Repo audit cleanup, dead code removal, doc fixes (v0.4.5)

- Remove dead code: Get-ProcessParentId, Get-ProcessCommandLine, unused
  $maxPenalty, unused $Color param in CI Write-SummaryLine
- Remove unreachable whitelist guard in Check-Processes.ps1
- Add TrustedAppDirs and Suppressions defaults to Get-DefaultConfig
- Track fix-bom.ps1 (was gitignored but referenced by docs/pre-commit)
- Update fix-bom.ps1 to use $PSScriptRoot instead of hardcoded path
- Fix README CI JSON example: add suppressed key, correct version
- Add 0.4.x to SECURITY.md supported versions

Made-with: Cursor

Author: TMHSDigital

.gitignore

@@ -17,4 +17,3 @@ desktop.ini
 .claude/
 *.swp
 *.swo
-fix-bom.ps1

AmIHacked.ps1

@@ -80,7 +80,7 @@ if ($script:NonInteractive) {
 $script:RedactMap = @{}
 $script:SuppressedCount = 0
 
-$script:Version = "0.4.4"
+$script:Version = "0.4.5"
 
 # ── Helpers (loaded first) ───────────────────────────────────────────────────
 
@@ -341,22 +341,20 @@ if ($script:NonInteractive) {
     Write-Host "  |$verdictPad|"
     Write-Host "  +$hbar+"
 
-    function Write-SummaryLine { param($Label, $Value, $Color, $Width)
-        $content = "  $Label$Value"
-        $innerWidth = $Width - 2
+    function Write-SummaryLine { param($Label, $Value, $Width)
         $line = "  | $Label$Value".PadRight($Width + 3) + " |"
         Write-Host $line
     }
 
-    Write-SummaryLine "CRITICAL  " "$critCount" "Red" $w
-    Write-SummaryLine "WARNING   " "$warnCount" "Yellow" $w
-    Write-SummaryLine "INFO      " "$infoCount" "DarkCyan" $w
-    Write-SummaryLine "Suppressed " "$($script:SuppressedCount)" "DarkGray" $w
+    Write-SummaryLine "CRITICAL  " "$critCount" $w
+    Write-SummaryLine "WARNING   " "$warnCount" $w
+    Write-SummaryLine "INFO      " "$infoCount" $w
+    Write-SummaryLine "Suppressed " "$($script:SuppressedCount)" $w
     Write-Host "  |  $(' ' * ($w - 2))  |"
-    Write-SummaryLine "Total     " "$totalCount findings" "White" $w
-    Write-SummaryLine "Duration  " "$durationStr" "DarkGray" $w
+    Write-SummaryLine "Total     " "$totalCount findings" $w
+    Write-SummaryLine "Duration  " "$durationStr" $w
     Write-Host "  |  $(' ' * ($w - 2))  |"
-    Write-SummaryLine "Report    " "See path below" "DarkGray" $w
+    Write-SummaryLine "Report    " "See path below" $w
     Write-Host "  +$hbar+"
 } else {
     Write-Host "  ╔$('═' * $w)╗" -ForegroundColor DarkCyan

CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [0.4.5] - 2026-03-15
+
+### Fixed
+- **README CI JSON example** -- updated to include `suppressed` key and correct version
+- **SECURITY.md** -- added 0.4.x to supported versions table
+- **Dead code cleanup** -- removed unused `Get-ProcessParentId`, `Get-ProcessCommandLine` from Helpers.ps1, unused `$maxPenalty` from ReportGenerator.ps1, unused `$Color` parameter from CI summary writer
+- **Redundant guard in Check-Processes.ps1** -- removed unreachable `System32 + whitelist` check (already handled by earlier whitelist guard)
+- **`Get-DefaultConfig` missing fields** -- added `TrustedAppDirs` and `Suppressions` defaults so configless runs don't silently skip filtering
+
+### Changed
+- **`fix-bom.ps1` now tracked** -- removed from `.gitignore` and updated to use `$PSScriptRoot` instead of hardcoded path; new clones now include the BOM-fix utility referenced by the pre-commit hook and CONTRIBUTING.md
+
 ## [0.4.4] - 2026-03-15
 
 ### Added

README.md

@@ -12,7 +12,7 @@
 [![PowerShell 5.1+](https://img.shields.io/badge/PowerShell-5.1%2B-0d1117?style=for-the-badge&logo=powershell&logoColor=5391FE)](https://docs.microsoft.com/powershell/)
 [![Windows 10/11](https://img.shields.io/badge/Windows-10%20%2F%2011-0d1117?style=for-the-badge&logo=windows&logoColor=white)](https://www.microsoft.com/windows)
 [![License: MIT](https://img.shields.io/badge/License-MIT-0d1117?style=for-the-badge&logoColor=white)](LICENSE)
-[![Version](https://img.shields.io/badge/Version-0.4.4-FF6B6B?style=for-the-badge)](#changelog)
+[![Version](https://img.shields.io/badge/Version-0.4.5-FF6B6B?style=for-the-badge)](#changelog)
 
 [![Zero Dependencies](https://img.shields.io/badge/Dependencies-Zero-0d1117?style=flat-square&labelColor=0d1117)](#)
 [![MITRE ATT&CK](https://img.shields.io/badge/MITRE%20ATT%26CK-40%2B%20Techniques-ff3333?style=flat-square&labelColor=0d1117)](#mitre-attck-coverage)
@@ -140,7 +140,7 @@ Baselines enable **change detection** — the most powerful signal for catching
 
 ```
 ---AMIHACKED-SUMMARY-JSON---
-{"verdict":"CAUTION","critical":0,"warning":3,"info":12,"total":15,"duration":28.4,"reportPath":"...","version":"0.4.3"}
+{"verdict":"CAUTION","critical":0,"warning":3,"info":12,"suppressed":0,"total":15,"duration":28.4,"reportPath":"...","version":"0.4.5"}
 ```
 
 - Exit code reflects findings: **0** = clean, **1** = warnings only, **2** = critical findings detected

SECURITY.md

@@ -4,6 +4,7 @@
 
 | Version | Supported |
 |---------|-----------|
+| 0.4.x   | Yes       |
 | 0.3.x   | Yes       |
 | < 0.3   | No        |
 

fix-bom.ps1

@@ -0,0 +1,6 @@
+$enc = New-Object System.Text.UTF8Encoding $true
+$root = if ($PSScriptRoot) { $PSScriptRoot } else { Split-Path -Parent $MyInvocation.MyCommand.Path }
+foreach ($f in (Get-ChildItem $root -Recurse -Filter '*.ps1')) {
+    [System.IO.File]::WriteAllText($f.FullName, [System.IO.File]::ReadAllText($f.FullName, [System.Text.Encoding]::UTF8), $enc)
+}
+Write-Host "BOM applied to all .ps1 files under $root"

lib/Helpers.ps1

@@ -284,11 +284,15 @@ function Get-DefaultConfig {
             "Apple Inc.", "Adobe Inc.", "Valve Corporation"
         )
 
+        TrustedAppDirs = @()
+
         TrustedDomainSuffixes = @(
             ".microsoft.com", ".windowsupdate.com", ".akamaized.net",
             ".cloudfront.net", ".slack-msgs.com", ".googleapis.com",
             ".gstatic.com", ".steamcontent.com"
         )
+
+        Suppressions = @()
     }
 }
 
@@ -307,26 +311,6 @@ function New-DefaultConfig {
 
 # ── Utility Functions ────────────────────────────────────────────────────────
 
-function Get-ProcessParentId {
-    param([int]$ProcessId)
-    try {
-        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId" -ErrorAction SilentlyContinue
-        return $proc.ParentProcessId
-    } catch {
-        return $null
-    }
-}
-
-function Get-ProcessCommandLine {
-    param([int]$ProcessId)
-    try {
-        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId" -ErrorAction SilentlyContinue
-        return $proc.CommandLine
-    } catch {
-        return ""
-    }
-}
-
 function Test-IsTrustedIP {
     param([string]$IP)
 

lib/ReportGenerator.ps1

@@ -17,7 +17,6 @@ function Generate-HtmlReport {
     $infoCount = ($Findings | Where-Object { $_.Severity -eq "INFO" }).Count
     $totalCount = $Findings.Count
 
-    $maxPenalty = [math]::Max(1, $totalCount)
     $penalty = ($critCount * 25) + ($warnCount * 5) + ($infoCount * 0.5)
     $score = [math]::Max(0, [math]::Min(100, [math]::Round(100 - $penalty)))
     $scoreColor = if ($score -ge 80) { "#22c55e" } elseif ($score -ge 50) { "#f59e0b" } else { "#ef4444" }

modules/Check-Processes.ps1

@@ -28,7 +28,6 @@ function Invoke-ProcessesChecks {
 
         if ($whitelist -contains $procName) { continue }
         if (-not $procPath) { continue }
-        if ($procPath -match "^C:\\Windows\\System32" -and $whitelist -contains $procName) { continue }
         if ($procPath -match '^C:\\Program Files\\WindowsApps\\') { continue }
         if ($script:Config.TrustedAppDirs) {
             $inTrustedDir = $false