@securityreviewai/securityreview-kit 0.1.39 → 0.1.41

package/README.md

@@ -28,7 +28,7 @@ npx @securityreviewai/securityreview-kit init --switch-project
 | Target | Flag | MCP Config | Workspace Rule |
 |---|---|---|---|
 | Cursor | `cursor` | `.cursor/mcp.json` | `.cursor/rules/srai-security-review.mdc`, `.cursor/rules/ctm_sync_rule.mdc`, `.cursor/commands/ctm_sync.md`, `.cursor/agents/ctm_sync.md`, `.cursor/commands/create-ide-workflow.md`, `.cursor/commands/srai-profile.md`, `.cursor/skills/threat-modelling/SKILL.md` |
-| Claude Code | `claude` | `.claude/settings.json` | `CLAUDE.md`, `.claude/skills/threat-modelling/SKILL.md`, `.claude/skills/guardrails-profiler/SKILL.md`, `.claude/skills/guardrails-selection/SKILL.md`, `.claude/agents/ctm_sync.md`, `.claude/commands/guardrails-init-profile.md` |
+| Claude Code | `claude` | `.mcp.json` | `.claude/CLAUDE.md`, `.claude/settings.json`, `.claude/skills/threat-modelling/SKILL.md`, `.claude/skills/guardrails-profiler/SKILL.md`, `.claude/skills/guardrails-selection/SKILL.md`, `.claude/agents/ctm_sync.md`, `.claude/commands/guardrails-init-profile.md` |
 | VS Code Copilot | `vscode` | `.vscode/mcp.json` | `.github/copilot-instructions.md`, `.github/skills/threat-modelling/SKILL.md`, `.github/skills/guardrails-profiler/SKILL.md`, `.github/skills/guardrails-selection/SKILL.md`, `.github/agents/ctm_sync.agent.md`, `.github/hooks/srai-session-policy.json` |
 | Windsurf | `windsurf` | `.windsurf/mcp_config.json` | `.windsurf/rules/srai-security-review.md` |
 | Codex | `codex` | `.codex/config.toml` | `.codex/AGENTS.md`, `.codex/skills/threat-modelling/SKILL.md`, `.codex/skills/guardrails-profiler/SKILL.md`, `.codex/skills/guardrails-selection/SKILL.md`, `.codex/agents/ctm_sync.toml`, `.codex/hooks.json`, `.codex/commands/guardrails-init-profile.md` |
@@ -53,6 +53,14 @@ Options:
   --skip-rules            Skip workspace rule installation
   --profile-repo          Run the guardrails profiler after init
   --profiler-claude-login Run Claude Code login before profiling
+  --claude-auth-mode <mode>
+                          Claude profiling auth mode: current, claudeai, console, api_key, gateway, bedrock, vertex, or setup_token
+  --claude-api-key <key>  Anthropic API key for Claude profiling
+  --claude-base-url <url> Anthropic-compatible base URL for Claude profiling
+  --claude-auth-token <token>
+                          Auth token for Claude profiling gateway mode
+  --claude-provider-model <model>
+                          Optional Claude provider model override for gateway, Bedrock, or Vertex profiling
   --profiler-copilot-login
                           Run GitHub Copilot CLI login before VS Code Copilot profiling
   --profiler-codex-login  Run Codex login before Codex profiling

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@securityreviewai/securityreview-kit",
-  "version": "0.1.39",
+  "version": "0.1.41",
   "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
   "author": "Debarshi Das <debarshi.das@we45.com>",
   "license": "UNLICENSED",

package/src/cli.js

@@ -41,6 +41,26 @@ export function run() {
             '--profiler-claude-login',
             'Before Claude Code profiling, run `claude auth login` in this terminal',
         )
+        .option(
+            '--claude-auth-mode <mode>',
+            'Claude profiling auth mode: current, claudeai, console, api_key, gateway, bedrock, vertex, or setup_token',
+        )
+        .option(
+            '--claude-api-key <key>',
+            'Anthropic API key for Claude profiling when using --claude-auth-mode api_key',
+        )
+        .option(
+            '--claude-base-url <url>',
+            'Anthropic-compatible base URL for Claude profiling when using --claude-auth-mode gateway',
+        )
+        .option(
+            '--claude-auth-token <token>',
+            'Auth token for Claude profiling when using --claude-auth-mode gateway',
+        )
+        .option(
+            '--claude-provider-model <model>',
+            'Optional Claude provider model override for gateway, Bedrock, or Vertex profiling',
+        )
         .option(
             '--profiler-copilot-login',
             'Before VS Code Copilot profiling, run `copilot login` in this terminal',

package/src/commands/init.js

@@ -1,12 +1,13 @@
 import chalk from 'chalk';
-import { input, checkbox, confirm, select } from '@inquirer/prompts';
+import { input, checkbox, confirm, password, select } from '@inquirer/prompts';
 import { TARGETS, TARGET_NAMES } from '../utils/constants.js';
 import { detectTargets } from '../utils/detect.js';
 import { ensureIdeClisForTargets } from '../utils/ide-cli-install.js';
 import { writeGuardrailsSkillBundles } from '../utils/guardrails-profiler-bundle.js';
 import {
     pickProfilerAgentTarget,
-    runClaudeLogin,
+    runClaudeAuthLogin,
+    runClaudeSetupToken,
     runCodexLogin,
     runCopilotLogin,
     runCursorAgentLogin,
@@ -53,6 +54,170 @@ function normalizeRuleResults(rawResult) {
     });
 }
 
+async function resolveClaudeProfilerAuth(options, interactive, cwd) {
+    const providerModel = String(options.claudeProviderModel || process.env.ANTHROPIC_MODEL || '').trim();
+    let mode = String(options.claudeAuthMode || process.env.SECURITY_REVIEW_CLAUDE_AUTH_MODE || '').trim();
+
+    if (!mode && options.profilerClaudeLogin) {
+        mode = 'claudeai';
+    }
+
+    if (!mode && interactive) {
+        mode = await select({
+            message: 'How should Claude Code authenticate for this profiling run?',
+            default: 'current',
+            choices: [
+                { name: 'Use current Claude Code auth/environment', value: 'current' },
+                { name: 'Claude subscription login', value: 'claudeai' },
+                { name: 'Anthropic Console login', value: 'console' },
+                { name: 'Anthropic API key', value: 'api_key' },
+                { name: 'Anthropic-compatible gateway / proxy', value: 'gateway' },
+                { name: 'AWS Bedrock', value: 'bedrock' },
+                { name: 'Google Vertex AI', value: 'vertex' },
+                { name: 'Long-lived Claude token', value: 'setup_token' },
+            ],
+        });
+    }
+
+    if (!mode) {
+        mode = 'current';
+    }
+
+    const result = {
+        mode,
+        model: providerModel || 'haiku',
+        envOverrides: {},
+        loginRunner: null,
+        loginLabel: '',
+        summary: '',
+    };
+
+    if (mode === 'claudeai') {
+        result.loginRunner = () => runClaudeAuthLogin(cwd, { mode: 'claudeai' });
+        result.loginLabel = 'Claude subscription login';
+        result.summary = 'Claude subscription auth';
+        return result;
+    }
+
+    if (mode === 'console') {
+        result.loginRunner = () => runClaudeAuthLogin(cwd, { mode: 'console' });
+        result.loginLabel = 'Anthropic Console login';
+        result.summary = 'Anthropic Console auth';
+        return result;
+    }
+
+    if (mode === 'setup_token') {
+        result.loginRunner = () => runClaudeSetupToken(cwd);
+        result.loginLabel = 'Claude long-lived token setup';
+        result.summary = 'Claude subscription token auth';
+        return result;
+    }
+
+    if (mode === 'api_key') {
+        let apiKey = String(options.claudeApiKey || process.env.ANTHROPIC_API_KEY || '').trim();
+        if (!apiKey && interactive) {
+            apiKey = await password({
+                message: 'Anthropic API key for this profiling run:',
+                validate: (v) => (String(v || '').trim() ? true : 'API key is required'),
+            });
+        }
+        result.envOverrides = {
+            ANTHROPIC_API_KEY: apiKey,
+            ANTHROPIC_AUTH_TOKEN: null,
+            ANTHROPIC_BASE_URL: null,
+            CLAUDE_CODE_USE_BEDROCK: null,
+            CLAUDE_CODE_USE_VERTEX: null,
+        };
+        result.summary = 'Anthropic API key auth';
+        return result;
+    }
+
+    if (mode === 'gateway') {
+        let baseUrl = String(options.claudeBaseUrl || process.env.ANTHROPIC_BASE_URL || '').trim();
+        let authToken = String(options.claudeAuthToken || process.env.ANTHROPIC_AUTH_TOKEN || '').trim();
+        let model = providerModel;
+
+        if (interactive) {
+            if (!baseUrl) {
+                baseUrl = await input({
+                    message: 'Anthropic-compatible base URL for this profiling run:',
+                    validate: (v) => (String(v || '').trim() ? true : 'Base URL is required'),
+                });
+            }
+            if (!authToken) {
+                authToken = await password({
+                    message: 'Gateway auth token for this profiling run:',
+                    validate: (v) => (String(v || '').trim() ? true : 'Auth token is required'),
+                });
+            }
+            if (!providerModel) {
+                model = String(
+                    await input({
+                        message: 'Provider model override (leave blank to use haiku):',
+                        default: '',
+                    }),
+                ).trim();
+            }
+        }
+
+        result.model = model || 'haiku';
+        result.envOverrides = {
+            ANTHROPIC_BASE_URL: baseUrl,
+            ANTHROPIC_AUTH_TOKEN: authToken,
+            ANTHROPIC_API_KEY: null,
+            CLAUDE_CODE_USE_BEDROCK: null,
+            CLAUDE_CODE_USE_VERTEX: null,
+        };
+        result.summary = `Anthropic-compatible gateway (${baseUrl || 'configured base URL'})`;
+        return result;
+    }
+
+    if (mode === 'bedrock') {
+        let model = providerModel;
+        if (interactive && !providerModel) {
+            model = String(
+                await input({
+                    message: 'Bedrock model override (leave blank to use haiku):',
+                    default: '',
+                }),
+            ).trim();
+        }
+        result.model = model || 'haiku';
+        result.envOverrides = {
+            CLAUDE_CODE_USE_BEDROCK: 'true',
+            CLAUDE_CODE_USE_VERTEX: null,
+            ANTHROPIC_API_KEY: null,
+            ANTHROPIC_AUTH_TOKEN: null,
+        };
+        result.summary = 'AWS Bedrock credentials from your shell/environment';
+        return result;
+    }
+
+    if (mode === 'vertex') {
+        let model = providerModel;
+        if (interactive && !providerModel) {
+            model = String(
+                await input({
+                    message: 'Vertex model override (leave blank to use haiku):',
+                    default: '',
+                }),
+            ).trim();
+        }
+        result.model = model || 'haiku';
+        result.envOverrides = {
+            CLAUDE_CODE_USE_VERTEX: 'true',
+            CLAUDE_CODE_USE_BEDROCK: null,
+            ANTHROPIC_API_KEY: null,
+            ANTHROPIC_AUTH_TOKEN: null,
+        };
+        result.summary = 'Google Vertex AI credentials from your shell/environment';
+        return result;
+    }
+
+    result.summary = 'current Claude Code auth/environment';
+    return result;
+}
+
 /**
  * Resolve environment variables from flags, env, or interactive prompt.
  */
@@ -418,6 +583,7 @@ export async function initCommand(options) {
         } else {
             console.log('');
             console.log(chalk.bold.white(`  Starting profiler via ${TARGETS[agentTarget].name} CLI…`));
+            let claudeProfilerAuth = null;
             if (agentTarget === 'cursor') {
                 console.log(
                     chalk.dim(
@@ -488,31 +654,33 @@ export async function initCommand(options) {
                     console.log('');
                 }
             } else if (agentTarget === 'claude') {
+                claudeProfilerAuth = await resolveClaudeProfilerAuth(options, interactive, cwd);
                 console.log(
                     chalk.dim(
-                        '  Claude Code: profiling uses `.claude/settings.json`, the configured MCP server, and the Haiku model for this run.',
+                        `  Claude Code: profiling uses \`.mcp.json\`, \`.claude/settings.json\`, bypassed tool prompts for this profiling pass, and \`${claudeProfilerAuth.model}\` for this run.`,
                     ),
                 );
+                console.log(chalk.dim(`  Auth mode: ${claudeProfilerAuth.summary}.`));
 
-                let runLogin = Boolean(options.profilerClaudeLogin);
-                if (!runLogin && interactive) {
+                const needsSetup = typeof claudeProfilerAuth.loginRunner === 'function';
+                let runLogin = needsSetup;
+                if (needsSetup && interactive && !options.claudeAuthMode && !options.profilerClaudeLogin) {
                     runLogin = await confirm({
-                        message:
-                            'Run Claude Code login in this terminal now? (Same init — profiling runs next. Choose No if already signed in.)',
+                        message: `${claudeProfilerAuth.loginLabel} in this terminal now? (Same init — profiling runs next.)`,
                         default: true,
                     });
                 }
-                if (runLogin) {
+                if (runLogin && claudeProfilerAuth.loginRunner) {
                     console.log('');
-                    console.log(chalk.bold.white('  Claude Code login'));
-                    console.log(chalk.dim('  Complete the browser prompt, then return here.\n'));
-                    const loginResult = runClaudeLogin(cwd);
+                    console.log(chalk.bold.white(`  ${claudeProfilerAuth.loginLabel}`));
+                    console.log(chalk.dim('  Complete the prompt flow, then return here.\n'));
+                    const loginResult = claudeProfilerAuth.loginRunner();
                     if (loginResult.ok) {
-                        console.log(chalk.green('  \u2713 Claude Code login step finished.'));
+                        console.log(chalk.green(`  \u2713 ${claudeProfilerAuth.loginLabel} finished.`));
                     } else {
                         console.log(
                             chalk.yellow(
-                                `  \u26a0  Claude login exited with status ${loginResult.status ?? 'unknown'}. Profiling will still be attempted; sign in and re-run init if it fails.`,
+                                `  \u26a0  ${claudeProfilerAuth.loginLabel} exited with status ${loginResult.status ?? 'unknown'}. Profiling will still be attempted; configure auth and re-run init if it fails.`,
                             ),
                         );
                     }
@@ -567,6 +735,8 @@ export async function initCommand(options) {
                 projectName: projectNameForSkill,
                 apiUrl: envVars?.apiUrl,
                 apiToken: envVars?.apiToken,
+                modelOverride: agentTarget === 'claude' ? claudeProfilerAuth?.model : undefined,
+                extraEnv: agentTarget === 'claude' ? claudeProfilerAuth?.envOverrides : undefined,
                 cursorTrust: !options.profilerNoTrust,
                 streamProgress: profilerVerbose,
                 showOutput: showProfilerOutput,
@@ -629,7 +799,7 @@ export async function initCommand(options) {
                     console.log(chalk.dim('  Typical fixes:'));
                     console.log(
                         chalk.dim(
-                            '    • Not signed in: re-run `securityreview-kit init` and choose Yes for Claude Code login, or pass `--profiler-claude-login` with `--profile-repo`.',
+                            '    • Choose the right auth mode: subscription, Console, API key, gateway, Bedrock, or Vertex.',
                         ),
                     );
                     console.log(
@@ -639,7 +809,17 @@ export async function initCommand(options) {
                     );
                     console.log(
                         chalk.dim(
-                            '    • MCP missing: re-run init with Claude Code selected and MCP installation enabled so `.claude/settings.json` is written.',
+                            '    • API key / gateway: provide `--claude-api-key`, or `--claude-base-url` plus `--claude-auth-token`, or set the matching env vars before re-running init.',
+                        ),
+                    );
+                    console.log(
+                        chalk.dim(
+                            '    • Bedrock / Vertex: make sure your cloud credentials are already available in this shell before profiling.',
+                        ),
+                    );
+                    console.log(
+                        chalk.dim(
+                            '    • MCP missing: re-run init with Claude Code selected and MCP installation enabled so `.mcp.json` is written and `.claude/settings.json` enables `security-review-mcp`.',
                         ),
                     );
                 } else if (agentTarget === 'codex') {

package/src/generators/mcp/claude.js

@@ -29,17 +29,17 @@ function getClaudeSessionStartHooks() {
 }
 
 /**
- * Generate Claude Code MCP config at .claude/settings.json
+ * Generate Claude Code project MCP config at .mcp.json and project settings at .claude/settings.json
  */
 export function generate(cwd, envVars) {
-    const filePath = join(cwd, '.claude', 'settings.json');
-    const existing = readJson(filePath) || {};
+    const mcpPath = join(cwd, '.mcp.json');
+    const mcpConfig = readJson(mcpPath) || {};
 
-    if (!existing.mcpServers) {
-        existing.mcpServers = {};
+    if (!mcpConfig.mcpServers) {
+        mcpConfig.mcpServers = {};
     }
 
-    existing.mcpServers[MCP_SERVER_NAME] = {
+    mcpConfig.mcpServers[MCP_SERVER_NAME] = {
         command: 'npx',
         args: ['-y', `${MCP_SERVER_PACKAGE}@latest`],
         env: {
@@ -48,6 +48,17 @@ export function generate(cwd, envVars) {
         },
     };
 
+    writeJson(mcpPath, mcpConfig);
+
+    const settingsPath = join(cwd, '.claude', 'settings.json');
+    const existing = readJson(settingsPath) || {};
+    const enabledServers = Array.isArray(existing.enabledMcpjsonServers)
+        ? existing.enabledMcpjsonServers.filter((name) => typeof name === 'string' && name.trim())
+        : [];
+    if (!enabledServers.includes(MCP_SERVER_NAME)) {
+        existing.enabledMcpjsonServers = [...enabledServers, MCP_SERVER_NAME];
+    }
+
     const existingSessionStart = Array.isArray(existing.SessionStart) ? existing.SessionStart : [];
     const marker = 'MANDATORY SECURITY GATE (Claude Code Session Policy)';
     const ours = getClaudeSessionStartHooks();
@@ -57,6 +68,6 @@ export function generate(cwd, envVars) {
     );
     existing.SessionStart = hasOurs ? existingSessionStart : [...existingSessionStart, ...ours];
 
-    writeJson(filePath, existing);
-    return filePath;
+    writeJson(settingsPath, existing);
+    return mcpPath;
 }

package/src/generators/mcp/claude.test.js

@@ -5,7 +5,7 @@ import { test } from 'node:test';
 import assert from 'node:assert/strict';
 import { generate } from './claude.js';
 
-test('Claude MCP generator writes mcp server and session hooks', () => {
+test('Claude MCP generator writes .mcp.json, enables the project MCP server, and adds session hooks', () => {
     const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-claude-mcp-'));
 
     generate(cwd, {
@@ -13,10 +13,12 @@ test('Claude MCP generator writes mcp server and session hooks', () => {
         apiToken: 'secret-token',
     });
 
-    const config = JSON.parse(readFileSync(join(cwd, '.claude', 'settings.json'), 'utf8'));
-    assert.equal(config.mcpServers['security-review-mcp'].command, 'npx');
-    assert.equal(Array.isArray(config.SessionStart), true);
-    assert.match(config.SessionStart[0].hooks[0].prompt, /MANDATORY SECURITY GATE/);
+    const mcpConfig = JSON.parse(readFileSync(join(cwd, '.mcp.json'), 'utf8'));
+    const settings = JSON.parse(readFileSync(join(cwd, '.claude', 'settings.json'), 'utf8'));
+    assert.equal(mcpConfig.mcpServers['security-review-mcp'].command, 'npx');
+    assert.deepEqual(settings.enabledMcpjsonServers, ['security-review-mcp']);
+    assert.equal(Array.isArray(settings.SessionStart), true);
+    assert.match(settings.SessionStart[0].hooks[0].prompt, /MANDATORY SECURITY GATE/);
 });
 
 test('Claude MCP generator preserves existing SessionStart hooks', () => {
@@ -50,4 +52,5 @@ test('Claude MCP generator preserves existing SessionStart hooks', () => {
     assert.equal(config.SessionStart.length, 2);
     assert.match(config.SessionStart[0].hooks[0].prompt, /Existing hook/);
     assert.match(config.SessionStart[1].hooks[0].prompt, /MANDATORY SECURITY GATE/);
+    assert.deepEqual(config.enabledMcpjsonServers, ['security-review-mcp']);
 });

package/src/generators/rules/claude.js

@@ -1,12 +1,14 @@
-import { existsSync } from 'node:fs';
+import { existsSync, unlinkSync } from 'node:fs';
 import { join } from 'node:path';
 import {
     CTM_SYNC_AGENT_REL_PATH,
     GUARDRAILS_PROFILER_SKILL_REL_DIR,
     GUARDRAILS_SELECTION_SKILL_REL_DIR,
+    SENTINEL_END,
+    SENTINEL_START,
     THREAT_MODELLING_SKILL_REL_DIR,
 } from '../../utils/constants.js';
-import { upsertSentinelBlock, writeText } from '../../utils/fs-helpers.js';
+import { readText, upsertSentinelBlock, writeText } from '../../utils/fs-helpers.js';
 import {
     getCtmSyncWorkflowContent,
     getGuardrailsInitProfileContent,
@@ -40,7 +42,7 @@ function getClaudeCtmSyncAgentContent(options = {}) {
 }
 
 /**
- * Generate Claude Code workspace rule — appends to CLAUDE.md
+ * Generate Claude Code workspace rule — appends to .claude/CLAUDE.md
  */
 export function generate(cwd, options = {}) {
     const optionsWithSkillDirs = {
@@ -49,10 +51,25 @@ export function generate(cwd, options = {}) {
         threatModellingSkillDir: THREAT_MODELLING_SKILL_REL_DIR.claude,
         ctmSyncAgentPath: CTM_SYNC_AGENT_REL_PATH.claude,
     };
-    const filePath = join(cwd, 'CLAUDE.md');
+    const legacyRootPath = join(cwd, 'CLAUDE.md');
+    const filePath = join(cwd, '.claude', 'CLAUDE.md');
     const content = getRuleContent(optionsWithSkillDirs);
     const action = upsertSentinelBlock(filePath, content);
 
+    const legacyContent = readText(legacyRootPath);
+    if (legacyContent.includes(SENTINEL_START) && legacyContent.includes(SENTINEL_END)) {
+        const startIdx = legacyContent.indexOf(SENTINEL_START);
+        const endIdx = legacyContent.indexOf(SENTINEL_END);
+        const before = legacyContent.substring(0, startIdx);
+        const after = legacyContent.substring(endIdx + SENTINEL_END.length);
+        const migrated = `${before}${after}`.trim();
+        if (migrated) {
+            writeText(legacyRootPath, migrated + '\n');
+        } else if (existsSync(legacyRootPath)) {
+            unlinkSync(legacyRootPath);
+        }
+    }
+
     const threatSkillPath = join(cwd, THREAT_MODELLING_SKILL_REL_DIR.claude, 'SKILL.md');
     const threatSkill = writeGeneratedText(
         threatSkillPath,

package/src/generators/rules/claude.test.js

@@ -1,17 +1,17 @@
-import { existsSync, mkdtempSync, readFileSync } from 'node:fs';
+import { existsSync, mkdtempSync, readFileSync, writeFileSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import { test } from 'node:test';
 import assert from 'node:assert/strict';
 import { generate } from './claude.js';
 
-test('Claude generator writes CLAUDE.md, threat skill, ctm_sync agent, and profiling command', () => {
+test('Claude generator writes .claude/CLAUDE.md, threat skill, ctm_sync agent, and profiling command', () => {
     const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-claude-'));
 
     const results = generate(cwd, { projectName: 'SmokeProject' });
 
     const expectedPaths = [
-        'CLAUDE.md',
+        '.claude/CLAUDE.md',
         '.claude/skills/threat-modelling/SKILL.md',
         '.claude/agents/ctm_sync.md',
         '.claude/commands/guardrails-init-profile.md',
@@ -23,7 +23,7 @@ test('Claude generator writes CLAUDE.md, threat skill, ctm_sync agent, and profi
 
     assert.deepEqual(results.map((entry) => entry.kind), ['rule', 'skill', 'agent', 'command']);
 
-    const instructions = readFileSync(join(cwd, 'CLAUDE.md'), 'utf8');
+    const instructions = readFileSync(join(cwd, '.claude/CLAUDE.md'), 'utf8');
     assert.match(instructions, /\.claude\/skills\/guardrails-selection\/SKILL\.md/);
     assert.match(instructions, /\.claude\/skills\/threat-modelling\/SKILL\.md/);
     assert.match(instructions, /\.claude\/agents\/ctm_sync\.md/);
@@ -37,3 +37,19 @@ test('Claude generator writes CLAUDE.md, threat skill, ctm_sync agent, and profi
     assert.match(agent, /model: inherit/);
     assert.match(agent, /Configured SRAI project name: `SmokeProject`/);
 });
+
+test('Claude generator migrates the kit-managed root CLAUDE.md block into .claude/CLAUDE.md', () => {
+    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-claude-migrate-'));
+    const legacyPath = join(cwd, 'CLAUDE.md');
+
+    writeFileSync(
+        legacyPath,
+        '<!-- securityreview-kit:start -->\nold managed block\n<!-- securityreview-kit:end -->\n',
+        'utf8',
+    );
+
+    generate(cwd, { projectName: 'SmokeProject' });
+
+    assert.equal(existsSync(join(cwd, '.claude/CLAUDE.md')), true);
+    assert.equal(existsSync(legacyPath), false);
+});

package/src/generators/rules/guardrails-init-profile.md

@@ -33,12 +33,14 @@ You can still sign in manually with `agent login` (or `cursor-agent login`). To
 
 ## Claude Code CLI (scripted)
 
-From the repo root, non-interactive runs should execute with the project settings file and the Haiku model for this profiling pass:
+From the repo root, non-interactive runs should execute with the project settings file, the project `.mcp.json` server config, explicit MCP-only loading, bypassed tool prompts for the profiling pass, and the Haiku model:
 
-`claude -p "<your profiling instructions>" --settings .claude/settings.json --model haiku`
+`claude -p "<your profiling instructions>" --settings .claude/settings.json --mcp-config "$(cat .mcp.json)" --strict-mcp-config --permission-mode bypassPermissions --model haiku`
 
 During `securityreview-kit init`, choose **Yes** when asked to run Claude Code login, or pass **`--profiler-claude-login`** with **`--profile-repo`** so `claude auth login` and profiling stay in one run.
 
+Claude profiling can also run with **Anthropic Console**, **ANTHROPIC_API_KEY**, an **Anthropic-compatible gateway** (`ANTHROPIC_BASE_URL` + `ANTHROPIC_AUTH_TOKEN`), or cloud-provider credentials such as **AWS Bedrock** and **Google Vertex AI**. `securityreview-kit init` can branch into those auth modes before profiling.
+
 ## GitHub Copilot CLI (scripted)
 
 From the repo root, non-interactive runs should load the SRAI MCP server and allow the tools needed to scan, write profile files, and call MCP:

package/src/utils/constants.js

@@ -17,8 +17,8 @@ export const TARGETS = {
     },
     claude: {
         name: 'Claude Code',
-        mcpConfigPath: '.claude/settings.json',
-        rulePath: 'CLAUDE.md',
+        mcpConfigPath: '.mcp.json',
+        rulePath: '.claude/CLAUDE.md',
         ruleMode: 'append',
         detectDirs: ['.claude'],
     },

package/src/utils/profiler-agent.js

@@ -15,8 +15,15 @@ export function getProfilerLogPath(cwd, target) {
     return join(cwd, '.guardrails', 'logs', `profiler-${target}.log`);
 }
 
-function buildProfilerEnv(target, streamProgress) {
+function buildProfilerEnv(target, streamProgress, extraEnv = {}) {
     const env = augmentPathEnv(process.env);
+    for (const [key, value] of Object.entries(extraEnv || {})) {
+        if (value == null || value === '') {
+            delete env[key];
+        } else {
+            env[key] = value;
+        }
+    }
     if (target === 'codex' && streamProgress && !env.RUST_LOG) {
         env.RUST_LOG = 'info';
     }
@@ -113,6 +120,34 @@ export function runCopilotLogin(cwd) {
  * Run Claude Code login in the current terminal.
  */
 export function runClaudeLogin(cwd) {
+    return runClaudeAuthLogin(cwd, { mode: 'claudeai' });
+}
+
+/**
+ * Run Claude Code auth login in the current terminal.
+ */
+export function runClaudeAuthLogin(cwd, options = {}) {
+    const env = augmentPathEnv(process.env);
+    if (!commandOk('claude', ['--version'], env)) {
+        return {
+            ok: false,
+            status: null,
+            message: 'Claude Code CLI not found (`claude`). Install from https://claude.ai/code.',
+        };
+    }
+    const mode = options.mode === 'console' ? '--console' : '--claudeai';
+    const r = spawnSync('claude', ['auth', 'login', mode], { cwd, stdio: 'inherit', env });
+    const spawnErr = r.error ? r.error.message : null;
+    if (r.status === null && spawnErr) {
+        return { ok: false, status: null, message: spawnErr };
+    }
+    return { ok: r.status === 0, status: r.status, message: r.status !== 0 ? spawnErr : undefined };
+}
+
+/**
+ * Run Claude Code long-lived token setup in the current terminal.
+ */
+export function runClaudeSetupToken(cwd) {
     const env = augmentPathEnv(process.env);
     if (!commandOk('claude', ['--version'], env)) {
         return {
@@ -121,7 +156,7 @@ export function runClaudeLogin(cwd) {
             message: 'Claude Code CLI not found (`claude`). Install from https://claude.ai/code.',
         };
     }
-    const r = spawnSync('claude', ['auth', 'login', '--claudeai'], { cwd, stdio: 'inherit', env });
+    const r = spawnSync('claude', ['setup-token'], { cwd, stdio: 'inherit', env });
     const spawnErr = r.error ? r.error.message : null;
     if (r.status === null && spawnErr) {
         return { ok: false, status: null, message: spawnErr };
@@ -178,6 +213,21 @@ export function buildCodexConfigOverrides(cwd, overrides = {}) {
     ];
 }
 
+export function buildClaudeAdditionalMcpConfig(cwd) {
+    const projectMcp = readJson(join(cwd, '.mcp.json'));
+    const sourceServer = projectMcp?.mcpServers?.[MCP_SERVER_NAME];
+
+    if (!sourceServer || typeof sourceServer !== 'object') {
+        return null;
+    }
+
+    return JSON.stringify({
+        mcpServers: {
+            [MCP_SERVER_NAME]: sourceServer,
+        },
+    });
+}
+
 export function pickProfilerAgentTarget(targets) {
     for (const t of PREFERRED_ORDER) {
         if (targets.includes(t)) {
@@ -205,13 +255,15 @@ export function runProfilerAgent(
         projectName,
         apiUrl,
         apiToken,
+        modelOverride,
+        extraEnv,
         cursorTrust = true,
         streamProgress = false,
         showOutput = streamProgress,
     },
 ) {
     const prompt = buildProfilerAgentPrompt(projectName, target);
-    const env = buildProfilerEnv(target, streamProgress);
+    const env = buildProfilerEnv(target, streamProgress, extraEnv);
     const opts = showOutput
         ? { cwd, stdio: 'inherit', env }
         : { cwd, stdio: ['ignore', 'pipe', 'pipe'], env, encoding: 'utf8', maxBuffer: 10 * 1024 * 1024 };
@@ -251,7 +303,26 @@ export function runProfilerAgent(
             return { ok: false, message: 'claude not on PATH' };
         }
         const settingsPath = join(cwd, '.claude', 'settings.json');
-        const args = ['-p', '--settings', settingsPath, '--model', 'haiku'];
+        const mcpConfig = buildClaudeAdditionalMcpConfig(cwd);
+        if (!mcpConfig) {
+            return {
+                ok: false,
+                message:
+                    'Claude profiling needs the SRAI MCP server in .mcp.json. Re-run init with MCP installation enabled.',
+            };
+        }
+        const args = [
+            '-p',
+            '--settings',
+            settingsPath,
+            '--mcp-config',
+            mcpConfig,
+            '--strict-mcp-config',
+            '--permission-mode',
+            'bypassPermissions',
+            '--model',
+            modelOverride || 'haiku',
+        ];
         if (streamProgress) {
             args.push('--output-format', 'stream-json', '--include-partial-messages', '--include-hook-events', '--verbose');
         }