npm - thumbgate - Versions diffs - 1.17.0 → 1.19.0 - Mend

thumbgate 1.17.0 → 1.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/.claude-plugin/marketplace.json +2 -2
package/.claude-plugin/plugin.json +1 -1
package/.well-known/mcp/server-card.json +1 -1
package/README.md +26 -4
package/adapters/claude/.mcp.json +2 -2
package/adapters/mcp/server-stdio.js +1 -1
package/adapters/opencode/opencode.json +1 -1
package/config/model-candidates.json +31 -0
package/package.json +29 -8
package/public/compare.html +6 -0
package/public/federal.html +375 -0
package/public/guide.html +2 -2
package/public/index.html +49 -19
package/public/learn.html +28 -0
package/public/numbers.html +2 -2
package/public/pro.html +4 -4
package/scripts/activation-tracker.js +127 -0
package/scripts/auto-promote-gates.js +4 -1
package/scripts/feedback-loop.js +14 -1
package/scripts/feedback-to-rules.js +11 -1
package/scripts/feedback_quality_eval.py +725 -0
package/scripts/memory-scope-readiness.js +315 -0
package/scripts/plausible-server-events.js +162 -0
package/scripts/seo-gsd.js +75 -2
package/scripts/statusline-links.js +2 -0
package/scripts/telemetry-analytics.js +1 -0
package/src/api/server.js +557 -12

package/src/api/server.js CHANGED Viewed

@@ -13,11 +13,17 @@ const {
 const POSTHOG_API_PATHS = new Set(['/capture', '/batch', '/decide', '/e', '/engage']);
 const POSTHOG_INGEST_HOST = 'us.i.posthog.com';
 const POSTHOG_STATIC_PATH_PREFIX = '/static/';
-const FIRST_FAILURE_RULE_CHECKOUT_URL = 'https://buy.stripe.com/4gM6oHgH2bTw4lH6i73sI0z';
-const QUICK_READ_CHECKOUT_URL = 'https://buy.stripe.com/aFa8wPgH29Lo4lH35V3sI0w';
-const WORKFLOW_TEARDOWN_CHECKOUT_URL = 'https://buy.stripe.com/7sYfZhgH29LodWhdKz3sI0v';
-const SPRINT_DIAGNOSTIC_CHECKOUT_URL = 'https://buy.stripe.com/3cI7sLgH25v8dWh5e33sI0o';
-const WORKFLOW_SPRINT_CHECKOUT_URL = 'https://buy.stripe.com/8x25kDcqMaPs9G15e33sI0p';
+// Payment Links generated by scripts/stripe-bootstrap-saas-catalog.js
+// (2026-05-14 dispatch run 25883541719). These are tied to the
+// ThumbGate-branded persistent products (metadata.thumbgate_tier=*) in the
+// Stripe catalog, with the per-tier thumbnails wired in. Re-run the
+// bootstrap workflow to regenerate; the new URLs surface in the workflow
+// summary log.
+const FIRST_FAILURE_RULE_CHECKOUT_URL = 'https://buy.stripe.com/fZu28rfCY6zcbO99uj3sI2G';
+const QUICK_READ_CHECKOUT_URL = 'https://buy.stripe.com/5kQ7sL76s1eSaK55e33sI2H';
+const WORKFLOW_TEARDOWN_CHECKOUT_URL = 'https://buy.stripe.com/8x214n2Qc4r44lHayn3sI2I';
+const SPRINT_DIAGNOSTIC_CHECKOUT_URL = 'https://buy.stripe.com/28E00j3Uge1E2dzgWL3sI2J';
+const WORKFLOW_SPRINT_CHECKOUT_URL = 'https://buy.stripe.com/6oU00j8aw2iWdWh9uj3sI2K';
 function getPosthogProxyPath(pathname) {
   return pathname.slice('/ingest'.length) || '/';
@@ -87,6 +93,9 @@ const {
 const {
   classifyRequester,
 } = require('../../scripts/bot-detection');
+const {
+  recordCheckoutFunnelEvent,
+} = require('../../scripts/plausible-server-events');
 const {
   buildCloudflareSandboxPlan,
 } = require('../../scripts/cloudflare-dynamic-sandbox');
@@ -209,6 +218,7 @@ const CODEX_PLUGIN_PAGE_PATH = path.resolve(__dirname, '../../public/codex-plugi
 const COMPARE_PAGE_PATH = path.resolve(__dirname, '../../public/compare.html');
 const LEARN_PAGE_PATH = path.resolve(__dirname, '../../public/learn.html');
 const NUMBERS_PAGE_PATH = path.resolve(__dirname, '../../public/numbers.html');
+const FEDERAL_PAGE_PATH = path.resolve(__dirname, '../../public/federal.html');
 const LEARN_DIR = path.resolve(__dirname, '../../public/learn');
 const GUIDES_DIR = path.resolve(__dirname, '../../public/guides');
 const COMPARE_DIR = path.resolve(__dirname, '../../public/compare');
@@ -403,6 +413,27 @@ const TRACKED_LINK_TARGETS = Object.freeze({
     },
     allowCustomerEmail: true,
   },
+  // 2026-05-12: Aiventyx marketplace listing routes its Teams clicks through
+  // /go/teams (best-performing listing at ~62% CTR). Without this slug the
+  // server returned 404 + "Tracked link not found". Every Aiventyx Teams
+  // click between the URL swap and this deploy landed on that error page.
+  // Destination: 3-seat Team self-serve Stripe checkout (the path I shipped
+  // in PR #1877 — plan_id=team + seat_count=3 = $147/mo entry).
+  teams: {
+    path: '/checkout/pro',
+    ctaId: 'go_teams',
+    ctaPlacement: 'link_router',
+    eventType: 'cta_click',
+    defaults: {
+      utm_source: 'website',
+      utm_medium: 'link_router',
+      utm_campaign: 'team_self_serve',
+      plan_id: 'team',
+      seat_count: '3',
+      billing_cycle: 'monthly',
+    },
+    allowCustomerEmail: true,
+  },
   install: {
     path: '/guide',
     ctaId: 'go_install',
@@ -1511,7 +1542,7 @@ function renderCheckoutIntentPage({
   const teardownAction = safeWorkflowTeardownCheckoutHref
     ? `<a data-i="workflow_teardown_checkout" href="${safeWorkflowTeardownCheckoutHref}">Pay $99 teardown</a>`
     : '';
-  return `<!doctype html><html lang="en"><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><style>body{background:#0a0a0a;color:#eee;font-family:system-ui,sans-serif}div{max-width:560px;margin:12vh auto}a{display:block;margin:10px 0;padding:12px;border:1px solid #374151;color:inherit;text-align:center}.primary{background:#22d3ee;color:#000}.high-ticket{border-color:#4ade80;color:#4ade80}</style><div><h1>Choose the right paid path.</h1><p>For one repeated workflow failure, start with the diagnostic or sprint. Use Pro only when you need the local self-serve dashboard.</p>${diagnosticAction.replace('<a ', '<a class="high-ticket" ')}${sprintAction.replace('<a ', '<a class="high-ticket" ')}<a class="primary" data-i="pro_checkout_confirmed" href="${safeConfirmHref}">Pay in Stripe</a>${teardownAction}${quickReadAction}${firstRuleAction}<a data-i="workflow_sprint_intake" href="${safeWorkflowIntakeHref}">Send workflow first</a><a data-i="team_paid_path" href="${safeTeamOptionsHref}">See options</a><p>Stripe checkout.</p><a href="/">Back</a></div><script>addEventListener('click',e=>{let a=e.target.closest('[data-i]');if(a&&navigator.sendBeacon)navigator.sendBeacon('/v1/telemetry/ping',new Blob([JSON.stringify({eventType:'checkout_interstitial_cta_clicked',clientType:'web',page:'/checkout/pro',ctaId:a.dataset.i,ctaPlacement:'checkout_interstitial'})],{type:'application/json'}))})</script>`;
+  return `<!doctype html><html lang="en"><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>Confirm — ThumbGate Pro</title><style>body{background:#0a0a0a;color:#eee;font-family:system-ui,-apple-system,sans-serif;line-height:1.5}main{max-width:520px;margin:8vh auto;padding:0 20px}.brand{display:flex;align-items:center;gap:10px;margin-bottom:24px;font-size:14px;color:#94a3b8}.brand-mark{width:24px;height:24px;background:#22d3ee;border-radius:6px;display:inline-block}h1{font-size:24px;margin:0 0 8px;color:#fff}.price{font-size:32px;font-weight:700;color:#22d3ee;margin:8px 0 4px}.price small{font-size:14px;color:#94a3b8;font-weight:400}p{color:#cbd5e1;margin:8px 0}a{display:block;text-decoration:none}a.primary{background:#22d3ee;color:#000;padding:16px;text-align:center;border-radius:8px;font-weight:700;font-size:16px;margin:20px 0 10px}a.secondary{border:1px solid #374151;color:#cbd5e1;padding:12px;text-align:center;border-radius:8px;margin:8px 0;font-size:14px}.trust{margin:24px 0;padding:16px;border:1px solid #1f2937;border-radius:8px;background:#0f172a}.trust-item{font-size:13px;color:#cbd5e1;padding:4px 0;display:flex;gap:8px}.trust-item::before{content:"✓";color:#22d3ee;font-weight:700}details{margin-top:32px;font-size:13px;color:#94a3b8}details summary{cursor:pointer;padding:8px 0}details a{border:1px solid #374151;color:#94a3b8;padding:10px;text-align:center;border-radius:6px;margin:6px 0;font-size:13px}.back{text-align:center;color:#64748b;font-size:12px;margin-top:24px}.back a{color:#64748b;display:inline}</style><main><div class="brand"><span class="brand-mark"></span><span>ThumbGate</span></div><h1>Start ThumbGate Pro</h1><div class="price">$19<small>/mo</small></div><p>Block every repeat AI-agent mistake. Local-first. MIT-licensed CLI included. Cancel anytime.</p><a class="primary" data-i="pro_checkout_confirmed" href="${safeConfirmHref}">Pay $19/mo with Stripe →</a><div class="trust"><div class="trust-item">6 paying customers, 18,000+ installs verified on npm</div><div class="trust-item">Cancel anytime — instant refund within 7 days</div><div class="trust-item">MIT open source · no vendor lock-in</div><div class="trust-item">Works with Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode</div></div><details><summary>Other paid paths (diagnostic, sprint, teardown, single-rule)</summary>${diagnosticAction.replace('<a ', '<a class="secondary" ')}${sprintAction.replace('<a ', '<a class="secondary" ')}${teardownAction.replace('<a ', '<a class="secondary" ')}${quickReadAction.replace('<a ', '<a class="secondary" ')}${firstRuleAction.replace('<a ', '<a class="secondary" ')}<a class="secondary" data-i="workflow_sprint_intake" href="${safeWorkflowIntakeHref}">Send workflow first (intake)</a><a class="secondary" data-i="team_paid_path" href="${safeTeamOptionsHref}">See all options</a></details><p class="back"><a href="/">← Back to thumbgate.ai</a></p></main><script>addEventListener('click',e=>{let a=e.target.closest('[data-i]');if(a&&navigator.sendBeacon)navigator.sendBeacon('/v1/telemetry/ping',new Blob([JSON.stringify({eventType:'checkout_interstitial_cta_clicked',clientType:'web',page:'/checkout/pro',ctaId:a.dataset.i,ctaPlacement:'checkout_interstitial'})],{type:'application/json'}))})</script></html>`;
 }
 function buildCheckoutBootstrapBody(parsed, req, journeyState = resolveJourneyState(req, parsed)) {
@@ -2467,10 +2498,19 @@ function renderRobotsTxt(runtimeConfig) {
   return [
     'User-agent: *',
     'Allow: /',
+    // 2026-05-12: every crawler GET on /checkout/pro creates a live Stripe
+    // session even when no human is on the other end. Stripe sees 50 sessions
+    // in 24h, 0 paid, 0 email captured. Disallow so non-human fetchers stop
+    // inflating the "checkout starts" metric and creating zombie sessions.
+    // Real humans still reach checkout via JS-driven clicks (not crawled).
+    'Disallow: /checkout/',
+    'Disallow: /v1/billing/',
     '',
     '# AI crawler access — allow all major LLM crawlers',
     'User-agent: GPTBot',
     'Allow: /',
+    'Disallow: /checkout/',
+    'Disallow: /v1/billing/',
     '',
     'User-agent: ClaudeBot',
     'Allow: /',
@@ -4352,6 +4392,28 @@ async function addContext(){
       return;
     }
+    if (isGetLikeRequest && (pathname === '/federal' || pathname === '/federal.html' || pathname === '/government' || pathname === '/gov')) {
+      // Federal lead-gen page. Routed through servePublicMarketingPage so agency
+      // arrivals via SBIR / GSA / outbound channels capture UTM attribution and
+      // landing_page_view telemetry for downstream pilot-pipeline analysis.
+      // /government and /gov redirect-friendly aliases serve the same page so
+      // common search queries land correctly.
+      try {
+        servePublicMarketingPage({
+          req,
+          res,
+          parsed,
+          hostedConfig,
+          isHeadRequest,
+          renderHtml: () => fs.readFileSync(FEDERAL_PAGE_PATH, 'utf-8'),
+          extraTelemetry: { pageType: 'federal' },
+        });
+      } catch {
+        sendJson(res, 404, { error: 'Federal page not found' });
+      }
+      return;
+    }
     if (isGetLikeRequest && pathname === '/learn/learn.css') {
       try {
         const cssPath = path.join(LEARN_DIR, 'learn.css');
@@ -4490,8 +4552,43 @@ async function addContext(){
       const isConfirmedCheckout = confirmParam === '1'
         || confirmParam === 'true'
         || req.method === 'POST';
-      if (!isConfirmedCheckout && botClassification.isBot) {
-        const eventType = 'checkout_bot_deflected';
+      // Plausible funnel event #1 of 3: page view. Fired before interstitial
+      // deflection so we get the full top-of-funnel count, with isBot as a
+      // prop so the dashboard can filter human vs. crawler traffic. Fire-and-forget.
+      recordCheckoutFunnelEvent('view', {
+        page: '/checkout/pro',
+        referrer: req.headers.referer || req.headers.referrer,
+        forwardedFor: req.headers['x-forwarded-for'],
+        remoteAddr: req.socket?.remoteAddress,
+        userAgent: req.headers['user-agent'],
+        props: {
+          traceId,
+          isBot: botClassification.isBot ? 'true' : 'false',
+          botReason: botClassification.isBot ? botClassification.reason : undefined,
+          isConfirmed: isConfirmedCheckout ? 'true' : 'false',
+          utmSource: analyticsMetadata.utmSource,
+          utmMedium: analyticsMetadata.utmMedium,
+          utmCampaign: analyticsMetadata.utmCampaign,
+          planId: analyticsMetadata.planId,
+        },
+      }).catch(() => {});
+      // Render the interstitial for ALL non-confirmed GETs (bot or human),
+      // not just bot traffic. Rationale: a raw GET on /checkout/pro currently
+      // 302s straight to a fresh Stripe `cs_live_*` session, regardless of
+      // whether the visitor is a search crawler, a link-preview fetcher, or
+      // a confused human who doesn't yet know what they're paying for.
+      // That created the 50-zombie-sessions / 0-paid pattern the CEO flagged
+      // 2026-05-13. Every visitor now sees the $19/mo confirmation page first
+      // and must click "Pay $19/mo with Stripe →" (which sets confirm=1) to
+      // trigger the Stripe-session creation + redirect. Counter-risk: one
+      // extra click on the human path. Mitigated because the interstitial
+      // also serves as a value-preview ("6 paying customers, MIT open source,
+      // cancel anytime"), which typically lifts conversion more than the
+      // click-friction costs.
+      if (!isConfirmedCheckout) {
+        const eventType = botClassification.isBot
+          ? 'checkout_bot_deflected'
+          : 'checkout_interstitial_view';
         appendBestEffortTelemetry(FEEDBACK_DIR, {
           eventType,
           clientType: 'web',
@@ -4510,6 +4607,7 @@ async function addContext(){
           ctaId: analyticsMetadata.ctaId,
           ctaPlacement: analyticsMetadata.ctaPlacement,
           planId: analyticsMetadata.planId,
+          isBot: botClassification.isBot ? 'true' : 'false',
           reason: botClassification.reason,
         }, req.headers, eventType);
         const workflowIntakeHref = buildCheckoutIntentHref(`${hostedConfig.appOrigin}/#workflow-sprint-intake`, analyticsMetadata, {
@@ -4630,6 +4728,26 @@ async function addContext(){
         referrer: analyticsMetadata.referrer,
         referrerHost: analyticsMetadata.referrerHost,
       }, req.headers, 'checkout_bootstrap');
+      // Plausible funnel event #2 of 3: email submitted (bootstrap fired with
+      // a valid email present — the user has supplied the Stripe-receipt
+      // address). Only fires when normalizedCheckoutEmail was non-empty.
+      if (normalizedCheckoutEmail) {
+        recordCheckoutFunnelEvent('emailSubmitted', {
+          page: '/checkout/pro',
+          referrer: req.headers.referer || req.headers.referrer,
+          forwardedFor: req.headers['x-forwarded-for'],
+          remoteAddr: req.socket?.remoteAddress,
+          userAgent: req.headers['user-agent'],
+          props: {
+            traceId,
+            utmSource: analyticsMetadata.utmSource,
+            utmMedium: analyticsMetadata.utmMedium,
+            utmCampaign: analyticsMetadata.utmCampaign,
+            planId: analyticsMetadata.planId,
+            billingCycle: analyticsMetadata.billingCycle,
+          },
+        }).catch(() => {});
+      }
       try {
         const result = await createCheckoutSession({
@@ -4649,6 +4767,56 @@ async function addContext(){
         });
         if (result.url) {
+          // Plausible funnel event #3 of 3: Stripe redirect started. Fires
+          // before the 302 so the event reaches Plausible even if the
+          // browser leaves the origin immediately. Fire-and-forget.
+          recordCheckoutFunnelEvent('stripeRedirect', {
+            page: '/checkout/pro',
+            referrer: req.headers.referer || req.headers.referrer,
+            forwardedFor: req.headers['x-forwarded-for'],
+            remoteAddr: req.socket?.remoteAddress,
+            userAgent: req.headers['user-agent'],
+            props: {
+              traceId,
+              stripeSessionId: result.sessionId,
+              utmSource: analyticsMetadata.utmSource,
+              utmMedium: analyticsMetadata.utmMedium,
+              utmCampaign: analyticsMetadata.utmCampaign,
+              planId: analyticsMetadata.planId,
+              billingCycle: analyticsMetadata.billingCycle,
+            },
+          }).catch(() => {});
+          appendBestEffortTelemetry(FEEDBACK_DIR, {
+            eventType: 'stripe_redirect_started',
+            clientType: 'web',
+            installId: bootstrapBody.installId,
+            acquisitionId: analyticsMetadata.acquisitionId,
+            visitorId: analyticsMetadata.visitorId,
+            sessionId: analyticsMetadata.sessionId,
+            traceId,
+            stripeSessionId: result.sessionId,
+            source: analyticsMetadata.source,
+            utmSource: analyticsMetadata.utmSource,
+            utmMedium: analyticsMetadata.utmMedium,
+            utmCampaign: analyticsMetadata.utmCampaign,
+            utmContent: analyticsMetadata.utmContent,
+            utmTerm: analyticsMetadata.utmTerm,
+            creator: analyticsMetadata.creator,
+            community: analyticsMetadata.community,
+            postId: analyticsMetadata.postId,
+            commentId: analyticsMetadata.commentId,
+            campaignVariant: analyticsMetadata.campaignVariant,
+            offerCode: analyticsMetadata.offerCode,
+            landingPath: analyticsMetadata.landingPath,
+            page: '/checkout/pro',
+            ctaId: analyticsMetadata.ctaId,
+            ctaPlacement: analyticsMetadata.ctaPlacement,
+            planId: analyticsMetadata.planId,
+            billingCycle: analyticsMetadata.billingCycle,
+            seatCount: analyticsMetadata.seatCount,
+            referrer: analyticsMetadata.referrer,
+            referrerHost: analyticsMetadata.referrerHost,
+          }, req.headers, 'stripe_redirect_started');
           res.writeHead(302, {
             ...responseHeaders,
             Location: result.url,
@@ -4884,11 +5052,49 @@ async function addContext(){
     }
     if (isGetLikeRequest && pathname === '/health') {
-      sendJson(res, 200, {
-        status: 'ok',
+      // History (2026-05-12): /health used to return status: 'ok' unconditionally
+      // with zero downstream checks. Uptime monitors saw "healthy" when Stripe
+      // was down, when feedback-dir was unwritable, when env was misconfigured.
+      // The fix is shallow but meaningful: probe each critical subsystem and
+      // surface failures with HTTP 503 + a per-check breakdown.
+      const checks = {};
+      let allOk = true;
+      // Check 1: feedback dir exists and is writable.
+      try {
+        const { FEEDBACK_DIR } = getFeedbackPaths();
+        fs.accessSync(FEEDBACK_DIR, fs.constants.W_OK);
+        checks.feedbackDir = { ok: true };
+      } catch (err) {
+        checks.feedbackDir = { ok: false, error: err?.code || 'inaccessible' };
+        allOk = false;
+      }
+      // Check 2: hosted config resolves the canonical app origin.
+      // If appOrigin is missing/empty, redirects + checkout flow break silently.
+      if (hostedConfig?.appOrigin) {
+        checks.hostedConfig = { ok: true };
+      } else {
+        checks.hostedConfig = { ok: false, error: 'missing_appOrigin' };
+        allOk = false;
+      }
+      // Check 3: build metadata loaded. If BUILD_METADATA.buildSha is empty,
+      // Railway didn't inject the deploy SHA — observability is degraded.
+      if (BUILD_METADATA?.buildSha) {
+        checks.buildMetadata = { ok: true };
+      } else {
+        checks.buildMetadata = { ok: false, error: 'missing_buildSha' };
+        allOk = false;
+      }
+      const statusCode = allOk ? 200 : 503;
+      sendJson(res, statusCode, {
+        status: allOk ? 'ok' : 'degraded',
         version: pkg.version,
         buildSha: BUILD_METADATA.buildSha,
         uptime: process.uptime(),
+        checks,
         deployment: {
           appOrigin: hostedConfig.appOrigin,
           billingApiBaseUrl: hostedConfig.billingApiBaseUrl,
@@ -4900,11 +5106,26 @@ async function addContext(){
     }
     if (isGetLikeRequest && pathname === '/healthz') {
+      // /healthz is the deeper internal probe — verifies feedback log + memory log
+      // paths exist and are writable. Returns 503 when either check fails.
       const { FEEDBACK_LOG_PATH, MEMORY_LOG_PATH } = requestFeedbackPaths;
-      sendJson(res, 200, {
-        status: 'ok',
+      const checks = {};
+      let allOk = true;
+      for (const [label, p] of [['feedbackLog', FEEDBACK_LOG_PATH], ['memoryLog', MEMORY_LOG_PATH]]) {
+        try {
+          const dir = path.dirname(p);
+          fs.accessSync(dir, fs.constants.W_OK);
+          checks[label] = { ok: true };
+        } catch (err) {
+          checks[label] = { ok: false, error: err?.code || 'inaccessible' };
+          allOk = false;
+        }
+      }
+      sendJson(res, allOk ? 200 : 503, {
+        status: allOk ? 'ok' : 'degraded',
         feedbackLogPath: FEEDBACK_LOG_PATH,
         memoryLogPath: MEMORY_LOG_PATH,
+        checks,
       }, {}, {
         headOnly: isHeadRequest,
       });
@@ -5027,6 +5248,114 @@ async function addContext(){
       return;
     }
+    // GET /v1/telemetry/export — raw recent telemetry-pings + funnel-events
+    // for the unified-revenue-rollup join. Operator-key gated because the raw
+    // event stream may include user-agent strings and other low-PII data
+    // that we never expose unauthenticated. Returns a bounded window
+    // (default last 24h, capped at 10000 rows per stream) so a misbehaving
+    // caller cannot pull the entire local ledger.
+    if (req.method === 'GET' && pathname === '/v1/telemetry/export') {
+      // Strict auth: raw telemetry export exposes user-agent strings and
+      // first-party event payloads. Unlike /v1/billing/summary (which
+      // returns aggregates only), this endpoint must NEVER fall through
+      // to unauthenticated access when both keys happen to be unset —
+      // that would silently turn an unconfigured dev/preview server into
+      // a public ledger reader. Require BOTH a configured key on the
+      // server AND a token on the request that matches one of them.
+      const requestToken = extractApiKey(req);
+      const adminMatches = !!expectedApiKey && requestToken === expectedApiKey;
+      const operatorMatches = !!expectedOperatorKey && requestToken === expectedOperatorKey;
+      const anyKeyConfigured = !!expectedApiKey || !!expectedOperatorKey;
+      if (!anyKeyConfigured) {
+        sendJson(res, 503, {
+          error: 'Telemetry export disabled — neither THUMBGATE_API_KEY nor THUMBGATE_OPERATOR_KEY is configured on this server',
+        });
+        return;
+      }
+      if (!adminMatches && !operatorMatches) {
+        sendJson(res, 401, { error: 'Unauthorized — operator or admin key required' });
+        return;
+      }
+      // Reuse the already-parsed URL object from line ~3654 instead of
+      // re-requiring the legacy 'url' module.
+      const params = parsed.searchParams;
+      const sinceRaw = String(params.get('since') || '').trim();
+      const sinceMs = sinceRaw
+        ? Date.parse(sinceRaw)
+        : Date.now() - 24 * 60 * 60 * 1000;
+      const since = Number.isFinite(sinceMs) ? sinceMs : Date.now() - 24 * 60 * 60 * 1000;
+      const limitRaw = Number(params.get('limit'));
+      const limit = Number.isFinite(limitRaw) && limitRaw > 0
+        ? Math.min(Math.floor(limitRaw), 10000)
+        : 1000;
+      const sourceRaw = String(params.get('source') || '');
+      const source = ['telemetry', 'funnel', 'both'].includes(sourceRaw) ? sourceRaw : 'both';
+      const { FEEDBACK_DIR: exportDir } = getFeedbackPaths();
+      const wantTelemetry = source === 'telemetry' || source === 'both';
+      const wantFunnel = source === 'funnel' || source === 'both';
+      const result = {
+        generatedAt: new Date().toISOString(),
+        since: new Date(since).toISOString(),
+        limit,
+        source,
+        telemetry: { rows: [], truncated: false, totalAfterSince: 0 },
+        funnel: { rows: [], truncated: false, totalAfterSince: 0 },
+      };
+      function readJsonlSince(p) {
+        try {
+          if (!fs.existsSync(p)) return [];
+          const text = fs.readFileSync(p, 'utf8');
+          const rows = [];
+          for (const line of text.split('\n')) {
+            if (!line) continue;
+            let obj;
+            try { obj = JSON.parse(line); } catch { continue; }
+            const ts = obj.timestamp || obj.receivedAt || obj.ts || null;
+            const parsed = ts ? Date.parse(ts) : NaN;
+            if (Number.isFinite(parsed) && parsed >= since) {
+              rows.push(obj);
+            }
+          }
+          return rows;
+        } catch { return []; }
+      }
+      if (wantTelemetry) {
+        const tp = path.join(exportDir, 'telemetry-pings.jsonl');
+        const all = readJsonlSince(tp);
+        result.telemetry.totalAfterSince = all.length;
+        result.telemetry.rows = all.slice(-limit);
+        result.telemetry.truncated = all.length > limit;
+      }
+      if (wantFunnel) {
+        // Use the canonical funnel ledger path from scripts/billing.js so
+        // any test override (THUMBGATE_FUNNEL_LEDGER_PATH / _TEST_FUNNEL_LEDGER_PATH)
+        // resolves correctly. Falls back to the feedback dir's funnel-events.jsonl.
+        let funnelPath;
+        try {
+          const billing = require('../../scripts/billing');
+          funnelPath = (billing._FUNNEL_LEDGER_PATH && billing._FUNNEL_LEDGER_PATH())
+            || path.join(exportDir, 'funnel-events.jsonl');
+        } catch {
+          funnelPath = path.join(exportDir, 'funnel-events.jsonl');
+        }
+        const all = readJsonlSince(funnelPath);
+        result.funnel.totalAfterSince = all.length;
+        result.funnel.rows = all.slice(-limit);
+        result.funnel.truncated = all.length > limit;
+      }
+      sendJson(res, 200, result);
+      return;
+    }
     if (req.method === 'OPTIONS' && pathname === '/v1/intake/workflow-sprint') {
       sendPublicBillingPreflight(res);
       return;
@@ -5219,6 +5548,222 @@ async function addContext(){
       return;
     }
+    // Public terms of service — required by Stripe / Stripe Checkout for the
+    // "Terms of service URL" field in Business → Public details. Mirrors the
+    // /privacy + /support pages: thin HTML, no external deps, no DB hit.
+    if (isGetLikeRequest && pathname === '/terms') {
+      sendHtml(res, 200, `<!DOCTYPE html><html><head><title>Terms of Service — ThumbGate</title></head><body>
+<h1>Terms of Service</h1>
+<p><strong>ThumbGate</strong> (npm: thumbgate)</p>
+<p>Last updated: 2026-05-12</p>
+<h2>The Service</h2>
+<p>ThumbGate provides pre-action gates for AI coding agents: a local CLI (MIT-licensed) and an optional hosted tier at thumbgate-production.up.railway.app. By installing the CLI or paying for a subscription, you agree to these terms.</p>
+<h2>Payment</h2>
+<p>Paid tiers are billed through Stripe. Subscriptions auto-renew until cancelled. One-off purchases (Sprint Diagnostic, Workflow Sprint, Quick Read, Workflow Teardown, First Failure Rule) are charged once.</p>
+<h2>Refunds</h2>
+<p>Pro and Team subscriptions: cancel anytime; we issue a full refund within 7 days of the first charge, prorated thereafter. One-off purchases: refund on request if we cannot deliver the scoped artifact.</p>
+<h2>Acceptable Use</h2>
+<p>You may not use ThumbGate to (a) circumvent the safety controls of other AI providers, (b) generate malware or content that violates third-party terms, or (c) resell the hosted tier without written permission.</p>
+<h2>Disclaimer of Warranty</h2>
+<p>The service is provided "as is", without warranty of any kind. ThumbGate is a guard rail, not a guarantee. We do not warrant that every AI-agent mistake will be prevented.</p>
+<h2>Limitation of Liability</h2>
+<p>Total liability for any claim is limited to the amount you paid in the 12 months preceding the claim.</p>
+<h2>Governing Law</h2>
+<p>These terms are governed by the laws of the State of New York, United States.</p>
+<h2>Changes</h2>
+<p>We may update these terms; material changes will be announced via the email on file at least 14 days before they take effect.</p>
+<h2>Contact</h2><p>igor.ganapolsky@gmail.com</p>
+<p><a href="https://github.com/IgorGanapolsky/ThumbGate">GitHub</a> · <a href="/privacy">Privacy</a> · <a href="/support">Support</a></p>
+</body></html>`, {}, {
+        headOnly: isHeadRequest,
+      });
+      return;
+    }
+    // Public case studies — proof surface for buyers. Conversion-optimization
+    // surface that was missing: thumbgate.ai had no /case-studies, so visitors
+    // landed on CLI install commands without seeing whether anyone actually
+    // got value. First entry is the Aiventyx Teams listing integration: real
+    // third-party CTR signal (5/8 clicks before the /go/teams fix, end-to-end
+    // verified after).
+    if (isGetLikeRequest && pathname === '/case-studies') {
+      sendHtml(res, 200, `<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>Case Studies — ThumbGate</title><meta name="description" content="Real integrations of ThumbGate's pre-action checks for AI coding agents. Proof, not promises."><style>body{font-family:system-ui,-apple-system,sans-serif;max-width:780px;margin:0 auto;padding:32px 20px;line-height:1.55;color:#1f2937}h1{font-size:32px;margin:0 0 8px}.lede{color:#6b7280;font-size:18px;margin:0 0 32px}article{border:1px solid #e5e7eb;border-radius:12px;padding:24px;margin-bottom:24px;background:#fff}article h2{margin:0 0 4px;font-size:22px}.meta{color:#6b7280;font-size:13px;margin-bottom:16px}h3{font-size:15px;margin:20px 0 8px;color:#374151;text-transform:uppercase;letter-spacing:0.5px}.metric{display:inline-block;background:#0f172a;color:#fff;padding:4px 10px;border-radius:6px;font-weight:600;font-size:14px;margin:0 4px 4px 0}p{margin:8px 0}a{color:#0066cc}code{background:#f3f4f6;padding:1px 6px;border-radius:4px;font-size:13.5px}footer{margin-top:48px;padding-top:24px;border-top:1px solid #e5e7eb;color:#6b7280;font-size:14px}</style></head><body>
+<h1>Case Studies</h1>
+<p class="lede">Real integrations. No fabricated logos, no aspirational numbers — every claim below is reproducible.</p>
+<article>
+<h2>Aiventyx marketplace — Teams listing CTR recovery</h2>
+<p class="meta">Integration partner: <a href="https://www.aiventyx.com">Aiventyx</a> · Reported by: Qaiser Mehdi · Verified: 2026-05-13</p>
+<h3>The problem</h3>
+<p>Aiventyx is a marketplace for AI tools. ThumbGate's Teams listing was their highest-CTR external surface — <span class="metric">62% CTR</span> (5 clicks on 8 views, May 7–9 window). When their integrator rolled out canonical tracked URLs, every Teams click started landing on:</p>
+<p><code>{"error":"Tracked link not found","allowed":["gpt","pro","install","reddit","linkedin","x","github"]}</code></p>
+<p>The <code>/go/teams</code> slug wasn't registered in our redirector — a 404 was eating every paid-intent click from their strongest external surface.</p>
+<h3>The fix</h3>
+<p>Added <code>teams</code> to <code>TRACKED_LINK_TARGETS</code>: HTTP 302 redirect to <code>/checkout/pro?plan_id=team&seat_count=3&billing_cycle=monthly</code> — the 3-seat $147/mo self-serve Stripe Team checkout. Caller-supplied UTMs flow through to Stripe metadata end-to-end.</p>
+<h3>The verification</h3>
+<p>Qaiser's own incognito test, May 13 6:04 AM (full email on record):</p>
+<p><code>https://thumbgate.ai/go/teams?utm_source=aiventyx</code><br>
+→ 302 to Stripe checkout<br>
+→ "Subscribe to ThumbGate Team" page loads<br>
+→ $147/mo, 3-seat Team plan confirmed<br>
+→ Aiventyx UTMs intact in URL</p>
+<h3>What this proves</h3>
+<p>End-to-end attribution from a third-party marketplace through ThumbGate's redirector into Stripe checkout, with the caller's UTM chain preserved. Two regression tests pin the redirect contract so it can't silently break.</p>
+<p><a href="/go/teams?utm_source=case-study">Try the live redirect →</a></p>
+</article>
+<footer>
+<p>Want to be the next case study? The product is real, the integration is 30 seconds: <code>npx thumbgate init</code>. If you ship something with ThumbGate and want it documented here, email <a href="mailto:igor.ganapolsky@gmail.com">igor.ganapolsky@gmail.com</a>.</p>
+<p><a href="https://thumbgate.ai">Home</a> · <a href="/pricing">Pricing</a> · <a href="/privacy">Privacy</a> · <a href="/terms">Terms</a> · <a href="/support">Support</a></p>
+</footer>
+</body></html>`, {}, {
+        headOnly: isHeadRequest,
+      });
+      return;
+    }
+        // Public canonical pricing page. The audit flagged "pricing schizophrenia":
+    // sales/pricing.json said $49 / $299, COMMERCIAL_TRUTH.md said $19 / $149,
+    // and there was no buyer-facing surface to reconcile the two. This is now
+    // the single source of truth for what ThumbGate sells, in priority order:
+    // Sprint (proof-pack, sales-led) → Pro (self-serve recurring) → Team
+    // (after qualification). Every paid CTA across the site should funnel
+    // here OR directly into Stripe checkout — never a different price.
+    if (isGetLikeRequest && pathname === '/pricing') {
+      sendHtml(res, 200, `<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>Pricing — ThumbGate</title><meta name="description" content="ThumbGate pricing: free CLI, $19/mo Pro, $49/seat Team, $499 Sprint Diagnostic, $1500 full Workflow Hardening Sprint. Single source of truth across the site."><style>body{font-family:system-ui,-apple-system,sans-serif;max-width:980px;margin:0 auto;padding:32px 20px;line-height:1.55;color:#1f2937}h1{font-size:36px;margin:0 0 8px;text-align:center}.lede{color:#6b7280;font-size:18px;margin:0 0 32px;text-align:center}.grid{display:grid;grid-template-columns:1fr;gap:20px;margin-bottom:24px}@media(min-width:720px){.grid{grid-template-columns:repeat(2,1fr)}.hero{grid-column:1/-1}}.card{border:1px solid #e5e7eb;border-radius:12px;padding:24px;background:#fff;display:flex;flex-direction:column}.hero{border:2px solid #0f172a;background:linear-gradient(135deg,#fef3c7,#fff)}.tag{display:inline-block;background:#0f172a;color:#fff;padding:3px 10px;border-radius:6px;font-size:12px;font-weight:600;letter-spacing:0.5px;margin-bottom:12px}.tag-free{background:#10b981}.tag-pro{background:#3b82f6}.tag-team{background:#8b5cf6}.tag-diag{background:#0f172a}.tag-sprint{background:#b91c1c}h2{margin:0 0 4px;font-size:22px}.price{font-size:30px;font-weight:700;margin:8px 0 12px}.price small{font-size:14px;color:#6b7280;font-weight:400}.tagline{color:#374151;margin:0 0 16px;font-size:15px}ul{margin:0 0 20px;padding-left:18px}li{margin:6px 0;font-size:14px}.cta{display:inline-block;background:#0f172a;color:#fff;padding:12px 24px;border-radius:8px;font-weight:600;text-decoration:none;text-align:center;margin-top:auto}.cta-secondary{background:#fff;color:#0f172a;border:1px solid #0f172a}.cta-free{background:#10b981}.micro{border-top:1px solid #e5e7eb;padding-top:24px;margin-top:16px}.micro-grid{display:grid;grid-template-columns:repeat(auto-fit,minmax(180px,1fr));gap:12px;margin:16px 0}.micro-card{border:1px solid #e5e7eb;border-radius:8px;padding:14px;text-align:center;background:#fafafa}.micro-card .mp{font-size:20px;font-weight:700;color:#0f172a}.micro-card .ml{font-size:13px;color:#6b7280;margin:4px 0 8px}.micro-card a{color:#0066cc;font-size:13px;text-decoration:none}footer{margin-top:32px;padding-top:24px;border-top:1px solid #e5e7eb;color:#6b7280;font-size:14px;text-align:center}footer a{color:#0066cc}</style></head><body>
+<h1>Pricing</h1>
+<p class="lede">Six paths to ThumbGate. Pick by what you need: an install, a subscription, a team rollout, or a stakeholder-visible artifact.</p>
+<div class="grid">
+<div class="card hero">
+<span class="tag tag-sprint">Sprint — Full engagement</span>
+<h2>Workflow Hardening Sprint</h2>
+<div class="price">$1,500 <small>· one-time</small></div>
+<p class="tagline">The full hardening engagement for a single AI-agent workflow. Built on top of the Sprint Diagnostic — we apply the diagnostic findings into a shipped Pre-Action Check pack, deploy hooks into your repo, and run the rollout review. Two weeks calendar-time, single fixed price.</p>
+<ul>
+<li>Diagnostic + applied rules + deployed PreToolUse hooks</li>
+<li>Best path if you need the workflow actually fixed, not just diagnosed</li>
+<li>Refund if we can't extract or apply a rule</li>
+</ul>
+<a class="cta" href="mailto:igor.ganapolsky@gmail.com?subject=ThumbGate%20Workflow%20Hardening%20Sprint%20-%20Intake&body=Stack%20(Claude%20Code%2FCursor%2Fother)%3A%0AOne%20repeated%20agent%20failure%20you%20want%20to%20kill%3A%0ATimeline%3A%0A">Email to start the full sprint →</a>
+</div>
+<div class="card">
+<span class="tag tag-diag">Diagnostic — Proof first</span>
+<h2>Sprint Diagnostic</h2>
+<div class="price">$499 <small>· one-time</small></div>
+<p class="tagline">Two-day diagnostic on one workflow. Top-5 prevention rules ranked by impact, scoped Pre-Action Check pack delivered as a PR, 60-minute findings review. The lightweight on-ramp to the full sprint.</p>
+<ul>
+<li>Best if you need a stakeholder-visible artifact (PR, doc, briefing)</li>
+<li>Two days fixed scope — no scope creep</li>
+<li>Refund if we can't extract a rule from your failure trace</li>
+</ul>
+<a class="cta" href="https://buy.stripe.com/28E00j3Uge1E2dzgWL3sI2J">Pay $499 diagnostic →</a>
+</div>
+<div class="card">
+<span class="tag tag-free">Free — Forever</span>
+<h2>ThumbGate CLI</h2>
+<div class="price">$0</div>
+<p class="tagline">MIT-licensed CLI + local PreToolUse hook. Unlimited captures, 5 active prevention rules, local lesson DB. Works with Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode.</p>
+<ul>
+<li>30-second install: <code>npx thumbgate init</code></li>
+<li>No account, no signup, no data leaves your machine</li>
+<li>Hit 5 active rules → upgrade to Pro for unlimited</li>
+</ul>
+<a class="cta cta-free" href="/go/install?utm_source=pricing">Install free CLI →</a>
+</div>
+<div class="card">
+<span class="tag tag-pro">Pro — Self-serve recurring</span>
+<h2>ThumbGate Pro</h2>
+<div class="price">$19 <small>/ month</small> · $149 / year</div>
+<p class="tagline">For developers running multiple AI agents who hit the 5-rule wall. Unlimited prevention rules, local dashboard, DPO export for offline preference fine-tuning, lesson search across sessions.</p>
+<ul>
+<li>Unlimited active prevention rules</li>
+<li>Local dashboard + lesson recall</li>
+<li>7-day refund window. Cancel anytime.</li>
+</ul>
+<a class="cta cta-secondary" href="/go/pro?utm_source=pricing">Start Pro →</a>
+</div>
+<div class="card">
+<span class="tag tag-team">Team — After qualification</span>
+<h2>ThumbGate Team</h2>
+<div class="price">$49 <small>/ seat / month</small> · 3-seat min ($147/mo)</div>
+<p class="tagline">For engineering teams with shared AI-agent workflows. Shared lesson DB so one engineer's save protects the whole team, org-level policy rollout, audit-ready evidence.</p>
+<ul>
+<li>Shared prevention-rule policy across seats</li>
+<li>Self-serve checkout — no sales call required</li>
+<li>Most teams start with a Sprint first, then scale to seats</li>
+</ul>
+<a class="cta cta-secondary" href="/go/teams?utm_source=pricing">Start Team →</a>
+</div>
+</div>
+<div class="micro">
+<h2 style="text-align:center;font-size:20px;margin:0 0 4px;">Micro-purchases — pay for one piece</h2>
+<p style="text-align:center;color:#6b7280;font-size:14px;margin:0 0 8px;">For evaluators who want to validate one specific surface before subscribing.</p>
+<div class="micro-grid">
+<div class="micro-card">
+<div class="mp">$1</div>
+<div class="ml">First Failure Rule</div>
+<a href="https://buy.stripe.com/fZu28rfCY6zcbO99uj3sI2G">Pay $1 →</a>
+</div>
+<div class="micro-card">
+<div class="mp">$19</div>
+<div class="ml">AI Agent Failure Quick Read</div>
+<a href="https://buy.stripe.com/5kQ7sL76s1eSaK55e33sI2H">Pay $19 →</a>
+</div>
+<div class="micro-card">
+<div class="mp">$99</div>
+<div class="ml">Workflow Teardown</div>
+<a href="https://buy.stripe.com/8x214n2Qc4r44lHayn3sI2I">Pay $99 →</a>
+</div>
+</div>
+</div>
+<footer>
+<p>One source of truth for ThumbGate pricing. Numbers here override anything stale elsewhere on the site.</p>
+<p><a href="/">Home</a> · <a href="/case-studies">Case Studies</a> · <a href="/support">Support</a> · <a href="/privacy">Privacy</a> · <a href="/terms">Terms</a></p>
+</footer>
+</body></html>`, {}, {
+        headOnly: isHeadRequest,
+      });
+      return;
+    }
+    // Public support / contact page — required for Stripe Business → Public
+    // details "Customer support URL" field. Single source of truth for how
+    // customers reach us (email, GitHub issues, status page).
+    if (isGetLikeRequest && pathname === '/support') {
+      sendHtml(res, 200, `<!DOCTYPE html><html><head><title>Support — ThumbGate</title></head><body>
+<h1>Support</h1>
+<p><strong>ThumbGate</strong> support, billing, and contact paths.</p>
+<h2>Email</h2>
+<p>For billing questions, refunds, subscription changes, or technical issues with the hosted tier: <a href="mailto:igor.ganapolsky@gmail.com">igor.ganapolsky@gmail.com</a>. We reply within one business day.</p>
+<h2>GitHub Issues</h2>
+<p>For bugs, CLI questions, and feature requests in the open-source CLI: <a href="https://github.com/IgorGanapolsky/ThumbGate/issues">github.com/IgorGanapolsky/ThumbGate/issues</a>.</p>
+<h2>Status</h2>
+<p>Hosted-tier status: check <a href="https://thumbgate-production.up.railway.app/health">/health</a> for current health. Railway-hosted; rebuilds take 2-5 minutes.</p>
+<h2>Refunds</h2>
+<p>Pro / Team subscriptions: 7-day full refund window from first charge. One-off purchases: refund on request if we cannot deliver. Email the address above.</p>
+<h2>Security</h2>
+<p>Disclose vulnerabilities by email; please do not post to public GitHub issues. We acknowledge within 48 hours.</p>
+<p><a href="https://github.com/IgorGanapolsky/ThumbGate">GitHub</a> · <a href="/privacy">Privacy</a> · <a href="/terms">Terms</a></p>
+</body></html>`, {}, {
+        headOnly: isHeadRequest,
+      });
+      return;
+    }
     // Public privacy policy — required for GPT Store and marketplace listings
     if (isGetLikeRequest && pathname === '/privacy') {
       sendHtml(res, 200, `<!DOCTYPE html><html><head><title>Privacy Policy — ThumbGate</title></head><body>