When you need root.
Captain’s Deck doesn’t want elevated privileges by default — and that’s a feature. When you do need them, admin mode is explicit, scoped, and noisy in all the right ways.
Enabling admin mode
Admin mode is off by default and must be explicitly enabled in Preferences → Advanced → Allow administrator mode. Once enabled, the option to elevate appears in the menu bar and as a contextual action when you try to write to a protected location.
After the helper is installed, subsequent operations during the same launch reuse the helper without further prompts. Quitting the app or rebooting reverts the helper to a dormant state until needed again.
How auth works
Captain’s Deck uses the standard macOS Authorization Services framework. When you elevate, a small privileged helper is launched, performs the requested operation, and exits. The helper:
- Is signed and notarised by the same team certificate as the main app
- Runs only for the duration of the operation
- Has its own scope — file IO only, no network, no shell exec
- Logs every call to a tamper-evident audit log
What admin can do
- Read / write any file on the local volume (subject to SIP)
- Change ownership and permissions (chown, chmod)
- Set extended attributes & ACLs
- Work inside protected folders like /etc, /usr/local, /Library
It cannot bypass System Integrity Protection. It cannot mount disks. It cannot execute scripts. (We thought hard about this — the surface stays small on purpose.)
Safety nets
- Destructive operations show an extra confirmation that lists exactly which paths will be touched
- Bulk delete on system paths requires typing the parent path (no muscle-memory enter)
- Admin mode auto-exits after 60 seconds of pane inactivity
Audit log
Every admin operation appends a JSON line to ~/Library/Logs/CaptainsDeck/admin.log with timestamp, operation, args, and outcome. The log uses an HMAC chain — each record is signed with a key derived from the previous record’s signature, so editing or truncating an entry breaks every entry that follows it.
Settings → General → Admin Mode has two buttons:
- Reveal Audit Log — opens the log file in Finder.
- Verify Chain — walks the file end-to-end and reports the first broken link, if any. A clean log shows “All N records match the HMAC chain.”
The signing key is generated on first use and stored in your Keychain, so the chain only verifies on the same Mac that wrote it.
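A minimal sketch of the kind of check Verify Chain performs, added here as an example and not Captain's Deck's own code. The record field names, SHA-256, the all-zero starting value and the key-derivation step are assumptions, since this page does not specify the log's exact format.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # assumed "previous signature" for the first record


def _sign(root_key, prev_sig, body):
    # Per-record key is derived from the previous record's signature.
    link_key = hmac.new(root_key, prev_sig, hashlib.sha256).digest()
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(link_key, payload, hashlib.sha256).digest()


def append_record(lines, root_key, body):
    """Append one signed JSON line to the in-memory log `lines`."""
    prev = bytes.fromhex(json.loads(lines[-1])["sig"]) if lines else GENESIS
    sig = _sign(root_key, prev, body).hex()
    lines.append(json.dumps({**body, "sig": sig}, sort_keys=True))


def verify_chain(lines, root_key):
    """Return (records_ok, first_broken_line); the second is None if clean."""
    prev = GENESIS
    for n, line in enumerate(lines, start=1):
        try:
            rec = json.loads(line)
            claimed = bytes.fromhex(rec.pop("sig"))
        except (ValueError, KeyError, TypeError, AttributeError):
            return n - 1, n  # unparseable or unsigned record
        if not hmac.compare_digest(claimed, _sign(root_key, prev, rec)):
            return n - 1, n  # signature does not match the chain
        prev = claimed
    return len(lines), None


def demo():
    key = b"constructed-demo-key"  # stand-in for the Keychain-held key
    log = []
    for op in ("chmod", "chown", "write"):  # constructed sample records
        append_record(log, key, {"ts": "2024-01-01T00:00:00Z", "op": op,
                                 "args": ["/etc/example"], "outcome": "ok"})
    edited = [log[0], log[1].replace("chown", "chmod"), log[2]]
    return (verify_chain(log, key), verify_chain(edited, key),
            verify_chain(log[:1] + log[2:], key), verify_chain(log[:2], key))


if __name__ == "__main__":
    print(demo())
```

In this sketch, removing whole records from the end of the file leaves a shorter chain that still verifies. Detecting that case needs the record count or the latest signature kept somewhere outside the log.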