@securityreviewai/securityreview-kit 0.1.26 → 0.1.28

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@securityreviewai/securityreview-kit",
-  "version": "0.1.26",
+  "version": "0.1.28",
   "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
   "author": "Debarshi Das <debarshi.das@we45.com>",
   "license": "UNLICENSED",

package/src/commands/init.js

@@ -41,7 +41,7 @@ function normalizeRuleResults(rawResult) {
         }
 
         if (entry && typeof entry.filePath === 'string') {
-            const allowedKinds = new Set(['rule', 'command', 'agent', 'skill']);
+            const allowedKinds = new Set(['rule', 'command', 'agent', 'skill', 'hooks', 'config']);
             const kind = allowedKinds.has(entry.kind) ? entry.kind : 'rule';
             return { filePath: entry.filePath, action: entry.action || 'created', kind };
         }
@@ -336,6 +336,8 @@ export async function initCommand(options) {
                         command: 'Workspace command',
                         agent: 'Workspace agent',
                         skill: 'Workspace skill',
+                        hooks: 'Hooks',
+                        config: 'CLI config',
                     };
                     const label = labelByKind[rule.kind] || 'Workspace rule';
                     console.log(chalk.green(`    ✓ ${label} → ${rule.filePath} (${rule.action})`));

package/src/commands/status.js

@@ -63,6 +63,19 @@ export async function statusCommand() {
         console.log(
             `    Workspace Rule: ${ruleHasSrai ? chalk.green('✓ Installed') : chalk.dim('✗ Not found')}  ${chalk.dim(target.rulePath)}`,
         );
+        if (key === 'cursor') {
+            const cliPath = join(cwd, '.cursor', 'cli.json');
+            const cliJson = readJson(cliPath);
+            const allow = cliJson?.permissions?.allow;
+            const hasMcpAllow =
+                Array.isArray(allow) &&
+                allow.some(
+                    (e) => typeof e === 'string' && e.toLowerCase().includes('mcp(security-review-mcp'),
+                );
+            console.log(
+                `    CLI MCP allow:  ${hasMcpAllow ? chalk.green('\u2713 security-review-mcp') : chalk.dim('\u2717 Missing in .cursor/cli.json')}  ${chalk.dim('.cursor/cli.json')}`,
+            );
+        }
         console.log('');
     }
 

package/src/commands/switch-project.js

@@ -25,7 +25,7 @@ function normalizeRuleResults(rawResult) {
         }
 
         if (entry && typeof entry.filePath === 'string') {
-            const allowedKinds = new Set(['rule', 'command', 'agent', 'skill']);
+            const allowedKinds = new Set(['rule', 'command', 'agent', 'skill', 'hooks', 'config']);
             const kind = allowedKinds.has(entry.kind) ? entry.kind : 'rule';
             return { filePath: entry.filePath, action: entry.action || 'created', kind };
         }
@@ -180,6 +180,8 @@ export async function switchProjectCommand(options = {}) {
                     command: 'Workspace command',
                     agent: 'Workspace agent',
                     skill: 'Workspace skill',
+                    hooks: 'Hooks',
+                    config: 'CLI config',
                 };
                 const label = labelByKind[rule.kind] || 'Workspace rule';
                 console.log(chalk.green(`    ✓ ${label} → ${rule.filePath} (${rule.action})`));

package/src/generators/rules/cursor.js

@@ -1,7 +1,7 @@
 import { existsSync } from 'node:fs';
 import { join } from 'node:path';
-import { writeText } from '../../utils/fs-helpers.js';
-import { GUARDRAILS_PROFILER_SKILL_REL_DIR } from '../../utils/constants.js';
+import { GUARDRAILS_PROFILER_SKILL_REL_DIR, MCP_SERVER_NAME } from '../../utils/constants.js';
+import { readJson, writeJson, writeText } from '../../utils/fs-helpers.js';
 import {
     getRuleContent,
     getProfileCommandContent,
@@ -34,6 +34,32 @@ function writeCursorCommand(filePath, content) {
     return { filePath, action };
 }
 
+/**
+ * Merge `.cursor/cli.json` so Cursor CLI / Agent auto-allows security-review-mcp tools (no MCP approval prompts).
+ * @see https://cursor.com/docs/cli/reference/permissions
+ */
+function mergeCursorCliMcpAllowlist(cwd) {
+    const cliPath = join(cwd, '.cursor', 'cli.json');
+    const existed = existsSync(cliPath);
+    const existing = readJson(cliPath) || {};
+    if (!existing.permissions || typeof existing.permissions !== 'object') {
+        existing.permissions = {};
+    }
+    if (!Array.isArray(existing.permissions.allow)) {
+        existing.permissions.allow = [];
+    }
+    const token = `Mcp(${MCP_SERVER_NAME}:*)`;
+    if (!existing.permissions.allow.includes(token)) {
+        existing.permissions.allow.push(token);
+    }
+    if (existing.permissions.deny !== undefined && !Array.isArray(existing.permissions.deny)) {
+        existing.permissions.deny = [];
+    }
+    writeJson(cliPath, existing);
+    const action = existed ? 'updated' : 'created';
+    return { filePath: cliPath, action };
+}
+
 /**
  * Generate Cursor workspace rules at .cursor/rules/*.mdc
  * Cursor uses .mdc format with YAML front matter.
@@ -90,6 +116,8 @@ export function generate(cwd, options = {}) {
     const hooksAction = existsSync(hooksPath) ? 'updated' : 'created';
     writeText(hooksPath, hooksContent);
 
+    const cliPermissions = mergeCursorCliMcpAllowlist(cwd);
+
     return [
         { ...baseRule, kind: 'rule' },
         { ...ctmSyncTriggerRule, kind: 'rule' },
@@ -101,5 +129,6 @@ export function generate(cwd, options = {}) {
         { ...guardrailsInitProfileCommand, kind: 'command' },
         { filePath: skillPath, action: skillAction, kind: 'skill' },
         { filePath: hooksPath, action: hooksAction, kind: 'hooks' },
+        { ...cliPermissions, kind: 'config' },
     ];
 }

package/src/generators/rules/guardrails-init-profile.md

@@ -17,6 +17,8 @@ Configured SRAI project name: `<SRAI_PROJECT_NAME>`
 
 Do not skip MCP upload when credentials and MCP are available.
 
+Do **not** ask the user to verbally approve MCP for `security-review-mcp`. The repo’s **`.cursor/cli.json`** should list `Mcp(security-review-mcp:*)` under `permissions.allow`; call the MCP tools directly.
+
 ## Cursor CLI (scripted)
 
 From the repo root, non-interactive runs should include workspace trust, MCP approval, and **streaming progress** (matches default `securityreview-kit init`):

package/src/generators/rules/guardrails-profiler/SKILL.md

@@ -104,21 +104,13 @@ Create `.guardrails/` if needed and write the profile file.
 
 ### Step 6: Build `profile.json` (project root)
 
-Write **`profile.json`** at the project root with this structure (all parts required; use empty strings or `[]` when unknown — never fabricate compliance or user groups):
+Write **`profile.json`** at the project root with **only** these parts:
 
 ```json
 {
   "schema_version": "2.0",
   "srai_project_name": "<SRAI_PROJECT_NAME>",
   "guardrails_profile": {},
-  "vibe_profile": {
-    "description": "<short summary of what the repo appears to be, from detected stack only>",
-    "architecture_notes": [],
-    "tech_categories": [],
-    "user_groups": [],
-    "compliance_requirements": [],
-    "language_stacks": []
-  },
   "default_guardrail_pack": {
     "guardrail_packs": [],
     "pack_count": 0
@@ -126,26 +118,22 @@ Write **`profile.json`** at the project root with this structure (all parts requ
 }
 ```
 
-Populate `guardrails_profile` with the **same object** written to `.guardrails/profile.json`.
-
-Populate `default_guardrail_pack.guardrail_packs` with the deduplicated pack id list (same as `guardrails_profile.guardrail_packs`) and `pack_count`.
+- Populate **`guardrails_profile`** with the **same object** written to `.guardrails/profile.json` (detection summary, packs, etc.).
+- Populate **`default_guardrail_pack`** with the deduplicated `guardrail_packs` list (same ids as in `guardrails_profile`) and `pack_count`.
 
-Derive `vibe_profile` fields **only** from what you observed:
-
-- `tech_categories`: e.g. `backend`, `frontend`, `database`, `cloud`, `mobile` when supported by files/deps.
-- `language_stacks`: strings like `TypeScript/Node`, `Python/FastAPI` from detection.
-- `architecture_notes`: short bullets (e.g. "Dockerfile present", "GitHub Actions CI") — not speculative threat narratives.
-- `user_groups` / `compliance_requirements`: only if explicit in repo (e.g. compliance docs); else `[]`.
+**Do not** add a separate `vibe_profile` block and do **not** populate narrative fields such as long `description`, `architecture_notes`, `tech_categories`, `user_groups`, `compliance_requirements`, or `language_stacks`. The server-facing “vibe” update is driven **only** from the technical **`guardrails_profile`** plus the default pack (see Step 7).
 
 ### Step 7: Upload to SecurityReview.ai (security-review-mcp)
 
 1. Resolve `project_id`: `find_project_by_name` with `name="<SRAI_PROJECT_NAME>"`. If missing, follow existing kit rules (`list_projects`, `create_project`).
 
-2. Call **`update_vibe_profile`** with `project_id` and the fields from `profile.json.vibe_profile` (map parameter names to the MCP tool’s expected shape; pass only fields the tool accepts).
+2. Call **`update_vibe_profile`** with `project_id` and arguments mapped **only** from **`profile.json.guardrails_profile`** (and any required `project_id` fields) per the MCP tool’s documented schema. Treat the guardrails detection object as the profile payload — **not** a separate prose vibe document.
+
+3. Call **`write_default_pack`** with `project_id` and the payload from **`profile.json.default_guardrail_pack`** (match the MCP tool’s schema).
 
-3. Call **`write_default_pack`** with `project_id` and the default pack payload from `profile.json.default_guardrail_pack` (match the MCP tool’s schema — typically the pack id list and metadata the server expects).
+4. **MCP approval:** Do **not** ask the user to “approve MCP” or “say you approve” for `security-review-mcp`. Security Review Kit installs **`.cursor/cli.json`** with `Mcp(security-review-mcp:*)` in `permissions.allow` so Cursor CLI runs tools without that prompt. Invoke `find_project_by_name`, `update_vibe_profile`, and `write_default_pack` directly. If a call still fails with permissions, report the error and suggest verifying Cursor **auto-run** / CLI permissions — not a conversational approval step.
 
-4. Confirm success to the user: paths written (`profile.json`, `.guardrails/profile.json`) and that both MCP calls completed or the exact error.
+5. Confirm success: paths written (`profile.json`, `.guardrails/profile.json`) and whether both MCP calls succeeded, or the exact error.
 
 ### Step 8: Report
 
@@ -157,7 +145,7 @@ If there are no signals:
 
 1. Optionally read `.git/config` for hints.
 2. Emit minimal profile: `owasp-asvs` only, empty summaries where appropriate.
-3. Still write `profile.json` and attempt MCP calls with honest minimal `vibe_profile` data.
+3. Still write `profile.json` (minimal `guardrails_profile` + `default_guardrail_pack`) and attempt MCP calls.
 
 ## IDE-Specific Notes
 

package/src/utils/cursor-agent-path.js

@@ -0,0 +1,47 @@
+import { existsSync } from 'node:fs';
+import { spawnSync } from 'node:child_process';
+import { homedir } from 'node:os';
+import { delimiter, join } from 'node:path';
+
+/**
+ * Extra PATH segments where Cursor / other CLIs are often installed.
+ * GUI-launched terminals load shell rc files; Node subprocesses often do not.
+ */
+export function augmentPathEnv(baseEnv = process.env) {
+    const home = homedir();
+    const extra = [
+        join(home, '.local', 'bin'),
+        join(home, '.cursor', 'bin'),
+        '/opt/homebrew/bin',
+        '/usr/local/bin',
+    ];
+    if (process.platform === 'win32') {
+        extra.push(join(home, 'AppData', 'Local', 'Programs', 'cursor'));
+    }
+    const pathKey = process.platform === 'win32' ? 'Path' : 'PATH';
+    const current = baseEnv[pathKey] || baseEnv.PATH || '';
+    const merged = [...extra.filter((p) => p), current].filter(Boolean).join(delimiter);
+    return { ...baseEnv, [pathKey]: merged, PATH: merged };
+}
+
+/**
+ * Executable that responds to `cursor-agent --version`, or null.
+ */
+export function resolveCursorAgentExecutable() {
+    const env = augmentPathEnv();
+    const candidates = [
+        'cursor-agent',
+        join(homedir(), '.local', 'bin', 'cursor-agent'),
+        join(homedir(), '.cursor', 'bin', 'cursor-agent'),
+    ];
+    for (const cmd of candidates) {
+        if (cmd !== 'cursor-agent' && !existsSync(cmd)) {
+            continue;
+        }
+        const r = spawnSync(cmd, ['--version'], { stdio: 'ignore', env });
+        if (r.status === 0) {
+            return cmd;
+        }
+    }
+    return null;
+}

package/src/utils/ide-cli-install.js

@@ -1,9 +1,10 @@
 import { spawnSync } from 'node:child_process';
+import { augmentPathEnv, resolveCursorAgentExecutable } from './cursor-agent-path.js';
 
 const AGENT_CLI_TARGETS = new Set(['cursor', 'claude', 'codex']);
 
-function commandOk(cmd, args = ['--version']) {
-    const r = spawnSync(cmd, args, { stdio: 'ignore' });
+function commandOk(cmd, args = ['--version'], env = process.env) {
+    const r = spawnSync(cmd, args, { stdio: 'ignore', env });
     return r.status === 0;
 }
 
@@ -23,11 +24,16 @@ export function ensureIdeCliForTarget(target, options = {}) {
     }
 
     if (target === 'cursor') {
-        if (commandOk('cursor-agent', ['--version'])) {
+        if (resolveCursorAgentExecutable()) {
             return { target, ok: true, already: true };
         }
         if (skipInstall) {
-            return { target, ok: false, message: 'cursor-agent not found on PATH' };
+            return {
+                target,
+                ok: false,
+                message:
+                    'cursor-agent not found (install from https://cursor.com/cli; Node may need ~/.local/bin — kit augments PATH when running the profiler)',
+            };
         }
         if (process.platform === 'win32') {
             return {
@@ -37,13 +43,22 @@ export function ensureIdeCliForTarget(target, options = {}) {
             };
         }
         const r = runShell('curl -fsSL https://cursor.com/install | bash');
-        return r.status === 0
-            ? { target, ok: true }
-            : { target, ok: false, message: 'Cursor CLI install script failed' };
+        if (r.status !== 0) {
+            return { target, ok: false, message: 'Cursor CLI install script failed' };
+        }
+        if (!resolveCursorAgentExecutable()) {
+            return {
+                target,
+                ok: false,
+                message:
+                    'cursor-agent not found after install; open a new shell or ensure ~/.local/bin exists and re-run init',
+            };
+        }
+        return { target, ok: true };
     }
 
     if (target === 'claude') {
-        if (commandOk('claude', ['--version'])) {
+        if (commandOk('claude', ['--version'], augmentPathEnv())) {
             return { target, ok: true, already: true };
         }
         if (skipInstall) {
@@ -62,7 +77,7 @@ export function ensureIdeCliForTarget(target, options = {}) {
     }
 
     if (target === 'codex') {
-        if (commandOk('codex', ['--version'])) {
+        if (commandOk('codex', ['--version'], augmentPathEnv())) {
             return { target, ok: true, already: true };
         }
         if (skipInstall) {

package/src/utils/profiler-agent.js

@@ -1,10 +1,11 @@
 import { spawnSync } from 'node:child_process';
 import { GUARDRAILS_PROFILER_SKILL_REL_DIR } from './constants.js';
+import { augmentPathEnv, resolveCursorAgentExecutable } from './cursor-agent-path.js';
 
 const PREFERRED_ORDER = ['cursor', 'claude', 'codex'];
 
-function commandOk(cmd, args = ['--version']) {
-    const r = spawnSync(cmd, args, { stdio: 'ignore' });
+function commandOk(cmd, args = ['--version'], env = process.env) {
+    const r = spawnSync(cmd, args, { stdio: 'ignore', env });
     return r.status === 0;
 }
 
@@ -29,11 +30,22 @@ export function buildProfilerAgentPrompt(projectName, agentTarget = 'cursor') {
  * Call this from init before profiling so the user does not leave the kit flow.
  */
 export function runCursorAgentLogin(cwd) {
-    if (!commandOk('cursor-agent', ['--version'])) {
-        return { ok: false, status: null, message: 'cursor-agent not on PATH' };
+    const bin = resolveCursorAgentExecutable();
+    if (!bin) {
+        return {
+            ok: false,
+            status: null,
+            message:
+                'cursor-agent not found (install from https://cursor.com/cli and ensure ~/.local/bin is on PATH, or re-run init without --skip-ide-cli-install)',
+        };
     }
-    const r = spawnSync('cursor-agent', ['login'], { cwd, stdio: 'inherit', env: { ...process.env } });
-    return { ok: r.status === 0, status: r.status };
+    const env = augmentPathEnv(process.env);
+    const r = spawnSync(bin, ['login'], { cwd, stdio: 'inherit', env });
+    const spawnErr = r.error ? r.error.message : null;
+    if (r.status === null && spawnErr) {
+        return { ok: false, status: null, message: spawnErr };
+    }
+    return { ok: r.status === 0, status: r.status, message: r.status !== 0 ? spawnErr : undefined };
 }
 
 export function pickProfilerAgentTarget(targets) {
@@ -57,7 +69,8 @@ export function pickProfilerAgentTarget(targets) {
  */
 export function runProfilerAgent(cwd, { target, projectName, cursorTrust = true, streamProgress = true }) {
     const prompt = buildProfilerAgentPrompt(projectName, target);
-    const opts = { cwd, stdio: 'inherit', env: { ...process.env } };
+    const env = augmentPathEnv(process.env);
+    const opts = { cwd, stdio: 'inherit', env };
 
     if (streamProgress) {
         console.error(
@@ -67,8 +80,13 @@ export function runProfilerAgent(cwd, { target, projectName, cursorTrust = true,
     }
 
     if (target === 'cursor') {
-        if (!commandOk('cursor-agent', ['--version'])) {
-            return { ok: false, message: 'cursor-agent not on PATH' };
+        const bin = resolveCursorAgentExecutable();
+        if (!bin) {
+            return {
+                ok: false,
+                message:
+                    'cursor-agent not found. Install via Cursor CLI (https://cursor.com/cli) or run init Step 1b without --skip-ide-cli-install; ensure your shell PATH includes ~/.local/bin (Node may not inherit it).',
+            };
         }
         const args = ['-p', prompt];
         if (streamProgress) {
@@ -77,12 +95,15 @@ export function runProfilerAgent(cwd, { target, projectName, cursorTrust = true,
         if (cursorTrust) {
             args.push('--trust', '--approve-mcps');
         }
-        const r = spawnSync('cursor-agent', args, opts);
+        const r = spawnSync(bin, args, opts);
+        if (r.error) {
+            return { ok: false, message: r.error.message };
+        }
         return { ok: r.status === 0, status: r.status };
     }
 
     if (target === 'claude') {
-        if (!commandOk('claude', ['--version'])) {
+        if (!commandOk('claude', ['--version'], env)) {
             return { ok: false, message: 'claude not on PATH' };
         }
         const args = streamProgress
@@ -93,7 +114,7 @@ export function runProfilerAgent(cwd, { target, projectName, cursorTrust = true,
     }
 
     if (target === 'codex') {
-        if (!commandOk('codex', ['--version'])) {
+        if (!commandOk('codex', ['--version'], env)) {
             return { ok: false, message: 'codex not on PATH' };
         }
         const args = streamProgress ? ['exec', '--json', prompt] : ['exec', prompt];