thumbgate 1.18.0 → 1.20.0

package/public/numbers.html

@@ -25,7 +25,7 @@
   "alternateName": "thumbgate",
   "applicationCategory": "DeveloperApplication",
   "operatingSystem": "Cross-platform, Node.js >=18.18.0",
-  "softwareVersion": "1.18.0",
+  "softwareVersion": "1.20.0",
   "url": "https://thumbgate-production.up.railway.app/numbers",
   "dateModified": "2026-05-07",
   "creator": {
@@ -202,7 +202,7 @@
 <main class="container">
   <h1>The Numbers</h1>
   <p class="subtitle">Generated first-party operational snapshot from the ThumbGate runtime. This is not customer traction, install volume, revenue, or proof that a configured gate has fired.</p>
-  <div class="freshness">Updated: 2026-05-07 · Version 1.18.0</div>
+  <div class="freshness">Updated: 2026-05-07 · Version 1.20.0</div>
   <div class="truth-note"><strong>Read this first:</strong> configured checks are inventory. Recorded blocks and warnings are usage evidence. This snapshot currently reports 0 recorded hard-block event(s) and 0 recorded warning event(s).</div>
 
   <h2>Gate enforcement</h2>

package/public/pro.html

@@ -718,7 +718,7 @@ __GA_BOOTSTRAP__
       <a href="#pricing">Pricing</a>
       <a href="#faq">FAQ</a>
       <a href="/dashboard">Demo</a>
-      <a class="nav-cta" data-quick-read-link href="https://buy.stripe.com/aFa8wPgH29Lo4lH35V3sI0w" onclick="sendFirstPartyTelemetry('quick_read_checkout_started',{ctaId:'pro_page_nav_quick_read_checkout',price:19});sendGa4Event('begin_checkout',{currency:'USD',value:19,items:[{item_id:'quick_read',item_name:'AI Agent Failure Quick Read'}]});">Pay $19 quick read</a>
+      <a class="nav-cta btn-pro-checkout" href="/checkout/pro?utm_source=website&utm_medium=pro_page_nav&utm_campaign=pro_pack&cta_id=pro_page_nav&cta_placement=nav&plan_id=pro&landing_path=%2Fpro">Start Pro</a>
     </div>
   </div>
 </nav>
@@ -730,7 +730,7 @@ __GA_BOOTSTRAP__
       <h1>Buy the operator loop that proves your AI agent stopped repeating the mistake.</h1>
       <p style="font-size:13px;opacity:0.8;margin-bottom:0.5rem;">Updated: <time datetime="2026-04-20">2026-04-20</time> · by <a href="https://github.com/IgorGanapolsky" style="color:inherit;">Igor Ganapolsky</a></p>
       <p>ThumbGate Pro is for one operator who already hit a repeated AI-agent failure and now needs proof: what was blocked, why it was blocked, and what changed before the next risky run.</p>
-      <p>If you need help today, start with the $19 quick read: send one failed tool call or workflow snippet and get the likely rule shape plus proof check. Use Pro when you want the local dashboard and DPO export.</p>
+      <p>Start Pro when you want the local dashboard, DPO export, and a single proof lane for the repeated mistake you need to stop. Team diagnostics and custom services are handled through intake, not this buyer path.</p>
       <div class="hero-proof">
         <div class="proof-pill">Personal local dashboard</div>
         <div class="proof-pill">DPO export from real corrections</div>
@@ -738,8 +738,7 @@ __GA_BOOTSTRAP__
         <div class="proof-pill">Founder support on risky flows</div>
       </div>
       <div class="hero-actions">
-        <a class="btn-primary" data-quick-read-link href="https://buy.stripe.com/aFa8wPgH29Lo4lH35V3sI0w" onclick="sendFirstPartyTelemetry('quick_read_checkout_started',{ctaId:'pro_page_hero_quick_read_checkout',price:19});sendGa4Event('begin_checkout',{currency:'USD',value:19,items:[{item_id:'quick_read',item_name:'AI Agent Failure Quick Read'}]});">Pay $19 quick read</a>
-        <a class="btn-secondary btn-pro-checkout" href="/checkout/pro?utm_source=website&utm_medium=pro_page_hero&utm_campaign=pro_pack&cta_id=pro_page_primary&cta_placement=hero&plan_id=pro&landing_path=%2Fpro">Start Pro dashboard</a>
+        <a class="btn-primary btn-pro-checkout" href="/checkout/pro?utm_source=website&utm_medium=pro_page_hero&utm_campaign=pro_pack&cta_id=pro_page_primary&cta_placement=hero&plan_id=pro&landing_path=%2Fpro">Start Pro dashboard</a>
         <a class="btn-secondary btn-demo" href="/dashboard?utm_source=website&utm_medium=pro_page&utm_campaign=pro_pack">Open dashboard demo</a>
         <a class="btn-ghost btn-free-path" href="/guide?utm_source=website&utm_medium=pro_page&utm_campaign=free_install">Stay on Free and install locally</a>
       </div>
@@ -775,18 +774,6 @@ __GA_BOOTSTRAP__
         <p>Visual check debugger, DPO export, auto-connect after activation, Model Hardening Advisor, and founder support for the risky flow you need to harden first.</p>
       </div>
 
-      <div class="aside-card" data-pro-paid-recovery>
-        <div class="aside-kicker">Team workflow blocked?</div>
-        <h3>Buy the paid diagnostic</h3>
-        <p>Skip self-serve Pro and pay for the smallest useful review now.</p>
-        <div class="price-stack">
-          <a class="btn-secondary" data-first-rule-link href="https://buy.stripe.com/4gM6oHgH2bTw4lH6i73sI0z" onclick="sendFirstPartyTelemetry('first_failure_rule_checkout_started',{ctaId:'pro_page_first_failure_rule_checkout',price:1});sendGa4Event('begin_checkout',{currency:'USD',value:1,items:[{item_id:'first_failure_rule',item_name:'First AI Agent Failure Rule'}]});">Pay $1 first rule</a>
-          <a class="btn-secondary" data-quick-read-link href="https://buy.stripe.com/aFa8wPgH29Lo4lH35V3sI0w" onclick="sendFirstPartyTelemetry('quick_read_checkout_started',{ctaId:'pro_page_quick_read_checkout',price:19});">Pay $19 quick read</a>
-          <a class="btn-primary" data-sprint-diagnostic-link href="__SPRINT_DIAGNOSTIC_CHECKOUT_URL__" onclick="sendFirstPartyTelemetry('workflow_sprint_diagnostic_checkout_started',{ctaId:'pro_page_sprint_diagnostic_checkout'});sendGa4Event('begin_checkout',{currency:'USD',value:__SPRINT_DIAGNOSTIC_PRICE_DOLLARS__});">Pay $__SPRINT_DIAGNOSTIC_PRICE_DOLLARS__ diagnostic</a>
-          <a class="btn-secondary" data-workflow-sprint-link href="__WORKFLOW_SPRINT_CHECKOUT_URL__" onclick="sendFirstPartyTelemetry('workflow_sprint_checkout_started',{ctaId:'pro_page_workflow_sprint_checkout'});sendGa4Event('begin_checkout',{currency:'USD',value:__WORKFLOW_SPRINT_PRICE_DOLLARS__});">Pay $__WORKFLOW_SPRINT_PRICE_DOLLARS__ sprint</a>
-        </div>
-      </div>
-
       <div class="aside-card">
         <div class="aside-kicker">Keep the buyer path warm</div>
         <h3>Save your work email before you decide</h3>
@@ -1024,7 +1011,6 @@ function sendFirstPartyTelemetry(eventType, props) {
 }
 
 function sendGa4Event(e,p){if(typeof gtag==='function')gtag('event',e,p||{})}
-function initializeProPaidRecovery(){var c=document.querySelector('[data-pro-paid-recovery]');if(!c)return;var n=0;c.querySelectorAll('a[href]').forEach(function(a){var h=a.getAttribute('href')||'';if(/^https?:\/\//.test(h))n+=1;else a.hidden=true});c.hidden=n===0}
 
 function initializeBuyerIntent() {
   globalThis.ThumbGateBuyerIntent.initializeBuyerIntent({
@@ -1067,7 +1053,6 @@ trackClick('.btn-pro-checkout', 'pro_checkout_start', { tier: 'pro', page: 'pro'
 trackClick('.btn-demo', 'pro_demo_click', { page: 'pro' });
 trackClick('.btn-free-path', 'pro_free_path_click', { page: 'pro' });
 trackClick('.proof-links a', 'pro_proof_click', { page: 'pro' });
-initializeProPaidRecovery();
 initializeBuyerIntent();
 globalThis.buyerJourney = globalThis.ThumbGateBuyerIntent.initializeBehaviorAnalytics({
   pageType: 'marketing',
@@ -1084,10 +1069,6 @@ globalThis.buyerJourney = globalThis.ThumbGateBuyerIntent.initializeBehaviorAnal
   ],
   ctaImpressions: [
     { selector: '.btn-pro-checkout', ctaId: 'pro_checkout', ctaPlacement: 'pro_page', planId: 'pro' },
-    { selector: '[data-first-rule-link]', ctaId: 'pro_page_first_failure_rule_checkout', ctaPlacement: 'pro_paid_recovery', planId: 'first_failure_rule' },
-    { selector: '[data-quick-read-link]', ctaId: 'pro_page_quick_read_checkout', ctaPlacement: 'pro_paid_recovery', planId: 'quick_read' },
-    { selector: '[data-sprint-diagnostic-link]', ctaId: 'pro_page_sprint_diagnostic_checkout', ctaPlacement: 'pro_paid_recovery', planId: 'sprint_diagnostic' },
-    { selector: '[data-workflow-sprint-link]', ctaId: 'pro_page_workflow_sprint_checkout', ctaPlacement: 'pro_paid_recovery', planId: 'workflow_sprint' },
     { selector: '.btn-demo', ctaId: 'pro_demo', ctaPlacement: 'pro_page', planId: 'proof' },
     { selector: '.btn-free-path', ctaId: 'pro_free_path', ctaPlacement: 'pro_page', planId: 'free' }
   ]

package/scripts/activation-tracker.js

@@ -0,0 +1,127 @@
+'use strict';
+
+/**
+ * Activation tracker — fires `activation_first_rule_promoted` exactly once
+ * per install, the first time a prevention rule auto-promotes from feedback.
+ *
+ * Why: v1.17.0 opened the free tier (5 active rules, unlimited captures).
+ * The metric that decides whether that worked is the % of `npx thumbgate init`
+ * runs that produce a first auto-promoted prevention rule within 24h. Without
+ * this telemetry, every funnel decision is guessing. This is improvement #1
+ * from the 2026-05-13 revenue-ROI critique.
+ *
+ * Payload (anonymous):
+ *   - eventType: 'activation_first_rule_promoted'
+ *   - installId: stable random UUID (from cli-telemetry.getInstallId)
+ *   - daysToFirstRule: days between INSTALL_ID_PATH creation and now
+ *   - visitorType: ci | owner | real_user (from cli-telemetry.classifyInstall)
+ *
+ * No personal data, no rule content, no feedback text. Just the activation
+ * signal. Respects THUMBGATE_NO_TELEMETRY=1 / DO_NOT_TRACK=1 opt-out via
+ * the underlying trackEvent helper.
+ *
+ * Idempotency: writes a marker file. After the first firing the function
+ * is a no-op for the lifetime of that install.
+ */
+
+const fs = require('node:fs');
+const path = require('node:path');
+
+const { trackEvent, getInstallId, classifyInstall, INSTALL_ID_PATH } = require('./cli-telemetry');
+
+const MARKER_DIR = path.join(path.dirname(INSTALL_ID_PATH), 'activation');
+const MARKER_PATH = path.join(MARKER_DIR, 'first-rule-promoted.json');
+
+function readMarker() {
+  try {
+    if (!fs.existsSync(MARKER_PATH)) return null;
+    return JSON.parse(fs.readFileSync(MARKER_PATH, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function writeMarker(record) {
+  try {
+    if (!fs.existsSync(MARKER_DIR)) fs.mkdirSync(MARKER_DIR, { recursive: true });
+    fs.writeFileSync(MARKER_PATH, JSON.stringify(record, null, 2));
+  } catch {
+    // non-fatal: worst case we double-fire on a future run; the telemetry
+    // backend can dedup by installId. Better to be silent than to throw.
+  }
+}
+
+function computeDaysSinceInstall() {
+  try {
+    if (!fs.existsSync(INSTALL_ID_PATH)) return null;
+    const installed = fs.statSync(INSTALL_ID_PATH).mtimeMs;
+    if (!Number.isFinite(installed) || installed <= 0) return null;
+    const diffMs = Date.now() - installed;
+    if (diffMs < 0) return 0;
+    // 1 decimal of precision; the metric uses 24h buckets but a finer-grained
+    // number lets analytics chart same-day vs. 1d / 2d / week-of activation.
+    return Math.round((diffMs / 86_400_000) * 10) / 10;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Fire the activation event if this is the first rule promotion for this
+ * install. Returns true if an event was actually emitted, false if skipped
+ * (already fired before, or environment opted out of telemetry).
+ *
+ * Always synchronous and never throws — safe to call from any side-effect
+ * site without try/catch wrapping. The underlying telemetry call is itself
+ * fire-and-forget over HTTPS with a 3s timeout.
+ */
+function recordFirstRulePromotion(metadata = {}) {
+  if (readMarker()) return false; // already fired
+
+  if (process.env.THUMBGATE_NO_TELEMETRY === '1' || process.env.DO_NOT_TRACK === '1') {
+    // Still write the marker so a later run with telemetry re-enabled does not
+    // fire stale activation data weeks after the actual first promotion.
+    writeMarker({
+      installId: getInstallId(),
+      promotedAt: new Date().toISOString(),
+      telemetryOptOut: true,
+    });
+    return false;
+  }
+
+  const installId = getInstallId();
+  const daysToFirstRule = computeDaysSinceInstall();
+  const visitorType = classifyInstall();
+
+  writeMarker({
+    installId,
+    promotedAt: new Date().toISOString(),
+    daysToFirstRule,
+    visitorType,
+    ...metadata,
+  });
+
+  trackEvent('activation_first_rule_promoted', {
+    daysToFirstRule,
+    visitorType,
+    ...metadata,
+  });
+  return true;
+}
+
+function resetForTesting() {
+  // Test-only helper. Removes the marker so a subsequent recordFirstRulePromotion
+  // call re-fires. Never used in production code paths.
+  try {
+    if (fs.existsSync(MARKER_PATH)) fs.unlinkSync(MARKER_PATH);
+  } catch {}
+}
+
+module.exports = {
+  recordFirstRulePromotion,
+  computeDaysSinceInstall,
+  readMarker,
+  writeMarker,
+  MARKER_PATH,
+  resetForTesting,
+};

package/scripts/auto-promote-gates.js

@@ -13,6 +13,22 @@ const WARN_THRESHOLD = 1;
 const BLOCK_THRESHOLD = 3; // 3+ repeated failures hard-block the action
 const WINDOW_DAYS = 30;
 
+// Default TTL on auto-promoted gates. Reddit reviewer @MomSausageandPeppers
+// (2026-05-13) flagged that without expiry, "accidental dislikes become policy
+// forever." Gates expire 90 days after promotion UNLESS they keep firing —
+// every fire refreshes lastFiredAt, and expireGates() keeps any gate fired
+// within the last TTL window regardless of original promotion date. Manual
+// force-promote bypasses TTL (operator says "permanent"). Override via
+// THUMBGATE_RULE_TTL_DAYS env var.
+const DEFAULT_RULE_TTL_DAYS = 90;
+function getRuleTtlDays() {
+  const raw = Number(process.env.THUMBGATE_RULE_TTL_DAYS);
+  return Number.isFinite(raw) && raw > 0 ? raw : DEFAULT_RULE_TTL_DAYS;
+}
+function getRuleTtlMs() {
+  return getRuleTtlDays() * 24 * 60 * 60 * 1000;
+}
+
 const NEG_SIGNALS = new Set(['negative', 'negative_strong', 'down', 'thumbs_down']);
 
 function getFeedbackLogPath() {
@@ -66,15 +82,54 @@ function isNegative(entry) {
   return NEG_SIGNALS.has(sig);
 }
 
+/**
+ * Normalize a captured command/context string so trivial variants collapse
+ * to the same gate signature.
+ *
+ * Reddit critique (MomSausageandPeppers, 2026-05-17): "commands are matched
+ * by string equality, so `rm -rf node_modules` and `rm -rf ./node_modules`
+ * create separate gates."
+ *
+ * Conservative — only collapse variants that are *unambiguously* the same
+ * intent. Does NOT reorder flags, strip `&&` chains, or canonicalize
+ * subcommands (each can change semantics).
+ *
+ *  1. Lowercase
+ *  2. Strip `/Users/<name>` and `/home/<name>` home-dir prefixes (→ `~`)
+ *  3. Drop `:LINE` and `:LINE:COL` refs
+ *  4. Per-token: strip one layer of matching outer quotes/backticks
+ *  5. Per-token: drop leading `./`
+ *  6. Collapse whitespace + trim
+ */
+function normalizeCommandSignature(input) {
+  let text = String(input || '');
+  if (!text) return '';
+  text = text.toLowerCase();
+  text = text.replace(/\/users\/[^\s/]+/g, '~').replace(/\/home\/[^\s/]+/g, '~');
+  text = text.replace(/:\d+(?::\d+)?\b/g, '');
+  const tokens = text.split(/\s+/).filter(Boolean).map((tok) => {
+    let t = tok;
+    if (t.length >= 2) {
+      const first = t[0];
+      const last = t[t.length - 1];
+      if ((first === '"' || first === "'" || first === '`') && first === last) {
+        t = t.slice(1, -1);
+      }
+    }
+    if (t.startsWith('./')) t = t.slice(2);
+    return t;
+  }).filter(Boolean);
+  return tokens.join(' ').trim();
+}
+
 function extractPatternKey(entry) {
   // Use tags as primary grouping key; fall back to context normalization
   const tags = (entry.tags || []).filter((t) => !['feedback', 'negative', 'positive'].includes(t));
   if (tags.length > 0) return tags.sort().join('+');
 
-  const ctx = (entry.context || entry.whatWentWrong || '').toLowerCase().trim();
+  const ctx = (entry.context || entry.whatWentWrong || '').trim();
   if (ctx.length < 10) return null;
-  // Normalize paths and numbers for grouping
-  return ctx.replace(/\/Users\/[^\s/]+/g, '~').replace(/:[0-9]+/g, '').replace(/\s+/g, ' ').slice(0, 100);
+  return normalizeCommandSignature(ctx).slice(0, 100);
 }
 
 function extractDiagnosticKeys(entry) {
@@ -147,10 +202,17 @@ function buildGateRule(group) {
     : group.key.startsWith('constraint:')
       ? 'repeated constraint violation'
       : 'repeated pattern';
-  
+
   const occurrencesText = group.count === 'MANUAL' ? 'manual' : `${group.count} occurrences`;
   const suggestedMessage = `Auto-promoted ${kind}: "${context}" (${occurrencesText} in ${WINDOW_DAYS} days)`;
 
+  // TTL: auto-promoted rules expire after the configured window unless
+  // refreshed by a fresh fire. Manual force-promote bypasses TTL — operator
+  // says "permanent" by going through the force path.
+  const nowMs = Date.now();
+  const isManual = group.count === 'MANUAL';
+  const expiresAt = isManual ? null : new Date(nowMs + getRuleTtlMs()).toISOString();
+
   return {
     id: patternToGateId(group.key),
     trigger: `auto:${group.key}`,
@@ -160,10 +222,82 @@ function buildGateRule(group) {
     severity,
     occurrences: group.count,
     promotedAt: new Date().toISOString(),
+    expiresAt,
+    lastFiredAt: null,
     source: group.source || 'auto-promote',
   };
 }
 
+/**
+ * Drop expired gates from the data and return the gates removed.
+ *
+ * A gate is expired when its `expiresAt` is in the past AND its
+ * `lastFiredAt` (if set) is also outside the TTL window — high-signal
+ * gates that keep firing get continuously renewed and never expire.
+ *
+ * `expiresAt: null` is treated as "permanent" (used by force-promote /
+ * legacy gates without TTL data).
+ */
+function expireGates(data, now = Date.now()) {
+  const safeData = data && typeof data === 'object'
+    ? { version: data.version || 1, gates: Array.isArray(data.gates) ? data.gates : [], promotionLog: Array.isArray(data.promotionLog) ? data.promotionLog : [] }
+    : { version: 1, gates: [], promotionLog: [] };
+  const ttlMs = getRuleTtlMs();
+  const kept = [];
+  const expired = [];
+  for (const gate of safeData.gates) {
+    if (!gate || typeof gate !== 'object') continue;
+    // No expiresAt → treat as permanent (manual force-promote, legacy gates).
+    if (gate.expiresAt == null) {
+      kept.push(gate);
+      continue;
+    }
+    const expiresMs = Date.parse(gate.expiresAt);
+    if (!Number.isFinite(expiresMs)) {
+      kept.push(gate);
+      continue;
+    }
+    // If last fire is within TTL window, refresh the gate (extend expiresAt).
+    const lastFiredMs = gate.lastFiredAt ? Date.parse(gate.lastFiredAt) : NaN;
+    if (Number.isFinite(lastFiredMs) && now - lastFiredMs < ttlMs) {
+      kept.push({ ...gate, expiresAt: new Date(lastFiredMs + ttlMs).toISOString() });
+      continue;
+    }
+    if (now < expiresMs) {
+      kept.push(gate);
+    } else {
+      expired.push({ id: gate.id, expiresAt: gate.expiresAt, lastFiredAt: gate.lastFiredAt });
+    }
+  }
+  safeData.gates = kept;
+  if (expired.length > 0) {
+    safeData.promotionLog.push(
+      ...expired.map((e) => ({ type: 'expired', gateId: e.id, expiredAt: e.expiresAt, timestamp: new Date(now).toISOString() }))
+    );
+  }
+  return { data: safeData, expired };
+}
+
+/**
+ * Mark a gate as fired now. Refreshes lastFiredAt AND extends expiresAt by
+ * the full TTL — a gate that keeps catching repeats sharpens, doesn't
+ * decay. Caller passes the gate ID; returns the updated gate (or null).
+ */
+function recordGateFire(data, gateId, now = Date.now()) {
+  if (!data || !Array.isArray(data.gates)) return null;
+  const idx = data.gates.findIndex((g) => g && g.id === gateId);
+  if (idx === -1) return null;
+  const gate = data.gates[idx];
+  const lastFiredAtIso = new Date(now).toISOString();
+  const updated = {
+    ...gate,
+    lastFiredAt: lastFiredAtIso,
+    expiresAt: gate.expiresAt == null ? null : new Date(now + getRuleTtlMs()).toISOString(),
+  };
+  data.gates[idx] = updated;
+  return updated;
+}
+
 function forcePromote(context, action = 'block') {
   if (!context) throw new Error('context is required for force-promote');
   const data = loadAutoGates();
@@ -202,9 +336,15 @@ function promote(feedbackLogPath) {
   const logPath = feedbackLogPath || getFeedbackLogPath();
   const entries = readJSONL(logPath);
   const groups = groupNegativeFeedback(entries, WINDOW_DAYS);
-  const data = loadAutoGates();
-  const existingIds = new Set(data.gates.map((g) => g.id));
-  const promotions = [];
+  // Expire stale gates BEFORE running the promotion loop so an expiring
+  // gate that's about to be re-promoted gets a fresh TTL via the normal
+  // path rather than carrying a near-stale expiresAt.
+  const { data: expiredData, expired } = expireGates(loadAutoGates());
+  const data = expiredData;
+  if (expired.length > 0) {
+    saveAutoGates(data);
+  }
+  const promotions = expired.map((e) => ({ type: 'expired', gateId: e.id, expiredAt: e.expiresAt }));
 
   for (const group of Object.values(groups)) {
     if (group.count < WARN_THRESHOLD) continue;
@@ -298,9 +438,15 @@ module.exports = {
   patternToGateId,
   buildGateRule,
   extractPatternKey,
+  normalizeCommandSignature,
   isNegative,
+  expireGates,
+  recordGateFire,
+  getRuleTtlDays,
+  getRuleTtlMs,
   MAX_AUTO_GATES,
   WARN_THRESHOLD,
   BLOCK_THRESHOLD,
   WINDOW_DAYS,
+  DEFAULT_RULE_TTL_DAYS,
 };

package/scripts/auto-wire-hooks.js

@@ -186,48 +186,69 @@ function hookAlreadyPresent(hookArray, command) {
  *                              (defaults to process.cwd()).
  * @returns {{ hooks: Array, removedPaths: string[] }}
  */
+// Shell-style variable expansion limited to the env vars Claude Code
+// documents for hook commands (CLAUDE_PROJECT_DIR), plus other process env
+// vars. Surrounding ASCII quotes are stripped first so tokens like
+// `"$CLAUDE_PROJECT_DIR"/.claude/hooks/x.sh` resolve correctly.
+function expandShellToken(token, resolveBase) {
+  let s = token;
+  if (s.startsWith('"') && s.includes('"', 1)) {
+    s = s.slice(1, s.indexOf('"', 1)) + s.slice(s.indexOf('"', 1) + 1);
+  } else if (s.startsWith("'") && s.includes("'", 1)) {
+    s = s.slice(1, s.indexOf("'", 1)) + s.slice(s.indexOf("'", 1) + 1);
+  }
+  const lookup = (name) => (name === 'CLAUDE_PROJECT_DIR'
+    ? process.env.CLAUDE_PROJECT_DIR || resolveBase
+    : process.env[name]);
+  s = s.replace(/\$\{([A-Za-z_]\w*)\}/g, (_, n) => {
+    const v = lookup(n);
+    return v == null ? `\${${n}}` : v;
+  });
+  s = s.replace(/\$([A-Za-z_]\w*)/g, (_, n) => {
+    const v = lookup(n);
+    return v == null ? `$${n}` : v;
+  });
+  return s;
+}
+
+// Returns the raw (unexpanded) script-path token if the command points at a
+// missing script file, else null. Anything that doesn't look like a file
+// reference, or contains unresolved $VAR after expansion, returns null —
+// caller treats null as "keep the hook" (err on the side of NOT pruning).
+function staleHookPath(command, resolveBase) {
+  if (!command) return null;
+  const rawFirstToken = command.split(/\s+/)[0];
+  const firstToken = expandShellToken(rawFirstToken, resolveBase);
+  const looksLikePath =
+    firstToken.includes('/') ||
+    firstToken.includes('\\') ||
+    firstToken.endsWith('.sh');
+  if (!looksLikePath) return null;
+  if (firstToken.includes('$')) return null;
+  const resolved = path.isAbsolute(firstToken)
+    ? firstToken
+    : path.resolve(resolveBase, firstToken);
+  return fs.existsSync(resolved) ? null : rawFirstToken;
+}
+
 function pruneStaleFileHooks(hookArray, baseDir) {
   if (!Array.isArray(hookArray)) {
     return { hooks: [], removedPaths: [] };
   }
-
   const resolveBase = baseDir || process.cwd();
   const removedPaths = [];
-
   const hooks = hookArray.filter((entry) => {
     const entryHooks = Array.isArray(entry && entry.hooks) ? entry.hooks : [];
-    let shouldRemove = false;
-
     for (const hook of entryHooks) {
       const command = hook && typeof hook.command === 'string' ? hook.command : '';
-      if (!command) continue;
-
-      // Extract the first token as the potential script path.
-      const firstToken = command.split(/\s+/)[0];
-
-      // Only treat it as a file reference if it looks like a path.
-      const looksLikePath =
-        firstToken.includes('/') ||
-        firstToken.includes('\\') ||
-        firstToken.endsWith('.sh');
-
-      if (!looksLikePath) continue;
-
-      // Resolve the path (absolute or relative to baseDir).
-      const resolved = path.isAbsolute(firstToken)
-        ? firstToken
-        : path.resolve(resolveBase, firstToken);
-
-      if (!fs.existsSync(resolved)) {
-        removedPaths.push(firstToken);
-        shouldRemove = true;
-        break;
+      const stale = staleHookPath(command, resolveBase);
+      if (stale !== null) {
+        removedPaths.push(stale);
+        return false;
       }
     }
-
-    return !shouldRemove;
+    return true;
   });
-
   return { hooks, removedPaths };
 }
 

package/scripts/cli-feedback.js

@@ -14,7 +14,15 @@
  */
 
 const { captureFeedback } = require('./feedback-loop');
-const { distillFromHistory } = require('./history-distiller');
+const { loadOptionalModule } = require('./private-core-boundary');
+// `history-distiller` is a PRIVATE_CORE_MODULE — present in this checkout and
+// in ThumbGate-Core, but intentionally excluded from the public npm tarball.
+// The hard `require('./history-distiller')` form crashed `hook-auto-capture`
+// in published 1.19.0 with MODULE_NOT_FOUND. Public-shell fallback returns
+// null distillation; caller already handles a null distillResult.
+const { distillFromHistory } = loadOptionalModule('./history-distiller', () => ({
+  distillFromHistory: () => null,
+}));
 const { getRecentLesson, getLessonStats } = require('./lesson-inference');
 
 const G = '\x1b[32m';

package/scripts/feedback-loop.js

@@ -1398,7 +1398,20 @@ function captureFeedback(params) {
   if (feedbackEvent.signal === 'negative') {
     try {
       const autoPromote = require('./auto-promote-gates');
-      autoPromote.promote(FEEDBACK_LOG_PATH);
+      const promoteResult = autoPromote.promote(FEEDBACK_LOG_PATH);
+      // First-rule activation telemetry: anonymous ping the first time
+      // a prevention rule auto-promotes for this install. Idempotent —
+      // see scripts/activation-tracker.js. Critical for activation funnel
+      // analytics; no rule content, just install_id + days_to_first_rule.
+      if (promoteResult && Array.isArray(promoteResult.promotions) && promoteResult.promotions.length > 0) {
+        try {
+          const { recordFirstRulePromotion } = require('./activation-tracker');
+          recordFirstRulePromotion({
+            promotionCount: promoteResult.promotions.length,
+            totalGates: promoteResult.totalGates,
+          });
+        } catch { /* activation telemetry is non-critical */ }
+      }
     } catch { /* Gate promotion is non-critical */ }
   }