thumbgate 1.1.0 → 1.2.0

package/scripts/docker-sandbox-planner.js

@@ -0,0 +1,208 @@
+#!/usr/bin/env node
+'use strict';
+
+const path = require('node:path');
+
+const { classifyCommand } = require('./operational-integrity');
+
+const HIGH_RISK_ACTION_TYPES = new Set([
+  'shell.exec',
+  'file.delete',
+  'upload',
+  'message.send',
+]);
+
+function normalizeText(value) {
+  if (value === undefined || value === null) return '';
+  return String(value).trim();
+}
+
+function normalizeStringArray(values = []) {
+  if (!Array.isArray(values)) return [];
+  return Array.from(new Set(
+    values
+      .map((value) => normalizeText(value))
+      .filter(Boolean),
+  ));
+}
+
+function normalizeRiskBand(value) {
+  const normalized = normalizeText(value).toLowerCase();
+  if (['very_high', 'high', 'medium', 'low'].includes(normalized)) {
+    return normalized;
+  }
+  if (normalized === 'critical') return 'very_high';
+  return 'low';
+}
+
+function quoteShellArg(value) {
+  return `'${String(value).replaceAll('\'', String.raw`'\''`)}'`;
+}
+
+function buildNetworkPolicy(input = {}) {
+  const allowedHosts = normalizeStringArray(input.allowedHosts || input.egressAllowlist);
+  if (input.requiresNetwork !== true) {
+    return {
+      mode: 'deny_all',
+      allowedHosts: [],
+    };
+  }
+  return {
+    mode: allowedHosts.length > 0 ? 'allow_list' : 'egress_enabled',
+    allowedHosts,
+  };
+}
+
+function buildLaunchers(workspacePath) {
+  const suffix = workspacePath ? ` shell ${quoteShellArg(workspacePath)}` : ' shell';
+  return {
+    standalone: `sbx run${suffix}`,
+    dockerDesktop: `docker sandbox run${suffix}`,
+    followUp: workspacePath
+      ? [
+        'sbx list',
+        'docker sandbox ls',
+      ]
+      : [],
+  };
+}
+
+function buildSummary(shouldSandbox, recommendation) {
+  if (!shouldSandbox) {
+    return 'Current action can stay on the normal local execution path.';
+  }
+  if (recommendation === 'required') {
+    return 'Route this action into Docker Sandboxes before retrying so the run happens inside a disposable microVM instead of on the host.';
+  }
+  return 'Prefer Docker Sandboxes for this action to reduce host blast radius while keeping local autonomy.';
+}
+
+function buildWhy({
+  recommendation,
+  command,
+  riskBand,
+  actionType,
+  affectedFiles,
+}) {
+  const lines = [];
+  if (recommendation === 'required') {
+    lines.push('The predicted action is destructive or release-sensitive enough to justify host isolation.');
+  } else if (recommendation === 'recommended') {
+    lines.push('The predicted action is high-risk enough that isolated execution meaningfully reduces host blast radius.');
+  } else {
+    lines.push('The current action does not need a dedicated Docker sandbox boundary.');
+  }
+
+  if (command && /\brm\s+-rf\b/i.test(command)) {
+    lines.push('Recursive delete commands are safer when the filesystem boundary lives inside a disposable microVM.');
+  }
+  if (command && /\bgit\s+push\b.*(?:--force|-f)\b/i.test(command)) {
+    lines.push('Force-push flows should run in an isolated lane so host credentials and unrelated state stay out of scope.');
+  }
+  if (command && /\b(?:gh\s+pr\s+(?:create|merge)|npm\s+publish|yarn\s+publish|pnpm\s+publish)\b/i.test(command)) {
+    lines.push('PR, merge, and publish flows are governance-sensitive and benefit from a disposable execution boundary.');
+  }
+  if (HIGH_RISK_ACTION_TYPES.has(actionType)) {
+    lines.push(`Action type ${actionType} is in the high-risk set for local execution.`);
+  }
+  if (riskBand === 'very_high' || riskBand === 'high') {
+    lines.push(`Risk band ${riskBand} predicts elevated blast radius on the local host.`);
+  }
+  if (affectedFiles.length >= 4) {
+    lines.push(`The change touches ${affectedFiles.length} files, so host isolation improves recovery if the run goes sideways.`);
+  }
+  return lines;
+}
+
+function buildDockerSandboxPlan(input = {}) {
+  const toolName = normalizeText(input.toolName);
+  const actionType = normalizeText(input.actionType)
+    || (toolName === 'Bash' ? 'shell.exec' : '');
+  const command = normalizeText(input.command);
+  const repoPath = normalizeText(input.repoPath);
+  const workspacePath = repoPath ? path.resolve(repoPath) : null;
+  const affectedFiles = normalizeStringArray(input.affectedFiles || input.changedFiles || input.files);
+  const riskBand = normalizeRiskBand(input.riskBand || input.band);
+  const riskScore = Number.isFinite(Number(input.riskScore))
+    ? Number(Number(input.riskScore).toFixed(4))
+    : null;
+  const commandInfo = classifyCommand(command);
+  const destructiveCommand = /\brm\s+-rf\b/i.test(command)
+    || /\bgit\s+push\b.*(?:--force|-f)\b/i.test(command)
+    || /\bgh\s+pr\s+merge\b.*--admin\b/i.test(command);
+  const governedCommand = Boolean(
+    commandInfo.isPrCreate
+      || commandInfo.isPrMerge
+      || commandInfo.isPublish
+      || commandInfo.isReleaseCreate
+      || commandInfo.isTagCreate
+  );
+  const highRiskAction = HIGH_RISK_ACTION_TYPES.has(actionType)
+    || destructiveCommand
+    || governedCommand
+    || riskBand === 'high'
+    || riskBand === 'very_high';
+
+  let recommendation = 'not_needed';
+  if (destructiveCommand || commandInfo.isPublish || commandInfo.isReleaseCreate || actionType === 'upload' || actionType === 'message.send') {
+    recommendation = 'required';
+  } else if (highRiskAction || affectedFiles.length >= 4) {
+    recommendation = 'recommended';
+  }
+
+  const shouldSandbox = recommendation !== 'not_needed';
+  const networkPolicy = buildNetworkPolicy({
+    requiresNetwork: input.requiresNetwork === true || governedCommand || commandInfo.isPublish || actionType === 'upload' || actionType === 'message.send',
+    allowedHosts: input.allowedHosts,
+    egressAllowlist: input.egressAllowlist,
+  });
+  const launchers = buildLaunchers(workspacePath);
+  const summary = buildSummary(shouldSandbox, recommendation);
+
+  return {
+    plannerVersion: 'docker-sandbox-plan-v1',
+    shouldSandbox,
+    recommendation,
+    summary,
+    sandboxKind: shouldSandbox ? 'docker_microvm' : 'host',
+    workspacePath,
+    actionType: actionType || null,
+    riskBand,
+    riskScore,
+    command: command || null,
+    affectedFiles,
+    networkPolicy,
+    launchers,
+    claims: shouldSandbox ? {
+      isolationBoundary: 'microvm',
+      hostAccess: 'bounded_outside_host',
+      dockerDaemon: 'private_inside_sandbox',
+      workspaceStrategy: workspacePath ? 'directory_sync' : 'ephemeral',
+    } : null,
+    why: buildWhy({
+      recommendation,
+      command,
+      riskBand,
+      actionType,
+      affectedFiles,
+    }),
+  };
+}
+
+module.exports = {
+  HIGH_RISK_ACTION_TYPES,
+  buildDockerSandboxPlan,
+  buildLaunchers,
+  buildNetworkPolicy,
+  buildSummary,
+  normalizeRiskBand,
+};
+
+if (require.main === module) {
+  const plan = buildDockerSandboxPlan({
+    toolName: process.argv[2] || 'Bash',
+    command: process.argv.slice(3).join(' '),
+    repoPath: process.cwd(),
+  });
+  console.log(JSON.stringify(plan, null, 2));
+}

package/scripts/github-about.js

@@ -12,6 +12,8 @@ const ROOT = path.join(__dirname, '..');
 const CONFIG_RELATIVE_PATH = path.join('config', 'github-about.json');
 const LEGACY_REPOSITORY_URL = 'https://github.com/IgorGanapolsky/thumbgate';
 const GITHUB_API_BASE_URL = 'https://api.github.com';
+const DEFAULT_VERIFY_ATTEMPTS = 5;
+const DEFAULT_VERIFY_DELAY_MS = 2000;
 
 function readText(root, relativePath) {
   return fs.readFileSync(path.join(root, relativePath), 'utf8');
@@ -296,6 +298,57 @@ async function fetchLiveGitHubAbout(options = {}) {
   };
 }
 
+function normalizePositiveInteger(value, fallback) {
+  const parsed = Number.parseInt(value, 10);
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : fallback;
+}
+
+function sleep(delayMs) {
+  return new Promise((resolve) => {
+    setTimeout(resolve, delayMs);
+  });
+}
+
+async function verifyLiveGitHubAbout(options = {}) {
+  const root = options.root || ROOT;
+  const expected = options.expected || loadGitHubAboutConfig(root);
+  const repo = normalizeText(options.repo) || expected.repo;
+  const label = options.label || `Live GitHub About (${repo})`;
+  const attempts = normalizePositiveInteger(options.attempts, DEFAULT_VERIFY_ATTEMPTS);
+  const delayMs = normalizePositiveInteger(options.delayMs, DEFAULT_VERIFY_DELAY_MS);
+  const fetcher = typeof options.fetcher === 'function' ? options.fetcher : fetchLiveGitHubAbout;
+  const sleeper = typeof options.sleep === 'function' ? options.sleep : sleep;
+  let actual = null;
+  let errors = [];
+
+  for (let attempt = 1; attempt <= attempts; attempt += 1) {
+    actual = await fetcher({
+      root,
+      repo,
+      token: options.token,
+    });
+    errors = compareGitHubAbout(expected, actual, label);
+    if (errors.length === 0) {
+      return {
+        ok: true,
+        actual,
+        attemptsUsed: attempt,
+        errors: [],
+      };
+    }
+    if (attempt < attempts) {
+      await sleeper(delayMs * attempt);
+    }
+  }
+
+  return {
+    ok: false,
+    actual,
+    attemptsUsed: attempts,
+    errors,
+  };
+}
+
 async function updateLiveGitHubAbout(options = {}) {
   const about = loadGitHubAboutConfig(options.root || ROOT);
   const repo = normalizeText(options.repo) || about.repo;
@@ -334,6 +387,8 @@ async function updateLiveGitHubAbout(options = {}) {
 }
 
 module.exports = {
+  DEFAULT_VERIFY_ATTEMPTS,
+  DEFAULT_VERIFY_DELAY_MS,
   LEGACY_REPOSITORY_URL,
   buildCanonicalRepoUrls,
   collectLocalGitHubAboutErrors,
@@ -347,4 +402,5 @@ module.exports = {
   normalizeTopics,
   normalizeUrl,
   updateLiveGitHubAbout,
+  verifyLiveGitHubAbout,
 };

package/scripts/operational-integrity.js

@@ -457,12 +457,17 @@ function parseCliArgs(argv = process.argv.slice(2)) {
   return options;
 }
 
+function resolveCiBranchName(env = process.env) {
+  const branchName = String(env.GITHUB_HEAD_REF || env.GITHUB_REF_NAME || '').trim();
+  return branchName || undefined;
+}
+
 function runCli(env = process.env, argv = process.argv.slice(2)) {
   const args = parseCliArgs(argv);
   const result = evaluateOperationalIntegrity({
     repoPath: args.repoPath,
     baseBranch: args.baseBranch || env.DEFAULT_BRANCH || DEFAULT_BASE_BRANCH,
-    currentBranch: env.GITHUB_REF_NAME || undefined,
+    currentBranch: resolveCiBranchName(env),
     requirePrForReleaseSensitive: args.requirePrForReleaseSensitive,
     requireVersionNotBehindBase: args.requireVersionNotBehindBase,
     fetchBase: args.fetchBase,
@@ -517,6 +522,7 @@ module.exports = {
   parseSemver,
   readPackageVersion,
   resolveBaseRef,
+  resolveCiBranchName,
   resolveRepoRoot,
   runCli,
   sanitizeGlobList,

package/scripts/published-cli.js

@@ -13,6 +13,10 @@ function runtimePrefixDir(prefixDir) {
   return prefixDir || path.join(os.homedir(), '.thumbgate', 'runtime');
 }
 
+function installedRuntimeBin(prefixDir) {
+  return path.join(runtimePrefixDir(prefixDir), 'node_modules', '.bin', 'thumbgate');
+}
+
 function publishedCliArgs(pkgVersion, commandArgs = [], options = {}) {
   return [
     'exec',
@@ -29,7 +33,11 @@ function publishedCliArgs(pkgVersion, commandArgs = [], options = {}) {
 
 function publishedCliShellCommand(pkgVersion, commandArgs = [], options = {}) {
   const prefixDir = runtimePrefixDir(options.prefixDir);
-  return `mkdir -p ${shellQuote(prefixDir)} && exec npm ${publishedCliArgs(pkgVersion, commandArgs, { prefixDir }).map(shellQuote).join(' ')}`;
+  const runtimeBin = installedRuntimeBin(prefixDir);
+  const escapedArgs = commandArgs.map(shellQuote).join(' ');
+  const fastPath = `[ -x ${shellQuote(runtimeBin)} ] && exec ${shellQuote(runtimeBin)}${escapedArgs ? ` ${escapedArgs}` : ''}`;
+  const installPath = `mkdir -p ${shellQuote(prefixDir)} && exec npm ${publishedCliArgs(pkgVersion, commandArgs, { prefixDir }).map(shellQuote).join(' ')}`;
+  return `${fastPath} || ${installPath}`;
 }
 
 function runPublishedCli(pkgVersion, commandArgs = [], options = {}) {
@@ -55,6 +63,7 @@ function runPublishedCliHelp(pkgVersion, options = {}) {
 module.exports = {
   publishedCliArgs,
   publishedCliShellCommand,
+  installedRuntimeBin,
   runtimePrefixDir,
   runPublishedCli,
   runPublishedCliHelp,

package/scripts/statusline-links.js

@@ -0,0 +1,238 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const http = require('http');
+const { spawn } = require('child_process');
+
+const { getHomeDir, getRuntimeDir, resolveProjectDir } = require('./feedback-paths');
+const { resolveProKey } = require('./pro-local-dashboard');
+
+const DEFAULT_ORIGIN = 'http://localhost:3456';
+const DEFAULT_TIMEOUT_MS = 150;
+const DEFAULT_BOOT_GRACE_MS = 5000;
+const PKG_ROOT = path.join(__dirname, '..');
+
+function parseOrigin(origin) {
+  const url = new URL(origin || DEFAULT_ORIGIN);
+  return {
+    origin: url.origin,
+    host: url.hostname,
+    port: Number(url.port || (url.protocol === 'https:' ? 443 : 80)),
+    protocol: url.protocol,
+  };
+}
+
+function isLoopbackHost(host) {
+  return host === 'localhost' || host === '127.0.0.1' || host === '::1';
+}
+
+function runtimeStatePath(options = {}) {
+  return path.join(getRuntimeDir(options), 'statusline-api.json');
+}
+
+function readRuntimeState(options = {}) {
+  try {
+    return JSON.parse(fs.readFileSync(runtimeStatePath(options), 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function writeRuntimeState(payload, options = {}) {
+  const targetPath = runtimeStatePath(options);
+  fs.mkdirSync(path.dirname(targetPath), { recursive: true });
+  fs.writeFileSync(targetPath, JSON.stringify(payload, null, 2) + '\n');
+  return targetPath;
+}
+
+function isPidAlive(pid) {
+  const numericPid = Number(pid);
+  if (!Number.isInteger(numericPid) || numericPid <= 0) return false;
+  try {
+    process.kill(numericPid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function shouldReuseBootingState(state, now = Date.now()) {
+  if (!state || !isPidAlive(state.pid)) return false;
+  const startedAt = Date.parse(state.startedAt || 0);
+  if (!Number.isFinite(startedAt)) return true;
+  return now - startedAt < DEFAULT_BOOT_GRACE_MS;
+}
+
+function requestOk(url, timeoutMs = DEFAULT_TIMEOUT_MS) {
+  return new Promise((resolve) => {
+    const req = http.get(url, (res) => {
+      res.resume();
+      resolve(res.statusCode >= 200 && res.statusCode < 500);
+    });
+    req.on('error', () => resolve(false));
+    req.setTimeout(timeoutMs, () => {
+      req.destroy();
+      resolve(false);
+    });
+  });
+}
+
+async function probeLocalServer(origin, options = {}) {
+  const timeoutMs = Number(options.timeoutMs || DEFAULT_TIMEOUT_MS);
+  return requestOk(`${origin}/health`, timeoutMs);
+}
+
+function launchLocalServer(options = {}) {
+  const env = options.env || process.env;
+  const origin = parseOrigin(options.origin || env.THUMBGATE_LOCAL_API_ORIGIN || DEFAULT_ORIGIN);
+  const homeDir = options.homeDir || getHomeDir({ env });
+  const resolvedKey = (options.resolveKey || resolveProKey)({ env, homeDir });
+  const projectDir = resolveProjectDir({ env, cwd: options.cwd || process.cwd() });
+  const childEnv = {
+    ...env,
+    HOST: origin.host,
+    PORT: String(origin.port),
+    THUMBGATE_LOCAL_API_ORIGIN: origin.origin,
+    THUMBGATE_PROJECT_DIR: projectDir,
+    THUMBGATE_PRO_MODE: '1',
+  };
+
+  if (resolvedKey && resolvedKey.key) {
+    childEnv.THUMBGATE_API_KEY = resolvedKey.key;
+  }
+
+  const child = spawn(
+    process.execPath,
+    [path.join(PKG_ROOT, 'bin', 'cli.js'), 'start-api'],
+    {
+      cwd: projectDir,
+      env: childEnv,
+      detached: true,
+      stdio: 'ignore',
+    }
+  );
+  child.unref();
+
+  const state = {
+    pid: child.pid,
+    projectDir,
+    origin: origin.origin,
+    startedAt: new Date().toISOString(),
+  };
+  writeRuntimeState(state, { env, home: homeDir });
+  return state;
+}
+
+function buildLinkState({
+  ready,
+  booting,
+  origin,
+  canBootstrap,
+}) {
+  if (ready) {
+    return {
+      state: 'ready',
+      dashboardLabel: 'Dashboard',
+      lessonsLabel: 'Lessons',
+      upLabel: '👍',
+      downLabel: '👎',
+      dashboardUrl: `${origin}/dashboard`,
+      lessonsUrl: `${origin}/lessons`,
+      upUrl: `${origin}/feedback/quick?signal=up`,
+      downUrl: `${origin}/feedback/quick?signal=down`,
+    };
+  }
+
+  if (booting) {
+    return {
+      state: 'booting',
+      dashboardLabel: 'Dashboard…',
+      lessonsLabel: 'Lessons…',
+      upLabel: '👍',
+      downLabel: '👎',
+      dashboardUrl: '',
+      lessonsUrl: '',
+      upUrl: '',
+      downUrl: '',
+    };
+  }
+
+  return {
+    state: canBootstrap ? 'offline' : 'unavailable',
+    dashboardLabel: canBootstrap ? 'Dash: thumbgate pro' : 'Dashboard',
+    lessonsLabel: 'Learn: thumbgate lessons',
+    upLabel: '👍',
+    downLabel: '👎',
+    dashboardUrl: '',
+    lessonsUrl: '',
+    upUrl: '',
+    downUrl: '',
+  };
+}
+
+async function getStatuslineLinks(options = {}) {
+  const env = options.env || process.env;
+  if (env._TEST_THUMBGATE_STATUSLINE_LINKS_JSON) {
+    return JSON.parse(env._TEST_THUMBGATE_STATUSLINE_LINKS_JSON);
+  }
+
+  const homeDir = options.homeDir || getHomeDir({ env });
+  const parsedOrigin = parseOrigin(options.origin || env.THUMBGATE_LOCAL_API_ORIGIN || DEFAULT_ORIGIN);
+  const origin = parsedOrigin.origin;
+  const allowLocalBootstrap = isLoopbackHost(parsedOrigin.host);
+  const probe = options.probeLocalServer || probeLocalServer;
+  const resolveKey = options.resolveKey || resolveProKey;
+  const startServer = options.launchLocalServer || launchLocalServer;
+  const key = resolveKey({ env, homeDir });
+  const canBootstrap = allowLocalBootstrap && Boolean(key && key.key);
+
+  const ready = allowLocalBootstrap ? await probe(origin, options) : false;
+  if (ready) {
+    return buildLinkState({ ready: true, booting: false, origin, canBootstrap });
+  }
+
+  const state = readRuntimeState({ env, home: homeDir });
+  if (shouldReuseBootingState(state)) {
+    return buildLinkState({ ready: false, booting: true, origin, canBootstrap });
+  }
+
+  if (canBootstrap) {
+    startServer({
+      env,
+      homeDir,
+      origin,
+      cwd: options.cwd || process.cwd(),
+      resolveKey: () => key,
+    });
+    return buildLinkState({ ready: false, booting: true, origin, canBootstrap });
+  }
+
+  return buildLinkState({ ready: false, booting: false, origin, canBootstrap });
+}
+
+if (require.main === module) {
+  getStatuslineLinks()
+    .then((payload) => {
+      process.stdout.write(JSON.stringify(payload));
+    })
+    .catch(() => {
+      process.exit(0);
+    });
+}
+
+module.exports = {
+  buildLinkState,
+  getStatuslineLinks,
+  isPidAlive,
+  launchLocalServer,
+  parseOrigin,
+  isLoopbackHost,
+  probeLocalServer,
+  readRuntimeState,
+  runtimeStatePath,
+  shouldReuseBootingState,
+  writeRuntimeState,
+};

package/scripts/statusline.sh

@@ -6,6 +6,7 @@
 # Resolve script directory safely (CodeQL: no uncontrolled paths)
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 case "$SCRIPT_DIR" in *[!a-zA-Z0-9/_.-]*) echo "ThumbGate: invalid script path"; exit 1;; esac
+LOCAL_API_ORIGIN="${THUMBGATE_LOCAL_API_ORIGIN:-http://localhost:3456}"
 
 # ── Parse Claude Code session JSON from stdin ─────────────────────
 eval "$(cat | jq -r '
@@ -63,7 +64,7 @@ fi
 # Background refresh from REST API when cache is stale (>120s)
 if [ $(( _NOW - ${CACHE_TS:-0} )) -gt 120 ]; then
   (
-    _R=$(curl -s --max-time 3 "http://localhost:3456/v1/feedback/stats" -H "Authorization: Bearer ${THUMBGATE_API_KEY:-tg_creator_dev_enterprise}" 2>/dev/null)
+    _R=$(curl -s --max-time 3 "${LOCAL_API_ORIGIN}/v1/feedback/stats" -H "Authorization: Bearer ${THUMBGATE_API_KEY:-tg_creator_dev_enterprise}" 2>/dev/null)
     [ -z "$_R" ] && exit 0
     echo "$_R" | python3 -c "
 import json,sys,time,os
@@ -78,6 +79,23 @@ except:pass
   disown 2>/dev/null
 fi
 
+# ── Clickable statusline affordances ─────────────────────────────
+LINK_STATE="offline"
+UP_URL=""; DOWN_URL=""; DASHBOARD_URL=""; LESSONS_URL=""
+DASHBOARD_LABEL="Dashboard"; LESSONS_LABEL="Lessons"
+_LINKS_JSON=$(node "${SCRIPT_DIR}/statusline-links.js" 2>/dev/null)
+if [ -n "$_LINKS_JSON" ]; then
+  eval "$(echo "$_LINKS_JSON" | jq -r '
+    @sh "LINK_STATE=\(.state // "offline")",
+    @sh "UP_URL=\(.upUrl // "")",
+    @sh "DOWN_URL=\(.downUrl // "")",
+    @sh "DASHBOARD_URL=\(.dashboardUrl // "")",
+    @sh "LESSONS_URL=\(.lessonsUrl // "")",
+    @sh "DASHBOARD_LABEL=\(.dashboardLabel // "Dashboard")",
+    @sh "LESSONS_LABEL=\(.lessonsLabel // "Lessons")"
+  ' 2>/dev/null)"
+fi
+
 # ── ThumbGate package metadata ────────────────────────────────────────
 TG_VERSION="unknown"; TG_TIER="Free"
 _META_JSON=$(node "${SCRIPT_DIR}/statusline-meta.js" 2>/dev/null)
@@ -107,17 +125,34 @@ case "${TREND}" in
   improving) ARROW="↗" ;; degrading) ARROW="↘" ;; stable) ARROW="→" ;; *) ARROW="?" ;;
 esac
 
+osc8_link() {
+  local url="$1"
+  local label="$2"
+  if [ -n "$url" ]; then
+    printf '\033]8;;%s\a%s\033]8;;\a' "$url" "$label"
+  else
+    printf '%s' "$label"
+  fi
+}
+
+UP_ICON="$(osc8_link "$UP_URL" "👍")"
+DOWN_ICON="$(osc8_link "$DOWN_URL" "👎")"
+DASHBOARD_LINK="$(osc8_link "$DASHBOARD_URL" "$DASHBOARD_LABEL")"
+LESSONS_LINK="$(osc8_link "$LESSONS_URL" "$LESSONS_LABEL")"
+
 # ── Output (single line) ─────────────────────────────────────────
 LINE="ThumbGate v${TG_VERSION} · ${TG_TIER}"
 if [ "$UP" = "0" ] && [ "$DOWN" = "0" ]; then
-  echo -e "${D}${LINE} · no feedback yet${RST}"
+  LINE="${D}${LINE} · no feedback yet${RST} · ${C}${DASHBOARD_LINK}${RST} · ${M}${LESSONS_LINK}${RST}"
+  printf '%b\n' "$LINE"
 else
-  LINE="${LINE} · ${G}${BD}${UP}${RST}👍 ${R}${BD}${DOWN}${RST}👎 ${ARROW}"
+  LINE="${LINE} · ${G}${BD}${UP}${RST}${UP_ICON} ${R}${BD}${DOWN}${RST}${DOWN_ICON} ${ARROW}"
 
   # Control Tower alerts (if any)
   [ "${SLO_V:-0}" -gt 0 ] && LINE="${LINE} ${R}${SLO_V} SLO${RST}"
   [ "${AT_RISK:-0}" -gt 0 ] && LINE="${LINE} ${R}${AT_RISK}⚠${RST}"
   [ "${ANOMALIES:-0}" -gt 0 ] && LINE="${LINE} ${R}${ANOMALIES}☠${RST}"
+  LINE="${LINE} · ${C}${DASHBOARD_LINK}${RST} · ${M}${LESSONS_LINK}${RST}"
 
-  echo -e "$LINE"
+  printf '%b\n' "$LINE"
 fi

package/scripts/sync-github-about.js

@@ -6,6 +6,7 @@ const {
   fetchLiveGitHubAbout,
   loadGitHubAboutConfig,
   updateLiveGitHubAbout,
+  verifyLiveGitHubAbout,
 } = require('./github-about');
 
 async function main() {
@@ -32,11 +33,13 @@ async function main() {
   console.log(`Syncing GitHub About for ${about.repo}...`);
   await updateLiveGitHubAbout({ repo: about.repo });
 
-  const after = await fetchLiveGitHubAbout({ repo: about.repo });
-  const remaining = compareGitHubAbout(about, after, `Live GitHub About (${about.repo})`);
-  if (remaining.length > 0) {
+  const verification = await verifyLiveGitHubAbout({
+    expected: about,
+    repo: about.repo,
+  });
+  if (verification.errors.length > 0) {
     console.error(`\n❌ GitHub About sync incomplete for ${about.repo}:\n`);
-    for (const error of remaining) {
+    for (const error of verification.errors) {
       console.error(`  • ${error}`);
     }
     console.error('');