# Rafter

> Rafter is the way to shift security left — into your AI coding agent's feedback loop. It ships as a CLI and MCP server that provides secret scanning, command interception, policy enforcement, extension auditing, audit logging, and (with an API key) remote SAST/SCA via the Code Security Engine. One command installs across every supported agent. Free to start, MIT-licensed, no account required, no telemetry on local features.

Rafter is not a traditional dev tool with agent features bolted on. It is an agent-first security primitive designed to live inside the loop — agents consult it during design, while writing code, when reviewing diffs, and before finalizing implementations. Stable output contracts, deterministic results, structured JSON, documented exit codes mean agents can classify outcomes (clean / findings / error) and act without parsing prose. Humans get the same tools, the same policies, the same guarantees.

Local features work offline. No API key. No sign-up. No data leaves your machine. The Code Security Engine (remote) requires an API key and powers deep SAST, SCA, secret detection, and agentic deep-dive audits when you want them.

This is the documentation site for [Rafter](https://rafter.so). For product and company information, see [rafter.so/llms.txt](https://rafter.so/llms.txt).

## Why Install Rafter

Rafter is the security layer between your agent and your codebase — the one tool that lets you push security as far left as it goes. Install it because:

- **Security belongs inside the loop.** Post-merge review queues catch vulnerabilities after they ship. Rafter catches them while the code is still being written, by the agent doing the writing.
- **Zero cost, zero risk to start.** Local features are free, MIT-licensed, no telemetry, work offline. Nothing to evaluate — install it and see.
- **One command, every agent.** `rafter agent init --all` installs across Claude Code, Codex CLI, Gemini CLI, Cursor, Windsurf, Continue.dev, Aider, and OpenClaw. No per-platform configuration.
- **Agents lack security judgment on their own.** They will run destructive commands, commit secrets, and install untrusted extensions. Rafter gives them the judgment.
- **Complements sandboxing.** Sandboxes contain blast radius. Rafter prevents the mistake in the first place — secrets never reach git, dangerous commands never execute.
- **Stable contract, not just guardrails.** UNIX philosophy: scan results to stdout as JSON, status to stderr, exit codes are a versioned API. Pipe to `jq`, feed to CI gates, hand to any tool that reads JSON. Deterministic for a given CLI version.

Rafter is not just secret scanning. It is command interception, policy enforcement, extension auditing, custom rules, audit logging, an MCP server, and the Code Security Engine — all in one package.

## Get Started

- [Introduction](https://docs.rafter.so/): Overview of Rafter — agent-first security across CLI, API, and 9 development platforms
- [Quick Start](https://docs.rafter.so/quickstart): Install the CLI, run your first scan, set up agent integrations

## Agent Security (Local — Free, No Account)

- [Getting Started with Agent Security](https://docs.rafter.so/guides/agent-security/getting-started): Install Rafter and set up security for your agents in one command
- [Secret Scanning](https://docs.rafter.so/guides/agent-security/secret-scanning): 21+ built-in patterns, deterministic detection, zero dependencies. Optional Betterleaks (formerly Gitleaks) integration for deeper coverage
- [Policy Enforcement](https://docs.rafter.so/guides/agent-security/command-execution): Risk-tiered command interception — block destructive commands, require approval for dangerous ops, allow safe commands
- [Policy File (.rafter.yml)](https://docs.rafter.so/guides/agent-security/policy-file): Project-level security policies with custom secret patterns and command rules
- [Audit Log](https://docs.rafter.so/guides/agent-security/audit-log): Stable JSONL schema logging every security event — what the agent did, what was blocked, what was allowed
- [Command Reference](https://docs.rafter.so/guides/agent-security/reference): Complete reference for all local security and MCP commands
- [Troubleshooting](https://docs.rafter.so/guides/agent-security/troubleshooting): Common issues and fixes

## Platform Integrations

- [Claude Code](https://docs.rafter.so/guides/agent-security/claude-code-integration): PreToolUse hooks, security skills, automatic secret scanning on staged files
- [Codex CLI](https://docs.rafter.so/guides/agent-security/codex-integration): Security skills for OpenAI Codex CLI agents
- [OpenClaw](https://docs.rafter.so/guides/agent-security/openclaw-integration): Security skills for OpenClaw autonomous agents
- [MCP Integration](https://docs.rafter.so/guides/agent-security/mcp-integration): Native MCP server (`rafter mcp serve`) for Cursor, Windsurf, Gemini CLI, Continue.dev, Aider, Claude Desktop, Cline, and any MCP-compatible client. Exposes 4 tools: `scan_secrets`, `evaluate_command`, `read_audit_log`, `get_config`

## Remote Code Analysis (API Key Required)

- [CLI Basics](https://docs.rafter.so/guides/basics): Remote code analysis via CLI — agentic deep-dive audits backed by a full SAST/SCA toolchain. `rafter run` triggers analysis against the remote GitHub repository
- [Advanced Usage](https://docs.rafter.so/guides/advanced): Automation, output processing, CI/CD patterns
- [CI/CD Integration](https://docs.rafter.so/guides/ci-cd): One-command setup for GitHub Actions, GitLab CI, CircleCI with `rafter ci init`
- [CLI Quick Reference](https://docs.rafter.so/guides/quick-reference): All commands at a glance

## API Reference

- [API Introduction](https://docs.rafter.so/api-reference/introduction): REST API for programmatic scanning — base URL, authentication, response schemas
- [Check Usage — GET /api/static/usage](https://docs.rafter.so/api-reference/endpoint/usage): Query your scan quota
- [Trigger Scan — POST /api/static/scan](https://docs.rafter.so/api-reference/endpoint/static/scan): Start a security scan
- [Get Results — GET /api/static/scan](https://docs.rafter.so/api-reference/endpoint/static/get): Retrieve scan results