docdano

Verified purchaser

Deals bought: 246
Member since: May 2023
5 stars
May 26, 2026

Caught real, live credentials in our first scan

Picked up the lowest tier to test it. Inside the first hour, Rafter flagged
multiple live production API credentials sitting in committed files in a
codebase I'd been working in for months... credentials my existing security
workflow had completely missed. After remediating, I rotated and revoked
all of them.

I planted a fake AWS key in a test file to verify the pre-commit hook
actually fires. It blocked the commit cleanly with line number, severity,
and a redacted preview. I also intentionally tried to edit a file with a
literal secret in the search string, and Rafter's pre-tool-use hook caught
that mid-edit before it landed. That's real prevention, not theater, and honestly, a no-brainer.

What stood out:

- One command installed three skills, a sub-agent, hooks, and a
pre-commit gate into Claude Code. Zero fragile setup. Dead simple.
- The local CLI is genuinely free, fast, and produces clean JSON output
designed for AI agent consumption. I'm always looking for AS deals where I can augment our paid agentic tool stack. If you do most of your work in Claude Code or Codex this is not even worth debating over.
- Skill auditing for third-party AI agent skills is a category nothing
else in my stack does. As more shared skills proliferate this matters
more.

A couple honest edges so you know it's a real review: the local secrets
scanner doesn't yet respect .gitignore by default (easy to filter post-hoc);
the skill audit currently recognizes one naming convention but not all
common ones. I fixed these in my local skills no prob.

Upgrading immediately. One missed credential in production would pay for
the top tier ten times over. So extremely cheap insurance and high value.

Glad to see you guys on AS and look forward to where you take the app.

Founder Team
Rome_Rafter

Edited May 27, 2026

Love to hear it, and thanks for the detailed review! I'm on the .gitignore issue, will get it shipped by end-of-day. Feel free to reach out at [email protected] for the naming conventions (or even just tell your agent to raise an issue on git)—or any other feature requests.

Update: .gitignore shipped (in about 4 hours, v0.8.2)
