@securityreviewai/securityreview-kit 0.1.48 → 0.1.50

package/dist/api.js

@@ -0,0 +1,44 @@
+import { apiBaseUrl } from "./config.js";
+export class VibeReviewApiClient {
+    baseUrl;
+    apiKey;
+    constructor(config) {
+        this.baseUrl = apiBaseUrl(config).replace(/\/$/, "");
+        this.apiKey = config.api_key;
+    }
+    async listProjects() {
+        return this.request("/v1/projects");
+    }
+    async getAuthContext() {
+        return this.request("/v1/mcp/auth-context");
+    }
+    async getProject(projectSlug) {
+        return this.request(`/v1/projects/${encodeURIComponent(projectSlug)}`);
+    }
+    async getGuardrails(projectSlug) {
+        return this.request(`/v1/projects/${encodeURIComponent(projectSlug)}/guardrails`);
+    }
+    async syncCTMMarkdown(projectSlug, payload) {
+        return this.request(`/v1/mcp/projects/${encodeURIComponent(projectSlug)}/ctm-sync-markdown`, {
+            method: "POST",
+            body: payload,
+        });
+    }
+    async request(path, options = {}) {
+        if (!this.apiKey) {
+            throw new Error("Missing VibeReview API key in .vibreview/config.json");
+        }
+        const response = await fetch(`${this.baseUrl}${path}`, {
+            method: options.method ?? "GET",
+            headers: {
+                Authorization: `Bearer ${this.apiKey}`,
+                ...(options.body ? { "Content-Type": "application/json" } : {}),
+            },
+            body: options.body ? JSON.stringify(options.body) : undefined,
+        });
+        if (!response.ok) {
+            throw new Error(`VibeReview API request failed (${response.status}): ${await response.text()}`);
+        }
+        return response.json();
+    }
+}

package/dist/commands/guardrails.js

@@ -0,0 +1,13 @@
+import chalk from "chalk";
+import { VibeReviewApiClient } from "../api.js";
+import { readConfig } from "../config.js";
+export async function guardrailsCommand(options = {}) {
+    const config = await readConfig(options.cwd ?? process.cwd());
+    if (!config)
+        throw new Error("VibeReview is not initialized. Run `securityreview-kit init` first.");
+    const guardrails = await new VibeReviewApiClient(config).getGuardrails(config.project_slug);
+    console.log(chalk.bold(`${guardrails.length} guardrail(s)`));
+    for (const guardrail of guardrails) {
+        console.log(`${guardrail.type.toUpperCase()} [${guardrail.category}] ${guardrail.title}`);
+    }
+}

package/dist/commands/init.js

@@ -0,0 +1,88 @@
+import inquirer from "inquirer";
+import chalk from "chalk";
+import { VibeReviewApiClient } from "../api.js";
+import { scaffoldProject } from "../scaffold/index.js";
+export async function initCommand(options = {}) {
+    const cwd = options.cwd ?? process.cwd();
+    const answers = await promptForMissing(options);
+    const client = new VibeReviewApiClient({
+        server_url: answers.serverUrl,
+        api_base_url: answers.apiBaseUrl,
+        api_key: answers.apiKey,
+    });
+    const authContext = await client.getAuthContext();
+    const projects = await loadProjects(client);
+    const selected = await selectProject(projects, authContext, answers.projectSlug, answers.projectId, answers.yes);
+    const config = {
+        version: 1,
+        server_url: answers.serverUrl,
+        api_base_url: answers.apiBaseUrl,
+        api_key: answers.apiKey,
+        tenant_id: authContext.tenant_id,
+        project_slug: selected.slug,
+        project_id: selected.id,
+        project_name: selected.name,
+        ide: answers.ide,
+    };
+    await scaffoldProject(cwd, config);
+    console.log(chalk.green(`VibeReview initialized for project ${selected.slug}.`));
+    console.log(chalk.dim(`Tenant: ${authContext.tenant_id}`));
+    console.log(chalk.dim(`MCP: ${answers.serverUrl.replace(/\/$/, "")}/mcp`));
+}
+async function promptForMissing(options) {
+    const questions = [];
+    if (!options.ide) {
+        questions.push({
+            type: "checkbox",
+            name: "ide",
+            message: "Which IDEs do you use?",
+            choices: [
+                { name: "Claude Code", value: "claude_code" },
+                { name: "Cursor", value: "cursor" },
+                { name: "VSCode Copilot", value: "vscode_copilot" },
+                { name: "Codex", value: "codex" },
+                { name: "Gemini", value: "gemini" },
+                { name: "Windsurf", value: "windsurf" },
+            ],
+            default: ["claude_code"],
+        });
+    }
+    if (!options.serverUrl)
+        questions.push({ type: "input", name: "serverUrl", message: "VibeReview MCP server URL", default: "http://localhost:3000" });
+    if (!options.apiBaseUrl)
+        questions.push({ type: "input", name: "apiBaseUrl", message: "VibeReview API URL", default: "http://localhost:8000" });
+    if (!options.apiKey)
+        questions.push({ type: "password", name: "apiKey", message: "VibeReview API key", mask: "*" });
+    const answers = questions.length ? await inquirer.prompt(questions) : {};
+    return {
+        serverUrl: (options.serverUrl ?? answers.serverUrl),
+        apiBaseUrl: (options.apiBaseUrl ?? answers.apiBaseUrl),
+        apiKey: (options.apiKey ?? answers.apiKey),
+        projectSlug: options.projectSlug,
+        projectId: options.projectId,
+        ide: (options.ide ?? answers.ide ?? ["claude_code"]),
+        yes: options.yes ?? false,
+    };
+}
+async function loadProjects(client) {
+    return client.listProjects();
+}
+async function selectProject(projects, authContext, slug, projectId, yes) {
+    const requested = projects.find((project) => project.id === projectId || project.slug === slug);
+    if (requested)
+        return requested;
+    const scopedProject = authContext.project_id ? projects.find((project) => project.id === authContext.project_id) : undefined;
+    if (scopedProject)
+        return scopedProject;
+    if (slug && yes)
+        return { id: projectId ?? "", name: slug, slug };
+    if (projects.length === 0) {
+        throw new Error("No VibeReview projects were visible for this API key. Create a project in the SaaS app first.");
+    }
+    if (yes)
+        return projects[0];
+    const answer = await inquirer.prompt([
+        { type: "list", name: "project", message: "Select a VibeReview project", choices: projects.map((project) => ({ name: `${project.name} (${project.slug})`, value: project.slug })) },
+    ]);
+    return projects.find((project) => project.slug === answer.project) ?? projects[0];
+}

package/dist/commands/profile.js

@@ -0,0 +1,14 @@
+import chalk from "chalk";
+import { readConfig } from "../config.js";
+export async function profileCommand(options = {}) {
+    const cwd = options.cwd ?? process.cwd();
+    const config = await readConfig(cwd);
+    if (!config) {
+        console.log(chalk.yellow("VibeReview is not initialized. Run `securityreview-kit init` first."));
+        return;
+    }
+    console.log(chalk.yellow("Local profiling is deprecated for VibeReview SaaS."));
+    console.log(`Project ${config.project_slug} is profiled server-side after project creation, and guardrails are served through the VibeReview MCP/KV path.`);
+    if (options.push)
+        console.log(chalk.dim("--push was ignored."));
+}

package/dist/commands/status.js

@@ -0,0 +1,27 @@
+import chalk from "chalk";
+import { VibeReviewApiClient } from "../api.js";
+import { readConfig } from "../config.js";
+export async function statusCommand(options = {}) {
+    const cwd = options.cwd ?? process.cwd();
+    const config = await readConfig(cwd);
+    if (!config) {
+        console.log(chalk.yellow("VibeReview is not initialized. Run `securityreview-kit init`."));
+        return;
+    }
+    console.log(chalk.bold("VibeReview status"));
+    console.log(`Project: ${config.project_slug}`);
+    if (config.project_id)
+        console.log(`Project ID: ${config.project_id}`);
+    if (config.tenant_id)
+        console.log(`Tenant ID: ${config.tenant_id}`);
+    console.log(`MCP server: ${config.server_url}`);
+    console.log(`IDEs: ${config.ide.join(", ")}`);
+    console.log(`Last synced: ${config.last_synced ?? "never"}`);
+    try {
+        const guardrails = await new VibeReviewApiClient(config).getGuardrails(config.project_slug);
+        console.log(`Guardrails: ${guardrails.length}`);
+    }
+    catch (error) {
+        console.log(chalk.yellow(`Remote check skipped: ${error instanceof Error ? error.message : String(error)}`));
+    }
+}

package/dist/commands/sync.js

@@ -0,0 +1,6 @@
+import chalk from "chalk";
+import { syncTelemetry } from "../sync/index.js";
+export async function syncCommand(options = {}) {
+    const result = await syncTelemetry(options.cwd ?? process.cwd(), { force: options.force });
+    console.log(chalk.green(`Synced ${result.synced} artifact(s), skipped ${result.skipped} unchanged artifact(s).`));
+}

package/dist/config.js

@@ -0,0 +1,18 @@
+import { join } from "node:path";
+import { readJson, writeJson } from "./fs.js";
+export const CONFIG_DIR = ".vibreview";
+export const CONFIG_PATH = join(CONFIG_DIR, "config.json");
+export const SYNC_STATE_PATH = join(CONFIG_DIR, "sync-state.json");
+export const SCANS_DIR = join(CONFIG_DIR, "scans");
+export function resolveConfigPath(cwd) {
+    return join(cwd, CONFIG_PATH);
+}
+export async function readConfig(cwd) {
+    return readJson(resolveConfigPath(cwd));
+}
+export async function writeConfig(cwd, config) {
+    await writeJson(resolveConfigPath(cwd), config);
+}
+export function apiBaseUrl(config) {
+    return config.api_base_url ?? config.server_url.replace(/\/mcp\/?$/, "").replace(/:3000$/, ":8000");
+}

package/dist/fs.js

@@ -0,0 +1,43 @@
+import { mkdir, readFile, writeFile } from "node:fs/promises";
+import { dirname } from "node:path";
+export async function ensureDir(path) {
+    await mkdir(path, { recursive: true });
+}
+export async function readText(path) {
+    try {
+        return await readFile(path, "utf8");
+    }
+    catch {
+        return "";
+    }
+}
+export async function writeText(path, content) {
+    await ensureDir(dirname(path));
+    await writeFile(path, content, "utf8");
+}
+export async function readJson(path) {
+    try {
+        return JSON.parse(await readFile(path, "utf8"));
+    }
+    catch {
+        return null;
+    }
+}
+export async function writeJson(path, data) {
+    await writeText(path, `${JSON.stringify(data, null, 2)}\n`);
+}
+export async function upsertBlock(path, start, end, content) {
+    const block = `${start}\n${content.trim()}\n${end}`;
+    const existing = await readText(path);
+    if (!existing) {
+        await writeText(path, `${block}\n`);
+        return;
+    }
+    const startIndex = existing.indexOf(start);
+    const endIndex = existing.indexOf(end);
+    if (startIndex >= 0 && endIndex >= 0) {
+        await writeText(path, `${existing.slice(0, startIndex)}${block}${existing.slice(endIndex + end.length)}`);
+        return;
+    }
+    await writeText(path, `${existing.trimEnd()}\n\n${block}\n`);
+}

package/dist/index.js

@@ -0,0 +1,44 @@
+#!/usr/bin/env node
+import { Command } from "commander";
+import { guardrailsCommand } from "./commands/guardrails.js";
+import { initCommand } from "./commands/init.js";
+import { profileCommand } from "./commands/profile.js";
+import { statusCommand } from "./commands/status.js";
+import { syncCommand } from "./commands/sync.js";
+const program = new Command();
+program.name("securityreview-kit").description("VibeReview IDE integration CLI").version("0.1.0");
+program
+    .command("init")
+    .description("Initialize VibeReview in this repository")
+    .option("--server-url <url>", "VibeReview MCP server URL")
+    .option("--api-base-url <url>", "VibeReview API URL")
+    .option("--api-key <key>", "VibeReview API key")
+    .option("--project-slug <slug>", "VibeReview project slug")
+    .option("--project-id <id>", "VibeReview project ID")
+    .option("--ide <ide...>", "IDE targets")
+    .option("-y, --yes", "Use provided values without project selection prompt")
+    .action((options) => initCommand({
+    serverUrl: options.serverUrl,
+    apiBaseUrl: options.apiBaseUrl,
+    apiKey: options.apiKey,
+    projectSlug: options.projectSlug,
+    projectId: options.projectId,
+    ide: options.ide,
+    yes: options.yes,
+}));
+program
+    .command("profile")
+    .description("Explain server-side VibeReview profiling")
+    .option("--push", "Deprecated; profiling runs server-side")
+    .action((options) => profileCommand({ push: options.push }));
+program
+    .command("sync")
+    .description("Sync local scan telemetry")
+    .option("--force", "Re-sync unchanged artifacts")
+    .action((options) => syncCommand({ force: options.force }));
+program.command("status").description("Show VibeReview link status").action(() => statusCommand());
+program.command("guardrails").description("List project guardrails").action(() => guardrailsCommand());
+program.parseAsync().catch((error) => {
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exitCode = 1;
+});

package/dist/profile.js

@@ -0,0 +1,113 @@
+import { readdir, readFile, stat } from "node:fs/promises";
+import { extname, join } from "node:path";
+const LANGUAGE_BY_EXTENSION = {
+    ".py": "python",
+    ".ts": "typescript",
+    ".tsx": "typescript",
+    ".js": "javascript",
+    ".jsx": "javascript",
+    ".go": "go",
+    ".java": "java",
+    ".rb": "ruby",
+    ".php": "php",
+    ".cs": "csharp",
+    ".rs": "rust",
+    ".kt": "kotlin",
+    ".swift": "swift",
+};
+const SKIP_DIRS = new Set([".git", "node_modules", ".venv", "venv", "dist", "build", ".turbo", "__pycache__"]);
+export async function profileRepository(cwd) {
+    const files = await collectFiles(cwd);
+    const languageCounts = {};
+    const frameworks = new Set();
+    const databases = new Set();
+    const auth = new Set();
+    const infrastructure = new Set();
+    const apiProtocols = new Set();
+    for (const file of files) {
+        const language = LANGUAGE_BY_EXTENSION[extname(file)];
+        if (language)
+            languageCounts[language] = (languageCounts[language] ?? 0) + 1;
+        const lower = file.toLowerCase();
+        if (lower.endsWith("package.json")) {
+            const pkg = await readJsonSafe(file);
+            const deps = { ...(pkg?.dependencies ?? {}), ...(pkg?.devDependencies ?? {}) };
+            if (deps.react)
+                frameworks.add("react");
+            if (deps.next)
+                frameworks.add("nextjs");
+            if (deps["@nestjs/core"])
+                frameworks.add("nestjs");
+            if (deps.express)
+                frameworks.add("express");
+            if (deps.hono)
+                frameworks.add("honojs");
+            if (deps["@apollo/server"])
+                apiProtocols.add("graphql");
+        }
+        if (lower.endsWith("pyproject.toml") || lower.endsWith("requirements.txt")) {
+            const text = await readFile(file, "utf8").catch(() => "");
+            if (/fastapi/i.test(text))
+                frameworks.add("fastapi");
+            if (/flask/i.test(text))
+                frameworks.add("flask");
+            if (/django/i.test(text))
+                frameworks.add("django");
+            if (/sqlalchemy/i.test(text))
+                frameworks.add("sqlalchemy");
+        }
+        if (lower.includes("dockerfile") || lower.endsWith("docker-compose.yml"))
+            infrastructure.add("docker");
+        if (lower.includes(".github/workflows"))
+            infrastructure.add("github-actions");
+        if (lower.includes("kubernetes") || lower.endsWith(".helm.yaml"))
+            infrastructure.add("kubernetes");
+        if (/postgres|postgresql/.test(lower))
+            databases.add("postgresql");
+        if (/redis/.test(lower))
+            databases.add("redis");
+        if (/mongo/.test(lower))
+            databases.add("mongodb");
+        if (/jwt|oauth|oidc|auth0|zitadel|okta|keycloak/.test(lower))
+            auth.add(RegExp.lastMatch.toLowerCase());
+        if (/openapi|swagger|graphql|grpc/.test(lower))
+            apiProtocols.add(RegExp.lastMatch.toLowerCase());
+    }
+    return {
+        languages: percentages(languageCounts),
+        frameworks: [...frameworks].sort(),
+        databases: [...databases].sort(),
+        auth: [...auth].sort(),
+        infrastructure: [...infrastructure].sort(),
+        api_protocols: [...apiProtocols].sort(),
+        generated_at: new Date().toISOString(),
+    };
+}
+async function collectFiles(root, current = root, output = []) {
+    for (const entry of await readdir(current, { withFileTypes: true }).catch(() => [])) {
+        if (entry.isDirectory()) {
+            if (!SKIP_DIRS.has(entry.name))
+                await collectFiles(root, join(current, entry.name), output);
+            continue;
+        }
+        const path = join(current, entry.name);
+        const info = await stat(path).catch(() => null);
+        if (info && info.size < 1_000_000)
+            output.push(path);
+    }
+    return output;
+}
+async function readJsonSafe(path) {
+    try {
+        return JSON.parse(await readFile(path, "utf8"));
+    }
+    catch {
+        return null;
+    }
+}
+function percentages(counts) {
+    const total = Object.values(counts).reduce((sum, value) => sum + value, 0);
+    if (total === 0)
+        return {};
+    return Object.fromEntries(Object.entries(counts).map(([key, value]) => [key, Math.round((value / total) * 100)]));
+}

package/dist/scaffold/claude-code.js

@@ -0,0 +1,43 @@
+import { join } from "node:path";
+import { readJson, writeJson, writeText, upsertBlock } from "../fs.js";
+import { mcpRemoteServerWithType } from "./mcp.js";
+import { SENTINEL_END, SENTINEL_START, claudeRuleContent, guardrailsSelectionSkillContent, syncSkillContent, threatModelSkillContent } from "./rules.js";
+export async function scaffoldClaudeCode(cwd, config) {
+    await writeMcpConfig(cwd, config);
+    await writeClaudeSettings(cwd);
+    await writeClaudeRules(cwd, config);
+}
+async function writeMcpConfig(cwd, config) {
+    const path = join(cwd, ".mcp.json");
+    const existing = (await readJson(path)) ?? {};
+    const mcpServers = existing.mcpServers ?? {};
+    mcpServers.vibreview = mcpRemoteServerWithType(config);
+    await writeJson(path, { ...existing, mcpServers });
+}
+async function writeClaudeSettings(cwd) {
+    const path = join(cwd, ".claude", "settings.json");
+    const existing = (await readJson(path)) ?? {};
+    const enabled = Array.isArray(existing.enabledMcpjsonServers) ? existing.enabledMcpjsonServers : [];
+    const allow = Array.isArray(existing.permissions?.allow)
+        ? existing.permissions.allow.filter((item) => typeof item === "string")
+        : [];
+    await writeJson(path, {
+        ...existing,
+        enabledMcpjsonServers: enabled.includes("vibreview") ? enabled : [...enabled, "vibreview"],
+        permissions: {
+            ...(typeof existing.permissions === "object" && existing.permissions ? existing.permissions : {}),
+            allow: allow.includes("mcp__vibreview") ? allow : [...allow, "mcp__vibreview"],
+        },
+    });
+}
+async function writeClaudeRules(cwd, config) {
+    const paths = {
+        guardrailsSelectionSkillDir: ".claude/skills/guardrails-selection",
+        threatModellingSkillDir: ".claude/skills/threat-modelling",
+        vibereviewSyncSkillDir: ".claude/skills/vibereview-sync",
+    };
+    await upsertBlock(join(cwd, "CLAUDE.md"), SENTINEL_START, SENTINEL_END, claudeRuleContent(config));
+    await writeText(join(cwd, ".claude", "skills", "guardrails-selection", "SKILL.md"), `${guardrailsSelectionSkillContent(config, paths)}\n`);
+    await writeText(join(cwd, ".claude", "skills", "threat-modelling", "SKILL.md"), `${threatModelSkillContent(config, paths)}\n`);
+    await writeText(join(cwd, ".claude", "skills", "vibereview-sync", "SKILL.md"), `${syncSkillContent(config)}\n`);
+}

package/dist/scaffold/codex.js

@@ -0,0 +1,41 @@
+import { join } from "node:path";
+import { readText, upsertBlock, writeText } from "../fs.js";
+import { SENTINEL_END, SENTINEL_START, codexHooksContent, codexRuleContent, guardrailsSelectionSkillContent, syncSkillContent, threatModelSkillContent } from "./rules.js";
+export async function scaffoldCodex(cwd, config) {
+    const paths = {
+        guardrailsSelectionSkillDir: ".codex/skills/guardrails-selection",
+        threatModellingSkillDir: ".codex/skills/threat-modelling",
+        vibereviewSyncSkillDir: ".codex/skills/vibereview-sync",
+    };
+    await writeCodexConfig(cwd, config);
+    await upsertBlock(join(cwd, ".codex", "AGENTS.md"), SENTINEL_START, SENTINEL_END, codexRuleContent(config));
+    await writeText(join(cwd, ".codex", "hooks.json"), codexHooksContent(config));
+    await writeText(join(cwd, ".codex", "skills", "guardrails-selection", "SKILL.md"), `${guardrailsSelectionSkillContent(config, paths)}\n`);
+    await writeText(join(cwd, ".codex", "skills", "threat-modelling", "SKILL.md"), `${threatModelSkillContent(config, paths)}\n`);
+    await writeText(join(cwd, ".codex", "skills", "vibereview-sync", "SKILL.md"), `${syncSkillContent(config)}\n`);
+}
+async function writeCodexConfig(cwd, config) {
+    const path = join(cwd, ".codex", "config.toml");
+    const existing = await readText(path);
+    const serverBlock = `
+[mcp_servers.vibreview]
+command = "npx"
+args = ["-y", "mcp-remote@latest", "${config.server_url.replace(/\/$/, "")}/mcp", "--header", "Authorization:\${AUTH_HEADER}"]
+default_tools_approval_mode = "approve"
+
+[mcp_servers.vibreview.env]
+AUTH_HEADER = "Bearer ${escapeTomlString(config.api_key ?? "")}"
+`.trim();
+    const updated = replaceTomlBlock(existing, serverBlock);
+    await writeText(path, `${updated.trim()}\n`);
+}
+function replaceTomlBlock(existing, serverBlock) {
+    if (!existing.trim())
+        return serverBlock;
+    if (!existing.includes("[mcp_servers.vibreview]"))
+        return `${existing.trimEnd()}\n\n${serverBlock}`;
+    return existing.replace(/\[mcp_servers\.vibreview][\s\S]*?(?=\n\[[^\]]+]|\s*$)/, serverBlock);
+}
+function escapeTomlString(value) {
+    return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+}

package/dist/scaffold/cursor.js

@@ -0,0 +1,45 @@
+import { join } from "node:path";
+import { readJson, writeJson, writeText } from "../fs.js";
+import { mcpRemoteServerWithType } from "./mcp.js";
+import { cursorHooksContent, cursorRuleContent, guardrailsSelectionSkillContent, syncSkillContent, threatModelSkillContent } from "./rules.js";
+export async function scaffoldCursor(cwd, config) {
+    const paths = {
+        guardrailsSelectionSkillDir: ".cursor/skills/guardrails-selection",
+        threatModellingSkillDir: ".cursor/skills/threat-modelling",
+        vibereviewSyncSkillDir: ".cursor/skills/vibereview-sync",
+    };
+    const mcpPath = join(cwd, ".cursor", "mcp.json");
+    const existing = (await readJson(mcpPath)) ?? {};
+    const mcpServers = existing.mcpServers ?? {};
+    mcpServers.vibreview = mcpRemoteServerWithType(config);
+    await writeJson(mcpPath, { ...existing, mcpServers });
+    await writeText(join(cwd, ".cursor", "rules", "vibreview-security.mdc"), cursorRuleFile(config));
+    await writeText(join(cwd, ".cursor", "hooks.json"), cursorHooksContent(config));
+    await writeText(join(cwd, ".cursor", "skills", "guardrails-selection", "SKILL.md"), `${guardrailsSelectionSkillContent(config, paths)}\n`);
+    await writeText(join(cwd, ".cursor", "skills", "threat-modelling", "SKILL.md"), `${threatModelSkillContent(config, paths)}\n`);
+    await writeText(join(cwd, ".cursor", "skills", "vibereview-sync", "SKILL.md"), `${syncSkillContent(config)}\n`);
+    await updateCursorAllowlist(cwd);
+}
+async function updateCursorAllowlist(cwd) {
+    const path = join(cwd, ".cursor", "cli.json");
+    const existing = (await readJson(path)) ?? {};
+    const permissions = existing.permissions ?? {};
+    const allow = Array.isArray(permissions.allow) ? permissions.allow.filter((item) => typeof item === "string") : [];
+    const entry = "mcp(vibreview)";
+    await writeJson(path, {
+        ...existing,
+        permissions: {
+            ...permissions,
+            allow: allow.includes(entry) ? allow : [...allow, entry],
+        },
+    });
+}
+function cursorRuleFile(config) {
+    return `---
+description: VibeReview security workflow
+alwaysApply: true
+---
+
+${cursorRuleContent(config)}
+`;
+}

package/dist/scaffold/gemini.js

@@ -0,0 +1,10 @@
+import { join } from "node:path";
+import { readJson, writeJson } from "../fs.js";
+import { mcpRemoteServer } from "./mcp.js";
+export async function scaffoldGemini(cwd, config) {
+    const path = join(cwd, ".gemini", "settings.json");
+    const existing = (await readJson(path)) ?? {};
+    const mcpServers = existing.mcpServers ?? {};
+    mcpServers.vibreview = mcpRemoteServer(config);
+    await writeJson(path, { ...existing, mcpServers });
+}

package/dist/scaffold/index.js

@@ -0,0 +1,22 @@
+import { scaffoldClaudeCode } from "./claude-code.js";
+import { scaffoldCodex } from "./codex.js";
+import { scaffoldCursor } from "./cursor.js";
+import { scaffoldGemini } from "./gemini.js";
+import { scaffoldVibeReview } from "./vibreview.js";
+import { scaffoldVSCode } from "./vscode.js";
+import { scaffoldWindsurf } from "./windsurf.js";
+export async function scaffoldProject(cwd, config) {
+    await scaffoldVibeReview(cwd, config);
+    if (config.ide.includes("claude_code"))
+        await scaffoldClaudeCode(cwd, config);
+    if (config.ide.includes("cursor"))
+        await scaffoldCursor(cwd, config);
+    if (config.ide.includes("vscode_copilot"))
+        await scaffoldVSCode(cwd, config);
+    if (config.ide.includes("codex"))
+        await scaffoldCodex(cwd, config);
+    if (config.ide.includes("gemini") || config.ide.includes("antigravity"))
+        await scaffoldGemini(cwd, config);
+    if (config.ide.includes("windsurf"))
+        await scaffoldWindsurf(cwd, config);
+}

package/dist/scaffold/mcp.js

@@ -0,0 +1,15 @@
+export function mcpRemoteServer(config) {
+    return {
+        command: "npx",
+        args: ["-y", "mcp-remote@latest", `${config.server_url.replace(/\/$/, "")}/mcp`, "--header", "Authorization:${AUTH_HEADER}"],
+        env: {
+            AUTH_HEADER: `Bearer ${config.api_key ?? ""}`,
+        },
+    };
+}
+export function mcpRemoteServerWithType(config) {
+    return {
+        type: "stdio",
+        ...mcpRemoteServer(config),
+    };
+}