@securityreviewai/securityreview-kit 0.1.50 → 0.1.52

package/src/commands/status.js

@@ -0,0 +1,99 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import chalk from 'chalk';
+import { TARGETS, TARGET_NAMES, SENTINEL_START } from '../utils/constants.js';
+import { readText, readJson } from '../utils/fs-helpers.js';
+
+/**
+ * Status command — show what's configured in the current workspace.
+ */
+export async function statusCommand() {
+    const cwd = process.cwd();
+
+    console.log('');
+    console.log(chalk.bold.cyan('  ╔══════════════════════════════════════╗'));
+    console.log(chalk.bold.cyan('  ║') + chalk.bold('  🛡️  Security Review Kit — Status ') + chalk.bold.cyan('   ║'));
+    console.log(chalk.bold.cyan('  ╚══════════════════════════════════════╝'));
+    console.log('');
+    console.log(chalk.dim(`  Workspace: ${cwd}`));
+    console.log('');
+
+    let anyFound = false;
+
+    for (const key of TARGET_NAMES) {
+        const target = TARGETS[key];
+        const mcpPath = join(cwd, target.mcpConfigPath);
+        const rulePath = join(cwd, target.rulePath);
+
+        const mcpExists = existsSync(mcpPath);
+        const ruleExists = existsSync(rulePath);
+
+        // Check if the MCP config actually has our server
+        let mcpHasServer = false;
+        if (mcpExists) {
+            if (target.mcpConfigPath.endsWith('.toml')) {
+                const content = readText(mcpPath);
+                mcpHasServer = content.includes('[mcp_servers.security-review-mcp]');
+            } else {
+                const json = readJson(mcpPath);
+                const servers = json?.mcpServers || json?.servers || {};
+                mcpHasServer = 'security-review-mcp' in servers;
+            }
+        }
+
+        // Check if rule file has our sentinel
+        let ruleHasSrai = false;
+        if (ruleExists) {
+            if (target.ruleMode === 'append') {
+                const content = readText(rulePath);
+                ruleHasSrai = content.includes(SENTINEL_START) || content.includes('SRAI Security Review');
+            } else {
+                // Standalone rule file — existence is enough
+                ruleHasSrai = true;
+            }
+        }
+
+        if (!mcpHasServer && !ruleHasSrai) continue;
+
+        anyFound = true;
+        console.log(chalk.bold(`  ${target.name}`));
+        console.log(
+            `    MCP Config:     ${mcpHasServer ? chalk.green('✓ Configured') : chalk.dim('✗ Not found')}  ${chalk.dim(target.mcpConfigPath)}`,
+        );
+        console.log(
+            `    Workspace Rule: ${ruleHasSrai ? chalk.green('✓ Installed') : chalk.dim('✗ Not found')}  ${chalk.dim(target.rulePath)}`,
+        );
+        if (key === 'cursor') {
+            const cliPath = join(cwd, '.cursor', 'cli.json');
+            const cliJson = readJson(cliPath);
+            const allow = cliJson?.permissions?.allow;
+            const hasMcpAllow =
+                Array.isArray(allow) &&
+                allow.some(
+                    (e) => typeof e === 'string' && e.toLowerCase().includes('mcp(security-review-mcp'),
+                );
+            console.log(
+                `    CLI MCP allow:  ${hasMcpAllow ? chalk.green('\u2713 security-review-mcp') : chalk.dim('\u2717 Missing in .cursor/cli.json')}  ${chalk.dim('.cursor/cli.json')}`,
+            );
+        }
+        console.log('');
+    }
+
+    if (!anyFound) {
+        console.log(chalk.yellow('  No security-review-mcp configurations found in this workspace.'));
+        console.log(chalk.dim('  Run `securityreview-kit init` to set up.'));
+        console.log('');
+    }
+
+    // Check env vars
+    console.log(chalk.bold('  Environment'));
+    const apiUrl = process.env.SECURITY_REVIEW_API_URL;
+    const apiToken = process.env.SECURITY_REVIEW_API_TOKEN;
+    console.log(
+        `    SECURITY_REVIEW_API_URL:   ${apiUrl ? chalk.green('✓ Set') : chalk.yellow('✗ Not set')}`,
+    );
+    console.log(
+        `    SECURITY_REVIEW_API_TOKEN: ${apiToken ? chalk.green('✓ Set') : chalk.yellow('✗ Not set')}`,
+    );
+    console.log('');
+}

package/src/commands/switch-project.js

@@ -0,0 +1,207 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import chalk from 'chalk';
+import { input, select } from '@inquirer/prompts';
+import { SENTINEL_START, TARGET_NAMES, TARGETS } from '../utils/constants.js';
+import { readJson, readText } from '../utils/fs-helpers.js';
+import { fetchVibeReviewProjectNames, getStoredCredentials, normalizeApiUrl } from '../utils/srai.js';
+
+const ruleGenerators = {
+    cursor: () => import('../generators/rules/cursor.js'),
+    claude: () => import('../generators/rules/claude.js'),
+    vscode: () => import('../generators/rules/vscode.js'),
+    windsurf: () => import('../generators/rules/windsurf.js'),
+    codex: () => import('../generators/rules/codex.js'),
+    gemini: () => import('../generators/rules/gemini.js'),
+    antigravity: () => import('../generators/rules/antigravity.js'),
+};
+
+function normalizeRuleResults(rawResult) {
+    const entries = Array.isArray(rawResult) ? rawResult : [rawResult];
+
+    return entries.map((entry) => {
+        if (typeof entry === 'string') {
+            return { filePath: entry, action: 'created', kind: 'rule' };
+        }
+
+        if (entry && typeof entry.filePath === 'string') {
+            const allowedKinds = new Set(['rule', 'command', 'agent', 'skill', 'hooks', 'config']);
+            const kind = allowedKinds.has(entry.kind) ? entry.kind : 'rule';
+            return { filePath: entry.filePath, action: entry.action || 'created', kind };
+        }
+
+        throw new Error('Rule generator returned an invalid result.');
+    });
+}
+
+function hasConfiguredMcpServer(cwd, target) {
+    const mcpPath = join(cwd, target.mcpConfigPath);
+    if (!existsSync(mcpPath)) return false;
+
+    if (mcpPath.endsWith('.toml')) {
+        const content = readText(mcpPath);
+        return content.includes('[mcp_servers.security-review-mcp]');
+    }
+
+    const json = readJson(mcpPath);
+    const servers = json?.mcpServers || json?.servers || {};
+    return 'security-review-mcp' in servers;
+}
+
+function hasInstalledRule(cwd, target) {
+    const rulePath = join(cwd, target.rulePath);
+    if (!existsSync(rulePath)) return false;
+
+    if (target.ruleMode === 'append') {
+        const content = readText(rulePath);
+        return content.includes(SENTINEL_START) || content.includes('SRAI Security Review');
+    }
+
+    return true;
+}
+
+function resolveConfiguredTargets(cwd) {
+    return TARGET_NAMES.filter((key) => {
+        const target = TARGETS[key];
+        return hasConfiguredMcpServer(cwd, target) || hasInstalledRule(cwd, target);
+    });
+}
+
+async function resolveCredentials(options, cwd) {
+    let apiUrl = normalizeApiUrl(options.apiUrl || process.env.SECURITY_REVIEW_API_URL || '');
+    let apiToken = String(options.apiKey || process.env.SECURITY_REVIEW_API_TOKEN || '').trim();
+
+    if (!apiUrl || !apiToken) {
+        const stored = getStoredCredentials(cwd);
+        if (!apiUrl && stored.apiUrl) {
+            apiUrl = stored.apiUrl;
+        }
+        if (!apiToken && stored.apiToken) {
+            apiToken = stored.apiToken;
+        }
+    }
+
+    if (!apiUrl) {
+        apiUrl = await input({
+            message: '🔗 SRAI API URL:',
+            default: 'app.demo.securityreview.ai',
+            validate: (v) => {
+                const normalized = normalizeApiUrl(v);
+                if (!normalized) return 'Must be a valid URL';
+
+                try {
+                    new URL(normalized);
+                    return true;
+                } catch {
+                    return 'Must be a valid URL';
+                }
+            },
+        });
+        apiUrl = normalizeApiUrl(apiUrl);
+    } else {
+        console.log(chalk.dim(`  API URL: ${apiUrl} (from saved config/env/flags)`));
+    }
+
+    if (!apiToken) {
+        apiToken = await input({
+            message: '🔑 SRAI API Token:',
+            validate: (v) => (v.length > 0 ? true : 'Token is required'),
+        });
+    } else {
+        console.log(chalk.dim(`  API Token: ${'•'.repeat(8)} (from saved config/env/flags)`));
+    }
+
+    return { apiUrl, apiToken };
+}
+
+async function resolveProjectName(options, apiUrl, apiToken) {
+    const pinnedProject = (options.projectName || process.env.SECURITY_REVIEW_PROJECT_NAME || '').trim();
+    const projectNames = await fetchVibeReviewProjectNames(apiUrl, apiToken);
+
+    return select({
+        message: '🧩 Select SRAI project (vibe review enabled only):',
+        choices: projectNames.map((name) => ({
+            name,
+            value: name,
+        })),
+        default: projectNames.includes(pinnedProject) ? pinnedProject : undefined,
+        pageSize: 12,
+    });
+}
+
+export async function switchProjectCommand(options = {}) {
+    const cwd = process.cwd();
+    const targets = resolveConfiguredTargets(cwd);
+
+    console.log('');
+    console.log(chalk.bold.cyan('  ╔══════════════════════════════════════╗'));
+    console.log(chalk.bold.cyan('  ║') + chalk.bold(' 🛡️  Security Review Kit — Switch ') + chalk.bold.cyan('   ║'));
+    console.log(chalk.bold.cyan('  ╚══════════════════════════════════════╝'));
+    console.log('');
+
+    if (targets.length === 0) {
+        console.log(chalk.yellow('  ⚠  No configured targets found in this workspace.'));
+        console.log(chalk.dim('  Run `securityreview-kit init` first.'));
+        console.log('');
+        return;
+    }
+
+    console.log(chalk.dim(`  Targets to update: ${targets.map((t) => TARGETS[t].name).join(', ')}`));
+    console.log('');
+    console.log(chalk.bold.white('  Step 1 of 2: SRAI Credentials'));
+    console.log(chalk.dim('  ─────────────────────────────────'));
+    const envVars = await resolveCredentials(options, cwd);
+    console.log(chalk.green('  ✓ Credentials configured'));
+    console.log('');
+
+    console.log(chalk.bold.white('  Step 2 of 2: SRAI Project Mapping'));
+    console.log(chalk.dim('  ─────────────────────────────────'));
+    const projectName = await resolveProjectName(options, envVars.apiUrl, envVars.apiToken);
+    console.log(chalk.green(`  ✓ Project mapped: ${projectName}`));
+    console.log('');
+
+    console.log(chalk.bold.white('  Updating workspace rules...'));
+    console.log(chalk.dim('  ─────────────────────────────────'));
+
+    const results = [];
+
+    for (const target of targets) {
+        const targetInfo = TARGETS[target];
+        console.log('');
+        console.log(chalk.bold(`  ${targetInfo.name}`));
+
+        try {
+            const gen = await ruleGenerators[target]();
+            const generatedRules = normalizeRuleResults(gen.generate(cwd, { projectName }));
+
+            for (const rule of generatedRules) {
+                const labelByKind = {
+                    rule: 'Workspace rule',
+                    command: 'Workspace command',
+                    agent: 'Workspace agent',
+                    skill: 'Workspace skill',
+                    hooks: 'Hooks',
+                    config: 'CLI config',
+                };
+                const label = labelByKind[rule.kind] || 'Workspace rule';
+                console.log(chalk.green(`    ✓ ${label} → ${rule.filePath} (${rule.action})`));
+                results.push({ target, type: rule.kind, status: 'ok', path: rule.filePath, action: rule.action });
+            }
+        } catch (err) {
+            console.log(chalk.red(`    ✗ Workspace rule failed: ${err.message}`));
+            results.push({ target, type: 'rule', status: 'error', error: err.message });
+        }
+    }
+
+    const ok = results.filter((r) => r.status === 'ok').length;
+    const errors = results.filter((r) => r.status === 'error').length;
+
+    console.log('');
+    console.log(chalk.dim('  ─────────────────────────────────'));
+    if (errors === 0) {
+        console.log(chalk.bold.green(`  ✅ Done! ${ok} rule update(s) applied successfully.`));
+    } else {
+        console.log(chalk.bold.yellow(`  ⚠  Done with ${errors} error(s). ${ok} rule update(s) applied.`));
+    }
+    console.log('');
+}

package/src/generators/mcp/claude.js

@@ -0,0 +1,85 @@
+import { join } from 'node:path';
+import { readJson, writeJson } from '../../utils/fs-helpers.js';
+import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
+
+const CLAUDE_MCP_PERMISSION = `mcp__${MCP_SERVER_NAME}`;
+
+function getClaudeSessionStartHooks() {
+    const prompt = [
+        'MANDATORY SECURITY GATE (Claude Code Session Policy)',
+        '',
+        'For any request with security impact, follow this order:',
+        '1. Fetch Vibe Guardrails first using .claude/skills/guardrails-selection/SKILL.md.',
+        '2. Run PWNISMS threat modelling using .claude/skills/threat-modelling/SKILL.md.',
+        '3. Implement secure code using the hydrated guardrails and threat findings.',
+        '4. Read .claude/skills/vibereview-sync/SKILL.md. Write a structured .md artifact under vibereview/, do not read sibling markdown files there just to infer format, validate it, and call sync_ai_ide_markdown directly after implementation or threat-model updates.',
+        '',
+        'Do not use project-profile exploration tools during normal coding tasks. No blocking and no deferral: guardrails first, PWNISMS second, implementation third, VibeReview sync last.',
+    ].join('\n');
+
+    return [
+        {
+            matcher: '.*',
+            hooks: [
+                {
+                    type: 'prompt',
+                    prompt,
+                },
+            ],
+        },
+    ];
+}
+
+/**
+ * Generate Claude Code project MCP config at .mcp.json and project settings at .claude/settings.json
+ */
+export function generate(cwd, envVars) {
+    const mcpPath = join(cwd, '.mcp.json');
+    const mcpConfig = readJson(mcpPath) || {};
+
+    if (!mcpConfig.mcpServers) {
+        mcpConfig.mcpServers = {};
+    }
+
+    mcpConfig.mcpServers[MCP_SERVER_NAME] = {
+        command: 'npx',
+        args: ['-y', `${MCP_SERVER_PACKAGE}@latest`],
+        env: {
+            SECURITY_REVIEW_API_URL: envVars.apiUrl,
+            SECURITY_REVIEW_API_TOKEN: envVars.apiToken,
+        },
+    };
+
+    writeJson(mcpPath, mcpConfig);
+
+    const settingsPath = join(cwd, '.claude', 'settings.json');
+    const existing = readJson(settingsPath) || {};
+    const enabledServers = Array.isArray(existing.enabledMcpjsonServers)
+        ? existing.enabledMcpjsonServers.filter((name) => typeof name === 'string' && name.trim())
+        : [];
+    if (!enabledServers.includes(MCP_SERVER_NAME)) {
+        existing.enabledMcpjsonServers = [...enabledServers, MCP_SERVER_NAME];
+    }
+
+    if (!existing.permissions || typeof existing.permissions !== 'object' || Array.isArray(existing.permissions)) {
+        existing.permissions = {};
+    }
+    const allowedTools = Array.isArray(existing.permissions.allow)
+        ? existing.permissions.allow.filter((entry) => typeof entry === 'string' && entry.trim())
+        : [];
+    if (!allowedTools.includes(CLAUDE_MCP_PERMISSION)) {
+        existing.permissions.allow = [...allowedTools, CLAUDE_MCP_PERMISSION];
+    }
+
+    const existingSessionStart = Array.isArray(existing.SessionStart) ? existing.SessionStart : [];
+    const marker = 'MANDATORY SECURITY GATE (Claude Code Session Policy)';
+    const ours = getClaudeSessionStartHooks();
+    const hasOurs = existingSessionStart.some((entry) =>
+        Array.isArray(entry?.hooks) &&
+        entry.hooks.some((hook) => hook?.type === 'prompt' && typeof hook?.prompt === 'string' && hook.prompt.includes(marker)),
+    );
+    existing.SessionStart = hasOurs ? existingSessionStart : [...existingSessionStart, ...ours];
+
+    writeJson(settingsPath, existing);
+    return mcpPath;
+}

package/src/generators/mcp/claude.test.js

@@ -0,0 +1,64 @@
+import { mkdirSync, mkdtempSync, readFileSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import { generate } from './claude.js';
+
+test('Claude MCP generator writes .mcp.json, enables the project MCP server, and adds session hooks', () => {
+    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-claude-mcp-'));
+
+    generate(cwd, {
+        apiUrl: 'https://example.test',
+        apiToken: 'secret-token',
+    });
+
+    const mcpConfig = JSON.parse(readFileSync(join(cwd, '.mcp.json'), 'utf8'));
+    const settings = JSON.parse(readFileSync(join(cwd, '.claude', 'settings.json'), 'utf8'));
+    assert.equal(mcpConfig.mcpServers['security-review-mcp'].command, 'npx');
+    assert.deepEqual(settings.enabledMcpjsonServers, ['security-review-mcp']);
+    assert.deepEqual(settings.permissions.allow, ['mcp__security-review-mcp']);
+    assert.equal(Array.isArray(settings.SessionStart), true);
+    assert.match(settings.SessionStart[0].hooks[0].prompt, /MANDATORY SECURITY GATE/);
+    assert.match(settings.SessionStart[0].hooks[0].prompt, /vibereview\//);
+    assert.match(settings.SessionStart[0].hooks[0].prompt, /sync_ai_ide_markdown/);
+    assert.match(settings.SessionStart[0].hooks[0].prompt, /vibereview-sync\/SKILL\.md/);
+});
+
+test('Claude MCP generator preserves existing SessionStart hooks', () => {
+    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-claude-mcp-merge-'));
+    const configPath = join(cwd, '.claude', 'settings.json');
+    mkdirSync(join(cwd, '.claude'), { recursive: true });
+
+    writeFileSync(
+        configPath,
+        JSON.stringify(
+            {
+                SessionStart: [
+                    {
+                        matcher: '.*',
+                        hooks: [{ type: 'prompt', prompt: 'Existing hook' }],
+                    },
+                ],
+                permissions: {
+                    allow: ['Bash(npm run test:*)'],
+                },
+            },
+            null,
+            2,
+        ),
+        'utf8',
+    );
+
+    generate(cwd, {
+        apiUrl: 'https://example.test',
+        apiToken: 'secret-token',
+    });
+
+    const config = JSON.parse(readFileSync(configPath, 'utf8'));
+    assert.equal(config.SessionStart.length, 2);
+    assert.match(config.SessionStart[0].hooks[0].prompt, /Existing hook/);
+    assert.match(config.SessionStart[1].hooks[0].prompt, /MANDATORY SECURITY GATE/);
+    assert.deepEqual(config.enabledMcpjsonServers, ['security-review-mcp']);
+    assert.deepEqual(config.permissions.allow, ['Bash(npm run test:*)', 'mcp__security-review-mcp']);
+});

package/src/generators/mcp/codex.js

@@ -0,0 +1,70 @@
+import { join } from 'node:path';
+import { readText, writeText, ensureDir } from '../../utils/fs-helpers.js';
+import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
+
+function ensureHooksFeature(existing) {
+    const featureLine = 'codex_hooks = true';
+    const featuresHeader = '[features]';
+
+    if (!existing) {
+        return `${featuresHeader}\n${featureLine}`;
+    }
+
+    if (existing.includes(featuresHeader)) {
+        const featuresSectionPattern = /(\[features\][\s\S]*?)(?=\n\[[^\]]+\]|$)/;
+        return existing.replace(featuresSectionPattern, (section) => {
+            if (/\bcodex_hooks\s*=/.test(section)) {
+                return section.replace(/codex_hooks\s*=\s*(true|false)/, featureLine);
+            }
+            const separator = section.endsWith('\n') ? '' : '\n';
+            return `${section}${separator}${featureLine}\n`;
+        });
+    }
+
+    const separator = existing.endsWith('\n') ? '\n' : '\n\n';
+    return `${existing}${separator}${featuresHeader}\n${featureLine}\n`;
+}
+
+/**
+ * Generate Codex MCP config at .codex/config.toml
+ * Codex uses TOML format. We use simple string templating since the structure
+ * is straightforward and avoids a TOML library dependency.
+ */
+export function generate(cwd, envVars) {
+    const filePath = join(cwd, '.codex', 'config.toml');
+    const existing = readText(filePath);
+
+    const serverBlock = `
+[mcp_servers.${MCP_SERVER_NAME}]
+command = "npx"
+args = ["-y", "${MCP_SERVER_PACKAGE}@latest"]
+default_tools_approval_mode = "approve"
+
+[mcp_servers.${MCP_SERVER_NAME}.env]
+SECURITY_REVIEW_API_URL = "${envVars.apiUrl}"
+SECURITY_REVIEW_API_TOKEN = "${envVars.apiToken}"
+`.trim();
+
+    const existingWithHooks = ensureHooksFeature(existing).trim();
+
+    // Check if we already have this server configured
+    if (existingWithHooks.includes(`[mcp_servers.${MCP_SERVER_NAME}]`)) {
+        // Replace the existing block — find from the server header to the next
+        // section header or end of file
+        const regex = new RegExp(
+            `\\[mcp_servers\\.${MCP_SERVER_NAME}\\][\\s\\S]*?(?=\\n\\[(?!mcp_servers\\.${MCP_SERVER_NAME})|$)`,
+        );
+        const updated = existingWithHooks.replace(regex, serverBlock);
+        writeText(filePath, updated);
+    } else if (existingWithHooks) {
+        // Append to existing file
+        const separator = existingWithHooks.endsWith('\n') ? '\n' : '\n\n';
+        writeText(filePath, existingWithHooks + separator + serverBlock + '\n');
+    } else {
+        // New file
+        ensureDir(join(cwd, '.codex'));
+        writeText(filePath, existingWithHooks + '\n\n' + serverBlock + '\n');
+    }
+
+    return filePath;
+}

package/src/generators/mcp/codex.test.js

@@ -0,0 +1,43 @@
+import { mkdtempSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import { generate } from './codex.js';
+
+test('Codex MCP generator enables hooks and writes MCP server block', () => {
+    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-codex-mcp-'));
+
+    generate(cwd, {
+        apiUrl: 'https://example.test',
+        apiToken: 'secret-token',
+    });
+
+    const config = readFileSync(join(cwd, '.codex/config.toml'), 'utf8');
+    assert.match(config, /\[features\]\ncodex_hooks = true/);
+    assert.match(config, /\[mcp_servers\.security-review-mcp\]/);
+    assert.match(config, /default_tools_approval_mode = "approve"/);
+    assert.match(config, /SECURITY_REVIEW_API_URL = "https:\/\/example\.test"/);
+});
+
+test('Codex MCP generator preserves existing features while forcing codex_hooks', () => {
+    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-codex-mcp-merge-'));
+    const configPath = join(cwd, '.codex', 'config.toml');
+    mkdirSync(join(cwd, '.codex'), { recursive: true });
+
+    writeFileSync(
+        configPath,
+        '[features]\nshell_snapshot = true\ncodex_hooks = false\n\n[profiles.default]\nmodel = "gpt-5.4"\n',
+        'utf8',
+    );
+
+    generate(cwd, {
+        apiUrl: 'https://example.test',
+        apiToken: 'secret-token',
+    });
+
+    const config = readFileSync(configPath, 'utf8');
+    assert.match(config, /\[features\][\s\S]*shell_snapshot = true/);
+    assert.match(config, /\[features\][\s\S]*codex_hooks = true/);
+    assert.match(config, /\[profiles\.default\]\nmodel = "gpt-5\.4"/);
+});

package/src/generators/mcp/cursor.js

@@ -0,0 +1,29 @@
+import { join } from 'node:path';
+import { readJson, writeJson } from '../../utils/fs-helpers.js';
+import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
+import { mergeCursorCliMcpAllowlist } from '../../utils/cursor-cli-permissions.js';
+
+/**
+ * Generate Cursor MCP config at .cursor/mcp.json
+ */
+export function generate(cwd, envVars) {
+    const filePath = join(cwd, '.cursor', 'mcp.json');
+    const existing = readJson(filePath) || {};
+
+    if (!existing.mcpServers) {
+        existing.mcpServers = {};
+    }
+
+    existing.mcpServers[MCP_SERVER_NAME] = {
+        command: 'npx',
+        args: ['-y', `${MCP_SERVER_PACKAGE}@latest`],
+        env: {
+            SECURITY_REVIEW_API_URL: envVars.apiUrl,
+            SECURITY_REVIEW_API_TOKEN: envVars.apiToken,
+        },
+    };
+
+    writeJson(filePath, existing);
+    mergeCursorCliMcpAllowlist(cwd);
+    return filePath;
+}

package/src/generators/mcp/cursor.test.js

@@ -0,0 +1,50 @@
+import { mkdirSync, mkdtempSync, readFileSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import { generate } from './cursor.js';
+
+test('Cursor MCP generator writes server config and CLI MCP allow rule', () => {
+    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-cursor-mcp-'));
+
+    generate(cwd, {
+        apiUrl: 'https://example.test',
+        apiToken: 'secret-token',
+    });
+
+    const mcpConfig = JSON.parse(readFileSync(join(cwd, '.cursor', 'mcp.json'), 'utf8'));
+    const cliConfig = JSON.parse(readFileSync(join(cwd, '.cursor', 'cli.json'), 'utf8'));
+    assert.equal(mcpConfig.mcpServers['security-review-mcp'].command, 'npx');
+    assert.deepEqual(cliConfig.permissions.allow, ['Mcp(security-review-mcp:*)']);
+    assert.deepEqual(cliConfig.permissions.deny, []);
+});
+
+test('Cursor MCP generator preserves existing CLI permissions', () => {
+    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-cursor-mcp-merge-'));
+    const cliPath = join(cwd, '.cursor', 'cli.json');
+    mkdirSync(join(cwd, '.cursor'), { recursive: true });
+    writeFileSync(
+        cliPath,
+        JSON.stringify(
+            {
+                permissions: {
+                    allow: ['Shell(git)'],
+                    deny: ['Shell(rm)'],
+                },
+            },
+            null,
+            2,
+        ),
+        'utf8',
+    );
+
+    generate(cwd, {
+        apiUrl: 'https://example.test',
+        apiToken: 'secret-token',
+    });
+
+    const cliConfig = JSON.parse(readFileSync(cliPath, 'utf8'));
+    assert.deepEqual(cliConfig.permissions.allow, ['Shell(git)', 'Mcp(security-review-mcp:*)']);
+    assert.deepEqual(cliConfig.permissions.deny, ['Shell(rm)']);
+});

package/src/generators/mcp/gemini.js

@@ -0,0 +1,28 @@
+import { join } from 'node:path';
+import { readJson, writeJson } from '../../utils/fs-helpers.js';
+import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
+
+/**
+ * Generate Gemini CLI / Antigravity MCP config at .gemini/settings.json
+ * Both Gemini CLI and Antigravity use the same config file path.
+ */
+export function generate(cwd, envVars) {
+    const filePath = join(cwd, '.gemini', 'settings.json');
+    const existing = readJson(filePath) || {};
+
+    if (!existing.mcpServers) {
+        existing.mcpServers = {};
+    }
+
+    existing.mcpServers[MCP_SERVER_NAME] = {
+        command: 'npx',
+        args: ['-y', `${MCP_SERVER_PACKAGE}@latest`],
+        env: {
+            SECURITY_REVIEW_API_URL: envVars.apiUrl,
+            SECURITY_REVIEW_API_TOKEN: envVars.apiToken,
+        },
+    };
+
+    writeJson(filePath, existing);
+    return filePath;
+}