@rafter-security/cli 0.5.3 → 0.5.5

package/dist/commands/agent/audit-skill.js

@@ -18,7 +18,7 @@ async function auditSkill(skillPath, opts) {
     // Validate skill file exists
     if (!fs.existsSync(skillPath)) {
         console.error(`Error: Skill file not found: ${skillPath}`);
-        process.exit(1);
+        process.exit(2);
     }
     const absolutePath = path.resolve(skillPath);
     const skillContent = fs.readFileSync(absolutePath, "utf-8");

package/dist/commands/agent/baseline.js

@@ -0,0 +1,203 @@
+import { Command } from "commander";
+import fs from "fs";
+import os from "os";
+import path from "path";
+import { fmt } from "../../utils/formatter.js";
+import { RegexScanner } from "../../scanners/regex-scanner.js";
+import { GitleaksScanner } from "../../scanners/gitleaks.js";
+import { ConfigManager } from "../../core/config-manager.js";
+const BASELINE_PATH = path.join(os.homedir(), ".rafter", "baseline.json");
+function loadBaseline() {
+    if (!fs.existsSync(BASELINE_PATH)) {
+        return { version: 1, created: "", updated: "", entries: [] };
+    }
+    try {
+        return JSON.parse(fs.readFileSync(BASELINE_PATH, "utf-8"));
+    }
+    catch {
+        return { version: 1, created: "", updated: "", entries: [] };
+    }
+}
+function saveBaseline(baseline) {
+    const dir = path.dirname(BASELINE_PATH);
+    if (!fs.existsSync(dir)) {
+        fs.mkdirSync(dir, { recursive: true });
+    }
+    fs.writeFileSync(BASELINE_PATH, JSON.stringify(baseline, null, 2), "utf-8");
+}
+export function createBaselineCommand() {
+    const baseline = new Command("baseline")
+        .description("Manage the findings baseline (allowlist for known findings)");
+    baseline.addCommand(createBaselineCreateCommand());
+    baseline.addCommand(createBaselineShowCommand());
+    baseline.addCommand(createBaselineClearCommand());
+    baseline.addCommand(createBaselineAddCommand());
+    return baseline;
+}
+function createBaselineCreateCommand() {
+    return new Command("create")
+        .description("Scan and save all current findings as the baseline")
+        .argument("[path]", "Path to scan", ".")
+        .option("--engine <engine>", "Scan engine: gitleaks or patterns", "auto")
+        .action(async (scanPath, opts) => {
+        const resolvedPath = path.resolve(scanPath);
+        if (!fs.existsSync(resolvedPath)) {
+            console.error(`Error: Path not found: ${resolvedPath}`);
+            process.exit(2);
+        }
+        const manager = new ConfigManager();
+        const cfg = manager.loadWithPolicy();
+        const scanCfg = cfg.agent?.scan;
+        console.error(`Scanning ${resolvedPath} to build baseline...`);
+        const engine = await selectEngine(opts.engine || "auto");
+        let results;
+        if (fs.statSync(resolvedPath).isDirectory()) {
+            results = await scanDirectory(resolvedPath, engine, scanCfg);
+        }
+        else {
+            results = await scanFile(resolvedPath, engine);
+        }
+        const now = new Date().toISOString();
+        const entries = [];
+        for (const r of results) {
+            for (const m of r.matches) {
+                entries.push({
+                    file: r.file,
+                    line: m.line ?? null,
+                    pattern: m.pattern.name,
+                    addedAt: now,
+                });
+            }
+        }
+        const existing = loadBaseline();
+        const baseline = {
+            version: 1,
+            created: existing.created || now,
+            updated: now,
+            entries,
+        };
+        saveBaseline(baseline);
+        if (entries.length === 0) {
+            console.log(fmt.success("No findings — baseline is empty (all clean)"));
+        }
+        else {
+            console.log(fmt.success(`Baseline saved: ${entries.length} finding(s) recorded`));
+            console.log(`  Location: ${BASELINE_PATH}`);
+            console.log();
+            console.log("Future scans with --baseline will suppress these findings.");
+        }
+    });
+}
+function createBaselineShowCommand() {
+    return new Command("show")
+        .description("Show current baseline entries")
+        .option("--json", "Output as JSON")
+        .action((opts) => {
+        const baseline = loadBaseline();
+        if (opts.json) {
+            console.log(JSON.stringify(baseline, null, 2));
+            return;
+        }
+        if (baseline.entries.length === 0) {
+            console.log("Baseline is empty. Run: rafter agent baseline create");
+            return;
+        }
+        console.log(`Baseline: ${baseline.entries.length} entries`);
+        if (baseline.updated) {
+            console.log(`Updated: ${baseline.updated}`);
+        }
+        console.log();
+        // Group by file
+        const byFile = new Map();
+        for (const entry of baseline.entries) {
+            const list = byFile.get(entry.file) || [];
+            list.push(entry);
+            byFile.set(entry.file, list);
+        }
+        for (const [file, entries] of byFile) {
+            console.log(fmt.info(file));
+            for (const e of entries) {
+                const loc = e.line != null ? `line ${e.line}` : "unknown location";
+                console.log(`  ${e.pattern} (${loc})`);
+            }
+            console.log();
+        }
+    });
+}
+function createBaselineClearCommand() {
+    return new Command("clear")
+        .description("Remove all baseline entries")
+        .action(() => {
+        if (!fs.existsSync(BASELINE_PATH)) {
+            console.log("No baseline file found — nothing to clear.");
+            return;
+        }
+        fs.unlinkSync(BASELINE_PATH);
+        console.log(fmt.success("Baseline cleared"));
+    });
+}
+function createBaselineAddCommand() {
+    return new Command("add")
+        .description("Manually add a finding to the baseline")
+        .requiredOption("--file <path>", "File path")
+        .requiredOption("--pattern <name>", "Pattern name (e.g. 'AWS Access Key')")
+        .option("--line <number>", "Line number")
+        .action((opts) => {
+        const baseline = loadBaseline();
+        const now = new Date().toISOString();
+        const entry = {
+            file: path.resolve(opts.file),
+            line: opts.line != null ? parseInt(opts.line, 10) : null,
+            pattern: opts.pattern,
+            addedAt: now,
+        };
+        baseline.entries.push(entry);
+        baseline.updated = now;
+        if (!baseline.created)
+            baseline.created = now;
+        saveBaseline(baseline);
+        console.log(fmt.success(`Added to baseline: ${opts.pattern} in ${opts.file}`));
+    });
+}
+// ── helpers ─────────────────────────────────────────────────────────
+async function selectEngine(preference) {
+    if (preference === "patterns")
+        return "patterns";
+    if (preference === "gitleaks") {
+        const g = new GitleaksScanner();
+        return (await g.isAvailable()) ? "gitleaks" : "patterns";
+    }
+    const g = new GitleaksScanner();
+    return (await g.isAvailable()) ? "gitleaks" : "patterns";
+}
+async function scanFile(filePath, engine) {
+    if (engine === "gitleaks") {
+        try {
+            const g = new GitleaksScanner();
+            const r = await g.scanFile(filePath);
+            return r.matches.length > 0 ? [r] : [];
+        }
+        catch {
+            const s = new RegexScanner();
+            const r = s.scanFile(filePath);
+            return r.matches.length > 0 ? [r] : [];
+        }
+    }
+    const s = new RegexScanner();
+    const r = s.scanFile(filePath);
+    return r.matches.length > 0 ? [r] : [];
+}
+async function scanDirectory(dirPath, engine, scanCfg) {
+    if (engine === "gitleaks") {
+        try {
+            const g = new GitleaksScanner();
+            return await g.scanDirectory(dirPath);
+        }
+        catch {
+            const s = new RegexScanner();
+            return s.scanDirectory(dirPath, { excludePaths: scanCfg?.excludePaths });
+        }
+    }
+    const s = new RegexScanner();
+    return s.scanDirectory(dirPath, { excludePaths: scanCfg?.excludePaths });
+}

package/dist/commands/agent/index.js

@@ -8,6 +8,8 @@ import { createAuditSkillCommand } from "./audit-skill.js";
 import { createInstallHookCommand } from "./install-hook.js";
 import { createVerifyCommand } from "./verify.js";
 import { createStatusCommand } from "./status.js";
+import { createUpdateGitleaksCommand } from "./update-gitleaks.js";
+import { createBaselineCommand } from "./baseline.js";
 export function createAgentCommand() {
     const agent = new Command("agent")
         .description("Agent security features");
@@ -21,5 +23,7 @@ export function createAgentCommand() {
     agent.addCommand(createInstallHookCommand());
     agent.addCommand(createVerifyCommand());
     agent.addCommand(createStatusCommand());
+    agent.addCommand(createUpdateGitleaksCommand());
+    agent.addCommand(createBaselineCommand());
     return agent;
 }

package/dist/commands/agent/init.js

@@ -96,6 +96,7 @@ export function createInitCommand() {
         .option("--skip-claude-code", "Skip Claude Code skill installation")
         .option("--claude-code", "Force Claude Code skill installation")
         .option("--skip-gitleaks", "Skip Gitleaks binary download")
+        .option("--update", "Re-download gitleaks and reinstall integrations without resetting config")
         .action(async (opts) => {
         console.log(fmt.header("Rafter Agent Security Setup"));
         console.log(fmt.divider());
@@ -151,7 +152,7 @@ export function createInitCommand() {
                 console.log(fmt.info("To fix: install gitleaks (https://github.com/gitleaks/gitleaks/releases) and ensure it is on PATH, then re-run 'rafter agent init'."));
                 console.log();
             };
-            if (binaryManager.isGitleaksInstalled()) {
+            if (!opts.update && binaryManager.isGitleaksInstalled()) {
                 // Local binary exists — verify it actually works
                 const verResult = await binaryManager.verifyGitleaksVerbose();
                 if (verResult.ok) {
@@ -164,8 +165,9 @@ export function createInitCommand() {
                 }
             }
             else {
-                // Not installed locally — check PATH (mirrors Python's shutil.which)
-                const pathBinary = binaryManager.findGitleaksOnPath();
+                // Not installed locally (or --update forcing re-download) — check PATH first
+                // unless --update was passed (in that case force a fresh managed install)
+                const pathBinary = opts.update ? null : binaryManager.findGitleaksOnPath();
                 if (pathBinary) {
                     const verResult = await binaryManager.verifyGitleaksVerbose(pathBinary);
                     if (verResult.ok) {

package/dist/commands/agent/install-hook.js

@@ -8,25 +8,36 @@ const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 export function createInstallHookCommand() {
     return new Command("install-hook")
-        .description("Install pre-commit hook to scan for secrets")
+        .description("Install git hook to scan for secrets")
         .option("--global", "Install globally for all repos (via git config)")
+        .option("--push", "Install pre-push hook instead of pre-commit")
         .action(async (opts) => {
         await installHook(opts);
     });
 }
 async function installHook(opts) {
+    const hookName = opts.push ? "pre-push" : "pre-commit";
+    const templateName = opts.push ? "pre-push-hook.sh" : "pre-commit-hook.sh";
     if (opts.global) {
-        await installGlobalHook();
+        await installGlobalHook(hookName, templateName);
     }
     else {
-        await installLocalHook();
+        await installLocalHook(hookName, templateName);
     }
 }
+function getTemplatePath(templateName) {
+    const templatePath = path.join(__dirname, "..", "..", "..", "resources", templateName);
+    if (!fs.existsSync(templatePath)) {
+        console.error("❌ Error: Hook template not found");
+        console.error(`   Expected at: ${templatePath}`);
+        process.exit(1);
+    }
+    return templatePath;
+}
 /**
- * Install pre-commit hook for current repository
+ * Install hook for current repository
  */
-async function installLocalHook() {
-    // Check if in a git repository
+async function installLocalHook(hookName, templateName) {
     try {
         execSync("git rev-parse --git-dir", { stdio: "pipe" });
     }
@@ -35,80 +46,63 @@ async function installLocalHook() {
         console.error("   Run this command from inside a git repository");
         process.exit(1);
     }
-    // Get .git directory
     const gitDir = execSync("git rev-parse --git-dir", { encoding: "utf-8" }).trim();
     const hooksDir = path.resolve(gitDir, "hooks");
-    const hookPath = path.join(hooksDir, "pre-commit");
-    // Ensure hooks directory exists
+    const hookPath = path.join(hooksDir, hookName);
     if (!fs.existsSync(hooksDir)) {
         fs.mkdirSync(hooksDir, { recursive: true });
     }
-    // Check if hook already exists
     if (fs.existsSync(hookPath)) {
         const existing = fs.readFileSync(hookPath, "utf-8");
-        // Check if it's already a Rafter hook
-        if (existing.includes("Rafter Security Pre-Commit Hook")) {
-            console.log("✓ Rafter pre-commit hook already installed");
+        const marker = hookName === "pre-push" ? "Rafter Security Pre-Push Hook" : "Rafter Security Pre-Commit Hook";
+        if (existing.includes(marker)) {
+            console.log(`✓ Rafter ${hookName} hook already installed`);
             return;
         }
-        // Backup existing hook
         const backupPath = `${hookPath}.backup-${Date.now()}`;
         fs.copyFileSync(hookPath, backupPath);
         console.log(`📦 Backed up existing hook to: ${path.basename(backupPath)}`);
     }
-    // Get hook template path
-    const templatePath = path.join(__dirname, "..", "..", "..", "resources", "pre-commit-hook.sh");
-    if (!fs.existsSync(templatePath)) {
-        console.error("❌ Error: Hook template not found");
-        console.error(`   Expected at: ${templatePath}`);
-        process.exit(1);
-    }
-    // Copy hook template
-    const hookContent = fs.readFileSync(templatePath, "utf-8");
+    const hookContent = fs.readFileSync(getTemplatePath(templateName), "utf-8");
     fs.writeFileSync(hookPath, hookContent, "utf-8");
-    // Make executable
     fs.chmodSync(hookPath, 0o755);
-    console.log("✓ Installed Rafter pre-commit hook");
+    console.log(`✓ Installed Rafter ${hookName} hook`);
     console.log(`  Location: ${hookPath}`);
     console.log();
-    console.log("The hook will:");
-    console.log("  • Scan staged files for secrets before each commit");
-    console.log("  • Block commits if secrets are detected");
-    console.log("  • Can be bypassed with: git commit --no-verify (not recommended)");
+    if (hookName === "pre-push") {
+        console.log("The hook will:");
+        console.log("  • Scan commits being pushed for secrets");
+        console.log("  • Block pushes if secrets are detected");
+        console.log("  • Can be bypassed with: git push --no-verify (not recommended)");
+    }
+    else {
+        console.log("The hook will:");
+        console.log("  • Scan staged files for secrets before each commit");
+        console.log("  • Block commits if secrets are detected");
+        console.log("  • Can be bypassed with: git commit --no-verify (not recommended)");
+    }
     console.log();
 }
 /**
- * Install pre-commit hook globally for all repositories
+ * Install hook globally for all repositories
  */
-async function installGlobalHook() {
-    // Create global hooks directory
+async function installGlobalHook(hookName, templateName) {
     const homeDir = os.homedir();
     if (!homeDir) {
         console.error("❌ Error: Could not determine home directory");
         process.exit(1);
     }
     const globalHooksDir = path.join(homeDir, ".rafter", "git-hooks");
-    const hookPath = path.join(globalHooksDir, "pre-commit");
-    // Create directory
+    const hookPath = path.join(globalHooksDir, hookName);
     if (!fs.existsSync(globalHooksDir)) {
         fs.mkdirSync(globalHooksDir, { recursive: true });
     }
-    // Get hook template path
-    const templatePath = path.join(__dirname, "..", "..", "..", "resources", "pre-commit-hook.sh");
-    if (!fs.existsSync(templatePath)) {
-        console.error("❌ Error: Hook template not found");
-        console.error(`   Expected at: ${templatePath}`);
-        process.exit(1);
-    }
-    // Copy hook template
-    const hookContent = fs.readFileSync(templatePath, "utf-8");
+    const hookContent = fs.readFileSync(getTemplatePath(templateName), "utf-8");
     fs.writeFileSync(hookPath, hookContent, "utf-8");
-    // Make executable
     fs.chmodSync(hookPath, 0o755);
-    // Configure git to use global hooks directory
     try {
         execSync(`git config --global core.hooksPath "${globalHooksDir}"`, { stdio: "pipe" });
-        console.log("✓ Installed Rafter pre-commit hook globally");
+        console.log(`✓ Installed Rafter ${hookName} hook globally`);
         console.log(`  Location: ${hookPath}`);
         console.log(`  Git config: core.hooksPath = ${globalHooksDir}`);
         console.log();
@@ -118,7 +112,7 @@ async function installGlobalHook() {
         console.log(`  git config --global --unset core.hooksPath`);
         console.log();
         console.log("To install per-repository instead:");
-        console.log(`  cd <repo> && rafter agent install-hook`);
+        console.log(`  cd <repo> && rafter agent install-hook${hookName === "pre-push" ? " --push" : ""}`);
         console.log();
     }
     catch (e) {

package/dist/commands/agent/scan.js

@@ -4,8 +4,33 @@ import { GitleaksScanner } from "../../scanners/gitleaks.js";
 import { ConfigManager } from "../../core/config-manager.js";
 import { execSync, execFileSync } from "child_process";
 import fs from "fs";
+import os from "os";
 import path from "path";
 import { fmt } from "../../utils/formatter.js";
+function loadBaselineEntries() {
+    const baselinePath = path.join(os.homedir(), ".rafter", "baseline.json");
+    if (!fs.existsSync(baselinePath))
+        return [];
+    try {
+        const data = JSON.parse(fs.readFileSync(baselinePath, "utf-8"));
+        return data.entries || [];
+    }
+    catch {
+        return [];
+    }
+}
+function applyBaseline(results, entries) {
+    if (entries.length === 0)
+        return results;
+    return results
+        .map((r) => ({
+        ...r,
+        matches: r.matches.filter((m) => !entries.some((e) => e.file === r.file &&
+            e.pattern === m.pattern.name &&
+            (e.line == null || e.line === (m.line ?? null)))),
+    }))
+        .filter((r) => r.matches.length > 0);
+}
 export function createScanCommand() {
     return new Command("scan")
         .description("Scan files or directories for secrets")
@@ -16,19 +41,21 @@ export function createScanCommand() {
         .option("--staged", "Scan only git staged files")
         .option("--diff <ref>", "Scan files changed since a git ref")
         .option("--engine <engine>", "Scan engine: gitleaks or patterns", "auto")
+        .option("--baseline", "Filter findings present in the saved baseline")
         .action(async (scanPath, opts) => {
         // Load policy-merged config for excludePaths/customPatterns
         const manager = new ConfigManager();
         const cfg = manager.loadWithPolicy();
         const scanCfg = cfg.agent?.scan;
+        const baselineEntries = opts.baseline ? loadBaselineEntries() : [];
         // Handle --diff flag
         if (opts.diff) {
-            await scanDiffFiles(opts.diff, opts, scanCfg);
+            await scanDiffFiles(opts.diff, opts, scanCfg, baselineEntries);
             return;
         }
         // Handle --staged flag
         if (opts.staged) {
-            await scanStagedFiles(opts, scanCfg);
+            await scanStagedFiles(opts, scanCfg, baselineEntries);
             return;
         }
         const resolvedPath = path.resolve(scanPath);
@@ -54,7 +81,7 @@ export function createScanCommand() {
             }
             results = await scanFile(resolvedPath, engine, scanCfg);
         }
-        outputScanResults(results, opts);
+        outputScanResults(applyBaseline(results, baselineEntries), opts);
     });
 }
 /**
@@ -89,13 +116,14 @@ function outputSarif(results) {
         }
     }
     const sarif = {
-        $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+        $schema: "https://json.schemastore.org/sarif-2.1.0.json",
         version: "2.1.0",
         runs: [
             {
                 tool: {
                     driver: {
                         name: "rafter",
+                        version: "0.5.5",
                         informationUri: "https://rafter.so",
                         rules: Array.from(rules.values()),
                     },
@@ -112,6 +140,10 @@ function outputSarif(results) {
  */
 function outputScanResults(results, opts, context) {
     const format = opts.format ?? (opts.json ? "json" : "text");
+    if (!["text", "json", "sarif"].includes(format)) {
+        console.error(`Invalid format: ${format}. Valid values: text, json, sarif`);
+        process.exit(2);
+    }
     if (format === "sarif") {
         outputSarif(results);
         return;
@@ -163,7 +195,7 @@ function outputScanResults(results, opts, context) {
 /**
  * Scan files changed since a git ref
  */
-async function scanDiffFiles(ref, opts, scanCfg) {
+async function scanDiffFiles(ref, opts, scanCfg, baselineEntries = []) {
     try {
         const diffOutput = execFileSync("git", ["diff", "--name-only", "--diff-filter=ACM", ref], {
             encoding: "utf-8",
@@ -191,7 +223,7 @@ async function scanDiffFiles(ref, opts, scanCfg) {
             const results = await scanFile(filePath, engine, scanCfg);
             allResults.push(...results);
         }
-        outputScanResults(allResults, opts, `files changed since ${ref}`);
+        outputScanResults(applyBaseline(allResults, baselineEntries), opts, `files changed since ${ref}`);
     }
     catch (error) {
         if (error.status === 128) {
@@ -204,7 +236,7 @@ async function scanDiffFiles(ref, opts, scanCfg) {
 /**
  * Scan git staged files for secrets
  */
-async function scanStagedFiles(opts, scanCfg) {
+async function scanStagedFiles(opts, scanCfg, baselineEntries = []) {
     try {
         const stagedFilesOutput = execSync("git diff --cached --name-only --diff-filter=ACM", {
             encoding: "utf-8",
@@ -232,7 +264,7 @@ async function scanStagedFiles(opts, scanCfg) {
             const results = await scanFile(filePath, engine, scanCfg);
             allResults.push(...results);
         }
-        outputScanResults(allResults, opts, "staged files");
+        outputScanResults(applyBaseline(allResults, baselineEntries), opts, "staged files");
     }
     catch (error) {
         if (error.status === 128) {

package/dist/commands/agent/update-gitleaks.js

@@ -0,0 +1,40 @@
+import { Command } from "commander";
+import { BinaryManager, GITLEAKS_VERSION } from "../../utils/binary-manager.js";
+import { fmt } from "../../utils/formatter.js";
+export function createUpdateGitleaksCommand() {
+    return new Command("update-gitleaks")
+        .description("Update (or reinstall) the managed gitleaks binary")
+        .option("--version <version>", "Gitleaks version to install", GITLEAKS_VERSION)
+        .action(async (opts) => {
+        const bm = new BinaryManager();
+        if (!bm.isPlatformSupported()) {
+            const { platform, arch } = bm.getPlatformInfo();
+            console.error(fmt.error(`Gitleaks not available for ${platform}/${arch}`));
+            process.exit(1);
+        }
+        // Show current version if installed
+        if (bm.isGitleaksInstalled()) {
+            const current = await bm.getGitleaksVersion();
+            console.log(fmt.info(`Current: ${current}`));
+        }
+        else {
+            console.log(fmt.info("Gitleaks not currently installed (managed binary)"));
+        }
+        console.log(fmt.info(`Installing gitleaks v${opts.version}...`));
+        console.log();
+        try {
+            await bm.downloadGitleaks((msg) => console.log(`   ${msg}`), opts.version);
+            console.log();
+            const installed = await bm.getGitleaksVersion();
+            console.log(fmt.success(`Gitleaks updated: ${installed}`));
+            console.log(fmt.info(`  Binary: ${bm.getGitleaksPath()}`));
+        }
+        catch (e) {
+            console.log();
+            console.error(fmt.error(`Update failed: ${e}`));
+            console.log(fmt.info("To fix: install gitleaks manually (https://github.com/gitleaks/gitleaks/releases) " +
+                "and ensure it is on PATH."));
+            process.exit(1);
+        }
+    });
+}