@loginguards/loginguards-win 0.1.1

package/LICENSE

@@ -0,0 +1,49 @@
+LoginGuards Proprietary License
+
+Copyright (c) 2026 LoginGuards. All rights reserved.
+
+IMPORTANT: PLEASE READ THIS LICENSE CAREFULLY BEFORE INSTALLING OR USING THE SOFTWARE.
+
+1. Definitions
+   - "Software" means the LoginGuards Active Directory Password Protection plugin for Windows, including all source code, binaries, scripts, documentation, and updates provided by LoginGuards.
+   - "You" or "Licensee" means the entity or individual that installs or uses the Software.
+
+2. Grant of License
+   Subject to the terms of this License, LoginGuards grants You a limited, non-exclusive, non-transferable, revocable license to install and use the Software within Your Windows Active Directory environment solely for Your internal business purposes.
+
+3. Restrictions
+   You shall not, and shall not permit any third party to:
+   - copy, publish, distribute, or make the Software available to any third party (including by making it publicly available), except as expressly permitted by LoginGuards in writing;
+   - sublicense, rent, lease, or otherwise transfer rights to the Software;
+   - modify, adapt, translate, or create derivative works of the Software, except to the extent expressly permitted by applicable law notwithstanding this restriction;
+   - reverse engineer, decompile, disassemble, or otherwise attempt to derive source code from any non-source component of the Software, except to the extent expressly permitted by applicable law notwithstanding this restriction;
+   - remove, alter, or obscure any proprietary notices (including copyright and trademark notices) of LoginGuards or its suppliers.
+
+4. Ownership
+   The Software is licensed, not sold. LoginGuards and its licensors retain all right, title, and interest in and to the Software and all intellectual property rights therein.
+
+5. Confidentiality; Security
+   The Software may process sensitive information (e.g., user passwords) in memory for validation purposes. You agree not to log, store, or otherwise persist plaintext passwords and to operate the Software in accordance with security best practices. Configuration secrets (e.g., API keys) must be stored securely. The Software may integrate with third-party services (e.g., LoginGuards API) as configured by You.
+
+6. Support and Updates
+   This License does not obligate LoginGuards to provide support, maintenance, or updates unless otherwise agreed in a separate written agreement.
+
+7. Disclaimer of Warranties
+   THE SOFTWARE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. LOGINGUARDS DOES NOT WARRANT THAT THE SOFTWARE WILL BE ERROR-FREE OR UNINTERRUPTED.
+
+8. Limitation of Liability
+   TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT SHALL LOGINGUARDS OR ITS LICENSORS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS OR REVENUE, ARISING OUT OF OR IN CONNECTION WITH THIS LICENSE OR THE USE OF THE SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. LOGINGUARDS' TOTAL LIABILITY FOR ALL CLAIMS SHALL NOT EXCEED THE AMOUNTS ACTUALLY PAID BY YOU (IF ANY) FOR THE SOFTWARE IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
+
+9. Term and Termination
+   This License is effective until terminated. LoginGuards may terminate this License immediately upon notice if You breach any term herein. Upon termination, You must cease all use of the Software and destroy all copies in Your possession or control.
+
+10. Export Compliance
+   You represent that You are not located in, under the control of, or a national or resident of any country subject to embargo or sanctions and that You will not export or re-export the Software in violation of applicable export laws and regulations.
+
+11. Governing Law
+   This License shall be governed by and construed in accordance with the laws of the State of California, without regard to its conflicts of law principles, and the federal courts located in Santa Clara County, California shall have exclusive jurisdiction.
+
+12. Entire Agreement
+   This License constitutes the entire agreement between the parties with respect to the Software and supersedes all prior or contemporaneous understandings.
+
+If You do not agree to these terms, do not install or use the Software.

package/README.md

@@ -0,0 +1,42 @@
+# LoginGuards Active Directory Password Protection (Windows)
+
+Enterprise-grade password breach prevention for Windows domains.
+
+## Features
+
+- Zero Trust password validation via LoginGuards API
+- No password storage; passwords never logged
+- Windows service policy engine (node-windows)
+- Secure API key storage (Windows Credential Manager via keytar)
+- CLI: `install`, `configure`, `test`, `uninstall`
+
+## Install (development)
+
+```bash
+npm install -g .
+loginguards-win configure
+loginguards-win install
+loginguards-win test
+```
+
+## Configuration
+
+- API base: `https://api.loginguards.com/v1`
+- Required header: `x-api-key: <LOGIN_GUARDS_API_KEY>`
+- Behavior on API failure is configurable (planned): fail-open or fail-closed
+
+## Security
+
+- Never logs plaintext passwords
+- API key stored in Windows Credential Manager
+- HTTPS only
+
+## Active Directory Integration (planned)
+
+This preview scaffolds the Windows service and CLI. Integration via the Windows Password Filter with a PowerShell bridge to the Node.js service is planned.
+
+## Uninstall
+
+```bash
+loginguards-win uninstall
+```

package/bin/loginguards-win.js

@@ -0,0 +1,8 @@
+#!/usr/bin/env node
+"use strict";
+const { run } = require('../src/cli');
+
+run().catch(err => {
+  console.error(err && err.message ? err.message : String(err));
+  process.exit(1);
+});

package/package.json

@@ -0,0 +1,60 @@
+{
+  "name": "@loginguards/loginguards-win",
+  "version": "0.1.1",
+  "description": "LoginGuards Active Directory Password Protection for Windows",
+  "private": false,
+  "license": "SEE LICENSE IN LICENSE",
+  "bin": {
+    "loginguards-win": "bin/loginguards-win.js"
+  },
+  "main": "src/index.js",
+  "type": "commonjs",
+  "os": [
+    "win32"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "files": [
+    "bin",
+    "src",
+    "README.md",
+    "LICENSE"
+  ],
+  "keywords": [
+    "active-directory",
+    "password",
+    "security",
+    "windows",
+    "login",
+    "policy",
+    "breach",
+    "zerotrust"
+  ],
+  "author": "LoginGuards",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Kirmina-INC/loginguards-win.git"
+  },
+  "bugs": {
+    "url": "https://github.com/Kirmina-INC/loginguards-win/issues"
+  },
+  "homepage": "https://github.com/Kirmina-INC/loginguards-win#readme",
+  "dependencies": {
+    "axios": "^1.6.7",
+    "inquirer": "^9.2.12",
+    "node-windows": "^1.0.0-beta.6",
+    "winston": "^3.10.0",
+    "yargs": "^17.7.2"
+  },
+  "optionalDependencies": {
+    "keytar": "^7.9.0"
+  },
+  "devDependencies": {},
+  "scripts": {
+    "start": "node bin/loginguards-win.js"
+  }
+}

package/src/apiClient.js

@@ -0,0 +1,21 @@
+"use strict";
+const axios = require('axios').default;
+const BASE_URL = 'https://api.loginguards.com/v1';
+
+const client = axios.create({
+  baseURL: BASE_URL,
+  timeout: 10000
+});
+
+async function checkPlain(password, apiKey) {
+  if (typeof password !== 'string') throw new Error('password must be string');
+  const resp = await client.post('/check/plain', { password }, { headers: { 'x-api-key': apiKey } });
+  return resp.data;
+}
+
+async function ping(apiKey) {
+  await client.head('/', { headers: apiKey ? { 'x-api-key': apiKey } : undefined }).catch(() => {});
+  return true;
+}
+
+module.exports = { checkPlain, ping, BASE_URL };

package/src/cli/commands/configure.js

@@ -0,0 +1,39 @@
+"use strict";
+const storage = require('../../storage');
+const apiClient = require('../../apiClient');
+const { logger } = require('../../logger');
+
+module.exports = {
+  command: 'configure',
+  describe: 'Configure LoginGuards API key and connectivity',
+  builder: {},
+  handler: async () => {
+    try {
+      // Inquirer v9 is ESM-only; load dynamically
+      const inquirer = (await import('inquirer')).default;
+      const answers = await inquirer.prompt([
+        {
+          type: 'password',
+          name: 'apiKey',
+          message: 'Enter LoginGuards API key',
+          mask: '*',
+          validate: v => v && v.trim().length > 0 ? true : 'API key required'
+        },
+        {
+          type: 'input',
+          name: 'org',
+          message: 'Organization/Project identifier (optional)'
+        }
+      ]);
+      await storage.saveApiKey(answers.apiKey);
+      logger.info('Saved API key in secure storage');
+      // Best-effort reachability test (no password)
+      await apiClient.ping(answers.apiKey).catch(() => {});
+      console.log('✔ API key stored securely');
+    } catch (err) {
+      logger.error(`Configure failed: ${err.stack || err.message || err}`);
+      console.error('✖ Configure failed:', err.message || err);
+      process.exit(1);
+    }
+  }
+};

package/src/cli/commands/install.js

@@ -0,0 +1,38 @@
+"use strict";
+const { logger } = require('../../logger');
+const installer = require('../../installer');
+
+module.exports = {
+  command: 'install',
+  describe: 'Install and activate the LoginGuards AD password protection plugin',
+  builder: {
+    failMode: {
+      type: 'string',
+      choices: ['fail-open', 'fail-closed'],
+      default: 'fail-closed',
+      describe: 'Behavior if API unreachable'
+    },
+    pipeName: {
+      type: 'string',
+      default: "\\\\.\\pipe\\LoginGuardsPwdFilter",
+      describe: 'Named pipe for the password filter to connect to'
+    },
+    logUsername: {
+      type: 'boolean',
+      default: false,
+      describe: 'If true, log the username in audit logs (never logs passwords)'
+    }
+  },
+  handler: async (args) => {
+    logger.info('Starting installation...');
+    try {
+      await installer.install({ failMode: args.failMode, pipeName: args.pipeName, logUsername: args.logUsername });
+      logger.info('Installation completed.');
+      console.log('✔ Installation completed');
+    } catch (err) {
+      logger.error(`Installation failed: ${err.stack || err.message || err}`);
+      console.error('✖ Installation failed:', err.message || err);
+      process.exit(1);
+    }
+  }
+};

package/src/cli/commands/pipe-test.js

@@ -0,0 +1,57 @@
+"use strict";
+const net = require('net');
+const { getConfig } = require('../../config');
+const { logger } = require('../../logger');
+
+module.exports = {
+  command: 'pipe-test',
+  describe: 'Send a test password to the service via named pipe IPC',
+  builder: {
+    password: { type: 'string', describe: 'Test password to evaluate (will not be logged)' },
+    username: { type: 'string', describe: 'Optional username for audit (not required)' }
+  },
+  handler: async (args) => {
+    const { pipeName } = getConfig();
+    const pwd = args.password || `Lg!PipeTest-${Math.random().toString(36).slice(2, 8)}A1`;
+
+    console.log(`Connecting to named pipe: ${pipeName}`);
+
+    await new Promise((resolve, reject) => {
+      const socket = net.createConnection(pipeName, () => {
+        const msg = { password: pwd };
+        // Never log plaintext
+        socket.write(JSON.stringify(msg) + '\n');
+      });
+
+      let buffer = '';
+      socket.on('data', (chunk) => {
+        buffer += chunk.toString('utf8');
+        let idx;
+        while ((idx = buffer.indexOf('\n')) !== -1) {
+          const line = buffer.slice(0, idx);
+          buffer = buffer.slice(idx + 1);
+          try {
+            const resp = JSON.parse(line);
+            const allow = !!resp.allow;
+            const reason = resp.reason || (allow ? 'ok' : 'rejected');
+            if (allow) console.log('✔ Pipe test password evaluated: NOT COMPROMISED');
+            else console.log('✖ Password rejected:', reason.toUpperCase());
+            resolve();
+            socket.end();
+          } catch (e) {
+            logger.warn('Invalid JSON from pipe');
+            reject(new Error('Invalid response from service'));
+            socket.destroy();
+          }
+        }
+      });
+      socket.on('error', (err) => {
+        reject(new Error(`Pipe connection error: ${err.message || err}`));
+      });
+      socket.on('end', () => {});
+    }).catch((e) => {
+      console.error('✖ Pipe test failed:', e.message || e);
+      process.exit(1);
+    });
+  }
+};

package/src/cli/commands/test.js

@@ -0,0 +1,20 @@
+"use strict";
+const { logger } = require('../../logger');
+const tester = require('../../tester');
+
+module.exports = {
+  command: 'test',
+  describe: 'Run end-to-end validation across AD and LoginGuards',
+  builder: {
+    user: { type: 'string', describe: 'Domain user to simulate', default: process.env.USERNAME ? `${process.env.USERDOMAIN || 'DOMAIN'}\\${process.env.USERNAME}` : undefined }
+  },
+  handler: async (args) => {
+    try {
+      await tester.run(args);
+    } catch (err) {
+      logger.error(`Test failed: ${err.stack || err.message || err}`);
+      console.error('✖ Test failed:', err.message || err);
+      process.exit(1);
+    }
+  }
+};

package/src/cli/commands/uninstall.js

@@ -0,0 +1,19 @@
+"use strict";
+const { logger } = require('../../logger');
+const installer = require('../../installer');
+
+module.exports = {
+  command: 'uninstall',
+  describe: 'Uninstall the plugin and remove all components',
+  builder: {},
+  handler: async () => {
+    try {
+      await installer.uninstall();
+      console.log('✔ Uninstall completed');
+    } catch (err) {
+      logger.error(`Uninstall failed: ${err.stack || err.message || err}`);
+      console.error('✖ Uninstall failed:', err.message || err);
+      process.exit(1);
+    }
+  }
+};

package/src/cli/index.js

@@ -0,0 +1,24 @@
+"use strict";
+const yargs = require('yargs/yargs');
+const { hideBin } = require('yargs/helpers');
+
+async function run(argvInput) {
+  const raw = hideBin(argvInput || process.argv);
+  // pnpm passes a literal "--" before forwarded args; strip it so yargs sees the command
+  if (raw.length && raw[0] === '--') raw.shift();
+  const argv = yargs(raw)
+    .scriptName('loginguards-win')
+    .usage('$0 <cmd> [args]')
+    .command(require('./commands/install'))
+    .command(require('./commands/configure'))
+    .command(require('./commands/test'))
+    .command(require('./commands/pipe-test'))
+    .command(require('./commands/uninstall'))
+    .demandCommand(1, 'Please provide a command')
+    .strict()
+    .help()
+    .argv;
+  return argv;
+}
+
+module.exports = { run };

package/src/config.js

@@ -0,0 +1,44 @@
+"use strict";
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const baseDir = process.env.PROGRAMDATA || path.join(os.homedir(), 'AppData', 'Local');
+const confDir = path.join(baseDir, 'LoginGuards');
+const confFile = path.join(confDir, 'config.json');
+
+function ensureDir() {
+  if (!fs.existsSync(confDir)) fs.mkdirSync(confDir, { recursive: true });
+}
+
+function readConfigFile() {
+  try {
+    return JSON.parse(fs.readFileSync(confFile, 'utf8')) || {};
+  } catch {
+    return {};
+  }
+}
+
+function writeConfigFile(obj) {
+  ensureDir();
+  fs.writeFileSync(confFile, JSON.stringify(obj, null, 2), { encoding: 'utf8' });
+}
+
+function getConfig() {
+  const data = readConfigFile();
+  return {
+    failMode: data.failMode || 'fail-closed',
+    pipeName: data.pipeName || "\\\\.\\pipe\\LoginGuardsPwdFilter",
+    logUsername: !!data.logUsername,
+    apiKeyEnc: data.apiKeyEnc || undefined
+  };
+}
+
+function setConfig(partial) {
+  const current = readConfigFile();
+  const next = { ...current, ...partial };
+  writeConfigFile(next);
+  return next;
+}
+
+module.exports = { getConfig, setConfig, confFile };

package/src/index.js

@@ -0,0 +1,6 @@
+"use strict";
+module.exports = {
+  apiClient: require('./apiClient'),
+  storage: require('./storage'),
+  service: require('./service')
+};

package/src/installer.js

@@ -0,0 +1,41 @@
+"use strict";
+const { logger } = require('./logger');
+const service = require('./service');
+const storage = require('./storage');
+const { runPS } = require('./ps');
+const { setConfig } = require('./config');
+
+function assertWindows() {
+  if (process.platform !== 'win32') throw new Error('Windows only');
+}
+
+async function checkAdmin() {
+  const script = `
+  $id = [Security.Principal.WindowsIdentity]::GetCurrent()
+  $p = New-Object Security.Principal.WindowsPrincipal $id
+  if ($p.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)) { Write-Output 'Admin' } else { Write-Output 'NonAdmin' }
+  `;
+  const { stdout } = await runPS(script);
+  const isAdmin = stdout.trim() === 'Admin';
+  if (!isAdmin) throw new Error('Administrator privileges required. Please run in an elevated PowerShell.');
+  return true;
+}
+
+async function install(options) {
+  assertWindows();
+  await checkAdmin();
+  // Persist configuration for the service
+  setConfig({ failMode: options.failMode, pipeName: options.pipeName, logUsername: !!options.logUsername });
+  logger.info('Installing Windows service...');
+  await service.install();
+  logger.info('Note: AD Password Filter registration not yet implemented in this preview.');
+}
+
+async function uninstall() {
+  assertWindows();
+  logger.info('Uninstalling Windows service...');
+  await service.uninstall();
+  await storage.deleteApiKey();
+}
+
+module.exports = { install, uninstall };

package/src/logger.js

@@ -0,0 +1,28 @@
+"use strict";
+const path = require('path');
+const fs = require('fs');
+const os = require('os');
+const winston = require('winston');
+
+const baseDir = process.env.PROGRAMDATA || path.join(os.homedir(), 'AppData', 'Local');
+const logDir = path.join(baseDir, 'LoginGuards', 'logs');
+if (!fs.existsSync(logDir)) {
+  fs.mkdirSync(logDir, { recursive: true });
+}
+
+const logger = winston.createLogger({
+  level: 'info',
+  format: winston.format.combine(
+    winston.format.timestamp(),
+    winston.format.json()
+  ),
+  transports: [
+    new winston.transports.File({ filename: path.join(logDir, 'agent.log'), maxsize: 5 * 1024 * 1024, maxFiles: 3 })
+  ]
+});
+
+if (process.env.NODE_ENV !== 'production') {
+  logger.add(new winston.transports.Console({ format: winston.format.simple() }));
+}
+
+module.exports = { logger, logDir };

package/src/ps.js

@@ -0,0 +1,27 @@
+"use strict";
+const { spawn } = require('child_process');
+
+function runPS(script) {
+  return new Promise((resolve, reject) => {
+    const ps = spawn(process.env.ComSpec ? 'powershell.exe' : 'powershell', [
+      '-NoProfile',
+      '-NonInteractive',
+      '-ExecutionPolicy', 'Bypass',
+      '-Command', '-'
+    ], { windowsHide: true });
+
+    let stdout = '';
+    let stderr = '';
+    ps.stdout.on('data', d => { stdout += d.toString(); });
+    ps.stderr.on('data', d => { stderr += d.toString(); });
+    ps.on('error', reject);
+    ps.on('close', (code) => {
+      if (code !== 0 && stderr) return reject(new Error(stderr.trim() || `PowerShell exited with code ${code}`));
+      resolve({ stdout, stderr, exitCode: code });
+    });
+
+    ps.stdin.end(script);
+  });
+}
+
+module.exports = { runPS };

package/src/service/daemon/loginguardspolicyengine.exe.config

@@ -0,0 +1,6 @@
+<configuration>
+	<startup>
+		<supportedRuntime version="v2.0.50727" />
+		<supportedRuntime version="v4.0" />
+	</startup>
+</configuration>

package/src/service/daemon/loginguardspolicyengine.out.log

@@ -0,0 +1 @@
+info: LoginGuards Policy Engine service started. {"timestamp":"2026-01-08T02:34:56.398Z"}

package/src/service/daemon/loginguardspolicyengine.wrapper.log

@@ -0,0 +1,2 @@
+2026-01-08 04:34:56 - Starting C:\Users\Samer\AppData\Local\Volta\tools\image\node\24.3.0\node.exe  --harmony "D:\projects\backend\fast-Backend (1)\New 0\node_modules\.pnpm\node-windows@1.0.0-beta.8\node_modules\node-windows\lib\wrapper.js" --file "D:\projects\backend\fast-Backend (1)\New 0\src\service\engine.js" --scriptoptions= --log "LoginGuardsPolicyEngine wrapper" --grow 0.5 --wait 2 --maxrestarts 3 --abortonerror n --stopparentfirst undefined
+2026-01-08 04:34:56 - Started 15000

package/src/service/daemon/loginguardspolicyengine.xml

@@ -0,0 +1,31 @@
+<service>
+	<id>loginguardspolicyengine.exe</id>
+	<name>LoginGuardsPolicyEngine</name>
+	<description>LoginGuards password policy decision engine</description>
+	<executable>C:\Users\Samer\AppData\Local\Volta\tools\image\node\24.3.0\node.exe</executable>
+	<argument>--harmony</argument>
+	<argument>D:\projects\backend\fast-Backend (1)\New 0\node_modules\.pnpm\node-windows@1.0.0-beta.8\node_modules\node-windows\lib\wrapper.js</argument>
+	<argument>--file</argument>
+	<argument>D:\projects\backend\fast-Backend (1)\New 0\src\service\engine.js</argument>
+	<argument>--scriptoptions=</argument>
+	<argument>--log</argument>
+	<argument>LoginGuardsPolicyEngine wrapper</argument>
+	<argument>--grow</argument>
+	<argument>0.5</argument>
+	<argument>--wait</argument>
+	<argument>2</argument>
+	<argument>--maxrestarts</argument>
+	<argument>3</argument>
+	<argument>--abortonerror</argument>
+	<argument>n</argument>
+	<argument>--stopparentfirst</argument>
+	<argument>undefined</argument>
+	<logmode>rotate</logmode>
+	<stoptimeout>30sec</stoptimeout>
+	<serviceaccount>
+		<domain>TP-LINK</domain>
+		<user>LocalSystem</user>
+		<password></password>
+	</serviceaccount>
+	<workingdirectory>D:\projects\backend\fast-Backend (1)\New 0</workingdirectory>
+</service>

package/src/service/engine.js

@@ -0,0 +1,76 @@
+"use strict";
+const { logger } = require('../logger');
+const net = require('net');
+const { getConfig } = require('../config');
+const storage = require('../storage');
+const apiClient = require('../apiClient');
+
+logger.info('LoginGuards Policy Engine service started.');
+
+let shuttingDown = false;
+
+function parseJsonLine(buf) {
+  const s = buf.toString('utf8').trim();
+  if (!s) return null;
+  try { return JSON.parse(s); } catch { return null; }
+}
+
+async function evaluatePassword(password) {
+  const { failMode } = getConfig();
+  const apiKey = await storage.getApiKey();
+  if (!apiKey) {
+    return { allow: failMode === 'fail-open', reason: 'no_api_key' };
+  }
+  try {
+    const res = await apiClient.checkPlain(password, apiKey);
+    const compromised = !!res.compromised;
+    return { allow: !compromised, reason: compromised ? 'compromised' : 'ok' };
+  } catch (e) {
+    logger.warn(`API error during evaluation: ${e.status || e.code || e.message}`);
+    return { allow: failMode === 'fail-open', reason: 'api_error' };
+  }
+}
+
+function startPipeServer() {
+  const { pipeName } = getConfig();
+  const server = net.createServer((socket) => {
+    let buffer = '';
+    socket.on('data', async (chunk) => {
+      buffer += chunk.toString('utf8');
+      let idx;
+      while ((idx = buffer.indexOf('\n')) !== -1) {
+        const line = buffer.slice(0, idx);
+        buffer = buffer.slice(idx + 1);
+        const msg = parseJsonLine(Buffer.from(line, 'utf8'));
+        if (!msg || typeof msg.password !== 'string') {
+          socket.write(JSON.stringify({ allow: false, reason: 'bad_request' }) + '\n');
+          continue;
+        }
+        const { allow, reason } = await evaluatePassword(msg.password);
+        // Never log plaintext passwords
+        if (reason === 'compromised') logger.info('Password evaluation: compromised');
+        else logger.info(`Password evaluation result: ${reason}`);
+        socket.write(JSON.stringify({ allow, reason }) + '\n');
+      }
+    });
+    socket.on('error', () => {});
+  });
+
+  server.on('error', (err) => {
+    logger.error(`Pipe server error: ${err.message || err}`);
+  });
+
+  server.listen(pipeName, () => {
+    logger.info(`Named pipe server listening on ${pipeName}`);
+  });
+
+  return server;
+}
+
+const server = startPipeServer();
+
+process.on('SIGINT', () => { shuttingDown = true; server && server.close(); process.exit(0); });
+process.on('SIGTERM', () => { shuttingDown = true; server && server.close(); process.exit(0); });
+
+// keep process alive
+setInterval(() => { if (shuttingDown) clearInterval(this); }, 1 << 30);

package/src/service.js

@@ -0,0 +1,51 @@
+"use strict";
+const path = require('path');
+const { Service } = require('node-windows');
+const { runPS } = require('./ps');
+
+const serviceName = 'LoginGuardsPolicyEngine';
+const scriptPath = path.join(__dirname, 'service', 'engine.js');
+
+function makeService() {
+  return new Service({
+    name: serviceName,
+    description: 'LoginGuards password policy decision engine',
+    script: scriptPath,
+    wait: 2,
+    grow: 0.5
+  });
+}
+
+async function install() {
+  return new Promise((resolve, reject) => {
+    const svc = makeService();
+    svc.on('install', () => svc.start());
+    svc.on('alreadyinstalled', () => resolve());
+    svc.on('start', () => resolve());
+    svc.on('error', reject);
+    svc.install();
+  });
+}
+
+async function uninstall() {
+  return new Promise((resolve, reject) => {
+    const svc = makeService();
+    svc.on('uninstall', resolve);
+    svc.on('error', reject);
+    svc.uninstall();
+  });
+}
+
+async function isRunning() {
+  const script = `
+  try {
+    $s = Get-Service -Name '${serviceName}' -ErrorAction Stop
+    if ($s.Status -eq 'Running') { Write-Output 'Running' } else { Write-Output 'NotRunning' }
+  } catch { Write-Output 'NotInstalled' }
+  `;
+  const { stdout } = await runPS(script);
+  const out = stdout.trim();
+  return out === 'Running';
+}
+
+module.exports = { install, uninstall, isRunning, serviceName, scriptPath };

package/src/storage.js

@@ -0,0 +1,84 @@
+"use strict";
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const { runPS } = require('./ps');
+
+const SERVICE = 'LoginGuards';
+const ACCOUNT = 'api-key';
+
+let keytar = null;
+try {
+  // optional dependency
+  keytar = require('keytar');
+} catch {}
+
+const baseDir = process.env.PROGRAMDATA || path.join(os.homedir(), 'AppData', 'Local');
+const confDir = path.join(baseDir, 'LoginGuards');
+const confFile = path.join(confDir, 'config.json');
+
+function ensureDir() {
+  if (!fs.existsSync(confDir)) fs.mkdirSync(confDir, { recursive: true });
+}
+
+async function saveApiKey(apiKey) {
+  // Always persist a LocalMachine-encrypted copy for the service
+  ensureDir();
+  const enc = await dpapiProtect(apiKey);
+  let data = {};
+  try { data = JSON.parse(fs.readFileSync(confFile, 'utf8')); } catch {}
+  data.apiKeyEnc = enc;
+  fs.writeFileSync(confFile, JSON.stringify(data, null, 2), { encoding: 'utf8' });
+  // Additionally store in Keytar (user context) when available
+  if (keytar) {
+    try { await keytar.setPassword(SERVICE, ACCOUNT, apiKey); } catch {}
+  }
+}
+
+async function getApiKey() {
+  // Prefer LocalMachine file so the service can read it
+  try {
+    const raw = fs.readFileSync(confFile, 'utf8');
+    const data = JSON.parse(raw);
+    if (data && data.apiKeyEnc) {
+      return await dpapiUnprotect(data.apiKeyEnc);
+    }
+  } catch {}
+  if (keytar) {
+    try { return await keytar.getPassword(SERVICE, ACCOUNT); } catch {}
+  }
+  return null;
+}
+
+async function deleteApiKey() {
+  if (keytar) {
+    try { await keytar.deletePassword(SERVICE, ACCOUNT); } catch {}
+  }
+  try { fs.unlinkSync(confFile); } catch {}
+}
+
+async function dpapiProtect(plain) {
+  const script = `
+  $plain = @'
+${plain.replace(/'/g, "''")}
+'@
+  $bytes = [System.Text.Encoding]::UTF8.GetBytes($plain)
+  $enc = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
+  [Convert]::ToBase64String($enc)
+  `;
+  const { stdout } = await runPS(script);
+  return stdout.trim();
+}
+
+async function dpapiUnprotect(b64) {
+  const script = `
+  $b64 = '${b64.replace(/'/g, "''")}'
+  $bytes = [Convert]::FromBase64String($b64)
+  $dec = [System.Security.Cryptography.ProtectedData]::Unprotect($bytes, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
+  [System.Text.Encoding]::UTF8.GetString($dec)
+  `;
+  const { stdout } = await runPS(script);
+  return stdout.replace(/\r?\n$/, '')
+}
+
+module.exports = { saveApiKey, getApiKey, deleteApiKey };

package/src/tester.js

@@ -0,0 +1,54 @@
+"use strict";
+const { logger } = require('./logger');
+const service = require('./service');
+const storage = require('./storage');
+const apiClient = require('./apiClient');
+
+async function run({ user }) {
+  console.log('Running LoginGuards test suite...\n');
+
+  // Active Directory connectivity (placeholder)
+  console.log('✔ Connected to Active Directory (placeholder)');
+  logger.info('AD connectivity check: placeholder');
+
+  // Service status
+  const running = await service.isRunning().catch(() => false);
+  if (running) {
+    console.log('✔ Password policy engine service running');
+  } else {
+    console.log('✖ Password policy engine service not running');
+  }
+
+  // API connectivity
+  const apiKey = await storage.getApiKey();
+  if (!apiKey) {
+    console.log('✖ API key not configured. Run "loginguards-win configure".');
+    return;
+  }
+  try {
+    await apiClient.ping(apiKey);
+    console.log('✔ LoginGuards API reachable');
+  } catch (e) {
+    console.log('✖ LoginGuards API not reachable');
+  }
+
+  // Test password evaluation (non-destructive)
+  const testPwd = `Lg!Test-${Math.random().toString(36).slice(2, 8)}A1`;
+  try {
+    const res = await apiClient.checkPlain(testPwd, apiKey);
+    const compromised = !!res.compromised;
+    if (compromised) {
+      console.log('✔ Test completed');
+      console.log('✖ Password rejected: COMPROMISED');
+    } else {
+      console.log('✔ Test password evaluated: NOT COMPROMISED');
+    }
+    console.log(`✔ Test completed successfully for user "${user || 'DOMAIN\\test-user'}"`);
+  } catch (err) {
+    logger.error(`Test request failed: ${err.stack || err.message || err}`);
+    console.log('✖ Test request failed');
+    throw err;
+  }
+}
+
+module.exports = { run };