CLI Installation
The VibeReview CLI is published on npm as @securityreviewai/vibereview.
It bootstraps the VibeReview MCP server and installs workspace rules, skills, and
hooks for AI IDEs.
Requirements
- Node.js ≥ 18
- A VibeReview API token (create one under Settings → API Tokens)
- The MCP server URL and API URL for your VibeReview environment
Install & run
The canonical pattern is to run it with npx from inside the repository you open
in your IDE, using the @latest tag so that each run resolves the newest
published version:
npx -y @securityreviewai/vibereview@latest init
A global install also works because the package ships a vibereview bin:
npm i -g @securityreviewai/vibereview
vibereview init
The command you type is vibereview.
What init does
init configures the MCP server and installs rules/skills/hooks for your selected
IDE or CLI tools. Run without flags, it prompts for:
- the VibeReview MCP server URL,
- the VibeReview API URL,
- the VibeReview API key,
- the project to link, and
- the IDE target.
"The CLI writes only the files required for the selected IDE. Server-side repository profiling and guardrail selection are handled by VibeReview."
It then writes, per target:
- an MCP server config (e.g. .cursor/mcp.json, .mcp.json, .vscode/mcp.json),
- a rules / agent-instructions file (e.g. .cursor/rules/vibereview-security.mdc, .claude/CLAUDE.md, .github/copilot-instructions.md),
- the security skills workflow into the target's skills directory, and
- a project config file.
See IDE & CLI Targets for the full per-IDE file map and The Skills Workflow for what the skills do.
Non-interactive install
Pass everything as flags for CI or scripted setup:
npx -y @securityreviewai/vibereview@latest init \
--target cursor \
--mcp-url https://<your-mcp-server> \
--api-url https://<your-api-server> \
--api-key <YOUR_TOKEN> \
--project-slug java-benchmark \
--approval-mode critical \
--yes
Install for all supported IDEs at once with --all. The full flag reference is on
the Commands page.
Files & directories the CLI manages
| Path | Purpose |
|---|---|
| .vibereview/config.json | Central config: credentials, URLs, target list, and the resolved project/tenant binding. |
| .vibereview/scans/ | Structured JSON scan artifacts (one per event), consumed by sync / flush. |
| Per-target MCP config | MCP server wiring for the IDE. |
| Per-target rules file | Security instructions injected into the AI assistant. |
| Per-target skills dir | The VibeReview security skills workflow. |
Environment variables
init reads these as fallbacks when the matching flag is not supplied:
| Variable | Purpose | Default |
|---|---|---|
| VIBEREVIEW_MCP_SERVER_URL | MCP server URL | http://localhost:3000 |
| VIBEREVIEW_API_URL | API URL | http://localhost:8000 |
| VIBIREVIEW_API_TOKEN | API token / key | — |
| VIBEREVIEW_PROJECT_SLUG | Preselect project | — |
The token environment variable is literally VIBIREVIEW_API_TOKEN in the CLI
source (note the VIBIREVIEW spelling), not VIBEREVIEW_API_TOKEN. Set it exactly
as written or the token will not be picked up.
The localhost:3000 / localhost:8000 defaults are for local development. For a
hosted environment, point --mcp-url / --api-url (or the env vars) at your
VibeReview server and use a token created in the web app.
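
A preflight for scripted installs against a hosted environment, catching the token-variable spelling and the localhost fallbacks described above before init runs. This is an added example, not part of the VibeReview CLI; the function names are hypothetical, and requiring https:// for hosted URLs is an assumption of the example.

```shell
#!/bin/sh
# Added example: preflight for a scripted `vibereview init` against a hosted
# environment. Function names are hypothetical; the variable names and the
# localhost defaults are the ones listed in the table above.

# check_url NAME VALUE: succeed only for an https:// URL (example's assumption).
check_url() {
    case "$2" in
        https://*) return 0 ;;
        "") echo "error: $1 is unset; init would use its localhost default" >&2 ;;
        http://localhost*|http://127.0.0.1*)
            echo "error: $1 points at local development: $2" >&2 ;;
        *)  echo "error: $1 is not an https:// URL: $2" >&2 ;;
    esac
    return 1
}

vibereview_preflight() {
    rc=0
    # The CLI reads VIBIREVIEW_API_TOKEN (sic); catch the "corrected" spelling.
    if [ -z "${VIBIREVIEW_API_TOKEN:-}" ]; then
        if [ -n "${VIBEREVIEW_API_TOKEN:-}" ]; then
            echo "error: VIBEREVIEW_API_TOKEN is set, but init reads VIBIREVIEW_API_TOKEN" >&2
        else
            echo "error: VIBIREVIEW_API_TOKEN is not set" >&2
        fi
        rc=1
    fi
    check_url VIBEREVIEW_MCP_SERVER_URL "${VIBEREVIEW_MCP_SERVER_URL:-}" || rc=1
    check_url VIBEREVIEW_API_URL "${VIBEREVIEW_API_URL:-}" || rc=1
    return "$rc"
}

# Run init with the token and URLs taken from the (exported) environment
# rather than from flags, so the token stays out of the process argument
# list and shell history.
vibereview_init_ci() {
    vibereview_preflight || return 1
    npx -y @securityreviewai/vibereview@latest init \
        --target "${1:-cursor}" --approval-mode critical --yes
}
```

Call `vibereview_init_ci cursor` from the CI step after the secret store has exported the three variables.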