thumbgate 1.15.0 → 1.16.1

package/scripts/mailer/resend-mailer.js

@@ -339,7 +339,7 @@ function renderTrialWelcomeBodies({ licenseKey, customerId, customerName, trialE
   const headline = 'Your ThumbGate Pro trial is live.';
   const subhead = `You have 7 days of Pro access. Trial ends ${trialEndLabel}.`;
   const description =
-    'ThumbGate turns thumbs up/down feedback into Pre-Action Gates that stop repeated AI coding mistakes ' +
+    'ThumbGate turns thumbs up/down feedback into Pre-Action Checks that stop repeated AI coding mistakes ' +
     'before the next tool call. Lessons stay on your machine. Repeated failures become Reliability Gateway blocks.';
   const exampleFeedback =
     'thumbs down: the answer skipped exact files and tests; next time include paths, commands, and verification evidence.';
@@ -503,10 +503,121 @@ async function sendTrialWelcomeEmail({ to, licenseKey, customerId, customerName,
   return sendEmail({ to, subject, html, text, replyTo: getReplyTo(), fetchImpl, dnsResolver });
 }
 
+function renderNewsletterWelcomeBodies() {
+  const supportEmail = getSupportEmail();
+  const unsubscribeEmail = getUnsubscribeEmail();
+  const businessName = getBusinessName();
+  const businessAddress = getBusinessAddress();
+  const unsubscribeMailto = `mailto:${unsubscribeEmail}?subject=unsubscribe&body=Please%20remove%20me%20from%20ThumbGate%20emails.`;
+  const headline = 'Welcome to ThumbGate.';
+  const subhead =
+    'One concrete AI coding failure prevented per email. No theory, no fluff.';
+  const firstLesson =
+    'First lesson: the most expensive AI mistake is the one it repeats. ' +
+    'ThumbGate turns thumbs up/down signals into Pre-Action Checks that stop ' +
+    'the next recurrence before the tool call runs.';
+  const ctaLink = 'https://thumbgate.ai/pro';
+
+  const text = [
+    'Welcome to ThumbGate.',
+    '',
+    subhead,
+    '',
+    firstLesson,
+    '',
+    `Want the full stop-repeating-mistakes loop locally? ${ctaLink}`,
+    '',
+    `Questions? Reply to this email or write ${supportEmail}.`,
+    '',
+    '— Igor, founder of ThumbGate',
+    '',
+    '---',
+    `You're getting this because you signed up on thumbgate.ai. Unsubscribe: ${unsubscribeEmail}`,
+    `${businessName} · ${businessAddress}`,
+  ].join('\n');
+
+  const safeHeadline = escapeHtml(headline);
+  const safeSubhead = escapeHtml(subhead);
+  const safeFirstLesson = escapeHtml(firstLesson);
+  const safeSupportEmail = escapeHtml(supportEmail);
+  const safeBusinessName = escapeHtml(businessName);
+  const safeBusinessAddress = escapeHtml(businessAddress);
+  const safeUnsubscribeEmail = escapeHtml(unsubscribeEmail);
+  const safeUnsubscribeMailto = escapeHtml(unsubscribeMailto);
+
+  const html = `<!doctype html>
+<html>
+  <body style="margin:0;background:#f5f7fb;padding:28px 12px;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,Arial,sans-serif;color:#17212b;">
+    <table role="presentation" width="100%" cellspacing="0" cellpadding="0" style="border-collapse:collapse;">
+      <tr>
+        <td align="center">
+          <table role="presentation" width="100%" cellspacing="0" cellpadding="0" style="border-collapse:collapse;max-width:640px;background:#ffffff;border:1px solid #d8e2ea;border-radius:10px;overflow:hidden;">
+            <tr>
+              <td style="background:#071115;padding:24px 28px;color:#e7fbff;">
+                <div style="font-size:13px;font-weight:700;letter-spacing:0.02em;text-transform:uppercase;color:#73d4e9;">ThumbGate</div>
+                <h1 style="margin:10px 0 6px;font-size:24px;line-height:1.25;color:#ffffff;">${safeHeadline}</h1>
+                <p style="margin:0;font-size:14px;line-height:1.5;color:#9cbac4;">${safeSubhead}</p>
+              </td>
+            </tr>
+            <tr>
+              <td style="padding:24px 28px 10px;">
+                <p style="margin:0 0 18px;font-size:15px;line-height:1.6;color:#344451;">${safeFirstLesson}</p>
+                <p style="margin:0 0 22px;">
+                  <a href="${ctaLink}" style="display:inline-block;background:#45bfd8;color:#061015;text-decoration:none;font-weight:700;padding:12px 22px;border-radius:6px;font-size:15px;">See the full Pro loop</a>
+                </p>
+              </td>
+            </tr>
+            <tr>
+              <td style="padding:0 28px 22px;">
+                <p style="margin:0 0 4px;font-size:14px;line-height:1.6;color:#17212b;">— Igor, founder of ThumbGate</p>
+                <p style="margin:0;font-size:13px;line-height:1.55;color:#526273;">
+                  Questions? Reply or write
+                  <a href="mailto:${safeSupportEmail}" style="color:#087a91;">${safeSupportEmail}</a>.
+                </p>
+              </td>
+            </tr>
+            <tr>
+              <td style="padding:16px 28px 22px;border-top:1px solid #e2e8ec;background:#fafbfc;">
+                <p style="margin:0 0 6px;font-size:12px;line-height:1.5;color:#7a8790;">
+                  You signed up on thumbgate.ai.
+                  <a href="${safeUnsubscribeMailto}" style="color:#7a8790;text-decoration:underline;">Unsubscribe</a>
+                  (${safeUnsubscribeEmail}).
+                </p>
+                <p style="margin:0;font-size:12px;line-height:1.5;color:#7a8790;">
+                  ${safeBusinessName} &middot; ${safeBusinessAddress}
+                </p>
+              </td>
+            </tr>
+          </table>
+        </td>
+      </tr>
+    </table>
+  </body>
+</html>`;
+
+  return { html, text };
+}
+
+async function sendNewsletterWelcomeEmail({ to, fetchImpl, dnsResolver } = {}) {
+  if (!isNonEmptyString(to)) throw new Error('sendNewsletterWelcomeEmail: `to` is required');
+  const { html, text } = renderNewsletterWelcomeBodies();
+  return sendEmail({
+    to,
+    subject: 'Welcome to ThumbGate — one AI mistake prevented per email',
+    html,
+    text,
+    replyTo: getReplyTo(),
+    fetchImpl,
+    dnsResolver,
+  });
+}
+
 module.exports = {
   sendEmail,
   sendTrialWelcomeEmail,
+  sendNewsletterWelcomeEmail,
   renderTrialWelcomeBodies,
+  renderNewsletterWelcomeBodies,
   _resolveSenderAddress: resolveSenderAddress,
   _hasResendSenderDns: hasResendSenderDns,
   _recordsHaveResendDns: recordsHaveResendDns,

package/scripts/mcp-transport-strategy.js

@@ -0,0 +1,66 @@
+'use strict';
+
+function scoreTransportNeed(service = {}) {
+  let score = 0;
+  if ((service.callsPerMinute || 0) >= 120) score += 30;
+  if ((service.concurrentAgents || 0) >= 10) score += 20;
+  if (service.streaming) score += 20;
+  if (service.existingGrpc) score += 15;
+  if (service.doubleStackedJsonShim) score += 15;
+  if (service.inferenceDominated) score -= 25;
+  return Math.max(0, Math.min(100, score));
+}
+
+function recommendMcpTransport(service = {}) {
+  const score = scoreTransportNeed(service);
+  const reasons = [];
+
+  if ((service.callsPerMinute || 0) >= 120) reasons.push('high_frequency_tool_calls');
+  if ((service.concurrentAgents || 0) >= 10) reasons.push('many_concurrent_agents');
+  if (service.streaming) reasons.push('streaming_or_long_running_flow');
+  if (service.existingGrpc) reasons.push('backend_already_grpc');
+  if (service.doubleStackedJsonShim) reasons.push('json_shim_exists_only_for_agents');
+  if (service.inferenceDominated) reasons.push('llm_latency_dominates_transport');
+
+  const transport = score >= 50 ? 'grpc' : 'json_rpc_http';
+  return {
+    service: service.name || 'unnamed-service',
+    score,
+    transport,
+    reasons,
+    rollout: transport === 'grpc'
+      ? [
+        'pilot pluggable transport behind config',
+        'reuse protobuf contracts where present',
+        'add contract tests and stream retry policy',
+        'compare latency throughput and error rate against JSON-RPC baseline',
+        'deprecate redundant JSON shim only after soak evidence',
+      ]
+      : [
+        'keep JSON-RPC over HTTP',
+        'avoid transport churn until tool-call volume or streaming pressure changes',
+        'continue validating payloads at MCP boundary',
+      ],
+  };
+}
+
+function buildMcpTransportMigrationPlan(services = []) {
+  const recommendations = services.map(recommendMcpTransport);
+  return {
+    recommendations,
+    pilots: recommendations.filter((item) => item.transport === 'grpc').slice(0, 1),
+    guardrails: [
+      'tool definitions remain transport agnostic',
+      'wire protocol lives behind adapters',
+      'semantic tool descriptions stay available to the LLM',
+      'no JSON shim removal before contract tests and soak metrics pass',
+    ],
+    metrics: ['p95_tool_latency_ms', 'tool_error_rate', 'stream_reconnects', 'payload_validation_failures'],
+  };
+}
+
+module.exports = {
+  buildMcpTransportMigrationPlan,
+  recommendMcpTransport,
+  scoreTransportNeed,
+};

package/scripts/memory-store-governance.js

@@ -0,0 +1,60 @@
+#!/usr/bin/env node
+'use strict';
+
+function normalizeText(value) {
+  if (value === undefined || value === null) return '';
+  return String(value).trim();
+}
+
+function classifyMemoryFile(filePath) {
+  const normalized = normalizeText(filePath).toLowerCase();
+  if (/preference|style|tone|format/.test(normalized)) return 'preference';
+  if (/credential|token|secret|password|key/.test(normalized)) return 'blocked_secret';
+  if (/task|completed|todo|draft/.test(normalized)) return 'workflow_state';
+  if (/account|customer|user|contact/.test(normalized)) return 'sensitive_context';
+  return 'general';
+}
+
+function actionForClassification(classification) {
+  if (classification === 'blocked_secret') return 'block';
+  if (classification === 'sensitive_context') return 'redact_before_export';
+  return 'allow_reviewed_promotion';
+}
+
+function buildMemoryStoreGovernance(input = {}) {
+  const files = Array.isArray(input.files) ? input.files : [];
+  const records = files.map((file) => {
+    const path = typeof file === 'string' ? file : file.path;
+    const classification = classifyMemoryFile(path);
+    return {
+      path: normalizeText(path),
+      classification,
+      promotable: !['blocked_secret', 'sensitive_context'].includes(classification),
+      action: actionForClassification(classification),
+    };
+  }).filter((record) => record.path);
+
+  return {
+    generatedAt: normalizeText(input.generatedAt) || new Date().toISOString(),
+    storeKind: 'file_backed_agent_memory',
+    records,
+    policy: {
+      export: 'allowed_after_redaction',
+      import: 'requires_schema_validation',
+      promotion: 'requires_review_and_actionable_context',
+      deletion: 'append_decision_journal_entry',
+    },
+    summary: {
+      totalFiles: records.length,
+      blocked: records.filter((record) => record.action === 'block').length,
+      redactBeforeExport: records.filter((record) => record.action === 'redact_before_export').length,
+      promotable: records.filter((record) => record.promotable).length,
+    },
+  };
+}
+
+module.exports = {
+  actionForClassification,
+  buildMemoryStoreGovernance,
+  classifyMemoryFile,
+};

package/scripts/meta-agent-loop.js

@@ -36,7 +36,7 @@ const { resolveFeedbackDir } = require('./feedback-paths');
 const { parseFeedbackFile, classifySignal, promoteToGates } = require('./feedback-to-rules');
 const { loadAutoGates, saveAutoGates, getAutoGatesPath, patternToGateId } = require('./auto-promote-gates');
 const { readEvolutionState, writeEvolutionState, captureEvolutionSnapshot, applyAcceptedMutation } = require('./evolution-state');
-const { isAvailable, callClaude, MODELS } = require('./llm-client');
+const { isAvailable, callClaudeJson, MODELS } = require('./llm-client');
 const { ensureParentDir } = require('./fs-utils');
 
 // ---------------------------------------------------------------------------
@@ -165,24 +165,18 @@ async function generateCandidatesViaLLM(failures, successDef, blockPatterns) {
     `Generate ${CANDIDATES_PER_RUN} candidate prevention rules that would catch these failures.`,
   ].join('\n\n');
 
-  const raw = await callClaude({
+  const parsed = await callClaudeJson({
     systemPrompt: CANDIDATE_SYSTEM_PROMPT,
     userPrompt,
     model: MODELS.FAST,
     maxTokens: 1200,
+    cache: true,
   });
 
-  if (!raw) return null;
-
-  try {
-    const parsed = JSON.parse(raw);
-    if (!Array.isArray(parsed)) return null;
-    return parsed
-      .filter((r) => r.pattern && r.action && r.message && r.severity)
-      .slice(0, CANDIDATES_PER_RUN);
-  } catch {
-    return null;
-  }
+  if (!Array.isArray(parsed)) return null;
+  return parsed
+    .filter((r) => r.pattern && r.action && r.message && r.severity)
+    .slice(0, CANDIDATES_PER_RUN);
 }
 
 function generateCandidatesHeuristic(failures, blockPatterns) {

package/scripts/model-access-eligibility.js

@@ -0,0 +1,38 @@
+#!/usr/bin/env node
+'use strict';
+
+function normalizeText(value) {
+  if (value === undefined || value === null) return '';
+  return String(value).trim();
+}
+
+function evaluateModelAccessEligibility(input = {}) {
+  const model = normalizeText(input.model) || 'unknown';
+  const accessType = normalizeText(input.accessType) || 'public';
+  const approved = input.approved === true || input.invited === true || input.allowListed === true;
+  const maintainerPath = input.openSourceMaintainer === true;
+  const gated = /mythos|preview|research|private|invite|glasswing/i.test(`${model} ${accessType}`);
+  const issues = [];
+
+  if (gated && !approved) {
+    issues.push('approval_required_before_platform_setup');
+  }
+  if (gated && !approved && maintainerPath) {
+    issues.push('maintainer_path_is_possible_not_guaranteed');
+  }
+  if (gated && /aws|bedrock|vertex|foundry|azure|gcp/i.test(normalizeText(input.platform)) && !approved) {
+    issues.push('platform_docs_do_not_create_model_access');
+  }
+
+  return {
+    model,
+    accessType,
+    decision: issues.length === 0 ? 'allow' : 'warn',
+    issues,
+    fallback: gated && !approved ? 'Use a public model route until approval exists.' : null,
+  };
+}
+
+module.exports = {
+  evaluateModelAccessEligibility,
+};

package/scripts/model-migration-readiness.js

@@ -0,0 +1,55 @@
+'use strict';
+
+function buildModelMigrationPlan(options = {}) {
+  const targetModel = options.targetModel || 'gpt-5.5';
+  const currentModel = options.currentModel || 'current-codex-default';
+
+  return {
+    targetModel,
+    currentModel,
+    migrationReason: options.migrationReason || 'better agentic coding, lower token use, and longer research loops',
+    benchmarkSuites: [
+      'npm run test:high-roi',
+      'npm run prove:adapters',
+      'npm run prove:automation',
+      'npm run self-heal:check',
+    ],
+    evalDimensions: [
+      'unsupported_completion_claim_rate',
+      'tool_call_accuracy',
+      'token_cost_per_verified_task',
+      'regression_rate',
+      'computer_use_error_rate',
+      'research_loop_persistence',
+    ],
+    routingPolicy: {
+      lowRisk: 'allow_after_smoke_pass',
+      highRisk: 'allow_after_holdout_and_proof_pass',
+      destructiveActions: 'human_review_plus_evidence_gate',
+    },
+  };
+}
+
+function evaluateModelMigrationResult(result = {}) {
+  const issues = [];
+  if (!result.targetModel) issues.push('missing_target_model');
+  if (!result.baselineModel) issues.push('missing_baseline_model');
+  if (!result.highRoiTestsPass) issues.push('high_roi_tests_must_pass');
+  if (!result.adapterProofPass) issues.push('adapter_proof_must_pass');
+  if (!result.automationProofPass) issues.push('automation_proof_must_pass');
+  if (!result.selfHealPass) issues.push('self_heal_must_pass');
+  if (!Number.isFinite(result.tokenDeltaPercent)) issues.push('missing_token_delta');
+  if (Number(result.regressionCount || 0) > 0) issues.push('model_regressions_present');
+  if (result.routeHighRisk && !result.holdoutEvalPass) issues.push('holdout_required_for_high_risk_routing');
+
+  return {
+    decision: issues.length ? 'warn' : 'allow',
+    issues,
+    canRouteHighRisk: issues.length === 0 && Boolean(result.routeHighRisk),
+  };
+}
+
+module.exports = {
+  buildModelMigrationPlan,
+  evaluateModelMigrationResult,
+};

package/scripts/operational-integrity.js

@@ -603,10 +603,18 @@ function findOpenPrForBranch({ branchName, runner = runGh, env = process.env } =
 
 function classifyCommand(command) {
   const text = String(command || '').trim();
+  const workflowRunMatch = text.match(/\bgh\s+workflow\s+run\s+([^\s]+)/i);
+  const refMatch = text.match(/(?:--ref|-r)\s+([^\s]+)/i);
+  const fieldArgs = [...text.matchAll(/(?:--field|-f)\s+([A-Za-z0-9_.-]+)=([^\s]+)/gi)]
+    .map((match) => ({ name: match[1], value: match[2] }));
   return {
     text,
     isPrCreate: /\bgh\s+pr\s+create\b/i.test(text),
     isPrMerge: /\bgh\s+pr\s+merge\b/i.test(text),
+    isWorkflowRun: /\bgh\s+workflow\s+run\b/i.test(text),
+    workflowName: workflowRunMatch ? workflowRunMatch[1] : null,
+    workflowRef: refMatch ? refMatch[1] : null,
+    workflowFields: fieldArgs,
     isPublish: /\b(?:npm|yarn|pnpm)\s+publish\b/i.test(text),
     isReleaseCreate: /\bgh\s+release\s+create\b/i.test(text),
     isTagCreate: /\bgit\s+tag\b/i.test(text),
@@ -648,23 +656,108 @@ function evaluateOperationalIntegrity(options = {}) {
   const commandInfo = classifyCommand(options.command || '');
   const blockers = [];
 
-  const requiresGovernance = commandInfo.isPrCreate || commandInfo.isPrMerge || commandInfo.isPublish || commandInfo.isReleaseCreate || commandInfo.isTagCreate;
+  const requiresGovernance = commandInfo.isPrCreate
+    || commandInfo.isPrMerge
+    || commandInfo.isWorkflowRun
+    || commandInfo.isPublish
+    || commandInfo.isReleaseCreate
+    || commandInfo.isTagCreate;
   const isPublishLike = commandInfo.isPublish || commandInfo.isReleaseCreate || commandInfo.isTagCreate;
 
   if (requiresGovernance && !branchGovernance) {
     blockers.push(buildBlocker(
       'missing_branch_governance',
-      'PR, merge, release, and publish actions require explicit branch governance.'
+      'PR, workflow dispatch, merge, release, and publish actions require explicit branch governance.'
     ));
   }
 
   if (branchGovernance && branchGovernance.localOnly === true && requiresGovernance) {
     blockers.push(buildBlocker(
       'local_only_branch',
-      'This task is marked local-only. PR, merge, release, and publish actions are blocked.'
+      'This task is marked local-only. PR, workflow dispatch, merge, release, and publish actions are blocked.'
     ));
   }
 
+  if (commandInfo.isWorkflowRun) {
+    const workflowEvidence = branchGovernance && branchGovernance.workflowDispatch
+      && typeof branchGovernance.workflowDispatch === 'object'
+      ? branchGovernance.workflowDispatch
+      : null;
+    const requestedEnvironment = workflowEvidence && workflowEvidence.environment
+      ? String(workflowEvidence.environment).trim()
+      : '';
+    const expectedWorkflow = workflowEvidence && workflowEvidence.workflow
+      ? String(workflowEvidence.workflow).trim()
+      : '';
+    const expectedRef = workflowEvidence && workflowEvidence.ref
+      ? String(workflowEvidence.ref).trim()
+      : '';
+    const expectedSha = workflowEvidence && workflowEvidence.sha
+      ? String(workflowEvidence.sha).trim()
+      : '';
+    const expectedJob = workflowEvidence && workflowEvidence.job
+      ? String(workflowEvidence.job).trim()
+      : '';
+
+    if (!workflowEvidence) {
+      blockers.push(buildBlocker(
+        'missing_workflow_dispatch_evidence',
+        'GitHub Actions workflow dispatch requires explicit workflowDispatch evidence: environment, workflow, ref, sha, and job.'
+      ));
+    }
+    if (workflowEvidence && !requestedEnvironment) {
+      blockers.push(buildBlocker(
+        'missing_workflow_environment',
+        'Workflow dispatch requires the requested environment, such as dev, staging, beta, or release.'
+      ));
+    }
+    if (workflowEvidence && !expectedWorkflow) {
+      blockers.push(buildBlocker(
+        'missing_workflow_name',
+        'Workflow dispatch requires the expected workflow file name before execution.'
+      ));
+    }
+    if (workflowEvidence && expectedWorkflow && commandInfo.workflowName !== expectedWorkflow) {
+      blockers.push(buildBlocker(
+        'workflow_name_mismatch',
+        `Requested ${requestedEnvironment || 'workflow'} dispatch expects ${expectedWorkflow}, but command runs ${commandInfo.workflowName || 'unknown workflow'}.`,
+        { expectedWorkflow, actualWorkflow: commandInfo.workflowName }
+      ));
+    }
+    if (workflowEvidence && !expectedRef) {
+      blockers.push(buildBlocker(
+        'missing_workflow_ref',
+        'Workflow dispatch requires an explicit branch/ref before execution.'
+      ));
+    }
+    if (workflowEvidence && expectedRef && commandInfo.workflowRef !== expectedRef) {
+      blockers.push(buildBlocker(
+        'workflow_ref_mismatch',
+        `Workflow dispatch expects ref ${expectedRef}, but command uses ${commandInfo.workflowRef || 'no --ref value'}.`,
+        { expectedRef, actualRef: commandInfo.workflowRef }
+      ));
+    }
+    if (workflowEvidence && !expectedSha) {
+      blockers.push(buildBlocker(
+        'missing_workflow_sha',
+        'Workflow dispatch requires the HEAD SHA that will be verified after dispatch.'
+      ));
+    }
+    if (workflowEvidence && expectedSha && headSha && expectedSha !== headSha) {
+      blockers.push(buildBlocker(
+        'workflow_sha_mismatch',
+        `Workflow dispatch expects SHA ${expectedSha}, but repository HEAD is ${headSha}.`,
+        { expectedSha, headSha }
+      ));
+    }
+    if (workflowEvidence && !expectedJob) {
+      blockers.push(buildBlocker(
+        'missing_workflow_job',
+        'Workflow dispatch requires the expected job name to verify before reporting the run URL.'
+      ));
+    }
+  }
+
   if (commandInfo.isPrMerge && /--admin\b/i.test(commandInfo.text)) {
     blockers.push(buildBlocker(
       'admin_merge_bypass_forbidden',

package/scripts/otel-declarative-config.js

@@ -0,0 +1,56 @@
+#!/usr/bin/env node
+'use strict';
+
+function buildOtelDeclarativeConfig(input = {}) {
+  const serviceName = input.serviceName || 'thumbgate-agent-harness';
+  const environment = input.environment || 'production';
+  return {
+    file: 'otel.yaml',
+    envVar: 'OTEL_CONFIG_FILE',
+    config: {
+      resource: {
+        attributes: {
+          'service.name': serviceName,
+          'deployment.environment': environment,
+        },
+      },
+      traces: {
+        sampler: input.sampler || 'parentbased_traceidratio',
+        ratio: Number.isFinite(Number(input.ratio)) ? Number(input.ratio) : 0.25,
+        dropAttributes: ['authorization', 'cookie', 'x-api-key'],
+      },
+      metrics: {
+        exportIntervalMs: Number.isFinite(Number(input.exportIntervalMs)) ? Number(input.exportIntervalMs) : 60000,
+      },
+      logs: {
+        redactAttributes: ['prompt', 'toolInput', 'secret', 'token'],
+      },
+    },
+    policy: {
+      versionControlled: true,
+      reviewedBeforeProduction: true,
+      dynamicReloadAllowed: input.dynamicReloadAllowed === true,
+    },
+  };
+}
+
+function evaluateOtelConfig(config = {}) {
+  const issues = [];
+  const payload = config.config || config;
+  if (!payload.resource?.attributes?.['service.name']) issues.push('missing_service_name');
+  if (!payload.traces) issues.push('missing_trace_pipeline');
+  if (!payload.metrics) issues.push('missing_metric_pipeline');
+  if (!payload.logs) issues.push('missing_log_pipeline');
+  if (!Array.isArray(payload.traces?.dropAttributes) || !payload.traces.dropAttributes.includes('authorization')) {
+    issues.push('missing_sensitive_trace_attribute_drop');
+  }
+  return {
+    decision: issues.length === 0 ? 'allow' : 'warn',
+    issues,
+  };
+}
+
+module.exports = {
+  buildOtelDeclarativeConfig,
+  evaluateOtelConfig,
+};

package/scripts/perplexity-client.js

@@ -110,7 +110,7 @@ function extractCitations(response) {
 
 class PerplexityClient {
   constructor(options = {}) {
-    this.apiKey = options.apiKey || process.env.PERPLEXITY_API_KEY || '';
+    this.apiKey = options.apiKey ?? process.env.PERPLEXITY_API_KEY ?? '';
     this.baseUrl = options.baseUrl || process.env.PERPLEXITY_BASE_URL || DEFAULT_BASE_URL;
     this.fetchFn = options.fetchFn || globalThis.fetch;
     this.timeoutMs = Number(options.timeoutMs || process.env.PERPLEXITY_TIMEOUT_MS || DEFAULT_TIMEOUT_MS);

package/scripts/post-training-governance.js

@@ -0,0 +1,34 @@
+#!/usr/bin/env node
+'use strict';
+
+function evaluatePostTrainingPlan(input = {}) {
+  const mode = String(input.mode || '').toLowerCase();
+  const issues = [];
+  if (!['sft', 'rl', 'grpo', 'gspo'].includes(mode)) issues.push('unsupported_post_training_mode');
+  if (!input.dataset) issues.push('missing_dataset');
+  if (!input.baseCheckpoint) issues.push('missing_base_checkpoint');
+  if (input.piiRedacted !== true) issues.push('pii_redaction_required');
+  if (input.holdoutEval !== true) issues.push('holdout_eval_required');
+  if (input.rewardSpecRequired !== false && ['rl', 'grpo', 'gspo'].includes(mode) && !input.rewardSpec) {
+    issues.push('missing_reward_spec');
+  }
+  if (input.maxSpendCents === undefined) issues.push('missing_spend_cap');
+
+  return {
+    mode,
+    decision: issues.length === 0 ? 'allow' : 'warn',
+    issues,
+    requiredArtifacts: [
+      'dataset manifest',
+      'PII redaction report',
+      'base checkpoint',
+      'holdout eval report',
+      'spend cap',
+      ['rl', 'grpo', 'gspo'].includes(mode) ? 'reward specification' : null,
+    ].filter(Boolean),
+  };
+}
+
+module.exports = {
+  evaluatePostTrainingPlan,
+};