diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 0aaf16e..1c88973 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -53,7 +53,8 @@ jobs:
             hooks/claude-code/target
             plugins/coding-agent-plugin/target
             tools/coding-agents-kit-ctl/target
-          key: ${{ runner.os }}-${{ matrix.arch }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+            tests/target
+          key: ${{ runner.os }}-${{ matrix.arch }}-cargo-${{ hashFiles('hooks/claude-code/Cargo.lock', 'plugins/coding-agent-plugin/Cargo.lock', 'tools/coding-agents-kit-ctl/Cargo.lock', 'tests/Cargo.lock') }}
           restore-keys: |
             ${{ runner.os }}-${{ matrix.arch }}-cargo-
 
@@ -74,6 +75,65 @@ jobs:
       - name: Run e2e tests
         run: make test-e2e
 
+  build-test-windows:
+    name: Build & Test (Windows ${{ matrix.arch }})
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - arch: x64
+            runner: windows-latest
+            vcpkg_triplet: x64-windows-static
+          - arch: arm64
+            runner: windows-11-arm
+            vcpkg_triplet: arm64-windows-static
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install make
+        run: choco install make -y
+
+      - name: Install vcpkg curl
+        run: vcpkg install curl:${{ matrix.vcpkg_triplet }}
+
+      - name: Cache Cargo registry and build artifacts
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            hooks/claude-code/target
+            plugins/coding-agent-plugin/target
+            tools/coding-agents-kit-ctl/target
+            tests/target
+          key: ${{ runner.os }}-${{ matrix.arch }}-cargo-${{ hashFiles('hooks/claude-code/Cargo.lock', 'plugins/coding-agent-plugin/Cargo.lock', 'tools/coding-agents-kit-ctl/Cargo.lock', 'tests/Cargo.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ matrix.arch }}-cargo-
+
+      - name: Cache Falco build
+        uses: actions/cache@v4
+        with:
+          path: |
+            build/falco-*-windows-*
+            build/falco-src-*
+          key: falco-windows-${{ matrix.arch }}-${{ hashFiles('installers/windows/build-falco.ps1', 'installers/windows/falco-windows-*.patch') }}
+
+      - name: Build
+        run: make build
+
+      - name: Build Falco from source
+        run: make falco-windows-${{ matrix.arch }}
+
+      - name: Run interceptor tests
+        run: make test-interceptor
+
+      - name: Run e2e tests
+        run: make test-e2e
+
   build-test-macos:
     name: Build & Test (macOS ${{ matrix.arch }})
     runs-on: ${{ matrix.runner }}
@@ -103,7 +163,8 @@ jobs:
             hooks/claude-code/target
             plugins/coding-agent-plugin/target
             tools/coding-agents-kit-ctl/target
-          key: ${{ runner.os }}-${{ matrix.arch }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+            tests/target
+          key: ${{ runner.os }}-${{ matrix.arch }}-cargo-${{ hashFiles('hooks/claude-code/Cargo.lock', 'plugins/coding-agent-plugin/Cargo.lock', 'tools/coding-agents-kit-ctl/Cargo.lock', 'tests/Cargo.lock') }}
           restore-keys: |
             ${{ runner.os }}-${{ matrix.arch }}-cargo-
 
diff --git a/CLAUDE.md b/CLAUDE.md
index ce12fdd..d3d1f6b 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -6,7 +6,7 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 **coding-agents-kit** is a runtime security layer for AI coding agents. It intercepts tool calls (shell commands, file writes, web requests, etc.) before execution, evaluates them against Falco security rules, and enforces allow/deny/ask verdicts in real time. It operates entirely in user space with no elevated privileges.
 
-The initial version targets **Claude Code** on **Linux and macOS**. The architecture is designed to accommodate other coding agents (e.g., Codex) in the future.
+The project targets **Claude Code** on **Linux, macOS, and Windows**. The architecture is designed to accommodate other coding agents (e.g., Codex) in the future.
 
 ## Architecture
 
@@ -37,9 +37,9 @@ The initial version targets **Claude Code** on **Linux and macOS**. The architec
 | **Interceptor** | `hooks/claude-code/` | Rust | Thin passthrough: reads hook JSON from stdin, wraps in envelope, sends to broker, maps verdict to stdout. No content interpretation. |
 | **Plugin** | `plugins/` | Rust (falco_plugin SDK) | Falco source+extract plugin with embedded broker. Parses events, extracts fields, feeds Falco, receives alerts, resolves verdicts. |
 | **Rules** | `rules/` | YAML (Falco rule language) | Vendor and local security policies. |
-| **Installer** | `installers/linux/`, `installers/macos/` | Shell | Platform-specific packaging, installation, hook registration, mode switching. |
+| **Installer** | `installers/linux/`, `installers/macos/`, `installers/windows/` | Shell/PowerShell | Platform-specific packaging, installation, hook registration, mode switching. |
 | **Skills** | `skills/` | Claude Code skill format | Coding agent skills for rule authoring, status, etc. |
-| **Tests** | `tests/` | TBD | Integration and E2E tests. |
+| **Tests** | `tests/` | Rust | Cross-platform interceptor and E2E integration tests. |
 
 ## Key Design Decisions
 
@@ -283,7 +283,7 @@ The macOS implementation includes `is_service_loaded()` for idempotent start/sto
 
 - **Falco 0.43** — rule engine, running in `nodriver` mode (no kernel instrumentation)
 - **Rust** — interceptor and plugin (using `falco_plugin` crate v0.5.0)
-- **Platforms** — Linux (official Falco builds), macOS (Falco built from source with http_output patch)
+- **Platforms** — Linux (official Falco builds), macOS (Falco built from source with http_output patch), Windows (Falco built from source with http_output patch, system curl via vcpkg)
 
 ## Build & Development
 
@@ -301,12 +301,14 @@ Requires latest stable Rust (the falco_plugin SDK tracks latest stable as MSRV).
 ### Tests
 
 ```bash
-make test                   # Run all tests
+make test                   # Run all tests (cross-platform)
 make test-interceptor       # Interceptor unit tests (mock broker, no Falco needed)
-make test-e2e               # E2E tests (requires Falco in PATH, plugin, and interceptor built)
+make test-e2e               # E2E tests (requires Falco built, plugin, and interceptor)
 ```
 
-On Linux, use `make download-falco-linux` to download pre-built Falco binaries and `make falco-linux-bin-dir` to get the binary path. On macOS, use `make falco-macos` to build from source.
+Tests are written in Rust (`tests/` crate) and work on all platforms with the same targets. E2E tests automatically find the Falco binary from the project's build output (not the system). They skip gracefully if Falco is not built.
+
+On Linux, use `make download-falco-linux` to download pre-built Falco binaries. On macOS, use `make falco-macos` to build from source. On Windows, use `make falco-windows` to build from source (requires vcpkg + MSVC).
 
 ### Packaging
 
@@ -320,6 +322,11 @@ make macos-aarch64          # Apple Silicon
 make macos-x86_64           # Intel (must run on Intel Mac)
 make macos-universal        # Fat binary (requires Rosetta + x86_64 Homebrew)
 make falco-macos            # Build only Falco (convenience target)
+
+# Windows (builds Falco from source, requires vcpkg + MSVC + WiX)
+make windows-x64            # x64 MSI package
+make windows-arm64          # arm64 MSI package
+make falco-windows          # Build only Falco (convenience target)
 ```
 
 ### Environment Variables
diff --git a/Makefile b/Makefile
index ebaf543..deb9fee 100644
--- a/Makefile
+++ b/Makefile
@@ -5,9 +5,11 @@ ARCH := $(shell uname -m)
 .PHONY: all build build-interceptor build-plugin build-ctl \
 	download-falco-linux falco-linux-bin-dir \
 	falco-macos falco-macos-bin-dir \
+	falco-windows falco-windows-x64 falco-windows-arm64 \
 	test test-interceptor test-e2e \
 	linux linux-x86_64 linux-aarch64 \
 	macos macos-aarch64 macos-x86_64 macos-universal \
+	windows windows-x64 windows-arm64 \
 	clean help
 
 all: linux
@@ -44,13 +46,13 @@ falco-linux-bin-dir:
 ## Run all tests
 test: test-interceptor test-e2e
 
-## Run interceptor unit tests
-test-interceptor:
-	bash tests/test_interceptor.sh
+## Run interceptor unit tests (Rust, cross-platform)
+test-interceptor: build-interceptor
+	cd tests && cargo test --test interceptor -- --nocapture
 
-## Run end-to-end tests (requires Falco in PATH)
-test-e2e:
-	bash tests/test_e2e.sh
+## Run end-to-end tests (Rust, cross-platform, requires Falco built)
+test-e2e: build
+	cd tests && cargo test --test e2e --test e2e_monitor -- --nocapture
 
 ## Build Linux packages for all architectures
 linux: linux-x86_64 linux-aarch64
@@ -86,12 +88,35 @@ falco-macos:
 falco-macos-bin-dir:
 	@echo "build/falco-$(FALCO_VERSION)-darwin-$(subst arm64,aarch64,$(ARCH))"
 
+## Build Windows packages (must run on Windows)
+windows: windows-x64
+
+## Build Windows x64 MSI package
+windows-x64:
+	powershell -NoProfile -ExecutionPolicy Bypass -File installers/windows/package.ps1 -Arch x64
+
+## Build Windows arm64 MSI package
+windows-arm64:
+	powershell -NoProfile -ExecutionPolicy Bypass -File installers/windows/package.ps1 -Arch arm64
+
+## Build Falco from source for Windows (default: x64; requires vcpkg + MSVC)
+falco-windows: falco-windows-x64
+
+## Build Falco from source for Windows x64
+falco-windows-x64:
+	powershell -NoProfile -ExecutionPolicy Bypass -File installers/windows/build-falco.ps1 -Arch x64
+
+## Build Falco from source for Windows arm64
+falco-windows-arm64:
+	powershell -NoProfile -ExecutionPolicy Bypass -File installers/windows/build-falco.ps1 -Arch arm64
+
 ## Remove build artifacts
 clean:
 	rm -rf build/
 	-cd hooks/claude-code && cargo clean
 	-cd plugins/coding-agent-plugin && cargo clean
 	-cd tools/coding-agents-kit-ctl && cargo clean
+	-cd tests && cargo clean
 
 ## Show available targets
 help:
@@ -107,12 +132,16 @@ help:
 	@echo "  test               Run all tests"
 	@echo "  test-interceptor   Run interceptor unit tests"
 	@echo "  test-e2e           Run end-to-end tests (requires Falco in PATH)"
+	@echo "  (tests are cross-platform — same targets work on all platforms)"
 	@echo ""
 	@echo "Falco:"
 	@echo "  download-falco-linux  Download pre-built Falco binary (Linux only)"
 	@echo "  falco-linux-bin-dir   Print path to downloaded Falco binary directory"
 	@echo "  falco-macos           Build Falco from source (macOS only)"
 	@echo "  falco-macos-bin-dir   Print path to built Falco binary directory"
+	@echo "  falco-windows         Build Falco from source for Windows (default: x64)"
+	@echo "  falco-windows-x64    Build Falco from source for Windows x64"
+	@echo "  falco-windows-arm64  Build Falco from source for Windows arm64"
 	@echo ""
 	@echo "Package:"
 	@echo "  linux              Build Linux packages for all architectures (default)"
@@ -122,6 +151,9 @@ help:
 	@echo "  macos-aarch64      Build macOS Apple Silicon package"
 	@echo "  macos-x86_64       Build macOS Intel package (must run on Intel Mac)"
 	@echo "  macos-universal    Build macOS universal binary (requires Rosetta + x86_64 Homebrew)"
+	@echo "  windows            Build Windows x64 MSI package (default)"
+	@echo "  windows-x64        Build Windows x64 MSI package"
+	@echo "  windows-arm64      Build Windows arm64 MSI package"
 	@echo ""
 	@echo "Other:"
 	@echo "  clean              Remove all build artifacts"
diff --git a/README.md b/README.md
index 69a7bf1..f482ed3 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@
 [![Sandbox](https://img.shields.io/badge/status-sandbox-red?style=for-the-badge)](https://github.com/falcosecurity/evolution/blob/main/REPOSITORIES.md#sandbox)
 
 [![License](https://img.shields.io/github/license/leogr/coding-agents-kit?style=flat-square)](LICENSE)
-![Platforms](https://img.shields.io/badge/platforms-linux%20%7C%20macOS-blue?style=flat-square)
+![Platforms](https://img.shields.io/badge/platforms-linux%20%7C%20macOS%20%7C%20Windows-blue?style=flat-square)
 ![Architectures](https://img.shields.io/badge/arch-x86__64%20%7C%20aarch64-blueviolet?style=flat-square)
 
 > **Experimental Preview** — This project is under active development and released as an early preview. Interfaces and behavior may change between releases. We welcome your [feedback](#feedback) to help shape its future.
@@ -74,6 +74,19 @@ bash install.sh
 
 The installer copies all components to `~/.coding-agents-kit/`, starts a systemd user service, and registers the hook automatically.
 
+### Windows
+
+Download the `.msi` installer from the [latest release](https://github.com/leogr/coding-agents-kit/releases/latest) and run:
+
+```powershell
+powershell -File Install-CodingAgentsKit.ps1
+```
+
+The installer deploys all components to `%LOCALAPPDATA%\coding-agents-kit\`, registers the Claude Code hook, and sets up auto-start on login.
+
+> [!NOTE]
+> x86_64 builds work on both x86_64 and ARM64 Windows (via emulation). See [`installers/windows/`](installers/windows/) for build prerequisites and details.
+
 ### Verify
 
 ```bash
@@ -184,10 +197,10 @@ The skill guides Claude through writing the rule, placing it in the right direct
 |-------|----------|--------|
 | [Claude Code](https://docs.anthropic.com/en/docs/claude-code) | Linux (x86_64, aarch64) | Supported |
 | [Claude Code](https://docs.anthropic.com/en/docs/claude-code) | macOS (Apple Silicon, Intel) | Supported |
+| [Claude Code](https://docs.anthropic.com/en/docs/claude-code) | Windows (x86_64, ARM64) | Supported |
 | [Codex](https://openai.com/index/codex/) | Linux, macOS | Planned |
-| — | Windows | Planned |
 
-We are actively working on expanding agent and platform support. [Codex](https://openai.com/index/codex/) integration and Windows support are next on the roadmap.
+We are actively working on expanding agent and platform support. [Codex](https://openai.com/index/codex/) integration is next on the roadmap.
 
 ## Building from Source
 
@@ -233,6 +246,23 @@ See [`installers/macos/`](installers/macos/) for details.
 
 </details>
 
+<details>
+<summary><strong>Windows</strong></summary>
+
+Requires: Rust (latest stable), Visual Studio 2022+ with C++ workload, CMake 3.24+, vcpkg with curl, .NET Runtime 8+, WiX Toolset v4.
+
+```powershell
+powershell -File installers\windows\package.ps1 -Version 0.1.2
+```
+
+Output: `build/out/coding-agents-kit-0.1.2-windows-x64.msi`
+
+> Falco is built from source on the first run (~10 min). Subsequent builds use the cached binary.
+
+See [`installers/windows/`](installers/windows/) for detailed prerequisites and build options.
+
+</details>
+
 <details>
 <summary><strong>Individual Components</strong></summary>
 
diff --git a/hooks/claude-code/Cargo.lock b/hooks/claude-code/Cargo.lock
index 2173a33..4c97fd6 100644
--- a/hooks/claude-code/Cargo.lock
+++ b/hooks/claude-code/Cargo.lock
@@ -2,12 +2,117 @@
 # It is not intended for manual editing.
 version = 4
 
+[[package]]
+name = "anyhow"
+version = "1.0.102"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
+
+[[package]]
+name = "autocfg"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
+
+[[package]]
+name = "bitflags"
+version = "2.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af"
+
+[[package]]
+name = "cfg-if"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
+
 [[package]]
 name = "claude-interceptor"
 version = "0.1.0"
 dependencies = [
  "serde",
  "serde_json",
+ "uds_windows",
+]
+
+[[package]]
+name = "equivalent"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
+
+[[package]]
+name = "errno"
+version = "0.3.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
+dependencies = [
+ "libc",
+ "windows-sys",
+]
+
+[[package]]
+name = "fastrand"
+version = "2.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"
+
+[[package]]
+name = "foldhash"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
+
+[[package]]
+name = "getrandom"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0de51e6874e94e7bf76d726fc5d13ba782deca734ff60d5bb2fb2607c7406555"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "r-efi",
+ "wasip2",
+ "wasip3",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.15.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
+dependencies = [
+ "foldhash",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.16.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100"
+
+[[package]]
+name = "heck"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
+
+[[package]]
+name = "id-arena"
+version = "2.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954"
+
+[[package]]
+name = "indexmap"
+version = "2.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7714e70437a7dc3ac8eb7e6f8df75fd8eb422675fc7678aff7364301092b1017"
+dependencies = [
+ "equivalent",
+ "hashbrown 0.16.1",
+ "serde",
+ "serde_core",
 ]
 
 [[package]]
@@ -16,12 +121,61 @@ version = "1.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2"
 
+[[package]]
+name = "leb128fmt"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"
+
+[[package]]
+name = "libc"
+version = "0.2.183"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b5b646652bf6661599e1da8901b3b9522896f01e736bad5f723fe7a3a27f899d"
+
+[[package]]
+name = "linux-raw-sys"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53"
+
+[[package]]
+name = "log"
+version = "0.4.29"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
+
 [[package]]
 name = "memchr"
 version = "2.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
 
+[[package]]
+name = "memoffset"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "488016bfae457b036d996092f6cb448677611ce4449e970ceaf42695203f218a"
+dependencies = [
+ "autocfg",
+]
+
+[[package]]
+name = "once_cell"
+version = "1.21.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9f7c3e4beb33f85d45ae3e3a1792185706c8e16d043238c593331cc7cd313b50"
+
+[[package]]
+name = "prettyplease"
+version = "0.2.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b"
+dependencies = [
+ "proc-macro2",
+ "syn",
+]
+
 [[package]]
 name = "proc-macro2"
 version = "1.0.106"
@@ -40,6 +194,31 @@ dependencies = [
  "proc-macro2",
 ]
 
+[[package]]
+name = "r-efi"
+version = "6.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf"
+
+[[package]]
+name = "rustix"
+version = "1.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190"
+dependencies = [
+ "bitflags",
+ "errno",
+ "libc",
+ "linux-raw-sys",
+ "windows-sys",
+]
+
+[[package]]
+name = "semver"
+version = "1.0.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"
+
 [[package]]
 name = "serde"
 version = "1.0.228"
@@ -94,12 +273,197 @@ dependencies = [
  "unicode-ident",
 ]
 
+[[package]]
+name = "tempfile"
+version = "3.27.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
+dependencies = [
+ "fastrand",
+ "getrandom",
+ "once_cell",
+ "rustix",
+ "windows-sys",
+]
+
+[[package]]
+name = "uds_windows"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2f6fb2847f6742cd76af783a2a2c49e9375d0a111c7bef6f71cd9e738c72d6e"
+dependencies = [
+ "memoffset",
+ "tempfile",
+ "windows-sys",
+]
+
 [[package]]
 name = "unicode-ident"
 version = "1.0.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
 
+[[package]]
+name = "unicode-xid"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
+
+[[package]]
+name = "wasip2"
+version = "1.0.2+wasi-0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9517f9239f02c069db75e65f174b3da828fe5f5b945c4dd26bd25d89c03ebcf5"
+dependencies = [
+ "wit-bindgen",
+]
+
+[[package]]
+name = "wasip3"
+version = "0.4.0+wasi-0.3.0-rc-2026-01-06"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5428f8bf88ea5ddc08faddef2ac4a67e390b88186c703ce6dbd955e1c145aca5"
+dependencies = [
+ "wit-bindgen",
+]
+
+[[package]]
+name = "wasm-encoder"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "990065f2fe63003fe337b932cfb5e3b80e0b4d0f5ff650e6985b1048f62c8319"
+dependencies = [
+ "leb128fmt",
+ "wasmparser",
+]
+
+[[package]]
+name = "wasm-metadata"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bb0e353e6a2fbdc176932bbaab493762eb1255a7900fe0fea1a2f96c296cc909"
+dependencies = [
+ "anyhow",
+ "indexmap",
+ "wasm-encoder",
+ "wasmparser",
+]
+
+[[package]]
+name = "wasmparser"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe"
+dependencies = [
+ "bitflags",
+ "hashbrown 0.15.5",
+ "indexmap",
+ "semver",
+]
+
+[[package]]
+name = "windows-link"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
+
+[[package]]
+name = "windows-sys"
+version = "0.61.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
+dependencies = [
+ "windows-link",
+]
+
+[[package]]
+name = "wit-bindgen"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5"
+dependencies = [
+ "wit-bindgen-rust-macro",
+]
+
+[[package]]
+name = "wit-bindgen-core"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ea61de684c3ea68cb082b7a88508a8b27fcc8b797d738bfc99a82facf1d752dc"
+dependencies = [
+ "anyhow",
+ "heck",
+ "wit-parser",
+]
+
+[[package]]
+name = "wit-bindgen-rust"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7c566e0f4b284dd6561c786d9cb0142da491f46a9fbed79ea69cdad5db17f21"
+dependencies = [
+ "anyhow",
+ "heck",
+ "indexmap",
+ "prettyplease",
+ "syn",
+ "wasm-metadata",
+ "wit-bindgen-core",
+ "wit-component",
+]
+
+[[package]]
+name = "wit-bindgen-rust-macro"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c0f9bfd77e6a48eccf51359e3ae77140a7f50b1e2ebfe62422d8afdaffab17a"
+dependencies = [
+ "anyhow",
+ "prettyplease",
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wit-bindgen-core",
+ "wit-bindgen-rust",
+]
+
+[[package]]
+name = "wit-component"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2"
+dependencies = [
+ "anyhow",
+ "bitflags",
+ "indexmap",
+ "log",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "wasm-encoder",
+ "wasm-metadata",
+ "wasmparser",
+ "wit-parser",
+]
+
+[[package]]
+name = "wit-parser"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ecc8ac4bc1dc3381b7f59c34f00b67e18f910c2c0f50015669dde7def656a736"
+dependencies = [
+ "anyhow",
+ "id-arena",
+ "indexmap",
+ "log",
+ "semver",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "unicode-xid",
+ "wasmparser",
+]
+
 [[package]]
 name = "zmij"
 version = "1.0.21"
diff --git a/hooks/claude-code/Cargo.toml b/hooks/claude-code/Cargo.toml
index a41d157..6c1b44c 100644
--- a/hooks/claude-code/Cargo.toml
+++ b/hooks/claude-code/Cargo.toml
@@ -12,6 +12,9 @@ path = "src/main.rs"
 serde = { version = "1", features = ["derive"] }
 serde_json = { version = "1", features = ["raw_value"] }
 
+[target.'cfg(windows)'.dependencies]
+uds_windows = "1.2"
+
 [profile.release]
 opt-level = "z"
 lto = true
diff --git a/hooks/claude-code/src/main.rs b/hooks/claude-code/src/main.rs
index e36c83b..0af1816 100644
--- a/hooks/claude-code/src/main.rs
+++ b/hooks/claude-code/src/main.rs
@@ -25,8 +25,8 @@
 use serde::{Deserialize, Serialize};
 use std::env;
 use std::io::{self, BufRead, Read, Write};
+#[cfg(unix)]
 use std::net::Shutdown;
-use std::os::unix::net::UnixStream;
 use std::process;
 use std::time::{Duration, Instant};
 
@@ -84,6 +84,7 @@ struct HookSpecificOutput<'a> {
 const DEFAULT_TIMEOUT_MS: u64 = 5000;
 const TIMEOUT_MIN_MS: u64 = 100;
 const TIMEOUT_MAX_MS: u64 = 30000;
+#[cfg(unix)]
 const SOCKET_SUFFIX: &str = "/.coding-agents-kit/run/broker.sock";
 const INPUT_MAX: usize = 64 * 1024;
 const RESPONSE_MAX: u64 = 64 * 1024;
@@ -144,11 +145,24 @@ fn get_socket_path() -> String {
             return v;
         }
     }
-    let home = env::var("HOME").unwrap_or_default();
-    if home.is_empty() {
-        return String::new();
+    #[cfg(unix)]
+    {
+        let home = env::var("HOME").unwrap_or_default();
+        if home.is_empty() {
+            return String::new();
+        }
+        format!("{home}{SOCKET_SUFFIX}")
+    }
+    #[cfg(windows)]
+    {
+        // MSI installs to %LOCALAPPDATA%\coding-agents-kit (not %USERPROFILE%)
+        let base = env::var("LOCALAPPDATA").unwrap_or_default();
+        if base.is_empty() {
+            return String::new();
+        }
+        // Use forward slashes — YAML configs and AF_UNIX paths must match exactly.
+        format!("{}/coding-agents-kit/run/broker.sock", base.replace('\\', "/"))
     }
-    format!("{home}{SOCKET_SUFFIX}")
 }
 
 fn get_timeout() -> Duration {
@@ -176,8 +190,12 @@ fn remaining_timeout(start: Instant, timeout: Duration) -> Result<Duration, Stri
 fn communicate(socket_path: &str, request: &[u8], timeout: Duration) -> Result<Response, String> {
     let start = Instant::now();
 
-    let stream =
-        UnixStream::connect(socket_path).map_err(|e| format!("broker unavailable: {e}"))?;
+    #[cfg(unix)]
+    let stream = std::os::unix::net::UnixStream::connect(socket_path)
+        .map_err(|e| format!("broker unavailable: {e}"))?;
+    #[cfg(windows)]
+    let stream = uds_windows::UnixStream::connect(socket_path)
+        .map_err(|e| format!("broker unavailable: {e}"))?;
 
     // Send request.
     let remaining = remaining_timeout(start, timeout)?;
@@ -188,7 +206,11 @@ fn communicate(socket_path: &str, request: &[u8], timeout: Duration) -> Result<R
         .write_all(request)
         .map_err(|e| format!("broker write failed: {e}"))?;
 
-    // Signal we're done writing so the broker knows the full request arrived.
+    // Signal end-of-write so the broker's read_line can detect EOF alongside
+    // the \n delimiter. Skipped on Windows: shutdown(SD_SEND) on AF_UNIX
+    // resets the connection on some Windows builds, preventing the broker
+    // from writing the verdict back to the interceptor.
+    #[cfg(unix)]
     stream
         .shutdown(Shutdown::Write)
         .map_err(|e| format!("broker shutdown failed: {e}"))?;
@@ -272,9 +294,11 @@ fn run() -> Result<(), Error> {
     // Step 4: Configuration.
     let socket_path = get_socket_path();
     if socket_path.is_empty() {
-        return Err(Error::BrokerError(
-            "HOME not set, cannot locate broker socket".into(),
-        ));
+        #[cfg(unix)]
+        let msg = "HOME not set, cannot locate broker socket";
+        #[cfg(windows)]
+        let msg = "LOCALAPPDATA not set, cannot locate broker socket";
+        return Err(Error::BrokerError(msg.into()));
     }
     let timeout = get_timeout();
 
diff --git a/installers/windows/Package.wxs b/installers/windows/Package.wxs
new file mode 100644
index 0000000..6a974cd
--- /dev/null
+++ b/installers/windows/Package.wxs
@@ -0,0 +1,141 @@
+<Wix xmlns="http://wixtoolset.org/schemas/v4/wxs"
+  xmlns:ui="http://wixtoolset.org/schemas/v4/wxs/ui">
+  <Package Name="coding-agents-kit"
+           Manufacturer="Falco Authors"
+           Version="$(var.ProductVersion)"
+           ProductCode="$(var.ProductCode)"
+           UpgradeCode="B2C3D4E5-F6A7-8901-BCDE-F12345678901"
+           Scope="perUser">
+
+    <MajorUpgrade DowngradeErrorMessage="A newer version of coding-agents-kit is already installed."
+            AllowSameVersionUpgrades="yes" />
+    <MediaTemplate EmbedCab="yes" />
+
+    <Feature Id="Complete" Title="coding-agents-kit" Level="1">
+      <ComponentGroupRef Id="BinFiles" />
+      <ComponentGroupRef Id="ShareFiles" />
+      <ComponentGroupRef Id="RulesDefaultFiles" />
+      <ComponentGroupRef Id="RulesSeenFile" />
+      <ComponentGroupRef Id="RulesUserDir" />
+      <ComponentGroupRef Id="ScriptFiles" />
+      <ComponentGroupRef Id="RuntimeDirs" />
+    </Feature>
+
+    <ui:WixUI Id="WixUI_InstallDir" />
+    <Property Id="WIXUI_INSTALLDIR" Value="INSTALLDIR" />
+
+    <!-- Run post-install setup at the end of MSI install so double-clicking
+         the MSI is sufficient for a working installation. -->
+    <CustomAction Id="SetRunPostInstallCmdLine"
+                  Property="RunPostInstall"
+                  Value='"[System64Folder]WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "[#PostInstallScriptFile]"' />
+
+    <CustomAction Id="RunPostInstall"
+                  BinaryRef="$(var.UtilCABinaryRef)"
+                  DllEntry="WixQuietExec64"
+                  Execute="deferred"
+                  Impersonate="yes"
+                  Return="check" />
+
+    <InstallExecuteSequence>
+      <Custom Action="SetRunPostInstallCmdLine" After="InstallFiles" Condition="NOT Installed AND NOT REMOVE" />
+      <Custom Action="RunPostInstall" After="SetRunPostInstallCmdLine" Condition="NOT Installed AND NOT REMOVE" />
+    </InstallExecuteSequence>
+  </Package>
+
+  <!-- Directory layout under %LOCALAPPDATA%\coding-agents-kit\ -->
+  <Fragment>
+    <StandardDirectory Id="LocalAppDataFolder">
+      <Directory Id="INSTALLDIR" Name="coding-agents-kit">
+        <Directory Id="BINDIR" Name="bin" />
+        <Directory Id="SHAREDIR" Name="share" />
+        <Directory Id="CONFIGDIR" Name="config" />
+        <Directory Id="RULESDIR" Name="rules">
+          <Directory Id="RULESDEFAULTDIR" Name="default" />
+          <Directory Id="RULESUSERDIR" Name="user" />
+        </Directory>
+        <Directory Id="SCRIPTSDIR" Name="scripts" />
+        <Directory Id="RUNDIR" Name="run" />
+        <Directory Id="LOGDIR" Name="log" />
+      </Directory>
+    </StandardDirectory>
+  </Fragment>
+
+  <!-- Binaries -->
+  <Fragment>
+    <ComponentGroup Id="BinFiles" Directory="BINDIR">
+      <Component>
+        <File Source="$(var.StageDir)\bin\falco.exe" />
+      </Component>
+      <Component>
+        <File Source="$(var.StageDir)\bin\claude-interceptor.exe" />
+      </Component>
+      <Component>
+        <File Source="$(var.StageDir)\bin\coding-agents-kit-ctl.exe" />
+      </Component>
+      <Component>
+        <File Source="$(var.StageDir)\bin\coding-agents-kit-launcher.ps1" />
+      </Component>
+    </ComponentGroup>
+  </Fragment>
+
+  <!-- Plugin shared library -->
+  <Fragment>
+    <ComponentGroup Id="ShareFiles" Directory="SHAREDIR">
+      <Component>
+        <File Source="$(var.StageDir)\share\coding_agent.dll" />
+      </Component>
+    </ComponentGroup>
+  </Fragment>
+
+  <!-- Default rules -->
+  <Fragment>
+    <ComponentGroup Id="RulesDefaultFiles" Directory="RULESDEFAULTDIR">
+      <Component>
+        <File Source="$(var.StageDir)\rules\default\coding_agents_rules.yaml" />
+      </Component>
+    </ComponentGroup>
+  </Fragment>
+
+  <!-- Seen rule (loaded last) -->
+  <Fragment>
+    <ComponentGroup Id="RulesSeenFile" Directory="RULESDIR">
+      <Component>
+        <File Source="$(var.StageDir)\rules\seen.yaml" />
+      </Component>
+    </ComponentGroup>
+  </Fragment>
+
+  <!-- User rules directory (preserved on upgrade) -->
+  <Fragment>
+    <ComponentGroup Id="RulesUserDir" Directory="RULESUSERDIR">
+      <Component Id="RulesUserDirComp" Guid="D1E2F3A4-B5C6-7890-ABCD-EF1234567890">
+        <CreateFolder />
+      </Component>
+    </ComponentGroup>
+  </Fragment>
+
+  <!-- Install scripts -->
+  <Fragment>
+    <ComponentGroup Id="ScriptFiles" Directory="SCRIPTSDIR">
+      <Component>
+        <File Id="PostInstallScriptFile" Source="$(var.StageDir)\scripts\postinstall.ps1" />
+      </Component>
+      <Component>
+        <File Id="UninstallScriptFile" Source="$(var.StageDir)\scripts\uninstall.ps1" />
+      </Component>
+    </ComponentGroup>
+  </Fragment>
+
+  <!-- Runtime directories (run/, log/) -->
+  <Fragment>
+    <ComponentGroup Id="RuntimeDirs">
+      <Component Id="RunDirComp" Guid="E2F3A4B5-C6D7-8901-BCDE-F12345678902" Directory="RUNDIR">
+        <CreateFolder />
+      </Component>
+      <Component Id="LogDirComp" Guid="F3A4B5C6-D7E8-9012-CDEF-012345678903" Directory="LOGDIR">
+        <CreateFolder />
+      </Component>
+    </ComponentGroup>
+  </Fragment>
+</Wix>
diff --git a/installers/windows/README.md b/installers/windows/README.md
new file mode 100644
index 0000000..785474d
--- /dev/null
+++ b/installers/windows/README.md
@@ -0,0 +1,276 @@
+# Windows Build & Installation Guide
+
+## Architecture
+
+### Platform
+
+Builds target the native architecture of the machine. The build scripts auto-detect x86_64 or ARM64 and compile accordingly.
+
+### Pipeline
+
+The Windows port uses the same Falco plugin architecture as Linux/macOS. Alert delivery uses Falco's native `http_output` on all platforms:
+
+```
+Claude Code
+    │  PreToolUse hook
+    ▼
+claude-interceptor.exe ──Unix socket──▶ Plugin broker (in Falco)
+                                              │
+                                              ▼
+                                       Falco rule engine
+                                              │
+                                              ▼
+                                       http_output (curl)
+                                              │
+                                              ▼
+                                       Plugin HTTP server
+                                              │
+                                              ▼
+                                       Verdict resolution
+                                              │
+                                              ▼
+                                   Response to interceptor
+```
+
+| Component | Linux/macOS | Windows |
+|-----------|------------|---------|
+| Interceptor → broker | Unix domain socket | Unix domain socket (via `uds_windows` crate) |
+| Broker | Embedded in plugin | Embedded in plugin |
+| Plugin | .so / .dylib loaded by Falco | .dll loaded by Falco |
+| Alert delivery | Falco `http_output` (curl) | Falco `http_output` (curl, patched in) |
+| Processes | 1 (Falco) | 1 (Falco) |
+
+### http_output on Windows
+
+Falco's upstream build excludes `http_output` on Windows (CMake and preprocessor guards). A single patch (`falco-windows-http-output.patch`) enables it using the same `HAS_HTTP_OUTPUT` pattern as the macOS patch. System curl is provided via vcpkg with SChannel backend (no OpenSSL dependency). The patch also handles SChannel-specific curl limitations:
+
+- **NOPROXY**: Adds `CURLOPT_NOPROXY="*"` to bypass system/environment proxy settings for localhost alert delivery. Tolerates `CURLE_NOT_BUILT_IN` because the SChannel curl backend may omit proxy support.
+- **CA path**: Wraps the CA certificate path/bundle options in a Windows-specific block that tolerates `CURLE_NOT_BUILT_IN`. SChannel uses the Windows Certificate Store automatically and does not support `CURLOPT_CAPATH` / `CURLOPT_CAINFO`.
+- **Plugin path resolution**: Replaces the POSIX-only `path[0] != '/'` check with `std::filesystem::path::has_root_path()` so that Windows absolute paths (`C:/...`) are recognized correctly and not prepended with the default plugins directory.
+
+## Prerequisites
+
+Install the following in order. All commands should be run from PowerShell.
+
+### 1. Visual Studio Build Tools
+
+Install [Visual Studio 2022+](https://visualstudio.microsoft.com/) (Community is free) with:
+- **Desktop development with C++** workload
+  - MSVC v143+ build tools
+  - Windows SDK (10.0 or later)
+  - C++ CMake tools for Windows
+
+Verify:
+```powershell
+# Open "Developer Command Prompt for VS" and run:
+cl
+cmake --version   # requires 3.24+
+```
+
+### 2. Git
+
+Install [Git for Windows](https://git-scm.com/download/win).
+
+```powershell
+git --version
+```
+
+### 3. Rust
+
+```powershell
+Invoke-WebRequest -Uri https://win.rustup.rs/x86_64 -OutFile rustup-init.exe
+.\rustup-init.exe -y
+# Restart your shell, then:
+rustc --version    # requires 1.80+
+cargo --version
+```
+
+On ARM64 Windows, rustup installs the native `stable-aarch64-pc-windows-msvc` toolchain. Add the x64 target only if you need cross-compilation:
+```powershell
+rustup target add x86_64-pc-windows-msvc
+```
+
+### 4. vcpkg + curl
+
+vcpkg provides the system curl library used by Falco's `http_output`.
+
+```powershell
+git clone https://github.com/microsoft/vcpkg
+.\vcpkg\bootstrap-vcpkg.bat
+
+# Install curl for your architecture:
+.\vcpkg\vcpkg install curl:x64-windows-static      # x64 hosts
+.\vcpkg\vcpkg install curl:arm64-windows-static     # ARM64 hosts
+
+# REQUIRED: set VCPKG_ROOT so the build scripts find it:
+$env:VCPKG_ROOT = (Resolve-Path .\vcpkg).Path
+# To persist across sessions, add to your PowerShell profile or system env vars.
+```
+
+Note: on recent vcpkg baselines, the `schannel` feature name is not required for this use case. The packaging/build scripts only require `libcurl.lib` to be present under the selected triplet.
+
+### 5. .NET Runtime + WiX Toolset (for MSI packaging)
+
+```powershell
+winget install Microsoft.DotNet.Runtime.9 --accept-package-agreements --accept-source-agreements
+dotnet tool install --global wix
+wix eula accept wix7
+wix --version
+```
+
+WiX v7 requires explicit OSMF EULA acceptance. Without this, packaging fails with `WIX7015`.
+
+## Building
+
+### Quick Build (all components + MSI)
+
+```powershell
+# From the repository root (VCPKG_ROOT must be set):
+$env:VCPKG_ROOT = 'C:\path\to\vcpkg'
+powershell -ExecutionPolicy Bypass -File installers\windows\package.ps1 -Version 0.1.2
+```
+
+This single command:
+1. Compiles all Rust crates for the native architecture (interceptor, plugin DLL, ctl)
+2. Clones and builds Falco 0.43.0 from source with patches (~10 min first time, cached after)
+3. Stages all files and produces the MSI installer
+
+Output: `build/out/coding-agents-kit-<version>-windows-<arch>.msi`
+
+### Step-by-Step Build
+
+```powershell
+$env:VCPKG_ROOT = 'C:\path\to\vcpkg'
+
+# 1. Build Rust crates (auto-detects native target)
+cd hooks\claude-code && cargo build --release && cd ..\..
+cd plugins\coding-agent-plugin && cargo build --release && cd ..\..
+cd tools\coding-agents-kit-ctl && cargo build --release && cd ..\..
+
+# 2. Build Falco from source (~10 minutes first time, cached after)
+powershell -ExecutionPolicy Bypass -File installers\windows\build-falco.ps1
+
+# 3. Package MSI (uses pre-built components)
+powershell -ExecutionPolicy Bypass -File installers\windows\package.ps1 -SkipRustBuild -SkipFalcoBuild
+```
+
+### Build Options
+
+| Flag | Description |
+|------|-------------|
+| `-Version 0.1.2` | Package version (semantic versioning) |
+| `-Arch x64` or `-Arch arm64` | Target architecture (default: auto-detected from hardware) |
+| `-SkipRustBuild` | Skip Rust compilation (use pre-built binaries) |
+| `-SkipFalcoBuild` | Skip Falco build (use cached build) |
+| `-FalcoExe <path>` | Use a specific pre-built `falco.exe` |
+
+## Installing
+
+### MSI install + post-install setup
+
+```powershell
+# 1. Install the MSI (shows wizard, or use /quiet for silent)
+msiexec /i build\out\coding-agents-kit-0.1.2-windows-arm64.msi
+
+# 2. Run post-install setup (generates config, registers hook, adds bin/ to PATH)
+powershell -ExecutionPolicy Bypass -File "$env:LOCALAPPDATA\coding-agents-kit\scripts\postinstall.ps1"
+
+# 3. Open a NEW terminal (so the updated PATH takes effect), then:
+coding-agents-kit-ctl start
+Start-Sleep 5
+coding-agents-kit-ctl health
+```
+
+Expected output: `OK: pipeline healthy (synthetic event → allow)`
+
+### Helper script (alternative)
+
+The `Install-CodingAgentsKit.ps1` helper script runs the MSI silently and then runs post-install setup:
+
+```powershell
+powershell -ExecutionPolicy Bypass -File build\out\Install-CodingAgentsKit.ps1
+```
+
+If the product is already installed, it opens the MSI maintenance UI instead of forcing a silent reinstall.
+
+### What the installer does
+
+- Deploys binaries, plugin DLL, rules, and scripts to `%LOCALAPPDATA%\coding-agents-kit\`
+- Post-install generates Falco configuration with resolved Windows paths
+- Registers the Claude Code interceptor hook in `~/.claude/settings.json`
+- Adds `bin/` to the user PATH (persistent, so `coding-agents-kit-ctl` works without full path)
+- Sets up auto-start via Registry Run key
+
+### Uninstalling
+
+**Always use the uninstall helper script** — it runs the cleanup script, removes the Claude Code hook, removes the auto-start registry key, and then removes the MSI-managed files:
+
+```powershell
+powershell -ExecutionPolicy Bypass -File Uninstall-CodingAgentsKit.ps1
+```
+
+> **Warning**: Do NOT uninstall via Apps & Features or `msiexec /x` directly. The MSI alone cannot run cleanup scripts (Windows limitation for per-user installs), so the Claude Code hook and auto-start registry key would be left behind, leaving Claude Code in a fail-closed state.
+
+## Running Tests
+
+Tests are written in Rust and located in the `tests/` directory:
+
+```powershell
+# Run all tests (requires Falco + plugin built)
+cargo test --manifest-path tests/Cargo.toml
+
+# Interceptor unit tests only (mock broker, no Falco needed)
+cargo test --manifest-path tests/Cargo.toml --test interceptor
+
+# End-to-end tests (requires Falco in PATH or FALCO_BIN set)
+cargo test --manifest-path tests/Cargo.toml --test e2e
+```
+
+## Directory Layout (installed)
+
+```
+%LOCALAPPDATA%\coding-agents-kit\
+├── bin\
+│   ├── falco.exe                          # Falco rule engine
+│   ├── claude-interceptor.exe             # Claude Code hook
+│   ├── coding-agents-kit-ctl.exe          # Service management CLI
+│   └── coding-agents-kit-launcher.ps1     # Service launcher
+├── share\
+│   └── coding_agent.dll                   # Falco plugin (source + extract)
+├── config\
+│   ├── falco.yaml                         # Base Falco config
+│   └── falco.coding_agents_plugin.yaml    # Plugin + rules config
+├── rules\
+│   ├── default\coding_agents_rules.yaml   # Default security rules
+│   ├── user\                              # Custom user rules (preserved on upgrade)
+│   └── seen.yaml                          # Catch-all rule (required)
+├── scripts\
+│   ├── postinstall.ps1                    # Post-install setup
+│   └── uninstall.ps1                      # Pre-uninstall cleanup
+├── run\                                   # Runtime state
+└── log\                                   # Falco log files
+```
+
+## Known Caveats
+
+- **`VCPKG_ROOT` must be set**: The Falco build script requires `VCPKG_ROOT` pointing to your vcpkg installation. The build fails immediately without it. Set it in your environment or pass it before each build command.
+
+- **`-ExecutionPolicy Bypass`**: Windows default execution policy blocks PowerShell scripts. Always use `powershell -ExecutionPolicy Bypass -File <script>` when running the build, packaging, or install scripts.
+
+- **External tools write to stderr**: `cargo`, `cmd.exe`, and `vswhere.exe` write non-fatal output to stderr. Since the build scripts use `$ErrorActionPreference = 'Stop'`, unguarded external calls fail. The scripts use `2>&1 | ForEach-Object { "$_" }` to merge stderr safely. If you add new external tool calls, follow the same pattern.
+
+- **`broker response timeout` / stale pending requests**: If Claude Code tool calls are denied with a broker timeout and Falco logs show `reaping stale pending request`, the alert round-trip is not completing. The most common cause is a misconfigured `http_output.url` in `falco.yaml` (must match the plugin's `http_port`). Run `coding-agents-kit-ctl health` to confirm the pipeline is healthy after starting the service.
+
+- **`basename()` in rules on Windows**: Falco's `basename()` transformer uses POSIX logic (splits on `/`). Use `basename(tool.real_file_path)` (forward slashes, normalized by the plugin) not `basename(tool.file_path)` (raw, may contain backslashes on Windows).
+
+- **ARM64 hosts and Rust/MSVC arch alignment**: On ARM64 Windows, use matching ARM64 toolchain for Rust host (`stable-aarch64-pc-windows-msvc`) and MSVC (`vcvarsall arm64`) when building ARM64 artifacts. Mixed host/target toolchains can fail with unresolved externals at link time.
+
+- **Falco nested CMake generator on ARM64 hosts**: Falco's `falcosecurity-libs` nested configure may choose a Visual Studio generator/platform different from the top-level build if generator/platform are not forwarded explicitly. Keep nested and top-level generator settings aligned to avoid `VCTargetsPath` / platform mismatch errors.
+
+- **Git Bash PATH shadowing**: Git Bash's `/usr/bin/tar` misinterprets Windows paths with `C:` as a remote host. The build scripts prepend `C:\Windows\System32` to PATH so Windows native `tar.exe` is used. If running build scripts manually from Git Bash, use: `powershell -File <script>`.
+
+- **Falco patches**: Patch files must be normalized from CRLF to LF before `git apply`. The `build-falco.ps1` script handles this automatically.
+
+- **Falco launched from Git Bash**: Falco may segfault when launched directly from Git Bash due to stdin/stdout handling differences. Always launch via PowerShell or `cmd.exe`. The test scripts and launcher handle this correctly.
+
+- **Path separators in rules**: The plugin normalizes all `real_file_path` and `real_cwd` fields to forward slashes (`C:/Users/...`), so Falco rules should use forward slashes for `startswith` and `contains` comparisons.
diff --git a/installers/windows/build-falco.ps1 b/installers/windows/build-falco.ps1
new file mode 100644
index 0000000..a7d82cb
--- /dev/null
+++ b/installers/windows/build-falco.ps1
@@ -0,0 +1,270 @@
+#Requires -Version 5.1
+<#
+.SYNOPSIS
+    Build Falco from source on Windows with http_output support.
+
+.DESCRIPTION
+    Clones the Falco repository at a specific tag, applies patches to
+    enable http_output on Windows, and builds with MSVC.
+    Requires vcpkg with curl installed (SChannel backend, static).
+
+.PARAMETER Version
+    Falco version tag to build (default: 0.43.0).
+
+.PARAMETER OutputDir
+    Directory for the built falco.exe (default: build/falco-VERSION-windows-ARCH).
+
+.PARAMETER Arch
+    MSVC architecture target: x64 or arm64 (default: x64).
+
+.PARAMETER Force
+    Rebuild even if cached build exists.
+#>
+param(
+    [string]$Version = '0.43.0',
+    [string]$OutputDir = '',
+    [string]$Arch = 'x64',
+    [switch]$Force
+)
+
+Set-StrictMode -Version Latest
+$ErrorActionPreference = 'Stop'
+
+$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
+$RootDir = Split-Path -Parent (Split-Path -Parent $ScriptDir)
+$BuildBase = Join-Path $RootDir 'build'
+$SrcDir = Join-Path $BuildBase "falco-src-$Version"
+$Tag = $Version
+
+if ([string]::IsNullOrWhiteSpace($OutputDir)) {
+    $OutputDir = Join-Path $BuildBase "falco-$Version-windows-$Arch"
+}
+
+$FalcoExe = Join-Path $OutputDir 'falco.exe'
+if ((Test-Path $FalcoExe) -and -not $Force) {
+    Write-Host "Falco already built at $FalcoExe (use -Force to rebuild)"
+    exit 0
+}
+
+# ---------------------------------------------------------------------------
+# Prerequisites
+# ---------------------------------------------------------------------------
+
+function Resolve-RequiredCommand([string]$Name) {
+    $cmd = Get-Command $Name -ErrorAction SilentlyContinue
+    if (-not $cmd) { throw "Missing required command: $Name" }
+    return $cmd.Source
+}
+
+$Git = Resolve-RequiredCommand 'git'
+$CMake = Resolve-RequiredCommand 'cmake'
+$Tar = Resolve-RequiredCommand 'tar.exe'
+
+# vcpkg is required for system curl (http_output uses curl to POST alerts).
+$VcpkgRoot = $env:VCPKG_ROOT
+if (-not $VcpkgRoot) { $VcpkgRoot = $env:VCPKG_INSTALLATION_ROOT }
+if (-not $VcpkgRoot -or -not (Test-Path $VcpkgRoot)) {
+    throw @"
+vcpkg not found. Set VCPKG_ROOT to your vcpkg installation directory.
+Install vcpkg:  git clone https://github.com/microsoft/vcpkg && .\vcpkg\bootstrap-vcpkg.bat
+Install curl:   vcpkg install curl:$Arch-windows-static
+"@
+}
+$VcpkgToolchain = Join-Path $VcpkgRoot 'scripts\buildsystems\vcpkg.cmake'
+if (-not (Test-Path $VcpkgToolchain)) {
+    throw "vcpkg toolchain file not found: $VcpkgToolchain"
+}
+$VcpkgTriplet = "$Arch-windows-static"
+
+# Verify curl is installed in vcpkg for the target triplet.
+$curlLib = Join-Path $VcpkgRoot "installed\$VcpkgTriplet\lib\libcurl.lib"
+if (-not (Test-Path $curlLib)) {
+    throw @"
+curl not found in vcpkg for triplet $VcpkgTriplet.
+Install:  vcpkg install curl:$VcpkgTriplet
+"@
+}
+
+# Find vcvarsall.bat
+$VcVarsAll = $null
+$vsWhere = Join-Path ${env:ProgramFiles(x86)} 'Microsoft Visual Studio\Installer\vswhere.exe'
+if (Test-Path $vsWhere) {
+    $installPath = & $vsWhere -latest -products * `
+        -requires Microsoft.VisualStudio.Component.VC.Tools.x86.x64 `
+        -property installationPath 2>$null
+    if ($installPath) {
+        $candidate = Join-Path $installPath 'VC\Auxiliary\Build\vcvarsall.bat'
+        if (Test-Path $candidate) { $VcVarsAll = $candidate }
+    }
+}
+if (-not $VcVarsAll) {
+    $candidates = Get-ChildItem 'C:\Program Files\Microsoft Visual Studio' -Recurse `
+        -Filter vcvarsall.bat -ErrorAction SilentlyContinue
+    if ($candidates) { $VcVarsAll = $candidates[0].FullName }
+}
+if (-not $VcVarsAll) { throw 'Could not find vcvarsall.bat. Install Visual Studio Build Tools.' }
+
+# ---------------------------------------------------------------------------
+# Clone Falco source
+# ---------------------------------------------------------------------------
+
+if (-not (Test-Path (Join-Path $SrcDir 'CMakeLists.txt'))) {
+    Write-Host "=== Cloning Falco $Tag ==="
+    if (Test-Path $SrcDir) { Remove-Item $SrcDir -Recurse -Force }
+    # Git writes progress to stderr; temporarily allow non-terminating errors
+    $prevPref = $ErrorActionPreference
+    $ErrorActionPreference = 'Continue'
+    # Clone with autocrlf=false so source files stay LF — patches are
+    # normalized to LF and context matching requires consistent line endings.
+    & $Git -c core.autocrlf=false clone --depth 1 --branch $Tag `
+        https://github.com/falcosecurity/falco.git $SrcDir 2>&1 | ForEach-Object { Write-Host $_ }
+    $ErrorActionPreference = $prevPref
+    if ($LASTEXITCODE -ne 0) { throw 'Failed to clone Falco.' }
+    if (-not (Test-Path (Join-Path $SrcDir 'CMakeLists.txt'))) {
+        throw 'Falco clone completed but CMakeLists.txt not found.'
+    }
+}
+
+# ---------------------------------------------------------------------------
+# Apply patches
+# ---------------------------------------------------------------------------
+
+$PatchDir = $ScriptDir  # patches are alongside this script
+$patches = @(
+    (Join-Path $PatchDir 'falco-windows-http-output.patch')
+)
+
+foreach ($patchPath in $patches) {
+    if (-not (Test-Path $patchPath)) {
+        Write-Host "Patch not found, skipping: $patchPath"
+        continue
+    }
+    $patchName = Split-Path $patchPath -Leaf
+
+    # Normalise patch for git apply on Windows (CRLF handling).
+    # Must happen before --check since the raw file may have CRLF from git checkout.
+    $tmpPatch = Join-Path $env:TEMP "falco-apply-$patchName"
+    $lines = [System.IO.File]::ReadAllLines($patchPath)
+    $inHunk = $false
+    $normalised = [System.Collections.Generic.List[string]]::new()
+    foreach ($line in $lines) {
+        $line = $line.TrimEnd("`r")
+        if ($line -match '^@@') { $inHunk = $true }
+        if ($inHunk -and $line -eq '') { $line = ' ' }
+        $normalised.Add($line)
+    }
+    while ($normalised.Count -gt 0 -and $normalised[$normalised.Count - 1].Trim() -eq '') {
+        $normalised.RemoveAt($normalised.Count - 1)
+    }
+    $utf8NoBom = New-Object System.Text.UTF8Encoding $false
+    [System.IO.File]::WriteAllLines($tmpPatch, $normalised, $utf8NoBom)
+
+    # Check if patch applies cleanly (git apply --check writes to stderr, suppress errors)
+    $prevPref = $ErrorActionPreference
+    $ErrorActionPreference = 'Continue'
+    $null = & $Git -c safe.directory=* -C $SrcDir apply --check --whitespace=nowarn `
+        --recount --ignore-whitespace $tmpPatch 2>&1
+    $checkExit = $LASTEXITCODE
+    $ErrorActionPreference = $prevPref
+    if ($checkExit -ne 0) {
+        # Distinguish "already applied" from "does not apply". Failing closed
+        # avoids silently producing binaries without required fixes.
+        $prevPref = $ErrorActionPreference
+        $ErrorActionPreference = 'Continue'
+        $null = & $Git -c safe.directory=* -C $SrcDir apply --reverse --check --whitespace=nowarn `
+            --recount --ignore-whitespace $tmpPatch 2>&1
+        $reverseExit = $LASTEXITCODE
+        $ErrorActionPreference = $prevPref
+
+        Remove-Item $tmpPatch -Force -ErrorAction SilentlyContinue
+        if ($reverseExit -eq 0) {
+            Write-Host "Patch already applied, skipping: $patchName"
+            continue
+        }
+
+        throw "Patch does not apply cleanly and is not already applied: $patchName"
+    }
+
+    Write-Host "Applying patch: $patchName"
+    & $Git -c safe.directory=* -C $SrcDir apply --whitespace=nowarn --recount --ignore-whitespace $tmpPatch
+    if ($LASTEXITCODE -ne 0) { throw "Patch apply failed: $patchName" }
+    Remove-Item $tmpPatch -Force -ErrorAction SilentlyContinue
+}
+
+# Ensure nested falcosecurity-libs configure uses the same generator/platform
+# as the top-level build. On ARM64 hosts, failing to forward these values can
+# cause an unexpected VS/ARM64 fallback in nested CMake runs.
+$libsCmake = Join-Path $SrcDir 'cmake\modules\falcosecurity-libs.cmake'
+if (Test-Path $libsCmake) {
+    $libsText = Get-Content $libsCmake -Raw
+    if ($libsText -notmatch '-G "\$\{CMAKE_GENERATOR\}"') {
+        $libsText = $libsText -replace '(COMMAND\s+"\$\{CMAKE_COMMAND\}"\s+-DCMAKE_BUILD_TYPE="\$\{CMAKE_BUILD_TYPE\}")', '$1 -G "${CMAKE_GENERATOR}" -A "${CMAKE_GENERATOR_PLATFORM}"'
+        Set-Content -Path $libsCmake -Value $libsText -Encoding UTF8
+        Write-Host 'Applied nested CMake generator/platform forwarding fix.'
+    }
+}
+
+# ---------------------------------------------------------------------------
+# Build
+# ---------------------------------------------------------------------------
+
+$BuildDir = Join-Path $BuildBase "falco-build-$Version-$Arch"
+New-Item -ItemType Directory -Force -Path $OutputDir | Out-Null
+if (Test-Path $BuildDir) {
+    Write-Host 'Removing stale Falco build directory...'
+    Remove-Item $BuildDir -Recurse -Force -ErrorAction SilentlyContinue
+}
+New-Item -ItemType Directory -Force -Path $BuildDir | Out-Null
+
+Write-Host "=== Building Falco $Version ($Arch) ==="
+
+$cmdPath = Join-Path $BuildDir 'build-falco.cmd'
+$script = @"
+@echo off
+setlocal
+call "$VcVarsAll" $Arch
+if %ERRORLEVEL% neq 0 exit /b 1
+
+"$CMake" -S "$SrcDir" -B "$BuildDir" -G "NMake Makefiles" ^
+    -DUSE_BUNDLED_DEPS=ON ^
+    -DUSE_BUNDLED_CURL=OFF ^
+    -DCMAKE_TOOLCHAIN_FILE="$VcpkgToolchain" ^
+    -DVCPKG_TARGET_TRIPLET=$VcpkgTriplet ^
+    -DMINIMAL_BUILD=ON ^
+    -DBUILD_FALCO_MODERN_BPF=OFF ^
+    -DBUILD_WARNINGS_AS_ERRORS=OFF ^
+    -DBUILD_FALCO_UNIT_TESTS=OFF ^
+    -DCREATE_TEST_TARGETS=OFF ^
+    -DCMAKE_BUILD_TYPE=Release
+if %ERRORLEVEL% neq 0 exit /b 1
+
+"$CMake" --build "$BuildDir" --target falco
+if %ERRORLEVEL% neq 0 exit /b 1
+exit /b 0
+"@
+Set-Content -Path $cmdPath -Value $script -Encoding ASCII
+
+try {
+    # Temporarily allow non-terminating errors so that harmless CMake
+    # deprecation warnings on stderr do not trigger ErrorActionPreference Stop.
+    $prevPref = $ErrorActionPreference
+    $ErrorActionPreference = 'Continue'
+    & cmd.exe /d /c $cmdPath
+    $ErrorActionPreference = $prevPref
+    if ($LASTEXITCODE -ne 0) { throw 'Falco Windows build failed.' }
+} finally {
+    Remove-Item $cmdPath -Force -ErrorAction SilentlyContinue
+}
+
+# Find the built falco.exe
+$builtExe = $null
+foreach ($candidate in @(
+    (Join-Path $BuildDir 'userspace\falco\falco.exe'),
+    (Join-Path $BuildDir 'userspace\falco\Release\falco.exe')
+)) {
+    if (Test-Path $candidate) { $builtExe = $candidate; break }
+}
+if (-not $builtExe) { throw 'falco.exe not found after build.' }
+
+Copy-Item $builtExe $FalcoExe -Force
+Write-Host "Falco built: $FalcoExe"
diff --git a/installers/windows/coding-agents-kit-launcher.ps1 b/installers/windows/coding-agents-kit-launcher.ps1
new file mode 100644
index 0000000..300e294
--- /dev/null
+++ b/installers/windows/coding-agents-kit-launcher.ps1
@@ -0,0 +1,79 @@
+#Requires -Version 5.1
+<#
+.SYNOPSIS
+    Launches the coding-agents-kit Falco service on Windows.
+
+.DESCRIPTION
+    Registers the Claude Code hook, starts Falco with http_output for
+    alert delivery, and removes the hook on exit.
+    Equivalent to the macOS launcher script and the Linux systemd
+    ExecStartPost/ExecStopPost hooks.
+#>
+param(
+    [string]$Prefix = (Join-Path $env:LOCALAPPDATA 'coding-agents-kit')
+)
+
+Set-StrictMode -Version Latest
+$ErrorActionPreference = 'Stop'
+
+$FalcoExe = Join-Path $Prefix 'bin\falco.exe'
+$CtlExe = Join-Path $Prefix 'bin\coding-agents-kit-ctl.exe'
+$FalcoConfig = Join-Path $Prefix 'config\falco.yaml'
+$LogDir = Join-Path $Prefix 'log'
+$StderrLog = Join-Path $LogDir 'falco.err'
+$StdoutLog = Join-Path $LogDir 'falco.log'
+
+New-Item -ItemType Directory -Force -Path $LogDir | Out-Null
+
+# Register hook before starting Falco (suppress stderr to avoid ErrorActionPreference=Stop)
+if (Test-Path $CtlExe) {
+    $prevPref = $ErrorActionPreference
+    $ErrorActionPreference = 'Continue'
+    & $CtlExe hook add 2>&1 | Out-Null
+    $ErrorActionPreference = $prevPref
+}
+
+$falcoProcess = $null
+
+try {
+    # Start Falco directly (http_output delivers alerts to the plugin HTTP server)
+    $psi = New-Object System.Diagnostics.ProcessStartInfo
+    $psi.FileName = $FalcoExe
+    $psi.Arguments = "-U -c `"$FalcoConfig`" --disable-source syscall"
+    $psi.UseShellExecute = $false
+    $psi.RedirectStandardOutput = $true
+    $psi.RedirectStandardError = $true
+    $psi.CreateNoWindow = $true
+    $psi.WorkingDirectory = Join-Path $Prefix 'bin'
+    $falcoProcess = [System.Diagnostics.Process]::Start($psi)
+
+    # Drain stdout/stderr asynchronously to prevent OS pipe buffer deadlock.
+    # Even with stdout_output disabled, Falco may write startup messages.
+    $stdoutJob = Register-ObjectEvent -InputObject $falcoProcess -EventName OutputDataReceived -Action {
+        if ($EventArgs.Data) { $EventArgs.Data | Out-File -Append -FilePath $Event.MessageData -Encoding UTF8 }
+    } -MessageData $StdoutLog
+    $stderrJob = Register-ObjectEvent -InputObject $falcoProcess -EventName ErrorDataReceived -Action {
+        if ($EventArgs.Data) { $EventArgs.Data | Out-File -Append -FilePath $Event.MessageData -Encoding UTF8 }
+    } -MessageData $StderrLog
+    $falcoProcess.BeginOutputReadLine()
+    $falcoProcess.BeginErrorReadLine()
+
+    # Wait for Falco to exit
+    $falcoProcess.WaitForExit()
+}
+finally {
+    # Clean up event subscriptions
+    if ($stdoutJob) { Unregister-Event -SourceIdentifier $stdoutJob.Name -ErrorAction SilentlyContinue }
+    if ($stderrJob) { Unregister-Event -SourceIdentifier $stderrJob.Name -ErrorAction SilentlyContinue }
+
+    # Kill Falco if still running
+    if ($falcoProcess -and -not $falcoProcess.HasExited) {
+        try { $falcoProcess.Kill() } catch {}
+    }
+
+    # Remove hook (suppress errors)
+    if (Test-Path $CtlExe) {
+        $ErrorActionPreference = 'Continue'
+        & $CtlExe hook remove 2>&1 | Out-Null
+    }
+}
diff --git a/installers/windows/falco-windows-http-output.patch b/installers/windows/falco-windows-http-output.patch
new file mode 100644
index 0000000..2b6b1df
--- /dev/null
+++ b/installers/windows/falco-windows-http-output.patch
@@ -0,0 +1,198 @@
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index b678374..bec393f 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -143,10 +143,17 @@ if(NOT DEFINED FALCO_COMPONENT_NAME)
+ endif()
+ 
+ if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
+-	set(CMAKE_INSTALL_PREFIX
+-		/usr
+-		CACHE PATH "Default install path" FORCE
+-	)
++	if(WIN32)
++		set(CMAKE_INSTALL_PREFIX
++			"C:/Program Files/${CMAKE_PROJECT_NAME}"
++			CACHE PATH "Default install path" FORCE
++		)
++	else()
++		set(CMAKE_INSTALL_PREFIX
++			/usr
++			CACHE PATH "Default install path" FORCE
++		)
++	endif()
+ endif()
+ 
+ set(CMD_MAKE make)
+@@ -197,6 +204,12 @@ if(NOT WIN32
+ 	include(cpp-httplib)
+ endif()
+ 
++# HTTP output on Windows (coding-agents-kit)
++# Bypass curl.cmake (its unconditional include(openssl) fails on Windows).
++if(WIN32)
++	find_package(CURL REQUIRED)
++endif()
++
+ include(cxxopts)
+ 
+ # One TBB
+diff --git a/userspace/falco/CMakeLists.txt b/userspace/falco/CMakeLists.txt
+index 5ae5b83..8428f83 100644
+--- a/userspace/falco/CMakeLists.txt
++++ b/userspace/falco/CMakeLists.txt
+@@ -130,6 +130,15 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
+ 	)
+ endif()
+ 
++# HTTP output on Windows (coding-agents-kit)
++# CURL::libcurl imported target propagates CURL_STATICLIB define and
++# transitive dependencies (crypt32, secur32, etc.) automatically.
++if(WIN32)
++	target_sources(falco_application PRIVATE outputs_http.cpp)
++	target_link_libraries(falco_application CURL::libcurl ws2_32)
++	target_compile_definitions(falco_application PRIVATE HAS_HTTP_OUTPUT)
++endif()
++
+ if(EMSCRIPTEN)
+ 	target_compile_options(falco_application PRIVATE "-sDISABLE_EXCEPTION_CATCHING=0")
+ endif()
+diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
+index 10238cc..6085255 100644
+--- a/userspace/falco/configuration.h
++++ b/userspace/falco/configuration.h
+@@ -31,6 +31,7 @@ limitations under the License.
+ #include <set>
+ #include <iostream>
+ #include <fstream>
++#include <filesystem>
+ 
+ #include "config_falco.h"
+ #include "yaml_helper.h"
+@@ -420,9 +421,34 @@ struct convert<falco_configuration::plugin_config> {
+ 			return false;
+ 		}
+ 		rhs.m_library_path = node["library_path"].as<std::string>();
+-		if(!rhs.m_library_path.empty() && rhs.m_library_path.at(0) != '/') {
+-			// prepend share dir if path is not absolute
+-			rhs.m_library_path = std::string(FALCO_ENGINE_PLUGINS_DIR) + rhs.m_library_path;
++		if(!rhs.m_library_path.empty() &&
++		   !std::filesystem::path(rhs.m_library_path).has_root_path()) {
++			// Relative path: resolve against the plugins directory
++			// and verify the result stays within it.
++			auto full_path = std::filesystem::path(FALCO_ENGINE_PLUGINS_DIR) / rhs.m_library_path;
++			// lexically_normal resolves . and .. purely lexically,
++			// without filesystem access (unlike weakly_canonical which
++			// leaves .. unresolved for non-existent path components).
++			auto normalized = full_path.lexically_normal();
++			auto plugins_dir = std::filesystem::path(FALCO_ENGINE_PLUGINS_DIR).lexically_normal();
++			auto rel = normalized.lexically_relative(plugins_dir);
++			if(rel.empty()) {
++				throw YAML::Exception(node["library_path"].Mark(),
++				                      "plugin library_path '" +
++				                              node["library_path"].as<std::string>() +
++				                              "' resolves outside the plugins directory (" +
++				                              std::string(FALCO_ENGINE_PLUGINS_DIR) + ")");
++			}
++			for(const auto& component : rel) {
++				if(component == "..") {
++					throw YAML::Exception(node["library_path"].Mark(),
++					                      "plugin library_path '" +
++					                              node["library_path"].as<std::string>() +
++					                              "' resolves outside the plugins directory (" +
++					                              std::string(FALCO_ENGINE_PLUGINS_DIR) + ")");
++				}
++			}
++			rhs.m_library_path = normalized.string();
+ 		}
+ 
+ 		if(node["init_config"] && !node["init_config"].IsNull()) {
+diff --git a/userspace/falco/falco_outputs.cpp b/userspace/falco/falco_outputs.cpp
+index 0023756..f77ff91 100644
+--- a/userspace/falco/falco_outputs.cpp
++++ b/userspace/falco/falco_outputs.cpp
+@@ -36,6 +36,10 @@ limitations under the License.
+ #include "outputs_http.h"
+ #include "outputs_grpc.h"
+ #endif
++#if defined(HAS_HTTP_OUTPUT) && defined(MINIMAL_BUILD)
++#include "outputs_http.h"
++#include <curl/curl.h>
++#endif
+ 
+ static const char *s_internal_source = "internal";
+ 
+@@ -104,6 +108,13 @@ void falco_outputs::add_output(const falco::outputs::config &oc) {
+ 	} else if(oc.name == "grpc") {
+ 		oo = std::make_unique<falco::outputs::output_grpc>();
+ 	}
++#endif
++#if defined(HAS_HTTP_OUTPUT) && defined(MINIMAL_BUILD)
++	else if(oc.name == "http") {
++		// Explicit init required on Windows for thread-safe Winsock setup.
++		curl_global_init(CURL_GLOBAL_DEFAULT);
++		oo = std::make_unique<falco::outputs::output_http>();
++	}
+ #endif
+ 	else {
+ 		throw falco_exception("Output not supported: " + oc.name);
+diff --git a/userspace/falco/outputs_http.cpp b/userspace/falco/outputs_http.cpp
+index 9ef60d7..51ceea6 100644
+--- a/userspace/falco/outputs_http.cpp
++++ b/userspace/falco/outputs_http.cpp
+@@ -66,6 +66,19 @@ bool falco::outputs::output_http::init(const config &oc,
+ 	CHECK_RES(curl_easy_setopt(m_curl, CURLOPT_URL, unquotedUrl.c_str()));
+ 
+ 	CHECK_RES(curl_easy_setopt(m_curl, CURLOPT_USERAGENT, m_oc.options["user_agent"].c_str()));
++
++#ifdef _WIN32
++	// Bypass system/environment proxy settings for localhost alert delivery.
++	// Tolerate CURLE_NOT_BUILT_IN: curl built without proxy support (e.g.
++	// SChannel backend) has no proxy to bypass — the option is a no-op.
++	{
++		CURLcode noproxy_res = curl_easy_setopt(m_curl, CURLOPT_NOPROXY, "*");
++		if(noproxy_res != CURLE_OK && noproxy_res != CURLE_NOT_BUILT_IN) {
++			res = noproxy_res;
++		}
++	}
++#endif
++
+ 	CHECK_RES(curl_easy_setopt(m_curl, CURLOPT_POSTFIELDSIZE, -1L));
+ 
+ 	if(m_oc.options["insecure"] == std::string("true")) {
+@@ -78,6 +91,27 @@ bool falco::outputs::output_http::init(const config &oc,
+ 		CHECK_RES(curl_easy_setopt(m_curl, CURLOPT_SSLKEY, m_oc.options["client_key"].c_str()));
+ 	}
+ 
++#ifdef _WIN32
++	// On Windows with SChannel, CA path/cert options are not supported —
++	// SChannel uses the Windows Certificate Store automatically.
++	// Tolerate CURLE_NOT_BUILT_IN for CA options (plain HTTP to localhost
++	// does not need CA verification at all).
++	{
++		auto win_ca_setopt = [&](CURLoption opt, const char* val) {
++			CURLcode r = curl_easy_setopt(m_curl, opt, val);
++			if(r != CURLE_OK && r != CURLE_NOT_BUILT_IN) {
++				res = r;
++			}
++		};
++		if(!m_oc.options["ca_cert"].empty()) {
++			win_ca_setopt(CURLOPT_CAINFO, m_oc.options["ca_cert"].c_str());
++		} else if(!m_oc.options["ca_bundle"].empty()) {
++			win_ca_setopt(CURLOPT_CAINFO, m_oc.options["ca_bundle"].c_str());
++		} else {
++			win_ca_setopt(CURLOPT_CAPATH, m_oc.options["ca_path"].c_str());
++		}
++	}
++#else
+ 	if(!m_oc.options["ca_cert"].empty()) {
+ 		CHECK_RES(curl_easy_setopt(m_curl, CURLOPT_CAINFO, m_oc.options["ca_cert"].c_str()));
+ 	} else if(!m_oc.options["ca_bundle"].empty()) {
+@@ -85,6 +119,7 @@ bool falco::outputs::output_http::init(const config &oc,
+ 	} else {
+ 		CHECK_RES(curl_easy_setopt(m_curl, CURLOPT_CAPATH, m_oc.options["ca_path"].c_str()));
+ 	}
++#endif
+ 
+ 	if(m_oc.options["echo"] == std::string("false")) {
+ 		// If echo==true, libcurl defaults to fwrite to stdout, ie: echoing
diff --git a/installers/windows/license.rtf b/installers/windows/license.rtf
new file mode 100644
index 0000000..29106a9
--- /dev/null
+++ b/installers/windows/license.rtf
@@ -0,0 +1,11 @@
+{\rtf1\ansi\deff0
+{\fonttbl{\f0 Calibri;}}
+\f0\fs22
+\b coding-agents-kit installation notice\b0\par
+\par
+This installer will deploy coding-agents-kit into your user profile, register the Claude Code interceptor hook, and enable auto-start for the Falco service wrapper.\par
+\par
+If the service is not running, Claude Code tool calls will be blocked until it starts again or the hook is removed.\par
+\par
+By continuing, you acknowledge that the installer will modify your user profile, registry Run key, and Claude Code settings for this account.\par
+}
\ No newline at end of file
diff --git a/installers/windows/package.ps1 b/installers/windows/package.ps1
new file mode 100644
index 0000000..943c2c5
--- /dev/null
+++ b/installers/windows/package.ps1
@@ -0,0 +1,281 @@
+#Requires -Version 5.1
+<#
+.SYNOPSIS
+    Build the coding-agents-kit Windows MSI package.
+
+.DESCRIPTION
+    Compiles Rust crates, builds Falco from source (if needed), stages
+    all files, and produces an MSI installer via WiX v4.
+
+.PARAMETER Version
+    Package version (default: 0.1.2).
+
+.PARAMETER Arch
+    Target architecture: x64 or arm64 (default: native).
+
+.PARAMETER SkipFalcoBuild
+    Skip building Falco (use pre-built binary).
+
+.PARAMETER SkipRustBuild
+    Skip building Rust crates (use pre-built binaries).
+
+.PARAMETER FalcoExe
+    Path to pre-built falco.exe (overrides Falco build).
+#>
+param(
+    [string]$Version = '0.1.2',
+    [string]$Arch = '',
+    [switch]$SkipFalcoBuild,
+    [switch]$SkipRustBuild,
+    [string]$FalcoExe = ''
+)
+
+Set-StrictMode -Version Latest
+$ErrorActionPreference = 'Stop'
+
+$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
+$RootDir = Split-Path -Parent (Split-Path -Parent $ScriptDir)
+$BuildDir = Join-Path $RootDir 'build'
+
+# Detect native architecture. PROCESSOR_ARCHITECTURE can lie when running under
+# x64 emulation on ARM64 (returns AMD64 instead of ARM64). Check the registry
+# for the true hardware architecture.
+if ([string]::IsNullOrWhiteSpace($Arch)) {
+    $hwArch = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_ARCHITECTURE -ErrorAction SilentlyContinue).PROCESSOR_ARCHITECTURE
+    if (-not $hwArch) { $hwArch = $env:PROCESSOR_ARCHITECTURE }
+    switch ($hwArch) {
+        'AMD64' { $Arch = 'x64' }
+        'ARM64' { $Arch = 'arm64' }
+        default { $Arch = 'x64' }
+    }
+}
+
+# Map to Rust target
+$RustTarget = switch ($Arch) {
+    'x64'   { 'x86_64-pc-windows-msvc' }
+    'arm64' { 'aarch64-pc-windows-msvc' }
+    default { throw "Unsupported architecture: $Arch" }
+}
+
+$WixArch = switch ($Arch) {
+    'x64'   { 'x64' }
+    'arm64' { 'arm64' }
+    default { 'x64' }
+}
+
+$UtilCABinaryRef = switch ($Arch) {
+    'x64'   { 'Wix4UtilCA_X64' }
+    'arm64' { 'Wix4UtilCA_A64' }
+    default { 'Wix4UtilCA_X64' }
+}
+
+Write-Host "coding-agents-kit Windows Package Builder"
+Write-Host "  Version:  $Version"
+Write-Host "  Arch:     $Arch"
+Write-Host "  Target:   $RustTarget"
+Write-Host ""
+
+# ---------------------------------------------------------------------------
+# Stage directory
+# ---------------------------------------------------------------------------
+
+$StageDir = Join-Path $BuildDir "stage-windows-$Arch"
+if (Test-Path $StageDir) { Remove-Item $StageDir -Recurse -Force }
+New-Item -ItemType Directory -Force -Path (Join-Path $StageDir 'bin') | Out-Null
+New-Item -ItemType Directory -Force -Path (Join-Path $StageDir 'share') | Out-Null
+New-Item -ItemType Directory -Force -Path (Join-Path $StageDir 'config') | Out-Null
+New-Item -ItemType Directory -Force -Path (Join-Path $StageDir 'rules\default') | Out-Null
+New-Item -ItemType Directory -Force -Path (Join-Path $StageDir 'rules\user') | Out-Null
+New-Item -ItemType Directory -Force -Path (Join-Path $StageDir 'scripts') | Out-Null
+
+# ---------------------------------------------------------------------------
+# Build Rust crates
+# ---------------------------------------------------------------------------
+
+if (-not $SkipRustBuild) {
+    Write-Host "=== Building Rust crates ($RustTarget) ==="
+
+    $cargo = Get-Command cargo -ErrorAction SilentlyContinue
+    if (-not $cargo) { throw 'cargo not found. Install Rust toolchain.' }
+
+    # Ensure target is installed (rustup writes info to stderr, suppress errors)
+    $prevPref = $ErrorActionPreference
+    $ErrorActionPreference = 'Continue'
+    & rustup target add $RustTarget 2>&1 | Out-Null
+    $ErrorActionPreference = $prevPref
+
+    $crates = @(
+        @{ Path = 'hooks\claude-code';              Name = 'Interceptor' },
+        @{ Path = 'plugins\coding-agent-plugin';    Name = 'Plugin' },
+        @{ Path = 'tools\coding-agents-kit-ctl';    Name = 'CTL tool' }
+    )
+    foreach ($crate in $crates) {
+        Write-Host "  Building $($crate.Name)..."
+        Push-Location (Join-Path $RootDir $crate.Path)
+        $prevPref = $ErrorActionPreference
+        $ErrorActionPreference = 'Continue'
+        & cargo build --release --target $RustTarget
+        $ErrorActionPreference = $prevPref
+        if ($LASTEXITCODE -ne 0) { throw "$($crate.Name) build failed." }
+        Pop-Location
+    }
+}
+
+# ---------------------------------------------------------------------------
+# Build Falco
+# ---------------------------------------------------------------------------
+
+$FalcoDir = Join-Path $BuildDir "falco-0.43.0-windows-$Arch"
+
+if ([string]::IsNullOrWhiteSpace($FalcoExe)) {
+    if (-not $SkipFalcoBuild) {
+        if (-not (Test-Path (Join-Path $FalcoDir 'falco.exe'))) {
+            Write-Host "=== Building Falco ==="
+            & (Join-Path $ScriptDir 'build-falco.ps1') -Arch $Arch
+            if ($LASTEXITCODE -ne 0) { throw 'Falco build failed.' }
+        }
+    }
+    $FalcoExe = Join-Path $FalcoDir 'falco.exe'
+}
+
+if (-not (Test-Path $FalcoExe)) { throw "Falco binary not found: $FalcoExe" }
+
+# Stage falco.exe (no binary patching needed — the Falco patch enables
+# absolute library_path on Windows via std::filesystem::path::has_root_path).
+Copy-Item $FalcoExe (Join-Path $StageDir 'bin\falco.exe') -Force
+
+# ---------------------------------------------------------------------------
+# Stage binaries
+# ---------------------------------------------------------------------------
+
+Write-Host "Staging files..."
+
+# Find built artifacts: check target-specific dir first, then default release/
+function Find-Artifact([string]$CrateDir, [string]$FileName) {
+    $candidates = @(
+        (Join-Path $CrateDir "target\$RustTarget\release\$FileName"),
+        (Join-Path $CrateDir "target\release\$FileName")
+    )
+    foreach ($c in $candidates) {
+        if (Test-Path $c) { return $c }
+    }
+    throw "Built artifact not found: $FileName (looked in $($candidates -join ', '))"
+}
+
+Copy-Item (Find-Artifact (Join-Path $RootDir 'hooks\claude-code') 'claude-interceptor.exe') (Join-Path $StageDir 'bin\') -Force
+Copy-Item (Find-Artifact (Join-Path $RootDir 'tools\coding-agents-kit-ctl') 'coding-agents-kit-ctl.exe') (Join-Path $StageDir 'bin\') -Force
+Copy-Item (Find-Artifact (Join-Path $RootDir 'plugins\coding-agent-plugin') 'coding_agent.dll') (Join-Path $StageDir 'share\') -Force
+
+Copy-Item (Join-Path $ScriptDir 'coding-agents-kit-launcher.ps1') (Join-Path $StageDir 'bin\') -Force
+
+# ---------------------------------------------------------------------------
+# Stage rules
+# ---------------------------------------------------------------------------
+
+Copy-Item (Join-Path $RootDir 'rules\default\coding_agents_rules.yaml') (Join-Path $StageDir 'rules\default\') -Force
+Copy-Item (Join-Path $RootDir 'rules\seen.yaml') (Join-Path $StageDir 'rules\') -Force
+
+# ---------------------------------------------------------------------------
+# Stage scripts
+# ---------------------------------------------------------------------------
+
+Copy-Item (Join-Path $ScriptDir 'scripts\postinstall.ps1') (Join-Path $StageDir 'scripts\') -Force
+Copy-Item (Join-Path $ScriptDir 'scripts\uninstall.ps1') (Join-Path $StageDir 'scripts\') -Force
+
+Write-Host "  Staged to: $StageDir"
+
+# ---------------------------------------------------------------------------
+# Deterministic ProductCode from version
+# ---------------------------------------------------------------------------
+
+$versionBytes = [System.Text.Encoding]::UTF8.GetBytes("coding-agents-kit-ProductCode-$Version")
+$sha = [System.Security.Cryptography.SHA256]::Create()
+$hashBytes = $sha.ComputeHash($versionBytes)
+$guidBytes = $hashBytes[0..15]
+$guidBytes[6] = ($guidBytes[6] -band 0x0F) -bor 0x50   # UUID version 5
+$guidBytes[8] = ($guidBytes[8] -band 0x3F) -bor 0x80   # RFC 4122 variant
+$ProductCode = [System.Guid]::new([byte[]]$guidBytes).ToString('B').ToUpper()
+Write-Host "  ProductCode: $ProductCode"
+
+# ---------------------------------------------------------------------------
+# Build MSI
+# ---------------------------------------------------------------------------
+
+$WxsFile = Join-Path $ScriptDir 'Package.wxs'
+$LicenseRtf = Join-Path $ScriptDir 'license.rtf'
+$OutputDir = Join-Path $BuildDir 'out'
+New-Item -ItemType Directory -Force -Path $OutputDir | Out-Null
+$MsiName = "coding-agents-kit-$Version-windows-$Arch.msi"
+
+Write-Host "Building MSI..."
+
+$wix = Get-Command wix -ErrorAction SilentlyContinue
+if (-not $wix) { throw 'WiX Toolset not found. Install via: dotnet tool install --global wix' }
+
+# Ensure WiX v7 OSMF EULA is accepted in non-interactive build environments.
+& wix eula accept wix7 2>&1 | Out-Null
+
+& wix build $WxsFile `
+    -d "StageDir=$StageDir" `
+    -d "ProductVersion=$Version" `
+    -d "ProductCode=$ProductCode" `
+    -d "UtilCABinaryRef=$UtilCABinaryRef" `
+    -bv "WixUILicenseRtf=$LicenseRtf" `
+    -ext WixToolset.Util.wixext `
+    -ext WixToolset.UI.wixext `
+    -o (Join-Path $OutputDir $MsiName) `
+    -arch $WixArch
+
+if ($LASTEXITCODE -ne 0) { throw 'WiX build failed.' }
+
+# ---------------------------------------------------------------------------
+# Emit companion uninstall script
+# ---------------------------------------------------------------------------
+
+$uninstallScript = Join-Path $OutputDir 'Uninstall-CodingAgentsKit.ps1'
+@"
+# Uninstall coding-agents-kit $Version
+# Run cleanup first: remove hook and auto-start registration
+`$prefix = Join-Path `$env:LOCALAPPDATA 'coding-agents-kit'
+`$cleanup = Join-Path `$prefix 'scripts\uninstall.ps1'
+if (Test-Path `$cleanup) {
+    & powershell -NoProfile -ExecutionPolicy Bypass -File `$cleanup -Prefix `$prefix
+}
+# Remove files via MSI
+`$p = Start-Process msiexec -ArgumentList '/x', '$ProductCode', '/quiet' -Wait -PassThru
+if (`$p.ExitCode -ne 0 -and `$p.ExitCode -ne 1605) { Write-Error "Uninstall failed (exit `$(`$p.ExitCode))" }
+Write-Host "Uninstall complete"
+"@ | Set-Content $uninstallScript -Encoding UTF8
+
+# ---------------------------------------------------------------------------
+# Emit install helper script (runs MSI + postinstall)
+# ---------------------------------------------------------------------------
+
+$installScript = Join-Path $OutputDir 'Install-CodingAgentsKit.ps1'
+@"
+# Install coding-agents-kit $Version
+`$msi = Join-Path `$PSScriptRoot '$MsiName'
+`$productCode = '$ProductCode'
+
+# If already installed, open normal MSI maintenance UI (Repair/Uninstall)
+# instead of forcing a silent reinstall.
+`$installer = New-Object -ComObject WindowsInstaller.Installer
+`$state = `$installer.ProductState(`$productCode)
+if (`$state -eq 5) {
+    Start-Process msiexec -ArgumentList '/i', `$msi -Wait | Out-Null
+    exit 0
+}
+
+`$p = Start-Process msiexec -ArgumentList '/i', `$msi, '/quiet' -Wait -PassThru
+if (`$p.ExitCode -ne 0) { Write-Error "MSI install failed (exit `$(`$p.ExitCode))"; exit 1 }
+# Run post-install setup
+`$prefix = Join-Path `$env:LOCALAPPDATA 'coding-agents-kit'
+& "`$prefix\scripts\postinstall.ps1" -Prefix `$prefix
+Write-Host "coding-agents-kit installation complete"
+"@ | Set-Content $installScript -Encoding UTF8
+
+Write-Host ""
+Write-Host "MSI created: $(Join-Path $OutputDir $MsiName)"
+Write-Host ""
+Write-Host "Install:   powershell -File Install-CodingAgentsKit.ps1"
+Write-Host "Uninstall: powershell -File Uninstall-CodingAgentsKit.ps1"
diff --git a/installers/windows/scripts/postinstall.ps1 b/installers/windows/scripts/postinstall.ps1
new file mode 100644
index 0000000..a4dfa5e
--- /dev/null
+++ b/installers/windows/scripts/postinstall.ps1
@@ -0,0 +1,147 @@
+#Requires -Version 5.1
+<#
+.SYNOPSIS
+    Post-installation setup for coding-agents-kit on Windows.
+
+.DESCRIPTION
+    Called by the MSI custom action after files are deployed.
+    Generates Falco config with resolved paths, registers the Claude Code
+    hook, and sets up auto-start via Registry Run key.
+#>
+param(
+    [string]$Prefix = (Join-Path $env:LOCALAPPDATA 'coding-agents-kit')
+)
+
+Set-StrictMode -Version Latest
+$ErrorActionPreference = 'Stop'
+
+$BinDir = Join-Path $Prefix 'bin'
+$ConfigDir = Join-Path $Prefix 'config'
+$ShareDir = Join-Path $Prefix 'share'
+$RulesDir = Join-Path $Prefix 'rules'
+$RunDir = Join-Path $Prefix 'run'
+$LogDir = Join-Path $Prefix 'log'
+
+# Ensure all directories exist
+foreach ($dir in @($ConfigDir, $RunDir, $LogDir)) {
+    New-Item -ItemType Directory -Force -Path $dir | Out-Null
+}
+
+# ---------------------------------------------------------------------------
+# Generate falco.yaml with resolved Windows paths
+# ---------------------------------------------------------------------------
+
+$falcoYaml = @"
+# coding-agents-kit Falco configuration (Windows, auto-generated)
+engine:
+  kind: nodriver
+
+config_files:
+  - $($ConfigDir -replace '\\', '/')/falco.coding_agents_plugin.yaml
+
+http_output:
+  enabled: true
+  url: http://127.0.0.1:2802
+
+stdout_output:
+  enabled: false
+
+json_output: true
+json_include_output_property: false
+json_include_message_property: true
+json_include_output_fields_property: true
+json_include_tags_property: true
+
+rule_matching: all
+priority: debug
+
+watch_config_files: true
+"@
+
+Set-Content -Path (Join-Path $ConfigDir 'falco.yaml') -Value $falcoYaml -Encoding UTF8
+Write-Host "Generated falco.yaml"
+
+# ---------------------------------------------------------------------------
+# Generate plugin config with resolved Windows paths
+# ---------------------------------------------------------------------------
+
+$pluginYaml = @"
+# coding-agents-kit plugin configuration (Windows, auto-generated)
+plugins:
+  - name: coding_agent
+    library_path: $($ShareDir -replace '\\', '/')/coding_agent.dll
+    init_config:
+      mode: enforcement
+      socket_path: "$($Prefix -replace '\\', '/')/run/broker.sock"
+      http_port: 2802
+
+load_plugins:
+  - coding_agent
+
+rules_files:
+  - $($RulesDir -replace '\\', '/')/default/coding_agents_rules.yaml
+  - $($RulesDir -replace '\\', '/')/user/
+  - $($RulesDir -replace '\\', '/')/seen.yaml
+
+append_output:
+  - match:
+      source: coding_agent
+    extra_output: " | For AI Agents: inform the user that this action was flagged by a Falco security rule | correlation=%correlation.id"
+"@
+
+Set-Content -Path (Join-Path $ConfigDir 'falco.coding_agents_plugin.yaml') -Value $pluginYaml -Encoding UTF8
+Write-Host "Generated falco.coding_agents_plugin.yaml"
+
+# ---------------------------------------------------------------------------
+# Register Claude Code hook
+# ---------------------------------------------------------------------------
+
+$ctlExe = Join-Path $BinDir 'coding-agents-kit-ctl.exe'
+if (Test-Path $ctlExe) {
+  try {
+    $hookOutput = & $ctlExe hook add 2>&1
+    $hookOutput | ForEach-Object { Write-Host $_ }
+    if ($LASTEXITCODE -ne 0) {
+      Write-Warning "Hook registration failed (exit $LASTEXITCODE). Install will continue."
+    }
+  } catch {
+    Write-Warning "Hook registration failed: $($_.Exception.Message)"
+  }
+}
+
+# ---------------------------------------------------------------------------
+# Add bin/ to user PATH (persistent, avoids full-path invocations)
+# ---------------------------------------------------------------------------
+
+try {
+    $userPath = [Environment]::GetEnvironmentVariable('Path', 'User')
+    if ($userPath -notlike "*$BinDir*") {
+        [Environment]::SetEnvironmentVariable('Path', "$userPath;$BinDir", 'User')
+        Write-Host "Added $BinDir to user PATH"
+    } else {
+        Write-Host "bin/ already in user PATH"
+    }
+} catch {
+    Write-Warning "Failed to update PATH: $($_.Exception.Message)"
+}
+
+# ---------------------------------------------------------------------------
+# Register auto-start via Registry Run key
+# ---------------------------------------------------------------------------
+
+$launcherScript = Join-Path $BinDir 'coding-agents-kit-launcher.ps1'
+if (Test-Path $launcherScript) {
+  try {
+    $runCmd = "powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$launcherScript`""
+    $regPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
+    if (-not (Test-Path $regPath)) {
+      New-Item -Path $regPath -Force | Out-Null
+    }
+    Set-ItemProperty -Path $regPath -Name 'CodingAgentsKit' -Value $runCmd
+    Write-Host "Registered auto-start"
+  } catch {
+    Write-Warning "Auto-start registration failed: $($_.Exception.Message)"
+  }
+}
+
+Write-Host "Post-install complete: coding-agents-kit is installed and configured."
diff --git a/installers/windows/scripts/uninstall.ps1 b/installers/windows/scripts/uninstall.ps1
new file mode 100644
index 0000000..c4aa277
--- /dev/null
+++ b/installers/windows/scripts/uninstall.ps1
@@ -0,0 +1,44 @@
+#Requires -Version 5.1
+<#
+.SYNOPSIS
+    Pre-uninstall cleanup for coding-agents-kit on Windows.
+
+.DESCRIPTION
+    Called by the MSI custom action before files are removed.
+    Stops the service, removes the Claude Code hook, and removes
+    the auto-start Registry key.
+#>
+param(
+    [string]$Prefix = (Join-Path $env:LOCALAPPDATA 'coding-agents-kit')
+)
+
+$ErrorActionPreference = 'SilentlyContinue'
+
+# Stop Falco if running
+$falcoProcs = Get-Process -Name falco -ErrorAction SilentlyContinue
+if ($falcoProcs) {
+    Write-Host "Stopping Falco..."
+    $falcoProcs | Stop-Process -Force
+    Start-Sleep -Seconds 1
+}
+
+# Remove Claude Code hook
+$ctlExe = Join-Path $Prefix 'bin\coding-agents-kit-ctl.exe'
+if (Test-Path $ctlExe) {
+    & $ctlExe hook remove 2>$null
+}
+
+# Remove auto-start Registry key
+$regPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
+Remove-ItemProperty -Path $regPath -Name 'CodingAgentsKit' -ErrorAction SilentlyContinue
+
+# Remove bin/ from user PATH
+$BinDir = Join-Path $Prefix 'bin'
+$userPath = [Environment]::GetEnvironmentVariable('Path', 'User')
+if ($userPath -and $userPath -like "*$BinDir*") {
+    $newPath = ($userPath -split ';' | Where-Object { $_ -ne $BinDir }) -join ';'
+    [Environment]::SetEnvironmentVariable('Path', $newPath, 'User')
+    Write-Host "Removed $BinDir from user PATH"
+}
+
+Write-Host "Uninstall cleanup complete"
diff --git a/plugins/coding-agent-plugin/Cargo.lock b/plugins/coding-agent-plugin/Cargo.lock
index e50c9c9..4c84fcc 100644
--- a/plugins/coding-agent-plugin/Cargo.lock
+++ b/plugins/coding-agent-plugin/Cargo.lock
@@ -125,6 +125,7 @@ dependencies = [
  "serde",
  "serde_json",
  "tiny_http",
+ "uds_windows",
 ]
 
 [[package]]
@@ -162,7 +163,7 @@ checksum = "5041cc499144891f3790297212f32a74fb938e5136a14943f338ef9e0ae276cf"
 dependencies = [
  "cfg-if",
  "crossbeam-utils",
- "hashbrown",
+ "hashbrown 0.14.5",
  "lock_api",
  "once_cell",
  "parking_lot_core",
@@ -185,6 +186,22 @@ version = "1.0.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d0881ea181b1df73ff77ffaaf9c7544ecc11e82fba9b5f27b262a3c73a332555"
 
+[[package]]
+name = "equivalent"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
+
+[[package]]
+name = "errno"
+version = "0.3.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
+dependencies = [
+ "libc",
+ "windows-sys",
+]
+
 [[package]]
 name = "falco_event"
 version = "0.5.1"
@@ -264,12 +281,52 @@ version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582"
 
+[[package]]
+name = "foldhash"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
+
+[[package]]
+name = "getrandom"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0de51e6874e94e7bf76d726fc5d13ba782deca734ff60d5bb2fb2607c7406555"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "r-efi",
+ "wasip2",
+ "wasip3",
+]
+
 [[package]]
 name = "hashbrown"
 version = "0.14.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1"
 
+[[package]]
+name = "hashbrown"
+version = "0.15.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
+dependencies = [
+ "foldhash",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.16.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100"
+
+[[package]]
+name = "heck"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
+
 [[package]]
 name = "httpdate"
 version = "1.0.3"
@@ -300,6 +357,24 @@ dependencies = [
  "cc",
 ]
 
+[[package]]
+name = "id-arena"
+version = "2.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954"
+
+[[package]]
+name = "indexmap"
+version = "2.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7714e70437a7dc3ac8eb7e6f8df75fd8eb422675fc7678aff7364301092b1017"
+dependencies = [
+ "equivalent",
+ "hashbrown 0.16.1",
+ "serde",
+ "serde_core",
+]
+
 [[package]]
 name = "interpolator"
 version = "0.5.0"
@@ -322,12 +397,24 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "leb128fmt"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"
+
 [[package]]
 name = "libc"
 version = "0.2.183"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b5b646652bf6661599e1da8901b3b9522896f01e736bad5f723fe7a3a27f899d"
 
+[[package]]
+name = "linux-raw-sys"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53"
+
 [[package]]
 name = "lock_api"
 version = "0.4.14"
@@ -372,6 +459,15 @@ version = "2.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
 
+[[package]]
+name = "memoffset"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "488016bfae457b036d996092f6cb448677611ce4449e970ceaf42695203f218a"
+dependencies = [
+ "autocfg",
+]
+
 [[package]]
 name = "nix"
 version = "0.30.1"
@@ -466,6 +562,16 @@ dependencies = [
  "siphasher",
 ]
 
+[[package]]
+name = "prettyplease"
+version = "0.2.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b"
+dependencies = [
+ "proc-macro2",
+ "syn",
+]
+
 [[package]]
 name = "proc-macro-utils"
 version = "0.10.0"
@@ -517,6 +623,12 @@ dependencies = [
  "syn",
 ]
 
+[[package]]
+name = "r-efi"
+version = "6.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf"
+
 [[package]]
 name = "redox_syscall"
 version = "0.5.18"
@@ -556,6 +668,19 @@ dependencies = [
  "lock_api",
 ]
 
+[[package]]
+name = "rustix"
+version = "1.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190"
+dependencies = [
+ "bitflags",
+ "errno",
+ "libc",
+ "linux-raw-sys",
+ "windows-sys",
+]
+
 [[package]]
 name = "rustversion"
 version = "1.0.22"
@@ -593,6 +718,12 @@ version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
 
+[[package]]
+name = "semver"
+version = "1.0.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"
+
 [[package]]
 name = "serde"
 version = "1.0.228"
@@ -676,6 +807,19 @@ dependencies = [
  "unicode-ident",
 ]
 
+[[package]]
+name = "tempfile"
+version = "3.27.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
+dependencies = [
+ "fastrand",
+ "getrandom",
+ "once_cell",
+ "rustix",
+ "windows-sys",
+]
+
 [[package]]
 name = "thiserror"
 version = "2.0.18"
@@ -714,12 +858,47 @@ version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c462d18470a2857aa657d338af5fa67170bb48bcc80a296710ce3b0802a32566"
 
+[[package]]
+name = "uds_windows"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2f6fb2847f6742cd76af783a2a2c49e9375d0a111c7bef6f71cd9e738c72d6e"
+dependencies = [
+ "memoffset",
+ "tempfile",
+ "windows-sys",
+]
+
 [[package]]
 name = "unicode-ident"
 version = "1.0.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
 
+[[package]]
+name = "unicode-xid"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
+
+[[package]]
+name = "wasip2"
+version = "1.0.2+wasi-0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9517f9239f02c069db75e65f174b3da828fe5f5b945c4dd26bd25d89c03ebcf5"
+dependencies = [
+ "wit-bindgen",
+]
+
+[[package]]
+name = "wasip3"
+version = "0.4.0+wasi-0.3.0-rc-2026-01-06"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5428f8bf88ea5ddc08faddef2ac4a67e390b88186c703ce6dbd955e1c145aca5"
+dependencies = [
+ "wit-bindgen",
+]
+
 [[package]]
 name = "wasm-bindgen"
 version = "0.2.114"
@@ -765,6 +944,40 @@ dependencies = [
  "unicode-ident",
 ]
 
+[[package]]
+name = "wasm-encoder"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "990065f2fe63003fe337b932cfb5e3b80e0b4d0f5ff650e6985b1048f62c8319"
+dependencies = [
+ "leb128fmt",
+ "wasmparser",
+]
+
+[[package]]
+name = "wasm-metadata"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bb0e353e6a2fbdc176932bbaab493762eb1255a7900fe0fea1a2f96c296cc909"
+dependencies = [
+ "anyhow",
+ "indexmap",
+ "wasm-encoder",
+ "wasmparser",
+]
+
+[[package]]
+name = "wasmparser"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe"
+dependencies = [
+ "bitflags",
+ "hashbrown 0.15.5",
+ "indexmap",
+ "semver",
+]
+
 [[package]]
 name = "windows-core"
 version = "0.62.2"
@@ -824,6 +1037,103 @@ dependencies = [
  "windows-link",
 ]
 
+[[package]]
+name = "windows-sys"
+version = "0.61.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
+dependencies = [
+ "windows-link",
+]
+
+[[package]]
+name = "wit-bindgen"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5"
+dependencies = [
+ "wit-bindgen-rust-macro",
+]
+
+[[package]]
+name = "wit-bindgen-core"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ea61de684c3ea68cb082b7a88508a8b27fcc8b797d738bfc99a82facf1d752dc"
+dependencies = [
+ "anyhow",
+ "heck",
+ "wit-parser",
+]
+
+[[package]]
+name = "wit-bindgen-rust"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7c566e0f4b284dd6561c786d9cb0142da491f46a9fbed79ea69cdad5db17f21"
+dependencies = [
+ "anyhow",
+ "heck",
+ "indexmap",
+ "prettyplease",
+ "syn",
+ "wasm-metadata",
+ "wit-bindgen-core",
+ "wit-component",
+]
+
+[[package]]
+name = "wit-bindgen-rust-macro"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c0f9bfd77e6a48eccf51359e3ae77140a7f50b1e2ebfe62422d8afdaffab17a"
+dependencies = [
+ "anyhow",
+ "prettyplease",
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wit-bindgen-core",
+ "wit-bindgen-rust",
+]
+
+[[package]]
+name = "wit-component"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2"
+dependencies = [
+ "anyhow",
+ "bitflags",
+ "indexmap",
+ "log",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "wasm-encoder",
+ "wasm-metadata",
+ "wasmparser",
+ "wit-parser",
+]
+
+[[package]]
+name = "wit-parser"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ecc8ac4bc1dc3381b7f59c34f00b67e18f910c2c0f50015669dde7def656a736"
+dependencies = [
+ "anyhow",
+ "id-arena",
+ "indexmap",
+ "log",
+ "semver",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "unicode-xid",
+ "wasmparser",
+]
+
 [[package]]
 name = "zmij"
 version = "1.0.21"
diff --git a/plugins/coding-agent-plugin/Cargo.toml b/plugins/coding-agent-plugin/Cargo.toml
index 24d52d8..b1e16d0 100644
--- a/plugins/coding-agent-plugin/Cargo.toml
+++ b/plugins/coding-agent-plugin/Cargo.toml
@@ -19,6 +19,9 @@ tiny_http = "0.12"
 anyhow = "1"
 log = "0.4"
 
+[target.'cfg(windows)'.dependencies]
+uds_windows = "1.2"
+
 [profile.release]
 opt-level = 2
 lto = true
diff --git a/plugins/coding-agent-plugin/src/broker.rs b/plugins/coding-agent-plugin/src/broker.rs
index 20c032f..b1ba2b1 100644
--- a/plugins/coding-agent-plugin/src/broker.rs
+++ b/plugins/coding-agent-plugin/src/broker.rs
@@ -1,10 +1,16 @@
 use std::io::Write;
 use std::net::Shutdown;
-use std::os::unix::net::UnixStream;
 use std::sync::atomic::{AtomicBool, AtomicU64, Ordering};
 use std::sync::{Arc, Mutex};
 use std::time::Instant;
 
+/// Cross-platform stream type for interceptor connections.
+/// Uses Unix domain sockets on all platforms (Windows 10+ supports AF_UNIX).
+#[cfg(unix)]
+pub type BrokerStream = std::os::unix::net::UnixStream;
+#[cfg(windows)]
+pub type BrokerStream = uds_windows::UnixStream;
+
 use dashmap::DashMap;
 
 use crate::verdict::Verdict;
@@ -31,8 +37,8 @@ pub struct Broker {
 
 /// A pending request from an interceptor, awaiting a verdict.
 struct PendingRequest {
-    /// The Unix socket connection back to the interceptor.
-    stream: Mutex<UnixStream>,
+    /// The connection back to the interceptor (Unix domain socket).
+    stream: Mutex<BrokerStream>,
     /// The wire protocol request ID (to include in the response).
     wire_id: String,
     /// The current best verdict (escalated as alerts arrive).
@@ -83,7 +89,7 @@ impl Broker {
     /// Register a new pending request. `correlation_id` is the broker-assigned ID
     /// used for Falco alert correlation. `wire_id` is the interceptor's request ID
     /// used in the verdict response.
-    pub fn register(&self, correlation_id: u64, wire_id: String, stream: UnixStream) {
+    pub fn register(&self, correlation_id: u64, wire_id: String, stream: BrokerStream) {
         self.pending.insert(
             correlation_id,
             PendingRequest {
@@ -146,6 +152,7 @@ impl Broker {
             let response = verdict.to_response_json(&pending.wire_id);
             let mut stream = pending.stream.lock().unwrap_or_else(|e| e.into_inner());
             let _ = write!(stream, "{}\n", response);
+            let _ = stream.flush();
             let _ = stream.shutdown(Shutdown::Both);
         }
     }
@@ -158,6 +165,7 @@ impl Broker {
             let response = verdict.to_response_json(&pending.wire_id);
             let mut stream = pending.stream.lock().unwrap_or_else(|e| e.into_inner());
             let _ = write!(stream, "{}\n", response);
+            let _ = stream.flush();
             let _ = stream.shutdown(Shutdown::Both);
         }
     }
@@ -189,6 +197,7 @@ impl Broker {
                     .to_response_json(&pending.wire_id);
                 let mut stream = pending.stream.lock().unwrap_or_else(|e| e.into_inner());
                 let _ = write!(stream, "{}\n", response);
+                let _ = stream.flush();
                 let _ = stream.shutdown(Shutdown::Both);
                 reaped += 1;
             }
diff --git a/plugins/coding-agent-plugin/src/config.rs b/plugins/coding-agent-plugin/src/config.rs
index d815fd9..1711173 100644
--- a/plugins/coding-agent-plugin/src/config.rs
+++ b/plugins/coding-agent-plugin/src/config.rs
@@ -11,7 +11,7 @@ pub struct CodingAgentConfig {
     #[serde(default = "default_mode")]
     pub mode: String,
 
-    /// Path to the Unix domain socket for interceptor connections.
+    /// Broker listen address (Unix domain socket path on all platforms).
     #[serde(default = "default_socket_path")]
     pub socket_path: String,
 
@@ -37,10 +37,21 @@ fn default_mode() -> String {
 }
 
 fn default_socket_path() -> String {
-    if let Ok(home) = std::env::var("HOME") {
-        format!("{home}/.coding-agents-kit/run/broker.sock")
-    } else {
-        "/tmp/coding-agents-kit-broker.sock".to_string()
+    #[cfg(unix)]
+    {
+        if let Ok(home) = std::env::var("HOME") {
+            format!("{home}/.coding-agents-kit/run/broker.sock")
+        } else {
+            "/tmp/coding-agents-kit-broker.sock".to_string()
+        }
+    }
+    #[cfg(windows)]
+    {
+        if let Ok(local) = std::env::var("LOCALAPPDATA") {
+            format!("{}/coding-agents-kit/run/broker.sock", local.replace('\\', "/"))
+        } else {
+            "C:/coding-agents-kit-broker.sock".to_string()
+        }
     }
 }
 
diff --git a/plugins/coding-agent-plugin/src/event.rs b/plugins/coding-agent-plugin/src/event.rs
index c61164b..2df6cb4 100644
--- a/plugins/coding-agent-plugin/src/event.rs
+++ b/plugins/coding-agent-plugin/src/event.rs
@@ -161,6 +161,7 @@ impl ParsedEvent {
         let tool_input_command = extract_command(&tool_name, &tool_input);
         let mcp_server = extract_mcp_server(&tool_name);
 
+
         Some(ParsedFields {
             agent_name: agent_name.to_string(),
             correlation_id,
@@ -264,12 +265,17 @@ fn extract_raw_file_path(tool_name: &str, tool_input: &serde_json::Value) -> Str
 }
 
 /// Normalize a path lexically: resolve `.` and `..` without touching the filesystem.
+/// Never pops past the root (/ on Unix, C:\ on Windows) — mirrors filesystem behavior.
 fn normalize_path(path: &Path) -> PathBuf {
     let mut result = PathBuf::new();
     for component in path.components() {
         match component {
             Component::ParentDir => {
-                result.pop();
+                // file_name() returns None for root paths and empty paths,
+                // preventing `..` from erasing the drive letter or root.
+                if result.file_name().is_some() {
+                    result.pop();
+                }
             }
             Component::CurDir => {}
             other => result.push(other),
@@ -278,6 +284,25 @@ fn normalize_path(path: &Path) -> PathBuf {
     result
 }
 
+/// Normalize path separators to forward slashes for cross-platform rule portability.
+/// On Windows, `canonicalize` and `PathBuf::to_string_lossy` produce backslashes,
+/// but Falco rules should use forward slashes consistently.
+fn normalize_separators(path: String) -> String {
+    #[cfg(windows)]
+    {
+        // Strip \\?\ prefix that Windows canonicalize may add.
+        let stripped = path
+            .strip_prefix(r"\\?\")
+            .unwrap_or(&path)
+            .to_string();
+        stripped.replace('\\', "/")
+    }
+    #[cfg(not(windows))]
+    {
+        path
+    }
+}
+
 /// Resolve a single path: canonicalize if possible, otherwise lexically normalize.
 fn resolve_path(raw: &str) -> String {
     if raw.is_empty() {
@@ -285,10 +310,10 @@ fn resolve_path(raw: &str) -> String {
     }
     // Try filesystem canonicalization first (resolves symlinks).
     if let Ok(resolved) = std::fs::canonicalize(raw) {
-        return resolved.to_string_lossy().into_owned();
+        return normalize_separators(resolved.to_string_lossy().into_owned());
     }
     // Fallback: lexical normalization only.
-    normalize_path(Path::new(raw)).to_string_lossy().into_owned()
+    normalize_separators(normalize_path(Path::new(raw)).to_string_lossy().into_owned())
 }
 
 /// Resolve a file path: if relative, join with cwd first, then resolve.
@@ -306,10 +331,10 @@ fn resolve_file_path(file_path: &str, resolved_cwd: &str) -> String {
     };
     // Try filesystem canonicalization first.
     if let Ok(resolved) = std::fs::canonicalize(&abs) {
-        return resolved.to_string_lossy().into_owned();
+        return normalize_separators(resolved.to_string_lossy().into_owned());
     }
     // Fallback: lexical normalization.
-    normalize_path(&abs).to_string_lossy().into_owned()
+    normalize_separators(normalize_path(&abs).to_string_lossy().into_owned())
 }
 
 fn extract_mcp_server(tool_name: &str) -> String {
@@ -322,3 +347,76 @@ fn extract_mcp_server(tool_name: &str) -> String {
         _ => String::new(),
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn normalize_path_relative() {
+        assert_eq!(normalize_path(Path::new("foo/bar/../baz")), PathBuf::from("foo/baz"));
+    }
+
+    #[test]
+    fn normalize_path_empty() {
+        assert_eq!(normalize_path(Path::new("")), PathBuf::from(""));
+    }
+
+    #[test]
+    fn normalize_path_unix_root_not_erased() {
+        // /foo/../.. must stop at /, not produce an empty path.
+        assert_eq!(normalize_path(Path::new("/foo/../..")), PathBuf::from("/"));
+    }
+
+    #[test]
+    fn normalize_path_unix_root_stays() {
+        assert_eq!(normalize_path(Path::new("/..")), PathBuf::from("/"));
+    }
+
+    #[test]
+    fn normalize_path_dot_only() {
+        assert_eq!(normalize_path(Path::new("./foo/./bar")), PathBuf::from("foo/bar"));
+    }
+
+    #[cfg(windows)]
+    #[test]
+    fn normalize_path_windows_drive_not_erased() {
+        // C:\foo\..\.. must stop at C:\, not produce bare "bar" or empty.
+        assert_eq!(
+            normalize_path(Path::new(r"C:\foo\..\..\bar")),
+            PathBuf::from(r"C:\bar")
+        );
+    }
+
+    #[cfg(windows)]
+    #[test]
+    fn normalize_path_windows_drive_root_stays() {
+        assert_eq!(normalize_path(Path::new(r"C:\..")), PathBuf::from(r"C:\"));
+    }
+
+    #[test]
+    fn normalize_path_consecutive_dotdot_from_root() {
+        assert_eq!(normalize_path(Path::new("/../../..")), PathBuf::from("/"));
+    }
+
+    #[test]
+    fn normalize_path_relative_dotdot_past_start() {
+        // Relative ../ past start can't be resolved lexically — discarded.
+        assert_eq!(normalize_path(Path::new("../../foo")), PathBuf::from("foo"));
+    }
+
+    #[test]
+    fn normalize_path_single_dotdot() {
+        assert_eq!(normalize_path(Path::new("..")), PathBuf::from(""));
+    }
+
+    #[cfg(windows)]
+    #[test]
+    fn normalize_path_windows_unc_root_not_erased() {
+        // UNC root must be preserved: \\server\share\..\.. stops at \\server\.
+        let result = normalize_path(Path::new(r"\\server\share\..\.."));
+        // After popping share and attempting to pop past UNC root,
+        // the root component is preserved.
+        assert!(result.to_string_lossy().starts_with(r"\\server"));
+    }
+}
diff --git a/plugins/coding-agent-plugin/src/socket_server.rs b/plugins/coding-agent-plugin/src/socket_server.rs
index 73086b6..79a80b0 100644
--- a/plugins/coding-agent-plugin/src/socket_server.rs
+++ b/plugins/coding-agent-plugin/src/socket_server.rs
@@ -1,11 +1,13 @@
 use std::io::{BufRead, BufReader, Read};
-use std::os::unix::net::UnixListener;
 use std::sync::Arc;
 use std::time::Duration;
 
+#[cfg(unix)]
+use std::os::unix::net::UnixListener;
+
 use crossbeam_channel::Sender;
 
-use crate::broker::Broker;
+use crate::broker::{Broker, BrokerStream};
 use crate::event::{EventData, InterceptorRequest};
 
 /// Max request size from an interceptor (64KB + envelope overhead).
@@ -18,7 +20,10 @@ const CONNECTION_READ_TIMEOUT: Duration = Duration::from_secs(5);
 /// flag after each timeout, enabling clean exit during config hot-reload.
 const ACCEPT_TIMEOUT: Duration = Duration::from_secs(1);
 
-/// Start the Unix socket server in a background thread.
+/// Start the broker socket server in a background thread.
+///
+/// Listens on a Unix domain socket at `socket_path` (all platforms).
+/// On Windows, uses the `uds_windows` crate for AF_UNIX support.
 pub fn start(
     socket_path: String,
     event_tx: Sender<EventData>,
@@ -30,6 +35,7 @@ pub fn start(
         .expect("failed to spawn socket server thread")
 }
 
+#[cfg(unix)]
 fn run_server(socket_path: &str, event_tx: &Sender<EventData>, broker: &Broker) {
     // Remove stale socket file if it exists.
     let _ = std::fs::remove_file(socket_path);
@@ -90,8 +96,65 @@ fn run_server(socket_path: &str, event_tx: &Sender<EventData>, broker: &Broker)
     }
 }
 
+#[cfg(windows)]
+fn run_server(socket_path: &str, event_tx: &Sender<EventData>, broker: &Broker) {
+    // Remove stale socket file if it exists.
+    let _ = std::fs::remove_file(socket_path);
+
+    // Ensure parent directory exists.
+    if let Some(parent) = std::path::Path::new(socket_path).parent() {
+        let _ = std::fs::create_dir_all(parent);
+    }
+
+    let listener = match uds_windows::UnixListener::bind(socket_path) {
+        Ok(l) => l,
+        Err(e) => {
+            log::error!("failed to bind Unix socket at {}: {}", socket_path, e);
+            return;
+        }
+    };
+
+    log::info!("broker listening on {}", socket_path);
+
+    // Use non-blocking accept + shutdown flag polling, same as the Unix impl.
+    // This enables clean exit during config hot-reload.
+    listener
+        .set_nonblocking(false)
+        .unwrap_or_else(|e| log::warn!("failed to set listener blocking mode: {}", e));
+
+    loop {
+        if broker.is_shutdown() {
+            log::info!("socket server shutting down");
+            break;
+        }
+
+        listener
+            .set_nonblocking(true)
+            .unwrap_or_else(|e| log::warn!("failed to set non-blocking: {}", e));
+
+        match listener.accept() {
+            Ok((stream, _)) => {
+                let _ = stream.set_read_timeout(Some(CONNECTION_READ_TIMEOUT));
+
+                if let Err(e) = handle_connection(stream, event_tx, broker) {
+                    log::warn!("connection error: {}", e);
+                }
+            }
+            Err(ref e) if e.kind() == std::io::ErrorKind::WouldBlock => {
+                std::thread::sleep(ACCEPT_TIMEOUT);
+            }
+            Err(e) => {
+                if broker.is_shutdown() {
+                    break;
+                }
+                log::warn!("failed to accept connection: {}", e);
+            }
+        }
+    }
+}
+
 fn handle_connection(
-    stream: std::os::unix::net::UnixStream,
+    stream: BrokerStream,
     event_tx: &Sender<EventData>,
     broker: &Broker,
 ) -> Result<(), String> {
diff --git a/tests/Cargo.lock b/tests/Cargo.lock
new file mode 100644
index 0000000..030696e
--- /dev/null
+++ b/tests/Cargo.lock
@@ -0,0 +1,471 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 4
+
+[[package]]
+name = "anyhow"
+version = "1.0.102"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
+
+[[package]]
+name = "autocfg"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
+
+[[package]]
+name = "bitflags"
+version = "2.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c4512299f36f043ab09a583e57bceb5a5aab7a73db1805848e8fef3c9e8c78b3"
+
+[[package]]
+name = "cak-tests"
+version = "0.1.0"
+dependencies = [
+ "serde",
+ "serde_json",
+ "uds_windows",
+]
+
+[[package]]
+name = "cfg-if"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
+
+[[package]]
+name = "equivalent"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
+
+[[package]]
+name = "errno"
+version = "0.3.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
+dependencies = [
+ "libc",
+ "windows-sys",
+]
+
+[[package]]
+name = "fastrand"
+version = "2.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9f1f227452a390804cdb637b74a86990f2a7d7ba4b7d5693aac9b4dd6defd8d6"
+
+[[package]]
+name = "foldhash"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
+
+[[package]]
+name = "getrandom"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0de51e6874e94e7bf76d726fc5d13ba782deca734ff60d5bb2fb2607c7406555"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "r-efi",
+ "wasip2",
+ "wasip3",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.15.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
+dependencies = [
+ "foldhash",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4f467dd6dccf739c208452f8014c75c18bb8301b050ad1cfb27153803edb0f51"
+
+[[package]]
+name = "heck"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
+
+[[package]]
+name = "id-arena"
+version = "2.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954"
+
+[[package]]
+name = "indexmap"
+version = "2.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d466e9454f08e4a911e14806c24e16fba1b4c121d1ea474396f396069cf949d9"
+dependencies = [
+ "equivalent",
+ "hashbrown 0.17.0",
+ "serde",
+ "serde_core",
+]
+
+[[package]]
+name = "itoa"
+version = "1.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
+
+[[package]]
+name = "leb128fmt"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"
+
+[[package]]
+name = "libc"
+version = "0.2.185"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "52ff2c0fe9bc6cb6b14a0592c2ff4fa9ceb83eea9db979b0487cd054946a2b8f"
+
+[[package]]
+name = "linux-raw-sys"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53"
+
+[[package]]
+name = "log"
+version = "0.4.29"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
+
+[[package]]
+name = "memchr"
+version = "2.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
+
+[[package]]
+name = "memoffset"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "488016bfae457b036d996092f6cb448677611ce4449e970ceaf42695203f218a"
+dependencies = [
+ "autocfg",
+]
+
+[[package]]
+name = "once_cell"
+version = "1.21.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9f7c3e4beb33f85d45ae3e3a1792185706c8e16d043238c593331cc7cd313b50"
+
+[[package]]
+name = "prettyplease"
+version = "0.2.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b"
+dependencies = [
+ "proc-macro2",
+ "syn",
+]
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.106"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "r-efi"
+version = "6.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf"
+
+[[package]]
+name = "rustix"
+version = "1.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190"
+dependencies = [
+ "bitflags",
+ "errno",
+ "libc",
+ "linux-raw-sys",
+ "windows-sys",
+]
+
+[[package]]
+name = "semver"
+version = "1.0.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8a7852d02fc848982e0c167ef163aaff9cd91dc640ba85e263cb1ce46fae51cd"
+
+[[package]]
+name = "serde"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
+dependencies = [
+ "serde_core",
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_core"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
+dependencies = [
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_derive"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "serde_json"
+version = "1.0.149"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86"
+dependencies = [
+ "itoa",
+ "memchr",
+ "serde",
+ "serde_core",
+ "zmij",
+]
+
+[[package]]
+name = "syn"
+version = "2.0.117"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "tempfile"
+version = "3.27.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
+dependencies = [
+ "fastrand",
+ "getrandom",
+ "once_cell",
+ "rustix",
+ "windows-sys",
+]
+
+[[package]]
+name = "uds_windows"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2f6fb2847f6742cd76af783a2a2c49e9375d0a111c7bef6f71cd9e738c72d6e"
+dependencies = [
+ "memoffset",
+ "tempfile",
+ "windows-sys",
+]
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
+
+[[package]]
+name = "unicode-xid"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853"
+
+[[package]]
+name = "wasip2"
+version = "1.0.2+wasi-0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9517f9239f02c069db75e65f174b3da828fe5f5b945c4dd26bd25d89c03ebcf5"
+dependencies = [
+ "wit-bindgen",
+]
+
+[[package]]
+name = "wasip3"
+version = "0.4.0+wasi-0.3.0-rc-2026-01-06"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5428f8bf88ea5ddc08faddef2ac4a67e390b88186c703ce6dbd955e1c145aca5"
+dependencies = [
+ "wit-bindgen",
+]
+
+[[package]]
+name = "wasm-encoder"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "990065f2fe63003fe337b932cfb5e3b80e0b4d0f5ff650e6985b1048f62c8319"
+dependencies = [
+ "leb128fmt",
+ "wasmparser",
+]
+
+[[package]]
+name = "wasm-metadata"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bb0e353e6a2fbdc176932bbaab493762eb1255a7900fe0fea1a2f96c296cc909"
+dependencies = [
+ "anyhow",
+ "indexmap",
+ "wasm-encoder",
+ "wasmparser",
+]
+
+[[package]]
+name = "wasmparser"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe"
+dependencies = [
+ "bitflags",
+ "hashbrown 0.15.5",
+ "indexmap",
+ "semver",
+]
+
+[[package]]
+name = "windows-link"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
+
+[[package]]
+name = "windows-sys"
+version = "0.61.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
+dependencies = [
+ "windows-link",
+]
+
+[[package]]
+name = "wit-bindgen"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5"
+dependencies = [
+ "wit-bindgen-rust-macro",
+]
+
+[[package]]
+name = "wit-bindgen-core"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ea61de684c3ea68cb082b7a88508a8b27fcc8b797d738bfc99a82facf1d752dc"
+dependencies = [
+ "anyhow",
+ "heck",
+ "wit-parser",
+]
+
+[[package]]
+name = "wit-bindgen-rust"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b7c566e0f4b284dd6561c786d9cb0142da491f46a9fbed79ea69cdad5db17f21"
+dependencies = [
+ "anyhow",
+ "heck",
+ "indexmap",
+ "prettyplease",
+ "syn",
+ "wasm-metadata",
+ "wit-bindgen-core",
+ "wit-component",
+]
+
+[[package]]
+name = "wit-bindgen-rust-macro"
+version = "0.51.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c0f9bfd77e6a48eccf51359e3ae77140a7f50b1e2ebfe62422d8afdaffab17a"
+dependencies = [
+ "anyhow",
+ "prettyplease",
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wit-bindgen-core",
+ "wit-bindgen-rust",
+]
+
+[[package]]
+name = "wit-component"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2"
+dependencies = [
+ "anyhow",
+ "bitflags",
+ "indexmap",
+ "log",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "wasm-encoder",
+ "wasm-metadata",
+ "wasmparser",
+ "wit-parser",
+]
+
+[[package]]
+name = "wit-parser"
+version = "0.244.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ecc8ac4bc1dc3381b7f59c34f00b67e18f910c2c0f50015669dde7def656a736"
+dependencies = [
+ "anyhow",
+ "id-arena",
+ "indexmap",
+ "log",
+ "semver",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "unicode-xid",
+ "wasmparser",
+]
+
+[[package]]
+name = "zmij"
+version = "1.0.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa"
diff --git a/tests/Cargo.toml b/tests/Cargo.toml
new file mode 100644
index 0000000..79794fc
--- /dev/null
+++ b/tests/Cargo.toml
@@ -0,0 +1,12 @@
+[package]
+name = "cak-tests"
+version = "0.1.0"
+edition = "2021"
+publish = false
+
+[dependencies]
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+
+[target.'cfg(windows)'.dependencies]
+uds_windows = "1.2"
diff --git a/tests/mock_broker.py b/tests/mock_broker.py
deleted file mode 100755
index 05f2ae2..0000000
--- a/tests/mock_broker.py
+++ /dev/null
@@ -1,96 +0,0 @@
-#!/usr/bin/env python3
-"""
-Mock broker for testing the interceptor.
-
-Usage:
-    mock_broker.py <socket_path> [mode]
-
-Modes:
-    allow           - respond with allow (default)
-    deny            - respond with deny + reason
-    ask             - respond with ask + reason
-    slow:<seconds>  - wait N seconds before responding (for timeout tests)
-    close           - accept connection then close immediately (no response)
-    bad_json        - respond with invalid JSON
-    wrong_id        - respond with mismatched ID
-"""
-
-import json
-import os
-import socket
-import sys
-import time
-
-
-def main():
-    if len(sys.argv) < 2:
-        print("Usage: mock_broker.py <socket_path> [mode]", file=sys.stderr)
-        sys.exit(1)
-
-    sock_path = sys.argv[1]
-    mode = sys.argv[2] if len(sys.argv) > 2 else "allow"
-
-    # Clean up stale socket.
-    try:
-        os.unlink(sock_path)
-    except FileNotFoundError:
-        pass
-
-    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
-    server.bind(sock_path)
-    server.listen(1)
-
-    # Signal readiness.
-    print("READY", flush=True)
-
-    conn, _ = server.accept()
-    try:
-        data = b""
-        while b"\n" not in data:
-            chunk = conn.recv(4096)
-            if not chunk:
-                break
-            data += chunk
-
-        if mode == "close":
-            conn.close()
-            return
-
-        # Parse request to get the ID.
-        try:
-            req = json.loads(data.decode("utf-8").strip())
-            req_id = req.get("id", "unknown")
-        except (json.JSONDecodeError, UnicodeDecodeError):
-            req_id = "unknown"
-
-        # Also print the request for test validation.
-        print(f"REQUEST:{data.decode('utf-8').strip()}", flush=True)
-
-        if mode.startswith("slow:"):
-            delay = float(mode.split(":")[1])
-            time.sleep(delay)
-            resp = {"id": req_id, "decision": "allow", "reason": ""}
-        elif mode == "deny":
-            resp = {"id": req_id, "decision": "deny", "reason": "blocked by test rule"}
-        elif mode == "ask":
-            resp = {"id": req_id, "decision": "ask", "reason": "requires confirmation"}
-        elif mode == "bad_json":
-            conn.sendall(b"this is not json\n")
-            return
-        elif mode == "wrong_id":
-            resp = {"id": "wrong-id-xxx", "decision": "allow", "reason": ""}
-        else:
-            resp = {"id": req_id, "decision": "allow", "reason": ""}
-
-        conn.sendall((json.dumps(resp) + "\n").encode("utf-8"))
-    finally:
-        conn.close()
-        server.close()
-        try:
-            os.unlink(sock_path)
-        except FileNotFoundError:
-            pass
-
-
-if __name__ == "__main__":
-    main()
diff --git a/tests/src/e2e.rs b/tests/src/e2e.rs
new file mode 100644
index 0000000..53000ed
--- /dev/null
+++ b/tests/src/e2e.rs
@@ -0,0 +1,343 @@
+use std::path::{Path, PathBuf};
+use std::process::{Child, Command, Stdio};
+use std::time::Duration;
+
+use crate::interceptor;
+
+/// E2E test harness managing a Falco process with the coding-agent plugin.
+pub struct E2eHarness {
+    falco: Child,
+    pub socket_path: PathBuf,
+    pub e2e_dir: PathBuf,
+    pub http_port: u16,
+}
+
+/// Find the Falco binary from the project's own build output.
+/// Does NOT use system Falco — only looks in known build directories
+/// and the FALCO env var (for CI to point at the built binary).
+pub fn find_falco() -> Option<PathBuf> {
+    if let Ok(p) = std::env::var("FALCO") {
+        let path = PathBuf::from(p);
+        if path.exists() {
+            return Some(path);
+        }
+    }
+    let root = Path::new(env!("CARGO_MANIFEST_DIR")).parent().unwrap();
+    let candidates: Vec<PathBuf> = if cfg!(windows) {
+        vec![
+            root.join("build/stage-windows-x64/bin/falco.exe"),
+            root.join("build/stage-windows-arm64/bin/falco.exe"),
+            root.join("build/falco-0.43.0-windows-x64/falco.exe"),
+            root.join("build/falco-0.43.0-windows-arm64/falco.exe"),
+        ]
+    } else if cfg!(target_os = "macos") {
+        let arch = if cfg!(target_arch = "aarch64") {
+            "aarch64"
+        } else {
+            "x86_64"
+        };
+        vec![root.join(format!("build/falco-0.43.0-darwin-{arch}/falco"))]
+    } else {
+        let arch = if cfg!(target_arch = "aarch64") {
+            "aarch64"
+        } else {
+            "x86_64"
+        };
+        vec![root.join(format!(
+            "build/falco-0.43.0-{arch}/usr/bin/falco"
+        ))]
+    };
+    for c in candidates {
+        if c.exists() {
+            return Some(c);
+        }
+    }
+    None
+}
+
+/// Find the plugin shared library.
+pub fn find_plugin_lib() -> Option<PathBuf> {
+    let root = Path::new(env!("CARGO_MANIFEST_DIR")).parent().unwrap();
+    let (prefix, ext) = if cfg!(windows) {
+        ("", "dll")
+    } else if cfg!(target_os = "macos") {
+        ("lib", "dylib")
+    } else {
+        ("lib", "so")
+    };
+    let base = root.join("plugins/coding-agent-plugin/target/release");
+    let lib = base.join(format!("{prefix}coding_agent.{ext}"));
+    if lib.exists() {
+        return Some(lib);
+    }
+    None
+}
+
+/// Macro to skip a test if Falco or the plugin is not available.
+#[macro_export]
+macro_rules! skip_unless_falco {
+    ($falco:ident, $plugin:ident) => {
+        let Some($falco) = $crate::e2e::find_falco() else {
+            eprintln!("SKIP: falco not found");
+            return;
+        };
+        let Some($plugin) = $crate::e2e::find_plugin_lib() else {
+            eprintln!("SKIP: plugin library not built");
+            return;
+        };
+    };
+}
+
+impl E2eHarness {
+    /// Start Falco with the plugin in the given mode.
+    /// Returns `None` if Falco or the plugin is not available.
+    pub fn start(mode: &str) -> Option<Self> {
+        let falco_bin = find_falco()?;
+        let plugin_lib = find_plugin_lib()?;
+        let hook_bin = interceptor::interceptor_path();
+        if !hook_bin.exists() {
+            eprintln!("SKIP: interceptor binary not found");
+            return None;
+        }
+
+        let pid = std::process::id();
+        let root = Path::new(env!("CARGO_MANIFEST_DIR")).parent().unwrap();
+        let e2e_dir = root.join(format!("build/e2e-{pid}"));
+        let _ = std::fs::create_dir_all(&e2e_dir);
+
+        let rules_dir = e2e_dir.join("rules");
+        let _ = std::fs::create_dir_all(&rules_dir);
+
+        let socket_path = e2e_dir.join("broker.sock");
+        let http_port = 19000 + (pid % 1000) as u16;
+
+        // Write rules.
+        write_rules(&rules_dir);
+
+        // Write Falco config.
+        let config_path = e2e_dir.join("falco.yaml");
+        write_falco_config(
+            &config_path,
+            &plugin_lib,
+            &socket_path,
+            &rules_dir,
+            http_port,
+            mode,
+        );
+
+        // Start Falco.
+        let falco_dir = falco_bin.parent().unwrap_or(Path::new("."));
+        let mut cmd = Command::new(&falco_bin);
+        cmd.arg("-U")
+            .arg("-c")
+            .arg(&config_path)
+            .arg("--disable-source")
+            .arg("syscall")
+            .stdout(Stdio::piped())
+            .stderr(Stdio::piped())
+            .current_dir(falco_dir);
+
+        let mut child = cmd
+            .spawn()
+            .unwrap_or_else(|e| panic!("failed to spawn falco at {}: {e}", falco_bin.display()));
+
+        // Wait for broker socket to appear.
+        let mut ready = false;
+        for _ in 0..40 {
+            if socket_path.exists() {
+                ready = true;
+                break;
+            }
+            if let Some(status) = child.try_wait().ok().flatten() {
+                eprintln!("ERROR: Falco exited early with code {status}");
+                // Drain stderr for diagnostics.
+                if let Some(mut stderr) = child.stderr.take() {
+                    let mut buf = String::new();
+                    use std::io::Read;
+                    let _ = stderr.read_to_string(&mut buf);
+                    eprintln!("Falco stderr: {buf}");
+                }
+                return None;
+            }
+            std::thread::sleep(Duration::from_millis(200));
+        }
+
+        if !ready {
+            eprintln!("ERROR: Falco broker socket not found after 8s: {}", socket_path.display());
+            let _ = child.kill();
+            return None;
+        }
+
+        // Extra wait for HTTP server.
+        std::thread::sleep(Duration::from_millis(500));
+
+        Some(E2eHarness {
+            falco: child,
+            socket_path,
+            e2e_dir,
+            http_port,
+        })
+    }
+
+    /// Run a hook event through the interceptor against this Falco instance.
+    pub fn run_hook(&self, input: &str) -> interceptor::InterceptorResult {
+        interceptor::run_interceptor(input, &self.socket_path.to_string_lossy(), &[])
+    }
+
+    /// Build a hook JSON input string.
+    pub fn make_input(
+        tool_name: &str,
+        tool_input: &str,
+        cwd: &str,
+        tool_use_id: &str,
+    ) -> String {
+        format!(
+            r#"{{"hook_event_name":"PreToolUse","tool_name":"{}","tool_input":{},"session_id":"e2e-test","cwd":"{}","tool_use_id":"{}"}}"#,
+            tool_name, tool_input, cwd, tool_use_id
+        )
+    }
+}
+
+impl Drop for E2eHarness {
+    fn drop(&mut self) {
+        let _ = self.falco.kill();
+        let _ = self.falco.wait();
+        // Small delay to release file handles before cleanup.
+        std::thread::sleep(Duration::from_millis(200));
+        let _ = std::fs::remove_dir_all(&self.e2e_dir);
+    }
+}
+
+fn to_forward_slashes(p: &Path) -> String {
+    p.to_string_lossy().replace('\\', "/")
+}
+
+fn write_falco_config(
+    config_path: &Path,
+    plugin_lib: &Path,
+    socket_path: &Path,
+    rules_dir: &Path,
+    http_port: u16,
+    mode: &str,
+) {
+    let deny_rules = to_forward_slashes(&rules_dir.join("deny.yaml"));
+    let seen_rules = to_forward_slashes(&rules_dir.join("seen.yaml"));
+    let plugin_path = to_forward_slashes(plugin_lib);
+    let sock_path = to_forward_slashes(socket_path);
+
+    let config = format!(
+        r#"engine:
+  kind: nodriver
+plugins:
+  - name: coding_agent
+    library_path: {plugin_path}
+    init_config:
+      socket_path: "{sock_path}"
+      http_port: {http_port}
+      mode: {mode}
+load_plugins:
+  - coding_agent
+rules_files:
+  - {deny_rules}
+  - {seen_rules}
+json_output: true
+json_include_message_property: true
+json_include_output_property: false
+json_include_output_fields_property: true
+json_include_tags_property: true
+rule_matching: all
+priority: debug
+http_output:
+  enabled: true
+  url: http://127.0.0.1:{http_port}
+stdout_output:
+  enabled: false
+syslog_output:
+  enabled: false
+"#
+    );
+    std::fs::write(config_path, config).expect("failed to write falco config");
+}
+
+fn write_rules(rules_dir: &Path) {
+    // On macOS, /etc is a symlink to /private/etc. The plugin resolves paths
+    // via canonicalize() when the file exists, but falls back to lexical
+    // normalization when it doesn't (common in tests). Rules must match both
+    // forms: /etc/... and /private/etc/...
+    let sensitive_write_condition = if cfg!(windows) {
+        r#"tool.name in ("Write", "Edit") and tool.real_file_path startswith "C:/Windows""#
+    } else if cfg!(target_os = "macos") {
+        r#"tool.name in ("Write", "Edit") and (tool.real_file_path startswith "/etc" or tool.real_file_path startswith "/private/etc")"#
+    } else {
+        r#"tool.name in ("Write", "Edit") and tool.real_file_path startswith "/etc""#
+    };
+    let sensitive_read_condition = if cfg!(windows) {
+        r#"tool.name = "Read" and (tool.real_file_path startswith "C:/Windows" or tool.real_file_path contains ".ssh")"#
+    } else if cfg!(target_os = "macos") {
+        r#"tool.name = "Read" and (tool.real_file_path startswith "/etc" or tool.real_file_path startswith "/private/etc" or tool.real_file_path contains ".ssh" or tool.real_file_path contains ".aws")"#
+    } else {
+        r#"tool.name = "Read" and (tool.real_file_path startswith "/etc" or tool.real_file_path contains ".ssh" or tool.real_file_path contains ".aws")"#
+    };
+
+    let deny_rules = format!(
+        r#"- rule: Deny rm -rf
+  desc: Block dangerous rm -rf commands
+  condition: tool.name = "Bash" and tool.input_command contains "rm -rf"
+  output: "Falco blocked rm -rf: %tool.input_command | correlation=%correlation.id"
+  priority: CRITICAL
+  source: coding_agent
+  tags: [coding_agent_deny]
+
+- rule: Deny writes to sensitive paths
+  desc: Block writes to sensitive system directories
+  condition: {sensitive_write_condition}
+  output: "Falco blocked writing to %tool.real_file_path | correlation=%correlation.id"
+  priority: CRITICAL
+  source: coding_agent
+  tags: [coding_agent_deny]
+
+- rule: Deny writing to ssh dir
+  desc: Block writes to .ssh directories
+  condition: tool.name in ("Write", "Edit") and tool.real_file_path contains "/.ssh/"
+  output: "Falco blocked writing to %tool.real_file_path because .ssh is sensitive | correlation=%correlation.id"
+  priority: CRITICAL
+  source: coding_agent
+  tags: [coding_agent_deny]
+
+- rule: Ask write outside cwd
+  desc: Require confirmation for writes outside working directory
+  condition: tool.name in ("Write", "Edit") and not tool.real_file_path startswith val(agent.real_cwd)
+  output: "Falco asks about writing to %tool.real_file_path outside %agent.real_cwd | correlation=%correlation.id"
+  priority: WARNING
+  source: coding_agent
+  tags: [coding_agent_ask]
+
+- rule: Deny reading sensitive paths
+  desc: Block reads from sensitive paths
+  condition: {sensitive_read_condition}
+  output: "Falco blocked reading %tool.real_file_path | correlation=%correlation.id"
+  priority: CRITICAL
+  source: coding_agent
+  tags: [coding_agent_deny]
+
+- rule: Audit read outside cwd
+  desc: Log reads outside working directory (monitor only, no enforcement)
+  condition: tool.name = "Read" and not tool.real_file_path startswith val(agent.real_cwd)
+  output: "Falco noticed read outside cwd %tool.real_file_path | correlation=%correlation.id"
+  priority: NOTICE
+  source: coding_agent
+  tags: []
+"#
+    );
+    std::fs::write(rules_dir.join("deny.yaml"), deny_rules).expect("failed to write deny rules");
+
+    let seen_rule = r#"- rule: Coding Agent Event Seen
+  desc: Catch-all rule signaling evaluation complete
+  condition: correlation.id > 0
+  output: "id=%correlation.id agent=%agent.name tool=%tool.name cwd=%agent.real_cwd path=%tool.real_file_path cmd=%tool.input_command"
+  priority: DEBUG
+  source: coding_agent
+  tags: [coding_agent_seen]
+"#;
+    std::fs::write(rules_dir.join("seen.yaml"), seen_rule).expect("failed to write seen rule");
+}
diff --git a/tests/src/interceptor.rs b/tests/src/interceptor.rs
new file mode 100644
index 0000000..5d532f6
--- /dev/null
+++ b/tests/src/interceptor.rs
@@ -0,0 +1,108 @@
+use std::io::Write;
+use std::path::{Path, PathBuf};
+use std::process::{Command, Stdio};
+
+use crate::mock_broker::{self, MockBroker, MockMode};
+
+/// Result of running the interceptor binary.
+pub struct InterceptorResult {
+    pub stdout: String,
+    pub stderr: String,
+    pub exit_code: i32,
+}
+
+/// Find the interceptor binary.
+pub fn interceptor_path() -> PathBuf {
+    if let Ok(p) = std::env::var("HOOK") {
+        return PathBuf::from(p);
+    }
+    let root = Path::new(env!("CARGO_MANIFEST_DIR")).parent().unwrap();
+    let bin_name = if cfg!(windows) {
+        "claude-interceptor.exe"
+    } else {
+        "claude-interceptor"
+    };
+    // Check common build locations.
+    let candidates = [
+        root.join("hooks/claude-code/target/release").join(bin_name),
+        root.join("hooks/claude-code/target/x86_64-pc-windows-msvc/release")
+            .join(bin_name),
+        root.join("hooks/claude-code/target/aarch64-pc-windows-msvc/release")
+            .join(bin_name),
+    ];
+    for c in &candidates {
+        if c.exists() {
+            return c.clone();
+        }
+    }
+    // Default to the first candidate (will fail at spawn with a clear error).
+    candidates[0].clone()
+}
+
+/// Run the interceptor binary with the given stdin input and socket path.
+pub fn run_interceptor(
+    input: &str,
+    socket_path: &str,
+    env_overrides: &[(&str, &str)],
+) -> InterceptorResult {
+    let hook = interceptor_path();
+    let mut cmd = Command::new(&hook);
+    cmd.stdin(Stdio::piped())
+        .stdout(Stdio::piped())
+        .stderr(Stdio::piped())
+        .env("CODING_AGENTS_KIT_SOCKET", socket_path);
+    for (k, v) in env_overrides {
+        cmd.env(k, v);
+    }
+
+    let mut child = cmd
+        .spawn()
+        .unwrap_or_else(|e| panic!("failed to spawn interceptor at {}: {}", hook.display(), e));
+
+    // Write stdin and drop to signal EOF.
+    if let Some(mut stdin) = child.stdin.take() {
+        let _ = stdin.write_all(input.as_bytes());
+    }
+
+    let output = child
+        .wait_with_output()
+        .expect("failed to wait for interceptor");
+
+    InterceptorResult {
+        stdout: String::from_utf8_lossy(&output.stdout).to_string(),
+        stderr: String::from_utf8_lossy(&output.stderr).to_string(),
+        exit_code: output.status.code().unwrap_or(-1),
+    }
+}
+
+/// Run the interceptor against a mock broker with the given mode.
+pub fn run_with_mock(mode: MockMode, input: &str, label: &str) -> InterceptorResult {
+    let sock = mock_broker::temp_socket_path(label);
+    let broker = MockBroker::start(&sock, mode);
+    let result = run_interceptor(input, &sock.to_string_lossy(), &[]);
+    broker.stop();
+    result
+}
+
+/// Assert the interceptor output contains the expected verdict decision.
+pub fn assert_decision(result: &InterceptorResult, expected: &str) {
+    let needle = format!("\"permissionDecision\":\"{}\"", expected);
+    assert!(
+        result.stdout.contains(&needle),
+        "expected decision={}, got stdout='{}' stderr='{}'",
+        expected,
+        result.stdout.trim(),
+        result.stderr.trim()
+    );
+}
+
+/// Assert the interceptor output reason contains the expected text.
+pub fn assert_reason_contains(result: &InterceptorResult, needle: &str) {
+    assert!(
+        result.stdout.contains(needle),
+        "expected reason to contain '{}', got stdout='{}' stderr='{}'",
+        needle,
+        result.stdout.trim(),
+        result.stderr.trim()
+    );
+}
diff --git a/tests/src/lib.rs b/tests/src/lib.rs
new file mode 100644
index 0000000..b4489ac
--- /dev/null
+++ b/tests/src/lib.rs
@@ -0,0 +1,3 @@
+pub mod mock_broker;
+pub mod interceptor;
+pub mod e2e;
diff --git a/tests/src/mock_broker.rs b/tests/src/mock_broker.rs
new file mode 100644
index 0000000..a0740c0
--- /dev/null
+++ b/tests/src/mock_broker.rs
@@ -0,0 +1,152 @@
+use std::io::{BufRead, BufReader, Write};
+use std::path::{Path, PathBuf};
+use std::sync::mpsc;
+use std::thread::{self, JoinHandle};
+use std::time::Duration;
+
+#[cfg(unix)]
+type Listener = std::os::unix::net::UnixListener;
+#[cfg(windows)]
+type Listener = uds_windows::UnixListener;
+
+#[cfg(unix)]
+type Stream = std::os::unix::net::UnixStream;
+#[cfg(windows)]
+type Stream = uds_windows::UnixStream;
+
+/// Response mode for the mock broker.
+#[derive(Clone)]
+pub enum MockMode {
+    Allow,
+    Deny,
+    Ask,
+    Slow(Duration),
+    Close,
+    BadJson,
+    WrongId,
+}
+
+/// A mock broker that listens on a Unix domain socket and responds to one request.
+pub struct MockBroker {
+    socket_path: PathBuf,
+    thread: Option<JoinHandle<()>>,
+}
+
+impl MockBroker {
+    /// Start a mock broker on the given socket path.
+    /// Blocks until the listener is ready (bind + listen succeeded).
+    pub fn start(socket_path: &Path, mode: MockMode) -> Self {
+        let path = socket_path.to_path_buf();
+        let path_for_thread = path.clone();
+
+        // Readiness signal: thread sends () after bind+listen.
+        let (tx, rx) = mpsc::channel();
+
+        let thread = thread::Builder::new()
+            .name("mock-broker".into())
+            .spawn(move || run_broker(&path_for_thread, mode, tx))
+            .expect("failed to spawn mock broker thread");
+
+        // Wait for the broker to be ready (5s timeout).
+        rx.recv_timeout(Duration::from_secs(5))
+            .expect("mock broker did not become ready in time");
+
+        MockBroker {
+            socket_path: path,
+            thread: Some(thread),
+        }
+    }
+
+    /// Wait for the broker thread to finish.
+    pub fn stop(mut self) {
+        if let Some(t) = self.thread.take() {
+            let _ = t.join();
+        }
+    }
+}
+
+impl Drop for MockBroker {
+    fn drop(&mut self) {
+        if let Some(t) = self.thread.take() {
+            let _ = t.join();
+        }
+        let _ = std::fs::remove_file(&self.socket_path);
+    }
+}
+
+fn run_broker(socket_path: &Path, mode: MockMode, ready_tx: mpsc::Sender<()>) {
+    // Clean up stale socket.
+    let _ = std::fs::remove_file(socket_path);
+    if let Some(parent) = socket_path.parent() {
+        let _ = std::fs::create_dir_all(parent);
+    }
+
+    let listener = Listener::bind(socket_path).expect("mock broker: bind failed");
+    // Signal readiness.
+    let _ = ready_tx.send(());
+
+    // Accept one connection.
+    let (stream, _) = listener.accept().expect("mock broker: accept failed");
+    handle_connection(stream, &mode);
+}
+
+fn handle_connection(stream: Stream, mode: &MockMode) {
+    // Read newline-terminated request.
+    let mut reader = BufReader::new(&stream);
+    let mut line = String::new();
+    let _ = reader.read_line(&mut line);
+
+    if matches!(mode, MockMode::Close) {
+        // Close without responding.
+        return;
+    }
+
+    // Parse request ID.
+    let req_id = serde_json::from_str::<serde_json::Value>(&line)
+        .ok()
+        .and_then(|v| v.get("id").and_then(|id| id.as_str().map(String::from)))
+        .unwrap_or_else(|| "unknown".into());
+
+    let response = match mode {
+        MockMode::Allow => format!(
+            r#"{{"id":"{}","decision":"allow","reason":""}}"#,
+            req_id
+        ),
+        MockMode::Deny => format!(
+            r#"{{"id":"{}","decision":"deny","reason":"blocked by test rule"}}"#,
+            req_id
+        ),
+        MockMode::Ask => format!(
+            r#"{{"id":"{}","decision":"ask","reason":"requires confirmation"}}"#,
+            req_id
+        ),
+        MockMode::Slow(delay) => {
+            thread::sleep(*delay);
+            format!(r#"{{"id":"{}","decision":"allow","reason":""}}"#, req_id)
+        }
+        MockMode::BadJson => "this is not json".into(),
+        MockMode::WrongId => r#"{"id":"wrong-id-xxx","decision":"allow","reason":""}"#.into(),
+        MockMode::Close => unreachable!(),
+    };
+
+    let mut writer = stream;
+    let _ = write!(writer, "{}\n", response);
+}
+
+/// Generate a unique socket path in the system temp directory.
+pub fn temp_socket_path(label: &str) -> PathBuf {
+    let path = std::env::temp_dir().join(format!(
+        "cak-test-{}-{}.sock",
+        std::process::id(),
+        label
+    ));
+    // Normalize to forward slashes on Windows for AF_UNIX compatibility.
+    #[cfg(windows)]
+    {
+        PathBuf::from(path.to_string_lossy().replace('\\', "/"))
+    }
+    #[cfg(not(windows))]
+    {
+        path
+    }
+}
diff --git a/tests/test_e2e.sh b/tests/test_e2e.sh
deleted file mode 100755
index 5192c38..0000000
--- a/tests/test_e2e.sh
+++ /dev/null
@@ -1,419 +0,0 @@
-#!/usr/bin/env bash
-#
-# End-to-end tests for the coding-agents-kit pipeline.
-# Requires: Falco 0.43+, the built plugin (.so), the built interceptor.
-#
-set -uo pipefail
-
-SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
-ROOT_DIR="$(cd -- "$SCRIPT_DIR/.." &>/dev/null && pwd)"
-HOOK="${ROOT_DIR}/hooks/claude-code/target/release/claude-interceptor"
-case "$(uname -s)" in
-    Darwin) PLUGIN_EXT="dylib" ;;
-    *)      PLUGIN_EXT="so" ;;
-esac
-PLUGIN_LIB="${ROOT_DIR}/plugins/coding-agent-plugin/target/release/libcoding_agent.${PLUGIN_EXT}"
-# Use build/ for temp files to avoid /tmp restrictions on some platforms.
-E2E_DIR="${ROOT_DIR}/build/e2e-$$"
-mkdir -p "$E2E_DIR"
-SOCK="${E2E_DIR}/broker.sock"
-HTTP_PORT=$((19000 + ($$ % 1000)))
-PASS=0
-FAIL=0
-FALCO_PID=""
-
-# --- Preflight checks ---
-for bin in falco "$HOOK"; do
-    if [[ ! -x "$bin" ]] && ! command -v "$bin" &>/dev/null; then
-        echo "ERROR: $bin not found" >&2
-        exit 1
-    fi
-done
-if [[ ! -f "$PLUGIN_LIB" ]]; then
-    echo "ERROR: plugin not found at $PLUGIN_LIB (run 'cargo build --release' in plugins/coding-agent-plugin/)" >&2
-    exit 1
-fi
-
-# --- Rules ---
-RULES_DIR="${E2E_DIR}/rules"
-mkdir -p "$RULES_DIR"
-
-cat > "$RULES_DIR/deny.yaml" << 'YAML'
-- rule: Deny rm -rf
-  desc: Block dangerous rm -rf commands
-  condition: tool.name = "Bash" and tool.input_command contains "rm -rf"
-  output: "DENY id=%correlation.id cmd=%tool.input_command"
-  priority: CRITICAL
-  source: coding_agent
-  tags: [coding_agent_deny]
-
-- rule: Deny writes to etc
-  desc: Block writes to /etc/ (and /private/etc/ on macOS where /etc is a symlink)
-  condition: tool.name in ("Write", "Edit") and (tool.real_file_path startswith "/etc/" or tool.real_file_path startswith "/private/etc/")
-  output: "DENY id=%correlation.id path=%tool.real_file_path"
-  priority: CRITICAL
-  source: coding_agent
-  tags: [coding_agent_deny]
-
-- rule: Ask write outside cwd
-  desc: Require confirmation for writes outside working directory
-  condition: tool.name in ("Write", "Edit") and not tool.real_file_path startswith val(agent.real_cwd)
-  output: "ASK id=%correlation.id path=%tool.real_file_path cwd=%agent.real_cwd"
-  priority: WARNING
-  source: coding_agent
-  tags: [coding_agent_ask]
-
-- rule: Deny reading sensitive paths
-  desc: Block reads from sensitive paths
-  condition: tool.name = "Read" and (tool.real_file_path startswith "/etc/" or tool.real_file_path startswith "/private/etc/" or tool.real_file_path contains "/.ssh/" or tool.real_file_path contains "/.aws/")
-  output: "Falco blocked reading %tool.real_file_path because it is a sensitive path"
-  priority: CRITICAL
-  source: coding_agent
-  tags: [coding_agent_deny]
-
-- rule: Deny writing to ssh dir
-  desc: Block writes to .ssh directories
-  condition: tool.name in ("Write", "Edit") and tool.real_file_path contains "/.ssh/"
-  output: "Falco blocked writing to %tool.real_file_path because .ssh is a sensitive directory"
-  priority: CRITICAL
-  source: coding_agent
-  tags: [coding_agent_deny]
-
-- rule: Monitor outside cwd
-  desc: Log all file access outside working directory (informational, no verdict)
-  condition: tool.name in ("Write", "Edit", "Read") and tool.real_file_path != "" and not tool.real_file_path startswith val(agent.real_cwd)
-  output: "File access outside cwd | file=%tool.real_file_path cwd=%agent.real_cwd"
-  priority: NOTICE
-  source: coding_agent
-  tags: []
-YAML
-
-cat > "$RULES_DIR/seen.yaml" << 'YAML'
-- rule: Coding Agent Event Seen
-  desc: Catch-all rule signaling evaluation complete
-  condition: correlation.id > 0
-  output: "id=%correlation.id"
-  priority: DEBUG
-  source: coding_agent
-  tags: [coding_agent_seen]
-YAML
-
-# --- Helpers ---
-cleanup() {
-    stop_falco
-    rm -rf "$E2E_DIR"
-}
-trap cleanup EXIT
-
-stop_falco() {
-    if [[ -n "$FALCO_PID" ]]; then
-        kill "$FALCO_PID" 2>/dev/null && wait "$FALCO_PID" 2>/dev/null
-        FALCO_PID=""
-    fi
-}
-
-start_falco() {
-    local mode="${1:-enforcement}"
-    stop_falco
-    rm -f "$SOCK"
-    # Use an empty config file with inline overrides so the test does not
-    # depend on any installed config. Without -c, Falco looks for
-    # /etc/falco/falco.yaml and fails if it doesn't exist.
-    falco -c "$SCRIPT_DIR/falco.yaml" \
-        -o "engine.kind=nodriver" \
-        -o "config_files=" \
-        -o "plugins[0].name=coding_agent" \
-        -o "plugins[0].library_path=$PLUGIN_LIB" \
-        -o "plugins[0].init_config={\"socket_path\":\"$SOCK\",\"http_port\":$HTTP_PORT,\"mode\":\"$mode\"}" \
-        -o "load_plugins[0]=coding_agent" \
-        -o "rules_files[0]=$RULES_DIR/deny.yaml" \
-        -o "rules_files[1]=$RULES_DIR/seen.yaml" \
-        -o "json_output=true" \
-        -o "json_include_message_property=true" \
-        -o "json_include_output_property=false" \
-        -o "json_include_output_fields_property=true" \
-        -o "json_include_tags_property=true" \
-        -o "rule_matching=all" \
-        -o "priority=debug" \
-        -o "stdout_output.enabled=true" \
-        -o "syslog_output.enabled=false" \
-        -o "http_output.enabled=true" \
-        -o "http_output.url=http://127.0.0.1:$HTTP_PORT" \
-        -o "append_output[0].match.source=coding_agent" \
-        -o "append_output[0].extra_output=| For AI Agents: inform the user that this action was flagged by a Falco security rule | correlation=%correlation.id" \
-        --disable-source syscall \
-        > "$E2E_DIR/falco.log" 2>&1 &
-    FALCO_PID=$!
-
-    # Wait for socket + HTTP server to be ready.
-    local i=0
-    while [[ ! -S "$SOCK" ]] && (( i < 40 )); do
-        sleep 0.2
-        ((i++))
-    done
-    # Extra wait for HTTP server bind.
-    sleep 0.5
-
-    if [[ ! -S "$SOCK" ]]; then
-        echo "ERROR: Falco did not start (socket not found)" >&2
-        echo "Falco log:" >&2
-        cat "$E2E_DIR/falco.log" >&2
-        return 1
-    fi
-}
-
-run_hook() {
-    local input="$1"
-    echo "$input" | \
-        CODING_AGENTS_KIT_SOCKET="$SOCK" \
-        CODING_AGENTS_KIT_TIMEOUT_MS=5000 \
-        "$HOOK" 2>/dev/null || true
-}
-
-pass() {
-    echo "  PASS: $1"
-    ((PASS++)) || true
-}
-
-fail() {
-    echo "  FAIL: $1"
-    echo "    expected: $2"
-    echo "    got: $3"
-    ((FAIL++)) || true
-}
-
-assert_decision() {
-    local output="$1"
-    local expected="$2"
-    local msg="$3"
-    if echo "$output" | grep -qF "\"permissionDecision\":\"$expected\""; then
-        pass "$msg"
-    else
-        fail "$msg" "decision=$expected" "$output"
-    fi
-}
-
-assert_reason_contains() {
-    local output="$1"
-    local needle="$2"
-    local msg="$3"
-    if echo "$output" | grep -qF "$needle"; then
-        pass "$msg"
-    else
-        fail "$msg" "reason contains '$needle'" "$output"
-    fi
-}
-
-make_input() {
-    local tool_name="$1"
-    local tool_input="$2"
-    local cwd="${3:-/tmp}"
-    local id="${4:-toolu_$(date +%s%N)}"
-    echo "{\"hook_event_name\":\"PreToolUse\",\"tool_name\":\"$tool_name\",\"tool_input\":$tool_input,\"session_id\":\"e2e-test\",\"cwd\":\"$cwd\",\"tool_use_id\":\"$id\"}"
-}
-
-# --- Start Falco ---
-echo "Starting Falco with plugin..."
-start_falco || exit 1
-echo "Falco running (PID=$FALCO_PID, socket=$SOCK, http=$HTTP_PORT)"
-echo ""
-
-# --- Tests ---
-
-echo "=== Deny: rm -rf ==="
-out=$(run_hook "$(make_input Bash '{"command":"rm -rf /"}' /tmp toolu_deny_rmrf)")
-assert_decision "$out" "deny" "rm -rf denied"
-assert_reason_contains "$out" "Deny rm -rf" "deny reason mentions rule name"
-
-echo "=== Deny: rm -rf (variant) ==="
-out=$(run_hook "$(make_input Bash '{"command":"sudo rm -rf /home"}' /tmp toolu_deny_rmrf2)")
-assert_decision "$out" "deny" "rm -rf variant denied"
-
-echo "=== Allow: safe command ==="
-out=$(run_hook "$(make_input Bash '{"command":"ls -la"}' /tmp toolu_allow_ls)")
-assert_decision "$out" "allow" "ls allowed"
-
-echo "=== Allow: echo command ==="
-out=$(run_hook "$(make_input Bash '{"command":"echo hello"}' /tmp toolu_allow_echo)")
-assert_decision "$out" "allow" "echo allowed"
-
-echo "=== Deny: write to /etc/ ==="
-out=$(run_hook "$(make_input Write '{"file_path":"/etc/passwd","content":"x"}' /tmp toolu_deny_etc)")
-assert_decision "$out" "deny" "write to /etc denied"
-assert_reason_contains "$out" "Deny writes to etc" "deny reason mentions rule name"
-
-echo "=== Ask: write outside cwd ==="
-out=$(run_hook "$(make_input Write '{"file_path":"/home/other/file.txt","content":"x"}' /tmp/myproject toolu_ask_outside)")
-assert_decision "$out" "ask" "write outside cwd asks"
-assert_reason_contains "$out" "Ask write outside cwd" "ask reason mentions rule name"
-
-echo "=== Allow: write inside cwd ==="
-out=$(run_hook "$(make_input Write '{"file_path":"/tmp/myproject/file.txt","content":"x"}' /tmp/myproject toolu_allow_inside)")
-assert_decision "$out" "allow" "write inside cwd allowed"
-
-echo "=== Allow: Read tool ==="
-out=$(run_hook "$(make_input Read '{"file_path":"/tmp/test.txt"}' /tmp toolu_allow_read)")
-assert_decision "$out" "allow" "read allowed"
-
-echo "=== Allow: Grep tool ==="
-out=$(run_hook "$(make_input Grep '{"pattern":"foo","path":"/tmp"}' /tmp toolu_allow_grep)")
-assert_decision "$out" "allow" "grep allowed"
-
-echo "=== Allow: MCP tool ==="
-out=$(run_hook "$(make_input 'mcp__github__get_issue' '{"number":42}' /tmp toolu_allow_mcp)")
-assert_decision "$out" "allow" "MCP tool allowed"
-
-echo "=== Deny: read sensitive path ==="
-out=$(run_hook "$(make_input Read '{"file_path":"/etc/shadow"}' /tmp toolu_deny_read_etc)")
-assert_decision "$out" "deny" "read /etc/shadow denied"
-assert_reason_contains "$out" "Deny reading sensitive paths" "deny reason mentions read rule name"
-
-echo "=== Deny: read ssh key ==="
-out=$(run_hook "$(make_input Read '{"file_path":"/home/user/.ssh/id_rsa"}' /tmp toolu_deny_read_ssh)")
-assert_decision "$out" "deny" "read .ssh/id_rsa denied"
-
-echo "=== Allow: read safe file ==="
-out=$(run_hook "$(make_input Read '{"file_path":"/tmp/safe.txt"}' /tmp toolu_allow_read_safe)")
-assert_decision "$out" "allow" "read safe file allowed"
-
-echo "=== Deny: append_output text in reason ==="
-# Verify the append_output "For AI Agents" instruction appears in deny reasons.
-out=$(run_hook "$(make_input Bash '{"command":"rm -rf /tmp/nuke"}' /tmp toolu_deny_append)")
-assert_reason_contains "$out" "For AI Agents" "append_output instruction in deny reason"
-assert_reason_contains "$out" "correlation=" "correlation.id in deny reason"
-
-echo "=== Deny: write to /etc does not get ask (escalation) ==="
-# Write to /etc/ is both outside cwd and a sensitive path — deny must win over ask.
-out=$(run_hook "$(make_input Write '{"file_path":"/etc/hosts","content":"x"}' /tmp/myproject toolu_escalation)")
-assert_decision "$out" "deny" "deny wins over ask (verdict escalation)"
-
-# --- Edit tool (same rules as Write, verify both match) ---
-
-echo "=== Deny: edit to /etc/ ==="
-out=$(run_hook "$(make_input Edit '{"file_path":"/etc/passwd","old_string":"x","new_string":"y"}' /tmp toolu_deny_edit_etc)")
-assert_decision "$out" "deny" "edit /etc denied"
-
-echo "=== Ask: edit outside cwd ==="
-out=$(run_hook "$(make_input Edit '{"file_path":"/home/other/file.txt","old_string":"x","new_string":"y"}' /tmp/myproject toolu_ask_edit_outside)")
-assert_decision "$out" "ask" "edit outside cwd asks"
-
-echo "=== Allow: edit inside cwd ==="
-out=$(run_hook "$(make_input Edit '{"file_path":"/tmp/myproject/file.txt","old_string":"x","new_string":"y"}' /tmp/myproject toolu_allow_edit_inside)")
-assert_decision "$out" "allow" "edit inside cwd allowed"
-
-# --- Sensitive directory variants ---
-
-echo "=== Deny: write to .ssh/ ==="
-out=$(run_hook "$(make_input Write '{"file_path":"/home/user/.ssh/authorized_keys","content":"x"}' /tmp toolu_deny_write_ssh)")
-assert_decision "$out" "deny" "write to .ssh denied"
-
-echo "=== Deny: edit .ssh/ ==="
-out=$(run_hook "$(make_input Edit '{"file_path":"/home/user/.ssh/config","old_string":"x","new_string":"y"}' /tmp toolu_deny_edit_ssh)")
-assert_decision "$out" "deny" "edit .ssh denied"
-
-echo "=== Deny: read .aws/ ==="
-out=$(run_hook "$(make_input Read '{"file_path":"/home/user/.aws/credentials"}' /tmp toolu_deny_read_aws)")
-assert_decision "$out" "deny" "read .aws/credentials denied"
-
-# --- Bash edge cases ---
-
-echo "=== Allow: rm without -rf (not dangerous) ==="
-out=$(run_hook "$(make_input Bash '{"command":"rm file.txt"}' /tmp toolu_allow_rm_safe)")
-assert_decision "$out" "allow" "rm without -rf allowed"
-
-echo "=== Deny: rm -rf in chained command ==="
-out=$(run_hook "$(make_input Bash '{"command":"echo yes && rm -rf /tmp/target"}' /tmp toolu_deny_rmrf_chain)")
-assert_decision "$out" "deny" "rm -rf in chained command denied"
-
-# --- Tools that should always allow (no matching rules) ---
-
-echo "=== Allow: Agent tool ==="
-out=$(run_hook "$(make_input Agent '{"prompt":"do something","description":"test"}' /tmp toolu_allow_agent)")
-assert_decision "$out" "allow" "Agent tool allowed (no rules match)"
-
-echo "=== Allow: Glob tool ==="
-out=$(run_hook "$(make_input Glob '{"pattern":"*.rs"}' /tmp toolu_allow_glob)")
-assert_decision "$out" "allow" "Glob tool allowed (no rules match)"
-
-echo "=== Allow: WebSearch tool ==="
-out=$(run_hook "$(make_input WebSearch '{"query":"rust programming"}' /tmp toolu_allow_websearch)")
-assert_decision "$out" "allow" "WebSearch tool allowed (no rules match)"
-
-# --- Path resolution edge cases ---
-
-echo "=== Deny: write with path traversal to /etc/ ==="
-# /tmp/myproject/../../etc/passwd resolves to /etc/passwd
-out=$(run_hook "$(make_input Write '{"file_path":"/tmp/myproject/../../etc/passwd","content":"x"}' /tmp/myproject toolu_deny_traversal)")
-assert_decision "$out" "deny" "path traversal to /etc/ denied"
-
-echo "=== Allow: relative path inside cwd ==="
-out=$(run_hook "$(make_input Write '{"file_path":"src/main.rs","content":"x"}' /tmp/myproject toolu_allow_relative)")
-assert_decision "$out" "allow" "relative path inside cwd allowed"
-
-# --- Monitor rule (no verdict tag — still allows) ---
-
-echo "=== Allow: read outside cwd triggers monitor but still allows ==="
-# The Monitor outside cwd rule fires (NOTICE, empty tags) but doesn't affect the verdict.
-out=$(run_hook "$(make_input Read '{"file_path":"/tmp/other/data.txt"}' /tmp/myproject toolu_monitor_read)")
-assert_decision "$out" "allow" "monitor-only rule does not block"
-
-# --- MCP tool field extraction ---
-
-echo "=== Allow: MCP tool with server name ==="
-out=$(run_hook "$(make_input 'mcp__ide__getDiagnostics' '{"uri":"file:///tmp/test.ts"}' /tmp toolu_allow_mcp_ide)")
-assert_decision "$out" "allow" "MCP tool with server name allowed"
-
-# --- Health check (uses the ctl binary) ---
-
-CTL="${ROOT_DIR}/tools/coding-agents-kit-ctl/target/release/coding-agents-kit-ctl"
-if [[ -x "$CTL" ]]; then
-    echo "=== Health check via ctl ==="
-    # The health command sends a synthetic event through the interceptor and checks the verdict.
-    # We need to point it at our test prefix (with interceptor binary and broker socket).
-    # Create a minimal prefix structure pointing to the E2E socket.
-    HEALTH_PREFIX="${E2E_DIR}/health-prefix"
-    mkdir -p "$HEALTH_PREFIX/bin" "$HEALTH_PREFIX/run"
-    ln -sf "$HOOK" "$HEALTH_PREFIX/bin/claude-interceptor"
-    ln -sf "$SOCK" "$HEALTH_PREFIX/run/broker.sock"
-    out=$("$CTL" --prefix="$HEALTH_PREFIX" health 2>&1)
-    if echo "$out" | grep -q "^OK:"; then
-        pass "health check passes"
-    else
-        fail "health check" "OK: ..." "$out"
-    fi
-else
-    echo "  SKIP: ctl binary not built (skipping health check test)"
-fi
-
-# --- Monitor mode tests ---
-# Restart Falco in monitor mode: rules evaluate and log, but all verdicts
-# resolve as allow. This verifies the broker's monitor mode branches.
-echo ""
-echo "=== Restarting Falco in monitor mode ==="
-start_falco monitor || exit 1
-echo "Falco running in monitor mode (PID=$FALCO_PID)"
-echo ""
-
-echo "=== Monitor: rm -rf resolves as allow ==="
-out=$(run_hook "$(make_input Bash '{"command":"rm -rf /"}' /tmp toolu_mon_rmrf)")
-assert_decision "$out" "allow" "monitor mode: rm -rf allowed (not enforced)"
-
-echo "=== Monitor: write to /etc/ resolves as allow ==="
-out=$(run_hook "$(make_input Write '{"file_path":"/etc/passwd","content":"x"}' /tmp toolu_mon_etc)")
-assert_decision "$out" "allow" "monitor mode: write /etc/ allowed (not enforced)"
-
-echo "=== Monitor: write outside cwd resolves as allow ==="
-out=$(run_hook "$(make_input Write '{"file_path":"/home/other/file.txt","content":"x"}' /tmp/myproject toolu_mon_outside)")
-assert_decision "$out" "allow" "monitor mode: write outside cwd allowed (not enforced)"
-
-echo "=== Monitor: safe command still allowed ==="
-out=$(run_hook "$(make_input Bash '{"command":"ls -la"}' /tmp toolu_mon_ls)")
-assert_decision "$out" "allow" "monitor mode: safe command allowed"
-
-# --- Results ---
-echo ""
-echo "================================"
-echo "E2E Results: $PASS passed, $FAIL failed"
-echo "================================"
-
-[[ "$FAIL" -eq 0 ]]
diff --git a/tests/test_installed_service_windows.ps1 b/tests/test_installed_service_windows.ps1
new file mode 100644
index 0000000..74d2d65
--- /dev/null
+++ b/tests/test_installed_service_windows.ps1
@@ -0,0 +1,179 @@
+#Requires -Version 5.1
+<#
+.SYNOPSIS
+    Integration test for the installed coding-agents-kit service on Windows.
+
+.DESCRIPTION
+    Tests the full installed pipeline: launcher → Falco → plugin → rules →
+    verdict → interceptor. Optionally tests with Claude Code if detected.
+
+    Requires: coding-agents-kit installed via MSI + postinstall.
+#>
+Set-StrictMode -Version Latest
+$ErrorActionPreference = 'Stop'
+
+$Prefix = Join-Path $env:LOCALAPPDATA 'coding-agents-kit'
+$Launcher = Join-Path $Prefix 'bin\coding-agents-kit-launcher.ps1'
+$Hook = Join-Path $Prefix 'bin\claude-interceptor.exe'
+$PASS = 0
+$FAIL = 0
+$launcherProc = $null
+
+function Cleanup {
+    if ($script:launcherProc -and -not $script:launcherProc.HasExited) {
+        & taskkill /F /T /PID $script:launcherProc.Id 2>$null
+    }
+    Start-Sleep -Milliseconds 500
+}
+
+function Assert-True([bool]$Condition, [string]$TestName) {
+    if ($Condition) {
+        Write-Host "  PASS: $TestName"
+        $script:PASS++
+    } else {
+        Write-Host "  FAIL: $TestName"
+        $script:FAIL++
+    }
+}
+
+function Run-Hook([string]$Json) {
+    $psi = New-Object System.Diagnostics.ProcessStartInfo
+    $psi.FileName = $Hook
+    $psi.UseShellExecute = $false
+    $psi.RedirectStandardInput = $true
+    $psi.RedirectStandardOutput = $true
+    $psi.RedirectStandardError = $true
+    # Do NOT set CODING_AGENTS_KIT_SOCKET — test the interceptor's default
+    # socket path discovery (%LOCALAPPDATA%/coding-agents-kit/run/broker.sock)
+    $psi.EnvironmentVariables['CODING_AGENTS_KIT_TIMEOUT_MS'] = '8000'
+    $proc = [System.Diagnostics.Process]::Start($psi)
+    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Json)
+    $proc.StandardInput.BaseStream.Write($bytes, 0, $bytes.Length)
+    $proc.StandardInput.BaseStream.Flush()
+    $proc.StandardInput.Dispose()
+    $so = $proc.StandardOutput.ReadToEndAsync()
+    [void]$proc.WaitForExit(10000)
+    return $so.GetAwaiter().GetResult()
+}
+
+# ---------------------------------------------------------------------------
+# Preflight
+# ---------------------------------------------------------------------------
+
+Write-Host "=== Preflight ==="
+$missing = @()
+foreach ($f in @($Launcher, $Hook, (Join-Path $Prefix 'bin\falco.exe'), (Join-Path $Prefix 'share\coding_agent.dll'), (Join-Path $Prefix 'config\falco.yaml'))) {
+    if (-not (Test-Path $f)) { $missing += (Split-Path $f -Leaf) }
+}
+if ($missing.Count -gt 0) {
+    Write-Error "coding-agents-kit not installed. Missing: $($missing -join ', ')"
+    exit 1
+}
+Write-Host "  Installation verified"
+
+# ---------------------------------------------------------------------------
+# Start service
+# ---------------------------------------------------------------------------
+
+Write-Host "`n=== Start service ==="
+Get-Process falco -ErrorAction SilentlyContinue | Stop-Process -Force
+Start-Sleep 1
+Remove-Item (Join-Path $Prefix 'run\broker.sock') -Force -ErrorAction SilentlyContinue
+
+$psi = New-Object System.Diagnostics.ProcessStartInfo
+$psi.FileName = 'powershell.exe'
+$psi.Arguments = "-NoProfile -ExecutionPolicy Bypass -File `"$Launcher`" -Prefix `"$Prefix`""
+$psi.UseShellExecute = $false
+$psi.CreateNoWindow = $true
+$launcherProc = [System.Diagnostics.Process]::Start($psi)
+
+$retries = 0
+$sockFile = Join-Path $Prefix 'run\broker.sock'
+while ($retries -lt 40) {
+    if (Test-Path $sockFile) { break }
+    Start-Sleep -Milliseconds 250
+    $retries++
+}
+
+Assert-True (Test-Path $sockFile) "broker socket created"
+Assert-True (-not $launcherProc.HasExited) "service running"
+
+if ($launcherProc.HasExited -or -not (Test-Path $sockFile)) {
+    Write-Host "FATAL: service did not start"
+    Cleanup
+    exit 1
+}
+
+Start-Sleep -Milliseconds 500
+
+# ---------------------------------------------------------------------------
+# Interceptor tests against installed service
+# ---------------------------------------------------------------------------
+
+Write-Host "`n=== Interceptor → installed service ==="
+
+$allowJson = '{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"echo hello"},"session_id":"installed-test","cwd":"C:\\Users\\test","tool_use_id":"inst_allow1"}'
+$out = Run-Hook $allowJson
+Assert-True ($out.Contains('"permissionDecision"')) "interceptor gets a verdict"
+# Default rules should allow safe commands
+Assert-True ($out.Contains('"permissionDecision":"allow"')) "safe command allowed"
+
+$readJson = '{"hook_event_name":"PreToolUse","tool_name":"Read","tool_input":{"file_path":"C:\\Users\\test\\readme.txt"},"session_id":"installed-test","cwd":"C:\\Users\\test","tool_use_id":"inst_read1"}'
+$out = Run-Hook $readJson
+Assert-True ($out.Contains('"permissionDecision":"allow"')) "read file allowed"
+
+$grepJson = '{"hook_event_name":"PreToolUse","tool_name":"Grep","tool_input":{"pattern":"test","path":"C:\\Users\\test"},"session_id":"installed-test","cwd":"C:\\Users\\test","tool_use_id":"inst_grep1"}'
+$out = Run-Hook $grepJson
+Assert-True ($out.Contains('"permissionDecision":"allow"')) "grep allowed"
+
+# ---------------------------------------------------------------------------
+# Claude Code integration (only if claude is installed)
+# ---------------------------------------------------------------------------
+
+$claudeExe = Get-Command 'claude' -ErrorAction SilentlyContinue
+if ($claudeExe) {
+    Write-Host "`n=== Claude Code integration ==="
+
+    # Check hook is registered
+    $settingsPath = Join-Path $env:USERPROFILE '.claude\settings.json'
+    if (Test-Path $settingsPath) {
+        $settings = Get-Content $settingsPath -Raw
+        Assert-True ($settings.Contains('claude-interceptor')) "hook registered in Claude Code settings"
+    } else {
+        Write-Host "  SKIP: no Claude Code settings.json found"
+    }
+
+    # Test: ask Claude to use a tool (Bash) via --print (non-interactive).
+    # This exercises the real hook path: Claude → PreToolUse hook → interceptor →
+    # broker → Falco → rules → verdict → response → Claude proceeds/blocks.
+    # "echo hello" forces the Bash tool, which triggers the hook.
+    Write-Host "  Testing Claude Code with real hook (this may take a moment)..."
+    $prevPref = $ErrorActionPreference
+    $ErrorActionPreference = 'Continue'
+    $claudeOut = & claude --print "Run this exact command and show me the output: echo hello_from_hook_test" 2>&1
+    $ErrorActionPreference = $prevPref
+    $claudeStr = ($claudeOut | Out-String).Trim()
+    if ($claudeStr.Contains('hello_from_hook_test')) {
+        Write-Host "  PASS: Claude Code ran Bash tool through hook pipeline"
+        $PASS++
+    } else {
+        Write-Host "  INFO: Claude Code response: $($claudeStr.Substring(0, [Math]::Min(200, $claudeStr.Length)))"
+        Write-Host "  (May fail if Claude Code requires auth or the model is unavailable)"
+    }
+} else {
+    Write-Host "`n=== Claude Code integration ==="
+    Write-Host "  SKIP: claude command not found (install Claude Code to enable)"
+}
+
+# ---------------------------------------------------------------------------
+# Cleanup
+# ---------------------------------------------------------------------------
+
+Write-Host "`n=== Cleanup ==="
+Cleanup
+
+Write-Host "`n================================"
+Write-Host "Results: $PASS passed, $FAIL failed"
+Write-Host "================================"
+
+exit $(if ($FAIL -eq 0) { 0 } else { 1 })
diff --git a/tests/test_interceptor.sh b/tests/test_interceptor.sh
deleted file mode 100755
index f042d36..0000000
--- a/tests/test_interceptor.sh
+++ /dev/null
@@ -1,172 +0,0 @@
-#!/usr/bin/env bash
-#
-# Integration tests for the interceptor.
-# Requires: python3, the built interceptor binary.
-#
-set -uo pipefail
-
-SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
-ROOT_DIR="$(cd -- "$SCRIPT_DIR/.." &>/dev/null && pwd)"
-# Allow overriding the hook binary via HOOK env var (for testing C vs Rust).
-HOOK="${HOOK:-${ROOT_DIR}/hooks/claude-code/target/release/claude-interceptor}"
-MOCK="${ROOT_DIR}/tests/mock_broker.py"
-
-if [[ ! -x "$HOOK" ]]; then
-    echo "ERROR: interceptor not found at $HOOK" >&2
-    echo "  Rust: cd hooks/claude-code && cargo build --release" >&2
-    echo "  C:    cd hooks && make linux" >&2
-    exit 1
-fi
-SOCK="/tmp/cak-test-$$.sock"
-PASS=0
-FAIL=0
-
-cleanup() {
-    rm -f "$SOCK"
-}
-trap cleanup EXIT
-
-# Start mock broker, wait for socket, run hook, collect output, stop broker.
-# Usage: result=$(run_test <mode> <stdin_json> [extra_env...])
-run_test() {
-    local mode="$1"
-    local input="$2"
-    shift 2
-
-    rm -f "$SOCK"
-    python3 "$MOCK" "$SOCK" "$mode" > /dev/null 2>&1 &
-    local pid=$!
-
-    # Wait for socket.
-    local i=0
-    while [[ ! -S "$SOCK" ]] && (( i < 20 )); do
-        sleep 0.1
-        ((i++))
-    done
-
-    local out
-    out=$(echo "$input" | env CODING_AGENTS_KIT_SOCKET="$SOCK" "$@" "$HOOK" 2>/dev/null) || true
-
-    kill "$pid" 2>/dev/null || true
-    wait "$pid" 2>/dev/null || true
-    rm -f "$SOCK"
-    echo "$out"
-}
-
-pass() {
-    echo "  PASS: $1"
-    ((PASS++)) || true
-}
-
-fail() {
-    echo "  FAIL: $1"
-    echo "    expected: $2"
-    echo "    got: $3"
-    ((FAIL++)) || true
-}
-
-assert_contains() {
-    if echo "$1" | grep -qF "$2"; then
-        pass "$3"
-    else
-        fail "$3" "contains '$2'" "$1"
-    fi
-}
-
-SAMPLE='{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"ls -la"},"session_id":"test-sess","cwd":"/tmp","tool_use_id":"toolu_test123"}'
-
-# ------------------------------------------------------------------
-echo "=== Allow verdict ==="
-out=$(run_test allow "$SAMPLE")
-assert_contains "$out" '"permissionDecision":"allow"' "allow verdict"
-
-echo "=== Deny verdict ==="
-out=$(run_test deny "$SAMPLE")
-assert_contains "$out" '"permissionDecision":"deny"' "deny verdict"
-assert_contains "$out" 'blocked by test rule' "deny reason"
-
-echo "=== Ask verdict ==="
-out=$(run_test ask "$SAMPLE")
-assert_contains "$out" '"permissionDecision":"ask"' "ask verdict"
-assert_contains "$out" 'requires confirmation' "ask reason"
-
-echo "=== Broker unreachable (fail-closed) ==="
-rm -f "$SOCK"
-out=$(echo "$SAMPLE" | env CODING_AGENTS_KIT_SOCKET="$SOCK" "$HOOK" 2>/dev/null) || true
-assert_contains "$out" '"permissionDecision":"deny"' "fail-closed deny"
-
-echo "=== Bad JSON response ==="
-out=$(run_test bad_json "$SAMPLE")
-assert_contains "$out" '"permissionDecision":"deny"' "bad_json deny"
-
-echo "=== Wrong ID response ==="
-out=$(run_test wrong_id "$SAMPLE")
-assert_contains "$out" '"permissionDecision":"deny"' "wrong_id deny"
-
-echo "=== Timeout ==="
-out=$(run_test "slow:3" "$SAMPLE" env CODING_AGENTS_KIT_TIMEOUT_MS=200)
-assert_contains "$out" '"permissionDecision":"deny"' "timeout deny"
-
-echo "=== Broker closes connection ==="
-out=$(run_test close "$SAMPLE")
-assert_contains "$out" '"permissionDecision":"deny"' "close deny"
-
-echo "=== Empty stdin ==="
-rc=0
-echo -n "" | "$HOOK" 2>/dev/null || rc=$?
-if [[ "$rc" -eq 2 ]]; then pass "empty stdin exit 2"; else fail "empty stdin exit 2" "exit 2" "exit $rc"; fi
-
-echo "=== Malformed JSON ==="
-rc=0
-echo 'not json' | "$HOOK" 2>/dev/null || rc=$?
-if [[ "$rc" -eq 2 ]]; then pass "malformed JSON exit 2"; else fail "malformed JSON exit 2" "exit 2" "exit $rc"; fi
-
-echo "=== Missing tool_name (valid JSON, no broker) ==="
-# Interceptor no longer validates tool_name — it passes through to broker.
-# With no broker running, this is a broker error → fail-closed deny.
-rm -f "$SOCK"
-out=$(echo '{"hook_event_name":"PreToolUse","tool_input":{}}' | env CODING_AGENTS_KIT_SOCKET="$SOCK" "$HOOK" 2>/dev/null) || true
-assert_contains "$out" '"permissionDecision":"deny"' "missing tool_name deny (no broker)"
-
-echo "=== Write tool path ==="
-write_input='{"hook_event_name":"PreToolUse","tool_name":"Write","tool_input":{"file_path":"/tmp/test.txt","content":"hello"},"session_id":"s1","cwd":"/tmp","tool_use_id":"t2"}'
-out=$(run_test allow "$write_input")
-assert_contains "$out" '"permissionDecision":"allow"' "write tool"
-
-echo "=== MCP tool ==="
-mcp_input='{"hook_event_name":"PreToolUse","tool_name":"mcp__github__create_issue","tool_input":{"title":"test"},"session_id":"s1","cwd":"/tmp","tool_use_id":"t3"}'
-out=$(run_test allow "$mcp_input")
-assert_contains "$out" '"permissionDecision":"allow"' "MCP tool"
-
-echo "=== Large tool_input ==="
-large_cmd=$(python3 -c "print('x' * 60000)")
-large_input="{\"hook_event_name\":\"PreToolUse\",\"tool_name\":\"Bash\",\"tool_input\":{\"command\":\"$large_cmd\"},\"session_id\":\"s1\",\"cwd\":\"/tmp\",\"tool_use_id\":\"t4\"}"
-out=$(run_test allow "$large_input")
-assert_contains "$out" '"permissionDecision":"allow"' "large input"
-
-echo "=== Nested key spoofing (find_key must only match root-level keys) ==="
-# tool_input contains a "tool_name" key that should NOT override the real top-level one.
-spoof_input='{"hook_event_name":"PreToolUse","tool_input":{"tool_name":"SPOOFED","command":"ls"},"tool_name":"Bash","session_id":"s1","cwd":"/tmp","tool_use_id":"t5"}'
-out=$(run_test allow "$spoof_input")
-assert_contains "$out" '"permissionDecision":"allow"' "nested key spoofing"
-
-echo "=== JSON escape in command ==="
-# Command contains a literal quote character (escaped in JSON as \").
-# Verify the hook doesn't crash and round-trips correctly.
-esc_input='{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"echo \"hello world\""},"session_id":"s1","cwd":"/tmp","tool_use_id":"t6"}'
-out=$(run_test allow "$esc_input")
-assert_contains "$out" '"permissionDecision":"allow"' "escaped command"
-
-echo "=== Path traversal normalization ==="
-# file_path with .. components should be normalized in the wire protocol.
-traversal_input='{"hook_event_name":"PreToolUse","tool_name":"Write","tool_input":{"file_path":"subdir/../../etc/shadow","content":"x"},"session_id":"s1","cwd":"/home/user","tool_use_id":"t7"}'
-out=$(run_test allow "$traversal_input")
-assert_contains "$out" '"permissionDecision":"allow"' "path traversal normalization"
-
-# ------------------------------------------------------------------
-echo ""
-echo "================================"
-echo "Results: $PASS passed, $FAIL failed"
-echo "================================"
-
-[[ "$FAIL" -eq 0 ]]
diff --git a/tests/tests/e2e.rs b/tests/tests/e2e.rs
new file mode 100644
index 0000000..9ea0f79
--- /dev/null
+++ b/tests/tests/e2e.rs
@@ -0,0 +1,481 @@
+use std::sync::OnceLock;
+
+use cak_tests::e2e::E2eHarness;
+use cak_tests::interceptor::{assert_decision, assert_reason_contains};
+
+static HARNESS: OnceLock<Option<E2eHarness>> = OnceLock::new();
+
+fn harness() -> &'static E2eHarness {
+    let opt = HARNESS.get_or_init(|| E2eHarness::start("enforcement"));
+    opt.as_ref().expect("falco + plugin required for e2e tests (set FALCO env var)")
+}
+
+/// Returns true if Falco is available. Tests call this to skip gracefully.
+fn falco_available() -> bool {
+    HARNESS
+        .get_or_init(|| E2eHarness::start("enforcement"))
+        .is_some()
+}
+
+macro_rules! require_falco {
+    () => {
+        if !falco_available() {
+            eprintln!("SKIP: falco or plugin not available");
+            return;
+        }
+    };
+}
+
+fn cwd() -> &'static str {
+    if cfg!(windows) {
+        "C:/Users/test/project"
+    } else {
+        "/tmp/myproject"
+    }
+}
+
+// --- Deny: dangerous shell commands ---
+
+#[test]
+fn deny_rm_rf() {
+    require_falco!();
+    let h = harness();
+    let input = E2eHarness::make_input("Bash", r#"{"command":"rm -rf /"}"#, cwd(), "e2e-rm1");
+    let r = h.run_hook(&input);
+    assert_decision(&r, "deny");
+    assert_reason_contains(&r, "Deny rm -rf");
+}
+
+#[test]
+fn deny_rm_rf_variant() {
+    require_falco!();
+    let h = harness();
+    let input = E2eHarness::make_input(
+        "Bash",
+        r#"{"command":"sudo rm -rf /home"}"#,
+        cwd(),
+        "e2e-rm2",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "deny");
+}
+
+#[test]
+fn allow_safe_command() {
+    require_falco!();
+    let h = harness();
+    let input = E2eHarness::make_input("Bash", r#"{"command":"ls -la"}"#, cwd(), "e2e-ls");
+    let r = h.run_hook(&input);
+    assert_decision(&r, "allow");
+}
+
+#[test]
+fn allow_echo_command() {
+    require_falco!();
+    let h = harness();
+    let input = E2eHarness::make_input("Bash", r#"{"command":"echo hello"}"#, cwd(), "e2e-echo");
+    let r = h.run_hook(&input);
+    assert_decision(&r, "allow");
+}
+
+// --- Deny: writes to sensitive paths ---
+
+#[test]
+fn deny_write_to_sensitive() {
+    require_falco!();
+    let h = harness();
+    let path = if cfg!(windows) {
+        "C:/Windows/system32/drivers/etc/hosts"
+    } else {
+        "/etc/passwd"
+    };
+    let input = E2eHarness::make_input(
+        "Write",
+        &format!(r#"{{"file_path":"{}","content":"x"}}"#, path),
+        cwd(),
+        "e2e-wsen",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "deny");
+    assert_reason_contains(&r, "Deny writes to sensitive paths");
+}
+
+// --- Ask: writes outside cwd ---
+
+#[test]
+fn ask_write_outside_cwd() {
+    require_falco!();
+    let h = harness();
+    let path = if cfg!(windows) {
+        "C:/Users/other/file.txt"
+    } else {
+        "/home/other/file.txt"
+    };
+    let input = E2eHarness::make_input(
+        "Write",
+        &format!(r#"{{"file_path":"{}","content":"x"}}"#, path),
+        cwd(),
+        "e2e-wout",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "ask");
+    assert_reason_contains(&r, "Ask write outside cwd");
+}
+
+// --- Allow: writes inside cwd ---
+
+#[test]
+fn allow_write_inside_cwd() {
+    require_falco!();
+    let h = harness();
+    let path = if cfg!(windows) {
+        "C:/Users/test/project/file.txt"
+    } else {
+        "/tmp/myproject/file.txt"
+    };
+    let input = E2eHarness::make_input(
+        "Write",
+        &format!(r#"{{"file_path":"{}","content":"x"}}"#, path),
+        cwd(),
+        "e2e-win",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "allow");
+}
+
+// --- Read tool ---
+
+#[test]
+fn allow_read_tool() {
+    require_falco!();
+    let h = harness();
+    let path = if cfg!(windows) {
+        "C:/Users/test/project/readme.txt"
+    } else {
+        "/tmp/myproject/readme.txt"
+    };
+    let input = E2eHarness::make_input(
+        "Read",
+        &format!(r#"{{"file_path":"{}"}}"#, path),
+        cwd(),
+        "e2e-read",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "allow");
+}
+
+#[test]
+fn deny_read_sensitive_path() {
+    require_falco!();
+    let h = harness();
+    let path = if cfg!(windows) {
+        "C:/Windows/System32/config/SAM"
+    } else {
+        "/etc/shadow"
+    };
+    let input = E2eHarness::make_input(
+        "Read",
+        &format!(r#"{{"file_path":"{}"}}"#, path),
+        cwd(),
+        "e2e-rsen",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "deny");
+}
+
+#[test]
+fn deny_read_ssh_key() {
+    require_falco!();
+    let h = harness();
+    let path = if cfg!(windows) {
+        "C:/Users/test/.ssh/id_rsa"
+    } else {
+        "/home/user/.ssh/id_rsa"
+    };
+    let input = E2eHarness::make_input(
+        "Read",
+        &format!(r#"{{"file_path":"{}"}}"#, path),
+        cwd(),
+        "e2e-rssh",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "deny");
+}
+
+#[test]
+fn allow_read_safe_file() {
+    require_falco!();
+    let h = harness();
+    let path = if cfg!(windows) {
+        "C:/Users/test/project/data.txt"
+    } else {
+        "/tmp/myproject/data.txt"
+    };
+    let input = E2eHarness::make_input(
+        "Read",
+        &format!(r#"{{"file_path":"{}"}}"#, path),
+        cwd(),
+        "e2e-rsafe",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "allow");
+}
+
+// --- Append output / correlation ---
+
+#[test]
+fn deny_has_append_output() {
+    require_falco!();
+    let h = harness();
+    let input = E2eHarness::make_input(
+        "Bash",
+        r#"{"command":"rm -rf /tmp/nuke"}"#,
+        cwd(),
+        "e2e-append",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "deny");
+    assert_reason_contains(&r, "correlation=");
+}
+
+// --- Verdict escalation ---
+
+#[test]
+fn deny_wins_over_ask() {
+    require_falco!();
+    let h = harness();
+    // Write to sensitive path from different cwd → both deny and ask rules match.
+    // Deny should win.
+    let path = if cfg!(windows) {
+        "C:/Windows/system.ini"
+    } else {
+        "/etc/hosts"
+    };
+    let input = E2eHarness::make_input(
+        "Write",
+        &format!(r#"{{"file_path":"{}","content":"x"}}"#, path),
+        cwd(),
+        "e2e-esc",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "deny");
+}
+
+// --- Edit tool ---
+
+#[test]
+fn deny_edit_sensitive() {
+    require_falco!();
+    let h = harness();
+    let path = if cfg!(windows) {
+        "C:/Windows/win.ini"
+    } else {
+        "/etc/passwd"
+    };
+    let input = E2eHarness::make_input(
+        "Edit",
+        &format!(r#"{{"file_path":"{}","old_string":"a","new_string":"b"}}"#, path),
+        cwd(),
+        "e2e-edsen",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "deny");
+}
+
+#[test]
+fn ask_edit_outside_cwd() {
+    require_falco!();
+    let h = harness();
+    let path = if cfg!(windows) {
+        "C:/Users/other/file.txt"
+    } else {
+        "/home/other/file.txt"
+    };
+    let input = E2eHarness::make_input(
+        "Edit",
+        &format!(r#"{{"file_path":"{}","old_string":"a","new_string":"b"}}"#, path),
+        cwd(),
+        "e2e-edout",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "ask");
+}
+
+#[test]
+fn allow_edit_inside_cwd() {
+    require_falco!();
+    let h = harness();
+    let path = if cfg!(windows) {
+        "C:/Users/test/project/file.txt"
+    } else {
+        "/tmp/myproject/file.txt"
+    };
+    let input = E2eHarness::make_input(
+        "Edit",
+        &format!(r#"{{"file_path":"{}","old_string":"a","new_string":"b"}}"#, path),
+        cwd(),
+        "e2e-edin",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "allow");
+}
+
+// --- Sensitive dotfiles ---
+
+#[test]
+fn deny_write_ssh() {
+    require_falco!();
+    let h = harness();
+    let path = if cfg!(windows) {
+        "C:/Users/test/.ssh/authorized_keys"
+    } else {
+        "/home/user/.ssh/authorized_keys"
+    };
+    let input = E2eHarness::make_input(
+        "Write",
+        &format!(r#"{{"file_path":"{}","content":"x"}}"#, path),
+        cwd(),
+        "e2e-wssh",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "deny");
+}
+
+#[cfg(not(windows))]
+#[test]
+fn deny_read_aws_credentials() {
+    require_falco!();
+    let h = harness();
+    let input = E2eHarness::make_input(
+        "Read",
+        r#"{"file_path":"/home/user/.aws/credentials"}"#,
+        cwd(),
+        "e2e-raws",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "deny");
+}
+
+// --- Bash edge cases ---
+
+#[test]
+fn allow_rm_without_rf() {
+    require_falco!();
+    let h = harness();
+    let input = E2eHarness::make_input("Bash", r#"{"command":"rm file.txt"}"#, cwd(), "e2e-rm3");
+    let r = h.run_hook(&input);
+    assert_decision(&r, "allow");
+}
+
+#[test]
+fn deny_rm_rf_in_chain() {
+    require_falco!();
+    let h = harness();
+    let input = E2eHarness::make_input(
+        "Bash",
+        r#"{"command":"echo yes && rm -rf /tmp/target"}"#,
+        cwd(),
+        "e2e-rm4",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "deny");
+}
+
+// --- Other tools (no matching rules → allow) ---
+
+#[test]
+fn allow_agent_tool() {
+    require_falco!();
+    let h = harness();
+    let input = E2eHarness::make_input("Agent", r#"{"prompt":"help me"}"#, cwd(), "e2e-agent");
+    let r = h.run_hook(&input);
+    assert_decision(&r, "allow");
+}
+
+#[test]
+fn allow_glob_tool() {
+    require_falco!();
+    let h = harness();
+    let input =
+        E2eHarness::make_input("Glob", r#"{"pattern":"**/*.rs"}"#, cwd(), "e2e-glob");
+    let r = h.run_hook(&input);
+    assert_decision(&r, "allow");
+}
+
+#[test]
+fn allow_websearch_tool() {
+    require_falco!();
+    let h = harness();
+    let input =
+        E2eHarness::make_input("WebSearch", r#"{"query":"rust test"}"#, cwd(), "e2e-web");
+    let r = h.run_hook(&input);
+    assert_decision(&r, "allow");
+}
+
+// --- Path traversal ---
+
+#[test]
+#[cfg(not(windows))]
+fn deny_path_traversal_to_sensitive() {
+    require_falco!();
+    let h = harness();
+    let input = E2eHarness::make_input(
+        "Write",
+        r#"{"file_path":"/tmp/myproject/../../etc/passwd","content":"x"}"#,
+        cwd(),
+        "e2e-trav",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "deny");
+}
+
+#[test]
+fn allow_relative_path_inside_cwd() {
+    require_falco!();
+    let h = harness();
+    let input = E2eHarness::make_input(
+        "Write",
+        r#"{"file_path":"src/main.rs","content":"x"}"#,
+        cwd(),
+        "e2e-rel",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "allow");
+}
+
+// --- Monitor-only rule (NOTICE priority, no deny/ask tag) ---
+
+#[test]
+fn monitor_rule_does_not_block() {
+    require_falco!();
+    let h = harness();
+    let path = if cfg!(windows) {
+        "C:/Users/other/data.txt"
+    } else {
+        "/tmp/other/data.txt"
+    };
+    let input = E2eHarness::make_input(
+        "Read",
+        &format!(r#"{{"file_path":"{}"}}"#, path),
+        cwd(),
+        "e2e-mon",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "allow");
+}
+
+// --- MCP tool ---
+
+#[test]
+fn allow_mcp_with_server_name() {
+    require_falco!();
+    let h = harness();
+    let input = E2eHarness::make_input(
+        "mcp__ide__getDiagnostics",
+        r#"{"uri":"file:///tmp/test.rs"}"#,
+        cwd(),
+        "e2e-mcp2",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "allow");
+}
diff --git a/tests/tests/e2e_monitor.rs b/tests/tests/e2e_monitor.rs
new file mode 100644
index 0000000..8b94358
--- /dev/null
+++ b/tests/tests/e2e_monitor.rs
@@ -0,0 +1,88 @@
+use std::sync::OnceLock;
+
+use cak_tests::e2e::E2eHarness;
+use cak_tests::interceptor::assert_decision;
+
+static HARNESS: OnceLock<Option<E2eHarness>> = OnceLock::new();
+
+fn harness() -> &'static E2eHarness {
+    let opt = HARNESS.get_or_init(|| E2eHarness::start("monitor"));
+    opt.as_ref().expect("falco + plugin required for e2e monitor tests")
+}
+
+fn falco_available() -> bool {
+    HARNESS.get_or_init(|| E2eHarness::start("monitor")).is_some()
+}
+
+macro_rules! require_falco {
+    () => {
+        if !falco_available() {
+            eprintln!("SKIP: falco or plugin not available");
+            return;
+        }
+    };
+}
+
+fn cwd() -> &'static str {
+    if cfg!(windows) {
+        "C:/Users/test/project"
+    } else {
+        "/tmp/myproject"
+    }
+}
+
+#[test]
+fn monitor_rm_rf_allowed() {
+    require_falco!();
+    let h = harness();
+    let input = E2eHarness::make_input("Bash", r#"{"command":"rm -rf /"}"#, cwd(), "mon-rm");
+    let r = h.run_hook(&input);
+    assert_decision(&r, "allow");
+}
+
+#[test]
+fn monitor_write_sensitive_allowed() {
+    require_falco!();
+    let h = harness();
+    let path = if cfg!(windows) {
+        "C:/Windows/system.ini"
+    } else {
+        "/etc/passwd"
+    };
+    let input = E2eHarness::make_input(
+        "Write",
+        &format!(r#"{{"file_path":"{}","content":"x"}}"#, path),
+        cwd(),
+        "mon-wsen",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "allow");
+}
+
+#[test]
+fn monitor_write_outside_cwd_allowed() {
+    require_falco!();
+    let h = harness();
+    let path = if cfg!(windows) {
+        "C:/Users/other/file.txt"
+    } else {
+        "/home/other/file.txt"
+    };
+    let input = E2eHarness::make_input(
+        "Write",
+        &format!(r#"{{"file_path":"{}","content":"x"}}"#, path),
+        cwd(),
+        "mon-wout",
+    );
+    let r = h.run_hook(&input);
+    assert_decision(&r, "allow");
+}
+
+#[test]
+fn monitor_safe_command_allowed() {
+    require_falco!();
+    let h = harness();
+    let input = E2eHarness::make_input("Bash", r#"{"command":"ls -la"}"#, cwd(), "mon-ls");
+    let r = h.run_hook(&input);
+    assert_decision(&r, "allow");
+}
diff --git a/tests/tests/interceptor.rs b/tests/tests/interceptor.rs
new file mode 100644
index 0000000..8606f08
--- /dev/null
+++ b/tests/tests/interceptor.rs
@@ -0,0 +1,141 @@
+use std::time::Duration;
+
+use cak_tests::interceptor::{
+    assert_decision, assert_reason_contains, run_interceptor, run_with_mock,
+};
+use cak_tests::mock_broker::{self, MockMode};
+
+const SAMPLE: &str = r#"{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"ls -la"},"session_id":"test-sess","cwd":"/tmp","tool_use_id":"toolu_test123"}"#;
+
+#[test]
+fn allow_verdict() {
+    let r = run_with_mock(MockMode::Allow, SAMPLE, "allow");
+    assert_decision(&r, "allow");
+}
+
+#[test]
+fn deny_verdict() {
+    let r = run_with_mock(MockMode::Deny, SAMPLE, "deny");
+    assert_decision(&r, "deny");
+    assert_reason_contains(&r, "blocked by test rule");
+}
+
+#[test]
+fn ask_verdict() {
+    let r = run_with_mock(MockMode::Ask, SAMPLE, "ask");
+    assert_decision(&r, "ask");
+    assert_reason_contains(&r, "requires confirmation");
+}
+
+#[test]
+fn broker_unreachable_fail_closed() {
+    let sock = mock_broker::temp_socket_path("unreachable");
+    // No broker started — socket doesn't exist.
+    let r = run_interceptor(SAMPLE, &sock.to_string_lossy(), &[]);
+    assert_decision(&r, "deny");
+}
+
+#[test]
+fn bad_json_response() {
+    let r = run_with_mock(MockMode::BadJson, SAMPLE, "badjson");
+    assert_decision(&r, "deny");
+}
+
+#[test]
+fn wrong_id_response() {
+    let r = run_with_mock(MockMode::WrongId, SAMPLE, "wrongid");
+    assert_decision(&r, "deny");
+}
+
+#[test]
+fn timeout() {
+    let sock = mock_broker::temp_socket_path("timeout");
+    let broker = mock_broker::MockBroker::start(&sock, MockMode::Slow(Duration::from_secs(3)));
+    let r = run_interceptor(
+        SAMPLE,
+        &sock.to_string_lossy(),
+        &[("CODING_AGENTS_KIT_TIMEOUT_MS", "200")],
+    );
+    assert_decision(&r, "deny");
+    drop(broker);
+}
+
+#[test]
+fn broker_closes_connection() {
+    let r = run_with_mock(MockMode::Close, SAMPLE, "close");
+    assert_decision(&r, "deny");
+}
+
+#[test]
+fn empty_stdin() {
+    let sock = mock_broker::temp_socket_path("empty");
+    let r = run_interceptor("", &sock.to_string_lossy(), &[]);
+    assert_eq!(r.exit_code, 2, "expected exit 2 for empty stdin, got {}", r.exit_code);
+}
+
+#[test]
+fn malformed_json() {
+    let sock = mock_broker::temp_socket_path("malformed");
+    let r = run_interceptor("not json", &sock.to_string_lossy(), &[]);
+    assert_eq!(r.exit_code, 2, "expected exit 2 for malformed JSON, got {}", r.exit_code);
+}
+
+#[test]
+fn missing_tool_name_no_broker() {
+    let sock = mock_broker::temp_socket_path("notool");
+    // Valid JSON but no tool_name — interceptor proceeds but broker unreachable → deny.
+    let r = run_interceptor(
+        r#"{"hook_event_name":"PreToolUse","tool_input":{}}"#,
+        &sock.to_string_lossy(),
+        &[],
+    );
+    assert_decision(&r, "deny");
+}
+
+#[test]
+fn write_tool_path() {
+    let input = r#"{"hook_event_name":"PreToolUse","tool_name":"Write","tool_input":{"file_path":"/tmp/file.txt","content":"hello"},"session_id":"s1","cwd":"/tmp","tool_use_id":"t2"}"#;
+    let r = run_with_mock(MockMode::Allow, input, "write");
+    assert_decision(&r, "allow");
+}
+
+#[test]
+fn mcp_tool() {
+    let input = r#"{"hook_event_name":"PreToolUse","tool_name":"mcp__github__create_issue","tool_input":{"title":"test"},"session_id":"s1","cwd":"/tmp","tool_use_id":"t3"}"#;
+    let r = run_with_mock(MockMode::Allow, input, "mcp");
+    assert_decision(&r, "allow");
+}
+
+#[test]
+fn large_tool_input() {
+    let large_cmd = "x".repeat(60000);
+    let input = format!(
+        r#"{{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{{"command":"{}"}},"session_id":"s1","cwd":"/tmp","tool_use_id":"t4"}}"#,
+        large_cmd
+    );
+    let r = run_with_mock(MockMode::Allow, &input, "large");
+    assert_decision(&r, "allow");
+}
+
+#[test]
+fn nested_key_spoofing() {
+    // tool_name at the top level should win; a nested tool_name should not be extracted.
+    let input = r#"{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"ls","nested":{"tool_name":"SPOOFED"}},"session_id":"s1","cwd":"/tmp","tool_use_id":"t5"}"#;
+    let r = run_with_mock(MockMode::Allow, input, "spoof");
+    assert_decision(&r, "allow");
+}
+
+#[test]
+fn json_escape_in_command() {
+    let input = r#"{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"echo \"hello world\""},"session_id":"s1","cwd":"/tmp","tool_use_id":"t6"}"#;
+    let r = run_with_mock(MockMode::Allow, input, "escape");
+    assert_decision(&r, "allow");
+}
+
+#[test]
+fn path_traversal_normalization() {
+    // The interceptor should pass this through; normalization happens in the plugin.
+    let input = r#"{"hook_event_name":"PreToolUse","tool_name":"Write","tool_input":{"file_path":"/tmp/myproject/../../etc/passwd","content":"x"},"session_id":"s1","cwd":"/tmp/myproject","tool_use_id":"t7"}"#;
+    let r = run_with_mock(MockMode::Allow, input, "traversal");
+    assert_decision(&r, "allow");
+}
diff --git a/tools/coding-agents-kit-ctl/src/main.rs b/tools/coding-agents-kit-ctl/src/main.rs
index d1e612f..a9c7974 100644
--- a/tools/coding-agents-kit-ctl/src/main.rs
+++ b/tools/coding-agents-kit-ctl/src/main.rs
@@ -6,9 +6,29 @@ use std::process::{self, Command};
 #[cfg(target_os = "linux")]
 const SERVICE_NAME: &str = "coding-agents-kit";
 
+fn home_dir() -> String {
+    #[cfg(unix)]
+    {
+        env::var("HOME").unwrap_or_else(|_| "/tmp".to_string())
+    }
+    #[cfg(windows)]
+    {
+        env::var("LOCALAPPDATA").unwrap_or_else(|_| {
+            env::var("USERPROFILE").unwrap_or_else(|_| "C:\\".to_string())
+        })
+    }
+}
+
 fn default_prefix() -> PathBuf {
-    let home = env::var("HOME").unwrap_or_else(|_| "/tmp".to_string());
-    PathBuf::from(home).join(".coding-agents-kit")
+    #[cfg(unix)]
+    {
+        PathBuf::from(home_dir()).join(".coding-agents-kit")
+    }
+    #[cfg(windows)]
+    {
+        // MSI installs to %LOCALAPPDATA%\coding-agents-kit (no leading dot)
+        PathBuf::from(home_dir()).join("coding-agents-kit")
+    }
 }
 
 fn plugin_config_path(prefix: &PathBuf) -> PathBuf {
@@ -16,19 +36,35 @@ fn plugin_config_path(prefix: &PathBuf) -> PathBuf {
 }
 
 fn claude_settings_path() -> PathBuf {
-    let home = env::var("HOME").unwrap_or_else(|_| "/tmp".to_string());
-    PathBuf::from(home).join(".claude/settings.json")
+    #[cfg(unix)]
+    {
+        PathBuf::from(home_dir()).join(".claude/settings.json")
+    }
+    #[cfg(windows)]
+    {
+        let home = env::var("USERPROFILE").unwrap_or_else(|_| "C:\\".to_string());
+        PathBuf::from(home).join(".claude/settings.json")
+    }
 }
 
 fn interceptor_command(prefix: &PathBuf) -> String {
-    let home = env::var("HOME").unwrap_or_default();
     let prefix_str = prefix.to_string_lossy();
-    let default = format!("{home}/.coding-agents-kit");
-    if prefix_str == default {
-        // Use $HOME for portability in settings.json.
-        "$HOME/.coding-agents-kit/bin/claude-interceptor".to_string()
-    } else {
-        format!("{}/bin/claude-interceptor", prefix_str)
+    #[cfg(unix)]
+    {
+        let home = env::var("HOME").unwrap_or_default();
+        let default = format!("{home}/.coding-agents-kit");
+        if prefix_str == default {
+            // Use $HOME for portability in settings.json.
+            "$HOME/.coding-agents-kit/bin/claude-interceptor".to_string()
+        } else {
+            format!("{}/bin/claude-interceptor", prefix_str)
+        }
+    }
+    #[cfg(windows)]
+    {
+        // Use forward slashes — Claude Code runs hooks via /usr/bin/bash
+        // (Git Bash) which strips backslashes as escape characters.
+        format!("{}/bin/claude-interceptor.exe", prefix_str.replace('\\', "/"))
     }
 }
 
@@ -455,6 +491,133 @@ fn service_status() {
     }
 }
 
+// ---------------------------------------------------------------------------
+// Windows service management
+// ---------------------------------------------------------------------------
+
+#[cfg(target_os = "windows")]
+const RUN_KEY: &str = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run";
+#[cfg(target_os = "windows")]
+const RUN_VALUE_NAME: &str = "CodingAgentsKit";
+
+#[cfg(target_os = "windows")]
+fn is_falco_running() -> bool {
+    Command::new("tasklist")
+        .args(["/FI", "IMAGENAME eq falco.exe", "/NH"])
+        .output()
+        .map(|o| String::from_utf8_lossy(&o.stdout).contains("falco.exe"))
+        .unwrap_or(false)
+}
+
+#[cfg(target_os = "windows")]
+fn service_start() {
+    if is_falco_running() {
+        println!("Service already running.");
+        return;
+    }
+    let prefix = default_prefix();
+    let launcher = prefix.join("bin").join("coding-agents-kit-launcher.ps1");
+    if !launcher.exists() {
+        eprintln!("Launcher not found: {}", launcher.display());
+        eprintln!("Is coding-agents-kit installed?");
+        process::exit(1);
+    }
+    let ok = Command::new("powershell")
+        .args([
+            "-NoProfile",
+            "-ExecutionPolicy",
+            "Bypass",
+            "-WindowStyle",
+            "Hidden",
+            "-File",
+            &launcher.to_string_lossy(),
+        ])
+        .spawn()
+        .is_ok();
+    if !ok {
+        eprintln!("Failed to start service.");
+        process::exit(1);
+    }
+    // Poll briefly to verify Falco actually started.
+    let mut started = false;
+    for _ in 0..6 {
+        std::thread::sleep(std::time::Duration::from_millis(500));
+        if is_falco_running() {
+            started = true;
+            break;
+        }
+    }
+    if started {
+        println!("Service started.");
+    } else {
+        println!("Service starting (Falco not yet detected \u{2014} check logs).");
+    }
+}
+
+#[cfg(target_os = "windows")]
+fn service_stop() {
+    if !is_falco_running() {
+        println!("Service not running.");
+        return;
+    }
+    let ok = Command::new("taskkill")
+        .args(["/F", "/IM", "falco.exe"])
+        .status()
+        .map(|s| s.success())
+        .unwrap_or(false);
+    if ok {
+        println!("Service stopped.");
+        warn_hook_still_registered();
+    } else {
+        eprintln!("Failed to stop service.");
+        process::exit(1);
+    }
+}
+
+#[cfg(target_os = "windows")]
+fn service_enable() {
+    let prefix = default_prefix();
+    let launcher = prefix.join("bin").join("coding-agents-kit-launcher.ps1");
+    let cmd = format!(
+        "powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File \"{}\"",
+        launcher.display()
+    );
+    let ok = Command::new("reg")
+        .args(["add", RUN_KEY, "/v", RUN_VALUE_NAME, "/t", "REG_SZ", "/d", &cmd, "/f"])
+        .status()
+        .map(|s| s.success())
+        .unwrap_or(false);
+    if ok {
+        println!("Service enabled (auto-start on login).");
+    } else {
+        eprintln!("Failed to enable service.");
+        process::exit(1);
+    }
+}
+
+#[cfg(target_os = "windows")]
+fn service_disable() {
+    let ok = Command::new("reg")
+        .args(["delete", RUN_KEY, "/v", RUN_VALUE_NAME, "/f"])
+        .status()
+        .map(|s| s.success())
+        .unwrap_or(false);
+    if ok {
+        println!("Service disabled.");
+    } else {
+        eprintln!("Failed to disable service (may not have been enabled).");
+    }
+}
+
+#[cfg(target_os = "windows")]
+fn service_status() {
+    if is_falco_running() {
+        println!("Service running.");
+    } else {
+        println!("Service not running.");
+    }
+}
+
 // ---------------------------------------------------------------------------
 // Uninstall
 // ---------------------------------------------------------------------------
@@ -497,6 +660,22 @@ fn uninstall(prefix: &PathBuf, keep_user_rules: bool) {
             let _ = fs::remove_file(&plist);
         }
     }
+    #[cfg(target_os = "windows")]
+    {
+        // Stop Falco if running.
+        if is_falco_running() {
+            println!("Stopping service...");
+            let _ = Command::new("taskkill")
+                .args(["/F", "/IM", "falco.exe"])
+                .status();
+        }
+        // Remove auto-start registry key.
+        let _ = Command::new("reg")
+            .args(["delete", RUN_KEY, "/v", RUN_VALUE_NAME, "/f"])
+            .status();
+        // Remove hook.
+        hook_remove();
+    }
 
     // 2. Remove the hook (safety net).
     // The service's ExecStopPost (Linux) or launcher trap (macOS) should have
@@ -546,8 +725,24 @@ fn uninstall(prefix: &PathBuf, keep_user_rules: bool) {
 // ---------------------------------------------------------------------------
 
 fn health(prefix: &PathBuf) {
+    #[cfg(unix)]
     let interceptor = prefix.join("bin/claude-interceptor");
-    let socket = prefix.join("run/broker.sock");
+    #[cfg(windows)]
+    let interceptor = prefix.join("bin/claude-interceptor.exe");
+
+    // Socket path must use forward slashes on Windows — AF_UNIX treats the path
+    // as an opaque address, so it must match exactly what the plugin binds to.
+    let socket = {
+        let raw = prefix.join("run/broker.sock");
+        #[cfg(windows)]
+        {
+            std::path::PathBuf::from(raw.to_string_lossy().replace('\\', "/"))
+        }
+        #[cfg(unix)]
+        {
+            raw
+        }
+    };
 
     // Check interceptor binary exists.
     if !interceptor.exists() {
@@ -585,25 +780,56 @@ fn health(prefix: &PathBuf) {
     match output {
         Ok(out) if out.status.success() => {
             let stdout = String::from_utf8_lossy(&out.stdout);
-            if stdout.contains("\"permissionDecision\"") {
-                // Parse to show a cleaner message.
-                if stdout.contains("\"allow\"") {
-                    println!("OK: pipeline healthy (synthetic event → allow)");
-                } else if stdout.contains("\"deny\"") {
-                    println!("OK: pipeline healthy (synthetic event → deny)");
-                    println!("  Note: a deny rule matched the health-check event.");
-                    println!("  This is expected if you have rules matching Bash commands.");
-                } else if stdout.contains("\"ask\"") {
-                    println!("OK: pipeline healthy (synthetic event → ask)");
-                } else {
-                    println!("OK: pipeline responded (unexpected verdict)");
-                    println!("  Response: {}", stdout.trim());
+            let parsed: serde_json::Value = match serde_json::from_str(stdout.trim()) {
+                Ok(v) => v,
+                Err(_) => {
+                    eprintln!("FAIL: interceptor returned malformed JSON");
+                    eprintln!("  Output: {}", stdout.trim());
+                    process::exit(1);
                 }
-            } else {
+            };
+
+            let decision = parsed
+                .pointer("/hookSpecificOutput/permissionDecision")
+                .and_then(|v| v.as_str())
+                .unwrap_or("");
+            let reason = parsed
+                .pointer("/hookSpecificOutput/permissionDecisionReason")
+                .and_then(|v| v.as_str())
+                .unwrap_or("");
+
+            if decision.is_empty() {
                 eprintln!("FAIL: interceptor returned unexpected output");
                 eprintln!("  Output: {}", stdout.trim());
                 process::exit(1);
             }
+
+            // Denies caused by infrastructure failure (not real security rules)
+            // indicate a broken pipeline. Detect both forms of broker failure:
+            // - "broker response timeout": socket connected but no verdict arrived
+            // - "broker unavailable": connection refused (service not running)
+            if decision == "deny"
+                && (reason.contains("broker response timeout")
+                    || reason.contains("broker unavailable"))
+            {
+                eprintln!("FAIL: broker unreachable or timed out while waiting for verdict");
+                eprintln!("  Reason: {}", reason);
+                process::exit(1);
+            }
+
+            // Parse to show a cleaner message.
+            if decision == "allow" {
+                println!("OK: pipeline healthy (synthetic event → allow)");
+            } else if decision == "deny" {
+                println!("OK: pipeline healthy (synthetic event → deny)");
+                println!("  Note: a deny rule matched the health-check event.");
+                println!("  This is expected if you have rules matching Bash commands.");
+            } else if decision == "ask" {
+                println!("OK: pipeline healthy (synthetic event → ask)");
+            } else {
+                println!("OK: pipeline responded (unexpected verdict)");
+                println!("  Response: {}", stdout.trim());
+            }
         }
         Ok(out) => {
             eprintln!("FAIL: interceptor exited with code {}", out.status);
@@ -632,9 +858,18 @@ fn logs(prefix: &PathBuf, stderr: bool) {
         eprintln!("Is the service running?");
         process::exit(1);
     }
+    #[cfg(unix)]
     let status = Command::new("tail")
         .args(["-f", &path.to_string_lossy()])
         .status();
+    #[cfg(windows)]
+    let status = Command::new("powershell")
+        .args([
+            "-NoProfile",
+            "-Command",
+            &format!("Get-Content -Path '{}' -Wait -Tail 50", path.display()),
+        ])
+        .status();
     if let Err(e) = status {
         eprintln!("Failed to tail log: {e}");
         process::exit(1);