@securityreviewai/securityreview-kit 0.1.45 → 0.1.46

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/package.json +1 -1
  2. package/src/generators/rules/content.js +1 -1
  3. package/src/generators/rules/guardrails-init-profile.md +2 -2
  4. package/src/generators/rules/guardrails-profiler/SKILL.md +7 -29
  5. package/src/utils/profiler-agent.js +1 -1
  6. package/src/utils/profiler-agent.test.js +8 -0
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@securityreviewai/securityreview-kit",
3
- "version": "0.1.45",
3
+ "version": "0.1.46",
4
4
  "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
5
5
  "author": "Debarshi Das <debarshi.das@we45.com>",
6
6
  "license": "UNLICENSED",
package/src/generators/rules/content.js CHANGED
@@ -96,7 +96,7 @@ export function getGuardrailsRuleContent(options = {}) {
96
96
  }
97
97
 
98
98
  /**
99
- * Guardrails init profile command (repo scan + profile.json + SRAI upload).
99
+ * Guardrails init profile command (repo scan + .guardrails/profile.json + SRAI upload).
100
100
  */
101
101
  export function getGuardrailsInitProfileContent(options = {}) {
102
102
  return readTemplate('guardrails-init-profile.md', options);
package/src/generators/rules/guardrails-init-profile.md CHANGED
@@ -1,6 +1,6 @@
1
1
  ---
2
2
  name: guardrails-init-profile
3
- description: Run the Security Review Kit guardrails profiler — scan the repo, write profile.json, push profile and default guardrail pack to SecurityReview.ai via MCP.
3
+ description: Run the Security Review Kit guardrails profiler — scan the repo, write `.guardrails/profile.json`, push the profile and default guardrail pack to SecurityReview.ai via MCP.
4
4
  ---
5
5
 
6
6
  # Guardrails init profile
@@ -12,7 +12,7 @@ Configured SRAI project name: `<SRAI_PROJECT_NAME>`
12
12
  **You must:**
13
13
 
14
14
  1. Read `{{GUARDRAILS_SKILL_DIR}}/SKILL.md` and follow every step (use the signal registry at `{{GUARDRAILS_SKILL_DIR}}/references/signal-registry.json`).
15
- 2. Write `.guardrails/profile.json` and **`profile.json`** at the project root as specified.
15
+ 2. Write `.guardrails/profile.json` as specified.
16
16
  3. Call **`update_vibe_profile`** and **`write_default_pack`** on `security-review-mcp` after resolving `project_id` for `<SRAI_PROJECT_NAME>`.
17
17
 
18
18
  Do not skip MCP upload when credentials and MCP are available.
package/src/generators/rules/guardrails-profiler/SKILL.md CHANGED
@@ -5,7 +5,7 @@ description: Profile a codebase to detect its technology stack and generate a gu
5
5
 
6
6
  # Guardrails Profiler
7
7
 
8
- Profile a codebase's technology stack, write `.guardrails/profile.json`, write a combined **`profile.json` in the project root**, and upload to SRAI using `update_vibe_profile` and `write_default_pack`.
8
+ Profile a codebase's technology stack, write `.guardrails/profile.json`, and upload the detected profile and default guardrail pack to SRAI using `update_vibe_profile` and `write_default_pack`.
9
9
 
10
10
  Configured SRAI project name: `<SRAI_PROJECT_NAME>`
11
11
 
@@ -14,7 +14,6 @@ Configured SRAI project name: `<SRAI_PROJECT_NAME>`
14
14
  - **This skill & signal registry (read-only):** `<GUARDRAILS_SKILL_DIR>/` — e.g. `.cursor/skills/guardrails-profiler`, `.github/skills/guardrails-profiler`, `.claude/skills/guardrails-profiler`, or `.codex/skills/guardrails-profiler` for Codex depending on where this file was installed.
15
15
  - **Signal registry file:** `<GUARDRAILS_SKILL_DIR>/references/signal-registry.json`
16
16
  - **Local guardrails file:** `.guardrails/profile.json`
17
- - **Combined manifest (project root):** `profile.json` — includes guardrails profile, vibe profile fields for MCP, and default pack payload
18
17
 
19
18
  ## When This Runs
20
19
 
@@ -102,40 +101,19 @@ Do **not** invent packs or signals; if the repo is empty, use universal baseline
102
101
 
103
102
  Create `.guardrails/` if needed and write the profile file.
104
103
 
105
- ### Step 6: Build `profile.json` (project root)
106
-
107
- Write **`profile.json`** at the project root with **only** these parts:
108
-
109
- ```json
110
- {
111
- "schema_version": "2.0",
112
- "srai_project_name": "<SRAI_PROJECT_NAME>",
113
- "guardrails_profile": {},
114
- "default_guardrail_pack": {
115
- "guardrail_packs": [],
116
- "pack_count": 0
117
- }
118
- }
119
- ```
120
-
121
- - Populate **`guardrails_profile`** with the **same object** written to `.guardrails/profile.json` (detection summary, packs, etc.).
122
- - Populate **`default_guardrail_pack`** with the deduplicated `guardrail_packs` list (same ids as in `guardrails_profile`) and `pack_count`.
123
-
124
- **Do not** add a separate `vibe_profile` block and do **not** populate narrative fields such as long `description`, `architecture_notes`, `tech_categories`, `user_groups`, `compliance_requirements`, or `language_stacks`. The server-facing “vibe” update is driven **only** from the technical **`guardrails_profile`** plus the default pack (see Step 7).
125
-
126
- ### Step 7: Upload to SecurityReview.ai (security-review-mcp)
104
+ ### Step 6: Upload to SecurityReview.ai (security-review-mcp)
127
105
 
128
106
  1. Resolve `project_id`: `find_project_by_name` with `name="<SRAI_PROJECT_NAME>"`. If missing, follow existing kit rules (`list_projects`, `create_project`).
129
107
 
130
- 2. Call **`update_vibe_profile`** with `project_id` and arguments mapped **only** from **`profile.json.guardrails_profile`** (and any required `project_id` fields) per the MCP tool’s documented schema. Treat the guardrails detection object as the profile payload — **not** a separate prose vibe document.
108
+ 2. Call **`update_vibe_profile`** with `project_id` and arguments mapped directly from the `.guardrails/profile.json` object (and any required `project_id` fields) per the MCP tool’s documented schema. Treat the guardrails detection object as the profile payload — **not** a separate prose vibe document.
131
109
 
132
- 3. Call **`write_default_pack`** with `project_id` and the payload from **`profile.json.default_guardrail_pack`** (match the MCP tool’s schema).
110
+ 3. Call **`write_default_pack`** with `project_id`, `guardrail_packs`, and `pack_count` derived from `.guardrails/profile.json` (match the MCP tool’s schema).
133
111
 
134
112
  4. **MCP approval:** Do **not** ask the user to “approve MCP” or “say you approve” for `security-review-mcp`. Security Review Kit passes the configured MCP server and approval settings during init-time profiling where the CLI supports it (for example Cursor CLI permissions and Copilot CLI `--additional-mcp-config` / `--allow-all`). Invoke `find_project_by_name`, `update_vibe_profile`, and `write_default_pack` directly. If a call still fails with permissions, report the exact CLI permission error — not a conversational approval step.
135
113
 
136
- 5. Confirm success: paths written (`profile.json`, `.guardrails/profile.json`) and whether both MCP calls succeeded, or the exact error.
114
+ 5. Confirm success: path written (`.guardrails/profile.json`) and whether both MCP calls succeeded, or the exact error.
137
115
 
138
- ### Step 8: Report
116
+ ### Step 7: Report
139
117
 
140
118
  Give a concise summary of detected stack, pack count, and upload status.
141
119
 
@@ -145,7 +123,7 @@ If there are no signals:
145
123
 
146
124
  1. Optionally read `.git/config` for hints.
147
125
  2. Emit minimal profile: `owasp-asvs` only, empty summaries where appropriate.
148
- 3. Still write `profile.json` (minimal `guardrails_profile` + `default_guardrail_pack`) and attempt MCP calls.
126
+ 3. Still write `.guardrails/profile.json` (minimal baseline profile) and attempt MCP calls.
149
127
 
150
128
  ## IDE-Specific Notes
151
129
 
package/src/utils/profiler-agent.js CHANGED
@@ -65,7 +65,7 @@ export function buildProfilerAgentPrompt(projectName, agentTarget = 'cursor') {
65
65
  `SRAI project name: "${p}".`,
66
66
  `Open and follow every step in ${skillRoot}/SKILL.md.`,
67
67
  `Use ${skillRoot}/references/signal-registry.json as the signal registry.`,
68
- 'Write .guardrails/profile.json and profile.json at the repository root as defined in the skill.',
68
+ 'Write .guardrails/profile.json as defined in the skill.',
69
69
  `Resolve project_id with find_project_by_name for "${p}", then call update_vibe_profile and write_default_pack via security-review-mcp.`,
70
70
  'Do not invent stack details, compliance, or user groups; ground everything in the repository.',
71
71
  ].join('\n');
package/src/utils/profiler-agent.test.js CHANGED
@@ -6,6 +6,7 @@ import assert from 'node:assert/strict';
6
6
  import {
7
7
  buildCodexConfigOverrides,
8
8
  buildCopilotAdditionalMcpConfig,
9
+ buildProfilerAgentPrompt,
9
10
  pickProfilerAgentTarget,
10
11
  } from './profiler-agent.js';
11
12
 
@@ -71,3 +72,10 @@ test('buildCodexConfigOverrides builds inline MCP config for profiling', () => {
71
72
  'mcp_servers.security-review-mcp.env.SECURITY_REVIEW_API_TOKEN="token"',
72
73
  ]);
73
74
  });
75
+
76
+ test('buildProfilerAgentPrompt only instructs writing the guardrails profile under .guardrails', () => {
77
+ const prompt = buildProfilerAgentPrompt('demo-project', 'codex');
78
+
79
+ assert.match(prompt, /Write \.guardrails\/profile\.json as defined in the skill\./);
80
+ assert.doesNotMatch(prompt, /profile\.json at the repository root/);
81
+ });