thumbgate 0.9.10

package/scripts/settings-hierarchy.js

@@ -0,0 +1,214 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const PROJECT_ROOT = path.join(__dirname, '..');
+const SETTINGS_SCOPE_ORDER = ['defaults', 'user', 'project', 'local', 'managed'];
+const DEFAULT_SETTINGS = Object.freeze({
+  mcp: {
+    defaultProfile: 'essential',
+    readonlySessionProfile: 'readonly',
+  },
+  harnesses: {
+    enabled: true,
+    allowRuntimeExecution: true,
+  },
+  dashboard: {
+    showSettingsStatus: true,
+    showPolicyOrigins: true,
+  },
+  team: {
+    orgVisibilityMode: 'team_rollout',
+  },
+  policies: {
+    surfaceOriginsInStatus: true,
+  },
+});
+
+function isPlainObject(value) {
+  return Boolean(value) && typeof value === 'object' && !Array.isArray(value);
+}
+
+function cloneValue(value) {
+  if (Array.isArray(value)) {
+    return value.map(cloneValue);
+  }
+  if (isPlainObject(value)) {
+    return Object.fromEntries(Object.entries(value).map(([key, entry]) => [key, cloneValue(entry)]));
+  }
+  return value;
+}
+
+function mergeSettings(base, override) {
+  if (!isPlainObject(override)) {
+    return cloneValue(override);
+  }
+
+  const merged = isPlainObject(base) ? cloneValue(base) : {};
+  for (const [key, value] of Object.entries(override)) {
+    if (isPlainObject(value) && isPlainObject(merged[key])) {
+      merged[key] = mergeSettings(merged[key], value);
+      continue;
+    }
+    merged[key] = cloneValue(value);
+  }
+  return merged;
+}
+
+function flattenLeafValues(value, prefix = '', entries = []) {
+  if (!isPlainObject(value)) {
+    if (prefix) {
+      entries.push([prefix, cloneValue(value)]);
+    }
+    return entries;
+  }
+
+  for (const [key, entry] of Object.entries(value)) {
+    const nextPrefix = prefix ? `${prefix}.${key}` : key;
+    if (isPlainObject(entry)) {
+      flattenLeafValues(entry, nextPrefix, entries);
+      continue;
+    }
+    entries.push([nextPrefix, cloneValue(entry)]);
+  }
+
+  return entries;
+}
+
+function getNestedValue(target, dottedPath) {
+  if (!dottedPath) return target;
+  return String(dottedPath)
+    .split('.')
+    .reduce((current, key) => (current && Object.prototype.hasOwnProperty.call(current, key) ? current[key] : undefined), target);
+}
+
+function resolveSettingsPaths(options = {}) {
+  const projectRoot = options.projectRoot || PROJECT_ROOT;
+  const homeDir = options.homeDir || process.env.HOME || os.homedir();
+
+  return {
+    managed: path.join(projectRoot, 'config', 'thumbgate-settings.managed.json'),
+    user: path.join(homeDir, '.thumbgate', 'settings.json'),
+    project: path.join(projectRoot, '.thumbgate', 'settings.json'),
+    local: path.join(projectRoot, '.thumbgate', 'settings.local.json'),
+  };
+}
+
+function readJsonObject(filePath) {
+  if (!filePath || !fs.existsSync(filePath)) {
+    return null;
+  }
+
+  try {
+    const parsed = JSON.parse(fs.readFileSync(filePath, 'utf8'));
+    return isPlainObject(parsed) ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+
+function summarizeOrigins(originsByPath) {
+  return Object.values(originsByPath).reduce((summary, origin) => {
+    summary[origin.scope] = (summary[origin.scope] || 0) + 1;
+    return summary;
+  }, {});
+}
+
+function resolveSettingsHierarchy(options = {}) {
+  const paths = resolveSettingsPaths(options);
+  let settings = cloneValue(DEFAULT_SETTINGS);
+  const originsByPath = Object.fromEntries(
+    flattenLeafValues(DEFAULT_SETTINGS).map(([settingPath, value]) => [
+      settingPath,
+      {
+        scope: 'defaults',
+        sourcePath: null,
+        value,
+      },
+    ]),
+  );
+
+  const activeLayers = [
+    {
+      scope: 'defaults',
+      sourcePath: null,
+      exists: true,
+      leafCount: flattenLeafValues(DEFAULT_SETTINGS).length,
+    },
+  ];
+
+  for (const scope of SETTINGS_SCOPE_ORDER.slice(1)) {
+    const sourcePath = paths[scope];
+    const data = readJsonObject(sourcePath);
+    const exists = Boolean(data);
+    activeLayers.push({
+      scope,
+      sourcePath,
+      exists,
+      leafCount: exists ? flattenLeafValues(data).length : 0,
+    });
+
+    if (!exists) {
+      continue;
+    }
+
+    settings = mergeSettings(settings, data);
+    for (const [settingPath, value] of flattenLeafValues(data)) {
+      originsByPath[settingPath] = {
+        scope,
+        sourcePath,
+        value,
+      };
+    }
+  }
+
+  const warnings = activeLayers
+    .filter((layer) => !layer.exists && layer.scope !== 'defaults')
+    .map((layer) => `No ${layer.scope} settings file at ${layer.sourcePath}`);
+
+  return {
+    resolvedSettings: settings,
+    settings,
+    originsByPath,
+    origins: Object.entries(originsByPath)
+      .sort((a, b) => a[0].localeCompare(b[0]))
+      .map(([settingPath, origin]) => ({ path: settingPath, ...origin })),
+    activeLayers,
+    originSummary: summarizeOrigins(originsByPath),
+    warnings,
+    paths,
+  };
+}
+
+function getSetting(settingPath, options = {}) {
+  return getNestedValue(resolveSettingsHierarchy(options).resolvedSettings, settingPath);
+}
+
+function getSettingOrigin(settingPath, options = {}) {
+  return resolveSettingsHierarchy(options).originsByPath[String(settingPath || '')] || null;
+}
+
+function getSettingsStatus(options = {}) {
+  const hierarchy = resolveSettingsHierarchy(options);
+  return {
+    activeLayers: hierarchy.activeLayers,
+    originSummary: hierarchy.originSummary,
+    origins: hierarchy.origins,
+    paths: hierarchy.paths,
+    resolvedSettings: hierarchy.resolvedSettings,
+    warnings: hierarchy.warnings,
+  };
+}
+
+module.exports = {
+  DEFAULT_SETTINGS,
+  SETTINGS_SCOPE_ORDER,
+  getSetting,
+  getSettingOrigin,
+  getSettingsStatus,
+  resolveSettingsHierarchy,
+  resolveSettingsPaths,
+};

package/scripts/shieldcortex-memory-firewall-runner.mjs

@@ -0,0 +1,53 @@
+#!/usr/bin/env node
+
+import { readFileSync } from 'node:fs';
+
+async function main() {
+  try {
+    const raw = readFileSync(0, 'utf8');
+    const parsed = raw.trim() ? JSON.parse(raw) : {};
+    const { record = {}, options = {} } = parsed;
+
+    const { ShieldCortexGuardedMemoryBridge } = await import('shieldcortex');
+
+    const backend = {
+      name: 'thumbgate-ingress',
+      async save() {
+        return { id: 'memory-ingress-probe' };
+      },
+    };
+
+    const bridge = new ShieldCortexGuardedMemoryBridge(backend, {
+      mode: options.mode ?? 'strict',
+      sourceType: options.sourceType ?? 'hook',
+      sourceIdentifier: options.sourceIdentifier ?? 'feedback-loop',
+      blockOnThreat: true,
+    });
+
+    const result = await bridge.save(record);
+    const defence = result.defence || {};
+    const firewall = defence.firewall || {};
+
+    process.stdout.write(JSON.stringify({
+      available: true,
+      allowed: Boolean(result.allowed),
+      provider: 'shieldcortex',
+      mode: options.mode ?? 'strict',
+      reason: result.reason || firewall.reason || 'ShieldCortex decision completed.',
+      threatIndicators: Array.isArray(firewall.threatIndicators) ? firewall.threatIndicators : [],
+      blockedPatterns: Array.isArray(firewall.blockedPatterns) ? firewall.blockedPatterns : [],
+      firewallResult: firewall.result || null,
+      anomalyScore: firewall.anomalyScore ?? null,
+      sensitivityLevel: defence.sensitivity ? defence.sensitivity.level : null,
+      trustScore: defence.trust ? defence.trust.score : null,
+      auditId: defence.auditId ?? null,
+    }));
+  } catch (error) {
+    process.stdout.write(JSON.stringify({
+      available: false,
+      error: error.message,
+    }));
+  }
+}
+
+await main();

package/scripts/skill-exporter.js

@@ -0,0 +1,262 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * Skill Exporter — compiles ThumbGate profiles/policy-bundles into
+ * OpenAI Skill definitions and Codex Plugin manifests.
+ * Vendor-neutral IR → target format compilation.
+ */
+
+const fs = require('node:fs');
+const path = require('node:path');
+
+const ROOT = path.join(__dirname, '..');
+const SKILL_SPECS_DIR = path.join(ROOT, 'config', 'skill-specs');
+const POLICY_BUNDLES_DIR = path.join(ROOT, 'config', 'policy-bundles');
+const DIST_DIR = path.join(ROOT, 'dist', 'skills');
+const PKG = require(path.join(ROOT, 'package.json'));
+
+function readJson(filePath) {
+  return JSON.parse(fs.readFileSync(filePath, 'utf8'));
+}
+
+function ensureDir(dirPath) {
+  fs.mkdirSync(dirPath, { recursive: true });
+}
+
+/**
+ * Load a SkillSpec by name from config/skill-specs/.
+ * @param {string} name - spec name (without .json)
+ * @returns {object} parsed SkillSpec
+ */
+function loadSkillSpec(name) {
+  const specPath = path.join(SKILL_SPECS_DIR, `${name}.json`);
+  if (!fs.existsSync(specPath)) {
+    throw new Error(`Skill spec not found: ${name} (looked at ${specPath})`);
+  }
+  return readJson(specPath);
+}
+
+/**
+ * List all available skill specs in config/skill-specs/.
+ * @returns {string[]} spec names (without .json extension)
+ */
+function listAvailableSpecs() {
+  if (!fs.existsSync(SKILL_SPECS_DIR)) return [];
+  return fs.readdirSync(SKILL_SPECS_DIR)
+    .filter((f) => f.endsWith('.json'))
+    .map((f) => f.replace(/\.json$/, ''));
+}
+
+/**
+ * Load a policy bundle by bundleId.
+ * @param {string} bundleId
+ * @returns {object} parsed policy bundle
+ */
+function loadPolicyBundle(bundleId) {
+  const bundlePath = path.join(POLICY_BUNDLES_DIR, `${bundleId}.json`);
+  if (!fs.existsSync(bundlePath)) return null;
+  return readJson(bundlePath);
+}
+
+/**
+ * Build instruction text from a policy bundle and escalation rules.
+ * @param {object} bundle - parsed policy bundle
+ * @param {string[]} escalationRules
+ * @returns {string} instruction text
+ */
+function buildInstructions(bundle, escalationRules) {
+  const lines = [];
+  lines.push(`Policy: ${bundle.description}`);
+  lines.push(`Default MCP Profile: ${bundle.defaultMcpProfile}`);
+  lines.push('');
+  lines.push('## Approval Gates');
+  lines.push(`Required risk levels for approval: ${bundle.approval.requiredRisks.join(', ')}`);
+  lines.push('');
+  lines.push('## Available Intents');
+  for (const intent of bundle.intents) {
+    const actions = intent.actions.map((a) => a.name).join(', ');
+    lines.push(`- ${intent.id} [${intent.risk}]: ${intent.description} (${actions})`);
+  }
+  if (escalationRules.length > 0) {
+    lines.push('');
+    lines.push('## Escalation Rules');
+    for (const rule of escalationRules) {
+      lines.push(`- ${rule}`);
+    }
+  }
+  return lines.join('\n');
+}
+
+/**
+ * Compile a SkillSpec into an OpenAI Skill definition.
+ * @param {object} spec - parsed SkillSpec
+ * @returns {object} OpenAI Skill JSON
+ */
+function compileToOpenAISkill(spec) {
+  const bundle = loadPolicyBundle(spec.policyBundle);
+  const instructions = bundle
+    ? buildInstructions(bundle, spec.escalationRules || [])
+    : `Skill: ${spec.description}`;
+
+  return {
+    name: spec.name,
+    description: spec.description,
+    model_class: spec.defaultModelClass,
+    instructions,
+    scripts: {
+      gate_check: `recall --scope ${(spec.memoryScope || []).join(',')} --enforce`,
+      recall_injection: `recall --query "{{context}}" --scope ${(spec.memoryScope || []).join(',')}`
+    },
+    assets: {
+      prevention_rules: `config/policy-bundles/${spec.policyBundle}.json`,
+      memory_scope: spec.memoryScope || [],
+      tools: spec.tools || []
+    }
+  };
+}
+
+/**
+ * Compile a SkillSpec into a Codex Plugin manifest.
+ * @param {object} spec - parsed SkillSpec
+ * @returns {object} { pluginJson, mcpJson, agentsMd }
+ */
+function compileToCodexPlugin(spec) {
+  const bundle = loadPolicyBundle(spec.policyBundle);
+  const instructions = bundle
+    ? buildInstructions(bundle, spec.escalationRules || [])
+    : `Skill: ${spec.description}`;
+
+  const pluginJson = {
+    name: spec.name,
+    version: PKG.version,
+    description: spec.description,
+    author: {
+      name: PKG.author,
+      url: 'https://github.com/IgorGanapolsky'
+    },
+    homepage: PKG.homepage,
+    repository: PKG.repository.url.replace(/\.git$/, ''),
+    license: PKG.license,
+    keywords: ['codex', 'codex-plugin', 'thumbgate', spec.name, ...(spec.memoryScope || [])],
+    mcpServers: './.mcp.json',
+    interface: {
+      displayName: `ThumbGate: ${spec.name}`,
+      shortDescription: spec.description,
+      longDescription: instructions,
+      developerName: PKG.author,
+      category: 'Developer Tools',
+      capabilities: ['Interactive', 'Write'],
+      websiteURL: PKG.homepage,
+      brandColor: '#0ea5e9'
+    }
+  };
+
+  const mcpJson = {
+    mcpServers: {
+      thumbgate: {
+        command: 'npx',
+        args: ['-y', `thumbgate@${PKG.version}`, 'serve'],
+        tools: spec.tools || []
+      }
+    }
+  };
+
+  const agentsMdLines = [
+    `# ${spec.name} — ThumbGate Codex Plugin`,
+    '',
+    '## Trigger',
+    'If user gives explicit positive/negative outcome feedback, capture it immediately.',
+    '',
+    '## Memory Scope',
+    ...(spec.memoryScope || []).map((s) => `- ${s}`),
+    '',
+    '## Gating Instructions',
+    instructions,
+    '',
+    '## Session Start',
+    '',
+    '```bash',
+    'npm run feedback:summary',
+    'npm run feedback:rules',
+    '```',
+    '',
+    'Use generated rules as hard guardrails to avoid repeated mistakes.'
+  ];
+
+  return {
+    pluginJson,
+    mcpJson,
+    agentsMd: agentsMdLines.join('\n')
+  };
+}
+
+/**
+ * Export a skill spec to the given target formats.
+ * @param {string} name - spec name
+ * @param {string[]} targets - array of 'openai' and/or 'codex'
+ * @returns {{ openai?: object, codex?: object, written: string[] }}
+ */
+function exportSkill(name, targets = ['openai', 'codex']) {
+  const spec = loadSkillSpec(name);
+  const result = { written: [] };
+  const outDir = path.join(DIST_DIR, name);
+  ensureDir(outDir);
+
+  if (targets.includes('openai')) {
+    const openai = compileToOpenAISkill(spec);
+    result.openai = openai;
+    const openaiPath = path.join(outDir, 'openai-skill.json');
+    fs.writeFileSync(openaiPath, JSON.stringify(openai, null, 2) + '\n');
+    result.written.push(openaiPath);
+  }
+
+  if (targets.includes('codex')) {
+    const codex = compileToCodexPlugin(spec);
+    result.codex = codex;
+    const codexDir = path.join(outDir, 'codex');
+    ensureDir(path.join(codexDir, '.codex-plugin'));
+
+    const pluginPath = path.join(codexDir, '.codex-plugin', 'plugin.json');
+    fs.writeFileSync(pluginPath, JSON.stringify(codex.pluginJson, null, 2) + '\n');
+    result.written.push(pluginPath);
+
+    const mcpPath = path.join(codexDir, '.mcp.json');
+    fs.writeFileSync(mcpPath, JSON.stringify(codex.mcpJson, null, 2) + '\n');
+    result.written.push(mcpPath);
+
+    const agentsPath = path.join(codexDir, 'AGENTS.md');
+    fs.writeFileSync(agentsPath, codex.agentsMd + '\n');
+    result.written.push(agentsPath);
+  }
+
+  return result;
+}
+
+module.exports = { loadSkillSpec, compileToOpenAISkill, compileToCodexPlugin, exportSkill, listAvailableSpecs };
+
+/* istanbul ignore next — CLI entry */
+if (require.main === module) {
+  const args = process.argv.slice(2);
+  const cmd = args[0] || 'list';
+  if (cmd === 'list') {
+    const specs = listAvailableSpecs();
+    console.log('Available skill specs:', specs.join(', '));
+  } else if (cmd === 'export') {
+    const name = args[1];
+    if (!name) { console.error('Usage: skill-exporter.js export <name>'); process.exit(1); }
+    const targets = args[2] ? args[2].split(',') : ['openai', 'codex'];
+    const result = exportSkill(name, targets);
+    console.log(`Exported ${name} → ${result.written.length} files`);
+    result.written.forEach((f) => console.log(`  ${f}`));
+  } else if (cmd === 'export-all') {
+    const specs = listAvailableSpecs();
+    for (const name of specs) {
+      const result = exportSkill(name);
+      console.log(`Exported ${name} → ${result.written.length} files`);
+    }
+  } else {
+    console.error(`Unknown command: ${cmd}`);
+    process.exit(1);
+  }
+}