chore(mdm): update docs & address minor issues

Author: shubham-stepsecurity

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -10,9 +10,9 @@ body:
   - type: input
     id: version
     attributes:
-      label: Script Version
-      description: "Run: ./stepsecurity-dev-machine-guard.sh --version"
-      placeholder: "1.8.1"
+      label: Version
+      description: "Run: ./stepsecurity-dev-machine-guard --version"
+      placeholder: "1.9.0"
     validations:
       required: true
   - type: input
@@ -28,7 +28,7 @@ body:
     attributes:
       label: Command Run
       description: The exact command you ran
-      placeholder: "./stepsecurity-dev-machine-guard.sh --json"
+      placeholder: "./stepsecurity-dev-machine-guard --json"
     validations:
       required: true
   - type: textarea

.github/pull_request_template.md

@@ -11,10 +11,11 @@
 ## Testing
 
 - [ ] Tested on macOS (version: ___)
-- [ ] Script runs without errors: `./stepsecurity-dev-machine-guard.sh --verbose`
-- [ ] JSON output is valid: `./stepsecurity-dev-machine-guard.sh --json | python3 -m json.tool`
+- [ ] Binary runs without errors: `./stepsecurity-dev-machine-guard --verbose`
+- [ ] JSON output is valid: `./stepsecurity-dev-machine-guard --json | python3 -m json.tool`
 - [ ] No secrets or credentials included
-- [ ] ShellCheck passes (if script was modified)
+- [ ] Lint passes: `make lint`
+- [ ] Tests pass: `make test`
 
 ## Related Issues
 

.github/workflows/release.yml

@@ -69,44 +69,45 @@ jobs:
       - name: Install cosign
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
-      - name: Locate built binaries
-        id: binaries
+      - name: Prepare release artifacts for signing
         run: |
-          # GoReleaser keeps binaries in build subdirs (e.g. _amd64_v1, _arm64_v8.0)
-          AMD64=$(find dist -type f -name 'stepsecurity-dev-machine-guard' -path '*darwin_amd64*' | head -1)
-          ARM64=$(find dist -type f -name 'stepsecurity-dev-machine-guard' -path '*darwin_arm64*' | head -1)
-
-          for label in "amd64:${AMD64}" "arm64:${ARM64}"; do
+          # Copy binaries to match the exact names users download from the release.
+          # GoReleaser uploads as name_template (e.g. stepsecurity-dev-machine-guard_darwin_amd64)
+          # but keeps them in build subdirs locally. We copy to dist/ with release names
+          # so cosign signs the same bytes users verify against.
+          AMD64_SRC=$(find dist -type f -name 'stepsecurity-dev-machine-guard' -path '*darwin_amd64*' | head -1)
+          ARM64_SRC=$(find dist -type f -name 'stepsecurity-dev-machine-guard' -path '*darwin_arm64*' | head -1)
+
+          for label in "amd64:${AMD64_SRC}" "arm64:${ARM64_SRC}"; do
             name="${label%%:*}"
             path="${label#*:}"
             if [ -z "$path" ] || [ ! -f "$path" ]; then
               echo "::error::Binary not found for ${name}"
-              echo "dist/ contents:"
               find dist -type f
               exit 1
             fi
           done
 
-          echo "amd64=${AMD64}" >> "$GITHUB_OUTPUT"
-          echo "arm64=${ARM64}" >> "$GITHUB_OUTPUT"
-          echo "Found amd64: ${AMD64}"
-          echo "Found arm64: ${ARM64}"
+          cp "$AMD64_SRC" dist/stepsecurity-dev-machine-guard_darwin_amd64
+          cp "$ARM64_SRC" dist/stepsecurity-dev-machine-guard_darwin_arm64
+          echo "Prepared release artifacts for signing"
 
       - name: Sign artifacts with Sigstore (keyless)
         run: |
-          cosign sign-blob "${{ steps.binaries.outputs.amd64 }}" \
+          cosign sign-blob dist/stepsecurity-dev-machine-guard_darwin_amd64 \
             --bundle dist/stepsecurity-dev-machine-guard_darwin_amd64.bundle --yes
-          cosign sign-blob "${{ steps.binaries.outputs.arm64 }}" \
+          cosign sign-blob dist/stepsecurity-dev-machine-guard_darwin_arm64 \
             --bundle dist/stepsecurity-dev-machine-guard_darwin_arm64.bundle --yes
           cosign sign-blob stepsecurity-dev-machine-guard.sh \
             --bundle dist/stepsecurity-dev-machine-guard.sh.bundle --yes
 
       - name: Generate checksums
         run: |
-          SUMS="dist/stepsecurity-dev-machine-guard_${{ steps.version.outputs.version }}_SHA256SUMS"
-          sha256sum "${{ steps.binaries.outputs.amd64 }}" >> "$SUMS"
-          sha256sum "${{ steps.binaries.outputs.arm64 }}" >> "$SUMS"
-          sha256sum stepsecurity-dev-machine-guard.sh >> "$SUMS"
+          # Separate checksum file for cosign-signed artifacts (script + bundles).
+          # GoReleaser already generates checksums for the Go binaries in its own SHA256SUMS file.
+          sha256sum dist/stepsecurity-dev-machine-guard_darwin_amd64 > dist/cosign-checksums.txt
+          sha256sum dist/stepsecurity-dev-machine-guard_darwin_arm64 >> dist/cosign-checksums.txt
+          sha256sum stepsecurity-dev-machine-guard.sh >> dist/cosign-checksums.txt
 
       - name: Upload signature bundles and checksums to release
         env:
@@ -116,7 +117,7 @@ jobs:
             dist/stepsecurity-dev-machine-guard_darwin_amd64.bundle \
             dist/stepsecurity-dev-machine-guard_darwin_arm64.bundle \
             dist/stepsecurity-dev-machine-guard.sh.bundle \
-            dist/stepsecurity-dev-machine-guard_${{ steps.version.outputs.version }}_SHA256SUMS \
+            dist/cosign-checksums.txt \
             --clobber
 
       - name: Mark release as immutable (not a draft, not a prerelease)
@@ -132,6 +133,6 @@ jobs:
         uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
         with:
           subject-path: |
-            ${{ steps.binaries.outputs.amd64 }}
-            ${{ steps.binaries.outputs.arm64 }}
+            dist/stepsecurity-dev-machine-guard_darwin_amd64
+            dist/stepsecurity-dev-machine-guard_darwin_arm64
             stepsecurity-dev-machine-guard.sh

.github/workflows/go.yml .github/workflows/tests.yml.github/workflows/go.yml renamed to .github/workflows/tests.yml

@@ -1,4 +1,4 @@
-name: Go
+name: Tests
 
 on:
   push:

CHANGELOG.md

@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 See [VERSIONING.md](VERSIONING.md) for why the version starts at 1.8.1.
 
+## [1.9.0] - 2026-04-03
+
+Migrated from shell script to a compiled Go binary. All existing scanning features, detection logic, CLI flags, output formats, and enterprise telemetry are preserved — this release changes the implementation, not the functionality.
+
+### Added
+- **Go binary**: Single compiled binary (`stepsecurity-dev-machine-guard`) replaces the shell script. Zero external dependencies, no runtime required.
+- **`configure` / `configure show` commands**: Interactive setup and display of enterprise credentials, search directories, and preferences. Saved to `~/.stepsecurity/config.json`.
+
 ## [1.8.2] - 2026-03-17
 
 ### Added
@@ -44,5 +52,6 @@ First open-source release. The scanning engine was previously an internal enterp
 - Execution log capture and base64 encoding
 - Instance locking to prevent concurrent runs
 
+[1.9.0]: https://github.com/step-security/dev-machine-guard/compare/v1.8.2...v1.9.0
 [1.8.2]: https://github.com/step-security/dev-machine-guard/compare/v1.8.1...v1.8.2
 [1.8.1]: https://github.com/step-security/dev-machine-guard/releases/tag/v1.8.1

CONTRIBUTING.md

@@ -9,21 +9,15 @@ Thank you for your interest in contributing! Dev Machine Guard is an open-source
 To add detection for a new AI tool, IDE, or framework:
 
 1. Open an issue using the [Feature Request](.github/ISSUE_TEMPLATE/feature_request.yml) template, or
-2. Submit a PR modifying `stepsecurity-dev-machine-guard.sh`
+2. Submit a PR modifying the appropriate detector in `internal/detector/`
 
 **How to add a new IDE/desktop app:**
 
-Find the `detect_ide_installations()` function and add an entry to the `apps` array:
-```bash
-"App Name|type_id|Vendor|/Applications/App.app|Contents/MacOS/binary|--version"
-```
+Find the IDE detector in `internal/detector/ide.go` and add an entry to the apps list. See [Adding Detections](docs/adding-detections.md) for the full guide.
 
 **How to add a new AI CLI tool:**
 
-Find the `detect_ai_cli_tools()` function and add an entry to the `tools` array:
-```bash
-"tool-name|Vendor|binary1,binary2|~/.config-dir1,~/.config-dir2"
-```
+Find the AI CLI detector in `internal/detector/ai_cli.go` and add an entry to the tools list. See [Adding Detections](docs/adding-detections.md) for the full guide.
 
 ### Improve Documentation
 
@@ -37,37 +31,37 @@ Documentation lives in the `docs/` folder. Improvements, corrections, and new gu
    cd dev-machine-guard
    ```
 
-2. Make the script executable:
+2. Build the binary:
    ```bash
-   chmod +x stepsecurity-dev-machine-guard.sh
+   make build
    ```
 
 3. Run locally:
    ```bash
    # Pretty output with progress messages
-   ./stepsecurity-dev-machine-guard.sh --verbose
+   ./stepsecurity-dev-machine-guard --verbose
 
    # JSON output
-   ./stepsecurity-dev-machine-guard.sh --json
+   ./stepsecurity-dev-machine-guard --json
 
    # HTML report
-   ./stepsecurity-dev-machine-guard.sh --html report.html
+   ./stepsecurity-dev-machine-guard --html report.html
    ```
 
 ## Code Style
 
-- The script must pass [ShellCheck](https://www.shellcheck.net/) (our CI runs it on every PR)
-- Follow the existing code patterns (section headers, function naming, JSON construction)
-- Use `print_progress` for status messages (they respect the `--verbose` flag)
-- Use `print_error` for error messages (always shown)
+- Go source code in `internal/` must pass `golangci-lint` (our CI runs it on every PR)
+- Follow the existing code patterns (package structure, naming conventions, JSON struct tags)
+- Use the `progress` package for status messages (they respect the `--verbose` flag)
+- Use standard Go error handling patterns
 
 ## Pull Request Process
 
 1. Fork the repository
 2. Create a feature branch (`git checkout -b add-new-tool-detection`)
-3. Make your changes
-4. Test locally: `./stepsecurity-dev-machine-guard.sh --verbose`
-5. Ensure ShellCheck passes: `shellcheck stepsecurity-dev-machine-guard.sh`
+3. Edit Go source in `internal/` (not the legacy shell script)
+4. Test locally: `./stepsecurity-dev-machine-guard --verbose`
+5. Ensure lint and tests pass: `make lint && make test && make smoke`
 6. Submit a PR using our [PR template](.github/pull_request_template.md)
 
 ## Reporting Issues

README.md

@@ -72,7 +72,7 @@ make build
 ./stepsecurity-dev-machine-guard
 ```
 
-Requires Go 1.22+. The binary has zero external dependencies.
+Requires Go 1.24+. The binary has zero external dependencies.
 
 ## Usage
 

SECURITY.md

@@ -19,7 +19,7 @@ We will acknowledge your report within 48 hours and provide a detailed response
 ## Scope
 
 This policy covers:
-- The `stepsecurity-dev-machine-guard.sh` script
+- The `stepsecurity-dev-machine-guard` binary and Go source code in `internal/`
 - The StepSecurity backend API (for enterprise mode)
 
 ## Supported Versions