fix: address Copilot PR review feedback

- Gate systemd install/uninstall to runtime.GOOS == "linux" with
  unsupported-platform error for other Unix targets
- Fix lock_windows.go: treat ERROR_ACCESS_DENIED as process alive
- Fix systemd.go: check daemon-reload exit code, escape paths with
  spaces in unit files
- Fix syspkg.go: check exit codes on all RunWithTimeout calls
- Fix ide.go resolveInstallDirFromBinary: correct control flow for
  resources/app/bin layout
- Fix ide.go parseDesktopExec: handle wrapper commands (env VAR=...)
  by scanning for first absolute path
- Fix ide.go resolveLinuxVersion: prefer binary inside installDir
  over PATH to avoid version mismatch

Author: swarit-stepsecurity

cmd/stepsecurity-dev-machine-guard/main.go

@@ -108,11 +108,14 @@ func main() {
 				log.Error("%v", err)
 				os.Exit(1)
 			}
-		default:
+		case "linux":
 			if err := systemd.Install(exec, log); err != nil {
 				log.Error("%v", err)
 				os.Exit(1)
 			}
+		default:
+			log.Error("Scheduled installation is not supported on %s", runtime.GOOS)
+			os.Exit(1)
 		}
 		log.Progress("Sending initial telemetry...")
 		fmt.Println()
@@ -134,11 +137,14 @@ func main() {
 				log.Error("%v", err)
 				os.Exit(1)
 			}
-		default:
+		case "linux":
 			if err := systemd.Uninstall(exec, log); err != nil {
 				log.Error("%v", err)
 				os.Exit(1)
 			}
+		default:
+			log.Error("Scheduled installation is not supported on %s", runtime.GOOS)
+			os.Exit(1)
 		}
 
 	default:

internal/detector/ide.go

@@ -302,10 +302,24 @@ func (d *IDEDetector) detectLinux(ctx context.Context, spec ideSpec) (model.IDE,
 }
 
 // resolveLinuxVersion determines the IDE version on Linux.
-// Tries: binary --version, then product-info.json (flat layout), then .eclipseproduct.
+// Prefers the binary within installDir to avoid version mismatch with a different
+// install found via PATH. Falls back to PATH lookup, then metadata files.
 func (d *IDEDetector) resolveLinuxVersion(ctx context.Context, spec ideSpec, installDir string) string {
-	// Try binary --version from PATH first (most reliable on Linux)
 	if spec.LinuxBinary != "" && spec.VersionFlag != "" {
+		// Try binary inside the detected install directory first
+		for _, relBin := range []string{
+			filepath.Join("bin", spec.LinuxBinary),
+			spec.LinuxBinary,
+		} {
+			localBin := filepath.Join(installDir, relBin)
+			if d.exec.FileExists(localBin) {
+				if v := runVersionCmd(ctx, d.exec, localBin, spec.VersionFlag); v != "unknown" {
+					return v
+				}
+			}
+		}
+
+		// Fall back to PATH (may be a different install, but better than unknown)
 		if binPath, err := d.exec.LookPath(spec.LinuxBinary); err == nil {
 			if v := runVersionCmd(ctx, d.exec, binPath, spec.VersionFlag); v != "unknown" {
 				return v
@@ -572,46 +586,55 @@ func (d *IDEDetector) discoverViaDesktopFile(spec ideSpec, homeDir string) (stri
 }
 
 // parseDesktopExec extracts the binary path from the first Exec= line in a .desktop file.
-// Strips field codes (%F, %U, etc.) and flags (--new-window, etc.).
+// Handles wrapper commands like "env VAR=val /snap/bin/code %U" by scanning tokens
+// for the first absolute path.
 func parseDesktopExec(content string) string {
 	for _, line := range strings.Split(content, "\n") {
 		line = strings.TrimSpace(line)
 		if !strings.HasPrefix(line, "Exec=") {
 			continue
 		}
 		execValue := strings.TrimPrefix(line, "Exec=")
-		// The first token is the binary path; the rest are arguments
 		parts := strings.Fields(execValue)
-		if len(parts) == 0 {
-			continue
-		}
-		binPath := parts[0]
-		// Skip entries that are just bare command names (no path)
-		if !strings.Contains(binPath, "/") {
-			continue
+
+		// Find the first token that looks like an absolute path
+		for _, token := range parts {
+			// Skip field codes (%F, %U, etc.) and flags (--foo)
+			if strings.HasPrefix(token, "%") || strings.HasPrefix(token, "-") {
+				continue
+			}
+			// Skip env var assignments (VAR=val)
+			if strings.Contains(token, "=") && !strings.HasPrefix(token, "/") {
+				continue
+			}
+			if strings.HasPrefix(token, "/") {
+				return token
+			}
 		}
-		return binPath
 	}
 	return ""
 }
 
 // resolveInstallDirFromBinary walks up from a binary path to find the app root directory.
-// Strips known bin subdirectories: /bin/, /resources/app/bin/.
+// Handles two common layouts:
+//   - /usr/share/code/bin/code           -> /usr/share/code
+//   - /usr/share/cursor/resources/app/bin/cursor -> /usr/share/cursor
 func resolveInstallDirFromBinary(binPath string) string {
 	dir := filepath.Dir(binPath)
 	base := filepath.Base(dir)
 
-	// /usr/share/code/bin/code -> /usr/share/code
-	// /opt/Windsurf/bin/windsurf -> /opt/Windsurf
-	if base == "bin" {
-		return filepath.Dir(dir)
+	if base != "bin" {
+		return dir
 	}
+
+	parent := filepath.Dir(dir)
+
+	// Check for resources/app/bin layout (Electron apps like Cursor)
 	// /usr/share/cursor/resources/app/bin/cursor -> /usr/share/cursor
-	if base == "bin" || filepath.Base(filepath.Dir(dir)) == "app" {
-		candidate := filepath.Dir(filepath.Dir(filepath.Dir(dir)))
-		if candidate != "" && candidate != "." {
-			return candidate
-		}
+	if filepath.Base(parent) == "app" && filepath.Base(filepath.Dir(parent)) == "resources" {
+		return filepath.Dir(filepath.Dir(parent))
 	}
-	return dir
+
+	// Simple /bin/ layout: /usr/share/code/bin/code -> /usr/share/code
+	return parent
 }

internal/detector/syspkg.go

@@ -72,8 +72,8 @@ func (d *SystemPkgDetector) Detect(ctx context.Context) *model.PkgManager {
 		}
 
 		version := "unknown"
-		stdout, _, _, err := d.exec.RunWithTimeout(ctx, 10*time.Second, spec.Binary, spec.VersionCmd...)
-		if err == nil {
+		stdout, _, exitCode, err := d.exec.RunWithTimeout(ctx, 10*time.Second, spec.Binary, spec.VersionCmd...)
+		if err == nil && exitCode == 0 {
 			if line := strings.TrimSpace(strings.SplitN(stdout, "\n", 2)[0]); line != "" {
 				version = line
 			}
@@ -101,8 +101,8 @@ func (d *SystemPkgDetector) ListPackages(ctx context.Context) []model.SystemPack
 			continue
 		}
 
-		stdout, _, _, err := d.exec.RunWithTimeout(ctx, 60*time.Second, spec.Binary, spec.ListCmd...)
-		if err != nil {
+		stdout, _, exitCode, err := d.exec.RunWithTimeout(ctx, 60*time.Second, spec.Binary, spec.ListCmd...)
+		if err != nil || exitCode != 0 {
 			return nil
 		}
 
@@ -158,8 +158,8 @@ func (d *SystemPkgDetector) DetectAdditionalManagers(ctx context.Context) []mode
 		}
 
 		version := "unknown"
-		stdout, _, _, err := d.exec.RunWithTimeout(ctx, 10*time.Second, pm.binary, pm.versionCmd...)
-		if err == nil {
+		stdout, _, exitCode, err := d.exec.RunWithTimeout(ctx, 10*time.Second, pm.binary, pm.versionCmd...)
+		if err == nil && exitCode == 0 {
 			if line := strings.TrimSpace(strings.SplitN(stdout, "\n", 2)[0]); line != "" {
 				version = line
 			}
@@ -181,8 +181,8 @@ func (d *SystemPkgDetector) ListSnapPackages(ctx context.Context) []model.System
 		return nil
 	}
 
-	stdout, _, _, err := d.exec.RunWithTimeout(ctx, 30*time.Second, "snap", "list")
-	if err != nil {
+	stdout, _, exitCode, err := d.exec.RunWithTimeout(ctx, 30*time.Second, "snap", "list")
+	if err != nil || exitCode != 0 {
 		return nil
 	}
 
@@ -209,9 +209,9 @@ func (d *SystemPkgDetector) ListFlatpakPackages(ctx context.Context) []model.Sys
 		return nil
 	}
 
-	stdout, _, _, err := d.exec.RunWithTimeout(ctx, 30*time.Second,
+	stdout, _, exitCode, err := d.exec.RunWithTimeout(ctx, 30*time.Second,
 		"flatpak", "list", "--app", "--columns=application,version")
-	if err != nil {
+	if err != nil || exitCode != 0 {
 		return nil
 	}
 

internal/lock/lock_windows.go

@@ -13,10 +13,12 @@ var lockFilePath = filepath.Join(os.TempDir(), "stepsecurity-dev-machine-guard.l
 
 // isProcessAlive checks if a process with the given PID exists by attempting
 // to open a handle to it. This avoids shelling out to tasklist.
+// Access-denied means the process exists but is owned by another user/session.
 func isProcessAlive(pid int) bool {
 	h, err := windows.OpenProcess(windows.PROCESS_QUERY_LIMITED_INFORMATION, false, uint32(pid))
 	if err != nil {
-		return false
+		// ERROR_ACCESS_DENIED means the process exists but we can't open it
+		return err == windows.ERROR_ACCESS_DENIED
 	}
 	_ = windows.CloseHandle(h)
 	return true

internal/systemd/systemd.go

@@ -52,8 +52,8 @@ func Install(exec executor.Executor, log *progress.Logger) error {
 	}
 
 	data := unitTemplateData{
-		BinaryPath: binaryPath,
-		LogDir:     logDir,
+		BinaryPath: systemdEscape(binaryPath),
+		LogDir:     systemdEscape(logDir),
 		Hours:      hours,
 	}
 
@@ -70,9 +70,13 @@ func Install(exec executor.Executor, log *progress.Logger) error {
 	}
 
 	// Reload and enable
-	if _, _, _, err := exec.Run(ctx, "systemctl", "--user", "daemon-reload"); err != nil {
+	_, daemonStderr, daemonExitCode, err := exec.Run(ctx, "systemctl", "--user", "daemon-reload")
+	if err != nil {
 		return fmt.Errorf("daemon-reload failed: %w", err)
 	}
+	if daemonExitCode != 0 {
+		return fmt.Errorf("daemon-reload failed (exit code %d): %s", daemonExitCode, daemonStderr)
+	}
 
 	_, stderr, exitCode, err := exec.Run(ctx, "systemctl", "--user", "enable", "--now", unitName+".timer")
 	if err != nil {
@@ -149,11 +153,17 @@ func writeTemplate(path, tmplStr string, data unitTemplateData) error {
 }
 
 type unitTemplateData struct {
-	BinaryPath string
+	BinaryPath string // systemd-escaped (spaces replaced with \x20)
 	LogDir     string
 	Hours      int
 }
 
+// systemdEscape escapes a file path for use in systemd unit files.
+// Spaces must be escaped as \x20 in ExecStart and related directives.
+func systemdEscape(path string) string {
+	return strings.ReplaceAll(path, " ", `\x20`)
+}
+
 const serviceTmpl = `[Unit]
 Description=StepSecurity Dev Machine Guard scan