thumbgate 1.18.0 → 1.19.0

package/src/api/server.js

@@ -13,11 +13,17 @@ const {
 const POSTHOG_API_PATHS = new Set(['/capture', '/batch', '/decide', '/e', '/engage']);
 const POSTHOG_INGEST_HOST = 'us.i.posthog.com';
 const POSTHOG_STATIC_PATH_PREFIX = '/static/';
-const FIRST_FAILURE_RULE_CHECKOUT_URL = 'https://buy.stripe.com/4gM6oHgH2bTw4lH6i73sI0z';
-const QUICK_READ_CHECKOUT_URL = 'https://buy.stripe.com/aFa8wPgH29Lo4lH35V3sI0w';
-const WORKFLOW_TEARDOWN_CHECKOUT_URL = 'https://buy.stripe.com/7sYfZhgH29LodWhdKz3sI0v';
-const SPRINT_DIAGNOSTIC_CHECKOUT_URL = 'https://buy.stripe.com/3cI7sLgH25v8dWh5e33sI0o';
-const WORKFLOW_SPRINT_CHECKOUT_URL = 'https://buy.stripe.com/8x25kDcqMaPs9G15e33sI0p';
+// Payment Links generated by scripts/stripe-bootstrap-saas-catalog.js
+// (2026-05-14 dispatch run 25883541719). These are tied to the
+// ThumbGate-branded persistent products (metadata.thumbgate_tier=*) in the
+// Stripe catalog, with the per-tier thumbnails wired in. Re-run the
+// bootstrap workflow to regenerate; the new URLs surface in the workflow
+// summary log.
+const FIRST_FAILURE_RULE_CHECKOUT_URL = 'https://buy.stripe.com/fZu28rfCY6zcbO99uj3sI2G';
+const QUICK_READ_CHECKOUT_URL = 'https://buy.stripe.com/5kQ7sL76s1eSaK55e33sI2H';
+const WORKFLOW_TEARDOWN_CHECKOUT_URL = 'https://buy.stripe.com/8x214n2Qc4r44lHayn3sI2I';
+const SPRINT_DIAGNOSTIC_CHECKOUT_URL = 'https://buy.stripe.com/28E00j3Uge1E2dzgWL3sI2J';
+const WORKFLOW_SPRINT_CHECKOUT_URL = 'https://buy.stripe.com/6oU00j8aw2iWdWh9uj3sI2K';
 
 function getPosthogProxyPath(pathname) {
   return pathname.slice('/ingest'.length) || '/';
@@ -87,6 +93,9 @@ const {
 const {
   classifyRequester,
 } = require('../../scripts/bot-detection');
+const {
+  recordCheckoutFunnelEvent,
+} = require('../../scripts/plausible-server-events');
 const {
   buildCloudflareSandboxPlan,
 } = require('../../scripts/cloudflare-dynamic-sandbox');
@@ -209,6 +218,7 @@ const CODEX_PLUGIN_PAGE_PATH = path.resolve(__dirname, '../../public/codex-plugi
 const COMPARE_PAGE_PATH = path.resolve(__dirname, '../../public/compare.html');
 const LEARN_PAGE_PATH = path.resolve(__dirname, '../../public/learn.html');
 const NUMBERS_PAGE_PATH = path.resolve(__dirname, '../../public/numbers.html');
+const FEDERAL_PAGE_PATH = path.resolve(__dirname, '../../public/federal.html');
 const LEARN_DIR = path.resolve(__dirname, '../../public/learn');
 const GUIDES_DIR = path.resolve(__dirname, '../../public/guides');
 const COMPARE_DIR = path.resolve(__dirname, '../../public/compare');
@@ -2488,10 +2498,19 @@ function renderRobotsTxt(runtimeConfig) {
   return [
     'User-agent: *',
     'Allow: /',
+    // 2026-05-12: every crawler GET on /checkout/pro creates a live Stripe
+    // session even when no human is on the other end. Stripe sees 50 sessions
+    // in 24h, 0 paid, 0 email captured. Disallow so non-human fetchers stop
+    // inflating the "checkout starts" metric and creating zombie sessions.
+    // Real humans still reach checkout via JS-driven clicks (not crawled).
+    'Disallow: /checkout/',
+    'Disallow: /v1/billing/',
     '',
     '# AI crawler access — allow all major LLM crawlers',
     'User-agent: GPTBot',
     'Allow: /',
+    'Disallow: /checkout/',
+    'Disallow: /v1/billing/',
     '',
     'User-agent: ClaudeBot',
     'Allow: /',
@@ -4373,6 +4392,28 @@ async function addContext(){
       return;
     }
 
+    if (isGetLikeRequest && (pathname === '/federal' || pathname === '/federal.html' || pathname === '/government' || pathname === '/gov')) {
+      // Federal lead-gen page. Routed through servePublicMarketingPage so agency
+      // arrivals via SBIR / GSA / outbound channels capture UTM attribution and
+      // landing_page_view telemetry for downstream pilot-pipeline analysis.
+      // /government and /gov redirect-friendly aliases serve the same page so
+      // common search queries land correctly.
+      try {
+        servePublicMarketingPage({
+          req,
+          res,
+          parsed,
+          hostedConfig,
+          isHeadRequest,
+          renderHtml: () => fs.readFileSync(FEDERAL_PAGE_PATH, 'utf-8'),
+          extraTelemetry: { pageType: 'federal' },
+        });
+      } catch {
+        sendJson(res, 404, { error: 'Federal page not found' });
+      }
+      return;
+    }
+
     if (isGetLikeRequest && pathname === '/learn/learn.css') {
       try {
         const cssPath = path.join(LEARN_DIR, 'learn.css');
@@ -4511,8 +4552,43 @@ async function addContext(){
       const isConfirmedCheckout = confirmParam === '1'
         || confirmParam === 'true'
         || req.method === 'POST';
-      if (!isConfirmedCheckout && botClassification.isBot) {
-        const eventType = 'checkout_bot_deflected';
+      // Plausible funnel event #1 of 3: page view. Fired before interstitial
+      // deflection so we get the full top-of-funnel count, with isBot as a
+      // prop so the dashboard can filter human vs. crawler traffic. Fire-and-forget.
+      recordCheckoutFunnelEvent('view', {
+        page: '/checkout/pro',
+        referrer: req.headers.referer || req.headers.referrer,
+        forwardedFor: req.headers['x-forwarded-for'],
+        remoteAddr: req.socket?.remoteAddress,
+        userAgent: req.headers['user-agent'],
+        props: {
+          traceId,
+          isBot: botClassification.isBot ? 'true' : 'false',
+          botReason: botClassification.isBot ? botClassification.reason : undefined,
+          isConfirmed: isConfirmedCheckout ? 'true' : 'false',
+          utmSource: analyticsMetadata.utmSource,
+          utmMedium: analyticsMetadata.utmMedium,
+          utmCampaign: analyticsMetadata.utmCampaign,
+          planId: analyticsMetadata.planId,
+        },
+      }).catch(() => {});
+      // Render the interstitial for ALL non-confirmed GETs (bot or human),
+      // not just bot traffic. Rationale: a raw GET on /checkout/pro currently
+      // 302s straight to a fresh Stripe `cs_live_*` session, regardless of
+      // whether the visitor is a search crawler, a link-preview fetcher, or
+      // a confused human who doesn't yet know what they're paying for.
+      // That created the 50-zombie-sessions / 0-paid pattern the CEO flagged
+      // 2026-05-13. Every visitor now sees the $19/mo confirmation page first
+      // and must click "Pay $19/mo with Stripe →" (which sets confirm=1) to
+      // trigger the Stripe-session creation + redirect. Counter-risk: one
+      // extra click on the human path. Mitigated because the interstitial
+      // also serves as a value-preview ("6 paying customers, MIT open source,
+      // cancel anytime"), which typically lifts conversion more than the
+      // click-friction costs.
+      if (!isConfirmedCheckout) {
+        const eventType = botClassification.isBot
+          ? 'checkout_bot_deflected'
+          : 'checkout_interstitial_view';
         appendBestEffortTelemetry(FEEDBACK_DIR, {
           eventType,
           clientType: 'web',
@@ -4531,6 +4607,7 @@ async function addContext(){
           ctaId: analyticsMetadata.ctaId,
           ctaPlacement: analyticsMetadata.ctaPlacement,
           planId: analyticsMetadata.planId,
+          isBot: botClassification.isBot ? 'true' : 'false',
           reason: botClassification.reason,
         }, req.headers, eventType);
         const workflowIntakeHref = buildCheckoutIntentHref(`${hostedConfig.appOrigin}/#workflow-sprint-intake`, analyticsMetadata, {
@@ -4651,6 +4728,26 @@ async function addContext(){
         referrer: analyticsMetadata.referrer,
         referrerHost: analyticsMetadata.referrerHost,
       }, req.headers, 'checkout_bootstrap');
+      // Plausible funnel event #2 of 3: email submitted (bootstrap fired with
+      // a valid email present — the user has supplied the Stripe-receipt
+      // address). Only fires when normalizedCheckoutEmail was non-empty.
+      if (normalizedCheckoutEmail) {
+        recordCheckoutFunnelEvent('emailSubmitted', {
+          page: '/checkout/pro',
+          referrer: req.headers.referer || req.headers.referrer,
+          forwardedFor: req.headers['x-forwarded-for'],
+          remoteAddr: req.socket?.remoteAddress,
+          userAgent: req.headers['user-agent'],
+          props: {
+            traceId,
+            utmSource: analyticsMetadata.utmSource,
+            utmMedium: analyticsMetadata.utmMedium,
+            utmCampaign: analyticsMetadata.utmCampaign,
+            planId: analyticsMetadata.planId,
+            billingCycle: analyticsMetadata.billingCycle,
+          },
+        }).catch(() => {});
+      }
 
       try {
         const result = await createCheckoutSession({
@@ -4670,6 +4767,56 @@ async function addContext(){
         });
 
         if (result.url) {
+          // Plausible funnel event #3 of 3: Stripe redirect started. Fires
+          // before the 302 so the event reaches Plausible even if the
+          // browser leaves the origin immediately. Fire-and-forget.
+          recordCheckoutFunnelEvent('stripeRedirect', {
+            page: '/checkout/pro',
+            referrer: req.headers.referer || req.headers.referrer,
+            forwardedFor: req.headers['x-forwarded-for'],
+            remoteAddr: req.socket?.remoteAddress,
+            userAgent: req.headers['user-agent'],
+            props: {
+              traceId,
+              stripeSessionId: result.sessionId,
+              utmSource: analyticsMetadata.utmSource,
+              utmMedium: analyticsMetadata.utmMedium,
+              utmCampaign: analyticsMetadata.utmCampaign,
+              planId: analyticsMetadata.planId,
+              billingCycle: analyticsMetadata.billingCycle,
+            },
+          }).catch(() => {});
+          appendBestEffortTelemetry(FEEDBACK_DIR, {
+            eventType: 'stripe_redirect_started',
+            clientType: 'web',
+            installId: bootstrapBody.installId,
+            acquisitionId: analyticsMetadata.acquisitionId,
+            visitorId: analyticsMetadata.visitorId,
+            sessionId: analyticsMetadata.sessionId,
+            traceId,
+            stripeSessionId: result.sessionId,
+            source: analyticsMetadata.source,
+            utmSource: analyticsMetadata.utmSource,
+            utmMedium: analyticsMetadata.utmMedium,
+            utmCampaign: analyticsMetadata.utmCampaign,
+            utmContent: analyticsMetadata.utmContent,
+            utmTerm: analyticsMetadata.utmTerm,
+            creator: analyticsMetadata.creator,
+            community: analyticsMetadata.community,
+            postId: analyticsMetadata.postId,
+            commentId: analyticsMetadata.commentId,
+            campaignVariant: analyticsMetadata.campaignVariant,
+            offerCode: analyticsMetadata.offerCode,
+            landingPath: analyticsMetadata.landingPath,
+            page: '/checkout/pro',
+            ctaId: analyticsMetadata.ctaId,
+            ctaPlacement: analyticsMetadata.ctaPlacement,
+            planId: analyticsMetadata.planId,
+            billingCycle: analyticsMetadata.billingCycle,
+            seatCount: analyticsMetadata.seatCount,
+            referrer: analyticsMetadata.referrer,
+            referrerHost: analyticsMetadata.referrerHost,
+          }, req.headers, 'stripe_redirect_started');
           res.writeHead(302, {
             ...responseHeaders,
             Location: result.url,
@@ -4905,11 +5052,49 @@ async function addContext(){
     }
 
     if (isGetLikeRequest && pathname === '/health') {
-      sendJson(res, 200, {
-        status: 'ok',
+      // History (2026-05-12): /health used to return status: 'ok' unconditionally
+      // with zero downstream checks. Uptime monitors saw "healthy" when Stripe
+      // was down, when feedback-dir was unwritable, when env was misconfigured.
+      // The fix is shallow but meaningful: probe each critical subsystem and
+      // surface failures with HTTP 503 + a per-check breakdown.
+      const checks = {};
+      let allOk = true;
+
+      // Check 1: feedback dir exists and is writable.
+      try {
+        const { FEEDBACK_DIR } = getFeedbackPaths();
+        fs.accessSync(FEEDBACK_DIR, fs.constants.W_OK);
+        checks.feedbackDir = { ok: true };
+      } catch (err) {
+        checks.feedbackDir = { ok: false, error: err?.code || 'inaccessible' };
+        allOk = false;
+      }
+
+      // Check 2: hosted config resolves the canonical app origin.
+      // If appOrigin is missing/empty, redirects + checkout flow break silently.
+      if (hostedConfig?.appOrigin) {
+        checks.hostedConfig = { ok: true };
+      } else {
+        checks.hostedConfig = { ok: false, error: 'missing_appOrigin' };
+        allOk = false;
+      }
+
+      // Check 3: build metadata loaded. If BUILD_METADATA.buildSha is empty,
+      // Railway didn't inject the deploy SHA — observability is degraded.
+      if (BUILD_METADATA?.buildSha) {
+        checks.buildMetadata = { ok: true };
+      } else {
+        checks.buildMetadata = { ok: false, error: 'missing_buildSha' };
+        allOk = false;
+      }
+
+      const statusCode = allOk ? 200 : 503;
+      sendJson(res, statusCode, {
+        status: allOk ? 'ok' : 'degraded',
         version: pkg.version,
         buildSha: BUILD_METADATA.buildSha,
         uptime: process.uptime(),
+        checks,
         deployment: {
           appOrigin: hostedConfig.appOrigin,
           billingApiBaseUrl: hostedConfig.billingApiBaseUrl,
@@ -4921,11 +5106,26 @@ async function addContext(){
     }
 
     if (isGetLikeRequest && pathname === '/healthz') {
+      // /healthz is the deeper internal probe — verifies feedback log + memory log
+      // paths exist and are writable. Returns 503 when either check fails.
       const { FEEDBACK_LOG_PATH, MEMORY_LOG_PATH } = requestFeedbackPaths;
-      sendJson(res, 200, {
-        status: 'ok',
+      const checks = {};
+      let allOk = true;
+      for (const [label, p] of [['feedbackLog', FEEDBACK_LOG_PATH], ['memoryLog', MEMORY_LOG_PATH]]) {
+        try {
+          const dir = path.dirname(p);
+          fs.accessSync(dir, fs.constants.W_OK);
+          checks[label] = { ok: true };
+        } catch (err) {
+          checks[label] = { ok: false, error: err?.code || 'inaccessible' };
+          allOk = false;
+        }
+      }
+      sendJson(res, allOk ? 200 : 503, {
+        status: allOk ? 'ok' : 'degraded',
         feedbackLogPath: FEEDBACK_LOG_PATH,
         memoryLogPath: MEMORY_LOG_PATH,
+        checks,
       }, {}, {
         headOnly: isHeadRequest,
       });
@@ -5048,6 +5248,114 @@ async function addContext(){
       return;
     }
 
+    // GET /v1/telemetry/export — raw recent telemetry-pings + funnel-events
+    // for the unified-revenue-rollup join. Operator-key gated because the raw
+    // event stream may include user-agent strings and other low-PII data
+    // that we never expose unauthenticated. Returns a bounded window
+    // (default last 24h, capped at 10000 rows per stream) so a misbehaving
+    // caller cannot pull the entire local ledger.
+    if (req.method === 'GET' && pathname === '/v1/telemetry/export') {
+      // Strict auth: raw telemetry export exposes user-agent strings and
+      // first-party event payloads. Unlike /v1/billing/summary (which
+      // returns aggregates only), this endpoint must NEVER fall through
+      // to unauthenticated access when both keys happen to be unset —
+      // that would silently turn an unconfigured dev/preview server into
+      // a public ledger reader. Require BOTH a configured key on the
+      // server AND a token on the request that matches one of them.
+      const requestToken = extractApiKey(req);
+      const adminMatches = !!expectedApiKey && requestToken === expectedApiKey;
+      const operatorMatches = !!expectedOperatorKey && requestToken === expectedOperatorKey;
+      const anyKeyConfigured = !!expectedApiKey || !!expectedOperatorKey;
+      if (!anyKeyConfigured) {
+        sendJson(res, 503, {
+          error: 'Telemetry export disabled — neither THUMBGATE_API_KEY nor THUMBGATE_OPERATOR_KEY is configured on this server',
+        });
+        return;
+      }
+      if (!adminMatches && !operatorMatches) {
+        sendJson(res, 401, { error: 'Unauthorized — operator or admin key required' });
+        return;
+      }
+
+      // Reuse the already-parsed URL object from line ~3654 instead of
+      // re-requiring the legacy 'url' module.
+      const params = parsed.searchParams;
+      const sinceRaw = String(params.get('since') || '').trim();
+      const sinceMs = sinceRaw
+        ? Date.parse(sinceRaw)
+        : Date.now() - 24 * 60 * 60 * 1000;
+      const since = Number.isFinite(sinceMs) ? sinceMs : Date.now() - 24 * 60 * 60 * 1000;
+
+      const limitRaw = Number(params.get('limit'));
+      const limit = Number.isFinite(limitRaw) && limitRaw > 0
+        ? Math.min(Math.floor(limitRaw), 10000)
+        : 1000;
+
+      const sourceRaw = String(params.get('source') || '');
+      const source = ['telemetry', 'funnel', 'both'].includes(sourceRaw) ? sourceRaw : 'both';
+
+      const { FEEDBACK_DIR: exportDir } = getFeedbackPaths();
+      const wantTelemetry = source === 'telemetry' || source === 'both';
+      const wantFunnel = source === 'funnel' || source === 'both';
+
+      const result = {
+        generatedAt: new Date().toISOString(),
+        since: new Date(since).toISOString(),
+        limit,
+        source,
+        telemetry: { rows: [], truncated: false, totalAfterSince: 0 },
+        funnel: { rows: [], truncated: false, totalAfterSince: 0 },
+      };
+
+      function readJsonlSince(p) {
+        try {
+          if (!fs.existsSync(p)) return [];
+          const text = fs.readFileSync(p, 'utf8');
+          const rows = [];
+          for (const line of text.split('\n')) {
+            if (!line) continue;
+            let obj;
+            try { obj = JSON.parse(line); } catch { continue; }
+            const ts = obj.timestamp || obj.receivedAt || obj.ts || null;
+            const parsed = ts ? Date.parse(ts) : NaN;
+            if (Number.isFinite(parsed) && parsed >= since) {
+              rows.push(obj);
+            }
+          }
+          return rows;
+        } catch { return []; }
+      }
+
+      if (wantTelemetry) {
+        const tp = path.join(exportDir, 'telemetry-pings.jsonl');
+        const all = readJsonlSince(tp);
+        result.telemetry.totalAfterSince = all.length;
+        result.telemetry.rows = all.slice(-limit);
+        result.telemetry.truncated = all.length > limit;
+      }
+
+      if (wantFunnel) {
+        // Use the canonical funnel ledger path from scripts/billing.js so
+        // any test override (THUMBGATE_FUNNEL_LEDGER_PATH / _TEST_FUNNEL_LEDGER_PATH)
+        // resolves correctly. Falls back to the feedback dir's funnel-events.jsonl.
+        let funnelPath;
+        try {
+          const billing = require('../../scripts/billing');
+          funnelPath = (billing._FUNNEL_LEDGER_PATH && billing._FUNNEL_LEDGER_PATH())
+            || path.join(exportDir, 'funnel-events.jsonl');
+        } catch {
+          funnelPath = path.join(exportDir, 'funnel-events.jsonl');
+        }
+        const all = readJsonlSince(funnelPath);
+        result.funnel.totalAfterSince = all.length;
+        result.funnel.rows = all.slice(-limit);
+        result.funnel.truncated = all.length > limit;
+      }
+
+      sendJson(res, 200, result);
+      return;
+    }
+
     if (req.method === 'OPTIONS' && pathname === '/v1/intake/workflow-sprint') {
       sendPublicBillingPreflight(res);
       return;
@@ -5240,6 +5548,222 @@ async function addContext(){
       return;
     }
 
+    // Public terms of service — required by Stripe / Stripe Checkout for the
+    // "Terms of service URL" field in Business → Public details. Mirrors the
+    // /privacy + /support pages: thin HTML, no external deps, no DB hit.
+    if (isGetLikeRequest && pathname === '/terms') {
+      sendHtml(res, 200, `<!DOCTYPE html><html><head><title>Terms of Service — ThumbGate</title></head><body>
+<h1>Terms of Service</h1>
+<p><strong>ThumbGate</strong> (npm: thumbgate)</p>
+<p>Last updated: 2026-05-12</p>
+<h2>The Service</h2>
+<p>ThumbGate provides pre-action gates for AI coding agents: a local CLI (MIT-licensed) and an optional hosted tier at thumbgate-production.up.railway.app. By installing the CLI or paying for a subscription, you agree to these terms.</p>
+<h2>Payment</h2>
+<p>Paid tiers are billed through Stripe. Subscriptions auto-renew until cancelled. One-off purchases (Sprint Diagnostic, Workflow Sprint, Quick Read, Workflow Teardown, First Failure Rule) are charged once.</p>
+<h2>Refunds</h2>
+<p>Pro and Team subscriptions: cancel anytime; we issue a full refund within 7 days of the first charge, prorated thereafter. One-off purchases: refund on request if we cannot deliver the scoped artifact.</p>
+<h2>Acceptable Use</h2>
+<p>You may not use ThumbGate to (a) circumvent the safety controls of other AI providers, (b) generate malware or content that violates third-party terms, or (c) resell the hosted tier without written permission.</p>
+<h2>Disclaimer of Warranty</h2>
+<p>The service is provided "as is", without warranty of any kind. ThumbGate is a guard rail, not a guarantee. We do not warrant that every AI-agent mistake will be prevented.</p>
+<h2>Limitation of Liability</h2>
+<p>Total liability for any claim is limited to the amount you paid in the 12 months preceding the claim.</p>
+<h2>Governing Law</h2>
+<p>These terms are governed by the laws of the State of New York, United States.</p>
+<h2>Changes</h2>
+<p>We may update these terms; material changes will be announced via the email on file at least 14 days before they take effect.</p>
+<h2>Contact</h2><p>igor.ganapolsky@gmail.com</p>
+<p><a href="https://github.com/IgorGanapolsky/ThumbGate">GitHub</a> · <a href="/privacy">Privacy</a> · <a href="/support">Support</a></p>
+</body></html>`, {}, {
+        headOnly: isHeadRequest,
+      });
+      return;
+    }
+
+    // Public case studies — proof surface for buyers. Conversion-optimization
+    // surface that was missing: thumbgate.ai had no /case-studies, so visitors
+    // landed on CLI install commands without seeing whether anyone actually
+    // got value. First entry is the Aiventyx Teams listing integration: real
+    // third-party CTR signal (5/8 clicks before the /go/teams fix, end-to-end
+    // verified after).
+    if (isGetLikeRequest && pathname === '/case-studies') {
+      sendHtml(res, 200, `<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>Case Studies — ThumbGate</title><meta name="description" content="Real integrations of ThumbGate's pre-action checks for AI coding agents. Proof, not promises."><style>body{font-family:system-ui,-apple-system,sans-serif;max-width:780px;margin:0 auto;padding:32px 20px;line-height:1.55;color:#1f2937}h1{font-size:32px;margin:0 0 8px}.lede{color:#6b7280;font-size:18px;margin:0 0 32px}article{border:1px solid #e5e7eb;border-radius:12px;padding:24px;margin-bottom:24px;background:#fff}article h2{margin:0 0 4px;font-size:22px}.meta{color:#6b7280;font-size:13px;margin-bottom:16px}h3{font-size:15px;margin:20px 0 8px;color:#374151;text-transform:uppercase;letter-spacing:0.5px}.metric{display:inline-block;background:#0f172a;color:#fff;padding:4px 10px;border-radius:6px;font-weight:600;font-size:14px;margin:0 4px 4px 0}p{margin:8px 0}a{color:#0066cc}code{background:#f3f4f6;padding:1px 6px;border-radius:4px;font-size:13.5px}footer{margin-top:48px;padding-top:24px;border-top:1px solid #e5e7eb;color:#6b7280;font-size:14px}</style></head><body>
+<h1>Case Studies</h1>
+<p class="lede">Real integrations. No fabricated logos, no aspirational numbers — every claim below is reproducible.</p>
+
+<article>
+<h2>Aiventyx marketplace — Teams listing CTR recovery</h2>
+<p class="meta">Integration partner: <a href="https://www.aiventyx.com">Aiventyx</a> · Reported by: Qaiser Mehdi · Verified: 2026-05-13</p>
+
+<h3>The problem</h3>
+<p>Aiventyx is a marketplace for AI tools. ThumbGate's Teams listing was their highest-CTR external surface — <span class="metric">62% CTR</span> (5 clicks on 8 views, May 7–9 window). When their integrator rolled out canonical tracked URLs, every Teams click started landing on:</p>
+<p><code>{"error":"Tracked link not found","allowed":["gpt","pro","install","reddit","linkedin","x","github"]}</code></p>
+<p>The <code>/go/teams</code> slug wasn't registered in our redirector — a 404 was eating every paid-intent click from their strongest external surface.</p>
+
+<h3>The fix</h3>
+<p>Added <code>teams</code> to <code>TRACKED_LINK_TARGETS</code>: HTTP 302 redirect to <code>/checkout/pro?plan_id=team&seat_count=3&billing_cycle=monthly</code> — the 3-seat $147/mo self-serve Stripe Team checkout. Caller-supplied UTMs flow through to Stripe metadata end-to-end.</p>
+
+<h3>The verification</h3>
+<p>Qaiser's own incognito test, May 13 6:04 AM (full email on record):</p>
+<p><code>https://thumbgate.ai/go/teams?utm_source=aiventyx</code><br>
+→ 302 to Stripe checkout<br>
+→ "Subscribe to ThumbGate Team" page loads<br>
+→ $147/mo, 3-seat Team plan confirmed<br>
+→ Aiventyx UTMs intact in URL</p>
+
+<h3>What this proves</h3>
+<p>End-to-end attribution from a third-party marketplace through ThumbGate's redirector into Stripe checkout, with the caller's UTM chain preserved. Two regression tests pin the redirect contract so it can't silently break.</p>
+
+<p><a href="/go/teams?utm_source=case-study">Try the live redirect →</a></p>
+</article>
+
+<footer>
+<p>Want to be the next case study? The product is real, the integration is 30 seconds: <code>npx thumbgate init</code>. If you ship something with ThumbGate and want it documented here, email <a href="mailto:igor.ganapolsky@gmail.com">igor.ganapolsky@gmail.com</a>.</p>
+<p><a href="https://thumbgate.ai">Home</a> · <a href="/pricing">Pricing</a> · <a href="/privacy">Privacy</a> · <a href="/terms">Terms</a> · <a href="/support">Support</a></p>
+</footer>
+</body></html>`, {}, {
+        headOnly: isHeadRequest,
+      });
+      return;
+    }
+
+        // Public canonical pricing page. The audit flagged "pricing schizophrenia":
+    // sales/pricing.json said $49 / $299, COMMERCIAL_TRUTH.md said $19 / $149,
+    // and there was no buyer-facing surface to reconcile the two. This is now
+    // the single source of truth for what ThumbGate sells, in priority order:
+    // Sprint (proof-pack, sales-led) → Pro (self-serve recurring) → Team
+    // (after qualification). Every paid CTA across the site should funnel
+    // here OR directly into Stripe checkout — never a different price.
+    if (isGetLikeRequest && pathname === '/pricing') {
+      sendHtml(res, 200, `<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>Pricing — ThumbGate</title><meta name="description" content="ThumbGate pricing: free CLI, $19/mo Pro, $49/seat Team, $499 Sprint Diagnostic, $1500 full Workflow Hardening Sprint. Single source of truth across the site."><style>body{font-family:system-ui,-apple-system,sans-serif;max-width:980px;margin:0 auto;padding:32px 20px;line-height:1.55;color:#1f2937}h1{font-size:36px;margin:0 0 8px;text-align:center}.lede{color:#6b7280;font-size:18px;margin:0 0 32px;text-align:center}.grid{display:grid;grid-template-columns:1fr;gap:20px;margin-bottom:24px}@media(min-width:720px){.grid{grid-template-columns:repeat(2,1fr)}.hero{grid-column:1/-1}}.card{border:1px solid #e5e7eb;border-radius:12px;padding:24px;background:#fff;display:flex;flex-direction:column}.hero{border:2px solid #0f172a;background:linear-gradient(135deg,#fef3c7,#fff)}.tag{display:inline-block;background:#0f172a;color:#fff;padding:3px 10px;border-radius:6px;font-size:12px;font-weight:600;letter-spacing:0.5px;margin-bottom:12px}.tag-free{background:#10b981}.tag-pro{background:#3b82f6}.tag-team{background:#8b5cf6}.tag-diag{background:#0f172a}.tag-sprint{background:#b91c1c}h2{margin:0 0 4px;font-size:22px}.price{font-size:30px;font-weight:700;margin:8px 0 12px}.price small{font-size:14px;color:#6b7280;font-weight:400}.tagline{color:#374151;margin:0 0 16px;font-size:15px}ul{margin:0 0 20px;padding-left:18px}li{margin:6px 0;font-size:14px}.cta{display:inline-block;background:#0f172a;color:#fff;padding:12px 24px;border-radius:8px;font-weight:600;text-decoration:none;text-align:center;margin-top:auto}.cta-secondary{background:#fff;color:#0f172a;border:1px solid #0f172a}.cta-free{background:#10b981}.micro{border-top:1px solid #e5e7eb;padding-top:24px;margin-top:16px}.micro-grid{display:grid;grid-template-columns:repeat(auto-fit,minmax(180px,1fr));gap:12px;margin:16px 0}.micro-card{border:1px solid #e5e7eb;border-radius:8px;padding:14px;text-align:center;background:#fafafa}.micro-card .mp{font-size:20px;font-weight:700;color:#0f172a}.micro-card .ml{font-size:13px;color:#6b7280;margin:4px 0 8px}.micro-card a{color:#0066cc;font-size:13px;text-decoration:none}footer{margin-top:32px;padding-top:24px;border-top:1px solid #e5e7eb;color:#6b7280;font-size:14px;text-align:center}footer a{color:#0066cc}</style></head><body>
+<h1>Pricing</h1>
+<p class="lede">Six paths to ThumbGate. Pick by what you need: an install, a subscription, a team rollout, or a stakeholder-visible artifact.</p>
+
+<div class="grid">
+
+<div class="card hero">
+<span class="tag tag-sprint">Sprint — Full engagement</span>
+<h2>Workflow Hardening Sprint</h2>
+<div class="price">$1,500 <small>· one-time</small></div>
+<p class="tagline">The full hardening engagement for a single AI-agent workflow. Built on top of the Sprint Diagnostic — we apply the diagnostic findings into a shipped Pre-Action Check pack, deploy hooks into your repo, and run the rollout review. Two weeks calendar-time, single fixed price.</p>
+<ul>
+<li>Diagnostic + applied rules + deployed PreToolUse hooks</li>
+<li>Best path if you need the workflow actually fixed, not just diagnosed</li>
+<li>Refund if we can't extract or apply a rule</li>
+</ul>
+<a class="cta" href="mailto:igor.ganapolsky@gmail.com?subject=ThumbGate%20Workflow%20Hardening%20Sprint%20-%20Intake&body=Stack%20(Claude%20Code%2FCursor%2Fother)%3A%0AOne%20repeated%20agent%20failure%20you%20want%20to%20kill%3A%0ATimeline%3A%0A">Email to start the full sprint →</a>
+</div>
+
+<div class="card">
+<span class="tag tag-diag">Diagnostic — Proof first</span>
+<h2>Sprint Diagnostic</h2>
+<div class="price">$499 <small>· one-time</small></div>
+<p class="tagline">Two-day diagnostic on one workflow. Top-5 prevention rules ranked by impact, scoped Pre-Action Check pack delivered as a PR, 60-minute findings review. The lightweight on-ramp to the full sprint.</p>
+<ul>
+<li>Best if you need a stakeholder-visible artifact (PR, doc, briefing)</li>
+<li>Two days fixed scope — no scope creep</li>
+<li>Refund if we can't extract a rule from your failure trace</li>
+</ul>
+<a class="cta" href="https://buy.stripe.com/28E00j3Uge1E2dzgWL3sI2J">Pay $499 diagnostic →</a>
+</div>
+
+<div class="card">
+<span class="tag tag-free">Free — Forever</span>
+<h2>ThumbGate CLI</h2>
+<div class="price">$0</div>
+<p class="tagline">MIT-licensed CLI + local PreToolUse hook. Unlimited captures, 5 active prevention rules, local lesson DB. Works with Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode.</p>
+<ul>
+<li>30-second install: <code>npx thumbgate init</code></li>
+<li>No account, no signup, no data leaves your machine</li>
+<li>Hit 5 active rules → upgrade to Pro for unlimited</li>
+</ul>
+<a class="cta cta-free" href="/go/install?utm_source=pricing">Install free CLI →</a>
+</div>
+
+<div class="card">
+<span class="tag tag-pro">Pro — Self-serve recurring</span>
+<h2>ThumbGate Pro</h2>
+<div class="price">$19 <small>/ month</small> · $149 / year</div>
+<p class="tagline">For developers running multiple AI agents who hit the 5-rule wall. Unlimited prevention rules, local dashboard, DPO export for offline preference fine-tuning, lesson search across sessions.</p>
+<ul>
+<li>Unlimited active prevention rules</li>
+<li>Local dashboard + lesson recall</li>
+<li>7-day refund window. Cancel anytime.</li>
+</ul>
+<a class="cta cta-secondary" href="/go/pro?utm_source=pricing">Start Pro →</a>
+</div>
+
+<div class="card">
+<span class="tag tag-team">Team — After qualification</span>
+<h2>ThumbGate Team</h2>
+<div class="price">$49 <small>/ seat / month</small> · 3-seat min ($147/mo)</div>
+<p class="tagline">For engineering teams with shared AI-agent workflows. Shared lesson DB so one engineer's save protects the whole team, org-level policy rollout, audit-ready evidence.</p>
+<ul>
+<li>Shared prevention-rule policy across seats</li>
+<li>Self-serve checkout — no sales call required</li>
+<li>Most teams start with a Sprint first, then scale to seats</li>
+</ul>
+<a class="cta cta-secondary" href="/go/teams?utm_source=pricing">Start Team →</a>
+</div>
+
+</div>
+
+<div class="micro">
+<h2 style="text-align:center;font-size:20px;margin:0 0 4px;">Micro-purchases — pay for one piece</h2>
+<p style="text-align:center;color:#6b7280;font-size:14px;margin:0 0 8px;">For evaluators who want to validate one specific surface before subscribing.</p>
+<div class="micro-grid">
+<div class="micro-card">
+<div class="mp">$1</div>
+<div class="ml">First Failure Rule</div>
+<a href="https://buy.stripe.com/fZu28rfCY6zcbO99uj3sI2G">Pay $1 →</a>
+</div>
+<div class="micro-card">
+<div class="mp">$19</div>
+<div class="ml">AI Agent Failure Quick Read</div>
+<a href="https://buy.stripe.com/5kQ7sL76s1eSaK55e33sI2H">Pay $19 →</a>
+</div>
+<div class="micro-card">
+<div class="mp">$99</div>
+<div class="ml">Workflow Teardown</div>
+<a href="https://buy.stripe.com/8x214n2Qc4r44lHayn3sI2I">Pay $99 →</a>
+</div>
+</div>
+</div>
+
+<footer>
+<p>One source of truth for ThumbGate pricing. Numbers here override anything stale elsewhere on the site.</p>
+<p><a href="/">Home</a> · <a href="/case-studies">Case Studies</a> · <a href="/support">Support</a> · <a href="/privacy">Privacy</a> · <a href="/terms">Terms</a></p>
+</footer>
+</body></html>`, {}, {
+        headOnly: isHeadRequest,
+      });
+      return;
+    }
+
+    // Public support / contact page — required for Stripe Business → Public
+    // details "Customer support URL" field. Single source of truth for how
+    // customers reach us (email, GitHub issues, status page).
+    if (isGetLikeRequest && pathname === '/support') {
+      sendHtml(res, 200, `<!DOCTYPE html><html><head><title>Support — ThumbGate</title></head><body>
+<h1>Support</h1>
+<p><strong>ThumbGate</strong> support, billing, and contact paths.</p>
+<h2>Email</h2>
+<p>For billing questions, refunds, subscription changes, or technical issues with the hosted tier: <a href="mailto:igor.ganapolsky@gmail.com">igor.ganapolsky@gmail.com</a>. We reply within one business day.</p>
+<h2>GitHub Issues</h2>
+<p>For bugs, CLI questions, and feature requests in the open-source CLI: <a href="https://github.com/IgorGanapolsky/ThumbGate/issues">github.com/IgorGanapolsky/ThumbGate/issues</a>.</p>
+<h2>Status</h2>
+<p>Hosted-tier status: check <a href="https://thumbgate-production.up.railway.app/health">/health</a> for current health. Railway-hosted; rebuilds take 2-5 minutes.</p>
+<h2>Refunds</h2>
+<p>Pro / Team subscriptions: 7-day full refund window from first charge. One-off purchases: refund on request if we cannot deliver. Email the address above.</p>
+<h2>Security</h2>
+<p>Disclose vulnerabilities by email; please do not post to public GitHub issues. We acknowledge within 48 hours.</p>
+<p><a href="https://github.com/IgorGanapolsky/ThumbGate">GitHub</a> · <a href="/privacy">Privacy</a> · <a href="/terms">Terms</a></p>
+</body></html>`, {}, {
+        headOnly: isHeadRequest,
+      });
+      return;
+    }
+
     // Public privacy policy — required for GPT Store and marketplace listings
     if (isGetLikeRequest && pathname === '/privacy') {
       sendHtml(res, 200, `<!DOCTYPE html><html><head><title>Privacy Policy — ThumbGate</title></head><body>