thumbgate 1.14.1 → 1.16.0

package/bin/cli.js

@@ -11,6 +11,7 @@
  *   npx thumbgate import-doc    # import a local policy/runbook document and propose gates
  *   npx thumbgate export-dpo    # export DPO training pairs
  *   npx thumbgate export-databricks   # export Databricks-ready analytics bundle
+ *   npx thumbgate eval --from-feedback # turn feedback into reusable prompt evals
  *   npx thumbgate stats         # feedback analytics + Revenue-at-Risk
  *   npx thumbgate cfo           # local operational billing summary
  *   npx thumbgate pro           # solo dashboard + exports side lane
@@ -528,8 +529,54 @@ function setupForge() {
   return true;
 }
 
+function setupCline() {
+  let changed = false;
+
+  // 1. Copy .clinerules into project root (Cline auto-loads this at session start).
+  const rulesDest = path.join(CWD, '.clinerules');
+  const rulesSrc = path.join(PKG_ROOT, 'adapters', 'cline', '.clinerules');
+  if (!fs.existsSync(rulesDest) && fs.existsSync(rulesSrc)) {
+    fs.copyFileSync(rulesSrc, rulesDest);
+    console.log('  Cline: installed .clinerules with ThumbGate gating rules');
+    changed = true;
+  }
+
+  // 2. Merge MCP server block into Cline's VS Code globalStorage settings.
+  // Extension id: saoudrizwan.claude-dev
+  const platform = process.platform;
+  let clineSettingsPath = null;
+  if (platform === 'darwin') {
+    clineSettingsPath = path.join(HOME, 'Library', 'Application Support', 'Code', 'User', 'globalStorage', 'saoudrizwan.claude-dev', 'settings', 'cline_mcp_settings.json');
+  } else if (platform === 'linux') {
+    clineSettingsPath = path.join(HOME, '.config', 'Code', 'User', 'globalStorage', 'saoudrizwan.claude-dev', 'settings', 'cline_mcp_settings.json');
+  } else if (platform === 'win32' && process.env.APPDATA) {
+    clineSettingsPath = path.join(process.env.APPDATA, 'Code', 'User', 'globalStorage', 'saoudrizwan.claude-dev', 'settings', 'cline_mcp_settings.json');
+  }
+
+  if (clineSettingsPath) {
+    let settings = { mcpServers: {} };
+    if (fs.existsSync(clineSettingsPath)) {
+      try { settings = JSON.parse(fs.readFileSync(clineSettingsPath, 'utf8')); } catch (_) { settings = { mcpServers: {} }; }
+    }
+    settings.mcpServers = settings.mcpServers || {};
+    const canonicalEntry = canonicalMcpEntry('home');
+    if (!mcpEntriesMatch(settings.mcpServers[MCP_SERVER_NAME], canonicalEntry)) {
+      settings.mcpServers[MCP_SERVER_NAME] = canonicalEntry;
+      fs.mkdirSync(path.dirname(clineSettingsPath), { recursive: true });
+      fs.writeFileSync(clineSettingsPath, JSON.stringify(settings, null, 2) + '\n');
+      console.log(`  Cline: registered thumbgate MCP server in ${clineSettingsPath}`);
+      changed = true;
+    }
+  } else {
+    console.log('  Cline: unsupported platform for auto-wiring MCP settings; see adapters/cline/INSTALL.md');
+  }
+
+  return changed;
+}
+
 function detectAgent(projectDir) {
   if (fs.existsSync(path.join(projectDir, '.claude'))) return 'claude-code';
+  if (fs.existsSync(path.join(projectDir, '.clinerules'))) return 'cline';
   if (fs.existsSync(path.join(projectDir, '.cursorrules'))) return 'cursor';
   if (fs.existsSync(path.join(projectDir, '.cursor'))) return 'cursor';
   if (fs.existsSync(path.join(projectDir, '.codex'))) return 'codex';
@@ -670,6 +717,12 @@ function init(cliArgs = parseArgs(process.argv.slice(3))) {
     { name: 'Amp', detect: [() => whichExists('amp'), () => fs.existsSync(path.join(HOME, '.amp'))], setup: setupAmp },
     { name: 'Cursor', detect: [() => fs.existsSync(path.join(HOME, '.cursor', 'mcp.json')), () => fs.existsSync(path.join(CWD, '.cursor'))], setup: setupCursor },
     { name: 'ForgeCode', detect: [() => whichExists('forge'), () => fs.existsSync(path.join(CWD, 'forge.yaml'))], setup: setupForge },
+    { name: 'Cline', detect: [
+      () => fs.existsSync(path.join(CWD, '.clinerules')),
+      () => process.platform === 'darwin' && fs.existsSync(path.join(HOME, 'Library', 'Application Support', 'Code', 'User', 'globalStorage', 'saoudrizwan.claude-dev')),
+      () => process.platform === 'linux' && fs.existsSync(path.join(HOME, '.config', 'Code', 'User', 'globalStorage', 'saoudrizwan.claude-dev')),
+      () => process.platform === 'win32' && process.env.APPDATA && fs.existsSync(path.join(process.env.APPDATA, 'Code', 'User', 'globalStorage', 'saoudrizwan.claude-dev')),
+    ], setup: setupCline },
   ];
 
   for (const p of platforms) {
@@ -690,8 +743,11 @@ function init(cliArgs = parseArgs(process.argv.slice(3))) {
 
   if (configured === 0) console.log('  All detected platforms already configured.');
 
-  // Auto-wire hooks if --agent flag is provided (or auto-detect)
-  if (args.agent || args['wire-hooks']) {
+  // Cline uses .clinerules (no native hook surface). Run setupCline directly
+  // and skip wireHooks, which does not support cline.
+  if (args.agent === 'cline') {
+    setupCline();
+  } else if (args.agent || args['wire-hooks']) {
     const { wireHooks } = require(path.join(PKG_ROOT, 'scripts', 'auto-wire-hooks'));
     const hookResult = wireHooks({ agent: args.agent, dryRun: args['dry-run'] });
     if (hookResult.error) {
@@ -999,8 +1055,8 @@ function pro() {
     console.log('  Launch dashboard: npx thumbgate pro');
     console.log('  Activate + run  : npx thumbgate pro --activate --key=YOUR_KEY');
     console.log('  Install configs : npx thumbgate pro --upgrade');
-    console.log('  Legacy launcher : npx thumbgate-pro (separate package)');
-    console.log('  Pro repo        : https://github.com/IgorGanapolsky/thumbgate-pro\n');
+    console.log('  Private core    : ThumbGate-Core (private repo)');
+    console.log('  Core repo       : https://github.com/IgorGanapolsky/ThumbGate-Core\n');
   }
 
   function launchDashboard(key, eventType) {
@@ -1164,6 +1220,27 @@ function modelFit() {
   console.log(JSON.stringify({ reportPath, report }, null, 2));
 }
 
+function modelCandidatesCmd() {
+  const args = parseArgs(process.argv.slice(3));
+  const { writeModelCandidatesReport, renderModelCandidatesReport } = require(path.join(PKG_ROOT, 'scripts', 'model-candidates'));
+  const maxCandidates = args.max ? Number(args.max) : undefined;
+  const { reportPath, report } = writeModelCandidatesReport(undefined, {
+    workload: args.workload,
+    provider: args.provider,
+    family: args.family,
+    gateway: args.gateway,
+    maxCandidates: Number.isFinite(maxCandidates) ? maxCandidates : undefined,
+  });
+
+  if (args.json) {
+    console.log(JSON.stringify({ reportPath, report }, null, 2));
+    return;
+  }
+
+  process.stdout.write(renderModelCandidatesReport(report));
+  process.stdout.write(`\nReport path: ${reportPath}\n`);
+}
+
 function risk() {
   const args = parseArgs(process.argv.slice(3));
   const riskScorer = require(path.join(PKG_ROOT, 'scripts', 'risk-scorer'));
@@ -1475,6 +1552,52 @@ function gateStats() {
   console.log('\n' + formatStats(stats) + '\n');
 }
 
+function harnessAudit() {
+  const args = parseArgs(process.argv.slice(3));
+  const { buildHarnessOptimizationAudit } = require(path.join(PKG_ROOT, 'scripts', 'harness-selector'));
+  const audit = buildHarnessOptimizationAudit({
+    rootDir: CWD,
+    docTokenBudget: args['doc-token-budget'],
+  });
+
+  if (args.json) {
+    console.log(JSON.stringify(audit, null, 2));
+    return;
+  }
+
+  console.log('\nThumbGate Harness Optimization Audit');
+  console.log(`Status : ${audit.status}`);
+  console.log(`Score  : ${audit.score}/100`);
+  console.log(`Docs   : ~${audit.totals.globalDocEstimatedTokens} tokens across global agent docs`);
+  console.log(`MCP    : ${audit.totals.mcpToolCount} indexed tools; progressive discovery ${audit.signals.progressiveToolIndexPresent ? 'on' : 'missing'}`);
+  console.log(`Gates  : ${audit.totals.specializedHarnessCount} specialized harnesses`);
+  console.log('\nRecommendations:');
+  for (const recommendation of audit.recommendations) {
+    console.log(`  - ${recommendation}`);
+  }
+  console.log('');
+}
+
+function nativeMessagingAudit() {
+  const args = parseArgs(process.argv.slice(3));
+  const {
+    buildNativeMessagingAudit,
+    formatNativeMessagingAudit,
+  } = require(path.join(PKG_ROOT, 'scripts', 'native-messaging-audit'));
+  const report = buildNativeMessagingAudit({
+    homeDir: args['home-dir'],
+    platform: args.platform,
+    aiOnly: args['ai-only'] === true,
+  });
+
+  if (args.json) {
+    console.log(JSON.stringify(report, null, 2));
+    return;
+  }
+
+  process.stdout.write(formatNativeMessagingAudit(report));
+}
+
 function optimize() {
   const { optimize: doOptimize } = require(path.join(PKG_ROOT, 'scripts', 'optimize-context'));
   doOptimize();
@@ -1550,7 +1673,14 @@ function hookAutoCapture() {
   const prompt = process.env.CLAUDE_USER_PROMPT || process.env.THUMBGATE_USER_PROMPT || readStdinText().trim();
   const { evaluatePromptGuard } = require(path.join(PKG_ROOT, 'scripts', 'prompt-guard'));
   const { processInlineFeedback, formatCliOutput } = require(path.join(PKG_ROOT, 'scripts', 'cli-feedback'));
-  const { recordConversationEntry, readRecentConversationWindow } = require(path.join(PKG_ROOT, 'scripts', 'feedback-history-distiller'));
+  const { loadOptionalModule } = require(path.join(PKG_ROOT, 'scripts', 'private-core-boundary'));
+  const { recordConversationEntry, readRecentConversationWindow } = loadOptionalModule(
+    path.join(PKG_ROOT, 'scripts', 'feedback-history-distiller'),
+    () => ({
+      recordConversationEntry: () => ({ recorded: false, reason: 'thumbgate_core_required' }),
+      readRecentConversationWindow: () => [],
+    })
+  );
 
   recordConversationEntry({
     author: 'user',
@@ -1708,6 +1838,60 @@ function gateStats() {
   console.log('\n' + formatStats(stats) + '\n');
 }
 
+function evalCmd() {
+  syncActiveProjectContext();
+  const args = parseArgs(process.argv.slice(3));
+  const {
+    formatProofReport,
+    runFeedbackEvalSuite,
+    runSuite,
+    loadSuite,
+  } = require(path.join(PKG_ROOT, 'scripts', 'prompt-eval'));
+  const minScore = args['min-score'] === undefined ? 80 : Number(args['min-score']);
+  const maxCases = args['max-cases'] === undefined ? 25 : Number(args['max-cases']);
+  const suitePath = args.suite ? path.resolve(CWD, args.suite) : null;
+  const fromFeedback = Boolean(args['from-feedback'] || !suitePath);
+  const evalRun = fromFeedback
+    ? runFeedbackEvalSuite({
+        feedbackDir: args['feedback-dir'] ? path.resolve(CWD, args['feedback-dir']) : undefined,
+        feedbackLog: args['feedback-log'] ? path.resolve(CWD, args['feedback-log']) : undefined,
+        maxCases,
+        minScore,
+      })
+    : {
+        suite: loadSuite(suitePath),
+        report: runSuite(suitePath, { minScore }),
+      };
+  const { suite, report } = evalRun;
+
+  if (args['write-suite']) {
+    const outputPath = path.resolve(CWD, args['write-suite']);
+    fs.mkdirSync(path.dirname(outputPath), { recursive: true });
+    fs.writeFileSync(outputPath, `${JSON.stringify(suite, null, 2)}\n`, 'utf8');
+  }
+
+  if (args['write-report']) {
+    const outputPath = path.resolve(CWD, args['write-report']);
+    fs.mkdirSync(path.dirname(outputPath), { recursive: true });
+    fs.writeFileSync(outputPath, `${formatProofReport(report, suite)}\n`, 'utf8');
+  }
+
+  if (args.json) {
+    console.log(JSON.stringify({ ...report, suiteDefinition: fromFeedback ? suite : undefined }, null, 2));
+    process.exit(report.pass ? 0 : 1);
+  }
+
+  console.log(`\nPrompt Evaluation: ${report.suite}`);
+  console.log('─'.repeat(50));
+  console.log(`  Score      : ${report.score}% (min ${report.minScore}%)`);
+  console.log(`  Cases      : ${report.passed}/${report.total} passing`);
+  console.log(`  Failures   : ${report.failed}`);
+  console.log(`  Errors     : ${report.errors}`);
+  console.log(`  Source     : ${fromFeedback ? 'feedback-derived' : suitePath}`);
+  console.log(report.pass ? '\n✅ PASS\n' : '\n❌ FAIL\n');
+  process.exit(report.pass ? 0 : 1);
+}
+
 function startApi() {
   const serverPath = path.join(PKG_ROOT, 'src', 'api', 'server.js');
   try {
@@ -1724,13 +1908,13 @@ function help() {
   const GROUP_LABELS = {
     capture:   'Feedback capture',
     discovery: 'Discovery & inspection',
-    gates:     'Gates & rules',
+    gates:     'Checks & rules',
     export:    'Export',
     ops:       'Operations',
     advanced:  'Advanced',
   };
 
-  console.log(`thumbgate v${v}  — pre-action gates for AI coding agents`);
+  console.log(`thumbgate v${v}  — pre-action checks for AI coding agents`);
   console.log('');
 
   for (const [groupKey, label] of Object.entries(GROUP_LABELS)) {
@@ -1760,8 +1944,10 @@ function help() {
   console.log('  repair-github-marketplace  Repair legacy GitHub Marketplace amount mappings');
   console.log('  north-star            Show proof-backed workflow-run progress toward the North Star');
   console.log('  model-fit             Detect local embedding profile and write evidence report');
+  console.log('  model-candidates      Rank managed model candidates and emit a benchmark plan');
   console.log('  risk                  Train or query the boosted local risk scorer');
-  console.log('  optimize              [PRO] Prune CLAUDE.md and migrate rules to Pre-Action Gates');
+  console.log('  eval                  Turn feedback into reusable prompt/workflow eval proof');
+  console.log('  optimize              [PRO] Prune CLAUDE.md and migrate rules to Pre-Action Checks');
   console.log('  prove [--target=X]    Run proof harness (adapters|automation|...)');
   console.log('  watch                 Watch .thumbgate/ for external signals');
   console.log('  status                Approval trend + failure domain dashboard');
@@ -1792,6 +1978,7 @@ function help() {
   console.log('  npx thumbgate explore gates --json');
   console.log('  npx thumbgate demo');
   console.log('  npx thumbgate stats --json');
+  console.log('  npx thumbgate eval --from-feedback --json');
   console.log('  npx thumbgate lessons "force push" --json');
   console.log('  npx thumbgate lessons --query="deploy" --remote');
   console.log('  npx thumbgate gate-stats --json');
@@ -1933,6 +2120,10 @@ switch (COMMAND) {
   case 'model-fit':
     modelFit();
     break;
+  case 'model-candidates':
+  case 'managed-models':
+    modelCandidatesCmd();
+    break;
   case 'risk':
     risk();
     break;
@@ -1969,6 +2160,14 @@ switch (COMMAND) {
   case 'rules':
     rules();
     break;
+  case 'harness-audit':
+  case 'harness':
+    harnessAudit();
+    break;
+  case 'native-messaging-audit':
+  case 'bridge-audit':
+    nativeMessagingAudit();
+    break;
   case 'optimize':
     optimize();
     break;
@@ -2064,6 +2263,10 @@ switch (COMMAND) {
   case 'gate-stats':
     gateStats();
     break;
+  case 'eval':
+  case 'prompt-eval':
+    evalCmd();
+    break;
   case 'explore': {
     const subCmd = process.argv[3];
     const exploreArgs = parseArgs(process.argv.slice(3));

package/config/enforcement.json

@@ -1,20 +1,72 @@
 {
   "$schema": "./enforcement.schema.json",
-  "description": "Loss matrix and enforcement knobs for the Bayes-optimal pre-tool-use gate. See scripts/bayes-optimal-gate.js for the decision math. Tags listed here mirror the canonical tags emitted by risk-scorer.buildPatternSummary. To disable tag-specific costs and fall back to a symmetric 1:1 decision, reduce any override to 1.0.",
+  "description": "Loss matrix and enforcement knobs for the Bayes-optimal pre-tool-use gate. See scripts/bayes-optimal-gate.js for the decision math. Tags listed here mirror the canonical tags emitted by risk-scorer.buildPatternSummary. Costs are relative: falseAllow[tag] is the regret of letting a harmful tool call through, falseBlock[tag] is the regret of blocking a safe one. resolveCost takes the max across matched tags, so a single high-cost tag dominates. To disable tag-specific costs and fall back to a symmetric 1:1 decision, reduce any override to 1.0.",
   "lossMatrix": {
     "falseAllow": {
       "default": 1.0,
-      "deploy-prod": 100.0,
-      "destructive": 50.0,
+
       "secrets": 1000.0,
-      "force-push-main": 200.0,
-      "data-loss": 500.0,
       "credentials": 800.0,
+      "env-file-edit": 700.0,
+      "env-override": 700.0,
+      "deploy-env-secret-exposure": 900.0,
+
+      "self-protect": 1500.0,
+      "kill-gate": 1500.0,
+      "hooks-disable": 1200.0,
+      "config-tamper": 1200.0,
+
+      "data-loss": 500.0,
+      "db-drop-production": 600.0,
+      "db-truncate-production": 600.0,
+      "db-delete-nowhere": 500.0,
+      "db-unmigrated-sql": 400.0,
+      "db-runtime-sqlite": 350.0,
+      "db-lancedb-wipe": 400.0,
+      "mcp-sql-delete": 400.0,
+      "mcp-sql-bulk-update": 250.0,
+
+      "destructive": 50.0,
       "rm-rf": 300.0,
-      "git-reset-hard": 100.0
+      "git-reset-hard": 100.0,
+      "force-push-main": 200.0,
+      "force-push": 150.0,
+      "protected-branch-push": 150.0,
+      "protected-file": 120.0,
+      "package-lock-reset": 75.0,
+
+      "deploy-prod": 100.0,
+      "deploy-unverified": 120.0,
+      "deploy-skip-ci": 150.0,
+      "deploy-publish-without-test": 180.0,
+      "deploy-version-drift": 90.0,
+      "production-change": 130.0,
+      "schema-migration": 150.0,
+      "permission-change": 140.0,
+
+      "supply-chain": 200.0,
+      "supply-chain-add": 200.0,
+      "unverified-skill": 160.0,
+      "blocked-npx": 180.0,
+      "network-egress": 250.0,
+      "unauthorized-egress": 250.0,
+
+      "pr-scope-violation": 80.0,
+      "admin-merge-bypass": 80.0,
+      "loop-abuse": 40.0,
+      "thread-unchecked-push": 40.0,
+      "generated-file-edit": 30.0,
+      "test-skip": 40.0,
+      "version-drift": 50.0,
+      "lockfile-manual": 60.0
     },
     "falseBlock": {
-      "default": 1.0
+      "default": 1.0,
+
+      "style-violation": 5.0,
+      "console-log-commit": 4.0,
+      "non-critical-warning": 5.0,
+      "large-file": 3.0
     }
   },
   "bayesOptimalEnabled": true,