@securityreviewai/securityreview-kit 0.1.12 → 0.1.14

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@securityreviewai/securityreview-kit",
-  "version": "0.1.12",
+  "version": "0.1.14",
   "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
   "author": "Debarshi Das <debarshi.das@we45.com>",
   "license": "UNLICENSED",

package/src/commands/init.js

@@ -2,7 +2,7 @@ import chalk from 'chalk';
 import { input, checkbox, confirm, select } from '@inquirer/prompts';
 import { TARGETS, TARGET_NAMES } from '../utils/constants.js';
 import { detectTargets } from '../utils/detect.js';
-import { fetchProjectNames, getStoredCredentials, normalizeApiUrl } from '../utils/srai.js';
+import { fetchVibeReviewProjectNames, getStoredCredentials, normalizeApiUrl } from '../utils/srai.js';
 
 // Dynamic imports for generators (avoids loading all at startup)
 const mcpGenerators = {
@@ -111,27 +111,36 @@ async function resolveEnvVars(options, interactive, cwd) {
 async function resolveProjectName(options, interactive, apiUrl, apiToken) {
     const pinnedProject = (options.projectName || process.env.SECURITY_REVIEW_PROJECT_NAME || '').trim();
 
-    if (!interactive && pinnedProject) {
-        return pinnedProject;
-    }
-
-    const projectNames = await fetchProjectNames(apiUrl, apiToken);
+    const projectNames = await fetchVibeReviewProjectNames(apiUrl, apiToken);
 
     if (!interactive) {
+        if (pinnedProject) {
+            if (!projectNames.includes(pinnedProject)) {
+                console.log(
+                    chalk.yellow(
+                        `⚠  Project "${pinnedProject}" is not in the vibe-review-enabled list. ` +
+                            'Only projects with is_vibe_review=true can be selected. Pass a valid --project-name or run interactive mode.',
+                    ),
+                );
+                process.exit(1);
+            }
+            return pinnedProject;
+        }
+
         if (projectNames.length === 1) {
             return projectNames[0];
         }
 
         console.log(
             chalk.yellow(
-                '⚠  Multiple projects available. Pass --project-name or run interactive mode to choose one.',
+                '⚠  Multiple vibe-review projects available. Pass --project-name or run interactive mode to choose one.',
             ),
         );
         process.exit(1);
     }
 
     const selected = await select({
-        message: '🧩 Select SRAI project to connect:',
+        message: '🧩 Select SRAI project (vibe review enabled only):',
         choices: projectNames.map((name) => ({
             name,
             value: name,

package/src/commands/switch-project.js

@@ -4,7 +4,7 @@ import chalk from 'chalk';
 import { input, select } from '@inquirer/prompts';
 import { SENTINEL_START, TARGET_NAMES, TARGETS } from '../utils/constants.js';
 import { readJson, readText } from '../utils/fs-helpers.js';
-import { fetchProjectNames, getStoredCredentials, normalizeApiUrl } from '../utils/srai.js';
+import { fetchVibeReviewProjectNames, getStoredCredentials, normalizeApiUrl } from '../utils/srai.js';
 
 const ruleGenerators = {
     cursor: () => import('../generators/rules/cursor.js'),
@@ -116,10 +116,10 @@ async function resolveCredentials(options, cwd) {
 
 async function resolveProjectName(options, apiUrl, apiToken) {
     const pinnedProject = (options.projectName || process.env.SECURITY_REVIEW_PROJECT_NAME || '').trim();
-    const projectNames = await fetchProjectNames(apiUrl, apiToken);
+    const projectNames = await fetchVibeReviewProjectNames(apiUrl, apiToken);
 
     return select({
-        message: '🧩 Select SRAI project:',
+        message: '🧩 Select SRAI project (vibe review enabled only):',
         choices: projectNames.map((name) => ({
             name,
             value: name,

package/src/generators/rules/content.md

@@ -80,6 +80,14 @@ Rather than fetching the entire profile at once, walk through each reasoning blo
 
 12. **After threat modeling (ALWAYS / POST threat modelling)** — Invoke `ctm_sync` agent and upload the required CTM data.
 
+### CTM sync — chat session and workflows (all IDEs)
+
+When running `ctm_sync` (dedicated agent/command where available, or the same steps inline):
+
+- Include a stable **`chat_session_id`** on every event payload. Reuse one id for the entire current chat; use a different id for a different chat. Prefer an IDE-provided session/conversation id; if unavailable, generate a UUID once per chat and reuse it.
+- **First time** a `chat_session_id` is seen for a project: create an AI IDE workflow via `create_ai_ide_workflow` with a short name `session1`, `session2`, … (next free index) and put `chat_session_id:<id>` in the workflow **description** so it can be found later.
+- **Same chat later:** find the workflow whose description contains that `chat_session_id` marker and push `create_ai_ide_event` to that `workflow_id` — do **not** create another workflow for the same session.
+
 ### Tool Reference
 
 | Category | Tools |
@@ -91,3 +99,5 @@ Rather than fetching the entire profile at once, walk through each reasoning blo
 | **Workflow** | `start_workflow`, `get_workflow_status`, `start_next_workflow_job`, `start_workflow_job`, `retry_workflow_job` |
 | **Analysis** | `get_threat_scenarios`, `get_countermeasures`, `get_components`, `get_data_dictionaries`, `get_security_objectives`, `get_findings`, `get_security_test_cases` |
 | **Integrations** | `fetch_jira_issue`, `fetch_confluence_page`, `search_confluence_pages`, `fetch_and_link_to_srai` |
+| **AI IDE CTM** | `create_ai_ide_workflow`, `create_ai_ide_event` (and any `list_*` AI IDE workflow tools exposed by the server) |
+| **Profile Update** | `update_vibe_project_profile` |

package/src/generators/rules/ctm_sync.md

@@ -9,25 +9,45 @@ Configured SRAI project name: `<SRAI_PROJECT_NAME>`
 
 When invoked:
 
-0. Verify `create_ai_ide_event` tool exists in `security-review-mcp`
+0. Verify `create_ai_ide_event` and `create_ai_ide_workflow` exist in `security-review-mcp`. If a `list_*` tool for AI IDE workflows exists, prefer it for workflow discovery.
 1. Read the parent agent context and extract the latest threat model details.
-2. Build a JSON payload with these exact keys:
+2. **Chat session identity (required)** — The event payload MUST include a stable `chat_session_id` for the current IDE chat session:
+   - Use a session identifier supplied by the host environment when one exists (e.g. conversation or session id from the IDE/agent runtime).
+   - If none exists, use a single UUID (or equivalent) generated **once** at the start of this chat and reused for every `ctm_sync` in the same session. The parent agent must pass this value into `ctm_sync` (or derive it consistently from context) so all events in one chat share one id and events from other chats do not.
+3. **Resolve or create the AI IDE workflow** (one workflow per distinct `chat_session_id`):
+   - Resolve the SRAI project: `find_project_by_name` with `name="<SRAI_PROJECT_NAME>"`. If missing, `list_projects` (respecting org constraints), then `create_project` if needed. Obtain `project_id` as required by MCP tools.
+   - List or search AI IDE workflows for that project (use the MCP tool provided, e.g. listing workflows filtered by project). Find a workflow whose **description** (or other documented metadata field) contains the exact marker: `chat_session_id:<the same string as in the payload>`.
+   - **If a matching workflow exists:** use its `workflow_id` for the event.
+   - **If none exists:** call `create_ai_ide_workflow` with:
+     - `project_id`
+     - `name`: a short sequential label `session1`, `session2`, `session3`, … — choose the next unused index (e.g. count existing AI IDE workflows for the project and use `session` + (count + 1), or first gap if your listing allows).
+     - `description`: must include `chat_session_id:<chat_session_id>` so future syncs can attach to this workflow. Add a brief human-readable note if helpful.
+   - Store the returned `workflow_id` for the upload step.
+4. Build a JSON payload for `create_ai_ide_event` with these exact keys:
    - `workflow_id`
+   - `chat_session_id` (same value used for routing above)
    - `title`
    - `summary`
-   - `developer_name` = fetch from git config unless explicity specified by user
-   - `developer_email` = fetch from git config unless explicity specified by user
+   - `developer_name` = fetch from git config unless explicitly specified by user
+   - `developer_email` = fetch from git config unless explicitly specified by user
    - `threats_mitigated`
    - `best_practises_achieved`
    - `secure_code_snippets`
-3. Resolve the configured SRAI project:
-   - Call `find_project_by_name` with `name="<SRAI_PROJECT_NAME>"`.
-   - If missing, call `list_projects`, then `create_project` if needed.
-4. Upload the payload using `security-review-mcp`:
+5. Upload the payload using `security-review-mcp`:
    - Use the tool `create_ai_ide_event`
+6. **Push a project profile update** — After the event is created, derive project profile data from the current threat model context and call `update_vibe_project_profile` with `project_id` and the following fields:
+   - `description`: a concise summary of the system/project derived from the threat model context (what it does, what data it handles, its overall purpose)
+   - `architecture_notes`: a list of architecture observations extracted from the threat model — deployment topology, trust boundaries, data flows, integration points
+   - `tech_categories`: a list of technology category labels identified during threat modeling (e.g. `"backend"`, `"frontend"`, `"database"`, `"cloud"`, `"mobile"`)
+   - `user_groups`: a list of user roles and groups surfaced in the threat model (e.g. `"admin"`, `"end user"`, `"service account"`)
+   - `compliance_requirements`: a list of compliance requirements or standards referenced in the threat model or conversation (e.g. `"PCI-DSS"`, `"HIPAA"`, `"SOC 2"`)
+   - `language_stacks`: a list of programming languages, runtimes, and major frameworks identified in the codebase or threat model context (e.g. `"Python/FastAPI"`, `"TypeScript/React"`, `"Java/Spring"`)
+   - Omit any field for which no data is available in context — do **not** invent values. Pass an empty list `[]` only if the field is reasonably expected but simply unpopulated.
 
 ## Output Contract
 
 - Never skip upload when a threat model exists.
 - Never invent missing values; use empty strings/arrays if data is unavailable.
-- Return a compact confirmation after upload.
+- Never omit `chat_session_id` from the payload.
+- Never skip the `update_vibe_project_profile` call when profile-relevant data (architecture, tech, users, compliance, languages, or description) can be derived from context.
+- Return a compact confirmation after upload (including whether an existing workflow was reused or a new `sessionN` workflow was created, and confirmation that the project profile was updated).

package/src/generators/rules/ctm_sync_rule.md

@@ -55,10 +55,12 @@ This includes both:
 2. **Immediately call the `ctm_sync` agent**
 
    - Use the `Task` tool (or equivalent agent launcher) with `subagent_type="ctm_sync"`.
+   - **Session routing:** In the prompt (or structured handoff), always include the **current chat’s stable `chat_session_id`** — the same id for every `ctm_sync` in this conversation, and a new id for a different chat. Use the IDE/session id when exposed; otherwise generate one UUID at the start of the chat and reuse it. This ensures SRAI attaches events to the correct per-session workflow (`session1`, `session2`, … for new sessions).
    - Provide a clear, concise description in the `description`/`prompt` fields explaining:
      - What system or component the threat model covers
      - Whether this is a new threat model or an update
      - Where the latest threat content can be found (e.g., “from this conversation” or “from the last threat modeling step”)
+     - The `chat_session_id` value to use for this sync
 
    **Example invocation (conceptual, not literal code):**
 

package/src/utils/srai.js

@@ -115,7 +115,7 @@ function toProjectName(entry) {
     return '';
 }
 
-function extractProjectNames(payload) {
+function collectProjectLists(payload) {
     const collections = [];
 
     if (Array.isArray(payload)) {
@@ -131,8 +131,12 @@ function extractProjectNames(payload) {
         }
     }
 
+    return collections;
+}
+
+function extractProjectNames(payload) {
     const names = new Set();
-    for (const list of collections) {
+    for (const list of collectProjectLists(payload)) {
         for (const entry of list) {
             const name = toProjectName(entry);
             if (name) names.add(name);
@@ -143,9 +147,48 @@ function extractProjectNames(payload) {
 }
 
 /**
- * Fetch all project names from SRAI.
+ * Whether a project object is marked for AI / vibe review kit selection.
+ * Only entries with an explicit true-like `is_vibe_review` (or common API aliases) qualify.
  */
-export async function fetchProjectNames(apiUrl, apiToken) {
+export function isVibeReviewProject(entry) {
+    if (!entry || typeof entry !== 'object') return false;
+
+    const keys = ['is_vibe_review', 'isVibeReview', 'vibe_review', 'vibeReview'];
+    for (const key of keys) {
+        if (!Object.prototype.hasOwnProperty.call(entry, key)) continue;
+        const value = entry[key];
+        if (value === true || value === 1) return true;
+        if (typeof value === 'string') {
+            const v = value.toLowerCase().trim();
+            if (v === 'true' || v === '1' || v === 'yes') return true;
+        }
+        return false;
+    }
+
+    return false;
+}
+
+/**
+ * Extract { name, entry } pairs from a projects API payload.
+ */
+export function extractProjectEntries(payload) {
+    const out = [];
+    const seen = new Set();
+
+    for (const list of collectProjectLists(payload)) {
+        for (const entry of list) {
+            const name = toProjectName(entry);
+            if (!name || seen.has(name)) continue;
+            seen.add(name);
+            out.push({ name, entry });
+        }
+    }
+
+    out.sort((a, b) => a.name.localeCompare(b.name));
+    return out;
+}
+
+async function fetchProjectsPayload(apiUrl, apiToken) {
     const endpoint = resolveProjectsEndpoint(apiUrl);
 
     let response;
@@ -174,6 +217,14 @@ export async function fetchProjectNames(apiUrl, apiToken) {
         throw new Error(`Project fetch returned non-JSON content at ${endpoint}`);
     }
 
+    return { payload, endpoint };
+}
+
+/**
+ * Fetch all project names from SRAI (no filtering).
+ */
+export async function fetchProjectNames(apiUrl, apiToken) {
+    const { payload, endpoint } = await fetchProjectsPayload(apiUrl, apiToken);
     const names = extractProjectNames(payload);
     if (names.length === 0) {
         throw new Error(`No project names found in API response from ${endpoint}`);
@@ -181,3 +232,21 @@ export async function fetchProjectNames(apiUrl, apiToken) {
 
     return names;
 }
+
+/**
+ * Fetch project names that have `is_vibe_review` (or API alias) set true — used for kit init / project switch.
+ */
+export async function fetchVibeReviewProjectNames(apiUrl, apiToken) {
+    const { payload, endpoint } = await fetchProjectsPayload(apiUrl, apiToken);
+    const entries = extractProjectEntries(payload);
+    const names = entries.filter(({ entry }) => isVibeReviewProject(entry)).map(({ name }) => name);
+
+    if (names.length === 0) {
+        throw new Error(
+            `No projects with vibe review enabled (is_vibe_review=true) were returned from ${endpoint}. ` +
+                'Enable vibe review on at least one SRAI project, or check your API token and URL.',
+        );
+    }
+
+    return names;
+}