First commit

Author: ashishkurmi

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,58 @@
+name: Bug Report
+description: Report a bug in StepSecurity Dev Machine Guard
+title: "[Bug]: "
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to report a bug! Please fill out the information below.
+  - type: input
+    id: version
+    attributes:
+      label: Script Version
+      description: "Run: ./stepsecurity-dev-machine-guard.sh --version"
+      placeholder: "1.8.1"
+    validations:
+      required: true
+  - type: input
+    id: macos-version
+    attributes:
+      label: macOS Version
+      description: "Run: sw_vers -productVersion"
+      placeholder: "15.2"
+    validations:
+      required: true
+  - type: input
+    id: command
+    attributes:
+      label: Command Run
+      description: The exact command you ran
+      placeholder: "./stepsecurity-dev-machine-guard.sh --json"
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected Behavior
+      description: What you expected to happen
+    validations:
+      required: true
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual Behavior
+      description: What actually happened
+    validations:
+      required: true
+  - type: textarea
+    id: output
+    attributes:
+      label: Output / Error Messages
+      description: Paste relevant output (use --verbose for more detail)
+      render: shell
+  - type: textarea
+    id: additional
+    attributes:
+      label: Additional Context
+      description: Any other context about the problem

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,33 @@
+name: Feature Request
+description: Suggest a new feature for StepSecurity Dev Machine Guard
+title: "[Feature]: "
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for suggesting a feature! Please describe your idea below.
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem Description
+      description: What problem does this feature solve?
+    validations:
+      required: true
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed Solution
+      description: How would you like this to work?
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives Considered
+      description: Any alternative approaches you've considered?
+  - type: textarea
+    id: additional
+    attributes:
+      label: Additional Context
+      description: Any other context, screenshots, or examples

.github/pull_request_template.md

@@ -0,0 +1,21 @@
+## What does this PR do?
+
+<!-- Brief description of the changes -->
+
+## Type of change
+
+- [ ] Bug fix
+- [ ] Enhancement
+- [ ] Documentation
+
+## Testing
+
+- [ ] Tested on macOS (version: ___)
+- [ ] Script runs without errors: `./stepsecurity-dev-machine-guard.sh --verbose`
+- [ ] JSON output is valid: `./stepsecurity-dev-machine-guard.sh --json | python3 -m json.tool`
+- [ ] No secrets or credentials included
+- [ ] ShellCheck passes (if script was modified)
+
+## Related Issues
+
+<!-- Link any related issues: Fixes #123, Closes #456 -->

.github/workflows/release.yml

@@ -0,0 +1,91 @@
+name: Release
+
+on:
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  release:
+    name: Build, Sign & Release
+    runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      contents: write       # create tag, release, and upload assets
+      id-token: write       # Sigstore OIDC keyless signing
+      attestations: write   # SLSA build provenance
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Extract version from script
+        id: version
+        run: |
+          version=$(grep -m1 '^AGENT_VERSION=' stepsecurity-dev-machine-guard.sh | sed 's/AGENT_VERSION="//;s/"//')
+          if [ -z "$version" ]; then
+            echo "::error::Could not extract AGENT_VERSION from script"
+            exit 1
+          fi
+          tag="v${version}"
+          echo "version=${version}" >> "$GITHUB_OUTPUT"
+          echo "tag=${tag}" >> "$GITHUB_OUTPUT"
+          echo "Detected version: ${version} (tag: ${tag})"
+
+      - name: Check tag does not already exist
+        run: |
+          if git rev-parse "refs/tags/${{ steps.version.outputs.tag }}" >/dev/null 2>&1; then
+            echo "::error::Tag ${{ steps.version.outputs.tag }} already exists. Bump AGENT_VERSION in the script before releasing."
+            exit 1
+          fi
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+      - name: Sign script with Sigstore (keyless)
+        run: |
+          cosign sign-blob stepsecurity-dev-machine-guard.sh \
+            --bundle stepsecurity-dev-machine-guard.sh.bundle \
+            --yes
+
+      - name: Verify signature
+        run: |
+          cosign verify-blob stepsecurity-dev-machine-guard.sh \
+            --bundle stepsecurity-dev-machine-guard.sh.bundle \
+            --certificate-identity-regexp "github.com/step-security/dev-machine-guard" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+
+      - name: Generate checksums
+        run: |
+          sha256sum stepsecurity-dev-machine-guard.sh > checksums.txt
+          sha256sum stepsecurity-dev-machine-guard.sh.bundle >> checksums.txt
+          echo "Checksums:"
+          cat checksums.txt
+
+      - name: Create tag
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git tag -a "${{ steps.version.outputs.tag }}" -m "Release ${{ steps.version.outputs.tag }}"
+          git push origin "${{ steps.version.outputs.tag }}"
+
+      - name: Create GitHub Release
+        uses: step-security/action-gh-release@d45511d7589f080cf54961ff056b9705a74fd160 # v2.5.0
+        with:
+          tag_name: ${{ steps.version.outputs.tag }}
+          name: ${{ steps.version.outputs.tag }}
+          generate_release_notes: true
+          files: |
+            stepsecurity-dev-machine-guard.sh
+            stepsecurity-dev-machine-guard.sh.bundle
+            checksums.txt
+
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        with:
+          subject-path: stepsecurity-dev-machine-guard.sh

.github/workflows/shellcheck.yml

@@ -0,0 +1,42 @@
+name: ShellCheck
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - '*.sh'
+  pull_request:
+    branches: [main]
+    paths:
+      - '*.sh'
+
+permissions: {}
+
+jobs:
+  shellcheck:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+    name: ShellCheck
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
+        env:
+          # SC2155: "Declare and assign separately" - suppressed because the script
+          #   uses `local var=$(...)` extensively for readability. The exit codes from
+          #   these assignments are intentionally not checked (failures are handled
+          #   by downstream empty-string checks instead).
+          # SC2034: "Variable appears unused" - suppressed because detection arrays
+          #   and config variables are read via IFS splitting and indirect expansion,
+          #   which ShellCheck cannot trace.
+          SHELLCHECK_OPTS: '--exclude=SC2155,SC2034'
+        with:
+          scandir: '.'
+          severity: warning

.github/workflows/test.yml

@@ -0,0 +1,32 @@
+name: Smoke Tests
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - '*.sh'
+      - 'tests/**'
+  pull_request:
+    branches: [main]
+    paths:
+      - '*.sh'
+      - 'tests/**'
+
+permissions: {}
+
+jobs:
+  smoke-tests:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+    name: Smoke Tests
+    runs-on: macos-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - name: Run smoke tests
+        run: bash tests/test_smoke.sh

.gitignore

@@ -0,0 +1,21 @@
+# macOS
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Editor files
+*.swp
+*.swo
+*~
+.vscode/
+.idea/
+.claude/
+
+# Output files
+*.log
+*.html
+!docs/**/*.html
+!images/**/*.html
+
+# Temporary files
+todo-remove/

CHANGELOG.md

@@ -0,0 +1,39 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+See [VERSIONING.md](VERSIONING.md) for why the version starts at 1.8.1.
+
+## [1.8.1] - 2026-03-10
+
+First open-source release. The scanning engine was previously an internal enterprise tool (v1.0.0-v1.8.1) running in production. This release adds community mode for local-only scanning while keeping the enterprise codebase intact.
+
+### Added
+- **Community mode** with three output formats: pretty terminal, JSON, and HTML report
+- **AI agent and CLI tool detection**: Claude Code, Codex, Gemini CLI, Kiro, Aider, OpenCode, and more
+- **General-purpose AI agent detection**: OpenClaw, ClawdBot, GPT-Engineer, Claude Cowork
+- **AI framework detection**: Ollama, LM Studio, LocalAI, Text Generation WebUI
+- **MCP server config auditing** across Claude Desktop, Claude Code, Cursor, Windsurf, Antigravity, Zed, Open Interpreter, and Codex
+- **IDE extension scanning** for VS Code and Cursor (with publisher, version, and install date)
+- **Node.js package scanning** for npm, yarn, pnpm, and bun (opt-in in community mode)
+- CLI flags: `--pretty`, `--json`, `--html FILE`, `--verbose`, `--enable-npm-scan`, `--color=WHEN`
+- Documentation: community mode guide, enterprise mode guide, MCP audit guide, adding detections guide, reading scan results guide
+- GitHub issue templates for bugs, feature requests, and new detections
+- ShellCheck CI workflow with Harden-Runner
+
+### Changed
+- Enterprise config variables are now clearly labeled and placed below the community-facing header
+- Progress messages suppressed by default in community mode (enable with `--verbose`)
+- Node.js scanning off by default in community mode (enable with `--enable-npm-scan`)
+
+### Enterprise (unchanged from v1.8.1)
+- `install`, `uninstall`, and `send-telemetry` commands
+- Launchd scheduling (LaunchDaemon for root, LaunchAgent for user)
+- S3 presigned URL upload with backend notification
+- Execution log capture and base64 encoding
+- Instance locking to prevent concurrent runs
+
+[1.8.1]: https://github.com/step-security/dev-machine-guard/releases/tag/v1.8.1