@kaademos/secure-sdlc 1.0.0

package/cli/src/commands/init.js

@@ -0,0 +1,219 @@
+import { mkdirSync, copyFileSync, writeFileSync, existsSync, readdirSync, readFileSync } from "fs";
+import { join, resolve } from "path";
+import chalk from "chalk";
+import ora from "ora";
+import { detectStack } from "../utils/stack-detect.js";
+import { printBanner, printSuccess, printWarn, printError, printInfo } from "../utils/banner.js";
+import { getPackageRoot } from "../utils/package-root.js";
+
+const REPO_ROOT = getPackageRoot();
+
+export default async function init(options) {
+  const projectRoot = resolve(options.path || process.cwd());
+
+  printBanner();
+  console.log(chalk.bold(`Initialising Secure SDLC in: ${projectRoot}\n`));
+
+  // Detect stack
+  const stack = detectStack(projectRoot);
+  if (stack.name !== "unknown") {
+    printSuccess(`Detected stack: ${chalk.bold(stack.display)} (${stack.language})`);
+  } else {
+    printWarn("Could not detect stack — using generic security guidance");
+  }
+
+  // 1. Create docs directory structure
+  const spinner = ora("Creating docs directory structure").start();
+  try {
+    mkdirSync(join(projectRoot, "docs", "audit-evidence"), { recursive: true });
+    spinner.succeed("Docs directory created");
+  } catch (err) {
+    spinner.fail(`Failed to create docs directory: ${err.message}`);
+    process.exit(1);
+  }
+
+  // 2. Copy templates
+  const templatesDir = join(REPO_ROOT, "docs", "templates");
+  const docsDir = join(projectRoot, "docs");
+
+  if (existsSync(templatesDir)) {
+    const spinner2 = ora("Copying document templates").start();
+    let copied = 0;
+    for (const file of readdirSync(templatesDir)) {
+      const dest = join(docsDir, file);
+      if (!existsSync(dest)) {
+        copyFileSync(join(templatesDir, file), dest);
+        copied++;
+      }
+    }
+    spinner2.succeed(`${copied} templates copied to docs/`);
+  }
+
+  // 3. Create secure-sdlc.yaml config
+  const configPath = join(projectRoot, "secure-sdlc.yaml");
+  if (!existsSync(configPath)) {
+    const spinner3 = ora("Creating secure-sdlc.yaml config").start();
+    const config = generateConfig(projectRoot, stack);
+    writeFileSync(configPath, config);
+    spinner3.succeed("secure-sdlc.yaml created");
+  } else {
+    printInfo("secure-sdlc.yaml already exists — skipping");
+  }
+
+  // 4. Install git hooks
+  if (!options.skipHooks) {
+    const hooksDir = join(projectRoot, ".git", "hooks");
+    if (existsSync(join(projectRoot, ".git"))) {
+      const spinner4 = ora("Installing git hooks").start();
+      try {
+        mkdirSync(hooksDir, { recursive: true });
+        const srcHooks = join(REPO_ROOT, "hooks");
+        for (const hookFile of ["pre-commit", "pre-push"]) {
+          const src = join(srcHooks, hookFile);
+          const dest = join(hooksDir, hookFile);
+          if (existsSync(src)) {
+            copyFileSync(src, dest);
+            // Make executable
+            const { chmodSync } = await import("fs");
+            chmodSync(dest, 0o755);
+          }
+        }
+        spinner4.succeed("Git hooks installed (pre-commit, pre-push)");
+      } catch (err) {
+        spinner4.warn(`Could not install git hooks: ${err.message}`);
+      }
+    } else {
+      printWarn("Not a git repo — skipping hook installation");
+    }
+  }
+
+  // 5. Generate GitHub Actions workflow
+  if (!options.skipCi) {
+    const workflowsDir = join(projectRoot, ".github", "workflows");
+    const workflowPath = join(workflowsDir, "secure-sdlc-gate.yml");
+
+    if (!existsSync(workflowPath)) {
+      const spinner5 = ora("Generating GitHub Actions workflow").start();
+      try {
+        mkdirSync(workflowsDir, { recursive: true });
+        const srcWorkflow = join(REPO_ROOT, ".github", "workflows", "secure-sdlc-gate.yml");
+        if (existsSync(srcWorkflow)) {
+          copyFileSync(srcWorkflow, workflowPath);
+          spinner5.succeed("GitHub Actions workflow created (.github/workflows/secure-sdlc-gate.yml)");
+        } else {
+          spinner5.warn("GitHub Actions template not found — skipping");
+        }
+      } catch (err) {
+        spinner5.warn(`Could not create workflow: ${err.message}`);
+      }
+    } else {
+      printInfo("GitHub Actions workflow already exists — skipping");
+    }
+  }
+
+  // 6. Cursor MCP setup
+  if (options.cursor) {
+    const spinner6 = ora("Configuring Cursor MCP integration").start();
+    try {
+      const cursorDir = join(projectRoot, ".cursor");
+      mkdirSync(cursorDir, { recursive: true });
+
+      const mcpConfig = {
+        mcpServers: {
+          "secure-sdlc": {
+            command: "node",
+            args: [join(REPO_ROOT, "mcp", "src", "server.js")],
+          },
+        },
+      };
+      writeFileSync(
+        join(cursorDir, "mcp.json"),
+        JSON.stringify(mcpConfig, null, 2)
+      );
+
+      // Copy Cursor rules
+      const rulesDir = join(REPO_ROOT, ".cursor", "rules");
+      const destRulesDir = join(cursorDir, "rules");
+      if (existsSync(rulesDir)) {
+        mkdirSync(destRulesDir, { recursive: true });
+        for (const file of readdirSync(rulesDir)) {
+          copyFileSync(join(rulesDir, file), join(destRulesDir, file));
+        }
+      }
+
+      spinner6.succeed("Cursor MCP config and rules created (.cursor/)");
+    } catch (err) {
+      spinner6.warn(`Cursor setup failed: ${err.message}`);
+    }
+  }
+
+  // Print summary
+  console.log("\n" + chalk.bold.green("✓ Secure SDLC initialised successfully\n"));
+  console.log(chalk.bold("Next steps:\n"));
+  console.log(`  ${chalk.cyan("1.")} Start the Plan phase:\n`);
+  console.log(
+    chalk.dim(`     claude --agent product-manager "Define security requirements for [your feature]"\n`)
+  );
+  console.log(
+    chalk.dim(`     # OR if using MCP: sdlc_plan_feature({ feature_description: "..." })\n`)
+  );
+  console.log(`  ${chalk.cyan("2.")} Check your current status:\n`);
+  console.log(chalk.dim(`     secure-sdlc status\n`));
+  console.log(`  ${chalk.cyan("3.")} Run the feature kickoff wizard:\n`);
+  console.log(chalk.dim(`     secure-sdlc kickoff\n`));
+
+  if (stack.name !== "unknown") {
+    const { getStackSecurityNotes } = await import("../utils/stack-detect.js");
+    const notes = getStackSecurityNotes(stack.name);
+    if (notes.length) {
+      console.log(chalk.bold(`\n${stack.display} security notes for your team:\n`));
+      notes.slice(0, 3).forEach((n) => console.log(chalk.dim(`  • ${n}`)));
+      console.log(chalk.dim(`  (see stacks/${stack.name}.md for full guidance)\n`));
+    }
+  }
+}
+
+function generateConfig(projectRoot, stack) {
+  return `# Secure SDLC Configuration
+# Generated by: secure-sdlc init
+# Documentation: https://github.com/Kaademos/secure-sdlc-agents
+
+project:
+  name: "${projectRoot.split("/").pop()}"
+  stack: "${stack.display}"
+
+security:
+  asvs_level: L2          # L1 (basic), L2 (standard), L3 (high-assurance)
+  
+  # Compliance frameworks applicable to this project
+  # Options: SOC2, ISO27001, NIST_CSF, PCI_DSS, GDPR, HIPAA, DORA, FedRAMP, NIS2
+  frameworks: []
+
+  # Severity thresholds that block CI/CD gates
+  gates:
+    build_to_test:
+      block_on: [CRITICAL, HIGH]
+    test_to_release:
+      block_on: [CRITICAL, HIGH]
+    release:
+      block_on: [CRITICAL]
+      warn_on: [HIGH, MEDIUM]
+
+  # Agents to invoke automatically in CI
+  ci:
+    on_pr: [dev-lead, appsec-engineer]
+    on_merge_to_main: [appsec-engineer, cloud-platform-engineer]
+    on_release: [release-manager, grc-analyst]
+
+# Paths to key artefacts (relative to project root)
+artefacts:
+  security_requirements: docs/security-requirements.md
+  risk_register: docs/risk-register.md
+  threat_model: docs/threat-model.md
+  infra_review: docs/infra-security-review.md
+  sast_findings: docs/sast-findings.md
+  test_report: docs/test-security-report.md
+  release_sign_off: docs/release-security-sign-off.md
+  audit_evidence: docs/audit-evidence/
+`;
+}

package/cli/src/commands/install-mcp.js

@@ -0,0 +1,121 @@
+import { existsSync, mkdirSync, writeFileSync, readFileSync } from "fs";
+import { join, homedir } from "path";
+import chalk from "chalk";
+import { printBanner, printSuccess, printWarn } from "../utils/banner.js";
+import { getMcpServerPath } from "../utils/package-root.js";
+
+const SERVER_PATH = getMcpServerPath();
+
+const MCP_CONFIG = {
+  "secure-sdlc": {
+    command: "node",
+    args: [SERVER_PATH],
+  },
+};
+
+export default async function installMCP(options) {
+  const tool = options.tool || "all";
+
+  printBanner();
+  console.log(chalk.bold("Secure SDLC MCP Server Installation\n"));
+  console.log(chalk.dim(`Server path: ${SERVER_PATH}\n`));
+
+  if (!existsSync(SERVER_PATH)) {
+    console.log(chalk.red(`✗ MCP server not found at ${SERVER_PATH}`));
+    console.log(chalk.dim("  Run: npm install (from the secure-sdlc package root)"));
+    process.exit(1);
+  }
+
+  const installers = {
+    cursor: installCursor,
+    "claude-code": installClaudeCode,
+    windsurf: installWindsurf,
+  };
+
+  const targets = tool === "all" ? Object.keys(installers) : [tool];
+
+  for (const t of targets) {
+    if (installers[t]) {
+      await installers[t]();
+    } else {
+      printWarn(`Unknown tool: ${t}`);
+    }
+  }
+
+  console.log(chalk.bold("\nAvailable MCP tools after installation:\n"));
+  const tools = [
+    "sdlc_plan_feature      — ASVS requirements + risk register",
+    "sdlc_threat_model      — STRIDE/LINDDUN threat model",
+    "sdlc_review_pr         — Security review pull requests",
+    "sdlc_review_infra      — IaC security review",
+    "sdlc_triage_sast       — Triage SAST findings",
+    "sdlc_release_gate      — Pre-release go/no-go gate",
+    "sdlc_check_compliance  — Compliance gap analysis",
+    "sdlc_security_champion — Quick security Q&A",
+    "sdlc_ai_security_review — AI/LLM feature security review",
+  ];
+  tools.forEach((t) => console.log(chalk.dim(`  • ${t}`)));
+}
+
+async function installCursor() {
+  console.log(chalk.bold("Installing for Cursor...\n"));
+
+  // Global Cursor MCP config
+  const cursorConfigDir = join(homedir(), ".cursor");
+  const configPath = join(cursorConfigDir, "mcp.json");
+
+  mkdirSync(cursorConfigDir, { recursive: true });
+
+  let existing = {};
+  if (existsSync(configPath)) {
+    try {
+      existing = JSON.parse(readFileSync(configPath, "utf-8"));
+    } catch {
+      // ignore parse error
+    }
+  }
+
+  const updated = {
+    ...existing,
+    mcpServers: {
+      ...(existing.mcpServers || {}),
+      ...MCP_CONFIG,
+    },
+  };
+
+  writeFileSync(configPath, JSON.stringify(updated, null, 2));
+  printSuccess(`Cursor global MCP config updated: ${configPath}`);
+  console.log(chalk.dim("  Restart Cursor to load the new tools.\n"));
+}
+
+async function installClaudeCode() {
+  console.log(chalk.bold("Installing for Claude Code...\n"));
+  console.log(chalk.dim("Run this command to register the MCP server:\n"));
+  console.log(chalk.cyan(`  claude mcp add secure-sdlc -- node ${SERVER_PATH}\n`));
+  console.log(chalk.dim("Then verify with:\n"));
+  console.log(chalk.cyan("  claude mcp list\n"));
+}
+
+async function installWindsurf() {
+  console.log(chalk.bold("Installing for Windsurf / Cascade...\n"));
+
+  const windsurfConfigDir = join(homedir(), ".codeium", "windsurf");
+  const configPath = join(windsurfConfigDir, "mcp_config.json");
+
+  if (existsSync(windsurfConfigDir)) {
+    mkdirSync(windsurfConfigDir, { recursive: true });
+    let existing = {};
+    if (existsSync(configPath)) {
+      try { existing = JSON.parse(readFileSync(configPath, "utf-8")); } catch { /* */ }
+    }
+    const updated = {
+      ...existing,
+      mcpServers: { ...(existing.mcpServers || {}), ...MCP_CONFIG },
+    };
+    writeFileSync(configPath, JSON.stringify(updated, null, 2));
+    printSuccess(`Windsurf MCP config updated: ${configPath}`);
+  } else {
+    console.log(chalk.dim("Windsurf config directory not found. Add this to your Windsurf MCP config manually:\n"));
+    console.log(chalk.cyan(JSON.stringify({ mcpServers: MCP_CONFIG }, null, 2)));
+  }
+}

package/cli/src/commands/kickoff.js

@@ -0,0 +1,261 @@
+import { resolve } from "path";
+import chalk from "chalk";
+import inquirer from "inquirer";
+import { printBanner, printPhase } from "../utils/banner.js";
+import { detectStack } from "../utils/stack-detect.js";
+
+/**
+ * Interactive feature kickoff wizard.
+ *
+ * Guides the developer through the information needed to kick off a new
+ * feature with full Secure SDLC coverage, then generates the exact
+ * claude --agent commands (or MCP calls) to execute each phase.
+ */
+export default async function kickoff(options) {
+  const projectRoot = resolve(options.path || process.cwd());
+
+  printBanner();
+  console.log(chalk.bold("Feature Security Kickoff Wizard\n"));
+  console.log(chalk.dim("Answer a few questions to generate your Secure SDLC plan.\n"));
+
+  const stack = detectStack(projectRoot);
+
+  const answers = await inquirer.prompt([
+    {
+      type: "input",
+      name: "featureName",
+      message: "Feature name:",
+      validate: (v) => v.trim().length > 2 || "Please enter a feature name",
+    },
+    {
+      type: "input",
+      name: "featureDescription",
+      message: "What does this feature do? (be specific about actors, data, integrations):",
+      validate: (v) => v.trim().length > 10 || "Please describe the feature",
+    },
+    {
+      type: "input",
+      name: "stack",
+      message: "Technology stack:",
+      default: stack.display !== "Unknown" ? stack.display : undefined,
+    },
+    {
+      type: "list",
+      name: "asvsLevel",
+      message: "OWASP ASVS assurance level:",
+      choices: [
+        { name: "L1 — Basic (low-risk internal tools)", value: "L1" },
+        { name: "L2 — Standard (most applications)  ← recommended", value: "L2" },
+        { name: "L3 — High-assurance (regulated, high-risk)", value: "L3" },
+      ],
+      default: "L2",
+    },
+    {
+      type: "checkbox",
+      name: "complianceFrameworks",
+      message: "Compliance frameworks in scope (select all that apply):",
+      choices: [
+        { name: "SOC 2 Type II", value: "SOC2" },
+        { name: "ISO 27001:2022", value: "ISO27001" },
+        { name: "GDPR / UK GDPR", value: "GDPR" },
+        { name: "PCI DSS v4.0", value: "PCI-DSS" },
+        { name: "HIPAA", value: "HIPAA" },
+        { name: "NIST CSF 2.0", value: "NIST_CSF" },
+        { name: "DORA", value: "DORA" },
+        { name: "FedRAMP", value: "FedRAMP" },
+        { name: "None / Not sure", value: "none" },
+      ],
+    },
+    {
+      type: "checkbox",
+      name: "dataTypes",
+      message: "What data does this feature handle?",
+      choices: [
+        { name: "User credentials (passwords, tokens)", value: "credentials" },
+        { name: "Personal Identifiable Information (PII)", value: "pii" },
+        { name: "Payment / financial data", value: "payment" },
+        { name: "Health / medical data (PHI)", value: "phi" },
+        { name: "File uploads", value: "files" },
+        { name: "Third-party API integrations", value: "integrations" },
+        { name: "AI / LLM model calls", value: "ai" },
+        { name: "No sensitive data", value: "none" },
+      ],
+    },
+    {
+      type: "confirm",
+      name: "hasInfra",
+      message: "Does this feature include infrastructure changes (Terraform, K8s, AWS config, etc.)?",
+      default: false,
+    },
+    {
+      type: "list",
+      name: "toolPreference",
+      message: "How do you invoke agents?",
+      choices: [
+        { name: "Claude Code (claude --agent ...)", value: "claude-code" },
+        { name: "Cursor MCP (sdlc_* tools)", value: "cursor-mcp" },
+        { name: "Both", value: "both" },
+      ],
+    },
+  ]);
+
+  // Generate the plan
+  const frameworks = answers.complianceFrameworks.filter((f) => f !== "none");
+  const hasPii = answers.dataTypes.includes("pii") || answers.dataTypes.includes("phi");
+  const hasAI = answers.dataTypes.includes("ai");
+  const hasFiles = answers.dataTypes.includes("files");
+
+  console.log("\n");
+  console.log(chalk.bold.green("═".repeat(60)));
+  console.log(chalk.bold.green(`  Secure SDLC Plan: ${answers.featureName}`));
+  console.log(chalk.bold.green("═".repeat(60)));
+
+  // ── PLAN ──────────────────────────────────────────────────────
+  printPhase("PLAN", "Define secure requirements and risk register");
+
+  if (answers.toolPreference !== "cursor-mcp") {
+    console.log(chalk.bold("1. Product Manager — Security Requirements:"));
+    console.log(chalk.cyan(`
+  claude --agent product-manager \\
+    "Define security requirements for: ${answers.featureDescription}. \\
+     Stack: ${answers.stack}. ASVS ${answers.asvsLevel}.${
+       frameworks.length ? ` Compliance: ${frameworks.join(", ")}.` : ""
+     }"
+`));
+
+    console.log(chalk.bold("2. GRC Analyst — Risk Register:"));
+    console.log(chalk.cyan(`
+  claude --agent grc-analyst \\
+    "Initialise risk register for ${answers.featureName}.${
+      frameworks.length ? ` Map to ${frameworks.join(", ")}.` : ""
+    }"
+`));
+  }
+
+  if (answers.toolPreference !== "claude-code") {
+    console.log(chalk.bold("MCP equivalent:"));
+    console.log(chalk.dim(`
+  sdlc_plan_feature({
+    feature_description: "${answers.featureDescription}",
+    stack: "${answers.stack}",
+    asvs_level: "${answers.asvsLevel}",
+    ${frameworks.length ? `compliance_frameworks: [${frameworks.map((f) => `"${f}"`).join(", ")}],` : ""}
+    project_root: "${projectRoot}"
+  })
+`));
+  }
+
+  // ── DESIGN ────────────────────────────────────────────────────
+  printPhase("DESIGN", "Threat model and infrastructure review");
+  console.log(chalk.dim("(Run after requirements are written and architecture is defined)\n"));
+
+  if (answers.toolPreference !== "cursor-mcp") {
+    console.log(chalk.bold("3. AppSec Engineer — Threat Model:"));
+    console.log(chalk.cyan(`
+  claude --agent appsec-engineer \\
+    "Threat model ${answers.featureName} using STRIDE.${hasPii ? " Also run LINDDUN — PII in scope." : ""} \\
+     Architecture: [describe your components and data flows]"
+`));
+
+    if (answers.hasInfra) {
+      console.log(chalk.bold("4. Cloud/Platform Engineer — Infra Review:"));
+      console.log(chalk.cyan(`
+  claude --agent cloud-platform-engineer \\
+    "Review infrastructure changes for ${answers.featureName}: [describe IaC changes]"
+`));
+    }
+  }
+
+  if (answers.toolPreference !== "claude-code") {
+    console.log(chalk.bold("MCP equivalent:"));
+    console.log(chalk.dim(`
+  sdlc_threat_model({
+    architecture_description: "[describe architecture]",
+    pii_in_scope: ${hasPii},
+    project_root: "${projectRoot}"
+  })
+`));
+  }
+
+  // ── BUILD ─────────────────────────────────────────────────────
+  printPhase("BUILD", "Secure code review on every PR");
+
+  if (answers.toolPreference !== "cursor-mcp") {
+    console.log(chalk.bold("5. Dev Lead — PR Review (run on every PR):"));
+    console.log(chalk.cyan(`
+  claude --agent dev-lead "Review PR #[N] — [brief PR description]"
+  claude --agent appsec-engineer "Triage any SAST findings for PR #[N]"
+`));
+  }
+
+  if (answers.toolPreference !== "claude-code") {
+    console.log(chalk.bold("MCP equivalent:"));
+    console.log(chalk.dim(`
+  sdlc_review_pr({
+    pr_description: "[what the PR does]",
+    code_diff: "[paste diff or key code sections]",
+    language_stack: "${answers.stack}"
+  })
+`));
+  }
+
+  // Special cases
+  if (hasFiles) {
+    console.log(chalk.yellow(`\n  ⚠  File upload detected — ensure:`));
+    console.log(chalk.dim(`     • Content-type validated by magic bytes, not client MIME`));
+    console.log(chalk.dim(`     • Original filenames never used as storage keys`));
+    console.log(chalk.dim(`     • SVG explicitly blocked (it's XML, can contain scripts)`));
+    console.log(chalk.dim(`     • Malware scan before files become accessible to others\n`));
+  }
+
+  if (hasAI) {
+    console.log(chalk.yellow(`\n  ⚠  AI/LLM features detected — also run:`));
+    console.log(chalk.cyan(`
+  claude --agent ai-security-engineer \\
+    "Security review the AI feature: [describe model usage, inputs, tools/functions it can call]"
+  # OR: sdlc_ai_security_review({ ai_feature_description: "..." })
+`));
+  }
+
+  // ── TEST ──────────────────────────────────────────────────────
+  printPhase("TEST", "DAST, penetration testing, and audit evidence");
+
+  if (answers.toolPreference !== "cursor-mcp") {
+    console.log(chalk.bold("6. AppSec Engineer — DAST Findings:"));
+    console.log(chalk.cyan(`
+  claude --agent appsec-engineer \\
+    "Interpret these DAST findings for ${answers.featureName}: [paste ZAP/Burp output]"
+`));
+  }
+
+  // ── RELEASE ───────────────────────────────────────────────────
+  printPhase("RELEASE", "Go/no-go security gate");
+
+  if (answers.toolPreference !== "cursor-mcp") {
+    console.log(chalk.bold("7. Release Manager — Security Gate:"));
+    console.log(chalk.cyan(`
+  claude --agent release-manager \\
+    "Run pre-release security checklist for v[X.Y.Z] — ${answers.featureName}"
+`));
+  }
+
+  if (answers.toolPreference !== "claude-code") {
+    console.log(chalk.bold("MCP equivalent:"));
+    console.log(chalk.dim(`
+  sdlc_release_gate({
+    version: "v1.0.0",
+    docs_path: "${projectRoot}/docs"
+  })
+`));
+  }
+
+  // ── SEVERITY REMINDERS ────────────────────────────────────────
+  console.log("\n" + chalk.bold("Severity gates:\n"));
+  console.log(chalk.red("  CRITICAL → blocks all gates, no exceptions"));
+  console.log(chalk.yellow("  HIGH     → blocks Build→Test and Test→Release without documented accepted risk"));
+  console.log(chalk.blue("  MEDIUM   → requires remediation plan or accepted risk before release"));
+  console.log(chalk.dim("  LOW      → tracked in risk register, does not block\n"));
+
+  console.log(chalk.bold("Track progress:\n"));
+  console.log(chalk.dim("  secure-sdlc status   # Check which artefacts are complete\n"));
+}

package/cli/src/commands/paths.js

@@ -0,0 +1,33 @@
+import chalk from "chalk";
+import { join } from "path";
+import { printBanner } from "../utils/banner.js";
+import { getPackageRoot, getMcpServerPath } from "../utils/package-root.js";
+
+/**
+ * Print resolved paths after npm install -g (for MCP / Cursor configuration).
+ */
+export default async function pathsCmd() {
+  const root = getPackageRoot();
+  printBanner();
+  console.log(chalk.bold("Package install paths\n"));
+  console.log(`${chalk.cyan("PACKAGE_ROOT")}=${root}`);
+  console.log(`${chalk.cyan("MCP_SERVER")}=${getMcpServerPath()}`);
+  console.log(`${chalk.cyan("TEMPLATES")}=${join(root, "docs", "templates")}`);
+  console.log(`${chalk.cyan("HOOKS")}=${join(root, "hooks")}`);
+  console.log(chalk.dim("\nCursor MCP snippet (copy args path):\n"));
+  console.log(
+    JSON.stringify(
+      {
+        mcpServers: {
+          "secure-sdlc": {
+            command: "node",
+            args: [getMcpServerPath()],
+          },
+        },
+      },
+      null,
+      2
+    )
+  );
+  console.log();
+}

package/cli/src/commands/review.js

@@ -0,0 +1,53 @@
+import { readFileSync, existsSync } from "fs";
+import { resolve } from "path";
+import chalk from "chalk";
+import { printBanner } from "../utils/banner.js";
+
+/**
+ * Prints a ready-to-paste prompt for dev-lead / MCP PR review.
+ * Does not call an LLM — use this to drive Claude Code or Cursor manually.
+ */
+export default async function review(target, options) {
+  const projectRoot = resolve(options.path || process.cwd());
+  const type = options.type || "code";
+
+  printBanner();
+  console.log(chalk.bold("Security review — copy the block below into Claude Code or Cursor\n"));
+
+  let codeBlock = "";
+  if (target) {
+    const abs = resolve(projectRoot, target);
+    if (existsSync(abs)) {
+      codeBlock = readFileSync(abs, "utf-8");
+    } else {
+      console.log(chalk.yellow(`File not found: ${abs}\n`));
+    }
+  }
+
+  const stack = options.stack || "(describe your stack)";
+
+  console.log(chalk.dim("─── Paste from here ───\n"));
+  console.log(
+    [
+      `Run a ${type} security review for this project.`,
+      "",
+      stack ? `Stack: ${stack}` : "",
+      target ? `Scope: file ${target}` : "Scope: recent changes / describe what to review",
+      "",
+      codeBlock
+        ? "Code:\n```\n" + codeBlock.slice(0, 12000) + (codeBlock.length > 12000 ? "\n... (truncated)" : "") + "\n```"
+        : "(Attach diff or paste code.)",
+      "",
+      "Reference docs/security-requirements.md if it exists.",
+      "",
+      "Claude Code:",
+      '  claude --agent dev-lead "Review the above for secure coding issues and dependency risks"',
+      "",
+      "Cursor (MCP):",
+      "  sdlc_review_pr({ pr_description: \"...\", code_diff: \"...\", language_stack: \"...\" })",
+    ]
+      .filter(Boolean)
+      .join("\n")
+  );
+  console.log(chalk.dim("\n─── End ───\n"));
+}