@securityreviewai/securityreview-kit 0.1.38 → 0.1.39

package/README.md

@@ -28,7 +28,7 @@ npx @securityreviewai/securityreview-kit init --switch-project
 | Target | Flag | MCP Config | Workspace Rule |
 |---|---|---|---|
 | Cursor | `cursor` | `.cursor/mcp.json` | `.cursor/rules/srai-security-review.mdc`, `.cursor/rules/ctm_sync_rule.mdc`, `.cursor/commands/ctm_sync.md`, `.cursor/agents/ctm_sync.md`, `.cursor/commands/create-ide-workflow.md`, `.cursor/commands/srai-profile.md`, `.cursor/skills/threat-modelling/SKILL.md` |
-| Claude Code | `claude` | `.claude/settings.json` | `CLAUDE.md` |
+| Claude Code | `claude` | `.claude/settings.json` | `CLAUDE.md`, `.claude/skills/threat-modelling/SKILL.md`, `.claude/skills/guardrails-profiler/SKILL.md`, `.claude/skills/guardrails-selection/SKILL.md`, `.claude/agents/ctm_sync.md`, `.claude/commands/guardrails-init-profile.md` |
 | VS Code Copilot | `vscode` | `.vscode/mcp.json` | `.github/copilot-instructions.md`, `.github/skills/threat-modelling/SKILL.md`, `.github/skills/guardrails-profiler/SKILL.md`, `.github/skills/guardrails-selection/SKILL.md`, `.github/agents/ctm_sync.agent.md`, `.github/hooks/srai-session-policy.json` |
 | Windsurf | `windsurf` | `.windsurf/mcp_config.json` | `.windsurf/rules/srai-security-review.md` |
 | Codex | `codex` | `.codex/config.toml` | `.codex/AGENTS.md`, `.codex/skills/threat-modelling/SKILL.md`, `.codex/skills/guardrails-profiler/SKILL.md`, `.codex/skills/guardrails-selection/SKILL.md`, `.codex/agents/ctm_sync.toml`, `.codex/hooks.json`, `.codex/commands/guardrails-init-profile.md` |
@@ -52,6 +52,7 @@ Options:
   --skip-mcp              Skip MCP server config installation
   --skip-rules            Skip workspace rule installation
   --profile-repo          Run the guardrails profiler after init
+  --profiler-claude-login Run Claude Code login before profiling
   --profiler-copilot-login
                           Run GitHub Copilot CLI login before VS Code Copilot profiling
   --profiler-codex-login  Run Codex login before Codex profiling

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@securityreviewai/securityreview-kit",
-  "version": "0.1.38",
+  "version": "0.1.39",
   "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
   "author": "Debarshi Das <debarshi.das@we45.com>",
   "license": "UNLICENSED",

package/src/cli.js

@@ -37,6 +37,10 @@ export function run() {
             '--profiler-cursor-login',
             'Before Cursor profiling, run `agent login` (or `cursor-agent login`) in this terminal (then profiling runs in the same init)',
         )
+        .option(
+            '--profiler-claude-login',
+            'Before Claude Code profiling, run `claude auth login` in this terminal',
+        )
         .option(
             '--profiler-copilot-login',
             'Before VS Code Copilot profiling, run `copilot login` in this terminal',

package/src/commands/init.js

@@ -6,6 +6,7 @@ import { ensureIdeClisForTargets } from '../utils/ide-cli-install.js';
 import { writeGuardrailsSkillBundles } from '../utils/guardrails-profiler-bundle.js';
 import {
     pickProfilerAgentTarget,
+    runClaudeLogin,
     runCodexLogin,
     runCopilotLogin,
     runCursorAgentLogin,
@@ -486,6 +487,37 @@ export async function initCommand(options) {
                     }
                     console.log('');
                 }
+            } else if (agentTarget === 'claude') {
+                console.log(
+                    chalk.dim(
+                        '  Claude Code: profiling uses `.claude/settings.json`, the configured MCP server, and the Haiku model for this run.',
+                    ),
+                );
+
+                let runLogin = Boolean(options.profilerClaudeLogin);
+                if (!runLogin && interactive) {
+                    runLogin = await confirm({
+                        message:
+                            'Run Claude Code login in this terminal now? (Same init — profiling runs next. Choose No if already signed in.)',
+                        default: true,
+                    });
+                }
+                if (runLogin) {
+                    console.log('');
+                    console.log(chalk.bold.white('  Claude Code login'));
+                    console.log(chalk.dim('  Complete the browser prompt, then return here.\n'));
+                    const loginResult = runClaudeLogin(cwd);
+                    if (loginResult.ok) {
+                        console.log(chalk.green('  \u2713 Claude Code login step finished.'));
+                    } else {
+                        console.log(
+                            chalk.yellow(
+                                `  \u26a0  Claude login exited with status ${loginResult.status ?? 'unknown'}. Profiling will still be attempted; sign in and re-run init if it fails.`,
+                            ),
+                        );
+                    }
+                    console.log('');
+                }
             } else if (agentTarget === 'codex') {
                 console.log(
                     chalk.dim(
@@ -592,6 +624,24 @@ export async function initCommand(options) {
                             '    • MCP missing: re-run init with VS Code selected and MCP installation enabled so `.vscode/mcp.json` is written.',
                         ),
                     );
+                } else if (agentTarget === 'claude') {
+                    console.log('');
+                    console.log(chalk.dim('  Typical fixes:'));
+                    console.log(
+                        chalk.dim(
+                            '    • Not signed in: re-run `securityreview-kit init` and choose Yes for Claude Code login, or pass `--profiler-claude-login` with `--profile-repo`.',
+                        ),
+                    );
+                    console.log(
+                        chalk.dim(
+                            '    • CLI missing: install Claude Code and verify `claude --version`.',
+                        ),
+                    );
+                    console.log(
+                        chalk.dim(
+                            '    • MCP missing: re-run init with Claude Code selected and MCP installation enabled so `.claude/settings.json` is written.',
+                        ),
+                    );
                 } else if (agentTarget === 'codex') {
                     console.log('');
                     console.log(chalk.dim('  Typical fixes:'));

package/src/generators/mcp/claude.js

@@ -2,6 +2,32 @@ import { join } from 'node:path';
 import { readJson, writeJson } from '../../utils/fs-helpers.js';
 import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
 
+function getClaudeSessionStartHooks() {
+    const prompt = [
+        'MANDATORY SECURITY GATE (Claude Code Session Policy)',
+        '',
+        'For any request with security impact, follow this order:',
+        '1. Fetch Vibe Guardrails first using .claude/skills/guardrails-selection/SKILL.md.',
+        '2. Run PWNISMS threat modelling using .claude/skills/threat-modelling/SKILL.md.',
+        '3. Implement secure code using the hydrated guardrails and threat findings.',
+        '4. Invoke the ctm_sync agent using .claude/agents/ctm_sync.md after implementation or threat-model updates.',
+        '',
+        'Do not use project-profile exploration tools during normal coding tasks. No blocking and no deferral: guardrails first, PWNISMS second, implementation third, ctm_sync last.',
+    ].join('\n');
+
+    return [
+        {
+            matcher: '.*',
+            hooks: [
+                {
+                    type: 'prompt',
+                    prompt,
+                },
+            ],
+        },
+    ];
+}
+
 /**
  * Generate Claude Code MCP config at .claude/settings.json
  */
@@ -22,6 +48,15 @@ export function generate(cwd, envVars) {
         },
     };
 
+    const existingSessionStart = Array.isArray(existing.SessionStart) ? existing.SessionStart : [];
+    const marker = 'MANDATORY SECURITY GATE (Claude Code Session Policy)';
+    const ours = getClaudeSessionStartHooks();
+    const hasOurs = existingSessionStart.some((entry) =>
+        Array.isArray(entry?.hooks) &&
+        entry.hooks.some((hook) => hook?.type === 'prompt' && typeof hook?.prompt === 'string' && hook.prompt.includes(marker)),
+    );
+    existing.SessionStart = hasOurs ? existingSessionStart : [...existingSessionStart, ...ours];
+
     writeJson(filePath, existing);
     return filePath;
 }

package/src/generators/mcp/claude.test.js

@@ -0,0 +1,53 @@
+import { mkdirSync, mkdtempSync, readFileSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import { generate } from './claude.js';
+
+test('Claude MCP generator writes mcp server and session hooks', () => {
+    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-claude-mcp-'));
+
+    generate(cwd, {
+        apiUrl: 'https://example.test',
+        apiToken: 'secret-token',
+    });
+
+    const config = JSON.parse(readFileSync(join(cwd, '.claude', 'settings.json'), 'utf8'));
+    assert.equal(config.mcpServers['security-review-mcp'].command, 'npx');
+    assert.equal(Array.isArray(config.SessionStart), true);
+    assert.match(config.SessionStart[0].hooks[0].prompt, /MANDATORY SECURITY GATE/);
+});
+
+test('Claude MCP generator preserves existing SessionStart hooks', () => {
+    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-claude-mcp-merge-'));
+    const configPath = join(cwd, '.claude', 'settings.json');
+    mkdirSync(join(cwd, '.claude'), { recursive: true });
+
+    writeFileSync(
+        configPath,
+        JSON.stringify(
+            {
+                SessionStart: [
+                    {
+                        matcher: '.*',
+                        hooks: [{ type: 'prompt', prompt: 'Existing hook' }],
+                    },
+                ],
+            },
+            null,
+            2,
+        ),
+        'utf8',
+    );
+
+    generate(cwd, {
+        apiUrl: 'https://example.test',
+        apiToken: 'secret-token',
+    });
+
+    const config = JSON.parse(readFileSync(configPath, 'utf8'));
+    assert.equal(config.SessionStart.length, 2);
+    assert.match(config.SessionStart[0].hooks[0].prompt, /Existing hook/);
+    assert.match(config.SessionStart[1].hooks[0].prompt, /MANDATORY SECURITY GATE/);
+});

package/src/generators/rules/claude.js

@@ -1,28 +1,83 @@
+import { existsSync } from 'node:fs';
 import { join } from 'node:path';
-import { GUARDRAILS_PROFILER_SKILL_REL_DIR, GUARDRAILS_SELECTION_SKILL_REL_DIR } from '../../utils/constants.js';
+import {
+    CTM_SYNC_AGENT_REL_PATH,
+    GUARDRAILS_PROFILER_SKILL_REL_DIR,
+    GUARDRAILS_SELECTION_SKILL_REL_DIR,
+    THREAT_MODELLING_SKILL_REL_DIR,
+} from '../../utils/constants.js';
 import { upsertSentinelBlock, writeText } from '../../utils/fs-helpers.js';
-import { getRuleContent, getGuardrailsInitProfileContent } from './content.js';
+import {
+    getCtmSyncWorkflowContent,
+    getGuardrailsInitProfileContent,
+    getRuleContent,
+    getThreatModellingSkillContent,
+} from './content.js';
+
+function writeGeneratedText(filePath, content) {
+    const action = existsSync(filePath) ? 'updated' : 'created';
+    writeText(filePath, content);
+    return { filePath, action };
+}
+
+function getAgentBody(content) {
+    return content.replace(/^---\n[\s\S]*?\n---\n*/, '').trim();
+}
+
+function getClaudeCtmSyncAgentContent(options = {}) {
+    const body = getAgentBody(getCtmSyncWorkflowContent(options));
+    return [
+        '---',
+        'name: ctm_sync',
+        'description: Use this agent after security-relevant implementation or threat modelling work to synchronize the latest threat model, mitigations, and guardrails to SRAI.',
+        'model: inherit',
+        'color: blue',
+        '---',
+        '',
+        body,
+        '',
+    ].join('\n');
+}
 
 /**
  * Generate Claude Code workspace rule — appends to CLAUDE.md
  */
 export function generate(cwd, options = {}) {
-    const filePath = join(cwd, 'CLAUDE.md');
-    const content = getRuleContent({
+    const optionsWithSkillDirs = {
         ...options,
         guardrailsSelectionSkillDir: GUARDRAILS_SELECTION_SKILL_REL_DIR.claude,
-    });
+        threatModellingSkillDir: THREAT_MODELLING_SKILL_REL_DIR.claude,
+        ctmSyncAgentPath: CTM_SYNC_AGENT_REL_PATH.claude,
+    };
+    const filePath = join(cwd, 'CLAUDE.md');
+    const content = getRuleContent(optionsWithSkillDirs);
     const action = upsertSentinelBlock(filePath, content);
 
+    const threatSkillPath = join(cwd, THREAT_MODELLING_SKILL_REL_DIR.claude, 'SKILL.md');
+    const threatSkill = writeGeneratedText(
+        threatSkillPath,
+        getThreatModellingSkillContent(optionsWithSkillDirs),
+    );
+
+    const ctmSyncAgentPath = join(cwd, CTM_SYNC_AGENT_REL_PATH.claude);
+    const ctmSyncAgent = writeGeneratedText(
+        ctmSyncAgentPath,
+        getClaudeCtmSyncAgentContent(optionsWithSkillDirs),
+    );
+
     const guardrailsInitPath = join(cwd, '.claude', 'commands', 'guardrails-init-profile.md');
-    const guardrailsInitContent = getGuardrailsInitProfileContent({
-        ...options,
-        guardrailsSkillDir: GUARDRAILS_PROFILER_SKILL_REL_DIR.claude,
-    });
-    writeText(guardrailsInitPath, guardrailsInitContent);
+    const guardrailsInit = writeGeneratedText(
+        guardrailsInitPath,
+        getGuardrailsInitProfileContent({
+            ...optionsWithSkillDirs,
+            guardrailsSkillDir: GUARDRAILS_PROFILER_SKILL_REL_DIR.claude,
+        }),
+    );
 
     return [
         { filePath, action, kind: 'rule' },
-        { filePath: guardrailsInitPath, action: 'created', kind: 'command' },
+        { ...threatSkill, kind: 'skill' },
+        { ...ctmSyncAgent, kind: 'agent' },
+        { ...guardrailsInit, kind: 'command' },
     ];
 }

package/src/generators/rules/claude.test.js

@@ -0,0 +1,39 @@
+import { existsSync, mkdtempSync, readFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import { generate } from './claude.js';
+
+test('Claude generator writes CLAUDE.md, threat skill, ctm_sync agent, and profiling command', () => {
+    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-claude-'));
+
+    const results = generate(cwd, { projectName: 'SmokeProject' });
+
+    const expectedPaths = [
+        'CLAUDE.md',
+        '.claude/skills/threat-modelling/SKILL.md',
+        '.claude/agents/ctm_sync.md',
+        '.claude/commands/guardrails-init-profile.md',
+    ];
+
+    for (const relPath of expectedPaths) {
+        assert.equal(existsSync(join(cwd, relPath)), true, `${relPath} should exist`);
+    }
+
+    assert.deepEqual(results.map((entry) => entry.kind), ['rule', 'skill', 'agent', 'command']);
+
+    const instructions = readFileSync(join(cwd, 'CLAUDE.md'), 'utf8');
+    assert.match(instructions, /\.claude\/skills\/guardrails-selection\/SKILL\.md/);
+    assert.match(instructions, /\.claude\/skills\/threat-modelling\/SKILL\.md/);
+    assert.match(instructions, /\.claude\/agents\/ctm_sync\.md/);
+
+    const threatSkill = readFileSync(join(cwd, '.claude/skills/threat-modelling/SKILL.md'), 'utf8');
+    assert.match(threatSkill, /\.claude\/agents\/ctm_sync\.md/);
+    assert.doesNotMatch(threatSkill, /get_project_profile_description/);
+
+    const agent = readFileSync(join(cwd, '.claude/agents/ctm_sync.md'), 'utf8');
+    assert.match(agent, /^---\nname: ctm_sync/m);
+    assert.match(agent, /model: inherit/);
+    assert.match(agent, /Configured SRAI project name: `SmokeProject`/);
+});

package/src/generators/rules/guardrails-init-profile.md

@@ -31,6 +31,14 @@ During `securityreview-kit init`, choose **Yes** when asked to run Cursor login
 
 You can still sign in manually with `agent login` (or `cursor-agent login`). To handle trust/login interactively in the terminal, omit `--trust` and `--approve-mcps`.
 
+## Claude Code CLI (scripted)
+
+From the repo root, non-interactive runs should execute with the project settings file and the Haiku model for this profiling pass:
+
+`claude -p "<your profiling instructions>" --settings .claude/settings.json --model haiku`
+
+During `securityreview-kit init`, choose **Yes** when asked to run Claude Code login, or pass **`--profiler-claude-login`** with **`--profile-repo`** so `claude auth login` and profiling stay in one run.
+
 ## GitHub Copilot CLI (scripted)
 
 From the repo root, non-interactive runs should load the SRAI MCP server and allow the tools needed to scan, write profile files, and call MCP:

package/src/utils/constants.js

@@ -78,6 +78,7 @@ export const GUARDRAILS_SELECTION_SKILL_REL_DIR = {
 /** Relative workspace dirs for the PWNISMS threat-modelling skill (per IDE / CLI). */
 export const THREAT_MODELLING_SKILL_REL_DIR = {
     cursor: '.cursor/skills/threat-modelling',
+    claude: '.claude/skills/threat-modelling',
     vscode: '.github/skills/threat-modelling',
     codex: '.codex/skills/threat-modelling',
 };
@@ -85,6 +86,7 @@ export const THREAT_MODELLING_SKILL_REL_DIR = {
 /** Relative workspace paths for the CTM sync agent/workflow (per IDE / CLI). */
 export const CTM_SYNC_AGENT_REL_PATH = {
     cursor: '.cursor/agents/ctm_sync.md',
+    claude: '.claude/agents/ctm_sync.md',
     vscode: '.github/agents/ctm_sync.agent.md',
     codex: '.codex/agents/ctm_sync.toml',
 };

package/src/utils/profiler-agent.js

@@ -109,6 +109,26 @@ export function runCopilotLogin(cwd) {
     return { ok: r.status === 0, status: r.status, message: r.status !== 0 ? spawnErr : undefined };
 }
 
+/**
+ * Run Claude Code login in the current terminal.
+ */
+export function runClaudeLogin(cwd) {
+    const env = augmentPathEnv(process.env);
+    if (!commandOk('claude', ['--version'], env)) {
+        return {
+            ok: false,
+            status: null,
+            message: 'Claude Code CLI not found (`claude`). Install from https://claude.ai/code.',
+        };
+    }
+    const r = spawnSync('claude', ['auth', 'login', '--claudeai'], { cwd, stdio: 'inherit', env });
+    const spawnErr = r.error ? r.error.message : null;
+    if (r.status === null && spawnErr) {
+        return { ok: false, status: null, message: spawnErr };
+    }
+    return { ok: r.status === 0, status: r.status, message: r.status !== 0 ? spawnErr : undefined };
+}
+
 /**
  * Run Codex login in the current terminal. Device auth keeps the flow in-terminal.
  */
@@ -230,9 +250,12 @@ export function runProfilerAgent(
         if (!commandOk('claude', ['--version'], env)) {
             return { ok: false, message: 'claude not on PATH' };
         }
-        const args = streamProgress
-            ? ['-p', '--output-format', 'stream-json', '--include-partial-messages', '--verbose', prompt]
-            : ['-p', prompt];
+        const settingsPath = join(cwd, '.claude', 'settings.json');
+        const args = ['-p', '--settings', settingsPath, '--model', 'haiku'];
+        if (streamProgress) {
+            args.push('--output-format', 'stream-json', '--include-partial-messages', '--include-hook-events', '--verbose');
+        }
+        args.push(prompt);
         const r = spawnSync('claude', args, opts);
         return buildProfilerResult(r, { logPath: showOutput ? null : persistProfilerLog(cwd, target, r) });
     }