@rafter-security/cli 0.5.1 → 0.5.5

package/README.md

@@ -566,7 +566,7 @@ Agent security settings are stored in `~/.rafter/config.json`. Key settings:
 
 **File Locations:**
 - Config: `~/.rafter/config.json`
-- Audit log: `~/.rafter/audit.log`
+- Audit log: `~/.rafter/audit.jsonl`
 - Binaries: `~/.rafter/bin/`
 - Patterns: `~/.rafter/patterns/`
 

package/dist/commands/agent/audit-skill.js

@@ -18,7 +18,7 @@ async function auditSkill(skillPath, opts) {
     // Validate skill file exists
     if (!fs.existsSync(skillPath)) {
         console.error(`Error: Skill file not found: ${skillPath}`);
-        process.exit(1);
+        process.exit(2);
     }
     const absolutePath = path.resolve(skillPath);
     const skillContent = fs.readFileSync(absolutePath, "utf-8");
@@ -48,6 +48,9 @@ async function auditSkill(skillPath, opts) {
             rafterSkillInstalled
         };
         console.log(JSON.stringify(result, null, 2));
+        if (quickScan.secrets > 0 || quickScan.highRiskCommands.length > 0) {
+            process.exit(1);
+        }
         return;
     }
     // Check if we can use OpenClaw
@@ -85,6 +88,9 @@ async function auditSkill(skillPath, opts) {
         console.log("─".repeat(60));
     }
     console.log();
+    if (quickScan.secrets > 0 || quickScan.highRiskCommands.length > 0) {
+        process.exit(1);
+    }
 }
 async function runQuickScan(content) {
     // 1. Scan for secrets

package/dist/commands/agent/baseline.js

@@ -0,0 +1,203 @@
+import { Command } from "commander";
+import fs from "fs";
+import os from "os";
+import path from "path";
+import { fmt } from "../../utils/formatter.js";
+import { RegexScanner } from "../../scanners/regex-scanner.js";
+import { GitleaksScanner } from "../../scanners/gitleaks.js";
+import { ConfigManager } from "../../core/config-manager.js";
+const BASELINE_PATH = path.join(os.homedir(), ".rafter", "baseline.json");
+function loadBaseline() {
+    if (!fs.existsSync(BASELINE_PATH)) {
+        return { version: 1, created: "", updated: "", entries: [] };
+    }
+    try {
+        return JSON.parse(fs.readFileSync(BASELINE_PATH, "utf-8"));
+    }
+    catch {
+        return { version: 1, created: "", updated: "", entries: [] };
+    }
+}
+function saveBaseline(baseline) {
+    const dir = path.dirname(BASELINE_PATH);
+    if (!fs.existsSync(dir)) {
+        fs.mkdirSync(dir, { recursive: true });
+    }
+    fs.writeFileSync(BASELINE_PATH, JSON.stringify(baseline, null, 2), "utf-8");
+}
+export function createBaselineCommand() {
+    const baseline = new Command("baseline")
+        .description("Manage the findings baseline (allowlist for known findings)");
+    baseline.addCommand(createBaselineCreateCommand());
+    baseline.addCommand(createBaselineShowCommand());
+    baseline.addCommand(createBaselineClearCommand());
+    baseline.addCommand(createBaselineAddCommand());
+    return baseline;
+}
+function createBaselineCreateCommand() {
+    return new Command("create")
+        .description("Scan and save all current findings as the baseline")
+        .argument("[path]", "Path to scan", ".")
+        .option("--engine <engine>", "Scan engine: gitleaks or patterns", "auto")
+        .action(async (scanPath, opts) => {
+        const resolvedPath = path.resolve(scanPath);
+        if (!fs.existsSync(resolvedPath)) {
+            console.error(`Error: Path not found: ${resolvedPath}`);
+            process.exit(2);
+        }
+        const manager = new ConfigManager();
+        const cfg = manager.loadWithPolicy();
+        const scanCfg = cfg.agent?.scan;
+        console.error(`Scanning ${resolvedPath} to build baseline...`);
+        const engine = await selectEngine(opts.engine || "auto");
+        let results;
+        if (fs.statSync(resolvedPath).isDirectory()) {
+            results = await scanDirectory(resolvedPath, engine, scanCfg);
+        }
+        else {
+            results = await scanFile(resolvedPath, engine);
+        }
+        const now = new Date().toISOString();
+        const entries = [];
+        for (const r of results) {
+            for (const m of r.matches) {
+                entries.push({
+                    file: r.file,
+                    line: m.line ?? null,
+                    pattern: m.pattern.name,
+                    addedAt: now,
+                });
+            }
+        }
+        const existing = loadBaseline();
+        const baseline = {
+            version: 1,
+            created: existing.created || now,
+            updated: now,
+            entries,
+        };
+        saveBaseline(baseline);
+        if (entries.length === 0) {
+            console.log(fmt.success("No findings — baseline is empty (all clean)"));
+        }
+        else {
+            console.log(fmt.success(`Baseline saved: ${entries.length} finding(s) recorded`));
+            console.log(`  Location: ${BASELINE_PATH}`);
+            console.log();
+            console.log("Future scans with --baseline will suppress these findings.");
+        }
+    });
+}
+function createBaselineShowCommand() {
+    return new Command("show")
+        .description("Show current baseline entries")
+        .option("--json", "Output as JSON")
+        .action((opts) => {
+        const baseline = loadBaseline();
+        if (opts.json) {
+            console.log(JSON.stringify(baseline, null, 2));
+            return;
+        }
+        if (baseline.entries.length === 0) {
+            console.log("Baseline is empty. Run: rafter agent baseline create");
+            return;
+        }
+        console.log(`Baseline: ${baseline.entries.length} entries`);
+        if (baseline.updated) {
+            console.log(`Updated: ${baseline.updated}`);
+        }
+        console.log();
+        // Group by file
+        const byFile = new Map();
+        for (const entry of baseline.entries) {
+            const list = byFile.get(entry.file) || [];
+            list.push(entry);
+            byFile.set(entry.file, list);
+        }
+        for (const [file, entries] of byFile) {
+            console.log(fmt.info(file));
+            for (const e of entries) {
+                const loc = e.line != null ? `line ${e.line}` : "unknown location";
+                console.log(`  ${e.pattern} (${loc})`);
+            }
+            console.log();
+        }
+    });
+}
+function createBaselineClearCommand() {
+    return new Command("clear")
+        .description("Remove all baseline entries")
+        .action(() => {
+        if (!fs.existsSync(BASELINE_PATH)) {
+            console.log("No baseline file found — nothing to clear.");
+            return;
+        }
+        fs.unlinkSync(BASELINE_PATH);
+        console.log(fmt.success("Baseline cleared"));
+    });
+}
+function createBaselineAddCommand() {
+    return new Command("add")
+        .description("Manually add a finding to the baseline")
+        .requiredOption("--file <path>", "File path")
+        .requiredOption("--pattern <name>", "Pattern name (e.g. 'AWS Access Key')")
+        .option("--line <number>", "Line number")
+        .action((opts) => {
+        const baseline = loadBaseline();
+        const now = new Date().toISOString();
+        const entry = {
+            file: path.resolve(opts.file),
+            line: opts.line != null ? parseInt(opts.line, 10) : null,
+            pattern: opts.pattern,
+            addedAt: now,
+        };
+        baseline.entries.push(entry);
+        baseline.updated = now;
+        if (!baseline.created)
+            baseline.created = now;
+        saveBaseline(baseline);
+        console.log(fmt.success(`Added to baseline: ${opts.pattern} in ${opts.file}`));
+    });
+}
+// ── helpers ─────────────────────────────────────────────────────────
+async function selectEngine(preference) {
+    if (preference === "patterns")
+        return "patterns";
+    if (preference === "gitleaks") {
+        const g = new GitleaksScanner();
+        return (await g.isAvailable()) ? "gitleaks" : "patterns";
+    }
+    const g = new GitleaksScanner();
+    return (await g.isAvailable()) ? "gitleaks" : "patterns";
+}
+async function scanFile(filePath, engine) {
+    if (engine === "gitleaks") {
+        try {
+            const g = new GitleaksScanner();
+            const r = await g.scanFile(filePath);
+            return r.matches.length > 0 ? [r] : [];
+        }
+        catch {
+            const s = new RegexScanner();
+            const r = s.scanFile(filePath);
+            return r.matches.length > 0 ? [r] : [];
+        }
+    }
+    const s = new RegexScanner();
+    const r = s.scanFile(filePath);
+    return r.matches.length > 0 ? [r] : [];
+}
+async function scanDirectory(dirPath, engine, scanCfg) {
+    if (engine === "gitleaks") {
+        try {
+            const g = new GitleaksScanner();
+            return await g.scanDirectory(dirPath);
+        }
+        catch {
+            const s = new RegexScanner();
+            return s.scanDirectory(dirPath, { excludePaths: scanCfg?.excludePaths });
+        }
+    }
+    const s = new RegexScanner();
+    return s.scanDirectory(dirPath, { excludePaths: scanCfg?.excludePaths });
+}

package/dist/commands/agent/index.js

@@ -6,6 +6,10 @@ import { createConfigCommand } from "./config.js";
 import { createExecCommand } from "./exec.js";
 import { createAuditSkillCommand } from "./audit-skill.js";
 import { createInstallHookCommand } from "./install-hook.js";
+import { createVerifyCommand } from "./verify.js";
+import { createStatusCommand } from "./status.js";
+import { createUpdateGitleaksCommand } from "./update-gitleaks.js";
+import { createBaselineCommand } from "./baseline.js";
 export function createAgentCommand() {
     const agent = new Command("agent")
         .description("Agent security features");
@@ -17,5 +21,9 @@ export function createAgentCommand() {
     agent.addCommand(createAuditCommand());
     agent.addCommand(createAuditSkillCommand());
     agent.addCommand(createInstallHookCommand());
+    agent.addCommand(createVerifyCommand());
+    agent.addCommand(createStatusCommand());
+    agent.addCommand(createUpdateGitleaksCommand());
+    agent.addCommand(createBaselineCommand());
     return agent;
 }

package/dist/commands/agent/init.js

@@ -32,16 +32,25 @@ function installClaudeCodeHooks() {
         settings.hooks = {};
     if (!settings.hooks.PreToolUse)
         settings.hooks.PreToolUse = [];
-    const rafterHook = { type: "command", command: "rafter hook pretool" };
+    if (!settings.hooks.PostToolUse)
+        settings.hooks.PostToolUse = [];
+    const preHook = { type: "command", command: "rafter hook pretool" };
+    const postHook = { type: "command", command: "rafter hook posttool" };
     // Remove any existing Rafter hooks to avoid duplicates
     settings.hooks.PreToolUse = settings.hooks.PreToolUse.filter((entry) => {
         const hooks = entry.hooks || [];
         return !hooks.some((h) => h.command === "rafter hook pretool");
     });
+    settings.hooks.PostToolUse = settings.hooks.PostToolUse.filter((entry) => {
+        const hooks = entry.hooks || [];
+        return !hooks.some((h) => h.command === "rafter hook posttool");
+    });
     // Add Rafter hooks
-    settings.hooks.PreToolUse.push({ matcher: "Bash", hooks: [rafterHook] }, { matcher: "Write|Edit", hooks: [rafterHook] });
+    settings.hooks.PreToolUse.push({ matcher: "Bash", hooks: [preHook] }, { matcher: "Write|Edit", hooks: [preHook] });
+    settings.hooks.PostToolUse.push({ matcher: ".*", hooks: [postHook] });
     fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2), "utf-8");
     console.log(fmt.success(`Installed PreToolUse hooks to ${settingsPath}`));
+    console.log(fmt.success(`Installed PostToolUse hooks to ${settingsPath}`));
 }
 async function installClaudeCodeSkills() {
     const homeDir = os.homedir();
@@ -87,6 +96,7 @@ export function createInitCommand() {
         .option("--skip-claude-code", "Skip Claude Code skill installation")
         .option("--claude-code", "Force Claude Code skill installation")
         .option("--skip-gitleaks", "Skip Gitleaks binary download")
+        .option("--update", "Re-download gitleaks and reinstall integrations without resetting config")
         .action(async (opts) => {
         console.log(fmt.header("Rafter Agent Security Setup"));
         console.log(fmt.divider());
@@ -125,49 +135,90 @@ export function createInitCommand() {
         }
         manager.set("agent.riskLevel", opts.riskLevel);
         console.log(fmt.success(`Set risk level: ${opts.riskLevel}`));
-        // Download Gitleaks binary (optional)
+        // Check / download Gitleaks binary (optional)
         if (!opts.skipGitleaks) {
             const binaryManager = new BinaryManager();
             const platformInfo = binaryManager.getPlatformInfo();
-            if (!platformInfo.supported) {
-                console.log(fmt.info(`Gitleaks not available for ${platformInfo.platform}/${platformInfo.arch}`));
-                console.log(fmt.success("Using pattern-based scanning (21 patterns)"));
-            }
-            else if (binaryManager.isGitleaksInstalled()) {
-                const version = await binaryManager.getGitleaksVersion();
-                console.log(fmt.success(`Gitleaks already installed (${version})`));
+            // Helper: show diagnostics for a failing binary (mirrors Python's agent init)
+            const showDiagnostics = async (binaryPath, verResult) => {
+                if (verResult.stderr) {
+                    console.log(fmt.info(`  stderr: ${verResult.stderr}`));
+                }
+                const diag = await binaryManager.collectBinaryDiagnostics(binaryPath);
+                if (diag) {
+                    console.log(fmt.info("Diagnostics:"));
+                    console.log(diag);
+                }
+                console.log(fmt.info("To fix: install gitleaks (https://github.com/gitleaks/gitleaks/releases) and ensure it is on PATH, then re-run 'rafter agent init'."));
+                console.log();
+            };
+            if (!opts.update && binaryManager.isGitleaksInstalled()) {
+                // Local binary exists — verify it actually works
+                const verResult = await binaryManager.verifyGitleaksVerbose();
+                if (verResult.ok) {
+                    console.log(fmt.success(`Gitleaks already installed (${verResult.stdout})`));
+                }
+                else {
+                    console.log(fmt.warning("Gitleaks binary found locally but failed to execute."));
+                    console.log(fmt.info(`  Binary: ${binaryManager.getGitleaksPath()}`));
+                    await showDiagnostics(binaryManager.getGitleaksPath(), verResult);
+                }
             }
             else {
-                console.log();
-                console.log(fmt.info("Downloading Gitleaks (enhanced secret detection)..."));
-                try {
-                    await binaryManager.downloadGitleaks((msg) => {
-                        console.log(`   ${msg}`);
-                    });
-                    console.log();
+                // Not installed locally (or --update forcing re-download) — check PATH first
+                // unless --update was passed (in that case force a fresh managed install)
+                const pathBinary = opts.update ? null : binaryManager.findGitleaksOnPath();
+                if (pathBinary) {
+                    const verResult = await binaryManager.verifyGitleaksVerbose(pathBinary);
+                    if (verResult.ok) {
+                        console.log(fmt.success(`Gitleaks available on PATH (${verResult.stdout})`));
+                    }
+                    else {
+                        console.log(fmt.warning("Gitleaks found on PATH but failed to execute."));
+                        console.log(fmt.info(`  Binary: ${pathBinary}`));
+                        await showDiagnostics(pathBinary, verResult);
+                    }
+                }
+                else if (!platformInfo.supported) {
+                    console.log(fmt.info(`Gitleaks not available for ${platformInfo.platform}/${platformInfo.arch}`));
+                    console.log(fmt.success("Using pattern-based scanning (21 patterns)"));
                 }
-                catch (e) {
-                    console.log(fmt.warning(`Failed to download Gitleaks: ${e}`));
-                    console.log(fmt.success("Falling back to pattern-based scanning"));
+                else {
+                    // Not on PATH, not installed locally — download
                     console.log();
+                    console.log(fmt.info("Downloading Gitleaks (enhanced secret detection)..."));
+                    try {
+                        await binaryManager.downloadGitleaks((msg) => {
+                            console.log(`   ${msg}`);
+                        });
+                        console.log();
+                    }
+                    catch (e) {
+                        console.log();
+                        console.log(fmt.error(`Gitleaks setup failed — pattern-based scanning will be used instead.`));
+                        console.log(fmt.warning(String(e)));
+                        console.log();
+                        console.log(fmt.info("To fix: install gitleaks manually (https://github.com/gitleaks/gitleaks/releases) and ensure it is on PATH, then re-run 'rafter agent init'."));
+                        console.log();
+                    }
                 }
             }
         }
         // Install OpenClaw skill if applicable
         if (hasOpenClaw && !opts.skipOpenclaw) {
-            try {
-                const skillManager = new SkillManager();
-                const installed = await skillManager.installRafterSkill();
-                if (installed) {
-                    console.log(fmt.success("Installed Rafter Security skill to ~/.openclaw/skills/rafter-security.md"));
-                    manager.set("agent.environments.openclaw.enabled", true);
-                }
-                else {
-                    console.log(fmt.warning("Failed to install Rafter Security skill"));
-                }
+            const skillManager = new SkillManager();
+            const result = await skillManager.installRafterSkillVerbose();
+            if (result.ok) {
+                console.log(fmt.success("Installed Rafter Security skill to ~/.openclaw/skills/rafter-security.md"));
+                manager.set("agent.environments.openclaw.enabled", true);
             }
-            catch (e) {
-                console.error(fmt.error(`Failed to install OpenClaw skill: ${e}`));
+            else {
+                console.log(fmt.error("Failed to install Rafter Security skill"));
+                console.log(fmt.warning(`  Source: ${result.sourcePath}`));
+                console.log(fmt.warning(`  Destination: ${result.destPath}`));
+                if (result.error) {
+                    console.log(fmt.warning(`  Error: ${result.error}`));
+                }
             }
         }
         // Install Claude Code skills + hooks if applicable

package/dist/commands/agent/install-hook.js

@@ -1,5 +1,6 @@
 import { Command } from "commander";
 import fs from "fs";
+import os from "os";
 import path from "path";
 import { execSync } from "child_process";
 import { fileURLToPath } from 'url';
@@ -7,25 +8,36 @@ const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 export function createInstallHookCommand() {
     return new Command("install-hook")
-        .description("Install pre-commit hook to scan for secrets")
+        .description("Install git hook to scan for secrets")
         .option("--global", "Install globally for all repos (via git config)")
+        .option("--push", "Install pre-push hook instead of pre-commit")
         .action(async (opts) => {
         await installHook(opts);
     });
 }
 async function installHook(opts) {
+    const hookName = opts.push ? "pre-push" : "pre-commit";
+    const templateName = opts.push ? "pre-push-hook.sh" : "pre-commit-hook.sh";
     if (opts.global) {
-        await installGlobalHook();
+        await installGlobalHook(hookName, templateName);
     }
     else {
-        await installLocalHook();
+        await installLocalHook(hookName, templateName);
     }
 }
+function getTemplatePath(templateName) {
+    const templatePath = path.join(__dirname, "..", "..", "..", "resources", templateName);
+    if (!fs.existsSync(templatePath)) {
+        console.error("❌ Error: Hook template not found");
+        console.error(`   Expected at: ${templatePath}`);
+        process.exit(1);
+    }
+    return templatePath;
+}
 /**
- * Install pre-commit hook for current repository
+ * Install hook for current repository
  */
-async function installLocalHook() {
-    // Check if in a git repository
+async function installLocalHook(hookName, templateName) {
     try {
         execSync("git rev-parse --git-dir", { stdio: "pipe" });
     }
@@ -34,80 +46,63 @@ async function installLocalHook() {
         console.error("   Run this command from inside a git repository");
         process.exit(1);
     }
-    // Get .git directory
     const gitDir = execSync("git rev-parse --git-dir", { encoding: "utf-8" }).trim();
     const hooksDir = path.resolve(gitDir, "hooks");
-    const hookPath = path.join(hooksDir, "pre-commit");
-    // Ensure hooks directory exists
+    const hookPath = path.join(hooksDir, hookName);
     if (!fs.existsSync(hooksDir)) {
         fs.mkdirSync(hooksDir, { recursive: true });
     }
-    // Check if hook already exists
     if (fs.existsSync(hookPath)) {
         const existing = fs.readFileSync(hookPath, "utf-8");
-        // Check if it's already a Rafter hook
-        if (existing.includes("Rafter Security Pre-Commit Hook")) {
-            console.log("✓ Rafter pre-commit hook already installed");
+        const marker = hookName === "pre-push" ? "Rafter Security Pre-Push Hook" : "Rafter Security Pre-Commit Hook";
+        if (existing.includes(marker)) {
+            console.log(`✓ Rafter ${hookName} hook already installed`);
             return;
         }
-        // Backup existing hook
         const backupPath = `${hookPath}.backup-${Date.now()}`;
         fs.copyFileSync(hookPath, backupPath);
         console.log(`📦 Backed up existing hook to: ${path.basename(backupPath)}`);
     }
-    // Get hook template path
-    const templatePath = path.join(__dirname, "..", "..", "..", "resources", "pre-commit-hook.sh");
-    if (!fs.existsSync(templatePath)) {
-        console.error("❌ Error: Hook template not found");
-        console.error(`   Expected at: ${templatePath}`);
-        process.exit(1);
-    }
-    // Copy hook template
-    const hookContent = fs.readFileSync(templatePath, "utf-8");
+    const hookContent = fs.readFileSync(getTemplatePath(templateName), "utf-8");
     fs.writeFileSync(hookPath, hookContent, "utf-8");
-    // Make executable
     fs.chmodSync(hookPath, 0o755);
-    console.log("✓ Installed Rafter pre-commit hook");
+    console.log(`✓ Installed Rafter ${hookName} hook`);
     console.log(`  Location: ${hookPath}`);
     console.log();
-    console.log("The hook will:");
-    console.log("  • Scan staged files for secrets before each commit");
-    console.log("  • Block commits if secrets are detected");
-    console.log("  • Can be bypassed with: git commit --no-verify (not recommended)");
+    if (hookName === "pre-push") {
+        console.log("The hook will:");
+        console.log("  • Scan commits being pushed for secrets");
+        console.log("  • Block pushes if secrets are detected");
+        console.log("  • Can be bypassed with: git push --no-verify (not recommended)");
+    }
+    else {
+        console.log("The hook will:");
+        console.log("  • Scan staged files for secrets before each commit");
+        console.log("  • Block commits if secrets are detected");
+        console.log("  • Can be bypassed with: git commit --no-verify (not recommended)");
+    }
     console.log();
 }
 /**
- * Install pre-commit hook globally for all repositories
+ * Install hook globally for all repositories
  */
-async function installGlobalHook() {
-    // Create global hooks directory
-    const homeDir = process.env.HOME || process.env.USERPROFILE;
+async function installGlobalHook(hookName, templateName) {
+    const homeDir = os.homedir();
     if (!homeDir) {
         console.error("❌ Error: Could not determine home directory");
         process.exit(1);
     }
     const globalHooksDir = path.join(homeDir, ".rafter", "git-hooks");
-    const hookPath = path.join(globalHooksDir, "pre-commit");
-    // Create directory
+    const hookPath = path.join(globalHooksDir, hookName);
     if (!fs.existsSync(globalHooksDir)) {
         fs.mkdirSync(globalHooksDir, { recursive: true });
     }
-    // Get hook template path
-    const templatePath = path.join(__dirname, "..", "..", "..", "resources", "pre-commit-hook.sh");
-    if (!fs.existsSync(templatePath)) {
-        console.error("❌ Error: Hook template not found");
-        console.error(`   Expected at: ${templatePath}`);
-        process.exit(1);
-    }
-    // Copy hook template
-    const hookContent = fs.readFileSync(templatePath, "utf-8");
+    const hookContent = fs.readFileSync(getTemplatePath(templateName), "utf-8");
     fs.writeFileSync(hookPath, hookContent, "utf-8");
-    // Make executable
     fs.chmodSync(hookPath, 0o755);
-    // Configure git to use global hooks directory
     try {
         execSync(`git config --global core.hooksPath "${globalHooksDir}"`, { stdio: "pipe" });
-        console.log("✓ Installed Rafter pre-commit hook globally");
+        console.log(`✓ Installed Rafter ${hookName} hook globally`);
         console.log(`  Location: ${hookPath}`);
         console.log(`  Git config: core.hooksPath = ${globalHooksDir}`);
         console.log();
@@ -117,7 +112,7 @@ async function installGlobalHook() {
         console.log(`  git config --global --unset core.hooksPath`);
         console.log();
         console.log("To install per-repository instead:");
-        console.log(`  cd <repo> && rafter agent install-hook`);
+        console.log(`  cd <repo> && rafter agent install-hook${hookName === "pre-push" ? " --push" : ""}`);
         console.log();
     }
     catch (e) {