@securityreviewai/securityreview-kit 0.1.44 → 0.1.45

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@securityreviewai/securityreview-kit",
-  "version": "0.1.44",
+  "version": "0.1.45",
   "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
   "author": "Debarshi Das <debarshi.das@we45.com>",
   "license": "UNLICENSED",

package/src/generators/rules/claude.test.js

@@ -39,6 +39,8 @@ test('Claude generator writes .claude/CLAUDE.md, threat skill, and profiling com
     assert.match(vibereviewSkill, /Do not read other/i);
     assert.match(vibereviewSkill, /sync_ai_ide_markdown/);
     assert.match(vibereviewSkill, /Event Identity/);
+    assert.match(vibereviewSkill, /Practice 1/);
+    assert.match(vibereviewSkill, /practice_name:/);
 });
 
 test('Claude generator migrates the kit-managed root CLAUDE.md block into .claude/CLAUDE.md', () => {

package/src/generators/rules/codex.test.js

@@ -46,6 +46,8 @@ test('Codex generator writes AGENTS, skills, hooks, and profiling command', () =
     assert.match(vibereviewSkill, /sync_ai_ide_markdown/);
     assert.match(vibereviewSkill, /Event Identity/);
     assert.match(vibereviewSkill, /OWASP Top 10 2025 Mappings/);
+    assert.match(vibereviewSkill, /Practice 1/);
+    assert.match(vibereviewSkill, /practice_name:/);
 
     const hooks = JSON.parse(readFileSync(join(cwd, '.codex/hooks.json'), 'utf8'));
     assert.equal(hooks.hooks.SessionStart[0].hooks[0].type, 'command');

package/src/generators/rules/skill.md

@@ -212,7 +212,7 @@ When discussing designs before code exists:
 The main agent writes a structured `.md` artifact under `vibereview/` and uploads it through `sync_ai_ide_markdown`. That markdown should contain:
 
 - **Threat model findings**: threats mitigated, PWNISMS categories, severities, mitigations applied
-- **Best practices achieved**: security patterns followed during implementation
+- **Best practices achieved**: structured practice entries with `practice_name`, `description`, and `category`
 - **Secure code snippets**: security-relevant code with explanations
 - **Guardrails applied**: all guardrails enforced during this session — both existing ones shortlisted earlier via `get_guardrails` + `get_guardrail_by_id` (`source: "existing"`) and new ones the IDE agent created on the fly (`source: "ide_generated"`), each with satisfaction status
 - **Workflow metadata**: `chat_session_id`, `event_name` or `title`, required `summary`, and optional `workflow_name` / `workflow_description`
@@ -229,11 +229,12 @@ The main agent writes a structured `.md` artifact under `vibereview/` and upload
    - `Guardrails Applied`
    - `OWASP Top 10 2025 Mappings`
 5. Validate that:
-   - every threat entry includes `threat_name`, `pwnisms_category`, `severity`, and `mitigation_applied`
+    - every threat entry includes `threat_name`, `pwnisms_category`, `severity`, and `mitigation_applied`
+   - every best-practice entry includes `practice_name`, `description`, and `category`
    - every guardrail includes `title`, `rule_type`, `source`, and `satisfied`
    - OWASP mappings use exact IDs and names
    - snippets are grounded in actual code, not invented text
-    - no sibling `.md` files in `vibereview/` were read just to infer format or content
+   - no sibling `.md` files in `vibereview/` were read just to infer format or content
 6. Call `sync_ai_ide_markdown` directly with the finished markdown artifact.
 7. If sync fails, leave the artifact in `vibereview/` and report the failure clearly.
 

package/src/generators/rules/vibereview-sync/SKILL.md

@@ -197,17 +197,37 @@ if not chat_session_id:
 
 ## Best Practices Achieved Section
 
-Use plain bullet items only:
+Use structured practice entries, not plain bullet-only lists.
 
-```md
+````md
 # Best Practices Achieved
 
-- Used a stable chat_session_id to deterministically reuse or create workflows.
-- Kept workflow and event creation on the server instead of relying on IDE-side orchestration.
-- Validated required event identity fields before persisting security review data.
-```
+## Practice 1
+- practice_name: Stable workflow correlation
+- description: Used a stable chat session identifier to ensure repeated syncs map to the same workflow.
+- category: identity
+
+## Practice 2
+- practice_name: Server-side workflow orchestration
+- description: Kept workflow and event creation on the server instead of relying on IDE-side orchestration.
+- category: design
+
+## Practice 3
+- practice_name: Required field validation
+- description: Validated required event identity fields before persisting security review data.
+- category: validation
+````
+
+### Best practice rules
 
-Do not turn this into freeform paragraphs.
+- Each entry should be introduced with a stable heading such as `## Practice 1`, `## Practice 2`, and so on.
+- Each entry must include:
+  - `practice_name`
+  - `description`
+  - `category`
+- Keep the values concise and grounded in the actual work completed.
+- Do not turn this section into freeform paragraphs.
+- Do not reduce this section to plain bullet statements without field names.
 
 ## Secure Code Snippets Section
 

package/src/generators/rules/vscode.test.js

@@ -43,6 +43,8 @@ test('VS Code Copilot generator writes instructions, skills, and hooks', () => {
     assert.match(vibereviewSkill, /Do not read other/i);
     assert.match(vibereviewSkill, /sync_ai_ide_markdown/);
     assert.match(vibereviewSkill, /Guardrails Applied/);
+    assert.match(vibereviewSkill, /Practice 1/);
+    assert.match(vibereviewSkill, /practice_name:/);
 
     const hooks = JSON.parse(readFileSync(join(cwd, '.github/hooks/srai-session-policy.json'), 'utf8'));
     assert.equal(hooks.hooks.SessionStart[0].type, 'command');