@securityreviewai/securityreview-kit 0.1.11

package/src/commands/switch-project.js

@@ -0,0 +1,205 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import chalk from 'chalk';
+import { input, select } from '@inquirer/prompts';
+import { SENTINEL_START, TARGET_NAMES, TARGETS } from '../utils/constants.js';
+import { readJson, readText } from '../utils/fs-helpers.js';
+import { fetchProjectNames, getStoredCredentials, normalizeApiUrl } from '../utils/srai.js';
+
+const ruleGenerators = {
+    cursor: () => import('../generators/rules/cursor.js'),
+    claude: () => import('../generators/rules/claude.js'),
+    vscode: () => import('../generators/rules/vscode.js'),
+    windsurf: () => import('../generators/rules/windsurf.js'),
+    codex: () => import('../generators/rules/codex.js'),
+    gemini: () => import('../generators/rules/gemini.js'),
+    antigravity: () => import('../generators/rules/antigravity.js'),
+};
+
+function normalizeRuleResults(rawResult) {
+    const entries = Array.isArray(rawResult) ? rawResult : [rawResult];
+
+    return entries.map((entry) => {
+        if (typeof entry === 'string') {
+            return { filePath: entry, action: 'created', kind: 'rule' };
+        }
+
+        if (entry && typeof entry.filePath === 'string') {
+            const allowedKinds = new Set(['rule', 'command', 'agent', 'skill']);
+            const kind = allowedKinds.has(entry.kind) ? entry.kind : 'rule';
+            return { filePath: entry.filePath, action: entry.action || 'created', kind };
+        }
+
+        throw new Error('Rule generator returned an invalid result.');
+    });
+}
+
+function hasConfiguredMcpServer(cwd, target) {
+    const mcpPath = join(cwd, target.mcpConfigPath);
+    if (!existsSync(mcpPath)) return false;
+
+    if (mcpPath.endsWith('.toml')) {
+        const content = readText(mcpPath);
+        return content.includes('[mcp_servers.security-review-mcp]');
+    }
+
+    const json = readJson(mcpPath);
+    const servers = json?.mcpServers || json?.servers || {};
+    return 'security-review-mcp' in servers;
+}
+
+function hasInstalledRule(cwd, target) {
+    const rulePath = join(cwd, target.rulePath);
+    if (!existsSync(rulePath)) return false;
+
+    if (target.ruleMode === 'append') {
+        const content = readText(rulePath);
+        return content.includes(SENTINEL_START) || content.includes('SRAI Security Review');
+    }
+
+    return true;
+}
+
+function resolveConfiguredTargets(cwd) {
+    return TARGET_NAMES.filter((key) => {
+        const target = TARGETS[key];
+        return hasConfiguredMcpServer(cwd, target) || hasInstalledRule(cwd, target);
+    });
+}
+
+async function resolveCredentials(options, cwd) {
+    let apiUrl = normalizeApiUrl(options.apiUrl || process.env.SECURITY_REVIEW_API_URL || '');
+    let apiToken = String(options.apiKey || process.env.SECURITY_REVIEW_API_TOKEN || '').trim();
+
+    if (!apiUrl || !apiToken) {
+        const stored = getStoredCredentials(cwd);
+        if (!apiUrl && stored.apiUrl) {
+            apiUrl = stored.apiUrl;
+        }
+        if (!apiToken && stored.apiToken) {
+            apiToken = stored.apiToken;
+        }
+    }
+
+    if (!apiUrl) {
+        apiUrl = await input({
+            message: '🔗 SRAI API URL:',
+            default: 'app.demo.securityreview.ai',
+            validate: (v) => {
+                const normalized = normalizeApiUrl(v);
+                if (!normalized) return 'Must be a valid URL';
+
+                try {
+                    new URL(normalized);
+                    return true;
+                } catch {
+                    return 'Must be a valid URL';
+                }
+            },
+        });
+        apiUrl = normalizeApiUrl(apiUrl);
+    } else {
+        console.log(chalk.dim(`  API URL: ${apiUrl} (from saved config/env/flags)`));
+    }
+
+    if (!apiToken) {
+        apiToken = await input({
+            message: '🔑 SRAI API Token:',
+            validate: (v) => (v.length > 0 ? true : 'Token is required'),
+        });
+    } else {
+        console.log(chalk.dim(`  API Token: ${'•'.repeat(8)} (from saved config/env/flags)`));
+    }
+
+    return { apiUrl, apiToken };
+}
+
+async function resolveProjectName(options, apiUrl, apiToken) {
+    const pinnedProject = (options.projectName || process.env.SECURITY_REVIEW_PROJECT_NAME || '').trim();
+    const projectNames = await fetchProjectNames(apiUrl, apiToken);
+
+    return select({
+        message: '🧩 Select SRAI project:',
+        choices: projectNames.map((name) => ({
+            name,
+            value: name,
+        })),
+        default: projectNames.includes(pinnedProject) ? pinnedProject : undefined,
+        pageSize: 12,
+    });
+}
+
+export async function switchProjectCommand(options = {}) {
+    const cwd = process.cwd();
+    const targets = resolveConfiguredTargets(cwd);
+
+    console.log('');
+    console.log(chalk.bold.cyan('  ╔══════════════════════════════════════╗'));
+    console.log(chalk.bold.cyan('  ║') + chalk.bold(' 🛡️  Security Review Kit — Switch ') + chalk.bold.cyan('   ║'));
+    console.log(chalk.bold.cyan('  ╚══════════════════════════════════════╝'));
+    console.log('');
+
+    if (targets.length === 0) {
+        console.log(chalk.yellow('  ⚠  No configured targets found in this workspace.'));
+        console.log(chalk.dim('  Run `securityreview-kit init` first.'));
+        console.log('');
+        return;
+    }
+
+    console.log(chalk.dim(`  Targets to update: ${targets.map((t) => TARGETS[t].name).join(', ')}`));
+    console.log('');
+    console.log(chalk.bold.white('  Step 1 of 2: SRAI Credentials'));
+    console.log(chalk.dim('  ─────────────────────────────────'));
+    const envVars = await resolveCredentials(options, cwd);
+    console.log(chalk.green('  ✓ Credentials configured'));
+    console.log('');
+
+    console.log(chalk.bold.white('  Step 2 of 2: SRAI Project Mapping'));
+    console.log(chalk.dim('  ─────────────────────────────────'));
+    const projectName = await resolveProjectName(options, envVars.apiUrl, envVars.apiToken);
+    console.log(chalk.green(`  ✓ Project mapped: ${projectName}`));
+    console.log('');
+
+    console.log(chalk.bold.white('  Updating workspace rules...'));
+    console.log(chalk.dim('  ─────────────────────────────────'));
+
+    const results = [];
+
+    for (const target of targets) {
+        const targetInfo = TARGETS[target];
+        console.log('');
+        console.log(chalk.bold(`  ${targetInfo.name}`));
+
+        try {
+            const gen = await ruleGenerators[target]();
+            const generatedRules = normalizeRuleResults(gen.generate(cwd, { projectName }));
+
+            for (const rule of generatedRules) {
+                const labelByKind = {
+                    rule: 'Workspace rule',
+                    command: 'Workspace command',
+                    agent: 'Workspace agent',
+                    skill: 'Workspace skill',
+                };
+                const label = labelByKind[rule.kind] || 'Workspace rule';
+                console.log(chalk.green(`    ✓ ${label} → ${rule.filePath} (${rule.action})`));
+                results.push({ target, type: rule.kind, status: 'ok', path: rule.filePath, action: rule.action });
+            }
+        } catch (err) {
+            console.log(chalk.red(`    ✗ Workspace rule failed: ${err.message}`));
+            results.push({ target, type: 'rule', status: 'error', error: err.message });
+        }
+    }
+
+    const ok = results.filter((r) => r.status === 'ok').length;
+    const errors = results.filter((r) => r.status === 'error').length;
+
+    console.log('');
+    console.log(chalk.dim('  ─────────────────────────────────'));
+    if (errors === 0) {
+        console.log(chalk.bold.green(`  ✅ Done! ${ok} rule update(s) applied successfully.`));
+    } else {
+        console.log(chalk.bold.yellow(`  ⚠  Done with ${errors} error(s). ${ok} rule update(s) applied.`));
+    }
+    console.log('');
+}

package/src/generators/mcp/claude.js

@@ -0,0 +1,27 @@
+import { join } from 'node:path';
+import { readJson, writeJson } from '../../utils/fs-helpers.js';
+import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
+
+/**
+ * Generate Claude Code MCP config at .claude/settings.json
+ */
+export function generate(cwd, envVars) {
+    const filePath = join(cwd, '.claude', 'settings.json');
+    const existing = readJson(filePath) || {};
+
+    if (!existing.mcpServers) {
+        existing.mcpServers = {};
+    }
+
+    existing.mcpServers[MCP_SERVER_NAME] = {
+        command: 'npx',
+        args: ['-y', `${MCP_SERVER_PACKAGE}@latest`],
+        env: {
+            SECURITY_REVIEW_API_URL: envVars.apiUrl,
+            SECURITY_REVIEW_API_TOKEN: envVars.apiToken,
+        },
+    };
+
+    writeJson(filePath, existing);
+    return filePath;
+}

package/src/generators/mcp/codex.js

@@ -0,0 +1,44 @@
+import { join } from 'node:path';
+import { readText, writeText, ensureDir } from '../../utils/fs-helpers.js';
+import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
+
+/**
+ * Generate Codex MCP config at .codex/config.toml
+ * Codex uses TOML format. We use simple string templating since the structure
+ * is straightforward and avoids a TOML library dependency.
+ */
+export function generate(cwd, envVars) {
+    const filePath = join(cwd, '.codex', 'config.toml');
+    const existing = readText(filePath);
+
+    const serverBlock = `
+[mcp_servers.${MCP_SERVER_NAME}]
+command = "npx"
+args = ["-y", "${MCP_SERVER_PACKAGE}@latest"]
+
+[mcp_servers.${MCP_SERVER_NAME}.env]
+SECURITY_REVIEW_API_URL = "${envVars.apiUrl}"
+SECURITY_REVIEW_API_TOKEN = "${envVars.apiToken}"
+`.trim();
+
+    // Check if we already have this server configured
+    if (existing.includes(`[mcp_servers.${MCP_SERVER_NAME}]`)) {
+        // Replace the existing block — find from the server header to the next
+        // section header or end of file
+        const regex = new RegExp(
+            `\\[mcp_servers\\.${MCP_SERVER_NAME}\\][\\s\\S]*?(?=\\n\\[(?!mcp_servers\\.${MCP_SERVER_NAME})|$)`,
+        );
+        const updated = existing.replace(regex, serverBlock);
+        writeText(filePath, updated);
+    } else if (existing) {
+        // Append to existing file
+        const separator = existing.endsWith('\n') ? '\n' : '\n\n';
+        writeText(filePath, existing + separator + serverBlock + '\n');
+    } else {
+        // New file
+        ensureDir(join(cwd, '.codex'));
+        writeText(filePath, serverBlock + '\n');
+    }
+
+    return filePath;
+}

package/src/generators/mcp/cursor.js

@@ -0,0 +1,27 @@
+import { join } from 'node:path';
+import { readJson, writeJson } from '../../utils/fs-helpers.js';
+import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
+
+/**
+ * Generate Cursor MCP config at .cursor/mcp.json
+ */
+export function generate(cwd, envVars) {
+    const filePath = join(cwd, '.cursor', 'mcp.json');
+    const existing = readJson(filePath) || {};
+
+    if (!existing.mcpServers) {
+        existing.mcpServers = {};
+    }
+
+    existing.mcpServers[MCP_SERVER_NAME] = {
+        command: 'npx',
+        args: ['-y', `${MCP_SERVER_PACKAGE}@latest`],
+        env: {
+            SECURITY_REVIEW_API_URL: envVars.apiUrl,
+            SECURITY_REVIEW_API_TOKEN: envVars.apiToken,
+        },
+    };
+
+    writeJson(filePath, existing);
+    return filePath;
+}

package/src/generators/mcp/gemini.js

@@ -0,0 +1,28 @@
+import { join } from 'node:path';
+import { readJson, writeJson } from '../../utils/fs-helpers.js';
+import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
+
+/**
+ * Generate Gemini CLI / Antigravity MCP config at .gemini/settings.json
+ * Both Gemini CLI and Antigravity use the same config file path.
+ */
+export function generate(cwd, envVars) {
+    const filePath = join(cwd, '.gemini', 'settings.json');
+    const existing = readJson(filePath) || {};
+
+    if (!existing.mcpServers) {
+        existing.mcpServers = {};
+    }
+
+    existing.mcpServers[MCP_SERVER_NAME] = {
+        command: 'npx',
+        args: ['-y', `${MCP_SERVER_PACKAGE}@latest`],
+        env: {
+            SECURITY_REVIEW_API_URL: envVars.apiUrl,
+            SECURITY_REVIEW_API_TOKEN: envVars.apiToken,
+        },
+    };
+
+    writeJson(filePath, existing);
+    return filePath;
+}

package/src/generators/mcp/vscode.js

@@ -0,0 +1,29 @@
+import { join } from 'node:path';
+import { readJson, writeJson } from '../../utils/fs-helpers.js';
+import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
+
+/**
+ * Generate VS Code Copilot MCP config at .vscode/mcp.json
+ * Uses the VS Code input variable pattern for secure credential prompting.
+ */
+export function generate(cwd, envVars) {
+    const filePath = join(cwd, '.vscode', 'mcp.json');
+    const existing = readJson(filePath) || {};
+
+    if (!existing.servers) {
+        existing.servers = {};
+    }
+
+    existing.servers[MCP_SERVER_NAME] = {
+        type: 'stdio',
+        command: 'npx',
+        args: ['-y', `${MCP_SERVER_PACKAGE}@latest`],
+        env: {
+            SECURITY_REVIEW_API_URL: envVars.apiUrl,
+            SECURITY_REVIEW_API_TOKEN: envVars.apiToken,
+        },
+    };
+
+    writeJson(filePath, existing);
+    return filePath;
+}

package/src/generators/mcp/windsurf.js

@@ -0,0 +1,27 @@
+import { join } from 'node:path';
+import { readJson, writeJson } from '../../utils/fs-helpers.js';
+import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
+
+/**
+ * Generate Windsurf MCP config at .windsurf/mcp_config.json
+ */
+export function generate(cwd, envVars) {
+    const filePath = join(cwd, '.windsurf', 'mcp_config.json');
+    const existing = readJson(filePath) || {};
+
+    if (!existing.mcpServers) {
+        existing.mcpServers = {};
+    }
+
+    existing.mcpServers[MCP_SERVER_NAME] = {
+        command: 'npx',
+        args: ['-y', `${MCP_SERVER_PACKAGE}@latest`],
+        env: {
+            SECURITY_REVIEW_API_URL: envVars.apiUrl,
+            SECURITY_REVIEW_API_TOKEN: envVars.apiToken,
+        },
+    };
+
+    writeJson(filePath, existing);
+    return filePath;
+}

package/src/generators/rules/antigravity.js

@@ -0,0 +1,22 @@
+import { join } from 'node:path';
+import { writeText } from '../../utils/fs-helpers.js';
+import { getRuleContent } from './content.js';
+
+/**
+ * Generate Antigravity workspace rule at .agent/rules/srai-security-review.md
+ * Antigravity uses .agent/rules/ with YAML frontmatter (trigger: always_on).
+ */
+export function generate(cwd, options = {}) {
+    const filePath = join(cwd, '.agent', 'rules', 'srai-security-review.md');
+    const content = getRuleContent(options);
+
+    const rule = `---
+trigger: always_on
+---
+
+${content}
+`;
+
+    writeText(filePath, rule);
+    return filePath;
+}

package/src/generators/rules/claude.js

@@ -0,0 +1,13 @@
+import { join } from 'node:path';
+import { upsertSentinelBlock } from '../../utils/fs-helpers.js';
+import { getRuleContent } from './content.js';
+
+/**
+ * Generate Claude Code workspace rule — appends to CLAUDE.md
+ */
+export function generate(cwd, options = {}) {
+    const filePath = join(cwd, 'CLAUDE.md');
+    const content = getRuleContent(options);
+    const action = upsertSentinelBlock(filePath, content);
+    return { filePath, action };
+}

package/src/generators/rules/codex.js

@@ -0,0 +1,13 @@
+import { join } from 'node:path';
+import { upsertSentinelBlock } from '../../utils/fs-helpers.js';
+import { getRuleContent } from './content.js';
+
+/**
+ * Generate Codex workspace rule — appends to AGENTS.md
+ */
+export function generate(cwd, options = {}) {
+    const filePath = join(cwd, 'AGENTS.md');
+    const content = getRuleContent(options);
+    const action = upsertSentinelBlock(filePath, content);
+    return { filePath, action };
+}

package/src/generators/rules/content.js

@@ -0,0 +1,72 @@
+import { readFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+function sanitizeProjectName(value) {
+    return value.replace(/[\r\n`]/g, ' ').trim();
+}
+
+/**
+ * Reads a markdown template and injects the configured project name placeholder.
+ */
+function readTemplate(templateFileName, options = {}) {
+    const template = readFileSync(join(__dirname, templateFileName), 'utf-8').trim();
+    const rawProjectName = typeof options.projectName === 'string' ? options.projectName : '';
+    const projectName = sanitizeProjectName(rawProjectName);
+    const resolvedProjectName = projectName || '<SRAI_PROJECT_NAME>';
+
+    return template
+        .replaceAll('{{SRAI_PROJECT_NAME}}', resolvedProjectName)
+        .replaceAll('<SRAI_PROJECT_NAME>', resolvedProjectName);
+}
+
+/**
+ * Returns the shared rule content markdown.
+ */
+export function getRuleContent(options = {}) {
+    return readTemplate('content.md', options);
+}
+
+/**
+ * Returns the Cursor profile uploader command markdown.
+ */
+export function getProfileCommandContent(options = {}) {
+    return readTemplate('srai-profile.md', options);
+}
+
+/**
+ * Returns the CTM sync workflow content markdown.
+ */
+export function getCtmSyncWorkflowContent(options = {}) {
+    return readTemplate('ctm_sync.md', options);
+}
+
+/**
+ * Returns the Cursor CTM sync trigger rule markdown.
+ */
+export function getCtmSyncTriggerRuleContent(options = {}) {
+    return readTemplate('ctm_sync_rule.md', options);
+}
+
+/**
+ * Returns the Cursor create-ide-workflow command markdown.
+ */
+export function getCreateIdeWorkflowCommandContent(options = {}) {
+    return readTemplate('create-ide-workflow.md', options);
+}
+
+/**
+ * Returns the threat-modelling skill markdown.
+ */
+export function getThreatModellingSkillContent(options = {}) {
+    return readTemplate('skill.md', options);
+}
+
+/**
+ * Returns the hooks.json content for Cursor session hooks.
+ */
+export function getHooksContent() {
+    return readFileSync(join(__dirname, 'hooks.json'), 'utf-8').trim();
+}

package/src/generators/rules/content.md

@@ -0,0 +1,93 @@
+# Security-First Code Generation with PWNISMS Threat Modeling
+
+**THIS RULE IS NON-NEGOTIABLE AND TRIGGERED BEFORE YOU EVEN START THINKING.** You MUST think security-first and perform on-the-go threat modeling using the PWNISMS framework BEFORE and DURING every task whether it's TODO or PLAN or codegen. This is not optional. This is not deferred to a later review. Every line of code you write must be informed by threat awareness.
+
+> **Skill Reference:** Read and apply `.cursor/skills/threat-modelling/SKILL.md` for the full PWNISMS framework — the 7 threat categories, code generation rules, and post-generation checklist. You MUST walk through all 7 categories for every code task that seems security relevant.
+
+### When NOT to apply
+
+Skip PWNISMS and the MCP flow entirely for tasks that have **no security surface**:
+
+- Documentation-only changes (README, comments, changelogs)
+- Code formatting, linting, or style fixes
+- Renaming variables/files with no logic change
+- General Q&A, explanations, or research that produces no code
+- UI copy, typo fixes, or purely cosmetic changes
+- Adding or updating tests that don't touch auth, crypto, or input handling
+
+If in doubt, do a quick mental scan: *does this change touch auth, input handling, secrets, network, data storage, or dependencies?* If **no**, skip. If **yes** or **maybe**, apply.
+
+**MANDATORY POST THREAT MODELLING** ALWAYS invoke `ctm_sync` immediately after threat modelling is generated or updated. This is required on every threat-model run.
+---
+
+## MCP Enhancement — `security-review-mcp`
+
+Configured SRAI project name: `<SRAI_PROJECT_NAME>`
+
+Assess Task Security Relevance
+
+Before any MCP call, classify the task:
+
+1. Bug fix or refactor with no security surface change — Enrich your context with the profile exploration below, skip review tools
+2. Non-security task — Skip MCP entirely
+3. New feature — Start with full profile exploration, then full MCP flow
+
+When the `security-review-mcp` MCP server is available, use it to **enrich and persist** your threat analysis. This is a force multiplier on top of PWNISMS, not a replacement.
+
+### Enriching Your Analysis — Step-by-Step Profile Exploration
+
+Rather than fetching the entire profile at once, walk through each reasoning block below **in order**. Each step builds context for the next and directly informs your PWNISMS threat modeling.
+
+1. **Find the project** — Call `find_project_by_name` with `name="<SRAI_PROJECT_NAME>"`. If that project does not exist, call `list_projects`. If no project exists, call `create_project`.
+
+2. **Understand what the project does** — Call `get_project_profile_description`.
+   - Use this to frame the threat surface: what data flows exist, what the system's purpose is, and where trust boundaries lie.
+
+3. **Discover technology categories** — Call `list_profile_technology_categories`.
+   - This reveals the broad technology areas (e.g., frontend, backend, database, cloud). Use this to scope which PWNISMS categories are most relevant.
+
+4. **Deep-dive each technology category** — For each category returned above, call `get_project_profile_technology_category` with the category name.
+   - Understand specific frameworks, libraries, and versions. Flag known-vulnerable dependencies for the **Supply Chain (S)** PWNISMS category.
+
+5. **Review architecture notes** — Call `list_project_profile_architecture_notes`.
+   - Identify deployment topology, trust boundaries, and data flow patterns. Feed this into **Workload (W)** and **Network (N)** analysis.
+
+6. **Identify user groups** — Call `list_project_profile_user_groups`.
+   - Map user roles and privilege levels. This directly informs **IAM (I)** and **Product (P)** threat categories.
+
+7. **Get language stacks** — Call `list_project_profile_language_stacks`.
+   - Understand the language/runtime landscape for language-specific vulnerability patterns.
+
+8. **List security controls** — Call `list_project_profile_security_controls`.
+   - Get an overview of existing defenses. For each control that is relevant to the current task, call `get_project_profile_security_control` to get full details.
+   - Cross-reference with your PWNISMS findings: are there gaps in **Secrets (S)**, **Monitoring (M)**, or **IAM (I)**?
+
+9. **List compliance requirements** — Call `list_profile_compliance_requirements`.
+   - For each requirement relevant to the task, call `get_profile_compliance_requirement` for full details.
+   - Map these to security objectives and ensure your implementation meets them.
+
+10. **Check for existing reviews** — Call `list_reviews`. If a completed review exists, pull context:
+    - `get_threat_scenarios` — Cross-reference with your PWNISMS findings
+    - `get_countermeasures` — Apply recommended mitigations
+    - `get_components` — Understand the system architecture
+    - `get_data_dictionaries` — Identify sensitive data assets and stepping stones
+    - `get_security_objectives` — Understand compliance requirements
+    - `get_findings` — Review aggregated security insights
+
+11. **No review exists?** Create one:
+    - Upload context via `create_document_from_content`
+    - `create_review` → `start_workflow` → poll `get_workflow_status`
+
+12. **After threat modeling (ALWAYS / POST threat modelling)** — Invoke `ctm_sync` agent and upload the required CTM data.
+
+### Tool Reference
+
+| Category | Tools |
+|---|---|
+| **Projects** | `list_projects`, `find_project_by_name`, `create_project`, `get_project` |
+| **Profile Exploration** | `get_project_profile_description`, `list_profile_technology_categories`, `get_project_profile_technology_category`, `list_project_profile_architecture_notes`, `list_project_profile_user_groups`, `list_project_profile_language_stacks`, `list_project_profile_security_controls`, `get_project_profile_security_control`, `list_profile_compliance_requirements`, `get_profile_compliance_requirement` |
+| **Documents** | `list_documents`, `create_document_from_content`, `upload_document`, `link_external_document` |
+| **Reviews** | `create_review`, `list_reviews`, `get_review`, `get_review_overview` |
+| **Workflow** | `start_workflow`, `get_workflow_status`, `start_next_workflow_job`, `start_workflow_job`, `retry_workflow_job` |
+| **Analysis** | `get_threat_scenarios`, `get_countermeasures`, `get_components`, `get_data_dictionaries`, `get_security_objectives`, `get_findings`, `get_security_test_cases` |
+| **Integrations** | `fetch_jira_issue`, `fetch_confluence_page`, `search_confluence_pages`, `fetch_and_link_to_srai` |

package/src/generators/rules/create-ide-workflow.md

@@ -0,0 +1,34 @@
+---
+name: create-ide-workflow
+description: Create an AI IDE workflow in SRAI via security-review-mcp.
+---
+
+# Create IDE Workflow
+
+Use `security-review-mcp` to create a workflow by calling:
+
+- `create_ai_ide_workflow`
+
+Required payload fields:
+
+- `project_id`
+- `name`
+- `description`
+
+## Steps
+
+1. Resolve `project_id`.
+   - Use configured project name `<SRAI_PROJECT_NAME>` by default.
+   - Call `find_project_by_name` with `name="<SRAI_PROJECT_NAME>"`.
+   - If not found, call `list_projects` and select the right project.
+2. Build `name` and `description` from the user request.
+   - Keep `name` short and action-oriented.
+   - Keep `description` specific about trigger and output.
+3. Call `create_ai_ide_workflow` with:
+   - `project_id`
+   - `name`
+   - `description`
+4. Return a concise confirmation including:
+   - project id
+   - workflow name
+   - workflow id from MCP response (if returned)