@securityreviewai/securityreview-kit 0.1.50 → 0.1.52

package/README.md

@@ -0,0 +1,105 @@
+# @securityreviewai/securityreview-kit
+
+> Bootstrap [security-review-mcp](https://www.npmjs.com/package/security-review-mcp) for AI IDEs and CLI tools in one command.
+
+**@securityreviewai/securityreview-kit** configures the SRAI security review MCP server and installs workspace rules so your AI assistant consults security threat models and countermeasures *before* generating code.
+
+## Quick Start
+
+```bash
+# Interactive mode (recommended)
+npx @securityreviewai/securityreview-kit init
+
+# Or specify targets directly
+npx @securityreviewai/securityreview-kit init --target cursor --api-url https://api.example.com --api-key YOUR_TOKEN
+
+# Install for multiple targets
+npx @securityreviewai/securityreview-kit init --target cursor claude vscode
+
+# Install for all supported targets
+npx @securityreviewai/securityreview-kit init --all --api-url https://api.example.com --api-key YOUR_TOKEN
+
+# Re-open project selection menu and update installed rules
+npx @securityreviewai/securityreview-kit init --switch-project
+```
+
+## Supported Targets
+
+| Target | Flag | MCP Config | Workspace Rule |
+|---|---|---|---|
+| Cursor | `cursor` | `.cursor/mcp.json` | `.cursor/rules/srai-security-review.mdc`, `.cursor/rules/guardrails_rule.mdc`, `.cursor/commands/srai-profile.md`, `.cursor/commands/guardrails-init-profile.md`, `.cursor/skills/threat-modelling/SKILL.md`, `.cursor/skills/vibereview-sync/SKILL.md`, `.cursor/hooks.json` |
+| Claude Code | `claude` | `.mcp.json` | `.claude/CLAUDE.md`, `.claude/settings.json`, `.claude/skills/threat-modelling/SKILL.md`, `.claude/skills/vibereview-sync/SKILL.md`, `.claude/skills/guardrails-profiler/SKILL.md`, `.claude/skills/guardrails-selection/SKILL.md`, `.claude/commands/guardrails-init-profile.md` |
+| VS Code Copilot | `vscode` | `.vscode/mcp.json` | `.github/copilot-instructions.md`, `.github/skills/threat-modelling/SKILL.md`, `.github/skills/vibereview-sync/SKILL.md`, `.github/skills/guardrails-profiler/SKILL.md`, `.github/skills/guardrails-selection/SKILL.md`, `.github/hooks/srai-session-policy.json` |
+| Windsurf | `windsurf` | `.windsurf/mcp_config.json` | `.windsurf/rules/srai-security-review.md` |
+| Codex | `codex` | `.codex/config.toml` | `.codex/AGENTS.md`, `.codex/skills/threat-modelling/SKILL.md`, `.codex/skills/vibereview-sync/SKILL.md`, `.codex/skills/guardrails-profiler/SKILL.md`, `.codex/skills/guardrails-selection/SKILL.md`, `.codex/hooks.json`, `.codex/commands/guardrails-init-profile.md` |
+| Gemini CLI | `gemini` | `.gemini/settings.json` | `GEMINI.md` |
+| Antigravity | `antigravity` | `.gemini/settings.json` | `.agents/rules/srai-security-review.md` |
+
+## Commands
+
+### `@securityreviewai/securityreview-kit init`
+
+Configure security-review-mcp for your IDE/CLI. Runs interactively when no flags are provided.
+
+```
+Options:
+  -t, --target <name...>  Target IDE/CLI (cursor, claude, vscode, windsurf, codex, gemini, antigravity)
+  -a, --all               Install for all supported targets
+  --project-name <name>   (Optional) Preselect project name from fetched API project list
+  --api-url <url>         SRAI API URL (or set SECURITY_REVIEW_API_URL env var)
+  --api-key <token>       SRAI API Token (or set SECURITY_REVIEW_API_TOKEN env var)
+  --switch-project        Fetch projects and only update mapped workspace rules
+  --skip-mcp              Skip MCP server config installation
+  --skip-rules            Skip workspace rule installation
+  --profile-repo          Run the guardrails profiler after init
+  --profiler-claude-login Run Claude Code login before profiling
+  --claude-auth-mode <mode>
+                          Claude profiling auth mode: current, claudeai, console, api_key, gateway, bedrock, vertex, or setup_token
+  --claude-api-key <key>  Anthropic API key for Claude profiling
+  --claude-base-url <url> Anthropic-compatible base URL for Claude profiling
+  --claude-auth-token <token>
+                          Auth token for Claude profiling gateway mode
+  --claude-provider-model <model>
+                          Optional Claude provider model override for gateway, Bedrock, or Vertex profiling
+  --profiler-copilot-login
+                          Run GitHub Copilot CLI login before VS Code Copilot profiling
+  --profiler-codex-login  Run Codex login before Codex profiling
+  --profiler-verbose      Show live profiler output while profiling runs
+  --show-profiler-logs    Alias for --profiler-verbose
+```
+
+### `@securityreviewai/securityreview-kit init --switch-project`
+
+Fetches projects from `https://<api-url>/api/projects/` using `Authorization: Bearer <api-key>`, shows a single-select menu, and updates installed workspace rules with the selected project.
+
+### `@securityreviewai/securityreview-kit status`
+
+Show current configuration status for all supported targets in the workspace.
+
+## Environment Variables
+
+| Variable | Description |
+|---|---|
+| `SECURITY_REVIEW_PROJECT_NAME` | Optional default project name to preselect in the project menu |
+| `SECURITY_REVIEW_API_URL` | SRAI platform API endpoint |
+| `SECURITY_REVIEW_API_TOKEN` | Your SRAI API token |
+
+These can be provided via CLI flags, environment variables, or interactive prompts.
+
+## What Gets Installed
+
+**MCP Server Config** — tells your IDE how to launch the `security-review-mcp` server via `npx`.
+
+**Workspace Rules** — instructs the AI assistant to consult SRAI threat models and countermeasures before generating security-relevant code. If configured, the selected SRAI project name is injected into the MCP workflow instructions in the installed rule content.
+
+## How It Works
+
+1. Run `@securityreviewai/securityreview-kit init`
+2. Select your IDE/CLI target(s)
+3. Choose whether to install workspace rules and MCP config
+4. If MCP is selected, enter your SRAI credentials (API URL, token)
+5. The tool fetches `/api/projects/` and you select exactly one SRAI project from the menu
+6. The tool creates/merges MCP config and workspace rule files
+7. Your AI assistant now has access to SRAI security reviews
+
+The tool is **idempotent** — running it multiple times safely updates existing configs without duplicating content.

package/bin/securityreview-kit.js

@@ -0,0 +1,5 @@
+#!/usr/bin/env node
+
+import { run } from '../src/cli.js';
+
+run();

package/package.json

@@ -1,38 +1,44 @@
 {
   "name": "@securityreviewai/securityreview-kit",
-  "version": "0.1.50",
+  "version": "0.1.52",
+  "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
+  "author": "Debarshi Das <debarshi.das@we45.com>",
+  "license": "UNLICENSED",
   "type": "module",
-  "publishConfig": {
-    "access": "public"
-  },
   "bin": {
-    "securityreview-kit": "./dist/index.js",
-    "vibreview": "./dist/index.js"
+    "securityreview-kit": "./bin/securityreview-kit.js"
   },
   "files": [
-    "dist",
-    "templates",
+    "bin/",
+    "src/",
     "README.md"
   ],
+  "engines": {
+    "node": ">=18"
+  },
   "scripts": {
-    "build": "tsc -p tsconfig.json",
-    "dev": "tsx src/index.ts",
-    "lint": "tsc -p tsconfig.json --noEmit",
-    "test": "vitest run"
+    "test": "node --test",
+    "start": "node bin/securityreview-kit.js"
   },
+  "keywords": [
+    "security",
+    "mcp",
+    "security-review",
+    "srai",
+    "ai-ide",
+    "cursor",
+    "claude",
+    "codex",
+    "gemini",
+    "windsurf",
+    "vscode"
+  ],
   "dependencies": {
-    "chalk": "^5.6.2",
-    "commander": "^14.0.2",
-    "inquirer": "^12.10.0",
-    "zod": "^4.4.3"
-  },
-  "devDependencies": {
-    "@types/node": "^25.6.0",
-    "tsx": "^4.21.0",
-    "typescript": "^5.9.3",
-    "vitest": "^4.1.5"
+    "chalk": "^5.4.0",
+    "commander": "^13.0.0",
+    "inquirer": "^12.0.0"
   },
-  "engines": {
-    "node": ">=20"
+  "publishConfig": {
+    "access": "public"
   }
 }

package/src/cli.js

@@ -0,0 +1,109 @@
+import { Command } from 'commander';
+import { initCommand } from './commands/init.js';
+import { statusCommand } from './commands/status.js';
+import { switchProjectCommand } from './commands/switch-project.js';
+import { TARGET_NAMES } from './utils/constants.js';
+
+export function run() {
+    const program = new Command();
+
+    program
+        .name('securityreview-kit')
+        .description('Bootstrap security-review-mcp for AI IDEs and CLI tools')
+        .version('0.1.0');
+
+    program
+        .command('init')
+        .description('Configure security-review-mcp for your IDE / CLI tool')
+        .option(
+            '-t, --target <name...>',
+            `Target IDE/CLI (${TARGET_NAMES.join(', ')}). Omit for interactive mode.`,
+        )
+        .option('-a, --all', 'Install for all supported targets')
+        .option('--project-name <name>', 'Default SRAI project name to preselect in project menu')
+        .option('--api-url <url>', 'SRAI API URL (or set SECURITY_REVIEW_API_URL env var)')
+        .option('--api-key <token>', 'SRAI API Token (or set SECURITY_REVIEW_API_TOKEN env var)')
+        .option('--switch-project', 'Fetch projects and only update mapped workspace rules')
+        .option('--skip-mcp', 'Skip MCP server config installation')
+        .option('--skip-rules', 'Skip workspace rule installation')
+        .option('--skip-ide-cli-install', 'Do not install Cursor / Copilot / Claude Code / Codex CLIs when those targets are selected')
+        .option('--profile-repo', 'After init, run the guardrails profiler agent (non-interactive; needs cursor, vscode, claude, or codex target)')
+        .option('--no-profile-repo', 'Skip the optional profiler agent step after init')
+        .option(
+            '--profiler-no-trust',
+            'When profiling with Cursor, do not pass --trust (use if you need interactive workspace trust or login in the terminal)',
+        )
+        .option(
+            '--profiler-cursor-login',
+            'Before Cursor profiling, run `agent login` (or `cursor-agent login`) in this terminal (then profiling runs in the same init)',
+        )
+        .option(
+            '--profiler-claude-login',
+            'Before Claude Code profiling, run `claude auth login` in this terminal',
+        )
+        .option(
+            '--claude-auth-mode <mode>',
+            'Claude profiling auth mode: current, claudeai, console, api_key, gateway, bedrock, vertex, or setup_token',
+        )
+        .option(
+            '--claude-api-key <key>',
+            'Anthropic API key for Claude profiling when using --claude-auth-mode api_key',
+        )
+        .option(
+            '--claude-base-url <url>',
+            'Anthropic-compatible base URL for Claude profiling when using --claude-auth-mode gateway',
+        )
+        .option(
+            '--claude-auth-token <token>',
+            'Auth token for Claude profiling when using --claude-auth-mode gateway',
+        )
+        .option(
+            '--claude-provider-model <model>',
+            'Optional Claude provider model override for gateway, Bedrock, or Vertex profiling',
+        )
+        .option(
+            '--profiler-copilot-login',
+            'Before VS Code Copilot profiling, run `copilot login` in this terminal',
+        )
+        .option(
+            '--profiler-codex-login',
+            'Before Codex profiling, run `codex login --device-auth` in this terminal',
+        )
+        .option(
+            '--profiler-quiet',
+            'When profiling, use the standard progress message (default; retained for compatibility)',
+        )
+        .option(
+            '--profiler-verbose',
+            'When profiling, show live agent output for troubleshooting',
+        )
+        .option(
+            '--show-profiler-logs',
+            'Alias for --profiler-verbose; show live profiler logs while profiling runs',
+        )
+        .action(async (options) => {
+            try {
+                if (options.switchProject) {
+                    await switchProjectCommand(options);
+                } else {
+                    await initCommand(options);
+                }
+            } catch (err) {
+                if (err.name === 'ExitPromptError') {
+                    // User cancelled interactive prompt
+                    console.log('\n  Cancelled.\n');
+                    process.exit(0);
+                }
+                throw err;
+            }
+        });
+
+    program
+        .command('status')
+        .description('Show current security-review-mcp configuration status')
+        .action(async () => {
+            await statusCommand();
+        });
+
+    program.parse();
+}