@rafter-security/cli 0.6.3 → 0.6.4

package/dist/commands/agent/audit.js

@@ -39,9 +39,10 @@ export function createAuditCommand() {
         }
         console.log(`\nShowing ${entries.length} audit log entries:\n`);
         for (const entry of entries) {
-            const timestamp = new Date(entry.timestamp).toLocaleString();
-            const indicator = getEventIndicator(entry.eventType);
-            console.log(`${indicator} [${timestamp}] ${entry.eventType}`);
+            const timestamp = entry.timestamp ? new Date(entry.timestamp).toLocaleString() : "unknown";
+            const eventType = entry.eventType ?? "unknown";
+            const indicator = getEventIndicator(eventType);
+            console.log(`${indicator} [${timestamp}] ${eventType}`);
             if (entry.agentType) {
                 console.log(`   Agent: ${entry.agentType}`);
             }
@@ -92,8 +93,8 @@ export function generateShareExcerpt() {
     }
     else {
         for (const entry of entries) {
-            const ts = entry.timestamp.replace("T", " ").replace(/\.\d+Z$/, "Z");
-            const eventPad = entry.eventType.padEnd(20);
+            const ts = (entry.timestamp ?? "").replace("T", " ").replace(/\.\d+Z$/, "Z");
+            const eventPad = (entry.eventType ?? "unknown").padEnd(20);
             const riskRaw = entry.action?.riskLevel ?? "low";
             const riskPad = riskRaw.toUpperCase().padEnd(8);
             const detail = formatShareDetail(entry);
@@ -136,7 +137,7 @@ export function getRiskLevel(config) {
 export function formatShareDetail(entry) {
     const action = entry.resolution?.actionTaken ?? "unknown";
     const suffix = `[${action}]`;
-    if (entry.eventType === "secret_detected") {
+    if ((entry.eventType ?? "unknown") === "secret_detected") {
         const reason = entry.securityCheck?.reason ?? "";
         return `${reason} ${suffix}`;
     }

package/dist/commands/agent/init.js

@@ -5,7 +5,9 @@ import { SkillManager } from "../../utils/skill-manager.js";
 import fs from "fs";
 import path from "path";
 import os from "os";
+import { execSync } from "child_process";
 import { fileURLToPath } from "url";
+import { createRequire } from "module";
 import { fmt } from "../../utils/formatter.js";
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
@@ -585,5 +587,23 @@ export function createInitCommand() {
         console.log("  - Run: rafter scan local . (test secret scanning)");
         console.log("  - Configure: rafter agent config show");
         console.log();
+        // Warn if a different rafter version shadows this one on PATH
+        try {
+            const _require = createRequire(import.meta.url);
+            const { version: thisVersion } = _require("../../../package.json");
+            const pathVersion = execSync("rafter --version", {
+                encoding: "utf-8",
+                timeout: 5000,
+                stdio: ["pipe", "pipe", "ignore"],
+            }).trim();
+            if (pathVersion && pathVersion !== thisVersion && !pathVersion.includes(thisVersion)) {
+                console.log(fmt.warning(`PATH version mismatch: 'rafter --version' reports ${pathVersion}, but this install is ${thisVersion}.`));
+                console.log(fmt.info("Another rafter binary may be shadowing this one. Check: which rafter"));
+                console.log();
+            }
+        }
+        catch {
+            // Ignore — rafter may not be on PATH yet
+        }
     });
 }

package/dist/commands/agent/status.js

@@ -34,13 +34,13 @@ export function createStatusCommand() {
         const localGitleaks = path.join(getBinDir(), "gitleaks");
         let gitleaksStatus = "not found — run: rafter agent init --with-gitleaks";
         try {
-            const ver = execSync("gitleaks version", { timeout: 5000, encoding: "utf-8" }).trim();
+            const ver = execSync("gitleaks version", { timeout: 5000, encoding: "utf-8", stdio: ["pipe", "pipe", "ignore"] }).trim();
             gitleaksStatus = `${ver} (PATH)`;
         }
         catch {
             if (fs.existsSync(localGitleaks)) {
                 try {
-                    const ver = execSync(`"${localGitleaks}" version`, { timeout: 5000, encoding: "utf-8" }).trim();
+                    const ver = execSync(`"${localGitleaks}" version`, { timeout: 5000, encoding: "utf-8", stdio: ["pipe", "pipe", "ignore"] }).trim();
                     gitleaksStatus = `${ver} (local)`;
                 }
                 catch {
@@ -164,7 +164,7 @@ export function createStatusCommand() {
                 for (const e of [...recent].reverse()) {
                     const ts = (e.timestamp ?? "").slice(0, 19).replace("T", " ");
                     const action = e.resolution?.actionTaken ?? "";
-                    console.log(`  ${ts}  ${e.eventType}  [${action}]`);
+                    console.log(`  ${ts}  ${e.eventType ?? "unknown"}  [${action}]`);
                 }
             }
         }

package/dist/commands/backend/run.js

@@ -2,7 +2,7 @@ import { Command } from "commander";
 import axios from "axios";
 import ora from "ora";
 import { detectRepo } from "../../utils/git.js";
-import { API, resolveKey, EXIT_GENERAL_ERROR, EXIT_QUOTA_EXHAUSTED, EXIT_INSUFFICIENT_SCOPE, handleScopeError } from "../../utils/api.js";
+import { API, resolveKey, EXIT_GENERAL_ERROR, EXIT_QUOTA_EXHAUSTED, handle403 } from "../../utils/api.js";
 import { handleScanStatus } from "./scan-status.js";
 /**
  * Shared handler for the remote backend scan (used by both `rafter run` and `rafter scan` / `rafter scan remote`).
@@ -34,8 +34,9 @@ export async function runRemoteScan(opts) {
         }
         catch (e) {
             spinner.fail("Request failed");
-            if (handleScopeError(e)) {
-                process.exit(EXIT_INSUFFICIENT_SCOPE);
+            const forbiddenCode = handle403(e);
+            if (forbiddenCode >= 0) {
+                process.exit(forbiddenCode);
             }
             else if (e.response?.status === 429) {
                 console.error("Quota exhausted");
@@ -62,8 +63,9 @@ export async function runRemoteScan(opts) {
             process.exit(exitCode);
         }
         catch (e) {
-            if (handleScopeError(e)) {
-                process.exit(EXIT_INSUFFICIENT_SCOPE);
+            const forbiddenCode = handle403(e);
+            if (forbiddenCode >= 0) {
+                process.exit(forbiddenCode);
             }
             else if (e.response?.status === 429) {
                 process.exit(EXIT_QUOTA_EXHAUSTED);

package/dist/core/audit-logger.js

@@ -260,7 +260,11 @@ export class AuditLogger {
         const lines = content.split("\n").filter(line => line.trim());
         let entries = lines.map(line => {
             try {
-                return JSON.parse(line);
+                const parsed = JSON.parse(line);
+                // Skip malformed entries missing required fields
+                if (!parsed || typeof parsed !== "object" || !parsed.timestamp)
+                    return null;
+                return parsed;
             }
             catch {
                 return null;

package/dist/scanners/gitleaks.js

@@ -152,17 +152,20 @@ export class GitleaksScanner {
      */
     getSeverity(ruleID, tags) {
         const lowerID = ruleID.toLowerCase();
-        // Critical: Private keys, passwords, database credentials
+        // Critical: Private keys, passwords, database credentials, access tokens
         if (lowerID.includes("private-key") ||
             lowerID.includes("password") ||
             lowerID.includes("database") ||
-            tags.includes("key") && tags.includes("secret")) {
+            lowerID.includes("access-token") ||
+            lowerID.includes("secret-key") ||
+            lowerID.endsWith("-pat") ||
+            (tags.includes("key") && tags.includes("secret"))) {
             return "critical";
         }
-        // High: API keys, access tokens
+        // High: API keys, generic tokens
         if (lowerID.includes("api-key") ||
-            lowerID.includes("access-token") ||
-            lowerID.includes("secret-key") ||
+            lowerID.includes("-token") ||
+            lowerID.startsWith("token-") ||
             tags.includes("api")) {
             return "high";
         }

package/dist/utils/api.js

@@ -6,13 +6,20 @@ export const EXIT_SCAN_NOT_FOUND = 2;
 export const EXIT_QUOTA_EXHAUSTED = 3;
 export const EXIT_INSUFFICIENT_SCOPE = 4;
 /**
- * Detect a 403 scope-enforcement error from the API and print a helpful message.
- * Returns true if the error was a scope error (caller should exit), false otherwise.
+ * Detect a 403 error from the API and print a helpful message.
+ * Returns the appropriate exit code, or -1 if not a 403.
  */
-export function handleScopeError(e) {
+export function handle403(e) {
     if (!e || e.response?.status !== 403)
-        return false;
+        return -1;
     const body = e.response?.data;
+    if (typeof body === "object" && body?.scan_mode) {
+        const mode = body.scan_mode;
+        const limit = body.limit ?? "?";
+        const used = body.used ?? limit;
+        console.error(`Error: ${mode.charAt(0).toUpperCase() + mode.slice(1)} scan limit reached (${used}/${limit} used this billing period).\nUpgrade your plan or wait for your quota to reset.`);
+        return EXIT_QUOTA_EXHAUSTED;
+    }
     const msg = typeof body === "string" ? body : body?.error ?? "";
     if (msg.includes("scope")) {
         console.error('Error: This API key only has read access.\nTo trigger scans, create a key with "Read & Scan" scope at https://rfrr.co/account');
@@ -20,7 +27,11 @@ export function handleScopeError(e) {
     else {
         console.error(`Error: Forbidden (403) — ${msg || "access denied"}`);
     }
-    return true;
+    return EXIT_INSUFFICIENT_SCOPE;
+}
+/** @deprecated Use handle403 instead */
+export function handleScopeError(e) {
+    return handle403(e) >= 0;
 }
 export function resolveKey(cliKey) {
     if (cliKey)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rafter-security/cli",
-  "version": "0.6.3",
+  "version": "0.6.4",
   "type": "module",
   "bin": {
     "rafter": "./dist/index.js"

package/resources/skills/rafter/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: rafter
 description: "Trigger Rafter backend security scans on GitHub repositories. Use when the user asks about SAST, code security analysis, vulnerability scanning, or wants to scan a repo for security issues before merging or deploying. Also use when starting new features or reviewing pull requests."
-version: 0.6.3
+version: 0.6.4
 allowed-tools: [Bash]
 ---
 

package/resources/skills/rafter-agent-security/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: rafter-agent-security
 description: "Local security tools for agents: scan files for secrets before commits, audit Claude Code skills before installation, view security audit logs. Use for: pre-commit secret scanning, skill security analysis, audit log review. Note: command blocking is handled automatically by the PreToolUse hook—you do not need to invoke /rafter-bash for normal commands."
-version: 0.6.3
+version: 0.6.4
 disable-model-invocation: true
 allowed-tools: [Bash, Read, Glob, Grep]
 ---