thuban 0.3.2 → 0.3.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +137 -102
- package/dist/LICENSE +21 -0
- package/dist/README.md +185 -0
- package/dist/cli.js +2 -0
- package/dist/packages/scanner/ai-confidence-scorer.js +1 -0
- package/dist/packages/scanner/alert-manager.js +1 -0
- package/dist/packages/scanner/baseline-manager.js +1 -0
- package/dist/packages/scanner/code-scanner.js +1 -0
- package/dist/packages/scanner/codebase-passport.js +1 -0
- package/dist/packages/scanner/copy-paste-detector.js +1 -0
- package/dist/packages/scanner/dependency-graph.js +1 -0
- package/dist/packages/scanner/drift-detector.js +1 -0
- package/dist/packages/scanner/executive-report.js +1 -0
- package/dist/packages/scanner/file-collector.js +1 -0
- package/dist/packages/scanner/file-watcher.js +1 -0
- package/dist/packages/scanner/ghost-code-detector.js +1 -0
- package/dist/packages/scanner/hallucination-detector.js +1 -0
- package/dist/packages/scanner/health-checker.js +1 -0
- package/dist/packages/scanner/html-report.js +1 -0
- package/dist/packages/scanner/index.js +1 -0
- package/dist/packages/scanner/license-manager.js +1 -0
- package/dist/packages/scanner/master-health-checker.js +1 -0
- package/dist/packages/scanner/monitor-notifier.js +1 -0
- package/dist/packages/scanner/monitor-service.js +1 -0
- package/dist/packages/scanner/monitor-store.js +1 -0
- package/dist/packages/scanner/pre-commit-gate.js +1 -0
- package/dist/packages/scanner/scan-diff.js +1 -0
- package/dist/packages/scanner/scan-runner.js +1 -0
- package/dist/packages/scanner/secret-scanner.js +1 -0
- package/dist/packages/scanner/sentinel-core.js +1 -0
- package/dist/packages/scanner/sentinel-knowledge.js +1 -0
- package/dist/packages/scanner/tech-debt-analyzer.js +1 -0
- package/dist/packages/scanner/tech-debt-cost.js +1 -0
- package/dist/packages/scanner/widget-generator.js +1 -0
- package/package.json +16 -8
- package/cli.js +0 -2412
- package/packages/scanner/ai-confidence-scorer.js +0 -260
- package/packages/scanner/alert-manager.js +0 -398
- package/packages/scanner/baseline-manager.js +0 -109
- package/packages/scanner/code-scanner.js +0 -713
- package/packages/scanner/codebase-passport.js +0 -299
- package/packages/scanner/copy-paste-detector.js +0 -250
- package/packages/scanner/dependency-graph.js +0 -536
- package/packages/scanner/drift-detector.js +0 -423
- package/packages/scanner/executive-report.js +0 -774
- package/packages/scanner/file-watcher.js +0 -323
- package/packages/scanner/ghost-code-detector.js +0 -226
- package/packages/scanner/hallucination-detector.js +0 -652
- package/packages/scanner/health-checker.js +0 -586
- package/packages/scanner/html-report.js +0 -634
- package/packages/scanner/index.js +0 -92
- package/packages/scanner/license-manager.js +0 -318
- package/packages/scanner/master-health-checker.js +0 -513
- package/packages/scanner/pre-commit-gate.js +0 -216
- package/packages/scanner/sentinel-core.js +0 -608
- package/packages/scanner/sentinel-knowledge.js +0 -322
- package/packages/scanner/tech-debt-analyzer.js +0 -565
- package/packages/scanner/tech-debt-cost.js +0 -194
- package/packages/scanner/widget-generator.js +0 -415
package/README.md
CHANGED
|
@@ -1,150 +1,185 @@
|
|
|
1
|
-
# Thuban
|
|
1
|
+
# Thuban
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
Thuban is an independent AI software assurance platform for pull requests, releases, and codebase trust. It combines codebase intelligence, scanner-driven risk detection, and Forge-style verification so teams can decide whether AI-assisted changes are safe to merge.
|
|
4
4
|
|
|
5
|
-
|
|
5
|
+
## Product wedge
|
|
6
6
|
|
|
7
|
-
|
|
8
|
-
|
|
7
|
+
Thuban is built around a PR assurance wedge:
|
|
8
|
+
|
|
9
|
+
- connect a GitHub repository through a future GitHub App
|
|
10
|
+
- analyze changed files and architectural blast radius
|
|
11
|
+
- run assurance checks and evidence collection
|
|
12
|
+
- issue a clear verdict with remediation guidance
|
|
13
|
+
|
|
14
|
+
This standalone extraction is based on the Thuban product strategy and the prior CODEX specifications inside `orion-main`.
|
|
15
|
+
|
|
16
|
+
## Repository layout
|
|
17
|
+
|
|
18
|
+
```text
|
|
19
|
+
apps/
|
|
20
|
+
api/ Express placeholder API for ingestion, assurance, and attestations
|
|
21
|
+
web/ Next.js placeholder operator UI
|
|
22
|
+
packages/
|
|
23
|
+
scanner/ Extracted Sentinel scanner and monitoring substrate
|
|
24
|
+
forge/ Extracted Forge verifier and verification data
|
|
25
|
+
docs/
|
|
26
|
+
source/ Original CODEX and Orion intelligence specs
|
|
27
|
+
strategy/ Product strategy and viability docs
|
|
28
|
+
schema/ Thuban-only database schema extract
|
|
29
|
+
venture/ Original venture README source
|
|
9
30
|
```
|
|
10
31
|
|
|
11
|
-
|
|
32
|
+
## What is real today
|
|
12
33
|
|
|
13
|
-
|
|
34
|
+
- `packages/scanner/` contains extracted working Sentinel code from Orion
|
|
35
|
+
- `packages/forge/forge-verifier.js` contains extracted Forge verification logic
|
|
36
|
+
- `packages/forge/data/forge-verifications/` contains historical verification artifacts
|
|
37
|
+
- `docs/` contains the original strategy, viability, and CODEX-era source materials
|
|
14
38
|
|
|
15
|
-
|
|
39
|
+
## What is placeholder today
|
|
16
40
|
|
|
17
|
-
|
|
41
|
+
- `apps/api/` is an Express starter aligned to the target product shape
|
|
42
|
+
- `apps/web/` is a minimal Next.js starter for the future assurance dashboard
|
|
43
|
+
- Postgres integration, GitHub App auth, webhook ingestion, PR check-runs, and production orchestration are planned but not yet implemented here
|
|
18
44
|
|
|
19
|
-
|
|
45
|
+
See `ARCHITECTURE.md` for a clear real-vs-placeholder breakdown.
|
|
20
46
|
|
|
21
|
-
##
|
|
47
|
+
## Architecture overview
|
|
22
48
|
|
|
23
|
-
|
|
24
|
-
|---------|-------------|
|
|
25
|
-
| `thuban scan [path]` | Full codebase health scan with score (A-F) |
|
|
26
|
-
| `thuban fix [path] --fix` | Auto-fix all fixable issues |
|
|
27
|
-
| `thuban hallucinate [path]` | Detect AI hallucinated APIs |
|
|
28
|
-
| `thuban gate` | Pre-commit hook — blocks hallucinated code in 3 seconds |
|
|
29
|
-
| `thuban gate --fix` | Install the pre-commit gate |
|
|
30
|
-
| `thuban cost [path]` | Tech debt cost calculator (hours + pounds) |
|
|
31
|
-
| `thuban ghosts [path]` | Find dead functions never called |
|
|
32
|
-
| `thuban ai-score [path]` | AI risk score per function (0-100%) |
|
|
33
|
-
| `thuban clones [path]` | Copy-paste drift detection |
|
|
34
|
-
| `thuban passport [path]` | Generate codebase identity file |
|
|
35
|
-
| `thuban executive [path]` | CTO-ready PDF report |
|
|
36
|
-
| `thuban dashboard [path]` | Visual HTML dashboard |
|
|
37
|
-
| `thuban watch [path]` | Live sentinel monitoring |
|
|
38
|
-
| `thuban diff [path]` | Scan only git-changed files |
|
|
39
|
-
| `thuban drift [path]` | Detect annotation/purpose drift |
|
|
40
|
-
| `thuban deps [path]` | Dependency graph + circular detection |
|
|
41
|
-
| `thuban status` | Show license and usage info |
|
|
42
|
-
| `thuban upgrade` | View pricing and subscribe |
|
|
43
|
-
| `thuban activate [key]` | Activate a license key |
|
|
49
|
+
### Apps
|
|
44
50
|
|
|
45
|
-
|
|
51
|
+
- `apps/api`: future control plane and integration surface for repos, pull requests, audits, policies, and attestations
|
|
52
|
+
- `apps/web`: future UI for onboarding repos, reviewing audit evidence, and tracking trust history
|
|
46
53
|
|
|
47
|
-
|
|
54
|
+
### Packages
|
|
48
55
|
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
npx thuban scan .
|
|
52
|
-
```
|
|
56
|
+
- `packages/scanner`: repository scanning, dependency graphing, drift detection, health checks, alerting, and secret/credential exposure scanning for hardcoded API keys, passwords, secrets in source code, `.env` files not gitignored, database connection strings with passwords, private keys, high-entropy strings, and secrets still exposed in git history, and secret/credential exposure scanning for hardcoded API keys, passwords, secrets in source code, `.env` files not gitignored, database connection strings with passwords, private keys, high-entropy strings, and secrets still exposed in git history
|
|
57
|
+
- `packages/forge`: attestation and verification workflow plus verification history
|
|
53
58
|
|
|
54
|
-
###
|
|
55
|
-
```bash
|
|
56
|
-
npx thuban cost .
|
|
57
|
-
```
|
|
59
|
+
### Data
|
|
58
60
|
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
61
|
+
- Postgres is the intended system of record
|
|
62
|
+
- the included schema extract in `docs/schema/ORION-ECOSYSTEM-SCHEMA.thuban.json` contains only the `thuban` tables from Orion
|
|
63
|
+
- packaged JSON artifacts are historical examples, not the final persistence model
|
|
64
|
+
|
|
65
|
+
## Getting started
|
|
66
|
+
|
|
67
|
+
### Prerequisites
|
|
68
|
+
|
|
69
|
+
- Node.js 20+
|
|
70
|
+
- npm 10+
|
|
71
|
+
- Postgres 15+ for future API work
|
|
72
|
+
|
|
73
|
+
### Install
|
|
63
74
|
|
|
64
|
-
### Block hallucinations on every commit
|
|
65
75
|
```bash
|
|
66
|
-
|
|
76
|
+
npm install
|
|
67
77
|
```
|
|
68
78
|
|
|
69
|
-
###
|
|
79
|
+
### Run the placeholder apps
|
|
80
|
+
|
|
70
81
|
```bash
|
|
71
|
-
|
|
82
|
+
npm run dev:api
|
|
83
|
+
npm run dev:web
|
|
72
84
|
```
|
|
73
85
|
|
|
74
|
-
|
|
86
|
+
### Explore the extracted code
|
|
75
87
|
|
|
76
|
-
|
|
88
|
+
- scanner entrypoint: `packages/scanner/index.js`
|
|
89
|
+
- secret scan utility: `quickSecretScan([...files], { rootPath })` or `new SecretScanner({ rootPath }).scanAll()` with output including file path, line number, secret type, severity, and fix recommendation
|
|
90
|
+
- forge verifier: `packages/forge/forge-verifier.js`
|
|
91
|
+
- product strategy: `docs/strategy/THUBAN-PRODUCT-STRATEGY.md`
|
|
92
|
+
- architecture notes: `ARCHITECTURE.md`
|
|
77
93
|
|
|
78
|
-
|
|
79
|
-
THUBAN — Code Health Report
|
|
94
|
+
## Thuban Pro recurring scans
|
|
80
95
|
|
|
81
|
-
|
|
96
|
+
Thuban Pro adds scheduled recurring scans for local repositories with change detection, local history, and notification stubs.
|
|
82
97
|
|
|
83
|
-
|
|
84
|
-
src/api/payments.js:47
|
|
85
|
-
stripe.charges.createImmediate()
|
|
86
|
-
^^^ This method does not exist in Stripe SDK.
|
|
98
|
+
### What it does
|
|
87
99
|
|
|
88
|
-
|
|
89
|
-
|
|
100
|
+
- stores monitor configuration per repo in `~/.thuban/monitor/config.json`
|
|
101
|
+
- runs the existing scanner pipeline on a schedule
|
|
102
|
+
- saves each run as JSON history in `~/.thuban/monitor/runs/<repo-id>/`
|
|
103
|
+
- compares each run to the previous run to surface:
|
|
104
|
+
- new issues
|
|
105
|
+
- resolved issues
|
|
106
|
+
- issue-count trend
|
|
107
|
+
- hallucination / secret / tech-debt metric deltas
|
|
108
|
+
- writes notification records to `~/.thuban/monitor/notifications.json`
|
|
109
|
+
- gates monitor/history/trend commands to Pro and above
|
|
90
110
|
|
|
91
|
-
|
|
92
|
-
Manual fix: 47 hours (£3,760 at £80/hr)
|
|
93
|
-
With Thuban: 4 hours
|
|
94
|
-
You save: £3,440 (91%)
|
|
111
|
+
### Commands
|
|
95
112
|
|
|
96
|
-
|
|
113
|
+
```bash
|
|
114
|
+
npx thuban monitor . --once
|
|
115
|
+
npx thuban monitor . --frequency daily
|
|
116
|
+
npx thuban monitor . --frequency weekly
|
|
117
|
+
npx thuban monitor . --frequency custom --interval-ms 3600000
|
|
118
|
+
npx thuban history .
|
|
119
|
+
npx thuban trend .
|
|
97
120
|
```
|
|
98
121
|
|
|
99
|
-
|
|
122
|
+
### Notification channels
|
|
123
|
+
|
|
124
|
+
Current implementation supports:
|
|
125
|
+
|
|
126
|
+
- `inbox` — local notification inbox persisted to disk
|
|
127
|
+
- `console` — console alert via the existing alert manager
|
|
128
|
+
- `email` — stubbed for future delivery integration
|
|
129
|
+
- `webhook` — stubbed for future delivery integration
|
|
130
|
+
|
|
131
|
+
Example:
|
|
132
|
+
|
|
133
|
+
```bash
|
|
134
|
+
npx thuban monitor . --once --notify inbox,console
|
|
135
|
+
```
|
|
100
136
|
|
|
101
|
-
|
|
137
|
+
### How scheduling works
|
|
102
138
|
|
|
103
|
-
-
|
|
104
|
-
-
|
|
105
|
-
-
|
|
106
|
-
-
|
|
107
|
-
-
|
|
108
|
-
- **Copy-Paste Drift** — finds duplicated code drifting apart across files
|
|
109
|
-
- **Codebase Passport** — one JSON file describing your entire project
|
|
110
|
-
- **Mother Code DNA** — contextual annotations that make your codebase self-aware
|
|
111
|
-
- **Executive Report** — board-ready HTML report (print to PDF)
|
|
112
|
-
- **Auto-Fix** — one command fixes hundreds of issues automatically
|
|
113
|
-
- **Live Sentinel** — real-time monitoring on file save
|
|
114
|
-
- **Visual Dashboard** — HTML reports with score rings and category breakdowns
|
|
115
|
-
- **GitHub CI Action** — grade every PR, block merges below threshold
|
|
139
|
+
- `daily` = every 24 hours
|
|
140
|
+
- `weekly` = every 7 days
|
|
141
|
+
- `custom` = any interval via `--interval-ms`
|
|
142
|
+
- `npx thuban monitor .` starts a foreground daemon-like process until stopped
|
|
143
|
+
- `npx thuban monitor . --once` performs one scheduled-style run immediately and stores history
|
|
116
144
|
|
|
117
|
-
|
|
145
|
+
### Diff detection
|
|
118
146
|
|
|
119
|
-
|
|
147
|
+
Each issue is fingerprinted from file, category, id, line, and message. Thuban compares the latest run against the previous run and records:
|
|
120
148
|
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
| **Pro** | £19/mo | Unlimited scans, full details, auto-fix, all features |
|
|
125
|
-
| **Team** | £99/mo | 5 seats, CI Action, team reports |
|
|
126
|
-
| **Enterprise** | Custom | Unlimited seats, self-hosted, SLA, SSO |
|
|
149
|
+
- `added`: issues not seen in the previous run
|
|
150
|
+
- `resolved`: issues that disappeared
|
|
151
|
+
- `metricsDelta`: changes in issue count, hallucinations, secrets, and tech debt metrics
|
|
127
152
|
|
|
128
|
-
|
|
153
|
+
This makes recurring scans useful for “what changed since yesterday?” rather than just “scan again.”
|
|
129
154
|
|
|
130
|
-
##
|
|
155
|
+
## Website deployment
|
|
131
156
|
|
|
132
|
-
|
|
133
|
-
- Works on Windows, macOS, Linux
|
|
134
|
-
- Zero npm dependencies — runs with just Node.js built-ins
|
|
157
|
+
The public site at `https://thuban.dev` is deployed from the repository root `docs/` folder via GitHub Pages.
|
|
135
158
|
|
|
136
|
-
|
|
159
|
+
- workflow: `.github/workflows/deploy-website.yml`
|
|
160
|
+
- trigger: pushes to `main` that change `docs/**`, or manual `workflow_dispatch`
|
|
161
|
+
- deploy artifact: the `docs/` directory uploaded directly to GitHub Pages
|
|
162
|
+
- custom domain: `docs/CNAME`
|
|
137
163
|
|
|
138
|
-
|
|
164
|
+
Important deployment notes:
|
|
139
165
|
|
|
140
|
-
|
|
166
|
+
- `apps/web/` is a placeholder Next.js app and is not part of the live GitHub Pages deployment
|
|
167
|
+
- there is currently no build/export pipeline from `apps/web/` into `docs/`
|
|
168
|
+
- updating `apps/web/` alone will not change `thuban.dev`
|
|
169
|
+
- to update the live site, edit the static files in `docs/` or add a future export step that writes static output into `docs/`
|
|
141
170
|
|
|
142
|
-
|
|
171
|
+
Current practical workflow:
|
|
143
172
|
|
|
144
|
-
|
|
173
|
+
1. make website content changes in `docs/`
|
|
174
|
+
2. commit and push to `main`
|
|
175
|
+
3. GitHub Actions runs `Deploy Website to GitHub Pages`
|
|
176
|
+
4. GitHub Pages publishes the uploaded `docs/` artifact to `https://thuban.dev`
|
|
145
177
|
|
|
146
|
-
|
|
178
|
+
## Planned next steps
|
|
147
179
|
|
|
148
|
-
|
|
180
|
+
1. implement GitHub App installation and webhook ingestion
|
|
181
|
+
2. persist repos, analyses, issues, and fixes in Postgres
|
|
182
|
+
3. convert Sentinel and Forge flows into API-driven services
|
|
183
|
+
4. connect PR check-runs and release attestation exports
|
|
184
|
+
5. build the dashboard for audit runs, verdicts, and trust history
|
|
149
185
|
|
|
150
|
-
Built by [Silverwings](https://silverwingsbenefits.com)
|
package/dist/LICENSE
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 Silverwings Benefits Ltd
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
package/dist/README.md
ADDED
|
@@ -0,0 +1,185 @@
|
|
|
1
|
+
# Thuban
|
|
2
|
+
|
|
3
|
+
Thuban is an independent AI software assurance platform for pull requests, releases, and codebase trust. It combines codebase intelligence, scanner-driven risk detection, and Forge-style verification so teams can decide whether AI-assisted changes are safe to merge.
|
|
4
|
+
|
|
5
|
+
## Product wedge
|
|
6
|
+
|
|
7
|
+
Thuban is built around a PR assurance wedge:
|
|
8
|
+
|
|
9
|
+
- connect a GitHub repository through a future GitHub App
|
|
10
|
+
- analyze changed files and architectural blast radius
|
|
11
|
+
- run assurance checks and evidence collection
|
|
12
|
+
- issue a clear verdict with remediation guidance
|
|
13
|
+
|
|
14
|
+
This standalone extraction is based on the Thuban product strategy and the prior CODEX specifications inside `orion-main`.
|
|
15
|
+
|
|
16
|
+
## Repository layout
|
|
17
|
+
|
|
18
|
+
```text
|
|
19
|
+
apps/
|
|
20
|
+
api/ Express placeholder API for ingestion, assurance, and attestations
|
|
21
|
+
web/ Next.js placeholder operator UI
|
|
22
|
+
packages/
|
|
23
|
+
scanner/ Extracted Sentinel scanner and monitoring substrate
|
|
24
|
+
forge/ Extracted Forge verifier and verification data
|
|
25
|
+
docs/
|
|
26
|
+
source/ Original CODEX and Orion intelligence specs
|
|
27
|
+
strategy/ Product strategy and viability docs
|
|
28
|
+
schema/ Thuban-only database schema extract
|
|
29
|
+
venture/ Original venture README source
|
|
30
|
+
```
|
|
31
|
+
|
|
32
|
+
## What is real today
|
|
33
|
+
|
|
34
|
+
- `packages/scanner/` contains extracted working Sentinel code from Orion
|
|
35
|
+
- `packages/forge/forge-verifier.js` contains extracted Forge verification logic
|
|
36
|
+
- `packages/forge/data/forge-verifications/` contains historical verification artifacts
|
|
37
|
+
- `docs/` contains the original strategy, viability, and CODEX-era source materials
|
|
38
|
+
|
|
39
|
+
## What is placeholder today
|
|
40
|
+
|
|
41
|
+
- `apps/api/` is an Express starter aligned to the target product shape
|
|
42
|
+
- `apps/web/` is a minimal Next.js starter for the future assurance dashboard
|
|
43
|
+
- Postgres integration, GitHub App auth, webhook ingestion, PR check-runs, and production orchestration are planned but not yet implemented here
|
|
44
|
+
|
|
45
|
+
See `ARCHITECTURE.md` for a clear real-vs-placeholder breakdown.
|
|
46
|
+
|
|
47
|
+
## Architecture overview
|
|
48
|
+
|
|
49
|
+
### Apps
|
|
50
|
+
|
|
51
|
+
- `apps/api`: future control plane and integration surface for repos, pull requests, audits, policies, and attestations
|
|
52
|
+
- `apps/web`: future UI for onboarding repos, reviewing audit evidence, and tracking trust history
|
|
53
|
+
|
|
54
|
+
### Packages
|
|
55
|
+
|
|
56
|
+
- `packages/scanner`: repository scanning, dependency graphing, drift detection, health checks, alerting, and secret/credential exposure scanning for hardcoded API keys, passwords, secrets in source code, `.env` files not gitignored, database connection strings with passwords, private keys, high-entropy strings, and secrets still exposed in git history, and secret/credential exposure scanning for hardcoded API keys, passwords, secrets in source code, `.env` files not gitignored, database connection strings with passwords, private keys, high-entropy strings, and secrets still exposed in git history
|
|
57
|
+
- `packages/forge`: attestation and verification workflow plus verification history
|
|
58
|
+
|
|
59
|
+
### Data
|
|
60
|
+
|
|
61
|
+
- Postgres is the intended system of record
|
|
62
|
+
- the included schema extract in `docs/schema/ORION-ECOSYSTEM-SCHEMA.thuban.json` contains only the `thuban` tables from Orion
|
|
63
|
+
- packaged JSON artifacts are historical examples, not the final persistence model
|
|
64
|
+
|
|
65
|
+
## Getting started
|
|
66
|
+
|
|
67
|
+
### Prerequisites
|
|
68
|
+
|
|
69
|
+
- Node.js 20+
|
|
70
|
+
- npm 10+
|
|
71
|
+
- Postgres 15+ for future API work
|
|
72
|
+
|
|
73
|
+
### Install
|
|
74
|
+
|
|
75
|
+
```bash
|
|
76
|
+
npm install
|
|
77
|
+
```
|
|
78
|
+
|
|
79
|
+
### Run the placeholder apps
|
|
80
|
+
|
|
81
|
+
```bash
|
|
82
|
+
npm run dev:api
|
|
83
|
+
npm run dev:web
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
### Explore the extracted code
|
|
87
|
+
|
|
88
|
+
- scanner entrypoint: `packages/scanner/index.js`
|
|
89
|
+
- secret scan utility: `quickSecretScan([...files], { rootPath })` or `new SecretScanner({ rootPath }).scanAll()` with output including file path, line number, secret type, severity, and fix recommendation
|
|
90
|
+
- forge verifier: `packages/forge/forge-verifier.js`
|
|
91
|
+
- product strategy: `docs/strategy/THUBAN-PRODUCT-STRATEGY.md`
|
|
92
|
+
- architecture notes: `ARCHITECTURE.md`
|
|
93
|
+
|
|
94
|
+
## Thuban Pro recurring scans
|
|
95
|
+
|
|
96
|
+
Thuban Pro adds scheduled recurring scans for local repositories with change detection, local history, and notification stubs.
|
|
97
|
+
|
|
98
|
+
### What it does
|
|
99
|
+
|
|
100
|
+
- stores monitor configuration per repo in `~/.thuban/monitor/config.json`
|
|
101
|
+
- runs the existing scanner pipeline on a schedule
|
|
102
|
+
- saves each run as JSON history in `~/.thuban/monitor/runs/<repo-id>/`
|
|
103
|
+
- compares each run to the previous run to surface:
|
|
104
|
+
- new issues
|
|
105
|
+
- resolved issues
|
|
106
|
+
- issue-count trend
|
|
107
|
+
- hallucination / secret / tech-debt metric deltas
|
|
108
|
+
- writes notification records to `~/.thuban/monitor/notifications.json`
|
|
109
|
+
- gates monitor/history/trend commands to Pro and above
|
|
110
|
+
|
|
111
|
+
### Commands
|
|
112
|
+
|
|
113
|
+
```bash
|
|
114
|
+
npx thuban monitor . --once
|
|
115
|
+
npx thuban monitor . --frequency daily
|
|
116
|
+
npx thuban monitor . --frequency weekly
|
|
117
|
+
npx thuban monitor . --frequency custom --interval-ms 3600000
|
|
118
|
+
npx thuban history .
|
|
119
|
+
npx thuban trend .
|
|
120
|
+
```
|
|
121
|
+
|
|
122
|
+
### Notification channels
|
|
123
|
+
|
|
124
|
+
Current implementation supports:
|
|
125
|
+
|
|
126
|
+
- `inbox` — local notification inbox persisted to disk
|
|
127
|
+
- `console` — console alert via the existing alert manager
|
|
128
|
+
- `email` — stubbed for future delivery integration
|
|
129
|
+
- `webhook` — stubbed for future delivery integration
|
|
130
|
+
|
|
131
|
+
Example:
|
|
132
|
+
|
|
133
|
+
```bash
|
|
134
|
+
npx thuban monitor . --once --notify inbox,console
|
|
135
|
+
```
|
|
136
|
+
|
|
137
|
+
### How scheduling works
|
|
138
|
+
|
|
139
|
+
- `daily` = every 24 hours
|
|
140
|
+
- `weekly` = every 7 days
|
|
141
|
+
- `custom` = any interval via `--interval-ms`
|
|
142
|
+
- `npx thuban monitor .` starts a foreground daemon-like process until stopped
|
|
143
|
+
- `npx thuban monitor . --once` performs one scheduled-style run immediately and stores history
|
|
144
|
+
|
|
145
|
+
### Diff detection
|
|
146
|
+
|
|
147
|
+
Each issue is fingerprinted from file, category, id, line, and message. Thuban compares the latest run against the previous run and records:
|
|
148
|
+
|
|
149
|
+
- `added`: issues not seen in the previous run
|
|
150
|
+
- `resolved`: issues that disappeared
|
|
151
|
+
- `metricsDelta`: changes in issue count, hallucinations, secrets, and tech debt metrics
|
|
152
|
+
|
|
153
|
+
This makes recurring scans useful for “what changed since yesterday?” rather than just “scan again.”
|
|
154
|
+
|
|
155
|
+
## Website deployment
|
|
156
|
+
|
|
157
|
+
The public site at `https://thuban.dev` is deployed from the repository root `docs/` folder via GitHub Pages.
|
|
158
|
+
|
|
159
|
+
- workflow: `.github/workflows/deploy-website.yml`
|
|
160
|
+
- trigger: pushes to `main` that change `docs/**`, or manual `workflow_dispatch`
|
|
161
|
+
- deploy artifact: the `docs/` directory uploaded directly to GitHub Pages
|
|
162
|
+
- custom domain: `docs/CNAME`
|
|
163
|
+
|
|
164
|
+
Important deployment notes:
|
|
165
|
+
|
|
166
|
+
- `apps/web/` is a placeholder Next.js app and is not part of the live GitHub Pages deployment
|
|
167
|
+
- there is currently no build/export pipeline from `apps/web/` into `docs/`
|
|
168
|
+
- updating `apps/web/` alone will not change `thuban.dev`
|
|
169
|
+
- to update the live site, edit the static files in `docs/` or add a future export step that writes static output into `docs/`
|
|
170
|
+
|
|
171
|
+
Current practical workflow:
|
|
172
|
+
|
|
173
|
+
1. make website content changes in `docs/`
|
|
174
|
+
2. commit and push to `main`
|
|
175
|
+
3. GitHub Actions runs `Deploy Website to GitHub Pages`
|
|
176
|
+
4. GitHub Pages publishes the uploaded `docs/` artifact to `https://thuban.dev`
|
|
177
|
+
|
|
178
|
+
## Planned next steps
|
|
179
|
+
|
|
180
|
+
1. implement GitHub App installation and webhook ingestion
|
|
181
|
+
2. persist repos, analyses, issues, and fixes in Postgres
|
|
182
|
+
3. convert Sentinel and Forge flows into API-driven services
|
|
183
|
+
4. connect PR check-runs and release attestation exports
|
|
184
|
+
5. build the dashboard for audit runs, verdicts, and trust history
|
|
185
|
+
|