thumbgate 1.14.1 → 1.15.0

package/.claude-plugin/marketplace.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate-marketplace",
-  "version": "1.14.1",
+  "version": "1.15.0",
   "owner": {
     "name": "Igor Ganapolsky",
     "email": "ig5973700@gmail.com"
@@ -13,7 +13,7 @@
         "source": "npm",
         "package": "thumbgate"
       },
-      "version": "1.14.1",
+      "version": "1.15.0",
       "author": {
         "name": "Igor Ganapolsky"
       },

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "thumbgate",
   "description": "Type 👍 or 👎 on any agent action. ThumbGate captures it, distills a lesson, and blocks the pattern from repeating. One thumbs-down = the agent physically cannot make that mistake again. 33 pre-action gates, budget enforcement, self-protection, and NIST/SOC2 compliance tags.",
-  "version": "1.14.1",
+  "version": "1.15.0",
   "author": {
     "name": "Igor Ganapolsky"
   },

package/.well-known/mcp/server-card.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate",
-  "version": "1.14.1",
+  "version": "1.15.0",
   "description": "ThumbGate — 👍👎 feedback that teaches your AI agent. Thumbs down a mistake, it never happens again.",
   "homepage": "https://thumbgate-production.up.railway.app",
   "transport": "stdio",

package/README.md

@@ -210,6 +210,7 @@ npx thumbgate doctor     # health check
 npx thumbgate capture    # create a gate from text
 npx thumbgate lessons    # see what's been learned
 npx thumbgate explore    # terminal explorer for lessons, gates, stats
+npx thumbgate native-messaging-audit  # inspect local browser bridges and extension hosts
 npx thumbgate dashboard  # open local dashboard
 npx thumbgate serve      # start MCP server on stdio
 npx thumbgate bench      # run reliability benchmark
@@ -335,7 +336,7 @@ Every Changeset is tied to the exact `main` merge commit and generates Verificat
 
 ---
 
-**Popular buyer questions:** **[Stop repeated AI agent mistakes](https://thumbgate-production.up.railway.app/guides/stop-repeated-ai-agent-mistakes?utm_source=github&utm_medium=readme&utm_campaign=buyer_questions)** · **[Autoresearch agent safety](https://thumbgate-production.up.railway.app/guides/autoresearch-agent-safety?utm_source=github&utm_medium=readme&utm_campaign=buyer_questions)** · **[Cursor guardrails](https://thumbgate-production.up.railway.app/guides/cursor-agent-guardrails?utm_source=github&utm_medium=readme&utm_campaign=buyer_questions)** · **[Codex CLI guardrails](https://thumbgate-production.up.railway.app/guides/codex-cli-guardrails?utm_source=github&utm_medium=readme&utm_campaign=buyer_questions)** · **[Gemini CLI memory + enforcement](https://thumbgate-production.up.railway.app/guides/gemini-cli-feedback-memory?utm_source=github&utm_medium=readme&utm_campaign=buyer_questions)**
+**Popular buyer questions:** **[Stop repeated AI agent mistakes](https://thumbgate-production.up.railway.app/guides/stop-repeated-ai-agent-mistakes?utm_source=github&utm_medium=readme&utm_campaign=buyer_questions)** · **[Browser automation safety](https://thumbgate-production.up.railway.app/guides/browser-automation-safety?utm_source=github&utm_medium=readme&utm_campaign=buyer_questions)** · **[Native messaging host security](https://thumbgate-production.up.railway.app/guides/native-messaging-host-security?utm_source=github&utm_medium=readme&utm_campaign=buyer_questions)** · **[Autoresearch agent safety](https://thumbgate-production.up.railway.app/guides/autoresearch-agent-safety?utm_source=github&utm_medium=readme&utm_campaign=buyer_questions)** · **[Cursor guardrails](https://thumbgate-production.up.railway.app/guides/cursor-agent-guardrails?utm_source=github&utm_medium=readme&utm_campaign=buyer_questions)** · **[Codex CLI guardrails](https://thumbgate-production.up.railway.app/guides/codex-cli-guardrails?utm_source=github&utm_medium=readme&utm_campaign=buyer_questions)** · **[Gemini CLI memory + enforcement](https://thumbgate-production.up.railway.app/guides/gemini-cli-feedback-memory?utm_source=github&utm_medium=readme&utm_campaign=buyer_questions)**
 
 **[Workflow Hardening Sprint](https://thumbgate-production.up.railway.app/?utm_source=github&utm_medium=readme&utm_campaign=top_cta#workflow-sprint-intake)** · **[Live Dashboard](https://thumbgate-production.up.railway.app/dashboard?utm_source=github&utm_medium=readme&utm_campaign=top_cta)**
 

package/adapters/claude/.mcp.json

@@ -2,13 +2,13 @@
   "mcpServers": {
     "thumbgate": {
       "command": "npx",
-      "args": ["--yes", "--package", "thumbgate@1.14.1", "thumbgate", "serve"]
+      "args": ["--yes", "--package", "thumbgate@1.15.0", "thumbgate", "serve"]
     }
   },
   "hooks": {
     "preToolUse": {
       "command": "npx",
-      "args": ["--yes", "--package", "thumbgate@1.14.1", "thumbgate", "gate-check"]
+      "args": ["--yes", "--package", "thumbgate@1.15.0", "thumbgate", "gate-check"]
     }
   }
 }

package/adapters/mcp/server-stdio.js

@@ -93,6 +93,7 @@ const { exportDatabricksBundle } = require('../../scripts/export-databricks-bund
 const { generateDashboard } = require('../../scripts/dashboard');
 const { getSettingsStatus } = require('../../scripts/settings-hierarchy');
 const { generateSkills } = require('../../scripts/skill-generator');
+const { buildNativeMessagingAudit } = require('../../scripts/native-messaging-audit');
 const {
   loadModel,
   getReliability,
@@ -157,7 +158,7 @@ const {
   finalizeSession: finalizeFeedbackSession,
 } = require('../../scripts/feedback-session');
 
-const SERVER_INFO = { name: 'thumbgate-mcp', version: '1.14.1' };
+const SERVER_INFO = { name: 'thumbgate-mcp', version: '1.15.0' };
 const COMMERCE_CATEGORIES = [
   'product_recommendation',
   'brand_compliance',
@@ -850,6 +851,12 @@ async function callToolInner(name, args) {
       return toTextResult(generateOrgDashboard({ windowHours: Number(args.windowHours || 24) }));
     case 'settings_status':
       return toTextResult(getSettingsStatus());
+    case 'native_messaging_audit':
+      return toTextResult(buildNativeMessagingAudit({
+        platform: args.platform,
+        homeDir: args.homeDir,
+        aiOnly: args.aiOnly === true,
+      }));
     case 'commerce_recall':
       enforceLimit('commerce_recall');
       return buildCommerceRecallResponse(args);

package/adapters/opencode/opencode.json

@@ -7,7 +7,7 @@
         "npx",
         "--yes",
         "--package",
-        "thumbgate@1.14.1",
+        "thumbgate@1.15.0",
         "thumbgate",
         "serve"
       ],

package/bin/cli.js

@@ -1475,6 +1475,52 @@ function gateStats() {
   console.log('\n' + formatStats(stats) + '\n');
 }
 
+function harnessAudit() {
+  const args = parseArgs(process.argv.slice(3));
+  const { buildHarnessOptimizationAudit } = require(path.join(PKG_ROOT, 'scripts', 'harness-selector'));
+  const audit = buildHarnessOptimizationAudit({
+    rootDir: CWD,
+    docTokenBudget: args['doc-token-budget'],
+  });
+
+  if (args.json) {
+    console.log(JSON.stringify(audit, null, 2));
+    return;
+  }
+
+  console.log('\nThumbGate Harness Optimization Audit');
+  console.log(`Status : ${audit.status}`);
+  console.log(`Score  : ${audit.score}/100`);
+  console.log(`Docs   : ~${audit.totals.globalDocEstimatedTokens} tokens across global agent docs`);
+  console.log(`MCP    : ${audit.totals.mcpToolCount} indexed tools; progressive discovery ${audit.signals.progressiveToolIndexPresent ? 'on' : 'missing'}`);
+  console.log(`Gates  : ${audit.totals.specializedHarnessCount} specialized harnesses`);
+  console.log('\nRecommendations:');
+  for (const recommendation of audit.recommendations) {
+    console.log(`  - ${recommendation}`);
+  }
+  console.log('');
+}
+
+function nativeMessagingAudit() {
+  const args = parseArgs(process.argv.slice(3));
+  const {
+    buildNativeMessagingAudit,
+    formatNativeMessagingAudit,
+  } = require(path.join(PKG_ROOT, 'scripts', 'native-messaging-audit'));
+  const report = buildNativeMessagingAudit({
+    homeDir: args['home-dir'],
+    platform: args.platform,
+    aiOnly: args['ai-only'] === true,
+  });
+
+  if (args.json) {
+    console.log(JSON.stringify(report, null, 2));
+    return;
+  }
+
+  process.stdout.write(formatNativeMessagingAudit(report));
+}
+
 function optimize() {
   const { optimize: doOptimize } = require(path.join(PKG_ROOT, 'scripts', 'optimize-context'));
   doOptimize();
@@ -1969,6 +2015,14 @@ switch (COMMAND) {
   case 'rules':
     rules();
     break;
+  case 'harness-audit':
+  case 'harness':
+    harnessAudit();
+    break;
+  case 'native-messaging-audit':
+  case 'bridge-audit':
+    nativeMessagingAudit();
+    break;
   case 'optimize':
     optimize();
     break;

package/config/enforcement.json

@@ -1,20 +1,72 @@
 {
   "$schema": "./enforcement.schema.json",
-  "description": "Loss matrix and enforcement knobs for the Bayes-optimal pre-tool-use gate. See scripts/bayes-optimal-gate.js for the decision math. Tags listed here mirror the canonical tags emitted by risk-scorer.buildPatternSummary. To disable tag-specific costs and fall back to a symmetric 1:1 decision, reduce any override to 1.0.",
+  "description": "Loss matrix and enforcement knobs for the Bayes-optimal pre-tool-use gate. See scripts/bayes-optimal-gate.js for the decision math. Tags listed here mirror the canonical tags emitted by risk-scorer.buildPatternSummary. Costs are relative: falseAllow[tag] is the regret of letting a harmful tool call through, falseBlock[tag] is the regret of blocking a safe one. resolveCost takes the max across matched tags, so a single high-cost tag dominates. To disable tag-specific costs and fall back to a symmetric 1:1 decision, reduce any override to 1.0.",
   "lossMatrix": {
     "falseAllow": {
       "default": 1.0,
-      "deploy-prod": 100.0,
-      "destructive": 50.0,
+
       "secrets": 1000.0,
-      "force-push-main": 200.0,
-      "data-loss": 500.0,
       "credentials": 800.0,
+      "env-file-edit": 700.0,
+      "env-override": 700.0,
+      "deploy-env-secret-exposure": 900.0,
+
+      "self-protect": 1500.0,
+      "kill-gate": 1500.0,
+      "hooks-disable": 1200.0,
+      "config-tamper": 1200.0,
+
+      "data-loss": 500.0,
+      "db-drop-production": 600.0,
+      "db-truncate-production": 600.0,
+      "db-delete-nowhere": 500.0,
+      "db-unmigrated-sql": 400.0,
+      "db-runtime-sqlite": 350.0,
+      "db-lancedb-wipe": 400.0,
+      "mcp-sql-delete": 400.0,
+      "mcp-sql-bulk-update": 250.0,
+
+      "destructive": 50.0,
       "rm-rf": 300.0,
-      "git-reset-hard": 100.0
+      "git-reset-hard": 100.0,
+      "force-push-main": 200.0,
+      "force-push": 150.0,
+      "protected-branch-push": 150.0,
+      "protected-file": 120.0,
+      "package-lock-reset": 75.0,
+
+      "deploy-prod": 100.0,
+      "deploy-unverified": 120.0,
+      "deploy-skip-ci": 150.0,
+      "deploy-publish-without-test": 180.0,
+      "deploy-version-drift": 90.0,
+      "production-change": 130.0,
+      "schema-migration": 150.0,
+      "permission-change": 140.0,
+
+      "supply-chain": 200.0,
+      "supply-chain-add": 200.0,
+      "unverified-skill": 160.0,
+      "blocked-npx": 180.0,
+      "network-egress": 250.0,
+      "unauthorized-egress": 250.0,
+
+      "pr-scope-violation": 80.0,
+      "admin-merge-bypass": 80.0,
+      "loop-abuse": 40.0,
+      "thread-unchecked-push": 40.0,
+      "generated-file-edit": 30.0,
+      "test-skip": 40.0,
+      "version-drift": 50.0,
+      "lockfile-manual": 60.0
     },
     "falseBlock": {
-      "default": 1.0
+      "default": 1.0,
+
+      "style-violation": 5.0,
+      "console-log-commit": 4.0,
+      "non-critical-warning": 5.0,
+      "large-file": 3.0
     }
   },
   "bayesOptimalEnabled": true,

package/config/gates/default.json

@@ -146,6 +146,28 @@
       "severity": "critical",
       "compliance": ["NIST-CM-5", "SOC2-CC8.1", "CWE-863"]
     },
+    {
+      "id": "git-reset-hard",
+      "layer": "Execution",
+      "trigger": "Bash:git_reset_hard",
+      "toolNames": ["Bash"],
+      "pattern": "(?:^|[;&|]\\s*)git\\s+reset\\s+--hard\\b",
+      "action": "block",
+      "message": "git reset --hard is blocked because it can destroy uncommitted work. Stash or use a non-destructive restore path with explicit user approval.",
+      "severity": "critical",
+      "compliance": ["NIST-CM-5", "SOC2-CC8.1", "CWE-863"]
+    },
+    {
+      "id": "git-clean-force",
+      "layer": "Execution",
+      "trigger": "Bash:git_clean_force",
+      "toolNames": ["Bash"],
+      "pattern": "(?:^|[;&|]\\s*)git\\s+clean\\s+(?:-[^\\s]*f[^\\s]*|--force)\\b",
+      "action": "block",
+      "message": "git clean --force is blocked because it can delete untracked user work. Inventory files and get explicit approval before destructive cleanup.",
+      "severity": "critical",
+      "compliance": ["NIST-CM-5", "SOC2-CC8.1", "CWE-863"]
+    },
     {
       "id": "protected-branch-push",
       "layer": "Execution",
@@ -155,6 +177,17 @@
       "message": "Direct push to protected branch. Use feature branches and PRs.",
       "severity": "critical"
     },
+    {
+      "id": "rm-rf-home-or-root",
+      "layer": "Execution",
+      "trigger": "Bash:rm_rf_home_or_root",
+      "toolNames": ["Bash"],
+      "pattern": "(?:^|[;&|]\\s*)rm\\s+-(?=[^\\s]*r)(?=[^\\s]*f)[^\\s]+\\s+(?:/|/\\*|~(?:/[^\\s]*)?|\\$HOME(?:/[^\\s]*)?)(?:\\s|$)",
+      "action": "block",
+      "message": "Broad rm -rf against root or home is blocked. Use a narrow, reviewed path and explicit approval for destructive deletes.",
+      "severity": "critical",
+      "compliance": ["NIST-CM-5", "SOC2-CC8.1", "CWE-732"]
+    },
     {
       "id": "env-file-edit",
       "layer": "Cloud",

package/config/mcp-allowlists.json

@@ -45,6 +45,7 @@
       "gate_stats",
       "dashboard",
       "settings_status",
+      "native_messaging_audit",
       "list_harnesses",
       "run_harness",
       "run_autoresearch",
@@ -139,6 +140,7 @@
       "gate_stats",
       "dashboard",
       "settings_status",
+      "native_messaging_audit",
       "get_business_metrics",
       "describe_semantic_entity",
       "get_reliability_rules",
@@ -173,6 +175,7 @@
       "gate_stats",
       "dashboard",
       "settings_status",
+      "native_messaging_audit",
       "get_business_metrics",
       "describe_semantic_entity",
       "get_reliability_rules",
@@ -199,6 +202,7 @@
       "check_operational_integrity",
       "workflow_sentinel",
       "settings_status",
+      "native_messaging_audit",
       "generate_operator_artifact"
     ]
   }

package/config/merge-quality-checks.json

@@ -6,7 +6,8 @@
     "Verify changeset",
     "SonarCloud Code Analysis",
     "GitGuardian Security Checks",
-    "Socket Security: Project Report"
+    "Socket Security: Project Report",
+    "Socket Security: Pull Request Alerts"
   ],
   "passingBuckets": [
     "pass",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate",
-  "version": "1.14.1",
+  "version": "1.15.0",
   "description": "Self-improving agent governance: type thumbs-up or thumbs-down on any AI agent action. ThumbGate turns every mistake into a prevention rule and blocks the pattern from repeating. One thumbs-down, never again. 33 pre-action gates, budget enforcement, and self-protection for Claude Code, Cursor, Codex, Gemini CLI, and Amp.",
   "homepage": "https://thumbgate-production.up.railway.app",
   "repository": {
@@ -15,7 +15,6 @@
     "thumbgate": "bin/cli.js"
   },
   "files": [
-    ".claude-plugin/README.md",
     ".claude-plugin/marketplace.json",
     ".claude-plugin/plugin.json",
     ".well-known/",
@@ -42,6 +41,7 @@
     "public/index.html",
     "public/learn.html",
     "public/lessons.html",
+    "public/numbers.html",
     "public/pro.html",
     "scripts/access-anomaly-detector.js",
     "scripts/agent-readiness.js",
@@ -125,6 +125,7 @@
     "scripts/internal-agent-bootstrap.js",
     "scripts/intervention-policy.js",
     "scripts/jsonl-watcher.js",
+    "scripts/lesson-canonical.js",
     "scripts/lesson-db.js",
     "scripts/lesson-inference.js",
     "scripts/lesson-reranker.js",
@@ -132,6 +133,7 @@
     "scripts/lesson-rotation.js",
     "scripts/lesson-search.js",
     "scripts/lesson-synthesis.js",
+    "scripts/rule-validator.js",
     "scripts/license.js",
     "scripts/llm-client.js",
     "scripts/mailer/index.js",
@@ -143,6 +145,7 @@
     "scripts/memory-firewall.js",
     "scripts/meta-agent-loop.js",
     "scripts/multimodal-retrieval-plan.js",
+    "scripts/native-messaging-audit.js",
     "scripts/natural-language-harness.js",
     "scripts/obsidian-export.js",
     "scripts/operational-dashboard.js",
@@ -208,7 +211,7 @@
     "scripts/workflow-sprint-intake.js",
     "scripts/workspace-evolver.js",
     "scripts/xmemory-lite.js",
-    "skills/",
+    "skills/thumbgate/SKILL.md",
     "src/"
   ],
   "scripts": {
@@ -265,10 +268,11 @@
     "trace:eval": "node scripts/decision-trace.js eval",
     "social:reply-monitor": "node scripts/social-reply-monitor.js",
     "social:reply-monitor:dry": "node scripts/social-reply-monitor.js --dry-run",
-    "test": "npm run test:schema && npm run test:loop && npm run test:dpo && npm run test:kto && npm run test:api && npm run test:proof && npm run test:e2e && npm run test:rlaif && npm run test:attribution && npm run test:quality && npm run test:intelligence && npm run test:training-export && npm run test:deployment && npm run test:operational-integrity && npm run test:workflow && npm run test:billing && npm run test:cli && npm run test:watcher && npm run test:autoresearch && npm run test:ops && npm run test:session-analyzer && npm run test:tessl && npm run test:gates && npm run test:evoskill && npm run test:gates-hardening && npm run test:workers && npm run test:social-analytics && npm run test:memalign && npm run test:xmemory-lite && npm run test:filesystem-search && npm run test:zernio && npm run test:platform-limits && npm run test:post-video && npm run test:post-everywhere-instagram && npm run test:post-everywhere-channels && npm run test:zernio-canonical-pollers && npm run test:zernio-status && npm run test:obsidian-export && npm run test:lesson-db && npm run test:lesson-rotation && npm run test:memory-dedup && npm run test:feedback-quality && npm run test:sync-version && npm run test:check-congruence && npm run test:tool-registry && npm run test:feedback-to-rules && npm run test:memory-firewall && npm run test:belief-update && npm run test:hosted-config && npm run test:operational-summary && npm run test:operator-artifacts && npm run test:operator-key-auth && npm run test:cloudflare-sandbox && npm run test:mcp-config && npm run test:plan-gate && npm run test:pulse && npm run test:semantic-layer && npm run test:data-pipeline && npm run test:optimize-context && npm run test:principle-extractor && npm run test:analytics-window && npm run test:funnel-analytics && npm run test:experiment-tracker && npm run test:build-metadata && npm run test:context-engine && npm run test:hf-papers && npm run test:marketing-experiment && npm run test:seo-gsd && npm run test:verify-run && npm run test:export-dpo-pairs && npm run test:export-hf-dataset && npm run test:license && npm run test:bot-detector && npm run test:postinstall && npm run test:funnel-invariants && npm run test:cli-telemetry && npm run test:pro-parity && npm run test:model-tier-router && npm run test:computer-use-firewall && npm run test:skill-exporter && npm run test:statusline && npm run test:evolution && npm run test:org-dashboard && npm run test:multi-hop-recall && npm run test:synthetic-dpo && npm run test:thumbgate-skill && npm run test:learn-hub && npm run test:feedback-fallback && npm run test:metaclaw && npm run test:server-lock && npm run test:control-tower && npm run test:pii-scanner && npm run test:data-governance && npm run test:lesson-inference && npm run test:semantic-dedup && npm run test:fs-utils && npm run test:cli-schema && npm run test:explore && npm run test:lesson-reranker && npm run test:lesson-retrieval && npm run test:cross-encoder && npm run test:reflector-agent && npm run test:feedback-session && npm run test:feedback-history-distiller && npm run test:hallucination-detector && npm run test:history-distiller && npm run test:predictive-insights && npm run test:prove-predictive-insights && npm run test:statusbar-cli && npm run test:generate-instagram-card && npm run test:instagram-thumbgate-post && npm run test:publish-instagram-thumbgate && npm run test:lesson-synthesis && npm run test:background-governance && npm run test:memory-migration && npm run test:prompt-dlp && npm run test:ephemeral-store && npm run test:agent-security && npm run test:skill-progressive && npm run test:per-step-scoring && npm run test:weekly-auto-post && npm run test:social-post-hourly && npm run test:social-quality-gate && npm run test:a2ui-engine && npm run test:gate-satisfy && npm run test:money-watcher && npm run test:budget && npm run test:quick-start && npm run test:utm && npm run test:product-feedback && npm run test:feedback-root-consolidator && npm run test:engagement-audit && npm run test:install-growth-automation && npm run test:publish-thumbgate-launch && npm run test:reconcile-thumbgate-campaign && npm run test:reddit-publisher && npm run test:schedule-thumbgate-campaign && npm run test:social-reply-monitor && npm run test:sync-launch-assets && npm run test:ai-search-visibility && npm run test:perplexity && npm run test:security-scanner && npm run test:llm-client && npm run test:managed-lesson-agent && npm run test:self-distill && npm run test:meta-agent && npm run test:harness-selector && npm run test:thumbgate-bench && npm run test:seo-guides && npm run test:enforcement-loop && npm run test:cli-agent-experience && npm run test:bot-detection && npm run test:checkout-bot-guard && npm run test:session-health && npm run test:session-episodes && npm run test:spec-gate && npm run test:decision-trace && npm run test:dashboard-insights && npm run test:prompt-eval && npm run test:demo-voiceover && npm run test:gate-coherence && npm run test:gate-eval && npm run test:high-roi && npm run test:public-static-assets && npm run test:token-savings && npm run test:workflow-gate-checkpoint && npm run test:lesson-export-import && npm run test:landing-page-claims && npm run test:dashboard-deeplink-e2e && npm run test:public-package-parity && npm run test:token-savings-dashboard && npm run test:cursor-wiring && npm run test:pretooluse-injection && npm run test:recent-corrective-context && npm run test:durability-step && npm run test:mailer && npm run test:brand-assets && npm run test:enforcement-teeth && npm run test:bayes-optimal-gate && npm run test:swarm-coordinator && npm run test:session-report && npm run test:require-evidence-gate",
+    "test": "npm run test:schema && npm run test:loop && npm run test:dpo && npm run test:kto && npm run test:api && npm run test:proof && npm run test:e2e && npm run test:rlaif && npm run test:attribution && npm run test:quality && npm run test:intelligence && npm run test:training-export && npm run test:deployment && npm run test:operational-integrity && npm run test:workflow && npm run test:billing && npm run test:cli && npm run test:watcher && npm run test:autoresearch && npm run test:ops && npm run test:session-analyzer && npm run test:tessl && npm run test:gates && npm run test:evoskill && npm run test:gates-hardening && npm run test:workers && npm run test:social-analytics && npm run test:memalign && npm run test:xmemory-lite && npm run test:filesystem-search && npm run test:zernio && npm run test:platform-limits && npm run test:post-video && npm run test:post-everywhere-instagram && npm run test:post-everywhere-channels && npm run test:zernio-canonical-pollers && npm run test:zernio-status && npm run test:obsidian-export && npm run test:lesson-db && npm run test:lesson-rotation && npm run test:memory-dedup && npm run test:feedback-quality && npm run test:sync-version && npm run test:check-congruence && npm run test:tool-registry && npm run test:feedback-to-rules && npm run test:memory-firewall && npm run test:belief-update && npm run test:hosted-config && npm run test:operational-summary && npm run test:operator-artifacts && npm run test:operator-key-auth && npm run test:cloudflare-sandbox && npm run test:mcp-config && npm run test:plan-gate && npm run test:pulse && npm run test:semantic-layer && npm run test:data-pipeline && npm run test:optimize-context && npm run test:principle-extractor && npm run test:analytics-window && npm run test:funnel-analytics && npm run test:experiment-tracker && npm run test:build-metadata && npm run test:context-engine && npm run test:hf-papers && npm run test:marketing-experiment && npm run test:seo-gsd && npm run test:verify-run && npm run test:export-dpo-pairs && npm run test:export-hf-dataset && npm run test:license && npm run test:bot-detector && npm run test:postinstall && npm run test:funnel-invariants && npm run test:cli-telemetry && npm run test:pro-parity && npm run test:model-tier-router && npm run test:computer-use-firewall && npm run test:skill-exporter && npm run test:statusline && npm run test:evolution && npm run test:org-dashboard && npm run test:multi-hop-recall && npm run test:synthetic-dpo && npm run test:thumbgate-skill && npm run test:learn-hub && npm run test:feedback-fallback && npm run test:metaclaw && npm run test:server-lock && npm run test:control-tower && npm run test:pii-scanner && npm run test:data-governance && npm run test:lesson-inference && npm run test:semantic-dedup && npm run test:fs-utils && npm run test:cli-schema && npm run test:explore && npm run test:lesson-reranker && npm run test:lesson-retrieval && npm run test:cross-encoder && npm run test:reflector-agent && npm run test:feedback-session && npm run test:feedback-history-distiller && npm run test:hallucination-detector && npm run test:history-distiller && npm run test:predictive-insights && npm run test:prove-predictive-insights && npm run test:statusbar-cli && npm run test:generate-instagram-card && npm run test:instagram-thumbgate-post && npm run test:publish-instagram-thumbgate && npm run test:lesson-synthesis && npm run test:lesson-canonical && npm run test:background-governance && npm run test:memory-migration && npm run test:prompt-dlp && npm run test:ephemeral-store && npm run test:agent-security && npm run test:skill-progressive && npm run test:per-step-scoring && npm run test:weekly-auto-post && npm run test:social-post-hourly && npm run test:social-quality-gate && npm run test:a2ui-engine && npm run test:gate-satisfy && npm run test:money-watcher && npm run test:budget && npm run test:quick-start && npm run test:utm && npm run test:product-feedback && npm run test:feedback-root-consolidator && npm run test:engagement-audit && npm run test:install-growth-automation && npm run test:publish-thumbgate-launch && npm run test:reconcile-thumbgate-campaign && npm run test:reddit-publisher && npm run test:schedule-thumbgate-campaign && npm run test:social-reply-monitor && npm run test:sync-launch-assets && npm run test:ai-search-visibility && npm run test:perplexity && npm run test:security-scanner && npm run test:llm-client && npm run test:managed-lesson-agent && npm run test:self-distill && npm run test:meta-agent && npm run test:harness-selector && npm run test:thumbgate-bench && npm run test:seo-guides && npm run test:enforcement-loop && npm run test:cli-agent-experience && npm run test:bot-detection && npm run test:checkout-bot-guard && npm run test:session-health && npm run test:session-episodes && npm run test:spec-gate && npm run test:decision-trace && npm run test:dashboard-insights && npm run test:prompt-eval && npm run test:demo-voiceover && npm run test:gate-coherence && npm run test:gate-eval && npm run test:high-roi && npm run test:public-static-assets && npm run test:token-savings && npm run test:numbers-page && npm run test:workflow-gate-checkpoint && npm run test:lesson-export-import && npm run test:landing-page-claims && npm run test:dashboard-deeplink-e2e && npm run test:public-package-parity && npm run test:token-savings-dashboard && npm run test:cursor-wiring && npm run test:pretooluse-injection && npm run test:recent-corrective-context && npm run test:durability-step && npm run test:mailer && npm run test:brand-assets && npm run test:enforcement-teeth && npm run test:bayes-optimal-gate && npm run test:swarm-coordinator && npm run test:session-report && npm run test:require-evidence-gate && npm run test:rule-validator && npm run test:bluesky-atproto && npm run test:social-reply-monitor-bluesky && npm run test:bluesky-delete-replies && npm run test:architect-kit-memory-bridge && npm run test:sonar-review-hotspots",
     "test:swarm-coordinator": "node --test tests/swarm-coordinator.test.js",
     "test:session-report": "node --test tests/session-report.test.js",
     "test:require-evidence-gate": "node --test tests/require-evidence-gate.test.js",
+    "test:rule-validator": "node --test tests/rule-validator.test.js",
     "test:session-health": "node --test tests/session-health-sensor.test.js",
     "test:session-episodes": "node --test tests/session-episode-store.test.js",
     "test:spec-gate": "node --test tests/spec-gate.test.js",
@@ -345,7 +349,7 @@
     "test:evolution": "node --test tests/workspace-evolver.test.js",
     "test:watcher": "node --test tests/jsonl-watcher.test.js",
     "test:autoresearch": "node --test tests/autoresearch.test.js",
-    "test:ops": "node --test tests/adk-consolidator.test.js tests/anthropic-partner-strategy.test.js tests/auto-promote-gates.test.js tests/auto-wire-hooks.test.js tests/claude-skill.test.js tests/codegraph-context.test.js tests/commercial-signals.test.js tests/decision-journal.test.js tests/delegation-runtime.test.js tests/disagreement-mining.test.js tests/failure-diagnostics.test.js tests/gate-stats.test.js tests/github-billing.test.js tests/intervention-policy.test.js tests/markdown-escape.test.js tests/mcp-tools-gates.test.js tests/project-bayes-e2e.test.js tests/project-bayes.test.js tests/rate-limiter.test.js tests/schedule-manager.test.js tests/session-handoff.test.js tests/skill-generator.test.js tests/smart-learning.test.js tests/spike-and-sink.test.js tests/stripe-revenue.test.js tests/stripe-webhook-route.test.js tests/stripe-webhook-rotation.test.js tests/train-from-feedback.test.js tests/workflow-hardening-sprint.test.js tests/workflow-sentinel.test.js tests/test-suite-parity.test.js tests/a2ui-engine.test.js tests/webhook-delivery.test.js",
+    "test:ops": "node --test tests/adk-consolidator.test.js tests/anthropic-partner-strategy.test.js tests/auto-promote-gates.test.js tests/auto-wire-hooks.test.js tests/claude-skill.test.js tests/codegraph-context.test.js tests/commercial-signals.test.js tests/decision-journal.test.js tests/delegation-runtime.test.js tests/disagreement-mining.test.js tests/failure-diagnostics.test.js tests/gate-stats.test.js tests/git-hook-installer.test.js tests/github-billing.test.js tests/intervention-policy.test.js tests/markdown-escape.test.js tests/mcp-tools-gates.test.js tests/native-messaging-audit.test.js tests/project-bayes-e2e.test.js tests/project-bayes.test.js tests/rate-limiter.test.js tests/schedule-manager.test.js tests/session-handoff.test.js tests/skill-generator.test.js tests/smart-learning.test.js tests/spike-and-sink.test.js tests/stripe-revenue.test.js tests/stripe-webhook-route.test.js tests/stripe-webhook-rotation.test.js tests/train-from-feedback.test.js tests/workflow-hardening-sprint.test.js tests/workflow-sentinel.test.js tests/test-suite-parity.test.js tests/a2ui-engine.test.js tests/webhook-delivery.test.js",
     "test:session-analyzer": "node --test tests/session-analyzer.test.js",
     "test:tessl": "node --test tests/tessl-export.test.js",
     "test:gates": "node --test tests/gate-templates.test.js tests/gates-engine.test.js tests/claim-verification.test.js tests/secret-scanner.test.js tests/prompt-guard.test.js tests/audit-trail.test.js tests/profile-router.test.js tests/workflow-sentinel.test.js tests/docker-sandbox-planner.test.js",
@@ -439,6 +443,7 @@
     "test:instagram-thumbgate-post": "node --test tests/instagram-thumbgate-post.test.js",
     "test:publish-instagram-thumbgate": "node --test tests/publish-instagram-thumbgate.test.js",
     "test:lesson-synthesis": "node --test tests/lesson-synthesis.test.js",
+    "test:lesson-canonical": "node --test tests/lesson-canonical.test.js",
     "test:background-governance": "node --test tests/background-governance.test.js",
     "test:memory-migration": "node --test tests/memory-migration.test.js",
     "test:prompt-dlp": "node --test tests/prompt-dlp.test.js",
@@ -467,6 +472,12 @@
     "test:reconcile-thumbgate-campaign": "node --test tests/reconcile-thumbgate-campaign.test.js",
     "test:schedule-thumbgate-campaign": "node --test tests/schedule-thumbgate-campaign.test.js",
     "test:social-reply-monitor": "node --test tests/social-reply-monitor.test.js",
+    "test:bluesky-atproto": "node --test tests/bluesky-atproto.test.js",
+    "test:social-reply-monitor-bluesky": "node --test tests/social-reply-monitor-bluesky.test.js",
+    "test:bluesky-delete-replies": "node --test tests/bluesky-delete-replies.test.js",
+    "test:architect-kit-memory-bridge": "node --test tests/architect-kit-memory-bridge.test.js",
+    "test:sonar-review-hotspots": "node --test tests/sonar-review-hotspots.test.js",
+    "integrations:architect-kit:import": "node scripts/integrations/architect-kit-memory-bridge.js",
     "test:sync-launch-assets": "node --test tests/sync-launch-assets.test.js",
     "test:reddit-publisher": "node --test tests/reddit-publisher.test.js",
     "test:engagement-audit": "node --test tests/engagement-audit.test.js",
@@ -508,6 +519,7 @@
     "test:high-roi": "node --test tests/high-roi.test.js tests/autonomous-workflow.test.js",
     "test:public-static-assets": "node --test tests/public-static-assets.test.js",
     "test:token-savings": "node --test tests/token-savings.test.js",
+    "test:numbers-page": "node --test tests/numbers-page.test.js",
     "test:workflow-gate-checkpoint": "node --test tests/workflow-gate-checkpoint.test.js tests/autonomous-workflow.test.js",
     "workflow:autonomous": "node scripts/autonomous-workflow.js",
     "test:lesson-export-import": "node --test tests/lesson-export-import.test.js",

package/public/codex-plugin.html

@@ -26,10 +26,15 @@
   "downloadUrl": "https://github.com/IgorGanapolsky/ThumbGate/releases/latest/download/thumbgate-codex-plugin.zip",
   "installUrl": "https://thumbgate-production.up.railway.app/codex-plugin",
   "license": "https://opensource.org/licenses/MIT",
+  "dateModified": "2026-04-20",
   "creator": {
     "@type": "Person",
     "name": "Igor Ganapolsky",
-    "url": "https://github.com/IgorGanapolsky"
+    "url": "https://github.com/IgorGanapolsky",
+    "sameAs": [
+      "https://github.com/IgorGanapolsky",
+      "https://www.linkedin.com/in/igorganapolsky"
+    ]
   },
   "offers": {
     "@type": "Offer",
@@ -189,6 +194,7 @@
     <div class="wrap">
       <div class="eyebrow">Codex MCP plugin + Pre-Action Gates</div>
       <h1>Give Codex a thumbs-down once. Block the repeat before it runs again.</h1>
+      <p class="sub" style="font-size:13px;opacity:0.85;">Updated: <time datetime="2026-04-20">2026-04-20</time> · by <a href="https://github.com/IgorGanapolsky" style="color:inherit;">Igor Ganapolsky</a></p>
       <p class="sub">ThumbGate wires Codex into local-first feedback memory, MCP tools, and hook enforcement. The launcher resolves <code>thumbgate@latest</code> when Codex starts, so published npm fixes reach your active MCP server after a restart.</p>
       <div class="actions">
         <a class="button primary" href="https://github.com/IgorGanapolsky/ThumbGate/releases/latest/download/thumbgate-codex-plugin.zip" target="_blank" rel="noopener" onclick="if(typeof plausible==='function')plausible('codex_plugin_download')">Download Codex plugin</a>

package/public/dashboard.html

@@ -11,6 +11,26 @@
 <meta name="robots" content="noindex">
 <!-- Privacy-friendly analytics by Plausible -->
 <script defer data-domain="thumbgate-production.up.railway.app" src="https://plausible.io/js/script.js"></script>
+<script type="application/ld+json">
+{
+  "@context": "https://schema.org",
+  "@type": "WebApplication",
+  "name": "ThumbGate Dashboard",
+  "applicationCategory": "DeveloperApplication",
+  "operatingSystem": "Cross-platform",
+  "url": "https://thumbgate-production.up.railway.app/dashboard",
+  "dateModified": "2026-04-20",
+  "creator": {
+    "@type": "Person",
+    "name": "Igor Ganapolsky",
+    "url": "https://github.com/IgorGanapolsky",
+    "sameAs": [
+      "https://github.com/IgorGanapolsky",
+      "https://www.linkedin.com/in/igorganapolsky"
+    ]
+  }
+}
+</script>
 <script src="https://cdn.jsdelivr.net/npm/chart.js@4.4.7/dist/chart.umd.min.js"></script>
 <style>
   *, *::before, *::after { margin: 0; padding: 0; box-sizing: border-box; }
@@ -200,6 +220,7 @@
 
   <div style="margin:0 0 24px;padding:24px;background:linear-gradient(135deg,rgba(34,211,238,0.08),rgba(74,222,128,0.05));border:1px solid rgba(34,211,238,0.2);border-radius:12px;">
     <h1 style="font-size:22px;font-weight:700;margin-bottom:8px;letter-spacing:-0.02em;">🔍 Operations Dashboard</h1>
+    <p style="font-size:12px;color:var(--text-muted);margin-bottom:8px;">Updated: <time datetime="2026-04-20">2026-04-20</time> · by <a href="https://github.com/IgorGanapolsky" style="color:inherit;">Igor Ganapolsky</a></p>
     <p style="font-size:14px;color:var(--text-muted);line-height:1.6;max-width:700px;">What's happening right now? Search memories, inspect active gates, manage your team, and export training data. <span style="color:var(--cyan);font-weight:600;">This is your control plane for AI agent behavior.</span></p>
     <div style="display:flex;gap:16px;margin-top:12px;font-size:12px;color:var(--text-muted);">
       <span>🔍 <strong style="color:var(--text);">Search</strong> — find any memory</span>
@@ -211,7 +232,7 @@
 
   <div class="demo-banner" id="demoBanner" style="display:none;">
     <span>📊 <strong>Demo Mode</strong> — sample data. Pro unlocks your personal dashboard with search, DPO export, and gate analytics.</span>
-    <a href="https://buy.stripe.com/7sYcN5bmIf5IcSd8qf3sI0a" target="_blank" rel="noopener" style="background:#b85c2d;color:#fff;padding:6px 14px;border-radius:8px;text-decoration:none;font-weight:700;white-space:nowrap;">Start 7-day free trial</a>
+    <a href="/go/pro?utm_source=dashboard_demo" rel="noopener" style="background:#b85c2d;color:#fff;padding:6px 14px;border-radius:8px;text-decoration:none;font-weight:700;white-space:nowrap;">Start 7-day free trial</a>
   </div>
 
   <!-- STATS -->
@@ -1216,7 +1237,7 @@ function loadDemo() {
     '<span style="color:#ffb98a;font-weight:700;">Live demo data below.</span> ' +
     'Point ThumbGate at your own feedback to see <em>your</em> gates, lessons, and team signals — no signup required.' +
     '</div>' +
-    '<a href="https://buy.stripe.com/7sYcN5bmIf5IcSd8qf3sI0a" target="_blank" rel="noopener" ' +
+    '<a href="/go/pro?utm_source=dashboard_live" rel="noopener" ' +
     'style="flex:none;background:#b85c2d;color:#fff;padding:8px 18px;border-radius:8px;text-decoration:none;font-weight:700;font-size:13px;white-space:nowrap;">Go Pro — $19/mo</a>' +
     '</div>';
   document.getElementById('searchResults').innerHTML = upgradeBanner + teaserHtml;

package/public/index.html

@@ -903,6 +903,24 @@ __GA_BOOTSTRAP__
         <p>The core concept explained in plain language: how thumbs up, thumbs down, and runtime enforcement work together to prevent repeated failures.</p>
         <div class="card-arrow">Read the guide →</div>
       </a>
+      <a class="seo-card" href="/guides/agent-harness-optimization">
+        <div class="seo-kicker">Harness</div>
+        <h3>AI Agent Harness Optimization</h3>
+        <p>Keep global prompts lean, load MCP schemas on demand, and turn harness lessons into Pre-Action Gates that block repeat failures.</p>
+        <div class="card-arrow">Audit your harness →</div>
+      </a>
+      <a class="seo-card" href="/guides/browser-automation-safety">
+        <div class="seo-kicker">Browser Safety</div>
+        <h3>Browser Automation Safety for AI Agents</h3>
+        <p>See how prompt injection, cross-app bridges, and silent connector installs turn browser-use into a governance problem, then audit what is already wired on disk.</p>
+        <div class="card-arrow">Read the browser safety guide →</div>
+      </a>
+      <a class="seo-card" href="/guides/native-messaging-host-security">
+        <div class="seo-kicker">Native Messaging</div>
+        <h3>Native Messaging Host Security</h3>
+        <p>Audit local browser bridges, missing host binaries, and pre-authorized extension paths before a desktop agent turns a one-off experiment into a durable integration.</p>
+        <div class="card-arrow">Run the bridge audit →</div>
+      </a>
       <a class="seo-card" href="/guides/claude-code-feedback">
         <div class="seo-kicker">Integration</div>
         <h3>Claude Code Feedback Memory That Enforces</h3>
@@ -974,7 +992,7 @@ __GA_BOOTSTRAP__
 <!-- HOW IT WORKS -->
 <section class="how-it-works" id="how-it-works">
   <div class="container">
-    <div class="section-label">New in v1.14.1</div>
+    <div class="section-label">New in v1.15.0</div>
     <h2 class="section-title">Three steps to stop repeated AI failures</h2>
     <div class="steps">
       <div class="step">
@@ -1330,7 +1348,7 @@ __GA_BOOTSTRAP__
       <a href="https://www.linkedin.com/in/igorganapolsky" target="_blank" rel="noopener">LinkedIn</a>
       <a href="/blog">Blog</a>
     </div>
-    <span class="footer-copy">© 2026 Max Smith KDP LLC · MIT License · v1.14.1</span>
+    <span class="footer-copy">© 2026 Max Smith KDP LLC · MIT License · v1.15.0</span>
   </div>
 </footer>