@rafter-security/cli 0.5.5 → 0.6.1

package/README.md

@@ -153,17 +153,29 @@ Initialize agent security system.
 
 **Options:**
 - `--risk-level <level>` - Set risk level: `minimal`, `moderate`, or `aggressive` (default: `moderate`)
-- `--skip-openclaw` - Skip OpenClaw skill installation
+- `--with-openclaw` - Install OpenClaw integration
+- `--with-claude-code` - Install Claude Code integration
+- `--with-codex` - Install Codex CLI integration
+- `--with-gemini` - Install Gemini CLI integration
+- `--with-aider` - Install Aider integration
+- `--with-cursor` - Install Cursor integration
+- `--with-windsurf` - Install Windsurf integration
+- `--with-continue` - Install Continue.dev integration
+- `--with-gitleaks` - Download and install Gitleaks binary
+- `--all` - Install all detected integrations and download Gitleaks
 
 **What it does:**
 - Creates `~/.rafter/config.json` configuration
 - Initializes directory structure
-- Detects and installs OpenClaw skill (if present)
+- Detects available agent environments
+- Installs opted-in integrations (skills, hooks, MCP servers)
 - Sets up audit logging
 
 **Example:**
 ```bash
-rafter agent init
+rafter agent init                      # Config only, detect environments
+rafter agent init --all                # Install all detected integrations
+rafter agent init --with-claude-code   # Install Claude Code integration only
 rafter agent init --risk-level aggressive
 ```
 

package/dist/commands/agent/audit-skill.js

@@ -143,7 +143,7 @@ function displayQuickScan(scan, skillName) {
     else {
         console.log(`⚠️  Secrets: ${scan.secrets} found`);
         console.log("   → API keys, tokens, or credentials detected");
-        console.log("   → Run: rafter agent scan <path> for details");
+        console.log("   → Run: rafter scan local <path> for details");
     }
     // URLs
     if (scan.urls.length === 0) {

package/dist/commands/agent/audit.js

@@ -1,5 +1,10 @@
+import { createHash } from "crypto";
+import fs from "fs";
+import path from "path";
+import { fileURLToPath } from "url";
 import { Command } from "commander";
 import { AuditLogger } from "../../core/audit-logger.js";
+import { ConfigManager } from "../../core/config-manager.js";
 import { isAgentMode } from "../../utils/formatter.js";
 export function createAuditCommand() {
     return new Command("audit")
@@ -8,7 +13,12 @@ export function createAuditCommand() {
         .option("--event <type>", "Filter by event type")
         .option("--agent <type>", "Filter by agent type (openclaw, claude-code)")
         .option("--since <date>", "Show entries since date (YYYY-MM-DD)")
+        .option("--share", "Generate a redacted excerpt for issue reports")
         .action((opts) => {
+        if (opts.share) {
+            generateShareExcerpt();
+            return;
+        }
         const logger = new AuditLogger();
         const filter = {
             limit: parseInt(opts.last, 10)
@@ -41,18 +51,108 @@ export function createAuditCommand() {
             if (entry.action?.riskLevel) {
                 console.log(`   Risk: ${entry.action.riskLevel}`);
             }
-            console.log(`   Check: ${entry.securityCheck.passed ? "PASSED" : "FAILED"}`);
-            if (entry.securityCheck.reason) {
-                console.log(`   Reason: ${entry.securityCheck.reason}`);
+            if (entry.securityCheck) {
+                console.log(`   Check: ${entry.securityCheck.passed ? "PASSED" : "FAILED"}`);
+                if (entry.securityCheck.reason) {
+                    console.log(`   Reason: ${entry.securityCheck.reason}`);
+                }
             }
-            console.log(`   Action: ${entry.resolution.actionTaken}`);
-            if (entry.resolution.overrideReason) {
-                console.log(`   Override: ${entry.resolution.overrideReason}`);
+            if (entry.resolution) {
+                console.log(`   Action: ${entry.resolution.actionTaken}`);
+                if (entry.resolution.overrideReason) {
+                    console.log(`   Override: ${entry.resolution.overrideReason}`);
+                }
             }
             console.log("");
         }
     });
 }
+export function generateShareExcerpt() {
+    const version = getPkgVersion();
+    const os = `${process.platform}/${process.arch}`;
+    const timestamp = new Date().toISOString();
+    const config = new ConfigManager().loadWithPolicy();
+    const policyHash = computePolicyHash(config);
+    const riskLevel = getRiskLevel(config);
+    const logger = new AuditLogger();
+    const entries = logger.read({ limit: 5 });
+    const lines = [
+        "Rafter Audit Excerpt",
+        `Generated: ${timestamp}`,
+        "",
+        "Environment:",
+        `  CLI:    ${version}`,
+        `  OS:     ${os}`,
+        `  Policy: sha256:${policyHash} (${riskLevel})`,
+        "",
+        "Recent events (last 5):",
+    ];
+    if (entries.length === 0) {
+        lines.push("  (no entries)");
+    }
+    else {
+        for (const entry of entries) {
+            const ts = entry.timestamp.replace("T", " ").replace(/\.\d+Z$/, "Z");
+            const eventPad = entry.eventType.padEnd(20);
+            const riskRaw = entry.action?.riskLevel ?? "low";
+            const riskPad = riskRaw.toUpperCase().padEnd(8);
+            const detail = formatShareDetail(entry);
+            lines.push(`  ${ts}  ${eventPad}  ${riskPad} ${detail}`);
+        }
+    }
+    lines.push("");
+    lines.push("Share this excerpt when reporting issues at https://github.com/Raftersecurity/rafter-cli/issues");
+    console.log(lines.join("\n"));
+}
+export function getPkgVersion() {
+    try {
+        const __filename = fileURLToPath(import.meta.url);
+        const __dirname = path.dirname(__filename);
+        // Walk up from dist/commands/agent/ to find package.json
+        let dir = __dirname;
+        for (let i = 0; i < 6; i++) {
+            const candidate = path.join(dir, "package.json");
+            if (fs.existsSync(candidate)) {
+                const pkg = JSON.parse(fs.readFileSync(candidate, "utf-8"));
+                if (pkg.version)
+                    return pkg.version;
+            }
+            dir = path.dirname(dir);
+        }
+    }
+    catch {
+        // fall through
+    }
+    return "unknown";
+}
+export function computePolicyHash(config) {
+    const patterns = config?.agent?.commandPolicy?.requireApproval ?? [];
+    const payload = JSON.stringify(patterns.slice().sort());
+    return createHash("sha256").update(payload).digest("hex").slice(0, 16);
+}
+export function getRiskLevel(config) {
+    return config?.agent?.riskLevel ?? "moderate";
+}
+export function formatShareDetail(entry) {
+    const action = entry.resolution?.actionTaken ?? "unknown";
+    const suffix = `[${action}]`;
+    if (entry.eventType === "secret_detected") {
+        const reason = entry.securityCheck?.reason ?? "";
+        return `${reason} ${suffix}`;
+    }
+    if (entry.action?.command) {
+        return `${truncateCommand(entry.action.command, 60)} ${suffix}`;
+    }
+    if (entry.securityCheck?.reason) {
+        return `${entry.securityCheck.reason} ${suffix}`;
+    }
+    return suffix;
+}
+export function truncateCommand(cmd, maxLen = 60) {
+    if (cmd.length <= maxLen)
+        return cmd;
+    return cmd.slice(0, maxLen) + "...";
+}
 function getEventIndicator(eventType) {
     if (isAgentMode()) {
         const tagMap = {

package/dist/commands/agent/baseline.js

@@ -40,6 +40,12 @@ function createBaselineCreateCommand() {
         .argument("[path]", "Path to scan", ".")
         .option("--engine <engine>", "Scan engine: gitleaks or patterns", "auto")
         .action(async (scanPath, opts) => {
+        const validEngines = ["auto", "gitleaks", "patterns"];
+        const engineValue = opts.engine || "auto";
+        if (!validEngines.includes(engineValue)) {
+            console.error(`Invalid engine: ${engineValue}. Valid values: ${validEngines.join(", ")}`);
+            process.exit(2);
+        }
         const resolvedPath = path.resolve(scanPath);
         if (!fs.existsSync(resolvedPath)) {
             console.error(`Error: Path not found: ${resolvedPath}`);
@@ -167,6 +173,10 @@ async function selectEngine(preference) {
         const g = new GitleaksScanner();
         return (await g.isAvailable()) ? "gitleaks" : "patterns";
     }
+    if (preference !== "auto") {
+        console.error(`Invalid engine: ${preference}. Valid values: auto, gitleaks, patterns`);
+        process.exit(2);
+    }
     const g = new GitleaksScanner();
     return (await g.isAvailable()) ? "gitleaks" : "patterns";
 }

package/dist/commands/agent/exec.js

@@ -29,7 +29,7 @@ export function createExecCommand() {
             if (scanResult.secretsFound) {
                 console.error(`\n${fmt.warning("Secrets detected in staged files!")}\n`);
                 console.error(`Found ${scanResult.count} secret(s) in ${scanResult.files} file(s)`);
-                console.error(`\nRun 'rafter agent scan' for details.\n`);
+                console.error(`\nRun 'rafter scan local' for details.\n`);
                 interceptor.logEvaluation(evaluation, "blocked");
                 process.exit(1);
             }

package/dist/commands/agent/init.js

@@ -52,6 +52,150 @@ function installClaudeCodeHooks() {
     console.log(fmt.success(`Installed PreToolUse hooks to ${settingsPath}`));
     console.log(fmt.success(`Installed PostToolUse hooks to ${settingsPath}`));
 }
+/** MCP server entry for rafter — shared across MCP-native clients */
+const RAFTER_MCP_ENTRY = {
+    command: "rafter",
+    args: ["mcp", "serve"],
+};
+/**
+ * Install MCP server config for Gemini CLI (~/.gemini/settings.json)
+ */
+function installGeminiMcp() {
+    const homeDir = os.homedir();
+    const geminiDir = path.join(homeDir, ".gemini");
+    const settingsPath = path.join(geminiDir, "settings.json");
+    if (!fs.existsSync(geminiDir)) {
+        fs.mkdirSync(geminiDir, { recursive: true });
+    }
+    let settings = {};
+    if (fs.existsSync(settingsPath)) {
+        try {
+            settings = JSON.parse(fs.readFileSync(settingsPath, "utf-8"));
+        }
+        catch {
+            console.log(fmt.warning("Existing Gemini settings.json was unreadable, creating new one"));
+        }
+    }
+    if (!settings.mcpServers)
+        settings.mcpServers = {};
+    settings.mcpServers.rafter = { ...RAFTER_MCP_ENTRY };
+    fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2), "utf-8");
+    console.log(fmt.success(`Installed Rafter MCP server to ${settingsPath}`));
+    return true;
+}
+/**
+ * Install MCP server config for Cursor (~/.cursor/mcp.json)
+ */
+function installCursorMcp() {
+    const homeDir = os.homedir();
+    const cursorDir = path.join(homeDir, ".cursor");
+    const mcpPath = path.join(cursorDir, "mcp.json");
+    if (!fs.existsSync(cursorDir)) {
+        fs.mkdirSync(cursorDir, { recursive: true });
+    }
+    let config = {};
+    if (fs.existsSync(mcpPath)) {
+        try {
+            config = JSON.parse(fs.readFileSync(mcpPath, "utf-8"));
+        }
+        catch {
+            console.log(fmt.warning("Existing Cursor mcp.json was unreadable, creating new one"));
+        }
+    }
+    if (!config.mcpServers)
+        config.mcpServers = {};
+    config.mcpServers.rafter = { ...RAFTER_MCP_ENTRY };
+    fs.writeFileSync(mcpPath, JSON.stringify(config, null, 2), "utf-8");
+    console.log(fmt.success(`Installed Rafter MCP server to ${mcpPath}`));
+    return true;
+}
+/**
+ * Install MCP server config for Windsurf (~/.codeium/windsurf/mcp_config.json)
+ */
+function installWindsurfMcp() {
+    const homeDir = os.homedir();
+    const windsurfDir = path.join(homeDir, ".codeium", "windsurf");
+    const mcpPath = path.join(windsurfDir, "mcp_config.json");
+    if (!fs.existsSync(windsurfDir)) {
+        fs.mkdirSync(windsurfDir, { recursive: true });
+    }
+    let config = {};
+    if (fs.existsSync(mcpPath)) {
+        try {
+            config = JSON.parse(fs.readFileSync(mcpPath, "utf-8"));
+        }
+        catch {
+            console.log(fmt.warning("Existing Windsurf mcp_config.json was unreadable, creating new one"));
+        }
+    }
+    if (!config.mcpServers)
+        config.mcpServers = {};
+    config.mcpServers.rafter = { ...RAFTER_MCP_ENTRY };
+    fs.writeFileSync(mcpPath, JSON.stringify(config, null, 2), "utf-8");
+    console.log(fmt.success(`Installed Rafter MCP server to ${mcpPath}`));
+    return true;
+}
+/**
+ * Install MCP server config for Continue.dev (~/.continue/config.json)
+ */
+function installContinueDevMcp() {
+    const homeDir = os.homedir();
+    const continueDir = path.join(homeDir, ".continue");
+    const configPath = path.join(continueDir, "config.json");
+    if (!fs.existsSync(continueDir)) {
+        fs.mkdirSync(continueDir, { recursive: true });
+    }
+    let config = {};
+    if (fs.existsSync(configPath)) {
+        try {
+            config = JSON.parse(fs.readFileSync(configPath, "utf-8"));
+        }
+        catch {
+            console.log(fmt.warning("Existing Continue.dev config.json was unreadable, creating new one"));
+        }
+    }
+    if (!config.mcpServers)
+        config.mcpServers = [];
+    // Remove existing rafter entry if present (array format)
+    if (Array.isArray(config.mcpServers)) {
+        config.mcpServers = config.mcpServers.filter((s) => s.name !== "rafter");
+        config.mcpServers.push({
+            name: "rafter",
+            command: RAFTER_MCP_ENTRY.command,
+            args: RAFTER_MCP_ENTRY.args,
+        });
+    }
+    else {
+        // Object format (newer Continue.dev versions)
+        config.mcpServers.rafter = { ...RAFTER_MCP_ENTRY };
+    }
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2), "utf-8");
+    console.log(fmt.success(`Installed Rafter MCP server to ${configPath}`));
+    return true;
+}
+/**
+ * Install MCP config for Aider (~/.aider.conf.yml)
+ * Aider uses YAML config with mcpServers list
+ */
+function installAiderMcp() {
+    const homeDir = os.homedir();
+    const configPath = path.join(homeDir, ".aider.conf.yml");
+    // Aider's YAML config is simple — we append the MCP flag if not present
+    let content = "";
+    if (fs.existsSync(configPath)) {
+        content = fs.readFileSync(configPath, "utf-8");
+    }
+    // Check if rafter MCP is already configured
+    if (content.includes("rafter mcp serve")) {
+        console.log(fmt.success("Rafter MCP already configured in Aider config"));
+        return true;
+    }
+    // Append MCP server config
+    const mcpLine = "\n# Rafter security MCP server\nmcp-server-command: rafter mcp serve\n";
+    fs.writeFileSync(configPath, content + mcpLine, "utf-8");
+    console.log(fmt.success(`Installed Rafter MCP server to ${configPath}`));
+    return true;
+}
 async function installClaudeCodeSkills() {
     const homeDir = os.homedir();
     const claudeSkillsDir = path.join(homeDir, ".claude", "skills");
@@ -88,14 +232,52 @@ async function installClaudeCodeSkills() {
         console.log(fmt.warning(`Agent Security skill template not found at ${agentTemplatePath}`));
     }
 }
+function installCodexSkills() {
+    const homeDir = os.homedir();
+    const agentsSkillsDir = path.join(homeDir, ".agents", "skills");
+    // Install Backend Skill
+    const backendDir = path.join(agentsSkillsDir, "rafter");
+    const backendSkillPath = path.join(backendDir, "SKILL.md");
+    const backendTemplatePath = path.join(__dirname, "..", "..", "..", ".claude", "skills", "rafter", "SKILL.md");
+    if (!fs.existsSync(backendDir)) {
+        fs.mkdirSync(backendDir, { recursive: true });
+    }
+    if (fs.existsSync(backendTemplatePath)) {
+        fs.copyFileSync(backendTemplatePath, backendSkillPath);
+        console.log(fmt.success(`Installed Rafter Backend skill to ${backendSkillPath}`));
+    }
+    else {
+        console.log(fmt.warning(`Backend skill template not found at ${backendTemplatePath}`));
+    }
+    // Install Agent Security Skill
+    const agentDir = path.join(agentsSkillsDir, "rafter-agent-security");
+    const agentSkillPath = path.join(agentDir, "SKILL.md");
+    const agentTemplatePath = path.join(__dirname, "..", "..", "..", ".claude", "skills", "rafter-agent-security", "SKILL.md");
+    if (!fs.existsSync(agentDir)) {
+        fs.mkdirSync(agentDir, { recursive: true });
+    }
+    if (fs.existsSync(agentTemplatePath)) {
+        fs.copyFileSync(agentTemplatePath, agentSkillPath);
+        console.log(fmt.success(`Installed Rafter Agent Security skill to ${agentSkillPath}`));
+    }
+    else {
+        console.log(fmt.warning(`Agent Security skill template not found at ${agentTemplatePath}`));
+    }
+}
 export function createInitCommand() {
     return new Command("init")
         .description("Initialize agent security system")
         .option("--risk-level <level>", "Set risk level (minimal, moderate, aggressive)", "moderate")
-        .option("--skip-openclaw", "Skip OpenClaw skill installation")
-        .option("--skip-claude-code", "Skip Claude Code skill installation")
-        .option("--claude-code", "Force Claude Code skill installation")
-        .option("--skip-gitleaks", "Skip Gitleaks binary download")
+        .option("--with-openclaw", "Install OpenClaw integration")
+        .option("--with-claude-code", "Install Claude Code integration")
+        .option("--with-codex", "Install Codex CLI integration")
+        .option("--with-gemini", "Install Gemini CLI integration")
+        .option("--with-aider", "Install Aider integration")
+        .option("--with-cursor", "Install Cursor integration")
+        .option("--with-windsurf", "Install Windsurf integration")
+        .option("--with-continue", "Install Continue.dev integration")
+        .option("--with-gitleaks", "Download and install Gitleaks binary")
+        .option("--all", "Install all detected integrations and download Gitleaks")
         .option("--update", "Re-download gitleaks and reinstall integrations without resetting config")
         .action(async (opts) => {
         console.log(fmt.header("Rafter Agent Security Setup"));
@@ -104,19 +286,64 @@ export function createInitCommand() {
         const manager = new ConfigManager();
         // Detect environments
         const hasOpenClaw = fs.existsSync(path.join(os.homedir(), ".openclaw"));
-        const hasClaudeCode = opts.claudeCode || fs.existsSync(path.join(os.homedir(), ".claude"));
-        if (hasOpenClaw) {
-            console.log(fmt.success("Detected environment: OpenClaw"));
-        }
-        else {
-            console.log(fmt.info("OpenClaw not detected"));
-        }
-        if (hasClaudeCode) {
-            console.log(fmt.success("Detected environment: Claude Code"));
+        const hasClaudeCode = fs.existsSync(path.join(os.homedir(), ".claude"));
+        const hasCodex = fs.existsSync(path.join(os.homedir(), ".codex"));
+        const hasGemini = fs.existsSync(path.join(os.homedir(), ".gemini"));
+        const hasCursor = fs.existsSync(path.join(os.homedir(), ".cursor"));
+        const hasWindsurf = fs.existsSync(path.join(os.homedir(), ".codeium", "windsurf"));
+        const hasContinueDev = fs.existsSync(path.join(os.homedir(), ".continue"));
+        const hasAider = fs.existsSync(path.join(os.homedir(), ".aider.conf.yml"));
+        // Resolve opt-in flags (--all enables all detected)
+        const wantOpenClaw = opts.withOpenclaw || opts.all;
+        const wantClaudeCode = opts.withClaudeCode || opts.all;
+        const wantCodex = opts.withCodex || opts.all;
+        const wantGemini = opts.withGemini || opts.all;
+        const wantCursor = opts.withCursor || opts.all;
+        const wantWindsurf = opts.withWindsurf || opts.all;
+        const wantContinue = opts.withContinue || opts.all;
+        const wantAider = opts.withAider || opts.all;
+        const wantGitleaks = opts.withGitleaks || opts.all;
+        // Show detected environments with opt-in hints
+        const detected = [];
+        if (hasOpenClaw)
+            detected.push("OpenClaw");
+        if (hasClaudeCode)
+            detected.push("Claude Code");
+        if (hasCodex)
+            detected.push("Codex CLI");
+        if (hasGemini)
+            detected.push("Gemini CLI");
+        if (hasCursor)
+            detected.push("Cursor");
+        if (hasWindsurf)
+            detected.push("Windsurf");
+        if (hasContinueDev)
+            detected.push("Continue.dev");
+        if (hasAider)
+            detected.push("Aider");
+        if (detected.length > 0) {
+            console.log(fmt.info(`Detected environments: ${detected.join(", ")}`));
         }
         else {
-            console.log(fmt.info("Claude Code not detected"));
+            console.log(fmt.info("No agent environments detected"));
         }
+        // Warn about requested but undetected environments
+        if (wantOpenClaw && !hasOpenClaw)
+            console.log(fmt.warning("OpenClaw requested but not detected (~/.openclaw not found)"));
+        if (wantClaudeCode && !hasClaudeCode)
+            console.log(fmt.warning("Claude Code requested but not detected (~/.claude not found)"));
+        if (wantCodex && !hasCodex)
+            console.log(fmt.warning("Codex CLI requested but not detected (~/.codex not found)"));
+        if (wantGemini && !hasGemini)
+            console.log(fmt.warning("Gemini CLI requested but not detected (~/.gemini not found)"));
+        if (wantCursor && !hasCursor)
+            console.log(fmt.warning("Cursor requested but not detected (~/.cursor not found)"));
+        if (wantWindsurf && !hasWindsurf)
+            console.log(fmt.warning("Windsurf requested but not detected (~/.codeium/windsurf not found)"));
+        if (wantContinue && !hasContinueDev)
+            console.log(fmt.warning("Continue.dev requested but not detected (~/.continue not found)"));
+        if (wantAider && !hasAider)
+            console.log(fmt.warning("Aider requested but not detected (~/.aider.conf.yml not found)"));
         // Initialize directory structure
         try {
             await manager.initialize();
@@ -135,8 +362,8 @@ export function createInitCommand() {
         }
         manager.set("agent.riskLevel", opts.riskLevel);
         console.log(fmt.success(`Set risk level: ${opts.riskLevel}`));
-        // Check / download Gitleaks binary (optional)
-        if (!opts.skipGitleaks) {
+        // Check / download Gitleaks binary (opt-in via --with-gitleaks or --all)
+        if (wantGitleaks) {
             const binaryManager = new BinaryManager();
             const platformInfo = binaryManager.getPlatformInfo();
             // Helper: show diagnostics for a failing binary (mirrors Python's agent init)
@@ -204,10 +431,12 @@ export function createInitCommand() {
                 }
             }
         }
-        // Install OpenClaw skill if applicable
-        if (hasOpenClaw && !opts.skipOpenclaw) {
+        // Install OpenClaw skill if opted in
+        let openclawOk = false;
+        if (hasOpenClaw && wantOpenClaw) {
             const skillManager = new SkillManager();
             const result = await skillManager.installRafterSkillVerbose();
+            openclawOk = result.ok;
             if (result.ok) {
                 console.log(fmt.success("Installed Rafter Security skill to ~/.openclaw/skills/rafter-security.md"));
                 manager.set("agent.environments.openclaw.enabled", true);
@@ -221,28 +450,139 @@ export function createInitCommand() {
                 }
             }
         }
-        // Install Claude Code skills + hooks if applicable
-        if (hasClaudeCode && !opts.skipClaudeCode) {
+        // Install Claude Code skills + hooks if opted in
+        let claudeCodeOk = false;
+        if (hasClaudeCode && wantClaudeCode) {
             try {
                 await installClaudeCodeSkills();
                 installClaudeCodeHooks();
                 manager.set("agent.environments.claudeCode.enabled", true);
+                claudeCodeOk = true;
             }
             catch (e) {
                 console.error(fmt.error(`Failed to install Claude Code integration: ${e}`));
             }
         }
+        // Install Codex CLI skills if opted in
+        let codexOk = false;
+        if (hasCodex && wantCodex) {
+            try {
+                installCodexSkills();
+                manager.set("agent.environments.codex.enabled", true);
+                codexOk = true;
+            }
+            catch (e) {
+                console.error(fmt.error(`Failed to install Codex CLI integration: ${e}`));
+            }
+        }
+        // Install Gemini CLI MCP if opted in
+        let geminiOk = false;
+        if (hasGemini && wantGemini) {
+            try {
+                geminiOk = installGeminiMcp();
+                if (geminiOk)
+                    manager.set("agent.environments.gemini.enabled", true);
+            }
+            catch (e) {
+                console.error(fmt.error(`Failed to install Gemini CLI integration: ${e}`));
+            }
+        }
+        // Install Cursor MCP if opted in
+        let cursorOk = false;
+        if (hasCursor && wantCursor) {
+            try {
+                cursorOk = installCursorMcp();
+                if (cursorOk)
+                    manager.set("agent.environments.cursor.enabled", true);
+            }
+            catch (e) {
+                console.error(fmt.error(`Failed to install Cursor integration: ${e}`));
+            }
+        }
+        // Install Windsurf MCP if opted in
+        let windsurfOk = false;
+        if (hasWindsurf && wantWindsurf) {
+            try {
+                windsurfOk = installWindsurfMcp();
+                if (windsurfOk)
+                    manager.set("agent.environments.windsurf.enabled", true);
+            }
+            catch (e) {
+                console.error(fmt.error(`Failed to install Windsurf integration: ${e}`));
+            }
+        }
+        // Install Continue.dev MCP if opted in
+        let continueOk = false;
+        if (hasContinueDev && wantContinue) {
+            try {
+                continueOk = installContinueDevMcp();
+                if (continueOk)
+                    manager.set("agent.environments.continueDev.enabled", true);
+            }
+            catch (e) {
+                console.error(fmt.error(`Failed to install Continue.dev integration: ${e}`));
+            }
+        }
+        // Install Aider MCP if opted in
+        let aiderOk = false;
+        if (hasAider && wantAider) {
+            try {
+                aiderOk = installAiderMcp();
+                if (aiderOk)
+                    manager.set("agent.environments.aider.enabled", true);
+            }
+            catch (e) {
+                console.error(fmt.error(`Failed to install Aider integration: ${e}`));
+            }
+        }
         console.log();
         console.log(fmt.success("Agent security initialized!"));
         console.log();
-        console.log("Next steps:");
-        if (hasOpenClaw && !opts.skipOpenclaw) {
-            console.log("  - Restart OpenClaw to load skill");
+        const anyIntegration = openclawOk || claudeCodeOk || codexOk || geminiOk || cursorOk || windsurfOk || continueOk || aiderOk;
+        if (anyIntegration) {
+            console.log("Next steps:");
+            if (openclawOk)
+                console.log("  - Restart OpenClaw to load skill");
+            if (claudeCodeOk)
+                console.log("  - Restart Claude Code to load skills");
+            if (codexOk)
+                console.log("  - Restart Codex CLI to load skills");
+            if (geminiOk)
+                console.log("  - Restart Gemini CLI to load MCP server");
+            if (cursorOk)
+                console.log("  - Restart Cursor to load MCP server");
+            if (windsurfOk)
+                console.log("  - Restart Windsurf to load MCP server");
+            if (continueOk)
+                console.log("  - Restart Continue.dev to load MCP server");
+            if (aiderOk)
+                console.log("  - Restart Aider to load MCP server");
         }
-        if (hasClaudeCode && !opts.skipClaudeCode) {
-            console.log("  - Restart Claude Code to load skills");
+        else if (detected.length > 0) {
+            console.log("No integrations were installed. To install, re-run with opt-in flags:");
+            console.log("  rafter agent init --all                  # Install all detected");
+            if (hasClaudeCode)
+                console.log("  rafter agent init --with-claude-code     # Claude Code only");
+            if (hasOpenClaw)
+                console.log("  rafter agent init --with-openclaw        # OpenClaw only");
+            if (hasCodex)
+                console.log("  rafter agent init --with-codex           # Codex CLI only");
+            if (hasGemini)
+                console.log("  rafter agent init --with-gemini          # Gemini CLI only");
+            if (hasCursor)
+                console.log("  rafter agent init --with-cursor          # Cursor only");
+            if (hasWindsurf)
+                console.log("  rafter agent init --with-windsurf        # Windsurf only");
+            if (hasContinueDev)
+                console.log("  rafter agent init --with-continue        # Continue.dev only");
+            if (hasAider)
+                console.log("  rafter agent init --with-aider           # Aider only");
         }
-        console.log("  - Run: rafter agent scan . (test secret scanning)");
+        else {
+            console.log("No agent environments detected. Install an agent tool and re-run with --with-<tool>.");
+        }
+        console.log();
+        console.log("  - Run: rafter scan local . (test secret scanning)");
         console.log("  - Configure: rafter agent config show");
         console.log();
     });