merge: resolve conflicts with upstream/main (v1.10.0)

Adopt upstream's IDEType naming (intellij_idea, pycharm instead of
intellij_idea_ultimate, pycharm_professional). Keep our Windows
enhancements (glob paths, product-info.json, .eclipseproduct,
RunInDir, JetBrains plugin detection). Incorporate upstream additions
(Fleet, Xcode, Homebrew, Python scanning, UserAwareExecutor).

Author: swarit-stepsecurity

.github/workflows/release.yml

@@ -65,15 +65,32 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Resolve draft release tag
+        id: release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # GoReleaser creates draft releases under an "untagged-*" slug,
+          # so gh release upload by version tag returns 404. Look up the
+          # actual tag GitHub assigned to the draft.
+          release_tag=$(gh api "repos/${{ github.repository }}/releases" \
+            --jq '[.[] | select(.draft and .tag_name == "${{ steps.version.outputs.tag }}")] | first | .tag_name')
+          if [ -z "$release_tag" ] || [ "$release_tag" = "null" ]; then
+            echo "::error::Could not find draft release for ${{ steps.version.outputs.tag }}"
+            exit 1
+          fi
+          echo "tag=$release_tag" >> "$GITHUB_OUTPUT"
+          echo "Resolved draft release tag: $release_tag"
+
       - name: Install cosign
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Locate binaries
         id: binaries
         run: |
           DARWIN=$(find dist -type f -name '*darwin_unnotarized' | head -1)
-          WIN_AMD64=$(find dist -type f -name '*windows_amd64.exe' | head -1)
-          WIN_ARM64=$(find dist -type f -name '*windows_arm64.exe' | head -1)
+          WIN_AMD64=$(find dist -type f -name '*.exe' -path '*windows_amd64*' | head -1)
+          WIN_ARM64=$(find dist -type f -name '*.exe' -path '*windows_arm64*' | head -1)
 
           for label in "darwin:${DARWIN}" "windows_amd64:${WIN_AMD64}" "windows_arm64:${WIN_ARM64}"; do
             name="${label%%:*}"
@@ -91,22 +108,23 @@ jobs:
 
       - name: Sign artifacts with Sigstore
         run: |
-          for artifact in \
-            "${{ steps.binaries.outputs.darwin }}" \
-            "${{ steps.binaries.outputs.win_amd64 }}" \
-            "${{ steps.binaries.outputs.win_arm64 }}" \
-            stepsecurity-dev-machine-guard.sh; do
-            cosign sign-blob "$artifact" --bundle "${artifact}.bundle" --yes
-          done
+          cosign sign-blob "${{ steps.binaries.outputs.darwin }}" \
+            --bundle dist/stepsecurity-dev-machine-guard-darwin_unnotarized.bundle --yes
+          cosign sign-blob "${{ steps.binaries.outputs.win_amd64 }}" \
+            --bundle dist/stepsecurity-dev-machine-guard-windows_amd64.exe.bundle --yes
+          cosign sign-blob "${{ steps.binaries.outputs.win_arm64 }}" \
+            --bundle dist/stepsecurity-dev-machine-guard-windows_arm64.exe.bundle --yes
+          cosign sign-blob stepsecurity-dev-machine-guard.sh \
+            --bundle dist/stepsecurity-dev-machine-guard.sh.bundle --yes
 
       - name: Upload cosign bundles
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gh release upload "${{ steps.version.outputs.tag }}" \
-            "${{ steps.binaries.outputs.darwin }}.bundle" \
-            "${{ steps.binaries.outputs.win_amd64 }}.bundle" \
-            "${{ steps.binaries.outputs.win_arm64 }}.bundle" \
+          gh release upload "${{ steps.release.outputs.tag }}" \
+            dist/stepsecurity-dev-machine-guard-darwin_unnotarized.bundle \
+            dist/stepsecurity-dev-machine-guard-windows_amd64.exe.bundle \
+            dist/stepsecurity-dev-machine-guard-windows_arm64.exe.bundle \
             dist/stepsecurity-dev-machine-guard.sh.bundle \
             --clobber
 

CHANGELOG.md

@@ -11,12 +11,33 @@ See [VERSIONING.md](VERSIONING.md) for why the version starts at 1.8.1.
 
 ### Added
 
-- **JetBrains IDE detection** (macOS + Windows): IntelliJ IDEA (Ultimate & CE), PyCharm (Professional & CE), WebStorm, GoLand, PhpStorm, CLion, Rider, RubyMine, DataGrip, and Android Studio.
-- **Eclipse IDE detection** (macOS + Windows): Detects standard install paths including Eclipse Installer (`%USERPROFILE%\eclipse\*\eclipse`) and manual installs.
-- **Glob-based Windows path matching**: `detectWindows` now supports wildcard patterns in `WinPaths` for IDEs that embed version numbers in folder names (e.g., `C:\Program Files\JetBrains\GoLand 2025.1.3\`). Picks the newest installation when multiple versions are present.
-- **`product-info.json` version extraction**: Reads the JetBrains `product-info.json` file for accurate marketing version numbers (avoids registry build numbers).
-- **`.eclipseproduct` version extraction**: Reads Eclipse's `.eclipseproduct` properties file for version detection on Windows (Eclipse does not register in the Windows registry).
-- **JetBrains plugin detection** (macOS + Windows): Detects user-installed plugins for all JetBrains IDEs by reading `product-info.json` to resolve the config directory, then scanning the plugins directory. Version extracted from JAR filenames.
+- **Glob-based Windows path matching**: `detectWindows` supports wildcard patterns in `WinPaths` for JetBrains IDEs that embed version numbers in folder names. Picks the newest installation when multiple versions are present.
+- **`product-info.json` version extraction**: Reads JetBrains `product-info.json` for accurate marketing version numbers on Windows (avoids registry build numbers).
+- **`.eclipseproduct` version extraction**: Reads Eclipse's `.eclipseproduct` properties file for version detection on Windows.
+- **JetBrains plugin detection enhancements**: Reads `productVendor` from `product-info.json` for correct config paths (handles Android Studio's `Google` vendor). Checks `idea.plugins.path` override in `idea.properties`.
+
+### Fixed
+
+- **Windows project package scanning**: Added `RunInDir` to Executor interface to bypass `cmd.exe` quote escaping issues. Fixes project-level NPM packages not being collected on Windows.
+
+## [1.10.0] - 2026-04-20
+
+### Added
+
+- Windows support: cross-platform detection for IDEs, extensions, AI tools, frameworks, MCP configs, and Node.js scanning on Windows.
+- Homebrew scanning: detects formulae and casks with raw output capture for enterprise telemetry.
+- Python scanning: detects package managers, global packages, and projects with virtual environments.
+- User-aware executor: commands like `brew`, `pip3`, and `npm` now run in the logged-in user's context when the agent runs as root.
+- IDE plugin detection: JetBrains IDEs, Xcode Source Editor extensions, and Eclipse plugins with bundled/user-installed source tagging.
+- Project-level MCP configuration discovery and filtering.
+- S3 upload retry mechanism with exponential backoff and extended timeout for large payloads.
+- Enhanced user shell resolution for macOS `RunAsUser`.
+
+### Fixed
+
+- Populated missing performance metrics fields (brew formulae/cask counts, Python global packages/project counts).
+- S3 retry logging now includes the actual error value for easier debugging.
+- Retry backoff respects context cancellation during shutdown.
 
 ## [1.9.2] - 2026-04-15
 
@@ -83,6 +104,7 @@ First open-source release. The scanning engine was previously an internal enterp
 - Execution log capture and base64 encoding
 - Instance locking to prevent concurrent runs
 
+[1.10.0]: https://github.com/step-security/dev-machine-guard/compare/v1.9.2...v1.10.0
 [1.9.2]: https://github.com/step-security/dev-machine-guard/compare/v1.9.1...v1.9.2
 [1.9.1]: https://github.com/step-security/dev-machine-guard/compare/v1.9.0...v1.9.1
 [1.9.0]: https://github.com/step-security/dev-machine-guard/compare/v1.8.2...v1.9.0

cmd/stepsecurity-dev-machine-guard/main.go

@@ -34,6 +34,12 @@ func main() {
 	if cfg.EnableNPMScan == nil && config.EnableNPMScan != nil {
 		cfg.EnableNPMScan = config.EnableNPMScan
 	}
+	if cfg.EnableBrewScan == nil && config.EnableBrewScan != nil {
+		cfg.EnableBrewScan = config.EnableBrewScan
+	}
+	if cfg.EnablePythonScan == nil && config.EnablePythonScan != nil {
+		cfg.EnablePythonScan = config.EnablePythonScan
+	}
 	if cfg.ColorMode == "auto" && config.ColorMode != "" {
 		cfg.ColorMode = config.ColorMode
 	}
@@ -60,9 +66,8 @@ func main() {
 	if cfg.OutputFormat == "json" {
 		quiet = true
 	}
-	if cfg.Command == "send-telemetry" || cfg.Command == "install" {
-		quiet = false
-	}
+	// Note: send-telemetry and bare command (auto-detected enterprise) both
+	// respect the same quiet logic — config value wins, default is true.
 	log := progress.NewLogger(quiet)
 
 	switch cfg.Command {

examples/sample-output.json

@@ -1,5 +1,5 @@
 {
-  "agent_version": "1.9.2",
+  "agent_version": "1.10.0",
   "scan_timestamp": 1741305600,
   "scan_timestamp_iso": "2026-03-07T00:00:00Z",
   "device": {
@@ -70,6 +70,13 @@
       "install_path": "/Applications/Claude.app",
       "vendor": "Anthropic",
       "is_installed": true
+    },
+    {
+      "ide_type": "goland",
+      "version": "2024.3.1",
+      "install_path": "/Applications/GoLand.app",
+      "vendor": "JetBrains",
+      "is_installed": true
     }
   ],
   "ide_extensions": [
@@ -126,11 +133,56 @@
     }
   ],
   "node_packages": [],
+  "node_projects": [
+    { "path": "/Users/developer/projects/my-app", "package_manager": "npm" },
+    { "path": "/Users/developer/projects/api-server", "package_manager": "yarn" },
+    { "path": "/Users/developer/projects/frontend", "package_manager": "pnpm" }
+  ],
+  "brew_package_manager": {
+    "name": "homebrew",
+    "version": "4.3.5",
+    "path": "/opt/homebrew/bin/brew"
+  },
+  "brew_formulae": [
+    { "name": "ca-certificates", "version": "2024.2.2" },
+    { "name": "curl", "version": "8.4.0" },
+    { "name": "git", "version": "2.43.0" },
+    { "name": "openssl@3", "version": "3.2.0" }
+  ],
+  "brew_casks": [
+    { "name": "visual-studio-code", "version": "1.85.0" },
+    { "name": "firefox", "version": "120.0" }
+  ],
+  "python_package_managers": [
+    {
+      "name": "python3",
+      "version": "3.12.0",
+      "path": "/usr/local/bin/python3"
+    },
+    {
+      "name": "pip",
+      "version": "24.0",
+      "path": "/usr/local/bin/pip3"
+    }
+  ],
+  "python_packages": [
+    { "name": "requests", "version": "2.31.0" },
+    { "name": "numpy", "version": "1.26.2" },
+    { "name": "pip", "version": "24.0" }
+  ],
+  "python_projects": [
+    { "path": "/Users/developer/projects/ml-pipeline", "package_manager": "poetry" },
+    { "path": "/Users/developer/projects/data-analysis", "package_manager": "pip" },
+    { "path": "/Users/developer/projects/web-scraper", "package_manager": "uv" }
+  ],
   "summary": {
     "ai_agents_and_tools_count": 5,
-    "ide_installations_count": 3,
+    "ide_installations_count": 4,
     "ide_extensions_count": 4,
     "mcp_configs_count": 2,
-    "node_projects_count": 0
+    "node_projects_count": 3,
+    "brew_formulae_count": 42,
+    "brew_casks_count": 15,
+    "python_projects_count": 3
   }
 }

internal/buildinfo/version.go

@@ -3,7 +3,7 @@ package buildinfo
 import "fmt"
 
 const (
-	Version  = "1.9.2"
+	Version  = "1.10.0"
 	AgentURL = "https://github.com/step-security/dev-machine-guard"
 )
 

internal/cli/cli.go

@@ -11,14 +11,16 @@ import (
 
 // Config holds all parsed CLI flags.
 type Config struct {
-	Command         string   // "", "install", "uninstall", "send-telemetry", "configure", "configure show"
-	OutputFormat    string   // "pretty", "json", "html"
-	OutputFormatSet bool     // true if --pretty/--json/--html was explicitly passed (not persisted)
-	HTMLOutputFile  string   // set by --html (not persisted)
-	ColorMode       string   // "auto", "always", "never"
-	Verbose         bool     // --verbose
-	EnableNPMScan   *bool    // nil=auto, true/false=explicit
-	SearchDirs      []string // defaults to ["$HOME"]
+	Command          string   // "", "install", "uninstall", "send-telemetry", "configure", "configure show"
+	OutputFormat     string   // "pretty", "json", "html"
+	OutputFormatSet  bool     // true if --pretty/--json/--html was explicitly passed (not persisted)
+	HTMLOutputFile   string   // set by --html (not persisted)
+	ColorMode        string   // "auto", "always", "never"
+	Verbose          bool     // --verbose
+	EnableNPMScan    *bool    // nil=auto, true/false=explicit
+	EnableBrewScan   *bool    // nil=auto, true/false=explicit
+	EnablePythonScan *bool    // nil=auto, true/false=explicit
+	SearchDirs       []string // defaults to ["$HOME"]
 }
 
 // Parse parses CLI arguments and returns a Config.
@@ -69,6 +71,18 @@ func Parse(args []string) (*Config, error) {
 		case arg == "--disable-npm-scan":
 			v := false
 			cfg.EnableNPMScan = &v
+		case arg == "--enable-brew-scan":
+			v := true
+			cfg.EnableBrewScan = &v
+		case arg == "--disable-brew-scan":
+			v := false
+			cfg.EnableBrewScan = &v
+		case arg == "--enable-python-scan":
+			v := true
+			cfg.EnablePythonScan = &v
+		case arg == "--disable-python-scan":
+			v := false
+			cfg.EnablePythonScan = &v
 		case strings.HasPrefix(arg, "--color="):
 			mode := strings.TrimPrefix(arg, "--color=")
 			if mode != "auto" && mode != "always" && mode != "never" {
@@ -127,12 +141,16 @@ Output formats (community mode, mutually exclusive):
 
 Options:
   --search-dirs DIR [DIR...]  Search DIRs instead of $HOME (replaces default; repeatable)
-  --enable-npm-scan    Enable Node.js package scanning
-  --disable-npm-scan   Disable Node.js package scanning
-  --verbose            Show progress messages (suppressed by default)
-  --color=WHEN         Color mode: auto | always | never (default: auto)
-  -v, --version        Show version
-  -h, --help           Show this help
+  --enable-npm-scan      Enable Node.js package scanning
+  --disable-npm-scan     Disable Node.js package scanning
+  --enable-brew-scan     Enable Homebrew package scanning
+  --disable-brew-scan    Disable Homebrew package scanning
+  --enable-python-scan   Enable Python package scanning
+  --disable-python-scan  Disable Python package scanning
+  --verbose              Show progress messages (suppressed by default)
+  --color=WHEN           Color mode: auto | always | never (default: auto)
+  -v, --version          Show version
+  -h, --help             Show this help
 
 Examples:
   %s                                  # Pretty terminal output