@securityreviewai/securityreview-kit 0.1.50 → 0.1.52

package/src/generators/mcp/vscode.js

@@ -0,0 +1,29 @@
+import { join } from 'node:path';
+import { readJson, writeJson } from '../../utils/fs-helpers.js';
+import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
+
+/**
+ * Generate VS Code Copilot MCP config at .vscode/mcp.json
+ * Uses the VS Code input variable pattern for secure credential prompting.
+ */
+export function generate(cwd, envVars) {
+    const filePath = join(cwd, '.vscode', 'mcp.json');
+    const existing = readJson(filePath) || {};
+
+    if (!existing.servers) {
+        existing.servers = {};
+    }
+
+    existing.servers[MCP_SERVER_NAME] = {
+        type: 'stdio',
+        command: 'npx',
+        args: ['-y', `${MCP_SERVER_PACKAGE}@latest`],
+        env: {
+            SECURITY_REVIEW_API_URL: envVars.apiUrl,
+            SECURITY_REVIEW_API_TOKEN: envVars.apiToken,
+        },
+    };
+
+    writeJson(filePath, existing);
+    return filePath;
+}

package/src/generators/mcp/windsurf.js

@@ -0,0 +1,27 @@
+import { join } from 'node:path';
+import { readJson, writeJson } from '../../utils/fs-helpers.js';
+import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
+
+/**
+ * Generate Windsurf MCP config at .windsurf/mcp_config.json
+ */
+export function generate(cwd, envVars) {
+    const filePath = join(cwd, '.windsurf', 'mcp_config.json');
+    const existing = readJson(filePath) || {};
+
+    if (!existing.mcpServers) {
+        existing.mcpServers = {};
+    }
+
+    existing.mcpServers[MCP_SERVER_NAME] = {
+        command: 'npx',
+        args: ['-y', `${MCP_SERVER_PACKAGE}@latest`],
+        env: {
+            SECURITY_REVIEW_API_URL: envVars.apiUrl,
+            SECURITY_REVIEW_API_TOKEN: envVars.apiToken,
+        },
+    };
+
+    writeJson(filePath, existing);
+    return filePath;
+}

package/src/generators/rules/antigravity.js

@@ -0,0 +1,22 @@
+import { join } from 'node:path';
+import { writeText } from '../../utils/fs-helpers.js';
+import { getRuleContent } from './content.js';
+
+/**
+ * Generate Antigravity workspace rule at .agent/rules/srai-security-review.md
+ * Antigravity uses .agent/rules/ with YAML frontmatter (trigger: always_on).
+ */
+export function generate(cwd, options = {}) {
+    const filePath = join(cwd, '.agent', 'rules', 'srai-security-review.md');
+    const content = getRuleContent(options);
+
+    const rule = `---
+trigger: always_on
+---
+
+${content}
+`;
+
+    writeText(filePath, rule);
+    return filePath;
+}

package/src/generators/rules/claude.js

@@ -0,0 +1,87 @@
+import { existsSync, unlinkSync } from 'node:fs';
+import { join } from 'node:path';
+import {
+    GUARDRAILS_PROFILER_SKILL_REL_DIR,
+    GUARDRAILS_SELECTION_SKILL_REL_DIR,
+    SENTINEL_END,
+    SENTINEL_START,
+    THREAT_MODELLING_SKILL_REL_DIR,
+    VIBEREVIEW_SYNC_SKILL_REL_DIR,
+} from '../../utils/constants.js';
+import { readText, upsertSentinelBlock, writeText } from '../../utils/fs-helpers.js';
+import {
+    getGuardrailsInitProfileContent,
+    getRuleContent,
+    getThreatModellingSkillContent,
+    getVibeReviewSyncSkillContent,
+} from './content.js';
+
+function writeGeneratedText(filePath, content) {
+    const action = existsSync(filePath) ? 'updated' : 'created';
+    writeText(filePath, content);
+    return { filePath, action };
+}
+
+/**
+ * Generate Claude Code workspace rule — appends to .claude/CLAUDE.md
+ */
+export function generate(cwd, options = {}) {
+    const optionsWithSkillDirs = {
+        ...options,
+        guardrailsSelectionSkillDir: GUARDRAILS_SELECTION_SKILL_REL_DIR.claude,
+        threatModellingSkillDir: THREAT_MODELLING_SKILL_REL_DIR.claude,
+        vibereviewSyncSkillDir: VIBEREVIEW_SYNC_SKILL_REL_DIR.claude,
+    };
+    const legacyRootPath = join(cwd, 'CLAUDE.md');
+    const filePath = join(cwd, '.claude', 'CLAUDE.md');
+    const content = getRuleContent(optionsWithSkillDirs);
+    const action = upsertSentinelBlock(filePath, content);
+
+    const legacyContent = readText(legacyRootPath);
+    if (legacyContent.includes(SENTINEL_START) && legacyContent.includes(SENTINEL_END)) {
+        const startIdx = legacyContent.indexOf(SENTINEL_START);
+        const endIdx = legacyContent.indexOf(SENTINEL_END);
+        const before = legacyContent.substring(0, startIdx);
+        const after = legacyContent.substring(endIdx + SENTINEL_END.length);
+        const migrated = `${before}${after}`.trim();
+        if (migrated) {
+            writeText(legacyRootPath, migrated + '\n');
+        } else if (existsSync(legacyRootPath)) {
+            unlinkSync(legacyRootPath);
+        }
+    }
+
+    const threatSkillPath = join(cwd, THREAT_MODELLING_SKILL_REL_DIR.claude, 'SKILL.md');
+    const threatSkill = writeGeneratedText(
+        threatSkillPath,
+        getThreatModellingSkillContent(optionsWithSkillDirs),
+    );
+
+    const vibereviewSyncSkillPath = join(cwd, VIBEREVIEW_SYNC_SKILL_REL_DIR.claude, 'SKILL.md');
+    const vibereviewSyncSkill = writeGeneratedText(
+        vibereviewSyncSkillPath,
+        getVibeReviewSyncSkillContent(optionsWithSkillDirs),
+    );
+
+    const deletedLegacyAgentPath = join(cwd, '.claude', 'agents', 'ctm_sync.md');
+    const deletedLegacyAgent = existsSync(deletedLegacyAgentPath)
+        ? (unlinkSync(deletedLegacyAgentPath), { filePath: deletedLegacyAgentPath, action: 'deleted' })
+        : null;
+
+    const guardrailsInitPath = join(cwd, '.claude', 'commands', 'guardrails-init-profile.md');
+    const guardrailsInit = writeGeneratedText(
+        guardrailsInitPath,
+        getGuardrailsInitProfileContent({
+            ...optionsWithSkillDirs,
+            guardrailsSkillDir: GUARDRAILS_PROFILER_SKILL_REL_DIR.claude,
+        }),
+    );
+
+    return [
+        { filePath, action, kind: 'rule' },
+        { ...threatSkill, kind: 'skill' },
+        { ...vibereviewSyncSkill, kind: 'skill' },
+        { ...guardrailsInit, kind: 'command' },
+        ...(deletedLegacyAgent ? [{ ...deletedLegacyAgent, kind: 'cleanup' }] : []),
+    ];
+}

package/src/generators/rules/claude.test.js

@@ -0,0 +1,60 @@
+import { existsSync, mkdtempSync, readFileSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import { generate } from './claude.js';
+
+test('Claude generator writes .claude/CLAUDE.md, threat skill, and profiling command', () => {
+    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-claude-'));
+
+    const results = generate(cwd, { projectName: 'SmokeProject' });
+
+    const expectedPaths = [
+        '.claude/CLAUDE.md',
+        '.claude/skills/threat-modelling/SKILL.md',
+        '.claude/skills/vibereview-sync/SKILL.md',
+        '.claude/commands/guardrails-init-profile.md',
+    ];
+
+    for (const relPath of expectedPaths) {
+        assert.equal(existsSync(join(cwd, relPath)), true, `${relPath} should exist`);
+    }
+
+    assert.deepEqual(results.map((entry) => entry.kind), ['rule', 'skill', 'skill', 'command']);
+
+    const instructions = readFileSync(join(cwd, '.claude/CLAUDE.md'), 'utf8');
+    assert.match(instructions, /\.claude\/skills\/guardrails-selection\/SKILL\.md/);
+    assert.match(instructions, /\.claude\/skills\/threat-modelling\/SKILL\.md/);
+    assert.match(instructions, /\.claude\/skills\/vibereview-sync\/SKILL\.md/);
+    assert.match(instructions, /sync_ai_ide_markdown/);
+    assert.match(instructions, /vibereview\//);
+
+    const threatSkill = readFileSync(join(cwd, '.claude/skills/threat-modelling/SKILL.md'), 'utf8');
+    assert.match(threatSkill, /sync_ai_ide_markdown/);
+    assert.match(threatSkill, /vibereview\//);
+    assert.doesNotMatch(threatSkill, /get_project_profile_description/);
+
+    const vibereviewSkill = readFileSync(join(cwd, '.claude/skills/vibereview-sync/SKILL.md'), 'utf8');
+    assert.match(vibereviewSkill, /Do not read other/i);
+    assert.match(vibereviewSkill, /sync_ai_ide_markdown/);
+    assert.match(vibereviewSkill, /Event Identity/);
+    assert.match(vibereviewSkill, /Practice 1/);
+    assert.match(vibereviewSkill, /practice_name:/);
+});
+
+test('Claude generator migrates the kit-managed root CLAUDE.md block into .claude/CLAUDE.md', () => {
+    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-claude-migrate-'));
+    const legacyPath = join(cwd, 'CLAUDE.md');
+
+    writeFileSync(
+        legacyPath,
+        '<!-- securityreview-kit:start -->\nold managed block\n<!-- securityreview-kit:end -->\n',
+        'utf8',
+    );
+
+    generate(cwd, { projectName: 'SmokeProject' });
+
+    assert.equal(existsSync(join(cwd, '.claude/CLAUDE.md')), true);
+    assert.equal(existsSync(legacyPath), false);
+});

package/src/generators/rules/codex.js

@@ -0,0 +1,141 @@
+import { existsSync, unlinkSync } from 'node:fs';
+import { join } from 'node:path';
+import {
+    GUARDRAILS_PROFILER_SKILL_REL_DIR,
+    GUARDRAILS_SELECTION_SKILL_REL_DIR,
+    THREAT_MODELLING_SKILL_REL_DIR,
+    VIBEREVIEW_SYNC_SKILL_REL_DIR,
+} from '../../utils/constants.js';
+import { upsertSentinelBlock, writeText } from '../../utils/fs-helpers.js';
+import {
+    getGuardrailsInitProfileContent,
+    getRuleContent,
+    getThreatModellingSkillContent,
+    getVibeReviewSyncSkillContent,
+} from './content.js';
+
+function writeGeneratedText(filePath, content) {
+    const action = existsSync(filePath) ? 'updated' : 'created';
+    writeText(filePath, content);
+    return { filePath, action };
+}
+
+function removeGeneratedText(filePath) {
+    if (existsSync(filePath)) {
+        unlinkSync(filePath);
+        return { filePath, action: 'deleted' };
+    }
+    return null;
+}
+
+function getCodexSessionHookContent() {
+    const additionalContext = [
+        '## MANDATORY SECURITY GATE (Session Policy)',
+        '',
+        'For any request with security impact (auth, authorization, crypto, input handling, secrets, network, data storage, dependencies, new APIs/endpoints, infrastructure, or code handling untrusted data), follow this order:',
+        '',
+        '1. Fetch Vibe Guardrails first using .codex/skills/guardrails-selection/SKILL.md. Resolve the project, call get_guardrails, shortlist relevant guardrails, then call get_guardrail_by_id for the shortlist.',
+        '2. Run PWNISMS threat modelling using .codex/skills/threat-modelling/SKILL.md. Explicitly walk Product, Workload, Network, IAM, Secrets, Monitoring, and Supply Chain.',
+        '3. Implement secure code using both the hydrated guardrails and PWNISMS findings.',
+        '4. Read .codex/skills/vibereview-sync/SKILL.md. Write a structured .md artifact under vibereview/, do not read sibling markdown files there just to infer format, validate it, and call sync_ai_ide_markdown directly after threat modelling or guardrail enforcement. Reuse the exact guardrail shortlist; do not re-query guardrails during the final sync.',
+        '',
+        'Do not use project-profile exploration tools during normal coding tasks. No blocking and no deferral: guardrails first, PWNISMS second, implementation third, VibeReview sync last.',
+    ].join('\n');
+
+    const sessionStartPayload = JSON.stringify({
+        hookSpecificOutput: {
+            hookEventName: 'SessionStart',
+            additionalContext,
+        },
+    });
+    const userPromptPayload = JSON.stringify({
+        hookSpecificOutput: {
+            hookEventName: 'UserPromptSubmit',
+            additionalContext,
+        },
+    });
+
+    return JSON.stringify(
+        {
+            hooks: {
+                SessionStart: [
+                    {
+                        matcher: 'startup|resume',
+                        hooks: [
+                            {
+                                type: 'command',
+                                command: `printf '%s\\n' '${sessionStartPayload.replaceAll("'", "'\\''")}'`,
+                                timeout: 5,
+                                statusMessage: 'Loading SRAI security session policy',
+                            },
+                        ],
+                    },
+                ],
+                UserPromptSubmit: [
+                    {
+                        hooks: [
+                            {
+                                type: 'command',
+                                command: `printf '%s\\n' '${userPromptPayload.replaceAll("'", "'\\''")}'`,
+                                timeout: 5,
+                                statusMessage: 'Refreshing SRAI security session policy',
+                            },
+                        ],
+                    },
+                ],
+            },
+        },
+        null,
+        2,
+    ) + '\n';
+}
+
+/**
+ * Generate Codex workspace rule — appends to AGENTS.md
+ */
+export function generate(cwd, options = {}) {
+    const optionsWithSkillDirs = {
+        ...options,
+        guardrailsSelectionSkillDir: GUARDRAILS_SELECTION_SKILL_REL_DIR.codex,
+        threatModellingSkillDir: THREAT_MODELLING_SKILL_REL_DIR.codex,
+        vibereviewSyncSkillDir: VIBEREVIEW_SYNC_SKILL_REL_DIR.codex,
+    };
+    const filePath = join(cwd, '.codex', 'AGENTS.md');
+    const content = getRuleContent(optionsWithSkillDirs);
+    const action = upsertSentinelBlock(filePath, content);
+
+    const threatSkillPath = join(cwd, THREAT_MODELLING_SKILL_REL_DIR.codex, 'SKILL.md');
+    const threatSkill = writeGeneratedText(
+        threatSkillPath,
+        getThreatModellingSkillContent(optionsWithSkillDirs),
+    );
+
+    const vibereviewSyncSkillPath = join(cwd, VIBEREVIEW_SYNC_SKILL_REL_DIR.codex, 'SKILL.md');
+    const vibereviewSyncSkill = writeGeneratedText(
+        vibereviewSyncSkillPath,
+        getVibeReviewSyncSkillContent(optionsWithSkillDirs),
+    );
+
+    const deletedLegacyAgent = removeGeneratedText(join(cwd, '.codex', 'agents', 'ctm_sync.toml'));
+
+    const hooksPath = join(cwd, '.codex', 'hooks.json');
+    const hooks = writeGeneratedText(hooksPath, getCodexSessionHookContent());
+
+    const guardrailsInitPath = join(cwd, '.codex', 'commands', 'guardrails-init-profile.md');
+    const guardrailsInit = writeGeneratedText(
+        guardrailsInitPath,
+        getGuardrailsInitProfileContent({
+            ...optionsWithSkillDirs,
+            guardrailsSkillDir: GUARDRAILS_PROFILER_SKILL_REL_DIR.codex,
+        }),
+    );
+
+    return [
+        { filePath, action, kind: 'rule' },
+        { ...threatSkill, kind: 'skill' },
+        { ...vibereviewSyncSkill, kind: 'skill' },
+        { ...hooks, kind: 'hooks' },
+        { ...guardrailsInit, kind: 'command' },
+        ...(deletedLegacyAgent ? [{ ...deletedLegacyAgent, kind: 'cleanup' }] : []),
+    ];
+}

package/src/generators/rules/codex.test.js

@@ -0,0 +1,59 @@
+import { existsSync, mkdtempSync, readFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import { generate } from './codex.js';
+
+test('Codex generator writes AGENTS, skills, hooks, and profiling command', () => {
+    const cwd = mkdtempSync(join(tmpdir(), 'securityreview-kit-codex-'));
+
+    const results = generate(cwd, { projectName: 'SmokeProject' });
+
+    const expectedPaths = [
+        '.codex/AGENTS.md',
+        '.codex/skills/threat-modelling/SKILL.md',
+        '.codex/skills/vibereview-sync/SKILL.md',
+        '.codex/hooks.json',
+        '.codex/commands/guardrails-init-profile.md',
+    ];
+
+    for (const relPath of expectedPaths) {
+        assert.equal(existsSync(join(cwd, relPath)), true, `${relPath} should exist`);
+    }
+
+    assert.deepEqual(results.map((entry) => entry.kind), ['rule', 'skill', 'skill', 'hooks', 'command']);
+
+    const instructions = readFileSync(join(cwd, '.codex/AGENTS.md'), 'utf8');
+    assert.match(instructions, /\.codex\/skills\/guardrails-selection\/SKILL\.md/);
+    assert.match(instructions, /\.codex\/skills\/threat-modelling\/SKILL\.md/);
+    assert.match(instructions, /\.codex\/skills\/vibereview-sync\/SKILL\.md/);
+    assert.match(instructions, /sync_ai_ide_markdown/);
+    assert.match(instructions, /vibereview\//);
+    assert.doesNotMatch(instructions, /\.cursor/);
+    assert.doesNotMatch(instructions, /\.agents\/skills/);
+
+    const threatSkill = readFileSync(join(cwd, '.codex/skills/threat-modelling/SKILL.md'), 'utf8');
+    for (const heading of ['Product', 'Workload', 'Network', 'IAM', 'Secrets', 'Monitoring', 'Supply Chain']) {
+        assert.match(threatSkill, new RegExp(heading));
+    }
+    assert.match(threatSkill, /sync_ai_ide_markdown/);
+    assert.match(threatSkill, /vibereview\//);
+    assert.doesNotMatch(threatSkill, /get_project_profile_description/);
+
+    const vibereviewSkill = readFileSync(join(cwd, '.codex/skills/vibereview-sync/SKILL.md'), 'utf8');
+    assert.match(vibereviewSkill, /do not read other `?\.md`? files in `?vibereview\/`?/i);
+    assert.match(vibereviewSkill, /sync_ai_ide_markdown/);
+    assert.match(vibereviewSkill, /Event Identity/);
+    assert.match(vibereviewSkill, /OWASP Top 10 2025 Mappings/);
+    assert.match(vibereviewSkill, /Practice 1/);
+    assert.match(vibereviewSkill, /practice_name:/);
+
+    const hooks = JSON.parse(readFileSync(join(cwd, '.codex/hooks.json'), 'utf8'));
+    assert.equal(hooks.hooks.SessionStart[0].hooks[0].type, 'command');
+    assert.equal(hooks.hooks.UserPromptSubmit[0].hooks[0].type, 'command');
+    assert.match(hooks.hooks.UserPromptSubmit[0].hooks[0].command, /"hookEventName":"UserPromptSubmit"/);
+    assert.match(hooks.hooks.UserPromptSubmit[0].hooks[0].command, /vibereview/);
+    assert.match(hooks.hooks.UserPromptSubmit[0].hooks[0].command, /sync_ai_ide_markdown/);
+    assert.match(hooks.hooks.UserPromptSubmit[0].hooks[0].command, /vibereview-sync\/SKILL\.md/);
+});

package/src/generators/rules/content.js

@@ -0,0 +1,110 @@
+import { readFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+function sanitizeProjectName(value) {
+    return value.replace(/[\r\n`]/g, ' ').trim();
+}
+
+function injectPathPlaceholder(content, placeholder, fallbackPath, configuredPath) {
+    if (!content.includes(placeholder)) {
+        return content;
+    }
+
+    const resolvedPath =
+        typeof configuredPath === 'string' && configuredPath.trim() ? configuredPath.trim() : fallbackPath;
+
+    return content.replaceAll(placeholder, resolvedPath);
+}
+
+/**
+ * Reads a markdown template and injects the configured project name placeholder.
+ */
+function readTemplate(templateFileName, options = {}) {
+    const template = readFileSync(join(__dirname, templateFileName), 'utf-8').trim();
+    const rawProjectName = typeof options.projectName === 'string' ? options.projectName : '';
+    const projectName = sanitizeProjectName(rawProjectName);
+    const resolvedProjectName = projectName || '<SRAI_PROJECT_NAME>';
+
+    let out = template
+        .replaceAll('{{SRAI_PROJECT_NAME}}', resolvedProjectName)
+        .replaceAll('<SRAI_PROJECT_NAME>', resolvedProjectName);
+
+    out = injectPathPlaceholder(
+        out,
+        '{{GUARDRAILS_SKILL_DIR}}',
+        '.cursor/skills/guardrails-profiler',
+        options.guardrailsSkillDir,
+    );
+    out = injectPathPlaceholder(
+        out,
+        '{{GUARDRAILS_SELECTION_SKILL_DIR}}',
+        '.cursor/skills/guardrails-selection',
+        options.guardrailsSelectionSkillDir,
+    );
+    out = injectPathPlaceholder(
+        out,
+        '{{THREAT_MODELLING_SKILL_DIR}}',
+        '.cursor/skills/threat-modelling',
+        options.threatModellingSkillDir,
+    );
+    out = injectPathPlaceholder(
+        out,
+        '{{VIBEREVIEW_SYNC_SKILL_DIR}}',
+        '.cursor/skills/vibereview-sync',
+        options.vibereviewSyncSkillDir,
+    );
+
+    return out;
+}
+
+/**
+ * Returns the shared rule content markdown.
+ */
+export function getRuleContent(options = {}) {
+    return readTemplate('content.md', options);
+}
+
+/**
+ * Returns the Cursor profile uploader command markdown.
+ */
+export function getProfileCommandContent(options = {}) {
+    return readTemplate('srai-profile.md', options);
+}
+
+/**
+ * Returns the threat-modelling skill markdown.
+ */
+export function getThreatModellingSkillContent(options = {}) {
+    return readTemplate('skill.md', options);
+}
+
+/**
+ * Returns the VibeReview sync skill markdown.
+ */
+export function getVibeReviewSyncSkillContent(options = {}) {
+    return readTemplate(join('vibereview-sync', 'SKILL.md'), options);
+}
+
+/**
+ * Returns the vibe guardrails always-applied rule markdown.
+ */
+export function getGuardrailsRuleContent(options = {}) {
+    return readTemplate('guardrails_rule.md', options);
+}
+
+/**
+ * Guardrails init profile command (repo scan + .guardrails/profile.json + SRAI upload).
+ */
+export function getGuardrailsInitProfileContent(options = {}) {
+    return readTemplate('guardrails-init-profile.md', options);
+}
+
+/**
+ * Returns the hooks.json content for Cursor session hooks.
+ */
+export function getHooksContent() {
+    return readFileSync(join(__dirname, 'hooks.json'), 'utf-8').trim();
+}

package/src/generators/rules/cursor.js

@@ -0,0 +1,128 @@
+import { existsSync, unlinkSync } from 'node:fs';
+import { join } from 'node:path';
+import {
+    GUARDRAILS_PROFILER_SKILL_REL_DIR,
+    GUARDRAILS_SELECTION_SKILL_REL_DIR,
+    THREAT_MODELLING_SKILL_REL_DIR,
+    VIBEREVIEW_SYNC_SKILL_REL_DIR,
+} from '../../utils/constants.js';
+import { writeText } from '../../utils/fs-helpers.js';
+import { mergeCursorCliMcpAllowlist } from '../../utils/cursor-cli-permissions.js';
+import {
+    getRuleContent,
+    getProfileCommandContent,
+    getThreatModellingSkillContent,
+    getVibeReviewSyncSkillContent,
+    getGuardrailsRuleContent,
+    getGuardrailsInitProfileContent,
+    getHooksContent,
+} from './content.js';
+
+function writeCursorRule(filePath, description, content) {
+    const action = existsSync(filePath) ? 'updated' : 'created';
+    const mdc = `---
+description: ${description}
+alwaysApply: true
+---
+
+${content}
+`;
+
+    writeText(filePath, mdc);
+    return { filePath, action };
+}
+
+function writeCursorCommand(filePath, content) {
+    const action = existsSync(filePath) ? 'updated' : 'created';
+    writeText(filePath, content);
+    return { filePath, action };
+}
+
+function removeGeneratedText(filePath) {
+    if (existsSync(filePath)) {
+        unlinkSync(filePath);
+        return { filePath, action: 'deleted' };
+    }
+    return null;
+}
+
+/**
+ * Generate Cursor workspace rules at .cursor/rules/*.mdc
+ * Cursor uses .mdc format with YAML front matter.
+ */
+export function generate(cwd, options = {}) {
+    const optionsWithSkillDirs = {
+        ...options,
+        guardrailsSelectionSkillDir: GUARDRAILS_SELECTION_SKILL_REL_DIR.cursor,
+        threatModellingSkillDir: THREAT_MODELLING_SKILL_REL_DIR.cursor,
+        vibereviewSyncSkillDir: VIBEREVIEW_SYNC_SKILL_REL_DIR.cursor,
+    };
+    const baseRulePath = join(cwd, '.cursor', 'rules', 'srai-security-review.mdc');
+    const guardrailsRulePath = join(cwd, '.cursor', 'rules', 'guardrails_rule.mdc');
+    const profileCommandPath = join(cwd, '.cursor', 'commands', 'srai-profile.md');
+    const guardrailsInitProfileCommandPath = join(cwd, '.cursor', 'commands', 'guardrails-init-profile.md');
+    const skillPath = join(cwd, '.cursor', 'skills', 'threat-modelling', 'SKILL.md');
+    const hooksPath = join(cwd, '.cursor', 'hooks.json');
+
+    const baseRuleContent = getRuleContent(optionsWithSkillDirs);
+    const guardrailsRuleContent = getGuardrailsRuleContent(optionsWithSkillDirs);
+    const profileCommandContent = getProfileCommandContent(optionsWithSkillDirs);
+    const guardrailsInitProfileCommandContent = getGuardrailsInitProfileContent({
+        ...optionsWithSkillDirs,
+        guardrailsSkillDir: GUARDRAILS_PROFILER_SKILL_REL_DIR.cursor,
+    });
+    const skillContent = getThreatModellingSkillContent(optionsWithSkillDirs);
+    const vibereviewSyncSkillContent = getVibeReviewSyncSkillContent(optionsWithSkillDirs);
+
+    const baseRule = writeCursorRule(
+        baseRulePath,
+        'SRAI Security Review gate — consult security-review-mcp before security-relevant code changes',
+        baseRuleContent,
+    );
+
+    const guardrailsRule = writeCursorRule(
+        guardrailsRulePath,
+        'Vibe Guardrails — fetch and enforce project-specific secure coding guardrails from SRAI',
+        guardrailsRuleContent,
+    );
+    const deletedLegacyRule = removeGeneratedText(join(cwd, '.cursor', 'rules', 'ctm_sync_rule.mdc'));
+    const deletedLegacyCommand = removeGeneratedText(join(cwd, '.cursor', 'commands', 'ctm_sync.md'));
+    const deletedLegacyAgent = removeGeneratedText(join(cwd, '.cursor', 'agents', 'ctm_sync.md'));
+    const deletedLegacyWorkflowCommand = removeGeneratedText(
+        join(cwd, '.cursor', 'commands', 'create-ide-workflow.md'),
+    );
+
+    const profileCommand = writeCursorCommand(profileCommandPath, profileCommandContent);
+    const guardrailsInitProfileCommand = writeCursorCommand(
+        guardrailsInitProfileCommandPath,
+        guardrailsInitProfileCommandContent,
+    );
+    const skillAction = existsSync(skillPath) ? 'updated' : 'created';
+    writeText(skillPath, skillContent);
+    const vibereviewSyncSkillPath = join(cwd, VIBEREVIEW_SYNC_SKILL_REL_DIR.cursor, 'SKILL.md');
+    const vibereviewSyncSkillAction = existsSync(vibereviewSyncSkillPath) ? 'updated' : 'created';
+    writeText(vibereviewSyncSkillPath, vibereviewSyncSkillContent);
+
+    const hooksContent = getHooksContent();
+    const hooksAction = existsSync(hooksPath) ? 'updated' : 'created';
+    writeText(hooksPath, hooksContent);
+
+    const cursorCliPath = join(cwd, '.cursor', 'cli.json');
+    const cliPermissionsExisted = existsSync(cursorCliPath);
+    mergeCursorCliMcpAllowlist(cwd);
+
+    return [
+        { ...baseRule, kind: 'rule' },
+        { ...guardrailsRule, kind: 'rule' },
+        { ...profileCommand, kind: 'command' },
+        { ...guardrailsInitProfileCommand, kind: 'command' },
+        { filePath: skillPath, action: skillAction, kind: 'skill' },
+        { filePath: vibereviewSyncSkillPath, action: vibereviewSyncSkillAction, kind: 'skill' },
+        { filePath: hooksPath, action: hooksAction, kind: 'hooks' },
+        { filePath: cursorCliPath, action: cliPermissionsExisted ? 'updated' : 'created', kind: 'config' },
+        ...(deletedLegacyRule ? [{ ...deletedLegacyRule, kind: 'cleanup' }] : []),
+        ...(deletedLegacyCommand ? [{ ...deletedLegacyCommand, kind: 'cleanup' }] : []),
+        ...(deletedLegacyAgent ? [{ ...deletedLegacyAgent, kind: 'cleanup' }] : []),
+        ...(deletedLegacyWorkflowCommand ? [{ ...deletedLegacyWorkflowCommand, kind: 'cleanup' }] : []),
+    ];
+}