@securityreviewai/securityreview-kit 0.1.50 → 0.1.52

package/src/utils/profiler-agent.js

@@ -0,0 +1,446 @@
+import { spawnSync } from 'node:child_process';
+import { join } from 'node:path';
+import { GUARDRAILS_PROFILER_SKILL_REL_DIR, MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from './constants.js';
+import { augmentPathEnv, resolveCursorAgentExecutable } from './cursor-agent-path.js';
+import { readJson, readText, writeText } from './fs-helpers.js';
+
+const PREFERRED_ORDER = ['cursor', 'vscode', 'claude', 'codex'];
+
+function commandOk(cmd, args = ['--version'], env = process.env) {
+    const r = spawnSync(cmd, args, { stdio: 'ignore', env });
+    return r.status === 0;
+}
+
+export function getProfilerLogPath(cwd, target) {
+    return join(cwd, '.guardrails', 'logs', `profiler-${target}.log`);
+}
+
+function buildProfilerEnv(target, streamProgress, extraEnv = {}) {
+    const env = augmentPathEnv(process.env);
+    for (const [key, value] of Object.entries(extraEnv || {})) {
+        if (value == null || value === '') {
+            delete env[key];
+        } else {
+            env[key] = value;
+        }
+    }
+    if (target === 'codex' && streamProgress && !env.RUST_LOG) {
+        env.RUST_LOG = 'info';
+    }
+    return env;
+}
+
+function persistProfilerLog(cwd, target, result) {
+    if (!result || (result.stdout == null && result.stderr == null)) {
+        return null;
+    }
+
+    const stdout = String(result.stdout || '');
+    const stderr = String(result.stderr || '');
+    const body = [
+        `target=${target}`,
+        `status=${result.status ?? ''}`,
+        `signal=${result.signal ?? ''}`,
+        '',
+        '--- stdout ---',
+        stdout,
+        '',
+        '--- stderr ---',
+        stderr,
+        '',
+    ].join('\n');
+
+    const logPath = getProfilerLogPath(cwd, target);
+    writeText(logPath, body);
+    return logPath;
+}
+
+export function buildProfilerAgentPrompt(projectName, agentTarget = 'cursor') {
+    const p = String(projectName || '').trim() || '<SRAI_PROJECT_NAME>';
+    const skillRoot =
+        GUARDRAILS_PROFILER_SKILL_REL_DIR[agentTarget] ||
+        GUARDRAILS_PROFILER_SKILL_REL_DIR.cursor;
+    return [
+        'Security Review Kit: run guardrails initialization profiling for this workspace.',
+        `SRAI project name: "${p}".`,
+        `Open and follow every step in ${skillRoot}/SKILL.md.`,
+        `Use ${skillRoot}/references/signal-registry.json as the signal registry.`,
+        'Write .guardrails/profile.json as defined in the skill.',
+        `Resolve project_id with find_project_by_name for "${p}", then call update_vibe_profile and write_default_pack via security-review-mcp.`,
+        'Do not invent stack details, compliance, or user groups; ground everything in the repository.',
+    ].join('\n');
+}
+
+/**
+ * Run Cursor Agent OAuth/login in the current terminal (stdio inherited).
+ * Call this from init before profiling so the user does not leave the kit flow.
+ */
+export function runCursorAgentLogin(cwd) {
+    const bin = resolveCursorAgentExecutable();
+    if (!bin) {
+        return {
+            ok: false,
+            status: null,
+            message:
+                'Cursor Agent CLI not found (`agent` or `cursor-agent`). Install from https://cursor.com/docs/cli/installation (add ~/.local/bin to PATH), or re-run init without --skip-ide-cli-install.',
+        };
+    }
+    const env = augmentPathEnv(process.env);
+    const r = spawnSync(bin, ['login'], { cwd, stdio: 'inherit', env });
+    const spawnErr = r.error ? r.error.message : null;
+    if (r.status === null && spawnErr) {
+        return { ok: false, status: null, message: spawnErr };
+    }
+    return { ok: r.status === 0, status: r.status, message: r.status !== 0 ? spawnErr : undefined };
+}
+
+/**
+ * Run GitHub Copilot CLI OAuth login in the current terminal (stdio inherited).
+ * `copilot login` exits after the device-flow succeeds, so init can continue into profiling.
+ */
+export function runCopilotLogin(cwd) {
+    const env = augmentPathEnv(process.env);
+    if (!commandOk('copilot', ['--version'], env)) {
+        return {
+            ok: false,
+            status: null,
+            message:
+                'GitHub Copilot CLI not found (`copilot`). Install from https://docs.github.com/copilot/how-tos/copilot-cli/set-up-copilot-cli/install-copilot-cli.',
+        };
+    }
+    const r = spawnSync('copilot', ['login'], { cwd, stdio: 'inherit', env });
+    const spawnErr = r.error ? r.error.message : null;
+    if (r.status === null && spawnErr) {
+        return { ok: false, status: null, message: spawnErr };
+    }
+    return { ok: r.status === 0, status: r.status, message: r.status !== 0 ? spawnErr : undefined };
+}
+
+/**
+ * Run Claude Code login in the current terminal.
+ */
+export function runClaudeLogin(cwd) {
+    return runClaudeAuthLogin(cwd, { mode: 'claudeai' });
+}
+
+/**
+ * Run Claude Code auth login in the current terminal.
+ */
+export function runClaudeAuthLogin(cwd, options = {}) {
+    const env = augmentPathEnv(process.env);
+    if (!commandOk('claude', ['--version'], env)) {
+        return {
+            ok: false,
+            status: null,
+            message: 'Claude Code CLI not found (`claude`). Install from https://claude.ai/code.',
+        };
+    }
+    const mode = options.mode === 'console' ? '--console' : '--claudeai';
+    const r = spawnSync('claude', ['auth', 'login', mode], { cwd, stdio: 'inherit', env });
+    const spawnErr = r.error ? r.error.message : null;
+    if (r.status === null && spawnErr) {
+        return { ok: false, status: null, message: spawnErr };
+    }
+    return { ok: r.status === 0, status: r.status, message: r.status !== 0 ? spawnErr : undefined };
+}
+
+/**
+ * Run Claude Code long-lived token setup in the current terminal.
+ */
+export function runClaudeSetupToken(cwd) {
+    const env = augmentPathEnv(process.env);
+    if (!commandOk('claude', ['--version'], env)) {
+        return {
+            ok: false,
+            status: null,
+            message: 'Claude Code CLI not found (`claude`). Install from https://claude.ai/code.',
+        };
+    }
+    const r = spawnSync('claude', ['setup-token'], { cwd, stdio: 'inherit', env });
+    const spawnErr = r.error ? r.error.message : null;
+    if (r.status === null && spawnErr) {
+        return { ok: false, status: null, message: spawnErr };
+    }
+    return { ok: r.status === 0, status: r.status, message: r.status !== 0 ? spawnErr : undefined };
+}
+
+/**
+ * Run Codex login in the current terminal. Device auth keeps the flow in-terminal.
+ */
+export function runCodexLogin(cwd) {
+    const env = augmentPathEnv(process.env);
+    if (!commandOk('codex', ['--version'], env)) {
+        return {
+            ok: false,
+            status: null,
+            message: 'Codex CLI not found (`codex`). Install with `npm install -g @openai/codex`.',
+        };
+    }
+    const r = spawnSync('codex', ['login', '--device-auth'], { cwd, stdio: 'inherit', env });
+    const spawnErr = r.error ? r.error.message : null;
+    if (r.status === null && spawnErr) {
+        return { ok: false, status: null, message: spawnErr };
+    }
+    return { ok: r.status === 0, status: r.status, message: r.status !== 0 ? spawnErr : undefined };
+}
+
+function escapeTomlString(value) {
+    return String(value || '').replaceAll('\\', '\\\\').replaceAll('"', '\\"');
+}
+
+function readCodexMcpEnv(cwd) {
+    const config = readText(join(cwd, '.codex', 'config.toml'));
+    const apiUrl = config.match(/^\s*SECURITY_REVIEW_API_URL\s*=\s*"([^"]*)"/m)?.[1] || '';
+    const apiToken = config.match(/^\s*SECURITY_REVIEW_API_TOKEN\s*=\s*"([^"]*)"/m)?.[1] || '';
+    return { apiUrl, apiToken };
+}
+
+export function buildCodexConfigOverrides(cwd, overrides = {}) {
+    const fileValues = readCodexMcpEnv(cwd);
+    const apiUrl = String(overrides.apiUrl || fileValues.apiUrl || '').trim();
+    const apiToken = String(overrides.apiToken || fileValues.apiToken || '').trim();
+
+    if (!apiUrl || !apiToken) {
+        return null;
+    }
+
+    return [
+        'features.codex_hooks=true',
+        `mcp_servers.${MCP_SERVER_NAME}.command="npx"`,
+        `mcp_servers.${MCP_SERVER_NAME}.args=["-y","${MCP_SERVER_PACKAGE}@latest"]`,
+        `mcp_servers.${MCP_SERVER_NAME}.env.SECURITY_REVIEW_API_URL="${escapeTomlString(apiUrl)}"`,
+        `mcp_servers.${MCP_SERVER_NAME}.env.SECURITY_REVIEW_API_TOKEN="${escapeTomlString(apiToken)}"`,
+    ];
+}
+
+export function buildClaudeAdditionalMcpConfig(cwd) {
+    const projectMcp = readJson(join(cwd, '.mcp.json'));
+    const sourceServer = projectMcp?.mcpServers?.[MCP_SERVER_NAME];
+
+    if (!sourceServer || typeof sourceServer !== 'object') {
+        return null;
+    }
+
+    return JSON.stringify({
+        mcpServers: {
+            [MCP_SERVER_NAME]: sourceServer,
+        },
+    });
+}
+
+export function pickProfilerAgentTarget(targets) {
+    for (const t of PREFERRED_ORDER) {
+        if (targets.includes(t)) {
+            return t;
+        }
+    }
+    return null;
+}
+
+/**
+ * Spawn the IDE agent CLI to execute the profiler skill (user must be logged in where required).
+ *
+ * @param {object} opts
+ * @param {boolean} [opts.cursorTrust=true] When true, passes `--trust` and `--approve-mcps` so headless init is not blocked by
+ *   workspace trust or MCP approval (user confirmed profiling in the kit). Set false with `--profiler-no-trust`
+ *   if you need an interactive trust/login/MCP flow in the same terminal.
+ * @param {boolean} [opts.streamProgress=false] When true, pass each CLI’s streaming / verbose flags.
+ * @param {boolean} [opts.showOutput=false] When true, inherit stdio from the child process.
+ *   Keep both false for init-time profiling so the agent does not flood the terminal with JSON/progress logs.
+ */
+export function runProfilerAgent(
+    cwd,
+    {
+        target,
+        projectName,
+        apiUrl,
+        apiToken,
+        modelOverride,
+        extraEnv,
+        cursorTrust = true,
+        streamProgress = false,
+        showOutput = streamProgress,
+    },
+) {
+    const prompt = buildProfilerAgentPrompt(projectName, target);
+    const env = buildProfilerEnv(target, streamProgress, extraEnv);
+    const opts = showOutput
+        ? { cwd, stdio: 'inherit', env }
+        : { cwd, stdio: ['ignore', 'pipe', 'pipe'], env, encoding: 'utf8', maxBuffer: 10 * 1024 * 1024 };
+
+    if (streamProgress) {
+        console.error(
+            '\n[securityreview-kit] Profiler live output: you should see streaming progress below ' +
+                '(JSON lines are normal). Omit --profiler-verbose for minimal output.\n',
+        );
+    }
+
+    if (target === 'cursor') {
+        const bin = resolveCursorAgentExecutable();
+        if (!bin) {
+            return {
+                ok: false,
+                message:
+                    'Cursor Agent CLI not found (`agent` or `cursor-agent`). Install from https://cursor.com/docs/cli/installation and ensure ~/.local/bin exists; run init Step 1b without --skip-ide-cli-install (Node subprocesses get an augmented PATH, but the binary must be installed).',
+            };
+        }
+        const args = ['-p', prompt];
+        if (streamProgress) {
+            args.push('--output-format', 'stream-json', '--stream-partial-output');
+        }
+        if (cursorTrust) {
+            args.push('--trust', '--approve-mcps');
+        }
+        const r = spawnSync(bin, args, opts);
+        if (r.error) {
+            return { ok: false, message: r.error.message };
+        }
+        return buildProfilerResult(r, { logPath: showOutput ? null : persistProfilerLog(cwd, target, r) });
+    }
+
+    if (target === 'claude') {
+        if (!commandOk('claude', ['--version'], env)) {
+            return { ok: false, message: 'claude not on PATH' };
+        }
+        const settingsPath = join(cwd, '.claude', 'settings.json');
+        const mcpConfig = buildClaudeAdditionalMcpConfig(cwd);
+        if (!mcpConfig) {
+            return {
+                ok: false,
+                message:
+                    'Claude profiling needs the SRAI MCP server in .mcp.json. Re-run init with MCP installation enabled.',
+            };
+        }
+        const args = [
+            '-p',
+            '--settings',
+            settingsPath,
+            '--mcp-config',
+            mcpConfig,
+            '--strict-mcp-config',
+            '--permission-mode',
+            'bypassPermissions',
+            '--model',
+            modelOverride || 'haiku',
+        ];
+        if (streamProgress) {
+            args.push('--output-format', 'stream-json', '--include-partial-messages', '--include-hook-events', '--verbose');
+        }
+        args.push(prompt);
+        const r = spawnSync('claude', args, opts);
+        return buildProfilerResult(r, { logPath: showOutput ? null : persistProfilerLog(cwd, target, r) });
+    }
+
+    if (target === 'codex') {
+        if (!commandOk('codex', ['--version'], env)) {
+            return { ok: false, message: 'codex not on PATH' };
+        }
+        const configOverrides = buildCodexConfigOverrides(cwd, { apiUrl, apiToken });
+        if (!configOverrides) {
+            return {
+                ok: false,
+                message:
+                    'Codex profiling needs SRAI MCP credentials. Re-run init with Codex selected and MCP installation enabled.',
+            };
+        }
+        const args = ['exec', '--full-auto'];
+        for (const override of configOverrides) {
+            args.push('-c', override);
+        }
+        if (streamProgress) {
+            args.push('--json');
+        }
+        args.push(prompt);
+        const r = spawnSync('codex', args, opts);
+        return buildProfilerResult(r, { logPath: showOutput ? null : persistProfilerLog(cwd, target, r) });
+    }
+
+    if (target === 'vscode') {
+        if (!commandOk('copilot', ['--version'], env)) {
+            return { ok: false, message: 'copilot not on PATH' };
+        }
+
+        const mcpConfig = buildCopilotAdditionalMcpConfig(cwd);
+        if (!mcpConfig) {
+            return {
+                ok: false,
+                message:
+                    'VS Code MCP config not found for security-review-mcp. Re-run init with MCP installation enabled.',
+            };
+        }
+
+        const args = [
+            '-p',
+            prompt,
+            '--additional-mcp-config',
+            mcpConfig,
+            '--allow-all',
+        ];
+        if (streamProgress) {
+            args.push('--output-format', 'json');
+        }
+        const r = spawnSync('copilot', args, opts);
+        return buildProfilerResult(r, { logPath: showOutput ? null : persistProfilerLog(cwd, target, r) });
+    }
+
+    return { ok: false, message: 'unsupported agent target' };
+}
+
+export function buildCopilotAdditionalMcpConfig(cwd) {
+    const vscodeMcp = readJson(join(cwd, '.vscode', 'mcp.json'));
+    const sourceServer =
+        vscodeMcp?.mcpServers?.[MCP_SERVER_NAME] || vscodeMcp?.servers?.[MCP_SERVER_NAME];
+
+    if (!sourceServer || typeof sourceServer !== 'object') {
+        return null;
+    }
+
+    const server = { ...sourceServer };
+    if (!server.type) {
+        server.type = 'stdio';
+    }
+    if (!Array.isArray(server.tools)) {
+        server.tools = ['*'];
+    }
+
+    return JSON.stringify({
+        mcpServers: {
+            [MCP_SERVER_NAME]: server,
+        },
+    });
+}
+
+function buildProfilerResult(result, extras = {}) {
+    if (result.error) {
+        return { ok: false, status: result.status, message: result.error.message, ...extras };
+    }
+
+    if (result.status === 0) {
+        return { ok: true, status: result.status, ...extras };
+    }
+
+    const outputTail = summarizeProfilerOutput(result.stderr || result.stdout || '');
+    const exitDetail =
+        typeof result.status === 'number'
+            ? `exit status ${result.status}`
+            : result.signal
+              ? `signal ${result.signal}`
+              : 'unknown error';
+
+    return {
+        ok: false,
+        status: result.status,
+        message: outputTail ? `${exitDetail}; last output: ${outputTail}` : exitDetail,
+        ...extras,
+    };
+}
+
+function summarizeProfilerOutput(output) {
+    return String(output || '')
+        .replace(/\u001b\[[0-9;]*m/g, '')
+        .split(/\r?\n/)
+        .map((line) => line.trim())
+        .filter(Boolean)
+        .slice(-3)
+        .join(' | ');
+}

package/src/utils/profiler-agent.test.js

@@ -0,0 +1,81 @@
+import { mkdirSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+import {
+    buildCodexConfigOverrides,
+    buildCopilotAdditionalMcpConfig,
+    buildProfilerAgentPrompt,
+    pickProfilerAgentTarget,
+} from './profiler-agent.js';
+
+test('pickProfilerAgentTarget supports VS Code Copilot', () => {
+    assert.equal(pickProfilerAgentTarget(['vscode']), 'vscode');
+    assert.equal(pickProfilerAgentTarget(['codex', 'vscode']), 'vscode');
+});
+
+test('buildCopilotAdditionalMcpConfig converts VS Code MCP config', () => {
+    const cwd = join(tmpdir(), `securityreview-kit-${Date.now()}`);
+    mkdirSync(join(cwd, '.vscode'), { recursive: true });
+    writeFileSync(
+        join(cwd, '.vscode', 'mcp.json'),
+        JSON.stringify({
+            servers: {
+                'security-review-mcp': {
+                    type: 'stdio',
+                    command: 'npx',
+                    args: ['-y', '@securityreviewai/security-review-mcp@latest'],
+                    env: {
+                        SECURITY_REVIEW_API_URL: 'https://api.example.test',
+                        SECURITY_REVIEW_API_TOKEN: 'token',
+                    },
+                },
+            },
+        }),
+    );
+
+    const converted = JSON.parse(buildCopilotAdditionalMcpConfig(cwd));
+
+    assert.deepEqual(Object.keys(converted.mcpServers), ['security-review-mcp']);
+    assert.equal(converted.mcpServers['security-review-mcp'].command, 'npx');
+    assert.deepEqual(converted.mcpServers['security-review-mcp'].tools, ['*']);
+});
+
+test('buildCodexConfigOverrides builds inline MCP config for profiling', () => {
+    const cwd = join(tmpdir(), `securityreview-kit-codex-${Date.now()}`);
+    mkdirSync(join(cwd, '.codex'), { recursive: true });
+    writeFileSync(
+        join(cwd, '.codex', 'config.toml'),
+        [
+            '[features]',
+            'codex_hooks = true',
+            '',
+            '[mcp_servers.security-review-mcp]',
+            'command = "npx"',
+            'args = ["-y", "@securityreviewai/security-review-mcp@latest"]',
+            '',
+            '[mcp_servers.security-review-mcp.env]',
+            'SECURITY_REVIEW_API_URL = "https://api.example.test"',
+            'SECURITY_REVIEW_API_TOKEN = "token"',
+            '',
+        ].join('\n'),
+    );
+
+    const overrides = buildCodexConfigOverrides(cwd);
+
+    assert.deepEqual(overrides, [
+        'features.codex_hooks=true',
+        'mcp_servers.security-review-mcp.command="npx"',
+        'mcp_servers.security-review-mcp.args=["-y","@securityreviewai/security-review-mcp@latest"]',
+        'mcp_servers.security-review-mcp.env.SECURITY_REVIEW_API_URL="https://api.example.test"',
+        'mcp_servers.security-review-mcp.env.SECURITY_REVIEW_API_TOKEN="token"',
+    ]);
+});
+
+test('buildProfilerAgentPrompt only instructs writing the guardrails profile under .guardrails', () => {
+    const prompt = buildProfilerAgentPrompt('demo-project', 'codex');
+
+    assert.match(prompt, /Write \.guardrails\/profile\.json as defined in the skill\./);
+    assert.doesNotMatch(prompt, /profile\.json at the repository root/);
+});