thesmos-governance 4.2.0 → 4.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (136) hide show
  1. package/CHANGELOG.md +60 -60
  2. package/LICENSE +2 -2
  3. package/LICENSE-COMMERCIAL.md +4 -4
  4. package/README.md +12 -12
  5. package/catalog/agents/reviewers/accessibility-reviewer.md +2 -0
  6. package/catalog/agents/reviewers/ai-safety-reviewer.md +2 -0
  7. package/catalog/agents/reviewers/analytics-reviewer.md +2 -0
  8. package/catalog/agents/reviewers/api-reviewer.md +2 -0
  9. package/catalog/agents/reviewers/architecture-reviewer.md +2 -0
  10. package/catalog/agents/reviewers/ate-sql-injection-agent.md +2 -0
  11. package/catalog/agents/reviewers/auth-reviewer.md +2 -0
  12. package/catalog/agents/reviewers/backend-reviewer.md +2 -0
  13. package/catalog/agents/reviewers/build-system-reviewer.md +2 -0
  14. package/catalog/agents/reviewers/cerberus-oauth-agent.md +2 -0
  15. package/catalog/agents/reviewers/ci-reviewer.md +2 -0
  16. package/catalog/agents/reviewers/code-quality-reviewer.md +2 -0
  17. package/catalog/agents/reviewers/compliance-reviewer.md +2 -0
  18. package/catalog/agents/reviewers/content-reviewer.md +2 -0
  19. package/catalog/agents/reviewers/creative-director.md +2 -0
  20. package/catalog/agents/reviewers/data-fetching-reviewer.md +2 -0
  21. package/catalog/agents/reviewers/database-reviewer.md +2 -0
  22. package/catalog/agents/reviewers/dependency-reviewer.md +2 -0
  23. package/catalog/agents/reviewers/design-system-reviewer.md +2 -0
  24. package/catalog/agents/reviewers/devops-reviewer.md +3 -1
  25. package/catalog/agents/reviewers/documentation-reviewer.md +2 -0
  26. package/catalog/agents/reviewers/ecommerce-reviewer.md +2 -0
  27. package/catalog/agents/reviewers/error-handling-reviewer.md +2 -0
  28. package/catalog/agents/reviewers/feature-flag-reviewer.md +2 -0
  29. package/catalog/agents/reviewers/forms-reviewer.md +2 -0
  30. package/catalog/agents/reviewers/frontend-reviewer.md +2 -0
  31. package/catalog/agents/reviewers/fullstack-reviewer.md +2 -0
  32. package/catalog/agents/reviewers/governance-reviewer.md +2 -0
  33. package/catalog/agents/reviewers/graphql-reviewer.md +2 -0
  34. package/catalog/agents/reviewers/hades-credential-agent.md +2 -0
  35. package/catalog/agents/reviewers/hecate-prompt-injection-agent.md +2 -0
  36. package/catalog/agents/reviewers/incident-reviewer.md +2 -0
  37. package/catalog/agents/reviewers/infrastructure-reviewer.md +2 -0
  38. package/catalog/agents/reviewers/localization-reviewer.md +2 -0
  39. package/catalog/agents/reviewers/migration-reviewer.md +2 -0
  40. package/catalog/agents/reviewers/mobile-reviewer.md +2 -0
  41. package/catalog/agents/reviewers/monorepo-reviewer.md +2 -0
  42. package/catalog/agents/reviewers/nemesis-supply-chain-agent.md +2 -0
  43. package/catalog/agents/reviewers/nextjs-reviewer.md +2 -0
  44. package/catalog/agents/reviewers/nyx-api-enumeration-agent.md +2 -0
  45. package/catalog/agents/reviewers/observability-reviewer.md +2 -0
  46. package/catalog/agents/reviewers/onboarding-reviewer.md +2 -0
  47. package/catalog/agents/reviewers/package-publishing-reviewer.md +2 -0
  48. package/catalog/agents/reviewers/performance-reviewer.md +2 -0
  49. package/catalog/agents/reviewers/privacy-reviewer.md +2 -0
  50. package/catalog/agents/reviewers/product-reviewer.md +2 -0
  51. package/catalog/agents/reviewers/prompt-engineering-reviewer.md +2 -0
  52. package/catalog/agents/reviewers/python-reviewer.md +2 -0
  53. package/catalog/agents/reviewers/react-reviewer.md +2 -0
  54. package/catalog/agents/reviewers/refactor-reviewer.md +2 -0
  55. package/catalog/agents/reviewers/release-readiness-reviewer.md +2 -0
  56. package/catalog/agents/reviewers/security-reviewer.md +2 -0
  57. package/catalog/agents/reviewers/seo-reviewer.md +2 -0
  58. package/catalog/agents/reviewers/shopify-reviewer.md +2 -0
  59. package/catalog/agents/reviewers/state-management-reviewer.md +2 -0
  60. package/catalog/agents/reviewers/supabase-reviewer.md +2 -0
  61. package/catalog/agents/reviewers/testing-reviewer.md +2 -0
  62. package/catalog/agents/reviewers/typescript-reviewer.md +2 -0
  63. package/catalog/agents/reviewers/ux-reviewer.md +2 -0
  64. package/catalog/agents/reviewers/wordpress-reviewer.md +2 -0
  65. package/catalog/skills/a11y-audit.md +1 -1
  66. package/catalog/skills/adapter-sync.md +10 -10
  67. package/catalog/skills/add-tests.md +2 -2
  68. package/catalog/skills/ai-prompt-review.md +1 -1
  69. package/catalog/skills/analytics-compliance.md +1 -1
  70. package/catalog/skills/api-deprecation-review.md +1 -1
  71. package/catalog/skills/api-design-review.md +1 -1
  72. package/catalog/skills/auth-flow-review.md +1 -1
  73. package/catalog/skills/build-optimization.md +1 -1
  74. package/catalog/skills/ci-pipeline-audit.md +1 -1
  75. package/catalog/skills/component-audit.md +1 -1
  76. package/catalog/skills/cors-audit.md +1 -1
  77. package/catalog/skills/csp-audit.md +1 -1
  78. package/catalog/skills/data-fetching-audit.md +1 -1
  79. package/catalog/skills/database-schema-review.md +1 -1
  80. package/catalog/skills/dependency-audit.md +1 -1
  81. package/catalog/skills/design-token-audit.md +1 -1
  82. package/catalog/skills/documentation-audit.md +1 -1
  83. package/catalog/skills/e2e-test-review.md +1 -1
  84. package/catalog/skills/env-variable-audit.md +2 -2
  85. package/catalog/skills/error-boundary-audit.md +1 -1
  86. package/catalog/skills/feature-flag-audit.md +1 -1
  87. package/catalog/skills/final-hardening-pass.md +4 -4
  88. package/catalog/skills/generate-report.md +2 -2
  89. package/catalog/skills/graphql-schema-review.md +2 -2
  90. package/catalog/skills/i18n-audit.md +1 -1
  91. package/catalog/skills/incident-postmortem.md +1 -1
  92. package/catalog/skills/infrastructure-security-review.md +2 -2
  93. package/catalog/skills/init-governance.md +9 -9
  94. package/catalog/skills/integration-test-review.md +1 -1
  95. package/catalog/skills/logging-audit.md +1 -1
  96. package/catalog/skills/migration-safety-check.md +1 -1
  97. package/catalog/skills/monorepo-dependency-graph.md +1 -1
  98. package/catalog/skills/observability-review.md +1 -1
  99. package/catalog/skills/onboarding-audit.md +1 -1
  100. package/catalog/skills/performance-profile.md +1 -1
  101. package/catalog/skills/pr-review.md +6 -6
  102. package/catalog/skills/python-async-audit.md +2 -2
  103. package/catalog/skills/rate-limit-audit.md +1 -1
  104. package/catalog/skills/refactor-impact-analysis.md +1 -1
  105. package/catalog/skills/release-checklist.md +3 -3
  106. package/catalog/skills/repo-health-audit.md +5 -5
  107. package/catalog/skills/rls-policy-audit.md +1 -1
  108. package/catalog/skills/scan-codebase.md +3 -3
  109. package/catalog/skills/secret-scan.md +2 -2
  110. package/catalog/skills/security-scan.md +3 -3
  111. package/catalog/skills/seo-audit.md +1 -1
  112. package/catalog/skills/staged-change-review.md +2 -2
  113. package/catalog/skills/state-audit.md +1 -1
  114. package/catalog/skills/test-coverage-report.md +3 -3
  115. package/catalog/skills/typescript-strict-mode.md +2 -2
  116. package/catalog/skills/validate-rules.md +8 -8
  117. package/catalog/skills/webhook-security-review.md +1 -1
  118. package/dist/chunk-CFZYUTI5.js +53 -0
  119. package/dist/chunk-NNBMRFC7.js +84 -0
  120. package/dist/{chunk-7GCSYG7G.js → chunk-O624A53O.js} +24 -3
  121. package/dist/{chunk-EVQAWKS4.js → chunk-PABK62WO.js} +1 -1
  122. package/dist/{chunk-SVE6NZBV.js → chunk-Q4PVEMEN.js} +2778 -135
  123. package/dist/chunk-RG2UYI73.js +1039 -0
  124. package/dist/{chunk-FFZCCMLT.js → chunk-UXMN2OKJ.js} +2746 -111
  125. package/dist/cli.js +8629 -6463
  126. package/dist/{config-X235D23R.js → config-72CZV7A6.js} +3 -2
  127. package/dist/{git-IZFKH3GY.js → git-DO2YR34V.js} +5 -2
  128. package/dist/index.d.ts +114 -19
  129. package/dist/index.js +785 -410
  130. package/dist/{registry-A66NBHXV.js → registry-D75IVQU3.js} +4 -3
  131. package/dist/registry-Y6KQ2L4L.js +6 -0
  132. package/dist/{review-2FTGISZG.js → review-7N6HVVSX.js} +4 -3
  133. package/package.json +16 -6
  134. package/dist/chunk-D5UANPA5.js +0 -61
  135. package/dist/chunk-VG2453HG.js +0 -176
  136. package/dist/registry-UMT2SOUG.js +0 -6
package/CHANGELOG.md CHANGED
@@ -1,6 +1,6 @@
1
1
  # Changelog
2
2
 
3
- ## 4.2.0
3
+ ## 4.5.0
4
4
 
5
5
  ### Minor Changes
6
6
 
@@ -65,7 +65,7 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
65
65
 
66
66
  **3 New God Agents (catalog: 70 → 73, Pantheon: 31 → 34):**
67
67
 
68
- - **God Agent Proteus** (`proteus-drift-agent`) — Drift & Alignment Monitor. Detects product drift, prompt drift, architecture drift, brand drift, strategy drift, and governance drift. Compares the current state against documented baselines; surfaces findings by domain with severity (BLOCKER/HIGH/MEDIUM/LOW) and delegates corrections to domain specialists. Integrates with `prometheus drift` (infrastructure) and `.prometheus/brain.md` (context baseline). Governed by AGNT_001, MCP_001.
68
+ - **God Agent Proteus** (`proteus-drift-agent`) — Drift & Alignment Monitor. Detects product drift, prompt drift, architecture drift, brand drift, strategy drift, and governance drift. Compares the current state against documented baselines; surfaces findings by domain with severity (BLOCKER/HIGH/MEDIUM/LOW) and delegates corrections to domain specialists. Integrates with `thesmos drift` (infrastructure) and `.thesmos/brain.md` (context baseline). Governed by AGNT_001, MCP_001.
69
69
  - **God Agent Momus** (`momus-challenger-agent`) — Challenger & Clarity Enforcer. Challenges plans, ideas, and research before they execute using Socratic method, Gary Klein's Pre-mortem, Charlie Munger's Inversion, Red Team thinking, and Five Whys. Delivers: premise check, 3 weakest assumptions, 5 unasked questions, 3 failure scenarios, specificity demands, and unrepresented interests. Auto-invoked by Zeus before irreversible decisions. Governed by AGNT_001, LIC_001.
70
70
  - **God Agent Metis** (`metis-pm-agent`) — Project Manager & Execution Planner. Converts plans into executable phases with entry/exit criteria, critical path (CPM), RACI ownership tables, risk registers, definitions of done, and status templates. Auto-invoked by Zeus before plans longer than 4 weeks and by Daedalus after PRD approval. Governed by AGNT_001, SC_002.
71
71
 
@@ -83,15 +83,15 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
83
83
 
84
84
  ### Changed
85
85
 
86
- - **`prometheus/package.json`** — version `3.5.0` → `3.6.0`
87
- - **`prometheus/catalog.test.ts`** — agent count assertion `70` → `73`
88
- - **`prometheus/bin/commands/compliance.ts`** — footer version `v3.5.0` → `v3.6.0`
89
- - **`prometheus/adapters.ts`** — added `generatePantheonProtocol()` function; `generateClaudeRules` now appends Universal Protocol to every CLAUDE.md output
86
+ - **`thesmos/package.json`** — version `3.5.0` → `3.6.0`
87
+ - **`thesmos/catalog.test.ts`** — agent count assertion `70` → `73`
88
+ - **`thesmos/bin/commands/compliance.ts`** — footer version `v3.5.0` → `v3.6.0`
89
+ - **`thesmos/adapters.ts`** — added `generatePantheonProtocol()` function; `generateClaudeRules` now appends Universal Protocol to every CLAUDE.md output
90
90
 
91
91
  ### Website & Documentation
92
92
 
93
- - **`holley.studio/prometheus`** — version badge `v3.5.0` → `v3.6.0`, Pantheon count `31` → `34`, 3 new Pantheon cards (Proteus, Momus, Metis), new "Why Prometheus is Different" section with 4-card comparison and competitive table
94
- - **`prometheus/README.md`** — new "Why Prometheus is different" section with 7 key selling points and feature comparison table
93
+ - **`holley.studio/thesmos`** — version badge `v3.5.0` → `v3.6.0`, Pantheon count `31` → `34`, 3 new Pantheon cards (Proteus, Momus, Metis), new "Why Thesmos is Different" section with 4-card comparison and competitive table
94
+ - **`thesmos/README.md`** — new "Why Thesmos is different" section with 7 key selling points and feature comparison table
95
95
 
96
96
  ---
97
97
 
@@ -102,7 +102,7 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
102
102
  **10 New Pantheon Agents — Creative, Business, and Developer Workflow:**
103
103
 
104
104
  - **Calliope** (`calliope-email-agent`) — Email Design & HTML/MJML Agent. MJML source code, compiled HTML email templates, responsive cross-client design, deliverability checklists, A/B variant specs. Governed by GDPR_004 (no PII in email URLs), SEC_008 (no secrets in templates), GDPR_001 (consent gate awareness).
105
- - **Talos** (`talos-web-dev-agent`) — Web Dev & Implementation Agent. Production-ready Next.js/React/TypeScript components, API routes, database queries, and test scaffolds. Runs a mental Prometheus governance scan on every file before delivery. Governed by SEC_004, AUTH_002, NEXT_003, MCP_001.
105
+ - **Talos** (`talos-web-dev-agent`) — Web Dev & Implementation Agent. Production-ready Next.js/React/TypeScript components, API routes, database queries, and test scaffolds. Runs a mental Thesmos governance scan on every file before delivery. Governed by SEC_004, AUTH_002, NEXT_003, MCP_001.
106
106
  - **Clio** (`clio-case-study-agent`) — Case Study & Social Proof Agent. Customer interview frameworks (STAR structure), first draft with [VERIFY] placeholders, ROI calculation worksheets, testimonial pull quotes, LinkedIn post versions, and PDF design briefs for Hephaestus. Governed by LIC_001 (no fabricated quotes), GDPR_013 (client consent required).
107
107
  - **Eos** (`eos-automation-agent`) — Automation & Workflow Engineering Agent. n8n/Zapier/Make workflow JSON, GitHub Actions YAML, shell scripts, webhook handler code, and runbooks. All API keys BYOK. Governed by SC_007 (no script injection), SC_001 (pinned actions), SEC_007 (no hardcoded credentials).
108
108
  - **Erato** (`erato-brand-voice-agent`) — Brand Voice & Messaging Architecture Agent. Brand voice guides, messaging architecture (hero message → pillars → proof points), tagline options with rationale, boilerplate copy at 4 lengths, competitor voice differentiation matrix. The guide that Apollo executes within.
@@ -122,16 +122,16 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
122
122
 
123
123
  **`brain:promote` — Community Rule Promotion:**
124
124
 
125
- - New command `prometheus brain:promote --rule=<ID>` scaffolds an approved `ProposedRule` from `brain.json` into a TypeScript rule stub at `prometheus/rules/community/<ID>.ts`
125
+ - New command `thesmos brain:promote --rule=<ID>` scaffolds an approved `ProposedRule` from `brain.json` into a TypeScript rule stub at `thesmos/rules/community/<ID>.ts`
126
126
  - Generated stubs follow the exact `ThesmosRule` pattern used throughout the core rules (exported `*_RULES` array, externalized regex constant, `.js` imports)
127
127
  - Printed step-by-step wiring instructions guide the developer to import the stub into `registry.ts`, add a test, and set the release version
128
128
  - `brain:evolve --approve` now stamps `approvedAt` timestamp on approved proposals
129
- - New `prometheus/rules/community/` directory with README documenting the promotion workflow
129
+ - New `thesmos/rules/community/` directory with README documenting the promotion workflow
130
130
  - Route registered in CLI: `brain:promote`
131
131
 
132
132
  **MCP_001 — Expanded Injection Pattern Detection:**
133
133
 
134
- - `INJECTION_RE` in `prometheus/rules/mcp.ts` expanded from 6 patterns to 25+ across 6 attack categories
134
+ - `INJECTION_RE` in `thesmos/rules/mcp.ts` expanded from 6 patterns to 25+ across 6 attack categories
135
135
  - System prompt overrides: `ignore/disregard/forget/override previous instructions`, `your new instructions are`
136
136
  - Role-play escapes: `you are now a`, `act as if`, `pretend to be`, `roleplay as`
137
137
  - Delimiter injection: `<system>`, `[INST]`, `<|im_start|>`, `### System`
@@ -162,29 +162,29 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
162
162
 
163
163
  **Complete Builder Wizard — 6 New Generators:**
164
164
 
165
- - **`prometheus build:dashboard`** — 5-question wizard that creates a monitoring/analytics dashboard. Supports Next.js React components and plain HTML + Chart.js. Pre-wires Prometheus governance metrics as default data source. Outputs to `src/components/dashboards/<name>.tsx` or `public/dashboards/<name>.html`.
165
+ - **`thesmos build:dashboard`** — 5-question wizard that creates a monitoring/analytics dashboard. Supports Next.js React components and plain HTML + Chart.js. Pre-wires Thesmos governance metrics as default data source. Outputs to `src/components/dashboards/<name>.tsx` or `public/dashboards/<name>.html`.
166
166
 
167
- - **`prometheus build:workflow`** — 7-question wizard that creates GitHub Actions CI/CD workflows. Covers all trigger types (PR, push, scheduled, manual, release), all common step groups (test+lint, build+deploy, full CI with Prometheus scan), and all major deploy targets (Vercel, AWS, GCP). Manual approval gates wired via `trstringer/manual-approval`.
167
+ - **`thesmos build:workflow`** — 7-question wizard that creates GitHub Actions CI/CD workflows. Covers all trigger types (PR, push, scheduled, manual, release), all common step groups (test+lint, build+deploy, full CI with Thesmos scan), and all major deploy targets (Vercel, AWS, GCP). Manual approval gates wired via `trstringer/manual-approval`.
168
168
 
169
- - **`prometheus build:rag`** — 9-question wizard for Retrieval-Augmented Generation pipelines. Generates `chunker.ts`, `retriever.ts`, and `pipeline.ts`. Supports OpenAI, Cohere, Anthropic, and local embeddings (all BYOK). Vector stores: Supabase pgvector, Pinecone, Weaviate, in-memory. Retrieval strategies: similarity, MMR (diverse), hybrid keyword+vector. Optional MCP tool wrapper to expose the pipeline to AI agents. Security note included in generated code: sanitize retrieved content to prevent prompt injection via documents.
169
+ - **`thesmos build:rag`** — 9-question wizard for Retrieval-Augmented Generation pipelines. Generates `chunker.ts`, `retriever.ts`, and `pipeline.ts`. Supports OpenAI, Cohere, Anthropic, and local embeddings (all BYOK). Vector stores: Supabase pgvector, Pinecone, Weaviate, in-memory. Retrieval strategies: similarity, MMR (diverse), hybrid keyword+vector. Optional MCP tool wrapper to expose the pipeline to AI agents. Security note included in generated code: sanitize retrieved content to prevent prompt injection via documents.
170
170
 
171
- - **`prometheus build:voice`** — 8-question wizard for real-time voice AI agents. Generates `session.ts`, `transport.ts`, and `pipeline.ts`. Supports WebRTC, Twilio Media Streams, and browser SpeechAPI transports. STT providers: Deepgram, AssemblyAI, OpenAI Whisper, browser native. TTS: ElevenLabs, Deepgram, browser native. LLM: Claude, OpenAI, local (all BYOK). Security warnings for audio PII and session isolation included in generated code.
171
+ - **`thesmos build:voice`** — 8-question wizard for real-time voice AI agents. Generates `session.ts`, `transport.ts`, and `pipeline.ts`. Supports WebRTC, Twilio Media Streams, and browser SpeechAPI transports. STT providers: Deepgram, AssemblyAI, OpenAI Whisper, browser native. TTS: ElevenLabs, Deepgram, browser native. LLM: Claude, OpenAI, local (all BYOK). Security warnings for audio PII and session isolation included in generated code.
172
172
 
173
- - **`prometheus build:mcp-tool`** — 5-question wizard that creates a new custom tool for the Prometheus MCP server. Generates `prometheus/mcp-tools/<name>.ts` with full type-safe handler and registration instructions for `mcp-server.ts`. Supports read-only, file-writing, and external-API side-effect profiles. Return types: text, JSON, file list, Prometheus findings.
173
+ - **`thesmos build:mcp-tool`** — 5-question wizard that creates a new custom tool for the Thesmos MCP server. Generates `thesmos/mcp-tools/<name>.ts` with full type-safe handler and registration instructions for `mcp-server.ts`. Supports read-only, file-writing, and external-API side-effect profiles. Return types: text, JSON, file list, Thesmos findings.
174
174
 
175
- - **`prometheus build:automation`** — 6-question wizard for CI/CD automations. For GitHub-hosted triggers (cron, webhook, file-change, event) generates `.github/workflows/<name>.yml`. For local triggers generates `.prometheus/automation/<name>.sh` with retry logic and dry-run support. Covers all common step groups (tests, build, deploy, notification, custom) and failure modes (fail+alert, retry×3+alert, log+continue).
175
+ - **`thesmos build:automation`** — 6-question wizard for CI/CD automations. For GitHub-hosted triggers (cron, webhook, file-change, event) generates `.github/workflows/<name>.yml`. For local triggers generates `.thesmos/automation/<name>.sh` with retry logic and dry-run support. Covers all common step groups (tests, build, deploy, notification, custom) and failure modes (fail+alert, retry×3+alert, log+continue).
176
176
 
177
177
  **Builder Wizard Infrastructure:**
178
178
 
179
179
  - Generic `runBuilderWizard()` runner shared by all 6 builders — eliminates 200+ lines of duplicated wizard-loop code
180
180
  - All 6 builders support `--plan` (outputs Markdown plan + design decisions), `--scaffold` (writes code), and `--yes` (skips confirmation)
181
- - All scaffold outputs are immediately scanned by the Prometheus governance engine before reporting
182
- - All API keys are BYOK — Prometheus never stores, caches, or proxies credentials
181
+ - All scaffold outputs are immediately scanned by the Thesmos governance engine before reporting
182
+ - All API keys are BYOK — Thesmos never stores, caches, or proxies credentials
183
183
 
184
184
  ### Changed
185
185
 
186
- - `prometheus/package.json`: version `3.2.0` → `3.3.0`; added keywords: `ai-safety`, `owasp`, `mcp-server`, `brain`, `builder`
187
- - `prometheus/bin/commands/build.ts`: replaced 6 `runBuildStub` stubs with real implementations; added 6 question arrays (40 total questions); imported 6 generator modules
186
+ - `thesmos/package.json`: version `3.2.0` → `3.3.0`; added keywords: `ai-safety`, `owasp`, `mcp-server`, `brain`, `builder`
187
+ - `thesmos/bin/commands/build.ts`: replaced 6 `runBuildStub` stubs with real implementations; added 6 question arrays (40 total questions); imported 6 generator modules
188
188
 
189
189
  ---
190
190
 
@@ -194,15 +194,15 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
194
194
 
195
195
  **5 Innovation Features:**
196
196
 
197
- - **F1 — `debug_finding` MCP Tool** — New MCP tool on the existing `prometheus mcp:serve` server. Call `debug_finding(rule_id, file_content, line?)` to get a `true_positive` / `likely_false_positive` verdict, the full rule explanation, exact fix suggestion, and suppression command. Closes the "why did this fire?" loop without leaving the AI assistant session.
197
+ - **F1 — `debug_finding` MCP Tool** — New MCP tool on the existing `thesmos mcp:serve` server. Call `debug_finding(rule_id, file_content, line?)` to get a `true_positive` / `likely_false_positive` verdict, the full rule explanation, exact fix suggestion, and suppression command. Closes the "why did this fire?" loop without leaving the AI assistant session.
198
198
 
199
- - **F2 — Post-Fix Verification (`prometheus fix --verify`)** — After applying a fixer, Prometheus immediately re-runs `detect()` on the patched content to confirm the finding is resolved. New exports: `verifyFix(filePath, beforeContent, afterContent, finding, config): VerifyResult` and `VerifyResult` interface. Reports: ✅ verified / ❌ unresolved / ⚠️ regression introduced. Zero external dependencies — uses Prometheus's own rules engine.
199
+ - **F2 — Post-Fix Verification (`thesmos fix --verify`)** — After applying a fixer, Thesmos immediately re-runs `detect()` on the patched content to confirm the finding is resolved. New exports: `verifyFix(filePath, beforeContent, afterContent, finding, config): VerifyResult` and `VerifyResult` interface. Reports: ✅ verified / ❌ unresolved / ⚠️ regression introduced. Zero external dependencies — uses Thesmos's own rules engine.
200
200
 
201
- - **F3 — GitHub PR Comment Bot (`prometheus github:comment`)** — Posts or updates a single governance summary comment on a GitHub PR. Uses `GITHUB_TOKEN` + native Node 18 `fetch()` — no `@octokit/rest` dependency. Idempotent via an HTML marker (`<!-- thesmos-governance-bot -->`). Includes auto-detection of repo from `git remote`. `--print-workflow` prints a copy-paste GitHub Actions snippet. New file: `prometheus/bin/commands/github-comment.ts`.
201
+ - **F3 — GitHub PR Comment Bot (`thesmos github:comment`)** — Posts or updates a single governance summary comment on a GitHub PR. Uses `GITHUB_TOKEN` + native Node 18 `fetch()` — no `@octokit/rest` dependency. Idempotent via an HTML marker (`<!-- thesmos-governance-bot -->`). Includes auto-detection of repo from `git remote`. `--print-workflow` prints a copy-paste GitHub Actions snippet. New file: `thesmos/bin/commands/github-comment.ts`.
202
202
 
203
- - **F4 — Incremental Scan Cache** — sha256-keyed per-file finding cache in `.prometheus/.scan-cache.json`. Unchanged files return cached findings instantly; any rules-version bump invalidates all entries. New exports: `loadCache`, `saveCache`, `getCachedFindings`, `setCachedFindings`, `invalidateCache`, `runReviewCached`. Expected speedup: 70–90% on second scan when most files are unchanged. New file: `prometheus/incremental-cache.ts`.
203
+ - **F4 — Incremental Scan Cache** — sha256-keyed per-file finding cache in `.thesmos/.scan-cache.json`. Unchanged files return cached findings instantly; any rules-version bump invalidates all entries. New exports: `loadCache`, `saveCache`, `getCachedFindings`, `setCachedFindings`, `invalidateCache`, `runReviewCached`. Expected speedup: 70–90% on second scan when most files are unchanged. New file: `thesmos/incremental-cache.ts`.
204
204
 
205
- - **F5 — LSP Real-Time Feedback Server (`thesmos lsp`)** — Standalone LSP 3.17 server over stdio. Surfaces governance findings as real-time squiggles in any LSP-compatible editor (VS Code, Cursor, Neovim, Emacs). Capabilities: `textDocument/didOpen`, `textDocument/didChange` (debounced 500ms), `textDocument/didSave`, hover tooltips with rule explanation, code actions (suppress / explain). VS Code extension now launches the LSP client alongside its existing on-save analysis via `vscode-languageclient`. New file: `prometheus/lang-server.ts`.
205
+ - **F5 — LSP Real-Time Feedback Server (`thesmos lsp`)** — Standalone LSP 3.17 server over stdio. Surfaces governance findings as real-time squiggles in any LSP-compatible editor (VS Code, Cursor, Neovim, Emacs). Capabilities: `textDocument/didOpen`, `textDocument/didChange` (debounced 500ms), `textDocument/didSave`, hover tooltips with rule explanation, code actions (suppress / explain). VS Code extension now launches the LSP client alongside its existing on-save analysis via `vscode-languageclient`. New file: `thesmos/lang-server.ts`.
206
206
 
207
207
  **5 Bug Fixes:**
208
208
 
@@ -223,8 +223,8 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
223
223
 
224
224
  ### Changed
225
225
 
226
- - `prometheus/fix.ts` now imports `PROMETHEUS_RULES` and `runReview` to power `verifyFix()`.
227
- - `prometheus/bin/commands/fix.ts` gains `--verify` flag.
226
+ - `thesmos/fix.ts` now imports `THESMOS_RULES` and `runReview` to power `verifyFix()`.
227
+ - `thesmos/bin/commands/fix.ts` gains `--verify` flag.
228
228
  - `extensions/vscode/src/extension.ts` now lazily starts an LSP client (requires `vscode-languageclient` installed).
229
229
  - `extensions/vscode/package.json` adds `vscode-languageclient ^9.0.1` as a runtime dependency.
230
230
 
@@ -236,32 +236,32 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
236
236
 
237
237
  **6 New Governance Pillars:**
238
238
 
239
- - **Pillar 1 — MCP Server** (`prometheus mcp:serve`, `prometheus mcp:install`) — Prometheus becomes a Model Context Protocol server. AI assistants call `scan_file`, `explain_rule`, `get_health`, `lint_commit`, and `get_context` _before_ generating code. `mcp:install` writes the server entry into `~/.claude/settings.json`. New files: `prometheus/mcp-server.ts`, `prometheus/bin/commands/mcp.ts`.
239
+ - **Pillar 1 — MCP Server** (`thesmos mcp:serve`, `thesmos mcp:install`) — Thesmos becomes a Model Context Protocol server. AI assistants call `scan_file`, `explain_rule`, `get_health`, `lint_commit`, and `get_context` _before_ generating code. `mcp:install` writes the server entry into `~/.claude/settings.json`. New files: `thesmos/mcp-server.ts`, `thesmos/bin/commands/mcp.ts`.
240
240
 
241
- - **Pillar 2 — Dependency Security** (`prometheus deps:audit`) — Async CVE scanning via OSV.dev (`api.osv.dev/v1/querybatch`). Results cached in `.prometheus/dep-cache.json` (24h TTL) and consumed synchronously by 10 new DEP_001–010 rules: critical CVE (BLOCKER), high/medium CVE, abandoned-with-CVE, no integrity hash, git dependency, major drift, prerelease in prod, deprecated package, stale cache. SBOM export via `--sbom` flag in CycloneDX 1.4 format. New files: `prometheus/osv-client.ts`, `prometheus/rules/deps.ts`, `prometheus/bin/commands/deps.ts`.
241
+ - **Pillar 2 — Dependency Security** (`thesmos deps:audit`) — Async CVE scanning via OSV.dev (`api.osv.dev/v1/querybatch`). Results cached in `.thesmos/dep-cache.json` (24h TTL) and consumed synchronously by 10 new DEP_001–010 rules: critical CVE (BLOCKER), high/medium CVE, abandoned-with-CVE, no integrity hash, git dependency, major drift, prerelease in prod, deprecated package, stale cache. SBOM export via `--sbom` flag in CycloneDX 1.4 format. New files: `thesmos/osv-client.ts`, `thesmos/rules/deps.ts`, `thesmos/bin/commands/deps.ts`.
242
242
 
243
- - **Pillar 3 — Agent Governance** — 12 new AGNT_001–012 rules detecting missing scope declarations, unconstrained Bash, ungoverned MCP servers, absent hooks, no token budget, no audit trail, and unrestricted network access. Dual-directory guard (`.claude/` AND `.prometheus/` must both exist) prevents false positives in dev environments. Plus tamper-evident **Agent Audit Trail** (`prometheus agent:audit:log|verify|report|export|rotate`) — append-only `.prometheus/audit.jsonl` with sha256 hash-chained entries using `node:crypto`. `verify` detects tampering by recomputing the entire chain. New files: `prometheus/agent-audit.ts`, `prometheus/rules/agents.ts`, `prometheus/bin/commands/agent-audit.ts`.
243
+ - **Pillar 3 — Agent Governance** — 12 new AGNT_001–012 rules detecting missing scope declarations, unconstrained Bash, ungoverned MCP servers, absent hooks, no token budget, no audit trail, and unrestricted network access. Dual-directory guard (`.claude/` AND `.thesmos/` must both exist) prevents false positives in dev environments. Plus tamper-evident **Agent Audit Trail** (`thesmos agent:audit:log|verify|report|export|rotate`) — append-only `.thesmos/audit.jsonl` with sha256 hash-chained entries using `node:crypto`. `verify` detects tampering by recomputing the entire chain. New files: `thesmos/agent-audit.ts`, `thesmos/rules/agents.ts`, `thesmos/bin/commands/agent-audit.ts`.
244
244
 
245
- - **Pillar 4 — SARIF Output** (`prometheus validate --sarif`) — SARIF 2.1.0 JSON for GitHub Security tab, VS Code Problems panel, Azure DevOps. All 911 rules emit full `reportingDescriptor` metadata. `prometheus ci:github-security` generates a GitHub Actions workflow that uploads `prometheus.sarif` to `github/codeql-action/upload-sarif@v3`. New file: `prometheus/sarif.ts`.
245
+ - **Pillar 4 — SARIF Output** (`thesmos validate --sarif`) — SARIF 2.1.0 JSON for GitHub Security tab, VS Code Problems panel, Azure DevOps. All 911 rules emit full `reportingDescriptor` metadata. `thesmos ci:github-security` generates a GitHub Actions workflow that uploads `thesmos.sarif` to `github/codeql-action/upload-sarif@v3`. New file: `thesmos/sarif.ts`.
246
246
 
247
- - **Pillar 5 — License Compliance** — 10 new LIC_001–010 rules: GPL in commercial projects (BLOCKER), unknown/UNLICENSED deps, LGPL copyleft, missing LICENSE file, proprietary dep, invalid SPDX, dual-license ambiguity, AI training restriction, GPL/Apache incompatibility (BLOCKER), missing NOTICE file. All rules use the `changedFiles !== undefined` filesystem guard to avoid false positives in changed-files mode. New file: `prometheus/rules/license.ts`.
247
+ - **Pillar 5 — License Compliance** — 10 new LIC_001–010 rules: GPL in commercial projects (BLOCKER), unknown/UNLICENSED deps, LGPL copyleft, missing LICENSE file, proprietary dep, invalid SPDX, dual-license ambiguity, AI training restriction, GPL/Apache incompatibility (BLOCKER), missing NOTICE file. All rules use the `changedFiles !== undefined` filesystem guard to avoid false positives in changed-files mode. New file: `thesmos/rules/license.ts`.
248
248
 
249
- - **Pillar 6 — GDPR Compliance Pack** (`prometheus compliance:report --standard gdpr`) — 15 new GDPR_001–015 rules covering: PII in console.log, analytics without consent, cookie without consent banner, PII in URL params, PII in localStorage, missing data deletion endpoint, PII in external logging (BLOCKER), unencrypted PII in Prisma schema, missing privacy policy link, third-party tracking without consent, PII in API error responses (BLOCKER), missing retention policy, session without expiry, real PII in test fixtures, and IP storage without consent. `compliance:report --standard gdpr` generates an audit-ready Markdown evidence report mapping each finding to its GDPR article. New files: `prometheus/rules/gdpr.ts`, `prometheus/bin/commands/compliance.ts`.
249
+ - **Pillar 6 — GDPR Compliance Pack** (`thesmos compliance:report --standard gdpr`) — 15 new GDPR_001–015 rules covering: PII in console.log, analytics without consent, cookie without consent banner, PII in URL params, PII in localStorage, missing data deletion endpoint, PII in external logging (BLOCKER), unencrypted PII in Prisma schema, missing privacy policy link, third-party tracking without consent, PII in API error responses (BLOCKER), missing retention policy, session without expiry, real PII in test fixtures, and IP storage without consent. `compliance:report --standard gdpr` generates an audit-ready Markdown evidence report mapping each finding to its GDPR article. New files: `thesmos/rules/gdpr.ts`, `thesmos/bin/commands/compliance.ts`.
250
250
 
251
251
  **3 Quick Wins:**
252
252
 
253
- - **Governance Certificate** (`prometheus certificate:generate`, `prometheus certificate:verify`) — Signed JSON artifact per delivery with sha256 hash chain for tamper detection. Fields: `rulesChecked`, `blockers`, `healthScore`, `healthGrade`, `hash`, `chain`. Agencies include in every delivery. New file: `prometheus/bin/commands/certificate.ts`.
253
+ - **Governance Certificate** (`thesmos certificate:generate`, `thesmos certificate:verify`) — Signed JSON artifact per delivery with sha256 hash chain for tamper detection. Fields: `rulesChecked`, `blockers`, `healthScore`, `healthGrade`, `hash`, `chain`. Agencies include in every delivery. New file: `thesmos/bin/commands/certificate.ts`.
254
254
 
255
- - **Health Badge** (`prometheus health --badge`) — Prints shield.io badge markdown to stdout. Color ranges: ≥80 brightgreen, ≥70 green, ≥60 yellowgreen, ≥50 yellow, ≥40 orange, <40 red.
255
+ - **Health Badge** (`thesmos health --badge`) — Prints shield.io badge markdown to stdout. Color ranges: ≥80 brightgreen, ≥70 green, ≥60 yellowgreen, ≥50 yellow, ≥40 orange, <40 red.
256
256
 
257
- - **AI Code Fingerprinting** (`prometheus ai:fingerprint`) — Detects AI-generated files using git Co-Authored-By commit markers and static content heuristics (over-explained comments, step-numbered blocks, AI docstring patterns, boilerplate try/catch). Reports `aiGeneratedEstimate`, `topTool`, and per-file confidence scores. `--format json` for machine-readable output. New file: `prometheus/bin/commands/ai-fingerprint.ts`.
257
+ - **AI Code Fingerprinting** (`thesmos ai:fingerprint`) — Detects AI-generated files using git Co-Authored-By commit markers and static content heuristics (over-explained comments, step-numbered blocks, AI docstring patterns, boilerplate try/catch). Reports `aiGeneratedEstimate`, `topTool`, and per-file confidence scores. `--format json` for machine-readable output. New file: `thesmos/bin/commands/ai-fingerprint.ts`.
258
258
 
259
259
  - Total rule count: **911** (864 previous + 12 AGNT + 10 DEP + 10 LIC + 15 GDPR).
260
260
 
261
261
  ### Changed
262
262
 
263
263
  - `formatFindingsSarif()` in `review.ts` now delegates to `sarif.ts` for full rule metadata emission — all 911 rules appear in SARIF output regardless of whether they have findings.
264
- - `prometheus health --badge` added as a new flag to the existing `health` command.
264
+ - `thesmos health --badge` added as a new flag to the existing `health` command.
265
265
  - README rule counts updated from 864 → 911.
266
266
 
267
267
  ---
@@ -270,10 +270,10 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
270
270
 
271
271
  ### Added
272
272
 
273
- - **Conventional Commits Governance** (`prometheus commit:lint`, `prometheus commit:create`) — 10 new COMMIT_001–010 rules validate commit messages against the Conventional Commits specification using the standard `detect()` sentinel pattern (path `.git/COMMIT_EDITMSG`). Rules integrate with `explain`, `baseline`, and `suppressions:audit` automatically. `commit:lint` validates messages from the `commit-msg` hook, `--last`, or `--message "..."`. `commit:create` is an interactive wizard for building valid commit messages step-by-step.
274
- - **Vercel Deployment Governance** (`prometheus vercel:lint`) — 10 new VERCEL*001–010 rules covering: literal secrets in `vercel.json` (BLOCKER), server secrets with `NEXT_PUBLIC*`prefix (BLOCKER), cron routes missing`CRON_SECRET`check (HIGH), env vars not documented in`.env.example`(HIGH), missing`.env.example`when env vars are used (HIGH), missing`maxDuration`in function config (MEDIUM), middleware missing edge runtime export (MEDIUM), missing security headers (MEDIUM),`maxDuration` exceeding plan limit (LOW), and open redirect patterns in redirects config (HIGH).
275
- - **`commit-msg` git hook enforcement** — `prometheus hooks install --commit-msg` now writes a real enforcement block calling `prometheus commit:lint "$1"`. Previously a no-op placeholder.
276
- - **`commitLint` and `vercel` config sections** in `ThesmosConfig` — customise allowed commit types, max subject length, ticket patterns, Vercel plan limits, and cron auth requirements via `.prometheus/config.json`.
273
+ - **Conventional Commits Governance** (`thesmos commit:lint`, `thesmos commit:create`) — 10 new COMMIT_001–010 rules validate commit messages against the Conventional Commits specification using the standard `detect()` sentinel pattern (path `.git/COMMIT_EDITMSG`). Rules integrate with `explain`, `baseline`, and `suppressions:audit` automatically. `commit:lint` validates messages from the `commit-msg` hook, `--last`, or `--message "..."`. `commit:create` is an interactive wizard for building valid commit messages step-by-step.
274
+ - **Vercel Deployment Governance** (`thesmos vercel:lint`) — 10 new VERCEL*001–010 rules covering: literal secrets in `vercel.json` (BLOCKER), server secrets with `NEXT_PUBLIC*`prefix (BLOCKER), cron routes missing`CRON_SECRET`check (HIGH), env vars not documented in`.env.example`(HIGH), missing`.env.example`when env vars are used (HIGH), missing`maxDuration`in function config (MEDIUM), middleware missing edge runtime export (MEDIUM), missing security headers (MEDIUM),`maxDuration` exceeding plan limit (LOW), and open redirect patterns in redirects config (HIGH).
275
+ - **`commit-msg` git hook enforcement** — `thesmos hooks install --commit-msg` now writes a real enforcement block calling `thesmos commit:lint "$1"`. Previously a no-op placeholder.
276
+ - **`commitLint` and `vercel` config sections** in `ThesmosConfig` — customise allowed commit types, max subject length, ticket patterns, Vercel plan limits, and cron auth requirements via `.thesmos/config.json`.
277
277
  - Total rule count: **864** (844 previous + 10 COMMIT + 10 VERCEL).
278
278
 
279
279
  ### Changed
@@ -287,14 +287,14 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
287
287
 
288
288
  ### Added
289
289
 
290
- - **Slopsquatting Guard** (`prometheus import:scan`) — validates every npm/PyPI package in changed files against live registry APIs. Flags phantom packages (404), newly-registered packages (< 30 days old), and typosquat candidates (edit distance ≤ 2 from top packages). Works offline with graceful degradation. 10 new rules: SLOP_006–015.
291
- - **Agent Scope Enforcement** (`prometheus scope:*`) — `.prometheus/scope.json` defines workspace boundaries and operation limits. PreToolUse hook intercepts every Write/Edit/Bash call and exits 2 on scope violations. Commands: `scope:init`, `scope:status`, `scope:check`.
292
- - **Token Budget Governance** (`prometheus tokens:*`) — PostToolUse hook logs token usage per tool call to `.prometheus/token-usage.jsonl`. Enforces configurable session, daily, and project cost caps with alert and hard-stop thresholds. Commands: `tokens:report`, `tokens:reset`, `tokens:budget`.
293
- - **AI Debt Fingerprinting** (`prometheus debt:scan`) — 20 new DEBT_001–020 rules that detect AI-specific code debt patterns traditional linters miss: duplicate function bodies, swallowed errors, magic numbers, O(n²) nested loops, vague variable names, commented-out blocks, missing `finally`, and more. Outputs a 0–100 debt score with A–F grade.
294
- - **Context Health + Session Handoff** (`prometheus context:*`) — generates `.prometheus/context.md` from the live codebase (stack, established patterns, active constraints). `thesmos adapters` now auto-updates the snapshot. CLAUDE.md preamble now references `context.md` as step 1. Commands: `context:snapshot`, `context:health`.
290
+ - **Slopsquatting Guard** (`thesmos import:scan`) — validates every npm/PyPI package in changed files against live registry APIs. Flags phantom packages (404), newly-registered packages (< 30 days old), and typosquat candidates (edit distance ≤ 2 from top packages). Works offline with graceful degradation. 10 new rules: SLOP_006–015.
291
+ - **Agent Scope Enforcement** (`thesmos scope:*`) — `.thesmos/scope.json` defines workspace boundaries and operation limits. PreToolUse hook intercepts every Write/Edit/Bash call and exits 2 on scope violations. Commands: `scope:init`, `scope:status`, `scope:check`.
292
+ - **Token Budget Governance** (`thesmos tokens:*`) — PostToolUse hook logs token usage per tool call to `.thesmos/token-usage.jsonl`. Enforces configurable session, daily, and project cost caps with alert and hard-stop thresholds. Commands: `tokens:report`, `tokens:reset`, `tokens:budget`.
293
+ - **AI Debt Fingerprinting** (`thesmos debt:scan`) — 20 new DEBT_001–020 rules that detect AI-specific code debt patterns traditional linters miss: duplicate function bodies, swallowed errors, magic numbers, O(n²) nested loops, vague variable names, commented-out blocks, missing `finally`, and more. Outputs a 0–100 debt score with A–F grade.
294
+ - **Context Health + Session Handoff** (`thesmos context:*`) — generates `.thesmos/context.md` from the live codebase (stack, established patterns, active constraints). `thesmos adapters` now auto-updates the snapshot. CLAUDE.md preamble now references `context.md` as step 1. Commands: `context:snapshot`, `context:health`.
295
295
  - **Bash tool governance** — `claude:govern` PreToolUse hook now intercepts `Bash(npm install *)` / `Bash(pip install *)` calls and validates package names before they execute.
296
296
  - **PostToolUse budget hook** — added to `.claude/settings.json` alongside existing PreToolUse and Stop hooks.
297
- - **`tokenBudget` in `ThesmosConfig`** — configure token budgets directly in `.prometheus/config.json`.
297
+ - **`tokenBudget` in `ThesmosConfig`** — configure token budgets directly in `.thesmos/config.json`.
298
298
 
299
299
  ### Fixed
300
300
 
@@ -308,8 +308,8 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
308
308
 
309
309
  ### Changed
310
310
 
311
- - `thesmos adapters` now auto-generates `.prometheus/context.md` on every run.
312
- - CLAUDE.md "Before Each Task" checklist renumbered 1–12; step 1 now reads `.prometheus/context.md`.
311
+ - `thesmos adapters` now auto-generates `.thesmos/context.md` on every run.
312
+ - CLAUDE.md "Before Each Task" checklist renumbered 1–12; step 1 now reads `.thesmos/context.md`.
313
313
  - Token budget model cost table expanded with legacy date-suffixed model IDs (`claude-3-5-sonnet-20241022`, etc.) reported by older Claude Code versions.
314
314
 
315
315
  ---
@@ -322,11 +322,11 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
322
322
  - **Python** (19 rules, PY_026–PY_045): async/await pitfalls, shell injection, `pickle`/`marshal` RCE, FastAPI/Django security patterns, Pydantic v2 migration, blocking I/O in async context, and more.
323
323
  - **GraphQL** (25 rules, GQL_001–GQL_025): query depth/complexity limits, resolver auth enforcement, N+1 without DataLoader, introspection disabled in production, type correctness, and production hardening.
324
324
  - **Terraform** (13 rules, TF_013–TF_025): sensitive IAM wildcards, open security groups (0.0.0.0/0), RDS deletion protection, KMS key rotation, secrets in `user_data`, `prevent_destroy` on critical resources, and S3 versioning.
325
- - **3 new catalog agents**: `python-reviewer`, `graphql-reviewer`, `infrastructure-reviewer` — available via `prometheus catalog:enable`.
326
- - **`prometheus claude:govern`** — installs Claude Code hooks into `.claude/settings.json` for real-time governance in Auto Mode:
325
+ - **3 new catalog agents**: `python-reviewer`, `graphql-reviewer`, `infrastructure-reviewer` — available via `thesmos catalog:enable`.
326
+ - **`thesmos claude:govern`** — installs Claude Code hooks into `.claude/settings.json` for real-time governance in Auto Mode:
327
327
  - `PreToolUse` (Write/Edit): blocks tool call (exit 2) if content contains any BLOCKER finding.
328
- - `Stop`: runs `prometheus drift` after each session to detect adapter staleness.
329
- - Install is idempotent; a `_prometheus_governance` marker prevents duplicate hook entries.
328
+ - `Stop`: runs `thesmos drift` after each session to detect adapter staleness.
329
+ - Install is idempotent; a `_thesmos_governance` marker prevents duplicate hook entries.
330
330
  - Autopilot permission profiles now preserve governance hooks when written/restored.
331
331
 
332
332
  ### Fixed
@@ -341,19 +341,19 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
341
341
  ### Added
342
342
 
343
343
  - **142 governance rules** across 8 categories: security, TypeScript, React, Next.js, AI/LLM, performance, database, and code quality
344
- - **6 AI adapter targets**: Claude (`CLAUDE.md`), Gemini (`GEMINI.md`), Cursor (`.cursor/rules/prometheus.mdc`), Copilot (`.github/copilot-instructions.md`), Codex (`.codex/prometheus.md`), and `AGENTS.md` — all generated from a single canonical rule registry with zero duplication
344
+ - **6 AI adapter targets**: Claude (`CLAUDE.md`), Gemini (`GEMINI.md`), Cursor (`.cursor/rules/thesmos.mdc`), Copilot (`.github/copilot-instructions.md`), Codex (`.codex/thesmos.md`), and `AGENTS.md` — all generated from a single canonical rule registry with zero duplication
345
345
  - **CLI commands**: `init`, `scan`, `review`, `validate`, `audit`, `doctor`, `ci-check`, `adapters`, `drift`, `baseline:*`, `explain`, `suppressions:audit`, `metrics`, `pack:*`, `health`, `ci`, `fix`, `update`, `catalog:*`, `agent:create`, `skill:create`
346
- - **Governance folder** (`.prometheus/`): README, config, GUARDRAILS, RULES, governance docs, architecture docs, and a GitHub Actions workflow — all scaffolded by `prometheus init`
346
+ - **Governance folder** (`.thesmos/`): README, config, GUARDRAILS, RULES, governance docs, architecture docs, and a GitHub Actions workflow — all scaffolded by `thesmos init`
347
347
  - **Baseline system**: snapshot known technical debt so new violations are caught without blocking existing codebases
348
- - **Inline suppressions**: `// prometheus-disable-next-line <id> -- reason: <text>` with expiry dates and audit trail
348
+ - **Inline suppressions**: `// thesmos-disable-next-line <id> -- reason: <text>` with expiry dates and audit trail
349
349
  - **Health score** (0–100 with letter grade): synthesises findings, drift, suppressions, and baseline into a single governance grade
350
350
  - **Metrics engine**: local-first, privacy-safe governance analytics with history tracking
351
351
  - **Drift detection**: 12 categories of stale/missing governance artifacts
352
- - **Rule explanation engine**: `prometheus explain <rule-id>` shows why a rule exists, good/bad examples, and related playbooks
352
+ - **Rule explanation engine**: `thesmos explain <rule-id>` shows why a rule exists, good/bad examples, and related playbooks
353
353
  - **Catalog system**: 50+ built-in agents and 50+ built-in skills; 5 composable profiles (base, web, next-supabase, enterprise)
354
354
  - **Pack system**: extensible rule bundles for third-party frameworks
355
355
  - **Zero runtime dependencies**: the entire tool ships without a single production dependency
356
- - **JSON Schema** for `.prometheus/config.json`: add `$schema` for full editor autocomplete and validation
356
+ - **JSON Schema** for `.thesmos/config.json`: add `$schema` for full editor autocomplete and validation
357
357
  - **GitHub Actions CI/CD**: workflows for continuous integration (Node 18/20/22 matrix) and npm publishing on version tags
358
358
 
359
359
  [1.0.0]: https://github.com/Holley-Studio/thesmos-governance/releases/tag/v1.0.0
package/LICENSE CHANGED
@@ -5,8 +5,8 @@ Copyright (c) 2024 Matt Holley
5
5
  Parameters
6
6
 
7
7
  Licensor: Matt Holley
8
- Licensed Work: Prometheus Governance
9
- The Licensed Work is © 2024 Matt Holley
8
+ Licensed Work: Thesmos Governance
9
+ The Licensed Work is © 2024–2026 Holley Studio LLC
10
10
  Change Date: 2030-06-17 (four years from first publication)
11
11
  Change License: MIT License
12
12
 
@@ -1,13 +1,13 @@
1
1
  # Commercial Licensing
2
2
 
3
- Prometheus Governance is released under the [Functional Source License 1.1 (FSL-1.1-MIT)](LICENSE).
3
+ Thesmos is released under the [Functional Source License 1.1 (FSL-1.1-MIT)](LICENSE).
4
4
 
5
- FSL permits free use for personal projects, internal tooling, and open source work. It restricts offering Prometheus Governance itself (or a substantially similar product built on it) as a commercial service or product to third parties.
5
+ FSL permits free use for personal projects, internal tooling, and open source work. It restricts offering Thesmos itself (or a substantially similar product built on it) as a commercial service or product to third parties.
6
6
 
7
7
  ## When you need a commercial license
8
8
 
9
- - You are building a SaaS product or hosted service powered by Prometheus Governance
10
- - You are reselling or white-labeling Prometheus Governance
9
+ - You are building a SaaS product or hosted service powered by Thesmos
10
+ - You are reselling or white-labeling Thesmos
11
11
  - You are bundling it into a commercial product sold to customers
12
12
 
13
13
  ## Contact
package/README.md CHANGED
@@ -18,7 +18,7 @@ Thesmos is a repo governance tool for TypeScript projects. Define your code revi
18
18
 
19
19
  Without governance, every AI assistant in your team invents its own rules. Claude follows one convention, Cursor follows another, Copilot knows nothing about your auth patterns. Every PR review is inconsistent. Governance debt compounds silently.
20
20
 
21
- Thesmos solves this with a **single source of truth**: 911 rules defined once, propagated everywhere.
21
+ Thesmos solves this with a **single source of truth**: 1,137 rules defined once, propagated everywhere.
22
22
 
23
23
  | | Thesmos | ESLint | Danger.js | CodeClimate |
24
24
  | --- | --- | --- | --- | --- |
@@ -27,7 +27,7 @@ Thesmos solves this with a **single source of truth**: 911 rules defined once, p
27
27
  | Works fully offline | ✓ | ✓ | ✗ | ✗ |
28
28
  | Governance folder + AI context | ✓ | ✗ | ✗ | ✗ |
29
29
  | Health score (0–100) | ✓ | ✗ | ✗ | ✓ |
30
- | Built-in rules (no plugins needed) | 911 | ✗ | ✗ | ✓ |
30
+ | Built-in rules (no plugins needed) | 1,137 | ✗ | ✗ | ✓ |
31
31
  | Installable rule packs | ✓ | ✓ | ✗ | ✗ |
32
32
  | Inline suppressions with audit | ✓ | ✓ | ✗ | ✗ |
33
33
  | Baseline for legacy debt | ✓ | ✗ | ✗ | ✗ |
@@ -84,7 +84,7 @@ Other platforms give you AI assistants. Thesmos gives you a governed AI team —
84
84
 
85
85
  **7 things no other agent platform does:**
86
86
 
87
- 1. **Governance badge on every output** — Every God Agent delivery closes with `Thesmos check: [RULE_ID] ✅`. No other platform runs 1,075 governance rules against AI outputs automatically.
87
+ 1. **Governance badge on every output** — Every God Agent delivery closes with `Thesmos check: [RULE_ID] ✅`. No other platform runs 1,137 governance rules against AI outputs automatically.
88
88
  2. **38 world-class God Agents — not assistants** — Each agent has a named methodology, failure mode taxonomy, and adversarial self-check. Not "I know marketing" but "I use Ehrenberg-Bass reach theory, and here's the specific thing your brief gets wrong."
89
89
  3. **God Council arbitration** — When agents conflict, Zeus arbitrates. Argus holds a permanent security veto; Themis holds a permanent legal veto. You get one decision, not a debate.
90
90
  4. **God Agent Momus** — The only agent platform with a mandatory challenger. Momus challenges every major decision before it ships using Socratic method, Gary Klein's Pre-mortem, and Munger's Inversion.
@@ -320,7 +320,7 @@ npx thesmos validate --base=origin/$GITHUB_BASE_REF
320
320
 
321
321
  ### `thesmos adapters`
322
322
 
323
- Generates AI assistant instruction files from the canonical rule registry. Preserves any content you have written outside `<!-- PROMETHEUS:GENERATED -->` markers.
323
+ Generates AI assistant instruction files from the canonical rule registry. Preserves any content you have written outside `<!-- THESMOS:GENERATED -->` markers.
324
324
 
325
325
  ```bash
326
326
  npx thesmos adapters
@@ -438,7 +438,7 @@ npx thesmos fix --base=main # applies changes
438
438
 
439
439
  ## Rule packs
440
440
 
441
- Packs are installable bundles of additional rules, agents, skills, and playbooks. The built-in registry ships 911 rules — packs let the community (and your organisation) add more without forking.
441
+ Packs are installable bundles of additional rules, agents, skills, and playbooks. The built-in registry ships 1,137 rules — packs let the community (and your organisation) add more without forking.
442
442
 
443
443
  ### Installing a pack
444
444
 
@@ -559,7 +559,7 @@ Use rule IDs (`ENV_001`) or category names (`direct_env_access`). Both are shown
559
559
 
560
560
  ## Adapter targets
561
561
 
562
- Every adapter is generated from the same `PROMETHEUS_RULES` array. You never write rules twice.
562
+ Every adapter is generated from the same `THESMOS_RULES` array. You never write rules twice.
563
563
 
564
564
  | Target | Output path | Used by |
565
565
  | --- | --- | --- |
@@ -570,9 +570,9 @@ Every adapter is generated from the same `PROMETHEUS_RULES` array. You never wri
570
570
  | `codex` | `.codex/thesmos.md` | OpenAI Codex CLI |
571
571
  | `agents` | `AGENTS.md` | OpenAI Agents, generic agents |
572
572
 
573
- Adapters embed a `<!-- PROMETHEUS:META -->` comment with `version`, `target`, and `ruleCount`. `thesmos ci-check` reads this metadata to detect drift without re-running the generator — fully deterministic, no timestamps.
573
+ Adapters embed a `<!-- THESMOS:META -->` comment with `version`, `target`, and `ruleCount`. `thesmos ci-check` reads this metadata to detect drift without re-running the generator — fully deterministic, no timestamps.
574
574
 
575
- Manual content you write outside `<!-- PROMETHEUS:GENERATED START -->` / `<!-- PROMETHEUS:GENERATED END -->` markers is **always preserved** across regenerations.
575
+ Manual content you write outside `<!-- THESMOS:GENERATED START -->` / `<!-- THESMOS:GENERATED END -->` markers is **always preserved** across regenerations.
576
576
 
577
577
  ---
578
578
 
@@ -656,7 +656,7 @@ import {
656
656
  runDoctorForRoot,
657
657
  runCiCheckForRoot,
658
658
  exitCodeFor,
659
- PROMETHEUS_RULES,
659
+ THESMOS_RULES,
660
660
  } from 'thesmos-governance';
661
661
 
662
662
  // Load config from .thesmos/config.json
@@ -676,14 +676,14 @@ const checks = await runDoctorForRoot(root, config);
676
676
 
677
677
  // Generate adapter content for any target
678
678
  import { buildAdapterContent } from 'thesmos-governance';
679
- const content = buildAdapterContent('claude', existing, PROMETHEUS_RULES, config);
679
+ const content = buildAdapterContent('claude', existing, THESMOS_RULES, config);
680
680
  ```
681
681
 
682
682
  ### Key exports
683
683
 
684
684
  ```typescript
685
685
  // Rules
686
- PROMETHEUS_RULES // ThesmosRule[] — all 911 built-in rules
686
+ THESMOS_RULES // ThesmosRule[] — all 1,137 built-in rules
687
687
  getRulesByTag(tag) // filter by tag
688
688
  getRulesBySeverity(sev) // filter by severity
689
689
  getRulesByCategory(cat) // filter by category
@@ -729,7 +729,7 @@ import type {
729
729
  ## How it works
730
730
 
731
731
  ```text
732
- PROMETHEUS_RULES ← single source of truth (911 built-in rules + pack rules at runtime)
732
+ THESMOS_RULES ← single source of truth (1,137 built-in rules + pack rules at runtime)
733
733
 
734
734
  ├── adapters.ts → CLAUDE.md · GEMINI.md · .cursor/ · .github/ · .codex/ · AGENTS.md
735
735
  ├── init.ts → .thesmos/ governance folder
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # Accessibility Reviewer
17
17
 
18
+ > I am the **Accessibility Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Reviews UI component changes for WCAG 2.1 AA compliance: missing ARIA attributes, insufficient colour contrast, keyboard navigation gaps, focus management issues, and form labels not associated with inputs.
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # AI Safety Reviewer
17
17
 
18
+ > I am the **AI Safety Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Reviews AI-integrated code for safety issues: prompt injection risks, LLM output used without sanitisation, model API keys committed to source, missing output validation, and user-supplied content passed directly to system prompts.
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # Analytics Reviewer
17
17
 
18
+ > I am the **Analytics Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Reviews analytics implementation: consent gate correctness, PII in tracking events, data layer schema consistency, and GDPR-compliant event firing. Ensures analytics events do not fire before consent is granted.
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # API Reviewer
17
17
 
18
+ > I am the **API Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Reviews API route handlers for security and correctness: authentication guards, input validation, HTTP method handling, error response shapes, and rate limiting. Ensures new routes follow the established API contract.
@@ -14,6 +14,8 @@ model: claude-haiku-4-5-20251001
14
14
 
15
15
  # Architecture Reviewer
16
16
 
17
+ > I am the **Architecture Reviewer**, a specialized governance gate of the Thesmos Pantheon.
18
+
17
19
  ## Purpose
18
20
 
19
21
  Reviews changes for structural integrity: oversized files that should be split, emerging duplicate component patterns that indicate premature divergence, and refactors that cross module boundaries without updating dependents.
@@ -16,6 +16,8 @@ model: claude-haiku-4-5-20251001
16
16
 
17
17
  # God Agent Ate — SQL Injection & WAF Investigator
18
18
 
19
+ > I am the **God Agent Ate — SQL Injection & WAF Investigator**, a specialized governance gate of the Thesmos Pantheon.
20
+
19
21
  ## Purpose
20
22
 
21
23
  Investigates SQL injection vulnerabilities and WAF evasion patterns in database query code. Detects string concatenation in SQL queries, missing parameterization, template literal interpolation into raw SQL, ORM raw query misuse, and WAF bypass techniques (UNION SELECT, encoded payloads, comment-based obfuscation). Named for Ate, goddess of ruin and folly — she who ensures every developer who forgets to parameterize a query faces the consequences.
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # Auth Reviewer
17
17
 
18
+ > I am the **Auth Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Deeply reviews authentication and authorisation logic: session handling, token rotation, privilege escalation risks, missing route guards, and incorrect use of auth helpers across the client/server boundary.
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # Backend Reviewer
17
17
 
18
+ > I am the **Backend Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Reviews server-side code changes: data validation, error handling, idempotent operations, database query efficiency, and correct use of server-only APIs. Ensures server actions and API routes follow the established request/response contract.
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # Build System Reviewer
17
17
 
18
+ > I am the **Build System Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Reviews changes to build configuration: Next.js config, Webpack/Turbopack customizations, tsup/esbuild settings, and TypeScript compiler options. Catches configurations that break tree shaking, disable type checking, or introduce non-deterministic builds.
@@ -16,6 +16,8 @@ model: claude-haiku-4-5-20251001
16
16
 
17
17
  # God Agent Cerberus — OAuth Token Theft Investigator
18
18
 
19
+ > I am the **God Agent Cerberus — OAuth Token Theft Investigator**, a specialized governance gate of the Thesmos Pantheon.
20
+
19
21
  ## Purpose
20
22
 
21
23
  Investigates OAuth token theft and replay attack patterns in authentication code. Detects access token storage in insecure locations (localStorage, cookies without `HttpOnly`/`Secure`), missing token expiry enforcement, refresh token mishandling, and JWT decode-without-verify anti-patterns. Also reviews code that handles authorization flows for pass-the-cookie and token replay vulnerabilities. Named for Cerberus, three-headed guardian of the gates — he who admits only the legitimately authenticated.
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # CI Reviewer
17
17
 
18
+ > I am the **CI Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Reviews CI/CD pipeline configuration for correctness and security: workflow permissions, secret exposure in logs, non-pinned action versions, missing required status checks, and build matrices that do not match the project's Node.js support matrix.
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # Code Quality Reviewer
17
17
 
18
+ > I am the **Code Quality Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Catches low-level code hygiene issues that accumulate into tech debt: unchecked `any` types, leftover `console.log` statements in production paths, and hardcoded design tokens that bypass the design system.
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # Compliance Reviewer
17
17
 
18
+ > I am the **Compliance Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Reviews changes against SOC2, GDPR, HIPAA, and PCI-DSS control requirements: audit trail completeness, access control enforcement, encryption at rest and in transit, and change-management traceability.
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # Content Reviewer
17
17
 
18
+ > I am the **Content Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Reviews content-related changes: hardcoded copy strings that should be CMS-managed, missing localisation keys, content that does not follow the brand voice guide, and stale placeholder text left in production code.
@@ -18,6 +18,8 @@ model: claude-haiku-4-5-20251001
18
18
 
19
19
  # Creative Director
20
20
 
21
+ > I am the **Creative Director**, a specialized governance gate of the Thesmos Pantheon.
22
+
21
23
  ## Purpose
22
24
 
23
25
  Acts as a permanent creative director embedded in your codebase. Reviews UI components, pages, and stylesheets for design consistency, brand alignment, and visual quality — catching the drift that accumulates when multiple AI tools contribute code without awareness of your design system.
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # Data Fetching Reviewer
17
17
 
18
+ > I am the **Data Fetching Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Reviews data fetching patterns: N+1 queries, missing cache revalidation, waterfall fetches that should be parallel, client-side fetching that should be server-side in Next.js App Router, and stale cache configuration.
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # Database Reviewer
17
17
 
18
+ > I am the **Database Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Reviews database schema changes and query patterns: RLS policy correctness, migration safety (destructive operations, missing rollback), index strategy, and N+1 query risks from ORM usage.