@securityreviewai/securityreview-kit 0.1.11

package/README.md

@@ -0,0 +1,90 @@
+# securityreview-kit
+
+> Bootstrap [security-review-mcp](https://www.npmjs.com/package/security-review-mcp) for AI IDEs and CLI tools in one command.
+
+**securityreview-kit** configures the SRAI security review MCP server and installs workspace rules so your AI assistant consults security threat models and countermeasures *before* generating code.
+
+## Quick Start
+
+```bash
+# Interactive mode (recommended)
+npx securityreview-kit init
+
+# Or specify targets directly
+npx securityreview-kit init --target cursor --api-url https://api.example.com --api-key YOUR_TOKEN
+
+# Install for multiple targets
+npx securityreview-kit init --target cursor claude vscode
+
+# Install for all supported targets
+npx securityreview-kit init --all --api-url https://api.example.com --api-key YOUR_TOKEN
+
+# Re-open project selection menu and update installed rules
+npx securityreview-kit init --switch-project
+```
+
+## Supported Targets
+
+| Target | Flag | MCP Config | Workspace Rule |
+|---|---|---|---|
+| Cursor | `cursor` | `.cursor/mcp.json` | `.cursor/rules/srai-security-review.mdc`, `.cursor/rules/ctm_sync_rule.mdc`, `.cursor/commands/ctm_sync.md`, `.cursor/agents/ctm_sync.md`, `.cursor/commands/create-ide-workflow.md`, `.cursor/commands/srai-profile.md`, `.cursor/skills/threat-modelling/SKILL.md` |
+| Claude Code | `claude` | `.claude/settings.json` | `CLAUDE.md` |
+| VS Code Copilot | `vscode` | `.vscode/mcp.json` | `.github/copilot-instructions.md` |
+| Windsurf | `windsurf` | `.windsurf/mcp_config.json` | `.windsurf/rules/srai-security-review.md` |
+| Codex | `codex` | `.codex/config.toml` | `AGENTS.md` |
+| Gemini CLI | `gemini` | `.gemini/settings.json` | `GEMINI.md` |
+| Antigravity | `antigravity` | `.gemini/settings.json` | `.agents/rules/srai-security-review.md` |
+
+## Commands
+
+### `securityreview-kit init`
+
+Configure security-review-mcp for your IDE/CLI. Runs interactively when no flags are provided.
+
+```
+Options:
+  -t, --target <name...>  Target IDE/CLI (cursor, claude, vscode, windsurf, codex, gemini, antigravity)
+  -a, --all               Install for all supported targets
+  --project-name <name>   (Optional) Preselect project name from fetched API project list
+  --api-url <url>         SRAI API URL (or set SECURITY_REVIEW_API_URL env var)
+  --api-key <token>       SRAI API Token (or set SECURITY_REVIEW_API_TOKEN env var)
+  --switch-project        Fetch projects and only update mapped workspace rules
+  --skip-mcp              Skip MCP server config installation
+  --skip-rules            Skip workspace rule installation
+```
+
+### `securityreview-kit init --switch-project`
+
+Fetches projects from `https://<api-url>/api/projects/` using `Authorization: Bearer <api-key>`, shows a single-select menu, and updates installed workspace rules with the selected project.
+
+### `securityreview-kit status`
+
+Show current configuration status for all supported targets in the workspace.
+
+## Environment Variables
+
+| Variable | Description |
+|---|---|
+| `SECURITY_REVIEW_PROJECT_NAME` | Optional default project name to preselect in the project menu |
+| `SECURITY_REVIEW_API_URL` | SRAI platform API endpoint |
+| `SECURITY_REVIEW_API_TOKEN` | Your SRAI API token |
+
+These can be provided via CLI flags, environment variables, or interactive prompts.
+
+## What Gets Installed
+
+**MCP Server Config** — tells your IDE how to launch the `security-review-mcp` server via `npx`.
+
+**Workspace Rules** — instructs the AI assistant to consult SRAI threat models and countermeasures before generating security-relevant code. If configured, the selected SRAI project name is injected into the MCP workflow instructions in the installed rule content.
+
+## How It Works
+
+1. Run `securityreview-kit init`
+2. Select your IDE/CLI target(s)
+3. Choose whether to install workspace rules and MCP config
+4. If MCP is selected, enter your SRAI credentials (API URL, token)
+5. The tool fetches `/api/projects/` and you select exactly one SRAI project from the menu
+6. The tool creates/merges MCP config and workspace rule files
+7. Your AI assistant now has access to SRAI security reviews
+
+The tool is **idempotent** — running it multiple times safely updates existing configs without duplicating content.

package/bin/securityreview-kit.js

@@ -0,0 +1,5 @@
+#!/usr/bin/env node
+
+import { run } from '../src/cli.js';
+
+run();

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "@securityreviewai/securityreview-kit",
+  "version": "0.1.11",
+  "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
+  "author": "Debarshi Das <debarshi.das@we45.com>",
+  "license": "UNLICENSED",
+  "type": "module",
+  "bin": {
+    "securityreview-kit": "./bin/securityreview-kit.js"
+  },
+  "files": [
+    "bin/",
+    "src/",
+    "README.md"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "scripts": {
+    "test": "node --test src/**/*.test.js",
+    "start": "node bin/securityreview-kit.js"
+  },
+  "keywords": [
+    "security",
+    "mcp",
+    "security-review",
+    "srai",
+    "ai-ide",
+    "cursor",
+    "claude",
+    "codex",
+    "gemini",
+    "windsurf",
+    "vscode"
+  ],
+  "dependencies": {
+    "chalk": "^5.4.0",
+    "commander": "^13.0.0",
+    "inquirer": "^12.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}

package/src/cli.js

@@ -0,0 +1,54 @@
+import { Command } from 'commander';
+import { initCommand } from './commands/init.js';
+import { statusCommand } from './commands/status.js';
+import { switchProjectCommand } from './commands/switch-project.js';
+import { TARGET_NAMES } from './utils/constants.js';
+
+export function run() {
+    const program = new Command();
+
+    program
+        .name('securityreview-kit')
+        .description('Bootstrap security-review-mcp for AI IDEs and CLI tools')
+        .version('0.1.0');
+
+    program
+        .command('init')
+        .description('Configure security-review-mcp for your IDE / CLI tool')
+        .option(
+            '-t, --target <name...>',
+            `Target IDE/CLI (${TARGET_NAMES.join(', ')}). Omit for interactive mode.`,
+        )
+        .option('-a, --all', 'Install for all supported targets')
+        .option('--project-name <name>', 'Default SRAI project name to preselect in project menu')
+        .option('--api-url <url>', 'SRAI API URL (or set SECURITY_REVIEW_API_URL env var)')
+        .option('--api-key <token>', 'SRAI API Token (or set SECURITY_REVIEW_API_TOKEN env var)')
+        .option('--switch-project', 'Fetch projects and only update mapped workspace rules')
+        .option('--skip-mcp', 'Skip MCP server config installation')
+        .option('--skip-rules', 'Skip workspace rule installation')
+        .action(async (options) => {
+            try {
+                if (options.switchProject) {
+                    await switchProjectCommand(options);
+                } else {
+                    await initCommand(options);
+                }
+            } catch (err) {
+                if (err.name === 'ExitPromptError') {
+                    // User cancelled interactive prompt
+                    console.log('\n  Cancelled.\n');
+                    process.exit(0);
+                }
+                throw err;
+            }
+        });
+
+    program
+        .command('status')
+        .description('Show current security-review-mcp configuration status')
+        .action(async () => {
+            await statusCommand();
+        });
+
+    program.parse();
+}

package/src/commands/init.js

@@ -0,0 +1,332 @@
+import chalk from 'chalk';
+import { input, checkbox, confirm, select } from '@inquirer/prompts';
+import { TARGETS, TARGET_NAMES } from '../utils/constants.js';
+import { detectTargets } from '../utils/detect.js';
+import { fetchProjectNames, getStoredCredentials, normalizeApiUrl } from '../utils/srai.js';
+
+// Dynamic imports for generators (avoids loading all at startup)
+const mcpGenerators = {
+    cursor: () => import('../generators/mcp/cursor.js'),
+    claude: () => import('../generators/mcp/claude.js'),
+    vscode: () => import('../generators/mcp/vscode.js'),
+    windsurf: () => import('../generators/mcp/windsurf.js'),
+    codex: () => import('../generators/mcp/codex.js'),
+    gemini: () => import('../generators/mcp/gemini.js'),
+    antigravity: () => import('../generators/mcp/gemini.js'),
+};
+
+const ruleGenerators = {
+    cursor: () => import('../generators/rules/cursor.js'),
+    claude: () => import('../generators/rules/claude.js'),
+    vscode: () => import('../generators/rules/vscode.js'),
+    windsurf: () => import('../generators/rules/windsurf.js'),
+    codex: () => import('../generators/rules/codex.js'),
+    gemini: () => import('../generators/rules/gemini.js'),
+    antigravity: () => import('../generators/rules/antigravity.js'),
+};
+
+function normalizeRuleResults(rawResult) {
+    const entries = Array.isArray(rawResult) ? rawResult : [rawResult];
+
+    return entries.map((entry) => {
+        if (typeof entry === 'string') {
+            return { filePath: entry, action: 'created', kind: 'rule' };
+        }
+
+        if (entry && typeof entry.filePath === 'string') {
+            const allowedKinds = new Set(['rule', 'command', 'agent', 'skill']);
+            const kind = allowedKinds.has(entry.kind) ? entry.kind : 'rule';
+            return { filePath: entry.filePath, action: entry.action || 'created', kind };
+        }
+
+        throw new Error('Rule generator returned an invalid result.');
+    });
+}
+
+/**
+ * Resolve environment variables from flags, env, or interactive prompt.
+ */
+async function resolveEnvVars(options, interactive, cwd) {
+    let apiUrl = normalizeApiUrl(options.apiUrl || process.env.SECURITY_REVIEW_API_URL || '');
+    let apiToken = options.apiKey || process.env.SECURITY_REVIEW_API_TOKEN || '';
+
+    if (!apiUrl || !apiToken) {
+        const stored = getStoredCredentials(cwd);
+        if (!apiUrl && stored.apiUrl) {
+            apiUrl = stored.apiUrl;
+        }
+        if (!apiToken && stored.apiToken) {
+            apiToken = stored.apiToken;
+        }
+    }
+
+    if (interactive) {
+        if (!apiUrl) {
+            apiUrl = await input({
+                message: '🔗 SRAI API URL:',
+                default: 'app.demo.securityreview.ai',
+                validate: (v) => {
+                    const normalized = normalizeApiUrl(v);
+                    if (!normalized) return 'Must be a valid URL';
+
+                    try {
+                        new URL(normalized);
+                        return true;
+                    } catch {
+                        return 'Must be a valid URL';
+                    }
+                },
+            });
+            apiUrl = normalizeApiUrl(apiUrl);
+        } else {
+            console.log(chalk.dim(`  API URL: ${apiUrl} (from saved config/env/flags)`));
+        }
+
+        if (!apiToken) {
+            apiToken = await input({
+                message: '🔑 SRAI API Token:',
+                validate: (v) => (v.length > 0 ? true : 'Token is required'),
+            });
+        } else {
+            console.log(chalk.dim(`  API Token: ${'•'.repeat(8)} (from saved config/env/flags)`));
+        }
+    } else {
+        if (!apiUrl || !apiToken) {
+            console.log(
+                chalk.yellow(
+                    '⚠  Missing credentials. Set SECURITY_REVIEW_API_URL and SECURITY_REVIEW_API_TOKEN\n' +
+                    '   environment variables, pass --api-url and --api-key flags, or run in interactive mode.',
+                ),
+            );
+            process.exit(1);
+        }
+    }
+
+    return { apiUrl, apiToken };
+}
+
+/**
+ * Resolve project mapping from SRAI API.
+ */
+async function resolveProjectName(options, interactive, apiUrl, apiToken) {
+    const pinnedProject = (options.projectName || process.env.SECURITY_REVIEW_PROJECT_NAME || '').trim();
+
+    if (!interactive && pinnedProject) {
+        return pinnedProject;
+    }
+
+    const projectNames = await fetchProjectNames(apiUrl, apiToken);
+
+    if (!interactive) {
+        if (projectNames.length === 1) {
+            return projectNames[0];
+        }
+
+        console.log(
+            chalk.yellow(
+                '⚠  Multiple projects available. Pass --project-name or run interactive mode to choose one.',
+            ),
+        );
+        process.exit(1);
+    }
+
+    const selected = await select({
+        message: '🧩 Select SRAI project to connect:',
+        choices: projectNames.map((name) => ({
+            name,
+            value: name,
+        })),
+        default: projectNames.includes(pinnedProject) ? pinnedProject : undefined,
+        pageSize: 12,
+    });
+
+    return selected;
+}
+
+/**
+ * Resolve targets from flags or interactive prompt.
+ */
+async function resolveTargets(options, interactive, cwd) {
+    // Flag mode: explicit target(s)
+    if (options.target) {
+        const targets = Array.isArray(options.target) ? options.target : [options.target];
+        for (const t of targets) {
+            if (!TARGET_NAMES.includes(t)) {
+                console.log(chalk.red(`✗ Unknown target: ${t}`));
+                console.log(chalk.dim(`  Valid targets: ${TARGET_NAMES.join(', ')}`));
+                process.exit(1);
+            }
+        }
+        return targets;
+    }
+
+    if (options.all) {
+        return [...TARGET_NAMES];
+    }
+
+    if (!interactive) {
+        console.log(chalk.red('✗ No target specified. Use --target <name> or --all.'));
+        process.exit(1);
+    }
+
+    // Interactive: detect and offer choices
+    const detected = detectTargets(cwd);
+
+    console.log('');
+    if (detected.length > 0) {
+        console.log(
+            chalk.dim(`  Detected IDEs in workspace: ${detected.map((d) => TARGETS[d].name).join(', ')}`),
+        );
+    }
+
+    const selected = await checkbox({
+        message: '🎯 Select target IDE(s) / CLI(s) to configure:',
+        choices: TARGET_NAMES.map((key) => ({
+            name: `${TARGETS[key].name}`,
+            value: key,
+            checked: detected.includes(key),
+        })),
+        validate: (v) => (v.length > 0 ? true : 'Select at least one target'),
+    });
+
+    return selected;
+}
+
+/**
+ * Main init command handler.
+ */
+export async function initCommand(options) {
+    const cwd = process.cwd();
+    const interactive = !options.target && !options.all;
+
+    // Banner
+    console.log('');
+    console.log(chalk.bold.cyan('  ╔══════════════════════════════════════╗'));
+    console.log(chalk.bold.cyan('  ║') + chalk.bold('   🛡️  Security Review Kit — Init  ') + chalk.bold.cyan('   ║'));
+    console.log(chalk.bold.cyan('  ╚══════════════════════════════════════╝'));
+    console.log('');
+
+    if (interactive) {
+        console.log(chalk.dim('  Interactive setup — follow the prompts below.\n'));
+    }
+
+    // Step 1: Resolve targets
+    console.log(chalk.bold.white('  Step 1 of 4: Select Targets'));
+    console.log(chalk.dim('  ─────────────────────────────────'));
+    const targets = await resolveTargets(options, interactive, cwd);
+    console.log(chalk.green(`  ✓ Targets: ${targets.map((t) => TARGETS[t].name).join(', ')}`));
+    console.log('');
+
+    // Step 2: What to install (rules question first, then MCP)
+    let installMcp = !options.skipMcp;
+    let installRules = !options.skipRules;
+
+    if (interactive) {
+        console.log(chalk.bold.white('  Step 2 of 4: Installation Options'));
+        console.log(chalk.dim('  ─────────────────────────────────'));
+        installRules = await confirm({
+            message: '📋 Install workspace security rules?',
+            default: true,
+        });
+        installMcp = await confirm({
+            message: '📡 Install MCP server configuration?',
+            default: true,
+        });
+    }
+
+    if (!installMcp && !installRules) {
+        console.log(chalk.yellow('  ⚠  Nothing to install. Exiting.'));
+        return;
+    }
+    console.log('');
+
+    // Step 3: Resolve credentials (only needed when MCP is being installed)
+    let envVars = { apiUrl: '', apiToken: '' };
+    if (installMcp) {
+        console.log(chalk.bold.white('  Step 3 of 4: SRAI Credentials'));
+        console.log(chalk.dim('  ─────────────────────────────────'));
+        envVars = await resolveEnvVars(options, interactive, cwd);
+        console.log(chalk.green('  ✓ Credentials configured'));
+    } else {
+        console.log(chalk.dim('  Step 3 of 4: Skipping SRAI credentials (MCP not selected).'));
+    }
+    console.log('');
+
+    // Step 4: Resolve project name (only needed when MCP is being installed)
+    let projectName = options.projectName || process.env.SECURITY_REVIEW_PROJECT_NAME || '';
+    if (installMcp) {
+        console.log(chalk.bold.white('  Step 4 of 4: SRAI Project Mapping'));
+        console.log(chalk.dim('  ─────────────────────────────────'));
+        projectName = await resolveProjectName(options, interactive, envVars.apiUrl, envVars.apiToken);
+        if (projectName) {
+            console.log(chalk.green(`  ✓ Project mapped: ${projectName}`));
+        } else {
+            console.log(chalk.dim('  No project name provided. Rules will use a generic project lookup instruction.'));
+        }
+    } else {
+        console.log(chalk.dim('  Step 4 of 4: Skipping SRAI project mapping (MCP not selected).'));
+    }
+    console.log('');
+
+    console.log(chalk.bold.white('  Installing...'));
+    console.log(chalk.dim('  ─────────────────────────────────'));
+
+    const results = [];
+
+    for (const target of targets) {
+        const targetInfo = TARGETS[target];
+        console.log('');
+        console.log(chalk.bold(`  ${targetInfo.name}`));
+
+        if (installMcp) {
+            try {
+                const gen = await mcpGenerators[target]();
+                const mcpPath = gen.generate(cwd, envVars);
+                console.log(chalk.green(`    ✓ MCP config → ${typeof mcpPath === 'string' ? mcpPath : mcpPath}`));
+                results.push({ target, type: 'mcp', status: 'ok', path: mcpPath });
+            } catch (err) {
+                console.log(chalk.red(`    ✗ MCP config failed: ${err.message}`));
+                results.push({ target, type: 'mcp', status: 'error', error: err.message });
+            }
+        }
+
+        if (installRules) {
+            try {
+                const gen = await ruleGenerators[target]();
+                const generatedRules = normalizeRuleResults(gen.generate(cwd, { projectName }));
+
+                for (const rule of generatedRules) {
+                    const labelByKind = {
+                        rule: 'Workspace rule',
+                        command: 'Workspace command',
+                        agent: 'Workspace agent',
+                        skill: 'Workspace skill',
+                    };
+                    const label = labelByKind[rule.kind] || 'Workspace rule';
+                    console.log(chalk.green(`    ✓ ${label} → ${rule.filePath} (${rule.action})`));
+                    results.push({ target, type: rule.kind, status: 'ok', path: rule.filePath, action: rule.action });
+                }
+            } catch (err) {
+                console.log(chalk.red(`    ✗ Workspace rule failed: ${err.message}`));
+                results.push({ target, type: 'rule', status: 'error', error: err.message });
+            }
+        }
+    }
+
+    // Summary
+    const ok = results.filter((r) => r.status === 'ok').length;
+    const errors = results.filter((r) => r.status === 'error').length;
+
+    console.log('');
+    console.log(chalk.dim('  ─────────────────────────────────'));
+    if (errors === 0) {
+        console.log(chalk.bold.green(`  ✅ Done! ${ok} configuration(s) installed successfully.`));
+    } else {
+        console.log(
+            chalk.bold.yellow(`  ⚠  Done with ${errors} error(s). ${ok} configuration(s) installed.`),
+        );
+    }
+    console.log('');
+    console.log(chalk.dim('  Run `securityreview-kit status` to verify your setup.'));
+    console.log('');
+}

package/src/commands/status.js

@@ -0,0 +1,86 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import chalk from 'chalk';
+import { TARGETS, TARGET_NAMES, SENTINEL_START } from '../utils/constants.js';
+import { readText, readJson } from '../utils/fs-helpers.js';
+
+/**
+ * Status command — show what's configured in the current workspace.
+ */
+export async function statusCommand() {
+    const cwd = process.cwd();
+
+    console.log('');
+    console.log(chalk.bold.cyan('  ╔══════════════════════════════════════╗'));
+    console.log(chalk.bold.cyan('  ║') + chalk.bold('  🛡️  Security Review Kit — Status ') + chalk.bold.cyan('   ║'));
+    console.log(chalk.bold.cyan('  ╚══════════════════════════════════════╝'));
+    console.log('');
+    console.log(chalk.dim(`  Workspace: ${cwd}`));
+    console.log('');
+
+    let anyFound = false;
+
+    for (const key of TARGET_NAMES) {
+        const target = TARGETS[key];
+        const mcpPath = join(cwd, target.mcpConfigPath);
+        const rulePath = join(cwd, target.rulePath);
+
+        const mcpExists = existsSync(mcpPath);
+        const ruleExists = existsSync(rulePath);
+
+        // Check if the MCP config actually has our server
+        let mcpHasServer = false;
+        if (mcpExists) {
+            if (target.mcpConfigPath.endsWith('.toml')) {
+                const content = readText(mcpPath);
+                mcpHasServer = content.includes('[mcp_servers.security-review-mcp]');
+            } else {
+                const json = readJson(mcpPath);
+                const servers = json?.mcpServers || json?.servers || {};
+                mcpHasServer = 'security-review-mcp' in servers;
+            }
+        }
+
+        // Check if rule file has our sentinel
+        let ruleHasSrai = false;
+        if (ruleExists) {
+            if (target.ruleMode === 'append') {
+                const content = readText(rulePath);
+                ruleHasSrai = content.includes(SENTINEL_START) || content.includes('SRAI Security Review');
+            } else {
+                // Standalone rule file — existence is enough
+                ruleHasSrai = true;
+            }
+        }
+
+        if (!mcpHasServer && !ruleHasSrai) continue;
+
+        anyFound = true;
+        console.log(chalk.bold(`  ${target.name}`));
+        console.log(
+            `    MCP Config:     ${mcpHasServer ? chalk.green('✓ Configured') : chalk.dim('✗ Not found')}  ${chalk.dim(target.mcpConfigPath)}`,
+        );
+        console.log(
+            `    Workspace Rule: ${ruleHasSrai ? chalk.green('✓ Installed') : chalk.dim('✗ Not found')}  ${chalk.dim(target.rulePath)}`,
+        );
+        console.log('');
+    }
+
+    if (!anyFound) {
+        console.log(chalk.yellow('  No security-review-mcp configurations found in this workspace.'));
+        console.log(chalk.dim('  Run `securityreview-kit init` to set up.'));
+        console.log('');
+    }
+
+    // Check env vars
+    console.log(chalk.bold('  Environment'));
+    const apiUrl = process.env.SECURITY_REVIEW_API_URL;
+    const apiToken = process.env.SECURITY_REVIEW_API_TOKEN;
+    console.log(
+        `    SECURITY_REVIEW_API_URL:   ${apiUrl ? chalk.green('✓ Set') : chalk.yellow('✗ Not set')}`,
+    );
+    console.log(
+        `    SECURITY_REVIEW_API_TOKEN: ${apiToken ? chalk.green('✓ Set') : chalk.yellow('✗ Not set')}`,
+    );
+    console.log('');
+}