thumbgate 1.1.0 → 1.3.0

package/scripts/dashboard.js

@@ -4,6 +4,7 @@
 const fs = require('fs');
 const path = require('path');
 const { aggregateFailureDiagnostics } = require('./failure-diagnostics');
+const { AUDIT_LOG_FILENAME } = require('./audit-trail');
 const { getBillingSummary, loadFunnelLedger, loadResolvedRevenueEvents } = require('./billing');
 const { getTelemetryAnalytics, loadTelemetryEvents } = require('./telemetry-analytics');
 const { getAutoGatesPath } = require('./auto-promote-gates');
@@ -19,6 +20,7 @@ const { routeProfile } = require('./profile-router');
 const { getSettingsStatus } = require('./settings-hierarchy');
 const { summarizeWorkflowRuns } = require('./workflow-runs');
 const { searchLessons } = require('./lesson-search');
+const { getInterventionPolicySummary } = require('./intervention-policy');
 
 const PROJECT_ROOT = path.join(__dirname, '..');
 const DEFAULT_GATES_PATH = path.join(PROJECT_ROOT, 'config', 'gates', 'default.json');
@@ -60,6 +62,15 @@ function pickFirstText(...values) {
   return null;
 }
 
+function toLocalDayKey(value) {
+  const ts = value instanceof Date ? value : new Date(value);
+  if (Number.isNaN(ts.getTime())) return null;
+  const year = ts.getFullYear();
+  const month = String(ts.getMonth() + 1).padStart(2, '0');
+  const day = String(ts.getDate()).padStart(2, '0');
+  return `${year}-${month}-${day}`;
+}
+
 // ---------------------------------------------------------------------------
 // Approval rate + trend
 // ---------------------------------------------------------------------------
@@ -143,6 +154,58 @@ function computeGateStats() {
   };
 }
 
+function computeGateAuditSeries(feedbackDir, options = {}) {
+  const auditLogPath = path.join(feedbackDir, AUDIT_LOG_FILENAME);
+  const entries = readJSONL(auditLogPath).filter((entry) => entry && entry.timestamp);
+  const dayCount = Number.isInteger(options.dayCount) ? options.dayCount : 14;
+  const today = new Date();
+  today.setHours(0, 0, 0, 0);
+  const countsByDay = new Map();
+
+  for (const entry of entries) {
+    if (!['allow', 'deny', 'warn'].includes(entry.decision)) continue;
+    const dayKey = toLocalDayKey(entry.timestamp);
+    if (!dayKey) continue;
+    if (!countsByDay.has(dayKey)) {
+      countsByDay.set(dayKey, { allow: 0, deny: 0, warn: 0 });
+    }
+    countsByDay.get(dayKey)[entry.decision] += 1;
+  }
+
+  const days = [];
+  const totals = { allow: 0, deny: 0, warn: 0, intercepted: 0, total: 0 };
+
+  for (let offset = dayCount - 1; offset >= 0; offset -= 1) {
+    const day = new Date(today);
+    day.setDate(today.getDate() - offset);
+    const dayKey = toLocalDayKey(day);
+    const record = countsByDay.get(dayKey) || { allow: 0, deny: 0, warn: 0 };
+    const intercepted = record.deny + record.warn;
+    const total = intercepted + record.allow;
+    const summary = {
+      dayKey,
+      allow: record.allow,
+      deny: record.deny,
+      warn: record.warn,
+      intercepted,
+      total,
+    };
+    totals.allow += record.allow;
+    totals.deny += record.deny;
+    totals.warn += record.warn;
+    totals.intercepted += intercepted;
+    totals.total += total;
+    days.push(summary);
+  }
+
+  return {
+    dayCount,
+    days,
+    totals,
+    activeDays: days.filter((day) => day.total > 0).length,
+  };
+}
+
 function listActiveGates() {
   try {
     const config = loadGatesConfig();
@@ -710,6 +773,7 @@ function generateDashboard(feedbackDir, options = {}) {
   const prevention = computePreventionImpact(feedbackDir, gateStats);
   const trend = computeSessionTrend(entries, 10);
   const health = computeSystemHealth(feedbackDir, gateStats);
+  const gateAudit = computeGateAuditSeries(feedbackDir);
   const diagnostics = aggregateFailureDiagnostics([...entries, ...diagnosticEntries]);
   const secretGuard = computeSecretGuardStats(diagnosticEntries);
   const gates = listActiveGates();
@@ -722,6 +786,7 @@ function generateDashboard(feedbackDir, options = {}) {
   const delegation = summarizeDelegation(feedbackDir);
   const readiness = generateAgentReadinessReport({ projectRoot: PROJECT_ROOT });
   const harness = computeHarnessOverview(feedbackDir, entries);
+  const interventionPolicy = getInterventionPolicySummary(feedbackDir);
   const settingsStatus = getSettingsStatus({ projectRoot: PROJECT_ROOT });
   settingsStatus.routingPreview = {
     dashboardTool: routeProfile({
@@ -782,6 +847,7 @@ function generateDashboard(feedbackDir, options = {}) {
     prevention,
     trend,
     health,
+    gateAudit,
     diagnostics,
     delegation,
     secretGuard,
@@ -790,6 +856,7 @@ function generateDashboard(feedbackDir, options = {}) {
     observability,
     instrumentation,
     readiness,
+    interventionPolicy,
     settingsStatus,
     team,
     templateLibrary,
@@ -809,6 +876,7 @@ function printDashboard(data) {
     prevention,
     trend,
     health,
+    gateAudit,
     diagnostics,
     delegation,
     secretGuard,
@@ -817,6 +885,7 @@ function printDashboard(data) {
     observability,
     instrumentation,
     readiness,
+    interventionPolicy,
     settingsStatus,
     team,
     templateLibrary,
@@ -862,6 +931,20 @@ function printDashboard(data) {
     console.log(`  Top Next Fix     : ${harness.topRecommendations[0].type} (${harness.topRecommendations[0].count} lessons)`);
   }
 
+  console.log('');
+  console.log('🧠 Learned Policy');
+  console.log(`  Enabled          : ${interventionPolicy.enabled ? 'yes' : 'no'}`);
+  console.log(`  Examples         : ${interventionPolicy.exampleCount}`);
+  console.log(`  Train Accuracy   : ${Math.round((interventionPolicy.metrics.trainingAccuracy || 0) * 100)}%`);
+  console.log(`  Holdout Accuracy : ${Math.round((interventionPolicy.metrics.holdoutAccuracy || 0) * 100)}%`);
+  console.log(`  Recent Pressure  : ${Math.round((interventionPolicy.nonAllowRate || 0) * 100)}% non-allow`);
+  if (interventionPolicy.updatedAt) {
+    console.log(`  Updated          : ${interventionPolicy.updatedAt}`);
+  }
+  if (interventionPolicy.topTokens && interventionPolicy.topTokens.deny && interventionPolicy.topTokens.deny[0]) {
+    console.log(`  Top Deny Signal  : ${interventionPolicy.topTokens.deny[0].token}`);
+  }
+
   console.log('');
   console.log('🎯 North Star');
   console.log(`  Weekly Proof Runs: ${analytics.northStar.weeklyActiveProofBackedWorkflowRuns}`);
@@ -1043,6 +1126,7 @@ module.exports = {
   computeSystemHealth,
   computeEfficiencyMetrics,
   computeHarnessOverview,
+  getInterventionPolicySummary,
   computeAnalyticsSummary,
   computeSecretGuardStats,
   computeObservabilityStats,

package/scripts/docker-sandbox-planner.js

@@ -0,0 +1,208 @@
+#!/usr/bin/env node
+'use strict';
+
+const path = require('node:path');
+
+const { classifyCommand } = require('./operational-integrity');
+
+const HIGH_RISK_ACTION_TYPES = new Set([
+  'shell.exec',
+  'file.delete',
+  'upload',
+  'message.send',
+]);
+
+function normalizeText(value) {
+  if (value === undefined || value === null) return '';
+  return String(value).trim();
+}
+
+function normalizeStringArray(values = []) {
+  if (!Array.isArray(values)) return [];
+  return Array.from(new Set(
+    values
+      .map((value) => normalizeText(value))
+      .filter(Boolean),
+  ));
+}
+
+function normalizeRiskBand(value) {
+  const normalized = normalizeText(value).toLowerCase();
+  if (['very_high', 'high', 'medium', 'low'].includes(normalized)) {
+    return normalized;
+  }
+  if (normalized === 'critical') return 'very_high';
+  return 'low';
+}
+
+function quoteShellArg(value) {
+  return `'${String(value).replaceAll('\'', String.raw`'\''`)}'`;
+}
+
+function buildNetworkPolicy(input = {}) {
+  const allowedHosts = normalizeStringArray(input.allowedHosts || input.egressAllowlist);
+  if (input.requiresNetwork !== true) {
+    return {
+      mode: 'deny_all',
+      allowedHosts: [],
+    };
+  }
+  return {
+    mode: allowedHosts.length > 0 ? 'allow_list' : 'egress_enabled',
+    allowedHosts,
+  };
+}
+
+function buildLaunchers(workspacePath) {
+  const suffix = workspacePath ? ` shell ${quoteShellArg(workspacePath)}` : ' shell';
+  return {
+    standalone: `sbx run${suffix}`,
+    dockerDesktop: `docker sandbox run${suffix}`,
+    followUp: workspacePath
+      ? [
+        'sbx list',
+        'docker sandbox ls',
+      ]
+      : [],
+  };
+}
+
+function buildSummary(shouldSandbox, recommendation) {
+  if (!shouldSandbox) {
+    return 'Current action can stay on the normal local execution path.';
+  }
+  if (recommendation === 'required') {
+    return 'Route this action into Docker Sandboxes before retrying so the run happens inside a disposable microVM instead of on the host.';
+  }
+  return 'Prefer Docker Sandboxes for this action to reduce host blast radius while keeping local autonomy.';
+}
+
+function buildWhy({
+  recommendation,
+  command,
+  riskBand,
+  actionType,
+  affectedFiles,
+}) {
+  const lines = [];
+  if (recommendation === 'required') {
+    lines.push('The predicted action is destructive or release-sensitive enough to justify host isolation.');
+  } else if (recommendation === 'recommended') {
+    lines.push('The predicted action is high-risk enough that isolated execution meaningfully reduces host blast radius.');
+  } else {
+    lines.push('The current action does not need a dedicated Docker sandbox boundary.');
+  }
+
+  if (command && /\brm\s+-rf\b/i.test(command)) {
+    lines.push('Recursive delete commands are safer when the filesystem boundary lives inside a disposable microVM.');
+  }
+  if (command && /\bgit\s+push\b.*(?:--force|-f)\b/i.test(command)) {
+    lines.push('Force-push flows should run in an isolated lane so host credentials and unrelated state stay out of scope.');
+  }
+  if (command && /\b(?:gh\s+pr\s+(?:create|merge)|npm\s+publish|yarn\s+publish|pnpm\s+publish)\b/i.test(command)) {
+    lines.push('PR, merge, and publish flows are governance-sensitive and benefit from a disposable execution boundary.');
+  }
+  if (HIGH_RISK_ACTION_TYPES.has(actionType)) {
+    lines.push(`Action type ${actionType} is in the high-risk set for local execution.`);
+  }
+  if (riskBand === 'very_high' || riskBand === 'high') {
+    lines.push(`Risk band ${riskBand} predicts elevated blast radius on the local host.`);
+  }
+  if (affectedFiles.length >= 4) {
+    lines.push(`The change touches ${affectedFiles.length} files, so host isolation improves recovery if the run goes sideways.`);
+  }
+  return lines;
+}
+
+function buildDockerSandboxPlan(input = {}) {
+  const toolName = normalizeText(input.toolName);
+  const actionType = normalizeText(input.actionType)
+    || (toolName === 'Bash' ? 'shell.exec' : '');
+  const command = normalizeText(input.command);
+  const repoPath = normalizeText(input.repoPath);
+  const workspacePath = repoPath ? path.resolve(repoPath) : null;
+  const affectedFiles = normalizeStringArray(input.affectedFiles || input.changedFiles || input.files);
+  const riskBand = normalizeRiskBand(input.riskBand || input.band);
+  const riskScore = Number.isFinite(Number(input.riskScore))
+    ? Number(Number(input.riskScore).toFixed(4))
+    : null;
+  const commandInfo = classifyCommand(command);
+  const destructiveCommand = /\brm\s+-rf\b/i.test(command)
+    || /\bgit\s+push\b.*(?:--force|-f)\b/i.test(command)
+    || /\bgh\s+pr\s+merge\b.*--admin\b/i.test(command);
+  const governedCommand = Boolean(
+    commandInfo.isPrCreate
+      || commandInfo.isPrMerge
+      || commandInfo.isPublish
+      || commandInfo.isReleaseCreate
+      || commandInfo.isTagCreate
+  );
+  const highRiskAction = HIGH_RISK_ACTION_TYPES.has(actionType)
+    || destructiveCommand
+    || governedCommand
+    || riskBand === 'high'
+    || riskBand === 'very_high';
+
+  let recommendation = 'not_needed';
+  if (destructiveCommand || commandInfo.isPublish || commandInfo.isReleaseCreate || actionType === 'upload' || actionType === 'message.send') {
+    recommendation = 'required';
+  } else if (highRiskAction || affectedFiles.length >= 4) {
+    recommendation = 'recommended';
+  }
+
+  const shouldSandbox = recommendation !== 'not_needed';
+  const networkPolicy = buildNetworkPolicy({
+    requiresNetwork: input.requiresNetwork === true || governedCommand || commandInfo.isPublish || actionType === 'upload' || actionType === 'message.send',
+    allowedHosts: input.allowedHosts,
+    egressAllowlist: input.egressAllowlist,
+  });
+  const launchers = buildLaunchers(workspacePath);
+  const summary = buildSummary(shouldSandbox, recommendation);
+
+  return {
+    plannerVersion: 'docker-sandbox-plan-v1',
+    shouldSandbox,
+    recommendation,
+    summary,
+    sandboxKind: shouldSandbox ? 'docker_microvm' : 'host',
+    workspacePath,
+    actionType: actionType || null,
+    riskBand,
+    riskScore,
+    command: command || null,
+    affectedFiles,
+    networkPolicy,
+    launchers,
+    claims: shouldSandbox ? {
+      isolationBoundary: 'microvm',
+      hostAccess: 'bounded_outside_host',
+      dockerDaemon: 'private_inside_sandbox',
+      workspaceStrategy: workspacePath ? 'directory_sync' : 'ephemeral',
+    } : null,
+    why: buildWhy({
+      recommendation,
+      command,
+      riskBand,
+      actionType,
+      affectedFiles,
+    }),
+  };
+}
+
+module.exports = {
+  HIGH_RISK_ACTION_TYPES,
+  buildDockerSandboxPlan,
+  buildLaunchers,
+  buildNetworkPolicy,
+  buildSummary,
+  normalizeRiskBand,
+};
+
+if (require.main === module) {
+  const plan = buildDockerSandboxPlan({
+    toolName: process.argv[2] || 'Bash',
+    command: process.argv.slice(3).join(' '),
+    repoPath: process.cwd(),
+  });
+  console.log(JSON.stringify(plan, null, 2));
+}

package/scripts/feedback-loop.js

@@ -377,6 +377,10 @@ function appendDiagnosticRecord(params = {}) {
     timestamp: params.timestamp || new Date().toISOString(),
   };
   appendJSONL(DIAGNOSTIC_LOG_PATH, record);
+  try {
+    const { trainAndPersistInterventionPolicy } = require('./intervention-policy');
+    trainAndPersistInterventionPolicy(getFeedbackPaths().FEEDBACK_DIR);
+  } catch { /* non-critical */ }
   return record;
 }
 
@@ -1090,6 +1094,10 @@ function captureFeedback(params) {
       const riskScorer = getRiskScorerModule();
       if (riskScorer) riskScorer.trainAndPersistRiskModel(FEEDBACK_DIR);
     } catch { /* non-critical */ }
+    try {
+      const { trainAndPersistInterventionPolicy } = require('./intervention-policy');
+      trainAndPersistInterventionPolicy(FEEDBACK_DIR);
+    } catch { /* non-critical */ }
     updateStatuslineWithLesson({
       accepted: false,
       signal,
@@ -1127,6 +1135,10 @@ function captureFeedback(params) {
       const riskScorer = getRiskScorerModule();
       if (riskScorer) riskScorer.trainAndPersistRiskModel(FEEDBACK_DIR);
     } catch { /* non-critical */ }
+    try {
+      const { trainAndPersistInterventionPolicy } = require('./intervention-policy');
+      trainAndPersistInterventionPolicy(FEEDBACK_DIR);
+    } catch { /* non-critical */ }
     return {
       accepted: false,
       signalLogged: true,
@@ -1285,6 +1297,10 @@ function captureFeedback(params) {
     const riskScorer = getRiskScorerModule();
     if (riskScorer) riskScorer.trainAndPersistRiskModel(FEEDBACK_DIR);
   } catch { /* non-critical */ }
+  try {
+    const { trainAndPersistInterventionPolicy } = require('./intervention-policy');
+    trainAndPersistInterventionPolicy(FEEDBACK_DIR);
+  } catch { /* non-critical */ }
   try {
     const toolName = feedbackEvent.toolName || feedbackEvent.tool_name || 'unknown';
     const toolInput = feedbackEvent.context || feedbackEvent.input || '';

package/scripts/github-about.js

@@ -12,6 +12,8 @@ const ROOT = path.join(__dirname, '..');
 const CONFIG_RELATIVE_PATH = path.join('config', 'github-about.json');
 const LEGACY_REPOSITORY_URL = 'https://github.com/IgorGanapolsky/thumbgate';
 const GITHUB_API_BASE_URL = 'https://api.github.com';
+const DEFAULT_VERIFY_ATTEMPTS = 5;
+const DEFAULT_VERIFY_DELAY_MS = 2000;
 
 function readText(root, relativePath) {
   return fs.readFileSync(path.join(root, relativePath), 'utf8');
@@ -296,6 +298,57 @@ async function fetchLiveGitHubAbout(options = {}) {
   };
 }
 
+function normalizePositiveInteger(value, fallback) {
+  const parsed = Number.parseInt(value, 10);
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : fallback;
+}
+
+function sleep(delayMs) {
+  return new Promise((resolve) => {
+    setTimeout(resolve, delayMs);
+  });
+}
+
+async function verifyLiveGitHubAbout(options = {}) {
+  const root = options.root || ROOT;
+  const expected = options.expected || loadGitHubAboutConfig(root);
+  const repo = normalizeText(options.repo) || expected.repo;
+  const label = options.label || `Live GitHub About (${repo})`;
+  const attempts = normalizePositiveInteger(options.attempts, DEFAULT_VERIFY_ATTEMPTS);
+  const delayMs = normalizePositiveInteger(options.delayMs, DEFAULT_VERIFY_DELAY_MS);
+  const fetcher = typeof options.fetcher === 'function' ? options.fetcher : fetchLiveGitHubAbout;
+  const sleeper = typeof options.sleep === 'function' ? options.sleep : sleep;
+  let actual = null;
+  let errors = [];
+
+  for (let attempt = 1; attempt <= attempts; attempt += 1) {
+    actual = await fetcher({
+      root,
+      repo,
+      token: options.token,
+    });
+    errors = compareGitHubAbout(expected, actual, label);
+    if (errors.length === 0) {
+      return {
+        ok: true,
+        actual,
+        attemptsUsed: attempt,
+        errors: [],
+      };
+    }
+    if (attempt < attempts) {
+      await sleeper(delayMs * attempt);
+    }
+  }
+
+  return {
+    ok: false,
+    actual,
+    attemptsUsed: attempts,
+    errors,
+  };
+}
+
 async function updateLiveGitHubAbout(options = {}) {
   const about = loadGitHubAboutConfig(options.root || ROOT);
   const repo = normalizeText(options.repo) || about.repo;
@@ -334,6 +387,8 @@ async function updateLiveGitHubAbout(options = {}) {
 }
 
 module.exports = {
+  DEFAULT_VERIFY_ATTEMPTS,
+  DEFAULT_VERIFY_DELAY_MS,
   LEGACY_REPOSITORY_URL,
   buildCanonicalRepoUrls,
   collectLocalGitHubAboutErrors,
@@ -347,4 +402,5 @@ module.exports = {
   normalizeTopics,
   normalizeUrl,
   updateLiveGitHubAbout,
+  verifyLiveGitHubAbout,
 };