> ## Documentation Index
> Fetch the complete documentation index at: https://docs.rafter.so/llms.txt
> Use this file to discover all available pages before exploring further.

# Command Reference

> Complete reference for Rafter local security CLI commands

# Command Reference

Complete reference for all Rafter local security and MCP commands.

## `rafter agent init`

Initialize local security system.

```bash theme={null}
rafter agent init [options]
```

### Options

| Flag                   | Description                                                                            | Default    |
| ---------------------- | -------------------------------------------------------------------------------------- | ---------- |
| `--risk-level <level>` | Set risk level: `minimal`, `moderate`, `aggressive`                                    | `moderate` |
| `--with-openclaw`      | Install OpenClaw integration                                                           | false      |
| `--with-claude-code`   | Install Claude Code integration (hooks + skills)                                       | false      |
| `--with-codex`         | Install Codex CLI integration (skills)                                                 | false      |
| `--with-gemini`        | Install Gemini CLI integration (MCP server)                                            | false      |
| `--with-cursor`        | Install Cursor integration (MCP server)                                                | false      |
| `--with-windsurf`      | Install Windsurf integration (MCP server)                                              | false      |
| `--with-continue`      | Install Continue.dev integration (MCP server)                                          | false      |
| `--with-aider`         | Install Aider integration (MCP server)                                                 | false      |
| `--with-openclaw`      | Install OpenClaw integration (ClawHub-shaped skill)                                    | false      |
| `--with-betterleaks`   | Download and install Betterleaks binary (gitleaks successor)                           | false      |
| `--all`                | Install all detected integrations and download Betterleaks                             | false      |
| `-i, --interactive`    | Guided setup — prompts for each detected integration                                   | false      |
| `--update`             | Re-download betterleaks and reinstall integrations without resetting config            | false      |
| `--dry-run`            | Print every file path that would be created, modified, or downloaded — make no changes | false      |

<Note>The legacy `--with-gitleaks`, `--engine gitleaks`, and `rafter agent update-gitleaks` flags were removed in v0.8.0. Use the `-betterleaks` equivalents. `rafter agent verify` and `rafter agent status` still detect a leftover `~/.rafter/bin/gitleaks` and tell you to run `rafter agent update-betterleaks`.</Note>

### What It Does

1. Creates `~/.rafter/config.json` configuration
2. Initializes directory structure (`~/.rafter/`)
3. Detects installed development environments (`~/.claude`, `~/.codex`, `~/.gemini`, etc.)
4. Installs opted-in integrations (skills, hooks, sub-agents, per-skill rules, or MCP server configs)
5. Downloads Betterleaks binary if `--with-betterleaks` or `--all` is passed

### Examples

```bash theme={null}
# Basic initialization (config only, no integrations)
rafter agent init

# Install all detected integrations
rafter agent init --all

# Preview every file path that would change — write nothing
rafter agent init --all --dry-run

# Set aggressive security from start
rafter agent init --risk-level aggressive --all

# Install only Claude Code integration
rafter agent init --with-claude-code

# Install only Codex CLI integration
rafter agent init --with-codex

# Re-download Betterleaks and reinstall
rafter agent init --all --update
```

***

## `rafter agent init-project`

Generate project-level instruction files so AI agents discover Rafter at session start.

```bash theme={null}
rafter agent init-project [options]
```

### Options

| Flag                 | Description                                                      |
| -------------------- | ---------------------------------------------------------------- |
| `--only <platforms>` | Comma-separated list of platforms to generate for                |
| `--list`             | Dry-run — show which files would be created without writing them |

### What It Does

Creates instruction files in the current project for all 7 supported agent platforms:

| Platform     | File Created                        |
| ------------ | ----------------------------------- |
| Claude Code  | `.claude/CLAUDE.md`                 |
| Codex CLI    | `AGENTS.md`                         |
| Gemini CLI   | `GEMINI.md`                         |
| Cursor       | `.cursor/rules/rafter-security.mdc` |
| Windsurf     | `.windsurfrules`                    |
| Continue.dev | `.continuerules`                    |
| Aider        | `.aider/conventions.md`             |

Each file contains a Rafter security context block with scanning commands, integration tips, and CLI reference pointers. Files use marker comments (`<!-- rafter:start/end -->`) for idempotent updates — safe to re-run without duplicating content.

### Examples

```bash theme={null}
# Generate for all platforms
rafter agent init-project

# Preview what would be created
rafter agent init-project --list

# Generate only for specific platforms
rafter agent init-project --only claude-code,cursor

# Generate for a single platform
rafter agent init-project --only codex
```

<Tip>Commit the generated files so every contributor's agent session sees Rafter security context automatically.</Tip>

***

## `rafter secrets`

> **Note:** `rafter agent scan` still works but is deprecated — it will be removed in a future major version.

Scan files or directories for secrets.

```bash theme={null}
rafter secrets [path] [options]
```

### Arguments

| Argument | Description               | Default                 |
| -------- | ------------------------- | ----------------------- |
| `path`   | File or directory to scan | `.` (current directory) |

### Options

| Flag                             | Description                                                                                                                                                                                              |
| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-q, --quiet`                    | Only output if secrets found                                                                                                                                                                             |
| `--json`                         | Output results as JSON (alias for `--format json`)                                                                                                                                                       |
| `--format <type>`                | Output format: `text` (default), `json`, or `sarif`                                                                                                                                                      |
| `--staged`                       | Scan only git-staged files                                                                                                                                                                               |
| `--diff <ref>`                   | Scan only files changed since a git ref (e.g. `HEAD~1`, `main`)                                                                                                                                          |
| `--engine <type>`                | Scan engine: `patterns`, `betterleaks`, or `auto` (default)                                                                                                                                              |
| `--history`                      | Scan git history for secrets (requires `betterleaks` engine)                                                                                                                                             |
| `--baseline`                     | Filter findings present in the saved baseline                                                                                                                                                            |
| `--watch`                        | Watch for file changes and re-scan on change                                                                                                                                                             |
| `--gitignore` / `--no-gitignore` | Honor `.gitignore` when walking the scan target (default: on). Honors nested `.gitignore`, negations, `.git/info/exclude`, and the global excludes file. Outside any git work tree this flag is a no-op. |

### Exit Codes

* `0` - No secrets found
* `1` - Secrets detected
* `2` - Runtime error (path not found, not a git repo, invalid ref)

### Examples

```bash theme={null}
# Scan current directory
rafter secrets

# Scan specific file
rafter secrets ./config.js

# Scan with JSON output
rafter secrets --json > results.json

# CI/CD usage (quiet mode)
rafter secrets --quiet || exit 1

# Scan only changed files
rafter secrets --diff main

# Use Betterleaks engine explicitly (default: auto-pick if installed)
rafter secrets --engine betterleaks

# Watch for changes and re-scan
rafter secrets --watch .
```

### Detected Patterns

<Accordion title="View All 21+ Secret Types">
  **Cloud Providers:**

  * AWS Access Keys (`AKIA...`)
  * AWS Secret Keys
  * Google API Keys (`AIza...`)
  * Google OAuth credentials

  **Version Control:**

  * GitHub Personal Access Tokens (`ghp_...`)
  * GitHub OAuth Tokens (`gho_...`)
  * GitHub App Tokens (`ghu_...`, `ghs_...`)
  * GitHub Refresh Tokens (`ghr_...`)

  **Payment & SaaS:**

  * Stripe API Keys (`sk_live_...`, `rk_live_...`)
  * Slack Tokens (`xox[baprs]-...`)
  * Slack Webhooks
  * Twilio API Keys (`SK...`)

  **Package Registries:**

  * npm Access Tokens (`npm_...`)
  * PyPI API Tokens (`pypi-...`)

  **General:**

  * Database connection strings
  * Private keys (RSA, DSA, EC, OpenSSH)
  * JWT tokens
  * Bearer tokens
  * Generic API keys
  * Generic secrets/passwords
</Accordion>

***

## `rafter agent exec`

Execute command with security validation.

```bash theme={null}
rafter agent exec <command> [options]
```

### Arguments

| Argument  | Description              |
| --------- | ------------------------ |
| `command` | Shell command to execute |

### Options

| Flag          | Description                             |
| ------------- | --------------------------------------- |
| `--skip-scan` | Skip pre-execution file scanning        |
| `--force`     | Skip approval prompts (logged in audit) |

### Command Risk Levels

<AccordionGroup>
  <Accordion title="🔴 Critical (Always Blocked)">
    * `rm -rf /`
    * `:(){ :|:& };:` (fork bomb)
    * `dd if=/dev/zero of=/dev/sda`
    * `> /dev/sda`
    * `mkfs.*`
    * `fdisk`, `parted`
  </Accordion>

  <Accordion title="🟠 High (Requires Approval)">
    * `rm -rf <dir>`
    * `sudo rm`
    * `chmod 777`
    * `curl ... | sh`
    * `git push --force`
    * `npm publish`
    * `docker system prune`
  </Accordion>

  <Accordion title="🟡 Medium (Moderate+ Requires Approval)">
    * `sudo`
    * `chmod`
    * `chown`
    * `kill -9`
    * `systemctl`
  </Accordion>

  <Accordion title="🟢 Low (Allowed)">
    * `npm install`
    * `git commit`
    * File read operations (`ls`, `cat`, `grep`)
    * Basic file operations (`echo`, `touch`)
  </Accordion>
</AccordionGroup>

### Examples

```bash theme={null}
# Safe command - executes immediately
rafter agent exec "npm test"

# Git commit - evaluates risk, then scans staged files
rafter agent exec "git commit -m 'Add feature'"

# High-risk - requires approval
rafter agent exec "sudo systemctl restart nginx"

# Force execution (skip approval, logged)
rafter agent exec "git push --force" --force

# Skip file scanning
rafter agent exec "git commit -m 'Fix typo'" --skip-scan
```

### Pre-Execution Scanning

For all commands, Rafter first evaluates the command against risk rules. For git commands (`git commit`, `git push`), it additionally:

1. Gets list of staged files
2. Scans each file for secrets
3. Blocks if secrets detected
4. Allows if clean

Skip with `--skip-scan` if needed.

***

## `rafter agent config`

Manage agent configuration.

```bash theme={null}
rafter agent config <subcommand> [options]
```

### Subcommands

#### `show`

Display full configuration:

```bash theme={null}
rafter agent config show
```

#### `get <key>`

Get specific configuration value:

```bash theme={null}
rafter agent config get <key>
```

**Example:**

```bash theme={null}
rafter agent config get agent.riskLevel
# Output: moderate
```

#### `set <key> <value>`

Set configuration value:

```bash theme={null}
rafter agent config set <key> <value>
```

**Example:**

```bash theme={null}
rafter agent config set agent.riskLevel aggressive
```

### Configuration Keys

| Key                                   | Type    | Options                                       | Description                                |
| ------------------------------------- | ------- | --------------------------------------------- | ------------------------------------------ |
| `agent.riskLevel`                     | string  | `minimal`, `moderate`, `aggressive`           | Overall security stance                    |
| `agent.commandPolicy.mode`            | string  | `allow-all`, `approve-dangerous`, `deny-list` | Command handling mode                      |
| `agent.commandPolicy.blockedPatterns` | array   | -                                             | Always-blocked command patterns            |
| `agent.commandPolicy.requireApproval` | array   | -                                             | Patterns requiring approval                |
| `agent.outputFiltering.redactSecrets` | boolean | `true`, `false`                               | Redact secrets in output                   |
| `agent.audit.logAllActions`           | boolean | `true`, `false`                               | Log all security events                    |
| `agent.audit.retentionDays`           | number  | -                                             | Log retention period (days)                |
| `agent.audit.logLevel`                | string  | `debug`, `info`, `warn`, `error`              | Log verbosity                              |
| `agent.notifications.webhook`         | string  | -                                             | Webhook URL to POST notifications to       |
| `agent.notifications.minRiskLevel`    | string  | `"high"`, `"critical"`                        | Minimum risk level to trigger notification |

### Examples

```bash theme={null}
# View all config
rafter agent config show

# Get risk level
rafter agent config get agent.riskLevel

# Set to aggressive
rafter agent config set agent.riskLevel aggressive

# Change policy mode
rafter agent config set agent.commandPolicy.mode deny-list

# Enable secret redaction
rafter agent config set agent.outputFiltering.redactSecrets true

# Set log retention
rafter agent config set agent.audit.retentionDays 60

# Configure webhook notifications
rafter agent config set agent.notifications.webhook https://hooks.slack.com/services/T.../B.../xxx
rafter agent config set agent.notifications.minRiskLevel critical
```

***

## `rafter agent audit`

View security audit logs. For the full JSONL schema specification, see [Audit Log](/guides/agent-security/audit-log).

```bash theme={null}
rafter agent audit [options]
```

### Options

| Flag             | Description                                 | Default |
| ---------------- | ------------------------------------------- | ------- |
| `--last <n>`     | Show last N entries                         | `10`    |
| `--event <type>` | Filter by event type                        | -       |
| `--agent <type>` | Filter by agent (`openclaw`, `claude-code`) | -       |
| `--since <date>` | Show entries since date (YYYY-MM-DD)        | -       |

### Event Types

| Event                 | Description               |
| --------------------- | ------------------------- |
| `command_intercepted` | Command execution attempt |
| `secret_detected`     | Secret found in files     |
| `content_sanitized`   | Output redacted           |
| `policy_override`     | User override of policy   |
| `scan_executed`       | File scan performed       |
| `config_changed`      | Configuration modified    |

### Examples

```bash theme={null}
# Show recent logs
rafter agent audit

# Show last 20 entries
rafter agent audit --last 20

# Filter by event type
rafter agent audit --event command_intercepted

# Filter by agent
rafter agent audit --agent openclaw

# Show logs since date
rafter agent audit --since 2026-02-01

# Combine filters
rafter agent audit --event secret_detected --last 50
```

### Output Format

```
🛡️ [2026-02-02 10:30:45] command_intercepted
   Agent: openclaw
   Command: git commit -m 'Add feature'
   Risk: medium
   Check: PASSED
   Action: allowed

🔑 [2026-02-02 10:25:12] secret_detected
   Agent: openclaw
   Risk: critical
   Check: FAILED
   Reason: AWS Access Key detected in config.js
   Action: blocked
```

***

## `rafter agent verify`

Check local security integration status across all 8 supported platforms.

```bash theme={null}
rafter agent verify [--json] [--probe]
```

### What It Does

Validates your Rafter setup by checking 10 things in order:

1. **Config** — `~/.rafter/config.json` exists and is valid JSON
2. **Betterleaks** — Binary available on PATH or at `~/.rafter/bin/betterleaks` (legacy `~/.rafter/bin/gitleaks` is detected and surfaced as an "upgrade needed" hint, not an error)
3. **Claude Code** — `~/.claude/settings.json` has `PreToolUse` hooks installed *(optional)*
4. **OpenClaw** — `~/.openclaw/workspace/skills/rafter-security/SKILL.md` exists with ClawHub frontmatter *(optional)*
5. **Codex CLI** — `~/.agents/skills/rafter/SKILL.md` and `~/.agents/skills/rafter-agent-security/SKILL.md` exist *(optional)*
6. **Gemini CLI** — MCP server configured for Gemini *(optional)*
7. **Cursor** — hooks + per-skill rules + sub-agent installed *(optional)*
8. **Windsurf** — per-skill rules + AGENTS.md + MCP entry installed *(optional)*
9. **Continue.dev** — MCP entry + per-skill rules installed *(optional)*
10. **Aider** — `RAFTER.md` present and listed in `.aider.conf.yml`'s `read:` *(optional)*

Config and Betterleaks are hard requirements (failure → exit 1). Everything else is an optional integration (failure → warning only, exit 0).

### Options

| Flag      | Description                                                                                                                                                                                                                                                                                                              |
| --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `--json`  | Emit a single JSON object (`checks[]` + `summary`) with stable `pass \| warn \| fail` status. Intended for CI consumption.                                                                                                                                                                                               |
| `--probe` | Runtime probe for Claude Code: synthesize a `PreToolUse` stdin payload with a known-dangerous sentinel command, invoke `rafter hook pretool`, and confirm `~/.rafter/audit.jsonl` recorded a `command_intercepted` entry. Catches the "wrote file but the hook never fires" failure mode that file-presence checks miss. |

### Exit Codes

| Code | Meaning                                               |
| ---- | ----------------------------------------------------- |
| `0`  | All required checks passed (optional checks may warn) |
| `1`  | One or more required checks failed                    |

### Examples

```bash theme={null}
# Run health check
rafter agent verify

# CI consumption — single JSON object on stdout
rafter agent verify --json

# Runtime probe — confirms Claude Code's PreToolUse hook actually fires
rafter agent verify --probe

# Example output (all passing):
# ✓ Config        ~/.rafter/config.json
# ✓ Betterleaks   1.1.2 (/home/you/.rafter/bin/betterleaks)
# ✓ Claude Code   PreToolUse hook installed
# ✓ OpenClaw      rafter-security SKILL.md present

# Example output (legacy gitleaks needs upgrade):
# ✓ Config        ~/.rafter/config.json
# ⚠  Betterleaks   legacy gitleaks at ~/.rafter/bin/gitleaks — run: rafter agent update-betterleaks
# ✓ Claude Code   PreToolUse hook installed
```

<Tip>Run `rafter agent verify` after `rafter agent init` to confirm everything installed correctly, and after system updates to catch binary incompatibilities. Use `--probe` in CI/post-install to catch hook regressions that file-presence checks miss.</Tip>

***

## `rafter agent status`

Show a live dashboard of your Rafter local security setup.

```bash theme={null}
rafter agent status
```

### What It Shows

| Section         | Details                                                                                   |
| --------------- | ----------------------------------------------------------------------------------------- |
| **Config**      | Presence and validity of `~/.rafter/config.json`; risk level, audit log path              |
| **Betterleaks** | Version string and binary path (legacy `gitleaks` detected as upgrade-needed hint)        |
| **Hooks**       | Whether `PreToolUse` and `PostToolUse` hooks are registered in Claude Code settings       |
| **OpenClaw**    | Whether the `rafter-security` SKILL.md is installed under `~/.openclaw/workspace/skills/` |
| **Audit Log**   | Total event count + 5 most recent events (type, timestamp, risk)                          |

### Example Output

```bash theme={null}
rafter agent status

# Rafter Agent Status
# ─────────────────────────────────
# Config:       ~/.rafter/config.json  (risk: medium)
# Betterleaks:  1.1.2  (/home/you/.rafter/bin/betterleaks)
# Hooks:        PreToolUse ✓  PostToolUse ✓
# OpenClaw:     rafter-security SKILL.md ✓
#
# Audit Log: 142 events
#   [2026-02-21 14:32] command_allowed      low
#   [2026-02-21 14:31] secret_detected      high
#   [2026-02-21 14:28] command_intercepted  critical
#   [2026-02-21 14:20] command_allowed      low
#   [2026-02-21 14:18] command_allowed      low
```

***

## `rafter agent install-hook`

Install a git pre-commit hook that scans staged files for secrets before each commit.

```bash theme={null}
rafter agent install-hook [options]
```

### Options

| Flag       | Description                               | Default            |
| ---------- | ----------------------------------------- | ------------------ |
| `--global` | Install for all git repos on this machine | false (local only) |

### What It Does

**Without `--global`** (local install):

* Writes hook to `.git/hooks/pre-commit` in the current repo
* Backs up any existing hook before overwriting

**With `--global`** (global install):

* Writes hook to `~/.rafter/git-hooks/pre-commit`
* Sets `git config --global core.hooksPath ~/.rafter/git-hooks`
* Applies to every git repo on the machine

When `git commit` runs, the hook calls `rafter secrets --staged`. If secrets are detected the commit is blocked. Pass `git commit --no-verify` to bypass (not recommended).

### Examples

```bash theme={null}
# Install for current repo
rafter agent install-hook

# Install globally for all repos
rafter agent install-hook --global

# Remove global hook
git config --global --unset core.hooksPath
```

***

## `rafter agent audit-skill`

Security audit of a Claude Code or OpenClaw skill file.

```bash theme={null}
rafter agent audit-skill <skill-path> [options]
```

### Arguments

| Argument       | Description                                |
| -------------- | ------------------------------------------ |
| `<skill-path>` | Path to the skill file to audit (required) |

### Options

| Flag              | Description                                                   |
| ----------------- | ------------------------------------------------------------- |
| `--skip-openclaw` | Skip OpenClaw integration; print manual review prompt instead |
| `--json`          | Output results as JSON                                        |

### What It Does

Performs deterministic security analysis on the skill file:

1. **Secret detection** — Scans for hardcoded API keys, tokens, and credentials
2. **URL extraction** — Lists all external HTTP/HTTPS URLs
3. **High-risk command patterns** — Detects 11 dangerous patterns: `rm -rf /`, `sudo rm`, `curl|sh`, `wget|sh`, `eval()`, `exec()`, `chmod 777`, fork bombs, `dd /dev/xyz`, `mkfs`, `base64 -d|sh`

If OpenClaw is available, the command routes the skill to the `/rafter-audit-skill` slash command for a deeper 12-dimension security review covering trust, network access, credential handling, obfuscation, supply chain, and more.

### Exit Codes

| Code | Meaning                                   |
| ---- | ----------------------------------------- |
| `0`  | No secrets or high-risk commands detected |
| `1`  | Secrets or high-risk commands found       |

### Examples

```bash theme={null}
# Audit a skill file
rafter agent audit-skill ~/.claude/skills/github-integration/SKILL.md

# JSON output for scripting
rafter agent audit-skill skill.md --json

# Skip OpenClaw (prints manual review prompt)
rafter agent audit-skill skill.md --skip-openclaw
```

### JSON Output

```bash theme={null}
rafter agent audit-skill skill.md --json
```

```json theme={null}
{
  "skill": "skill.md",
  "path": "/absolute/path/to/skill.md",
  "quickScan": {
    "secrets": 0,
    "urls": ["https://api.example.com"],
    "highRiskCommands": []
  },
  "openClawAvailable": true,
  "rafterSkillInstalled": true
}
```

***

## `rafter ci init`

Generate CI/CD workflow files for your project.

```bash theme={null}
rafter ci init [options]
```

### Options

| Flag                | Description                                     | Default          |
| ------------------- | ----------------------------------------------- | ---------------- |
| `--platform <type>` | Target platform: `github`, `gitlab`, `circleci` | Auto-detected    |
| `--output <path>`   | Output file path                                | Platform default |
| `--with-backend`    | Include API-based security audit job            | false            |

### What It Does

1. Detects your CI platform from project files (`.github/`, `.gitlab-ci.yml`, `.circleci/`)
2. Generates a workflow file with secret scanning and security checks
3. Optionally adds a backend scan job using the Rafter API

### Examples

```bash theme={null}
# Auto-detect platform and generate config
rafter ci init

# Generate GitHub Actions workflow
rafter ci init --platform github

# Include backend scanning job
rafter ci init --platform github --with-backend
```

***

## `rafter brief`

Print rafter knowledge reformatted for CLI output. Designed for any agent on any platform — pipe to memory, save to instructions, or just read in-session.

```bash theme={null}
rafter brief [topic]
```

### Arguments

| Argument  | Description                                                     |
| --------- | --------------------------------------------------------------- |
| `[topic]` | Topic to display (optional — lists available topics if omitted) |

### Topics

| Topic              | Description                                                                                                |
| ------------------ | ---------------------------------------------------------------------------------------------------------- |
| `security`         | Local security toolkit — scanning, auditing, policy enforcement                                            |
| `scanning`         | Remote SAST/SCA code analysis via Rafter API                                                               |
| `commands`         | Condensed command reference for all rafter commands                                                        |
| `setup`            | Setup instructions for all supported agent platforms                                                       |
| `setup/<platform>` | Platform-specific setup (claude-code, codex, gemini, cursor, windsurf, aider, openclaw, continue, generic) |
| `all`              | Everything — full security + scanning + setup briefing                                                     |

### Examples

```bash theme={null}
# List available topics
rafter brief

# Get the local security briefing
rafter brief security

# Platform-specific setup guide
rafter brief setup/claude-code

# For agents without native skill support — load context manually
rafter brief security    # save to memory/instructions
rafter brief commands    # save command reference

# Pipe to a file for manual skill creation
rafter brief scanning > ~/.agents/skills/rafter/SKILL.md
```

<Tip>`rafter brief` works on any platform — use it to bootstrap agent knowledge when skill auto-install isn't available.</Tip>

***

## `rafter mcp serve`

Start an MCP server exposing Rafter security tools over stdio transport. Works with any MCP-compatible client.

```bash theme={null}
rafter mcp serve [options]
```

### Options

| Flag                 | Description              | Default |
| -------------------- | ------------------------ | ------- |
| `--transport <type>` | Transport type (`stdio`) | `stdio` |

### Tools Provided

| Tool               | Description                           | Required Params |
| ------------------ | ------------------------------------- | --------------- |
| `scan_secrets`     | Scan for hardcoded secrets            | `path`          |
| `evaluate_command` | Check if command is allowed by policy | `command`       |
| `read_audit_log`   | Read audit log entries                | (none)          |
| `get_config`       | Read Rafter configuration             | (none)          |

### Resources Provided

| URI               | Description                                            |
| ----------------- | ------------------------------------------------------ |
| `rafter://config` | Current Rafter configuration                           |
| `rafter://policy` | Active security policy (merged `.rafter.yml` + config) |

### MCP Client Config

```json theme={null}
{
  "rafter": {
    "command": "rafter",
    "args": ["mcp", "serve"]
  }
}
```

See [MCP Integration](/guides/agent-security/mcp-integration) for platform-specific setup.

***

## `rafter hook pretool`

PreToolUse hook handler for Claude Code. Reads tool input JSON from stdin, writes decision to stdout.

```bash theme={null}
rafter hook pretool
```

Evaluates `Bash` tool calls against command policy and scans `Write`/`Edit` content for secrets.

See [Claude Code Integration](/guides/agent-security/claude-code-integration) for setup.

***

## `rafter hook posttool`

PostToolUse hook handler for Claude Code. Reads tool result JSON from stdin, logs security-relevant events to the audit log.

```bash theme={null}
rafter hook posttool
```

Logs completed `Bash`, `Write`, and `Edit` tool executions with their outcome and risk level. Useful for auditing what an agent actually did (vs. what was blocked at pretool).

See [Claude Code Integration](/guides/agent-security/claude-code-integration) for setup.

***

## `rafter policy export`

Export Rafter security policy for agent platforms.

```bash theme={null}
rafter policy export --format <claude|codex> [--output <path>]
```

### Options

| Flag              | Description                                                                    |
| ----------------- | ------------------------------------------------------------------------------ |
| `--format <type>` | Target format: `claude` (Claude Code hooks JSON) or `codex` (Codex rules TOML) |
| `--output <path>` | Write to file instead of stdout                                                |

***

## `rafter completion`

Generate shell completion scripts for `rafter`.

```bash theme={null}
rafter completion <shell>
```

### Arguments

| Argument  | Description                            |
| --------- | -------------------------------------- |
| `<shell>` | Target shell: `bash`, `zsh`, or `fish` |

### Setup

```bash theme={null}
# Bash — add to ~/.bashrc
eval "$(rafter completion bash)"

# Zsh — add to ~/.zshrc
eval "$(rafter completion zsh)"

# Fish — saves directly to completions directory
rafter completion fish
```

***

## Global Flags

Available on all commands:

| Flag            | Description              |
| --------------- | ------------------------ |
| `-h, --help`    | Display help for command |
| `-V, --version` | Output version number    |

***

## Environment Variables

| Variable              | Description                                                        |
| --------------------- | ------------------------------------------------------------------ |
| `RAFTER_API_KEY`      | API key for backend scanning                                       |
| `RAFTER_GITHUB_TOKEN` | GitHub PAT for private repo scanning (needs `Contents:Read` scope) |
| `RAFTER_CONFIG_PATH`  | Custom config file location                                        |

***

## File Locations

| Path                                                    | Description                                                                       |
| ------------------------------------------------------- | --------------------------------------------------------------------------------- |
| `~/.rafter/config.json`                                 | Configuration file                                                                |
| `~/.rafter/audit.jsonl`                                 | Audit log (JSONL format, see [Audit Log](/guides/agent-security/audit-log))       |
| `~/.rafter/bin/`                                        | Binary tools (Betterleaks, etc.)                                                  |
| `~/.rafter/patterns/`                                   | Custom secret patterns (`*.txt` or `*.json`)                                      |
| `~/.rafter/.rafterignore`                               | Findings suppression rules (path globs, optional `:pattern-name` qualifier)       |
| `.rafter.yml`                                           | Project-level policy file (see [Policy File](/guides/agent-security/policy-file)) |
| `~/.openclaw/workspace/skills/rafter-security/SKILL.md` | OpenClaw skill file (canonical ClawHub path; v0.8.0+)                             |

***

## Exit Codes

### Local Security (`rafter agent *`, `rafter secrets`)

| Code | Meaning                                                     |
| ---- | ----------------------------------------------------------- |
| `0`  | Success / no secrets found                                  |
| `1`  | Error or secrets found                                      |
| `2`  | Runtime error (path not found, not a git repo, invalid ref) |

### Remote Code Analysis (`rafter run`, `rafter get`, `rafter usage`)

| Code | Meaning                                           |
| ---- | ------------------------------------------------- |
| `0`  | Success                                           |
| `1`  | General error                                     |
| `2`  | Scan not found (HTTP 404)                         |
| `3`  | Quota exhausted (HTTP 429 or 403 scan-mode limit) |
| `4`  | Insufficient scope / forbidden (HTTP 403)         |

***

## Support

<Card title="Need Help?" icon="question">
  * Documentation: [docs.rafter.so](https://docs.rafter.so)
  * GitHub: [rafter-cli/issues](https://github.com/raftersecurity/rafter-cli/issues)
  * Support: [rafter.so/help](https://rafter.so/help)
</Card>
