thumbgate 0.9.9

package/scripts/history-distiller.js

@@ -0,0 +1,200 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * History Distiller — Self-Healing Brain for ThumbGate (Pro feature).
+ *
+ * When a user gives thumbs-down, this module:
+ * 1. Takes the last N conversation messages (chatHistory)
+ * 2. Identifies the failed tool call and its context
+ * 3. Auto-proposes a lesson: "I noticed X. I've recorded a rule to NEVER do X. Correct?"
+ * 4. Creates a prevention rule if the user confirms
+ *
+ * This closes the gap from "manual guardrail" to "self-healing brain."
+ * Strategic value: justifies Pro $19/mo subscription via outcome-based intelligence.
+ */
+
+const { createLesson, inferFromSurroundingMessages } = require('./lesson-inference');
+const contextfs = require('./contextfs');
+
+// ---------------------------------------------------------------------------
+// Chat History Analysis
+// ---------------------------------------------------------------------------
+
+
+const ANTI_PATTERNS = [
+  { pattern: /\b(?:tailwind|tw-)\b/i, label: 'Tailwind CSS', ruleTemplate: 'NEVER use Tailwind CSS in this project' },
+  { pattern: /(?:force[- ]?push|push\s*--force|--force)\b/i, label: 'force push', ruleTemplate: 'NEVER force-push to any branch' },
+  { pattern: /\b(?:rm\s+-rf|delete\s+all)\b/i, label: 'destructive deletion', ruleTemplate: 'NEVER run destructive delete commands without confirmation' },
+  { pattern: /\bskip\s*(?:test|ci|check)/i, label: 'skipping tests', ruleTemplate: 'NEVER skip tests or CI checks' },
+  { pattern: /\b(?:mock(?:ed|ing)?|stub(?:bed|bing)?)\b.*\b(?:database|db)\b/i, label: 'mocking database', ruleTemplate: 'NEVER mock the database — use real test instances' },
+  { pattern: /\b(?:hardcod|hard[- ]cod)/i, label: 'hardcoded values', ruleTemplate: 'NEVER hardcode secrets, URLs, or configuration values' },
+  { pattern: /\b(?:console\.log|print\s+debug)\b/i, label: 'debug logging', ruleTemplate: 'NEVER leave debug console.log/print statements in production code' },
+  { pattern: /\b(?:any\b.*type|:\s*any\b)/i, label: 'TypeScript any', ruleTemplate: 'NEVER use the `any` type — use proper type annotations' },
+];
+
+/**
+ * Analyze chat history to find the correction pattern.
+ * Looks for: user corrected the agent about something → agent did it again → user gave thumbs down.
+ *
+ * @param {Array} chatHistory - Array of {role, content} messages, most recent last
+ * @param {Object} failedToolCall - The tool call that triggered the thumbs-down
+ * @returns {{ correction, antiPattern, proposedRule, confidence, evidence }}
+ */
+function analyzeChatHistory(chatHistory, failedToolCall = null) {
+  const messages = Array.isArray(chatHistory) ? chatHistory : [];
+  if (messages.length === 0) return { correction: null, antiPattern: null, proposedRule: null, confidence: 0, evidence: [] };
+
+  const evidence = [];
+  let bestAntiPattern = null;
+  let userCorrection = null;
+
+  // Scan for user corrections (messages where user said "don't", "stop", "no", "never", "wrong")
+  const correctionPatterns = [
+    /\b(?:don'?t|do not|stop|never|wrong|no,?\s+(?:that|not|I said))\b/i,
+    /\b(?:I (?:told|said|asked) you|I already|we don'?t)\b/i,
+    /\b(?:should(?:n'?t| not)|must not|not supposed to)\b/i,
+  ];
+
+  for (const msg of messages) {
+    if (msg.role !== 'user') continue;
+    const text = msg.content || msg.text || '';
+    for (const cp of correctionPatterns) {
+      if (cp.test(text)) {
+        userCorrection = text.slice(0, 200);
+        evidence.push({ type: 'user_correction', text: userCorrection });
+        break;
+      }
+    }
+  }
+
+  // Scan assistant messages for anti-patterns
+  const assistantMessages = messages.filter((m) => m.role === 'assistant').map((m) => m.content || m.text || '');
+  const allAssistantText = assistantMessages.join('\n');
+
+  // Also check the failed tool call
+  const toolCallText = failedToolCall
+    ? `${failedToolCall.tool || ''} ${failedToolCall.input || ''} ${failedToolCall.output || ''}`
+    : '';
+  const combinedText = `${allAssistantText}\n${toolCallText}`;
+
+  for (const ap of ANTI_PATTERNS) {
+    if (ap.pattern.test(combinedText)) {
+      bestAntiPattern = ap;
+      evidence.push({ type: 'anti_pattern', label: ap.label });
+      break;
+    }
+  }
+
+  // Build proposed rule
+  let proposedRule = null;
+  let confidence = 0;
+
+  if (bestAntiPattern && userCorrection) {
+    proposedRule = bestAntiPattern.ruleTemplate;
+    confidence = 90;
+  } else if (bestAntiPattern) {
+    proposedRule = bestAntiPattern.ruleTemplate;
+    confidence = 60;
+  } else if (userCorrection) {
+    // Extract the "don't X" part as a rule
+    const dontMatch = userCorrection.match(/(?:don'?t|never|stop)\s+(.{5,60})/i);
+    if (dontMatch) {
+      proposedRule = `NEVER ${dontMatch[1].trim().replace(/[.!?]+$/, '')}`;
+      confidence = 50;
+    }
+  }
+
+  return {
+    correction: userCorrection,
+    antiPattern: bestAntiPattern ? bestAntiPattern.label : null,
+    proposedRule,
+    confidence,
+    evidence,
+    messageCount: messages.length,
+  };
+}
+
+// ---------------------------------------------------------------------------
+// History-Aware Distillation (the main entry point)
+// ---------------------------------------------------------------------------
+
+/**
+ * Distill a lesson from chat history when thumbs-down is received.
+ * This is the "Reflector" agent — it takes conversation context and
+ * auto-proposes what went wrong + a prevention rule.
+ *
+ * @param {Object} opts
+ * @param {Array} opts.chatHistory - Last N messages [{role, content}]
+ * @param {Object} [opts.failedToolCall] - The tool call that failed
+ * @param {string} [opts.feedbackContext] - User's feedback context string
+ * @param {string} [opts.signal] - 'negative' or 'positive'
+ * @returns {{ lesson, proposedRule, confirmation, autoCreated }}
+ */
+function distillFromHistory({ chatHistory = [], failedToolCall = null, feedbackContext = '', signal = 'negative' } = {}) {
+  // Step 1: Analyze chat history for corrections and anti-patterns
+  const analysis = analyzeChatHistory(chatHistory, failedToolCall);
+
+  // Step 2: Infer from surrounding messages (leverage existing module)
+  const inference = inferFromSurroundingMessages({
+    priorMessages: chatHistory.slice(-10),
+    signal,
+    feedbackContext,
+  });
+
+  // Step 3: Build the auto-proposed lesson
+  let proposedWhatWentWrong;
+  let proposedRule = analysis.proposedRule;
+
+  if (analysis.correction && analysis.antiPattern) {
+    proposedWhatWentWrong = `I noticed I used ${analysis.antiPattern} despite your earlier correction: "${analysis.correction.slice(0, 100)}". This has been recorded as a mistake.`;
+  } else if (analysis.antiPattern) {
+    proposedWhatWentWrong = `I detected a ${analysis.antiPattern} anti-pattern in my output that likely caused the issue.`;
+  } else if (analysis.correction) {
+    proposedWhatWentWrong = `You previously corrected me: "${analysis.correction.slice(0, 100)}". I may have repeated the same mistake.`;
+  } else if (inference.inferredAction) {
+    proposedWhatWentWrong = `The ${inference.inferredAction.type} action on ${inference.inferredAction.target} did not produce the expected result.`;
+  } else {
+    proposedWhatWentWrong = feedbackContext || 'The agent action did not meet expectations.';
+  }
+
+  // Step 4: Build confirmation message
+  const confirmation = proposedRule
+    ? `I've recorded a rule: "${proposedRule}". Correct?`
+    : `Lesson captured: "${proposedWhatWentWrong.slice(0, 100)}". Any corrections?`;
+
+  // Step 5: Auto-create the lesson
+  const lesson = createLesson({
+    signal,
+    inferredLesson: proposedWhatWentWrong,
+    triggerMessage: inference.triggerMessage,
+    priorSummary: inference.priorSummary,
+    confidence: analysis.confidence || inference.confidence,
+    tags: analysis.antiPattern ? [analysis.antiPattern] : [],
+    metadata: { distilled: true, hasCorrection: !!analysis.correction, hasAntiPattern: !!analysis.antiPattern },
+  });
+
+  // Step 6: If high confidence + anti-pattern, auto-install prevention rule
+  let ruleInstalled = false;
+  if (proposedRule && analysis.confidence >= 60) {
+    try {
+      contextfs.registerPreventionRules(`# Auto-Distilled Rule\n\n- ${proposedRule}\n\nSource: history-distiller (confidence: ${analysis.confidence}%)`, { source: 'history-distiller', lessonId: lesson.id });
+      ruleInstalled = true;
+    } catch { /* non-critical */ }
+  }
+
+  return {
+    lesson,
+    proposedWhatWentWrong,
+    proposedRule,
+    confirmation,
+    ruleInstalled,
+    analysis,
+    inference: { action: inference.inferredAction, confidence: inference.confidence },
+    autoCreated: true,
+  };
+}
+
+module.exports = {
+  ANTI_PATTERNS, analyzeChatHistory, distillFromHistory,
+};

package/scripts/hook-auto-capture.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+# Claude Code UserPromptSubmit hook — auto-captures thumbs up/down feedback
+# Triggered on every user message. Only acts on feedback signals.
+# Shows full verbose output with storage paths, memory IDs, and stats.
+
+PROMPT="$CLAUDE_USER_PROMPT"
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+CAPTURE="$SCRIPT_DIR/../.claude/scripts/feedback/capture-feedback.js"
+PROMPT_GUARD="$SCRIPT_DIR/prompt-guard.js"
+ACTIVE_CWD="${CLAUDE_PROJECT_DIR:-${PWD:-$(pwd)}}"
+FEEDBACK_DIR="$(node -e "const path = require('path'); const { resolveFeedbackDir } = require(path.join(process.argv[1], 'feedback-paths.js')); process.stdout.write(resolveFeedbackDir({ cwd: process.argv[2] || process.cwd(), feedbackDir: process.env.THUMBGATE_FEEDBACK_DIR || undefined }));" "$SCRIPT_DIR" "$ACTIVE_CWD" 2>/dev/null)"
+if [ -z "$FEEDBACK_DIR" ]; then
+  FEEDBACK_DIR="${THUMBGATE_FEEDBACK_DIR:-$ACTIVE_CWD/.rlhf}"
+fi
+FEEDBACK_LOG="$FEEDBACK_DIR/feedback-log.jsonl"
+MEMORY_LOG="$FEEDBACK_DIR/memory-log.jsonl"
+
+# Record the latest user prompt so statusline thumbs can distill lessons
+# from recent conversation even when the click itself has no body payload.
+THUMBGATE_CONVERSATION_TEXT="$PROMPT" node -e "
+  const { recordConversationEntry } = require(process.argv[1]);
+  recordConversationEntry({
+    author: 'user',
+    text: process.env.THUMBGATE_CONVERSATION_TEXT || '',
+    source: 'claude_user_prompt',
+  });
+" "$SCRIPT_DIR/feedback-history-distiller.js" 2>/dev/null || true
+
+# Normalize to lowercase for matching
+LOWER=$(echo "$PROMPT" | tr '[:upper:]' '[:lower:]')
+
+if [ -f "$PROMPT_GUARD" ]; then
+  GUARD_RESULT=$(node "$PROMPT_GUARD" 2>/dev/null || true)
+  if [ -n "$GUARD_RESULT" ]; then
+    echo "$GUARD_RESULT"
+    exit 0
+  fi
+fi
+
+capture_and_report() {
+  local SIGNAL="$1"
+
+  # Capture feedback (verbose output already shows IDs, signal, storage)
+  node "$CAPTURE" --feedback="$SIGNAL" --context="$PROMPT" --tags="auto-capture,hook"
+  local CAPTURE_STATUS=$?
+
+  if [ "$CAPTURE_STATUS" -eq 2 ]; then
+    echo "Reusable memory status: signal logged only. Add one specific sentence so the MCP can promote it."
+    echo ""
+  fi
+
+  # Show storage proof
+  echo ""
+  echo "Storage Proof:"
+  echo "  Feedback log : $FEEDBACK_LOG ($(wc -l < "$FEEDBACK_LOG" 2>/dev/null || echo 0) entries)"
+  echo "  Memory log   : $MEMORY_LOG ($(wc -l < "$MEMORY_LOG" 2>/dev/null || echo 0) entries)"
+  echo "  LanceDB      : $FEEDBACK_DIR/lancedb/"
+  echo ""
+
+  # Show last entry written
+  echo "Last Entry Written:"
+  tail -1 "$FEEDBACK_LOG" 2>/dev/null | node -e "
+    const d = JSON.parse(require('fs').readFileSync('/dev/stdin','utf8'));
+    console.log('  ID        :', d.id);
+    console.log('  Signal    :', d.signal, '(' + d.actionType + ')');
+    console.log('  Context   :', (d.context||'').slice(0,80));
+    console.log('  Tags      :', (d.tags||[]).join(', '));
+    console.log('  Timestamp :', d.timestamp);
+    console.log('  Domain    :', (d.richContext||{}).domain || 'general');
+  " 2>/dev/null
+
+  # Show cumulative stats
+  echo ""
+  echo "Cumulative Stats:"
+  node -e "
+    const fs = require('fs');
+    const lines = fs.readFileSync('$FEEDBACK_LOG','utf8').trim().split('\n').filter(Boolean);
+    const entries = lines.map(l => { try { return JSON.parse(l); } catch(e) { return null; } }).filter(Boolean);
+    const pos = entries.filter(e => e.signal === 'positive').length;
+    const neg = entries.filter(e => e.signal === 'negative').length;
+    const promoted = entries.filter(e => e.actionType === 'store-learning' || e.actionType === 'store-mistake').length;
+    console.log('  Total feedback  :', entries.length);
+    console.log('  Positive (up)   :', pos);
+    console.log('  Negative (down) :', neg);
+    console.log('  Promoted to mem :', promoted);
+    console.log('  Ratio           :', pos > 0 ? (pos/(pos+neg)*100).toFixed(0) + '% positive' : 'n/a');
+  " 2>/dev/null
+}
+
+# Check for thumbs up signals
+if echo "$LOWER" | grep -qE '(thumbs? ?up|that worked|looks good|nice work|perfect|good job)'; then
+  capture_and_report "up"
+  exit 0
+fi
+
+# Check for thumbs down signals
+if echo "$LOWER" | grep -qE '(thumbs? ?down|that failed|that was wrong|fix this)'; then
+  capture_and_report "down"
+  exit 0
+fi

package/scripts/hook-stop-pr-thread-check.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+# Stop hook — blocks "done/pushed/resolved" claims without PR thread evidence
+# Inspects the assistant response for completion signals and requires proof
+# that all PR review threads are resolved before allowing the claim.
+#
+# Environment variables (Stop hooks):
+#   CLAUDE_RESPONSE — the assistant's last response text
+#
+# Returns JSON with decision: "block" + message, or passes through silently.
+
+set -euo pipefail
+
+RESPONSE="${CLAUDE_RESPONSE:-}"
+
+# If no response, nothing to check
+if [ -z "$RESPONSE" ]; then
+  exit 0
+fi
+
+node -e '
+  "use strict";
+
+  const response = process.env.CLAUDE_RESPONSE || "";
+
+  // 1. Detect completion/done signals
+  const doneSignal = /\b(done|pushed|resolved|ready for review|all comments addressed|merged|ship it|completed|fixed and pushed)\b/i.test(response);
+  if (!doneSignal) {
+    // No completion claim — pass through silently
+    process.exit(0);
+  }
+
+  // 2. Check for PR thread evidence in the response
+  const threadEvidence =
+    /\b(0 unresolved|all threads resolved|no open threads|no unresolved|all comments resolved)\b/i.test(response) ||
+    /gh pr view.*review/i.test(response) ||
+    /reviewDecision.*APPROVED/i.test(response) ||
+    /comments.*:\s*0\b/i.test(response) ||
+    /unresolved.*:\s*0\b/i.test(response);
+
+  if (threadEvidence) {
+    // Evidence present — allow
+    process.exit(0);
+  }
+
+  // 3. Check if we are actually in a PR context (has a branch that is not main/master)
+  const { execSync } = require("child_process");
+  let branch = "";
+  try {
+    branch = execSync("git rev-parse --abbrev-ref HEAD", { encoding: "utf-8" }).trim();
+  } catch {
+    // Not in a git repo — skip check
+    process.exit(0);
+  }
+
+  if (branch === "main" || branch === "master") {
+    // Not on a feature branch — no PR to check
+    process.exit(0);
+  }
+
+  // 4. Block: completion claim on a feature branch without thread evidence
+  const output = {
+    decision: "block",
+    reason: "MANDATORY: Before declaring done, run `gh pr view --json reviewDecision,comments` and confirm 0 unresolved threads. Show the output in your response."
+  };
+  process.stdout.write(JSON.stringify(output));
+' 2>/dev/null || true
+
+exit 0

package/scripts/hook-stop-self-score.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+# Claude Code / Amp Stop hook — autonomous self-scoring after every agent turn
+# Fires after the agent completes a response. Runs selfAuditAndLog to produce
+# a RLAIF self-score entry in self-score-log.jsonl.
+#
+# Environment variables available in Stop hooks:
+#   CLAUDE_STOP_REASON   — why the agent stopped (e.g., "end_turn", "tool_use")
+#   CLAUDE_TOOL_OUTPUT   — last tool output (if any)
+#
+# This hook is NON-BLOCKING — it exits 0 regardless of errors.
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+THUMBGATE_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+
+# Run the self-score via Node.js — sync, no API calls, ~5ms
+node -e '
+  "use strict";
+  const path = require("path");
+
+  // Resolve modules relative to ThumbGate package root
+  const rlhfRoot = process.env.THUMBGATE_ROOT;
+  const { selfAuditAndLog } = require(path.join(rlhfRoot, "scripts", "rlaif-self-audit"));
+  const { getFeedbackPaths } = require(path.join(rlhfRoot, "scripts", "feedback-loop"));
+
+  const stopReason = process.env.CLAUDE_STOP_REASON || "unknown";
+
+  // Build a minimal feedback event for self-scoring
+  const feedbackEvent = {
+    id: `stop_${Date.now()}_${Math.random().toString(36).slice(2, 6)}`,
+    signal: "positive",
+    context: `Agent turn completed (stop_reason: ${stopReason}). Autonomous self-score checkpoint.`,
+    tags: ["stop-hook", "auto-score"],
+    whatWorked: null,
+    whatWentWrong: null,
+    whatToChange: null,
+    rubric: null,
+  };
+
+  const paths = getFeedbackPaths();
+  const result = selfAuditAndLog(feedbackEvent, paths);
+
+  // Output minimal JSON for hook response (non-blocking)
+  process.stdout.write(JSON.stringify({
+    hookSpecificOutput: {
+      hookEventName: "Stop",
+      additionalContext: `Self-score: ${result.score} (${result.constraints.filter(c => c.passed).length}/${result.constraints.length} constraints passed)`
+    }
+  }));
+' 2>/dev/null || true
+
+exit 0

package/scripts/hook-stop-verify-deploy.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# Hook: Stop
+#
+# When it fires: After Claude finishes responding (every turn).
+# What it does:  Checks if a curl to production happened this session.
+#                If not, prints a warning reminding the CTO to verify.
+# Why:           Prevents saying "deployed" without proof.
+# Env vars:
+#   CLAUDE_STOP_REASON — why the agent stopped (set by Claude Code)
+# Marker file:
+#   /tmp/.thumbgate-last-deploy-verify — written by hook-verify-before-done.sh
+# Exit code: Always 0 (informational only).
+
+PROD_URL="thumbgate-production.up.railway.app"
+VERIFICATION_MARKER="/tmp/.thumbgate-last-deploy-verify"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+EXPECTED_VERSION="$(node -e "console.log(require(process.argv[1]).version)" "${REPO_ROOT}/package.json")"
+
+if [ -f "$VERIFICATION_MARKER" ]; then
+  VERIFY_TIME=$(cat "$VERIFICATION_MARKER")
+  echo "✅ Last deployment verification: $VERIFY_TIME"
+else
+  echo "⚠️  WARNING: No deployment verification found this session."
+  echo "   If you deployed to Railway, run:"
+  echo "   curl -s https://${PROD_URL}/health | grep '\"version\":\"${EXPECTED_VERSION}\"'"
+  echo "   curl -s https://${PROD_URL}/dashboard | grep 'ThumbGate Dashboard'"
+  echo "   before claiming done."
+fi
+
+exit 0

package/scripts/hook-thumbgate-cache-updater.js

@@ -0,0 +1,48 @@
+#!/usr/bin/env node
+/**
+ * PostToolUse hook: updates ThumbGate statusline cache after feedback_stats calls.
+ * Installed by: npx thumbgate init --agent claude-code
+ */
+'use strict';
+const fs = require('fs');
+const path = require('path');
+const { resolveFeedbackDir } = require('./feedback-paths');
+
+const CACHE_PATH = path.join(resolveFeedbackDir(), 'statusline_cache.json');
+
+let input = '';
+process.stdin.setEncoding('utf8');
+process.stdin.on('data', chunk => { input += chunk; });
+process.stdin.on('end', () => {
+  try {
+    const event = JSON.parse(input);
+    const tool = event.tool_name || '';
+    if (tool !== 'mcp__rlhf__feedback_stats' && tool !== 'mcp__rlhf__dashboard') return;
+
+    const raw = event.tool_response;
+    if (!raw) return;
+    const data = typeof raw === 'string' ? JSON.parse(raw) : raw;
+
+    const cache = {};
+    if (tool === 'mcp__rlhf__feedback_stats') {
+      cache.thumbs_up = String(data.totalPositive || 0);
+      cache.thumbs_down = String(data.totalNegative || 0);
+      cache.lessons = String((data.rubric || {}).samples || 0);
+      cache.approval_rate = String(Math.round((data.approvalRate || 0) * 1000) / 10);
+      cache.trend = data.trend || '?';
+      cache.total_feedback = String(data.total || 0);
+    } else if (tool === 'mcp__rlhf__dashboard') {
+      const approval = data.approval || {};
+      cache.thumbs_up = String(approval.totalPositive || 0);
+      cache.thumbs_down = String(approval.totalNegative || 0);
+      cache.lessons = String((data.rubric || {}).samples || 0);
+      cache.approval_rate = String(approval.approvalRate || '?');
+      cache.trend = approval.trendDirection || '?';
+      cache.total_feedback = String(approval.total || 0);
+    }
+    cache.updated_at = String(Math.floor(Date.now() / 1000));
+
+    fs.mkdirSync(path.dirname(CACHE_PATH), { recursive: true });
+    fs.writeFileSync(CACHE_PATH, JSON.stringify(cache));
+  } catch (_) { /* silent — statusline cache is best-effort */ }
+});

package/scripts/hook-verify-before-done.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# Hook: PreToolUse (matcher: Bash)
+#
+# When it fires: Before every Bash tool call in Claude Code.
+# What it does:  If the Bash command contains a curl to production,
+#                records the timestamp to a marker file.
+# Why:           The Stop hook (hook-stop-verify-deploy.sh) checks this
+#                marker to warn if no prod verification happened.
+# Env vars:
+#   CLAUDE_TOOL_INPUT — the Bash command about to execute (set by Claude Code)
+# Exit code: Always 0 (never blocks tool calls).
+
+PROD_URL="thumbgate-production.up.railway.app"
+VERIFICATION_MARKER="/tmp/.thumbgate-last-deploy-verify"
+
+if echo "${CLAUDE_TOOL_INPUT:-}" | grep -q "curl.*${PROD_URL}"; then
+  date -u +"%Y-%m-%dT%H:%M:%SZ" > "$VERIFICATION_MARKER"
+fi
+
+exit 0

package/scripts/hosted-config.js

@@ -0,0 +1,156 @@
+'use strict';
+
+const crypto = require('node:crypto');
+const {
+  PRO_MONTHLY_PAYMENT_LINK,
+  PRO_MONTHLY_PRICE_DOLLARS,
+  PRO_PRICE_LABEL,
+} = require('./commercial-offer');
+
+const DEFAULT_PUBLIC_APP_ORIGIN = 'https://thumbgate-production.up.railway.app';
+const DEFAULT_CHECKOUT_FALLBACK_URL = PRO_MONTHLY_PAYMENT_LINK;
+const DEFAULT_PRO_PRICE_DOLLARS = PRO_MONTHLY_PRICE_DOLLARS;
+const DEFAULT_PRO_PRICE_LABEL = PRO_PRICE_LABEL;
+const GA_MEASUREMENT_ID_PATTERN = /^G-[A-Z0-9]+$/i;
+
+function normalizeOrigin(value) {
+  if (!value || typeof value !== 'string') {
+    return '';
+  }
+
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return '';
+  }
+
+  try {
+    const parsed = new URL(trimmed);
+    if (!/^https?:$/.test(parsed.protocol)) {
+      return '';
+    }
+    parsed.pathname = parsed.pathname.replace(/\/+$/, '') || '/';
+    parsed.search = '';
+    parsed.hash = '';
+    const serialized = parsed.toString();
+    return serialized.endsWith('/') ? serialized.slice(0, -1) : serialized;
+  } catch {
+    return '';
+  }
+}
+
+function normalizeAbsoluteUrl(value) {
+  if (!value || typeof value !== 'string') {
+    return '';
+  }
+
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return '';
+  }
+
+  try {
+    const parsed = new URL(trimmed);
+    if (!/^https?:$/.test(parsed.protocol)) {
+      return '';
+    }
+    return parsed.toString();
+  } catch {
+    return '';
+  }
+}
+
+function normalizeTrackingId(value, pattern) {
+  if (!value || typeof value !== 'string') {
+    return '';
+  }
+
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return '';
+  }
+
+  if (pattern && !pattern.test(trimmed)) {
+    return '';
+  }
+
+  return trimmed;
+}
+
+function joinPublicUrl(baseOrigin, pathname) {
+  const normalized = normalizeOrigin(baseOrigin);
+  if (!normalized) {
+    throw new Error(`Invalid public origin: ${String(baseOrigin || '')}`);
+  }
+  const cleanPath = pathname.startsWith('/') ? pathname : `/${pathname}`;
+  return `${normalized}${cleanPath}`;
+}
+
+function createTraceId(prefix = 'trace') {
+  return `${prefix}_${Date.now().toString(36)}_${crypto.randomBytes(6).toString('hex')}`;
+}
+
+function normalizePriceDollars(value) {
+  if (value === undefined || value === null || value === '') {
+    return null;
+  }
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    return null;
+  }
+  return Math.round(parsed);
+}
+
+function buildHostedSuccessUrl(appOrigin, traceId) {
+  const encodedTraceId = encodeURIComponent(String(traceId || ''));
+  const traceQuery = traceId ? `&trace_id=${encodedTraceId}` : '';
+  return `${joinPublicUrl(appOrigin, '/success')}?session_id={CHECKOUT_SESSION_ID}${traceQuery}`;
+}
+
+function buildHostedCancelUrl(appOrigin, traceId) {
+  const encodedTraceId = encodeURIComponent(String(traceId || ''));
+  const traceQuery = traceId ? `?trace_id=${encodedTraceId}` : '';
+  return `${joinPublicUrl(appOrigin, '/cancel')}${traceQuery}`;
+}
+
+function resolveHostedBillingConfig({ requestOrigin } = {}) {
+  const inferredOrigin = normalizeOrigin(requestOrigin) || DEFAULT_PUBLIC_APP_ORIGIN;
+  const appOrigin = normalizeOrigin(process.env.THUMBGATE_PUBLIC_APP_ORIGIN) || inferredOrigin;
+  const billingApiBaseUrl = normalizeOrigin(
+    process.env.THUMBGATE_BILLING_API_BASE_URL || process.env.THUMBGATE_CANONICAL_API_BASE_URL || appOrigin
+  ) || appOrigin;
+  const proPriceDollars = normalizePriceDollars(process.env.THUMBGATE_PRO_PRICE_DOLLARS) || DEFAULT_PRO_PRICE_DOLLARS;
+  const proPriceLabel = process.env.THUMBGATE_PRO_PRICE_LABEL || DEFAULT_PRO_PRICE_LABEL;
+  const gaMeasurementId = normalizeTrackingId(process.env.THUMBGATE_GA_MEASUREMENT_ID, GA_MEASUREMENT_ID_PATTERN);
+  const googleSiteVerification = normalizeTrackingId(process.env.THUMBGATE_GOOGLE_SITE_VERIFICATION);
+
+  return {
+    appOrigin,
+    billingApiBaseUrl,
+    checkoutEndpoint: joinPublicUrl(billingApiBaseUrl, '/v1/billing/checkout'),
+    sessionEndpoint: joinPublicUrl(billingApiBaseUrl, '/v1/billing/session'),
+    checkoutFallbackUrl: normalizeAbsoluteUrl(
+      process.env.THUMBGATE_CHECKOUT_FALLBACK_URL || DEFAULT_CHECKOUT_FALLBACK_URL
+    ) || DEFAULT_CHECKOUT_FALLBACK_URL,
+    proPriceDollars,
+    proPriceLabel,
+    gaMeasurementId,
+    googleSiteVerification,
+  };
+}
+
+module.exports = {
+  DEFAULT_PUBLIC_APP_ORIGIN,
+  DEFAULT_CHECKOUT_FALLBACK_URL,
+  DEFAULT_PRO_PRICE_DOLLARS,
+  DEFAULT_PRO_PRICE_LABEL,
+  GA_MEASUREMENT_ID_PATTERN,
+  normalizeAbsoluteUrl,
+  normalizeOrigin,
+  normalizeTrackingId,
+  normalizePriceDollars,
+  joinPublicUrl,
+  createTraceId,
+  buildHostedSuccessUrl,
+  buildHostedCancelUrl,
+  resolveHostedBillingConfig,
+};