v0.9.0: ten-feature competitive pass, headless CLI, OSS hygiene, audit hardening

Adds DeepPurge.Cli (asInvoker scriptable headless companion) and a 7-panel
SYSTEM TOOLS section in the GUI covering Driver Store, Startup Impact,
Broken Shortcuts, Duplicate Files, Community Cleaners (winapp2), Repair
Windows (sfc/DISM/chkdsk/cache rebuild), Scheduled Cleaning, plus an
About/Updates panel. Ships portable mode, install-manifest snapshot+replay,
GitHub Releases update check, and a 14-point "doctor" self-test.

Ten new Core services: DataPaths, DriverStoreScanner, StartupImpactCalculator,
WindowsRepairEngine, ShortcutRepairScanner, Winapp2Parser+Runner,
DuplicateFinder, InstallSnapshotEngine, ScheduleManager, UpdateChecker,
plus supporting Log + SelfTest + SafeListConverters.

Production hardening pass closed real defects uncovered during audit:
UpdateChecker 3-part-vs-4-part version-compare false positive;
ScheduleManager quote-escape + per-job .cmd wrapper; StartupImpact
namespace-safe XML walk; Winapp2 DetectOS/DetectFile bucket routing;
ShortcutRepairScanner STA apartment + COM release + Recycle Bin delete;
DriverStoreScanner schema-agnostic XML + text parser + OEM codepage;
DuplicateFinder ArrayPool + sort-safety; InstallSnapshotEngine parallel
walks + gzip + pruning + atomic write; WindowsRepairEngine narrow cache
deletes + correct encoding; DataPaths error propagation; MainViewModel
CTS lifetime via RenewCts helper; AutorunScanner ProcessNameSet snapshot
eliminating per-entry Process handle leak and O(N*M) re-enumeration;
UninstallEngine silent-mode stdout + empty-string guard + HKU + no silent
recycle-to-permanent fallback; App.xaml.cs version from assembly; XAML
binding safety via FirstOrEmpty/Count converters; Repair output StringBuilder
coalesced flush; v0.9 panel MaybeAutoLoad guard.

Ships OSS hygiene: SECURITY, CONTRIBUTING, ARCHITECTURE, ROADMAP, issue +
PR templates, dependabot weekly scan, CodeQL security-and-quality workflow,
.gitattributes line-ending discipline, .gitignore polish; Authenticode
signing hooks (Build.ps1 -Sign with SecureString), -Test switch; winget
+ Scoop manifests with real SHA256 hashes; GitHub Actions build + release
workflows; xUnit test project (105 tests) locking in parser /
sanitiser / threshold behaviour.

Build: 6 projects, 0 errors, 0 warnings. dotnet test: 105 passed.
Publish: GUI 65.3 MB + CLI 65.1 MB (self-contained, compressed).

Author: SysAdminDoc

.gitattributes

@@ -0,0 +1,40 @@
+# Normalise line endings. Text in the repo is LF; tooling handles CRLF on checkout.
+* text=auto eol=lf
+
+# Source: always LF.
+*.cs     text eol=lf diff=csharp
+*.csproj text eol=lf
+*.sln    text eol=lf
+*.md     text eol=lf
+*.yml    text eol=lf
+*.yaml   text eol=lf
+*.json   text eol=lf
+*.xml    text eol=lf
+*.xaml   text eol=lf
+
+# Windows scripts must keep CRLF or they won't parse correctly.
+*.bat    text eol=crlf
+*.cmd    text eol=crlf
+*.ps1    text eol=crlf
+*.psm1   text eol=crlf
+*.psd1   text eol=crlf
+*.manifest text eol=crlf
+
+# Binary assets — no line-ending conversion, no diff.
+*.exe    binary
+*.dll    binary
+*.ico    binary
+*.png    binary
+*.jpg    binary
+*.jpeg   binary
+*.gif    binary
+*.webp   binary
+*.pfx    binary
+*.snk    binary
+*.zip    binary
+*.7z     binary
+*.tar.gz binary
+
+# GitHub linguist — mark generated / packaging from language stats.
+packaging/** linguist-vendored
+.github/**   linguist-generated=false

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,75 @@
+name: Bug report
+description: Something is wrong or isn't doing what it claims.
+title: "[bug] "
+labels: ["bug", "triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for reporting. A few things that make this fast to triage:
+        1. Run `deeppurgecli doctor` from an elevated shell and paste the output.
+        2. Tell me which panel / CLI command you were using.
+        3. If it's a UI issue, a screenshot helps more than a description.
+
+  - type: input
+    id: version
+    attributes:
+      label: DeepPurge version
+      description: From the About panel, or `deeppurgecli version`.
+      placeholder: "0.9.0"
+    validations:
+      required: true
+
+  - type: dropdown
+    id: surface
+    attributes:
+      label: Surface
+      options:
+        - GUI
+        - CLI
+        - Both
+    validations:
+      required: true
+
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened
+      description: What did you expect, and what actually happened?
+    validations:
+      required: true
+
+  - type: textarea
+    id: repro
+    attributes:
+      label: Reproduction steps
+      placeholder: |
+        1. Open the Drivers panel
+        2. Click Rescan
+        3. ...
+    validations:
+      required: true
+
+  - type: textarea
+    id: doctor
+    attributes:
+      label: deeppurgecli doctor output
+      description: Paste the full doctor output from an elevated shell.
+      render: text
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log lines
+      description: From %LocalAppData%\DeepPurge\Logs\deeppurge.log (or Data\Logs\ in portable mode).
+      render: text
+
+  - type: checkboxes
+    id: confirms
+    attributes:
+      label: Confirm
+      options:
+        - label: I am running the latest 0.9.x release
+          required: true
+        - label: I am not reporting a security vulnerability (those go to SECURITY.md)
+          required: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security vulnerability
+    url: https://github.com/SysAdminDoc/DeepPurge/blob/main/SECURITY.md
+    about: Please report security issues privately — see SECURITY.md.
+  - name: Ask a question (discussion)
+    url: https://github.com/SysAdminDoc/DeepPurge/discussions
+    about: For usage questions or design discussion, use Discussions rather than Issues.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,38 @@
+name: Feature request
+description: Suggest a new capability or a change to an existing one.
+title: "[feature] "
+labels: ["enhancement", "triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Before filing, skim [ROADMAP.md](../../blob/main/ROADMAP.md) — the feature may already be queued,
+        or explicitly on the "will not ship" list with a reason.
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem
+      description: What are you trying to do that DeepPurge doesn't support?
+    validations:
+      required: true
+
+  - type: textarea
+    id: proposal
+    attributes:
+      label: Proposed solution
+      description: What would a good user experience look like?
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives considered
+      description: Existing tools / workarounds. Helps me understand how much leverage this gives.
+
+  - type: textarea
+    id: references
+    attributes:
+      label: Reference implementations
+      description: BCU / BleachBit / Revo / etc. that already solve this. Links welcome.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,26 @@
+<!-- Short, single-concern PRs merge fastest. If this is a bug fix + new feature, split. -->
+
+## What
+
+<!-- One or two sentences describing the change. -->
+
+## Why
+
+<!-- The motivation. Linked issue number if any: closes #123 -->
+
+## How
+
+<!-- Brief technical notes: which files / patterns / tradeoffs. -->
+
+## Merge checklist
+
+- [ ] `dotnet build DeepPurge.sln -c Release` — 0 errors, 0 warnings
+- [ ] `dotnet test tests/DeepPurge.Tests/DeepPurge.Tests.csproj` — all tests pass
+- [ ] If parser / sanitiser / detector: added a test that locks in the new behaviour
+- [ ] CHANGELOG.md updated (under Unreleased or the next version heading)
+- [ ] Version bumped if user-visible (see CONTRIBUTING.md "Version bump")
+- [ ] No direct `%LocalAppData%\DeepPurge` references — all per-user paths go through `DataPaths`
+- [ ] No new `bool` arguments on destructive pipelines — extend `DeleteOptions` instead
+- [ ] SafetyGuard still blocks all previously-protected paths (no regressions in SafetyGuardTests)
+
+<!-- Thanks! -->

.github/dependabot.yml

@@ -0,0 +1,28 @@
+version: 2
+updates:
+  - package-ecosystem: "nuget"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "05:00"
+    open-pull-requests-limit: 5
+    groups:
+      test-stack:
+        patterns:
+          - "xunit*"
+          - "Microsoft.NET.Test.Sdk"
+      mvvm:
+        patterns:
+          - "CommunityToolkit.*"
+    labels:
+      - "dependencies"
+      - "nuget"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "ci"

.github/workflows/build.yml

@@ -0,0 +1,59 @@
+name: Build
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: windows-latest
+    timeout-minutes: 20
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup .NET 8
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: '8.0.x'
+
+      - name: Restore
+        run: dotnet restore DeepPurge.sln
+
+      - name: Build
+        run: dotnet build DeepPurge.sln -c Release --no-restore
+
+      - name: Test
+        run: dotnet test tests/DeepPurge.Tests/DeepPurge.Tests.csproj -c Release --no-build --verbosity normal
+
+      - name: Publish GUI
+        run: >
+          dotnet publish src/DeepPurge.App/DeepPurge.App.csproj
+          -c Release -r win-x64 --self-contained true
+          -p:PublishSingleFile=true -p:EnableCompressionInSingleFile=true
+          -p:DebugType=none -p:DebugSymbols=false
+          --output build --nologo
+
+      - name: Publish CLI
+        run: >
+          dotnet publish src/DeepPurge.Cli/DeepPurge.Cli.csproj
+          -c Release -r win-x64 --self-contained true
+          -p:PublishSingleFile=true -p:EnableCompressionInSingleFile=true
+          -p:DebugType=none -p:DebugSymbols=false
+          --output build --nologo
+
+      - name: Drop extras
+        shell: pwsh
+        run: |
+          Get-ChildItem build -Exclude 'DeepPurge.exe','DeepPurgeCli.exe' |
+            Remove-Item -Force -Recurse -ErrorAction SilentlyContinue
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: DeepPurge-win-x64
+          path: build/*.exe
+          retention-days: 14

.github/workflows/codeql.yml

@@ -0,0 +1,46 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Weekly scan on Sunday 03:17 UTC — off-hours, avoids the Monday dependabot burst.
+    - cron: "17 3 * * 0"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    runs-on: windows-latest
+    timeout-minutes: 45
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['csharp']
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup .NET 8
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: '8.0.x'
+
+      - name: Init CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-and-quality
+
+      - name: Build
+        run: dotnet build DeepPurge.sln -c Release
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"