@securityreviewai/securityreview-kit 0.1.47 → 0.1.49

package/src/generators/rules/vscode.js

@@ -1,101 +0,0 @@
-import { existsSync, unlinkSync } from 'node:fs';
-import { join } from 'node:path';
-import {
-    GUARDRAILS_SELECTION_SKILL_REL_DIR,
-    THREAT_MODELLING_SKILL_REL_DIR,
-    VIBEREVIEW_SYNC_SKILL_REL_DIR,
-} from '../../utils/constants.js';
-import { upsertSentinelBlock, writeText } from '../../utils/fs-helpers.js';
-import { getRuleContent, getThreatModellingSkillContent, getVibeReviewSyncSkillContent } from './content.js';
-
-function writeGeneratedText(filePath, content) {
-    const action = existsSync(filePath) ? 'updated' : 'created';
-    writeText(filePath, content);
-    return { filePath, action };
-}
-
-function removeGeneratedText(filePath) {
-    if (existsSync(filePath)) {
-        unlinkSync(filePath);
-        return { filePath, action: 'deleted' };
-    }
-    return null;
-}
-
-function getCopilotSessionHookContent() {
-    const additionalContext = [
-        '## MANDATORY SECURITY GATE (Session Policy)',
-        '',
-        'For any request with security impact (auth, authorization, crypto, input handling, secrets, network, data storage, dependencies, new APIs/endpoints, infrastructure, or code handling untrusted data), follow this order:',
-        '',
-        '1. Fetch Vibe Guardrails first using .github/skills/guardrails-selection/SKILL.md. Resolve the project, call get_guardrails, shortlist relevant guardrails, then call get_guardrail_by_id for the shortlist.',
-        '2. Run PWNISMS threat modelling using .github/skills/threat-modelling/SKILL.md. Explicitly walk Product, Workload, Network, IAM, Secrets, Monitoring, and Supply Chain.',
-        '3. Implement secure code using both the hydrated guardrails and PWNISMS findings.',
-        '4. Read .github/skills/vibereview-sync/SKILL.md. Write a structured .md artifact under vibereview/, do not read sibling markdown files there just to infer format, validate it, and call sync_ai_ide_markdown directly after threat modelling or guardrail enforcement. Reuse the exact guardrail shortlist; do not re-query guardrails during the final sync.',
-        '',
-        'Do not use project-profile exploration tools during normal coding tasks. No blocking and no deferral: guardrails first, PWNISMS second, implementation third, VibeReview sync last.',
-    ].join('\n');
-
-    const commandPayload = JSON.stringify({
-        hookSpecificOutput: {
-            hookEventName: 'SessionStart',
-            additionalContext,
-        },
-    });
-
-    return JSON.stringify(
-        {
-            hooks: {
-                SessionStart: [
-                    {
-                        type: 'command',
-                        command: `printf '%s\\n' '${commandPayload.replaceAll("'", "'\\''")}'`,
-                        timeout: 5,
-                    },
-                ],
-            },
-        },
-        null,
-        2,
-    ) + '\n';
-}
-
-/**
- * Generate VS Code Copilot instructions — appends to .github/copilot-instructions.md
- */
-export function generate(cwd, options = {}) {
-    const optionsWithSkillDirs = {
-        ...options,
-        guardrailsSelectionSkillDir: GUARDRAILS_SELECTION_SKILL_REL_DIR.vscode,
-        threatModellingSkillDir: THREAT_MODELLING_SKILL_REL_DIR.vscode,
-        vibereviewSyncSkillDir: VIBEREVIEW_SYNC_SKILL_REL_DIR.vscode,
-    };
-    const filePath = join(cwd, '.github', 'copilot-instructions.md');
-    const content = getRuleContent(optionsWithSkillDirs);
-    const action = upsertSentinelBlock(filePath, content);
-
-    const threatSkillPath = join(cwd, THREAT_MODELLING_SKILL_REL_DIR.vscode, 'SKILL.md');
-    const threatSkill = writeGeneratedText(
-        threatSkillPath,
-        getThreatModellingSkillContent(optionsWithSkillDirs),
-    );
-
-    const vibereviewSyncSkillPath = join(cwd, VIBEREVIEW_SYNC_SKILL_REL_DIR.vscode, 'SKILL.md');
-    const vibereviewSyncSkill = writeGeneratedText(
-        vibereviewSyncSkillPath,
-        getVibeReviewSyncSkillContent(optionsWithSkillDirs),
-    );
-
-    const deletedLegacyAgent = removeGeneratedText(join(cwd, '.github', 'agents', 'ctm_sync.agent.md'));
-
-    const hooksPath = join(cwd, '.github', 'hooks', 'srai-session-policy.json');
-    const hooks = writeGeneratedText(hooksPath, getCopilotSessionHookContent());
-
-    return [
-        { filePath, action, kind: 'rule' },
-        { ...threatSkill, kind: 'skill' },
-        { ...vibereviewSyncSkill, kind: 'skill' },
-        { ...hooks, kind: 'hooks' },
-        ...(deletedLegacyAgent ? [{ ...deletedLegacyAgent, kind: 'cleanup' }] : []),
-    ];
-}

package/src/generators/rules/vscode.test.js

@@ -1,54 +0,0 @@
-import { existsSync, mkdtempSync, readFileSync } from 'node:fs';
-import { tmpdir } from 'node:os';
-import { join } from 'node:path';
-import { test } from 'node:test';
-import assert from 'node:assert/strict';
-import { generate } from './vscode.js';
-
-test('VS Code Copilot generator writes instructions, skills, and hooks', () => {
-    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-vscode-'));
-
-    const results = generate(cwd, { projectName: 'SmokeProject' });
-
-    const expectedPaths = [
-        '.github/copilot-instructions.md',
-        '.github/skills/threat-modelling/SKILL.md',
-        '.github/skills/vibereview-sync/SKILL.md',
-        '.github/hooks/srai-session-policy.json',
-    ];
-
-    for (const relPath of expectedPaths) {
-        assert.equal(existsSync(join(cwd, relPath)), true, `${relPath} should exist`);
-    }
-
-    assert.deepEqual(results.map((entry) => entry.kind), ['rule', 'skill', 'skill', 'hooks']);
-
-    const instructions = readFileSync(join(cwd, '.github/copilot-instructions.md'), 'utf8');
-    assert.match(instructions, /\.github\/skills\/guardrails-selection\/SKILL\.md/);
-    assert.match(instructions, /\.github\/skills\/threat-modelling\/SKILL\.md/);
-    assert.match(instructions, /\.github\/skills\/vibereview-sync\/SKILL\.md/);
-    assert.match(instructions, /sync_ai_ide_markdown/);
-    assert.match(instructions, /vibereview\//);
-    assert.doesNotMatch(instructions, /\.cursor/);
-
-    const threatSkill = readFileSync(join(cwd, '.github/skills/threat-modelling/SKILL.md'), 'utf8');
-    for (const heading of ['Product', 'Workload', 'Network', 'IAM', 'Secrets', 'Monitoring', 'Supply Chain']) {
-        assert.match(threatSkill, new RegExp(heading));
-    }
-    assert.match(threatSkill, /sync_ai_ide_markdown/);
-    assert.match(threatSkill, /vibereview\//);
-    assert.doesNotMatch(threatSkill, /get_project_profile_description/);
-
-    const vibereviewSkill = readFileSync(join(cwd, '.github/skills/vibereview-sync/SKILL.md'), 'utf8');
-    assert.match(vibereviewSkill, /Do not read other/i);
-    assert.match(vibereviewSkill, /sync_ai_ide_markdown/);
-    assert.match(vibereviewSkill, /Guardrails Applied/);
-    assert.match(vibereviewSkill, /Practice 1/);
-    assert.match(vibereviewSkill, /practice_name:/);
-
-    const hooks = JSON.parse(readFileSync(join(cwd, '.github/hooks/srai-session-policy.json'), 'utf8'));
-    assert.equal(hooks.hooks.SessionStart[0].type, 'command');
-    assert.match(hooks.hooks.SessionStart[0].command, /vibereview/);
-    assert.match(hooks.hooks.SessionStart[0].command, /sync_ai_ide_markdown/);
-    assert.match(hooks.hooks.SessionStart[0].command, /vibereview-sync\/SKILL\.md/);
-});

package/src/generators/rules/windsurf.js

@@ -1,13 +0,0 @@
-import { join } from 'node:path';
-import { writeText } from '../../utils/fs-helpers.js';
-import { getRuleContent } from './content.js';
-
-/**
- * Generate Windsurf workspace rule at .windsurf/rules/srai-security-review.md
- */
-export function generate(cwd, options = {}) {
-    const filePath = join(cwd, '.windsurf', 'rules', 'srai-security-review.md');
-    const content = getRuleContent(options);
-    writeText(filePath, content + '\n');
-    return filePath;
-}

package/src/utils/constants.js

@@ -1,95 +0,0 @@
-// Shared constants for securityreview-kit
-
-export const MCP_SERVER_PACKAGE = '@securityreviewai/security-review-mcp';
-export const MCP_SERVER_NAME = 'security-review-mcp';
-
-export const ENV_VARS = {
-    apiUrl: 'SECURITY_REVIEW_API_URL',
-    apiToken: 'SECURITY_REVIEW_API_TOKEN',
-};
-
-export const TARGETS = {
-    cursor: {
-        name: 'Cursor',
-        mcpConfigPath: '.cursor/mcp.json',
-        rulePath: '.cursor/rules/srai-security-review.mdc',
-        detectDirs: ['.cursor'],
-    },
-    claude: {
-        name: 'Claude Code',
-        mcpConfigPath: '.mcp.json',
-        rulePath: '.claude/CLAUDE.md',
-        ruleMode: 'append',
-        detectDirs: ['.claude'],
-    },
-    vscode: {
-        name: 'VS Code Copilot',
-        mcpConfigPath: '.vscode/mcp.json',
-        rulePath: '.github/copilot-instructions.md',
-        ruleMode: 'append',
-        detectDirs: ['.vscode'],
-    },
-    windsurf: {
-        name: 'Windsurf',
-        mcpConfigPath: '.windsurf/mcp_config.json',
-        rulePath: '.windsurf/rules/srai-security-review.md',
-        detectDirs: ['.windsurf'],
-    },
-    codex: {
-        name: 'Codex',
-        mcpConfigPath: '.codex/config.toml',
-        rulePath: '.codex/AGENTS.md',
-        ruleMode: 'append',
-        detectDirs: ['.codex'],
-    },
-    gemini: {
-        name: 'Gemini CLI',
-        mcpConfigPath: '.gemini/settings.json',
-        rulePath: 'GEMINI.md',
-        ruleMode: 'append',
-        detectDirs: ['.gemini'],
-    },
-    antigravity: {
-        name: 'Antigravity',
-        mcpConfigPath: '.gemini/settings.json',
-        rulePath: '.agent/rules/srai-security-review.md',
-        detectDirs: ['.agent'],
-    },
-};
-
-export const TARGET_NAMES = Object.keys(TARGETS);
-
-/** Relative workspace dirs for the guardrails-profiler skill (per IDE / CLI). */
-export const GUARDRAILS_PROFILER_SKILL_REL_DIR = {
-    cursor: '.cursor/skills/guardrails-profiler',
-    claude: '.claude/skills/guardrails-profiler',
-    vscode: '.github/skills/guardrails-profiler',
-    codex: '.codex/skills/guardrails-profiler',
-};
-
-/** Relative workspace dirs for the guardrails-selection skill (per IDE / CLI). */
-export const GUARDRAILS_SELECTION_SKILL_REL_DIR = {
-    cursor: '.cursor/skills/guardrails-selection',
-    claude: '.claude/skills/guardrails-selection',
-    vscode: '.github/skills/guardrails-selection',
-    codex: '.codex/skills/guardrails-selection',
-};
-
-/** Relative workspace dirs for the PWNISMS threat-modelling skill (per IDE / CLI). */
-export const THREAT_MODELLING_SKILL_REL_DIR = {
-    cursor: '.cursor/skills/threat-modelling',
-    claude: '.claude/skills/threat-modelling',
-    vscode: '.github/skills/threat-modelling',
-    codex: '.codex/skills/threat-modelling',
-};
-
-/** Relative workspace dirs for the VibeReview markdown sync skill (per IDE / CLI). */
-export const VIBEREVIEW_SYNC_SKILL_REL_DIR = {
-    cursor: '.cursor/skills/vibereview-sync',
-    claude: '.claude/skills/vibereview-sync',
-    vscode: '.github/skills/vibereview-sync',
-    codex: '.codex/skills/vibereview-sync',
-};
-
-export const SENTINEL_START = '<!-- securityreview-kit:start -->';
-export const SENTINEL_END = '<!-- securityreview-kit:end -->';

package/src/utils/cursor-agent-path.js

@@ -1,67 +0,0 @@
-import { existsSync } from 'node:fs';
-import { spawnSync } from 'node:child_process';
-import { homedir } from 'node:os';
-import { delimiter, isAbsolute, join } from 'node:path';
-
-/**
- * Extra PATH segments where Cursor / other CLIs are often installed.
- * GUI-launched terminals load shell rc files; Node subprocesses often do not.
- */
-export function augmentPathEnv(baseEnv = process.env) {
-    const home = homedir();
-    const extra = [
-        join(home, '.local', 'bin'),
-        join(home, '.cursor', 'bin'),
-        '/opt/homebrew/bin',
-        '/usr/local/bin',
-    ];
-    if (process.platform === 'win32') {
-        extra.push(join(home, 'AppData', 'Local', 'Programs', 'cursor'));
-    }
-    const pathKey = process.platform === 'win32' ? 'Path' : 'PATH';
-    const current = baseEnv[pathKey] || baseEnv.PATH || '';
-    const merged = [...extra.filter((p) => p), current].filter(Boolean).join(delimiter);
-    return { ...baseEnv, [pathKey]: merged, PATH: merged };
-}
-
-/**
- * Cursor Agent CLI binary (`agent` or legacy `cursor-agent`) that responds to `--version`, or null.
- * New installs often only ship `agent` in ~/.local/bin (see https://cursor.com/docs/cli/installation).
- */
-export function resolveCursorAgentExecutable() {
-    const env = augmentPathEnv();
-    const home = homedir();
-    const candidates = [
-        join(home, '.local', 'bin', 'agent'),
-        join(home, '.local', 'bin', 'cursor-agent'),
-        ...(process.platform === 'win32'
-            ? [
-                  join(home, '.local', 'bin', 'agent.cmd'),
-                  join(home, '.local', 'bin', 'cursor-agent.cmd'),
-              ]
-            : []),
-        join(home, '.cursor', 'bin', 'agent'),
-        join(home, '.cursor', 'bin', 'cursor-agent'),
-        'agent',
-        'cursor-agent',
-    ];
-    if (process.platform === 'win32') {
-        const base = join(home, 'AppData', 'Local', 'Programs', 'cursor');
-        candidates.splice(
-            candidates.length - 2,
-            0,
-            join(base, 'agent.exe'),
-            join(base, 'cursor-agent.exe'),
-        );
-    }
-    for (const cmd of candidates) {
-        if (isAbsolute(cmd) && !existsSync(cmd)) {
-            continue;
-        }
-        const r = spawnSync(cmd, ['--version'], { stdio: 'ignore', env });
-        if (r.status === 0) {
-            return cmd;
-        }
-    }
-    return null;
-}

package/src/utils/cursor-cli-permissions.js

@@ -1,28 +0,0 @@
-import { join } from 'node:path';
-import { MCP_SERVER_NAME } from './constants.js';
-import { readJson, writeJson } from './fs-helpers.js';
-
-/**
- * Merge project-level Cursor CLI permissions so cursor-agent can use the SRAI MCP tools.
- * @see https://docs.cursor.com/cli/reference/configuration
- * @see https://docs.cursor.com/cli/reference/permissions
- */
-export function mergeCursorCliMcpAllowlist(cwd) {
-    const cliPath = join(cwd, '.cursor', 'cli.json');
-    const existing = readJson(cliPath) || {};
-    if (!existing.permissions || typeof existing.permissions !== 'object' || Array.isArray(existing.permissions)) {
-        existing.permissions = {};
-    }
-    if (!Array.isArray(existing.permissions.allow)) {
-        existing.permissions.allow = [];
-    }
-    const token = `Mcp(${MCP_SERVER_NAME}:*)`;
-    if (!existing.permissions.allow.includes(token)) {
-        existing.permissions.allow.push(token);
-    }
-    if (!Array.isArray(existing.permissions.deny)) {
-        existing.permissions.deny = [];
-    }
-    writeJson(cliPath, existing);
-    return cliPath;
-}

package/src/utils/detect.js

@@ -1,27 +0,0 @@
-import { existsSync } from 'node:fs';
-import { join } from 'node:path';
-import { TARGETS, TARGET_NAMES } from './constants.js';
-
-/**
- * Auto-detect which IDE/CLI targets are configured in the given directory
- * by checking for known directories.
- * @param {string} cwd - The directory to scan
- * @returns {string[]} - List of detected target keys
- */
-export function detectTargets(cwd) {
-    const detected = [];
-    const seen = new Set();
-
-    for (const key of TARGET_NAMES) {
-        const target = TARGETS[key];
-        for (const dir of target.detectDirs) {
-            const fullPath = join(cwd, dir);
-            if (existsSync(fullPath) && !seen.has(key)) {
-                detected.push(key);
-                seen.add(key);
-            }
-        }
-    }
-
-    return detected;
-}

package/src/utils/fs-helpers.js

@@ -1,82 +0,0 @@
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
-import { dirname, join } from 'node:path';
-import { SENTINEL_START, SENTINEL_END } from './constants.js';
-
-/**
- * Ensure a directory exists, creating parent dirs as needed.
- */
-export function ensureDir(dirPath) {
-    if (!existsSync(dirPath)) {
-        mkdirSync(dirPath, { recursive: true });
-    }
-}
-
-/**
- * Read a JSON file, returning null if it doesn't exist or is invalid.
- */
-export function readJson(filePath) {
-    try {
-        const raw = readFileSync(filePath, 'utf-8');
-        return JSON.parse(raw);
-    } catch {
-        return null;
-    }
-}
-
-/**
- * Write an object as pretty-printed JSON.
- */
-export function writeJson(filePath, data) {
-    ensureDir(dirname(filePath));
-    writeFileSync(filePath, JSON.stringify(data, null, 2) + '\n', 'utf-8');
-}
-
-/**
- * Read a text file, returning empty string if it doesn't exist.
- */
-export function readText(filePath) {
-    try {
-        return readFileSync(filePath, 'utf-8');
-    } catch {
-        return '';
-    }
-}
-
-/**
- * Write raw text to a file, ensuring parent dirs exist.
- */
-export function writeText(filePath, content) {
-    ensureDir(dirname(filePath));
-    writeFileSync(filePath, content, 'utf-8');
-}
-
-/**
- * Append or replace a sentinel-guarded block in a file.
- * If the file exists and already has the block, it replaces it.
- * If the file exists but doesn't have the block, it appends.
- * If the file doesn't exist, it creates it with just the block.
- */
-export function upsertSentinelBlock(filePath, content) {
-    const block = `${SENTINEL_START}\n${content}\n${SENTINEL_END}`;
-    const existing = readText(filePath);
-
-    if (!existing) {
-        writeText(filePath, block + '\n');
-        return 'created';
-    }
-
-    const startIdx = existing.indexOf(SENTINEL_START);
-    const endIdx = existing.indexOf(SENTINEL_END);
-
-    if (startIdx !== -1 && endIdx !== -1) {
-        const before = existing.substring(0, startIdx);
-        const after = existing.substring(endIdx + SENTINEL_END.length);
-        writeText(filePath, before + block + after);
-        return 'updated';
-    }
-
-    // Append with a blank line separator
-    const separator = existing.endsWith('\n') ? '\n' : '\n\n';
-    writeText(filePath, existing + separator + block + '\n');
-    return 'appended';
-}

package/src/utils/guardrails-profiler-bundle.js

@@ -1,84 +0,0 @@
-import { copyFileSync, readFileSync } from 'node:fs';
-import { dirname, join } from 'node:path';
-import { fileURLToPath } from 'node:url';
-import { GUARDRAILS_PROFILER_SKILL_REL_DIR, GUARDRAILS_SELECTION_SKILL_REL_DIR } from './constants.js';
-import { ensureDir, writeText } from './fs-helpers.js';
-
-const __dirname = dirname(fileURLToPath(import.meta.url));
-
-function sanitizeProjectName(value) {
-    return String(value || '').replace(/[\r\n`]/g, ' ').trim();
-}
-
-function injectProjectName(content, projectName) {
-    const resolved = sanitizeProjectName(projectName) || '<SRAI_PROJECT_NAME>';
-    return content.replaceAll('{{SRAI_PROJECT_NAME}}', resolved).replaceAll('<SRAI_PROJECT_NAME>', resolved);
-}
-
-function injectSkillDir(content, skillDirRel) {
-    return content
-        .replaceAll('<GUARDRAILS_SKILL_DIR>', skillDirRel)
-        .replaceAll('{{GUARDRAILS_SELECTION_SKILL_DIR}}', skillDirRel);
-}
-
-function injectSkillTemplate(content, projectName, skillDirRel) {
-    return injectSkillDir(injectProjectName(content, projectName), skillDirRel);
-}
-
-const PROFILER_BUNDLE_ROOT = join(__dirname, '..', 'generators', 'rules', 'guardrails-profiler');
-const SELECTION_BUNDLE_ROOT = join(__dirname, '..', 'generators', 'rules', 'guardrails-selection');
-
-/**
- * Writes bundled guardrails skills under each selected IDE skills directory.
- *
- * @returns {string[]} Absolute paths to each skill root written */
-export function writeGuardrailsSkillBundles(cwd, options = {}) {
-    const targets = Array.isArray(options.targets) ? options.targets : [];
-    const written = [];
-
-    for (const target of targets) {
-        const profilerRel = GUARDRAILS_PROFILER_SKILL_REL_DIR[target];
-        if (profilerRel) {
-            const profilerDestBase = join(cwd, profilerRel);
-            const profilerDestRefs = join(profilerDestBase, 'references');
-            ensureDir(profilerDestRefs);
-
-            const profilerSkillTemplate = readFileSync(join(PROFILER_BUNDLE_ROOT, 'SKILL.md'), 'utf-8');
-            writeText(
-                join(profilerDestBase, 'SKILL.md'),
-                injectSkillTemplate(profilerSkillTemplate, options.projectName, profilerRel),
-            );
-
-            copyFileSync(
-                join(PROFILER_BUNDLE_ROOT, 'references', 'signal-registry.json'),
-                join(profilerDestRefs, 'signal-registry.json'),
-            );
-
-            written.push(profilerDestBase);
-        }
-
-        const selectionRel = GUARDRAILS_SELECTION_SKILL_REL_DIR[target];
-        if (selectionRel) {
-            const selectionDestBase = join(cwd, selectionRel);
-            const selectionDestRefs = join(selectionDestBase, 'references');
-            ensureDir(selectionDestRefs);
-
-            const selectionSkillTemplate = readFileSync(join(SELECTION_BUNDLE_ROOT, 'SKILL.md'), 'utf-8');
-            writeText(
-                join(selectionDestBase, 'SKILL.md'),
-                injectSkillTemplate(selectionSkillTemplate, options.projectName, selectionRel),
-            );
-
-            copyFileSync(
-                join(SELECTION_BUNDLE_ROOT, 'references', 'category-threat-map.md'),
-                join(selectionDestRefs, 'category-threat-map.md'),
-            );
-
-            written.push(selectionDestBase);
-        }
-    }
-
-    return written;
-}
-
-export const writeGuardrailsProfilerBundles = writeGuardrailsSkillBundles;