Summary
On Windows 11 with Smart App Control (SAC) enabled, the bundled browse binary cannot execute, which breaks every browser-driven skill (/canary, /qa, /browse, live /design-review). Please code-sign the Windows release binaries so SAC permits them.
Environment
- gstack
1.58.0.0
- Windows 11, Smart App Control: On (Enforce) —
HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy\VerifiedAndReputablePolicyState = 1
- Binary:
~/.claude/skills/gstack/browse/dist/browse.exe (PE32+ x86-64)
What happens
Running the binary fails at the OS policy layer:
- Git-Bash:
.../browse.exe: Permission denied (x-bits are set; not a chmod issue)
- PowerShell:
Program 'browse.exe' failed to run: An error occurred trying to start process ... An Application Control policy has blocked this file.
file reports it as PE32+ executable for MS Windows, and it is unsigned.
Root cause
Smart App Control blocks unsigned / low-reputation executables. Critically, SAC has no per-file allowlist — there is no supported way for a user to make one binary an exception. The only user-side workaround is turning SAC Off, which is irreversible (Windows requires a reset/reinstall to re-enable SAC). Asking users to permanently disable a security feature to run a dev tool is not a reasonable workaround.
Impact
Any Windows 11 machine with SAC enabled (the default on many new devices) cannot use the browser-driven skills at all. bin/ shell scripts run fine — only the compiled binaries are blocked.
Ask
- Code-sign the Windows release binaries (Authenticode), and ideally submit them for Microsoft reputation so SAC trusts them without per-machine action. This is the real fix.
- Until signed: document the SAC limitation + fallbacks (curl-based health checks, user-driven browser QA) so Windows users aren't stuck debugging "Permission denied".
Minor secondary note
dist/browse (no .exe extension) cannot be exec'd from Git-Bash even setting SAC aside — Git-Bash won't run a PE without the .exe suffix. Only dist/browse.exe is invokable. Skills compute the binary path as dist/browse; on Windows they should prefer dist/browse.exe.
Summary
On Windows 11 with Smart App Control (SAC) enabled, the bundled
browsebinary cannot execute, which breaks every browser-driven skill (/canary,/qa,/browse, live/design-review). Please code-sign the Windows release binaries so SAC permits them.Environment
1.58.0.0HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy\VerifiedAndReputablePolicyState = 1~/.claude/skills/gstack/browse/dist/browse.exe(PE32+ x86-64)What happens
Running the binary fails at the OS policy layer:
.../browse.exe: Permission denied(x-bits are set; not a chmod issue)Program 'browse.exe' failed to run: An error occurred trying to start process ... An Application Control policy has blocked this file.filereports it asPE32+ executable for MS Windows, and it is unsigned.Root cause
Smart App Control blocks unsigned / low-reputation executables. Critically, SAC has no per-file allowlist — there is no supported way for a user to make one binary an exception. The only user-side workaround is turning SAC Off, which is irreversible (Windows requires a reset/reinstall to re-enable SAC). Asking users to permanently disable a security feature to run a dev tool is not a reasonable workaround.
Impact
Any Windows 11 machine with SAC enabled (the default on many new devices) cannot use the browser-driven skills at all.
bin/shell scripts run fine — only the compiled binaries are blocked.Ask
Minor secondary note
dist/browse(no.exeextension) cannot be exec'd from Git-Bash even setting SAC aside — Git-Bash won't run a PE without the.exesuffix. Onlydist/browse.exeis invokable. Skills compute the binary path asdist/browse; on Windows they should preferdist/browse.exe.