feat(cloud): AI safety ratings for Startup Manager and Uninstaller (#73)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: 3 people

src/main/ipc/index.ts

@@ -29,6 +29,8 @@ import { registerEmptyFolderCleanerIpc } from './empty-folder-cleaner.ipc'
 import { registerFileShredderIpc } from './file-shredder.ipc'
 import { registerGameModeIpc } from './game-mode.ipc'
 import { registerCveScannerIpc } from './cve-scanner.ipc'
+import { registerStartupSafetyIpc } from './startup-safety.ipc'
+import { registerProgramSafetyIpc } from './program-safety.ipc'
 import { getSettings, setSettings, flushSettings, getOnboardingComplete, setOnboardingComplete } from '../services/settings-store'
 import { isAdmin } from '../services/elevation'
 import { getHistory, addHistoryEntry, clearHistory } from '../services/history-store'
@@ -65,6 +67,8 @@ export function registerCleanerIpc(getWindow: WindowGetter): void {
   registerSoftwareUpdaterIpc(getWindow)
   registerCloudAgentIpc()
   registerCveScannerIpc()
+  registerStartupSafetyIpc()
+  registerProgramSafetyIpc()
   registerFileShredderIpc(getWindow)
   registerGameModeIpc(getWindow)
 
@@ -103,9 +107,9 @@ export function registerCleanerIpc(getWindow: WindowGetter): void {
 
   // Onboarding
   ipcMain.handle(IPC.ONBOARDING_GET, () => getOnboardingComplete())
-  ipcMain.handle(IPC.ONBOARDING_SET, (_event, value: boolean) => {
+  ipcMain.handle(IPC.ONBOARDING_SET, async (_event, value: boolean) => {
     if (typeof value !== 'boolean') return
-    setOnboardingComplete(value)
+    await setOnboardingComplete(value)
   })
 
   // Elevation

src/main/ipc/program-safety.ipc.ts

@@ -0,0 +1,9 @@
+import { ipcMain } from 'electron'
+import { IPC } from '../../shared/channels'
+import { cloudAgent } from '../services/cloud-agent'
+
+export function registerProgramSafetyIpc(): void {
+  ipcMain.handle(IPC.PROGRAM_SAFETY_FETCH, async () => {
+    return cloudAgent.getInstalledProgramSafetyRatings()
+  })
+}

src/main/ipc/startup-manager.ipc.ts

@@ -397,11 +397,14 @@ export async function toggleStartupItem(
         // This is the authoritative signal Windows checks — even if the Run value
         // is re-created by the app, Windows will skip it while the marker is 03.
         // The value is a 12-byte REG_BINARY: status byte + 8-byte timestamp + padding.
+        let approvedOk = false
+        let deleteOk = false
         try {
           await execNativeUtf8('reg',[
             'add', approvedKey, '/v', name, '/t', 'REG_BINARY',
             '/d', '030000000000000000000000', '/f'
           ], { timeout: 10000 })
+          approvedOk = true
         } catch {
           // May fail if key doesn't exist yet — fall through to Run deletion
         }
@@ -410,10 +413,14 @@ export async function toggleStartupItem(
           await execNativeUtf8('reg',[
             'delete', location, '/v', name, '/f'
           ], { timeout: 10000 })
+          deleteOk = true
         } catch {
-          // Registry op may fail for permissions — still persist state
+          // Registry op may fail for permissions
         }
 
+        // If neither registry operation succeeded, the disable didn't take effect
+        if (!approvedOk && !deleteOk) return false
+
         await withDisabledFileLock(() => {
           const disabled = readDisabledEntries()
           if (!disabled.some((e) => e.name === name && e.source === source)) {
@@ -430,12 +437,14 @@ export async function toggleStartupItem(
         if (!stored) return false
         const safeCommand = stored.command
 
+        let addOk = false
         try {
           await execNativeUtf8('reg',[
             'add', location, '/v', name, '/t', 'REG_SZ', '/d', safeCommand, '/f'
           ], { timeout: 10000 })
+          addOk = true
         } catch {
-          // Registry op may fail for permissions — still persist state
+          // Registry op may fail for permissions
         }
 
         // Write an "enabled" marker (first byte 02) to StartupApproved
@@ -448,6 +457,9 @@ export async function toggleStartupItem(
           // Non-critical — Run key entry is sufficient for most apps
         }
 
+        // If the critical Run key write failed, the enable didn't take effect
+        if (!addOk) return false
+
         await withDisabledFileLock(() => {
           const current = readDisabledEntries()
           writeDisabledEntries(current.filter((e) => !(e.name === name && e.source === source)))

src/main/ipc/startup-safety.ipc.ts

@@ -0,0 +1,9 @@
+import { ipcMain } from 'electron'
+import { IPC } from '../../shared/channels'
+import { cloudAgent } from '../services/cloud-agent'
+
+export function registerStartupSafetyIpc(): void {
+  ipcMain.handle(IPC.STARTUP_SAFETY_FETCH, async () => {
+    return cloudAgent.getStartupSafetyRatings()
+  })
+}

src/main/services/cloud-agent.ts

@@ -29,6 +29,7 @@ import { scanBloatware, removeBloatware } from '../ipc/debloater.ipc'
 import { applyServiceChanges } from '../ipc/service-manager.ipc'
 import { quarantineMalware, deleteMalware } from '../ipc/malware-scanner.ipc'
 import { scanForLeftovers } from './uninstall-leftovers'
+import { getInstalledProgramsFull } from './program-uninstaller'
 import { PerfMonitorService } from './perf-monitor'
 import { cloudLog } from './logger'
 import type {
@@ -40,14 +41,14 @@ import type {
   HealthReport,
   AllowedScanType,
 } from './cloud-agent-types'
-import type { ScanResult, CloudActionEntry } from '../../shared/types'
+import type { ScanResult, CloudActionEntry, StartupSafetyResult } from '../../shared/types'
 import { addCloudHistoryEntry } from './cloud-history-store'
 import { downloadAndUpdateBlacklist, loadBlacklist } from './threat-blacklist-store'
 import { threatMonitor } from './threat-monitor'
 import { isLikelyFalsePositive, deduplicateCves } from './cve-filter'
 
 const execFileAsync = promisify(execFile)
-const DEFAULT_SERVER_URL = app.isPackaged ? 'https://cloud.usekudu.com' : 'http://localhost:8000'
+const DEFAULT_SERVER_URL = app.isPackaged ? 'https://cloud.usekudu.com' : 'https://cloud.usekudu.com'
 
 const COMMAND_TIMEOUT_MS = 5 * 60 * 1000
 const LONG_COMMAND_TIMEOUT_MS = 30 * 60 * 1000 // for bulk update / install commands
@@ -249,6 +250,18 @@ class CloudAgentService {
     }
   }
 
+  async getStartupSafetyRatings(): Promise<StartupSafetyResult> {
+    if (this.status !== 'connected') throw new Error('Cloud agent not connected')
+    this.startupItems = null
+    return this.submitStartupPrograms()
+  }
+
+  async getInstalledProgramSafetyRatings(): Promise<StartupSafetyResult> {
+    if (this.status !== 'connected') throw new Error('Cloud agent not connected')
+    this.cachedInstalledPrograms = null
+    return this.submitInstalledPrograms()
+  }
+
   async link(apiKey: string): Promise<{ success: boolean; error?: string }> {
     try {
       // Stop any existing connection before re-linking
@@ -510,6 +523,8 @@ class CloudAgentService {
       this.startTelemetry()
       this.startHealthReports()
       this.startThreatMonitor()
+      this.syncStartupSafety().catch(() => {})
+      this.syncInstalledProgramSafety().catch(() => {})
     })
 
     this.channel.bind('pusher:subscription_error', (err: unknown) => {
@@ -1012,6 +1027,8 @@ class CloudAgentService {
     this.healthReportTimer = setInterval(() => {
       if (this.status === 'connected') {
         this.collectAndSendHealthReport()
+        this.syncStartupSafety().catch(() => {})
+        this.syncInstalledProgramSafety().catch(() => {})
       }
     }, HEALTH_REPORT_INTERVAL_MS)
   }
@@ -2461,6 +2478,142 @@ class CloudAgentService {
       ? await toggleStartupItemWin32(name, location, command, source as any, enabled)
       : await getPlatform().startup.toggleItem(name, location, command, source as any, enabled)
     await this.postCommandResult(requestId, success, { name, enabled }, success ? undefined : 'Failed to toggle startup item')
+    if (success) this.syncStartupSafety().catch(() => {})
+  }
+
+  // ─── Startup Safety Enrichment ──────────────────────────
+
+  private startupItems: import('../../shared/types').StartupItem[] | null = null
+
+  private async submitStartupPrograms(): Promise<StartupSafetyResult> {
+    if (!this.startupItems) {
+      this.startupItems = process.platform === 'win32'
+        ? await listStartupItemsWin32()
+        : await getPlatform().startup.listItems()
+    }
+    const raw = (await this.postApi(`/devices/${encodeURIComponent(this.deviceId)}/startup-programs`, {
+      items: this.startupItems.map((i) => ({
+        name: i.name,
+        displayName: i.displayName,
+        command: i.command,
+        location: i.location,
+        source: i.source,
+        enabled: i.enabled,
+        publisher: i.publisher,
+        impact: i.impact,
+      })),
+    })) as Record<string, unknown> | null
+    const rawItems = Array.isArray(raw?.ratings) ? raw!.ratings : []
+    const ratings = rawItems
+      .filter((item: unknown): item is Record<string, unknown> =>
+        item !== null && typeof item === 'object' &&
+        typeof (item as Record<string, unknown>).name === 'string' &&
+        typeof (item as Record<string, unknown>).safety_score === 'number'
+      )
+      .map((item) => ({
+        name: String(item.name),
+        safetyScore: Math.max(1, Math.min(10, Math.round(Number(item.safety_score)))),
+        description: typeof item.description === 'string' ? item.description.slice(0, 500) : '',
+        analyzedAt: typeof item.analyzed_at === 'string' ? item.analyzed_at : '',
+      }))
+    const pending = typeof raw?.pending === 'number' ? raw.pending : 0
+    return { ratings, pending }
+  }
+
+  private async syncStartupSafety(): Promise<void> {
+    try {
+      // Clear cached items so we re-list from OS
+      this.startupItems = null
+      let result = await this.submitStartupPrograms()
+      this.pushSafetyToRenderer(result)
+
+      // Poll while analyses are still pending (max 10 retries, 5s apart)
+      let retries = 0
+      while (result.pending > 0 && retries < 10) {
+        retries++
+        await new Promise((r) => setTimeout(r, 5000))
+        if (this.status !== 'connected') break
+        result = await this.submitStartupPrograms()
+        this.pushSafetyToRenderer(result)
+      }
+    } catch (err) {
+      cloudLog('ERROR', `Startup safety sync failed: ${err}`)
+    }
+  }
+
+  private pushSafetyToRenderer(result: StartupSafetyResult): void {
+    const win = BrowserWindow.getAllWindows()[0]
+    if (win && !win.isDestroyed()) {
+      win.webContents.send(IPC.STARTUP_SAFETY_UPDATED, result)
+    }
+  }
+
+  // ─── Installed Program Safety Enrichment ──────────────────
+
+  private cachedInstalledPrograms: import('../../shared/types').InstalledProgram[] | null = null
+
+  private async submitInstalledPrograms(): Promise<StartupSafetyResult> {
+    if (!this.cachedInstalledPrograms) {
+      this.cachedInstalledPrograms = await getInstalledProgramsFull()
+    }
+    const raw = (await this.postApi(`/devices/${encodeURIComponent(this.deviceId)}/installed-programs`, {
+      items: this.cachedInstalledPrograms.map((p) => ({
+        name: p.displayName,
+        displayName: p.displayName,
+        publisher: p.publisher,
+        version: p.displayVersion,
+        installDate: p.installDate,
+        estimatedSize: p.estimatedSize,
+        installLocation: p.installLocation,
+        isSystemComponent: p.isSystemComponent,
+      })),
+    })) as Record<string, unknown> | null
+    cloudLog('DEBUG', `installed-programs response: pending=${raw?.pending}, ratings=${Array.isArray(raw?.ratings) ? raw!.ratings.length : 'none'}, keys=${raw ? Object.keys(raw).join(',') : 'null'}`)
+    const rawItems = Array.isArray(raw?.ratings) ? raw!.ratings : []
+    if (rawItems.length > 0) {
+      cloudLog('DEBUG', `installed-programs first rating sample: ${JSON.stringify(rawItems[0]).slice(0, 200)}`)
+    }
+    const ratings = rawItems
+      .filter((item: unknown): item is Record<string, unknown> =>
+        item !== null && typeof item === 'object' &&
+        typeof (item as Record<string, unknown>).name === 'string' &&
+        typeof (item as Record<string, unknown>).safety_score === 'number'
+      )
+      .map((item) => ({
+        name: String(item.name),
+        safetyScore: Math.max(1, Math.min(10, Math.round(Number(item.safety_score)))),
+        description: typeof item.description === 'string' ? item.description.slice(0, 500) : '',
+        analyzedAt: typeof item.analyzed_at === 'string' ? item.analyzed_at : '',
+      }))
+    const pending = typeof raw?.pending === 'number' ? raw.pending : 0
+    cloudLog('DEBUG', `installed-programs parsed: ${ratings.length} ratings, ${pending} pending`)
+    return { ratings, pending }
+  }
+
+  private async syncInstalledProgramSafety(): Promise<void> {
+    try {
+      this.cachedInstalledPrograms = null
+      let result = await this.submitInstalledPrograms()
+      this.pushProgramSafetyToRenderer(result)
+
+      let retries = 0
+      while (result.pending > 0 && retries < 10) {
+        retries++
+        await new Promise((r) => setTimeout(r, 5000))
+        if (this.status !== 'connected') break
+        result = await this.submitInstalledPrograms()
+        this.pushProgramSafetyToRenderer(result)
+      }
+    } catch (err) {
+      cloudLog('ERROR', `Installed program safety sync failed: ${err}`)
+    }
+  }
+
+  private pushProgramSafetyToRenderer(result: StartupSafetyResult): void {
+    const win = BrowserWindow.getAllWindows()[0]
+    if (win && !win.isDestroyed()) {
+      win.webContents.send(IPC.PROGRAM_SAFETY_UPDATED, result)
+    }
   }
 
   private perfMonitor: PerfMonitorService | null = null

src/main/services/settings-store.ts

@@ -260,11 +260,11 @@ export function getOnboardingComplete(): boolean {
   return readStore().onboardingComplete
 }
 
-export function setOnboardingComplete(value: boolean): void {
+export function setOnboardingComplete(value: boolean): Promise<void> {
   const prev = writeLock
   let unlock: () => void
   writeLock = new Promise<void>((r) => { unlock = r })
-  prev.then(() => {
+  return prev.then(() => {
     try {
       const data = readStore()
       data.onboardingComplete = value

src/preload/index.ts

@@ -71,6 +71,7 @@ import type {
   GameModeStatus,
   GameModeProgress,
   CvePageResult,
+  StartupSafetyResult,
 } from '../shared/types'
 
 const api = {
@@ -143,6 +144,12 @@ const api = {
   startupDelete: (name: string, location: string, source: string): Promise<boolean> =>
     ipcRenderer.invoke(IPC.STARTUP_DELETE, name, location, source),
   startupBootTrace: (): Promise<StartupBootTrace> => ipcRenderer.invoke(IPC.STARTUP_BOOT_TRACE),
+  startupSafetyFetch: (): Promise<StartupSafetyResult> => ipcRenderer.invoke(IPC.STARTUP_SAFETY_FETCH),
+  onStartupSafetyUpdated: (callback: (data: StartupSafetyResult) => void) => {
+    const handler = (_event: Electron.IpcRendererEvent, data: StartupSafetyResult) => callback(data)
+    ipcRenderer.on(IPC.STARTUP_SAFETY_UPDATED, handler)
+    return () => { ipcRenderer.removeListener(IPC.STARTUP_SAFETY_UPDATED, handler) }
+  },
 
   // Network cleanup
   networkScan: (): Promise<NetworkItem[]> => ipcRenderer.invoke(IPC.NETWORK_SCAN),
@@ -326,6 +333,12 @@ const api = {
     ipcRenderer.on(IPC.UNINSTALLER_PROGRESS, handler)
     return () => { ipcRenderer.removeListener(IPC.UNINSTALLER_PROGRESS, handler) }
   },
+  programSafetyFetch: (): Promise<StartupSafetyResult> => ipcRenderer.invoke(IPC.PROGRAM_SAFETY_FETCH),
+  onProgramSafetyUpdated: (callback: (data: StartupSafetyResult) => void) => {
+    const handler = (_event: Electron.IpcRendererEvent, data: StartupSafetyResult) => callback(data)
+    ipcRenderer.on(IPC.PROGRAM_SAFETY_UPDATED, handler)
+    return () => { ipcRenderer.removeListener(IPC.PROGRAM_SAFETY_UPDATED, handler) }
+  },
 
   // Software Updater
   softwareUpdateCheck: (): Promise<UpdateCheckResult> =>

src/renderer/src/App.tsx

@@ -113,7 +113,16 @@ export function App() {
   // Hydrate Game Mode status so the sidebar badge works on all pages
   useEffect(() => { initGameModeStore() }, [])
 
-  if (!onboardingChecked) return null
+  if (!onboardingChecked) {
+    return (
+      <div className="flex h-screen w-screen items-center justify-center" style={{ background: '#09090b' }}>
+        <div className="flex flex-col items-center gap-4">
+          <img src="" alt="" className="h-16 w-16 rounded-2xl" style={{ visibility: 'hidden' }} />
+          <div className="h-5 w-5 animate-spin rounded-full border-2 border-zinc-700 border-t-amber-500" />
+        </div>
+      </div>
+    )
+  }
 
   return (
     <PlatformContext value={platformInfo}>

src/renderer/src/hooks/usePlatform.ts

@@ -3,7 +3,7 @@ import type { PlatformInfo } from '../../../shared/types'
 
 const defaultInfo: PlatformInfo = {
   platform: 'win32',
-  features: { registry: true, debloater: true, drivers: true, restorePoint: true, bootTrace: true },
+  features: { registry: true, debloater: true, drivers: true, restorePoint: true, bootTrace: true, gameMode: true },
 }
 
 const PlatformContext = createContext<PlatformInfo>(defaultInfo)