This project's implementation is generated by Claude Code under the direction and supervision of LordBlacksun. Every change is reviewed and approved by a human before being committed. Community review is a core part of how this project stays safe.

This tool has a minimal attack surface by design:

• No network access by default. The application makes zero network connections unless the user enables optional artwork downloads (Steam CDN only) or update checks (GitHub Releases API only). No telemetry, no analytics.
• No kernel access. This is a userspace application using standard Windows APIs.
• No credentials. The application does not store, transmit, or process any credentials, tokens, or authentication material.
• Local config only. Configuration is a JSON file at %APPDATA%\X3DCCDInspector\config.json. It contains process names and UI preferences. No sensitive data.
• No IPC. No named pipes, no shared memory, no sockets, no COM objects exposed.

For transparency, here is what the application interacts with:

• Process enumeration -- reads the list of running processes via System.Diagnostics.Process
• Process affinity (fallback mode only) -- calls SetProcessAffinityMask via P/Invoke to change which CPU cores the game process can run on. This is a standard, reversible Windows API call. Only applies to the detected game process, never to background processes. Protected process list enforced.
• AMD driver registry -- reads and writes per-app CCD preference profiles at HKLM\SYSTEM\CurrentControlSet\Services\amd3dvcache\Preferences\App\. These are the same registry entries that AMD's own tools use.
• CPU topology -- queries CPU cache topology via GetLogicalProcessorInformationEx and WMI
• Performance counters -- reads per-core CPU load and frequency via PDH counters
• ETW kernel events -- traces process start/stop events for game detection
• Foreground window -- calls GetForegroundWindow for overlay game-only visibility
• File system -- reads/writes its own config, log, and game database files in %APPDATA%\X3DCCDInspector\

All of these are standard, documented Windows APIs.

If you find a security issue, please report it responsibly:

1. Do not open a public issue. Use GitHub's private vulnerability reporting feature on the repository.
2. Include a description of the vulnerability and steps to reproduce.
3. Allow reasonable time for a fix before public disclosure.

The following are not security vulnerabilities in this project:

• Anticheat detection. Per-game CCD preference uses AMD's own registry interface and does not modify any game process. Affinity pinning (fallback) modifies the game's CPU affinity mask, which is a standard Windows feature but may interact with some aggressive anti-cheat systems.
• Access denied errors. The tool intentionally skips system processes it cannot modify. Protected process list enforcement is correct behavior.
• Config file tampering. The config file is in the user's own %APPDATA% directory. If an attacker has write access there, they already have far more dangerous options.