thesmos-governance 4.3.0 → 4.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (138) hide show
  1. package/CHANGELOG.md +67 -103
  2. package/LICENSE +2 -2
  3. package/LICENSE-COMMERCIAL.md +4 -4
  4. package/README.md +12 -12
  5. package/catalog/agents/reviewers/accessibility-reviewer.md +2 -0
  6. package/catalog/agents/reviewers/ai-safety-reviewer.md +2 -0
  7. package/catalog/agents/reviewers/analytics-reviewer.md +2 -0
  8. package/catalog/agents/reviewers/api-reviewer.md +2 -0
  9. package/catalog/agents/reviewers/architecture-reviewer.md +2 -0
  10. package/catalog/agents/reviewers/ate-sql-injection-agent.md +2 -0
  11. package/catalog/agents/reviewers/auth-reviewer.md +2 -0
  12. package/catalog/agents/reviewers/backend-reviewer.md +2 -0
  13. package/catalog/agents/reviewers/build-system-reviewer.md +2 -0
  14. package/catalog/agents/reviewers/cerberus-oauth-agent.md +2 -0
  15. package/catalog/agents/reviewers/ci-reviewer.md +2 -0
  16. package/catalog/agents/reviewers/code-quality-reviewer.md +2 -0
  17. package/catalog/agents/reviewers/compliance-reviewer.md +2 -0
  18. package/catalog/agents/reviewers/content-reviewer.md +2 -0
  19. package/catalog/agents/reviewers/creative-director.md +2 -0
  20. package/catalog/agents/reviewers/data-fetching-reviewer.md +2 -0
  21. package/catalog/agents/reviewers/database-reviewer.md +2 -0
  22. package/catalog/agents/reviewers/dependency-reviewer.md +2 -0
  23. package/catalog/agents/reviewers/design-system-reviewer.md +2 -0
  24. package/catalog/agents/reviewers/devops-reviewer.md +3 -1
  25. package/catalog/agents/reviewers/documentation-reviewer.md +2 -0
  26. package/catalog/agents/reviewers/ecommerce-reviewer.md +2 -0
  27. package/catalog/agents/reviewers/error-handling-reviewer.md +2 -0
  28. package/catalog/agents/reviewers/feature-flag-reviewer.md +2 -0
  29. package/catalog/agents/reviewers/forms-reviewer.md +2 -0
  30. package/catalog/agents/reviewers/frontend-reviewer.md +2 -0
  31. package/catalog/agents/reviewers/fullstack-reviewer.md +2 -0
  32. package/catalog/agents/reviewers/governance-reviewer.md +2 -0
  33. package/catalog/agents/reviewers/graphql-reviewer.md +2 -0
  34. package/catalog/agents/reviewers/hades-credential-agent.md +2 -0
  35. package/catalog/agents/reviewers/hecate-prompt-injection-agent.md +2 -0
  36. package/catalog/agents/reviewers/incident-reviewer.md +2 -0
  37. package/catalog/agents/reviewers/infrastructure-reviewer.md +2 -0
  38. package/catalog/agents/reviewers/localization-reviewer.md +2 -0
  39. package/catalog/agents/reviewers/migration-reviewer.md +2 -0
  40. package/catalog/agents/reviewers/mobile-reviewer.md +2 -0
  41. package/catalog/agents/reviewers/monorepo-reviewer.md +2 -0
  42. package/catalog/agents/reviewers/nemesis-supply-chain-agent.md +2 -0
  43. package/catalog/agents/reviewers/nextjs-reviewer.md +2 -0
  44. package/catalog/agents/reviewers/nyx-api-enumeration-agent.md +2 -0
  45. package/catalog/agents/reviewers/observability-reviewer.md +2 -0
  46. package/catalog/agents/reviewers/onboarding-reviewer.md +2 -0
  47. package/catalog/agents/reviewers/package-publishing-reviewer.md +2 -0
  48. package/catalog/agents/reviewers/performance-reviewer.md +2 -0
  49. package/catalog/agents/reviewers/privacy-reviewer.md +2 -0
  50. package/catalog/agents/reviewers/product-reviewer.md +2 -0
  51. package/catalog/agents/reviewers/prompt-engineering-reviewer.md +2 -0
  52. package/catalog/agents/reviewers/python-reviewer.md +2 -0
  53. package/catalog/agents/reviewers/react-reviewer.md +2 -0
  54. package/catalog/agents/reviewers/refactor-reviewer.md +2 -0
  55. package/catalog/agents/reviewers/release-readiness-reviewer.md +2 -0
  56. package/catalog/agents/reviewers/security-reviewer.md +2 -0
  57. package/catalog/agents/reviewers/seo-reviewer.md +2 -0
  58. package/catalog/agents/reviewers/shopify-reviewer.md +2 -0
  59. package/catalog/agents/reviewers/state-management-reviewer.md +2 -0
  60. package/catalog/agents/reviewers/supabase-reviewer.md +2 -0
  61. package/catalog/agents/reviewers/testing-reviewer.md +2 -0
  62. package/catalog/agents/reviewers/typescript-reviewer.md +2 -0
  63. package/catalog/agents/reviewers/ux-reviewer.md +2 -0
  64. package/catalog/agents/reviewers/wordpress-reviewer.md +2 -0
  65. package/catalog/skills/a11y-audit.md +1 -1
  66. package/catalog/skills/adapter-sync.md +10 -10
  67. package/catalog/skills/add-tests.md +2 -2
  68. package/catalog/skills/ai-prompt-review.md +1 -1
  69. package/catalog/skills/analytics-compliance.md +1 -1
  70. package/catalog/skills/api-deprecation-review.md +1 -1
  71. package/catalog/skills/api-design-review.md +1 -1
  72. package/catalog/skills/auth-flow-review.md +1 -1
  73. package/catalog/skills/build-optimization.md +1 -1
  74. package/catalog/skills/ci-pipeline-audit.md +1 -1
  75. package/catalog/skills/component-audit.md +1 -1
  76. package/catalog/skills/cors-audit.md +1 -1
  77. package/catalog/skills/csp-audit.md +1 -1
  78. package/catalog/skills/data-fetching-audit.md +1 -1
  79. package/catalog/skills/database-schema-review.md +1 -1
  80. package/catalog/skills/dependency-audit.md +1 -1
  81. package/catalog/skills/design-token-audit.md +1 -1
  82. package/catalog/skills/documentation-audit.md +1 -1
  83. package/catalog/skills/e2e-test-review.md +1 -1
  84. package/catalog/skills/env-variable-audit.md +2 -2
  85. package/catalog/skills/error-boundary-audit.md +1 -1
  86. package/catalog/skills/feature-flag-audit.md +1 -1
  87. package/catalog/skills/final-hardening-pass.md +4 -4
  88. package/catalog/skills/generate-report.md +2 -2
  89. package/catalog/skills/graphql-schema-review.md +2 -2
  90. package/catalog/skills/i18n-audit.md +1 -1
  91. package/catalog/skills/incident-postmortem.md +1 -1
  92. package/catalog/skills/infrastructure-security-review.md +2 -2
  93. package/catalog/skills/init-governance.md +9 -9
  94. package/catalog/skills/integration-test-review.md +1 -1
  95. package/catalog/skills/logging-audit.md +1 -1
  96. package/catalog/skills/migration-safety-check.md +1 -1
  97. package/catalog/skills/monorepo-dependency-graph.md +1 -1
  98. package/catalog/skills/observability-review.md +1 -1
  99. package/catalog/skills/onboarding-audit.md +1 -1
  100. package/catalog/skills/performance-profile.md +1 -1
  101. package/catalog/skills/pr-review.md +6 -6
  102. package/catalog/skills/python-async-audit.md +2 -2
  103. package/catalog/skills/rate-limit-audit.md +1 -1
  104. package/catalog/skills/refactor-impact-analysis.md +1 -1
  105. package/catalog/skills/release-checklist.md +3 -3
  106. package/catalog/skills/repo-health-audit.md +5 -5
  107. package/catalog/skills/rls-policy-audit.md +1 -1
  108. package/catalog/skills/scan-codebase.md +3 -3
  109. package/catalog/skills/secret-scan.md +2 -2
  110. package/catalog/skills/security-scan.md +3 -3
  111. package/catalog/skills/seo-audit.md +1 -1
  112. package/catalog/skills/staged-change-review.md +2 -2
  113. package/catalog/skills/state-audit.md +1 -1
  114. package/catalog/skills/test-coverage-report.md +3 -3
  115. package/catalog/skills/typescript-strict-mode.md +2 -2
  116. package/catalog/skills/validate-rules.md +8 -8
  117. package/catalog/skills/webhook-security-review.md +1 -1
  118. package/config.schema.json +11 -0
  119. package/dist/chunk-CFZYUTI5.js +53 -0
  120. package/dist/{chunk-7GCSYG7G.js → chunk-LNKIVLDD.js} +36 -5
  121. package/dist/{chunk-SVE6NZBV.js → chunk-N3JARC7J.js} +2867 -169
  122. package/dist/chunk-NNBMRFC7.js +84 -0
  123. package/dist/chunk-NZP3IDLM.js +1053 -0
  124. package/dist/{chunk-EVQAWKS4.js → chunk-PABK62WO.js} +1 -1
  125. package/dist/{chunk-FFZCCMLT.js → chunk-TB4RKQHR.js} +2818 -145
  126. package/dist/cli.js +15485 -13117
  127. package/dist/{config-X235D23R.js → config-65EKMTOG.js} +3 -2
  128. package/dist/{git-IZFKH3GY.js → git-DO2YR34V.js} +5 -2
  129. package/dist/index.d.ts +130 -19
  130. package/dist/index.js +807 -411
  131. package/dist/registry-FBNMJBM7.js +10 -0
  132. package/dist/registry-Q5WEDMVX.js +15 -0
  133. package/dist/{review-2FTGISZG.js → review-TSPFDIXP.js} +4 -3
  134. package/package.json +16 -6
  135. package/dist/chunk-D5UANPA5.js +0 -61
  136. package/dist/chunk-VG2453HG.js +0 -176
  137. package/dist/registry-A66NBHXV.js +0 -10
  138. package/dist/registry-UMT2SOUG.js +0 -6
package/CHANGELOG.md CHANGED
@@ -1,54 +1,18 @@
1
1
  # Changelog
2
2
 
3
- ## 4.3.0
3
+ ## 4.6.0
4
4
 
5
5
  ### Minor Changes
6
6
 
7
- - 316bf4d: Expand built-in rule registry from 142 to 737 rules, add language packs, IaC security rules, pack authoring toolchain, and HTML report improvements.
7
+ - e8ce8d1: AGNT_037 (1M context window governance) is now a hard BLOCKER gate instead of an advisory HIGH lint. Enabling a `[1m]` model variant or `context-1m` beta header without explicit `"context1M": { "allow1M": true }` in `.thesmos/config.json` now blocks the Write/Edit governance hook and fails CI, instead of only printing a warning. The matcher is scoped to live config contexts (model assignments, `anthropic-beta` values) so it does not fire on prose/documentation mentioning `[1m]`.
8
+ - e8ce8d1: Adds a native Claude Code plugin surface (`.claude-plugin/plugin.json` + marketplace listing) that registers the existing MCP server, the governance PreToolUse/PostToolUse/Stop hooks, and three skills (scan/review/advise). Install via `/plugin marketplace add Holley-Studio/thesmos-governance` — no separate `npm install` step required.
9
+ - e8ce8d1: New `power: 'lean' | 'god'` config governs Pantheon orchestration ceremony in AI-assistant adapter output. `lean` (default) routes to one specialist with a one-line Zeus header and no auto-council; `god` unlocks the full multi-line routing banners, council assembly/report blocks, and deep-research escalation. `thesmos advise` now assigns a model recommendation per plan phase (splitting a plan across model tiers when phases genuinely differ in depth) instead of a single recommendation for the whole plan.
10
+ - e8ce8d1: New rule tiering engine. The free CLI now runs a 289-rule Essentials set (every BLOCKER plus the complete AI-code safety net — VIBE/AI/SLOP rule families); the remaining 848 rules unlock via a distribution-gated premium pack marker (`~/.thesmos/premium/pack.json` or a project's `.thesmos/premium/pack.json`), or explicitly via `config.tier` / the `THESMOS_TIER` environment variable. New `thesmos tier` command reports the active tier and rule counts (supports `--json`).
8
11
 
9
- **New rules (498 added across 16 domain and language files):**
12
+ ### Patch Changes
10
13
 
11
- - `imports.ts` 20 rules covering barrel file performance, circular imports, side-effect imports, namespace imports, server modules in client code, missing `.js` extensions, lodash/moment bundle size, and more
12
- - `state.ts` 20 rules covering Zustand selector patterns, Redux mutations, Context instability, atom scope, localStorage in SSR, stale closures, and more
13
- - `forms.ts` — 20 rules covering validation, accessibility (WCAG 1.3.1), CSRF, file upload types, RHF patterns, loading states, `aria-invalid`, and more
14
- - `logging.ts` — 20 rules including PII in logs (BLOCKER), secrets in logs (BLOCKER), unstructured logs, missing context IDs, audit log gaps, and more
15
- - `css.ts` — 20 rules covering Tailwind arbitrary values, missing responsive breakpoints, dark mode, z-index magic numbers, `outline-none` without `focus-visible` (WCAG 2.4.7), `prefers-reduced-motion`, and more
16
- - `nextjs.ts` — expanded from 15 to 37 rules: `use server` placement, missing Suspense, static metadata, `cookies()` forcing dynamic render, raw `<img>`, Server Action revalidation, font optimisation, and more
17
- - `react.ts` — expanded from 12 to 32 rules: missing keys, index keys, stale `useCallback`, `dangerouslySetInnerHTML` (BLOCKER), `useId` for a11y, debounce on search, and more
18
- - `security.ts` — expanded from 22 to 40 rules: open redirect, mass assignment (BLOCKER), timing-safe comparison, JWT weak secret (BLOCKER), session fixation, clickjacking headers, plaintext passwords (BLOCKER), and more
19
- - `typescript.ts` — expanded from 17 to 35 rules: double type assertions, missing return types, `satisfies` operator, `readonly` on config interfaces, excessive non-null assertions, and more
20
- - `performance.ts` — expanded from 16 to 31 rules: LCP hero images, list virtualisation, runtime CSS-in-JS, passive scroll listeners, layout thrashing, waterfall `await` chains, and more
21
- - `database.ts` — expanded from 16 to 31 rules: N+1 queries, missing Prisma FK indexes, transaction gaps, soft-delete patterns, connection pool singleton, cascade delete risk, and more
22
- - `ai.ts` — expanded from 12 to 27 rules: prompt injection (BLOCKER), token limit validation, LLM output execution (BLOCKER), cost budgets, agent loop caps, system prompt leakage, content moderation, RAG citations, and more
23
- - `python.ts` — 20 new rules: SQL injection via f-string, hardcoded secrets, pickle.loads (BLOCKER), eval/exec usage, subprocess shell injection, YAML unsafe load, weak crypto, path traversal, and more
24
- - `django.ts` — 20 new rules: debug mode in production, missing CSRF middleware, raw SQL in ORM, open redirect, missing AUTH_PASSWORD_VALIDATORS, template injection via mark_safe, and more
25
- - `go.ts` — 20 new rules: SQL concat in db.Query, goroutine leak in handlers, ioutil deprecated APIs, weak random, http.ListenAndServe on 0.0.0.0, missing context cancellation, and more
26
- - `ruby.ts` — 20 new rules: ActiveRecord string interpolation (BLOCKER), params.permit! (BLOCKER), YAML.load unsafe (BLOCKER), missing authenticate before_action, skip_before_action auth, open redirect via redirect_to, and more
27
- - `php.ts` — 20 new rules: SQL injection via concatenation/interpolation (BLOCKER), XSS echo without htmlspecialchars (BLOCKER), eval() (BLOCKER), command injection (BLOCKER), path traversal/LFI (BLOCKER), $guarded = [] mass assignment (BLOCKER), whereRaw() interpolation (BLOCKER), SSRF via file_get_contents (BLOCKER), unserialize on user input (BLOCKER), Blade missing @csrf, and more
28
-
29
- **Pack runtime loading:**
30
-
31
- - `loadPackRulesFromEntry(entry)` — dynamically imports `rules/index.js` from a single pack directory
32
- - `loadPackRules(root)` — discovers all packs under `.thesmos/packs/` and `node_modules/@thesmos/` and loads their rules
33
- - `getActiveRules(root)` — returns built-in rules merged with pack rules; pass to `runReview()` as second argument
34
- - `thesmos review` and `thesmos validate` CLI commands now automatically load pack rules at startup
35
-
36
- **Pack authoring toolchain:**
37
-
38
- - `thesmos pack:create @scope/name` — scaffolds a complete pack directory with pack.json, rules/index.ts, agents/, skills/
39
- - `thesmos pack:publish @scope/name` — compiles TypeScript rules to JS via tsup, validates pack.json schema, runs npm publish
40
-
41
- **HTML report improvements:**
42
-
43
- - Language breakdown table showing file counts per detected stack
44
- - Pack inventory section listing active community packs
45
- - Trend sparklines for Blockers, High findings, and Health Score from metrics history
46
-
47
- **Multi-language scan:**
48
-
49
- - `computeLanguageStats()` — counts files and lines per language/extension
50
- - `detectStacks()` — infers frameworks (Laravel, Django, Rails, Go modules, etc.) from file patterns
51
- - `thesmos scan` now shows a "Languages detected" table and "Detected stacks" in console output
14
+ - aff19cb: claude:govern check now writes block messages to stderr so Claude Code displays them (blocking hooks only surface stderr on exit 2; stdout was silently dropped, making every block appear as "No stderr output"). Ships alongside the already-committed VIBE_007 placeholder and VIBE_009 JSX `<select>` template-literal false-positive fixes, which were fixed in source but never published.
15
+ - 4ece775: Fixed the Linux secrets vault path (`secret-tool`) to pipe the master key via real stdin (`execFileSync`'s `input` option) instead of an intermediate `echo`/`printf` shell process, which briefly exposed the raw key in that process's own argv. Also documented — but could not eliminate — a matching, narrower exposure on macOS: Apple's own `security` CLI has no stdin/env alternative to its `-w` flag (its own `-h` text admits this: "Use of the -p or -w options is insecure"), so the key briefly appears in `security`'s argv there. Local-only, single-user exposure window in both cases; not remotely exploitable.
52
16
 
53
17
  All notable changes to `thesmos-governance` will be documented here.
54
18
 
@@ -65,7 +29,7 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
65
29
 
66
30
  **3 New God Agents (catalog: 70 → 73, Pantheon: 31 → 34):**
67
31
 
68
- - **God Agent Proteus** (`proteus-drift-agent`) — Drift & Alignment Monitor. Detects product drift, prompt drift, architecture drift, brand drift, strategy drift, and governance drift. Compares the current state against documented baselines; surfaces findings by domain with severity (BLOCKER/HIGH/MEDIUM/LOW) and delegates corrections to domain specialists. Integrates with `prometheus drift` (infrastructure) and `.prometheus/brain.md` (context baseline). Governed by AGNT_001, MCP_001.
32
+ - **God Agent Proteus** (`proteus-drift-agent`) — Drift & Alignment Monitor. Detects product drift, prompt drift, architecture drift, brand drift, strategy drift, and governance drift. Compares the current state against documented baselines; surfaces findings by domain with severity (BLOCKER/HIGH/MEDIUM/LOW) and delegates corrections to domain specialists. Integrates with `thesmos drift` (infrastructure) and `.thesmos/brain.md` (context baseline). Governed by AGNT_001, MCP_001.
69
33
  - **God Agent Momus** (`momus-challenger-agent`) — Challenger & Clarity Enforcer. Challenges plans, ideas, and research before they execute using Socratic method, Gary Klein's Pre-mortem, Charlie Munger's Inversion, Red Team thinking, and Five Whys. Delivers: premise check, 3 weakest assumptions, 5 unasked questions, 3 failure scenarios, specificity demands, and unrepresented interests. Auto-invoked by Zeus before irreversible decisions. Governed by AGNT_001, LIC_001.
70
34
  - **God Agent Metis** (`metis-pm-agent`) — Project Manager & Execution Planner. Converts plans into executable phases with entry/exit criteria, critical path (CPM), RACI ownership tables, risk registers, definitions of done, and status templates. Auto-invoked by Zeus before plans longer than 4 weeks and by Daedalus after PRD approval. Governed by AGNT_001, SC_002.
71
35
 
@@ -83,15 +47,15 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
83
47
 
84
48
  ### Changed
85
49
 
86
- - **`prometheus/package.json`** — version `3.5.0` → `3.6.0`
87
- - **`prometheus/catalog.test.ts`** — agent count assertion `70` → `73`
88
- - **`prometheus/bin/commands/compliance.ts`** — footer version `v3.5.0` → `v3.6.0`
89
- - **`prometheus/adapters.ts`** — added `generatePantheonProtocol()` function; `generateClaudeRules` now appends Universal Protocol to every CLAUDE.md output
50
+ - **`thesmos/package.json`** — version `3.5.0` → `3.6.0`
51
+ - **`thesmos/catalog.test.ts`** — agent count assertion `70` → `73`
52
+ - **`thesmos/bin/commands/compliance.ts`** — footer version `v3.5.0` → `v3.6.0`
53
+ - **`thesmos/adapters.ts`** — added `generatePantheonProtocol()` function; `generateClaudeRules` now appends Universal Protocol to every CLAUDE.md output
90
54
 
91
55
  ### Website & Documentation
92
56
 
93
- - **`holley.studio/prometheus`** — version badge `v3.5.0` → `v3.6.0`, Pantheon count `31` → `34`, 3 new Pantheon cards (Proteus, Momus, Metis), new "Why Prometheus is Different" section with 4-card comparison and competitive table
94
- - **`prometheus/README.md`** — new "Why Prometheus is different" section with 7 key selling points and feature comparison table
57
+ - **`holley.studio/thesmos`** — version badge `v3.5.0` → `v3.6.0`, Pantheon count `31` → `34`, 3 new Pantheon cards (Proteus, Momus, Metis), new "Why Thesmos is Different" section with 4-card comparison and competitive table
58
+ - **`thesmos/README.md`** — new "Why Thesmos is different" section with 7 key selling points and feature comparison table
95
59
 
96
60
  ---
97
61
 
@@ -102,7 +66,7 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
102
66
  **10 New Pantheon Agents — Creative, Business, and Developer Workflow:**
103
67
 
104
68
  - **Calliope** (`calliope-email-agent`) — Email Design & HTML/MJML Agent. MJML source code, compiled HTML email templates, responsive cross-client design, deliverability checklists, A/B variant specs. Governed by GDPR_004 (no PII in email URLs), SEC_008 (no secrets in templates), GDPR_001 (consent gate awareness).
105
- - **Talos** (`talos-web-dev-agent`) — Web Dev & Implementation Agent. Production-ready Next.js/React/TypeScript components, API routes, database queries, and test scaffolds. Runs a mental Prometheus governance scan on every file before delivery. Governed by SEC_004, AUTH_002, NEXT_003, MCP_001.
69
+ - **Talos** (`talos-web-dev-agent`) — Web Dev & Implementation Agent. Production-ready Next.js/React/TypeScript components, API routes, database queries, and test scaffolds. Runs a mental Thesmos governance scan on every file before delivery. Governed by SEC_004, AUTH_002, NEXT_003, MCP_001.
106
70
  - **Clio** (`clio-case-study-agent`) — Case Study & Social Proof Agent. Customer interview frameworks (STAR structure), first draft with [VERIFY] placeholders, ROI calculation worksheets, testimonial pull quotes, LinkedIn post versions, and PDF design briefs for Hephaestus. Governed by LIC_001 (no fabricated quotes), GDPR_013 (client consent required).
107
71
  - **Eos** (`eos-automation-agent`) — Automation & Workflow Engineering Agent. n8n/Zapier/Make workflow JSON, GitHub Actions YAML, shell scripts, webhook handler code, and runbooks. All API keys BYOK. Governed by SC_007 (no script injection), SC_001 (pinned actions), SEC_007 (no hardcoded credentials).
108
72
  - **Erato** (`erato-brand-voice-agent`) — Brand Voice & Messaging Architecture Agent. Brand voice guides, messaging architecture (hero message → pillars → proof points), tagline options with rationale, boilerplate copy at 4 lengths, competitor voice differentiation matrix. The guide that Apollo executes within.
@@ -122,16 +86,16 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
122
86
 
123
87
  **`brain:promote` — Community Rule Promotion:**
124
88
 
125
- - New command `prometheus brain:promote --rule=<ID>` scaffolds an approved `ProposedRule` from `brain.json` into a TypeScript rule stub at `prometheus/rules/community/<ID>.ts`
89
+ - New command `thesmos brain:promote --rule=<ID>` scaffolds an approved `ProposedRule` from `brain.json` into a TypeScript rule stub at `thesmos/rules/community/<ID>.ts`
126
90
  - Generated stubs follow the exact `ThesmosRule` pattern used throughout the core rules (exported `*_RULES` array, externalized regex constant, `.js` imports)
127
91
  - Printed step-by-step wiring instructions guide the developer to import the stub into `registry.ts`, add a test, and set the release version
128
92
  - `brain:evolve --approve` now stamps `approvedAt` timestamp on approved proposals
129
- - New `prometheus/rules/community/` directory with README documenting the promotion workflow
93
+ - New `thesmos/rules/community/` directory with README documenting the promotion workflow
130
94
  - Route registered in CLI: `brain:promote`
131
95
 
132
96
  **MCP_001 — Expanded Injection Pattern Detection:**
133
97
 
134
- - `INJECTION_RE` in `prometheus/rules/mcp.ts` expanded from 6 patterns to 25+ across 6 attack categories
98
+ - `INJECTION_RE` in `thesmos/rules/mcp.ts` expanded from 6 patterns to 25+ across 6 attack categories
135
99
  - System prompt overrides: `ignore/disregard/forget/override previous instructions`, `your new instructions are`
136
100
  - Role-play escapes: `you are now a`, `act as if`, `pretend to be`, `roleplay as`
137
101
  - Delimiter injection: `<system>`, `[INST]`, `<|im_start|>`, `### System`
@@ -162,29 +126,29 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
162
126
 
163
127
  **Complete Builder Wizard — 6 New Generators:**
164
128
 
165
- - **`prometheus build:dashboard`** — 5-question wizard that creates a monitoring/analytics dashboard. Supports Next.js React components and plain HTML + Chart.js. Pre-wires Prometheus governance metrics as default data source. Outputs to `src/components/dashboards/<name>.tsx` or `public/dashboards/<name>.html`.
129
+ - **`thesmos build:dashboard`** — 5-question wizard that creates a monitoring/analytics dashboard. Supports Next.js React components and plain HTML + Chart.js. Pre-wires Thesmos governance metrics as default data source. Outputs to `src/components/dashboards/<name>.tsx` or `public/dashboards/<name>.html`.
166
130
 
167
- - **`prometheus build:workflow`** — 7-question wizard that creates GitHub Actions CI/CD workflows. Covers all trigger types (PR, push, scheduled, manual, release), all common step groups (test+lint, build+deploy, full CI with Prometheus scan), and all major deploy targets (Vercel, AWS, GCP). Manual approval gates wired via `trstringer/manual-approval`.
131
+ - **`thesmos build:workflow`** — 7-question wizard that creates GitHub Actions CI/CD workflows. Covers all trigger types (PR, push, scheduled, manual, release), all common step groups (test+lint, build+deploy, full CI with Thesmos scan), and all major deploy targets (Vercel, AWS, GCP). Manual approval gates wired via `trstringer/manual-approval`.
168
132
 
169
- - **`prometheus build:rag`** — 9-question wizard for Retrieval-Augmented Generation pipelines. Generates `chunker.ts`, `retriever.ts`, and `pipeline.ts`. Supports OpenAI, Cohere, Anthropic, and local embeddings (all BYOK). Vector stores: Supabase pgvector, Pinecone, Weaviate, in-memory. Retrieval strategies: similarity, MMR (diverse), hybrid keyword+vector. Optional MCP tool wrapper to expose the pipeline to AI agents. Security note included in generated code: sanitize retrieved content to prevent prompt injection via documents.
133
+ - **`thesmos build:rag`** — 9-question wizard for Retrieval-Augmented Generation pipelines. Generates `chunker.ts`, `retriever.ts`, and `pipeline.ts`. Supports OpenAI, Cohere, Anthropic, and local embeddings (all BYOK). Vector stores: Supabase pgvector, Pinecone, Weaviate, in-memory. Retrieval strategies: similarity, MMR (diverse), hybrid keyword+vector. Optional MCP tool wrapper to expose the pipeline to AI agents. Security note included in generated code: sanitize retrieved content to prevent prompt injection via documents.
170
134
 
171
- - **`prometheus build:voice`** — 8-question wizard for real-time voice AI agents. Generates `session.ts`, `transport.ts`, and `pipeline.ts`. Supports WebRTC, Twilio Media Streams, and browser SpeechAPI transports. STT providers: Deepgram, AssemblyAI, OpenAI Whisper, browser native. TTS: ElevenLabs, Deepgram, browser native. LLM: Claude, OpenAI, local (all BYOK). Security warnings for audio PII and session isolation included in generated code.
135
+ - **`thesmos build:voice`** — 8-question wizard for real-time voice AI agents. Generates `session.ts`, `transport.ts`, and `pipeline.ts`. Supports WebRTC, Twilio Media Streams, and browser SpeechAPI transports. STT providers: Deepgram, AssemblyAI, OpenAI Whisper, browser native. TTS: ElevenLabs, Deepgram, browser native. LLM: Claude, OpenAI, local (all BYOK). Security warnings for audio PII and session isolation included in generated code.
172
136
 
173
- - **`prometheus build:mcp-tool`** — 5-question wizard that creates a new custom tool for the Prometheus MCP server. Generates `prometheus/mcp-tools/<name>.ts` with full type-safe handler and registration instructions for `mcp-server.ts`. Supports read-only, file-writing, and external-API side-effect profiles. Return types: text, JSON, file list, Prometheus findings.
137
+ - **`thesmos build:mcp-tool`** — 5-question wizard that creates a new custom tool for the Thesmos MCP server. Generates `thesmos/mcp-tools/<name>.ts` with full type-safe handler and registration instructions for `mcp-server.ts`. Supports read-only, file-writing, and external-API side-effect profiles. Return types: text, JSON, file list, Thesmos findings.
174
138
 
175
- - **`prometheus build:automation`** — 6-question wizard for CI/CD automations. For GitHub-hosted triggers (cron, webhook, file-change, event) generates `.github/workflows/<name>.yml`. For local triggers generates `.prometheus/automation/<name>.sh` with retry logic and dry-run support. Covers all common step groups (tests, build, deploy, notification, custom) and failure modes (fail+alert, retry×3+alert, log+continue).
139
+ - **`thesmos build:automation`** — 6-question wizard for CI/CD automations. For GitHub-hosted triggers (cron, webhook, file-change, event) generates `.github/workflows/<name>.yml`. For local triggers generates `.thesmos/automation/<name>.sh` with retry logic and dry-run support. Covers all common step groups (tests, build, deploy, notification, custom) and failure modes (fail+alert, retry×3+alert, log+continue).
176
140
 
177
141
  **Builder Wizard Infrastructure:**
178
142
 
179
143
  - Generic `runBuilderWizard()` runner shared by all 6 builders — eliminates 200+ lines of duplicated wizard-loop code
180
144
  - All 6 builders support `--plan` (outputs Markdown plan + design decisions), `--scaffold` (writes code), and `--yes` (skips confirmation)
181
- - All scaffold outputs are immediately scanned by the Prometheus governance engine before reporting
182
- - All API keys are BYOK — Prometheus never stores, caches, or proxies credentials
145
+ - All scaffold outputs are immediately scanned by the Thesmos governance engine before reporting
146
+ - All API keys are BYOK — Thesmos never stores, caches, or proxies credentials
183
147
 
184
148
  ### Changed
185
149
 
186
- - `prometheus/package.json`: version `3.2.0` → `3.3.0`; added keywords: `ai-safety`, `owasp`, `mcp-server`, `brain`, `builder`
187
- - `prometheus/bin/commands/build.ts`: replaced 6 `runBuildStub` stubs with real implementations; added 6 question arrays (40 total questions); imported 6 generator modules
150
+ - `thesmos/package.json`: version `3.2.0` → `3.3.0`; added keywords: `ai-safety`, `owasp`, `mcp-server`, `brain`, `builder`
151
+ - `thesmos/bin/commands/build.ts`: replaced 6 `runBuildStub` stubs with real implementations; added 6 question arrays (40 total questions); imported 6 generator modules
188
152
 
189
153
  ---
190
154
 
@@ -194,15 +158,15 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
194
158
 
195
159
  **5 Innovation Features:**
196
160
 
197
- - **F1 — `debug_finding` MCP Tool** — New MCP tool on the existing `prometheus mcp:serve` server. Call `debug_finding(rule_id, file_content, line?)` to get a `true_positive` / `likely_false_positive` verdict, the full rule explanation, exact fix suggestion, and suppression command. Closes the "why did this fire?" loop without leaving the AI assistant session.
161
+ - **F1 — `debug_finding` MCP Tool** — New MCP tool on the existing `thesmos mcp:serve` server. Call `debug_finding(rule_id, file_content, line?)` to get a `true_positive` / `likely_false_positive` verdict, the full rule explanation, exact fix suggestion, and suppression command. Closes the "why did this fire?" loop without leaving the AI assistant session.
198
162
 
199
- - **F2 — Post-Fix Verification (`prometheus fix --verify`)** — After applying a fixer, Prometheus immediately re-runs `detect()` on the patched content to confirm the finding is resolved. New exports: `verifyFix(filePath, beforeContent, afterContent, finding, config): VerifyResult` and `VerifyResult` interface. Reports: ✅ verified / ❌ unresolved / ⚠️ regression introduced. Zero external dependencies — uses Prometheus's own rules engine.
163
+ - **F2 — Post-Fix Verification (`thesmos fix --verify`)** — After applying a fixer, Thesmos immediately re-runs `detect()` on the patched content to confirm the finding is resolved. New exports: `verifyFix(filePath, beforeContent, afterContent, finding, config): VerifyResult` and `VerifyResult` interface. Reports: ✅ verified / ❌ unresolved / ⚠️ regression introduced. Zero external dependencies — uses Thesmos's own rules engine.
200
164
 
201
- - **F3 — GitHub PR Comment Bot (`prometheus github:comment`)** — Posts or updates a single governance summary comment on a GitHub PR. Uses `GITHUB_TOKEN` + native Node 18 `fetch()` — no `@octokit/rest` dependency. Idempotent via an HTML marker (`<!-- thesmos-governance-bot -->`). Includes auto-detection of repo from `git remote`. `--print-workflow` prints a copy-paste GitHub Actions snippet. New file: `prometheus/bin/commands/github-comment.ts`.
165
+ - **F3 — GitHub PR Comment Bot (`thesmos github:comment`)** — Posts or updates a single governance summary comment on a GitHub PR. Uses `GITHUB_TOKEN` + native Node 18 `fetch()` — no `@octokit/rest` dependency. Idempotent via an HTML marker (`<!-- thesmos-governance-bot -->`). Includes auto-detection of repo from `git remote`. `--print-workflow` prints a copy-paste GitHub Actions snippet. New file: `thesmos/bin/commands/github-comment.ts`.
202
166
 
203
- - **F4 — Incremental Scan Cache** — sha256-keyed per-file finding cache in `.prometheus/.scan-cache.json`. Unchanged files return cached findings instantly; any rules-version bump invalidates all entries. New exports: `loadCache`, `saveCache`, `getCachedFindings`, `setCachedFindings`, `invalidateCache`, `runReviewCached`. Expected speedup: 70–90% on second scan when most files are unchanged. New file: `prometheus/incremental-cache.ts`.
167
+ - **F4 — Incremental Scan Cache** — sha256-keyed per-file finding cache in `.thesmos/.scan-cache.json`. Unchanged files return cached findings instantly; any rules-version bump invalidates all entries. New exports: `loadCache`, `saveCache`, `getCachedFindings`, `setCachedFindings`, `invalidateCache`, `runReviewCached`. Expected speedup: 70–90% on second scan when most files are unchanged. New file: `thesmos/incremental-cache.ts`.
204
168
 
205
- - **F5 — LSP Real-Time Feedback Server (`thesmos lsp`)** — Standalone LSP 3.17 server over stdio. Surfaces governance findings as real-time squiggles in any LSP-compatible editor (VS Code, Cursor, Neovim, Emacs). Capabilities: `textDocument/didOpen`, `textDocument/didChange` (debounced 500ms), `textDocument/didSave`, hover tooltips with rule explanation, code actions (suppress / explain). VS Code extension now launches the LSP client alongside its existing on-save analysis via `vscode-languageclient`. New file: `prometheus/lang-server.ts`.
169
+ - **F5 — LSP Real-Time Feedback Server (`thesmos lsp`)** — Standalone LSP 3.17 server over stdio. Surfaces governance findings as real-time squiggles in any LSP-compatible editor (VS Code, Cursor, Neovim, Emacs). Capabilities: `textDocument/didOpen`, `textDocument/didChange` (debounced 500ms), `textDocument/didSave`, hover tooltips with rule explanation, code actions (suppress / explain). VS Code extension now launches the LSP client alongside its existing on-save analysis via `vscode-languageclient`. New file: `thesmos/lang-server.ts`.
206
170
 
207
171
  **5 Bug Fixes:**
208
172
 
@@ -223,8 +187,8 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
223
187
 
224
188
  ### Changed
225
189
 
226
- - `prometheus/fix.ts` now imports `PROMETHEUS_RULES` and `runReview` to power `verifyFix()`.
227
- - `prometheus/bin/commands/fix.ts` gains `--verify` flag.
190
+ - `thesmos/fix.ts` now imports `THESMOS_RULES` and `runReview` to power `verifyFix()`.
191
+ - `thesmos/bin/commands/fix.ts` gains `--verify` flag.
228
192
  - `extensions/vscode/src/extension.ts` now lazily starts an LSP client (requires `vscode-languageclient` installed).
229
193
  - `extensions/vscode/package.json` adds `vscode-languageclient ^9.0.1` as a runtime dependency.
230
194
 
@@ -236,32 +200,32 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
236
200
 
237
201
  **6 New Governance Pillars:**
238
202
 
239
- - **Pillar 1 — MCP Server** (`prometheus mcp:serve`, `prometheus mcp:install`) — Prometheus becomes a Model Context Protocol server. AI assistants call `scan_file`, `explain_rule`, `get_health`, `lint_commit`, and `get_context` _before_ generating code. `mcp:install` writes the server entry into `~/.claude/settings.json`. New files: `prometheus/mcp-server.ts`, `prometheus/bin/commands/mcp.ts`.
203
+ - **Pillar 1 — MCP Server** (`thesmos mcp:serve`, `thesmos mcp:install`) — Thesmos becomes a Model Context Protocol server. AI assistants call `scan_file`, `explain_rule`, `get_health`, `lint_commit`, and `get_context` *before* generating code. `mcp:install` writes the server entry into `~/.claude/settings.json`. New files: `thesmos/mcp-server.ts`, `thesmos/bin/commands/mcp.ts`.
240
204
 
241
- - **Pillar 2 — Dependency Security** (`prometheus deps:audit`) — Async CVE scanning via OSV.dev (`api.osv.dev/v1/querybatch`). Results cached in `.prometheus/dep-cache.json` (24h TTL) and consumed synchronously by 10 new DEP_001–010 rules: critical CVE (BLOCKER), high/medium CVE, abandoned-with-CVE, no integrity hash, git dependency, major drift, prerelease in prod, deprecated package, stale cache. SBOM export via `--sbom` flag in CycloneDX 1.4 format. New files: `prometheus/osv-client.ts`, `prometheus/rules/deps.ts`, `prometheus/bin/commands/deps.ts`.
205
+ - **Pillar 2 — Dependency Security** (`thesmos deps:audit`) — Async CVE scanning via OSV.dev (`api.osv.dev/v1/querybatch`). Results cached in `.thesmos/dep-cache.json` (24h TTL) and consumed synchronously by 10 new DEP_001–010 rules: critical CVE (BLOCKER), high/medium CVE, abandoned-with-CVE, no integrity hash, git dependency, major drift, prerelease in prod, deprecated package, stale cache. SBOM export via `--sbom` flag in CycloneDX 1.4 format. New files: `thesmos/osv-client.ts`, `thesmos/rules/deps.ts`, `thesmos/bin/commands/deps.ts`.
242
206
 
243
- - **Pillar 3 — Agent Governance** — 12 new AGNT_001–012 rules detecting missing scope declarations, unconstrained Bash, ungoverned MCP servers, absent hooks, no token budget, no audit trail, and unrestricted network access. Dual-directory guard (`.claude/` AND `.prometheus/` must both exist) prevents false positives in dev environments. Plus tamper-evident **Agent Audit Trail** (`prometheus agent:audit:log|verify|report|export|rotate`) — append-only `.prometheus/audit.jsonl` with sha256 hash-chained entries using `node:crypto`. `verify` detects tampering by recomputing the entire chain. New files: `prometheus/agent-audit.ts`, `prometheus/rules/agents.ts`, `prometheus/bin/commands/agent-audit.ts`.
207
+ - **Pillar 3 — Agent Governance** — 12 new AGNT_001–012 rules detecting missing scope declarations, unconstrained Bash, ungoverned MCP servers, absent hooks, no token budget, no audit trail, and unrestricted network access. Dual-directory guard (`.claude/` AND `.thesmos/` must both exist) prevents false positives in dev environments. Plus tamper-evident **Agent Audit Trail** (`thesmos agent:audit:log|verify|report|export|rotate`) — append-only `.thesmos/audit.jsonl` with sha256 hash-chained entries using `node:crypto`. `verify` detects tampering by recomputing the entire chain. New files: `thesmos/agent-audit.ts`, `thesmos/rules/agents.ts`, `thesmos/bin/commands/agent-audit.ts`.
244
208
 
245
- - **Pillar 4 — SARIF Output** (`prometheus validate --sarif`) — SARIF 2.1.0 JSON for GitHub Security tab, VS Code Problems panel, Azure DevOps. All 911 rules emit full `reportingDescriptor` metadata. `prometheus ci:github-security` generates a GitHub Actions workflow that uploads `prometheus.sarif` to `github/codeql-action/upload-sarif@v3`. New file: `prometheus/sarif.ts`.
209
+ - **Pillar 4 — SARIF Output** (`thesmos validate --sarif`) — SARIF 2.1.0 JSON for GitHub Security tab, VS Code Problems panel, Azure DevOps. All 911 rules emit full `reportingDescriptor` metadata. `thesmos ci:github-security` generates a GitHub Actions workflow that uploads `thesmos.sarif` to `github/codeql-action/upload-sarif@v3`. New file: `thesmos/sarif.ts`.
246
210
 
247
- - **Pillar 5 — License Compliance** — 10 new LIC_001–010 rules: GPL in commercial projects (BLOCKER), unknown/UNLICENSED deps, LGPL copyleft, missing LICENSE file, proprietary dep, invalid SPDX, dual-license ambiguity, AI training restriction, GPL/Apache incompatibility (BLOCKER), missing NOTICE file. All rules use the `changedFiles !== undefined` filesystem guard to avoid false positives in changed-files mode. New file: `prometheus/rules/license.ts`.
211
+ - **Pillar 5 — License Compliance** — 10 new LIC_001–010 rules: GPL in commercial projects (BLOCKER), unknown/UNLICENSED deps, LGPL copyleft, missing LICENSE file, proprietary dep, invalid SPDX, dual-license ambiguity, AI training restriction, GPL/Apache incompatibility (BLOCKER), missing NOTICE file. All rules use the `changedFiles !== undefined` filesystem guard to avoid false positives in changed-files mode. New file: `thesmos/rules/license.ts`.
248
212
 
249
- - **Pillar 6 — GDPR Compliance Pack** (`prometheus compliance:report --standard gdpr`) — 15 new GDPR_001–015 rules covering: PII in console.log, analytics without consent, cookie without consent banner, PII in URL params, PII in localStorage, missing data deletion endpoint, PII in external logging (BLOCKER), unencrypted PII in Prisma schema, missing privacy policy link, third-party tracking without consent, PII in API error responses (BLOCKER), missing retention policy, session without expiry, real PII in test fixtures, and IP storage without consent. `compliance:report --standard gdpr` generates an audit-ready Markdown evidence report mapping each finding to its GDPR article. New files: `prometheus/rules/gdpr.ts`, `prometheus/bin/commands/compliance.ts`.
213
+ - **Pillar 6 — GDPR Compliance Pack** (`thesmos compliance:report --standard gdpr`) — 15 new GDPR_001–015 rules covering: PII in console.log, analytics without consent, cookie without consent banner, PII in URL params, PII in localStorage, missing data deletion endpoint, PII in external logging (BLOCKER), unencrypted PII in Prisma schema, missing privacy policy link, third-party tracking without consent, PII in API error responses (BLOCKER), missing retention policy, session without expiry, real PII in test fixtures, and IP storage without consent. `compliance:report --standard gdpr` generates an audit-ready Markdown evidence report mapping each finding to its GDPR article. New files: `thesmos/rules/gdpr.ts`, `thesmos/bin/commands/compliance.ts`.
250
214
 
251
215
  **3 Quick Wins:**
252
216
 
253
- - **Governance Certificate** (`prometheus certificate:generate`, `prometheus certificate:verify`) — Signed JSON artifact per delivery with sha256 hash chain for tamper detection. Fields: `rulesChecked`, `blockers`, `healthScore`, `healthGrade`, `hash`, `chain`. Agencies include in every delivery. New file: `prometheus/bin/commands/certificate.ts`.
217
+ - **Governance Certificate** (`thesmos certificate:generate`, `thesmos certificate:verify`) — Signed JSON artifact per delivery with sha256 hash chain for tamper detection. Fields: `rulesChecked`, `blockers`, `healthScore`, `healthGrade`, `hash`, `chain`. Agencies include in every delivery. New file: `thesmos/bin/commands/certificate.ts`.
254
218
 
255
- - **Health Badge** (`prometheus health --badge`) — Prints shield.io badge markdown to stdout. Color ranges: ≥80 brightgreen, ≥70 green, ≥60 yellowgreen, ≥50 yellow, ≥40 orange, <40 red.
219
+ - **Health Badge** (`thesmos health --badge`) — Prints shield.io badge markdown to stdout. Color ranges: ≥80 brightgreen, ≥70 green, ≥60 yellowgreen, ≥50 yellow, ≥40 orange, <40 red.
256
220
 
257
- - **AI Code Fingerprinting** (`prometheus ai:fingerprint`) — Detects AI-generated files using git Co-Authored-By commit markers and static content heuristics (over-explained comments, step-numbered blocks, AI docstring patterns, boilerplate try/catch). Reports `aiGeneratedEstimate`, `topTool`, and per-file confidence scores. `--format json` for machine-readable output. New file: `prometheus/bin/commands/ai-fingerprint.ts`.
221
+ - **AI Code Fingerprinting** (`thesmos ai:fingerprint`) — Detects AI-generated files using git Co-Authored-By commit markers and static content heuristics (over-explained comments, step-numbered blocks, AI docstring patterns, boilerplate try/catch). Reports `aiGeneratedEstimate`, `topTool`, and per-file confidence scores. `--format json` for machine-readable output. New file: `thesmos/bin/commands/ai-fingerprint.ts`.
258
222
 
259
223
  - Total rule count: **911** (864 previous + 12 AGNT + 10 DEP + 10 LIC + 15 GDPR).
260
224
 
261
225
  ### Changed
262
226
 
263
227
  - `formatFindingsSarif()` in `review.ts` now delegates to `sarif.ts` for full rule metadata emission — all 911 rules appear in SARIF output regardless of whether they have findings.
264
- - `prometheus health --badge` added as a new flag to the existing `health` command.
228
+ - `thesmos health --badge` added as a new flag to the existing `health` command.
265
229
  - README rule counts updated from 864 → 911.
266
230
 
267
231
  ---
@@ -270,10 +234,10 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
270
234
 
271
235
  ### Added
272
236
 
273
- - **Conventional Commits Governance** (`prometheus commit:lint`, `prometheus commit:create`) — 10 new COMMIT_001–010 rules validate commit messages against the Conventional Commits specification using the standard `detect()` sentinel pattern (path `.git/COMMIT_EDITMSG`). Rules integrate with `explain`, `baseline`, and `suppressions:audit` automatically. `commit:lint` validates messages from the `commit-msg` hook, `--last`, or `--message "..."`. `commit:create` is an interactive wizard for building valid commit messages step-by-step.
274
- - **Vercel Deployment Governance** (`prometheus vercel:lint`) — 10 new VERCEL*001–010 rules covering: literal secrets in `vercel.json` (BLOCKER), server secrets with `NEXT_PUBLIC*`prefix (BLOCKER), cron routes missing`CRON_SECRET`check (HIGH), env vars not documented in`.env.example`(HIGH), missing`.env.example`when env vars are used (HIGH), missing`maxDuration`in function config (MEDIUM), middleware missing edge runtime export (MEDIUM), missing security headers (MEDIUM),`maxDuration` exceeding plan limit (LOW), and open redirect patterns in redirects config (HIGH).
275
- - **`commit-msg` git hook enforcement** — `prometheus hooks install --commit-msg` now writes a real enforcement block calling `prometheus commit:lint "$1"`. Previously a no-op placeholder.
276
- - **`commitLint` and `vercel` config sections** in `ThesmosConfig` — customise allowed commit types, max subject length, ticket patterns, Vercel plan limits, and cron auth requirements via `.prometheus/config.json`.
237
+ - **Conventional Commits Governance** (`thesmos commit:lint`, `thesmos commit:create`) — 10 new COMMIT_001–010 rules validate commit messages against the Conventional Commits specification using the standard `detect()` sentinel pattern (path `.git/COMMIT_EDITMSG`). Rules integrate with `explain`, `baseline`, and `suppressions:audit` automatically. `commit:lint` validates messages from the `commit-msg` hook, `--last`, or `--message "..."`. `commit:create` is an interactive wizard for building valid commit messages step-by-step.
238
+ - **Vercel Deployment Governance** (`thesmos vercel:lint`) — 10 new VERCEL_001–010 rules covering: literal secrets in `vercel.json` (BLOCKER), server secrets with `NEXT_PUBLIC_` prefix (BLOCKER), cron routes missing `CRON_SECRET` check (HIGH), env vars not documented in `.env.example` (HIGH), missing `.env.example` when env vars are used (HIGH), missing `maxDuration` in function config (MEDIUM), middleware missing edge runtime export (MEDIUM), missing security headers (MEDIUM), `maxDuration` exceeding plan limit (LOW), and open redirect patterns in redirects config (HIGH).
239
+ - **`commit-msg` git hook enforcement** — `thesmos hooks install --commit-msg` now writes a real enforcement block calling `thesmos commit:lint "$1"`. Previously a no-op placeholder.
240
+ - **`commitLint` and `vercel` config sections** in `ThesmosConfig` — customise allowed commit types, max subject length, ticket patterns, Vercel plan limits, and cron auth requirements via `.thesmos/config.json`.
277
241
  - Total rule count: **864** (844 previous + 10 COMMIT + 10 VERCEL).
278
242
 
279
243
  ### Changed
@@ -287,14 +251,14 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
287
251
 
288
252
  ### Added
289
253
 
290
- - **Slopsquatting Guard** (`prometheus import:scan`) — validates every npm/PyPI package in changed files against live registry APIs. Flags phantom packages (404), newly-registered packages (< 30 days old), and typosquat candidates (edit distance ≤ 2 from top packages). Works offline with graceful degradation. 10 new rules: SLOP_006–015.
291
- - **Agent Scope Enforcement** (`prometheus scope:*`) — `.prometheus/scope.json` defines workspace boundaries and operation limits. PreToolUse hook intercepts every Write/Edit/Bash call and exits 2 on scope violations. Commands: `scope:init`, `scope:status`, `scope:check`.
292
- - **Token Budget Governance** (`prometheus tokens:*`) — PostToolUse hook logs token usage per tool call to `.prometheus/token-usage.jsonl`. Enforces configurable session, daily, and project cost caps with alert and hard-stop thresholds. Commands: `tokens:report`, `tokens:reset`, `tokens:budget`.
293
- - **AI Debt Fingerprinting** (`prometheus debt:scan`) — 20 new DEBT_001–020 rules that detect AI-specific code debt patterns traditional linters miss: duplicate function bodies, swallowed errors, magic numbers, O(n²) nested loops, vague variable names, commented-out blocks, missing `finally`, and more. Outputs a 0–100 debt score with A–F grade.
294
- - **Context Health + Session Handoff** (`prometheus context:*`) — generates `.prometheus/context.md` from the live codebase (stack, established patterns, active constraints). `thesmos adapters` now auto-updates the snapshot. CLAUDE.md preamble now references `context.md` as step 1. Commands: `context:snapshot`, `context:health`.
254
+ - **Slopsquatting Guard** (`thesmos import:scan`) — validates every npm/PyPI package in changed files against live registry APIs. Flags phantom packages (404), newly-registered packages (< 30 days old), and typosquat candidates (edit distance ≤ 2 from top packages). Works offline with graceful degradation. 10 new rules: SLOP_006–015.
255
+ - **Agent Scope Enforcement** (`thesmos scope:*`) — `.thesmos/scope.json` defines workspace boundaries and operation limits. PreToolUse hook intercepts every Write/Edit/Bash call and exits 2 on scope violations. Commands: `scope:init`, `scope:status`, `scope:check`.
256
+ - **Token Budget Governance** (`thesmos tokens:*`) — PostToolUse hook logs token usage per tool call to `.thesmos/token-usage.jsonl`. Enforces configurable session, daily, and project cost caps with alert and hard-stop thresholds. Commands: `tokens:report`, `tokens:reset`, `tokens:budget`.
257
+ - **AI Debt Fingerprinting** (`thesmos debt:scan`) — 20 new DEBT_001–020 rules that detect AI-specific code debt patterns traditional linters miss: duplicate function bodies, swallowed errors, magic numbers, O(n²) nested loops, vague variable names, commented-out blocks, missing `finally`, and more. Outputs a 0–100 debt score with A–F grade.
258
+ - **Context Health + Session Handoff** (`thesmos context:*`) — generates `.thesmos/context.md` from the live codebase (stack, established patterns, active constraints). `thesmos adapters` now auto-updates the snapshot. CLAUDE.md preamble now references `context.md` as step 1. Commands: `context:snapshot`, `context:health`.
295
259
  - **Bash tool governance** — `claude:govern` PreToolUse hook now intercepts `Bash(npm install *)` / `Bash(pip install *)` calls and validates package names before they execute.
296
260
  - **PostToolUse budget hook** — added to `.claude/settings.json` alongside existing PreToolUse and Stop hooks.
297
- - **`tokenBudget` in `ThesmosConfig`** — configure token budgets directly in `.prometheus/config.json`.
261
+ - **`tokenBudget` in `ThesmosConfig`** — configure token budgets directly in `.thesmos/config.json`.
298
262
 
299
263
  ### Fixed
300
264
 
@@ -308,8 +272,8 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
308
272
 
309
273
  ### Changed
310
274
 
311
- - `thesmos adapters` now auto-generates `.prometheus/context.md` on every run.
312
- - CLAUDE.md "Before Each Task" checklist renumbered 1–12; step 1 now reads `.prometheus/context.md`.
275
+ - `thesmos adapters` now auto-generates `.thesmos/context.md` on every run.
276
+ - CLAUDE.md "Before Each Task" checklist renumbered 1–12; step 1 now reads `.thesmos/context.md`.
313
277
  - Token budget model cost table expanded with legacy date-suffixed model IDs (`claude-3-5-sonnet-20241022`, etc.) reported by older Claude Code versions.
314
278
 
315
279
  ---
@@ -322,11 +286,11 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
322
286
  - **Python** (19 rules, PY_026–PY_045): async/await pitfalls, shell injection, `pickle`/`marshal` RCE, FastAPI/Django security patterns, Pydantic v2 migration, blocking I/O in async context, and more.
323
287
  - **GraphQL** (25 rules, GQL_001–GQL_025): query depth/complexity limits, resolver auth enforcement, N+1 without DataLoader, introspection disabled in production, type correctness, and production hardening.
324
288
  - **Terraform** (13 rules, TF_013–TF_025): sensitive IAM wildcards, open security groups (0.0.0.0/0), RDS deletion protection, KMS key rotation, secrets in `user_data`, `prevent_destroy` on critical resources, and S3 versioning.
325
- - **3 new catalog agents**: `python-reviewer`, `graphql-reviewer`, `infrastructure-reviewer` — available via `prometheus catalog:enable`.
326
- - **`prometheus claude:govern`** — installs Claude Code hooks into `.claude/settings.json` for real-time governance in Auto Mode:
289
+ - **3 new catalog agents**: `python-reviewer`, `graphql-reviewer`, `infrastructure-reviewer` — available via `thesmos catalog:enable`.
290
+ - **`thesmos claude:govern`** — installs Claude Code hooks into `.claude/settings.json` for real-time governance in Auto Mode:
327
291
  - `PreToolUse` (Write/Edit): blocks tool call (exit 2) if content contains any BLOCKER finding.
328
- - `Stop`: runs `prometheus drift` after each session to detect adapter staleness.
329
- - Install is idempotent; a `_prometheus_governance` marker prevents duplicate hook entries.
292
+ - `Stop`: runs `thesmos drift` after each session to detect adapter staleness.
293
+ - Install is idempotent; a `_thesmos_governance` marker prevents duplicate hook entries.
330
294
  - Autopilot permission profiles now preserve governance hooks when written/restored.
331
295
 
332
296
  ### Fixed
@@ -341,19 +305,19 @@ Every `thesmos adapters` run now appends the Pantheon Universal Intelligence Pro
341
305
  ### Added
342
306
 
343
307
  - **142 governance rules** across 8 categories: security, TypeScript, React, Next.js, AI/LLM, performance, database, and code quality
344
- - **6 AI adapter targets**: Claude (`CLAUDE.md`), Gemini (`GEMINI.md`), Cursor (`.cursor/rules/prometheus.mdc`), Copilot (`.github/copilot-instructions.md`), Codex (`.codex/prometheus.md`), and `AGENTS.md` — all generated from a single canonical rule registry with zero duplication
308
+ - **6 AI adapter targets**: Claude (`CLAUDE.md`), Gemini (`GEMINI.md`), Cursor (`.cursor/rules/thesmos.mdc`), Copilot (`.github/copilot-instructions.md`), Codex (`.codex/thesmos.md`), and `AGENTS.md` — all generated from a single canonical rule registry with zero duplication
345
309
  - **CLI commands**: `init`, `scan`, `review`, `validate`, `audit`, `doctor`, `ci-check`, `adapters`, `drift`, `baseline:*`, `explain`, `suppressions:audit`, `metrics`, `pack:*`, `health`, `ci`, `fix`, `update`, `catalog:*`, `agent:create`, `skill:create`
346
- - **Governance folder** (`.prometheus/`): README, config, GUARDRAILS, RULES, governance docs, architecture docs, and a GitHub Actions workflow — all scaffolded by `prometheus init`
310
+ - **Governance folder** (`.thesmos/`): README, config, GUARDRAILS, RULES, governance docs, architecture docs, and a GitHub Actions workflow — all scaffolded by `thesmos init`
347
311
  - **Baseline system**: snapshot known technical debt so new violations are caught without blocking existing codebases
348
- - **Inline suppressions**: `// prometheus-disable-next-line <id> -- reason: <text>` with expiry dates and audit trail
312
+ - **Inline suppressions**: `// thesmos-disable-next-line <id> -- reason: <text>` with expiry dates and audit trail
349
313
  - **Health score** (0–100 with letter grade): synthesises findings, drift, suppressions, and baseline into a single governance grade
350
314
  - **Metrics engine**: local-first, privacy-safe governance analytics with history tracking
351
315
  - **Drift detection**: 12 categories of stale/missing governance artifacts
352
- - **Rule explanation engine**: `prometheus explain <rule-id>` shows why a rule exists, good/bad examples, and related playbooks
316
+ - **Rule explanation engine**: `thesmos explain <rule-id>` shows why a rule exists, good/bad examples, and related playbooks
353
317
  - **Catalog system**: 50+ built-in agents and 50+ built-in skills; 5 composable profiles (base, web, next-supabase, enterprise)
354
318
  - **Pack system**: extensible rule bundles for third-party frameworks
355
319
  - **Zero runtime dependencies**: the entire tool ships without a single production dependency
356
- - **JSON Schema** for `.prometheus/config.json`: add `$schema` for full editor autocomplete and validation
320
+ - **JSON Schema** for `.thesmos/config.json`: add `$schema` for full editor autocomplete and validation
357
321
  - **GitHub Actions CI/CD**: workflows for continuous integration (Node 18/20/22 matrix) and npm publishing on version tags
358
322
 
359
323
  [1.0.0]: https://github.com/Holley-Studio/thesmos-governance/releases/tag/v1.0.0
package/LICENSE CHANGED
@@ -5,8 +5,8 @@ Copyright (c) 2024 Matt Holley
5
5
  Parameters
6
6
 
7
7
  Licensor: Matt Holley
8
- Licensed Work: Prometheus Governance
9
- The Licensed Work is © 2024 Matt Holley
8
+ Licensed Work: Thesmos Governance
9
+ The Licensed Work is © 2024–2026 Holley Studio LLC
10
10
  Change Date: 2030-06-17 (four years from first publication)
11
11
  Change License: MIT License
12
12
 
@@ -1,13 +1,13 @@
1
1
  # Commercial Licensing
2
2
 
3
- Prometheus Governance is released under the [Functional Source License 1.1 (FSL-1.1-MIT)](LICENSE).
3
+ Thesmos is released under the [Functional Source License 1.1 (FSL-1.1-MIT)](LICENSE).
4
4
 
5
- FSL permits free use for personal projects, internal tooling, and open source work. It restricts offering Prometheus Governance itself (or a substantially similar product built on it) as a commercial service or product to third parties.
5
+ FSL permits free use for personal projects, internal tooling, and open source work. It restricts offering Thesmos itself (or a substantially similar product built on it) as a commercial service or product to third parties.
6
6
 
7
7
  ## When you need a commercial license
8
8
 
9
- - You are building a SaaS product or hosted service powered by Prometheus Governance
10
- - You are reselling or white-labeling Prometheus Governance
9
+ - You are building a SaaS product or hosted service powered by Thesmos
10
+ - You are reselling or white-labeling Thesmos
11
11
  - You are bundling it into a commercial product sold to customers
12
12
 
13
13
  ## Contact
package/README.md CHANGED
@@ -18,7 +18,7 @@ Thesmos is a repo governance tool for TypeScript projects. Define your code revi
18
18
 
19
19
  Without governance, every AI assistant in your team invents its own rules. Claude follows one convention, Cursor follows another, Copilot knows nothing about your auth patterns. Every PR review is inconsistent. Governance debt compounds silently.
20
20
 
21
- Thesmos solves this with a **single source of truth**: 911 rules defined once, propagated everywhere.
21
+ Thesmos solves this with a **single source of truth**: 1,137 rules defined once, propagated everywhere.
22
22
 
23
23
  | | Thesmos | ESLint | Danger.js | CodeClimate |
24
24
  | --- | --- | --- | --- | --- |
@@ -27,7 +27,7 @@ Thesmos solves this with a **single source of truth**: 911 rules defined once, p
27
27
  | Works fully offline | ✓ | ✓ | ✗ | ✗ |
28
28
  | Governance folder + AI context | ✓ | ✗ | ✗ | ✗ |
29
29
  | Health score (0–100) | ✓ | ✗ | ✗ | ✓ |
30
- | Built-in rules (no plugins needed) | 911 | ✗ | ✗ | ✓ |
30
+ | Built-in rules (no plugins needed) | 1,137 | ✗ | ✗ | ✓ |
31
31
  | Installable rule packs | ✓ | ✓ | ✗ | ✗ |
32
32
  | Inline suppressions with audit | ✓ | ✓ | ✗ | ✗ |
33
33
  | Baseline for legacy debt | ✓ | ✗ | ✗ | ✗ |
@@ -84,7 +84,7 @@ Other platforms give you AI assistants. Thesmos gives you a governed AI team —
84
84
 
85
85
  **7 things no other agent platform does:**
86
86
 
87
- 1. **Governance badge on every output** — Every God Agent delivery closes with `Thesmos check: [RULE_ID] ✅`. No other platform runs 1,075 governance rules against AI outputs automatically.
87
+ 1. **Governance badge on every output** — Every God Agent delivery closes with `Thesmos check: [RULE_ID] ✅`. No other platform runs 1,137 governance rules against AI outputs automatically.
88
88
  2. **38 world-class God Agents — not assistants** — Each agent has a named methodology, failure mode taxonomy, and adversarial self-check. Not "I know marketing" but "I use Ehrenberg-Bass reach theory, and here's the specific thing your brief gets wrong."
89
89
  3. **God Council arbitration** — When agents conflict, Zeus arbitrates. Argus holds a permanent security veto; Themis holds a permanent legal veto. You get one decision, not a debate.
90
90
  4. **God Agent Momus** — The only agent platform with a mandatory challenger. Momus challenges every major decision before it ships using Socratic method, Gary Klein's Pre-mortem, and Munger's Inversion.
@@ -320,7 +320,7 @@ npx thesmos validate --base=origin/$GITHUB_BASE_REF
320
320
 
321
321
  ### `thesmos adapters`
322
322
 
323
- Generates AI assistant instruction files from the canonical rule registry. Preserves any content you have written outside `<!-- PROMETHEUS:GENERATED -->` markers.
323
+ Generates AI assistant instruction files from the canonical rule registry. Preserves any content you have written outside `<!-- THESMOS:GENERATED -->` markers.
324
324
 
325
325
  ```bash
326
326
  npx thesmos adapters
@@ -438,7 +438,7 @@ npx thesmos fix --base=main # applies changes
438
438
 
439
439
  ## Rule packs
440
440
 
441
- Packs are installable bundles of additional rules, agents, skills, and playbooks. The built-in registry ships 911 rules — packs let the community (and your organisation) add more without forking.
441
+ Packs are installable bundles of additional rules, agents, skills, and playbooks. The built-in registry ships 1,137 rules — packs let the community (and your organisation) add more without forking.
442
442
 
443
443
  ### Installing a pack
444
444
 
@@ -559,7 +559,7 @@ Use rule IDs (`ENV_001`) or category names (`direct_env_access`). Both are shown
559
559
 
560
560
  ## Adapter targets
561
561
 
562
- Every adapter is generated from the same `PROMETHEUS_RULES` array. You never write rules twice.
562
+ Every adapter is generated from the same `THESMOS_RULES` array. You never write rules twice.
563
563
 
564
564
  | Target | Output path | Used by |
565
565
  | --- | --- | --- |
@@ -570,9 +570,9 @@ Every adapter is generated from the same `PROMETHEUS_RULES` array. You never wri
570
570
  | `codex` | `.codex/thesmos.md` | OpenAI Codex CLI |
571
571
  | `agents` | `AGENTS.md` | OpenAI Agents, generic agents |
572
572
 
573
- Adapters embed a `<!-- PROMETHEUS:META -->` comment with `version`, `target`, and `ruleCount`. `thesmos ci-check` reads this metadata to detect drift without re-running the generator — fully deterministic, no timestamps.
573
+ Adapters embed a `<!-- THESMOS:META -->` comment with `version`, `target`, and `ruleCount`. `thesmos ci-check` reads this metadata to detect drift without re-running the generator — fully deterministic, no timestamps.
574
574
 
575
- Manual content you write outside `<!-- PROMETHEUS:GENERATED START -->` / `<!-- PROMETHEUS:GENERATED END -->` markers is **always preserved** across regenerations.
575
+ Manual content you write outside `<!-- THESMOS:GENERATED START -->` / `<!-- THESMOS:GENERATED END -->` markers is **always preserved** across regenerations.
576
576
 
577
577
  ---
578
578
 
@@ -656,7 +656,7 @@ import {
656
656
  runDoctorForRoot,
657
657
  runCiCheckForRoot,
658
658
  exitCodeFor,
659
- PROMETHEUS_RULES,
659
+ THESMOS_RULES,
660
660
  } from 'thesmos-governance';
661
661
 
662
662
  // Load config from .thesmos/config.json
@@ -676,14 +676,14 @@ const checks = await runDoctorForRoot(root, config);
676
676
 
677
677
  // Generate adapter content for any target
678
678
  import { buildAdapterContent } from 'thesmos-governance';
679
- const content = buildAdapterContent('claude', existing, PROMETHEUS_RULES, config);
679
+ const content = buildAdapterContent('claude', existing, THESMOS_RULES, config);
680
680
  ```
681
681
 
682
682
  ### Key exports
683
683
 
684
684
  ```typescript
685
685
  // Rules
686
- PROMETHEUS_RULES // ThesmosRule[] — all 911 built-in rules
686
+ THESMOS_RULES // ThesmosRule[] — all 1,137 built-in rules
687
687
  getRulesByTag(tag) // filter by tag
688
688
  getRulesBySeverity(sev) // filter by severity
689
689
  getRulesByCategory(cat) // filter by category
@@ -729,7 +729,7 @@ import type {
729
729
  ## How it works
730
730
 
731
731
  ```text
732
- PROMETHEUS_RULES ← single source of truth (911 built-in rules + pack rules at runtime)
732
+ THESMOS_RULES ← single source of truth (1,137 built-in rules + pack rules at runtime)
733
733
 
734
734
  ├── adapters.ts → CLAUDE.md · GEMINI.md · .cursor/ · .github/ · .codex/ · AGENTS.md
735
735
  ├── init.ts → .thesmos/ governance folder
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # Accessibility Reviewer
17
17
 
18
+ > I am the **Accessibility Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Reviews UI component changes for WCAG 2.1 AA compliance: missing ARIA attributes, insufficient colour contrast, keyboard navigation gaps, focus management issues, and form labels not associated with inputs.
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # AI Safety Reviewer
17
17
 
18
+ > I am the **AI Safety Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Reviews AI-integrated code for safety issues: prompt injection risks, LLM output used without sanitisation, model API keys committed to source, missing output validation, and user-supplied content passed directly to system prompts.
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # Analytics Reviewer
17
17
 
18
+ > I am the **Analytics Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Reviews analytics implementation: consent gate correctness, PII in tracking events, data layer schema consistency, and GDPR-compliant event firing. Ensures analytics events do not fire before consent is granted.
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # API Reviewer
17
17
 
18
+ > I am the **API Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Reviews API route handlers for security and correctness: authentication guards, input validation, HTTP method handling, error response shapes, and rate limiting. Ensures new routes follow the established API contract.
@@ -14,6 +14,8 @@ model: claude-haiku-4-5-20251001
14
14
 
15
15
  # Architecture Reviewer
16
16
 
17
+ > I am the **Architecture Reviewer**, a specialized governance gate of the Thesmos Pantheon.
18
+
17
19
  ## Purpose
18
20
 
19
21
  Reviews changes for structural integrity: oversized files that should be split, emerging duplicate component patterns that indicate premature divergence, and refactors that cross module boundaries without updating dependents.
@@ -16,6 +16,8 @@ model: claude-haiku-4-5-20251001
16
16
 
17
17
  # God Agent Ate — SQL Injection & WAF Investigator
18
18
 
19
+ > I am the **God Agent Ate — SQL Injection & WAF Investigator**, a specialized governance gate of the Thesmos Pantheon.
20
+
19
21
  ## Purpose
20
22
 
21
23
  Investigates SQL injection vulnerabilities and WAF evasion patterns in database query code. Detects string concatenation in SQL queries, missing parameterization, template literal interpolation into raw SQL, ORM raw query misuse, and WAF bypass techniques (UNION SELECT, encoded payloads, comment-based obfuscation). Named for Ate, goddess of ruin and folly — she who ensures every developer who forgets to parameterize a query faces the consequences.
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # Auth Reviewer
17
17
 
18
+ > I am the **Auth Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Deeply reviews authentication and authorisation logic: session handling, token rotation, privilege escalation risks, missing route guards, and incorrect use of auth helpers across the client/server boundary.
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # Backend Reviewer
17
17
 
18
+ > I am the **Backend Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Reviews server-side code changes: data validation, error handling, idempotent operations, database query efficiency, and correct use of server-only APIs. Ensures server actions and API routes follow the established request/response contract.
@@ -15,6 +15,8 @@ model: claude-haiku-4-5-20251001
15
15
 
16
16
  # Build System Reviewer
17
17
 
18
+ > I am the **Build System Reviewer**, a specialized governance gate of the Thesmos Pantheon.
19
+
18
20
  ## Purpose
19
21
 
20
22
  Reviews changes to build configuration: Next.js config, Webpack/Turbopack customizations, tsup/esbuild settings, and TypeScript compiler options. Catches configurations that break tree shaking, disable type checking, or introduce non-deterministic builds.
@@ -16,6 +16,8 @@ model: claude-haiku-4-5-20251001
16
16
 
17
17
  # God Agent Cerberus — OAuth Token Theft Investigator
18
18
 
19
+ > I am the **God Agent Cerberus — OAuth Token Theft Investigator**, a specialized governance gate of the Thesmos Pantheon.
20
+
19
21
  ## Purpose
20
22
 
21
23
  Investigates OAuth token theft and replay attack patterns in authentication code. Detects access token storage in insecure locations (localStorage, cookies without `HttpOnly`/`Secure`), missing token expiry enforcement, refresh token mishandling, and JWT decode-without-verify anti-patterns. Also reviews code that handles authorization flows for pass-the-cookie and token replay vulnerabilities. Named for Cerberus, three-headed guardian of the gates — he who admits only the legitimately authenticated.