@rafter-security/cli 0.5.3 → 0.5.9

package/dist/commands/hook/pretool.js

@@ -3,31 +3,65 @@ import { CommandInterceptor } from "../../core/command-interceptor.js";
 import { RegexScanner } from "../../scanners/regex-scanner.js";
 import { AuditLogger } from "../../core/audit-logger.js";
 import { execSync } from "child_process";
+const RISK_LABELS = {
+    critical: "CRITICAL", high: "HIGH", medium: "MEDIUM", low: "LOW",
+};
+const RISK_DESCRIPTIONS = {
+    critical: "irreversible system damage",
+    high: "significant system changes",
+    medium: "moderate risk operation",
+    low: "minimal risk",
+};
+function formatBlockedMessage(command, evaluation) {
+    const cmdDisplay = command.length > 60 ? command.slice(0, 60) + "..." : command;
+    const rule = evaluation.matchedPattern ?? "policy violation";
+    const label = RISK_LABELS[evaluation.riskLevel] ?? evaluation.riskLevel.toUpperCase();
+    const desc = RISK_DESCRIPTIONS[evaluation.riskLevel] ?? "";
+    return `\u2717 Rafter blocked: ${cmdDisplay}\n  Rule: ${rule}\n  Risk: ${label}\u2014${desc}`;
+}
+function formatApprovalMessage(command, evaluation) {
+    const cmdDisplay = command.length > 60 ? command.slice(0, 60) + "..." : command;
+    const rule = evaluation.matchedPattern ?? "policy match";
+    const label = RISK_LABELS[evaluation.riskLevel] ?? evaluation.riskLevel.toUpperCase();
+    const desc = RISK_DESCRIPTIONS[evaluation.riskLevel] ?? "";
+    return `\u26a0 Rafter: approval required\n  Command: ${cmdDisplay}\n  Rule: ${rule}\n  Risk: ${label}\u2014${desc}\n\nTo approve: rafter agent exec --approve "${command}"\nTo configure: rafter agent config set agent.riskLevel minimal`;
+}
 export function createHookPretoolCommand() {
     return new Command("pretool")
         .description("PreToolUse hook handler (reads stdin, writes JSON decision to stdout)")
         .action(async () => {
-        const input = await readStdin();
-        let payload;
         try {
-            payload = JSON.parse(input);
+            const input = await readStdin();
+            let payload;
+            try {
+                payload = JSON.parse(input);
+            }
+            catch {
+                // Can't parse → fail open
+                writeDecision({ decision: "allow" });
+                return;
+            }
+            // Validate payload is an object with expected shape
+            if (!payload || typeof payload !== "object" || Array.isArray(payload)) {
+                writeDecision({ decision: "allow" });
+                return;
+            }
+            const decision = evaluateToolCall(payload);
+            writeDecision(decision);
         }
         catch {
-            // Can't parse → fail open
+            // Any unexpected error → fail open
             writeDecision({ decision: "allow" });
-            return;
         }
-        const decision = evaluateToolCall(payload);
-        writeDecision(decision);
     });
 }
 function evaluateToolCall(payload) {
     const { tool_name, tool_input } = payload;
     if (tool_name === "Bash") {
-        return evaluateBash(tool_input.command || "");
+        return evaluateBash(tool_input?.command || "");
     }
     if (tool_name === "Write" || tool_name === "Edit") {
-        return evaluateWrite(tool_input);
+        return evaluateWrite(tool_input || {});
     }
     return { decision: "allow" };
 }
@@ -40,7 +74,7 @@ function evaluateBash(command) {
         audit.logCommandIntercepted(command, false, "blocked", evaluation.reason);
         return {
             decision: "deny",
-            reason: `Blocked by Rafter policy: ${evaluation.reason}`,
+            reason: formatBlockedMessage(command, evaluation),
         };
     }
     // Requires approval — deny (agent can't provide interactive approval)
@@ -48,7 +82,7 @@ function evaluateBash(command) {
         audit.logCommandIntercepted(command, false, "blocked", evaluation.reason);
         return {
             decision: "deny",
-            reason: `Rafter policy requires approval: ${evaluation.reason}`,
+            reason: formatApprovalMessage(command, evaluation),
         };
     }
     // Git commit/push — scan staged files for secrets
@@ -59,7 +93,7 @@ function evaluateBash(command) {
             audit.logSecretDetected("staged files", `${scanResult.count} secret(s)`, "blocked");
             return {
                 decision: "deny",
-                reason: `${scanResult.count} secret(s) detected in ${scanResult.files} staged file(s). Run 'rafter agent scan --staged' for details.`,
+                reason: `${scanResult.count} secret(s) detected in ${scanResult.files} staged file(s). Run 'rafter scan local --staged' for details.`,
             };
         }
     }
@@ -108,12 +142,15 @@ function scanStagedFiles() {
         return { secretsFound: false, count: 0, files: 0 };
     }
 }
+const STDIN_TIMEOUT_MS = 5000;
 function readStdin() {
     return new Promise((resolve) => {
         let data = "";
+        const timeout = setTimeout(() => { resolve(data); }, STDIN_TIMEOUT_MS);
         process.stdin.setEncoding("utf-8");
         process.stdin.on("data", (chunk) => { data += chunk; });
-        process.stdin.on("end", () => { resolve(data); });
+        process.stdin.on("end", () => { clearTimeout(timeout); resolve(data); });
+        process.stdin.on("error", () => { clearTimeout(timeout); resolve(data); });
         process.stdin.resume();
     });
 }

package/dist/commands/issues/dedup.js

@@ -0,0 +1,39 @@
+/**
+ * Deduplication logic for GitHub issues created from scan findings.
+ *
+ * Uses a fingerprint hash (file + pattern/ruleId) embedded in the issue body
+ * to avoid creating duplicate issues for the same finding.
+ */
+import crypto from "crypto";
+const FINGERPRINT_PREFIX = "<!-- rafter-fingerprint:";
+const FINGERPRINT_SUFFIX = " -->";
+export function fingerprint(file, ruleId) {
+    const hash = crypto
+        .createHash("sha256")
+        .update(`${file}:${ruleId}`)
+        .digest("hex")
+        .slice(0, 12);
+    return hash;
+}
+export function embedFingerprint(body, fp) {
+    return `${body}\n\n${FINGERPRINT_PREFIX}${fp}${FINGERPRINT_SUFFIX}`;
+}
+export function extractFingerprint(body) {
+    const idx = body.indexOf(FINGERPRINT_PREFIX);
+    if (idx === -1)
+        return null;
+    const start = idx + FINGERPRINT_PREFIX.length;
+    const end = body.indexOf(FINGERPRINT_SUFFIX, start);
+    if (end === -1)
+        return null;
+    return body.slice(start, end);
+}
+export function findDuplicates(existingIssues, newFingerprints) {
+    const existingFps = new Set();
+    for (const issue of existingIssues) {
+        const fp = extractFingerprint(issue.body);
+        if (fp)
+            existingFps.add(fp);
+    }
+    return new Set(newFingerprints.filter((fp) => existingFps.has(fp)));
+}

package/dist/commands/issues/from-scan.js

@@ -0,0 +1,143 @@
+/**
+ * rafter issues create from-scan — create GitHub issues from scan results.
+ *
+ * Supports both:
+ * - Backend scans: --scan-id <id> (fetches from Rafter API)
+ * - Local scans: --from-local <path> (reads JSON file from `rafter scan local --format json`)
+ */
+import { Command } from "commander";
+import fs from "fs";
+import axios from "axios";
+import { API, resolveKey, EXIT_GENERAL_ERROR } from "../../utils/api.js";
+import { detectRepo } from "../../utils/git.js";
+import { fmt } from "../../utils/formatter.js";
+import { createIssue, listOpenIssues } from "./github-client.js";
+import { findDuplicates } from "./dedup.js";
+import { buildFromBackendVulnerability, buildFromLocalMatch, } from "./issue-builder.js";
+export function createFromScanCommand() {
+    return new Command("from-scan")
+        .description("Create GitHub issues from scan results")
+        .option("--scan-id <id>", "Backend scan ID to create issues from")
+        .option("--from-local <path>", "Path to local scan JSON (from rafter scan local --format json)")
+        .option("-r, --repo <repo>", "Target GitHub repo (org/repo)")
+        .option("-k, --api-key <key>", "Rafter API key (for --scan-id)")
+        .option("--no-dedup", "Skip deduplication check")
+        .option("--dry-run", "Show issues that would be created without creating them")
+        .option("--quiet", "Suppress status messages")
+        .action(async (opts) => {
+        try {
+            await runFromScan(opts);
+        }
+        catch (e) {
+            console.error(fmt.error(e.message || String(e)));
+            process.exit(EXIT_GENERAL_ERROR);
+        }
+    });
+}
+async function runFromScan(opts) {
+    if (!opts.scanId && !opts.fromLocal) {
+        console.error(fmt.error("Provide --scan-id or --from-local"));
+        process.exit(EXIT_GENERAL_ERROR);
+    }
+    // Resolve target repo
+    let repo;
+    if (opts.repo) {
+        repo = opts.repo;
+    }
+    else {
+        const detected = detectRepo({});
+        repo = detected.repo;
+    }
+    if (!opts.quiet) {
+        console.error(fmt.info(`Target repo: ${repo}`));
+    }
+    // Build issue drafts from scan results
+    let drafts;
+    if (opts.scanId) {
+        drafts = await draftsFromBackendScan(opts.scanId, opts.apiKey);
+    }
+    else {
+        drafts = draftsFromLocalScan(opts.fromLocal);
+    }
+    if (drafts.length === 0) {
+        if (!opts.quiet) {
+            console.error(fmt.success("No findings to create issues for"));
+        }
+        return;
+    }
+    if (!opts.quiet) {
+        console.error(fmt.info(`Found ${drafts.length} findings`));
+    }
+    // Dedup against existing open issues
+    if (opts.dedup !== false) {
+        const existing = listOpenIssues(repo);
+        const dupes = findDuplicates(existing, drafts.map((d) => d.fingerprint));
+        const before = drafts.length;
+        drafts = drafts.filter((d) => !dupes.has(d.fingerprint));
+        if (before !== drafts.length && !opts.quiet) {
+            console.error(fmt.info(`Skipped ${before - drafts.length} duplicate(s)`));
+        }
+    }
+    if (drafts.length === 0) {
+        if (!opts.quiet) {
+            console.error(fmt.success("All findings already have open issues"));
+        }
+        return;
+    }
+    // Dry run — print what would be created
+    if (opts.dryRun) {
+        console.error(fmt.info(`Would create ${drafts.length} issue(s):`));
+        for (const draft of drafts) {
+            console.error(`  - ${draft.title}`);
+        }
+        // Output drafts as JSON to stdout for piping
+        process.stdout.write(JSON.stringify(drafts, null, 2));
+        return;
+    }
+    // Create issues
+    const created = [];
+    for (const draft of drafts) {
+        try {
+            const issue = createIssue({
+                repo,
+                title: draft.title,
+                body: draft.body,
+                labels: draft.labels,
+            });
+            created.push(issue.html_url);
+            if (!opts.quiet) {
+                console.error(fmt.success(`Created: ${issue.html_url}`));
+            }
+        }
+        catch (e) {
+            console.error(fmt.error(`Failed to create issue: ${e.message}`));
+        }
+    }
+    // Output created issue URLs to stdout
+    if (created.length > 0) {
+        process.stdout.write(created.join("\n") + "\n");
+    }
+    if (!opts.quiet) {
+        console.error(fmt.success(`Created ${created.length}/${drafts.length} issue(s)`));
+    }
+}
+async function draftsFromBackendScan(scanId, apiKey) {
+    const key = resolveKey(apiKey);
+    const { data } = await axios.get(`${API}/static/scan`, {
+        params: { scan_id: scanId, format: "json" },
+        headers: { "x-api-key": key },
+    });
+    const vulns = data.vulnerabilities || [];
+    return vulns.map(buildFromBackendVulnerability);
+}
+function draftsFromLocalScan(filePath) {
+    const raw = fs.readFileSync(filePath, "utf-8");
+    const results = JSON.parse(raw);
+    const drafts = [];
+    for (const result of results) {
+        for (const match of result.matches) {
+            drafts.push(buildFromLocalMatch(result.file, match));
+        }
+    }
+    return drafts;
+}

package/dist/commands/issues/from-text.js

@@ -0,0 +1,185 @@
+/**
+ * rafter issues create from-text — create a GitHub issue from natural language.
+ *
+ * Input sources: stdin (pipe), --file, --text inline.
+ * Parses natural text to extract title, description, labels, severity, affected files.
+ * Works as a skill: /rafter-issue in Claude Code / OpenClaw.
+ */
+import { Command } from "commander";
+import fs from "fs";
+import { detectRepo } from "../../utils/git.js";
+import { fmt } from "../../utils/formatter.js";
+import { EXIT_GENERAL_ERROR } from "../../utils/api.js";
+import { createIssue } from "./github-client.js";
+export function createFromTextCommand() {
+    return new Command("from-text")
+        .description("Create a GitHub issue from natural language text (stdin, file, or inline)")
+        .option("-r, --repo <repo>", "Target GitHub repo (org/repo)")
+        .option("-t, --text <text>", "Inline text to convert to an issue")
+        .option("-f, --file <path>", "Read text from file")
+        .option("--title <title>", "Override extracted title")
+        .option("--labels <labels>", "Comma-separated labels to add")
+        .option("--dry-run", "Show parsed issue without creating it")
+        .option("--quiet", "Suppress status messages")
+        .action(async (opts) => {
+        try {
+            await runFromText(opts);
+        }
+        catch (e) {
+            console.error(fmt.error(e.message || String(e)));
+            process.exit(EXIT_GENERAL_ERROR);
+        }
+    });
+}
+async function runFromText(opts) {
+    // Read input text
+    const input = await readInput(opts);
+    if (!input.trim()) {
+        console.error(fmt.error("No input text provided. Use --text, --file, or pipe via stdin"));
+        process.exit(EXIT_GENERAL_ERROR);
+    }
+    // Resolve target repo
+    let repo;
+    if (opts.repo) {
+        repo = opts.repo;
+    }
+    else {
+        const detected = detectRepo({});
+        repo = detected.repo;
+    }
+    // Parse the natural text into a structured issue
+    const parsed = parseNaturalText(input);
+    // Apply overrides
+    if (opts.title)
+        parsed.title = opts.title;
+    if (opts.labels) {
+        const extra = opts.labels.split(",").map((l) => l.trim()).filter(Boolean);
+        parsed.labels.push(...extra);
+    }
+    if (!opts.quiet) {
+        console.error(fmt.info(`Target repo: ${repo}`));
+        console.error(fmt.info(`Title: ${parsed.title}`));
+        if (parsed.labels.length) {
+            console.error(fmt.info(`Labels: ${parsed.labels.join(", ")}`));
+        }
+    }
+    if (opts.dryRun) {
+        process.stdout.write(JSON.stringify(parsed, null, 2));
+        return;
+    }
+    const issue = createIssue({
+        repo,
+        title: parsed.title,
+        body: parsed.body,
+        labels: parsed.labels,
+    });
+    if (!opts.quiet) {
+        console.error(fmt.success(`Created: ${issue.html_url}`));
+    }
+    process.stdout.write(issue.html_url + "\n");
+}
+async function readInput(opts) {
+    if (opts.text)
+        return opts.text;
+    if (opts.file)
+        return fs.readFileSync(opts.file, "utf-8");
+    // Read from stdin if available (piped input)
+    if (!process.stdin.isTTY) {
+        return new Promise((resolve) => {
+            let data = "";
+            process.stdin.setEncoding("utf-8");
+            process.stdin.on("data", (chunk) => (data += chunk));
+            process.stdin.on("end", () => resolve(data));
+        });
+    }
+    return "";
+}
+/**
+ * Parse natural language text into a structured GitHub issue.
+ *
+ * Heuristics-based extraction:
+ * - First line or sentence → title
+ * - Severity keywords → labels
+ * - File paths → mentioned in body
+ * - Security keywords → security label
+ */
+function parseNaturalText(text) {
+    const lines = text.trim().split("\n");
+    const labels = [];
+    // Extract title: first non-empty line, cleaned up
+    let title = "";
+    let bodyStart = 0;
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i].trim();
+        if (line) {
+            // Strip markdown headers
+            title = line.replace(/^#+\s*/, "").trim();
+            bodyStart = i + 1;
+            break;
+        }
+    }
+    if (!title) {
+        title = "Security issue reported via Rafter CLI";
+    }
+    // Truncate long titles
+    if (title.length > 120) {
+        title = title.slice(0, 117) + "...";
+    }
+    // Build body from remaining text
+    const bodyLines = lines.slice(bodyStart);
+    let body = bodyLines.join("\n").trim();
+    if (!body) {
+        body = text.trim();
+    }
+    // Extract severity from text
+    const textLower = text.toLowerCase();
+    if (textLower.includes("critical") || textLower.includes("p0")) {
+        labels.push("severity:critical");
+    }
+    else if (textLower.includes("high severity") ||
+        textLower.includes("high risk") ||
+        textLower.includes("p1")) {
+        labels.push("severity:high");
+    }
+    else if (textLower.includes("medium") || textLower.includes("p2")) {
+        labels.push("severity:medium");
+    }
+    else if (textLower.includes("low") || textLower.includes("p3")) {
+        labels.push("severity:low");
+    }
+    // Detect security-related content
+    const securityKeywords = [
+        "security",
+        "vulnerability",
+        "cve",
+        "cwe",
+        "owasp",
+        "secret",
+        "credential",
+        "token",
+        "password",
+        "injection",
+        "xss",
+        "csrf",
+        "ssrf",
+        "exploit",
+    ];
+    if (securityKeywords.some((kw) => textLower.includes(kw))) {
+        labels.push("security");
+    }
+    // Extract file paths mentioned in text
+    const fileRefs = text.match(/(?:^|\s)([a-zA-Z0-9_./-]+\.[a-zA-Z]{1,10})(?::(\d+))?/gm);
+    if (fileRefs && fileRefs.length > 0) {
+        const files = fileRefs
+            .map((f) => f.trim())
+            .filter((f) => f.includes("/") || f.includes("."));
+        if (files.length > 0) {
+            body += `\n\n### Referenced Files\n\n`;
+            for (const f of files.slice(0, 10)) {
+                body += `- \`${f}\`\n`;
+            }
+        }
+    }
+    body += `\n\n---\n*Created by [Rafter CLI](https://rafter.so) — security for AI builders*\n`;
+    return { title, body, labels: [...new Set(labels)] };
+}

package/dist/commands/issues/github-client.js

@@ -0,0 +1,85 @@
+/**
+ * GitHub API client — wraps `gh` CLI for issue operations.
+ *
+ * Prefers `gh` CLI (handles auth, rate limits, pagination) over raw REST.
+ * Falls back to GITHUB_TOKEN + REST if gh is unavailable.
+ */
+import { execFileSync } from "child_process";
+function ghAvailable() {
+    try {
+        execFileSync("gh", ["--version"], { stdio: "ignore" });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export function createIssue(params) {
+    const { repo, title, body, labels } = params;
+    if (!ghAvailable()) {
+        throw new Error("GitHub CLI (gh) is required. Install: https://cli.github.com");
+    }
+    const args = [
+        "issue",
+        "create",
+        "--repo",
+        repo,
+        "--title",
+        title,
+        "--body",
+        body,
+    ];
+    if (labels && labels.length > 0) {
+        for (const label of labels) {
+            args.push("--label", label);
+        }
+    }
+    const result = execFileSync("gh", args, {
+        encoding: "utf-8",
+        stdio: ["ignore", "pipe", "pipe"],
+    }).trim();
+    // gh issue create returns the issue URL
+    const urlMatch = result.match(/https:\/\/github\.com\/[^/]+\/[^/]+\/issues\/(\d+)/);
+    const number = urlMatch ? parseInt(urlMatch[1], 10) : 0;
+    return {
+        number,
+        title,
+        body,
+        labels: labels || [],
+        html_url: result,
+        state: "open",
+    };
+}
+export function listOpenIssues(repo) {
+    if (!ghAvailable()) {
+        return [];
+    }
+    try {
+        const result = execFileSync("gh", [
+            "issue",
+            "list",
+            "--repo",
+            repo,
+            "--state",
+            "open",
+            "--json",
+            "number,title,body,labels,url",
+            "--limit",
+            "200",
+        ], { encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"] }).trim();
+        if (!result)
+            return [];
+        const issues = JSON.parse(result);
+        return issues.map((i) => ({
+            number: i.number,
+            title: i.title,
+            body: i.body || "",
+            labels: (i.labels || []).map((l) => l.name),
+            html_url: i.url,
+            state: "open",
+        }));
+    }
+    catch {
+        return [];
+    }
+}

package/dist/commands/issues/index.js

@@ -0,0 +1,25 @@
+/**
+ * rafter issues — GitHub Issues integration.
+ *
+ * Subcommands:
+ *   rafter issues create --from-scan <id>     Create issues from backend scan results
+ *   rafter issues create --from-local <path>   Create issues from local scan JSON
+ *   rafter issues create --from-text           Create issue from natural text (stdin/file/inline)
+ */
+import { Command } from "commander";
+import { createFromScanCommand } from "./from-scan.js";
+import { createFromTextCommand } from "./from-text.js";
+export function createIssuesCommand() {
+    const issuesGroup = new Command("issues")
+        .description("GitHub Issues integration — create issues from scan results or text");
+    const createGroup = new Command("create")
+        .description("Create GitHub issues from scan findings or natural text");
+    createGroup.addCommand(createFromScanCommand());
+    createGroup.addCommand(createFromTextCommand());
+    // Default action for `rafter issues create` with no subcommand — show help
+    createGroup.action(() => {
+        createGroup.help();
+    });
+    issuesGroup.addCommand(createGroup);
+    return issuesGroup;
+}