@rafter-security/cli 0.5.3 → 0.5.9

package/dist/commands/agent/scan.js

@@ -2,10 +2,36 @@ import { Command } from "commander";
 import { RegexScanner } from "../../scanners/regex-scanner.js";
 import { GitleaksScanner } from "../../scanners/gitleaks.js";
 import { ConfigManager } from "../../core/config-manager.js";
+import { AuditLogger } from "../../core/audit-logger.js";
 import { execSync, execFileSync } from "child_process";
 import fs from "fs";
+import os from "os";
 import path from "path";
 import { fmt } from "../../utils/formatter.js";
+function loadBaselineEntries() {
+    const baselinePath = path.join(os.homedir(), ".rafter", "baseline.json");
+    if (!fs.existsSync(baselinePath))
+        return [];
+    try {
+        const data = JSON.parse(fs.readFileSync(baselinePath, "utf-8"));
+        return data.entries || [];
+    }
+    catch {
+        return [];
+    }
+}
+function applyBaseline(results, entries) {
+    if (entries.length === 0)
+        return results;
+    return results
+        .map((r) => ({
+        ...r,
+        matches: r.matches.filter((m) => !entries.some((e) => e.file === r.file &&
+            e.pattern === m.pattern.name &&
+            (e.line == null || e.line === (m.line ?? null)))),
+    }))
+        .filter((r) => r.matches.length > 0);
+}
 export function createScanCommand() {
     return new Command("scan")
         .description("Scan files or directories for secrets")
@@ -16,19 +42,42 @@ export function createScanCommand() {
         .option("--staged", "Scan only git staged files")
         .option("--diff <ref>", "Scan files changed since a git ref")
         .option("--engine <engine>", "Scan engine: gitleaks or patterns", "auto")
+        .option("--baseline", "Filter findings present in the saved baseline")
+        .option("--watch", "Watch for file changes and re-scan on change")
         .action(async (scanPath, opts) => {
+        // Validate flags before doing any work
+        const validEngines = ["auto", "gitleaks", "patterns"];
+        const engineValue = opts.engine || "auto";
+        if (!validEngines.includes(engineValue)) {
+            console.error(`Invalid engine: ${engineValue}. Valid values: ${validEngines.join(", ")}`);
+            process.exit(2);
+        }
+        const format = opts.format ?? (opts.json ? "json" : "text");
+        const validFormats = ["text", "json", "sarif"];
+        if (!validFormats.includes(format)) {
+            console.error(`Invalid format: ${format}. Valid values: ${validFormats.join(", ")}`);
+            process.exit(2);
+        }
+        // Deprecation notice — only when invoked as `rafter agent scan`, not as `rafter scan local`
+        const argv = process.argv;
+        const isAgentScan = argv.includes("agent") && argv.includes("scan") &&
+            argv.indexOf("agent") < argv.indexOf("scan");
+        if (isAgentScan) {
+            process.stderr.write("Warning: rafter agent scan is deprecated and will be removed in a future major version. Use rafter scan local instead.\n");
+        }
         // Load policy-merged config for excludePaths/customPatterns
         const manager = new ConfigManager();
         const cfg = manager.loadWithPolicy();
         const scanCfg = cfg.agent?.scan;
+        const baselineEntries = opts.baseline ? loadBaselineEntries() : [];
         // Handle --diff flag
         if (opts.diff) {
-            await scanDiffFiles(opts.diff, opts, scanCfg);
+            await scanDiffFiles(opts.diff, opts, scanCfg, baselineEntries);
             return;
         }
         // Handle --staged flag
         if (opts.staged) {
-            await scanStagedFiles(opts, scanCfg);
+            await scanStagedFiles(opts, scanCfg, baselineEntries);
             return;
         }
         const resolvedPath = path.resolve(scanPath);
@@ -37,6 +86,11 @@ export function createScanCommand() {
             console.error(`Error: Path not found: ${resolvedPath}`);
             process.exit(2);
         }
+        // Handle --watch flag
+        if (opts.watch) {
+            await watchAndScan(resolvedPath, opts, scanCfg);
+            return;
+        }
         // Determine scan engine
         const engine = await selectEngine(opts.engine || "auto", opts.quiet || false);
         // Determine if path is file or directory
@@ -54,7 +108,7 @@ export function createScanCommand() {
             }
             results = await scanFile(resolvedPath, engine, scanCfg);
         }
-        outputScanResults(results, opts);
+        outputScanResults(applyBaseline(results, baselineEntries), opts);
     });
 }
 /**
@@ -89,13 +143,14 @@ function outputSarif(results) {
         }
     }
     const sarif = {
-        $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+        $schema: "https://json.schemastore.org/sarif-2.1.0.json",
         version: "2.1.0",
         runs: [
             {
                 tool: {
                     driver: {
                         name: "rafter",
+                        version: "0.5.7",
                         informationUri: "https://rafter.so",
                         rules: Array.from(rules.values()),
                     },
@@ -110,8 +165,12 @@ function outputSarif(results) {
 /**
  * Shared output logic for scan results
  */
-function outputScanResults(results, opts, context) {
+function outputScanResults(results, opts, context, exitOnFindings = true) {
     const format = opts.format ?? (opts.json ? "json" : "text");
+    if (!["text", "json", "sarif"].includes(format)) {
+        console.error(`Invalid format: ${format}. Valid values: text, json, sarif`);
+        process.exit(2);
+    }
     if (format === "sarif") {
         outputSarif(results);
         return;
@@ -127,14 +186,18 @@ function outputScanResults(results, opts, context) {
             })),
         }));
         console.log(JSON.stringify(out, null, 2));
-        process.exit(results.length > 0 ? 1 : 0);
+        if (exitOnFindings)
+            process.exit(results.length > 0 ? 1 : 0);
+        return;
     }
     if (results.length === 0) {
         if (!opts.quiet) {
             const msg = context ? `No secrets detected in ${context}` : "No secrets detected";
             console.log(`\n${fmt.success(msg)}\n`);
         }
-        process.exit(0);
+        if (exitOnFindings)
+            process.exit(0);
+        return;
     }
     console.log(`\n${fmt.warning(`Found secrets in ${results.length} file(s):`)}\n`);
     let totalMatches = 0;
@@ -155,34 +218,37 @@ function outputScanResults(results, opts, context) {
     if (context === "staged files") {
         console.log(`${fmt.error("Commit blocked. Remove secrets before committing.")}\n`);
     }
-    else {
+    else if (exitOnFindings) {
         console.log(`Run 'rafter agent audit' to see the security log.\n`);
     }
-    process.exit(1);
+    if (exitOnFindings)
+        process.exit(1);
 }
 /**
  * Scan files changed since a git ref
  */
-async function scanDiffFiles(ref, opts, scanCfg) {
+async function scanDiffFiles(ref, opts, scanCfg, baselineEntries = []) {
     try {
         const diffOutput = execFileSync("git", ["diff", "--name-only", "--diff-filter=ACM", ref], {
             encoding: "utf-8",
             stdio: ["pipe", "pipe", "ignore"],
         }).trim();
         if (!diffOutput) {
-            if (!opts.quiet) {
-                console.log(fmt.success(`No files changed since ${ref}`));
-            }
-            process.exit(0);
+            outputScanResults([], opts, `files changed since ${ref}`);
+            return;
         }
         const changedFiles = diffOutput.split("\n").map(f => f.trim()).filter(f => f);
         if (!opts.quiet) {
             console.error(`Scanning ${changedFiles.length} file(s) changed since ${ref}...`);
         }
+        const repoRoot = execFileSync("git", ["rev-parse", "--show-toplevel"], {
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "ignore"],
+        }).trim();
         const engine = await selectEngine(opts.engine || "auto", opts.quiet || false);
         const allResults = [];
         for (const file of changedFiles) {
-            const filePath = path.resolve(file);
+            const filePath = path.resolve(repoRoot, file);
             if (!fs.existsSync(filePath))
                 continue;
             const stats = fs.statSync(filePath);
@@ -191,7 +257,7 @@ async function scanDiffFiles(ref, opts, scanCfg) {
             const results = await scanFile(filePath, engine, scanCfg);
             allResults.push(...results);
         }
-        outputScanResults(allResults, opts, `files changed since ${ref}`);
+        outputScanResults(applyBaseline(allResults, baselineEntries), opts, `files changed since ${ref}`);
     }
     catch (error) {
         if (error.status === 128) {
@@ -204,26 +270,28 @@ async function scanDiffFiles(ref, opts, scanCfg) {
 /**
  * Scan git staged files for secrets
  */
-async function scanStagedFiles(opts, scanCfg) {
+async function scanStagedFiles(opts, scanCfg, baselineEntries = []) {
     try {
         const stagedFilesOutput = execSync("git diff --cached --name-only --diff-filter=ACM", {
             encoding: "utf-8",
             stdio: ["pipe", "pipe", "ignore"]
         }).trim();
         if (!stagedFilesOutput) {
-            if (!opts.quiet) {
-                console.log(fmt.success("No files staged for commit"));
-            }
-            process.exit(0);
+            outputScanResults([], opts, "staged files");
+            return;
         }
         const stagedFiles = stagedFilesOutput.split("\n").map(f => f.trim()).filter(f => f);
         if (!opts.quiet) {
             console.error(`Scanning ${stagedFiles.length} staged file(s)...`);
         }
+        const repoRoot = execFileSync("git", ["rev-parse", "--show-toplevel"], {
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "ignore"],
+        }).trim();
         const engine = await selectEngine(opts.engine || "auto", opts.quiet || false);
         const allResults = [];
         for (const file of stagedFiles) {
-            const filePath = path.resolve(file);
+            const filePath = path.resolve(repoRoot, file);
             if (!fs.existsSync(filePath))
                 continue;
             const stats = fs.statSync(filePath);
@@ -232,7 +300,7 @@ async function scanStagedFiles(opts, scanCfg) {
             const results = await scanFile(filePath, engine, scanCfg);
             allResults.push(...results);
         }
-        outputScanResults(allResults, opts, "staged files");
+        outputScanResults(applyBaseline(allResults, baselineEntries), opts, "staged files");
     }
     catch (error) {
         if (error.status === 128) {
@@ -260,6 +328,10 @@ async function selectEngine(preference, quiet) {
         }
         return "gitleaks";
     }
+    if (preference !== "auto") {
+        console.error(`Invalid engine: ${preference}. Valid values: auto, gitleaks, patterns`);
+        process.exit(2);
+    }
     // Auto mode: try Gitleaks, fall back to patterns
     const gitleaks = new GitleaksScanner();
     const available = await gitleaks.isAvailable();
@@ -308,3 +380,104 @@ async function scanDirectory(dirPath, engine, scanCfg) {
         return scanner.scanDirectory(dirPath, { excludePaths: scanCfg?.excludePaths });
     }
 }
+/**
+ * Watch a path for changes and re-scan on each change
+ */
+async function watchAndScan(watchPath, opts, scanCfg) {
+    const { watch } = await import("chokidar");
+    const logger = new AuditLogger();
+    const engine = await selectEngine(opts.engine || "auto", opts.quiet || false);
+    if (!opts.quiet) {
+        console.error(fmt.info(`Watching ${watchPath} for changes (${engine}). Press Ctrl+C to exit.`));
+    }
+    // Do an initial scan
+    const stats = fs.statSync(watchPath);
+    const initialResults = stats.isDirectory()
+        ? await scanDirectory(watchPath, engine, scanCfg)
+        : await scanFile(watchPath, engine, scanCfg);
+    if (initialResults.length > 0) {
+        console.log(fmt.warning(`\n[Initial scan] Found secrets:`));
+        outputScanResults(initialResults, { ...opts, quiet: false }, undefined, /* exitOnFindings= */ false);
+        logWatchFindings(logger, initialResults);
+    }
+    else if (!opts.quiet) {
+        console.log(fmt.success(`[Initial scan] No secrets detected`));
+    }
+    const watcher = watch(watchPath, {
+        ignoreInitial: true,
+        persistent: true,
+        ignored: /(^|[/\\])\../,
+    });
+    watcher.on("change", async (filePath) => {
+        const timestamp = new Date().toLocaleTimeString();
+        if (!opts.quiet) {
+            console.error(`\n[${timestamp}] Changed: ${filePath}`);
+        }
+        if (!fs.existsSync(filePath))
+            return;
+        const fileStats = fs.statSync(filePath);
+        if (!fileStats.isFile())
+            return;
+        const results = await scanFile(filePath, engine, scanCfg);
+        if (results.length > 0) {
+            outputScanResults(results, { ...opts, quiet: false }, undefined, /* exitOnFindings= */ false);
+            logWatchFindings(logger, results);
+        }
+        else if (!opts.quiet) {
+            console.log(fmt.success(`  No secrets detected`));
+        }
+    });
+    watcher.on("add", async (filePath) => {
+        const timestamp = new Date().toLocaleTimeString();
+        if (!opts.quiet) {
+            console.error(`\n[${timestamp}] Added: ${filePath}`);
+        }
+        const fileStats = fs.statSync(filePath);
+        if (!fileStats.isFile())
+            return;
+        const results = await scanFile(filePath, engine, scanCfg);
+        if (results.length > 0) {
+            outputScanResults(results, { ...opts, quiet: false }, undefined, /* exitOnFindings= */ false);
+            logWatchFindings(logger, results);
+        }
+        else if (!opts.quiet) {
+            console.log(fmt.success(`  No secrets detected`));
+        }
+    });
+    // Keep process alive until Ctrl+C
+    await new Promise((resolve) => {
+        process.on("SIGINT", () => {
+            if (!opts.quiet) {
+                console.log(fmt.info("\nWatch mode stopped."));
+            }
+            watcher.close();
+            resolve();
+        });
+    });
+}
+/**
+ * Log watch findings to audit log
+ */
+function logWatchFindings(logger, results) {
+    for (const result of results) {
+        for (const match of result.matches) {
+            logger.log({
+                eventType: "secret_detected",
+                securityCheck: {
+                    passed: false,
+                    reason: `${match.pattern.name} detected in ${result.file}`,
+                    details: {
+                        file: result.file,
+                        line: match.line,
+                        pattern: match.pattern.name,
+                        severity: match.pattern.severity,
+                        watchMode: true,
+                    },
+                },
+                resolution: {
+                    actionTaken: "allowed",
+                },
+            });
+        }
+    }
+}

package/dist/commands/agent/status.js

@@ -32,7 +32,7 @@ export function createStatusCommand() {
         }
         // --- Gitleaks ---
         const localGitleaks = path.join(getBinDir(), "gitleaks");
-        let gitleaksStatus = "not found — run: rafter agent init";
+        let gitleaksStatus = "not found — run: rafter agent init --with-gitleaks";
         try {
             const ver = execSync("gitleaks version", { timeout: 5000, encoding: "utf-8" }).trim();
             gitleaksStatus = `${ver} (PATH)`;
@@ -74,8 +74,8 @@ export function createStatusCommand() {
                 // unreadable settings
             }
         }
-        console.log(`PreToolUse:   ${pretoolOk ? "installed" : "not installed — run: rafter agent init"}`);
-        console.log(`PostToolUse:  ${posttoolOk ? "installed" : "not installed — run: rafter agent init"}`);
+        console.log(`PreToolUse:   ${pretoolOk ? "installed" : "not installed — run: rafter agent init --with-claude-code"}`);
+        console.log(`PostToolUse:  ${posttoolOk ? "installed" : "not installed — run: rafter agent init --with-claude-code"}`);
         // --- OpenClaw skill ---
         const skillPath = path.join(home, ".openclaw", "skills", "rafter-security.md");
         const openclawDir = path.join(home, ".openclaw");
@@ -83,11 +83,72 @@ export function createStatusCommand() {
             console.log(`OpenClaw:     skill installed (${skillPath})`);
         }
         else if (fs.existsSync(openclawDir)) {
-            console.log("OpenClaw:     detected but skill missing — run: rafter agent init");
+            console.log("OpenClaw:     detected but skill missing — run: rafter agent init --with-openclaw");
         }
         else {
             console.log("OpenClaw:     not detected (optional)");
         }
+        // --- Codex CLI skills ---
+        const codexDir = path.join(home, ".codex");
+        const codexSkillPath = path.join(home, ".agents", "skills", "rafter", "SKILL.md");
+        if (fs.existsSync(codexSkillPath)) {
+            console.log(`Codex CLI:    skills installed (${path.join(home, ".agents", "skills")})`);
+        }
+        else if (fs.existsSync(codexDir)) {
+            console.log("Codex CLI:    detected but skills missing — run: rafter agent init --with-codex");
+        }
+        else {
+            console.log("Codex CLI:    not detected (optional)");
+        }
+        // --- MCP-native AI engine integrations ---
+        const mcpAgents = [
+            { name: "Gemini CLI", flag: "--with-gemini", configDir: path.join(home, ".gemini"), configFile: path.join(home, ".gemini", "settings.json"), needle: "rafter" },
+            { name: "Cursor", flag: "--with-cursor", configDir: path.join(home, ".cursor"), configFile: path.join(home, ".cursor", "mcp.json"), needle: "rafter" },
+            { name: "Windsurf", flag: "--with-windsurf", configDir: path.join(home, ".codeium", "windsurf"), configFile: path.join(home, ".codeium", "windsurf", "mcp_config.json"), needle: "rafter" },
+            { name: "Continue.dev", flag: "--with-continue", configDir: path.join(home, ".continue"), configFile: path.join(home, ".continue", "config.json"), needle: "rafter" },
+        ];
+        for (const agent of mcpAgents) {
+            const label = `${agent.name}:`.padEnd(14);
+            if (fs.existsSync(agent.configFile)) {
+                try {
+                    const content = fs.readFileSync(agent.configFile, "utf-8");
+                    if (content.includes(agent.needle)) {
+                        console.log(`${label}MCP installed (${agent.configFile})`);
+                    }
+                    else {
+                        console.log(`${label}detected but MCP missing — run: rafter agent init ${agent.flag}`);
+                    }
+                }
+                catch {
+                    console.log(`${label}config unreadable (${agent.configFile})`);
+                }
+            }
+            else if (fs.existsSync(agent.configDir)) {
+                console.log(`${label}detected but MCP missing — run: rafter agent init ${agent.flag}`);
+            }
+            else {
+                console.log(`${label}not detected (optional)`);
+            }
+        }
+        // --- Aider ---
+        const aiderConfig = path.join(home, ".aider.conf.yml");
+        if (fs.existsSync(aiderConfig)) {
+            try {
+                const content = fs.readFileSync(aiderConfig, "utf-8");
+                if (content.includes("rafter mcp serve")) {
+                    console.log(`Aider:        MCP installed (${aiderConfig})`);
+                }
+                else {
+                    console.log("Aider:        detected but MCP missing — run: rafter agent init --with-aider");
+                }
+            }
+            catch {
+                console.log(`Aider:        config unreadable (${aiderConfig})`);
+            }
+        }
+        else {
+            console.log("Aider:        not detected (optional)");
+        }
         // --- Audit log summary ---
         console.log(`\nAudit log:    ${auditPath}`);
         if (fs.existsSync(auditPath)) {

package/dist/commands/agent/update-gitleaks.js

@@ -0,0 +1,40 @@
+import { Command } from "commander";
+import { BinaryManager, GITLEAKS_VERSION } from "../../utils/binary-manager.js";
+import { fmt } from "../../utils/formatter.js";
+export function createUpdateGitleaksCommand() {
+    return new Command("update-gitleaks")
+        .description("Update (or reinstall) the managed gitleaks binary")
+        .option("--version <version>", "Gitleaks version to install", GITLEAKS_VERSION)
+        .action(async (opts) => {
+        const bm = new BinaryManager();
+        if (!bm.isPlatformSupported()) {
+            const { platform, arch } = bm.getPlatformInfo();
+            console.error(fmt.error(`Gitleaks not available for ${platform}/${arch}`));
+            process.exit(1);
+        }
+        // Show current version if installed
+        if (bm.isGitleaksInstalled()) {
+            const current = await bm.getGitleaksVersion();
+            console.log(fmt.info(`Current: ${current}`));
+        }
+        else {
+            console.log(fmt.info("Gitleaks not currently installed (managed binary)"));
+        }
+        console.log(fmt.info(`Installing gitleaks v${opts.version}...`));
+        console.log();
+        try {
+            await bm.downloadGitleaks((msg) => console.log(`   ${msg}`), opts.version);
+            console.log();
+            const installed = await bm.getGitleaksVersion();
+            console.log(fmt.success(`Gitleaks updated: ${installed}`));
+            console.log(fmt.info(`  Binary: ${bm.getGitleaksPath()}`));
+        }
+        catch (e) {
+            console.log();
+            console.error(fmt.error(`Update failed: ${e}`));
+            console.log(fmt.info("To fix: install gitleaks manually (https://github.com/gitleaks/gitleaks/releases) " +
+                "and ensure it is on PATH."));
+            process.exit(1);
+        }
+    });
+}

package/dist/commands/agent/verify.js

@@ -43,7 +43,7 @@ function checkClaudeCode() {
     // optional: warn if absent but don't fail exit code
     const claudeDir = path.join(homeDir, ".claude");
     if (!fs.existsSync(claudeDir)) {
-        return { name, passed: false, optional: true, detail: `Not detected — run 'rafter agent init --claude-code' to enable` };
+        return { name, passed: false, optional: true, detail: `Not detected — run 'rafter agent init --with-claude-code' to enable` };
     }
     const settingsPath = path.join(claudeDir, "settings.json");
     if (!fs.existsSync(settingsPath)) {
@@ -54,7 +54,7 @@ function checkClaudeCode() {
         const hooks = settings?.hooks?.PreToolUse || [];
         const hasRafterHook = hooks.some((entry) => (entry.hooks || []).some((h) => h.command === "rafter hook pretool"));
         if (!hasRafterHook) {
-            return { name, passed: false, optional: true, detail: "Rafter hooks not installed — run 'rafter agent init --claude-code'" };
+            return { name, passed: false, optional: true, detail: "Rafter hooks not installed — run 'rafter agent init --with-claude-code'" };
         }
         return { name, passed: true, detail: "Hooks installed" };
     }
@@ -66,14 +66,27 @@ function checkOpenClaw() {
     const name = "OpenClaw";
     const skillManager = new SkillManager();
     if (!skillManager.isOpenClawInstalled()) {
-        return { name, passed: false, optional: true, detail: `Not detected — run 'rafter agent init' to enable` };
+        return { name, passed: false, optional: true, detail: `Not detected — run 'rafter agent init --with-openclaw' to enable` };
     }
     if (!skillManager.isRafterSkillInstalled()) {
-        return { name, passed: false, optional: true, detail: `Rafter skill not installed — run 'rafter agent init'` };
+        return { name, passed: false, optional: true, detail: `Rafter skill not installed — run 'rafter agent init --with-openclaw'` };
     }
     const version = skillManager.getInstalledVersion();
     return { name, passed: true, detail: `Rafter skill installed${version ? ` (v${version})` : ""}` };
 }
+function checkCodex() {
+    const name = "Codex CLI";
+    const homeDir = os.homedir();
+    const codexDir = path.join(homeDir, ".codex");
+    if (!fs.existsSync(codexDir)) {
+        return { name, passed: false, optional: true, detail: `Not detected — run 'rafter agent init --with-codex' to enable` };
+    }
+    const skillPath = path.join(homeDir, ".agents", "skills", "rafter", "SKILL.md");
+    if (!fs.existsSync(skillPath)) {
+        return { name, passed: false, optional: true, detail: `Rafter skills not installed — run 'rafter agent init --with-codex'` };
+    }
+    return { name, passed: true, detail: `Skills installed (${path.join(homeDir, ".agents", "skills")})` };
+}
 export function createVerifyCommand() {
     return new Command("verify")
         .description("Check agent security integration status")
@@ -86,6 +99,7 @@ export function createVerifyCommand() {
             await checkGitleaks(),
             checkClaudeCode(),
             checkOpenClaw(),
+            checkCodex(),
         ];
         for (const r of results) {
             if (r.passed) {