thumbgate 1.21.2 → 1.23.0

package/src/api/server.js

@@ -429,6 +429,46 @@ const TRACKED_LINK_TARGETS = Object.freeze({
       plan_id: 'team',
     },
   },
+  // Aliases: /go/team → same as /go/teams, /go/checkout → same as /go/pro,
+  // /go/trial → install guide (trial starts on init)
+  team: {
+    path: '/#workflow-sprint-intake',
+    ctaId: 'go_team',
+    ctaPlacement: 'link_router',
+    eventType: 'team_intake_started',
+    defaults: {
+      utm_source: 'website',
+      utm_medium: 'link_router',
+      utm_campaign: 'team_intake',
+      plan_id: 'team',
+    },
+  },
+  checkout: {
+    path: '/checkout/pro',
+    ctaId: 'go_checkout',
+    ctaPlacement: 'link_router',
+    eventType: 'cta_click',
+    defaults: {
+      utm_source: 'website',
+      utm_medium: 'link_router',
+      utm_campaign: 'pro_upgrade',
+      plan_id: 'pro',
+      billing_cycle: 'monthly',
+    },
+    allowCustomerEmail: true,
+  },
+  trial: {
+    path: '/guide',
+    ctaId: 'go_trial',
+    ctaPlacement: 'link_router',
+    eventType: 'trial_start_click',
+    defaults: {
+      utm_source: 'website',
+      utm_medium: 'link_router',
+      utm_campaign: 'trial_start',
+      plan_id: 'free_trial',
+    },
+  },
   install: {
     path: '/guide',
     ctaId: 'go_install',
@@ -757,7 +797,7 @@ function getMcpSkillManifests(hostedConfig) {
         'Inspect prevention_rules after repeats.',
       ],
       installCommand: 'npx thumbgate init',
-      contextUrl: buildPublicUrl(hostedConfig, '/public/llm-context.md'),
+      contextUrl: buildPublicUrl(hostedConfig, '/llm-context.md'),
       proofUrl: VERIFICATION_EVIDENCE_URL,
     },
     {
@@ -784,7 +824,7 @@ function getMcpSkillManifests(hostedConfig) {
         'Evaluate NDCG@10 on visual hard negatives.',
         'Require artifact links before using retrieved evidence in claims.',
       ],
-      contextUrl: buildPublicUrl(hostedConfig, '/public/llm-context.md'),
+      contextUrl: buildPublicUrl(hostedConfig, '/llm-context.md'),
       proofUrl: VERIFICATION_EVIDENCE_URL,
     },
     {
@@ -798,7 +838,7 @@ function getMcpSkillManifests(hostedConfig) {
         'Compact feedback context with anchors for proof-critical lessons.',
         'Record estimated token savings next to the workflow evidence.',
       ],
-      contextUrl: buildPublicUrl(hostedConfig, '/public/llm-context.md'),
+      contextUrl: buildPublicUrl(hostedConfig, '/llm-context.md'),
       footprintUrl: buildPublicUrl(hostedConfig, '/.well-known/mcp/footprint.json'),
       proofUrl: VERIFICATION_EVIDENCE_URL,
     },
@@ -813,7 +853,7 @@ function getMcpSkillManifests(hostedConfig) {
         'Require baseline evals before adding autonomy or subagents.',
         'Classify tool risk before allowing writes, money movement, production changes, or outbound actions.',
       ],
-      contextUrl: buildPublicUrl(hostedConfig, '/public/llm-context.md'),
+      contextUrl: buildPublicUrl(hostedConfig, '/llm-context.md'),
       proofUrl: VERIFICATION_EVIDENCE_URL,
     },
     {
@@ -827,7 +867,7 @@ function getMcpSkillManifests(hostedConfig) {
         'Grade goal inference separately from intervention timing.',
         'Block multi-app proactive writes until rollback and orchestration evidence exists.',
       ],
-      contextUrl: buildPublicUrl(hostedConfig, '/public/llm-context.md'),
+      contextUrl: buildPublicUrl(hostedConfig, '/llm-context.md'),
       proofUrl: VERIFICATION_EVIDENCE_URL,
     },
     {
@@ -841,7 +881,7 @@ function getMcpSkillManifests(hostedConfig) {
         'Map every proxy metric to the real user objective.',
         'Require holdout or regression proof before treating benchmark gains as product gains.',
       ],
-      contextUrl: buildPublicUrl(hostedConfig, '/public/llm-context.md'),
+      contextUrl: buildPublicUrl(hostedConfig, '/llm-context.md'),
       proofUrl: VERIFICATION_EVIDENCE_URL,
     },
     {
@@ -855,7 +895,7 @@ function getMcpSkillManifests(hostedConfig) {
         'Reproduce locally before claiming a fix.',
         'Open one focused PR with tests, proof, and transparent ThumbGate context only when relevant.',
       ],
-      contextUrl: buildPublicUrl(hostedConfig, '/public/llm-context.md'),
+      contextUrl: buildPublicUrl(hostedConfig, '/llm-context.md'),
       proofUrl: VERIFICATION_EVIDENCE_URL,
     },
     {
@@ -869,7 +909,7 @@ function getMcpSkillManifests(hostedConfig) {
         'Route self-serve intent to the guide and team pain to Workflow Hardening Sprint intake.',
         'Block unsupported ad and landing-page claims before spend scales.',
       ],
-      contextUrl: buildPublicUrl(hostedConfig, '/public/llm-context.md'),
+      contextUrl: buildPublicUrl(hostedConfig, '/llm-context.md'),
       proofUrl: VERIFICATION_EVIDENCE_URL,
     },
   ];
@@ -1003,7 +1043,7 @@ function getMcpDiscoveryManifest(hostedConfig) {
     footprint: getContextFootprintReport(hostedConfig),
     proof: {
       verificationEvidenceUrl: VERIFICATION_EVIDENCE_URL,
-      llmContextUrl: buildPublicUrl(hostedConfig, '/public/llm-context.md'),
+      llmContextUrl: buildPublicUrl(hostedConfig, '/llm-context.md'),
     },
   };
 }
@@ -1493,12 +1533,14 @@ function buildCheckoutIntentHref(baseUrl, metadata = {}, overrides = {}) {
 }
 
 function renderCheckoutIntentPage({
-  confirmHref,
   workflowIntakeHref,
+  confirmHiddenParams,
 }) {
-  const safeConfirmHref = escapeHtmlAttribute(confirmHref);
   const safeWorkflowIntakeHref = escapeHtmlAttribute(workflowIntakeHref);
-  return `<!doctype html><html lang="en"><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>Confirm — ThumbGate Pro</title><style>body{background:#0a0a0a;color:#eee;font-family:system-ui,-apple-system,sans-serif;line-height:1.5}main{max-width:520px;margin:8vh auto;padding:0 20px}.brand{display:flex;align-items:center;gap:10px;margin-bottom:24px;font-size:14px;color:#94a3b8}.brand-mark{width:24px;height:24px;background:#22d3ee;border-radius:6px;display:inline-block}h1{font-size:24px;margin:0 0 8px;color:#fff}.price{font-size:32px;font-weight:700;color:#22d3ee;margin:8px 0 4px}.price small{font-size:14px;color:#94a3b8;font-weight:400}p{color:#cbd5e1;margin:8px 0}a{display:block;text-decoration:none}a.primary{background:#22d3ee;color:#000;padding:16px;text-align:center;border-radius:8px;font-weight:700;font-size:16px;margin:20px 0 10px}a.secondary{border:1px solid #374151;color:#cbd5e1;padding:12px;text-align:center;border-radius:8px;margin:8px 0 0;font-size:14px}.trust{margin:24px 0;padding:16px;border:1px solid #1f2937;border-radius:8px;background:#0f172a}.trust-item{font-size:13px;color:#cbd5e1;padding:4px 0;display:flex;gap:8px}.trust-item::before{content:"✓";color:#22d3ee;font-weight:700}.choice-note{font-size:13px;color:#94a3b8;margin-top:14px}.back{text-align:center;color:#64748b;font-size:12px;margin-top:24px}.back a{color:#64748b;display:inline}</style><main><div class="brand"><span class="brand-mark"></span><span>ThumbGate</span></div><h1>Start ThumbGate Pro</h1><div class="price">$19<small>/mo</small></div><p>The npm package runs your gates locally. <strong>Pro</strong> is what keeps them working across every machine, every agent runtime, and every breaking-change week.</p><a class="primary" data-i="pro_checkout_confirmed" rel="nofollow noindex" href="${safeConfirmHref}">Pay $19/mo with Stripe →</a><a class="secondary" data-i="workflow_sprint_intake" href="${safeWorkflowIntakeHref}">Not sure yet? Send the workflow first</a><p class="choice-note">Cancel anytime. 7-day refund, no questions. Diagnostics and sprints have their own pages.</p><div class="trust"><div class="trust-item">Lessons synced across all your machines — no local SQLite to babysit</div><div class="trust-item">Adapter matrix kept current for Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode — version drift is our problem, not yours</div><div class="trust-item">Hosted dashboard: gate stats, DPO export, org-wide rule library</div><div class="trust-item">24×7 ops on the rule engine — SonarCloud regressions fixed in &lt;24h</div></div><p class="back"><a href="/">← Back to thumbgate.ai</a></p></main><script>addEventListener('click',e=>{let a=e.target.closest('[data-i]');if(a&&navigator.sendBeacon)navigator.sendBeacon('/v1/telemetry/ping',new Blob([JSON.stringify({eventType:'checkout_interstitial_cta_clicked',clientType:'web',page:'/checkout/pro',ctaId:a.dataset.i,ctaPlacement:'checkout_interstitial'})],{type:'application/json'}))})</script></html>`;
+  const hiddenFields = (confirmHiddenParams || [])
+    .map(([k, v]) => `<input type="hidden" name="${escapeHtmlAttribute(k)}" value="${escapeHtmlAttribute(v)}">`)
+    .join('');
+  return `<!doctype html><html lang="en"><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>Confirm — ThumbGate Pro</title><style>body{background:#0a0a0a;color:#eee;font-family:system-ui,-apple-system,sans-serif;line-height:1.5}main{max-width:520px;margin:8vh auto;padding:0 20px}.brand{display:flex;align-items:center;gap:10px;margin-bottom:24px;font-size:14px;color:#94a3b8}.brand-mark{width:24px;height:24px;background:#22d3ee;border-radius:6px;display:inline-block}h1{font-size:24px;margin:0 0 8px;color:#fff}.price{font-size:32px;font-weight:700;color:#22d3ee;margin:8px 0 4px}.price small{font-size:14px;color:#94a3b8;font-weight:400}p{color:#cbd5e1;margin:8px 0}form{margin:0}input[type=email]{width:100%;box-sizing:border-box;padding:14px 16px;border:1px solid #374151;border-radius:8px;background:#111827;color:#fff;font-size:15px;margin:16px 0 0;outline:none}input[type=email]:focus{border-color:#22d3ee}input[type=email]::placeholder{color:#64748b}button.primary{background:#22d3ee;color:#000;padding:16px;text-align:center;border-radius:8px;font-weight:700;font-size:16px;margin:10px 0;border:none;cursor:pointer;width:100%}a{display:block;text-decoration:none}a.secondary{border:1px solid #374151;color:#cbd5e1;padding:12px;text-align:center;border-radius:8px;margin:8px 0 0;font-size:14px}.trust{margin:24px 0;padding:16px;border:1px solid #1f2937;border-radius:8px;background:#0f172a}.trust-item{font-size:13px;color:#cbd5e1;padding:4px 0;display:flex;gap:8px}.trust-item::before{content:"✓";color:#22d3ee;font-weight:700}.choice-note{font-size:13px;color:#94a3b8;margin-top:14px}.back{text-align:center;color:#64748b;font-size:12px;margin-top:24px}.back a{color:#64748b;display:inline}.email-note{font-size:12px;color:#64748b;margin:4px 0 0}</style><main><div class="brand"><span class="brand-mark"></span><span>ThumbGate</span></div><h1>Start ThumbGate Pro</h1><div class="price">$19<small>/mo</small></div><p>The npm package runs your gates locally. <strong>Pro</strong> is what keeps them working across every machine, every agent runtime, and every breaking-change week.</p><form action="/checkout/pro" method="GET" data-i="pro_checkout_confirmed">${hiddenFields}<input type="hidden" name="confirm" value="1"><input type="email" name="customer_email" placeholder="you@company.com" required autocomplete="email"><p class="email-note">Pre-fills your Stripe receipt. We only email if you ask.</p><button type="submit" class="primary">Pay $19/mo with Stripe →</button></form><a class="secondary" data-i="workflow_sprint_intake" href="${safeWorkflowIntakeHref}">Not sure yet? Send the workflow first</a><p class="choice-note">Cancel anytime. 7-day refund, no questions. Diagnostics and sprints have their own pages.</p><div class="trust"><div class="trust-item">Lessons synced across all your machines — no local SQLite to babysit</div><div class="trust-item">Adapter matrix kept current for Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode — version drift is our problem, not yours</div><div class="trust-item">Hosted dashboard: gate stats, DPO export, org-wide rule library</div><div class="trust-item">24×7 ops on the rule engine — SonarCloud regressions fixed in &lt;24h</div></div><p class="back"><a href="/">← Back to thumbgate.ai</a></p></main><script>document.querySelector('form').addEventListener('submit',e=>{if(navigator.sendBeacon)navigator.sendBeacon('/v1/telemetry/ping',new Blob([JSON.stringify({eventType:'checkout_interstitial_cta_clicked',clientType:'web',page:'/checkout/pro',ctaId:'pro_checkout_confirmed',ctaPlacement:'checkout_interstitial',customerEmail:document.querySelector('input[name=customer_email]').value})],{type:'application/json'}))})</script></html>`;
 }
 
 function buildCheckoutBootstrapBody(parsed, req, journeyState = resolveJourneyState(req, parsed)) {
@@ -1825,6 +1867,19 @@ function appendBestEffortTelemetry(feedbackDir, payload, headers, context) {
   }
 }
 
+function inferActionIntegration(body = {}, headers = {}) {
+  const explicit = pickFirstText(body.integration, body.source, body.actionIntegration, body.provider);
+  const userAgent = String(headers['user-agent'] || '').toLowerCase();
+  if (/chatgpt|gpt[_-]?actions?|openai/.test(String(explicit || '').toLowerCase()) || /chatgpt|openai/.test(userAgent)) {
+    return 'chatgpt_gpt';
+  }
+  return explicit || 'api';
+}
+
+function chatgptActionEventType(integration, suffix) {
+  return integration === 'chatgpt_gpt' ? `chatgpt_action_${suffix}` : `api_action_${suffix}`;
+}
+
 function getPublicOrigin(req) {
   const proto = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim() || 'http';
   const host = String(req.headers['x-forwarded-host'] || req.headers.host || '').split(',')[0].trim() || 'localhost';
@@ -2504,6 +2559,9 @@ function renderSitemapXml(runtimeConfig) {
     { path: '/agent-manager', changefreq: 'weekly', priority: '0.9' },
     { path: '/llm-context.md', changefreq: 'weekly', priority: '0.8' },
     { path: '/codex-plugin', changefreq: 'weekly', priority: '0.75' },
+    { path: '/codex-enterprise', changefreq: 'weekly', priority: '0.85' },
+    { path: '/agents-cost-savings', changefreq: 'weekly', priority: '0.85' },
+    { path: '/ai-malpractice-prevention', changefreq: 'weekly', priority: '0.9' },
     ...THUMBGATE_SEO_SITEMAP_ENTRIES,
   ];
   return [
@@ -4520,6 +4578,71 @@ async function addContext(){
       return;
     }
 
+    if (isGetLikeRequest && (pathname === '/codex-enterprise' || pathname === '/codex-enterprise.html')) {
+      // Landing page riding the 2026-05-20 OpenAI×Dell Codex Enterprise
+      // partnership announcement. Dell-distributed Codex expands the TAM
+      // for ThumbGate's governance layer — capture every agent decision,
+      // promote repeat failures to PreToolUse gates, ship the audit trail
+      // procurement requires. Routed through servePublicMarketingPage so
+      // arrivals via the partnership news cycle capture UTM attribution
+      // and landing_page_view telemetry with pageType: 'codex_enterprise'.
+      try {
+        servePublicMarketingPage({
+          req,
+          res,
+          parsed,
+          hostedConfig,
+          isHeadRequest,
+          renderHtml: () => fs.readFileSync(path.join(PUBLIC_DIR, 'codex-enterprise.html'), 'utf-8'),
+          extraTelemetry: { pageType: 'codex_enterprise' },
+        });
+      } catch {
+        sendJson(res, 404, { error: 'Codex Enterprise page not found' });
+      }
+      return;
+    }
+
+    if (isGetLikeRequest && (pathname === '/agents-cost-savings' || pathname === '/agents-cost-savings.html')) {
+      // FinOps-for-AI positioning page. Pairs with the `thumbgate cost` CLI
+      // shipped in #2281: the CLI prints the dollar amount, this page is
+      // the public-facing explanation of why "prevention" (ThumbGate's
+      // PreToolUse gates) is a distinct category from "reporting" (Finout,
+      // Helicone, Vantage, AgentOps). Reply-to-pitch surface for buyers
+      // who get a FinOps-for-AI marketing email and need a frame.
+      try {
+        servePublicMarketingPage({
+          req,
+          res,
+          parsed,
+          hostedConfig,
+          isHeadRequest,
+          renderHtml: () => fs.readFileSync(path.join(PUBLIC_DIR, 'agents-cost-savings.html'), 'utf-8'),
+          extraTelemetry: { pageType: 'agents_cost_savings' },
+        });
+      } catch {
+        sendJson(res, 404, { error: 'Agents Cost Savings page not found' });
+      }
+      return;
+    }
+
+    if (isGetLikeRequest && (pathname === '/ai-malpractice-prevention' || pathname === '/ai-malpractice-prevention.html')) {
+      // Legal-vertical landing page (2026-05-21).
+      try {
+        servePublicMarketingPage({
+          req,
+          res,
+          parsed,
+          hostedConfig,
+          isHeadRequest,
+          renderHtml: () => fs.readFileSync(path.join(PUBLIC_DIR, 'ai-malpractice-prevention.html'), 'utf-8'),
+          extraTelemetry: { pageType: 'ai_malpractice_prevention' },
+        });
+      } catch {
+        sendJson(res, 404, { error: 'AI Malpractice Prevention page not found' });
+      }
+      return;
+    }
+
     if (isGetLikeRequest && pathname === '/learn/learn.css') {
       try {
         const cssPath = path.join(LEARN_DIR, 'learn.css');
@@ -4638,7 +4761,7 @@ async function addContext(){
 
     if (isGetLikeRequest && pathname === '/checkout/pro') {
       if (isHeadRequest) {
-        sendText(res, 200, '', {}, {
+        sendHtml(res, 200, '', {}, {
           headOnly: true,
         });
         return;
@@ -4736,10 +4859,15 @@ async function addContext(){
           ctaPlacement: 'checkout_interstitial',
           planId: 'team',
         });
+        const confirmHiddenParams = [];
+        for (const [key, value] of parsed.searchParams.entries()) {
+          if (key !== 'confirm' && key !== 'customer_email') {
+            confirmHiddenParams.push([key, value]);
+          }
+        }
         const html = renderCheckoutIntentPage({
-          confirmHref: buildCheckoutConfirmHref(parsed),
           workflowIntakeHref,
-          botClassification,
+          confirmHiddenParams,
         });
         sendHtml(res, 200, html, responseHeaders);
         return;
@@ -5140,40 +5268,57 @@ async function addContext(){
       // was down, when feedback-dir was unwritable, when env was misconfigured.
       // The fix is shallow but meaningful: probe each critical subsystem and
       // surface failures with HTTP 503 + a per-check breakdown.
+      // Tiered failure classification — not all degradations should kill the
+      // container. A *service-failing* check (feedback dir unwritable,
+      // appOrigin missing) returns 503 → Railway's healthcheck fails → SIGTERM
+      // → restart loop → outage (this exact failure mode took prod down
+      // 2026-05-21 18:21Z → 19:30Z when BUILD_METADATA.buildSha came up empty
+      // after a Railway env-var cleanup). A *telemetry-degraded* check (missing
+      // buildSha) returns 200 with `degraded: true` so observability stays
+      // visible but Railway doesn't kill an otherwise-healthy container over
+      // a SHA gap.
       const checks = {};
-      let allOk = true;
+      let failing = false;     // any service-failing check → 503
+      let degraded = false;    // any telemetry-degraded check → 200 + flag
 
       // Check 1: feedback dir exists and is writable.
+      // SERVICE-FAILING — if we can't write feedback, the API can't function.
       try {
         const { FEEDBACK_DIR } = getFeedbackPaths();
         fs.accessSync(FEEDBACK_DIR, fs.constants.W_OK);
         checks.feedbackDir = { ok: true };
       } catch (err) {
-        checks.feedbackDir = { ok: false, error: err?.code || 'inaccessible' };
-        allOk = false;
+        checks.feedbackDir = { ok: false, error: err?.code || 'inaccessible', severity: 'failing' };
+        failing = true;
       }
 
       // Check 2: hosted config resolves the canonical app origin.
-      // If appOrigin is missing/empty, redirects + checkout flow break silently.
+      // SERVICE-FAILING — if appOrigin is missing/empty, redirects + checkout
+      // flow break silently.
       if (hostedConfig?.appOrigin) {
         checks.hostedConfig = { ok: true };
       } else {
-        checks.hostedConfig = { ok: false, error: 'missing_appOrigin' };
-        allOk = false;
+        checks.hostedConfig = { ok: false, error: 'missing_appOrigin', severity: 'failing' };
+        failing = true;
       }
 
-      // Check 3: build metadata loaded. If BUILD_METADATA.buildSha is empty,
-      // Railway didn't inject the deploy SHA — observability is degraded.
+      // Check 3: build metadata loaded.
+      // TELEMETRY-DEGRADED — observability gap, not a runtime outage. The
+      // container still serves requests fine; we just can't tag responses with
+      // the deployed SHA. Surfaces the gap to monitors via `degraded: true`
+      // without triggering Railway's SIGTERM-on-503 loop.
       if (BUILD_METADATA?.buildSha) {
         checks.buildMetadata = { ok: true };
       } else {
-        checks.buildMetadata = { ok: false, error: 'missing_buildSha' };
-        allOk = false;
+        checks.buildMetadata = { ok: false, error: 'missing_buildSha', severity: 'degraded' };
+        degraded = true;
       }
 
-      const statusCode = allOk ? 200 : 503;
+      const statusCode = failing ? 503 : 200;
+      const status = failing ? 'failing' : (degraded ? 'degraded' : 'ok');
       sendJson(res, statusCode, {
-        status: allOk ? 'ok' : 'degraded',
+        status,
+        degraded: degraded || failing,
         version: pkg.version,
         buildSha: BUILD_METADATA.buildSha,
         uptime: process.uptime(),
@@ -5271,15 +5416,25 @@ async function addContext(){
       const bd = require('../../scripts/bot-detector');
       const { FEEDBACK_DIR: metricsDir } = getFeedbackPaths();
       const telemetryPath = path.join(metricsDir, 'telemetry-pings.jsonl');
-      let entries = [];
-      try {
-        if (fs.existsSync(telemetryPath)) {
-          entries = fs.readFileSync(telemetryPath, 'utf8')
-            .split('\n').filter(Boolean)
-            .map(l => { try { return JSON.parse(l); } catch(_e) { return null; } })
-            .filter(Boolean);
-        }
-      } catch { entries = []; }
+
+      // Cache parsed entries for 60s to avoid re-parsing 72K+ JSON lines per request
+      const cacheKey = '_metricsRealCache';
+      const cacheTTL = 60_000;
+      let entries;
+      if (global[cacheKey] && (Date.now() - global[cacheKey].ts) < cacheTTL) {
+        entries = global[cacheKey].entries;
+      } else {
+        entries = [];
+        try {
+          if (fs.existsSync(telemetryPath)) {
+            entries = fs.readFileSync(telemetryPath, 'utf8')
+              .split('\n').filter(Boolean)
+              .map(l => { try { return JSON.parse(l); } catch(_e) { return null; } })
+              .filter(Boolean);
+          }
+        } catch { entries = []; }
+        global[cacheKey] = { entries, ts: Date.now() };
+      }
 
       const now = Date.now();
       const sevenDaysAgo = now - 7 * 24 * 60 * 60 * 1000;
@@ -5308,6 +5463,52 @@ async function addContext(){
         byVisitorType[e.visitorType] = (byVisitorType[e.visitorType] || 0) + 1;
       });
 
+      // ---------------------------------------------------------------
+      // Active user analytics: group by installId to distinguish real
+      // users from bots/mirrors. "Active" = performed a meaningful CLI
+      // action (capture, recall, search, gate-check, stats) — not just init.
+      // ---------------------------------------------------------------
+      // Only events that prove a human used the product beyond init.
+      // cli_pro_view excluded: browsing the upgrade page is not "using" the product.
+      // cli_gate_check excluded: runs as subprocess, never fires trackEvent().
+      // cli_search excluded: event name doesn't exist in production telemetry.
+      const ACTIVE_EVENTS = new Set([
+        'cli_capture', 'cli_recall', 'cli_stats',
+        'activation_first_rule_promoted',
+      ]);
+      const thirtyDaysAgo = now - 30 * 24 * 60 * 60 * 1000;
+      const last30 = classified.filter(e => {
+        const ts = e.timestamp || e.receivedAt;
+        return ts && new Date(ts).getTime() > thirtyDaysAgo;
+      });
+
+      // Per-install activity (all-time and recent windows)
+      const activeInstalls7d = new Set();
+      const activeInstalls30d = new Set();
+      const allTimeActiveInstalls = new Set();
+      const uniqueSessions7d = new Set();
+      const uniqueSessions30d = new Set();
+
+      for (const e of classified) {
+        if (!e.installId) continue;
+        const et = e.eventType || '';
+        if (!ACTIVE_EVENTS.has(et)) continue;
+        if (e.visitorType === 'bot' || e.visitorType === 'ci') continue;
+        allTimeActiveInstalls.add(e.installId);
+      }
+      for (const e of recent) {
+        if (!e.installId) continue;
+        if (e.visitorType === 'bot' || e.visitorType === 'ci') continue;
+        if (ACTIVE_EVENTS.has(e.eventType || '')) activeInstalls7d.add(e.installId);
+        if (e.sessionId) uniqueSessions7d.add(e.sessionId);
+      }
+      for (const e of last30) {
+        if (!e.installId) continue;
+        if (e.visitorType === 'bot' || e.visitorType === 'ci') continue;
+        if (ACTIVE_EVENTS.has(e.eventType || '')) activeInstalls30d.add(e.installId);
+        if (e.sessionId) uniqueSessions30d.add(e.sessionId);
+      }
+
       sendJson(res, 200, {
         allTime: {
           total: classified.length,
@@ -5316,6 +5517,12 @@ async function addContext(){
           owner: classified.filter(e => e.visitorType === 'owner').length,
           ci: classified.filter(e => e.visitorType === 'ci').length,
           uniqueInstalls: uniqueInstallIds.size,
+          activeInstalls: allTimeActiveInstalls.size,
+        },
+        last30Days: {
+          uniqueInstalls: new Set(last30.filter(e => e.installId).map(e => e.installId)).size,
+          activeInstalls: activeInstalls30d.size,
+          uniqueSessions: uniqueSessions30d.size,
         },
         last7Days: {
           total: recent.length,
@@ -5324,6 +5531,8 @@ async function addContext(){
           owner: recent.filter(e => e.visitorType === 'owner').length,
           ci: recent.filter(e => e.visitorType === 'ci').length,
           uniqueInstalls: recentInstallIds.size,
+          activeInstalls: activeInstalls7d.size,
+          uniqueSessions: uniqueSessions7d.size,
         },
         byEventType,
         byVisitorType,
@@ -6234,6 +6443,14 @@ async function addContext(){
       return;
     }
 
+    // Catch non-API GET requests that didn't match any public page route above.
+    // Without this, /about, /docs, /demo etc. fall through to the API auth gate
+    // and return a raw JSON 401 instead of a user-friendly 404.
+    if (isGetLikeRequest && !pathname.startsWith('/v1/') && !pathname.startsWith('/api/')) {
+      sendHtml(res, 404, `<!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>Page Not Found — ThumbGate</title><style>body{background:#0a0a0a;color:#e2e8f0;font-family:system-ui,-apple-system,sans-serif;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0}main{text-align:center;padding:2rem}h1{font-size:4rem;margin:0;color:#22d3ee}p{font-size:1.1rem;color:#94a3b8;margin:1rem 0}a{color:#22d3ee;text-decoration:underline}</style></head><body><main><h1>404</h1><p>This page doesn't exist.</p><p><a href="/">Back to ThumbGate</a></p></main></body></html>`);
+      return;
+    }
+
     // Operator key is allowed to bypass the general admin gate for its dedicated endpoint
     const _reqToken = extractApiKey(req);
     const isOperatorBillingRequest = Boolean(expectedOperatorKey)
@@ -6815,6 +7032,18 @@ async function addContext(){
           tags: extractTags(body.tags),
           skill: body.skill,
         });
+        const actionIntegration = inferActionIntegration(body, req.headers);
+        appendBestEffortTelemetry(requestFeedbackDir, {
+          eventType: chatgptActionEventType(actionIntegration, 'capture_feedback'),
+          clientType: 'api',
+          source: actionIntegration,
+          integration: actionIntegration,
+          actionOperation: 'captureFeedback',
+          endpoint: '/v1/feedback/capture',
+          actionStatus: result.accepted ? 'accepted' : 'clarification_required',
+          accepted: Boolean(result.accepted),
+          failureCode: result.accepted ? null : 'clarification_required',
+        }, req.headers, 'api_action_capture_feedback');
         if (result?.accepted) {
           // Fan out to any connected dashboard clients so they re-render
           // without polling. Non-sensitive summary only (no chat history,
@@ -7625,6 +7854,18 @@ async function addContext(){
         });
         report.actionId = evaluation.actionId;
         if (report.decisionControl) report.decisionControl.actionId = evaluation.actionId;
+        const actionIntegration = inferActionIntegration(body, req.headers);
+        appendBestEffortTelemetry(requestFeedbackDir, {
+          eventType: chatgptActionEventType(actionIntegration, 'evaluate_decision'),
+          clientType: 'api',
+          source: actionIntegration,
+          integration: actionIntegration,
+          actionOperation: 'evaluateDecision',
+          endpoint: '/v1/decisions/evaluate',
+          actionStatus: 'accepted',
+          accepted: true,
+          decisionMode: report.decisionControl && report.decisionControl.executionMode,
+        }, req.headers, 'api_action_evaluate_decision');
         sendJson(res, 200, report);
         return;
       }
@@ -7729,6 +7970,7 @@ function startServer({ port, host } = {}) {
   const listenPort = Number(port ?? process.env.PORT ?? 8787);
   const listenHost = String(host ?? process.env.HOST ?? '0.0.0.0').trim() || '0.0.0.0';
   const server = createApiServer();
+  registerGracefulShutdown(server);
   return new Promise((resolve) => {
     server.listen(listenPort, listenHost, () => {
       const address = server.address();
@@ -7744,6 +7986,39 @@ function startServer({ port, host } = {}) {
   });
 }
 
+// Railway / Cloud Run / Kubernetes deploy rotations send SIGTERM to swap
+// containers. Without a handler, Node exits immediately — in-flight requests
+// are killed and the orchestrator may mark the container as "crashed" (instead
+// of "gracefully stopped"), wasting its restart-policy budget on a healthy
+// shutdown. Drain HTTP, give a deadline, then force-exit if anything hangs.
+function registerGracefulShutdown(server, { gracePeriodMs = 25_000 } = {}) {
+  if (server[GRACEFUL_SHUTDOWN_KEY]) return;
+  server[GRACEFUL_SHUTDOWN_KEY] = true;
+  let shuttingDown = false;
+  const stop = (signal) => {
+    if (shuttingDown) return;
+    shuttingDown = true;
+    console.log(`[shutdown] ${signal} received — draining connections (deadline ${gracePeriodMs}ms)`);
+    const forceTimer = setTimeout(() => {
+      console.error('[shutdown] grace period elapsed — forcing exit');
+      process.exit(1);
+    }, gracePeriodMs);
+    if (typeof forceTimer.unref === 'function') forceTimer.unref();
+    server.close((err) => {
+      if (err) {
+        console.error('[shutdown] server.close error:', err.message);
+        process.exit(1);
+      }
+      console.log('[shutdown] drained cleanly');
+      process.exit(0);
+    });
+  };
+  process.on('SIGTERM', () => stop('SIGTERM'));
+  process.on('SIGINT', () => stop('SIGINT'));
+}
+
+const GRACEFUL_SHUTDOWN_KEY = Symbol.for('thumbgate.gracefulShutdownRegistered');
+
 module.exports = {
   createApiServer,
   startServer,