@securityreviewai/securityreview-kit 0.1.33 → 0.1.35

package/README.md

@@ -29,7 +29,7 @@ npx @securityreviewai/securityreview-kit init --switch-project
 |---|---|---|---|
 | Cursor | `cursor` | `.cursor/mcp.json` | `.cursor/rules/srai-security-review.mdc`, `.cursor/rules/ctm_sync_rule.mdc`, `.cursor/commands/ctm_sync.md`, `.cursor/agents/ctm_sync.md`, `.cursor/commands/create-ide-workflow.md`, `.cursor/commands/srai-profile.md`, `.cursor/skills/threat-modelling/SKILL.md` |
 | Claude Code | `claude` | `.claude/settings.json` | `CLAUDE.md` |
-| VS Code Copilot | `vscode` | `.vscode/mcp.json` | `.github/copilot-instructions.md` |
+| VS Code Copilot | `vscode` | `.vscode/mcp.json` | `.github/copilot-instructions.md`, `.github/skills/guardrails-profiler/SKILL.md`, `.github/skills/guardrails-selection/SKILL.md` |
 | Windsurf | `windsurf` | `.windsurf/mcp_config.json` | `.windsurf/rules/srai-security-review.md` |
 | Codex | `codex` | `.codex/config.toml` | `AGENTS.md` |
 | Gemini CLI | `gemini` | `.gemini/settings.json` | `GEMINI.md` |
@@ -51,6 +51,9 @@ Options:
   --switch-project        Fetch projects and only update mapped workspace rules
   --skip-mcp              Skip MCP server config installation
   --skip-rules            Skip workspace rule installation
+  --profile-repo          Run the guardrails profiler after init
+  --profiler-copilot-login
+                          Run GitHub Copilot CLI login before VS Code Copilot profiling
 ```
 
 ### `@securityreviewai/securityreview-kit init --switch-project`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@securityreviewai/securityreview-kit",
-  "version": "0.1.33",
+  "version": "0.1.35",
   "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
   "author": "Debarshi Das <debarshi.das@we45.com>",
   "license": "UNLICENSED",

package/src/cli.js

@@ -26,8 +26,8 @@ export function run() {
         .option('--switch-project', 'Fetch projects and only update mapped workspace rules')
         .option('--skip-mcp', 'Skip MCP server config installation')
         .option('--skip-rules', 'Skip workspace rule installation')
-        .option('--skip-ide-cli-install', 'Do not install Cursor / Claude Code / Codex CLIs when those targets are selected')
-        .option('--profile-repo', 'After init, run the guardrails profiler agent (non-interactive; needs cursor, claude, or codex target)')
+        .option('--skip-ide-cli-install', 'Do not install Cursor / Copilot / Claude Code / Codex CLIs when those targets are selected')
+        .option('--profile-repo', 'After init, run the guardrails profiler agent (non-interactive; needs cursor, vscode, claude, or codex target)')
         .option('--no-profile-repo', 'Skip the optional profiler agent step after init')
         .option(
             '--profiler-no-trust',
@@ -37,6 +37,10 @@ export function run() {
             '--profiler-cursor-login',
             'Before Cursor profiling, run `agent login` (or `cursor-agent login`) in this terminal (then profiling runs in the same init)',
         )
+        .option(
+            '--profiler-copilot-login',
+            'Before VS Code Copilot profiling, run `copilot login` in this terminal',
+        )
         .option(
             '--profiler-quiet',
             'When profiling, use the standard progress message (default; retained for compatibility)',

package/src/commands/init.js

@@ -6,6 +6,7 @@ import { ensureIdeClisForTargets } from '../utils/ide-cli-install.js';
 import { writeGuardrailsSkillBundles } from '../utils/guardrails-profiler-bundle.js';
 import {
     pickProfilerAgentTarget,
+    runCopilotLogin,
     runCursorAgentLogin,
     runProfilerAgent,
 } from '../utils/profiler-agent.js';
@@ -359,7 +360,7 @@ export async function initCommand(options) {
             if (bundlePaths.length === 0) {
                 console.log(
                     chalk.dim(
-                        '    (Guardrails skills are only written for Cursor, Claude Code, and Codex targets.)',
+                        '    (Guardrails skills are only written for Cursor, VS Code Copilot, Claude Code, and Codex targets.)',
                     ),
                 );
             }
@@ -409,7 +410,7 @@ export async function initCommand(options) {
         if (!agentTarget) {
             console.log(
                 chalk.yellow(
-                    '  \u26a0  Profiling needs Cursor, Claude Code, or Codex in your targets. Add one and re-run, or run the guardrails-init-profile command in your IDE.',
+                    '  \u26a0  Profiling needs Cursor, VS Code Copilot, Claude Code, or Codex in your targets. Add one and re-run, or run the guardrails-init-profile command in your IDE.',
                 ),
             );
         } else {
@@ -453,11 +454,44 @@ export async function initCommand(options) {
                     }
                     console.log('');
                 }
+            } else if (agentTarget === 'vscode') {
+                console.log(
+                    chalk.dim(
+                        '  Copilot: profiling uses the VS Code MCP config and Copilot CLI tool approvals for this folder.',
+                    ),
+                );
+
+                let runLogin = Boolean(options.profilerCopilotLogin);
+                if (!runLogin && interactive) {
+                    runLogin = await confirm({
+                        message:
+                            'Run GitHub Copilot CLI login in this terminal now? (Same init — profiling runs next. Choose No if already signed in.)',
+                        default: true,
+                    });
+                }
+                if (runLogin) {
+                    console.log('');
+                    console.log(chalk.bold.white('  GitHub Copilot CLI login'));
+                    console.log(chalk.dim('  Complete the browser or device-code prompt, then return here.\n'));
+                    const loginResult = runCopilotLogin(cwd);
+                    if (loginResult.ok) {
+                        console.log(chalk.green('  \u2713 GitHub Copilot CLI login step finished.'));
+                    } else {
+                        console.log(
+                            chalk.yellow(
+                                `  \u26a0  Copilot login exited with status ${loginResult.status ?? 'unknown'}. Profiling will still be attempted; sign in and re-run init if it fails.`,
+                            ),
+                        );
+                    }
+                    console.log('');
+                }
             } else {
                 console.log(chalk.dim('  (Sign-in or approvals may be required in your terminal.)'));
             }
             console.log('');
-            const showProfilerOutput = Boolean(options.profilerVerbose || options.profilerNoTrust);
+            const showProfilerOutput = Boolean(
+                options.profilerVerbose || (agentTarget === 'cursor' && options.profilerNoTrust),
+            );
             if (showProfilerOutput) {
                 console.log(chalk.dim('  Profiling in progress. Agent output is visible for this run...'));
             } else {
@@ -499,6 +533,24 @@ export async function initCommand(options) {
                             '    • Want interactive trust instead of `--trust`: run `securityreview-kit init ... --profiler-no-trust` and answer the prompts, then profile again.',
                         ),
                     );
+                } else if (agentTarget === 'vscode') {
+                    console.log('');
+                    console.log(chalk.dim('  Typical fixes:'));
+                    console.log(
+                        chalk.dim(
+                            '    • Not signed in: re-run `securityreview-kit init` and choose Yes for GitHub Copilot CLI login, or pass `--profiler-copilot-login` with `--profile-repo`.',
+                        ),
+                    );
+                    console.log(
+                        chalk.dim(
+                            '    • CLI missing: install GitHub Copilot CLI and verify `copilot --version`.',
+                        ),
+                    );
+                    console.log(
+                        chalk.dim(
+                            '    • MCP missing: re-run init with VS Code selected and MCP installation enabled so `.vscode/mcp.json` is written.',
+                        ),
+                    );
                 }
             }
         }

package/src/generators/rules/guardrails-init-profile.md

@@ -17,7 +17,7 @@ Configured SRAI project name: `<SRAI_PROJECT_NAME>`
 
 Do not skip MCP upload when credentials and MCP are available.
 
-Do **not** ask the user to verbally approve MCP for `security-review-mcp`. The repo’s **`.cursor/cli.json`** should list `Mcp(security-review-mcp:*)` under `permissions.allow`; call the MCP tools directly.
+Do **not** ask the user to verbally approve MCP for `security-review-mcp`. The init-time profiler runner passes the CLI-specific MCP configuration and approval settings where supported; call the MCP tools directly.
 
 ## Cursor CLI (scripted)
 
@@ -30,3 +30,11 @@ Add `--output-format stream-json --stream-partial-output` only when you need ver
 During `securityreview-kit init`, choose **Yes** when asked to run Cursor login in-terminal, or pass **`--profiler-cursor-login`** with **`--profile-repo`** so login and profiling stay in one run.
 
 You can still sign in manually with `agent login` (or `cursor-agent login`). To handle trust/login interactively in the terminal, omit `--trust` and `--approve-mcps`.
+
+## GitHub Copilot CLI (scripted)
+
+From the repo root, non-interactive runs should load the SRAI MCP server and allow the tools needed to scan, write profile files, and call MCP:
+
+`copilot -p "<your profiling instructions>" --additional-mcp-config '{"mcpServers":{"security-review-mcp":{"type":"stdio","command":"npx","args":["-y","@securityreviewai/security-review-mcp@latest"]}}}' --allow-all`
+
+During `securityreview-kit init`, choose **Yes** when asked to run GitHub Copilot CLI login, or pass **`--profiler-copilot-login`** with **`--profile-repo`** so `copilot login` and profiling stay in one run.

package/src/generators/rules/guardrails-profiler/SKILL.md

@@ -11,7 +11,7 @@ Configured SRAI project name: `<SRAI_PROJECT_NAME>`
 
 ## Canonical paths
 
-- **This skill & signal registry (read-only):** `<GUARDRAILS_SKILL_DIR>/` — e.g. `.cursor/skills/guardrails-profiler`, `.claude/skills/guardrails-profiler`, or `.codex/skills/guardrails-profiler` depending on where this file was installed.
+- **This skill & signal registry (read-only):** `<GUARDRAILS_SKILL_DIR>/` — e.g. `.cursor/skills/guardrails-profiler`, `.github/skills/guardrails-profiler`, `.claude/skills/guardrails-profiler`, or `.codex/skills/guardrails-profiler` depending on where this file was installed.
 - **Signal registry file:** `<GUARDRAILS_SKILL_DIR>/references/signal-registry.json`
 - **Local guardrails file:** `.guardrails/profile.json`
 - **Combined manifest (project root):** `profile.json` — includes guardrails profile, vibe profile fields for MCP, and default pack payload
@@ -131,7 +131,7 @@ Write **`profile.json`** at the project root with **only** these parts:
 
 3. Call **`write_default_pack`** with `project_id` and the payload from **`profile.json.default_guardrail_pack`** (match the MCP tool’s schema).
 
-4. **MCP approval:** Do **not** ask the user to “approve MCP” or “say you approve” for `security-review-mcp`. Security Review Kit installs **`.cursor/cli.json`** with `Mcp(security-review-mcp:*)` in `permissions.allow` so Cursor CLI runs tools without that prompt. Invoke `find_project_by_name`, `update_vibe_profile`, and `write_default_pack` directly. If a call still fails with permissions, report the error and suggest verifying Cursor **auto-run** / CLI permissions — not a conversational approval step.
+4. **MCP approval:** Do **not** ask the user to “approve MCP” or “say you approve” for `security-review-mcp`. Security Review Kit passes the configured MCP server and approval settings during init-time profiling where the CLI supports it (for example Cursor CLI permissions and Copilot CLI `--additional-mcp-config` / `--allow-all`). Invoke `find_project_by_name`, `update_vibe_profile`, and `write_default_pack` directly. If a call still fails with permissions, report the exact CLI permission error — not a conversational approval step.
 
 5. Confirm success: paths written (`profile.json`, `.guardrails/profile.json`) and whether both MCP calls succeeded, or the exact error.
 
@@ -149,4 +149,4 @@ If there are no signals:
 
 ## IDE-Specific Notes
 
-When run from Cursor Agent CLI, Claude Code, or Codex CLI, set `profiled_by` to a stable id (`agent` or `cursor-agent`, `claude`, `codex`).
+When run from Cursor Agent CLI, GitHub Copilot CLI, Claude Code, or Codex CLI, set `profiled_by` to a stable id (`agent` or `cursor-agent`, `copilot`, `claude`, `codex`).

package/src/generators/rules/vscode.js

@@ -1,4 +1,5 @@
 import { join } from 'node:path';
+import { GUARDRAILS_SELECTION_SKILL_REL_DIR } from '../../utils/constants.js';
 import { upsertSentinelBlock } from '../../utils/fs-helpers.js';
 import { getRuleContent } from './content.js';
 
@@ -7,7 +8,10 @@ import { getRuleContent } from './content.js';
  */
 export function generate(cwd, options = {}) {
     const filePath = join(cwd, '.github', 'copilot-instructions.md');
-    const content = getRuleContent(options);
+    const content = getRuleContent({
+        ...options,
+        guardrailsSelectionSkillDir: GUARDRAILS_SELECTION_SKILL_REL_DIR.vscode,
+    });
     const action = upsertSentinelBlock(filePath, content);
     return { filePath, action };
 }

package/src/utils/constants.js

@@ -63,6 +63,7 @@ export const TARGET_NAMES = Object.keys(TARGETS);
 export const GUARDRAILS_PROFILER_SKILL_REL_DIR = {
     cursor: '.cursor/skills/guardrails-profiler',
     claude: '.claude/skills/guardrails-profiler',
+    vscode: '.github/skills/guardrails-profiler',
     codex: '.codex/skills/guardrails-profiler',
 };
 
@@ -70,6 +71,7 @@ export const GUARDRAILS_PROFILER_SKILL_REL_DIR = {
 export const GUARDRAILS_SELECTION_SKILL_REL_DIR = {
     cursor: '.cursor/skills/guardrails-selection',
     claude: '.claude/skills/guardrails-selection',
+    vscode: '.github/skills/guardrails-selection',
     codex: '.codex/skills/guardrails-selection',
 };
 

package/src/utils/ide-cli-install.js

@@ -1,7 +1,7 @@
 import { spawnSync } from 'node:child_process';
 import { augmentPathEnv, resolveCursorAgentExecutable } from './cursor-agent-path.js';
 
-const AGENT_CLI_TARGETS = new Set(['cursor', 'claude', 'codex']);
+const AGENT_CLI_TARGETS = new Set(['cursor', 'claude', 'vscode', 'codex']);
 
 function commandOk(cmd, args = ['--version'], env = process.env) {
     const r = spawnSync(cmd, args, { stdio: 'ignore', env });
@@ -13,7 +13,7 @@ function runShell(script) {
 }
 
 /**
- * Ensure Cursor / Claude Code / Codex CLIs are present when those targets are selected.
+ * Ensure Cursor / Claude Code / Copilot / Codex CLIs are present when those targets are selected.
  * Installation uses vendor scripts or npm where appropriate.
  */
 export function ensureIdeCliForTarget(target, options = {}) {
@@ -89,6 +89,47 @@ export function ensureIdeCliForTarget(target, options = {}) {
             : { target, ok: false, message: 'Codex CLI npm install failed' };
     }
 
+    if (target === 'vscode') {
+        if (commandOk('copilot', ['--version'], augmentPathEnv())) {
+            return { target, ok: true, already: true };
+        }
+        if (skipInstall) {
+            return {
+                target,
+                ok: false,
+                message:
+                    'GitHub Copilot CLI not found (`copilot`). Install from https://docs.github.com/copilot/how-tos/copilot-cli/set-up-copilot-cli/install-copilot-cli.',
+            };
+        }
+        if (process.platform === 'win32') {
+            const r = runShell('winget install GitHub.Copilot');
+            if (r.status !== 0) {
+                return { target, ok: false, message: 'GitHub Copilot CLI winget install failed' };
+            }
+            return commandOk('copilot', ['--version'], augmentPathEnv())
+                ? { target, ok: true }
+                : {
+                      target,
+                      ok: false,
+                      message:
+                          'GitHub Copilot CLI (`copilot`) not found after install; open a new shell or ensure it is on PATH and re-run init',
+                  };
+        }
+        const r = runShell('curl -fsSL https://gh.io/copilot-install | bash');
+        if (r.status !== 0) {
+            return { target, ok: false, message: 'GitHub Copilot CLI install script failed' };
+        }
+        if (!commandOk('copilot', ['--version'], augmentPathEnv())) {
+            return {
+                target,
+                ok: false,
+                message:
+                    'GitHub Copilot CLI (`copilot`) not found after install; open a new shell or ensure the install directory is on PATH and re-run init',
+            };
+        }
+        return { target, ok: true };
+    }
+
     return { target, ok: true, skipped: true };
 }
 

package/src/utils/profiler-agent.js

@@ -1,8 +1,10 @@
 import { spawnSync } from 'node:child_process';
-import { GUARDRAILS_PROFILER_SKILL_REL_DIR } from './constants.js';
+import { join } from 'node:path';
+import { GUARDRAILS_PROFILER_SKILL_REL_DIR, MCP_SERVER_NAME } from './constants.js';
 import { augmentPathEnv, resolveCursorAgentExecutable } from './cursor-agent-path.js';
+import { readJson } from './fs-helpers.js';
 
-const PREFERRED_ORDER = ['cursor', 'claude', 'codex'];
+const PREFERRED_ORDER = ['cursor', 'vscode', 'claude', 'codex'];
 
 function commandOk(cmd, args = ['--version'], env = process.env) {
     const r = spawnSync(cmd, args, { stdio: 'ignore', env });
@@ -48,6 +50,28 @@ export function runCursorAgentLogin(cwd) {
     return { ok: r.status === 0, status: r.status, message: r.status !== 0 ? spawnErr : undefined };
 }
 
+/**
+ * Run GitHub Copilot CLI OAuth login in the current terminal (stdio inherited).
+ * `copilot login` exits after the device-flow succeeds, so init can continue into profiling.
+ */
+export function runCopilotLogin(cwd) {
+    const env = augmentPathEnv(process.env);
+    if (!commandOk('copilot', ['--version'], env)) {
+        return {
+            ok: false,
+            status: null,
+            message:
+                'GitHub Copilot CLI not found (`copilot`). Install from https://docs.github.com/copilot/how-tos/copilot-cli/set-up-copilot-cli/install-copilot-cli.',
+        };
+    }
+    const r = spawnSync('copilot', ['login'], { cwd, stdio: 'inherit', env });
+    const spawnErr = r.error ? r.error.message : null;
+    if (r.status === null && spawnErr) {
+        return { ok: false, status: null, message: spawnErr };
+    }
+    return { ok: r.status === 0, status: r.status, message: r.status !== 0 ? spawnErr : undefined };
+}
+
 export function pickProfilerAgentTarget(targets) {
     for (const t of PREFERRED_ORDER) {
         if (targets.includes(t)) {
@@ -128,9 +152,61 @@ export function runProfilerAgent(
         return buildProfilerResult(r);
     }
 
+    if (target === 'vscode') {
+        if (!commandOk('copilot', ['--version'], env)) {
+            return { ok: false, message: 'copilot not on PATH' };
+        }
+
+        const mcpConfig = buildCopilotAdditionalMcpConfig(cwd);
+        if (!mcpConfig) {
+            return {
+                ok: false,
+                message:
+                    'VS Code MCP config not found for security-review-mcp. Re-run init with MCP installation enabled.',
+            };
+        }
+
+        const args = [
+            '-p',
+            prompt,
+            '--additional-mcp-config',
+            mcpConfig,
+            '--allow-all',
+        ];
+        if (streamProgress) {
+            args.push('--output-format', 'json');
+        }
+        const r = spawnSync('copilot', args, opts);
+        return buildProfilerResult(r);
+    }
+
     return { ok: false, message: 'unsupported agent target' };
 }
 
+export function buildCopilotAdditionalMcpConfig(cwd) {
+    const vscodeMcp = readJson(join(cwd, '.vscode', 'mcp.json'));
+    const sourceServer =
+        vscodeMcp?.mcpServers?.[MCP_SERVER_NAME] || vscodeMcp?.servers?.[MCP_SERVER_NAME];
+
+    if (!sourceServer || typeof sourceServer !== 'object') {
+        return null;
+    }
+
+    const server = { ...sourceServer };
+    if (!server.type) {
+        server.type = 'stdio';
+    }
+    if (!Array.isArray(server.tools)) {
+        server.tools = ['*'];
+    }
+
+    return JSON.stringify({
+        mcpServers: {
+            [MCP_SERVER_NAME]: server,
+        },
+    });
+}
+
 function buildProfilerResult(result) {
     if (result.error) {
         return { ok: false, status: result.status, message: result.error.message };

package/src/utils/profiler-agent.test.js

@@ -0,0 +1,41 @@
+import { mkdirSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import {
+    buildCopilotAdditionalMcpConfig,
+    pickProfilerAgentTarget,
+} from './profiler-agent.js';
+
+test('pickProfilerAgentTarget supports VS Code Copilot', () => {
+    assert.equal(pickProfilerAgentTarget(['vscode']), 'vscode');
+    assert.equal(pickProfilerAgentTarget(['codex', 'vscode']), 'vscode');
+});
+
+test('buildCopilotAdditionalMcpConfig converts VS Code MCP config', () => {
+    const cwd = join(tmpdir(), `securityreview-kit-${Date.now()}`);
+    mkdirSync(join(cwd, '.vscode'), { recursive: true });
+    writeFileSync(
+        join(cwd, '.vscode', 'mcp.json'),
+        JSON.stringify({
+            servers: {
+                'security-review-mcp': {
+                    type: 'stdio',
+                    command: 'npx',
+                    args: ['-y', '@securityreviewai/security-review-mcp@latest'],
+                    env: {
+                        SECURITY_REVIEW_API_URL: 'https://api.example.test',
+                        SECURITY_REVIEW_API_TOKEN: 'token',
+                    },
+                },
+            },
+        }),
+    );
+
+    const converted = JSON.parse(buildCopilotAdditionalMcpConfig(cwd));
+
+    assert.deepEqual(Object.keys(converted.mcpServers), ['security-review-mcp']);
+    assert.equal(converted.mcpServers['security-review-mcp'].command, 'npx');
+    assert.deepEqual(converted.mcpServers['security-review-mcp'].tools, ['*']);
+});