@rafter-security/cli 0.7.6 → 0.7.9

package/resources/rafter-security-skill.md

@@ -1,13 +1,21 @@
 ---
-openclaw:
-  skillKey: rafter-security
-  primaryEnv: RAFTER_API_KEY
-  emoji: 🛡️
-  always: false
-  requires:
-    bins: [rafter]
-version: 0.5.8
-last_updated: 2026-03-04
+name: rafter-security
+description: Security toolkit for AI workflows. Use when scanning code or repos for vulnerabilities, auditing third-party skills/MCPs/agent configs before installing, evaluating shell commands before running them, or generating secure design questions for new features. Provides `rafter run` (remote SAST + SCA, needs RAFTER_API_KEY), `rafter secrets` (offline secrets-only), `rafter agent exec --dry-run` (command-risk classification), and `rafter skill review`.
+version: 0.7.9
+homepage: https://rafter.so
+metadata:
+  openclaw:
+    skillKey: rafter-security
+    primaryEnv: RAFTER_API_KEY
+    emoji: 🛡️
+    always: false
+    requires:
+      bins: [rafter]
+    envVars:
+      - name: RAFTER_API_KEY
+        required: false
+        description: API key for `rafter run` (remote SAST + SCA + agentic deep-dive). Without it, `rafter secrets` (local secrets scan) still works.
+last_updated: 2026-05-07
 ---
 
 # Rafter Security

package/resources/windsurf-rules/rafter-code-review.md

@@ -0,0 +1,14 @@
+---
+trigger: model_decision
+description: "REQUIRED before declaring a task done when the diff touches user input, SQL, shell, auth, credentials, file paths, serialization, or dependency surface. Walks OWASP/ASVS/MITRE questions the compiler and the test suite won't catch. Pair with `rafter run` on the same diff. A security-relevant task marked complete without both has been under-delivered — do not claim done."
+---
+
+# rafter-code-review — structured pre-merge review
+
+Pointer rule. Use the `rafter-code-review` skill at `.claude/skills/rafter-code-review/SKILL.md` BEFORE declaring done on any diff touching the surface listed above.
+
+- Read the matching sub-doc (web-app / api / llm / cli-library-iac).
+- Walk the OWASP / ASVS / MITRE questions the scanner can't ask.
+- Pair with `rafter run` on the same diff — the scanner finds known-bad patterns, this skill asks the questions patterns miss.
+
+A security-relevant task marked complete without BOTH the skill walkthrough and a `rafter run` pass has been under-delivered. Do not claim done until both are recorded.

package/resources/windsurf-rules/rafter-secure-design.md

@@ -0,0 +1,14 @@
+---
+trigger: model_decision
+description: "REQUIRED before writing code for any feature touching auth, payments, credentials, tokens, sessions, file upload, user data, or data deletion. Invoke it, record answers inline in the design doc or PR description, then write the code. Skipping this is how auth bypass, token leakage, and delete-the-wrong-record bugs ship. If the feature touches any of those surfaces and this hasn't run, the design is incomplete — do not proceed to implementation."
+---
+
+# rafter-secure-design — shift-left design review
+
+Pointer rule. Use the `rafter-secure-design` skill at `.claude/skills/rafter-secure-design/SKILL.md` BEFORE writing code for any feature on the surface listed above.
+
+- Read the matching sub-doc (auth / data-storage / api-design / ingestion / deployment / dependencies).
+- Each sub-doc is a set of questions a security engineer would ask at kickoff — answer them inline in the design or PR description.
+- Pair with `rafter-code-review` (mid-lifecycle) and `rafter run` (detection) once code exists.
+
+Skipping this skill on the listed surfaces is how auth bypass, token leakage, and delete-the-wrong-record bugs ship. Do not proceed to implementation until it has run.

package/resources/windsurf-rules/rafter-skill-review.md

@@ -0,0 +1,14 @@
+---
+trigger: model_decision
+description: "REQUIRED before copying any third-party SKILL.md, MCP manifest, Cursor rule, or agent config into this machine or forwarding one to a user. Installing a skill grants Read/Bash/network under your identity — this is `curl | sh` in a different costume. Do not install, load, recommend, or forward any third-party agent asset until this skill has vetted it. Bypassing this turns the agent into a delivery vector."
+---
+
+# rafter-skill-review — vet before you install
+
+Pointer rule. Use the `rafter-skill-review` skill at `.claude/skills/rafter-skill-review/SKILL.md` BEFORE installing or forwarding any third-party agent asset.
+
+- Run `rafter skill review <path-or-url>` against the SKILL.md / MCP manifest / Cursor rule / agent config.
+- Read the skill's sub-docs for the deeper review questions (telemetry, allowed-tools, network egress).
+- Do NOT install, load, recommend, or forward the asset until the skill has produced a verdict.
+
+Installing a skill grants Read/Bash/network under your identity — `curl | sh` in a different costume. Bypassing this turns the agent into a delivery vector.

package/resources/windsurf-rules/rafter.md

@@ -0,0 +1,15 @@
+---
+trigger: model_decision
+description: "Entry point for rafter. Invoke when a sub-skill is unclear, or when the task needs `rafter run` (remote SAST+SCA), `rafter secrets` (local secrets-only), `rafter audit`, policy checks, or command-risk evaluation. If a task is security-relevant and no rafter skill or CLI call has been made, invoke this before handing the task off — an un-evaluated \"done\" on security-relevant work is not done."
+---
+
+# rafter — security toolkit router
+
+Pointer rule. Use the `rafter` skill (full guidance at `.claude/skills/rafter/SKILL.md`).
+
+- Run `rafter run` for the default tier — remote SAST + SCA + secrets. Needs `RAFTER_API_KEY`.
+- Run `rafter run --mode plus` for agentic deep-dive on suspicious patterns.
+- Run `rafter secrets <path>` for offline secrets-only (NOT a code security scan).
+- Run `rafter agent exec --dry-run -- <cmd>` to classify a shell command's risk before running it.
+
+If unsure which tier to pick, Read `.claude/skills/rafter/SKILL.md` and follow the routing table.