msix

0.70.5

msix.psd1

                                @{

    ModuleVersion     = '0.70.5'

    GUID              = 'a3f1c2d4-8e5b-4f7a-9c3d-1b2e4f6a8c0d'

    Author            = 'Sander de Wit'

    Description       = 'Enterprise-grade MSIX packaging automation. PSF (TMurgent) injection with the full RegLegacy + MFR fixup palette, context menus, signing, CI/CD pipeline, compatibility investigation (procmon + DebugView trace parsing), sandbox debug helper, App Attach VHDX/CIM generator, Win32 App Isolation, AppData helpers, accelerator import, PSADT-style standard scripts, TMEditX-style heuristic auto-fixers (uninstaller / Run-key / VC runtime / capability / splash / alias / version-bump), package compare, and a Pester test suite.'

    PowerShellVersion = '5.1'

    RootModule        = 'MSIX.psm1'

    FunctionsToExport = @(

        'Add-MsixAlias',

        'Add-MsixAppIsolation',

        'Add-MsixCapability',

        'Add-MsixComServerExtension',

        'Add-MsixDiagnosticTrace',

        'Add-MsixEvidence',

        'Add-MsixFileExplorerContextMenu',

        'Add-MsixFileTypeAssociation',

        'Add-MsixFirewallRule',

        'Add-MsixFontExtension',

        'Add-MsixLegacyContextMenu',

        'Add-MsixLoaderSearchPathOverride',

        'Add-MsixManifestNamespace',

        'Add-MsixProtocolHandler',

        'Add-MsixPsfV2',

        'Add-MsixShellVerbExtension',

        'Add-MsixSplashScreen',

        'Add-MsixStandardScript',

        'Add-MsixStartMenuFolder',

        'Add-MsixStartupTask',

        'Add-MsixVcRuntimeBundle',

        'Assert-MsixProcessSuccess',

        'Compare-MsixPackage',

        'Compare-MsixTrace',

        'ConvertFrom-MsixTraceLine',

        'ConvertFrom-MsixTraceToFinding',

        'ConvertFrom-MsixYamlAccelerator',

        'ConvertTo-MsixFinding',

        'ConvertTo-MsixLegacyFinding',

        'ConvertTo-MsixSarif',

        'ConvertTo-MsixReportHtml',

        'Copy-MsixHostAppDataIntoPackage',

        'Export-MsixRemediationPlan',

        'Dismount-MsixAppAttachImage',

        'Find-MsixPlaybook',

        'Get-MsixAliasCandidate',

        'Get-MsixAppRuntimeVersion',

        'Get-MsixCapabilityHint',

        'Get-MsixCompatibilityReport',

        'Get-MsixComServerEntry',

        'Get-MsixContainerAppData',

        'Get-MsixDebugRecommendation',

        'Get-MsixDebugViewVersion',

        'Get-MsixDesktopShortcutCandidate',

        'Get-MsixFindingConfidence',

        'Get-MsixFontCandidate',

        'Get-MsixHeuristicFinding',

        'Get-MsixInfo',

        'Get-MsixIsolationCapability',

        'Get-MsixKnownCapability',

        'Get-MsixLimitation',

        'Get-MsixManifest',

        'Get-MsixManifestApplication',

        'Get-MsixManifestApplications',

        'Get-MsixManifestNamespaceUri',

        'Get-MsixMfrKnownFolder',

        'Get-MsixMgrVersion',

        'Get-MsixNestedPackageCandidate',

        'Get-MsixOrphanedAppData',

        'Get-MsixPackageStorageSummary',

        'Get-MsixPlaybook',

        'Get-MsixPluginExtensionPoint',

        'Get-MsixProcMonFailure',

        'Get-MsixPsfBinariesVersion',

        'Get-MsixPublisherId',

        'Get-MsixRequiredAppRuntimeChannel',

        'Get-MsixRunKeyEntry',

        'Get-MsixSdkToolsVersion',

        'Get-MsixShellContextMenuEntry',

        'Get-MsixStandardScript',

        'Get-MsixStaticAnalysis',

        'Get-MsixToolsRoot',

        'Get-MsixTraceFailure',

        'Get-MsixTraceOutput',

        'Get-MsixUninstallerCandidate',

        'Get-MsixUninstallRegistryEntry',

        'Get-MsixUpdaterCandidate',

        'Get-MsixVcRuntimeReference',

        'Import-MsixAccelerator',

        'Import-MsixRemediationPlan',

        'Import-MsixSparseShellExtension',

        'Initialize-MsixToolchain',

        'Install-MsixAppRuntime',

        'Install-MsixDebugView',

        'Install-MsixMgr',

        'Install-MsixProcMon',

        'Install-MsixPsfBinary',

        'Install-MsixSdkTool',

        'Invoke-MsixAccelerator',

        'Invoke-MsixAutoFix',

        'Invoke-MsixAutoFixFromAnalysis',

        'Invoke-MsixAutoFixLoop',

        'Invoke-MsixCommand',

        'Invoke-MsixContainerCommand',

        'Invoke-MsixInvestigation',

        'Invoke-MsixManifestTransform',

        'Invoke-MsixPipeline',

        'Invoke-MsixPlaybook',

        'Invoke-MsixProcess',

        'Invoke-MsixRemediationPlan',

        'Invoke-MsixProcMonCapture',

        'Invoke-MsixSelfSignAndDebug',

        'Invoke-MsixSigning',

        'Merge-MsixFinding',

        'Mount-MsixAppAttachImage',

        'New-MsixAppAttachImage',

        'New-MsixFinding',

        'New-MsixManifestDocument',

        'New-MsixRemediationPlan',

        'New-MsixMfrLocalRule',

        'New-MsixMfrTraditionalRule',

        'New-MsixPsfArgument',

        'New-MsixPsfConfig',

        'New-MsixPsfDynamicLibraryConfig',

        'New-MsixPsfEnvVarConfig',

        'New-MsixPsfFileRedirectionConfig',

        'New-MsixPsfJson',

        'New-MsixPsfMfrConfig',

        'New-MsixPsfRegLegacyConfig',

        'New-MsixPsfStartScriptConfig',

        'New-MsixPsfTraceConfig',

        'New-MsixPsfWaitForDebuggerConfig',

        'New-MsixSandboxConfig',

        'New-MsixSelfSignedCertificate',

        'New-MsixStandardScript',

        'New-MsixWorkspace',

        'Remove-MsixAppIsolation',

        'Remove-MsixDesktopShortcut',

        'Remove-MsixStartMenuEntry',

        'Remove-MsixShellRegistryArtifact',

        'Remove-MsixUninstallerArtifact',

        'Remove-MsixUpdaterArtifact',

        'Resolve-MsixDebugViewPath',

        'Resolve-MsixMgrPath',

        'Resolve-MsixProcMonPath',

        'Save-MsixManifest',

        'Select-MsixManifestNode',

        'Select-MsixManifestNodes',

        'Set-MsixBrandMetadata',

        'Set-MsixFileSystemWriteVirtualization',

        'Set-MsixInstalledLocationVirtualization',

        'Set-MsixLogFile',

        'Set-MsixLogLevel',

        'Set-MsixManifestIdentity',

        'Set-MsixManifestMaxVersionTested',

        'Set-MsixManifestPublisher',

        'Set-MsixRegistryWriteVirtualization',

        'Set-MsixScriptSignature',

        'Set-MsixToolsRoot',

        'Start-MsixDebugSession',

        'Start-MsixSandbox',

        'Test-MsixAgainstLimitation',

        'Test-MsixAppAttachImage',

        'Test-MsixManifest',

        'Test-MsixPsfConfig',

        'Test-MsixRemediationPlan',

        'Test-MsixSignature',

        'Update-MsixAppRuntime',

        'Update-MsixDebugView',

        'Update-MsixMgr',

        'Update-MsixPackageVersion',

        'Update-MsixProcMon',

        'Update-MsixPsfBinary',

        'Update-MsixSdkTool',

        'Update-MsixSigner',

        'Write-MsixLog'

    )

    AliasesToExport   = @(

        'add-MsixPsf',

        'ConvertFrom-MsixTraceToFindings',

        'Get-MsixAliasCandidates',

        'Get-MsixCapabilityHints',

        'Get-MsixComServerEntries',

        'Get-MsixDebugRecommendations',

        'Get-MsixDesktopShortcutCandidates',

        'Get-MsixFontCandidates',

        'Get-MsixHeuristicFindings',

        'Get-MsixIsolationCapabilities',

        'Get-MsixKnownCapabilities',

        'Get-MsixLimitations',

        'Get-MsixMfrKnownFolders',

        'Get-MsixNestedPackageCandidates',

        'Get-MsixPluginExtensionPoints',

        'Get-MsixProcMonFailures',

        'Get-MsixRunKeyEntries',

        'Get-MsixShellContextMenuEntries',

        'Get-MsixStandardScripts',

        'Get-MsixTraceFailures',

        'Get-MsixUninstallerCandidates',

        'Get-MsixUninstallRegistryEntries',

        'Get-MsixUpdaterCandidates',

        'Get-MsixVcRuntimeReferences',

        'Get-PublisherIdFromPublisher',

        'Install-MsixPsfBinaries',

        'Install-MsixSdkTools',

        'Invoke-MsixCmd',

        'New-MsixPsfArguments',

        'Remove-MsixDesktopShortcuts',

        'Remove-MsixUninstallerArtifacts',

        'start-MsixCmd',

        'Test-MsixAgainstLimitations',

        'Update-MsixPsfBinaries',

        'Update-MsixSdkTools'

    )

    PrivateData = @{

        PSData = @{

            Tags        = @('MSIX','PSF','Packaging','AppX','WindowsApps',

                            'ContextMenu','Investigation','ProcMon','Accelerator',

                            'AppData','AppAttach','VHDX','CIM','AppIsolation',

                            'Sandbox','TMurgent','MFR','VcRuntime','Compare',

                            'TMEditX','Enterprise','CICD','Pester','PSADT')

            ProjectUri  = 'https://github.com/microsoft/MSIX-PackageSupportFramework'

            ReleaseNotes = @'

## v0.70.5

### Tier-2 remediation orchestration: #30 + #31 + #32

- Compare-MsixTrace (#31): before/after correlation of two runtime

  trace captures (DebugView .log/.txt or ProcMon .pml). Classifies

  every observed failure row as Resolved / Persisted / Introduced

  based on a (Function x Path x Result) match key. -Sarif emits a

  three-run SARIF 2.1.0 document so regressions show up as errors,

  fixes show up as notes.

- New/Export/Import/Test/Invoke-MsixRemediationPlan (#32):

  serialise a remediation plan to YAML, route through change-control,

  and replay it deterministically against a later package build.

  Strict cmdlet-safety guard (only MSIX module cmdlets may appear in

  appliedFixes), identity + SHA-256 fingerprint drift detection,

  single-sign-at-end semantics matching Invoke-MsixPlaybook.

  YAML emitter/parser is dependency-free and scalar-only - same

  security stance as the accelerator YAML.

- Invoke-MsixAutoFixLoop (#30): multi-pass remediation pipeline.

  Per-pass artefacts under $env:TEMP\msix-autofix-loop-<runId>\pass-N\,

  optional Compare-MsixTrace integration for NoRegressions stop

  condition, MinConfidence gate from the evidence model, signs once

  at the end. Closes the loop on chained MSIX issues where fixing

  one problem reveals the next.

### PowerShell 5.1 compatibility

- Removed PS7-only null-coalescing operator (??) from Merge-MsixFinding

  and Invoke-MsixAutoFixLoop.

- Stripped em-dashes from string literals in MSIX.RemediationPlan.ps1

  and MSIX.AutoFixLoop.ps1: the UTF-8 byte 0x94 was read as a curly

  double-quote terminator under CP-1252 when files lack a BOM, which

  is the default on Windows PowerShell 5.1.

### Quality bar

- Pester: 351 pass / 0 fail / 1 skip on PowerShell 7

  (27 new tests for the Tier-2 features).

- PSScriptAnalyzer (scoped to MSIX module): 0 findings.

## v0.70.4

### Tier-1 foundation: unified evidence model + confidence scoring (#29)

- New MSIX.Evidence.ps1: New-MsixFinding / Add-MsixEvidence /

  Merge-MsixFinding / Get-MsixFindingConfidence /

  ConvertTo-MsixFinding (legacy adapter) / ConvertTo-MsixLegacyFinding.

- Invoke-MsixAutoFixFromAnalysis: new -MinConfidence gate (default 0.85).

  Legacy findings without EvidenceItems are treated as confident so the

  migration is incremental and nothing regresses.

- SARIF emitter surfaces evidenceItems[] and confidence in

  result.properties when the analyzer populated them.

- Unblocks #30 (Invoke-MsixAutoFixLoop), #31 (Compare-MsixTrace),

  #32 (Export/Import/Invoke-MsixRemediationPlan).

### PSSA cleanup

- Get-MsixManifestApplication: per-parameter-set OutputType (XmlNode

  for First/ById, XmlNode[] for All), plus return-site casts so PSSA's

  static type inference matches.

- Get-MsixRequiredAppRuntimeChannel: returns [string[]] (was Object[]).

- Tests: trailing whitespace stripped from Recommendations test file.

- PSScriptAnalyzer (scoped to MSIX module): 0 findings.

- Pester: 325 pass / 0 fail / 1 skip.

## v0.70.0

### Security hardening

- Authenticode verification for every downloaded toolchain binary

  (PSF, Procmon, msixmgr, SDK tools) before use.

- SecureString for all signing/PFX secrets end-to-end. ConvertTo-SecureString

  -AsPlainText -Force is banned; tests use ConvertTo-TestSecureString instead.

- Secret non-leakage: Get-MsixDebugRecommendation emits a Read-Host

  -AsSecureString placeholder, never the real value. SignTool with -Pfx

  now emits a -WarningVariable-capturable warning about cmdline exposure.

- XML hardening: all manifest loading via _MsixLoadXmlSecure

  (DtdProcessing=Prohibit, MaxCharactersFromEntities=1MB). XXE and

  billion-laughs payloads are rejected.

- powershell-yaml dependency removed; accelerator parser is a restricted

  scalar-only implementation that cannot instantiate .NET objects from

  untrusted YAML.

### Reliability & architecture

- Atomic pack-sign-move: Invoke-MsixPipeline packs to a scratch path,

  signs at the scratch, then Move-Item to the target only on success.

  UnsignedOutputPath preserves the scratch when signing fails.

- Consistent -WhatIf semantics across every mutating cmdlet.

- Pure manifest transforms: Invoke-MsixManifestTransform,

  Set-MsixManifestPublisher, Set-MsixManifestIdentity (in-memory XML

  only, no pack/sign).

- Three signing backends: SignTool (default), TrustedSigning,

  AzureSignTool. PFX password is a SecureString throughout.

- offreg.dll integration: Get-MsixUninstallRegistryEntry,

  Get-MsixShellContextMenuEntry, Get-MsixComServerEntry, and the

  Remove-MsixUninstallerArtifact registry-cleanup path no longer

  require elevation. reg.exe load (admin-only) replaced with the

  Offline Registry API.

- Shell-extension context menus generated via the TMEditX-verified

  desktop4 + desktop5 schema. New AppExecutionAlias autofix stage.

  Alias inheritance from parent Application Executable.

### Documentation & testing

- EXAMPLES.md: 19 copy-paste recipes covering all major use cases.

- TEST-PLAN.md: 13 integration scenarios + release checklist.

- CONTRIBUTING.md: coding standards (SecureString hygiene, XML loading,

  WhatIf semantics, Authenticode requirements).

- 230+ Pester tests; CI runs PSScriptAnalyzer (Error+Warning) and Pester

  on every push/PR. All tests import via .psd1 (not .psm1).

Full release history: see CHANGELOG.md in the project repository.

'@

        }

    }

}