feat: add windows support

Signed-off-by: Swarit Pandey <swarit@stepsecurity.io>

Author: swarit-stepsecurity

.gitignore

@@ -10,6 +10,7 @@
 .vscode/
 .idea/
 .claude/
+.plans/
 
 # Output files
 *.log

Makefile

@@ -9,11 +9,14 @@ LDFLAGS := -s -w \
 	-X $(MODULE)/internal/buildinfo.ReleaseTag=$(TAG) \
 	-X $(MODULE)/internal/buildinfo.ReleaseBranch=$(BRANCH)
 
-.PHONY: build test lint clean smoke
+.PHONY: build build-windows test lint clean smoke
 
 build:
 	go build -trimpath -ldflags "$(LDFLAGS)" -o $(BINARY) ./cmd/stepsecurity-dev-machine-guard
 
+build-windows:
+	GOOS=windows GOARCH=amd64 go build -trimpath -ldflags "$(LDFLAGS)" -o $(BINARY).exe ./cmd/stepsecurity-dev-machine-guard
+
 test:
 	go test ./... -v -race -count=1
 

cmd/stepsecurity-dev-machine-guard/main.go

@@ -3,6 +3,7 @@ package main
 import (
 	"fmt"
 	"os"
+	"runtime"
 
 	"github.com/step-security/dev-machine-guard/internal/buildinfo"
 	"github.com/step-security/dev-machine-guard/internal/cli"
@@ -84,6 +85,10 @@ func main() {
 
 	case "install":
 		fmt.Fprintf(os.Stdout, "StepSecurity Dev Machine Guard v%s\n\n", buildinfo.Version)
+		if runtime.GOOS == "windows" {
+			log.Error("Scheduled scanning is not yet supported on Windows. Use the scan command directly.")
+			os.Exit(1)
+		}
 		if !config.IsEnterpriseMode() {
 			log.Error("Enterprise configuration not found. Run '%s configure' or download the script from your StepSecurity dashboard.", os.Args[0])
 			os.Exit(1)
@@ -101,6 +106,10 @@ func main() {
 
 	case "uninstall":
 		fmt.Fprintf(os.Stdout, "StepSecurity Dev Machine Guard v%s\n\n", buildinfo.Version)
+		if runtime.GOOS == "windows" {
+			log.Error("Scheduled scanning is not yet supported on Windows. Use the scan command directly.")
+			os.Exit(1)
+		}
 		if err := launchd.Uninstall(exec, log); err != nil {
 			log.Error("%v", err)
 			os.Exit(1)

internal/detector/agent.go

@@ -2,6 +2,7 @@ package detector
 
 import (
 	"context"
+	"path/filepath"
 	"regexp"
 	"strconv"
 	"strings"
@@ -67,7 +68,7 @@ func (d *AgentDetector) Detect(ctx context.Context, searchDirs []string) []model
 func (d *AgentDetector) findAgent(spec agentSpec, homeDir string) (string, bool) {
 	// Check detection paths
 	for _, relPath := range spec.DetectionPaths {
-		fullPath := homeDir + "/" + relPath
+		fullPath := filepath.Join(homeDir, relPath)
 		if d.exec.DirExists(fullPath) || d.exec.FileExists(fullPath) {
 			return fullPath, true
 		}
@@ -103,12 +104,23 @@ func (d *AgentDetector) getVersion(ctx context.Context, spec agentSpec) string {
 
 // detectClaudeCowork checks for Claude Cowork (a mode within Claude Desktop 0.7+).
 func (d *AgentDetector) detectClaudeCowork(ctx context.Context) (model.AITool, bool) {
-	claudePath := "/Applications/Claude.app"
-	if !d.exec.DirExists(claudePath) {
-		return model.AITool{}, false
+	var claudePath, version string
+
+	if d.exec.GOOS() == "windows" {
+		localAppData := d.exec.Getenv("LOCALAPPDATA")
+		claudePath = filepath.Join(localAppData, "Programs", "Claude")
+		if !d.exec.DirExists(claudePath) {
+			return model.AITool{}, false
+		}
+		version = readRegistryVersion(ctx, d.exec, "Claude")
+	} else {
+		claudePath = "/Applications/Claude.app"
+		if !d.exec.DirExists(claudePath) {
+			return model.AITool{}, false
+		}
+		version = readPlistVersion(ctx, d.exec, filepath.Join(claudePath, "Contents", "Info.plist"))
 	}
 
-	version := readPlistVersion(ctx, d.exec, claudePath+"/Contents/Info.plist")
 	if version == "unknown" {
 		return model.AITool{}, false
 	}

internal/detector/agent_test.go

@@ -96,3 +96,45 @@ func TestIsCoworkVersion(t *testing.T) {
 		}
 	}
 }
+
+func TestAgentDetector_Windows_ClaudeCowork(t *testing.T) {
+	mock := executor.NewMock()
+	mock.SetGOOS("windows")
+	mock.SetHomeDir(`C:\Users\testuser`)
+	mock.SetEnv("LOCALAPPDATA", `C:\Users\testuser\AppData\Local`)
+
+	// detectClaudeCowork on Windows uses filepath.Join(localAppData, "Programs", "Claude").
+	// On macOS host, filepath.Join keeps backslashes and inserts "/":
+	claudePath := `C:\Users\testuser\AppData\Local` + "/Programs/Claude"
+	mock.SetDir(claudePath)
+
+	// Version via readRegistryVersion with appName "Claude".
+	// First registry root tried by readRegistryVersion.
+	mock.SetCommand(
+		"HKLM\\SOFTWARE\\...\\Claude\n    DisplayVersion    REG_SZ    0.7.5\n",
+		"", 0,
+		"reg", "query", `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall`, "/s", "/f", "Claude", "/d",
+	)
+
+	det := NewAgentDetector(mock)
+	results := det.Detect(context.Background(), []string{`C:\Users\testuser`})
+
+	found := false
+	for _, r := range results {
+		if r.Name == "claude-cowork" {
+			found = true
+			if r.Vendor != "Anthropic" {
+				t.Errorf("expected Anthropic, got %s", r.Vendor)
+			}
+			if r.Version != "0.7.5" {
+				t.Errorf("expected 0.7.5, got %s", r.Version)
+			}
+			if r.InstallPath != claudePath {
+				t.Errorf("expected install path %s, got %s", claudePath, r.InstallPath)
+			}
+		}
+	}
+	if !found {
+		t.Error("claude-cowork not found")
+	}
+}

internal/detector/aicli.go

@@ -2,6 +2,8 @@ package detector
 
 import (
 	"context"
+	"os"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -121,11 +123,17 @@ func (d *AICLIDetector) Detect(ctx context.Context) []model.AITool {
 func (d *AICLIDetector) findBinary(ctx context.Context, spec cliToolSpec, homeDir string) (string, bool) {
 	for _, bin := range spec.Binaries {
 		expanded := expandTilde(bin, homeDir)
-		if strings.Contains(expanded, "/") {
-			// Absolute/relative path - check if it exists
+		if expanded != bin {
+			// Path was expanded from tilde — it's a home-relative path, check if it exists
 			if d.exec.FileExists(expanded) {
 				return expanded, true
 			}
+			// On Windows, also try with .exe suffix
+			if d.exec.GOOS() == "windows" && !strings.HasSuffix(expanded, ".exe") {
+				if d.exec.FileExists(expanded + ".exe") {
+					return expanded + ".exe", true
+				}
+			}
 			continue
 		}
 		// Search in PATH
@@ -167,15 +175,30 @@ func (d *AICLIDetector) findConfigDir(spec cliToolSpec, homeDir string) string {
 
 func expandTilde(path, homeDir string) string {
 	if strings.HasPrefix(path, "~/") {
-		return homeDir + path[1:]
+		return filepath.Join(homeDir, filepath.FromSlash(path[2:]))
 	}
 	return path
 }
 
 func getHomeDir(exec executor.Executor) string {
 	u, err := exec.CurrentUser()
 	if err != nil {
-		return "/tmp"
+		return os.TempDir()
 	}
 	return u.HomeDir
 }
+
+// resolveEnvPath replaces %ENVVAR% patterns in Windows-style paths using the executor.
+func resolveEnvPath(exec executor.Executor, path string) string {
+	for strings.Contains(path, "%") {
+		start := strings.Index(path, "%")
+		end := strings.Index(path[start+1:], "%")
+		if end < 0 {
+			break
+		}
+		envName := path[start+1 : start+1+end]
+		envVal := exec.Getenv(envName)
+		path = path[:start] + envVal + path[start+2+end:]
+	}
+	return filepath.FromSlash(path)
+}

internal/detector/extension.go

@@ -3,6 +3,7 @@ package detector
 import (
 	"context"
 	"encoding/json"
+	"path/filepath"
 	"strings"
 
 	"github.com/step-security/dev-machine-guard/internal/executor"
@@ -78,7 +79,7 @@ func (d *ExtensionDetector) collectFromDir(extDir, ideType string) []model.Exten
 		}
 
 		// Get install date from directory modification time
-		info, err := d.exec.Stat(extDir + "/" + dirname)
+		info, err := d.exec.Stat(filepath.Join(extDir, dirname))
 		if err == nil {
 			ext.InstallDate = info.ModTime().Unix()
 		}
@@ -130,7 +131,7 @@ func parseExtensionDir(dirname, ideType string) *model.Extension {
 
 // loadObsolete reads the .obsolete file and returns a set of dirname -> true.
 func (d *ExtensionDetector) loadObsolete(extDir string) map[string]bool {
-	obsoleteFile := extDir + "/.obsolete"
+	obsoleteFile := filepath.Join(extDir, ".obsolete")
 	data, err := d.exec.ReadFile(obsoleteFile)
 	if err != nil {
 		return nil

internal/detector/framework.go

@@ -2,6 +2,7 @@ package detector
 
 import (
 	"context"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -41,7 +42,7 @@ func (d *FrameworkDetector) Detect(ctx context.Context) []model.AITool {
 		}
 
 		version := d.getVersion(ctx, binaryPath)
-		isRunning := d.isProcessRunning(ctx, spec.ProcessName)
+		isRunning := isProcessRunning(ctx, d.exec, spec.ProcessName)
 
 		results = append(results, model.AITool{
 			Name:       spec.Name,
@@ -86,31 +87,32 @@ func (d *FrameworkDetector) getVersion(ctx context.Context, binaryPath string) s
 	return "unknown"
 }
 
-func (d *FrameworkDetector) isProcessRunning(ctx context.Context, processName string) bool {
-	_, _, exitCode, _ := d.exec.Run(ctx, "pgrep", "-x", processName)
-	return exitCode == 0
-}
-
 func (d *FrameworkDetector) detectLMStudioApp(ctx context.Context) (model.AITool, bool) {
-	appPath := "/Applications/LM Studio.app"
-	if !d.exec.DirExists(appPath) {
-		return model.AITool{}, false
-	}
-
-	version := readPlistVersion(ctx, d.exec, appPath+"/Contents/Info.plist")
+	var appPath, version string
 
-	isRunning := false
-	_, _, exitCode, _ := d.exec.Run(ctx, "pgrep", "-f", "LM Studio")
-	if exitCode == 0 {
-		isRunning = true
+	if d.exec.GOOS() == "windows" {
+		localAppData := d.exec.Getenv("LOCALAPPDATA")
+		appPath = filepath.Join(localAppData, "Programs", "LM Studio")
+		if !d.exec.DirExists(appPath) {
+			return model.AITool{}, false
+		}
+		version = readRegistryVersion(ctx, d.exec, "LM Studio")
+	} else {
+		appPath = "/Applications/LM Studio.app"
+		if !d.exec.DirExists(appPath) {
+			return model.AITool{}, false
+		}
+		version = readPlistVersion(ctx, d.exec, filepath.Join(appPath, "Contents", "Info.plist"))
 	}
 
+	running := isProcessRunningFuzzy(ctx, d.exec, "LM Studio")
+
 	return model.AITool{
 		Name:       "lm-studio",
 		Vendor:     "LM Studio",
 		Type:       "framework",
 		Version:    version,
 		BinaryPath: appPath,
-		IsRunning:  &isRunning,
+		IsRunning:  &running,
 	}, true
 }

internal/detector/framework_test.go

@@ -74,3 +74,45 @@ func TestFrameworkDetector_LMStudioApp(t *testing.T) {
 		t.Error("lm-studio not found")
 	}
 }
+
+func TestFrameworkDetector_Windows_FindsOllama(t *testing.T) {
+	mock := executor.NewMock()
+	mock.SetGOOS("windows")
+	mock.SetPath("ollama", `C:\Program Files\Ollama\ollama.exe`)
+
+	mock.SetCommand("0.5.4\n", "", 0, `C:\Program Files\Ollama\ollama.exe`, "--version")
+
+	// isProcessRunning on Windows: tasklist /FI "IMAGENAME eq ollama.exe" /NH
+	mock.SetCommand(
+		"ollama.exe                   12345 Console                    1    100,000 K\n",
+		"", 0,
+		"tasklist", "/FI", "IMAGENAME eq ollama.exe", "/NH",
+	)
+
+	// LM Studio app detection on Windows also runs; ensure it doesn't interfere.
+	// detectLMStudioApp will try Getenv("LOCALAPPDATA") which is empty, so DirExists will fail.
+	// isProcessRunningFuzzy on Windows calls tasklist /NH
+	mock.SetCommand("", "", 1, "tasklist", "/NH")
+
+	det := NewFrameworkDetector(mock)
+	results := det.Detect(context.Background())
+
+	found := false
+	for _, r := range results {
+		if r.Name == "ollama" {
+			found = true
+			if r.Type != "framework" {
+				t.Errorf("expected framework, got %s", r.Type)
+			}
+			if r.Version != "0.5.4" {
+				t.Errorf("expected 0.5.4, got %s", r.Version)
+			}
+			if r.IsRunning == nil || !*r.IsRunning {
+				t.Error("expected is_running=true")
+			}
+		}
+	}
+	if !found {
+		t.Error("ollama not found")
+	}
+}