thumbgate 1.22.0 → 1.23.1

package/public/index.html

@@ -19,7 +19,7 @@ __GOOGLE_SITE_VERIFICATION_META__
 <meta property="og:image" content="https://thumbgate-production.up.railway.app/og.png">
 <meta name="twitter:card" content="summary_large_image">
 <meta name="twitter:image" content="https://thumbgate-production.up.railway.app/og.png">
-<meta name="thumbgate-version" content="1.22.0">
+<meta name="thumbgate-version" content="1.23.1">
 <meta name="keywords" content="ThumbGate, thumbgate, AI agent orchestration, AI experience orchestration, agent enforcement layer, save LLM tokens, reduce Claude API cost, reduce OpenAI cost, AI agent token savings, prevent LLM retries, prevent hallucination retries, stop AI token waste, pre-action checks, agent governance, Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode, workflow hardening, context engineering, AI authenticity, brand authenticity AI">
 <link rel="apple-touch-icon" href="/apple-touch-icon.png">
 
@@ -721,7 +721,7 @@ __GA_BOOTSTRAP__
       </div>
       <a href="/go/install?utm_source=website&utm_medium=hero_cta&utm_campaign=install_free&cta_id=hero_install_cli&cta_placement=hero" onclick="event.preventDefault(); navigator.clipboard.writeText('npx thumbgate init'); this.textContent='Copied ✓ — paste in your repo'; setTimeout(()=>{this.textContent='Install Free CLI'},2000); try{posthog.capture('hero_install_click',{cta:'install_cli'})}catch(_){}" class="btn-gpt-page btn-install-hero" title="Click to copy: npx thumbgate init">Install Free CLI</a>
       <a href="#workflow-sprint-intake" onclick="try{posthog.capture('hero_sprint_click',{cta:'sprint_intake'})}catch(_){};sendFirstPartyTelemetry('hero_sprint_intake_started',{ctaId:'hero_workflow_sprint',ctaPlacement:'hero',offer:'workflow_sprint'});" class="btn-pro-page hero-pro">Talk to me — Workflow Hardening Sprint →</a>
-      <a href="#demo" onclick="try{posthog.capture('hero_demo_click',{cta:'watch_demo'})}catch(_){};sendFirstPartyTelemetry('hero_demo_clicked',{ctaId:'hero_watch_demo',ctaPlacement:'hero'});" class="btn-free" style="font-size:15px;padding:14px 22px;">▶ Watch the 90-second demo</a>
+      <a href="#demo" onclick="try{posthog.capture('hero_demo_click',{cta:'see_enforcement'})}catch(_){};sendFirstPartyTelemetry('hero_demo_clicked',{ctaId:'hero_see_enforcement',ctaPlacement:'hero'});" class="btn-free" style="font-size:15px;padding:14px 22px;">See the enforcement in action</a>
     </div>
 
     <div class="hero-trust-bar">
@@ -817,6 +817,37 @@ __GA_BOOTSTRAP__
   </div>
 </section>
 
+<section class="compatibility" id="deterministic-prevention">
+  <div class="container">
+    <div class="section-label">Deterministic Prevention</div>
+    <h2 class="section-title">Native thumbs are a black box. ThumbGate is the inspectable control layer.</h2>
+    <p style="text-align:center;font-size:16px;color:var(--text-muted);max-width:900px;margin:0 auto 28px;line-height:1.7;">Codex, Claude Code, ChatGPT, and other agent surfaces can collect preference signals, but you usually cannot see exactly what changed, which rule will fire, or why a future tool call is allowed. ThumbGate keeps the prevention layer outside the model: typed feedback becomes a local lesson, repeated mistakes become explicit rules, and every block names the matched rule, source lesson, tool call, and audit event.</p>
+    <div class="agent-grid">
+      <div class="agent-card">
+        <h3>Black-box memory</h3>
+        <p>Native thumbs and vendor memories may improve future behavior, but they do not give teams a deterministic allow/block contract at the moment an agent touches files, terminals, APIs, or CI.</p>
+      </div>
+      <div class="agent-card">
+        <h3>Inspectable ThumbGate memory</h3>
+        <p>Lessons live in your ThumbGate store, can be searched, exported as JSONL or DPO pairs, and traced back to the exact correction that created the rule.</p>
+      </div>
+      <div class="agent-card">
+        <h3>Rules before execution</h3>
+        <p>The final decision is not another model opinion. ThumbGate checks tool name, arguments, working directory, command shape, confidence, and required evidence before the action runs.</p>
+      </div>
+    </div>
+    <div style="margin:26px auto 0;max-width:960px;border:1px solid rgba(34,211,238,0.18);border-radius:8px;background:rgba(34,211,238,0.05);padding:18px 20px;">
+      <h3 style="margin:0 0 10px;color:var(--text);font-size:18px;">Why this matters now</h3>
+      <ul style="margin:0;padding-left:20px;color:var(--text-muted);line-height:1.7;">
+        <li><strong>Agent security is now mainstream risk.</strong> Coding agents run shell commands, write files, query databases, and chain actions with developer permissions, so unattended autonomy needs a local policy boundary.</li>
+        <li><strong>MCP adoption is accelerating.</strong> More tools are becoming agent-callable through shared protocols, which means one cross-agent governance layer beats one-off prompt rules per app.</li>
+        <li><strong>Repeated failures waste cash and trust.</strong> Every repeat burns tokens, review time, and release confidence. ThumbGate turns the first correction into a reusable prevention check.</li>
+      </ul>
+      <p style="margin:12px 0 0;font-size:13px;color:var(--text-dim);">Sources to verify the market timing: <a href="https://www.docker.com/blog/ai-coding-agent-horror-stories-security-risks/" target="_blank" rel="noopener" style="color:var(--cyan);">Docker on AI coding agent security risks</a>, <a href="https://www.techradar.com/pro/how-ai-agents-are-wrecking-havoc-in-legacy-security-setups-and-enterprises-are-catching-up" target="_blank" rel="noopener" style="color:var(--cyan);">TechRadar on enterprise agent security pressure</a>, and <a href="https://www.techradar.com/pro/zendesk-becomes-the-latest-to-adopt-mcp-to-futureproof-customers-in-the-ai-first-era" target="_blank" rel="noopener" style="color:var(--cyan);">current MCP adoption coverage</a>.</p>
+    </div>
+  </div>
+</section>
+
 <section class="marketing-deep-dive" style="padding:28px 0 10px;">
   <div class="container" style="max-width:1240px;">
     <div class="section-label">Status bar proof</div>
@@ -1492,7 +1523,7 @@ __GA_BOOTSTRAP__
       <a href="https://www.linkedin.com/in/igorganapolsky" target="_blank" rel="noopener">LinkedIn</a>
       <a href="/blog">Blog</a>
     </div>
-    <span class="footer-copy">© 2026 ThumbGate · MIT License · npm v1.22.0</span>
+    <span class="footer-copy">© 2026 ThumbGate · MIT License · npm v1.23.1</span>
   </div>
 </footer>
 

package/public/numbers.html

@@ -25,7 +25,7 @@
   "alternateName": "thumbgate",
   "applicationCategory": "DeveloperApplication",
   "operatingSystem": "Cross-platform, Node.js >=18.18.0",
-  "softwareVersion": "1.22.0",
+  "softwareVersion": "1.23.1",
   "url": "https://thumbgate-production.up.railway.app/numbers",
   "dateModified": "2026-05-07",
   "creator": {
@@ -202,7 +202,7 @@
 <main class="container">
   <h1>The Numbers</h1>
   <p class="subtitle">Generated first-party operational snapshot from the ThumbGate runtime. This is not customer traction, install volume, revenue, or proof that a configured gate has fired.</p>
-  <div class="freshness">Updated: 2026-05-07 · Version 1.22.0</div>
+  <div class="freshness">Updated: 2026-05-07 · Version 1.23.1</div>
   <div class="truth-note"><strong>Read this first:</strong> configured checks are inventory. Recorded blocks and warnings are usage evidence. This snapshot currently reports 0 recorded hard-block event(s) and 0 recorded warning event(s).</div>
 
   <h2>Gate enforcement</h2>

package/public/pricing.html

@@ -213,7 +213,7 @@ __GA_BOOTSTRAP__
   <div class="container">
     <a href="/" class="nav-logo">ThumbGate</a>
     <div class="nav-links">
-      <a href="/#features">Features</a>
+      <a href="/#how-it-works">Features</a>
       <a href="/pricing" style="color:var(--text);">Pricing</a>
       <a href="/guide">Guide</a>
       <a href="/dashboard">Dashboard</a>

package/public/pro.html

@@ -815,6 +815,28 @@ __GA_BOOTSTRAP__
   </div>
 </section>
 
+<section class="section" id="deterministic-loop">
+  <div class="container">
+    <div class="section-label">Why Pro now</div>
+    <h2 class="section-title">Black-box thumbs do not prove prevention. Pro gives the operator an audit loop.</h2>
+    <p class="section-intro">Native rating buttons can tell a vendor that an answer felt wrong. ThumbGate Pro gives you the operational record: the correction, the lesson, the rule, the blocked tool call, and the export path.</p>
+    <div class="grid-3">
+      <div class="feature-card">
+        <h3>Inspectable memory</h3>
+        <p>Search the exact lesson that came from a thumbs-down and see whether it is still active, warning-only, or blocking.</p>
+      </div>
+      <div class="feature-card">
+        <h3>Deterministic checks</h3>
+        <p>The enforcement layer evaluates tool name, arguments, working directory, command shape, confidence, and required evidence before the action runs.</p>
+      </div>
+      <div class="feature-card">
+        <h3>Exportable proof</h3>
+        <p>Take the same correction history into JSONL, DPO export, review packets, and team rollout conversations instead of trusting hidden memory.</p>
+      </div>
+    </div>
+  </div>
+</section>
+
 <section class="section" id="why-pay">
   <div class="container">
     <div class="section-label">Why operators pay</div>

package/scripts/cli-telemetry.js

@@ -10,6 +10,9 @@ const _DEFAULT_TELEMETRY_HOST = 'https://thumbgate-production.up.railway.app';
 const TELEMETRY_ENDPOINT = `${process.env.THUMBGATE_API_URL || _DEFAULT_TELEMETRY_HOST}/v1/telemetry/ping`;
 const INSTALL_ID_PATH = path.join(process.env.HOME || process.env.USERPROFILE || '.', '.thumbgate', 'install-id');
 
+// Session ID: random per process invocation. Groups all events from one CLI run.
+const SESSION_ID = crypto.randomUUID ? crypto.randomUUID() : crypto.randomBytes(16).toString('hex');
+
 /**
  * Get or create a stable anonymous install ID.
  * This is NOT tied to any personal info — it's a random UUID stored locally.
@@ -61,7 +64,9 @@ function trackEvent(eventType, metadata = {}) {
   const payload = JSON.stringify({
     eventType,
     installId: getInstallId(),
+    sessionId: SESSION_ID,
     visitorType: classifyInstall(),
+    clientType: 'cli',
     platform: os.platform(),
     arch: os.arch(),
     nodeVersion: process.version,
@@ -87,4 +92,4 @@ function trackEvent(eventType, metadata = {}) {
   } catch (_) {} // never crash the CLI
 }
 
-module.exports = { trackEvent, getInstallId, classifyInstall, INSTALL_ID_PATH };
+module.exports = { trackEvent, getInstallId, classifyInstall, INSTALL_ID_PATH, SESSION_ID };

package/scripts/commercial-offer.js

@@ -35,6 +35,75 @@ function normalizeSeatCount(value, fallback = TEAM_MIN_SEATS) {
   return Math.max(TEAM_MIN_SEATS, Math.round(parsed));
 }
 
+function trackedProUrl(source = 'cli_receipt', content = 'value_receipt') {
+  try {
+    const url = new URL(PRO_MONTHLY_PAYMENT_LINK);
+    url.searchParams.set('utm_source', source);
+    url.searchParams.set('utm_medium', 'cli');
+    url.searchParams.set('utm_campaign', 'pro_conversion');
+    url.searchParams.set('utm_content', content);
+    return url.toString();
+  } catch (_) {
+    return PRO_MONTHLY_PAYMENT_LINK;
+  }
+}
+
+function pluralize(count, singular, plural = `${singular}s`) {
+  return Number(count) === 1 ? singular : plural;
+}
+
+function buildCaptureReceipt({ signal, feedbackId, memoryId, actionType } = {}) {
+  const normalizedSignal = String(signal || '').toUpperCase() || 'UNKNOWN';
+  const lines = [
+    '',
+    'Value receipt',
+    '─'.repeat(50),
+    `  Stored proof   : ${normalizedSignal} feedback${feedbackId ? ` (${feedbackId})` : ''}`,
+    memoryId ? `  Local memory   : ${memoryId}` : '  Local memory   : saved locally',
+    actionType ? `  Rule pressure  : ${actionType}` : '  Rule pressure  : available for promotion',
+    '  Next proof     : npx thumbgate stats',
+    '  Cost proof     : npx thumbgate cost',
+    '',
+    `  Solo Pro       : ${PRO_PRICE_LABEL} for dashboard, search, exports, sync`,
+    `  Upgrade        : ${trackedProUrl('cli_capture_receipt', actionType || normalizedSignal.toLowerCase())}`,
+    `  Team path      : ${TEAM_PRICE_LABEL}; start with one repeated workflow failure`,
+    '                   https://thumbgate.ai/#workflow-sprint-intake',
+    '',
+  ];
+  return lines.join('\n');
+}
+
+function buildStatsReceipt(stats = {}) {
+  const negatives = Number(stats.negatives || stats.totalNegative || 0);
+  const blocked = Number(stats.gatesBlocked || stats.blocked || 0);
+  const warned = Number(stats.gatesWarned || stats.warned || 0);
+  const gates = Number(stats.totalGates || 0);
+  const autoPromoted = Number(stats.autoPromotedGates || 0);
+  const hasFriction = negatives > 0 || blocked > 0 || warned > 0 || gates > 0;
+  if (!hasFriction) return '';
+
+  const interventions = blocked + warned;
+  const lines = [
+    '',
+    'Paid-intent next step',
+    '─'.repeat(50),
+  ];
+  if (interventions > 0) {
+    lines.push(`  Proof already seen : ${interventions} gate ${pluralize(interventions, 'intervention')}`);
+  }
+  if (gates > 0) {
+    lines.push(`  Active prevention  : ${gates} ${pluralize(gates, 'gate')} (${autoPromoted} auto-promoted)`);
+  }
+  if (negatives > 0) {
+    lines.push(`  Failure pressure   : ${negatives} negative ${pluralize(negatives, 'signal')}`);
+  }
+  lines.push('  Show the buyer     : npx thumbgate cost');
+  lines.push(`  Solo Pro           : ${trackedProUrl('cli_stats_receipt', 'proof_seen')}`);
+  lines.push('  Team workflow      : https://thumbgate.ai/#workflow-sprint-intake');
+  lines.push('');
+  return lines.join('\n');
+}
+
 module.exports = {
   PRO_MONTHLY_PAYMENT_LINK,
   PRO_ANNUAL_PAYMENT_LINK,
@@ -51,4 +120,7 @@ module.exports = {
   normalizePlanId,
   normalizeBillingCycle,
   normalizeSeatCount,
+  buildCaptureReceipt,
+  buildStatsReceipt,
+  trackedProUrl,
 };

package/scripts/gates-engine.js

@@ -7,7 +7,7 @@ const crypto = require('crypto');
 const { execSync, execFileSync } = require('child_process');
 const { loadOptionalModule } = require('./private-core-boundary');
 
-const { isProTier, FREE_TIER_MAX_GATES } = require('./rate-limiter');
+const { isProTier, isInTrialPeriod, FREE_TIER_MAX_GATES, FREE_TIER_DAILY_BLOCKS, todayKey } = require('./rate-limiter');
 const {
   DEFAULT_BASE_BRANCH,
   evaluateOperationalIntegrity,
@@ -466,6 +466,69 @@ function recordStat(gateId, action, gate) {
   }
 }
 
+// ---------------------------------------------------------------------------
+// Free-tier daily block cap
+// ---------------------------------------------------------------------------
+
+/**
+ * Count today's gate blocks from stats. Free tier gets FREE_TIER_DAILY_BLOCKS
+ * blocks/day. After the limit, deny → warn + upgrade CTA so the action proceeds
+ * but the user sees they lost protection.
+ */
+function getTodayBlockCount() {
+  const stats = loadStats();
+  const today = todayKey();
+  if (!stats.dailyBlocks || !stats.dailyBlocks[today]) return 0;
+  return stats.dailyBlocks[today];
+}
+
+function incrementTodayBlockCount() {
+  const stats = loadStats();
+  const today = todayKey();
+  if (!stats.dailyBlocks) stats.dailyBlocks = {};
+  // Clean old dates (keep only last 7 days to prevent unbounded growth)
+  const keys = Object.keys(stats.dailyBlocks);
+  if (keys.length > 7) {
+    keys.sort();
+    for (const k of keys.slice(0, keys.length - 7)) {
+      delete stats.dailyBlocks[k];
+    }
+  }
+  stats.dailyBlocks[today] = (stats.dailyBlocks[today] || 0) + 1;
+  saveStats(stats);
+  return stats.dailyBlocks[today];
+}
+
+/**
+ * If the user is free-tier and has exceeded daily block limit, downgrade
+ * a deny result to a warn with an upgrade CTA. Returns null if no cap applies.
+ */
+function applyDailyBlockCap(denyResult) {
+  // Pro, trial, CI, and THUMBGATE_NO_RATE_LIMIT users are uncapped
+  if (isProTier()) return null;
+  if (process.env.CI || process.env.GITHUB_ACTIONS) return null;
+
+  const todayCount = getTodayBlockCount();
+  if (todayCount < FREE_TIER_DAILY_BLOCKS) {
+    // Under limit: allow the block, increment counter
+    incrementTodayBlockCount();
+    return null;
+  }
+
+  // Over limit: downgrade deny → warn with upgrade CTA
+  const remaining = 0;
+  return {
+    decision: 'warn',
+    gate: denyResult.gate,
+    message: `⚠️ ${denyResult.message}\n\n🔓 Daily protection limit reached (${FREE_TIER_DAILY_BLOCKS}/${FREE_TIER_DAILY_BLOCKS} blocks used). This action was allowed through. Upgrade for unlimited protection: https://thumbgate.ai/go/pro`,
+    severity: denyResult.severity,
+    reasoning: (denyResult.reasoning || []).concat([
+      `Free-tier daily block limit (${FREE_TIER_DAILY_BLOCKS}) exceeded — deny downgraded to warn`,
+    ]),
+    dailyBlockCapApplied: true,
+  };
+}
+
 // ---------------------------------------------------------------------------
 // Reasoning chain builder
 // ---------------------------------------------------------------------------
@@ -1491,11 +1554,19 @@ async function evaluateGatesAsync(toolName, toolInput, configPath) {
     });
 
     if (gate.action === 'block') {
+      const denyResult = { decision: 'deny', gate: gate.id, message, severity: gate.severity, reasoning };
+      // Free-tier daily block cap: after N blocks/day, deny → warn + upgrade CTA
+      const cappedResult = applyDailyBlockCap(denyResult);
+      if (cappedResult) {
+        recordStat(gate.id, 'warn', gate);
+        const auditRecord = recordAuditEvent({ toolName, toolInput, decision: 'warn', gateId: gate.id, message: cappedResult.message, severity: gate.severity, source: 'gates-engine', dailyBlockCapApplied: true });
+        auditToFeedback(auditRecord);
+        return cappedResult;
+      }
       recordStat(gate.id, 'block', gate);
-      const result = { decision: 'deny', gate: gate.id, message, severity: gate.severity, reasoning };
       const auditRecord = recordAuditEvent({ toolName, toolInput, decision: 'deny', gateId: gate.id, message, severity: gate.severity, source: 'gates-engine' });
       auditToFeedback(auditRecord);
-      return result;
+      return denyResult;
     }
 
     if (gate.action === 'approve') {
@@ -1653,11 +1724,19 @@ function evaluateGates(toolName, toolInput, configPath) {
     const reasoning = buildReasoning(gate, toolName, toolInput, matchDetails);
 
     if (gate.action === 'block') {
+      const denyResult = { decision: 'deny', gate: gate.id, message, severity: gate.severity, reasoning };
+      // Free-tier daily block cap: after N blocks/day, deny → warn + upgrade CTA
+      const cappedResult = applyDailyBlockCap(denyResult);
+      if (cappedResult) {
+        recordStat(gate.id, 'warn', gate);
+        const auditRecord = recordAuditEvent({ toolName, toolInput, decision: 'warn', gateId: gate.id, message: cappedResult.message, severity: gate.severity, source: 'gates-engine', dailyBlockCapApplied: true });
+        auditToFeedback(auditRecord);
+        return cappedResult;
+      }
       recordStat(gate.id, 'block', gate);
-      const result = { decision: 'deny', gate: gate.id, message, severity: gate.severity, reasoning };
       const auditRecord = recordAuditEvent({ toolName, toolInput, decision: 'deny', gateId: gate.id, message, severity: gate.severity, source: 'gates-engine' });
       auditToFeedback(auditRecord);
-      return result;
+      return denyResult;
     }
 
     if (gate.action === 'approve') {
@@ -1856,6 +1935,35 @@ function buildReminderOutput(context) {
   };
 }
 
+// ---------------------------------------------------------------------------
+// Upgrade nudge: surfaces Pro value at usage milestones and trial expiry.
+// Block-action Pro CTA: brief upgrade mention after a deny/warn decision.
+// Highest-intent moment — user just saw ThumbGate save them from a mistake.
+// ---------------------------------------------------------------------------
+
+function buildBlockActionProCta() {
+  try {
+    if (process.env.THUMBGATE_NO_NUDGE === '1') return null;
+    if (process.env.CI || process.env.GITHUB_ACTIONS) return null;
+    if (isProTier()) return null;
+    if (isInTrialPeriod()) return null; // Already have full access
+
+    const stats = loadStats();
+    const totalBlocks = stats.blocked || 0;
+    if (totalBlocks < 5) return null; // Too early — let them experience the product
+
+    if (totalBlocks < 25) {
+      return '\n\n💡 Pro: sync rules across machines + dashboard analytics → thumbgate.ai/go/pro';
+    }
+    if (totalBlocks < 100) {
+      return `\n\n💡 ${totalBlocks} actions blocked. Pro keeps rules in sync everywhere → thumbgate.ai/go/pro ($19/mo)`;
+    }
+    return `\n\n💡 ${totalBlocks} mistakes caught. Your team could use this → thumbgate.ai/go/pro`;
+  } catch (_) {
+    return null;
+  }
+}
+
 function formatOutput(result, behavioralContext) {
   if (!result) {
     // No gate matched — inject behavioral context if available
@@ -1874,11 +1982,12 @@ function formatOutput(result, behavioralContext) {
   if (result.decision === 'deny') {
     const reminder = behavioralContext ? buildReminderOutput(behavioralContext) : {};
     const reminderSuffix = behavioralContext ? `\n\nSystem reminder:\n${behavioralContext}` : '';
+    const proCta = buildBlockActionProCta() || '';
     return JSON.stringify({
       hookSpecificOutput: {
         ...reminder,
         permissionDecision: 'deny',
-        permissionDecisionReason: `[GATE:${result.gate}] ${result.message}${reasoningSuffix}${reminderSuffix}`,
+        permissionDecisionReason: `[GATE:${result.gate}] ${result.message}${reasoningSuffix}${reminderSuffix}${proCta}`,
       },
     });
   }
@@ -2468,6 +2577,10 @@ module.exports = {
   isRemoteSideEffectCommand,
   evaluateLocalOnlyRemoteSideEffectGate,
   PR_THREAD_RESOLUTION_ACTION,
+  buildBlockActionProCta,
+  applyDailyBlockCap,
+  getTodayBlockCount,
+  incrementTodayBlockCount,
 };
 
 // ---------------------------------------------------------------------------

package/scripts/meta-agent-loop.js

@@ -282,6 +282,8 @@ function buildPromotedGate(candidate, metrics, runId) {
     occurrences: metrics.hits,
     promotedAt: new Date().toISOString(),
     source: 'meta-agent',
+    // origin distinguishes silent-failure-clustered candidates from feedback-derived ones
+    origin: candidate.origin || 'user-feedback',
     runId,
     score: parseFloat(metrics.score.toFixed(3)),
     hitRate: parseFloat(metrics.hitRate.toFixed(3)),
@@ -371,6 +373,34 @@ async function runMetaAgentLoop({ dryRun = false, verbose = false } = {}) {
     candidates = generateCandidatesHeuristic(failures, blockPatterns);
   }
 
+  // Tag existing-pipeline candidates with their origin so downstream precision
+  // measurement (silentFailureDerivedGates vs user-feedback-derived) is possible.
+  candidates = candidates.map((c) => (c.origin ? c : { ...c, origin: 'user-feedback' }));
+
+  // Step 3b: Silent-failure clustering — behind THUMBGATE_SILENT_FAILURE_CLUSTERING=1.
+  // Candidates flow through the SAME scoring / fp-rate eval below; we do not
+  // bypass any guardrail. Off by default to preserve existing behavior.
+  let silentFailureStats = null;
+  if (process.env.THUMBGATE_SILENT_FAILURE_CLUSTERING === '1') {
+    try {
+      const { generateSilentFailureCandidates } = require('./silent-failure-cluster');
+      const sfResult = generateSilentFailureCandidates({ feedbackLogPath });
+      silentFailureStats = sfResult.stats;
+      if (sfResult.candidates && sfResult.candidates.length > 0) {
+        candidates = candidates.concat(sfResult.candidates);
+      }
+      if (verbose) {
+        process.stdout.write(
+          `[meta-agent] silent-failure-cluster: candidates=${sfResult.candidates.length} `
+          + `failed=${sfResult.stats.failedCalls} clusters=${sfResult.stats.clusters} `
+          + `skipped=${sfResult.stats.skippedReason || 'none'}\n`
+        );
+      }
+    } catch (err) {
+      if (verbose) process.stdout.write(`[meta-agent] silent-failure-cluster failed (non-fatal): ${err.message}\n`);
+    }
+  }
+
   if (verbose) {
     process.stdout.write(`[meta-agent] candidates generated: ${candidates.length} (mode=${analysisMode})\n`);
   }
@@ -507,6 +537,8 @@ async function runMetaAgentLoop({ dryRun = false, verbose = false } = {}) {
         skipped: evolutionResult.skipped || false,
       }
       : null,
+    silentFailureCluster: silentFailureStats,
+    silentFailureDerivedGates: promotedGates.filter((g) => g.origin === 'silent-failure-cluster').length,
   };
 
   if (!dryRun) {

package/scripts/pro-local-dashboard.js

@@ -16,7 +16,7 @@ const CREATOR_SYNTHETIC_KEY = process.env.THUMBGATE_DEV_KEY || '';
  *   2. Env var: THUMBGATE_DEV_BYPASS=[set via THUMBGATE_DEV_SECRET env var]
  * Requires a specific non-obvious value (not boolean) to prevent accidental activation.
  */
-function isCreatorDev({ env = process.env, homeDir = os.homedir() } = {}) {
+function isCreatorDev({ env = process.env, homeDir = env.HOME || env.USERPROFILE || os.homedir() } = {}) {
   // Layer 1: env var with specific value
   if (CREATOR_BYPASS_VALUE && String(env[CREATOR_BYPASS_ENV] || '') === CREATOR_BYPASS_VALUE) {
     return true;
@@ -37,7 +37,7 @@ function isCreatorDev({ env = process.env, homeDir = os.homedir() } = {}) {
  * with any non-empty bypass value. No env var needed — just the config file.
  * Used by the server to skip auth on localhost during local development.
  */
-function hasDevOverride(homeDir = os.homedir()) {
+function hasDevOverride(homeDir = process.env.HOME || process.env.USERPROFILE || os.homedir()) {
   // Disabled during test runs to avoid interfering with auth assertions
   if (process.env.NODE_TEST_CONTEXT || process.env.THUMBGATE_TESTING) return false;
   try {
@@ -47,11 +47,11 @@ function hasDevOverride(homeDir = os.homedir()) {
   } catch { return false; }
 }
 
-function getLicenseDir(homeDir = os.homedir()) {
+function getLicenseDir(homeDir = process.env.HOME || process.env.USERPROFILE || os.homedir()) {
   return path.join(homeDir, '.thumbgate');
 }
 
-function getLicensePath(homeDir = os.homedir()) {
+function getLicensePath(homeDir = process.env.HOME || process.env.USERPROFILE || os.homedir()) {
   return path.join(getLicenseDir(homeDir), 'license.json');
 }
 

package/scripts/rate-limiter.js

@@ -29,6 +29,7 @@ const FREE_TIER_LIMITS = {
 };
 
 const FREE_TIER_MAX_GATES = 5; // 5 active prevention rules on free; Pro is unlimited
+const FREE_TIER_DAILY_BLOCKS = 10; // 10 gate blocks/day on free; after limit, deny → warn + upgrade CTA
 
 const UPGRADE_MESSAGE = `Pro: ${PRO_PRICE_LABEL} — unlimited rules, recall, lesson search, dashboard, and exports: ${PRO_MONTHLY_PAYMENT_LINK}\n  Team: ${TEAM_PRICE_LABEL} after workflow qualification.`;
 
@@ -45,7 +46,10 @@ function getInstallAgeDays() {
   try {
     const { INSTALL_ID_PATH } = require('./cli-telemetry');
     if (!fs.existsSync(INSTALL_ID_PATH)) return null;
-    const created = fs.statSync(INSTALL_ID_PATH).birthtimeMs || fs.statSync(INSTALL_ID_PATH).mtimeMs;
+    // Use mtimeMs — birthtimeMs is unreliable on Linux (ext4 doesn't backdate creation time).
+    // The install-id file is written once at install, so mtime == creation time in practice.
+    const stat = fs.statSync(INSTALL_ID_PATH);
+    const created = stat.mtimeMs || stat.birthtimeMs;
     if (!Number.isFinite(created) || created <= 0) return null;
     return (Date.now() - created) / (1000 * 60 * 60 * 24);
   } catch (_) {
@@ -211,6 +215,7 @@ function getUsage(action, authContext) {
 module.exports = {
   checkLimit,
   getUsage,
+  getInstallAgeDays,
   isProTier,
   isInTrialPeriod,
   trialDaysRemaining,
@@ -219,6 +224,7 @@ module.exports = {
   todayKey,
   FREE_TIER_LIMITS,
   FREE_TIER_MAX_GATES,
+  FREE_TIER_DAILY_BLOCKS,
   TRIAL_DAYS,
   UPGRADE_MESSAGE,
   PAYWALL_MESSAGES,