@securityreviewai/securityreview-kit 0.1.32 → 0.1.33

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
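--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@securityreviewai/securityreview-kit",
- "version": "0.1.32",
+ "version": "0.1.33",
  "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
  "author": "Debarshi Das <debarshi.das@we45.com>",
  "license": "UNLICENSED",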
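--- a/package/src/cli.js
+++ b/package/src/cli.js
@@ -39,7 +39,11 @@ export function run() {
  )
  .option(
  '--profiler-quiet',
- 'When profiling, use minimal agent output (no streaming JSON / verbose progress)',
+ 'When profiling, use the standard progress message (default; retained for compatibility)',
+ )
+ .option(
+ '--profiler-verbose',
+ 'When profiling, show live agent output for troubleshooting',
  )
  .action(async (options) => {
  try {
@@ -457,11 +457,18 @@ export async function initCommand(options) {
  console.log(chalk.dim(' (Sign-in or approvals may be required in your terminal.)'));
  }
  console.log('');
+ const showProfilerOutput = Boolean(options.profilerVerbose || options.profilerNoTrust);
+ if (showProfilerOutput) {
+ console.log(chalk.dim(' Profiling in progress. Agent output is visible for this run...'));
+ } else {
+ console.log(chalk.dim(' Profiling in progress. This can take a few minutes...'));
+ }
  const pr = runProfilerAgent(cwd, {
  target: agentTarget,
  projectName: projectNameForSkill,
  cursorTrust: !options.profilerNoTrust,
- streamProgress: !options.profilerQuiet,
+ streamProgress: Boolean(options.profilerVerbose),
+ showOutput: showProfilerOutput,
  });
  if (pr.ok) {
  console.log(chalk.green(' \u2713 Profiler agent finished.'));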
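Review bot: `showProfilerOutput` in the `initCommand` hunk ties `--profiler-no-trust` to inherited stdio without saying why; the reason, per the `cursorTrust` doc in the profiler module, is that the interactive trust/login/MCP prompts need a terminal the user can answer on, which a piped run cannot provide. A one-line comment above the declaration would keep a later edit from "simplifying" it away: `// --profiler-no-trust expects interactive trust/login/MCP prompts, so the agent must keep the terminal`. The `--profiler-quiet` option is still registered, but in these hunks nothing reads `options.profilerQuiet` any more, so when both flags are passed `--profiler-verbose` silently wins; that deserves either a sentence in the option help or a one-line warning in the action. `initCommand` starts and ends outside the hunk.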
@@ -21,11 +21,11 @@ Do **not** ask the user to verbally approve MCP for `security-review-mcp`. The r
21
21
 
22
22
  ## Cursor CLI (scripted)
23
23
 
24
- From the repo root, non-interactive runs should include workspace trust, MCP approval, and **streaming progress** (matches default `securityreview-kit init`):
24
+ From the repo root, non-interactive runs should include workspace trust and MCP approval:
25
25
 
26
- `agent -p "<your profiling instructions>" --output-format stream-json --stream-partial-output --trust --approve-mcps` (or `cursor-agent` if that is what your install provides)
26
+ `agent -p "<your profiling instructions>" --trust --approve-mcps` (or `cursor-agent` if that is what your install provides)
27
27
 
28
- Omit `--output-format` / `--stream-partial-output` if you want less verbose terminal output (or use `securityreview-kit init` with `--profiler-quiet`).
28
+ Add `--output-format stream-json --stream-partial-output` only when you need verbose agent diagnostics (or use `securityreview-kit init` with `--profiler-verbose`).
29
29
 
30
30
  During `securityreview-kit init`, choose **Yes** when asked to run Cursor login in-terminal, or pass **`--profiler-cursor-login`** with **`--profile-repo`** so login and profiling stay in one run.
31
31
 
@@ -64,18 +64,24 @@ export function pickProfilerAgentTarget(targets) {
64
64
  * @param {boolean} [opts.cursorTrust=true] When true, passes `--trust` and `--approve-mcps` so headless init is not blocked by
65
65
  * workspace trust or MCP approval (user confirmed profiling in the kit). Set false with `--profiler-no-trust`
66
66
  * if you need an interactive trust/login/MCP flow in the same terminal.
67
- * @param {boolean} [opts.streamProgress=true] When true, pass each CLI’s streaming / verbose flags so the terminal shows live progress
68
- * (JSON event lines on Cursor/Codex; stream-json + partial messages + verbose on Claude). Disable with `--profiler-quiet`.
67
+ * @param {boolean} [opts.streamProgress=false] When true, pass each CLI’s streaming / verbose flags.
68
+ * @param {boolean} [opts.showOutput=false] When true, inherit stdio from the child process.
69
+ * Keep both false for init-time profiling so the agent does not flood the terminal with JSON/progress logs.
69
70
  */
70
- export function runProfilerAgent(cwd, { target, projectName, cursorTrust = true, streamProgress = true }) {
71
+ export function runProfilerAgent(
72
+ cwd,
73
+ { target, projectName, cursorTrust = true, streamProgress = false, showOutput = streamProgress },
74
+ ) {
71
75
  const prompt = buildProfilerAgentPrompt(projectName, target);
72
76
  const env = augmentPathEnv(process.env);
73
- const opts = { cwd, stdio: 'inherit', env };
77
+ const opts = showOutput
78
+ ? { cwd, stdio: 'inherit', env }
79
+ : { cwd, stdio: ['ignore', 'pipe', 'pipe'], env, encoding: 'utf8', maxBuffer: 10 * 1024 * 1024 };
74
80
 
75
81
  if (streamProgress) {
76
82
  console.error(
77
83
  '\n[securityreview-kit] Profiler live output: you should see streaming progress below ' +
78
- '(JSON lines are normal). Use --profiler-quiet for minimal output.\n',
84
+ '(JSON lines are normal). Omit --profiler-verbose for minimal output.\n',
79
85
  );
80
86
  }
81
87
 
@@ -99,7 +105,7 @@ export function runProfilerAgent(cwd, { target, projectName, cursorTrust = true,
99
105
  if (r.error) {
100
106
  return { ok: false, message: r.error.message };
101
107
  }
102
- return { ok: r.status === 0, status: r.status };
108
+ return buildProfilerResult(r);
103
109
  }
104
110
 
105
111
  if (target === 'claude') {
@@ -110,7 +116,7 @@ export function runProfilerAgent(cwd, { target, projectName, cursorTrust = true,
110
116
  ? ['-p', '--output-format', 'stream-json', '--include-partial-messages', '--verbose', prompt]
111
117
  : ['-p', prompt];
112
118
  const r = spawnSync('claude', args, opts);
113
- return { ok: r.status === 0, status: r.status };
119
+ return buildProfilerResult(r);
114
120
  }
115
121
 
116
122
  if (target === 'codex') {
@@ -119,8 +125,42 @@ export function runProfilerAgent(cwd, { target, projectName, cursorTrust = true,
119
125
  }
120
126
  const args = streamProgress ? ['exec', '--json', prompt] : ['exec', prompt];
121
127
  const r = spawnSync('codex', args, opts);
122
- return { ok: r.status === 0, status: r.status };
128
+ return buildProfilerResult(r);
123
129
  }
124
130
 
125
131
  return { ok: false, message: 'unsupported agent target' };
126
132
  }
133
+
134
+ function buildProfilerResult(result) {
135
+ if (result.error) {
136
+ return { ok: false, status: result.status, message: result.error.message };
137
+ }
138
+
139
+ if (result.status === 0) {
140
+ return { ok: true, status: result.status };
141
+ }
142
+
143
+ const outputTail = summarizeProfilerOutput(result.stderr || result.stdout || '');
144
+ const exitDetail =
145
+ typeof result.status === 'number'
146
+ ? `exit status ${result.status}`
147
+ : result.signal
148
+ ? `signal ${result.signal}`
149
+ : 'unknown error';
150
+
151
+ return {
152
+ ok: false,
153
+ status: result.status,
154
+ message: outputTail ? `${exitDetail}; last output: ${outputTail}` : exitDetail,
155
+ };
156
+ }
157
+
158
+ function summarizeProfilerOutput(output) {
159
+ return String(output || '')
160
+ .replace(/\u001b\[[0-9;]*m/g, '')
161
+ .split(/\r?\n/)
162
+ .map((line) => line.trim())
163
+ .filter(Boolean)
164
+ .slice(-3)
165
+ .join(' | ');
166
+ }
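Review bot: `summarizeProfilerOutput` strips only SGR colour codes (`ESC[…m`) before the tail of the child's stderr/stdout is folded into `message`, which the caller prints, so cursor-movement CSI sequences, OSC sequences (window title, hyperlinks) and other C0 control characters from the agent's output reach the user's terminal unfiltered; that output is produced by an agent working over repository content and should be treated as untrusted. Replace the single `.replace` with a broader filter, e.g. `.replace(/\u001b\][^\u0007\u001b]*(?:\u0007|\u001b\\)/g, '')` for OSC, `.replace(/\u001b\[[0-9;?]*[ -\/]*[@-~]/g, '')` for any CSI sequence, and `.replace(/[\u0000-\u0008\u000b-\u001f\u007f]/g, '')` for the remaining controls, keeping the `\r?\n` split after them. The tail is also uncapped in length: one very long line survives `.slice(-3)` intact, so a `.slice(0, 500)`-style cap on the joined string keeps the failure message readable. Separately, in the signature hunk `showOutput = streamProgress` ignores `cursorTrust`: a direct caller passing only `cursorTrust: false` gets `stdin: 'ignore'` and the interactive trust/login flow the docstring promises cannot be answered, which cli.js currently works around on its side; the default belongs here as `showOutput = streamProgress || !cursorTrust`. `runProfilerAgent` spans several hunks and its body is only partly visible here.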