@securityreviewai/securityreview-kit 0.1.44 → 0.1.46

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@securityreviewai/securityreview-kit",
-  "version": "0.1.44",
+  "version": "0.1.46",
   "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
   "author": "Debarshi Das <debarshi.das@we45.com>",
   "license": "UNLICENSED",

package/src/generators/rules/claude.test.js

@@ -39,6 +39,8 @@ test('Claude generator writes .claude/CLAUDE.md, threat skill, and profiling com
     assert.match(vibereviewSkill, /Do not read other/i);
     assert.match(vibereviewSkill, /sync_ai_ide_markdown/);
     assert.match(vibereviewSkill, /Event Identity/);
+    assert.match(vibereviewSkill, /Practice 1/);
+    assert.match(vibereviewSkill, /practice_name:/);
 });
 
 test('Claude generator migrates the kit-managed root CLAUDE.md block into .claude/CLAUDE.md', () => {

package/src/generators/rules/codex.test.js

@@ -46,6 +46,8 @@ test('Codex generator writes AGENTS, skills, hooks, and profiling command', () =
     assert.match(vibereviewSkill, /sync_ai_ide_markdown/);
     assert.match(vibereviewSkill, /Event Identity/);
     assert.match(vibereviewSkill, /OWASP Top 10 2025 Mappings/);
+    assert.match(vibereviewSkill, /Practice 1/);
+    assert.match(vibereviewSkill, /practice_name:/);
 
     const hooks = JSON.parse(readFileSync(join(cwd, '.codex/hooks.json'), 'utf8'));
     assert.equal(hooks.hooks.SessionStart[0].hooks[0].type, 'command');

package/src/generators/rules/content.js

@@ -96,7 +96,7 @@ export function getGuardrailsRuleContent(options = {}) {
 }
 
 /**
- * Guardrails init profile command (repo scan + profile.json + SRAI upload).
+ * Guardrails init profile command (repo scan + .guardrails/profile.json + SRAI upload).
  */
 export function getGuardrailsInitProfileContent(options = {}) {
     return readTemplate('guardrails-init-profile.md', options);

package/src/generators/rules/guardrails-init-profile.md

@@ -1,6 +1,6 @@
 ---
 name: guardrails-init-profile
-description: Run the Security Review Kit guardrails profiler — scan the repo, write profile.json, push profile and default guardrail pack to SecurityReview.ai via MCP.
+description: Run the Security Review Kit guardrails profiler — scan the repo, write `.guardrails/profile.json`, push the profile and default guardrail pack to SecurityReview.ai via MCP.
 ---
 
 # Guardrails init profile
@@ -12,7 +12,7 @@ Configured SRAI project name: `<SRAI_PROJECT_NAME>`
 **You must:**
 
 1. Read `{{GUARDRAILS_SKILL_DIR}}/SKILL.md` and follow every step (use the signal registry at `{{GUARDRAILS_SKILL_DIR}}/references/signal-registry.json`).
-2. Write `.guardrails/profile.json` and **`profile.json`** at the project root as specified.
+2. Write `.guardrails/profile.json` as specified.
 3. Call **`update_vibe_profile`** and **`write_default_pack`** on `security-review-mcp` after resolving `project_id` for `<SRAI_PROJECT_NAME>`.
 
 Do not skip MCP upload when credentials and MCP are available.

package/src/generators/rules/guardrails-profiler/SKILL.md

@@ -5,7 +5,7 @@ description: Profile a codebase to detect its technology stack and generate a gu
 
 # Guardrails Profiler
 
-Profile a codebase's technology stack, write `.guardrails/profile.json`, write a combined **`profile.json` in the project root**, and upload to SRAI using `update_vibe_profile` and `write_default_pack`.
+Profile a codebase's technology stack, write `.guardrails/profile.json`, and upload the detected profile and default guardrail pack to SRAI using `update_vibe_profile` and `write_default_pack`.
 
 Configured SRAI project name: `<SRAI_PROJECT_NAME>`
 
@@ -14,7 +14,6 @@ Configured SRAI project name: `<SRAI_PROJECT_NAME>`
 - **This skill & signal registry (read-only):** `<GUARDRAILS_SKILL_DIR>/` — e.g. `.cursor/skills/guardrails-profiler`, `.github/skills/guardrails-profiler`, `.claude/skills/guardrails-profiler`, or `.codex/skills/guardrails-profiler` for Codex depending on where this file was installed.
 - **Signal registry file:** `<GUARDRAILS_SKILL_DIR>/references/signal-registry.json`
 - **Local guardrails file:** `.guardrails/profile.json`
-- **Combined manifest (project root):** `profile.json` — includes guardrails profile, vibe profile fields for MCP, and default pack payload
 
 ## When This Runs
 
@@ -102,40 +101,19 @@ Do **not** invent packs or signals; if the repo is empty, use universal baseline
 
 Create `.guardrails/` if needed and write the profile file.
 
-### Step 6: Build `profile.json` (project root)
-
-Write **`profile.json`** at the project root with **only** these parts:
-
-```json
-{
-  "schema_version": "2.0",
-  "srai_project_name": "<SRAI_PROJECT_NAME>",
-  "guardrails_profile": {},
-  "default_guardrail_pack": {
-    "guardrail_packs": [],
-    "pack_count": 0
-  }
-}
-```
-
-- Populate **`guardrails_profile`** with the **same object** written to `.guardrails/profile.json` (detection summary, packs, etc.).
-- Populate **`default_guardrail_pack`** with the deduplicated `guardrail_packs` list (same ids as in `guardrails_profile`) and `pack_count`.
-
-**Do not** add a separate `vibe_profile` block and do **not** populate narrative fields such as long `description`, `architecture_notes`, `tech_categories`, `user_groups`, `compliance_requirements`, or `language_stacks`. The server-facing “vibe” update is driven **only** from the technical **`guardrails_profile`** plus the default pack (see Step 7).
-
-### Step 7: Upload to SecurityReview.ai (security-review-mcp)
+### Step 6: Upload to SecurityReview.ai (security-review-mcp)
 
 1. Resolve `project_id`: `find_project_by_name` with `name="<SRAI_PROJECT_NAME>"`. If missing, follow existing kit rules (`list_projects`, `create_project`).
 
-2. Call **`update_vibe_profile`** with `project_id` and arguments mapped **only** from **`profile.json.guardrails_profile`** (and any required `project_id` fields) per the MCP tool’s documented schema. Treat the guardrails detection object as the profile payload — **not** a separate prose vibe document.
+2. Call **`update_vibe_profile`** with `project_id` and arguments mapped directly from the `.guardrails/profile.json` object (and any required `project_id` fields) per the MCP tool’s documented schema. Treat the guardrails detection object as the profile payload — **not** a separate prose vibe document.
 
-3. Call **`write_default_pack`** with `project_id` and the payload from **`profile.json.default_guardrail_pack`** (match the MCP tool’s schema).
+3. Call **`write_default_pack`** with `project_id`, `guardrail_packs`, and `pack_count` derived from `.guardrails/profile.json` (match the MCP tool’s schema).
 
 4. **MCP approval:** Do **not** ask the user to “approve MCP” or “say you approve” for `security-review-mcp`. Security Review Kit passes the configured MCP server and approval settings during init-time profiling where the CLI supports it (for example Cursor CLI permissions and Copilot CLI `--additional-mcp-config` / `--allow-all`). Invoke `find_project_by_name`, `update_vibe_profile`, and `write_default_pack` directly. If a call still fails with permissions, report the exact CLI permission error — not a conversational approval step.
 
-5. Confirm success: paths written (`profile.json`, `.guardrails/profile.json`) and whether both MCP calls succeeded, or the exact error.
+5. Confirm success: path written (`.guardrails/profile.json`) and whether both MCP calls succeeded, or the exact error.
 
-### Step 8: Report
+### Step 7: Report
 
 Give a concise summary of detected stack, pack count, and upload status.
 
@@ -145,7 +123,7 @@ If there are no signals:
 
 1. Optionally read `.git/config` for hints.
 2. Emit minimal profile: `owasp-asvs` only, empty summaries where appropriate.
-3. Still write `profile.json` (minimal `guardrails_profile` + `default_guardrail_pack`) and attempt MCP calls.
+3. Still write `.guardrails/profile.json` (minimal baseline profile) and attempt MCP calls.
 
 ## IDE-Specific Notes
 

package/src/generators/rules/skill.md

@@ -212,7 +212,7 @@ When discussing designs before code exists:
 The main agent writes a structured `.md` artifact under `vibereview/` and uploads it through `sync_ai_ide_markdown`. That markdown should contain:
 
 - **Threat model findings**: threats mitigated, PWNISMS categories, severities, mitigations applied
-- **Best practices achieved**: security patterns followed during implementation
+- **Best practices achieved**: structured practice entries with `practice_name`, `description`, and `category`
 - **Secure code snippets**: security-relevant code with explanations
 - **Guardrails applied**: all guardrails enforced during this session — both existing ones shortlisted earlier via `get_guardrails` + `get_guardrail_by_id` (`source: "existing"`) and new ones the IDE agent created on the fly (`source: "ide_generated"`), each with satisfaction status
 - **Workflow metadata**: `chat_session_id`, `event_name` or `title`, required `summary`, and optional `workflow_name` / `workflow_description`
@@ -229,11 +229,12 @@ The main agent writes a structured `.md` artifact under `vibereview/` and upload
    - `Guardrails Applied`
    - `OWASP Top 10 2025 Mappings`
 5. Validate that:
-   - every threat entry includes `threat_name`, `pwnisms_category`, `severity`, and `mitigation_applied`
+    - every threat entry includes `threat_name`, `pwnisms_category`, `severity`, and `mitigation_applied`
+   - every best-practice entry includes `practice_name`, `description`, and `category`
    - every guardrail includes `title`, `rule_type`, `source`, and `satisfied`
    - OWASP mappings use exact IDs and names
    - snippets are grounded in actual code, not invented text
-    - no sibling `.md` files in `vibereview/` were read just to infer format or content
+   - no sibling `.md` files in `vibereview/` were read just to infer format or content
 6. Call `sync_ai_ide_markdown` directly with the finished markdown artifact.
 7. If sync fails, leave the artifact in `vibereview/` and report the failure clearly.
 

package/src/generators/rules/vibereview-sync/SKILL.md

@@ -197,17 +197,37 @@ if not chat_session_id:
 
 ## Best Practices Achieved Section
 
-Use plain bullet items only:
+Use structured practice entries, not plain bullet-only lists.
 
-```md
+````md
 # Best Practices Achieved
 
-- Used a stable chat_session_id to deterministically reuse or create workflows.
-- Kept workflow and event creation on the server instead of relying on IDE-side orchestration.
-- Validated required event identity fields before persisting security review data.
-```
+## Practice 1
+- practice_name: Stable workflow correlation
+- description: Used a stable chat session identifier to ensure repeated syncs map to the same workflow.
+- category: identity
+
+## Practice 2
+- practice_name: Server-side workflow orchestration
+- description: Kept workflow and event creation on the server instead of relying on IDE-side orchestration.
+- category: design
+
+## Practice 3
+- practice_name: Required field validation
+- description: Validated required event identity fields before persisting security review data.
+- category: validation
+````
+
+### Best practice rules
 
-Do not turn this into freeform paragraphs.
+- Each entry should be introduced with a stable heading such as `## Practice 1`, `## Practice 2`, and so on.
+- Each entry must include:
+  - `practice_name`
+  - `description`
+  - `category`
+- Keep the values concise and grounded in the actual work completed.
+- Do not turn this section into freeform paragraphs.
+- Do not reduce this section to plain bullet statements without field names.
 
 ## Secure Code Snippets Section
 

package/src/generators/rules/vscode.test.js

@@ -43,6 +43,8 @@ test('VS Code Copilot generator writes instructions, skills, and hooks', () => {
     assert.match(vibereviewSkill, /Do not read other/i);
     assert.match(vibereviewSkill, /sync_ai_ide_markdown/);
     assert.match(vibereviewSkill, /Guardrails Applied/);
+    assert.match(vibereviewSkill, /Practice 1/);
+    assert.match(vibereviewSkill, /practice_name:/);
 
     const hooks = JSON.parse(readFileSync(join(cwd, '.github/hooks/srai-session-policy.json'), 'utf8'));
     assert.equal(hooks.hooks.SessionStart[0].type, 'command');

package/src/utils/profiler-agent.js

@@ -65,7 +65,7 @@ export function buildProfilerAgentPrompt(projectName, agentTarget = 'cursor') {
         `SRAI project name: "${p}".`,
         `Open and follow every step in ${skillRoot}/SKILL.md.`,
         `Use ${skillRoot}/references/signal-registry.json as the signal registry.`,
-        'Write .guardrails/profile.json and profile.json at the repository root as defined in the skill.',
+        'Write .guardrails/profile.json as defined in the skill.',
         `Resolve project_id with find_project_by_name for "${p}", then call update_vibe_profile and write_default_pack via security-review-mcp.`,
         'Do not invent stack details, compliance, or user groups; ground everything in the repository.',
     ].join('\n');

package/src/utils/profiler-agent.test.js

@@ -6,6 +6,7 @@ import assert from 'node:assert/strict';
 import {
     buildCodexConfigOverrides,
     buildCopilotAdditionalMcpConfig,
+    buildProfilerAgentPrompt,
     pickProfilerAgentTarget,
 } from './profiler-agent.js';
 
@@ -71,3 +72,10 @@ test('buildCodexConfigOverrides builds inline MCP config for profiling', () => {
         'mcp_servers.security-review-mcp.env.SECURITY_REVIEW_API_TOKEN="token"',
     ]);
 });
+
+test('buildProfilerAgentPrompt only instructs writing the guardrails profile under .guardrails', () => {
+    const prompt = buildProfilerAgentPrompt('demo-project', 'codex');
+
+    assert.match(prompt, /Write \.guardrails\/profile\.json as defined in the skill\./);
+    assert.doesNotMatch(prompt, /profile\.json at the repository root/);
+});