@rafter-security/cli 0.6.5 → 0.7.0

package/dist/commands/notify.js

@@ -0,0 +1,278 @@
+import { Command } from "commander";
+import axios from "axios";
+import { API, resolveKey, EXIT_GENERAL_ERROR, EXIT_SCAN_NOT_FOUND } from "../utils/api.js";
+import { validateWebhookUrl } from "../core/audit-logger.js";
+import { ConfigManager } from "../core/config-manager.js";
+import { fmt } from "../utils/formatter.js";
+function resolveWebhook(cliOpt) {
+    if (cliOpt)
+        return cliOpt;
+    if (process.env.RAFTER_NOTIFY_WEBHOOK)
+        return process.env.RAFTER_NOTIFY_WEBHOOK;
+    // Try config file
+    try {
+        const configManager = new ConfigManager();
+        const config = configManager.load();
+        if (config.agent?.notifications?.webhook) {
+            return config.agent.notifications.webhook;
+        }
+    }
+    catch {
+        // ignore
+    }
+    console.error("No webhook URL provided. Use --webhook or set RAFTER_NOTIFY_WEBHOOK");
+    process.exit(EXIT_GENERAL_ERROR);
+}
+function detectPlatform(url) {
+    if (url.includes("hooks.slack.com") || url.includes("slack.com/api"))
+        return "slack";
+    if (url.includes("discord.com/api/webhooks") || url.includes("discordapp.com/api/webhooks"))
+        return "discord";
+    return "generic";
+}
+function formatSlackPayload(scan) {
+    const status = scan.status ?? "unknown";
+    const repo = scan.repository_name ?? "unknown";
+    const scanId = scan.scan_id ?? "";
+    const findings = scan.findings ?? [];
+    const summary = scan.summary ?? {};
+    const critical = summary.critical ?? 0;
+    const high = summary.high ?? 0;
+    const medium = summary.medium ?? 0;
+    const low = summary.low ?? 0;
+    const total = critical + high + medium + low;
+    let statusIcon;
+    let statusText;
+    if (status === "completed" && total === 0) {
+        statusIcon = ":white_check_mark:";
+        statusText = "Clean — no issues found";
+    }
+    else if (status === "completed" && (critical > 0 || high > 0)) {
+        statusIcon = ":rotating_light:";
+        statusText = `${total} issue${total !== 1 ? "s" : ""} found`;
+    }
+    else if (status === "completed") {
+        statusIcon = ":warning:";
+        statusText = `${total} issue${total !== 1 ? "s" : ""} found`;
+    }
+    else if (status === "failed") {
+        statusIcon = ":x:";
+        statusText = "Scan failed";
+    }
+    else {
+        statusIcon = ":hourglass_flowing_sand:";
+        statusText = `Scan ${status}`;
+    }
+    const sectionFields = [
+        { type: "mrkdwn", text: `*Repository:*\n${repo}` },
+        { type: "mrkdwn", text: `*Status:*\n${statusText}` },
+    ];
+    if (scanId)
+        sectionFields.push({ type: "mrkdwn", text: `*Scan ID:*\n\`${scanId}\`` });
+    if (scan.branch_name)
+        sectionFields.push({ type: "mrkdwn", text: `*Branch:*\n\`${scan.branch_name}\`` });
+    const blocks = [
+        { type: "header", text: { type: "plain_text", text: `${statusIcon} Rafter Security Scan` } },
+        { type: "section", fields: sectionFields },
+    ];
+    if (total > 0) {
+        const parts = [];
+        if (critical)
+            parts.push(`:red_circle: Critical: *${critical}*`);
+        if (high)
+            parts.push(`:orange_circle: High: *${high}*`);
+        if (medium)
+            parts.push(`:large_yellow_circle: Medium: *${medium}*`);
+        if (low)
+            parts.push(`:white_circle: Low: *${low}*`);
+        blocks.push({ type: "section", text: { type: "mrkdwn", text: parts.join("\n") } });
+    }
+    if (findings.length > 0) {
+        const lines = findings.slice(0, 5).map((f) => {
+            const sev = (f.severity ?? "unknown").toUpperCase();
+            const title = f.title ?? f.rule_id ?? "Unknown";
+            const loc = f.location ?? f.file ?? "";
+            let line = `• \`[${sev}]\` ${title}`;
+            if (loc)
+                line += ` — ${loc}`;
+            return line;
+        });
+        if (findings.length > 5)
+            lines.push(`_... and ${findings.length - 5} more_`);
+        blocks.push({ type: "divider" });
+        blocks.push({ type: "section", text: { type: "mrkdwn", text: `*Top Findings:*\n${lines.join("\n")}` } });
+    }
+    blocks.push({
+        type: "context",
+        elements: [{ type: "mrkdwn", text: "Posted by *rafter-bot* | <https://rafter.so|rafter.so>" }],
+    });
+    return { text: `[rafter] ${repo}: ${statusText}`, blocks };
+}
+function formatDiscordPayload(scan) {
+    const status = scan.status ?? "unknown";
+    const repo = scan.repository_name ?? "unknown";
+    const scanId = scan.scan_id ?? "";
+    const findings = scan.findings ?? [];
+    const summary = scan.summary ?? {};
+    const critical = summary.critical ?? 0;
+    const high = summary.high ?? 0;
+    const medium = summary.medium ?? 0;
+    const low = summary.low ?? 0;
+    const total = critical + high + medium + low;
+    let color;
+    let statusText;
+    if (status === "completed" && total === 0) {
+        color = 0x2ecc71;
+        statusText = "Clean — no issues found";
+    }
+    else if (status === "completed" && (critical > 0 || high > 0)) {
+        color = 0xe74c3c;
+        statusText = `${total} issue${total !== 1 ? "s" : ""} found`;
+    }
+    else if (status === "completed") {
+        color = 0xf39c12;
+        statusText = `${total} issue${total !== 1 ? "s" : ""} found`;
+    }
+    else if (status === "failed") {
+        color = 0x95a5a6;
+        statusText = "Scan failed";
+    }
+    else {
+        color = 0x3498db;
+        statusText = `Scan ${status}`;
+    }
+    const fields = [
+        { name: "Repository", value: repo, inline: true },
+        { name: "Status", value: statusText, inline: true },
+    ];
+    if (scanId)
+        fields.push({ name: "Scan ID", value: `\`${scanId}\``, inline: true });
+    if (scan.branch_name)
+        fields.push({ name: "Branch", value: `\`${scan.branch_name}\``, inline: true });
+    if (total > 0) {
+        const parts = [];
+        if (critical)
+            parts.push(`\u{1f534} Critical: **${critical}**`);
+        if (high)
+            parts.push(`\u{1f7e0} High: **${high}**`);
+        if (medium)
+            parts.push(`\u{1f7e1} Medium: **${medium}**`);
+        if (low)
+            parts.push(`\u26aa Low: **${low}**`);
+        fields.push({ name: "Severity Breakdown", value: parts.join("\n"), inline: false });
+    }
+    if (findings.length > 0) {
+        const lines = findings.slice(0, 5).map((f) => {
+            const sev = (f.severity ?? "unknown").toUpperCase();
+            const title = f.title ?? f.rule_id ?? "Unknown";
+            const loc = f.location ?? f.file ?? "";
+            let line = `• \`[${sev}]\` ${title}`;
+            if (loc)
+                line += ` — ${loc}`;
+            return line;
+        });
+        if (findings.length > 5)
+            lines.push(`*... and ${findings.length - 5} more*`);
+        fields.push({ name: "Top Findings", value: lines.join("\n"), inline: false });
+    }
+    return {
+        content: `[rafter] ${repo}: ${statusText}`,
+        embeds: [{ title: "\u{1f6e1}\ufe0f Rafter Security Scan", color, fields, footer: { text: "rafter-bot | rafter.so" } }],
+    };
+}
+function formatGenericPayload(scan) {
+    const status = scan.status ?? "unknown";
+    const repo = scan.repository_name ?? "unknown";
+    const summary = scan.summary ?? {};
+    const total = (summary.critical ?? 0) + (summary.high ?? 0) + (summary.medium ?? 0) + (summary.low ?? 0);
+    let statusText;
+    if (status === "completed" && total === 0)
+        statusText = "Clean — no issues found";
+    else if (status === "completed")
+        statusText = `${total} issue${total !== 1 ? "s" : ""} found`;
+    else
+        statusText = `Scan ${status}`;
+    const msg = `[rafter] ${repo}: ${statusText}`;
+    return { text: msg, content: msg, ...scan };
+}
+export function createNotifyCommand() {
+    return new Command("notify")
+        .description("Post scan results to Slack or Discord channels via webhooks")
+        .argument("[scan_id]", "Scan ID to fetch and post results for")
+        .option("-w, --webhook <url>", "Webhook URL (Slack or Discord)")
+        .option("-k, --api-key <key>", "API key for fetching scan results")
+        .option("-p, --platform <platform>", "Force platform: slack, discord, or generic")
+        .option("--quiet", "Suppress status messages")
+        .option("--dry-run", "Print payload without posting")
+        .action(async (scanId, opts) => {
+        const webhookUrl = resolveWebhook(opts?.webhook);
+        let scanData;
+        if (scanId) {
+            const key = resolveKey(opts?.apiKey);
+            try {
+                const { data } = await axios.get(`${API}/static/scan`, {
+                    params: { scan_id: scanId, format: "json" },
+                    headers: { "x-api-key": key },
+                });
+                scanData = data;
+            }
+            catch (e) {
+                if (e.response?.status === 404) {
+                    console.error(`Scan '${scanId}' not found`);
+                    process.exit(EXIT_SCAN_NOT_FOUND);
+                }
+                console.error(`Error: ${e.response?.data ?? e.message}`);
+                process.exit(EXIT_GENERAL_ERROR);
+            }
+        }
+        else if (!process.stdin.isTTY) {
+            // Read from stdin
+            const chunks = [];
+            for await (const chunk of process.stdin) {
+                chunks.push(chunk);
+            }
+            const raw = Buffer.concat(chunks).toString("utf-8");
+            try {
+                scanData = JSON.parse(raw);
+            }
+            catch {
+                console.error("Error: stdin is not valid JSON");
+                process.exit(EXIT_GENERAL_ERROR);
+            }
+        }
+        else {
+            console.error("Error: provide a scan ID or pipe JSON scan data via stdin");
+            process.exit(EXIT_GENERAL_ERROR);
+        }
+        const detected = opts?.platform || detectPlatform(webhookUrl);
+        let payload;
+        if (detected === "slack")
+            payload = formatSlackPayload(scanData);
+        else if (detected === "discord")
+            payload = formatDiscordPayload(scanData);
+        else
+            payload = formatGenericPayload(scanData);
+        if (opts?.dryRun) {
+            console.log(JSON.stringify(payload, null, 2));
+            return;
+        }
+        if (!opts?.quiet) {
+            process.stderr.write(fmt.info(`Posting to ${detected} webhook...`) + "\n");
+        }
+        try {
+            await validateWebhookUrl(webhookUrl);
+            await fetch(webhookUrl, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify(payload),
+            });
+        }
+        catch (e) {
+            console.error(`Error posting to webhook: ${e.message}`);
+            process.exit(EXIT_GENERAL_ERROR);
+        }
+        if (!opts?.quiet) {
+            process.stderr.write(fmt.success(`Scan results posted to ${detected} channel`) + "\n");
+        }
+    });
+}

package/dist/commands/report.js

@@ -0,0 +1,274 @@
+import { Command } from "commander";
+import fs from "fs";
+import path from "path";
+import { createRequire } from "module";
+const _require = createRequire(import.meta.url);
+const { version: CLI_VERSION } = _require("../../package.json");
+export function createReportCommand() {
+    return new Command("report")
+        .description("Generate a standalone HTML security report from scan results")
+        .argument("[input]", "Path to JSON scan results (default: read from stdin)")
+        .option("-o, --output <path>", "Output file path (default: stdout)")
+        .option("--title <title>", "Report title", "Rafter Security Report")
+        .action(async (input, opts) => {
+        let jsonData;
+        if (input) {
+            const resolved = path.resolve(input);
+            if (!fs.existsSync(resolved)) {
+                console.error(`Error: File not found: ${resolved}`);
+                process.exit(2);
+            }
+            jsonData = fs.readFileSync(resolved, "utf-8");
+        }
+        else if (!process.stdin.isTTY) {
+            jsonData = await readStdin();
+        }
+        else {
+            console.error("Error: No input provided. Pipe scan results or provide a file path.\n" +
+                "  Example: rafter scan local --json . | rafter report -o report.html\n" +
+                "  Example: rafter report scan-results.json -o report.html");
+            process.exit(2);
+            return;
+        }
+        let results;
+        try {
+            results = JSON.parse(jsonData);
+            if (!Array.isArray(results)) {
+                throw new Error("Expected a JSON array of scan results");
+            }
+        }
+        catch (e) {
+            console.error(`Error: Invalid JSON input — ${e.message}`);
+            process.exit(2);
+            return;
+        }
+        const html = generateHtmlReport(results, opts.title || "Rafter Security Report");
+        if (opts.output) {
+            const outPath = path.resolve(opts.output);
+            fs.writeFileSync(outPath, html, "utf-8");
+            console.error(`Report written to ${outPath}`);
+        }
+        else {
+            process.stdout.write(html);
+        }
+    });
+}
+function readStdin() {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        process.stdin.on("data", (chunk) => chunks.push(chunk));
+        process.stdin.on("end", () => resolve(Buffer.concat(chunks).toString("utf-8")));
+        process.stdin.on("error", reject);
+    });
+}
+function generateHtmlReport(results, title) {
+    const now = new Date().toISOString();
+    const totalFindings = results.reduce((sum, r) => sum + r.matches.length, 0);
+    const filesAffected = results.length;
+    const severityCounts = { critical: 0, high: 0, medium: 0, low: 0 };
+    const patternCounts = {};
+    for (const r of results) {
+        for (const m of r.matches) {
+            const sev = m.pattern.severity.toLowerCase();
+            if (sev in severityCounts)
+                severityCounts[sev]++;
+            const name = m.pattern.name;
+            patternCounts[name] = (patternCounts[name] || 0) + 1;
+        }
+    }
+    const riskLevel = severityCounts.critical > 0
+        ? "Critical"
+        : severityCounts.high > 0
+            ? "High"
+            : severityCounts.medium > 0
+                ? "Medium"
+                : totalFindings > 0
+                    ? "Low"
+                    : "None";
+    const riskColor = {
+        Critical: "hsl(0 40% 55%)",
+        High: "hsl(25 35% 55%)",
+        Medium: "hsl(0 0% 64%)",
+        Low: "hsl(0 0% 50%)",
+        None: "hsl(0 0% 50%)",
+    }[riskLevel];
+    const topPatterns = Object.entries(patternCounts)
+        .sort((a, b) => b[1] - a[1])
+        .slice(0, 10);
+    const findingsRows = results
+        .flatMap((r) => r.matches.map((m) => ({
+        file: escapeHtml(r.file),
+        line: m.line ?? "—",
+        severity: m.pattern.severity,
+        pattern: escapeHtml(m.pattern.name),
+        description: escapeHtml(m.pattern.description || ""),
+        redacted: escapeHtml(m.redacted || ""),
+    })))
+        .sort((a, b) => severityRank(a.severity) - severityRank(b.severity));
+    return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>${escapeHtml(title)}</title>
+<style>
+  *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+  body { font-family: "SFMono-Regular", Consolas, "Liberation Mono", Menlo, monospace; line-height: 1.6; color: hsl(0 0% 98%); background: hsl(0 0% 3.9%); }
+  .container { max-width: 1100px; margin: 0 auto; padding: 2rem 1.5rem; }
+  header { background: hsl(0 0% 7%); color: hsl(0 0% 98%); padding: 2rem 0; margin-bottom: 2rem; border-bottom: 1px solid hsl(0 0% 14.9%); }
+  header .container { display: flex; justify-content: space-between; align-items: center; flex-wrap: wrap; gap: 1rem; }
+  header h1 { font-size: 1.5rem; font-weight: 700; }
+  header .meta { font-size: 0.85rem; opacity: 0.6; text-align: right; }
+  .card { background: hsl(0 0% 7%); border-radius: 8px; border: 1px solid hsl(0 0% 14.9%); padding: 1.5rem; margin-bottom: 1.5rem; }
+  .card h2 { font-size: 1.1rem; font-weight: 600; margin-bottom: 1rem; color: hsl(0 0% 98%); }
+  .summary-grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(180px, 1fr)); gap: 1rem; }
+  .stat { text-align: center; padding: 1rem; border-radius: 6px; background: hsl(0 0% 10%); border: 1px solid hsl(0 0% 14.9%); }
+  .stat .value { font-size: 2rem; font-weight: 700; color: hsl(0 0% 98%); }
+  .stat .label { font-size: 0.8rem; text-transform: uppercase; letter-spacing: 0.05em; color: hsl(0 0% 50%); margin-top: 0.25rem; }
+  .risk-badge { display: inline-block; padding: 0.25rem 0.75rem; border-radius: 4px; font-weight: 600; font-size: 0.85rem; }
+  .sev-critical { background: hsl(0 30% 20%); color: hsl(0 40% 75%); border: 1px solid hsl(0 30% 30%); }
+  .sev-high { background: hsl(25 25% 18%); color: hsl(25 35% 70%); border: 1px solid hsl(25 25% 28%); }
+  .sev-medium { background: hsl(0 0% 18%); color: hsl(0 0% 70%); border: 1px solid hsl(0 0% 25%); }
+  .sev-low { background: hsl(0 0% 14%); color: hsl(0 0% 55%); border: 1px solid hsl(0 0% 22%); }
+  .bar-chart { margin-top: 0.5rem; }
+  .bar-row { display: flex; align-items: center; margin-bottom: 0.4rem; }
+  .bar-label { width: 180px; font-size: 0.85rem; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; color: hsl(0 0% 70%); }
+  .bar-track { flex: 1; height: 20px; background: hsl(0 0% 14.9%); border-radius: 3px; overflow: hidden; }
+  .bar-fill { height: 100%; border-radius: 3px; min-width: 2px; background: hsl(0 0% 98%); opacity: 0.6; }
+  .bar-count { width: 40px; text-align: right; font-size: 0.85rem; font-weight: 600; color: hsl(0 0% 64%); margin-left: 0.5rem; }
+  table { width: 100%; border-collapse: collapse; font-size: 0.85rem; }
+  th { text-align: left; padding: 0.6rem 0.75rem; background: hsl(0 0% 10%); border-bottom: 2px solid hsl(0 0% 14.9%); font-weight: 600; color: hsl(0 0% 64%); white-space: nowrap; text-transform: uppercase; letter-spacing: 0.05em; font-size: 0.75rem; }
+  td { padding: 0.6rem 0.75rem; border-bottom: 1px solid hsl(0 0% 14.9%); vertical-align: top; }
+  tr:hover td { background: hsl(0 0% 10%); }
+  .sev-pill { display: inline-block; padding: 0.15rem 0.5rem; border-radius: 3px; font-weight: 600; font-size: 0.75rem; text-transform: uppercase; }
+  .file-path { font-size: 0.8rem; word-break: break-all; }
+  .redacted { font-size: 0.8rem; color: hsl(0 0% 40%); }
+  .description { color: hsl(0 0% 50%); }
+  footer { text-align: center; padding: 2rem 0; font-size: 0.8rem; color: hsl(0 0% 35%); border-top: 1px solid hsl(0 0% 14.9%); }
+  .no-findings { text-align: center; padding: 3rem; color: hsl(0 0% 64%); }
+  .no-findings .icon { font-size: 3rem; margin-bottom: 0.5rem; }
+  @media (max-width: 768px) {
+    .summary-grid { grid-template-columns: repeat(2, 1fr); }
+    .bar-label { width: 120px; }
+    table { display: block; overflow-x: auto; }
+  }
+  @media print {
+    body { background: hsl(0 0% 3.9%); color: hsl(0 0% 98%); }
+    .card { break-inside: avoid; }
+    header { -webkit-print-color-adjust: exact; print-color-adjust: exact; }
+  }
+</style>
+</head>
+<body>
+<header>
+  <div class="container">
+    <h1>${escapeHtml(title)}</h1>
+    <div class="meta">
+      Generated: ${escapeHtml(formatDate(now))}<br>
+      Rafter CLI v${escapeHtml(CLI_VERSION)}
+    </div>
+  </div>
+</header>
+<main class="container">
+  <div class="card">
+    <h2>Executive Summary</h2>
+    <div class="summary-grid">
+      <div class="stat">
+        <div class="value">${totalFindings}</div>
+        <div class="label">Total Findings</div>
+      </div>
+      <div class="stat">
+        <div class="value">${filesAffected}</div>
+        <div class="label">Files Affected</div>
+      </div>
+      <div class="stat">
+        <div class="value"><span class="risk-badge" style="background:${riskColor};color:hsl(0 0% 98%)">${riskLevel}</span></div>
+        <div class="label">Overall Risk</div>
+      </div>
+    </div>
+  </div>
+
+  <div class="card">
+    <h2>Severity Breakdown</h2>
+    <div class="summary-grid">
+      <div class="stat"><div class="value" style="color:hsl(0 40% 70%)">${severityCounts.critical}</div><div class="label">Critical</div></div>
+      <div class="stat"><div class="value" style="color:hsl(25 30% 65%)">${severityCounts.high}</div><div class="label">High</div></div>
+      <div class="stat"><div class="value">${severityCounts.medium}</div><div class="label">Medium</div></div>
+      <div class="stat"><div class="value" style="color:hsl(0 0% 50%)">${severityCounts.low}</div><div class="label">Low</div></div>
+    </div>
+  </div>
+
+${topPatterns.length > 0 ? `  <div class="card">
+    <h2>Top Finding Types</h2>
+    <div class="bar-chart">
+${topPatterns.map(([name, count]) => {
+        const pct = Math.round((count / totalFindings) * 100);
+        return `      <div class="bar-row">
+        <div class="bar-label" title="${escapeHtml(name)}">${escapeHtml(name)}</div>
+        <div class="bar-track"><div class="bar-fill" style="width:${pct}%"></div></div>
+        <div class="bar-count">${count}</div>
+      </div>`;
+    }).join("\n")}
+    </div>
+  </div>
+` : ""}
+${totalFindings > 0 ? `  <div class="card">
+    <h2>Detailed Findings</h2>
+    <table>
+      <thead>
+        <tr>
+          <th>Severity</th>
+          <th>Pattern</th>
+          <th>File</th>
+          <th>Line</th>
+          <th>Redacted</th>
+        </tr>
+      </thead>
+      <tbody>
+${findingsRows.map((f) => `        <tr>
+          <td><span class="sev-pill sev-${f.severity}">${f.severity}</span></td>
+          <td>${f.pattern}${f.description ? `<br><small class="description">${f.description}</small>` : ""}</td>
+          <td class="file-path">${f.file}</td>
+          <td>${f.line}</td>
+          <td class="redacted">${f.redacted}</td>
+        </tr>`).join("\n")}
+      </tbody>
+    </table>
+  </div>
+` : `  <div class="card no-findings">
+    <div class="icon">&#x2705;</div>
+    <h2>No Security Findings</h2>
+    <p>No secrets or vulnerabilities were detected in the scanned files.</p>
+  </div>
+`}
+</main>
+<footer>
+  Generated by Rafter CLI v${escapeHtml(CLI_VERSION)} &mdash; ${escapeHtml(formatDate(now))}
+</footer>
+</body>
+</html>
+`;
+}
+function escapeHtml(text) {
+    return text
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#39;");
+}
+function severityRank(severity) {
+    const ranks = { critical: 0, high: 1, medium: 2, low: 3 };
+    return ranks[severity.toLowerCase()] ?? 4;
+}
+function formatDate(iso) {
+    const d = new Date(iso);
+    return d.toLocaleDateString("en-US", {
+        year: "numeric",
+        month: "long",
+        day: "numeric",
+        hour: "2-digit",
+        minute: "2-digit",
+        timeZoneName: "short",
+    });
+}

package/dist/commands/scan/index.js

@@ -1,8 +1,8 @@
 /**
  * rafter scan — top-level scan command group.
  *
- * Default (no subcommand): remote backend scan (same as `rafter run`)
- * rafter scan remote:       explicit alias for remote backend scan
+ * Default (no subcommand): remote scan (same as `rafter run`)
+ * rafter scan remote:       explicit alias for remote scan
  * rafter scan local [path]: local secret scanner (was `rafter agent scan`)
  */
 import { Command } from "commander";
@@ -21,25 +21,27 @@ export function createScanGroupCommand() {
         .option("-k, --api-key <key>", "API key or RAFTER_API_KEY env var")
         .option("-f, --format <format>", "json | md", "md")
         .option("-m, --mode <mode>", "scan mode: fast | plus", "fast")
+        .option("--github-token <token>", "GitHub PAT for private repos (or RAFTER_GITHUB_TOKEN env var)")
         .option("--skip-interactive", "do not wait for scan to complete")
         .option("--quiet", "suppress status messages")
         .action(async (opts) => {
         await runRemoteScan(opts);
     });
-    // Root scan group — default action is remote backend scan
+    // Root scan group — default action is remote scan
     const scanGroup = new Command("scan")
-        .description("Scan for security issues. Default: remote backend scan. Use 'scan local' for local secret scanning.")
+        .description("Scan for security issues. Default: remote scan. Use 'scan local' for local secret scanning.")
         .enablePositionalOptions()
         .option("-r, --repo <repo>", "org/repo (default: current)")
         .option("-b, --branch <branch>", "branch (default: current else main)")
         .option("-k, --api-key <key>", "API key or RAFTER_API_KEY env var")
         .option("-f, --format <format>", "json | md", "md")
         .option("-m, --mode <mode>", "scan mode: fast | plus", "fast")
+        .option("--github-token <token>", "GitHub PAT for private repos (or RAFTER_GITHUB_TOKEN env var)")
         .option("--skip-interactive", "do not wait for scan to complete")
         .option("--quiet", "suppress status messages");
     scanGroup.addCommand(localCmd);
     scanGroup.addCommand(remoteCmd);
-    // When invoked with no subcommand, run remote backend scan
+    // When invoked with no subcommand, run remote scan
     scanGroup.action(async (opts) => {
         await runRemoteScan(opts);
     });

package/dist/core/risk-rules.js

@@ -2,8 +2,15 @@
  * Centralized risk assessment rules.
  * Single source of truth — imported by command-interceptor, audit-logger, and config-defaults.
  */
+/** Directories where `rm -rf /<dir>` is catastrophic (data loss / unbootable). */
+const CRITICAL_DIRS = "home|etc|usr|boot|root|sys|proc|lib|lib64|bin|sbin|opt";
 export const CRITICAL_PATTERNS = [
-    /rm\s+-rf\s+\//,
+    // rm -rf / (root only, any flag order)
+    new RegExp(`rm\\s+(-[a-z]*r[a-z]*\\s+)*-[a-z]*f[a-z]*\\s+/(\\s|$)`),
+    new RegExp(`rm\\s+(-[a-z]*f[a-z]*\\s+)*-[a-z]*r[a-z]*\\s+/(\\s|$)`),
+    // rm -rf on critical top-level directories
+    new RegExp(`rm\\s+(-[a-z]*r[a-z]*\\s+)*-[a-z]*f[a-z]*\\s+/(${CRITICAL_DIRS})(/|\\s|$)`),
+    new RegExp(`rm\\s+(-[a-z]*f[a-z]*\\s+)*-[a-z]*r[a-z]*\\s+/(${CRITICAL_DIRS})(/|\\s|$)`),
     /:\(\)\{\s*:\|:&\s*\};:/, // fork bomb
     /dd\s+if=.*of=\/dev\/sd/,
     />\s*\/dev\/sd/,
@@ -12,7 +19,8 @@ export const CRITICAL_PATTERNS = [
     /parted/,
 ];
 export const HIGH_PATTERNS = [
-    /rm\s+-rf/,
+    /rm\s+(-[a-z]*r[a-z]*\s+)*-[a-z]*f[a-z]*/, // rm -rf, -fr, -r -f, -f -r (any path)
+    /rm\s+(-[a-z]*f[a-z]*\s+)*-[a-z]*r[a-z]*/, // rm -fr, reversed
     /sudo\s+rm/,
     /chmod\s+777/,
     /curl.*\|\s*(bash|sh|zsh|dash)\b/,
@@ -53,11 +61,18 @@ export const DEFAULT_REQUIRE_APPROVAL = [
     "git push --force-if-includes",
     "git push .* \\+",
 ];
+/** Read-only commands whose arguments should not trigger risk patterns. */
+const SAFE_PREFIX = /^(grep|egrep|fgrep|rg|ag|ack|echo|printf)\s/;
+/** Shell operators that chain independent commands. */
+const CHAIN_OPERATORS = /[;|&]|&&|\|\|/;
 /**
  * Assess risk level of a command string.
  */
 export function assessCommandRisk(command) {
-    const cmd = command.toLowerCase();
+    const cmd = command.toLowerCase().trim();
+    // Safe prefix only applies to simple (non-chained) commands
+    if (SAFE_PREFIX.test(cmd) && !CHAIN_OPERATORS.test(cmd))
+        return "low";
     for (const pattern of CRITICAL_PATTERNS) {
         if (pattern.test(cmd))
             return "critical";