thumbgate 1.14.1 → 1.16.0

package/scripts/perplexity-client.js

@@ -110,7 +110,7 @@ function extractCitations(response) {
 
 class PerplexityClient {
   constructor(options = {}) {
-    this.apiKey = options.apiKey || process.env.PERPLEXITY_API_KEY || '';
+    this.apiKey = options.apiKey ?? process.env.PERPLEXITY_API_KEY ?? '';
     this.baseUrl = options.baseUrl || process.env.PERPLEXITY_BASE_URL || DEFAULT_BASE_URL;
     this.fetchFn = options.fetchFn || globalThis.fetch;
     this.timeoutMs = Number(options.timeoutMs || process.env.PERPLEXITY_TIMEOUT_MS || DEFAULT_TIMEOUT_MS);

package/scripts/post-training-governance.js

@@ -0,0 +1,34 @@
+#!/usr/bin/env node
+'use strict';
+
+function evaluatePostTrainingPlan(input = {}) {
+  const mode = String(input.mode || '').toLowerCase();
+  const issues = [];
+  if (!['sft', 'rl', 'grpo', 'gspo'].includes(mode)) issues.push('unsupported_post_training_mode');
+  if (!input.dataset) issues.push('missing_dataset');
+  if (!input.baseCheckpoint) issues.push('missing_base_checkpoint');
+  if (input.piiRedacted !== true) issues.push('pii_redaction_required');
+  if (input.holdoutEval !== true) issues.push('holdout_eval_required');
+  if (input.rewardSpecRequired !== false && ['rl', 'grpo', 'gspo'].includes(mode) && !input.rewardSpec) {
+    issues.push('missing_reward_spec');
+  }
+  if (input.maxSpendCents === undefined) issues.push('missing_spend_cap');
+
+  return {
+    mode,
+    decision: issues.length === 0 ? 'allow' : 'warn',
+    issues,
+    requiredArtifacts: [
+      'dataset manifest',
+      'PII redaction report',
+      'base checkpoint',
+      'holdout eval report',
+      'spend cap',
+      ['rl', 'grpo', 'gspo'].includes(mode) ? 'reward specification' : null,
+    ].filter(Boolean),
+  };
+}
+
+module.exports = {
+  evaluatePostTrainingPlan,
+};

package/scripts/pr-manager.js

@@ -90,9 +90,18 @@ function resolveGhBinary(options = {}) {
   throw new Error(`Unable to locate GH CLI in fixed paths: ${candidates.join(', ')}`);
 }
 
+function buildGhEnv(baseEnv = process.env) {
+  const env = { ...baseEnv };
+  if (!env.GH_TOKEN && !env.GITHUB_TOKEN && env.GH_PAT) {
+    env.GH_TOKEN = env.GH_PAT;
+  }
+  return env;
+}
+
 function runGh(args, options = {}) {
   return spawnSync(resolveGhBinary(options), assertSafeGhArgs(args), {
     encoding: 'utf-8',
+    env: buildGhEnv(options.env || process.env),
     stdio: ['ignore', 'pipe', 'pipe'],
   });
 }
@@ -154,7 +163,8 @@ function isOpenPr(pr) {
 
 function loadManagedPrs(prNumber = '', runner = runGh) {
   if (prNumber) {
-    return [getPrStatus(prNumber, runner)];
+    const explicitPr = getPrStatus(prNumber, runner);
+    return isOpenPr(explicitPr) ? [explicitPr] : [];
   }
 
   const currentBranchPr = getPrStatus('', runner);
@@ -336,11 +346,40 @@ function waitForMergeCommit(prNumber, runner = runGh, options = {}) {
   };
 }
 
+function submitTrunkMergeRequest(prNumber, runner = runGh) {
+  const normalizedPrNumber = normalizePrNumber(prNumber, { allowEmpty: false });
+  const args = ['pr', 'comment', normalizedPrNumber, '--body', '/trunk merge'];
+  console.log(`[PR Manager] Requesting Trunk merge queue for PR #${normalizedPrNumber}...`);
+  const result = runner(args);
+  if (result.status !== 0) {
+    console.error(`[PR Manager] Queue request failed: ${formatGhError(result)}`);
+    return { ok: false, mode: 'failed', args, error: formatGhError(result) };
+  }
+
+  console.log(`[PR Manager] Queue request accepted for PR #${normalizedPrNumber} (/trunk merge).`);
+  return {
+    ok: true,
+    mode: 'queued',
+    args,
+    finalized: false,
+    merged: false,
+    reason: 'merge_commit_pending',
+  };
+}
+
 /**
  * Perform autonomous merge
  */
-function performMerge(prNumber, runner = runGh, options = {}) {
-  const normalizedPrNumber = normalizePrNumber(prNumber, { allowEmpty: false });
+function performMerge(prInput, runner = runGh, options = {}) {
+  const pr = (prInput && typeof prInput === 'object')
+    ? prInput
+    : { number: prInput, baseRefName: options.baseRefName || '' };
+  const normalizedPrNumber = normalizePrNumber(pr.number, { allowEmpty: false });
+
+  if (String(pr.baseRefName || '').toLowerCase() === 'main') {
+    return submitTrunkMergeRequest(normalizedPrNumber, runner);
+  }
+
   const args = ['pr', 'merge', normalizedPrNumber, '--squash', '--delete-branch'];
   console.log(`[PR Manager] Initiating protected squash merge for PR #${normalizedPrNumber}...`);
   const result = runner(args);
@@ -352,10 +391,10 @@ function performMerge(prNumber, runner = runGh, options = {}) {
       ? { finalized: false, merged: false, reason: 'merge_commit_pending' }
       : waitForMergeCommit(normalizedPrNumber, runner, options);
     return { ok: true, mode, args, ...mergeStatus };
-  } else {
-    console.error(`[PR Manager] Merge failed: ${formatGhError(result)}`);
-    return { ok: false, mode: 'failed', args, error: formatGhError(result) };
   }
+
+  console.error(`[PR Manager] Merge failed: ${formatGhError(result)}`);
+  return { ok: false, mode: 'failed', args, error: formatGhError(result) };
 }
 
 async function managePrs(prNumber = '', runner = runGh, options = {}) {
@@ -370,7 +409,7 @@ async function managePrs(prNumber = '', runner = runGh, options = {}) {
   for (const pr of prs) {
     const outcome = await resolveBlockers(pr, runner);
     if (outcome.status === 'ready') {
-      const mergeResult = performMerge(pr.number, runner, options);
+      const mergeResult = performMerge(pr, runner, options);
       outcome.mergeRequested = mergeResult.ok;
       outcome.mergeMode = mergeResult.mode;
       if (mergeResult.mergeCommit) {
@@ -406,6 +445,7 @@ if (require.main === module) {
 
 module.exports = {
   assertSafeGhArgs,
+  buildGhEnv,
   getPrStatus,
   getPrChecks,
   listOpenPrs,

package/scripts/private-core-boundary.js

@@ -0,0 +1,72 @@
+'use strict';
+
+const path = require('node:path');
+
+function normalizeRequest(request) {
+  return String(request || '').trim();
+}
+
+function isOptionalModuleMissing(error, request) {
+  if (!error || error.code !== 'MODULE_NOT_FOUND') {
+    return false;
+  }
+  const message = String(error?.message || '');
+  const normalizedRequest = normalizeRequest(request);
+  const basename = path.basename(normalizedRequest);
+  return [normalizedRequest, basename]
+    .filter(Boolean)
+    .some((candidate) => message.includes(candidate));
+}
+
+function loadOptionalModule(request, fallbackFactory) {
+  try {
+    return require(request);
+  } catch (error) {
+    if (!isOptionalModuleMissing(error, request)) {
+      throw error;
+    }
+    return typeof fallbackFactory === 'function'
+      ? fallbackFactory(error)
+      : (fallbackFactory || {});
+  }
+}
+
+function createUnavailableError(feature, options = {}) {
+  const err = new Error(
+    `${feature} moved behind the ThumbGate-Core boundary and is unavailable in the public thumbgate package.`
+  );
+  err.code = 'THUMBGATE_CORE_REQUIRED';
+  err.statusCode = options.statusCode || 503;
+  err.feature = feature;
+  return err;
+}
+
+function createUnavailableOperation(feature, options = {}) {
+  return function unavailableOperation() {
+    throw createUnavailableError(feature, options);
+  };
+}
+
+function createUnavailableAsyncOperation(feature, options = {}) {
+  return async function unavailableAsyncOperation() {
+    throw createUnavailableError(feature, options);
+  };
+}
+
+function createUnavailableReport(feature, extra = {}) {
+  return {
+    available: false,
+    source: 'ThumbGate-Core',
+    message: `${feature} requires ThumbGate-Core.`,
+    ...extra,
+  };
+}
+
+module.exports = {
+  createUnavailableAsyncOperation,
+  createUnavailableError,
+  createUnavailableOperation,
+  createUnavailableReport,
+  isOptionalModuleMissing,
+  loadOptionalModule,
+};

package/scripts/production-agent-readiness.js

@@ -0,0 +1,40 @@
+#!/usr/bin/env node
+'use strict';
+
+function readinessStatus(score, missing) {
+  if (missing.length === 0) return 'production_ready';
+  if (score >= 60) return 'needs_hardening';
+  return 'prototype';
+}
+
+function evaluateProductionAgentReadiness(input = {}) {
+  const signals = {
+    subAgents: Array.isArray(input.subAgents) && input.subAgents.length >= 2,
+    structuredOutputs: input.structuredOutputs === true,
+    dynamicRag: input.dynamicRag === true,
+    observability: input.observability === true || input.tracing === true,
+    circuitBreakers: input.circuitBreakers === true,
+  };
+  const missing = Object.entries(signals)
+    .filter(([, present]) => !present)
+    .map(([name]) => name);
+  const score = Math.round((Object.values(signals).filter(Boolean).length / Object.keys(signals).length) * 100);
+  return {
+    status: readinessStatus(score, missing),
+    score,
+    signals,
+    missing,
+    requiredFixes: missing.map((name) => ({
+      subAgents: 'Split monolithic prompts into narrow sub-agent stages.',
+      structuredOutputs: 'Use runtime-validated schemas instead of prompt-only JSON formatting.',
+      dynamicRag: 'Replace hardcoded context with refreshed retrieval over indexed source material.',
+      observability: 'Emit traces for model calls, tool calls, tokens, latency, and stage failures.',
+      circuitBreakers: 'Set retry, timeout, loop, and spend limits before production use.',
+    }[name])),
+  };
+}
+
+module.exports = {
+  evaluateProductionAgentReadiness,
+  readinessStatus,
+};

package/scripts/profile-router.js

@@ -107,6 +107,15 @@ function loadProfilesLazy() {
   }
 }
 
+const PROFILE_RESTRICTIVENESS_ORDER = Object.freeze([
+  'locked',
+  'readonly',
+  'essential',
+  'commerce',
+  'dispatch',
+  'default',
+]);
+
 /**
  * Find the most restrictive (smallest) profile that includes the given tool.
  * Profile restrictiveness = fewer tools allowed = more restricted.
@@ -114,11 +123,17 @@ function loadProfilesLazy() {
 function findMostRestrictiveProfile(toolName) {
   const policy = loadProfilesLazy();
   if (!policy || !policy.profiles) return null;
+  const profileRank = new Map(PROFILE_RESTRICTIVENESS_ORDER.map((name, index) => [name, index]));
 
   // Sort profiles by number of tools (most restrictive first)
   const candidates = Object.entries(policy.profiles)
     .filter(([, tools]) => tools.includes(toolName))
-    .sort((a, b) => a[1].length - b[1].length);
+    .sort((a, b) => {
+      const sizeDelta = a[1].length - b[1].length;
+      if (sizeDelta !== 0) return sizeDelta;
+      return (profileRank.get(a[0]) ?? Number.MAX_SAFE_INTEGER)
+        - (profileRank.get(b[0]) ?? Number.MAX_SAFE_INTEGER);
+    });
 
   if (candidates.length === 0) return null;
   return candidates[0][0]; // most restrictive profile that has this tool