thumbgate 0.9.10 → 0.9.12

package/scripts/social-quality-gate.js

@@ -1,5 +1,6 @@
 #!/usr/bin/env node
 'use strict';
+
 const BOT_SLOP_PATTERNS = [
   { id: 'emoji_spam', pattern: /(?:🚀|💡|🔥|⚡|🎯|💪|🙌|👀){3,}/g, reason: 'Excessive emoji spam' },
   { id: 'generic_opener', pattern: /^(?:Just|Excited to|Thrilled to|Happy to|Proud to) (?:\w+ )*?(?:launch|ship|release|publish|built|creat|announc)/i, reason: 'Generic shipped opener' },
@@ -11,8 +12,123 @@ const BOT_SLOP_PATTERNS = [
   { id: 'self_congratulation', pattern: /(?:We're proud to|I'm honored to|Humbled to|Grateful to announce)/i, reason: 'Self-congratulatory opener' },
   { id: 'empty_hype', pattern: /(?:game.?changer|revolutionary|disruptive|next.?gen|cutting.?edge|world.?class|best.?in.?class)/i, reason: 'Empty hype words' },
 ];
+
+const REPLY_TOPIC_PATTERNS = {
+  skills: /\bskill|template|process|workflow|review|sprint|implement|phase/i,
+  context: /\bcontext doc|context docs|conflicting|inconsisten|claude\.md|cursorrules|instruction/i,
+  memory: /\bmemory|remember|amnesia|across sessions|next session|compaction|persist/i,
+  setup: /\binstall|setup|config|init|repo|github|link|tool|open source|built/i,
+  gates: /\bgate|hook|block|prevent|pretooluse|mcp/i,
+};
+
+const UNSOLICITED_PROMO_PATTERNS = [
+  { id: 'unsolicited_link', pattern: /https?:\/\//i, reason: 'Unsolicited link in reply' },
+  { id: 'unsolicited_install', pattern: /npx thumbgate init/i, reason: 'Unsolicited install CTA in reply' },
+  { id: 'unsolicited_stack_dump', pattern: /\b(?:sqlite\+fts5|thompson sampling|pretooluse|mcp server)\b/i, reason: 'Unsolicited architecture dump in reply' },
+];
+
 const MIN_POST_LENGTH = 30;
 const MAX_POST_LENGTH = 2000;
-function scanForSlop(postText) { const text = String(postText || ''); const findings = []; if (text.length < MIN_POST_LENGTH) findings.push({ id: 'too_short', reason: 'Too short' }); if (text.length > MAX_POST_LENGTH) findings.push({ id: 'too_long', reason: 'Too long' }); for (const p of BOT_SLOP_PATTERNS) { p.pattern.lastIndex = 0; if (p.pattern.test(text)) findings.push({ id: p.id, reason: p.reason }); } const words = text.split(/\s+/).filter(w => w.length > 3); const capsWords = words.filter(w => w === w.toUpperCase() && /[A-Z]/.test(w)); if (words.length > 5 && capsWords.length / words.length > 0.3) findings.push({ id: 'caps_shouting', reason: 'Too many ALL CAPS' }); return { allowed: findings.length === 0, findings, findingCount: findings.length, postLength: text.length }; }
-function gatePost(postText) { const scan = scanForSlop(postText); if (!scan.allowed) { console.error('[social-quality-gate] BLOCKED:'); for (const f of scan.findings) console.error('  -', f.id, f.reason); } return scan; }
-module.exports = { scanForSlop, gatePost, BOT_SLOP_PATTERNS, MIN_POST_LENGTH, MAX_POST_LENGTH };
+
+function scanForSlop(postText) {
+  const text = String(postText || '');
+  const findings = [];
+
+  if (text.length < MIN_POST_LENGTH) {
+    findings.push({ id: 'too_short', reason: 'Too short' });
+  }
+
+  if (text.length > MAX_POST_LENGTH) {
+    findings.push({ id: 'too_long', reason: 'Too long' });
+  }
+
+  for (const rule of BOT_SLOP_PATTERNS) {
+    rule.pattern.lastIndex = 0;
+    if (rule.pattern.test(text)) {
+      findings.push({ id: rule.id, reason: rule.reason });
+    }
+  }
+
+  const words = text.split(/\s+/).filter((word) => word.length > 3);
+  const capsWords = words.filter((word) => word === word.toUpperCase() && /[A-Z]/.test(word));
+  if (words.length > 5 && capsWords.length / words.length > 0.3) {
+    findings.push({ id: 'caps_shouting', reason: 'Too many ALL CAPS' });
+  }
+
+  return {
+    allowed: findings.length === 0,
+    findings,
+    findingCount: findings.length,
+    postLength: text.length,
+  };
+}
+
+function detectReplyTopics(text) {
+  const content = String(text || '');
+  return Object.entries(REPLY_TOPIC_PATTERNS)
+    .filter(([, pattern]) => pattern.test(content))
+    .map(([topic]) => topic);
+}
+
+function commentExplicitlyRequestsProduct(commentText) {
+  return /\b(?:what tool|what is it|which tool|repo|github|link|where can i find|can you share|how do i install|setup details|what did you build)\b/i.test(
+    String(commentText || '')
+  );
+}
+
+function gateContextualReply(commentText, replyText, options = {}) {
+  const scan = scanForSlop(replyText);
+  const findings = [...scan.findings];
+  const comment = String(commentText || '');
+  const reply = String(replyText || '');
+  const platform = String(options.platform || '').toLowerCase();
+  const commentTopics = detectReplyTopics(comment);
+  const replyTopics = detectReplyTopics(reply);
+
+  if (commentTopics.length > 0 && !commentTopics.some((topic) => replyTopics.includes(topic))) {
+    findings.push({
+      id: 'not_contextual',
+      reason: 'Reply does not address the commenter’s actual point',
+    });
+  }
+
+  if (platform === 'reddit' && !commentExplicitlyRequestsProduct(comment)) {
+    for (const rule of UNSOLICITED_PROMO_PATTERNS) {
+      rule.pattern.lastIndex = 0;
+      if (rule.pattern.test(reply)) {
+        findings.push({ id: rule.id, reason: rule.reason });
+      }
+    }
+  }
+
+  return {
+    allowed: findings.length === 0,
+    findings,
+    findingCount: findings.length,
+    replyLength: reply.length,
+    commentTopics,
+    replyTopics,
+  };
+}
+
+function gatePost(postText) {
+  const scan = scanForSlop(postText);
+  if (!scan.allowed) {
+    console.error('[social-quality-gate] BLOCKED:');
+    for (const finding of scan.findings) {
+      console.error('  -', finding.id, finding.reason);
+    }
+  }
+  return scan;
+}
+
+module.exports = {
+  BOT_SLOP_PATTERNS,
+  MAX_POST_LENGTH,
+  MIN_POST_LENGTH,
+  commentExplicitlyRequestsProduct,
+  detectReplyTopics,
+  gateContextualReply,
+  gatePost,
+  scanForSlop,
+};

package/scripts/social-reply-monitor.js

@@ -16,12 +16,16 @@
  * State file: .thumbgate/reply-monitor-state.json — tracks which replies we've already responded to.
  */
 
-require('dotenv').config();
 const fs = require('fs');
 const path = require('path');
+const { loadLocalEnv } = require('./social-analytics/load-env');
+const { gateContextualReply, commentExplicitlyRequestsProduct } = require('./social-quality-gate');
 
 const STATE_FILE = path.resolve(__dirname, '..', '.thumbgate', 'reply-monitor-state.json');
 const REDDIT_API_BASE = 'https://oauth.reddit.com';
+const DEFAULT_X_HANDLE = 'IgorGanapolsky';
+
+loadLocalEnv();
 
 // ---------------------------------------------------------------------------
 // State management
@@ -58,6 +62,85 @@ function saveDraft(draft) {
   fs.appendFileSync(DRAFT_FILE, JSON.stringify(draft) + '\n');
 }
 
+function normalizeArray(value) {
+  if (value && Array.isArray(value.data)) {
+    return value.data;
+  }
+  return Array.isArray(value) ? value : [];
+}
+
+function isRevenueRelevantXTweet(tweet = {}) {
+  const text = String(tweet.text || '').toLowerCase();
+  if (!text) return false;
+  return /thumbgate|thumbgate-production|checkout\/pro|workflow-sprint|pre-action gates|vibe coding/.test(text);
+}
+
+function buildOwnedConversationQuery(tweetId, username = DEFAULT_X_HANDLE) {
+  const normalizedId = String(tweetId || '').trim();
+  const normalizedUsername = String(username || DEFAULT_X_HANDLE).trim();
+  if (!normalizedId) {
+    return '';
+  }
+  return `conversation_id:${normalizedId} -from:${normalizedUsername}`;
+}
+
+async function collectXSearchCandidates(options = {}) {
+  const searchTweets = options.searchTweets;
+  if (typeof searchTweets !== 'function') {
+    return { tweets: [], searchMode: 'unavailable', queryLog: [] };
+  }
+
+  const username = options.username || process.env.X_USERNAME || DEFAULT_X_HANDLE;
+  const ownUserId = options.ownUserId || process.env.X_USER_ID || '1733256637199073280';
+  const queryLog = [];
+  const aggregate = [];
+  const seenTweetIds = new Set();
+  let ownedCandidates = [];
+
+  if (typeof options.fetchOwnedTweets === 'function') {
+    try {
+      const recentTweets = await options.fetchOwnedTweets();
+      ownedCandidates = normalizeArray(recentTweets)
+        .filter((tweet) => String(tweet.author_id || ownUserId) === ownUserId)
+        .filter(isRevenueRelevantXTweet)
+        .slice(0, 6);
+    } catch (err) {
+      console.warn(`[reply-monitor] Could not fetch own X tweets: ${err.message}`);
+    }
+  }
+
+  for (const tweet of ownedCandidates) {
+    const query = buildOwnedConversationQuery(tweet.id, username);
+    if (!query) continue;
+    queryLog.push(query);
+    const replies = normalizeArray(await searchTweets(query, { maxResults: 10 }));
+    for (const reply of replies) {
+      if (!reply || seenTweetIds.has(reply.id)) continue;
+      seenTweetIds.add(reply.id);
+      aggregate.push(reply);
+    }
+  }
+
+  if (aggregate.length > 0) {
+    return {
+      tweets: aggregate,
+      ownTweets: ownedCandidates.map((tweet) => ({ id: tweet.id, text: tweet.text || '' })),
+      queryLog,
+      searchMode: 'owned_conversations',
+    };
+  }
+
+  const fallbackQuery = 'thumbgate OR ThumbGate OR "pre-action gates"';
+  queryLog.push(fallbackQuery);
+  const fallbackTweets = normalizeArray(await searchTweets(fallbackQuery, { maxResults: 10 }));
+  return {
+    tweets: fallbackTweets,
+    ownTweets: ownedCandidates.map((tweet) => ({ id: tweet.id, text: tweet.text || '' })),
+    queryLog,
+    searchMode: 'keyword_fallback',
+  };
+}
+
 // ---------------------------------------------------------------------------
 // Bot/hostile detection — skip comments that are calling us out
 // ---------------------------------------------------------------------------
@@ -97,7 +180,8 @@ async function generateReply(comment, context) {
 
   // NEVER reply with generic fluff — build reply from what they ACTUALLY said
   const isQuestion = context.isQuestion || /\?/.test(comment);
-  const REPO = 'https://github.com/IgorGanapolsky/ThumbGate';
+  const isReddit = context.platform === 'reddit';
+  const wantsProductDetails = commentExplicitlyRequestsProduct(comment);
 
   // Extract the specific topic they're asking about
   const mentionsSetup = /install|setup|config|init|npx|how.+start/i.test(lc);
@@ -108,33 +192,74 @@ async function generateReply(comment, context) {
   const mentionsScaling = /scale|team|multi.?repo|collaborate|share/i.test(lc);
   const mentionsSkeptical = /why not|already exist|what.+different|vs |compared to/i.test(lc);
   const mentionsThanks = /thanks|thank you|cool|nice|interesting|awesome/i.test(lc);
+  const mentionsSkillsProcess = /skill|template|process|workflow|review|sprint|implement|phase/i.test(lc);
+  const mentionsConflictingDocs = /context doc|context docs|conflicting|inconsisten|claude\.md|cursorrules|instruction/i.test(lc);
 
   // Build response that addresses THEIR specific point
-  if (mentionsSetup && isQuestion) {
+  if (mentionsSkillsProcess || mentionsConflictingDocs) {
+    const reply = [
+      'That matches what I have seen too.',
+      'Smaller review/implement phases hold up much better than one giant instruction blob,',
+      'and conflicting context docs are where things usually start drifting.'
+    ].join(' ');
+    const gate = gateContextualReply(comment, reply, context);
+    return gate.allowed ? reply : null;
+  }
+  if (mentionsSetup && isQuestion && !isReddit) {
     return `\`npx thumbgate init\` auto-detects your agent and wires the hooks. Takes about 30 seconds. What agent are you using?`;
   }
   if (mentionsSkeptical) {
-    return `Fair question. The difference from rules files or memory tools: this physically blocks the action before execution, not after. The agent can't ignore a gate the way it can ignore a system prompt. Whether that tradeoff is worth it depends on how often your agent repeats mistakes.`;
+    // Build a reply that mirrors the commenter's frame (memory, context docs, or general rules)
+    // so gateContextualReply's topic-overlap check passes.
+    let replyBase;
+    if (mentionsMemory) {
+      replyBase = 'The distinction from memory tools is enforcement: memory helps the agent remember a past mistake, but it can still repeat it. The gate stops the already-rejected move before it runs. Whether that extra step is worth the setup depends on how often your agent ignores its own memory.';
+    } else {
+      replyBase = 'The difference from cursorrules or instruction files is enforcement: the bad action gets stopped before execution instead of being added to context docs and then ignored anyway. Whether that tradeoff is worth it depends on how often your agent repeats the same mistake.';
+    }
+    const gate = gateContextualReply(comment, replyBase, context);
+    return gate.allowed ? replyBase : null;
   }
-  if (mentionsHow && mentionsGates) {
-    return `PreToolUse hooks intercept the tool call before it runs. Each call is checked against prevention rules promoted from past failures. If it matches, the action is blocked — the agent has to try a different approach. The rules adapt over time via Thompson Sampling so false positives decrease.`;
+  if (mentionsGates && (mentionsHow || (!isReddit && !mentionsThanks))) {
+    // On X, engage on gate-topic statements too (not just "how does" questions).
+    // On Reddit, keep the old conservative behavior (questions only via mentionsHow).
+    if (isReddit && !mentionsHow) return null;
+    const reply = isReddit
+      ? 'The short version is: the tool call gets checked before it runs. If it matches a previously rejected pattern, it is blocked and the agent has to try a different path.'
+      : 'PreToolUse hooks intercept the tool call before it runs. Each call is checked against prevention rules promoted from past failures. If it matches, the action is blocked and the agent has to try a different approach. The rules adapt over time so false positives decrease.';
+    const gate = gateContextualReply(comment, reply, context);
+    return gate.allowed ? reply : null;
   }
   if (mentionsScaling) {
-    return `For teams, the Pro tier syncs prevention rules across machines so everyone benefits from lessons learned on any repo. But the free local version covers solo dev workflows completely.`;
+    if (isReddit && !wantsProductDetails) {
+      return null;
+    }
+    const reply = 'For teams, the useful part is shared lessons instead of each developer relearning the same failure pattern alone. Solo workflows usually benefit first from the local version.';
+    const gate = gateContextualReply(comment, reply, context);
+    return gate.allowed ? reply : null;
   }
-  if (mentionsMemory && isQuestion) {
-    return `The key difference from memory tools: memory helps agents remember, but they can still ignore what they remember. Gates enforce — if there's a rule against force-pushing, the agent physically can't do it. It's enforcement, not suggestion.`;
+  if (mentionsMemory) {
+    // Engage on memory/context topics whether it's a question or a statement — both are worth a reply on X
+    if (isReddit && !isQuestion) return null; // Reddit: only reply to direct questions
+    const reply = 'The useful distinction is memory versus enforcement. Memory helps the agent remember, but it can still ignore that memory. Enforcement is what stops the already-rejected move from happening again.';
+    const gate = gateContextualReply(comment, reply, context);
+    return gate.allowed ? reply : null;
   }
-  if (mentionsCursor && isQuestion) {
-    return `Works with Cursor via MCP. The hooks are agent-agnostic — same prevention rules apply whether you're using Cursor, Claude Code, or Codex. What specific failure patterns are you hitting?`;
+  if (mentionsCursor && isQuestion && !isReddit) {
+    return 'Works with Cursor via MCP. The same prevention rules can apply across Cursor, Claude Code, and Codex. What specific failure patterns are you hitting?';
   }
   if (mentionsThanks && !isQuestion) {
     // Don't reply to simple "thanks" — it looks desperate
     return null;
   }
+  if (isReddit && wantsProductDetails) {
+    const reply = 'Happy to share the repo or setup details if that would help. The main thing that worked for me was keeping accepted and rejected patterns outside the session so the next run starts with the same constraints.';
+    const gate = gateContextualReply(comment, reply, context);
+    return gate.allowed ? reply : null;
+  }
   if (isQuestion) {
-    // They asked something specific we didn't match — better to draft for human review
-    return null;
+    // They asked something specific we didn't match — signal to caller to save a draft for human review
+    return '__DRAFT__';
   }
   // Not a question, not hostile, not thanks — probably a statement. Don't reply.
   return null;
@@ -214,7 +339,7 @@ async function checkRedditReplies(state, dryRun) {
       isQuestion,
     });
 
-    if (!generatedReply) {
+    if (!generatedReply || generatedReply === '__DRAFT__') {
       console.warn(`[reply-monitor] Could not generate reply for ${commentId}`);
       continue;
     }
@@ -260,29 +385,41 @@ async function checkXReplies(state, dryRun) {
 
   // Use the post-to-x module for OAuth signing
   let xModule;
+  let xPoller;
   try {
     xModule = require('./post-to-x.js');
+    xPoller = require('./social-analytics/pollers/x.js');
   } catch {
-    console.warn('[reply-monitor] Could not load post-to-x.js, skipping X');
+    console.warn('[reply-monitor] Could not load X modules, skipping X');
     return [];
   }
 
-  // Search for recent mentions
-  let mentions;
+  let searchResult;
   try {
-    mentions = await xModule.searchTweets('thumbgate OR ThumbGate OR "pre-action gates"');
+    searchResult = await collectXSearchCandidates({
+      searchTweets: xModule.searchTweets,
+      fetchOwnedTweets: process.env.X_BEARER_TOKEN && process.env.X_USER_ID
+        ? async () => {
+          const response = await xPoller.fetchUserTweets(process.env.X_BEARER_TOKEN, process.env.X_USER_ID);
+          return response && response.data;
+        }
+        : null,
+      ownUserId: process.env.X_USER_ID || '1733256637199073280',
+      username: process.env.X_USERNAME || DEFAULT_X_HANDLE,
+    });
   } catch (err) {
     console.warn(`[reply-monitor] X search failed: ${err.message}`);
     return [];
   }
 
-  // searchTweets returns the array directly, not {data: [...]}
-  const mentionsList = Array.isArray(mentions) ? mentions : mentions?.data;
+  const mentionsList = normalizeArray(searchResult && searchResult.tweets);
   if (!mentionsList || mentionsList.length === 0) {
     console.log('[reply-monitor] No X mentions found');
     return [];
   }
 
+  console.log(`[reply-monitor] X candidate search mode: ${searchResult.searchMode}`);
+
   const results = [];
   const repliesSentThisRun = new Set(); // Track reply text to prevent duplicates
 
@@ -314,6 +451,25 @@ async function checkXReplies(state, dryRun) {
       continue;
     }
 
+    // Unmatched question — save a draft for human review rather than silently skipping
+    if (generatedReply === '__DRAFT__') {
+      const draft = {
+        platform: 'x',
+        tweetId,
+        author: tweet.author_id,
+        theirTweet: tweet.text.slice(0, 500),
+        suggestedReply: null,
+        draftedAt: new Date().toISOString(),
+        status: 'needs_human_reply',
+        reason: 'unmatched_question',
+      };
+      saveDraft(draft);
+      state.repliedTo[`x_${tweetId}`] = { at: new Date().toISOString(), platform: 'x', drafted: true, skipped: 'needs_human_reply' };
+      results.push({ tweetId, reply: null, posted: false, drafted: true });
+      console.log(`[reply-monitor] 📝 DRAFTED (needs human reply) for tweet ${tweetId} — saved to .thumbgate/reply-drafts.jsonl`);
+      continue;
+    }
+
     // Truncate to 280 chars for Twitter
     const truncated = generatedReply.slice(0, 275) + (generatedReply.length > 275 ? '...' : '');
 
@@ -400,7 +556,14 @@ async function monitor({ platforms, dryRun } = {}) {
   return allResults;
 }
 
-module.exports = { monitor, generateReply };
+module.exports = {
+  buildOwnedConversationQuery,
+  checkXReplies,
+  collectXSearchCandidates,
+  generateReply,
+  isRevenueRelevantXTweet,
+  monitor,
+};
 
 // ---------------------------------------------------------------------------
 // CLI
@@ -418,22 +581,6 @@ if (require.main === module) {
   const platformArg = getArg('--platform');
   const platforms = platformArg ? [platformArg] : null;
 
-  // Load .env
-  const envPath = path.resolve(__dirname, '..', '.env');
-  if (fs.existsSync(envPath)) {
-    const envContent = fs.readFileSync(envPath, 'utf8');
-    for (const line of envContent.split('\n')) {
-      const trimmed = line.trim();
-      if (!trimmed || trimmed.startsWith('#')) continue;
-      const eqIdx = trimmed.indexOf('=');
-      if (eqIdx > 0) {
-        const key = trimmed.slice(0, eqIdx);
-        const value = trimmed.slice(eqIdx + 1);
-        if (!process.env[key]) process.env[key] = value;
-      }
-    }
-  }
-
   monitor({ platforms, dryRun })
     .then((results) => {
       console.log('\n[reply-monitor] Summary:', JSON.stringify(results, null, 2));

package/scripts/statusline-cache-path.js

@@ -0,0 +1,27 @@
+#!/usr/bin/env node
+'use strict';
+
+const path = require('path');
+const { resolveFeedbackDir } = require('./feedback-paths');
+
+function unique(values = []) {
+  return [...new Set(values.filter(Boolean).map((value) => path.resolve(value)))];
+}
+
+function getStatuslineCacheCandidates(options = {}) {
+  const cwd = options.cwd || process.cwd();
+  const home = options.home || process.env.HOME || process.env.USERPROFILE || '';
+  const feedbackDir = resolveFeedbackDir({ cwd, env: options.env || process.env });
+
+  return unique([
+    path.join(feedbackDir, 'statusline_cache.json'),
+    path.join(cwd, '.thumbgate', 'statusline_cache.json'),
+    home ? path.join(home, '.thumbgate', 'statusline_cache.json') : null,
+  ]);
+}
+
+if (require.main === module) {
+  process.stdout.write(JSON.stringify({ candidates: getStatuslineCacheCandidates() }));
+}
+
+module.exports = { getStatuslineCacheCandidates };

package/scripts/statusline-local-stats.js

@@ -0,0 +1,16 @@
+#!/usr/bin/env node
+'use strict';
+
+const { analyzeFeedback } = require('./feedback-loop');
+const { normalizeStatsPayload } = require('./hook-thumbgate-cache-updater');
+
+try {
+  const stats = analyzeFeedback();
+  const payload = {
+    ...normalizeStatsPayload(stats),
+    updated_at: String(Math.floor(Date.now() / 1000)),
+  };
+  process.stdout.write(JSON.stringify(payload));
+} catch (_) {
+  process.exit(0);
+}

package/scripts/statusline-meta.js

@@ -0,0 +1,22 @@
+#!/usr/bin/env node
+'use strict';
+
+const path = require('path');
+const { isProLicensed } = require('./license');
+
+function getStatuslineMeta(options = {}) {
+  const pkg = require(path.join(__dirname, '..', 'package.json'));
+  const env = options.env || process.env;
+  const homeDir = options.homeDir || env.HOME || env.USERPROFILE || '.';
+
+  return {
+    version: String(pkg.version || '').trim() || 'unknown',
+    tier: isProLicensed({ homeDir }) ? 'Pro' : 'Free',
+  };
+}
+
+if (require.main === module) {
+  process.stdout.write(JSON.stringify(getStatuslineMeta()));
+}
+
+module.exports = { getStatuslineMeta };

package/scripts/statusline.sh

@@ -1,7 +1,6 @@
 #!/bin/bash
 # ThumbGate Status Line for Claude Code
-# Shows ThumbGate feedback stats + most recent lesson at a glance.
-# Thumbs icons trigger CLI feedback capture inline (no browser).
+# Shows ThumbGate feedback stats + package version/tier at a glance.
 # Installed by: npx thumbgate init --agent claude-code
 
 # Resolve script directory safely (CodeQL: no uncontrolled paths)
@@ -17,16 +16,21 @@ CTX_PCT="${CTX_PCT:-0}"
 
 # ── ThumbGate stats from cache ────────────────────────────────────────
 THUMBGATE_CACHE=""
-for base in "${THUMBGATE_FEEDBACK_DIR:-.}" "." "${HOME}"; do
-  for rel in ".thumbgate/statusline_cache.json"; do
-    if [ -f "${base}/${rel}" ]; then
-      THUMBGATE_CACHE="${base}/${rel}"
-      break 2
+_CACHE_CANDIDATES_JSON=$(node "${SCRIPT_DIR}/statusline-cache-path.js" 2>/dev/null)
+if [ -n "$_CACHE_CANDIDATES_JSON" ]; then
+  while IFS= read -r candidate; do
+    [ -z "$candidate" ] && continue
+    if [ -f "$candidate" ]; then
+      THUMBGATE_CACHE="$candidate"
+      break
     fi
-  done
-done
+  done < <(echo "$_CACHE_CANDIDATES_JSON" | jq -r '.candidates[]?' 2>/dev/null)
+fi
+if [ -z "$THUMBGATE_CACHE" ]; then
+  THUMBGATE_CACHE="$(echo "$_CACHE_CANDIDATES_JSON" | jq -r '.candidates[0] // empty' 2>/dev/null)"
+fi
 if [ -z "$THUMBGATE_CACHE" ]; then
-  THUMBGATE_CACHE="${THUMBGATE_FEEDBACK_DIR:-.}/.thumbgate/statusline_cache.json"
+  THUMBGATE_CACHE="${THUMBGATE_FEEDBACK_DIR:-.}/statusline_cache.json"
 fi
 
 UP="0"; DOWN="0"; LESSONS="0"; TREND="?"; CACHE_TS="0"
@@ -40,8 +44,23 @@ if [ -f "$THUMBGATE_CACHE" ]; then
   ' "$THUMBGATE_CACHE" 2>/dev/null)"
 fi
 
-# Background refresh from REST API when cache is stale (>120s)
 _NOW=$(date +%s)
+if [ "$UP" = "0" ] && [ "$DOWN" = "0" ] || [ $(( _NOW - ${CACHE_TS:-0} )) -gt 120 ]; then
+  _LOCAL_STATS_JSON=$(node "${SCRIPT_DIR}/statusline-local-stats.js" 2>/dev/null)
+  if [ -n "$_LOCAL_STATS_JSON" ]; then
+    mkdir -p "$(dirname "$THUMBGATE_CACHE")"
+    printf '%s' "$_LOCAL_STATS_JSON" > "$THUMBGATE_CACHE"
+    eval "$(echo "$_LOCAL_STATS_JSON" | jq -r '
+      @sh "UP=\(.thumbs_up // "0")",
+      @sh "DOWN=\(.thumbs_down // "0")",
+      @sh "LESSONS=\(.lessons // "0")",
+      @sh "TREND=\(.trend // "?")",
+      @sh "CACHE_TS=\(.updated_at // "0")"
+    ' 2>/dev/null)"
+  fi
+fi
+
+# Background refresh from REST API when cache is stale (>120s)
 if [ $(( _NOW - ${CACHE_TS:-0} )) -gt 120 ]; then
   (
     _R=$(curl -s --max-time 3 "http://localhost:3456/v1/feedback/stats" -H "Authorization: Bearer ${THUMBGATE_API_KEY:-tg_creator_dev_enterprise}" 2>/dev/null)
@@ -59,13 +78,13 @@ except:pass
   disown 2>/dev/null
 fi
 
-# ── Most recent lesson from lesson-inference ──────────────────────
-LESSON_TEXT=""; LESSON_ID=""
-_LESSON_JSON=$(node "${SCRIPT_DIR}/statusline-lesson.js" 2>/dev/null)
-if [ -n "$_LESSON_JSON" ]; then
-  eval "$(echo "$_LESSON_JSON" | jq -r '
-    @sh "LESSON_TEXT=\(.text // "")",
-    @sh "LESSON_ID=\(.lessonId // "")"
+# ── ThumbGate package metadata ────────────────────────────────────────
+TG_VERSION="unknown"; TG_TIER="Free"
+_META_JSON=$(node "${SCRIPT_DIR}/statusline-meta.js" 2>/dev/null)
+if [ -n "$_META_JSON" ]; then
+  eval "$(echo "$_META_JSON" | jq -r '
+    @sh "TG_VERSION=\(.version // "unknown")",
+    @sh "TG_TIER=\(.tier // "Free")"
   ' 2>/dev/null)"
 fi
 
@@ -88,29 +107,17 @@ case "${TREND}" in
   improving) ARROW="↗" ;; degrading) ARROW="↘" ;; stable) ARROW="→" ;; *) ARROW="?" ;;
 esac
 
-# ── OSC 8 clickable links ────────────────────────────────────────
-# Links use CLI commands instead of browser URLs.
-# Clicking 👍 runs: node bin/cli.js feedback --signal=up
-# Clicking 👎 runs: node bin/cli.js feedback --signal=down
-osc_link() { printf '\033]8;;%s\a%s\033]8;;\a' "$1" "$2"; }
-CLI="node ${SCRIPT_DIR}/../bin/cli.js"
-
 # ── Output (single line) ─────────────────────────────────────────
+LINE="ThumbGate v${TG_VERSION} · ${TG_TIER}"
 if [ "$UP" = "0" ] && [ "$DOWN" = "0" ]; then
-  echo -e "${D}ThumbGate: no feedback yet — type 'thumbs up' or 'thumbs down'${RST}"
+  echo -e "${D}${LINE} · no feedback yet${RST}"
 else
-  # Feedback counts
-  LINE="ThumbGate: ${G}${BD}${UP}${RST}👍 ${R}${BD}${DOWN}${RST}👎 · ${M}${BD}${LESSONS}${RST} lessons ${ARROW}"
+  LINE="${LINE} · ${G}${BD}${UP}${RST}👍 ${R}${BD}${DOWN}${RST}👎 ${ARROW}"
 
   # Control Tower alerts (if any)
   [ "${SLO_V:-0}" -gt 0 ] && LINE="${LINE} ${R}${SLO_V} SLO${RST}"
   [ "${AT_RISK:-0}" -gt 0 ] && LINE="${LINE} ${R}${AT_RISK}⚠${RST}"
   [ "${ANOMALIES:-0}" -gt 0 ] && LINE="${LINE} ${R}${ANOMALIES}☠${RST}"
 
-  # Most recent lesson
-  if [ -n "$LESSON_TEXT" ]; then
-    LINE="${LINE} · ${C}${LESSON_TEXT}${RST}"
-  fi
-
   echo -e "$LINE"
 fi