thesmos-governance 4.0.0 → 4.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +53 -2
- package/package.json +21 -17
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,55 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 4.2.0
|
|
4
|
+
|
|
5
|
+
### Minor Changes
|
|
6
|
+
|
|
7
|
+
- 316bf4d: Expand built-in rule registry from 142 to 737 rules, add language packs, IaC security rules, pack authoring toolchain, and HTML report improvements.
|
|
8
|
+
|
|
9
|
+
**New rules (498 added across 16 domain and language files):**
|
|
10
|
+
|
|
11
|
+
- `imports.ts` — 20 rules covering barrel file performance, circular imports, side-effect imports, namespace imports, server modules in client code, missing `.js` extensions, lodash/moment bundle size, and more
|
|
12
|
+
- `state.ts` — 20 rules covering Zustand selector patterns, Redux mutations, Context instability, atom scope, localStorage in SSR, stale closures, and more
|
|
13
|
+
- `forms.ts` — 20 rules covering validation, accessibility (WCAG 1.3.1), CSRF, file upload types, RHF patterns, loading states, `aria-invalid`, and more
|
|
14
|
+
- `logging.ts` — 20 rules including PII in logs (BLOCKER), secrets in logs (BLOCKER), unstructured logs, missing context IDs, audit log gaps, and more
|
|
15
|
+
- `css.ts` — 20 rules covering Tailwind arbitrary values, missing responsive breakpoints, dark mode, z-index magic numbers, `outline-none` without `focus-visible` (WCAG 2.4.7), `prefers-reduced-motion`, and more
|
|
16
|
+
- `nextjs.ts` — expanded from 15 to 37 rules: `use server` placement, missing Suspense, static metadata, `cookies()` forcing dynamic render, raw `<img>`, Server Action revalidation, font optimisation, and more
|
|
17
|
+
- `react.ts` — expanded from 12 to 32 rules: missing keys, index keys, stale `useCallback`, `dangerouslySetInnerHTML` (BLOCKER), `useId` for a11y, debounce on search, and more
|
|
18
|
+
- `security.ts` — expanded from 22 to 40 rules: open redirect, mass assignment (BLOCKER), timing-safe comparison, JWT weak secret (BLOCKER), session fixation, clickjacking headers, plaintext passwords (BLOCKER), and more
|
|
19
|
+
- `typescript.ts` — expanded from 17 to 35 rules: double type assertions, missing return types, `satisfies` operator, `readonly` on config interfaces, excessive non-null assertions, and more
|
|
20
|
+
- `performance.ts` — expanded from 16 to 31 rules: LCP hero images, list virtualisation, runtime CSS-in-JS, passive scroll listeners, layout thrashing, waterfall `await` chains, and more
|
|
21
|
+
- `database.ts` — expanded from 16 to 31 rules: N+1 queries, missing Prisma FK indexes, transaction gaps, soft-delete patterns, connection pool singleton, cascade delete risk, and more
|
|
22
|
+
- `ai.ts` — expanded from 12 to 27 rules: prompt injection (BLOCKER), token limit validation, LLM output execution (BLOCKER), cost budgets, agent loop caps, system prompt leakage, content moderation, RAG citations, and more
|
|
23
|
+
- `python.ts` — 20 new rules: SQL injection via f-string, hardcoded secrets, pickle.loads (BLOCKER), eval/exec usage, subprocess shell injection, YAML unsafe load, weak crypto, path traversal, and more
|
|
24
|
+
- `django.ts` — 20 new rules: debug mode in production, missing CSRF middleware, raw SQL in ORM, open redirect, missing AUTH_PASSWORD_VALIDATORS, template injection via mark_safe, and more
|
|
25
|
+
- `go.ts` — 20 new rules: SQL concat in db.Query, goroutine leak in handlers, ioutil deprecated APIs, weak random, http.ListenAndServe on 0.0.0.0, missing context cancellation, and more
|
|
26
|
+
- `ruby.ts` — 20 new rules: ActiveRecord string interpolation (BLOCKER), params.permit! (BLOCKER), YAML.load unsafe (BLOCKER), missing authenticate before_action, skip_before_action auth, open redirect via redirect_to, and more
|
|
27
|
+
- `php.ts` — 20 new rules: SQL injection via concatenation/interpolation (BLOCKER), XSS echo without htmlspecialchars (BLOCKER), eval() (BLOCKER), command injection (BLOCKER), path traversal/LFI (BLOCKER), $guarded = [] mass assignment (BLOCKER), whereRaw() interpolation (BLOCKER), SSRF via file_get_contents (BLOCKER), unserialize on user input (BLOCKER), Blade missing @csrf, and more
|
|
28
|
+
|
|
29
|
+
**Pack runtime loading:**
|
|
30
|
+
|
|
31
|
+
- `loadPackRulesFromEntry(entry)` — dynamically imports `rules/index.js` from a single pack directory
|
|
32
|
+
- `loadPackRules(root)` — discovers all packs under `.thesmos/packs/` and `node_modules/@thesmos/` and loads their rules
|
|
33
|
+
- `getActiveRules(root)` — returns built-in rules merged with pack rules; pass to `runReview()` as second argument
|
|
34
|
+
- `thesmos review` and `thesmos validate` CLI commands now automatically load pack rules at startup
|
|
35
|
+
|
|
36
|
+
**Pack authoring toolchain:**
|
|
37
|
+
|
|
38
|
+
- `thesmos pack:create @scope/name` — scaffolds a complete pack directory with pack.json, rules/index.ts, agents/, skills/
|
|
39
|
+
- `thesmos pack:publish @scope/name` — compiles TypeScript rules to JS via tsup, validates pack.json schema, runs npm publish
|
|
40
|
+
|
|
41
|
+
**HTML report improvements:**
|
|
42
|
+
|
|
43
|
+
- Language breakdown table showing file counts per detected stack
|
|
44
|
+
- Pack inventory section listing active community packs
|
|
45
|
+
- Trend sparklines for Blockers, High findings, and Health Score from metrics history
|
|
46
|
+
|
|
47
|
+
**Multi-language scan:**
|
|
48
|
+
|
|
49
|
+
- `computeLanguageStats()` — counts files and lines per language/extension
|
|
50
|
+
- `detectStacks()` — infers frameworks (Laravel, Django, Rails, Go modules, etc.) from file patterns
|
|
51
|
+
- `thesmos scan` now shows a "Languages detected" table and "Detected stacks" in console output
|
|
52
|
+
|
|
3
53
|
All notable changes to `thesmos-governance` will be documented here.
|
|
4
54
|
|
|
5
55
|
The format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
@@ -26,6 +76,7 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
|
|
|
26
76
|
**Delegation map in Zeus updated** — Now includes all 34 God Agents including Metis, Momus, Proteus, Chiron, Cassandra, Calliope, Erato, Kratos, Aether, Polyhymnia, Talos, Clio, and Eos. Direct peer delegation rules added: any agent can invoke Momus (challenge check), Proteus (drift check), Argus (security), or Themis (legal) without routing through Zeus.
|
|
27
77
|
|
|
28
78
|
**Domain mastery sections added to all 37 existing agents** — Three new sections per agent inserted after `## Constraints`:
|
|
79
|
+
|
|
29
80
|
- `## Failure modes` — 3–5 domain-specific failure patterns with diagnostic questions
|
|
30
81
|
- `## Problem diagnosis` — 3–4 questions the agent asks before accepting the stated problem
|
|
31
82
|
- `## What makes this God Agent's judgment unique` — 4–5 non-obvious expert insights from deep domain experience
|
|
@@ -185,7 +236,7 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
|
|
|
185
236
|
|
|
186
237
|
**6 New Governance Pillars:**
|
|
187
238
|
|
|
188
|
-
- **Pillar 1 — MCP Server** (`prometheus mcp:serve`, `prometheus mcp:install`) — Prometheus becomes a Model Context Protocol server. AI assistants call `scan_file`, `explain_rule`, `get_health`, `lint_commit`, and `get_context`
|
|
239
|
+
- **Pillar 1 — MCP Server** (`prometheus mcp:serve`, `prometheus mcp:install`) — Prometheus becomes a Model Context Protocol server. AI assistants call `scan_file`, `explain_rule`, `get_health`, `lint_commit`, and `get_context` _before_ generating code. `mcp:install` writes the server entry into `~/.claude/settings.json`. New files: `prometheus/mcp-server.ts`, `prometheus/bin/commands/mcp.ts`.
|
|
189
240
|
|
|
190
241
|
- **Pillar 2 — Dependency Security** (`prometheus deps:audit`) — Async CVE scanning via OSV.dev (`api.osv.dev/v1/querybatch`). Results cached in `.prometheus/dep-cache.json` (24h TTL) and consumed synchronously by 10 new DEP_001–010 rules: critical CVE (BLOCKER), high/medium CVE, abandoned-with-CVE, no integrity hash, git dependency, major drift, prerelease in prod, deprecated package, stale cache. SBOM export via `--sbom` flag in CycloneDX 1.4 format. New files: `prometheus/osv-client.ts`, `prometheus/rules/deps.ts`, `prometheus/bin/commands/deps.ts`.
|
|
191
242
|
|
|
@@ -220,7 +271,7 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
|
|
|
220
271
|
### Added
|
|
221
272
|
|
|
222
273
|
- **Conventional Commits Governance** (`prometheus commit:lint`, `prometheus commit:create`) — 10 new COMMIT_001–010 rules validate commit messages against the Conventional Commits specification using the standard `detect()` sentinel pattern (path `.git/COMMIT_EDITMSG`). Rules integrate with `explain`, `baseline`, and `suppressions:audit` automatically. `commit:lint` validates messages from the `commit-msg` hook, `--last`, or `--message "..."`. `commit:create` is an interactive wizard for building valid commit messages step-by-step.
|
|
223
|
-
- **Vercel Deployment Governance** (`prometheus vercel:lint`) — 10 new
|
|
274
|
+
- **Vercel Deployment Governance** (`prometheus vercel:lint`) — 10 new VERCEL*001–010 rules covering: literal secrets in `vercel.json` (BLOCKER), server secrets with `NEXT_PUBLIC*`prefix (BLOCKER), cron routes missing`CRON_SECRET`check (HIGH), env vars not documented in`.env.example`(HIGH), missing`.env.example`when env vars are used (HIGH), missing`maxDuration`in function config (MEDIUM), middleware missing edge runtime export (MEDIUM), missing security headers (MEDIUM),`maxDuration` exceeding plan limit (LOW), and open redirect patterns in redirects config (HIGH).
|
|
224
275
|
- **`commit-msg` git hook enforcement** — `prometheus hooks install --commit-msg` now writes a real enforcement block calling `prometheus commit:lint "$1"`. Previously a no-op placeholder.
|
|
225
276
|
- **`commitLint` and `vercel` config sections** in `ThesmosConfig` — customise allowed commit types, max subject length, ticket patterns, Vercel plan limits, and cron auth requirements via `.prometheus/config.json`.
|
|
226
277
|
- Total rule count: **864** (844 previous + 10 COMMIT + 10 VERCEL).
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "thesmos-governance",
|
|
3
|
-
"version": "4.
|
|
3
|
+
"version": "4.2.0",
|
|
4
4
|
"description": "AI-stack-agnostic repo governance: 1,075 rules, MCP server, Learning Brain, Builder Wizard, and Pantheon agents for Claude, Gemini, Cursor, Copilot, Codex, and AGENTS.md",
|
|
5
5
|
"license": "SEE LICENSE IN LICENSE",
|
|
6
6
|
"author": {
|
|
@@ -52,7 +52,11 @@
|
|
|
52
52
|
],
|
|
53
53
|
"mcp": {
|
|
54
54
|
"command": "npx",
|
|
55
|
-
"args": [
|
|
55
|
+
"args": [
|
|
56
|
+
"thesmos-governance",
|
|
57
|
+
"mcp",
|
|
58
|
+
"--stdio"
|
|
59
|
+
],
|
|
56
60
|
"description": "Thesmos Governance MCP Server — repo governance tools for Claude, Cursor, Windsurf, and Codex"
|
|
57
61
|
},
|
|
58
62
|
"type": "module",
|
|
@@ -136,22 +140,22 @@
|
|
|
136
140
|
"thesmos:autopilot:generate": "tsx bin/cli.ts autopilot:generate",
|
|
137
141
|
"thesmos:autopilot:review": "tsx bin/cli.ts autopilot:review",
|
|
138
142
|
"thesmos:autopilot:stats": "tsx bin/cli.ts autopilot:stats",
|
|
139
|
-
"thesmos:claude:govern:install":
|
|
143
|
+
"thesmos:claude:govern:install": "tsx bin/cli.ts claude:govern install",
|
|
140
144
|
"thesmos:claude:govern:uninstall": "tsx bin/cli.ts claude:govern uninstall",
|
|
141
|
-
"thesmos:claude:govern:status":
|
|
142
|
-
"thesmos:import:scan":
|
|
143
|
-
"thesmos:scope:init":
|
|
144
|
-
"thesmos:scope:status":
|
|
145
|
-
"thesmos:scope:check":
|
|
146
|
-
"thesmos:tokens:report":
|
|
147
|
-
"thesmos:tokens:reset":
|
|
148
|
-
"thesmos:tokens:budget":
|
|
149
|
-
"thesmos:debt:scan":
|
|
150
|
-
"thesmos:context:snapshot":
|
|
151
|
-
"thesmos:context:health":
|
|
152
|
-
"thesmos:commit:lint":
|
|
153
|
-
"thesmos:commit:create":
|
|
154
|
-
"thesmos:vercel:lint":
|
|
145
|
+
"thesmos:claude:govern:status": "tsx bin/cli.ts claude:govern status",
|
|
146
|
+
"thesmos:import:scan": "tsx bin/cli.ts import:scan",
|
|
147
|
+
"thesmos:scope:init": "tsx bin/cli.ts scope:init",
|
|
148
|
+
"thesmos:scope:status": "tsx bin/cli.ts scope:status",
|
|
149
|
+
"thesmos:scope:check": "tsx bin/cli.ts scope:check",
|
|
150
|
+
"thesmos:tokens:report": "tsx bin/cli.ts tokens:report",
|
|
151
|
+
"thesmos:tokens:reset": "tsx bin/cli.ts tokens:reset",
|
|
152
|
+
"thesmos:tokens:budget": "tsx bin/cli.ts tokens:budget",
|
|
153
|
+
"thesmos:debt:scan": "tsx bin/cli.ts debt:scan",
|
|
154
|
+
"thesmos:context:snapshot": "tsx bin/cli.ts context:snapshot",
|
|
155
|
+
"thesmos:context:health": "tsx bin/cli.ts context:health",
|
|
156
|
+
"thesmos:commit:lint": "tsx bin/cli.ts commit:lint",
|
|
157
|
+
"thesmos:commit:create": "tsx bin/cli.ts commit:create",
|
|
158
|
+
"thesmos:vercel:lint": "tsx bin/cli.ts vercel:lint"
|
|
155
159
|
},
|
|
156
160
|
"optionalDependencies": {
|
|
157
161
|
"lightningcss-linux-x64-gnu": "1.32.0",
|