@rafter-security/cli 0.6.5 → 0.6.6

package/dist/commands/hook/pretool.js

@@ -29,32 +29,81 @@ function formatApprovalMessage(command, evaluation) {
 export function createHookPretoolCommand() {
     return new Command("pretool")
         .description("PreToolUse hook handler (reads stdin, writes JSON decision to stdout)")
-        .action(async () => {
+        .option("--format <format>", "Output format: claude (default, also Codex/Continue), cursor, gemini, windsurf", "claude")
+        .action(async (opts) => {
+        const format = (opts.format || "claude");
         try {
             const input = await readStdin();
-            let payload;
+            let raw;
             try {
-                payload = JSON.parse(input);
+                raw = JSON.parse(input);
             }
             catch {
                 // Can't parse → fail open
-                writeDecision({ decision: "allow" });
+                writeDecision({ decision: "allow" }, format);
                 return;
             }
             // Validate payload is an object with expected shape
-            if (!payload || typeof payload !== "object" || Array.isArray(payload)) {
-                writeDecision({ decision: "allow" });
+            if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+                writeDecision({ decision: "allow" }, format);
                 return;
             }
+            const payload = normalizeInput(raw, format);
             const decision = evaluateToolCall(payload);
-            writeDecision(decision);
+            writeDecision(decision, format);
         }
         catch {
             // Any unexpected error → fail open
-            writeDecision({ decision: "allow" });
+            writeDecision({ decision: "allow" }, format);
         }
     });
 }
+/**
+ * Normalize platform-specific stdin JSON into a common HookInput shape.
+ *
+ * Claude/Codex/Continue: { tool_name, tool_input: { command } }
+ * Cursor:                { hook_event_name, command, cwd }
+ * Gemini:                { tool_name, tool_input: { command } }  (same as Claude)
+ * Windsurf:              { agent_action_name, tool_info: { command_line, cwd } }
+ */
+function normalizeInput(raw, format) {
+    if (format === "cursor") {
+        // Cursor sends { command, cwd, hook_event_name, ... }
+        const command = raw.command || "";
+        const eventName = raw.hook_event_name || "";
+        // beforeShellExecution → Bash, beforeMCPExecution → tool name from payload
+        const toolName = eventName === "beforeShellExecution" ? "Bash"
+            : eventName === "beforeReadFile" ? "Read"
+                : eventName === "afterFileEdit" ? "Write"
+                    : raw.tool_name || "unknown";
+        return {
+            session_id: raw.conversation_id,
+            tool_name: toolName,
+            tool_input: eventName === "beforeShellExecution" ? { command } : (raw.tool_input || {}),
+        };
+    }
+    if (format === "windsurf") {
+        // Windsurf sends { agent_action_name, tool_info: { command_line, cwd } }
+        const toolInfo = raw.tool_info || {};
+        const actionName = raw.agent_action_name || "";
+        const toolName = actionName.includes("run_command") ? "Bash"
+            : actionName.includes("write_code") ? "Write"
+                : actionName.includes("read_code") ? "Read"
+                    : actionName.includes("mcp_tool_use") ? (toolInfo.mcp_tool_name || "unknown")
+                        : "unknown";
+        return {
+            session_id: raw.trajectory_id,
+            tool_name: toolName,
+            tool_input: toolName === "Bash" ? { command: toolInfo.command_line || "" } : toolInfo,
+        };
+    }
+    // Claude, Codex, Continue, Gemini — all use { tool_name, tool_input }
+    return {
+        session_id: raw.session_id,
+        tool_name: raw.tool_name || "",
+        tool_input: raw.tool_input || {},
+    };
+}
 function evaluateToolCall(payload) {
     const { tool_name, tool_input } = payload;
     if (tool_name === "Bash") {
@@ -154,6 +203,52 @@ function readStdin() {
         process.stdin.resume();
     });
 }
-function writeDecision(decision) {
-    process.stdout.write(JSON.stringify(decision) + "\n");
+function writeDecision(decision, format) {
+    const isDeny = decision.decision === "deny";
+    const reason = decision.reason ?? "";
+    switch (format) {
+        case "cursor": {
+            // Cursor: { permission: "allow"|"deny"|"ask", agentMessage?, userMessage? }
+            const output = {
+                permission: isDeny ? "deny" : "allow",
+            };
+            if (isDeny && reason) {
+                output.agentMessage = reason;
+                output.userMessage = reason;
+            }
+            process.stdout.write(JSON.stringify(output) + "\n");
+            break;
+        }
+        case "gemini": {
+            // Gemini: {} for allow, { decision: "deny", reason: "..." } for deny
+            if (isDeny) {
+                process.stdout.write(JSON.stringify({ decision: "deny", reason }) + "\n");
+            }
+            else {
+                process.stdout.write("{}\n");
+            }
+            break;
+        }
+        case "windsurf": {
+            // Windsurf: exit 0 for allow, exit 2 + stderr for deny
+            if (isDeny) {
+                process.stderr.write(reason + "\n");
+                process.exit(2);
+            }
+            // Allow: exit 0 (no output needed)
+            break;
+        }
+        default: {
+            // Claude Code / Codex / Continue.dev: hookSpecificOutput envelope
+            const output = {
+                hookSpecificOutput: {
+                    hookEventName: "PreToolUse",
+                    permissionDecision: isDeny ? "deny" : "allow",
+                    permissionDecisionReason: reason,
+                },
+            };
+            process.stdout.write(JSON.stringify(output) + "\n");
+            break;
+        }
+    }
 }

package/dist/commands/mcp/server.js

@@ -27,14 +27,14 @@ function textResult(data) {
 function errorResult(message) {
     return { content: [{ type: "text", text: JSON.stringify({ error: message }) }], isError: true };
 }
-function createServer() {
+export function createServer() {
     const server = new Server({ name: "rafter", version: CLI_VERSION }, { capabilities: { tools: {}, resources: {} } });
     // ── Tools ───────────────────────────────────────────────────────────
     server.setRequestHandler(ListToolsRequestSchema, async () => ({
         tools: [
             {
                 name: "scan_secrets",
-                description: "Scan files or directories for hardcoded secrets and credentials",
+                description: "Scan files or directories for leaked secrets, API keys, tokens, passwords, and credentials. Use before pushing code, when handling config files, or when asked 'is this safe to commit?' or 'check for leaked keys'.",
                 inputSchema: {
                     type: "object",
                     properties: {
@@ -50,7 +50,7 @@ function createServer() {
             },
             {
                 name: "evaluate_command",
-                description: "Evaluate whether a shell command is allowed by Rafter security policy",
+                description: "Check if a shell command is safe to run per security policy. Use when asked 'is this command safe?' or before running destructive or privileged operations.",
                 inputSchema: {
                     type: "object",
                     properties: {
@@ -61,7 +61,7 @@ function createServer() {
             },
             {
                 name: "read_audit_log",
-                description: "Read Rafter audit log entries with optional filtering",
+                description: "Read security event history — blocked commands, detected secrets, policy overrides. Use when asked 'what happened?' or 'show security events'.",
                 inputSchema: {
                     type: "object",
                     properties: {
@@ -76,7 +76,7 @@ function createServer() {
             },
             {
                 name: "get_config",
-                description: "Read Rafter configuration (full config or a specific key)",
+                description: "Read Rafter security policy and configuration. Use to understand what protections are active and what risk level is configured.",
                 inputSchema: {
                     type: "object",
                     properties: {

package/dist/commands/notify.js

@@ -0,0 +1,278 @@
+import { Command } from "commander";
+import axios from "axios";
+import { API, resolveKey, EXIT_GENERAL_ERROR, EXIT_SCAN_NOT_FOUND } from "../utils/api.js";
+import { validateWebhookUrl } from "../core/audit-logger.js";
+import { ConfigManager } from "../core/config-manager.js";
+import { fmt } from "../utils/formatter.js";
+function resolveWebhook(cliOpt) {
+    if (cliOpt)
+        return cliOpt;
+    if (process.env.RAFTER_NOTIFY_WEBHOOK)
+        return process.env.RAFTER_NOTIFY_WEBHOOK;
+    // Try config file
+    try {
+        const configManager = new ConfigManager();
+        const config = configManager.load();
+        if (config.agent?.notifications?.webhook) {
+            return config.agent.notifications.webhook;
+        }
+    }
+    catch {
+        // ignore
+    }
+    console.error("No webhook URL provided. Use --webhook or set RAFTER_NOTIFY_WEBHOOK");
+    process.exit(EXIT_GENERAL_ERROR);
+}
+function detectPlatform(url) {
+    if (url.includes("hooks.slack.com") || url.includes("slack.com/api"))
+        return "slack";
+    if (url.includes("discord.com/api/webhooks") || url.includes("discordapp.com/api/webhooks"))
+        return "discord";
+    return "generic";
+}
+function formatSlackPayload(scan) {
+    const status = scan.status ?? "unknown";
+    const repo = scan.repository_name ?? "unknown";
+    const scanId = scan.scan_id ?? "";
+    const findings = scan.findings ?? [];
+    const summary = scan.summary ?? {};
+    const critical = summary.critical ?? 0;
+    const high = summary.high ?? 0;
+    const medium = summary.medium ?? 0;
+    const low = summary.low ?? 0;
+    const total = critical + high + medium + low;
+    let statusIcon;
+    let statusText;
+    if (status === "completed" && total === 0) {
+        statusIcon = ":white_check_mark:";
+        statusText = "Clean — no issues found";
+    }
+    else if (status === "completed" && (critical > 0 || high > 0)) {
+        statusIcon = ":rotating_light:";
+        statusText = `${total} issue${total !== 1 ? "s" : ""} found`;
+    }
+    else if (status === "completed") {
+        statusIcon = ":warning:";
+        statusText = `${total} issue${total !== 1 ? "s" : ""} found`;
+    }
+    else if (status === "failed") {
+        statusIcon = ":x:";
+        statusText = "Scan failed";
+    }
+    else {
+        statusIcon = ":hourglass_flowing_sand:";
+        statusText = `Scan ${status}`;
+    }
+    const sectionFields = [
+        { type: "mrkdwn", text: `*Repository:*\n${repo}` },
+        { type: "mrkdwn", text: `*Status:*\n${statusText}` },
+    ];
+    if (scanId)
+        sectionFields.push({ type: "mrkdwn", text: `*Scan ID:*\n\`${scanId}\`` });
+    if (scan.branch_name)
+        sectionFields.push({ type: "mrkdwn", text: `*Branch:*\n\`${scan.branch_name}\`` });
+    const blocks = [
+        { type: "header", text: { type: "plain_text", text: `${statusIcon} Rafter Security Scan` } },
+        { type: "section", fields: sectionFields },
+    ];
+    if (total > 0) {
+        const parts = [];
+        if (critical)
+            parts.push(`:red_circle: Critical: *${critical}*`);
+        if (high)
+            parts.push(`:orange_circle: High: *${high}*`);
+        if (medium)
+            parts.push(`:large_yellow_circle: Medium: *${medium}*`);
+        if (low)
+            parts.push(`:white_circle: Low: *${low}*`);
+        blocks.push({ type: "section", text: { type: "mrkdwn", text: parts.join("\n") } });
+    }
+    if (findings.length > 0) {
+        const lines = findings.slice(0, 5).map((f) => {
+            const sev = (f.severity ?? "unknown").toUpperCase();
+            const title = f.title ?? f.rule_id ?? "Unknown";
+            const loc = f.location ?? f.file ?? "";
+            let line = `• \`[${sev}]\` ${title}`;
+            if (loc)
+                line += ` — ${loc}`;
+            return line;
+        });
+        if (findings.length > 5)
+            lines.push(`_... and ${findings.length - 5} more_`);
+        blocks.push({ type: "divider" });
+        blocks.push({ type: "section", text: { type: "mrkdwn", text: `*Top Findings:*\n${lines.join("\n")}` } });
+    }
+    blocks.push({
+        type: "context",
+        elements: [{ type: "mrkdwn", text: "Posted by *rafter-bot* | <https://rafter.so|rafter.so>" }],
+    });
+    return { text: `[rafter] ${repo}: ${statusText}`, blocks };
+}
+function formatDiscordPayload(scan) {
+    const status = scan.status ?? "unknown";
+    const repo = scan.repository_name ?? "unknown";
+    const scanId = scan.scan_id ?? "";
+    const findings = scan.findings ?? [];
+    const summary = scan.summary ?? {};
+    const critical = summary.critical ?? 0;
+    const high = summary.high ?? 0;
+    const medium = summary.medium ?? 0;
+    const low = summary.low ?? 0;
+    const total = critical + high + medium + low;
+    let color;
+    let statusText;
+    if (status === "completed" && total === 0) {
+        color = 0x2ecc71;
+        statusText = "Clean — no issues found";
+    }
+    else if (status === "completed" && (critical > 0 || high > 0)) {
+        color = 0xe74c3c;
+        statusText = `${total} issue${total !== 1 ? "s" : ""} found`;
+    }
+    else if (status === "completed") {
+        color = 0xf39c12;
+        statusText = `${total} issue${total !== 1 ? "s" : ""} found`;
+    }
+    else if (status === "failed") {
+        color = 0x95a5a6;
+        statusText = "Scan failed";
+    }
+    else {
+        color = 0x3498db;
+        statusText = `Scan ${status}`;
+    }
+    const fields = [
+        { name: "Repository", value: repo, inline: true },
+        { name: "Status", value: statusText, inline: true },
+    ];
+    if (scanId)
+        fields.push({ name: "Scan ID", value: `\`${scanId}\``, inline: true });
+    if (scan.branch_name)
+        fields.push({ name: "Branch", value: `\`${scan.branch_name}\``, inline: true });
+    if (total > 0) {
+        const parts = [];
+        if (critical)
+            parts.push(`\u{1f534} Critical: **${critical}**`);
+        if (high)
+            parts.push(`\u{1f7e0} High: **${high}**`);
+        if (medium)
+            parts.push(`\u{1f7e1} Medium: **${medium}**`);
+        if (low)
+            parts.push(`\u26aa Low: **${low}**`);
+        fields.push({ name: "Severity Breakdown", value: parts.join("\n"), inline: false });
+    }
+    if (findings.length > 0) {
+        const lines = findings.slice(0, 5).map((f) => {
+            const sev = (f.severity ?? "unknown").toUpperCase();
+            const title = f.title ?? f.rule_id ?? "Unknown";
+            const loc = f.location ?? f.file ?? "";
+            let line = `• \`[${sev}]\` ${title}`;
+            if (loc)
+                line += ` — ${loc}`;
+            return line;
+        });
+        if (findings.length > 5)
+            lines.push(`*... and ${findings.length - 5} more*`);
+        fields.push({ name: "Top Findings", value: lines.join("\n"), inline: false });
+    }
+    return {
+        content: `[rafter] ${repo}: ${statusText}`,
+        embeds: [{ title: "\u{1f6e1}\ufe0f Rafter Security Scan", color, fields, footer: { text: "rafter-bot | rafter.so" } }],
+    };
+}
+function formatGenericPayload(scan) {
+    const status = scan.status ?? "unknown";
+    const repo = scan.repository_name ?? "unknown";
+    const summary = scan.summary ?? {};
+    const total = (summary.critical ?? 0) + (summary.high ?? 0) + (summary.medium ?? 0) + (summary.low ?? 0);
+    let statusText;
+    if (status === "completed" && total === 0)
+        statusText = "Clean — no issues found";
+    else if (status === "completed")
+        statusText = `${total} issue${total !== 1 ? "s" : ""} found`;
+    else
+        statusText = `Scan ${status}`;
+    const msg = `[rafter] ${repo}: ${statusText}`;
+    return { text: msg, content: msg, ...scan };
+}
+export function createNotifyCommand() {
+    return new Command("notify")
+        .description("Post scan results to Slack or Discord channels via webhooks")
+        .argument("[scan_id]", "Scan ID to fetch and post results for")
+        .option("-w, --webhook <url>", "Webhook URL (Slack or Discord)")
+        .option("-k, --api-key <key>", "API key for fetching scan results")
+        .option("-p, --platform <platform>", "Force platform: slack, discord, or generic")
+        .option("--quiet", "Suppress status messages")
+        .option("--dry-run", "Print payload without posting")
+        .action(async (scanId, opts) => {
+        const webhookUrl = resolveWebhook(opts?.webhook);
+        let scanData;
+        if (scanId) {
+            const key = resolveKey(opts?.apiKey);
+            try {
+                const { data } = await axios.get(`${API}/static/scan`, {
+                    params: { scan_id: scanId, format: "json" },
+                    headers: { "x-api-key": key },
+                });
+                scanData = data;
+            }
+            catch (e) {
+                if (e.response?.status === 404) {
+                    console.error(`Scan '${scanId}' not found`);
+                    process.exit(EXIT_SCAN_NOT_FOUND);
+                }
+                console.error(`Error: ${e.response?.data ?? e.message}`);
+                process.exit(EXIT_GENERAL_ERROR);
+            }
+        }
+        else if (!process.stdin.isTTY) {
+            // Read from stdin
+            const chunks = [];
+            for await (const chunk of process.stdin) {
+                chunks.push(chunk);
+            }
+            const raw = Buffer.concat(chunks).toString("utf-8");
+            try {
+                scanData = JSON.parse(raw);
+            }
+            catch {
+                console.error("Error: stdin is not valid JSON");
+                process.exit(EXIT_GENERAL_ERROR);
+            }
+        }
+        else {
+            console.error("Error: provide a scan ID or pipe JSON scan data via stdin");
+            process.exit(EXIT_GENERAL_ERROR);
+        }
+        const detected = opts?.platform || detectPlatform(webhookUrl);
+        let payload;
+        if (detected === "slack")
+            payload = formatSlackPayload(scanData);
+        else if (detected === "discord")
+            payload = formatDiscordPayload(scanData);
+        else
+            payload = formatGenericPayload(scanData);
+        if (opts?.dryRun) {
+            console.log(JSON.stringify(payload, null, 2));
+            return;
+        }
+        if (!opts?.quiet) {
+            process.stderr.write(fmt.info(`Posting to ${detected} webhook...`) + "\n");
+        }
+        try {
+            await validateWebhookUrl(webhookUrl);
+            await fetch(webhookUrl, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify(payload),
+            });
+        }
+        catch (e) {
+            console.error(`Error posting to webhook: ${e.message}`);
+            process.exit(EXIT_GENERAL_ERROR);
+        }
+        if (!opts?.quiet) {
+            process.stderr.write(fmt.success(`Scan results posted to ${detected} channel`) + "\n");
+        }
+    });
+}