@rafter-security/cli 0.4.2 → 0.5.3

package/dist/core/custom-patterns.js

@@ -0,0 +1,157 @@
+/**
+ * Load custom secret patterns from ~/.rafter/patterns/
+ * and suppression rules from .rafterignore.
+ */
+import fs from "fs";
+import path from "path";
+import { getRafterDir } from "./config-defaults.js";
+// ---------------------------------------------------------------------------
+// Custom pattern loading
+// ---------------------------------------------------------------------------
+/**
+ * Load user-defined patterns from ~/.rafter/patterns/*.txt and *.json.
+ *
+ * .txt  — one regex per line (comments with # ignored)
+ * .json — array of {name, pattern, severity?} objects
+ *
+ * Returns Pattern[] merged with DEFAULT_SECRET_PATTERNS by callers.
+ */
+export function loadCustomPatterns() {
+    const patternsDir = path.join(getRafterDir(), "patterns");
+    if (!fs.existsSync(patternsDir))
+        return [];
+    const results = [];
+    let entries;
+    try {
+        entries = fs.readdirSync(patternsDir, { withFileTypes: true });
+    }
+    catch {
+        return [];
+    }
+    for (const entry of entries) {
+        if (!entry.isFile())
+            continue;
+        const file = path.join(patternsDir, entry.name);
+        const ext = path.extname(entry.name).toLowerCase();
+        if (ext === ".txt") {
+            results.push(...loadTxtPatterns(file));
+        }
+        else if (ext === ".json") {
+            results.push(...loadJsonPatterns(file));
+        }
+    }
+    return results;
+}
+function loadTxtPatterns(file) {
+    try {
+        const lines = fs.readFileSync(file, "utf-8").split("\n");
+        const patterns = [];
+        for (const raw of lines) {
+            const line = raw.trim();
+            if (!line || line.startsWith("#"))
+                continue;
+            patterns.push({
+                name: `Custom (${path.basename(file, ".txt")})`,
+                regex: line,
+                severity: "high",
+            });
+        }
+        return patterns;
+    }
+    catch {
+        return [];
+    }
+}
+function loadJsonPatterns(file) {
+    try {
+        const data = JSON.parse(fs.readFileSync(file, "utf-8"));
+        if (!Array.isArray(data))
+            return [];
+        const patterns = [];
+        for (const entry of data) {
+            if (typeof entry.pattern !== "string")
+                continue;
+            patterns.push({
+                name: entry.name ?? `Custom (${path.basename(file, ".json")})`,
+                regex: entry.pattern,
+                severity: entry.severity ?? "high",
+                description: entry.description,
+            });
+        }
+        return patterns;
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Parse .rafterignore from the given directory (project root).
+ *
+ * Format — one entry per line:
+ *   path/glob                     → suppress all findings in matching files
+ *   path/glob:pattern-name        → suppress specific pattern in matching files
+ *
+ * Lines starting with # are comments.
+ */
+export function loadSuppressions(projectRoot = process.cwd()) {
+    const file = path.join(projectRoot, ".rafterignore");
+    if (!fs.existsSync(file))
+        return [];
+    const suppressions = [];
+    try {
+        const lines = fs.readFileSync(file, "utf-8").split("\n");
+        for (const raw of lines) {
+            const line = raw.trim();
+            if (!line || line.startsWith("#"))
+                continue;
+            const colonIdx = line.indexOf(":");
+            if (colonIdx === -1) {
+                suppressions.push({ pathGlob: line });
+            }
+            else {
+                suppressions.push({
+                    pathGlob: line.slice(0, colonIdx).trim(),
+                    patternName: line.slice(colonIdx + 1).trim() || undefined,
+                });
+            }
+        }
+    }
+    catch {
+        // ignore unreadable .rafterignore
+    }
+    return suppressions;
+}
+/**
+ * Returns true if a finding should be suppressed.
+ */
+export function isSuppressed(filePath, patternName, suppressions) {
+    for (const s of suppressions) {
+        if (matchGlob(s.pathGlob, filePath)) {
+            if (!s.patternName || s.patternName.toLowerCase() === patternName.toLowerCase()) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+/**
+ * Minimal glob matcher: supports * (within segment) and ** (cross-segment).
+ * Not full micromatch — covers the 90% case for .rafterignore.
+ */
+function matchGlob(glob, filePath) {
+    // Normalise separators
+    const g = glob.replace(/\\/g, "/");
+    const f = filePath.replace(/\\/g, "/");
+    // Escape regex special chars except * which we handle specially
+    const escaped = g
+        .replace(/[.+^${}()|[\]\\]/g, "\\$&")
+        .replace(/\*\*/g, "\x00") // placeholder for **
+        .replace(/\*/g, "[^/]*") // * = anything within one segment
+        .replace(/\x00/g, ".*"); // ** = anything including /
+    try {
+        return new RegExp(`(^|/)${escaped}(/|$)`).test(f);
+    }
+    catch {
+        return false;
+    }
+}

package/dist/core/policy-loader.js

@@ -0,0 +1,167 @@
+import fs from "fs";
+import path from "path";
+import { execSync } from "child_process";
+import yaml from "js-yaml";
+const POLICY_FILENAMES = [".rafter.yml", ".rafter.yaml"];
+/**
+ * Find a policy file by walking from cwd up to git root
+ */
+export function findPolicyFile() {
+    let dir = process.cwd();
+    const root = getGitRoot() || path.parse(dir).root;
+    while (true) {
+        for (const filename of POLICY_FILENAMES) {
+            const candidate = path.join(dir, filename);
+            if (fs.existsSync(candidate)) {
+                return candidate;
+            }
+        }
+        const parent = path.dirname(dir);
+        if (parent === dir || dir === root) {
+            break;
+        }
+        dir = parent;
+    }
+    return null;
+}
+/**
+ * Load and parse the policy file, returning null if not found
+ */
+export function loadPolicy() {
+    const policyPath = findPolicyFile();
+    if (!policyPath)
+        return null;
+    try {
+        const content = fs.readFileSync(policyPath, "utf-8");
+        const parsed = yaml.load(content);
+        if (!parsed || typeof parsed !== "object")
+            return null;
+        return validatePolicy(mapPolicy(parsed), parsed);
+    }
+    catch (e) {
+        console.error(`Warning: Failed to parse policy file ${policyPath}: ${e.message}`);
+        return null;
+    }
+}
+/**
+ * Map snake_case YAML keys to camelCase PolicyFile
+ */
+function mapPolicy(raw) {
+    const policy = {};
+    if (raw.version)
+        policy.version = String(raw.version);
+    if (raw.risk_level)
+        policy.riskLevel = raw.risk_level;
+    if (raw.command_policy && typeof raw.command_policy === "object") {
+        policy.commandPolicy = {};
+        if (raw.command_policy.mode)
+            policy.commandPolicy.mode = raw.command_policy.mode;
+        if (Array.isArray(raw.command_policy.blocked_patterns)) {
+            policy.commandPolicy.blockedPatterns = raw.command_policy.blocked_patterns;
+        }
+        if (Array.isArray(raw.command_policy.require_approval)) {
+            policy.commandPolicy.requireApproval = raw.command_policy.require_approval;
+        }
+    }
+    if (raw.scan && typeof raw.scan === "object") {
+        policy.scan = {};
+        if (Array.isArray(raw.scan.exclude_paths)) {
+            policy.scan.excludePaths = raw.scan.exclude_paths;
+        }
+        if (Array.isArray(raw.scan.custom_patterns)) {
+            policy.scan.customPatterns = raw.scan.custom_patterns.map((p) => ({
+                name: p.name,
+                regex: p.regex,
+                severity: p.severity || "high",
+            }));
+        }
+    }
+    if (raw.audit && typeof raw.audit === "object") {
+        policy.audit = {};
+        if (raw.audit.retention_days != null) {
+            policy.audit.retentionDays = Number(raw.audit.retention_days);
+        }
+        if (raw.audit.log_level)
+            policy.audit.logLevel = raw.audit.log_level;
+    }
+    return policy;
+}
+const VALID_TOP_LEVEL_KEYS = new Set(["version", "risk_level", "command_policy", "scan", "audit"]);
+const VALID_RISK_LEVELS = new Set(["minimal", "moderate", "aggressive"]);
+const VALID_COMMAND_MODES = new Set(["allow-all", "approve-dangerous", "deny-list"]);
+const VALID_LOG_LEVELS = new Set(["debug", "info", "warn", "error"]);
+/**
+ * Validate a mapped policy, warn on stderr for invalid fields, strip them out.
+ * `raw` is the original parsed YAML (snake_case keys) for unknown-key detection.
+ */
+function validatePolicy(policy, raw) {
+    // 1. Unknown top-level keys
+    for (const key of Object.keys(raw)) {
+        if (!VALID_TOP_LEVEL_KEYS.has(key)) {
+            console.error(`Warning: Unknown policy key "${key}" — ignoring.`);
+        }
+    }
+    // 2. Type checking + strip invalid
+    if (policy.version !== undefined && typeof policy.version !== "string") {
+        console.error(`Warning: "version" must be a string — ignoring.`);
+        delete policy.version;
+    }
+    if (policy.riskLevel !== undefined && !VALID_RISK_LEVELS.has(policy.riskLevel)) {
+        console.error(`Warning: "risk_level" must be one of: minimal, moderate, aggressive — ignoring.`);
+        delete policy.riskLevel;
+    }
+    if (policy.commandPolicy) {
+        if (policy.commandPolicy.mode !== undefined && !VALID_COMMAND_MODES.has(policy.commandPolicy.mode)) {
+            console.error(`Warning: "command_policy.mode" must be one of: allow-all, approve-dangerous, deny-list — ignoring.`);
+            delete policy.commandPolicy.mode;
+        }
+        if (policy.commandPolicy.blockedPatterns !== undefined) {
+            if (!Array.isArray(policy.commandPolicy.blockedPatterns) || !policy.commandPolicy.blockedPatterns.every((v) => typeof v === "string")) {
+                console.error(`Warning: "command_policy.blocked_patterns" must be an array of strings — ignoring.`);
+                delete policy.commandPolicy.blockedPatterns;
+            }
+        }
+        if (policy.commandPolicy.requireApproval !== undefined) {
+            if (!Array.isArray(policy.commandPolicy.requireApproval) || !policy.commandPolicy.requireApproval.every((v) => typeof v === "string")) {
+                console.error(`Warning: "command_policy.require_approval" must be an array of strings — ignoring.`);
+                delete policy.commandPolicy.requireApproval;
+            }
+        }
+    }
+    if (policy.scan) {
+        if (policy.scan.excludePaths !== undefined) {
+            if (!Array.isArray(policy.scan.excludePaths) || !policy.scan.excludePaths.every((v) => typeof v === "string")) {
+                console.error(`Warning: "scan.exclude_paths" must be an array of strings — ignoring.`);
+                delete policy.scan.excludePaths;
+            }
+        }
+        if (policy.scan.customPatterns !== undefined) {
+            if (!Array.isArray(policy.scan.customPatterns) || !policy.scan.customPatterns.every((v) => v && typeof v === "object" && typeof v.name === "string" && v.name !== "" && typeof v.regex === "string" && v.regex !== "" && typeof v.severity === "string")) {
+                console.error(`Warning: "scan.custom_patterns" must be an array of objects with name, regex, severity — ignoring.`);
+                delete policy.scan.customPatterns;
+            }
+        }
+    }
+    if (policy.audit) {
+        if (policy.audit.retentionDays !== undefined && (typeof policy.audit.retentionDays !== "number" || isNaN(policy.audit.retentionDays))) {
+            console.error(`Warning: "audit.retention_days" must be a number — ignoring.`);
+            delete policy.audit.retentionDays;
+        }
+        if (policy.audit.logLevel !== undefined && !VALID_LOG_LEVELS.has(policy.audit.logLevel)) {
+            console.error(`Warning: "audit.log_level" must be one of: debug, info, warn, error — ignoring.`);
+            delete policy.audit.logLevel;
+        }
+    }
+    return policy;
+}
+function getGitRoot() {
+    try {
+        return execSync("git rev-parse --show-toplevel", {
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "ignore"],
+        }).trim();
+    }
+    catch {
+        return null;
+    }
+}

package/dist/core/risk-rules.js

@@ -0,0 +1,72 @@
+/**
+ * Centralized risk assessment rules.
+ * Single source of truth — imported by command-interceptor, audit-logger, and config-defaults.
+ */
+export const CRITICAL_PATTERNS = [
+    /rm\s+-rf\s+\//,
+    /:\(\)\{\s*:\|:&\s*\};:/, // fork bomb
+    /dd\s+if=.*of=\/dev\/sd/,
+    />\s*\/dev\/sd/,
+    /mkfs/,
+    /fdisk/,
+    /parted/,
+];
+export const HIGH_PATTERNS = [
+    /rm\s+-rf/,
+    /sudo\s+rm/,
+    /chmod\s+777/,
+    /curl.*\|\s*(bash|sh|zsh|dash)\b/,
+    /wget.*\|\s*(bash|sh|zsh|dash)\b/,
+    /git\s+push\s+(--force|-f)\b/,
+    /git\s+push\s+--force-(with-lease|if-includes)\b/,
+    /git\s+push\s+\S*\s+\+\S+/, // refspec force: git push origin +main
+    /docker\s+system\s+prune/,
+    /npm\s+publish/,
+    /pypi.*upload/,
+];
+export const MEDIUM_PATTERNS = [
+    /sudo/,
+    /chmod/,
+    /chown/,
+    /systemctl/,
+    /service/,
+    /kill\s+-9/,
+    /pkill/,
+    /killall/,
+];
+export const DEFAULT_BLOCKED_PATTERNS = [
+    "rm -rf /",
+    ":(){ :|:& };:",
+    "dd if=/dev/zero of=/dev/sda",
+    "> /dev/sda",
+];
+export const DEFAULT_REQUIRE_APPROVAL = [
+    "rm -rf",
+    "sudo rm",
+    "curl.*\\|\\s*(bash|sh|zsh|dash)\\b",
+    "wget.*\\|\\s*(bash|sh|zsh|dash)\\b",
+    "chmod 777",
+    "git push --force",
+    "git push -f",
+    "git push --force-with-lease",
+    "git push --force-if-includes",
+];
+/**
+ * Assess risk level of a command string.
+ */
+export function assessCommandRisk(command) {
+    const cmd = command.toLowerCase();
+    for (const pattern of CRITICAL_PATTERNS) {
+        if (pattern.test(cmd))
+            return "critical";
+    }
+    for (const pattern of HIGH_PATTERNS) {
+        if (pattern.test(cmd))
+            return "high";
+    }
+    for (const pattern of MEDIUM_PATTERNS) {
+        if (pattern.test(cmd))
+            return "medium";
+    }
+    return "low";
+}

package/dist/index.js

@@ -5,19 +5,43 @@ import { createRunCommand } from "./commands/backend/run.js";
 import { createGetCommand } from "./commands/backend/get.js";
 import { createUsageCommand } from "./commands/backend/usage.js";
 import { createAgentCommand } from "./commands/agent/index.js";
+import { createCiCommand } from "./commands/ci/index.js";
+import { createHookCommand } from "./commands/hook/index.js";
+import { createMcpCommand } from "./commands/mcp/index.js";
+import { createPolicyCommand } from "./commands/policy/index.js";
+import { createCompletionCommand } from "./commands/completion.js";
 import { checkForUpdate } from "./utils/update-checker.js";
+import { setAgentMode } from "./utils/formatter.js";
 dotenv.config();
-const VERSION = "0.4.2";
+const VERSION = "0.5.3";
 const program = new Command()
     .name("rafter")
     .description("Rafter CLI")
-    .version(VERSION);
+    .version(VERSION)
+    .option("-a, --agent", "Plain output for AI agents (no colors/emoji)");
+// Set agent mode before any subcommand runs
+program.hook("preAction", (thisCommand) => {
+    const opts = thisCommand.opts();
+    if (opts.agent) {
+        setAgentMode(true);
+    }
+});
 // Backend commands (existing)
 program.addCommand(createRunCommand());
 program.addCommand(createGetCommand());
 program.addCommand(createUsageCommand());
 // Agent commands
 program.addCommand(createAgentCommand());
+// CI commands
+program.addCommand(createCiCommand());
+// Hook commands (for agent platform integration)
+program.addCommand(createHookCommand());
+// MCP server
+program.addCommand(createMcpCommand());
+// Policy commands
+program.addCommand(createPolicyCommand());
+// Shell completions
+program.addCommand(createCompletionCommand());
 // Non-blocking update check — runs after command, prints to stderr
 checkForUpdate(VERSION).then((notice) => {
     if (notice)

package/dist/scanners/gitleaks.js

@@ -1,9 +1,10 @@
-import { exec } from "child_process";
+import { execFile } from "child_process";
 import { promisify } from "util";
 import { BinaryManager } from "../utils/binary-manager.js";
 import fs from "fs";
+import os from "os";
 import path from "path";
-const execAsync = promisify(exec);
+const execFileAsync = promisify(execFile);
 export class GitleaksScanner {
     constructor() {
         this.binaryManager = new BinaryManager();
@@ -25,10 +26,10 @@ export class GitleaksScanner {
             throw new Error("Gitleaks not available");
         }
         const gitleaksPath = this.binaryManager.getGitleaksPath();
-        const tmpReport = path.join("/tmp", `gitleaks-${Date.now()}.json`);
+        const tmpReport = path.join(os.tmpdir(), `gitleaks-${Date.now()}-${Math.random().toString(36).slice(2, 8)}.json`);
         try {
             // Run gitleaks detect on file
-            await execAsync(`"${gitleaksPath}" detect --no-git -f json -r "${tmpReport}" -s "${filePath}"`, { timeout: 30000 });
+            await execFileAsync(gitleaksPath, ["detect", "--no-git", "-f", "json", "-r", tmpReport, "-s", filePath], { timeout: 30000 });
             // If no leaks found, gitleaks exits 0 with empty report
             if (!fs.existsSync(tmpReport)) {
                 return { file: filePath, matches: [] };
@@ -85,10 +86,10 @@ export class GitleaksScanner {
             throw new Error("Gitleaks not available");
         }
         const gitleaksPath = this.binaryManager.getGitleaksPath();
-        const tmpReport = path.join("/tmp", `gitleaks-${Date.now()}.json`);
+        const tmpReport = path.join(os.tmpdir(), `gitleaks-${Date.now()}-${Math.random().toString(36).slice(2, 8)}.json`);
         try {
             // Run gitleaks detect on directory
-            await execAsync(`"${gitleaksPath}" detect --no-git -f json -r "${tmpReport}" -s "${dirPath}"`, { timeout: 60000 });
+            await execFileAsync(gitleaksPath, ["detect", "--no-git", "-f", "json", "-r", tmpReport, "-s", dirPath], { timeout: 60000 });
             // No leaks found
             if (!fs.existsSync(tmpReport)) {
                 return [];

package/dist/scanners/regex-scanner.js

@@ -2,9 +2,21 @@ import fs from "fs";
 import path from "path";
 import { PatternEngine } from "../core/pattern-engine.js";
 import { DEFAULT_SECRET_PATTERNS } from "./secret-patterns.js";
+import { loadCustomPatterns, loadSuppressions, isSuppressed } from "../core/custom-patterns.js";
 export class RegexScanner {
-    constructor() {
-        this.engine = new PatternEngine(DEFAULT_SECRET_PATTERNS);
+    constructor(customPatterns) {
+        const patterns = [...DEFAULT_SECRET_PATTERNS, ...loadCustomPatterns()];
+        if (customPatterns) {
+            for (const cp of customPatterns) {
+                patterns.push({
+                    name: cp.name,
+                    regex: cp.regex,
+                    severity: cp.severity,
+                });
+            }
+        }
+        this.engine = new PatternEngine(patterns);
+        this.suppressions = loadSuppressions();
     }
     /**
      * Scan a single file for secrets
@@ -12,18 +24,12 @@ export class RegexScanner {
     scanFile(filePath) {
         try {
             const content = fs.readFileSync(filePath, "utf-8");
-            const matches = this.engine.scanWithPosition(content);
-            return {
-                file: filePath,
-                matches
-            };
+            const raw = this.engine.scanWithPosition(content);
+            const matches = raw.filter((m) => !isSuppressed(filePath, m.pattern.name, this.suppressions));
+            return { file: filePath, matches };
         }
         catch (e) {
-            // If file can't be read (binary, permissions, etc.), return empty matches
-            return {
-                file: filePath,
-                matches: []
-            };
+            return { file: filePath, matches: [] };
         }
     }
     /**
@@ -53,6 +59,16 @@ export class RegexScanner {
             ".vscode",
             ".idea"
         ];
+        // Merge policy excludePaths into the exclude list
+        if (options?.excludePaths) {
+            for (const ep of options.excludePaths) {
+                // Strip trailing slashes for directory name matching
+                const cleaned = ep.replace(/\/+$/, "");
+                if (!exclude.includes(cleaned)) {
+                    exclude.push(cleaned);
+                }
+            }
+        }
         const files = this.walkDirectory(dirPath, exclude, options?.maxDepth || 10);
         return this.scanFiles(files);
     }