@securityreviewai/securityreview-kit 0.1.51 → 0.1.52

package/src/generators/rules/guardrails-profiler/references/signal-registry.json

@@ -0,0 +1,514 @@
+{
+  "_doc": "Maps filesystem signals to guardrail pack IDs. Each entry defines what to look for and which pack to activate.",
+
+  "universal": {
+    "_doc": "Always included regardless of detection",
+    "packs": ["owasp-asvs"]
+  },
+
+  "mobile_universal": {
+    "_doc": "Included when any mobile platform is detected",
+    "trigger_packs": ["flutter", "react-native", "swift", "objective-c", "kotlin"],
+    "packs": ["owasp-masvs"]
+  },
+
+  "languages": {
+    "typescript": {
+      "manifest_files": ["tsconfig.json", "tsconfig.base.json"],
+      "file_extensions": [".ts", ".tsx"],
+      "pack": "typescript"
+    },
+    "nodejs": {
+      "manifest_files": ["package.json"],
+      "file_extensions": [".js", ".mjs", ".cjs"],
+      "pack": "nodejs"
+    },
+    "python": {
+      "manifest_files": ["requirements.txt", "pyproject.toml", "setup.py", "setup.cfg", "Pipfile", "poetry.lock"],
+      "file_extensions": [".py"],
+      "pack": null,
+      "_note": "Python has no standalone pack; frameworks (django, flask, fastapi) cover it"
+    },
+    "go": {
+      "manifest_files": ["go.mod", "go.sum"],
+      "file_extensions": [".go"],
+      "pack": "go"
+    },
+    "java": {
+      "manifest_files": ["pom.xml", "build.gradle", "build.gradle.kts", "settings.gradle", "settings.gradle.kts"],
+      "file_extensions": [".java"],
+      "pack": null,
+      "_note": "Java framework packs (spring-boot, java-ee) are more specific"
+    },
+    "kotlin": {
+      "manifest_files": ["build.gradle.kts"],
+      "file_extensions": [".kt", ".kts"],
+      "dependency_signals": { "build.gradle.kts": ["kotlin"] },
+      "pack": "kotlin"
+    },
+    "php": {
+      "manifest_files": ["composer.json", "composer.lock"],
+      "file_extensions": [".php"],
+      "pack": "php"
+    },
+    "ruby": {
+      "manifest_files": ["Gemfile", "Gemfile.lock"],
+      "file_extensions": [".rb"],
+      "pack": null,
+      "_note": "Ruby framework pack (ruby-on-rails) is more specific"
+    },
+    "rust": {
+      "manifest_files": ["Cargo.toml", "Cargo.lock"],
+      "file_extensions": [".rs"],
+      "pack": "rust"
+    },
+    "c": {
+      "file_extensions": [".c", ".h"],
+      "manifest_files": ["CMakeLists.txt", "Makefile"],
+      "pack": "c"
+    },
+    "cpp": {
+      "file_extensions": [".cpp", ".cxx", ".cc", ".hpp", ".hxx"],
+      "manifest_files": ["CMakeLists.txt"],
+      "pack": "cpp"
+    },
+    "swift": {
+      "manifest_files": ["Package.swift"],
+      "file_extensions": [".swift"],
+      "config_files": ["*.xcodeproj", "*.xcworkspace"],
+      "pack": "swift"
+    },
+    "objective-c": {
+      "file_extensions": [".m", ".mm"],
+      "pack": "objective-c"
+    },
+    "groovy": {
+      "file_extensions": [".groovy"],
+      "pack": "groovy"
+    },
+    "csharp": {
+      "manifest_files": ["*.csproj", "*.sln"],
+      "file_extensions": [".cs"],
+      "pack": null,
+      "_note": "C# framework pack (dotnet-aspnet-core) is more specific"
+    }
+  },
+
+  "frameworks": {
+    "express": {
+      "ecosystem": "nodejs",
+      "dependency_signals": { "package.json": ["express"] },
+      "pack": "express"
+    },
+    "fastify": {
+      "ecosystem": "nodejs",
+      "dependency_signals": { "package.json": ["fastify"] },
+      "pack": "fastify"
+    },
+    "honojs": {
+      "ecosystem": "nodejs",
+      "dependency_signals": { "package.json": ["hono"] },
+      "pack": "honojs"
+    },
+    "nestjs": {
+      "ecosystem": "nodejs",
+      "dependency_signals": { "package.json": ["@nestjs/core"] },
+      "config_files": ["nest-cli.json"],
+      "pack": "nestjs"
+    },
+    "nextjs": {
+      "ecosystem": "nodejs",
+      "dependency_signals": { "package.json": ["next"] },
+      "config_files": ["next.config.js", "next.config.mjs", "next.config.ts"],
+      "pack": "nextjs"
+    },
+    "react": {
+      "ecosystem": "nodejs",
+      "dependency_signals": { "package.json": ["react", "react-dom"] },
+      "pack": "react"
+    },
+    "angular": {
+      "ecosystem": "nodejs",
+      "dependency_signals": { "package.json": ["@angular/core"] },
+      "config_files": ["angular.json"],
+      "pack": "angular"
+    },
+    "vuejs": {
+      "ecosystem": "nodejs",
+      "dependency_signals": { "package.json": ["vue"] },
+      "config_files": ["vue.config.js", "vite.config.ts", "nuxt.config.ts"],
+      "pack": "vuejs"
+    },
+    "electron": {
+      "ecosystem": "nodejs",
+      "dependency_signals": { "package.json": ["electron"] },
+      "pack": "electron"
+    },
+    "react-native": {
+      "ecosystem": "nodejs",
+      "dependency_signals": { "package.json": ["react-native"] },
+      "pack": "react-native"
+    },
+    "django": {
+      "ecosystem": "python",
+      "dependency_signals": {
+        "requirements.txt": ["django", "Django"],
+        "pyproject.toml": ["django", "Django"],
+        "Pipfile": ["django", "Django"]
+      },
+      "config_files": ["manage.py"],
+      "directory_signals": ["*/settings.py", "*/wsgi.py"],
+      "pack": "django"
+    },
+    "flask": {
+      "ecosystem": "python",
+      "dependency_signals": {
+        "requirements.txt": ["flask", "Flask"],
+        "pyproject.toml": ["flask", "Flask"]
+      },
+      "pack": "flask"
+    },
+    "fastapi": {
+      "ecosystem": "python",
+      "dependency_signals": {
+        "requirements.txt": ["fastapi"],
+        "pyproject.toml": ["fastapi"]
+      },
+      "pack": "fastapi"
+    },
+    "java-spring-boot": {
+      "ecosystem": "java",
+      "dependency_signals": {
+        "pom.xml": ["spring-boot-starter"],
+        "build.gradle": ["org.springframework.boot"]
+      },
+      "pack": "java-spring-boot"
+    },
+    "spring-security": {
+      "ecosystem": "java",
+      "dependency_signals": {
+        "pom.xml": ["spring-boot-starter-security", "spring-security"],
+        "build.gradle": ["spring-boot-starter-security", "spring-security"]
+      },
+      "pack": "spring-security"
+    },
+    "java-ee": {
+      "ecosystem": "java",
+      "dependency_signals": {
+        "pom.xml": ["javax.servlet", "jakarta.servlet", "javax.enterprise", "jakarta.enterprise"],
+        "build.gradle": ["javax.servlet", "jakarta.servlet"]
+      },
+      "config_files": ["web.xml"],
+      "pack": "java-ee"
+    },
+    "ruby-on-rails": {
+      "ecosystem": "ruby",
+      "dependency_signals": { "Gemfile": ["rails"] },
+      "config_files": ["config/routes.rb", "config/application.rb"],
+      "pack": "ruby-on-rails"
+    },
+    "laravel": {
+      "ecosystem": "php",
+      "dependency_signals": { "composer.json": ["laravel/framework"] },
+      "config_files": ["artisan"],
+      "directory_signals": ["app/Http/Controllers"],
+      "pack": "laravel"
+    },
+    "symfony": {
+      "ecosystem": "php",
+      "dependency_signals": { "composer.json": ["symfony/framework-bundle"] },
+      "config_files": ["config/bundles.php", "symfony.lock"],
+      "pack": "symfony"
+    },
+    "dotnet-aspnet-core": {
+      "ecosystem": "csharp",
+      "dependency_signals": { "*.csproj": ["Microsoft.AspNetCore"] },
+      "config_files": ["Program.cs", "Startup.cs", "appsettings.json"],
+      "pack": "dotnet-aspnet-core"
+    },
+    "flutter": {
+      "ecosystem": "dart",
+      "manifest_files": ["pubspec.yaml"],
+      "dependency_signals": { "pubspec.yaml": ["flutter"] },
+      "pack": "flutter"
+    },
+    "apollo-graphql": {
+      "ecosystem": "nodejs",
+      "dependency_signals": { "package.json": ["@apollo/server", "apollo-server", "apollo-server-express"] },
+      "pack": "apollo-graphql"
+    }
+  },
+
+  "auth_identity": {
+    "jwt": {
+      "dependency_signals": {
+        "package.json": ["jsonwebtoken", "jose", "@auth/core"],
+        "requirements.txt": ["pyjwt", "python-jose"],
+        "pyproject.toml": ["pyjwt", "python-jose"],
+        "Gemfile": ["jwt"],
+        "pom.xml": ["jjwt", "nimbus-jose-jwt"]
+      },
+      "pack": "jwt"
+    },
+    "oauth-oidc": {
+      "dependency_signals": {
+        "package.json": ["openid-client", "passport-oauth2", "oauth4webapi"],
+        "requirements.txt": ["authlib", "oauthlib"],
+        "pyproject.toml": ["authlib", "oauthlib"]
+      },
+      "pack": "oauth-oidc"
+    },
+    "auth0": {
+      "dependency_signals": {
+        "package.json": ["@auth0/nextjs-auth0", "auth0", "express-openid-connect"],
+        "requirements.txt": ["auth0-python"],
+        "pyproject.toml": ["auth0-python"]
+      },
+      "pack": "auth0"
+    },
+    "okta": {
+      "dependency_signals": {
+        "package.json": ["@okta/okta-sdk-nodejs", "@okta/oidc-middleware"],
+        "pom.xml": ["okta-spring-boot-starter"]
+      },
+      "pack": "okta"
+    },
+    "keycloak": {
+      "dependency_signals": {
+        "package.json": ["keycloak-connect", "keycloak-js"],
+        "pom.xml": ["keycloak-spring-boot-starter"]
+      },
+      "config_files": ["keycloak.json"],
+      "pack": "keycloak"
+    }
+  },
+
+  "ai_agent": {
+    "langchain": {
+      "dependency_signals": {
+        "requirements.txt": ["langchain"],
+        "pyproject.toml": ["langchain"],
+        "package.json": ["langchain"]
+      },
+      "pack": "langchain"
+    },
+    "langgraph": {
+      "dependency_signals": {
+        "requirements.txt": ["langgraph"],
+        "pyproject.toml": ["langgraph"]
+      },
+      "pack": "langgraph"
+    },
+    "llamaindex": {
+      "dependency_signals": {
+        "requirements.txt": ["llama-index", "llama_index"],
+        "pyproject.toml": ["llama-index", "llama_index"]
+      },
+      "pack": "llamaindex"
+    },
+    "crewai": {
+      "dependency_signals": {
+        "requirements.txt": ["crewai"],
+        "pyproject.toml": ["crewai"]
+      },
+      "pack": "crewai"
+    },
+    "mastra": {
+      "dependency_signals": {
+        "package.json": ["@mastra/core", "mastra"]
+      },
+      "pack": "mastra"
+    },
+    "ai-sdk": {
+      "dependency_signals": {
+        "package.json": ["ai", "@ai-sdk/openai", "@ai-sdk/anthropic"]
+      },
+      "pack": "ai-sdk"
+    },
+    "claude-agent-sdk": {
+      "dependency_signals": {
+        "package.json": ["@anthropic-ai/sdk"],
+        "requirements.txt": ["anthropic"],
+        "pyproject.toml": ["anthropic"]
+      },
+      "pack": "claude-agent-sdk"
+    },
+    "openai-agents-sdk": {
+      "dependency_signals": {
+        "package.json": ["openai"],
+        "requirements.txt": ["openai"],
+        "pyproject.toml": ["openai"]
+      },
+      "pack": "openai-agents-sdk"
+    },
+    "mcp": {
+      "dependency_signals": {
+        "package.json": ["@modelcontextprotocol/sdk"],
+        "requirements.txt": ["mcp"],
+        "pyproject.toml": ["mcp"]
+      },
+      "pack": "mcp"
+    }
+  },
+
+  "infrastructure": {
+    "docker": {
+      "config_files": ["Dockerfile", "docker-compose.yml", "docker-compose.yaml", ".dockerignore"],
+      "pack": "docker"
+    },
+    "kubernetes": {
+      "config_files": ["helmfile.yaml", "Chart.yaml", "kustomization.yaml"],
+      "directory_signals": ["k8s/", "kubernetes/", "helm/"],
+      "content_signals": { "*.yaml": ["apiVersion", "kind: Deployment", "kind: Service", "kind: Pod"] },
+      "pack": "kubernetes"
+    },
+    "terraform-aws": {
+      "file_extensions": [".tf"],
+      "content_signals": { "*.tf": ["provider \"aws\"", "aws_"] },
+      "pack": "terraform-aws"
+    },
+    "terraform-azure": {
+      "file_extensions": [".tf"],
+      "content_signals": { "*.tf": ["provider \"azurerm\"", "azurerm_"] },
+      "pack": "terraform-azure"
+    },
+    "terraform-gcp": {
+      "file_extensions": [".tf"],
+      "content_signals": { "*.tf": ["provider \"google\"", "google_"] },
+      "pack": "terraform-gcp"
+    },
+    "cloudformation": {
+      "content_signals": { "*.yaml": ["AWSTemplateFormatVersion"], "*.json": ["AWSTemplateFormatVersion"] },
+      "config_files": ["template.yaml", "template.json", "samconfig.toml"],
+      "pack": "cloudformation"
+    },
+    "nginx": {
+      "config_files": ["nginx.conf"],
+      "directory_signals": ["nginx/"],
+      "pack": "nginx"
+    }
+  },
+
+  "ci_cd": {
+    "github-actions": {
+      "directory_signals": [".github/workflows/"],
+      "pack": "github-actions"
+    },
+    "jenkins-pipeline": {
+      "config_files": ["Jenkinsfile"],
+      "pack": "jenkins-pipeline"
+    },
+    "argocd": {
+      "config_files": ["argocd-cm.yaml"],
+      "content_signals": { "*.yaml": ["argoproj.io"] },
+      "pack": "argocd"
+    }
+  },
+
+  "cloud_compute": {
+    "aws-lambda": {
+      "config_files": ["serverless.yml", "serverless.yaml", "serverless.ts", "sam.yaml", "samconfig.toml"],
+      "content_signals": {
+        "serverless.yml": ["provider:", "aws"],
+        "template.yaml": ["AWS::Serverless::Function", "AWS::Lambda::Function"]
+      },
+      "pack": "aws-lambda"
+    },
+    "azure-functions": {
+      "config_files": ["host.json", "local.settings.json"],
+      "directory_signals": ["function_app.py"],
+      "pack": "azure-functions"
+    },
+    "gcp-cloud-run": {
+      "config_files": ["app.yaml", "cloudbuild.yaml"],
+      "content_signals": { "*.yaml": ["gcr.io", "run.googleapis.com"] },
+      "pack": "gcp-cloud-run"
+    }
+  },
+
+  "databases": {
+    "mongodb": {
+      "dependency_signals": {
+        "package.json": ["mongoose", "mongodb"],
+        "requirements.txt": ["pymongo", "motor", "mongoengine"],
+        "pyproject.toml": ["pymongo", "motor"],
+        "Gemfile": ["mongoid"]
+      },
+      "pack": "mongodb"
+    },
+    "postgresql": {
+      "dependency_signals": {
+        "package.json": ["pg", "knex", "prisma", "typeorm", "sequelize"],
+        "requirements.txt": ["psycopg2", "asyncpg", "sqlalchemy"],
+        "pyproject.toml": ["psycopg2", "asyncpg", "sqlalchemy"],
+        "Gemfile": ["pg"],
+        "pom.xml": ["postgresql"]
+      },
+      "pack": "postgresql"
+    },
+    "mysql-mariadb": {
+      "dependency_signals": {
+        "package.json": ["mysql2", "mysql"],
+        "requirements.txt": ["mysqlclient", "pymysql", "aiomysql"],
+        "pyproject.toml": ["mysqlclient", "pymysql"],
+        "pom.xml": ["mysql-connector-java"]
+      },
+      "pack": "mysql-mariadb"
+    },
+    "redis": {
+      "dependency_signals": {
+        "package.json": ["redis", "ioredis"],
+        "requirements.txt": ["redis", "aioredis"],
+        "pyproject.toml": ["redis"],
+        "Gemfile": ["redis"]
+      },
+      "pack": "redis"
+    }
+  },
+
+  "messaging": {
+    "kafka": {
+      "dependency_signals": {
+        "package.json": ["kafkajs"],
+        "requirements.txt": ["confluent-kafka", "aiokafka"],
+        "pyproject.toml": ["confluent-kafka"],
+        "pom.xml": ["kafka-clients", "spring-kafka"]
+      },
+      "pack": "kafka"
+    },
+    "rabbitmq": {
+      "dependency_signals": {
+        "package.json": ["amqplib"],
+        "requirements.txt": ["pika", "aio-pika"],
+        "pyproject.toml": ["pika"],
+        "pom.xml": ["spring-boot-starter-amqp"]
+      },
+      "pack": "rabbitmq"
+    }
+  },
+
+  "api_protocols": {
+    "grpc": {
+      "dependency_signals": {
+        "package.json": ["@grpc/grpc-js"],
+        "requirements.txt": ["grpcio"],
+        "pyproject.toml": ["grpcio"],
+        "pom.xml": ["grpc-netty"]
+      },
+      "file_extensions": [".proto"],
+      "pack": "grpc"
+    },
+    "websockets": {
+      "dependency_signals": {
+        "package.json": ["ws", "socket.io"],
+        "requirements.txt": ["websockets"],
+        "pyproject.toml": ["websockets"]
+      },
+      "pack": "websockets"
+    },
+    "openapi-rest-api": {
+      "config_files": ["openapi.yaml", "openapi.json", "swagger.yaml", "swagger.json"],
+      "pack": "openapi-rest-api"
+    }
+  }
+}

package/{templates/shared/guardrails-selection.md → src/generators/rules/guardrails-selection/SKILL.md}

@@ -1,6 +1,6 @@
 ---
 name: guardrails-selection
-description: Analyze the developer request, infer the security categories and likely threats involved, shortlist the most relevant project guardrails, then preserve the exact returned guardrail records before implementation. Use for every security-relevant code task before code is written and preserve the shortlist for the final VibeReview sync.
+description: Analyze the developer request, infer the security categories and likely threats involved, shortlist the most relevant project guardrails, then hydrate the exact guardrails with get_guardrail_by_id before implementation. Use for every security-relevant code task before code is written and preserve the shortlist for the final VibeReview sync.
 ---
 
 # Guardrails Selection
@@ -9,15 +9,13 @@ Configured SRAI project name: `<SRAI_PROJECT_NAME>`
 
 Use this skill whenever code will be created or modified and the task has any security surface.
 
-This skill is a hard pre-write gate. Do not write, edit, patch, or generate implementation code until this skill has produced the active guardrail shortlist and the PWNISMS skill has used that shortlist for threat modelling.
-
 This skill exists to stop the IDE from treating the full `get_guardrails` result as an unstructured blob. The workflow is:
 
 1. Understand the request deeply.
 2. Infer which security categories are in play.
 3. Predict the threats that might occur for this exact task.
 4. Shortlist only the guardrails that mitigate those threats.
-5. Preserve the exact shortlisted guardrails returned by the project guardrail bundle.
+5. Fetch the exact shortlisted guardrails with `get_guardrail_by_id`.
 6. Carry that same shortlist forward into implementation and the final VibeReview markdown sync.
 
 Do not skip the analysis step. Do not rely on title-matching alone. Do not dump every guardrail into the final answer.
@@ -96,7 +94,7 @@ The shortlist should be threat-led, not catalog-led.
 1. Call `find_project_by_name` with `name="<SRAI_PROJECT_NAME>"` to obtain `project_id`.
 2. Call `get_guardrails` with `project_id`.
 
-Treat `get_guardrails` as the broad project catalog. Do not treat the whole catalog as the final set of instructions. The returned entries are already the authoritative guardrail records for this project; shortlist from those exact records and preserve their ids, titles, rule types, categories, and instructions.
+Treat `get_guardrails` as the broad catalog. Do not treat it as the final set of instructions.
 
 Assume each returned guardrail includes the fields needed for selection, including a stable identifier for follow-up retrieval, plus:
 
@@ -126,11 +124,15 @@ Examples:
 - If the task introduces parsing, uploads, template expansion, or object hydration, prioritize input validation, file handling, deserialization, and denial-of-service guardrails.
 - If the task moves security decisions into the browser or mobile client, prioritize client-side trust, token storage, server-side revalidation, and privilege-boundary guardrails.
 
-### Step 3: Preserve exact shortlisted guardrails
+### Step 3: Hydrate exact shortlisted guardrails
+
+For every shortlisted existing guardrail, call `get_guardrail_by_id` to retrieve the exact guardrail that will govern implementation.
 
-For every shortlisted existing guardrail, preserve the exact guardrail record returned by `get_guardrails`.
+- Use `get_guardrail_by_id` for the shortlisted ids only.
+- If the tool supports batching, batch the shortlisted ids.
+- If the tool only supports one id at a time, call it once per shortlisted id.
 
-Implementation must be driven by that exact shortlist, not by vague memory from the broad catalog listing. Do not re-query guardrails after implementation starts unless the shortlist is missing or the task scope materially changes.
+Implementation must be driven by the hydrated shortlist from `get_guardrail_by_id`, not by vague memory from the broad catalog listing.
 
 ### Step 4: Track the active shortlist in context
 
@@ -149,7 +151,7 @@ This shortlist is the source of truth for the rest of the session.
 
 ## Implementation Rules
 
-Once the exact shortlist is preserved:
+Once the shortlist is hydrated:
 
 - Every applicable `must` guardrail is mandatory.
 - Every applicable `must_not` guardrail is a hard prohibition.
@@ -160,7 +162,7 @@ When deciding whether a guardrail applies, prefer security-preserving inclusion
 
 ## VibeReview Sync Contract
 
-The final sync step must reuse the shortlist from this skill. It must not call `get_guardrails` again unless the task scope materially changed.
+The final sync step must reuse the shortlist from this skill. It must not call `get_guardrails` or `get_guardrail_by_id` again.
 
 Before `sync_ai_ide_markdown` is called, ensure the main agent context clearly contains: