@securityreviewai/securityreview-kit 0.1.48 → 0.1.50

package/dist/scaffold/rules.js

@@ -0,0 +1,191 @@
+import { readFileSync } from "node:fs";
+const TOOL_PROJECT = "`vibreview_get_tenant_project`";
+const TOOL_GUARDRAILS = "`vibreview_get_guardrails`";
+const TOOL_SYNC = "`vibreview_ctm_sync_markdown`";
+export const SENTINEL_START = "<!-- securityreview-kit:start -->";
+export const SENTINEL_END = "<!-- securityreview-kit:end -->";
+export function ruleContent(config, paths) {
+    return renderTemplate("content.md", config, paths);
+}
+export function claudeRuleContent(config) {
+    return ruleContent(config, {
+        guardrailsSelectionSkillDir: ".claude/skills/guardrails-selection",
+        threatModellingSkillDir: ".claude/skills/threat-modelling",
+        vibereviewSyncSkillDir: ".claude/skills/vibereview-sync",
+    });
+}
+export function copilotRuleContent(config) {
+    return ruleContent(config, {
+        guardrailsSelectionSkillDir: ".github/skills/guardrails-selection",
+        threatModellingSkillDir: ".github/skills/threat-modelling",
+        vibereviewSyncSkillDir: ".github/skills/vibereview-sync",
+    });
+}
+export function codexRuleContent(config) {
+    return ruleContent(config, {
+        guardrailsSelectionSkillDir: ".codex/skills/guardrails-selection",
+        threatModellingSkillDir: ".codex/skills/threat-modelling",
+        vibereviewSyncSkillDir: ".codex/skills/vibereview-sync",
+    });
+}
+export function cursorRuleContent(config) {
+    return ruleContent(config, {
+        guardrailsSelectionSkillDir: ".cursor/skills/guardrails-selection",
+        threatModellingSkillDir: ".cursor/skills/threat-modelling",
+        vibereviewSyncSkillDir: ".cursor/skills/vibereview-sync",
+    });
+}
+export function guardrailsSelectionSkillContent(config, paths = defaultPaths("cursor")) {
+    return renderTemplate("guardrails-selection.md", config, paths);
+}
+export function threatModelSkillContent(config, paths = defaultPaths("cursor")) {
+    return renderTemplate("threat-modelling.md", config, paths);
+}
+export function syncSkillContent(config, scanDir = ".vibreview/scans") {
+    return renderTemplate("vibereview-sync/SKILL.md", config, defaultPaths("cursor")).replaceAll(".vibreview/scans/", `${scanDir.replace(/\/$/, "")}/`);
+}
+export function cursorHooksContent(config) {
+    return JSON.stringify({
+        version: 1,
+        hooks: {
+            sessionStart: [
+                {
+                    command: `printf '%s\\n' '${jsonPayload(additionalContext(config)).replaceAll("'", "'\\''")}'`,
+                    timeout: 5,
+                },
+            ],
+        },
+    }, null, 2) + "\n";
+}
+export function codexHooksContent(config) {
+    return JSON.stringify({
+        hooks: {
+            SessionStart: [
+                {
+                    matcher: "startup|resume",
+                    hooks: [
+                        {
+                            type: "command",
+                            command: `printf '%s\\n' '${codexPayload(config, "SessionStart").replaceAll("'", "'\\''")}'`,
+                            timeout: 5,
+                            statusMessage: "Loading VibeReview security session policy",
+                        },
+                    ],
+                },
+            ],
+            UserPromptSubmit: [
+                {
+                    hooks: [
+                        {
+                            type: "command",
+                            command: `printf '%s\\n' '${codexPayload(config, "UserPromptSubmit").replaceAll("'", "'\\''")}'`,
+                            timeout: 5,
+                            statusMessage: "Refreshing VibeReview security session policy",
+                        },
+                    ],
+                },
+            ],
+        },
+    }, null, 2) + "\n";
+}
+export function vscodeHooksContent(config) {
+    return JSON.stringify({
+        hooks: {
+            SessionStart: [
+                {
+                    type: "command",
+                    command: `printf '%s\\n' '${codexPayload(config, "SessionStart").replaceAll("'", "'\\''")}'`,
+                    timeout: 5,
+                },
+            ],
+        },
+    }, null, 2) + "\n";
+}
+function additionalContext(config) {
+    const project = projectContext(config);
+    return [
+        "## MANDATORY VIBEREVIEW SECURITY GATE",
+        "",
+        `Configured project: ${project.name} (${project.slug}, ${project.id})`,
+        "",
+        "For any request with security impact, follow this order:",
+        "",
+        `1. Resolve the tenant/project with ${TOOL_PROJECT} using project_id="${project.id}" or project_slug="${project.slug}".`,
+        `2. Fetch VibeReview guardrails with ${TOOL_GUARDRAILS}, shortlist relevant guardrails, and preserve that shortlist.`,
+        "3. Run PWNISMS threat modelling before implementation.",
+        "4. Implement secure code using the threat model and shortlisted guardrails.",
+        `5. Write one markdown artifact under .vibreview/scans/ and call ${TOOL_SYNC} immediately after writing it.`,
+        "",
+        "No deferral. No local profiling. The main agent owns the final markdown sync.",
+    ].join("\\n");
+}
+function codexPayload(config, hookEventName) {
+    return JSON.stringify({
+        hookSpecificOutput: {
+            hookEventName,
+            additionalContext: additionalContext(config),
+        },
+    });
+}
+function jsonPayload(additionalContext) {
+    return JSON.stringify({ additional_context: additionalContext });
+}
+function renderTemplate(templatePath, config, paths) {
+    const project = projectContext(config);
+    const template = readFileSync(new URL(`../../templates/shared/${templatePath}`, import.meta.url), "utf8").trim();
+    return template
+        .replaceAll("Configured SRAI project name: `<SRAI_PROJECT_NAME>`", [
+        `Configured VibeReview project: \`${project.name}\``,
+        `Project slug: \`${project.slug}\``,
+        `Project id: \`${project.id}\``,
+    ].join("\n"))
+        .replaceAll("Configured SRAI project name: `<SRAI_PROJECT_NAME>`", `Configured VibeReview project: \`${project.name}\``)
+        .replaceAll("name=\"<SRAI_PROJECT_NAME>\"", `project_id="${project.id}", project_slug="${project.slug}", project_name="${project.name}"`)
+        .replaceAll("<SRAI_PROJECT_NAME>", project.name)
+        .replaceAll("{{SRAI_PROJECT_NAME}}", project.name)
+        .replaceAll("SRAI", "VibeReview")
+        .replaceAll("srai", "vibreview")
+        .replaceAll("security-review-mcp", "vibreview")
+        .replaceAll("find_project_by_name", "vibreview_get_tenant_project")
+        .replaceAll("list_projects", "vibreview_get_tenant_project")
+        .replaceAll("create_project", "vibreview_get_tenant_project")
+        .replaceAll("get_project", "vibreview_get_tenant_project")
+        .replaceAll("get_guardrails", "vibreview_get_guardrails")
+        .replaceAll("get_guardrail_by_id", "the exact returned guardrail entry")
+        .replaceAll("sync_ai_ide_markdown", "vibreview_ctm_sync_markdown")
+        .replaceAll("update_vibe_profile", "server-side repository profiling")
+        .replaceAll("write_default_pack", "server-side guardrail pack selection")
+        .replaceAll("`vibereview/`", "`.vibreview/scans/`")
+        .replaceAll("vibereview/*.md", ".vibreview/scans/*.md")
+        .replaceAll("vibereview/<chat_session_id>-<slugified-title-or-event-name>.md", ".vibreview/scans/<chat_session_id>-<slugified-title-or-event-name>.md")
+        .replaceAll("under `vibereview/`", "under `.vibreview/scans/`")
+        .replaceAll("in `vibereview/`", "in `.vibreview/scans/`")
+        .replaceAll("`{{GUARDRAILS_SELECTION_SKILL_DIR}}/SKILL.md`", `\`${paths.guardrailsSelectionSkillDir}/SKILL.md\``)
+        .replaceAll("`{{THREAT_MODELLING_SKILL_DIR}}/SKILL.md`", `\`${paths.threatModellingSkillDir}/SKILL.md\``)
+        .replaceAll("`{{VIBEREVIEW_SYNC_SKILL_DIR}}/SKILL.md`", `\`${paths.vibereviewSyncSkillDir}/SKILL.md\``)
+        .replaceAll("{{GUARDRAILS_SELECTION_SKILL_DIR}}", paths.guardrailsSelectionSkillDir)
+        .replaceAll("{{THREAT_MODELLING_SKILL_DIR}}", paths.threatModellingSkillDir)
+        .replaceAll("{{VIBEREVIEW_SYNC_SKILL_DIR}}", paths.vibereviewSyncSkillDir)
+        .replaceAll("name=\"{{SRAI_PROJECT_NAME}}\"", `project_id="${project.id}"`)
+        .replaceAll("name=\"<VibeReview_PROJECT_NAME>\"", `project_id="${project.id}", project_slug="${project.slug}", project_name="${project.name}"`)
+        .replaceAll("The old profile walkthrough is no longer part of the agent workflow.", "Local profile walkthroughs are no longer part of the IDE workflow; profiling happens server-side after project creation.")
+        .replaceAll("Profiler only | `server-side repository profiling`, `server-side guardrail pack selection` are used by init-time profiling, not normal coding tasks", "Profiler only | Server-side repository profiling and guardrail pack selection happen after project creation, not during normal IDE coding tasks");
+}
+function defaultPaths(ide) {
+    const root = ide === "claude" ? ".claude/skills" : ide === "vscode" ? ".github/skills" : ide === "codex" ? ".codex/skills" : ".cursor/skills";
+    return {
+        guardrailsSelectionSkillDir: `${root}/guardrails-selection`,
+        threatModellingSkillDir: `${root}/threat-modelling`,
+        vibereviewSyncSkillDir: `${root}/vibereview-sync`,
+    };
+}
+function projectContext(config) {
+    return {
+        id: sanitize(config.project_id || config.project_slug),
+        slug: sanitize(config.project_slug),
+        name: sanitize(config.project_name || config.project_slug),
+    };
+}
+function sanitize(value) {
+    return value.replace(/[\r\n`]/g, " ").trim();
+}

package/dist/scaffold/vibreview.js

@@ -0,0 +1,30 @@
+import { join } from "node:path";
+import { CONFIG_DIR, SCANS_DIR, SYNC_STATE_PATH, writeConfig } from "../config.js";
+import { ensureDir, readJson, upsertBlock, writeJson } from "../fs.js";
+const GITIGNORE_START = "# BEGIN VibeReview";
+const GITIGNORE_END = "# END VibeReview";
+export async function scaffoldVibeReview(cwd, config) {
+    await ensureDir(join(cwd, CONFIG_DIR));
+    await ensureDir(join(cwd, SCANS_DIR));
+    await writeConfig(cwd, config);
+    const existingSyncState = await readJson(join(cwd, SYNC_STATE_PATH));
+    if (!existingSyncState)
+        await writeJson(join(cwd, SYNC_STATE_PATH), { version: 1, artifacts: {} });
+    await upsertBlock(join(cwd, ".gitignore"), GITIGNORE_START, GITIGNORE_END, gitignoreEntries(config).join("\n"));
+}
+function gitignoreEntries(config) {
+    const entries = [".vibreview/config.json", ".vibreview/sync-state.json", ".vibreview/scans/"];
+    if (config.ide.includes("claude_code"))
+        entries.push(".mcp.json");
+    if (config.ide.includes("cursor"))
+        entries.push(".cursor/mcp.json");
+    if (config.ide.includes("vscode_copilot"))
+        entries.push(".vscode/mcp.json");
+    if (config.ide.includes("codex"))
+        entries.push(".codex/config.toml");
+    if (config.ide.includes("gemini") || config.ide.includes("antigravity"))
+        entries.push(".gemini/settings.json");
+    if (config.ide.includes("windsurf"))
+        entries.push(".windsurf/mcp_config.json");
+    return entries;
+}

package/dist/scaffold/vscode.js

@@ -0,0 +1,28 @@
+import { join } from "node:path";
+import { readJson, writeJson, writeText, upsertBlock } from "../fs.js";
+import { mcpRemoteServerWithType } from "./mcp.js";
+import { SENTINEL_END, SENTINEL_START, copilotRuleContent, guardrailsSelectionSkillContent, syncSkillContent, threatModelSkillContent, vscodeHooksContent } from "./rules.js";
+export async function scaffoldVSCode(cwd, config) {
+    const paths = {
+        guardrailsSelectionSkillDir: ".github/skills/guardrails-selection",
+        threatModellingSkillDir: ".github/skills/threat-modelling",
+        vibereviewSyncSkillDir: ".github/skills/vibereview-sync",
+    };
+    const settingsPath = join(cwd, ".vscode", "settings.json");
+    const existing = (await readJson(settingsPath)) ?? {};
+    await writeJson(settingsPath, {
+        ...existing,
+        "vibreview.serverUrl": config.server_url,
+        "vibreview.projectSlug": config.project_slug,
+    });
+    const mcpPath = join(cwd, ".vscode", "mcp.json");
+    const mcpConfig = (await readJson(mcpPath)) ?? {};
+    const servers = mcpConfig.servers ?? {};
+    servers.vibreview = mcpRemoteServerWithType(config);
+    await writeJson(mcpPath, { ...mcpConfig, servers });
+    await upsertBlock(join(cwd, ".github", "copilot-instructions.md"), SENTINEL_START, SENTINEL_END, copilotRuleContent(config));
+    await writeText(join(cwd, ".github", "hooks", "vibreview-session-policy.json"), vscodeHooksContent(config));
+    await writeText(join(cwd, ".github", "skills", "guardrails-selection", "SKILL.md"), `${guardrailsSelectionSkillContent(config, paths)}\n`);
+    await writeText(join(cwd, ".github", "skills", "threat-modelling", "SKILL.md"), `${threatModelSkillContent(config, paths)}\n`);
+    await writeText(join(cwd, ".github", "skills", "vibereview-sync", "SKILL.md"), `${syncSkillContent(config)}\n`);
+}

package/dist/scaffold/windsurf.js

@@ -0,0 +1,10 @@
+import { join } from "node:path";
+import { readJson, writeJson } from "../fs.js";
+import { mcpRemoteServer } from "./mcp.js";
+export async function scaffoldWindsurf(cwd, config) {
+    const path = join(cwd, ".windsurf", "mcp_config.json");
+    const existing = (await readJson(path)) ?? {};
+    const mcpServers = existing.mcpServers ?? {};
+    mcpServers.vibreview = mcpRemoteServer(config);
+    await writeJson(path, { ...existing, mcpServers });
+}

package/dist/sync/index.js

@@ -0,0 +1,34 @@
+import { readdir, readFile } from "node:fs/promises";
+import { join } from "node:path";
+import { VibeReviewApiClient } from "../api.js";
+import { SCANS_DIR, readConfig, writeConfig } from "../config.js";
+import { buildSyncMarkdownPayload } from "./payload.js";
+import { readSyncState, writeSyncState } from "./state.js";
+export async function syncTelemetry(cwd, options = {}) {
+    const config = await readConfig(cwd);
+    if (!config)
+        throw new Error("VibeReview is not initialized. Run `securityreview-kit init` first.");
+    const scanDir = join(cwd, SCANS_DIR);
+    const files = (await readdir(scanDir).catch(() => [])).filter((file) => file.endsWith(".md")).sort();
+    const state = await readSyncState(cwd);
+    const client = new VibeReviewApiClient(config);
+    let synced = 0;
+    let skipped = 0;
+    for (const file of files) {
+        const path = join(scanDir, file);
+        const content = await readFile(path, "utf8");
+        const payload = buildSyncMarkdownPayload(config.project_slug, path, content, config.ide[0]);
+        const previous = state.artifacts[payload.artifact_id];
+        if (!options.force && previous?.artifact_hash === payload.artifact_hash) {
+            skipped++;
+            continue;
+        }
+        await client.syncCTMMarkdown(config.project_slug, payload);
+        const syncedAt = new Date().toISOString();
+        state.artifacts[payload.artifact_id] = { artifact_hash: payload.artifact_hash, synced_at: syncedAt };
+        synced++;
+    }
+    await writeSyncState(cwd, state);
+    await writeConfig(cwd, { ...config, last_synced: new Date().toISOString() });
+    return { synced, skipped };
+}

package/dist/sync/payload.js

@@ -0,0 +1,23 @@
+import { createHash, randomUUID } from "node:crypto";
+import { basename } from "node:path";
+export function artifactHash(content) {
+    return createHash("sha256").update(content).digest("hex");
+}
+export function buildSyncMarkdownPayload(projectSlug, filePath, content, ide) {
+    const hash = artifactHash(content);
+    const artifactId = basename(filePath).replace(/\.md$/i, "");
+    return {
+        markdown: content,
+        session_id: artifactId || randomUUID(),
+        artifact_id: artifactId || hash.slice(0, 16),
+        artifact_hash: hash,
+        idempotency_key: `${projectSlug}:${artifactId}:${hash}`,
+        generated_at: new Date().toISOString(),
+        file_name: basename(filePath),
+        ide,
+        metadata: {
+            source: "securityreview-kit",
+            file_path: filePath,
+        },
+    };
+}

package/dist/sync/state.js

@@ -0,0 +1,12 @@
+import { join } from "node:path";
+import { SYNC_STATE_PATH } from "../config.js";
+import { readJson, writeJson } from "../fs.js";
+export async function readSyncState(cwd) {
+    return ((await readJson(join(cwd, SYNC_STATE_PATH))) ?? {
+        version: 1,
+        artifacts: {},
+    });
+}
+export async function writeSyncState(cwd, state) {
+    await writeJson(join(cwd, SYNC_STATE_PATH), state);
+}

package/dist/types.js

@@ -0,0 +1 @@
+export {};

package/package.json

@@ -1,44 +1,38 @@
 {
   "name": "@securityreviewai/securityreview-kit",
-  "version": "0.1.48",
-  "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
-  "author": "Debarshi Das <debarshi.das@we45.com>",
-  "license": "UNLICENSED",
+  "version": "0.1.50",
   "type": "module",
+  "publishConfig": {
+    "access": "public"
+  },
   "bin": {
-    "securityreview-kit": "./bin/securityreview-kit.js"
+    "securityreview-kit": "./dist/index.js",
+    "vibreview": "./dist/index.js"
   },
   "files": [
-    "bin/",
-    "src/",
+    "dist",
+    "templates",
     "README.md"
   ],
-  "engines": {
-    "node": ">=18"
-  },
   "scripts": {
-    "test": "node --test",
-    "start": "node bin/securityreview-kit.js"
+    "build": "tsc -p tsconfig.json",
+    "dev": "tsx src/index.ts",
+    "lint": "tsc -p tsconfig.json --noEmit",
+    "test": "vitest run"
   },
-  "keywords": [
-    "security",
-    "mcp",
-    "security-review",
-    "srai",
-    "ai-ide",
-    "cursor",
-    "claude",
-    "codex",
-    "gemini",
-    "windsurf",
-    "vscode"
-  ],
   "dependencies": {
-    "chalk": "^5.4.0",
-    "commander": "^13.0.0",
-    "inquirer": "^12.0.0"
+    "chalk": "^5.6.2",
+    "commander": "^14.0.2",
+    "inquirer": "^12.10.0",
+    "zod": "^4.4.3"
   },
-  "publishConfig": {
-    "access": "public"
+  "devDependencies": {
+    "@types/node": "^25.6.0",
+    "tsx": "^4.21.0",
+    "typescript": "^5.9.3",
+    "vitest": "^4.1.5"
+  },
+  "engines": {
+    "node": ">=20"
   }
 }

package/templates/claude/CLAUDE.md

@@ -0,0 +1,13 @@
+# VibeReview Security Workflow
+
+When implementing or changing code in this repository:
+
+1. Resolve the current tenant/project with `vibreview_get_tenant_project`.
+2. Fetch the project's guardrail bundle with `vibreview_get_guardrails`.
+3. Locally shortlist the guardrails relevant to the user's requested feature or change.
+4. Before editing, write a concise threat model for the requested change.
+5. Implement the change while preserving the shortlisted guardrails.
+6. Record the review/threat-model outcome as one markdown artifact in `.vibreview/scans/`.
+7. Sync the markdown artifact with `vibreview_ctm_sync_markdown`.
+
+Do not run local repository profiling from the IDE. VibeReview profiles the repository server-side after project creation and stores the relevant guardrails for this tenant/project in the MCP-backed KV cache.

package/templates/claude/agents/guardrail_profiler.md

@@ -0,0 +1,12 @@
+# Guardrail Selector
+
+Use this agent when a task needs careful guardrail selection before code changes.
+
+Do not profile the local repository from the IDE. VibeReview SaaS profiles repositories server-side after project creation and projects the required guardrails into the MCP/KV path.
+
+Workflow:
+
+1. Call `vibreview_get_tenant_project`.
+2. Call `vibreview_get_guardrails`.
+3. Rank guardrails by direct relevance to the user request, changed files, data handled, entry points, auth/authorization boundaries, and external integrations.
+4. Return the shortlisted guardrail IDs, names, and the reason each one applies.

package/templates/claude/agents/threat_modeler.md

@@ -0,0 +1,5 @@
+# Threat Modeler
+
+Placeholder agent definition for future VibeReview threat modeling automation.
+
+Before implementation, use `vibreview_get_tenant_project` and `vibreview_get_guardrails`, shortlist the relevant guardrails locally, and identify likely threats, mitigations, standards mappings, and residual risk. Keep the model concise enough to sync as one markdown artifact with `vibreview_ctm_sync_markdown`.

package/templates/claude/skills/vibreview/SKILL.md

@@ -0,0 +1,21 @@
+# VibeReview Skill
+
+Use this skill for VibeReview-aware secure coding sessions.
+
+## Fast Sync Rules
+
+- Write one telemetry artifact per task in `.vibreview/scans/`.
+- Keep the artifact readable markdown: task, threat model, selected guardrails, decisions, and follow-up risks.
+- Avoid pasting large diffs or full files into telemetry unless necessary.
+- Include guardrail IDs, affected files, and concise evidence when useful.
+- Call `vibreview_ctm_sync_markdown` immediately after implementation or threat model updates.
+
+## Workflow
+
+1. Load tenant/project context with `vibreview_get_tenant_project`.
+2. Fetch guardrails with `vibreview_get_guardrails`.
+3. Filter and rank the returned guardrails locally for the requested feature.
+4. Threat model before editing.
+5. Implement with guardrails applied.
+6. Record markdown telemetry.
+7. Sync with `vibreview_ctm_sync_markdown`.

package/templates/claude/skills/vibreview/guardrail_patterns.md

@@ -0,0 +1,12 @@
+# Guardrail Patterns
+
+Fetch the project guardrail bundle with `vibreview_get_guardrails`, then filter locally against the feature request, touched files, framework, data flow, and threat model.
+
+- Authentication: login, sessions, password handling, MFA, tokens.
+- Authorization: role checks, object ownership, tenant isolation.
+- Persistence: database queries, ORM usage, migrations.
+- Validation: input parsing, bounds, schemas, file uploads.
+- Data Exposure: logs, errors, secrets, sensitive output.
+- Transport: TLS, headers, callbacks, API clients.
+
+For broad changes, build a shortlist before editing. Prefer guardrails with direct category, title, instruction, severity, or metadata matches. Keep the selected guardrail IDs in the `.vibreview/scans/` markdown artifact so VibeReview can connect the IDE-side work back to the server-side guardrail set.

package/templates/cursor/rules/vibreview-security.mdc

@@ -0,0 +1,8 @@
+---
+description: VibeReview security workflow
+alwaysApply: true
+---
+
+Before security-relevant code changes, use `vibreview_get_tenant_project` to resolve the tenant/project, then call `vibreview_get_guardrails` to fetch the project guardrail bundle. Filter and rank the returned guardrails locally against the user's requested feature before implementing.
+
+Record one readable markdown artifact in `.vibreview/scans/` with the threat model, selected guardrail IDs, decisions, and important evidence. Sync it with `vibreview_ctm_sync_markdown`. Do not run local repository profiling; VibeReview handles profiling server-side after project creation.

package/README.md

@@ -1,105 +0,0 @@
-# @securityreviewai/securityreview-kit
-
-> Bootstrap [security-review-mcp](https://www.npmjs.com/package/security-review-mcp) for AI IDEs and CLI tools in one command.
-
-**@securityreviewai/securityreview-kit** configures the SRAI security review MCP server and installs workspace rules so your AI assistant consults security threat models and countermeasures *before* generating code.
-
-## Quick Start
-
-```bash
-# Interactive mode (recommended)
-npx @securityreviewai/securityreview-kit init
-
-# Or specify targets directly
-npx @securityreviewai/securityreview-kit init --target cursor --api-url https://api.example.com --api-key YOUR_TOKEN
-
-# Install for multiple targets
-npx @securityreviewai/securityreview-kit init --target cursor claude vscode
-
-# Install for all supported targets
-npx @securityreviewai/securityreview-kit init --all --api-url https://api.example.com --api-key YOUR_TOKEN
-
-# Re-open project selection menu and update installed rules
-npx @securityreviewai/securityreview-kit init --switch-project
-```
-
-## Supported Targets
-
-| Target | Flag | MCP Config | Workspace Rule |
-|---|---|---|---|
-| Cursor | `cursor` | `.cursor/mcp.json` | `.cursor/rules/srai-security-review.mdc`, `.cursor/rules/guardrails_rule.mdc`, `.cursor/commands/srai-profile.md`, `.cursor/commands/guardrails-init-profile.md`, `.cursor/skills/threat-modelling/SKILL.md`, `.cursor/skills/vibereview-sync/SKILL.md`, `.cursor/hooks.json` |
-| Claude Code | `claude` | `.mcp.json` | `.claude/CLAUDE.md`, `.claude/settings.json`, `.claude/skills/threat-modelling/SKILL.md`, `.claude/skills/vibereview-sync/SKILL.md`, `.claude/skills/guardrails-profiler/SKILL.md`, `.claude/skills/guardrails-selection/SKILL.md`, `.claude/commands/guardrails-init-profile.md` |
-| VS Code Copilot | `vscode` | `.vscode/mcp.json` | `.github/copilot-instructions.md`, `.github/skills/threat-modelling/SKILL.md`, `.github/skills/vibereview-sync/SKILL.md`, `.github/skills/guardrails-profiler/SKILL.md`, `.github/skills/guardrails-selection/SKILL.md`, `.github/hooks/srai-session-policy.json` |
-| Windsurf | `windsurf` | `.windsurf/mcp_config.json` | `.windsurf/rules/srai-security-review.md` |
-| Codex | `codex` | `.codex/config.toml` | `.codex/AGENTS.md`, `.codex/skills/threat-modelling/SKILL.md`, `.codex/skills/vibereview-sync/SKILL.md`, `.codex/skills/guardrails-profiler/SKILL.md`, `.codex/skills/guardrails-selection/SKILL.md`, `.codex/hooks.json`, `.codex/commands/guardrails-init-profile.md` |
-| Gemini CLI | `gemini` | `.gemini/settings.json` | `GEMINI.md` |
-| Antigravity | `antigravity` | `.gemini/settings.json` | `.agents/rules/srai-security-review.md` |
-
-## Commands
-
-### `@securityreviewai/securityreview-kit init`
-
-Configure security-review-mcp for your IDE/CLI. Runs interactively when no flags are provided.
-
-```
-Options:
-  -t, --target <name...>  Target IDE/CLI (cursor, claude, vscode, windsurf, codex, gemini, antigravity)
-  -a, --all               Install for all supported targets
-  --project-name <name>   (Optional) Preselect project name from fetched API project list
-  --api-url <url>         SRAI API URL (or set SECURITY_REVIEW_API_URL env var)
-  --api-key <token>       SRAI API Token (or set SECURITY_REVIEW_API_TOKEN env var)
-  --switch-project        Fetch projects and only update mapped workspace rules
-  --skip-mcp              Skip MCP server config installation
-  --skip-rules            Skip workspace rule installation
-  --profile-repo          Run the guardrails profiler after init
-  --profiler-claude-login Run Claude Code login before profiling
-  --claude-auth-mode <mode>
-                          Claude profiling auth mode: current, claudeai, console, api_key, gateway, bedrock, vertex, or setup_token
-  --claude-api-key <key>  Anthropic API key for Claude profiling
-  --claude-base-url <url> Anthropic-compatible base URL for Claude profiling
-  --claude-auth-token <token>
-                          Auth token for Claude profiling gateway mode
-  --claude-provider-model <model>
-                          Optional Claude provider model override for gateway, Bedrock, or Vertex profiling
-  --profiler-copilot-login
-                          Run GitHub Copilot CLI login before VS Code Copilot profiling
-  --profiler-codex-login  Run Codex login before Codex profiling
-  --profiler-verbose      Show live profiler output while profiling runs
-  --show-profiler-logs    Alias for --profiler-verbose
-```
-
-### `@securityreviewai/securityreview-kit init --switch-project`
-
-Fetches projects from `https://<api-url>/api/projects/` using `Authorization: Bearer <api-key>`, shows a single-select menu, and updates installed workspace rules with the selected project.
-
-### `@securityreviewai/securityreview-kit status`
-
-Show current configuration status for all supported targets in the workspace.
-
-## Environment Variables
-
-| Variable | Description |
-|---|---|
-| `SECURITY_REVIEW_PROJECT_NAME` | Optional default project name to preselect in the project menu |
-| `SECURITY_REVIEW_API_URL` | SRAI platform API endpoint |
-| `SECURITY_REVIEW_API_TOKEN` | Your SRAI API token |
-
-These can be provided via CLI flags, environment variables, or interactive prompts.
-
-## What Gets Installed
-
-**MCP Server Config** — tells your IDE how to launch the `security-review-mcp` server via `npx`.
-
-**Workspace Rules** — instructs the AI assistant to consult SRAI threat models and countermeasures before generating security-relevant code. If configured, the selected SRAI project name is injected into the MCP workflow instructions in the installed rule content.
-
-## How It Works
-
-1. Run `@securityreviewai/securityreview-kit init`
-2. Select your IDE/CLI target(s)
-3. Choose whether to install workspace rules and MCP config
-4. If MCP is selected, enter your SRAI credentials (API URL, token)
-5. The tool fetches `/api/projects/` and you select exactly one SRAI project from the menu
-6. The tool creates/merges MCP config and workspace rule files
-7. Your AI assistant now has access to SRAI security reviews
-
-The tool is **idempotent** — running it multiple times safely updates existing configs without duplicating content.

package/bin/securityreview-kit.js

@@ -1,5 +0,0 @@
-#!/usr/bin/env node
-
-import { run } from '../src/cli.js';
-
-run();