@rafter-security/cli 0.4.1 → 0.5.1

package/dist/core/policy-loader.js

@@ -0,0 +1,167 @@
+import fs from "fs";
+import path from "path";
+import { execSync } from "child_process";
+import yaml from "js-yaml";
+const POLICY_FILENAMES = [".rafter.yml", ".rafter.yaml"];
+/**
+ * Find a policy file by walking from cwd up to git root
+ */
+export function findPolicyFile() {
+    let dir = process.cwd();
+    const root = getGitRoot() || path.parse(dir).root;
+    while (true) {
+        for (const filename of POLICY_FILENAMES) {
+            const candidate = path.join(dir, filename);
+            if (fs.existsSync(candidate)) {
+                return candidate;
+            }
+        }
+        const parent = path.dirname(dir);
+        if (parent === dir || dir === root) {
+            break;
+        }
+        dir = parent;
+    }
+    return null;
+}
+/**
+ * Load and parse the policy file, returning null if not found
+ */
+export function loadPolicy() {
+    const policyPath = findPolicyFile();
+    if (!policyPath)
+        return null;
+    try {
+        const content = fs.readFileSync(policyPath, "utf-8");
+        const parsed = yaml.load(content);
+        if (!parsed || typeof parsed !== "object")
+            return null;
+        return validatePolicy(mapPolicy(parsed), parsed);
+    }
+    catch (e) {
+        console.error(`Warning: Failed to parse policy file ${policyPath}: ${e.message}`);
+        return null;
+    }
+}
+/**
+ * Map snake_case YAML keys to camelCase PolicyFile
+ */
+function mapPolicy(raw) {
+    const policy = {};
+    if (raw.version)
+        policy.version = String(raw.version);
+    if (raw.risk_level)
+        policy.riskLevel = raw.risk_level;
+    if (raw.command_policy && typeof raw.command_policy === "object") {
+        policy.commandPolicy = {};
+        if (raw.command_policy.mode)
+            policy.commandPolicy.mode = raw.command_policy.mode;
+        if (Array.isArray(raw.command_policy.blocked_patterns)) {
+            policy.commandPolicy.blockedPatterns = raw.command_policy.blocked_patterns;
+        }
+        if (Array.isArray(raw.command_policy.require_approval)) {
+            policy.commandPolicy.requireApproval = raw.command_policy.require_approval;
+        }
+    }
+    if (raw.scan && typeof raw.scan === "object") {
+        policy.scan = {};
+        if (Array.isArray(raw.scan.exclude_paths)) {
+            policy.scan.excludePaths = raw.scan.exclude_paths;
+        }
+        if (Array.isArray(raw.scan.custom_patterns)) {
+            policy.scan.customPatterns = raw.scan.custom_patterns.map((p) => ({
+                name: p.name,
+                regex: p.regex,
+                severity: p.severity || "high",
+            }));
+        }
+    }
+    if (raw.audit && typeof raw.audit === "object") {
+        policy.audit = {};
+        if (raw.audit.retention_days != null) {
+            policy.audit.retentionDays = Number(raw.audit.retention_days);
+        }
+        if (raw.audit.log_level)
+            policy.audit.logLevel = raw.audit.log_level;
+    }
+    return policy;
+}
+const VALID_TOP_LEVEL_KEYS = new Set(["version", "risk_level", "command_policy", "scan", "audit"]);
+const VALID_RISK_LEVELS = new Set(["minimal", "moderate", "aggressive"]);
+const VALID_COMMAND_MODES = new Set(["allow-all", "approve-dangerous", "deny-list"]);
+const VALID_LOG_LEVELS = new Set(["debug", "info", "warn", "error"]);
+/**
+ * Validate a mapped policy, warn on stderr for invalid fields, strip them out.
+ * `raw` is the original parsed YAML (snake_case keys) for unknown-key detection.
+ */
+function validatePolicy(policy, raw) {
+    // 1. Unknown top-level keys
+    for (const key of Object.keys(raw)) {
+        if (!VALID_TOP_LEVEL_KEYS.has(key)) {
+            console.error(`Warning: Unknown policy key "${key}" — ignoring.`);
+        }
+    }
+    // 2. Type checking + strip invalid
+    if (policy.version !== undefined && typeof policy.version !== "string") {
+        console.error(`Warning: "version" must be a string — ignoring.`);
+        delete policy.version;
+    }
+    if (policy.riskLevel !== undefined && !VALID_RISK_LEVELS.has(policy.riskLevel)) {
+        console.error(`Warning: "risk_level" must be one of: minimal, moderate, aggressive — ignoring.`);
+        delete policy.riskLevel;
+    }
+    if (policy.commandPolicy) {
+        if (policy.commandPolicy.mode !== undefined && !VALID_COMMAND_MODES.has(policy.commandPolicy.mode)) {
+            console.error(`Warning: "command_policy.mode" must be one of: allow-all, approve-dangerous, deny-list — ignoring.`);
+            delete policy.commandPolicy.mode;
+        }
+        if (policy.commandPolicy.blockedPatterns !== undefined) {
+            if (!Array.isArray(policy.commandPolicy.blockedPatterns) || !policy.commandPolicy.blockedPatterns.every((v) => typeof v === "string")) {
+                console.error(`Warning: "command_policy.blocked_patterns" must be an array of strings — ignoring.`);
+                delete policy.commandPolicy.blockedPatterns;
+            }
+        }
+        if (policy.commandPolicy.requireApproval !== undefined) {
+            if (!Array.isArray(policy.commandPolicy.requireApproval) || !policy.commandPolicy.requireApproval.every((v) => typeof v === "string")) {
+                console.error(`Warning: "command_policy.require_approval" must be an array of strings — ignoring.`);
+                delete policy.commandPolicy.requireApproval;
+            }
+        }
+    }
+    if (policy.scan) {
+        if (policy.scan.excludePaths !== undefined) {
+            if (!Array.isArray(policy.scan.excludePaths) || !policy.scan.excludePaths.every((v) => typeof v === "string")) {
+                console.error(`Warning: "scan.exclude_paths" must be an array of strings — ignoring.`);
+                delete policy.scan.excludePaths;
+            }
+        }
+        if (policy.scan.customPatterns !== undefined) {
+            if (!Array.isArray(policy.scan.customPatterns) || !policy.scan.customPatterns.every((v) => v && typeof v === "object" && typeof v.name === "string" && v.name !== "" && typeof v.regex === "string" && v.regex !== "" && typeof v.severity === "string")) {
+                console.error(`Warning: "scan.custom_patterns" must be an array of objects with name, regex, severity — ignoring.`);
+                delete policy.scan.customPatterns;
+            }
+        }
+    }
+    if (policy.audit) {
+        if (policy.audit.retentionDays !== undefined && (typeof policy.audit.retentionDays !== "number" || isNaN(policy.audit.retentionDays))) {
+            console.error(`Warning: "audit.retention_days" must be a number — ignoring.`);
+            delete policy.audit.retentionDays;
+        }
+        if (policy.audit.logLevel !== undefined && !VALID_LOG_LEVELS.has(policy.audit.logLevel)) {
+            console.error(`Warning: "audit.log_level" must be one of: debug, info, warn, error — ignoring.`);
+            delete policy.audit.logLevel;
+        }
+    }
+    return policy;
+}
+function getGitRoot() {
+    try {
+        return execSync("git rev-parse --show-toplevel", {
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "ignore"],
+        }).trim();
+    }
+    catch {
+        return null;
+    }
+}

package/dist/core/risk-rules.js

@@ -0,0 +1,67 @@
+/**
+ * Centralized risk assessment rules.
+ * Single source of truth — imported by command-interceptor, audit-logger, and config-defaults.
+ */
+export const CRITICAL_PATTERNS = [
+    /rm\s+-rf\s+\//,
+    /:\(\)\{\s*:\|:&\s*\};:/, // fork bomb
+    /dd\s+if=.*of=\/dev\/sd/,
+    />\s*\/dev\/sd/,
+    /mkfs/,
+    /fdisk/,
+    /parted/,
+];
+export const HIGH_PATTERNS = [
+    /rm\s+-rf/,
+    /sudo\s+rm/,
+    /chmod\s+777/,
+    /curl.*\|\s*(bash|sh|zsh|dash)\b/,
+    /wget.*\|\s*(bash|sh|zsh|dash)\b/,
+    /git\s+push\s+--force/,
+    /docker\s+system\s+prune/,
+    /npm\s+publish/,
+    /pypi.*upload/,
+];
+export const MEDIUM_PATTERNS = [
+    /sudo/,
+    /chmod/,
+    /chown/,
+    /systemctl/,
+    /service/,
+    /kill\s+-9/,
+    /pkill/,
+    /killall/,
+];
+export const DEFAULT_BLOCKED_PATTERNS = [
+    "rm -rf /",
+    ":(){ :|:& };:",
+    "dd if=/dev/zero of=/dev/sda",
+    "> /dev/sda",
+];
+export const DEFAULT_REQUIRE_APPROVAL = [
+    "rm -rf",
+    "sudo rm",
+    "curl.*\\|\\s*(bash|sh|zsh|dash)\\b",
+    "wget.*\\|\\s*(bash|sh|zsh|dash)\\b",
+    "chmod 777",
+    "git push --force",
+];
+/**
+ * Assess risk level of a command string.
+ */
+export function assessCommandRisk(command) {
+    const cmd = command.toLowerCase();
+    for (const pattern of CRITICAL_PATTERNS) {
+        if (pattern.test(cmd))
+            return "critical";
+    }
+    for (const pattern of HIGH_PATTERNS) {
+        if (pattern.test(cmd))
+            return "high";
+    }
+    for (const pattern of MEDIUM_PATTERNS) {
+        if (pattern.test(cmd))
+            return "medium";
+    }
+    return "low";
+}

package/dist/index.js

@@ -5,19 +5,40 @@ import { createRunCommand } from "./commands/backend/run.js";
 import { createGetCommand } from "./commands/backend/get.js";
 import { createUsageCommand } from "./commands/backend/usage.js";
 import { createAgentCommand } from "./commands/agent/index.js";
+import { createCiCommand } from "./commands/ci/index.js";
+import { createHookCommand } from "./commands/hook/index.js";
+import { createMcpCommand } from "./commands/mcp/index.js";
+import { createPolicyCommand } from "./commands/policy/index.js";
 import { checkForUpdate } from "./utils/update-checker.js";
+import { setAgentMode } from "./utils/formatter.js";
 dotenv.config();
-const VERSION = "0.4.1";
+const VERSION = "0.5.0";
 const program = new Command()
     .name("rafter")
     .description("Rafter CLI")
-    .version(VERSION);
+    .version(VERSION)
+    .option("-a, --agent", "Plain output for AI agents (no colors/emoji)");
+// Set agent mode before any subcommand runs
+program.hook("preAction", (thisCommand) => {
+    const opts = thisCommand.opts();
+    if (opts.agent) {
+        setAgentMode(true);
+    }
+});
 // Backend commands (existing)
 program.addCommand(createRunCommand());
 program.addCommand(createGetCommand());
 program.addCommand(createUsageCommand());
 // Agent commands
 program.addCommand(createAgentCommand());
+// CI commands
+program.addCommand(createCiCommand());
+// Hook commands (for agent platform integration)
+program.addCommand(createHookCommand());
+// MCP server
+program.addCommand(createMcpCommand());
+// Policy commands
+program.addCommand(createPolicyCommand());
 // Non-blocking update check — runs after command, prints to stderr
 checkForUpdate(VERSION).then((notice) => {
     if (notice)

package/dist/scanners/gitleaks.js

@@ -1,9 +1,10 @@
-import { exec } from "child_process";
+import { execFile } from "child_process";
 import { promisify } from "util";
 import { BinaryManager } from "../utils/binary-manager.js";
 import fs from "fs";
+import os from "os";
 import path from "path";
-const execAsync = promisify(exec);
+const execFileAsync = promisify(execFile);
 export class GitleaksScanner {
     constructor() {
         this.binaryManager = new BinaryManager();
@@ -25,10 +26,10 @@ export class GitleaksScanner {
             throw new Error("Gitleaks not available");
         }
         const gitleaksPath = this.binaryManager.getGitleaksPath();
-        const tmpReport = path.join("/tmp", `gitleaks-${Date.now()}.json`);
+        const tmpReport = path.join(os.tmpdir(), `gitleaks-${Date.now()}-${Math.random().toString(36).slice(2, 8)}.json`);
         try {
             // Run gitleaks detect on file
-            await execAsync(`"${gitleaksPath}" detect --no-git -f json -r "${tmpReport}" -s "${filePath}"`, { timeout: 30000 });
+            await execFileAsync(gitleaksPath, ["detect", "--no-git", "-f", "json", "-r", tmpReport, "-s", filePath], { timeout: 30000 });
             // If no leaks found, gitleaks exits 0 with empty report
             if (!fs.existsSync(tmpReport)) {
                 return { file: filePath, matches: [] };
@@ -85,10 +86,10 @@ export class GitleaksScanner {
             throw new Error("Gitleaks not available");
         }
         const gitleaksPath = this.binaryManager.getGitleaksPath();
-        const tmpReport = path.join("/tmp", `gitleaks-${Date.now()}.json`);
+        const tmpReport = path.join(os.tmpdir(), `gitleaks-${Date.now()}-${Math.random().toString(36).slice(2, 8)}.json`);
         try {
             // Run gitleaks detect on directory
-            await execAsync(`"${gitleaksPath}" detect --no-git -f json -r "${tmpReport}" -s "${dirPath}"`, { timeout: 60000 });
+            await execFileAsync(gitleaksPath, ["detect", "--no-git", "-f", "json", "-r", tmpReport, "-s", dirPath], { timeout: 60000 });
             // No leaks found
             if (!fs.existsSync(tmpReport)) {
                 return [];

package/dist/scanners/regex-scanner.js

@@ -3,8 +3,18 @@ import path from "path";
 import { PatternEngine } from "../core/pattern-engine.js";
 import { DEFAULT_SECRET_PATTERNS } from "./secret-patterns.js";
 export class RegexScanner {
-    constructor() {
-        this.engine = new PatternEngine(DEFAULT_SECRET_PATTERNS);
+    constructor(customPatterns) {
+        const patterns = [...DEFAULT_SECRET_PATTERNS];
+        if (customPatterns) {
+            for (const cp of customPatterns) {
+                patterns.push({
+                    name: cp.name,
+                    regex: cp.regex,
+                    severity: cp.severity,
+                });
+            }
+        }
+        this.engine = new PatternEngine(patterns);
     }
     /**
      * Scan a single file for secrets
@@ -53,6 +63,16 @@ export class RegexScanner {
             ".vscode",
             ".idea"
         ];
+        // Merge policy excludePaths into the exclude list
+        if (options?.excludePaths) {
+            for (const ep of options.excludePaths) {
+                // Strip trailing slashes for directory name matching
+                const cleaned = ep.replace(/\/+$/, "");
+                if (!exclude.includes(cleaned)) {
+                    exclude.push(cleaned);
+                }
+            }
+        }
         const files = this.walkDirectory(dirPath, exclude, options?.maxDepth || 10);
         return this.scanFiles(files);
     }

package/dist/utils/formatter.js

@@ -0,0 +1,52 @@
+import chalk from "chalk";
+let agentMode = false;
+export function setAgentMode(enabled) {
+    agentMode = enabled;
+}
+export function isAgentMode() {
+    return agentMode;
+}
+export const fmt = {
+    header(text) {
+        if (agentMode)
+            return `=== ${text} ===`;
+        return chalk.bold(`\n${chalk.cyan("┌─")} ${text} ${chalk.cyan("─┐")}\n`);
+    },
+    success(text) {
+        if (agentMode)
+            return `[OK] ${text}`;
+        return chalk.green(`✓ ${text}`);
+    },
+    warning(text) {
+        if (agentMode)
+            return `[WARN] ${text}`;
+        return chalk.yellow(`⚠️  ${text}`);
+    },
+    error(text) {
+        if (agentMode)
+            return `[ERROR] ${text}`;
+        return chalk.red(`✗ ${text}`);
+    },
+    severity(level) {
+        const upper = level.toUpperCase();
+        if (agentMode)
+            return `[${upper}]`;
+        switch (level) {
+            case "critical": return chalk.bgRed.white.bold(` ${upper} `);
+            case "high": return chalk.bgYellow.black.bold(` ${upper} `);
+            case "medium": return chalk.bgBlue.white(` ${upper} `);
+            case "low": return chalk.bgGreen.white(` ${upper} `);
+            default: return `[${upper}]`;
+        }
+    },
+    divider() {
+        if (agentMode)
+            return "---";
+        return chalk.gray("═".repeat(50));
+    },
+    info(text) {
+        if (agentMode)
+            return text;
+        return chalk.cyan(text);
+    },
+};

package/package.json

@@ -1,12 +1,13 @@
 {
   "name": "@rafter-security/cli",
-  "version": "0.4.1",
+  "version": "0.5.1",
   "type": "module",
   "bin": {
     "rafter": "./dist/index.js"
   },
   "files": [
-    "dist"
+    "dist",
+    "resources"
   ],
   "scripts": {
     "build": "tsc -p tsconfig.json",
@@ -18,17 +19,20 @@
   },
   "license": "MIT",
   "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.12.0",
     "axios": "^1.6.8",
     "chalk": "^5.3.0",
     "commander": "^11.1.0",
     "dotenv": "^16.4.5",
+    "js-yaml": "^4.1.0",
     "ora": "^7.0.1",
     "tar": "^7.5.7"
   },
   "devDependencies": {
+    "@types/js-yaml": "^4.0.9",
     "@types/node": "^20.11.30",
     "tsx": "^4.7.0",
     "typescript": "^5.4.5",
-    "vitest": "^1.5.0"
+    "vitest": "^4.0.18"
   }
 }

package/resources/pre-commit-hook.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+# Rafter Security Pre-Commit Hook
+# Scans staged files for secrets before allowing commits
+
+# Colors for output
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+NC='\033[0m' # No Color
+
+# Check if rafter is installed
+if ! command -v rafter &> /dev/null; then
+    echo -e "${YELLOW}⚠️  Warning: rafter CLI not found in PATH${NC}"
+    echo "   Install: npm install -g @rafter-security/cli"
+    echo "   Skipping secret scan..."
+    exit 0
+fi
+
+# Get list of staged files
+STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
+
+if [ -z "$STAGED_FILES" ]; then
+    # No files staged
+    exit 0
+fi
+
+echo "🔍 Rafter: Scanning staged files for secrets..."
+
+# Scan staged files
+rafter agent scan --staged --quiet
+
+EXIT_CODE=$?
+
+if [ $EXIT_CODE -ne 0 ]; then
+    echo -e "${RED}❌ Commit blocked: Secrets detected in staged files${NC}"
+    echo ""
+    echo "   Run: rafter agent scan --staged"
+    echo "   To see details and remediate."
+    echo ""
+    echo "   To bypass (NOT recommended): git commit --no-verify"
+    exit 1
+fi
+
+echo -e "${GREEN}✓ No secrets detected${NC}"
+exit 0