npm - @hobocode/thought-layer - Versions diffs - 0.4.1 → 0.4.2 - Mend

@hobocode/thought-layer 0.4.1 → 0.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -17,6 +17,10 @@ This is open source and BYOK by design. The point is to help people build real t
 - **thought-layer-prd.** Draft the complete PRD — with a first-cut domain glossary and testable requirements — from the validated idea and business model. The plan the grill then hardens.
 - **thought-layer-grill.** The last design step: grills the draft PRD against the domain one question at a time, sharpening the glossary and hardening the requirements inline until it is build-ready. Runs after the PRD, not instead of the framework.
 - **thought-layer-naming.** Name the thing, with rationale and domain-ready slugs.
+- **thought-layer-build.** Build the hardened PRD into a static-first, deploy-ready artifact, verified to run, and leave a manifest the deploy step reads.
+- **thought-layer-deploy.** Take the build live to a URL you own, with no lock-in: a Netlify token deploys into your own account, or the Netlify CLI handles a logged-in or anonymous deploy.
+- **thought-layer-speedrun.** A fast, unranked path to a build-ready spec when you do not need the full panel and score.
+- **Optional deep-dives**, pulled in when you want to go further than the backbone: `thought-layer-strategy`, `thought-layer-brand`, `thought-layer-market-research`, and `thought-layer-business-model`.
 **A Pi package** that adds, on top of the skills:
@@ -30,11 +34,11 @@ This is open source and BYOK by design. The point is to help people build real t
 ```bash
 pi install npm:@hobocode/thought-layer
-# or, before it is published:
+# or track the latest from GitHub:
 pi install git:github.com/hobocode-ofc/thought-layer-kit
 ```
-Installing the package lights up the skills, the `/tl` commands, and the `tl_score` / `tl_domains` / `tl_project` tools. You can also invoke a skill directly with `/skill:thought-layer-panel`.
+Installing the package lights up the skills, the `/tl` commands, and the deterministic tools (`tl_score`, `tl_domains`, `tl_project`, `tl_state`, `tl_scaffold`, `deploy`). You can also invoke a skill directly with `/skill:thought-layer-panel`.
 ### Claude Code (or any agent that reads the Agent Skills format)

package/SECURITY.md ADDED Viewed

@@ -0,0 +1,48 @@
+# Security
+The Thought Layer Kit is bring-your-own-key by design. It has no server, no
+telemetry, and no central account. The threat model and the guarantees below
+follow from that.
+## What the kit handles
+- **Secrets are read from the environment only.** The Netlify token
+  (`NETLIFY_AUTH_TOKEN` / `NETLIFY_TOKEN`) and the domain-check key
+  (`THOUGHT_LAYER_DOMAIN_KEY` / `RAPIDAPI_KEY`) are read from `process.env`. They
+  are never accepted as tool or CLI parameters, never logged or printed, and
+  never written to disk. The `deploy.json` record stores the resulting URLs and
+  ids, never the token.
+- **Deploys go to your own account.** With a token, the deploy uses Netlify's
+  file-digest API to publish into your account. With no token, it delegates to
+  your installed Netlify CLI (a site in your account when logged in, or an
+  anonymous, claimable site when logged out). Nothing is hosted on infrastructure
+  we control, and there is no claim handshake we mediate.
+- **No shell injection.** External commands (the Netlify CLI) are invoked with an
+  argument array and no shell, so values such as a site name or publish directory
+  cannot break out into a shell. Site names are sanitized to `[a-z0-9-]`.
+- **File writes are confined.** The scaffold and state-file writers resolve paths
+  against the working directory; the state file and build artifacts live under
+  `.thought-layer/` and the chosen publish directory.
+- **No network calls you did not ask for.** The only outbound requests are to the
+  Netlify API (deploy) and, if you set a domain key, the RapidAPI domains
+  endpoint. There is no analytics or phone-home.
+## What stays your responsibility
+- The kit runs inside your own agent (Pi, Claude Code, or another) on your own
+  model and keys. The quality and safety of code an agent builds from a spec is a
+  function of that agent and model, not the kit.
+- Keep your provider keys and Netlify token in your environment or your agent's
+  secret store, not in committed files. `.thought-layer/` and `.env` are
+  gitignored in this repo for that reason.
+## Reporting a vulnerability
+Email security reports to **jerm@hobocode.net**. Please include steps to
+reproduce and the affected version. We aim to acknowledge within a few days.
+Public disclosure is welcome once a fix is released.
+## Supported versions
+The latest published `@hobocode/thought-layer` release on npm is the supported
+version. Fixes ship forward; please update before reporting.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@hobocode/thought-layer",
-  "version": "0.4.1",
+  "version": "0.4.2",
   "description": "The Thought Layer: rigor for building. Validate an idea, grill it into a buildable spec, then build and deploy it, inside the agent you already use. BYOK, no telemetry.",
   "license": "MIT",
   "author": "Hobocode LLC <jerm@hobocode.net>",
@@ -70,6 +70,7 @@
     "core/deploy-io.ts",
     "dist",
     "README.md",
+    "SECURITY.md",
     "LICENSE"
   ]
 }