thumbgate 1.20.0 → 1.21.1

package/scripts/gates-engine.js

@@ -1485,9 +1485,17 @@ async function evaluateGatesAsync(toolName, toolInput, configPath) {
     }
 
     if (gate.action === 'approve') {
-      recordStat(gate.id, 'approve', gate);
-      const result = { decision: 'approve', gate: gate.id, message, severity: gate.severity, reasoning, requiresApproval: true };
-      const auditRecord = recordAuditEvent({ toolName, toolInput, decision: 'approve', gateId: gate.id, message, severity: gate.severity, source: 'gates-engine' });
+      const approvalEnabled = process.env.THUMBGATE_APPROVAL_GATES !== '0';
+      if (approvalEnabled) {
+        recordStat(gate.id, 'approve', gate);
+        const result = { decision: 'approve', gate: gate.id, message, severity: gate.severity, reasoning, requiresApproval: true };
+        const auditRecord = recordAuditEvent({ toolName, toolInput, decision: 'approve', gateId: gate.id, message, severity: gate.severity, source: 'gates-engine' });
+        auditToFeedback(auditRecord);
+        return result;
+      }
+      recordStat(gate.id, 'warn', gate);
+      const result = { decision: 'warn', gate: gate.id, message: `[approval gate disabled] ${message}`, severity: gate.severity, reasoning };
+      const auditRecord = recordAuditEvent({ toolName, toolInput, decision: 'warn', gateId: gate.id, message, severity: gate.severity, source: 'gates-engine' });
       auditToFeedback(auditRecord);
       return result;
     }
@@ -1639,9 +1647,17 @@ function evaluateGates(toolName, toolInput, configPath) {
     }
 
     if (gate.action === 'approve') {
-      recordStat(gate.id, 'approve', gate);
-      const result = { decision: 'approve', gate: gate.id, message, severity: gate.severity, reasoning, requiresApproval: true };
-      const auditRecord = recordAuditEvent({ toolName, toolInput, decision: 'approve', gateId: gate.id, message, severity: gate.severity, source: 'gates-engine' });
+      const approvalEnabled = process.env.THUMBGATE_APPROVAL_GATES !== '0';
+      if (approvalEnabled) {
+        recordStat(gate.id, 'approve', gate);
+        const result = { decision: 'approve', gate: gate.id, message, severity: gate.severity, reasoning, requiresApproval: true };
+        const auditRecord = recordAuditEvent({ toolName, toolInput, decision: 'approve', gateId: gate.id, message, severity: gate.severity, source: 'gates-engine' });
+        auditToFeedback(auditRecord);
+        return result;
+      }
+      recordStat(gate.id, 'warn', gate);
+      const result = { decision: 'warn', gate: gate.id, message: `[approval gate disabled] ${message}`, severity: gate.severity, reasoning };
+      const auditRecord = recordAuditEvent({ toolName, toolInput, decision: 'warn', gateId: gate.id, message, severity: gate.severity, source: 'gates-engine' });
       auditToFeedback(auditRecord);
       return result;
     }
@@ -1811,6 +1827,10 @@ function evaluateSecretGuard(input = {}) {
 }
 
 // ---------------------------------------------------------------------------
+function isApprovalGatesEnabled() {
+  return process.env.THUMBGATE_APPROVAL_GATES !== '0';
+}
+
 // PreToolUse hook interface (stdin/stdout JSON)
 // ---------------------------------------------------------------------------
 
@@ -1849,6 +1869,18 @@ function formatOutput(result, behavioralContext) {
     });
   }
 
+  if (result.decision === 'approve') {
+    const reminder = behavioralContext ? buildReminderOutput(behavioralContext) : {};
+    const reminderSuffix = behavioralContext ? `\n\nSystem reminder:\n${behavioralContext}` : '';
+    return JSON.stringify({
+      hookSpecificOutput: {
+        ...reminder,
+        permissionDecision: 'deny',
+        permissionDecisionReason: `[GATE:${result.gate}] APPROVAL REQUIRED: ${result.message} — Ask the human to confirm this action before proceeding.${reasoningSuffix}${reminderSuffix}`,
+      },
+    });
+  }
+
   if (result.decision === 'warn') {
     const extra = behavioralContext ? `\n${behavioralContext}` : '';
     const context = `[GATE:${result.gate}] WARNING: ${result.message}${reasoningSuffix}${extra}`;
@@ -2223,7 +2255,84 @@ function registerClaimGate(claimPattern, requiredActions, blockMessage) {
   return entry;
 }
 
-function verifyClaimEvidence(claimText) {
+function normalizeStringArray(value) {
+  if (!Array.isArray(value)) return [];
+  return Array.from(new Set(
+    value
+      .map((item) => String(item || '').trim())
+      .filter(Boolean)
+  ));
+}
+
+function normalizeGoalContract(goalContract) {
+  if (!goalContract || typeof goalContract !== 'object' || Array.isArray(goalContract)) {
+    return null;
+  }
+
+  const goal = String(goalContract.goal || '').trim();
+  const doneWhen = normalizeStringArray(goalContract.doneWhen);
+  const requiredActions = normalizeStringArray(goalContract.proveBy);
+  const mustNotChange = normalizeStringArray(goalContract.mustNotChange);
+  const handoff = {
+    workerAgent: String(goalContract.workerAgent || '').trim() || null,
+    reviewerAgent: String(goalContract.reviewerAgent || '').trim() || null,
+    orchestratorAgent: String(goalContract.orchestratorAgent || '').trim() || null,
+  };
+
+  const matched = Boolean(
+    goal ||
+    doneWhen.length > 0 ||
+    requiredActions.length > 0 ||
+    mustNotChange.length > 0 ||
+    handoff.workerAgent ||
+    handoff.reviewerAgent ||
+    handoff.orchestratorAgent
+  );
+
+  if (!matched) return null;
+
+  return {
+    goal: goal || null,
+    doneWhen,
+    requiredActions,
+    mustNotChange,
+    handoff,
+  };
+}
+
+function evaluateGoalContract(goalContract, actions = loadSessionActions()) {
+  const normalized = normalizeGoalContract(goalContract);
+  if (!normalized) {
+    return {
+      matched: false,
+      passed: true,
+      goal: null,
+      doneWhen: [],
+      requiredActions: [],
+      missingActions: [],
+      mustNotChange: [],
+      handoff: {
+        workerAgent: null,
+        reviewerAgent: null,
+        orchestratorAgent: null,
+      },
+    };
+  }
+
+  const missingActions = normalized.requiredActions.filter((actionId) => !actions[actionId]);
+  return {
+    matched: true,
+    passed: missingActions.length === 0,
+    goal: normalized.goal,
+    doneWhen: normalized.doneWhen,
+    requiredActions: normalized.requiredActions,
+    missingActions,
+    mustNotChange: normalized.mustNotChange,
+    handoff: normalized.handoff,
+  };
+}
+
+function verifyClaimEvidence(claimText, options = {}) {
   const normalizedClaimText = String(claimText || '').trim();
   if (!normalizedClaimText) {
     throw new Error('claimText is required');
@@ -2251,9 +2360,23 @@ function verifyClaimEvidence(claimText) {
     });
   }
 
+  const goalContract = evaluateGoalContract(options.goalContract, actions);
+  if (goalContract.matched) {
+    checks.push({
+      claim: 'goal_contract',
+      passed: goalContract.passed,
+      missing: goalContract.missingActions,
+      message: goalContract.passed
+        ? 'Goal contract evidence present'
+        : `Goal contract requires evidence: ${goalContract.missingActions.join(', ')}`,
+      goalContract,
+    });
+  }
+
   return {
     verified: checks.every((check) => check.passed),
     checks,
+    goalContract,
   };
 }
 
@@ -2289,6 +2412,7 @@ module.exports = {
   evaluateGatesAsync,
   computeExecutableHash,
   formatOutput,
+  isApprovalGatesEnabled,
   run,
   runAsync,
   trackAction,
@@ -2297,6 +2421,8 @@ module.exports = {
   clearSessionActions,
   loadClaimGates,
   registerClaimGate,
+  normalizeGoalContract,
+  evaluateGoalContract,
   verifyClaimEvidence,
   DEFAULT_CONFIG_PATH,
   DEFAULT_CLAIM_GATES_PATH,

package/scripts/license.js

@@ -80,7 +80,6 @@ module.exports = {
   verifyLicense,
   isProLicensed,
   activateLicense,
-  generateLicenseKey,
   isValidKey,
   VALID_PREFIXES,
   LICENSE_PATH,

package/scripts/rate-limiter.js

@@ -39,9 +39,39 @@ const PAYWALL_MESSAGES = {
   default: 'This feature requires Pro. Start Pro — card required; billed today.',
 };
 
+const TRIAL_DAYS = 14;
+
+function getInstallAgeDays() {
+  try {
+    const { INSTALL_ID_PATH } = require('./cli-telemetry');
+    if (!fs.existsSync(INSTALL_ID_PATH)) return null;
+    const created = fs.statSync(INSTALL_ID_PATH).birthtimeMs || fs.statSync(INSTALL_ID_PATH).mtimeMs;
+    if (!Number.isFinite(created) || created <= 0) return null;
+    return (Date.now() - created) / (1000 * 60 * 60 * 24);
+  } catch (_) {
+    return null;
+  }
+}
+
+function isInTrialPeriod() {
+  if (process.env.CI || process.env.GITHUB_ACTIONS) return false;
+  if (process.env.THUMBGATE_NO_TRIAL === '1') return false;
+  const age = getInstallAgeDays();
+  if (age === null) return false;
+  if (age < 0.0007) return false; // <1 minute old — just-created install, not a real trial
+  return age < TRIAL_DAYS;
+}
+
+function trialDaysRemaining() {
+  const age = getInstallAgeDays();
+  if (age === null) return 0;
+  return Math.max(0, Math.ceil(TRIAL_DAYS - age));
+}
+
 function isProTier(authContext) {
   if (authContext && authContext.tier === 'pro') return true;
-  if (process.env.THUMBGATE_API_KEY || process.env.THUMBGATE_PRO_MODE === '1' || process.env.THUMBGATE_NO_RATE_LIMIT === '1') return true;
+  if (process.env.THUMBGATE_API_KEY) return true;
+  if (process.env.THUMBGATE_NO_RATE_LIMIT === '1') return true;
   // Creator/dogfooding bypass: when the owner has the dev secret + bypass
   // configured (env or ~/.config/thumbgate/dev.json), treat the install as Pro
   // so marketing nudges and rate limits stop firing on the maintainer's own
@@ -57,6 +87,8 @@ function isProTier(authContext) {
     const { isProLicensed } = require('./license');
     if (isProLicensed()) return true;
   } catch (_) {}
+  // 14-day reverse trial: new installs get full Pro access
+  if (isInTrialPeriod()) return true;
   return false;
 }
 
@@ -180,11 +212,14 @@ module.exports = {
   checkLimit,
   getUsage,
   isProTier,
+  isInTrialPeriod,
+  trialDaysRemaining,
   loadUsage,
   saveUsage,
   todayKey,
   FREE_TIER_LIMITS,
   FREE_TIER_MAX_GATES,
+  TRIAL_DAYS,
   UPGRADE_MESSAGE,
   PAYWALL_MESSAGES,
   USAGE_FILE,

package/scripts/tool-registry.js

@@ -19,6 +19,32 @@ function destructiveTool(tool) {
   };
 }
 
+const GOAL_CONTRACT_SCHEMA = {
+  type: 'object',
+  description: 'Optional agent handoff contract. Use this when a worker/orchestrator/reviewer loop needs explicit done criteria before a done/fixed/shipped claim is allowed.',
+  properties: {
+    goal: { type: 'string', description: 'The operator-visible goal this claim is trying to close.' },
+    doneWhen: {
+      type: 'array',
+      items: { type: 'string' },
+      description: 'Human-readable acceptance criteria for the task.',
+    },
+    proveBy: {
+      type: 'array',
+      items: { type: 'string' },
+      description: 'Tracked action ids required before the claim can pass, such as tests_passed, review_completed, ci_green, deploy_verified, or operator_approved.',
+    },
+    mustNotChange: {
+      type: 'array',
+      items: { type: 'string' },
+      description: 'Protected areas or constraints the agents must preserve while completing the goal.',
+    },
+    workerAgent: { type: 'string', description: 'Agent responsible for implementation.' },
+    reviewerAgent: { type: 'string', description: 'Agent responsible for independent verification.' },
+    orchestratorAgent: { type: 'string', description: 'Agent responsible for routing and deciding whether done can be claimed.' },
+  },
+};
+
 const TOOLS = [
   readOnlyTool({
     name: 'capture_feedback',
@@ -843,6 +869,7 @@ const TOOLS = [
       required: ['claim'],
       properties: {
         claim: { type: 'string', description: 'The claim text to verify' },
+        goalContract: GOAL_CONTRACT_SCHEMA,
       },
     },
   }),
@@ -1291,6 +1318,7 @@ const TOOLS = [
         claim: { type: 'string', description: 'The completion claim text to verify (e.g. "Fix shipped", "Tests passing")' },
         mode: { type: 'string', enum: ['blocking', 'advisory'], description: 'blocking (default) returns blocking=true when evidence missing; advisory returns blocking=false' },
         sessionId: { type: 'string', description: 'Optional session id to associate with the gate decision' },
+        goalContract: GOAL_CONTRACT_SCHEMA,
       },
     },
   }),

package/scripts/verify-marketing-pages-deployed.js

@@ -0,0 +1,195 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * verify-marketing-pages-deployed.js — post-deploy probe for top-level
+ * marketing pages.
+ *
+ * Reads `config/post-deploy-marketing-pages.json` and curls every entry
+ * against the live production URL (default
+ * https://thumbgate-production.up.railway.app, overridable via
+ * THUMBGATE_PROD_URL env or --prod-url=…). Each response body must
+ * contain the configured sentinel string. Any mismatch fails the run
+ * and the route is included in the failure summary.
+ *
+ * Intended to run as a workflow step in .github/workflows/deploy-verify.yml
+ * after the version sentinel check, so the marketing surface is verified
+ * in the same gate as /health and /dashboard. Adding a new marketing
+ * page? Add it to the JSON manifest — no workflow edit required.
+ *
+ * Modes:
+ *   --json    machine-readable report on stdout, suitable for piping
+ *             into the GitHub Actions PR comment step.
+ *   --quiet   suppress per-route lines; only print the final summary.
+ *
+ * Exit code is 0 when every page passes, 1 if any sentinel is missing
+ * or any route returns non-200.
+ */
+
+const fs = require('node:fs');
+const path = require('node:path');
+
+const DEFAULT_PROD_URL = 'https://thumbgate-production.up.railway.app';
+const DEFAULT_TIMEOUT_MS = 12000;
+const DEFAULT_MANIFEST_PATH = path.resolve(__dirname, '..', 'config', 'post-deploy-marketing-pages.json');
+
+function parseArgs(argv = []) {
+  const out = {
+    prodUrl: process.env.THUMBGATE_PROD_URL || DEFAULT_PROD_URL,
+    manifestPath: DEFAULT_MANIFEST_PATH,
+    json: false,
+    quiet: false,
+    timeoutMs: DEFAULT_TIMEOUT_MS,
+  };
+  for (const arg of argv) {
+    if (arg === '--json') out.json = true;
+    else if (arg === '--quiet') out.quiet = true;
+    else if (arg.startsWith('--prod-url=')) out.prodUrl = arg.slice('--prod-url='.length);
+    else if (arg.startsWith('--manifest=')) out.manifestPath = arg.slice('--manifest='.length);
+    else if (arg.startsWith('--timeout-ms=')) {
+      const n = Number(arg.slice('--timeout-ms='.length));
+      if (Number.isFinite(n) && n > 0) out.timeoutMs = n;
+    }
+  }
+  return out;
+}
+
+function loadManifest(manifestPath) {
+  const raw = fs.readFileSync(manifestPath, 'utf-8');
+  const parsed = JSON.parse(raw);
+  if (!Array.isArray(parsed.pages) || parsed.pages.length === 0) {
+    throw new Error(`Manifest has no pages: ${manifestPath}`);
+  }
+  for (const entry of parsed.pages) {
+    if (typeof entry.route !== 'string' || !entry.route.startsWith('/')) {
+      throw new Error(`Invalid route in manifest: ${JSON.stringify(entry)}`);
+    }
+    if (typeof entry.sentinel !== 'string' || entry.sentinel.length === 0) {
+      throw new Error(`Invalid sentinel for route ${entry.route}`);
+    }
+  }
+  return parsed;
+}
+
+async function probePage({ prodUrl, route, sentinel, fetchImpl = globalThis.fetch, timeoutMs = DEFAULT_TIMEOUT_MS }) {
+  if (typeof fetchImpl !== 'function') {
+    return { route, ok: false, error: 'fetch_unavailable' };
+  }
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const url = `${prodUrl.replace(/\/$/, '')}${route}`;
+    const res = await fetchImpl(url, {
+      signal: controller.signal,
+      headers: {
+        // A real browser-shaped UA so any bot-deflection interstitials
+        // do NOT trigger; we are probing the real visitor's surface.
+        'User-Agent': 'thumbgate-deploy-verify/1.0 (+https://github.com/IgorGanapolsky/ThumbGate)',
+        Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+      },
+    });
+    const body = await res.text().catch(() => '');
+    const sentinelPresent = body.includes(sentinel);
+    return {
+      route,
+      url,
+      status: res.status,
+      ok: res.ok && sentinelPresent,
+      sentinelPresent,
+      bytes: body.length,
+    };
+  } catch (error) {
+    return {
+      route,
+      ok: false,
+      error: error?.name === 'AbortError' ? `timeout_after_${timeoutMs}ms` : (error?.message || String(error)),
+    };
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
+async function runVerification({ prodUrl, manifestPath, fetchImpl = globalThis.fetch, timeoutMs = DEFAULT_TIMEOUT_MS } = {}) {
+  const manifest = loadManifest(manifestPath);
+  const results = [];
+  // Sequential is fine — manifest has <20 entries; parallelism would
+  // be over-engineered and would risk masking a per-route rate-limit signal.
+  for (const entry of manifest.pages) {
+    // eslint-disable-next-line no-await-in-loop
+    const result = await probePage({
+      prodUrl,
+      route: entry.route,
+      sentinel: entry.sentinel,
+      fetchImpl,
+      timeoutMs,
+    });
+    results.push({ ...result, sentinel: entry.sentinel, description: entry.description });
+  }
+  const passed = results.filter((r) => r.ok);
+  const failed = results.filter((r) => !r.ok);
+  return {
+    generatedAt: new Date().toISOString(),
+    prodUrl,
+    manifestVersion: manifest.version,
+    totalRoutes: results.length,
+    passedCount: passed.length,
+    failedCount: failed.length,
+    verdict: failed.length === 0 ? 'pass' : 'fail',
+    results,
+  };
+}
+
+function renderHuman(report, { quiet = false } = {}) {
+  const lines = [];
+  if (!quiet) {
+    for (const r of report.results) {
+      if (r.ok) {
+        lines.push(`✅ ${r.route.padEnd(20)}  HTTP ${r.status}  bytes=${r.bytes}  sentinel-OK`);
+      } else if (r.error) {
+        lines.push(`❌ ${r.route.padEnd(20)}  ERROR ${r.error}`);
+      } else if (!r.sentinelPresent) {
+        lines.push(`❌ ${r.route.padEnd(20)}  HTTP ${r.status}  sentinel MISSING (expected: ${JSON.stringify(r.sentinel)})`);
+      } else {
+        lines.push(`❌ ${r.route.padEnd(20)}  HTTP ${r.status}`);
+      }
+    }
+  }
+  lines.push(`\nSummary: ${report.passedCount}/${report.totalRoutes} pages passed against ${report.prodUrl} (verdict: ${report.verdict.toUpperCase()})`);
+  return lines.join('\n');
+}
+
+async function main(argv) {
+  const args = parseArgs(argv);
+  let report;
+  try {
+    report = await runVerification({
+      prodUrl: args.prodUrl,
+      manifestPath: args.manifestPath,
+      timeoutMs: args.timeoutMs,
+    });
+  } catch (error) {
+    process.stderr.write(`verify-marketing-pages-deployed FAILED: ${error.message}\n`);
+    process.exit(2);
+  }
+  if (args.json) {
+    process.stdout.write(`${JSON.stringify(report, null, 2)}\n`);
+  } else {
+    process.stdout.write(`${renderHuman(report, { quiet: args.quiet })}\n`);
+  }
+  process.exitCode = report.verdict === 'pass' ? 0 : 1;
+}
+
+module.exports = {
+  DEFAULT_PROD_URL,
+  DEFAULT_TIMEOUT_MS,
+  DEFAULT_MANIFEST_PATH,
+  parseArgs,
+  loadManifest,
+  probePage,
+  runVerification,
+  renderHuman,
+};
+
+if (path.resolve(process.argv[1] || '') === path.resolve(__filename)) {
+  main(process.argv.slice(2));
+}

package/scripts/workflow-sentinel.js

@@ -1178,10 +1178,15 @@ function chooseDecision({ riskScore, integrity, memoryGuard, learnedPolicy, blas
   if (lowRiskHandoff) {
     return 'allow';
   }
+  // Background customer-system actions checkpoint (warn), never hard-deny.
+  // The checkpoint IS the mitigation — blocking outright prevents legitimate work.
+  if (backgroundAgent && customerSystemAction) {
+    return 'warn';
+  }
   if (destructiveBypass || learnedHardStop || repeatedHighBlast || (hasOperationalBlockers && riskScore >= 0.72) || riskScore >= 0.86) {
     return 'deny';
   }
-  if (economicAction || (backgroundAgent && customerSystemAction) || (backgroundAgent && riskScore >= 0.3)) {
+  if (economicAction || (backgroundAgent && riskScore >= 0.3)) {
     return 'warn';
   }
   if ((workflowControl && workflowControl.mode === 'warn') || (costControl && costControl.mode === 'warn') || riskScore >= 0.45 || (learnedWarning && riskScore >= 0.3) || (learnedRecall && riskScore >= 0.34)) {