fix(windows): use RunInDir for project package scanning

On Windows, Go's os/exec escapes double quotes with backslashes when
passing arguments to cmd.exe, but cmd.exe treats \ as a path separator.
This caused every "cd <path> && npm ls" command to fail with
"The filename, directory name, or volume label syntax is incorrect."

Result: all project-level NPM packages were missing from telemetry on
Windows (only global packages were collected).

Fix: Add RunInDir to the Executor interface which sets exec.Cmd.Dir
directly, bypassing the shell entirely. Update scanProject() and
scanYarnGlobal() to use RunInDir instead of shell cd.

Author: swarit-stepsecurity

internal/detector/nodescan.go

@@ -70,11 +70,15 @@ func (s *NodeScanner) runCmd(ctx context.Context, timeout time.Duration, name st
 
 // runShellCmd runs a shell command string, delegating to the logged-in user when running as root.
 // Falls through to the platform-aware free function for the normal (non-delegation) path.
-func (s *NodeScanner) runShellCmd(ctx context.Context, timeout time.Duration, shellCmd string) (string, string, int, error) {
+func (s *NodeScanner) runInDir(ctx context.Context, dir string, timeout time.Duration, name string, args ...string) (string, string, int, error) {
 	if s.shouldRunAsUser() {
 		ctx, cancel := context.WithTimeout(ctx, timeout)
 		defer cancel()
-		stdout, err := s.exec.RunAsUser(ctx, s.loggedInUser, shellCmd)
+		cmd := "cd " + platformShellQuote(s.exec, dir) + " && " + name
+		for _, a := range args {
+			cmd += " " + a
+		}
+		stdout, err := s.exec.RunAsUser(ctx, s.loggedInUser, cmd)
 		if err != nil {
 			if ctx.Err() == context.DeadlineExceeded {
 				return stdout, "", 124, fmt.Errorf("command timed out after %s", timeout)
@@ -83,9 +87,10 @@ func (s *NodeScanner) runShellCmd(ctx context.Context, timeout time.Duration, sh
 		}
 		return stdout, "", 0, nil
 	}
-	return runShellCmd(ctx, s.exec, timeout, shellCmd)
+	return s.exec.RunInDir(ctx, dir, timeout, name, args...)
 }
 
+
 // checkPath checks if a binary is available, using the logged-in user's PATH when running as root.
 func (s *NodeScanner) checkPath(ctx context.Context, name string) error {
 	if s.shouldRunAsUser() {
@@ -166,8 +171,8 @@ func (s *NodeScanner) scanYarnGlobal(ctx context.Context) (model.NodeScanResult,
 	}
 
 	start := time.Now()
-	shellCmd := "cd " + platformShellQuote(s.exec, globalDir) + " && yarn list --json --depth=0"
-	stdout, stderr, exitCode, _ := s.runShellCmd(ctx, 60*time.Second, shellCmd)
+	// Run directly in the global dir instead of shell cd (avoids Windows quoting issues).
+	stdout, stderr, exitCode, _ := s.runInDir(ctx, globalDir, 60*time.Second, "yarn", "list", "--json", "--depth=0")
 	duration := time.Since(start).Milliseconds()
 
 	errMsg := ""
@@ -343,11 +348,10 @@ func (s *NodeScanner) scanProject(ctx context.Context, projectDir string) model.
 	}
 
 	start := time.Now()
-	cmdStr := "cd " + platformShellQuote(s.exec, projectDir) + " && " + cmd
-	for _, a := range args {
-		cmdStr += " " + a
-	}
-	stdout, stderr, exitCode, _ := s.runShellCmd(ctx, 30*time.Second, cmdStr)
+	// Run the package manager command directly in the project directory.
+	// Avoids shell cd + quoting issues on Windows where cmd.exe misinterprets
+	// Go's backslash-escaped quotes in paths.
+	stdout, stderr, exitCode, _ := s.runInDir(ctx, projectDir, 30*time.Second, cmd, args...)
 	duration := time.Since(start).Milliseconds()
 
 	errMsg := ""

internal/detector/nodescan_test.go

@@ -154,8 +154,9 @@ func TestNodeScanner_ScanProject_Windows(t *testing.T) {
 	// DetectProjectPM uses filepath.Join which is host-dependent;
 	// construct the mock file path the same way the code will.
 	mock.SetFile(filepath.Join(`C:\Users\dev\myapp`, "package-lock.json"), []byte{})
+	// RunInDir calls Run(name, args...) directly — no shell cd needed
 	mock.SetCommand(`{"dependencies":{"lodash":{"version":"4.17.21"}}}`, "", 0,
-		"cmd", "/c", `cd "C:\Users\dev\myapp" && npm ls --json --depth=3`)
+		"npm", "ls", "--json", "--depth=3")
 
 	scanner := newTestScanner(mock)
 	result := scanner.scanProject(context.Background(), `C:\Users\dev\myapp`)
@@ -187,8 +188,9 @@ func TestNodeScanner_ScanProject_YarnBerry_Windows(t *testing.T) {
 	projectDir := `C:\Users\dev\myapp`
 	mock.SetFile(filepath.Join(projectDir, "yarn.lock"), []byte{})
 	mock.SetFile(filepath.Join(projectDir, ".yarnrc.yml"), []byte{})
+	// RunInDir calls Run(name, args...) directly — no shell cd needed
 	mock.SetCommand(`{"name":"myapp","children":[]}`, "", 0,
-		"cmd", "/c", `cd "C:\Users\dev\myapp" && yarn info --all --json`)
+		"yarn", "info", "--all", "--json")
 
 	scanner := newTestScanner(mock)
 	result := scanner.scanProject(context.Background(), projectDir)

internal/detector/shellcmd.go

@@ -1,23 +1,11 @@
 package detector
 
 import (
-	"context"
 	"strings"
-	"time"
 
 	"github.com/step-security/dev-machine-guard/internal/executor"
 )
 
-// runShellCmd runs a shell command string using the platform-appropriate shell.
-// On Unix: bash -c "command"
-// On Windows: cmd /c "command"
-func runShellCmd(ctx context.Context, exec executor.Executor, timeout time.Duration, command string) (string, string, int, error) {
-	if exec.GOOS() == "windows" {
-		return exec.RunWithTimeout(ctx, timeout, "cmd", "/c", command)
-	}
-	return exec.RunWithTimeout(ctx, timeout, "bash", "-c", command)
-}
-
 // platformShellQuote quotes a string for use in a shell command.
 // On Unix: single quotes with escaping.
 // On Windows: double quotes with escaping.

internal/executor/executor.go

@@ -20,6 +20,9 @@ type Executor interface {
 	Run(ctx context.Context, name string, args ...string) (stdout, stderr string, exitCode int, err error)
 	// RunWithTimeout executes a command with a timeout.
 	RunWithTimeout(ctx context.Context, timeout time.Duration, name string, args ...string) (stdout, stderr string, exitCode int, err error)
+	// RunInDir executes a command with a working directory and timeout.
+	// Avoids shell quoting issues with cd on Windows.
+	RunInDir(ctx context.Context, dir string, timeout time.Duration, name string, args ...string) (stdout, stderr string, exitCode int, err error)
 	// RunAsUser runs a shell command as a specific user (for root -> user delegation).
 	RunAsUser(ctx context.Context, username, command string) (string, error)
 	// LookPath searches for an executable in PATH.
@@ -87,6 +90,29 @@ func (r *Real) RunWithTimeout(ctx context.Context, timeout time.Duration, name s
 	return stdout, stderr, code, err
 }
 
+func (r *Real) RunInDir(ctx context.Context, dir string, timeout time.Duration, name string, args ...string) (string, string, int, error) {
+	ctx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+	cmd := exec.CommandContext(ctx, name, args...)
+	cmd.Dir = dir
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	exitCode := 0
+	if err != nil {
+		if exitErr, ok := err.(*exec.ExitError); ok {
+			exitCode = exitErr.ExitCode()
+		} else {
+			return stdout.String(), stderr.String(), -1, err
+		}
+	}
+	if ctx.Err() == context.DeadlineExceeded {
+		return stdout.String(), stderr.String(), 124, fmt.Errorf("command timed out after %s", timeout)
+	}
+	return stdout.String(), stderr.String(), exitCode, nil
+}
+
 func (r *Real) LookPath(name string) (string, error) {
 	return exec.LookPath(name)
 }

internal/executor/mock.go

@@ -167,6 +167,10 @@ func (m *Mock) RunWithTimeout(ctx context.Context, _ time.Duration, name string,
 	return m.Run(ctx, name, args...)
 }
 
+func (m *Mock) RunInDir(ctx context.Context, _ string, _ time.Duration, name string, args ...string) (string, string, int, error) {
+	return m.Run(ctx, name, args...)
+}
+
 func (m *Mock) RunAsUser(ctx context.Context, _ string, command string) (string, error) {
 	stdout, _, _, err := m.Run(ctx, "bash", "-c", command)
 	return stdout, err