thesmos-governance 4.2.0 → 4.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +60 -60
- package/LICENSE +2 -2
- package/LICENSE-COMMERCIAL.md +4 -4
- package/README.md +12 -12
- package/catalog/agents/reviewers/accessibility-reviewer.md +2 -0
- package/catalog/agents/reviewers/ai-safety-reviewer.md +2 -0
- package/catalog/agents/reviewers/analytics-reviewer.md +2 -0
- package/catalog/agents/reviewers/api-reviewer.md +2 -0
- package/catalog/agents/reviewers/architecture-reviewer.md +2 -0
- package/catalog/agents/reviewers/ate-sql-injection-agent.md +2 -0
- package/catalog/agents/reviewers/auth-reviewer.md +2 -0
- package/catalog/agents/reviewers/backend-reviewer.md +2 -0
- package/catalog/agents/reviewers/build-system-reviewer.md +2 -0
- package/catalog/agents/reviewers/cerberus-oauth-agent.md +2 -0
- package/catalog/agents/reviewers/ci-reviewer.md +2 -0
- package/catalog/agents/reviewers/code-quality-reviewer.md +2 -0
- package/catalog/agents/reviewers/compliance-reviewer.md +2 -0
- package/catalog/agents/reviewers/content-reviewer.md +2 -0
- package/catalog/agents/reviewers/creative-director.md +2 -0
- package/catalog/agents/reviewers/data-fetching-reviewer.md +2 -0
- package/catalog/agents/reviewers/database-reviewer.md +2 -0
- package/catalog/agents/reviewers/dependency-reviewer.md +2 -0
- package/catalog/agents/reviewers/design-system-reviewer.md +2 -0
- package/catalog/agents/reviewers/devops-reviewer.md +3 -1
- package/catalog/agents/reviewers/documentation-reviewer.md +2 -0
- package/catalog/agents/reviewers/ecommerce-reviewer.md +2 -0
- package/catalog/agents/reviewers/error-handling-reviewer.md +2 -0
- package/catalog/agents/reviewers/feature-flag-reviewer.md +2 -0
- package/catalog/agents/reviewers/forms-reviewer.md +2 -0
- package/catalog/agents/reviewers/frontend-reviewer.md +2 -0
- package/catalog/agents/reviewers/fullstack-reviewer.md +2 -0
- package/catalog/agents/reviewers/governance-reviewer.md +2 -0
- package/catalog/agents/reviewers/graphql-reviewer.md +2 -0
- package/catalog/agents/reviewers/hades-credential-agent.md +2 -0
- package/catalog/agents/reviewers/hecate-prompt-injection-agent.md +2 -0
- package/catalog/agents/reviewers/incident-reviewer.md +2 -0
- package/catalog/agents/reviewers/infrastructure-reviewer.md +2 -0
- package/catalog/agents/reviewers/localization-reviewer.md +2 -0
- package/catalog/agents/reviewers/migration-reviewer.md +2 -0
- package/catalog/agents/reviewers/mobile-reviewer.md +2 -0
- package/catalog/agents/reviewers/monorepo-reviewer.md +2 -0
- package/catalog/agents/reviewers/nemesis-supply-chain-agent.md +2 -0
- package/catalog/agents/reviewers/nextjs-reviewer.md +2 -0
- package/catalog/agents/reviewers/nyx-api-enumeration-agent.md +2 -0
- package/catalog/agents/reviewers/observability-reviewer.md +2 -0
- package/catalog/agents/reviewers/onboarding-reviewer.md +2 -0
- package/catalog/agents/reviewers/package-publishing-reviewer.md +2 -0
- package/catalog/agents/reviewers/performance-reviewer.md +2 -0
- package/catalog/agents/reviewers/privacy-reviewer.md +2 -0
- package/catalog/agents/reviewers/product-reviewer.md +2 -0
- package/catalog/agents/reviewers/prompt-engineering-reviewer.md +2 -0
- package/catalog/agents/reviewers/python-reviewer.md +2 -0
- package/catalog/agents/reviewers/react-reviewer.md +2 -0
- package/catalog/agents/reviewers/refactor-reviewer.md +2 -0
- package/catalog/agents/reviewers/release-readiness-reviewer.md +2 -0
- package/catalog/agents/reviewers/security-reviewer.md +2 -0
- package/catalog/agents/reviewers/seo-reviewer.md +2 -0
- package/catalog/agents/reviewers/shopify-reviewer.md +2 -0
- package/catalog/agents/reviewers/state-management-reviewer.md +2 -0
- package/catalog/agents/reviewers/supabase-reviewer.md +2 -0
- package/catalog/agents/reviewers/testing-reviewer.md +2 -0
- package/catalog/agents/reviewers/typescript-reviewer.md +2 -0
- package/catalog/agents/reviewers/ux-reviewer.md +2 -0
- package/catalog/agents/reviewers/wordpress-reviewer.md +2 -0
- package/catalog/skills/a11y-audit.md +1 -1
- package/catalog/skills/adapter-sync.md +10 -10
- package/catalog/skills/add-tests.md +2 -2
- package/catalog/skills/ai-prompt-review.md +1 -1
- package/catalog/skills/analytics-compliance.md +1 -1
- package/catalog/skills/api-deprecation-review.md +1 -1
- package/catalog/skills/api-design-review.md +1 -1
- package/catalog/skills/auth-flow-review.md +1 -1
- package/catalog/skills/build-optimization.md +1 -1
- package/catalog/skills/ci-pipeline-audit.md +1 -1
- package/catalog/skills/component-audit.md +1 -1
- package/catalog/skills/cors-audit.md +1 -1
- package/catalog/skills/csp-audit.md +1 -1
- package/catalog/skills/data-fetching-audit.md +1 -1
- package/catalog/skills/database-schema-review.md +1 -1
- package/catalog/skills/dependency-audit.md +1 -1
- package/catalog/skills/design-token-audit.md +1 -1
- package/catalog/skills/documentation-audit.md +1 -1
- package/catalog/skills/e2e-test-review.md +1 -1
- package/catalog/skills/env-variable-audit.md +2 -2
- package/catalog/skills/error-boundary-audit.md +1 -1
- package/catalog/skills/feature-flag-audit.md +1 -1
- package/catalog/skills/final-hardening-pass.md +4 -4
- package/catalog/skills/generate-report.md +2 -2
- package/catalog/skills/graphql-schema-review.md +2 -2
- package/catalog/skills/i18n-audit.md +1 -1
- package/catalog/skills/incident-postmortem.md +1 -1
- package/catalog/skills/infrastructure-security-review.md +2 -2
- package/catalog/skills/init-governance.md +9 -9
- package/catalog/skills/integration-test-review.md +1 -1
- package/catalog/skills/logging-audit.md +1 -1
- package/catalog/skills/migration-safety-check.md +1 -1
- package/catalog/skills/monorepo-dependency-graph.md +1 -1
- package/catalog/skills/observability-review.md +1 -1
- package/catalog/skills/onboarding-audit.md +1 -1
- package/catalog/skills/performance-profile.md +1 -1
- package/catalog/skills/pr-review.md +6 -6
- package/catalog/skills/python-async-audit.md +2 -2
- package/catalog/skills/rate-limit-audit.md +1 -1
- package/catalog/skills/refactor-impact-analysis.md +1 -1
- package/catalog/skills/release-checklist.md +3 -3
- package/catalog/skills/repo-health-audit.md +5 -5
- package/catalog/skills/rls-policy-audit.md +1 -1
- package/catalog/skills/scan-codebase.md +3 -3
- package/catalog/skills/secret-scan.md +2 -2
- package/catalog/skills/security-scan.md +3 -3
- package/catalog/skills/seo-audit.md +1 -1
- package/catalog/skills/staged-change-review.md +2 -2
- package/catalog/skills/state-audit.md +1 -1
- package/catalog/skills/test-coverage-report.md +3 -3
- package/catalog/skills/typescript-strict-mode.md +2 -2
- package/catalog/skills/validate-rules.md +8 -8
- package/catalog/skills/webhook-security-review.md +1 -1
- package/dist/chunk-CFZYUTI5.js +53 -0
- package/dist/chunk-NNBMRFC7.js +84 -0
- package/dist/{chunk-7GCSYG7G.js → chunk-O624A53O.js} +24 -3
- package/dist/{chunk-EVQAWKS4.js → chunk-PABK62WO.js} +1 -1
- package/dist/{chunk-SVE6NZBV.js → chunk-Q4PVEMEN.js} +2778 -135
- package/dist/chunk-RG2UYI73.js +1039 -0
- package/dist/{chunk-FFZCCMLT.js → chunk-UXMN2OKJ.js} +2746 -111
- package/dist/cli.js +8629 -6463
- package/dist/{config-X235D23R.js → config-72CZV7A6.js} +3 -2
- package/dist/{git-IZFKH3GY.js → git-DO2YR34V.js} +5 -2
- package/dist/index.d.ts +114 -19
- package/dist/index.js +785 -410
- package/dist/{registry-A66NBHXV.js → registry-D75IVQU3.js} +4 -3
- package/dist/registry-Y6KQ2L4L.js +6 -0
- package/dist/{review-2FTGISZG.js → review-7N6HVVSX.js} +4 -3
- package/package.json +16 -6
- package/dist/chunk-D5UANPA5.js +0 -61
- package/dist/chunk-VG2453HG.js +0 -176
- package/dist/registry-UMT2SOUG.js +0 -6
package/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
-
## 4.
|
|
3
|
+
## 4.5.0
|
|
4
4
|
|
|
5
5
|
### Minor Changes
|
|
6
6
|
|
|
@@ -65,7 +65,7 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
|
|
|
65
65
|
|
|
66
66
|
**3 New God Agents (catalog: 70 → 73, Pantheon: 31 → 34):**
|
|
67
67
|
|
|
68
|
-
- **God Agent Proteus** (`proteus-drift-agent`) — Drift & Alignment Monitor. Detects product drift, prompt drift, architecture drift, brand drift, strategy drift, and governance drift. Compares the current state against documented baselines; surfaces findings by domain with severity (BLOCKER/HIGH/MEDIUM/LOW) and delegates corrections to domain specialists. Integrates with `
|
|
68
|
+
- **God Agent Proteus** (`proteus-drift-agent`) — Drift & Alignment Monitor. Detects product drift, prompt drift, architecture drift, brand drift, strategy drift, and governance drift. Compares the current state against documented baselines; surfaces findings by domain with severity (BLOCKER/HIGH/MEDIUM/LOW) and delegates corrections to domain specialists. Integrates with `thesmos drift` (infrastructure) and `.thesmos/brain.md` (context baseline). Governed by AGNT_001, MCP_001.
|
|
69
69
|
- **God Agent Momus** (`momus-challenger-agent`) — Challenger & Clarity Enforcer. Challenges plans, ideas, and research before they execute using Socratic method, Gary Klein's Pre-mortem, Charlie Munger's Inversion, Red Team thinking, and Five Whys. Delivers: premise check, 3 weakest assumptions, 5 unasked questions, 3 failure scenarios, specificity demands, and unrepresented interests. Auto-invoked by Zeus before irreversible decisions. Governed by AGNT_001, LIC_001.
|
|
70
70
|
- **God Agent Metis** (`metis-pm-agent`) — Project Manager & Execution Planner. Converts plans into executable phases with entry/exit criteria, critical path (CPM), RACI ownership tables, risk registers, definitions of done, and status templates. Auto-invoked by Zeus before plans longer than 4 weeks and by Daedalus after PRD approval. Governed by AGNT_001, SC_002.
|
|
71
71
|
|
|
@@ -83,15 +83,15 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
|
|
|
83
83
|
|
|
84
84
|
### Changed
|
|
85
85
|
|
|
86
|
-
- **`
|
|
87
|
-
- **`
|
|
88
|
-
- **`
|
|
89
|
-
- **`
|
|
86
|
+
- **`thesmos/package.json`** — version `3.5.0` → `3.6.0`
|
|
87
|
+
- **`thesmos/catalog.test.ts`** — agent count assertion `70` → `73`
|
|
88
|
+
- **`thesmos/bin/commands/compliance.ts`** — footer version `v3.5.0` → `v3.6.0`
|
|
89
|
+
- **`thesmos/adapters.ts`** — added `generatePantheonProtocol()` function; `generateClaudeRules` now appends Universal Protocol to every CLAUDE.md output
|
|
90
90
|
|
|
91
91
|
### Website & Documentation
|
|
92
92
|
|
|
93
|
-
- **`holley.studio/
|
|
94
|
-
- **`
|
|
93
|
+
- **`holley.studio/thesmos`** — version badge `v3.5.0` → `v3.6.0`, Pantheon count `31` → `34`, 3 new Pantheon cards (Proteus, Momus, Metis), new "Why Thesmos is Different" section with 4-card comparison and competitive table
|
|
94
|
+
- **`thesmos/README.md`** — new "Why Thesmos is different" section with 7 key selling points and feature comparison table
|
|
95
95
|
|
|
96
96
|
---
|
|
97
97
|
|
|
@@ -102,7 +102,7 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
|
|
|
102
102
|
**10 New Pantheon Agents — Creative, Business, and Developer Workflow:**
|
|
103
103
|
|
|
104
104
|
- **Calliope** (`calliope-email-agent`) — Email Design & HTML/MJML Agent. MJML source code, compiled HTML email templates, responsive cross-client design, deliverability checklists, A/B variant specs. Governed by GDPR_004 (no PII in email URLs), SEC_008 (no secrets in templates), GDPR_001 (consent gate awareness).
|
|
105
|
-
- **Talos** (`talos-web-dev-agent`) — Web Dev & Implementation Agent. Production-ready Next.js/React/TypeScript components, API routes, database queries, and test scaffolds. Runs a mental
|
|
105
|
+
- **Talos** (`talos-web-dev-agent`) — Web Dev & Implementation Agent. Production-ready Next.js/React/TypeScript components, API routes, database queries, and test scaffolds. Runs a mental Thesmos governance scan on every file before delivery. Governed by SEC_004, AUTH_002, NEXT_003, MCP_001.
|
|
106
106
|
- **Clio** (`clio-case-study-agent`) — Case Study & Social Proof Agent. Customer interview frameworks (STAR structure), first draft with [VERIFY] placeholders, ROI calculation worksheets, testimonial pull quotes, LinkedIn post versions, and PDF design briefs for Hephaestus. Governed by LIC_001 (no fabricated quotes), GDPR_013 (client consent required).
|
|
107
107
|
- **Eos** (`eos-automation-agent`) — Automation & Workflow Engineering Agent. n8n/Zapier/Make workflow JSON, GitHub Actions YAML, shell scripts, webhook handler code, and runbooks. All API keys BYOK. Governed by SC_007 (no script injection), SC_001 (pinned actions), SEC_007 (no hardcoded credentials).
|
|
108
108
|
- **Erato** (`erato-brand-voice-agent`) — Brand Voice & Messaging Architecture Agent. Brand voice guides, messaging architecture (hero message → pillars → proof points), tagline options with rationale, boilerplate copy at 4 lengths, competitor voice differentiation matrix. The guide that Apollo executes within.
|
|
@@ -122,16 +122,16 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
|
|
|
122
122
|
|
|
123
123
|
**`brain:promote` — Community Rule Promotion:**
|
|
124
124
|
|
|
125
|
-
- New command `
|
|
125
|
+
- New command `thesmos brain:promote --rule=<ID>` scaffolds an approved `ProposedRule` from `brain.json` into a TypeScript rule stub at `thesmos/rules/community/<ID>.ts`
|
|
126
126
|
- Generated stubs follow the exact `ThesmosRule` pattern used throughout the core rules (exported `*_RULES` array, externalized regex constant, `.js` imports)
|
|
127
127
|
- Printed step-by-step wiring instructions guide the developer to import the stub into `registry.ts`, add a test, and set the release version
|
|
128
128
|
- `brain:evolve --approve` now stamps `approvedAt` timestamp on approved proposals
|
|
129
|
-
- New `
|
|
129
|
+
- New `thesmos/rules/community/` directory with README documenting the promotion workflow
|
|
130
130
|
- Route registered in CLI: `brain:promote`
|
|
131
131
|
|
|
132
132
|
**MCP_001 — Expanded Injection Pattern Detection:**
|
|
133
133
|
|
|
134
|
-
- `INJECTION_RE` in `
|
|
134
|
+
- `INJECTION_RE` in `thesmos/rules/mcp.ts` expanded from 6 patterns to 25+ across 6 attack categories
|
|
135
135
|
- System prompt overrides: `ignore/disregard/forget/override previous instructions`, `your new instructions are`
|
|
136
136
|
- Role-play escapes: `you are now a`, `act as if`, `pretend to be`, `roleplay as`
|
|
137
137
|
- Delimiter injection: `<system>`, `[INST]`, `<|im_start|>`, `### System`
|
|
@@ -162,29 +162,29 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
|
|
|
162
162
|
|
|
163
163
|
**Complete Builder Wizard — 6 New Generators:**
|
|
164
164
|
|
|
165
|
-
- **`
|
|
165
|
+
- **`thesmos build:dashboard`** — 5-question wizard that creates a monitoring/analytics dashboard. Supports Next.js React components and plain HTML + Chart.js. Pre-wires Thesmos governance metrics as default data source. Outputs to `src/components/dashboards/<name>.tsx` or `public/dashboards/<name>.html`.
|
|
166
166
|
|
|
167
|
-
- **`
|
|
167
|
+
- **`thesmos build:workflow`** — 7-question wizard that creates GitHub Actions CI/CD workflows. Covers all trigger types (PR, push, scheduled, manual, release), all common step groups (test+lint, build+deploy, full CI with Thesmos scan), and all major deploy targets (Vercel, AWS, GCP). Manual approval gates wired via `trstringer/manual-approval`.
|
|
168
168
|
|
|
169
|
-
- **`
|
|
169
|
+
- **`thesmos build:rag`** — 9-question wizard for Retrieval-Augmented Generation pipelines. Generates `chunker.ts`, `retriever.ts`, and `pipeline.ts`. Supports OpenAI, Cohere, Anthropic, and local embeddings (all BYOK). Vector stores: Supabase pgvector, Pinecone, Weaviate, in-memory. Retrieval strategies: similarity, MMR (diverse), hybrid keyword+vector. Optional MCP tool wrapper to expose the pipeline to AI agents. Security note included in generated code: sanitize retrieved content to prevent prompt injection via documents.
|
|
170
170
|
|
|
171
|
-
- **`
|
|
171
|
+
- **`thesmos build:voice`** — 8-question wizard for real-time voice AI agents. Generates `session.ts`, `transport.ts`, and `pipeline.ts`. Supports WebRTC, Twilio Media Streams, and browser SpeechAPI transports. STT providers: Deepgram, AssemblyAI, OpenAI Whisper, browser native. TTS: ElevenLabs, Deepgram, browser native. LLM: Claude, OpenAI, local (all BYOK). Security warnings for audio PII and session isolation included in generated code.
|
|
172
172
|
|
|
173
|
-
- **`
|
|
173
|
+
- **`thesmos build:mcp-tool`** — 5-question wizard that creates a new custom tool for the Thesmos MCP server. Generates `thesmos/mcp-tools/<name>.ts` with full type-safe handler and registration instructions for `mcp-server.ts`. Supports read-only, file-writing, and external-API side-effect profiles. Return types: text, JSON, file list, Thesmos findings.
|
|
174
174
|
|
|
175
|
-
- **`
|
|
175
|
+
- **`thesmos build:automation`** — 6-question wizard for CI/CD automations. For GitHub-hosted triggers (cron, webhook, file-change, event) generates `.github/workflows/<name>.yml`. For local triggers generates `.thesmos/automation/<name>.sh` with retry logic and dry-run support. Covers all common step groups (tests, build, deploy, notification, custom) and failure modes (fail+alert, retry×3+alert, log+continue).
|
|
176
176
|
|
|
177
177
|
**Builder Wizard Infrastructure:**
|
|
178
178
|
|
|
179
179
|
- Generic `runBuilderWizard()` runner shared by all 6 builders — eliminates 200+ lines of duplicated wizard-loop code
|
|
180
180
|
- All 6 builders support `--plan` (outputs Markdown plan + design decisions), `--scaffold` (writes code), and `--yes` (skips confirmation)
|
|
181
|
-
- All scaffold outputs are immediately scanned by the
|
|
182
|
-
- All API keys are BYOK —
|
|
181
|
+
- All scaffold outputs are immediately scanned by the Thesmos governance engine before reporting
|
|
182
|
+
- All API keys are BYOK — Thesmos never stores, caches, or proxies credentials
|
|
183
183
|
|
|
184
184
|
### Changed
|
|
185
185
|
|
|
186
|
-
- `
|
|
187
|
-
- `
|
|
186
|
+
- `thesmos/package.json`: version `3.2.0` → `3.3.0`; added keywords: `ai-safety`, `owasp`, `mcp-server`, `brain`, `builder`
|
|
187
|
+
- `thesmos/bin/commands/build.ts`: replaced 6 `runBuildStub` stubs with real implementations; added 6 question arrays (40 total questions); imported 6 generator modules
|
|
188
188
|
|
|
189
189
|
---
|
|
190
190
|
|
|
@@ -194,15 +194,15 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
|
|
|
194
194
|
|
|
195
195
|
**5 Innovation Features:**
|
|
196
196
|
|
|
197
|
-
- **F1 — `debug_finding` MCP Tool** — New MCP tool on the existing `
|
|
197
|
+
- **F1 — `debug_finding` MCP Tool** — New MCP tool on the existing `thesmos mcp:serve` server. Call `debug_finding(rule_id, file_content, line?)` to get a `true_positive` / `likely_false_positive` verdict, the full rule explanation, exact fix suggestion, and suppression command. Closes the "why did this fire?" loop without leaving the AI assistant session.
|
|
198
198
|
|
|
199
|
-
- **F2 — Post-Fix Verification (`
|
|
199
|
+
- **F2 — Post-Fix Verification (`thesmos fix --verify`)** — After applying a fixer, Thesmos immediately re-runs `detect()` on the patched content to confirm the finding is resolved. New exports: `verifyFix(filePath, beforeContent, afterContent, finding, config): VerifyResult` and `VerifyResult` interface. Reports: ✅ verified / ❌ unresolved / ⚠️ regression introduced. Zero external dependencies — uses Thesmos's own rules engine.
|
|
200
200
|
|
|
201
|
-
- **F3 — GitHub PR Comment Bot (`
|
|
201
|
+
- **F3 — GitHub PR Comment Bot (`thesmos github:comment`)** — Posts or updates a single governance summary comment on a GitHub PR. Uses `GITHUB_TOKEN` + native Node 18 `fetch()` — no `@octokit/rest` dependency. Idempotent via an HTML marker (`<!-- thesmos-governance-bot -->`). Includes auto-detection of repo from `git remote`. `--print-workflow` prints a copy-paste GitHub Actions snippet. New file: `thesmos/bin/commands/github-comment.ts`.
|
|
202
202
|
|
|
203
|
-
- **F4 — Incremental Scan Cache** — sha256-keyed per-file finding cache in `.
|
|
203
|
+
- **F4 — Incremental Scan Cache** — sha256-keyed per-file finding cache in `.thesmos/.scan-cache.json`. Unchanged files return cached findings instantly; any rules-version bump invalidates all entries. New exports: `loadCache`, `saveCache`, `getCachedFindings`, `setCachedFindings`, `invalidateCache`, `runReviewCached`. Expected speedup: 70–90% on second scan when most files are unchanged. New file: `thesmos/incremental-cache.ts`.
|
|
204
204
|
|
|
205
|
-
- **F5 — LSP Real-Time Feedback Server (`thesmos lsp`)** — Standalone LSP 3.17 server over stdio. Surfaces governance findings as real-time squiggles in any LSP-compatible editor (VS Code, Cursor, Neovim, Emacs). Capabilities: `textDocument/didOpen`, `textDocument/didChange` (debounced 500ms), `textDocument/didSave`, hover tooltips with rule explanation, code actions (suppress / explain). VS Code extension now launches the LSP client alongside its existing on-save analysis via `vscode-languageclient`. New file: `
|
|
205
|
+
- **F5 — LSP Real-Time Feedback Server (`thesmos lsp`)** — Standalone LSP 3.17 server over stdio. Surfaces governance findings as real-time squiggles in any LSP-compatible editor (VS Code, Cursor, Neovim, Emacs). Capabilities: `textDocument/didOpen`, `textDocument/didChange` (debounced 500ms), `textDocument/didSave`, hover tooltips with rule explanation, code actions (suppress / explain). VS Code extension now launches the LSP client alongside its existing on-save analysis via `vscode-languageclient`. New file: `thesmos/lang-server.ts`.
|
|
206
206
|
|
|
207
207
|
**5 Bug Fixes:**
|
|
208
208
|
|
|
@@ -223,8 +223,8 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
|
|
|
223
223
|
|
|
224
224
|
### Changed
|
|
225
225
|
|
|
226
|
-
- `
|
|
227
|
-
- `
|
|
226
|
+
- `thesmos/fix.ts` now imports `THESMOS_RULES` and `runReview` to power `verifyFix()`.
|
|
227
|
+
- `thesmos/bin/commands/fix.ts` gains `--verify` flag.
|
|
228
228
|
- `extensions/vscode/src/extension.ts` now lazily starts an LSP client (requires `vscode-languageclient` installed).
|
|
229
229
|
- `extensions/vscode/package.json` adds `vscode-languageclient ^9.0.1` as a runtime dependency.
|
|
230
230
|
|
|
@@ -236,32 +236,32 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
|
|
|
236
236
|
|
|
237
237
|
**6 New Governance Pillars:**
|
|
238
238
|
|
|
239
|
-
- **Pillar 1 — MCP Server** (`
|
|
239
|
+
- **Pillar 1 — MCP Server** (`thesmos mcp:serve`, `thesmos mcp:install`) — Thesmos becomes a Model Context Protocol server. AI assistants call `scan_file`, `explain_rule`, `get_health`, `lint_commit`, and `get_context` _before_ generating code. `mcp:install` writes the server entry into `~/.claude/settings.json`. New files: `thesmos/mcp-server.ts`, `thesmos/bin/commands/mcp.ts`.
|
|
240
240
|
|
|
241
|
-
- **Pillar 2 — Dependency Security** (`
|
|
241
|
+
- **Pillar 2 — Dependency Security** (`thesmos deps:audit`) — Async CVE scanning via OSV.dev (`api.osv.dev/v1/querybatch`). Results cached in `.thesmos/dep-cache.json` (24h TTL) and consumed synchronously by 10 new DEP_001–010 rules: critical CVE (BLOCKER), high/medium CVE, abandoned-with-CVE, no integrity hash, git dependency, major drift, prerelease in prod, deprecated package, stale cache. SBOM export via `--sbom` flag in CycloneDX 1.4 format. New files: `thesmos/osv-client.ts`, `thesmos/rules/deps.ts`, `thesmos/bin/commands/deps.ts`.
|
|
242
242
|
|
|
243
|
-
- **Pillar 3 — Agent Governance** — 12 new AGNT_001–012 rules detecting missing scope declarations, unconstrained Bash, ungoverned MCP servers, absent hooks, no token budget, no audit trail, and unrestricted network access. Dual-directory guard (`.claude/` AND `.
|
|
243
|
+
- **Pillar 3 — Agent Governance** — 12 new AGNT_001–012 rules detecting missing scope declarations, unconstrained Bash, ungoverned MCP servers, absent hooks, no token budget, no audit trail, and unrestricted network access. Dual-directory guard (`.claude/` AND `.thesmos/` must both exist) prevents false positives in dev environments. Plus tamper-evident **Agent Audit Trail** (`thesmos agent:audit:log|verify|report|export|rotate`) — append-only `.thesmos/audit.jsonl` with sha256 hash-chained entries using `node:crypto`. `verify` detects tampering by recomputing the entire chain. New files: `thesmos/agent-audit.ts`, `thesmos/rules/agents.ts`, `thesmos/bin/commands/agent-audit.ts`.
|
|
244
244
|
|
|
245
|
-
- **Pillar 4 — SARIF Output** (`
|
|
245
|
+
- **Pillar 4 — SARIF Output** (`thesmos validate --sarif`) — SARIF 2.1.0 JSON for GitHub Security tab, VS Code Problems panel, Azure DevOps. All 911 rules emit full `reportingDescriptor` metadata. `thesmos ci:github-security` generates a GitHub Actions workflow that uploads `thesmos.sarif` to `github/codeql-action/upload-sarif@v3`. New file: `thesmos/sarif.ts`.
|
|
246
246
|
|
|
247
|
-
- **Pillar 5 — License Compliance** — 10 new LIC_001–010 rules: GPL in commercial projects (BLOCKER), unknown/UNLICENSED deps, LGPL copyleft, missing LICENSE file, proprietary dep, invalid SPDX, dual-license ambiguity, AI training restriction, GPL/Apache incompatibility (BLOCKER), missing NOTICE file. All rules use the `changedFiles !== undefined` filesystem guard to avoid false positives in changed-files mode. New file: `
|
|
247
|
+
- **Pillar 5 — License Compliance** — 10 new LIC_001–010 rules: GPL in commercial projects (BLOCKER), unknown/UNLICENSED deps, LGPL copyleft, missing LICENSE file, proprietary dep, invalid SPDX, dual-license ambiguity, AI training restriction, GPL/Apache incompatibility (BLOCKER), missing NOTICE file. All rules use the `changedFiles !== undefined` filesystem guard to avoid false positives in changed-files mode. New file: `thesmos/rules/license.ts`.
|
|
248
248
|
|
|
249
|
-
- **Pillar 6 — GDPR Compliance Pack** (`
|
|
249
|
+
- **Pillar 6 — GDPR Compliance Pack** (`thesmos compliance:report --standard gdpr`) — 15 new GDPR_001–015 rules covering: PII in console.log, analytics without consent, cookie without consent banner, PII in URL params, PII in localStorage, missing data deletion endpoint, PII in external logging (BLOCKER), unencrypted PII in Prisma schema, missing privacy policy link, third-party tracking without consent, PII in API error responses (BLOCKER), missing retention policy, session without expiry, real PII in test fixtures, and IP storage without consent. `compliance:report --standard gdpr` generates an audit-ready Markdown evidence report mapping each finding to its GDPR article. New files: `thesmos/rules/gdpr.ts`, `thesmos/bin/commands/compliance.ts`.
|
|
250
250
|
|
|
251
251
|
**3 Quick Wins:**
|
|
252
252
|
|
|
253
|
-
- **Governance Certificate** (`
|
|
253
|
+
- **Governance Certificate** (`thesmos certificate:generate`, `thesmos certificate:verify`) — Signed JSON artifact per delivery with sha256 hash chain for tamper detection. Fields: `rulesChecked`, `blockers`, `healthScore`, `healthGrade`, `hash`, `chain`. Agencies include in every delivery. New file: `thesmos/bin/commands/certificate.ts`.
|
|
254
254
|
|
|
255
|
-
- **Health Badge** (`
|
|
255
|
+
- **Health Badge** (`thesmos health --badge`) — Prints shield.io badge markdown to stdout. Color ranges: ≥80 brightgreen, ≥70 green, ≥60 yellowgreen, ≥50 yellow, ≥40 orange, <40 red.
|
|
256
256
|
|
|
257
|
-
- **AI Code Fingerprinting** (`
|
|
257
|
+
- **AI Code Fingerprinting** (`thesmos ai:fingerprint`) — Detects AI-generated files using git Co-Authored-By commit markers and static content heuristics (over-explained comments, step-numbered blocks, AI docstring patterns, boilerplate try/catch). Reports `aiGeneratedEstimate`, `topTool`, and per-file confidence scores. `--format json` for machine-readable output. New file: `thesmos/bin/commands/ai-fingerprint.ts`.
|
|
258
258
|
|
|
259
259
|
- Total rule count: **911** (864 previous + 12 AGNT + 10 DEP + 10 LIC + 15 GDPR).
|
|
260
260
|
|
|
261
261
|
### Changed
|
|
262
262
|
|
|
263
263
|
- `formatFindingsSarif()` in `review.ts` now delegates to `sarif.ts` for full rule metadata emission — all 911 rules appear in SARIF output regardless of whether they have findings.
|
|
264
|
-
- `
|
|
264
|
+
- `thesmos health --badge` added as a new flag to the existing `health` command.
|
|
265
265
|
- README rule counts updated from 864 → 911.
|
|
266
266
|
|
|
267
267
|
---
|
|
@@ -270,10 +270,10 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
|
|
|
270
270
|
|
|
271
271
|
### Added
|
|
272
272
|
|
|
273
|
-
- **Conventional Commits Governance** (`
|
|
274
|
-
- **Vercel Deployment Governance** (`
|
|
275
|
-
- **`commit-msg` git hook enforcement** — `
|
|
276
|
-
- **`commitLint` and `vercel` config sections** in `ThesmosConfig` — customise allowed commit types, max subject length, ticket patterns, Vercel plan limits, and cron auth requirements via `.
|
|
273
|
+
- **Conventional Commits Governance** (`thesmos commit:lint`, `thesmos commit:create`) — 10 new COMMIT_001–010 rules validate commit messages against the Conventional Commits specification using the standard `detect()` sentinel pattern (path `.git/COMMIT_EDITMSG`). Rules integrate with `explain`, `baseline`, and `suppressions:audit` automatically. `commit:lint` validates messages from the `commit-msg` hook, `--last`, or `--message "..."`. `commit:create` is an interactive wizard for building valid commit messages step-by-step.
|
|
274
|
+
- **Vercel Deployment Governance** (`thesmos vercel:lint`) — 10 new VERCEL*001–010 rules covering: literal secrets in `vercel.json` (BLOCKER), server secrets with `NEXT_PUBLIC*`prefix (BLOCKER), cron routes missing`CRON_SECRET`check (HIGH), env vars not documented in`.env.example`(HIGH), missing`.env.example`when env vars are used (HIGH), missing`maxDuration`in function config (MEDIUM), middleware missing edge runtime export (MEDIUM), missing security headers (MEDIUM),`maxDuration` exceeding plan limit (LOW), and open redirect patterns in redirects config (HIGH).
|
|
275
|
+
- **`commit-msg` git hook enforcement** — `thesmos hooks install --commit-msg` now writes a real enforcement block calling `thesmos commit:lint "$1"`. Previously a no-op placeholder.
|
|
276
|
+
- **`commitLint` and `vercel` config sections** in `ThesmosConfig` — customise allowed commit types, max subject length, ticket patterns, Vercel plan limits, and cron auth requirements via `.thesmos/config.json`.
|
|
277
277
|
- Total rule count: **864** (844 previous + 10 COMMIT + 10 VERCEL).
|
|
278
278
|
|
|
279
279
|
### Changed
|
|
@@ -287,14 +287,14 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
|
|
|
287
287
|
|
|
288
288
|
### Added
|
|
289
289
|
|
|
290
|
-
- **Slopsquatting Guard** (`
|
|
291
|
-
- **Agent Scope Enforcement** (`
|
|
292
|
-
- **Token Budget Governance** (`
|
|
293
|
-
- **AI Debt Fingerprinting** (`
|
|
294
|
-
- **Context Health + Session Handoff** (`
|
|
290
|
+
- **Slopsquatting Guard** (`thesmos import:scan`) — validates every npm/PyPI package in changed files against live registry APIs. Flags phantom packages (404), newly-registered packages (< 30 days old), and typosquat candidates (edit distance ≤ 2 from top packages). Works offline with graceful degradation. 10 new rules: SLOP_006–015.
|
|
291
|
+
- **Agent Scope Enforcement** (`thesmos scope:*`) — `.thesmos/scope.json` defines workspace boundaries and operation limits. PreToolUse hook intercepts every Write/Edit/Bash call and exits 2 on scope violations. Commands: `scope:init`, `scope:status`, `scope:check`.
|
|
292
|
+
- **Token Budget Governance** (`thesmos tokens:*`) — PostToolUse hook logs token usage per tool call to `.thesmos/token-usage.jsonl`. Enforces configurable session, daily, and project cost caps with alert and hard-stop thresholds. Commands: `tokens:report`, `tokens:reset`, `tokens:budget`.
|
|
293
|
+
- **AI Debt Fingerprinting** (`thesmos debt:scan`) — 20 new DEBT_001–020 rules that detect AI-specific code debt patterns traditional linters miss: duplicate function bodies, swallowed errors, magic numbers, O(n²) nested loops, vague variable names, commented-out blocks, missing `finally`, and more. Outputs a 0–100 debt score with A–F grade.
|
|
294
|
+
- **Context Health + Session Handoff** (`thesmos context:*`) — generates `.thesmos/context.md` from the live codebase (stack, established patterns, active constraints). `thesmos adapters` now auto-updates the snapshot. CLAUDE.md preamble now references `context.md` as step 1. Commands: `context:snapshot`, `context:health`.
|
|
295
295
|
- **Bash tool governance** — `claude:govern` PreToolUse hook now intercepts `Bash(npm install *)` / `Bash(pip install *)` calls and validates package names before they execute.
|
|
296
296
|
- **PostToolUse budget hook** — added to `.claude/settings.json` alongside existing PreToolUse and Stop hooks.
|
|
297
|
-
- **`tokenBudget` in `ThesmosConfig`** — configure token budgets directly in `.
|
|
297
|
+
- **`tokenBudget` in `ThesmosConfig`** — configure token budgets directly in `.thesmos/config.json`.
|
|
298
298
|
|
|
299
299
|
### Fixed
|
|
300
300
|
|
|
@@ -308,8 +308,8 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
|
|
|
308
308
|
|
|
309
309
|
### Changed
|
|
310
310
|
|
|
311
|
-
- `thesmos adapters` now auto-generates `.
|
|
312
|
-
- CLAUDE.md "Before Each Task" checklist renumbered 1–12; step 1 now reads `.
|
|
311
|
+
- `thesmos adapters` now auto-generates `.thesmos/context.md` on every run.
|
|
312
|
+
- CLAUDE.md "Before Each Task" checklist renumbered 1–12; step 1 now reads `.thesmos/context.md`.
|
|
313
313
|
- Token budget model cost table expanded with legacy date-suffixed model IDs (`claude-3-5-sonnet-20241022`, etc.) reported by older Claude Code versions.
|
|
314
314
|
|
|
315
315
|
---
|
|
@@ -322,11 +322,11 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
|
|
|
322
322
|
- **Python** (19 rules, PY_026–PY_045): async/await pitfalls, shell injection, `pickle`/`marshal` RCE, FastAPI/Django security patterns, Pydantic v2 migration, blocking I/O in async context, and more.
|
|
323
323
|
- **GraphQL** (25 rules, GQL_001–GQL_025): query depth/complexity limits, resolver auth enforcement, N+1 without DataLoader, introspection disabled in production, type correctness, and production hardening.
|
|
324
324
|
- **Terraform** (13 rules, TF_013–TF_025): sensitive IAM wildcards, open security groups (0.0.0.0/0), RDS deletion protection, KMS key rotation, secrets in `user_data`, `prevent_destroy` on critical resources, and S3 versioning.
|
|
325
|
-
- **3 new catalog agents**: `python-reviewer`, `graphql-reviewer`, `infrastructure-reviewer` — available via `
|
|
326
|
-
- **`
|
|
325
|
+
- **3 new catalog agents**: `python-reviewer`, `graphql-reviewer`, `infrastructure-reviewer` — available via `thesmos catalog:enable`.
|
|
326
|
+
- **`thesmos claude:govern`** — installs Claude Code hooks into `.claude/settings.json` for real-time governance in Auto Mode:
|
|
327
327
|
- `PreToolUse` (Write/Edit): blocks tool call (exit 2) if content contains any BLOCKER finding.
|
|
328
|
-
- `Stop`: runs `
|
|
329
|
-
- Install is idempotent; a `
|
|
328
|
+
- `Stop`: runs `thesmos drift` after each session to detect adapter staleness.
|
|
329
|
+
- Install is idempotent; a `_thesmos_governance` marker prevents duplicate hook entries.
|
|
330
330
|
- Autopilot permission profiles now preserve governance hooks when written/restored.
|
|
331
331
|
|
|
332
332
|
### Fixed
|
|
@@ -341,19 +341,19 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
|
|
|
341
341
|
### Added
|
|
342
342
|
|
|
343
343
|
- **142 governance rules** across 8 categories: security, TypeScript, React, Next.js, AI/LLM, performance, database, and code quality
|
|
344
|
-
- **6 AI adapter targets**: Claude (`CLAUDE.md`), Gemini (`GEMINI.md`), Cursor (`.cursor/rules/
|
|
344
|
+
- **6 AI adapter targets**: Claude (`CLAUDE.md`), Gemini (`GEMINI.md`), Cursor (`.cursor/rules/thesmos.mdc`), Copilot (`.github/copilot-instructions.md`), Codex (`.codex/thesmos.md`), and `AGENTS.md` — all generated from a single canonical rule registry with zero duplication
|
|
345
345
|
- **CLI commands**: `init`, `scan`, `review`, `validate`, `audit`, `doctor`, `ci-check`, `adapters`, `drift`, `baseline:*`, `explain`, `suppressions:audit`, `metrics`, `pack:*`, `health`, `ci`, `fix`, `update`, `catalog:*`, `agent:create`, `skill:create`
|
|
346
|
-
- **Governance folder** (`.
|
|
346
|
+
- **Governance folder** (`.thesmos/`): README, config, GUARDRAILS, RULES, governance docs, architecture docs, and a GitHub Actions workflow — all scaffolded by `thesmos init`
|
|
347
347
|
- **Baseline system**: snapshot known technical debt so new violations are caught without blocking existing codebases
|
|
348
|
-
- **Inline suppressions**: `//
|
|
348
|
+
- **Inline suppressions**: `// thesmos-disable-next-line <id> -- reason: <text>` with expiry dates and audit trail
|
|
349
349
|
- **Health score** (0–100 with letter grade): synthesises findings, drift, suppressions, and baseline into a single governance grade
|
|
350
350
|
- **Metrics engine**: local-first, privacy-safe governance analytics with history tracking
|
|
351
351
|
- **Drift detection**: 12 categories of stale/missing governance artifacts
|
|
352
|
-
- **Rule explanation engine**: `
|
|
352
|
+
- **Rule explanation engine**: `thesmos explain <rule-id>` shows why a rule exists, good/bad examples, and related playbooks
|
|
353
353
|
- **Catalog system**: 50+ built-in agents and 50+ built-in skills; 5 composable profiles (base, web, next-supabase, enterprise)
|
|
354
354
|
- **Pack system**: extensible rule bundles for third-party frameworks
|
|
355
355
|
- **Zero runtime dependencies**: the entire tool ships without a single production dependency
|
|
356
|
-
- **JSON Schema** for `.
|
|
356
|
+
- **JSON Schema** for `.thesmos/config.json`: add `$schema` for full editor autocomplete and validation
|
|
357
357
|
- **GitHub Actions CI/CD**: workflows for continuous integration (Node 18/20/22 matrix) and npm publishing on version tags
|
|
358
358
|
|
|
359
359
|
[1.0.0]: https://github.com/Holley-Studio/thesmos-governance/releases/tag/v1.0.0
|
package/LICENSE
CHANGED
|
@@ -5,8 +5,8 @@ Copyright (c) 2024 Matt Holley
|
|
|
5
5
|
Parameters
|
|
6
6
|
|
|
7
7
|
Licensor: Matt Holley
|
|
8
|
-
Licensed Work:
|
|
9
|
-
The Licensed Work is © 2024
|
|
8
|
+
Licensed Work: Thesmos Governance
|
|
9
|
+
The Licensed Work is © 2024–2026 Holley Studio LLC
|
|
10
10
|
Change Date: 2030-06-17 (four years from first publication)
|
|
11
11
|
Change License: MIT License
|
|
12
12
|
|
package/LICENSE-COMMERCIAL.md
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
# Commercial Licensing
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
Thesmos is released under the [Functional Source License 1.1 (FSL-1.1-MIT)](LICENSE).
|
|
4
4
|
|
|
5
|
-
FSL permits free use for personal projects, internal tooling, and open source work. It restricts offering
|
|
5
|
+
FSL permits free use for personal projects, internal tooling, and open source work. It restricts offering Thesmos itself (or a substantially similar product built on it) as a commercial service or product to third parties.
|
|
6
6
|
|
|
7
7
|
## When you need a commercial license
|
|
8
8
|
|
|
9
|
-
- You are building a SaaS product or hosted service powered by
|
|
10
|
-
- You are reselling or white-labeling
|
|
9
|
+
- You are building a SaaS product or hosted service powered by Thesmos
|
|
10
|
+
- You are reselling or white-labeling Thesmos
|
|
11
11
|
- You are bundling it into a commercial product sold to customers
|
|
12
12
|
|
|
13
13
|
## Contact
|
package/README.md
CHANGED
|
@@ -18,7 +18,7 @@ Thesmos is a repo governance tool for TypeScript projects. Define your code revi
|
|
|
18
18
|
|
|
19
19
|
Without governance, every AI assistant in your team invents its own rules. Claude follows one convention, Cursor follows another, Copilot knows nothing about your auth patterns. Every PR review is inconsistent. Governance debt compounds silently.
|
|
20
20
|
|
|
21
|
-
Thesmos solves this with a **single source of truth**:
|
|
21
|
+
Thesmos solves this with a **single source of truth**: 1,137 rules defined once, propagated everywhere.
|
|
22
22
|
|
|
23
23
|
| | Thesmos | ESLint | Danger.js | CodeClimate |
|
|
24
24
|
| --- | --- | --- | --- | --- |
|
|
@@ -27,7 +27,7 @@ Thesmos solves this with a **single source of truth**: 911 rules defined once, p
|
|
|
27
27
|
| Works fully offline | ✓ | ✓ | ✗ | ✗ |
|
|
28
28
|
| Governance folder + AI context | ✓ | ✗ | ✗ | ✗ |
|
|
29
29
|
| Health score (0–100) | ✓ | ✗ | ✗ | ✓ |
|
|
30
|
-
| Built-in rules (no plugins needed) |
|
|
30
|
+
| Built-in rules (no plugins needed) | 1,137 | ✗ | ✗ | ✓ |
|
|
31
31
|
| Installable rule packs | ✓ | ✓ | ✗ | ✗ |
|
|
32
32
|
| Inline suppressions with audit | ✓ | ✓ | ✗ | ✗ |
|
|
33
33
|
| Baseline for legacy debt | ✓ | ✗ | ✗ | ✗ |
|
|
@@ -84,7 +84,7 @@ Other platforms give you AI assistants. Thesmos gives you a governed AI team —
|
|
|
84
84
|
|
|
85
85
|
**7 things no other agent platform does:**
|
|
86
86
|
|
|
87
|
-
1. **Governance badge on every output** — Every God Agent delivery closes with `Thesmos check: [RULE_ID] ✅`. No other platform runs 1,
|
|
87
|
+
1. **Governance badge on every output** — Every God Agent delivery closes with `Thesmos check: [RULE_ID] ✅`. No other platform runs 1,137 governance rules against AI outputs automatically.
|
|
88
88
|
2. **38 world-class God Agents — not assistants** — Each agent has a named methodology, failure mode taxonomy, and adversarial self-check. Not "I know marketing" but "I use Ehrenberg-Bass reach theory, and here's the specific thing your brief gets wrong."
|
|
89
89
|
3. **God Council arbitration** — When agents conflict, Zeus arbitrates. Argus holds a permanent security veto; Themis holds a permanent legal veto. You get one decision, not a debate.
|
|
90
90
|
4. **God Agent Momus** — The only agent platform with a mandatory challenger. Momus challenges every major decision before it ships using Socratic method, Gary Klein's Pre-mortem, and Munger's Inversion.
|
|
@@ -320,7 +320,7 @@ npx thesmos validate --base=origin/$GITHUB_BASE_REF
|
|
|
320
320
|
|
|
321
321
|
### `thesmos adapters`
|
|
322
322
|
|
|
323
|
-
Generates AI assistant instruction files from the canonical rule registry. Preserves any content you have written outside `<!--
|
|
323
|
+
Generates AI assistant instruction files from the canonical rule registry. Preserves any content you have written outside `<!-- THESMOS:GENERATED -->` markers.
|
|
324
324
|
|
|
325
325
|
```bash
|
|
326
326
|
npx thesmos adapters
|
|
@@ -438,7 +438,7 @@ npx thesmos fix --base=main # applies changes
|
|
|
438
438
|
|
|
439
439
|
## Rule packs
|
|
440
440
|
|
|
441
|
-
Packs are installable bundles of additional rules, agents, skills, and playbooks. The built-in registry ships
|
|
441
|
+
Packs are installable bundles of additional rules, agents, skills, and playbooks. The built-in registry ships 1,137 rules — packs let the community (and your organisation) add more without forking.
|
|
442
442
|
|
|
443
443
|
### Installing a pack
|
|
444
444
|
|
|
@@ -559,7 +559,7 @@ Use rule IDs (`ENV_001`) or category names (`direct_env_access`). Both are shown
|
|
|
559
559
|
|
|
560
560
|
## Adapter targets
|
|
561
561
|
|
|
562
|
-
Every adapter is generated from the same `
|
|
562
|
+
Every adapter is generated from the same `THESMOS_RULES` array. You never write rules twice.
|
|
563
563
|
|
|
564
564
|
| Target | Output path | Used by |
|
|
565
565
|
| --- | --- | --- |
|
|
@@ -570,9 +570,9 @@ Every adapter is generated from the same `PROMETHEUS_RULES` array. You never wri
|
|
|
570
570
|
| `codex` | `.codex/thesmos.md` | OpenAI Codex CLI |
|
|
571
571
|
| `agents` | `AGENTS.md` | OpenAI Agents, generic agents |
|
|
572
572
|
|
|
573
|
-
Adapters embed a `<!--
|
|
573
|
+
Adapters embed a `<!-- THESMOS:META -->` comment with `version`, `target`, and `ruleCount`. `thesmos ci-check` reads this metadata to detect drift without re-running the generator — fully deterministic, no timestamps.
|
|
574
574
|
|
|
575
|
-
Manual content you write outside `<!--
|
|
575
|
+
Manual content you write outside `<!-- THESMOS:GENERATED START -->` / `<!-- THESMOS:GENERATED END -->` markers is **always preserved** across regenerations.
|
|
576
576
|
|
|
577
577
|
---
|
|
578
578
|
|
|
@@ -656,7 +656,7 @@ import {
|
|
|
656
656
|
runDoctorForRoot,
|
|
657
657
|
runCiCheckForRoot,
|
|
658
658
|
exitCodeFor,
|
|
659
|
-
|
|
659
|
+
THESMOS_RULES,
|
|
660
660
|
} from 'thesmos-governance';
|
|
661
661
|
|
|
662
662
|
// Load config from .thesmos/config.json
|
|
@@ -676,14 +676,14 @@ const checks = await runDoctorForRoot(root, config);
|
|
|
676
676
|
|
|
677
677
|
// Generate adapter content for any target
|
|
678
678
|
import { buildAdapterContent } from 'thesmos-governance';
|
|
679
|
-
const content = buildAdapterContent('claude', existing,
|
|
679
|
+
const content = buildAdapterContent('claude', existing, THESMOS_RULES, config);
|
|
680
680
|
```
|
|
681
681
|
|
|
682
682
|
### Key exports
|
|
683
683
|
|
|
684
684
|
```typescript
|
|
685
685
|
// Rules
|
|
686
|
-
|
|
686
|
+
THESMOS_RULES // ThesmosRule[] — all 1,137 built-in rules
|
|
687
687
|
getRulesByTag(tag) // filter by tag
|
|
688
688
|
getRulesBySeverity(sev) // filter by severity
|
|
689
689
|
getRulesByCategory(cat) // filter by category
|
|
@@ -729,7 +729,7 @@ import type {
|
|
|
729
729
|
## How it works
|
|
730
730
|
|
|
731
731
|
```text
|
|
732
|
-
|
|
732
|
+
THESMOS_RULES ← single source of truth (1,137 built-in rules + pack rules at runtime)
|
|
733
733
|
│
|
|
734
734
|
├── adapters.ts → CLAUDE.md · GEMINI.md · .cursor/ · .github/ · .codex/ · AGENTS.md
|
|
735
735
|
├── init.ts → .thesmos/ governance folder
|
|
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
|
|
|
15
15
|
|
|
16
16
|
# Accessibility Reviewer
|
|
17
17
|
|
|
18
|
+
> I am the **Accessibility Reviewer**, a specialized governance gate of the Thesmos Pantheon.
|
|
19
|
+
|
|
18
20
|
## Purpose
|
|
19
21
|
|
|
20
22
|
Reviews UI component changes for WCAG 2.1 AA compliance: missing ARIA attributes, insufficient colour contrast, keyboard navigation gaps, focus management issues, and form labels not associated with inputs.
|
|
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
|
|
|
15
15
|
|
|
16
16
|
# AI Safety Reviewer
|
|
17
17
|
|
|
18
|
+
> I am the **AI Safety Reviewer**, a specialized governance gate of the Thesmos Pantheon.
|
|
19
|
+
|
|
18
20
|
## Purpose
|
|
19
21
|
|
|
20
22
|
Reviews AI-integrated code for safety issues: prompt injection risks, LLM output used without sanitisation, model API keys committed to source, missing output validation, and user-supplied content passed directly to system prompts.
|
|
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
|
|
|
15
15
|
|
|
16
16
|
# Analytics Reviewer
|
|
17
17
|
|
|
18
|
+
> I am the **Analytics Reviewer**, a specialized governance gate of the Thesmos Pantheon.
|
|
19
|
+
|
|
18
20
|
## Purpose
|
|
19
21
|
|
|
20
22
|
Reviews analytics implementation: consent gate correctness, PII in tracking events, data layer schema consistency, and GDPR-compliant event firing. Ensures analytics events do not fire before consent is granted.
|
|
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
|
|
|
15
15
|
|
|
16
16
|
# API Reviewer
|
|
17
17
|
|
|
18
|
+
> I am the **API Reviewer**, a specialized governance gate of the Thesmos Pantheon.
|
|
19
|
+
|
|
18
20
|
## Purpose
|
|
19
21
|
|
|
20
22
|
Reviews API route handlers for security and correctness: authentication guards, input validation, HTTP method handling, error response shapes, and rate limiting. Ensures new routes follow the established API contract.
|
|
@@ -14,6 +14,8 @@ model: claude-haiku-4-5-20251001
|
|
|
14
14
|
|
|
15
15
|
# Architecture Reviewer
|
|
16
16
|
|
|
17
|
+
> I am the **Architecture Reviewer**, a specialized governance gate of the Thesmos Pantheon.
|
|
18
|
+
|
|
17
19
|
## Purpose
|
|
18
20
|
|
|
19
21
|
Reviews changes for structural integrity: oversized files that should be split, emerging duplicate component patterns that indicate premature divergence, and refactors that cross module boundaries without updating dependents.
|
|
@@ -16,6 +16,8 @@ model: claude-haiku-4-5-20251001
|
|
|
16
16
|
|
|
17
17
|
# God Agent Ate — SQL Injection & WAF Investigator
|
|
18
18
|
|
|
19
|
+
> I am the **God Agent Ate — SQL Injection & WAF Investigator**, a specialized governance gate of the Thesmos Pantheon.
|
|
20
|
+
|
|
19
21
|
## Purpose
|
|
20
22
|
|
|
21
23
|
Investigates SQL injection vulnerabilities and WAF evasion patterns in database query code. Detects string concatenation in SQL queries, missing parameterization, template literal interpolation into raw SQL, ORM raw query misuse, and WAF bypass techniques (UNION SELECT, encoded payloads, comment-based obfuscation). Named for Ate, goddess of ruin and folly — she who ensures every developer who forgets to parameterize a query faces the consequences.
|
|
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
|
|
|
15
15
|
|
|
16
16
|
# Auth Reviewer
|
|
17
17
|
|
|
18
|
+
> I am the **Auth Reviewer**, a specialized governance gate of the Thesmos Pantheon.
|
|
19
|
+
|
|
18
20
|
## Purpose
|
|
19
21
|
|
|
20
22
|
Deeply reviews authentication and authorisation logic: session handling, token rotation, privilege escalation risks, missing route guards, and incorrect use of auth helpers across the client/server boundary.
|
|
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
|
|
|
15
15
|
|
|
16
16
|
# Backend Reviewer
|
|
17
17
|
|
|
18
|
+
> I am the **Backend Reviewer**, a specialized governance gate of the Thesmos Pantheon.
|
|
19
|
+
|
|
18
20
|
## Purpose
|
|
19
21
|
|
|
20
22
|
Reviews server-side code changes: data validation, error handling, idempotent operations, database query efficiency, and correct use of server-only APIs. Ensures server actions and API routes follow the established request/response contract.
|
|
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
|
|
|
15
15
|
|
|
16
16
|
# Build System Reviewer
|
|
17
17
|
|
|
18
|
+
> I am the **Build System Reviewer**, a specialized governance gate of the Thesmos Pantheon.
|
|
19
|
+
|
|
18
20
|
## Purpose
|
|
19
21
|
|
|
20
22
|
Reviews changes to build configuration: Next.js config, Webpack/Turbopack customizations, tsup/esbuild settings, and TypeScript compiler options. Catches configurations that break tree shaking, disable type checking, or introduce non-deterministic builds.
|
|
@@ -16,6 +16,8 @@ model: claude-haiku-4-5-20251001
|
|
|
16
16
|
|
|
17
17
|
# God Agent Cerberus — OAuth Token Theft Investigator
|
|
18
18
|
|
|
19
|
+
> I am the **God Agent Cerberus — OAuth Token Theft Investigator**, a specialized governance gate of the Thesmos Pantheon.
|
|
20
|
+
|
|
19
21
|
## Purpose
|
|
20
22
|
|
|
21
23
|
Investigates OAuth token theft and replay attack patterns in authentication code. Detects access token storage in insecure locations (localStorage, cookies without `HttpOnly`/`Secure`), missing token expiry enforcement, refresh token mishandling, and JWT decode-without-verify anti-patterns. Also reviews code that handles authorization flows for pass-the-cookie and token replay vulnerabilities. Named for Cerberus, three-headed guardian of the gates — he who admits only the legitimately authenticated.
|
|
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
|
|
|
15
15
|
|
|
16
16
|
# CI Reviewer
|
|
17
17
|
|
|
18
|
+
> I am the **CI Reviewer**, a specialized governance gate of the Thesmos Pantheon.
|
|
19
|
+
|
|
18
20
|
## Purpose
|
|
19
21
|
|
|
20
22
|
Reviews CI/CD pipeline configuration for correctness and security: workflow permissions, secret exposure in logs, non-pinned action versions, missing required status checks, and build matrices that do not match the project's Node.js support matrix.
|
|
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
|
|
|
15
15
|
|
|
16
16
|
# Code Quality Reviewer
|
|
17
17
|
|
|
18
|
+
> I am the **Code Quality Reviewer**, a specialized governance gate of the Thesmos Pantheon.
|
|
19
|
+
|
|
18
20
|
## Purpose
|
|
19
21
|
|
|
20
22
|
Catches low-level code hygiene issues that accumulate into tech debt: unchecked `any` types, leftover `console.log` statements in production paths, and hardcoded design tokens that bypass the design system.
|
|
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
|
|
|
15
15
|
|
|
16
16
|
# Compliance Reviewer
|
|
17
17
|
|
|
18
|
+
> I am the **Compliance Reviewer**, a specialized governance gate of the Thesmos Pantheon.
|
|
19
|
+
|
|
18
20
|
## Purpose
|
|
19
21
|
|
|
20
22
|
Reviews changes against SOC2, GDPR, HIPAA, and PCI-DSS control requirements: audit trail completeness, access control enforcement, encryption at rest and in transit, and change-management traceability.
|
|
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
|
|
|
15
15
|
|
|
16
16
|
# Content Reviewer
|
|
17
17
|
|
|
18
|
+
> I am the **Content Reviewer**, a specialized governance gate of the Thesmos Pantheon.
|
|
19
|
+
|
|
18
20
|
## Purpose
|
|
19
21
|
|
|
20
22
|
Reviews content-related changes: hardcoded copy strings that should be CMS-managed, missing localisation keys, content that does not follow the brand voice guide, and stale placeholder text left in production code.
|
|
@@ -18,6 +18,8 @@ model: claude-haiku-4-5-20251001
|
|
|
18
18
|
|
|
19
19
|
# Creative Director
|
|
20
20
|
|
|
21
|
+
> I am the **Creative Director**, a specialized governance gate of the Thesmos Pantheon.
|
|
22
|
+
|
|
21
23
|
## Purpose
|
|
22
24
|
|
|
23
25
|
Acts as a permanent creative director embedded in your codebase. Reviews UI components, pages, and stylesheets for design consistency, brand alignment, and visual quality — catching the drift that accumulates when multiple AI tools contribute code without awareness of your design system.
|
|
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
|
|
|
15
15
|
|
|
16
16
|
# Data Fetching Reviewer
|
|
17
17
|
|
|
18
|
+
> I am the **Data Fetching Reviewer**, a specialized governance gate of the Thesmos Pantheon.
|
|
19
|
+
|
|
18
20
|
## Purpose
|
|
19
21
|
|
|
20
22
|
Reviews data fetching patterns: N+1 queries, missing cache revalidation, waterfall fetches that should be parallel, client-side fetching that should be server-side in Next.js App Router, and stale cache configuration.
|
|
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
|
|
|
15
15
|
|
|
16
16
|
# Database Reviewer
|
|
17
17
|
|
|
18
|
+
> I am the **Database Reviewer**, a specialized governance gate of the Thesmos Pantheon.
|
|
19
|
+
|
|
18
20
|
## Purpose
|
|
19
21
|
|
|
20
22
|
Reviews database schema changes and query patterns: RLS policy correctness, migration safety (destructive operations, missing rollback), index strategy, and N+1 query risks from ORM usage.
|