docs: update CHANGELOG and ROADMAP after security hardening pass (10 items shipped)

SysAdminDoc · SysAdminDoc · commit 8489cc6b8e4c · 2026-06-17T10:46:49.000-04:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,11 +17,23 @@ All notable changes to DeepPurge will be documented in this file.
 - **Screen-reader narration** — `AutomationProperties.Name` and `.HelpText` on all v0.9 SYSTEM TOOLS panels (drivers, startup impact, shortcuts, duplicates, winapp2, repair, schedule, install monitor, about).
 - **Localization infrastructure** — `Properties/Resources.resx` with top 20 UI strings and a strongly-typed `Resources.Designer.cs` accessor. Ready for Crowdin submission.
 
+### Security hardening (research round 2)
+- **CVE-2025-30399 mitigation** — `TargetLatestRuntimePatch` enabled via `Directory.Build.props` to pin .NET runtime ≥8.0.17.
+- **DuplicateFinder thread-safety** — replaced `Dictionary` with `ConcurrentDictionary` for hash cache to prevent data corruption under concurrent scans.
+- **Symlink/junction traversal guards** — all recursive deletion paths in FileLeftoverScanner, JunkFilesCleaner, and EvidenceRemover now check `FileAttributes.ReparsePoint` before traversal. `GetDirectorySize` uses `EnumerationOptions.AttributesToSkip`.
+- **Registry symlink detection** — `SafetyGuard.IsRegistrySymlink()` checks for `REG_LINK` class before any registry write/delete in UninstallEngine. Prevents TOCTOU privilege escalation via registry symbolic links.
+- **NuGet supply chain hardening** — `packages.lock.json` generated for all projects, CI uses `--locked-mode`, NuGet audit enabled at `moderate` level, package source mapping in `NuGet.Config`.
+- **Silent catch logging** — 22 empty `catch { }` blocks in RegistryLeftoverScanner replaced with `Log.Warn()` calls for field debugging.
+- **ManagementObject disposal** — WMI `ManagementObject` instances in SystemRestoreManager and SecureDelete now properly disposed via `using`.
+- **Always-keep protection** — `ProtectedPrograms` persisted list excludes marked programs from batch uninstall. `IsProtected` flag on `InstalledProgram`.
+- **External signature loading** — `LeftoverSignatureDb` now loads `*.signatures.json` files from `DataPaths.Cleaners` alongside the embedded database for community contributions.
+- **Toast notification migration** — replaced deprecated `Microsoft.Toolkit.Uwp.Notifications` with direct WinRT `Windows.UI.Notifications` API. Removes transitive `System.Drawing.Common` 4.7.0 vulnerability.
+
 ### Changed
 - TFM updated from `net8.0-windows` to `net8.0-windows10.0.17763.0` across all 4 projects to enable WinRT toast notification APIs.
 
 ### Dependencies
-- New: `Microsoft.Toolkit.Uwp.Notifications 7.1.3` — Windows 10/11 toast notifications.
+- Removed: `Microsoft.Toolkit.Uwp.Notifications 7.1.3` — deprecated, replaced with WinRT API.
 
 ### Research-driven additions (competitive analysis pass)
 - **Leftover signature database** — embedded JSON database with 50 application profiles (Chrome, Firefox, Adobe, Steam, etc.) for known leftover paths. Signature-matched leftovers are flagged as Safe confidence before heuristic matching runs.
diff --git a/ROADMAP.md b/ROADMAP.md
@@ -14,11 +14,11 @@ Blocked items live in `Roadmap_Blocked.md`.
   Acceptance: Scan detects orphaned services (exe missing), orphaned tasks (action exe missing), firewall rules referencing deleted programs, and PATH entries pointing to non-existent directories. Results shown in a unified "Orphans" panel.
   Complexity: L
 
-- [ ] P1 — **Upgrade to .NET 9 + CommunityToolkit.Mvvm 8.4.2**
-  Why: .NET 9 brings SearchValues SIMD acceleration for path scanning, FrozenDictionary for lookup tables, native WPF Fluent theme. Toolkit 8.4.2 adds partial properties — eliminates magic field pattern.
-  Evidence: .NET 9 release notes; CommunityToolkit 8.4 announcement; System.IO.Hashing 9.0.13 SIMD optimizations.
-  Touches: All 4 `.csproj` files (TFM `net9.0-windows10.0.17763.0`), `CommunityToolkit.Mvvm` → 8.4.2, `System.IO.Hashing` → 9.0.13, ViewModels (partial property migration)
-  Acceptance: Build succeeds on net9.0, all 111+ tests pass, ViewModels use `[ObservableProperty] public partial` syntax.
+- [ ] P1 — **Target .NET 10 LTS + CommunityToolkit.Mvvm 8.4.2**
+  Why: .NET 8 EOL Nov 2026. .NET 10 is LTS through Nov 2028. Toolkit 8.4.2 adds partial properties. Includes SearchValues SIMD, FrozenDictionary, native WPF Fluent theme.
+  Evidence: .NET 10 release notes; .NET 9 STS EOL Nov 2026; breaking changes audit.
+  Touches: All 4 `.csproj` files (TFM `net10.0-windows10.0.17763.0`), `CommunityToolkit.Mvvm` → 8.4.2, `System.IO.Hashing` → 10.0.9, ViewModels (partial property migration)
+  Acceptance: Build succeeds on net10.0, all tests pass, ViewModels use `[ObservableProperty] public partial` syntax.
   Complexity: M
 
 - [ ] P1 — **CsWin32 type-safe PInvoke**
@@ -42,10 +42,24 @@ Blocked items live in `Roadmap_Blocked.md`.
   Acceptance: User clicks "Hunter Mode" → overlay appears → drag crosshair onto any window → program identified → jump to its entry in the Programs panel.
   Complexity: M
 
+- [ ] P1 — **Expand leftover signature database to 200+ profiles**
+  Why: Current 50 profiles cover common apps but benchmark accuracy requires broader coverage. Target: ≥85% accuracy in Uninstalr benchmark.
+  Evidence: Uninstalr 2026 benchmark — HiBit 90%, Total Uninstall 86%; Revo Logs Database covers 12.5k programs. Also fix: duplicate Spotify entry.
+  Touches: `Core/Data/leftover-signatures.json`, `Core/Data/LeftoverSignatureDb.cs`
+  Acceptance: 200+ profiles. Matching algorithm enhanced to handle publisher-based grouping. Duplicate Spotify entry removed.
+  Complexity: M
+
+- [ ] P1 — **Portable app detection**
+  Why: Only Uninstalr detects portable apps. All 8 other tested tools scored 0. Significant unmet demand.
+  Evidence: Uninstalr 2026 benchmark — portable app detection section; BCU's folder scan concept.
+  Touches: New `Core/Packages/PortableAppScanner.cs`, `Core/Packages/PackageManagerScanner.cs`
+  Acceptance: Scan common portable locations for executables without matching registry entries. Show as "Portable" source in program list.
+  Complexity: M
+
 ### P2 — Quality, reliability, developer experience
 
 - [ ] P2 — **Mutation testing on safety-critical code**
-  Why: 111 tests for 15.8k LOC is thin. SafetyGuard and deletion logic are safety-critical — need verification that tests actually catch regressions.
+  Why: 116 tests for ~14k LOC is thin. SafetyGuard and deletion logic are safety-critical — need verification that tests actually catch regressions.
   Evidence: Stryker.NET 4.14.2; mutation testing best practice for safety-critical paths.
   Touches: `tests/`, `.github/workflows/build.yml`
   Acceptance: Stryker runs in CI on `SafetyGuard.cs`, `SecureDelete.cs`, `UninstallEngine.cs`. Mutation score >80% on these files.
@@ -65,6 +79,13 @@ Blocked items live in `Roadmap_Blocked.md`.
   Acceptance: New sidebar panel with checkboxes for ~15 removable Windows components. Each shows current size. Delete through SafetyGuard with dry-run support.
   Complexity: S
 
+- [ ] P2 — **winget COM API migration**
+  Why: `winget list --output json` is not a supported CLI option. The `Microsoft.Management.Deployment` COM API is the official programmatic interface.
+  Evidence: microsoft/winget-cli#4965 (feature request still open); winget export uses schema 2.0 JSON.
+  Touches: `Core/Packages/PackageManagerScanner.cs`
+  Acceptance: Use `winget export` for JSON package list or COM API for real-time queries. Remove `ParseWingetTable` fallback.
+  Complexity: M
+
 ### P3 — Polish, differentiation
 
 - [ ] P3 — **Health dashboard**
@@ -88,114 +109,6 @@ Blocked items live in `Roadmap_Blocked.md`.
   Acceptance: Steam (libraryfolders.vdf), Epic (LauncherInstalled.dat), GOG (Galaxy DB) apps appear in the unified programs list with platform badges.
   Complexity: M
 
-## Research-Driven Additions (Round 2)
-
-### P0 — Security hardening (act now)
-
-- [ ] P0 — **Pin .NET runtime ≥8.0.17 for CVE-2025-30399**
-  Why: Untrusted search path RCE affects .NET 8.0 ≤8.0.16. DeepPurge runs elevated — this is a privilege escalation vector.
-  Evidence: NVD CVE-2025-30399 (CVSS 7.5); .NET security advisory June 2025.
-  Touches: All 4 `.csproj` files — add `<RuntimeFrameworkVersion>8.0.17</RuntimeFrameworkVersion>` or target net10.0
-  Acceptance: `dotnet --info` shows runtime 8.0.17+. CI build pins the minimum version.
-  Complexity: S
-
-- [ ] P0 — **Fix DuplicateFinder._cache thread-safety**
-  Why: `_cache` dictionary at `Core/FileSystem/DuplicateFinder.cs:41` is accessed without synchronization. Concurrent `FindAsync` calls corrupt the cache.
-  Evidence: Code review — `Dictionary<string, HashCacheEntry>` with no lock around reads/writes in TryGetCachedHead, TryGetCachedFull, UpdateCache.
-  Touches: `Core/FileSystem/DuplicateFinder.cs`
-  Acceptance: Replace `Dictionary` with `ConcurrentDictionary` or add lock around all cache access. Verify with concurrent scan test.
-  Complexity: S
-
-- [ ] P0 — **Symlink/junction traversal guard in deletion paths**
-  Why: File deletion in FileLeftoverScanner, JunkFilesCleaner, EvidenceRemover does not check for reparse points before recursive deletion. BleachBit shipped a CVE-class fix for this exact pattern. DuplicateFinder.SafeEnumerate already has the guard but other scanners don't.
-  Evidence: BleachBit 6.0 release notes (symlink/junction safety); FluentCleaner reparse point skip.
-  Touches: `Core/FileSystem/FileLeftoverScanner.cs`, `Core/FileSystem/JunkFilesCleaner.cs`, `Core/Privacy/EvidenceRemover.cs`
-  Acceptance: All recursive directory deletion checks `FileAttributes.ReparsePoint` before traversal. Add test with a junction-loop directory structure.
-  Complexity: S
-
-- [ ] P0 — **Registry symlink detection before writes**
-  Why: Elevated process writes to enumerated registry keys without checking for symlinks. Unprivileged attacker can redirect writes to critical system keys via registry symbolic links. CVE-2025-6231 and CVE-2026-20815 exploited this exact pattern.
-  Evidence: Security research — registry TOCTOU privilege escalation; Project Zero Windows Administrator Protection bypass.
-  Touches: `Core/Registry/RegistryLeftoverScanner.cs`, `Core/Uninstall/UninstallEngine.cs`
-  Acceptance: Before any registry write/delete, verify key is not a symlink (REG_LINK class check). Fail-closed: if check fails, skip the key and log warning.
-  Complexity: S
-
-- [ ] P0 — **NuGet supply chain hardening**
-  Why: No lock file, no audit, no package source mapping. Dependency confusion and typosquatting attacks possible.
-  Evidence: .NET supply chain security best practices; NuGet audit (NU1901-NU1904 warnings).
-  Touches: All `.csproj` files (add `RestorePackagesWithLockFile`), `NuGet.Config` (add `packageSourceMapping`), `.github/workflows/build.yml` (add `--locked-mode`)
-  Acceptance: `packages.lock.json` committed. CI build uses `--locked-mode`. `NuGetAudit` enabled at `moderate` level. Package sources mapped explicitly.
-  Complexity: S
-
-### P1 — Accuracy + platform currency
-
-- [ ] P1 — **Expand leftover signature database to 200+ profiles**
-  Why: Current 50 profiles cover common apps but benchmark accuracy requires broader coverage. Target: ≥85% accuracy (≤61 leftovers out of 406 artifacts) to reach top-3 in Uninstalr benchmark.
-  Evidence: Uninstalr 2026 benchmark — HiBit 90%, Total Uninstall 86%; Revo Logs Database covers 12.5k programs. Also fix: duplicate Spotify entry in current DB.
-  Touches: `Core/Data/leftover-signatures.json`, `Core/Data/LeftoverSignatureDb.cs`
-  Acceptance: 200+ profiles. Matching algorithm enhanced to handle publisher-based grouping (e.g., all Adobe products share Adobe paths). Duplicate Spotify entry removed.
-  Complexity: M
-
-- [ ] P1 — **Portable app detection**
-  Why: Only Uninstalr detects portable apps (Notepad++ Portable, Brave Portable). All 8 other tested tools scored 0. Significant unmet demand.
-  Evidence: Uninstalr 2026 benchmark — portable app detection section; BCU's folder scan concept in Ideas list.
-  Touches: New `Core/Packages/PortableAppScanner.cs`, `Core/Packages/PackageManagerScanner.cs`
-  Acceptance: Scan common portable locations (Desktop, Downloads, USB roots, PortableApps.com folder) for executables without matching registry entries. Show as "Portable" source in program list.
-  Complexity: M
-
-- [ ] P1 — **Target .NET 10 LTS instead of .NET 9 STS**
-  Why: .NET 9 STS ends Nov 2026 (too soon). .NET 10 is LTS through Nov 2028. CommunityToolkit.Mvvm 8.4.2 partial properties require .NET 9+ SDK but target any runtime. Includes all .NET 9 benefits plus WPF improvements.
-  Evidence: .NET 10 release notes; .NET 9 STS EOL Nov 2026; breaking changes audit (empty Grid defs, DynamicResource crashes, P/Invoke search path changes).
-  Touches: All 4 `.csproj` files — TFM `net10.0-windows10.0.17763.0`. Review P/Invoke DLL loading paths for single-file compatibility.
-  Acceptance: Build succeeds on net10.0, all tests pass. Note: this supersedes the existing ".NET 9" ROADMAP item — implementer should do .NET 10 directly.
-  Complexity: M
-
-- [ ] P1 — **Migrate toast notifications from deprecated package**
-  Why: `Microsoft.Toolkit.Uwp.Notifications` 7.1.3 is archived/unmaintained. No security patches. Windows App SDK `AppNotificationManager` is the supported replacement.
-  Evidence: NuGet package status (archived); Microsoft migration guidance.
-  Touches: `Core/Diagnostics/ToastNotifier.cs`, `Core/DeepPurge.Core.csproj`
-  Acceptance: Toast notifications work on Windows 10 1809+ and Windows 11. Remove `Microsoft.Toolkit.Uwp.Notifications` NuGet reference.
-  Complexity: S
-
-### P2 — Reliability + developer experience
-
-- [ ] P2 — **Add logging to silent catch blocks in RegistryLeftoverScanner**
-  Why: 16+ `catch { }` blocks with no logging make field debugging impossible. 88 total silent catches across Core.
-  Evidence: Code review — `Core/Registry/RegistryLeftoverScanner.cs` has the highest density.
-  Touches: `Core/Registry/RegistryLeftoverScanner.cs`, other Core files with silent catches
-  Acceptance: All catch blocks in RegistryLeftoverScanner call `Log.Warn()` with the exception message. Other high-density files (FileLeftoverScanner) follow suit.
-  Complexity: S
-
-- [ ] P2 — **Fix ManagementObject disposal leak**
-  Why: `SystemRestoreManager.cs` line 48: WMI `ManagementObject` instances in foreach are never disposed. COM object leak.
-  Evidence: Code review — foreach loop over `ManagementObjectSearcher.Get()` without disposal.
-  Touches: `Core/Safety/SystemRestoreManager.cs`
-  Acceptance: ManagementObject instances disposed after use. Verify no WMI handle leaks under repeated calls.
-  Complexity: S
-
-- [ ] P2 — **"Always keep" protection flag per program**
-  Why: Users want to protect critical apps from accidental batch uninstall. Table-stakes safety UX.
-  Evidence: BCU issue #935 (most-requested safety feature); Revo Pro has similar "exclude" feature.
-  Touches: `Core/Models/InstalledProgram.cs`, `Core/App/DataPaths.cs` (persist list), `App/Views/MainWindow.xaml` (context menu + visual indicator)
-  Acceptance: Right-click → "Always Keep" marks a program. Marked programs are excluded from batch uninstall and show a lock icon. Persisted in DataPaths.Config.
-  Complexity: S
-
-- [ ] P2 — **winget COM API migration**
-  Why: `winget list --output json` is not a supported CLI option. Current fallback to table parsing is fragile. The `Microsoft.Management.Deployment` COM API is the official programmatic interface.
-  Evidence: microsoft/winget-cli#4965 (feature request still open); winget export uses schema 2.0 JSON.
-  Touches: `Core/Packages/PackageManagerScanner.cs`
-  Acceptance: Use `winget export` for JSON package list or COM API for real-time queries. Remove `ParseWingetTable` fallback. Add test with sample JSON output.
-  Complexity: M
-
-- [ ] P2 — **External leftover signature loading**
-  Why: Current DB is embedded-resource only — no way for users or community to contribute profiles without recompilation.
-  Evidence: RESEARCH.md architecture assessment; BleachBit CleanerML community model; Winapp2 repo (969 stars).
-  Touches: `Core/Data/LeftoverSignatureDb.cs`, `Core/App/DataPaths.cs`
-  Acceptance: On startup, scan `DataPaths.Cleaners/*.signatures.json` and merge with embedded DB. User-contributed files take precedence over embedded entries for the same app name.
-  Complexity: S
-
-### P3 — Polish + differentiation
-
 - [ ] P3 — **Expert/safe mode toggle**
   Why: BleachBit's expert mode hides dangerous operations from novice users. Reduces support burden and builds trust.
   Evidence: BleachBit 6.0 expert mode; FluentCleaner's anti-bloat philosophy.
@@ -225,11 +138,9 @@ Things worth considering but not on a timeline:
   programs list, analogous to the existing winget + scoop path
 - **OEM bloat scoring** — heuristics (publisher=Dell/HP/Lenovo, install source=OEM)
   to recommend batch-uninstall candidates on factory images
-- **Portable app detection** — BCU-style folder scan for unregistered apps
 - **Tray icon** — background scheduled cleaning with tray notifications
 - **Registry ETW tracing** — add `Microsoft.Diagnostics.Tracing.TraceEvent` for
   real-time registry change capture alongside USN journal filesystem tracking
-- **Android companion** — nope, scope creep, documented here only to flag it
 
 ## What we will NOT ship
 
