thumbgate 1.17.0 → 1.19.0

package/public/pro.html

@@ -718,7 +718,7 @@ __GA_BOOTSTRAP__
       <a href="#pricing">Pricing</a>
       <a href="#faq">FAQ</a>
       <a href="/dashboard">Demo</a>
-      <a class="nav-cta" data-quick-read-link href="https://buy.stripe.com/aFa8wPgH29Lo4lH35V3sI0w" onclick="sendFirstPartyTelemetry('quick_read_checkout_started',{ctaId:'pro_page_nav_quick_read_checkout',price:19});sendGa4Event('begin_checkout',{currency:'USD',value:19,items:[{item_id:'quick_read',item_name:'AI Agent Failure Quick Read'}]});">Pay $19 quick read</a>
+      <a rel="nofollow noopener noreferrer" target="_blank" class="nav-cta" data-quick-read-link href="https://buy.stripe.com/5kQ7sL76s1eSaK55e33sI2H" onclick="sendFirstPartyTelemetry('quick_read_checkout_started',{ctaId:'pro_page_nav_quick_read_checkout',price:19});sendGa4Event('begin_checkout',{currency:'USD',value:19,items:[{item_id:'quick_read',item_name:'AI Agent Failure Quick Read'}]});">Pay $19 quick read</a>
     </div>
   </div>
 </nav>
@@ -738,7 +738,7 @@ __GA_BOOTSTRAP__
         <div class="proof-pill">Founder support on risky flows</div>
       </div>
       <div class="hero-actions">
-        <a class="btn-primary" data-quick-read-link href="https://buy.stripe.com/aFa8wPgH29Lo4lH35V3sI0w" onclick="sendFirstPartyTelemetry('quick_read_checkout_started',{ctaId:'pro_page_hero_quick_read_checkout',price:19});sendGa4Event('begin_checkout',{currency:'USD',value:19,items:[{item_id:'quick_read',item_name:'AI Agent Failure Quick Read'}]});">Pay $19 quick read</a>
+        <a rel="nofollow noopener noreferrer" target="_blank" class="btn-primary" data-quick-read-link href="https://buy.stripe.com/5kQ7sL76s1eSaK55e33sI2H" onclick="sendFirstPartyTelemetry('quick_read_checkout_started',{ctaId:'pro_page_hero_quick_read_checkout',price:19});sendGa4Event('begin_checkout',{currency:'USD',value:19,items:[{item_id:'quick_read',item_name:'AI Agent Failure Quick Read'}]});">Pay $19 quick read</a>
         <a class="btn-secondary btn-pro-checkout" href="/checkout/pro?utm_source=website&utm_medium=pro_page_hero&utm_campaign=pro_pack&cta_id=pro_page_primary&cta_placement=hero&plan_id=pro&landing_path=%2Fpro">Start Pro dashboard</a>
         <a class="btn-secondary btn-demo" href="/dashboard?utm_source=website&utm_medium=pro_page&utm_campaign=pro_pack">Open dashboard demo</a>
         <a class="btn-ghost btn-free-path" href="/guide?utm_source=website&utm_medium=pro_page&utm_campaign=free_install">Stay on Free and install locally</a>
@@ -780,8 +780,8 @@ __GA_BOOTSTRAP__
         <h3>Buy the paid diagnostic</h3>
         <p>Skip self-serve Pro and pay for the smallest useful review now.</p>
         <div class="price-stack">
-          <a class="btn-secondary" data-first-rule-link href="https://buy.stripe.com/4gM6oHgH2bTw4lH6i73sI0z" onclick="sendFirstPartyTelemetry('first_failure_rule_checkout_started',{ctaId:'pro_page_first_failure_rule_checkout',price:1});sendGa4Event('begin_checkout',{currency:'USD',value:1,items:[{item_id:'first_failure_rule',item_name:'First AI Agent Failure Rule'}]});">Pay $1 first rule</a>
-          <a class="btn-secondary" data-quick-read-link href="https://buy.stripe.com/aFa8wPgH29Lo4lH35V3sI0w" onclick="sendFirstPartyTelemetry('quick_read_checkout_started',{ctaId:'pro_page_quick_read_checkout',price:19});">Pay $19 quick read</a>
+          <a rel="nofollow noopener noreferrer" target="_blank" class="btn-secondary" data-first-rule-link href="https://buy.stripe.com/fZu28rfCY6zcbO99uj3sI2G" onclick="sendFirstPartyTelemetry('first_failure_rule_checkout_started',{ctaId:'pro_page_first_failure_rule_checkout',price:1});sendGa4Event('begin_checkout',{currency:'USD',value:1,items:[{item_id:'first_failure_rule',item_name:'First AI Agent Failure Rule'}]});">Pay $1 first rule</a>
+          <a rel="nofollow noopener noreferrer" target="_blank" class="btn-secondary" data-quick-read-link href="https://buy.stripe.com/5kQ7sL76s1eSaK55e33sI2H" onclick="sendFirstPartyTelemetry('quick_read_checkout_started',{ctaId:'pro_page_quick_read_checkout',price:19});">Pay $19 quick read</a>
           <a class="btn-primary" data-sprint-diagnostic-link href="__SPRINT_DIAGNOSTIC_CHECKOUT_URL__" onclick="sendFirstPartyTelemetry('workflow_sprint_diagnostic_checkout_started',{ctaId:'pro_page_sprint_diagnostic_checkout'});sendGa4Event('begin_checkout',{currency:'USD',value:__SPRINT_DIAGNOSTIC_PRICE_DOLLARS__});">Pay $__SPRINT_DIAGNOSTIC_PRICE_DOLLARS__ diagnostic</a>
           <a class="btn-secondary" data-workflow-sprint-link href="__WORKFLOW_SPRINT_CHECKOUT_URL__" onclick="sendFirstPartyTelemetry('workflow_sprint_checkout_started',{ctaId:'pro_page_workflow_sprint_checkout'});sendGa4Event('begin_checkout',{currency:'USD',value:__WORKFLOW_SPRINT_PRICE_DOLLARS__});">Pay $__WORKFLOW_SPRINT_PRICE_DOLLARS__ sprint</a>
         </div>

package/scripts/activation-tracker.js

@@ -0,0 +1,127 @@
+'use strict';
+
+/**
+ * Activation tracker — fires `activation_first_rule_promoted` exactly once
+ * per install, the first time a prevention rule auto-promotes from feedback.
+ *
+ * Why: v1.17.0 opened the free tier (5 active rules, unlimited captures).
+ * The metric that decides whether that worked is the % of `npx thumbgate init`
+ * runs that produce a first auto-promoted prevention rule within 24h. Without
+ * this telemetry, every funnel decision is guessing. This is improvement #1
+ * from the 2026-05-13 revenue-ROI critique.
+ *
+ * Payload (anonymous):
+ *   - eventType: 'activation_first_rule_promoted'
+ *   - installId: stable random UUID (from cli-telemetry.getInstallId)
+ *   - daysToFirstRule: days between INSTALL_ID_PATH creation and now
+ *   - visitorType: ci | owner | real_user (from cli-telemetry.classifyInstall)
+ *
+ * No personal data, no rule content, no feedback text. Just the activation
+ * signal. Respects THUMBGATE_NO_TELEMETRY=1 / DO_NOT_TRACK=1 opt-out via
+ * the underlying trackEvent helper.
+ *
+ * Idempotency: writes a marker file. After the first firing the function
+ * is a no-op for the lifetime of that install.
+ */
+
+const fs = require('node:fs');
+const path = require('node:path');
+
+const { trackEvent, getInstallId, classifyInstall, INSTALL_ID_PATH } = require('./cli-telemetry');
+
+const MARKER_DIR = path.join(path.dirname(INSTALL_ID_PATH), 'activation');
+const MARKER_PATH = path.join(MARKER_DIR, 'first-rule-promoted.json');
+
+function readMarker() {
+  try {
+    if (!fs.existsSync(MARKER_PATH)) return null;
+    return JSON.parse(fs.readFileSync(MARKER_PATH, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function writeMarker(record) {
+  try {
+    if (!fs.existsSync(MARKER_DIR)) fs.mkdirSync(MARKER_DIR, { recursive: true });
+    fs.writeFileSync(MARKER_PATH, JSON.stringify(record, null, 2));
+  } catch {
+    // non-fatal: worst case we double-fire on a future run; the telemetry
+    // backend can dedup by installId. Better to be silent than to throw.
+  }
+}
+
+function computeDaysSinceInstall() {
+  try {
+    if (!fs.existsSync(INSTALL_ID_PATH)) return null;
+    const installed = fs.statSync(INSTALL_ID_PATH).mtimeMs;
+    if (!Number.isFinite(installed) || installed <= 0) return null;
+    const diffMs = Date.now() - installed;
+    if (diffMs < 0) return 0;
+    // 1 decimal of precision; the metric uses 24h buckets but a finer-grained
+    // number lets analytics chart same-day vs. 1d / 2d / week-of activation.
+    return Math.round((diffMs / 86_400_000) * 10) / 10;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Fire the activation event if this is the first rule promotion for this
+ * install. Returns true if an event was actually emitted, false if skipped
+ * (already fired before, or environment opted out of telemetry).
+ *
+ * Always synchronous and never throws — safe to call from any side-effect
+ * site without try/catch wrapping. The underlying telemetry call is itself
+ * fire-and-forget over HTTPS with a 3s timeout.
+ */
+function recordFirstRulePromotion(metadata = {}) {
+  if (readMarker()) return false; // already fired
+
+  if (process.env.THUMBGATE_NO_TELEMETRY === '1' || process.env.DO_NOT_TRACK === '1') {
+    // Still write the marker so a later run with telemetry re-enabled does not
+    // fire stale activation data weeks after the actual first promotion.
+    writeMarker({
+      installId: getInstallId(),
+      promotedAt: new Date().toISOString(),
+      telemetryOptOut: true,
+    });
+    return false;
+  }
+
+  const installId = getInstallId();
+  const daysToFirstRule = computeDaysSinceInstall();
+  const visitorType = classifyInstall();
+
+  writeMarker({
+    installId,
+    promotedAt: new Date().toISOString(),
+    daysToFirstRule,
+    visitorType,
+    ...metadata,
+  });
+
+  trackEvent('activation_first_rule_promoted', {
+    daysToFirstRule,
+    visitorType,
+    ...metadata,
+  });
+  return true;
+}
+
+function resetForTesting() {
+  // Test-only helper. Removes the marker so a subsequent recordFirstRulePromotion
+  // call re-fires. Never used in production code paths.
+  try {
+    if (fs.existsSync(MARKER_PATH)) fs.unlinkSync(MARKER_PATH);
+  } catch {}
+}
+
+module.exports = {
+  recordFirstRulePromotion,
+  computeDaysSinceInstall,
+  readMarker,
+  writeMarker,
+  MARKER_PATH,
+  resetForTesting,
+};

package/scripts/auto-promote-gates.js

@@ -6,7 +6,10 @@ const path = require('path');
 const { resolveFeedbackDir } = require('./feedback-paths');
 
 const MAX_AUTO_GATES = 10;
-const WARN_THRESHOLD = 2; // 2+ repeated failures surface a warning gate
+// 1+ failure auto-promotes to a warning gate. Cold buyers expect "one 👎 → blocked next time"
+// — a 2-capture threshold made first-capture invisible and broke the activation loop. Block
+// escalation still requires 3 captures (BLOCK_THRESHOLD) so noise doesn't auto-hard-block.
+const WARN_THRESHOLD = 1;
 const BLOCK_THRESHOLD = 3; // 3+ repeated failures hard-block the action
 const WINDOW_DAYS = 30;
 

package/scripts/feedback-loop.js

@@ -1398,7 +1398,20 @@ function captureFeedback(params) {
   if (feedbackEvent.signal === 'negative') {
     try {
       const autoPromote = require('./auto-promote-gates');
-      autoPromote.promote(FEEDBACK_LOG_PATH);
+      const promoteResult = autoPromote.promote(FEEDBACK_LOG_PATH);
+      // First-rule activation telemetry: anonymous ping the first time
+      // a prevention rule auto-promotes for this install. Idempotent —
+      // see scripts/activation-tracker.js. Critical for activation funnel
+      // analytics; no rule content, just install_id + days_to_first_rule.
+      if (promoteResult && Array.isArray(promoteResult.promotions) && promoteResult.promotions.length > 0) {
+        try {
+          const { recordFirstRulePromotion } = require('./activation-tracker');
+          recordFirstRulePromotion({
+            promotionCount: promoteResult.promotions.length,
+            totalGates: promoteResult.totalGates,
+          });
+        } catch { /* activation telemetry is non-critical */ }
+      }
     } catch { /* Gate promotion is non-critical */ }
   }
 

package/scripts/feedback-to-rules.js

@@ -32,7 +32,17 @@ function normalize(ctx) {
   return (ctx || '').replace(/\/Users\/[^\s/]+/g, '~').replace(/:[0-9]+/g, '').toLowerCase().trim();
 }
 
-const HIGH_RISK_TAGS = new Set(['git-workflow', 'scope-control', 'trust-breach', 'execution-gap', 'regression', 'security']);
+// HIGH_RISK_TAGS triggers single-capture promotion (count >= 1 && hasHighRisk).
+// Tags here MUST overlap with what inferSemanticTags() actually emits (see scripts/feedback-loop.js)
+// — otherwise cold buyers' first 👎 stays a lesson and never becomes a gate.
+const HIGH_RISK_TAGS = new Set([
+  // Original semantic-category labels
+  'git-workflow', 'scope-control', 'trust-breach', 'execution-gap', 'regression', 'security',
+  // Tags inferSemanticTags() emits for destructive / irreversible operations
+  'destructive', 'force-push', 'delete', 'drop', 'force-overwrite',
+  'production', 'database', 'payment', 'credentials', 'secrets',
+  'rm-rf', 'reset-hard', 'truncate', 'data-loss',
+]);
 function analyze(entries) {
   let positiveCount = 0, negativeCount = 0;
   const categories = {};