securityreview-kit 0.1.0

package/README.md

@@ -0,0 +1,78 @@
+# securityreview-kit
+
+> Bootstrap [security-review-mcp](https://www.npmjs.com/package/security-review-mcp) for AI IDEs and CLI tools in one command.
+
+**securityreview-kit** configures the SRAI security review MCP server and installs workspace rules so your AI assistant consults security threat models and countermeasures *before* generating code.
+
+## Quick Start
+
+```bash
+# Interactive mode (recommended)
+npx securityreview-kit init
+
+# Or specify targets directly
+npx securityreview-kit init --target cursor --api-url https://api.example.com --api-key YOUR_TOKEN
+
+# Install for multiple targets
+npx securityreview-kit init --target cursor claude vscode
+
+# Install for all supported targets
+npx securityreview-kit init --all --api-url https://api.example.com --api-key YOUR_TOKEN
+```
+
+## Supported Targets
+
+| Target | Flag | MCP Config | Workspace Rule |
+|---|---|---|---|
+| Cursor | `cursor` | `.cursor/mcp.json` | `.cursor/rules/srai-security-review.mdc` |
+| Claude Code | `claude` | `.claude/settings.json` | `CLAUDE.md` |
+| VS Code Copilot | `vscode` | `.vscode/mcp.json` | `.github/copilot-instructions.md` |
+| Windsurf | `windsurf` | `.windsurf/mcp_config.json` | `.windsurf/rules/srai-security-review.md` |
+| Codex | `codex` | `.codex/config.toml` | `AGENTS.md` |
+| Gemini CLI | `gemini` | `.gemini/settings.json` | `GEMINI.md` |
+| Antigravity | `antigravity` | `.gemini/settings.json` | `GEMINI.md` |
+
+## Commands
+
+### `securityreview-kit init`
+
+Configure security-review-mcp for your IDE/CLI. Runs interactively when no flags are provided.
+
+```
+Options:
+  -t, --target <name...>  Target IDE/CLI (cursor, claude, vscode, windsurf, codex, gemini, antigravity)
+  -a, --all               Install for all supported targets
+  --api-url <url>         SRAI API URL (or set SECURITY_REVIEW_API_URL env var)
+  --api-key <token>       SRAI API Token (or set SECURITY_REVIEW_API_TOKEN env var)
+  --skip-mcp              Skip MCP server config installation
+  --skip-rules            Skip workspace rule installation
+```
+
+### `securityreview-kit status`
+
+Show current configuration status for all supported targets in the workspace.
+
+## Environment Variables
+
+| Variable | Description |
+|---|---|
+| `SECURITY_REVIEW_API_URL` | SRAI platform API endpoint |
+| `SECURITY_REVIEW_API_TOKEN` | Your SRAI API token |
+
+These can be provided via CLI flags, environment variables, or interactive prompts.
+
+## What Gets Installed
+
+**MCP Server Config** — tells your IDE how to launch the `security-review-mcp` server via `npx`.
+
+**Workspace Rules** — instructs the AI assistant to consult SRAI threat models and countermeasures before generating security-relevant code. The rules trigger on changes involving authentication, data handling, API endpoints, cryptography, infrastructure, and third-party integrations.
+
+## How It Works
+
+1. Run `securityreview-kit init`
+2. Select your IDE/CLI target(s)
+3. Enter your SRAI credentials
+4. The tool creates/merges MCP config and workspace rule files
+5. Your AI assistant now has access to SRAI security reviews
+
+The tool is **idempotent** — running it multiple times safely updates existing configs without duplicating content.

package/bin/securityreview-kit.js

@@ -0,0 +1,5 @@
+#!/usr/bin/env node
+
+import { run } from '../src/cli.js';
+
+run();

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "securityreview-kit",
+  "version": "0.1.0",
+  "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
+  "author": "Debarshi Das <debarshi.das@we45.com>",
+  "license": "UNLICENSED",
+  "type": "module",
+  "bin": {
+    "securityreview-kit": "./bin/securityreview-kit.js"
+  },
+  "files": [
+    "bin/",
+    "src/",
+    "README.md"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "scripts": {
+    "test": "node --test src/**/*.test.js",
+    "start": "node bin/securityreview-kit.js"
+  },
+  "keywords": [
+    "security",
+    "mcp",
+    "security-review",
+    "srai",
+    "ai-ide",
+    "cursor",
+    "claude",
+    "codex",
+    "gemini",
+    "windsurf",
+    "vscode"
+  ],
+  "dependencies": {
+    "chalk": "^5.4.0",
+    "commander": "^13.0.0",
+    "inquirer": "^12.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}

package/src/cli.js

@@ -0,0 +1,47 @@
+import { Command } from 'commander';
+import { initCommand } from './commands/init.js';
+import { statusCommand } from './commands/status.js';
+import { TARGET_NAMES } from './utils/constants.js';
+
+export function run() {
+    const program = new Command();
+
+    program
+        .name('securityreview-kit')
+        .description('Bootstrap security-review-mcp for AI IDEs and CLI tools')
+        .version('0.1.0');
+
+    program
+        .command('init')
+        .description('Configure security-review-mcp for your IDE / CLI tool')
+        .option(
+            '-t, --target <name...>',
+            `Target IDE/CLI (${TARGET_NAMES.join(', ')}). Omit for interactive mode.`,
+        )
+        .option('-a, --all', 'Install for all supported targets')
+        .option('--api-url <url>', 'SRAI API URL (or set SECURITY_REVIEW_API_URL env var)')
+        .option('--api-key <token>', 'SRAI API Token (or set SECURITY_REVIEW_API_TOKEN env var)')
+        .option('--skip-mcp', 'Skip MCP server config installation')
+        .option('--skip-rules', 'Skip workspace rule installation')
+        .action(async (options) => {
+            try {
+                await initCommand(options);
+            } catch (err) {
+                if (err.name === 'ExitPromptError') {
+                    // User cancelled interactive prompt
+                    console.log('\n  Cancelled.\n');
+                    process.exit(0);
+                }
+                throw err;
+            }
+        });
+
+    program
+        .command('status')
+        .description('Show current security-review-mcp configuration status')
+        .action(async () => {
+            await statusCommand();
+        });
+
+    program.parse();
+}

package/src/commands/init.js

@@ -0,0 +1,225 @@
+import chalk from 'chalk';
+import { input, select, checkbox, confirm } from '@inquirer/prompts';
+import { TARGETS, TARGET_NAMES } from '../utils/constants.js';
+import { detectTargets } from '../utils/detect.js';
+
+// Dynamic imports for generators (avoids loading all at startup)
+const mcpGenerators = {
+    cursor: () => import('../generators/mcp/cursor.js'),
+    claude: () => import('../generators/mcp/claude.js'),
+    vscode: () => import('../generators/mcp/vscode.js'),
+    windsurf: () => import('../generators/mcp/windsurf.js'),
+    codex: () => import('../generators/mcp/codex.js'),
+    gemini: () => import('../generators/mcp/gemini.js'),
+    antigravity: () => import('../generators/mcp/gemini.js'),
+};
+
+const ruleGenerators = {
+    cursor: () => import('../generators/rules/cursor.js'),
+    claude: () => import('../generators/rules/claude.js'),
+    vscode: () => import('../generators/rules/vscode.js'),
+    windsurf: () => import('../generators/rules/windsurf.js'),
+    codex: () => import('../generators/rules/codex.js'),
+    gemini: () => import('../generators/rules/gemini.js'),
+    antigravity: () => import('../generators/rules/antigravity.js'),
+};
+
+/**
+ * Resolve environment variables from flags, env, or interactive prompt.
+ */
+async function resolveEnvVars(options, interactive) {
+    let apiUrl = options.apiUrl || process.env.SECURITY_REVIEW_API_URL || '';
+    let apiToken = options.apiKey || process.env.SECURITY_REVIEW_API_TOKEN || '';
+
+    if (interactive) {
+        if (!apiUrl) {
+            apiUrl = await input({
+                message: '🔗 SRAI API URL:',
+                default: 'https://api.securityreview.ai',
+                validate: (v) => (v.startsWith('http') ? true : 'Must be a valid URL'),
+            });
+        } else {
+            console.log(chalk.dim(`  API URL: ${apiUrl} (from env/flags)`));
+        }
+
+        if (!apiToken) {
+            apiToken = await input({
+                message: '🔑 SRAI API Token:',
+                validate: (v) => (v.length > 0 ? true : 'Token is required'),
+            });
+        } else {
+            console.log(chalk.dim(`  API Token: ${'•'.repeat(8)} (from env/flags)`));
+        }
+    } else {
+        if (!apiUrl || !apiToken) {
+            console.log(
+                chalk.yellow(
+                    '⚠  Missing credentials. Set SECURITY_REVIEW_API_URL and SECURITY_REVIEW_API_TOKEN\n' +
+                    '   environment variables, pass --api-url and --api-key flags, or run in interactive mode.',
+                ),
+            );
+            process.exit(1);
+        }
+    }
+
+    return { apiUrl, apiToken };
+}
+
+/**
+ * Resolve targets from flags or interactive prompt.
+ */
+async function resolveTargets(options, interactive, cwd) {
+    // Flag mode: explicit target(s)
+    if (options.target) {
+        const targets = Array.isArray(options.target) ? options.target : [options.target];
+        for (const t of targets) {
+            if (!TARGET_NAMES.includes(t)) {
+                console.log(chalk.red(`✗ Unknown target: ${t}`));
+                console.log(chalk.dim(`  Valid targets: ${TARGET_NAMES.join(', ')}`));
+                process.exit(1);
+            }
+        }
+        return targets;
+    }
+
+    if (options.all) {
+        return [...TARGET_NAMES];
+    }
+
+    if (!interactive) {
+        console.log(chalk.red('✗ No target specified. Use --target <name> or --all.'));
+        process.exit(1);
+    }
+
+    // Interactive: detect and offer choices
+    const detected = detectTargets(cwd);
+
+    console.log('');
+    if (detected.length > 0) {
+        console.log(
+            chalk.dim(`  Detected IDEs in workspace: ${detected.map((d) => TARGETS[d].name).join(', ')}`),
+        );
+    }
+
+    const selected = await checkbox({
+        message: '🎯 Select target IDE(s) / CLI(s) to configure:',
+        choices: TARGET_NAMES.map((key) => ({
+            name: `${TARGETS[key].name}`,
+            value: key,
+            checked: detected.includes(key),
+        })),
+        validate: (v) => (v.length > 0 ? true : 'Select at least one target'),
+    });
+
+    return selected;
+}
+
+/**
+ * Main init command handler.
+ */
+export async function initCommand(options) {
+    const cwd = process.cwd();
+    const interactive = !options.target && !options.all;
+
+    // Banner
+    console.log('');
+    console.log(chalk.bold.cyan('  ╔══════════════════════════════════════╗'));
+    console.log(chalk.bold.cyan('  ║') + chalk.bold('   🛡️  Security Review Kit — Init  ') + chalk.bold.cyan('   ║'));
+    console.log(chalk.bold.cyan('  ╚══════════════════════════════════════╝'));
+    console.log('');
+
+    if (interactive) {
+        console.log(chalk.dim('  Interactive setup — follow the prompts below.\n'));
+    }
+
+    // Step 1: Resolve targets
+    console.log(chalk.bold.white('  Step 1 of 3: Select Targets'));
+    console.log(chalk.dim('  ─────────────────────────────────'));
+    const targets = await resolveTargets(options, interactive, cwd);
+    console.log(chalk.green(`  ✓ Targets: ${targets.map((t) => TARGETS[t].name).join(', ')}`));
+    console.log('');
+
+    // Step 2: Resolve credentials
+    console.log(chalk.bold.white('  Step 2 of 3: SRAI Credentials'));
+    console.log(chalk.dim('  ─────────────────────────────────'));
+    const envVars = await resolveEnvVars(options, interactive);
+    console.log(chalk.green('  ✓ Credentials configured'));
+    console.log('');
+
+    // Step 3: What to install
+    let installMcp = !options.skipMcp;
+    let installRules = !options.skipRules;
+
+    if (interactive) {
+        console.log(chalk.bold.white('  Step 3 of 3: Installation Options'));
+        console.log(chalk.dim('  ─────────────────────────────────'));
+        installMcp = await confirm({
+            message: '📡 Install MCP server configuration?',
+            default: true,
+        });
+        installRules = await confirm({
+            message: '📋 Install workspace security rules?',
+            default: true,
+        });
+    }
+
+    if (!installMcp && !installRules) {
+        console.log(chalk.yellow('  ⚠  Nothing to install. Exiting.'));
+        return;
+    }
+
+    console.log('');
+    console.log(chalk.bold.white('  Installing...'));
+    console.log(chalk.dim('  ─────────────────────────────────'));
+
+    const results = [];
+
+    for (const target of targets) {
+        const targetInfo = TARGETS[target];
+        console.log('');
+        console.log(chalk.bold(`  ${targetInfo.name}`));
+
+        if (installMcp) {
+            try {
+                const gen = await mcpGenerators[target]();
+                const mcpPath = gen.generate(cwd, envVars);
+                console.log(chalk.green(`    ✓ MCP config → ${typeof mcpPath === 'string' ? mcpPath : mcpPath}`));
+                results.push({ target, type: 'mcp', status: 'ok', path: mcpPath });
+            } catch (err) {
+                console.log(chalk.red(`    ✗ MCP config failed: ${err.message}`));
+                results.push({ target, type: 'mcp', status: 'error', error: err.message });
+            }
+        }
+
+        if (installRules) {
+            try {
+                const gen = await ruleGenerators[target]();
+                const result = gen.generate(cwd);
+                const rulePath = typeof result === 'string' ? result : result.filePath;
+                const action = typeof result === 'string' ? 'created' : result.action;
+                console.log(chalk.green(`    ✓ Workspace rule → ${rulePath} (${action})`));
+                results.push({ target, type: 'rule', status: 'ok', path: rulePath, action });
+            } catch (err) {
+                console.log(chalk.red(`    ✗ Workspace rule failed: ${err.message}`));
+                results.push({ target, type: 'rule', status: 'error', error: err.message });
+            }
+        }
+    }
+
+    // Summary
+    const ok = results.filter((r) => r.status === 'ok').length;
+    const errors = results.filter((r) => r.status === 'error').length;
+
+    console.log('');
+    console.log(chalk.dim('  ─────────────────────────────────'));
+    if (errors === 0) {
+        console.log(chalk.bold.green(`  ✅ Done! ${ok} configuration(s) installed successfully.`));
+    } else {
+        console.log(
+            chalk.bold.yellow(`  ⚠  Done with ${errors} error(s). ${ok} configuration(s) installed.`),
+        );
+    }
+    console.log('');
+    console.log(chalk.dim('  Run `securityreview-kit status` to verify your setup.'));
+    console.log('');
+}

package/src/commands/status.js

@@ -0,0 +1,86 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import chalk from 'chalk';
+import { TARGETS, TARGET_NAMES, SENTINEL_START } from '../utils/constants.js';
+import { readText, readJson } from '../utils/fs-helpers.js';
+
+/**
+ * Status command — show what's configured in the current workspace.
+ */
+export async function statusCommand() {
+    const cwd = process.cwd();
+
+    console.log('');
+    console.log(chalk.bold.cyan('  ╔══════════════════════════════════════╗'));
+    console.log(chalk.bold.cyan('  ║') + chalk.bold('  🛡️  Security Review Kit — Status ') + chalk.bold.cyan('   ║'));
+    console.log(chalk.bold.cyan('  ╚══════════════════════════════════════╝'));
+    console.log('');
+    console.log(chalk.dim(`  Workspace: ${cwd}`));
+    console.log('');
+
+    let anyFound = false;
+
+    for (const key of TARGET_NAMES) {
+        const target = TARGETS[key];
+        const mcpPath = join(cwd, target.mcpConfigPath);
+        const rulePath = join(cwd, target.rulePath);
+
+        const mcpExists = existsSync(mcpPath);
+        const ruleExists = existsSync(rulePath);
+
+        // Check if the MCP config actually has our server
+        let mcpHasServer = false;
+        if (mcpExists) {
+            if (target.mcpConfigPath.endsWith('.toml')) {
+                const content = readText(mcpPath);
+                mcpHasServer = content.includes('[mcp_servers.security-review-mcp]');
+            } else {
+                const json = readJson(mcpPath);
+                const servers = json?.mcpServers || json?.servers || {};
+                mcpHasServer = 'security-review-mcp' in servers;
+            }
+        }
+
+        // Check if rule file has our sentinel
+        let ruleHasSrai = false;
+        if (ruleExists) {
+            if (target.ruleMode === 'append') {
+                const content = readText(rulePath);
+                ruleHasSrai = content.includes(SENTINEL_START) || content.includes('SRAI Security Review');
+            } else {
+                // Standalone rule file — existence is enough
+                ruleHasSrai = true;
+            }
+        }
+
+        if (!mcpHasServer && !ruleHasSrai) continue;
+
+        anyFound = true;
+        console.log(chalk.bold(`  ${target.name}`));
+        console.log(
+            `    MCP Config:     ${mcpHasServer ? chalk.green('✓ Configured') : chalk.dim('✗ Not found')}  ${chalk.dim(target.mcpConfigPath)}`,
+        );
+        console.log(
+            `    Workspace Rule: ${ruleHasSrai ? chalk.green('✓ Installed') : chalk.dim('✗ Not found')}  ${chalk.dim(target.rulePath)}`,
+        );
+        console.log('');
+    }
+
+    if (!anyFound) {
+        console.log(chalk.yellow('  No security-review-mcp configurations found in this workspace.'));
+        console.log(chalk.dim('  Run `securityreview-kit init` to set up.'));
+        console.log('');
+    }
+
+    // Check env vars
+    console.log(chalk.bold('  Environment'));
+    const apiUrl = process.env.SECURITY_REVIEW_API_URL;
+    const apiToken = process.env.SECURITY_REVIEW_API_TOKEN;
+    console.log(
+        `    SECURITY_REVIEW_API_URL:   ${apiUrl ? chalk.green('✓ Set') : chalk.yellow('✗ Not set')}`,
+    );
+    console.log(
+        `    SECURITY_REVIEW_API_TOKEN: ${apiToken ? chalk.green('✓ Set') : chalk.yellow('✗ Not set')}`,
+    );
+    console.log('');
+}

package/src/generators/mcp/claude.js

@@ -0,0 +1,27 @@
+import { join } from 'node:path';
+import { readJson, writeJson } from '../../utils/fs-helpers.js';
+import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
+
+/**
+ * Generate Claude Code MCP config at .claude/settings.json
+ */
+export function generate(cwd, envVars) {
+    const filePath = join(cwd, '.claude', 'settings.json');
+    const existing = readJson(filePath) || {};
+
+    if (!existing.mcpServers) {
+        existing.mcpServers = {};
+    }
+
+    existing.mcpServers[MCP_SERVER_NAME] = {
+        command: 'npx',
+        args: ['-y', `${MCP_SERVER_PACKAGE}@latest`],
+        env: {
+            SECURITY_REVIEW_API_URL: envVars.apiUrl,
+            SECURITY_REVIEW_API_TOKEN: envVars.apiToken,
+        },
+    };
+
+    writeJson(filePath, existing);
+    return filePath;
+}

package/src/generators/mcp/codex.js

@@ -0,0 +1,44 @@
+import { join } from 'node:path';
+import { readText, writeText, ensureDir } from '../../utils/fs-helpers.js';
+import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
+
+/**
+ * Generate Codex MCP config at .codex/config.toml
+ * Codex uses TOML format. We use simple string templating since the structure
+ * is straightforward and avoids a TOML library dependency.
+ */
+export function generate(cwd, envVars) {
+    const filePath = join(cwd, '.codex', 'config.toml');
+    const existing = readText(filePath);
+
+    const serverBlock = `
+[mcp_servers.${MCP_SERVER_NAME}]
+command = "npx"
+args = ["-y", "${MCP_SERVER_PACKAGE}@latest"]
+
+[mcp_servers.${MCP_SERVER_NAME}.env]
+SECURITY_REVIEW_API_URL = "${envVars.apiUrl}"
+SECURITY_REVIEW_API_TOKEN = "${envVars.apiToken}"
+`.trim();
+
+    // Check if we already have this server configured
+    if (existing.includes(`[mcp_servers.${MCP_SERVER_NAME}]`)) {
+        // Replace the existing block — find from the server header to the next
+        // section header or end of file
+        const regex = new RegExp(
+            `\\[mcp_servers\\.${MCP_SERVER_NAME}\\][\\s\\S]*?(?=\\n\\[(?!mcp_servers\\.${MCP_SERVER_NAME})|$)`,
+        );
+        const updated = existing.replace(regex, serverBlock);
+        writeText(filePath, updated);
+    } else if (existing) {
+        // Append to existing file
+        const separator = existing.endsWith('\n') ? '\n' : '\n\n';
+        writeText(filePath, existing + separator + serverBlock + '\n');
+    } else {
+        // New file
+        ensureDir(join(cwd, '.codex'));
+        writeText(filePath, serverBlock + '\n');
+    }
+
+    return filePath;
+}

package/src/generators/mcp/cursor.js

@@ -0,0 +1,27 @@
+import { join } from 'node:path';
+import { readJson, writeJson } from '../../utils/fs-helpers.js';
+import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
+
+/**
+ * Generate Cursor MCP config at .cursor/mcp.json
+ */
+export function generate(cwd, envVars) {
+    const filePath = join(cwd, '.cursor', 'mcp.json');
+    const existing = readJson(filePath) || {};
+
+    if (!existing.mcpServers) {
+        existing.mcpServers = {};
+    }
+
+    existing.mcpServers[MCP_SERVER_NAME] = {
+        command: 'npx',
+        args: ['-y', `${MCP_SERVER_PACKAGE}@latest`],
+        env: {
+            SECURITY_REVIEW_API_URL: envVars.apiUrl,
+            SECURITY_REVIEW_API_TOKEN: envVars.apiToken,
+        },
+    };
+
+    writeJson(filePath, existing);
+    return filePath;
+}

package/src/generators/mcp/gemini.js

@@ -0,0 +1,28 @@
+import { join } from 'node:path';
+import { readJson, writeJson } from '../../utils/fs-helpers.js';
+import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
+
+/**
+ * Generate Gemini CLI / Antigravity MCP config at .gemini/settings.json
+ * Both Gemini CLI and Antigravity use the same config file path.
+ */
+export function generate(cwd, envVars) {
+    const filePath = join(cwd, '.gemini', 'settings.json');
+    const existing = readJson(filePath) || {};
+
+    if (!existing.mcpServers) {
+        existing.mcpServers = {};
+    }
+
+    existing.mcpServers[MCP_SERVER_NAME] = {
+        command: 'npx',
+        args: ['-y', `${MCP_SERVER_PACKAGE}@latest`],
+        env: {
+            SECURITY_REVIEW_API_URL: envVars.apiUrl,
+            SECURITY_REVIEW_API_TOKEN: envVars.apiToken,
+        },
+    };
+
+    writeJson(filePath, existing);
+    return filePath;
+}

package/src/generators/mcp/vscode.js

@@ -0,0 +1,29 @@
+import { join } from 'node:path';
+import { readJson, writeJson } from '../../utils/fs-helpers.js';
+import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
+
+/**
+ * Generate VS Code Copilot MCP config at .vscode/mcp.json
+ * Uses the VS Code input variable pattern for secure credential prompting.
+ */
+export function generate(cwd, envVars) {
+    const filePath = join(cwd, '.vscode', 'mcp.json');
+    const existing = readJson(filePath) || {};
+
+    if (!existing.servers) {
+        existing.servers = {};
+    }
+
+    existing.servers[MCP_SERVER_NAME] = {
+        type: 'stdio',
+        command: 'npx',
+        args: ['-y', `${MCP_SERVER_PACKAGE}@latest`],
+        env: {
+            SECURITY_REVIEW_API_URL: envVars.apiUrl,
+            SECURITY_REVIEW_API_TOKEN: envVars.apiToken,
+        },
+    };
+
+    writeJson(filePath, existing);
+    return filePath;
+}

package/src/generators/mcp/windsurf.js

@@ -0,0 +1,27 @@
+import { join } from 'node:path';
+import { readJson, writeJson } from '../../utils/fs-helpers.js';
+import { MCP_SERVER_NAME, MCP_SERVER_PACKAGE } from '../../utils/constants.js';
+
+/**
+ * Generate Windsurf MCP config at .windsurf/mcp_config.json
+ */
+export function generate(cwd, envVars) {
+    const filePath = join(cwd, '.windsurf', 'mcp_config.json');
+    const existing = readJson(filePath) || {};
+
+    if (!existing.mcpServers) {
+        existing.mcpServers = {};
+    }
+
+    existing.mcpServers[MCP_SERVER_NAME] = {
+        command: 'npx',
+        args: ['-y', `${MCP_SERVER_PACKAGE}@latest`],
+        env: {
+            SECURITY_REVIEW_API_URL: envVars.apiUrl,
+            SECURITY_REVIEW_API_TOKEN: envVars.apiToken,
+        },
+    };
+
+    writeJson(filePath, existing);
+    return filePath;
+}

package/src/generators/rules/antigravity.js

@@ -0,0 +1,22 @@
+import { join } from 'node:path';
+import { writeText } from '../../utils/fs-helpers.js';
+import { getRuleContent } from './content.js';
+
+/**
+ * Generate Antigravity workspace rule at .agent/rules/srai-security-review.md
+ * Antigravity uses .agent/rules/ with YAML frontmatter (trigger: always_on).
+ */
+export function generate(cwd) {
+    const filePath = join(cwd, '.agent', 'rules', 'srai-security-review.md');
+    const content = getRuleContent();
+
+    const rule = `---
+trigger: always_on
+---
+
+${content}
+`;
+
+    writeText(filePath, rule);
+    return filePath;
+}

package/src/generators/rules/claude.js

@@ -0,0 +1,13 @@
+import { join } from 'node:path';
+import { upsertSentinelBlock } from '../../utils/fs-helpers.js';
+import { getRuleContent } from './content.js';
+
+/**
+ * Generate Claude Code workspace rule — appends to CLAUDE.md
+ */
+export function generate(cwd) {
+    const filePath = join(cwd, 'CLAUDE.md');
+    const content = getRuleContent();
+    const action = upsertSentinelBlock(filePath, content);
+    return { filePath, action };
+}

package/src/generators/rules/codex.js

@@ -0,0 +1,13 @@
+import { join } from 'node:path';
+import { upsertSentinelBlock } from '../../utils/fs-helpers.js';
+import { getRuleContent } from './content.js';
+
+/**
+ * Generate Codex workspace rule — appends to AGENTS.md
+ */
+export function generate(cwd) {
+    const filePath = join(cwd, 'AGENTS.md');
+    const content = getRuleContent();
+    const action = upsertSentinelBlock(filePath, content);
+    return { filePath, action };
+}

package/src/generators/rules/content.js

@@ -0,0 +1,12 @@
+import { readFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+/**
+ * Returns the shared rule content markdown.
+ */
+export function getRuleContent() {
+    return readFileSync(join(__dirname, 'content.md'), 'utf-8').trim();
+}

package/src/generators/rules/content.md

@@ -0,0 +1,66 @@
+# SRAI Security Review
+
+**THIS RULE IS NON-NEGOTIABLE.** You MUST execute the security review workflow described below BEFORE writing, modifying, or suggesting ANY code. Do NOT skip, defer, or summarize these steps. Execute them by calling the MCP tools directly.
+
+You have access to the `security-review-mcp` MCP server. Use it.
+
+## PHASE 1 — BEFORE You Write Any Code
+
+Execute these tool calls IN ORDER at the start of every task. Do not proceed to code generation until all steps are complete.
+
+### Step 1: Find the project
+Call `find_project_by_name` with a name matching this repository/project.
+- If no project is found, call `list_projects` to check all available projects.
+- If still no match, call `create_project` with the repo name and a short description.
+- Store the `project_id` — you will need it for every subsequent call.
+
+### Step 2: Check for existing reviews
+Call `list_reviews` with the `project_id`.
+- If a completed review exists → go to Step 3.
+- If no review exists → you must create one:
+  1. Call `list_documents` to see available docs for this project.
+  2. If no documents exist, call `create_document_from_content` to upload a description of the current codebase or feature being worked on.
+  3. Call `create_review` with the `project_id`, document IDs, a name, and a description.
+  4. Call `start_workflow` to begin the analysis.
+  5. Poll `get_workflow_status` until the workflow completes.
+
+### Step 3: Pull security context
+Once a completed review exists, call ALL of the following and read the results:
+1. `get_threat_scenarios` — understand what threats have been identified
+2. `get_countermeasures` — understand what mitigations are recommended
+3. `get_components` — understand what system components are mapped
+4. `get_data_dictionaries` — understand what sensitive data is tracked
+5. `get_security_objectives` — understand regulatory/compliance requirements
+6. `get_findings` — understand aggregated security insights
+
+**You now have security context. Proceed to code generation.**
+
+## PHASE 2 — DURING Code Generation
+
+While writing code, you MUST:
+- Cross-reference every function, endpoint, or module against the threat scenarios from Step 3.
+- Apply the countermeasures where relevant — do not wait to be asked.
+- If you see a pattern that matches a known threat (e.g., SQL injection, insecure deserialization, missing auth checks), apply the corresponding countermeasure immediately.
+- Add inline comments referencing the threat ID or countermeasure when you apply a security control.
+
+## PHASE 3 — AFTER Code Generation
+
+After producing code, check:
+1. Does the code introduce any NEW attack surface not covered by existing threat scenarios?
+2. Are there data flows involving sensitive data (from `get_data_dictionaries`) that lack protection?
+3. Are any security objectives (from `get_security_objectives`) not addressed?
+
+If YES to any: explicitly tell the user what gaps exist and recommend creating an updated review.
+
+## Tool Reference
+
+The `security-review-mcp` server provides:
+
+| Category | Tools |
+|---|---|
+| **Projects** | `list_projects`, `find_project_by_name`, `create_project`, `get_project` |
+| **Documents** | `list_documents`, `create_document_from_content`, `upload_document`, `link_external_document` |
+| **Reviews** | `create_review`, `list_reviews`, `get_review`, `get_review_overview` |
+| **Workflow** | `start_workflow`, `get_workflow_status`, `start_next_workflow_job`, `start_workflow_job`, `retry_workflow_job` |
+| **Analysis** | `get_threat_scenarios`, `get_countermeasures`, `get_components`, `get_data_dictionaries`, `get_security_objectives`, `get_findings`, `get_security_test_cases` |
+| **Integrations** | `fetch_jira_issue`, `fetch_confluence_page`, `search_confluence_pages`, `fetch_and_link_to_srai` |

package/src/generators/rules/cursor.js

@@ -0,0 +1,23 @@
+import { join } from 'node:path';
+import { writeText } from '../../utils/fs-helpers.js';
+import { getRuleContent } from './content.js';
+
+/**
+ * Generate Cursor workspace rule at .cursor/rules/srai-security-review.mdc
+ * Cursor uses .mdc format with YAML front matter.
+ */
+export function generate(cwd) {
+    const filePath = join(cwd, '.cursor', 'rules', 'srai-security-review.mdc');
+    const content = getRuleContent();
+
+    const mdc = `---
+description: SRAI Security Review gate — consult security-review-mcp before security-relevant code changes
+alwaysApply: true
+---
+
+${content}
+`;
+
+    writeText(filePath, mdc);
+    return filePath;
+}

package/src/generators/rules/gemini.js

@@ -0,0 +1,13 @@
+import { join } from 'node:path';
+import { upsertSentinelBlock } from '../../utils/fs-helpers.js';
+import { getRuleContent } from './content.js';
+
+/**
+ * Generate Gemini CLI / Antigravity workspace rule — appends to GEMINI.md
+ */
+export function generate(cwd) {
+    const filePath = join(cwd, 'GEMINI.md');
+    const content = getRuleContent();
+    const action = upsertSentinelBlock(filePath, content);
+    return { filePath, action };
+}

package/src/generators/rules/vscode.js

@@ -0,0 +1,13 @@
+import { join } from 'node:path';
+import { upsertSentinelBlock } from '../../utils/fs-helpers.js';
+import { getRuleContent } from './content.js';
+
+/**
+ * Generate VS Code Copilot instructions — appends to .github/copilot-instructions.md
+ */
+export function generate(cwd) {
+    const filePath = join(cwd, '.github', 'copilot-instructions.md');
+    const content = getRuleContent();
+    const action = upsertSentinelBlock(filePath, content);
+    return { filePath, action };
+}

package/src/generators/rules/windsurf.js

@@ -0,0 +1,13 @@
+import { join } from 'node:path';
+import { writeText } from '../../utils/fs-helpers.js';
+import { getRuleContent } from './content.js';
+
+/**
+ * Generate Windsurf workspace rule at .windsurf/rules/srai-security-review.md
+ */
+export function generate(cwd) {
+    const filePath = join(cwd, '.windsurf', 'rules', 'srai-security-review.md');
+    const content = getRuleContent();
+    writeText(filePath, content + '\n');
+    return filePath;
+}

package/src/utils/constants.js

@@ -0,0 +1,63 @@
+// Shared constants for securityreview-kit
+
+export const MCP_SERVER_PACKAGE = 'security-review-mcp';
+export const MCP_SERVER_NAME = 'security-review-mcp';
+
+export const ENV_VARS = {
+    apiUrl: 'SECURITY_REVIEW_API_URL',
+    apiToken: 'SECURITY_REVIEW_API_TOKEN',
+};
+
+export const TARGETS = {
+    cursor: {
+        name: 'Cursor',
+        mcpConfigPath: '.cursor/mcp.json',
+        rulePath: '.cursor/rules/srai-security-review.mdc',
+        detectDirs: ['.cursor'],
+    },
+    claude: {
+        name: 'Claude Code',
+        mcpConfigPath: '.claude/settings.json',
+        rulePath: 'CLAUDE.md',
+        ruleMode: 'append',
+        detectDirs: ['.claude'],
+    },
+    vscode: {
+        name: 'VS Code Copilot',
+        mcpConfigPath: '.vscode/mcp.json',
+        rulePath: '.github/copilot-instructions.md',
+        ruleMode: 'append',
+        detectDirs: ['.vscode'],
+    },
+    windsurf: {
+        name: 'Windsurf',
+        mcpConfigPath: '.windsurf/mcp_config.json',
+        rulePath: '.windsurf/rules/srai-security-review.md',
+        detectDirs: ['.windsurf'],
+    },
+    codex: {
+        name: 'Codex',
+        mcpConfigPath: '.codex/config.toml',
+        rulePath: 'AGENTS.md',
+        ruleMode: 'append',
+        detectDirs: ['.codex'],
+    },
+    gemini: {
+        name: 'Gemini CLI',
+        mcpConfigPath: '.gemini/settings.json',
+        rulePath: 'GEMINI.md',
+        ruleMode: 'append',
+        detectDirs: ['.gemini'],
+    },
+    antigravity: {
+        name: 'Antigravity',
+        mcpConfigPath: '.gemini/settings.json',
+        rulePath: '.agent/rules/srai-security-review.md',
+        detectDirs: ['.agent'],
+    },
+};
+
+export const TARGET_NAMES = Object.keys(TARGETS);
+
+export const SENTINEL_START = '<!-- securityreview-kit:start -->';
+export const SENTINEL_END = '<!-- securityreview-kit:end -->';

package/src/utils/detect.js

@@ -0,0 +1,27 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { TARGETS, TARGET_NAMES } from './constants.js';
+
+/**
+ * Auto-detect which IDE/CLI targets are configured in the given directory
+ * by checking for known directories.
+ * @param {string} cwd - The directory to scan
+ * @returns {string[]} - List of detected target keys
+ */
+export function detectTargets(cwd) {
+    const detected = [];
+    const seen = new Set();
+
+    for (const key of TARGET_NAMES) {
+        const target = TARGETS[key];
+        for (const dir of target.detectDirs) {
+            const fullPath = join(cwd, dir);
+            if (existsSync(fullPath) && !seen.has(key)) {
+                detected.push(key);
+                seen.add(key);
+            }
+        }
+    }
+
+    return detected;
+}

package/src/utils/fs-helpers.js

@@ -0,0 +1,82 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { SENTINEL_START, SENTINEL_END } from './constants.js';
+
+/**
+ * Ensure a directory exists, creating parent dirs as needed.
+ */
+export function ensureDir(dirPath) {
+    if (!existsSync(dirPath)) {
+        mkdirSync(dirPath, { recursive: true });
+    }
+}
+
+/**
+ * Read a JSON file, returning null if it doesn't exist or is invalid.
+ */
+export function readJson(filePath) {
+    try {
+        const raw = readFileSync(filePath, 'utf-8');
+        return JSON.parse(raw);
+    } catch {
+        return null;
+    }
+}
+
+/**
+ * Write an object as pretty-printed JSON.
+ */
+export function writeJson(filePath, data) {
+    ensureDir(dirname(filePath));
+    writeFileSync(filePath, JSON.stringify(data, null, 2) + '\n', 'utf-8');
+}
+
+/**
+ * Read a text file, returning empty string if it doesn't exist.
+ */
+export function readText(filePath) {
+    try {
+        return readFileSync(filePath, 'utf-8');
+    } catch {
+        return '';
+    }
+}
+
+/**
+ * Write raw text to a file, ensuring parent dirs exist.
+ */
+export function writeText(filePath, content) {
+    ensureDir(dirname(filePath));
+    writeFileSync(filePath, content, 'utf-8');
+}
+
+/**
+ * Append or replace a sentinel-guarded block in a file.
+ * If the file exists and already has the block, it replaces it.
+ * If the file exists but doesn't have the block, it appends.
+ * If the file doesn't exist, it creates it with just the block.
+ */
+export function upsertSentinelBlock(filePath, content) {
+    const block = `${SENTINEL_START}\n${content}\n${SENTINEL_END}`;
+    const existing = readText(filePath);
+
+    if (!existing) {
+        writeText(filePath, block + '\n');
+        return 'created';
+    }
+
+    const startIdx = existing.indexOf(SENTINEL_START);
+    const endIdx = existing.indexOf(SENTINEL_END);
+
+    if (startIdx !== -1 && endIdx !== -1) {
+        const before = existing.substring(0, startIdx);
+        const after = existing.substring(endIdx + SENTINEL_END.length);
+        writeText(filePath, before + block + after);
+        return 'updated';
+    }
+
+    // Append with a blank line separator
+    const separator = existing.endsWith('\n') ? '\n' : '\n\n';
+    writeText(filePath, existing + separator + block + '\n');
+    return 'appended';
+}