[App Store] CodePeek+ – Free syntax-highlighted Quick Look previews for code files
https://redd.it/1rs1216
@macappsbackup
Megathread The App Pile - March/April, 2026
https://preview.redd.it/4ggm47m192qg1.jpg?width=7176&format=pjpg&auto=webp&s=fba906a7f82a78a0906d171a6f17b414aea17510
Welcome to The App Pile
You must promote your apps here if you do not qualify to post in the main feed through Trust or Transparency, explained here.
If you:
* Are below 10 r/MacApps karma.
* NOT in the Mac App Store (MAS).
* Not yet granted a developer flair (500+ r/MacApps karma AND Moderator’s discretion)
* Do not have an established GitHub history (1yr old repo AND 100+ stars)
* Do not provide meaningful public transparency
* Created yet another dictation app (speech to text).

Then you are required to limit promotion to this megathread.
All promotion must follow the PCP format:
* App Name/Title \[Screenshot encouraged\]
* Problem: What problem does your app solve.
* Comparison: Name 1–2 top alternatives and describe how what you offer is better.
* Pricing Amounts+Link
P.s. Promotion here counts towards the 30-day limited promotion (Rule 3).
Pro tip for everyone else: >!Please remember to upvote gems and downvote spam/clones... !<This will help inform a secret community project I hope to announce next month.
https://redd.it/1rybab4
@macappsbackup
r/MacApps Mods Went Too Far! What’s Changing (Phase 3)
[TLDR graphic, but please, read the rest if you spend time in r\/MacApps.](https://preview.redd.it/7w1n09di02qg1.jpg?width=3584&format=pjpg&auto=webp&s=94a21c274db43342aec12f8a497bb612066cc8a6)
**Phase 2 Report:** [Last month we introduced PCPCA post formatting requirements](https://www.reddit.com/r/macapps/comments/1r6d06r/new_post_requirements_to_combat_low_quality/) to include detail minimums in every app promotion (Problem, Compare, Pricing, Changelog, AI Disclaimer). This caused way too much work, with 2,700+ items removed and 1,400 modmail messages sent. With the mods runing everything, user engagement dropped with views down 204k. That's okay, though; quality over quantity. Still, this is Reddit, and you should retain the power to promote or bury posts.
# Change 1: Simplify Posts (PCPCA → PCP)
Moving forward, we are reducing post-formatting expectations to: Problem, Comparison, Pricing (PCP).
* **Problem:** What problem does your app solve.
* **Comparison:** Name 1–2 top alternatives and describe how what you offer is better.
* **Pricing:** Amounts+Link

Requiring changelogs and AI disclaimers failed to meaningfully differentiate quality apps from spam. Nearly all posts claimed sufficient knowledge and experience for “Human validation” of AI code. Let's move on. 😅
# Change 2: Trust, Transparency, or The App Pile [Megathread]
We have been discussing how to better protect the sub from low-effort app spam, throwaway-account promotion, and unknown software links, without making life harder for legitimate developers.
Our idea is simple: **The less trust your distribution path provides, the more transparency you should need.**
* In the **Mac App Store**? Apple is screening you for us.
* If you have an **established GitHub project**, that can also build trust.
* **But** if you are asking people to install software from a random site or brand-new repo, we need more reason to trust.
To make this clearer, we are experimenting with a **three-tier** approach for the next month:
# Tier 1: The Trust Path = Post to Main feed.
These devs have the easiest route to posting in the main r/MacApps feed:
* **Mac App Store developers (Paid developer accounts)**
* **User-Flaired Developers (already well-known / trusted in** r/MacApps)
* **Developers with established GitHub projects** (1yr+), consistent development history, or real community interest (100+ stars).
These trust signals allow you to post in r/MacApps, as long as you meet the 10 local karma minimum.
# Tier 2: The Transparency Path = Post to Main feed.
If you are NOT in the Mac App Store and are not already an established dev, you may still qualify for main-feed posting by being open about who you are and giving users reasons to trust you.
**This includes app promotion posts that include a minimum of BOTH:**
1. A developer portfolio with a real life identity, LinkedIn, and real contact details (e.g. established **company / business presence**)
2. A website with a Privacy Policy and Terms of Service
These trust signals should show you are not just a throwaway account dropping unknown software for us to try.
This is basically the middle ground: you may not yet have a major reputation, but you are willing to stand behind your app in public and work to gain a good reputation.
# Tier 3: Everyone else: “The App Pile” [Megathread]
If you do **not** qualify through either trust or transparency, your app promo belongs in **the Megathread** rather than the main feed.
That means if you are:
* Not in the App Store
* Not granted a developer flair as an established / recognized dev yet (500+ r/MacApps participation karma AND Moderator’s discretion)
* Do not have an established GitHub history (1yr old repo OR 100+ stars)
* Do not provide meaningful public transparency
…then you are headed to **The App Pile**.
This is not meant as an insult or a blanket statement that new apps are bad. It is just the lowest-risk place for unproven or low-context app promotion until trust is earned.
Users can check your app out, up/downvote your comments, and as you gain community karma you may eventually receive an app-flair that allows you to promote outside of the megathread.
# Promotion Frequency Revision (Rule 3)
>Infrequent self-promotion is permitted; however, it is not permitted more than once per developer in 30 days. This is counted from the last app post, even if it was removed. **For established, App-Flaired devs, once per app per month.**
You must also disclose your relationship to your software in comments promoting your app, but **Promoting your own app in comments is disallowed until you earn 10 karma in** r/MacApps.
The bold sections are added because some users whose promo posts were blocked were immediately trying to hijack other posts with comments as a workaround. Classy!
Sharing useful alternatives and healthy competition is still welcome, but using the comment section in someone else’s post as a backdoor for self-promo and SEO is not always in good taste and does not make r/MacApps a better place.
# The Community's Role:
* Please use your votes and reports especially in the Megathread to help recognize hidden gems.
* Bury what looks low-effort, suspicious, misleading, or privacy-invasive.
A better r/MacApps depends not just on our rules, but on you helping surface good apps while pushing bad ones out of the way.
\-----
**FAQ:**
**I followed the rules, why was my post/comment removed?**
1. AI assisted comments are a huge trigger for Reddit auto-removals because of recognizable patterns (e.g. “—” em dashes).
2. Repeatedly posting the same thing (comments, links, etc.) = Triggers Reddit spam algorithms.
3. You didn’t verify your email in your profile, and/or you have multiple accounts.
4. You missed one or more rules and tried to repost rather than editing and letting us restore it. This leaves a strike on your account.
**How do I check my** r/MacApps **community Karma?** Visit [here](https://old.reddit.com/user/me/) and click "show karma breakdown by subreddit"
**Prior updates:**
\- 2026: [New Post Requirements to Combat Low Quality Content (Phase 2) ](https://www.reddit.com/r/macapps/comments/1r6d06r/new_post_requirements_to_combat_low_quality/)
\- 2026: [\[OS\]+Pricing Guidelines](https://www.reddit.com/r/macapps/comments/1qghsc5/new_post_guidelines_and_updates_on_rmacapps/)
\- 2025: [Townhall on Post Quality](https://www.reddit.com/r/macapps/comments/1otrfsc/meta_townhall_on_post_quality/), [Rule Updates](https://www.reddit.com/r/macapps/comments/1o01a9f/rmacapps_rule_updates_on_promotion_vibe_coding/)
https://redd.it/1ryaeex
@macappsbackup
[OS] SlowQuit: A macOS menu bar app that prevents accidental app quits by adding a delay to Cmd-Q.
https://github.com/dudukee/SlowQuit
https://redd.it/1ryjzuk
@macappsbackup
[macOS] DynamicHorizon — A Minimal Notch App That Blends Into the Notch Instead of Becoming a Bloated Dashboard
https://redd.it/1rya7xv
@macappsbackup
[OS] DMGMaker - Premium macOS DMG creation with live SwiftUI Mesh Gradients and No-Halo links
https://redd.it/1ry06j6
@macappsbackup
Octarine Achieves Power and Versatility Without The PKM Rabbit-hole Effect
[Octarine](https://preview.redd.it/z4gqs84rm2qg1.png?width=1747&format=png&auto=webp&s=387643bc3aeb4ec6c5db86d93c21d260bbfcdee6)
I’ve been hearing about [Octarine](https://octarine.app/) for a while. It’s one of those apps that people whose opinions I trust talk about with a lot of respect. After spending serious time testing it, I understand why.
Octarine is a tool for creating, editing, and organizing information using **plain Markdown files**. Notes stay independent but connected through links, tags, and metadata. It supports images, video, PDFs, and other files, which open in their native apps.
It’s flexible enough to cover several real workflows:
* journaling
* writing and drafting
* documentation
* PKM / linked notes
* project tracking
* task management
# Setup
Octarine runs on **Mac, Windows, and Linux**, but it’s not a heavy Electron app. The download is about **30 MB** and it launches basically instantly.
Installation on macOS is the usual:
1. Open the DMG
2. Drag **Octarine.app** to `/Applications`
On first launch you create or open a **Workspace**, which is just a folder of Markdown files.
That’s the entire setup.
# Filesystem First
Octarine stores everything as **normal Markdown files in normal folders**.
That means:
* You can manage notes in **Finder**
* Open them in **BBEdit, Typora, or any editor**
* Sync them with **iCloud, Google Drive, Syncthing, or Git**
I confirmed this by editing a note in **Typora** and watching Octarine instantly render the change.
It also supports **wikilinks** (`[[note]]` style), so building a network of connected notes is quick.
There’s also a knowledge graph if you’re into that. Just don’t post screenshots of it online unless you enjoy being teased.
# Writing and Formatting
Formatting is handled through a **slash command menu (**`/`**)**. It exposes all the usual Markdown tools plus some extras:
* headers and text styles
* callouts
* code blocks
* Mermaid diagrams
* LaTeX
* tables
* colored text
* templates
You could use Octarine purely as a **Markdown writing environment**. It renders formatting instantly, similar to Typora, but the underlying file is still plain Markdown.
It also converts **pasted HTML to Markdown**, which is surprisingly useful.
# Organization
The sidebar shows a **folder tree** of your workspace.
Beyond folders, Octarine adds structure with:
* **tags**
* **metadata fields**
* **Views**
Views are essentially **dynamic tables of notes** filtered by rules you define.
Think “saved smart searches that behave like a lightweight database.”
For project notes or research collections, this ends up being one of the most powerful features.
# AI (Optional)
Octarine’s AI tools work with:
* **Ollama or LM Studio** for local models
* **Apple Intelligence**
* **OpenAI, Anthropic, and Gemini APIs**
AI operates on the **current note as context**, letting you summarize, rewrite, or expand content.
Pro users can also install a **90 MB local model** that indexes the workspace and provides basic RAG features.
# Pricing
Most features are available in the **free version**.
The **Pro license** is currently **$70 (early supporter price)** and unlocks AI features plus future upgrades.
Not cheap, but it’s in the same ballpark as tools like **iA Writer ($69)**.
# Bottom Line
Octarine feels like what you’d get if someone built a **PKM / Markdown workspace from scratch** without the plugin ecosystem complexity.
If you like the *idea* of tools like Obsidian but don’t want to spend weeks dialing in plugins and settings, Octarine is worth a look.
Curious if anyone here has been using it long-term.
https://redd.it/1rydhb1
@macappsbackup
[unusual proposal] App idea - fully thought through and designed // Giveaway.
https://redd.it/1ryt9o6
@macappsbackup
I tested every “lifetime” Mac app posted on r/macapps for 7 weeks – 32 apps, 32 bypasses
**TL;DR:** Over 7 weeks I tested 32 “lifetime” Mac apps posted on r/macapps (non–App Store, direct downloads). Every single one had at least one real way to bypass its licensing or Pro checks using only local tools, no binary patching. For most users that just means “someone can get free Pro”, but a few apps had issues serious enough that, in the wrong hands, they could be abused for malicious updates or other supply‑chain style attacks. I named every app and privately reported all issues to the developers. The top two devs (Resurf and How To Convert) handled things almost perfectly. The bottom two (Glyph and Droppy) either blocked me or turned hostile after initially asking how to donate.
I recommend reading this full post or reading the write-up I did of all 32 apps, methodology, and responses: [https://kamidevs.com/blog/macapps-audit](https://kamidevs.com/blog/macapps-audit)
\---
# Well, before we start, I think it's fair to say, who am I?
Well, kind user, thank you for asking! I'm Kami, also known as SenpaiHunters. I am a developer and a security research engineer. I've been cracking apps for over 7 years, so I've gained enough skills during this time to figure out how a Mac app will always run, whether it is native code like Swift or cross-platform like Electron.
You may also know me as a core developer of Loop, a FOSS window manager.
It's important to tell you that throughout this review, I am not affiliated with, paid for an increased rating, personally know, or otherwise act in disingenuous behavior to benefit a singular or multiple developers to gain a paid or better audience. All of the messages I sent were the first time doing so, and if you'd like more knowledge on an app I've reviewed, you're free to ask!
# What did I do?
From 20 January to 10 March 2026, I opened every post on r/macapps that used the “Lifetime” flair. I skipped Mac App Store–only apps and downloaded every other app that offered a paid lifetime license via direct download.
Every app I looked at was:
* distributed outside the Mac App Store
* signed with a valid Developer ID and passed Gatekeeper / notarization when installed
For each one, I asked a single question:
*"Can I bypass this app’s licensing as a normal user without patching the binary?"*
I limited myself to what a determined but “normal” user could do on their own Mac. I did use a local HTTPS proxy, `defaults`, `plutil`, `security`, Keychain Access, and edits to files under `~/Library` and other common directories. I did not use a disassembler, patch or re‑sign binaries, or attach a debugger to change code in memory. The idea was to see what someone can do with off‑the‑shelf tools, while still running the official build.
In that seven‑week window, I ended up with 32 lifetime‑license Mac apps. All of them passed Gatekeeper and notarization. All of them were bypassable at the licensing level using only local tools.
# Why this matters for normal r/macapps users
You might be asking me, “So if I install a vibe-coded app, am I at greater risk of having my email, passwords, or data exposed?”
Most of the issues I found are license and trial bypasses. For the typical user, that’s not immediately catastrophic, it mostly means:
* some people can get Pro without paying
* trials can be reset indefinitely
* the developer is losing revenue and doesn’t realise how flimsy their checks are
Where it becomes a real user‑safety problem is when the same “vibe‑coded” mindset hits the backend or update logic. In a few apps I saw problems like:
* Supabase row‑level security that allowed authenticated users to edit license or release tables (including update URLs)
* Credentials or tokens that could, if abused, be used to push malicious updates as if they were official
Those are the cases where, yes, installing the app could put you at greater risk. Not because the developer is necessarily malicious, but because they shipped something where an attacker could hijack the update channel or tamper with
**TL;DR:** Over 7 weeks I tested 32 “lifetime” Mac apps posted on r/macapps (non–App Store, direct downloads). Every single one had at least one real way to bypass its licensing or Pro checks using only local tools, no binary patching. For most users that just means “someone can get free Pro”, but a few apps had issues serious enough that, in the wrong hands, they could be abused for malicious updates or other supply‑chain style attacks. I named every app and privately reported all issues to the developers. The top two devs (Resurf and How To Convert) handled things almost perfectly. The bottom two (Glyph and Droppy) either blocked me or turned hostile after initially asking how to donate.
I recommend reading this full post or reading the write-up I did of all 32 apps, methodology, and responses.: [https://kamidevs.com/blog/macapps-audit](https://kamidevs.com/blog/macapps-audit)
\---
# Well, before we start, I think it's fair to say, who am I?
Well, kind user, thank you for asking! I'm Kami, also known as SenpaiHunters. I am a developer and a security research engineer. I've been cracking apps for over 7 years, so I've gained enough skills during this time to figure out how a Mac app will always run, whether it is native code like Swift or cross-platform like Electron.
You may also know me as a core developer of Loop, a FOSS window manager.
It's important to tell you that throughout this review, I am not affiliated with, paid for an increased rating, personally know, or otherwise act in disingenuous behavior to benefit a singular or multiple developers to gain a paid or better audience. All of the messages I sent were the first time doing so, and if you'd like more knowledge on an app I've reviewed, you're free to ask!
# What did I do?
From 20 January to 10 March 2026, I opened every post on r/macapps that used the “Lifetime” flair. I skipped Mac App Store–only apps and downloaded every other app that offered a paid lifetime license via direct download.
Every app I looked at was:
* distributed outside the Mac App Store
* signed with a valid Developer ID and passed Gatekeeper / notarization when installed
For each one, I asked a single question:
*"Can I bypass this app’s licensing as a normal user without patching the binary?"*
I limited myself to what a determined but “normal” user could do on their own Mac. I did use a local HTTPS proxy, `defaults`, `plutil`, `security`, Keychain Access, and edits to files under `~/Library` and other common directories. I did not use a disassembler, patch or re‑sign binaries, or attach a debugger to change code in memory. The idea was to see what someone can do with off‑the‑shelf tools, while still running the official build.
In that seven‑week window, I ended up with 32 lifetime‑license Mac apps. All of them passed Gatekeeper and notarization. All of them were bypassable at the licensing level using only local tools.
# Why this matters for normal r/macapps users
You might be asking me, “So if I install a vibe-coded app, am I at greater risk of having my email, passwords, or data exposed?”
Most of the issues I found are license and trial bypasses. For the typical user, that’s not immediately catastrophic, it mostly means:
* some people can get Pro without paying
* trials can be reset indefinitely
* the developer is losing revenue and doesn’t realise how flimsy their checks are
Where it becomes a real user‑safety problem is when the same “vibe‑coded” mindset hits the backend or update logic. In a few apps I saw problems like:
* Supabase row‑level security that allowed authenticated users to edit license or release tables (including update URLs)
* Credentials or tokens that could, if abused, be used to push malicious updates as if they were official
Those are the cases where, yes, installing the app could put you at greater risk. Not because the developer is necessarily malicious, but because they shipped something where an attacker could hijack the update channel or tamper with data.
Because at the end of the day, you're deciding if this product is for you and if this money to spend is worth it. Also, consider who the developer is, whether you are willing to give it a shot, and if you believe you should do a quick review yourself.
If you need to think about it, here's what I suggest.
* Gatekeeper and notarization say “this probably isn’t obvious malware right now”, they do not say “this licensing, backend, and updater are robust”. Every app in this audit passed Apple’s checks, and every one was bypassable on the licensing side.
* Vibe‑coded apps (stitched together from docs/AI/snippets) tend to have the same security mistakes: trusting any JSON with `success: true`, keeping license state in UserDefaults or flat files, or misconfigured Supabase where users can edit their own license rows.
* A developer’s reaction to private reports is a strong signal. Some devs treated this as free security work, fixed things, and stayed professional. Others read the report, then ghosted or blocked me. If someone blocks you for reporting a bug, that is not the kind of person you want in charge of your update pipeline.
So if you’re about to buy a “lifetime” app from here and store anything sensitive in it (notes, API tokens, documents, whatever), it is worth taking a couple of minutes to see who built it, whether they have a real contact/security channel, and how they respond to issues.
# The app reviews?
Now, let's get to the fun and reviews. This is only a small snippet, and it will include the top two apps, scoring 10/10, and the bottom two apps, scoring 0/10. The entire write-up of all 32 apps is posted on my blog for you to read. You can quickly use cmd+f to search to see if your installed or favorite app was tested, how they responded, if it is fixed, and what the issue is or was.
**Top 2: best developer responses**
*Resurf* – rating 10/10
This is an Electron app. I found ways to bump it to Pro using both network‑level tricks and local state manipulation. The developer ( u/Hungry_Spite3574 ) responded in roughly 6 hours, asked good questions, and shipped a fix within a day. Communication was respectful and focused on understanding and resolving the problem, not arguing about it.
Email: [email protected]
Response time: about 6 hours
Fix: about 1 day
Code quality: some AI usage, but the dev clearly understands their own app and trade‑offs
*How To Convert* – rating 10/10
Here the core issue was a Supabase auth bug that allowed a licensing bypass. I reported it through GitHub’s security process. The developer ( u/jakecoolguy ) fixed it within roughly the same window and there was no drama: no defensiveness, no arguing, just “here’s the issue, here’s the fix”.
Response time: about 10 hours
Fix: about 10 hours
Code quality: clean and understandable
**Bottom 2: worst developer responses**
*Glyph* \- rating 0/10
Glyph uses Gumroad for licensing. The app trusts the JSON response from the Gumroad API directly. With a local HTTPS proxy you can change the response so it looks like a successful activation, and the app unlocks Pro.
I reported this by DM. The DM was ignored and I was then blocked. There was no attempt to engage with the report, no follow‑up questions, and no visible fix.
Response: blocked after report
Fix: none implemented or communicated
*Droppy* \- rating 0/10
Droppy’s backend itself is not the worst in the list, but the client still trusts JSON from the backend too much. A local proxy can flip `valid: false` to `true` and the app accepts it. That’s the technical part.
The interaction was the real problem. The developer was very positive at first, calling the report “awesome” and asking for a way to donate. I sent a Polar link. After that there were more than 9 days of silence despite clear activity elsewhere. When I followed up via email ([email protected]), the reply was defensive and described me as “demanding”.
From both a security‑process and user‑support perspective, this was the worst interaction in the entire run. If that is how security reports are handled, I would not recommend an app developed by this person.
Response: initially positive, then ghosted, then defensive
Fix: none
Code quality: entirely vibe coded
# What next?
Now that we see these apps, we're at a crossroads. What next? Well, I'll first give some recommendations to you, the user, and then to a developer who may have these issues or wish to look further at their app.
I always recommend that, no matter how much money or how little data it is, you first believe that the developer is telling the truth, is able to actually code (although this is a lot harder; check for common "vibe coding," i.e., emojis, bolded text, gradients, and other junk), how they respond, and whether it is honestly worth it. At the end of the day, I'm not here to tell you how you should spend your time or money; I can only give you tips and help you make an informed decision.
So, let's move on, shall we?
# Common failure patterns I kept seeing?
This is a TL;DR of what's posted in my blog:
* Trusting plain JSON from Gumroad / Lemon Squeezy / Polar or custom APIs and only checking simple flags like `success: true` or `activated: true`
* Storing critical license or trial data in UserDefaults or unprotected JSON/MessagePack files in Application Support
* Misconfigured Supabase row‑level security, allowing users to modify their own license rows or even release/update tables
* Treating a specific Keychain item’s existence as “Pro is on”, which can be faked with normal macOS tooling
Now, for those who are looking to develop or have an app that may have a flaw listed here, how can we fix it?
* Validate more than one “success” flag in JSON. Check product IDs, users, expiry, and signatures.
* Keep real license decisions on the server where possible; treat local data as a cache.
* Lock down Supabase RLS so users cannot modify license or release rows they shouldn’t touch.
* Sign or MAC cached license state on disk.
* Publish a clear way to report security issues, and respond like you actually want your app to survive.
Good examples of how to react include Resurf, How To Convert, LowTechGuys (Pipiri), InfiniDesk, Taphouse, Seam, and OS‑Engine. None of them were perfect; they just treated reports as a chance to improve, not as a personal attack.
# The end
If you wish to have your own app reviewed, you can see https://kamidevs.com/application-security. I aim to do free reviews for a developer's first app if they're a student or cannot afford one (see the 32 I just reviewed). For those who wish for a review but are unsure of pricing, discounts may apply.
I am free and open to any and all questions you might have, such as, can you give me tips on managing an app's security in Swift, or other questions, or what an app was like, expanded, i.e., you wish to know my thoughts on the app's UI/UX and security for any of the posted ones, or in general, how was your night? This post is, however, made at the time of posting, 23:50, so I will be going to bed, but you can expect a reply in 12 hours if this post wasn't mass reported or removed!
Now, this is the end of the post. It's just a small post on what is fully written in my blog; see that for:
* all 32 apps, names and links
* per‑app notes, ratings, and interaction summaries
* more detailed explanation of “vibe‑coded” apps
* concrete advice for better licensing and update security
Full writeup: [https://kamidevs.com/blog/macapps-audit](https://kamidevs.com/blog/macapps-audit)
# NOTICE
If you’re a developer whose app is on the list and you think I’ve been unfair, or you want a follow-up review, contact me privately; my details are at the end of the blog or in the messages/emails I've previously sent. If you wish for a proper conversation, please send me a message on Discord. I do not like Reddit chats as they lack functions I normally use.
https://redd.it/1ryvdei
@macappsbackup
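As an added example (not part of the original post, and not code from any app it reviews), here is the "trusts any JSON flag" pattern beside a check that authenticates a server-signed license envelope and then validates product, device binding, and expiry. The same check covers a copy cached on disk. The envelope layout, field names, `PRODUCT_ID`, and the demo Ed25519 key pair are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed demo key pair. In a real deployment the private key never leaves
// the licensing server; only the public key is embedded in the app.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const PRODUCT_ID = 'com.example.demo-app'; // hypothetical product identifier

// Server side (hypothetical): sign the exact bytes the client will verify.
function issueLicense(claims) {
  const payload = Buffer.from(JSON.stringify(claims), 'utf8');
  return {
    payload: payload.toString('base64'),
    signature: crypto.sign(null, payload, privateKey).toString('base64'),
  };
}

// The failure pattern: any JSON body carrying the right flag unlocks Pro.
function naiveCheck(body) {
  return JSON.parse(body).valid === true;
}

// Hardened check: authenticate the bytes first, then validate every claim.
// The same function re-verifies the envelope cached on disk at each launch.
function verifyLicense(envelope, deviceId, now = Date.now()) {
  let claims;
  try {
    const payload = Buffer.from(envelope.payload, 'base64');
    const signature = Buffer.from(envelope.signature, 'base64');
    if (!crypto.verify(null, payload, publicKey, signature)) {
      return { ok: false, reason: 'bad-signature' };
    }
    claims = JSON.parse(payload.toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (claims?.productId !== PRODUCT_ID) return { ok: false, reason: 'wrong-product' };
  if (claims.deviceId !== deviceId) return { ok: false, reason: 'wrong-device' };
  if (!(claims.expiresAt > now)) return { ok: false, reason: 'expired' };
  return { ok: true, reason: 'valid' };
}

// Constructed sample data: one genuine envelope plus altered or misused copies.
function demo() {
  const now = Date.UTC(2026, 2, 10);
  const claims = { productId: PRODUCT_ID, deviceId: 'mac-A', expiresAt: now + 86400000 };
  const genuine = issueLicense(claims);
  const edited = Buffer.from(JSON.stringify({ ...claims, deviceId: 'mac-B' })).toString('base64');
  return {
    naive: naiveCheck('{"valid": true}'),
    genuine: verifyLicense(genuine, 'mac-A', now).reason,
    editedPayload: verifyLicense({ ...genuine, payload: edited }, 'mac-B', now).reason,
    copiedToOtherMac: verifyLicense(genuine, 'mac-B', now).reason,
    stale: verifyLicense(genuine, 'mac-A', now + 2 * 86400000).reason,
    unsigned: verifyLicense({ valid: true }, 'mac-A', now).reason,
  };
}

console.log(demo());
```

Because the verifier holds only a public key, nothing stored on the user's machine can produce an envelope that passes, which is the property a shared-secret MAC kept inside the app cannot give.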
I got tired of tabbing out to random websites mid-coding, so I built this
https://redd.it/1ryvmc0
@macappsbackup