@rafter-security/cli 0.5.3 → 0.5.9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rafter-security/cli",
-  "version": "0.5.3",
+  "version": "0.5.9",
   "type": "module",
   "bin": {
     "rafter": "./dist/index.js"
@@ -22,6 +22,7 @@
     "@modelcontextprotocol/sdk": "^1.12.0",
     "axios": "^1.6.8",
     "chalk": "^5.3.0",
+    "chokidar": "^5.0.0",
     "commander": "^11.1.0",
     "dotenv": "^16.4.5",
     "js-yaml": "^4.1.0",

package/resources/pre-commit-hook.sh

@@ -27,14 +27,14 @@ fi
 echo "🔍 Rafter: Scanning staged files for secrets..."
 
 # Scan staged files
-rafter agent scan --staged --quiet
+rafter scan local --staged --quiet
 
 EXIT_CODE=$?
 
 if [ $EXIT_CODE -ne 0 ]; then
     echo -e "${RED}❌ Commit blocked: Secrets detected in staged files${NC}"
     echo ""
-    echo "   Run: rafter agent scan --staged"
+    echo "   Run: rafter scan local --staged"
     echo "   To see details and remediate."
     echo ""
     echo "   To bypass (NOT recommended): git commit --no-verify"

package/resources/pre-push-hook.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# Rafter Security Pre-Push Hook
+# Scans commits being pushed for secrets
+
+# Colors for output
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+NC='\033[0m' # No Color
+
+# Check if rafter is installed
+if ! command -v rafter &> /dev/null; then
+    echo -e "${YELLOW}⚠️  Warning: rafter CLI not found in PATH${NC}"
+    echo "   Install: npm install -g @rafter-security/cli"
+    echo "   Skipping secret scan..."
+    exit 0
+fi
+
+ZERO_SHA="0000000000000000000000000000000000000000"
+FOUND_SECRETS=0
+
+while read local_ref local_sha remote_ref remote_sha; do
+    # Skip branch deletions
+    if [ "$local_sha" = "$ZERO_SHA" ]; then
+        continue
+    fi
+
+    if [ "$remote_sha" = "$ZERO_SHA" ]; then
+        # New branch — scan all commits on this branch not on any remote branch
+        ref_arg=$(git rev-list --max-parents=0 "$local_sha" 2>/dev/null | head -1)
+        if [ -z "$ref_arg" ]; then
+            ref_arg="$local_sha^"
+        fi
+    else
+        # Existing branch — scan only new commits
+        ref_arg="$remote_sha"
+    fi
+
+    echo "🔍 Rafter: Scanning commits being pushed ($local_ref)..."
+
+    rafter scan local --diff "$ref_arg" --quiet
+    EXIT_CODE=$?
+
+    if [ $EXIT_CODE -ne 0 ]; then
+        FOUND_SECRETS=1
+    fi
+done
+
+if [ $FOUND_SECRETS -ne 0 ]; then
+    echo -e "${RED}❌ Push blocked: Secrets detected in commits being pushed${NC}"
+    echo ""
+    echo "   Run: rafter scan local --diff <remote-sha>"
+    echo "   To see details and remediate."
+    echo ""
+    echo "   To bypass (NOT recommended): git push --no-verify"
+    exit 1
+fi
+
+echo -e "${GREEN}✓ No secrets detected${NC}"
+exit 0

package/resources/rafter-security-skill.md

@@ -6,8 +6,8 @@ openclaw:
   always: false
   requires:
     bins: [rafter]
-version: 0.4.0
-last_updated: 2026-02-03
+version: 0.5.8
+last_updated: 2026-03-04
 ---
 
 # Rafter Security
@@ -32,7 +32,7 @@ Rafter provides real-time security checks for agent operations:
 Scan files for secrets before committing.
 
 ```bash
-rafter agent scan <path>
+rafter scan local <path>
 ```
 
 **When to use:**
@@ -57,21 +57,17 @@ rafter agent scan <path>
 
 ### /rafter-bash
 
-Execute shell command with security validation.
+Explicitly run a command through Rafter's security validator.
 
 ```bash
 rafter agent exec <command>
 ```
 
-**Features:**
-- Blocks destructive commands (rm -rf /, fork bombs)
-- Requires approval for dangerous operations
-- Logs all command attempts
-- Scans staged files before git commits
+**When to use:** Only needed in environments where the `PreToolUse` hook is not installed. When `rafter agent init` has been run, all shell commands are validated automatically — you do not need to route commands through this.
 
 **Risk levels:**
 - **Critical** (blocked): rm -rf /, fork bombs, dd to /dev
-- **High** (approval required): sudo rm, chmod 777, curl|bash
+- **High** (approval required): sudo rm, chmod 777, curl | bash
 - **Medium** (approval on moderate+): sudo, chmod, kill -9
 - **Low** (allowed): npm install, git commit, ls
 
@@ -269,7 +265,7 @@ Configure with: `rafter agent config set agent.riskLevel moderate`
 
 ## Best Practices
 
-1. **Always scan before commits**: Run `rafter agent scan` before `git commit`
+1. **Always scan before commits**: Run `rafter scan local` before `git commit`
 2. **Audit untrusted skills**: Run `/rafter-audit-skill` on skills from unknown sources before installation
 3. **Review audit logs**: Check `rafter agent audit` after suspicious activity
 4. **Keep patterns updated**: Patterns updated automatically with CLI updates