@rafter-security/cli 0.4.1 → 0.5.1

package/dist/commands/agent/scan.js

@@ -1,9 +1,11 @@
 import { Command } from "commander";
 import { RegexScanner } from "../../scanners/regex-scanner.js";
 import { GitleaksScanner } from "../../scanners/gitleaks.js";
-import { execSync } from "child_process";
+import { ConfigManager } from "../../core/config-manager.js";
+import { execSync, execFileSync } from "child_process";
 import fs from "fs";
 import path from "path";
+import { fmt } from "../../utils/formatter.js";
 export function createScanCommand() {
     return new Command("scan")
         .description("Scan files or directories for secrets")
@@ -11,11 +13,21 @@ export function createScanCommand() {
         .option("-q, --quiet", "Only output if secrets found")
         .option("--json", "Output as JSON")
         .option("--staged", "Scan only git staged files")
+        .option("--diff <ref>", "Scan files changed since a git ref")
         .option("--engine <engine>", "Scan engine: gitleaks or patterns", "auto")
         .action(async (scanPath, opts) => {
+        // Load policy-merged config for excludePaths/customPatterns
+        const manager = new ConfigManager();
+        const cfg = manager.loadWithPolicy();
+        const scanCfg = cfg.agent?.scan;
+        // Handle --diff flag
+        if (opts.diff) {
+            await scanDiffFiles(opts.diff, opts, scanCfg);
+            return;
+        }
         // Handle --staged flag
         if (opts.staged) {
-            await scanStagedFiles(opts);
+            await scanStagedFiles(opts, scanCfg);
             return;
         }
         const resolvedPath = path.resolve(scanPath);
@@ -25,7 +37,7 @@ export function createScanCommand() {
             process.exit(1);
         }
         // Determine scan engine
-        const engine = await selectEngine(opts.engine, opts.quiet);
+        const engine = await selectEngine(opts.engine || "auto", opts.quiet || false);
         // Determine if path is file or directory
         const stats = fs.statSync(resolvedPath);
         let results;
@@ -33,61 +45,109 @@ export function createScanCommand() {
             if (!opts.quiet) {
                 console.error(`Scanning directory: ${resolvedPath} (${engine})`);
             }
-            results = await scanDirectory(resolvedPath, engine);
+            results = await scanDirectory(resolvedPath, engine, scanCfg);
         }
         else {
             if (!opts.quiet) {
                 console.error(`Scanning file: ${resolvedPath} (${engine})`);
             }
-            results = await scanFile(resolvedPath, engine);
+            results = await scanFile(resolvedPath, engine, scanCfg);
         }
-        // Output results
-        if (opts.json) {
-            console.log(JSON.stringify(results, null, 2));
+        outputScanResults(results, opts);
+    });
+}
+/**
+ * Shared output logic for scan results
+ */
+function outputScanResults(results, opts, context) {
+    if (opts.json) {
+        console.log(JSON.stringify(results, null, 2));
+        process.exit(results.length > 0 ? 1 : 0);
+    }
+    if (results.length === 0) {
+        if (!opts.quiet) {
+            const msg = context ? `No secrets detected in ${context}` : "No secrets detected";
+            console.log(`\n${fmt.success(msg)}\n`);
         }
-        else {
-            if (results.length === 0) {
-                if (!opts.quiet) {
-                    console.log("\n✓ No secrets detected\n");
-                }
-                process.exit(0);
-            }
-            else {
-                console.log(`\n⚠️  Found secrets in ${results.length} file(s):\n`);
-                let totalMatches = 0;
-                for (const result of results) {
-                    console.log(`\n📄 ${result.file}`);
-                    for (const match of result.matches) {
-                        totalMatches++;
-                        const location = match.line ? `Line ${match.line}` : "Unknown location";
-                        const severity = getSeverityEmoji(match.pattern.severity);
-                        console.log(`  ${severity} [${match.pattern.severity.toUpperCase()}] ${match.pattern.name}`);
-                        console.log(`     Location: ${location}`);
-                        console.log(`     Pattern: ${match.pattern.description || match.pattern.regex}`);
-                        console.log(`     Redacted: ${match.redacted}`);
-                        console.log();
-                    }
-                }
-                console.log(`\n⚠️  Total: ${totalMatches} secret(s) detected in ${results.length} file(s)\n`);
-                console.log("Run 'rafter agent audit' to see the security log.\n");
-                process.exit(1);
+        process.exit(0);
+    }
+    console.log(`\n${fmt.warning(`Found secrets in ${results.length} file(s):`)}\n`);
+    let totalMatches = 0;
+    for (const result of results) {
+        console.log(`\n${fmt.info(result.file)}`);
+        for (const match of result.matches) {
+            totalMatches++;
+            const location = match.line ? `Line ${match.line}` : "Unknown location";
+            const sev = fmt.severity(match.pattern.severity);
+            console.log(`  ${sev} ${match.pattern.name}`);
+            console.log(`     Location: ${location}`);
+            console.log(`     Pattern: ${match.pattern.description || match.pattern.regex}`);
+            console.log(`     Redacted: ${match.redacted}`);
+            console.log();
+        }
+    }
+    console.log(`\n${fmt.warning(`Total: ${totalMatches} secret(s) detected in ${results.length} file(s)`)}\n`);
+    if (context === "staged files") {
+        console.log(`${fmt.error("Commit blocked. Remove secrets before committing.")}\n`);
+    }
+    else {
+        console.log(`Run 'rafter agent audit' to see the security log.\n`);
+    }
+    process.exit(1);
+}
+/**
+ * Scan files changed since a git ref
+ */
+async function scanDiffFiles(ref, opts, scanCfg) {
+    try {
+        const diffOutput = execFileSync("git", ["diff", "--name-only", "--diff-filter=ACM", ref], {
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "ignore"],
+        }).trim();
+        if (!diffOutput) {
+            if (!opts.quiet) {
+                console.log(fmt.success(`No files changed since ${ref}`));
             }
+            process.exit(0);
         }
-    });
+        const changedFiles = diffOutput.split("\n").map(f => f.trim()).filter(f => f);
+        if (!opts.quiet) {
+            console.error(`Scanning ${changedFiles.length} file(s) changed since ${ref}...`);
+        }
+        const engine = await selectEngine(opts.engine || "auto", opts.quiet || false);
+        const allResults = [];
+        for (const file of changedFiles) {
+            const filePath = path.resolve(file);
+            if (!fs.existsSync(filePath))
+                continue;
+            const stats = fs.statSync(filePath);
+            if (!stats.isFile())
+                continue;
+            const results = await scanFile(filePath, engine, scanCfg);
+            allResults.push(...results);
+        }
+        outputScanResults(allResults, opts, `files changed since ${ref}`);
+    }
+    catch (error) {
+        if (error.status === 128) {
+            console.error("Error: Not in a git repository or invalid ref");
+            process.exit(1);
+        }
+        throw error;
+    }
 }
 /**
  * Scan git staged files for secrets
  */
-async function scanStagedFiles(opts) {
+async function scanStagedFiles(opts, scanCfg) {
     try {
-        // Get list of staged files
         const stagedFilesOutput = execSync("git diff --cached --name-only --diff-filter=ACM", {
             encoding: "utf-8",
             stdio: ["pipe", "pipe", "ignore"]
         }).trim();
         if (!stagedFilesOutput) {
             if (!opts.quiet) {
-                console.log("✓ No files staged for commit");
+                console.log(fmt.success("No files staged for commit"));
             }
             process.exit(0);
         }
@@ -95,56 +155,19 @@ async function scanStagedFiles(opts) {
         if (!opts.quiet) {
             console.error(`Scanning ${stagedFiles.length} staged file(s)...`);
         }
-        // Determine scan engine
         const engine = await selectEngine(opts.engine || "auto", opts.quiet || false);
-        // Scan each staged file
         const allResults = [];
         for (const file of stagedFiles) {
             const filePath = path.resolve(file);
-            // Skip if file doesn't exist (might be deleted)
-            if (!fs.existsSync(filePath)) {
+            if (!fs.existsSync(filePath))
                 continue;
-            }
-            // Skip if not a regular file
             const stats = fs.statSync(filePath);
-            if (!stats.isFile()) {
+            if (!stats.isFile())
                 continue;
-            }
-            const results = await scanFile(filePath, engine);
+            const results = await scanFile(filePath, engine, scanCfg);
             allResults.push(...results);
         }
-        // Output results (same as regular scan)
-        if (opts.json) {
-            console.log(JSON.stringify(allResults, null, 2));
-        }
-        else {
-            if (allResults.length === 0) {
-                if (!opts.quiet) {
-                    console.log("\n✓ No secrets detected in staged files\n");
-                }
-                process.exit(0);
-            }
-            else {
-                console.log(`\n⚠️  Found secrets in ${allResults.length} staged file(s):\n`);
-                let totalMatches = 0;
-                for (const result of allResults) {
-                    console.log(`\n📄 ${result.file}`);
-                    for (const match of result.matches) {
-                        totalMatches++;
-                        const location = match.line ? `Line ${match.line}` : "Unknown location";
-                        const severity = getSeverityEmoji(match.pattern.severity);
-                        console.log(`  ${severity} [${match.pattern.severity.toUpperCase()}] ${match.pattern.name}`);
-                        console.log(`     Location: ${location}`);
-                        console.log(`     Pattern: ${match.pattern.description || match.pattern.regex}`);
-                        console.log(`     Redacted: ${match.redacted}`);
-                        console.log();
-                    }
-                }
-                console.log(`\n⚠️  Total: ${totalMatches} secret(s) detected in ${allResults.length} file(s)\n`);
-                console.log("❌ Commit blocked. Remove secrets before committing.\n");
-                process.exit(1);
-            }
-        }
+        outputScanResults(allResults, opts, "staged files");
     }
     catch (error) {
         if (error.status === 128) {
@@ -154,15 +177,6 @@ async function scanStagedFiles(opts) {
         throw error;
     }
 }
-function getSeverityEmoji(severity) {
-    const emojiMap = {
-        critical: "🔴",
-        high: "🟠",
-        medium: "🟡",
-        low: "🟢"
-    };
-    return emojiMap[severity] || "⚪";
-}
 /**
  * Select scan engine based on availability and user preference
  */
@@ -175,7 +189,7 @@ async function selectEngine(preference, quiet) {
         const available = await gitleaks.isAvailable();
         if (!available) {
             if (!quiet) {
-                console.error("⚠️  Gitleaks requested but not available, using patterns");
+                console.error(fmt.warning("Gitleaks requested but not available, using patterns"));
             }
             return "patterns";
         }
@@ -189,7 +203,7 @@ async function selectEngine(preference, quiet) {
 /**
  * Scan a file with selected engine
  */
-async function scanFile(filePath, engine) {
+async function scanFile(filePath, engine, scanCfg) {
     if (engine === "gitleaks") {
         try {
             const gitleaks = new GitleaksScanner();
@@ -197,15 +211,14 @@ async function scanFile(filePath, engine) {
             return result.matches.length > 0 ? [result] : [];
         }
         catch (e) {
-            // Fall back to patterns on error
-            console.error(`⚠️  Gitleaks scan failed, falling back to patterns`);
-            const scanner = new RegexScanner();
+            console.error(fmt.warning("Gitleaks scan failed, falling back to patterns"));
+            const scanner = new RegexScanner(scanCfg?.customPatterns);
             const result = scanner.scanFile(filePath);
             return result.matches.length > 0 ? [result] : [];
         }
     }
     else {
-        const scanner = new RegexScanner();
+        const scanner = new RegexScanner(scanCfg?.customPatterns);
         const result = scanner.scanFile(filePath);
         return result.matches.length > 0 ? [result] : [];
     }
@@ -213,21 +226,20 @@ async function scanFile(filePath, engine) {
 /**
  * Scan a directory with selected engine
  */
-async function scanDirectory(dirPath, engine) {
+async function scanDirectory(dirPath, engine, scanCfg) {
     if (engine === "gitleaks") {
         try {
             const gitleaks = new GitleaksScanner();
             return await gitleaks.scanDirectory(dirPath);
         }
         catch (e) {
-            // Fall back to patterns on error
-            console.error(`⚠️  Gitleaks scan failed, falling back to patterns`);
-            const scanner = new RegexScanner();
-            return scanner.scanDirectory(dirPath);
+            console.error(fmt.warning("Gitleaks scan failed, falling back to patterns"));
+            const scanner = new RegexScanner(scanCfg?.customPatterns);
+            return scanner.scanDirectory(dirPath, { excludePaths: scanCfg?.excludePaths });
         }
     }
     else {
-        const scanner = new RegexScanner();
-        return scanner.scanDirectory(dirPath);
+        const scanner = new RegexScanner(scanCfg?.customPatterns);
+        return scanner.scanDirectory(dirPath, { excludePaths: scanCfg?.excludePaths });
     }
 }

package/dist/commands/ci/index.js

@@ -0,0 +1,8 @@
+import { Command } from "commander";
+import { createCiInitCommand } from "./init.js";
+export function createCiCommand() {
+    const ci = new Command("ci")
+        .description("CI/CD integration commands");
+    ci.addCommand(createCiInitCommand());
+    return ci;
+}

package/dist/commands/ci/init.js

@@ -0,0 +1,191 @@
+import { Command } from "commander";
+import fs from "fs";
+import path from "path";
+import { fmt } from "../../utils/formatter.js";
+export function createCiInitCommand() {
+    return new Command("init")
+        .description("Generate CI/CD pipeline config for secret scanning")
+        .option("--platform <platform>", "CI platform: github, gitlab, circleci (default: auto-detect)")
+        .option("--output <path>", "Output file path (default: platform-specific)")
+        .option("--with-backend", "Include backend security audit job (requires RAFTER_API_KEY)")
+        .action((opts) => {
+        const platform = opts.platform || detectPlatform();
+        if (!platform) {
+            console.error(fmt.error("Could not auto-detect CI platform."));
+            console.error("Specify one with --platform github|gitlab|circleci");
+            process.exit(1);
+        }
+        const validPlatforms = ["github", "gitlab", "circleci"];
+        if (!validPlatforms.includes(platform)) {
+            console.error(fmt.error(`Unknown platform: ${platform}`));
+            console.error(`Valid options: ${validPlatforms.join(", ")}`);
+            process.exit(1);
+        }
+        const { content, defaultPath } = generateTemplate(platform, !!opts.withBackend);
+        const outputPath = opts.output || defaultPath;
+        const outputDir = path.dirname(outputPath);
+        if (!fs.existsSync(outputDir)) {
+            fs.mkdirSync(outputDir, { recursive: true });
+        }
+        fs.writeFileSync(outputPath, content, "utf-8");
+        console.log(fmt.success(`Generated ${platform} CI config at ${outputPath}`));
+        console.log();
+        console.log("Next steps:");
+        console.log(`  1. Review the generated file: ${outputPath}`);
+        if (opts.withBackend) {
+            if (platform === "github") {
+                console.log("  2. Add RAFTER_API_KEY to repo Settings > Secrets > Actions");
+            }
+            else if (platform === "gitlab") {
+                console.log("  2. Add RAFTER_API_KEY to Settings > CI/CD > Variables");
+            }
+            else {
+                console.log("  2. Add RAFTER_API_KEY to project environment variables");
+            }
+        }
+        console.log(`  ${opts.withBackend ? "3" : "2"}. Commit and push to trigger the pipeline`);
+        console.log();
+    });
+}
+function detectPlatform() {
+    if (fs.existsSync(".github"))
+        return "github";
+    if (fs.existsSync(".gitlab-ci.yml"))
+        return "gitlab";
+    if (fs.existsSync(".circleci"))
+        return "circleci";
+    return null;
+}
+function generateTemplate(platform, withBackend) {
+    switch (platform) {
+        case "github":
+            return { content: githubTemplate(withBackend), defaultPath: ".github/workflows/rafter-security.yml" };
+        case "gitlab":
+            return { content: gitlabTemplate(withBackend), defaultPath: ".gitlab-ci-rafter.yml" };
+        case "circleci":
+            return { content: circleciTemplate(withBackend), defaultPath: ".circleci/rafter-security.yml" };
+    }
+}
+function githubTemplate(withBackend) {
+    let yaml = `# Generated by: rafter ci init
+name: Rafter Security
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  secret-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rafter CLI
+        run: npm install -g @rafter-security/cli
+
+      - name: Scan for secrets
+        run: rafter agent scan . --quiet
+`;
+    if (withBackend) {
+        yaml += `
+  security-audit:
+    runs-on: ubuntu-latest
+    needs: secret-scan
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rafter CLI
+        run: npm install -g @rafter-security/cli
+
+      - name: Run security audit
+        env:
+          RAFTER_API_KEY: \${{ secrets.RAFTER_API_KEY }}
+        run: rafter run --format json --quiet
+`;
+    }
+    return yaml;
+}
+function gitlabTemplate(withBackend) {
+    let yaml = `# Generated by: rafter ci init
+stages:
+  - security
+
+secret-scan:
+  stage: security
+  image: node:20
+  script:
+    - npm install -g @rafter-security/cli
+    - rafter agent scan . --quiet
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "push"
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+`;
+    if (withBackend) {
+        yaml += `
+security-audit:
+  stage: security
+  image: node:20
+  needs: [secret-scan]
+  script:
+    - npm install -g @rafter-security/cli
+    - rafter run --format json --quiet
+  variables:
+    RAFTER_API_KEY: $RAFTER_API_KEY
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "push"
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+`;
+    }
+    return yaml;
+}
+function circleciTemplate(withBackend) {
+    let yaml = `# Generated by: rafter ci init
+version: 2.1
+
+jobs:
+  secret-scan:
+    docker:
+      - image: cimg/node:20.0
+    steps:
+      - checkout
+      - run:
+          name: Install Rafter CLI
+          command: npm install -g @rafter-security/cli
+      - run:
+          name: Scan for secrets
+          command: rafter agent scan . --quiet
+`;
+    if (withBackend) {
+        yaml += `
+  security-audit:
+    docker:
+      - image: cimg/node:20.0
+    steps:
+      - checkout
+      - run:
+          name: Install Rafter CLI
+          command: npm install -g @rafter-security/cli
+      - run:
+          name: Run security audit
+          command: rafter run --format json --quiet
+`;
+    }
+    yaml += `
+workflows:
+  security:
+    jobs:
+      - secret-scan`;
+    if (withBackend) {
+        yaml += `
+      - security-audit:
+          requires:
+            - secret-scan`;
+    }
+    yaml += "\n";
+    return yaml;
+}

package/dist/commands/hook/index.js

@@ -0,0 +1,8 @@
+import { Command } from "commander";
+import { createHookPretoolCommand } from "./pretool.js";
+export function createHookCommand() {
+    const hook = new Command("hook")
+        .description("Hook handlers for agent platform integration");
+    hook.addCommand(createHookPretoolCommand());
+    return hook;
+}

package/dist/commands/hook/pretool.js

@@ -0,0 +1,122 @@
+import { Command } from "commander";
+import { CommandInterceptor } from "../../core/command-interceptor.js";
+import { RegexScanner } from "../../scanners/regex-scanner.js";
+import { AuditLogger } from "../../core/audit-logger.js";
+import { execSync } from "child_process";
+export function createHookPretoolCommand() {
+    return new Command("pretool")
+        .description("PreToolUse hook handler (reads stdin, writes JSON decision to stdout)")
+        .action(async () => {
+        const input = await readStdin();
+        let payload;
+        try {
+            payload = JSON.parse(input);
+        }
+        catch {
+            // Can't parse → fail open
+            writeDecision({ decision: "allow" });
+            return;
+        }
+        const decision = evaluateToolCall(payload);
+        writeDecision(decision);
+    });
+}
+function evaluateToolCall(payload) {
+    const { tool_name, tool_input } = payload;
+    if (tool_name === "Bash") {
+        return evaluateBash(tool_input.command || "");
+    }
+    if (tool_name === "Write" || tool_name === "Edit") {
+        return evaluateWrite(tool_input);
+    }
+    return { decision: "allow" };
+}
+function evaluateBash(command) {
+    const interceptor = new CommandInterceptor();
+    const audit = new AuditLogger();
+    const evaluation = interceptor.evaluate(command);
+    // Blocked — hard deny
+    if (!evaluation.allowed && !evaluation.requiresApproval) {
+        audit.logCommandIntercepted(command, false, "blocked", evaluation.reason);
+        return {
+            decision: "deny",
+            reason: `Blocked by Rafter policy: ${evaluation.reason}`,
+        };
+    }
+    // Requires approval — deny (agent can't provide interactive approval)
+    if (evaluation.requiresApproval) {
+        audit.logCommandIntercepted(command, false, "blocked", evaluation.reason);
+        return {
+            decision: "deny",
+            reason: `Rafter policy requires approval: ${evaluation.reason}`,
+        };
+    }
+    // Git commit/push — scan staged files for secrets
+    const trimmed = command.trim();
+    if (trimmed.startsWith("git commit") || trimmed.startsWith("git push")) {
+        const scanResult = scanStagedFiles();
+        if (scanResult.secretsFound) {
+            audit.logSecretDetected("staged files", `${scanResult.count} secret(s)`, "blocked");
+            return {
+                decision: "deny",
+                reason: `${scanResult.count} secret(s) detected in ${scanResult.files} staged file(s). Run 'rafter agent scan --staged' for details.`,
+            };
+        }
+    }
+    audit.logCommandIntercepted(command, true, "allowed");
+    return { decision: "allow" };
+}
+function evaluateWrite(toolInput) {
+    // Write uses "content", Edit uses "new_string"
+    const content = toolInput.content || toolInput.new_string || "";
+    if (!content) {
+        return { decision: "allow" };
+    }
+    const scanner = new RegexScanner();
+    if (scanner.hasSecrets(content)) {
+        const matches = scanner.scanText(content);
+        const names = [...new Set(matches.map(m => m.pattern.name))];
+        const audit = new AuditLogger();
+        audit.logSecretDetected(toolInput.file_path || "file content", names.join(", "), "blocked");
+        return {
+            decision: "deny",
+            reason: `Secret detected in file content: ${names.join(", ")}`,
+        };
+    }
+    return { decision: "allow" };
+}
+function scanStagedFiles() {
+    try {
+        const stagedOutput = execSync("git diff --cached --name-only --diff-filter=ACM", {
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "ignore"],
+        }).trim();
+        if (!stagedOutput) {
+            return { secretsFound: false, count: 0, files: 0 };
+        }
+        const stagedFiles = stagedOutput.split("\n").filter(f => f.trim());
+        const scanner = new RegexScanner();
+        const results = scanner.scanFiles(stagedFiles);
+        const totalMatches = results.reduce((sum, r) => sum + r.matches.length, 0);
+        return {
+            secretsFound: results.length > 0,
+            count: totalMatches,
+            files: results.length,
+        };
+    }
+    catch {
+        return { secretsFound: false, count: 0, files: 0 };
+    }
+}
+function readStdin() {
+    return new Promise((resolve) => {
+        let data = "";
+        process.stdin.setEncoding("utf-8");
+        process.stdin.on("data", (chunk) => { data += chunk; });
+        process.stdin.on("end", () => { resolve(data); });
+        process.stdin.resume();
+    });
+}
+function writeDecision(decision) {
+    process.stdout.write(JSON.stringify(decision) + "\n");
+}

package/dist/commands/mcp/index.js

@@ -0,0 +1,8 @@
+import { Command } from "commander";
+import { createMcpServeCommand } from "./server.js";
+export function createMcpCommand() {
+    const mcp = new Command("mcp")
+        .description("MCP server for cross-platform security tools");
+    mcp.addCommand(createMcpServeCommand());
+    return mcp;
+}