Introduce a Security validation GitHub Actions workflow and tests, add a .gitignore for __pycache__, and harden many scripts across the repo. Changes include: atomic, ACL-restricted state handling and CSV safety for Monitor-ADGroupChanges.ps1; safer Watch-Command.ps1 using a scriptblock param; stricter shell scripts (set -Eeuo pipefail, input validation, umask, safer tmp files) and retire/disable unsafe installers (example-deploy.sh, gitlab-clone-group.sh). Improve utilities (docker-debug-container, expand_root_volume, gcp-subnets-enable-flow-logs, git-delete-merged-branches, github-latest-tag, gitlab image/tag checks), tighten container invocation for TeX PDF generation (digest-pinned image, reduced privileges), JS/HTML DOM updates in file-manager, and add tests/test_security_regressions.py. Overall focus: automated parsing/testing, input validation, least-privilege execution, safer file handling, and retiring unsafe prototypes.