Error handling, ServiceWhitelist, test assertions, DefaultConfig fix (v0.4.6)

- Add Write-Verbose/Write-Status/Write-Warning to empty catch blocks in
  Check-Network.ps1, Helpers.ps1, and AmIHacked.ps1
- Implement ServiceWhitelist in Check-Processes.ps1 service analysis
- Expand Invoke-MockScan.ps1 with Assert-FindingCount, double-extension
  detection, category coverage, severity/remediation/MITRE validation
- Fix New-DefaultConfig $PSScriptRoot resolving to lib/ instead of repo root

Made-with: Cursor

Author: TMHSDigital

AmIHacked.ps1

@@ -80,7 +80,7 @@ if ($script:NonInteractive) {
 $script:RedactMap = @{}
 $script:SuppressedCount = 0
 
-$script:Version = "0.4.5"
+$script:Version = "0.4.6"
 
 # ── Helpers (loaded first) ───────────────────────────────────────────────────
 
@@ -92,6 +92,7 @@ if (Test-Path $ConfigPath) {
     try {
         $script:Config = Get-Content $ConfigPath -Raw | ConvertFrom-Json
     } catch {
+        Write-Warning "Failed to parse config at '$ConfigPath': $_. Using built-in defaults."
         $script:Config = Get-DefaultConfig
     }
 } else {

CHANGELOG.md

@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [0.4.6] - 2026-03-15
+
+### Added
+- **ServiceWhitelist implementation** -- `ServiceWhitelist` config field is now applied in Check-Processes.ps1 service analysis, skipping whitelisted services from unquoted-path, user-directory, and SYSTEM-outside-standard-dirs checks
+- **Test assertions** -- `Assert-FindingCount` helper, double-extension detection assertion, category coverage checks, severity/remediation/MITRE field validation, CIMode JSON `suppressed` key check
+
+### Fixed
+- **Error handling** -- replaced empty `catch {}` blocks with `Write-Verbose`/`Write-Status`/`Write-Warning` in Check-Network.ps1 (DNS reverse-lookup, AbuseIPDB), lib/Helpers.ps1 (Run key enumeration), and AmIHacked.ps1 (config parse fallback)
+- **`New-DefaultConfig` `$PSScriptRoot` fix** -- default path now resolves via `Split-Path $PSScriptRoot -Parent` at call-time instead of during `param()` evaluation (which pointed to `lib/` instead of project root)
+
 ## [0.4.5] - 2026-03-15
 
 ### Fixed

CLAUDE.md

@@ -138,5 +138,5 @@ $summary = $jsonLine | ConvertFrom-Json
 
 ## Code Conventions
 
-- All `.ps1` files **must** be saved with UTF-8 BOM (`EF BB BF`). PowerShell 5.1 defaults to Windows-1252, which misinterprets multi-byte UTF-8 sequences (e.g. `✓`, `╔`) as string delimiters, causing parse errors. **Some edit tools strip BOM on save** -- run `.\fix-bom.ps1` (gitignored dev utility) to re-apply after editing.
+- All `.ps1` files **must** be saved with UTF-8 BOM (`EF BB BF`). PowerShell 5.1 defaults to Windows-1252, which misinterprets multi-byte UTF-8 sequences (e.g. `✓`, `╔`) as string delimiters, causing parse errors. **Some edit tools strip BOM on save** -- run `.\fix-bom.ps1` to re-apply after editing.
 - See `CONTRIBUTING.md` for the full module authoring guide and test harness documentation.

README.md

@@ -12,7 +12,7 @@
 [![PowerShell 5.1+](https://img.shields.io/badge/PowerShell-5.1%2B-0d1117?style=for-the-badge&logo=powershell&logoColor=5391FE)](https://docs.microsoft.com/powershell/)
 [![Windows 10/11](https://img.shields.io/badge/Windows-10%20%2F%2011-0d1117?style=for-the-badge&logo=windows&logoColor=white)](https://www.microsoft.com/windows)
 [![License: MIT](https://img.shields.io/badge/License-MIT-0d1117?style=for-the-badge&logoColor=white)](LICENSE)
-[![Version](https://img.shields.io/badge/Version-0.4.5-FF6B6B?style=for-the-badge)](#changelog)
+[![Version](https://img.shields.io/badge/Version-0.4.6-FF6B6B?style=for-the-badge)](#changelog)
 
 [![Zero Dependencies](https://img.shields.io/badge/Dependencies-Zero-0d1117?style=flat-square&labelColor=0d1117)](#)
 [![MITRE ATT&CK](https://img.shields.io/badge/MITRE%20ATT%26CK-40%2B%20Techniques-ff3333?style=flat-square&labelColor=0d1117)](#mitre-attck-coverage)
@@ -140,7 +140,7 @@ Baselines enable **change detection** — the most powerful signal for catching
 
 ```
 ---AMIHACKED-SUMMARY-JSON---
-{"verdict":"CAUTION","critical":0,"warning":3,"info":12,"suppressed":0,"total":15,"duration":28.4,"reportPath":"...","version":"0.4.5"}
+{"verdict":"CAUTION","critical":0,"warning":3,"info":12,"suppressed":0,"total":15,"duration":28.4,"reportPath":"...","version":"0.4.6"}
 ```
 
 - Exit code reflects findings: **0** = clean, **1** = warnings only, **2** = critical findings detected

lib/Helpers.ps1

@@ -297,7 +297,11 @@ function Get-DefaultConfig {
 }
 
 function New-DefaultConfig {
-    param([string]$Path = (Join-Path $PSScriptRoot "config\config.json"))
+    param([string]$Path = "")
+    if (-not $Path) {
+        $repoRoot = Split-Path $PSScriptRoot -Parent
+        $Path = Join-Path $repoRoot "config\config.json"
+    }
 
     $dir = Split-Path $Path -Parent
     if (-not (Test-Path $dir)) {
@@ -487,7 +491,9 @@ function Export-Baseline {
                                 @{ Key = $key; Name = $_.Name; Value = $_.Value }
                             }
                         }
-                    } catch {}
+                    } catch {
+                        Write-Verbose "Could not read Run key '${key}': $_"
+                    }
                 }
             )
 

modules/Check-Network.ps1

@@ -63,7 +63,9 @@ function Invoke-NetworkChecks {
                         $severity = "INFO"
                     }
                 }
-            } catch {}
+            } catch {
+                Write-Verbose "Reverse-DNS lookup failed for ${ip}: $_"
+            }
 
             Add-Finding -Severity $severity -Category "Network" `
                 -Title "High Connection Count to $ip ($($connList.Count) connections)" `
@@ -131,7 +133,9 @@ function Invoke-NetworkChecks {
                         } `
                         -MITRE @("T1071.001")
                 }
-            } catch {}
+            } catch {
+                Write-Status "AbuseIPDB lookup failed for ${ip}: $_" -Color Yellow
+            }
         }
         Write-Status "Checked $checkedCount IPs against AbuseIPDB."
     } elseif ($script:OfflineMode -and $externalIPs.Count -gt 0) {

modules/Check-Processes.ps1

@@ -12,6 +12,11 @@ function Invoke-ProcessesChecks {
         $whitelist = $script:Config.ProcessWhitelist | ForEach-Object { $_.ToLower() }
     }
 
+    $serviceWhitelist = @()
+    if ($script:Config.ServiceWhitelist) {
+        $serviceWhitelist = $script:Config.ServiceWhitelist | ForEach-Object { $_.ToLower() }
+    }
+
     $processCount = 0
     $flaggedCount = 0
 
@@ -188,6 +193,7 @@ function Invoke-ProcessesChecks {
     foreach ($svc in $services) {
         $svcPath = $svc.PathName
         if (-not $svcPath) { continue }
+        if ($serviceWhitelist -contains $svc.Name.ToLower()) { continue }
 
         if ($svcPath -match "\\Temp\\" -or $svcPath -match "\\AppData\\" -or $svcPath -match "\\Users\\[^\\]+\\Desktop\\") {
             Add-Finding -Severity "CRITICAL" -Category "Process" `

tests/Invoke-MockScan.ps1

@@ -43,6 +43,23 @@ function Assert-FindingExists {
     }
 }
 
+function Assert-FindingCount {
+    param(
+        [object[]]$Findings,
+        [string]$Category,
+        [int]$MinCount,
+        [string]$TestName
+    )
+    $count = ($Findings | Where-Object { $_.Category -eq $Category }).Count
+    if ($count -ge $MinCount) {
+        Write-Host "  [PASS] $TestName ($count findings in '$Category')" -ForegroundColor Green
+        $script:TestsPassed++
+    } else {
+        Write-Host "  [FAIL] $TestName — expected >= $MinCount in '$Category', got $count" -ForegroundColor Red
+        $script:TestsFailed++
+    }
+}
+
 # ── Setup: Create mock artifacts ─────────────────────────────────────────────
 
 Write-Host "`n  ╔══════════════════════════════════════════╗" -ForegroundColor Magenta
@@ -112,24 +129,53 @@ if (-not $jsonFiles) {
 
     Assert-FindingExists -Findings $findings -TitlePattern "Stealer Output File.*passwords" -TestName "Detected stealer output file pattern"
 
-    # Check that JSON structure is valid
-    Write-TestHeader "JSON Structure Validation"
-    if ($results.Version -and $results.SystemInfo -and $results.Findings -and $results.Duration) {
-        Write-Host "  [PASS] JSON structure contains all required fields" -ForegroundColor Green
+    Assert-FindingExists -Findings $findings -TitlePattern "Double Extension.*\.exe" -TestName "Detected double-extension file (invoice.pdf.exe)"
+
+    # Category coverage: each active module should produce at least one finding
+    Write-TestHeader "Module Coverage"
+    Assert-FindingCount -Findings $findings -Category "FileSystem" -MinCount 1 -TestName "FileSystem module produced findings"
+    Assert-FindingCount -Findings $findings -Category "General"    -MinCount 1 -TestName "General module produced findings"
+
+    # Severity field is always one of the three valid values
+    Write-TestHeader "Severity Field Validity"
+    $invalidSeverity = $findings | Where-Object { $_.Severity -notin @("CRITICAL","WARNING","INFO") }
+    if ($invalidSeverity.Count -eq 0) {
+        Write-Host "  [PASS] All $($findings.Count) findings have valid Severity" -ForegroundColor Green
         $script:TestsPassed++
     } else {
-        Write-Host "  [FAIL] JSON structure missing required fields" -ForegroundColor Red
+        Write-Host "  [FAIL] $($invalidSeverity.Count) findings have invalid Severity: $(($invalidSeverity | Select-Object -ExpandProperty Severity) -join ', ')" -ForegroundColor Red
+        $script:TestsFailed++
+    }
+
+    # Every finding has non-empty Remediation
+    Write-TestHeader "Remediation Field Coverage"
+    $noRemediation = $findings | Where-Object { -not $_.Remediation }
+    if ($noRemediation.Count -eq 0) {
+        Write-Host "  [PASS] All findings have Remediation text" -ForegroundColor Green
+        $script:TestsPassed++
+    } else {
+        Write-Host "  [FAIL] $($noRemediation.Count) findings missing Remediation: $(($noRemediation | Select-Object -First 3 -ExpandProperty Title) -join '; ')" -ForegroundColor Red
+        $script:TestsFailed++
+    }
+
+    # Every finding has at least one MITRE tag
+    Write-TestHeader "MITRE Tag Coverage"
+    $noMitre = $findings | Where-Object { -not $_.MITRE -or $_.MITRE.Count -eq 0 }
+    if ($noMitre.Count -eq 0) {
+        Write-Host "  [PASS] All findings have MITRE ATT&CK tags" -ForegroundColor Green
+        $script:TestsPassed++
+    } else {
+        Write-Host "  [FAIL] $($noMitre.Count) findings missing MITRE tags: $(($noMitre | Select-Object -First 3 -ExpandProperty Title) -join '; ')" -ForegroundColor Red
         $script:TestsFailed++
     }
 
-    # Check MITRE tags are present on findings
-    Write-TestHeader "MITRE ATT&CK Tags"
-    $mitreTagged = $findings | Where-Object { $_.MITRE -and $_.MITRE.Count -gt 0 }
-    if ($mitreTagged -and $mitreTagged.Count -gt 0) {
-        Write-Host "  [PASS] $($mitreTagged.Count) findings have MITRE ATT&CK tags" -ForegroundColor Green
+    # Check that JSON structure is valid
+    Write-TestHeader "JSON Structure Validation"
+    if ($results.Version -and $results.SystemInfo -and $results.Findings -and $results.Duration) {
+        Write-Host "  [PASS] JSON structure contains all required fields" -ForegroundColor Green
         $script:TestsPassed++
     } else {
-        Write-Host "  [FAIL] No findings have MITRE ATT&CK tags" -ForegroundColor Red
+        Write-Host "  [FAIL] JSON structure missing required fields" -ForegroundColor Red
         $script:TestsFailed++
     }
 
@@ -206,7 +252,8 @@ if (-not $jsonFiles) {
         try {
             $ciSummary = $jsonLine | ConvertFrom-Json
             if ($ciSummary.verdict -and $null -ne $ciSummary.critical -and $null -ne $ciSummary.warning -and
-                $null -ne $ciSummary.info -and $null -ne $ciSummary.total -and $ciSummary.reportPath) {
+                $null -ne $ciSummary.info -and $null -ne $ciSummary.suppressed -and
+                $null -ne $ciSummary.total -and $ciSummary.reportPath) {
                 Write-Host "  [PASS] CIMode JSON summary contains all required fields" -ForegroundColor Green
                 $script:TestsPassed++
             } else {