@rafter-security/cli 0.6.6 → 0.7.0

package/README.md

@@ -23,7 +23,7 @@ yarn global add @rafter-security/cli
 
 ### Getting an API Key
 
-To use backend code analysis features, you'll need a Rafter API key:
+To use remote code analysis features, you'll need a Rafter API key:
 
 1. **Sign up**: Create an account at [rafter.so](https://rafter.so)
 2. **Get API key**: Navigate to Dashboard → Settings → API Keys
@@ -36,9 +36,9 @@ To use backend code analysis features, you'll need a Rafter API key:
    echo "RAFTER_API_KEY=your-api-key-here" >> .env
    ```
 
-**Note**: Agent security features (secret scanning, command execution) work **without an API key**. Only backend code analysis requires authentication.
+**Note**: Agent security features (secret scanning, command execution) work **without an API key**. Only remote code analysis requires authentication.
 
-### Backend Code Analysis
+### Remote Code Analysis
 
 ```bash
 # Set your API key (from above)
@@ -500,7 +500,7 @@ Generate CI/CD pipeline configuration for secret scanning.
 **Options:**
 - `--platform <platform>` - CI platform: `github`, `gitlab`, `circleci` (default: auto-detect)
 - `--output <path>` - Output file path (default: platform-specific)
-- `--with-backend` - Include backend security audit job (requires `RAFTER_API_KEY`)
+- `--with-remote` - Include remote security audit job (requires `RAFTER_API_KEY`)
 
 **Auto-detection:** Checks for `.github/`, `.gitlab-ci.yml`, `.circleci/` in the current directory.
 
@@ -512,8 +512,8 @@ rafter ci init
 # Generate GitHub Actions workflow
 rafter ci init --platform github
 
-# Include backend scanning job
-rafter ci init --with-backend
+# Include remote scanning job
+rafter ci init --with-remote
 
 # Custom output path
 rafter ci init --output .github/workflows/security.yml
@@ -624,7 +624,7 @@ When OpenClaw is detected, `rafter agent init` automatically installs a skill to
 
 Rafter provides TWO skills for Claude Code:
 
-### 1. Backend Code Analysis Skill (Core Feature)
+### 1. Remote Code Analysis Skill (Core Feature)
 
 **Automatic Integration** - Claude can proactively suggest security scans
 
@@ -680,10 +680,10 @@ Explicitly invoke commands:
 
 ### Why Two Skills?
 
-- **Backend code analysis skill** - Safe for Claude to auto-invoke (read-only API calls)
+- **Remote code analysis skill** - Safe for Claude to auto-invoke (read-only API calls)
 - **Agent security skill** - Requires user permission (local file access, command execution)
 
-This separation emphasizes Rafter's core backend code analysis capabilities while keeping local security features safely behind user control.
+This separation emphasizes Rafter's core remote code analysis capabilities while keeping local security features safely behind user control.
 
 ## Documentation
 

package/dist/commands/agent/audit-skill.js

@@ -4,6 +4,7 @@ import path from "path";
 import { PatternEngine } from "../../core/pattern-engine.js";
 import { DEFAULT_SECRET_PATTERNS } from "../../scanners/secret-patterns.js";
 import { SkillManager } from "../../utils/skill-manager.js";
+import { fmt } from "../../utils/formatter.js";
 export function createAuditSkillCommand() {
     return new Command("audit-skill")
         .description("Security audit of a Claude Code skill file")
@@ -17,7 +18,7 @@ export function createAuditSkillCommand() {
 async function auditSkill(skillPath, opts) {
     // Validate skill file exists
     if (!fs.existsSync(skillPath)) {
-        console.error(`Error: Skill file not found: ${skillPath}`);
+        console.error(fmt.error(`Skill file not found: ${skillPath}`));
         process.exit(2);
     }
     const absolutePath = path.resolve(skillPath);
@@ -25,8 +26,8 @@ async function auditSkill(skillPath, opts) {
     const skillName = path.basename(absolutePath);
     // Run deterministic analysis
     if (!opts.json) {
-        console.log(`\n🔍 Auditing skill: ${skillName}\n`);
-        console.log("═".repeat(60));
+        console.log(fmt.header(`Auditing skill: ${skillName}`));
+        console.log(fmt.divider());
         console.log("Running quick security scan...\n");
     }
     const quickScan = await runQuickScan(skillContent);
@@ -56,11 +57,11 @@ async function auditSkill(skillPath, opts) {
     // Check if we can use OpenClaw
     if (openClawAvailable && !opts.skipOpenclaw) {
         if (!rafterSkillInstalled) {
-            console.log("\n⚠️  Rafter Security skill not installed in OpenClaw.");
+            console.log(`\n${fmt.warning("Rafter Security skill not installed in OpenClaw.")}`);
             console.log("   Run: rafter agent init\n");
         }
         else {
-            console.log("\n🤖 For comprehensive security review:\n");
+            console.log(`\n${fmt.info("For comprehensive security review:")}\n`);
             console.log("   1. Open OpenClaw");
             console.log(`   2. Run: /rafter-audit-skill ${absolutePath}`);
             console.log("\n   The auditor will analyze:");
@@ -80,12 +81,12 @@ async function auditSkill(skillPath, opts) {
     }
     else {
         // OpenClaw not available or skipped - show manual review prompt
-        console.log("\n📋 Manual Security Review Prompt\n");
-        console.log("═".repeat(60));
+        console.log(fmt.header("Manual Security Review Prompt"));
+        console.log(fmt.divider());
         console.log("\nCopy the following to your AI assistant for review:\n");
-        console.log("─".repeat(60));
+        console.log(fmt.divider());
         console.log(generateManualReviewPrompt(skillName, absolutePath, quickScan, skillContent));
-        console.log("─".repeat(60));
+        console.log(fmt.divider());
     }
     console.log();
     if (quickScan.secrets > 0 || quickScan.highRiskCommands.length > 0) {
@@ -134,25 +135,25 @@ async function runQuickScan(content) {
     };
 }
 function displayQuickScan(scan, skillName) {
-    console.log("📊 Quick Scan Results");
-    console.log("═".repeat(60));
+    console.log(fmt.header("Quick Scan Results"));
+    console.log(fmt.divider());
     // Secrets
     if (scan.secrets === 0) {
-        console.log("✓ Secrets: None detected");
+        console.log(fmt.success("Secrets: None detected"));
     }
     else {
-        console.log(`⚠️  Secrets: ${scan.secrets} found`);
+        console.log(fmt.warning(`Secrets: ${scan.secrets} found`));
         console.log("   → API keys, tokens, or credentials detected");
         console.log("   → Run: rafter scan local <path> for details");
     }
     // URLs
     if (scan.urls.length === 0) {
-        console.log("✓ External URLs: None");
+        console.log(fmt.success("External URLs: None"));
     }
     else {
-        console.log(`⚠️  External URLs: ${scan.urls.length} found`);
+        console.log(fmt.warning(`External URLs: ${scan.urls.length} found`));
         scan.urls.slice(0, 5).forEach(url => {
-            console.log(`   • ${url}`);
+            console.log(`   - ${url}`);
         });
         if (scan.urls.length > 5) {
             console.log(`   ... and ${scan.urls.length - 5} more`);
@@ -160,12 +161,12 @@ function displayQuickScan(scan, skillName) {
     }
     // High-risk commands
     if (scan.highRiskCommands.length === 0) {
-        console.log("✓ High-risk commands: None detected");
+        console.log(fmt.success("High-risk commands: None detected"));
     }
     else {
-        console.log(`⚠️  High-risk commands: ${scan.highRiskCommands.length} found`);
+        console.log(fmt.warning(`High-risk commands: ${scan.highRiskCommands.length} found`));
         scan.highRiskCommands.slice(0, 5).forEach(cmd => {
-            console.log(`   • ${cmd.command} (line ${cmd.line})`);
+            console.log(`   - ${cmd.command} (line ${cmd.line})`);
         });
         if (scan.highRiskCommands.length > 5) {
             console.log(`   ... and ${scan.highRiskCommands.length - 5} more`);

package/dist/commands/agent/config.js

@@ -1,5 +1,6 @@
 import { Command } from "commander";
 import { ConfigManager } from "../../core/config-manager.js";
+import { fmt } from "../../utils/formatter.js";
 export function createConfigCommand() {
     const config = new Command("config")
         .description("Manage agent configuration");
@@ -48,7 +49,7 @@ export function createConfigCommand() {
             // Use as string
         }
         manager.set(key, parsedValue);
-        console.log(`✓ Set ${key} = ${JSON.stringify(parsedValue)}`);
+        console.log(fmt.success(`Set ${key} = ${JSON.stringify(parsedValue)}`));
     });
     return config;
 }

package/dist/commands/agent/exec.js

@@ -112,6 +112,8 @@ async function promptApproval() {
         output: process.stdout
     });
     return new Promise((resolve) => {
+        // Handle EOF / non-interactive stdin (e.g. piped or closed stdin)
+        rl.on("close", () => resolve(false));
         rl.question("Approve this command? (yes/no): ", (answer) => {
             rl.close();
             const normalized = answer.trim().toLowerCase();

package/dist/commands/agent/init.js

@@ -419,10 +419,10 @@ async function installClaudeCodeSkills() {
     }
     if (fs.existsSync(backendTemplatePath)) {
         fs.copyFileSync(backendTemplatePath, backendSkillPath);
-        console.log(fmt.success(`Installed Rafter Backend skill to ${backendSkillPath}`));
+        console.log(fmt.success(`Installed Rafter Remote skill to ${backendSkillPath}`));
     }
     else {
-        console.log(fmt.warning(`Backend skill template not found at ${backendTemplatePath}`));
+        console.log(fmt.warning(`Remote skill template not found at ${backendTemplatePath}`));
     }
     // Install Agent Security Skill
     const agentSkillDir = path.join(claudeSkillsDir, "rafter-agent-security");
@@ -451,10 +451,10 @@ function installCodexSkills() {
     }
     if (fs.existsSync(backendTemplatePath)) {
         fs.copyFileSync(backendTemplatePath, backendSkillPath);
-        console.log(fmt.success(`Installed Rafter Backend skill to ${backendSkillPath}`));
+        console.log(fmt.success(`Installed Rafter Remote skill to ${backendSkillPath}`));
     }
     else {
-        console.log(fmt.warning(`Backend skill template not found at ${backendTemplatePath}`));
+        console.log(fmt.warning(`Remote skill template not found at ${backendTemplatePath}`));
     }
     // Install Agent Security Skill
     const agentDir = path.join(agentsSkillsDir, "rafter-agent-security");
@@ -698,8 +698,9 @@ export function createInitCommand() {
             }
         }
         // Install Claude Code skills + hooks if opted in
+        // When --with-claude-code is explicitly passed, install even if .claude doesn't exist yet
         let claudeCodeOk = false;
-        if (hasClaudeCode && wantClaudeCode) {
+        if ((hasClaudeCode || opts.withClaudeCode) && wantClaudeCode) {
             try {
                 await installClaudeCodeSkills();
                 installClaudeCodeHooks();

package/dist/commands/agent/install-hook.js

@@ -4,6 +4,7 @@ import os from "os";
 import path from "path";
 import { execSync } from "child_process";
 import { fileURLToPath } from 'url';
+import { fmt } from "../../utils/formatter.js";
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 export function createInstallHookCommand() {
@@ -28,7 +29,7 @@ async function installHook(opts) {
 function getTemplatePath(templateName) {
     const templatePath = path.join(__dirname, "..", "..", "..", "resources", templateName);
     if (!fs.existsSync(templatePath)) {
-        console.error("❌ Error: Hook template not found");
+        console.error(fmt.error("Hook template not found"));
         console.error(`   Expected at: ${templatePath}`);
         process.exit(1);
     }
@@ -42,7 +43,7 @@ async function installLocalHook(hookName, templateName) {
         execSync("git rev-parse --git-dir", { stdio: "pipe" });
     }
     catch (e) {
-        console.error("❌ Error: Not in a git repository");
+        console.error(fmt.error("Not in a git repository"));
         console.error("   Run this command from inside a git repository");
         process.exit(1);
     }
@@ -56,30 +57,30 @@ async function installLocalHook(hookName, templateName) {
         const existing = fs.readFileSync(hookPath, "utf-8");
         const marker = hookName === "pre-push" ? "Rafter Security Pre-Push Hook" : "Rafter Security Pre-Commit Hook";
         if (existing.includes(marker)) {
-            console.log(`✓ Rafter ${hookName} hook already installed`);
+            console.log(fmt.success(`Rafter ${hookName} hook already installed`));
             return;
         }
         const backupPath = `${hookPath}.backup-${Date.now()}`;
         fs.copyFileSync(hookPath, backupPath);
-        console.log(`📦 Backed up existing hook to: ${path.basename(backupPath)}`);
+        console.log(fmt.info(`Backed up existing hook to: ${path.basename(backupPath)}`));
     }
     const hookContent = fs.readFileSync(getTemplatePath(templateName), "utf-8");
     fs.writeFileSync(hookPath, hookContent, "utf-8");
     fs.chmodSync(hookPath, 0o755);
-    console.log(`✓ Installed Rafter ${hookName} hook`);
+    console.log(fmt.success(`Installed Rafter ${hookName} hook`));
     console.log(`  Location: ${hookPath}`);
     console.log();
     if (hookName === "pre-push") {
         console.log("The hook will:");
-        console.log("  • Scan commits being pushed for secrets");
-        console.log("  • Block pushes if secrets are detected");
-        console.log("  • Can be bypassed with: git push --no-verify (not recommended)");
+        console.log("  - Scan commits being pushed for secrets");
+        console.log("  - Block pushes if secrets are detected");
+        console.log("  - Can be bypassed with: git push --no-verify (not recommended)");
     }
     else {
         console.log("The hook will:");
-        console.log("  • Scan staged files for secrets before each commit");
-        console.log("  • Block commits if secrets are detected");
-        console.log("  • Can be bypassed with: git commit --no-verify (not recommended)");
+        console.log("  - Scan staged files for secrets before each commit");
+        console.log("  - Block commits if secrets are detected");
+        console.log("  - Can be bypassed with: git commit --no-verify (not recommended)");
     }
     console.log();
 }
@@ -89,7 +90,7 @@ async function installLocalHook(hookName, templateName) {
 async function installGlobalHook(hookName, templateName) {
     const homeDir = os.homedir();
     if (!homeDir) {
-        console.error("❌ Error: Could not determine home directory");
+        console.error(fmt.error("Could not determine home directory"));
         process.exit(1);
     }
     const globalHooksDir = path.join(homeDir, ".rafter", "git-hooks");
@@ -102,7 +103,7 @@ async function installGlobalHook(hookName, templateName) {
     fs.chmodSync(hookPath, 0o755);
     try {
         execSync(`git config --global core.hooksPath "${globalHooksDir}"`, { stdio: "pipe" });
-        console.log(`✓ Installed Rafter ${hookName} hook globally`);
+        console.log(fmt.success(`Installed Rafter ${hookName} hook globally`));
         console.log(`  Location: ${hookPath}`);
         console.log(`  Git config: core.hooksPath = ${globalHooksDir}`);
         console.log();
@@ -116,7 +117,7 @@ async function installGlobalHook(hookName, templateName) {
         console.log();
     }
     catch (e) {
-        console.error("❌ Failed to configure global git hooks");
+        console.error(fmt.error("Failed to configure global git hooks"));
         console.error("   You may need to manually set: git config --global core.hooksPath ~/.rafter/git-hooks");
         process.exit(1);
     }

package/dist/commands/agent/scan.js

@@ -47,6 +47,7 @@ export function createScanCommand() {
         .option("--engine <engine>", "Scan engine: gitleaks or patterns", "auto")
         .option("--baseline", "Filter findings present in the saved baseline")
         .option("--watch", "Watch for file changes and re-scan on change")
+        .option("--history", "Scan git history for secrets (requires gitleaks engine)")
         .action(async (scanPath, opts) => {
         // Validate flags before doing any work
         const validEngines = ["auto", "gitleaks", "patterns"];
@@ -103,7 +104,7 @@ export function createScanCommand() {
             if (!opts.quiet) {
                 console.error(`Scanning directory: ${resolvedPath} (${engine})`);
             }
-            results = await scanDirectory(resolvedPath, engine, scanCfg);
+            results = await scanDirectory(resolvedPath, engine, scanCfg, opts.history);
         }
         else {
             if (!opts.quiet) {
@@ -372,11 +373,11 @@ async function scanFile(filePath, engine, scanCfg) {
 /**
  * Scan a directory with selected engine
  */
-async function scanDirectory(dirPath, engine, scanCfg) {
+async function scanDirectory(dirPath, engine, scanCfg, history) {
     if (engine === "gitleaks") {
         try {
             const gitleaks = new GitleaksScanner();
-            return await gitleaks.scanDirectory(dirPath);
+            return await gitleaks.scanDirectory(dirPath, { useGit: history ?? false });
         }
         catch (e) {
             console.error(fmt.warning("Gitleaks scan failed, falling back to patterns"));

package/dist/commands/agent/verify.js

@@ -193,7 +193,7 @@ export function createVerifyCommand() {
             console.log(fmt.success(`${passed.length}/${results.length} core checks passed${warnNote}`));
         }
         else {
-            console.log(fmt.error(`${hardFailed.length} check${hardFailed.length > 1 ? "s" : ""} failed`));
+            console.log(fmt.error(`${passed.length}/${results.length} checks passed — ${hardFailed.length} failed`));
         }
         console.log();
         if (hardFailed.length > 0) {

package/dist/commands/backend/run.js

@@ -9,6 +9,7 @@ import { handleScanStatus } from "./scan-status.js";
  */
 export async function runRemoteScan(opts) {
     const key = resolveKey(opts.apiKey);
+    const ghToken = opts.githubToken || process.env.RAFTER_GITHUB_TOKEN;
     let repo, branch;
     try {
         ({ repo, branch } = detectRepo({ repo: opts.repo, branch: opts.branch, quiet: opts.quiet }));
@@ -22,10 +23,17 @@ export async function runRemoteScan(opts) {
         }
         process.exit(EXIT_GENERAL_ERROR);
     }
+    const body = {
+        repository_name: repo,
+        branch_name: branch,
+        scan_mode: opts.mode ?? "fast",
+    };
+    if (ghToken)
+        body.github_token = ghToken;
     if (!opts.quiet) {
         const spinner = ora("Submitting scan").start();
         try {
-            const { data } = await axios.post(`${API}/static/scan`, { repository_name: repo, branch_name: branch, scan_mode: opts.mode ?? "fast" }, { headers: { "x-api-key": key } });
+            const { data } = await axios.post(`${API}/static/scan`, body, { headers: { "x-api-key": key } });
             spinner.succeed(`Scan ID: ${data.scan_id}`);
             if (opts.skipInteractive)
                 return;
@@ -56,7 +64,7 @@ export async function runRemoteScan(opts) {
     }
     else {
         try {
-            const { data } = await axios.post(`${API}/static/scan`, { repository_name: repo, branch_name: branch, scan_mode: opts.mode ?? "fast" }, { headers: { "x-api-key": key } });
+            const { data } = await axios.post(`${API}/static/scan`, body, { headers: { "x-api-key": key } });
             if (opts.skipInteractive)
                 return;
             const exitCode = await handleScanStatus(data.scan_id, { "x-api-key": key }, opts.format ?? "md", opts.quiet);
@@ -90,12 +98,13 @@ function addRunOptions(cmd) {
         .option("-k, --api-key <key>", "API key or RAFTER_API_KEY env var")
         .option("-f, --format <format>", "json | md", "md")
         .option("-m, --mode <mode>", "scan mode: fast | plus", "fast")
+        .option("--github-token <token>", "GitHub PAT for private repos (or RAFTER_GITHUB_TOKEN env var)")
         .option("--skip-interactive", "do not wait for scan to complete")
         .option("--quiet", "suppress status messages");
 }
 export function createRunCommand() {
     return addRunOptions(new Command("run")
-        .description("Trigger a remote backend security scan")).action(async (opts) => {
+        .description("Trigger a remote security scan")).action(async (opts) => {
         await runRemoteScan(opts);
     });
 }

package/dist/commands/backend/scan-status.js

@@ -1,6 +1,7 @@
 import axios from "axios";
 import ora from "ora";
 import { API, writePayload, EXIT_GENERAL_ERROR, EXIT_SCAN_NOT_FOUND } from "../../utils/api.js";
+import { fmt as output } from "../../utils/formatter.js";
 export async function handleScanStatus(scan_id, headers, fmt, quiet) {
     // First poll
     let poll;
@@ -9,10 +10,10 @@ export async function handleScanStatus(scan_id, headers, fmt, quiet) {
     }
     catch (e) {
         if (e.response?.status === 404) {
-            console.error(`Scan '${scan_id}' not found`);
+            console.error(output.error(`Scan '${scan_id}' not found`));
             return EXIT_SCAN_NOT_FOUND;
         }
-        console.error(`Error: ${e.response?.data || e.message}`);
+        console.error(output.error(`${e.response?.data || e.message}`));
         return EXIT_GENERAL_ERROR;
     }
     let status = poll.data.status;

package/dist/commands/brief.js

@@ -54,7 +54,7 @@ function buildTopics() {
             render: () => loadSkill("rafter-agent-security"),
         },
         scanning: {
-            description: "Remote SAST/SCA code analysis via backend API",
+            description: "Remote SAST/SCA code analysis via Rafter API",
             render: () => loadSkill("rafter"),
         },
         commands: {
@@ -78,7 +78,7 @@ function buildTopics() {
                 return [
                     "# Rafter Command Reference",
                     "",
-                    "## Backend (Remote Code Analysis)",
+                    "## Remote Code Analysis",
                     "",
                     backCmds,
                     "",

package/dist/commands/ci/init.js

@@ -1,13 +1,14 @@
 import { Command } from "commander";
 import fs from "fs";
 import path from "path";
-import { fmt } from "../../utils/formatter.js";
+import { fmt, isAgentMode } from "../../utils/formatter.js";
 export function createCiInitCommand() {
     return new Command("init")
         .description("Generate CI/CD pipeline config for secret scanning")
         .option("--platform <platform>", "CI platform: github, gitlab, circleci (default: auto-detect)")
         .option("--output <path>", "Output file path (default: platform-specific)")
-        .option("--with-backend", "Include backend security audit job (requires RAFTER_API_KEY)")
+        .option("--with-remote", "Include remote security audit job (requires RAFTER_API_KEY)")
+        .option("--with-backend", "Deprecated: use --with-remote")
         .action((opts) => {
         const platform = opts.platform || detectPlatform();
         if (!platform) {
@@ -21,7 +22,8 @@ export function createCiInitCommand() {
             console.error(`Valid options: ${validPlatforms.join(", ")}`);
             process.exit(1);
         }
-        const { content, defaultPath } = generateTemplate(platform, !!opts.withBackend);
+        const includeRemote = !!(opts.includeRemote || opts.withBackend);
+        const { content, defaultPath } = generateTemplate(platform, includeRemote);
         const outputPath = opts.output || defaultPath;
         const outputDir = path.dirname(outputPath);
         if (!fs.existsSync(outputDir)) {
@@ -29,28 +31,30 @@ export function createCiInitCommand() {
         }
         fs.writeFileSync(outputPath, content, "utf-8");
         console.log(fmt.success(`Generated ${platform} CI config at ${outputPath}`));
-        console.log();
-        console.log("Next steps:");
-        console.log(`  1. Review the generated file: ${outputPath}`);
-        if (opts.withBackend) {
-            if (platform === "github") {
-                console.log("  2. Add RAFTER_API_KEY to repo Settings > Secrets > Actions");
-            }
-            else if (platform === "gitlab") {
-                console.log("  2. Add RAFTER_API_KEY to Settings > CI/CD > Variables");
+        if (!isAgentMode()) {
+            console.log();
+            console.log("Next steps:");
+            console.log(`  1. Review the generated file: ${outputPath}`);
+            if (includeRemote) {
+                if (platform === "github") {
+                    console.log("  2. Add RAFTER_API_KEY to repo Settings > Secrets > Actions");
+                }
+                else if (platform === "gitlab") {
+                    console.log("  2. Add RAFTER_API_KEY to Settings > CI/CD > Variables");
+                }
+                else {
+                    console.log("  2. Add RAFTER_API_KEY to project environment variables");
+                }
             }
-            else {
-                console.log("  2. Add RAFTER_API_KEY to project environment variables");
+            console.log(`  ${includeRemote ? "3" : "2"}. Commit and push to trigger the pipeline`);
+            if (platform === "github") {
+                console.log();
+                console.log("Alternatives:");
+                console.log("  - GitHub Action: uses: Raftersecurity/rafter-cli@v1");
+                console.log("  - Pre-commit:  https://github.com/Raftersecurity/rafter-cli#pre-commit-framework");
             }
-        }
-        console.log(`  ${opts.withBackend ? "3" : "2"}. Commit and push to trigger the pipeline`);
-        if (platform === "github") {
             console.log();
-            console.log("Alternatives:");
-            console.log("  - GitHub Action: uses: Raftersecurity/rafter-cli@v1");
-            console.log("  - Pre-commit:  https://github.com/Raftersecurity/rafter-cli#pre-commit-framework");
         }
-        console.log();
     });
 }
 function detectPlatform() {

package/dist/commands/completion.js

@@ -68,7 +68,7 @@ _rafter_completions() {
       if [[ "\${COMP_WORDS[1]}" == "agent" ]]; then
         COMPREPLY=( $(compgen -W "--risk-level --with-openclaw --with-claude-code --with-codex --with-gemini --with-aider --with-cursor --with-windsurf --with-continue --with-gitleaks --all --help" -- "\${cur}") )
       elif [[ "\${COMP_WORDS[1]}" == "ci" ]]; then
-        COMPREPLY=( $(compgen -W "--platform --output --with-backend --help" -- "\${cur}") )
+        COMPREPLY=( $(compgen -W "--platform --output --with-remote --with-backend --help" -- "\${cur}") )
       fi
       return 0
       ;;
@@ -81,7 +81,7 @@ const ZSH_COMPLETION = `#compdef rafter
 _rafter() {
   local -a commands
   commands=(
-    'run:Submit a security scan to the Rafter backend'
+    'run:Submit a remote security scan'
     'scan:Alias for run'
     'get:Retrieve scan results'
     'usage:Check API usage quota'
@@ -369,7 +369,8 @@ complete -c rafter -n '__fish_seen_subcommand_from agent; and __fish_seen_subcom
 complete -c rafter -n '__fish_seen_subcommand_from ci' -a init -d 'Initialize CI pipeline'
 complete -c rafter -n '__fish_seen_subcommand_from ci; and __fish_seen_subcommand_from init' -l platform -d 'CI platform' -ra 'github gitlab circleci'
 complete -c rafter -n '__fish_seen_subcommand_from ci; and __fish_seen_subcommand_from init' -l output -d 'Output path' -r
-complete -c rafter -n '__fish_seen_subcommand_from ci; and __fish_seen_subcommand_from init' -l with-backend -d 'Include backend audit'
+complete -c rafter -n '__fish_seen_subcommand_from ci; and __fish_seen_subcommand_from init' -l with-remote -d 'Include remote audit'
+complete -c rafter -n '__fish_seen_subcommand_from ci; and __fish_seen_subcommand_from init' -l with-backend -d 'Deprecated: use --with-remote'
 
 # hook subcommands
 complete -c rafter -n '__fish_seen_subcommand_from hook' -a pretool -d 'PreToolUse hook handler'

package/dist/commands/report.js

@@ -86,11 +86,11 @@ function generateHtmlReport(results, title) {
                     ? "Low"
                     : "None";
     const riskColor = {
-        Critical: "#dc2626",
-        High: "#ea580c",
-        Medium: "#2563eb",
-        Low: "#16a34a",
-        None: "#16a34a",
+        Critical: "hsl(0 40% 55%)",
+        High: "hsl(25 35% 55%)",
+        Medium: "hsl(0 0% 64%)",
+        Low: "hsl(0 0% 50%)",
+        None: "hsl(0 0% 50%)",
     }[riskLevel];
     const topPatterns = Object.entries(patternCounts)
         .sort((a, b) => b[1] - a[1])
@@ -113,38 +113,39 @@ function generateHtmlReport(results, title) {
 <title>${escapeHtml(title)}</title>
 <style>
   *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
-  body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif; line-height: 1.6; color: #1e293b; background: #f8fafc; }
+  body { font-family: "SFMono-Regular", Consolas, "Liberation Mono", Menlo, monospace; line-height: 1.6; color: hsl(0 0% 98%); background: hsl(0 0% 3.9%); }
   .container { max-width: 1100px; margin: 0 auto; padding: 2rem 1.5rem; }
-  header { background: linear-gradient(135deg, #0f172a 0%, #1e293b 100%); color: white; padding: 2rem 0; margin-bottom: 2rem; }
+  header { background: hsl(0 0% 7%); color: hsl(0 0% 98%); padding: 2rem 0; margin-bottom: 2rem; border-bottom: 1px solid hsl(0 0% 14.9%); }
   header .container { display: flex; justify-content: space-between; align-items: center; flex-wrap: wrap; gap: 1rem; }
   header h1 { font-size: 1.5rem; font-weight: 700; }
-  header .meta { font-size: 0.85rem; opacity: 0.8; text-align: right; }
-  .card { background: white; border-radius: 8px; box-shadow: 0 1px 3px rgba(0,0,0,0.08); padding: 1.5rem; margin-bottom: 1.5rem; }
-  .card h2 { font-size: 1.1rem; font-weight: 600; margin-bottom: 1rem; color: #334155; }
+  header .meta { font-size: 0.85rem; opacity: 0.6; text-align: right; }
+  .card { background: hsl(0 0% 7%); border-radius: 8px; border: 1px solid hsl(0 0% 14.9%); padding: 1.5rem; margin-bottom: 1.5rem; }
+  .card h2 { font-size: 1.1rem; font-weight: 600; margin-bottom: 1rem; color: hsl(0 0% 98%); }
   .summary-grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(180px, 1fr)); gap: 1rem; }
-  .stat { text-align: center; padding: 1rem; border-radius: 6px; background: #f1f5f9; }
-  .stat .value { font-size: 2rem; font-weight: 700; }
-  .stat .label { font-size: 0.8rem; text-transform: uppercase; letter-spacing: 0.05em; color: #64748b; margin-top: 0.25rem; }
-  .risk-badge { display: inline-block; padding: 0.25rem 0.75rem; border-radius: 4px; color: white; font-weight: 600; font-size: 0.85rem; }
-  .sev-critical { background: #dc2626; }
-  .sev-high { background: #ea580c; }
-  .sev-medium { background: #2563eb; }
-  .sev-low { background: #16a34a; }
+  .stat { text-align: center; padding: 1rem; border-radius: 6px; background: hsl(0 0% 10%); border: 1px solid hsl(0 0% 14.9%); }
+  .stat .value { font-size: 2rem; font-weight: 700; color: hsl(0 0% 98%); }
+  .stat .label { font-size: 0.8rem; text-transform: uppercase; letter-spacing: 0.05em; color: hsl(0 0% 50%); margin-top: 0.25rem; }
+  .risk-badge { display: inline-block; padding: 0.25rem 0.75rem; border-radius: 4px; font-weight: 600; font-size: 0.85rem; }
+  .sev-critical { background: hsl(0 30% 20%); color: hsl(0 40% 75%); border: 1px solid hsl(0 30% 30%); }
+  .sev-high { background: hsl(25 25% 18%); color: hsl(25 35% 70%); border: 1px solid hsl(25 25% 28%); }
+  .sev-medium { background: hsl(0 0% 18%); color: hsl(0 0% 70%); border: 1px solid hsl(0 0% 25%); }
+  .sev-low { background: hsl(0 0% 14%); color: hsl(0 0% 55%); border: 1px solid hsl(0 0% 22%); }
   .bar-chart { margin-top: 0.5rem; }
   .bar-row { display: flex; align-items: center; margin-bottom: 0.4rem; }
-  .bar-label { width: 180px; font-size: 0.85rem; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; }
-  .bar-track { flex: 1; height: 20px; background: #e2e8f0; border-radius: 3px; overflow: hidden; }
-  .bar-fill { height: 100%; border-radius: 3px; min-width: 2px; }
-  .bar-count { width: 40px; text-align: right; font-size: 0.85rem; font-weight: 600; color: #475569; margin-left: 0.5rem; }
+  .bar-label { width: 180px; font-size: 0.85rem; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; color: hsl(0 0% 70%); }
+  .bar-track { flex: 1; height: 20px; background: hsl(0 0% 14.9%); border-radius: 3px; overflow: hidden; }
+  .bar-fill { height: 100%; border-radius: 3px; min-width: 2px; background: hsl(0 0% 98%); opacity: 0.6; }
+  .bar-count { width: 40px; text-align: right; font-size: 0.85rem; font-weight: 600; color: hsl(0 0% 64%); margin-left: 0.5rem; }
   table { width: 100%; border-collapse: collapse; font-size: 0.85rem; }
-  th { text-align: left; padding: 0.6rem 0.75rem; background: #f1f5f9; border-bottom: 2px solid #e2e8f0; font-weight: 600; color: #475569; white-space: nowrap; }
-  td { padding: 0.6rem 0.75rem; border-bottom: 1px solid #e2e8f0; vertical-align: top; }
-  tr:hover td { background: #f8fafc; }
-  .sev-pill { display: inline-block; padding: 0.15rem 0.5rem; border-radius: 3px; color: white; font-weight: 600; font-size: 0.75rem; text-transform: uppercase; }
-  .file-path { font-family: "SFMono-Regular", Consolas, "Liberation Mono", Menlo, monospace; font-size: 0.8rem; word-break: break-all; }
-  .redacted { font-family: monospace; font-size: 0.8rem; color: #94a3b8; }
-  footer { text-align: center; padding: 2rem 0; font-size: 0.8rem; color: #94a3b8; }
-  .no-findings { text-align: center; padding: 3rem; color: #16a34a; }
+  th { text-align: left; padding: 0.6rem 0.75rem; background: hsl(0 0% 10%); border-bottom: 2px solid hsl(0 0% 14.9%); font-weight: 600; color: hsl(0 0% 64%); white-space: nowrap; text-transform: uppercase; letter-spacing: 0.05em; font-size: 0.75rem; }
+  td { padding: 0.6rem 0.75rem; border-bottom: 1px solid hsl(0 0% 14.9%); vertical-align: top; }
+  tr:hover td { background: hsl(0 0% 10%); }
+  .sev-pill { display: inline-block; padding: 0.15rem 0.5rem; border-radius: 3px; font-weight: 600; font-size: 0.75rem; text-transform: uppercase; }
+  .file-path { font-size: 0.8rem; word-break: break-all; }
+  .redacted { font-size: 0.8rem; color: hsl(0 0% 40%); }
+  .description { color: hsl(0 0% 50%); }
+  footer { text-align: center; padding: 2rem 0; font-size: 0.8rem; color: hsl(0 0% 35%); border-top: 1px solid hsl(0 0% 14.9%); }
+  .no-findings { text-align: center; padding: 3rem; color: hsl(0 0% 64%); }
   .no-findings .icon { font-size: 3rem; margin-bottom: 0.5rem; }
   @media (max-width: 768px) {
     .summary-grid { grid-template-columns: repeat(2, 1fr); }
@@ -152,9 +153,9 @@ function generateHtmlReport(results, title) {
     table { display: block; overflow-x: auto; }
   }
   @media print {
-    body { background: white; }
-    .card { box-shadow: none; border: 1px solid #e2e8f0; break-inside: avoid; }
-    header { background: #0f172a !important; -webkit-print-color-adjust: exact; print-color-adjust: exact; }
+    body { background: hsl(0 0% 3.9%); color: hsl(0 0% 98%); }
+    .card { break-inside: avoid; }
+    header { -webkit-print-color-adjust: exact; print-color-adjust: exact; }
   }
 </style>
 </head>
@@ -173,7 +174,7 @@ function generateHtmlReport(results, title) {
     <h2>Executive Summary</h2>
     <div class="summary-grid">
       <div class="stat">
-        <div class="value" style="color:${riskColor}">${totalFindings}</div>
+        <div class="value">${totalFindings}</div>
         <div class="label">Total Findings</div>
       </div>
       <div class="stat">
@@ -181,7 +182,7 @@ function generateHtmlReport(results, title) {
         <div class="label">Files Affected</div>
       </div>
       <div class="stat">
-        <div class="value"><span class="risk-badge" style="background:${riskColor}">${riskLevel}</span></div>
+        <div class="value"><span class="risk-badge" style="background:${riskColor};color:hsl(0 0% 98%)">${riskLevel}</span></div>
         <div class="label">Overall Risk</div>
       </div>
     </div>
@@ -190,10 +191,10 @@ function generateHtmlReport(results, title) {
   <div class="card">
     <h2>Severity Breakdown</h2>
     <div class="summary-grid">
-      <div class="stat"><div class="value" style="color:#dc2626">${severityCounts.critical}</div><div class="label">Critical</div></div>
-      <div class="stat"><div class="value" style="color:#ea580c">${severityCounts.high}</div><div class="label">High</div></div>
-      <div class="stat"><div class="value" style="color:#2563eb">${severityCounts.medium}</div><div class="label">Medium</div></div>
-      <div class="stat"><div class="value" style="color:#16a34a">${severityCounts.low}</div><div class="label">Low</div></div>
+      <div class="stat"><div class="value" style="color:hsl(0 40% 70%)">${severityCounts.critical}</div><div class="label">Critical</div></div>
+      <div class="stat"><div class="value" style="color:hsl(25 30% 65%)">${severityCounts.high}</div><div class="label">High</div></div>
+      <div class="stat"><div class="value">${severityCounts.medium}</div><div class="label">Medium</div></div>
+      <div class="stat"><div class="value" style="color:hsl(0 0% 50%)">${severityCounts.low}</div><div class="label">Low</div></div>
     </div>
   </div>
 
@@ -204,7 +205,7 @@ ${topPatterns.map(([name, count]) => {
         const pct = Math.round((count / totalFindings) * 100);
         return `      <div class="bar-row">
         <div class="bar-label" title="${escapeHtml(name)}">${escapeHtml(name)}</div>
-        <div class="bar-track"><div class="bar-fill sev-medium" style="width:${pct}%"></div></div>
+        <div class="bar-track"><div class="bar-fill" style="width:${pct}%"></div></div>
         <div class="bar-count">${count}</div>
       </div>`;
     }).join("\n")}
@@ -226,7 +227,7 @@ ${totalFindings > 0 ? `  <div class="card">
       <tbody>
 ${findingsRows.map((f) => `        <tr>
           <td><span class="sev-pill sev-${f.severity}">${f.severity}</span></td>
-          <td>${f.pattern}${f.description ? `<br><small style="color:#94a3b8">${f.description}</small>` : ""}</td>
+          <td>${f.pattern}${f.description ? `<br><small class="description">${f.description}</small>` : ""}</td>
           <td class="file-path">${f.file}</td>
           <td>${f.line}</td>
           <td class="redacted">${f.redacted}</td>

package/dist/commands/scan/index.js

@@ -1,8 +1,8 @@
 /**
  * rafter scan — top-level scan command group.
  *
- * Default (no subcommand): remote backend scan (same as `rafter run`)
- * rafter scan remote:       explicit alias for remote backend scan
+ * Default (no subcommand): remote scan (same as `rafter run`)
+ * rafter scan remote:       explicit alias for remote scan
  * rafter scan local [path]: local secret scanner (was `rafter agent scan`)
  */
 import { Command } from "commander";
@@ -21,25 +21,27 @@ export function createScanGroupCommand() {
         .option("-k, --api-key <key>", "API key or RAFTER_API_KEY env var")
         .option("-f, --format <format>", "json | md", "md")
         .option("-m, --mode <mode>", "scan mode: fast | plus", "fast")
+        .option("--github-token <token>", "GitHub PAT for private repos (or RAFTER_GITHUB_TOKEN env var)")
         .option("--skip-interactive", "do not wait for scan to complete")
         .option("--quiet", "suppress status messages")
         .action(async (opts) => {
         await runRemoteScan(opts);
     });
-    // Root scan group — default action is remote backend scan
+    // Root scan group — default action is remote scan
     const scanGroup = new Command("scan")
-        .description("Scan for security issues. Default: remote backend scan. Use 'scan local' for local secret scanning.")
+        .description("Scan for security issues. Default: remote scan. Use 'scan local' for local secret scanning.")
         .enablePositionalOptions()
         .option("-r, --repo <repo>", "org/repo (default: current)")
         .option("-b, --branch <branch>", "branch (default: current else main)")
         .option("-k, --api-key <key>", "API key or RAFTER_API_KEY env var")
         .option("-f, --format <format>", "json | md", "md")
         .option("-m, --mode <mode>", "scan mode: fast | plus", "fast")
+        .option("--github-token <token>", "GitHub PAT for private repos (or RAFTER_GITHUB_TOKEN env var)")
         .option("--skip-interactive", "do not wait for scan to complete")
         .option("--quiet", "suppress status messages");
     scanGroup.addCommand(localCmd);
     scanGroup.addCommand(remoteCmd);
-    // When invoked with no subcommand, run remote backend scan
+    // When invoked with no subcommand, run remote scan
     scanGroup.action(async (opts) => {
         await runRemoteScan(opts);
     });

package/dist/core/risk-rules.js

@@ -2,9 +2,15 @@
  * Centralized risk assessment rules.
  * Single source of truth — imported by command-interceptor, audit-logger, and config-defaults.
  */
+/** Directories where `rm -rf /<dir>` is catastrophic (data loss / unbootable). */
+const CRITICAL_DIRS = "home|etc|usr|boot|root|sys|proc|lib|lib64|bin|sbin|opt";
 export const CRITICAL_PATTERNS = [
-    /rm\s+(-[a-z]*r[a-z]*\s+)*-[a-z]*f[a-z]*\s+\//, // rm -rf / (any flag order: -rf, -fr, -r -f, -f -r)
-    /rm\s+(-[a-z]*f[a-z]*\s+)*-[a-z]*r[a-z]*\s+\//, // rm -fr / (reversed)
+    // rm -rf / (root only, any flag order)
+    new RegExp(`rm\\s+(-[a-z]*r[a-z]*\\s+)*-[a-z]*f[a-z]*\\s+/(\\s|$)`),
+    new RegExp(`rm\\s+(-[a-z]*f[a-z]*\\s+)*-[a-z]*r[a-z]*\\s+/(\\s|$)`),
+    // rm -rf on critical top-level directories
+    new RegExp(`rm\\s+(-[a-z]*r[a-z]*\\s+)*-[a-z]*f[a-z]*\\s+/(${CRITICAL_DIRS})(/|\\s|$)`),
+    new RegExp(`rm\\s+(-[a-z]*f[a-z]*\\s+)*-[a-z]*r[a-z]*\\s+/(${CRITICAL_DIRS})(/|\\s|$)`),
     /:\(\)\{\s*:\|:&\s*\};:/, // fork bomb
     /dd\s+if=.*of=\/dev\/sd/,
     />\s*\/dev\/sd/,
@@ -55,11 +61,18 @@ export const DEFAULT_REQUIRE_APPROVAL = [
     "git push --force-if-includes",
     "git push .* \\+",
 ];
+/** Read-only commands whose arguments should not trigger risk patterns. */
+const SAFE_PREFIX = /^(grep|egrep|fgrep|rg|ag|ack|echo|printf)\s/;
+/** Shell operators that chain independent commands. */
+const CHAIN_OPERATORS = /[;|&]|&&|\|\|/;
 /**
  * Assess risk level of a command string.
  */
 export function assessCommandRisk(command) {
-    const cmd = command.toLowerCase();
+    const cmd = command.toLowerCase().trim();
+    // Safe prefix only applies to simple (non-chained) commands
+    if (SAFE_PREFIX.test(cmd) && !CHAIN_OPERATORS.test(cmd))
+        return "low";
     for (const pattern of CRITICAL_PATTERNS) {
         if (pattern.test(cmd))
             return "critical";

package/dist/index.js

@@ -21,24 +21,22 @@ import { createRequire } from "module";
 dotenv.config();
 const require = createRequire(import.meta.url);
 const { version: VERSION } = require("../package.json");
+// Set agent mode early from argv — preAction hooks may not propagate to nested
+// subcommands on Node 18, so we detect -a/--agent before Commander parses.
+if (process.argv.includes("-a") || process.argv.includes("--agent")) {
+    setAgentMode(true);
+}
 const program = new Command()
     .name("rafter")
     .description("Rafter CLI — the default security agent for AI workflows. Free for individuals and open source. No account required.")
     .version(VERSION)
     .enablePositionalOptions()
     .option("-a, --agent", "Plain output for AI agents (no colors/emoji)");
-// Set agent mode before any subcommand runs
-program.hook("preAction", (thisCommand) => {
-    const opts = thisCommand.opts();
-    if (opts.agent) {
-        setAgentMode(true);
-    }
-});
-// Backend commands
+// Remote scan commands
 program.addCommand(createRunCommand());
 program.addCommand(createGetCommand());
 program.addCommand(createUsageCommand());
-// Scan command group (default: remote backend scan; subcommands: local, remote)
+// Scan command group (default: remote scan; subcommands: local, remote)
 program.addCommand(createScanGroupCommand());
 // Agent commands
 program.addCommand(createAgentCommand());
@@ -60,6 +58,12 @@ program.addCommand(createNotifyCommand());
 program.addCommand(createReportCommand());
 // Shell completions
 program.addCommand(createCompletionCommand());
+// Version subcommand (also available as --version)
+program.addCommand(new Command("version")
+    .description("Print version and exit")
+    .action(() => {
+    console.log(VERSION);
+}));
 // Non-blocking update check — runs after command, prints to stderr
 checkForUpdate(VERSION).then((notice) => {
     if (notice)

package/dist/scanners/gitleaks.js

@@ -82,15 +82,19 @@ export class GitleaksScanner {
     /**
      * Scan a directory
      */
-    async scanDirectory(dirPath) {
+    async scanDirectory(dirPath, opts) {
         if (!await this.isAvailable()) {
             throw new Error("Gitleaks not available");
         }
         const gitleaksPath = this.binaryManager.getGitleaksPath();
         const tmpReport = path.join(os.tmpdir(), `gitleaks-${Date.now()}-${randomBytes(6).toString("hex")}.json`);
         try {
+            const args = ["detect", "-f", "json", "-r", tmpReport, "-s", dirPath];
+            if (!opts?.useGit) {
+                args.splice(1, 0, "--no-git");
+            }
             // Run gitleaks detect on directory
-            await execFileAsync(gitleaksPath, ["detect", "--no-git", "-f", "json", "-r", tmpReport, "-s", dirPath], { timeout: 60000 });
+            await execFileAsync(gitleaksPath, args, { timeout: 60000 });
             // No leaks found
             if (!fs.existsSync(tmpReport)) {
                 return [];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rafter-security/cli",
-  "version": "0.6.6",
+  "version": "0.7.0",
   "type": "module",
   "bin": {
     "rafter": "./dist/index.js"

package/resources/skills/rafter/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: rafter
 description: "Rafter — the security toolkit built for AI workflows. Three tiers: (1) fast local secret scanning, deterministic, no API key needed; (2) remote SAST/SCA with deterministic secret detection and dependency checks via API (fast mode, default); (3) agentic deep-dive analysis with additional passes (plus mode). Use when checking for vulnerabilities, leaked credentials, or whether code is safe to push. Also use before merging PRs, deploying, or shipping new features. If RAFTER_API_KEY is not set, local scanning works fully — don't block on it. Run `rafter brief commands` for full CLI reference."
-version: 0.6.5
+version: 0.7.0
 allowed-tools: [Bash]
 ---
 

package/resources/skills/rafter-agent-security/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: rafter-agent-security
 description: "Rafter local security tools — deterministic secret scanning, command risk assessment, skill auditing, and audit log review. Use when: checking for leaked credentials or API keys, evaluating whether code is safe to push, auditing skills before installation, reviewing security events. Works offline, no API key needed. Run `rafter brief security` for full capabilities."
-version: 0.6.5
+version: 0.7.0
 allowed-tools: [Bash, Read, Glob, Grep]
 ---