@securityreviewai/securityreview-kit 0.1.48 → 0.1.49

package/src/generators/mcp/vscode.js

@@ -1,29 +0,0 @@
-import { join } from 'node:path';
-import { readJson, writeJson } from '../../utils/fs-helpers.js';
-import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
-
-/**
- * Generate VS Code Copilot MCP config at .vscode/mcp.json
- * Uses the VS Code input variable pattern for secure credential prompting.
- */
-export function generate(cwd, envVars) {
-    const filePath = join(cwd, '.vscode', 'mcp.json');
-    const existing = readJson(filePath) || {};
-
-    if (!existing.servers) {
-        existing.servers = {};
-    }
-
-    existing.servers[MCP_SERVER_NAME] = {
-        type: 'stdio',
-        command: 'npx',
-        args: ['-y', `${MCP_SERVER_PACKAGE}@latest`],
-        env: {
-            SECURITY_REVIEW_API_URL: envVars.apiUrl,
-            SECURITY_REVIEW_API_TOKEN: envVars.apiToken,
-        },
-    };
-
-    writeJson(filePath, existing);
-    return filePath;
-}

package/src/generators/mcp/windsurf.js

@@ -1,27 +0,0 @@
-import { join } from 'node:path';
-import { readJson, writeJson } from '../../utils/fs-helpers.js';
-import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
-
-/**
- * Generate Windsurf MCP config at .windsurf/mcp_config.json
- */
-export function generate(cwd, envVars) {
-    const filePath = join(cwd, '.windsurf', 'mcp_config.json');
-    const existing = readJson(filePath) || {};
-
-    if (!existing.mcpServers) {
-        existing.mcpServers = {};
-    }
-
-    existing.mcpServers[MCP_SERVER_NAME] = {
-        command: 'npx',
-        args: ['-y', `${MCP_SERVER_PACKAGE}@latest`],
-        env: {
-            SECURITY_REVIEW_API_URL: envVars.apiUrl,
-            SECURITY_REVIEW_API_TOKEN: envVars.apiToken,
-        },
-    };
-
-    writeJson(filePath, existing);
-    return filePath;
-}

package/src/generators/rules/antigravity.js

@@ -1,22 +0,0 @@
-import { join } from 'node:path';
-import { writeText } from '../../utils/fs-helpers.js';
-import { getRuleContent } from './content.js';
-
-/**
- * Generate Antigravity workspace rule at .agent/rules/srai-security-review.md
- * Antigravity uses .agent/rules/ with YAML frontmatter (trigger: always_on).
- */
-export function generate(cwd, options = {}) {
-    const filePath = join(cwd, '.agent', 'rules', 'srai-security-review.md');
-    const content = getRuleContent(options);
-
-    const rule = `---
-trigger: always_on
----
-
-${content}
-`;
-
-    writeText(filePath, rule);
-    return filePath;
-}

package/src/generators/rules/claude.js

@@ -1,87 +0,0 @@
-import { existsSync, unlinkSync } from 'node:fs';
-import { join } from 'node:path';
-import {
-    GUARDRAILS_PROFILER_SKILL_REL_DIR,
-    GUARDRAILS_SELECTION_SKILL_REL_DIR,
-    SENTINEL_END,
-    SENTINEL_START,
-    THREAT_MODELLING_SKILL_REL_DIR,
-    VIBEREVIEW_SYNC_SKILL_REL_DIR,
-} from '../../utils/constants.js';
-import { readText, upsertSentinelBlock, writeText } from '../../utils/fs-helpers.js';
-import {
-    getGuardrailsInitProfileContent,
-    getRuleContent,
-    getThreatModellingSkillContent,
-    getVibeReviewSyncSkillContent,
-} from './content.js';
-
-function writeGeneratedText(filePath, content) {
-    const action = existsSync(filePath) ? 'updated' : 'created';
-    writeText(filePath, content);
-    return { filePath, action };
-}
-
-/**
- * Generate Claude Code workspace rule — appends to .claude/CLAUDE.md
- */
-export function generate(cwd, options = {}) {
-    const optionsWithSkillDirs = {
-        ...options,
-        guardrailsSelectionSkillDir: GUARDRAILS_SELECTION_SKILL_REL_DIR.claude,
-        threatModellingSkillDir: THREAT_MODELLING_SKILL_REL_DIR.claude,
-        vibereviewSyncSkillDir: VIBEREVIEW_SYNC_SKILL_REL_DIR.claude,
-    };
-    const legacyRootPath = join(cwd, 'CLAUDE.md');
-    const filePath = join(cwd, '.claude', 'CLAUDE.md');
-    const content = getRuleContent(optionsWithSkillDirs);
-    const action = upsertSentinelBlock(filePath, content);
-
-    const legacyContent = readText(legacyRootPath);
-    if (legacyContent.includes(SENTINEL_START) && legacyContent.includes(SENTINEL_END)) {
-        const startIdx = legacyContent.indexOf(SENTINEL_START);
-        const endIdx = legacyContent.indexOf(SENTINEL_END);
-        const before = legacyContent.substring(0, startIdx);
-        const after = legacyContent.substring(endIdx + SENTINEL_END.length);
-        const migrated = `${before}${after}`.trim();
-        if (migrated) {
-            writeText(legacyRootPath, migrated + '\n');
-        } else if (existsSync(legacyRootPath)) {
-            unlinkSync(legacyRootPath);
-        }
-    }
-
-    const threatSkillPath = join(cwd, THREAT_MODELLING_SKILL_REL_DIR.claude, 'SKILL.md');
-    const threatSkill = writeGeneratedText(
-        threatSkillPath,
-        getThreatModellingSkillContent(optionsWithSkillDirs),
-    );
-
-    const vibereviewSyncSkillPath = join(cwd, VIBEREVIEW_SYNC_SKILL_REL_DIR.claude, 'SKILL.md');
-    const vibereviewSyncSkill = writeGeneratedText(
-        vibereviewSyncSkillPath,
-        getVibeReviewSyncSkillContent(optionsWithSkillDirs),
-    );
-
-    const deletedLegacyAgentPath = join(cwd, '.claude', 'agents', 'ctm_sync.md');
-    const deletedLegacyAgent = existsSync(deletedLegacyAgentPath)
-        ? (unlinkSync(deletedLegacyAgentPath), { filePath: deletedLegacyAgentPath, action: 'deleted' })
-        : null;
-
-    const guardrailsInitPath = join(cwd, '.claude', 'commands', 'guardrails-init-profile.md');
-    const guardrailsInit = writeGeneratedText(
-        guardrailsInitPath,
-        getGuardrailsInitProfileContent({
-            ...optionsWithSkillDirs,
-            guardrailsSkillDir: GUARDRAILS_PROFILER_SKILL_REL_DIR.claude,
-        }),
-    );
-
-    return [
-        { filePath, action, kind: 'rule' },
-        { ...threatSkill, kind: 'skill' },
-        { ...vibereviewSyncSkill, kind: 'skill' },
-        { ...guardrailsInit, kind: 'command' },
-        ...(deletedLegacyAgent ? [{ ...deletedLegacyAgent, kind: 'cleanup' }] : []),
-    ];
-}

package/src/generators/rules/claude.test.js

@@ -1,60 +0,0 @@
-import { existsSync, mkdtempSync, readFileSync, writeFileSync } from 'node:fs';
-import { tmpdir } from 'node:os';
-import { join } from 'node:path';
-import { test } from 'node:test';
-import assert from 'node:assert/strict';
-import { generate } from './claude.js';
-
-test('Claude generator writes .claude/CLAUDE.md, threat skill, and profiling command', () => {
-    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-claude-'));
-
-    const results = generate(cwd, { projectName: 'SmokeProject' });
-
-    const expectedPaths = [
-        '.claude/CLAUDE.md',
-        '.claude/skills/threat-modelling/SKILL.md',
-        '.claude/skills/vibereview-sync/SKILL.md',
-        '.claude/commands/guardrails-init-profile.md',
-    ];
-
-    for (const relPath of expectedPaths) {
-        assert.equal(existsSync(join(cwd, relPath)), true, `${relPath} should exist`);
-    }
-
-    assert.deepEqual(results.map((entry) => entry.kind), ['rule', 'skill', 'skill', 'command']);
-
-    const instructions = readFileSync(join(cwd, '.claude/CLAUDE.md'), 'utf8');
-    assert.match(instructions, /\.claude\/skills\/guardrails-selection\/SKILL\.md/);
-    assert.match(instructions, /\.claude\/skills\/threat-modelling\/SKILL\.md/);
-    assert.match(instructions, /\.claude\/skills\/vibereview-sync\/SKILL\.md/);
-    assert.match(instructions, /sync_ai_ide_markdown/);
-    assert.match(instructions, /vibereview\//);
-
-    const threatSkill = readFileSync(join(cwd, '.claude/skills/threat-modelling/SKILL.md'), 'utf8');
-    assert.match(threatSkill, /sync_ai_ide_markdown/);
-    assert.match(threatSkill, /vibereview\//);
-    assert.doesNotMatch(threatSkill, /get_project_profile_description/);
-
-    const vibereviewSkill = readFileSync(join(cwd, '.claude/skills/vibereview-sync/SKILL.md'), 'utf8');
-    assert.match(vibereviewSkill, /Do not read other/i);
-    assert.match(vibereviewSkill, /sync_ai_ide_markdown/);
-    assert.match(vibereviewSkill, /Event Identity/);
-    assert.match(vibereviewSkill, /Practice 1/);
-    assert.match(vibereviewSkill, /practice_name:/);
-});
-
-test('Claude generator migrates the kit-managed root CLAUDE.md block into .claude/CLAUDE.md', () => {
-    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-claude-migrate-'));
-    const legacyPath = join(cwd, 'CLAUDE.md');
-
-    writeFileSync(
-        legacyPath,
-        '<!-- securityreview-kit:start -->\nold managed block\n<!-- securityreview-kit:end -->\n',
-        'utf8',
-    );
-
-    generate(cwd, { projectName: 'SmokeProject' });
-
-    assert.equal(existsSync(join(cwd, '.claude/CLAUDE.md')), true);
-    assert.equal(existsSync(legacyPath), false);
-});

package/src/generators/rules/codex.js

@@ -1,141 +0,0 @@
-import { existsSync, unlinkSync } from 'node:fs';
-import { join } from 'node:path';
-import {
-    GUARDRAILS_PROFILER_SKILL_REL_DIR,
-    GUARDRAILS_SELECTION_SKILL_REL_DIR,
-    THREAT_MODELLING_SKILL_REL_DIR,
-    VIBEREVIEW_SYNC_SKILL_REL_DIR,
-} from '../../utils/constants.js';
-import { upsertSentinelBlock, writeText } from '../../utils/fs-helpers.js';
-import {
-    getGuardrailsInitProfileContent,
-    getRuleContent,
-    getThreatModellingSkillContent,
-    getVibeReviewSyncSkillContent,
-} from './content.js';
-
-function writeGeneratedText(filePath, content) {
-    const action = existsSync(filePath) ? 'updated' : 'created';
-    writeText(filePath, content);
-    return { filePath, action };
-}
-
-function removeGeneratedText(filePath) {
-    if (existsSync(filePath)) {
-        unlinkSync(filePath);
-        return { filePath, action: 'deleted' };
-    }
-    return null;
-}
-
-function getCodexSessionHookContent() {
-    const additionalContext = [
-        '## MANDATORY SECURITY GATE (Session Policy)',
-        '',
-        'For any request with security impact (auth, authorization, crypto, input handling, secrets, network, data storage, dependencies, new APIs/endpoints, infrastructure, or code handling untrusted data), follow this order:',
-        '',
-        '1. Fetch Vibe Guardrails first using .codex/skills/guardrails-selection/SKILL.md. Resolve the project, call get_guardrails, shortlist relevant guardrails, then call get_guardrail_by_id for the shortlist.',
-        '2. Run PWNISMS threat modelling using .codex/skills/threat-modelling/SKILL.md. Explicitly walk Product, Workload, Network, IAM, Secrets, Monitoring, and Supply Chain.',
-        '3. Implement secure code using both the hydrated guardrails and PWNISMS findings.',
-        '4. Read .codex/skills/vibereview-sync/SKILL.md. Write a structured .md artifact under vibereview/, do not read sibling markdown files there just to infer format, validate it, and call sync_ai_ide_markdown directly after threat modelling or guardrail enforcement. Reuse the exact guardrail shortlist; do not re-query guardrails during the final sync.',
-        '',
-        'Do not use project-profile exploration tools during normal coding tasks. No blocking and no deferral: guardrails first, PWNISMS second, implementation third, VibeReview sync last.',
-    ].join('\n');
-
-    const sessionStartPayload = JSON.stringify({
-        hookSpecificOutput: {
-            hookEventName: 'SessionStart',
-            additionalContext,
-        },
-    });
-    const userPromptPayload = JSON.stringify({
-        hookSpecificOutput: {
-            hookEventName: 'UserPromptSubmit',
-            additionalContext,
-        },
-    });
-
-    return JSON.stringify(
-        {
-            hooks: {
-                SessionStart: [
-                    {
-                        matcher: 'startup|resume',
-                        hooks: [
-                            {
-                                type: 'command',
-                                command: `printf '%s\\n' '${sessionStartPayload.replaceAll("'", "'\\''")}'`,
-                                timeout: 5,
-                                statusMessage: 'Loading SRAI security session policy',
-                            },
-                        ],
-                    },
-                ],
-                UserPromptSubmit: [
-                    {
-                        hooks: [
-                            {
-                                type: 'command',
-                                command: `printf '%s\\n' '${userPromptPayload.replaceAll("'", "'\\''")}'`,
-                                timeout: 5,
-                                statusMessage: 'Refreshing SRAI security session policy',
-                            },
-                        ],
-                    },
-                ],
-            },
-        },
-        null,
-        2,
-    ) + '\n';
-}
-
-/**
- * Generate Codex workspace rule — appends to AGENTS.md
- */
-export function generate(cwd, options = {}) {
-    const optionsWithSkillDirs = {
-        ...options,
-        guardrailsSelectionSkillDir: GUARDRAILS_SELECTION_SKILL_REL_DIR.codex,
-        threatModellingSkillDir: THREAT_MODELLING_SKILL_REL_DIR.codex,
-        vibereviewSyncSkillDir: VIBEREVIEW_SYNC_SKILL_REL_DIR.codex,
-    };
-    const filePath = join(cwd, '.codex', 'AGENTS.md');
-    const content = getRuleContent(optionsWithSkillDirs);
-    const action = upsertSentinelBlock(filePath, content);
-
-    const threatSkillPath = join(cwd, THREAT_MODELLING_SKILL_REL_DIR.codex, 'SKILL.md');
-    const threatSkill = writeGeneratedText(
-        threatSkillPath,
-        getThreatModellingSkillContent(optionsWithSkillDirs),
-    );
-
-    const vibereviewSyncSkillPath = join(cwd, VIBEREVIEW_SYNC_SKILL_REL_DIR.codex, 'SKILL.md');
-    const vibereviewSyncSkill = writeGeneratedText(
-        vibereviewSyncSkillPath,
-        getVibeReviewSyncSkillContent(optionsWithSkillDirs),
-    );
-
-    const deletedLegacyAgent = removeGeneratedText(join(cwd, '.codex', 'agents', 'ctm_sync.toml'));
-
-    const hooksPath = join(cwd, '.codex', 'hooks.json');
-    const hooks = writeGeneratedText(hooksPath, getCodexSessionHookContent());
-
-    const guardrailsInitPath = join(cwd, '.codex', 'commands', 'guardrails-init-profile.md');
-    const guardrailsInit = writeGeneratedText(
-        guardrailsInitPath,
-        getGuardrailsInitProfileContent({
-            ...optionsWithSkillDirs,
-            guardrailsSkillDir: GUARDRAILS_PROFILER_SKILL_REL_DIR.codex,
-        }),
-    );
-
-    return [
-        { filePath, action, kind: 'rule' },
-        { ...threatSkill, kind: 'skill' },
-        { ...vibereviewSyncSkill, kind: 'skill' },
-        { ...hooks, kind: 'hooks' },
-        { ...guardrailsInit, kind: 'command' },
-        ...(deletedLegacyAgent ? [{ ...deletedLegacyAgent, kind: 'cleanup' }] : []),
-    ];
-}

package/src/generators/rules/codex.test.js

@@ -1,59 +0,0 @@
-import { existsSync, mkdtempSync, readFileSync } from 'node:fs';
-import { tmpdir } from 'node:os';
-import { join } from 'node:path';
-import { test } from 'node:test';
-import assert from 'node:assert/strict';
-import { generate } from './codex.js';
-
-test('Codex generator writes AGENTS, skills, hooks, and profiling command', () => {
-    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-codex-'));
-
-    const results = generate(cwd, { projectName: 'SmokeProject' });
-
-    const expectedPaths = [
-        '.codex/AGENTS.md',
-        '.codex/skills/threat-modelling/SKILL.md',
-        '.codex/skills/vibereview-sync/SKILL.md',
-        '.codex/hooks.json',
-        '.codex/commands/guardrails-init-profile.md',
-    ];
-
-    for (const relPath of expectedPaths) {
-        assert.equal(existsSync(join(cwd, relPath)), true, `${relPath} should exist`);
-    }
-
-    assert.deepEqual(results.map((entry) => entry.kind), ['rule', 'skill', 'skill', 'hooks', 'command']);
-
-    const instructions = readFileSync(join(cwd, '.codex/AGENTS.md'), 'utf8');
-    assert.match(instructions, /\.codex\/skills\/guardrails-selection\/SKILL\.md/);
-    assert.match(instructions, /\.codex\/skills\/threat-modelling\/SKILL\.md/);
-    assert.match(instructions, /\.codex\/skills\/vibereview-sync\/SKILL\.md/);
-    assert.match(instructions, /sync_ai_ide_markdown/);
-    assert.match(instructions, /vibereview\//);
-    assert.doesNotMatch(instructions, /\.cursor/);
-    assert.doesNotMatch(instructions, /\.agents\/skills/);
-
-    const threatSkill = readFileSync(join(cwd, '.codex/skills/threat-modelling/SKILL.md'), 'utf8');
-    for (const heading of ['Product', 'Workload', 'Network', 'IAM', 'Secrets', 'Monitoring', 'Supply Chain']) {
-        assert.match(threatSkill, new RegExp(heading));
-    }
-    assert.match(threatSkill, /sync_ai_ide_markdown/);
-    assert.match(threatSkill, /vibereview\//);
-    assert.doesNotMatch(threatSkill, /get_project_profile_description/);
-
-    const vibereviewSkill = readFileSync(join(cwd, '.codex/skills/vibereview-sync/SKILL.md'), 'utf8');
-    assert.match(vibereviewSkill, /do not read other `?\.md`? files in `?vibereview\/`?/i);
-    assert.match(vibereviewSkill, /sync_ai_ide_markdown/);
-    assert.match(vibereviewSkill, /Event Identity/);
-    assert.match(vibereviewSkill, /OWASP Top 10 2025 Mappings/);
-    assert.match(vibereviewSkill, /Practice 1/);
-    assert.match(vibereviewSkill, /practice_name:/);
-
-    const hooks = JSON.parse(readFileSync(join(cwd, '.codex/hooks.json'), 'utf8'));
-    assert.equal(hooks.hooks.SessionStart[0].hooks[0].type, 'command');
-    assert.equal(hooks.hooks.UserPromptSubmit[0].hooks[0].type, 'command');
-    assert.match(hooks.hooks.UserPromptSubmit[0].hooks[0].command, /"hookEventName":"UserPromptSubmit"/);
-    assert.match(hooks.hooks.UserPromptSubmit[0].hooks[0].command, /vibereview/);
-    assert.match(hooks.hooks.UserPromptSubmit[0].hooks[0].command, /sync_ai_ide_markdown/);
-    assert.match(hooks.hooks.UserPromptSubmit[0].hooks[0].command, /vibereview-sync\/SKILL\.md/);
-});

package/src/generators/rules/content.js

@@ -1,110 +0,0 @@
-import { readFileSync } from 'node:fs';
-import { dirname, join } from 'node:path';
-import { fileURLToPath } from 'node:url';
-
-const __dirname = dirname(fileURLToPath(import.meta.url));
-
-function sanitizeProjectName(value) {
-    return value.replace(/[\r\n`]/g, ' ').trim();
-}
-
-function injectPathPlaceholder(content, placeholder, fallbackPath, configuredPath) {
-    if (!content.includes(placeholder)) {
-        return content;
-    }
-
-    const resolvedPath =
-        typeof configuredPath === 'string' && configuredPath.trim() ? configuredPath.trim() : fallbackPath;
-
-    return content.replaceAll(placeholder, resolvedPath);
-}
-
-/**
- * Reads a markdown template and injects the configured project name placeholder.
- */
-function readTemplate(templateFileName, options = {}) {
-    const template = readFileSync(join(__dirname, templateFileName), 'utf-8').trim();
-    const rawProjectName = typeof options.projectName === 'string' ? options.projectName : '';
-    const projectName = sanitizeProjectName(rawProjectName);
-    const resolvedProjectName = projectName || '<SRAI_PROJECT_NAME>';
-
-    let out = template
-        .replaceAll('{{SRAI_PROJECT_NAME}}', resolvedProjectName)
-        .replaceAll('<SRAI_PROJECT_NAME>', resolvedProjectName);
-
-    out = injectPathPlaceholder(
-        out,
-        '{{GUARDRAILS_SKILL_DIR}}',
-        '.cursor/skills/guardrails-profiler',
-        options.guardrailsSkillDir,
-    );
-    out = injectPathPlaceholder(
-        out,
-        '{{GUARDRAILS_SELECTION_SKILL_DIR}}',
-        '.cursor/skills/guardrails-selection',
-        options.guardrailsSelectionSkillDir,
-    );
-    out = injectPathPlaceholder(
-        out,
-        '{{THREAT_MODELLING_SKILL_DIR}}',
-        '.cursor/skills/threat-modelling',
-        options.threatModellingSkillDir,
-    );
-    out = injectPathPlaceholder(
-        out,
-        '{{VIBEREVIEW_SYNC_SKILL_DIR}}',
-        '.cursor/skills/vibereview-sync',
-        options.vibereviewSyncSkillDir,
-    );
-
-    return out;
-}
-
-/**
- * Returns the shared rule content markdown.
- */
-export function getRuleContent(options = {}) {
-    return readTemplate('content.md', options);
-}
-
-/**
- * Returns the Cursor profile uploader command markdown.
- */
-export function getProfileCommandContent(options = {}) {
-    return readTemplate('srai-profile.md', options);
-}
-
-/**
- * Returns the threat-modelling skill markdown.
- */
-export function getThreatModellingSkillContent(options = {}) {
-    return readTemplate('skill.md', options);
-}
-
-/**
- * Returns the VibeReview sync skill markdown.
- */
-export function getVibeReviewSyncSkillContent(options = {}) {
-    return readTemplate(join('vibereview-sync', 'SKILL.md'), options);
-}
-
-/**
- * Returns the vibe guardrails always-applied rule markdown.
- */
-export function getGuardrailsRuleContent(options = {}) {
-    return readTemplate('guardrails_rule.md', options);
-}
-
-/**
- * Guardrails init profile command (repo scan + .guardrails/profile.json + SRAI upload).
- */
-export function getGuardrailsInitProfileContent(options = {}) {
-    return readTemplate('guardrails-init-profile.md', options);
-}
-
-/**
- * Returns the hooks.json content for Cursor session hooks.
- */
-export function getHooksContent() {
-    return readFileSync(join(__dirname, 'hooks.json'), 'utf-8').trim();
-}

package/src/generators/rules/content.md

@@ -1,57 +0,0 @@
-# Security Review Kit Agent Instructions
-
-Configured SRAI project name: `<SRAI_PROJECT_NAME>`
-
-These instructions are always active for security-relevant coding work. Keep this file as the routing policy; use the skills and agents below for the detailed workflows.
-
-## Core Workflow
-
-For any task that touches auth, authorization, input handling, secrets, network, data storage, dependencies, new APIs/endpoints, infrastructure, or code handling untrusted data:
-
-1. **Fetch Vibe Guardrails first.**
-   - Read and follow `{{GUARDRAILS_SELECTION_SKILL_DIR}}/SKILL.md`.
-   - Resolve the SRAI project with `find_project_by_name` using `name="<SRAI_PROJECT_NAME>"`.
-   - Call `get_guardrails`, shortlist only the relevant project guardrails, then hydrate the exact shortlist with `get_guardrail_by_id`.
-   - Preserve that exact shortlist in context for implementation and the final VibeReview sync step.
-
-2. **Run PWNISMS threat modelling before implementation.**
-   - Read and follow `{{THREAT_MODELLING_SKILL_DIR}}/SKILL.md`.
-   - Explicitly walk all seven PWNISMS categories: Product, Workload, Network, IAM, Secrets, Monitoring, and Supply Chain.
-   - If a category is not applicable, say so briefly and continue.
-   - Cross-reference each meaningful threat with the shortlisted guardrails.
-
-3. **Implement secure code using both inputs.**
-   - Treat applicable `must` guardrails as mandatory.
-   - Treat applicable `must_not` guardrails as hard prohibitions.
-   - Use the PWNISMS findings to guide design, validation, authorization, logging, secrets handling, dependency choices, and abuse controls.
-   - If PWNISMS reveals a recurring security rule that is not covered by existing guardrails, create and apply an `ide_generated` guardrail in context.
-
-4. **Write and sync the VibeReview markdown last.**
-   - Read and follow `{{VIBEREVIEW_SYNC_SKILL_DIR}}/SKILL.md`.
-   - After threat modelling is created or updated, or after guardrails are enforced during implementation, the main agent must write or update a structured `.md` artifact under `vibereview/`.
-   - Do not delegate markdown authoring to a subagent. The same agent that performed the work should author the artifact so the context stays intact.
-   - Use the skill's structure and validation checklist rather than improvising the markdown format.
-   - Reuse the exact existing guardrails shortlisted earlier, include any `ide_generated` guardrails, and only include grounded code snippets from actual code.
-   - Call `sync_ai_ide_markdown` directly with the finished markdown artifact before finalizing the task.
-   - If sync fails, keep the file in `vibereview/`, report the failure, and do not pretend synchronization succeeded.
-
-## When To Skip
-
-Skip the SRAI security workflow only for tasks with no security surface, such as documentation-only changes, typo fixes, pure formatting, variable renames with no logic change, or general Q&A that produces no code.
-
-If in doubt, run the workflow. A quick PWNISMS pass is better than silently missing a security boundary.
-
-## Do Not Use Project Profile Exploration
-
-Do not call project-profile exploration tools during normal coding tasks. The old profile walkthrough is no longer part of the agent workflow.
-
-The normal coding workflow is guardrails selection, PWNISMS threat modelling, secure implementation, then VibeReview markdown sync.
-
-## Tool Reference
-
-| Purpose | Tools |
-|---|---|
-| Project resolution | `find_project_by_name`, `list_projects`, `create_project`, `get_project` |
-| Guardrails | `get_guardrails`, `get_guardrail_by_id` |
-| VibeReview sync | `sync_ai_ide_markdown` |
-| Profiler only | `update_vibe_profile`, `write_default_pack` are used by init-time profiling, not normal coding tasks |