@rafter-security/cli 0.5.1 → 0.5.5

package/dist/commands/agent/scan.js

@@ -4,37 +4,65 @@ import { GitleaksScanner } from "../../scanners/gitleaks.js";
 import { ConfigManager } from "../../core/config-manager.js";
 import { execSync, execFileSync } from "child_process";
 import fs from "fs";
+import os from "os";
 import path from "path";
 import { fmt } from "../../utils/formatter.js";
+function loadBaselineEntries() {
+    const baselinePath = path.join(os.homedir(), ".rafter", "baseline.json");
+    if (!fs.existsSync(baselinePath))
+        return [];
+    try {
+        const data = JSON.parse(fs.readFileSync(baselinePath, "utf-8"));
+        return data.entries || [];
+    }
+    catch {
+        return [];
+    }
+}
+function applyBaseline(results, entries) {
+    if (entries.length === 0)
+        return results;
+    return results
+        .map((r) => ({
+        ...r,
+        matches: r.matches.filter((m) => !entries.some((e) => e.file === r.file &&
+            e.pattern === m.pattern.name &&
+            (e.line == null || e.line === (m.line ?? null)))),
+    }))
+        .filter((r) => r.matches.length > 0);
+}
 export function createScanCommand() {
     return new Command("scan")
         .description("Scan files or directories for secrets")
         .argument("[path]", "File or directory to scan", ".")
         .option("-q, --quiet", "Only output if secrets found")
         .option("--json", "Output as JSON")
+        .option("--format <format>", "Output format: text, json, sarif", "text")
         .option("--staged", "Scan only git staged files")
         .option("--diff <ref>", "Scan files changed since a git ref")
         .option("--engine <engine>", "Scan engine: gitleaks or patterns", "auto")
+        .option("--baseline", "Filter findings present in the saved baseline")
         .action(async (scanPath, opts) => {
         // Load policy-merged config for excludePaths/customPatterns
         const manager = new ConfigManager();
         const cfg = manager.loadWithPolicy();
         const scanCfg = cfg.agent?.scan;
+        const baselineEntries = opts.baseline ? loadBaselineEntries() : [];
         // Handle --diff flag
         if (opts.diff) {
-            await scanDiffFiles(opts.diff, opts, scanCfg);
+            await scanDiffFiles(opts.diff, opts, scanCfg, baselineEntries);
             return;
         }
         // Handle --staged flag
         if (opts.staged) {
-            await scanStagedFiles(opts, scanCfg);
+            await scanStagedFiles(opts, scanCfg, baselineEntries);
             return;
         }
         const resolvedPath = path.resolve(scanPath);
         // Check if path exists
         if (!fs.existsSync(resolvedPath)) {
             console.error(`Error: Path not found: ${resolvedPath}`);
-            process.exit(1);
+            process.exit(2);
         }
         // Determine scan engine
         const engine = await selectEngine(opts.engine || "auto", opts.quiet || false);
@@ -53,15 +81,84 @@ export function createScanCommand() {
             }
             results = await scanFile(resolvedPath, engine, scanCfg);
         }
-        outputScanResults(results, opts);
+        outputScanResults(applyBaseline(results, baselineEntries), opts);
     });
 }
+/**
+ * Emit SARIF 2.1.0 JSON for GitHub/GitLab security tab integration
+ */
+function outputSarif(results) {
+    const rules = new Map();
+    const sarifResults = [];
+    for (const r of results) {
+        for (const m of r.matches) {
+            const ruleId = m.pattern.name.toLowerCase().replace(/\s+/g, "-");
+            if (!rules.has(ruleId)) {
+                rules.set(ruleId, {
+                    id: ruleId,
+                    name: m.pattern.name,
+                    shortDescription: m.pattern.description || m.pattern.name,
+                });
+            }
+            sarifResults.push({
+                ruleId,
+                level: m.pattern.severity === "critical" || m.pattern.severity === "high" ? "error" : "warning",
+                message: { text: `${m.pattern.name} detected` },
+                locations: [
+                    {
+                        physicalLocation: {
+                            artifactLocation: { uri: r.file.replace(/\\/g, "/"), uriBaseId: "%SRCROOT%" },
+                            region: m.line ? { startLine: m.line, startColumn: m.column ?? 1 } : undefined,
+                        },
+                    },
+                ],
+            });
+        }
+    }
+    const sarif = {
+        $schema: "https://json.schemastore.org/sarif-2.1.0.json",
+        version: "2.1.0",
+        runs: [
+            {
+                tool: {
+                    driver: {
+                        name: "rafter",
+                        version: "0.5.5",
+                        informationUri: "https://rafter.so",
+                        rules: Array.from(rules.values()),
+                    },
+                },
+                results: sarifResults,
+            },
+        ],
+    };
+    console.log(JSON.stringify(sarif, null, 2));
+    process.exit(results.length > 0 ? 1 : 0);
+}
 /**
  * Shared output logic for scan results
  */
 function outputScanResults(results, opts, context) {
-    if (opts.json) {
-        console.log(JSON.stringify(results, null, 2));
+    const format = opts.format ?? (opts.json ? "json" : "text");
+    if (!["text", "json", "sarif"].includes(format)) {
+        console.error(`Invalid format: ${format}. Valid values: text, json, sarif`);
+        process.exit(2);
+    }
+    if (format === "sarif") {
+        outputSarif(results);
+        return;
+    }
+    if (format === "json" || opts.json) {
+        const out = results.map((r) => ({
+            file: r.file,
+            matches: r.matches.map((m) => ({
+                pattern: { name: m.pattern.name, severity: m.pattern.severity, description: m.pattern.description || "" },
+                line: m.line ?? null,
+                column: m.column ?? null,
+                redacted: m.redacted || "",
+            })),
+        }));
+        console.log(JSON.stringify(out, null, 2));
         process.exit(results.length > 0 ? 1 : 0);
     }
     if (results.length === 0) {
@@ -98,7 +195,7 @@ function outputScanResults(results, opts, context) {
 /**
  * Scan files changed since a git ref
  */
-async function scanDiffFiles(ref, opts, scanCfg) {
+async function scanDiffFiles(ref, opts, scanCfg, baselineEntries = []) {
     try {
         const diffOutput = execFileSync("git", ["diff", "--name-only", "--diff-filter=ACM", ref], {
             encoding: "utf-8",
@@ -126,12 +223,12 @@ async function scanDiffFiles(ref, opts, scanCfg) {
             const results = await scanFile(filePath, engine, scanCfg);
             allResults.push(...results);
         }
-        outputScanResults(allResults, opts, `files changed since ${ref}`);
+        outputScanResults(applyBaseline(allResults, baselineEntries), opts, `files changed since ${ref}`);
     }
     catch (error) {
         if (error.status === 128) {
             console.error("Error: Not in a git repository or invalid ref");
-            process.exit(1);
+            process.exit(2);
         }
         throw error;
     }
@@ -139,7 +236,7 @@ async function scanDiffFiles(ref, opts, scanCfg) {
 /**
  * Scan git staged files for secrets
  */
-async function scanStagedFiles(opts, scanCfg) {
+async function scanStagedFiles(opts, scanCfg, baselineEntries = []) {
     try {
         const stagedFilesOutput = execSync("git diff --cached --name-only --diff-filter=ACM", {
             encoding: "utf-8",
@@ -167,12 +264,12 @@ async function scanStagedFiles(opts, scanCfg) {
             const results = await scanFile(filePath, engine, scanCfg);
             allResults.push(...results);
         }
-        outputScanResults(allResults, opts, "staged files");
+        outputScanResults(applyBaseline(allResults, baselineEntries), opts, "staged files");
     }
     catch (error) {
         if (error.status === 128) {
             console.error("Error: Not in a git repository");
-            process.exit(1);
+            process.exit(2);
         }
         throw error;
     }

package/dist/commands/agent/status.js

@@ -0,0 +1,115 @@
+import { Command } from "commander";
+import fs from "fs";
+import path from "path";
+import os from "os";
+import { execSync } from "child_process";
+import { getRafterDir, getAuditLogPath, getBinDir } from "../../core/config-defaults.js";
+import { AuditLogger } from "../../core/audit-logger.js";
+import { ConfigManager } from "../../core/config-manager.js";
+export function createStatusCommand() {
+    return new Command("status")
+        .description("Show agent security status dashboard")
+        .action(async () => {
+        const rafterDir = getRafterDir();
+        const auditPath = getAuditLogPath();
+        const home = os.homedir();
+        console.log("Rafter Agent Status");
+        console.log("=".repeat(50));
+        // --- Config ---
+        const configPath = path.join(rafterDir, "config.json");
+        if (fs.existsSync(configPath)) {
+            try {
+                const cfg = new ConfigManager().load();
+                console.log(`\nConfig:       ${configPath}`);
+                console.log(`Risk level:   ${cfg.agent?.riskLevel ?? "moderate"}`);
+            }
+            catch {
+                console.log(`\nConfig:       ${configPath} (parse error)`);
+            }
+        }
+        else {
+            console.log(`\nConfig:       not found — run: rafter agent init`);
+        }
+        // --- Gitleaks ---
+        const localGitleaks = path.join(getBinDir(), "gitleaks");
+        let gitleaksStatus = "not found — run: rafter agent init";
+        try {
+            const ver = execSync("gitleaks version", { timeout: 5000, encoding: "utf-8" }).trim();
+            gitleaksStatus = `${ver} (PATH)`;
+        }
+        catch {
+            if (fs.existsSync(localGitleaks)) {
+                try {
+                    const ver = execSync(`"${localGitleaks}" version`, { timeout: 5000, encoding: "utf-8" }).trim();
+                    gitleaksStatus = `${ver} (local)`;
+                }
+                catch {
+                    gitleaksStatus = `${localGitleaks} (binary error)`;
+                }
+            }
+        }
+        console.log(`Gitleaks:     ${gitleaksStatus}`);
+        // --- Claude Code hooks ---
+        const settingsPath = path.join(home, ".claude", "settings.json");
+        let pretoolOk = false;
+        let posttoolOk = false;
+        if (fs.existsSync(settingsPath)) {
+            try {
+                const settings = JSON.parse(fs.readFileSync(settingsPath, "utf-8"));
+                const hooks = settings.hooks ?? {};
+                for (const entry of hooks.PreToolUse ?? []) {
+                    for (const h of entry.hooks ?? []) {
+                        if (String(h.command ?? "").includes("rafter hook pretool"))
+                            pretoolOk = true;
+                    }
+                }
+                for (const entry of hooks.PostToolUse ?? []) {
+                    for (const h of entry.hooks ?? []) {
+                        if (String(h.command ?? "").includes("rafter hook posttool"))
+                            posttoolOk = true;
+                    }
+                }
+            }
+            catch {
+                // unreadable settings
+            }
+        }
+        console.log(`PreToolUse:   ${pretoolOk ? "installed" : "not installed — run: rafter agent init"}`);
+        console.log(`PostToolUse:  ${posttoolOk ? "installed" : "not installed — run: rafter agent init"}`);
+        // --- OpenClaw skill ---
+        const skillPath = path.join(home, ".openclaw", "skills", "rafter-security.md");
+        const openclawDir = path.join(home, ".openclaw");
+        if (fs.existsSync(skillPath)) {
+            console.log(`OpenClaw:     skill installed (${skillPath})`);
+        }
+        else if (fs.existsSync(openclawDir)) {
+            console.log("OpenClaw:     detected but skill missing — run: rafter agent init");
+        }
+        else {
+            console.log("OpenClaw:     not detected (optional)");
+        }
+        // --- Audit log summary ---
+        console.log(`\nAudit log:    ${auditPath}`);
+        if (fs.existsSync(auditPath)) {
+            const logger = new AuditLogger();
+            const allEntries = logger.read();
+            const total = allEntries.length;
+            const secrets = allEntries.filter((e) => e.eventType === "secret_detected").length;
+            const blocked = allEntries.filter((e) => e.eventType === "command_intercepted" && e.resolution?.actionTaken === "blocked").length;
+            console.log(`Total events: ${total}  |  Secrets detected: ${secrets}  |  Commands blocked: ${blocked}`);
+            const recent = logger.read({ limit: 5 });
+            if (recent.length > 0) {
+                console.log("\nRecent events:");
+                for (const e of [...recent].reverse()) {
+                    const ts = (e.timestamp ?? "").slice(0, 19).replace("T", " ");
+                    const action = e.resolution?.actionTaken ?? "";
+                    console.log(`  ${ts}  ${e.eventType}  [${action}]`);
+                }
+            }
+        }
+        else {
+            console.log("No events logged yet.");
+        }
+        console.log();
+    });
+}

package/dist/commands/agent/update-gitleaks.js

@@ -0,0 +1,40 @@
+import { Command } from "commander";
+import { BinaryManager, GITLEAKS_VERSION } from "../../utils/binary-manager.js";
+import { fmt } from "../../utils/formatter.js";
+export function createUpdateGitleaksCommand() {
+    return new Command("update-gitleaks")
+        .description("Update (or reinstall) the managed gitleaks binary")
+        .option("--version <version>", "Gitleaks version to install", GITLEAKS_VERSION)
+        .action(async (opts) => {
+        const bm = new BinaryManager();
+        if (!bm.isPlatformSupported()) {
+            const { platform, arch } = bm.getPlatformInfo();
+            console.error(fmt.error(`Gitleaks not available for ${platform}/${arch}`));
+            process.exit(1);
+        }
+        // Show current version if installed
+        if (bm.isGitleaksInstalled()) {
+            const current = await bm.getGitleaksVersion();
+            console.log(fmt.info(`Current: ${current}`));
+        }
+        else {
+            console.log(fmt.info("Gitleaks not currently installed (managed binary)"));
+        }
+        console.log(fmt.info(`Installing gitleaks v${opts.version}...`));
+        console.log();
+        try {
+            await bm.downloadGitleaks((msg) => console.log(`   ${msg}`), opts.version);
+            console.log();
+            const installed = await bm.getGitleaksVersion();
+            console.log(fmt.success(`Gitleaks updated: ${installed}`));
+            console.log(fmt.info(`  Binary: ${bm.getGitleaksPath()}`));
+        }
+        catch (e) {
+            console.log();
+            console.error(fmt.error(`Update failed: ${e}`));
+            console.log(fmt.info("To fix: install gitleaks manually (https://github.com/gitleaks/gitleaks/releases) " +
+                "and ensure it is on PATH."));
+            process.exit(1);
+        }
+    });
+}

package/dist/commands/agent/verify.js

@@ -0,0 +1,117 @@
+import { Command } from "commander";
+import { BinaryManager } from "../../utils/binary-manager.js";
+import { SkillManager } from "../../utils/skill-manager.js";
+import fs from "fs";
+import path from "path";
+import os from "os";
+import { fmt } from "../../utils/formatter.js";
+async function checkGitleaks() {
+    const binaryManager = new BinaryManager();
+    const name = "Gitleaks";
+    // Check PATH first (e.g. Homebrew), then fall back to ~/.rafter/bin
+    const pathBinary = binaryManager.findGitleaksOnPath();
+    const hasBinary = pathBinary !== null || binaryManager.isGitleaksInstalled();
+    if (!hasBinary) {
+        return { name, passed: false, detail: `Not found on PATH or at ${binaryManager.getGitleaksPath()}` };
+    }
+    const binaryPath = pathBinary ?? binaryManager.getGitleaksPath();
+    const { ok, stdout, stderr } = await binaryManager.verifyGitleaksVerbose(binaryPath);
+    if (!ok) {
+        const diag = await binaryManager.collectBinaryDiagnostics(binaryPath);
+        return { name, passed: false, detail: `Binary found at ${binaryPath} but failed to execute\n${stdout ? `  stdout: ${stdout}\n` : ""}${stderr ? `  stderr: ${stderr}\n` : ""}${diag}` };
+    }
+    return { name, passed: true, detail: `${stdout} (${binaryPath})` };
+}
+function checkConfig() {
+    const name = "Config";
+    const configPath = path.join(os.homedir(), ".rafter", "config.json");
+    if (!fs.existsSync(configPath)) {
+        return { name, passed: false, detail: `Not found: ${configPath}` };
+    }
+    try {
+        const content = fs.readFileSync(configPath, "utf-8");
+        JSON.parse(content);
+        return { name, passed: true, detail: configPath };
+    }
+    catch (e) {
+        return { name, passed: false, detail: `Invalid JSON: ${configPath} — ${e}` };
+    }
+}
+function checkClaudeCode() {
+    const name = "Claude Code";
+    const homeDir = os.homedir();
+    // optional: warn if absent but don't fail exit code
+    const claudeDir = path.join(homeDir, ".claude");
+    if (!fs.existsSync(claudeDir)) {
+        return { name, passed: false, optional: true, detail: `Not detected — run 'rafter agent init --claude-code' to enable` };
+    }
+    const settingsPath = path.join(claudeDir, "settings.json");
+    if (!fs.existsSync(settingsPath)) {
+        return { name, passed: false, optional: true, detail: `Settings file not found: ${settingsPath}` };
+    }
+    try {
+        const settings = JSON.parse(fs.readFileSync(settingsPath, "utf-8"));
+        const hooks = settings?.hooks?.PreToolUse || [];
+        const hasRafterHook = hooks.some((entry) => (entry.hooks || []).some((h) => h.command === "rafter hook pretool"));
+        if (!hasRafterHook) {
+            return { name, passed: false, optional: true, detail: "Rafter hooks not installed — run 'rafter agent init --claude-code'" };
+        }
+        return { name, passed: true, detail: "Hooks installed" };
+    }
+    catch (e) {
+        return { name, passed: false, optional: true, detail: `Cannot read settings: ${e}` };
+    }
+}
+function checkOpenClaw() {
+    const name = "OpenClaw";
+    const skillManager = new SkillManager();
+    if (!skillManager.isOpenClawInstalled()) {
+        return { name, passed: false, optional: true, detail: `Not detected — run 'rafter agent init' to enable` };
+    }
+    if (!skillManager.isRafterSkillInstalled()) {
+        return { name, passed: false, optional: true, detail: `Rafter skill not installed — run 'rafter agent init'` };
+    }
+    const version = skillManager.getInstalledVersion();
+    return { name, passed: true, detail: `Rafter skill installed${version ? ` (v${version})` : ""}` };
+}
+export function createVerifyCommand() {
+    return new Command("verify")
+        .description("Check agent security integration status")
+        .action(async () => {
+        console.log(fmt.header("Rafter Agent Verify"));
+        console.log(fmt.divider());
+        console.log();
+        const results = [
+            checkConfig(),
+            await checkGitleaks(),
+            checkClaudeCode(),
+            checkOpenClaw(),
+        ];
+        for (const r of results) {
+            if (r.passed) {
+                console.log(fmt.success(`${r.name}: ${r.detail}`));
+            }
+            else if (r.optional) {
+                console.log(fmt.warning(`${r.name}: ${r.detail}`));
+            }
+            else {
+                console.log(fmt.error(`${r.name}: FAIL — ${r.detail}`));
+            }
+        }
+        console.log();
+        const hardFailed = results.filter((r) => !r.passed && !r.optional);
+        const warned = results.filter((r) => !r.passed && r.optional);
+        const passed = results.filter((r) => r.passed);
+        if (hardFailed.length === 0) {
+            const warnNote = warned.length > 0 ? ` (${warned.length} optional check${warned.length > 1 ? "s" : ""} not configured)` : "";
+            console.log(fmt.success(`${passed.length}/${results.length} core checks passed${warnNote}`));
+        }
+        else {
+            console.log(fmt.error(`${hardFailed.length} check${hardFailed.length > 1 ? "s" : ""} failed`));
+        }
+        console.log();
+        if (hardFailed.length > 0) {
+            process.exit(1);
+        }
+    });
+}