thumbgate 0.9.9 → 0.9.11

package/scripts/operational-integrity.js

@@ -0,0 +1,480 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const { execFileSync, spawnSync } = require('child_process');
+
+const DEFAULT_BASE_BRANCH = 'main';
+const DEFAULT_RELEASE_SENSITIVE_GLOBS = [
+  'package.json',
+  'package-lock.json',
+  'server.json',
+  '.github/workflows/ci.yml',
+  '.github/workflows/publish-*.yml',
+  'scripts/publish-decision.js',
+  'scripts/pr-manager.js',
+  'scripts/gates-engine.js',
+  'scripts/tool-registry.js',
+  'src/api/server.js',
+  'adapters/mcp/server-stdio.js',
+  'config/gates/**',
+  'config/mcp-allowlists.json',
+];
+
+function normalizePosix(filePath) {
+  return String(filePath || '')
+    .replace(/\\/g, '/')
+    .replace(/^\.\//, '')
+    .replace(/^\/+/, '')
+    .trim();
+}
+
+function normalizeGlob(glob) {
+  return normalizePosix(glob).replace(/\/+$/, '');
+}
+
+function sanitizeGlobList(globs) {
+  if (!Array.isArray(globs)) return [];
+  return [...new Set(globs.map((glob) => normalizeGlob(glob)).filter(Boolean))];
+}
+
+function globToRegExp(glob) {
+  const normalized = normalizeGlob(glob);
+  let pattern = '^';
+  for (let i = 0; i < normalized.length; i++) {
+    const char = normalized[i];
+    const next = normalized[i + 1];
+    if (char === '*') {
+      if (next === '*') {
+        pattern += '.*';
+        i += 1;
+      } else {
+        pattern += '[^/]*';
+      }
+      continue;
+    }
+    if ('\\^$+?.()|{}[]'.includes(char)) {
+      pattern += `\\${char}`;
+      continue;
+    }
+    pattern += char;
+  }
+  pattern += '$';
+  return new RegExp(pattern);
+}
+
+function matchesAnyGlob(filePath, globs) {
+  const normalized = sanitizeGlobList(globs);
+  if (!filePath || normalized.length === 0) return false;
+  return normalized.some((glob) => {
+    try {
+      return globToRegExp(glob).test(normalizePosix(filePath));
+    } catch {
+      return false;
+    }
+  });
+}
+
+function runGit(repoPath, args) {
+  return execFileSync('git', args, {
+    cwd: repoPath,
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'ignore'],
+  }).trim();
+}
+
+function tryRunGit(repoPath, args) {
+  try {
+    return runGit(repoPath, args);
+  } catch {
+    return '';
+  }
+}
+
+function resolveRepoRoot(repoPath = process.cwd()) {
+  try {
+    return runGit(repoPath, ['rev-parse', '--show-toplevel']);
+  } catch {
+    return null;
+  }
+}
+
+function gitRefExists(repoPath, ref) {
+  if (!repoPath || !ref) return false;
+  try {
+    execFileSync('git', ['rev-parse', '--verify', ref], {
+      cwd: repoPath,
+      stdio: 'ignore',
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function isSafeBranchName(branchName) {
+  const normalized = String(branchName || '').trim();
+  if (!normalized) return false;
+  if (normalized.startsWith('-')) return false;
+  if (!/^[A-Za-z0-9._/-]+$/.test(normalized)) return false;
+  if (normalized.includes('..') || normalized.includes('//') || normalized.includes('@{')) return false;
+  if (normalized.endsWith('.') || normalized.endsWith('/')) return false;
+  return true;
+}
+
+function fetchBaseBranch(repoPath, baseBranch) {
+  if (!repoPath || !isSafeBranchName(baseBranch)) return false;
+  // Fetch the remote tracking refs without passing user-controlled branch names to git.
+  const result = spawnSync('git', ['fetch', '--no-tags', '--depth=64', 'origin'], {
+    cwd: repoPath,
+    encoding: 'utf8',
+  });
+  return result.status === 0;
+}
+
+function resolveBaseRef(repoPath, baseBranch = DEFAULT_BASE_BRANCH, { fetchIfMissing = false } = {}) {
+  if (!isSafeBranchName(baseBranch)) return null;
+  const remoteRef = `refs/remotes/origin/${baseBranch}`;
+  if (gitRefExists(repoPath, remoteRef)) {
+    return `origin/${baseBranch}`;
+  }
+  if (fetchIfMissing) {
+    fetchBaseBranch(repoPath, baseBranch);
+    if (gitRefExists(repoPath, remoteRef)) {
+      return `origin/${baseBranch}`;
+    }
+  }
+  if (gitRefExists(repoPath, baseBranch)) {
+    return baseBranch;
+  }
+  return null;
+}
+
+function getCurrentBranch(repoPath) {
+  return tryRunGit(repoPath, ['rev-parse', '--abbrev-ref', 'HEAD']) || null;
+}
+
+function getHeadSha(repoPath) {
+  return tryRunGit(repoPath, ['rev-parse', 'HEAD']) || null;
+}
+
+function readPackageVersion(repoPath, ref = 'HEAD') {
+  try {
+    let raw;
+    if (ref === 'HEAD') {
+      raw = fs.readFileSync(path.join(repoPath, 'package.json'), 'utf8');
+    } else {
+      raw = runGit(repoPath, ['show', `${ref}:package.json`]);
+    }
+    return JSON.parse(raw).version || null;
+  } catch {
+    return null;
+  }
+}
+
+function parseSemver(version) {
+  const match = String(version || '').trim().match(/^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/);
+  if (!match) return null;
+  return match.slice(1).map((part) => Number(part));
+}
+
+function compareSemver(left, right) {
+  const a = parseSemver(left);
+  const b = parseSemver(right);
+  if (!a || !b) return null;
+  for (let i = 0; i < 3; i += 1) {
+    if (a[i] > b[i]) return 1;
+    if (a[i] < b[i]) return -1;
+  }
+  return 0;
+}
+
+function listChangedFilesAgainstBase(repoPath, baseBranch = DEFAULT_BASE_BRANCH, { fetchIfMissing = false } = {}) {
+  const baseRef = resolveBaseRef(repoPath, baseBranch, { fetchIfMissing });
+  if (!baseRef) return [];
+  const diff = tryRunGit(repoPath, ['diff', '--name-only', `${baseRef}...HEAD`]);
+  return diff.split('\n').map((line) => normalizePosix(line)).filter(Boolean);
+}
+
+function findReleaseSensitiveFiles(files, globs = DEFAULT_RELEASE_SENSITIVE_GLOBS) {
+  return (Array.isArray(files) ? files : []).filter((filePath) => matchesAnyGlob(filePath, globs));
+}
+
+function isHeadReachableFrom(repoPath, ref, commit = 'HEAD') {
+  if (!repoPath || !ref) return false;
+  const result = spawnSync('git', ['merge-base', '--is-ancestor', commit, ref], {
+    cwd: repoPath,
+    encoding: 'utf8',
+  });
+  return result.status === 0;
+}
+
+function runGh(args) {
+  return spawnSync('gh', args, {
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+  });
+}
+
+function findOpenPrForBranch({ branchName, runner = runGh } = {}) {
+  const normalizedBranch = String(branchName || '').trim();
+  if (!normalizedBranch) return null;
+  if (!process.env.GH_TOKEN && !process.env.GITHUB_TOKEN) {
+    return null;
+  }
+  const result = runner(['pr', 'list', '--head', normalizedBranch, '--state', 'open', '--json', 'number,state,isDraft,url']);
+  if (!result || result.status !== 0) {
+    return null;
+  }
+  try {
+    const prs = JSON.parse(result.stdout || '[]');
+    return Array.isArray(prs) && prs.length > 0 ? prs[0] : null;
+  } catch {
+    return null;
+  }
+}
+
+function classifyCommand(command) {
+  const text = String(command || '').trim();
+  return {
+    text,
+    isPrCreate: /\bgh\s+pr\s+create\b/i.test(text),
+    isPrMerge: /\bgh\s+pr\s+merge\b/i.test(text),
+    isPublish: /\b(?:npm|yarn|pnpm)\s+publish\b/i.test(text),
+    isReleaseCreate: /\bgh\s+release\s+create\b/i.test(text),
+    isTagCreate: /\bgit\s+tag\b/i.test(text),
+  };
+}
+
+function buildBlocker(code, message, extra = {}) {
+  return { code, message, ...extra };
+}
+
+function evaluateOperationalIntegrity(options = {}) {
+  const repoRoot = options.repoPath ? resolveRepoRoot(options.repoPath) : resolveRepoRoot(process.cwd());
+  const baseBranch = String(options.baseBranch || DEFAULT_BASE_BRANCH).trim() || DEFAULT_BASE_BRANCH;
+  const currentBranch = String(options.currentBranch || (repoRoot ? getCurrentBranch(repoRoot) : '')).trim() || null;
+  const baseRef = repoRoot ? resolveBaseRef(repoRoot, baseBranch, { fetchIfMissing: options.fetchBase === true }) : null;
+  const changedFiles = Array.isArray(options.changedFiles)
+    ? options.changedFiles.map((filePath) => normalizePosix(filePath)).filter(Boolean)
+    : (repoRoot ? listChangedFilesAgainstBase(repoRoot, baseBranch, { fetchIfMissing: options.fetchBase === true }) : []);
+  const releaseSensitiveGlobs = sanitizeGlobList(options.releaseSensitiveGlobs || DEFAULT_RELEASE_SENSITIVE_GLOBS);
+  const releaseSensitiveFiles = findReleaseSensitiveFiles(changedFiles, releaseSensitiveGlobs);
+  const packageVersion = options.packageVersion !== undefined
+    ? options.packageVersion
+    : (repoRoot ? readPackageVersion(repoRoot, 'HEAD') : null);
+  const baseVersion = options.baseVersion !== undefined
+    ? options.baseVersion
+    : (repoRoot && baseRef ? readPackageVersion(repoRoot, baseRef) : null);
+  const versionComparison = packageVersion && baseVersion ? compareSemver(packageVersion, baseVersion) : null;
+  const headSha = options.headSha || (repoRoot ? getHeadSha(repoRoot) : null);
+  const headOnBase = options.headOnBase !== undefined
+    ? options.headOnBase
+    : Boolean(repoRoot && baseRef && headSha && isHeadReachableFrom(repoRoot, baseRef, headSha));
+  const branchGovernance = options.branchGovernance && typeof options.branchGovernance === 'object'
+    ? options.branchGovernance
+    : null;
+  const openPr = options.openPr !== undefined
+    ? options.openPr
+    : findOpenPrForBranch({ branchName: currentBranch, runner: options.ghRunner || runGh });
+  const commandInfo = classifyCommand(options.command || '');
+  const blockers = [];
+
+  const requiresGovernance = commandInfo.isPrCreate || commandInfo.isPrMerge || commandInfo.isPublish || commandInfo.isReleaseCreate || commandInfo.isTagCreate;
+  const isPublishLike = commandInfo.isPublish || commandInfo.isReleaseCreate || commandInfo.isTagCreate;
+
+  if (requiresGovernance && !branchGovernance) {
+    blockers.push(buildBlocker(
+      'missing_branch_governance',
+      'PR, merge, release, and publish actions require explicit branch governance.'
+    ));
+  }
+
+  if (branchGovernance && branchGovernance.localOnly === true && requiresGovernance) {
+    blockers.push(buildBlocker(
+      'local_only_branch',
+      'This task is marked local-only. PR, merge, release, and publish actions are blocked.'
+    ));
+  }
+
+  if (commandInfo.isPrMerge && /--admin\b/i.test(commandInfo.text)) {
+    blockers.push(buildBlocker(
+      'admin_merge_bypass_forbidden',
+      'Admin merge bypass is blocked. Use the normal protected-branch flow or merge queue.'
+    ));
+  }
+
+  if (commandInfo.isPrMerge && branchGovernance && !branchGovernance.prNumber && !branchGovernance.prUrl) {
+    blockers.push(buildBlocker(
+      'merge_requires_pr_context',
+      'Merging requires explicit PR context (prNumber or prUrl) in branch governance.'
+    ));
+  }
+
+  if (isPublishLike) {
+    if (!branchGovernance || !branchGovernance.releaseVersion) {
+      blockers.push(buildBlocker(
+        'missing_release_version',
+        'Release and publish actions require an explicit releaseVersion in branch governance.'
+      ));
+    } else if (packageVersion && branchGovernance.releaseVersion !== packageVersion) {
+      blockers.push(buildBlocker(
+        'release_version_mismatch',
+        `Branch governance expects release version ${branchGovernance.releaseVersion}, but package.json is ${packageVersion}.`
+      ));
+    }
+
+    if (currentBranch && currentBranch !== baseBranch) {
+      blockers.push(buildBlocker(
+        'publish_requires_base_branch',
+        `Release and publish actions must run from ${baseBranch}, not ${currentBranch}.`
+      ));
+    }
+
+    if (!headOnBase) {
+      blockers.push(buildBlocker(
+        'publish_requires_mainline_head',
+        `Current HEAD is not reachable from ${baseBranch}. Release and publish actions require a mainline commit.`
+      ));
+    }
+  }
+
+  if (options.requirePrForReleaseSensitive && releaseSensitiveFiles.length > 0 && currentBranch && currentBranch !== baseBranch && !openPr) {
+    blockers.push(buildBlocker(
+      'release_sensitive_changes_require_pr',
+      `Release-sensitive changes on ${currentBranch} require an open pull request before continuing.`,
+      { releaseSensitiveFiles }
+    ));
+  }
+
+  if (options.requireVersionNotBehindBase && releaseSensitiveFiles.length > 0 && versionComparison !== null && versionComparison < 0) {
+    blockers.push(buildBlocker(
+      'version_behind_base',
+      `package.json version ${packageVersion} is behind ${baseBranch} version ${baseVersion} while release-sensitive files changed.`,
+      { packageVersion, baseVersion }
+    ));
+  }
+
+  return {
+    ok: blockers.length === 0,
+    repoRoot,
+    baseBranch,
+    baseRef,
+    currentBranch,
+    headSha,
+    headOnBase,
+    changedFiles,
+    releaseSensitiveFiles,
+    packageVersion,
+    baseVersion,
+    versionComparison,
+    branchGovernance,
+    openPr,
+    blockers,
+    commandInfo,
+  };
+}
+
+function parseCliArgs(argv = process.argv.slice(2)) {
+  const options = {
+    json: false,
+    ci: false,
+    fetchBase: false,
+    requirePrForReleaseSensitive: false,
+    requireVersionNotBehindBase: false,
+    repoPath: process.cwd(),
+    baseBranch: DEFAULT_BASE_BRANCH,
+  };
+
+  for (let i = 0; i < argv.length; i += 1) {
+    const arg = argv[i];
+    if (arg === '--json') {
+      options.json = true;
+    } else if (arg === '--ci') {
+      options.ci = true;
+      options.fetchBase = true;
+      options.requirePrForReleaseSensitive = true;
+      options.requireVersionNotBehindBase = true;
+    } else if (arg === '--fetch-base') {
+      options.fetchBase = true;
+    } else if (arg === '--require-pr-for-release-sensitive') {
+      options.requirePrForReleaseSensitive = true;
+    } else if (arg === '--require-version-not-behind-base') {
+      options.requireVersionNotBehindBase = true;
+    } else if (arg === '--repo-path' && argv[i + 1]) {
+      options.repoPath = argv[i + 1];
+      i += 1;
+    } else if (arg === '--base-branch' && argv[i + 1]) {
+      options.baseBranch = argv[i + 1];
+      i += 1;
+    }
+  }
+
+  return options;
+}
+
+function runCli(env = process.env, argv = process.argv.slice(2)) {
+  const args = parseCliArgs(argv);
+  const result = evaluateOperationalIntegrity({
+    repoPath: args.repoPath,
+    baseBranch: args.baseBranch || env.DEFAULT_BRANCH || DEFAULT_BASE_BRANCH,
+    currentBranch: env.GITHUB_REF_NAME || undefined,
+    requirePrForReleaseSensitive: args.requirePrForReleaseSensitive,
+    requireVersionNotBehindBase: args.requireVersionNotBehindBase,
+    fetchBase: args.fetchBase,
+  });
+
+  const lines = [];
+  lines.push(`Operational integrity: ${result.ok ? 'ok' : 'blocked'}`);
+  lines.push(`Base branch: ${result.baseBranch}`);
+  lines.push(`Current branch: ${result.currentBranch || 'unknown'}`);
+  if (result.packageVersion) {
+    lines.push(`package.json version: ${result.packageVersion}`);
+  }
+  if (result.baseVersion) {
+    lines.push(`${result.baseBranch} version: ${result.baseVersion}`);
+  }
+  if (result.releaseSensitiveFiles.length > 0) {
+    lines.push(`Release-sensitive files: ${result.releaseSensitiveFiles.join(', ')}`);
+  }
+  if (result.openPr && result.openPr.number) {
+    lines.push(`Open PR: #${result.openPr.number}${result.openPr.url ? ` ${result.openPr.url}` : ''}`);
+  }
+  for (const blocker of result.blockers) {
+    lines.push(`BLOCKER ${blocker.code}: ${blocker.message}`);
+  }
+
+  if (args.json) {
+    console.log(JSON.stringify(result, null, 2));
+  } else {
+    console.log(lines.join('\n'));
+  }
+
+  return result.ok ? 0 : 1;
+}
+
+if (require.main === module) {
+  process.exitCode = runCli();
+}
+
+module.exports = {
+  DEFAULT_BASE_BRANCH,
+  DEFAULT_RELEASE_SENSITIVE_GLOBS,
+  classifyCommand,
+  compareSemver,
+  evaluateOperationalIntegrity,
+  findOpenPrForBranch,
+  findReleaseSensitiveFiles,
+  getCurrentBranch,
+  isSafeBranchName,
+  listChangedFilesAgainstBase,
+  normalizeGlob,
+  normalizePosix,
+  parseSemver,
+  readPackageVersion,
+  resolveBaseRef,
+  resolveRepoRoot,
+  runCli,
+  sanitizeGlobList,
+};

package/scripts/optimize-context.js

@@ -2,7 +2,7 @@
 const fs = require('fs');
 const path = require('path');
 const CLAUDE_MD_PATH = path.join(process.cwd(), 'CLAUDE.md');
-const THUMBGATE_DIR = path.join(process.cwd(), '.rlhf');
+const THUMBGATE_DIR = path.join(process.cwd(), '.thumbgate');
 const RULES_PATH = path.join(THUMBGATE_DIR, 'prevention-rules.md');
 function optimize() {
   console.log('🚀 [Context Optimizer] Starting CLAUDE.md migration...');

package/scripts/perplexity-marketing.js

@@ -98,7 +98,7 @@ I built "${PRODUCT.name}" — ${PRODUCT.tagline}
 Research and provide:
 1. **Competitor Analysis**: What similar tools exist? (LangSmith, Weights & Biases, custom ThumbGate pipelines, etc.) What do they charge? What gaps does my tool fill?
 2. **Target Buyer Personas**: Who would pay $19/mo or $149/yr for a Pro plan with curated ThumbGate configs? (AI engineers, dev tool builders, agent framework users)
-3. **Distribution Channels**: Specific subreddits, Discord servers, Slack communities, newsletters, and forums where MCP/RLHF tool buyers hang out. Include URLs.
+3. **Distribution Channels**: Specific subreddits, Discord servers, Slack communities, newsletters, and forums where MCP and AI agent reliability tool buyers hang out. Include URLs.
 4. **SEO/GEO Keywords**: High-intent search terms people use when looking for this type of tool
 5. **Launch Strategy**: Specific steps to get first 10 paying customers this week
 6. **Pricing Validation**: Is $19/mo or $149/yr right for a Pro plan? What would similar tools charge?

package/scripts/post-everywhere.js

@@ -136,17 +136,9 @@ async function postToReddit(parsed, dryRun) {
   const reddit = getPublisher('reddit');
   const postData = await reddit.publishToReddit({ subreddit, title, text: body });
 
-  // Post the follow-up comment if we have one and got a post ID
+  // Reddit follow-up comments are manual-review only.
   if (comment && postData.name) {
-    console.log('[post-everywhere] Posting follow-up comment...');
-    const token = await reddit.getRedditToken(
-      process.env.REDDIT_CLIENT_ID,
-      process.env.REDDIT_CLIENT_SECRET,
-      process.env.REDDIT_USERNAME,
-      process.env.REDDIT_PASSWORD
-    );
-    const userAgent = process.env.REDDIT_USER_AGENT || `thumbgate/1.0 by ${process.env.REDDIT_USERNAME}`;
-    await reddit.submitComment(token, userAgent, { parentId: postData.name, text: comment });
+    console.log('[post-everywhere] Reddit follow-up comment skipped; manual review required');
   }
 
   return postData;
@@ -216,8 +208,11 @@ async function postEverywhere(filePath, { platforms, dryRun } = {}) {
   }
   console.log('[post-everywhere] Quality gate: PASSED');
 
-  // Determine which platforms to post to
-  const targetPlatforms = platforms || (parsed.platform ? [parsed.platform] : Object.keys(DISPATCHERS));
+  // Determine which platforms to post to.
+  // Default excludes devto — high-volume Dev.to posting is counterproductive (0 engagement on 427 posts).
+  // Use --platforms=devto explicitly for monthly cross-posts only.
+  const DEFAULT_PLATFORMS = ['reddit', 'x', 'linkedin'];
+  const targetPlatforms = platforms || (parsed.platform ? [parsed.platform] : DEFAULT_PLATFORMS);
 
   // Preserve original body/comment so each platform gets a fresh UTM tag
   const originalBody = parsed.body;

package/scripts/post-to-x.js

@@ -9,7 +9,7 @@
  * CLI usage:
  *   node scripts/post-to-x.js "Your tweet text here"
  *   node scripts/post-to-x.js --thread
- *   node scripts/post-to-x.js --search "MCP memory gateway"
+ *   node scripts/post-to-x.js --search "ThumbGate"
  *   node scripts/post-to-x.js --reply <tweetId> "Reply text"
  *   node scripts/post-to-x.js --dry-run "Preview this tweet"
  *   node scripts/post-to-x.js --dry-run --thread

package/scripts/pr-manager.js

@@ -165,11 +165,9 @@ async function resolveBlockers(pr, runner = runGh) {
   }
 
   // 5. Ready to Merge
-  if (pr.mergeStateStatus === 'CLEAN' || pr.mergeStateStatus === 'BLOCKED' /* admin bypass potential */) {
-    if (pr.mergeable === 'MERGEABLE') {
-      console.log('[PR Manager] SUCCESS: PR is ready for autonomous merge.');
-      return { status: 'ready' };
-    }
+  if (pr.mergeStateStatus === 'CLEAN' && pr.mergeable === 'MERGEABLE') {
+    console.log('[PR Manager] SUCCESS: PR is ready for protected autonomous merge.');
+    return { status: 'ready' };
   }
 
   return { status: 'pending', reason: 'unknown_state' };
@@ -179,14 +177,17 @@ async function resolveBlockers(pr, runner = runGh) {
  * Perform autonomous merge
  */
 function performMerge(prNumber, runner = runGh) {
-  console.log(`[PR Manager] Initiating squash merge for PR #${prNumber}...`);
-  const result = runner(['pr', 'merge', prNumber.toString(), '--squash', '--delete-branch', '--admin']);
+  const args = ['pr', 'merge', prNumber.toString(), '--squash', '--delete-branch', '--auto'];
+  console.log(`[PR Manager] Initiating protected squash merge for PR #${prNumber}...`);
+  const result = runner(args);
   if (result.status === 0) {
-    console.log(`[PR Manager] Merged PR #${prNumber} successfully.`);
-    return true;
+    const output = `${result.stdout || ''}\n${result.stderr || ''}`;
+    const mode = /merge queue|queued|auto-merge/i.test(output) ? 'queued_or_auto' : 'merged';
+    console.log(`[PR Manager] Merge accepted for PR #${prNumber} (${mode}).`);
+    return { ok: true, mode, args };
   } else {
     console.error(`[PR Manager] Merge failed: ${formatGhError(result)}`);
-    return false;
+    return { ok: false, mode: 'failed', args, error: formatGhError(result) };
   }
 }
 
@@ -202,7 +203,9 @@ async function managePrs(prNumber = '', runner = runGh) {
   for (const pr of prs) {
     const outcome = await resolveBlockers(pr, runner);
     if (outcome.status === 'ready') {
-      outcome.merged = performMerge(pr.number, runner);
+      const mergeResult = performMerge(pr.number, runner);
+      outcome.mergeRequested = mergeResult.ok;
+      outcome.mergeMode = mergeResult.mode;
     }
 
     results.push({

package/scripts/problem-detail.js

@@ -6,16 +6,16 @@
  */
 
 const PROBLEM_TYPES = {
-  RATE_LIMIT: 'urn:rlhf:error:rate-limit-exceeded',
-  UNAUTHORIZED: 'urn:rlhf:error:unauthorized',
-  FORBIDDEN: 'urn:rlhf:error:forbidden',
-  NOT_FOUND: 'urn:rlhf:error:not-found',
-  BAD_REQUEST: 'urn:rlhf:error:bad-request',
-  INVALID_JSON: 'urn:rlhf:error:invalid-json',
-  PAYMENT_REQUIRED: 'urn:rlhf:error:payment-required',
-  INTERNAL: 'urn:rlhf:error:internal-server-error',
-  WEBHOOK_INVALID: 'urn:rlhf:error:webhook-invalid-signature',
-  SERVICE_UNAVAILABLE: 'urn:rlhf:error:service-unavailable',
+  RATE_LIMIT: 'urn:thumbgate:error:rate-limit-exceeded',
+  UNAUTHORIZED: 'urn:thumbgate:error:unauthorized',
+  FORBIDDEN: 'urn:thumbgate:error:forbidden',
+  NOT_FOUND: 'urn:thumbgate:error:not-found',
+  BAD_REQUEST: 'urn:thumbgate:error:bad-request',
+  INVALID_JSON: 'urn:thumbgate:error:invalid-json',
+  PAYMENT_REQUIRED: 'urn:thumbgate:error:payment-required',
+  INTERNAL: 'urn:thumbgate:error:internal-server-error',
+  WEBHOOK_INVALID: 'urn:thumbgate:error:webhook-invalid-signature',
+  SERVICE_UNAVAILABLE: 'urn:thumbgate:error:service-unavailable',
 };
 
 /**

package/scripts/profile-router.js

@@ -183,6 +183,8 @@ function routePrivacy(params = {}) {
     'capture_feedback',
     'export_dpo_pairs',
     'export_databricks_bundle',
+    'set_task_scope',
+    'approve_protected_action',
     'track_action',
     'verify_claim',
     'register_claim_gate',

package/scripts/prompt-dlp.js

@@ -97,6 +97,7 @@ const KNOWN_GATED_TOOLS = new Set([
   'Bash', 'Edit', 'Write', 'Read', 'Glob', 'Grep',
   'capture_feedback', 'recall', 'search_lessons', 'prevention_rules',
   'feedback_stats', 'construct_context_pack', 'evaluate_context_pack',
+  'set_task_scope', 'get_scope_state', 'approve_protected_action',
 ]);
 
 const SHADOW_LOG_FILE = 'shadow-actions.jsonl';