thumbgate 0.9.10 → 0.9.11

package/scripts/operational-integrity.js

@@ -0,0 +1,480 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const { execFileSync, spawnSync } = require('child_process');
+
+const DEFAULT_BASE_BRANCH = 'main';
+const DEFAULT_RELEASE_SENSITIVE_GLOBS = [
+  'package.json',
+  'package-lock.json',
+  'server.json',
+  '.github/workflows/ci.yml',
+  '.github/workflows/publish-*.yml',
+  'scripts/publish-decision.js',
+  'scripts/pr-manager.js',
+  'scripts/gates-engine.js',
+  'scripts/tool-registry.js',
+  'src/api/server.js',
+  'adapters/mcp/server-stdio.js',
+  'config/gates/**',
+  'config/mcp-allowlists.json',
+];
+
+function normalizePosix(filePath) {
+  return String(filePath || '')
+    .replace(/\\/g, '/')
+    .replace(/^\.\//, '')
+    .replace(/^\/+/, '')
+    .trim();
+}
+
+function normalizeGlob(glob) {
+  return normalizePosix(glob).replace(/\/+$/, '');
+}
+
+function sanitizeGlobList(globs) {
+  if (!Array.isArray(globs)) return [];
+  return [...new Set(globs.map((glob) => normalizeGlob(glob)).filter(Boolean))];
+}
+
+function globToRegExp(glob) {
+  const normalized = normalizeGlob(glob);
+  let pattern = '^';
+  for (let i = 0; i < normalized.length; i++) {
+    const char = normalized[i];
+    const next = normalized[i + 1];
+    if (char === '*') {
+      if (next === '*') {
+        pattern += '.*';
+        i += 1;
+      } else {
+        pattern += '[^/]*';
+      }
+      continue;
+    }
+    if ('\\^$+?.()|{}[]'.includes(char)) {
+      pattern += `\\${char}`;
+      continue;
+    }
+    pattern += char;
+  }
+  pattern += '$';
+  return new RegExp(pattern);
+}
+
+function matchesAnyGlob(filePath, globs) {
+  const normalized = sanitizeGlobList(globs);
+  if (!filePath || normalized.length === 0) return false;
+  return normalized.some((glob) => {
+    try {
+      return globToRegExp(glob).test(normalizePosix(filePath));
+    } catch {
+      return false;
+    }
+  });
+}
+
+function runGit(repoPath, args) {
+  return execFileSync('git', args, {
+    cwd: repoPath,
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'ignore'],
+  }).trim();
+}
+
+function tryRunGit(repoPath, args) {
+  try {
+    return runGit(repoPath, args);
+  } catch {
+    return '';
+  }
+}
+
+function resolveRepoRoot(repoPath = process.cwd()) {
+  try {
+    return runGit(repoPath, ['rev-parse', '--show-toplevel']);
+  } catch {
+    return null;
+  }
+}
+
+function gitRefExists(repoPath, ref) {
+  if (!repoPath || !ref) return false;
+  try {
+    execFileSync('git', ['rev-parse', '--verify', ref], {
+      cwd: repoPath,
+      stdio: 'ignore',
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function isSafeBranchName(branchName) {
+  const normalized = String(branchName || '').trim();
+  if (!normalized) return false;
+  if (normalized.startsWith('-')) return false;
+  if (!/^[A-Za-z0-9._/-]+$/.test(normalized)) return false;
+  if (normalized.includes('..') || normalized.includes('//') || normalized.includes('@{')) return false;
+  if (normalized.endsWith('.') || normalized.endsWith('/')) return false;
+  return true;
+}
+
+function fetchBaseBranch(repoPath, baseBranch) {
+  if (!repoPath || !isSafeBranchName(baseBranch)) return false;
+  // Fetch the remote tracking refs without passing user-controlled branch names to git.
+  const result = spawnSync('git', ['fetch', '--no-tags', '--depth=64', 'origin'], {
+    cwd: repoPath,
+    encoding: 'utf8',
+  });
+  return result.status === 0;
+}
+
+function resolveBaseRef(repoPath, baseBranch = DEFAULT_BASE_BRANCH, { fetchIfMissing = false } = {}) {
+  if (!isSafeBranchName(baseBranch)) return null;
+  const remoteRef = `refs/remotes/origin/${baseBranch}`;
+  if (gitRefExists(repoPath, remoteRef)) {
+    return `origin/${baseBranch}`;
+  }
+  if (fetchIfMissing) {
+    fetchBaseBranch(repoPath, baseBranch);
+    if (gitRefExists(repoPath, remoteRef)) {
+      return `origin/${baseBranch}`;
+    }
+  }
+  if (gitRefExists(repoPath, baseBranch)) {
+    return baseBranch;
+  }
+  return null;
+}
+
+function getCurrentBranch(repoPath) {
+  return tryRunGit(repoPath, ['rev-parse', '--abbrev-ref', 'HEAD']) || null;
+}
+
+function getHeadSha(repoPath) {
+  return tryRunGit(repoPath, ['rev-parse', 'HEAD']) || null;
+}
+
+function readPackageVersion(repoPath, ref = 'HEAD') {
+  try {
+    let raw;
+    if (ref === 'HEAD') {
+      raw = fs.readFileSync(path.join(repoPath, 'package.json'), 'utf8');
+    } else {
+      raw = runGit(repoPath, ['show', `${ref}:package.json`]);
+    }
+    return JSON.parse(raw).version || null;
+  } catch {
+    return null;
+  }
+}
+
+function parseSemver(version) {
+  const match = String(version || '').trim().match(/^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/);
+  if (!match) return null;
+  return match.slice(1).map((part) => Number(part));
+}
+
+function compareSemver(left, right) {
+  const a = parseSemver(left);
+  const b = parseSemver(right);
+  if (!a || !b) return null;
+  for (let i = 0; i < 3; i += 1) {
+    if (a[i] > b[i]) return 1;
+    if (a[i] < b[i]) return -1;
+  }
+  return 0;
+}
+
+function listChangedFilesAgainstBase(repoPath, baseBranch = DEFAULT_BASE_BRANCH, { fetchIfMissing = false } = {}) {
+  const baseRef = resolveBaseRef(repoPath, baseBranch, { fetchIfMissing });
+  if (!baseRef) return [];
+  const diff = tryRunGit(repoPath, ['diff', '--name-only', `${baseRef}...HEAD`]);
+  return diff.split('\n').map((line) => normalizePosix(line)).filter(Boolean);
+}
+
+function findReleaseSensitiveFiles(files, globs = DEFAULT_RELEASE_SENSITIVE_GLOBS) {
+  return (Array.isArray(files) ? files : []).filter((filePath) => matchesAnyGlob(filePath, globs));
+}
+
+function isHeadReachableFrom(repoPath, ref, commit = 'HEAD') {
+  if (!repoPath || !ref) return false;
+  const result = spawnSync('git', ['merge-base', '--is-ancestor', commit, ref], {
+    cwd: repoPath,
+    encoding: 'utf8',
+  });
+  return result.status === 0;
+}
+
+function runGh(args) {
+  return spawnSync('gh', args, {
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+  });
+}
+
+function findOpenPrForBranch({ branchName, runner = runGh } = {}) {
+  const normalizedBranch = String(branchName || '').trim();
+  if (!normalizedBranch) return null;
+  if (!process.env.GH_TOKEN && !process.env.GITHUB_TOKEN) {
+    return null;
+  }
+  const result = runner(['pr', 'list', '--head', normalizedBranch, '--state', 'open', '--json', 'number,state,isDraft,url']);
+  if (!result || result.status !== 0) {
+    return null;
+  }
+  try {
+    const prs = JSON.parse(result.stdout || '[]');
+    return Array.isArray(prs) && prs.length > 0 ? prs[0] : null;
+  } catch {
+    return null;
+  }
+}
+
+function classifyCommand(command) {
+  const text = String(command || '').trim();
+  return {
+    text,
+    isPrCreate: /\bgh\s+pr\s+create\b/i.test(text),
+    isPrMerge: /\bgh\s+pr\s+merge\b/i.test(text),
+    isPublish: /\b(?:npm|yarn|pnpm)\s+publish\b/i.test(text),
+    isReleaseCreate: /\bgh\s+release\s+create\b/i.test(text),
+    isTagCreate: /\bgit\s+tag\b/i.test(text),
+  };
+}
+
+function buildBlocker(code, message, extra = {}) {
+  return { code, message, ...extra };
+}
+
+function evaluateOperationalIntegrity(options = {}) {
+  const repoRoot = options.repoPath ? resolveRepoRoot(options.repoPath) : resolveRepoRoot(process.cwd());
+  const baseBranch = String(options.baseBranch || DEFAULT_BASE_BRANCH).trim() || DEFAULT_BASE_BRANCH;
+  const currentBranch = String(options.currentBranch || (repoRoot ? getCurrentBranch(repoRoot) : '')).trim() || null;
+  const baseRef = repoRoot ? resolveBaseRef(repoRoot, baseBranch, { fetchIfMissing: options.fetchBase === true }) : null;
+  const changedFiles = Array.isArray(options.changedFiles)
+    ? options.changedFiles.map((filePath) => normalizePosix(filePath)).filter(Boolean)
+    : (repoRoot ? listChangedFilesAgainstBase(repoRoot, baseBranch, { fetchIfMissing: options.fetchBase === true }) : []);
+  const releaseSensitiveGlobs = sanitizeGlobList(options.releaseSensitiveGlobs || DEFAULT_RELEASE_SENSITIVE_GLOBS);
+  const releaseSensitiveFiles = findReleaseSensitiveFiles(changedFiles, releaseSensitiveGlobs);
+  const packageVersion = options.packageVersion !== undefined
+    ? options.packageVersion
+    : (repoRoot ? readPackageVersion(repoRoot, 'HEAD') : null);
+  const baseVersion = options.baseVersion !== undefined
+    ? options.baseVersion
+    : (repoRoot && baseRef ? readPackageVersion(repoRoot, baseRef) : null);
+  const versionComparison = packageVersion && baseVersion ? compareSemver(packageVersion, baseVersion) : null;
+  const headSha = options.headSha || (repoRoot ? getHeadSha(repoRoot) : null);
+  const headOnBase = options.headOnBase !== undefined
+    ? options.headOnBase
+    : Boolean(repoRoot && baseRef && headSha && isHeadReachableFrom(repoRoot, baseRef, headSha));
+  const branchGovernance = options.branchGovernance && typeof options.branchGovernance === 'object'
+    ? options.branchGovernance
+    : null;
+  const openPr = options.openPr !== undefined
+    ? options.openPr
+    : findOpenPrForBranch({ branchName: currentBranch, runner: options.ghRunner || runGh });
+  const commandInfo = classifyCommand(options.command || '');
+  const blockers = [];
+
+  const requiresGovernance = commandInfo.isPrCreate || commandInfo.isPrMerge || commandInfo.isPublish || commandInfo.isReleaseCreate || commandInfo.isTagCreate;
+  const isPublishLike = commandInfo.isPublish || commandInfo.isReleaseCreate || commandInfo.isTagCreate;
+
+  if (requiresGovernance && !branchGovernance) {
+    blockers.push(buildBlocker(
+      'missing_branch_governance',
+      'PR, merge, release, and publish actions require explicit branch governance.'
+    ));
+  }
+
+  if (branchGovernance && branchGovernance.localOnly === true && requiresGovernance) {
+    blockers.push(buildBlocker(
+      'local_only_branch',
+      'This task is marked local-only. PR, merge, release, and publish actions are blocked.'
+    ));
+  }
+
+  if (commandInfo.isPrMerge && /--admin\b/i.test(commandInfo.text)) {
+    blockers.push(buildBlocker(
+      'admin_merge_bypass_forbidden',
+      'Admin merge bypass is blocked. Use the normal protected-branch flow or merge queue.'
+    ));
+  }
+
+  if (commandInfo.isPrMerge && branchGovernance && !branchGovernance.prNumber && !branchGovernance.prUrl) {
+    blockers.push(buildBlocker(
+      'merge_requires_pr_context',
+      'Merging requires explicit PR context (prNumber or prUrl) in branch governance.'
+    ));
+  }
+
+  if (isPublishLike) {
+    if (!branchGovernance || !branchGovernance.releaseVersion) {
+      blockers.push(buildBlocker(
+        'missing_release_version',
+        'Release and publish actions require an explicit releaseVersion in branch governance.'
+      ));
+    } else if (packageVersion && branchGovernance.releaseVersion !== packageVersion) {
+      blockers.push(buildBlocker(
+        'release_version_mismatch',
+        `Branch governance expects release version ${branchGovernance.releaseVersion}, but package.json is ${packageVersion}.`
+      ));
+    }
+
+    if (currentBranch && currentBranch !== baseBranch) {
+      blockers.push(buildBlocker(
+        'publish_requires_base_branch',
+        `Release and publish actions must run from ${baseBranch}, not ${currentBranch}.`
+      ));
+    }
+
+    if (!headOnBase) {
+      blockers.push(buildBlocker(
+        'publish_requires_mainline_head',
+        `Current HEAD is not reachable from ${baseBranch}. Release and publish actions require a mainline commit.`
+      ));
+    }
+  }
+
+  if (options.requirePrForReleaseSensitive && releaseSensitiveFiles.length > 0 && currentBranch && currentBranch !== baseBranch && !openPr) {
+    blockers.push(buildBlocker(
+      'release_sensitive_changes_require_pr',
+      `Release-sensitive changes on ${currentBranch} require an open pull request before continuing.`,
+      { releaseSensitiveFiles }
+    ));
+  }
+
+  if (options.requireVersionNotBehindBase && releaseSensitiveFiles.length > 0 && versionComparison !== null && versionComparison < 0) {
+    blockers.push(buildBlocker(
+      'version_behind_base',
+      `package.json version ${packageVersion} is behind ${baseBranch} version ${baseVersion} while release-sensitive files changed.`,
+      { packageVersion, baseVersion }
+    ));
+  }
+
+  return {
+    ok: blockers.length === 0,
+    repoRoot,
+    baseBranch,
+    baseRef,
+    currentBranch,
+    headSha,
+    headOnBase,
+    changedFiles,
+    releaseSensitiveFiles,
+    packageVersion,
+    baseVersion,
+    versionComparison,
+    branchGovernance,
+    openPr,
+    blockers,
+    commandInfo,
+  };
+}
+
+function parseCliArgs(argv = process.argv.slice(2)) {
+  const options = {
+    json: false,
+    ci: false,
+    fetchBase: false,
+    requirePrForReleaseSensitive: false,
+    requireVersionNotBehindBase: false,
+    repoPath: process.cwd(),
+    baseBranch: DEFAULT_BASE_BRANCH,
+  };
+
+  for (let i = 0; i < argv.length; i += 1) {
+    const arg = argv[i];
+    if (arg === '--json') {
+      options.json = true;
+    } else if (arg === '--ci') {
+      options.ci = true;
+      options.fetchBase = true;
+      options.requirePrForReleaseSensitive = true;
+      options.requireVersionNotBehindBase = true;
+    } else if (arg === '--fetch-base') {
+      options.fetchBase = true;
+    } else if (arg === '--require-pr-for-release-sensitive') {
+      options.requirePrForReleaseSensitive = true;
+    } else if (arg === '--require-version-not-behind-base') {
+      options.requireVersionNotBehindBase = true;
+    } else if (arg === '--repo-path' && argv[i + 1]) {
+      options.repoPath = argv[i + 1];
+      i += 1;
+    } else if (arg === '--base-branch' && argv[i + 1]) {
+      options.baseBranch = argv[i + 1];
+      i += 1;
+    }
+  }
+
+  return options;
+}
+
+function runCli(env = process.env, argv = process.argv.slice(2)) {
+  const args = parseCliArgs(argv);
+  const result = evaluateOperationalIntegrity({
+    repoPath: args.repoPath,
+    baseBranch: args.baseBranch || env.DEFAULT_BRANCH || DEFAULT_BASE_BRANCH,
+    currentBranch: env.GITHUB_REF_NAME || undefined,
+    requirePrForReleaseSensitive: args.requirePrForReleaseSensitive,
+    requireVersionNotBehindBase: args.requireVersionNotBehindBase,
+    fetchBase: args.fetchBase,
+  });
+
+  const lines = [];
+  lines.push(`Operational integrity: ${result.ok ? 'ok' : 'blocked'}`);
+  lines.push(`Base branch: ${result.baseBranch}`);
+  lines.push(`Current branch: ${result.currentBranch || 'unknown'}`);
+  if (result.packageVersion) {
+    lines.push(`package.json version: ${result.packageVersion}`);
+  }
+  if (result.baseVersion) {
+    lines.push(`${result.baseBranch} version: ${result.baseVersion}`);
+  }
+  if (result.releaseSensitiveFiles.length > 0) {
+    lines.push(`Release-sensitive files: ${result.releaseSensitiveFiles.join(', ')}`);
+  }
+  if (result.openPr && result.openPr.number) {
+    lines.push(`Open PR: #${result.openPr.number}${result.openPr.url ? ` ${result.openPr.url}` : ''}`);
+  }
+  for (const blocker of result.blockers) {
+    lines.push(`BLOCKER ${blocker.code}: ${blocker.message}`);
+  }
+
+  if (args.json) {
+    console.log(JSON.stringify(result, null, 2));
+  } else {
+    console.log(lines.join('\n'));
+  }
+
+  return result.ok ? 0 : 1;
+}
+
+if (require.main === module) {
+  process.exitCode = runCli();
+}
+
+module.exports = {
+  DEFAULT_BASE_BRANCH,
+  DEFAULT_RELEASE_SENSITIVE_GLOBS,
+  classifyCommand,
+  compareSemver,
+  evaluateOperationalIntegrity,
+  findOpenPrForBranch,
+  findReleaseSensitiveFiles,
+  getCurrentBranch,
+  isSafeBranchName,
+  listChangedFilesAgainstBase,
+  normalizeGlob,
+  normalizePosix,
+  parseSemver,
+  readPackageVersion,
+  resolveBaseRef,
+  resolveRepoRoot,
+  runCli,
+  sanitizeGlobList,
+};

package/scripts/post-everywhere.js

@@ -136,17 +136,9 @@ async function postToReddit(parsed, dryRun) {
   const reddit = getPublisher('reddit');
   const postData = await reddit.publishToReddit({ subreddit, title, text: body });
 
-  // Post the follow-up comment if we have one and got a post ID
+  // Reddit follow-up comments are manual-review only.
   if (comment && postData.name) {
-    console.log('[post-everywhere] Posting follow-up comment...');
-    const token = await reddit.getRedditToken(
-      process.env.REDDIT_CLIENT_ID,
-      process.env.REDDIT_CLIENT_SECRET,
-      process.env.REDDIT_USERNAME,
-      process.env.REDDIT_PASSWORD
-    );
-    const userAgent = process.env.REDDIT_USER_AGENT || `thumbgate/1.0 by ${process.env.REDDIT_USERNAME}`;
-    await reddit.submitComment(token, userAgent, { parentId: postData.name, text: comment });
+    console.log('[post-everywhere] Reddit follow-up comment skipped; manual review required');
   }
 
   return postData;
@@ -216,8 +208,11 @@ async function postEverywhere(filePath, { platforms, dryRun } = {}) {
   }
   console.log('[post-everywhere] Quality gate: PASSED');
 
-  // Determine which platforms to post to
-  const targetPlatforms = platforms || (parsed.platform ? [parsed.platform] : Object.keys(DISPATCHERS));
+  // Determine which platforms to post to.
+  // Default excludes devto — high-volume Dev.to posting is counterproductive (0 engagement on 427 posts).
+  // Use --platforms=devto explicitly for monthly cross-posts only.
+  const DEFAULT_PLATFORMS = ['reddit', 'x', 'linkedin'];
+  const targetPlatforms = platforms || (parsed.platform ? [parsed.platform] : DEFAULT_PLATFORMS);
 
   // Preserve original body/comment so each platform gets a fresh UTM tag
   const originalBody = parsed.body;

package/scripts/pr-manager.js

@@ -165,11 +165,9 @@ async function resolveBlockers(pr, runner = runGh) {
   }
 
   // 5. Ready to Merge
-  if (pr.mergeStateStatus === 'CLEAN' || pr.mergeStateStatus === 'BLOCKED' /* admin bypass potential */) {
-    if (pr.mergeable === 'MERGEABLE') {
-      console.log('[PR Manager] SUCCESS: PR is ready for autonomous merge.');
-      return { status: 'ready' };
-    }
+  if (pr.mergeStateStatus === 'CLEAN' && pr.mergeable === 'MERGEABLE') {
+    console.log('[PR Manager] SUCCESS: PR is ready for protected autonomous merge.');
+    return { status: 'ready' };
   }
 
   return { status: 'pending', reason: 'unknown_state' };
@@ -179,14 +177,17 @@ async function resolveBlockers(pr, runner = runGh) {
  * Perform autonomous merge
  */
 function performMerge(prNumber, runner = runGh) {
-  console.log(`[PR Manager] Initiating squash merge for PR #${prNumber}...`);
-  const result = runner(['pr', 'merge', prNumber.toString(), '--squash', '--delete-branch', '--admin']);
+  const args = ['pr', 'merge', prNumber.toString(), '--squash', '--delete-branch', '--auto'];
+  console.log(`[PR Manager] Initiating protected squash merge for PR #${prNumber}...`);
+  const result = runner(args);
   if (result.status === 0) {
-    console.log(`[PR Manager] Merged PR #${prNumber} successfully.`);
-    return true;
+    const output = `${result.stdout || ''}\n${result.stderr || ''}`;
+    const mode = /merge queue|queued|auto-merge/i.test(output) ? 'queued_or_auto' : 'merged';
+    console.log(`[PR Manager] Merge accepted for PR #${prNumber} (${mode}).`);
+    return { ok: true, mode, args };
   } else {
     console.error(`[PR Manager] Merge failed: ${formatGhError(result)}`);
-    return false;
+    return { ok: false, mode: 'failed', args, error: formatGhError(result) };
   }
 }
 
@@ -202,7 +203,9 @@ async function managePrs(prNumber = '', runner = runGh) {
   for (const pr of prs) {
     const outcome = await resolveBlockers(pr, runner);
     if (outcome.status === 'ready') {
-      outcome.merged = performMerge(pr.number, runner);
+      const mergeResult = performMerge(pr.number, runner);
+      outcome.mergeRequested = mergeResult.ok;
+      outcome.mergeMode = mergeResult.mode;
     }
 
     results.push({

package/scripts/profile-router.js

@@ -183,6 +183,8 @@ function routePrivacy(params = {}) {
     'capture_feedback',
     'export_dpo_pairs',
     'export_databricks_bundle',
+    'set_task_scope',
+    'approve_protected_action',
     'track_action',
     'verify_claim',
     'register_claim_gate',

package/scripts/prompt-dlp.js

@@ -97,6 +97,7 @@ const KNOWN_GATED_TOOLS = new Set([
   'Bash', 'Edit', 'Write', 'Read', 'Glob', 'Grep',
   'capture_feedback', 'recall', 'search_lessons', 'prevention_rules',
   'feedback_stats', 'construct_context_pack', 'evaluate_context_pack',
+  'set_task_scope', 'get_scope_state', 'approve_protected_action',
 ]);
 
 const SHADOW_LOG_FILE = 'shadow-actions.jsonl';

package/scripts/publish-decision.js

@@ -9,6 +9,8 @@ function decidePublishPlan(options) {
   const currentSha = String(options.currentSha || '').trim();
   const tagSha = String(options.tagSha || '').trim();
   const version = String(options.version || '').trim();
+  const currentBranch = String(options.currentBranch || '').trim();
+  const defaultBranch = String(options.defaultBranch || '').trim();
   const published = normalizeBoolean(options.published);
   const tagExists = normalizeBoolean(options.tagExists);
   const tagMatchesCurrentCommit = tagExists && tagSha === currentSha;
@@ -21,6 +23,12 @@ function decidePublishPlan(options) {
     throw new Error('CURRENT_SHA is required.');
   }
 
+  if (currentBranch && defaultBranch && currentBranch !== defaultBranch) {
+    throw new Error(
+      `Refusing to publish from ${currentBranch}. Publish workflow must run from ${defaultBranch}.`
+    );
+  }
+
   if (published && !tagExists) {
     throw new Error(
       `Version ${version} is already published on npm but has no remote tag. Recover from the original release commit or bump the version.`
@@ -106,6 +114,8 @@ function runCli(env = process.env) {
   const plan = decidePublishPlan({
     version: env.VERSION,
     currentSha: env.CURRENT_SHA || env.GITHUB_SHA,
+    currentBranch: env.CURRENT_BRANCH || env.GITHUB_REF_NAME,
+    defaultBranch: env.DEFAULT_BRANCH,
     published: env.NPM_PUBLISHED,
     tagExists: env.TAG_EXISTS,
     tagSha: env.TAG_SHA,

package/scripts/published-cli.js

@@ -0,0 +1,34 @@
+'use strict';
+
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const { execFileSync } = require('child_process');
+
+function publishedCliArgs(pkgVersion, commandArgs = []) {
+  return ['--yes', '--package', `thumbgate@${pkgVersion}`, 'thumbgate', ...commandArgs];
+}
+
+function runPublishedCli(pkgVersion, commandArgs = [], options = {}) {
+  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'thumbgate-published-cli-'));
+  try {
+    return execFileSync('npx', publishedCliArgs(pkgVersion, commandArgs), {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'ignore'],
+      timeout: options.timeout || 8000,
+      cwd: tmpDir,
+    });
+  } finally {
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+  }
+}
+
+function runPublishedCliHelp(pkgVersion, options = {}) {
+  return runPublishedCli(pkgVersion, ['help'], options);
+}
+
+module.exports = {
+  publishedCliArgs,
+  runPublishedCli,
+  runPublishedCliHelp,
+};

package/scripts/risk-scorer.js

@@ -3,9 +3,10 @@
 
 const fs = require('fs');
 const path = require('path');
+const { resolveFeedbackDir: resolveSharedFeedbackDir } = require('./feedback-paths');
 
 const PROJECT_ROOT = path.join(__dirname, '..');
-const DEFAULT_FEEDBACK_DIR = path.join(PROJECT_ROOT, '.claude', 'memory', 'feedback');
+const DEFAULT_FEEDBACK_DIR = resolveSharedFeedbackDir();
 const DEFAULT_MODEL_PATH = path.join(DEFAULT_FEEDBACK_DIR, 'risk-model.json');
 const DEFAULT_SEQUENCE_PATH = path.join(DEFAULT_FEEDBACK_DIR, 'feedback-sequences.jsonl');
 
@@ -29,7 +30,7 @@ const SAFETY_WORD_RE = /\b(budget|path|guardrail|safe|security|risk)\b/i;
 const SUCCESS_WORD_RE = /\b(pass|worked|fixed|success|verified)\b/i;
 
 function resolveFeedbackDir(feedbackDir) {
-  return feedbackDir || process.env.THUMBGATE_FEEDBACK_DIR || DEFAULT_FEEDBACK_DIR;
+  return resolveSharedFeedbackDir({ feedbackDir });
 }
 
 function readJSONL(filePath) {