@securityreviewai/securityreview-kit 0.1.45 → 0.1.47

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@securityreviewai/securityreview-kit",
-  "version": "0.1.45",
+  "version": "0.1.47",
   "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
   "author": "Debarshi Das <debarshi.das@we45.com>",
   "license": "UNLICENSED",

package/src/generators/mcp/claude.js

@@ -2,6 +2,8 @@ import { join } from 'node:path';
 import { readJson, writeJson } from '../../utils/fs-helpers.js';
 import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
 
+const CLAUDE_MCP_PERMISSION = `mcp__${MCP_SERVER_NAME}`;
+
 function getClaudeSessionStartHooks() {
     const prompt = [
         'MANDATORY SECURITY GATE (Claude Code Session Policy)',
@@ -59,6 +61,16 @@ export function generate(cwd, envVars) {
         existing.enabledMcpjsonServers = [...enabledServers, MCP_SERVER_NAME];
     }
 
+    if (!existing.permissions || typeof existing.permissions !== 'object' || Array.isArray(existing.permissions)) {
+        existing.permissions = {};
+    }
+    const allowedTools = Array.isArray(existing.permissions.allow)
+        ? existing.permissions.allow.filter((entry) => typeof entry === 'string' && entry.trim())
+        : [];
+    if (!allowedTools.includes(CLAUDE_MCP_PERMISSION)) {
+        existing.permissions.allow = [...allowedTools, CLAUDE_MCP_PERMISSION];
+    }
+
     const existingSessionStart = Array.isArray(existing.SessionStart) ? existing.SessionStart : [];
     const marker = 'MANDATORY SECURITY GATE (Claude Code Session Policy)';
     const ours = getClaudeSessionStartHooks();

package/src/generators/mcp/claude.test.js

@@ -17,6 +17,7 @@ test('Claude MCP generator writes .mcp.json, enables the project MCP server, and
     const settings = JSON.parse(readFileSync(join(cwd, '.claude', 'settings.json'), 'utf8'));
     assert.equal(mcpConfig.mcpServers['security-review-mcp'].command, 'npx');
     assert.deepEqual(settings.enabledMcpjsonServers, ['security-review-mcp']);
+    assert.deepEqual(settings.permissions.allow, ['mcp__security-review-mcp']);
     assert.equal(Array.isArray(settings.SessionStart), true);
     assert.match(settings.SessionStart[0].hooks[0].prompt, /MANDATORY SECURITY GATE/);
     assert.match(settings.SessionStart[0].hooks[0].prompt, /vibereview\//);
@@ -39,6 +40,9 @@ test('Claude MCP generator preserves existing SessionStart hooks', () => {
                         hooks: [{ type: 'prompt', prompt: 'Existing hook' }],
                     },
                 ],
+                permissions: {
+                    allow: ['Bash(npm run test:*)'],
+                },
             },
             null,
             2,
@@ -56,4 +60,5 @@ test('Claude MCP generator preserves existing SessionStart hooks', () => {
     assert.match(config.SessionStart[0].hooks[0].prompt, /Existing hook/);
     assert.match(config.SessionStart[1].hooks[0].prompt, /MANDATORY SECURITY GATE/);
     assert.deepEqual(config.enabledMcpjsonServers, ['security-review-mcp']);
+    assert.deepEqual(config.permissions.allow, ['Bash(npm run test:*)', 'mcp__security-review-mcp']);
 });

package/src/generators/mcp/codex.js

@@ -38,6 +38,7 @@ export function generate(cwd, envVars) {
 [mcp_servers.${MCP_SERVER_NAME}]
 command = "npx"
 args = ["-y", "${MCP_SERVER_PACKAGE}@latest"]
+default_tools_approval_mode = "approve"
 
 [mcp_servers.${MCP_SERVER_NAME}.env]
 SECURITY_REVIEW_API_URL = "${envVars.apiUrl}"

package/src/generators/mcp/codex.test.js

@@ -16,6 +16,7 @@ test('Codex MCP generator enables hooks and writes MCP server block', () => {
     const config = readFileSync(join(cwd, '.codex/config.toml'), 'utf8');
     assert.match(config, /\[features\]\ncodex_hooks = true/);
     assert.match(config, /\[mcp_servers\.security-review-mcp\]/);
+    assert.match(config, /default_tools_approval_mode = "approve"/);
     assert.match(config, /SECURITY_REVIEW_API_URL = "https:\/\/example\.test"/);
 });
 

package/src/generators/mcp/cursor.js

@@ -1,6 +1,7 @@
 import { join } from 'node:path';
 import { readJson, writeJson } from '../../utils/fs-helpers.js';
 import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
+import { mergeCursorCliMcpAllowlist } from '../../utils/cursor-cli-permissions.js';
 
 /**
  * Generate Cursor MCP config at .cursor/mcp.json
@@ -23,5 +24,6 @@ export function generate(cwd, envVars) {
     };
 
     writeJson(filePath, existing);
+    mergeCursorCliMcpAllowlist(cwd);
     return filePath;
 }

package/src/generators/mcp/cursor.test.js

@@ -0,0 +1,50 @@
+import { mkdirSync, mkdtempSync, readFileSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import { generate } from './cursor.js';
+
+test('Cursor MCP generator writes server config and CLI MCP allow rule', () => {
+    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-cursor-mcp-'));
+
+    generate(cwd, {
+        apiUrl: 'https://example.test',
+        apiToken: 'secret-token',
+    });
+
+    const mcpConfig = JSON.parse(readFileSync(join(cwd, '.cursor', 'mcp.json'), 'utf8'));
+    const cliConfig = JSON.parse(readFileSync(join(cwd, '.cursor', 'cli.json'), 'utf8'));
+    assert.equal(mcpConfig.mcpServers['security-review-mcp'].command, 'npx');
+    assert.deepEqual(cliConfig.permissions.allow, ['Mcp(security-review-mcp:*)']);
+    assert.deepEqual(cliConfig.permissions.deny, []);
+});
+
+test('Cursor MCP generator preserves existing CLI permissions', () => {
+    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-cursor-mcp-merge-'));
+    const cliPath = join(cwd, '.cursor', 'cli.json');
+    mkdirSync(join(cwd, '.cursor'), { recursive: true });
+    writeFileSync(
+        cliPath,
+        JSON.stringify(
+            {
+                permissions: {
+                    allow: ['Shell(git)'],
+                    deny: ['Shell(rm)'],
+                },
+            },
+            null,
+            2,
+        ),
+        'utf8',
+    );
+
+    generate(cwd, {
+        apiUrl: 'https://example.test',
+        apiToken: 'secret-token',
+    });
+
+    const cliConfig = JSON.parse(readFileSync(cliPath, 'utf8'));
+    assert.deepEqual(cliConfig.permissions.allow, ['Shell(git)', 'Mcp(security-review-mcp:*)']);
+    assert.deepEqual(cliConfig.permissions.deny, ['Shell(rm)']);
+});

package/src/generators/mcp/vscode.js

@@ -2,6 +2,19 @@ import { join } from 'node:path';
 import { readJson, writeJson } from '../../utils/fs-helpers.js';
 import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
 
+function getSandboxAllowedDomains(apiUrl) {
+    const domains = ['registry.npmjs.org'];
+    try {
+        const hostname = new URL(apiUrl).hostname;
+        if (hostname) {
+            domains.push(hostname);
+        }
+    } catch {
+        // Keep the documented sandbox shape even if the URL is supplied later through another workflow.
+    }
+    return [...new Set(domains)];
+}
+
 /**
  * Generate VS Code Copilot MCP config at .vscode/mcp.json
  * Uses the VS Code input variable pattern for secure credential prompting.
@@ -22,6 +35,12 @@ export function generate(cwd, envVars) {
             SECURITY_REVIEW_API_URL: envVars.apiUrl,
             SECURITY_REVIEW_API_TOKEN: envVars.apiToken,
         },
+        sandboxEnabled: true,
+        sandbox: {
+            network: {
+                allowedDomains: getSandboxAllowedDomains(envVars.apiUrl),
+            },
+        },
     };
 
     writeJson(filePath, existing);

package/src/generators/mcp/vscode.test.js

@@ -0,0 +1,21 @@
+import { mkdtempSync, readFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import { generate } from './vscode.js';
+
+test('VS Code MCP generator enables sandbox auto-approval for the SRAI server', () => {
+    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-vscode-mcp-'));
+
+    generate(cwd, {
+        apiUrl: 'https://api.example.test/v1',
+        apiToken: 'secret-token',
+    });
+
+    const config = JSON.parse(readFileSync(join(cwd, '.vscode', 'mcp.json'), 'utf8'));
+    const server = config.servers['security-review-mcp'];
+    assert.equal(server.type, 'stdio');
+    assert.equal(server.sandboxEnabled, true);
+    assert.deepEqual(server.sandbox.network.allowedDomains, ['registry.npmjs.org', 'api.example.test']);
+});

package/src/generators/rules/content.js

@@ -96,7 +96,7 @@ export function getGuardrailsRuleContent(options = {}) {
 }
 
 /**
- * Guardrails init profile command (repo scan + profile.json + SRAI upload).
+ * Guardrails init profile command (repo scan + .guardrails/profile.json + SRAI upload).
  */
 export function getGuardrailsInitProfileContent(options = {}) {
     return readTemplate('guardrails-init-profile.md', options);

package/src/generators/rules/cursor.js

@@ -3,11 +3,11 @@ import { join } from 'node:path';
 import {
     GUARDRAILS_PROFILER_SKILL_REL_DIR,
     GUARDRAILS_SELECTION_SKILL_REL_DIR,
-    MCP_SERVER_NAME,
     THREAT_MODELLING_SKILL_REL_DIR,
     VIBEREVIEW_SYNC_SKILL_REL_DIR,
 } from '../../utils/constants.js';
-import { readJson, writeJson, writeText } from '../../utils/fs-helpers.js';
+import { writeText } from '../../utils/fs-helpers.js';
+import { mergeCursorCliMcpAllowlist } from '../../utils/cursor-cli-permissions.js';
 import {
     getRuleContent,
     getProfileCommandContent,
@@ -46,34 +46,6 @@ function removeGeneratedText(filePath) {
     return null;
 }
 
-/**
- * Merge `.cursor/cli.json` so Cursor CLI / Agent auto-allows security-review-mcp tools (no MCP approval prompts).
- * @see https://cursor.com/docs/cli/reference/permissions
- */
-function mergeCursorCliMcpAllowlist(cwd) {
-    const cliPath = join(cwd, '.cursor', 'cli.json');
-    const existed = existsSync(cliPath);
-    const existing = readJson(cliPath) || {};
-    if (!existing.permissions || typeof existing.permissions !== 'object') {
-        existing.permissions = {};
-    }
-    if (!Array.isArray(existing.permissions.allow)) {
-        existing.permissions.allow = [];
-    }
-    const token = `Mcp(${MCP_SERVER_NAME}:*)`;
-    if (!existing.permissions.allow.includes(token)) {
-        existing.permissions.allow.push(token);
-    }
-    // Cursor CLI schema requires permissions.deny to be a string[] (may be empty).
-    // @see https://cursor.com/docs/cli/reference/configuration
-    if (!Array.isArray(existing.permissions.deny)) {
-        existing.permissions.deny = [];
-    }
-    writeJson(cliPath, existing);
-    const action = existed ? 'updated' : 'created';
-    return { filePath: cliPath, action };
-}
-
 /**
  * Generate Cursor workspace rules at .cursor/rules/*.mdc
  * Cursor uses .mdc format with YAML front matter.
@@ -135,7 +107,9 @@ export function generate(cwd, options = {}) {
     const hooksAction = existsSync(hooksPath) ? 'updated' : 'created';
     writeText(hooksPath, hooksContent);
 
-    const cliPermissions = mergeCursorCliMcpAllowlist(cwd);
+    const cursorCliPath = join(cwd, '.cursor', 'cli.json');
+    const cliPermissionsExisted = existsSync(cursorCliPath);
+    mergeCursorCliMcpAllowlist(cwd);
 
     return [
         { ...baseRule, kind: 'rule' },
@@ -145,7 +119,7 @@ export function generate(cwd, options = {}) {
         { filePath: skillPath, action: skillAction, kind: 'skill' },
         { filePath: vibereviewSyncSkillPath, action: vibereviewSyncSkillAction, kind: 'skill' },
         { filePath: hooksPath, action: hooksAction, kind: 'hooks' },
-        { ...cliPermissions, kind: 'config' },
+        { filePath: cursorCliPath, action: cliPermissionsExisted ? 'updated' : 'created', kind: 'config' },
         ...(deletedLegacyRule ? [{ ...deletedLegacyRule, kind: 'cleanup' }] : []),
         ...(deletedLegacyCommand ? [{ ...deletedLegacyCommand, kind: 'cleanup' }] : []),
         ...(deletedLegacyAgent ? [{ ...deletedLegacyAgent, kind: 'cleanup' }] : []),

package/src/generators/rules/guardrails-init-profile.md

@@ -1,6 +1,6 @@
 ---
 name: guardrails-init-profile
-description: Run the Security Review Kit guardrails profiler — scan the repo, write profile.json, push profile and default guardrail pack to SecurityReview.ai via MCP.
+description: Run the Security Review Kit guardrails profiler — scan the repo, write `.guardrails/profile.json`, push the profile and default guardrail pack to SecurityReview.ai via MCP.
 ---
 
 # Guardrails init profile
@@ -12,7 +12,7 @@ Configured SRAI project name: `<SRAI_PROJECT_NAME>`
 **You must:**
 
 1. Read `{{GUARDRAILS_SKILL_DIR}}/SKILL.md` and follow every step (use the signal registry at `{{GUARDRAILS_SKILL_DIR}}/references/signal-registry.json`).
-2. Write `.guardrails/profile.json` and **`profile.json`** at the project root as specified.
+2. Write `.guardrails/profile.json` as specified.
 3. Call **`update_vibe_profile`** and **`write_default_pack`** on `security-review-mcp` after resolving `project_id` for `<SRAI_PROJECT_NAME>`.
 
 Do not skip MCP upload when credentials and MCP are available.

package/src/generators/rules/guardrails-profiler/SKILL.md

@@ -5,7 +5,7 @@ description: Profile a codebase to detect its technology stack and generate a gu
 
 # Guardrails Profiler
 
-Profile a codebase's technology stack, write `.guardrails/profile.json`, write a combined **`profile.json` in the project root**, and upload to SRAI using `update_vibe_profile` and `write_default_pack`.
+Profile a codebase's technology stack, write `.guardrails/profile.json`, and upload the detected profile and default guardrail pack to SRAI using `update_vibe_profile` and `write_default_pack`.
 
 Configured SRAI project name: `<SRAI_PROJECT_NAME>`
 
@@ -14,7 +14,6 @@ Configured SRAI project name: `<SRAI_PROJECT_NAME>`
 - **This skill & signal registry (read-only):** `<GUARDRAILS_SKILL_DIR>/` — e.g. `.cursor/skills/guardrails-profiler`, `.github/skills/guardrails-profiler`, `.claude/skills/guardrails-profiler`, or `.codex/skills/guardrails-profiler` for Codex depending on where this file was installed.
 - **Signal registry file:** `<GUARDRAILS_SKILL_DIR>/references/signal-registry.json`
 - **Local guardrails file:** `.guardrails/profile.json`
-- **Combined manifest (project root):** `profile.json` — includes guardrails profile, vibe profile fields for MCP, and default pack payload
 
 ## When This Runs
 
@@ -102,40 +101,19 @@ Do **not** invent packs or signals; if the repo is empty, use universal baseline
 
 Create `.guardrails/` if needed and write the profile file.
 
-### Step 6: Build `profile.json` (project root)
-
-Write **`profile.json`** at the project root with **only** these parts:
-
-```json
-{
-  "schema_version": "2.0",
-  "srai_project_name": "<SRAI_PROJECT_NAME>",
-  "guardrails_profile": {},
-  "default_guardrail_pack": {
-    "guardrail_packs": [],
-    "pack_count": 0
-  }
-}
-```
-
-- Populate **`guardrails_profile`** with the **same object** written to `.guardrails/profile.json` (detection summary, packs, etc.).
-- Populate **`default_guardrail_pack`** with the deduplicated `guardrail_packs` list (same ids as in `guardrails_profile`) and `pack_count`.
-
-**Do not** add a separate `vibe_profile` block and do **not** populate narrative fields such as long `description`, `architecture_notes`, `tech_categories`, `user_groups`, `compliance_requirements`, or `language_stacks`. The server-facing “vibe” update is driven **only** from the technical **`guardrails_profile`** plus the default pack (see Step 7).
-
-### Step 7: Upload to SecurityReview.ai (security-review-mcp)
+### Step 6: Upload to SecurityReview.ai (security-review-mcp)
 
 1. Resolve `project_id`: `find_project_by_name` with `name="<SRAI_PROJECT_NAME>"`. If missing, follow existing kit rules (`list_projects`, `create_project`).
 
-2. Call **`update_vibe_profile`** with `project_id` and arguments mapped **only** from **`profile.json.guardrails_profile`** (and any required `project_id` fields) per the MCP tool’s documented schema. Treat the guardrails detection object as the profile payload — **not** a separate prose vibe document.
+2. Call **`update_vibe_profile`** with `project_id` and arguments mapped directly from the `.guardrails/profile.json` object (and any required `project_id` fields) per the MCP tool’s documented schema. Treat the guardrails detection object as the profile payload — **not** a separate prose vibe document.
 
-3. Call **`write_default_pack`** with `project_id` and the payload from **`profile.json.default_guardrail_pack`** (match the MCP tool’s schema).
+3. Call **`write_default_pack`** with `project_id`, `guardrail_packs`, and `pack_count` derived from `.guardrails/profile.json` (match the MCP tool’s schema).
 
 4. **MCP approval:** Do **not** ask the user to “approve MCP” or “say you approve” for `security-review-mcp`. Security Review Kit passes the configured MCP server and approval settings during init-time profiling where the CLI supports it (for example Cursor CLI permissions and Copilot CLI `--additional-mcp-config` / `--allow-all`). Invoke `find_project_by_name`, `update_vibe_profile`, and `write_default_pack` directly. If a call still fails with permissions, report the exact CLI permission error — not a conversational approval step.
 
-5. Confirm success: paths written (`profile.json`, `.guardrails/profile.json`) and whether both MCP calls succeeded, or the exact error.
+5. Confirm success: path written (`.guardrails/profile.json`) and whether both MCP calls succeeded, or the exact error.
 
-### Step 8: Report
+### Step 7: Report
 
 Give a concise summary of detected stack, pack count, and upload status.
 
@@ -145,7 +123,7 @@ If there are no signals:
 
 1. Optionally read `.git/config` for hints.
 2. Emit minimal profile: `owasp-asvs` only, empty summaries where appropriate.
-3. Still write `profile.json` (minimal `guardrails_profile` + `default_guardrail_pack`) and attempt MCP calls.
+3. Still write `.guardrails/profile.json` (minimal baseline profile) and attempt MCP calls.
 
 ## IDE-Specific Notes
 

package/src/utils/cursor-cli-permissions.js

@@ -0,0 +1,28 @@
+import { join } from 'node:path';
+import { MCP_SERVER_NAME } from './constants.js';
+import { readJson, writeJson } from './fs-helpers.js';
+
+/**
+ * Merge project-level Cursor CLI permissions so cursor-agent can use the SRAI MCP tools.
+ * @see https://docs.cursor.com/cli/reference/configuration
+ * @see https://docs.cursor.com/cli/reference/permissions
+ */
+export function mergeCursorCliMcpAllowlist(cwd) {
+    const cliPath = join(cwd, '.cursor', 'cli.json');
+    const existing = readJson(cliPath) || {};
+    if (!existing.permissions || typeof existing.permissions !== 'object' || Array.isArray(existing.permissions)) {
+        existing.permissions = {};
+    }
+    if (!Array.isArray(existing.permissions.allow)) {
+        existing.permissions.allow = [];
+    }
+    const token = `Mcp(${MCP_SERVER_NAME}:*)`;
+    if (!existing.permissions.allow.includes(token)) {
+        existing.permissions.allow.push(token);
+    }
+    if (!Array.isArray(existing.permissions.deny)) {
+        existing.permissions.deny = [];
+    }
+    writeJson(cliPath, existing);
+    return cliPath;
+}

package/src/utils/profiler-agent.js

@@ -65,7 +65,7 @@ export function buildProfilerAgentPrompt(projectName, agentTarget = 'cursor') {
         `SRAI project name: "${p}".`,
         `Open and follow every step in ${skillRoot}/SKILL.md.`,
         `Use ${skillRoot}/references/signal-registry.json as the signal registry.`,
-        'Write .guardrails/profile.json and profile.json at the repository root as defined in the skill.',
+        'Write .guardrails/profile.json as defined in the skill.',
         `Resolve project_id with find_project_by_name for "${p}", then call update_vibe_profile and write_default_pack via security-review-mcp.`,
         'Do not invent stack details, compliance, or user groups; ground everything in the repository.',
     ].join('\n');

package/src/utils/profiler-agent.test.js

@@ -6,6 +6,7 @@ import assert from 'node:assert/strict';
 import {
     buildCodexConfigOverrides,
     buildCopilotAdditionalMcpConfig,
+    buildProfilerAgentPrompt,
     pickProfilerAgentTarget,
 } from './profiler-agent.js';
 
@@ -71,3 +72,10 @@ test('buildCodexConfigOverrides builds inline MCP config for profiling', () => {
         'mcp_servers.security-review-mcp.env.SECURITY_REVIEW_API_TOKEN="token"',
     ]);
 });
+
+test('buildProfilerAgentPrompt only instructs writing the guardrails profile under .guardrails', () => {
+    const prompt = buildProfilerAgentPrompt('demo-project', 'codex');
+
+    assert.match(prompt, /Write \.guardrails\/profile\.json as defined in the skill\./);
+    assert.doesNotMatch(prompt, /profile\.json at the repository root/);
+});