@rafter-security/cli 0.4.2 → 0.5.3

package/dist/commands/ci/init.js

@@ -0,0 +1,191 @@
+import { Command } from "commander";
+import fs from "fs";
+import path from "path";
+import { fmt } from "../../utils/formatter.js";
+export function createCiInitCommand() {
+    return new Command("init")
+        .description("Generate CI/CD pipeline config for secret scanning")
+        .option("--platform <platform>", "CI platform: github, gitlab, circleci (default: auto-detect)")
+        .option("--output <path>", "Output file path (default: platform-specific)")
+        .option("--with-backend", "Include backend security audit job (requires RAFTER_API_KEY)")
+        .action((opts) => {
+        const platform = opts.platform || detectPlatform();
+        if (!platform) {
+            console.error(fmt.error("Could not auto-detect CI platform."));
+            console.error("Specify one with --platform github|gitlab|circleci");
+            process.exit(1);
+        }
+        const validPlatforms = ["github", "gitlab", "circleci"];
+        if (!validPlatforms.includes(platform)) {
+            console.error(fmt.error(`Unknown platform: ${platform}`));
+            console.error(`Valid options: ${validPlatforms.join(", ")}`);
+            process.exit(1);
+        }
+        const { content, defaultPath } = generateTemplate(platform, !!opts.withBackend);
+        const outputPath = opts.output || defaultPath;
+        const outputDir = path.dirname(outputPath);
+        if (!fs.existsSync(outputDir)) {
+            fs.mkdirSync(outputDir, { recursive: true });
+        }
+        fs.writeFileSync(outputPath, content, "utf-8");
+        console.log(fmt.success(`Generated ${platform} CI config at ${outputPath}`));
+        console.log();
+        console.log("Next steps:");
+        console.log(`  1. Review the generated file: ${outputPath}`);
+        if (opts.withBackend) {
+            if (platform === "github") {
+                console.log("  2. Add RAFTER_API_KEY to repo Settings > Secrets > Actions");
+            }
+            else if (platform === "gitlab") {
+                console.log("  2. Add RAFTER_API_KEY to Settings > CI/CD > Variables");
+            }
+            else {
+                console.log("  2. Add RAFTER_API_KEY to project environment variables");
+            }
+        }
+        console.log(`  ${opts.withBackend ? "3" : "2"}. Commit and push to trigger the pipeline`);
+        console.log();
+    });
+}
+function detectPlatform() {
+    if (fs.existsSync(".github"))
+        return "github";
+    if (fs.existsSync(".gitlab-ci.yml"))
+        return "gitlab";
+    if (fs.existsSync(".circleci"))
+        return "circleci";
+    return null;
+}
+function generateTemplate(platform, withBackend) {
+    switch (platform) {
+        case "github":
+            return { content: githubTemplate(withBackend), defaultPath: ".github/workflows/rafter-security.yml" };
+        case "gitlab":
+            return { content: gitlabTemplate(withBackend), defaultPath: ".gitlab-ci-rafter.yml" };
+        case "circleci":
+            return { content: circleciTemplate(withBackend), defaultPath: ".circleci/rafter-security.yml" };
+    }
+}
+function githubTemplate(withBackend) {
+    let yaml = `# Generated by: rafter ci init
+name: Rafter Security
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  secret-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rafter CLI
+        run: npm install -g @rafter-security/cli
+
+      - name: Scan for secrets
+        run: rafter agent scan . --quiet
+`;
+    if (withBackend) {
+        yaml += `
+  security-audit:
+    runs-on: ubuntu-latest
+    needs: secret-scan
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rafter CLI
+        run: npm install -g @rafter-security/cli
+
+      - name: Run security audit
+        env:
+          RAFTER_API_KEY: \${{ secrets.RAFTER_API_KEY }}
+        run: rafter run --format json --quiet
+`;
+    }
+    return yaml;
+}
+function gitlabTemplate(withBackend) {
+    let yaml = `# Generated by: rafter ci init
+stages:
+  - security
+
+secret-scan:
+  stage: security
+  image: node:20
+  script:
+    - npm install -g @rafter-security/cli
+    - rafter agent scan . --quiet
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "push"
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+`;
+    if (withBackend) {
+        yaml += `
+security-audit:
+  stage: security
+  image: node:20
+  needs: [secret-scan]
+  script:
+    - npm install -g @rafter-security/cli
+    - rafter run --format json --quiet
+  variables:
+    RAFTER_API_KEY: $RAFTER_API_KEY
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "push"
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+`;
+    }
+    return yaml;
+}
+function circleciTemplate(withBackend) {
+    let yaml = `# Generated by: rafter ci init
+version: 2.1
+
+jobs:
+  secret-scan:
+    docker:
+      - image: cimg/node:20.0
+    steps:
+      - checkout
+      - run:
+          name: Install Rafter CLI
+          command: npm install -g @rafter-security/cli
+      - run:
+          name: Scan for secrets
+          command: rafter agent scan . --quiet
+`;
+    if (withBackend) {
+        yaml += `
+  security-audit:
+    docker:
+      - image: cimg/node:20.0
+    steps:
+      - checkout
+      - run:
+          name: Install Rafter CLI
+          command: npm install -g @rafter-security/cli
+      - run:
+          name: Run security audit
+          command: rafter run --format json --quiet
+`;
+    }
+    yaml += `
+workflows:
+  security:
+    jobs:
+      - secret-scan`;
+    if (withBackend) {
+        yaml += `
+      - security-audit:
+          requires:
+            - secret-scan`;
+    }
+    yaml += "\n";
+    return yaml;
+}

package/dist/commands/completion.js

@@ -0,0 +1,170 @@
+import { Command } from "commander";
+const BASH_COMPLETION = `
+# rafter bash completion
+# Add to ~/.bashrc: eval "$(rafter completion bash)"
+_rafter_completion() {
+  local cur prev words
+  COMPREPLY=()
+  cur="\${COMP_WORDS[COMP_CWORD]}"
+  prev="\${COMP_WORDS[COMP_CWORD-1]}"
+  words="\${COMP_WORDS[*]}"
+
+  local top_cmds="run scan get usage agent ci hook mcp policy completion --help --version"
+  local agent_cmds="init scan exec config audit audit-skill install-hook verify status"
+  local ci_cmds="init"
+  local hook_cmds="pretool posttool"
+  local policy_cmds="export"
+
+  if [[ \${COMP_CWORD} -eq 1 ]]; then
+    COMPREPLY=( \$(compgen -W "\${top_cmds}" -- "\${cur}") )
+    return 0
+  fi
+
+  case "\${COMP_WORDS[1]}" in
+    agent)
+      if [[ \${COMP_CWORD} -eq 2 ]]; then
+        COMPREPLY=( \$(compgen -W "\${agent_cmds}" -- "\${cur}") )
+      fi
+      case "\${COMP_WORDS[2]}" in
+        scan)  COMPREPLY=( \$(compgen -W "--quiet --json --format --staged --diff --engine" -- "\${cur}") ) ;;
+        init)  COMPREPLY=( \$(compgen -W "--risk-level --skip-gitleaks --skip-openclaw --skip-claude-code --force" -- "\${cur}") ) ;;
+        verify) COMPREPLY=() ;;
+        status) COMPREPLY=() ;;
+        audit-skill) COMPREPLY=( \$(compgen -W "--skip-openclaw --json" -- "\${cur}") ) ;;
+        install-hook) COMPREPLY=( \$(compgen -W "--global" -- "\${cur}") ) ;;
+        config) COMPREPLY=( \$(compgen -W "show get set" -- "\${cur}") ) ;;
+        audit)  COMPREPLY=( \$(compgen -W "--last --event --agent --since" -- "\${cur}") ) ;;
+      esac
+      ;;
+    hook)
+      COMPREPLY=( \$(compgen -W "\${hook_cmds}" -- "\${cur}") )
+      ;;
+    ci)
+      if [[ \${COMP_CWORD} -eq 2 ]]; then
+        COMPREPLY=( \$(compgen -W "\${ci_cmds}" -- "\${cur}") )
+      fi
+      ;;
+    policy)
+      COMPREPLY=( \$(compgen -W "\${policy_cmds}" -- "\${cur}") )
+      ;;
+    run|scan)
+      COMPREPLY=( \$(compgen -W "--api-key --format --quiet" -- "\${cur}") )
+      ;;
+    completion)
+      COMPREPLY=( \$(compgen -W "bash zsh fish" -- "\${cur}") )
+      ;;
+  esac
+}
+complete -F _rafter_completion rafter
+`;
+const ZSH_COMPLETION = `
+# rafter zsh completion
+# Add to ~/.zshrc: eval "$(rafter completion zsh)"
+#compdef rafter
+
+_rafter() {
+  local state
+  typeset -A opt_args
+
+  _arguments \\
+    '1: :->cmd' \\
+    '*: :->args'
+
+  case \$state in
+    cmd)
+      _values 'command' \\
+        'run[Run a security scan via backend]' \\
+        'scan[Alias for run]' \\
+        'agent[Agent security features]' \\
+        'ci[CI/CD integration]' \\
+        'hook[Hook handlers]' \\
+        'mcp[MCP server]' \\
+        'policy[Policy management]' \\
+        'completion[Shell completion scripts]'
+      ;;
+    args)
+      case \$words[2] in
+        agent)
+          _values 'subcommand' \\
+            'init[Initialize agent security]' \\
+            'scan[Scan for secrets]' \\
+            'exec[Execute command with security validation]' \\
+            'config[Manage configuration]' \\
+            'audit[View audit logs]' \\
+            'audit-skill[Audit a skill file]' \\
+            'install-hook[Install git pre-commit hook]' \\
+            'verify[Health check]' \\
+            'status[Status dashboard]'
+          ;;
+        hook)
+          _values 'subcommand' 'pretool[PreToolUse handler]' 'posttool[PostToolUse handler]'
+          ;;
+        completion)
+          _values 'shell' 'bash' 'zsh' 'fish'
+          ;;
+      esac
+      ;;
+  esac
+}
+
+_rafter
+`;
+const FISH_COMPLETION = `
+# rafter fish completion
+# Save to ~/.config/fish/completions/rafter.fish
+# Or: rafter completion fish > ~/.config/fish/completions/rafter.fish
+
+complete -c rafter -f
+complete -c rafter -n '__fish_use_subcommand' -a 'run' -d 'Run a security scan via backend'
+complete -c rafter -n '__fish_use_subcommand' -a 'agent' -d 'Agent security features'
+complete -c rafter -n '__fish_use_subcommand' -a 'ci' -d 'CI/CD integration'
+complete -c rafter -n '__fish_use_subcommand' -a 'hook' -d 'Hook handlers'
+complete -c rafter -n '__fish_use_subcommand' -a 'mcp' -d 'MCP server'
+complete -c rafter -n '__fish_use_subcommand' -a 'completion' -d 'Shell completion scripts'
+
+# agent subcommands
+complete -c rafter -n '__fish_seen_subcommand_from agent' -a 'init scan exec config audit audit-skill install-hook verify status'
+complete -c rafter -n '__fish_seen_subcommand_from agent; and __fish_seen_subcommand_from scan' -l quiet -s q -d 'Only output if secrets found'
+complete -c rafter -n '__fish_seen_subcommand_from agent; and __fish_seen_subcommand_from scan' -l json -d 'JSON output'
+complete -c rafter -n '__fish_seen_subcommand_from agent; and __fish_seen_subcommand_from scan' -l format -d 'Output format: text, json, sarif'
+complete -c rafter -n '__fish_seen_subcommand_from agent; and __fish_seen_subcommand_from scan' -l staged -d 'Scan staged files'
+complete -c rafter -n '__fish_seen_subcommand_from agent; and __fish_seen_subcommand_from scan' -l engine -d 'Engine: gitleaks, patterns, auto'
+
+# hook subcommands
+complete -c rafter -n '__fish_seen_subcommand_from hook' -a 'pretool posttool'
+
+# completion subcommands
+complete -c rafter -n '__fish_seen_subcommand_from completion' -a 'bash zsh fish'
+`;
+export function createCompletionCommand() {
+    return new Command("completion")
+        .description("Generate shell completion scripts")
+        .argument("<shell>", "Shell type: bash, zsh, or fish")
+        .addHelpText("after", `
+Examples:
+  # bash — add to ~/.bashrc
+  eval "$(rafter completion bash)"
+
+  # zsh — add to ~/.zshrc
+  eval "$(rafter completion zsh)"
+
+  # fish — save to completions dir
+  rafter completion fish > ~/.config/fish/completions/rafter.fish
+`)
+        .action((shell) => {
+        switch (shell.toLowerCase()) {
+            case "bash":
+                process.stdout.write(BASH_COMPLETION.trimStart());
+                break;
+            case "zsh":
+                process.stdout.write(ZSH_COMPLETION.trimStart());
+                break;
+            case "fish":
+                process.stdout.write(FISH_COMPLETION.trimStart());
+                break;
+            default:
+                console.error(`Unknown shell: ${shell}. Supported: bash, zsh, fish`);
+                process.exit(1);
+        }
+    });
+}

package/dist/commands/hook/index.js

@@ -0,0 +1,10 @@
+import { Command } from "commander";
+import { createHookPretoolCommand } from "./pretool.js";
+import { createHookPosttoolCommand } from "./posttool.js";
+export function createHookCommand() {
+    const hook = new Command("hook")
+        .description("Hook handlers for agent platform integration");
+    hook.addCommand(createHookPretoolCommand());
+    hook.addCommand(createHookPosttoolCommand());
+    return hook;
+}

package/dist/commands/hook/posttool.js

@@ -0,0 +1,73 @@
+import { Command } from "commander";
+import { RegexScanner } from "../../scanners/regex-scanner.js";
+import { AuditLogger } from "../../core/audit-logger.js";
+export function createHookPosttoolCommand() {
+    return new Command("posttool")
+        .description("PostToolUse hook handler (reads stdin, redacts secrets in output, writes JSON to stdout)")
+        .action(async () => {
+        const input = await readStdin();
+        let payload;
+        try {
+            payload = JSON.parse(input);
+        }
+        catch {
+            writeOutput({ action: "continue" });
+            return;
+        }
+        const output = evaluateToolResponse(payload);
+        writeOutput(output);
+    });
+}
+function evaluateToolResponse(payload) {
+    const { tool_response } = payload;
+    // No response body — pass through
+    if (!tool_response) {
+        return { action: "continue" };
+    }
+    const scanner = new RegexScanner();
+    let modified = false;
+    const redacted = { ...tool_response };
+    // Scan and redact output
+    if (typeof tool_response.output === "string" && tool_response.output) {
+        if (scanner.hasSecrets(tool_response.output)) {
+            redacted.output = scanner.redact(tool_response.output);
+            modified = true;
+        }
+    }
+    // Scan and redact content (used by some tools)
+    if (typeof tool_response.content === "string" && tool_response.content) {
+        if (scanner.hasSecrets(tool_response.content)) {
+            redacted.content = scanner.redact(tool_response.content);
+            modified = true;
+        }
+    }
+    if (modified) {
+        const audit = new AuditLogger();
+        const matchCount = countMatches(scanner, tool_response);
+        audit.logContentSanitized(`${payload.tool_name} tool response`, matchCount);
+        return { action: "modify", tool_response: redacted };
+    }
+    return { action: "continue" };
+}
+function countMatches(scanner, tool_response) {
+    let count = 0;
+    if (typeof tool_response?.output === "string" && tool_response.output) {
+        count += scanner.scanText(tool_response.output).length;
+    }
+    if (typeof tool_response?.content === "string" && tool_response.content) {
+        count += scanner.scanText(tool_response.content).length;
+    }
+    return count;
+}
+function readStdin() {
+    return new Promise((resolve) => {
+        let data = "";
+        process.stdin.setEncoding("utf-8");
+        process.stdin.on("data", (chunk) => { data += chunk; });
+        process.stdin.on("end", () => { resolve(data); });
+        process.stdin.resume();
+    });
+}
+function writeOutput(output) {
+    process.stdout.write(JSON.stringify(output) + "\n");
+}

package/dist/commands/hook/pretool.js

@@ -0,0 +1,122 @@
+import { Command } from "commander";
+import { CommandInterceptor } from "../../core/command-interceptor.js";
+import { RegexScanner } from "../../scanners/regex-scanner.js";
+import { AuditLogger } from "../../core/audit-logger.js";
+import { execSync } from "child_process";
+export function createHookPretoolCommand() {
+    return new Command("pretool")
+        .description("PreToolUse hook handler (reads stdin, writes JSON decision to stdout)")
+        .action(async () => {
+        const input = await readStdin();
+        let payload;
+        try {
+            payload = JSON.parse(input);
+        }
+        catch {
+            // Can't parse → fail open
+            writeDecision({ decision: "allow" });
+            return;
+        }
+        const decision = evaluateToolCall(payload);
+        writeDecision(decision);
+    });
+}
+function evaluateToolCall(payload) {
+    const { tool_name, tool_input } = payload;
+    if (tool_name === "Bash") {
+        return evaluateBash(tool_input.command || "");
+    }
+    if (tool_name === "Write" || tool_name === "Edit") {
+        return evaluateWrite(tool_input);
+    }
+    return { decision: "allow" };
+}
+function evaluateBash(command) {
+    const interceptor = new CommandInterceptor();
+    const audit = new AuditLogger();
+    const evaluation = interceptor.evaluate(command);
+    // Blocked — hard deny
+    if (!evaluation.allowed && !evaluation.requiresApproval) {
+        audit.logCommandIntercepted(command, false, "blocked", evaluation.reason);
+        return {
+            decision: "deny",
+            reason: `Blocked by Rafter policy: ${evaluation.reason}`,
+        };
+    }
+    // Requires approval — deny (agent can't provide interactive approval)
+    if (evaluation.requiresApproval) {
+        audit.logCommandIntercepted(command, false, "blocked", evaluation.reason);
+        return {
+            decision: "deny",
+            reason: `Rafter policy requires approval: ${evaluation.reason}`,
+        };
+    }
+    // Git commit/push — scan staged files for secrets
+    const trimmed = command.trim();
+    if (trimmed.startsWith("git commit") || trimmed.startsWith("git push")) {
+        const scanResult = scanStagedFiles();
+        if (scanResult.secretsFound) {
+            audit.logSecretDetected("staged files", `${scanResult.count} secret(s)`, "blocked");
+            return {
+                decision: "deny",
+                reason: `${scanResult.count} secret(s) detected in ${scanResult.files} staged file(s). Run 'rafter agent scan --staged' for details.`,
+            };
+        }
+    }
+    audit.logCommandIntercepted(command, true, "allowed");
+    return { decision: "allow" };
+}
+function evaluateWrite(toolInput) {
+    // Write uses "content", Edit uses "new_string"
+    const content = toolInput.content || toolInput.new_string || "";
+    if (!content) {
+        return { decision: "allow" };
+    }
+    const scanner = new RegexScanner();
+    if (scanner.hasSecrets(content)) {
+        const matches = scanner.scanText(content);
+        const names = [...new Set(matches.map(m => m.pattern.name))];
+        const audit = new AuditLogger();
+        audit.logSecretDetected(toolInput.file_path || "file content", names.join(", "), "blocked");
+        return {
+            decision: "deny",
+            reason: `Secret detected in file content: ${names.join(", ")}`,
+        };
+    }
+    return { decision: "allow" };
+}
+function scanStagedFiles() {
+    try {
+        const stagedOutput = execSync("git diff --cached --name-only --diff-filter=ACM", {
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "ignore"],
+        }).trim();
+        if (!stagedOutput) {
+            return { secretsFound: false, count: 0, files: 0 };
+        }
+        const stagedFiles = stagedOutput.split("\n").filter(f => f.trim());
+        const scanner = new RegexScanner();
+        const results = scanner.scanFiles(stagedFiles);
+        const totalMatches = results.reduce((sum, r) => sum + r.matches.length, 0);
+        return {
+            secretsFound: results.length > 0,
+            count: totalMatches,
+            files: results.length,
+        };
+    }
+    catch {
+        return { secretsFound: false, count: 0, files: 0 };
+    }
+}
+function readStdin() {
+    return new Promise((resolve) => {
+        let data = "";
+        process.stdin.setEncoding("utf-8");
+        process.stdin.on("data", (chunk) => { data += chunk; });
+        process.stdin.on("end", () => { resolve(data); });
+        process.stdin.resume();
+    });
+}
+function writeDecision(decision) {
+    process.stdout.write(JSON.stringify(decision) + "\n");
+}

package/dist/commands/mcp/index.js

@@ -0,0 +1,8 @@
+import { Command } from "commander";
+import { createMcpServeCommand } from "./server.js";
+export function createMcpCommand() {
+    const mcp = new Command("mcp")
+        .description("MCP server for cross-platform security tools");
+    mcp.addCommand(createMcpServeCommand());
+    return mcp;
+}