RajwanYair
diff --git a/‎.github/ISSUE_TEMPLATE/new_tweak.md‎
Lines changed: 21 additions & 14 deletions b/‎.github/ISSUE_TEMPLATE/new_tweak.md‎
Lines changed: 21 additions & 14 deletions
diff --git a/‎.github/ISSUE_TEMPLATE/performance_issue.md‎
Lines changed: 21 additions & 12 deletions b/‎.github/ISSUE_TEMPLATE/performance_issue.md‎
Lines changed: 21 additions & 12 deletions
diff --git a/‎.github/workflows/powershell.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/powershell.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎SECURITY.md‎
Lines changed: 111 additions & 0 deletions b/‎SECURITY.md‎
Lines changed: 111 additions & 0 deletions
diff --git a/‎docs/COVERAGE.md‎
Lines changed: 127 additions & 0 deletions b/‎docs/COVERAGE.md‎
Lines changed: 127 additions & 0 deletions
@@ -8,50 +8,57 @@ assignees: ''
 
 ## Tweak Details
 
-- **ID (kebab-case):** `example-disable-feature`
+- **ID (kebab-case):** `category-disable-feature`  (prefix must match a slug in `copilot-instructions.md`)
 - **Label:** Disable Feature
-- **Category:** (existing category or new one)
-- **Needs admin:** Yes / No
-- **Corp safe:** Yes / No
+- **Category:** (must be one of the 69 existing categories, or propose a new one)
+- **Needs admin:** Yes / No  (HKLM = Yes, HKCU-only = No)
+- **Corp safe:** Yes / No  (HKCU-only and non-policy = Yes)
+- **Min build:** 0 (or specific Windows build, e.g. 22000 for Windows 11)
+- **Source URL:** <https://learn.microsoft.com/>...  (KB article or doc reference)
 
 ## Registry Keys
 
 ```
 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\...
-  ValueName (REG_DWORD) = 1
+  ValueName (REG_DWORD) = 1    # applied state
+  (absent or 0)                # default / removed state
 ```
 
 ## What It Does
 
 Description of what the tweak changes and why a user would want it.
+Include `Default: 0. Recommended: 1.` in the description field.
 
 ## Apply Logic
 
 ```python
-SESSION.set_dword(r"HKLM\SOFTWARE\Policies\...", "ValueName", 1)
+SESSION.set_dword(r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\...", "ValueName", 1)
 ```
 
 ## Remove Logic (revert to default)
 
 ```python
-SESSION.delete_value(r"HKLM\SOFTWARE\Policies\...", "ValueName")
+SESSION.delete_value(r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\...", "ValueName")
 ```
 
 ## Detect Logic
 
 ```python
-SESSION.read_dword(r"HKLM\SOFTWARE\Policies\...", "ValueName") == 1
+SESSION.read_dword(r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\...", "ValueName") == 1
 ```
 
 ## References
 
 - Microsoft docs link
-- Related Group Policy setting
-- Windows version requirements (10/11, specific builds)
+- Related Group Policy Object (GPO) setting name
+- Windows version and build requirements
 
 ## Checklist
 
-- [ ] I've verified the registry path exists on a fresh Windows install
-- [ ] I've tested apply + remove manually via `reg add` / `reg delete`
-- [ ] The tweak is reversible (remove restores the default state)
-- [ ] The ID doesn't conflict with existing tweaks (`python -m regilattice --list`)
+- [ ] Registry path verified on a clean Windows install
+- [ ] Tested apply + remove manually (`reg add` / `reg delete` or `regedit`)
+- [ ] Tweak is reversible — remove restores exact default state
+- [ ] ID is globally unique: `python -m regilattice --list` shows no conflicts
+- [ ] Smoke test passes: `python -m pytest tests/test_tweaks_smoke.py -x --tb=short`
+- [ ] Lint passes: `python -m ruff check regilattice/ tests/`
+- [ ] Validate passes: `python -m regilattice --validate`
@@ -1,6 +1,6 @@
 ---
 name: Performance Issue
-about: Report a performance problem (slow execution, high memory, etc.)
+about: Report a performance problem (slow startup, slow detection, high memory, etc.)
 title: "[Perf] "
 labels: performance
 assignees: ''
@@ -10,36 +10,45 @@ assignees: ''
 
 Brief description of the performance issue.
 
-## Project / Component
+## Component
 
-Which project and operation is slow? (e.g., `Scripts.DupDetector / file scan`)
+Which operation is slow? (e.g., `all_tweaks()` load, `status_map()` detection, GUI startup, `--list`)
 
 ## Observed Performance
 
-- **Operation:** (e.g., scanning 10,000 files)
-- **Time taken:** (e.g., 45 seconds)
-- **Expected time:** (e.g., ~5 seconds)
-- **Memory used:** (e.g., 2 GB peak)
+- **Operation:** (e.g., `status_map()` over 1 292 tweaks)
+- **Time taken:** (e.g., 12 seconds)
+- **Expected time:** (e.g., ~2 seconds)
+- **Memory used:** (e.g., 150 MB peak)
 
 ## Profiling Data
 
 <details>
 <summary>Profile output (optional)</summary>
 
 ```
-Paste cProfile / line_profiler / memory_profiler output here
+# Run: python -m cProfile -s cumtime -m regilattice --list
+Paste cProfile / line_profiler output here
 ```
 
 </details>
 
+## Benchmark Result
+
+```powershell
+# Run: python -m pytest tests/test_benchmarks.py -v
+Paste benchmark output here
+```
+
 ## Environment
 
-- **OS:** (e.g., Windows 11 / Ubuntu 24.04)
+- **OS:** Windows 11 (build ...)
 - **CPU:** (e.g., Intel Core i7-12700K)
 - **RAM:** (e.g., 32 GB)
-- **Storage:** (e.g., NVMe SSD / HDD)
-- **Python:** (e.g., 3.12.3)
+- **Python:** (`python -m regilattice --version` / `python --version`)
+- **RegiLattice:** (version from `--version`)
+- **Tweaks loaded:** (number from `--stats`)
 
 ## Additional Context
 
-Dataset size, file types, specific flags used, etc.
+Any relevant flags used, specific category or tweak subset, etc.
@@ -11,11 +11,11 @@ name: PSScriptAnalyzer
 
 on:
   push:
-    branches: [ "main" ]
+    branches: ["main"]
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
   schedule:
-    - cron: '43 13 * * 5'
+    - cron: "43 13 * * 5"
 
 permissions:
   contents: read
 
@@ -0,0 +1,111 @@
+# Security Policy
+
+This document describes the security policy for **RegiLattice** and how to
+report security vulnerabilities responsibly.
+
+---
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| 1.0.x (latest) | ✅ Active security fixes |
+| < 1.0 | ❌ No longer supported |
+
+---
+
+## Reporting a Vulnerability
+
+**Do NOT create a public GitHub issue for security vulnerabilities.**
+
+To report a security concern:
+
+1. Open a [GitHub Security Advisory](https://github.com/RajwanYair/RegiLattice/security/advisories/new) (preferred — private disclosure).
+2. Alternatively, email the maintainer with the subject line `[SECURITY] RegiLattice - <short description>`.
+
+Please include:
+
+- A clear description of the vulnerability
+- Steps to reproduce the issue
+- The potential impact and affected versions
+- Any suggested remediation or patches
+
+You will receive an acknowledgement within **72 hours** and a full response
+within **7 days**.
+
+---
+
+## Security Model
+
+RegiLattice modifies the Windows registry. This carries inherent risk:
+
+| Risk | Mitigation |
+|------|-----------|
+| Irreversible registry changes | `RegistrySession.backup()` called before every write |
+| Privilege escalation | UAC prompt shown before any HKLM write; `assert_admin()` gate |
+| Corporate policy violations | `corpguard.py` detects domain/AAD/VPN/GPO/Intune; `corp_safe` flag per tweak |
+| Plugin code execution | Plugins loaded from `~/.regilattice/plugins/` only; path escapes rejected |
+| Supply-chain injection | Zero runtime dependencies; stdlib only |
+
+---
+
+## Secure Coding Practices
+
+All contributors are expected to follow these practices:
+
+### No Hardcoded Credentials
+
+Never commit passwords, API keys, tokens, or proxy credentials. Use environment
+variables or the system keyring.
+
+### No Hardcoded Paths
+
+Use `Path(__file__).parent.resolve()` or `Path.home()` for all paths.
+Never hardcode `C:\Users\...`.
+
+### Input Validation
+
+Validate all user-supplied tweak IDs, registry paths, and file paths at
+the entry points (`cli.py`, `gui.py`). Reject inputs with `..` path
+traversal sequences.
+
+### Parameterised Commands
+
+Never concatenate user input into shell command strings. All `subprocess`
+calls use list arguments, not `shell=True`.
+
+### Least Privilege
+
+- Request admin (UAC) only when performing HKLM writes.
+- `corp_safe=True` tweaks touch only `HKCU` — no admin required.
+- Never request `SeDebugPrivilege` or `SeTcbPrivilege`.
+
+### No Secrets in Version Control
+
+`.env` files, `.regilattice.toml` with credentials, and all `*.key` / `*.pem`
+files are listed in `.gitignore`.
+
+---
+
+## OWASP Compliance Checklist
+
+| OWASP Category | Status |
+|---|---|
+| Broken Access Control | ✅ `assert_admin()` + `corp_guard()` gates |
+| Cryptographic Failures | ✅ No encryption used; no secrets stored |
+| Injection (command) | ✅ All subprocess calls use list args |
+| Injection (path traversal) | ✅ Plugin paths validated; no `..` allowed |
+| Insecure Design | ✅ Backup-before-write, dry-run mode |
+| Security Misconfiguration | ✅ No external services; no default credentials |
+| Vulnerable Components | ✅ Zero runtime deps; Dependabot enabled |
+| Authentication Failures | N/A — local desktop tool, no auth |
+| Software Integrity Failures | ✅ Hatchling build; pinned CI actions |
+| Security Logging | ✅ `RegistrySession.log()` records all writes |
+| SSRF | N/A — no outbound HTTP at runtime |
+
+---
+
+## Changelog
+
+Security-relevant changes are documented in [CHANGELOG.md](CHANGELOG.md)
+and tagged with `[security]`.
@@ -0,0 +1,127 @@
+# RegiLattice — Coverage Report
+
+> Per-module test coverage baseline. Last measured: 2026-03-08 · v1.0.1
+> Command: `python -m pytest tests/ --cov=regilattice --cov-report=term-missing`
+
+---
+
+## Summary
+
+| Scope | Coverage |
+|---|---|
+| **Core modules (non-tweak)** | ~81 % average |
+| **Tweak modules (apply/remove/detect fns)** | ~49 % average (intentionally limited — registry calls are not exercised in CI) |
+| **Overall total** | ~51 % |
+
+The low overall percentage is dominated by the 69 tweak category modules, where
+the `_apply_*` / `_remove_*` / `_detect_*` functions touch real registry keys
+and are intentionally **not** invoked in automated tests. All tweak signatures,
+IDs, and `detect_fn` callability are verified via `test_tweaks_smoke.py`.
+
+---
+
+## Core Module Coverage
+
+| Module | Statements | Missed | Coverage | Notes |
+|---|---|---|---|---|
+| `__init__.py` | 5 | 0 | **100 %** | ✅ |
+| `analytics.py` | 61 | 0 | **100 %** | ✅ |
+| `config.py` | 50 | 5 | **90 %** | tomllib fallback path (Python < 3.11) |
+| `corpguard.py` | 252 | 62 | **75 %** | VPN / SCCM detection paths |
+| `deps.py` | 73 | 0 | **100 %** | ✅ |
+| `elevation.py` | 44 | 2 | **95 %** | Non-Windows uid path |
+| `gui.py` | 1096 | 955 | **13 %** | 🔴 Highest priority — needs GUI test harness |
+| `gui_dialogs.py` | 171 | 76 | **56 %** | Dialog show/interact paths |
+| `gui_theme.py` | 97 | 2 | **98 %** | ✅ |
+| `gui_tooltip.py` | 97 | 25 | **74 %** | `Tooltip.show()` visual paths |
+| `gui_widgets.py` | 241 | 138 | **43 %** | 🔴 Widget event handlers |
+| `hwinfo.py` | 280 | 5 | **98 %** | ✅ |
+| `locale.py` | 28 | 0 | **100 %** | ✅ |
+| `marketplace.py` | 75 | 4 | **95 %** | ✅ |
+| `menu.py` | 166 | 11 | **93 %** | ✅ |
+| `ratings.py` | 60 | 2 | **97 %** | ✅ |
+| `registry.py` | 361 | 56 | **84 %** | Backup dir / edge cases |
+| `cli.py` | 572 | 77 | **87 %** | `--gui`, export edge cases |
+| `tweaks/__init__.py` | ~800 | ~80 | **~90 %** | ✅ Core engine well-covered |
+
+---
+
+## Tweak Module Coverage (average ~49 %)
+
+The low coverage in tweak modules is **by design**:
+
+- `_apply_*` and `_remove_*` functions call `winreg.SetValueEx` / `winreg.DeleteValue`,
+  which require a real Windows registry and admin rights.
+- These are tested in integration tests on a CI runner with registry access.
+- `detect_fn` callability is validated in `test_tweaks_smoke.py`.
+
+| Module | Coverage | Notes |
+|---|---|---|
+| `tweaks/accessibility.py` | ~51 % | Apply/remove paths uncovered |
+| `tweaks/explorer.py` | ~42 % | Largest module (504 stmts) |
+| `tweaks/shell.py` | ~35 % | Complex multi-step tweaks |
+| `tweaks/win11.py` | ~43 % | Large module (376 stmts) |
+| `tweaks/wsl.py` | ~44 % | WSL integration paths |
+| *(all others)* | 40–63 % | Pattern consistent across categories |
+
+---
+
+## Coverage Targets
+
+| Target | Current | Goal | Priority |
+|---|---|---|---|
+| `gui.py` | 13 % | ≥ 80 % | 🔴 P1 (Sprint 4) |
+| `gui_widgets.py` | 43 % | ≥ 80 % | 🔴 P1 (Sprint 4) |
+| `gui_dialogs.py` | 56 % | ≥ 80 % | 🟡 P2 (Sprint 4) |
+| `corpguard.py` | 75 % | ≥ 90 % | 🟡 P2 (Sprint 4) |
+| `registry.py` | 84 % | ≥ 95 % | 🟡 P2 (Sprint 4) |
+| `gui_tooltip.py` | 74 % | ≥ 90 % | 🟡 P2 (Sprint 4) |
+| Overall (non-tweak) | ~81 % | ≥ 95 % | P1 |
+
+---
+
+## Running Coverage Locally
+
+```powershell
+# Full report with missing lines
+python -m pytest tests/ --cov=regilattice --cov-report=term-missing
+
+# HTML report (open htmlcov/index.html)
+python -m pytest tests/ --cov=regilattice --cov-report=html
+
+# Coverage for a specific module only
+python -m pytest tests/test_registry.py --cov=regilattice.registry --cov-report=term-missing
+```
+
+---
+
+## Improving Coverage
+
+### GUI modules (`gui.py`, `gui_widgets.py`, `gui_dialogs.py`)
+
+Use `unittest.mock.patch` with `tkinter` mocked:
+
+```python
+import sys
+from unittest.mock import MagicMock, patch
+
+# Mock the entire tkinter module before importing gui
+sys.modules["tkinter"] = MagicMock()
+sys.modules["tkinter.ttk"] = MagicMock()
+sys.modules["tkinter.messagebox"] = MagicMock()
+
+from regilattice import gui
+```
+
+### Registry modules (apply/remove/detect)
+
+Use the `dry_session` pytest fixture from `conftest.py`:
+
+```python
+def test_apply_tweak(dry_session, monkeypatch):
+    from regilattice.registry import SESSION
+    monkeypatch.setattr("regilattice.tweaks.explorer.SESSION", dry_session)
+    from regilattice.tweaks.explorer import _apply_show_extensions
+    _apply_show_extensions(require_admin=False)
+    assert dry_session._write_log  # verify a write was recorded
+```