thesmos-governance 4.0.0 → 4.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/CHANGELOG.md +53 -2
  2. package/package.json +21 -17
package/CHANGELOG.md CHANGED
@@ -1,5 +1,55 @@
1
1
  # Changelog
2
2
 
3
+ ## 4.2.0
4
+
5
+ ### Minor Changes
6
+
7
+ - 316bf4d: Expand built-in rule registry from 142 to 737 rules, add language packs, IaC security rules, pack authoring toolchain, and HTML report improvements.
8
+
9
+ **New rules (498 added across 16 domain and language files):**
10
+
11
+ - `imports.ts` — 20 rules covering barrel file performance, circular imports, side-effect imports, namespace imports, server modules in client code, missing `.js` extensions, lodash/moment bundle size, and more
12
+ - `state.ts` — 20 rules covering Zustand selector patterns, Redux mutations, Context instability, atom scope, localStorage in SSR, stale closures, and more
13
+ - `forms.ts` — 20 rules covering validation, accessibility (WCAG 1.3.1), CSRF, file upload types, RHF patterns, loading states, `aria-invalid`, and more
14
+ - `logging.ts` — 20 rules including PII in logs (BLOCKER), secrets in logs (BLOCKER), unstructured logs, missing context IDs, audit log gaps, and more
15
+ - `css.ts` — 20 rules covering Tailwind arbitrary values, missing responsive breakpoints, dark mode, z-index magic numbers, `outline-none` without `focus-visible` (WCAG 2.4.7), `prefers-reduced-motion`, and more
16
+ - `nextjs.ts` — expanded from 15 to 37 rules: `use server` placement, missing Suspense, static metadata, `cookies()` forcing dynamic render, raw `<img>`, Server Action revalidation, font optimisation, and more
17
+ - `react.ts` — expanded from 12 to 32 rules: missing keys, index keys, stale `useCallback`, `dangerouslySetInnerHTML` (BLOCKER), `useId` for a11y, debounce on search, and more
18
+ - `security.ts` — expanded from 22 to 40 rules: open redirect, mass assignment (BLOCKER), timing-safe comparison, JWT weak secret (BLOCKER), session fixation, clickjacking headers, plaintext passwords (BLOCKER), and more
19
+ - `typescript.ts` — expanded from 17 to 35 rules: double type assertions, missing return types, `satisfies` operator, `readonly` on config interfaces, excessive non-null assertions, and more
20
+ - `performance.ts` — expanded from 16 to 31 rules: LCP hero images, list virtualisation, runtime CSS-in-JS, passive scroll listeners, layout thrashing, waterfall `await` chains, and more
21
+ - `database.ts` — expanded from 16 to 31 rules: N+1 queries, missing Prisma FK indexes, transaction gaps, soft-delete patterns, connection pool singleton, cascade delete risk, and more
22
+ - `ai.ts` — expanded from 12 to 27 rules: prompt injection (BLOCKER), token limit validation, LLM output execution (BLOCKER), cost budgets, agent loop caps, system prompt leakage, content moderation, RAG citations, and more
23
+ - `python.ts` — 20 new rules: SQL injection via f-string, hardcoded secrets, pickle.loads (BLOCKER), eval/exec usage, subprocess shell injection, YAML unsafe load, weak crypto, path traversal, and more
24
+ - `django.ts` — 20 new rules: debug mode in production, missing CSRF middleware, raw SQL in ORM, open redirect, missing AUTH_PASSWORD_VALIDATORS, template injection via mark_safe, and more
25
+ - `go.ts` — 20 new rules: SQL concat in db.Query, goroutine leak in handlers, ioutil deprecated APIs, weak random, http.ListenAndServe on 0.0.0.0, missing context cancellation, and more
26
+ - `ruby.ts` — 20 new rules: ActiveRecord string interpolation (BLOCKER), params.permit! (BLOCKER), YAML.load unsafe (BLOCKER), missing authenticate before_action, skip_before_action auth, open redirect via redirect_to, and more
27
+ - `php.ts` — 20 new rules: SQL injection via concatenation/interpolation (BLOCKER), XSS echo without htmlspecialchars (BLOCKER), eval() (BLOCKER), command injection (BLOCKER), path traversal/LFI (BLOCKER), $guarded = [] mass assignment (BLOCKER), whereRaw() interpolation (BLOCKER), SSRF via file_get_contents (BLOCKER), unserialize on user input (BLOCKER), Blade missing @csrf, and more
28
+
29
+ **Pack runtime loading:**
30
+
31
+ - `loadPackRulesFromEntry(entry)` — dynamically imports `rules/index.js` from a single pack directory
32
+ - `loadPackRules(root)` — discovers all packs under `.thesmos/packs/` and `node_modules/@thesmos/` and loads their rules
33
+ - `getActiveRules(root)` — returns built-in rules merged with pack rules; pass to `runReview()` as second argument
34
+ - `thesmos review` and `thesmos validate` CLI commands now automatically load pack rules at startup
35
+
36
+ **Pack authoring toolchain:**
37
+
38
+ - `thesmos pack:create @scope/name` — scaffolds a complete pack directory with pack.json, rules/index.ts, agents/, skills/
39
+ - `thesmos pack:publish @scope/name` — compiles TypeScript rules to JS via tsup, validates pack.json schema, runs npm publish
40
+
41
+ **HTML report improvements:**
42
+
43
+ - Language breakdown table showing file counts per detected stack
44
+ - Pack inventory section listing active community packs
45
+ - Trend sparklines for Blockers, High findings, and Health Score from metrics history
46
+
47
+ **Multi-language scan:**
48
+
49
+ - `computeLanguageStats()` — counts files and lines per language/extension
50
+ - `detectStacks()` — infers frameworks (Laravel, Django, Rails, Go modules, etc.) from file patterns
51
+ - `thesmos scan` now shows a "Languages detected" table and "Detected stacks" in console output
52
+
3
53
  All notable changes to `thesmos-governance` will be documented here.
4
54
 
5
55
  The format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
@@ -26,6 +76,7 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
26
76
  **Delegation map in Zeus updated** — Now includes all 34 God Agents including Metis, Momus, Proteus, Chiron, Cassandra, Calliope, Erato, Kratos, Aether, Polyhymnia, Talos, Clio, and Eos. Direct peer delegation rules added: any agent can invoke Momus (challenge check), Proteus (drift check), Argus (security), or Themis (legal) without routing through Zeus.
27
77
 
28
78
  **Domain mastery sections added to all 37 existing agents** — Three new sections per agent inserted after `## Constraints`:
79
+
29
80
  - `## Failure modes` — 3–5 domain-specific failure patterns with diagnostic questions
30
81
  - `## Problem diagnosis` — 3–4 questions the agent asks before accepting the stated problem
31
82
  - `## What makes this God Agent's judgment unique` — 4–5 non-obvious expert insights from deep domain experience
@@ -185,7 +236,7 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
185
236
 
186
237
  **6 New Governance Pillars:**
187
238
 
188
- - **Pillar 1 — MCP Server** (`prometheus mcp:serve`, `prometheus mcp:install`) — Prometheus becomes a Model Context Protocol server. AI assistants call `scan_file`, `explain_rule`, `get_health`, `lint_commit`, and `get_context` *before* generating code. `mcp:install` writes the server entry into `~/.claude/settings.json`. New files: `prometheus/mcp-server.ts`, `prometheus/bin/commands/mcp.ts`.
239
+ - **Pillar 1 — MCP Server** (`prometheus mcp:serve`, `prometheus mcp:install`) — Prometheus becomes a Model Context Protocol server. AI assistants call `scan_file`, `explain_rule`, `get_health`, `lint_commit`, and `get_context` _before_ generating code. `mcp:install` writes the server entry into `~/.claude/settings.json`. New files: `prometheus/mcp-server.ts`, `prometheus/bin/commands/mcp.ts`.
189
240
 
190
241
  - **Pillar 2 — Dependency Security** (`prometheus deps:audit`) — Async CVE scanning via OSV.dev (`api.osv.dev/v1/querybatch`). Results cached in `.prometheus/dep-cache.json` (24h TTL) and consumed synchronously by 10 new DEP_001–010 rules: critical CVE (BLOCKER), high/medium CVE, abandoned-with-CVE, no integrity hash, git dependency, major drift, prerelease in prod, deprecated package, stale cache. SBOM export via `--sbom` flag in CycloneDX 1.4 format. New files: `prometheus/osv-client.ts`, `prometheus/rules/deps.ts`, `prometheus/bin/commands/deps.ts`.
191
242
 
@@ -220,7 +271,7 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
220
271
  ### Added
221
272
 
222
273
  - **Conventional Commits Governance** (`prometheus commit:lint`, `prometheus commit:create`) — 10 new COMMIT_001–010 rules validate commit messages against the Conventional Commits specification using the standard `detect()` sentinel pattern (path `.git/COMMIT_EDITMSG`). Rules integrate with `explain`, `baseline`, and `suppressions:audit` automatically. `commit:lint` validates messages from the `commit-msg` hook, `--last`, or `--message "..."`. `commit:create` is an interactive wizard for building valid commit messages step-by-step.
223
- - **Vercel Deployment Governance** (`prometheus vercel:lint`) — 10 new VERCEL_001–010 rules covering: literal secrets in `vercel.json` (BLOCKER), server secrets with `NEXT_PUBLIC_` prefix (BLOCKER), cron routes missing `CRON_SECRET` check (HIGH), env vars not documented in `.env.example` (HIGH), missing `.env.example` when env vars are used (HIGH), missing `maxDuration` in function config (MEDIUM), middleware missing edge runtime export (MEDIUM), missing security headers (MEDIUM), `maxDuration` exceeding plan limit (LOW), and open redirect patterns in redirects config (HIGH).
274
+ - **Vercel Deployment Governance** (`prometheus vercel:lint`) — 10 new VERCEL*001–010 rules covering: literal secrets in `vercel.json` (BLOCKER), server secrets with `NEXT_PUBLIC*`prefix (BLOCKER), cron routes missing`CRON_SECRET`check (HIGH), env vars not documented in`.env.example`(HIGH), missing`.env.example`when env vars are used (HIGH), missing`maxDuration`in function config (MEDIUM), middleware missing edge runtime export (MEDIUM), missing security headers (MEDIUM),`maxDuration` exceeding plan limit (LOW), and open redirect patterns in redirects config (HIGH).
224
275
  - **`commit-msg` git hook enforcement** — `prometheus hooks install --commit-msg` now writes a real enforcement block calling `prometheus commit:lint "$1"`. Previously a no-op placeholder.
225
276
  - **`commitLint` and `vercel` config sections** in `ThesmosConfig` — customise allowed commit types, max subject length, ticket patterns, Vercel plan limits, and cron auth requirements via `.prometheus/config.json`.
226
277
  - Total rule count: **864** (844 previous + 10 COMMIT + 10 VERCEL).
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "thesmos-governance",
3
- "version": "4.0.0",
3
+ "version": "4.2.0",
4
4
  "description": "AI-stack-agnostic repo governance: 1,075 rules, MCP server, Learning Brain, Builder Wizard, and Pantheon agents for Claude, Gemini, Cursor, Copilot, Codex, and AGENTS.md",
5
5
  "license": "SEE LICENSE IN LICENSE",
6
6
  "author": {
@@ -52,7 +52,11 @@
52
52
  ],
53
53
  "mcp": {
54
54
  "command": "npx",
55
- "args": ["thesmos-governance", "mcp", "--stdio"],
55
+ "args": [
56
+ "thesmos-governance",
57
+ "mcp",
58
+ "--stdio"
59
+ ],
56
60
  "description": "Thesmos Governance MCP Server — repo governance tools for Claude, Cursor, Windsurf, and Codex"
57
61
  },
58
62
  "type": "module",
@@ -136,22 +140,22 @@
136
140
  "thesmos:autopilot:generate": "tsx bin/cli.ts autopilot:generate",
137
141
  "thesmos:autopilot:review": "tsx bin/cli.ts autopilot:review",
138
142
  "thesmos:autopilot:stats": "tsx bin/cli.ts autopilot:stats",
139
- "thesmos:claude:govern:install": "tsx bin/cli.ts claude:govern install",
143
+ "thesmos:claude:govern:install": "tsx bin/cli.ts claude:govern install",
140
144
  "thesmos:claude:govern:uninstall": "tsx bin/cli.ts claude:govern uninstall",
141
- "thesmos:claude:govern:status": "tsx bin/cli.ts claude:govern status",
142
- "thesmos:import:scan": "tsx bin/cli.ts import:scan",
143
- "thesmos:scope:init": "tsx bin/cli.ts scope:init",
144
- "thesmos:scope:status": "tsx bin/cli.ts scope:status",
145
- "thesmos:scope:check": "tsx bin/cli.ts scope:check",
146
- "thesmos:tokens:report": "tsx bin/cli.ts tokens:report",
147
- "thesmos:tokens:reset": "tsx bin/cli.ts tokens:reset",
148
- "thesmos:tokens:budget": "tsx bin/cli.ts tokens:budget",
149
- "thesmos:debt:scan": "tsx bin/cli.ts debt:scan",
150
- "thesmos:context:snapshot": "tsx bin/cli.ts context:snapshot",
151
- "thesmos:context:health": "tsx bin/cli.ts context:health",
152
- "thesmos:commit:lint": "tsx bin/cli.ts commit:lint",
153
- "thesmos:commit:create": "tsx bin/cli.ts commit:create",
154
- "thesmos:vercel:lint": "tsx bin/cli.ts vercel:lint"
145
+ "thesmos:claude:govern:status": "tsx bin/cli.ts claude:govern status",
146
+ "thesmos:import:scan": "tsx bin/cli.ts import:scan",
147
+ "thesmos:scope:init": "tsx bin/cli.ts scope:init",
148
+ "thesmos:scope:status": "tsx bin/cli.ts scope:status",
149
+ "thesmos:scope:check": "tsx bin/cli.ts scope:check",
150
+ "thesmos:tokens:report": "tsx bin/cli.ts tokens:report",
151
+ "thesmos:tokens:reset": "tsx bin/cli.ts tokens:reset",
152
+ "thesmos:tokens:budget": "tsx bin/cli.ts tokens:budget",
153
+ "thesmos:debt:scan": "tsx bin/cli.ts debt:scan",
154
+ "thesmos:context:snapshot": "tsx bin/cli.ts context:snapshot",
155
+ "thesmos:context:health": "tsx bin/cli.ts context:health",
156
+ "thesmos:commit:lint": "tsx bin/cli.ts commit:lint",
157
+ "thesmos:commit:create": "tsx bin/cli.ts commit:create",
158
+ "thesmos:vercel:lint": "tsx bin/cli.ts vercel:lint"
155
159
  },
156
160
  "optionalDependencies": {
157
161
  "lightningcss-linux-x64-gnu": "1.32.0",