thesmos-governance 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (149) hide show
  1. package/CHANGELOG.md +308 -0
  2. package/LICENSE +76 -0
  3. package/LICENSE-COMMERCIAL.md +24 -0
  4. package/README.md +766 -0
  5. package/catalog/agents/reviewers/accessibility-reviewer.md +54 -0
  6. package/catalog/agents/reviewers/ai-safety-reviewer.md +56 -0
  7. package/catalog/agents/reviewers/analytics-reviewer.md +55 -0
  8. package/catalog/agents/reviewers/api-reviewer.md +55 -0
  9. package/catalog/agents/reviewers/architecture-reviewer.md +53 -0
  10. package/catalog/agents/reviewers/ate-sql-injection-agent.md +69 -0
  11. package/catalog/agents/reviewers/auth-reviewer.md +56 -0
  12. package/catalog/agents/reviewers/backend-reviewer.md +55 -0
  13. package/catalog/agents/reviewers/build-system-reviewer.md +55 -0
  14. package/catalog/agents/reviewers/cerberus-oauth-agent.md +70 -0
  15. package/catalog/agents/reviewers/ci-reviewer.md +55 -0
  16. package/catalog/agents/reviewers/code-quality-reviewer.md +54 -0
  17. package/catalog/agents/reviewers/compliance-reviewer.md +55 -0
  18. package/catalog/agents/reviewers/content-reviewer.md +54 -0
  19. package/catalog/agents/reviewers/creative-director.md +172 -0
  20. package/catalog/agents/reviewers/data-fetching-reviewer.md +55 -0
  21. package/catalog/agents/reviewers/database-reviewer.md +55 -0
  22. package/catalog/agents/reviewers/dependency-reviewer.md +54 -0
  23. package/catalog/agents/reviewers/design-system-reviewer.md +55 -0
  24. package/catalog/agents/reviewers/devops-reviewer.md +55 -0
  25. package/catalog/agents/reviewers/documentation-reviewer.md +54 -0
  26. package/catalog/agents/reviewers/ecommerce-reviewer.md +56 -0
  27. package/catalog/agents/reviewers/error-handling-reviewer.md +54 -0
  28. package/catalog/agents/reviewers/feature-flag-reviewer.md +54 -0
  29. package/catalog/agents/reviewers/forms-reviewer.md +55 -0
  30. package/catalog/agents/reviewers/frontend-reviewer.md +55 -0
  31. package/catalog/agents/reviewers/fullstack-reviewer.md +56 -0
  32. package/catalog/agents/reviewers/governance-reviewer.md +55 -0
  33. package/catalog/agents/reviewers/graphql-reviewer.md +79 -0
  34. package/catalog/agents/reviewers/hades-credential-agent.md +73 -0
  35. package/catalog/agents/reviewers/hecate-prompt-injection-agent.md +67 -0
  36. package/catalog/agents/reviewers/incident-reviewer.md +54 -0
  37. package/catalog/agents/reviewers/infrastructure-reviewer.md +77 -0
  38. package/catalog/agents/reviewers/localization-reviewer.md +54 -0
  39. package/catalog/agents/reviewers/migration-reviewer.md +55 -0
  40. package/catalog/agents/reviewers/mobile-reviewer.md +55 -0
  41. package/catalog/agents/reviewers/monorepo-reviewer.md +55 -0
  42. package/catalog/agents/reviewers/nemesis-supply-chain-agent.md +71 -0
  43. package/catalog/agents/reviewers/nextjs-reviewer.md +55 -0
  44. package/catalog/agents/reviewers/nyx-api-enumeration-agent.md +70 -0
  45. package/catalog/agents/reviewers/observability-reviewer.md +54 -0
  46. package/catalog/agents/reviewers/onboarding-reviewer.md +55 -0
  47. package/catalog/agents/reviewers/package-publishing-reviewer.md +55 -0
  48. package/catalog/agents/reviewers/performance-reviewer.md +53 -0
  49. package/catalog/agents/reviewers/privacy-reviewer.md +55 -0
  50. package/catalog/agents/reviewers/product-reviewer.md +54 -0
  51. package/catalog/agents/reviewers/prompt-engineering-reviewer.md +54 -0
  52. package/catalog/agents/reviewers/python-reviewer.md +74 -0
  53. package/catalog/agents/reviewers/react-reviewer.md +55 -0
  54. package/catalog/agents/reviewers/refactor-reviewer.md +54 -0
  55. package/catalog/agents/reviewers/release-readiness-reviewer.md +55 -0
  56. package/catalog/agents/reviewers/security-reviewer.md +58 -0
  57. package/catalog/agents/reviewers/seo-reviewer.md +54 -0
  58. package/catalog/agents/reviewers/shopify-reviewer.md +56 -0
  59. package/catalog/agents/reviewers/state-management-reviewer.md +54 -0
  60. package/catalog/agents/reviewers/supabase-reviewer.md +57 -0
  61. package/catalog/agents/reviewers/testing-reviewer.md +53 -0
  62. package/catalog/agents/reviewers/typescript-reviewer.md +55 -0
  63. package/catalog/agents/reviewers/ux-reviewer.md +54 -0
  64. package/catalog/agents/reviewers/wordpress-reviewer.md +56 -0
  65. package/catalog/profiles/base.json +27 -0
  66. package/catalog/profiles/enterprise.json +57 -0
  67. package/catalog/profiles/next-supabase.json +48 -0
  68. package/catalog/profiles/package.json +34 -0
  69. package/catalog/profiles/web.json +43 -0
  70. package/catalog/skills/a11y-audit.md +60 -0
  71. package/catalog/skills/adapter-sync.md +59 -0
  72. package/catalog/skills/add-tests.md +62 -0
  73. package/catalog/skills/ai-prompt-review.md +60 -0
  74. package/catalog/skills/analytics-compliance.md +60 -0
  75. package/catalog/skills/api-deprecation-review.md +61 -0
  76. package/catalog/skills/api-design-review.md +61 -0
  77. package/catalog/skills/auth-flow-review.md +60 -0
  78. package/catalog/skills/build-optimization.md +61 -0
  79. package/catalog/skills/ci-pipeline-audit.md +60 -0
  80. package/catalog/skills/component-audit.md +60 -0
  81. package/catalog/skills/cors-audit.md +60 -0
  82. package/catalog/skills/csp-audit.md +60 -0
  83. package/catalog/skills/data-fetching-audit.md +61 -0
  84. package/catalog/skills/database-schema-review.md +61 -0
  85. package/catalog/skills/dependency-audit.md +61 -0
  86. package/catalog/skills/design-token-audit.md +59 -0
  87. package/catalog/skills/documentation-audit.md +61 -0
  88. package/catalog/skills/e2e-test-review.md +60 -0
  89. package/catalog/skills/env-variable-audit.md +60 -0
  90. package/catalog/skills/error-boundary-audit.md +60 -0
  91. package/catalog/skills/feature-flag-audit.md +60 -0
  92. package/catalog/skills/final-hardening-pass.md +61 -0
  93. package/catalog/skills/generate-report.md +60 -0
  94. package/catalog/skills/graphql-schema-review.md +68 -0
  95. package/catalog/skills/i18n-audit.md +60 -0
  96. package/catalog/skills/incident-postmortem.md +61 -0
  97. package/catalog/skills/infrastructure-security-review.md +75 -0
  98. package/catalog/skills/init-governance.md +60 -0
  99. package/catalog/skills/integration-test-review.md +60 -0
  100. package/catalog/skills/logging-audit.md +60 -0
  101. package/catalog/skills/migration-safety-check.md +60 -0
  102. package/catalog/skills/monorepo-dependency-graph.md +60 -0
  103. package/catalog/skills/observability-review.md +61 -0
  104. package/catalog/skills/onboarding-audit.md +61 -0
  105. package/catalog/skills/performance-profile.md +61 -0
  106. package/catalog/skills/pr-review.md +59 -0
  107. package/catalog/skills/python-async-audit.md +63 -0
  108. package/catalog/skills/rate-limit-audit.md +60 -0
  109. package/catalog/skills/refactor-impact-analysis.md +62 -0
  110. package/catalog/skills/release-checklist.md +63 -0
  111. package/catalog/skills/repo-health-audit.md +61 -0
  112. package/catalog/skills/rls-policy-audit.md +60 -0
  113. package/catalog/skills/scan-codebase.md +58 -0
  114. package/catalog/skills/secret-scan.md +60 -0
  115. package/catalog/skills/security-scan.md +61 -0
  116. package/catalog/skills/seo-audit.md +60 -0
  117. package/catalog/skills/staged-change-review.md +60 -0
  118. package/catalog/skills/state-audit.md +60 -0
  119. package/catalog/skills/test-coverage-report.md +62 -0
  120. package/catalog/skills/typescript-strict-mode.md +62 -0
  121. package/catalog/skills/validate-rules.md +59 -0
  122. package/catalog/skills/webhook-security-review.md +60 -0
  123. package/config.schema.json +252 -0
  124. package/dist/chunk-7GCSYG7G.js +138 -0
  125. package/dist/chunk-7N7GSU6K.js +34 -0
  126. package/dist/chunk-D5UANPA5.js +61 -0
  127. package/dist/chunk-EVQAWKS4.js +50 -0
  128. package/dist/chunk-FFZCCMLT.js +42093 -0
  129. package/dist/chunk-MVHLDFZV.js +156 -0
  130. package/dist/chunk-SVE6NZBV.js +42548 -0
  131. package/dist/chunk-VG2453HG.js +176 -0
  132. package/dist/chunk-YYYN553E.js +154 -0
  133. package/dist/cli.js +22891 -0
  134. package/dist/config-X235D23R.js +13 -0
  135. package/dist/git-IZFKH3GY.js +11 -0
  136. package/dist/hooks-6ANEC6DS.js +24 -0
  137. package/dist/hooks-YH45ZJRU.js +22 -0
  138. package/dist/index.d.ts +1595 -0
  139. package/dist/index.js +6330 -0
  140. package/dist/presets/ai-strict.json +24 -0
  141. package/dist/presets/recommended.json +12 -0
  142. package/dist/presets/vibe-coding.json +47 -0
  143. package/dist/registry-A66NBHXV.js +10 -0
  144. package/dist/registry-UMT2SOUG.js +6 -0
  145. package/dist/review-2FTGISZG.js +20 -0
  146. package/package.json +169 -0
  147. package/presets/ai-strict.json +24 -0
  148. package/presets/recommended.json +12 -0
  149. package/presets/vibe-coding.json +47 -0
package/CHANGELOG.md ADDED
@@ -0,0 +1,308 @@
1
+ # Changelog
2
+
3
+ All notable changes to `thesmos-governance` will be documented here.
4
+
5
+ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
6
+
7
+ ---
8
+
9
+ ## [3.6.0] — 2026-06-23
10
+
11
+ ### Added
12
+
13
+ **Universal Intelligence Protocol — injected into every generated CLAUDE.md:**
14
+ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Protocol to the generated CLAUDE.md. All 34 God Agents inherit: Consultation Mode (ranked options with trade-offs), Calibrated Confidence markers ([ASSUMPTION], [VERIFY], [LIKELY]), Adversarial Self-Check, Governance Badge on every output, Proactive Insight Protocol, Temporal Scope declarations, and God Council Escalation. The protocol is generated by the new `generatePantheonProtocol()` function in `adapters.ts`.
15
+
16
+ **3 New God Agents (catalog: 70 → 73, Pantheon: 31 → 34):**
17
+
18
+ - **God Agent Proteus** (`proteus-drift-agent`) — Drift & Alignment Monitor. Detects product drift, prompt drift, architecture drift, brand drift, strategy drift, and governance drift. Compares the current state against documented baselines; surfaces findings by domain with severity (BLOCKER/HIGH/MEDIUM/LOW) and delegates corrections to domain specialists. Integrates with `prometheus drift` (infrastructure) and `.prometheus/brain.md` (context baseline). Governed by AGNT_001, MCP_001.
19
+ - **God Agent Momus** (`momus-challenger-agent`) — Challenger & Clarity Enforcer. Challenges plans, ideas, and research before they execute using Socratic method, Gary Klein's Pre-mortem, Charlie Munger's Inversion, Red Team thinking, and Five Whys. Delivers: premise check, 3 weakest assumptions, 5 unasked questions, 3 failure scenarios, specificity demands, and unrepresented interests. Auto-invoked by Zeus before irreversible decisions. Governed by AGNT_001, LIC_001.
20
+ - **God Agent Metis** (`metis-pm-agent`) — Project Manager & Execution Planner. Converts plans into executable phases with entry/exit criteria, critical path (CPM), RACI ownership tables, risk registers, definitions of done, and status templates. Auto-invoked by Zeus before plans longer than 4 weeks and by Daedalus after PRD approval. Governed by AGNT_001, SC_002.
21
+
22
+ **"God Agent" naming convention applied to all 37 Pantheon agents** — Every agent's `name:` frontmatter field and `## Identity` opening now use the "God Agent [Name]" prefix. Example: `name: "God Agent Zeus — Executive Agent"` and `"You are God Agent Zeus, Executive Agent..."`. Applied to: all 21 agents in `catalog/agents/pantheon/`, the 10 workflow agents (Chiron, Calliope, Cassandra, etc.), and the 6 security investigators (Hades, Cerberus, Nyx, etc.).
23
+
24
+ **God Council protocol added to God Agent Zeus** — Full arbitration process: conflict trigger conditions, 5-step arbitration sequence, permanent vetoes (Argus security veto, Themis legal veto that cannot be overridden), and standing rule that Momus is invoked before every God Council session.
25
+
26
+ **Delegation map in Zeus updated** — Now includes all 34 God Agents including Metis, Momus, Proteus, Chiron, Cassandra, Calliope, Erato, Kratos, Aether, Polyhymnia, Talos, Clio, and Eos. Direct peer delegation rules added: any agent can invoke Momus (challenge check), Proteus (drift check), Argus (security), or Themis (legal) without routing through Zeus.
27
+
28
+ **Domain mastery sections added to all 37 existing agents** — Three new sections per agent inserted after `## Constraints`:
29
+ - `## Failure modes` — 3–5 domain-specific failure patterns with diagnostic questions
30
+ - `## Problem diagnosis` — 3–4 questions the agent asks before accepting the stated problem
31
+ - `## What makes this God Agent's judgment unique` — 4–5 non-obvious expert insights from deep domain experience
32
+
33
+ ### Changed
34
+
35
+ - **`prometheus/package.json`** — version `3.5.0` → `3.6.0`
36
+ - **`prometheus/catalog.test.ts`** — agent count assertion `70` → `73`
37
+ - **`prometheus/bin/commands/compliance.ts`** — footer version `v3.5.0` → `v3.6.0`
38
+ - **`prometheus/adapters.ts`** — added `generatePantheonProtocol()` function; `generateClaudeRules` now appends Universal Protocol to every CLAUDE.md output
39
+
40
+ ### Website & Documentation
41
+
42
+ - **`holley.studio/prometheus`** — version badge `v3.5.0` → `v3.6.0`, Pantheon count `31` → `34`, 3 new Pantheon cards (Proteus, Momus, Metis), new "Why Prometheus is Different" section with 4-card comparison and competitive table
43
+ - **`prometheus/README.md`** — new "Why Prometheus is different" section with 7 key selling points and feature comparison table
44
+
45
+ ---
46
+
47
+ ## [3.5.0] — 2026-06-23
48
+
49
+ ### Added
50
+
51
+ **10 New Pantheon Agents — Creative, Business, and Developer Workflow:**
52
+
53
+ - **Calliope** (`calliope-email-agent`) — Email Design & HTML/MJML Agent. MJML source code, compiled HTML email templates, responsive cross-client design, deliverability checklists, A/B variant specs. Governed by GDPR_004 (no PII in email URLs), SEC_008 (no secrets in templates), GDPR_001 (consent gate awareness).
54
+ - **Talos** (`talos-web-dev-agent`) — Web Dev & Implementation Agent. Production-ready Next.js/React/TypeScript components, API routes, database queries, and test scaffolds. Runs a mental Prometheus governance scan on every file before delivery. Governed by SEC_004, AUTH_002, NEXT_003, MCP_001.
55
+ - **Clio** (`clio-case-study-agent`) — Case Study & Social Proof Agent. Customer interview frameworks (STAR structure), first draft with [VERIFY] placeholders, ROI calculation worksheets, testimonial pull quotes, LinkedIn post versions, and PDF design briefs for Hephaestus. Governed by LIC_001 (no fabricated quotes), GDPR_013 (client consent required).
56
+ - **Eos** (`eos-automation-agent`) — Automation & Workflow Engineering Agent. n8n/Zapier/Make workflow JSON, GitHub Actions YAML, shell scripts, webhook handler code, and runbooks. All API keys BYOK. Governed by SC_007 (no script injection), SC_001 (pinned actions), SEC_007 (no hardcoded credentials).
57
+ - **Erato** (`erato-brand-voice-agent`) — Brand Voice & Messaging Architecture Agent. Brand voice guides, messaging architecture (hero message → pillars → proof points), tagline options with rationale, boilerplate copy at 4 lengths, competitor voice differentiation matrix. The guide that Apollo executes within.
58
+ - **Kratos** (`kratos-devops-agent`) — DevOps & Infrastructure Agent. Dockerfiles (multi-stage, non-root), docker-compose, GitHub Actions CI/CD, Terraform modules, K8s manifests, secrets management plans, and runbooks. Governed by K8S_001, SC_006, SEC_007.
59
+ - **Aether** (`aether-ai-strategy-agent`) — AI Product Strategy & Prompt Engineering Agent. LLM selection matrix, system prompt engineering (with injection hardening), RAG pipeline architecture, evaluation frameworks, token cost estimates. Governed by MCP_001, AGNT_001, LIC_008. All LLM API keys BYOK.
60
+ - **Polyhymnia** (`polyhymnia-docs-agent`) — Technical Documentation Agent. READMEs with badges/quickstart/API surface, API references, ADR templates, runbooks, JSDoc/TSDoc annotations, and changelog entries. Developer-facing technical docs only — not marketing content. Governed by LIC_001, GDPR_013.
61
+ - **Cassandra** (`cassandra-qa-agent`) — QA & Testing Strategy Agent. Test strategy documents, test plans (happy path + edge cases + error cases), Vitest/Jest scaffolds, Playwright E2E outlines, coverage targets by module type, CI test pipeline config. Risk-based prioritisation; never recommends 100% coverage as a goal. Governed by SC_002, AUTH_002, GDPR_001.
62
+ - **Chiron** (`chiron-architecture-agent`) — Architecture & Engineering Advisory Agent. Architecture recommendations with named alternatives and explicit trade-offs, ADR documents, C4 model system diagrams, technology selection matrices, refactoring roadmaps, and technical debt inventories. The senior engineer in the room. Governed by MCP_001, SC_001, AGNT_001.
63
+
64
+ **Pantheon now spans 31 agents** covering executive, marketing, content, creative, design, sales, CX, legal, finance, PR, BD, operations, knowledge, video, animation, photography, security investigation, email design, web development, case studies, automation, brand voice, DevOps, AI strategy, technical documentation, QA, and architecture.
65
+
66
+ ---
67
+
68
+ ## [3.4.0] — 2026-06-22
69
+
70
+ ### Added
71
+
72
+ **`brain:promote` — Community Rule Promotion:**
73
+
74
+ - New command `prometheus brain:promote --rule=<ID>` scaffolds an approved `ProposedRule` from `brain.json` into a TypeScript rule stub at `prometheus/rules/community/<ID>.ts`
75
+ - Generated stubs follow the exact `ThesmosRule` pattern used throughout the core rules (exported `*_RULES` array, externalized regex constant, `.js` imports)
76
+ - Printed step-by-step wiring instructions guide the developer to import the stub into `registry.ts`, add a test, and set the release version
77
+ - `brain:evolve --approve` now stamps `approvedAt` timestamp on approved proposals
78
+ - New `prometheus/rules/community/` directory with README documenting the promotion workflow
79
+ - Route registered in CLI: `brain:promote`
80
+
81
+ **MCP_001 — Expanded Injection Pattern Detection:**
82
+
83
+ - `INJECTION_RE` in `prometheus/rules/mcp.ts` expanded from 6 patterns to 25+ across 6 attack categories
84
+ - System prompt overrides: `ignore/disregard/forget/override previous instructions`, `your new instructions are`
85
+ - Role-play escapes: `you are now a`, `act as if`, `pretend to be`, `roleplay as`
86
+ - Delimiter injection: `<system>`, `[INST]`, `<|im_start|>`, `### System`
87
+ - Instruction hijacking: `SYSTEM:`, `before calling this`, `you must also`, `additionally send/exfiltrate`
88
+ - Encoding obfuscation: `base64_decode`, `atob()`, `String.fromCharCode`, hex escape sequences
89
+ - Exfil signals: `exfiltrate`, `send/upload/post to https://` or `/api/`
90
+
91
+ **Sensitive Field Taxonomy:**
92
+
93
+ - `PII_FIELD_RE` in GDPR rules extended with high-sensitivity fields: `bankAccount`, `routingNumber`, `accountNumber`, `creditScore`, `socialSecurity`, `taxId`, `driversLicense`, `medicalRecord`, `healthInsurance`
94
+ - `PII_FIELD_RE` extended with medium-sensitivity API response fields: `salary`, `compensation`, `is_admin`, `isAdmin`, `permissions`, `sessionId`, `session_token`, `accessToken`, `refreshToken`
95
+ - `CRED_RE` in security rules extended with: `privateKey`, `private_key`, `clientSecret`, `client_secret`, `serviceAccountKey`, `database_password`, `db_password`, `connectionString`, `connection_string`
96
+
97
+ **6 New Pantheon Security Investigation Agents:**
98
+
99
+ - **Hecate** (`hecate-prompt-injection-agent`) — AI prompt injection and MCP tool poisoning investigator. Detects direct and indirect injection in LLM pipelines, tool descriptions, and agent configurations. References MCP_001–003.
100
+ - **Nemesis** (`nemesis-supply-chain-agent`) — CI/CD supply chain attack investigator. Audits GitHub Actions for unpinned actions, script injection, secrets exposure, and dependency confusion. References SC_001–008.
101
+ - **Cerberus** (`cerberus-oauth-agent`) — OAuth token theft investigator. Reviews token storage, JWT handling, cookie security, and timing attack risks in authentication flows. References AUTH_002–005, SEC_019.
102
+ - **Nyx** (`nyx-api-enumeration-agent`) — API enumeration and BOLA/IDOR investigator. Ensures resource ownership validation and rate limiting on all identifier-based API routes. References AUTH_002, SEC_015, DAST_001–002.
103
+ - **Ate** (`ate-sql-injection-agent`) — SQL injection and WAF evasion investigator. Detects unparameterized queries, raw ORM misuse, and WAF bypass patterns. References SEC_004, DAST_005–006.
104
+ - **Hades** (`hades-credential-agent`) — Credential dumping and secret exposure investigator. Audits hardcoded credentials, unsafe secret storage, and git history for leaked key material. References SEC_007–011, SEC_016, GDPR_008.
105
+
106
+ ---
107
+
108
+ ## [3.3.0] — 2026-06-22
109
+
110
+ ### Added
111
+
112
+ **Complete Builder Wizard — 6 New Generators:**
113
+
114
+ - **`prometheus build:dashboard`** — 5-question wizard that creates a monitoring/analytics dashboard. Supports Next.js React components and plain HTML + Chart.js. Pre-wires Prometheus governance metrics as default data source. Outputs to `src/components/dashboards/<name>.tsx` or `public/dashboards/<name>.html`.
115
+
116
+ - **`prometheus build:workflow`** — 7-question wizard that creates GitHub Actions CI/CD workflows. Covers all trigger types (PR, push, scheduled, manual, release), all common step groups (test+lint, build+deploy, full CI with Prometheus scan), and all major deploy targets (Vercel, AWS, GCP). Manual approval gates wired via `trstringer/manual-approval`.
117
+
118
+ - **`prometheus build:rag`** — 9-question wizard for Retrieval-Augmented Generation pipelines. Generates `chunker.ts`, `retriever.ts`, and `pipeline.ts`. Supports OpenAI, Cohere, Anthropic, and local embeddings (all BYOK). Vector stores: Supabase pgvector, Pinecone, Weaviate, in-memory. Retrieval strategies: similarity, MMR (diverse), hybrid keyword+vector. Optional MCP tool wrapper to expose the pipeline to AI agents. Security note included in generated code: sanitize retrieved content to prevent prompt injection via documents.
119
+
120
+ - **`prometheus build:voice`** — 8-question wizard for real-time voice AI agents. Generates `session.ts`, `transport.ts`, and `pipeline.ts`. Supports WebRTC, Twilio Media Streams, and browser SpeechAPI transports. STT providers: Deepgram, AssemblyAI, OpenAI Whisper, browser native. TTS: ElevenLabs, Deepgram, browser native. LLM: Claude, OpenAI, local (all BYOK). Security warnings for audio PII and session isolation included in generated code.
121
+
122
+ - **`prometheus build:mcp-tool`** — 5-question wizard that creates a new custom tool for the Prometheus MCP server. Generates `prometheus/mcp-tools/<name>.ts` with full type-safe handler and registration instructions for `mcp-server.ts`. Supports read-only, file-writing, and external-API side-effect profiles. Return types: text, JSON, file list, Prometheus findings.
123
+
124
+ - **`prometheus build:automation`** — 6-question wizard for CI/CD automations. For GitHub-hosted triggers (cron, webhook, file-change, event) generates `.github/workflows/<name>.yml`. For local triggers generates `.prometheus/automation/<name>.sh` with retry logic and dry-run support. Covers all common step groups (tests, build, deploy, notification, custom) and failure modes (fail+alert, retry×3+alert, log+continue).
125
+
126
+ **Builder Wizard Infrastructure:**
127
+
128
+ - Generic `runBuilderWizard()` runner shared by all 6 builders — eliminates 200+ lines of duplicated wizard-loop code
129
+ - All 6 builders support `--plan` (outputs Markdown plan + design decisions), `--scaffold` (writes code), and `--yes` (skips confirmation)
130
+ - All scaffold outputs are immediately scanned by the Prometheus governance engine before reporting
131
+ - All API keys are BYOK — Prometheus never stores, caches, or proxies credentials
132
+
133
+ ### Changed
134
+
135
+ - `prometheus/package.json`: version `3.2.0` → `3.3.0`; added keywords: `ai-safety`, `owasp`, `mcp-server`, `brain`, `builder`
136
+ - `prometheus/bin/commands/build.ts`: replaced 6 `runBuildStub` stubs with real implementations; added 6 question arrays (40 total questions); imported 6 generator modules
137
+
138
+ ---
139
+
140
+ ## [2.2.0] — 2026-06-21
141
+
142
+ ### Added
143
+
144
+ **5 Innovation Features:**
145
+
146
+ - **F1 — `debug_finding` MCP Tool** — New MCP tool on the existing `prometheus mcp:serve` server. Call `debug_finding(rule_id, file_content, line?)` to get a `true_positive` / `likely_false_positive` verdict, the full rule explanation, exact fix suggestion, and suppression command. Closes the "why did this fire?" loop without leaving the AI assistant session.
147
+
148
+ - **F2 — Post-Fix Verification (`prometheus fix --verify`)** — After applying a fixer, Prometheus immediately re-runs `detect()` on the patched content to confirm the finding is resolved. New exports: `verifyFix(filePath, beforeContent, afterContent, finding, config): VerifyResult` and `VerifyResult` interface. Reports: ✅ verified / ❌ unresolved / ⚠️ regression introduced. Zero external dependencies — uses Prometheus's own rules engine.
149
+
150
+ - **F3 — GitHub PR Comment Bot (`prometheus github:comment`)** — Posts or updates a single governance summary comment on a GitHub PR. Uses `GITHUB_TOKEN` + native Node 18 `fetch()` — no `@octokit/rest` dependency. Idempotent via an HTML marker (`<!-- thesmos-governance-bot -->`). Includes auto-detection of repo from `git remote`. `--print-workflow` prints a copy-paste GitHub Actions snippet. New file: `prometheus/bin/commands/github-comment.ts`.
151
+
152
+ - **F4 — Incremental Scan Cache** — sha256-keyed per-file finding cache in `.prometheus/.scan-cache.json`. Unchanged files return cached findings instantly; any rules-version bump invalidates all entries. New exports: `loadCache`, `saveCache`, `getCachedFindings`, `setCachedFindings`, `invalidateCache`, `runReviewCached`. Expected speedup: 70–90% on second scan when most files are unchanged. New file: `prometheus/incremental-cache.ts`.
153
+
154
+ - **F5 — LSP Real-Time Feedback Server (`thesmos lsp`)** — Standalone LSP 3.17 server over stdio. Surfaces governance findings as real-time squiggles in any LSP-compatible editor (VS Code, Cursor, Neovim, Emacs). Capabilities: `textDocument/didOpen`, `textDocument/didChange` (debounced 500ms), `textDocument/didSave`, hover tooltips with rule explanation, code actions (suppress / explain). VS Code extension now launches the LSP client alongside its existing on-save analysis via `vscode-languageclient`. New file: `prometheus/lang-server.ts`.
155
+
156
+ **5 Bug Fixes:**
157
+
158
+ - **BUG-1** — Deleted dead code in `mcp.ts` line 743: `const README_OR_SRC = /(?:README|\.md$|\.txt$)|SOURCE_EXT/` (referenced literal `SOURCE_EXT` string instead of the regex variable; never used).
159
+ - **BUG-2** — Fixed NEXT_038 false positive: skip guard was checking `AUTH_IN_MIDDLEWARE` (which matches `NextResponse.redirect`) against route handler files, causing non-auth redirects to trigger the rule. Fix: gate on route handler export pattern only.
160
+ - **BUG-3** — Fixed PROTO_001 greedy regex: `[^}]*` with `s` flag matched across function boundaries when a merge function contained nested braces. Fix: bounded lazy `[\s\S]{0,300}?` / `[\s\S]{0,200}?` prevents cross-function matching.
161
+ - **BUG-4** — Fixed WS_006 miss: single-regex approach with `[^)]+\)` or `[\s\S]{0,100}?\)` both stop at the arrow function parameter `)` not the outer `ws.on(...)` `)`. Fix: two independent checks — `MSG_HANDLER_WITH_PARSE_RE` (presence of `ws.on("message")`) and `JSON_PARSE_RE` (presence of `JSON.parse`). Also fixed `VALIDATE_RE` false negative where `.parse\s*\(` matched `JSON.parse(` — fixed with negative lookbehind `(?<!JSON)`.
162
+ - **BUG-5** — Fixed AI_034 over-aggressive skip guard: `!/public|POST/.test(content)` skipped most real LLM proxy routes (`/api/chat`, `/api/generate`). Fix: path-based `isApiRoute()` / `isServerFile()` helpers identical to the pattern used in `vibe-coding.ts`.
163
+
164
+ **Test Coverage (210 new tests across 5 previously untested modules):**
165
+
166
+ - `rules/mcp.test.ts` — 64 tests for MCP_001–020
167
+ - `rules/rag.test.ts` — 49 tests for RAG_001–015
168
+ - `rules/websocket.test.ts` — 40 tests for WS_001–012
169
+ - `rules/prototype.test.ts` — 34 tests for PROTO_001–010
170
+ - `rules/jwt.test.ts` — 43 tests for JWT_001–013 (including AUTH_008–013)
171
+ - Total test suite: **2623 tests** (2413 previous + 210 new)
172
+
173
+ ### Changed
174
+
175
+ - `prometheus/fix.ts` now imports `PROMETHEUS_RULES` and `runReview` to power `verifyFix()`.
176
+ - `prometheus/bin/commands/fix.ts` gains `--verify` flag.
177
+ - `extensions/vscode/src/extension.ts` now lazily starts an LSP client (requires `vscode-languageclient` installed).
178
+ - `extensions/vscode/package.json` adds `vscode-languageclient ^9.0.1` as a runtime dependency.
179
+
180
+ ---
181
+
182
+ ## [2.0.0] — 2026-06-20
183
+
184
+ ### Added
185
+
186
+ **6 New Governance Pillars:**
187
+
188
+ - **Pillar 1 — MCP Server** (`prometheus mcp:serve`, `prometheus mcp:install`) — Prometheus becomes a Model Context Protocol server. AI assistants call `scan_file`, `explain_rule`, `get_health`, `lint_commit`, and `get_context` *before* generating code. `mcp:install` writes the server entry into `~/.claude/settings.json`. New files: `prometheus/mcp-server.ts`, `prometheus/bin/commands/mcp.ts`.
189
+
190
+ - **Pillar 2 — Dependency Security** (`prometheus deps:audit`) — Async CVE scanning via OSV.dev (`api.osv.dev/v1/querybatch`). Results cached in `.prometheus/dep-cache.json` (24h TTL) and consumed synchronously by 10 new DEP_001–010 rules: critical CVE (BLOCKER), high/medium CVE, abandoned-with-CVE, no integrity hash, git dependency, major drift, prerelease in prod, deprecated package, stale cache. SBOM export via `--sbom` flag in CycloneDX 1.4 format. New files: `prometheus/osv-client.ts`, `prometheus/rules/deps.ts`, `prometheus/bin/commands/deps.ts`.
191
+
192
+ - **Pillar 3 — Agent Governance** — 12 new AGNT_001–012 rules detecting missing scope declarations, unconstrained Bash, ungoverned MCP servers, absent hooks, no token budget, no audit trail, and unrestricted network access. Dual-directory guard (`.claude/` AND `.prometheus/` must both exist) prevents false positives in dev environments. Plus tamper-evident **Agent Audit Trail** (`prometheus agent:audit:log|verify|report|export|rotate`) — append-only `.prometheus/audit.jsonl` with sha256 hash-chained entries using `node:crypto`. `verify` detects tampering by recomputing the entire chain. New files: `prometheus/agent-audit.ts`, `prometheus/rules/agents.ts`, `prometheus/bin/commands/agent-audit.ts`.
193
+
194
+ - **Pillar 4 — SARIF Output** (`prometheus validate --sarif`) — SARIF 2.1.0 JSON for GitHub Security tab, VS Code Problems panel, Azure DevOps. All 911 rules emit full `reportingDescriptor` metadata. `prometheus ci:github-security` generates a GitHub Actions workflow that uploads `prometheus.sarif` to `github/codeql-action/upload-sarif@v3`. New file: `prometheus/sarif.ts`.
195
+
196
+ - **Pillar 5 — License Compliance** — 10 new LIC_001–010 rules: GPL in commercial projects (BLOCKER), unknown/UNLICENSED deps, LGPL copyleft, missing LICENSE file, proprietary dep, invalid SPDX, dual-license ambiguity, AI training restriction, GPL/Apache incompatibility (BLOCKER), missing NOTICE file. All rules use the `changedFiles !== undefined` filesystem guard to avoid false positives in changed-files mode. New file: `prometheus/rules/license.ts`.
197
+
198
+ - **Pillar 6 — GDPR Compliance Pack** (`prometheus compliance:report --standard gdpr`) — 15 new GDPR_001–015 rules covering: PII in console.log, analytics without consent, cookie without consent banner, PII in URL params, PII in localStorage, missing data deletion endpoint, PII in external logging (BLOCKER), unencrypted PII in Prisma schema, missing privacy policy link, third-party tracking without consent, PII in API error responses (BLOCKER), missing retention policy, session without expiry, real PII in test fixtures, and IP storage without consent. `compliance:report --standard gdpr` generates an audit-ready Markdown evidence report mapping each finding to its GDPR article. New files: `prometheus/rules/gdpr.ts`, `prometheus/bin/commands/compliance.ts`.
199
+
200
+ **3 Quick Wins:**
201
+
202
+ - **Governance Certificate** (`prometheus certificate:generate`, `prometheus certificate:verify`) — Signed JSON artifact per delivery with sha256 hash chain for tamper detection. Fields: `rulesChecked`, `blockers`, `healthScore`, `healthGrade`, `hash`, `chain`. Agencies include in every delivery. New file: `prometheus/bin/commands/certificate.ts`.
203
+
204
+ - **Health Badge** (`prometheus health --badge`) — Prints shield.io badge markdown to stdout. Color ranges: ≥80 brightgreen, ≥70 green, ≥60 yellowgreen, ≥50 yellow, ≥40 orange, <40 red.
205
+
206
+ - **AI Code Fingerprinting** (`prometheus ai:fingerprint`) — Detects AI-generated files using git Co-Authored-By commit markers and static content heuristics (over-explained comments, step-numbered blocks, AI docstring patterns, boilerplate try/catch). Reports `aiGeneratedEstimate`, `topTool`, and per-file confidence scores. `--format json` for machine-readable output. New file: `prometheus/bin/commands/ai-fingerprint.ts`.
207
+
208
+ - Total rule count: **911** (864 previous + 12 AGNT + 10 DEP + 10 LIC + 15 GDPR).
209
+
210
+ ### Changed
211
+
212
+ - `formatFindingsSarif()` in `review.ts` now delegates to `sarif.ts` for full rule metadata emission — all 911 rules appear in SARIF output regardless of whether they have findings.
213
+ - `prometheus health --badge` added as a new flag to the existing `health` command.
214
+ - README rule counts updated from 864 → 911.
215
+
216
+ ---
217
+
218
+ ## [1.3.0] — 2026-06-20
219
+
220
+ ### Added
221
+
222
+ - **Conventional Commits Governance** (`prometheus commit:lint`, `prometheus commit:create`) — 10 new COMMIT_001–010 rules validate commit messages against the Conventional Commits specification using the standard `detect()` sentinel pattern (path `.git/COMMIT_EDITMSG`). Rules integrate with `explain`, `baseline`, and `suppressions:audit` automatically. `commit:lint` validates messages from the `commit-msg` hook, `--last`, or `--message "..."`. `commit:create` is an interactive wizard for building valid commit messages step-by-step.
223
+ - **Vercel Deployment Governance** (`prometheus vercel:lint`) — 10 new VERCEL_001–010 rules covering: literal secrets in `vercel.json` (BLOCKER), server secrets with `NEXT_PUBLIC_` prefix (BLOCKER), cron routes missing `CRON_SECRET` check (HIGH), env vars not documented in `.env.example` (HIGH), missing `.env.example` when env vars are used (HIGH), missing `maxDuration` in function config (MEDIUM), middleware missing edge runtime export (MEDIUM), missing security headers (MEDIUM), `maxDuration` exceeding plan limit (LOW), and open redirect patterns in redirects config (HIGH).
224
+ - **`commit-msg` git hook enforcement** — `prometheus hooks install --commit-msg` now writes a real enforcement block calling `prometheus commit:lint "$1"`. Previously a no-op placeholder.
225
+ - **`commitLint` and `vercel` config sections** in `ThesmosConfig` — customise allowed commit types, max subject length, ticket patterns, Vercel plan limits, and cron auth requirements via `.prometheus/config.json`.
226
+ - Total rule count: **864** (844 previous + 10 COMMIT + 10 VERCEL).
227
+
228
+ ### Changed
229
+
230
+ - `generateHookBlock('commit-msg')` now generates a real enforcement script instead of a placeholder comment.
231
+ - `HookInstallOptions` gains optional `commitMsg?: boolean` field; `hooks install --commit-msg` installs the `commit-msg` hook alongside `pre-commit` and `pre-push`.
232
+
233
+ ---
234
+
235
+ ## [1.2.0] — 2026-06-18
236
+
237
+ ### Added
238
+
239
+ - **Slopsquatting Guard** (`prometheus import:scan`) — validates every npm/PyPI package in changed files against live registry APIs. Flags phantom packages (404), newly-registered packages (< 30 days old), and typosquat candidates (edit distance ≤ 2 from top packages). Works offline with graceful degradation. 10 new rules: SLOP_006–015.
240
+ - **Agent Scope Enforcement** (`prometheus scope:*`) — `.prometheus/scope.json` defines workspace boundaries and operation limits. PreToolUse hook intercepts every Write/Edit/Bash call and exits 2 on scope violations. Commands: `scope:init`, `scope:status`, `scope:check`.
241
+ - **Token Budget Governance** (`prometheus tokens:*`) — PostToolUse hook logs token usage per tool call to `.prometheus/token-usage.jsonl`. Enforces configurable session, daily, and project cost caps with alert and hard-stop thresholds. Commands: `tokens:report`, `tokens:reset`, `tokens:budget`.
242
+ - **AI Debt Fingerprinting** (`prometheus debt:scan`) — 20 new DEBT_001–020 rules that detect AI-specific code debt patterns traditional linters miss: duplicate function bodies, swallowed errors, magic numbers, O(n²) nested loops, vague variable names, commented-out blocks, missing `finally`, and more. Outputs a 0–100 debt score with A–F grade.
243
+ - **Context Health + Session Handoff** (`prometheus context:*`) — generates `.prometheus/context.md` from the live codebase (stack, established patterns, active constraints). `thesmos adapters` now auto-updates the snapshot. CLAUDE.md preamble now references `context.md` as step 1. Commands: `context:snapshot`, `context:health`.
244
+ - **Bash tool governance** — `claude:govern` PreToolUse hook now intercepts `Bash(npm install *)` / `Bash(pip install *)` calls and validates package names before they execute.
245
+ - **PostToolUse budget hook** — added to `.claude/settings.json` alongside existing PreToolUse and Stop hooks.
246
+ - **`tokenBudget` in `ThesmosConfig`** — configure token budgets directly in `.prometheus/config.json`.
247
+
248
+ ### Fixed
249
+
250
+ - Token budget hook now reads usage from `hookData.usage` (top-level) — was incorrectly reading from `hookData.tool_response.usage` which is never populated.
251
+ - PyPI age check now uses the package's first-ever release date across all versions, not the latest-version upload time (which caused established packages to falsely appear new on release day).
252
+ - DEBT_007 (commented-out blocks) now correctly emits findings for blocks that run to end of file.
253
+ - DEBT_011 (magic numbers) no longer flags `UPPER_SNAKE_CASE` constant definitions — naming the constant is the correct fix.
254
+ - DEBT_007 now skips JSDoc blocks (`/**`) to prevent false-positives on `@example` code snippets.
255
+ - `getScopeStatus` now reports `allowDelete: false` / `allowGitPush: false` when unconfigured (was reporting `true`, implying permissions were granted when no scope was configured).
256
+ - CI: added `@rolldown/binding-linux-x64-gnu` and `linux-x64-musl` entries with resolved/integrity hashes to root lockfile (npm optional-dep bug identical to the lightningcss fix in 1.1.0).
257
+
258
+ ### Changed
259
+
260
+ - `thesmos adapters` now auto-generates `.prometheus/context.md` on every run.
261
+ - CLAUDE.md "Before Each Task" checklist renumbered 1–12; step 1 now reads `.prometheus/context.md`.
262
+ - Token budget model cost table expanded with legacy date-suffixed model IDs (`claude-3-5-sonnet-20241022`, etc.) reported by older Claude Code versions.
263
+
264
+ ---
265
+
266
+ ## [1.1.0] — 2026-06-17
267
+
268
+ ### Added
269
+
270
+ - **57 new governance rules** across three new domains:
271
+ - **Python** (19 rules, PY_026–PY_045): async/await pitfalls, shell injection, `pickle`/`marshal` RCE, FastAPI/Django security patterns, Pydantic v2 migration, blocking I/O in async context, and more.
272
+ - **GraphQL** (25 rules, GQL_001–GQL_025): query depth/complexity limits, resolver auth enforcement, N+1 without DataLoader, introspection disabled in production, type correctness, and production hardening.
273
+ - **Terraform** (13 rules, TF_013–TF_025): sensitive IAM wildcards, open security groups (0.0.0.0/0), RDS deletion protection, KMS key rotation, secrets in `user_data`, `prevent_destroy` on critical resources, and S3 versioning.
274
+ - **3 new catalog agents**: `python-reviewer`, `graphql-reviewer`, `infrastructure-reviewer` — available via `prometheus catalog:enable`.
275
+ - **`prometheus claude:govern`** — installs Claude Code hooks into `.claude/settings.json` for real-time governance in Auto Mode:
276
+ - `PreToolUse` (Write/Edit): blocks tool call (exit 2) if content contains any BLOCKER finding.
277
+ - `Stop`: runs `prometheus drift` after each session to detect adapter staleness.
278
+ - Install is idempotent; a `_prometheus_governance` marker prevents duplicate hook entries.
279
+ - Autopilot permission profiles now preserve governance hooks when written/restored.
280
+
281
+ ### Fixed
282
+
283
+ - Lockfile: added Linux lightningcss binaries (`lightningcss-linux-x64-gnu`, `lightningcss-linux-x64-musl`) with resolved/integrity hashes to fix CI failures on Ubuntu runners (npm optional-dependency bug).
284
+ - Multiple audit findings: security hardening, dead code removal, and wiring corrections across core modules.
285
+
286
+ ---
287
+
288
+ ## [1.0.0] — 2026-06-10
289
+
290
+ ### Added
291
+
292
+ - **142 governance rules** across 8 categories: security, TypeScript, React, Next.js, AI/LLM, performance, database, and code quality
293
+ - **6 AI adapter targets**: Claude (`CLAUDE.md`), Gemini (`GEMINI.md`), Cursor (`.cursor/rules/prometheus.mdc`), Copilot (`.github/copilot-instructions.md`), Codex (`.codex/prometheus.md`), and `AGENTS.md` — all generated from a single canonical rule registry with zero duplication
294
+ - **CLI commands**: `init`, `scan`, `review`, `validate`, `audit`, `doctor`, `ci-check`, `adapters`, `drift`, `baseline:*`, `explain`, `suppressions:audit`, `metrics`, `pack:*`, `health`, `ci`, `fix`, `update`, `catalog:*`, `agent:create`, `skill:create`
295
+ - **Governance folder** (`.prometheus/`): README, config, GUARDRAILS, RULES, governance docs, architecture docs, and a GitHub Actions workflow — all scaffolded by `prometheus init`
296
+ - **Baseline system**: snapshot known technical debt so new violations are caught without blocking existing codebases
297
+ - **Inline suppressions**: `// prometheus-disable-next-line <id> -- reason: <text>` with expiry dates and audit trail
298
+ - **Health score** (0–100 with letter grade): synthesises findings, drift, suppressions, and baseline into a single governance grade
299
+ - **Metrics engine**: local-first, privacy-safe governance analytics with history tracking
300
+ - **Drift detection**: 12 categories of stale/missing governance artifacts
301
+ - **Rule explanation engine**: `prometheus explain <rule-id>` shows why a rule exists, good/bad examples, and related playbooks
302
+ - **Catalog system**: 50+ built-in agents and 50+ built-in skills; 5 composable profiles (base, web, next-supabase, enterprise)
303
+ - **Pack system**: extensible rule bundles for third-party frameworks
304
+ - **Zero runtime dependencies**: the entire tool ships without a single production dependency
305
+ - **JSON Schema** for `.prometheus/config.json`: add `$schema` for full editor autocomplete and validation
306
+ - **GitHub Actions CI/CD**: workflows for continuous integration (Node 18/20/22 matrix) and npm publishing on version tags
307
+
308
+ [1.0.0]: https://github.com/Holley-Studio/thesmos-governance/releases/tag/v1.0.0
package/LICENSE ADDED
@@ -0,0 +1,76 @@
1
+ Functional Source License, Version 1.1, MIT Future License
2
+
3
+ Copyright (c) 2024 Matt Holley
4
+
5
+ Parameters
6
+
7
+ Licensor: Matt Holley
8
+ Licensed Work: Prometheus Governance
9
+ The Licensed Work is © 2024 Matt Holley
10
+ Change Date: 2030-06-17 (four years from first publication)
11
+ Change License: MIT License
12
+
13
+ For information about alternative licensing arrangements for the Licensed Work,
14
+ please contact holley42@yahoo.com.
15
+
16
+ ---
17
+
18
+ License Grant
19
+
20
+ Subject to the terms and conditions of this license, each Licensor hereby
21
+ grants to you a non-exclusive, royalty-free, worldwide, non-sublicensable,
22
+ non-transferable license to use, copy, distribute, make available, and prepare
23
+ derivative works of the Licensed Work, in each case subject to the limitations
24
+ and conditions below.
25
+
26
+ Use Limitation
27
+
28
+ You may make use of the Licensed Work, provided that you may not use the
29
+ Licensed Work for a Competing Use. A Competing Use means making available any
30
+ on-premises or hosted version of the Licensed Work or a substantially similar
31
+ offering to third parties on a commercial basis.
32
+
33
+ Distribution Limitation
34
+
35
+ You may distribute the Licensed Work or a derivative work in source code or
36
+ compiled form, subject to the following conditions:
37
+
38
+ 1. Notices: You must include all copyright notices, license notices, and
39
+ disclaimers included in the Licensed Work in any copy or distribution.
40
+
41
+ 2. License: You must ensure that all recipients of any distributed copy of the
42
+ Licensed Work receive a copy of this license. The full text of this license
43
+ must be included with any distribution.
44
+
45
+ Patent License
46
+
47
+ Subject to the terms and conditions of this license, each Licensor hereby
48
+ grants to you a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
49
+ irrevocable (except as stated in this section) patent license to make, have
50
+ made, use, offer to sell, sell, import, and otherwise transfer the Licensed
51
+ Work, where such license applies only to those patent claims licensable by
52
+ such Licensor that are necessarily infringed by their contribution(s) alone or
53
+ by combination of their contribution(s) with the Licensed Work to which such
54
+ contribution(s) was submitted.
55
+
56
+ Disclaimer
57
+
58
+ THE LICENSED WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
59
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
60
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
61
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
62
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
63
+ OUT OF OR IN CONNECTION WITH THE LICENSED WORK OR THE USE OR OTHER DEALINGS IN
64
+ THE LICENSED WORK.
65
+
66
+ Condition
67
+
68
+ Upon the Change Date, or upon publication of a new version of the Licensed
69
+ Work under the Change License, the Licensed Work is automatically licensed
70
+ to you under the terms of the Change License, with the following conditions:
71
+
72
+ - The Change License grants you the rights of the Change License.
73
+ - The Change License is MIT License.
74
+
75
+ The preceding paragraph does not limit the rights of any person who received
76
+ the Licensed Work from a Licensor under a Change License.
@@ -0,0 +1,24 @@
1
+ # Commercial Licensing
2
+
3
+ Prometheus Governance is released under the [Functional Source License 1.1 (FSL-1.1-MIT)](LICENSE).
4
+
5
+ FSL permits free use for personal projects, internal tooling, and open source work. It restricts offering Prometheus Governance itself (or a substantially similar product built on it) as a commercial service or product to third parties.
6
+
7
+ ## When you need a commercial license
8
+
9
+ - You are building a SaaS product or hosted service powered by Prometheus Governance
10
+ - You are reselling or white-labeling Prometheus Governance
11
+ - You are bundling it into a commercial product sold to customers
12
+
13
+ ## Contact
14
+
15
+ To inquire about a commercial license, please reach out:
16
+
17
+ **Email:** holley42@yahoo.com
18
+ **GitHub:** https://github.com/Holley-Studio/thesmos-governance
19
+
20
+ Commercial licenses are available for teams, enterprises, and SaaS builders. We're happy to work out terms that fit your use case.
21
+
22
+ ---
23
+
24
+ On **June 17, 2030**, the FSL automatically converts to the MIT License and the software becomes fully open source with no restrictions.