thumbgate 0.9.10

package/scripts/pii-scanner.js

@@ -0,0 +1,153 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * PII Scanner — LogSentinel-inspired PII detection for ThumbGate.
+ *
+ * Scans feedback content, context packs, and DPO exports for PII patterns.
+ * Applies hierarchical sensitivity labels. Redacts or rejects as configured.
+ * Builds on secret-scanner.js patterns + adds PII-specific detectors.
+ */
+
+const { SECRET_PATTERNS, redactText: redactSecrets } = require('./secret-scanner');
+
+// PII patterns beyond secrets — emails, phone numbers, SSNs, card numbers, IP addresses
+const PII_PATTERNS = [
+  { id: 'email', label: 'Email address', regex: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g, sensitivity: 'sensitive' },
+  { id: 'phone_us', label: 'US phone number', regex: /\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b/g, sensitivity: 'sensitive' },
+  { id: 'ssn', label: 'Social Security Number', regex: /\b\d{3}[-.\s]?\d{2}[-.\s]?\d{4}\b/g, sensitivity: 'restricted' },
+  { id: 'credit_card', label: 'Credit card number', regex: /\b(?:4\d{3}|5[1-5]\d{2}|3[47]\d{2}|6(?:011|5\d{2}))[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b/g, sensitivity: 'restricted' },
+  { id: 'ip_address', label: 'IP address', regex: /\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b/g, sensitivity: 'internal' },
+  { id: 'aws_account', label: 'AWS account ID', regex: /\b\d{12}\b/g, sensitivity: 'internal' },
+];
+
+const SENSITIVITY_LEVELS = ['public', 'internal', 'sensitive', 'restricted'];
+
+function sensitivityRank(level) {
+  const idx = SENSITIVITY_LEVELS.indexOf(level);
+  return idx >= 0 ? idx : 0;
+}
+
+/**
+ * Scan text for PII and return findings with sensitivity labels.
+ */
+function scanForPii(text) {
+  if (!text) return { findings: [], highestSensitivity: 'public', hasPii: false };
+  const str = String(text);
+  const findings = [];
+  let highest = 'public';
+
+  for (const pattern of PII_PATTERNS) {
+    // Reset regex lastIndex for global patterns
+    pattern.regex.lastIndex = 0;
+    const matches = str.match(pattern.regex);
+    if (matches && matches.length > 0) {
+      findings.push({
+        id: pattern.id,
+        label: pattern.label,
+        sensitivity: pattern.sensitivity,
+        matchCount: matches.length,
+        sample: matches[0].slice(0, 4) + '***',
+      });
+      if (sensitivityRank(pattern.sensitivity) > sensitivityRank(highest)) {
+        highest = pattern.sensitivity;
+      }
+    }
+  }
+
+  return { findings, highestSensitivity: highest, hasPii: findings.length > 0 };
+}
+
+/**
+ * Redact PII from text. Returns redacted string.
+ */
+function redactPii(text) {
+  if (!text) return '';
+  let redacted = String(text);
+  // First redact secrets (API keys, tokens)
+  redacted = redactSecrets(redacted);
+  // Then redact PII
+  for (const pattern of PII_PATTERNS) {
+    pattern.regex.lastIndex = 0;
+    redacted = redacted.replace(pattern.regex, `[REDACTED:${pattern.id}]`);
+  }
+  return redacted;
+}
+
+/**
+ * Assign a sensitivity label to a feedback entry based on content scan.
+ * Returns: { sensitivity, findings, redactedContent }
+ */
+function classifyFeedback(feedbackEntry) {
+  const content = [
+    feedbackEntry.context || '',
+    feedbackEntry.whatWentWrong || '',
+    feedbackEntry.whatToChange || '',
+    feedbackEntry.whatWorked || '',
+  ].join('\n');
+
+  const scan = scanForPii(content);
+
+  return {
+    sensitivity: scan.highestSensitivity,
+    findings: scan.findings,
+    hasPii: scan.hasPii,
+    redactedContent: scan.hasPii ? redactPii(content) : content,
+    originalContentHash: require('crypto').createHash('sha256').update(content).digest('hex').slice(0, 16),
+  };
+}
+
+/**
+ * Scan a DPO pair for PII. Returns scan result with pass/fail.
+ */
+function scanDpoPair(pair) {
+  const chosen = scanForPii(pair.chosen || '');
+  const rejected = scanForPii(pair.rejected || '');
+  const prompt = scanForPii(pair.prompt || '');
+  const allFindings = [...prompt.findings, ...chosen.findings, ...rejected.findings];
+  const highest = SENSITIVITY_LEVELS[Math.max(
+    sensitivityRank(prompt.highestSensitivity),
+    sensitivityRank(chosen.highestSensitivity),
+    sensitivityRank(rejected.highestSensitivity),
+  )];
+
+  return {
+    hasPii: allFindings.length > 0,
+    highestSensitivity: highest,
+    findings: allFindings,
+    safe: sensitivityRank(highest) < sensitivityRank('sensitive'),
+  };
+}
+
+/**
+ * Gate a DPO export: filter out pairs containing PII above threshold.
+ * Returns { safePairs, blockedPairs, blockedCount, totalScanned }.
+ */
+function gateDpoExport(pairs, { maxSensitivity = 'internal' } = {}) {
+  const maxRank = sensitivityRank(maxSensitivity);
+  const safePairs = [];
+  const blockedPairs = [];
+
+  for (const pair of pairs) {
+    const scan = scanDpoPair(pair);
+    if (sensitivityRank(scan.highestSensitivity) <= maxRank) {
+      safePairs.push(pair);
+    } else {
+      blockedPairs.push({ pair, scan });
+    }
+  }
+
+  return {
+    safePairs,
+    blockedPairs,
+    blockedCount: blockedPairs.length,
+    totalScanned: pairs.length,
+    passRate: pairs.length > 0 ? Math.round((safePairs.length / pairs.length) * 1000) / 10 : 100,
+  };
+}
+
+module.exports = {
+  PII_PATTERNS, SENSITIVITY_LEVELS,
+  scanForPii, redactPii, classifyFeedback,
+  scanDpoPair, gateDpoExport, sensitivityRank,
+};

package/scripts/plan-gate.js

@@ -0,0 +1,154 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+// ---------------------------------------------------------------------------
+// Gate validators
+// ---------------------------------------------------------------------------
+
+function countTableRows(content, sectionHeading) {
+  const sectionRegex = new RegExp(
+    `#+\\s*${sectionHeading}[^\\n]*\\n([\\s\\S]*?)(?=\\n#+\\s|$)`,
+  );
+  const match = content.match(sectionRegex);
+  if (!match) return 0;
+
+  const lines = match[1].split('\n').filter((l) => l.trim().startsWith('|'));
+  // Subtract header row and separator row
+  const dataRows = lines.filter(
+    (l) => !/^\|\s*-+/.test(l.trim()) && !/^\|\s*:?-+/.test(l.trim()),
+  );
+  // First row is the header
+  return Math.max(0, dataRows.length - 1);
+}
+
+function countContracts(content) {
+  const sectionRegex = /#+\s*Contracts[^\n]*\n([\s\S]*?)(?=\n#+\s|$)/;
+  const match = content.match(sectionRegex);
+  if (!match) return 0;
+
+  const section = match[1];
+  // Find code blocks and look for interface/type keywords inside them
+  const codeBlockRegex = /```[\s\S]*?```/g;
+  let count = 0;
+  let blockMatch;
+  while ((blockMatch = codeBlockRegex.exec(section)) !== null) {
+    const block = blockMatch[0];
+    const interfaceMatches = block.match(/\b(interface|type)\s+\w+/g);
+    if (interfaceMatches) count += interfaceMatches.length;
+  }
+  return count;
+}
+
+function countValidationScenarios(content) {
+  const sectionRegex =
+    /#+\s*Validation\s+Checklist[^\n]*\n([\s\S]*?)(?=\n#+\s|$)/;
+  const match = content.match(sectionRegex);
+  if (!match) return 0;
+
+  const lines = match[1].split('\n');
+  return lines.filter((l) => /^\s*-\s*\[\s*\]/.test(l)).length;
+}
+
+function getStatus(content) {
+  const match = content.match(/#+\s*Status[^\n]*\n\s*(\S+)/);
+  return match ? match[1].trim() : null;
+}
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+function validatePlan(content) {
+  const questionCount = countTableRows(content, 'Clarifying Questions Resolved');
+  const contractCount = countContracts(content);
+  const scenarioCount = countValidationScenarios(content);
+  const status = getStatus(content);
+
+  const gates = [
+    {
+      name: 'Clarifying Questions',
+      pass: questionCount >= 3,
+      detail: `${questionCount} questions resolved`,
+    },
+    {
+      name: 'Contracts Defined',
+      pass: contractCount >= 1,
+      detail: `${contractCount} interface${contractCount !== 1 ? 's' : ''} found`,
+    },
+    {
+      name: 'Validation Checklist',
+      pass: scenarioCount >= 2,
+      detail: `${scenarioCount} scenarios defined`,
+    },
+    {
+      name: 'Status',
+      pass: status !== 'COMPLETE',
+      detail:
+        status === 'COMPLETE'
+          ? 'COMPLETE (already finished — cannot re-approve)'
+          : `${status || 'UNKNOWN'} (not COMPLETE)`,
+    },
+  ];
+
+  const allPass = gates.every((g) => g.pass);
+  return { gates, allPass };
+}
+
+function formatReport(result) {
+  const lines = result.gates.map(
+    (g) => `${g.pass ? '✅' : '❌'} ${g.name}: ${g.detail}`,
+  );
+  lines.push('');
+  lines.push(
+    result.allPass
+      ? 'RESULT: PASS — all gates satisfied'
+      : 'RESULT: BLOCKED — resolve issues above before spawning agents',
+  );
+  return lines.join('\n');
+}
+
+function run() {
+  const args = process.argv.slice(2);
+  const jsonFlag = args.includes('--json');
+  const filePath = args.find((a) => a !== '--json');
+
+  if (!filePath) {
+    console.error('Usage: node scripts/plan-gate.js <plan-file.md> [--json]');
+    process.exit(1);
+  }
+
+  const resolved = path.resolve(filePath);
+  if (!fs.existsSync(resolved)) {
+    console.error(`File not found: ${resolved}`);
+    process.exit(1);
+  }
+
+  const content = fs.readFileSync(resolved, 'utf-8');
+  const result = validatePlan(content);
+
+  if (jsonFlag) {
+    console.log(JSON.stringify(result, null, 2));
+  } else {
+    console.log(formatReport(result));
+  }
+
+  process.exit(result.allPass ? 0 : 1);
+}
+
+// Export for testing
+module.exports = {
+  validatePlan,
+  formatReport,
+  countTableRows,
+  countContracts,
+  countValidationScenarios,
+  getStatus,
+};
+
+// Run only when executed directly
+if (require.main === module) {
+  run();
+}

package/scripts/post-everywhere.js

@@ -0,0 +1,308 @@
+'use strict';
+
+/**
+ * post-everywhere.js
+ * Unified CLI to post content to all social platforms from a single markdown post file.
+ *
+ * Usage:
+ *   node scripts/post-everywhere.js docs/marketing/reddit-cursor-post.md
+ *   node scripts/post-everywhere.js docs/marketing/reddit-cursor-post.md --dry-run
+ *   node scripts/post-everywhere.js docs/marketing/reddit-cursor-post.md --platforms=reddit,x,devto
+ *
+ * Post file format (markdown with metadata):
+ *   # Reddit Post: r/cursor
+ *   **Subreddit:** r/cursor
+ *   **Title:** ...
+ *   **Body:** ...
+ *   **Comment (post immediately after):** ...
+ *
+ * The script parses the markdown, extracts platform-specific fields, and dispatches to
+ * the appropriate publisher module.
+ *
+ * Env vars: see individual publisher modules for required credentials per platform.
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { tagUrlsInText } = require('./social-analytics/utm');
+
+// ---------------------------------------------------------------------------
+// Publisher imports (lazy — only loaded when needed)
+// ---------------------------------------------------------------------------
+
+function getPublisher(platform) {
+  const publishers = {
+    reddit: () => require('./social-analytics/publishers/reddit.js'),
+    x: () => require('./post-to-x.js'),
+    linkedin: () => require('./social-analytics/publishers/linkedin.js'),
+    devto: () => require('./social-analytics/publishers/devto.js'),
+    threads: () => require('./social-analytics/publishers/threads.js'),
+    instagram: () => require('./social-analytics/publishers/instagram.js'),
+    tiktok: () => require('./social-analytics/publishers/tiktok.js'),
+    youtube: () => require('./social-analytics/publishers/youtube.js'),
+  };
+  const loader = publishers[platform];
+  if (!loader) throw new Error(`Unknown platform: ${platform}`);
+  return loader();
+}
+
+// ---------------------------------------------------------------------------
+// Markdown parser
+// ---------------------------------------------------------------------------
+
+/**
+ * Parse a marketing post markdown file into structured fields.
+ * Extracts: subreddit, title, body, comment, platform hints.
+ */
+function parsePostFile(filePath) {
+  const raw = fs.readFileSync(filePath, 'utf8');
+  const lines = raw.split('\n');
+
+  const result = {
+    platform: null,
+    subreddit: null,
+    title: null,
+    body: null,
+    comment: null,
+    tags: [],
+  };
+
+  // Detect platform from header
+  const header = lines[0] || '';
+  if (/reddit/i.test(header)) result.platform = 'reddit';
+  else if (/obsidian/i.test(header)) result.platform = 'reddit'; // Obsidian posts go to Reddit
+  else if (/locallama/i.test(header)) result.platform = 'reddit';
+  else if (/programming/i.test(header)) result.platform = 'reddit';
+  else if (/twitter|x\.com/i.test(header)) result.platform = 'x';
+  else if (/linkedin/i.test(header)) result.platform = 'linkedin';
+  else if (/dev\.to/i.test(header)) result.platform = 'devto';
+
+  // Extract subreddit
+  const subLine = lines.find((l) => /^\*\*Subreddit:\*\*/i.test(l.trim()));
+  if (subLine) {
+    const match = subLine.match(/r\/(\w+)/);
+    if (match) result.subreddit = match[1];
+  }
+
+  // Extract title
+  const titleLine = lines.find((l) => /^\*\*Title:\*\*/i.test(l.trim()));
+  if (titleLine) {
+    result.title = titleLine.replace(/^\*\*Title:\*\*\s*/i, '').trim();
+  }
+
+  // Extract body — content between **Body:** and the next **Comment or --- separator
+  const bodyStartIdx = lines.findIndex((l) => /^\*\*Body:\*\*/i.test(l.trim()));
+  if (bodyStartIdx !== -1) {
+    const bodyLines = [];
+    for (let i = bodyStartIdx + 1; i < lines.length; i++) {
+      const line = lines[i];
+      // Stop at comment section or horizontal rule before comment
+      if (/^\*\*Comment/i.test(line.trim())) break;
+      if (line.trim() === '---' && i + 1 < lines.length && /^\*\*Comment/i.test(lines[i + 1].trim())) break;
+      bodyLines.push(line);
+    }
+    result.body = bodyLines.join('\n').trim();
+  }
+
+  // Extract comment
+  const commentStartIdx = lines.findIndex((l) => /^\*\*Comment/i.test(l.trim()));
+  if (commentStartIdx !== -1) {
+    const commentLines = [];
+    for (let i = commentStartIdx + 1; i < lines.length; i++) {
+      commentLines.push(lines[i]);
+    }
+    result.comment = commentLines.join('\n').trim();
+  }
+
+  return result;
+}
+
+// ---------------------------------------------------------------------------
+// Platform dispatchers
+// ---------------------------------------------------------------------------
+
+async function postToReddit(parsed, dryRun) {
+  const { subreddit, title, body, comment } = parsed;
+  if (!subreddit || !title || !body) {
+    throw new Error('Reddit post requires subreddit, title, and body');
+  }
+
+  if (dryRun) {
+    console.log(`[dry-run] Reddit r/${subreddit}: "${title}" (${body.length} chars)`);
+    if (comment) console.log(`[dry-run] Reddit follow-up comment: (${comment.length} chars)`);
+    return { dryRun: true };
+  }
+
+  const reddit = getPublisher('reddit');
+  const postData = await reddit.publishToReddit({ subreddit, title, text: body });
+
+  // Post the follow-up comment if we have one and got a post ID
+  if (comment && postData.name) {
+    console.log('[post-everywhere] Posting follow-up comment...');
+    const token = await reddit.getRedditToken(
+      process.env.REDDIT_CLIENT_ID,
+      process.env.REDDIT_CLIENT_SECRET,
+      process.env.REDDIT_USERNAME,
+      process.env.REDDIT_PASSWORD
+    );
+    const userAgent = process.env.REDDIT_USER_AGENT || `thumbgate/1.0 by ${process.env.REDDIT_USERNAME}`;
+    await reddit.submitComment(token, userAgent, { parentId: postData.name, text: comment });
+  }
+
+  return postData;
+}
+
+async function postToX(parsed, dryRun) {
+  const text = parsed.title ? `${parsed.title}\n\n${(parsed.body || '').slice(0, 240)}` : parsed.body;
+  if (!text) throw new Error('X post requires title or body');
+
+  if (dryRun) {
+    console.log(`[dry-run] X/Twitter: "${text.slice(0, 100)}..." (${text.length} chars)`);
+    return { dryRun: true };
+  }
+
+  const x = getPublisher('x');
+  return x.postTweet(text);
+}
+
+async function postToLinkedIn(parsed, dryRun) {
+  const text = parsed.body || '';
+  if (!text) throw new Error('LinkedIn post requires body');
+
+  if (dryRun) {
+    console.log(`[dry-run] LinkedIn: "${text.slice(0, 100)}..." (${text.length} chars)`);
+    return { dryRun: true };
+  }
+
+  const linkedin = getPublisher('linkedin');
+  return linkedin.publishPost({ text });
+}
+
+async function postToDevTo(parsed, dryRun) {
+  const { title, body } = parsed;
+  if (!title || !body) throw new Error('Dev.to post requires title and body');
+
+  if (dryRun) {
+    console.log(`[dry-run] Dev.to: "${title}" (${body.length} chars)`);
+    return { dryRun: true };
+  }
+
+  const devto = getPublisher('devto');
+  return devto.publishArticle({ title, body_markdown: body, tags: parsed.tags });
+}
+
+// ---------------------------------------------------------------------------
+// Main orchestrator
+// ---------------------------------------------------------------------------
+
+const DISPATCHERS = {
+  reddit: postToReddit,
+  x: postToX,
+  linkedin: postToLinkedIn,
+  devto: postToDevTo,
+};
+
+async function postEverywhere(filePath, { platforms, dryRun } = {}) {
+  const parsed = parsePostFile(filePath);
+  console.log(`[post-everywhere] Parsed: platform=${parsed.platform}, subreddit=${parsed.subreddit}, title="${parsed.title}"`);
+
+  const qualityGate = require('./social-quality-gate');
+  const postText = [parsed.title, parsed.body, parsed.comment].filter(Boolean).join('\n');
+  const gateResult = qualityGate.gatePost(postText);
+  if (!gateResult.allowed) {
+    const reasons = gateResult.findings.map(f => f.reason).join(', ');
+    console.error(`[post-everywhere] BLOCKED by quality gate: ${reasons}`);
+    return { blocked: true, reasons: gateResult.findings };
+  }
+  console.log('[post-everywhere] Quality gate: PASSED');
+
+  // Determine which platforms to post to
+  const targetPlatforms = platforms || (parsed.platform ? [parsed.platform] : Object.keys(DISPATCHERS));
+
+  // Preserve original body/comment so each platform gets a fresh UTM tag
+  const originalBody = parsed.body;
+  const originalComment = parsed.comment;
+
+  // Tag trackable URLs with per-platform UTM parameters before dispatching
+  const results = {};
+  for (const platform of targetPlatforms) {
+    const utmOpts = { source: platform, medium: 'social', campaign: 'organic' };
+    parsed.body = originalBody ? tagUrlsInText(originalBody, utmOpts) : originalBody;
+    parsed.comment = originalComment ? tagUrlsInText(originalComment, utmOpts) : originalComment;
+
+    const dispatcher = DISPATCHERS[platform];
+    if (!dispatcher) {
+      console.warn(`[post-everywhere] No dispatcher for platform: ${platform}, skipping`);
+      continue;
+    }
+
+    try {
+      console.log(`\n[post-everywhere] Posting to ${platform}...`);
+      results[platform] = await dispatcher(parsed, dryRun);
+      console.log(`[post-everywhere] ${platform}: OK`);
+    } catch (err) {
+      console.error(`[post-everywhere] ${platform}: FAILED — ${err.message}`);
+      results[platform] = { error: err.message };
+    }
+  }
+
+  return results;
+}
+
+module.exports = { postEverywhere, parsePostFile };
+
+// ---------------------------------------------------------------------------
+// CLI
+// ---------------------------------------------------------------------------
+if (require.main === module) {
+  const args = process.argv.slice(2);
+  const filePath = args.find((a) => !a.startsWith('--'));
+  const dryRun = args.includes('--dry-run');
+
+  function getArg(flag) {
+    const prefix = `${flag}=`;
+    const entry = args.find((a) => a.startsWith(prefix));
+    return entry ? entry.slice(prefix.length) : null;
+  }
+
+  const platformsArg = getArg('--platforms');
+  const platforms = platformsArg ? platformsArg.split(',').map((p) => p.trim()) : null;
+
+  if (!filePath) {
+    console.error('Usage: node scripts/post-everywhere.js <post-file.md> [--dry-run] [--platforms=reddit,x,devto]');
+    process.exit(1);
+  }
+
+  const resolved = path.resolve(filePath);
+  if (!fs.existsSync(resolved)) {
+    console.error(`File not found: ${resolved}`);
+    process.exit(1);
+  }
+
+  // Load .env if available
+  const envPath = path.resolve(__dirname, '..', '.env');
+  if (fs.existsSync(envPath)) {
+    const envContent = fs.readFileSync(envPath, 'utf8');
+    for (const line of envContent.split('\n')) {
+      const trimmed = line.trim();
+      if (!trimmed || trimmed.startsWith('#')) continue;
+      const eqIdx = trimmed.indexOf('=');
+      if (eqIdx > 0) {
+        const key = trimmed.slice(0, eqIdx);
+        const value = trimmed.slice(eqIdx + 1);
+        if (!process.env[key]) process.env[key] = value;
+      }
+    }
+  }
+
+  postEverywhere(resolved, { platforms, dryRun })
+    .then((results) => {
+      console.log('\n[post-everywhere] Results:', JSON.stringify(results, null, 2));
+      const failed = Object.values(results).filter((r) => r.error);
+      if (failed.length > 0) process.exit(1);
+    })
+    .catch((err) => {
+      console.error('[post-everywhere] Fatal:', err.message);
+      process.exit(1);
+    });
+}

package/scripts/post-to-x-retry.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+# Retry posting to X.com until it succeeds (X API v2 has frequent 503s)
+# Usage: source .env && bash scripts/post-to-x-retry.sh
+
+set -euo pipefail
+
+MAX_RETRIES=10
+RETRY_DELAY=30
+
+for i in $(seq 1 $MAX_RETRIES); do
+  echo "Attempt $i/$MAX_RETRIES..."
+  if node scripts/post-to-x.js "$@" 2>&1 | grep -q "Posted tweet"; then
+    echo "✅ Tweet posted successfully!"
+    exit 0
+  fi
+  echo "  Retrying in ${RETRY_DELAY}s..."
+  sleep $RETRY_DELAY
+  RETRY_DELAY=$((RETRY_DELAY * 2))
+done
+
+echo "❌ Failed after $MAX_RETRIES attempts. X API may be down."
+exit 1