@securityreviewai/securityreview-kit 0.1.48 → 0.1.49

package/dist/scaffold/rules.js

@@ -0,0 +1,165 @@
+const TOOL_PROJECT = "`vibreview_get_tenant_project`";
+const TOOL_GUARDRAILS = "`vibreview_get_guardrails`";
+const TOOL_SYNC = "`vibreview_ctm_sync_markdown`";
+export const SENTINEL_START = "<!-- securityreview-kit:start -->";
+export const SENTINEL_END = "<!-- securityreview-kit:end -->";
+export function claudeRuleContent() {
+    return [
+        "# VibeReview Security Workflow",
+        "",
+        "For any security-relevant task touching auth, authorization, input handling, secrets, network, storage, dependencies, new endpoints, infrastructure, or untrusted data:",
+        "",
+        `1. Resolve the current tenant/project with ${TOOL_PROJECT}.`,
+        `2. Fetch the project guardrail bundle with ${TOOL_GUARDRAILS}, shortlist only the guardrails relevant to the task, and keep that shortlist in context.`,
+        "3. Run threat modelling before implementation and cross-check the shortlist against the likely abuse paths.",
+        "4. Implement secure code using the shortlisted guardrails as hard constraints.",
+        `5. Write one markdown artifact under \`.vibreview/scans/\` and call ${TOOL_SYNC} immediately after writing or updating it.`,
+        "",
+        "Do not run local profiling from the IDE. Repository profiling happens server-side after project creation.",
+    ].join("\n");
+}
+export function copilotRuleContent() {
+    return [
+        "# VibeReview Security Workflow",
+        "",
+        `Resolve the current tenant/project with ${TOOL_PROJECT}, fetch the guardrail bundle with ${TOOL_GUARDRAILS}, shortlist the relevant guardrails locally, then threat model and implement against that shortlist.`,
+        "",
+        `After the security review or implementation step, write one markdown artifact under \`.vibreview/scans/\` and call ${TOOL_SYNC} immediately. If sync fails, keep the file on disk and report the failure clearly.`,
+    ].join("\n");
+}
+export function codexRuleContent() {
+    return [
+        "# VibeReview Security Workflow",
+        "",
+        `For security-relevant work, resolve the tenant/project with ${TOOL_PROJECT}, fetch the project guardrails with ${TOOL_GUARDRAILS}, shortlist the relevant guardrails locally, and keep that shortlist active through the whole task.`,
+        "",
+        `After threat modelling or implementation, write one concise markdown artifact under \`.vibreview/scans/\` and call ${TOOL_SYNC} right away. The same agent that did the work should author the markdown so the context stays grounded.`,
+    ].join("\n");
+}
+export function cursorRuleContent() {
+    return [
+        "Before security-relevant changes, resolve the tenant/project with `vibreview_get_tenant_project`, fetch the full project guardrail bundle with `vibreview_get_guardrails`, shortlist only the relevant guardrails, then threat model before editing.",
+        "",
+        "After the review or implementation step, the same agent must write one markdown artifact under `.vibreview/scans/` and call `vibreview_ctm_sync_markdown` immediately. Do not defer sync and do not read sibling markdown files just to infer format.",
+    ].join("\n");
+}
+export function threatModelSkillContent(skillPath) {
+    return [
+        "---",
+        "name: PWNISMS Threat Modelling",
+        "description: Run a lightweight threat model before or during security-relevant implementation and keep the shortlisted VibeReview guardrails active throughout the task.",
+        "---",
+        "",
+        "# PWNISMS Threat Modelling",
+        "",
+        "Use this skill for security-relevant coding work.",
+        "",
+        "Workflow:",
+        `1. Resolve the tenant/project with ${TOOL_PROJECT}.`,
+        `2. Fetch the guardrail bundle with ${TOOL_GUARDRAILS} and shortlist only the relevant guardrails.`,
+        "3. Walk Product, Workload, Network, IAM, Secrets, Monitoring, and Supply Chain. Mark non-applicable categories briefly and move on.",
+        "4. Implement with the shortlisted guardrails treated as hard constraints.",
+        `5. Read ${skillPath}/SKILL.md after threat modelling or implementation changes the security posture.`,
+    ].join("\n");
+}
+export function syncSkillContent(scanDir = ".vibreview/scans") {
+    return [
+        "---",
+        "name: vibereview-sync",
+        "description: Write and synchronize a VibeReview markdown artifact for the current security-relevant task.",
+        "---",
+        "",
+        "# VibeReview Markdown Sync",
+        "",
+        `Write one markdown artifact under \`${scanDir}/\` for the current task only.`,
+        "",
+        "Rules:",
+        `1. The artifact must live under \`${scanDir}/\`.`,
+        "2. Do not read sibling markdown files just to infer structure or reuse content.",
+        "3. Include the threat model, selected guardrail IDs, important decisions, and grounded code evidence when useful.",
+        "4. If updating an existing task artifact, update that file directly instead of creating duplicates.",
+        `5. Call ${TOOL_SYNC} immediately after writing or updating the markdown.`,
+        "6. If sync fails, leave the markdown file on disk and report the failure clearly.",
+    ].join("\n");
+}
+export function cursorHooksContent() {
+    return JSON.stringify({
+        version: 1,
+        hooks: {
+            sessionStart: [
+                {
+                    command: `printf '%s\\n' '${jsonPayload(cursorAdditionalContext()).replaceAll("'", "'\\''")}'`,
+                    timeout: 5,
+                },
+            ],
+        },
+    }, null, 2) + "\n";
+}
+export function codexHooksContent() {
+    return JSON.stringify({
+        hooks: {
+            SessionStart: [
+                {
+                    matcher: "startup|resume",
+                    hooks: [
+                        {
+                            type: "command",
+                            command: `printf '%s\\n' '${codexPayload("SessionStart").replaceAll("'", "'\\''")}'`,
+                            timeout: 5,
+                            statusMessage: "Loading VibeReview security session policy",
+                        },
+                    ],
+                },
+            ],
+            UserPromptSubmit: [
+                {
+                    hooks: [
+                        {
+                            type: "command",
+                            command: `printf '%s\\n' '${codexPayload("UserPromptSubmit").replaceAll("'", "'\\''")}'`,
+                            timeout: 5,
+                            statusMessage: "Refreshing VibeReview security session policy",
+                        },
+                    ],
+                },
+            ],
+        },
+    }, null, 2) + "\n";
+}
+export function vscodeHooksContent() {
+    return JSON.stringify({
+        hooks: {
+            SessionStart: [
+                {
+                    type: "command",
+                    command: `printf '%s\\n' '${codexPayload("SessionStart").replaceAll("'", "'\\''")}'`,
+                    timeout: 5,
+                },
+            ],
+        },
+    }, null, 2) + "\n";
+}
+function cursorAdditionalContext() {
+    return [
+        "## MANDATORY VIBEREVIEW SECURITY GATE",
+        "",
+        `1. Resolve the tenant/project with ${TOOL_PROJECT}.`,
+        `2. Fetch the project guardrail bundle with ${TOOL_GUARDRAILS}, shortlist only what is relevant, and keep that shortlist in context.`,
+        "3. Run threat modelling before implementation.",
+        "4. Implement secure code using the shortlisted guardrails as hard constraints.",
+        `5. Write one markdown artifact under \`.vibreview/scans/\` and call ${TOOL_SYNC} immediately after writing it.`,
+        "",
+        "No deferral. No separate local profiling. The main agent owns the final markdown sync.",
+    ].join("\\n");
+}
+function codexPayload(hookEventName) {
+    return JSON.stringify({
+        hookSpecificOutput: {
+            hookEventName,
+            additionalContext: cursorAdditionalContext(),
+        },
+    });
+}
+function jsonPayload(additionalContext) {
+    return JSON.stringify({ additional_context: additionalContext });
+}

package/dist/scaffold/vibreview.js

@@ -0,0 +1,24 @@
+import { join } from "node:path";
+import { CONFIG_DIR, SCANS_DIR, SYNC_STATE_PATH, writeConfig } from "../config.js";
+import { ensureDir, readJson, upsertBlock, writeJson } from "../fs.js";
+const GITIGNORE_START = "# BEGIN VibeReview";
+const GITIGNORE_END = "# END VibeReview";
+export async function scaffoldVibeReview(cwd, config) {
+    await ensureDir(join(cwd, CONFIG_DIR));
+    await ensureDir(join(cwd, SCANS_DIR));
+    await writeConfig(cwd, config);
+    const existingSyncState = await readJson(join(cwd, SYNC_STATE_PATH));
+    if (!existingSyncState)
+        await writeJson(join(cwd, SYNC_STATE_PATH), { version: 1, artifacts: {} });
+    await upsertBlock(join(cwd, ".gitignore"), GITIGNORE_START, GITIGNORE_END, [
+        ".vibreview/config.json",
+        ".vibreview/sync-state.json",
+        ".vibreview/scans/",
+        ".mcp.json",
+        ".cursor/mcp.json",
+        ".vscode/mcp.json",
+        ".codex/config.toml",
+        ".gemini/settings.json",
+        ".windsurf/mcp_config.json",
+    ].join("\n"));
+}

package/dist/scaffold/vscode.js

@@ -0,0 +1,22 @@
+import { join } from "node:path";
+import { readJson, writeJson, writeText, upsertBlock } from "../fs.js";
+import { mcpRemoteServerWithType } from "./mcp.js";
+import { SENTINEL_END, SENTINEL_START, copilotRuleContent, syncSkillContent, threatModelSkillContent, vscodeHooksContent } from "./rules.js";
+export async function scaffoldVSCode(cwd, config) {
+    const settingsPath = join(cwd, ".vscode", "settings.json");
+    const existing = (await readJson(settingsPath)) ?? {};
+    await writeJson(settingsPath, {
+        ...existing,
+        "vibreview.serverUrl": config.server_url,
+        "vibreview.projectSlug": config.project_slug,
+    });
+    const mcpPath = join(cwd, ".vscode", "mcp.json");
+    const mcpConfig = (await readJson(mcpPath)) ?? {};
+    const servers = mcpConfig.servers ?? {};
+    servers.vibreview = mcpRemoteServerWithType(config);
+    await writeJson(mcpPath, { ...mcpConfig, servers });
+    await upsertBlock(join(cwd, ".github", "copilot-instructions.md"), SENTINEL_START, SENTINEL_END, copilotRuleContent());
+    await writeText(join(cwd, ".github", "hooks", "vibreview-session-policy.json"), vscodeHooksContent());
+    await writeText(join(cwd, ".github", "skills", "threat-modelling", "SKILL.md"), `${threatModelSkillContent(".github/skills/vibereview-sync")}\n`);
+    await writeText(join(cwd, ".github", "skills", "vibereview-sync", "SKILL.md"), `${syncSkillContent()}\n`);
+}

package/dist/scaffold/windsurf.js

@@ -0,0 +1,10 @@
+import { join } from "node:path";
+import { readJson, writeJson } from "../fs.js";
+import { mcpRemoteServer } from "./mcp.js";
+export async function scaffoldWindsurf(cwd, config) {
+    const path = join(cwd, ".windsurf", "mcp_config.json");
+    const existing = (await readJson(path)) ?? {};
+    const mcpServers = existing.mcpServers ?? {};
+    mcpServers.vibreview = mcpRemoteServer(config);
+    await writeJson(path, { ...existing, mcpServers });
+}

package/dist/sync/index.js

@@ -0,0 +1,34 @@
+import { readdir, readFile } from "node:fs/promises";
+import { join } from "node:path";
+import { VibeReviewApiClient } from "../api.js";
+import { SCANS_DIR, readConfig, writeConfig } from "../config.js";
+import { buildSyncMarkdownPayload } from "./payload.js";
+import { readSyncState, writeSyncState } from "./state.js";
+export async function syncTelemetry(cwd, options = {}) {
+    const config = await readConfig(cwd);
+    if (!config)
+        throw new Error("VibeReview is not initialized. Run `securityreview-kit init` first.");
+    const scanDir = join(cwd, SCANS_DIR);
+    const files = (await readdir(scanDir).catch(() => [])).filter((file) => file.endsWith(".md")).sort();
+    const state = await readSyncState(cwd);
+    const client = new VibeReviewApiClient(config);
+    let synced = 0;
+    let skipped = 0;
+    for (const file of files) {
+        const path = join(scanDir, file);
+        const content = await readFile(path, "utf8");
+        const payload = buildSyncMarkdownPayload(config.project_slug, path, content, config.ide[0]);
+        const previous = state.artifacts[payload.artifact_id];
+        if (!options.force && previous?.artifact_hash === payload.artifact_hash) {
+            skipped++;
+            continue;
+        }
+        await client.syncCTMMarkdown(config.project_slug, payload);
+        const syncedAt = new Date().toISOString();
+        state.artifacts[payload.artifact_id] = { artifact_hash: payload.artifact_hash, synced_at: syncedAt };
+        synced++;
+    }
+    await writeSyncState(cwd, state);
+    await writeConfig(cwd, { ...config, last_synced: new Date().toISOString() });
+    return { synced, skipped };
+}

package/dist/sync/payload.js

@@ -0,0 +1,23 @@
+import { createHash, randomUUID } from "node:crypto";
+import { basename } from "node:path";
+export function artifactHash(content) {
+    return createHash("sha256").update(content).digest("hex");
+}
+export function buildSyncMarkdownPayload(projectSlug, filePath, content, ide) {
+    const hash = artifactHash(content);
+    const artifactId = basename(filePath).replace(/\.md$/i, "");
+    return {
+        markdown: content,
+        session_id: artifactId || randomUUID(),
+        artifact_id: artifactId || hash.slice(0, 16),
+        artifact_hash: hash,
+        idempotency_key: `${projectSlug}:${artifactId}:${hash}`,
+        generated_at: new Date().toISOString(),
+        file_name: basename(filePath),
+        ide,
+        metadata: {
+            source: "securityreview-kit",
+            file_path: filePath,
+        },
+    };
+}

package/dist/sync/state.js

@@ -0,0 +1,12 @@
+import { join } from "node:path";
+import { SYNC_STATE_PATH } from "../config.js";
+import { readJson, writeJson } from "../fs.js";
+export async function readSyncState(cwd) {
+    return ((await readJson(join(cwd, SYNC_STATE_PATH))) ?? {
+        version: 1,
+        artifacts: {},
+    });
+}
+export async function writeSyncState(cwd, state) {
+    await writeJson(join(cwd, SYNC_STATE_PATH), state);
+}

package/dist/types.js

@@ -0,0 +1 @@
+export {};

package/package.json

@@ -1,44 +1,38 @@
 {
   "name": "@securityreviewai/securityreview-kit",
-  "version": "0.1.48",
-  "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
-  "author": "Debarshi Das <debarshi.das@we45.com>",
-  "license": "UNLICENSED",
+  "version": "0.1.49",
   "type": "module",
+  "publishConfig": {
+    "access": "public"
+  },
   "bin": {
-    "securityreview-kit": "./bin/securityreview-kit.js"
+    "securityreview-kit": "./dist/index.js",
+    "vibreview": "./dist/index.js"
   },
   "files": [
-    "bin/",
-    "src/",
+    "dist",
+    "templates",
     "README.md"
   ],
-  "engines": {
-    "node": ">=18"
-  },
   "scripts": {
-    "test": "node --test",
-    "start": "node bin/securityreview-kit.js"
+    "build": "tsc -p tsconfig.json",
+    "dev": "tsx src/index.ts",
+    "lint": "tsc -p tsconfig.json --noEmit",
+    "test": "vitest run"
   },
-  "keywords": [
-    "security",
-    "mcp",
-    "security-review",
-    "srai",
-    "ai-ide",
-    "cursor",
-    "claude",
-    "codex",
-    "gemini",
-    "windsurf",
-    "vscode"
-  ],
   "dependencies": {
-    "chalk": "^5.4.0",
-    "commander": "^13.0.0",
-    "inquirer": "^12.0.0"
+    "chalk": "^5.6.2",
+    "commander": "^14.0.2",
+    "inquirer": "^12.10.0",
+    "zod": "^4.4.3"
   },
-  "publishConfig": {
-    "access": "public"
+  "devDependencies": {
+    "@types/node": "^25.6.0",
+    "tsx": "^4.21.0",
+    "typescript": "^5.9.3",
+    "vitest": "^4.1.5"
+  },
+  "engines": {
+    "node": ">=20"
   }
 }

package/templates/claude/CLAUDE.md

@@ -0,0 +1,13 @@
+# VibeReview Security Workflow
+
+When implementing or changing code in this repository:
+
+1. Resolve the current tenant/project with `vibreview_get_tenant_project`.
+2. Fetch the project's guardrail bundle with `vibreview_get_guardrails`.
+3. Locally shortlist the guardrails relevant to the user's requested feature or change.
+4. Before editing, write a concise threat model for the requested change.
+5. Implement the change while preserving the shortlisted guardrails.
+6. Record the review/threat-model outcome as one markdown artifact in `.vibreview/scans/`.
+7. Sync the markdown artifact with `vibreview_ctm_sync_markdown`.
+
+Do not run local repository profiling from the IDE. VibeReview profiles the repository server-side after project creation and stores the relevant guardrails for this tenant/project in the MCP-backed KV cache.

package/templates/claude/agents/guardrail_profiler.md

@@ -0,0 +1,12 @@
+# Guardrail Selector
+
+Use this agent when a task needs careful guardrail selection before code changes.
+
+Do not profile the local repository from the IDE. VibeReview SaaS profiles repositories server-side after project creation and projects the required guardrails into the MCP/KV path.
+
+Workflow:
+
+1. Call `vibreview_get_tenant_project`.
+2. Call `vibreview_get_guardrails`.
+3. Rank guardrails by direct relevance to the user request, changed files, data handled, entry points, auth/authorization boundaries, and external integrations.
+4. Return the shortlisted guardrail IDs, names, and the reason each one applies.

package/templates/claude/agents/threat_modeler.md

@@ -0,0 +1,5 @@
+# Threat Modeler
+
+Placeholder agent definition for future VibeReview threat modeling automation.
+
+Before implementation, use `vibreview_get_tenant_project` and `vibreview_get_guardrails`, shortlist the relevant guardrails locally, and identify likely threats, mitigations, standards mappings, and residual risk. Keep the model concise enough to sync as one markdown artifact with `vibreview_ctm_sync_markdown`.

package/templates/claude/skills/vibreview/SKILL.md

@@ -0,0 +1,21 @@
+# VibeReview Skill
+
+Use this skill for VibeReview-aware secure coding sessions.
+
+## Fast Sync Rules
+
+- Write one telemetry artifact per task in `.vibreview/scans/`.
+- Keep the artifact readable markdown: task, threat model, selected guardrails, decisions, and follow-up risks.
+- Avoid pasting large diffs or full files into telemetry unless necessary.
+- Include guardrail IDs, affected files, and concise evidence when useful.
+- Call `vibreview_ctm_sync_markdown` immediately after implementation or threat model updates.
+
+## Workflow
+
+1. Load tenant/project context with `vibreview_get_tenant_project`.
+2. Fetch guardrails with `vibreview_get_guardrails`.
+3. Filter and rank the returned guardrails locally for the requested feature.
+4. Threat model before editing.
+5. Implement with guardrails applied.
+6. Record markdown telemetry.
+7. Sync with `vibreview_ctm_sync_markdown`.

package/templates/claude/skills/vibreview/guardrail_patterns.md

@@ -0,0 +1,12 @@
+# Guardrail Patterns
+
+Fetch the project guardrail bundle with `vibreview_get_guardrails`, then filter locally against the feature request, touched files, framework, data flow, and threat model.
+
+- Authentication: login, sessions, password handling, MFA, tokens.
+- Authorization: role checks, object ownership, tenant isolation.
+- Persistence: database queries, ORM usage, migrations.
+- Validation: input parsing, bounds, schemas, file uploads.
+- Data Exposure: logs, errors, secrets, sensitive output.
+- Transport: TLS, headers, callbacks, API clients.
+
+For broad changes, build a shortlist before editing. Prefer guardrails with direct category, title, instruction, severity, or metadata matches. Keep the selected guardrail IDs in the `.vibreview/scans/` markdown artifact so VibeReview can connect the IDE-side work back to the server-side guardrail set.

package/templates/cursor/rules/vibreview-security.mdc

@@ -0,0 +1,8 @@
+---
+description: VibeReview security workflow
+alwaysApply: true
+---
+
+Before security-relevant code changes, use `vibreview_get_tenant_project` to resolve the tenant/project, then call `vibreview_get_guardrails` to fetch the project guardrail bundle. Filter and rank the returned guardrails locally against the user's requested feature before implementing.
+
+Record one readable markdown artifact in `.vibreview/scans/` with the threat model, selected guardrail IDs, decisions, and important evidence. Sync it with `vibreview_ctm_sync_markdown`. Do not run local repository profiling; VibeReview handles profiling server-side after project creation.

package/README.md

@@ -1,105 +0,0 @@
-# @securityreviewai/securityreview-kit
-
-> Bootstrap [security-review-mcp](https://www.npmjs.com/package/security-review-mcp) for AI IDEs and CLI tools in one command.
-
-**@securityreviewai/securityreview-kit** configures the SRAI security review MCP server and installs workspace rules so your AI assistant consults security threat models and countermeasures *before* generating code.
-
-## Quick Start
-
-```bash
-# Interactive mode (recommended)
-npx @securityreviewai/securityreview-kit init
-
-# Or specify targets directly
-npx @securityreviewai/securityreview-kit init --target cursor --api-url https://api.example.com --api-key YOUR_TOKEN
-
-# Install for multiple targets
-npx @securityreviewai/securityreview-kit init --target cursor claude vscode
-
-# Install for all supported targets
-npx @securityreviewai/securityreview-kit init --all --api-url https://api.example.com --api-key YOUR_TOKEN
-
-# Re-open project selection menu and update installed rules
-npx @securityreviewai/securityreview-kit init --switch-project
-```
-
-## Supported Targets
-
-| Target | Flag | MCP Config | Workspace Rule |
-|---|---|---|---|
-| Cursor | `cursor` | `.cursor/mcp.json` | `.cursor/rules/srai-security-review.mdc`, `.cursor/rules/guardrails_rule.mdc`, `.cursor/commands/srai-profile.md`, `.cursor/commands/guardrails-init-profile.md`, `.cursor/skills/threat-modelling/SKILL.md`, `.cursor/skills/vibereview-sync/SKILL.md`, `.cursor/hooks.json` |
-| Claude Code | `claude` | `.mcp.json` | `.claude/CLAUDE.md`, `.claude/settings.json`, `.claude/skills/threat-modelling/SKILL.md`, `.claude/skills/vibereview-sync/SKILL.md`, `.claude/skills/guardrails-profiler/SKILL.md`, `.claude/skills/guardrails-selection/SKILL.md`, `.claude/commands/guardrails-init-profile.md` |
-| VS Code Copilot | `vscode` | `.vscode/mcp.json` | `.github/copilot-instructions.md`, `.github/skills/threat-modelling/SKILL.md`, `.github/skills/vibereview-sync/SKILL.md`, `.github/skills/guardrails-profiler/SKILL.md`, `.github/skills/guardrails-selection/SKILL.md`, `.github/hooks/srai-session-policy.json` |
-| Windsurf | `windsurf` | `.windsurf/mcp_config.json` | `.windsurf/rules/srai-security-review.md` |
-| Codex | `codex` | `.codex/config.toml` | `.codex/AGENTS.md`, `.codex/skills/threat-modelling/SKILL.md`, `.codex/skills/vibereview-sync/SKILL.md`, `.codex/skills/guardrails-profiler/SKILL.md`, `.codex/skills/guardrails-selection/SKILL.md`, `.codex/hooks.json`, `.codex/commands/guardrails-init-profile.md` |
-| Gemini CLI | `gemini` | `.gemini/settings.json` | `GEMINI.md` |
-| Antigravity | `antigravity` | `.gemini/settings.json` | `.agents/rules/srai-security-review.md` |
-
-## Commands
-
-### `@securityreviewai/securityreview-kit init`
-
-Configure security-review-mcp for your IDE/CLI. Runs interactively when no flags are provided.
-
-```
-Options:
-  -t, --target <name...>  Target IDE/CLI (cursor, claude, vscode, windsurf, codex, gemini, antigravity)
-  -a, --all               Install for all supported targets
-  --project-name <name>   (Optional) Preselect project name from fetched API project list
-  --api-url <url>         SRAI API URL (or set SECURITY_REVIEW_API_URL env var)
-  --api-key <token>       SRAI API Token (or set SECURITY_REVIEW_API_TOKEN env var)
-  --switch-project        Fetch projects and only update mapped workspace rules
-  --skip-mcp              Skip MCP server config installation
-  --skip-rules            Skip workspace rule installation
-  --profile-repo          Run the guardrails profiler after init
-  --profiler-claude-login Run Claude Code login before profiling
-  --claude-auth-mode <mode>
-                          Claude profiling auth mode: current, claudeai, console, api_key, gateway, bedrock, vertex, or setup_token
-  --claude-api-key <key>  Anthropic API key for Claude profiling
-  --claude-base-url <url> Anthropic-compatible base URL for Claude profiling
-  --claude-auth-token <token>
-                          Auth token for Claude profiling gateway mode
-  --claude-provider-model <model>
-                          Optional Claude provider model override for gateway, Bedrock, or Vertex profiling
-  --profiler-copilot-login
-                          Run GitHub Copilot CLI login before VS Code Copilot profiling
-  --profiler-codex-login  Run Codex login before Codex profiling
-  --profiler-verbose      Show live profiler output while profiling runs
-  --show-profiler-logs    Alias for --profiler-verbose
-```
-
-### `@securityreviewai/securityreview-kit init --switch-project`
-
-Fetches projects from `https://<api-url>/api/projects/` using `Authorization: Bearer <api-key>`, shows a single-select menu, and updates installed workspace rules with the selected project.
-
-### `@securityreviewai/securityreview-kit status`
-
-Show current configuration status for all supported targets in the workspace.
-
-## Environment Variables
-
-| Variable | Description |
-|---|---|
-| `SECURITY_REVIEW_PROJECT_NAME` | Optional default project name to preselect in the project menu |
-| `SECURITY_REVIEW_API_URL` | SRAI platform API endpoint |
-| `SECURITY_REVIEW_API_TOKEN` | Your SRAI API token |
-
-These can be provided via CLI flags, environment variables, or interactive prompts.
-
-## What Gets Installed
-
-**MCP Server Config** — tells your IDE how to launch the `security-review-mcp` server via `npx`.
-
-**Workspace Rules** — instructs the AI assistant to consult SRAI threat models and countermeasures before generating security-relevant code. If configured, the selected SRAI project name is injected into the MCP workflow instructions in the installed rule content.
-
-## How It Works
-
-1. Run `@securityreviewai/securityreview-kit init`
-2. Select your IDE/CLI target(s)
-3. Choose whether to install workspace rules and MCP config
-4. If MCP is selected, enter your SRAI credentials (API URL, token)
-5. The tool fetches `/api/projects/` and you select exactly one SRAI project from the menu
-6. The tool creates/merges MCP config and workspace rule files
-7. Your AI assistant now has access to SRAI security reviews
-
-The tool is **idempotent** — running it multiple times safely updates existing configs without duplicating content.

package/bin/securityreview-kit.js

@@ -1,5 +0,0 @@
-#!/usr/bin/env node
-
-import { run } from '../src/cli.js';
-
-run();