@securityreviewai/securityreview-kit 0.1.42 → 0.1.44

package/README.md

@@ -27,11 +27,11 @@ npx @securityreviewai/securityreview-kit init --switch-project
 
 | Target | Flag | MCP Config | Workspace Rule |
 |---|---|---|---|
-| Cursor | `cursor` | `.cursor/mcp.json` | `.cursor/rules/srai-security-review.mdc`, `.cursor/rules/ctm_sync_rule.mdc`, `.cursor/commands/ctm_sync.md`, `.cursor/agents/ctm_sync.md`, `.cursor/commands/create-ide-workflow.md`, `.cursor/commands/srai-profile.md`, `.cursor/skills/threat-modelling/SKILL.md` |
-| Claude Code | `claude` | `.mcp.json` | `.claude/CLAUDE.md`, `.claude/settings.json`, `.claude/skills/threat-modelling/SKILL.md`, `.claude/skills/guardrails-profiler/SKILL.md`, `.claude/skills/guardrails-selection/SKILL.md`, `.claude/agents/ctm_sync.md`, `.claude/commands/guardrails-init-profile.md` |
-| VS Code Copilot | `vscode` | `.vscode/mcp.json` | `.github/copilot-instructions.md`, `.github/skills/threat-modelling/SKILL.md`, `.github/skills/guardrails-profiler/SKILL.md`, `.github/skills/guardrails-selection/SKILL.md`, `.github/agents/ctm_sync.agent.md`, `.github/hooks/srai-session-policy.json` |
+| Cursor | `cursor` | `.cursor/mcp.json` | `.cursor/rules/srai-security-review.mdc`, `.cursor/rules/guardrails_rule.mdc`, `.cursor/commands/srai-profile.md`, `.cursor/commands/guardrails-init-profile.md`, `.cursor/skills/threat-modelling/SKILL.md`, `.cursor/skills/vibereview-sync/SKILL.md`, `.cursor/hooks.json` |
+| Claude Code | `claude` | `.mcp.json` | `.claude/CLAUDE.md`, `.claude/settings.json`, `.claude/skills/threat-modelling/SKILL.md`, `.claude/skills/vibereview-sync/SKILL.md`, `.claude/skills/guardrails-profiler/SKILL.md`, `.claude/skills/guardrails-selection/SKILL.md`, `.claude/commands/guardrails-init-profile.md` |
+| VS Code Copilot | `vscode` | `.vscode/mcp.json` | `.github/copilot-instructions.md`, `.github/skills/threat-modelling/SKILL.md`, `.github/skills/vibereview-sync/SKILL.md`, `.github/skills/guardrails-profiler/SKILL.md`, `.github/skills/guardrails-selection/SKILL.md`, `.github/hooks/srai-session-policy.json` |
 | Windsurf | `windsurf` | `.windsurf/mcp_config.json` | `.windsurf/rules/srai-security-review.md` |
-| Codex | `codex` | `.codex/config.toml` | `.codex/AGENTS.md`, `.codex/skills/threat-modelling/SKILL.md`, `.codex/skills/guardrails-profiler/SKILL.md`, `.codex/skills/guardrails-selection/SKILL.md`, `.codex/agents/ctm_sync.toml`, `.codex/hooks.json`, `.codex/commands/guardrails-init-profile.md` |
+| Codex | `codex` | `.codex/config.toml` | `.codex/AGENTS.md`, `.codex/skills/threat-modelling/SKILL.md`, `.codex/skills/vibereview-sync/SKILL.md`, `.codex/skills/guardrails-profiler/SKILL.md`, `.codex/skills/guardrails-selection/SKILL.md`, `.codex/hooks.json`, `.codex/commands/guardrails-init-profile.md` |
 | Gemini CLI | `gemini` | `.gemini/settings.json` | `GEMINI.md` |
 | Antigravity | `antigravity` | `.gemini/settings.json` | `.agents/rules/srai-security-review.md` |
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@securityreviewai/securityreview-kit",
-  "version": "0.1.42",
+  "version": "0.1.44",
   "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
   "author": "Debarshi Das <debarshi.das@we45.com>",
   "license": "UNLICENSED",

package/src/generators/mcp/claude.js

@@ -10,9 +10,9 @@ function getClaudeSessionStartHooks() {
         '1. Fetch Vibe Guardrails first using .claude/skills/guardrails-selection/SKILL.md.',
         '2. Run PWNISMS threat modelling using .claude/skills/threat-modelling/SKILL.md.',
         '3. Implement secure code using the hydrated guardrails and threat findings.',
-        '4. Invoke the ctm_sync agent using .claude/agents/ctm_sync.md after implementation or threat-model updates. The agent should write a structured .md sync artifact and upload it with sync_ai_ide_markdown.',
+        '4. Read .claude/skills/vibereview-sync/SKILL.md. Write a structured .md artifact under vibereview/, do not read sibling markdown files there just to infer format, validate it, and call sync_ai_ide_markdown directly after implementation or threat-model updates.',
         '',
-        'Do not use project-profile exploration tools during normal coding tasks. No blocking and no deferral: guardrails first, PWNISMS second, implementation third, ctm_sync last.',
+        'Do not use project-profile exploration tools during normal coding tasks. No blocking and no deferral: guardrails first, PWNISMS second, implementation third, VibeReview sync last.',
     ].join('\n');
 
     return [

package/src/generators/mcp/claude.test.js

@@ -19,6 +19,9 @@ test('Claude MCP generator writes .mcp.json, enables the project MCP server, and
     assert.deepEqual(settings.enabledMcpjsonServers, ['security-review-mcp']);
     assert.equal(Array.isArray(settings.SessionStart), true);
     assert.match(settings.SessionStart[0].hooks[0].prompt, /MANDATORY SECURITY GATE/);
+    assert.match(settings.SessionStart[0].hooks[0].prompt, /vibereview\//);
+    assert.match(settings.SessionStart[0].hooks[0].prompt, /sync_ai_ide_markdown/);
+    assert.match(settings.SessionStart[0].hooks[0].prompt, /vibereview-sync\/SKILL\.md/);
 });
 
 test('Claude MCP generator preserves existing SessionStart hooks', () => {

package/src/generators/rules/claude.js

@@ -1,19 +1,19 @@
 import { existsSync, unlinkSync } from 'node:fs';
 import { join } from 'node:path';
 import {
-    CTM_SYNC_AGENT_REL_PATH,
     GUARDRAILS_PROFILER_SKILL_REL_DIR,
     GUARDRAILS_SELECTION_SKILL_REL_DIR,
     SENTINEL_END,
     SENTINEL_START,
     THREAT_MODELLING_SKILL_REL_DIR,
+    VIBEREVIEW_SYNC_SKILL_REL_DIR,
 } from '../../utils/constants.js';
 import { readText, upsertSentinelBlock, writeText } from '../../utils/fs-helpers.js';
 import {
-    getCtmSyncWorkflowContent,
     getGuardrailsInitProfileContent,
     getRuleContent,
     getThreatModellingSkillContent,
+    getVibeReviewSyncSkillContent,
 } from './content.js';
 
 function writeGeneratedText(filePath, content) {
@@ -22,25 +22,6 @@ function writeGeneratedText(filePath, content) {
     return { filePath, action };
 }
 
-function getAgentBody(content) {
-    return content.replace(/^---\n[\s\S]*?\n---\n*/, '').trim();
-}
-
-function getClaudeCtmSyncAgentContent(options = {}) {
-    const body = getAgentBody(getCtmSyncWorkflowContent(options));
-    return [
-        '---',
-        'name: ctm_sync',
-        'description: Use this agent after security-relevant implementation or threat modelling work to synchronize the latest threat model, mitigations, and guardrails to SRAI.',
-        'model: inherit',
-        'color: blue',
-        '---',
-        '',
-        body,
-        '',
-    ].join('\n');
-}
-
 /**
  * Generate Claude Code workspace rule — appends to .claude/CLAUDE.md
  */
@@ -49,7 +30,7 @@ export function generate(cwd, options = {}) {
         ...options,
         guardrailsSelectionSkillDir: GUARDRAILS_SELECTION_SKILL_REL_DIR.claude,
         threatModellingSkillDir: THREAT_MODELLING_SKILL_REL_DIR.claude,
-        ctmSyncAgentPath: CTM_SYNC_AGENT_REL_PATH.claude,
+        vibereviewSyncSkillDir: VIBEREVIEW_SYNC_SKILL_REL_DIR.claude,
     };
     const legacyRootPath = join(cwd, 'CLAUDE.md');
     const filePath = join(cwd, '.claude', 'CLAUDE.md');
@@ -76,12 +57,17 @@ export function generate(cwd, options = {}) {
         getThreatModellingSkillContent(optionsWithSkillDirs),
     );
 
-    const ctmSyncAgentPath = join(cwd, CTM_SYNC_AGENT_REL_PATH.claude);
-    const ctmSyncAgent = writeGeneratedText(
-        ctmSyncAgentPath,
-        getClaudeCtmSyncAgentContent(optionsWithSkillDirs),
+    const vibereviewSyncSkillPath = join(cwd, VIBEREVIEW_SYNC_SKILL_REL_DIR.claude, 'SKILL.md');
+    const vibereviewSyncSkill = writeGeneratedText(
+        vibereviewSyncSkillPath,
+        getVibeReviewSyncSkillContent(optionsWithSkillDirs),
     );
 
+    const deletedLegacyAgentPath = join(cwd, '.claude', 'agents', 'ctm_sync.md');
+    const deletedLegacyAgent = existsSync(deletedLegacyAgentPath)
+        ? (unlinkSync(deletedLegacyAgentPath), { filePath: deletedLegacyAgentPath, action: 'deleted' })
+        : null;
+
     const guardrailsInitPath = join(cwd, '.claude', 'commands', 'guardrails-init-profile.md');
     const guardrailsInit = writeGeneratedText(
         guardrailsInitPath,
@@ -94,7 +80,8 @@ export function generate(cwd, options = {}) {
     return [
         { filePath, action, kind: 'rule' },
         { ...threatSkill, kind: 'skill' },
-        { ...ctmSyncAgent, kind: 'agent' },
+        { ...vibereviewSyncSkill, kind: 'skill' },
         { ...guardrailsInit, kind: 'command' },
+        ...(deletedLegacyAgent ? [{ ...deletedLegacyAgent, kind: 'cleanup' }] : []),
     ];
 }

package/src/generators/rules/claude.test.js

@@ -5,7 +5,7 @@ import { test } from 'node:test';
 import assert from 'node:assert/strict';
 import { generate } from './claude.js';
 
-test('Claude generator writes .claude/CLAUDE.md, threat skill, ctm_sync agent, and profiling command', () => {
+test('Claude generator writes .claude/CLAUDE.md, threat skill, and profiling command', () => {
     const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-claude-'));
 
     const results = generate(cwd, { projectName: 'SmokeProject' });
@@ -13,7 +13,7 @@ test('Claude generator writes .claude/CLAUDE.md, threat skill, ctm_sync agent, a
     const expectedPaths = [
         '.claude/CLAUDE.md',
         '.claude/skills/threat-modelling/SKILL.md',
-        '.claude/agents/ctm_sync.md',
+        '.claude/skills/vibereview-sync/SKILL.md',
         '.claude/commands/guardrails-init-profile.md',
     ];
 
@@ -21,27 +21,24 @@ test('Claude generator writes .claude/CLAUDE.md, threat skill, ctm_sync agent, a
         assert.equal(existsSync(join(cwd, relPath)), true, `${relPath} should exist`);
     }
 
-    assert.deepEqual(results.map((entry) => entry.kind), ['rule', 'skill', 'agent', 'command']);
+    assert.deepEqual(results.map((entry) => entry.kind), ['rule', 'skill', 'skill', 'command']);
 
     const instructions = readFileSync(join(cwd, '.claude/CLAUDE.md'), 'utf8');
     assert.match(instructions, /\.claude\/skills\/guardrails-selection\/SKILL\.md/);
     assert.match(instructions, /\.claude\/skills\/threat-modelling\/SKILL\.md/);
-    assert.match(instructions, /\.claude\/agents\/ctm_sync\.md/);
+    assert.match(instructions, /\.claude\/skills\/vibereview-sync\/SKILL\.md/);
+    assert.match(instructions, /sync_ai_ide_markdown/);
+    assert.match(instructions, /vibereview\//);
 
     const threatSkill = readFileSync(join(cwd, '.claude/skills/threat-modelling/SKILL.md'), 'utf8');
-    assert.match(threatSkill, /\.claude\/agents\/ctm_sync\.md/);
+    assert.match(threatSkill, /sync_ai_ide_markdown/);
+    assert.match(threatSkill, /vibereview\//);
     assert.doesNotMatch(threatSkill, /get_project_profile_description/);
 
-    const agent = readFileSync(join(cwd, '.claude/agents/ctm_sync.md'), 'utf8');
-    assert.match(agent, /^---\nname: ctm_sync/m);
-    assert.match(agent, /model: inherit/);
-    assert.match(agent, /Configured SRAI project name: `SmokeProject`/);
-    assert.match(agent, /sync_ai_ide_markdown/);
-    assert.match(agent, /structured markdown artifact/i);
-    assert.match(agent, /chat_session_id/);
-    assert.match(agent, /Guardrails Applied/);
-    assert.match(agent, /vibereview\//);
-    assert.doesNotMatch(agent, /Call `create_ai_ide_event` with/i);
+    const vibereviewSkill = readFileSync(join(cwd, '.claude/skills/vibereview-sync/SKILL.md'), 'utf8');
+    assert.match(vibereviewSkill, /Do not read other/i);
+    assert.match(vibereviewSkill, /sync_ai_ide_markdown/);
+    assert.match(vibereviewSkill, /Event Identity/);
 });
 
 test('Claude generator migrates the kit-managed root CLAUDE.md block into .claude/CLAUDE.md', () => {

package/src/generators/rules/codex.js

@@ -1,17 +1,17 @@
-import { existsSync } from 'node:fs';
+import { existsSync, unlinkSync } from 'node:fs';
 import { join } from 'node:path';
 import {
-    CTM_SYNC_AGENT_REL_PATH,
     GUARDRAILS_PROFILER_SKILL_REL_DIR,
     GUARDRAILS_SELECTION_SKILL_REL_DIR,
     THREAT_MODELLING_SKILL_REL_DIR,
+    VIBEREVIEW_SYNC_SKILL_REL_DIR,
 } from '../../utils/constants.js';
 import { upsertSentinelBlock, writeText } from '../../utils/fs-helpers.js';
 import {
-    getCtmSyncWorkflowContent,
     getGuardrailsInitProfileContent,
     getRuleContent,
     getThreatModellingSkillContent,
+    getVibeReviewSyncSkillContent,
 } from './content.js';
 
 function writeGeneratedText(filePath, content) {
@@ -20,6 +20,14 @@ function writeGeneratedText(filePath, content) {
     return { filePath, action };
 }
 
+function removeGeneratedText(filePath) {
+    if (existsSync(filePath)) {
+        unlinkSync(filePath);
+        return { filePath, action: 'deleted' };
+    }
+    return null;
+}
+
 function getCodexSessionHookContent() {
     const additionalContext = [
         '## MANDATORY SECURITY GATE (Session Policy)',
@@ -29,9 +37,9 @@ function getCodexSessionHookContent() {
         '1. Fetch Vibe Guardrails first using .codex/skills/guardrails-selection/SKILL.md. Resolve the project, call get_guardrails, shortlist relevant guardrails, then call get_guardrail_by_id for the shortlist.',
         '2. Run PWNISMS threat modelling using .codex/skills/threat-modelling/SKILL.md. Explicitly walk Product, Workload, Network, IAM, Secrets, Monitoring, and Supply Chain.',
         '3. Implement secure code using both the hydrated guardrails and PWNISMS findings.',
-        '4. Invoke the ctm_sync subagent using .codex/agents/ctm_sync.toml after threat modelling or guardrail enforcement. Reuse the exact guardrail shortlist; do not re-query guardrails during CTM sync. The subagent should write a structured .md sync artifact and upload it with sync_ai_ide_markdown.',
+        '4. Read .codex/skills/vibereview-sync/SKILL.md. Write a structured .md artifact under vibereview/, do not read sibling markdown files there just to infer format, validate it, and call sync_ai_ide_markdown directly after threat modelling or guardrail enforcement. Reuse the exact guardrail shortlist; do not re-query guardrails during the final sync.',
         '',
-        'Do not use project-profile exploration tools during normal coding tasks. No blocking and no deferral: guardrails first, PWNISMS second, implementation third, ctm_sync last.',
+        'Do not use project-profile exploration tools during normal coding tasks. No blocking and no deferral: guardrails first, PWNISMS second, implementation third, VibeReview sync last.',
     ].join('\n');
 
     const sessionStartPayload = JSON.stringify({
@@ -82,22 +90,6 @@ function getCodexSessionHookContent() {
     ) + '\n';
 }
 
-function getAgentBody(content) {
-    return content.replace(/^---\n[\s\S]*?\n---\n*/, '').trim();
-}
-
-function getCodexCtmSyncAgentContent(options = {}) {
-    const developerInstructions = getAgentBody(getCtmSyncWorkflowContent(options));
-    return [
-        'name = "ctm_sync"',
-        'description = "Synchronize threat-model and guardrail data to SRAI after security-relevant work."',
-        "developer_instructions = '''",
-        developerInstructions,
-        "'''",
-        '',
-    ].join('\n');
-}
-
 /**
  * Generate Codex workspace rule — appends to AGENTS.md
  */
@@ -106,7 +98,7 @@ export function generate(cwd, options = {}) {
         ...options,
         guardrailsSelectionSkillDir: GUARDRAILS_SELECTION_SKILL_REL_DIR.codex,
         threatModellingSkillDir: THREAT_MODELLING_SKILL_REL_DIR.codex,
-        ctmSyncAgentPath: CTM_SYNC_AGENT_REL_PATH.codex,
+        vibereviewSyncSkillDir: VIBEREVIEW_SYNC_SKILL_REL_DIR.codex,
     };
     const filePath = join(cwd, '.codex', 'AGENTS.md');
     const content = getRuleContent(optionsWithSkillDirs);
@@ -118,12 +110,14 @@ export function generate(cwd, options = {}) {
         getThreatModellingSkillContent(optionsWithSkillDirs),
     );
 
-    const ctmSyncAgentPath = join(cwd, CTM_SYNC_AGENT_REL_PATH.codex);
-    const ctmSyncAgent = writeGeneratedText(
-        ctmSyncAgentPath,
-        getCodexCtmSyncAgentContent(optionsWithSkillDirs),
+    const vibereviewSyncSkillPath = join(cwd, VIBEREVIEW_SYNC_SKILL_REL_DIR.codex, 'SKILL.md');
+    const vibereviewSyncSkill = writeGeneratedText(
+        vibereviewSyncSkillPath,
+        getVibeReviewSyncSkillContent(optionsWithSkillDirs),
     );
 
+    const deletedLegacyAgent = removeGeneratedText(join(cwd, '.codex', 'agents', 'ctm_sync.toml'));
+
     const hooksPath = join(cwd, '.codex', 'hooks.json');
     const hooks = writeGeneratedText(hooksPath, getCodexSessionHookContent());
 
@@ -139,8 +133,9 @@ export function generate(cwd, options = {}) {
     return [
         { filePath, action, kind: 'rule' },
         { ...threatSkill, kind: 'skill' },
-        { ...ctmSyncAgent, kind: 'agent' },
+        { ...vibereviewSyncSkill, kind: 'skill' },
         { ...hooks, kind: 'hooks' },
         { ...guardrailsInit, kind: 'command' },
+        ...(deletedLegacyAgent ? [{ ...deletedLegacyAgent, kind: 'cleanup' }] : []),
     ];
 }

package/src/generators/rules/codex.test.js

@@ -5,7 +5,7 @@ import { test } from 'node:test';
 import assert from 'node:assert/strict';
 import { generate } from './codex.js';
 
-test('Codex generator writes AGENTS, skills, subagent, hooks, and profiling command', () => {
+test('Codex generator writes AGENTS, skills, hooks, and profiling command', () => {
     const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-codex-'));
 
     const results = generate(cwd, { projectName: 'SmokeProject' });
@@ -13,7 +13,7 @@ test('Codex generator writes AGENTS, skills, subagent, hooks, and profiling comm
     const expectedPaths = [
         '.codex/AGENTS.md',
         '.codex/skills/threat-modelling/SKILL.md',
-        '.codex/agents/ctm_sync.toml',
+        '.codex/skills/vibereview-sync/SKILL.md',
         '.codex/hooks.json',
         '.codex/commands/guardrails-init-profile.md',
     ];
@@ -22,12 +22,14 @@ test('Codex generator writes AGENTS, skills, subagent, hooks, and profiling comm
         assert.equal(existsSync(join(cwd, relPath)), true, `${relPath} should exist`);
     }
 
-    assert.deepEqual(results.map((entry) => entry.kind), ['rule', 'skill', 'agent', 'hooks', 'command']);
+    assert.deepEqual(results.map((entry) => entry.kind), ['rule', 'skill', 'skill', 'hooks', 'command']);
 
     const instructions = readFileSync(join(cwd, '.codex/AGENTS.md'), 'utf8');
     assert.match(instructions, /\.codex\/skills\/guardrails-selection\/SKILL\.md/);
     assert.match(instructions, /\.codex\/skills\/threat-modelling\/SKILL\.md/);
-    assert.match(instructions, /\.codex\/agents\/ctm_sync\.toml/);
+    assert.match(instructions, /\.codex\/skills\/vibereview-sync\/SKILL\.md/);
+    assert.match(instructions, /sync_ai_ide_markdown/);
+    assert.match(instructions, /vibereview\//);
     assert.doesNotMatch(instructions, /\.cursor/);
     assert.doesNotMatch(instructions, /\.agents\/skills/);
 
@@ -35,22 +37,21 @@ test('Codex generator writes AGENTS, skills, subagent, hooks, and profiling comm
     for (const heading of ['Product', 'Workload', 'Network', 'IAM', 'Secrets', 'Monitoring', 'Supply Chain']) {
         assert.match(threatSkill, new RegExp(heading));
     }
-    assert.match(threatSkill, /\.codex\/agents\/ctm_sync\.toml/);
+    assert.match(threatSkill, /sync_ai_ide_markdown/);
+    assert.match(threatSkill, /vibereview\//);
     assert.doesNotMatch(threatSkill, /get_project_profile_description/);
 
-    const agent = readFileSync(join(cwd, '.codex/agents/ctm_sync.toml'), 'utf8');
-    assert.match(agent, /name = "ctm_sync"/);
-    assert.match(agent, /developer_instructions = '''/);
-    assert.match(agent, /Configured SRAI project name: `SmokeProject`/);
-    assert.match(agent, /sync_ai_ide_markdown/);
-    assert.match(agent, /structured markdown artifact/i);
-    assert.match(agent, /chat_session_id/);
-    assert.match(agent, /Best Practices Achieved/);
-    assert.match(agent, /vibereview\//);
-    assert.doesNotMatch(agent, /Call `create_ai_ide_event` with/i);
+    const vibereviewSkill = readFileSync(join(cwd, '.codex/skills/vibereview-sync/SKILL.md'), 'utf8');
+    assert.match(vibereviewSkill, /do not read other `?\.md`? files in `?vibereview\/`?/i);
+    assert.match(vibereviewSkill, /sync_ai_ide_markdown/);
+    assert.match(vibereviewSkill, /Event Identity/);
+    assert.match(vibereviewSkill, /OWASP Top 10 2025 Mappings/);
 
     const hooks = JSON.parse(readFileSync(join(cwd, '.codex/hooks.json'), 'utf8'));
     assert.equal(hooks.hooks.SessionStart[0].hooks[0].type, 'command');
     assert.equal(hooks.hooks.UserPromptSubmit[0].hooks[0].type, 'command');
     assert.match(hooks.hooks.UserPromptSubmit[0].hooks[0].command, /"hookEventName":"UserPromptSubmit"/);
+    assert.match(hooks.hooks.UserPromptSubmit[0].hooks[0].command, /vibereview/);
+    assert.match(hooks.hooks.UserPromptSubmit[0].hooks[0].command, /sync_ai_ide_markdown/);
+    assert.match(hooks.hooks.UserPromptSubmit[0].hooks[0].command, /vibereview-sync\/SKILL\.md/);
 });

package/src/generators/rules/content.js

@@ -52,9 +52,9 @@ function readTemplate(templateFileName, options = {}) {
     );
     out = injectPathPlaceholder(
         out,
-        '{{CTM_SYNC_AGENT_PATH}}',
-        '.cursor/agents/ctm_sync.md',
-        options.ctmSyncAgentPath,
+        '{{VIBEREVIEW_SYNC_SKILL_DIR}}',
+        '.cursor/skills/vibereview-sync',
+        options.vibereviewSyncSkillDir,
     );
 
     return out;
@@ -75,31 +75,17 @@ export function getProfileCommandContent(options = {}) {
 }
 
 /**
- * Returns the CTM sync workflow content markdown.
- */
-export function getCtmSyncWorkflowContent(options = {}) {
-    return readTemplate('ctm_sync.md', options);
-}
-
-/**
- * Returns the Cursor CTM sync trigger rule markdown.
- */
-export function getCtmSyncTriggerRuleContent(options = {}) {
-    return readTemplate('ctm_sync_rule.md', options);
-}
-
-/**
- * Returns the Cursor create-ide-workflow command markdown.
+ * Returns the threat-modelling skill markdown.
  */
-export function getCreateIdeWorkflowCommandContent(options = {}) {
-    return readTemplate('create-ide-workflow.md', options);
+export function getThreatModellingSkillContent(options = {}) {
+    return readTemplate('skill.md', options);
 }
 
 /**
- * Returns the threat-modelling skill markdown.
+ * Returns the VibeReview sync skill markdown.
  */
-export function getThreatModellingSkillContent(options = {}) {
-    return readTemplate('skill.md', options);
+export function getVibeReviewSyncSkillContent(options = {}) {
+    return readTemplate(join('vibereview-sync', 'SKILL.md'), options);
 }
 
 /**

package/src/generators/rules/content.md

@@ -12,7 +12,7 @@ For any task that touches auth, authorization, input handling, secrets, network,
    - Read and follow `{{GUARDRAILS_SELECTION_SKILL_DIR}}/SKILL.md`.
    - Resolve the SRAI project with `find_project_by_name` using `name="<SRAI_PROJECT_NAME>"`.
    - Call `get_guardrails`, shortlist only the relevant project guardrails, then hydrate the exact shortlist with `get_guardrail_by_id`.
-   - Preserve that exact shortlist in context for implementation and CTM sync.
+   - Preserve that exact shortlist in context for implementation and the final VibeReview sync step.
 
 2. **Run PWNISMS threat modelling before implementation.**
    - Read and follow `{{THREAT_MODELLING_SKILL_DIR}}/SKILL.md`.
@@ -26,11 +26,14 @@ For any task that touches auth, authorization, input handling, secrets, network,
    - Use the PWNISMS findings to guide design, validation, authorization, logging, secrets handling, dependency choices, and abuse controls.
    - If PWNISMS reveals a recurring security rule that is not covered by existing guardrails, create and apply an `ide_generated` guardrail in context.
 
-4. **Run CTM sync last.**
-   - After threat modelling is created or updated, or after guardrails are enforced during implementation, invoke the `ctm_sync` agent/workflow.
-   - Use `{{CTM_SYNC_AGENT_PATH}}` for the markdown contract and sync workflow.
-   - Pass the current threat model summary, the stable `chat_session_id`, the exact existing guardrails shortlisted earlier, and any `ide_generated` guardrails so `ctm_sync` can write a structured `.md` artifact for server-side extraction.
-   - Do not re-query guardrails during CTM sync; reuse the shortlist selected before implementation.
+4. **Write and sync the VibeReview markdown last.**
+   - Read and follow `{{VIBEREVIEW_SYNC_SKILL_DIR}}/SKILL.md`.
+   - After threat modelling is created or updated, or after guardrails are enforced during implementation, the main agent must write or update a structured `.md` artifact under `vibereview/`.
+   - Do not delegate markdown authoring to a subagent. The same agent that performed the work should author the artifact so the context stays intact.
+   - Use the skill's structure and validation checklist rather than improvising the markdown format.
+   - Reuse the exact existing guardrails shortlisted earlier, include any `ide_generated` guardrails, and only include grounded code snippets from actual code.
+   - Call `sync_ai_ide_markdown` directly with the finished markdown artifact before finalizing the task.
+   - If sync fails, keep the file in `vibereview/`, report the failure, and do not pretend synchronization succeeded.
 
 ## When To Skip
 
@@ -42,7 +45,7 @@ If in doubt, run the workflow. A quick PWNISMS pass is better than silently miss
 
 Do not call project-profile exploration tools during normal coding tasks. The old profile walkthrough is no longer part of the agent workflow.
 
-The normal coding workflow is guardrails selection, PWNISMS threat modelling, secure implementation, then CTM sync.
+The normal coding workflow is guardrails selection, PWNISMS threat modelling, secure implementation, then VibeReview markdown sync.
 
 ## Tool Reference
 
@@ -50,5 +53,5 @@ The normal coding workflow is guardrails selection, PWNISMS threat modelling, se
 |---|---|
 | Project resolution | `find_project_by_name`, `list_projects`, `create_project`, `get_project` |
 | Guardrails | `get_guardrails`, `get_guardrail_by_id` |
-| CTM sync | `sync_ai_ide_markdown` |
+| VibeReview sync | `sync_ai_ide_markdown` |
 | Profiler only | `update_vibe_profile`, `write_default_pack` are used by init-time profiling, not normal coding tasks |

package/src/generators/rules/cursor.js

@@ -1,20 +1,18 @@
-import { existsSync } from 'node:fs';
+import { existsSync, unlinkSync } from 'node:fs';
 import { join } from 'node:path';
 import {
     GUARDRAILS_PROFILER_SKILL_REL_DIR,
     GUARDRAILS_SELECTION_SKILL_REL_DIR,
-    CTM_SYNC_AGENT_REL_PATH,
     MCP_SERVER_NAME,
     THREAT_MODELLING_SKILL_REL_DIR,
+    VIBEREVIEW_SYNC_SKILL_REL_DIR,
 } from '../../utils/constants.js';
 import { readJson, writeJson, writeText } from '../../utils/fs-helpers.js';
 import {
     getRuleContent,
     getProfileCommandContent,
-    getCtmSyncWorkflowContent,
-    getCtmSyncTriggerRuleContent,
-    getCreateIdeWorkflowCommandContent,
     getThreatModellingSkillContent,
+    getVibeReviewSyncSkillContent,
     getGuardrailsRuleContent,
     getGuardrailsInitProfileContent,
     getHooksContent,
@@ -40,6 +38,14 @@ function writeCursorCommand(filePath, content) {
     return { filePath, action };
 }
 
+function removeGeneratedText(filePath) {
+    if (existsSync(filePath)) {
+        unlinkSync(filePath);
+        return { filePath, action: 'deleted' };
+    }
+    return null;
+}
+
 /**
  * Merge `.cursor/cli.json` so Cursor CLI / Agent auto-allows security-review-mcp tools (no MCP approval prompts).
  * @see https://cursor.com/docs/cli/reference/permissions
@@ -77,30 +83,24 @@ export function generate(cwd, options = {}) {
         ...options,
         guardrailsSelectionSkillDir: GUARDRAILS_SELECTION_SKILL_REL_DIR.cursor,
         threatModellingSkillDir: THREAT_MODELLING_SKILL_REL_DIR.cursor,
-        ctmSyncAgentPath: CTM_SYNC_AGENT_REL_PATH.cursor,
+        vibereviewSyncSkillDir: VIBEREVIEW_SYNC_SKILL_REL_DIR.cursor,
     };
     const baseRulePath = join(cwd, '.cursor', 'rules', 'srai-security-review.mdc');
-    const ctmSyncTriggerRulePath = join(cwd, '.cursor', 'rules', 'ctm_sync_rule.mdc');
     const guardrailsRulePath = join(cwd, '.cursor', 'rules', 'guardrails_rule.mdc');
-    const ctmSyncWorkflowPath = join(cwd, '.cursor', 'commands', 'ctm_sync.md');
-    const ctmSyncAgentPath = join(cwd, '.cursor', 'agents', 'ctm_sync.md');
-    const createIdeWorkflowCommandPath = join(cwd, '.cursor', 'commands', 'create-ide-workflow.md');
     const profileCommandPath = join(cwd, '.cursor', 'commands', 'srai-profile.md');
     const guardrailsInitProfileCommandPath = join(cwd, '.cursor', 'commands', 'guardrails-init-profile.md');
     const skillPath = join(cwd, '.cursor', 'skills', 'threat-modelling', 'SKILL.md');
     const hooksPath = join(cwd, '.cursor', 'hooks.json');
 
     const baseRuleContent = getRuleContent(optionsWithSkillDirs);
-    const ctmSyncTriggerRuleContent = getCtmSyncTriggerRuleContent(optionsWithSkillDirs);
     const guardrailsRuleContent = getGuardrailsRuleContent(optionsWithSkillDirs);
-    const ctmSyncWorkflowContent = getCtmSyncWorkflowContent(optionsWithSkillDirs);
-    const createIdeWorkflowCommandContent = getCreateIdeWorkflowCommandContent(optionsWithSkillDirs);
     const profileCommandContent = getProfileCommandContent(optionsWithSkillDirs);
     const guardrailsInitProfileCommandContent = getGuardrailsInitProfileContent({
         ...optionsWithSkillDirs,
         guardrailsSkillDir: GUARDRAILS_PROFILER_SKILL_REL_DIR.cursor,
     });
     const skillContent = getThreatModellingSkillContent(optionsWithSkillDirs);
+    const vibereviewSyncSkillContent = getVibeReviewSyncSkillContent(optionsWithSkillDirs);
 
     const baseRule = writeCursorRule(
         baseRulePath,
@@ -108,15 +108,17 @@ export function generate(cwd, options = {}) {
         baseRuleContent,
     );
 
-    const ctmSyncTriggerRule = writeCursorCommand(ctmSyncTriggerRulePath, ctmSyncTriggerRuleContent);
     const guardrailsRule = writeCursorRule(
         guardrailsRulePath,
         'Vibe Guardrails — fetch and enforce project-specific secure coding guardrails from SRAI',
         guardrailsRuleContent,
     );
-    const ctmSyncWorkflow = writeCursorCommand(ctmSyncWorkflowPath, ctmSyncWorkflowContent);
-    const ctmSyncAgent = writeCursorCommand(ctmSyncAgentPath, ctmSyncWorkflowContent);
-    const createIdeWorkflowCommand = writeCursorCommand(createIdeWorkflowCommandPath, createIdeWorkflowCommandContent);
+    const deletedLegacyRule = removeGeneratedText(join(cwd, '.cursor', 'rules', 'ctm_sync_rule.mdc'));
+    const deletedLegacyCommand = removeGeneratedText(join(cwd, '.cursor', 'commands', 'ctm_sync.md'));
+    const deletedLegacyAgent = removeGeneratedText(join(cwd, '.cursor', 'agents', 'ctm_sync.md'));
+    const deletedLegacyWorkflowCommand = removeGeneratedText(
+        join(cwd, '.cursor', 'commands', 'create-ide-workflow.md'),
+    );
 
     const profileCommand = writeCursorCommand(profileCommandPath, profileCommandContent);
     const guardrailsInitProfileCommand = writeCursorCommand(
@@ -125,6 +127,9 @@ export function generate(cwd, options = {}) {
     );
     const skillAction = existsSync(skillPath) ? 'updated' : 'created';
     writeText(skillPath, skillContent);
+    const vibereviewSyncSkillPath = join(cwd, VIBEREVIEW_SYNC_SKILL_REL_DIR.cursor, 'SKILL.md');
+    const vibereviewSyncSkillAction = existsSync(vibereviewSyncSkillPath) ? 'updated' : 'created';
+    writeText(vibereviewSyncSkillPath, vibereviewSyncSkillContent);
 
     const hooksContent = getHooksContent();
     const hooksAction = existsSync(hooksPath) ? 'updated' : 'created';
@@ -134,15 +139,16 @@ export function generate(cwd, options = {}) {
 
     return [
         { ...baseRule, kind: 'rule' },
-        { ...ctmSyncTriggerRule, kind: 'rule' },
         { ...guardrailsRule, kind: 'rule' },
-        { ...ctmSyncWorkflow, kind: 'command' },
-        { ...ctmSyncAgent, kind: 'agent' },
-        { ...createIdeWorkflowCommand, kind: 'command' },
         { ...profileCommand, kind: 'command' },
         { ...guardrailsInitProfileCommand, kind: 'command' },
         { filePath: skillPath, action: skillAction, kind: 'skill' },
+        { filePath: vibereviewSyncSkillPath, action: vibereviewSyncSkillAction, kind: 'skill' },
         { filePath: hooksPath, action: hooksAction, kind: 'hooks' },
         { ...cliPermissions, kind: 'config' },
+        ...(deletedLegacyRule ? [{ ...deletedLegacyRule, kind: 'cleanup' }] : []),
+        ...(deletedLegacyCommand ? [{ ...deletedLegacyCommand, kind: 'cleanup' }] : []),
+        ...(deletedLegacyAgent ? [{ ...deletedLegacyAgent, kind: 'cleanup' }] : []),
+        ...(deletedLegacyWorkflowCommand ? [{ ...deletedLegacyWorkflowCommand, kind: 'cleanup' }] : []),
     ];
 }

package/src/generators/rules/guardrails-selection/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: guardrails-selection
-description: Analyze the developer request, infer the security categories and likely threats involved, shortlist the most relevant project guardrails, then hydrate the exact guardrails with get_guardrail_by_id before implementation. Use for every security-relevant code task before code is written and preserve the shortlist for CTM sync.
+description: Analyze the developer request, infer the security categories and likely threats involved, shortlist the most relevant project guardrails, then hydrate the exact guardrails with get_guardrail_by_id before implementation. Use for every security-relevant code task before code is written and preserve the shortlist for the final VibeReview sync.
 ---
 
 # Guardrails Selection
@@ -16,7 +16,7 @@ This skill exists to stop the IDE from treating the full `get_guardrails` result
 3. Predict the threats that might occur for this exact task.
 4. Shortlist only the guardrails that mitigate those threats.
 5. Fetch the exact shortlisted guardrails with `get_guardrail_by_id`.
-6. Carry that same shortlist forward into implementation and `ctm_sync`.
+6. Carry that same shortlist forward into implementation and the final VibeReview markdown sync.
 
 Do not skip the analysis step. Do not rely on title-matching alone. Do not dump every guardrail into the final answer.
 
@@ -160,11 +160,11 @@ Once the shortlist is hydrated:
 
 When deciding whether a guardrail applies, prefer security-preserving inclusion over risky omission. If it plausibly mitigates a realistic path to abuse for the current task, keep it in scope.
 
-## CTM Sync Handoff Contract
+## VibeReview Sync Contract
 
-`ctm_sync` must reuse the shortlist from this skill. It must not call `get_guardrails` or `get_guardrail_by_id` again.
+The final sync step must reuse the shortlist from this skill. It must not call `get_guardrails` or `get_guardrail_by_id` again.
 
-Before `ctm_sync` is invoked, ensure the parent context clearly contains:
+Before `sync_ai_ide_markdown` is called, ensure the main agent context clearly contains:
 
 - the exact existing guardrails shortlisted earlier
 - which of them were applied
@@ -182,6 +182,6 @@ A good selection does all of the following:
 - captures adjacent controls that stop bypass chains
 - avoids irrelevant noise
 - produces a small, defensible set of guardrails that can actually guide implementation
-- leaves `ctm_sync` with an exact list of what the IDE selected and enforced
+- leaves the final VibeReview markdown with an exact list of what the IDE selected and enforced
 
 If your shortlist feels generic, it is probably incomplete or over-broad. Re-check the prompt, the code patterns, and the threat map.