docs(quality): update all instruction/prompt/skill docs with 2026 learnings

- testing.instructions.md: 0-fatals gate row; Minimum>=90%/Prefer>=95% coverage;
  flaky test prevention (timestamp strip, CorporateGuard stub, ParseArgs nullable guard)
- cicd.instructions.md: canonical action versions table (v6/v5/v7);
  fix Standard CI pattern (per-project tests, paths-ignore, MSBUILDDISABLENODEREUSE,
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24, remove --no-build from test steps)
- csharp.instructions.md: add NOLINT/HACK/csharpier-ignore to fully enumerate
  all forbidden suppression/waiver patterns; add them to What NOT to Do
- fix-quality.prompt.md: add 0-fatals bullet; expand suppression list to all variants
- code-review.prompt.md: expand suppression checklist to all variants; add coverage >=95% pref
- write-tests.prompt.md: >=95% coverage preference; CorporateGuard.StubCorporate req;
  timestamp-stripping requirement for generated output comparisons
- debug-fix/SKILL.md: add CRLF/.runsettings XML error; GUI.Tests --no-build failure;
  PublishTrimmed IL2026 error; strengthen forbidden patterns to all waiver variants
- testing/SKILL.md: 0-fatals row; Preferred >=95% column; full suppression list;
  new Flaky Test Prevention section (timestamp strip, perf budget, CorporateGuard stub)

Author: RajwanYair

.github/instructions/cicd.instructions.md

@@ -42,6 +42,31 @@ to GitHub Releases as soon as the version is tagged.
 - Run on both push to main and pull_request
 - Windows-only project — run on `windows-latest`
 
+## Canonical Action Versions (verified 2026-04-07)
+
+> **Before adding or bumping any action, verify the version exists on the action's GitHub releases page.**
+> Pinning a non-existent version silently fails the CI step.
+
+| Action | Stable Version |
+|--------|---------------|
+| `actions/checkout` | `@v6` |
+| `actions/setup-dotnet` | `@v5` |
+| `actions/cache` | `@v5` |
+| `actions/upload-artifact` | `@v7` |
+| `codecov/codecov-action` | `@v6` |
+| `github/codeql-action/init` | `@v4` |
+| `github/codeql-action/analyze` | `@v4` |
+| `github/codeql-action/upload-sarif` | `@v4` |
+| `actions/dependency-review-action` | `@v4` |
+| `actions/labeler` | `@v6` |
+| `actions/github-script` | `@v8` |
+| `actions/stale` | `@v10` |
+
+```powershell
+# Verify a version exists before pinning:
+gh release list --repo actions/upload-artifact --limit 5
+```
+
 ## Standard .NET CI Workflow Pattern
 
 ```yaml
@@ -50,6 +75,12 @@ name: CI
 on:
     push:
         branches: [main]
+        paths-ignore:
+            - 'docs/**'
+            - '**.md'
+            - '**.svg'
+            - '**.txt'
+            - '.github/instructions/**'
     pull_request:
         branches: [main]
 
@@ -59,16 +90,19 @@ permissions:
 jobs:
     build-and-test:
         runs-on: windows-latest
+        env:
+            MSBUILDDISABLENODEREUSE: 1
+            FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@v6
 
-            - uses: actions/setup-dotnet@v4
+            - uses: actions/setup-dotnet@v5
               with:
                   dotnet-version: "10.0.x"
 
             - name: Cache NuGet
-              uses: actions/cache@v4
+              uses: actions/cache@v5
               with:
                   path: ~/.nuget/packages
                   key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
@@ -78,19 +112,26 @@ jobs:
               run: dotnet restore RegiLattice.sln
 
             - name: Build
-              run: dotnet build RegiLattice.sln -c Release --no-restore
+              run: dotnet build RegiLattice.sln -c Release --no-restore --verbosity minimal
+
+            # Run each project individually to avoid cross-assembly file-write races
+            - name: Test (Core)
+              run: dotnet test tests/RegiLattice.Core.Tests/RegiLattice.Core.Tests.csproj -c Release --no-restore --settings tests/.runsettings --blame-hang-timeout 60s --collect:"XPlat Code Coverage" --logger "console;verbosity=normal"
+
+            - name: Test (CLI)
+              run: dotnet test tests/RegiLattice.CLI.Tests/RegiLattice.CLI.Tests.csproj -c Release --no-restore --settings tests/.runsettings --blame-hang-timeout 60s --logger "console;verbosity=normal"
 
-            - name: Test with coverage
-              run: dotnet test RegiLattice.sln -c Release --no-build --collect:"XPlat Code Coverage" --logger "console;verbosity=normal"
+            - name: Test (GUI)
+              run: dotnet test tests/RegiLattice.GUI.Tests/RegiLattice.GUI.Tests.csproj -c Release --no-restore --settings tests/.runsettings --blame-hang-timeout 60s --logger "console;verbosity=normal"
 
             - name: Upload coverage artifact
-              uses: actions/upload-artifact@v4
+              uses: actions/upload-artifact@v7
               with:
                   name: coverage-report
                   path: "**/coverage.cobertura.xml"
 
             - name: Upload coverage to Codecov
-              uses: codecov/codecov-action@v5
+              uses: codecov/codecov-action@v6
               with:
                   token: ${{ secrets.CODECOV_TOKEN }}
                   files: "**/coverage.cobertura.xml"
@@ -100,11 +141,14 @@ jobs:
         needs: build-and-test
         if: github.ref == 'refs/heads/main' && github.event_name == 'push'
         runs-on: windows-latest
+        env:
+            MSBUILDDISABLENODEREUSE: 1
+            FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@v6
 
-            - uses: actions/setup-dotnet@v4
+            - uses: actions/setup-dotnet@v5
               with:
                   dotnet-version: "10.0.x"
 
@@ -115,7 +159,7 @@ jobs:
                   -p:PublishSingleFile=true -p:IncludeNativeLibrariesForSelfExtract=true
 
             - name: Upload artifact
-              uses: actions/upload-artifact@v4
+              uses: actions/upload-artifact@v7
               with:
                   name: RegiLattice-win-x64
                   path: src/RegiLattice.GUI/bin/Release/net10.0-windows/win-x64/publish/
@@ -204,13 +248,17 @@ Use: `gh issue close <N> --repo RajwanYair/RegiLattice --comment "CI now green a
 ## CI Best Practices
 
 - **NuGet cache**: key on `.csproj` hash to invalidate on dependency changes
-- **Build once, test from build**: use `--no-build` in test step after `dotnet build`
+- **Build once, test without `--no-build`**: omit `--no-build` to let each test step do a fast incremental build — safer than relying on a prior Build step to produce all DLLs, especially for GUI.Tests which requires Windows SDK runtime packs
 - **Per-project test runs — MANDATORY**: NEVER use `dotnet test RegiLattice.sln`. Always run each
   test project individually (Core → CLI → GUI). `dotnet test RegiLattice.sln` spawns Core.Tests and
   GUI.Tests concurrently as separate processes, both writing to the same `compliance-history.json`
   file, causing non-deterministic failures. See `tests/.runsettings` MaxCpuCount note.
-- **Codecov**: use `codecov-action@v5`; set `fail_ci_if_error: false`
+- **`MSBUILDDISABLENODEREUSE: 1`**: Set at job level in every CI job — prevents MSBuild worker nodes from holding file locks across builds on the OneDrive-hosted workspace (MSB3492)
+- **`FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true`**: Set at job level — ensures JS-based actions (checkout, cache, codecov) run on Node 24 without deprecation warnings
+- **`paths-ignore` for docs-only changes**: Add to `on.push` to avoid a full build/test run when only `.md`, `.svg`, `.txt`, or instruction files changed
+- **Codecov**: use `codecov-action@v6`; set `fail_ci_if_error: false`
 - **Windows-only**: no matrix needed — single `windows-latest` runner
 - **Self-contained publish**: `-r win-x64 --self-contained true -p:PublishSingleFile=true`
-- **Stryker mutation testing**: runs from `src/RegiLattice.Core/` directory with `STRYKER_BUILD=1`; explicit `<TargetFramework>` required in Core and Core.Tests .csproj files for Buildalyzer compatibility
+- **Stryker mutation testing**: runs from `src/RegiLattice.Core/` directory with `STRYKER_BUILD=1`; explicit `<TargetFramework>` required in Core and Core.Tests .csproj files for Buildalyzer compatibility; move to **weekly schedule** (cron) to avoid adding ~15 min per push
 - **`dotnet build` verbosity**: NEVER use `-q`/`--verbosity quiet` — causes question-build aborts; use no flag or `--verbosity minimal`
+- **Action version verification**: verify every action version exists before committing — a non-existent tag silently fails the step

.github/instructions/csharp.instructions.md

@@ -37,6 +37,17 @@ When the compiler or analyzer emits a diagnostic, **fix the root cause**. The fo
 // NOSONAR
 // NCA
 // ReSharper disable ...
+// NOLINT
+// HACK: (used to sidestep a quality check)
+```
+
+**Inline quality gate waivers are also forbidden** — they are indistinguishable from suppressions:
+
+```csharp
+// ❌ FORBIDDEN — lint ignore / bypass comments
+// csharpier-ignore
+// dotnet-stryker-exclude
+// coverage: ignore
 ```
 
 **Resolution patterns** (fix instead of suppress):
@@ -266,6 +277,8 @@ public async Task<string> ExportJsonAsync(string path)
 - Don't catch `Exception` without re-throwing or explicit justification
 - Don't use `#pragma warning disable` — fix the root cause instead
 - Don't use `[SuppressMessage(...)]` — fix the root cause instead
+- Don't use `// NOSONAR`, `// NCA`, `// ReSharper disable`, `// NOLINT`, or any inline suppression/waiver pattern
 - Don't leave `TODO` or `FIXME` comments — complete the work or open a GitHub Issue
 - Don't use `null!` to suppress CS8618 — use `required` + `init` or assign a real default
 - Don't use `!` (null-forgiving) unless the value is provably non-null at that point
+- Don't skip tests with `[Fact(Skip=...)]` or `[Theory(Skip=...)]` — fix the test or the code it tests

.github/instructions/testing.instructions.md

@@ -189,19 +189,20 @@ reportgenerator -reports:"**/coverage.cobertura.xml" -targetdir:"htmlcov" -repor
 
 ### Coverage Targets
 
-> **Target: ≥90% line coverage on all testable components. Prefer higher. Branch coverage at 60%+.**
-> Any PR that drops line coverage below 90% on `RegiLattice.Core.Tests` must be accompanied by a
-> documented justification. Coverage regressions from the baseline are treated as build failures.
-
-| Component          | Target    | Notes                                                        |
-| ------------------ | --------- | ------------------------------------------------------------ |
-| TweakDef model     | **100%**  | Pure logic, fully testable with declarative assertions       |
-| TweakEngine        | **90%+**  | Core business logic — all public API paths must be tested   |
-| RegistrySession    | **85%+**  | DryRun mode enables safe testing of all write/read paths     |
-| Services           | **90%+**  | All services with deterministic logic must have full tests   |
-| GUI (Theme)        | **90%+**  | Theme records are pure data with no external dependencies    |
-| GUI (Forms)        | **60%+**  | WinForms UI event handling is hard to unit test              |
-| **Overall (Core)** | **≥90%** | **Line coverage gate enforced in CI via Codecov threshold**  |
+> **Minimum: ≥90% line coverage (enforced gate). Preferred: ≥95% where achievable. Branch coverage ≥60%.**
+> Any PR that drops line coverage below 90% on `RegiLattice.Core.Tests` is blocked.
+> Coverage regressions from the baseline are treated as build failures and must not be merged.
+> Strive for 95%+ on all new code — 90% is the floor, not the goal.
+
+| Component          | Minimum   | Preferred | Notes                                                        |
+| ------------------ | --------- | --------- | ------------------------------------------------------------ |
+| TweakDef model     | **100%**  | **100%**  | Pure logic, fully testable with declarative assertions       |
+| TweakEngine        | **90%+**  | **95%+**  | Core business logic — all public API paths must be tested   |
+| RegistrySession    | **85%+**  | **92%+**  | DryRun mode enables safe testing of all write/read paths     |
+| Services           | **90%+**  | **95%+**  | All services with deterministic logic must have full tests   |
+| GUI (Theme)        | **90%+**  | **95%+**  | Theme records are pure data with no external dependencies    |
+| GUI (Forms)        | **60%+**  | **75%+**  | WinForms UI event handling is hard to unit test              |
+| **Overall (Core)** | **≥90%**  | **≥95%**  | **Line coverage gate enforced in CI via Codecov threshold**  |
 
 ### Coverage by TweakKind
 
@@ -231,15 +232,18 @@ These components require external tools, network, or system state that cannot be
 
 Every test run and every CI build must meet these conditions before merging:
 
-| Gate                   | Requirement                                                          |
-| ---------------------- | -------------------------------------------------------------------- |
-| Build warnings         | **0** — `TreatWarningsAsErrors=true`; any warning blocks CI            |
-| Build errors           | **0** — hard fail                                                     |
-| Test failures          | **0** — all 3,230+ tests must pass                                    |
-| Skipped tests          | **0** — `[Fact(Skip=...)]` and `[Theory(Skip=...)]` are forbidden       |
-| Inline suppressions    | **0** — `#pragma warning disable` / `[SuppressMessage]` are forbidden  |
-| TODO / FIXME in tests  | **0** — open a GitHub Issue instead                                   |
-| Line coverage (Core)   | **≥90%** — Codecov enforced; PR dropped below gate = block           |
+| Gate                   | Requirement                                                                           |
+| ---------------------- | ------------------------------------------------------------------------------------- |
+| Build fatals           | **0** — hard CI fail                                                                  |
+| Build errors           | **0** — hard CI fail                                                                  |
+| Build warnings         | **0** — `TreatWarningsAsErrors=true`; any warning blocks CI                           |
+| Test failures          | **0** — all 3,230+ tests must pass                                                    |
+| Skipped tests          | **0** — `[Fact(Skip=...)]` and `[Theory(Skip=...)]` are forbidden                    |
+| Inline suppressions    | **0** — `#pragma warning disable`, `[SuppressMessage]`, `// NOSONAR`, `// NCA`,      |
+|                        |           `// ReSharper disable`, `// NOLINT` — all forbidden; fix root cause instead |
+| TODO / FIXME in tests  | **0** — deferred work belongs in a GitHub Issue, not inline comments                  |
+| Waivers / lint ignores | **0** — no inline quality gate bypasses of any kind                                   |
+| Line coverage (Core)   | **≥90%** minimum (gate enforced) — **≥95% preferred**                                |
 
 ```powershell
 # Verify the full quality gate locally before every commit:
@@ -249,6 +253,62 @@ dotnet test tests/RegiLattice.CLI.Tests/RegiLattice.CLI.Tests.csproj  --settings
 dotnet test tests/RegiLattice.GUI.Tests/RegiLattice.GUI.Tests.csproj  --settings tests/.runsettings --blame-hang-timeout 60s
 ```
 
+## Flaky Test Prevention
+
+### Strip timestamps before comparing generated output
+
+Any method that embeds `DateTime.Now` internally can straddle a clock second when called twice:
+
+```csharp
+// ❌ BAD — can fail at second boundaries (non-deterministic)
+Assert.Equal(gen.Build(map), File.ReadAllText(path));
+
+// ✅ GOOD — strip timestamps before comparing
+static string StripTimestamp(string s) =>
+    System.Text.RegularExpressions.Regex.Replace(
+        s, @"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}", "TIMESTAMP");
+Assert.Equal(StripTimestamp(gen.Build(map)), StripTimestamp(File.ReadAllText(path)));
+```
+
+### Performance budget comments are mandatory
+
+```csharp
+// ✅ GOOD — document the budget with context so future changes are deliberate
+// Budget: 150ms — search over 7,000+ tweaks with synonym expansion; ~60ms on dev machine.
+// Raise threshold if tweak count exceeds 10,000.
+Assert.True(sw.ElapsedMilliseconds < 150, $"Search took {sw.ElapsedMilliseconds}ms (budget: 150ms)");
+```
+
+### CorporateGuard isolation in test fixtures
+
+Any test that touches code paths reaching `CorporateGuard` **must** stub it to avoid Intune/SCCM
+registry read latency on corporate machines:
+
+```csharp
+public sealed class MyTestFixture : IDisposable
+{
+    public MyTestFixture() => CorporateGuard.StubCorporate = false;
+    public void Dispose() => CorporateGuard.StubCorporate = null;
+}
+```
+
+### `ParseArgs()` nullable guard — always `Assert.NotNull` first
+
+`Program.ParseArgs()` returns `CliArgs?`. Accessing any property without a null guard emits CS8602:
+
+```csharp
+// ❌ BAD — CS8602: dereference of possibly null reference
+var a = ParseArgs(new[] { "--list" });
+Assert.True(a.ShowList);
+
+// ✅ GOOD — Assert.NotNull satisfies nullable flow analysis
+var a = ParseArgs(new[] { "--list" });
+Assert.NotNull(a);
+Assert.True(a.ShowList);
+```
+
+---
+
 ## What NOT to Do in Tests
 
 - Don't test implementation details — test behaviour
@@ -259,6 +319,9 @@ dotnet test tests/RegiLattice.GUI.Tests/RegiLattice.GUI.Tests.csproj  --settings
 - Don't create real registry keys in tests — use `DryRun = true` on RegistrySession
 - Don't create actual WinForms windows in CI — test data models and logic only
 - Don't use `Assert.True(condition)` when a specific assertion exists (e.g., `Assert.Equal`, `Assert.Contains`)
-- Don't use `[Fact(Skip=...)]` or `[Theory(Skip=...)]` — fix the test or the code it tests; skips are forbidden
-- Don't use `#pragma warning disable` in test code — all warnings must be fixed
+- Don't use `[Fact(Skip=...)]` or `[Theory(Skip=...)]` — fix the test or the code it tests; skips are **forbidden**
+- Don't use `#pragma warning disable`, `[SuppressMessage]`, `// NOSONAR`, or any inline suppression — fix root cause
 - Don't use inline assertion workarounds (`Assert.Equal(expected, actual)` inverted) to hide test logic errors
+- Don't use waivers or lint-ignore comments — there are no circumstances where these are acceptable in tests
+- Don't use `DateTime.Now` in two separate calls when comparing generated output — strip timestamps instead
+- Don't hardcode wall-clock performance budgets without a comment stating the tweak count at time of writing

.github/prompts/code-review.prompt.md

@@ -17,10 +17,11 @@ Selection: `${selection}`
 ### Build Quality Gate
 
 - [ ] Build produces **0 fatals, 0 errors, 0 warnings** (`TreatWarningsAsErrors=true`)
-- [ ] No `#pragma warning disable` / `[SuppressMessage]` / `// NOSONAR` suppressions
+- [ ] No `#pragma warning disable` / `[SuppressMessage]` / `// NOSONAR` / `// NCA` / `// ReSharper disable` / `// NOLINT` suppressions
+- [ ] No inline quality gate waivers (`// csharpier-ignore`, `// coverage: ignore`, `// HACK:` to bypass checks)
 - [ ] No `TODO` or `FIXME` comments (open GitHub Issues instead)
 - [ ] No `[Fact(Skip=...)]` or `[Theory(Skip=...)]` in tests
-- [ ] Core test coverage ≥90% for new/changed code
+- [ ] Core test coverage ≥90% for new/changed code (prefer ≥95%)
 
 ### Security (OWASP Top 10)
 

.github/prompts/fix-quality.prompt.md

@@ -9,9 +9,13 @@ Fix all quality issues in: `${file}`
 
 ## Quality Gate (MUST achieve before done)
 
+- **0 build fatals** — no fatal MSBuild or compiler errors
 - **0 build warnings** — `TreatWarningsAsErrors=true` is global; every warning is a build error
 - **0 build errors**
-- **No suppressions allowed** — `#pragma warning disable`, `[SuppressMessage]`, `// NOSONAR` are **FORBIDDEN** — fix the root cause instead
+- **No suppressions or waivers allowed** — the following are **FORBIDDEN** — fix the root cause instead:
+  - `#pragma warning disable` / `[SuppressMessage]` / `// NOSONAR` / `// NCA`
+  - `// ReSharper disable` / `// NOLINT` / `// csharpier-ignore` / `// coverage: ignore`
+  - `// HACK:` (when used to bypass a quality check)
 - **No TODO / FIXME comments** — open a GitHub Issue instead; note it in the commit footer
 
 ## What to Fix