mo clean --dirs-cleaner`.
+
 ### Smart App Uninstaller
 
 ```bash

SECURITY_AUDIT.md

@@ -79,6 +79,7 @@ Some subpaths under otherwise protected roots are explicitly allowlisted for bou
 - `/private/var/db/DiagnosticPipeline`
 - `/private/var/db/powerlog`
 - `/private/var/db/reportmemoryexception`
+- `/private/var/dirs_cleaner/<top-level-or-shallow-child>` (only via explicit stale staging cleanup; never the parent)
 
 This design keeps cleanup scoped to known-safe maintenance targets instead of broad root-level deletion patterns.
 
@@ -110,6 +111,7 @@ Some subpaths under protected roots are explicitly allowlisted:
 - `/private/var/db/DiagnosticPipeline`
 - `/private/var/db/powerlog`
 - `/private/var/db/reportmemoryexception`
+- `/private/var/dirs_cleaner/<top-level-or-shallow-child>` (explicit cleanup only)
 
 ### Protected Categories
 

bin/clean.sh

@@ -25,6 +25,7 @@ SYSTEM_CLEAN=false
 DRY_RUN=false
 PROTECT_FINDER_METADATA=false
 EXTERNAL_VOLUME_TARGET=""
+DIRS_CLEANER_CLEAN=false
 IS_M_SERIES=$([[ "$(uname -m)" == "arm64" ]] && echo "true" || echo "false")
 
 EXPORT_LIST_FILE="$HOME/.config/mole/clean-list.txt"
@@ -1323,6 +1324,36 @@ run_cloud_and_office_cleanup() {
     clean_office_applications
 }
 
+run_dirs_cleaner_cleanup_command() {
+    export MOLE_CURRENT_COMMAND="clean"
+    log_operation_session_start "clean"
+
+    printf '\n'
+    echo -e "${PURPLE_BOLD}Clean macOS Cleanup Staging${NC}"
+    echo -e "${GRAY}/private/var/dirs_cleaner${NC}"
+    echo ""
+
+    if [[ "$DRY_RUN" == "true" ]]; then
+        echo -e "${YELLOW}Dry Run Mode${NC}, Preview only, no deletions"
+        echo ""
+    fi
+
+    if ! ensure_sudo_session "macOS cleanup staging requires admin access"; then
+        echo -e "${YELLOW}Authentication failed${NC}, cleanup staging skipped"
+        log_operation_session_end "clean" 0 0
+        return 1
+    fi
+
+    hide_cursor
+    local rc=0
+    clean_dirs_cleaner_staging || rc=$?
+    show_cursor
+
+    log_operation_session_end "clean" 0 0
+    printf '\n'
+    return "$rc"
+}
+
 main() {
     while [[ $# -gt 0 ]]; do
         case "$1" in
@@ -1345,6 +1376,9 @@ main() {
                 fi
                 EXTERNAL_VOLUME_TARGET=$(validate_external_volume_target "$1") || exit 1
                 ;;
+            "--dirs-cleaner")
+                DIRS_CLEANER_CLEAN=true
+                ;;
             "--whitelist")
                 source "$SCRIPT_DIR/../lib/manage/whitelist.sh"
                 manage_whitelist "clean"
@@ -1369,6 +1403,16 @@ main() {
         shift
     done
 
+    if [[ "$DIRS_CLEANER_CLEAN" == "true" ]]; then
+        if [[ -n "$EXTERNAL_VOLUME_TARGET" ]]; then
+            echo "mo clean --dirs-cleaner cannot be combined with --external" >&2
+            exit 1
+        fi
+
+        run_dirs_cleaner_cleanup_command
+        exit $?
+    fi
+
     start_cleanup
     hide_cursor
     perform_cleanup