@rafter-security/cli 0.1.0 → 0.4.1

package/dist/commands/agent/install-hook.js

@@ -0,0 +1,128 @@
+import { Command } from "commander";
+import fs from "fs";
+import path from "path";
+import { execSync } from "child_process";
+import { fileURLToPath } from 'url';
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+export function createInstallHookCommand() {
+    return new Command("install-hook")
+        .description("Install pre-commit hook to scan for secrets")
+        .option("--global", "Install globally for all repos (via git config)")
+        .action(async (opts) => {
+        await installHook(opts);
+    });
+}
+async function installHook(opts) {
+    if (opts.global) {
+        await installGlobalHook();
+    }
+    else {
+        await installLocalHook();
+    }
+}
+/**
+ * Install pre-commit hook for current repository
+ */
+async function installLocalHook() {
+    // Check if in a git repository
+    try {
+        execSync("git rev-parse --git-dir", { stdio: "pipe" });
+    }
+    catch (e) {
+        console.error("❌ Error: Not in a git repository");
+        console.error("   Run this command from inside a git repository");
+        process.exit(1);
+    }
+    // Get .git directory
+    const gitDir = execSync("git rev-parse --git-dir", { encoding: "utf-8" }).trim();
+    const hooksDir = path.resolve(gitDir, "hooks");
+    const hookPath = path.join(hooksDir, "pre-commit");
+    // Ensure hooks directory exists
+    if (!fs.existsSync(hooksDir)) {
+        fs.mkdirSync(hooksDir, { recursive: true });
+    }
+    // Check if hook already exists
+    if (fs.existsSync(hookPath)) {
+        const existing = fs.readFileSync(hookPath, "utf-8");
+        // Check if it's already a Rafter hook
+        if (existing.includes("Rafter Security Pre-Commit Hook")) {
+            console.log("✓ Rafter pre-commit hook already installed");
+            return;
+        }
+        // Backup existing hook
+        const backupPath = `${hookPath}.backup-${Date.now()}`;
+        fs.copyFileSync(hookPath, backupPath);
+        console.log(`📦 Backed up existing hook to: ${path.basename(backupPath)}`);
+    }
+    // Get hook template path
+    const templatePath = path.join(__dirname, "..", "..", "..", "resources", "pre-commit-hook.sh");
+    if (!fs.existsSync(templatePath)) {
+        console.error("❌ Error: Hook template not found");
+        console.error(`   Expected at: ${templatePath}`);
+        process.exit(1);
+    }
+    // Copy hook template
+    const hookContent = fs.readFileSync(templatePath, "utf-8");
+    fs.writeFileSync(hookPath, hookContent, "utf-8");
+    // Make executable
+    fs.chmodSync(hookPath, 0o755);
+    console.log("✓ Installed Rafter pre-commit hook");
+    console.log(`  Location: ${hookPath}`);
+    console.log();
+    console.log("The hook will:");
+    console.log("  • Scan staged files for secrets before each commit");
+    console.log("  • Block commits if secrets are detected");
+    console.log("  • Can be bypassed with: git commit --no-verify (not recommended)");
+    console.log();
+}
+/**
+ * Install pre-commit hook globally for all repositories
+ */
+async function installGlobalHook() {
+    // Create global hooks directory
+    const homeDir = process.env.HOME || process.env.USERPROFILE;
+    if (!homeDir) {
+        console.error("❌ Error: Could not determine home directory");
+        process.exit(1);
+    }
+    const globalHooksDir = path.join(homeDir, ".rafter", "git-hooks");
+    const hookPath = path.join(globalHooksDir, "pre-commit");
+    // Create directory
+    if (!fs.existsSync(globalHooksDir)) {
+        fs.mkdirSync(globalHooksDir, { recursive: true });
+    }
+    // Get hook template path
+    const templatePath = path.join(__dirname, "..", "..", "..", "resources", "pre-commit-hook.sh");
+    if (!fs.existsSync(templatePath)) {
+        console.error("❌ Error: Hook template not found");
+        console.error(`   Expected at: ${templatePath}`);
+        process.exit(1);
+    }
+    // Copy hook template
+    const hookContent = fs.readFileSync(templatePath, "utf-8");
+    fs.writeFileSync(hookPath, hookContent, "utf-8");
+    // Make executable
+    fs.chmodSync(hookPath, 0o755);
+    // Configure git to use global hooks directory
+    try {
+        execSync(`git config --global core.hooksPath "${globalHooksDir}"`, { stdio: "pipe" });
+        console.log("✓ Installed Rafter pre-commit hook globally");
+        console.log(`  Location: ${hookPath}`);
+        console.log(`  Git config: core.hooksPath = ${globalHooksDir}`);
+        console.log();
+        console.log("The hook will apply to ALL git repositories on this machine.");
+        console.log();
+        console.log("To disable globally:");
+        console.log(`  git config --global --unset core.hooksPath`);
+        console.log();
+        console.log("To install per-repository instead:");
+        console.log(`  cd <repo> && rafter agent install-hook`);
+        console.log();
+    }
+    catch (e) {
+        console.error("❌ Failed to configure global git hooks");
+        console.error("   You may need to manually set: git config --global core.hooksPath ~/.rafter/git-hooks");
+        process.exit(1);
+    }
+}

package/dist/commands/agent/scan.js

@@ -0,0 +1,233 @@
+import { Command } from "commander";
+import { RegexScanner } from "../../scanners/regex-scanner.js";
+import { GitleaksScanner } from "../../scanners/gitleaks.js";
+import { execSync } from "child_process";
+import fs from "fs";
+import path from "path";
+export function createScanCommand() {
+    return new Command("scan")
+        .description("Scan files or directories for secrets")
+        .argument("[path]", "File or directory to scan", ".")
+        .option("-q, --quiet", "Only output if secrets found")
+        .option("--json", "Output as JSON")
+        .option("--staged", "Scan only git staged files")
+        .option("--engine <engine>", "Scan engine: gitleaks or patterns", "auto")
+        .action(async (scanPath, opts) => {
+        // Handle --staged flag
+        if (opts.staged) {
+            await scanStagedFiles(opts);
+            return;
+        }
+        const resolvedPath = path.resolve(scanPath);
+        // Check if path exists
+        if (!fs.existsSync(resolvedPath)) {
+            console.error(`Error: Path not found: ${resolvedPath}`);
+            process.exit(1);
+        }
+        // Determine scan engine
+        const engine = await selectEngine(opts.engine, opts.quiet);
+        // Determine if path is file or directory
+        const stats = fs.statSync(resolvedPath);
+        let results;
+        if (stats.isDirectory()) {
+            if (!opts.quiet) {
+                console.error(`Scanning directory: ${resolvedPath} (${engine})`);
+            }
+            results = await scanDirectory(resolvedPath, engine);
+        }
+        else {
+            if (!opts.quiet) {
+                console.error(`Scanning file: ${resolvedPath} (${engine})`);
+            }
+            results = await scanFile(resolvedPath, engine);
+        }
+        // Output results
+        if (opts.json) {
+            console.log(JSON.stringify(results, null, 2));
+        }
+        else {
+            if (results.length === 0) {
+                if (!opts.quiet) {
+                    console.log("\n✓ No secrets detected\n");
+                }
+                process.exit(0);
+            }
+            else {
+                console.log(`\n⚠️  Found secrets in ${results.length} file(s):\n`);
+                let totalMatches = 0;
+                for (const result of results) {
+                    console.log(`\n📄 ${result.file}`);
+                    for (const match of result.matches) {
+                        totalMatches++;
+                        const location = match.line ? `Line ${match.line}` : "Unknown location";
+                        const severity = getSeverityEmoji(match.pattern.severity);
+                        console.log(`  ${severity} [${match.pattern.severity.toUpperCase()}] ${match.pattern.name}`);
+                        console.log(`     Location: ${location}`);
+                        console.log(`     Pattern: ${match.pattern.description || match.pattern.regex}`);
+                        console.log(`     Redacted: ${match.redacted}`);
+                        console.log();
+                    }
+                }
+                console.log(`\n⚠️  Total: ${totalMatches} secret(s) detected in ${results.length} file(s)\n`);
+                console.log("Run 'rafter agent audit' to see the security log.\n");
+                process.exit(1);
+            }
+        }
+    });
+}
+/**
+ * Scan git staged files for secrets
+ */
+async function scanStagedFiles(opts) {
+    try {
+        // Get list of staged files
+        const stagedFilesOutput = execSync("git diff --cached --name-only --diff-filter=ACM", {
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "ignore"]
+        }).trim();
+        if (!stagedFilesOutput) {
+            if (!opts.quiet) {
+                console.log("✓ No files staged for commit");
+            }
+            process.exit(0);
+        }
+        const stagedFiles = stagedFilesOutput.split("\n").map(f => f.trim()).filter(f => f);
+        if (!opts.quiet) {
+            console.error(`Scanning ${stagedFiles.length} staged file(s)...`);
+        }
+        // Determine scan engine
+        const engine = await selectEngine(opts.engine || "auto", opts.quiet || false);
+        // Scan each staged file
+        const allResults = [];
+        for (const file of stagedFiles) {
+            const filePath = path.resolve(file);
+            // Skip if file doesn't exist (might be deleted)
+            if (!fs.existsSync(filePath)) {
+                continue;
+            }
+            // Skip if not a regular file
+            const stats = fs.statSync(filePath);
+            if (!stats.isFile()) {
+                continue;
+            }
+            const results = await scanFile(filePath, engine);
+            allResults.push(...results);
+        }
+        // Output results (same as regular scan)
+        if (opts.json) {
+            console.log(JSON.stringify(allResults, null, 2));
+        }
+        else {
+            if (allResults.length === 0) {
+                if (!opts.quiet) {
+                    console.log("\n✓ No secrets detected in staged files\n");
+                }
+                process.exit(0);
+            }
+            else {
+                console.log(`\n⚠️  Found secrets in ${allResults.length} staged file(s):\n`);
+                let totalMatches = 0;
+                for (const result of allResults) {
+                    console.log(`\n📄 ${result.file}`);
+                    for (const match of result.matches) {
+                        totalMatches++;
+                        const location = match.line ? `Line ${match.line}` : "Unknown location";
+                        const severity = getSeverityEmoji(match.pattern.severity);
+                        console.log(`  ${severity} [${match.pattern.severity.toUpperCase()}] ${match.pattern.name}`);
+                        console.log(`     Location: ${location}`);
+                        console.log(`     Pattern: ${match.pattern.description || match.pattern.regex}`);
+                        console.log(`     Redacted: ${match.redacted}`);
+                        console.log();
+                    }
+                }
+                console.log(`\n⚠️  Total: ${totalMatches} secret(s) detected in ${allResults.length} file(s)\n`);
+                console.log("❌ Commit blocked. Remove secrets before committing.\n");
+                process.exit(1);
+            }
+        }
+    }
+    catch (error) {
+        if (error.status === 128) {
+            console.error("Error: Not in a git repository");
+            process.exit(1);
+        }
+        throw error;
+    }
+}
+function getSeverityEmoji(severity) {
+    const emojiMap = {
+        critical: "🔴",
+        high: "🟠",
+        medium: "🟡",
+        low: "🟢"
+    };
+    return emojiMap[severity] || "⚪";
+}
+/**
+ * Select scan engine based on availability and user preference
+ */
+async function selectEngine(preference, quiet) {
+    if (preference === "patterns") {
+        return "patterns";
+    }
+    if (preference === "gitleaks") {
+        const gitleaks = new GitleaksScanner();
+        const available = await gitleaks.isAvailable();
+        if (!available) {
+            if (!quiet) {
+                console.error("⚠️  Gitleaks requested but not available, using patterns");
+            }
+            return "patterns";
+        }
+        return "gitleaks";
+    }
+    // Auto mode: try Gitleaks, fall back to patterns
+    const gitleaks = new GitleaksScanner();
+    const available = await gitleaks.isAvailable();
+    return available ? "gitleaks" : "patterns";
+}
+/**
+ * Scan a file with selected engine
+ */
+async function scanFile(filePath, engine) {
+    if (engine === "gitleaks") {
+        try {
+            const gitleaks = new GitleaksScanner();
+            const result = await gitleaks.scanFile(filePath);
+            return result.matches.length > 0 ? [result] : [];
+        }
+        catch (e) {
+            // Fall back to patterns on error
+            console.error(`⚠️  Gitleaks scan failed, falling back to patterns`);
+            const scanner = new RegexScanner();
+            const result = scanner.scanFile(filePath);
+            return result.matches.length > 0 ? [result] : [];
+        }
+    }
+    else {
+        const scanner = new RegexScanner();
+        const result = scanner.scanFile(filePath);
+        return result.matches.length > 0 ? [result] : [];
+    }
+}
+/**
+ * Scan a directory with selected engine
+ */
+async function scanDirectory(dirPath, engine) {
+    if (engine === "gitleaks") {
+        try {
+            const gitleaks = new GitleaksScanner();
+            return await gitleaks.scanDirectory(dirPath);
+        }
+        catch (e) {
+            // Fall back to patterns on error
+            console.error(`⚠️  Gitleaks scan failed, falling back to patterns`);
+            const scanner = new RegexScanner();
+            return scanner.scanDirectory(dirPath);
+        }
+    }
+    else {
+        const scanner = new RegexScanner();
+        return scanner.scanDirectory(dirPath);
+    }
+}

package/dist/commands/backend/get.js

@@ -0,0 +1,41 @@
+import { Command } from "commander";
+import axios from "axios";
+import { API, resolveKey, writePayload, EXIT_GENERAL_ERROR, EXIT_SCAN_NOT_FOUND } from "../../utils/api.js";
+import { handleScanStatus } from "./scan-status.js";
+export function createGetCommand() {
+    return new Command("get")
+        .argument("<scan_id>")
+        .option("-k, --api-key <key>", "API key or RAFTER_API_KEY env var")
+        .option("-f, --format <format>", "json | md", "md")
+        .option("--interactive", "poll until done")
+        .option("--quiet", "suppress status messages")
+        .action(async (scan_id, opts) => {
+        const key = resolveKey(opts.apiKey);
+        if (!opts.interactive) {
+            try {
+                const { data } = await axios.get(`${API}/static/scan`, { params: { scan_id, format: opts.format }, headers: { "x-api-key": key } });
+                const exitCode = writePayload(data, opts.format, opts.quiet);
+                process.exit(exitCode);
+            }
+            catch (e) {
+                if (e.response?.status === 404) {
+                    console.error(`Scan '${scan_id}' not found`);
+                    process.exit(EXIT_SCAN_NOT_FOUND);
+                }
+                else if (e.response?.data) {
+                    console.error(e.response.data);
+                }
+                else if (e instanceof Error) {
+                    console.error(e.message);
+                }
+                else {
+                    console.error(e);
+                }
+                process.exit(EXIT_GENERAL_ERROR);
+            }
+            return;
+        }
+        const exitCode = await handleScanStatus(scan_id, { "x-api-key": key }, opts.format, opts.quiet);
+        process.exit(exitCode);
+    });
+}

package/dist/commands/backend/run.js

@@ -0,0 +1,84 @@
+import { Command } from "commander";
+import axios from "axios";
+import ora from "ora";
+import { detectRepo } from "../../utils/git.js";
+import { API, resolveKey, EXIT_GENERAL_ERROR, EXIT_QUOTA_EXHAUSTED } from "../../utils/api.js";
+import { handleScanStatus } from "./scan-status.js";
+export function createRunCommand() {
+    return new Command("run")
+        .alias("scan")
+        .option("-r, --repo <repo>", "org/repo (default: current)")
+        .option("-b, --branch <branch>", "branch (default: current else main)")
+        .option("-k, --api-key <key>", "API key or RAFTER_API_KEY env var")
+        .option("-f, --format <format>", "json | md", "md")
+        .option("--skip-interactive", "do not wait for scan to complete")
+        .option("--quiet", "suppress status messages")
+        .action(async (opts) => {
+        const key = resolveKey(opts.apiKey);
+        let repo, branch;
+        try {
+            ({ repo, branch } = detectRepo({ repo: opts.repo, branch: opts.branch, quiet: opts.quiet }));
+        }
+        catch (e) {
+            if (e instanceof Error) {
+                console.error(e.message);
+            }
+            else {
+                console.error(e);
+            }
+            process.exit(EXIT_GENERAL_ERROR);
+        }
+        if (!opts.quiet) {
+            const spinner = ora("Submitting scan").start();
+            try {
+                const { data } = await axios.post(`${API}/static/scan`, { repository_name: repo, branch_name: branch }, { headers: { "x-api-key": key } });
+                spinner.succeed(`Scan ID: ${data.scan_id}`);
+                if (opts.skipInteractive)
+                    return;
+                const exitCode = await handleScanStatus(data.scan_id, { "x-api-key": key }, opts.format, opts.quiet);
+                process.exit(exitCode);
+            }
+            catch (e) {
+                spinner.fail("Request failed");
+                if (e.response?.status === 429) {
+                    console.error("Quota exhausted");
+                    process.exit(EXIT_QUOTA_EXHAUSTED);
+                }
+                else if (e.response?.data) {
+                    console.error(e.response.data);
+                }
+                else if (e instanceof Error) {
+                    console.error(e.message);
+                }
+                else {
+                    console.error(e);
+                }
+                process.exit(EXIT_GENERAL_ERROR);
+            }
+        }
+        else {
+            try {
+                const { data } = await axios.post(`${API}/static/scan`, { repository_name: repo, branch_name: branch }, { headers: { "x-api-key": key } });
+                if (opts.skipInteractive)
+                    return;
+                const exitCode = await handleScanStatus(data.scan_id, { "x-api-key": key }, opts.format, opts.quiet);
+                process.exit(exitCode);
+            }
+            catch (e) {
+                if (e.response?.status === 429) {
+                    process.exit(EXIT_QUOTA_EXHAUSTED);
+                }
+                else if (e.response?.data) {
+                    console.error(e.response.data);
+                }
+                else if (e instanceof Error) {
+                    console.error(e.message);
+                }
+                else {
+                    console.error(e);
+                }
+                process.exit(EXIT_GENERAL_ERROR);
+            }
+        }
+    });
+}

package/dist/commands/backend/scan-status.js

@@ -0,0 +1,67 @@
+import axios from "axios";
+import ora from "ora";
+import { API, writePayload, EXIT_GENERAL_ERROR, EXIT_SCAN_NOT_FOUND } from "../../utils/api.js";
+export async function handleScanStatus(scan_id, headers, fmt, quiet) {
+    // First poll
+    let poll;
+    try {
+        poll = await axios.get(`${API}/static/scan`, { params: { scan_id, format: fmt }, headers });
+    }
+    catch (e) {
+        if (e.response?.status === 404) {
+            console.error(`Scan '${scan_id}' not found`);
+            return EXIT_SCAN_NOT_FOUND;
+        }
+        console.error(`Error: ${e.response?.data || e.message}`);
+        return EXIT_GENERAL_ERROR;
+    }
+    let status = poll.data.status;
+    if (["queued", "pending", "processing"].includes(status)) {
+        if (!quiet) {
+            const spinner = ora("Waiting for scan to complete... (this could take several minutes)").start();
+            while (["queued", "pending", "processing"].includes(status)) {
+                await new Promise((r) => setTimeout(r, 10000));
+                poll = await axios.get(`${API}/static/scan`, { params: { scan_id, format: fmt }, headers });
+                status = poll.data.status;
+                if (status === "completed") {
+                    spinner.succeed("Scan completed");
+                    return writePayload(poll.data, fmt, quiet);
+                }
+                else if (status === "failed") {
+                    spinner.fail("Scan failed");
+                    return EXIT_GENERAL_ERROR;
+                }
+            }
+            console.error(`Scan status: ${status}`);
+        }
+        else {
+            while (["queued", "pending", "processing"].includes(status)) {
+                await new Promise((r) => setTimeout(r, 10000));
+                poll = await axios.get(`${API}/static/scan`, { params: { scan_id, format: fmt }, headers });
+                status = poll.data.status;
+                if (status === "completed") {
+                    return writePayload(poll.data, fmt, quiet);
+                }
+                else if (status === "failed") {
+                    return EXIT_GENERAL_ERROR;
+                }
+            }
+        }
+    }
+    else if (status === "completed") {
+        if (!quiet) {
+            console.error("Scan completed");
+        }
+        return writePayload(poll.data, fmt, quiet);
+    }
+    else if (status === "failed") {
+        console.error("Scan failed");
+        return EXIT_GENERAL_ERROR;
+    }
+    else {
+        if (!quiet) {
+            console.error(`Scan status: ${status}`);
+        }
+    }
+    return writePayload(poll.data, fmt, quiet);
+}

package/dist/commands/backend/usage.js

@@ -0,0 +1,23 @@
+import { Command } from "commander";
+import axios from "axios";
+import { API, resolveKey, EXIT_GENERAL_ERROR } from "../../utils/api.js";
+export function createUsageCommand() {
+    return new Command("usage")
+        .option("-k, --api-key <key>", "API key or RAFTER_API_KEY env var")
+        .action(async (opts) => {
+        const key = resolveKey(opts.apiKey);
+        try {
+            const { data } = await axios.get(`${API}/static/usage`, { headers: { "x-api-key": key } });
+            console.log(JSON.stringify(data, null, 2));
+        }
+        catch (e) {
+            if (e.response?.data) {
+                console.error(e.response.data);
+            }
+            else {
+                console.error(e.message);
+            }
+            process.exit(EXIT_GENERAL_ERROR);
+        }
+    });
+}