Merge branch 'main' into swarit/fix/enable-rc-config-feature-gates

Author: ashishkurmi

.github/workflows/test-build.yml

@@ -1,4 +1,9 @@
 name: Test Build (Binaries & MSIs)
+# run-name embeds the dispatcher-supplied correlation_id so a caller (e.g. the
+# integration-test Intune E2E) can locate the exact run it triggered: a
+# workflow_dispatch run's head_sha is the ref HEAD, not commit_id, so the SHA
+# alone cannot identify it.
+run-name: Test Build ${{ inputs.commit_id }} ${{ inputs.correlation_id }}
 
 # Build test binaries and MSIs from an arbitrary commit, without cutting a
 # release tag or touching the upstream release pipeline. Artifacts are
@@ -16,6 +21,10 @@ on:
         description: "Optional PR number to comment on with the artifact location"
         required: false
         type: string
+      correlation_id:
+        description: "Opaque marker echoed into run-name so a dispatcher can correlate this run (e.g. the integration-test Intune E2E)"
+        required: false
+        type: string
 
 permissions: {}
 
@@ -205,13 +214,98 @@ jobs:
 
           Get-ChildItem dist -Filter "*.msi" | Format-Table Name, Length
 
+      # Pack the MSIs into .intunewin so the integration-test Intune E2E can test
+      # a per-commit package identical in shape to a release (just unsigned).
+      # Mirrors the pack in release.yml; no Sigstore signing / release upload here.
+      - name: Download IntuneWinAppUtil.exe (pinned)
+        shell: pwsh
+        run: |
+          # Microsoft/Microsoft-Win32-Content-Prep-Tool v1.8.7, commit-pinned raw
+          # URL + canonical SHA-256 (same pin as release.yml), Authenticode-checked
+          # in the next step.
+          $ErrorActionPreference = 'Stop'
+          $url    = 'https://raw.githubusercontent.com/microsoft/Microsoft-Win32-Content-Prep-Tool/1d6cfcbdf8c28edc596337031f74df951f38f718/IntuneWinAppUtil.exe'
+          $sha256 = 'c1ba45b5cb939e84af064bb7ff4b38fb3dfe33c8dc1078fd9b157672eae671f6'
+          $dst    = 'dist/tools/IntuneWinAppUtil.exe'
+          New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
+          Invoke-WebRequest -Uri $url -OutFile $dst -UseBasicParsing
+          $actual = (Get-FileHash -Path $dst -Algorithm SHA256).Hash.ToLower()
+          if ($actual -ne $sha256) {
+            Write-Error "IntuneWinAppUtil.exe SHA-256 mismatch -- expected $sha256, got $actual"
+            exit 1
+          }
+          Write-Host "IntuneWinAppUtil.exe SHA-256 verified: $actual"
+
+      - name: Verify IntuneWinAppUtil.exe Microsoft Authenticode signature
+        shell: pwsh
+        run: |
+          $ErrorActionPreference = 'Stop'
+          $sig = Get-AuthenticodeSignature 'dist/tools/IntuneWinAppUtil.exe'
+          $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
+          Write-Host "IntuneWinAppUtil.exe: Status=$($sig.Status), Signer=$subject"
+          if ($sig.Status -ne 'Valid') {
+            Write-Error "IntuneWinAppUtil.exe signature status is $($sig.Status), expected Valid"
+            exit 1
+          }
+          if ($subject -notlike '*Microsoft Corporation*') {
+            Write-Error "IntuneWinAppUtil.exe not signed by Microsoft Corporation (subject: $subject)"
+            exit 1
+          }
+
+      - name: Pack .intunewin (x64 + arm64)
+        shell: pwsh
+        run: |
+          # IntuneWinAppUtil takes a SOURCE FOLDER (-c) and a SETUP FILE within it
+          # (-s); the setup file is install.cmd (not the MSI), with uninstall.cmd
+          # and the MSI staged alongside -- identical to release.yml so the package
+          # matches the real delivery path byte-for-byte (modulo signing).
+          $ErrorActionPreference = 'Stop'
+          $version = "${{ needs.build.outputs.version }}"
+          $tool    = 'dist/tools/IntuneWinAppUtil.exe'
+
+          foreach ($arch in @('x64', 'arm64')) {
+            $msiName = "stepsecurity-dev-machine-guard-$version-$arch.msi"
+            $stage   = "dist/intunewin-staging-$arch"
+            New-Item -ItemType Directory -Path $stage -Force | Out-Null
+            Copy-Item -Path "dist/$msiName"                          -Destination $stage -Force
+            Copy-Item -Path "packaging/windows/intune/install.cmd"   -Destination $stage -Force
+            Copy-Item -Path "packaging/windows/intune/uninstall.cmd" -Destination $stage -Force
+
+            & $tool -c $stage -s install.cmd -o dist -q
+            if ($LASTEXITCODE -ne 0) {
+              Write-Error "IntuneWinAppUtil.exe failed for $arch (exit $LASTEXITCODE)"
+              exit 1
+            }
+            Remove-Item -Path $stage -Recurse -Force
+
+            # IntuneWinAppUtil names the output after the setup file
+            # (install.intunewin); rename to the versioned, arch-tagged filename.
+            $produced = "dist/install.intunewin"
+            if (-not (Test-Path $produced)) {
+              Write-Error "Expected output not found: $produced"
+              exit 1
+            }
+            $final = "dist/stepsecurity-dev-machine-guard-$version-$arch.intunewin"
+            if (Test-Path $final) { Remove-Item -Path $final -Force }
+            Move-Item -Path $produced -Destination $final
+          }
+
+          Get-ChildItem dist -Filter "*.intunewin" | Format-Table Name, Length
+
       - name: Upload MSIs
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: windows-msis
           path: dist/*.msi
           if-no-files-found: error
 
+      - name: Upload .intunewin
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: windows-intunewin
+          path: dist/*.intunewin
+          if-no-files-found: error
+
   comment-on-pr:
     name: Comment on PR
     needs: [build, build-msi]

internal/cli/cli.go

@@ -73,6 +73,22 @@ type Config struct {
 	// Internal — not advertised in --help. Equivalent env var:
 	// STEPSECURITY_OVERRIDE_GATE=1.
 	OverrideGate bool
+
+	// RulesFile makes the malicious-file detection engine load its RuleSet
+	// from a local JSON file instead of fetching it from the backend.
+	// Dev-only — not advertised in --help. Equivalent env var:
+	// STEPSECURITY_RULES_FILE=PATH. Lets the engine be exercised offline
+	// (rules live only in the backend, so an offline run would otherwise scan
+	// nothing). Zero production impact when unset.
+	RulesFile string
+
+	// TelemetryOutFile makes an enterprise run write the assembled telemetry
+	// Payload to a local JSON file and skip the S3 upload + run-status notify.
+	// Dev-only — not advertised in --help. Equivalent env var:
+	// STEPSECURITY_TELEMETRY_OUT=PATH. The dumped file is exactly what the
+	// backend's process-uploaded sees after gunzip, so it doubles as a backend
+	// ingestion fixture. Zero production impact when unset.
+	TelemetryOutFile string
 }
 
 // supportedHookAgents lists the agent names accepted by `hooks --agent <name>` and `_hook <agent> ...`.
@@ -253,6 +269,22 @@ func Parse(args []string) (*Config, error) {
 			cfg.Verbose = true
 		case arg == "--override-gate":
 			cfg.OverrideGate = true
+		case strings.HasPrefix(arg, "--rules-file="):
+			cfg.RulesFile = strings.TrimPrefix(arg, "--rules-file=")
+		case arg == "--rules-file":
+			i++
+			if i >= len(args) {
+				return nil, fmt.Errorf("--rules-file requires a file path argument")
+			}
+			cfg.RulesFile = args[i]
+		case strings.HasPrefix(arg, "--telemetry-out="):
+			cfg.TelemetryOutFile = strings.TrimPrefix(arg, "--telemetry-out=")
+		case arg == "--telemetry-out":
+			i++
+			if i >= len(args) {
+				return nil, fmt.Errorf("--telemetry-out requires a file path argument")
+			}
+			cfg.TelemetryOutFile = args[i]
 		case strings.HasPrefix(arg, "--log-level="):
 			level := strings.ToLower(strings.TrimPrefix(arg, "--log-level="))
 			switch level {
@@ -290,6 +322,16 @@ func Parse(args []string) (*Config, error) {
 		return nil, fmt.Errorf("--npmrc, --pipconfig, --pnpmrc, --bunfig, and --yarnrc are mutually exclusive; pick one")
 	}
 
+	// Env-var equivalents for the dev-only flags, so an installed
+	// launchd/systemd unit need not change to exercise the offline harness.
+	// An explicit flag wins over the env var.
+	if cfg.RulesFile == "" {
+		cfg.RulesFile = os.Getenv("STEPSECURITY_RULES_FILE")
+	}
+	if cfg.TelemetryOutFile == "" {
+		cfg.TelemetryOutFile = os.Getenv("STEPSECURITY_TELEMETRY_OUT")
+	}
+
 	// --install-dir= (explicit empty) disables file logging by routing
 	// paths.Home() to "" globally. That conflicts with `install` /
 	// `uninstall`, whose platform installers (systemd / launchd) call

internal/cli/cli_devflags_test.go

@@ -0,0 +1,58 @@
+package cli
+
+import "testing"
+
+func TestParse_RulesFileAndTelemetryOut(t *testing.T) {
+	cfg, err := Parse([]string{"send-telemetry", "--rules-file=/tmp/rules.json", "--telemetry-out=/tmp/out.json"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if cfg.RulesFile != "/tmp/rules.json" {
+		t.Errorf("RulesFile = %q", cfg.RulesFile)
+	}
+	if cfg.TelemetryOutFile != "/tmp/out.json" {
+		t.Errorf("TelemetryOutFile = %q", cfg.TelemetryOutFile)
+	}
+}
+
+func TestParse_DevFlagsSeparateValue(t *testing.T) {
+	cfg, err := Parse([]string{"--rules-file", "r.json", "--telemetry-out", "o.json"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if cfg.RulesFile != "r.json" || cfg.TelemetryOutFile != "o.json" {
+		t.Errorf("got RulesFile=%q TelemetryOutFile=%q", cfg.RulesFile, cfg.TelemetryOutFile)
+	}
+}
+
+func TestParse_DevFlagsMissingValue(t *testing.T) {
+	if _, err := Parse([]string{"--rules-file"}); err == nil {
+		t.Error("--rules-file without value should error")
+	}
+	if _, err := Parse([]string{"--telemetry-out"}); err == nil {
+		t.Error("--telemetry-out without value should error")
+	}
+}
+
+func TestParse_DevFlagsEnvVarFallback(t *testing.T) {
+	t.Setenv("STEPSECURITY_RULES_FILE", "/env/rules.json")
+	t.Setenv("STEPSECURITY_TELEMETRY_OUT", "/env/out.json")
+	cfg, err := Parse([]string{})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if cfg.RulesFile != "/env/rules.json" || cfg.TelemetryOutFile != "/env/out.json" {
+		t.Errorf("env fallback failed: RulesFile=%q TelemetryOutFile=%q", cfg.RulesFile, cfg.TelemetryOutFile)
+	}
+}
+
+func TestParse_FlagBeatsEnvVar(t *testing.T) {
+	t.Setenv("STEPSECURITY_RULES_FILE", "/env/rules.json")
+	cfg, err := Parse([]string{"--rules-file=/flag/rules.json"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if cfg.RulesFile != "/flag/rules.json" {
+		t.Errorf("explicit flag should win over env var, got %q", cfg.RulesFile)
+	}
+}

internal/detector/brew_test.go

@@ -2,9 +2,11 @@ package detector
 
 import (
 	"context"
+	"encoding/base64"
 	"testing"
 
 	"github.com/step-security/dev-machine-guard/internal/executor"
+	"github.com/step-security/dev-machine-guard/internal/model"
 	"github.com/step-security/dev-machine-guard/internal/progress"
 )
 
@@ -76,56 +78,61 @@ func TestBrewDetector_ListCasks(t *testing.T) {
 	}
 }
 
-func TestBrewScanner_Formulae(t *testing.T) {
-	mock := executor.NewMock()
-	mock.SetPath("brew", "/opt/homebrew/bin/brew")
-	mock.SetCommand("curl 8.4.0\ngit 2.43.0\n", "", 0, "brew", "list", "--formula", "--versions")
-
-	log := newTestLogger()
-	scanner := NewBrewScanner(mock, log)
-	result, ok := scanner.ScanFormulae(context.Background())
-
-	if !ok {
-		t.Fatal("expected scan to succeed")
+func TestBrewScanner_FormulaeResult(t *testing.T) {
+	scanner := NewBrewScanner(executor.NewMock(), newTestLogger())
+	pkgs := []model.BrewPackage{
+		{Name: "curl", Version: "8.4.0"},
+		{Name: "git", Version: "2.43.0"},
 	}
+	result := scanner.FormulaeResult(pkgs)
+
 	if result.ScanType != "formulae" {
 		t.Errorf("expected scan type formulae, got %s", result.ScanType)
 	}
-	if result.RawStdoutBase64 == "" {
-		t.Error("expected non-empty base64 stdout")
-	}
 	if result.ExitCode != 0 {
 		t.Errorf("expected exit code 0, got %d", result.ExitCode)
 	}
+	if result.LineCount != 2 {
+		t.Errorf("expected line count 2, got %d", result.LineCount)
+	}
+	decoded, err := base64.StdEncoding.DecodeString(result.RawStdoutBase64)
+	if err != nil {
+		t.Fatalf("base64 decode failed: %v", err)
+	}
+	want := "curl 8.4.0\ngit 2.43.0\n"
+	if string(decoded) != want {
+		t.Errorf("stdout mismatch: got %q, want %q", string(decoded), want)
+	}
 }
 
-func TestBrewScanner_Casks(t *testing.T) {
-	mock := executor.NewMock()
-	mock.SetPath("brew", "/opt/homebrew/bin/brew")
-	mock.SetCommand("firefox 120.0\ngoogle-chrome 120.0.6099.109\n", "", 0, "brew", "list", "--cask", "--versions")
-
-	log := newTestLogger()
-	scanner := NewBrewScanner(mock, log)
-	result, ok := scanner.ScanCasks(context.Background())
-
-	if !ok {
-		t.Fatal("expected scan to succeed")
+func TestBrewScanner_CasksResult(t *testing.T) {
+	scanner := NewBrewScanner(executor.NewMock(), newTestLogger())
+	pkgs := []model.BrewPackage{
+		{Name: "firefox", Version: "120.0"},
+		{Name: "google-chrome", Version: "120.0.6099.109"},
 	}
+	result := scanner.CasksResult(pkgs)
+
 	if result.ScanType != "casks" {
 		t.Errorf("expected scan type casks, got %s", result.ScanType)
 	}
+	if result.LineCount != 2 {
+		t.Errorf("expected line count 2, got %d", result.LineCount)
+	}
 	if result.RawStdoutBase64 == "" {
 		t.Error("expected non-empty base64 stdout")
 	}
 }
 
-func TestBrewScanner_NotInstalled(t *testing.T) {
-	mock := executor.NewMock()
-	log := newTestLogger()
-	scanner := NewBrewScanner(mock, log)
+func TestBrewScanner_EmptyInput(t *testing.T) {
+	scanner := NewBrewScanner(executor.NewMock(), newTestLogger())
+	result := scanner.FormulaeResult(nil)
 
-	_, ok := scanner.ScanFormulae(context.Background())
-	if ok {
-		t.Error("expected scan to fail when brew is not installed")
+	if result.LineCount != 0 {
+		t.Errorf("expected line count 0, got %d", result.LineCount)
+	}
+	decoded, _ := base64.StdEncoding.DecodeString(result.RawStdoutBase64)
+	if len(decoded) != 0 {
+		t.Errorf("expected empty stdout, got %q", string(decoded))
 	}
 }