npm - thumbgate - Versions diffs - 0.9.10 - Mend

thumbgate 0.9.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (364) hide show

package/.claude-plugin/README.md +134 -0
package/.claude-plugin/bundle/icon.png +0 -0
package/.claude-plugin/bundle/icon.svg +18 -0
package/.claude-plugin/bundle/server/index.js +24 -0
package/.claude-plugin/marketplace.json +36 -0
package/.claude-plugin/plugin.json +21 -0
package/.well-known/mcp/server-card.json +231 -0
package/LICENSE +21 -0
package/README.md +375 -0
package/adapters/README.md +9 -0
package/adapters/amp/skills/thumbgate-feedback/SKILL.md +22 -0
package/adapters/chatgpt/INSTALL.md +83 -0
package/adapters/chatgpt/openapi.yaml +1281 -0
package/adapters/claude/.mcp.json +14 -0
package/adapters/codex/config.toml +9 -0
package/adapters/gemini/function-declarations.json +224 -0
package/adapters/mcp/server-stdio.js +788 -0
package/adapters/opencode/opencode.json +15 -0
package/bin/cli.js +1484 -0
package/bin/memory.sh +64 -0
package/bin/obsidian-sync.sh +20 -0
package/bin/postinstall.js +37 -0
package/config/build-metadata.json +4 -0
package/config/e2e-critical-flows.json +45 -0
package/config/gate-templates.json +77 -0
package/config/gates/claim-verification.json +29 -0
package/config/gates/computer-use.json +39 -0
package/config/gates/default.json +117 -0
package/config/github-about.json +25 -0
package/config/mcp-allowlists.json +135 -0
package/config/model-tiers.json +33 -0
package/config/partner-routing.json +132 -0
package/config/policy-bundles/constrained-v1.json +64 -0
package/config/policy-bundles/default-v1.json +91 -0
package/config/rubrics/default-v1.json +52 -0
package/config/skill-packs/react-testing.json +23 -0
package/config/skill-packs/stripe-integration/references/api-spec.json +1 -0
package/config/skill-packs/stripe-integration/references/webhook-guide.md +3 -0
package/config/skill-specs/pr-reviewer.json +9 -0
package/config/skill-specs/release-status.json +9 -0
package/config/skill-specs/ticket-triage.json +9 -0
package/config/subagent-profiles.json +32 -0
package/config/tessl-tiles.json +29 -0
package/config/thumbgate-settings.managed.json +12 -0
package/openapi/openapi.yaml +1281 -0
package/package.json +283 -0
package/plugins/amp-skill/INSTALL.md +52 -0
package/plugins/amp-skill/SKILL.md +64 -0
package/plugins/claude-codex-bridge/.claude-plugin/plugin.json +22 -0
package/plugins/claude-codex-bridge/.mcp.json +12 -0
package/plugins/claude-codex-bridge/INSTALL.md +43 -0
package/plugins/claude-codex-bridge/README.md +46 -0
package/plugins/claude-codex-bridge/scripts/codex-bridge.js +288 -0
package/plugins/claude-codex-bridge/skills/adversarial-review/SKILL.md +24 -0
package/plugins/claude-codex-bridge/skills/result/SKILL.md +22 -0
package/plugins/claude-codex-bridge/skills/review/SKILL.md +28 -0
package/plugins/claude-codex-bridge/skills/second-pass/SKILL.md +27 -0
package/plugins/claude-codex-bridge/skills/setup/SKILL.md +21 -0
package/plugins/claude-codex-bridge/skills/status/SKILL.md +19 -0
package/plugins/claude-skill/INSTALL.md +55 -0
package/plugins/claude-skill/SKILL.md +46 -0
package/plugins/codex-profile/.codex-plugin/plugin.json +43 -0
package/plugins/codex-profile/.mcp.json +12 -0
package/plugins/codex-profile/AGENTS.md +20 -0
package/plugins/codex-profile/INSTALL.md +66 -0
package/plugins/codex-profile/README.md +37 -0
package/plugins/cursor-marketplace/.cursor-plugin/plugin.json +23 -0
package/plugins/cursor-marketplace/CHANGELOG.md +30 -0
package/plugins/cursor-marketplace/LICENSE +21 -0
package/plugins/cursor-marketplace/README.md +124 -0
package/plugins/cursor-marketplace/agents/reliability-reviewer.md +31 -0
package/plugins/cursor-marketplace/assets/logo-400x400.png +0 -0
package/plugins/cursor-marketplace/commands/capture-feedback.md +33 -0
package/plugins/cursor-marketplace/commands/check-gates.md +25 -0
package/plugins/cursor-marketplace/commands/show-lessons.md +27 -0
package/plugins/cursor-marketplace/hooks/hooks.json +10 -0
package/plugins/cursor-marketplace/mcp.json +12 -0
package/plugins/cursor-marketplace/rules/feedback-capture.mdc +34 -0
package/plugins/cursor-marketplace/rules/pre-action-gates.mdc +30 -0
package/plugins/cursor-marketplace/rules/session-continuity.mdc +28 -0
package/plugins/cursor-marketplace/scripts/gate-check.sh +11 -0
package/plugins/cursor-marketplace/skills/capture-feedback/SKILL.md +47 -0
package/plugins/cursor-marketplace/skills/prevention-rules/SKILL.md +31 -0
package/plugins/cursor-marketplace/skills/recall-context/SKILL.md +30 -0
package/plugins/cursor-marketplace/skills/search-lessons/SKILL.md +33 -0
package/plugins/gemini-extension/INSTALL.md +92 -0
package/plugins/gemini-extension/gemini_prompt.txt +14 -0
package/plugins/gemini-extension/tool_contract.json +45 -0
package/plugins/opencode-profile/INSTALL.md +57 -0
package/public/assets/instagram-card.png +0 -0
package/public/assets/tiktok-agent-memory.mp4 +0 -0
package/public/blog.html +400 -0
package/public/dashboard.html +1093 -0
package/public/guide.html +317 -0
package/public/index.html +1014 -0
package/public/learn/agent-harness-pattern.html +180 -0
package/public/learn/ai-agent-persistent-memory.html +202 -0
package/public/learn/learn.css +45 -0
package/public/learn/mcp-pre-action-gates-explained.html +172 -0
package/public/learn/stop-ai-agent-force-push.html +134 -0
package/public/learn/vibe-coding-safety-net.html +142 -0
package/public/learn.html +213 -0
package/public/lessons.html +650 -0
package/public/vercel.json +8 -0
package/scripts/__pycache__/train_from_feedback.cpython-312.pyc +0 -0
package/scripts/a2ui-engine.js +73 -0
package/scripts/access-anomaly-detector.js +12 -0
package/scripts/adk-consolidator.js +266 -0
package/scripts/agent-readiness.js +220 -0
package/scripts/agent-security-hardening.js +227 -0
package/scripts/agentic-data-pipeline.js +847 -0
package/scripts/analytics-report.js +328 -0
package/scripts/analytics-window.js +158 -0
package/scripts/async-job-runner.js +1001 -0
package/scripts/audit-trail.js +398 -0
package/scripts/auto-promote-gates.js +299 -0
package/scripts/auto-wire-hooks.js +312 -0
package/scripts/autonomous-sales-agent.js +39 -0
package/scripts/autoresearch-runner.js +216 -0
package/scripts/background-agent-governance.js +237 -0
package/scripts/behavioral-extraction.js +97 -0
package/scripts/belief-update.js +84 -0
package/scripts/billing.js +2438 -0
package/scripts/bot-detector.js +50 -0
package/scripts/budget-guard.js +173 -0
package/scripts/build-claude-mcpb.js +189 -0
package/scripts/build-metadata.js +97 -0
package/scripts/check-congruence.js +322 -0
package/scripts/cli-feedback.js +135 -0
package/scripts/cli-telemetry.js +87 -0
package/scripts/cloudflare-dynamic-sandbox.js +315 -0
package/scripts/code-reasoning.js +350 -0
package/scripts/codegraph-context.js +466 -0
package/scripts/commercial-offer.js +56 -0
package/scripts/computer-use-firewall.js +250 -0
package/scripts/context-engine.js +694 -0
package/scripts/contextfs.js +1287 -0
package/scripts/conversation-context.js +119 -0
package/scripts/creator-campaigns.js +239 -0
package/scripts/daemon-manager.js +108 -0
package/scripts/daily-digest.js +11 -0
package/scripts/dashboard-render-spec.js +395 -0
package/scripts/dashboard.js +1058 -0
package/scripts/data-governance.js +173 -0
package/scripts/delegation-runtime.js +900 -0
package/scripts/deploy-gcp.sh +44 -0
package/scripts/deploy-policy.js +263 -0
package/scripts/disagreement-mining.js +315 -0
package/scripts/dispatch-brief.js +159 -0
package/scripts/distribution-surfaces.js +44 -0
package/scripts/dpo-optimizer.js +209 -0
package/scripts/ephemeral-agent-store.js +219 -0
package/scripts/eval-harness.js +56 -0
package/scripts/evolution-state.js +241 -0
package/scripts/experiment-tracker.js +267 -0
package/scripts/export-databricks-bundle.js +242 -0
package/scripts/export-dpo-pairs.js +345 -0
package/scripts/export-kto-pairs.js +310 -0
package/scripts/export-training.js +448 -0
package/scripts/failure-diagnostics.js +558 -0
package/scripts/feedback-attribution.js +313 -0
package/scripts/feedback-fallback.js +111 -0
package/scripts/feedback-history-distiller.js +391 -0
package/scripts/feedback-inbox-read.js +162 -0
package/scripts/feedback-loop.js +1887 -0
package/scripts/feedback-paths.js +145 -0
package/scripts/feedback-quality.js +139 -0
package/scripts/feedback-root-consolidator.js +238 -0
package/scripts/feedback-schema.js +426 -0
package/scripts/feedback-session.js +286 -0
package/scripts/feedback-to-memory.js +185 -0
package/scripts/feedback-to-rules.js +163 -0
package/scripts/filesystem-search.js +404 -0
package/scripts/funnel-analytics.js +35 -0
package/scripts/gate-satisfy.js +42 -0
package/scripts/gate-stats.js +116 -0
package/scripts/gate-templates.js +70 -0
package/scripts/gates-engine.js +816 -0
package/scripts/generate-paperbanana-diagrams.sh +99 -0
package/scripts/generate-pretool-hook.sh +40 -0
package/scripts/github-about.js +350 -0
package/scripts/github-outreach.js +65 -0
package/scripts/gtm-revenue-loop.js +520 -0
package/scripts/hallucination-detector.js +226 -0
package/scripts/hf-papers.js +317 -0
package/scripts/history-distiller.js +200 -0
package/scripts/hook-auto-capture.sh +95 -0
package/scripts/hook-stop-pr-thread-check.sh +68 -0
package/scripts/hook-stop-self-score.sh +51 -0
package/scripts/hook-stop-verify-deploy.sh +31 -0
package/scripts/hook-thumbgate-cache-updater.js +48 -0
package/scripts/hook-verify-before-done.sh +20 -0
package/scripts/hosted-config.js +170 -0
package/scripts/hybrid-feedback-context.js +676 -0
package/scripts/install-mcp.js +159 -0
package/scripts/intent-router.js +392 -0
package/scripts/internal-agent-bootstrap.js +490 -0
package/scripts/jsonl-watcher.js +155 -0
package/scripts/lesson-db.js +613 -0
package/scripts/lesson-inference.js +315 -0
package/scripts/lesson-retrieval.js +95 -0
package/scripts/lesson-rotation.js +137 -0
package/scripts/lesson-search.js +644 -0
package/scripts/lesson-synthesis.js +196 -0
package/scripts/license.js +50 -0
package/scripts/local-model-profile.js +383 -0
package/scripts/markdown-escape.js +12 -0
package/scripts/marketing-experiment.js +671 -0
package/scripts/mcp-config.js +149 -0
package/scripts/mcp-policy.js +99 -0
package/scripts/memalign-recall.js +111 -0
package/scripts/memory-firewall.js +222 -0
package/scripts/memory-migration.js +296 -0
package/scripts/meta-policy.js +194 -0
package/scripts/metered-billing.js +16 -0
package/scripts/model-tier-router.js +301 -0
package/scripts/money-watcher.js +71 -0
package/scripts/multi-hop-recall.js +240 -0
package/scripts/natural-language-harness.js +330 -0
package/scripts/obsidian-export.js +712 -0
package/scripts/operational-dashboard.js +103 -0
package/scripts/operational-summary.js +93 -0
package/scripts/optimize-context.js +17 -0
package/scripts/org-dashboard.js +201 -0
package/scripts/partner-orchestration.js +146 -0
package/scripts/per-step-scoring.js +165 -0
package/scripts/perplexity-marketing.js +466 -0
package/scripts/pii-scanner.js +153 -0
package/scripts/plan-gate.js +154 -0
package/scripts/post-everywhere.js +308 -0
package/scripts/post-to-x-retry.sh +22 -0
package/scripts/post-to-x.js +369 -0
package/scripts/pr-manager.js +236 -0
package/scripts/predictive-insights.js +356 -0
package/scripts/principle-extractor.js +162 -0
package/scripts/pro-features.js +40 -0
package/scripts/pro-local-dashboard.js +174 -0
package/scripts/problem-detail.js +53 -0
package/scripts/product-feedback.js +134 -0
package/scripts/profile-router.js +245 -0
package/scripts/prompt-dlp.js +221 -0
package/scripts/prompt-guard.js +83 -0
package/scripts/prove-adapters.js +863 -0
package/scripts/prove-attribution.js +365 -0
package/scripts/prove-automation.js +653 -0
package/scripts/prove-autoresearch.js +304 -0
package/scripts/prove-claim-verification.js +277 -0
package/scripts/prove-cloudflare-sandbox.js +163 -0
package/scripts/prove-data-pipeline.js +410 -0
package/scripts/prove-data-quality.js +227 -0
package/scripts/prove-evolution.js +352 -0
package/scripts/prove-harnesses.js +287 -0
package/scripts/prove-intelligence.js +259 -0
package/scripts/prove-lancedb.js +371 -0
package/scripts/prove-local-intelligence.js +342 -0
package/scripts/prove-loop-closure.js +263 -0
package/scripts/prove-predictive-insights.js +357 -0
package/scripts/prove-runtime.js +350 -0
package/scripts/prove-seo-gsd.js +234 -0
package/scripts/prove-settings.js +279 -0
package/scripts/prove-subway-upgrades.js +277 -0
package/scripts/prove-tessl.js +229 -0
package/scripts/prove-training-export.js +327 -0
package/scripts/prove-workflow-contract.js +116 -0
package/scripts/prove-xmemory.js +332 -0
package/scripts/publish-decision.js +133 -0
package/scripts/pulse.js +80 -0
package/scripts/rate-limiter.js +125 -0
package/scripts/reddit-dm-outreach.js +182 -0
package/scripts/reddit-monitor-cron.sh +26 -0
package/scripts/reflector-agent.js +221 -0
package/scripts/reminder-engine.js +132 -0
package/scripts/revenue-status.js +472 -0
package/scripts/risk-scorer.js +458 -0
package/scripts/rlaif-self-audit.js +129 -0
package/scripts/rubric-engine.js +230 -0
package/scripts/schedule-manager.js +251 -0
package/scripts/secret-scanner.js +414 -0
package/scripts/self-heal.js +147 -0
package/scripts/self-healing-check.js +188 -0
package/scripts/semantic-layer.js +98 -0
package/scripts/seo-gsd.js +1153 -0
package/scripts/settings-hierarchy.js +214 -0
package/scripts/shieldcortex-memory-firewall-runner.mjs +53 -0
package/scripts/skill-exporter.js +262 -0
package/scripts/skill-generator.js +446 -0
package/scripts/skill-materializer.js +134 -0
package/scripts/skill-packs.js +136 -0
package/scripts/skill-proposer.js +99 -0
package/scripts/skill-quality-tracker.js +284 -0
package/scripts/slo-alert-engine.js +14 -0
package/scripts/slow-loop.js +72 -0
package/scripts/social-analytics/db/schema.sql +32 -0
package/scripts/social-analytics/digest.js +256 -0
package/scripts/social-analytics/generate-instagram-card.js +97 -0
package/scripts/social-analytics/instagram-thumbgate-post.js +73 -0
package/scripts/social-analytics/mcp-server.js +289 -0
package/scripts/social-analytics/normalizer.js +580 -0
package/scripts/social-analytics/notify.js +162 -0
package/scripts/social-analytics/poll-all.js +107 -0
package/scripts/social-analytics/pollers/github.js +195 -0
package/scripts/social-analytics/pollers/instagram.js +253 -0
package/scripts/social-analytics/pollers/linkedin.js +330 -0
package/scripts/social-analytics/pollers/plausible.js +247 -0
package/scripts/social-analytics/pollers/reddit.js +306 -0
package/scripts/social-analytics/pollers/threads.js +233 -0
package/scripts/social-analytics/pollers/tiktok.js +203 -0
package/scripts/social-analytics/pollers/x.js +227 -0
package/scripts/social-analytics/pollers/youtube.js +304 -0
package/scripts/social-analytics/pollers/zernio.js +180 -0
package/scripts/social-analytics/publish-instagram-thumbgate.js +85 -0
package/scripts/social-analytics/publishers/devto.js +122 -0
package/scripts/social-analytics/publishers/instagram.js +317 -0
package/scripts/social-analytics/publishers/linkedin.js +294 -0
package/scripts/social-analytics/publishers/reddit.js +390 -0
package/scripts/social-analytics/publishers/threads.js +275 -0
package/scripts/social-analytics/publishers/tiktok.js +217 -0
package/scripts/social-analytics/publishers/x.js +259 -0
package/scripts/social-analytics/publishers/youtube.js +223 -0
package/scripts/social-analytics/publishers/zernio.js +209 -0
package/scripts/social-analytics/run-digest.js +34 -0
package/scripts/social-analytics/store.js +257 -0
package/scripts/social-analytics/utm.js +143 -0
package/scripts/social-pipeline.js +2628 -0
package/scripts/social-quality-gate.js +18 -0
package/scripts/social-reply-monitor.js +445 -0
package/scripts/status-dashboard.js +155 -0
package/scripts/statusline-lesson.js +16 -0
package/scripts/statusline-tower.js +8 -0
package/scripts/statusline.sh +116 -0
package/scripts/stripe-live-status.js +115 -0
package/scripts/subagent-profiles.js +79 -0
package/scripts/sync-gh-secrets-from-env.sh +70 -0
package/scripts/sync-github-about.js +52 -0
package/scripts/sync-version.js +451 -0
package/scripts/synthetic-dpo.js +234 -0
package/scripts/telemetry-analytics.js +821 -0
package/scripts/tessl-export.js +371 -0
package/scripts/test-coverage.js +120 -0
package/scripts/thompson-sampling.js +417 -0
package/scripts/thumbgate-search.js +189 -0
package/scripts/tool-kpi-tracker.js +12 -0
package/scripts/tool-registry.js +811 -0
package/scripts/train_from_feedback.py +910 -0
package/scripts/user-profile.js +78 -0
package/scripts/validate-feedback.js +580 -0
package/scripts/validate-workflow-contract.js +287 -0
package/scripts/vector-store.js +198 -0
package/scripts/verification-loop.js +291 -0
package/scripts/verify-obsidian-setup.sh +269 -0
package/scripts/verify-run.js +269 -0
package/scripts/webhook-delivery.js +62 -0
package/scripts/weekly-auto-post.js +124 -0
package/scripts/workflow-runs.js +154 -0
package/scripts/workflow-sprint-intake.js +475 -0
package/scripts/workspace-evolver.js +374 -0
package/scripts/x-autonomous-marketing.js +139 -0
package/scripts/xmemory-lite.js +405 -0
package/skills/agent-memory/SKILL.md +97 -0
package/skills/solve-architecture-autonomy/SKILL.md +17 -0
package/skills/solve-architecture-autonomy/tool.js +33 -0
package/skills/thumbgate/SKILL.md +114 -0
package/skills/thumbgate-feedback/SKILL.md +49 -0
package/src/api/server.js +4208 -0

package/scripts/bot-detector.js ADDED Viewed

@@ -0,0 +1,50 @@
+'use strict';
+const BOT_PATTERNS = [
+  /bot/i, /crawl/i, /spider/i, /slurp/i, /mediapartners/i,
+  /Googlebot/i, /Bingbot/i, /DuckDuckBot/i, /Baiduspider/i,
+  /YandexBot/i, /facebookexternalhit/i, /Twitterbot/i,
+  /LinkedInBot/i, /WhatsApp/i, /Discordbot/i, /TelegramBot/i,
+  /Applebot/i, /PetalBot/i, /SemrushBot/i, /AhrefsBot/i,
+  /MJ12bot/i, /DotBot/i, /Bytespider/i,
+  /GPTBot/i, /ChatGPT/i, /Claude-SearchBot/i, /Anthropic/i, /Perplexity/i,
+  /Google-Extended/i, /CCBot/i, /cohere-ai/i,
+  /HeadlessChrome/i, /PhantomJS/i, /Puppeteer/i, /Playwright/i,
+  /python-requests/i, /node-fetch/i, /wget/i,
+  /Scrapy/i, /HttpClient/i, /Go-http-client/i,
+  /UptimeRobot/i, /Pingdom/i, /StatusCake/i,
+];
+const OWNER_EMAILS = ['iganapolsky@gmail.com', 'ig5973700@gmail.com'];
+function classifyVisitor(req) {
+  const ua = (req.headers && req.headers['user-agent']) || '';
+  const email = req.email || (req.query && req.query.email) || '';
+  for (const pattern of BOT_PATTERNS) {
+    if (pattern.test(ua)) {
+      return { type: 'bot', reason: `UA matches: ${pattern}`, userAgent: ua };
+    }
+  }
+  if (!ua || ua.length < 10) {
+    return { type: 'bot', reason: 'Empty or short user-agent', userAgent: ua };
+  }
+  for (const ownerEmail of OWNER_EMAILS) {
+    if (email && email.toLowerCase().includes(ownerEmail.toLowerCase())) {
+      return { type: 'owner', reason: `Email matches: ${ownerEmail}`, userAgent: ua };
+    }
+  }
+  return { type: 'real_user', reason: 'No bot pattern matched', userAgent: ua };
+}
+function shouldExcludeFromAnalytics(req) {
+  const classification = req.visitorClass || classifyVisitor(req);
+  return classification.type === 'bot';
+}
+function botFilterMiddleware(req, res, next) {
+  req.visitorClass = classifyVisitor(req);
+  next();
+}
+module.exports = { classifyVisitor, botFilterMiddleware, shouldExcludeFromAnalytics, BOT_PATTERNS, OWNER_EMAILS };

package/scripts/budget-guard.js ADDED Viewed

@@ -0,0 +1,173 @@
+#!/usr/bin/env node
+const fs = require('fs');
+const path = require('path');
+const PROJECT_ROOT = path.join(__dirname, '..');
+const FEEDBACK_DIR = process.env.THUMBGATE_FEEDBACK_DIR || path.join(PROJECT_ROOT, '.claude', 'memory', 'feedback');
+const LEDGER_PATH = path.join(FEEDBACK_DIR, 'budget-ledger.json');
+const LOCK_PATH = `${LEDGER_PATH}.lock`;
+function parseMonthlyBudget(rawValue) {
+  const parsed = Number(rawValue);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    throw new Error(`Invalid THUMBGATE_MONTHLY_BUDGET_USD value: '${rawValue}'`);
+  }
+  return parsed;
+}
+function getMonthlyBudget() {
+  const rawValue = process.env.THUMBGATE_MONTHLY_BUDGET_USD || '10';
+  return parseMonthlyBudget(rawValue);
+}
+function currentMonthKey() {
+  const now = new Date();
+  return `${now.getUTCFullYear()}-${String(now.getUTCMonth() + 1).padStart(2, '0')}`;
+}
+function loadLedger() {
+  if (!fs.existsSync(LEDGER_PATH)) return { months: {} };
+  return JSON.parse(fs.readFileSync(LEDGER_PATH, 'utf-8'));
+}
+function saveLedger(ledger) {
+  fs.mkdirSync(path.dirname(LEDGER_PATH), { recursive: true });
+  fs.writeFileSync(LEDGER_PATH, `${JSON.stringify(ledger, null, 2)}\n`);
+}
+function blockMs(ms) {
+  const start = Date.now();
+  while (Date.now() - start < ms) {
+    // Intentional synchronous short wait while lock clears.
+  }
+}
+function acquireLock({ timeoutMs = 5000, staleMs = 15000 } = {}) {
+  const startedAt = Date.now();
+  fs.mkdirSync(path.dirname(LOCK_PATH), { recursive: true });
+  while (true) {
+    try {
+      return fs.openSync(LOCK_PATH, 'wx');
+    } catch (err) {
+      if (err.code !== 'EEXIST') throw err;
+      try {
+        const stat = fs.statSync(LOCK_PATH);
+        if (Date.now() - stat.mtimeMs > staleMs) {
+          fs.rmSync(LOCK_PATH, { force: true });
+          continue;
+        }
+      } catch {
+        // lock disappeared between retries
+      }
+      if (Date.now() - startedAt > timeoutMs) {
+        throw new Error('Could not acquire budget ledger lock');
+      }
+      blockMs(20);
+    }
+  }
+}
+function releaseLock(lockFd) {
+  try {
+    fs.closeSync(lockFd);
+  } finally {
+    fs.rmSync(LOCK_PATH, { force: true });
+  }
+}
+function addSpend({ amountUsd, source, note }) {
+  if (!Number.isFinite(amountUsd) || amountUsd < 0) {
+    throw new Error('amountUsd must be a non-negative number');
+  }
+  const budgetUsd = getMonthlyBudget();
+  const lockFd = acquireLock();
+  try {
+    const ledger = loadLedger();
+    const month = currentMonthKey();
+    if (!ledger.months[month]) {
+      ledger.months[month] = {
+        totalUsd: 0,
+        entries: [],
+      };
+    }
+    const nextTotal = ledger.months[month].totalUsd + amountUsd;
+    if (nextTotal > budgetUsd) {
+      throw new Error(`Budget exceeded: ${nextTotal.toFixed(2)} > ${budgetUsd.toFixed(2)} USD/month`);
+    }
+    ledger.months[month].totalUsd = nextTotal;
+    ledger.months[month].entries.push({
+      ts: new Date().toISOString(),
+      source: source || 'unknown',
+      note: note || '',
+      amountUsd,
+    });
+    saveLedger(ledger);
+    return {
+      month,
+      totalUsd: ledger.months[month].totalUsd,
+      budgetUsd,
+    };
+  } finally {
+    releaseLock(lockFd);
+  }
+}
+function getBudgetStatus() {
+  const budgetUsd = getMonthlyBudget();
+  const ledger = loadLedger();
+  const month = currentMonthKey();
+  const total = ledger.months[month] ? ledger.months[month].totalUsd : 0;
+  return {
+    month,
+    totalUsd: total,
+    budgetUsd,
+    remainingUsd: Math.max(0, budgetUsd - total),
+  };
+}
+function runCli() {
+  const args = process.argv.slice(2);
+  if (args.includes('--status')) {
+    console.log(JSON.stringify(getBudgetStatus(), null, 2));
+    return;
+  }
+  const addArg = args.find((a) => a.startsWith('--add='));
+  if (!addArg) {
+    console.log('Usage: node scripts/budget-guard.js --status');
+    console.log('Usage: node scripts/budget-guard.js --add=0.15 --source=paperbanana --note="diagram generation"');
+    process.exit(1);
+  }
+  const amountUsd = Number(addArg.replace('--add=', ''));
+  const sourceArg = args.find((a) => a.startsWith('--source='));
+  const noteArg = args.find((a) => a.startsWith('--note='));
+  const result = addSpend({
+    amountUsd,
+    source: sourceArg ? sourceArg.replace('--source=', '') : 'unknown',
+    note: noteArg ? noteArg.replace('--note=', '') : '',
+  });
+  console.log(JSON.stringify(result, null, 2));
+}
+module.exports = {
+  addSpend,
+  getBudgetStatus,
+  getMonthlyBudget,
+  parseMonthlyBudget,
+  LEDGER_PATH,
+  LOCK_PATH,
+};
+if (require.main === module) {
+  runCli();
+}

package/scripts/build-claude-mcpb.js ADDED Viewed

@@ -0,0 +1,189 @@
+#!/usr/bin/env node
+'use strict';
+const fs = require('fs');
+const path = require('path');
+const { execFileSync } = require('child_process');
+const {
+  getClaudePluginVersionedAssetName,
+} = require('./distribution-surfaces');
+const PROJECT_ROOT = path.join(__dirname, '..');
+const DEFAULT_OUTPUT_DIR = path.join(PROJECT_ROOT, '.artifacts', 'claude-desktop');
+const RUNTIME_COPY_PATHS = [
+  'bin',
+  'src',
+  'scripts',
+  'adapters',
+  'config',
+  'plugins',
+  'skills',
+  'openapi',
+  'public',
+  '.well-known',
+  '.claude-plugin',
+  'README.md',
+  'LICENSE',
+  'SECURITY.md',
+  'server.json',
+];
+function readJson(relativePath) {
+  return JSON.parse(fs.readFileSync(path.join(PROJECT_ROOT, relativePath), 'utf8'));
+}
+function readText(relativePath) {
+  return fs.readFileSync(path.join(PROJECT_ROOT, relativePath), 'utf8');
+}
+function copyEntry(relativePath, stageDir) {
+  const sourcePath = path.join(PROJECT_ROOT, relativePath);
+  if (!fs.existsSync(sourcePath)) return;
+  const targetPath = path.join(stageDir, relativePath);
+  const stat = fs.statSync(sourcePath);
+  if (stat.isDirectory()) {
+    fs.mkdirSync(path.dirname(targetPath), { recursive: true });
+    fs.cpSync(sourcePath, targetPath, { recursive: true });
+    return;
+  }
+  fs.mkdirSync(path.dirname(targetPath), { recursive: true });
+  fs.copyFileSync(sourcePath, targetPath);
+}
+function exec(command, args, options = {}) {
+  return execFileSync(command, args, {
+    cwd: PROJECT_ROOT,
+    stdio: 'inherit',
+    ...options,
+  });
+}
+function buildClaudeMcpbManifest() {
+  const packageJson = readJson('package.json');
+  const pluginManifest = readJson('.claude-plugin/plugin.json');
+  const marketplace = readJson('.claude-plugin/marketplace.json');
+  const { TOOLS } = require(path.join(PROJECT_ROOT, 'scripts', 'tool-registry'));
+  const repositoryUrl = String(pluginManifest.repository || packageJson.repository.url).replace(/\.git$/, '');
+  const privacyPolicyUrl = `${packageJson.homepage}/privacy`;
+  const marketplaceEntry = marketplace.plugins[0];
+  const readme = readText('.claude-plugin/README.md')
+    .split('\n')
+    .slice(0, 6)
+    .join(' ')
+    .replace(/\s+/g, ' ')
+    .trim();
+  return {
+    manifest_version: '0.3',
+    name: pluginManifest.name,
+    display_name: 'ThumbGate',
+    version: packageJson.version,
+    description: marketplaceEntry.description,
+    long_description: readme,
+    author: {
+      name: pluginManifest.author.name,
+      url: repositoryUrl,
+    },
+    repository: {
+      type: 'git',
+      url: repositoryUrl,
+    },
+    homepage: packageJson.homepage,
+    documentation: `${repositoryUrl}/blob/main/docs/CLAUDE_DESKTOP_EXTENSION.md`,
+    support: `${repositoryUrl}/issues`,
+    icon: 'icon.png',
+    server: {
+      type: 'node',
+      entry_point: 'server/index.js',
+      mcp_config: {
+        command: 'node',
+        args: ['${__dirname}/server/index.js'],
+        env: {},
+      },
+    },
+    tools: TOOLS.map((tool) => ({
+      name: tool.name,
+      description: tool.description,
+    })),
+    tools_generated: true,
+    keywords: pluginManifest.keywords,
+    license: packageJson.license,
+    privacy_policies: [privacyPolicyUrl],
+  };
+}
+function stageClaudeMcpbBundle(outputDir = DEFAULT_OUTPUT_DIR) {
+  const packageJson = readJson('package.json');
+  const stageDir = path.join(outputDir, 'bundle');
+  const outputFile = path.join(outputDir, getClaudePluginVersionedAssetName(packageJson.version));
+  fs.rmSync(outputDir, { recursive: true, force: true });
+  fs.mkdirSync(path.join(stageDir, 'server'), { recursive: true });
+  for (const relativePath of RUNTIME_COPY_PATHS) {
+    copyEntry(relativePath, stageDir);
+  }
+  copyEntry('package.json', stageDir);
+  copyEntry('package-lock.json', stageDir);
+  fs.writeFileSync(
+    path.join(stageDir, 'server', 'index.js'),
+    readText('.claude-plugin/bundle/server/index.js')
+  );
+  fs.writeFileSync(
+    path.join(stageDir, 'icon.png'),
+    fs.readFileSync(path.join(PROJECT_ROOT, '.claude-plugin', 'bundle', 'icon.png'))
+  );
+  fs.writeFileSync(
+    path.join(stageDir, 'README.md'),
+    readText('.claude-plugin/README.md')
+  );
+  fs.writeFileSync(
+    path.join(stageDir, 'manifest.json'),
+    JSON.stringify(buildClaudeMcpbManifest(), null, 2) + '\n'
+  );
+  return {
+    stageDir,
+    outputFile,
+  };
+}
+function buildClaudeMcpb(outputDir = DEFAULT_OUTPUT_DIR) {
+  const { stageDir, outputFile } = stageClaudeMcpbBundle(outputDir);
+  exec('npm', ['ci', '--omit=dev'], { cwd: stageDir });
+  exec('npx', ['-y', '@anthropic-ai/mcpb', 'pack', stageDir, outputFile], { cwd: PROJECT_ROOT });
+  const info = execFileSync('npx', ['-y', '@anthropic-ai/mcpb', 'info', outputFile], {
+    cwd: PROJECT_ROOT,
+    encoding: 'utf8',
+  });
+  process.stdout.write(info);
+  return {
+    stageDir,
+    outputFile,
+    info,
+  };
+}
+if (require.main === module) {
+  const outputDir = process.argv[2]
+    ? path.resolve(process.cwd(), process.argv[2])
+    : DEFAULT_OUTPUT_DIR;
+  const { outputFile } = buildClaudeMcpb(outputDir);
+  console.log(`Built Claude Desktop bundle: ${outputFile}`);
+}
+module.exports = {
+  DEFAULT_OUTPUT_DIR,
+  buildClaudeMcpbManifest,
+  stageClaudeMcpbBundle,
+  buildClaudeMcpb,
+};

package/scripts/build-metadata.js ADDED Viewed

@@ -0,0 +1,97 @@
+const fs = require('fs');
+const path = require('path');
+const PROJECT_ROOT = path.resolve(__dirname, '..');
+const DEFAULT_BUILD_METADATA_PATH = path.join(PROJECT_ROOT, 'config', 'build-metadata.json');
+function normalizeNullableText(value) {
+  if (typeof value !== 'string') {
+    return null;
+  }
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function resolveBuildMetadata({ env = process.env, filePath } = {}) {
+  const resolvedPath =
+    normalizeNullableText(filePath) ||
+    normalizeNullableText(env.THUMBGATE_BUILD_METADATA_PATH) ||
+    DEFAULT_BUILD_METADATA_PATH;
+  try {
+    const parsed = JSON.parse(fs.readFileSync(resolvedPath, 'utf8'));
+    return {
+      path: resolvedPath,
+      buildSha: normalizeNullableText(parsed.buildSha),
+      generatedAt: normalizeNullableText(parsed.generatedAt),
+    };
+  } catch {
+    return {
+      path: resolvedPath,
+      buildSha: null,
+      generatedAt: null,
+    };
+  }
+}
+function writeBuildMetadataFile({ sha, outputPath, generatedAt = new Date().toISOString() }) {
+  const buildSha = normalizeNullableText(sha);
+  if (!buildSha) {
+    throw new Error('A non-empty build SHA is required.');
+  }
+  const targetPath = normalizeNullableText(outputPath) || DEFAULT_BUILD_METADATA_PATH;
+  fs.mkdirSync(path.dirname(targetPath), { recursive: true });
+  const payload = {
+    buildSha,
+    generatedAt,
+  };
+  fs.writeFileSync(targetPath, `${JSON.stringify(payload, null, 2)}\n`);
+  return {
+    path: targetPath,
+    ...payload,
+  };
+}
+function parseArgs(argv) {
+  const options = {
+    sha: null,
+    outputPath: null,
+    generatedAt: null,
+  };
+  for (let index = 0; index < argv.length; index += 1) {
+    const arg = argv[index];
+    if (arg === '--sha') {
+      options.sha = argv[index + 1] || null;
+      index += 1;
+      continue;
+    }
+    if (arg === '--output') {
+      options.outputPath = argv[index + 1] || null;
+      index += 1;
+      continue;
+    }
+    if (arg === '--generated-at') {
+      options.generatedAt = argv[index + 1] || null;
+      index += 1;
+      continue;
+    }
+    throw new Error(`Unknown argument: ${arg}`);
+  }
+  return options;
+}
+if (require.main === module) {
+  const { sha, outputPath, generatedAt } = parseArgs(process.argv.slice(2));
+  const result = writeBuildMetadataFile({ sha, outputPath, generatedAt: generatedAt || undefined });
+  process.stdout.write(`${JSON.stringify(result)}\n`);
+}
+module.exports = {
+  DEFAULT_BUILD_METADATA_PATH,
+  resolveBuildMetadata,
+  writeBuildMetadataFile,
+};