
Maintenance round (May 2026): fix #6, add tooling, license, README rewrite #7

Merged: ph33nx merged 1 commit into main from maintenance-2026-05 on May 10, 2026
@ph33nx (Owner) commented May 10, 2026

Summary

One bundled maintenance round on the repo. Goals: actually fix #6, make the repo legally clean (no LICENSE file existed despite the README claim), and stand up enough automation that the script does not silently drift.

Closes

On #6 specifically

The recursive for /R *.exe loop in the previous script does reach acrobat\acrocef_1\acrocef.exe, so a "missing path" patch alone would not have fixed the report. The actual cause for nearly every "AcroCEF still leaks" report breaks down three ways:

  1. Acrobat was updated after the user last ran the script. New CEF children land under paths the old rules do not cover.
  2. The duplicate-rule check made one PowerShell call per executable. On a full Adobe install (100+ exes) this took five minutes or more. Users killed the run before the Adobe walk completed, and AcroCEF was simply never reached. This is the single largest fix in this PR. A single up-front Get-NetFirewallRule call now caches the existing rule names, and the per-exe duplicate check is a findstr against that cache. Adobe walks complete in seconds.
  3. Adobe placed components under %LOCALAPPDATA%\Adobe\ and %APPDATA%\Adobe\. The previous path table only covered C:\Program Files\Adobe, C:\Program Files\Common Files\Adobe, C:\Program Files (x86)\Adobe, C:\Program Files (x86)\Common Files\Adobe and C:\ProgramData\Adobe. The new table uses %ProgramFiles%, %ProgramFiles(x86)%, %CommonProgramFiles%, %CommonProgramFiles(x86)%, %ProgramData%, %LOCALAPPDATA% and %APPDATA%, which also handles non-C: Windows installs.

On top of the recursive walk, an Adobe-specific known-CEF sweep explicitly looks for acrocef.exe, RdrCEF.exe, AcroCEF.exe, Acrobat.exe, AcroRd32.exe, AdobeNotificationClient.exe, AdobeIPCBroker.exe, AGSService.exe, AdobeUpdateService.exe and Creative Cloud.exe under every Adobe path. Belt-and-suspenders for installs the walk cannot reach (custom drives, vendor-renamed sub-folders).

tools/audit-coverage.sh is the regression guard: it asserts these executables and these path variables remain referenced in the script, and it runs in CI on every PR. If a future commit drops AcroCEF coverage, CI fails.

A new menu option 98 (Update Adobe) gives the right answer to "what do I do after Acrobat updates": re-run the script, the cache makes it cheap, only the new executables get new rules.

What is in the PR

Script (WinMasterBlocker.bat, v2.0.0)

  • Bulk rule cache (one PowerShell call instead of N).
  • Env-resolved paths covering %LOCALAPPDATA% and %APPDATA%.
  • Adobe known-CEF sweep.
  • WHATIF=1 dry-run, transcript log at %TEMP%\WinMasterBlocker-YYYYMMDDhhmmss.log.
  • Menu option 98 (Update Adobe).
  • Unattended IT-pro mode via WMB_VENDOR, WMB_ACTION, WMB_QUIET.
  • SPDX-License-Identifier: MIT header.

License and citation

  • LICENSE (MIT, copyright 2024-2026 ph33nx). The GitHub API was previously reporting license: null.
  • CITATION.cff for the GitHub Cite button and clean LLM citations.

Tooling

CI

  • .github/workflows/ci.yml: lint on ubuntu-latest, WHATIF integration test on windows-latest that stages a fake Adobe install tree (including acrocef_1\acrocef.exe and RdrCEF.exe), runs the script with WHATIF=1, and asserts the transcript log contains both binaries.

Issue template

  • .github/ISSUE_TEMPLATE/bug_report.yml asks for Windows version, app version, exe path and a transcript log excerpt up front.

README and SEO surface

  • README rewritten for May 2026: hero banner, comparison table vs SimpleWall / NetLimiter / GlassWire, AcroCEF-aware FAQ and troubleshooting, IT-pro section.
  • llms.txt for AI-search citation.
  • SECURITY.md for the GitHub security badge.
  • assets/banner.svg and assets/banner.png (1280x640 social-preview spec).

Test plan

  • bash tools/lint-bat.sh WinMasterBlocker.bat passes locally
  • bash tools/format-check.sh WinMasterBlocker.bat passes locally
  • bash tools/audit-coverage.sh WinMasterBlocker.bat passes locally
  • CI green on PR open (lint + windows integration with WHATIF)
  • Manual run on a Windows VM with a real Adobe Acrobat DC install: confirm transcript log lists acrocef.exe and RdrCEF.exe, confirm Wireshark / Resource Monitor show no outbound from acrocef.exe
  • Manual re-run with menu option 98: confirm no duplicate rules added

Followups (not in this PR, will open as separate issues)

  • Profile-aware rules (Domain / Private / Public).
  • Whitelist mode for legitimate updaters.
  • Group Policy XML export.
  • Restore-point creation before mass changes.
  • netsh import bulk-add (single .wfw file with all rules).

Post-merge checklist for the maintainer

@ph33nx ph33nx force-pushed the maintenance-2026-05 branch from b282527 to da9280d Compare May 10, 2026 23:19
@ph33nx ph33nx merged commit 2be926f into main May 10, 2026
4 checks passed
@ph33nx ph33nx deleted the maintenance-2026-05 branch May 10, 2026 23:21
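
A sketch of the kind of coverage guard the description attributes to tools/audit-coverage.sh, added here as an example and not the project's own script. The function and variable names are hypothetical, and ignoring batch comment lines is an assumption of this example, so that a token surviving only in a `rem` line does not count as coverage.

```bash
#!/usr/bin/env bash
# Added example, not the repository's tools/audit-coverage.sh.
# Hypothetical names: audit_coverage, REQUIRED_EXES, REQUIRED_VARS.
REQUIRED_EXES='acrocef.exe
RdrCEF.exe
AcroCEF.exe
Acrobat.exe
AcroRd32.exe
AdobeNotificationClient.exe
AdobeIPCBroker.exe
AGSService.exe
AdobeUpdateService.exe
Creative Cloud.exe'

REQUIRED_VARS='%ProgramFiles%
%ProgramFiles(x86)%
%CommonProgramFiles%
%CommonProgramFiles(x86)%
%ProgramData%
%LOCALAPPDATA%
%APPDATA%'

# audit_coverage FILE: print "MISSING: <token>" for every required token the
# batch file no longer references; return 0 if complete, 1 if not, 2 if unreadable.
audit_coverage() {
  local file=$1 missing=0 token code
  [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
  # Assumption of this example: drop rem / :: comment lines before matching.
  code=$(grep -Eiv '^[[:space:]]*@?(rem([[:space:]]|$)|::)' "$file" || true)
  while IFS= read -r token; do
    # -F: literal match, so "(x86)" and "." are not regex; -i: Windows names ignore case.
    if ! printf '%s\n' "$code" | grep -Fqi -- "$token"; then
      echo "MISSING: $token"
      missing=1
    fi
  done <<EOF
$REQUIRED_EXES
$REQUIRED_VARS
EOF
  return "$missing"
}
```

Run as a CI step, a non-zero return fails the job and the printed lines name exactly which executable or path variable lost coverage.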

Development

Successfully merging this pull request may close these issues.

Adobe AcroCEF (acrocef.exe) detected this .exe wants to connect to internet
