thumbgate 1.2.0 → 1.4.0

package/scripts/content-engine/output/linkedin-posts-2026-04-09.md

@@ -0,0 +1,175 @@
+# LinkedIn Content: ThumbGate Gates (2026-04-09)
+
+Generated from: `config/gates/default.json`
+Gate count in config: 25
+Posts generated: 7
+
+---
+
+## Post 1: Local Only Git Writes
+
+🚨 Your AI agents are running without guardrails.
+
+Blocks git writes when local-only mode is active, preventing accidental remote pushes during development.
+
+The problem? AI agents run autonomously. A single unchecked operation—a force-push, an unapproved deploy, a dependency injection—can unwind days of work in seconds. Traditional CI won't catch it. Your human reviewer might miss it.
+
+The solution? **Gate `local-only-git-writes`** in ThumbGate stops high-risk operations *before* they execute. No second chances. Just prevention.
+
+This isn't about slowing down. It's about building trust in autonomous systems. Every gate is a rule learned from real failures.
+
+🔒 Install ThumbGate today:
+```bash
+npx thumbgate@latest init
+```
+
+Then add this gate to your config and sleep better.
+
+#AIGovernance #DevTools #AgentSafety #EngineeringTeams
+
+---
+
+
+## Post 2: Gh Pr Create Restricted
+
+⚠️ One missing gate. One catastrophic mistake.
+
+Restricts PR creation to explicitly approved workflows, preventing unvetted code changes.
+
+The problem? AI agents run autonomously. A single unchecked operation—a force-push, an unapproved deploy, a dependency injection—can unwind days of work in seconds. Traditional CI won't catch it. Your human reviewer might miss it.
+
+The solution? **Gate `gh-pr-create-restricted`** in ThumbGate stops high-risk operations *before* they execute. No second chances. Just prevention.
+
+This isn't about slowing down. It's about building trust in autonomous systems. Every gate is a rule learned from real failures.
+
+🔒 Install ThumbGate today:
+```bash
+npx thumbgate@latest init
+```
+
+Then add this gate to your config and sleep better.
+
+#AIGovernance #DevTools #AgentSafety #EngineeringTeams
+
+---
+
+
+## Post 3: Env File Edit
+
+🛡️ Even the best engineers miss edge cases.
+
+Warns when editing .env files—catches accidental token deletion.
+
+The problem? AI agents run autonomously. A single unchecked operation—a force-push, an unapproved deploy, a dependency injection—can unwind days of work in seconds. Traditional CI won't catch it. Your human reviewer might miss it.
+
+The solution? **Gate `env-file-edit`** in ThumbGate stops high-risk operations *before* they execute. No second chances. Just prevention.
+
+This isn't about slowing down. It's about building trust in autonomous systems. Every gate is a rule learned from real failures.
+
+🔒 Install ThumbGate today:
+```bash
+npx thumbgate@latest init
+```
+
+Then add this gate to your config and sleep better.
+
+#AIGovernance #DevTools #AgentSafety #EngineeringTeams
+
+---
+
+
+## Post 4: Style Violation Log
+
+💥 Your deployment pipeline has a blind spot.
+
+Protects your workflow by style audit mode active. action recorded for review but allowed to proceed.
+
+The problem? AI agents run autonomously. A single unchecked operation—a force-push, an unapproved deploy, a dependency injection—can unwind days of work in seconds. Traditional CI won't catch it. Your human reviewer might miss it.
+
+The solution? **Gate `style-violation-log`** in ThumbGate stops high-risk operations *before* they execute. No second chances. Just prevention.
+
+This isn't about slowing down. It's about building trust in autonomous systems. Every gate is a rule learned from real failures.
+
+🔒 Install ThumbGate today:
+```bash
+npx thumbgate@latest init
+```
+
+Then add this gate to your config and sleep better.
+
+#AIGovernance #DevTools #AgentSafety #EngineeringTeams
+
+---
+
+
+## Post 5: Loop Abuse Prevention
+
+🔓 Git operations—unguarded by default.
+
+Protects your workflow by high-risk command detected inside a loop. scheduled tasks must not perform egress or destructive writes without explicit approval.
+
+The problem? AI agents run autonomously. A single unchecked operation—a force-push, an unapproved deploy, a dependency injection—can unwind days of work in seconds. Traditional CI won't catch it. Your human reviewer might miss it.
+
+The solution? **Gate `loop-abuse-prevention`** in ThumbGate stops high-risk operations *before* they execute. No second chances. Just prevention.
+
+This isn't about slowing down. It's about building trust in autonomous systems. Every gate is a rule learned from real failures.
+
+🔒 Install ThumbGate today:
+```bash
+npx thumbgate@latest init
+```
+
+Then add this gate to your config and sleep better.
+
+#AIGovernance #DevTools #AgentSafety #EngineeringTeams
+
+---
+
+
+## Post 6: Release Readiness Required
+
+🎯 Prevention beats firefighting.
+
+Ensures releases only happen from releasable mainline commits with version alignment.
+
+The problem? AI agents run autonomously. A single unchecked operation—a force-push, an unapproved deploy, a dependency injection—can unwind days of work in seconds. Traditional CI won't catch it. Your human reviewer might miss it.
+
+The solution? **Gate `release-readiness-required`** in ThumbGate stops high-risk operations *before* they execute. No second chances. Just prevention.
+
+This isn't about slowing down. It's about building trust in autonomous systems. Every gate is a rule learned from real failures.
+
+🔒 Install ThumbGate today:
+```bash
+npx thumbgate@latest init
+```
+
+Then add this gate to your config and sleep better.
+
+#AIGovernance #DevTools #AgentSafety #EngineeringTeams
+
+---
+
+
+## Post 7: Protected Branch Push
+
+⏱️ How fast can your agent destroy a month of work?
+
+Prevents direct pushes to main/develop. All changes flow through PR review.
+
+The problem? AI agents run autonomously. A single unchecked operation—a force-push, an unapproved deploy, a dependency injection—can unwind days of work in seconds. Traditional CI won't catch it. Your human reviewer might miss it.
+
+The solution? **Gate `protected-branch-push`** in ThumbGate stops high-risk operations *before* they execute. No second chances. Just prevention.
+
+This isn't about slowing down. It's about building trust in autonomous systems. Every gate is a rule learned from real failures.
+
+🔒 Install ThumbGate today:
+```bash
+npx thumbgate@latest init
+```
+
+Then add this gate to your config and sleep better.
+
+#AIGovernance #DevTools #AgentSafety #EngineeringTeams
+
+---
+

package/scripts/content-engine/reddit-thread-finder.js

@@ -0,0 +1,154 @@
+#!/usr/bin/env node
+/**
+ * Reddit Thread Finder for ThumbGate Engagement
+ *
+ * Add to package.json:
+ *   "content:reddit": "node scripts/content-engine/reddit-thread-finder.js"
+ *   "content:reddit:dry": "node scripts/content-engine/reddit-thread-finder.js --dry-run"
+ *   "content:reddit:limit": "node scripts/content-engine/reddit-thread-finder.js --limit 20"
+ */
+
+const https = require('https');
+const fs = require('fs');
+const path = require('path');
+
+const SUBREDDITS = [
+  'ChatGPTCoding', 'ClaudeAI', 'cursor', 'devops',
+  'SoftwareEngineering', 'ExperiencedDevs', 'MachineLearning', 'LocalLLaMA'
+];
+
+const KEYWORDS = [
+  'agent broke', 'agent deleted', 'force push', 'prevent AI from',
+  'guardrails', 'agent governance', 'coding agent mistakes'
+];
+
+const USER_AGENT = 'script:thumbgate-content:v1.0';
+const DELAY = 2000; // ms between requests
+const DEFAULT_LIMIT = 10;
+
+let dryRun = false;
+let outputLimit = DEFAULT_LIMIT;
+
+process.argv.slice(2).forEach(arg => {
+  if (arg === '--dry-run') dryRun = true;
+  if (arg.startsWith('--limit')) outputLimit = parseInt(arg.split('=')[1] || arg.split(' ')[1], 10);
+});
+
+function fetchReddit(url) {
+  return new Promise((resolve, reject) => {
+    const req = https.get(url, { headers: { 'User-Agent': USER_AGENT } }, res => {
+      let data = '';
+      res.on('data', chunk => data += chunk);
+      res.on('end', () => {
+        try {
+          resolve(JSON.parse(data));
+        } catch (e) {
+          reject(e);
+        }
+      });
+    });
+    req.on('error', reject);
+  });
+}
+
+async function searchSubreddit(sub, keyword) {
+  const url = `https://www.reddit.com/r/${sub}/search.json?q=${encodeURIComponent(keyword)}&sort=new&t=week&limit=5`;
+  try {
+    const data = await fetchReddit(url);
+    return (data.data?.children || []).map(post => ({
+      id: post.data.id,
+      title: post.data.title,
+      url: `https://reddit.com${post.data.permalink}`,
+      subreddit: post.data.subreddit,
+      score: post.data.score,
+      numComments: post.data.num_comments,
+      created: post.data.created_utc,
+      selftext: post.data.selftext
+    }));
+  } catch (err) {
+    console.error(`Error searching ${sub} for "${keyword}": ${err.message}`);
+    return [];
+  }
+}
+
+function scoreThread(thread) {
+  const now = Math.floor(Date.now() / 1000);
+  const ageHours = (now - thread.created) / 3600;
+  const recencyScore = Math.max(0, 1 - ageHours / 168); // 0-1 over a week
+  const upvoteScore = Math.log(Math.max(1, thread.score)) / Math.log(100);
+  const commentScore = Math.log(Math.max(1, thread.numComments)) / Math.log(100);
+
+  return (recencyScore * 0.5) + (upvoteScore * 0.3) + (commentScore * 0.2);
+}
+
+function generateReply(thread) {
+  const context = thread.selftext.substring(0, 200);
+  return `
+**ThumbGate can help prevent this.** Our pre-action gates catch agent mistakes before they happen:
+- Stop force pushes on protected branches
+- Prevent deletions of critical files
+- Verify AI actions before execution
+- Capture lessons from failures to block similar mistakes
+
+Learn more: https://thumbgate-production.up.railway.app/dashboard
+`;
+}
+
+async function main() {
+  console.log(`[${new Date().toISOString()}] Starting Reddit thread finder...`);
+
+  const threads = {};
+  let requestCount = 0;
+
+  for (const sub of SUBREDDITS) {
+    for (const keyword of KEYWORDS) {
+      if (requestCount > 0) await new Promise(r => setTimeout(r, DELAY));
+
+      console.log(`  Searching r/${sub} for "${keyword}"...`);
+      const results = await searchSubreddit(sub, keyword);
+
+      results.forEach(thread => {
+        if (!threads[thread.id]) {
+          threads[thread.id] = thread;
+        }
+      });
+      requestCount++;
+    }
+  }
+
+  const sorted = Object.values(threads)
+    .sort((a, b) => scoreThread(b) - scoreThread(a))
+    .slice(0, outputLimit);
+
+  const date = new Date().toISOString().split('T')[0];
+  const outputDir = path.join(__dirname, 'output');
+
+  if (!fs.existsSync(outputDir)) {
+    fs.mkdirSync(outputDir, { recursive: true });
+  }
+
+  let markdown = `# Reddit Threads - ${date}\n\nFound ${sorted.length} high-relevance threads.\n\n`;
+
+  sorted.forEach((thread, idx) => {
+    const score = scoreThread(thread);
+    markdown += `## ${idx + 1}. ${thread.title}\n`;
+    markdown += `**r/${thread.subreddit}** | [Link](${thread.url}) | Score: ${thread.score} | Comments: ${thread.numComments}\n`;
+    markdown += `**Relevance Score:** ${score.toFixed(2)}\n\n`;
+
+    if (!dryRun) {
+      markdown += `**Suggested Reply:**\n${generateReply(thread)}\n\n`;
+    }
+    markdown += '---\n\n';
+  });
+
+  const outputFile = path.join(outputDir, `reddit-threads-${date}.md`);
+  fs.writeFileSync(outputFile, markdown);
+
+  console.log(`\n✅ Generated ${sorted.length} threads to ${outputFile}`);
+  if (dryRun) console.log('   (--dry-run: no reply suggestions included)');
+}
+
+main().catch(err => {
+  console.error('❌ Fatal error:', err.message);
+  process.exit(1);
+});

package/scripts/context-engine.js

@@ -20,6 +20,7 @@ const fs = require('fs');
 const path = require('path');
 const crypto = require('crypto');
 const { constructContextPack } = require('./contextfs');
+const { ensureDir } = require('./fs-utils');
 
 // ---------------------------------------------------------------------------
 // Default paths
@@ -75,11 +76,6 @@ const TOOL_CONSOLIDATION = {
 // Utility: ensure directory exists
 // ---------------------------------------------------------------------------
 
-function ensureDir(dirPath) {
-  if (!fs.existsSync(dirPath)) {
-    fs.mkdirSync(dirPath, { recursive: true });
-  }
-}
 
 // ---------------------------------------------------------------------------
 // Knowledge Bundle Builder
@@ -649,10 +645,29 @@ function compactContext(entries, anchors, opts) {
     return true;
   });
 
+  // Stage 6: Global token budget — drop entries (oldest first) until total chars fit
+  let finalStage = 5;
+  const totalMaxChars = typeof options.totalMaxChars === 'number' ? options.totalMaxChars : null;
+  if (totalMaxChars !== null) {
+    let budget = totalMaxChars;
+    const budgeted = [];
+    // Iterate newest-first so most recent entries are preserved
+    for (let i = working.length - 1; i >= 0; i--) {
+      const entrySize = JSON.stringify(working[i]).length;
+      if (budget - entrySize < 0) break;
+      budget -= entrySize;
+      budgeted.unshift(working[i]);
+    }
+    if (budgeted.length < working.length) {
+      working = budgeted;
+      finalStage = 6;
+    }
+  }
+
   const removedCount = initial - working.length;
   return {
     entries: [...anchorEntries, ...working],
-    stage: 5,
+    stage: finalStage,
     removedCount,
     compacted: removedCount > 0,
   };

package/scripts/contextfs.js

@@ -12,6 +12,7 @@ const fs = require('fs');
 const path = require('path');
 const crypto = require('crypto');
 const { resolveFeedbackDir } = require('./feedback-paths');
+const { ensureDir, readJsonl } = require('./fs-utils');
 const {
   retrieveHierarchicalDocuments,
   shouldUseHierarchicalRetrieval,
@@ -23,9 +24,15 @@ function getFeedbackBaseDir() {
   return resolveFeedbackDir();
 }
 
-const FEEDBACK_DIR = getFeedbackBaseDir();
-const CONTEXTFS_ROOT = process.env.THUMBGATE_CONTEXTFS_DIR
-  || (FEEDBACK_DIR.endsWith('contextfs') ? FEEDBACK_DIR : path.join(FEEDBACK_DIR, 'contextfs'));
+function getContextFsRoot() {
+  const feedbackDir = getFeedbackBaseDir();
+  if (process.env.THUMBGATE_CONTEXTFS_DIR) return process.env.THUMBGATE_CONTEXTFS_DIR;
+  return feedbackDir.endsWith('contextfs') ? feedbackDir : path.join(feedbackDir, 'contextfs');
+}
+
+function contextFsPath(...segments) {
+  return path.join(getContextFsRoot(), ...segments);
+}
 
 const NAMESPACES = {
   rawHistory: 'raw_history',
@@ -93,15 +100,10 @@ const PACK_TEMPLATES = {
   },
 };
 
-function ensureDir(dirPath) {
-  if (!fs.existsSync(dirPath)) {
-    fs.mkdirSync(dirPath, { recursive: true });
-  }
-}
 
 function ensureContextFs() {
   Object.values(NAMESPACES).forEach((subPath) => {
-    ensureDir(path.join(CONTEXTFS_ROOT, subPath));
+    ensureDir(contextFsPath(subPath));
   });
 }
 
@@ -111,7 +113,7 @@ function nowIso() {
 
 function inferNamespaceFromPath(filePath) {
   if (!filePath) return '';
-  const relativeDir = path.relative(CONTEXTFS_ROOT, path.dirname(filePath));
+  const relativeDir = path.relative(getContextFsRoot(), path.dirname(filePath));
   if (!relativeDir || relativeDir.startsWith('..')) return '';
   return relativeDir;
 }
@@ -134,22 +136,6 @@ function appendJsonl(filePath, payload) {
   fs.appendFileSync(filePath, `${JSON.stringify(payload)}\n`);
 }
 
-function readJsonl(filePath) {
-  if (!fs.existsSync(filePath)) return [];
-  const raw = fs.readFileSync(filePath, 'utf-8').trim();
-  if (!raw) return [];
-  return raw
-    .split('\n')
-    .map((line) => {
-      try {
-        return JSON.parse(line);
-      } catch {
-        return null;
-      }
-    })
-    .filter(Boolean);
-}
-
 function listJsonFiles(dirPath) {
   if (!fs.existsSync(dirPath)) return [];
   const files = fs.readdirSync(dirPath, { withFileTypes: true });
@@ -211,7 +197,7 @@ function getSemanticCacheConfig() {
 }
 
 function getSemanticCachePath() {
-  return path.join(CONTEXTFS_ROOT, NAMESPACES.provenance, 'semantic-cache.jsonl');
+  return contextFsPath(NAMESPACES.provenance, 'semantic-cache.jsonl');
 }
 
 function loadSemanticCacheEntries() {
@@ -227,7 +213,7 @@ function getSourceHash(namespaces) {
   const normalizedNamespaces = normalizeNamespaces(namespaces);
 
   for (const ns of normalizedNamespaces) {
-    const dirPath = path.join(CONTEXTFS_ROOT, ns);
+    const dirPath = contextFsPath(ns);
     if (!fs.existsSync(dirPath)) continue;
 
     const files = fs.readdirSync(dirPath).sort();
@@ -291,7 +277,7 @@ function recordProvenance(event) {
     timestamp: nowIso(),
     ...event,
   };
-  appendJsonl(path.join(CONTEXTFS_ROOT, NAMESPACES.provenance, 'events.jsonl'), payload);
+  appendJsonl(contextFsPath(NAMESPACES.provenance, 'events.jsonl'), payload);
   return payload;
 }
 
@@ -299,7 +285,7 @@ function writeContextObject({ namespace, title, content, tags = [], source, ttl
   ensureContextFs();
 
   const id = `${Date.now()}_${toSlug(title)}`;
-  const filePath = path.join(CONTEXTFS_ROOT, namespace, `${id}.json`);
+  const filePath = contextFsPath(namespace, `${id}.json`);
 
   const doc = {
     id,
@@ -361,7 +347,7 @@ function findExistingContextObject({ namespace, title, content, tags = [], sourc
   ensureContextFs();
 
   const expectedTags = normalizeTagList(tags);
-  const dirPath = path.join(CONTEXTFS_ROOT, namespace);
+  const dirPath = contextFsPath(namespace);
   const files = listJsonFiles(dirPath).sort();
 
   for (const filePath of files) {
@@ -507,7 +493,7 @@ function loadCandidates(namespaces) {
   const docs = [];
 
   selected.forEach((namespace) => {
-    const dir = path.join(CONTEXTFS_ROOT, namespace);
+    const dir = contextFsPath(namespace);
     const files = listJsonFiles(dir);
     files.forEach((filePath) => {
       try {
@@ -624,7 +610,7 @@ function selectFlatContextItems(candidates, maxItems, maxChars) {
 const MEMEX_INDEX_FILE = 'memex-index.jsonl';
 
 function getMemexIndexPath() {
-  return path.join(CONTEXTFS_ROOT, NAMESPACES.provenance, MEMEX_INDEX_FILE);
+  return contextFsPath(NAMESPACES.provenance, MEMEX_INDEX_FILE);
 }
 
 function buildIndexEntry(doc, filePath) {
@@ -751,7 +737,7 @@ function constructMemexPack({ query = '', maxItems = 8, maxChars = 6000, namespa
     cache: { hit: false },
   };
 
-  appendJsonl(path.join(CONTEXTFS_ROOT, NAMESPACES.provenance, 'packs.jsonl'), pack);
+  appendJsonl(contextFsPath(NAMESPACES.provenance, 'packs.jsonl'), pack);
   recordProvenance({
     type: 'memex_pack_constructed',
     packId,
@@ -792,7 +778,7 @@ function constructContextPack({ query = '', maxItems = 8, maxChars = 6000, names
       },
     };
 
-    appendJsonl(path.join(CONTEXTFS_ROOT, NAMESPACES.provenance, 'packs.jsonl'), pack);
+    appendJsonl(contextFsPath(NAMESPACES.provenance, 'packs.jsonl'), pack);
     recordProvenance({
       type: 'context_pack_cache_hit',
       packId,
@@ -861,7 +847,7 @@ function constructContextPack({ query = '', maxItems = 8, maxChars = 6000, names
     retrieval: selection.retrieval,
   };
 
-  appendJsonl(path.join(CONTEXTFS_ROOT, NAMESPACES.provenance, 'packs.jsonl'), pack);
+  appendJsonl(contextFsPath(NAMESPACES.provenance, 'packs.jsonl'), pack);
   appendSemanticCacheEntry({
     id: `cache_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
     timestamp: nowIso(),
@@ -899,7 +885,7 @@ function evaluateContextPack({ packId, outcome, signal = null, notes = '', rubri
     timestamp: nowIso(),
   };
 
-  appendJsonl(path.join(CONTEXTFS_ROOT, NAMESPACES.provenance, 'evaluations.jsonl'), evaluation);
+  appendJsonl(contextFsPath(NAMESPACES.provenance, 'evaluations.jsonl'), evaluation);
   recordProvenance({
     type: 'context_pack_evaluated',
     packId,
@@ -912,7 +898,7 @@ function evaluateContextPack({ packId, outcome, signal = null, notes = '', rubri
 }
 
 function getProvenance(limit = 50) {
-  const eventsPath = path.join(CONTEXTFS_ROOT, NAMESPACES.provenance, 'events.jsonl');
+  const eventsPath = contextFsPath(NAMESPACES.provenance, 'events.jsonl');
   const events = readJsonl(eventsPath);
   return events.slice(-limit);
 }
@@ -923,7 +909,7 @@ function getProvenance(limit = 50) {
  * session starts with full context — no manual primer.md needed.
  */
 function writeSessionHandoff({ project, branch, lastTask, nextStep, blockers, openFiles, customContext } = {}) {
-  ensureDir(path.join(CONTEXTFS_ROOT, NAMESPACES.session));
+  ensureDir(contextFsPath(NAMESPACES.session));
 
   let gitContext = {};
   try {
@@ -951,7 +937,7 @@ function writeSessionHandoff({ project, branch, lastTask, nextStep, blockers, op
     customContext: customContext || null,
   };
 
-  const primerPath = path.join(CONTEXTFS_ROOT, NAMESPACES.session, 'primer.json');
+  const primerPath = contextFsPath(NAMESPACES.session, 'primer.json');
   fs.writeFileSync(primerPath, JSON.stringify(primer, null, 2));
 
   // Sync to primer.md if it exists
@@ -991,7 +977,7 @@ function writeSessionHandoff({ project, branch, lastTask, nextStep, blockers, op
  * Read the most recent session handoff primer.
  */
 function readSessionHandoff() {
-  const primerPath = path.join(CONTEXTFS_ROOT, NAMESPACES.session, 'primer.json');
+  const primerPath = contextFsPath(NAMESPACES.session, 'primer.json');
   if (!fs.existsSync(primerPath)) return null;
   try {
     return JSON.parse(fs.readFileSync(primerPath, 'utf8'));
@@ -1192,7 +1178,7 @@ function constructMultiHopPack({ query = '', maxItems = 8, maxChars = 6000, name
     },
   };
 
-  appendJsonl(path.join(CONTEXTFS_ROOT, NAMESPACES.provenance, 'packs.jsonl'), pack);
+  appendJsonl(contextFsPath(NAMESPACES.provenance, 'packs.jsonl'), pack);
   appendSemanticCacheEntry({
     id: `cache_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
     timestamp: nowIso(),
@@ -1244,7 +1230,10 @@ function listPackTemplates() {
 }
 
 module.exports = {
-  CONTEXTFS_ROOT,
+  get CONTEXTFS_ROOT() {
+    return getContextFsRoot();
+  },
+  getContextFsRoot,
   NAMESPACES,
   ensureContextFs,
   recordProvenance,
@@ -1283,5 +1272,5 @@ module.exports = {
 
 if (require.main === module) {
   ensureContextFs();
-  console.log(`ContextFS ready at ${CONTEXTFS_ROOT}`);
+  console.log(`ContextFS ready at ${getContextFsRoot()}`);
 }