thumbgate 1.19.0 → 1.21.0

package/scripts/auto-promote-gates.js

@@ -13,6 +13,22 @@ const WARN_THRESHOLD = 1;
 const BLOCK_THRESHOLD = 3; // 3+ repeated failures hard-block the action
 const WINDOW_DAYS = 30;
 
+// Default TTL on auto-promoted gates. Reddit reviewer @MomSausageandPeppers
+// (2026-05-13) flagged that without expiry, "accidental dislikes become policy
+// forever." Gates expire 90 days after promotion UNLESS they keep firing —
+// every fire refreshes lastFiredAt, and expireGates() keeps any gate fired
+// within the last TTL window regardless of original promotion date. Manual
+// force-promote bypasses TTL (operator says "permanent"). Override via
+// THUMBGATE_RULE_TTL_DAYS env var.
+const DEFAULT_RULE_TTL_DAYS = 90;
+function getRuleTtlDays() {
+  const raw = Number(process.env.THUMBGATE_RULE_TTL_DAYS);
+  return Number.isFinite(raw) && raw > 0 ? raw : DEFAULT_RULE_TTL_DAYS;
+}
+function getRuleTtlMs() {
+  return getRuleTtlDays() * 24 * 60 * 60 * 1000;
+}
+
 const NEG_SIGNALS = new Set(['negative', 'negative_strong', 'down', 'thumbs_down']);
 
 function getFeedbackLogPath() {
@@ -66,15 +82,54 @@ function isNegative(entry) {
   return NEG_SIGNALS.has(sig);
 }
 
+/**
+ * Normalize a captured command/context string so trivial variants collapse
+ * to the same gate signature.
+ *
+ * Reddit critique (MomSausageandPeppers, 2026-05-17): "commands are matched
+ * by string equality, so `rm -rf node_modules` and `rm -rf ./node_modules`
+ * create separate gates."
+ *
+ * Conservative — only collapse variants that are *unambiguously* the same
+ * intent. Does NOT reorder flags, strip `&&` chains, or canonicalize
+ * subcommands (each can change semantics).
+ *
+ *  1. Lowercase
+ *  2. Strip `/Users/<name>` and `/home/<name>` home-dir prefixes (→ `~`)
+ *  3. Drop `:LINE` and `:LINE:COL` refs
+ *  4. Per-token: strip one layer of matching outer quotes/backticks
+ *  5. Per-token: drop leading `./`
+ *  6. Collapse whitespace + trim
+ */
+function normalizeCommandSignature(input) {
+  let text = String(input || '');
+  if (!text) return '';
+  text = text.toLowerCase();
+  text = text.replace(/\/users\/[^\s/]+/g, '~').replace(/\/home\/[^\s/]+/g, '~');
+  text = text.replace(/:\d+(?::\d+)?\b/g, '');
+  const tokens = text.split(/\s+/).filter(Boolean).map((tok) => {
+    let t = tok;
+    if (t.length >= 2) {
+      const first = t[0];
+      const last = t[t.length - 1];
+      if ((first === '"' || first === "'" || first === '`') && first === last) {
+        t = t.slice(1, -1);
+      }
+    }
+    if (t.startsWith('./')) t = t.slice(2);
+    return t;
+  }).filter(Boolean);
+  return tokens.join(' ').trim();
+}
+
 function extractPatternKey(entry) {
   // Use tags as primary grouping key; fall back to context normalization
   const tags = (entry.tags || []).filter((t) => !['feedback', 'negative', 'positive'].includes(t));
   if (tags.length > 0) return tags.sort().join('+');
 
-  const ctx = (entry.context || entry.whatWentWrong || '').toLowerCase().trim();
+  const ctx = (entry.context || entry.whatWentWrong || '').trim();
   if (ctx.length < 10) return null;
-  // Normalize paths and numbers for grouping
-  return ctx.replace(/\/Users\/[^\s/]+/g, '~').replace(/:[0-9]+/g, '').replace(/\s+/g, ' ').slice(0, 100);
+  return normalizeCommandSignature(ctx).slice(0, 100);
 }
 
 function extractDiagnosticKeys(entry) {
@@ -138,19 +193,26 @@ function patternToGateId(key) {
   return 'auto-' + key.replace(/[^a-z0-9]+/gi, '-').replace(/^-|-$/g, '').slice(0, 50).toLowerCase();
 }
 
-function buildGateRule(group) {
-  const action = group.count === 'MANUAL' ? group.manualAction || 'block' : (group.count >= BLOCK_THRESHOLD ? 'block' : 'warn');
-  const severity = action === 'block' ? 'critical' : 'medium';
+function buildGateRule(group, actionOverride) {
+  const action = actionOverride || (group.count === 'MANUAL' ? group.manualAction || 'block' : (group.count >= BLOCK_THRESHOLD ? 'block' : 'warn'));
+  const severity = action === 'block' ? 'critical' : action === 'approve' ? 'high' : 'medium';
   const context = group.latestContext.slice(0, 120);
   const kind = group.key.startsWith('diagnosis:')
     ? 'repeated diagnosis'
     : group.key.startsWith('constraint:')
       ? 'repeated constraint violation'
       : 'repeated pattern';
-  
+
   const occurrencesText = group.count === 'MANUAL' ? 'manual' : `${group.count} occurrences`;
   const suggestedMessage = `Auto-promoted ${kind}: "${context}" (${occurrencesText} in ${WINDOW_DAYS} days)`;
 
+  // TTL: auto-promoted rules expire after the configured window unless
+  // refreshed by a fresh fire. Manual force-promote bypasses TTL — operator
+  // says "permanent" by going through the force path.
+  const nowMs = Date.now();
+  const isManual = group.count === 'MANUAL';
+  const expiresAt = isManual ? null : new Date(nowMs + getRuleTtlMs()).toISOString();
+
   return {
     id: patternToGateId(group.key),
     trigger: `auto:${group.key}`,
@@ -160,10 +222,82 @@ function buildGateRule(group) {
     severity,
     occurrences: group.count,
     promotedAt: new Date().toISOString(),
+    expiresAt,
+    lastFiredAt: null,
     source: group.source || 'auto-promote',
   };
 }
 
+/**
+ * Drop expired gates from the data and return the gates removed.
+ *
+ * A gate is expired when its `expiresAt` is in the past AND its
+ * `lastFiredAt` (if set) is also outside the TTL window — high-signal
+ * gates that keep firing get continuously renewed and never expire.
+ *
+ * `expiresAt: null` is treated as "permanent" (used by force-promote /
+ * legacy gates without TTL data).
+ */
+function expireGates(data, now = Date.now()) {
+  const safeData = data && typeof data === 'object'
+    ? { version: data.version || 1, gates: Array.isArray(data.gates) ? data.gates : [], promotionLog: Array.isArray(data.promotionLog) ? data.promotionLog : [] }
+    : { version: 1, gates: [], promotionLog: [] };
+  const ttlMs = getRuleTtlMs();
+  const kept = [];
+  const expired = [];
+  for (const gate of safeData.gates) {
+    if (!gate || typeof gate !== 'object') continue;
+    // No expiresAt → treat as permanent (manual force-promote, legacy gates).
+    if (gate.expiresAt == null) {
+      kept.push(gate);
+      continue;
+    }
+    const expiresMs = Date.parse(gate.expiresAt);
+    if (!Number.isFinite(expiresMs)) {
+      kept.push(gate);
+      continue;
+    }
+    // If last fire is within TTL window, refresh the gate (extend expiresAt).
+    const lastFiredMs = gate.lastFiredAt ? Date.parse(gate.lastFiredAt) : NaN;
+    if (Number.isFinite(lastFiredMs) && now - lastFiredMs < ttlMs) {
+      kept.push({ ...gate, expiresAt: new Date(lastFiredMs + ttlMs).toISOString() });
+      continue;
+    }
+    if (now < expiresMs) {
+      kept.push(gate);
+    } else {
+      expired.push({ id: gate.id, expiresAt: gate.expiresAt, lastFiredAt: gate.lastFiredAt });
+    }
+  }
+  safeData.gates = kept;
+  if (expired.length > 0) {
+    safeData.promotionLog.push(
+      ...expired.map((e) => ({ type: 'expired', gateId: e.id, expiredAt: e.expiresAt, timestamp: new Date(now).toISOString() }))
+    );
+  }
+  return { data: safeData, expired };
+}
+
+/**
+ * Mark a gate as fired now. Refreshes lastFiredAt AND extends expiresAt by
+ * the full TTL — a gate that keeps catching repeats sharpens, doesn't
+ * decay. Caller passes the gate ID; returns the updated gate (or null).
+ */
+function recordGateFire(data, gateId, now = Date.now()) {
+  if (!data || !Array.isArray(data.gates)) return null;
+  const idx = data.gates.findIndex((g) => g && g.id === gateId);
+  if (idx === -1) return null;
+  const gate = data.gates[idx];
+  const lastFiredAtIso = new Date(now).toISOString();
+  const updated = {
+    ...gate,
+    lastFiredAt: lastFiredAtIso,
+    expiresAt: gate.expiresAt == null ? null : new Date(now + getRuleTtlMs()).toISOString(),
+  };
+  data.gates[idx] = updated;
+  return updated;
+}
+
 function forcePromote(context, action = 'block') {
   if (!context) throw new Error('context is required for force-promote');
   const data = loadAutoGates();
@@ -198,13 +332,20 @@ function forcePromote(context, action = 'block') {
   return { gateId, action, totalGates: data.gates.length };
 }
 
-function promote(feedbackLogPath) {
+function promote(feedbackLogPath, options) {
+  const opts = options || {};
   const logPath = feedbackLogPath || getFeedbackLogPath();
   const entries = readJSONL(logPath);
   const groups = groupNegativeFeedback(entries, WINDOW_DAYS);
-  const data = loadAutoGates();
-  const existingIds = new Set(data.gates.map((g) => g.id));
-  const promotions = [];
+  // Expire stale gates BEFORE running the promotion loop so an expiring
+  // gate that's about to be re-promoted gets a fresh TTL via the normal
+  // path rather than carrying a near-stale expiresAt.
+  const { data: expiredData, expired } = expireGates(loadAutoGates());
+  const data = expiredData;
+  if (expired.length > 0) {
+    saveAutoGates(data);
+  }
+  const promotions = expired.map((e) => ({ type: 'expired', gateId: e.id, expiredAt: e.expiresAt }));
 
   for (const group of Object.values(groups)) {
     if (group.count < WARN_THRESHOLD) continue;
@@ -226,8 +367,8 @@ function promote(feedbackLogPath) {
       continue;
     }
 
-    // New gate
-    const gate = buildGateRule(group);
+    // New gate — respect explicit gateAction override (e.g. 'approve' for human-approval rules)
+    const gate = buildGateRule(group, opts.gateAction);
 
     // Enforce max limit — rotate oldest
     if (data.gates.length >= MAX_AUTO_GATES) {
@@ -298,9 +439,15 @@ module.exports = {
   patternToGateId,
   buildGateRule,
   extractPatternKey,
+  normalizeCommandSignature,
   isNegative,
+  expireGates,
+  recordGateFire,
+  getRuleTtlDays,
+  getRuleTtlMs,
   MAX_AUTO_GATES,
   WARN_THRESHOLD,
   BLOCK_THRESHOLD,
   WINDOW_DAYS,
+  DEFAULT_RULE_TTL_DAYS,
 };

package/scripts/auto-wire-hooks.js

@@ -186,48 +186,69 @@ function hookAlreadyPresent(hookArray, command) {
  *                              (defaults to process.cwd()).
  * @returns {{ hooks: Array, removedPaths: string[] }}
  */
+// Shell-style variable expansion limited to the env vars Claude Code
+// documents for hook commands (CLAUDE_PROJECT_DIR), plus other process env
+// vars. Surrounding ASCII quotes are stripped first so tokens like
+// `"$CLAUDE_PROJECT_DIR"/.claude/hooks/x.sh` resolve correctly.
+function expandShellToken(token, resolveBase) {
+  let s = token;
+  if (s.startsWith('"') && s.includes('"', 1)) {
+    s = s.slice(1, s.indexOf('"', 1)) + s.slice(s.indexOf('"', 1) + 1);
+  } else if (s.startsWith("'") && s.includes("'", 1)) {
+    s = s.slice(1, s.indexOf("'", 1)) + s.slice(s.indexOf("'", 1) + 1);
+  }
+  const lookup = (name) => (name === 'CLAUDE_PROJECT_DIR'
+    ? process.env.CLAUDE_PROJECT_DIR || resolveBase
+    : process.env[name]);
+  s = s.replace(/\$\{([A-Za-z_]\w*)\}/g, (_, n) => {
+    const v = lookup(n);
+    return v == null ? `\${${n}}` : v;
+  });
+  s = s.replace(/\$([A-Za-z_]\w*)/g, (_, n) => {
+    const v = lookup(n);
+    return v == null ? `$${n}` : v;
+  });
+  return s;
+}
+
+// Returns the raw (unexpanded) script-path token if the command points at a
+// missing script file, else null. Anything that doesn't look like a file
+// reference, or contains unresolved $VAR after expansion, returns null —
+// caller treats null as "keep the hook" (err on the side of NOT pruning).
+function staleHookPath(command, resolveBase) {
+  if (!command) return null;
+  const rawFirstToken = command.split(/\s+/)[0];
+  const firstToken = expandShellToken(rawFirstToken, resolveBase);
+  const looksLikePath =
+    firstToken.includes('/') ||
+    firstToken.includes('\\') ||
+    firstToken.endsWith('.sh');
+  if (!looksLikePath) return null;
+  if (firstToken.includes('$')) return null;
+  const resolved = path.isAbsolute(firstToken)
+    ? firstToken
+    : path.resolve(resolveBase, firstToken);
+  return fs.existsSync(resolved) ? null : rawFirstToken;
+}
+
 function pruneStaleFileHooks(hookArray, baseDir) {
   if (!Array.isArray(hookArray)) {
     return { hooks: [], removedPaths: [] };
   }
-
   const resolveBase = baseDir || process.cwd();
   const removedPaths = [];
-
   const hooks = hookArray.filter((entry) => {
     const entryHooks = Array.isArray(entry && entry.hooks) ? entry.hooks : [];
-    let shouldRemove = false;
-
     for (const hook of entryHooks) {
       const command = hook && typeof hook.command === 'string' ? hook.command : '';
-      if (!command) continue;
-
-      // Extract the first token as the potential script path.
-      const firstToken = command.split(/\s+/)[0];
-
-      // Only treat it as a file reference if it looks like a path.
-      const looksLikePath =
-        firstToken.includes('/') ||
-        firstToken.includes('\\') ||
-        firstToken.endsWith('.sh');
-
-      if (!looksLikePath) continue;
-
-      // Resolve the path (absolute or relative to baseDir).
-      const resolved = path.isAbsolute(firstToken)
-        ? firstToken
-        : path.resolve(resolveBase, firstToken);
-
-      if (!fs.existsSync(resolved)) {
-        removedPaths.push(firstToken);
-        shouldRemove = true;
-        break;
+      const stale = staleHookPath(command, resolveBase);
+      if (stale !== null) {
+        removedPaths.push(stale);
+        return false;
       }
     }
-
-    return !shouldRemove;
+    return true;
   });
-
   return { hooks, removedPaths };
 }
 

package/scripts/billing.js

@@ -444,6 +444,57 @@ function buildCheckoutProductData({ name, description, appOrigin, planId }) {
   };
 }
 
+/**
+ * Verify an ACTIVE Stripe product exists for the given plan name before
+ * we let buildSubscriptionPriceData create inline price_data under it.
+ *
+ * Stripe matches product_data by `name`. If only an archived product
+ * matches, new prices created via that path inherit active=false and the
+ * generated checkout URL renders "Something went wrong / The page you
+ * were looking for could not be found." for the buyer. Stripe Dashboard
+ * shows the session as `open` with no email captured — looks like the
+ * buyer abandoned, but they were never given a working page.
+ *
+ * Failing here surfaces the misconfiguration at the first checkout
+ * attempt instead of silently breaking every buyer for days.
+ *
+ * Verified incident: ThumbGate#2188 (May 2026) — 20 sessions abandoned in
+ * 7 days, all because the only product named "ThumbGate Pro" matching the
+ * inline product_data was archived (prod_UXxOHAfbDsPyRb), while an active
+ * product with the same name existed (prod_UW82THPxfNvwKT) that should
+ * have been used instead.
+ */
+async function verifyActiveProductForPlan(stripe, planId) {
+  const expectedName = planId === 'team' ? 'ThumbGate Team' : 'ThumbGate Pro';
+  let products;
+  try {
+    products = await stripe.products.list({ limit: 100 });
+  } catch (err) {
+    // Network/transient failures shouldn't block checkout creation.
+    // The original session.create call will surface real Stripe errors.
+    return;
+  }
+  const matching = (products && products.data ? products.data : [])
+    .filter((p) => p && p.name === expectedName);
+  if (matching.length === 0) {
+    // No product with this name exists; Stripe will create a new one when
+    // session.create fires with inline product_data. Safe path.
+    return;
+  }
+  const active = matching.find((p) => p.active === true);
+  if (!active) {
+    const archived = matching[0];
+    throw new Error(
+      `Refusing to create checkout session: Stripe product named "${expectedName}" ` +
+      `exists only in archived state (id=${archived.id}, active=false). New prices ` +
+      `created via inline product_data would inherit active=false, rendering ` +
+      `"page not found" on Stripe checkout for every buyer. Fix: reactivate the ` +
+      `archived product in Stripe Dashboard, or rename the active product to ` +
+      `match "${expectedName}". See ThumbGate#2188 for the May 2026 incident.`
+    );
+  }
+}
+
 function buildSubscriptionPriceData(checkoutSelection, appOrigin) {
   const isTeam = checkoutSelection.planId === 'team';
   const annual = checkoutSelection.billingCycle === 'annual';
@@ -2525,6 +2576,18 @@ async function createCheckoutSession({ successUrl, cancelUrl, customerEmail, ins
   }
 
   const stripe = getStripeClient();
+
+  // Defensive guard against ThumbGate#2188:
+  // When buildSubscriptionPriceData passes inline `product_data` to Stripe,
+  // Stripe name-matches existing products. If the only existing product with
+  // that name is ARCHIVED (active=false), the new price inherits active=false
+  // and every Stripe checkout page renders "page not found" for the buyer.
+  // That bug burnt 20+ silent abandoned sessions in May 2026. Fail fast
+  // instead of letting the broken page ship.
+  if (!packId) {
+    await verifyActiveProductForPlan(stripe, checkoutSelection.planId);
+  }
+
   const sessionPayload = buildCheckoutSessionPayload({
     successUrl,
     cancelUrl,
@@ -3127,6 +3190,7 @@ module.exports = {
   _buildTrialActivationEmail: buildTrialActivationEmail,
   _sendTrialActivationEmail: sendTrialActivationEmail,
   _resolveSubscriptionCheckoutSelection: resolveSubscriptionCheckoutSelection,
+  _verifyActiveProductForPlan: verifyActiveProductForPlan,
   _API_KEYS_PATH: () => CONFIG.API_KEYS_PATH,
   _FUNNEL_LEDGER_PATH: () => CONFIG.FUNNEL_LEDGER_PATH,
   _REVENUE_LEDGER_PATH: () => CONFIG.REVENUE_LEDGER_PATH,

package/scripts/cli-feedback.js

@@ -14,7 +14,15 @@
  */
 
 const { captureFeedback } = require('./feedback-loop');
-const { distillFromHistory } = require('./history-distiller');
+const { loadOptionalModule } = require('./private-core-boundary');
+// `history-distiller` is a PRIVATE_CORE_MODULE — present in this checkout and
+// in ThumbGate-Core, but intentionally excluded from the public npm tarball.
+// The hard `require('./history-distiller')` form crashed `hook-auto-capture`
+// in published 1.19.0 with MODULE_NOT_FOUND. Public-shell fallback returns
+// null distillation; caller already handles a null distillResult.
+const { distillFromHistory } = loadOptionalModule('./history-distiller', () => ({
+  distillFromHistory: () => null,
+}));
 const { getRecentLesson, getLessonStats } = require('./lesson-inference');
 
 const G = '\x1b[32m';

package/scripts/context-manager.js

@@ -111,13 +111,41 @@ function assembleGuards(toolName, toolInput) {
   }
 }
 
-function assembleContextPack(query, agentProfile) {
+function assembleContextPack(query, agentProfile, options = {}) {
+  const { guards } = options;
   try {
     ensureContextFs();
+
+    // 1. Proactive Governance: Filter what the agent sees based on prevention rules
+    let structuredQuery = query;
+    if (guards && guards.mode === 'block') {
+      structuredQuery = `${query} (Active Block Policy: ${guards.reason})`;
+    }
+
+    // 2. Elevate Thompson Sampling to Architecture Level
+    let strategy = null;
+    try {
+      const ts = require('./thompson-sampling');
+      const model = ts.loadModel();
+      const bestCategory = ts.argmaxPosteriors(model);
+      
+      // Route between context-building strategies based on TS posterior mean
+      if (bestCategory === 'architecture' || bestCategory === 'infra') {
+        strategy = 'hierarchical';
+      } else if (bestCategory === 'observability' || bestCategory === 'debugging') {
+        strategy = 'summarize-then-expand';
+      } else {
+        strategy = 'semantic';
+      }
+    } catch (e) {
+      // Fallback to default routing
+    }
+
     return constructContextPack({
-      query,
+      query: structuredQuery,
       maxItems: Math.min(8, Math.ceil(agentProfile.contextBudget / 1000)),
       maxChars: agentProfile.contextBudget,
+      strategy
     });
   } catch {
     return null;
@@ -228,6 +256,12 @@ function assembleUnifiedContext(params = {}) {
       })),
       visibility: contextPack.visibility || null,
       cached: !!(contextPack.cache && contextPack.cache.hit),
+      layers: {
+        localState: session || null,
+        graphState: codeGraph || null,
+        policyState: guards || null,
+        sessionState: contextPack.items ? contextPack.items.filter(i => i.namespace === 'session') : []
+      }
     } : null,
     codeGraph: codeGraph || null,
     assembledAt: new Date().toISOString(),
@@ -306,6 +340,12 @@ function formatUnifiedContext(ctx) {
 
   // Context pack
   if (ctx.contextPack) {
+    lines.push(`### Context Architecture Layers`);
+    lines.push(`- Local State: ${ctx.contextPack.layers.localState ? 'Active' : 'Empty'}`);
+    lines.push(`- Graph State: ${ctx.contextPack.layers.graphState ? 'Active' : 'Empty'}`);
+    lines.push(`- Policy State: ${ctx.contextPack.layers.policyState ? ctx.contextPack.layers.policyState.mode : 'Empty'}`);
+    lines.push(`- Session State: ${ctx.contextPack.layers.sessionState.length} items`);
+    lines.push('');
     lines.push(`### Context Pack (${ctx.contextPack.itemCount} items)`);
     ctx.contextPack.items.forEach((item) => {
       lines.push(`- [${item.namespace}] ${item.title} (score: ${item.score})`);

package/scripts/feedback-loop.js

@@ -1059,6 +1059,7 @@ function captureFeedback(params) {
         : null),
     structuredRule: structuredRule || null,
     ...(reflection && { reflection }),
+    gateAction: params.gateAction || null,
     timestamp: now,
   };
 
@@ -1398,7 +1399,7 @@ function captureFeedback(params) {
   if (feedbackEvent.signal === 'negative') {
     try {
       const autoPromote = require('./auto-promote-gates');
-      const promoteResult = autoPromote.promote(FEEDBACK_LOG_PATH);
+      const promoteResult = autoPromote.promote(FEEDBACK_LOG_PATH, { gateAction: feedbackEvent.gateAction });
       // First-rule activation telemetry: anonymous ping the first time
       // a prevention rule auto-promotes for this install. Idempotent —
       // see scripts/activation-tracker.js. Critical for activation funnel