@rafter-security/cli 0.5.3 → 0.5.9

package/README.md

@@ -153,17 +153,29 @@ Initialize agent security system.
 
 **Options:**
 - `--risk-level <level>` - Set risk level: `minimal`, `moderate`, or `aggressive` (default: `moderate`)
-- `--skip-openclaw` - Skip OpenClaw skill installation
+- `--with-openclaw` - Install OpenClaw integration
+- `--with-claude-code` - Install Claude Code integration
+- `--with-codex` - Install Codex CLI integration
+- `--with-gemini` - Install Gemini CLI integration
+- `--with-aider` - Install Aider integration
+- `--with-cursor` - Install Cursor integration
+- `--with-windsurf` - Install Windsurf integration
+- `--with-continue` - Install Continue.dev integration
+- `--with-gitleaks` - Download and install Gitleaks binary
+- `--all` - Install all detected integrations and download Gitleaks
 
 **What it does:**
 - Creates `~/.rafter/config.json` configuration
 - Initializes directory structure
-- Detects and installs OpenClaw skill (if present)
+- Detects available agent environments
+- Installs opted-in integrations (skills, hooks, MCP servers)
 - Sets up audit logging
 
 **Example:**
 ```bash
-rafter agent init
+rafter agent init                      # Config only, detect environments
+rafter agent init --all                # Install all detected integrations
+rafter agent init --with-claude-code   # Install Claude Code integration only
 rafter agent init --risk-level aggressive
 ```
 

package/dist/commands/agent/audit-skill.js

@@ -18,7 +18,7 @@ async function auditSkill(skillPath, opts) {
     // Validate skill file exists
     if (!fs.existsSync(skillPath)) {
         console.error(`Error: Skill file not found: ${skillPath}`);
-        process.exit(1);
+        process.exit(2);
     }
     const absolutePath = path.resolve(skillPath);
     const skillContent = fs.readFileSync(absolutePath, "utf-8");
@@ -143,7 +143,7 @@ function displayQuickScan(scan, skillName) {
     else {
         console.log(`⚠️  Secrets: ${scan.secrets} found`);
         console.log("   → API keys, tokens, or credentials detected");
-        console.log("   → Run: rafter agent scan <path> for details");
+        console.log("   → Run: rafter scan local <path> for details");
     }
     // URLs
     if (scan.urls.length === 0) {

package/dist/commands/agent/audit.js

@@ -1,5 +1,10 @@
+import { createHash } from "crypto";
+import fs from "fs";
+import path from "path";
+import { fileURLToPath } from "url";
 import { Command } from "commander";
 import { AuditLogger } from "../../core/audit-logger.js";
+import { ConfigManager } from "../../core/config-manager.js";
 import { isAgentMode } from "../../utils/formatter.js";
 export function createAuditCommand() {
     return new Command("audit")
@@ -8,7 +13,12 @@ export function createAuditCommand() {
         .option("--event <type>", "Filter by event type")
         .option("--agent <type>", "Filter by agent type (openclaw, claude-code)")
         .option("--since <date>", "Show entries since date (YYYY-MM-DD)")
+        .option("--share", "Generate a redacted excerpt for issue reports")
         .action((opts) => {
+        if (opts.share) {
+            generateShareExcerpt();
+            return;
+        }
         const logger = new AuditLogger();
         const filter = {
             limit: parseInt(opts.last, 10)
@@ -53,6 +63,92 @@ export function createAuditCommand() {
         }
     });
 }
+export function generateShareExcerpt() {
+    const version = getPkgVersion();
+    const os = `${process.platform}/${process.arch}`;
+    const timestamp = new Date().toISOString();
+    const config = new ConfigManager().loadWithPolicy();
+    const policyHash = computePolicyHash(config);
+    const riskLevel = getRiskLevel(config);
+    const logger = new AuditLogger();
+    const entries = logger.read({ limit: 5 });
+    const lines = [
+        "Rafter Audit Excerpt",
+        `Generated: ${timestamp}`,
+        "",
+        "Environment:",
+        `  CLI:    ${version}`,
+        `  OS:     ${os}`,
+        `  Policy: sha256:${policyHash} (${riskLevel})`,
+        "",
+        "Recent events (last 5):",
+    ];
+    if (entries.length === 0) {
+        lines.push("  (no entries)");
+    }
+    else {
+        for (const entry of entries) {
+            const ts = entry.timestamp.replace("T", " ").replace(/\.\d+Z$/, "Z");
+            const eventPad = entry.eventType.padEnd(20);
+            const riskRaw = entry.action?.riskLevel ?? "low";
+            const riskPad = riskRaw.toUpperCase().padEnd(8);
+            const detail = formatShareDetail(entry);
+            lines.push(`  ${ts}  ${eventPad}  ${riskPad} ${detail}`);
+        }
+    }
+    lines.push("");
+    lines.push("Share this excerpt when reporting issues at https://github.com/Raftersecurity/rafter-cli/issues");
+    console.log(lines.join("\n"));
+}
+export function getPkgVersion() {
+    try {
+        const __filename = fileURLToPath(import.meta.url);
+        const __dirname = path.dirname(__filename);
+        // Walk up from dist/commands/agent/ to find package.json
+        let dir = __dirname;
+        for (let i = 0; i < 6; i++) {
+            const candidate = path.join(dir, "package.json");
+            if (fs.existsSync(candidate)) {
+                const pkg = JSON.parse(fs.readFileSync(candidate, "utf-8"));
+                if (pkg.version)
+                    return pkg.version;
+            }
+            dir = path.dirname(dir);
+        }
+    }
+    catch {
+        // fall through
+    }
+    return "unknown";
+}
+export function computePolicyHash(config) {
+    const patterns = config?.agent?.commandPolicy?.requireApproval ?? [];
+    const payload = JSON.stringify(patterns.slice().sort());
+    return createHash("sha256").update(payload).digest("hex").slice(0, 16);
+}
+export function getRiskLevel(config) {
+    return config?.agent?.riskLevel ?? "moderate";
+}
+export function formatShareDetail(entry) {
+    const action = entry.resolution.actionTaken;
+    const suffix = `[${action}]`;
+    if (entry.eventType === "secret_detected") {
+        const reason = entry.securityCheck.reason ?? "";
+        return `${reason} ${suffix}`;
+    }
+    if (entry.action?.command) {
+        return `${truncateCommand(entry.action.command, 60)} ${suffix}`;
+    }
+    if (entry.securityCheck.reason) {
+        return `${entry.securityCheck.reason} ${suffix}`;
+    }
+    return suffix;
+}
+export function truncateCommand(cmd, maxLen = 60) {
+    if (cmd.length <= maxLen)
+        return cmd;
+    return cmd.slice(0, maxLen) + "...";
+}
 function getEventIndicator(eventType) {
     if (isAgentMode()) {
         const tagMap = {

package/dist/commands/agent/baseline.js

@@ -0,0 +1,213 @@
+import { Command } from "commander";
+import fs from "fs";
+import os from "os";
+import path from "path";
+import { fmt } from "../../utils/formatter.js";
+import { RegexScanner } from "../../scanners/regex-scanner.js";
+import { GitleaksScanner } from "../../scanners/gitleaks.js";
+import { ConfigManager } from "../../core/config-manager.js";
+const BASELINE_PATH = path.join(os.homedir(), ".rafter", "baseline.json");
+function loadBaseline() {
+    if (!fs.existsSync(BASELINE_PATH)) {
+        return { version: 1, created: "", updated: "", entries: [] };
+    }
+    try {
+        return JSON.parse(fs.readFileSync(BASELINE_PATH, "utf-8"));
+    }
+    catch {
+        return { version: 1, created: "", updated: "", entries: [] };
+    }
+}
+function saveBaseline(baseline) {
+    const dir = path.dirname(BASELINE_PATH);
+    if (!fs.existsSync(dir)) {
+        fs.mkdirSync(dir, { recursive: true });
+    }
+    fs.writeFileSync(BASELINE_PATH, JSON.stringify(baseline, null, 2), "utf-8");
+}
+export function createBaselineCommand() {
+    const baseline = new Command("baseline")
+        .description("Manage the findings baseline (allowlist for known findings)");
+    baseline.addCommand(createBaselineCreateCommand());
+    baseline.addCommand(createBaselineShowCommand());
+    baseline.addCommand(createBaselineClearCommand());
+    baseline.addCommand(createBaselineAddCommand());
+    return baseline;
+}
+function createBaselineCreateCommand() {
+    return new Command("create")
+        .description("Scan and save all current findings as the baseline")
+        .argument("[path]", "Path to scan", ".")
+        .option("--engine <engine>", "Scan engine: gitleaks or patterns", "auto")
+        .action(async (scanPath, opts) => {
+        const validEngines = ["auto", "gitleaks", "patterns"];
+        const engineValue = opts.engine || "auto";
+        if (!validEngines.includes(engineValue)) {
+            console.error(`Invalid engine: ${engineValue}. Valid values: ${validEngines.join(", ")}`);
+            process.exit(2);
+        }
+        const resolvedPath = path.resolve(scanPath);
+        if (!fs.existsSync(resolvedPath)) {
+            console.error(`Error: Path not found: ${resolvedPath}`);
+            process.exit(2);
+        }
+        const manager = new ConfigManager();
+        const cfg = manager.loadWithPolicy();
+        const scanCfg = cfg.agent?.scan;
+        console.error(`Scanning ${resolvedPath} to build baseline...`);
+        const engine = await selectEngine(opts.engine || "auto");
+        let results;
+        if (fs.statSync(resolvedPath).isDirectory()) {
+            results = await scanDirectory(resolvedPath, engine, scanCfg);
+        }
+        else {
+            results = await scanFile(resolvedPath, engine);
+        }
+        const now = new Date().toISOString();
+        const entries = [];
+        for (const r of results) {
+            for (const m of r.matches) {
+                entries.push({
+                    file: r.file,
+                    line: m.line ?? null,
+                    pattern: m.pattern.name,
+                    addedAt: now,
+                });
+            }
+        }
+        const existing = loadBaseline();
+        const baseline = {
+            version: 1,
+            created: existing.created || now,
+            updated: now,
+            entries,
+        };
+        saveBaseline(baseline);
+        if (entries.length === 0) {
+            console.log(fmt.success("No findings — baseline is empty (all clean)"));
+        }
+        else {
+            console.log(fmt.success(`Baseline saved: ${entries.length} finding(s) recorded`));
+            console.log(`  Location: ${BASELINE_PATH}`);
+            console.log();
+            console.log("Future scans with --baseline will suppress these findings.");
+        }
+    });
+}
+function createBaselineShowCommand() {
+    return new Command("show")
+        .description("Show current baseline entries")
+        .option("--json", "Output as JSON")
+        .action((opts) => {
+        const baseline = loadBaseline();
+        if (opts.json) {
+            console.log(JSON.stringify(baseline, null, 2));
+            return;
+        }
+        if (baseline.entries.length === 0) {
+            console.log("Baseline is empty. Run: rafter agent baseline create");
+            return;
+        }
+        console.log(`Baseline: ${baseline.entries.length} entries`);
+        if (baseline.updated) {
+            console.log(`Updated: ${baseline.updated}`);
+        }
+        console.log();
+        // Group by file
+        const byFile = new Map();
+        for (const entry of baseline.entries) {
+            const list = byFile.get(entry.file) || [];
+            list.push(entry);
+            byFile.set(entry.file, list);
+        }
+        for (const [file, entries] of byFile) {
+            console.log(fmt.info(file));
+            for (const e of entries) {
+                const loc = e.line != null ? `line ${e.line}` : "unknown location";
+                console.log(`  ${e.pattern} (${loc})`);
+            }
+            console.log();
+        }
+    });
+}
+function createBaselineClearCommand() {
+    return new Command("clear")
+        .description("Remove all baseline entries")
+        .action(() => {
+        if (!fs.existsSync(BASELINE_PATH)) {
+            console.log("No baseline file found — nothing to clear.");
+            return;
+        }
+        fs.unlinkSync(BASELINE_PATH);
+        console.log(fmt.success("Baseline cleared"));
+    });
+}
+function createBaselineAddCommand() {
+    return new Command("add")
+        .description("Manually add a finding to the baseline")
+        .requiredOption("--file <path>", "File path")
+        .requiredOption("--pattern <name>", "Pattern name (e.g. 'AWS Access Key')")
+        .option("--line <number>", "Line number")
+        .action((opts) => {
+        const baseline = loadBaseline();
+        const now = new Date().toISOString();
+        const entry = {
+            file: path.resolve(opts.file),
+            line: opts.line != null ? parseInt(opts.line, 10) : null,
+            pattern: opts.pattern,
+            addedAt: now,
+        };
+        baseline.entries.push(entry);
+        baseline.updated = now;
+        if (!baseline.created)
+            baseline.created = now;
+        saveBaseline(baseline);
+        console.log(fmt.success(`Added to baseline: ${opts.pattern} in ${opts.file}`));
+    });
+}
+// ── helpers ─────────────────────────────────────────────────────────
+async function selectEngine(preference) {
+    if (preference === "patterns")
+        return "patterns";
+    if (preference === "gitleaks") {
+        const g = new GitleaksScanner();
+        return (await g.isAvailable()) ? "gitleaks" : "patterns";
+    }
+    if (preference !== "auto") {
+        console.error(`Invalid engine: ${preference}. Valid values: auto, gitleaks, patterns`);
+        process.exit(2);
+    }
+    const g = new GitleaksScanner();
+    return (await g.isAvailable()) ? "gitleaks" : "patterns";
+}
+async function scanFile(filePath, engine) {
+    if (engine === "gitleaks") {
+        try {
+            const g = new GitleaksScanner();
+            const r = await g.scanFile(filePath);
+            return r.matches.length > 0 ? [r] : [];
+        }
+        catch {
+            const s = new RegexScanner();
+            const r = s.scanFile(filePath);
+            return r.matches.length > 0 ? [r] : [];
+        }
+    }
+    const s = new RegexScanner();
+    const r = s.scanFile(filePath);
+    return r.matches.length > 0 ? [r] : [];
+}
+async function scanDirectory(dirPath, engine, scanCfg) {
+    if (engine === "gitleaks") {
+        try {
+            const g = new GitleaksScanner();
+            return await g.scanDirectory(dirPath);
+        }
+        catch {
+            const s = new RegexScanner();
+            return s.scanDirectory(dirPath, { excludePaths: scanCfg?.excludePaths });
+        }
+    }
+    const s = new RegexScanner();
+    return s.scanDirectory(dirPath, { excludePaths: scanCfg?.excludePaths });
+}

package/dist/commands/agent/exec.js

@@ -29,7 +29,7 @@ export function createExecCommand() {
             if (scanResult.secretsFound) {
                 console.error(`\n${fmt.warning("Secrets detected in staged files!")}\n`);
                 console.error(`Found ${scanResult.count} secret(s) in ${scanResult.files} file(s)`);
-                console.error(`\nRun 'rafter agent scan' for details.\n`);
+                console.error(`\nRun 'rafter scan local' for details.\n`);
                 interceptor.logEvaluation(evaluation, "blocked");
                 process.exit(1);
             }

package/dist/commands/agent/index.js

@@ -8,6 +8,8 @@ import { createAuditSkillCommand } from "./audit-skill.js";
 import { createInstallHookCommand } from "./install-hook.js";
 import { createVerifyCommand } from "./verify.js";
 import { createStatusCommand } from "./status.js";
+import { createUpdateGitleaksCommand } from "./update-gitleaks.js";
+import { createBaselineCommand } from "./baseline.js";
 export function createAgentCommand() {
     const agent = new Command("agent")
         .description("Agent security features");
@@ -21,5 +23,7 @@ export function createAgentCommand() {
     agent.addCommand(createInstallHookCommand());
     agent.addCommand(createVerifyCommand());
     agent.addCommand(createStatusCommand());
+    agent.addCommand(createUpdateGitleaksCommand());
+    agent.addCommand(createBaselineCommand());
     return agent;
 }