@securityreviewai/securityreview-kit 0.1.25 → 0.1.26

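--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@securityreviewai/securityreview-kit",
- "version": "0.1.25",
+ "version": "0.1.26",
  "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
  "author": "Debarshi Das <debarshi.das@we45.com>",
  "license": "UNLICENSED",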
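--- a/package/src/cli.js
+++ b/package/src/cli.js
@@ -37,6 +37,10 @@ export function run() {
  '--profiler-cursor-login',
  'Before Cursor profiling, run cursor-agent login in this terminal (then profiling runs in the same init)',
  )
+ .option(
+ '--profiler-quiet',
+ 'When profiling, use minimal agent output (no streaming JSON / verbose progress)',
+ )
  .action(async (options) => {
  try {
  if (options.switchProject) {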
@@ -459,6 +459,7 @@ export async function initCommand(options) {
459
459
  target: agentTarget,
460
460
  projectName: projectNameForSkill,
461
461
  cursorTrust: !options.profilerNoTrust,
462
+ streamProgress: !options.profilerQuiet,
462
463
  });
463
464
  if (pr.ok) {
464
465
  console.log(chalk.green(' \u2713 Profiler agent finished.'));
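Review bot: `streamProgress: !options.profilerQuiet` (new line 462) turns the agents' raw event stream on for every run unless the user opts out, including runs whose stdout is captured by a CI system or a pipe. What that stream contains is not visible here, but stream-json style output commonly echoes tool calls and partial model messages, so content the profiler reads from the repository could end up in retained logs. Consider defaulting to quiet when the terminal is not interactive, e.g. `streamProgress: !options.profilerQuiet && Boolean(process.stdout.isTTY),`, and saying so in the `--profiler-quiet` help text. initCommand's body starts and ends outside the hunk.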
@@ -19,9 +19,11 @@ Do not skip MCP upload when credentials and MCP are available.
19
19
 
20
20
  ## Cursor CLI (scripted)
21
21
 
22
- From the repo root, non-interactive runs should include workspace trust and MCP approval (matches `securityreview-kit init`):
22
+ From the repo root, non-interactive runs should include workspace trust, MCP approval, and **streaming progress** (matches default `securityreview-kit init`):
23
23
 
24
- `cursor-agent -p "<your profiling instructions>" --trust --approve-mcps`
24
+ `cursor-agent -p "<your profiling instructions>" --output-format stream-json --stream-partial-output --trust --approve-mcps`
25
+
26
+ Omit `--output-format` / `--stream-partial-output` if you want less verbose terminal output (or use `securityreview-kit init` with `--profiler-quiet`).
25
27
 
26
28
  During `securityreview-kit init`, choose **Yes** when asked to run Cursor login in-terminal, or pass **`--profiler-cursor-login`** with **`--profile-repo`** so login and profiling stay in one run.
27
29
 
@@ -52,16 +52,28 @@ export function pickProfilerAgentTarget(targets) {
52
52
  * @param {boolean} [opts.cursorTrust=true] When true, passes `--trust` and `--approve-mcps` so headless init is not blocked by
53
53
  * workspace trust or MCP approval (user confirmed profiling in the kit). Set false with `--profiler-no-trust`
54
54
  * if you need an interactive trust/login/MCP flow in the same terminal.
55
+ * @param {boolean} [opts.streamProgress=true] When true, pass each CLI’s streaming / verbose flags so the terminal shows live progress
56
+ * (JSON event lines on Cursor/Codex; stream-json + partial messages + verbose on Claude). Disable with `--profiler-quiet`.
55
57
  */
56
- export function runProfilerAgent(cwd, { target, projectName, cursorTrust = true }) {
58
+ export function runProfilerAgent(cwd, { target, projectName, cursorTrust = true, streamProgress = true }) {
57
59
  const prompt = buildProfilerAgentPrompt(projectName, target);
58
60
  const opts = { cwd, stdio: 'inherit', env: { ...process.env } };
59
61
 
62
+ if (streamProgress) {
63
+ console.error(
64
+ '\n[securityreview-kit] Profiler live output: you should see streaming progress below ' +
65
+ '(JSON lines are normal). Use --profiler-quiet for minimal output.\n',
66
+ );
67
+ }
68
+
60
69
  if (target === 'cursor') {
61
70
  if (!commandOk('cursor-agent', ['--version'])) {
62
71
  return { ok: false, message: 'cursor-agent not on PATH' };
63
72
  }
64
73
  const args = ['-p', prompt];
74
+ if (streamProgress) {
75
+ args.push('--output-format', 'stream-json', '--stream-partial-output');
76
+ }
65
77
  if (cursorTrust) {
66
78
  args.push('--trust', '--approve-mcps');
67
79
  }
@@ -73,7 +85,10 @@ export function runProfilerAgent(cwd, { target, projectName, cursorTrust = true
73
85
  if (!commandOk('claude', ['--version'])) {
74
86
  return { ok: false, message: 'claude not on PATH' };
75
87
  }
76
- const r = spawnSync('claude', ['-p', prompt], opts);
88
+ const args = streamProgress
89
+ ? ['-p', '--output-format', 'stream-json', '--include-partial-messages', '--verbose', prompt]
90
+ : ['-p', prompt];
91
+ const r = spawnSync('claude', args, opts);
77
92
  return { ok: r.status === 0, status: r.status };
78
93
  }
79
94
 
@@ -81,7 +96,8 @@ export function runProfilerAgent(cwd, { target, projectName, cursorTrust = true
81
96
  if (!commandOk('codex', ['--version'])) {
82
97
  return { ok: false, message: 'codex not on PATH' };
83
98
  }
84
- const r = spawnSync('codex', ['exec', prompt], opts);
99
+ const args = streamProgress ? ['exec', '--json', prompt] : ['exec', prompt];
100
+ const r = spawnSync('codex', args, opts);
85
101
  return { ok: r.status === 0, status: r.status };
86
102
  }
87
103
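Review bot: The claude and codex branches (new lines 88–92 and 99–101) now pass extra flags by default, but the return still reports only `r.status`, so a CLI that rejects an unknown option, a spawn error and a signal kill all reach the caller as a bare `ok: false`. `commandOk` only confirms that `--version` runs, which does not show that the installed CLI accepts `--include-partial-messages` or `--json`. Carry the cause back, e.g. `return { ok: r.status === 0, status: r.status, signal: r.signal, message: r.error?.message };`, so initCommand can suggest `--profiler-quiet` when the streaming flags fail. Separately, the banner at new lines 62–67 prints before the `commandOk` checks, so it can announce streaming output for a CLI that is not installed. The cursor branch's spawn call is outside the visible hunks.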