@securityreviewai/securityreview-kit 0.1.40 → 0.1.41

package/README.md

@@ -28,7 +28,7 @@ npx @securityreviewai/securityreview-kit init --switch-project
 | Target | Flag | MCP Config | Workspace Rule |
 |---|---|---|---|
 | Cursor | `cursor` | `.cursor/mcp.json` | `.cursor/rules/srai-security-review.mdc`, `.cursor/rules/ctm_sync_rule.mdc`, `.cursor/commands/ctm_sync.md`, `.cursor/agents/ctm_sync.md`, `.cursor/commands/create-ide-workflow.md`, `.cursor/commands/srai-profile.md`, `.cursor/skills/threat-modelling/SKILL.md` |
-| Claude Code | `claude` | `.claude/settings.json` | `CLAUDE.md`, `.claude/skills/threat-modelling/SKILL.md`, `.claude/skills/guardrails-profiler/SKILL.md`, `.claude/skills/guardrails-selection/SKILL.md`, `.claude/agents/ctm_sync.md`, `.claude/commands/guardrails-init-profile.md` |
+| Claude Code | `claude` | `.mcp.json` | `.claude/CLAUDE.md`, `.claude/settings.json`, `.claude/skills/threat-modelling/SKILL.md`, `.claude/skills/guardrails-profiler/SKILL.md`, `.claude/skills/guardrails-selection/SKILL.md`, `.claude/agents/ctm_sync.md`, `.claude/commands/guardrails-init-profile.md` |
 | VS Code Copilot | `vscode` | `.vscode/mcp.json` | `.github/copilot-instructions.md`, `.github/skills/threat-modelling/SKILL.md`, `.github/skills/guardrails-profiler/SKILL.md`, `.github/skills/guardrails-selection/SKILL.md`, `.github/agents/ctm_sync.agent.md`, `.github/hooks/srai-session-policy.json` |
 | Windsurf | `windsurf` | `.windsurf/mcp_config.json` | `.windsurf/rules/srai-security-review.md` |
 | Codex | `codex` | `.codex/config.toml` | `.codex/AGENTS.md`, `.codex/skills/threat-modelling/SKILL.md`, `.codex/skills/guardrails-profiler/SKILL.md`, `.codex/skills/guardrails-selection/SKILL.md`, `.codex/agents/ctm_sync.toml`, `.codex/hooks.json`, `.codex/commands/guardrails-init-profile.md` |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@securityreviewai/securityreview-kit",
-  "version": "0.1.40",
+  "version": "0.1.41",
   "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
   "author": "Debarshi Das <debarshi.das@we45.com>",
   "license": "UNLICENSED",

package/src/commands/init.js

@@ -657,7 +657,7 @@ export async function initCommand(options) {
                 claudeProfilerAuth = await resolveClaudeProfilerAuth(options, interactive, cwd);
                 console.log(
                     chalk.dim(
-                        `  Claude Code: profiling uses \`.claude/settings.json\`, the configured MCP server, and \`${claudeProfilerAuth.model}\` for this run.`,
+                        `  Claude Code: profiling uses \`.mcp.json\`, \`.claude/settings.json\`, bypassed tool prompts for this profiling pass, and \`${claudeProfilerAuth.model}\` for this run.`,
                     ),
                 );
                 console.log(chalk.dim(`  Auth mode: ${claudeProfilerAuth.summary}.`));
@@ -819,7 +819,7 @@ export async function initCommand(options) {
                     );
                     console.log(
                         chalk.dim(
-                            '    • MCP missing: re-run init with Claude Code selected and MCP installation enabled so `.claude/settings.json` is written.',
+                            '    • MCP missing: re-run init with Claude Code selected and MCP installation enabled so `.mcp.json` is written and `.claude/settings.json` enables `security-review-mcp`.',
                         ),
                     );
                 } else if (agentTarget === 'codex') {

package/src/generators/mcp/claude.js

@@ -29,17 +29,17 @@ function getClaudeSessionStartHooks() {
 }
 
 /**
- * Generate Claude Code MCP config at .claude/settings.json
+ * Generate Claude Code project MCP config at .mcp.json and project settings at .claude/settings.json
  */
 export function generate(cwd, envVars) {
-    const filePath = join(cwd, '.claude', 'settings.json');
-    const existing = readJson(filePath) || {};
+    const mcpPath = join(cwd, '.mcp.json');
+    const mcpConfig = readJson(mcpPath) || {};
 
-    if (!existing.mcpServers) {
-        existing.mcpServers = {};
+    if (!mcpConfig.mcpServers) {
+        mcpConfig.mcpServers = {};
     }
 
-    existing.mcpServers[MCP_SERVER_NAME] = {
+    mcpConfig.mcpServers[MCP_SERVER_NAME] = {
         command: 'npx',
         args: ['-y', `${MCP_SERVER_PACKAGE}@latest`],
         env: {
@@ -48,6 +48,17 @@ export function generate(cwd, envVars) {
         },
     };
 
+    writeJson(mcpPath, mcpConfig);
+
+    const settingsPath = join(cwd, '.claude', 'settings.json');
+    const existing = readJson(settingsPath) || {};
+    const enabledServers = Array.isArray(existing.enabledMcpjsonServers)
+        ? existing.enabledMcpjsonServers.filter((name) => typeof name === 'string' && name.trim())
+        : [];
+    if (!enabledServers.includes(MCP_SERVER_NAME)) {
+        existing.enabledMcpjsonServers = [...enabledServers, MCP_SERVER_NAME];
+    }
+
     const existingSessionStart = Array.isArray(existing.SessionStart) ? existing.SessionStart : [];
     const marker = 'MANDATORY SECURITY GATE (Claude Code Session Policy)';
     const ours = getClaudeSessionStartHooks();
@@ -57,6 +68,6 @@ export function generate(cwd, envVars) {
     );
     existing.SessionStart = hasOurs ? existingSessionStart : [...existingSessionStart, ...ours];
 
-    writeJson(filePath, existing);
-    return filePath;
+    writeJson(settingsPath, existing);
+    return mcpPath;
 }

package/src/generators/mcp/claude.test.js

@@ -5,7 +5,7 @@ import { test } from 'node:test';
 import assert from 'node:assert/strict';
 import { generate } from './claude.js';
 
-test('Claude MCP generator writes mcp server and session hooks', () => {
+test('Claude MCP generator writes .mcp.json, enables the project MCP server, and adds session hooks', () => {
     const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-claude-mcp-'));
 
     generate(cwd, {
@@ -13,10 +13,12 @@ test('Claude MCP generator writes mcp server and session hooks', () => {
         apiToken: 'secret-token',
     });
 
-    const config = JSON.parse(readFileSync(join(cwd, '.claude', 'settings.json'), 'utf8'));
-    assert.equal(config.mcpServers['security-review-mcp'].command, 'npx');
-    assert.equal(Array.isArray(config.SessionStart), true);
-    assert.match(config.SessionStart[0].hooks[0].prompt, /MANDATORY SECURITY GATE/);
+    const mcpConfig = JSON.parse(readFileSync(join(cwd, '.mcp.json'), 'utf8'));
+    const settings = JSON.parse(readFileSync(join(cwd, '.claude', 'settings.json'), 'utf8'));
+    assert.equal(mcpConfig.mcpServers['security-review-mcp'].command, 'npx');
+    assert.deepEqual(settings.enabledMcpjsonServers, ['security-review-mcp']);
+    assert.equal(Array.isArray(settings.SessionStart), true);
+    assert.match(settings.SessionStart[0].hooks[0].prompt, /MANDATORY SECURITY GATE/);
 });
 
 test('Claude MCP generator preserves existing SessionStart hooks', () => {
@@ -50,4 +52,5 @@ test('Claude MCP generator preserves existing SessionStart hooks', () => {
     assert.equal(config.SessionStart.length, 2);
     assert.match(config.SessionStart[0].hooks[0].prompt, /Existing hook/);
     assert.match(config.SessionStart[1].hooks[0].prompt, /MANDATORY SECURITY GATE/);
+    assert.deepEqual(config.enabledMcpjsonServers, ['security-review-mcp']);
 });

package/src/generators/rules/claude.js

@@ -1,12 +1,14 @@
-import { existsSync } from 'node:fs';
+import { existsSync, unlinkSync } from 'node:fs';
 import { join } from 'node:path';
 import {
     CTM_SYNC_AGENT_REL_PATH,
     GUARDRAILS_PROFILER_SKILL_REL_DIR,
     GUARDRAILS_SELECTION_SKILL_REL_DIR,
+    SENTINEL_END,
+    SENTINEL_START,
     THREAT_MODELLING_SKILL_REL_DIR,
 } from '../../utils/constants.js';
-import { upsertSentinelBlock, writeText } from '../../utils/fs-helpers.js';
+import { readText, upsertSentinelBlock, writeText } from '../../utils/fs-helpers.js';
 import {
     getCtmSyncWorkflowContent,
     getGuardrailsInitProfileContent,
@@ -40,7 +42,7 @@ function getClaudeCtmSyncAgentContent(options = {}) {
 }
 
 /**
- * Generate Claude Code workspace rule — appends to CLAUDE.md
+ * Generate Claude Code workspace rule — appends to .claude/CLAUDE.md
  */
 export function generate(cwd, options = {}) {
     const optionsWithSkillDirs = {
@@ -49,10 +51,25 @@ export function generate(cwd, options = {}) {
         threatModellingSkillDir: THREAT_MODELLING_SKILL_REL_DIR.claude,
         ctmSyncAgentPath: CTM_SYNC_AGENT_REL_PATH.claude,
     };
-    const filePath = join(cwd, 'CLAUDE.md');
+    const legacyRootPath = join(cwd, 'CLAUDE.md');
+    const filePath = join(cwd, '.claude', 'CLAUDE.md');
     const content = getRuleContent(optionsWithSkillDirs);
     const action = upsertSentinelBlock(filePath, content);
 
+    const legacyContent = readText(legacyRootPath);
+    if (legacyContent.includes(SENTINEL_START) && legacyContent.includes(SENTINEL_END)) {
+        const startIdx = legacyContent.indexOf(SENTINEL_START);
+        const endIdx = legacyContent.indexOf(SENTINEL_END);
+        const before = legacyContent.substring(0, startIdx);
+        const after = legacyContent.substring(endIdx + SENTINEL_END.length);
+        const migrated = `${before}${after}`.trim();
+        if (migrated) {
+            writeText(legacyRootPath, migrated + '\n');
+        } else if (existsSync(legacyRootPath)) {
+            unlinkSync(legacyRootPath);
+        }
+    }
+
     const threatSkillPath = join(cwd, THREAT_MODELLING_SKILL_REL_DIR.claude, 'SKILL.md');
     const threatSkill = writeGeneratedText(
         threatSkillPath,

package/src/generators/rules/claude.test.js

@@ -1,17 +1,17 @@
-import { existsSync, mkdtempSync, readFileSync } from 'node:fs';
+import { existsSync, mkdtempSync, readFileSync, writeFileSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import { test } from 'node:test';
 import assert from 'node:assert/strict';
 import { generate } from './claude.js';
 
-test('Claude generator writes CLAUDE.md, threat skill, ctm_sync agent, and profiling command', () => {
+test('Claude generator writes .claude/CLAUDE.md, threat skill, ctm_sync agent, and profiling command', () => {
     const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-claude-'));
 
     const results = generate(cwd, { projectName: 'SmokeProject' });
 
     const expectedPaths = [
-        'CLAUDE.md',
+        '.claude/CLAUDE.md',
         '.claude/skills/threat-modelling/SKILL.md',
         '.claude/agents/ctm_sync.md',
         '.claude/commands/guardrails-init-profile.md',
@@ -23,7 +23,7 @@ test('Claude generator writes CLAUDE.md, threat skill, ctm_sync agent, and profi
 
     assert.deepEqual(results.map((entry) => entry.kind), ['rule', 'skill', 'agent', 'command']);
 
-    const instructions = readFileSync(join(cwd, 'CLAUDE.md'), 'utf8');
+    const instructions = readFileSync(join(cwd, '.claude/CLAUDE.md'), 'utf8');
     assert.match(instructions, /\.claude\/skills\/guardrails-selection\/SKILL\.md/);
     assert.match(instructions, /\.claude\/skills\/threat-modelling\/SKILL\.md/);
     assert.match(instructions, /\.claude\/agents\/ctm_sync\.md/);
@@ -37,3 +37,19 @@ test('Claude generator writes CLAUDE.md, threat skill, ctm_sync agent, and profi
     assert.match(agent, /model: inherit/);
     assert.match(agent, /Configured SRAI project name: `SmokeProject`/);
 });
+
+test('Claude generator migrates the kit-managed root CLAUDE.md block into .claude/CLAUDE.md', () => {
+    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-claude-migrate-'));
+    const legacyPath = join(cwd, 'CLAUDE.md');
+
+    writeFileSync(
+        legacyPath,
+        '<!-- securityreview-kit:start -->\nold managed block\n<!-- securityreview-kit:end -->\n',
+        'utf8',
+    );
+
+    generate(cwd, { projectName: 'SmokeProject' });
+
+    assert.equal(existsSync(join(cwd, '.claude/CLAUDE.md')), true);
+    assert.equal(existsSync(legacyPath), false);
+});

package/src/generators/rules/guardrails-init-profile.md

@@ -33,9 +33,9 @@ You can still sign in manually with `agent login` (or `cursor-agent login`). To
 
 ## Claude Code CLI (scripted)
 
-From the repo root, non-interactive runs should execute with the project settings file and the Haiku model for this profiling pass:
+From the repo root, non-interactive runs should execute with the project settings file, the project `.mcp.json` server config, explicit MCP-only loading, bypassed tool prompts for the profiling pass, and the Haiku model:
 
-`claude -p "<your profiling instructions>" --settings .claude/settings.json --model haiku`
+`claude -p "<your profiling instructions>" --settings .claude/settings.json --mcp-config "$(cat .mcp.json)" --strict-mcp-config --permission-mode bypassPermissions --model haiku`
 
 During `securityreview-kit init`, choose **Yes** when asked to run Claude Code login, or pass **`--profiler-claude-login`** with **`--profile-repo`** so `claude auth login` and profiling stay in one run.
 

package/src/utils/constants.js

@@ -17,8 +17,8 @@ export const TARGETS = {
     },
     claude: {
         name: 'Claude Code',
-        mcpConfigPath: '.claude/settings.json',
-        rulePath: 'CLAUDE.md',
+        mcpConfigPath: '.mcp.json',
+        rulePath: '.claude/CLAUDE.md',
         ruleMode: 'append',
         detectDirs: ['.claude'],
     },

package/src/utils/profiler-agent.js

@@ -213,6 +213,21 @@ export function buildCodexConfigOverrides(cwd, overrides = {}) {
     ];
 }
 
+export function buildClaudeAdditionalMcpConfig(cwd) {
+    const projectMcp = readJson(join(cwd, '.mcp.json'));
+    const sourceServer = projectMcp?.mcpServers?.[MCP_SERVER_NAME];
+
+    if (!sourceServer || typeof sourceServer !== 'object') {
+        return null;
+    }
+
+    return JSON.stringify({
+        mcpServers: {
+            [MCP_SERVER_NAME]: sourceServer,
+        },
+    });
+}
+
 export function pickProfilerAgentTarget(targets) {
     for (const t of PREFERRED_ORDER) {
         if (targets.includes(t)) {
@@ -288,7 +303,26 @@ export function runProfilerAgent(
             return { ok: false, message: 'claude not on PATH' };
         }
         const settingsPath = join(cwd, '.claude', 'settings.json');
-        const args = ['-p', '--settings', settingsPath, '--model', modelOverride || 'haiku'];
+        const mcpConfig = buildClaudeAdditionalMcpConfig(cwd);
+        if (!mcpConfig) {
+            return {
+                ok: false,
+                message:
+                    'Claude profiling needs the SRAI MCP server in .mcp.json. Re-run init with MCP installation enabled.',
+            };
+        }
+        const args = [
+            '-p',
+            '--settings',
+            settingsPath,
+            '--mcp-config',
+            mcpConfig,
+            '--strict-mcp-config',
+            '--permission-mode',
+            'bypassPermissions',
+            '--model',
+            modelOverride || 'haiku',
+        ];
         if (streamProgress) {
             args.push('--output-format', 'stream-json', '--include-partial-messages', '--include-hook-events', '--verbose');
         }