@rafter-security/cli 0.5.1 → 0.5.5

package/dist/core/custom-patterns.js

@@ -0,0 +1,157 @@
+/**
+ * Load custom secret patterns from ~/.rafter/patterns/
+ * and suppression rules from .rafterignore.
+ */
+import fs from "fs";
+import path from "path";
+import { getRafterDir } from "./config-defaults.js";
+// ---------------------------------------------------------------------------
+// Custom pattern loading
+// ---------------------------------------------------------------------------
+/**
+ * Load user-defined patterns from ~/.rafter/patterns/*.txt and *.json.
+ *
+ * .txt  — one regex per line (comments with # ignored)
+ * .json — array of {name, pattern, severity?} objects
+ *
+ * Returns Pattern[] merged with DEFAULT_SECRET_PATTERNS by callers.
+ */
+export function loadCustomPatterns() {
+    const patternsDir = path.join(getRafterDir(), "patterns");
+    if (!fs.existsSync(patternsDir))
+        return [];
+    const results = [];
+    let entries;
+    try {
+        entries = fs.readdirSync(patternsDir, { withFileTypes: true });
+    }
+    catch {
+        return [];
+    }
+    for (const entry of entries) {
+        if (!entry.isFile())
+            continue;
+        const file = path.join(patternsDir, entry.name);
+        const ext = path.extname(entry.name).toLowerCase();
+        if (ext === ".txt") {
+            results.push(...loadTxtPatterns(file));
+        }
+        else if (ext === ".json") {
+            results.push(...loadJsonPatterns(file));
+        }
+    }
+    return results;
+}
+function loadTxtPatterns(file) {
+    try {
+        const lines = fs.readFileSync(file, "utf-8").split("\n");
+        const patterns = [];
+        for (const raw of lines) {
+            const line = raw.trim();
+            if (!line || line.startsWith("#"))
+                continue;
+            patterns.push({
+                name: `Custom (${path.basename(file, ".txt")})`,
+                regex: line,
+                severity: "high",
+            });
+        }
+        return patterns;
+    }
+    catch {
+        return [];
+    }
+}
+function loadJsonPatterns(file) {
+    try {
+        const data = JSON.parse(fs.readFileSync(file, "utf-8"));
+        if (!Array.isArray(data))
+            return [];
+        const patterns = [];
+        for (const entry of data) {
+            if (typeof entry.pattern !== "string")
+                continue;
+            patterns.push({
+                name: entry.name ?? `Custom (${path.basename(file, ".json")})`,
+                regex: entry.pattern,
+                severity: entry.severity ?? "high",
+                description: entry.description,
+            });
+        }
+        return patterns;
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Parse .rafterignore from the given directory (project root).
+ *
+ * Format — one entry per line:
+ *   path/glob                     → suppress all findings in matching files
+ *   path/glob:pattern-name        → suppress specific pattern in matching files
+ *
+ * Lines starting with # are comments.
+ */
+export function loadSuppressions(projectRoot = process.cwd()) {
+    const file = path.join(projectRoot, ".rafterignore");
+    if (!fs.existsSync(file))
+        return [];
+    const suppressions = [];
+    try {
+        const lines = fs.readFileSync(file, "utf-8").split("\n");
+        for (const raw of lines) {
+            const line = raw.trim();
+            if (!line || line.startsWith("#"))
+                continue;
+            const colonIdx = line.indexOf(":");
+            if (colonIdx === -1) {
+                suppressions.push({ pathGlob: line });
+            }
+            else {
+                suppressions.push({
+                    pathGlob: line.slice(0, colonIdx).trim(),
+                    patternName: line.slice(colonIdx + 1).trim() || undefined,
+                });
+            }
+        }
+    }
+    catch {
+        // ignore unreadable .rafterignore
+    }
+    return suppressions;
+}
+/**
+ * Returns true if a finding should be suppressed.
+ */
+export function isSuppressed(filePath, patternName, suppressions) {
+    for (const s of suppressions) {
+        if (matchGlob(s.pathGlob, filePath)) {
+            if (!s.patternName || s.patternName.toLowerCase() === patternName.toLowerCase()) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+/**
+ * Minimal glob matcher: supports * (within segment) and ** (cross-segment).
+ * Not full micromatch — covers the 90% case for .rafterignore.
+ */
+function matchGlob(glob, filePath) {
+    // Normalise separators
+    const g = glob.replace(/\\/g, "/");
+    const f = filePath.replace(/\\/g, "/");
+    // Escape regex special chars except * which we handle specially
+    const escaped = g
+        .replace(/[.+^${}()|[\]\\]/g, "\\$&")
+        .replace(/\*\*/g, "\x00") // placeholder for **
+        .replace(/\*/g, "[^/]*") // * = anything within one segment
+        .replace(/\x00/g, ".*"); // ** = anything including /
+    try {
+        return new RegExp(`(^|/)${escaped}(/|$)`).test(f);
+    }
+    catch {
+        return false;
+    }
+}

package/dist/core/risk-rules.js

@@ -17,7 +17,10 @@ export const HIGH_PATTERNS = [
     /chmod\s+777/,
     /curl.*\|\s*(bash|sh|zsh|dash)\b/,
     /wget.*\|\s*(bash|sh|zsh|dash)\b/,
-    /git\s+push\s+--force/,
+    /git\s+push\b.*\s--force\b/, // --force anywhere after push
+    /git\s+push\b.*\s-[a-zA-Z]*f\b/, // -f or combined flags like -vf
+    /git\s+push\b.*\s--force-(with-lease|if-includes)\b/, // specific force variants
+    /git\s+push\s+\S*\s+\+/, // refspec force: git push origin +main
     /docker\s+system\s+prune/,
     /npm\s+publish/,
     /pypi.*upload/,
@@ -45,6 +48,10 @@ export const DEFAULT_REQUIRE_APPROVAL = [
     "wget.*\\|\\s*(bash|sh|zsh|dash)\\b",
     "chmod 777",
     "git push --force",
+    "git push -f",
+    "git push --force-with-lease",
+    "git push --force-if-includes",
+    "git push .* \\+",
 ];
 /**
  * Assess risk level of a command string.

package/dist/index.js

@@ -9,10 +9,11 @@ import { createCiCommand } from "./commands/ci/index.js";
 import { createHookCommand } from "./commands/hook/index.js";
 import { createMcpCommand } from "./commands/mcp/index.js";
 import { createPolicyCommand } from "./commands/policy/index.js";
+import { createCompletionCommand } from "./commands/completion.js";
 import { checkForUpdate } from "./utils/update-checker.js";
 import { setAgentMode } from "./utils/formatter.js";
 dotenv.config();
-const VERSION = "0.5.0";
+const VERSION = "0.5.5";
 const program = new Command()
     .name("rafter")
     .description("Rafter CLI")
@@ -39,6 +40,8 @@ program.addCommand(createHookCommand());
 program.addCommand(createMcpCommand());
 // Policy commands
 program.addCommand(createPolicyCommand());
+// Shell completions
+program.addCommand(createCompletionCommand());
 // Non-blocking update check — runs after command, prints to stderr
 checkForUpdate(VERSION).then((notice) => {
     if (notice)

package/dist/scanners/regex-scanner.js

@@ -2,9 +2,10 @@ import fs from "fs";
 import path from "path";
 import { PatternEngine } from "../core/pattern-engine.js";
 import { DEFAULT_SECRET_PATTERNS } from "./secret-patterns.js";
+import { loadCustomPatterns, loadSuppressions, isSuppressed } from "../core/custom-patterns.js";
 export class RegexScanner {
     constructor(customPatterns) {
-        const patterns = [...DEFAULT_SECRET_PATTERNS];
+        const patterns = [...DEFAULT_SECRET_PATTERNS, ...loadCustomPatterns()];
         if (customPatterns) {
             for (const cp of customPatterns) {
                 patterns.push({
@@ -15,6 +16,7 @@ export class RegexScanner {
             }
         }
         this.engine = new PatternEngine(patterns);
+        this.suppressions = loadSuppressions();
     }
     /**
      * Scan a single file for secrets
@@ -22,18 +24,12 @@ export class RegexScanner {
     scanFile(filePath) {
         try {
             const content = fs.readFileSync(filePath, "utf-8");
-            const matches = this.engine.scanWithPosition(content);
-            return {
-                file: filePath,
-                matches
-            };
+            const raw = this.engine.scanWithPosition(content);
+            const matches = raw.filter((m) => !isSuppressed(filePath, m.pattern.name, this.suppressions));
+            return { file: filePath, matches };
         }
         catch (e) {
-            // If file can't be read (binary, permissions, etc.), return empty matches
-            return {
-                file: filePath,
-                matches: []
-            };
+            return { file: filePath, matches: [] };
         }
     }
     /**

package/dist/utils/binary-manager.js

@@ -1,12 +1,13 @@
 import fs from "fs";
+import os from "os";
 import path from "path";
 import https from "https";
-import { exec } from "child_process";
+import { exec, execSync } from "child_process";
 import { promisify } from "util";
 import { getBinDir } from "../core/config-defaults.js";
 import * as tar from "tar";
 const execAsync = promisify(exec);
-const GITLEAKS_VERSION = "8.18.2";
+export const GITLEAKS_VERSION = "8.18.2";
 export class BinaryManager {
     constructor() {
         this.binDir = getBinDir();
@@ -52,6 +53,20 @@ export class BinaryManager {
         const gitleaksPath = this.getGitleaksPath();
         return fs.existsSync(gitleaksPath);
     }
+    /**
+     * Find gitleaks on system PATH (like Python's shutil.which)
+     */
+    findGitleaksOnPath() {
+        const cmd = process.platform === "win32" ? "where gitleaks" : "which gitleaks";
+        try {
+            const result = execSync(cmd, { timeout: 5000, encoding: "utf-8" });
+            const found = result.trim().split("\n")[0].trim();
+            return found || null;
+        }
+        catch {
+            return null;
+        }
+    }
     /**
      * Verify Gitleaks binary works
      */
@@ -70,9 +85,72 @@ export class BinaryManager {
         }
     }
     /**
-     * Download and install Gitleaks
+     * Run gitleaks version and return {ok, stdout, stderr}
+     */
+    async verifyGitleaksVerbose(binaryPath) {
+        const gitleaksPath = binaryPath ?? this.getGitleaksPath();
+        try {
+            const { stdout, stderr } = await execAsync(`"${gitleaksPath}" version`, { timeout: 5000 });
+            const ok = stdout.includes("gitleaks version");
+            return { ok, stdout: stdout.trim(), stderr: stderr.trim() };
+        }
+        catch (e) {
+            const err = e;
+            return {
+                ok: false,
+                stdout: (err.stdout ?? "").trim(),
+                stderr: (err.stderr ?? String(e)).trim(),
+            };
+        }
+    }
+    /**
+     * Collect diagnostic context for a failed binary (file type, uname, glibc/musl)
      */
-    async downloadGitleaks(onProgress) {
+    async collectBinaryDiagnostics(binaryPath) {
+        const gitleaksPath = binaryPath ?? this.getGitleaksPath();
+        const lines = [];
+        try {
+            const { stdout: fileOut } = await execAsync(`file "${gitleaksPath}"`, { timeout: 5000 });
+            lines.push(`  file: ${fileOut.trim()}`);
+        }
+        catch {
+            lines.push(`  file: (unavailable)`);
+        }
+        try {
+            const { stdout: uname } = await execAsync("uname -a", { timeout: 5000 });
+            lines.push(`  uname: ${uname.trim()}`);
+        }
+        catch {
+            lines.push(`  uname: (unavailable)`);
+        }
+        lines.push(`  node arch: ${process.arch}, platform: ${process.platform}`);
+        // Detect glibc vs musl on Linux
+        if (process.platform === "linux") {
+            try {
+                const { stdout: ldd } = await execAsync("ldd --version 2>&1 || true", { timeout: 5000 });
+                if (ldd.includes("musl")) {
+                    lines.push("  libc: musl (gitleaks linux builds target glibc; musl systems need a musl build or static binary)");
+                }
+                else if (ldd.includes("GLIBC") || ldd.includes("GNU")) {
+                    const match = ldd.match(/(\d+\.\d+)/);
+                    lines.push(`  libc: glibc ${match ? match[1] : "(version unknown)"}`);
+                }
+                else {
+                    lines.push("  libc: unknown");
+                }
+            }
+            catch {
+                lines.push("  libc: (detection failed)");
+            }
+        }
+        return lines.join("\n");
+    }
+    /**
+     * Download and install Gitleaks.
+     * @param onProgress  Optional progress callback.
+     * @param version     Gitleaks version to install (defaults to GITLEAKS_VERSION).
+     */
+    async downloadGitleaks(onProgress, version = GITLEAKS_VERSION) {
         const log = onProgress || (() => { });
         // Check platform support
         if (!this.isPlatformSupported()) {
@@ -84,17 +162,20 @@ export class BinaryManager {
         }
         const platform = this.getPlatformString();
         const arch = this.getArchString();
-        const url = this.getDownloadUrl(platform, arch);
-        log(`Downloading Gitleaks v${GITLEAKS_VERSION} for ${platform}/${arch}...`);
+        const url = this.getDownloadUrl(platform, arch, version);
+        log(`Downloading Gitleaks v${version} for ${platform}/${arch}...`);
+        log(`  URL: ${url}`);
         const archivePath = path.join(this.binDir, platform === "windows" ? "gitleaks.zip" : "gitleaks.tar.gz");
         try {
             // Download archive
             await this.downloadFile(url, archivePath, log);
+            // Log downloaded file size as basic integrity signal
+            const stats = fs.statSync(archivePath);
+            log(`  Downloaded: ${(stats.size / 1024).toFixed(1)} KB`);
             // Extract binary
             log("Extracting binary...");
             if (platform === "windows") {
-                // For Windows, we'd need unzip - for now just error
-                throw new Error("Windows support coming soon");
+                await this.extractZip(archivePath);
             }
             else {
                 await this.extractTarball(archivePath);
@@ -102,12 +183,22 @@ export class BinaryManager {
             // Make executable (Unix systems)
             if (process.platform !== "win32") {
                 await execAsync(`chmod +x "${this.getGitleaksPath()}"`);
+                log("  chmod +x applied");
             }
-            // Verify it works
-            const works = await this.verifyGitleaks();
-            if (!works) {
-                throw new Error("Downloaded binary doesn't execute correctly");
+            // Verify it works — capture output for diagnostics
+            const { ok, stdout: verOut, stderr: verErr } = await this.verifyGitleaksVerbose();
+            if (!ok) {
+                const diag = await this.collectBinaryDiagnostics();
+                const binaryPath = this.getGitleaksPath();
+                throw new Error(`Gitleaks binary failed to execute.\n` +
+                    `  Binary: ${binaryPath}\n` +
+                    `  URL: ${url}\n` +
+                    (verOut ? `  gitleaks version stdout: ${verOut}\n` : "") +
+                    (verErr ? `  gitleaks version stderr: ${verErr}\n` : "") +
+                    `Diagnostics:\n${diag}\n` +
+                    `Fix: ensure the binary matches your OS/arch, or install gitleaks manually and ensure it is on PATH.`);
             }
+            log(`  Verified: ${verOut}`);
             // Clean up archive
             if (fs.existsSync(archivePath)) {
                 fs.unlinkSync(archivePath);
@@ -166,15 +257,15 @@ export class BinaryManager {
         throw new Error(`Unsupported architecture: ${arch}`);
     }
     /**
-     * Get download URL for platform/arch
+     * Get download URL for platform/arch/version
      */
-    getDownloadUrl(platform, arch) {
-        const baseUrl = `https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}`;
+    getDownloadUrl(platform, arch, version = GITLEAKS_VERSION) {
+        const baseUrl = `https://github.com/gitleaks/gitleaks/releases/download/v${version}`;
         if (platform === "windows") {
-            return `${baseUrl}/gitleaks_${GITLEAKS_VERSION}_windows_${arch}.zip`;
+            return `${baseUrl}/gitleaks_${version}_windows_${arch}.zip`;
         }
         else {
-            return `${baseUrl}/gitleaks_${GITLEAKS_VERSION}_${platform}_${arch}.tar.gz`;
+            return `${baseUrl}/gitleaks_${version}_${platform}_${arch}.tar.gz`;
         }
     }
     /**
@@ -231,13 +322,53 @@ export class BinaryManager {
         });
     }
     /**
-     * Extract tarball
+     * Extract zip (Windows) — uses PowerShell's Expand-Archive, then copies
+     * only the gitleaks.exe binary to binDir. Cleans up the temp extract dir.
+     */
+    async extractZip(zipPath) {
+        const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "rafter-gitleaks-"));
+        try {
+            // PowerShell 5+ ships on all supported Windows versions
+            await execAsync(`powershell -NoProfile -Command "Expand-Archive -Force -LiteralPath '${zipPath}' -DestinationPath '${tempDir}'"`, { timeout: 30000 });
+            // Find gitleaks.exe — may be at root or inside a subdirectory
+            const findBinary = (dir) => {
+                for (const entry of fs.readdirSync(dir)) {
+                    const full = path.join(dir, entry);
+                    if (entry === "gitleaks.exe")
+                        return full;
+                    if (fs.statSync(full).isDirectory()) {
+                        const found = findBinary(full);
+                        if (found)
+                            return found;
+                    }
+                }
+                return null;
+            };
+            const found = findBinary(tempDir);
+            if (!found)
+                throw new Error("gitleaks.exe not found in archive");
+            fs.copyFileSync(found, path.join(this.binDir, "gitleaks.exe"));
+        }
+        finally {
+            fs.rmSync(tempDir, { recursive: true, force: true });
+        }
+    }
+    /**
+     * Extract tarball — binary only, strip packaging extras (LICENSE, README.md).
+     *
+     * The gitleaks release tarball has all files at the archive root (no top-level
+     * directory), so strip: 0 (the default). With strip: 1, node-tar reduces the
+     * single-component paths to empty strings; the filter never matches "gitleaks"
+     * and nothing is extracted. The filter alone is sufficient.
      */
     async extractTarball(tarballPath) {
         await tar.extract({
             file: tarballPath,
             cwd: this.binDir,
-            strip: 0
+            filter: (p) => {
+                const base = path.basename(p);
+                return base === "gitleaks" || base === "gitleaks.exe";
+            },
         });
     }
 }

package/dist/utils/skill-manager.js

@@ -151,17 +151,17 @@ export class SkillManager {
         }
     }
     /**
-     * Install Rafter Security skill to OpenClaw
+     * Install Rafter Security skill to OpenClaw (verbose result)
      */
-    async installRafterSkill(force = false) {
-        if (!this.isOpenClawInstalled()) {
-            return false;
-        }
+    async installRafterSkillVerbose(force = false) {
         const skillPath = this.getRafterSkillPath();
         const sourcePath = this.getRafterSkillSourcePath();
+        if (!this.isOpenClawInstalled()) {
+            return { ok: false, sourcePath, destPath: skillPath, error: `OpenClaw skills directory not found: ${this.getOpenClawSkillsDir()}` };
+        }
         // Check if already installed and not forcing
         if (!force && this.isRafterSkillInstalled()) {
-            return true;
+            return { ok: true, sourcePath, destPath: skillPath };
         }
         try {
             // Ensure skills directory exists
@@ -169,6 +169,10 @@ export class SkillManager {
             if (!fs.existsSync(skillsDir)) {
                 fs.mkdirSync(skillsDir, { recursive: true });
             }
+            // Verify source exists
+            if (!fs.existsSync(sourcePath)) {
+                return { ok: false, sourcePath, destPath: skillPath, error: `Source skill file not found: ${sourcePath}` };
+            }
             // Copy skill file
             const sourceContent = fs.readFileSync(sourcePath, "utf-8");
             fs.writeFileSync(skillPath, sourceContent, "utf-8");
@@ -180,12 +184,21 @@ export class SkillManager {
             }
             // Migrate old skill-auditor if present
             await this.migrateOldSkill();
-            return true;
+            return { ok: true, sourcePath, destPath: skillPath };
         }
         catch (e) {
-            console.error(`Failed to install Rafter Security skill: ${e}`);
-            return false;
+            return { ok: false, sourcePath, destPath: skillPath, error: String(e) };
+        }
+    }
+    /**
+     * Install Rafter Security skill to OpenClaw
+     */
+    async installRafterSkill(force = false) {
+        const result = await this.installRafterSkillVerbose(force);
+        if (!result.ok && result.error) {
+            console.error(`Failed to install Rafter Security skill: ${result.error}`);
         }
+        return result.ok;
     }
     /**
      * Backup current skill before updating

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rafter-security/cli",
-  "version": "0.5.1",
+  "version": "0.5.5",
   "type": "module",
   "bin": {
     "rafter": "./dist/index.js"

package/resources/pre-push-hook.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# Rafter Security Pre-Push Hook
+# Scans commits being pushed for secrets
+
+# Colors for output
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+NC='\033[0m' # No Color
+
+# Check if rafter is installed
+if ! command -v rafter &> /dev/null; then
+    echo -e "${YELLOW}⚠️  Warning: rafter CLI not found in PATH${NC}"
+    echo "   Install: npm install -g @rafter-security/cli"
+    echo "   Skipping secret scan..."
+    exit 0
+fi
+
+ZERO_SHA="0000000000000000000000000000000000000000"
+FOUND_SECRETS=0
+
+while read local_ref local_sha remote_ref remote_sha; do
+    # Skip branch deletions
+    if [ "$local_sha" = "$ZERO_SHA" ]; then
+        continue
+    fi
+
+    if [ "$remote_sha" = "$ZERO_SHA" ]; then
+        # New branch — scan all commits on this branch not on any remote branch
+        ref_arg=$(git rev-list --max-parents=0 "$local_sha" 2>/dev/null | head -1)
+        if [ -z "$ref_arg" ]; then
+            ref_arg="$local_sha^"
+        fi
+    else
+        # Existing branch — scan only new commits
+        ref_arg="$remote_sha"
+    fi
+
+    echo "🔍 Rafter: Scanning commits being pushed ($local_ref)..."
+
+    rafter agent scan --diff "$ref_arg" --quiet
+    EXIT_CODE=$?
+
+    if [ $EXIT_CODE -ne 0 ]; then
+        FOUND_SECRETS=1
+    fi
+done
+
+if [ $FOUND_SECRETS -ne 0 ]; then
+    echo -e "${RED}❌ Push blocked: Secrets detected in commits being pushed${NC}"
+    echo ""
+    echo "   Run: rafter agent scan --diff <remote-sha>"
+    echo "   To see details and remediate."
+    echo ""
+    echo "   To bypass (NOT recommended): git push --no-verify"
+    exit 1
+fi
+
+echo -e "${GREEN}✓ No secrets detected${NC}"
+exit 0

package/resources/rafter-security-skill.md

@@ -46,6 +46,13 @@ rafter agent scan <path>
 - Private keys (RSA, SSH, etc.)
 - 21+ secret patterns
 
+**Exit codes:**
+- `0` — clean, no secrets
+- `1` — secrets found
+- `2` — runtime error (path not found, not a git repo)
+
+**JSON output** (`--json`): Array of `{file, matches[]}` objects. Each match contains `pattern` (name, severity, description), `line`, `column`, and `redacted` value. Raw secrets are never included.
+
 ---
 
 ### /rafter-bash