feat(windows): add scheduled tasks

Signed-off-by: Swarit Pandey <swarit@stepsecurity.io>

Author: swarit-stepsecurity

cmd/stepsecurity-dev-machine-guard/main.go

@@ -12,6 +12,7 @@ import (
 	"github.com/step-security/dev-machine-guard/internal/launchd"
 	"github.com/step-security/dev-machine-guard/internal/progress"
 	"github.com/step-security/dev-machine-guard/internal/scan"
+	"github.com/step-security/dev-machine-guard/internal/schtasks"
 	"github.com/step-security/dev-machine-guard/internal/telemetry"
 )
 
@@ -85,17 +86,20 @@ func main() {
 
 	case "install":
 		_, _ = fmt.Fprintf(os.Stdout, "StepSecurity Dev Machine Guard v%s\n\n", buildinfo.Version)
-		if runtime.GOOS == "windows" {
-			log.Error("Scheduled scanning is not yet supported on Windows. Use the scan command directly.")
-			os.Exit(1)
-		}
 		if !config.IsEnterpriseMode() {
 			log.Error("Enterprise configuration not found. Run '%s configure' or download the script from your StepSecurity dashboard.", os.Args[0])
 			os.Exit(1)
 		}
-		if err := launchd.Install(exec, log); err != nil {
-			log.Error("%v", err)
-			os.Exit(1)
+		if runtime.GOOS == "windows" {
+			if err := schtasks.Install(exec, log); err != nil {
+				log.Error("%v", err)
+				os.Exit(1)
+			}
+		} else {
+			if err := launchd.Install(exec, log); err != nil {
+				log.Error("%v", err)
+				os.Exit(1)
+			}
 		}
 		log.Progress("Sending initial telemetry...")
 		fmt.Println()
@@ -107,12 +111,15 @@ func main() {
 	case "uninstall":
 		_, _ = fmt.Fprintf(os.Stdout, "StepSecurity Dev Machine Guard v%s\n\n", buildinfo.Version)
 		if runtime.GOOS == "windows" {
-			log.Error("Scheduled scanning is not yet supported on Windows. Use the scan command directly.")
-			os.Exit(1)
-		}
-		if err := launchd.Uninstall(exec, log); err != nil {
-			log.Error("%v", err)
-			os.Exit(1)
+			if err := schtasks.Uninstall(exec, log); err != nil {
+				log.Error("%v", err)
+				os.Exit(1)
+			}
+		} else {
+			if err := launchd.Uninstall(exec, log); err != nil {
+				log.Error("%v", err)
+				os.Exit(1)
+			}
 		}
 
 	default:

internal/cli/cli.go

@@ -116,8 +116,8 @@ Usage: %s [COMMAND] [OPTIONS]
 Commands:
   configure            Configure enterprise settings and search directories
   configure show       Show current configuration
-  install              Install launchd for periodic scanning (enterprise)
-  uninstall            Remove launchd configuration (enterprise)
+  install              Install scheduled scanning (enterprise)
+  uninstall            Remove scheduled scanning (enterprise)
   send-telemetry       Upload scan results to the StepSecurity dashboard (enterprise)
 
 Output formats (community mode, mutually exclusive):

internal/schtasks/schtasks.go

@@ -0,0 +1,107 @@
+package schtasks
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strconv"
+
+	"github.com/step-security/dev-machine-guard/internal/config"
+	"github.com/step-security/dev-machine-guard/internal/executor"
+	"github.com/step-security/dev-machine-guard/internal/progress"
+)
+
+const taskName = "StepSecurity Agent"
+
+// Install configures Windows Task Scheduler for periodic scanning.
+// If already installed, upgrades by removing and re-creating the task.
+func Install(exec executor.Executor, log *progress.Logger) error {
+	ctx := context.Background()
+
+	// Check for existing installation and upgrade
+	if isConfigured(ctx, exec) {
+		log.Progress("Existing agent installation detected. Upgrading...")
+		if err := doUninstall(ctx, exec, log); err != nil {
+			log.Progress("Warning: failed to remove previous installation: %v", err)
+		}
+		log.Progress("Previous installation removed. Installing new version...")
+	}
+
+	binaryPath, err := os.Executable()
+	if err != nil {
+		return fmt.Errorf("determining binary path: %w", err)
+	}
+
+	hours, _ := strconv.Atoi(config.ScanFrequencyHours)
+	if hours <= 0 {
+		hours = 4
+	}
+
+	logDir := resolveLogDir(exec)
+	if err := os.MkdirAll(logDir, 0o755); err != nil {
+		return fmt.Errorf("creating log directory: %w", err)
+	}
+
+	// Build the task command with output redirection
+	taskCmd := fmt.Sprintf(`cmd /c "\"%s\" send-telemetry >> \"%s\agent.log\" 2>> \"%s\agent.error.log\""`,
+		binaryPath, logDir, logDir)
+
+	// Build schtasks arguments
+	args := []string{"/create", "/tn", taskName, "/tr", taskCmd,
+		"/sc", "HOURLY", "/mo", strconv.Itoa(hours), "/f"}
+	if exec.IsRoot() {
+		args = append(args, "/ru", "SYSTEM")
+	}
+
+	_, stderr, exitCode, err := exec.Run(ctx, "schtasks", args...)
+	if err != nil || exitCode != 0 {
+		return fmt.Errorf("failed to create scheduled task: %s", stderr)
+	}
+
+	log.Progress("Windows Task Scheduler configuration completed successfully")
+	log.Progress("  Task: %s", taskName)
+	log.Progress("  Logs: %s\\agent.log", logDir)
+	log.Progress("Installation complete!")
+	log.Progress("The agent will now run automatically every %d hours", hours)
+
+	return nil
+}
+
+// Uninstall removes the scheduled task.
+func Uninstall(exec executor.Executor, log *progress.Logger) error {
+	ctx := context.Background()
+
+	if !isConfigured(ctx, exec) {
+		log.Progress("Agent is not currently configured for periodic execution")
+		return nil
+	}
+
+	return doUninstall(ctx, exec, log)
+}
+
+func doUninstall(ctx context.Context, exec executor.Executor, log *progress.Logger) error {
+	_, stderr, exitCode, err := exec.Run(ctx, "schtasks", "/delete", "/tn", taskName, "/f")
+	if err != nil || exitCode != 0 {
+		return fmt.Errorf("failed to delete scheduled task: %s", stderr)
+	}
+
+	log.Progress("Removed scheduled task: %s", taskName)
+	log.Progress("Windows Task Scheduler configuration removed successfully")
+	return nil
+}
+
+func isConfigured(ctx context.Context, exec executor.Executor) bool {
+	_, _, exitCode, _ := exec.Run(ctx, "schtasks", "/query", "/tn", taskName)
+	return exitCode == 0
+}
+
+func resolveLogDir(exec executor.Executor) string {
+	if exec.IsRoot() {
+		return `C:\ProgramData\StepSecurity`
+	}
+	homeDir, _ := exec.CurrentUser()
+	if homeDir != nil {
+		return homeDir.HomeDir + `\.stepsecurity`
+	}
+	return `C:\ProgramData\StepSecurity`
+}

internal/schtasks/schtasks_test.go

@@ -0,0 +1,118 @@
+package schtasks
+
+import (
+	"context"
+	"testing"
+
+	"github.com/step-security/dev-machine-guard/internal/config"
+	"github.com/step-security/dev-machine-guard/internal/executor"
+	"github.com/step-security/dev-machine-guard/internal/progress"
+)
+
+func newTestLogger() *progress.Logger {
+	return progress.NewLogger(false)
+}
+
+func TestIsConfigured_True(t *testing.T) {
+	mock := executor.NewMock()
+	mock.SetGOOS("windows")
+	mock.SetCommand("", "", 0, "schtasks", "/query", "/tn", taskName)
+
+	got := isConfigured(context.Background(), mock)
+	if !got {
+		t.Error("expected isConfigured to return true when task exists")
+	}
+}
+
+func TestIsConfigured_False(t *testing.T) {
+	mock := executor.NewMock()
+	mock.SetGOOS("windows")
+	mock.SetCommand("", "ERROR: The system cannot find the path specified.", 1, "schtasks", "/query", "/tn", taskName)
+
+	got := isConfigured(context.Background(), mock)
+	if got {
+		t.Error("expected isConfigured to return false when task does not exist")
+	}
+}
+
+func TestUninstall_Configured(t *testing.T) {
+	mock := executor.NewMock()
+	mock.SetGOOS("windows")
+	mock.SetCommand("", "", 0, "schtasks", "/query", "/tn", taskName)
+	mock.SetCommand("SUCCESS: The scheduled task was successfully deleted.", "", 0, "schtasks", "/delete", "/tn", taskName, "/f")
+
+	err := Uninstall(mock, newTestLogger())
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+}
+
+func TestUninstall_NotConfigured(t *testing.T) {
+	mock := executor.NewMock()
+	mock.SetGOOS("windows")
+	mock.SetCommand("", "ERROR: The system cannot find the path specified.", 1, "schtasks", "/query", "/tn", taskName)
+
+	err := Uninstall(mock, newTestLogger())
+	if err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+}
+
+func TestInstall_CreateFails(t *testing.T) {
+	mock := executor.NewMock()
+	mock.SetGOOS("windows")
+	mock.SetHomeDir(`C:\Users\testuser`)
+	// Task doesn't exist
+	mock.SetCommand("", "ERROR: The system cannot find the path specified.", 1, "schtasks", "/query", "/tn", taskName)
+
+	// Note: Install calls os.Executable() and os.MkdirAll() which we can't mock,
+	// but the schtasks /create will fail because we haven't stubbed it.
+	err := Install(mock, newTestLogger())
+	if err == nil {
+		t.Fatal("expected error when schtasks /create is not stubbed")
+	}
+}
+
+func TestResolveLogDir_NonAdmin(t *testing.T) {
+	mock := executor.NewMock()
+	mock.SetGOOS("windows")
+	mock.SetIsRoot(false)
+	mock.SetHomeDir(`C:\Users\testuser`)
+
+	dir := resolveLogDir(mock)
+	expected := `C:\Users\testuser\.stepsecurity`
+	if dir != expected {
+		t.Errorf("expected %s, got %s", expected, dir)
+	}
+}
+
+func TestResolveLogDir_Admin(t *testing.T) {
+	mock := executor.NewMock()
+	mock.SetGOOS("windows")
+	mock.SetIsRoot(true)
+
+	dir := resolveLogDir(mock)
+	expected := `C:\ProgramData\StepSecurity`
+	if dir != expected {
+		t.Errorf("expected %s, got %s", expected, dir)
+	}
+}
+
+func TestInstall_CustomFrequency(t *testing.T) {
+	origFreq := config.ScanFrequencyHours
+	t.Cleanup(func() { config.ScanFrequencyHours = origFreq })
+	config.ScanFrequencyHours = "6"
+
+	mock := executor.NewMock()
+	mock.SetGOOS("windows")
+	mock.SetIsRoot(false)
+	mock.SetHomeDir(`C:\Users\testuser`)
+	// Task doesn't exist
+	mock.SetCommand("", "ERROR: not found", 1, "schtasks", "/query", "/tn", taskName)
+
+	// Install will fail at os.Executable or schtasks create, but we're testing
+	// that the frequency is parsed correctly via the resolveLogDir and config paths.
+	// A full integration test requires the real binary on Windows.
+	_ = Install(mock, newTestLogger())
+	// If we got past the config parsing without panic, the frequency was handled correctly.
+}