@securityreviewai/securityreview-kit 0.1.23 → 0.1.25

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@securityreviewai/securityreview-kit",
-  "version": "0.1.23",
+  "version": "0.1.25",
   "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
   "author": "Debarshi Das <debarshi.das@we45.com>",
   "license": "UNLICENSED",

package/src/cli.js

@@ -29,6 +29,14 @@ export function run() {
         .option('--skip-ide-cli-install', 'Do not install Cursor / Claude Code / Codex CLIs when those targets are selected')
         .option('--profile-repo', 'After init, run the guardrails profiler agent (non-interactive; needs cursor, claude, or codex target)')
         .option('--no-profile-repo', 'Skip the optional profiler agent step after init')
+        .option(
+            '--profiler-no-trust',
+            'When profiling with Cursor, do not pass --trust (use if you need interactive workspace trust or login in the terminal)',
+        )
+        .option(
+            '--profiler-cursor-login',
+            'Before Cursor profiling, run cursor-agent login in this terminal (then profiling runs in the same init)',
+        )
         .action(async (options) => {
             try {
                 if (options.switchProject) {

package/src/commands/init.js

@@ -3,8 +3,12 @@ import { input, checkbox, confirm, select } from '@inquirer/prompts';
 import { TARGETS, TARGET_NAMES } from '../utils/constants.js';
 import { detectTargets } from '../utils/detect.js';
 import { ensureIdeClisForTargets } from '../utils/ide-cli-install.js';
-import { writeGuardrailsProfilerBundle } from '../utils/guardrails-profiler-bundle.js';
-import { pickProfilerAgentTarget, runProfilerAgent } from '../utils/profiler-agent.js';
+import { writeGuardrailsProfilerBundles } from '../utils/guardrails-profiler-bundle.js';
+import {
+    pickProfilerAgentTarget,
+    runCursorAgentLogin,
+    runProfilerAgent,
+} from '../utils/profiler-agent.js';
 import { fetchVibeReviewProjectNames, getStoredCredentials, normalizeApiUrl } from '../utils/srai.js';
 
 // Dynamic imports for generators (avoids loading all at startup)
@@ -346,11 +350,23 @@ export async function initCommand(options) {
 
     if (installRules) {
         try {
-            const bundlePath = writeGuardrailsProfilerBundle(cwd, { projectName: projectNameForSkill });
-            console.log(chalk.green(`    \u2713 Guardrails profiler bundle → ${bundlePath}`));
-            results.push({ target: 'kit', type: 'bundle', status: 'ok', path: bundlePath });
+            const bundlePaths = writeGuardrailsProfilerBundles(cwd, {
+                projectName: projectNameForSkill,
+                targets,
+            });
+            if (bundlePaths.length === 0) {
+                console.log(
+                    chalk.dim(
+                        '    (Guardrails profiler skill is only written for Cursor, Claude Code, and Codex targets.)',
+                    ),
+                );
+            }
+            for (const bundlePath of bundlePaths) {
+                console.log(chalk.green(`    \u2713 Guardrails profiler skill \u2192 ${bundlePath}`));
+                results.push({ target: 'kit', type: 'bundle', status: 'ok', path: bundlePath });
+            }
         } catch (err) {
-            console.log(chalk.red(`    \u2717 Guardrails profiler bundle failed: ${err.message}`));
+            console.log(chalk.red(`    \u2717 Guardrails profiler skill failed: ${err.message}`));
             results.push({ target: 'kit', type: 'bundle', status: 'error', error: err.message });
         }
     }
@@ -397,8 +413,53 @@ export async function initCommand(options) {
         } else {
             console.log('');
             console.log(chalk.bold.white(`  Starting profiler via ${TARGETS[agentTarget].name} CLI…`));
-            console.log(chalk.dim('  (Sign-in or approvals may be required in your terminal.)\n'));
-            const pr = runProfilerAgent(cwd, { target: agentTarget, projectName: projectNameForSkill });
+            if (agentTarget === 'cursor') {
+                console.log(
+                    chalk.dim(
+                        '  Cursor: headless profiling uses `--trust` and `--approve-mcps` on this folder (you confirmed above).',
+                    ),
+                );
+                if (options.profilerNoTrust) {
+                    console.log(
+                        chalk.dim(
+                            '  You passed `--profiler-no-trust`: complete any login or workspace-trust prompts in this terminal.',
+                        ),
+                    );
+                }
+
+                let runLogin = Boolean(options.profilerCursorLogin);
+                if (!runLogin && interactive) {
+                    runLogin = await confirm({
+                        message:
+                            'Run Cursor Agent login in this terminal now? (Same init — profiling runs next. Choose No if already signed in.)',
+                        default: true,
+                    });
+                }
+                if (runLogin) {
+                    console.log('');
+                    console.log(chalk.bold.white('  Cursor Agent login'));
+                    console.log(chalk.dim('  Complete the browser or code prompt, then return here.\n'));
+                    const loginResult = runCursorAgentLogin(cwd);
+                    if (loginResult.ok) {
+                        console.log(chalk.green('  \u2713 Cursor Agent login step finished.'));
+                    } else {
+                        console.log(
+                            chalk.yellow(
+                                `  \u26a0  Login exited with status ${loginResult.status ?? 'unknown'}. Profiling will still be attempted; sign in and re-run init if it fails.`,
+                            ),
+                        );
+                    }
+                    console.log('');
+                }
+            } else {
+                console.log(chalk.dim('  (Sign-in or approvals may be required in your terminal.)'));
+            }
+            console.log('');
+            const pr = runProfilerAgent(cwd, {
+                target: agentTarget,
+                projectName: projectNameForSkill,
+                cursorTrust: !options.profilerNoTrust,
+            });
             if (pr.ok) {
                 console.log(chalk.green('  \u2713 Profiler agent finished.'));
             } else {
@@ -410,6 +471,20 @@ export async function initCommand(options) {
                         `  \u26a0  Profiler agent exited with an error: ${detail}. You can run the guardrails-init-profile workflow manually.`,
                     ),
                 );
+                if (agentTarget === 'cursor') {
+                    console.log('');
+                    console.log(chalk.dim('  Typical fixes:'));
+                    console.log(
+                        chalk.dim(
+                            '    • Not signed in: re-run `securityreview-kit init` and choose Yes for “Run Cursor Agent login”, or pass `--profiler-cursor-login` with `--profile-repo`.',
+                        ),
+                    );
+                    console.log(
+                        chalk.dim(
+                            '    • Want interactive trust instead of `--trust`: run `securityreview-kit init ... --profiler-no-trust` and answer the prompts, then profile again.',
+                        ),
+                    );
+                }
             }
         }
     }

package/src/generators/rules/claude.js

@@ -1,4 +1,5 @@
 import { join } from 'node:path';
+import { GUARDRAILS_PROFILER_SKILL_REL_DIR } from '../../utils/constants.js';
 import { upsertSentinelBlock, writeText } from '../../utils/fs-helpers.js';
 import { getRuleContent, getGuardrailsInitProfileContent } from './content.js';
 
@@ -11,7 +12,10 @@ export function generate(cwd, options = {}) {
     const action = upsertSentinelBlock(filePath, content);
 
     const guardrailsInitPath = join(cwd, '.claude', 'commands', 'guardrails-init-profile.md');
-    const guardrailsInitContent = getGuardrailsInitProfileContent(options);
+    const guardrailsInitContent = getGuardrailsInitProfileContent({
+        ...options,
+        guardrailsSkillDir: GUARDRAILS_PROFILER_SKILL_REL_DIR.claude,
+    });
     writeText(guardrailsInitPath, guardrailsInitContent);
 
     return [

package/src/generators/rules/codex.js

@@ -1,4 +1,5 @@
 import { join } from 'node:path';
+import { GUARDRAILS_PROFILER_SKILL_REL_DIR } from '../../utils/constants.js';
 import { upsertSentinelBlock, writeText } from '../../utils/fs-helpers.js';
 import { getRuleContent, getGuardrailsInitProfileContent } from './content.js';
 
@@ -11,7 +12,10 @@ export function generate(cwd, options = {}) {
     const action = upsertSentinelBlock(filePath, content);
 
     const guardrailsInitPath = join(cwd, '.codex', 'commands', 'guardrails-init-profile.md');
-    const guardrailsInitContent = getGuardrailsInitProfileContent(options);
+    const guardrailsInitContent = getGuardrailsInitProfileContent({
+        ...options,
+        guardrailsSkillDir: GUARDRAILS_PROFILER_SKILL_REL_DIR.codex,
+    });
     writeText(guardrailsInitPath, guardrailsInitContent);
 
     return [

package/src/generators/rules/content.js

@@ -17,9 +17,19 @@ function readTemplate(templateFileName, options = {}) {
     const projectName = sanitizeProjectName(rawProjectName);
     const resolvedProjectName = projectName || '<SRAI_PROJECT_NAME>';
 
-    return template
+    let out = template
         .replaceAll('{{SRAI_PROJECT_NAME}}', resolvedProjectName)
         .replaceAll('<SRAI_PROJECT_NAME>', resolvedProjectName);
+
+    if (out.includes('{{GUARDRAILS_SKILL_DIR}}')) {
+        const skillDir =
+            typeof options.guardrailsSkillDir === 'string' && options.guardrailsSkillDir.trim()
+                ? options.guardrailsSkillDir.trim()
+                : '.cursor/skills/guardrails-profiler';
+        out = out.replaceAll('{{GUARDRAILS_SKILL_DIR}}', skillDir);
+    }
+
+    return out;
 }
 
 /**

package/src/generators/rules/cursor.js

@@ -1,6 +1,7 @@
 import { existsSync } from 'node:fs';
 import { join } from 'node:path';
 import { writeText } from '../../utils/fs-helpers.js';
+import { GUARDRAILS_PROFILER_SKILL_REL_DIR } from '../../utils/constants.js';
 import {
     getRuleContent,
     getProfileCommandContent,
@@ -55,7 +56,10 @@ export function generate(cwd, options = {}) {
     const ctmSyncWorkflowContent = getCtmSyncWorkflowContent(options);
     const createIdeWorkflowCommandContent = getCreateIdeWorkflowCommandContent(options);
     const profileCommandContent = getProfileCommandContent(options);
-    const guardrailsInitProfileCommandContent = getGuardrailsInitProfileContent(options);
+    const guardrailsInitProfileCommandContent = getGuardrailsInitProfileContent({
+        ...options,
+        guardrailsSkillDir: GUARDRAILS_PROFILER_SKILL_REL_DIR.cursor,
+    });
     const skillContent = getThreatModellingSkillContent(options);
 
     const baseRule = writeCursorRule(

package/src/generators/rules/guardrails-init-profile.md

@@ -5,14 +5,24 @@ description: Run the Security Review Kit guardrails profiler — scan the repo,
 
 # Guardrails init profile
 
-Execute the workflow defined in **`.securityreview-kit/guardrails-profiler/SKILL.md`** end-to-end in this workspace.
+Execute the workflow defined in **`{{GUARDRAILS_SKILL_DIR}}/SKILL.md`** end-to-end in this workspace (this IDE’s copy of the guardrails-profiler skill).
 
 Configured SRAI project name: `<SRAI_PROJECT_NAME>`
 
 **You must:**
 
-1. Read `.securityreview-kit/guardrails-profiler/SKILL.md` and follow every step (use the signal registry at `.securityreview-kit/guardrails-profiler/references/signal-registry.json`).
+1. Read `{{GUARDRAILS_SKILL_DIR}}/SKILL.md` and follow every step (use the signal registry at `{{GUARDRAILS_SKILL_DIR}}/references/signal-registry.json`).
 2. Write `.guardrails/profile.json` and **`profile.json`** at the project root as specified.
 3. Call **`update_vibe_profile`** and **`write_default_pack`** on `security-review-mcp` after resolving `project_id` for `<SRAI_PROJECT_NAME>`.
 
 Do not skip MCP upload when credentials and MCP are available.
+
+## Cursor CLI (scripted)
+
+From the repo root, non-interactive runs should include workspace trust and MCP approval (matches `securityreview-kit init`):
+
+`cursor-agent -p "<your profiling instructions>" --trust --approve-mcps`
+
+During `securityreview-kit init`, choose **Yes** when asked to run Cursor login in-terminal, or pass **`--profiler-cursor-login`** with **`--profile-repo`** so login and profiling stay in one run.
+
+You can still sign in manually with `cursor-agent login`. To handle trust/login interactively in the terminal, omit `--trust` and `--approve-mcps`.

package/src/generators/rules/guardrails-profiler/SKILL.md

@@ -11,7 +11,8 @@ Configured SRAI project name: `<SRAI_PROJECT_NAME>`
 
 ## Canonical paths
 
-- **Signal registry (read-only):** `.securityreview-kit/guardrails-profiler/references/signal-registry.json`
+- **This skill & signal registry (read-only):** `<GUARDRAILS_SKILL_DIR>/` — e.g. `.cursor/skills/guardrails-profiler`, `.claude/skills/guardrails-profiler`, or `.codex/skills/guardrails-profiler` depending on where this file was installed.
+- **Signal registry file:** `<GUARDRAILS_SKILL_DIR>/references/signal-registry.json`
 - **Local guardrails file:** `.guardrails/profile.json`
 - **Combined manifest (project root):** `profile.json` — includes guardrails profile, vibe profile fields for MCP, and default pack payload
 
@@ -38,7 +39,7 @@ The project root is the current working directory. Confirm with markers such as
 
 ### Step 2: Read the Signal Registry
 
-Read `.securityreview-kit/guardrails-profiler/references/signal-registry.json`. Use its categories (`universal`, `languages`, `frameworks`, `auth_identity`, `ai_agent`, `infrastructure`, `ci_cd`, `cloud_compute`, `databases`, `messaging`, `api_protocols`, etc.) to map detected signals to guardrail pack IDs.
+Read `<GUARDRAILS_SKILL_DIR>/references/signal-registry.json` (the copy next to this `SKILL.md`). Use its categories (`universal`, `languages`, `frameworks`, `auth_identity`, `ai_agent`, `infrastructure`, `ci_cd`, `cloud_compute`, `databases`, `messaging`, `api_protocols`, etc.) to map detected signals to guardrail pack IDs.
 
 ### Step 3: Scan for Signals
 

package/src/utils/constants.js

@@ -59,5 +59,12 @@ export const TARGETS = {
 
 export const TARGET_NAMES = Object.keys(TARGETS);
 
+/** Relative workspace dirs for the guardrails-profiler skill (per IDE / CLI). */
+export const GUARDRAILS_PROFILER_SKILL_REL_DIR = {
+    cursor: '.cursor/skills/guardrails-profiler',
+    claude: '.claude/skills/guardrails-profiler',
+    codex: '.codex/skills/guardrails-profiler',
+};
+
 export const SENTINEL_START = '<!-- securityreview-kit:start -->';
 export const SENTINEL_END = '<!-- securityreview-kit:end -->';

package/src/utils/guardrails-profiler-bundle.js

@@ -1,6 +1,7 @@
 import { copyFileSync, readFileSync } from 'node:fs';
 import { dirname, join } from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { GUARDRAILS_PROFILER_SKILL_REL_DIR } from './constants.js';
 import { ensureDir, writeText } from './fs-helpers.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
@@ -14,20 +15,43 @@ function injectProjectName(content, projectName) {
     return content.replaceAll('{{SRAI_PROJECT_NAME}}', resolved).replaceAll('<SRAI_PROJECT_NAME>', resolved);
 }
 
-const BUNDLE_ROOT = join(__dirname, '..', 'generators', 'rules', 'guardrails-profiler');
-
-/**
- * Writes `.securityreview-kit/guardrails-profiler/` (SKILL + signal registry) into the target workspace.
- */
-export function writeGuardrailsProfilerBundle(cwd, options = {}) {
-    const destBase = join(cwd, '.securityreview-kit', 'guardrails-profiler');
-    const destRefs = join(destBase, 'references');
-    ensureDir(destRefs);
+function injectSkillDir(content, skillDirRel) {
+    return content.replaceAll('<GUARDRAILS_SKILL_DIR>', skillDirRel);
+}
 
-    const skillTemplate = readFileSync(join(BUNDLE_ROOT, 'SKILL.md'), 'utf-8');
-    writeText(join(destBase, 'SKILL.md'), injectProjectName(skillTemplate, options.projectName));
+function injectSkillTemplate(content, projectName, skillDirRel) {
+    return injectSkillDir(injectProjectName(content, projectName), skillDirRel);
+}
 
-    copyFileSync(join(BUNDLE_ROOT, 'references', 'signal-registry.json'), join(destRefs, 'signal-registry.json'));
+const BUNDLE_ROOT = join(__dirname, '..', 'generators', 'rules', 'guardrails-profiler');
 
-    return destBase;
+/**
+ * Writes `guardrails-profiler` (SKILL.md + references/signal-registry.json) under each selected
+ * IDE skills directory (e.g. `.cursor/skills/guardrails-profiler`, `.claude/skills/...`).
+ *
+ * @returns {string[]} Absolute paths to each skill root written */
+export function writeGuardrailsProfilerBundles(cwd, options = {}) {
+    const targets = Array.isArray(options.targets) ? options.targets : [];
+    const written = [];
+
+    for (const target of targets) {
+        const rel = GUARDRAILS_PROFILER_SKILL_REL_DIR[target];
+        if (!rel) continue;
+
+        const destBase = join(cwd, rel);
+        const destRefs = join(destBase, 'references');
+        ensureDir(destRefs);
+
+        const skillTemplate = readFileSync(join(BUNDLE_ROOT, 'SKILL.md'), 'utf-8');
+        writeText(join(destBase, 'SKILL.md'), injectSkillTemplate(skillTemplate, options.projectName, rel));
+
+        copyFileSync(
+            join(BUNDLE_ROOT, 'references', 'signal-registry.json'),
+            join(destRefs, 'signal-registry.json'),
+        );
+
+        written.push(destBase);
+    }
+
+    return written;
 }

package/src/utils/profiler-agent.js

@@ -1,4 +1,5 @@
 import { spawnSync } from 'node:child_process';
+import { GUARDRAILS_PROFILER_SKILL_REL_DIR } from './constants.js';
 
 const PREFERRED_ORDER = ['cursor', 'claude', 'codex'];
 
@@ -7,19 +8,34 @@ function commandOk(cmd, args = ['--version']) {
     return r.status === 0;
 }
 
-export function buildProfilerAgentPrompt(projectName) {
+export function buildProfilerAgentPrompt(projectName, agentTarget = 'cursor') {
     const p = String(projectName || '').trim() || '<SRAI_PROJECT_NAME>';
+    const skillRoot =
+        GUARDRAILS_PROFILER_SKILL_REL_DIR[agentTarget] ||
+        GUARDRAILS_PROFILER_SKILL_REL_DIR.cursor;
     return [
         'Security Review Kit: run guardrails initialization profiling for this workspace.',
         `SRAI project name: "${p}".`,
-        'Open and follow every step in .securityreview-kit/guardrails-profiler/SKILL.md.',
-        'Use .securityreview-kit/guardrails-profiler/references/signal-registry.json as the signal registry.',
+        `Open and follow every step in ${skillRoot}/SKILL.md.`,
+        `Use ${skillRoot}/references/signal-registry.json as the signal registry.`,
         'Write .guardrails/profile.json and profile.json at the repository root as defined in the skill.',
         `Resolve project_id with find_project_by_name for "${p}", then call update_vibe_profile and write_default_pack via security-review-mcp.`,
         'Do not invent stack details, compliance, or user groups; ground everything in the repository.',
     ].join('\n');
 }
 
+/**
+ * Run Cursor Agent OAuth/login in the current terminal (stdio inherited).
+ * Call this from init before profiling so the user does not leave the kit flow.
+ */
+export function runCursorAgentLogin(cwd) {
+    if (!commandOk('cursor-agent', ['--version'])) {
+        return { ok: false, status: null, message: 'cursor-agent not on PATH' };
+    }
+    const r = spawnSync('cursor-agent', ['login'], { cwd, stdio: 'inherit', env: { ...process.env } });
+    return { ok: r.status === 0, status: r.status };
+}
+
 export function pickProfilerAgentTarget(targets) {
     for (const t of PREFERRED_ORDER) {
         if (targets.includes(t)) {
@@ -31,16 +47,25 @@ export function pickProfilerAgentTarget(targets) {
 
 /**
  * Spawn the IDE agent CLI to execute the profiler skill (user must be logged in where required).
+ *
+ * @param {object} opts
+ * @param {boolean} [opts.cursorTrust=true] When true, passes `--trust` and `--approve-mcps` so headless init is not blocked by
+ *   workspace trust or MCP approval (user confirmed profiling in the kit). Set false with `--profiler-no-trust`
+ *   if you need an interactive trust/login/MCP flow in the same terminal.
  */
-export function runProfilerAgent(cwd, { target, projectName }) {
-    const prompt = buildProfilerAgentPrompt(projectName);
+export function runProfilerAgent(cwd, { target, projectName, cursorTrust = true }) {
+    const prompt = buildProfilerAgentPrompt(projectName, target);
     const opts = { cwd, stdio: 'inherit', env: { ...process.env } };
 
     if (target === 'cursor') {
         if (!commandOk('cursor-agent', ['--version'])) {
             return { ok: false, message: 'cursor-agent not on PATH' };
         }
-        const r = spawnSync('cursor-agent', ['-p', prompt], opts);
+        const args = ['-p', prompt];
+        if (cursorTrust) {
+            args.push('--trust', '--approve-mcps');
+        }
+        const r = spawnSync('cursor-agent', args, opts);
         return { ok: r.status === 0, status: r.status };
     }