@securityreviewai/securityreview-kit 0.1.24 → 0.1.25

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@securityreviewai/securityreview-kit",
-  "version": "0.1.24",
+  "version": "0.1.25",
   "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
   "author": "Debarshi Das <debarshi.das@we45.com>",
   "license": "UNLICENSED",

package/src/commands/init.js

@@ -3,7 +3,7 @@ import { input, checkbox, confirm, select } from '@inquirer/prompts';
 import { TARGETS, TARGET_NAMES } from '../utils/constants.js';
 import { detectTargets } from '../utils/detect.js';
 import { ensureIdeClisForTargets } from '../utils/ide-cli-install.js';
-import { writeGuardrailsProfilerBundle } from '../utils/guardrails-profiler-bundle.js';
+import { writeGuardrailsProfilerBundles } from '../utils/guardrails-profiler-bundle.js';
 import {
     pickProfilerAgentTarget,
     runCursorAgentLogin,
@@ -350,11 +350,23 @@ export async function initCommand(options) {
 
     if (installRules) {
         try {
-            const bundlePath = writeGuardrailsProfilerBundle(cwd, { projectName: projectNameForSkill });
-            console.log(chalk.green(`    \u2713 Guardrails profiler bundle → ${bundlePath}`));
-            results.push({ target: 'kit', type: 'bundle', status: 'ok', path: bundlePath });
+            const bundlePaths = writeGuardrailsProfilerBundles(cwd, {
+                projectName: projectNameForSkill,
+                targets,
+            });
+            if (bundlePaths.length === 0) {
+                console.log(
+                    chalk.dim(
+                        '    (Guardrails profiler skill is only written for Cursor, Claude Code, and Codex targets.)',
+                    ),
+                );
+            }
+            for (const bundlePath of bundlePaths) {
+                console.log(chalk.green(`    \u2713 Guardrails profiler skill \u2192 ${bundlePath}`));
+                results.push({ target: 'kit', type: 'bundle', status: 'ok', path: bundlePath });
+            }
         } catch (err) {
-            console.log(chalk.red(`    \u2717 Guardrails profiler bundle failed: ${err.message}`));
+            console.log(chalk.red(`    \u2717 Guardrails profiler skill failed: ${err.message}`));
             results.push({ target: 'kit', type: 'bundle', status: 'error', error: err.message });
         }
     }

package/src/generators/rules/claude.js

@@ -1,4 +1,5 @@
 import { join } from 'node:path';
+import { GUARDRAILS_PROFILER_SKILL_REL_DIR } from '../../utils/constants.js';
 import { upsertSentinelBlock, writeText } from '../../utils/fs-helpers.js';
 import { getRuleContent, getGuardrailsInitProfileContent } from './content.js';
 
@@ -11,7 +12,10 @@ export function generate(cwd, options = {}) {
     const action = upsertSentinelBlock(filePath, content);
 
     const guardrailsInitPath = join(cwd, '.claude', 'commands', 'guardrails-init-profile.md');
-    const guardrailsInitContent = getGuardrailsInitProfileContent(options);
+    const guardrailsInitContent = getGuardrailsInitProfileContent({
+        ...options,
+        guardrailsSkillDir: GUARDRAILS_PROFILER_SKILL_REL_DIR.claude,
+    });
     writeText(guardrailsInitPath, guardrailsInitContent);
 
     return [

package/src/generators/rules/codex.js

@@ -1,4 +1,5 @@
 import { join } from 'node:path';
+import { GUARDRAILS_PROFILER_SKILL_REL_DIR } from '../../utils/constants.js';
 import { upsertSentinelBlock, writeText } from '../../utils/fs-helpers.js';
 import { getRuleContent, getGuardrailsInitProfileContent } from './content.js';
 
@@ -11,7 +12,10 @@ export function generate(cwd, options = {}) {
     const action = upsertSentinelBlock(filePath, content);
 
     const guardrailsInitPath = join(cwd, '.codex', 'commands', 'guardrails-init-profile.md');
-    const guardrailsInitContent = getGuardrailsInitProfileContent(options);
+    const guardrailsInitContent = getGuardrailsInitProfileContent({
+        ...options,
+        guardrailsSkillDir: GUARDRAILS_PROFILER_SKILL_REL_DIR.codex,
+    });
     writeText(guardrailsInitPath, guardrailsInitContent);
 
     return [

package/src/generators/rules/content.js

@@ -17,9 +17,19 @@ function readTemplate(templateFileName, options = {}) {
     const projectName = sanitizeProjectName(rawProjectName);
     const resolvedProjectName = projectName || '<SRAI_PROJECT_NAME>';
 
-    return template
+    let out = template
         .replaceAll('{{SRAI_PROJECT_NAME}}', resolvedProjectName)
         .replaceAll('<SRAI_PROJECT_NAME>', resolvedProjectName);
+
+    if (out.includes('{{GUARDRAILS_SKILL_DIR}}')) {
+        const skillDir =
+            typeof options.guardrailsSkillDir === 'string' && options.guardrailsSkillDir.trim()
+                ? options.guardrailsSkillDir.trim()
+                : '.cursor/skills/guardrails-profiler';
+        out = out.replaceAll('{{GUARDRAILS_SKILL_DIR}}', skillDir);
+    }
+
+    return out;
 }
 
 /**

package/src/generators/rules/cursor.js

@@ -1,6 +1,7 @@
 import { existsSync } from 'node:fs';
 import { join } from 'node:path';
 import { writeText } from '../../utils/fs-helpers.js';
+import { GUARDRAILS_PROFILER_SKILL_REL_DIR } from '../../utils/constants.js';
 import {
     getRuleContent,
     getProfileCommandContent,
@@ -55,7 +56,10 @@ export function generate(cwd, options = {}) {
     const ctmSyncWorkflowContent = getCtmSyncWorkflowContent(options);
     const createIdeWorkflowCommandContent = getCreateIdeWorkflowCommandContent(options);
     const profileCommandContent = getProfileCommandContent(options);
-    const guardrailsInitProfileCommandContent = getGuardrailsInitProfileContent(options);
+    const guardrailsInitProfileCommandContent = getGuardrailsInitProfileContent({
+        ...options,
+        guardrailsSkillDir: GUARDRAILS_PROFILER_SKILL_REL_DIR.cursor,
+    });
     const skillContent = getThreatModellingSkillContent(options);
 
     const baseRule = writeCursorRule(

package/src/generators/rules/guardrails-init-profile.md

@@ -5,13 +5,13 @@ description: Run the Security Review Kit guardrails profiler — scan the repo,
 
 # Guardrails init profile
 
-Execute the workflow defined in **`.securityreview-kit/guardrails-profiler/SKILL.md`** end-to-end in this workspace.
+Execute the workflow defined in **`{{GUARDRAILS_SKILL_DIR}}/SKILL.md`** end-to-end in this workspace (this IDE’s copy of the guardrails-profiler skill).
 
 Configured SRAI project name: `<SRAI_PROJECT_NAME>`
 
 **You must:**
 
-1. Read `.securityreview-kit/guardrails-profiler/SKILL.md` and follow every step (use the signal registry at `.securityreview-kit/guardrails-profiler/references/signal-registry.json`).
+1. Read `{{GUARDRAILS_SKILL_DIR}}/SKILL.md` and follow every step (use the signal registry at `{{GUARDRAILS_SKILL_DIR}}/references/signal-registry.json`).
 2. Write `.guardrails/profile.json` and **`profile.json`** at the project root as specified.
 3. Call **`update_vibe_profile`** and **`write_default_pack`** on `security-review-mcp` after resolving `project_id` for `<SRAI_PROJECT_NAME>`.
 

package/src/generators/rules/guardrails-profiler/SKILL.md

@@ -11,7 +11,8 @@ Configured SRAI project name: `<SRAI_PROJECT_NAME>`
 
 ## Canonical paths
 
-- **Signal registry (read-only):** `.securityreview-kit/guardrails-profiler/references/signal-registry.json`
+- **This skill & signal registry (read-only):** `<GUARDRAILS_SKILL_DIR>/` — e.g. `.cursor/skills/guardrails-profiler`, `.claude/skills/guardrails-profiler`, or `.codex/skills/guardrails-profiler` depending on where this file was installed.
+- **Signal registry file:** `<GUARDRAILS_SKILL_DIR>/references/signal-registry.json`
 - **Local guardrails file:** `.guardrails/profile.json`
 - **Combined manifest (project root):** `profile.json` — includes guardrails profile, vibe profile fields for MCP, and default pack payload
 
@@ -38,7 +39,7 @@ The project root is the current working directory. Confirm with markers such as
 
 ### Step 2: Read the Signal Registry
 
-Read `.securityreview-kit/guardrails-profiler/references/signal-registry.json`. Use its categories (`universal`, `languages`, `frameworks`, `auth_identity`, `ai_agent`, `infrastructure`, `ci_cd`, `cloud_compute`, `databases`, `messaging`, `api_protocols`, etc.) to map detected signals to guardrail pack IDs.
+Read `<GUARDRAILS_SKILL_DIR>/references/signal-registry.json` (the copy next to this `SKILL.md`). Use its categories (`universal`, `languages`, `frameworks`, `auth_identity`, `ai_agent`, `infrastructure`, `ci_cd`, `cloud_compute`, `databases`, `messaging`, `api_protocols`, etc.) to map detected signals to guardrail pack IDs.
 
 ### Step 3: Scan for Signals
 

package/src/utils/constants.js

@@ -59,5 +59,12 @@ export const TARGETS = {
 
 export const TARGET_NAMES = Object.keys(TARGETS);
 
+/** Relative workspace dirs for the guardrails-profiler skill (per IDE / CLI). */
+export const GUARDRAILS_PROFILER_SKILL_REL_DIR = {
+    cursor: '.cursor/skills/guardrails-profiler',
+    claude: '.claude/skills/guardrails-profiler',
+    codex: '.codex/skills/guardrails-profiler',
+};
+
 export const SENTINEL_START = '<!-- securityreview-kit:start -->';
 export const SENTINEL_END = '<!-- securityreview-kit:end -->';

package/src/utils/guardrails-profiler-bundle.js

@@ -1,6 +1,7 @@
 import { copyFileSync, readFileSync } from 'node:fs';
 import { dirname, join } from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { GUARDRAILS_PROFILER_SKILL_REL_DIR } from './constants.js';
 import { ensureDir, writeText } from './fs-helpers.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
@@ -14,20 +15,43 @@ function injectProjectName(content, projectName) {
     return content.replaceAll('{{SRAI_PROJECT_NAME}}', resolved).replaceAll('<SRAI_PROJECT_NAME>', resolved);
 }
 
-const BUNDLE_ROOT = join(__dirname, '..', 'generators', 'rules', 'guardrails-profiler');
-
-/**
- * Writes `.securityreview-kit/guardrails-profiler/` (SKILL + signal registry) into the target workspace.
- */
-export function writeGuardrailsProfilerBundle(cwd, options = {}) {
-    const destBase = join(cwd, '.securityreview-kit', 'guardrails-profiler');
-    const destRefs = join(destBase, 'references');
-    ensureDir(destRefs);
+function injectSkillDir(content, skillDirRel) {
+    return content.replaceAll('<GUARDRAILS_SKILL_DIR>', skillDirRel);
+}
 
-    const skillTemplate = readFileSync(join(BUNDLE_ROOT, 'SKILL.md'), 'utf-8');
-    writeText(join(destBase, 'SKILL.md'), injectProjectName(skillTemplate, options.projectName));
+function injectSkillTemplate(content, projectName, skillDirRel) {
+    return injectSkillDir(injectProjectName(content, projectName), skillDirRel);
+}
 
-    copyFileSync(join(BUNDLE_ROOT, 'references', 'signal-registry.json'), join(destRefs, 'signal-registry.json'));
+const BUNDLE_ROOT = join(__dirname, '..', 'generators', 'rules', 'guardrails-profiler');
 
-    return destBase;
+/**
+ * Writes `guardrails-profiler` (SKILL.md + references/signal-registry.json) under each selected
+ * IDE skills directory (e.g. `.cursor/skills/guardrails-profiler`, `.claude/skills/...`).
+ *
+ * @returns {string[]} Absolute paths to each skill root written */
+export function writeGuardrailsProfilerBundles(cwd, options = {}) {
+    const targets = Array.isArray(options.targets) ? options.targets : [];
+    const written = [];
+
+    for (const target of targets) {
+        const rel = GUARDRAILS_PROFILER_SKILL_REL_DIR[target];
+        if (!rel) continue;
+
+        const destBase = join(cwd, rel);
+        const destRefs = join(destBase, 'references');
+        ensureDir(destRefs);
+
+        const skillTemplate = readFileSync(join(BUNDLE_ROOT, 'SKILL.md'), 'utf-8');
+        writeText(join(destBase, 'SKILL.md'), injectSkillTemplate(skillTemplate, options.projectName, rel));
+
+        copyFileSync(
+            join(BUNDLE_ROOT, 'references', 'signal-registry.json'),
+            join(destRefs, 'signal-registry.json'),
+        );
+
+        written.push(destBase);
+    }
+
+    return written;
 }

package/src/utils/profiler-agent.js

@@ -1,4 +1,5 @@
 import { spawnSync } from 'node:child_process';
+import { GUARDRAILS_PROFILER_SKILL_REL_DIR } from './constants.js';
 
 const PREFERRED_ORDER = ['cursor', 'claude', 'codex'];
 
@@ -7,13 +8,16 @@ function commandOk(cmd, args = ['--version']) {
     return r.status === 0;
 }
 
-export function buildProfilerAgentPrompt(projectName) {
+export function buildProfilerAgentPrompt(projectName, agentTarget = 'cursor') {
     const p = String(projectName || '').trim() || '<SRAI_PROJECT_NAME>';
+    const skillRoot =
+        GUARDRAILS_PROFILER_SKILL_REL_DIR[agentTarget] ||
+        GUARDRAILS_PROFILER_SKILL_REL_DIR.cursor;
     return [
         'Security Review Kit: run guardrails initialization profiling for this workspace.',
         `SRAI project name: "${p}".`,
-        'Open and follow every step in .securityreview-kit/guardrails-profiler/SKILL.md.',
-        'Use .securityreview-kit/guardrails-profiler/references/signal-registry.json as the signal registry.',
+        `Open and follow every step in ${skillRoot}/SKILL.md.`,
+        `Use ${skillRoot}/references/signal-registry.json as the signal registry.`,
         'Write .guardrails/profile.json and profile.json at the repository root as defined in the skill.',
         `Resolve project_id with find_project_by_name for "${p}", then call update_vibe_profile and write_default_pack via security-review-mcp.`,
         'Do not invent stack details, compliance, or user groups; ground everything in the repository.',
@@ -50,7 +54,7 @@ export function pickProfilerAgentTarget(targets) {
  *   if you need an interactive trust/login/MCP flow in the same terminal.
  */
 export function runProfilerAgent(cwd, { target, projectName, cursorTrust = true }) {
-    const prompt = buildProfilerAgentPrompt(projectName);
+    const prompt = buildProfilerAgentPrompt(projectName, target);
     const opts = { cwd, stdio: 'inherit', env: { ...process.env } };
 
     if (target === 'cursor') {