@securityreviewai/securityreview-kit 0.1.50 → 0.1.52

package/dist/scaffold/claude-code.js

@@ -1,43 +0,0 @@
-import { join } from "node:path";
-import { readJson, writeJson, writeText, upsertBlock } from "../fs.js";
-import { mcpRemoteServerWithType } from "./mcp.js";
-import { SENTINEL_END, SENTINEL_START, claudeRuleContent, guardrailsSelectionSkillContent, syncSkillContent, threatModelSkillContent } from "./rules.js";
-export async function scaffoldClaudeCode(cwd, config) {
-    await writeMcpConfig(cwd, config);
-    await writeClaudeSettings(cwd);
-    await writeClaudeRules(cwd, config);
-}
-async function writeMcpConfig(cwd, config) {
-    const path = join(cwd, ".mcp.json");
-    const existing = (await readJson(path)) ?? {};
-    const mcpServers = existing.mcpServers ?? {};
-    mcpServers.vibreview = mcpRemoteServerWithType(config);
-    await writeJson(path, { ...existing, mcpServers });
-}
-async function writeClaudeSettings(cwd) {
-    const path = join(cwd, ".claude", "settings.json");
-    const existing = (await readJson(path)) ?? {};
-    const enabled = Array.isArray(existing.enabledMcpjsonServers) ? existing.enabledMcpjsonServers : [];
-    const allow = Array.isArray(existing.permissions?.allow)
-        ? existing.permissions.allow.filter((item) => typeof item === "string")
-        : [];
-    await writeJson(path, {
-        ...existing,
-        enabledMcpjsonServers: enabled.includes("vibreview") ? enabled : [...enabled, "vibreview"],
-        permissions: {
-            ...(typeof existing.permissions === "object" && existing.permissions ? existing.permissions : {}),
-            allow: allow.includes("mcp__vibreview") ? allow : [...allow, "mcp__vibreview"],
-        },
-    });
-}
-async function writeClaudeRules(cwd, config) {
-    const paths = {
-        guardrailsSelectionSkillDir: ".claude/skills/guardrails-selection",
-        threatModellingSkillDir: ".claude/skills/threat-modelling",
-        vibereviewSyncSkillDir: ".claude/skills/vibereview-sync",
-    };
-    await upsertBlock(join(cwd, "CLAUDE.md"), SENTINEL_START, SENTINEL_END, claudeRuleContent(config));
-    await writeText(join(cwd, ".claude", "skills", "guardrails-selection", "SKILL.md"), `${guardrailsSelectionSkillContent(config, paths)}\n`);
-    await writeText(join(cwd, ".claude", "skills", "threat-modelling", "SKILL.md"), `${threatModelSkillContent(config, paths)}\n`);
-    await writeText(join(cwd, ".claude", "skills", "vibereview-sync", "SKILL.md"), `${syncSkillContent(config)}\n`);
-}

package/dist/scaffold/codex.js

@@ -1,41 +0,0 @@
-import { join } from "node:path";
-import { readText, upsertBlock, writeText } from "../fs.js";
-import { SENTINEL_END, SENTINEL_START, codexHooksContent, codexRuleContent, guardrailsSelectionSkillContent, syncSkillContent, threatModelSkillContent } from "./rules.js";
-export async function scaffoldCodex(cwd, config) {
-    const paths = {
-        guardrailsSelectionSkillDir: ".codex/skills/guardrails-selection",
-        threatModellingSkillDir: ".codex/skills/threat-modelling",
-        vibereviewSyncSkillDir: ".codex/skills/vibereview-sync",
-    };
-    await writeCodexConfig(cwd, config);
-    await upsertBlock(join(cwd, ".codex", "AGENTS.md"), SENTINEL_START, SENTINEL_END, codexRuleContent(config));
-    await writeText(join(cwd, ".codex", "hooks.json"), codexHooksContent(config));
-    await writeText(join(cwd, ".codex", "skills", "guardrails-selection", "SKILL.md"), `${guardrailsSelectionSkillContent(config, paths)}\n`);
-    await writeText(join(cwd, ".codex", "skills", "threat-modelling", "SKILL.md"), `${threatModelSkillContent(config, paths)}\n`);
-    await writeText(join(cwd, ".codex", "skills", "vibereview-sync", "SKILL.md"), `${syncSkillContent(config)}\n`);
-}
-async function writeCodexConfig(cwd, config) {
-    const path = join(cwd, ".codex", "config.toml");
-    const existing = await readText(path);
-    const serverBlock = `
-[mcp_servers.vibreview]
-command = "npx"
-args = ["-y", "mcp-remote@latest", "${config.server_url.replace(/\/$/, "")}/mcp", "--header", "Authorization:\${AUTH_HEADER}"]
-default_tools_approval_mode = "approve"
-
-[mcp_servers.vibreview.env]
-AUTH_HEADER = "Bearer ${escapeTomlString(config.api_key ?? "")}"
-`.trim();
-    const updated = replaceTomlBlock(existing, serverBlock);
-    await writeText(path, `${updated.trim()}\n`);
-}
-function replaceTomlBlock(existing, serverBlock) {
-    if (!existing.trim())
-        return serverBlock;
-    if (!existing.includes("[mcp_servers.vibreview]"))
-        return `${existing.trimEnd()}\n\n${serverBlock}`;
-    return existing.replace(/\[mcp_servers\.vibreview][\s\S]*?(?=\n\[[^\]]+]|\s*$)/, serverBlock);
-}
-function escapeTomlString(value) {
-    return value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
-}

package/dist/scaffold/cursor.js

@@ -1,45 +0,0 @@
-import { join } from "node:path";
-import { readJson, writeJson, writeText } from "../fs.js";
-import { mcpRemoteServerWithType } from "./mcp.js";
-import { cursorHooksContent, cursorRuleContent, guardrailsSelectionSkillContent, syncSkillContent, threatModelSkillContent } from "./rules.js";
-export async function scaffoldCursor(cwd, config) {
-    const paths = {
-        guardrailsSelectionSkillDir: ".cursor/skills/guardrails-selection",
-        threatModellingSkillDir: ".cursor/skills/threat-modelling",
-        vibereviewSyncSkillDir: ".cursor/skills/vibereview-sync",
-    };
-    const mcpPath = join(cwd, ".cursor", "mcp.json");
-    const existing = (await readJson(mcpPath)) ?? {};
-    const mcpServers = existing.mcpServers ?? {};
-    mcpServers.vibreview = mcpRemoteServerWithType(config);
-    await writeJson(mcpPath, { ...existing, mcpServers });
-    await writeText(join(cwd, ".cursor", "rules", "vibreview-security.mdc"), cursorRuleFile(config));
-    await writeText(join(cwd, ".cursor", "hooks.json"), cursorHooksContent(config));
-    await writeText(join(cwd, ".cursor", "skills", "guardrails-selection", "SKILL.md"), `${guardrailsSelectionSkillContent(config, paths)}\n`);
-    await writeText(join(cwd, ".cursor", "skills", "threat-modelling", "SKILL.md"), `${threatModelSkillContent(config, paths)}\n`);
-    await writeText(join(cwd, ".cursor", "skills", "vibereview-sync", "SKILL.md"), `${syncSkillContent(config)}\n`);
-    await updateCursorAllowlist(cwd);
-}
-async function updateCursorAllowlist(cwd) {
-    const path = join(cwd, ".cursor", "cli.json");
-    const existing = (await readJson(path)) ?? {};
-    const permissions = existing.permissions ?? {};
-    const allow = Array.isArray(permissions.allow) ? permissions.allow.filter((item) => typeof item === "string") : [];
-    const entry = "mcp(vibreview)";
-    await writeJson(path, {
-        ...existing,
-        permissions: {
-            ...permissions,
-            allow: allow.includes(entry) ? allow : [...allow, entry],
-        },
-    });
-}
-function cursorRuleFile(config) {
-    return `---
-description: VibeReview security workflow
-alwaysApply: true
----
-
-${cursorRuleContent(config)}
-`;
-}

package/dist/scaffold/gemini.js

@@ -1,10 +0,0 @@
-import { join } from "node:path";
-import { readJson, writeJson } from "../fs.js";
-import { mcpRemoteServer } from "./mcp.js";
-export async function scaffoldGemini(cwd, config) {
-    const path = join(cwd, ".gemini", "settings.json");
-    const existing = (await readJson(path)) ?? {};
-    const mcpServers = existing.mcpServers ?? {};
-    mcpServers.vibreview = mcpRemoteServer(config);
-    await writeJson(path, { ...existing, mcpServers });
-}

package/dist/scaffold/index.js

@@ -1,22 +0,0 @@
-import { scaffoldClaudeCode } from "./claude-code.js";
-import { scaffoldCodex } from "./codex.js";
-import { scaffoldCursor } from "./cursor.js";
-import { scaffoldGemini } from "./gemini.js";
-import { scaffoldVibeReview } from "./vibreview.js";
-import { scaffoldVSCode } from "./vscode.js";
-import { scaffoldWindsurf } from "./windsurf.js";
-export async function scaffoldProject(cwd, config) {
-    await scaffoldVibeReview(cwd, config);
-    if (config.ide.includes("claude_code"))
-        await scaffoldClaudeCode(cwd, config);
-    if (config.ide.includes("cursor"))
-        await scaffoldCursor(cwd, config);
-    if (config.ide.includes("vscode_copilot"))
-        await scaffoldVSCode(cwd, config);
-    if (config.ide.includes("codex"))
-        await scaffoldCodex(cwd, config);
-    if (config.ide.includes("gemini") || config.ide.includes("antigravity"))
-        await scaffoldGemini(cwd, config);
-    if (config.ide.includes("windsurf"))
-        await scaffoldWindsurf(cwd, config);
-}

package/dist/scaffold/mcp.js

@@ -1,15 +0,0 @@
-export function mcpRemoteServer(config) {
-    return {
-        command: "npx",
-        args: ["-y", "mcp-remote@latest", `${config.server_url.replace(/\/$/, "")}/mcp`, "--header", "Authorization:${AUTH_HEADER}"],
-        env: {
-            AUTH_HEADER: `Bearer ${config.api_key ?? ""}`,
-        },
-    };
-}
-export function mcpRemoteServerWithType(config) {
-    return {
-        type: "stdio",
-        ...mcpRemoteServer(config),
-    };
-}

package/dist/scaffold/rules.js

@@ -1,191 +0,0 @@
-import { readFileSync } from "node:fs";
-const TOOL_PROJECT = "`vibreview_get_tenant_project`";
-const TOOL_GUARDRAILS = "`vibreview_get_guardrails`";
-const TOOL_SYNC = "`vibreview_ctm_sync_markdown`";
-export const SENTINEL_START = "<!-- securityreview-kit:start -->";
-export const SENTINEL_END = "<!-- securityreview-kit:end -->";
-export function ruleContent(config, paths) {
-    return renderTemplate("content.md", config, paths);
-}
-export function claudeRuleContent(config) {
-    return ruleContent(config, {
-        guardrailsSelectionSkillDir: ".claude/skills/guardrails-selection",
-        threatModellingSkillDir: ".claude/skills/threat-modelling",
-        vibereviewSyncSkillDir: ".claude/skills/vibereview-sync",
-    });
-}
-export function copilotRuleContent(config) {
-    return ruleContent(config, {
-        guardrailsSelectionSkillDir: ".github/skills/guardrails-selection",
-        threatModellingSkillDir: ".github/skills/threat-modelling",
-        vibereviewSyncSkillDir: ".github/skills/vibereview-sync",
-    });
-}
-export function codexRuleContent(config) {
-    return ruleContent(config, {
-        guardrailsSelectionSkillDir: ".codex/skills/guardrails-selection",
-        threatModellingSkillDir: ".codex/skills/threat-modelling",
-        vibereviewSyncSkillDir: ".codex/skills/vibereview-sync",
-    });
-}
-export function cursorRuleContent(config) {
-    return ruleContent(config, {
-        guardrailsSelectionSkillDir: ".cursor/skills/guardrails-selection",
-        threatModellingSkillDir: ".cursor/skills/threat-modelling",
-        vibereviewSyncSkillDir: ".cursor/skills/vibereview-sync",
-    });
-}
-export function guardrailsSelectionSkillContent(config, paths = defaultPaths("cursor")) {
-    return renderTemplate("guardrails-selection.md", config, paths);
-}
-export function threatModelSkillContent(config, paths = defaultPaths("cursor")) {
-    return renderTemplate("threat-modelling.md", config, paths);
-}
-export function syncSkillContent(config, scanDir = ".vibreview/scans") {
-    return renderTemplate("vibereview-sync/SKILL.md", config, defaultPaths("cursor")).replaceAll(".vibreview/scans/", `${scanDir.replace(/\/$/, "")}/`);
-}
-export function cursorHooksContent(config) {
-    return JSON.stringify({
-        version: 1,
-        hooks: {
-            sessionStart: [
-                {
-                    command: `printf '%s\\n' '${jsonPayload(additionalContext(config)).replaceAll("'", "'\\''")}'`,
-                    timeout: 5,
-                },
-            ],
-        },
-    }, null, 2) + "\n";
-}
-export function codexHooksContent(config) {
-    return JSON.stringify({
-        hooks: {
-            SessionStart: [
-                {
-                    matcher: "startup|resume",
-                    hooks: [
-                        {
-                            type: "command",
-                            command: `printf '%s\\n' '${codexPayload(config, "SessionStart").replaceAll("'", "'\\''")}'`,
-                            timeout: 5,
-                            statusMessage: "Loading VibeReview security session policy",
-                        },
-                    ],
-                },
-            ],
-            UserPromptSubmit: [
-                {
-                    hooks: [
-                        {
-                            type: "command",
-                            command: `printf '%s\\n' '${codexPayload(config, "UserPromptSubmit").replaceAll("'", "'\\''")}'`,
-                            timeout: 5,
-                            statusMessage: "Refreshing VibeReview security session policy",
-                        },
-                    ],
-                },
-            ],
-        },
-    }, null, 2) + "\n";
-}
-export function vscodeHooksContent(config) {
-    return JSON.stringify({
-        hooks: {
-            SessionStart: [
-                {
-                    type: "command",
-                    command: `printf '%s\\n' '${codexPayload(config, "SessionStart").replaceAll("'", "'\\''")}'`,
-                    timeout: 5,
-                },
-            ],
-        },
-    }, null, 2) + "\n";
-}
-function additionalContext(config) {
-    const project = projectContext(config);
-    return [
-        "## MANDATORY VIBEREVIEW SECURITY GATE",
-        "",
-        `Configured project: ${project.name} (${project.slug}, ${project.id})`,
-        "",
-        "For any request with security impact, follow this order:",
-        "",
-        `1. Resolve the tenant/project with ${TOOL_PROJECT} using project_id="${project.id}" or project_slug="${project.slug}".`,
-        `2. Fetch VibeReview guardrails with ${TOOL_GUARDRAILS}, shortlist relevant guardrails, and preserve that shortlist.`,
-        "3. Run PWNISMS threat modelling before implementation.",
-        "4. Implement secure code using the threat model and shortlisted guardrails.",
-        `5. Write one markdown artifact under .vibreview/scans/ and call ${TOOL_SYNC} immediately after writing it.`,
-        "",
-        "No deferral. No local profiling. The main agent owns the final markdown sync.",
-    ].join("\\n");
-}
-function codexPayload(config, hookEventName) {
-    return JSON.stringify({
-        hookSpecificOutput: {
-            hookEventName,
-            additionalContext: additionalContext(config),
-        },
-    });
-}
-function jsonPayload(additionalContext) {
-    return JSON.stringify({ additional_context: additionalContext });
-}
-function renderTemplate(templatePath, config, paths) {
-    const project = projectContext(config);
-    const template = readFileSync(new URL(`../../templates/shared/${templatePath}`, import.meta.url), "utf8").trim();
-    return template
-        .replaceAll("Configured SRAI project name: `<SRAI_PROJECT_NAME>`", [
-        `Configured VibeReview project: \`${project.name}\``,
-        `Project slug: \`${project.slug}\``,
-        `Project id: \`${project.id}\``,
-    ].join("\n"))
-        .replaceAll("Configured SRAI project name: `<SRAI_PROJECT_NAME>`", `Configured VibeReview project: \`${project.name}\``)
-        .replaceAll("name=\"<SRAI_PROJECT_NAME>\"", `project_id="${project.id}", project_slug="${project.slug}", project_name="${project.name}"`)
-        .replaceAll("<SRAI_PROJECT_NAME>", project.name)
-        .replaceAll("{{SRAI_PROJECT_NAME}}", project.name)
-        .replaceAll("SRAI", "VibeReview")
-        .replaceAll("srai", "vibreview")
-        .replaceAll("security-review-mcp", "vibreview")
-        .replaceAll("find_project_by_name", "vibreview_get_tenant_project")
-        .replaceAll("list_projects", "vibreview_get_tenant_project")
-        .replaceAll("create_project", "vibreview_get_tenant_project")
-        .replaceAll("get_project", "vibreview_get_tenant_project")
-        .replaceAll("get_guardrails", "vibreview_get_guardrails")
-        .replaceAll("get_guardrail_by_id", "the exact returned guardrail entry")
-        .replaceAll("sync_ai_ide_markdown", "vibreview_ctm_sync_markdown")
-        .replaceAll("update_vibe_profile", "server-side repository profiling")
-        .replaceAll("write_default_pack", "server-side guardrail pack selection")
-        .replaceAll("`vibereview/`", "`.vibreview/scans/`")
-        .replaceAll("vibereview/*.md", ".vibreview/scans/*.md")
-        .replaceAll("vibereview/<chat_session_id>-<slugified-title-or-event-name>.md", ".vibreview/scans/<chat_session_id>-<slugified-title-or-event-name>.md")
-        .replaceAll("under `vibereview/`", "under `.vibreview/scans/`")
-        .replaceAll("in `vibereview/`", "in `.vibreview/scans/`")
-        .replaceAll("`{{GUARDRAILS_SELECTION_SKILL_DIR}}/SKILL.md`", `\`${paths.guardrailsSelectionSkillDir}/SKILL.md\``)
-        .replaceAll("`{{THREAT_MODELLING_SKILL_DIR}}/SKILL.md`", `\`${paths.threatModellingSkillDir}/SKILL.md\``)
-        .replaceAll("`{{VIBEREVIEW_SYNC_SKILL_DIR}}/SKILL.md`", `\`${paths.vibereviewSyncSkillDir}/SKILL.md\``)
-        .replaceAll("{{GUARDRAILS_SELECTION_SKILL_DIR}}", paths.guardrailsSelectionSkillDir)
-        .replaceAll("{{THREAT_MODELLING_SKILL_DIR}}", paths.threatModellingSkillDir)
-        .replaceAll("{{VIBEREVIEW_SYNC_SKILL_DIR}}", paths.vibereviewSyncSkillDir)
-        .replaceAll("name=\"{{SRAI_PROJECT_NAME}}\"", `project_id="${project.id}"`)
-        .replaceAll("name=\"<VibeReview_PROJECT_NAME>\"", `project_id="${project.id}", project_slug="${project.slug}", project_name="${project.name}"`)
-        .replaceAll("The old profile walkthrough is no longer part of the agent workflow.", "Local profile walkthroughs are no longer part of the IDE workflow; profiling happens server-side after project creation.")
-        .replaceAll("Profiler only | `server-side repository profiling`, `server-side guardrail pack selection` are used by init-time profiling, not normal coding tasks", "Profiler only | Server-side repository profiling and guardrail pack selection happen after project creation, not during normal IDE coding tasks");
-}
-function defaultPaths(ide) {
-    const root = ide === "claude" ? ".claude/skills" : ide === "vscode" ? ".github/skills" : ide === "codex" ? ".codex/skills" : ".cursor/skills";
-    return {
-        guardrailsSelectionSkillDir: `${root}/guardrails-selection`,
-        threatModellingSkillDir: `${root}/threat-modelling`,
-        vibereviewSyncSkillDir: `${root}/vibereview-sync`,
-    };
-}
-function projectContext(config) {
-    return {
-        id: sanitize(config.project_id || config.project_slug),
-        slug: sanitize(config.project_slug),
-        name: sanitize(config.project_name || config.project_slug),
-    };
-}
-function sanitize(value) {
-    return value.replace(/[\r\n`]/g, " ").trim();
-}

package/dist/scaffold/vibreview.js

@@ -1,30 +0,0 @@
-import { join } from "node:path";
-import { CONFIG_DIR, SCANS_DIR, SYNC_STATE_PATH, writeConfig } from "../config.js";
-import { ensureDir, readJson, upsertBlock, writeJson } from "../fs.js";
-const GITIGNORE_START = "# BEGIN VibeReview";
-const GITIGNORE_END = "# END VibeReview";
-export async function scaffoldVibeReview(cwd, config) {
-    await ensureDir(join(cwd, CONFIG_DIR));
-    await ensureDir(join(cwd, SCANS_DIR));
-    await writeConfig(cwd, config);
-    const existingSyncState = await readJson(join(cwd, SYNC_STATE_PATH));
-    if (!existingSyncState)
-        await writeJson(join(cwd, SYNC_STATE_PATH), { version: 1, artifacts: {} });
-    await upsertBlock(join(cwd, ".gitignore"), GITIGNORE_START, GITIGNORE_END, gitignoreEntries(config).join("\n"));
-}
-function gitignoreEntries(config) {
-    const entries = [".vibreview/config.json", ".vibreview/sync-state.json", ".vibreview/scans/"];
-    if (config.ide.includes("claude_code"))
-        entries.push(".mcp.json");
-    if (config.ide.includes("cursor"))
-        entries.push(".cursor/mcp.json");
-    if (config.ide.includes("vscode_copilot"))
-        entries.push(".vscode/mcp.json");
-    if (config.ide.includes("codex"))
-        entries.push(".codex/config.toml");
-    if (config.ide.includes("gemini") || config.ide.includes("antigravity"))
-        entries.push(".gemini/settings.json");
-    if (config.ide.includes("windsurf"))
-        entries.push(".windsurf/mcp_config.json");
-    return entries;
-}

package/dist/scaffold/vscode.js

@@ -1,28 +0,0 @@
-import { join } from "node:path";
-import { readJson, writeJson, writeText, upsertBlock } from "../fs.js";
-import { mcpRemoteServerWithType } from "./mcp.js";
-import { SENTINEL_END, SENTINEL_START, copilotRuleContent, guardrailsSelectionSkillContent, syncSkillContent, threatModelSkillContent, vscodeHooksContent } from "./rules.js";
-export async function scaffoldVSCode(cwd, config) {
-    const paths = {
-        guardrailsSelectionSkillDir: ".github/skills/guardrails-selection",
-        threatModellingSkillDir: ".github/skills/threat-modelling",
-        vibereviewSyncSkillDir: ".github/skills/vibereview-sync",
-    };
-    const settingsPath = join(cwd, ".vscode", "settings.json");
-    const existing = (await readJson(settingsPath)) ?? {};
-    await writeJson(settingsPath, {
-        ...existing,
-        "vibreview.serverUrl": config.server_url,
-        "vibreview.projectSlug": config.project_slug,
-    });
-    const mcpPath = join(cwd, ".vscode", "mcp.json");
-    const mcpConfig = (await readJson(mcpPath)) ?? {};
-    const servers = mcpConfig.servers ?? {};
-    servers.vibreview = mcpRemoteServerWithType(config);
-    await writeJson(mcpPath, { ...mcpConfig, servers });
-    await upsertBlock(join(cwd, ".github", "copilot-instructions.md"), SENTINEL_START, SENTINEL_END, copilotRuleContent(config));
-    await writeText(join(cwd, ".github", "hooks", "vibreview-session-policy.json"), vscodeHooksContent(config));
-    await writeText(join(cwd, ".github", "skills", "guardrails-selection", "SKILL.md"), `${guardrailsSelectionSkillContent(config, paths)}\n`);
-    await writeText(join(cwd, ".github", "skills", "threat-modelling", "SKILL.md"), `${threatModelSkillContent(config, paths)}\n`);
-    await writeText(join(cwd, ".github", "skills", "vibereview-sync", "SKILL.md"), `${syncSkillContent(config)}\n`);
-}

package/dist/scaffold/windsurf.js

@@ -1,10 +0,0 @@
-import { join } from "node:path";
-import { readJson, writeJson } from "../fs.js";
-import { mcpRemoteServer } from "./mcp.js";
-export async function scaffoldWindsurf(cwd, config) {
-    const path = join(cwd, ".windsurf", "mcp_config.json");
-    const existing = (await readJson(path)) ?? {};
-    const mcpServers = existing.mcpServers ?? {};
-    mcpServers.vibreview = mcpRemoteServer(config);
-    await writeJson(path, { ...existing, mcpServers });
-}

package/dist/sync/index.js

@@ -1,34 +0,0 @@
-import { readdir, readFile } from "node:fs/promises";
-import { join } from "node:path";
-import { VibeReviewApiClient } from "../api.js";
-import { SCANS_DIR, readConfig, writeConfig } from "../config.js";
-import { buildSyncMarkdownPayload } from "./payload.js";
-import { readSyncState, writeSyncState } from "./state.js";
-export async function syncTelemetry(cwd, options = {}) {
-    const config = await readConfig(cwd);
-    if (!config)
-        throw new Error("VibeReview is not initialized. Run `securityreview-kit init` first.");
-    const scanDir = join(cwd, SCANS_DIR);
-    const files = (await readdir(scanDir).catch(() => [])).filter((file) => file.endsWith(".md")).sort();
-    const state = await readSyncState(cwd);
-    const client = new VibeReviewApiClient(config);
-    let synced = 0;
-    let skipped = 0;
-    for (const file of files) {
-        const path = join(scanDir, file);
-        const content = await readFile(path, "utf8");
-        const payload = buildSyncMarkdownPayload(config.project_slug, path, content, config.ide[0]);
-        const previous = state.artifacts[payload.artifact_id];
-        if (!options.force && previous?.artifact_hash === payload.artifact_hash) {
-            skipped++;
-            continue;
-        }
-        await client.syncCTMMarkdown(config.project_slug, payload);
-        const syncedAt = new Date().toISOString();
-        state.artifacts[payload.artifact_id] = { artifact_hash: payload.artifact_hash, synced_at: syncedAt };
-        synced++;
-    }
-    await writeSyncState(cwd, state);
-    await writeConfig(cwd, { ...config, last_synced: new Date().toISOString() });
-    return { synced, skipped };
-}

package/dist/sync/payload.js

@@ -1,23 +0,0 @@
-import { createHash, randomUUID } from "node:crypto";
-import { basename } from "node:path";
-export function artifactHash(content) {
-    return createHash("sha256").update(content).digest("hex");
-}
-export function buildSyncMarkdownPayload(projectSlug, filePath, content, ide) {
-    const hash = artifactHash(content);
-    const artifactId = basename(filePath).replace(/\.md$/i, "");
-    return {
-        markdown: content,
-        session_id: artifactId || randomUUID(),
-        artifact_id: artifactId || hash.slice(0, 16),
-        artifact_hash: hash,
-        idempotency_key: `${projectSlug}:${artifactId}:${hash}`,
-        generated_at: new Date().toISOString(),
-        file_name: basename(filePath),
-        ide,
-        metadata: {
-            source: "securityreview-kit",
-            file_path: filePath,
-        },
-    };
-}

package/dist/sync/state.js

@@ -1,12 +0,0 @@
-import { join } from "node:path";
-import { SYNC_STATE_PATH } from "../config.js";
-import { readJson, writeJson } from "../fs.js";
-export async function readSyncState(cwd) {
-    return ((await readJson(join(cwd, SYNC_STATE_PATH))) ?? {
-        version: 1,
-        artifacts: {},
-    });
-}
-export async function writeSyncState(cwd, state) {
-    await writeJson(join(cwd, SYNC_STATE_PATH), state);
-}

package/dist/types.js

@@ -1 +0,0 @@
-export {};

package/templates/claude/CLAUDE.md

@@ -1,13 +0,0 @@
-# VibeReview Security Workflow
-
-When implementing or changing code in this repository:
-
-1. Resolve the current tenant/project with `vibreview_get_tenant_project`.
-2. Fetch the project's guardrail bundle with `vibreview_get_guardrails`.
-3. Locally shortlist the guardrails relevant to the user's requested feature or change.
-4. Before editing, write a concise threat model for the requested change.
-5. Implement the change while preserving the shortlisted guardrails.
-6. Record the review/threat-model outcome as one markdown artifact in `.vibreview/scans/`.
-7. Sync the markdown artifact with `vibreview_ctm_sync_markdown`.
-
-Do not run local repository profiling from the IDE. VibeReview profiles the repository server-side after project creation and stores the relevant guardrails for this tenant/project in the MCP-backed KV cache.

package/templates/claude/agents/guardrail_profiler.md

@@ -1,12 +0,0 @@
-# Guardrail Selector
-
-Use this agent when a task needs careful guardrail selection before code changes.
-
-Do not profile the local repository from the IDE. VibeReview SaaS profiles repositories server-side after project creation and projects the required guardrails into the MCP/KV path.
-
-Workflow:
-
-1. Call `vibreview_get_tenant_project`.
-2. Call `vibreview_get_guardrails`.
-3. Rank guardrails by direct relevance to the user request, changed files, data handled, entry points, auth/authorization boundaries, and external integrations.
-4. Return the shortlisted guardrail IDs, names, and the reason each one applies.

package/templates/claude/agents/threat_modeler.md

@@ -1,5 +0,0 @@
-# Threat Modeler
-
-Placeholder agent definition for future VibeReview threat modeling automation.
-
-Before implementation, use `vibreview_get_tenant_project` and `vibreview_get_guardrails`, shortlist the relevant guardrails locally, and identify likely threats, mitigations, standards mappings, and residual risk. Keep the model concise enough to sync as one markdown artifact with `vibreview_ctm_sync_markdown`.

package/templates/claude/skills/vibreview/SKILL.md

@@ -1,21 +0,0 @@
-# VibeReview Skill
-
-Use this skill for VibeReview-aware secure coding sessions.
-
-## Fast Sync Rules
-
-- Write one telemetry artifact per task in `.vibreview/scans/`.
-- Keep the artifact readable markdown: task, threat model, selected guardrails, decisions, and follow-up risks.
-- Avoid pasting large diffs or full files into telemetry unless necessary.
-- Include guardrail IDs, affected files, and concise evidence when useful.
-- Call `vibreview_ctm_sync_markdown` immediately after implementation or threat model updates.
-
-## Workflow
-
-1. Load tenant/project context with `vibreview_get_tenant_project`.
-2. Fetch guardrails with `vibreview_get_guardrails`.
-3. Filter and rank the returned guardrails locally for the requested feature.
-4. Threat model before editing.
-5. Implement with guardrails applied.
-6. Record markdown telemetry.
-7. Sync with `vibreview_ctm_sync_markdown`.

package/templates/claude/skills/vibreview/guardrail_patterns.md

@@ -1,12 +0,0 @@
-# Guardrail Patterns
-
-Fetch the project guardrail bundle with `vibreview_get_guardrails`, then filter locally against the feature request, touched files, framework, data flow, and threat model.
-
-- Authentication: login, sessions, password handling, MFA, tokens.
-- Authorization: role checks, object ownership, tenant isolation.
-- Persistence: database queries, ORM usage, migrations.
-- Validation: input parsing, bounds, schemas, file uploads.
-- Data Exposure: logs, errors, secrets, sensitive output.
-- Transport: TLS, headers, callbacks, API clients.
-
-For broad changes, build a shortlist before editing. Prefer guardrails with direct category, title, instruction, severity, or metadata matches. Keep the selected guardrail IDs in the `.vibreview/scans/` markdown artifact so VibeReview can connect the IDE-side work back to the server-side guardrail set.

package/templates/cursor/rules/vibreview-security.mdc

@@ -1,8 +0,0 @@
----
-description: VibeReview security workflow
-alwaysApply: true
----
-
-Before security-relevant code changes, use `vibreview_get_tenant_project` to resolve the tenant/project, then call `vibreview_get_guardrails` to fetch the project guardrail bundle. Filter and rank the returned guardrails locally against the user's requested feature before implementing.
-
-Record one readable markdown artifact in `.vibreview/scans/` with the threat model, selected guardrail IDs, decisions, and important evidence. Sync it with `vibreview_ctm_sync_markdown`. Do not run local repository profiling; VibeReview handles profiling server-side after project creation.