feat(windows): add npm scanning

Signed-off-by: Swarit Pandey <swarit@stepsecurity.io>

Author: swarit-stepsecurity

Makefile

@@ -9,14 +9,17 @@ LDFLAGS := -s -w \
 	-X $(MODULE)/internal/buildinfo.ReleaseTag=$(TAG) \
 	-X $(MODULE)/internal/buildinfo.ReleaseBranch=$(BRANCH)
 
-.PHONY: build build-windows test lint clean smoke
+.PHONY: build build-windows deploy-windows test lint clean smoke
 
 build:
 	go build -trimpath -ldflags "$(LDFLAGS)" -o $(BINARY) ./cmd/stepsecurity-dev-machine-guard
 
 build-windows:
 	GOOS=windows GOARCH=amd64 go build -trimpath -ldflags "$(LDFLAGS)" -o $(BINARY).exe ./cmd/stepsecurity-dev-machine-guard
 
+deploy-windows:
+	@bash scripts/deploy-windows.sh $(DEPLOY_ARGS)
+
 test:
 	go test ./... -v -race -count=1
 

cmd/stepsecurity-dev-machine-guard/stepsecurity-dev-machine-guard

@@ -157,12 +157,25 @@ func (d *AICLIDetector) getVersion(ctx context.Context, spec cliToolSpec, binary
 	if len(lines) > 0 {
 		v := strings.TrimSpace(lines[0])
 		if v != "" {
-			return v
+			return cleanVersionString(v)
 		}
 	}
 	return "unknown"
 }
 
+// cleanVersionString strips a leading tool name prefix from version output.
+// e.g. "codex-cli 0.118.0" -> "0.118.0", "aider 0.86.2" -> "0.86.2"
+func cleanVersionString(v string) string {
+	parts := strings.Fields(v)
+	for _, p := range parts {
+		trimmed := strings.TrimLeft(p, "v")
+		if len(trimmed) > 0 && trimmed[0] >= '0' && trimmed[0] <= '9' {
+			return p
+		}
+	}
+	return v
+}
+
 func (d *AICLIDetector) findConfigDir(spec cliToolSpec, homeDir string) string {
 	for _, dir := range spec.ConfigDirs {
 		expanded := expandTilde(dir, homeDir)

internal/detector/aicli.go

@@ -2,6 +2,7 @@ package detector
 
 import (
 	"context"
+	"path/filepath"
 	"testing"
 
 	"github.com/step-security/dev-machine-guard/internal/executor"
@@ -51,6 +52,58 @@ func TestNodePMDetector_NoneFound(t *testing.T) {
 	}
 }
 
+func TestNodePMDetector_Windows_FindsNPM(t *testing.T) {
+	mock := executor.NewMock()
+	mock.SetGOOS("windows")
+	mock.SetPath("npm", `C:\Program Files\nodejs\npm.cmd`)
+	mock.SetCommand("10.2.0\n", "", 0, "npm", "--version")
+
+	det := NewNodePMDetector(mock)
+	results := det.DetectManagers(context.Background())
+
+	if len(results) < 1 {
+		t.Fatal("expected at least 1 package manager on Windows")
+	}
+	if results[0].Name != "npm" {
+		t.Errorf("expected npm, got %s", results[0].Name)
+	}
+	if results[0].Version != "10.2.0" {
+		t.Errorf("expected 10.2.0, got %s", results[0].Version)
+	}
+	if results[0].Path != `C:\Program Files\nodejs\npm.cmd` {
+		t.Errorf("expected Windows path, got %s", results[0].Path)
+	}
+}
+
+func TestDetectProjectPM_Windows(t *testing.T) {
+	// Note: filepath.Join is host-OS dependent; on macOS it uses "/" even for
+	// Windows-style project dirs. We use filepath.Join here to match what
+	// DetectProjectPM produces internally.
+	projectDir := `C:\Users\dev\myapp`
+	tests := []struct {
+		name     string
+		lockFile string
+		expected string
+	}{
+		{"npm lock", "package-lock.json", "npm"},
+		{"yarn lock", "yarn.lock", "yarn"},
+		{"pnpm lock", "pnpm-lock.yaml", "pnpm"},
+		{"bun lock", "bun.lock", "bun"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mock := executor.NewMock()
+			mock.SetGOOS("windows")
+			mock.SetFile(filepath.Join(projectDir, tt.lockFile), []byte{})
+			got := DetectProjectPM(mock, projectDir)
+			if got != tt.expected {
+				t.Errorf("expected %s, got %s", tt.expected, got)
+			}
+		})
+	}
+}
+
 func TestDetectProjectPM(t *testing.T) {
 	tests := []struct {
 		name     string

internal/detector/nodepm_test.go

@@ -190,7 +190,7 @@ func (s *NodeScanner) ScanProjects(ctx context.Context, searchDirs []string) []m
 				return nil
 			}
 			projectDir := filepath.Dir(path)
-			if strings.Contains(projectDir, "/node_modules/") {
+			if isInsideNodeModules(projectDir) {
 				return nil
 			}
 			// Get modification time for sorting
@@ -322,3 +322,11 @@ func (s *NodeScanner) getOutput(ctx context.Context, binary string, args ...stri
 	}
 	return strings.TrimSpace(stdout)
 }
+
+// isInsideNodeModules returns true if the path contains a node_modules component.
+// Uses strings.ReplaceAll instead of filepath.ToSlash so the check works
+// regardless of the host OS (important for cross-platform mock tests).
+func isInsideNodeModules(projectDir string) bool {
+	normalized := strings.ReplaceAll(projectDir, "\\", "/")
+	return strings.Contains(normalized, "/node_modules/")
+}

internal/detector/nodescan.go

@@ -0,0 +1,244 @@
+package detector
+
+import (
+	"context"
+	"encoding/base64"
+	"path/filepath"
+	"testing"
+
+	"github.com/step-security/dev-machine-guard/internal/executor"
+	"github.com/step-security/dev-machine-guard/internal/progress"
+)
+
+func newTestScanner(exec *executor.Mock) *NodeScanner {
+	log := progress.NewLogger(false)
+	return NewNodeScanner(exec, log)
+}
+
+func TestNodeScanner_ScanNPMGlobal(t *testing.T) {
+	mock := executor.NewMock()
+	mock.SetPath("npm", "/usr/local/bin/npm")
+	mock.SetCommand("10.2.0\n", "", 0, "npm", "--version")
+	mock.SetCommand("/usr/local\n", "", 0, "npm", "config", "get", "prefix")
+	mock.SetCommand(`{"dependencies":{"express":{"version":"4.18.2"}}}`, "", 0, "npm", "list", "-g", "--json", "--depth=3")
+
+	scanner := newTestScanner(mock)
+	results := scanner.ScanGlobalPackages(context.Background())
+
+	npmFound := false
+	for _, r := range results {
+		if r.PackageManager == "npm" {
+			npmFound = true
+			if r.ProjectPath != "/usr/local" {
+				t.Errorf("expected ProjectPath /usr/local, got %s", r.ProjectPath)
+			}
+			if r.PMVersion != "10.2.0" {
+				t.Errorf("expected PMVersion 10.2.0, got %s", r.PMVersion)
+			}
+			if r.ExitCode != 0 {
+				t.Errorf("expected ExitCode 0, got %d", r.ExitCode)
+			}
+			decoded, _ := base64.StdEncoding.DecodeString(r.RawStdoutBase64)
+			if len(decoded) == 0 {
+				t.Error("expected non-empty RawStdoutBase64")
+			}
+		}
+	}
+	if !npmFound {
+		t.Fatal("expected npm in global scan results")
+	}
+}
+
+func TestNodeScanner_ScanNPMGlobal_Windows(t *testing.T) {
+	mock := executor.NewMock()
+	mock.SetGOOS("windows")
+	mock.SetPath("npm", `C:\Program Files\nodejs\npm.cmd`)
+	mock.SetCommand("10.2.0\n", "", 0, "npm", "--version")
+	// npm config get prefix returns a Windows-style path on real Windows.
+	// The code stores it directly (no filepath.* processing), so the mock
+	// value flows through unchanged.
+	mock.SetCommand(`C:\Users\dev\AppData\Roaming\npm`+"\n", "", 0, "npm", "config", "get", "prefix")
+	mock.SetCommand(`{"dependencies":{"express":{"version":"4.18.2"}}}`, "", 0, "npm", "list", "-g", "--json", "--depth=3")
+
+	scanner := newTestScanner(mock)
+	results := scanner.ScanGlobalPackages(context.Background())
+
+	npmFound := false
+	for _, r := range results {
+		if r.PackageManager == "npm" {
+			npmFound = true
+			if r.ProjectPath != `C:\Users\dev\AppData\Roaming\npm` {
+				t.Errorf("expected Windows npm prefix, got %s", r.ProjectPath)
+			}
+			if r.PMVersion != "10.2.0" {
+				t.Errorf("expected PMVersion 10.2.0, got %s", r.PMVersion)
+			}
+			if r.ExitCode != 0 {
+				t.Errorf("expected ExitCode 0, got %d", r.ExitCode)
+			}
+		}
+	}
+	if !npmFound {
+		t.Fatal("expected npm in global scan results on Windows")
+	}
+}
+
+func TestNodeScanner_ScanYarnGlobal_Windows(t *testing.T) {
+	mock := executor.NewMock()
+	mock.SetGOOS("windows")
+	mock.SetPath("yarn", `C:\Program Files\nodejs\yarn.cmd`)
+	mock.SetCommand("1.22.19\n", "", 0, "yarn", "--version")
+	mock.SetCommand(`C:\Users\dev\AppData\Local\Yarn\Data\global`+"\n", "", 0, "yarn", "global", "dir")
+	// runShellCmd dispatches to cmd /c on Windows; platformShellQuote uses double quotes
+	mock.SetCommand(`{"type":"tree","data":{"trees":[]}}`, "", 0,
+		"cmd", "/c", `cd "C:\Users\dev\AppData\Local\Yarn\Data\global" && yarn list --json --depth=0`)
+
+	scanner := newTestScanner(mock)
+	results := scanner.ScanGlobalPackages(context.Background())
+
+	yarnFound := false
+	for _, r := range results {
+		if r.PackageManager == "yarn" {
+			yarnFound = true
+			if r.ProjectPath != `C:\Users\dev\AppData\Local\Yarn\Data\global` {
+				t.Errorf("expected Windows yarn global dir, got %s", r.ProjectPath)
+			}
+			if r.PMVersion != "1.22.19" {
+				t.Errorf("expected PMVersion 1.22.19, got %s", r.PMVersion)
+			}
+		}
+	}
+	if !yarnFound {
+		t.Fatal("expected yarn in global scan results on Windows")
+	}
+}
+
+func TestNodeScanner_ScanPnpmGlobal_Windows(t *testing.T) {
+	mock := executor.NewMock()
+	mock.SetGOOS("windows")
+	mock.SetPath("pnpm", `C:\Users\dev\AppData\Local\pnpm\pnpm.cmd`)
+	mock.SetCommand("9.1.0\n", "", 0, "pnpm", "--version")
+	// pnpm root -g returns the global node_modules dir. The code calls
+	// filepath.Dir on it. Since filepath.Dir is host-OS dependent, we use
+	// forward slashes here so the test works on macOS hosts too.
+	mock.SetCommand("C:/Users/dev/AppData/Local/pnpm/global/5/node_modules\n", "", 0, "pnpm", "root", "-g")
+	mock.SetCommand(`{"dependencies":{"typescript":{"version":"5.4.0"}}}`, "", 0, "pnpm", "list", "-g", "--json", "--depth=3")
+
+	scanner := newTestScanner(mock)
+	results := scanner.ScanGlobalPackages(context.Background())
+
+	pnpmFound := false
+	for _, r := range results {
+		if r.PackageManager == "pnpm" {
+			pnpmFound = true
+			// filepath.Dir strips the last component (node_modules)
+			expected := "C:/Users/dev/AppData/Local/pnpm/global/5"
+			if r.ProjectPath != expected {
+				t.Errorf("expected ProjectPath %s, got %s", expected, r.ProjectPath)
+			}
+			if r.PMVersion != "9.1.0" {
+				t.Errorf("expected PMVersion 9.1.0, got %s", r.PMVersion)
+			}
+		}
+	}
+	if !pnpmFound {
+		t.Fatal("expected pnpm in global scan results on Windows")
+	}
+}
+
+func TestNodeScanner_ScanProject_Windows(t *testing.T) {
+	mock := executor.NewMock()
+	mock.SetGOOS("windows")
+	mock.SetPath("npm", `C:\Program Files\nodejs\npm.cmd`)
+	mock.SetCommand("10.2.0\n", "", 0, "npm", "--version")
+	// DetectProjectPM uses filepath.Join which is host-dependent;
+	// construct the mock file path the same way the code will.
+	mock.SetFile(filepath.Join(`C:\Users\dev\myapp`, "package-lock.json"), []byte{})
+	mock.SetCommand(`{"dependencies":{"lodash":{"version":"4.17.21"}}}`, "", 0,
+		"cmd", "/c", `cd "C:\Users\dev\myapp" && npm ls --json --depth=3`)
+
+	scanner := newTestScanner(mock)
+	result := scanner.scanProject(context.Background(), `C:\Users\dev\myapp`)
+
+	if result.PackageManager != "npm" {
+		t.Errorf("expected npm, got %s", result.PackageManager)
+	}
+	if result.ProjectPath != `C:\Users\dev\myapp` {
+		t.Errorf("expected project path C:\\Users\\dev\\myapp, got %s", result.ProjectPath)
+	}
+	if result.ExitCode != 0 {
+		t.Errorf("expected ExitCode 0, got %d", result.ExitCode)
+	}
+	if result.PMVersion != "10.2.0" {
+		t.Errorf("expected PMVersion 10.2.0, got %s", result.PMVersion)
+	}
+	decoded, _ := base64.StdEncoding.DecodeString(result.RawStdoutBase64)
+	if len(decoded) == 0 {
+		t.Error("expected non-empty RawStdoutBase64")
+	}
+}
+
+func TestNodeScanner_ScanProject_YarnBerry_Windows(t *testing.T) {
+	mock := executor.NewMock()
+	mock.SetGOOS("windows")
+	mock.SetPath("yarn", `C:\Program Files\nodejs\yarn.cmd`)
+	mock.SetCommand("4.1.0\n", "", 0, "yarn", "--version")
+	// Use filepath.Join to construct mock file paths matching the code's behavior.
+	projectDir := `C:\Users\dev\myapp`
+	mock.SetFile(filepath.Join(projectDir, "yarn.lock"), []byte{})
+	mock.SetFile(filepath.Join(projectDir, ".yarnrc.yml"), []byte{})
+	mock.SetCommand(`{"name":"myapp","children":[]}`, "", 0,
+		"cmd", "/c", `cd "C:\Users\dev\myapp" && yarn info --all --json`)
+
+	scanner := newTestScanner(mock)
+	result := scanner.scanProject(context.Background(), projectDir)
+
+	if result.PackageManager != "yarn-berry" {
+		t.Errorf("expected yarn-berry, got %s", result.PackageManager)
+	}
+	if result.PMVersion != "4.1.0" {
+		t.Errorf("expected PMVersion 4.1.0, got %s", result.PMVersion)
+	}
+	if result.ExitCode != 0 {
+		t.Errorf("expected ExitCode 0, got %d", result.ExitCode)
+	}
+}
+
+func TestNodeScanner_ScanGlobalPackages_NoneInstalled(t *testing.T) {
+	mock := executor.NewMock()
+	scanner := newTestScanner(mock)
+	results := scanner.ScanGlobalPackages(context.Background())
+
+	if len(results) != 0 {
+		t.Errorf("expected 0 results when no PMs installed, got %d", len(results))
+	}
+}
+
+func TestIsInsideNodeModules(t *testing.T) {
+	tests := []struct {
+		path string
+		want bool
+	}{
+		// Unix-style paths
+		{"/Users/dev/node_modules/foo", true},
+		{"/Users/dev/myapp", false},
+		{"/Users/dev/node_modules_backup/foo", false},
+		{"/node_modules/", true},
+		// Windows-style paths (backslashes)
+		{`C:\Users\dev\node_modules\foo`, true},
+		{`C:\Users\dev\myapp`, false},
+		{`C:\node_modules\pkg`, true},
+		{`\node_modules\`, true},
+		// Edge cases
+		{"node_modules", false},
+		{"", false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.path, func(t *testing.T) {
+			got := isInsideNodeModules(tt.path)
+			if got != tt.want {
+				t.Errorf("isInsideNodeModules(%q) = %v, want %v", tt.path, got, tt.want)
+			}
+		})
+	}
+}

internal/detector/nodescan_test.go

@@ -169,7 +169,7 @@ const htmlTemplate = `<!DOCTYPE html>
 <div class="device-grid">
   <div class="field"><span class="field-label">Hostname</span><span class="field-value">{{.Device.Hostname}}</span></div>
   <div class="field"><span class="field-label">Serial</span><span class="field-value">{{.Device.SerialNumber}}</span></div>
-  <div class="field"><span class="field-label">macOS</span><span class="field-value">{{.Device.OSVersion}}</span></div>
+  <div class="field"><span class="field-label">{{if eq .Device.Platform "windows"}}Windows{{else}}macOS{{end}}</span><span class="field-value">{{.Device.OSVersion}}</span></div>
   <div class="field"><span class="field-label">User</span><span class="field-value">{{.Device.UserIdentity}}</span></div>
 </div>