Add Privacy Guides integration

- Introduced a new supplement for applying Privacy Guides recommendations on top of existing presets or custom settings.
- Updated documentation to include instructions for using the Privacy Guides feature in README.md, CONTRIBUTING.md, and new PRIVACY-GUIDES.md.
- Enhanced the TUI to allow users to select a base preset when applying Privacy Guides.
- Implemented backend logic to merge Privacy Guides settings with existing presets, ensuring no overlap.
- Added tests for loading and merging Privacy Guides settings.

Author: miguelmartens

CONTRIBUTING.md

@@ -77,6 +77,7 @@ Thank you for your interest in contributing. This document explains how to get s
 
 - [README.md](README.md) — Install, usage, presets
 - [docs/ADDING-PRESETS.md](docs/ADDING-PRESETS.md) — How to add a preset
+- [docs/PRIVACY-GUIDES.md](docs/PRIVACY-GUIDES.md) — Privacy Guides supplement
 - [docs/PROJECT-LAYOUT.md](docs/PROJECT-LAYOUT.md) — Directory structure
 - [docs/FUTURE.md](docs/FUTURE.md) — Possible improvements
 - [.github/workflows/README.md](.github/workflows/README.md) — CI workflows

README.md

@@ -76,6 +76,7 @@ cowardly
 ```
 
 - **Apply a preset** — Choose a preset (Quick Debloat, Maximum Privacy, Balanced, Performance, Developer, Strict Parental) and apply it.
+- **Privacy Guides recommendations** — Apply [Privacy Guides](https://www.privacyguides.org/en/desktop-browsers/#brave) Brave config as a supplement on top of any preset or Custom (Quick Debloat by default; no overlap with presets).
 - **Custom** — Toggle individual settings by category (Telemetry, Privacy & Security, Brave Features, Performance & Bloat), then apply.
 - **View current settings** — See which policy keys are set.
 - **Reset all to default** — Remove all Brave policy settings (restore defaults).
@@ -95,6 +96,14 @@ After applying or resetting, **restart Brave Browser** for changes to take effec
   cowardly --apply=max-privacy
   ```
 
+- **Privacy Guides recommendations** — Apply [Privacy Guides](https://www.privacyguides.org/en/desktop-browsers/#brave) supplement on top of any preset or Custom:
+
+  ```bash
+  cowardly --privacy-guides              # base from config or Quick Debloat
+  cowardly --privacy-guides=max-privacy  # base: Maximum Privacy
+  cowardly --privacy-guides=custom       # base: your saved Custom settings
+  ```
+
 - **Apply from a YAML file** (same format as preset `settings`):
 
   ```bash
@@ -191,7 +200,7 @@ Use **Space** to toggle, **Enter** to apply, **a** to select all, **n** to selec
 
 ## Project layout
 
-The repo follows the [Standard Go Project Layout](https://github.com/golang-standards/project-layout). See **[docs/PROJECT-LAYOUT.md](docs/PROJECT-LAYOUT.md)** for the directory overview, **[docs/PLATFORMS.md](docs/PLATFORMS.md)** for current and possible future platform support (macOS / Linux / Windows), and **[docs/POLICY-ENFORCEMENT.md](docs/POLICY-ENFORCEMENT.md)** for how policy enforcement works on macOS (managed vs user preferences, raw XML plist, AppleScript auth). A summary of implemented features is in **[docs/FEATURES.md](docs/FEATURES.md)**; possible future improvements are in **[docs/FUTURE.md](docs/FUTURE.md)**.
+The repo follows the [Standard Go Project Layout](https://github.com/golang-standards/project-layout). See **[docs/PROJECT-LAYOUT.md](docs/PROJECT-LAYOUT.md)** for the directory overview, **[docs/PLATFORMS.md](docs/PLATFORMS.md)** for current and possible future platform support (macOS / Linux / Windows), and **[docs/POLICY-ENFORCEMENT.md](docs/POLICY-ENFORCEMENT.md)** for how policy enforcement works on macOS (managed vs user preferences, raw XML plist, AppleScript auth). A summary of implemented features is in **[docs/FEATURES.md](docs/FEATURES.md)**; possible future improvements are in **[docs/FUTURE.md](docs/FUTURE.md)**. For the Privacy Guides supplement, see **[docs/PRIVACY-GUIDES.md](docs/PRIVACY-GUIDES.md)**.
 
 ## Development
 

cmd/cowardly/main.go

@@ -46,6 +46,12 @@ func main() {
 		case strings.HasPrefix(arg, "apply="):
 			applyPreset(strings.TrimPrefix(arg, "apply="))
 			return
+		case arg == "privacy-guides":
+			applyPrivacyGuides(parsePrivacyGuidesBase("privacy-guides"))
+			return
+		case strings.HasPrefix(arg, "privacy-guides="):
+			applyPrivacyGuides(strings.TrimPrefix(arg, "privacy-guides="))
+			return
 		case arg == "dry-run":
 			dryRun("quick")
 			return
@@ -105,6 +111,22 @@ func versionInfo() {
 	}
 }
 
+// parsePrivacyGuidesBase returns the base preset ID if presetID is privacy-guides form, else "".
+// "privacy-guides" -> config base if set, else "quick"; "privacy-guides:max-privacy" -> "max-privacy".
+func parsePrivacyGuidesBase(presetID string) string {
+	if presetID == "privacy-guides" {
+		base, _ := userconfig.PrivacyGuidesBaseFromConfig()
+		if base != "" {
+			return base
+		}
+		return presets.PrivacyGuidesBasePresetID
+	}
+	if strings.HasPrefix(presetID, "privacy-guides:") {
+		return strings.TrimPrefix(presetID, "privacy-guides:")
+	}
+	return ""
+}
+
 func findPreset(id string) *presets.Preset {
 	plist, _ := presets.AllWithError()
 	if plist == nil {
@@ -118,22 +140,59 @@ func findPreset(id string) *presets.Preset {
 	return nil
 }
 
+func privacyGuidesSettings(baseID string) ([]brave.Setting, error) {
+	if baseID == "custom" {
+		desired, _ := userconfig.Read()
+		if desired == nil || len(desired.Settings) == 0 {
+			return nil, fmt.Errorf("no custom settings in config to use as base")
+		}
+		supplement, err := presets.LoadPrivacyGuides()
+		if err != nil {
+			return nil, err
+		}
+		return presets.MergeSettingsWithSupplement(desired.Settings, supplement), nil
+	}
+	return presets.PrivacyGuidesMerged(baseID)
+}
+
 func dryRun(presetID string) {
-	p := findPreset(presetID)
-	if p == nil {
-		fmt.Fprintf(os.Stderr, "Preset %q not found.\n", presetID)
-		os.Exit(1)
+	var settings []brave.Setting
+	if baseID := parsePrivacyGuidesBase(presetID); baseID != "" {
+		var err error
+		settings, err = privacyGuidesSettings(baseID)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "privacy-guides: %v\n", err)
+			os.Exit(1)
+		}
+	} else {
+		p := findPreset(presetID)
+		if p == nil {
+			fmt.Fprintf(os.Stderr, "Preset %q not found.\n", presetID)
+			os.Exit(1)
+		}
+		settings = p.Settings
 	}
-	fmt.Println(brave.DryRun(p.Settings))
+	fmt.Println(brave.DryRun(settings))
 }
 
 func diffPreset(presetID string) {
-	p := findPreset(presetID)
-	if p == nil {
-		fmt.Fprintf(os.Stderr, "Preset %q not found.\n", presetID)
-		os.Exit(1)
+	var settings []brave.Setting
+	if baseID := parsePrivacyGuidesBase(presetID); baseID != "" {
+		var err error
+		settings, err = privacyGuidesSettings(baseID)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "privacy-guides: %v\n", err)
+			os.Exit(1)
+		}
+	} else {
+		p := findPreset(presetID)
+		if p == nil {
+			fmt.Fprintf(os.Stderr, "Preset %q not found.\n", presetID)
+			os.Exit(1)
+		}
+		settings = p.Settings
 	}
-	diff := brave.Diff(p.Settings)
+	diff := brave.Diff(settings)
 	if diff == "" {
 		fmt.Println("No changes (current values match preset).")
 		return
@@ -142,6 +201,41 @@ func diffPreset(presetID string) {
 	fmt.Println(diff)
 }
 
+func applyPrivacyGuides(basePresetID string) {
+	if basePresetID == "" {
+		basePresetID = presets.PrivacyGuidesBasePresetID
+	}
+	if !brave.BraveInstalled() {
+		fmt.Fprintln(os.Stderr, "Brave Browser not found in /Applications.")
+		os.Exit(1)
+	}
+	if brave.BraveRunning() {
+		fmt.Fprintln(os.Stderr, "Warning: Brave is running. Quit Brave for a clean apply.")
+	}
+	settings, err := privacyGuidesSettings(basePresetID)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "privacy-guides: %v\n", err)
+		os.Exit(1)
+	}
+	if path, err := brave.BackupUserPlist(); err == nil {
+		fmt.Fprintf(os.Stderr, "Backed up user plist to %s\n", path)
+	}
+	managed, err := brave.ApplySettings(settings)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "apply failed: %v\n", err)
+		os.Exit(1)
+	}
+	if managed {
+		fmt.Printf("Applied Privacy Guides recommendations (enforced). Restart Brave for changes to take effect.\n")
+	} else {
+		fmt.Printf("Applied Privacy Guides recommendations. Restart Brave. For enforced policies, approve the macOS authentication dialog when you run apply.\n")
+	}
+	fmt.Fprintf(os.Stderr, "Source: %s\n", presets.PrivacyGuidesURL)
+	if err := userconfig.WritePrivacyGuides(basePresetID); err != nil {
+		fmt.Fprintf(os.Stderr, "Note: could not save desired state to ~/.config/cowardly: %v\n", err)
+	}
+}
+
 func applyPreset(presetID string) {
 	if !brave.BraveInstalled() {
 		fmt.Fprintln(os.Stderr, "Brave Browser not found in /Applications.")
@@ -459,6 +553,7 @@ Usage:
   cowardly                        Start the TUI
   cowardly --apply, -a             Apply Quick Debloat preset and exit
   cowardly --apply=<id>            Apply preset by ID (e.g. quick, max-privacy)
+  cowardly --privacy-guides [=base] Apply Privacy Guides supplement (default base: quick)
   cowardly --apply-file=<path>    Apply settings from a YAML file
   cowardly --reapply              Re-apply last saved desired state (~/.config/cowardly)
   cowardly --install-login-hook    Install Launch Agent to run --reapply at login

configs/README.md

@@ -6,4 +6,10 @@ Configuration file templates and default configs.
 
 Brave debloat presets are **YAML** files here. Each file (e.g. `01-quick.yaml`) is one preset; order in the TUI is by filename. To add a preset, add a new `.yaml` file in **configs/presets/** and rebuild. See **[docs/ADDING-PRESETS.md](../docs/ADDING-PRESETS.md)** for the format and instructions.
 
+## supplements/
+
+Supplements apply on top of presets (or Custom). Each subdirectory (e.g. **privacy-guides/**) is one supplement.
+
+- **privacy-guides/** — [Privacy Guides](https://www.privacyguides.org/en/desktop-browsers/#brave) recommended Brave configuration (Shields, P3A, De-AMP, etc.). Contains only settings not in presets. Apply via TUI or `--privacy-guides` / `--privacy-guides=<base>` (base: quick, max-privacy, custom, etc.).
+
 This directory is reserved per the [Standard Go Project Layout](https://github.com/golang-standards/project-layout). Tool configs (e.g. `.golangci.yml`, `renovate.json`) remain at repository root by convention.

configs/embed.go

@@ -9,3 +9,9 @@ import "embed"
 //
 //go:embed presets/*.yaml
 var PresetsFS embed.FS
+
+// PrivacyGuidesFS contains the Privacy Guides recommended Brave configuration.
+// See https://www.privacyguides.org/en/desktop-browsers/#brave
+//
+//go:embed supplements/privacy-guides/*.yaml
+var PrivacyGuidesFS embed.FS

configs/supplements/privacy-guides/recommendations.yaml

@@ -0,0 +1,46 @@
+# Privacy Guides supplement — applies on top of Quick Debloat preset
+# Source: https://www.privacyguides.org/en/desktop-browsers/#brave
+#
+# Contains only settings NOT in presets. Apply Privacy Guides = Quick Debloat + this.
+# Policy keys from Brave policy templates (brave-core).
+#
+# No policy available (configure manually in Brave):
+#   - Use default filter lists (behavioral recommendation)
+#   - Block Scripts (optional; disables JS entirely)
+#   - Uncheck social media components (Shields UI)
+#   - Automatically remove permissions from unused sites
+#   - Use Google services for push messaging
+settings:
+  # Data Collection — P3A, daily usage ping (Brave-specific; not in presets)
+  - key: BraveP3AEnabled
+    value: false
+    type: bool
+  - key: BraveStatsPingEnabled
+    value: false
+    type: bool
+  # Shields — Trackers, HTTPS, fingerprinting, forget on close
+  - key: DefaultBraveAdblockSetting
+    value: 2
+    type: integer
+  - key: DefaultBraveHttpsUpgradeSetting
+    value: 2
+    type: integer
+  - key: DefaultBraveFingerprintingV2Setting
+    value: 3
+    type: integer
+  - key: DefaultBraveRemember1PStorageSetting
+    value: 2
+    type: integer
+  # Privacy & Security — AMP, tracking redirects, language FP, V8 JIT
+  - key: BraveDeAmpEnabled
+    value: true
+    type: bool
+  - key: BraveDebouncingEnabled
+    value: true
+    type: bool
+  - key: BraveReduceLanguageEnabled
+    value: true
+    type: bool
+  - key: DefaultJavaScriptJitSetting
+    value: 2
+    type: integer