@rafter-security/cli 0.7.7 → 0.7.9

package/dist/core/custom-patterns.js

@@ -1,6 +1,6 @@
 /**
  * Load custom secret patterns from ~/.rafter/patterns/
- * and suppression rules from .rafterignore.
+ * and suppression rules from .rafterignore + .rafter.yml ignore section.
  */
 import fs from "fs";
 import path from "path";
@@ -119,12 +119,13 @@ export function loadSuppressions(projectRoot = process.cwd()) {
                 continue;
             const colonIdx = line.indexOf(":");
             if (colonIdx === -1) {
-                suppressions.push({ pathGlob: line });
+                suppressions.push({ pathGlob: line, source: ".rafterignore" });
             }
             else {
                 suppressions.push({
                     pathGlob: line.slice(0, colonIdx).trim(),
                     patternName: line.slice(colonIdx + 1).trim() || undefined,
+                    source: ".rafterignore",
                 });
             }
         }
@@ -134,6 +135,79 @@ export function loadSuppressions(projectRoot = process.cwd()) {
     }
     return suppressions;
 }
+/**
+ * Convert .rafter.yml ignore rules into the flat Suppression list used at scan time.
+ * Each entry's path globs cross-product with its rule names.
+ */
+export function policyIgnoreToSuppressions(rules) {
+    if (!rules || rules.length === 0)
+        return [];
+    const out = [];
+    for (const rule of rules) {
+        if (!Array.isArray(rule.paths) || rule.paths.length === 0)
+            continue;
+        const ruleNames = Array.isArray(rule.rules) && rule.rules.length > 0 ? rule.rules : [undefined];
+        for (const pathGlob of rule.paths) {
+            for (const ruleName of ruleNames) {
+                out.push({
+                    pathGlob,
+                    patternName: ruleName,
+                    reason: rule.reason,
+                    source: ".rafter.yml",
+                });
+            }
+        }
+    }
+    return out;
+}
+/**
+ * Find the first matching suppression for a finding, or null. First-match wins so
+ * users can put more specific entries earlier and rely on stable precedence.
+ */
+export function findSuppression(filePath, patternName, suppressions) {
+    for (const s of suppressions) {
+        if (matchGlob(s.pathGlob, filePath)) {
+            if (!s.patternName || s.patternName.toLowerCase() === patternName.toLowerCase()) {
+                return s;
+            }
+        }
+    }
+    return null;
+}
+/**
+ * Split scan results into kept matches and structured suppressed findings.
+ * Used by the scan command for engine-agnostic suppression.
+ */
+export function applySuppressions(results, suppressions) {
+    if (suppressions.length === 0)
+        return { results, suppressed: [] };
+    const suppressed = [];
+    const filtered = [];
+    for (const r of results) {
+        const kept = [];
+        for (const m of r.matches) {
+            const hit = findSuppression(r.file, m.pattern.name, suppressions);
+            if (hit) {
+                suppressed.push({
+                    file: r.file,
+                    line: m.line ?? null,
+                    column: m.column ?? null,
+                    rule: m.pattern.name,
+                    severity: m.pattern.severity,
+                    reason: hit.reason ?? null,
+                    source: hit.source ?? ".rafterignore",
+                });
+            }
+            else {
+                kept.push(m);
+            }
+        }
+        if (kept.length > 0) {
+            filtered.push({ ...r, matches: kept });
+        }
+    }
+    return { results: filtered, suppressed };
+}
 /**
  * Returns true if a finding should be suppressed.
  */
@@ -151,10 +225,18 @@ export function isSuppressed(filePath, patternName, suppressions) {
  * Match a file path against a glob pattern using minimatch.
  *
  * Uses `matchBase` so bare patterns like "*.env" match against the basename
- * (e.g. "config/.env"), and `dot` so dotfiles are included.
+ * (e.g. "config/.env"), and `dot` so dotfiles are included. Also tries
+ * matching the glob against any suffix of the path so that relative globs
+ * like `tests/fixtures/**` match absolute paths under any project root.
  */
 function matchGlob(glob, filePath) {
     const g = glob.replace(/\\/g, "/");
     const f = filePath.replace(/\\/g, "/");
-    return minimatch(f, g, { dot: true, matchBase: true });
+    if (minimatch(f, g, { dot: true, matchBase: true }))
+        return true;
+    // Auto-anchor relative globs to "anywhere in the path" so that `tests/**`
+    // matches `/abs/project/tests/foo`. Skip if the user already anchored.
+    if (g.startsWith("/") || g.startsWith("**/") || g.startsWith("**"))
+        return false;
+    return minimatch(f, "**/" + g, { dot: true });
 }

package/dist/core/policy-loader.js

@@ -76,6 +76,31 @@ function mapPolicy(raw) {
             }));
         }
     }
+    if (Array.isArray(raw.ignore)) {
+        const rules = [];
+        for (const entry of raw.ignore) {
+            if (!entry || typeof entry !== "object") {
+                console.error(`Warning: skipping malformed ignore entry — must be an object with paths.`);
+                continue;
+            }
+            const paths = entry.paths;
+            if (!Array.isArray(paths) || paths.length === 0) {
+                console.error(`Warning: skipping ignore entry — "paths" must be a non-empty array of strings.`);
+                continue;
+            }
+            const rule = { paths: paths.map((p) => String(p)) };
+            if (Array.isArray(entry.rules)) {
+                rule.rules = entry.rules.map((r) => String(r));
+            }
+            if (typeof entry.reason === "string" && entry.reason) {
+                rule.reason = entry.reason;
+            }
+            rules.push(rule);
+        }
+        if (rules.length > 0) {
+            policy.ignore = rules;
+        }
+    }
     if (raw.audit && typeof raw.audit === "object") {
         policy.audit = {};
         if (raw.audit.retention_days != null) {
@@ -153,7 +178,7 @@ function deriveDocId(source, kind) {
     const crypto = require("crypto");
     return crypto.createHash("sha256").update(source).digest("hex").slice(0, 8);
 }
-const VALID_TOP_LEVEL_KEYS = new Set(["version", "risk_level", "command_policy", "scan", "audit", "docs"]);
+const VALID_TOP_LEVEL_KEYS = new Set(["version", "risk_level", "command_policy", "scan", "ignore", "audit", "docs"]);
 const VALID_RISK_LEVELS = new Set(["minimal", "moderate", "aggressive"]);
 const VALID_COMMAND_MODES = new Set(["allow-all", "approve-dangerous", "deny-list"]);
 const VALID_LOG_LEVELS = new Set(["debug", "info", "warn", "error"]);
@@ -232,6 +257,40 @@ function validatePolicy(policy, raw) {
             }
         }
     }
+    if (policy.ignore !== undefined) {
+        if (!Array.isArray(policy.ignore)) {
+            console.error(`Warning: "ignore" must be an array — ignoring.`);
+            delete policy.ignore;
+        }
+        else {
+            const valid = [];
+            for (const entry of policy.ignore) {
+                if (!entry || typeof entry !== "object") {
+                    console.error(`Warning: skipping malformed ignore entry — must be an object with paths.`);
+                    continue;
+                }
+                if (!Array.isArray(entry.paths) || entry.paths.length === 0 || !entry.paths.every((p) => typeof p === "string" && p)) {
+                    console.error(`Warning: skipping ignore entry — "paths" must be a non-empty array of strings.`);
+                    continue;
+                }
+                if (entry.rules !== undefined && (!Array.isArray(entry.rules) || !entry.rules.every((r) => typeof r === "string"))) {
+                    console.error(`Warning: skipping ignore entry — "rules" must be an array of strings.`);
+                    continue;
+                }
+                if (entry.reason !== undefined && typeof entry.reason !== "string") {
+                    console.error(`Warning: ignore entry "reason" must be a string — dropping reason.`);
+                    delete entry.reason;
+                }
+                valid.push(entry);
+            }
+            if (valid.length > 0) {
+                policy.ignore = valid;
+            }
+            else {
+                delete policy.ignore;
+            }
+        }
+    }
     if (policy.audit) {
         if (policy.audit.retentionDays !== undefined && (typeof policy.audit.retentionDays !== "number" || isNaN(policy.audit.retentionDays))) {
             console.error(`Warning: "audit.retention_days" must be a number — ignoring.`);

package/dist/scanners/regex-scanner.js

@@ -2,7 +2,7 @@ import fs from "fs";
 import path from "path";
 import { PatternEngine } from "../core/pattern-engine.js";
 import { DEFAULT_SECRET_PATTERNS } from "./secret-patterns.js";
-import { loadCustomPatterns, loadSuppressions, isSuppressed } from "../core/custom-patterns.js";
+import { loadCustomPatterns } from "../core/custom-patterns.js";
 export class RegexScanner {
     constructor(customPatterns) {
         const patterns = [...DEFAULT_SECRET_PATTERNS, ...loadCustomPatterns()];
@@ -16,16 +16,15 @@ export class RegexScanner {
             }
         }
         this.engine = new PatternEngine(patterns);
-        this.suppressions = loadSuppressions();
     }
     /**
-     * Scan a single file for secrets
+     * Scan a single file for secrets. Suppression is applied at the scan
+     * command boundary (engine-agnostic), not here.
      */
     scanFile(filePath) {
         try {
             const content = fs.readFileSync(filePath, "utf-8");
-            const raw = this.engine.scanWithPosition(content);
-            const matches = raw.filter((m) => !isSuppressed(filePath, m.pattern.name, this.suppressions));
+            const matches = this.engine.scanWithPosition(content);
             return { file: filePath, matches };
         }
         catch (e) {

package/dist/utils/skill-manager.js

@@ -11,22 +11,51 @@ export class SkillManager {
         this.configManager = new ConfigManager();
     }
     /**
-     * Get path to OpenClaw skills directory
+     * Path to the OpenClaw root directory.
+     *
+     * The platform's presence is the platform root, not the skills dir — a
+     * fresh OpenClaw install has no skills written yet.
+     */
+    getOpenClawRoot() {
+        return path.join(os.homedir(), ".openclaw");
+    }
+    /**
+     * Path to the OpenClaw default-workspace skills directory.
+     *
+     * Per docs.openclaw.ai/tools/skills, OpenClaw auto-discovers skills from
+     * `<workspace>/skills/<skill>/SKILL.md`. The default workspace lives at
+     * `~/.openclaw/workspace/`. ClawHub-style skills are directories
+     * containing a `SKILL.md`, not loose markdown files.
+     *
+     * Earlier rafter versions wrote to `~/.openclaw/skills/<name>.md` — that
+     * path was never read by OpenClaw at runtime. Migrated in rf-zgwj.
      */
     getOpenClawSkillsDir() {
-        return path.join(os.homedir(), ".openclaw", "skills");
+        return path.join(this.getOpenClawRoot(), "workspace", "skills");
+    }
+    /**
+     * Path to the Rafter Security skill directory (containing SKILL.md).
+     */
+    getRafterSkillDir() {
+        return path.join(this.getOpenClawSkillsDir(), "rafter-security");
     }
     /**
-     * Get path to Rafter Security skill in OpenClaw
+     * Path to the Rafter Security SKILL.md file.
      */
     getRafterSkillPath() {
-        return path.join(this.getOpenClawSkillsDir(), "rafter-security.md");
+        return path.join(this.getRafterSkillDir(), "SKILL.md");
+    }
+    /**
+     * Legacy install path used by rafter ≤ 0.7.7. Removed on reinstall.
+     */
+    getLegacyRafterSkillPath() {
+        return path.join(this.getOpenClawRoot(), "skills", "rafter-security.md");
     }
     /**
      * Get path to old skill-auditor (for migration)
      */
     getOldSkillAuditorPath() {
-        return path.join(this.getOpenClawSkillsDir(), "rafter-skill-auditor.md");
+        return path.join(this.getOpenClawRoot(), "skills", "rafter-skill-auditor.md");
     }
     /**
      * Get path to Rafter Security skill source in CLI resources
@@ -42,10 +71,21 @@ export class SkillManager {
         return path.join(this.getOpenClawSkillsDir(), ".backups");
     }
     /**
-     * Check if OpenClaw is installed (skills directory exists)
+     * Check if OpenClaw is installed.
+     *
+     * Detects the platform root (~/.openclaw) — a fresh OpenClaw install
+     * doesn't have the workspace skills dir yet, so checking the skills dir
+     * gave a false-negative until at least one skill was written.
      */
     isOpenClawInstalled() {
-        return fs.existsSync(this.getOpenClawSkillsDir());
+        return fs.existsSync(this.getOpenClawRoot());
+    }
+    /**
+     * Check if the legacy skill file from rafter ≤ 0.7.7 is present.
+     * Used to print a migration note on reinstall (rf-zgwj).
+     */
+    hasLegacyRafterSkill() {
+        return fs.existsSync(this.getLegacyRafterSkillPath());
     }
     /**
      * Check if Rafter Security skill is installed
@@ -135,6 +175,36 @@ export class SkillManager {
             return false;
         }
     }
+    /**
+     * Remove the rafter ≤ 0.7.7 install path
+     * (`~/.openclaw/skills/rafter-security.md`). OpenClaw never read that
+     * path; we strip it on reinstall so the user is left with just the
+     * canonical ClawHub-shaped skill (rf-zgwj migration).
+     */
+    removeLegacyRafterSkill() {
+        const legacy = this.getLegacyRafterSkillPath();
+        if (!fs.existsSync(legacy))
+            return;
+        try {
+            fs.unlinkSync(legacy);
+            console.log(`✓ Removed legacy ${legacy} (superseded by ClawHub-shaped skill at ${this.getRafterSkillPath()})`);
+        }
+        catch {
+            /* best-effort */
+        }
+        // Clean up empty parent if we just emptied it. Don't touch dirs that
+        // contain other user content.
+        const legacyDir = path.dirname(legacy);
+        try {
+            const entries = fs.readdirSync(legacyDir);
+            if (entries.length === 0) {
+                fs.rmdirSync(legacyDir);
+            }
+        }
+        catch {
+            /* best-effort */
+        }
+    }
     /**
      * Migrate from old separate skill-auditor to combined Rafter Security skill
      */
@@ -151,25 +221,33 @@ export class SkillManager {
         }
     }
     /**
-     * Install Rafter Security skill to OpenClaw (verbose result)
+     * Install Rafter Security skill to OpenClaw (verbose result).
+     *
+     * rf-zgwj: writes to the canonical ClawHub workspace location
+     * (`~/.openclaw/workspace/skills/rafter-security/SKILL.md`) so OpenClaw
+     * auto-discovers it at session start. Earlier versions wrote to
+     * `~/.openclaw/skills/rafter-security.md` — that file is removed on
+     * reinstall as a migration step.
      */
     async installRafterSkillVerbose(force = false) {
         const skillPath = this.getRafterSkillPath();
         const sourcePath = this.getRafterSkillSourcePath();
-        // Check if ~/.openclaw exists (the parent dir), not just the skills subdir
-        const openclawDir = path.join(os.homedir(), ".openclaw");
-        if (!fs.existsSync(openclawDir)) {
-            return { ok: false, sourcePath, destPath: skillPath, error: `OpenClaw not found: ${openclawDir}` };
+        if (!this.isOpenClawInstalled()) {
+            return { ok: false, sourcePath, destPath: skillPath, error: `OpenClaw not found: ${this.getOpenClawRoot()}` };
         }
         // Check if already installed and not forcing
         if (!force && this.isRafterSkillInstalled()) {
+            // Still strip the legacy file on reinstall — a previous rafter
+            // version may have left it behind alongside a hand-installed skill.
+            this.removeLegacyRafterSkill();
             return { ok: true, sourcePath, destPath: skillPath };
         }
         try {
-            // Ensure skills directory exists (may not exist on fresh OpenClaw installs)
-            const skillsDir = this.getOpenClawSkillsDir();
-            if (!fs.existsSync(skillsDir)) {
-                fs.mkdirSync(skillsDir, { recursive: true });
+            // Ensure the skill dir (NOT just the parent skills dir) exists; the
+            // ClawHub format is one directory per skill.
+            const skillDir = this.getRafterSkillDir();
+            if (!fs.existsSync(skillDir)) {
+                fs.mkdirSync(skillDir, { recursive: true });
             }
             // Verify source exists
             if (!fs.existsSync(sourcePath)) {
@@ -178,6 +256,8 @@ export class SkillManager {
             // Copy skill file
             const sourceContent = fs.readFileSync(sourcePath, "utf-8");
             fs.writeFileSync(skillPath, sourceContent, "utf-8");
+            // Migration: strip the rafter ≤ 0.7.7 install path (rf-zgwj).
+            this.removeLegacyRafterSkill();
             // Update config
             const version = this.getSourceVersion();
             if (version) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rafter-security/cli",
-  "version": "0.7.7",
+  "version": "0.7.9",
   "type": "module",
   "bin": {
     "rafter": "./dist/index.js"

package/resources/agents/rafter.md

@@ -0,0 +1,81 @@
+---
+name: rafter
+description: Use proactively to answer "is this safe / secure / production worthy?" Delegate when about to commit, push, open a PR, or mark a security-relevant task done; when a diff touches auth, credentials, secrets, user input, SQL, shell, file paths, deserialization, or crypto; when evaluating a destructive shell command before running it; or when reviewing a third-party skill, MCP server, or agent config before installing. Returns a structured finding list with severity, location, and a one-sentence fix.
+tools: Bash, Read, Grep
+---
+
+# Rafter — Security Sub-Agent
+
+You are Rafter, a security-focused sub-agent. The calling agent has handed you a security question and is waiting for a tight, structured verdict. You do not write code. You do not commit. You do not run scanners other than `rafter`.
+
+## Pick the right tier — DO NOT stop at "local"
+
+Rafter ships three CLI tiers **and** four in-repo skills. They are NOT interchangeable. The local tier is the narrowest — secrets-only — and stopping there is the #1 way agents under-use rafter.
+
+**Anti-patterns that count as "stopping at local":**
+- Running `rafter secrets` clean and reporting "rafter passed" — you ran a regex sweep, not a security scan.
+- Skipping `rafter run` because `RAFTER_API_KEY` is unset, and not saying so in the verdict.
+- Treating the CLI as the whole tool. The judgment-layer skills (`rafter-code-review`, `rafter-secure-design`, `rafter-skill-review`) catch what scanners can't.
+- Auditing a third-party skill / MCP / agent config by eye instead of running `rafter-skill-review`.
+
+### CLI tiers (run code through the scanner)
+
+1. **`rafter run`** (default mode) — remote SAST + SCA + secrets via the Rafter API. Real code analysis: dataflow, taint, vulnerable deps, crypto misuse, injection sinks. Needs `RAFTER_API_KEY`. **This is the default for "is this safe / secure / production worthy?".**
+2. **`rafter run --mode plus`** — agentic deep-dive on suspicious patterns. Slower, higher signal. Use when fast mode flags something worth investigating, or when stakes are high (auth, payments, ingress, crypto, anything user-data-shaped).
+3. **`rafter secrets [path]`** — local secrets only (regex + gitleaks for hardcoded API keys, tokens, private keys). Fast, offline, no key. **NOT a code security scan.** Will not find SQL injection, SSRF, auth bugs, deserialization, or logic flaws. Use only when no API key is available, or as a fast pre-check alongside `rafter run`.
+
+If `RAFTER_API_KEY` is unset, run `rafter secrets` and **say so explicitly in your verdict** — "secrets-only pass; full code analysis was skipped (no API key)." Do not claim the code was "scanned" without that qualification. Never silently downgrade.
+
+### Rafter skills (the judgment layer the scanner can't reach)
+
+The CLI finds patterns. Skills ask the questions patterns miss — design choices, code-review walkthroughs, third-party-asset vetting. Skills ship next to this sub-agent at `.claude/skills/<name>/`. **`Read` the SKILL.md first; pull a sub-doc from `docs/` only if the skill points you at one.** The CLI is necessary but rarely sufficient — for any non-trivial security question, plan to use both.
+
+- **`rafter`** — the tier router. Same three CLI tiers plus a Choose-Your-Adventure for "scan code", "evaluate a command", "audit a plugin", "understand a finding", "write secure code from scratch", "analyse existing code for flaws". Start here when the right move isn't obvious.
+  - → `.claude/skills/rafter/SKILL.md`
+  - Sub-docs: `docs/backend.md` (fast vs plus, auth, cost), `docs/cli-reference.md` (full flag matrix), `docs/finding-triage.md` (how to read output), `docs/guardrails.md` (PreToolUse hooks + risk tiers), `docs/shift-left.md` (when to invoke earlier).
+- **`rafter-secure-design`** — shift-left, design-phase questions *before the code exists*. Use at feature kickoff, architecture review, or when picking between primitives.
+  - → `.claude/skills/rafter-secure-design/SKILL.md`
+  - Sub-docs: `docs/auth.md`, `docs/data-storage.md`, `docs/api-design.md`, `docs/ingestion.md`, `docs/deployment.md`, `docs/dependencies.md`, `docs/threat-modeling.md`, `docs/standards-pointers.md`.
+- **`rafter-code-review`** — structured review (OWASP / MITRE / ASVS) as questions, not audits. Pairs with `rafter run`: the scanner finds known-bad patterns, this skill asks the questions patterns miss. Use during PR review, refactoring risky modules, or pre-release hardening.
+  - → `.claude/skills/rafter-code-review/SKILL.md`
+  - Sub-docs: `docs/web-app.md`, `docs/api.md`, `docs/llm.md` (LLM-integrated apps), `docs/cwe-top25.md`, `docs/asvs.md`, `docs/investigation-playbook.md`.
+- **`rafter-skill-review`** — REQUIRED before installing any third-party `SKILL.md`, MCP manifest, Cursor rule, or agent config. Installing a skill grants Read/Bash/network under the caller's identity — `curl | sh` in a different costume. Wraps `rafter skill review`.
+  - → `.claude/skills/rafter-skill-review/SKILL.md`
+  - Sub-docs: `docs/authorship-provenance.md`, `docs/malware-indicators.md`, `docs/prompt-injection.md`, `docs/data-practices.md`, `docs/telemetry.md`, `docs/changelog-review.md`.
+
+### Routing rule
+
+| Question shape | Reach for |
+|---|---|
+| "Is this code / diff / repo safe?" (existing code) | `rafter run` (CLI tier 1) **and** `rafter-code-review` skill for the judgment layer — not one or the other |
+| "Is this design / primitive / API shape safe?" (no code yet) | `rafter-secure-design` skill (CLI can't help — there's no code) |
+| "Is this command safe to run?" | `rafter agent exec --dry-run -- <cmd>` (see `rafter/docs/guardrails.md`) |
+| "Is this skill / MCP / agent config safe to install?" | `rafter-skill-review` skill — **vet before install, not after** |
+| "How do I read this finding?" | `rafter` skill → `docs/finding-triage.md` |
+| "Which rafter thing should I even use?" | `rafter` skill (tier router) |
+
+## Other rafter commands you can use
+
+- `rafter agent exec --dry-run -- <command>` — classify a shell command's risk tier before running it.
+- `rafter agent exec -- <command>` — wrap execution; blocks on critical, prompts on high.
+- `cat ~/.rafter/audit.jsonl` — recent security-relevant events on this machine (read-only inspection).
+
+## Protocol
+
+1. **Infer scope** from the caller's prompt: a path, a diff, a commit range, a shell command, a third-party config to install, a design sketch. If scope is ambiguous, default to scanning the current working directory.
+2. **Pick the right tool** using the routing table above. When unsure, `Read` `.claude/skills/rafter/SKILL.md` first — that's the tier router.
+3. **Run it.** Capture stdout/stderr. For skill-driven judgment work, walk the skill's checklist and capture findings the same way you would CLI output.
+4. **Report.** One short paragraph of verdict, then findings as a list:
+   - `severity` (critical / high / medium / low / info)
+   - `location` (`file:line` or command/snippet)
+   - `rule` or category (e.g. `hardcoded-secret`, `sql-injection`, `dangerous-shell`, `design:auth-primitive`, `skill:prompt-injection`)
+   - `fix` (one sentence — what the caller should change)
+   - If there are no findings: say so in one line and stop.
+
+## Hard rules
+
+- **Never** modify code, write files, run `git commit`, or open PRs. You are read-only.
+- **Never** invoke non-rafter scanners (no `npm audit`, no `safety`, no `trivy`). The caller can do that — your job is the rafter signal.
+- **Never** silently fall back to a weaker tier. If you couldn't run the tier the question called for, name the tier you ran and why.
+- **Never** install or load a third-party skill / MCP / agent asset on the caller's behalf. Vet via `rafter-skill-review` and return the verdict; the caller decides.
+- Be terse. The calling agent wants a verdict, not an essay.

package/resources/continue-rules/rafter-code-review.md

@@ -0,0 +1,15 @@
+---
+name: rafter-code-review
+description: "REQUIRED before declaring a task done when the diff touches user input, SQL, shell, auth, credentials, file paths, serialization, or dependency surface. Walks OWASP/ASVS/MITRE questions the compiler and the test suite won't catch. Pair with `rafter run` on the same diff. A security-relevant task marked complete without both has been under-delivered — do not claim done."
+alwaysApply: false
+---
+
+# rafter-code-review — structured pre-merge review
+
+Pointer rule. Use the `rafter-code-review` skill at `.claude/skills/rafter-code-review/SKILL.md` BEFORE declaring done on any diff touching the surface listed above.
+
+- Read the matching sub-doc (web-app / api / llm / cli-library-iac).
+- Walk the OWASP / ASVS / MITRE questions the scanner can't ask.
+- Pair with `rafter run` on the same diff — the scanner finds known-bad patterns, this skill asks the questions patterns miss.
+
+A security-relevant task marked complete without BOTH the skill walkthrough and a `rafter run` pass has been under-delivered. Do not claim done until both are recorded.

package/resources/continue-rules/rafter-secure-design.md

@@ -0,0 +1,15 @@
+---
+name: rafter-secure-design
+description: "REQUIRED before writing code for any feature touching auth, payments, credentials, tokens, sessions, file upload, user data, or data deletion. Invoke it, record answers inline in the design doc or PR description, then write the code. Skipping this is how auth bypass, token leakage, and delete-the-wrong-record bugs ship. If the feature touches any of those surfaces and this hasn't run, the design is incomplete — do not proceed to implementation."
+alwaysApply: false
+---
+
+# rafter-secure-design — shift-left design review
+
+Pointer rule. Use the `rafter-secure-design` skill at `.claude/skills/rafter-secure-design/SKILL.md` BEFORE writing code for any feature on the surface listed above.
+
+- Read the matching sub-doc (auth / data-storage / api-design / ingestion / deployment / dependencies).
+- Each sub-doc is a set of questions a security engineer would ask at kickoff — answer them inline in the design or PR description.
+- Pair with `rafter-code-review` (mid-lifecycle) and `rafter run` (detection) once code exists.
+
+Skipping this skill on the listed surfaces is how auth bypass, token leakage, and delete-the-wrong-record bugs ship. Do not proceed to implementation until it has run.

package/resources/continue-rules/rafter-skill-review.md

@@ -0,0 +1,15 @@
+---
+name: rafter-skill-review
+description: "REQUIRED before copying any third-party SKILL.md, MCP manifest, Cursor rule, or agent config into this machine or forwarding one to a user. Installing a skill grants Read/Bash/network under your identity — this is `curl | sh` in a different costume. Do not install, load, recommend, or forward any third-party agent asset until this skill has vetted it. Bypassing this turns the agent into a delivery vector."
+alwaysApply: false
+---
+
+# rafter-skill-review — vet before you install
+
+Pointer rule. Use the `rafter-skill-review` skill at `.claude/skills/rafter-skill-review/SKILL.md` BEFORE installing or forwarding any third-party agent asset.
+
+- Run `rafter skill review <path-or-url>` against the SKILL.md / MCP manifest / Cursor rule / agent config.
+- Read the skill's sub-docs for the deeper review questions (telemetry, allowed-tools, network egress).
+- Do NOT install, load, recommend, or forward the asset until the skill has produced a verdict.
+
+Installing a skill grants Read/Bash/network under your identity — `curl | sh` in a different costume. Bypassing this turns the agent into a delivery vector.

package/resources/continue-rules/rafter.md

@@ -0,0 +1,16 @@
+---
+name: rafter
+description: "Entry point for rafter. Invoke when a sub-skill is unclear, or when the task needs `rafter run` (remote SAST+SCA), `rafter secrets` (local secrets-only), `rafter audit`, policy checks, or command-risk evaluation. If a task is security-relevant and no rafter skill or CLI call has been made, invoke this before handing the task off — an un-evaluated \"done\" on security-relevant work is not done."
+alwaysApply: false
+---
+
+# rafter — security toolkit router
+
+Pointer rule. Use the `rafter` skill (full guidance at `.claude/skills/rafter/SKILL.md`).
+
+- Run `rafter run` for the default tier — remote SAST + SCA + secrets. Needs `RAFTER_API_KEY`.
+- Run `rafter run --mode plus` for agentic deep-dive on suspicious patterns.
+- Run `rafter secrets <path>` for offline secrets-only (NOT a code security scan).
+- Run `rafter agent exec --dry-run -- <cmd>` to classify a shell command's risk before running it.
+
+If unsure which tier to pick, Read `.claude/skills/rafter/SKILL.md` and follow the routing table.

package/resources/cursor-rules/rafter-code-review.mdc

@@ -0,0 +1,14 @@
+---
+description: "REQUIRED before declaring a task done when the diff touches user input, SQL, shell, auth, credentials, file paths, serialization, or dependency surface. Walks OWASP/ASVS/MITRE questions the compiler and the test suite won't catch. Pair with `rafter run` on the same diff. A security-relevant task marked complete without both has been under-delivered — do not claim done."
+alwaysApply: false
+---
+
+# rafter-code-review — structured pre-merge review
+
+Pointer rule. Use the `rafter-code-review` skill at `.claude/skills/rafter-code-review/SKILL.md` BEFORE declaring done on any diff touching the surface listed above.
+
+- Read the matching sub-doc (web-app / api / llm / cli-library-iac).
+- Walk the OWASP / ASVS / MITRE questions the scanner can't ask.
+- Pair with `rafter run` on the same diff — the scanner finds known-bad patterns, this skill asks the questions patterns miss.
+
+A security-relevant task marked complete without BOTH the skill walkthrough and a `rafter run` pass has been under-delivered. Do not claim done until both are recorded.

package/resources/cursor-rules/rafter-secure-design.mdc

@@ -0,0 +1,14 @@
+---
+description: "REQUIRED before writing code for any feature touching auth, payments, credentials, tokens, sessions, file upload, user data, or data deletion. Invoke it, record answers inline in the design doc or PR description, then write the code. Skipping this is how auth bypass, token leakage, and delete-the-wrong-record bugs ship. If the feature touches any of those surfaces and this hasn't run, the design is incomplete — do not proceed to implementation."
+alwaysApply: false
+---
+
+# rafter-secure-design — shift-left design review
+
+Pointer rule. Use the `rafter-secure-design` skill at `.claude/skills/rafter-secure-design/SKILL.md` BEFORE writing code for any feature on the surface listed above.
+
+- Read the matching sub-doc (auth / data-storage / api-design / ingestion / deployment / dependencies).
+- Each sub-doc is a set of questions a security engineer would ask at kickoff — answer them inline in the design or PR description.
+- Pair with `rafter-code-review` (mid-lifecycle) and `rafter run` (detection) once code exists.
+
+Skipping this skill on the listed surfaces is how auth bypass, token leakage, and delete-the-wrong-record bugs ship. Do not proceed to implementation until it has run.

package/resources/cursor-rules/rafter-skill-review.mdc

@@ -0,0 +1,14 @@
+---
+description: "REQUIRED before copying any third-party SKILL.md, MCP manifest, Cursor rule, or agent config into this machine or forwarding one to a user. Installing a skill grants Read/Bash/network under your identity — this is `curl | sh` in a different costume. Do not install, load, recommend, or forward any third-party agent asset until this skill has vetted it. Bypassing this turns the agent into a delivery vector."
+alwaysApply: false
+---
+
+# rafter-skill-review — vet before you install
+
+Pointer rule. Use the `rafter-skill-review` skill at `.claude/skills/rafter-skill-review/SKILL.md` BEFORE installing or forwarding any third-party agent asset.
+
+- Run `rafter skill review <path-or-url>` against the SKILL.md / MCP manifest / Cursor rule / agent config.
+- Read the skill's sub-docs for the deeper review questions (telemetry, allowed-tools, network egress).
+- Do NOT install, load, recommend, or forward the asset until the skill has produced a verdict.
+
+Installing a skill grants Read/Bash/network under your identity — `curl | sh` in a different costume. Bypassing this turns the agent into a delivery vector.

package/resources/cursor-rules/rafter.mdc

@@ -0,0 +1,15 @@
+---
+description: "Entry point for rafter. Invoke when a sub-skill is unclear, or when the task needs `rafter run` (remote SAST+SCA), `rafter secrets` (local secrets-only), `rafter audit`, policy checks, or command-risk evaluation. If a task is security-relevant and no rafter skill or CLI call has been made, invoke this before handing the task off — an un-evaluated \"done\" on security-relevant work is not done."
+alwaysApply: false
+---
+
+# rafter — security toolkit router
+
+Pointer rule. Use the `rafter` skill (full guidance at `.claude/skills/rafter/SKILL.md`, also installed as a Cursor sub-agent at `.cursor/agents/rafter.md`).
+
+- Run `rafter run` for the default tier — remote SAST + SCA + secrets. Needs `RAFTER_API_KEY`.
+- Run `rafter run --mode plus` for agentic deep-dive on suspicious patterns.
+- Run `rafter secrets <path>` for offline secrets-only (NOT a code security scan).
+- Run `rafter agent exec --dry-run -- <cmd>` to classify a shell command's risk before running it.
+
+If unsure which tier to pick, Read `.claude/skills/rafter/SKILL.md` and follow the routing table.