feat(platform): add Windows support, migrate to new Zenable CLI (#90)

Author: JonZeolla

.github/actions/bootstrap/action.yml

@@ -16,13 +16,21 @@ inputs:
 runs:
   using: 'composite'
   steps:
-    - name: Create run_script for running scripts downstream
+    - name: Create run_script for running scripts downstream (Unix)
+      if: runner.os != 'Windows'
       shell: 'bash --noprofile --norc -Eeuo pipefail {0}'
       working-directory: ${{ inputs.working-directory }}
       run: |
         run_script="uv run --frozen"
         echo "run_script=${run_script}" | tee -a "${GITHUB_ENV}"
 
+    - name: Create run_script for running scripts downstream (Windows)
+      if: runner.os == 'Windows'
+      shell: pwsh
+      working-directory: ${{ inputs.working-directory }}
+      run: |
+        echo "run_script=uv run --frozen" | Tee-Object -Append $env:GITHUB_ENV
+
     - name: Setup uv
       uses: astral-sh/setup-uv@v4
       with:
@@ -37,6 +45,7 @@ runs:
         repo-token: ${{ inputs.token }}
 
     - name: Add Homebrew to the path
+      if: runner.os != 'Windows'
       shell: 'bash --noprofile --norc -Eeuo pipefail {0}'
       # This ensures compatibility with macOS runners and Linux runners with Homebrew
       run: |
@@ -67,19 +76,45 @@ runs:
         fi
       working-directory: ${{ inputs.working-directory }}
 
-    - name: Set Python hash for caching
+    - name: Install trufflehog
+      if: runner.os != 'Windows'
+      shell: 'bash --noprofile --norc -Eeuo pipefail {0}'
+      run: |
+        curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
+
+    - name: Set Python hash for caching (Unix)
+      if: runner.os != 'Windows'
       shell: 'bash --noprofile --norc -Eeuo pipefail {0}'
       run: |
         # Create a hash of the Python version for better cache keys
         echo "PY=$(python -VV | sha256sum | cut -d' ' -f1)" | tee -a "${GITHUB_ENV}"
 
+    - name: Set Python hash for caching (Windows)
+      if: runner.os == 'Windows'
+      shell: pwsh
+      run: |
+        $pyVersion = python -VV 2>&1
+        $hash = [System.BitConverter]::ToString(
+          [System.Security.Cryptography.SHA256]::Create().ComputeHash(
+            [System.Text.Encoding]::UTF8.GetBytes($pyVersion)
+          )
+        ).Replace("-", "").ToLower()
+        echo "PY=$hash" | Tee-Object -Append $env:GITHUB_ENV
+
     - name: Cache pre-commit environments
       uses: actions/cache@v4
       with:
         path: ~/.cache/pre-commit
         key: pre-commit|${{ env.PY }}|${{ hashFiles(format('{0}/.pre-commit-config.yaml', inputs.working-directory)) }}
 
-    - name: Initialize the repository
+    - name: Initialize the repository (Unix)
+      if: runner.os != 'Windows'
       working-directory: ${{ inputs.working-directory }}
       shell: 'bash --noprofile --norc -Eeuo pipefail {0}'
       run: task -v init
+
+    - name: Initialize the repository (Windows)
+      if: runner.os == 'Windows'
+      working-directory: ${{ inputs.working-directory }}
+      shell: pwsh
+      run: task -v init

.github/etc/dictionary.txt

@@ -1,15 +1,18 @@
 allstar
 anchore
 buildx
+conftest
 cookiecutter
 dependabot
 digestabot
+docstrings
 dockerhub
 htmlcov
 pylance
 pythonpath
 refurb
 skopeo
 syft
+taskfile
 zenable
 zizmor

.github/workflows/ci.yml

@@ -102,6 +102,147 @@ jobs:
           name: vuln-scan-results
           path: vulns.json
           if-no-files-found: error
+  windows-smoke-test:
+    name: Windows Smoke Test
+    runs-on: windows-latest
+    steps:
+      # Note: no checkout step. The cookiecutter template directory contains
+      # characters (pipe, quotes) that are illegal on NTFS, so we cannot check
+      # out the repo on Windows. Instead, cookiecutter fetches the template
+      # directly from the remote branch.
+      - name: Setup uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          python-version: ${{ env.python_version }}
+      - name: Install Task
+        uses: go-task/setup-task@v1
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate project from template
+        shell: bash
+        env:
+          RUN_POST_HOOK: 'true'
+          SKIP_GIT_PUSH: 'true'
+          TEMPLATE_REF: ${{ github.event.pull_request.head.sha || github.sha }}
+        run: |
+          git config --global user.name "CI Automation"
+          git config --global user.email "ci@zenable.io"
+
+          # The template directory name contains NTFS-illegal characters
+          # (double quotes, pipe). Use extract_template_zip.py to safely
+          # extract and rename only the top-level template dir.
+          zipUrl="https://github.com/${{ github.repository }}/archive/${TEMPLATE_REF}.zip"
+          scriptUrl="https://raw.githubusercontent.com/${{ github.repository }}/${TEMPLATE_REF}/scripts/extract_template_zip.py"
+          tmpdir=$(mktemp -d)
+          curl -fsSL "$zipUrl" -o "$tmpdir/template.zip"
+          curl -fsSL "$scriptUrl" -o "$tmpdir/extract_template_zip.py"
+          repoDir=$(python3 "$tmpdir/extract_template_zip.py" "$tmpdir/template.zip" "$tmpdir/src")
+
+          uvx --with gitpython cookiecutter "$repoDir" --no-input --output-dir "$RUNNER_TEMP"
+      - name: Verify generated project
+        shell: pwsh
+        run: |
+          $project = Join-Path $env:RUNNER_TEMP "replace-me"
+
+          # Verify the project directory was created
+          if (-not (Test-Path $project)) {
+            Write-Error "Project directory not found at $project"
+            exit 1
+          }
+
+          # Verify key files exist
+          $requiredFiles = @(
+            "pyproject.toml",
+            "Taskfile.yml",
+            "Dockerfile",
+            "CLAUDE.md",
+            ".github/project.yml",
+            ".github/workflows/ci.yml"
+          )
+          foreach ($file in $requiredFiles) {
+            $filePath = Join-Path $project $file
+            if (-not (Test-Path $filePath)) {
+              Write-Error "Required file missing: $file"
+              exit 1
+            }
+          }
+
+          # Verify no unrendered cookiecutter variables remain
+          $pattern = '\{\{\s*cookiecutter\.'
+          $matches = Get-ChildItem -Path $project -Recurse -File -Exclude '.git' |
+            Where-Object { $_.FullName -notmatch '[\\/]\.git[\\/]' } |
+            Select-String -Pattern $pattern
+          if ($matches) {
+            Write-Error "Unrendered cookiecutter variables found:"
+            $matches | ForEach-Object { Write-Error $_.ToString() }
+            exit 1
+          }
+
+          # Verify git repo was initialized and has a commit
+          $gitDir = Join-Path $project ".git"
+          if (-not (Test-Path $gitDir)) {
+            Write-Error "Git repository not initialized"
+            exit 1
+          }
+
+          Push-Location $project
+          $commitCount = git rev-list --count HEAD 2>$null
+          Pop-Location
+          if ($commitCount -lt 1) {
+            Write-Error "No commits found in generated project"
+            exit 1
+          }
+
+          Write-Host "Windows smoke test passed: project generated and verified successfully"
+      - name: Setup WSL with Docker
+        shell: bash
+        run: |
+          wsl --install -d Ubuntu-24.04 --no-launch
+          wsl -d Ubuntu-24.04 -u root -- bash -ec "
+            apt-get update -qq
+            apt-get install -y -qq curl ca-certificates >/dev/null
+            curl -fsSL https://get.docker.com | sh -s -- --quiet
+            service docker start
+          "
+
+          # Create docker wrappers that route to WSL's Docker.
+          # - .bat for Task's mvdan/sh (Go's exec.LookPath needs a Windows extension)
+          # - bash script for Git Bash steps
+          mkdir -p "$HOME/bin"
+          printf '@wsl -d Ubuntu-24.04 -u root -- docker %%*\r\n' > "$HOME/bin/docker.bat"
+          cat > "$HOME/bin/docker" << 'WRAPPER'
+          #!/bin/bash
+          exec wsl -d Ubuntu-24.04 -u root -- docker "$@"
+          WRAPPER
+          chmod +x "$HOME/bin/docker"
+          echo "$HOME/bin" >> "$GITHUB_PATH"
+      - name: Initialize generated project
+        shell: bash
+        run: |
+          cd "$RUNNER_TEMP/replace-me"
+          task -v init
+      - name: Run unit tests
+        shell: bash
+        # Integration tests require Docker (Linux images) which is not
+        # available on Windows runners; those are covered by the Linux CI job.
+        run: |
+          cd "$RUNNER_TEMP/replace-me"
+          task -v unit-test
+      - name: Build Docker image
+        shell: bash
+        run: |
+          cd "$RUNNER_TEMP/replace-me"
+          task -v build
+      - name: Verify Docker image
+        shell: bash
+        run: |
+          docker run --rm zenable-io/replace-me:latest --version
+          docker run --rm zenable-io/replace-me:latest --help
+      - name: Verify zenable CLI
+        shell: bash
+        run: |
+          export PATH="$HOME/.zenable/bin:$PATH"
+          zenable version
   finalizer:
     # This gives us something to set as required in the repo settings. Some projects use dynamic fan-outs using matrix strategies and the fromJSON function, so
     # you can't hard-code what _should_ run vs not. Having a finalizer simplifies that so you can just check that the finalizer succeeded, and if so, your
@@ -110,7 +251,7 @@ jobs:
     name: Finalize the pipeline
     runs-on: ubuntu-24.04
     # Keep this aligned with the above jobs
-    needs: [lint, test]
+    needs: [lint, test, windows-smoke-test]
     if: always()  # Ensure it runs even if "needs" fails or is cancelled
     steps:
       - name: Check for failed or cancelled jobs

.pre-commit-config.yaml

@@ -43,8 +43,11 @@ repos:
    rev: ad6fc8fb446b8fafbf7ea8193d2d6bfd42f45690  # frozen: v3.90.11
    hooks:
      - id: trufflehog
-       # Check the past 2 commits; it's useful to make this go further back than main when running this where main and HEAD are equal
-       entry: trufflehog git file://. --since-commit main~1 --no-verification --fail
+       # Resolve the repo root via git-common-dir so this works in both normal repos and worktrees
+       # (trufflehog doesn't support .git files used by worktrees).
+       # Guard against detached HEAD (e.g. CI) by falling back to the commit SHA.
+       language: system
+       entry: bash -c 'BRANCH=$(git rev-parse --abbrev-ref HEAD); [ "$BRANCH" = "HEAD" ] && BRANCH=$(git rev-parse HEAD); trufflehog git "file://$(cd "$(git rev-parse --git-common-dir)/.." && pwd)" --branch "$BRANCH" --since-commit HEAD~1 --no-verification --fail'
  - repo: https://github.com/python-openapi/openapi-spec-validator
    rev: a76da2ffdaf698a7fdbd755f89b051fef4c790fd  # frozen: 0.8.0b1
    hooks:

.pre-commit-hooks.yaml

@@ -2,5 +2,5 @@
 - id: zenable-check
   name: Run a Zenable check on all changed files
   language: system
-  entry: uvx zenable-mcp@latest check
+  entry: zenable check
   pass_filenames: true

docs/ai-ide-support.md

@@ -7,11 +7,23 @@ The AI-Native Python template automatically configures AI-powered development to
 
 ## Automatic Configuration
 
-When you generate a new project, the post-generation hook automatically detects which IDEs and AI assistants you have installed and creates appropriate configuration files:
+When you generate a new project, the post-generation hook automatically installs the [Zenable CLI](https://cli.zenable.app) and configures your IDE integrations:
 
-- Model Context Protocol (MCP) configuration for [Zenable](https://zenable.io) and other MCP servers (if supported tools are detected)
-- IDE-specific configuration files based on what's installed (Claude, GitHub Copilot, Cursor, etc.)
-- Project-specific context and guidelines tailored to your project
+**Installation (if the Zenable CLI is not already installed):**
+
+macOS/Linux:
+```bash
+curl -fsSL https://cli.zenable.app/install.sh | bash
+```
+
+Windows:
+```powershell
+powershell -ExecutionPolicy Bypass -Command "irm https://cli.zenable.app/install.ps1 | iex"
+```
+
+**IDE Configuration:**
+
+Once installed, `zenable install` detects which IDEs and AI assistants you have installed and creates appropriate configuration files for 15+ supported IDEs including Claude Code, Cursor, Windsurf, VS Code, GitHub Copilot, and more.
 
 These configurations are dynamically generated based on your installed IDEs and project settings, and include: