thuban 0.3.1 → 0.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -1,150 +1,185 @@
1
- # Thuban — Code Health Engine
1
+ # Thuban
2
2
 
3
- **The safety layer for AI-coded software.**
3
+ Thuban is an independent AI software assurance platform for pull requests, releases, and codebase trust. It combines codebase intelligence, scanner-driven risk detection, and Forge-style verification so teams can decide whether AI-assisted changes are safe to merge.
4
4
 
5
- Scan your codebase for hallucinated APIs, ghost code, architecture drift, and tech debt. Fix what can be fixed automatically. One command. Zero dependencies. Zero config.
5
+ ## Product wedge
6
6
 
7
- ```bash
8
- npx thuban scan .
7
+ Thuban is built around a PR assurance wedge:
8
+
9
+ - connect a GitHub repository through a future GitHub App
10
+ - analyze changed files and architectural blast radius
11
+ - run assurance checks and evidence collection
12
+ - issue a clear verdict with remediation guidance
13
+
14
+ This standalone extraction is based on the Thuban product strategy and the prior CODEX specifications inside `orion-main`.
15
+
16
+ ## Repository layout
17
+
18
+ ```text
19
+ apps/
20
+ api/ Express placeholder API for ingestion, assurance, and attestations
21
+ web/ Next.js placeholder operator UI
22
+ packages/
23
+ scanner/ Extracted Sentinel scanner and monitoring substrate
24
+ forge/ Extracted Forge verifier and verification data
25
+ docs/
26
+ source/ Original CODEX and Orion intelligence specs
27
+ strategy/ Product strategy and viability docs
28
+ schema/ Thuban-only database schema extract
29
+ venture/ Original venture README source
9
30
  ```
10
31
 
11
- ---
32
+ ## What is real today
12
33
 
13
- ## Why Thuban?
34
+ - `packages/scanner/` contains extracted working Sentinel code from Orion
35
+ - `packages/forge/forge-verifier.js` contains extracted Forge verification logic
36
+ - `packages/forge/data/forge-verifications/` contains historical verification artifacts
37
+ - `docs/` contains the original strategy, viability, and CODEX-era source materials
14
38
 
15
- AI coding tools (Copilot, Cursor, Claude, ChatGPT) generate code that **looks correct but isn't**. They invent API methods that don't exist. They paste helper functions nobody calls. They use deprecated patterns from their training data.
39
+ ## What is placeholder today
16
40
 
17
- Linters don't catch this. Code review misses it. Thuban was built specifically for it.
41
+ - `apps/api/` is an Express starter aligned to the target product shape
42
+ - `apps/web/` is a minimal Next.js starter for the future assurance dashboard
43
+ - Postgres integration, GitHub App auth, webhook ingestion, PR check-runs, and production orchestration are planned but not yet implemented here
18
44
 
19
- ---
45
+ See `ARCHITECTURE.md` for a clear real-vs-placeholder breakdown.
20
46
 
21
- ## What It Does
47
+ ## Architecture overview
22
48
 
23
- | Command | What it does |
24
- |---------|-------------|
25
- | `thuban scan [path]` | Full codebase health scan with score (A-F) |
26
- | `thuban fix [path] --fix` | Auto-fix all fixable issues |
27
- | `thuban hallucinate [path]` | Detect AI hallucinated APIs |
28
- | `thuban gate` | Pre-commit hook — blocks hallucinated code in 3 seconds |
29
- | `thuban gate --fix` | Install the pre-commit gate |
30
- | `thuban cost [path]` | Tech debt cost calculator (hours + pounds) |
31
- | `thuban ghosts [path]` | Find dead functions never called |
32
- | `thuban ai-score [path]` | AI risk score per function (0-100%) |
33
- | `thuban clones [path]` | Copy-paste drift detection |
34
- | `thuban passport [path]` | Generate codebase identity file |
35
- | `thuban executive [path]` | CTO-ready PDF report |
36
- | `thuban dashboard [path]` | Visual HTML dashboard |
37
- | `thuban watch [path]` | Live sentinel monitoring |
38
- | `thuban diff [path]` | Scan only git-changed files |
39
- | `thuban drift [path]` | Detect annotation/purpose drift |
40
- | `thuban deps [path]` | Dependency graph + circular detection |
41
- | `thuban status` | Show license and usage info |
42
- | `thuban upgrade` | View pricing and subscribe |
43
- | `thuban activate [key]` | Activate a license key |
49
+ ### Apps
44
50
 
45
- ---
51
+ - `apps/api`: future control plane and integration surface for repos, pull requests, audits, policies, and attestations
52
+ - `apps/web`: future UI for onboarding repos, reviewing audit evidence, and tracking trust history
46
53
 
47
- ## Quick Start
54
+ ### Packages
48
55
 
49
- ### Scan your project
50
- ```bash
51
- npx thuban scan .
52
- ```
56
+ - `packages/scanner`: repository scanning, dependency graphing, drift detection, health checks, alerting, and secret/credential exposure scanning for hardcoded API keys, passwords, secrets in source code, `.env` files not gitignored, database connection strings with passwords, private keys, high-entropy strings, and secrets still exposed in git history, and secret/credential exposure scanning for hardcoded API keys, passwords, secrets in source code, `.env` files not gitignored, database connection strings with passwords, private keys, high-entropy strings, and secrets still exposed in git history
57
+ - `packages/forge`: attestation and verification workflow plus verification history
53
58
 
54
- ### See what it costs you
55
- ```bash
56
- npx thuban cost .
57
- ```
59
+ ### Data
58
60
 
59
- ### Find ghost code
60
- ```bash
61
- npx thuban ghosts .
62
- ```
61
+ - Postgres is the intended system of record
62
+ - the included schema extract in `docs/schema/ORION-ECOSYSTEM-SCHEMA.thuban.json` contains only the `thuban` tables from Orion
63
+ - packaged JSON artifacts are historical examples, not the final persistence model
64
+
65
+ ## Getting started
66
+
67
+ ### Prerequisites
68
+
69
+ - Node.js 20+
70
+ - npm 10+
71
+ - Postgres 15+ for future API work
72
+
73
+ ### Install
63
74
 
64
- ### Block hallucinations on every commit
65
75
  ```bash
66
- npx thuban gate --fix
76
+ npm install
67
77
  ```
68
78
 
69
- ### Generate a CTO report
79
+ ### Run the placeholder apps
80
+
70
81
  ```bash
71
- npx thuban executive .
82
+ npm run dev:api
83
+ npm run dev:web
72
84
  ```
73
85
 
74
- ---
86
+ ### Explore the extracted code
75
87
 
76
- ## Example Output
88
+ - scanner entrypoint: `packages/scanner/index.js`
89
+ - secret scan utility: `quickSecretScan([...files], { rootPath })` or `new SecretScanner({ rootPath }).scanAll()` with output including file path, line number, secret type, severity, and fix recommendation
90
+ - forge verifier: `packages/forge/forge-verifier.js`
91
+ - product strategy: `docs/strategy/THUBAN-PRODUCT-STRATEGY.md`
92
+ - architecture notes: `ARCHITECTURE.md`
77
93
 
78
- ```
79
- THUBAN — Code Health Report
94
+ ## Thuban Pro recurring scans
80
95
 
81
- Score: D+ (38/100)
96
+ Thuban Pro adds scheduled recurring scans for local repositories with change detection, local history, and notification stubs.
82
97
 
83
- CRITICAL: 3 Hallucinated APIs
84
- src/api/payments.js:47
85
- stripe.charges.createImmediate()
86
- ^^^ This method does not exist in Stripe SDK.
98
+ ### What it does
87
99
 
88
- GHOST CODE: 16 functions exist but are never called
89
- 407 wasted lines (1.9% of codebase)
100
+ - stores monitor configuration per repo in `~/.thuban/monitor/config.json`
101
+ - runs the existing scanner pipeline on a schedule
102
+ - saves each run as JSON history in `~/.thuban/monitor/runs/<repo-id>/`
103
+ - compares each run to the previous run to surface:
104
+ - new issues
105
+ - resolved issues
106
+ - issue-count trend
107
+ - hallucination / secret / tech-debt metric deltas
108
+ - writes notification records to `~/.thuban/monitor/notifications.json`
109
+ - gates monitor/history/trend commands to Pro and above
90
110
 
91
- TECH DEBT COST:
92
- Manual fix: 47 hours (£3,760 at £80/hr)
93
- With Thuban: 4 hours
94
- You save: £3,440 (91%)
111
+ ### Commands
95
112
 
96
- Run: thuban fix . --fix
113
+ ```bash
114
+ npx thuban monitor . --once
115
+ npx thuban monitor . --frequency daily
116
+ npx thuban monitor . --frequency weekly
117
+ npx thuban monitor . --frequency custom --interval-ms 3600000
118
+ npx thuban history .
119
+ npx thuban trend .
97
120
  ```
98
121
 
99
- ---
122
+ ### Notification channels
123
+
124
+ Current implementation supports:
125
+
126
+ - `inbox` — local notification inbox persisted to disk
127
+ - `console` — console alert via the existing alert manager
128
+ - `email` — stubbed for future delivery integration
129
+ - `webhook` — stubbed for future delivery integration
130
+
131
+ Example:
132
+
133
+ ```bash
134
+ npx thuban monitor . --once --notify inbox,console
135
+ ```
100
136
 
101
- ## Features
137
+ ### How scheduling works
102
138
 
103
- - **AI Hallucination Detection** finds phantom imports and invented APIs
104
- - **Pre-Commit Gate** 3-second check blocks bad code before it enters your repo
105
- - **Ghost Code Detection** finds functions that exist but are never called
106
- - **AI Risk Score** per-function assessment of AI-generated code
107
- - **Tech Debt Cost Calculator** translates debt into hours and pounds
108
- - **Copy-Paste Drift** — finds duplicated code drifting apart across files
109
- - **Codebase Passport** — one JSON file describing your entire project
110
- - **Mother Code DNA** — contextual annotations that make your codebase self-aware
111
- - **Executive Report** — board-ready HTML report (print to PDF)
112
- - **Auto-Fix** — one command fixes hundreds of issues automatically
113
- - **Live Sentinel** — real-time monitoring on file save
114
- - **Visual Dashboard** — HTML reports with score rings and category breakdowns
115
- - **GitHub CI Action** — grade every PR, block merges below threshold
139
+ - `daily` = every 24 hours
140
+ - `weekly` = every 7 days
141
+ - `custom` = any interval via `--interval-ms`
142
+ - `npx thuban monitor .` starts a foreground daemon-like process until stopped
143
+ - `npx thuban monitor . --once` performs one scheduled-style run immediately and stores history
116
144
 
117
- ---
145
+ ### Diff detection
118
146
 
119
- ## Pricing
147
+ Each issue is fingerprinted from file, category, id, line, and message. Thuban compares the latest run against the previous run and records:
120
148
 
121
- | Tier | Price | What you get |
122
- |------|-------|-------------|
123
- | **Free** | £0 | 5 scans/month, 100 files, summary output |
124
- | **Pro** | £19/mo | Unlimited scans, full details, auto-fix, all features |
125
- | **Team** | £99/mo | 5 seats, CI Action, team reports |
126
- | **Enterprise** | Custom | Unlimited seats, self-hosted, SLA, SSO |
149
+ - `added`: issues not seen in the previous run
150
+ - `resolved`: issues that disappeared
151
+ - `metricsDelta`: changes in issue count, hallucinations, secrets, and tech debt metrics
127
152
 
128
- ---
153
+ This makes recurring scans useful for “what changed since yesterday?” rather than just “scan again.”
129
154
 
130
- ## Requirements
155
+ ## Website deployment
131
156
 
132
- - Node.js 16+
133
- - Works on Windows, macOS, Linux
134
- - Zero npm dependencies — runs with just Node.js built-ins
157
+ The public site at `https://thuban.dev` is deployed from the repository root `docs/` folder via GitHub Pages.
135
158
 
136
- ---
159
+ - workflow: `.github/workflows/deploy-website.yml`
160
+ - trigger: pushes to `main` that change `docs/**`, or manual `workflow_dispatch`
161
+ - deploy artifact: the `docs/` directory uploaded directly to GitHub Pages
162
+ - custom domain: `docs/CNAME`
137
163
 
138
- ## How It Works
164
+ Important deployment notes:
139
165
 
140
- Thuban runs entirely locally. Your code never leaves your machine. It uses static analysis, pattern matching, and heuristic detection no API calls, no cloud, no telemetry.
166
+ - `apps/web/` is a placeholder Next.js app and is not part of the live GitHub Pages deployment
167
+ - there is currently no build/export pipeline from `apps/web/` into `docs/`
168
+ - updating `apps/web/` alone will not change `thuban.dev`
169
+ - to update the live site, edit the static files in `docs/` or add a future export step that writes static output into `docs/`
141
170
 
142
- ---
171
+ Current practical workflow:
143
172
 
144
- ## License
173
+ 1. make website content changes in `docs/`
174
+ 2. commit and push to `main`
175
+ 3. GitHub Actions runs `Deploy Website to GitHub Pages`
176
+ 4. GitHub Pages publishes the uploaded `docs/` artifact to `https://thuban.dev`
145
177
 
146
- Proprietary. Free tier available. See [thuban.dev](https://thuban.dev) for details.
178
+ ## Planned next steps
147
179
 
148
- ---
180
+ 1. implement GitHub App installation and webhook ingestion
181
+ 2. persist repos, analyses, issues, and fixes in Postgres
182
+ 3. convert Sentinel and Forge flows into API-driven services
183
+ 4. connect PR check-runs and release attestation exports
184
+ 5. build the dashboard for audit runs, verdicts, and trust history
149
185
 
150
- Built by [Silverwings](https://silverwingsbenefits.com)