@loginguards/loginguards-win 0.1.2 → 2.0.0

package/README.md

@@ -5,10 +5,11 @@ Enterprise-grade password breach prevention for Windows domains.
 ## Features
 
 - Zero Trust password validation via LoginGuards API
+- Windows Password Filter DLL for domain-wide enforcement on DCs
+- Local Windows service policy engine (named pipe IPC)
 - No password storage; passwords never logged
-- Windows service policy engine (node-windows)
 - Secure API key storage (Windows Credential Manager via keytar)
-- CLI: `install`, `configure`, `test`, `uninstall`
+- CLI: `configure`, `install`, `test`, `uninstall`, `check`, `pipe-test`
 
 ## Install (development)
 
@@ -25,7 +26,8 @@ loginguards-win --help
 
 - API base: `https://api.loginguards.com/v1`
 - Required header: `x-api-key: <LOGIN_GUARDS_API_KEY>`
-- Behavior on API failure is configurable (planned): fail-open or fail-closed
+- Behavior on API failure is configurable: `fail-open` (default) or `fail-closed`
+- Timeout default: `1500ms` (configurable)
 
 ## Security
 
@@ -33,9 +35,61 @@ loginguards-win --help
 - API key stored in Windows Credential Manager
 - HTTPS only
 
-## Active Directory Integration (planned)
+## Active Directory Integration (V2)
 
-This preview scaffolds the Windows service and CLI. Integration via the Windows Password Filter with a PowerShell bridge to the Node.js service is planned.
+V2 includes a signed x64 Windows Password Filter DLL that runs inside LSASS on Domain Controllers and communicates with the local policy engine via a named pipe (`\\.\\pipe\\LoginGuardsPwdFilter`). The service calls the LoginGuards API and returns an allow/deny decision to the DLL.
+
+Decision mapping uses the API field `breached` and returns reasons: `SAFE`, `COMPROMISED`, `API_DOWN`, `TIMEOUT`, `NO_API_KEY`. Default policy is `fail-open`.
+
+## Deployment (Domain Controller only)
+
+1. Configure API connectivity on the DC:
+   ```bash
+   loginguards-win configure
+   ```
+2. Install service and register the password filter (admin required; reboot recommended):
+   ```bash
+   # A prebuilt DLL can be bundled at assets/LoginGuardsPwdFilter/x64/LoginGuardsPwdFilter.dll
+   # Or provide an explicit path via --dllPath
+   loginguards-win install \
+     --failMode open \
+     --timeoutMs 1500 \
+     --pipeName "\\.\\pipe\\LoginGuardsPwdFilter" \
+     --reboot
+   ```
+3. Reboot is required for the password filter to load into LSASS.
+
+To uninstall on a DC:
+```bash
+loginguards-win uninstall --reboot
+```
+
+## Test and Diagnostics
+
+- Domain Controller mode:
+  ```bash
+  loginguards-win test --mode dc
+  ```
+  Validates service, pipe, registry (Notification Packages), DLL presence, API reachability, and evaluates a non-destructive test password.
+
+- Client mode (domain-joined workstation):
+  ```bash
+  loginguards-win test --mode client
+  ```
+  Shows domain membership and logon server; enforcement validation must be run on a DC.
+
+- Direct password check (no storage/logging):
+  ```bash
+  loginguards-win check --prompt
+  # or
+  loginguards-win check --password "YourPassword" --debug
+  ```
+
+## Recommended Rollout (Safety)
+
+- Deploy to a secondary Domain Controller first
+- Validate password resets/changes with test users
+- Roll out to all Domain Controllers after validation
 
 ## Uninstall
 

package/assets/LoginGuardsPwdFilter/x64/README.txt

@@ -0,0 +1,3 @@
+Place the signed 64-bit LoginGuardsPwdFilter.dll in this folder before publishing.
+Expected filename: LoginGuardsPwdFilter.dll
+This file will be copied to %SystemRoot%\System32 on Domain Controllers during installation.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@loginguards/loginguards-win",
-  "version": "0.1.2",
+  "version": "2.0.0",
   "description": "LoginGuards Active Directory Password Protection for Windows",
   "private": false,
   "license": "SEE LICENSE IN LICENSE",
@@ -21,6 +21,7 @@
   "files": [
     "bin",
     "src",
+    "assets",
     "README.md",
     "LICENSE"
   ],

package/src/apiClient.js

@@ -7,9 +7,10 @@ const client = axios.create({
   timeout: 10000
 });
 
-async function checkPlain(password, apiKey) {
+async function checkPlain(password, apiKey, options) {
   if (typeof password !== 'string') throw new Error('password must be string');
-  const resp = await client.post('/check/plain', { password }, { headers: { 'x-api-key': apiKey } });
+  const timeout = options && typeof options.timeoutMs === 'number' ? options.timeoutMs : undefined;
+  const resp = await client.post('/check/plain', { password }, { headers: { 'x-api-key': apiKey }, timeout });
   return resp.data;
 }
 

package/src/cli/commands/check.js

@@ -0,0 +1,84 @@
+"use strict";
+const storage = require('../../storage');
+const apiClient = require('../../apiClient');
+const { logger } = require('../../logger');
+
+module.exports = {
+  command: 'check',
+  describe: 'Check one or more passwords against LoginGuards (no passwords are logged or stored)',
+  builder: {
+    password: { type: 'string', describe: 'Password to check (avoid history; prefer --prompt or --stdin)' },
+    prompt: { type: 'boolean', default: false, describe: 'Securely prompt for a password' },
+    stdin: { type: 'boolean', default: false, describe: 'Read newline-separated passwords from stdin' },
+    debug: { type: 'boolean', default: false, describe: 'Print raw API response (sanitized)' }
+  },
+  handler: async (args) => {
+    const apiKey = await storage.getApiKey();
+    if (!apiKey) {
+      console.log('✖ API key not configured. Run "loginguards-win configure".');
+      process.exit(1);
+    }
+
+    async function evalOne(pwd) {
+      try {
+        const res = await apiClient.checkPlain(pwd, apiKey);
+        if (args.debug) {
+          try { console.log('debug response:', JSON.stringify(res)); } catch {}
+        }
+        const compromised = (typeof res.breached !== 'undefined') ? !!res.breached
+          : (typeof res.compromised !== 'undefined') ? !!res.compromised
+          : (typeof res.is_compromised !== 'undefined') ? !!res.is_compromised
+          : (typeof res.isCompromised !== 'undefined') ? !!res.isCompromised
+          : (typeof res.count === 'number') ? res.count > 0
+          : false;
+        if (compromised) {
+          console.log('✖ COMPROMISED');
+        } else {
+          console.log('✔ NOT COMPROMISED');
+        }
+      } catch (e) {
+        const status = e && e.response && e.response.status;
+        if (status === 401) console.log('✖ Error: Unauthorized (invalid API key)');
+        else if (status === 429) console.log('✖ Error: Rate limited');
+        else console.log('✖ Error:', e.message || String(e));
+        logger.warn(`check command API error: ${status || e.code || e.message}`);
+        process.exitCode = 1;
+      }
+    }
+
+    if (args.stdin) {
+      // batch mode from stdin
+      const chunks = [];
+      process.stdin.setEncoding('utf8');
+      process.stdin.on('data', (d) => chunks.push(d));
+      process.stdin.on('end', async () => {
+        const text = chunks.join('');
+        const lines = text.split(/\r?\n/).map(s => s.trim()).filter(Boolean);
+        if (!lines.length) { console.log('No input passwords.'); return; }
+        for (const line of lines) {
+          await evalOne(line);
+        }
+      });
+      if (process.stdin.readableEnded) {
+        // no stdin piped
+        console.log('No stdin provided. Use --password or --prompt instead.');
+      }
+      return;
+    }
+
+    if (typeof args.password === 'string' && args.password.length > 0) {
+      await evalOne(args.password);
+      return;
+    }
+
+    // prompt safely
+    try {
+      const inquirer = (await import('inquirer')).default;
+      const ans = await inquirer.prompt([{ type: 'password', name: 'pwd', message: 'Enter password to check', mask: '*', validate: v => v ? true : 'Required' }]);
+      await evalOne(ans.pwd);
+    } catch (e) {
+      console.error('✖ Prompt failed:', e.message || String(e));
+      process.exit(1);
+    }
+  }
+};

package/src/cli/commands/install.js

@@ -1,6 +1,13 @@
 "use strict";
 const { logger } = require('../../logger');
 const installer = require('../../installer');
+function normalizeFailMode(v) {
+  if (!v) return 'fail-open';
+  const s = String(v).toLowerCase();
+  if (s === 'open' || s === 'fail-open') return 'fail-open';
+  if (s === 'closed' || s === 'fail-closed') return 'fail-closed';
+  return 'fail-open';
+}
 
 module.exports = {
   command: 'install',
@@ -8,8 +15,8 @@ module.exports = {
   builder: {
     failMode: {
       type: 'string',
-      choices: ['fail-open', 'fail-closed'],
-      default: 'fail-closed',
+      choices: ['fail-open', 'fail-closed', 'open', 'closed'],
+      default: 'fail-open',
       describe: 'Behavior if API unreachable'
     },
     pipeName: {
@@ -21,12 +28,27 @@ module.exports = {
       type: 'boolean',
       default: false,
       describe: 'If true, log the username in audit logs (never logs passwords)'
+    },
+    timeoutMs: {
+      type: 'number',
+      default: 1500,
+      describe: 'Max time in milliseconds to wait for API decision (DLL also times out)'
+    },
+    dllPath: {
+      type: 'string',
+      describe: 'Path to prebuilt x64 LoginGuardsPwdFilter.dll (required on DC if not bundled)'
+    },
+    reboot: {
+      type: 'boolean',
+      default: false,
+      describe: 'If true and on DC, reboot after registering the password filter'
     }
   },
   handler: async (args) => {
     logger.info('Starting installation...');
     try {
-      await installer.install({ failMode: args.failMode, pipeName: args.pipeName, logUsername: args.logUsername });
+      const fm = normalizeFailMode(args.failMode);
+      await installer.install({ failMode: fm, pipeName: args.pipeName, logUsername: args.logUsername, timeoutMs: args.timeoutMs, dllPath: args.dllPath, reboot: args.reboot });
       logger.info('Installation completed.');
       console.log('✔ Installation completed');
     } catch (err) {

package/src/cli/commands/test.js

@@ -6,7 +6,9 @@ module.exports = {
   command: 'test',
   describe: 'Run end-to-end validation across AD and LoginGuards',
   builder: {
-    user: { type: 'string', describe: 'Domain user to simulate', default: process.env.USERNAME ? `${process.env.USERDOMAIN || 'DOMAIN'}\\${process.env.USERNAME}` : undefined }
+    user: { type: 'string', describe: 'Domain user to simulate', default: process.env.USERNAME ? `${process.env.USERDOMAIN || 'DOMAIN'}\\${process.env.USERNAME}` : undefined },
+    mode: { type: 'string', choices: ['auto', 'dc', 'client'], default: 'auto', describe: 'Validation mode: detect DC (auto), force DC or client mode' },
+    verbose: { type: 'boolean', default: false, describe: 'Print extra diagnostics' }
   },
   handler: async (args) => {
     try {

package/src/cli/commands/uninstall.js

@@ -5,10 +5,12 @@ const installer = require('../../installer');
 module.exports = {
   command: 'uninstall',
   describe: 'Uninstall the plugin and remove all components',
-  builder: {},
-  handler: async () => {
+  builder: {
+    reboot: { type: 'boolean', default: false, describe: 'If true (on DC), reboot after unregistering the password filter' }
+  },
+  handler: async (args) => {
     try {
-      await installer.uninstall();
+      await installer.uninstall({ reboot: args.reboot });
       console.log('✔ Uninstall completed');
     } catch (err) {
       logger.error(`Uninstall failed: ${err.stack || err.message || err}`);

package/src/cli/index.js

@@ -11,6 +11,7 @@ async function run(argvInput) {
     .usage('$0 <cmd> [args]')
     .command(require('./commands/install'))
     .command(require('./commands/configure'))
+    .command(require('./commands/check'))
     .command(require('./commands/test'))
     .command(require('./commands/pipe-test'))
     .command(require('./commands/uninstall'))

package/src/config.js

@@ -27,9 +27,10 @@ function writeConfigFile(obj) {
 function getConfig() {
   const data = readConfigFile();
   return {
-    failMode: data.failMode || 'fail-closed',
+    failMode: data.failMode || 'fail-open',
     pipeName: data.pipeName || "\\\\.\\pipe\\LoginGuardsPwdFilter",
     logUsername: !!data.logUsername,
+    timeoutMs: typeof data.timeoutMs === 'number' && data.timeoutMs > 0 ? data.timeoutMs : 1500,
     apiKeyEnc: data.apiKeyEnc || undefined
   };
 }

package/src/installer.js

@@ -4,6 +4,8 @@ const service = require('./service');
 const storage = require('./storage');
 const { runPS } = require('./ps');
 const { setConfig } = require('./config');
+const fs = require('fs');
+const path = require('path');
 
 function assertWindows() {
   if (process.platform !== 'win32') throw new Error('Windows only');
@@ -25,17 +27,97 @@ async function install(options) {
   assertWindows();
   await checkAdmin();
   // Persist configuration for the service
-  setConfig({ failMode: options.failMode, pipeName: options.pipeName, logUsername: !!options.logUsername });
+  setConfig({ failMode: options.failMode, pipeName: options.pipeName, logUsername: !!options.logUsername, timeoutMs: options.timeoutMs });
   logger.info('Installing Windows service...');
   await service.install();
-  logger.info('Note: AD Password Filter registration not yet implemented in this preview.');
+  // DC-only: deploy password filter DLL and register in LSA
+  const dc = await isDomainController().catch(() => false);
+  if (!dc) {
+    logger.info('Non-DC host detected; skipping password filter registration.');
+    return;
+  }
+  logger.info('Domain Controller detected; proceeding with Password Filter registration.');
+  const sys32 = process.env.WINDIR ? path.join(process.env.WINDIR, 'System32') : 'C\\\Windows\\System32';
+  const targetDll = path.join(sys32, 'LoginGuardsPwdFilter.dll');
+  let sourceDll = options.dllPath;
+  if (!sourceDll) {
+    // Try bundled asset
+    const bundled = path.join(__dirname, '..', 'assets', 'LoginGuardsPwdFilter', 'x64', 'LoginGuardsPwdFilter.dll');
+    if (fs.existsSync(bundled)) sourceDll = bundled;
+  }
+  if (!sourceDll || !fs.existsSync(sourceDll)) {
+    logger.warn('Password Filter DLL not found. Provide --dllPath to a prebuilt x64 LoginGuardsPwdFilter.dll');
+  } else {
+    logger.info(`Copying DLL to ${targetDll}`);
+    fs.copyFileSync(sourceDll, targetDll);
+  }
+  const changed = await registerPasswordFilter('LoginGuardsPwdFilter');
+  if (changed) {
+    logger.info('Password Filter registered in LSA (Notification Packages). Reboot required.');
+    if (options.reboot) {
+      logger.info('Reboot flag provided; rebooting now.');
+      await runPS('Restart-Computer -Force');
+    } else {
+      console.log('⚠ Reboot required to activate the password filter.');
+    }
+  } else {
+    logger.info('Password Filter already registered.');
+  }
 }
 
-async function uninstall() {
+async function uninstall(options = {}) {
   assertWindows();
   logger.info('Uninstalling Windows service...');
   await service.uninstall();
   await storage.deleteApiKey();
+  const dc = await isDomainController().catch(() => false);
+  if (!dc) return;
+  // DC-only cleanup
+  const removed = await unregisterPasswordFilter('LoginGuardsPwdFilter');
+  const sys32 = process.env.WINDIR ? path.join(process.env.WINDIR, 'System32') : 'C\\\Windows\\System32';
+  const targetDll = path.join(sys32, 'LoginGuardsPwdFilter.dll');
+  try { fs.unlinkSync(targetDll); } catch {}
+  if (removed) {
+    logger.info('Password Filter unregistered. Reboot required to unload.');
+    if (options.reboot) {
+      logger.info('Reboot flag provided; rebooting now.');
+      await runPS('Restart-Computer -Force');
+    } else {
+      console.log('⚠ Reboot required to fully unload the password filter.');
+    }
+  }
+}
+
+async function isDomainController() {
+  const script = `
+  $k = Get-Item 'HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NTDS' -ErrorAction SilentlyContinue
+  if ($null -ne $k) { 'DC' } else { 'NOTDC' }
+  `;
+  const { stdout } = await runPS(script);
+  return stdout.trim() === 'DC';
+}
+
+async function registerPasswordFilter(nameNoExt) {
+  const script = `
+  $path = 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa'
+  $name = 'Notification Packages'
+  $cur = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
+  if ($null -eq $cur) { $cur = @() }
+  if ($cur -notcontains '${nameNoExt}') { $new = @($cur) + '${nameNoExt}'; Set-ItemProperty -Path $path -Name $name -Value $new; 'CHANGED' } else { 'NOCHANGE' }
+  `;
+  const { stdout } = await runPS(script);
+  return stdout.trim() === 'CHANGED';
+}
+
+async function unregisterPasswordFilter(nameNoExt) {
+  const script = `
+  $path = 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa'
+  $name = 'Notification Packages'
+  $cur = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
+  if ($null -eq $cur) { 'NOCHANGE' } else { $new = @($cur) | Where-Object { $_ -ne '${nameNoExt}' }; Set-ItemProperty -Path $path -Name $name -Value $new; 'CHANGED' }
+  `;
+  const { stdout } = await runPS(script);
+  return stdout.trim() === 'CHANGED';
 }
 
 module.exports = { install, uninstall };

package/src/service/daemon/loginguardspolicyengine.out.log

@@ -1 +1,7 @@
 info: LoginGuards Policy Engine service started. {"timestamp":"2026-01-08T02:34:56.398Z"}
+info: LoginGuards Policy Engine service started. {"timestamp":"2026-01-08T18:19:44.254Z"}
+info: Named pipe server listening on \\.\pipe\LoginGuardsPwdFilter {"timestamp":"2026-01-08T18:19:44.262Z"}
+info: Password evaluation result: ok {"timestamp":"2026-01-08T18:19:50.289Z"}
+info: Password evaluation result: ok {"timestamp":"2026-01-08T18:28:15.489Z"}
+info: Password evaluation result: ok {"timestamp":"2026-01-08T18:30:48.150Z"}
+info: Password evaluation result: ok {"timestamp":"2026-01-08T19:34:03.913Z"}

package/src/service/daemon/loginguardspolicyengine.wrapper.log

@@ -1,2 +1,18 @@
 2026-01-08 04:34:56 - Starting C:\Users\Samer\AppData\Local\Volta\tools\image\node\24.3.0\node.exe  --harmony "D:\projects\backend\fast-Backend (1)\New 0\node_modules\.pnpm\node-windows@1.0.0-beta.8\node_modules\node-windows\lib\wrapper.js" --file "D:\projects\backend\fast-Backend (1)\New 0\src\service\engine.js" --scriptoptions= --log "LoginGuardsPolicyEngine wrapper" --grow 0.5 --wait 2 --maxrestarts 3 --abortonerror n --stopparentfirst undefined
 2026-01-08 04:34:56 - Started 15000
+2026-01-08 20:19:43 - Stopping loginguardspolicyengine.exe
+2026-01-08 20:19:43 - ProcessKill 15000
+2026-01-08 20:19:43 - Found child process: 7540 Name: conhost.exe
+2026-01-08 20:19:43 - Found child process: 15148 Name: node.exe
+2026-01-08 20:19:43 - Stopping process 7540
+2026-01-08 20:19:43 - Send SIGINT 7540
+2026-01-08 20:19:43 - SIGINT to 7540 failed - Killing as fallback
+2026-01-08 20:19:43 - Stopping process 15148
+2026-01-08 20:19:43 - Send SIGINT 15148
+2026-01-08 20:19:43 - SIGINT to 15148 failed - Killing as fallback
+2026-01-08 20:19:43 - Stopping process 15000
+2026-01-08 20:19:43 - Send SIGINT 15000
+2026-01-08 20:19:43 - SIGINT to 15000 failed - Killing as fallback
+2026-01-08 20:19:43 - Finished loginguardspolicyengine.exe
+2026-01-08 20:19:43 - Starting C:\Users\Samer\AppData\Local\Volta\tools\image\node\24.3.0\node.exe  --harmony "D:\projects\backend\fast-Backend (1)\New 0\node_modules\.pnpm\node-windows@1.0.0-beta.8\node_modules\node-windows\lib\wrapper.js" --file "D:\projects\backend\fast-Backend (1)\New 0\src\service\engine.js" --scriptoptions= --log "LoginGuardsPolicyEngine wrapper" --grow 0.5 --wait 2 --maxrestarts 3 --abortonerror n --stopparentfirst undefined
+2026-01-08 20:19:43 - Started 13552

package/src/service/engine.js

@@ -16,23 +16,31 @@ function parseJsonLine(buf) {
 }
 
 async function evaluatePassword(password) {
-  const { failMode } = getConfig();
+  const { failMode, timeoutMs } = getConfig();
   const apiKey = await storage.getApiKey();
   if (!apiKey) {
-    return { allow: failMode === 'fail-open', reason: 'no_api_key' };
+    return { allow: failMode === 'fail-open', reason: 'NO_API_KEY' };
   }
   try {
-    const res = await apiClient.checkPlain(password, apiKey);
-    const compromised = !!res.compromised;
-    return { allow: !compromised, reason: compromised ? 'compromised' : 'ok' };
+    const res = await apiClient.checkPlain(password, apiKey, { timeoutMs });
+    const compromised = (typeof res.breached !== 'undefined') ? !!res.breached
+      : (typeof res.compromised !== 'undefined') ? !!res.compromised
+      : (typeof res.is_compromised !== 'undefined') ? !!res.is_compromised
+      : (typeof res.isCompromised !== 'undefined') ? !!res.isCompromised
+      : (typeof res.count === 'number') ? res.count > 0
+      : false;
+    return { allow: !compromised, reason: compromised ? 'COMPROMISED' : 'SAFE' };
   } catch (e) {
-    logger.warn(`API error during evaluation: ${e.status || e.code || e.message}`);
-    return { allow: failMode === 'fail-open', reason: 'api_error' };
+    const msg = e && (e.code || e.message || e.toString());
+    const isTimeout = (e && e.code === 'ECONNABORTED') || (typeof msg === 'string' && msg.toLowerCase().includes('timeout'));
+    const reason = isTimeout ? 'TIMEOUT' : 'API_DOWN';
+    logger.warn(`API error during evaluation: ${msg}`);
+    return { allow: failMode === 'fail-open', reason };
   }
 }
 
 function startPipeServer() {
-  const { pipeName } = getConfig();
+  const { pipeName, logUsername } = getConfig();
   const server = net.createServer((socket) => {
     let buffer = '';
     socket.on('data', async (chunk) => {
@@ -43,13 +51,19 @@ function startPipeServer() {
         buffer = buffer.slice(idx + 1);
         const msg = parseJsonLine(Buffer.from(line, 'utf8'));
         if (!msg || typeof msg.password !== 'string') {
-          socket.write(JSON.stringify({ allow: false, reason: 'bad_request' }) + '\n');
+          socket.write(JSON.stringify({ allow: false, reason: 'BAD_REQUEST' }) + '\n');
           continue;
         }
+        const user = (msg && typeof msg.username === 'string') ? msg.username : undefined;
+        const op = (msg && typeof msg.op === 'string') ? msg.op : 'change';
+
         const { allow, reason } = await evaluatePassword(msg.password);
         // Never log plaintext passwords
-        if (reason === 'compromised') logger.info('Password evaluation: compromised');
-        else logger.info(`Password evaluation result: ${reason}`);
+        if (logUsername && user) {
+          logger.info(`Password evaluation: ${reason}; user=${user}; op=${op}`);
+        } else {
+          logger.info(`Password evaluation: ${reason}; op=${op}`);
+        }
         socket.write(JSON.stringify({ allow, reason }) + '\n');
       }
     });

package/src/tester.js

@@ -3,52 +3,122 @@ const { logger } = require('./logger');
 const service = require('./service');
 const storage = require('./storage');
 const apiClient = require('./apiClient');
+const { getConfig } = require('./config');
+const net = require('net');
+const { runPS } = require('./ps');
 
-async function run({ user }) {
+async function run({ user, mode = 'auto', verbose = false }) {
   console.log('Running LoginGuards test suite...\n');
 
-  // Active Directory connectivity (placeholder)
-  console.log('✔ Connected to Active Directory (placeholder)');
-  logger.info('AD connectivity check: placeholder');
+  const isDc = await isDomainController().catch(() => false);
+  const execMode = mode === 'auto' ? (isDc ? 'dc' : 'client') : mode;
 
-  // Service status
+  // Service status (common)
   const running = await service.isRunning().catch(() => false);
-  if (running) {
-    console.log('✔ Password policy engine service running');
-  } else {
-    console.log('✖ Password policy engine service not running');
-  }
+  console.log(running ? '✔ Password policy engine service running' : '✖ Password policy engine service not running');
 
-  // API connectivity
+  // API connectivity (common)
   const apiKey = await storage.getApiKey();
   if (!apiKey) {
     console.log('✖ API key not configured. Run "loginguards-win configure".');
     return;
   }
-  try {
-    await apiClient.ping(apiKey);
-    console.log('✔ LoginGuards API reachable');
-  } catch (e) {
-    console.log('✖ LoginGuards API not reachable');
+  try { await apiClient.ping(apiKey); console.log('✔ LoginGuards API reachable'); } catch { console.log('✖ LoginGuards API not reachable'); }
+
+  if (execMode === 'dc') {
+    console.log('✔ Domain Controller detected');
+    // Registry check
+    const filterReg = await isFilterRegistered('LoginGuardsPwdFilter');
+    console.log(filterReg ? '✔ Password filter registered' : '✖ Password filter not registered');
+    // DLL presence
+    const dllExists = await dllPresent();
+    console.log(dllExists ? '✔ Password filter DLL present in System32' : '✖ Password filter DLL missing in System32');
+    // Pipe check
+    const pipeOk = await pipeHealth();
+    console.log(pipeOk ? '✔ Named pipe OK' : '✖ Named pipe unavailable');
+
+    // End-to-end evaluation via API (non-destructive)
+    const testPwd = `Lg!Test-${Math.random().toString(36).slice(2, 8)}A1`;
+    try {
+      const res = await apiClient.checkPlain(testPwd, apiKey);
+      const compromised = (typeof res.breached !== 'undefined') ? !!res.breached
+        : (typeof res.compromised !== 'undefined') ? !!res.compromised
+        : false;
+      console.log(`✔ Test password evaluated: ${compromised ? 'COMPROMISED' : 'NOT COMPROMISED'}`);
+      console.log(`✔ Test complete successfully for user "${user || 'DOMAIN\\test-user'}"`);
+    } catch (e) {
+      logger.warn(`Test evaluation error: ${e.message || e}`);
+      console.log('✖ Test evaluation failed');
+    }
+    return;
+  }
+
+  // client mode
+  const info = await getDomainInfo().catch(() => null);
+  if (info && info.PartOfDomain) {
+    console.log(`✔ Client is joined to domain: ${info.Domain || 'UNKNOWN'}`);
+    if (info.LogonServer) console.log(`✔ Logon server: ${info.LogonServer}`);
+  } else {
+    console.log('✖ Client is not domain-joined or unable to detect domain');
   }
+  console.log('ℹ Enforcement validation must be run on a Domain Controller.');
+}
+
+async function isDomainController() {
+  const script = `
+  $k = Get-Item 'HKLM:\\SYSTEM\\CurrentControlSet\\Services\\NTDS' -ErrorAction SilentlyContinue
+  if ($null -ne $k) { 'DC' } else { 'NOTDC' }
+  `;
+  const { stdout } = await runPS(script);
+  return stdout.trim() === 'DC';
+}
+
+async function isFilterRegistered(nameNoExt) {
+  const script = `
+  $path = 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa'
+  $name = 'Notification Packages'
+  $cur = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
+  if ($null -eq $cur) { 'NO' } elseif ($cur -contains '${nameNoExt}') { 'YES' } else { 'NO' }
+  `;
+  const { stdout } = await runPS(script);
+  return stdout.trim() === 'YES';
+}
+
+async function dllPresent() {
+  const sys32 = process.env.WINDIR ? require('path').join(process.env.WINDIR, 'System32') : 'C\\\\Windows\\\\System32';
+  const dll = require('path').join(sys32, 'LoginGuardsPwdFilter.dll');
+  try { require('fs').accessSync(dll); return true; } catch { return false; }
+}
+
+async function pipeHealth() {
+  const { pipeName } = getConfig();
+  return new Promise((resolve) => {
+    const socket = net.createConnection(pipeName, () => {
+      // send minimal JSON and close
+      socket.write(JSON.stringify({ password: `Lg!Probe-${Date.now()}aA1`, op: 'change' }) + '\n');
+    });
+    let responded = false;
+    socket.on('data', () => { responded = true; socket.end(); });
+    socket.on('error', () => resolve(false));
+    socket.on('end', () => resolve(responded));
+    setTimeout(() => { try { socket.destroy(); } catch {} resolve(false); }, 1000);
+  });
+}
 
-  // Test password evaluation (non-destructive)
-  const testPwd = `Lg!Test-${Math.random().toString(36).slice(2, 8)}A1`;
-  try {
-    const res = await apiClient.checkPlain(testPwd, apiKey);
-    const compromised = !!res.compromised;
-    if (compromised) {
-      console.log('✔ Test completed');
-      console.log('✖ Password rejected: COMPROMISED');
-    } else {
-      console.log('✔ Test password evaluated: NOT COMPROMISED');
+async function getDomainInfo() {
+  const script = `
+  $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction SilentlyContinue
+  if ($null -eq $cs) { Write-Output '{}' } else {
+    $obj = [ordered]@{
+      PartOfDomain = $cs.PartOfDomain
+      Domain = $cs.Domain
+      LogonServer = $env:LOGONSERVER
     }
-    console.log(`✔ Test completed successfully for user "${user || 'DOMAIN\\test-user'}"`);
-  } catch (err) {
-    logger.error(`Test request failed: ${err.stack || err.message || err}`);
-    console.log('✖ Test request failed');
-    throw err;
+    $obj | ConvertTo-Json -Compress
   }
+  `;
+  const { stdout } = await runPS(script);
+  try { return JSON.parse(stdout.trim()); } catch { return null; }
 }
 
 module.exports = { run };