Merged
11 changes: 11 additions & 0 deletions .PSScriptAnalyzerSettings.psd1
@@ -0,0 +1,11 @@
@{
IncludeDefaultRules = $true
ExcludeRules = @(
'PSAvoidUsingWriteHost'
'PSUseShouldProcessForStateChangingFunctions'
'PSReviewUnusedParameter'
'PSUseDeclaredVarsMoreThanAssignments'
'PSAvoidGlobalVars'
'PSUseSingularNouns'
)
}
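Review bot: `'PSUseShouldProcessForStateChangingFunctions'` in `ExcludeRules` switches off the check that state-changing functions support `-WhatIf`/`-Confirm`, while SECURITY.md in this same PR tells users to rely on `-WhatIf` for `cleanup`. Consider keeping that rule enabled and handling individual findings with `SuppressMessageAttribute` where they are justified. The file also carries no rationale: a one-line comment per excluded rule would tell the next maintainer why it is off.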
32 changes: 31 additions & 1 deletion .github/workflows/ci.yml
Expand Up @@ -110,10 +110,40 @@ jobs:
shell: pwsh
run: |
pwsh -NoProfile -File scripts/maintainer/test/Test-HealthSmoke.ps1
pwsh -NoProfile -File scripts/maintainer/test/Test-HealthResilience.ps1
pwsh -NoProfile -File scripts/maintainer/test/Test-DevShellStressMatrix.ps1

pester:
runs-on: windows-latest
steps:
- uses: actions/checkout@v4
- name: Install Pester
shell: pwsh
run: Install-Module Pester -Force -Scope CurrentUser -MinimumVersion 5.5.0 -SkipPublisherCheck
- name: Pester unit tests
shell: pwsh
run: Invoke-Pester -Path tests/pester -Output Detailed -CI

script-analysis:
runs-on: windows-latest
steps:
- uses: actions/checkout@v4
- name: Install PSScriptAnalyzer
shell: pwsh
run: Install-Module PSScriptAnalyzer -Force -Scope CurrentUser -MinimumVersion 1.21.0
- name: PSScriptAnalyzer (lib + maintainer)
shell: pwsh
run: |
$paths = @('lib', 'scripts/maintainer/invoke', 'scripts/maintainer/test', 'devshell.ps1', 'install.ps1')
$errors = Invoke-ScriptAnalyzer -Path $paths -Recurse -Settings .PSScriptAnalyzerSettings.psd1 -Severity Error
if ($errors) {
$errors | Format-Table RuleName, ScriptName, Line, Message -AutoSize
throw "PSScriptAnalyzer errors: $($errors.Count)"
}

release-assets:
if: startsWith(github.ref, 'refs/tags/v')
needs: [release-version, command-health, platform-hardening, install-smoke, init-smoke, privacy-smoke, doctor-smoke, health-smoke]
needs: [release-version, command-health, platform-hardening, install-smoke, init-smoke, privacy-smoke, doctor-smoke, health-smoke, pester, script-analysis]
runs-on: windows-latest
permissions:
contents: write
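Review bot: Both `Install-Module` steps use `-MinimumVersion` (and the Pester one adds `-SkipPublisherCheck`), so every run installs whatever version is newest on the gallery, and these two jobs now gate `release-assets` through `needs:`. Pin with `-RequiredVersion` so the gate is reproducible and a new module release cannot change the result for a tagged build. Two smaller points in the `script-analysis` step: `-Severity Error` means only Error-level rules can fail the job, so Warning-level findings pass unreported; and `Invoke-ScriptAnalyzer -Path` is documented as taking a single string, so confirm the five-element `$paths` array binds, or loop over it.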
29 changes: 28 additions & 1 deletion CHANGELOG.md
Expand Up @@ -10,10 +10,36 @@ Format: [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) · Versioning:

## [Unreleased]

### Added

- **`devshell health -Sections`** — optional subset (`developer`, `privacy`, `browser`, `network`)
- **Pester** unit tests (`tests/pester/Health.Baseline.Tests.ps1`)
- **PSScriptAnalyzer** CI gate (`.PSScriptAnalyzerSettings.psd1`)
- **`Measure-DevShellHealthProfile.ps1`** — maintainer timing helper

See [docs/ROADMAP.md](docs/ROADMAP.md) for the stabilization contract.

---

## [3.0.1] - 2026-06-28

### Fixed

- **`Compare-DevShellHealthBaseline`** — graceful handling of missing or corrupt `baseline.json`
- **`Show-DevShellHealthHistory`** — skip invalid jsonl lines instead of failing
- **`devshell verify -Json`** — structured errors `no_baseline` and `baseline_invalid`

### Added

- **`Test-HealthResilience.ps1`**, **`Test-DevShellStressMatrix.ps1`** — offline CI resilience matrix
- CI: resilience + stress tests in **health-smoke** job

### Changed

- **`SECURITY.md`** — supported versions updated for 3.0.x

---

## [3.0.0] - 2026-06-29

**Unified health & API freeze** — platform spec `1.0.0` LOCKED.
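Review bot: `## [3.0.1] - 2026-06-28` is dated one day before `## [3.0.0] - 2026-06-29` below it, so the patch release appears to predate the release it fixes. Correct whichever date is wrong so the changelog order matches the tag history.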
Expand Down Expand Up @@ -286,7 +312,8 @@ Pre–HomeBase DevShell iterations. See git history before public OSS rename.

---

[Unreleased]: https://github.com/XKush/homebase-devshell/compare/v3.0.0...HEAD
[Unreleased]: https://github.com/XKush/homebase-devshell/compare/v3.0.1...HEAD
[3.0.1]: https://github.com/XKush/homebase-devshell/compare/v3.0.0...v3.0.1
[3.0.0]: https://github.com/XKush/homebase-devshell/releases/tag/v3.0.0
[2.3.0]: https://github.com/XKush/homebase-devshell/releases/tag/v2.3.0
[2.2.2]: https://github.com/XKush/homebase-devshell/releases/tag/v2.2.2
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -14,14 +14,14 @@ A workstation **readiness and privacy configuration auditing toolkit** for Windo

![DevReady — install, devshell health, Ready to work](docs/assets/devready-demo.gif)

**Inspect before run:** [`install.ps1` @ v3.0.0](https://github.com/XKush/homebase-devshell/blob/v3.0.0/install.ps1) · `devshell init` (dry-run, no changes) · [zip + SHA256](packaging/README.md)
**Inspect before run:** [`install.ps1` @ v3.0.1](https://github.com/XKush/homebase-devshell/blob/v3.0.1/install.ps1) · `devshell init` (dry-run, no changes) · [zip + SHA256](packaging/README.md)

---

## 30-second start

```powershell
irm https://raw.githubusercontent.com/XKush/homebase-devshell/v3.0.0/install.ps1 | iex
irm https://raw.githubusercontent.com/XKush/homebase-devshell/v3.0.1/install.ps1 | iex
```

Close the terminal. Open a new one. Run:
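Review bot: The `irm ... | iex` one-liner and the "Inspect before run" link now depend on the `v3.0.1` tag, so both return 404 until that tag is pushed, and a tag can be re-pointed later, which means the script a user inspects is not guaranteed to be the one that runs. Merge this only once the tag exists, and consider showing a download, hash-check and run variant next to the one-liner, since the same line already links to the zip + SHA256.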
4 changes: 2 additions & 2 deletions README.ru.md
Expand Up @@ -12,14 +12,14 @@

![DevReady — install, devshell health, Ready to work](docs/assets/devready-demo.gif)

**Проверьте до запуска:** [`install.ps1` @ v3.0.0](https://github.com/XKush/homebase-devshell/blob/v3.0.0/install.ps1) · `devshell init` (dry-run) · [zip + SHA256](packaging/README.md)
**Проверьте до запуска:** [`install.ps1` @ v3.0.1](https://github.com/XKush/homebase-devshell/blob/v3.0.1/install.ps1) · `devshell init` (dry-run) · [zip + SHA256](packaging/README.md)

---

## Старт за 30 секунд

```powershell
irm https://raw.githubusercontent.com/XKush/homebase-devshell/v3.0.0/install.ps1 | iex
irm https://raw.githubusercontent.com/XKush/homebase-devshell/v3.0.1/install.ps1 | iex
```

Закройте терминал. Откройте снова:
44 changes: 20 additions & 24 deletions SECURITY.md
Expand Up @@ -4,24 +4,21 @@

| Version | Supported |
|---------|-----------|
| 2.0.x | ✅ |
| < 2.0 | ❌ |
| **3.0.x** | ✅ Current |
| 2.x | Best effort (no new features) |
| < 2.0 | ❌ |

## Reporting a vulnerability

If you discover a security issue in HOME BASE:
If you discover a security issue in **HomeBase DevShell** / DevReady:

1. **Do not** open a public issue for exploitable vulnerabilities.
2. Report privately with:
2. Use **[GitHub Private vulnerability reporting](https://github.com/XKush/homebase-devshell/security/advisories/new)** (preferred).
3. Include:
- description and impact;
- steps to reproduce;
- affected commands or scripts;
- HOME BASE version (`ModuleVersion` from `modules/KGreen.Workstation.psd1`).
3. Allow reasonable time for a fix before public disclosure.

When the repository is published, prefer **GitHub Security Advisories** (Private vulnerability reporting).

Until then, contact the maintainer directly through your established private channel.
- version from `devshell version` or `modules/KGreen.Workstation.psd1` `ModuleVersion`.

## Response expectations

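Review bot: In the supported-versions table, `| 2.x | Best effort (no new features) |` does not say whether 2.x still receives security fixes, which is the one question this table has to answer; state it explicitly. As rendered here, the reporting steps also no longer include "Allow reasonable time for a fix before public disclosure"; if that was dropped on purpose, the "Response expectations" section should carry the disclosure timeline instead.
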
Expand All @@ -35,29 +32,28 @@ Until then, contact the maintainer directly through your established private cha

**In scope:**

- Destructive operations (`Remove-Item`, backup rotation, restore)
- Product CLI: `install`, `health`, `doctor`, `privacy`, `repair` (`-Fix`)
- Destructive module commands (`restoreconfig`, `cleanup`, backup rotation)
- Profile / terminal deployment scripts
- PGP key handling (`pgp-*`)
- Firewall and privacy hardening scripts
- Trust system integrity (`trustcheck`, SelfCheck)
- Privacy repair scripts (registry/DNS)
- Path / module load issues leading to privilege or data loss

**Out of scope:**

- Tor network anonymity guarantees (operational security is user responsibility)
- Third-party tools installed via winget (not bundled in this repo)
- Misuse of security scripts without authorization
- Tor network anonymity guarantees
- Third-party tools installed via winget
- Misuse on systems you are not authorized to manage

## Safe use

HOME BASE includes security-related automation intended for **authorized lab use** on systems you own or are permitted to manage.

- Users are responsible for compliance with local laws.
- Microsoft Defender AV is **intentionally not enabled** by this project design.
- Always run `backupconfig` before mutating operations.
- Use `-WhatIf` on `cleanup` and similar commands before execution.
- Intended for **systems you own or may manage**.
- Microsoft Defender AV is **never enabled** by this project.
- Run `backupconfig` before destructive module operations.
- Use `-WhatIf` on `cleanup` where supported.

## Related documentation

- [internal-docs/charter/SECURITY-POLICY.md](internal-docs/charter/SECURITY-POLICY.md) — operational security chain
- [internal-docs/charter/BACKUP-POLICY.md](internal-docs/charter/BACKUP-POLICY.md) — backup and rollback
- [MANIFESTO](docs/MANIFESTO.md) — trust boundaries
- [PROJECT-PRINCIPLES](docs/PROJECT-PRINCIPLES.md) — repair and privacy rules
- [RELEASE-CRITERIA](docs/RELEASE-CRITERIA.md) — release gates
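Review bot: Under "Safe use", "Microsoft Defender AV is **never enabled** by this project" can be read either as "the project does not turn Defender on" or as "the project keeps Defender off". Say outright whether any script changes Defender state. As rendered here, the in-scope list also appears to drop PGP key handling, firewall hardening and `trustcheck`; if those commands still ship, say where reports against them belong.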
3 changes: 3 additions & 0 deletions devshell.ps1
Expand Up @@ -22,6 +22,7 @@ param(
[switch]$Json,
[ValidateSet('html')]
[string]$Export,
[string[]]$Sections,
[ValidateSet('Chrome', 'Edge', 'Firefox', 'All')]
[string]$Browser = 'All',
[int]$Last = 20
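Review bot: `[string[]]$Sections` has no `[ValidateSet(...)]`, unlike `$Export` and `$Browser` next to it, even though docs/API-STABILITY.md fixes the values to `developer`, `privacy`, `browser`, `network`. Add `[ValidateSet('developer', 'privacy', 'browser', 'network')]` so a typo fails at parameter binding instead of being passed through as `SectionFilter`.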
Expand Down Expand Up @@ -55,6 +56,7 @@ HomeBase DevShell — workstation readiness & privacy auditing

devshell health Unified dashboard (developer + privacy + browser + network)
devshell health -Json Machine-readable report
devshell health -Sections developer,privacy Subset of sections (faster)
devshell health -Export html HTML report in Logs folder
devshell history Privacy/configuration score trend
devshell baseline Save configuration baseline
Expand Down Expand Up @@ -95,6 +97,7 @@ switch ($Command) {
$healthArgs = @{ Tier = $Tier }
if ($Json) { $healthArgs['Json'] = $true }
if ($Export) { $healthArgs['Export'] = $Export }
if ($Sections) { $healthArgs['SectionFilter'] = $Sections }
if ($Argument) { $healthArgs['OutFile'] = $Argument }
& (Join-Path $repoRoot 'scripts\maintainer\invoke\Invoke-DevShellHealth.ps1') @healthArgs
exit $LASTEXITCODE
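Review bot: `$healthArgs['SectionFilter'] = $Sections` forwards the value exactly as bound, but when a script is started with `pwsh -File` (the form the CI jobs use for the maintainer tests) an argument like `-Sections developer,privacy` arrives as the single string `developer,privacy`, not a two-element array. Split each element on `,` and trim it here unless `Invoke-DevShellHealth.ps1` already does, and add a Pester case for the subset path, since the only test file the changelog lists is `Health.Baseline.Tests.ps1`.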
1 change: 1 addition & 0 deletions docs/API-STABILITY.md
Expand Up @@ -21,6 +21,7 @@ Frozen **product CLI** commands — semver **major** bump required to break beha
- `-Json` / `-JsonOnly` on `doctor`, `privacy`, `health`, `verify`
- `-Fix` on `doctor`, `privacy`
- `-Tier Core|Full` on `doctor`, `health`
- `-Sections developer,privacy,browser,network` on `health` (optional subset; comma-separated)
- `-Export html` on `health`

## JSON schemas (versioned)
2 changes: 1 addition & 1 deletion docs/ROADMAP.md
Expand Up @@ -2,7 +2,7 @@

This is a **contract** with users — not a wishlist. Items move only after community signal or maintainer review.

**Current product version:** 3.0.0 · **Platform spec:** 1.0.0 LOCKED
**Current product version:** 3.0.1 · **Next minor:** 3.1.0 (in development) · **Platform spec:** 1.0.0 LOCKED

---

4 changes: 2 additions & 2 deletions install.ps1
Expand Up @@ -3,7 +3,7 @@
.SYNOPSIS
HomeBase DevShell one-line bootstrap installer.
.EXAMPLE
irm https://raw.githubusercontent.com/XKush/homebase-devshell/v3.0.0/install.ps1 | iex
irm https://raw.githubusercontent.com/XKush/homebase-devshell/v3.0.1/install.ps1 | iex
.EXAMPLE
pwsh -File install.ps1
.EXAMPLE
Expand All @@ -21,7 +21,7 @@ param(
)

$ErrorActionPreference = 'Stop'
$script:DevShellReleaseTag = 'v3.0.0'
$script:DevShellReleaseTag = 'v3.0.1'

function Test-DevShellRepo {
param([string]$Path)
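Review bot: `$script:DevShellReleaseTag = 'v3.0.1'` is one of several hand-edited copies of the release tag in this PR (the `.EXAMPLE` in the previous hunk, both READMEs, docs/ROADMAP.md). Add a CI assertion that they all agree (the `release-version` job named in `needs:` looks like the natural place), so a missed bump cannot leave the installer fetching a different tag than the one the README tells users to inspect.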