Why Noxen ships via Developer ID, not the Mac App Store
The question I get every time I mention Noxen to another Mac dev: "MAS, right?" And the answer is no — or at least, not at launch. This is the reasoning.
Reason 1 — App Review risk on "vulnerability scanner"
Apple's App Review Guidelines explicitly name-check anti-malware-style marketing (4.5.6). The macOS "vulnerability scanner" category isn't named, but it's adjacent, and Fing only gets on the store by calling itself network discovery.
During Phase 0, Noxen ran an App Store Connect dry-run — push a real draft listing with "vulnerability scanner" in the keywords, submit nothing, watch what ASC automated flags. Interestingly: nothing was flagged at the automated layer. But the automated layer isn't the concern. App Review is performed by humans, it's much less predictable, and a rejection two weeks into launch is expensive.
If Noxen ever does go to MAS it'll likely need to rebrand ("Homelab Auditor" or similar) to match Fing's hedging. That's a v2+ discussion, not a v1 launch decision.
Reason 2 — Sandbox is fine, App Review is the risk
Noxen's scan pipeline is genuinely sandbox-compatible:
- Network client over SSH / TCP / TLS — com.apple.security.network.client.
- ~/.ssh/config via NSOpenPanel + user-selected file access.
- Scheduled scans via SMAppService instead of dropping a raw LaunchAgent plist.
- Local-network port scan needs the Local Network entitlement on macOS 15+. Normal.
- Keychain, CloudKit, SwiftData, PDFKit, Network.framework — all fine.
So the technical path to MAS exists. Pareto Security famously can't ship on MAS because their checks need system state outside the sandbox. Noxen is the opposite: it lives entirely within the sandbox because it talks to remote boxes, not the local one.
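The list above is the whole sandbox surface Noxen needs, so it is worth seeing it as an entitlements file: each capability is an explicit opt-in and everything else stays denied. This is an added illustration, not Noxen's real entitlements file; the CloudKit container identifier is a placeholder, and the use of an app-scoped bookmark to remember the chosen ~/.ssh/config is an assumption about how the NSOpenPanel selection is persisted.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Sandbox on. Every capability below is an explicit opt-in; anything not listed is denied. -->
    <key>com.apple.security.app-sandbox</key>
    <true/>

    <!-- Outbound only: SSH / TCP / TLS to the remote boxes being audited.
         com.apple.security.network.server is deliberately absent: the scanner never listens. -->
    <key>com.apple.security.network.client</key>
    <true/>

    <!-- ~/.ssh/config is read only after the user picks it in NSOpenPanel.
         Read-only is enough; the app never rewrites the user's SSH config. -->
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <!-- Assumption: the chosen path is kept as a security-scoped bookmark so the
         user is not asked to re-select the file on every launch. -->
    <key>com.apple.security.files.bookmarks.app-scope</key>
    <true/>

    <!-- CloudKit sync. The container identifier is a placeholder, not Noxen's real one. -->
    <key>com.apple.developer.icloud-services</key>
    <array>
        <string>CloudKit</string>
    </array>
    <key>com.apple.developer.icloud-container-identifiers</key>
    <array>
        <string>iCloud.example.noxen.PLACEHOLDER</string>
    </array>

    <!-- Not needed and therefore not requested:
         - com.apple.security.files.downloads.read-write or other home-relative paths
         - com.apple.security.device.camera, .audio-input, .usb
         - com.apple.security.temporary-exception.* (these also draw App Review attention)
         Keychain, SwiftData and PDFKit work inside the sandbox without extra keys.
         The macOS 15 local-network prompt is driven by NSLocalNetworkUsageDescription in
         Info.plist, and SMAppService registers the bundled scheduler agent without writing
         a raw LaunchAgent plist into ~/Library/LaunchAgents, so neither needs a key here. -->
</dict>
</plist>
```

The useful check is the negative space: no server socket, no broad file access, no temporary exceptions. A Developer ID build does not have to enable the sandbox at all, but keeping this file as-is means the MAS path stays open and a bug in the scan pipeline cannot reach more of the local machine than the list above allows.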
Reason 3 — Sparkle is better than MAS auto-update for a security tool
Here's the case I care about: a critical CVE in the CPE normaliser or the matcher itself. I want to ship a fix in hours. MAS needs at minimum several days: submit → review → release. Sparkle ships in ten minutes after we run fastlane release.
For a tool whose job is helping people close security windows quickly, the update channel shouldn't itself be the delay.
Reason 4 — Economics
Apple takes 30% of everything, dropping to 15% under the Small Business Program (under $1M/year). Lemon Squeezy + Stripe take a bit over 5%. For a one-time $79 product, that's the difference between $59 and $74 per sale — a 25% revenue uplift on the direct channel, which materially changes whether the project supports its development budget.
Also: direct sales mean actual customer emails, which means I can email customers about security patches when they matter. MAS doesn't expose buyer emails by design.
Reason 5 — Lemon Squeezy handles EU / UK VAT for us
This is underrated as a reason. Noxen is built in South Africa. If I sold into the EU, UK, and US directly, we'd need a merchant of record, or we'd need to register for VAT in multiple jurisdictions. Lemon Squeezy (MoR) absorbs that complexity for the same 5% fee. That's a better deal than Apple's 30%, even ignoring the App Review risk.
What Developer ID direct actually requires
- Apple Developer Program membership ($99/year). Already have.
- Developer ID certificate — free once you're in the program.
- Notarisation — free Apple service that inspects each release binary for malware.
- Sparkle — free open-source auto-updater; Ed25519 private key lives in your login Keychain.
- Lemon Squeezy store — setup in 15 minutes; 5.5% + 50¢ per transaction.
Fastlane orchestrates all five into a single release lane.
When MAS might make sense
Year 2 or 3, once Noxen has a stable buyer base through direct channel:
- Setapp inclusion — passive audience, $200–800/mo baseline.
- MAS with a "Homelab Auditor" rebrand — if the A/B test says it's worth it.
- Volume purchasing for teams — requires ASC anyway.
But at v1.0, with a single developer and limited review-queue patience, Developer ID direct is the obvious choice. It just doesn't look obvious if you've only ever shipped apps to MAS.