noid-privacy/Modules/AdvancedSecurity/Private/Test-SRPCompliance.ps1

function Test-SRPCompliance {
    <#
    .SYNOPSIS
        Verifies Software Restriction Policies (SRP) configuration for CVE-2025-9491
        
    .DESCRIPTION
        Tests whether SRP rules are correctly configured to block .lnk execution from Temp/Downloads.
        Returns compliance status for CVE-2025-9491 mitigation.
        
    .EXAMPLE
        Test-SRPCompliance
        
    .OUTPUTS
        PSCustomObject with compliance results
    #>
    
    [CmdletBinding()]
    param()
    
    try {
        $configPath = Join-Path $PSScriptRoot "..\Config\SRP-Rules.json"
        
        if (-not (Test-Path $configPath)) {
            return [PSCustomObject]@{
                Feature = "SRP Configuration"
                Status = "Not Configured"
                Compliant = $false
                Details = "SRP-Rules.json not found"
            }
        }
        
        $config = Get-Content $configPath -Raw | ConvertFrom-Json
        $policyRoot = $config.RegistryPaths.PolicyRoot
        
        # Check if SRP policy exists
        if (-not (Test-Path $policyRoot)) {
            Write-Log -Level WARNING -Message "SRP Check Failed: Policy root not found ($policyRoot)" -Module "AdvancedSecurity"
            return [PSCustomObject]@{
                Feature = "SRP CVE-2025-9491"
                Status = "Not Configured"
                Compliant = $false
                Details = "SRP policy root not found"
            }
        }
        
        # Check Default Level
        $defaultLevel = Get-ItemProperty -Path $policyRoot -Name "DefaultLevel" -ErrorAction SilentlyContinue
        if ($null -eq $defaultLevel -or $defaultLevel.DefaultLevel -ne 262144) {
            Write-Log -Level WARNING -Message "SRP Check Failed: DefaultLevel is not Unrestricted (262144)" -Module "AdvancedSecurity"
            return [PSCustomObject]@{
                Feature = "SRP CVE-2025-9491"
                Status = "Misconfigured"
                Compliant = $false
                Details = "Default level not set to Unrestricted (262144)"
            }
        }
        
        # Check Path Rules
        $pathRulesRoot = $config.RegistryPaths.PathRules
        
        if (-not (Test-Path $pathRulesRoot)) {
            Write-Log -Level WARNING -Message "SRP Check Failed: PathRules root not found ($pathRulesRoot)" -Module "AdvancedSecurity"
            return [PSCustomObject]@{
                Feature = "SRP CVE-2025-9491"
                Status = "Incomplete"
                Compliant = $false
                Details = "Path rules not configured"
            }
        }
        
        # Count configured rules
        $configuredRules = Get-ChildItem -Path $pathRulesRoot -ErrorAction SilentlyContinue
        $ruleCount = if ($configuredRules) { $configuredRules.Count } else { 0 }
        
        # Check for Windows 11 bug
        $bugFixPath = $config.RegistryPaths.Win11BugFix
        $hasBuggyKeys = $false
        
        if (Test-Path $bugFixPath) {
            foreach ($keyName in $config.Windows11BugFix.KeysToRemove) {
                $keyExists = Get-ItemProperty -Path $bugFixPath -Name $keyName -ErrorAction SilentlyContinue
                if ($null -ne $keyExists) {
                    $hasBuggyKeys = $true
                    break
                }
            }
        }
        
        if ($hasBuggyKeys) {
            Write-Log -Level WARNING -Message "SRP Check Failed: Windows 11 buggy keys present (RuleCount/LastWriteTime)" -Module "AdvancedSecurity"
            return [PSCustomObject]@{
                Feature = "SRP CVE-2025-9491"
                Status = "Windows 11 Bug Detected"
                Compliant = $false
                Details = "Buggy registry keys present (RuleCount/LastWriteTime) - SRP may not work"
            }
        }
        
        # All checks passed
        if ($ruleCount -ge 2) {
            return [PSCustomObject]@{
                Feature = "SRP CVE-2025-9491"
                Status = "Protected"
                Compliant = $true
                Details = "$ruleCount path rules configured, Windows 11 bug fix applied"
            }
        }
        else {
            Write-Log -Level WARNING -Message "SRP Check Failed: Insufficient rules found ($ruleCount, expected 2+)" -Module "AdvancedSecurity"
            return [PSCustomObject]@{
                Feature = "SRP CVE-2025-9491"
                Status = "Incomplete"
                Compliant = $false
                Details = "Only $ruleCount path rules found (expected 2+)"
            }
        }
    }
    catch {
        return [PSCustomObject]@{
            Feature = "SRP CVE-2025-9491"
            Status = "Error"
            Compliant = $false
            Details = "Test failed: $_"
        }
    }
}