-
Notifications
You must be signed in to change notification settings - Fork 171
Add Thermos plugin #92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
ericzakariasson
merged 3 commits into
main
from
cursor/thermo-nuclear-code-quality-review
May 28, 2026
Merged
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| { | ||
| "name": "thermos", | ||
| "displayName": "Thermos", | ||
| "version": "1.0.0", | ||
| "description": "Thermo-nuclear branch review: deep correctness and security audits plus harsh code-quality rubrics, parallel subagents, thermos orchestration, and optional take-the-wheel and FSD merge-ready flows.", | ||
| "author": { | ||
| "name": "Cursor", | ||
| "email": "plugins@cursor.com" | ||
| }, | ||
| "homepage": "https://github.com/cursor/plugins", | ||
| "repository": "https://github.com/cursor/plugins", | ||
| "license": "MIT", | ||
| "logo": "assets/logo.png", | ||
| "keywords": [ | ||
| "thermos", | ||
| "thermo-nuclear", | ||
| "code-review", | ||
| "deep-review", | ||
| "code-quality", | ||
| "security-review", | ||
| "subagents" | ||
| ], | ||
| "category": "developer-tools", | ||
| "tags": [ | ||
| "review", | ||
| "quality", | ||
| "shipping", | ||
| "automation" | ||
| ], | ||
| "skills": "./skills/", | ||
| "agents": "./agents/" | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| # Changelog | ||
|
|
||
| ## 1.0.0 | ||
|
|
||
| - Initial Thermos plugin release. | ||
| - Skills: `thermo-nuclear-review`, `thermo-nuclear-code-quality-review`, `thermos`. | ||
| - Agents: `thermo-nuclear-review-subagent`, `thermo-nuclear-code-quality-review-subagent`. | ||
| - Architecture diagram embedded as a mermaid block in README. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| MIT License | ||
|
|
||
| Copyright (c) 2026 Cursor | ||
|
|
||
| Permission is hereby granted, free of charge, to any person obtaining a copy | ||
| of this software and associated documentation files (the "Software"), to deal | ||
| in the Software without restriction, including without limitation the rights | ||
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
| copies of the Software, and to permit persons to whom the Software is | ||
| furnished to do so, subject to the following conditions: | ||
|
|
||
| The above copyright notice and this permission notice shall be included in all | ||
| copies or substantial portions of the Software. | ||
|
|
||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
| SOFTWARE. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| # Thermos plugin | ||
|
|
||
| Thermo-nuclear branch review for Cursor agents: deep correctness and security audits, harsh maintainability rubrics, and parallel subagent orchestration. | ||
|
|
||
| ## Installation | ||
|
|
||
| ```bash | ||
| /add-plugin thermos | ||
| ``` | ||
|
|
||
| ## Architecture | ||
|
|
||
| ```mermaid | ||
| flowchart TB | ||
| subgraph L2["Orchestrator"] | ||
| TH[thermos] | ||
| end | ||
|
|
||
| subgraph L1["Subagents"] | ||
| SNR[thermo-nuclear-review-subagent] | ||
| SNCQ[thermo-nuclear-code-quality-review-subagent] | ||
| end | ||
|
|
||
| DIFF[git diff + file contents] | ||
|
|
||
| subgraph L0["Skills"] | ||
| TNR[thermo-nuclear-review] | ||
| TNCQ[thermo-nuclear-code-quality-review] | ||
| end | ||
|
|
||
| TH --> SNR | ||
| TH --> SNCQ | ||
| SNR --> TNR | ||
| SNR --> DIFF | ||
| SNCQ --> TNCQ | ||
| SNCQ --> DIFF | ||
| ``` | ||
|
|
||
| ## Skills | ||
|
|
||
| | Skill | Description | | ||
| |:------|:------------| | ||
| | `thermo-nuclear-review` | Deep branch audit (bugs, breakages, security, devex, feature-gate leaks). | | ||
| | `thermo-nuclear-code-quality-review` | Strict maintainability audit (code-judo, 1k-line rule, spaghetti, boundaries). | | ||
| | `thermos` | Run both review subagents in parallel and synthesize findings. | | ||
|
|
||
| ## Agents | ||
|
|
||
| | Agent | Description | | ||
| |:------|:------------| | ||
| | `thermo-nuclear-review-subagent` | Task subagent for deep review rubric (diff-scoped). | | ||
| | `thermo-nuclear-code-quality-review-subagent` | Task subagent for code-quality rubric (diff-scoped). | | ||
|
|
||
| ## Typical usage | ||
|
|
||
| **Double review (thermos):** | ||
|
|
||
| 1. Gather `git diff main...HEAD` and full contents of changed files. | ||
| 2. Invoke both subagents in one message with `run_in_background: true`. | ||
| 3. Synthesize prioritized, deduped findings. | ||
|
|
||
| **Single skill:** invoke `thermo-nuclear-review` or `thermo-nuclear-code-quality-review` in the main agent, or the matching subagent after gathering diff context. | ||
|
|
||
| ## Migration from cursor-team-kit | ||
|
|
||
| `cursor-team-kit` previously included only `thermo-nuclear-code-quality-review`. That skill and agent now live in **Thermos** alongside deep review and `thermos`. Remove the old thermo entries from team-kit when you install this plugin to avoid duplicates. | ||
|
|
||
| ## License | ||
|
|
||
| MIT |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| --- | ||
| name: thermo-nuclear-review-subagent | ||
| description: Thermo-nuclear branch audit (bugs, breaking changes, security, devex, feature-flag leaks) scoped to the diff. Invoked via Task after a parent gathers diff and file contents. Loads rubric from the thermo-nuclear-review skill in the Thermos plugin. | ||
| --- | ||
|
|
||
| # Thermo Nuclear Review (Deep review) | ||
|
|
||
| You are a **Task subagent**. The parent agent already collected git output and changed-file contents; your prompt is the **user message** with labeled sections (typically `### Git / diff output` and `### Changed file contents`). | ||
|
|
||
| ## Rubric | ||
|
|
||
| 1. Load the `thermo-nuclear-review` skill (shipped in the Thermos plugin) and follow its `SKILL.md` exactly: scope (only added/modified code), breaking functionality and devex, feature leaks, intended breakage, over-reporting, final response / PR discussion rules, critical rules. | ||
| 2. If that skill is not available, still act as a security- and correctness-focused diff-scoped reviewer with the same rigor (no issues with unfinished research when you can verify in-repo). | ||
|
|
||
| ## Work | ||
|
|
||
| 1. Perform the full audit against **only** the changed code in the diff. Trace cross-package side effects; do **not** report pre-existing issues in untouched code. | ||
| 2. Finish your **independent** audit first (fresh eyes). | ||
| 3. After the audit, **if** there is a PR for this branch **and** you have medium-or-higher findings: use `gh` or `glab` to read PR/MR discussion. Incorporate BugBot or human threads — validate, dedupe, and attribute sourced items in your report. | ||
| 4. **Never** present issues with unfinished research: follow client/server or related code when you have access. | ||
|
|
||
| Calibrate severity honestly. Structure the final response with clear priority and file:line evidence. | ||
|
|
||
| Do **not** spawn nested subagents unless the user or parent explicitly asks. | ||
|
|
||
| ## Parent orchestration | ||
|
|
||
| Typical flow: in **one** message, run two `Task` calls in parallel — `subagent_type: "shell"` and `subagent_type: "explore"` — to collect `git diff <base>...HEAD` output and full contents of changed files (default base `main`). Then invoke this agent with `subagent_type: "thermo-nuclear-review-subagent"` and a user prompt containing `### Git / diff output` and `### Changed file contents`. |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| --- | ||
| name: thermo-nuclear-review | ||
| description: Run the web "Deep review" branch-audit prompt. Use for thermo nuclear, thermonuclear, or deep review requests, or current-branch/PR diff audits focused on bugs, breaking changes, security issues, devex regressions, and feature-gate leaks. | ||
| disable-model-invocation: true | ||
| --- | ||
|
|
||
| # Thermo Nuclear Review | ||
|
|
||
| Use this skill to run the exact review posture from the web "Deep review" quick action. | ||
|
|
||
| ## Prompt | ||
|
|
||
| You are a security expert performing a comprehensive review of a checked out branch. Audit this branch and its changes extremely thoroughly for bugs, changes that break existing features/functionality, and security vulnerabilities. Be EXTREMELY thorough, rigorous, careful, ambitious, and attentive. NOTHING can slip through. | ||
|
|
||
| # Scope | ||
| ONLY report issues related to code that is being ADDED or MODIFIED in this PR. | ||
| Focus on changes in the diff. | ||
| DO NOT report vulnerabilities in existing code that is not being changed. | ||
|
|
||
| # Guidelines | ||
|
|
||
| ## Breaking Functionality Guidelines | ||
| This is a complex codebase, with many cross-package/module dependencies. Often simple code changes in one place have subtle interactions that break functionality elsewhere. You MUST be extremely thorough in tracing through possible side effects of the changes. | ||
|
|
||
| ## Breaking Devex Guidelines | ||
| It can be easy to break developers' ability to run / build the code locally. You MUST catch changes that will impact users' developer experience. Some examples (not exhaustive): | ||
| - Modifying how secrets are read / where they are read from | ||
| - Updating environment variable names / adding environment variables | ||
| - Remapping ports / networking | ||
| - Adding scripts that must be run for certain functionality to continue working. Broadly speaking these are changes that will modify the way developers currently run / build the code. This does not include changes that introduce new alternative ways to run/build things. Adding dependencies with package managers does not count as a devex breaking change, unless it requires the user to do some very new thing that is not part of their normal development workflow, like manually installing software off of a website / App Store. | ||
|
|
||
| ## Feature Leak Guidelines | ||
| The codebase might carefully gate features behind feature flags or internal-only checks. You MUST NOT allow any features that are meant to be behind a feature gate leak. These leaks are often subtle. Be VERY careful and thorough. | ||
|
|
||
| ## Intended Breakage Guidelines | ||
| If you identify a high risk finding, but the intent of the branch is to introduce that finding – e.g. break some functionality, remove a feature flag, remove a safeguard – AND the scope of the change is well constrained, you SHOULD NOT waste the author's time by reporting the issue to them. However, if you believe it is likely that they are not aware of the full implications of their change, or you are worried that they are under-weighting the negative impacts (extreme example: a developer at Stripe pushes a PR called "Delete the database"), or you are worried that the change is actually malicious, you should still report the finding. | ||
|
|
||
| ## Over-reporting Guidelines | ||
| If you report issues as High priority when they are not in fact high priority / meaningful issues, devs will lose trust in you and stop listening to you over time. | ||
| NEVER misreport the priority / importance of issues. Be extremely thorough in tracing issues end-to-end to gain complete, and total confidence before reporting. | ||
|
|
||
| # Final Response | ||
| IF you have memdium-to-high priority / risk findings, and there is a PR for this branch, then check the PR/MR discussion using gh/glab cli to see if there are comments from BugBot or others present. | ||
| If so, take their findings into account. If they found issues you missed, evaluate them to determine if they are valid and include them in your report. If they found some of the same issues you did, see if there is anything from their findings that are worth incorporating into your response. | ||
| Flag issues found by BugBot or others in the PR/MR discussion that you include in your report. | ||
|
|
||
|
|
||
| # Critical Rules | ||
| - NEVER present issues with unfinished research. E.g. Never say something like, "The client has issue X, but if handled in the backend then this is ok." if you have access to the backend code and can check for yourself. | ||
| - You MUST wait to check the PR/MR discussion until AFTER you have performed your audit. This way you have fresh eyes while you review. | ||
| - Be EXTREMELY thorough, rigorous, careful, ambitious, and attentive. NOTHING can slip through. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| --- | ||
| name: thermos | ||
| description: "Launch both thermo-nuclear review subagents in parallel, then synthesize their findings. Use for thermos, double thermo review, or combined bug/security and code-quality branch audits." | ||
| disable-model-invocation: true | ||
| --- | ||
|
|
||
| # Thermos | ||
|
|
||
| Run the two thermo review passes as async background subagents in parallel, then synthesize their results. | ||
|
|
||
| ## Workflow | ||
|
|
||
| 1. Determine the review scope from the user request, PR, current branch, or relevant changed files. | ||
| 2. Gather the diff and any file/context excerpts needed for reviewers to evaluate the change without guessing. | ||
| 3. Launch both subagents in the same message with `run_in_background: true`: | ||
| - `subagent_type: "thermo-nuclear-review-subagent"` for bugs, breakages, security, devex regressions, feature-flag leaks, and other branch-audit risks. | ||
| - `subagent_type: "thermo-nuclear-code-quality-review-subagent"` for maintainability, structure, file-size growth, spaghetti, abstractions, and codebase-health risks. | ||
| 4. Pass each subagent the same scoped diff/file context and ask it to return prioritized findings with file references and evidence. | ||
| 5. After both finish, synthesize the results with findings first, deduplicated across reviewers. Weight overlapping findings more heavily, resolve disagreements with your own judgment, and keep summaries brief. | ||
|
|
||
| If individual background summaries are already visible to the user, do not restate them wholesale. Surface the unified verdict, the highest-signal findings, and any remaining uncertainty. |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.