diff --git a/powershell/Maester.Format.ps1xml b/powershell/Maester.Format.ps1xml
index 57eb7dd89..dfeeddb68 100644
--- a/powershell/Maester.Format.ps1xml
+++ b/powershell/Maester.Format.ps1xml
@@ -103,6 +103,28 @@
                   }
                 </ScriptBlock>
               </ListItem>
+              <ListItem>
+                <ItemSelectionCondition>
+                  <ScriptBlock>
+                    $null -ne $_.GitHub
+                  </ScriptBlock>
+                </ItemSelectionCondition>
+                <Label>GitHub</Label>
+                <ScriptBlock>
+                  if ($_.GitHub) {
+                    $connectedText = if ($_.GitHub.Connected) { 'Connected' } else { 'Not connected' }
+                    "$connectedText`n" +
+                    "Organization:                       $($_.GitHub.Organization)`n" +
+                    "Token Login:                        $($_.GitHub.TokenLogin)`n" +
+                    "API Base URI:                       $($_.GitHub.ApiBaseUri)`n" +
+                    "Role:                               $($_.GitHub.Role)`n" +
+                    "Role State:                         $($_.GitHub.RoleState)`n" +
+                    "Administration Permission Verified: $($_.GitHub.AdministrationPermissionVerified)`n"
+                  } else {
+                    ''
+                  }
+                </ScriptBlock>
+              </ListItem>
             </ListItems>
           </ListEntry>
         </ListEntries>
diff --git a/powershell/Maester.psd1 b/powershell/Maester.psd1
index a8142ff5c..cbf02acf2 100644
--- a/powershell/Maester.psd1
+++ b/powershell/Maester.psd1
@@ -57,9 +57,9 @@
     # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
     FunctionsToExport    = @(
         'Add-MtMaesterAppFederatedCredential', 'Add-MtTestResultDetail', 'Clear-MtDnsCache', 'Clear-MtExoCache',
-        'Clear-MtGraphCache', 'Compare-MtJsonObject', 'Compare-MtTestResult', 'Connect-Maester', 'Convert-MtResultsToFlatObject',
+        'Clear-MtGraphCache', 'Compare-MtJsonObject', 'Compare-MtTestResult', 'Connect-Maester', 'Connect-MtGitHub', 'Convert-MtResultsToFlatObject',
         'ConvertFrom-MailAuthenticationRecordDkim', 'ConvertFrom-MailAuthenticationRecordDmarc',
-        'ConvertFrom-MailAuthenticationRecordMx', 'ConvertFrom-MailAuthenticationRecordSpf', 'Disconnect-Maester',
+        'ConvertFrom-MailAuthenticationRecordMx', 'ConvertFrom-MailAuthenticationRecordSpf', 'Disconnect-Maester', 'Disconnect-MtGitHub',
         'Get-MailAuthenticationRecord', 'Get-MtAdminPortalUrl', 'Get-MtAuthenticationMethodPolicyConfig',
         'Get-MtAzureManagementGroup', 'Get-MtConditionalAccessPolicy', 'Get-MtExo', 'Get-MtExoThreatPolicyMalware',
         'Get-MtGraphScope', 'Get-MtGroupMember', 'Get-MtHtmlReport', 'Get-MtLicenseInformation', 'Get-MtMaesterApp', 'Get-MtRole',
@@ -128,7 +128,10 @@
         'Test-MtCisConnectionFilterSafeList', 'Test-MtCisCreateTenantDisallowed', 'Test-MtCisCustomerLockBox',
         'Test-MtCisDevicesWithoutCompliancePolicyMarked', 'Test-MtCisDkim', 'Test-MtCisEnsureGuestAccessRestricted',
         'Test-MtCisEnsureGuestUserDynamicGroup', 'Test-MtCisEnsureUserConsentToAppsDisallowed', 'Test-MtCisExoAdditionalStorageProvider',
-        'Test-MtCisFormsPhishingProtectionEnabled', 'Test-MtCisGlobalAdminCount', 'Test-MtCisHostedConnectionFilterPolicy',
+        'Test-MtCisFormsPhishingProtectionEnabled', 'Test-MtCisGitHubIssueDeletionLimited',
+        'Test-MtCisGitHubRepositoryCreationLimited', 'Test-MtCisGitHubRepositoryDeletionLimited',
+        'Test-MtCisGitHubStrictBasePermission', 'Test-MtCisGitHubTeamCreationLimited',
+        'Test-MtCisGlobalAdminCount', 'Test-MtCisHostedConnectionFilterPolicy',
         'Test-MtCisInternalMalwareNotification', 'Test-MtCisOutboundSpamFilterPolicy', 'Test-MtCisPasswordExpiry',
         'Test-MtCisSafeAntiPhishingPolicy', 'Test-MtCisSafeAttachment', 'Test-MtCisSafeAttachmentsAtpPolicy',
         'Test-MtCisSafeLink', 'Test-MtCisSharedMailboxSignIn', 'Test-MtCisTeamsLobbyBypass',
diff --git a/powershell/Maester.psm1 b/powershell/Maester.psm1
index 1cb989e9f..3dd22854f 100644
--- a/powershell/Maester.psm1
+++ b/powershell/Maester.psm1
@@ -25,6 +25,7 @@ $__MtSession = @{
 	DataverseApiBase = $null       # Resolved Dataverse OData API base URL (e.g. https://org123.api.crm.dynamics.com/api/data/v9.2)
 	DataverseResourceUrl = $null   # Dataverse resource URL for token acquisition (e.g. https://org123.crm.dynamics.com)
 	DataverseEnvironmentId = $null # Environment identifier for display (e.g. org123.crm.dynamics.com)
+	GitHubCache = @{}              # Per-session REST response cache; cleared each Invoke-Maester run
 }
 New-Variable -Name __MtSession -Value $__MtSession -Scope Script -Force
 
diff --git a/powershell/internal/Clear-ModuleVariable.ps1 b/powershell/internal/Clear-ModuleVariable.ps1
index 17879e660..bb456aabd 100644
--- a/powershell/internal/Clear-ModuleVariable.ps1
+++ b/powershell/internal/Clear-ModuleVariable.ps1
@@ -21,5 +21,8 @@
     Clear-MtExoCache
     $__MtSession.AIAgentInfo = $null
     $__MtSession.AzureDevOpsConnection = $null
+    # Do not clear GitHubConnection or GitHubAuthHeader — the user calls Connect-MtGitHub before
+    # Invoke-Maester; the session must persist across runs. Only the per-run cache is reset.
+    $__MtSession.GitHubCache = @{}
     # $__MtSession.Connections = @() # Do not clear connections as they are used to track the connection state. This module variable should only be set by Connect-Maester and Disconnect-Maester.
 }
diff --git a/powershell/internal/Get-MtGitHubCacheKey.ps1 b/powershell/internal/Get-MtGitHubCacheKey.ps1
new file mode 100644
index 000000000..a34a2c53b
--- /dev/null
+++ b/powershell/internal/Get-MtGitHubCacheKey.ps1
@@ -0,0 +1,17 @@
+function Get-MtGitHubCacheKey {
+    <#
+    .SYNOPSIS
+    Internal: Builds the per-session GitHub REST cache key.
+    #>
+    [CmdletBinding()]
+    [OutputType([string])]
+    param(
+        [Parameter(Mandatory = $true)]
+        [string] $ApiVersion,
+
+        [Parameter(Mandatory = $true)]
+        [string] $AbsoluteUri
+    )
+
+    return "$ApiVersion|$AbsoluteUri"
+}
diff --git a/powershell/internal/Get-MtGitHubErrorMessage.ps1 b/powershell/internal/Get-MtGitHubErrorMessage.ps1
new file mode 100644
index 000000000..43b4151b3
--- /dev/null
+++ b/powershell/internal/Get-MtGitHubErrorMessage.ps1
@@ -0,0 +1,27 @@
+function Get-MtGitHubErrorMessage {
+    <#
+    .SYNOPSIS
+    Internal: Extracts the most useful GitHub API error message from an ErrorRecord.
+
+    .DESCRIPTION
+    Prefers a JSON ErrorDetails.Message `message` property when present, falls back to
+    the raw error-details string, then to the exception message or full ErrorRecord text.
+    #>
+    param([Parameter(Mandatory)] $ErrorRecord)
+    if (-not [string]::IsNullOrEmpty($ErrorRecord.ErrorDetails.Message)) {
+        try {
+            $parsed = $ErrorRecord.ErrorDetails.Message | ConvertFrom-Json -ErrorAction Stop
+            if ($parsed.PSObject.Properties.Name -contains 'message' -and
+                -not [string]::IsNullOrEmpty($parsed.message)) {
+                return $parsed.message
+            }
+        } catch {
+            Write-Debug "Get-MtGitHubErrorMessage: ErrorDetails.Message is not JSON, returning raw string."
+        }
+        return $ErrorRecord.ErrorDetails.Message
+    }
+    if (-not [string]::IsNullOrEmpty($ErrorRecord.Exception.Message)) {
+        return $ErrorRecord.Exception.Message
+    }
+    return ($ErrorRecord | Out-String)
+}
diff --git a/powershell/internal/Get-MtGitHubErrorStatusCode.ps1 b/powershell/internal/Get-MtGitHubErrorStatusCode.ps1
new file mode 100644
index 000000000..d1769dfc2
--- /dev/null
+++ b/powershell/internal/Get-MtGitHubErrorStatusCode.ps1
@@ -0,0 +1,19 @@
+function Get-MtGitHubErrorStatusCode {
+    <#
+    .SYNOPSIS
+    Internal: Extracts an HTTP status code from a GitHub API ErrorRecord.
+
+    .DESCRIPTION
+    Returns the integer status code when the ErrorRecord includes an HTTP response, or
+    $null for transport failures where no HTTP response was produced.
+    #>
+    param([Parameter(Mandatory)] $ErrorRecord)
+    try {
+        if ($ErrorRecord.Exception.Response -and $ErrorRecord.Exception.Response.StatusCode) {
+            return [int]$ErrorRecord.Exception.Response.StatusCode
+        }
+    } catch {
+        Write-Debug "Get-MtGitHubErrorStatusCode: $($_.Exception.Message)"
+    }
+    return $null
+}
diff --git a/powershell/internal/Get-MtGitHubOrganization.ps1 b/powershell/internal/Get-MtGitHubOrganization.ps1
new file mode 100644
index 000000000..fcbaa2e0d
--- /dev/null
+++ b/powershell/internal/Get-MtGitHubOrganization.ps1
@@ -0,0 +1,17 @@
+function Get-MtGitHubOrganization {
+    <#
+    .SYNOPSIS
+    Internal: Gets the connected GitHub organization object using the session cache.
+    #>
+    [CmdletBinding()]
+    param()
+
+    if ($null -eq $__MtSession.GitHubConnection -or
+        $__MtSession.GitHubConnection.Connected -ne $true) {
+        throw "Not connected to GitHub. Call Connect-MtGitHub first."
+    }
+
+    # Connect-MtGitHub stores the raw organization login; encode it here for the path segment.
+    $encodedOrg = [System.Uri]::EscapeDataString($__MtSession.GitHubConnection.Organization)
+    Invoke-MtGitHubRequest -RelativeUri "/orgs/$encodedOrg"
+}
diff --git a/powershell/internal/Get-MtGitHubRateLimitMessage.ps1 b/powershell/internal/Get-MtGitHubRateLimitMessage.ps1
new file mode 100644
index 000000000..f55609689
--- /dev/null
+++ b/powershell/internal/Get-MtGitHubRateLimitMessage.ps1
@@ -0,0 +1,75 @@
+function Get-MtGitHubRateLimitMessage {
+    <#
+    .SYNOPSIS
+    Internal: Returns a GitHub rate-limit message for an ErrorRecord, or $null when the
+    error is not a rate-limit response.
+
+    .DESCRIPTION
+    Mirrors the rate-limit detection in Invoke-MtGitHubRequest so that bootstrap callers
+    (Connect-MtGitHub) can distinguish HTTP 403/429 caused by rate limiting from
+    permission, token, or org-access failures.
+
+    Returns:
+      - "GitHub API rate limit encountered (HTTP <code>). Resets at: <time>" when the
+        response carries x-ratelimit-remaining = 0 (primary rate limit).
+      - "GitHub secondary rate limit encountered (HTTP <code>). Retry after: <n>s" when
+        the response carries retry-after (secondary rate limit / abuse detection).
+      - "GitHub secondary rate limit encountered (HTTP <code>). Retry after at least 60s."
+        when the response body indicates secondary-limit / abuse-detection wording but
+        no retry-after header is present.
+      - $null for any other error, including 403/429 without rate-limit headers.
+    #>
+    param(
+        [Parameter(Mandatory)] $ErrorRecord
+    )
+
+    $code = Get-MtGitHubErrorStatusCode -ErrorRecord $ErrorRecord
+    if ($code -notin 403, 429) { return $null }
+
+    $response = $null
+    try {
+        if ($null -ne $ErrorRecord.Exception) { $response = $ErrorRecord.Exception.Response }
+    } catch {
+        Write-Debug "Get-MtGitHubRateLimitMessage: $($_.Exception.Message)"
+    }
+    if ($null -eq $response) { return $null }
+
+    $headers = $null
+    try { $headers = $response.Headers } catch {
+        Write-Debug "Get-MtGitHubRateLimitMessage headers: $($_.Exception.Message)"
+    }
+    if ($null -eq $headers) { return $null }
+
+    $remaining = Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'x-ratelimit-remaining'
+    $remainingValue = 0
+    $remainingParsed = $null -ne $remaining -and [int]::TryParse([string]$remaining, [ref]$remainingValue)
+    if ($remainingParsed -and $remainingValue -eq 0) {
+        $reset = Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'x-ratelimit-reset'
+        $resetSeconds = 0L
+        $resetTime = 'unknown'
+        if ($null -ne $reset -and [long]::TryParse([string]$reset, [ref]$resetSeconds)) {
+            try { $resetTime = [DateTimeOffset]::FromUnixTimeSeconds($resetSeconds).LocalDateTime } catch {
+                Write-Debug "Get-MtGitHubRateLimitMessage reset conversion: $($_.Exception.Message)"
+            }
+        }
+        return "GitHub API rate limit encountered (HTTP $code). Resets at: $resetTime"
+    }
+
+    $retryAfter = Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'retry-after'
+    if ($null -ne $retryAfter) {
+        return "GitHub secondary rate limit encountered (HTTP $code). Retry after: ${retryAfter}s"
+    }
+
+    # Some secondary-limit responses omit retry-after entirely (e.g. older abuse-detection
+    # responses, or responses where the proxy strips the header). Fall back to body wording -
+    # GitHub's documented messages include phrases like "secondary rate limit" and
+    # "abuse detection mechanism". When matched, recommend the 60-second minimum backoff
+    # documented at https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api.
+    $bodyMessage = Get-MtGitHubErrorMessage -ErrorRecord $ErrorRecord
+    if (-not [string]::IsNullOrEmpty($bodyMessage) -and
+        $bodyMessage -match '(?i)secondary\s+rate\s+limit|abuse\s+detection') {
+        return "GitHub secondary rate limit encountered (HTTP $code). Retry after at least 60s."
+    }
+
+    return $null
+}
diff --git a/powershell/internal/Get-MtGitHubResponseHeaderValue.ps1 b/powershell/internal/Get-MtGitHubResponseHeaderValue.ps1
new file mode 100644
index 000000000..37af59949
--- /dev/null
+++ b/powershell/internal/Get-MtGitHubResponseHeaderValue.ps1
@@ -0,0 +1,36 @@
+function Get-MtGitHubResponseHeaderValue {
+    param(
+        [Parameter()] $Headers,
+        [Parameter(Mandatory)] [string] $Name
+    )
+    if ($null -eq $Headers) { return $null }
+    # IDictionary covers PS 5.1 WebHeaderCollection and PS 7 Dictionary.
+    # Iterate keys with -ieq for case-insensitive match (plain hashtables are case-sensitive).
+    if ($Headers -is [System.Collections.IDictionary]) {
+        foreach ($key in $Headers.Keys) {
+            if ($key -ieq $Name) {
+                $value = $Headers[$key]
+                if ($value -is [array]) { return $value[0] }
+                return $value
+            }
+        }
+        return $null
+    }
+    # HttpResponseHeaders in PS 7 exposes GetValues / TryGetValues
+    if ($Headers.PSObject.Methods.Name -contains 'GetValues') {
+        try { return ($Headers.GetValues($Name) | Select-Object -First 1) } catch {
+            Write-Debug "Get-MtGitHubResponseHeaderValue GetValues: $($_.Exception.Message)"
+        }
+    }
+    if ($Headers.PSObject.Methods.Name -contains 'TryGetValues') {
+        try {
+            $values = $null
+            if ($Headers.TryGetValues($Name, [ref]$values)) {
+                return ($values | Select-Object -First 1)
+            }
+        } catch {
+            Write-Debug "Get-MtGitHubResponseHeaderValue TryGetValues: $($_.Exception.Message)"
+        }
+    }
+    return $null
+}
diff --git a/powershell/internal/Get-MtSkippedReason.ps1 b/powershell/internal/Get-MtSkippedReason.ps1
index 3e7c806ac..fb298dfbf 100644
--- a/powershell/internal/Get-MtSkippedReason.ps1
+++ b/powershell/internal/Get-MtSkippedReason.ps1
@@ -14,6 +14,7 @@
         "NotConnectedSecurityCompliance" { "Not connected to Security & Compliance. See [Connecting to Security & Compliance](https://maester.dev/docs/connect-maester/#connect-to-azure-exchange-online-and-teams)"; break}
         "NotConnectedTeams" { "Not connected to Teams. See [Connecting to Teams](https://maester.dev/docs/connect-maester/#connect-to-azure-exchange-online-and-teams)"; break}
         "NotConnectedAzureDevOps" { "Not connected to Azure DevOps. See [Connecting to Azure DevOps](https://maester.dev/docs/connect-maester/#connect-to-azure-devops-optional)"; break}
+        "NotConnectedGitHub" { "Not connected to GitHub. Call Connect-MtGitHub with a valid PAT and organization name. See [Connect-MtGitHub](https://maester.dev/docs/commands/Connect-MtGitHub)"; break}
         "NotConnectedGraph" { "Not connected to Graph. See [Connect-Maester](https://maester.dev/docs/commands/Connect-Maester#examples)"; break}
         "NotDotGovDomain" { "This test is only for federal, executive branch, departments and agencies. To override use [Test-MtCisaDmarcAggregateCisa -Force](https://maester.dev/docs/commands/Test-MtCisaDmarcAggregateCisa)"; break}
         "NotLicensedEntraIDP1" { "This test is for tenants that are licensed for Entra ID P1. See [Entra ID licensing](https://learn.microsoft.com/entra/fundamentals/licensing)"; break}
diff --git a/powershell/internal/Invoke-MtGitHubRequest.ps1 b/powershell/internal/Invoke-MtGitHubRequest.ps1
new file mode 100644
index 000000000..fa3cb7e85
--- /dev/null
+++ b/powershell/internal/Invoke-MtGitHubRequest.ps1
@@ -0,0 +1,152 @@
+function Invoke-MtGitHubRequest {
+    <#
+    .SYNOPSIS
+    Internal: Authenticated read-only GET request to GitHub REST API with caching and pagination.
+
+    .DESCRIPTION
+    Uses Invoke-WebRequest for PowerShell 5.1 compatibility (Invoke-RestMethod
+    -ResponseHeadersVariable is PowerShell 7+ only). Provides per-session caching,
+    explicit opt-in pagination, and rate-limit detection.
+
+    Cache key: ApiVersion|absoluteUri (cleared on reconnect and by Clear-ModuleVariable).
+    Rate-limit detection: checks x-ratelimit-remaining in both success and error responses.
+
+    .PARAMETER RelativeUri
+    Path relative to ApiBaseUri. URL-encode path segments with [Uri]::EscapeDataString.
+
+    .PARAMETER Paginate
+    Follows Link header rel="next" and appends per_page=100. Use for list endpoints only.
+
+    .PARAMETER DisableCache
+    Bypasses session cache; makes a live API call.
+    #>
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true, Position = 0)]
+        [string] $RelativeUri,
+        [switch] $Paginate,
+        [switch] $DisableCache
+    )
+
+    if ($null -eq $__MtSession.GitHubConnection -or
+        $__MtSession.GitHubConnection.Connected -ne $true) {
+        throw "Not connected to GitHub. Call Connect-MtGitHub first."
+    }
+
+    $baseUri = $__MtSession.GitHubConnection.ApiBaseUri
+    $version = $__MtSession.GitHubConnection.ApiVersion
+    $headers = $__MtSession.GitHubAuthHeader
+
+    $absUri = "$baseUri/$($RelativeUri.TrimStart('/'))"
+    if ($Paginate -and $absUri -notmatch '[?&]per_page=') {
+        $sep = if ($absUri -match '\?') { '&' } else { '?' }
+        $absUri = "${absUri}${sep}per_page=100"
+    }
+
+    $cacheKey = Get-MtGitHubCacheKey -ApiVersion $version -AbsoluteUri $absUri
+    if (-not $DisableCache -and $__MtSession.GitHubCache.ContainsKey($cacheKey)) {
+        Write-Verbose "GitHub cache hit: $absUri"
+        return $__MtSession.GitHubCache[$cacheKey]
+    }
+
+    function Invoke-Page ([string]$Uri) {
+        try {
+            $wr = Invoke-WebRequest -Uri $Uri -Headers $headers -Method GET -UseBasicParsing -ErrorAction Stop
+
+            $body = if (-not [string]::IsNullOrWhiteSpace($wr.Content)) {
+                # ConvertFrom-Json '[]' yields $null because it enumerates the (empty)
+                # array, so pagination can't distinguish "no items" from "one null item"
+                # without short-circuiting the empty-array case here.
+                if ($wr.Content.Trim() -eq '[]') {
+                    ,@()
+                } else {
+                    $wr.Content | ConvertFrom-Json
+                }
+            } else {
+                $null
+            }
+
+            # Rate-limit warning on successful response — do NOT throw; the response body is valid.
+            # TryParse rather than [int] cast: a malformed header (e.g. an upstream proxy
+            # rewriting the value) must not raise a parse exception that masks a successful response.
+            $remaining = Get-MtGitHubResponseHeaderValue -Headers $wr.Headers -Name 'x-ratelimit-remaining'
+            $remainingValue = 0
+            if ($null -ne $remaining -and [int]::TryParse([string]$remaining, [ref]$remainingValue) -and $remainingValue -eq 0) {
+                $reset = Get-MtGitHubResponseHeaderValue -Headers $wr.Headers -Name 'x-ratelimit-reset'
+                $resetValue = 0L
+                $resetTime = 'unknown'
+                if ($reset -and [long]::TryParse([string]$reset, [ref]$resetValue)) {
+                    # FromUnixTimeSeconds throws ArgumentOutOfRangeException for values
+                    # outside [-62135596800, 253402300799]. A bogus reset epoch must not
+                    # mask the successful response — fall back to 'unknown' instead.
+                    try {
+                        $resetTime = [DateTimeOffset]::FromUnixTimeSeconds($resetValue).LocalDateTime
+                    } catch {
+                        $resetTime = 'unknown'
+                    }
+                }
+                Write-Verbose "GitHub API rate limit remaining is 0 after this successful response. Resets at: $resetTime"
+            }
+
+            $linkHeader = Get-MtGitHubResponseHeaderValue -Headers $wr.Headers -Name 'Link'
+            return [PSCustomObject]@{ Body = $body; Link = $linkHeader }
+        } catch {
+            $rateLimitMessage = Get-MtGitHubRateLimitMessage -ErrorRecord $_
+            if ($rateLimitMessage) { throw $rateLimitMessage }
+            throw
+        }
+    }
+
+    function Get-NextLink ([string]$Link) {
+        if ([string]::IsNullOrEmpty($Link)) { return $null }
+        $m = [regex]::Match($Link, '<([^>]+)>;\s*rel="next"')
+        if ($m.Success) { return $m.Groups[1].Value }
+        return $null
+    }
+
+    # Refuse to follow a Link rel="next" that points outside the configured ApiBaseUri.
+    # A malicious or buggy upstream that injects a foreign URL would otherwise receive
+    # the Authorization header on a cross-origin request. Compare scheme + host + port
+    # + base path prefix so GHE bases like https://host/api/v3 are honored.
+    function Test-NextLinkSameOrigin ([string]$NextUri, [string]$BaseUri) {
+        $baseParsed = $null
+        $nextParsed = $null
+        if (-not [uri]::TryCreate($BaseUri, [UriKind]::Absolute, [ref]$baseParsed)) { return $false }
+        if (-not [uri]::TryCreate($NextUri, [UriKind]::Absolute, [ref]$nextParsed)) { return $false }
+        if ($baseParsed.Scheme -ne $nextParsed.Scheme) { return $false }
+        if (-not [string]::Equals($baseParsed.Host, $nextParsed.Host, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
+        if ($baseParsed.Port -ne $nextParsed.Port) { return $false }
+        $basePath = $baseParsed.AbsolutePath.TrimEnd('/')
+        $nextPath = $nextParsed.AbsolutePath
+        if ([string]::IsNullOrEmpty($basePath)) { return $true }
+        return $nextPath -eq $basePath -or $nextPath.StartsWith("$basePath/", [System.StringComparison]::Ordinal)
+    }
+
+    $first = Invoke-Page $absUri
+
+    if (-not $Paginate) {
+        $result = $first.Body
+    } else {
+        $all = [System.Collections.Generic.List[object]]::new()
+        # Filter $null per page so an empty-content or `[]` page does not contribute
+        # spurious null items to the merged result.
+        foreach ($item in @($first.Body)) {
+            if ($null -ne $item) { $all.Add($item) }
+        }
+        $next = Get-NextLink $first.Link
+        while ($null -ne $next) {
+            if (-not (Test-NextLinkSameOrigin -NextUri $next -BaseUri $baseUri)) {
+                throw "GitHub pagination refused: next link '$next' is outside the configured ApiBaseUri '$baseUri'."
+            }
+            $page = Invoke-Page $next
+            foreach ($item in @($page.Body)) {
+                if ($null -ne $item) { $all.Add($item) }
+            }
+            $next = Get-NextLink $page.Link
+        }
+        $result = $all.ToArray()
+    }
+
+    if (-not $DisableCache) { $__MtSession.GitHubCache[$cacheKey] = $result }
+    return $result
+}
diff --git a/powershell/internal/Test-MtGitHubObjectProperty.ps1 b/powershell/internal/Test-MtGitHubObjectProperty.ps1
new file mode 100644
index 000000000..de1cc1762
--- /dev/null
+++ b/powershell/internal/Test-MtGitHubObjectProperty.ps1
@@ -0,0 +1,24 @@
+function Test-MtGitHubObjectProperty {
+    <#
+    .SYNOPSIS
+    Internal: Returns true when a GitHub response object includes a property.
+
+    .DESCRIPTION
+    Shared readability helper for property-presence checks. It checks the response
+    object's property names rather than the property's value, so $false values are
+    still treated as present evidence.
+    #>
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param(
+        [Parameter(Mandatory = $true)]
+        [AllowNull()]
+        [object] $InputObject,
+
+        [Parameter(Mandatory = $true)]
+        [string] $PropertyName
+    )
+
+    if ($null -eq $InputObject) { return $false }
+    return $InputObject.PSObject.Properties.Name -contains $PropertyName
+}
diff --git a/powershell/public/Add-MtTestResultDetail.ps1 b/powershell/public/Add-MtTestResultDetail.ps1
index 93cff417e..290d70954 100644
--- a/powershell/public/Add-MtTestResultDetail.ps1
+++ b/powershell/public/Add-MtTestResultDetail.ps1
@@ -77,7 +77,7 @@
         [ValidateSet('NotConnectedAzure', 'NotConnectedExchange', 'NotConnectedGraph', 'NotDotGovDomain', 'NotLicensedEntraIDP1', 'NotConnectedSecurityCompliance', 'NotConnectedTeams',
             'NotLicensedEntraIDP2', 'NotLicensedEntraIDGovernance', 'NotLicensedEntraWorkloadID', 'NotLicensedExoDlp', "LicensedEntraIDPremium", 'NotSupported', 'Custom',
             'NotLicensedMdo', 'NotLicensedMdoP2', 'NotLicensedMdoP1', 'NotLicensedAdvAudit', 'NotLicensedEop', 'Error', 'NotSupportedAppPermission', 'LimitedPermissions', 'NotLicensedDefenderXDR',
-            'NotLicensedCustomerLockbox','NotAuthorized', 'NotLicensedIntune', 'NotConnectedAzureDevOps'
+            'NotLicensedCustomerLockbox','NotAuthorized', 'NotLicensedIntune', 'NotConnectedAzureDevOps', 'NotConnectedGitHub'
         )]
         [string] $SkippedBecause,
 
diff --git a/powershell/public/Disconnect-Maester.ps1 b/powershell/public/Disconnect-Maester.ps1
index 8918dd355..860b55168 100644
--- a/powershell/public/Disconnect-Maester.ps1
+++ b/powershell/public/Disconnect-Maester.ps1
@@ -11,6 +11,10 @@
     Disconnect-MgGraph
     ```
 
+    When invoked as Disconnect-Maester or Disconnect-MtMaester, also clears any active GitHub
+    REST session (token, connection metadata, per-session cache). The Disconnect-MtGraph alias
+    keeps its narrow Graph-only semantic and does NOT clear GitHub state.
+
     .Example
     Disconnect-MtGraph
 
@@ -27,26 +31,44 @@
    [CmdletBinding()]
    param()
 
-   if($__MtSession.Connections -contains "Graph" -or $__MtSession.Connections -contains "All"){
-      Write-Verbose -Message "Disconnecting from Microsoft Graph."
-      Disconnect-MgGraph
+   # Strip module qualifier (e.g. 'Maester\Disconnect-Maester') so module-qualified
+   # invocation still routes to the GitHub-clearing branch. PowerShell uses '\' for
+   # the qualifier on all OSes, so split on the literal char rather than Split-Path.
+   # Computed up-front so a failure in any service-disconnect call below cannot
+   # leave GitHub state behind: cleanup runs from the finally block.
+   $invokedAs = if ([string]::IsNullOrEmpty($MyInvocation.InvocationName)) {
+      $MyInvocation.MyCommand.Name
+   } else {
+      ($MyInvocation.InvocationName -split '\\')[-1]
    }
+   $shouldDisconnectGitHub = $invokedAs -iin @('Disconnect-Maester','Disconnect-MtMaester')
 
-   if($__MtSession.Connections -contains "Azure" -or $__MtSession.Connections -contains "Dataverse" -or $__MtSession.Connections -contains "All"){
-      Write-Verbose -Message "Disconnecting from Microsoft Azure."
-      try {
-         Disconnect-AzAccount -ErrorAction Stop | Out-Null
-      } catch {
-         Write-Verbose "Disconnect-AzAccount encountered an error: $($_.Exception.Message)"
+   try {
+      if($__MtSession.Connections -contains "Graph" -or $__MtSession.Connections -contains "All"){
+         Write-Verbose -Message "Disconnecting from Microsoft Graph."
+         Disconnect-MgGraph
       }
-   }
 
-   if($__MtSession.Connections -contains "ExchangeOnline" -or $__MtSession.Connections -contains "SecurityCompliance" -or $__MtSession.Connections -contains "All"){
-      Write-Verbose -Message "Disconnecting from Microsoft Exchange Online."
-      Disconnect-ExchangeOnline
-   }
-   if($__MtSession.Connections -contains "Teams" -or $__MtSession.Connections -contains "All"){
-      Write-Verbose -Message "Disconnecting from Microsoft Teams."
-      Disconnect-MicrosoftTeams
+      if($__MtSession.Connections -contains "Azure" -or $__MtSession.Connections -contains "Dataverse" -or $__MtSession.Connections -contains "All"){
+         Write-Verbose -Message "Disconnecting from Microsoft Azure."
+         try {
+            Disconnect-AzAccount -ErrorAction Stop | Out-Null
+         } catch {
+            Write-Verbose "Disconnect-AzAccount encountered an error: $($_.Exception.Message)"
+         }
+      }
+
+      if($__MtSession.Connections -contains "ExchangeOnline" -or $__MtSession.Connections -contains "SecurityCompliance" -or $__MtSession.Connections -contains "All"){
+         Write-Verbose -Message "Disconnecting from Microsoft Exchange Online."
+         Disconnect-ExchangeOnline
+      }
+      if($__MtSession.Connections -contains "Teams" -or $__MtSession.Connections -contains "All"){
+         Write-Verbose -Message "Disconnecting from Microsoft Teams."
+         Disconnect-MicrosoftTeams
+      }
+   } finally {
+      if ($shouldDisconnectGitHub) {
+         Disconnect-MtGitHub
+      }
    }
 }
diff --git a/powershell/public/cis/Test-MtCisGitHubIssueDeletionLimited.md b/powershell/public/cis/Test-MtCisGitHubIssueDeletionLimited.md
new file mode 100644
index 000000000..39ec35551
--- /dev/null
+++ b/powershell/public/cis/Test-MtCisGitHubIssueDeletionLimited.md
@@ -0,0 +1,47 @@
+1.2.4 (L1) Ensure issue deletion is limited to specific users
+
+CIS Benchmark: CIS GitHub Benchmark v1.2.0
+
+Assessment Status: Manual
+
+#### Rationale
+
+Issues often capture defects, milestones, operational history, and security-relevant discussion. Broad issue deletion rights can disrupt development records or remove evidence of suspicious activity, so deletion should be limited to trusted users.
+
+#### Impact
+
+Members without the required repository or organization role will not be able to delete issues. Organizations may need a documented escalation path for legitimate issue cleanup.
+
+#### Maester automation note
+
+CIS marks this recommendation as Manual. This Maester test collects the organization setting evidence that maps to CIS GH 1.2.4, then reports Investigate because CIS still requires a human trust review.
+
+When `members_can_delete_issues` is `true`, CIS requires verifying that repository admin members are trusted and qualified. When it is `false`, CIS still requires verifying that organization owners are trusted and qualified.
+
+#### API evidence
+
+Endpoint: `GET /orgs/{org}`
+
+Evidence field: `members_can_delete_issues`
+
+When this field is returned, the test records the actual value and returns Investigate so the remaining CIS manual review path is visible in Maester results.
+
+#### Permissions required
+
+GitHub requires organization-owner visibility for full organization details. Use `Connect-MtGitHub` with a classic PAT that has `admin:org`, or a fine-grained PAT with organization Members read and Administration read permissions.
+
+#### Remediation summary
+
+In the organization settings, open **Member privileges** and disable the option that allows members to delete issues for the organization. If the setting remains enabled, manually verify that repository administrators are limited to trusted users and document the review. If the setting is disabled, verify that organization owners are limited to trusted users and document the review.
+
+#### Known limitations
+
+This test verifies the organization setting only. It does not enumerate repository administrators, organization owners, or decide whether those users are trusted.
+
+#### Related links
+
+* [CIS GitHub Benchmark v1.2.0 - Section 1.2.4](https://www.cisecurity.org/benchmark/github)
+* [GitHub REST API: Get an organization](https://docs.github.com/en/rest/orgs/orgs#get-an-organization)
+
+<!--- Results --->
+%TestResult%
diff --git a/powershell/public/cis/Test-MtCisGitHubIssueDeletionLimited.ps1 b/powershell/public/cis/Test-MtCisGitHubIssueDeletionLimited.ps1
new file mode 100644
index 000000000..bb22b9cdf
--- /dev/null
+++ b/powershell/public/cis/Test-MtCisGitHubIssueDeletionLimited.ps1
@@ -0,0 +1,65 @@
+function Test-MtCisGitHubIssueDeletionLimited {
+    <#
+    .SYNOPSIS
+    CIS.GH.1.2.4: Ensure issue deletion is limited to specific users.
+
+    .DESCRIPTION
+    CIS GitHub Benchmark v1.2.0 section 1.2.4 marks this recommendation as
+    Manual. This test collects organization setting evidence from
+    GET /orgs/{org} and marks the result as Investigate because CIS GH 1.2.4
+    still requires a manual trust review for either repository administrators
+    or organization owners.
+
+    .EXAMPLE
+    Test-MtCisGitHubIssueDeletionLimited
+
+    Returns Investigate when the GitHub organization setting is available.
+
+    .LINK
+    https://maester.dev/docs/commands/Test-MtCisGitHubIssueDeletionLimited
+    #>
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if (!(Test-MtConnection GitHub)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGitHub
+        return $null
+    }
+
+    try {
+        Write-Verbose 'Retrieving GitHub organization settings for CIS.GH.1.2.4.'
+        $org = Get-MtGitHubOrganization
+        $field = 'members_can_delete_issues'
+        if (-not (Test-MtGitHubObjectProperty -InputObject $org -PropertyName $field)) {
+            Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason "GitHub organization response did not include required field '$field'. This field is required to evaluate CIS.GH.1.2.4 and may be missing because of permissions, plan, API version, or organization type."
+            return $null
+        }
+
+        $resultMarkdown = @"
+CIS.GH.1.2.4 automated evidence from ``GET /orgs/{org}``.
+
+| Field | Actual | Expected |
+| --- | --- | --- |
+| ``$field`` | ``$($org.$field)`` | ``False`` |
+"@
+
+        if ($org.$field -eq $true) {
+            $resultMarkdown += @"
+
+Manual review required - ``members_can_delete_issues`` is true. CIS GH 1.2.4 audit requires verifying repository admin members are trusted and qualified; document the review.
+"@
+        } else {
+            $resultMarkdown += @"
+
+Manual review required - ``members_can_delete_issues`` is false. CIS GH 1.2.4 audit still requires verifying organization owners are trusted and qualified; document the review.
+"@
+        }
+
+        Add-MtTestResultDetail -Result $resultMarkdown -Investigate
+        return $null
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}
diff --git a/powershell/public/cis/Test-MtCisGitHubRepositoryCreationLimited.md b/powershell/public/cis/Test-MtCisGitHubRepositoryCreationLimited.md
new file mode 100644
index 000000000..99d8d0ce3
--- /dev/null
+++ b/powershell/public/cis/Test-MtCisGitHubRepositoryCreationLimited.md
@@ -0,0 +1,52 @@
+1.2.2 (L1) Ensure repository creation is limited to specific members
+
+CIS Benchmark: CIS GitHub Benchmark v1.2.0
+
+Assessment Status: Manual
+
+#### Rationale
+
+Repository sprawl makes source ownership, visibility, and review harder to manage. Limiting who can create public and private repositories reduces the chance that organization code or data is exposed through an unmanaged repository and keeps the repository inventory easier to monitor.
+
+#### Impact
+
+Members who previously created repositories directly may need an owner, administrator, or approved internal process to create new repositories for them.
+
+#### Maester automation note
+
+CIS marks this recommendation as Manual. This Maester test automates the portion of CIS GH 1.2.2 that maps to documented GitHub REST API evidence. It should be treated as automated evidence collection for the corresponding GitHub setting, not as a claim that every possible manual review path has been fully evaluated.
+
+This test checks the organization member privilege settings returned by `GET /orgs/{org}`.
+
+#### API evidence
+
+Endpoint: `GET /orgs/{org}`
+
+Evidence fields:
+
+- `members_can_create_public_repositories`
+- `members_can_create_private_repositories`
+- `members_can_create_internal_repositories` when returned, shown as informational
+- `members_allowed_repository_creation_type` is displayed when returned, but is not decisive
+
+The test passes when public and private repository creation are `false`. Internal repository creation is shown as additional enterprise/GHEC context only because the CIS GH 1.2.2 literal audit covers public and private repository creation.
+
+#### Permissions required
+
+GitHub requires organization-owner visibility for full organization details. Use `Connect-MtGitHub` with a classic PAT that has `admin:org`, or a fine-grained PAT with organization Members read and Administration read permissions.
+
+#### Remediation summary
+
+In the organization settings, open **Member privileges** and clear the public and private repository creation options for members. For GHEC organizations associated with an enterprise, review internal repository creation separately as an enterprise governance decision.
+
+#### Known limitations
+
+This test uses the granular repository creation fields because GitHub is replacing the legacy `members_allowed_repository_creation_type` umbrella field. That umbrella value is displayed when returned, but is not decisive. If required granular fields are not returned, the test skips with a field-specific reason.
+
+#### Related links
+
+* [CIS GitHub Benchmark v1.2.0 - Section 1.2.2](https://www.cisecurity.org/benchmark/github)
+* [GitHub REST API: Get an organization](https://docs.github.com/en/rest/orgs/orgs#get-an-organization)
+
+<!--- Results --->
+%TestResult%
diff --git a/powershell/public/cis/Test-MtCisGitHubRepositoryCreationLimited.ps1 b/powershell/public/cis/Test-MtCisGitHubRepositoryCreationLimited.ps1
new file mode 100644
index 000000000..301f81264
--- /dev/null
+++ b/powershell/public/cis/Test-MtCisGitHubRepositoryCreationLimited.ps1
@@ -0,0 +1,98 @@
+function Test-MtCisGitHubRepositoryCreationLimited {
+    <#
+    .SYNOPSIS
+    CIS.GH.1.2.2: Ensure repository creation is limited to specific members.
+
+    .DESCRIPTION
+    CIS GitHub Benchmark v1.2.0 section 1.2.2 marks this recommendation as
+    Manual. This test automates the organization member-privileges fields
+    exposed by GET /orgs/{org}. Public and private repository creation decide
+    the test result; internal repository creation is shown as informational
+    evidence when GitHub returns it.
+
+    .EXAMPLE
+    Test-MtCisGitHubRepositoryCreationLimited
+
+    Returns true when members cannot create public or private repositories.
+
+    .LINK
+    https://maester.dev/docs/commands/Test-MtCisGitHubRepositoryCreationLimited
+    #>
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if (!(Test-MtConnection GitHub)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGitHub
+        return $null
+    }
+
+    try {
+        Write-Verbose 'Retrieving GitHub organization settings for CIS.GH.1.2.2.'
+        $org = Get-MtGitHubOrganization
+        $requiredFields = @('members_can_create_public_repositories', 'members_can_create_private_repositories')
+        $missingFields = @($requiredFields | Where-Object { -not (Test-MtGitHubObjectProperty -InputObject $org -PropertyName $_) })
+
+        if ($missingFields.Count -gt 0) {
+            Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason "GitHub organization response did not include required field(s): $($missingFields -join ', '). These fields are required to evaluate CIS.GH.1.2.2 and may be missing because of permissions, plan, API version, or organization type."
+            return $null
+        }
+
+        $checks = @(
+            [PSCustomObject]@{
+                Field    = 'members_can_create_public_repositories'
+                Actual   = $org.members_can_create_public_repositories
+                Expected = $false
+                Decisive = $true
+                Pass     = $org.members_can_create_public_repositories -eq $false
+            }
+            [PSCustomObject]@{
+                Field    = 'members_can_create_private_repositories'
+                Actual   = $org.members_can_create_private_repositories
+                Expected = $false
+                Decisive = $true
+                Pass     = $org.members_can_create_private_repositories -eq $false
+            }
+        )
+
+        $internalRepositoryNote = $null
+        if (Test-MtGitHubObjectProperty -InputObject $org -PropertyName 'members_can_create_internal_repositories') {
+            $internalRepositoryCheck = [PSCustomObject]@{
+                Field    = 'members_can_create_internal_repositories'
+                Actual   = $org.members_can_create_internal_repositories
+                Expected = 'Informational'
+                Decisive = $false
+                Pass     = $true
+            }
+            $checks = $checks + $internalRepositoryCheck
+            $internalRepositoryNote = "The internal-repository row is informational. CIS GH 1.2.2's literal audit covers public and private only."
+        }
+
+        $result = @($checks | Where-Object { $_.Decisive -eq $true -and $_.Pass -ne $true }).Count -eq 0
+        $detailRows = $checks | ForEach-Object {
+            "| ``$($_.Field)`` | ``$($_.Actual)`` | ``$($_.Expected)`` |"
+        }
+        $legacyValue = if (Test-MtGitHubObjectProperty -InputObject $org -PropertyName 'members_allowed_repository_creation_type') {
+            "Deprecated umbrella field ``members_allowed_repository_creation_type`` was returned as ``$($org.members_allowed_repository_creation_type)``. The granular fields above are the decisive checks."
+        } else {
+            "Deprecated umbrella field ``members_allowed_repository_creation_type`` was not returned. The granular fields above are the decisive checks."
+        }
+
+        $resultMarkdown = @"
+CIS.GH.1.2.2 automated evidence from ``GET /orgs/{org}``.
+
+| Field | Actual | Expected |
+| --- | --- | --- |
+$($detailRows -join "`n")
+
+$internalRepositoryNote
+
+$legacyValue
+"@
+        Add-MtTestResultDetail -Result $resultMarkdown
+        return $result
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}
diff --git a/powershell/public/cis/Test-MtCisGitHubRepositoryDeletionLimited.md b/powershell/public/cis/Test-MtCisGitHubRepositoryDeletionLimited.md
new file mode 100644
index 000000000..bbfd69025
--- /dev/null
+++ b/powershell/public/cis/Test-MtCisGitHubRepositoryDeletionLimited.md
@@ -0,0 +1,47 @@
+1.2.3 (L1) Ensure repository deletion is limited to specific users
+
+CIS Benchmark: CIS GitHub Benchmark v1.2.0
+
+Assessment Status: Manual
+
+#### Rationale
+
+Deleting repositories can cause major source loss, break delivery workflows, and hide malicious or accidental activity. Repository deletion should therefore be limited to a small set of trusted people whose access is reviewed intentionally.
+
+#### Impact
+
+Members without the required repository or organization role will not be able to delete or transfer repositories. Teams may need a documented owner-led process for repository retirement.
+
+#### Maester automation note
+
+CIS marks this recommendation as Manual. This Maester test collects the organization setting evidence that maps to CIS GH 1.2.3, then reports Investigate because CIS still requires a human trust review.
+
+When `members_can_delete_repositories` is `true`, CIS requires verifying that repository admin members are trusted and qualified. When it is `false`, CIS still requires verifying that organization owners are trusted and qualified.
+
+#### API evidence
+
+Endpoint: `GET /orgs/{org}`
+
+Evidence field: `members_can_delete_repositories`
+
+When this field is returned, the test records the actual value and returns Investigate so the remaining CIS manual review path is visible in Maester results.
+
+#### Permissions required
+
+GitHub requires organization-owner visibility for full organization details. Use `Connect-MtGitHub` with a classic PAT that has `admin:org`, or a fine-grained PAT with organization Members read and Administration read permissions.
+
+#### Remediation summary
+
+In the organization settings, open **Member privileges** and disable the option that allows members to delete or transfer repositories for the organization. If the setting remains enabled, manually verify that repository administrators are limited to trusted users and document the review. If the setting is disabled, verify that organization owners are limited to trusted users and document the review.
+
+#### Known limitations
+
+This test verifies the organization setting only. It does not enumerate repository administrators, organization owners, or decide whether those users are trusted.
+
+#### Related links
+
+* [CIS GitHub Benchmark v1.2.0 - Section 1.2.3](https://www.cisecurity.org/benchmark/github)
+* [GitHub REST API: Get an organization](https://docs.github.com/en/rest/orgs/orgs#get-an-organization)
+
+<!--- Results --->
+%TestResult%
diff --git a/powershell/public/cis/Test-MtCisGitHubRepositoryDeletionLimited.ps1 b/powershell/public/cis/Test-MtCisGitHubRepositoryDeletionLimited.ps1
new file mode 100644
index 000000000..bd95cb3c9
--- /dev/null
+++ b/powershell/public/cis/Test-MtCisGitHubRepositoryDeletionLimited.ps1
@@ -0,0 +1,65 @@
+function Test-MtCisGitHubRepositoryDeletionLimited {
+    <#
+    .SYNOPSIS
+    CIS.GH.1.2.3: Ensure repository deletion is limited to specific users.
+
+    .DESCRIPTION
+    CIS GitHub Benchmark v1.2.0 section 1.2.3 marks this recommendation as
+    Manual. This test collects organization setting evidence from
+    GET /orgs/{org} and marks the result as Investigate because CIS GH 1.2.3
+    still requires a manual trust review for either repository administrators
+    or organization owners.
+
+    .EXAMPLE
+    Test-MtCisGitHubRepositoryDeletionLimited
+
+    Returns Investigate when the GitHub organization setting is available.
+
+    .LINK
+    https://maester.dev/docs/commands/Test-MtCisGitHubRepositoryDeletionLimited
+    #>
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if (!(Test-MtConnection GitHub)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGitHub
+        return $null
+    }
+
+    try {
+        Write-Verbose 'Retrieving GitHub organization settings for CIS.GH.1.2.3.'
+        $org = Get-MtGitHubOrganization
+        $field = 'members_can_delete_repositories'
+        if (-not (Test-MtGitHubObjectProperty -InputObject $org -PropertyName $field)) {
+            Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason "GitHub organization response did not include required field '$field'. This field is required to evaluate CIS.GH.1.2.3 and may be missing because of permissions, plan, API version, or organization type."
+            return $null
+        }
+
+        $resultMarkdown = @"
+CIS.GH.1.2.3 automated evidence from ``GET /orgs/{org}``.
+
+| Field | Actual | Expected |
+| --- | --- | --- |
+| ``$field`` | ``$($org.$field)`` | ``False`` |
+"@
+
+        if ($org.$field -eq $true) {
+            $resultMarkdown += @"
+
+Manual review required - ``members_can_delete_repositories`` is true. CIS GH 1.2.3 audit requires verifying repository admin members are trusted and qualified; document the review.
+"@
+        } else {
+            $resultMarkdown += @"
+
+Manual review required - ``members_can_delete_repositories`` is false. CIS GH 1.2.3 audit still requires verifying organization owners are trusted and qualified; document the review.
+"@
+        }
+
+        Add-MtTestResultDetail -Result $resultMarkdown -Investigate
+        return $null
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}
diff --git a/powershell/public/cis/Test-MtCisGitHubStrictBasePermission.md b/powershell/public/cis/Test-MtCisGitHubStrictBasePermission.md
new file mode 100644
index 000000000..aaa4f5959
--- /dev/null
+++ b/powershell/public/cis/Test-MtCisGitHubStrictBasePermission.md
@@ -0,0 +1,45 @@
+1.3.8 (L1) Ensure strict base permissions are set for repositories
+
+CIS Benchmark: CIS GitHub Benchmark v1.2.0
+
+Assessment Status: Manual
+
+#### Rationale
+
+Base permissions apply broadly across organization repositories. Keeping the default at none or read follows least privilege and lowers the chance that every member can change code where they do not have a specific business need.
+
+#### Impact
+
+Some members may lose default write access and require explicit repository, team, or role assignments before they can contribute changes.
+
+#### Maester automation note
+
+CIS marks this recommendation as Manual. This Maester test automates the portion of CIS GH 1.3.8 that maps to documented GitHub REST API evidence. It should be treated as automated evidence collection for the corresponding GitHub setting, not as a claim that every possible manual review path has been fully evaluated.
+
+#### API evidence
+
+Endpoint: `GET /orgs/{org}`
+
+Evidence field: `default_repository_permission`
+
+The test passes when `default_repository_permission` is `none` or `read`. It fails when the value is `write` or `admin`.
+
+#### Permissions required
+
+GitHub requires organization-owner visibility for full organization details. Use `Connect-MtGitHub` with a classic PAT that has `admin:org`, or a fine-grained PAT with organization Members read and Administration read permissions.
+
+#### Remediation summary
+
+In the organization settings, open **Member privileges** and set **Base permissions** to **None** or **Read**.
+
+#### Known limitations
+
+This test verifies the organization default repository permission only. It does not review per-repository collaborators, teams, or custom access grants.
+
+#### Related links
+
+* [CIS GitHub Benchmark v1.2.0 - Section 1.3.8](https://www.cisecurity.org/benchmark/github)
+* [GitHub REST API: Get an organization](https://docs.github.com/en/rest/orgs/orgs#get-an-organization)
+
+<!--- Results --->
+%TestResult%
diff --git a/powershell/public/cis/Test-MtCisGitHubStrictBasePermission.ps1 b/powershell/public/cis/Test-MtCisGitHubStrictBasePermission.ps1
new file mode 100644
index 000000000..17846f2eb
--- /dev/null
+++ b/powershell/public/cis/Test-MtCisGitHubStrictBasePermission.ps1
@@ -0,0 +1,53 @@
+function Test-MtCisGitHubStrictBasePermission {
+    <#
+    .SYNOPSIS
+    CIS.GH.1.3.8: Ensure strict base permissions are set for repositories.
+
+    .DESCRIPTION
+    CIS GitHub Benchmark v1.2.0 section 1.3.8 marks this recommendation as
+    Manual. This test automates the organization default repository permission
+    exposed by GET /orgs/{org} and requires the value to be none or read.
+
+    .EXAMPLE
+    Test-MtCisGitHubStrictBasePermission
+
+    Returns true when default_repository_permission is none or read.
+
+    .LINK
+    https://maester.dev/docs/commands/Test-MtCisGitHubStrictBasePermission
+    #>
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if (!(Test-MtConnection GitHub)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGitHub
+        return $null
+    }
+
+    try {
+        Write-Verbose 'Retrieving GitHub organization settings for CIS.GH.1.3.8.'
+        $org = Get-MtGitHubOrganization
+        $field = 'default_repository_permission'
+        if (-not (Test-MtGitHubObjectProperty -InputObject $org -PropertyName $field)) {
+            Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason "GitHub organization response did not include required field '$field'. This field is required to evaluate CIS.GH.1.3.8 and may be missing because of permissions, plan, API version, or organization type."
+            return $null
+        }
+
+        $allowedValues = @('none', 'read')
+        $actual = [string]$org.$field
+        $result = $allowedValues -contains $actual
+        $resultMarkdown = @"
+CIS.GH.1.3.8 automated evidence from ``GET /orgs/{org}``.
+
+| Field | Actual | Expected |
+| --- | --- | --- |
+| ``$field`` | ``$actual`` | ``none`` or ``read`` |
+"@
+        Add-MtTestResultDetail -Result $resultMarkdown
+        return $result
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}
diff --git a/powershell/public/cis/Test-MtCisGitHubTeamCreationLimited.md b/powershell/public/cis/Test-MtCisGitHubTeamCreationLimited.md
new file mode 100644
index 000000000..fe57d50a3
--- /dev/null
+++ b/powershell/public/cis/Test-MtCisGitHubTeamCreationLimited.md
@@ -0,0 +1,45 @@
+1.3.2 (L1) Ensure team creation is limited to specific members
+
+CIS Benchmark: CIS GitHub Benchmark v1.2.0
+
+Assessment Status: Manual
+
+#### Rationale
+
+Teams can inherit access and quickly become part of the organization's permission model. Restricting team creation helps prevent shadow teams, accidental privilege expansion, and unnecessary organizational clutter.
+
+#### Impact
+
+Members who previously created teams directly may need an owner, administrator, or approved access-management process to create new teams.
+
+#### Maester automation note
+
+CIS marks this recommendation as Manual. This Maester test automates the portion of CIS GH 1.3.2 that maps to documented GitHub REST API evidence. It should be treated as automated evidence collection for the corresponding GitHub setting, not as a claim that every possible manual review path has been fully evaluated.
+
+#### API evidence
+
+Endpoint: `GET /orgs/{org}`
+
+Evidence field: `members_can_create_teams`
+
+The test passes when `members_can_create_teams` is `false`.
+
+#### Permissions required
+
+GitHub requires organization-owner visibility for full organization details. Use `Connect-MtGitHub` with a classic PAT that has `admin:org`, or a fine-grained PAT with organization Members read and Administration read permissions.
+
+#### Remediation summary
+
+In the organization settings, open **Member privileges** and disable **Allow members to create teams**.
+
+#### Known limitations
+
+This test verifies the organization-level team creation setting. It does not review custom operational processes for who may request or approve new teams.
+
+#### Related links
+
+* [CIS GitHub Benchmark v1.2.0 - Section 1.3.2](https://www.cisecurity.org/benchmark/github)
+* [GitHub REST API: Get an organization](https://docs.github.com/en/rest/orgs/orgs#get-an-organization)
+
+<!--- Results --->
+%TestResult%
diff --git a/powershell/public/cis/Test-MtCisGitHubTeamCreationLimited.ps1 b/powershell/public/cis/Test-MtCisGitHubTeamCreationLimited.ps1
new file mode 100644
index 000000000..b732c66b1
--- /dev/null
+++ b/powershell/public/cis/Test-MtCisGitHubTeamCreationLimited.ps1
@@ -0,0 +1,52 @@
+function Test-MtCisGitHubTeamCreationLimited {
+    <#
+    .SYNOPSIS
+    CIS.GH.1.3.2: Ensure team creation is limited to specific members.
+
+    .DESCRIPTION
+    CIS GitHub Benchmark v1.2.0 section 1.3.2 marks this recommendation as
+    Manual. This test automates the organization member-privileges field
+    exposed by GET /orgs/{org} and requires members_can_create_teams to be
+    false.
+
+    .EXAMPLE
+    Test-MtCisGitHubTeamCreationLimited
+
+    Returns true when members cannot create teams.
+
+    .LINK
+    https://maester.dev/docs/commands/Test-MtCisGitHubTeamCreationLimited
+    #>
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if (!(Test-MtConnection GitHub)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedGitHub
+        return $null
+    }
+
+    try {
+        Write-Verbose 'Retrieving GitHub organization settings for CIS.GH.1.3.2.'
+        $org = Get-MtGitHubOrganization
+        $field = 'members_can_create_teams'
+        if (-not (Test-MtGitHubObjectProperty -InputObject $org -PropertyName $field)) {
+            Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason "GitHub organization response did not include required field '$field'. This field is required to evaluate CIS.GH.1.3.2 and may be missing because of permissions, plan, API version, or organization type."
+            return $null
+        }
+
+        $result = $org.$field -eq $false
+        $resultMarkdown = @"
+CIS.GH.1.3.2 automated evidence from ``GET /orgs/{org}``.
+
+| Field | Actual | Expected |
+| --- | --- | --- |
+| ``$field`` | ``$($org.$field)`` | ``False`` |
+"@
+        Add-MtTestResultDetail -Result $resultMarkdown
+        return $result
+    } catch {
+        Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_
+        return $null
+    }
+}
diff --git a/powershell/public/core/Connect-MtGitHub.ps1 b/powershell/public/core/Connect-MtGitHub.ps1
new file mode 100644
index 000000000..fc28561ff
--- /dev/null
+++ b/powershell/public/core/Connect-MtGitHub.ps1
@@ -0,0 +1,475 @@
+function Connect-MtGitHub {
+    <#
+    .SYNOPSIS
+    Establishes a GitHub Enterprise Cloud organization REST API session for Maester.
+
+    .DESCRIPTION
+    Establishes a GitHub Enterprise Cloud organization REST API session for Maester CIS
+    benchmark tests. This is an organization-scoped session, not a full enterprise-admin
+    session: enterprise-admin endpoints under /enterprises/{enterprise} are not verified
+    by this command and would require a future enterprise-access probe if CIS controls
+    need them.
+
+    Validates the PAT via four probes. The first three are blocking (any failure aborts
+    the connection); the fourth is non-blocking (failure emits a warning but the session
+    is still established):
+      1. GET /user                            — token identity (blocking)
+      2. GET /orgs/{org}                      — org metadata (blocking)
+      3. GET /orgs/{org}/memberships/{user}   — org-access proof, state + role (blocking)
+      4. GET /orgs/{org}/actions/permissions  — administration access probe (non-blocking)
+
+    The membership probe is the real access gate: /orgs/{org} returns public metadata
+    even for tokens with no relationship to the organization. A 4xx, malformed body,
+    or missing state/role on probe 3 aborts with FailureReason = 'OrgMembershipFailed'.
+    A successful response whose membership state is anything other than 'active'
+    (e.g. 'pending' for an invitation that has not been accepted) also aborts the
+    connection, with FailureReason = 'OrgMembershipPending' — only an active
+    membership proves the user can act on the organization.
+
+    Probe 4 verifies the token can reach an org-administration endpoint. GitHub
+    documents /orgs/{org}/actions/permissions as requiring classic PAT 'admin:org' or
+    fine-grained 'Organization Administration: read'. Failure here records
+    AdministrationPermissionVerified = $false and emits a warning, but does not flip
+    Connected to $false — the session remains usable for controls that don't require
+    org administration access.
+
+    On success, Role = 'admin' + RoleState = 'active' + AdministrationPermissionVerified
+    = $true is the no-warning path. Other active roles (member, billing_manager, etc.)
+    or admin-probe failure still connect but emit warnings indicating limited CIS
+    coverage. Non-active membership states do not connect at all.
+
+    A non-rate-limited HTTP 403 from GET /user aborts with FailureReason =
+    'TokenForbidden'. Common causes include SAML SSO enforcement, IP allowlists,
+    token/account blocking, or other authorization policies. A rate-limited 403
+    is still classified as FailureReason = 'RateLimited'.
+
+    A malformed JSON response from GET /orgs/{org} aborts with FailureReason =
+    'OrgAccessFailed' and identifies the response parsing problem instead of
+    blaming the PAT scope, organization name, or API base URI.
+
+    The successful GET /orgs/{org} response is cached only after the full
+    connection succeeds, so failed connection attempts do not seed org data.
+
+    Token resolution order:
+      1. -Token parameter (SecureString)
+      2. MAESTER_GITHUB_TOKEN environment variable
+      3. GH_TOKEN environment variable (GitHub CLI convention)
+
+    Required permissions:
+      Classic PAT:        admin:org
+      Fine-grained PAT:   Organization Members: read + Organization Administration: read
+      Required role for full coverage: organization owner/admin
+
+    Note: Connection success proves token validity and org access, not that all
+    CIS control fields will be visible. Each CIS test validates field availability
+    and skips with an informative message if required fields are absent.
+
+    .PARAMETER Organization
+    GitHub organization login name. Falls back to GitHubOrganization in maester-config.json.
+
+    .PARAMETER Token
+    PAT as SecureString. Falls back to MAESTER_GITHUB_TOKEN or GH_TOKEN env vars.
+
+    .PARAMETER ApiBaseUri
+    GitHub API base URI. Falls back to GitHubApiBaseUri config, then https://api.github.com.
+    Set to https://api.{subdomain}.ghe.com for GHE.com EMU deployments.
+
+    .PARAMETER ApiVersion
+    GitHub REST API version date. Falls back to GitHubApiVersion config, then 2022-11-28.
+    GitHub defaults requests without X-GitHub-Api-Version to 2022-11-28.
+
+    .EXAMPLE
+    Connect-MtGitHub -Organization 'mycompany'
+
+    .EXAMPLE
+    Connect-MtGitHub -Organization 'mycompany' -ApiBaseUri 'https://api.myco.ghe.com'
+
+    .LINK
+    https://maester.dev/docs/commands/Connect-MtGitHub
+    #>
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWriteHost', '', Justification = 'Consistent with other Connect-* functions')]
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $false)]
+        [string] $Organization,
+
+        [Parameter(Mandatory = $false)]
+        [securestring] $Token,
+
+        [Parameter(Mandatory = $false)]
+        [string] $ApiBaseUri,
+
+        [Parameter(Mandatory = $false)]
+        [string] $ApiVersion
+    )
+
+    # Clear prior GitHub session state (prevents stale data on reconnect)
+    $__MtSession.GitHubConnection = $null
+    $__MtSession.GitHubAuthHeader = $null
+    $__MtSession.GitHubCache = @{}
+
+    # Lazy-load config once if MaesterConfig is not yet set and any config-backed parameter is
+    # omitted. This makes the config fallback work when Connect-MtGitHub is called before
+    # Invoke-Maester (the normal pre-run workflow). Get-MtMaesterConfig walks up to 5 parent
+    # directories from the given path, so it finds the config from anywhere in the test tree.
+    if ($null -eq $__MtSession.MaesterConfig -and (
+            [string]::IsNullOrWhiteSpace($Organization) -or
+            [string]::IsNullOrWhiteSpace($ApiBaseUri) -or
+            [string]::IsNullOrWhiteSpace($ApiVersion))) {
+        $__MtSession.MaesterConfig = Get-MtMaesterConfig -Path (Get-Location).Path
+    }
+
+    # Resolve organization (param -> config -> error)
+    if ([string]::IsNullOrWhiteSpace($Organization)) {
+        $Organization = Get-MtMaesterConfigGlobalSetting -SettingName 'GitHubOrganization'
+    }
+    if ([string]::IsNullOrWhiteSpace($Organization)) {
+        Write-Host "`nNo GitHub organization specified. Provide -Organization or set GitHubOrganization in maester-config.json." -ForegroundColor Red
+        $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'NotConfigured' }
+        return
+    }
+    # Surrounding whitespace from a config file or shell-quoted parameter would otherwise
+    # be URL-encoded into the probe paths and silently 404 against GitHub.
+    $Organization = $Organization.Trim()
+
+    # Resolve ApiBaseUri (param -> config -> default).
+    $resolvedApiBaseUri = $ApiBaseUri
+    if ([string]::IsNullOrWhiteSpace($resolvedApiBaseUri)) {
+        $configApiBaseUri = Get-MtMaesterConfigGlobalSetting -SettingName 'GitHubApiBaseUri'
+        if (-not [string]::IsNullOrWhiteSpace($configApiBaseUri)) { $resolvedApiBaseUri = $configApiBaseUri }
+    }
+    if ([string]::IsNullOrWhiteSpace($resolvedApiBaseUri)) { $resolvedApiBaseUri = 'https://api.github.com' }
+    $resolvedApiBaseUri = $resolvedApiBaseUri.Trim().TrimEnd('/')
+
+    # Validate the fully-resolved URI. Done in-body (not via parameter [ValidatePattern]) so
+    # config-supplied values are checked too, and so an invalid value records InvalidApiBaseUri
+    # after the session-clearing logic at the top of this function rather than throwing before it.
+    # Host allowlist prevents the PAT from being sent to arbitrary HTTPS hosts: only the
+    # documented GitHub API endpoints — api.github.com (SaaS) and api.<subdomain>.ghe.com
+    # (GHE.com data residency) — are accepted. GHES on-prem is intentionally not supported.
+    $parsedUri = $null
+    if (-not [uri]::TryCreate($resolvedApiBaseUri, [UriKind]::Absolute, [ref]$parsedUri) -or $parsedUri.Scheme -cne 'https') {
+        Write-Host "`nGitHub API base URI must be an absolute https:// URI. Got: '$resolvedApiBaseUri'." -ForegroundColor Red
+        $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'InvalidApiBaseUri' }
+        return
+    }
+    $uriHost = $parsedUri.Host.ToLowerInvariant()
+    $isGitHubSaas = $uriHost -eq 'api.github.com'
+    $isGheCom     = $uriHost -match '^api\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.ghe\.com$'
+    $hasRootPath  = [string]::IsNullOrEmpty($parsedUri.AbsolutePath) -or $parsedUri.AbsolutePath -eq '/'
+    # Reject query strings, fragments, and non-default ports — none are valid for the
+    # GitHub API base, and accepting them would let an attacker-supplied config redirect
+    # the PAT to an unexpected listener (e.g. a debug proxy on :8443) while still passing
+    # the host allowlist.
+    $hasNoQuery    = [string]::IsNullOrEmpty($parsedUri.Query)
+    $hasNoFragment = [string]::IsNullOrEmpty($parsedUri.Fragment)
+    $hasDefaultPort = $parsedUri.IsDefaultPort
+    if (-not (($isGitHubSaas -or $isGheCom) -and $hasRootPath -and $hasNoQuery -and $hasNoFragment -and $hasDefaultPort)) {
+        Write-Host "`nGitHub API base URI must be https://api.github.com or https://api.<subdomain>.ghe.com (no path, query, fragment, or non-default port). Got: '$resolvedApiBaseUri'." -ForegroundColor Red
+        $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'InvalidApiBaseUri' }
+        return
+    }
+    $ApiBaseUri = $resolvedApiBaseUri
+
+    # Resolve ApiVersion (param -> config -> default). Validation runs on the resolved value
+    # so the same FailureReason path applies whether the bad value came from -ApiVersion or
+    # GitHubApiVersion config — a parameter [ValidatePattern] would otherwise throw before
+    # the session-clearing logic at the top of this function ran.
+    $resolvedApiVersion = $ApiVersion
+    if ([string]::IsNullOrWhiteSpace($resolvedApiVersion)) {
+        $configApiVersion = Get-MtMaesterConfigGlobalSetting -SettingName 'GitHubApiVersion'
+        if (-not [string]::IsNullOrWhiteSpace($configApiVersion)) { $resolvedApiVersion = $configApiVersion }
+    }
+    # 2022-11-28 is GitHub's initial REST API version and the documented default for
+    # unversioned requests. Re-test before changing this pin: GitHub documents that
+    # API versions are supported for at least 24 months after a successor is released.
+    # Latest documented REST API version as of May 2026: 2026-03-10.
+    # See: https://docs.github.com/en/rest/about-the-rest-api/api-versions
+    if ([string]::IsNullOrWhiteSpace($resolvedApiVersion)) { $resolvedApiVersion = '2022-11-28' }
+    $resolvedApiVersion = $resolvedApiVersion.Trim()
+
+    if ($resolvedApiVersion -notmatch '^\d{4}-\d{2}-\d{2}$') {
+        Write-Host "`nGitHub API version must use YYYY-MM-DD format. Got: '$resolvedApiVersion'." -ForegroundColor Red
+        $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'InvalidApiVersion' }
+        return
+    }
+    $ApiVersion = $resolvedApiVersion
+
+    # Resolve token (param -> MAESTER_GITHUB_TOKEN -> GH_TOKEN)
+    $plainToken = $null
+    $bstr = [IntPtr]::Zero
+    try {
+        if ($Token) {
+            $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Token)
+            $plainToken = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
+        } elseif (-not [string]::IsNullOrEmpty($env:MAESTER_GITHUB_TOKEN)) {
+            $plainToken = $env:MAESTER_GITHUB_TOKEN
+        } elseif (-not [string]::IsNullOrEmpty($env:GH_TOKEN)) {
+            $plainToken = $env:GH_TOKEN
+        }
+    } finally {
+        if ($bstr -ne [IntPtr]::Zero) { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
+    }
+    if ([string]::IsNullOrEmpty($plainToken)) {
+        Write-Host "`nNo GitHub token found. Provide -Token, or set MAESTER_GITHUB_TOKEN or GH_TOKEN." -ForegroundColor Red
+        $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'NoToken' }
+        return
+    }
+
+    # Auth headers — token stored here, NOT in the connection object
+    $authHeaders = @{
+        Authorization          = "Bearer $plainToken"
+        Accept                 = 'application/vnd.github+json'
+        'X-GitHub-Api-Version' = $ApiVersion
+        'User-Agent'           = 'Maester-GitHubCis'
+    }
+    Remove-Variable -Name plainToken -ErrorAction SilentlyContinue
+
+    # Probe 1: token identity
+    try {
+        $userResponse = Invoke-WebRequest -Uri "$ApiBaseUri/user" -Headers $authHeaders -Method GET -UseBasicParsing -ErrorAction Stop
+        $user = $userResponse.Content | ConvertFrom-Json
+        Write-Verbose "GitHub token identity: $($user.login)"
+    } catch {
+        $rateLimitMessage = Get-MtGitHubRateLimitMessage -ErrorRecord $_
+        if ($rateLimitMessage) {
+            Write-Host "`n$rateLimitMessage" -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'RateLimited' }
+            return
+        }
+        $code   = Get-MtGitHubErrorStatusCode -ErrorRecord $_
+        $apiMsg = Get-MtGitHubErrorMessage    -ErrorRecord $_
+        # 410 = unsupported API version. 400 with a message about API/version support
+        # also indicates an unsupported X-GitHub-Api-Version header value — GitHub's
+        # documented wording includes "Not a supported version" and "version is not supported".
+        $isUnsupportedApiVersion = $code -eq 410 -or ($code -eq 400 -and $apiMsg -match '(?i)api\s+version|x-github-api-version|not\s+.*supported.*version|version.*not\s+.*supported')
+        if ($isUnsupportedApiVersion) {
+            Write-Host "`nGitHub API version '$ApiVersion' is not supported by GitHub. Update GitHubApiVersion or omit it to use the default." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'InvalidApiVersion' }
+            return
+        }
+        # $null status code means no HTTP response was produced (DNS failure, TLS handshake
+        # failure, connection refused, hostname unreachable). The PAT was never evaluated and
+        # the URI itself didn't resolve to a working endpoint — commonly a wrong GHE base URI.
+        if ($null -eq $code) {
+            Write-Host "`nGitHub API base URI '$ApiBaseUri' is not reachable (no response). Verify network connectivity, DNS/TLS, and the GitHubApiBaseUri value (use https://api.{subdomain}.ghe.com for GHE.com)." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'ApiBaseUriFailed' }
+            return
+        }
+        # 5xx means GitHub responded but the endpoint is failing — the URI is fine, the
+        # service is unavailable. Don't conflate with token or base-URI problems.
+        if ($code -ge 500 -and $code -le 599) {
+            Write-Host "`nGitHub API request failed (HTTP $code). The GitHub service may be temporarily unavailable; check https://www.githubstatus.com/ and retry." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'ApiUnavailable' }
+            return
+        }
+        if ($code -eq 401) {
+            Write-Host "`nGitHub token validation failed (HTTP 401). Verify the PAT is valid and not expired." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'TokenInvalid' }
+            return
+        }
+        if ($code -eq 403) {
+            Write-Host "`nGitHub token validation failed (HTTP 403). The token is forbidden from accessing /user. Verify SAML SSO authorization, organization IP allowlists, and whether the token or account is blocked." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'TokenForbidden' }
+            return
+        }
+        Write-Host "`nGitHub token validation failed (HTTP $code). Verify the PAT is valid and not expired." -ForegroundColor Red
+        $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'TokenInvalid' }
+        return
+    }
+
+    # Probe 2: org access
+    $encodedOrg = [System.Uri]::EscapeDataString($Organization)
+    try {
+        $orgResponse = Invoke-WebRequest -Uri "$ApiBaseUri/orgs/$encodedOrg" -Headers $authHeaders -Method GET -UseBasicParsing -ErrorAction Stop
+        $orgData = $null
+        try {
+            $orgData = $orgResponse.Content | ConvertFrom-Json -ErrorAction Stop
+        } catch {
+            $orgData = $null
+        }
+
+        if ($null -eq $orgData) {
+            Write-Host "`nGitHub organization API returned a response that could not be parsed as JSON. Verify no proxy is modifying response bodies and retry." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'OrgAccessFailed' }
+            return
+        }
+    } catch {
+        $rateLimitMessage = Get-MtGitHubRateLimitMessage -ErrorRecord $_
+        if ($rateLimitMessage) {
+            Write-Host "`n$rateLimitMessage" -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'RateLimited' }
+            return
+        }
+        $code = Get-MtGitHubErrorStatusCode -ErrorRecord $_
+        $apiMsg = Get-MtGitHubErrorMessage -ErrorRecord $_
+        # Same transport/5xx classification as /user — a probe that gets to the network can
+        # still fail for reasons unrelated to org access (DNS hiccup, partial outage), and
+        # those should report ApiBaseUriFailed / ApiUnavailable rather than OrgAccessFailed.
+        if ($null -eq $code) {
+            Write-Host "`nGitHub API base URI '$ApiBaseUri' is not reachable (no response) while probing /orgs/$Organization. Verify network connectivity, DNS/TLS, and the GitHubApiBaseUri value." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'ApiBaseUriFailed' }
+            return
+        }
+        if ($code -ge 500 -and $code -le 599) {
+            Write-Host "`nGitHub API request failed (HTTP $code) while probing /orgs/$Organization. The GitHub service may be temporarily unavailable; check https://www.githubstatus.com/ and retry." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'ApiUnavailable' }
+            return
+        }
+        $msg = switch ($code) {
+            403     { "Access denied (403). Verify the PAT has 'admin:org' scope and is used by an organization owner. GitHub API: $apiMsg" }
+            404     { "Organization '$Organization' not found (404). Check the organization login name. GitHub API: $apiMsg" }
+            default { "HTTP $code. $apiMsg" }
+        }
+        Write-Host "`nFailed to access GitHub organization: $msg" -ForegroundColor Red
+        $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'OrgAccessFailed' }
+        return
+    }
+
+    # Null-safe plan name (not visible for all token types/roles)
+    $planName = $null
+    if ($orgData.PSObject.Properties.Name -contains 'plan' -and $null -ne $orgData.plan) {
+        $planName = $orgData.plan.name
+    }
+
+    # Probe 3: org membership / role — blocking proof of org access.
+    # /orgs/{org} returns public org metadata even for tokens with no relationship to the org,
+    # so membership is the real access gate. Any failure here aborts the connection.
+    $role         = $null
+    $roleState    = $null
+    $roleWarning  = $null
+
+    $encodedLogin = [System.Uri]::EscapeDataString($user.login)
+    try {
+        $membershipResponse = Invoke-WebRequest -Uri "$ApiBaseUri/orgs/$encodedOrg/memberships/$encodedLogin" -Headers $authHeaders -Method GET -UseBasicParsing -ErrorAction Stop
+
+        $membershipData = $null
+        try {
+            $membershipData = $membershipResponse.Content | ConvertFrom-Json -ErrorAction Stop
+        } catch {
+            $membershipData = $null
+        }
+
+        $hasState = $null -ne $membershipData -and $membershipData.PSObject.Properties.Name -contains 'state' -and -not [string]::IsNullOrWhiteSpace([string]$membershipData.state)
+        $hasRole  = $null -ne $membershipData -and $membershipData.PSObject.Properties.Name -contains 'role'  -and -not [string]::IsNullOrWhiteSpace([string]$membershipData.role)
+
+        if (-not ($hasState -and $hasRole)) {
+            Write-Host "`nGitHub organization membership could not be verified: malformed response from /orgs/$Organization/memberships/$($user.login)." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'OrgMembershipFailed' }
+            return
+        }
+
+        $role      = [string]$membershipData.role
+        $roleState = [string]$membershipData.state
+
+        # Only an 'active' membership proves the user can actually act on the org.
+        # 'pending' (invitation not accepted) and any other non-active state should
+        # not be treated as a usable session — org-scoped controls would silently
+        # fail or report misleading data. Fail closed and do not retain auth state.
+        if ($roleState -ne 'active') {
+            Write-Host "`nGitHub organization membership is not active (state: '$roleState'). Accept the organization invitation in GitHub and reconnect." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'OrgMembershipPending' }
+            return
+        }
+
+        if ($role -ne 'admin') {
+            $roleWarning = "GitHub organization admin/owner permissions required for full CIS coverage. Current role: '$role'. Some controls may skip or report limited visibility."
+        }
+    } catch {
+        $rateLimitMessage = Get-MtGitHubRateLimitMessage -ErrorRecord $_
+        if ($rateLimitMessage) {
+            Write-Host "`n$rateLimitMessage" -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'RateLimited' }
+            return
+        }
+        $code   = Get-MtGitHubErrorStatusCode -ErrorRecord $_
+        $apiMsg = Get-MtGitHubErrorMessage    -ErrorRecord $_
+        # Same transport/5xx classification as /user — separating "the network/service broke"
+        # from "the token cannot prove membership" matters for actionable diagnostics.
+        if ($null -eq $code) {
+            Write-Host "`nGitHub API base URI '$ApiBaseUri' is not reachable (no response) while probing membership for '$($user.login)' in '$Organization'." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'ApiBaseUriFailed' }
+            return
+        }
+        if ($code -ge 500 -and $code -le 599) {
+            Write-Host "`nGitHub API request failed (HTTP $code) while probing membership for '$($user.login)' in '$Organization'. Service may be temporarily unavailable; check https://www.githubstatus.com/ and retry." -ForegroundColor Red
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'ApiUnavailable' }
+            return
+        }
+        $msg = switch ($code) {
+            403     { "Membership probe forbidden (403). The token cannot prove membership in '$Organization'. GitHub API: $apiMsg" }
+            404     { "User '$($user.login)' is not a member of organization '$Organization' (404). GitHub API: $apiMsg" }
+            default { "Membership probe failed (HTTP $code). $apiMsg" }
+        }
+        Write-Host "`nFailed to verify GitHub organization membership: $msg" -ForegroundColor Red
+        $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'OrgMembershipFailed' }
+        return
+    }
+
+    # Probe 4: organization administration access (non-blocking).
+    # /orgs/{org}/actions/permissions requires classic PAT 'admin:org' or fine-grained
+    # 'Organization Administration: read' — a closer match to the permissions needed by
+    # CIS org-admin controls than the membership endpoint. Failure here records the
+    # outcome and emits a warning, but does not flip Connected to $false.
+    $adminVerified           = $false
+    $adminFailureReason      = $null
+    $adminStatusCode         = $null
+    $adminAcceptedPermissions = $null
+    $adminWarning            = $null
+    try {
+        $adminResponse = Invoke-WebRequest -Uri "$ApiBaseUri/orgs/$encodedOrg/actions/permissions" -Headers $authHeaders -Method GET -UseBasicParsing -ErrorAction Stop
+        $adminVerified   = $true
+        $adminStatusCode = 200
+        if ($adminResponse.PSObject.Properties.Name -contains 'StatusCode' -and $null -ne $adminResponse.StatusCode) {
+            $adminStatusCode = [int]$adminResponse.StatusCode
+        }
+    } catch {
+        $adminStatusCode    = Get-MtGitHubErrorStatusCode -ErrorRecord $_
+        $adminApiMsg        = Get-MtGitHubErrorMessage    -ErrorRecord $_
+        $respHeaders        = $null
+        if ($null -ne $_.Exception -and $null -ne $_.Exception.Response) {
+            $respHeaders = $_.Exception.Response.Headers
+        }
+        $adminAcceptedPermissions = Get-MtGitHubResponseHeaderValue -Headers $respHeaders -Name 'x-accepted-github-permissions'
+        $adminRateLimitMessage = Get-MtGitHubRateLimitMessage -ErrorRecord $_
+        if ($adminRateLimitMessage) {
+            $adminFailureReason = $adminRateLimitMessage
+            $adminWarning = "GitHub organization administration API access was not verified due to a GitHub API rate limit. Detail: $adminRateLimitMessage"
+        } else {
+            $adminFailureReason = switch ($adminStatusCode) {
+                403     { "HTTP 403 from /orgs/$Organization/actions/permissions. $adminApiMsg" }
+                404     { "HTTP 404 from /orgs/$Organization/actions/permissions. $adminApiMsg" }
+                default { "HTTP $adminStatusCode from /orgs/$Organization/actions/permissions. $adminApiMsg" }
+            }
+            $adminWarning = "GitHub organization administration API access was not verified. Some CIS controls requiring org administration may skip or report limited visibility. Required token permissions — classic PAT: admin:org; fine-grained PAT: Organization Administration: read. Detail: $adminFailureReason"
+        }
+    }
+
+    $__MtSession.GitHubAuthHeader = $authHeaders
+    $__MtSession.GitHubConnection = [PSCustomObject]@{
+        Connected                                   = $true
+        Organization                                = $Organization
+        ApiBaseUri                                  = $ApiBaseUri
+        ApiVersion                                  = $ApiVersion
+        TokenLogin                                  = $user.login
+        Plan                                        = $planName
+        Role                                        = $role
+        RoleState                                   = $roleState
+        RoleVerified                                = $true
+        RoleVerificationFailureReason               = $null
+        AdministrationPermissionVerified            = $adminVerified
+        AdministrationPermissionFailureReason       = $adminFailureReason
+        AdministrationPermissionStatusCode          = $adminStatusCode
+        AdministrationPermissionAcceptedPermissions = $adminAcceptedPermissions
+        FailureReason                               = $null
+    }
+
+    $orgCacheKey = Get-MtGitHubCacheKey -ApiVersion $ApiVersion -AbsoluteUri "$ApiBaseUri/orgs/$encodedOrg"
+    $__MtSession.GitHubCache[$orgCacheKey] = $orgData
+
+    if ($roleWarning)  { Write-Warning $roleWarning }
+    if ($adminWarning) { Write-Warning $adminWarning }
+
+    $planDisplay = if ($planName) { " (plan: $planName)" } else { '' }
+    Write-Host "Connected to GitHub organization '$($orgData.login)' as '$($user.login)'$planDisplay." -ForegroundColor Green
+}
diff --git a/powershell/public/core/Disconnect-MtGitHub.ps1 b/powershell/public/core/Disconnect-MtGitHub.ps1
new file mode 100644
index 000000000..a641eca94
--- /dev/null
+++ b/powershell/public/core/Disconnect-MtGitHub.ps1
@@ -0,0 +1,38 @@
+function Disconnect-MtGitHub {
+    <#
+    .SYNOPSIS
+    Clears the current GitHub REST session in Maester.
+
+    .DESCRIPTION
+    Removes the GitHub PAT-derived auth header, the connection metadata, and the per-session
+    REST response cache from the Maester module's session state. Idempotent — safe to call when
+    no GitHub session is active.
+
+    Use this when you want to drop the in-memory token, switch organizations, or clean up
+    troubleshooting state. Disconnect-Maester also calls this automatically (Disconnect-MtGraph
+    alias does not, to preserve its narrow Graph-only semantic).
+
+    .EXAMPLE
+    Disconnect-MtGitHub
+
+    Clears any active GitHub session.
+
+    .LINK
+    https://maester.dev/docs/commands/Disconnect-MtGitHub
+    #>
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWriteHost', '', Justification = 'Consistent with other Connect/Disconnect-* functions')]
+    [CmdletBinding()]
+    param()
+
+    $hadState = ($null -ne $__MtSession.GitHubConnection) -or ($null -ne $__MtSession.GitHubAuthHeader)
+
+    $__MtSession.GitHubConnection = $null
+    $__MtSession.GitHubAuthHeader = $null
+    $__MtSession.GitHubCache = @{}
+
+    if ($hadState) {
+        Write-Host 'Disconnected from GitHub.' -ForegroundColor Green
+    } else {
+        Write-Verbose 'No GitHub session to disconnect.'
+    }
+}
diff --git a/powershell/public/core/Get-MtSession.ps1 b/powershell/public/core/Get-MtSession.ps1
index d5d81d5cd..80d841f8c 100644
--- a/powershell/public/core/Get-MtSession.ps1
+++ b/powershell/public/core/Get-MtSession.ps1
@@ -1,4 +1,4 @@
-function Get-MtSession {
+function Get-MtSession {
     <#
     .SYNOPSIS
     Gets the current Maester session information which includes the current Graph base uri and other details.
@@ -7,6 +7,9 @@
     .DESCRIPTION
     The session information can be used to troubleshoot issues with the Maester module.
 
+    For security, the GitHubAuthHeader Authorization value is redacted on output so a copied
+    session dump cannot leak the GitHub PAT. The live session used by internal callers is unchanged.
+
     .EXAMPLE
     Get-MtSession
 
@@ -19,5 +22,28 @@
     param()
 
     Write-Verbose 'Getting the current Maester session information.'
-    Write-Output $__MtSession
+
+    $sessionCopy = @{}
+    foreach ($key in $__MtSession.Keys) {
+        $sessionCopy[$key] = $__MtSession[$key]
+    }
+
+    $authHeader = $__MtSession['GitHubAuthHeader']
+    if ($null -ne $authHeader) {
+        if ($authHeader -is [System.Collections.IDictionary]) {
+            $redactedHeader = [ordered]@{}
+            foreach ($k in $authHeader.Keys) {
+                if ($k -ieq 'Authorization') {
+                    $redactedHeader[$k] = '<redacted>'
+                } else {
+                    $redactedHeader[$k] = $authHeader[$k]
+                }
+            }
+            $sessionCopy['GitHubAuthHeader'] = $redactedHeader
+        } else {
+            $sessionCopy['GitHubAuthHeader'] = '<redacted>'
+        }
+    }
+
+    Write-Output $sessionCopy
 }
diff --git a/powershell/public/core/Test-MtConnection.ps1 b/powershell/public/core/Test-MtConnection.ps1
index 3c2157426..28f717d82 100644
--- a/powershell/public/core/Test-MtConnection.ps1
+++ b/powershell/public/core/Test-MtConnection.ps1
@@ -7,7 +7,9 @@
     Tests the connection for each service and returns $true if the session is connected to the specified service.
 
     .PARAMETER Service
-    The service to check the connection for. Valid values are 'All', 'Azure', 'AzureDevOps', 'ExchangeOnline', 'Graph', 'SecurityCompliance' (or 'EOP'), and 'Teams'. Default is 'Graph'.
+    The service to check the connection for. Valid values are 'All', 'Azure', 'AzureDevOps', 'ExchangeOnline', 'GitHub', 'Graph', 'SecurityCompliance' (or 'EOP'), and 'Teams'. Default is 'Graph'.
+
+    GitHub requires an explicit Connect-MtGitHub call before testing - unlike other services it has no auto-detection. When checked via -Service All, GitHub is evaluated only after Connect-MtGitHub has been called in the current session; otherwise GitHub is skipped and does not affect the result.
 
     .PARAMETER Details
     Return the full details of all connections instead of just a boolean value.
@@ -15,18 +17,24 @@
     .EXAMPLE
     Test-MtConnection -Service All
 
-    Checks if the current session is connected to all services including Azure, Microsoft Graph, Exchange Online, Exchange Online Protection (SecurityCompliance), and Microsoft Teams. Returns a Boolean value.
+    Checks if the current session is connected to all services including Azure, Microsoft Graph, Exchange Online, Exchange Online Protection (SecurityCompliance), Microsoft Teams, and GitHub (only after Connect-MtGitHub has been called in the current session). Returns a Boolean value.
 
     .EXAMPLE
     Test-MtConnection -Service All -Details
 
-    Checks if the current session is connected to all services including Azure, Microsoft Graph, Exchange Online, Exchange Online Protection (SecurityCompliance), and Microsoft Teams. Returns a custom object that contains the connection details for all services.
+    Checks if the current session is connected to all services including Azure, Microsoft Graph, Exchange Online, Exchange Online Protection (SecurityCompliance), Microsoft Teams, and GitHub (only after Connect-MtGitHub has been called in the current session). Returns a custom object that contains the connection details for all services.
 
     .EXAMPLE
     Test-MtConnection -Service Azure
 
     Checks if the current session is connected to Azure and returns a Boolean result.
 
+    .EXAMPLE
+    Test-MtConnection -Service GitHub
+
+    Checks if the current session is connected to GitHub and returns a Boolean result.
+    Returns $false if Connect-MtGitHub has not been called in this session.
+
     .LINK
     https://maester.dev/docs/commands/Test-MtConnection
     #>
@@ -35,7 +43,7 @@
     [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWriteHost', 'AvoidUsingWriteHost', Justification = 'Sending colorful output to host in addition to rich object output.')]
     param(
         # Checks if the current session is connected to the specified service
-        [ValidateSet('All', 'Azure', 'AzureDevOps', 'ExchangeOnline', 'EOP', 'Graph', 'SecurityCompliance', 'Teams')]
+        [ValidateSet('All', 'Azure', 'AzureDevOps', 'ExchangeOnline', 'EOP', 'GitHub', 'Graph', 'SecurityCompliance', 'Teams')]
         [Parameter(Position = 0)]
         [string[]]$Service = 'Graph',
 
@@ -49,6 +57,7 @@
             PSTypeName  = 'Maester.Connections'
             Azure = $null
             AzureDevOps = $null
+            GitHub = $null
             Graph = $null
             ExchangeOnline = $null
             ExchangeOnlineProtection = $null
@@ -181,6 +190,27 @@
         }
         #endregion AzureDevOps
 
+        #region GitHub
+        if ($Service -contains 'GitHub' -or (
+            $Service -contains 'All' -and
+            $null -ne $__MtSession.GitHubConnection -and
+            $__MtSession.GitHubConnection.FailureReason -ne 'NotCalled'
+        )) {
+            $IsConnected = $false
+            if ($null -ne $__MtSession.GitHubConnection) {
+                if ($__MtSession.GitHubConnection.Connected -eq $true) {
+                    $MtConnections.GitHub = $__MtSession.GitHubConnection
+                    $IsConnected = $true
+                }
+            } else {
+                # No session state — GitHub requires explicit Connect-MtGitHub (no module auto-detect)
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'NotCalled' }
+            }
+            Write-Verbose "GitHub: $IsConnected"
+            if (!$IsConnected) { $ConnectionState = $false }
+        }
+        #endregion GitHub
+
         $MtConnections.AllConnected = $ConnectionState
 
     }
diff --git a/powershell/tests/functions/Clear-ModuleVariable.Tests.ps1 b/powershell/tests/functions/Clear-ModuleVariable.Tests.ps1
new file mode 100644
index 000000000..23afa4bb0
--- /dev/null
+++ b/powershell/tests/functions/Clear-ModuleVariable.Tests.ps1
@@ -0,0 +1,51 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+}
+
+Describe 'Clear-ModuleVariable — GitHub session lifecycle' {
+    BeforeEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+            $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer testtoken' }
+            $__MtSession.GitHubCache      = @{ somekey = 'cached-value' }
+        }
+    }
+
+    AfterEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection = $null
+            $__MtSession.GitHubAuthHeader = $null
+            $__MtSession.GitHubCache      = @{}
+        }
+    }
+
+    It 'Preserves GitHubConnection after Clear-ModuleVariable' {
+        InModuleScope Maester {
+            Clear-ModuleVariable
+            $__MtSession.GitHubConnection | Should -Not -BeNullOrEmpty
+            $__MtSession.GitHubConnection.Connected | Should -BeTrue
+        }
+    }
+
+    It 'Preserves GitHubAuthHeader after Clear-ModuleVariable' {
+        InModuleScope Maester {
+            Clear-ModuleVariable
+            $__MtSession.GitHubAuthHeader | Should -Not -BeNullOrEmpty
+            $__MtSession.GitHubAuthHeader['Authorization'] | Should -Be 'Bearer testtoken'
+        }
+    }
+
+    It 'Resets GitHubCache to empty after Clear-ModuleVariable' {
+        InModuleScope Maester {
+            Clear-ModuleVariable
+            $__MtSession.GitHubCache.Count | Should -Be 0
+        }
+    }
+
+    It 'Test-MtConnection GitHub still returns True after Clear-ModuleVariable' {
+        InModuleScope Maester {
+            Clear-ModuleVariable
+            Test-MtConnection -Service GitHub | Should -BeTrue
+        }
+    }
+}
diff --git a/powershell/tests/functions/Connect-MtGitHub.Tests.ps1 b/powershell/tests/functions/Connect-MtGitHub.Tests.ps1
new file mode 100644
index 000000000..9ddb670ad
--- /dev/null
+++ b/powershell/tests/functions/Connect-MtGitHub.Tests.ps1
@@ -0,0 +1,1428 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+}
+
+Describe 'Connect-MtGitHub' {
+    BeforeEach {
+        $script:savedMaesterGitHubToken = $env:MAESTER_GITHUB_TOKEN
+        $script:savedGhToken            = $env:GH_TOKEN
+        $env:MAESTER_GITHUB_TOKEN       = $null
+        $env:GH_TOKEN                   = $null
+
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection = $null
+            $__MtSession.GitHubAuthHeader = $null
+            $__MtSession.GitHubCache      = @{}
+            # Pre-load an empty config so the lazy-load path is skipped in most tests.
+            # Tests that exercise lazy-load explicitly reset this to $null.
+            $__MtSession.MaesterConfig = [PSCustomObject]@{
+                GlobalSettings = [PSCustomObject]@{}
+            }
+        }
+    }
+
+    AfterEach {
+        $env:MAESTER_GITHUB_TOKEN = $script:savedMaesterGitHubToken
+        $env:GH_TOKEN             = $script:savedGhToken
+
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection = $null
+            $__MtSession.GitHubAuthHeader = $null
+            $__MtSession.GitHubCache      = @{}
+            $__MtSession.MaesterConfig    = $null
+        }
+    }
+
+    Context 'Failure: NotConfigured' {
+        It 'Sets FailureReason = NotConfigured when no org and config has no GitHubOrganization' {
+            Connect-MtGitHub
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected     | Should -BeFalse
+                $__MtSession.GitHubConnection.FailureReason | Should -Be 'NotConfigured'
+            }
+        }
+    }
+
+    Context 'Failure: NoToken' {
+        It 'Sets FailureReason = NoToken when org is given but no token is available' {
+            # Token env vars are cleared in BeforeEach; no -Token param
+            Connect-MtGitHub -Organization 'myorg'
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected     | Should -BeFalse
+                $__MtSession.GitHubConnection.FailureReason | Should -Be 'NoToken'
+            }
+        }
+    }
+
+    Context 'Failure: TokenInvalid' {
+        It 'Sets FailureReason = TokenInvalid on HTTP 401 from /user' {
+            $env:MAESTER_GITHUB_TOKEN = 'bad-token'
+            $fakeResp = [PSCustomObject]@{ StatusCode = 401; Headers = @{} }
+            $ex = [System.Exception]::new('Unauthorized')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg'
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected     | Should -BeFalse
+                $__MtSession.GitHubConnection.FailureReason | Should -Be 'TokenInvalid'
+            }
+        }
+    }
+
+    Context 'Failure: ApiBaseUriFailed' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+        }
+
+        It 'Sets FailureReason = ApiBaseUriFailed when /user throws with no Response/StatusCode (DNS/TLS/transport)' {
+            # Plain exception with no Response — Get-MtGitHubErrorStatusCode returns $null,
+            # which models DNS failure, TLS handshake failure, connection refused, or an
+            # unreachable GHE base URI. Must not be classified as TokenInvalid.
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                throw [System.Exception]::new('No such host is known')
+            }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'ApiBaseUriFailed'
+                $c.FailureReason | Should -Not -Be 'TokenInvalid'
+                # Security property: failed connection must not leave a Bearer header in session.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context 'Failure: ApiUnavailable' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+        }
+
+        It 'Sets FailureReason = ApiUnavailable when /user returns HTTP 500 (server error, URI is fine)' {
+            # 5xx means GitHub responded — the base URI resolved and TLS succeeded — but the
+            # service itself is failing. Must not be conflated with TokenInvalid or ApiBaseUriFailed.
+            $fakeResp = [PSCustomObject]@{ StatusCode = 500; Headers = @{} }
+            $ex = [System.Exception]::new('Internal Server Error')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 500 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'Internal Server Error' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'ApiUnavailable'
+                $c.FailureReason | Should -Not -Be 'TokenInvalid'
+                $c.FailureReason | Should -Not -Be 'ApiBaseUriFailed'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Sets FailureReason = ApiUnavailable when /user returns HTTP 503' {
+            $fakeResp = [PSCustomObject]@{ StatusCode = 503; Headers = @{} }
+            $ex = [System.Exception]::new('Service Unavailable')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 503 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'Service Unavailable' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'ApiUnavailable'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context 'Failure: OrgAccessFailed' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+        }
+
+        It 'Sets FailureReason = OrgAccessFailed on HTTP 403 from /orgs/{org}' {
+            $fakeResp = [PSCustomObject]@{ StatusCode = 403; Headers = @{} }
+            $ex = [System.Exception]::new('Forbidden')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg'
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected     | Should -BeFalse
+                $__MtSession.GitHubConnection.FailureReason | Should -Be 'OrgAccessFailed'
+            }
+        }
+
+        It 'Sets FailureReason = OrgAccessFailed on HTTP 404 from /orgs/{org}' {
+            $fakeResp = [PSCustomObject]@{ StatusCode = 404; Headers = @{} }
+            $ex = [System.Exception]::new('Not Found')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg'
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected     | Should -BeFalse
+                $__MtSession.GitHubConnection.FailureReason | Should -Be 'OrgAccessFailed'
+            }
+        }
+
+        It 'Sets FailureReason = ApiBaseUriFailed when /orgs/{org} throws transport exception (no Response)' {
+            # /user succeeded, then DNS/TLS fails on the second probe. Must not be classified
+            # as OrgAccessFailed — the org access can't be determined when there's no HTTP response.
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/' } {
+                throw [System.Exception]::new('Connection reset by peer')
+            }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'ApiBaseUriFailed'
+                $c.FailureReason | Should -Not -Be 'OrgAccessFailed'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Sets FailureReason = ApiUnavailable when /orgs/{org} returns HTTP 500' {
+            $fakeResp = [PSCustomObject]@{ StatusCode = 500; Headers = @{} }
+            $ex = [System.Exception]::new('Internal Server Error')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 500 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'Internal Server Error' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'ApiUnavailable'
+                $c.FailureReason | Should -Not -Be 'OrgAccessFailed'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context 'Successful connection' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{"enabled_repositories":"all"}'; StatusCode = 200 }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg","plan":{"name":"enterprise"}}' }
+            }
+        }
+
+        It 'Sets Connected = $true and stores GitHubAuthHeader' {
+            Connect-MtGitHub -Organization 'myorg' 3>$null
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected                        | Should -BeTrue
+                $__MtSession.GitHubConnection.Organization                     | Should -Be 'myorg'
+                $__MtSession.GitHubConnection.TokenLogin                       | Should -Be 'testuser'
+                $__MtSession.GitHubConnection.AdministrationPermissionVerified | Should -BeTrue
+                $__MtSession.GitHubAuthHeader                                  | Should -Not -BeNullOrEmpty
+                $__MtSession.GitHubAuthHeader['Authorization']                 | Should -Match '^Bearer '
+            }
+        }
+
+        It 'All four probes use the configured ApiBaseUri and X-GitHub-Api-Version header' {
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.myco.ghe.com' -ApiVersion '2024-01-01' 3>$null
+
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 4 -ParameterFilter {
+                $Uri -match 'api\.myco\.ghe\.com' -and $Headers['X-GitHub-Api-Version'] -eq '2024-01-01'
+            }
+        }
+
+        It 'GHE.com data residency: all four endpoint paths target the configured base URI' {
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.octocorp.ghe.com' 3>$null
+
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 1 -ParameterFilter {
+                $Uri -eq 'https://api.octocorp.ghe.com/user'
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 1 -ParameterFilter {
+                $Uri -eq 'https://api.octocorp.ghe.com/orgs/myorg'
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 1 -ParameterFilter {
+                $Uri -eq 'https://api.octocorp.ghe.com/orgs/myorg/memberships/testuser'
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 1 -ParameterFilter {
+                $Uri -eq 'https://api.octocorp.ghe.com/orgs/myorg/actions/permissions'
+            }
+        }
+    }
+
+    Context 'Role probe' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{}'; StatusCode = 200 }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+        }
+
+        It 'admin + active: no warning, Role=admin, RoleVerified=$true, RoleState=active' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            $warns = @()
+            Connect-MtGitHub -Organization 'myorg' -WarningAction SilentlyContinue -WarningVariable warns 3>$null
+            $warns.Count | Should -Be 0
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeTrue
+                $c.Role          | Should -Be 'admin'
+                $c.RoleState     | Should -Be 'active'
+                $c.RoleVerified  | Should -BeTrue
+                $c.RoleVerificationFailureReason | Should -BeNullOrEmpty
+                $c.AdministrationPermissionVerified | Should -BeTrue
+            }
+        }
+
+        It 'admin + pending: fails connection with FailureReason = OrgMembershipPending and clears auth header' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"pending","role":"admin"}' }
+            }
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'OrgMembershipPending'
+                # Security property: failed connection must not leave a Bearer header in session.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'member + pending: fails connection with FailureReason = OrgMembershipPending' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"pending","role":"member"}' }
+            }
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'OrgMembershipPending'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'member + active: warning matches admin/owner phrasing (not "owner role"); Role=member, RoleVerified=$true' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"member"}' }
+            }
+            $warns = @()
+            Connect-MtGitHub -Organization 'myorg' -WarningAction SilentlyContinue -WarningVariable warns 3>$null
+            $warns.Count | Should -BeGreaterOrEqual 1
+            ($warns -join ' ') | Should -Match 'admin/owner|full CIS coverage'
+            ($warns -join ' ') | Should -Not -Match 'owner role'
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected    | Should -BeTrue
+                $c.Role         | Should -Be 'member'
+                $c.RoleVerified | Should -BeTrue
+            }
+        }
+
+        It 'unexpected role string: warning emitted; fields populated as returned' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"billing_manager"}' }
+            }
+            $warns = @()
+            Connect-MtGitHub -Organization 'myorg' -WarningAction SilentlyContinue -WarningVariable warns 3>$null
+            $warns.Count | Should -BeGreaterOrEqual 1
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected    | Should -BeTrue
+                $c.Role         | Should -Be 'billing_manager'
+                $c.RoleState    | Should -Be 'active'
+                $c.RoleVerified | Should -BeTrue
+            }
+        }
+
+    }
+
+    Context 'Administration permission probe' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+        }
+
+        It 'admin + active + admin probe 200: Connected=true, AdministrationPermissionVerified=true, no admin warning, four IWR calls' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{"enabled_repositories":"all"}'; StatusCode = 200 }
+            }
+
+            $warns = @()
+            Connect-MtGitHub -Organization 'myorg' -WarningAction SilentlyContinue -WarningVariable warns 3>$null
+
+            ($warns -join ' ') | Should -Not -Match 'administration API access'
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected                                    | Should -BeTrue
+                $c.AdministrationPermissionVerified             | Should -BeTrue
+                $c.AdministrationPermissionFailureReason        | Should -BeNullOrEmpty
+                $c.AdministrationPermissionStatusCode           | Should -Be 200
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 4
+        }
+
+        It 'admin + active + admin probe 403: Connected=true, FailureReason=null, AdministrationPermissionVerified=false, warning mentions both permission models' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            $fakeResp = [PSCustomObject]@{
+                StatusCode = 403
+                Headers    = @{ 'x-accepted-github-permissions' = 'administration=read' }
+            }
+            $ex = [System.Exception]::new('Forbidden')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 403 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'Resource not accessible by personal access token' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } { throw $ex }
+
+            $warns = @()
+            Connect-MtGitHub -Organization 'myorg' -WarningAction SilentlyContinue -WarningVariable warns 3>$null
+
+            $combined = $warns -join ' '
+            $combined | Should -Match 'admin:org'
+            $combined | Should -Match 'Administration: read'
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected                                    | Should -BeTrue
+                $c.FailureReason                                | Should -BeNullOrEmpty
+                $c.Role                                         | Should -Be 'admin'
+                $c.AdministrationPermissionVerified             | Should -BeFalse
+                $c.AdministrationPermissionStatusCode           | Should -Be 403
+                $c.AdministrationPermissionFailureReason        | Should -Match 'HTTP 403'
+                $c.AdministrationPermissionAcceptedPermissions  | Should -Be 'administration=read'
+            }
+        }
+
+        It 'member + active + admin probe 403: emits both role and admin-permission warnings' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"member"}' }
+            }
+            $fakeResp = [PSCustomObject]@{ StatusCode = 403; Headers = @{} }
+            $ex = [System.Exception]::new('Forbidden')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 403 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'Resource not accessible' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } { throw $ex }
+
+            $warns = @()
+            Connect-MtGitHub -Organization 'myorg' -WarningAction SilentlyContinue -WarningVariable warns 3>$null
+
+            $warns.Count | Should -BeGreaterOrEqual 2
+            $combined = $warns -join ' '
+            $combined | Should -Match 'admin/owner|full CIS coverage'
+            $combined | Should -Match 'administration API access|Administration: read'
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected                        | Should -BeTrue
+                $c.Role                             | Should -Be 'member'
+                $c.AdministrationPermissionVerified | Should -BeFalse
+            }
+        }
+    }
+
+    Context 'Failure: OrgMembershipFailed' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+        }
+
+        It 'Membership HTTP 403 fails connection with FailureReason = OrgMembershipFailed' {
+            $fakeResp = [PSCustomObject]@{ StatusCode = 403; Headers = @{} }
+            $ex = [System.Exception]::new('Forbidden')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 403 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'Insufficient permissions to read membership.' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'OrgMembershipFailed'
+                # Security property: failed connection must not leave a Bearer header in session.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Membership HTTP 404 fails connection with FailureReason = OrgMembershipFailed' {
+            $fakeResp = [PSCustomObject]@{ StatusCode = 404; Headers = @{} }
+            $ex = [System.Exception]::new('Not Found')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 404 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'Not Found' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'OrgMembershipFailed'
+                # Security property: failed connection must not leave a Bearer header in session.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It '200 with malformed JSON body fails connection with FailureReason = OrgMembershipFailed' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = 'not-json{' }
+            }
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'OrgMembershipFailed'
+                # Security property: failed connection must not leave a Bearer header in session.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It '200 with valid JSON missing role field fails connection with FailureReason = OrgMembershipFailed' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active"}' }
+            }
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'OrgMembershipFailed'
+                # Security property: failed connection must not leave a Bearer header in session.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It '200 with valid JSON missing state field fails connection with FailureReason = OrgMembershipFailed' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"role":"admin"}' }
+            }
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'OrgMembershipFailed'
+                # Security property: failed connection must not leave a Bearer header in session.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Sets FailureReason = ApiBaseUriFailed when /memberships/ throws transport exception (no Response)' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                throw [System.Exception]::new('No such host is known')
+            }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'ApiBaseUriFailed'
+                $c.FailureReason | Should -Not -Be 'OrgMembershipFailed'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Sets FailureReason = ApiUnavailable when /memberships/ returns HTTP 503' {
+            $fakeResp = [PSCustomObject]@{ StatusCode = 503; Headers = @{} }
+            $ex = [System.Exception]::new('Service Unavailable')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 503 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'Service Unavailable' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'ApiUnavailable'
+                $c.FailureReason | Should -Not -Be 'OrgMembershipFailed'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context 'Failure: RateLimited' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+        }
+
+        It '/user 403 with x-ratelimit-remaining=0 sets FailureReason=RateLimited and clears auth header' {
+            $fakeResp = [PSCustomObject]@{
+                StatusCode = 403
+                Headers    = @{ 'x-ratelimit-remaining' = '0'; 'x-ratelimit-reset' = '9999999999' }
+            }
+            $ex = [System.Exception]::new('Forbidden')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'RateLimited'
+                $c.FailureReason | Should -Not -Be 'TokenInvalid'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It '/orgs/{org} 429 with retry-after sets FailureReason=RateLimited (not OrgAccessFailed)' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            $fakeResp = [PSCustomObject]@{
+                StatusCode = 429
+                Headers    = @{ 'retry-after' = '60' }
+            }
+            $ex = [System.Exception]::new('Too Many Requests')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'RateLimited'
+                $c.FailureReason | Should -Not -Be 'OrgAccessFailed'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It '/memberships/ 403 with x-ratelimit-remaining=0 sets FailureReason=RateLimited (not OrgMembershipFailed)' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+            $fakeResp = [PSCustomObject]@{
+                StatusCode = 403
+                Headers    = @{ 'x-ratelimit-remaining' = '0'; 'x-ratelimit-reset' = '9999999999' }
+            }
+            $ex = [System.Exception]::new('Forbidden')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'RateLimited'
+                $c.FailureReason | Should -Not -Be 'OrgMembershipFailed'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Admin probe 429 with retry-after: Connected=true, FailureReason=null, admin permission marked rate-limited, warning mentions rate limit' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            $fakeResp = [PSCustomObject]@{
+                StatusCode = 429
+                Headers    = @{ 'retry-after' = '90' }
+            }
+            $ex = [System.Exception]::new('Too Many Requests')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } { throw $ex }
+
+            $warns = @()
+            Connect-MtGitHub -Organization 'myorg' -WarningAction SilentlyContinue -WarningVariable warns 3>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected                                | Should -BeTrue
+                $c.FailureReason                            | Should -BeNullOrEmpty
+                $c.AdministrationPermissionVerified         | Should -BeFalse
+                $c.AdministrationPermissionStatusCode       | Should -Be 429
+                $c.AdministrationPermissionFailureReason    | Should -Match 'rate limit'
+            }
+            ($warns -join ' ') | Should -Match 'rate limit'
+        }
+    }
+
+    Context 'Failure: TokenForbidden' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+        }
+
+        It '/user 403 with x-ratelimit-remaining=0 remains RateLimited' {
+            $fakeResp = [PSCustomObject]@{
+                StatusCode = 403
+                Headers    = @{ 'x-ratelimit-remaining' = '0'; 'x-ratelimit-reset' = '9999999999' }
+            }
+            $ex = [System.Exception]::new('Forbidden')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'RateLimited'
+                $c.FailureReason | Should -Not -Be 'TokenForbidden'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It '/user 403 without rate-limit headers sets FailureReason = TokenForbidden' {
+            $fakeResp = [PSCustomObject]@{ StatusCode = 403; Headers = @{} }
+            $ex = [System.Exception]::new('Forbidden')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'TokenForbidden'
+                $c.FailureReason | Should -Not -Be 'RateLimited'
+                $c.FailureReason | Should -Not -Be 'TokenInvalid'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context 'Cache seeding' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{"enabled_repositories":"all"}'; StatusCode = 200 }
+            }
+            Mock Get-MtGitHubCacheKey -ModuleName Maester {
+                "$ApiVersion|$AbsoluteUri"
+            }
+        }
+
+        It 'Seeds the connected organization response with the exact Invoke-MtGitHubRequest cache key' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/acme-co-2024$' } {
+                [PSCustomObject]@{ Content = '{"login":"acme-co-2024","plan":{"name":"enterprise"}}' }
+            }
+
+            Connect-MtGitHub -Organization 'acme-co-2024' 3>$null
+
+            InModuleScope Maester {
+                # Literal-key assertion protects the encoding contract; GitHub org logins are ASCII.
+                $__MtSession.GitHubCache.ContainsKey('2022-11-28|https://api.github.com/orgs/acme-co-2024') | Should -BeTrue
+                $__MtSession.GitHubCache.Count | Should -Be 1
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Exactly -Times 4
+            Should -Invoke Get-MtGitHubCacheKey -ModuleName Maester -Exactly -Times 1 -ParameterFilter {
+                $ApiVersion -eq '2022-11-28' -and $AbsoluteUri -eq 'https://api.github.com/orgs/acme-co-2024'
+            }
+
+            InModuleScope Maester {
+                $org = Get-MtGitHubOrganization
+                $org.login | Should -Be 'acme-co-2024'
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Exactly -Times 4
+            Should -Invoke Get-MtGitHubCacheKey -ModuleName Maester -Exactly -Times 2 -ParameterFilter {
+                $ApiVersion -eq '2022-11-28' -and $AbsoluteUri -eq 'https://api.github.com/orgs/acme-co-2024'
+            }
+        }
+
+        It 'Probe 2 malformed JSON returns OrgAccessFailed without seeding cache or auth state' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = 'not-json{' }
+            }
+
+            $info = @()
+            Connect-MtGitHub -Organization 'myorg' -InformationAction SilentlyContinue -InformationVariable info
+
+            ($info -join ' ') | Should -Match 'could not be parsed as JSON|proxy is modifying response bodies'
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'OrgAccessFailed'
+                $c.FailureReason | Should -Not -Be 'ApiBaseUriFailed'
+                $__MtSession.GitHubCache.Count | Should -Be 0
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Probe 3 failure leaves cache empty and auth state unset' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = 'not-json{' }
+            }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'OrgMembershipFailed'
+                $__MtSession.GitHubCache.Count | Should -Be 0
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Probe 4 failure still connects and still seeds the organization cache' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+            $fakeResp = [PSCustomObject]@{ StatusCode = 403; Headers = @{} }
+            $ex = [System.Exception]::new('Forbidden')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } { throw $ex }
+
+            $warns = @()
+            Connect-MtGitHub -Organization 'myorg' -WarningAction SilentlyContinue -WarningVariable warns 3>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected | Should -BeTrue
+                $c.AdministrationPermissionVerified | Should -BeFalse
+                $__MtSession.GitHubCache.ContainsKey('2022-11-28|https://api.github.com/orgs/myorg') | Should -BeTrue
+                $__MtSession.GitHubCache.Count | Should -Be 1
+            }
+        }
+    }
+
+    Context 'Failure: InvalidApiBaseUri' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+        }
+
+        It 'Config http:// URI fails before any web request' {
+            InModuleScope Maester {
+                $__MtSession.MaesterConfig = [PSCustomObject]@{
+                    GlobalSettings = [PSCustomObject]@{
+                        GitHubApiBaseUri = 'http://api.example.com'
+                    }
+                }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri is invalid' }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                # Security property: invalid URI must short-circuit before headers are stored.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Config non-URI value fails before any web request' {
+            InModuleScope Maester {
+                $__MtSession.MaesterConfig = [PSCustomObject]@{
+                    GlobalSettings = [PSCustomObject]@{
+                        GitHubApiBaseUri = 'not-a-uri'
+                    }
+                }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri is invalid' }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                # Security property: invalid URI must short-circuit before headers are stored.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Parameter -ApiBaseUri http:// fails before any web request and clears prior session state' {
+            # Pre-seed a stale session to prove the parameter validation path no longer throws
+            # before the session-clear step at the top of Connect-MtGitHub runs.
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'stale' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer stale-token' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri is invalid' }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'http://api.example.com' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                # Stale session state must be cleared even when the parameter value is rejected.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Parameter -ApiBaseUri "not-a-uri" fails before any web request and clears prior session state' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'stale' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer stale-token' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri is invalid' }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'not-a-uri' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Parameter https URI with trailing slash still works and is trimmed' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{}'; StatusCode = 200 }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.github.com/' 3>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected  | Should -BeTrue
+                $c.ApiBaseUri | Should -Be 'https://api.github.com'
+            }
+        }
+
+        It 'api.github.com (SaaS) passes the host allowlist' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{}'; StatusCode = 200 }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.github.com' 3>$null
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected  | Should -BeTrue
+                $__MtSession.GitHubConnection.ApiBaseUri | Should -Be 'https://api.github.com'
+            }
+        }
+
+        It 'api.<subdomain>.ghe.com (GHE.com data residency) passes the host allowlist' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{}'; StatusCode = 200 }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.octocorp.ghe.com' 3>$null
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected  | Should -BeTrue
+                $__MtSession.GitHubConnection.ApiBaseUri | Should -Be 'https://api.octocorp.ghe.com'
+            }
+        }
+
+        It 'Non-allowlisted https host fails before any web request and clears prior session state' {
+            # Pre-seed a stale session to confirm session-clear runs before host validation rejects the URI.
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'stale' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer stale-token' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri host is not allowlisted' }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://evil.example.com' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                # Security property: PAT must never be sent to non-GitHub hosts; auth header must be cleared.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Non-allowlisted https host with /api/v3 path (GHES on-prem shape) is rejected' {
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri host is not allowlisted' }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://github.example.com/api/v3' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Allowlisted host with a query string is rejected before any web request' {
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri has a query string' }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.github.com?foo=bar' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Allowlisted host with a fragment is rejected before any web request' {
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri has a fragment' }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.github.com#frag' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Allowlisted host with non-default port is rejected before any web request' {
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri uses a non-default port' }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.github.com:8443' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Allowlisted host with extra path component is rejected' {
+            # api.github.com/api/v3 has the right host but a non-root path; reject so the PAT isn't
+            # sent to an unexpected endpoint that could be a proxy or path-rewriting middleware.
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiBaseUri has a non-root path' }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.github.com/api/v3' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiBaseUri'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+    }
+
+    Context 'Config fallback: pre-loaded MaesterConfig' {
+        It 'Resolves org from pre-loaded MaesterConfig without calling Get-MtMaesterConfig' {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+            InModuleScope Maester {
+                $__MtSession.MaesterConfig = [PSCustomObject]@{
+                    GlobalSettings = [PSCustomObject]@{
+                        GitHubOrganization = 'config-org'
+                    }
+                }
+            }
+            Mock Get-MtMaesterConfig -ModuleName Maester { throw 'Get-MtMaesterConfig must not be called when config is pre-loaded' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{}'; StatusCode = 200 }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"config-org"}' }
+            }
+
+            Connect-MtGitHub 3>$null
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected    | Should -BeTrue
+                $__MtSession.GitHubConnection.Organization | Should -Be 'config-org'
+            }
+        }
+    }
+
+    Context 'Config fallback: lazy-load when MaesterConfig is null' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+
+            # Reset to null so the lazy-load path fires
+            InModuleScope Maester { $__MtSession.MaesterConfig = $null }
+
+            $fakeConfig = [PSCustomObject]@{
+                GlobalSettings = [PSCustomObject]@{
+                    GitHubOrganization = 'lazy-org'
+                    GitHubApiBaseUri   = 'https://api.lazy.ghe.com'
+                    GitHubApiVersion   = '2024-06-01'
+                }
+            }
+            Mock Get-MtMaesterConfig -ModuleName Maester { $fakeConfig }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{}'; StatusCode = 200 }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"lazy-org"}' }
+            }
+        }
+
+        It 'Lazy-loads config and resolves org when MaesterConfig is null and no -Organization supplied' {
+            Connect-MtGitHub 3>$null
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected    | Should -BeTrue
+                $__MtSession.GitHubConnection.Organization | Should -Be 'lazy-org'
+                # $__MtSession.MaesterConfig is now set; real Get-MtMaesterConfigGlobalSetting reads it
+                $__MtSession.MaesterConfig.GlobalSettings.GitHubOrganization | Should -Be 'lazy-org'
+            }
+        }
+
+        It 'Lazy-loads config for ApiBaseUri and ApiVersion when -Organization is supplied but others are omitted' {
+            Connect-MtGitHub -Organization 'myorg' 3>$null
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected  | Should -BeTrue
+                $__MtSession.GitHubConnection.ApiBaseUri | Should -Be 'https://api.lazy.ghe.com'
+                $__MtSession.GitHubConnection.ApiVersion | Should -Be '2024-06-01'
+            }
+        }
+
+        It 'All three config-backed values (org, ApiBaseUri, ApiVersion) are resolved from lazy-loaded config' {
+            Connect-MtGitHub 3>$null
+
+            InModuleScope Maester {
+                $conn = $__MtSession.GitHubConnection
+                $conn.Organization | Should -Be 'lazy-org'
+                $conn.ApiBaseUri   | Should -Be 'https://api.lazy.ghe.com'
+                $conn.ApiVersion   | Should -Be '2024-06-01'
+            }
+        }
+    }
+
+    Context 'Failure: InvalidApiVersion' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+        }
+
+        It 'Config GitHubApiVersion = "latest" fails before any web request' {
+            InModuleScope Maester {
+                $__MtSession.MaesterConfig = [PSCustomObject]@{
+                    GlobalSettings = [PSCustomObject]@{
+                        GitHubApiVersion = 'latest'
+                    }
+                }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiVersion is invalid' }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiVersion'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It 'Config GitHubApiVersion with valid format but /user returns 410: InvalidApiVersion (not TokenInvalid)' {
+            InModuleScope Maester {
+                $__MtSession.MaesterConfig = [PSCustomObject]@{
+                    GlobalSettings = [PSCustomObject]@{
+                        GitHubApiVersion = '2020-01-01'
+                    }
+                }
+            }
+            $fakeResp = [PSCustomObject]@{ StatusCode = 410; Headers = @{} }
+            $ex = [System.Exception]::new('Gone')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 410 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'API version is not supported' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiVersion'
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Parameter -ApiVersion "latest" sets InvalidApiVersion and clears prior session state' {
+            # Pre-seed a stale session to prove the function clears it before failing.
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'stale' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer stale-token' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester { throw 'Invoke-WebRequest must not be called when ApiVersion is invalid' }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiVersion 'latest' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiVersion'
+                # Stale auth header must be cleared even though the failure path runs early.
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 0
+        }
+
+        It '/user 400 with "Not a supported version" message maps to InvalidApiVersion (not TokenInvalid)' {
+            $fakeResp = [PSCustomObject]@{ StatusCode = 400; Headers = @{} }
+            $ex = [System.Exception]::new('Bad Request')
+            Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+            Mock Get-MtGitHubErrorStatusCode -ModuleName Maester { 400 }
+            Mock Get-MtGitHubErrorMessage    -ModuleName Maester { 'Not a supported version' }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } { throw $ex }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiVersion '2024-01-01' 6>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected     | Should -BeFalse
+                $c.FailureReason | Should -Be 'InvalidApiVersion'
+            }
+        }
+
+        It 'Parameter -ApiVersion "2024-01-01" passes local format validation and reaches /user header' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{}'; StatusCode = 200 }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+
+            Connect-MtGitHub -Organization 'myorg' -ApiVersion '2024-01-01' 3>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected  | Should -BeTrue
+                $c.ApiVersion | Should -Be '2024-01-01'
+                $__MtSession.GitHubAuthHeader['X-GitHub-Api-Version'] | Should -Be '2024-01-01'
+            }
+        }
+    }
+
+    Context 'Whitespace trimming on resolved values' {
+        BeforeEach {
+            $env:MAESTER_GITHUB_TOKEN = 'valid-token'
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/actions/permissions$' } {
+                [PSCustomObject]@{ Content = '{}'; StatusCode = 200 }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/memberships/' } {
+                [PSCustomObject]@{ Content = '{"state":"active","role":"admin"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/user$' } {
+                [PSCustomObject]@{ Content = '{"login":"testuser"}' }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '/orgs/[^/]+$' } {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}' }
+            }
+        }
+
+        It 'Trims surrounding whitespace from -Organization parameter' {
+            Connect-MtGitHub -Organization "  myorg`t" 3>$null
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected    | Should -BeTrue
+                $__MtSession.GitHubConnection.Organization | Should -Be 'myorg'
+            }
+            # Probe URIs must use the trimmed org, not URL-encoded whitespace.
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 1 -ParameterFilter {
+                $Uri -eq 'https://api.github.com/orgs/myorg'
+            }
+        }
+
+        It 'Trims surrounding whitespace from config-supplied GitHubOrganization' {
+            InModuleScope Maester {
+                $__MtSession.MaesterConfig = [PSCustomObject]@{
+                    GlobalSettings = [PSCustomObject]@{
+                        GitHubOrganization = "  myorg `n"
+                    }
+                }
+            }
+
+            Connect-MtGitHub 3>$null
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.Connected    | Should -BeTrue
+                $__MtSession.GitHubConnection.Organization | Should -Be 'myorg'
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 1 -ParameterFilter {
+                $Uri -eq 'https://api.github.com/orgs/myorg'
+            }
+        }
+
+        It 'Trims surrounding whitespace from -ApiVersion parameter before validation' {
+            Connect-MtGitHub -Organization 'myorg' -ApiVersion "  2024-01-01`t" 3>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected  | Should -BeTrue
+                $c.ApiVersion | Should -Be '2024-01-01'
+                $__MtSession.GitHubAuthHeader['X-GitHub-Api-Version'] | Should -Be '2024-01-01'
+            }
+        }
+
+        It 'Trims surrounding whitespace from config-supplied GitHubApiVersion before validation' {
+            InModuleScope Maester {
+                $__MtSession.MaesterConfig = [PSCustomObject]@{
+                    GlobalSettings = [PSCustomObject]@{
+                        GitHubApiVersion = " 2024-06-01 "
+                    }
+                }
+            }
+
+            Connect-MtGitHub -Organization 'myorg' 3>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected  | Should -BeTrue
+                $c.ApiVersion | Should -Be '2024-06-01'
+            }
+        }
+
+        It 'Trims surrounding whitespace from -ApiBaseUri parameter before validation' {
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri ' https://api.github.com ' 3>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected  | Should -BeTrue
+                $c.ApiBaseUri | Should -Be 'https://api.github.com'
+            }
+            # Probe URI must be clean — no URL-encoded whitespace prefix/suffix that would 404.
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 1 -ParameterFilter {
+                $Uri -eq 'https://api.github.com/user'
+            }
+        }
+
+        It 'Trims surrounding whitespace from -ApiBaseUri parameter combined with trailing slash' {
+            Connect-MtGitHub -Organization 'myorg' -ApiBaseUri 'https://api.github.com/ ' 3>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected  | Should -BeTrue
+                $c.ApiBaseUri | Should -Be 'https://api.github.com'
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 1 -ParameterFilter {
+                $Uri -eq 'https://api.github.com/user'
+            }
+        }
+
+        It 'Trims surrounding whitespace from config-supplied GitHubApiBaseUri before validation' {
+            InModuleScope Maester {
+                $__MtSession.MaesterConfig = [PSCustomObject]@{
+                    GlobalSettings = [PSCustomObject]@{
+                        GitHubApiBaseUri = ' https://api.github.com/ '
+                    }
+                }
+            }
+
+            Connect-MtGitHub -Organization 'myorg' 3>$null
+
+            InModuleScope Maester {
+                $c = $__MtSession.GitHubConnection
+                $c.Connected  | Should -BeTrue
+                $c.ApiBaseUri | Should -Be 'https://api.github.com'
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Times 1 -ParameterFilter {
+                $Uri -eq 'https://api.github.com/user'
+            }
+        }
+    }
+}
diff --git a/powershell/tests/functions/ConvertTo-MtMaesterResult.Tests.ps1 b/powershell/tests/functions/ConvertTo-MtMaesterResult.Tests.ps1
new file mode 100644
index 000000000..be48241a0
--- /dev/null
+++ b/powershell/tests/functions/ConvertTo-MtMaesterResult.Tests.ps1
@@ -0,0 +1,82 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+}
+
+Describe 'ConvertTo-MtMaesterResult' {
+    BeforeEach {
+        InModuleScope Maester {
+            $__MtSession.TestResultDetail = @{}
+            $__MtSession.MaesterConfig = [PSCustomObject]@{
+                GlobalSettings   = [PSCustomObject]@{}
+                TestSettings     = @()
+                TestSettingsHash = @{}
+            }
+        }
+        Mock Test-MtConnection -ModuleName Maester { $false }
+        Mock Get-MtModuleVersion -ModuleName Maester { '0.0.0-test' }
+        Mock Get-MtLatestModuleVersion -ModuleName Maester { $null }
+    }
+
+    AfterEach {
+        InModuleScope Maester {
+            $__MtSession.TestResultDetail = @{}
+            $__MtSession.MaesterConfig = $null
+        }
+    }
+
+    It 'Converts GitHub manual-review details to Investigate instead of Skipped' {
+        InModuleScope Maester {
+            $testName = 'CIS.GH.1.2.3: Ensure repository deletion is limited to specific users'
+            $__MtSession.TestResultDetail[$testName] = @{
+                TestTitle       = $testName
+                TestDescription = 'GitHub repository deletion control.'
+                TestResult      = 'Manual review required - members_can_delete_repositories is true.'
+                TestSkipped     = $null
+                SkippedReason   = $null
+                TestInvestigate = $true
+                Severity        = 'High'
+                Service         = 'GitHub'
+            }
+
+            $pesterTest = [PSCustomObject]@{
+                ExpandedName = $testName
+                Result       = 'Passed'
+                ErrorRecord  = @()
+                ScriptBlock  = [scriptblock]::Create('$result = Test-MtCisGitHubRepositoryDeletionLimited')
+                Block        = [PSCustomObject]@{
+                    Tag          = @('CIS.GH.1.2.3', 'CIS GH')
+                    ExpandedName = 'CIS'
+                }
+                Duration     = [TimeSpan]::FromSeconds(1)
+                Tag          = @('CIS.GH.1.2.3')
+            }
+            $pesterResults = [PSCustomObject]@{
+                Tests             = @($pesterTest)
+                Containers        = @(
+                    [PSCustomObject]@{
+                        Blocks = @(
+                            [PSCustomObject]@{
+                                Name   = 'CIS'
+                                Result = 'Passed'
+                                Tag    = @('CIS')
+                            }
+                        )
+                    }
+                )
+                Result            = 'Passed'
+                ExecutedAt        = [DateTime]::UtcNow
+                Duration          = [TimeSpan]::FromSeconds(1)
+                UserDuration      = [TimeSpan]::FromSeconds(1)
+                DiscoveryDuration = [TimeSpan]::Zero
+                FrameworkDuration = [TimeSpan]::Zero
+            }
+
+            $result = ConvertTo-MtMaesterResult -PesterResults $pesterResults
+
+            $result.Tests[0].Result | Should -Be 'Investigate'
+            $result.InvestigateCount | Should -Be 1
+            $result.SkippedCount | Should -Be 0
+            $result.Tests[0].ResultDetail.TestResult | Should -Match 'Manual review required'
+        }
+    }
+}
diff --git a/powershell/tests/functions/Disconnect-Maester.Tests.ps1 b/powershell/tests/functions/Disconnect-Maester.Tests.ps1
new file mode 100644
index 000000000..5c2bcb751
--- /dev/null
+++ b/powershell/tests/functions/Disconnect-Maester.Tests.ps1
@@ -0,0 +1,112 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+}
+
+Describe 'Disconnect-Maester — GitHub cleanup branch' {
+    BeforeEach {
+        InModuleScope Maester {
+            $__MtSession.Connections      = @()
+            $__MtSession.GitHubConnection = $null
+            $__MtSession.GitHubAuthHeader = $null
+            $__MtSession.GitHubCache      = @{}
+        }
+    }
+
+    AfterEach {
+        InModuleScope Maester {
+            $__MtSession.Connections      = @()
+            $__MtSession.GitHubConnection = $null
+            $__MtSession.GitHubAuthHeader = $null
+            $__MtSession.GitHubCache      = @{}
+        }
+    }
+
+    Context 'Default name (Disconnect-Maester)' {
+        It 'Clears all three GitHub session keys' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer token' }
+                $__MtSession.GitHubCache      = @{ 'foo' = 'bar' }
+            }
+            Disconnect-Maester 6>$null
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection | Should -BeNullOrEmpty
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+                $__MtSession.GitHubCache.Count | Should -Be 0
+            }
+        }
+    }
+
+    Context 'Module-qualified invocation (Maester\Disconnect-Maester)' {
+        It 'Clears all three GitHub session keys' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer token' }
+                $__MtSession.GitHubCache      = @{ 'foo' = 'bar' }
+            }
+            Maester\Disconnect-Maester 6>$null
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection  | Should -BeNullOrEmpty
+                $__MtSession.GitHubAuthHeader  | Should -BeNullOrEmpty
+                $__MtSession.GitHubCache.Count | Should -Be 0
+            }
+        }
+    }
+
+    Context 'Disconnect-MtMaester alias' {
+        It 'Clears GitHub state' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer token' }
+            }
+            Disconnect-MtMaester 6>$null
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection | Should -BeNullOrEmpty
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context 'Disconnect-MtGraph alias' {
+        It 'Does NOT clear GitHub state (Graph-only semantic)' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer token' }
+            }
+            Disconnect-MtGraph 6>$null
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection | Should -Not -BeNullOrEmpty
+                $__MtSession.GitHubConnection.Organization | Should -Be 'myorg'
+                $__MtSession.GitHubAuthHeader | Should -Not -BeNullOrEmpty
+                $__MtSession.GitHubAuthHeader['Authorization'] | Should -Be 'Bearer token'
+            }
+        }
+    }
+
+    Context 'When Graph disconnect throws' {
+        It 'Still clears GitHub state and rethrows the original exception' {
+            InModuleScope Maester {
+                $__MtSession.Connections      = @('Graph')
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer token' }
+                $__MtSession.GitHubCache      = @{ 'foo' = 'bar' }
+            }
+            Mock Disconnect-MgGraph -ModuleName Maester { throw 'Graph disconnect blew up' }
+
+            { Disconnect-Maester 6>$null } | Should -Throw '*Graph disconnect blew up*'
+
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection  | Should -BeNullOrEmpty
+                $__MtSession.GitHubAuthHeader  | Should -BeNullOrEmpty
+                $__MtSession.GitHubCache.Count | Should -Be 0
+            }
+        }
+    }
+
+    Context 'When no GitHub state exists' {
+        It 'Produces no GitHub-related host output' {
+            $hostOutput = Disconnect-Maester 6>&1 | Out-String
+            $hostOutput | Should -Not -Match 'Disconnected from GitHub'
+        }
+    }
+}
diff --git a/powershell/tests/functions/Disconnect-MtGitHub.Tests.ps1 b/powershell/tests/functions/Disconnect-MtGitHub.Tests.ps1
new file mode 100644
index 000000000..01a4f4e28
--- /dev/null
+++ b/powershell/tests/functions/Disconnect-MtGitHub.Tests.ps1
@@ -0,0 +1,51 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+}
+
+Describe 'Disconnect-MtGitHub' {
+    BeforeEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection = $null
+            $__MtSession.GitHubAuthHeader = $null
+            $__MtSession.GitHubCache      = @{}
+        }
+    }
+
+    AfterEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection = $null
+            $__MtSession.GitHubAuthHeader = $null
+            $__MtSession.GitHubCache      = @{}
+        }
+    }
+
+    Context 'When GitHub state is set' {
+        It 'Clears GitHubConnection, GitHubAuthHeader, and GitHubCache' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+                $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer token' }
+                $__MtSession.GitHubCache      = @{ 'foo' = 'bar' }
+            }
+            Disconnect-MtGitHub 6>$null
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection | Should -BeNullOrEmpty
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+                $__MtSession.GitHubCache.Count | Should -Be 0
+            }
+        }
+    }
+
+    Context 'When GitHub state is already null' {
+        It 'Does not throw' {
+            { Disconnect-MtGitHub 6>$null } | Should -Not -Throw
+        }
+
+        It 'Leaves session keys null' {
+            Disconnect-MtGitHub 6>$null
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection | Should -BeNullOrEmpty
+                $__MtSession.GitHubAuthHeader | Should -BeNullOrEmpty
+            }
+        }
+    }
+}
diff --git a/powershell/tests/functions/Get-MtGitHubRateLimitMessage.Tests.ps1 b/powershell/tests/functions/Get-MtGitHubRateLimitMessage.Tests.ps1
new file mode 100644
index 000000000..10827b680
--- /dev/null
+++ b/powershell/tests/functions/Get-MtGitHubRateLimitMessage.Tests.ps1
@@ -0,0 +1,141 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+}
+
+Describe 'Get-MtGitHubRateLimitMessage' {
+    function New-RateLimitErrorRecord {
+        param(
+            [int] $StatusCode,
+            [hashtable] $Headers
+        )
+        $resp = [PSCustomObject]@{ StatusCode = $StatusCode; Headers = $Headers }
+        $ex = [System.Exception]::new("HTTP $StatusCode")
+        Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+        # An ErrorRecord wrapping the exception is what the helper expects.
+        [System.Management.Automation.ErrorRecord]::new($ex, "TestId", [System.Management.Automation.ErrorCategory]::NotSpecified, $null)
+    }
+
+    Context 'Non-rate-limit responses' {
+        It 'Returns $null for status codes outside 403/429' {
+            InModuleScope Maester {
+                $resp = [PSCustomObject]@{ StatusCode = 500; Headers = @{} }
+                $ex = [System.Exception]::new('Server error')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+                $err = [System.Management.Automation.ErrorRecord]::new($ex, 'id', 'NotSpecified', $null)
+                Get-MtGitHubRateLimitMessage -ErrorRecord $err | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Returns $null for 403 without rate-limit headers' {
+            InModuleScope Maester {
+                $resp = [PSCustomObject]@{ StatusCode = 403; Headers = @{} }
+                $ex = [System.Exception]::new('Forbidden')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+                $err = [System.Management.Automation.ErrorRecord]::new($ex, 'id', 'NotSpecified', $null)
+                Get-MtGitHubRateLimitMessage -ErrorRecord $err | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context 'Malformed headers' {
+        It 'Returns $null when x-ratelimit-remaining is not a number and no retry-after header is set' {
+            InModuleScope Maester {
+                $resp = [PSCustomObject]@{
+                    StatusCode = 403
+                    Headers    = @{ 'x-ratelimit-remaining' = 'not-a-number' }
+                }
+                $ex = [System.Exception]::new('Forbidden')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+                $err = [System.Management.Automation.ErrorRecord]::new($ex, 'id', 'NotSpecified', $null)
+                { Get-MtGitHubRateLimitMessage -ErrorRecord $err } | Should -Not -Throw
+                Get-MtGitHubRateLimitMessage -ErrorRecord $err | Should -BeNullOrEmpty
+            }
+        }
+
+        It 'Returns primary rate-limit message with "Resets at: unknown" when remaining is 0 and reset is malformed' {
+            InModuleScope Maester {
+                $resp = [PSCustomObject]@{
+                    StatusCode = 403
+                    Headers    = @{ 'x-ratelimit-remaining' = '0'; 'x-ratelimit-reset' = 'not-a-number' }
+                }
+                $ex = [System.Exception]::new('Forbidden')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+                $err = [System.Management.Automation.ErrorRecord]::new($ex, 'id', 'NotSpecified', $null)
+                $msg = Get-MtGitHubRateLimitMessage -ErrorRecord $err
+                $msg | Should -Match 'rate limit'
+                $msg | Should -Match 'Resets at: unknown'
+            }
+        }
+    }
+
+    Context 'Valid rate-limit headers' {
+        It 'Returns primary rate-limit message with parsed reset time when remaining=0 and reset is valid' {
+            InModuleScope Maester {
+                $resp = [PSCustomObject]@{
+                    StatusCode = 403
+                    Headers    = @{ 'x-ratelimit-remaining' = '0'; 'x-ratelimit-reset' = '9999999999' }
+                }
+                $ex = [System.Exception]::new('Forbidden')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+                $err = [System.Management.Automation.ErrorRecord]::new($ex, 'id', 'NotSpecified', $null)
+                $msg = Get-MtGitHubRateLimitMessage -ErrorRecord $err
+                $msg | Should -Match '^GitHub API rate limit encountered \(HTTP 403\)\. Resets at: '
+                $msg | Should -Not -Match 'unknown'
+            }
+        }
+
+        It 'Returns secondary rate-limit message when retry-after is present' {
+            InModuleScope Maester {
+                $resp = [PSCustomObject]@{
+                    StatusCode = 429
+                    Headers    = @{ 'retry-after' = '30' }
+                }
+                $ex = [System.Exception]::new('Too Many Requests')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+                $err = [System.Management.Automation.ErrorRecord]::new($ex, 'id', 'NotSpecified', $null)
+                $msg = Get-MtGitHubRateLimitMessage -ErrorRecord $err
+                $msg | Should -Match 'secondary rate limit'
+                $msg | Should -Match 'Retry after: 30s'
+            }
+        }
+    }
+
+    Context 'Body-fallback secondary rate-limit detection' {
+        It 'Returns secondary rate-limit message for 403 when body mentions secondary rate limit and no retry-after header is present' {
+            InModuleScope Maester {
+                $resp = [PSCustomObject]@{ StatusCode = 403; Headers = @{} }
+                $ex = [System.Exception]::new('Forbidden')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+                $err = [System.Management.Automation.ErrorRecord]::new($ex, 'id', 'NotSpecified', $null)
+                $err.ErrorDetails = [System.Management.Automation.ErrorDetails]::new('{"message":"You have exceeded a secondary rate limit. Please wait a few minutes before you try again."}')
+                $msg = Get-MtGitHubRateLimitMessage -ErrorRecord $err
+                $msg | Should -Match '^GitHub secondary rate limit encountered \(HTTP 403\)\.'
+                $msg | Should -Match 'Retry after at least 60s'
+            }
+        }
+
+        It 'Returns secondary rate-limit message for 429 when body mentions abuse detection and no retry-after header is present' {
+            InModuleScope Maester {
+                $resp = [PSCustomObject]@{ StatusCode = 429; Headers = @{} }
+                $ex = [System.Exception]::new('Too Many Requests')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+                $err = [System.Management.Automation.ErrorRecord]::new($ex, 'id', 'NotSpecified', $null)
+                $err.ErrorDetails = [System.Management.Automation.ErrorDetails]::new('{"message":"Triggered abuse detection mechanism."}')
+                $msg = Get-MtGitHubRateLimitMessage -ErrorRecord $err
+                $msg | Should -Match '^GitHub secondary rate limit encountered \(HTTP 429\)\.'
+                $msg | Should -Match 'Retry after at least 60s'
+            }
+        }
+
+        It 'Still returns $null for 403 when body has unrelated message and no rate-limit headers' {
+            InModuleScope Maester {
+                $resp = [PSCustomObject]@{ StatusCode = 403; Headers = @{} }
+                $ex = [System.Exception]::new('Forbidden')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $resp
+                $err = [System.Management.Automation.ErrorRecord]::new($ex, 'id', 'NotSpecified', $null)
+                $err.ErrorDetails = [System.Management.Automation.ErrorDetails]::new('{"message":"Resource not accessible by personal access token"}')
+                Get-MtGitHubRateLimitMessage -ErrorRecord $err | Should -BeNullOrEmpty
+            }
+        }
+    }
+}
diff --git a/powershell/tests/functions/Get-MtGitHubResponseHeaderValue.Tests.ps1 b/powershell/tests/functions/Get-MtGitHubResponseHeaderValue.Tests.ps1
new file mode 100644
index 000000000..60e582b05
--- /dev/null
+++ b/powershell/tests/functions/Get-MtGitHubResponseHeaderValue.Tests.ps1
@@ -0,0 +1,99 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+}
+
+Describe 'Get-MtGitHubResponseHeaderValue' {
+    Context 'Null headers' {
+        It 'Returns $null when Headers is $null' {
+            InModuleScope Maester {
+                Get-MtGitHubResponseHeaderValue -Headers $null -Name 'x-ratelimit-remaining' | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context 'IDictionary headers (PS 5.1 WebHeaderCollection style)' {
+        It 'Returns value for exact-case match' {
+            InModuleScope Maester {
+                $headers = @{ 'x-ratelimit-remaining' = '42' }
+                Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'x-ratelimit-remaining' | Should -Be '42'
+            }
+        }
+
+        It 'Returns value for different-case header name' {
+            InModuleScope Maester {
+                $headers = @{ 'X-RateLimit-Remaining' = '10' }
+                Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'x-ratelimit-remaining' | Should -Be '10'
+            }
+        }
+
+        It 'Returns first element when header value is an array' {
+            InModuleScope Maester {
+                $headers = @{ 'Link' = @('<https://api.github.com/next>; rel="next"', '<https://api.github.com/last>; rel="last"') }
+                $result = Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'Link'
+                $result | Should -Be '<https://api.github.com/next>; rel="next"'
+            }
+        }
+
+        It 'Returns $null when header is not present' {
+            InModuleScope Maester {
+                $headers = @{ 'content-type' = 'application/json' }
+                Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'x-ratelimit-remaining' | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context 'HttpResponseHeaders with GetValues (PS 7 style)' {
+        It 'Returns value when GetValues succeeds' {
+            InModuleScope Maester {
+                $headers = [PSCustomObject]@{}
+                $headers | Add-Member -MemberType ScriptMethod -Name GetValues -Value {
+                    param([string]$name)
+                    if ($name -eq 'x-ratelimit-reset') { return @('1700000000') }
+                    throw "Header '$name' not found"
+                }
+                $result = Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'x-ratelimit-reset'
+                $result | Should -Be '1700000000'
+            }
+        }
+
+        It 'Returns $null when GetValues throws for unknown header' {
+            InModuleScope Maester {
+                $headers = [PSCustomObject]@{}
+                $headers | Add-Member -MemberType ScriptMethod -Name GetValues -Value {
+                    param([string]$name)
+                    throw "Header '$name' not found"
+                }
+                Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'x-ratelimit-remaining' | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context 'HttpResponseHeaders with TryGetValues (PS 7 style)' {
+        It 'Returns value when TryGetValues succeeds' {
+            InModuleScope Maester {
+                $headers = [PSCustomObject]@{}
+                $headers | Add-Member -MemberType ScriptMethod -Name TryGetValues -Value {
+                    param([string]$name, [ref]$values)
+                    if ($name -eq 'retry-after') {
+                        $values.Value = @('30')
+                        return $true
+                    }
+                    return $false
+                }
+                $result = Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'retry-after'
+                $result | Should -Be '30'
+            }
+        }
+
+        It 'Returns $null when TryGetValues returns false' {
+            InModuleScope Maester {
+                $headers = [PSCustomObject]@{}
+                $headers | Add-Member -MemberType ScriptMethod -Name TryGetValues -Value {
+                    param([string]$name, [ref]$values)
+                    return $false
+                }
+                Get-MtGitHubResponseHeaderValue -Headers $headers -Name 'x-ratelimit-remaining' | Should -BeNullOrEmpty
+            }
+        }
+    }
+}
diff --git a/powershell/tests/functions/Get-MtSession.Tests.ps1 b/powershell/tests/functions/Get-MtSession.Tests.ps1
new file mode 100644
index 000000000..4205b3e4f
--- /dev/null
+++ b/powershell/tests/functions/Get-MtSession.Tests.ps1
@@ -0,0 +1,143 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+}
+
+Describe 'Get-MtSession — GitHubAuthHeader redaction' {
+    BeforeEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubAuthHeader = $null
+        }
+    }
+
+    AfterEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubAuthHeader = $null
+        }
+    }
+
+    Context 'When GitHubAuthHeader is null' {
+        It 'Returns null without error' {
+            $result = Get-MtSession
+            $result.GitHubAuthHeader | Should -BeNullOrEmpty
+        }
+    }
+
+    Context 'When GitHubAuthHeader is a hashtable with Authorization (PascalCase)' {
+        It 'Redacts Authorization and preserves other headers' {
+            InModuleScope Maester {
+                $__MtSession.GitHubAuthHeader = @{
+                    Authorization          = 'Bearer ghp_realtoken123'
+                    Accept                 = 'application/vnd.github+json'
+                    'X-GitHub-Api-Version' = '2022-11-28'
+                    'User-Agent'           = 'Maester-GitHubCis'
+                }
+            }
+            $result = Get-MtSession
+            $result.GitHubAuthHeader | Should -BeOfType [System.Collections.IDictionary]
+            $result.GitHubAuthHeader['Authorization']          | Should -Be '<redacted>'
+            $result.GitHubAuthHeader['Accept']                 | Should -Be 'application/vnd.github+json'
+            $result.GitHubAuthHeader['X-GitHub-Api-Version']   | Should -Be '2022-11-28'
+            $result.GitHubAuthHeader['User-Agent']             | Should -Be 'Maester-GitHubCis'
+        }
+    }
+
+    Context 'When GitHubAuthHeader has lowercase authorization key' {
+        It 'Redacts the lowercase key and leaves no token in any value' {
+            InModuleScope Maester {
+                $__MtSession.GitHubAuthHeader = @{
+                    authorization = 'Bearer ghp_realtoken123'
+                    Accept        = 'application/vnd.github+json'
+                }
+            }
+            $result = Get-MtSession
+            $result.GitHubAuthHeader['authorization'] | Should -Be '<redacted>'
+            foreach ($v in $result.GitHubAuthHeader.Values) {
+                $v | Should -Not -Be 'Bearer ghp_realtoken123'
+            }
+        }
+    }
+
+    Context 'When GitHubAuthHeader has uppercase AUTHORIZATION key' {
+        It 'Redacts the uppercase key' {
+            InModuleScope Maester {
+                $__MtSession.GitHubAuthHeader = @{
+                    AUTHORIZATION = 'Bearer ghp_realtoken123'
+                    Accept        = 'application/vnd.github+json'
+                }
+            }
+            $result = Get-MtSession
+            $result.GitHubAuthHeader['AUTHORIZATION'] | Should -Be '<redacted>'
+            foreach ($v in $result.GitHubAuthHeader.Values) {
+                $v | Should -Not -Be 'Bearer ghp_realtoken123'
+            }
+        }
+    }
+
+    Context 'When GitHubAuthHeader has BOTH Authorization and authorization' {
+        It 'Redacts every Authorization-like key' {
+            InModuleScope Maester {
+                $h = [ordered]@{}
+                $h['Authorization'] = 'Bearer ghp_realtoken123'
+                $h['authorization'] = 'Bearer ghp_realtoken123'
+                $h['Accept']        = 'application/vnd.github+json'
+                $__MtSession.GitHubAuthHeader = $h
+            }
+            $result = Get-MtSession
+            $result.GitHubAuthHeader['Authorization'] | Should -Be '<redacted>'
+            $result.GitHubAuthHeader['authorization'] | Should -Be '<redacted>'
+            foreach ($v in $result.GitHubAuthHeader.Values) {
+                $v | Should -Not -Be 'Bearer ghp_realtoken123'
+            }
+        }
+    }
+
+    Context 'When GitHubAuthHeader is an OrderedDictionary' {
+        It 'Redacts Authorization and preserves remaining keys' {
+            InModuleScope Maester {
+                $h = [ordered]@{}
+                $h['Authorization']        = 'Bearer ghp_realtoken123'
+                $h['Accept']               = 'application/vnd.github+json'
+                $h['X-GitHub-Api-Version'] = '2022-11-28'
+                $__MtSession.GitHubAuthHeader = $h
+            }
+            $result = Get-MtSession
+            $result.GitHubAuthHeader | Should -BeOfType [System.Collections.IDictionary]
+            $result.GitHubAuthHeader['Authorization']        | Should -Be '<redacted>'
+            $result.GitHubAuthHeader['Accept']               | Should -Be 'application/vnd.github+json'
+            $result.GitHubAuthHeader['X-GitHub-Api-Version'] | Should -Be '2022-11-28'
+        }
+    }
+
+    Context 'When GitHubAuthHeader is an unsupported non-null shape' {
+        It 'Replaces the entire value with the redacted sentinel string (fail-closed)' {
+            InModuleScope Maester {
+                $__MtSession.GitHubAuthHeader = 'Bearer ghp_realtoken123'
+            }
+            $result = Get-MtSession
+            $result.GitHubAuthHeader | Should -Be '<redacted>'
+        }
+
+        It 'Replaces a PSCustomObject auth-like blob with the redacted sentinel string' {
+            InModuleScope Maester {
+                $__MtSession.GitHubAuthHeader = [PSCustomObject]@{ Authorization = 'Bearer ghp_realtoken123' }
+            }
+            $result = Get-MtSession
+            $result.GitHubAuthHeader | Should -Be '<redacted>'
+        }
+    }
+
+    Context 'Live session is not mutated by Get-MtSession' {
+        It 'Leaves $__MtSession.GitHubAuthHeader.Authorization intact for internal callers' {
+            InModuleScope Maester {
+                $__MtSession.GitHubAuthHeader = @{
+                    Authorization = 'Bearer ghp_realtoken123'
+                    Accept        = 'application/vnd.github+json'
+                }
+            }
+            Get-MtSession | Out-Null
+            InModuleScope Maester {
+                $__MtSession.GitHubAuthHeader['Authorization'] | Should -Be 'Bearer ghp_realtoken123'
+            }
+        }
+    }
+}
diff --git a/powershell/tests/functions/Invoke-MtGitHubRequest.Tests.ps1 b/powershell/tests/functions/Invoke-MtGitHubRequest.Tests.ps1
new file mode 100644
index 000000000..b2df6f569
--- /dev/null
+++ b/powershell/tests/functions/Invoke-MtGitHubRequest.Tests.ps1
@@ -0,0 +1,336 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+}
+
+Describe 'Invoke-MtGitHubRequest' {
+    BeforeEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection = [PSCustomObject]@{
+                Connected    = $true
+                Organization = 'myorg'
+                ApiBaseUri   = 'https://api.github.com'
+                ApiVersion   = '2022-11-28'
+            }
+            $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer faketoken' }
+            $__MtSession.GitHubCache      = @{}
+        }
+    }
+
+    AfterEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection = $null
+            $__MtSession.GitHubAuthHeader = $null
+            $__MtSession.GitHubCache      = @{}
+        }
+    }
+
+    Context 'Connection guard' {
+        It 'Throws when GitHubConnection is null' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = $null
+                { Invoke-MtGitHubRequest '/orgs/myorg' } | Should -Throw '*Connect-MtGitHub*'
+            }
+        }
+
+        It 'Throws when Connected = $false' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false }
+                { Invoke-MtGitHubRequest '/orgs/myorg' } | Should -Throw '*Connect-MtGitHub*'
+            }
+        }
+    }
+
+    Context 'Cache key helper' {
+        It 'Builds cache keys as ApiVersion|absoluteUri' {
+            InModuleScope Maester {
+                Get-MtGitHubCacheKey -ApiVersion '2022-11-28' -AbsoluteUri 'https://api.github.com/orgs/myorg' | Should -Be '2022-11-28|https://api.github.com/orgs/myorg'
+            }
+        }
+    }
+
+    Context 'Cache behavior' {
+        BeforeEach {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                [PSCustomObject]@{ Content = '{"login":"myorg"}'; Headers = @{} }
+            }
+            Mock Get-MtGitHubCacheKey -ModuleName Maester {
+                "$ApiVersion|$AbsoluteUri"
+            }
+        }
+
+        It 'Returns cached result; Invoke-WebRequest called only once for two identical calls' {
+            InModuleScope Maester {
+                Invoke-MtGitHubRequest '/orgs/myorg' | Out-Null
+                Invoke-MtGitHubRequest '/orgs/myorg' | Out-Null
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Exactly -Times 1
+            Should -Invoke Get-MtGitHubCacheKey -ModuleName Maester -Exactly -Times 2 -ParameterFilter {
+                $ApiVersion -eq '2022-11-28' -and $AbsoluteUri -eq 'https://api.github.com/orgs/myorg'
+            }
+        }
+
+        It 'Cache key is ApiVersion|absoluteUri' {
+            InModuleScope Maester {
+                Invoke-MtGitHubRequest '/orgs/myorg' | Out-Null
+                $expectedKey = '2022-11-28|https://api.github.com/orgs/myorg'
+                $__MtSession.GitHubCache.ContainsKey($expectedKey) | Should -BeTrue
+            }
+        }
+
+        It 'Stores result in cache on successful call (no -DisableCache)' {
+            InModuleScope Maester {
+                $result = Invoke-MtGitHubRequest '/orgs/myorg'
+                $result.login | Should -Be 'myorg'
+                $__MtSession.GitHubCache.Count | Should -Be 1
+                $cacheKey = '2022-11-28|https://api.github.com/orgs/myorg'
+                $__MtSession.GitHubCache[$cacheKey].login | Should -Be 'myorg'
+            }
+        }
+
+        It '-DisableCache bypasses existing cache entry and does NOT store result' {
+            InModuleScope Maester {
+                $cacheKey = '2022-11-28|https://api.github.com/orgs/myorg'
+                $__MtSession.GitHubCache[$cacheKey] = [PSCustomObject]@{ login = 'cached-value' }
+
+                $result = Invoke-MtGitHubRequest '/orgs/myorg' -DisableCache
+
+                # Web request was made (bypassed cache)
+                $result.login | Should -Be 'myorg'
+                # Original cache entry is untouched (not overwritten)
+                $__MtSession.GitHubCache[$cacheKey].login | Should -Be 'cached-value'
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Exactly -Times 1
+        }
+    }
+
+    Context 'Non-paginated request' {
+        It 'Returns single object body without -Paginate' {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                [PSCustomObject]@{ Content = '{"login":"myorg","plan":{"name":"enterprise"}}'; Headers = @{} }
+            }
+            InModuleScope Maester {
+                $result = Invoke-MtGitHubRequest '/orgs/myorg'
+                $result.login | Should -Be 'myorg'
+            }
+        }
+    }
+
+    Context 'Pagination' {
+        It 'Follows Link rel=next until no next link; returns all items combined' {
+            # [?&]page= matches ?page= or &page= but NOT per_page= (per_page contains 'page=' at offset 4)
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -notmatch '[?&]page=\d' } {
+                [PSCustomObject]@{
+                    Content = '[{"id":1},{"id":2}]'
+                    Headers = @{ 'Link' = '<https://api.github.com/orgs/myorg/members?page=2>; rel="next"' }
+                }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '[?&]page=\d' } {
+                [PSCustomObject]@{ Content = '[{"id":3}]'; Headers = @{} }
+            }
+
+            InModuleScope Maester {
+                $result = Invoke-MtGitHubRequest '/orgs/myorg/members' -Paginate
+                $result.Count | Should -Be 3
+                $result[2].id | Should -Be 3
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Exactly -Times 2
+        }
+    }
+
+    Context 'Pagination of empty arrays' {
+        It 'Returns an empty result (count 0) when the only page is `[]` with no next link' {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                [PSCustomObject]@{ Content = '[]'; Headers = @{} }
+            }
+            InModuleScope Maester {
+                $result = Invoke-MtGitHubRequest '/orgs/myorg/members' -Paginate
+                @($result).Count | Should -Be 0
+                # Must not contain a spurious $null item (the regression case).
+                @($result) -contains $null | Should -BeFalse
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Exactly -Times 1
+        }
+
+        It 'Skips an empty intermediate page without contributing $null items' {
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -notmatch '[?&]page=\d' } {
+                [PSCustomObject]@{
+                    Content = '[]'
+                    Headers = @{ 'Link' = '<https://api.github.com/orgs/myorg/members?page=2>; rel="next"' }
+                }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '[?&]page=\d' } {
+                [PSCustomObject]@{ Content = '[{"id":7}]'; Headers = @{} }
+            }
+            InModuleScope Maester {
+                $result = Invoke-MtGitHubRequest '/orgs/myorg/members' -Paginate
+                @($result).Count | Should -Be 1
+                @($result)[0].id | Should -Be 7
+                @($result) -contains $null | Should -BeFalse
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Exactly -Times 2
+        }
+
+        It 'Non-paginated `[]` response does not return a single $null item' {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                [PSCustomObject]@{ Content = '[]'; Headers = @{} }
+            }
+            InModuleScope Maester {
+                $result = Invoke-MtGitHubRequest '/orgs/myorg/members'
+                @($result).Count | Should -Be 0
+                @($result) -contains $null | Should -BeFalse
+            }
+        }
+    }
+
+    Context 'Pagination cross-origin guard' {
+        It 'Throws and stops paginating when next link is on a different origin' {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                [PSCustomObject]@{
+                    Content = '[{"id":1}]'
+                    Headers = @{ 'Link' = '<https://evil.example/orgs/myorg/members?page=2>; rel="next"' }
+                }
+            }
+            InModuleScope Maester {
+                { Invoke-MtGitHubRequest '/orgs/myorg/members' -Paginate } |
+                    Should -Throw '*outside the configured ApiBaseUri*'
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Exactly -Times 1
+        }
+
+        It 'Allows a same-origin next link with a base path prefix (GHE-style /api/v3)' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection.ApiBaseUri = 'https://ghe.example.com/api/v3'
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -notmatch '[?&]page=\d' } {
+                [PSCustomObject]@{
+                    Content = '[{"id":1}]'
+                    Headers = @{ 'Link' = '<https://ghe.example.com/api/v3/orgs/myorg/members?page=2>; rel="next"' }
+                }
+            }
+            Mock Invoke-WebRequest -ModuleName Maester -ParameterFilter { $Uri -match '[?&]page=\d' } {
+                [PSCustomObject]@{ Content = '[{"id":2}]'; Headers = @{} }
+            }
+            InModuleScope Maester {
+                $result = Invoke-MtGitHubRequest '/orgs/myorg/members' -Paginate
+                $result.Count | Should -Be 2
+            }
+            Should -Invoke Invoke-WebRequest -ModuleName Maester -Exactly -Times 2
+        }
+    }
+
+    Context 'Rate limit handling' {
+        It 'Emits verbose message when x-ratelimit-remaining is 0 on successful response' {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                [PSCustomObject]@{
+                    Content = '{"login":"myorg"}'
+                    Headers = @{ 'x-ratelimit-remaining' = '0'; 'x-ratelimit-reset' = '9999999999' }
+                }
+            }
+            InModuleScope Maester {
+                $allOutput   = Invoke-MtGitHubRequest '/orgs/myorg' -Verbose 4>&1
+                $verboseMsgs = ($allOutput | Where-Object { $_ -is [System.Management.Automation.VerboseRecord] }).Message
+                $verboseMsgs | Should -Match 'rate limit'
+            }
+        }
+
+        It 'Throws on primary rate-limit exhaustion (HTTP 403, remaining = 0)' {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                $fakeResp = [PSCustomObject]@{
+                    StatusCode = 403
+                    Headers    = @{ 'x-ratelimit-remaining' = '0'; 'x-ratelimit-reset' = '9999999999' }
+                }
+                $ex = [System.Exception]::new('Forbidden')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+                throw $ex
+            }
+            InModuleScope Maester {
+                { Invoke-MtGitHubRequest '/orgs/myorg' } | Should -Throw '*rate limit*'
+            }
+        }
+
+        It 'Rethrows ordinary 403 without rate-limit headers as the original error (not a rate-limit message)' {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                $fakeResp = [PSCustomObject]@{
+                    StatusCode = 403
+                    Headers    = @{}
+                }
+                $ex = [System.Exception]::new('Forbidden')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+                throw $ex
+            }
+            InModuleScope Maester {
+                $thrownMessage = $null
+                try { Invoke-MtGitHubRequest '/orgs/myorg' } catch { $thrownMessage = $_.Exception.Message }
+                $thrownMessage | Should -Match 'Forbidden'
+                $thrownMessage | Should -Not -Match 'rate limit'
+            }
+        }
+
+        It 'Rethrows original error when x-ratelimit-remaining is malformed (no parse exception)' {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                $fakeResp = [PSCustomObject]@{
+                    StatusCode = 403
+                    Headers    = @{ 'x-ratelimit-remaining' = 'not-a-number' }
+                }
+                $ex = [System.Exception]::new('Forbidden')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+                throw $ex
+            }
+            InModuleScope Maester {
+                $thrownMessage = $null
+                try { Invoke-MtGitHubRequest '/orgs/myorg' } catch { $thrownMessage = $_.Exception.Message }
+                $thrownMessage | Should -Match 'Forbidden'
+                $thrownMessage | Should -Not -Match 'rate limit'
+                $thrownMessage | Should -Not -Match 'Cannot convert'
+            }
+        }
+
+        It 'Does not throw on successful response when x-ratelimit-reset is out of range for FromUnixTimeSeconds' {
+            # 253402300800 is one second past the documented upper bound of FromUnixTimeSeconds
+            # (max accepted = 253402300799 = 9999-12-31T23:59:59Z). A bogus reset epoch from
+            # an upstream proxy must not raise ArgumentOutOfRangeException and mask the response.
+            Mock Invoke-WebRequest -ModuleName Maester {
+                [PSCustomObject]@{
+                    Content = '{"login":"myorg"}'
+                    Headers = @{ 'x-ratelimit-remaining' = '0'; 'x-ratelimit-reset' = '253402300800' }
+                }
+            }
+            InModuleScope Maester {
+                { Invoke-MtGitHubRequest '/orgs/myorg' } | Should -Not -Throw
+                $result = Invoke-MtGitHubRequest '/orgs/myorg' -DisableCache
+                $result.login | Should -Be 'myorg'
+            }
+        }
+
+        It 'Does not throw on successful response when x-ratelimit-remaining is malformed' {
+            # Successful response body is valid; a malformed rate-limit header (e.g. an upstream
+            # proxy rewriting the value) must not raise a parse exception that masks the response.
+            Mock Invoke-WebRequest -ModuleName Maester {
+                [PSCustomObject]@{
+                    Content = '{"login":"myorg"}'
+                    Headers = @{ 'x-ratelimit-remaining' = 'not-a-number'; 'x-ratelimit-reset' = 'also-bogus' }
+                }
+            }
+            InModuleScope Maester {
+                { Invoke-MtGitHubRequest '/orgs/myorg' } | Should -Not -Throw
+                $result = Invoke-MtGitHubRequest '/orgs/myorg' -DisableCache
+                $result.login | Should -Be 'myorg'
+            }
+        }
+
+        It 'Throws on secondary rate-limit (HTTP 429, retry-after header present)' {
+            Mock Invoke-WebRequest -ModuleName Maester {
+                $fakeResp = [PSCustomObject]@{
+                    StatusCode = 429
+                    Headers    = @{ 'retry-after' = '30' }
+                }
+                $ex = [System.Exception]::new('Too Many Requests')
+                Add-Member -InputObject $ex -MemberType NoteProperty -Name Response -Value $fakeResp
+                throw $ex
+            }
+            InModuleScope Maester {
+                { Invoke-MtGitHubRequest '/orgs/myorg' } | Should -Throw '*secondary rate limit*'
+            }
+        }
+    }
+}
diff --git a/powershell/tests/functions/Test-MtCisGitHubOrganizationSettings.Tests.ps1 b/powershell/tests/functions/Test-MtCisGitHubOrganizationSettings.Tests.ps1
new file mode 100644
index 000000000..190c8475a
--- /dev/null
+++ b/powershell/tests/functions/Test-MtCisGitHubOrganizationSettings.Tests.ps1
@@ -0,0 +1,370 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+}
+
+Describe 'CIS GitHub organization setting tests' {
+    BeforeEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection = [PSCustomObject]@{
+                Connected    = $true
+                Organization = 'myorg'
+                ApiBaseUri   = 'https://api.github.com'
+                ApiVersion   = '2022-11-28'
+            }
+            $__MtSession.GitHubAuthHeader = @{ Authorization = 'Bearer faketoken' }
+            $__MtSession.GitHubCache      = @{}
+            $__MtSession.MaesterConfig    = [PSCustomObject]@{ GlobalSettings = [PSCustomObject]@{} }
+        }
+
+        $script:orgResponse = [PSCustomObject]@{
+            login                                    = 'myorg'
+            members_can_create_public_repositories  = $false
+            members_can_create_private_repositories = $false
+            members_can_create_internal_repositories = $false
+            members_allowed_repository_creation_type = 'none'
+            members_can_delete_repositories         = $false
+            members_can_delete_issues               = $false
+            members_can_create_teams                = $false
+            default_repository_permission           = 'read'
+        }
+
+        Mock Invoke-MtGitHubRequest -ModuleName Maester { $script:orgResponse }
+        Mock Add-MtTestResultDetail -ModuleName Maester { }
+    }
+
+    AfterEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection = $null
+            $__MtSession.GitHubAuthHeader = $null
+            $__MtSession.GitHubCache      = @{}
+            $__MtSession.MaesterConfig    = $null
+        }
+    }
+
+    Context 'Helpers' {
+        It 'Test-MtGitHubObjectProperty treats a $false property as present' {
+            InModuleScope Maester {
+                $obj = [PSCustomObject]@{ members_can_delete_issues = $false }
+                Test-MtGitHubObjectProperty -InputObject $obj -PropertyName 'members_can_delete_issues' | Should -BeTrue
+                Test-MtGitHubObjectProperty -InputObject $obj -PropertyName 'missing_field' | Should -BeFalse
+            }
+        }
+
+        It 'Get-MtGitHubOrganization uses the connected organization and request cache helper' {
+            InModuleScope Maester {
+                $result = Get-MtGitHubOrganization
+                $result.login | Should -Be 'myorg'
+            }
+            Should -Invoke Invoke-MtGitHubRequest -ModuleName Maester -Exactly -Times 1 -ParameterFilter {
+                $RelativeUri -eq '/orgs/myorg'
+            }
+        }
+
+        It 'Get-MtGitHubOrganization throws when GitHub is not connected' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = $null
+                { Get-MtGitHubOrganization } | Should -Throw -ExpectedMessage 'Not connected to GitHub. Call Connect-MtGitHub first.'
+            }
+        }
+    }
+
+    Context 'Pass cases' {
+        It 'Passes repository creation when API evidence is compliant' {
+            Test-MtCisGitHubRepositoryCreationLimited | Should -BeTrue
+        }
+
+        It 'Passes team creation when API evidence is compliant' {
+            Test-MtCisGitHubTeamCreationLimited | Should -BeTrue
+        }
+
+        It 'Passes strict base permissions when API evidence is compliant' {
+            Test-MtCisGitHubStrictBasePermission | Should -BeTrue
+        }
+
+        It 'Passes repository creation when the internal repository field is not returned' {
+            $script:orgResponse = [PSCustomObject]@{
+                members_can_create_public_repositories  = $false
+                members_can_create_private_repositories = $false
+            }
+
+            Test-MtCisGitHubRepositoryCreationLimited | Should -BeTrue
+        }
+
+        It 'Passes repository creation when only returned internal repository creation is allowed' {
+            $script:orgResponse.members_can_create_internal_repositories = $true
+
+            Test-MtCisGitHubRepositoryCreationLimited | Should -BeTrue
+        }
+
+        It 'Passes when GitHub returns mixed-case Read because -contains is case-insensitive' {
+            # This documents PowerShell's default case-insensitive -contains behavior.
+            $script:orgResponse.default_repository_permission = 'Read'
+
+            Test-MtCisGitHubStrictBasePermission | Should -BeTrue
+        }
+    }
+
+    Context 'Result rendering' {
+        $renderingCases = @(
+            @{
+                Function        = 'Test-MtCisGitHubRepositoryCreationLimited'
+                Id              = 'CIS.GH.1.2.2'
+                ExpectedRows    = @(
+                    '\| `members_can_create_public_repositories` \| `False` \| `False` \|'
+                    '\| `members_can_create_private_repositories` \| `False` \| `False` \|'
+                    '\| `members_can_create_internal_repositories` \| `False` \| `Informational` \|'
+                )
+                HasLegacyFooter = $true
+                HasInternalNote = $true
+                IsInvestigate   = $false
+            }
+            @{
+                Function        = 'Test-MtCisGitHubRepositoryDeletionLimited'
+                Id              = 'CIS.GH.1.2.3'
+                ExpectedRows    = @('\| `members_can_delete_repositories` \| `False` \| `False` \|')
+                HasLegacyFooter = $false
+                HasInternalNote = $false
+                IsInvestigate   = $true
+            }
+            @{
+                Function        = 'Test-MtCisGitHubIssueDeletionLimited'
+                Id              = 'CIS.GH.1.2.4'
+                ExpectedRows    = @('\| `members_can_delete_issues` \| `False` \| `False` \|')
+                HasLegacyFooter = $false
+                HasInternalNote = $false
+                IsInvestigate   = $true
+            }
+            @{
+                Function        = 'Test-MtCisGitHubTeamCreationLimited'
+                Id              = 'CIS.GH.1.3.2'
+                ExpectedRows    = @('\| `members_can_create_teams` \| `False` \| `False` \|')
+                HasLegacyFooter = $false
+                HasInternalNote = $false
+                IsInvestigate   = $false
+            }
+            @{
+                Function        = 'Test-MtCisGitHubStrictBasePermission'
+                Id              = 'CIS.GH.1.3.8'
+                ExpectedRows    = @('\| `default_repository_permission` \| `read` \| `none` or `read` \|')
+                HasLegacyFooter = $false
+                HasInternalNote = $false
+                IsInvestigate   = $false
+            }
+        )
+
+        It 'Renders <Function> with the common evidence table shape' -ForEach $renderingCases {
+            $functionResult = & $Function
+            if ($IsInvestigate) {
+                $functionResult | Should -BeNullOrEmpty
+            } else {
+                $functionResult | Should -BeTrue
+            }
+
+            Should -Invoke Add-MtTestResultDetail -ModuleName Maester -Exactly -Times 1 -ParameterFilter {
+                $Result -match "$Id automated evidence from ``GET /orgs/\{org\}``\." -and
+                $Result -match '\| Field \| Actual \| Expected \|' -and
+                $Result -match '\| --- \| --- \| --- \|' -and
+                (($IsInvestigate -and $Investigate -eq $true) -or (-not $IsInvestigate -and -not $Investigate))
+            }
+
+            foreach ($row in $ExpectedRows) {
+                Should -Invoke Add-MtTestResultDetail -ModuleName Maester -Exactly -Times 1 -ParameterFilter {
+                    $Result -match $row
+                }
+            }
+
+            if ($HasLegacyFooter) {
+                Should -Invoke Add-MtTestResultDetail -ModuleName Maester -Exactly -Times 1 -ParameterFilter {
+                    $Result -match 'Deprecated umbrella field `members_allowed_repository_creation_type` was returned as `none`' -and
+                    $Result -match 'granular fields above are the decisive checks'
+                }
+            } else {
+                Should -Invoke Add-MtTestResultDetail -ModuleName Maester -Exactly -Times 1 -ParameterFilter {
+                    $Result -notmatch 'Deprecated umbrella field'
+                }
+            }
+
+            if ($HasInternalNote) {
+                Should -Invoke Add-MtTestResultDetail -ModuleName Maester -Exactly -Times 1 -ParameterFilter {
+                    $Result -match "The internal-repository row is informational\. CIS GH 1\.2\.2's literal audit covers public and private only\."
+                }
+            }
+        }
+
+        It 'Renders repository creation deprecated umbrella footer when the umbrella field is omitted' {
+            $script:orgResponse = [PSCustomObject]@{
+                login                                    = 'myorg'
+                members_can_create_public_repositories  = $false
+                members_can_create_private_repositories = $false
+            }
+
+            Test-MtCisGitHubRepositoryCreationLimited | Should -BeTrue
+
+            Should -Invoke Add-MtTestResultDetail -ModuleName Maester -Exactly -Times 1 -ParameterFilter {
+                $Result -match '\| `members_can_create_public_repositories` \| `False` \| `False` \|' -and
+                $Result -match '\| `members_can_create_private_repositories` \| `False` \| `False` \|' -and
+                $Result -match 'Deprecated umbrella field `members_allowed_repository_creation_type` was not returned' -and
+                $Result -match 'granular fields above are the decisive checks'
+            }
+        }
+    }
+
+    Context 'Fail cases' {
+        $failCases = @(
+            @{
+                Name     = 'repository creation when public repository creation is allowed'
+                Function = 'Test-MtCisGitHubRepositoryCreationLimited'
+                Mutate   = { $script:orgResponse.members_can_create_public_repositories = $true }
+            }
+            @{
+                Name     = 'team creation when member team creation is allowed'
+                Function = 'Test-MtCisGitHubTeamCreationLimited'
+                Mutate   = { $script:orgResponse.members_can_create_teams = $true }
+            }
+            @{
+                Name     = 'strict base permissions when default permission is write'
+                Function = 'Test-MtCisGitHubStrictBasePermission'
+                Mutate   = { $script:orgResponse.default_repository_permission = 'write' }
+            }
+        )
+
+        It 'Fails <Name>' -ForEach $failCases {
+            & $Mutate
+            & $Function | Should -BeFalse
+        }
+
+    }
+
+    Context 'Manual review required' {
+        It 'Marks repository deletion as investigate when member repository deletion is disabled' {
+            Test-MtCisGitHubRepositoryDeletionLimited | Should -BeNullOrEmpty
+
+            Should -Invoke Add-MtTestResultDetail -ModuleName Maester -Exactly -Times 1 -ParameterFilter {
+                -not $SkippedBecause -and
+                -not $SkippedCustomReason -and
+                $Investigate -eq $true -and
+                $Result -match 'Manual review required' -and
+                $Result -match 'organization owners are trusted and qualified' -and
+                $Result -match '\| `members_can_delete_repositories` \| `False` \| `False` \|'
+            }
+        }
+
+        It 'Marks repository deletion as investigate when member repository deletion is enabled' {
+            $script:orgResponse.members_can_delete_repositories = $true
+
+            Test-MtCisGitHubRepositoryDeletionLimited | Should -BeNullOrEmpty
+
+            Should -Invoke Add-MtTestResultDetail -ModuleName Maester -Exactly -Times 1 -ParameterFilter {
+                -not $SkippedBecause -and
+                -not $SkippedCustomReason -and
+                $Investigate -eq $true -and
+                $Result -match 'Manual review required' -and
+                $Result -match 'repository admin members are trusted and qualified' -and
+                $Result -match '\| `members_can_delete_repositories` \| `True` \| `False` \|'
+            }
+        }
+
+        It 'Marks issue deletion as investigate when member issue deletion is disabled' {
+            Test-MtCisGitHubIssueDeletionLimited | Should -BeNullOrEmpty
+
+            Should -Invoke Add-MtTestResultDetail -ModuleName Maester -Exactly -Times 1 -ParameterFilter {
+                -not $SkippedBecause -and
+                -not $SkippedCustomReason -and
+                $Investigate -eq $true -and
+                $Result -match 'Manual review required' -and
+                $Result -match 'organization owners are trusted and qualified' -and
+                $Result -match '\| `members_can_delete_issues` \| `False` \| `False` \|'
+            }
+        }
+
+        It 'Marks issue deletion as investigate when member issue deletion is enabled' {
+            $script:orgResponse.members_can_delete_issues = $true
+
+            Test-MtCisGitHubIssueDeletionLimited | Should -BeNullOrEmpty
+
+            Should -Invoke Add-MtTestResultDetail -ModuleName Maester -Exactly -Times 1 -ParameterFilter {
+                -not $SkippedBecause -and
+                -not $SkippedCustomReason -and
+                $Investigate -eq $true -and
+                $Result -match 'Manual review required' -and
+                $Result -match 'repository admin members are trusted and qualified' -and
+                $Result -match '\| `members_can_delete_issues` \| `True` \| `False` \|'
+            }
+        }
+    }
+
+    Context 'Missing evidence' {
+        $missingFieldCases = @(
+            @{
+                Function = 'Test-MtCisGitHubRepositoryCreationLimited'
+                Field    = 'members_can_create_public_repositories'
+            }
+            @{
+                Function = 'Test-MtCisGitHubRepositoryDeletionLimited'
+                Field    = 'members_can_delete_repositories'
+            }
+            @{
+                Function = 'Test-MtCisGitHubIssueDeletionLimited'
+                Field    = 'members_can_delete_issues'
+            }
+            @{
+                Function = 'Test-MtCisGitHubTeamCreationLimited'
+                Field    = 'members_can_create_teams'
+            }
+            @{
+                Function = 'Test-MtCisGitHubStrictBasePermission'
+                Field    = 'default_repository_permission'
+            }
+        )
+
+        It 'Skips <Function> when <Field> is missing' -ForEach $missingFieldCases {
+            $script:orgResponse = [PSCustomObject]@{ login = 'myorg' }
+
+            & $Function | Should -BeNullOrEmpty
+            Should -Invoke Add-MtTestResultDetail -ModuleName Maester -Exactly -Times 1 -ParameterFilter {
+                $SkippedBecause -eq 'Custom' -and $SkippedCustomReason -match $Field
+            }
+        }
+    }
+
+    Context 'Disconnected GitHub' {
+        $functions = @(
+            'Test-MtCisGitHubRepositoryCreationLimited'
+            'Test-MtCisGitHubRepositoryDeletionLimited'
+            'Test-MtCisGitHubIssueDeletionLimited'
+            'Test-MtCisGitHubTeamCreationLimited'
+            'Test-MtCisGitHubStrictBasePermission'
+        )
+
+        It 'Skips <_> when GitHub is not connected' -ForEach $functions {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = $null
+            }
+
+            & $_ | Should -BeNullOrEmpty
+            Should -Invoke Add-MtTestResultDetail -ModuleName Maester -Exactly -Times 1 -ParameterFilter {
+                $SkippedBecause -eq 'NotConnectedGitHub'
+            }
+            Should -Invoke Invoke-MtGitHubRequest -ModuleName Maester -Exactly -Times 0
+        }
+    }
+
+    Context 'GitHub request errors' {
+        $functions = @(
+            'Test-MtCisGitHubRepositoryCreationLimited'
+            'Test-MtCisGitHubRepositoryDeletionLimited'
+            'Test-MtCisGitHubIssueDeletionLimited'
+            'Test-MtCisGitHubTeamCreationLimited'
+            'Test-MtCisGitHubStrictBasePermission'
+        )
+
+        It 'Skips <_> when the GitHub organization request throws' -ForEach $functions {
+            Mock Invoke-MtGitHubRequest -ModuleName Maester { throw 'GitHub API boom' }
+
+            & $_ | Should -BeNullOrEmpty
+            Should -Invoke Add-MtTestResultDetail -ModuleName Maester -Exactly -Times 1 -ParameterFilter {
+                $SkippedBecause -eq 'Error' -and $null -ne $SkippedError
+            }
+        }
+    }
+}
diff --git a/powershell/tests/functions/Test-MtConnection.Tests.ps1 b/powershell/tests/functions/Test-MtConnection.Tests.ps1
new file mode 100644
index 000000000..42612de1a
--- /dev/null
+++ b/powershell/tests/functions/Test-MtConnection.Tests.ps1
@@ -0,0 +1,218 @@
+BeforeAll {
+    Import-Module "$PSScriptRoot/../../Maester.psd1" -Force
+
+    # Bypass Pester's slow command-resolution path when MS service modules are not loaded
+    # in the test environment. Track which stubs we created so AfterAll cleans up only
+    # those — never touch real cmdlets that were already present.
+    $script:createdStubs = @()
+    foreach ($cmd in 'Get-AzContext','Invoke-AzRestMethod','Get-MgContext','Get-CsTenant') {
+        if (-not (Get-Command $cmd -ErrorAction SilentlyContinue)) {
+            New-Item -Path "function:global:$cmd" -Value { } | Out-Null
+            $script:createdStubs += $cmd
+        }
+    }
+}
+
+AfterAll {
+    foreach ($cmd in $script:createdStubs) {
+        Remove-Item -Path "function:global:$cmd" -ErrorAction SilentlyContinue
+    }
+}
+
+Describe 'Test-MtConnection — GitHub service' {
+    BeforeEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection      = $null
+            $__MtSession.AzureDevOpsConnection = $null
+        }
+    }
+
+    AfterEach {
+        InModuleScope Maester {
+            $__MtSession.GitHubConnection      = $null
+            $__MtSession.AzureDevOpsConnection = $null
+        }
+    }
+
+    Context 'Help' {
+        It 'Documents the -Service All GitHub explicit connection behavior' {
+            $help = Get-Help Test-MtConnection -Detailed | Out-String
+            $help | Should -Match 'after Connect-MtGitHub has been called'
+            $help | Should -Not -Match 'NotCalled sentinel'
+            $help | Should -Match 'skipped and does not affect the result'
+        }
+    }
+
+    Context 'When Connect-MtGitHub has never been called' {
+        It 'Returns $false for -Service GitHub' {
+            InModuleScope Maester {
+                Test-MtConnection -Service GitHub | Should -BeFalse
+            }
+        }
+
+        It 'Records that Connect-MtGitHub has not been called' {
+            InModuleScope Maester {
+                Test-MtConnection -Service GitHub | Out-Null
+                $__MtSession.GitHubConnection | Should -Not -BeNullOrEmpty
+                $__MtSession.GitHubConnection.FailureReason | Should -Be 'NotCalled'
+            }
+        }
+    }
+
+    Context 'When GitHub is explicitly disconnected' {
+        It 'Returns $false when Connected is $false' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'TokenInvalid' }
+                Test-MtConnection -Service GitHub | Should -BeFalse
+            }
+        }
+
+        It 'Returns $false when membership is pending (FailureReason = OrgMembershipPending)' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'OrgMembershipPending' }
+                Test-MtConnection -Service GitHub | Should -BeFalse
+            }
+        }
+    }
+
+    Context 'When GitHub is connected' {
+        It 'Returns $true' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+                Test-MtConnection -Service GitHub | Should -BeTrue
+            }
+        }
+
+        It 'Returns an object with GitHub populated and AllConnected $true when using -Details' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+                $result = Test-MtConnection -Service GitHub -Details
+                $result.GitHub | Should -Not -BeNullOrEmpty
+                $result.GitHub.Connected | Should -BeTrue
+                $result.AllConnected | Should -BeTrue
+            }
+        }
+    }
+
+    Context 'When GitHub is not connected' {
+        It 'Returns an object with GitHub $null and AllConnected $false when using -Details' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $false; FailureReason = 'NoToken' }
+                $result = Test-MtConnection -Service GitHub -Details
+                $result.GitHub | Should -BeNullOrEmpty
+                $result.AllConnected | Should -BeFalse
+            }
+        }
+    }
+
+    Context '-Service GitHub -Details with GitHub connected' {
+        It 'Populates the GitHub property and returns AllConnected $true' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+            }
+            $result = Test-MtConnection -Service GitHub -Details
+            $result.GitHub | Should -Not -BeNullOrEmpty
+            $result.GitHub.Connected | Should -BeTrue
+            $result.AllConnected | Should -BeTrue
+        }
+    }
+
+    Context '-Service All regression — GitHub absence does not flip AllConnected' {
+        It 'Returns AllConnected $true when all MS services are connected and GitHub session is absent' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection      = $null
+                $__MtSession.AzureDevOpsConnection = [PSCustomObject]@{ Organization = 'ado-org' }
+            }
+            Mock Get-AzContext { [PSCustomObject]@{ Account = 'test@contoso.com' } } -ModuleName Maester
+            Mock Invoke-AzRestMethod { [PSCustomObject]@{} } -ModuleName Maester
+            Mock Get-MgContext { [PSCustomObject]@{ TenantId = 'tenant-id' } } -ModuleName Maester
+            Mock Get-MtExo {
+                @(
+                    [PSCustomObject]@{ Name = 'ExchangeOnline'; State = 'Connected'; IsEopSession = $false }
+                    [PSCustomObject]@{ Name = 'ExchangeOnline'; State = 'Connected'; IsEopSession = $true }
+                )
+            } -ModuleName Maester
+            Mock Get-CsTenant { [PSCustomObject]@{ TenantId = 'tenant-id' } } -ModuleName Maester
+            $result = Test-MtConnection -Service All -Details
+            $result.AllConnected | Should -BeTrue
+            $result.GitHub | Should -BeNullOrEmpty
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection | Should -BeNullOrEmpty
+            }
+        }
+    }
+
+    Context '-Service All — GitHub skipped when Connect-MtGitHub has not been called' {
+        It 'Does not set the GitHub property or flip AllConnected' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection      = [PSCustomObject]@{ Connected = $false; FailureReason = 'NotCalled' }
+                $__MtSession.AzureDevOpsConnection = [PSCustomObject]@{ Organization = 'ado-org' }
+            }
+            Mock Get-AzContext { [PSCustomObject]@{ Account = 'test@contoso.com' } } -ModuleName Maester
+            Mock Invoke-AzRestMethod { [PSCustomObject]@{} } -ModuleName Maester
+            Mock Get-MgContext { [PSCustomObject]@{ TenantId = 'tenant-id' } } -ModuleName Maester
+            Mock Get-MtExo {
+                @(
+                    [PSCustomObject]@{ Name = 'ExchangeOnline'; State = 'Connected'; IsEopSession = $false }
+                    [PSCustomObject]@{ Name = 'ExchangeOnline'; State = 'Connected'; IsEopSession = $true }
+                )
+            } -ModuleName Maester
+            Mock Get-CsTenant { [PSCustomObject]@{ TenantId = 'tenant-id' } } -ModuleName Maester
+            $result = Test-MtConnection -Service All -Details
+            $result.AllConnected | Should -BeTrue
+            $result.GitHub | Should -BeNullOrEmpty
+        }
+    }
+
+    Context '-Service GitHub -Details formatted output' {
+        It 'Renders safe GitHub metadata and excludes auth/token values' {
+            $fakeToken = 'ghp_FAKE_TOKEN_VALUE_DO_NOT_USE'
+            InModuleScope Maester -ArgumentList $fakeToken {
+                param($FakeToken)
+                $__MtSession.GitHubConnection = [PSCustomObject]@{
+                    Connected                        = $true
+                    Organization                     = 'myorg'
+                    TokenLogin                       = 'octocat'
+                    ApiBaseUri                       = 'https://api.github.com'
+                    ApiVersion                       = '2022-11-28'
+                    Role                             = 'admin'
+                    RoleState                        = 'active'
+                    AdministrationPermissionVerified = $true
+                }
+                $__MtSession.GitHubAuthHeader = @{
+                    Authorization = "Bearer $FakeToken"
+                }
+            }
+            $rendered = Test-MtConnection -Service GitHub -Details | Out-String
+            $rendered | Should -Match 'GitHub'
+            $rendered | Should -Match 'myorg'
+            $rendered | Should -Match 'octocat'
+            $rendered | Should -Not -Match 'Bearer'
+            $rendered | Should -Not -Match 'Authorization'
+            $rendered | Should -Not -Match ([regex]::Escape($fakeToken))
+        }
+    }
+
+    Context '-Service All — GitHub included when connected' {
+        It 'Populates the GitHub property and participates in AllConnected' {
+            InModuleScope Maester {
+                $__MtSession.GitHubConnection      = [PSCustomObject]@{ Connected = $true; Organization = 'myorg' }
+                $__MtSession.AzureDevOpsConnection = [PSCustomObject]@{ Organization = 'ado-org' }
+            }
+            Mock Get-AzContext { [PSCustomObject]@{ Account = 'test@contoso.com' } } -ModuleName Maester
+            Mock Invoke-AzRestMethod { [PSCustomObject]@{} } -ModuleName Maester
+            Mock Get-MgContext { [PSCustomObject]@{ TenantId = 'tenant-id' } } -ModuleName Maester
+            Mock Get-MtExo {
+                @(
+                    [PSCustomObject]@{ Name = 'ExchangeOnline'; State = 'Connected'; IsEopSession = $false }
+                    [PSCustomObject]@{ Name = 'ExchangeOnline'; State = 'Connected'; IsEopSession = $true }
+                )
+            } -ModuleName Maester
+            Mock Get-CsTenant { [PSCustomObject]@{ TenantId = 'tenant-id' } } -ModuleName Maester
+            $result = Test-MtConnection -Service All -Details
+            $result.AllConnected | Should -BeTrue
+            $result.GitHub | Should -Not -BeNullOrEmpty
+            $result.GitHub.Connected | Should -BeTrue
+        }
+    }
+}
diff --git a/powershell/tests/general/Manifest.Tests.ps1 b/powershell/tests/general/Manifest.Tests.ps1
index 37bfc97db..899b418c6 100644
--- a/powershell/tests/general/Manifest.Tests.ps1
+++ b/powershell/tests/general/Manifest.Tests.ps1
@@ -28,6 +28,10 @@ Describe 'Validating the module manifest' -ForEach @{ moduleRoot = $moduleRoot;
             $files = Get-ChildItem "$moduleRoot/internal" -Recurse -File -Filter '*.ps1'
             $files | Where-Object BaseName -In $manifest.FunctionsToExport | Should -BeNullOrEmpty
         }
+
+        It 'Keeps GitHub cache key helper internal' {
+            $manifest.FunctionsToExport | Should -Not -Contain 'Get-MtGitHubCacheKey'
+        }
     }
 
     Context 'Testing tags' {
@@ -53,4 +57,4 @@ Describe 'Validating the module manifest' -ForEach @{ moduleRoot = $moduleRoot;
             }
         }
     }
-}
\ No newline at end of file
+}
diff --git a/tests/cis/Test-MtCisGitHubIssueDeletionLimited.Tests.ps1 b/tests/cis/Test-MtCisGitHubIssueDeletionLimited.Tests.ps1
new file mode 100644
index 000000000..6770b08f3
--- /dev/null
+++ b/tests/cis/Test-MtCisGitHubIssueDeletionLimited.Tests.ps1
@@ -0,0 +1,7 @@
+Describe "CIS" -Tag "CIS.GH.1.2.4", "L1", "CIS GH Level 1", "CIS GH", "CIS", "CIS GitHub v1.2.0" {
+    It "CIS.GH.1.2.4: Ensure issue deletion is limited to specific users" {
+        $result = Test-MtCisGitHubIssueDeletionLimited
+
+        $result | Should -BeNullOrEmpty -Because "CIS GH 1.2.4 requires manual trust review after collecting issue deletion setting evidence"
+    }
+}
diff --git a/tests/cis/Test-MtCisGitHubRepositoryCreationLimited.Tests.ps1 b/tests/cis/Test-MtCisGitHubRepositoryCreationLimited.Tests.ps1
new file mode 100644
index 000000000..4561836f1
--- /dev/null
+++ b/tests/cis/Test-MtCisGitHubRepositoryCreationLimited.Tests.ps1
@@ -0,0 +1,9 @@
+Describe "CIS" -Tag "CIS.GH.1.2.2", "L1", "CIS GH Level 1", "CIS GH", "CIS", "CIS GitHub v1.2.0" {
+    It "CIS.GH.1.2.2: Ensure repository creation is limited to specific members" {
+        $result = Test-MtCisGitHubRepositoryCreationLimited
+
+        if ($null -ne $result) {
+            $result | Should -Be $true -Because "members cannot create public or private repositories"
+        }
+    }
+}
diff --git a/tests/cis/Test-MtCisGitHubRepositoryDeletionLimited.Tests.ps1 b/tests/cis/Test-MtCisGitHubRepositoryDeletionLimited.Tests.ps1
new file mode 100644
index 000000000..363928f23
--- /dev/null
+++ b/tests/cis/Test-MtCisGitHubRepositoryDeletionLimited.Tests.ps1
@@ -0,0 +1,7 @@
+Describe "CIS" -Tag "CIS.GH.1.2.3", "L1", "CIS GH Level 1", "CIS GH", "CIS", "CIS GitHub v1.2.0" {
+    It "CIS.GH.1.2.3: Ensure repository deletion is limited to specific users" {
+        $result = Test-MtCisGitHubRepositoryDeletionLimited
+
+        $result | Should -BeNullOrEmpty -Because "CIS GH 1.2.3 requires manual trust review after collecting repository deletion setting evidence"
+    }
+}
diff --git a/tests/cis/Test-MtCisGitHubStrictBasePermission.Tests.ps1 b/tests/cis/Test-MtCisGitHubStrictBasePermission.Tests.ps1
new file mode 100644
index 000000000..077b29689
--- /dev/null
+++ b/tests/cis/Test-MtCisGitHubStrictBasePermission.Tests.ps1
@@ -0,0 +1,9 @@
+Describe "CIS" -Tag "CIS.GH.1.3.8", "L1", "CIS GH Level 1", "CIS GH", "CIS", "CIS GitHub v1.2.0" {
+    It "CIS.GH.1.3.8: Ensure strict base permissions are set for repositories" {
+        $result = Test-MtCisGitHubStrictBasePermission
+
+        if ($null -ne $result) {
+            $result | Should -Be $true -Because "default_repository_permission is none or read"
+        }
+    }
+}
diff --git a/tests/cis/Test-MtCisGitHubTeamCreationLimited.Tests.ps1 b/tests/cis/Test-MtCisGitHubTeamCreationLimited.Tests.ps1
new file mode 100644
index 000000000..97b04451f
--- /dev/null
+++ b/tests/cis/Test-MtCisGitHubTeamCreationLimited.Tests.ps1
@@ -0,0 +1,9 @@
+Describe "CIS" -Tag "CIS.GH.1.3.2", "L1", "CIS GH Level 1", "CIS GH", "CIS", "CIS GitHub v1.2.0" {
+    It "CIS.GH.1.3.2: Ensure team creation is limited to specific members" {
+        $result = Test-MtCisGitHubTeamCreationLimited
+
+        if ($null -ne $result) {
+            $result | Should -Be $true -Because "members_can_create_teams is false"
+        }
+    }
+}
diff --git a/tests/maester-config.json b/tests/maester-config.json
index e055960b7..e7084f283 100644
--- a/tests/maester-config.json
+++ b/tests/maester-config.json
@@ -1,9 +1,37 @@
 {
   "GlobalSettings": {
     "EmergencyAccessAccounts": [],
-    "DataverseEnvironmentUrl": ""
+    "DataverseEnvironmentUrl": "",
+    "GitHubOrganization": "",
+    "GitHubApiBaseUri": "https://api.github.com",
+    "GitHubApiVersion": "2022-11-28"
   },
   "TestSettings": [
+    {
+      "Id": "CIS.GH.1.2.2",
+      "Severity": "Medium",
+      "Title": "(L1) Ensure repository creation is limited to specific members"
+    },
+    {
+      "Id": "CIS.GH.1.2.3",
+      "Severity": "High",
+      "Title": "(L1) Ensure repository deletion is limited to specific users"
+    },
+    {
+      "Id": "CIS.GH.1.2.4",
+      "Severity": "Medium",
+      "Title": "(L1) Ensure issue deletion is limited to specific users"
+    },
+    {
+      "Id": "CIS.GH.1.3.2",
+      "Severity": "Medium",
+      "Title": "(L1) Ensure team creation is limited to specific members"
+    },
+    {
+      "Id": "CIS.GH.1.3.8",
+      "Severity": "High",
+      "Title": "(L1) Ensure strict base permissions are set for repositories"
+    },
     {
       "Id": "CIS.M365.1.1.1",
       "Severity": "High",
diff --git a/website/docs/commands/Connect-MtGitHub.mdx b/website/docs/commands/Connect-MtGitHub.mdx
new file mode 100644
index 000000000..15815c691
--- /dev/null
+++ b/website/docs/commands/Connect-MtGitHub.mdx
@@ -0,0 +1,216 @@
+---
+sidebar_class_name: hidden
+description: "Establishes a GitHub Enterprise Cloud organization REST API session for Maester."
+id: Connect-MtGitHub
+title: Connect-MtGitHub
+hide_title: false
+hide_table_of_contents: false
+custom_edit_url: https://github.com/maester365/maester/blob/main/powershell/public/Connect-MtGitHub.ps1
+---
+
+## SYNOPSIS
+
+Establishes a GitHub Enterprise Cloud organization REST API session for Maester.
+
+## SYNTAX
+
+```powershell
+Connect-MtGitHub [[-Organization] <String>] [[-Token] <SecureString>] [[-ApiBaseUri] <String>]
+ [[-ApiVersion] <String>] [-ProgressAction <ActionPreference>] [<CommonParameters>]
+```
+
+## DESCRIPTION
+
+Establishes a GitHub Enterprise Cloud organization REST API session for Maester CIS
+benchmark tests.
+This is an organization-scoped session, not a full enterprise-admin
+session: enterprise-admin endpoints under /enterprises/\{enterprise\} are not verified
+by this command and would require a future enterprise-access probe if CIS controls
+need them.
+
+Validates the PAT via four probes.
+The first three are blocking (any failure aborts
+the connection); the fourth is non-blocking (failure emits a warning but the session
+is still established):
+  1.
+GET /user                            - token identity (blocking)
+  2.
+GET /orgs/\{org\}                      - org metadata (blocking)
+  3.
+GET /orgs/\{org\}/memberships/\{user\}   - org-access proof, state + role (blocking)
+  4.
+GET /orgs/\{org\}/actions/permissions  - administration access probe (non-blocking)
+
+The membership probe is the real access gate: /orgs/\{org\} returns public metadata
+even for tokens with no relationship to the organization.
+A 4xx, malformed body,
+or missing state/role on probe 3 aborts with FailureReason = 'OrgMembershipFailed'.
+A successful response whose membership state is anything other than 'active'
+(e.g.
+'pending' for an invitation that has not been accepted) also aborts the
+connection, with FailureReason = 'OrgMembershipPending' - only an active
+membership proves the user can act on the organization.
+
+Probe 4 verifies the token can reach an org-administration endpoint.
+GitHub
+documents /orgs/\{org\}/actions/permissions as requiring classic PAT 'admin:org' or
+fine-grained 'Organization Administration: read'.
+Failure here records
+AdministrationPermissionVerified = $false and emits a warning, but does not flip
+Connected to $false - the session remains usable for controls that don't require
+org administration access.
+
+On success, Role = 'admin' + RoleState = 'active' + AdministrationPermissionVerified
+= $true is the no-warning path.
+Other active roles (member, billing_manager, etc.)
+or admin-probe failure still connect but emit warnings indicating limited CIS
+coverage.
+Non-active membership states do not connect at all.
+
+A non-rate-limited HTTP 403 from GET /user aborts with FailureReason =
+'TokenForbidden'.
+Common causes include SAML SSO enforcement, IP allowlists,
+token/account blocking, or other authorization policies.
+A rate-limited 403
+is still classified as FailureReason = 'RateLimited'.
+
+A malformed JSON response from GET /orgs/\{org\} aborts with FailureReason =
+'OrgAccessFailed' and identifies the response parsing problem instead of
+blaming the PAT scope, organization name, or API base URI.
+
+The successful GET /orgs/\{org\} response is cached only after the full
+connection succeeds, so failed connection attempts do not seed org data.
+
+Token resolution order:
+  1.
+-Token parameter (SecureString)
+  2.
+MAESTER_GITHUB_TOKEN environment variable
+  3.
+GH_TOKEN environment variable (GitHub CLI convention)
+
+Required permissions:
+  Classic PAT:        admin:org
+  Fine-grained PAT:   Organization Members: read + Organization Administration: read
+  Required role for full coverage: organization owner/admin
+
+Note: Connection success proves token validity and org access, not that all
+CIS control fields will be visible.
+Each CIS test validates field availability
+and skips with an informative message if required fields are absent.
+
+## EXAMPLES
+
+### EXAMPLE 1
+
+```powershell
+Connect-MtGitHub -Organization 'mycompany'
+```
+
+### EXAMPLE 2
+
+```powershell
+Connect-MtGitHub -Organization 'mycompany' -ApiBaseUri 'https://api.myco.ghe.com'
+```
+
+## PARAMETERS
+
+### -Organization
+
+GitHub organization login name.
+Falls back to GitHubOrganization in maester-config.json.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Token
+
+PAT as SecureString.
+Falls back to MAESTER_GITHUB_TOKEN or GH_TOKEN env vars.
+
+```yaml
+Type: SecureString
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ApiBaseUri
+
+GitHub API base URI.
+Falls back to GitHubApiBaseUri config, then https://api.github.com.
+Set to https://api.\{subdomain\}.ghe.com for GHE.com EMU deployments.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ApiVersion
+
+GitHub REST API version date.
+Falls back to GitHubApiVersion config, then 2022-11-28.
+GitHub defaults requests without X-GitHub-Api-Version to 2022-11-28.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ProgressAction
+
+\{\{ Fill ProgressAction Description \}\}
+
+```yaml
+Type: ActionPreference
+Parameter Sets: (All)
+Aliases: proga
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[https://maester.dev/docs/commands/Connect-MtGitHub](https://maester.dev/docs/commands/Connect-MtGitHub)
diff --git a/website/docs/commands/Disconnect-MtGitHub.mdx b/website/docs/commands/Disconnect-MtGitHub.mdx
new file mode 100644
index 000000000..4f77aaf2f
--- /dev/null
+++ b/website/docs/commands/Disconnect-MtGitHub.mdx
@@ -0,0 +1,73 @@
+---
+sidebar_class_name: hidden
+description: "Clears the current GitHub REST session in Maester."
+id: Disconnect-MtGitHub
+title: Disconnect-MtGitHub
+hide_title: false
+hide_table_of_contents: false
+custom_edit_url: https://github.com/maester365/maester/blob/main/powershell/public/Disconnect-MtGitHub.ps1
+---
+
+## SYNOPSIS
+
+Clears the current GitHub REST session in Maester.
+
+## SYNTAX
+
+```powershell
+Disconnect-MtGitHub [-ProgressAction <ActionPreference>] [<CommonParameters>]
+```
+
+## DESCRIPTION
+
+Removes the GitHub PAT-derived auth header, the connection metadata, and the per-session
+REST response cache from the Maester module's session state.
+Idempotent - safe to call when
+no GitHub session is active.
+
+Use this when you want to drop the in-memory token, switch organizations, or clean up
+troubleshooting state.
+Disconnect-Maester also calls this automatically (Disconnect-MtGraph
+alias does not, to preserve its narrow Graph-only semantic).
+
+## EXAMPLES
+
+### EXAMPLE 1
+
+```powershell
+Disconnect-MtGitHub
+```
+
+Clears any active GitHub session.
+
+## PARAMETERS
+
+### -ProgressAction
+
+\{\{ Fill ProgressAction Description \}\}
+
+```yaml
+Type: ActionPreference
+Parameter Sets: (All)
+Aliases: proga
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[https://maester.dev/docs/commands/Disconnect-MtGitHub](https://maester.dev/docs/commands/Disconnect-MtGitHub)
diff --git a/website/docs/commands/Test-MtCisGitHubIssueDeletionLimited.mdx b/website/docs/commands/Test-MtCisGitHubIssueDeletionLimited.mdx
new file mode 100644
index 000000000..50bcec6ee
--- /dev/null
+++ b/website/docs/commands/Test-MtCisGitHubIssueDeletionLimited.mdx
@@ -0,0 +1,72 @@
+---
+sidebar_class_name: hidden
+description: "CIS.GH.1.2.4: Ensure issue deletion is limited to specific users."
+id: Test-MtCisGitHubIssueDeletionLimited
+title: Test-MtCisGitHubIssueDeletionLimited
+hide_title: false
+hide_table_of_contents: false
+custom_edit_url: https://github.com/maester365/maester/blob/main/powershell/public/Test-MtCisGitHubIssueDeletionLimited.ps1
+---
+
+## SYNOPSIS
+
+CIS.GH.1.2.4: Ensure issue deletion is limited to specific users.
+
+## SYNTAX
+
+```powershell
+Test-MtCisGitHubIssueDeletionLimited [-ProgressAction <ActionPreference>] [<CommonParameters>]
+```
+
+## DESCRIPTION
+
+CIS GitHub Benchmark v1.2.0 section 1.2.4 marks this recommendation as
+Manual.
+This test collects organization setting evidence from
+GET /orgs/\{org\} and marks the result as Investigate because CIS GH 1.2.4
+still requires a manual trust review for either repository administrators
+or organization owners.
+
+## EXAMPLES
+
+### EXAMPLE 1
+
+```powershell
+Test-MtCisGitHubIssueDeletionLimited
+```
+
+Returns Investigate when the GitHub organization setting is available.
+
+## PARAMETERS
+
+### -ProgressAction
+
+\{\{ Fill ProgressAction Description \}\}
+
+```yaml
+Type: ActionPreference
+Parameter Sets: (All)
+Aliases: proga
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+## RELATED LINKS
+
+[https://maester.dev/docs/commands/Test-MtCisGitHubIssueDeletionLimited](https://maester.dev/docs/commands/Test-MtCisGitHubIssueDeletionLimited)
diff --git a/website/docs/commands/Test-MtCisGitHubRepositoryCreationLimited.mdx b/website/docs/commands/Test-MtCisGitHubRepositoryCreationLimited.mdx
new file mode 100644
index 000000000..9dd7b8c0b
--- /dev/null
+++ b/website/docs/commands/Test-MtCisGitHubRepositoryCreationLimited.mdx
@@ -0,0 +1,73 @@
+---
+sidebar_class_name: hidden
+description: "CIS.GH.1.2.2: Ensure repository creation is limited to specific members."
+id: Test-MtCisGitHubRepositoryCreationLimited
+title: Test-MtCisGitHubRepositoryCreationLimited
+hide_title: false
+hide_table_of_contents: false
+custom_edit_url: https://github.com/maester365/maester/blob/main/powershell/public/Test-MtCisGitHubRepositoryCreationLimited.ps1
+---
+
+## SYNOPSIS
+
+CIS.GH.1.2.2: Ensure repository creation is limited to specific members.
+
+## SYNTAX
+
+```powershell
+Test-MtCisGitHubRepositoryCreationLimited [-ProgressAction <ActionPreference>] [<CommonParameters>]
+```
+
+## DESCRIPTION
+
+CIS GitHub Benchmark v1.2.0 section 1.2.2 marks this recommendation as
+Manual.
+This test automates the organization member-privileges fields
+exposed by GET /orgs/\{org\}.
+Public and private repository creation decide
+the test result; internal repository creation is shown as informational
+evidence when GitHub returns it.
+
+## EXAMPLES
+
+### EXAMPLE 1
+
+```powershell
+Test-MtCisGitHubRepositoryCreationLimited
+```
+
+Returns true when members cannot create public or private repositories.
+
+## PARAMETERS
+
+### -ProgressAction
+
+\{\{ Fill ProgressAction Description \}\}
+
+```yaml
+Type: ActionPreference
+Parameter Sets: (All)
+Aliases: proga
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+## RELATED LINKS
+
+[https://maester.dev/docs/commands/Test-MtCisGitHubRepositoryCreationLimited](https://maester.dev/docs/commands/Test-MtCisGitHubRepositoryCreationLimited)
diff --git a/website/docs/commands/Test-MtCisGitHubRepositoryDeletionLimited.mdx b/website/docs/commands/Test-MtCisGitHubRepositoryDeletionLimited.mdx
new file mode 100644
index 000000000..7ae420a96
--- /dev/null
+++ b/website/docs/commands/Test-MtCisGitHubRepositoryDeletionLimited.mdx
@@ -0,0 +1,72 @@
+---
+sidebar_class_name: hidden
+description: "CIS.GH.1.2.3: Ensure repository deletion is limited to specific users."
+id: Test-MtCisGitHubRepositoryDeletionLimited
+title: Test-MtCisGitHubRepositoryDeletionLimited
+hide_title: false
+hide_table_of_contents: false
+custom_edit_url: https://github.com/maester365/maester/blob/main/powershell/public/Test-MtCisGitHubRepositoryDeletionLimited.ps1
+---
+
+## SYNOPSIS
+
+CIS.GH.1.2.3: Ensure repository deletion is limited to specific users.
+
+## SYNTAX
+
+```powershell
+Test-MtCisGitHubRepositoryDeletionLimited [-ProgressAction <ActionPreference>] [<CommonParameters>]
+```
+
+## DESCRIPTION
+
+CIS GitHub Benchmark v1.2.0 section 1.2.3 marks this recommendation as
+Manual.
+This test collects organization setting evidence from
+GET /orgs/\{org\} and marks the result as Investigate because CIS GH 1.2.3
+still requires a manual trust review for either repository administrators
+or organization owners.
+
+## EXAMPLES
+
+### EXAMPLE 1
+
+```powershell
+Test-MtCisGitHubRepositoryDeletionLimited
+```
+
+Returns Investigate when the GitHub organization setting is available.
+
+## PARAMETERS
+
+### -ProgressAction
+
+\{\{ Fill ProgressAction Description \}\}
+
+```yaml
+Type: ActionPreference
+Parameter Sets: (All)
+Aliases: proga
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+## RELATED LINKS
+
+[https://maester.dev/docs/commands/Test-MtCisGitHubRepositoryDeletionLimited](https://maester.dev/docs/commands/Test-MtCisGitHubRepositoryDeletionLimited)
diff --git a/website/docs/commands/Test-MtCisGitHubStrictBasePermission.mdx b/website/docs/commands/Test-MtCisGitHubStrictBasePermission.mdx
new file mode 100644
index 000000000..20e4e5a34
--- /dev/null
+++ b/website/docs/commands/Test-MtCisGitHubStrictBasePermission.mdx
@@ -0,0 +1,70 @@
+---
+sidebar_class_name: hidden
+description: "CIS.GH.1.3.8: Ensure strict base permissions are set for repositories."
+id: Test-MtCisGitHubStrictBasePermission
+title: Test-MtCisGitHubStrictBasePermission
+hide_title: false
+hide_table_of_contents: false
+custom_edit_url: https://github.com/maester365/maester/blob/main/powershell/public/Test-MtCisGitHubStrictBasePermission.ps1
+---
+
+## SYNOPSIS
+
+CIS.GH.1.3.8: Ensure strict base permissions are set for repositories.
+
+## SYNTAX
+
+```powershell
+Test-MtCisGitHubStrictBasePermission [-ProgressAction <ActionPreference>] [<CommonParameters>]
+```
+
+## DESCRIPTION
+
+CIS GitHub Benchmark v1.2.0 section 1.3.8 marks this recommendation as
+Manual.
+This test automates the organization default repository permission
+exposed by GET /orgs/\{org\} and requires the value to be none or read.
+
+## EXAMPLES
+
+### EXAMPLE 1
+
+```powershell
+Test-MtCisGitHubStrictBasePermission
+```
+
+Returns true when default_repository_permission is none or read.
+
+## PARAMETERS
+
+### -ProgressAction
+
+\{\{ Fill ProgressAction Description \}\}
+
+```yaml
+Type: ActionPreference
+Parameter Sets: (All)
+Aliases: proga
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+## RELATED LINKS
+
+[https://maester.dev/docs/commands/Test-MtCisGitHubStrictBasePermission](https://maester.dev/docs/commands/Test-MtCisGitHubStrictBasePermission)
diff --git a/website/docs/commands/Test-MtCisGitHubTeamCreationLimited.mdx b/website/docs/commands/Test-MtCisGitHubTeamCreationLimited.mdx
new file mode 100644
index 000000000..5bab7da38
--- /dev/null
+++ b/website/docs/commands/Test-MtCisGitHubTeamCreationLimited.mdx
@@ -0,0 +1,71 @@
+---
+sidebar_class_name: hidden
+description: "CIS.GH.1.3.2: Ensure team creation is limited to specific members."
+id: Test-MtCisGitHubTeamCreationLimited
+title: Test-MtCisGitHubTeamCreationLimited
+hide_title: false
+hide_table_of_contents: false
+custom_edit_url: https://github.com/maester365/maester/blob/main/powershell/public/Test-MtCisGitHubTeamCreationLimited.ps1
+---
+
+## SYNOPSIS
+
+CIS.GH.1.3.2: Ensure team creation is limited to specific members.
+
+## SYNTAX
+
+```powershell
+Test-MtCisGitHubTeamCreationLimited [-ProgressAction <ActionPreference>] [<CommonParameters>]
+```
+
+## DESCRIPTION
+
+CIS GitHub Benchmark v1.2.0 section 1.3.2 marks this recommendation as
+Manual.
+This test automates the organization member-privileges field
+exposed by GET /orgs/\{org\} and requires members_can_create_teams to be
+false.
+
+## EXAMPLES
+
+### EXAMPLE 1
+
+```powershell
+Test-MtCisGitHubTeamCreationLimited
+```
+
+Returns true when members cannot create teams.
+
+## PARAMETERS
+
+### -ProgressAction
+
+\{\{ Fill ProgressAction Description \}\}
+
+```yaml
+Type: ActionPreference
+Parameter Sets: (All)
+Aliases: proga
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+## RELATED LINKS
+
+[https://maester.dev/docs/commands/Test-MtCisGitHubTeamCreationLimited](https://maester.dev/docs/commands/Test-MtCisGitHubTeamCreationLimited)
diff --git a/website/docs/commands/docusaurus.sidebar.js b/website/docs/commands/docusaurus.sidebar.js
index af630f881..0807721f2 100644
--- a/website/docs/commands/docusaurus.sidebar.js
+++ b/website/docs/commands/docusaurus.sidebar.js
@@ -17,12 +17,14 @@ module.exports = [
     'commands/Compare-MtJsonObject',
     'commands/Compare-MtTestResult',
     'commands/Connect-Maester',
+    'commands/Connect-MtGitHub',
     'commands/Convert-MtResultsToFlatObject',
     'commands/ConvertFrom-MailAuthenticationRecordDkim',
     'commands/ConvertFrom-MailAuthenticationRecordDmarc',
     'commands/ConvertFrom-MailAuthenticationRecordMx',
     'commands/ConvertFrom-MailAuthenticationRecordSpf',
     'commands/Disconnect-Maester',
+    'commands/Disconnect-MtGitHub',
     'commands/Get-MailAuthenticationRecord',
     'commands/Get-MdeConfiguration',
     'commands/Get-MdeDeviceCount',
@@ -249,6 +251,11 @@ module.exports = [
     'commands/Test-MtCisEnsureUserConsentToAppsDisallowed',
     'commands/Test-MtCisExoAdditionalStorageProvider',
     'commands/Test-MtCisFormsPhishingProtectionEnabled',
+    'commands/Test-MtCisGitHubIssueDeletionLimited',
+    'commands/Test-MtCisGitHubRepositoryCreationLimited',
+    'commands/Test-MtCisGitHubRepositoryDeletionLimited',
+    'commands/Test-MtCisGitHubStrictBasePermission',
+    'commands/Test-MtCisGitHubTeamCreationLimited',
     'commands/Test-MtCisGlobalAdminCount',
     'commands/Test-MtCisHostedConnectionFilterPolicy',
     'commands/Test-MtCisInternalMalwareNotification',
diff --git a/website/docs/tests/cis/CIS.GH.1.2.2.md b/website/docs/tests/cis/CIS.GH.1.2.2.md
new file mode 100644
index 000000000..06dbeb099
--- /dev/null
+++ b/website/docs/tests/cis/CIS.GH.1.2.2.md
@@ -0,0 +1,90 @@
+---
+title: "CIS.GH.1.2.2 - (L1) Ensure repository creation is limited to specific members"
+description: "1.2.2 (L1) Ensure repository creation is limited to specific members CIS Benchmark: CIS GitHub Benchmark v1.2.0 Assessment Status: Manual Rationale Repository sprawl makes source ownership, visibility, and review harder to manage. Limiting who can create public and private repositories reduces the…"
+slug: /tests/CIS.GH.1.2.2
+className: generated-test-doc
+sidebar_class_name: hidden
+hide_table_of_contents: true
+keywords:
+  - "Maester"
+  - "Microsoft 365 security"
+  - "CIS.GH.1.2.2"
+  - "Medium"
+  - "CIS"
+  - "CIS GH Level 1"
+  - "CIS GH"
+  - "CIS GitHub v1.2.0"
+  - "L1"
+---
+
+<!-- This file is generated by website/scripts/generate-test-docs.mjs. Do not edit manually. -->
+
+# CIS.GH.1.2.2 - (L1) Ensure repository creation is limited to specific members
+
+## Overview
+
+1.2.2 (L1) Ensure repository creation is limited to specific members
+
+CIS Benchmark: CIS GitHub Benchmark v1.2.0
+
+Assessment Status: Manual
+
+#### Rationale
+
+Repository sprawl makes source ownership, visibility, and review harder to manage. Limiting who can create public and private repositories reduces the chance that organization code or data is exposed through an unmanaged repository and keeps the repository inventory easier to monitor.
+
+#### Impact
+
+Members who previously created repositories directly may need an owner, administrator, or approved internal process to create new repositories for them.
+
+#### Maester automation note
+
+CIS marks this recommendation as Manual. This Maester test automates the portion of CIS GH 1.2.2 that maps to documented GitHub REST API evidence. It should be treated as automated evidence collection for the corresponding GitHub setting, not as a claim that every possible manual review path has been fully evaluated.
+
+This test checks the organization member privilege settings returned by `GET /orgs/{org}`.
+
+#### API evidence
+
+Endpoint: `GET /orgs/{org}`
+
+Evidence fields:
+
+- `members_can_create_public_repositories`
+- `members_can_create_private_repositories`
+- `members_can_create_internal_repositories` when returned, shown as informational
+- `members_allowed_repository_creation_type` is displayed when returned, but is not decisive
+
+The test passes when public and private repository creation are `false`. Internal repository creation is shown as additional enterprise/GHEC context only because the CIS GH 1.2.2 literal audit covers public and private repository creation.
+
+#### Permissions required
+
+GitHub requires organization-owner visibility for full organization details. Use `Connect-MtGitHub` with a classic PAT that has `admin:org`, or a fine-grained PAT with organization Members read and Administration read permissions.
+
+#### Remediation summary
+
+In the organization settings, open **Member privileges** and clear the public and private repository creation options for members. For GHEC organizations associated with an enterprise, review internal repository creation separately as an enterprise governance decision.
+
+#### Known limitations
+
+This test uses the granular repository creation fields because GitHub is replacing the legacy `members_allowed_repository_creation_type` umbrella field. That umbrella value is displayed when returned, but is not decisive. If required granular fields are not returned, the test skips with a field-specific reason.
+
+#### Related links
+
+* [CIS GitHub Benchmark v1.2.0 - Section 1.2.2](https://www.cisecurity.org/benchmark/github)
+* [GitHub REST API: Get an organization](https://docs.github.com/en/rest/orgs/orgs#get-an-organization)
+
+## Test Metadata
+
+| Field | Value |
+| --- | --- |
+| Test ID | CIS.GH.1.2.2 |
+| Severity | Medium |
+| Suite | CIS |
+| Category | CIS GH Level 1 |
+| PowerShell test | [Test-MtCisGitHubRepositoryCreationLimited](/docs/commands/Test-MtCisGitHubRepositoryCreationLimited) |
+| Tags | CIS, CIS GH, CIS GH Level 1, CIS GitHub v1.2.0, CIS.GH.1.2.2, L1 |
+
+## Source
+
+- Pester test: `tests/cis/Test-MtCisGitHubRepositoryCreationLimited.Tests.ps1`
+- PowerShell source: `powershell/public/cis/Test-MtCisGitHubRepositoryCreationLimited.ps1`
diff --git a/website/docs/tests/cis/CIS.GH.1.2.3.md b/website/docs/tests/cis/CIS.GH.1.2.3.md
new file mode 100644
index 000000000..ba4155d96
--- /dev/null
+++ b/website/docs/tests/cis/CIS.GH.1.2.3.md
@@ -0,0 +1,85 @@
+---
+title: "CIS.GH.1.2.3 - (L1) Ensure repository deletion is limited to specific users"
+description: "1.2.3 (L1) Ensure repository deletion is limited to specific users CIS Benchmark: CIS GitHub Benchmark v1.2.0 Assessment Status: Manual Rationale Deleting repositories can cause major source loss, break delivery workflows, and hide malicious or accidental activity. Repository deletion should theref…"
+slug: /tests/CIS.GH.1.2.3
+className: generated-test-doc
+sidebar_class_name: hidden
+hide_table_of_contents: true
+keywords:
+  - "Maester"
+  - "Microsoft 365 security"
+  - "CIS.GH.1.2.3"
+  - "High"
+  - "CIS"
+  - "CIS GH Level 1"
+  - "CIS GH"
+  - "CIS GitHub v1.2.0"
+  - "L1"
+---
+
+<!-- This file is generated by website/scripts/generate-test-docs.mjs. Do not edit manually. -->
+
+# CIS.GH.1.2.3 - (L1) Ensure repository deletion is limited to specific users
+
+## Overview
+
+1.2.3 (L1) Ensure repository deletion is limited to specific users
+
+CIS Benchmark: CIS GitHub Benchmark v1.2.0
+
+Assessment Status: Manual
+
+#### Rationale
+
+Deleting repositories can cause major source loss, break delivery workflows, and hide malicious or accidental activity. Repository deletion should therefore be limited to a small set of trusted people whose access is reviewed intentionally.
+
+#### Impact
+
+Members without the required repository or organization role will not be able to delete or transfer repositories. Teams may need a documented owner-led process for repository retirement.
+
+#### Maester automation note
+
+CIS marks this recommendation as Manual. This Maester test collects the organization setting evidence that maps to CIS GH 1.2.3, then reports Investigate because CIS still requires a human trust review.
+
+When `members_can_delete_repositories` is `true`, CIS requires verifying that repository admin members are trusted and qualified. When it is `false`, CIS still requires verifying that organization owners are trusted and qualified.
+
+#### API evidence
+
+Endpoint: `GET /orgs/{org}`
+
+Evidence field: `members_can_delete_repositories`
+
+When this field is returned, the test records the actual value and returns Investigate so the remaining CIS manual review path is visible in Maester results.
+
+#### Permissions required
+
+GitHub requires organization-owner visibility for full organization details. Use `Connect-MtGitHub` with a classic PAT that has `admin:org`, or a fine-grained PAT with organization Members read and Administration read permissions.
+
+#### Remediation summary
+
+In the organization settings, open **Member privileges** and disable the option that allows members to delete or transfer repositories for the organization. If the setting remains enabled, manually verify that repository administrators are limited to trusted users and document the review. If the setting is disabled, verify that organization owners are limited to trusted users and document the review.
+
+#### Known limitations
+
+This test verifies the organization setting only. It does not enumerate repository administrators, organization owners, or decide whether those users are trusted.
+
+#### Related links
+
+* [CIS GitHub Benchmark v1.2.0 - Section 1.2.3](https://www.cisecurity.org/benchmark/github)
+* [GitHub REST API: Get an organization](https://docs.github.com/en/rest/orgs/orgs#get-an-organization)
+
+## Test Metadata
+
+| Field | Value |
+| --- | --- |
+| Test ID | CIS.GH.1.2.3 |
+| Severity | High |
+| Suite | CIS |
+| Category | CIS GH Level 1 |
+| PowerShell test | [Test-MtCisGitHubRepositoryDeletionLimited](/docs/commands/Test-MtCisGitHubRepositoryDeletionLimited) |
+| Tags | CIS, CIS GH, CIS GH Level 1, CIS GitHub v1.2.0, CIS.GH.1.2.3, L1 |
+
+## Source
+
+- Pester test: `tests/cis/Test-MtCisGitHubRepositoryDeletionLimited.Tests.ps1`
+- PowerShell source: `powershell/public/cis/Test-MtCisGitHubRepositoryDeletionLimited.ps1`
diff --git a/website/docs/tests/cis/CIS.GH.1.2.4.md b/website/docs/tests/cis/CIS.GH.1.2.4.md
new file mode 100644
index 000000000..d1300e581
--- /dev/null
+++ b/website/docs/tests/cis/CIS.GH.1.2.4.md
@@ -0,0 +1,85 @@
+---
+title: "CIS.GH.1.2.4 - (L1) Ensure issue deletion is limited to specific users"
+description: "1.2.4 (L1) Ensure issue deletion is limited to specific users CIS Benchmark: CIS GitHub Benchmark v1.2.0 Assessment Status: Manual Rationale Issues often capture defects, milestones, operational history, and security-relevant discussion. Broad issue deletion rights can disrupt development records o…"
+slug: /tests/CIS.GH.1.2.4
+className: generated-test-doc
+sidebar_class_name: hidden
+hide_table_of_contents: true
+keywords:
+  - "Maester"
+  - "Microsoft 365 security"
+  - "CIS.GH.1.2.4"
+  - "Medium"
+  - "CIS"
+  - "CIS GH Level 1"
+  - "CIS GH"
+  - "CIS GitHub v1.2.0"
+  - "L1"
+---
+
+<!-- This file is generated by website/scripts/generate-test-docs.mjs. Do not edit manually. -->
+
+# CIS.GH.1.2.4 - (L1) Ensure issue deletion is limited to specific users
+
+## Overview
+
+1.2.4 (L1) Ensure issue deletion is limited to specific users
+
+CIS Benchmark: CIS GitHub Benchmark v1.2.0
+
+Assessment Status: Manual
+
+#### Rationale
+
+Issues often capture defects, milestones, operational history, and security-relevant discussion. Broad issue deletion rights can disrupt development records or remove evidence of suspicious activity, so deletion should be limited to trusted users.
+
+#### Impact
+
+Members without the required repository or organization role will not be able to delete issues. Organizations may need a documented escalation path for legitimate issue cleanup.
+
+#### Maester automation note
+
+CIS marks this recommendation as Manual. This Maester test collects the organization setting evidence that maps to CIS GH 1.2.4, then reports Investigate because CIS still requires a human trust review.
+
+When `members_can_delete_issues` is `true`, CIS requires verifying that repository admin members are trusted and qualified. When it is `false`, CIS still requires verifying that organization owners are trusted and qualified.
+
+#### API evidence
+
+Endpoint: `GET /orgs/{org}`
+
+Evidence field: `members_can_delete_issues`
+
+When this field is returned, the test records the actual value and returns Investigate so the remaining CIS manual review path is visible in Maester results.
+
+#### Permissions required
+
+GitHub requires organization-owner visibility for full organization details. Use `Connect-MtGitHub` with a classic PAT that has `admin:org`, or a fine-grained PAT with organization Members read and Administration read permissions.
+
+#### Remediation summary
+
+In the organization settings, open **Member privileges** and disable the option that allows members to delete issues for the organization. If the setting remains enabled, manually verify that repository administrators are limited to trusted users and document the review. If the setting is disabled, verify that organization owners are limited to trusted users and document the review.
+
+#### Known limitations
+
+This test verifies the organization setting only. It does not enumerate repository administrators, organization owners, or decide whether those users are trusted.
+
+#### Related links
+
+* [CIS GitHub Benchmark v1.2.0 - Section 1.2.4](https://www.cisecurity.org/benchmark/github)
+* [GitHub REST API: Get an organization](https://docs.github.com/en/rest/orgs/orgs#get-an-organization)
+
+## Test Metadata
+
+| Field | Value |
+| --- | --- |
+| Test ID | CIS.GH.1.2.4 |
+| Severity | Medium |
+| Suite | CIS |
+| Category | CIS GH Level 1 |
+| PowerShell test | [Test-MtCisGitHubIssueDeletionLimited](/docs/commands/Test-MtCisGitHubIssueDeletionLimited) |
+| Tags | CIS, CIS GH, CIS GH Level 1, CIS GitHub v1.2.0, CIS.GH.1.2.4, L1 |
+
+## Source
+
+- Pester test: `tests/cis/Test-MtCisGitHubIssueDeletionLimited.Tests.ps1`
+- PowerShell source: `powershell/public/cis/Test-MtCisGitHubIssueDeletionLimited.ps1`
diff --git a/website/docs/tests/cis/CIS.GH.1.3.2.md b/website/docs/tests/cis/CIS.GH.1.3.2.md
new file mode 100644
index 000000000..72620dec6
--- /dev/null
+++ b/website/docs/tests/cis/CIS.GH.1.3.2.md
@@ -0,0 +1,83 @@
+---
+title: "CIS.GH.1.3.2 - (L1) Ensure team creation is limited to specific members"
+description: "1.3.2 (L1) Ensure team creation is limited to specific members CIS Benchmark: CIS GitHub Benchmark v1.2.0 Assessment Status: Manual Rationale Teams can inherit access and quickly become part of the organization's permission model. Restricting team creation helps prevent shadow teams, accidental pri…"
+slug: /tests/CIS.GH.1.3.2
+className: generated-test-doc
+sidebar_class_name: hidden
+hide_table_of_contents: true
+keywords:
+  - "Maester"
+  - "Microsoft 365 security"
+  - "CIS.GH.1.3.2"
+  - "Medium"
+  - "CIS"
+  - "CIS GH Level 1"
+  - "CIS GH"
+  - "CIS GitHub v1.2.0"
+  - "L1"
+---
+
+<!-- This file is generated by website/scripts/generate-test-docs.mjs. Do not edit manually. -->
+
+# CIS.GH.1.3.2 - (L1) Ensure team creation is limited to specific members
+
+## Overview
+
+1.3.2 (L1) Ensure team creation is limited to specific members
+
+CIS Benchmark: CIS GitHub Benchmark v1.2.0
+
+Assessment Status: Manual
+
+#### Rationale
+
+Teams can inherit access and quickly become part of the organization's permission model. Restricting team creation helps prevent shadow teams, accidental privilege expansion, and unnecessary organizational clutter.
+
+#### Impact
+
+Members who previously created teams directly may need an owner, administrator, or approved access-management process to create new teams.
+
+#### Maester automation note
+
+CIS marks this recommendation as Manual. This Maester test automates the portion of CIS GH 1.3.2 that maps to documented GitHub REST API evidence. It should be treated as automated evidence collection for the corresponding GitHub setting, not as a claim that every possible manual review path has been fully evaluated.
+
+#### API evidence
+
+Endpoint: `GET /orgs/{org}`
+
+Evidence field: `members_can_create_teams`
+
+The test passes when `members_can_create_teams` is `false`.
+
+#### Permissions required
+
+GitHub requires organization-owner visibility for full organization details. Use `Connect-MtGitHub` with a classic PAT that has `admin:org`, or a fine-grained PAT with organization Members read and Administration read permissions.
+
+#### Remediation summary
+
+In the organization settings, open **Member privileges** and disable **Allow members to create teams**.
+
+#### Known limitations
+
+This test verifies the organization-level team creation setting. It does not review custom operational processes for who may request or approve new teams.
+
+#### Related links
+
+* [CIS GitHub Benchmark v1.2.0 - Section 1.3.2](https://www.cisecurity.org/benchmark/github)
+* [GitHub REST API: Get an organization](https://docs.github.com/en/rest/orgs/orgs#get-an-organization)
+
+## Test Metadata
+
+| Field | Value |
+| --- | --- |
+| Test ID | CIS.GH.1.3.2 |
+| Severity | Medium |
+| Suite | CIS |
+| Category | CIS GH Level 1 |
+| PowerShell test | [Test-MtCisGitHubTeamCreationLimited](/docs/commands/Test-MtCisGitHubTeamCreationLimited) |
+| Tags | CIS, CIS GH, CIS GH Level 1, CIS GitHub v1.2.0, CIS.GH.1.3.2, L1 |
+
+## Source
+
+- Pester test: `tests/cis/Test-MtCisGitHubTeamCreationLimited.Tests.ps1`
+- PowerShell source: `powershell/public/cis/Test-MtCisGitHubTeamCreationLimited.ps1`
diff --git a/website/docs/tests/cis/CIS.GH.1.3.8.md b/website/docs/tests/cis/CIS.GH.1.3.8.md
new file mode 100644
index 000000000..c6b51bebe
--- /dev/null
+++ b/website/docs/tests/cis/CIS.GH.1.3.8.md
@@ -0,0 +1,83 @@
+---
+title: "CIS.GH.1.3.8 - (L1) Ensure strict base permissions are set for repositories"
+description: "1.3.8 (L1) Ensure strict base permissions are set for repositories CIS Benchmark: CIS GitHub Benchmark v1.2.0 Assessment Status: Manual Rationale Base permissions apply broadly across organization repositories. Keeping the default at none or read follows least privilege and lowers the chance that e…"
+slug: /tests/CIS.GH.1.3.8
+className: generated-test-doc
+sidebar_class_name: hidden
+hide_table_of_contents: true
+keywords:
+  - "Maester"
+  - "Microsoft 365 security"
+  - "CIS.GH.1.3.8"
+  - "High"
+  - "CIS"
+  - "CIS GH Level 1"
+  - "CIS GH"
+  - "CIS GitHub v1.2.0"
+  - "L1"
+---
+
+<!-- This file is generated by website/scripts/generate-test-docs.mjs. Do not edit manually. -->
+
+# CIS.GH.1.3.8 - (L1) Ensure strict base permissions are set for repositories
+
+## Overview
+
+1.3.8 (L1) Ensure strict base permissions are set for repositories
+
+CIS Benchmark: CIS GitHub Benchmark v1.2.0
+
+Assessment Status: Manual
+
+#### Rationale
+
+Base permissions apply broadly across organization repositories. Keeping the default at none or read follows least privilege and lowers the chance that every member can change code where they do not have a specific business need.
+
+#### Impact
+
+Some members may lose default write access and require explicit repository, team, or role assignments before they can contribute changes.
+
+#### Maester automation note
+
+CIS marks this recommendation as Manual. This Maester test automates the portion of CIS GH 1.3.8 that maps to documented GitHub REST API evidence. It should be treated as automated evidence collection for the corresponding GitHub setting, not as a claim that every possible manual review path has been fully evaluated.
+
+#### API evidence
+
+Endpoint: `GET /orgs/{org}`
+
+Evidence field: `default_repository_permission`
+
+The test passes when `default_repository_permission` is `none` or `read`. It fails when the value is `write` or `admin`.
+
+#### Permissions required
+
+GitHub requires organization-owner visibility for full organization details. Use `Connect-MtGitHub` with a classic PAT that has `admin:org`, or a fine-grained PAT with organization Members read and Administration read permissions.
+
+#### Remediation summary
+
+In the organization settings, open **Member privileges** and set **Base permissions** to **None** or **Read**.
+
+#### Known limitations
+
+This test verifies the organization default repository permission only. It does not review per-repository collaborators, teams, or custom access grants.
+
+#### Related links
+
+* [CIS GitHub Benchmark v1.2.0 - Section 1.3.8](https://www.cisecurity.org/benchmark/github)
+* [GitHub REST API: Get an organization](https://docs.github.com/en/rest/orgs/orgs#get-an-organization)
+
+## Test Metadata
+
+| Field | Value |
+| --- | --- |
+| Test ID | CIS.GH.1.3.8 |
+| Severity | High |
+| Suite | CIS |
+| Category | CIS GH Level 1 |
+| PowerShell test | [Test-MtCisGitHubStrictBasePermission](/docs/commands/Test-MtCisGitHubStrictBasePermission) |
+| Tags | CIS, CIS GH, CIS GH Level 1, CIS GitHub v1.2.0, CIS.GH.1.3.8, L1 |
+
+## Source
+
+- Pester test: `tests/cis/Test-MtCisGitHubStrictBasePermission.Tests.ps1`
+- PowerShell source: `powershell/public/cis/Test-MtCisGitHubStrictBasePermission.ps1`
diff --git a/website/docs/tests/cis/readme.md b/website/docs/tests/cis/readme.md
index 7fd1fefb9..136db55e0 100644
--- a/website/docs/tests/cis/readme.md
+++ b/website/docs/tests/cis/readme.md
@@ -1,58 +1,63 @@
 ---
 id: overview
-title: "CIS Microsoft 365 Foundations Benchmark Tests"
+title: "CIS Benchmark Tests"
 sidebar_label: "🌀 CIS"
 sidebar_position: 1
 className: generated-test-doc
 hide_table_of_contents: true
-description: "CIS Microsoft 365 Foundations Benchmark controls implemented as Maester tests."
+description: "CIS Benchmark controls implemented as Maester tests."
 ---
 
 <!-- This file is generated by website/scripts/generate-test-docs.mjs. Do not edit manually. -->
 
-# CIS Microsoft 365 Foundations Benchmark Tests
+# CIS Benchmark Tests
 
-These tests verify Microsoft 365 tenant configuration against CIS Microsoft 365 Foundations Benchmark recommendations.
+These tests verify tenant and organization configuration against CIS Benchmark recommendations.
 
 ## Tests
 
 | Test ID | Title | Severity | Category |
 | --- | --- | --- | --- |
-| [CIS.M365.1.1.1](../CIS.M365.1.1.1) | Ensure Administrative accounts are cloud-only | High | CIS E3 Level 1 |
-| [CIS.M365.1.1.3](../CIS.M365.1.1.3) | Ensure that between two and four global admins are designated | High | CIS E3 Level 1 |
-| [CIS.M365.1.2.1](../CIS.M365.1.2.1) | Ensure that only organizationally managed/approved public groups exist | Medium | CIS E3 Level 2 |
-| [CIS.M365.1.2.2](../CIS.M365.1.2.2) | Ensure sign-in to shared mailboxes is blocked | High | CIS E3 Level 1 |
-| [CIS.M365.1.3.1](../CIS.M365.1.3.1) | Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)' | High | CIS E3 Level 1 |
-| [CIS.M365.1.3.3](../CIS.M365.1.3.3) | Ensure 'External sharing' of calendars is not available | Medium | CIS E3 Level 2 |
-| [CIS.M365.1.3.4](../CIS.M365.1.3.4) | Ensure 'User owned apps and services' is restricted | Unknown | CIS E3 Level 1 |
+| [CIS.GH.1.2.2](../CIS.GH.1.2.2) | (L1) Ensure repository creation is limited to specific members | Medium | CIS GH Level 1 |
+| [CIS.GH.1.2.3](../CIS.GH.1.2.3) | (L1) Ensure repository deletion is limited to specific users | High | CIS GH Level 1 |
+| [CIS.GH.1.2.4](../CIS.GH.1.2.4) | (L1) Ensure issue deletion is limited to specific users | Medium | CIS GH Level 1 |
+| [CIS.GH.1.3.2](../CIS.GH.1.3.2) | (L1) Ensure team creation is limited to specific members | Medium | CIS GH Level 1 |
+| [CIS.GH.1.3.8](../CIS.GH.1.3.8) | (L1) Ensure strict base permissions are set for repositories | High | CIS GH Level 1 |
+| [CIS.M365.1.1.1](../CIS.M365.1.1.1) | (L1) Ensure Administrative accounts are cloud-only | High | CIS E3 Level 1 |
+| [CIS.M365.1.1.3](../CIS.M365.1.1.3) | (L1) Ensure that between two and four global admins are designated | High | CIS E3 Level 1 |
+| [CIS.M365.1.2.1](../CIS.M365.1.2.1) | (L2) Ensure that only organizationally managed/approved public groups exist | Medium | CIS E3 Level 2 |
+| [CIS.M365.1.2.2](../CIS.M365.1.2.2) | (L1) Ensure sign-in to shared mailboxes is blocked | High | CIS E3 Level 1 |
+| [CIS.M365.1.3.1](../CIS.M365.1.3.1) | (L1) Ensure the 'Password expiration policy' is set to 'Set passwords to never expire (recommended)' | High | CIS E3 Level 1 |
+| [CIS.M365.1.3.3](../CIS.M365.1.3.3) | (L2) Ensure 'External sharing' of calendars is not available | Medium | CIS E3 Level 2 |
+| [CIS.M365.1.3.4](../CIS.M365.1.3.4) | Ensure | Unknown | CIS E3 Level 1 |
 | [CIS.M365.1.3.5](../CIS.M365.1.3.5) | Ensure internal phishing protection for Forms is enabled | Unknown | CIS E3 Level 1 |
-| [CIS.M365.1.3.6](../CIS.M365.1.3.6) | Ensure the customer lockbox feature is enabled | High | CIS E5 Level 2 |
-| [CIS.M365.1.3.7](../CIS.M365.1.3.7) | Ensure 'third-party storage services' are restricted in 'Microsoft 365 on the web'  | Unknown | CIS E3 Level 2 |
-| [CIS.M365.2.1.1](../CIS.M365.2.1.1) | Ensure Safe Links for Office Applications is Enabled (Only Checks Default Policy) | Medium | CIS E5 Level 2 |
-| [CIS.M365.2.1.2](../CIS.M365.2.1.2) | Ensure the Common Attachment Types Filter is enabled (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
-| [CIS.M365.2.1.3](../CIS.M365.2.1.3) | Ensure notifications for internal users sending malware is Enabled (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
-| [CIS.M365.2.1.4](../CIS.M365.2.1.4) | Ensure Safe Attachments policy is enabled (Only Checks Default Policy) | High | CIS E5 Level 2 |
-| [CIS.M365.2.1.5](../CIS.M365.2.1.5) | Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled | High | CIS E5 Level 2 |
-| [CIS.M365.2.1.6](../CIS.M365.2.1.6) | Ensure Exchange Online Spam Policies are set to notify administrators (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
-| [CIS.M365.2.1.7](../CIS.M365.2.1.7) | Ensure that an anti-phishing policy has been created (Only Checks Default Policy) | Medium | CIS E5 Level 1 |
-| [CIS.M365.2.1.9](../CIS.M365.2.1.9) | Ensure that DKIM is enabled for all Exchange Online Domains | High | CIS E3 Level 1 |
-| [CIS.M365.2.1.11](../CIS.M365.2.1.11) | Ensure comprehensive attachment filtering is applied | High | CIS E3 Level 2 |
-| [CIS.M365.2.1.12](../CIS.M365.2.1.12) | Ensure the connection filter IP allow list is not used (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
-| [CIS.M365.2.1.13](../CIS.M365.2.1.13) | Ensure the connection filter safe list is off (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
-| [CIS.M365.2.4.4](../CIS.M365.2.4.4) | Ensure Zero-hour auto purge for Microsoft Teams is on (Only Checks ZAP is enabled) | Medium | CIS E5 Level 1 |
-| [CIS.M365.3.1.1](../CIS.M365.3.1.1) | Ensure Microsoft 365 audit log search is Enabled | High | CIS E3 Level 1 |
+| [CIS.M365.1.3.6](../CIS.M365.1.3.6) | (L2) Ensure the customer lockbox feature is enabled | High | CIS E5 Level 2 |
+| [CIS.M365.1.3.7](../CIS.M365.1.3.7) | Ensure | Unknown | CIS E3 Level 2 |
+| [CIS.M365.2.1.1](../CIS.M365.2.1.1) | (L2) Ensure Safe Links for Office Applications is Enabled (Only Checks Default Policy) | Medium | CIS E5 Level 2 |
+| [CIS.M365.2.1.2](../CIS.M365.2.1.2) | (L1) Ensure the Common Attachment Types Filter is enabled (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
+| [CIS.M365.2.1.3](../CIS.M365.2.1.3) | (L1) Ensure notifications for internal users sending malware is Enabled (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
+| [CIS.M365.2.1.4](../CIS.M365.2.1.4) | (L2) Ensure Safe Attachments policy is enabled (Only Checks Default Policy) | High | CIS E5 Level 2 |
+| [CIS.M365.2.1.5](../CIS.M365.2.1.5) | (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled | High | CIS E5 Level 2 |
+| [CIS.M365.2.1.6](../CIS.M365.2.1.6) | (L1) Ensure Exchange Online Spam Policies are set to notify administrators (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
+| [CIS.M365.2.1.7](../CIS.M365.2.1.7) | (L1) Ensure that an anti-phishing policy has been created (Only Checks Default Policy) | Medium | CIS E5 Level 1 |
+| [CIS.M365.2.1.9](../CIS.M365.2.1.9) | (L1) Ensure that DKIM is enabled for all Exchange Online Domains | High | CIS E3 Level 1 |
+| [CIS.M365.2.1.11](../CIS.M365.2.1.11) | (L2) Ensure comprehensive attachment filtering is applied | High | CIS E3 Level 2 |
+| [CIS.M365.2.1.12](../CIS.M365.2.1.12) | (L1) Ensure the connection filter IP allow list is not used (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
+| [CIS.M365.2.1.13](../CIS.M365.2.1.13) | (L1) Ensure the connection filter safe list is off (Only Checks Default Policy) | Medium | CIS E3 Level 1 |
+| [CIS.M365.2.4.4](../CIS.M365.2.4.4) | (L1) Ensure Zero-hour auto purge for Microsoft Teams is on (Only Checks ZAP is enabled) | Medium | CIS E5 Level 1 |
+| [CIS.M365.3.1.1](../CIS.M365.3.1.1) | (L1) Ensure Microsoft 365 audit log search is Enabled | High | CIS E3 Level 1 |
 | [CIS.M365.4.1](../CIS.M365.4.1) | Ensure devices without a compliance policy are marked | Unknown | CIS E3 Level 2 |
 | [CIS.M365.5.1.2.2](../CIS.M365.5.1.2.2) | Ensure third party integrated applications are not allowed | Unknown | CIS E3 Level 2 |
-| [CIS.M365.5.1.2.3](../CIS.M365.5.1.2.3) | Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' | Unknown | CIS E3 Level 1 |
+| [CIS.M365.5.1.2.3](../CIS.M365.5.1.2.3) | Ensure | Unknown | CIS E3 Level 1 |
 | [CIS.M365.5.1.3.1](../CIS.M365.5.1.3.1) | Ensure a dynamic group for guest users is created | Unknown | CIS E3 Level 1 |
 | [CIS.M365.5.1.5.1](../CIS.M365.5.1.5.1) | Ensure user consent to apps accessing company data on their behalf is not allowed | Unknown | CIS E3 Level 2 |
 | [CIS.M365.5.1.5.2](../CIS.M365.5.1.5.2) | Ensure the admin consent workflow is enabled | Unknown | CIS E3 Level 1 |
 | [CIS.M365.5.1.6.2](../CIS.M365.5.1.6.2) | Ensure that guest user access is restricted | Unknown | CIS E3 Level 1 |
 | [CIS.M365.5.2.3.5](../CIS.M365.5.2.3.5) | Ensure weak authentication methods are disabled | Unknown | CIS E3 Level 1 |
 | [CIS.M365.6.5.3](../CIS.M365.6.5.3) | Ensure additional storage providers are restricted in Outlook on the web | Unknown | CIS E3 Level 2 |
-| [CIS.M365.8.1.1](../CIS.M365.8.1.1) | Ensure external file sharing in Teams is enabled for only approved cloud storage services | Medium | CIS E5 Level 2 |
-| [CIS.M365.8.2.2](../CIS.M365.8.2.2) | Ensure communication with unmanaged Teams users is disabled | Medium | CIS E5 Level 1 |
-| [CIS.M365.8.2.3](../CIS.M365.8.2.3) | Ensure external Teams users cannot initiate conversations | Unknown | CIS E5 Level 1 |
-| [CIS.M365.8.4.1](../CIS.M365.8.4.1) | Ensure all or a majority of third-party and custom apps are blocked | High | CIS E5 Level 1 |
-| [CIS.M365.8.5.3](../CIS.M365.8.5.3) | Ensure only people in my org can bypass the lobby | Medium | CIS E3 Level 1 |
-| [CIS.M365.8.6.1](../CIS.M365.8.6.1) | Ensure users can report security concerns in Teams to internal destination | Medium | CIS E3 Level 1 |
+| [CIS.M365.8.1.1](../CIS.M365.8.1.1) | (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services | Medium | CIS M365 v6.0.1 |
+| [CIS.M365.8.2.2](../CIS.M365.8.2.2) | (L1) Ensure communication with unmanaged Teams users is disabled | Medium | CIS M365 v6.0.1 |
+| [CIS.M365.8.2.3](../CIS.M365.8.2.3) | Ensure external Teams users cannot initiate conversations | Unknown | CIS M365 v6.0.1 |
+| [CIS.M365.8.4.1](../CIS.M365.8.4.1) | (L1) Ensure all or a majority of third-party and custom apps are blocked | High | CIS M365 v6.0.1 |
+| [CIS.M365.8.5.3](../CIS.M365.8.5.3) | (L1) Ensure only people in my org can bypass the lobby | Medium | CIS E3 Level 1 |
+| [CIS.M365.8.6.1](../CIS.M365.8.6.1) | (L1) Ensure users can report security concerns in Teams to internal destination | Medium | CIS E3 Level 1 |
diff --git a/website/docs/tests/readme.md b/website/docs/tests/readme.md
index 38ee0374f..18eabf353 100644
--- a/website/docs/tests/readme.md
+++ b/website/docs/tests/readme.md
@@ -21,13 +21,18 @@ This section is generated from the Maester test source. Each page includes the t
 | [Maester](./maester) | 144 | Maester security tests for Microsoft 365 and Microsoft Entra configurations. |
 | [Entra ID SCA](./eidsca) | 44 | Entra ID Security Config Analyzer tests mapped to Microsoft Entra security configuration checks. |
 | [CISA](./cisa) | 73 | CISA SCuBA baseline tests for Microsoft 365 security configurations. |
-| [CIS](./cis) | 38 | CIS Microsoft 365 Foundations Benchmark controls implemented as Maester tests. |
+| [CIS](./cis) | 43 | CIS Benchmark controls implemented as Maester tests. |
 | [ORCA](./orca) | 67 | ORCA Exchange Online security configuration tests included in Maester. |
 
 ## All Tests
 
 | Test ID | Title | Suite | Severity | Category |
 | --- | --- | --- | --- | --- |
+| [CIS.GH.1.2.2](./CIS.GH.1.2.2) | (L1) Ensure repository creation is limited to specific members | CIS | Medium | CIS GH Level 1 |
+| [CIS.GH.1.2.3](./CIS.GH.1.2.3) | (L1) Ensure repository deletion is limited to specific users | CIS | High | CIS GH Level 1 |
+| [CIS.GH.1.2.4](./CIS.GH.1.2.4) | (L1) Ensure issue deletion is limited to specific users | CIS | Medium | CIS GH Level 1 |
+| [CIS.GH.1.3.2](./CIS.GH.1.3.2) | (L1) Ensure team creation is limited to specific members | CIS | Medium | CIS GH Level 1 |
+| [CIS.GH.1.3.8](./CIS.GH.1.3.8) | (L1) Ensure strict base permissions are set for repositories | CIS | High | CIS GH Level 1 |
 | [CIS.M365.1.1.1](./CIS.M365.1.1.1) | (L1) Ensure Administrative accounts are cloud-only | CIS | High | CIS E3 Level 1 |
 | [CIS.M365.1.1.3](./CIS.M365.1.1.3) | (L1) Ensure that between two and four global admins are designated | CIS | High | CIS E3 Level 1 |
 | [CIS.M365.1.2.1](./CIS.M365.1.2.1) | (L2) Ensure that only organizationally managed/approved public groups exist | CIS | Medium | CIS E3 Level 2 |
diff --git a/website/docs/tests/tags/readme.md b/website/docs/tests/tags/readme.md
index 1dd64ca05..f70623228 100644
--- a/website/docs/tests/tags/readme.md
+++ b/website/docs/tests/tags/readme.md
@@ -25,14 +25,22 @@ Tags are discovered from Pester test metadata and can be used to find related Ma
 | Backup | 1 | [MT.1065](../MT.1065) |
 | CA | 33 | [MT.1001](../MT.1001), [MT.1003](../MT.1003), [MT.1004](../MT.1004), [MT.1005](../MT.1005), [MT.1006](../MT.1006), [MT.1007](../MT.1007), [MT.1008](../MT.1008), [MT.1009](../MT.1009), ... |
 | CAWhatIf | 2 | [MT.1033](../MT.1033), [MT.1034](../MT.1034) |
-| CIS | 38 | [CIS.M365.1.1.1](../CIS.M365.1.1.1), [CIS.M365.1.1.3](../CIS.M365.1.1.3), [CIS.M365.1.2.1](../CIS.M365.1.2.1), [CIS.M365.1.2.2](../CIS.M365.1.2.2), [CIS.M365.1.3.1](../CIS.M365.1.3.1), [CIS.M365.1.3.3](../CIS.M365.1.3.3), [CIS.M365.1.3.4](../CIS.M365.1.3.4), [CIS.M365.1.3.5](../CIS.M365.1.3.5), ... |
+| CIS | 43 | [CIS.GH.1.2.2](../CIS.GH.1.2.2), [CIS.GH.1.2.3](../CIS.GH.1.2.3), [CIS.GH.1.2.4](../CIS.GH.1.2.4), [CIS.GH.1.3.2](../CIS.GH.1.3.2), [CIS.GH.1.3.8](../CIS.GH.1.3.8), [CIS.M365.1.1.1](../CIS.M365.1.1.1), [CIS.M365.1.1.3](../CIS.M365.1.1.3), [CIS.M365.1.2.1](../CIS.M365.1.2.1), ... |
 | CIS E3 | 28 | [CIS.M365.1.1.1](../CIS.M365.1.1.1), [CIS.M365.1.1.3](../CIS.M365.1.1.3), [CIS.M365.1.2.1](../CIS.M365.1.2.1), [CIS.M365.1.2.2](../CIS.M365.1.2.2), [CIS.M365.1.3.1](../CIS.M365.1.3.1), [CIS.M365.1.3.3](../CIS.M365.1.3.3), [CIS.M365.1.3.4](../CIS.M365.1.3.4), [CIS.M365.1.3.5](../CIS.M365.1.3.5), ... |
 | CIS E3 Level 1 | 23 | [CIS.M365.1.1.1](../CIS.M365.1.1.1), [CIS.M365.1.1.3](../CIS.M365.1.1.3), [CIS.M365.1.2.2](../CIS.M365.1.2.2), [CIS.M365.1.3.1](../CIS.M365.1.3.1), [CIS.M365.1.3.4](../CIS.M365.1.3.4), [CIS.M365.1.3.5](../CIS.M365.1.3.5), [CIS.M365.2.1.2](../CIS.M365.2.1.2), [CIS.M365.2.1.3](../CIS.M365.2.1.3), ... |
 | CIS E3 Level 2 | 9 | [CIS.M365.1.2.1](../CIS.M365.1.2.1), [CIS.M365.1.3.3](../CIS.M365.1.3.3), [CIS.M365.1.3.7](../CIS.M365.1.3.7), [CIS.M365.2.1.11](../CIS.M365.2.1.11), [CIS.M365.4.1](../CIS.M365.4.1), [CIS.M365.5.1.2.2](../CIS.M365.5.1.2.2), [CIS.M365.5.1.5.1](../CIS.M365.5.1.5.1), [CIS.M365.6.5.3](../CIS.M365.6.5.3), ... |
 | CIS E5 | 18 | [CIS.M365.1.3.4](../CIS.M365.1.3.4), [CIS.M365.1.3.5](../CIS.M365.1.3.5), [CIS.M365.1.3.6](../CIS.M365.1.3.6), [CIS.M365.1.3.7](../CIS.M365.1.3.7), [CIS.M365.2.1.1](../CIS.M365.2.1.1), [CIS.M365.2.1.4](../CIS.M365.2.1.4), [CIS.M365.2.1.5](../CIS.M365.2.1.5), [CIS.M365.2.1.7](../CIS.M365.2.1.7), ... |
 | CIS E5 Level 1 | 9 | [CIS.M365.1.3.4](../CIS.M365.1.3.4), [CIS.M365.1.3.5](../CIS.M365.1.3.5), [CIS.M365.2.1.7](../CIS.M365.2.1.7), [CIS.M365.2.4.4](../CIS.M365.2.4.4), [CIS.M365.5.1.2.3](../CIS.M365.5.1.2.3), [CIS.M365.5.1.3.1](../CIS.M365.5.1.3.1), [CIS.M365.5.1.5.2](../CIS.M365.5.1.5.2), [CIS.M365.5.1.6.2](../CIS.M365.5.1.6.2), ... |
 | CIS E5 Level 2 | 9 | [CIS.M365.1.3.6](../CIS.M365.1.3.6), [CIS.M365.1.3.7](../CIS.M365.1.3.7), [CIS.M365.2.1.1](../CIS.M365.2.1.1), [CIS.M365.2.1.4](../CIS.M365.2.1.4), [CIS.M365.2.1.5](../CIS.M365.2.1.5), [CIS.M365.4.1](../CIS.M365.4.1), [CIS.M365.5.1.2.2](../CIS.M365.5.1.2.2), [CIS.M365.5.1.5.1](../CIS.M365.5.1.5.1), ... |
+| CIS GH | 5 | [CIS.GH.1.2.2](../CIS.GH.1.2.2), [CIS.GH.1.2.3](../CIS.GH.1.2.3), [CIS.GH.1.2.4](../CIS.GH.1.2.4), [CIS.GH.1.3.2](../CIS.GH.1.3.2), [CIS.GH.1.3.8](../CIS.GH.1.3.8) |
+| CIS GH Level 1 | 5 | [CIS.GH.1.2.2](../CIS.GH.1.2.2), [CIS.GH.1.2.3](../CIS.GH.1.2.3), [CIS.GH.1.2.4](../CIS.GH.1.2.4), [CIS.GH.1.3.2](../CIS.GH.1.3.2), [CIS.GH.1.3.8](../CIS.GH.1.3.8) |
+| CIS GitHub v1.2.0 | 5 | [CIS.GH.1.2.2](../CIS.GH.1.2.2), [CIS.GH.1.2.3](../CIS.GH.1.2.3), [CIS.GH.1.2.4](../CIS.GH.1.2.4), [CIS.GH.1.3.2](../CIS.GH.1.3.2), [CIS.GH.1.3.8](../CIS.GH.1.3.8) |
 | CIS M365 v6.0.1 | 38 | [CIS.M365.1.1.1](../CIS.M365.1.1.1), [CIS.M365.1.1.3](../CIS.M365.1.1.3), [CIS.M365.1.2.1](../CIS.M365.1.2.1), [CIS.M365.1.2.2](../CIS.M365.1.2.2), [CIS.M365.1.3.1](../CIS.M365.1.3.1), [CIS.M365.1.3.3](../CIS.M365.1.3.3), [CIS.M365.1.3.4](../CIS.M365.1.3.4), [CIS.M365.1.3.5](../CIS.M365.1.3.5), ... |
+| CIS.GH.1.2.2 | 1 | [CIS.GH.1.2.2](../CIS.GH.1.2.2) |
+| CIS.GH.1.2.3 | 1 | [CIS.GH.1.2.3](../CIS.GH.1.2.3) |
+| CIS.GH.1.2.4 | 1 | [CIS.GH.1.2.4](../CIS.GH.1.2.4) |
+| CIS.GH.1.3.2 | 1 | [CIS.GH.1.3.2](../CIS.GH.1.3.2) |
+| CIS.GH.1.3.8 | 1 | [CIS.GH.1.3.8](../CIS.GH.1.3.8) |
 | CIS.M365.1.1.1 | 1 | [CIS.M365.1.1.1](../CIS.M365.1.1.1) |
 | CIS.M365.1.1.3 | 1 | [CIS.M365.1.1.3](../CIS.M365.1.1.3) |
 | CIS.M365.1.2.1 | 1 | [CIS.M365.1.2.1](../CIS.M365.1.2.1) |
@@ -206,7 +214,7 @@ Tags are discovered from Pester test metadata and can be used to find related Ma
 | Group | 2 | [MT.1055](../MT.1055), [MT.1069](../MT.1069) |
 | Hybrid | 3 | [MT.1073](../MT.1073), [MT.1084](../MT.1084), [MT.1147](../MT.1147) |
 | Intune | 16 | [MT.1053](../MT.1053), [MT.1054](../MT.1054), [MT.1092](../MT.1092), [MT.1093](../MT.1093), [MT.1094](../MT.1094), [MT.1095](../MT.1095), [MT.1096](../MT.1096), [MT.1097](../MT.1097), ... |
-| L1 | 22 | [CIS.M365.1.1.1](../CIS.M365.1.1.1), [CIS.M365.1.1.3](../CIS.M365.1.1.3), [CIS.M365.1.2.2](../CIS.M365.1.2.2), [CIS.M365.1.3.1](../CIS.M365.1.3.1), [CIS.M365.1.3.4](../CIS.M365.1.3.4), [CIS.M365.1.3.5](../CIS.M365.1.3.5), [CIS.M365.2.1.2](../CIS.M365.2.1.2), [CIS.M365.2.1.3](../CIS.M365.2.1.3), ... |
+| L1 | 27 | [CIS.GH.1.2.2](../CIS.GH.1.2.2), [CIS.GH.1.2.3](../CIS.GH.1.2.3), [CIS.GH.1.2.4](../CIS.GH.1.2.4), [CIS.GH.1.3.2](../CIS.GH.1.3.2), [CIS.GH.1.3.8](../CIS.GH.1.3.8), [CIS.M365.1.1.1](../CIS.M365.1.1.1), [CIS.M365.1.1.3](../CIS.M365.1.1.3), [CIS.M365.1.2.2](../CIS.M365.1.2.2), ... |
 | L2 | 12 | [CIS.M365.1.2.1](../CIS.M365.1.2.1), [CIS.M365.1.3.3](../CIS.M365.1.3.3), [CIS.M365.1.3.6](../CIS.M365.1.3.6), [CIS.M365.1.3.7](../CIS.M365.1.3.7), [CIS.M365.2.1.1](../CIS.M365.2.1.1), [CIS.M365.2.1.4](../CIS.M365.2.1.4), [CIS.M365.2.1.5](../CIS.M365.2.1.5), [CIS.M365.2.1.11](../CIS.M365.2.1.11), ... |
 | LongRunning | 19 | [MT.1033](../MT.1033), [MT.1034](../MT.1034), [MT.1050](../MT.1050), [MT.1051](../MT.1051), [MT.1057](../MT.1057), [MT.1058](../MT.1058), [MT.1063](../MT.1063), [MT.1075](../MT.1075), ... |
 | Maester | 100 | [MT.1001](../MT.1001), [MT.1002](../MT.1002), [MT.1003](../MT.1003), [MT.1004](../MT.1004), [MT.1005](../MT.1005), [MT.1006](../MT.1006), [MT.1007](../MT.1007), [MT.1008](../MT.1008), ... |
diff --git a/website/scripts/generate-test-docs.mjs b/website/scripts/generate-test-docs.mjs
index 3816aa7f7..f0a5d6fc0 100644
--- a/website/scripts/generate-test-docs.mjs
+++ b/website/scripts/generate-test-docs.mjs
@@ -40,11 +40,11 @@ const suiteConfig = {
   },
   cis: {
     label: "CIS",
-    title: "CIS Microsoft 365 Foundations Benchmark Tests",
+    title: "CIS Benchmark Tests",
     sidebarLabel: "🌀 CIS",
-    description: "CIS Microsoft 365 Foundations Benchmark controls implemented as Maester tests.",
+    description: "CIS Benchmark controls implemented as Maester tests.",
     overview:
-      "These tests verify Microsoft 365 tenant configuration against CIS Microsoft 365 Foundations Benchmark recommendations.",
+      "These tests verify tenant and organization configuration against CIS Benchmark recommendations.",
   },
   orca: {
     label: "ORCA",
diff --git a/website/versioned_docs/version-2.1.0/commands/Connect-MtGitHub.mdx b/website/versioned_docs/version-2.1.0/commands/Connect-MtGitHub.mdx
new file mode 100644
index 000000000..15815c691
--- /dev/null
+++ b/website/versioned_docs/version-2.1.0/commands/Connect-MtGitHub.mdx
@@ -0,0 +1,216 @@
+---
+sidebar_class_name: hidden
+description: "Establishes a GitHub Enterprise Cloud organization REST API session for Maester."
+id: Connect-MtGitHub
+title: Connect-MtGitHub
+hide_title: false
+hide_table_of_contents: false
+custom_edit_url: https://github.com/maester365/maester/blob/main/powershell/public/Connect-MtGitHub.ps1
+---
+
+## SYNOPSIS
+
+Establishes a GitHub Enterprise Cloud organization REST API session for Maester.
+
+## SYNTAX
+
+```powershell
+Connect-MtGitHub [[-Organization] <String>] [[-Token] <SecureString>] [[-ApiBaseUri] <String>]
+ [[-ApiVersion] <String>] [-ProgressAction <ActionPreference>] [<CommonParameters>]
+```
+
+## DESCRIPTION
+
+Establishes a GitHub Enterprise Cloud organization REST API session for Maester CIS
+benchmark tests.
+This is an organization-scoped session, not a full enterprise-admin
+session: enterprise-admin endpoints under /enterprises/\{enterprise\} are not verified
+by this command and would require a future enterprise-access probe if CIS controls
+need them.
+
+Validates the PAT via four probes.
+The first three are blocking (any failure aborts
+the connection); the fourth is non-blocking (failure emits a warning but the session
+is still established):
+  1.
+GET /user                            - token identity (blocking)
+  2.
+GET /orgs/\{org\}                      - org metadata (blocking)
+  3.
+GET /orgs/\{org\}/memberships/\{user\}   - org-access proof, state + role (blocking)
+  4.
+GET /orgs/\{org\}/actions/permissions  - administration access probe (non-blocking)
+
+The membership probe is the real access gate: /orgs/\{org\} returns public metadata
+even for tokens with no relationship to the organization.
+A 4xx, malformed body,
+or missing state/role on probe 3 aborts with FailureReason = 'OrgMembershipFailed'.
+A successful response whose membership state is anything other than 'active'
+(e.g.
+'pending' for an invitation that has not been accepted) also aborts the
+connection, with FailureReason = 'OrgMembershipPending' - only an active
+membership proves the user can act on the organization.
+
+Probe 4 verifies the token can reach an org-administration endpoint.
+GitHub
+documents /orgs/\{org\}/actions/permissions as requiring classic PAT 'admin:org' or
+fine-grained 'Organization Administration: read'.
+Failure here records
+AdministrationPermissionVerified = $false and emits a warning, but does not flip
+Connected to $false - the session remains usable for controls that don't require
+org administration access.
+
+On success, Role = 'admin' + RoleState = 'active' + AdministrationPermissionVerified
+= $true is the no-warning path.
+Other active roles (member, billing_manager, etc.)
+or admin-probe failure still connect but emit warnings indicating limited CIS
+coverage.
+Non-active membership states do not connect at all.
+
+A non-rate-limited HTTP 403 from GET /user aborts with FailureReason =
+'TokenForbidden'.
+Common causes include SAML SSO enforcement, IP allowlists,
+token/account blocking, or other authorization policies.
+A rate-limited 403
+is still classified as FailureReason = 'RateLimited'.
+
+A malformed JSON response from GET /orgs/\{org\} aborts with FailureReason =
+'OrgAccessFailed' and identifies the response parsing problem instead of
+blaming the PAT scope, organization name, or API base URI.
+
+The successful GET /orgs/\{org\} response is cached only after the full
+connection succeeds, so failed connection attempts do not seed org data.
+
+Token resolution order:
+  1.
+-Token parameter (SecureString)
+  2.
+MAESTER_GITHUB_TOKEN environment variable
+  3.
+GH_TOKEN environment variable (GitHub CLI convention)
+
+Required permissions:
+  Classic PAT:        admin:org
+  Fine-grained PAT:   Organization Members: read + Organization Administration: read
+  Required role for full coverage: organization owner/admin
+
+Note: Connection success proves token validity and org access, not that all
+CIS control fields will be visible.
+Each CIS test validates field availability
+and skips with an informative message if required fields are absent.
+
+## EXAMPLES
+
+### EXAMPLE 1
+
+```powershell
+Connect-MtGitHub -Organization 'mycompany'
+```
+
+### EXAMPLE 2
+
+```powershell
+Connect-MtGitHub -Organization 'mycompany' -ApiBaseUri 'https://api.myco.ghe.com'
+```
+
+## PARAMETERS
+
+### -Organization
+
+GitHub organization login name.
+Falls back to GitHubOrganization in maester-config.json.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Token
+
+PAT as SecureString.
+Falls back to MAESTER_GITHUB_TOKEN or GH_TOKEN env vars.
+
+```yaml
+Type: SecureString
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ApiBaseUri
+
+GitHub API base URI.
+Falls back to GitHubApiBaseUri config, then https://api.github.com.
+Set to https://api.\{subdomain\}.ghe.com for GHE.com EMU deployments.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ApiVersion
+
+GitHub REST API version date.
+Falls back to GitHubApiVersion config, then 2022-11-28.
+GitHub defaults requests without X-GitHub-Api-Version to 2022-11-28.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ProgressAction
+
+\{\{ Fill ProgressAction Description \}\}
+
+```yaml
+Type: ActionPreference
+Parameter Sets: (All)
+Aliases: proga
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[https://maester.dev/docs/commands/Connect-MtGitHub](https://maester.dev/docs/commands/Connect-MtGitHub)
diff --git a/website/versioned_docs/version-2.1.0/commands/Disconnect-MtGitHub.mdx b/website/versioned_docs/version-2.1.0/commands/Disconnect-MtGitHub.mdx
new file mode 100644
index 000000000..4f77aaf2f
--- /dev/null
+++ b/website/versioned_docs/version-2.1.0/commands/Disconnect-MtGitHub.mdx
@@ -0,0 +1,73 @@
+---
+sidebar_class_name: hidden
+description: "Clears the current GitHub REST session in Maester."
+id: Disconnect-MtGitHub
+title: Disconnect-MtGitHub
+hide_title: false
+hide_table_of_contents: false
+custom_edit_url: https://github.com/maester365/maester/blob/main/powershell/public/Disconnect-MtGitHub.ps1
+---
+
+## SYNOPSIS
+
+Clears the current GitHub REST session in Maester.
+
+## SYNTAX
+
+```powershell
+Disconnect-MtGitHub [-ProgressAction <ActionPreference>] [<CommonParameters>]
+```
+
+## DESCRIPTION
+
+Removes the GitHub PAT-derived auth header, the connection metadata, and the per-session
+REST response cache from the Maester module's session state.
+Idempotent - safe to call when
+no GitHub session is active.
+
+Use this when you want to drop the in-memory token, switch organizations, or clean up
+troubleshooting state.
+Disconnect-Maester also calls this automatically (Disconnect-MtGraph
+alias does not, to preserve its narrow Graph-only semantic).
+
+## EXAMPLES
+
+### EXAMPLE 1
+
+```powershell
+Disconnect-MtGitHub
+```
+
+Clears any active GitHub session.
+
+## PARAMETERS
+
+### -ProgressAction
+
+\{\{ Fill ProgressAction Description \}\}
+
+```yaml
+Type: ActionPreference
+Parameter Sets: (All)
+Aliases: proga
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[https://maester.dev/docs/commands/Disconnect-MtGitHub](https://maester.dev/docs/commands/Disconnect-MtGitHub)
diff --git a/website/versioned_docs/version-2.1.0/commands/Test-MtCisGitHubIssueDeletionLimited.mdx b/website/versioned_docs/version-2.1.0/commands/Test-MtCisGitHubIssueDeletionLimited.mdx
new file mode 100644
index 000000000..50bcec6ee
--- /dev/null
+++ b/website/versioned_docs/version-2.1.0/commands/Test-MtCisGitHubIssueDeletionLimited.mdx
@@ -0,0 +1,72 @@
+---
+sidebar_class_name: hidden
+description: "CIS.GH.1.2.4: Ensure issue deletion is limited to specific users."
+id: Test-MtCisGitHubIssueDeletionLimited
+title: Test-MtCisGitHubIssueDeletionLimited
+hide_title: false
+hide_table_of_contents: false
+custom_edit_url: https://github.com/maester365/maester/blob/main/powershell/public/Test-MtCisGitHubIssueDeletionLimited.ps1
+---
+
+## SYNOPSIS
+
+CIS.GH.1.2.4: Ensure issue deletion is limited to specific users.
+
+## SYNTAX
+
+```powershell
+Test-MtCisGitHubIssueDeletionLimited [-ProgressAction <ActionPreference>] [<CommonParameters>]
+```
+
+## DESCRIPTION
+
+CIS GitHub Benchmark v1.2.0 section 1.2.4 marks this recommendation as
+Manual.
+This test collects organization setting evidence from
+GET /orgs/\{org\} and marks the result as Investigate because CIS GH 1.2.4
+still requires a manual trust review for either repository administrators
+or organization owners.
+
+## EXAMPLES
+
+### EXAMPLE 1
+
+```powershell
+Test-MtCisGitHubIssueDeletionLimited
+```
+
+Returns Investigate when the GitHub organization setting is available.
+
+## PARAMETERS
+
+### -ProgressAction
+
+\{\{ Fill ProgressAction Description \}\}
+
+```yaml
+Type: ActionPreference
+Parameter Sets: (All)
+Aliases: proga
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+## RELATED LINKS
+
+[https://maester.dev/docs/commands/Test-MtCisGitHubIssueDeletionLimited](https://maester.dev/docs/commands/Test-MtCisGitHubIssueDeletionLimited)
diff --git a/website/versioned_docs/version-2.1.0/commands/Test-MtCisGitHubRepositoryCreationLimited.mdx b/website/versioned_docs/version-2.1.0/commands/Test-MtCisGitHubRepositoryCreationLimited.mdx
new file mode 100644
index 000000000..9dd7b8c0b
--- /dev/null
+++ b/website/versioned_docs/version-2.1.0/commands/Test-MtCisGitHubRepositoryCreationLimited.mdx
@@ -0,0 +1,73 @@
+---
+sidebar_class_name: hidden
+description: "CIS.GH.1.2.2: Ensure repository creation is limited to specific members."
+id: Test-MtCisGitHubRepositoryCreationLimited
+title: Test-MtCisGitHubRepositoryCreationLimited
+hide_title: false
+hide_table_of_contents: false
+custom_edit_url: https://github.com/maester365/maester/blob/main/powershell/public/Test-MtCisGitHubRepositoryCreationLimited.ps1
+---
+
+## SYNOPSIS
+
+CIS.GH.1.2.2: Ensure repository creation is limited to specific members.
+
+## SYNTAX
+
+```powershell
+Test-MtCisGitHubRepositoryCreationLimited [-ProgressAction <ActionPreference>] [<CommonParameters>]
+```
+
+## DESCRIPTION
+
+CIS GitHub Benchmark v1.2.0 section 1.2.2 marks this recommendation as
+Manual.
+This test automates the organization member-privileges fields
+exposed by GET /orgs/\{org\}.
+Public and private repository creation decide
+the test result; internal repository creation is shown as informational
+evidence when GitHub returns it.
+
+## EXAMPLES
+
+### EXAMPLE 1
+
+```powershell
+Test-MtCisGitHubRepositoryCreationLimited
+```
+
+Returns true when members cannot create public or private repositories.
+
+## PARAMETERS
+
+### -ProgressAction
+
+\{\{ Fill ProgressAction Description \}\}
+
+```yaml
+Type: ActionPreference
+Parameter Sets: (All)
+Aliases: proga
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+## RELATED LINKS
+
+[https://maester.dev/docs/commands/Test-MtCisGitHubRepositoryCreationLimited](https://maester.dev/docs/commands/Test-MtCisGitHubRepositoryCreationLimited)
diff --git a/website/versioned_docs/version-2.1.0/commands/Test-MtCisGitHubRepositoryDeletionLimited.mdx b/website/versioned_docs/version-2.1.0/commands/Test-MtCisGitHubRepositoryDeletionLimited.mdx
new file mode 100644
index 000000000..7ae420a96
--- /dev/null
+++ b/website/versioned_docs/version-2.1.0/commands/Test-MtCisGitHubRepositoryDeletionLimited.mdx
@@ -0,0 +1,72 @@
+---
+sidebar_class_name: hidden
+description: "CIS.GH.1.2.3: Ensure repository deletion is limited to specific users."
+id: Test-MtCisGitHubRepositoryDeletionLimited
+title: Test-MtCisGitHubRepositoryDeletionLimited
+hide_title: false
+hide_table_of_contents: false
+custom_edit_url: https://github.com/maester365/maester/blob/main/powershell/public/Test-MtCisGitHubRepositoryDeletionLimited.ps1
+---
+
+## SYNOPSIS
+
+CIS.GH.1.2.3: Ensure repository deletion is limited to specific users.
+
+## SYNTAX
+
+```powershell
+Test-MtCisGitHubRepositoryDeletionLimited [-ProgressAction <ActionPreference>] [<CommonParameters>]
+```
+
+## DESCRIPTION
+
+CIS GitHub Benchmark v1.2.0 section 1.2.3 marks this recommendation as
+Manual.
+This test collects organization setting evidence from
+GET /orgs/\{org\} and marks the result as Investigate because CIS GH 1.2.3
+still requires a manual trust review for either repository administrators
+or organization owners.
+
+## EXAMPLES
+
+### EXAMPLE 1
+
+```powershell
+Test-MtCisGitHubRepositoryDeletionLimited
+```
+
+Returns Investigate when the GitHub organization setting is available.
+
+## PARAMETERS
+
+### -ProgressAction
+
+\{\{ Fill ProgressAction Description \}\}
+
+```yaml
+Type: ActionPreference
+Parameter Sets: (All)
+Aliases: proga
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+## RELATED LINKS
+
+[https://maester.dev/docs/commands/Test-MtCisGitHubRepositoryDeletionLimited](https://maester.dev/docs/commands/Test-MtCisGitHubRepositoryDeletionLimited)
diff --git a/website/versioned_docs/version-2.1.0/commands/Test-MtCisGitHubStrictBasePermission.mdx b/website/versioned_docs/version-2.1.0/commands/Test-MtCisGitHubStrictBasePermission.mdx
new file mode 100644
index 000000000..20e4e5a34
--- /dev/null
+++ b/website/versioned_docs/version-2.1.0/commands/Test-MtCisGitHubStrictBasePermission.mdx
@@ -0,0 +1,70 @@
+---
+sidebar_class_name: hidden
+description: "CIS.GH.1.3.8: Ensure strict base permissions are set for repositories."
+id: Test-MtCisGitHubStrictBasePermission
+title: Test-MtCisGitHubStrictBasePermission
+hide_title: false
+hide_table_of_contents: false
+custom_edit_url: https://github.com/maester365/maester/blob/main/powershell/public/Test-MtCisGitHubStrictBasePermission.ps1
+---
+
+## SYNOPSIS
+
+CIS.GH.1.3.8: Ensure strict base permissions are set for repositories.
+
+## SYNTAX
+
+```powershell
+Test-MtCisGitHubStrictBasePermission [-ProgressAction <ActionPreference>] [<CommonParameters>]
+```
+
+## DESCRIPTION
+
+CIS GitHub Benchmark v1.2.0 section 1.3.8 marks this recommendation as
+Manual.
+This test automates the organization default repository permission
+exposed by GET /orgs/\{org\} and requires the value to be none or read.
+
+## EXAMPLES
+
+### EXAMPLE 1
+
+```powershell
+Test-MtCisGitHubStrictBasePermission
+```
+
+Returns true when default_repository_permission is none or read.
+
+## PARAMETERS
+
+### -ProgressAction
+
+\{\{ Fill ProgressAction Description \}\}
+
+```yaml
+Type: ActionPreference
+Parameter Sets: (All)
+Aliases: proga
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+## RELATED LINKS
+
+[https://maester.dev/docs/commands/Test-MtCisGitHubStrictBasePermission](https://maester.dev/docs/commands/Test-MtCisGitHubStrictBasePermission)
diff --git a/website/versioned_docs/version-2.1.0/commands/Test-MtCisGitHubTeamCreationLimited.mdx b/website/versioned_docs/version-2.1.0/commands/Test-MtCisGitHubTeamCreationLimited.mdx
new file mode 100644
index 000000000..5bab7da38
--- /dev/null
+++ b/website/versioned_docs/version-2.1.0/commands/Test-MtCisGitHubTeamCreationLimited.mdx
@@ -0,0 +1,71 @@
+---
+sidebar_class_name: hidden
+description: "CIS.GH.1.3.2: Ensure team creation is limited to specific members."
+id: Test-MtCisGitHubTeamCreationLimited
+title: Test-MtCisGitHubTeamCreationLimited
+hide_title: false
+hide_table_of_contents: false
+custom_edit_url: https://github.com/maester365/maester/blob/main/powershell/public/Test-MtCisGitHubTeamCreationLimited.ps1
+---
+
+## SYNOPSIS
+
+CIS.GH.1.3.2: Ensure team creation is limited to specific members.
+
+## SYNTAX
+
+```powershell
+Test-MtCisGitHubTeamCreationLimited [-ProgressAction <ActionPreference>] [<CommonParameters>]
+```
+
+## DESCRIPTION
+
+CIS GitHub Benchmark v1.2.0 section 1.3.2 marks this recommendation as
+Manual.
+This test automates the organization member-privileges field
+exposed by GET /orgs/\{org\} and requires members_can_create_teams to be
+false.
+
+## EXAMPLES
+
+### EXAMPLE 1
+
+```powershell
+Test-MtCisGitHubTeamCreationLimited
+```
+
+Returns true when members cannot create teams.
+
+## PARAMETERS
+
+### -ProgressAction
+
+\{\{ Fill ProgressAction Description \}\}
+
+```yaml
+Type: ActionPreference
+Parameter Sets: (All)
+Aliases: proga
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Boolean
+
+## NOTES
+
+## RELATED LINKS
+
+[https://maester.dev/docs/commands/Test-MtCisGitHubTeamCreationLimited](https://maester.dev/docs/commands/Test-MtCisGitHubTeamCreationLimited)