@rafter-security/cli 0.6.6 → 0.7.1

package/README.md

@@ -23,7 +23,7 @@ yarn global add @rafter-security/cli
 
 ### Getting an API Key
 
-To use backend code analysis features, you'll need a Rafter API key:
+To use remote code analysis features, you'll need a Rafter API key:
 
 1. **Sign up**: Create an account at [rafter.so](https://rafter.so)
 2. **Get API key**: Navigate to Dashboard → Settings → API Keys
@@ -36,9 +36,9 @@ To use backend code analysis features, you'll need a Rafter API key:
    echo "RAFTER_API_KEY=your-api-key-here" >> .env
    ```
 
-**Note**: Agent security features (secret scanning, command execution) work **without an API key**. Only backend code analysis requires authentication.
+**Note**: Agent security features (secret scanning, command execution) work **without an API key**. Only remote code analysis requires authentication.
 
-### Backend Code Analysis
+### Remote Code Analysis
 
 ```bash
 # Set your API key (from above)
@@ -59,20 +59,39 @@ rafter usage
 ```bash
 # Initialize local security
 rafter agent init
+rafter agent init --local              # write config to ./.rafter (ephemeral/benchmark)
+
+# Granular per-component control
+rafter agent list
+rafter agent enable claude-code
+rafter agent disable gemini
 
 # Scan files for secrets
 rafter agent scan .
+rafter agent scan --history            # full git history (gitleaks engine)
 
 # Execute commands safely
 rafter agent exec "git commit -m 'Add feature'"
 
-# View audit logs
+# View audit logs (tamper-evident hash chain)
 rafter agent audit
+rafter agent audit --verify            # verify chain; exit 1 if tampered
 
 # Manage configuration
 rafter agent config show
 ```
 
+### Skills
+
+Four first-party skills ship with the CLI: `rafter` (CYOA router), `rafter-code-review`, `rafter-secure-design`, `rafter-skill-review`.
+
+```bash
+rafter skill list                              # installed + available
+rafter skill install --all                     # install all four
+rafter skill review github:owner/repo          # audit a third-party skill before install
+rafter skill review --installed                # audit every skill already on disk
+```
+
 ## Global Options
 
 | Flag | Description |
@@ -500,7 +519,7 @@ Generate CI/CD pipeline configuration for secret scanning.
 **Options:**
 - `--platform <platform>` - CI platform: `github`, `gitlab`, `circleci` (default: auto-detect)
 - `--output <path>` - Output file path (default: platform-specific)
-- `--with-backend` - Include backend security audit job (requires `RAFTER_API_KEY`)
+- `--with-remote` - Include remote security audit job (requires `RAFTER_API_KEY`)
 
 **Auto-detection:** Checks for `.github/`, `.gitlab-ci.yml`, `.circleci/` in the current directory.
 
@@ -512,8 +531,8 @@ rafter ci init
 # Generate GitHub Actions workflow
 rafter ci init --platform github
 
-# Include backend scanning job
-rafter ci init --with-backend
+# Include remote scanning job
+rafter ci init --with-remote
 
 # Custom output path
 rafter ci init --output .github/workflows/security.yml
@@ -624,7 +643,7 @@ When OpenClaw is detected, `rafter agent init` automatically installs a skill to
 
 Rafter provides TWO skills for Claude Code:
 
-### 1. Backend Code Analysis Skill (Core Feature)
+### 1. Remote Code Analysis Skill (Core Feature)
 
 **Automatic Integration** - Claude can proactively suggest security scans
 
@@ -680,10 +699,10 @@ Explicitly invoke commands:
 
 ### Why Two Skills?
 
-- **Backend code analysis skill** - Safe for Claude to auto-invoke (read-only API calls)
+- **Remote code analysis skill** - Safe for Claude to auto-invoke (read-only API calls)
 - **Agent security skill** - Requires user permission (local file access, command execution)
 
-This separation emphasizes Rafter's core backend code analysis capabilities while keeping local security features safely behind user control.
+This separation emphasizes Rafter's core remote code analysis capabilities while keeping local security features safely behind user control.
 
 ## Documentation
 

package/dist/commands/agent/audit-skill.js

@@ -4,20 +4,22 @@ import path from "path";
 import { PatternEngine } from "../../core/pattern-engine.js";
 import { DEFAULT_SECRET_PATTERNS } from "../../scanners/secret-patterns.js";
 import { SkillManager } from "../../utils/skill-manager.js";
+import { fmt } from "../../utils/formatter.js";
 export function createAuditSkillCommand() {
     return new Command("audit-skill")
-        .description("Security audit of a Claude Code skill file")
+        .description("[deprecated] Security audit of a Claude Code skill file — use `rafter skill review` instead")
         .argument("<skill-path>", "Path to skill file to audit")
         .option("--skip-openclaw", "Skip OpenClaw integration, show manual review prompt")
         .option("--json", "Output results as JSON")
         .action(async (skillPath, opts) => {
+        process.stderr.write("[deprecated] `rafter agent audit-skill` is deprecated; use `rafter skill review <path-or-url>` instead.\n");
         await auditSkill(skillPath, opts);
     });
 }
 async function auditSkill(skillPath, opts) {
     // Validate skill file exists
     if (!fs.existsSync(skillPath)) {
-        console.error(`Error: Skill file not found: ${skillPath}`);
+        console.error(fmt.error(`Skill file not found: ${skillPath}`));
         process.exit(2);
     }
     const absolutePath = path.resolve(skillPath);
@@ -25,8 +27,8 @@ async function auditSkill(skillPath, opts) {
     const skillName = path.basename(absolutePath);
     // Run deterministic analysis
     if (!opts.json) {
-        console.log(`\n🔍 Auditing skill: ${skillName}\n`);
-        console.log("═".repeat(60));
+        console.log(fmt.header(`Auditing skill: ${skillName}`));
+        console.log(fmt.divider());
         console.log("Running quick security scan...\n");
     }
     const quickScan = await runQuickScan(skillContent);
@@ -56,11 +58,11 @@ async function auditSkill(skillPath, opts) {
     // Check if we can use OpenClaw
     if (openClawAvailable && !opts.skipOpenclaw) {
         if (!rafterSkillInstalled) {
-            console.log("\n⚠️  Rafter Security skill not installed in OpenClaw.");
+            console.log(`\n${fmt.warning("Rafter Security skill not installed in OpenClaw.")}`);
             console.log("   Run: rafter agent init\n");
         }
         else {
-            console.log("\n🤖 For comprehensive security review:\n");
+            console.log(`\n${fmt.info("For comprehensive security review:")}\n`);
             console.log("   1. Open OpenClaw");
             console.log(`   2. Run: /rafter-audit-skill ${absolutePath}`);
             console.log("\n   The auditor will analyze:");
@@ -80,12 +82,12 @@ async function auditSkill(skillPath, opts) {
     }
     else {
         // OpenClaw not available or skipped - show manual review prompt
-        console.log("\n📋 Manual Security Review Prompt\n");
-        console.log("═".repeat(60));
+        console.log(fmt.header("Manual Security Review Prompt"));
+        console.log(fmt.divider());
         console.log("\nCopy the following to your AI assistant for review:\n");
-        console.log("─".repeat(60));
+        console.log(fmt.divider());
         console.log(generateManualReviewPrompt(skillName, absolutePath, quickScan, skillContent));
-        console.log("─".repeat(60));
+        console.log(fmt.divider());
     }
     console.log();
     if (quickScan.secrets > 0 || quickScan.highRiskCommands.length > 0) {
@@ -134,25 +136,25 @@ async function runQuickScan(content) {
     };
 }
 function displayQuickScan(scan, skillName) {
-    console.log("📊 Quick Scan Results");
-    console.log("═".repeat(60));
+    console.log(fmt.header("Quick Scan Results"));
+    console.log(fmt.divider());
     // Secrets
     if (scan.secrets === 0) {
-        console.log("✓ Secrets: None detected");
+        console.log(fmt.success("Secrets: None detected"));
     }
     else {
-        console.log(`⚠️  Secrets: ${scan.secrets} found`);
+        console.log(fmt.warning(`Secrets: ${scan.secrets} found`));
         console.log("   → API keys, tokens, or credentials detected");
         console.log("   → Run: rafter scan local <path> for details");
     }
     // URLs
     if (scan.urls.length === 0) {
-        console.log("✓ External URLs: None");
+        console.log(fmt.success("External URLs: None"));
     }
     else {
-        console.log(`⚠️  External URLs: ${scan.urls.length} found`);
+        console.log(fmt.warning(`External URLs: ${scan.urls.length} found`));
         scan.urls.slice(0, 5).forEach(url => {
-            console.log(`   • ${url}`);
+            console.log(`   - ${url}`);
         });
         if (scan.urls.length > 5) {
             console.log(`   ... and ${scan.urls.length - 5} more`);
@@ -160,12 +162,12 @@ function displayQuickScan(scan, skillName) {
     }
     // High-risk commands
     if (scan.highRiskCommands.length === 0) {
-        console.log("✓ High-risk commands: None detected");
+        console.log(fmt.success("High-risk commands: None detected"));
     }
     else {
-        console.log(`⚠️  High-risk commands: ${scan.highRiskCommands.length} found`);
+        console.log(fmt.warning(`High-risk commands: ${scan.highRiskCommands.length} found`));
         scan.highRiskCommands.slice(0, 5).forEach(cmd => {
-            console.log(`   • ${cmd.command} (line ${cmd.line})`);
+            console.log(`   - ${cmd.command} (line ${cmd.line})`);
         });
         if (scan.highRiskCommands.length > 5) {
             console.log(`   ... and ${scan.highRiskCommands.length - 5} more`);

package/dist/commands/agent/audit.js

@@ -13,13 +13,28 @@ export function createAuditCommand() {
         .option("--event <type>", "Filter by event type")
         .option("--agent <type>", "Filter by agent type (openclaw, claude-code)")
         .option("--since <date>", "Show entries since date (YYYY-MM-DD)")
+        .option("--repo <pattern>", "Filter by git repo path (substring match)")
+        .option("--cwd <pattern>", "Filter by working directory (substring match)")
         .option("--share", "Generate a redacted excerpt for issue reports")
+        .option("--verify", "Verify the audit log hash chain and report tampering")
         .action((opts) => {
         if (opts.share) {
             generateShareExcerpt();
             return;
         }
         const logger = new AuditLogger();
+        if (opts.verify) {
+            const breaks = logger.verify();
+            if (breaks.length === 0) {
+                console.log("✓ Audit log hash chain intact");
+                return;
+            }
+            console.error(`✗ Audit log hash chain broken (${breaks.length} break${breaks.length === 1 ? "" : "s"}):`);
+            for (const b of breaks) {
+                console.error(`  line ${b.line}: ${b.reason}`);
+            }
+            process.exit(1);
+        }
         const filter = {
             limit: parseInt(opts.last, 10)
         };
@@ -32,6 +47,12 @@ export function createAuditCommand() {
         if (opts.since) {
             filter.since = new Date(opts.since);
         }
+        if (opts.repo) {
+            filter.gitRepo = opts.repo;
+        }
+        if (opts.cwd) {
+            filter.cwd = opts.cwd;
+        }
         const entries = logger.read(filter);
         if (entries.length === 0) {
             console.log("No audit log entries found");
@@ -46,6 +67,12 @@ export function createAuditCommand() {
             if (entry.agentType) {
                 console.log(`   Agent: ${entry.agentType}`);
             }
+            if (entry.gitRepo) {
+                console.log(`   Repo: ${entry.gitRepo}`);
+            }
+            else if (entry.cwd) {
+                console.log(`   Cwd: ${entry.cwd}`);
+            }
             if (entry.action?.command) {
                 console.log(`   Command: ${entry.action.command}`);
             }