thumbgate 1.16.13 → 1.16.19

package/src/api/server.js

@@ -112,6 +112,7 @@ const {
   getBillingSummaryLive,
 } = require('../../scripts/billing');
 const {
+  DEFAULT_PUBLIC_APP_ORIGIN,
   resolveHostedBillingConfig,
   createTraceId,
   buildHostedSuccessUrl,
@@ -462,6 +463,12 @@ const TRACKED_LINK_TARGETS = Object.freeze({
 // Stripe event tracking helpers
 // ---------------------------------------------------------------------------
 const STRIPE_EVENTS_PATH = path.resolve(__dirname, '../../.thumbgate/stripe-events.jsonl');
+const LEGACY_STRIPE_EVENT_TYPES = new Set([
+  'checkout.session.completed',
+  'customer.subscription.created',
+  'customer.subscription.updated',
+  'customer.subscription.deleted',
+]);
 
 function ensureStripeEventsDir() {
   const dir = path.dirname(STRIPE_EVENTS_PATH);
@@ -473,6 +480,81 @@ function appendStripeEvent(record) {
   fs.appendFileSync(STRIPE_EVENTS_PATH, JSON.stringify(record) + '\n', 'utf8');
 }
 
+function buildLegacyStripeEventRecord(event) {
+  const obj = event.data && event.data.object ? event.data.object : {};
+  return {
+    timestamp: new Date().toISOString(),
+    event_type: event.type,
+    event_id: event.id || null,
+    customer_email:
+      obj.customer_email ||
+      obj.email ||
+      (obj.customer_details && obj.customer_details.email) ||
+      null,
+    plan:
+      obj.plan
+        ? (obj.plan.nickname || obj.plan.id || null)
+        : (
+          obj.items &&
+          obj.items.data &&
+          obj.items.data[0] &&
+          obj.items.data[0].plan
+            ? (obj.items.data[0].plan.nickname || obj.items.data[0].plan.id)
+            : null
+        ),
+    amount_cents: obj.amount_total || (obj.plan && obj.plan.amount) || null,
+    currency: obj.currency || null,
+    subscription_id: obj.subscription || obj.id || null,
+  };
+}
+
+async function handleLegacyStripeWebhook(req, res) {
+  try {
+    const rawBody = await new Promise((resolve, reject) => {
+      const chunks = [];
+      req.on('data', (c) => chunks.push(c));
+      req.on('end', () => resolve(Buffer.concat(chunks)));
+      req.on('error', reject);
+    });
+
+    const sig = req.headers['stripe-signature'] || '';
+    if (!verifyWebhookSignature(rawBody, sig)) {
+      sendProblem(res, {
+        type: PROBLEM_TYPES.WEBHOOK_INVALID,
+        title: 'Invalid webhook signature',
+        status: 400,
+        detail: 'The webhook signature could not be verified.',
+      });
+      return;
+    }
+
+    let event;
+    try {
+      event = JSON.parse(rawBody.toString('utf-8'));
+    } catch {
+      sendProblem(res, {
+        type: PROBLEM_TYPES.INVALID_JSON,
+        title: 'Invalid JSON',
+        status: 400,
+        detail: 'Invalid JSON in webhook body.',
+      });
+      return;
+    }
+
+    if (LEGACY_STRIPE_EVENT_TYPES.has(event.type)) {
+      appendStripeEvent(buildLegacyStripeEventRecord(event));
+    }
+    sendJson(res, 200, { received: true, event_type: event.type });
+  } catch (err) {
+    sendProblem(res, {
+      type: PROBLEM_TYPES.INTERNAL,
+      title: 'Internal Server Error',
+      status: 500,
+      detail: err.message,
+    });
+  }
+}
+
 function readStripeEvents() {
   ensureStripeEventsDir();
   if (!fs.existsSync(STRIPE_EVENTS_PATH)) return [];
@@ -688,6 +770,76 @@ function getMcpSkillManifests(hostedConfig) {
       footprintUrl: buildPublicUrl(hostedConfig, '/.well-known/mcp/footprint.json'),
       proofUrl: VERIFICATION_EVIDENCE_URL,
     },
+    {
+      name: 'agent-design-governance',
+      title: 'Agent Design Governance',
+      description: 'Decide when to stay single-agent, when to split into manager or handoff patterns, and which eval/tool safeguards are required first.',
+      triggers: ['agent architecture', 'multi-agent', 'tool overload', 'agent evals', 'agent instructions'],
+      recommendedFlow: [
+        'Start with a single agent plus clear tools and instructions.',
+        'Split only when instruction complexity or tool overload is measured.',
+        'Require baseline evals before adding autonomy or subagents.',
+        'Classify tool risk before allowing writes, money movement, production changes, or outbound actions.',
+      ],
+      contextUrl: buildPublicUrl(hostedConfig, '/public/llm-context.md'),
+      proofUrl: VERIFICATION_EVIDENCE_URL,
+    },
+    {
+      name: 'proactive-agent-eval-guardrails',
+      title: 'Proactive Agent Eval Guardrails',
+      description: 'Require state-machine modeling, active user simulation, goal inference, intervention timing, and multi-app orchestration proof before proactive agents write or interrupt users.',
+      triggers: ['proactive agents', 'PARE', 'active user simulation', 'intervention timing', 'multi-app orchestration'],
+      recommendedFlow: [
+        'Model each app as states, actions, and valid transitions.',
+        'Simulate active users before enabling anticipatory interventions.',
+        'Grade goal inference separately from intervention timing.',
+        'Block multi-app proactive writes until rollback and orchestration evidence exists.',
+      ],
+      contextUrl: buildPublicUrl(hostedConfig, '/public/llm-context.md'),
+      proofUrl: VERIFICATION_EVIDENCE_URL,
+    },
+    {
+      name: 'reward-hacking-guardrails',
+      title: 'Reward Hacking Guardrails',
+      description: 'Catch proxy-optimization failures such as unsupported completion claims, sycophancy, verbosity-as-proof, benchmark overfitting, and evaluator manipulation.',
+      triggers: ['reward hacking', 'benchmark overfitting', 'unsupported claims', 'sycophancy', 'verifier theater'],
+      recommendedFlow: [
+        'Inspect candidate claims for completion, safety, test, or deployment language.',
+        'Require proof artifacts before accepting done, fixed, safe, or ready-to-merge claims.',
+        'Map every proxy metric to the real user objective.',
+        'Require holdout or regression proof before treating benchmark gains as product gains.',
+      ],
+      contextUrl: buildPublicUrl(hostedConfig, '/public/llm-context.md'),
+      proofUrl: VERIFICATION_EVIDENCE_URL,
+    },
+    {
+      name: 'oss-pr-opportunity-scout',
+      title: 'OSS PR Opportunity Scout',
+      description: 'Find upstream GitHub repositories ThumbGate actually depends on, then rank issue, bounty, and proof-backed PR opportunities without spam.',
+      triggers: ['GitHub issues', 'bug bounty', 'upstream PR', 'open source promotion', 'maintainer outreach'],
+      recommendedFlow: [
+        'Map package dependencies to upstream repositories.',
+        'Search only maintainer-visible issues, help-wanted labels, regressions, and bounty surfaces.',
+        'Reproduce locally before claiming a fix.',
+        'Open one focused PR with tests, proof, and transparent ThumbGate context only when relevant.',
+      ],
+      contextUrl: buildPublicUrl(hostedConfig, '/public/llm-context.md'),
+      proofUrl: VERIFICATION_EVIDENCE_URL,
+    },
+    {
+      name: 'chatgpt-ads-readiness-pack',
+      title: 'ChatGPT Ads Readiness Pack',
+      description: 'Prepare ThumbGate intent clusters, proof-backed copy, landing routes, and measurement before ChatGPT Ads Manager becomes broadly self-serve.',
+      triggers: ['ChatGPT ads', 'AI ads', 'paid AI search', 'Ads Manager', 'agent governance advertising'],
+      recommendedFlow: [
+        'Submit advertiser interest when eligible.',
+        'Cluster high-intent conversational queries around agent governance and repeated workflow failures.',
+        'Route self-serve intent to the guide and team pain to Workflow Hardening Sprint intake.',
+        'Block unsupported ad and landing-page claims before spend scales.',
+      ],
+      contextUrl: buildPublicUrl(hostedConfig, '/public/llm-context.md'),
+      proofUrl: VERIFICATION_EVIDENCE_URL,
+    },
   ];
 }
 
@@ -788,6 +940,31 @@ function getMcpDiscoveryManifest(hostedConfig) {
         description: 'Measure MCP schema and feedback-context footprint before loading large manifests into model context.',
         tools: ['plan_context_footprint', 'construct_context_pack', 'context_provenance'],
       },
+      {
+        name: 'agent-design-governance',
+        description: 'Evaluate agent architecture, instruction quality, tool risk, and baseline eval readiness before adding subagents or autonomy.',
+        tools: ['plan_agent_design_governance', 'search_lessons', 'diagnose_failure', 'require_evidence_for_claim'],
+      },
+      {
+        name: 'proactive-agent-eval-guardrails',
+        description: 'Evaluate proactive-agent state modeling, active-user simulation, goal inference, timing, and multi-app write readiness.',
+        tools: ['plan_proactive_agent_eval_guardrails', 'require_evidence_for_claim', 'workflow_sentinel'],
+      },
+      {
+        name: 'reward-hacking-guardrails',
+        description: 'Detect proxy-optimization failures before accepting completion claims, benchmark wins, verifier approvals, or multimodal assertions.',
+        tools: ['plan_reward_hacking_guardrails', 'require_evidence_for_claim', 'verify_claim'],
+      },
+      {
+        name: 'oss-pr-opportunity-scout',
+        description: 'Rank upstream repositories for proof-backed issue fixes and PR opportunities using ThumbGate dependency evidence.',
+        tools: ['plan_oss_pr_opportunity_scout', 'require_evidence_for_claim', 'track_action'],
+      },
+      {
+        name: 'chatgpt-ads-readiness-pack',
+        description: 'Prepare AI-ads intent clusters, copy, proof links, and measurement gates for ThumbGate campaigns.',
+        tools: ['plan_chatgpt_ads_readiness', 'require_evidence_for_claim', 'get_business_metrics'],
+      },
     ],
     skills: getMcpSkillManifests(hostedConfig),
     applications: getMcpApplications(hostedConfig),
@@ -1318,6 +1495,16 @@ function buildCheckoutBootstrapBody(parsed, req, journeyState = resolveJourneySt
   };
 }
 
+function buildCheckoutConfirmHref(parsed) {
+  const confirmUrl = new URL('/checkout/pro', 'https://thumbgate.invalid');
+  confirmUrl.searchParams.set('confirm', '1');
+  for (const [key, value] of parsed.searchParams.entries()) {
+    if (key === 'confirm') continue;
+    confirmUrl.searchParams.append(key, value);
+  }
+  return `${confirmUrl.pathname}${confirmUrl.search}`;
+}
+
 function normalizeTrackedLinkSlug(value) {
   return String(value || '').trim().toLowerCase().replace(/[^a-z0-9-]/g, '');
 }
@@ -1625,6 +1812,34 @@ function escapeHtmlAttribute(value) {
     .replaceAll('>', '>');
 }
 
+function stripTrailingSlashes(value) {
+  const input = String(value || '');
+  let end = input.length;
+  while (end > 0 && input[end - 1] === '/') end -= 1;
+  return input.slice(0, end);
+}
+
+function normalizePublicMarketingHtml(html, runtimeConfig) {
+  const appOrigin = runtimeConfig?.appOrigin
+    ? stripTrailingSlashes(runtimeConfig.appOrigin)
+    : '';
+  if (!appOrigin) return html;
+
+  let output = String(html);
+  output = output.replaceAll(DEFAULT_PUBLIC_APP_ORIGIN, appOrigin);
+  try {
+    const host = new URL(appOrigin).host;
+    output = output.replaceAll(
+      'data-domain="thumbgate-production.up.railway.app"',
+      `data-domain="${escapeHtmlAttribute(host)}"`
+    );
+  } catch {
+    // appOrigin is normalized by hosted-config; leave static analytics domains
+    // untouched if a future caller deliberately supplies a non-URL value.
+  }
+  return output;
+}
+
 function loadPublicMarketingTemplateHtml(templatePath, runtimeConfig, pageContext = {}) {
   const template = fs.readFileSync(templatePath, 'utf-8');
   const googleSiteVerificationMeta = runtimeConfig.googleSiteVerification
@@ -1637,11 +1852,11 @@ function loadPublicMarketingTemplateHtml(templatePath, runtimeConfig, pageContex
       '    window.dataLayer = window.dataLayer || [];',
       '    function gtag(){dataLayer.push(arguments);}',
       "    gtag('js', new Date());",
-      `    gtag('config', '${runtimeConfig.gaMeasurementId}', { send_page_view: false });`,
+      `    gtag('config', '${runtimeConfig.gaMeasurementId}');`,
       '  </script>',
     ].join('\n')
     : '';
-  return fillTemplate(template, {
+  return normalizePublicMarketingHtml(fillTemplate(template, {
     '__PACKAGE_VERSION__': pkg.version,
     '__APP_ORIGIN__': runtimeConfig.appOrigin,
     '__CHECKOUT_ENDPOINT__': runtimeConfig.checkoutEndpoint,
@@ -1665,7 +1880,7 @@ function loadPublicMarketingTemplateHtml(templatePath, runtimeConfig, pageContex
     '__GTM_PLAN_URL__': 'https://github.com/IgorGanapolsky/ThumbGate/blob/main/docs/GO_TO_MARKET_REVENUE_WEDGE_2026-03.md',
     '__GITHUB_URL__': 'https://github.com/IgorGanapolsky/ThumbGate',
     '__POSTHOG_API_KEY__': runtimeConfig.posthogApiKey || '',
-  });
+  }), runtimeConfig);
 }
 
 function loadLandingPageHtml(runtimeConfig, pageContext = {}) {
@@ -2208,9 +2423,7 @@ function renderRobotsTxt(runtimeConfig) {
 function renderSitemapXml(runtimeConfig) {
   const entries = [
     { path: '/', changefreq: 'weekly', priority: '1.0' },
-    // /pro consolidated into /#pro-pitch (2026-04-16) — removed from sitemap
-    // so search engines don't chase the 301 instead of indexing the canonical
-    // homepage directly.
+    { path: '/pro', changefreq: 'weekly', priority: '0.9' },
     { path: '/llm-context.md', changefreq: 'weekly', priority: '0.8' },
     { path: '/codex-plugin', changefreq: 'weekly', priority: '0.75' },
     ...THUMBGATE_SEO_SITEMAP_ENTRIES,
@@ -2234,6 +2447,21 @@ function renderSitemapXml(runtimeConfig) {
   ].join('\n');
 }
 
+function buildHostedRuntimePresence(hostedConfig, { expectedApiKey, expectedOperatorKey } = {}) {
+  return {
+    THUMBGATE_FEEDBACK_DIR: Boolean(process.env.THUMBGATE_FEEDBACK_DIR),
+    THUMBGATE_OPERATOR_KEY: Boolean(expectedOperatorKey),
+    THUMBGATE_API_KEY: Boolean(expectedApiKey),
+    THUMBGATE_PUBLIC_APP_ORIGIN: Boolean(hostedConfig.appOrigin),
+    THUMBGATE_BILLING_API_BASE_URL: Boolean(hostedConfig.billingApiBaseUrl),
+    THUMBGATE_GA_MEASUREMENT_ID: Boolean(hostedConfig.gaMeasurementId),
+    THUMBGATE_CHECKOUT_FALLBACK_URL: Boolean(hostedConfig.checkoutFallbackUrl),
+    THUMBGATE_SPRINT_DIAGNOSTIC_CHECKOUT_URL: Boolean(hostedConfig.sprintDiagnosticCheckoutUrl),
+    THUMBGATE_WORKFLOW_SPRINT_CHECKOUT_URL: Boolean(hostedConfig.workflowSprintCheckoutUrl),
+    STRIPE_SECRET_KEY: Boolean(process.env.STRIPE_SECRET_KEY),
+  };
+}
+
 function isSeoAttributionSource(source) {
   return source === 'organic_search' || source === 'ai_search';
 }
@@ -2699,6 +2927,33 @@ function renderCheckoutSuccessPage(runtimeConfig) {
 }
 
 function renderCheckoutCancelledPage(runtimeConfig) {
+  const diagnosticCheckoutUrl = runtimeConfig.sprintDiagnosticCheckoutUrl
+    ? escapeHtmlAttribute(runtimeConfig.sprintDiagnosticCheckoutUrl)
+    : '';
+  const workflowSprintCheckoutUrl = runtimeConfig.workflowSprintCheckoutUrl
+    ? escapeHtmlAttribute(runtimeConfig.workflowSprintCheckoutUrl)
+    : '';
+  const sprintDiagnosticPriceDollars = runtimeConfig.sprintDiagnosticPriceDollars || 499;
+  const workflowSprintPriceDollars = runtimeConfig.workflowSprintPriceDollars || 1500;
+  const workflowSprintIntakeUrl = `${escapeHtmlAttribute(runtimeConfig.appOrigin)}/#workflow-sprint-intake`;
+  const recoveryOfferLinks = [
+    `<a id="send-workflow-first" href="${workflowSprintIntakeUrl}" data-recovery-offer="workflow_sprint_intake" data-offer-price="0">Send workflow first</a>`,
+    diagnosticCheckoutUrl
+      ? `<a href="${diagnosticCheckoutUrl}" data-recovery-offer="sprint_diagnostic" data-offer-price="${sprintDiagnosticPriceDollars}">Book $${sprintDiagnosticPriceDollars} diagnostic</a>`
+      : '',
+    workflowSprintCheckoutUrl
+      ? `<a href="${workflowSprintCheckoutUrl}" data-recovery-offer="workflow_sprint" data-offer-price="${workflowSprintPriceDollars}">Start $${workflowSprintPriceDollars} sprint</a>`
+      : '',
+  ].filter(Boolean).join('\n        ');
+  const recoveryOfferCard = recoveryOfferLinks
+    ? `<div class="card recovery-card">
+      <h2>Need help deciding?</h2>
+      <p>If Pro is not the right next step, send the workflow first. We can qualify the blocker, confirm the proof plan, and route you to the diagnostic or sprint only when the scope is real.</p>
+      <div class="actions">
+        ${recoveryOfferLinks}
+      </div>
+    </div>`
+    : '';
   return `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -2784,6 +3039,9 @@ function renderCheckoutCancelledPage(runtimeConfig) {
       gap: 12px;
       margin-top: 18px;
     }
+    .recovery-card {
+      border-color: rgba(184, 92, 45, 0.38);
+    }
     .note {
       font-size: 14px;
       margin-top: 12px;
@@ -2812,17 +3070,19 @@ function renderCheckoutCancelledPage(runtimeConfig) {
       </div>
       <div class="actions">
         <button type="button" id="submit-reason">Send feedback</button>
-        <a id="retry-checkout" href="/checkout/pro" class="secondary">Try checkout again</a>
+        <a id="retry-checkout" href="/checkout/pro" class="secondary" data-recovery-offer="pro_trial_retry" data-offer-price="19">Restart $19 Pro trial</a>
         <a href="${runtimeConfig.appOrigin}" class="secondary">Return to Context Gateway</a>
       </div>
       <p class="note" id="status">No feedback sent yet.</p>
     </div>
+    ${recoveryOfferCard}
     <script>
       (function () {
         const params = new URLSearchParams(window.location.search);
         const statusEl = document.getElementById('status');
         const noteEl = document.getElementById('buyer-note');
         const retryLink = document.getElementById('retry-checkout');
+        const workflowIntakeLink = document.getElementById('send-workflow-first');
         let selectedReason = null;
 
         function sendTelemetry(eventType, extra) {
@@ -2875,6 +3135,19 @@ function renderCheckoutCancelledPage(runtimeConfig) {
         });
         retryLink.href = retryUrl.toString();
 
+        if (workflowIntakeLink) {
+          const intakeUrl = new URL(workflowIntakeLink.href, window.location.origin);
+          ['trace_id', 'acquisition_id', 'visitor_id', 'session_id', 'visitor_session_id', 'install_id', 'utm_source', 'utm_campaign', 'utm_content', 'utm_term', 'creator', 'community', 'post_id', 'comment_id', 'campaign_variant', 'offer_code', 'landing_path', 'referrer_host'].forEach(function (key) {
+            const value = params.get(key);
+            if (value) intakeUrl.searchParams.set(key, value);
+          });
+          intakeUrl.searchParams.set('utm_medium', 'checkout_cancel_recovery');
+          intakeUrl.searchParams.set('cta_id', 'checkout_cancel_workflow_sprint_intake');
+          intakeUrl.searchParams.set('cta_placement', 'checkout_cancel_recovery');
+          intakeUrl.searchParams.set('plan_id', 'team');
+          workflowIntakeLink.href = intakeUrl.toString();
+        }
+
         sendTelemetry('checkout_cancelled');
 
         document.querySelectorAll('[data-reason]').forEach(function (button) {
@@ -2893,6 +3166,27 @@ function renderCheckoutCancelledPage(runtimeConfig) {
             ? 'Feedback saved: ' + selectedReason.replaceAll('_', ' ') + '.'
             : 'Feedback saved.';
         });
+
+        document.querySelectorAll('[data-recovery-offer]').forEach(function (link) {
+          link.addEventListener('click', function () {
+            if (link.getAttribute('data-recovery-offer') === 'workflow_sprint_intake') {
+              sendTelemetry('checkout_cancel_workflow_intake_clicked', {
+                ctaId: 'checkout_cancel_workflow_sprint_intake',
+                ctaPlacement: 'checkout_cancel_recovery',
+                offerCode: 'workflow_sprint_intake',
+                planId: 'team',
+                reasonCode: selectedReason || null
+              });
+              return;
+            }
+            sendTelemetry('checkout_recovery_offer_clicked', {
+              ctaId: link.getAttribute('data-recovery-offer'),
+              ctaPlacement: 'checkout_cancel_recovery',
+              offerCode: link.getAttribute('data-recovery-offer'),
+              offerPriceDollars: link.getAttribute('data-offer-price')
+            });
+          });
+        });
       }());
     </script>
   </main>
@@ -3880,17 +4174,22 @@ async function addContext(){
     }
 
     if (isGetLikeRequest && pathname === '/pro') {
-      // Consolidated: /pro content now lives inline on `/` as the #pro-pitch
-      // strip (hero-adjacent pricing card). 301 so external links (README,
-      // plugin manifests, guides, compare pages) pass link equity onto the
-      // single canonical landing page. Query string is preserved so UTM
-      // tracking from inbound campaigns still reaches GA/PostHog on `/`.
-      const redirectTarget = `/#pro-pitch${parsed.search || ''}`;
-      res.writeHead(301, {
-        Location: redirectTarget,
-        'Cache-Control': 'public, max-age=3600',
-      });
-      res.end();
+      try {
+        servePublicMarketingPage({
+          req,
+          res,
+          parsed,
+          hostedConfig,
+          isHeadRequest,
+          renderHtml: loadProPageHtml,
+          extraTelemetry: {
+            pageType: 'pro',
+            planId: 'pro',
+          },
+        });
+      } catch (err) {
+        sendText(res, 500, err.message || 'Pro page unavailable');
+      }
       return;
     }
 
@@ -4112,7 +4411,8 @@ async function addContext(){
           planId: analyticsMetadata.planId,
           reason: botClassification.reason,
         }, req.headers, 'checkout_bot_deflected');
-        const html = '<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="robots" content="noindex,nofollow"><title>ThumbGate Pro \u2014 Confirm checkout</title><style>*{box-sizing:border-box}body{background:#0a0a0a;color:#e5e5e5;font-family:system-ui,-apple-system,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0;padding:20px}.card{background:#141414;border:1px solid #222;border-radius:16px;padding:48px 40px;max-width:460px;width:100%;text-align:center;box-shadow:0 8px 32px rgba(0,0,0,.5)}h1{margin:0 0 12px;font-size:22px;color:#22d3ee}p{color:#9ca3af;font-size:14px;line-height:1.55;margin:0 0 24px}.btn{display:inline-block;background:#22d3ee;color:#000;text-decoration:none;font-weight:700;padding:14px 32px;border-radius:999px;font-size:16px;cursor:pointer;border:none}.btn:hover{opacity:.9}.sub{margin-top:16px;font-size:12px;color:#6b7280}a.back{color:#6b7280;font-size:13px;text-decoration:underline}</style></head><body><div class="card"><h1>Continue to secure checkout</h1><p>You\'re one click from ThumbGate Pro at $19/mo. We create the payment session only after you confirm \u2014 keeps your path clean and our funnel honest.</p><a class="btn" href="/checkout/pro?confirm=1" rel="noopener">Continue to Stripe \u2192</a><div class="sub">Payments handled by Stripe. 7-day free trial. Cancel anytime.</div><div class="sub"><a class="back" href="/">\u2190 Back to homepage</a></div></div></body></html>';
+        const confirmHref = escapeHtmlAttribute(buildCheckoutConfirmHref(parsed));
+        const html = `<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="robots" content="noindex,nofollow"><title>ThumbGate Pro \u2014 Confirm checkout</title><style>*{box-sizing:border-box}body{background:#0a0a0a;color:#e5e5e5;font-family:system-ui,-apple-system,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0;padding:20px}.card{background:#141414;border:1px solid #222;border-radius:16px;padding:48px 40px;max-width:460px;width:100%;text-align:center;box-shadow:0 8px 32px rgba(0,0,0,.5)}h1{margin:0 0 12px;font-size:22px;color:#22d3ee}p{color:#9ca3af;font-size:14px;line-height:1.55;margin:0 0 24px}.btn{display:inline-block;background:#22d3ee;color:#000;text-decoration:none;font-weight:700;padding:14px 32px;border-radius:999px;font-size:16px;cursor:pointer;border:none}.btn:hover{opacity:.9}.sub{margin-top:16px;font-size:12px;color:#6b7280}a.back{color:#6b7280;font-size:13px;text-decoration:underline}</style></head><body><div class="card"><h1>Continue to secure checkout</h1><p>You're one click from ThumbGate Pro at $19/mo. We create the payment session only after you confirm \u2014 keeps your path clean and our funnel honest.</p><a class="btn" href="${confirmHref}" rel="noopener">Continue to Stripe \u2192</a><div class="sub">Payments handled by Stripe. 7-day trial. Card required; no charge today. Cancel anytime.</div><div class="sub"><a class="back" href="/">\u2190 Back to homepage</a></div></div></body></html>`;
         sendHtml(res, 200, html, responseHeaders);
         return;
       }
@@ -4809,6 +5109,13 @@ async function addContext(){
       return;
     }
 
+    // POST /webhook/stripe — legacy Stripe event log bridge kept for backward compatibility.
+    // This must remain unauthenticated like /v1/billing/webhook; Stripe auth is the HMAC signature.
+    if (req.method === 'POST' && pathname === '/webhook/stripe') {
+      await handleLegacyStripeWebhook(req, res);
+      return;
+    }
+
     // GitHub Marketplace webhook
     if (req.method === 'POST' && pathname === '/v1/billing/github-webhook') {
       try {
@@ -6010,7 +6317,13 @@ async function addContext(){
         }
 
         const summary = await getBillingSummaryLive(summaryOptions);
-        sendJson(res, 200, summary);
+        sendJson(res, 200, {
+          ...summary,
+          runtimePresence: buildHostedRuntimePresence(hostedConfig, {
+            expectedApiKey,
+            expectedOperatorKey,
+          }),
+        });
         return;
       }
 
@@ -6375,86 +6688,6 @@ async function addContext(){
         return;
       }
 
-      // POST /webhook/stripe — legacy Stripe event log bridge kept for backward compatibility.
-      // When STRIPE_WEBHOOK_SECRET is configured, verify the same Stripe signature used by
-      // the /v1/billing/webhook route before touching any payload.
-      if (req.method === 'POST' && pathname === '/webhook/stripe') {
-        try {
-          const rawBody = await new Promise((resolve, reject) => {
-            const chunks = [];
-            req.on('data', (c) => chunks.push(c));
-            req.on('end', () => resolve(Buffer.concat(chunks)));
-            req.on('error', reject);
-          });
-
-          const sig = req.headers['stripe-signature'] || '';
-          if (!verifyWebhookSignature(rawBody, sig)) {
-            sendProblem(res, {
-              type: PROBLEM_TYPES.WEBHOOK_INVALID,
-              title: 'Invalid webhook signature',
-              status: 400,
-              detail: 'The webhook signature could not be verified.',
-            });
-            return;
-          }
-
-          let event;
-          try {
-            event = JSON.parse(rawBody.toString('utf-8'));
-          } catch {
-            sendProblem(res, {
-              type: PROBLEM_TYPES.INVALID_JSON,
-              title: 'Invalid JSON',
-              status: 400,
-              detail: 'Invalid JSON in webhook body.',
-            });
-            return;
-          }
-          const TRACKED_STRIPE_EVENTS = new Set([
-            'checkout.session.completed',
-            'customer.subscription.created',
-            'customer.subscription.deleted',
-          ]);
-          if (TRACKED_STRIPE_EVENTS.has(event.type)) {
-            const obj = event.data && event.data.object ? event.data.object : {};
-            const record = {
-              timestamp: new Date().toISOString(),
-              event_type: event.type,
-              event_id: event.id || null,
-              customer_email:
-                obj.customer_email ||
-                obj.email ||
-                (obj.customer_details && obj.customer_details.email) ||
-                null,
-              plan:
-                obj.plan
-                  ? (obj.plan.nickname || obj.plan.id || null)
-                  : (
-                    obj.items &&
-                    obj.items.data &&
-                    obj.items.data[0] &&
-                    obj.items.data[0].plan
-                      ? (obj.items.data[0].plan.nickname || obj.items.data[0].plan.id)
-                      : null
-                  ),
-              amount_cents: obj.amount_total || (obj.plan && obj.plan.amount) || null,
-              currency: obj.currency || null,
-              subscription_id: obj.subscription || obj.id || null,
-            };
-            appendStripeEvent(record);
-          }
-          sendJson(res, 200, { received: true, event_type: event.type });
-        } catch (err) {
-          sendProblem(res, {
-            type: PROBLEM_TYPES.INTERNAL,
-            title: 'Internal Server Error',
-            status: 500,
-            detail: err.message,
-          });
-        }
-        return;
-      }
-
       // GET /api/conversions — Conversion stats derived from the Stripe event log
       if (req.method === 'GET' && pathname === '/api/conversions') {
         try {

package/scripts/agents-sdk-sandbox-plan.js

@@ -1,57 +0,0 @@
-'use strict';
-
-function buildAgentsSdkSandboxPlan(options = {}) {
-  const provider = options.provider || 'unix_local';
-  const mounts = options.mounts || [{ name: 'data', mode: 'read_only' }];
-  const outputDir = options.outputDir || 'outputs';
-
-  return {
-    harness: 'openai_agents_sdk_sandbox',
-    provider,
-    manifest: {
-      mounts,
-      outputDir,
-      network: options.network || 'disabled_by_default',
-      allowedCommands: options.allowedCommands || ['npm test', 'npm run test:coverage'],
-    },
-    separation: {
-      credentialsInSandbox: false,
-      toolBrokerOwnsSecrets: true,
-      sandboxGetsScopedFilesOnly: true,
-    },
-    durability: {
-      externalState: true,
-      checkpoints: ['manifest_loaded', 'tools_completed', 'patch_written', 'tests_run'],
-      rehydrateOnSandboxLoss: true,
-    },
-    gates: [
-      'read manifest before file access',
-      'write only under declared output or scoped repo path',
-      'cite source filenames for data-room answers',
-      'run configured verification before completion claim',
-      'persist decision journal outside sandbox',
-    ],
-  };
-}
-
-function evaluateSandboxPlan(plan = {}) {
-  const issues = [];
-  if (!plan.manifest?.mounts?.length) issues.push('missing_manifest_mounts');
-  if (!plan.manifest?.outputDir) issues.push('missing_output_dir');
-  if (plan.separation?.credentialsInSandbox !== false) issues.push('credentials_must_stay_outside_sandbox');
-  if (!plan.durability?.externalState) issues.push('external_state_required');
-  if (!plan.durability?.rehydrateOnSandboxLoss) issues.push('rehydration_required');
-  if (!Array.isArray(plan.gates) || !plan.gates.some((gate) => /verification/i.test(gate))) {
-    issues.push('verification_gate_required');
-  }
-
-  return {
-    decision: issues.length ? 'warn' : 'allow',
-    issues,
-  };
-}
-
-module.exports = {
-  buildAgentsSdkSandboxPlan,
-  evaluateSandboxPlan,
-};