Merge branch 'main' into worktree-rename-api-endpoint

Author: raysubham

.github/workflows/msi-smoke.yml

@@ -257,7 +257,7 @@ jobs:
 
       - name: Upload install logs on failure
         if: failure()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: msi-smoke-logs
           path: |

CHANGELOG.md

@@ -7,6 +7,46 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 See [VERSIONING.md](VERSIONING.md) for why the version starts at 1.8.1.
 
+## [1.11.6] - 2026-05-27
+
+### Fixed
+
+- **macOS Tahoe Media Library prompt**: the project walker now skips `~/Library` wholesale instead of curating individual TCC-protected subpaths. This prevents new TCC prompts (e.g. `kTCCServiceMediaLibrary` from `~/Library/Application Support/com.apple.avfoundation/`) from firing after each macOS release adds Apple-managed subtrees behind new TCC services. Targeted detectors that read specific files under `~/Library` (JetBrains plugins, Claude desktop MCP config, pip global config) keep working unchanged.
+
+## [1.11.5] - 2026-05-27
+
+### Added
+
+- **macOS TCC-protected directory skipping**: scanners now skip TCC-protected paths (Photos, Media Library, App Management, etc.) by default when running under launchd, avoiding spurious permission prompts and noisy denials. Hits are logged so operators can see which paths were skipped.
+- **PPPC configuration guide**: new docs explain how to grant the agent the necessary TCC permissions via a PPPC profile for environments that want full coverage.
+- **`verify-msi.ps1` script**: client-side PowerShell script for verifying the integrity and Authenticode signature of distributed MSI artifacts.
+
+### Fixed
+
+- **Empty `--install-dir` rejected**: install/uninstall commands now reject an empty `--install-dir` value instead of silently falling back to a default, preventing accidental installs to the wrong location.
+- **`install_dir` config field is authoritative**: the configured `install_dir` is now treated as the source of truth across install/uninstall paths, resolving inconsistencies when the field disagreed with runtime defaults.
+
+## [1.11.4] - 2026-05-26
+
+### Added
+
+- **Authenticode-signed Windows binaries and MSIs**: release artifacts are now signed via Azure Trusted Signing, so installs no longer trip SmartScreen/EDR unsigned-binary heuristics on Windows.
+- **Feature gate for selective scanning**: new feature-gate mechanism allows disabling or enabling individual scanners at runtime, giving operators a way to scope what a deployment reports without rebuilding.
+- **Invocation method + in-flight status reporting**: telemetry now records how the agent was invoked (launchd / systemd / scheduled task / interactive) and emits structured per-phase status info while a scan is running.
+- **`$HOME` expansion in configured paths**: path-style config values now expand `$HOME` (and `~`) consistently across platforms.
+
+### Fixed
+
+- **Windows console window flashes during scheduled scans**: the scheduled task no longer pops a visible console window on each run.
+- **Telemetry post-phase is non-blocking**: post-phase telemetry submission can no longer stall scan completion if the backend is slow or unreachable; sandbox invocation tests added to cover the path.
+- **Canonicalised `$HOME`/`~` expansion**: path expansion now goes through `filepath.Join` so the resulting paths are normalised across `/`-vs-`\` and trailing-separator edge cases.
+
+### Changed
+
+- **Per-phase telemetry sub-progress incl. upload phase**: progress reporting now tracks sub-progress within each phase and adds an explicit upload phase, giving the dashboard finer-grained visibility into long-running scans.
+- **CI: on-demand test-binary + MSI workflow** added so non-release builds can be produced from a PR without cutting a tag.
+- **CI: msi-smoke workflow hardened** following StepSecurity best-practice review.
+
 ## [1.11.3] - 2026-05-21
 
 ### Added
@@ -181,6 +221,9 @@ First open-source release. The scanning engine was previously an internal enterp
 - Execution log capture and base64 encoding
 - Instance locking to prevent concurrent runs
 
+[1.11.6]: https://github.com/step-security/dev-machine-guard/compare/v1.11.5...v1.11.6
+[1.11.5]: https://github.com/step-security/dev-machine-guard/compare/v1.11.4...v1.11.5
+[1.11.4]: https://github.com/step-security/dev-machine-guard/compare/v1.11.3...v1.11.4
 [1.11.3]: https://github.com/step-security/dev-machine-guard/compare/v1.11.1...v1.11.3
 [1.11.1]: https://github.com/step-security/dev-machine-guard/compare/v1.11.0...v1.11.1
 [1.11.0]: https://github.com/step-security/dev-machine-guard/compare/v1.10.2...v1.11.0

README.md

@@ -470,6 +470,7 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
 - [Scan Coverage](SCAN_COVERAGE.md) — full catalog of detections
 - [Release Process](docs/release-process.md) — how releases are signed and verified
 - [Deploying via SCCM](docs/deploying-via-sccm.md) — Windows fleet rollout via Microsoft Configuration Manager (signed MSI, no PowerShell)
+- [macOS TCC Permissions](docs/macos-tcc-permissions.md) — how the agent handles Documents/Downloads/Mail TCC dirs, PPPC profile for MDM-pushed Full Disk Access, and the `include_tcc_protected` config field
 - [Versioning](VERSIONING.md) — why the version starts at 1.8.1
 - [Security Policy](SECURITY.md) — reporting vulnerabilities
 - [Code of Conduct](CODE_OF_CONDUCT.md)

cmd/stepsecurity-dev-machine-guard-task/main.go

@@ -1,58 +1,85 @@
 //go:build windows
 
 // Command stepsecurity-dev-machine-guard-task is a GUI-subsystem
-// launcher that invokes the console-subsystem agent under
+// launcher that invokes a console-subsystem child under
 // CREATE_NO_WINDOW. Built with `-ldflags "-H windowsgui"`.
 //
 // Why a separate binary: Windows allocates a console for any
-// console-subsystem process whose parent has none. Task Scheduler
-// under /ru INTERACTIVE is such a parent, so the agent itself would
-// always flash a window. The only fully-reliable suppression is for
-// the parent CreateProcess call to pass CREATE_NO_WINDOW, and the
-// only way to be that parent without flashing our own console is to
-// be GUI-subsystem. The agent stays console-subsystem so interactive
-// CLI use (install, configure, manual scans) still works normally.
+// console-subsystem process whose parent has none. Task Scheduler under
+// /ru INTERACTIVE is such a parent, so a console-subsystem child
+// invoked directly would always flash a window. The only fully reliable
+// suppression is for the parent CreateProcess call to pass
+// CREATE_NO_WINDOW, and the only way to be that parent without flashing
+// our own console is to be GUI-subsystem.
 //
-// Layout: both binaries sit in the same directory. The scheduled task
-// points at this launcher; arguments forward unchanged.
+// Two operating modes (target-resolution lives in internal/launcher so
+// it can be unit-tested cross-platform):
 //
-// Lifecycle: the agent is assigned to a Job Object with
-// JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE so it dies when the launcher
-// does — including under Stop-ScheduledTask, which only terminates
-// the registered action's PID.
+//   - Default. Invoked without --exec, the launcher spawns its sibling
+//     stepsecurity-dev-machine-guard.exe and forwards argv unchanged.
+//     This is what the MSI install layout's scheduled-task action uses.
+//
+//   - --exec mode. Invoked as `task.exe --exec <exe> [args...]`, the
+//     launcher spawns <exe> (exec.LookPath resolved) with the remaining
+//     args. Used by the PowerShell loader's scheduled task to wrap
+//     `powershell.exe -File loader.ps1 send-telemetry` in the same
+//     no-console envelope the MSI flow uses for the agent.
+//
+// The agent (and any --exec target) stays console-subsystem so
+// interactive CLI use continues to work normally.
+//
+// Lifecycle: the child is assigned to a Job Object with
+// JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE so it dies when the launcher does
+// — including under Stop-ScheduledTask, which only terminates the
+// registered action's PID.
 package main
 
 import (
 	"errors"
+	"fmt"
 	"os"
 	"os/exec"
-	"path/filepath"
 	"syscall"
 	"unsafe"
 
+	"github.com/step-security/dev-machine-guard/internal/launcher"
 	"golang.org/x/sys/windows"
 )
 
-const (
-	createNoWindow uint32 = 0x08000000
-	agentBinary           = "stepsecurity-dev-machine-guard.exe"
-)
+const createNoWindow uint32 = 0x08000000
 
 func main() {
-	os.Exit(run())
+	os.Exit(run(os.Args[1:]))
 }
 
-func run() int {
-	me, err := os.Executable()
+// run is split out so the entrypoint stays one line. argv is the slice
+// after the program name (os.Args[1:] in main); accepting it explicitly
+// keeps the windows-only test path open if we add one later.
+func run(argv []string) int {
+	target, childArgs, err := launcher.ResolveTarget(argv)
 	if err != nil {
-		return 1
-	}
-	agent := filepath.Join(filepath.Dir(me), agentBinary)
-	if _, err := os.Stat(agent); err != nil {
+		// Two distinct failure shapes, matched to the legacy contract:
+		//
+		//   - Default mode (no --exec): the launcher silently exits 1.
+		//     This preserves byte-for-byte compatibility with MSI installs
+		//     that the pre-1.11.5 launcher served. Task Scheduler records
+		//     "LastTaskResult=1" — same value MSI deployments have always
+		//     observed when the sibling agent is absent. A behavioral
+		//     change here would shift downstream dashboards/alerts that
+		//     key on the result code.
+		//
+		//   - --exec mode: the caller asked for a feature; surface the
+		//     concrete misuse (missing target, unresolved PATH, etc.) on
+		//     stderr with a distinct exit code so dispatch failures are
+		//     diagnosable.
+		if len(argv) > 0 && argv[0] == launcher.ExecFlag {
+			fmt.Fprintln(os.Stderr, err)
+			return 2
+		}
 		return 1
 	}
 
-	cmd := exec.Command(agent, os.Args[1:]...)
+	cmd := exec.Command(target, childArgs...)
 	cmd.SysProcAttr = &syscall.SysProcAttr{
 		HideWindow:    true,
 		CreationFlags: createNoWindow,
@@ -62,10 +89,11 @@ func run() int {
 		return 1
 	}
 
-	// Best-effort: bind the agent to a kill-on-close job. The job
+	// Best-effort: bind the child to a kill-on-close job. The job
 	// handle stays open in this process; the kernel closes it on our
 	// exit, which fires the kill. Failure here only weakens lifecycle
-	// (orphan possible on forced termination), not the scan itself.
+	// (orphan possible on forced termination), not the work the child
+	// was started to do.
 	if job, jerr := newKillOnCloseJob(); jerr == nil {
 		if h, oerr := windows.OpenProcess(
 			windows.PROCESS_SET_QUOTA|windows.PROCESS_TERMINATE,

cmd/stepsecurity-dev-machine-guard/main.go

@@ -84,6 +84,9 @@ func main() {
 	if cfg.EnablePythonScan == nil && config.EnablePythonScan != nil {
 		cfg.EnablePythonScan = config.EnablePythonScan
 	}
+	if cfg.IncludeTCCProtected == nil && config.IncludeTCCProtected != nil {
+		cfg.IncludeTCCProtected = config.IncludeTCCProtected
+	}
 	if cfg.ColorMode == "auto" && config.ColorMode != "" {
 		cfg.ColorMode = config.ColorMode
 	}
@@ -100,24 +103,32 @@ func main() {
 	exec := executor.NewReal()
 
 	// Install dir resolution (see internal/paths.Home for the canonical
-	// chain): --install-dir CLI flag > $STEPSECURITY_HOME env var >
-	// install_dir config field > ~/.stepsecurity default. The CLI flag
-	// wins because it is the most explicit per-invocation override the
-	// operator can supply. We feed it to paths via SetOverride; an
-	// explicit `--install-dir=` (empty) is preserved and short-circuits
-	// the path computation below to disable file logging for this run.
+	// chain): --install-dir CLI flag > install_dir config field >
+	// $STEPSECURITY_HOME env var > ~/.stepsecurity default. Config beats
+	// env because config.json is the source of truth that the loader
+	// scripts write to and operators hand-edit; the env var baked into
+	// service unit files at install time can otherwise become stale.
+	// An explicit `--install-dir=` (empty) routes through SetDisabled,
+	// after which paths.Home() returns "" so EVERY on-disk consumer
+	// (filelog, ai-agent hook errors, any future file) uniformly skips
+	// — not just file logging. cli.Parse rejects the empty form when
+	// paired with `install` / `uninstall`, where the platform installers
+	// need a real on-disk path for unit files and the log directory.
 	//
 	// The capture is installed before the logger so every subsequent
 	// stderr write — including the pipe-tee in
 	// internal/telemetry/logcapture.go, which nests inside this one —
 	// flows through to disk.
 	if cfg.InstallDirSet {
-		paths.SetOverride(cfg.InstallDir) // may be "" = disabled
+		if cfg.InstallDir == "" {
+			paths.SetDisabled()
+		} else {
+			paths.SetOverride(cfg.InstallDir)
+		}
 	}
-	installDir := paths.Home()
-	disabled := cfg.InstallDirSet && cfg.InstallDir == ""
+	installDir := paths.Home() // "" when SetDisabled or home unresolved
 	logFilePath := ""
-	if !disabled && installDir != "" {
+	if installDir != "" {
 		logFilePath = filepath.Join(installDir, filelog.Filename)
 		// Pre-rotate BOTH files unconditionally. In interactive mode the
 		// stderr rotation is redundant with filelog.Start's own rotation
@@ -164,7 +175,7 @@ func main() {
 	// auto-move — too risky for v1 (silent overwrites, races with other
 	// processes, perms changes). Just point at the leftovers.
 	legacy := paths.LegacyHome()
-	if !disabled && legacy != "" && installDir != "" && installDir != legacy {
+	if legacy != "" && installDir != "" && installDir != legacy {
 		if leftovers := findLegacyLeftovers(legacy); len(leftovers) > 0 {
 			log.Warn("install dir is %s but the legacy default %s still has files: %s — copy them over manually if you want their history.",
 				installDir, legacy, strings.Join(leftovers, ", "))