@rafter-security/cli 0.1.0 → 0.4.1

package/dist/commands/agent/audit-skill.js

@@ -0,0 +1,199 @@
+import { Command } from "commander";
+import fs from "fs";
+import path from "path";
+import { PatternEngine } from "../../core/pattern-engine.js";
+import { DEFAULT_SECRET_PATTERNS } from "../../scanners/secret-patterns.js";
+import { SkillManager } from "../../utils/skill-manager.js";
+export function createAuditSkillCommand() {
+    return new Command("audit-skill")
+        .description("Security audit of a Claude Code skill file")
+        .argument("<skill-path>", "Path to skill file to audit")
+        .option("--skip-openclaw", "Skip OpenClaw integration, show manual review prompt")
+        .option("--json", "Output results as JSON")
+        .action(async (skillPath, opts) => {
+        await auditSkill(skillPath, opts);
+    });
+}
+async function auditSkill(skillPath, opts) {
+    // Validate skill file exists
+    if (!fs.existsSync(skillPath)) {
+        console.error(`Error: Skill file not found: ${skillPath}`);
+        process.exit(1);
+    }
+    const absolutePath = path.resolve(skillPath);
+    const skillContent = fs.readFileSync(absolutePath, "utf-8");
+    const skillName = path.basename(absolutePath);
+    // Run deterministic analysis
+    if (!opts.json) {
+        console.log(`\n🔍 Auditing skill: ${skillName}\n`);
+        console.log("═".repeat(60));
+        console.log("Running quick security scan...\n");
+    }
+    const quickScan = await runQuickScan(skillContent);
+    // Display quick scan results
+    if (!opts.json) {
+        displayQuickScan(quickScan, skillName);
+    }
+    // Check OpenClaw availability
+    const skillManager = new SkillManager();
+    const openClawAvailable = skillManager.isOpenClawInstalled();
+    const rafterSkillInstalled = skillManager.isRafterSkillInstalled();
+    if (opts.json) {
+        // JSON output
+        const result = {
+            skill: skillName,
+            path: absolutePath,
+            quickScan,
+            openClawAvailable,
+            rafterSkillInstalled
+        };
+        console.log(JSON.stringify(result, null, 2));
+        return;
+    }
+    // Check if we can use OpenClaw
+    if (openClawAvailable && !opts.skipOpenclaw) {
+        if (!rafterSkillInstalled) {
+            console.log("\n⚠️  Rafter Security skill not installed in OpenClaw.");
+            console.log("   Run: rafter agent init\n");
+        }
+        else {
+            console.log("\n🤖 For comprehensive security review:\n");
+            console.log("   1. Open OpenClaw");
+            console.log(`   2. Run: /rafter-audit-skill ${absolutePath}`);
+            console.log("\n   The auditor will analyze:");
+            console.log("   • Trust & attribution");
+            console.log("   • Network security");
+            console.log("   • Command execution risks");
+            console.log("   • File system access");
+            console.log("   • Credential handling");
+            console.log("   • Input validation & injection risks");
+            console.log("   • Data exfiltration patterns");
+            console.log("   • Obfuscation techniques");
+            console.log("   • Scope & intent alignment");
+            console.log("   • Error handling & info disclosure");
+            console.log("   • Dependencies & supply chain");
+            console.log("   • Environment manipulation\n");
+        }
+    }
+    else {
+        // OpenClaw not available or skipped - show manual review prompt
+        console.log("\n📋 Manual Security Review Prompt\n");
+        console.log("═".repeat(60));
+        console.log("\nCopy the following to your AI assistant for review:\n");
+        console.log("─".repeat(60));
+        console.log(generateManualReviewPrompt(skillName, absolutePath, quickScan, skillContent));
+        console.log("─".repeat(60));
+    }
+    console.log();
+}
+async function runQuickScan(content) {
+    // 1. Scan for secrets
+    const patternEngine = new PatternEngine(DEFAULT_SECRET_PATTERNS);
+    const secretMatches = patternEngine.scan(content);
+    // 2. Extract URLs
+    const urlRegex = /https?:\/\/[^\s<>"]+/gi;
+    const urls = Array.from(new Set(content.match(urlRegex) || []));
+    // 3. Detect high-risk commands
+    const highRiskPatterns = [
+        { pattern: /rm\s+-rf\s+\/(?!\w)/gi, name: "rm -rf /" },
+        { pattern: /sudo\s+rm/gi, name: "sudo rm" },
+        { pattern: /curl[^|]*\|\s*(?:ba)?sh/gi, name: "curl | sh" },
+        { pattern: /wget[^|]*\|\s*(?:ba)?sh/gi, name: "wget | sh" },
+        { pattern: /eval\s*\(/gi, name: "eval()" },
+        { pattern: /exec\s*\(/gi, name: "exec()" },
+        { pattern: /chmod\s+777/gi, name: "chmod 777" },
+        { pattern: /:\(\)\{\s*:\|:&\s*\};:/g, name: "fork bomb" },
+        { pattern: /dd\s+if=\/dev\/(?:zero|random)\s+of=\/dev/gi, name: "dd to device" },
+        { pattern: /mkfs/gi, name: "mkfs (format)" },
+        { pattern: /base64\s+-d[^|]*\|\s*(?:ba)?sh/gi, name: "base64 decode | sh" }
+    ];
+    const commands = [];
+    const lines = content.split('\n');
+    for (const { pattern, name } of highRiskPatterns) {
+        pattern.lastIndex = 0; // Reset regex
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+            // Find line number
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            commands.push({
+                command: name,
+                line: lineNumber
+            });
+        }
+    }
+    return {
+        secrets: secretMatches.length,
+        urls,
+        highRiskCommands: commands
+    };
+}
+function displayQuickScan(scan, skillName) {
+    console.log("📊 Quick Scan Results");
+    console.log("═".repeat(60));
+    // Secrets
+    if (scan.secrets === 0) {
+        console.log("✓ Secrets: None detected");
+    }
+    else {
+        console.log(`⚠️  Secrets: ${scan.secrets} found`);
+        console.log("   → API keys, tokens, or credentials detected");
+        console.log("   → Run: rafter agent scan <path> for details");
+    }
+    // URLs
+    if (scan.urls.length === 0) {
+        console.log("✓ External URLs: None");
+    }
+    else {
+        console.log(`⚠️  External URLs: ${scan.urls.length} found`);
+        scan.urls.slice(0, 5).forEach(url => {
+            console.log(`   • ${url}`);
+        });
+        if (scan.urls.length > 5) {
+            console.log(`   ... and ${scan.urls.length - 5} more`);
+        }
+    }
+    // High-risk commands
+    if (scan.highRiskCommands.length === 0) {
+        console.log("✓ High-risk commands: None detected");
+    }
+    else {
+        console.log(`⚠️  High-risk commands: ${scan.highRiskCommands.length} found`);
+        scan.highRiskCommands.slice(0, 5).forEach(cmd => {
+            console.log(`   • ${cmd.command} (line ${cmd.line})`);
+        });
+        if (scan.highRiskCommands.length > 5) {
+            console.log(`   ... and ${scan.highRiskCommands.length - 5} more`);
+        }
+    }
+    console.log();
+}
+function generateManualReviewPrompt(skillName, skillPath, scan, content) {
+    return `You are reviewing a Claude Code skill for security issues. Analyze the skill below and provide:
+
+1. **Security Assessment**: Evaluate trustworthiness, identify risks
+2. **External Dependencies**: Review URLs, APIs, network calls - are they trustworthy?
+3. **Command Safety**: Analyze shell commands - any dangerous patterns?
+4. **Bundled Resources**: Check for suspicious scripts, images, binaries
+5. **Prompt Injection Risks**: Could malicious input exploit this skill?
+6. **Data Exfiltration**: Does it send sensitive data externally?
+7. **Credential Handling**: How are API keys/secrets managed?
+8. **Input Validation**: Is user input properly sanitized?
+9. **File System Access**: What files does it read/write?
+10. **Scope Alignment**: Does behavior match stated purpose?
+11. **Recommendations**: Should I install this? What precautions?
+
+**Skill**: ${skillName}
+**Path**: ${skillPath}
+
+**Quick Scan Findings**:
+- Secrets detected: ${scan.secrets}
+- External URLs: ${scan.urls.length}${scan.urls.length > 0 ? `\n  ${scan.urls.join('\n  ')}` : ''}
+- High-risk commands: ${scan.highRiskCommands.length}${scan.highRiskCommands.length > 0 ? `\n  ${scan.highRiskCommands.map(c => `${c.command} (line ${c.line})`).join('\n  ')}` : ''}
+
+**Skill Content**:
+\`\`\`markdown
+${content}
+\`\`\`
+
+Provide a clear risk rating (LOW/MEDIUM/HIGH/CRITICAL) and actionable recommendations.`;
+}

package/dist/commands/agent/audit.js

@@ -0,0 +1,65 @@
+import { Command } from "commander";
+import { AuditLogger } from "../../core/audit-logger.js";
+export function createAuditCommand() {
+    return new Command("audit")
+        .description("View audit log entries")
+        .option("--last <n>", "Show last N entries", "10")
+        .option("--event <type>", "Filter by event type")
+        .option("--agent <type>", "Filter by agent type (openclaw, claude-code)")
+        .option("--since <date>", "Show entries since date (YYYY-MM-DD)")
+        .action((opts) => {
+        const logger = new AuditLogger();
+        const filter = {
+            limit: parseInt(opts.last, 10)
+        };
+        if (opts.event) {
+            filter.eventType = opts.event;
+        }
+        if (opts.agent) {
+            filter.agentType = opts.agent;
+        }
+        if (opts.since) {
+            filter.since = new Date(opts.since);
+        }
+        const entries = logger.read(filter);
+        if (entries.length === 0) {
+            console.log("No audit log entries found");
+            return;
+        }
+        console.log(`\nShowing ${entries.length} audit log entries:\n`);
+        for (const entry of entries) {
+            const timestamp = new Date(entry.timestamp).toLocaleString();
+            const emoji = getEventEmoji(entry.eventType);
+            console.log(`${emoji} [${timestamp}] ${entry.eventType}`);
+            if (entry.agentType) {
+                console.log(`   Agent: ${entry.agentType}`);
+            }
+            if (entry.action?.command) {
+                console.log(`   Command: ${entry.action.command}`);
+            }
+            if (entry.action?.riskLevel) {
+                console.log(`   Risk: ${entry.action.riskLevel}`);
+            }
+            console.log(`   Check: ${entry.securityCheck.passed ? "PASSED" : "FAILED"}`);
+            if (entry.securityCheck.reason) {
+                console.log(`   Reason: ${entry.securityCheck.reason}`);
+            }
+            console.log(`   Action: ${entry.resolution.actionTaken}`);
+            if (entry.resolution.overrideReason) {
+                console.log(`   Override: ${entry.resolution.overrideReason}`);
+            }
+            console.log("");
+        }
+    });
+}
+function getEventEmoji(eventType) {
+    const emojiMap = {
+        command_intercepted: "🛡️",
+        secret_detected: "🔑",
+        content_sanitized: "🧹",
+        policy_override: "⚠️",
+        scan_executed: "🔍",
+        config_changed: "⚙️"
+    };
+    return emojiMap[eventType] || "📝";
+}

package/dist/commands/agent/config.js

@@ -0,0 +1,54 @@
+import { Command } from "commander";
+import { ConfigManager } from "../../core/config-manager.js";
+export function createConfigCommand() {
+    const config = new Command("config")
+        .description("Manage agent configuration");
+    // Show all config
+    config
+        .command("show")
+        .description("Show current configuration")
+        .action(() => {
+        const manager = new ConfigManager();
+        const cfg = manager.load();
+        console.log(JSON.stringify(cfg, null, 2));
+    });
+    // Get specific value
+    config
+        .command("get")
+        .description("Get a configuration value")
+        .argument("<key>", "Config key (e.g., agent.riskLevel)")
+        .action((key) => {
+        const manager = new ConfigManager();
+        const value = manager.get(key);
+        if (value === undefined) {
+            console.error(`Key not found: ${key}`);
+            process.exit(1);
+        }
+        if (typeof value === "object") {
+            console.log(JSON.stringify(value, null, 2));
+        }
+        else {
+            console.log(value);
+        }
+    });
+    // Set specific value
+    config
+        .command("set")
+        .description("Set a configuration value")
+        .argument("<key>", "Config key (e.g., agent.riskLevel)")
+        .argument("<value>", "Value to set")
+        .action((key, value) => {
+        const manager = new ConfigManager();
+        // Try to parse value as JSON, otherwise use as string
+        let parsedValue = value;
+        try {
+            parsedValue = JSON.parse(value);
+        }
+        catch {
+            // Use as string
+        }
+        manager.set(key, parsedValue);
+        console.log(`✓ Set ${key} = ${JSON.stringify(parsedValue)}`);
+    });
+    return config;
+}

package/dist/commands/agent/exec.js

@@ -0,0 +1,120 @@
+import { Command } from "commander";
+import { CommandInterceptor } from "../../core/command-interceptor.js";
+import { RegexScanner } from "../../scanners/regex-scanner.js";
+import { execSync } from "child_process";
+import readline from "readline";
+export function createExecCommand() {
+    return new Command("exec")
+        .description("Execute command with security validation")
+        .argument("<command>", "Command to execute")
+        .option("--skip-scan", "Skip pre-execution file scanning")
+        .option("--force", "Skip approval prompts (use with caution)")
+        .action(async (command, opts) => {
+        const interceptor = new CommandInterceptor();
+        // Step 1: Evaluate command
+        const evaluation = interceptor.evaluate(command);
+        // Step 2: Handle blocked commands
+        if (!evaluation.allowed && !evaluation.requiresApproval) {
+            console.error(`\n🚫 Command BLOCKED\n`);
+            console.error(`Risk Level: ${evaluation.riskLevel.toUpperCase()}`);
+            console.error(`Reason: ${evaluation.reason}`);
+            console.error(`Command: ${command}\n`);
+            interceptor.logEvaluation(evaluation, "blocked");
+            process.exit(1);
+        }
+        // Step 3: Pre-execution scanning for git commands
+        if (!opts.skipScan && isGitCommand(command)) {
+            const scanResult = await scanStagedFiles();
+            if (scanResult.secretsFound) {
+                console.error(`\n⚠️  Secrets detected in staged files!\n`);
+                console.error(`Found ${scanResult.count} secret(s) in ${scanResult.files} file(s)`);
+                console.error(`\nRun 'rafter agent scan' for details.\n`);
+                interceptor.logEvaluation(evaluation, "blocked");
+                process.exit(1);
+            }
+        }
+        // Step 4: Handle approval required
+        if (evaluation.requiresApproval && !opts.force) {
+            console.log(`\n⚠️  Command requires approval\n`);
+            console.log(`Risk Level: ${evaluation.riskLevel.toUpperCase()}`);
+            console.log(`Command: ${command}`);
+            if (evaluation.reason) {
+                console.log(`Reason: ${evaluation.reason}`);
+            }
+            console.log();
+            const approved = await promptApproval();
+            if (!approved) {
+                console.log("\n❌ Command cancelled\n");
+                interceptor.logEvaluation(evaluation, "blocked");
+                process.exit(1);
+            }
+            console.log("\n✓ Command approved by user\n");
+            interceptor.logEvaluation(evaluation, "overridden");
+        }
+        else if (opts.force && evaluation.requiresApproval) {
+            console.log(`\n⚠️  Forcing execution (--force flag)\n`);
+            interceptor.logEvaluation(evaluation, "overridden");
+        }
+        else {
+            interceptor.logEvaluation(evaluation, "allowed");
+        }
+        // Step 5: Execute command
+        try {
+            const output = execSync(command, {
+                stdio: "inherit",
+                encoding: "utf-8"
+            });
+            console.log(`\n✓ Command executed successfully\n`);
+            process.exit(0);
+        }
+        catch (e) {
+            console.error(`\n❌ Command failed with exit code ${e.status}\n`);
+            process.exit(e.status || 1);
+        }
+    });
+}
+function isGitCommand(command) {
+    return command.trim().startsWith("git commit") ||
+        command.trim().startsWith("git push");
+}
+async function scanStagedFiles() {
+    try {
+        // Get staged files
+        const stagedFiles = execSync("git diff --cached --name-only", {
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "ignore"]
+        })
+            .trim()
+            .split("\n")
+            .filter(f => f);
+        if (stagedFiles.length === 0) {
+            return { secretsFound: false, count: 0, files: 0 };
+        }
+        // Scan staged files
+        const scanner = new RegexScanner();
+        const results = scanner.scanFiles(stagedFiles);
+        const totalMatches = results.reduce((sum, r) => sum + r.matches.length, 0);
+        return {
+            secretsFound: results.length > 0,
+            count: totalMatches,
+            files: results.length
+        };
+    }
+    catch {
+        // If git command fails (not in repo, etc.), skip scanning
+        return { secretsFound: false, count: 0, files: 0 };
+    }
+}
+async function promptApproval() {
+    const rl = readline.createInterface({
+        input: process.stdin,
+        output: process.stdout
+    });
+    return new Promise((resolve) => {
+        rl.question("Approve this command? (yes/no): ", (answer) => {
+            rl.close();
+            const normalized = answer.trim().toLowerCase();
+            resolve(normalized === "yes" || normalized === "y");
+        });
+    });
+}

package/dist/commands/agent/index.js

@@ -0,0 +1,21 @@
+import { Command } from "commander";
+import { createAuditCommand } from "./audit.js";
+import { createScanCommand } from "./scan.js";
+import { createInitCommand } from "./init.js";
+import { createConfigCommand } from "./config.js";
+import { createExecCommand } from "./exec.js";
+import { createAuditSkillCommand } from "./audit-skill.js";
+import { createInstallHookCommand } from "./install-hook.js";
+export function createAgentCommand() {
+    const agent = new Command("agent")
+        .description("Agent security features");
+    // Add subcommands
+    agent.addCommand(createInitCommand());
+    agent.addCommand(createScanCommand());
+    agent.addCommand(createExecCommand());
+    agent.addCommand(createConfigCommand());
+    agent.addCommand(createAuditCommand());
+    agent.addCommand(createAuditSkillCommand());
+    agent.addCommand(createInstallHookCommand());
+    return agent;
+}

package/dist/commands/agent/init.js

@@ -0,0 +1,162 @@
+import { Command } from "commander";
+import { ConfigManager } from "../../core/config-manager.js";
+import { BinaryManager } from "../../utils/binary-manager.js";
+import { SkillManager } from "../../utils/skill-manager.js";
+import fs from "fs";
+import path from "path";
+import os from "os";
+import { fileURLToPath } from "url";
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+async function installClaudeCodeSkills() {
+    const homeDir = os.homedir();
+    const claudeSkillsDir = path.join(homeDir, ".claude", "skills");
+    // Ensure .claude/skills directory exists
+    if (!fs.existsSync(claudeSkillsDir)) {
+        fs.mkdirSync(claudeSkillsDir, { recursive: true });
+    }
+    // Install Backend Skill
+    const backendSkillDir = path.join(claudeSkillsDir, "rafter");
+    const backendSkillPath = path.join(backendSkillDir, "SKILL.md");
+    const backendTemplatePath = path.join(__dirname, "..", "..", "..", ".claude", "skills", "rafter", "SKILL.md");
+    if (!fs.existsSync(backendSkillDir)) {
+        fs.mkdirSync(backendSkillDir, { recursive: true });
+    }
+    if (fs.existsSync(backendTemplatePath)) {
+        fs.copyFileSync(backendTemplatePath, backendSkillPath);
+        console.log(`✓ Installed Rafter Backend skill to ${backendSkillPath}`);
+    }
+    else {
+        console.log(`⚠️  Backend skill template not found at ${backendTemplatePath}`);
+    }
+    // Install Agent Security Skill
+    const agentSkillDir = path.join(claudeSkillsDir, "rafter-agent-security");
+    const agentSkillPath = path.join(agentSkillDir, "SKILL.md");
+    const agentTemplatePath = path.join(__dirname, "..", "..", "..", ".claude", "skills", "rafter-agent-security", "SKILL.md");
+    if (!fs.existsSync(agentSkillDir)) {
+        fs.mkdirSync(agentSkillDir, { recursive: true });
+    }
+    if (fs.existsSync(agentTemplatePath)) {
+        fs.copyFileSync(agentTemplatePath, agentSkillPath);
+        console.log(`✓ Installed Rafter Agent Security skill to ${agentSkillPath}`);
+    }
+    else {
+        console.log(`⚠️  Agent Security skill template not found at ${agentTemplatePath}`);
+    }
+}
+export function createInitCommand() {
+    return new Command("init")
+        .description("Initialize agent security system")
+        .option("--risk-level <level>", "Set risk level (minimal, moderate, aggressive)", "moderate")
+        .option("--skip-openclaw", "Skip OpenClaw skill installation")
+        .option("--skip-claude-code", "Skip Claude Code skill installation")
+        .option("--claude-code", "Force Claude Code skill installation")
+        .option("--skip-gitleaks", "Skip Gitleaks binary download")
+        .action(async (opts) => {
+        console.log("\n🛡️  Rafter Agent Security Setup");
+        console.log("━".repeat(40));
+        console.log();
+        const manager = new ConfigManager();
+        // Detect environments
+        const hasOpenClaw = fs.existsSync(path.join(os.homedir(), ".openclaw"));
+        const hasClaudeCode = opts.claudeCode || fs.existsSync(path.join(os.homedir(), ".claude"));
+        if (hasOpenClaw) {
+            console.log("✓ Detected environment: OpenClaw");
+        }
+        else {
+            console.log("ℹ️  OpenClaw not detected");
+        }
+        if (hasClaudeCode) {
+            console.log("✓ Detected environment: Claude Code");
+        }
+        else {
+            console.log("ℹ️  Claude Code not detected");
+        }
+        // Initialize directory structure
+        try {
+            await manager.initialize();
+            console.log(`✓ Created config at ~/.rafter/config.json`);
+        }
+        catch (e) {
+            console.error(`Failed to initialize: ${e}`);
+            process.exit(1);
+        }
+        // Set risk level
+        const validRiskLevels = ["minimal", "moderate", "aggressive"];
+        if (!validRiskLevels.includes(opts.riskLevel)) {
+            console.error(`Invalid risk level: ${opts.riskLevel}`);
+            console.error(`Valid options: ${validRiskLevels.join(", ")}`);
+            process.exit(1);
+        }
+        manager.set("agent.riskLevel", opts.riskLevel);
+        console.log(`✓ Set risk level: ${opts.riskLevel}`);
+        // Download Gitleaks binary (optional)
+        if (!opts.skipGitleaks) {
+            const binaryManager = new BinaryManager();
+            const platformInfo = binaryManager.getPlatformInfo();
+            if (!platformInfo.supported) {
+                console.log(`ℹ️  Gitleaks not available for ${platformInfo.platform}/${platformInfo.arch}`);
+                console.log("✓ Using pattern-based scanning (21 patterns)");
+            }
+            else if (binaryManager.isGitleaksInstalled()) {
+                const version = await binaryManager.getGitleaksVersion();
+                console.log(`✓ Gitleaks already installed (${version})`);
+            }
+            else {
+                console.log();
+                console.log("📦 Downloading Gitleaks (enhanced secret detection)...");
+                try {
+                    await binaryManager.downloadGitleaks((msg) => {
+                        console.log(`   ${msg}`);
+                    });
+                    console.log();
+                }
+                catch (e) {
+                    console.log(`⚠️  Failed to download Gitleaks: ${e}`);
+                    console.log("✓ Falling back to pattern-based scanning");
+                    console.log();
+                }
+            }
+        }
+        // Install OpenClaw skill if applicable
+        if (hasOpenClaw && !opts.skipOpenclaw) {
+            try {
+                const skillManager = new SkillManager();
+                const installed = await skillManager.installRafterSkill();
+                if (installed) {
+                    console.log("✓ Installed Rafter Security skill to ~/.openclaw/skills/rafter-security.md");
+                    manager.set("agent.environments.openclaw.enabled", true);
+                }
+                else {
+                    console.log("⚠️  Failed to install Rafter Security skill");
+                }
+            }
+            catch (e) {
+                console.error(`Failed to install OpenClaw skill: ${e}`);
+            }
+        }
+        // Install Claude Code skills if applicable
+        if (hasClaudeCode && !opts.skipClaudeCode) {
+            try {
+                await installClaudeCodeSkills();
+                manager.set("agent.environments.claudeCode.enabled", true);
+            }
+            catch (e) {
+                console.error(`Failed to install Claude Code skills: ${e}`);
+            }
+        }
+        console.log();
+        console.log("✓ Agent security initialized!");
+        console.log();
+        console.log("Next steps:");
+        if (hasOpenClaw && !opts.skipOpenclaw) {
+            console.log("  - Restart OpenClaw to load skill");
+        }
+        if (hasClaudeCode && !opts.skipClaudeCode) {
+            console.log("  - Restart Claude Code to load skills");
+        }
+        console.log("  - Run: rafter agent scan . (test secret scanning)");
+        console.log("  - Configure: rafter agent config show");
+        console.log();
+    });
+}