thumbgate 1.23.2 → 1.25.1

package/scripts/gates-engine.js

@@ -55,6 +55,9 @@ const {
 const {
   evaluateSecurityScan,
 } = require('./security-scanner');
+const { evaluateSequenceState } = loadOptionalModule('./sequence-guard', () => ({
+  evaluateSequenceState: () => null,
+}));
 const { getAutoGatesPath } = require('./auto-promote-gates');
 const { recordAuditEvent, auditToFeedback } = require('./audit-trail');
 
@@ -2132,8 +2135,9 @@ function buildRecentCorrectiveActionsContext(options = {}) {
 function buildRelevantLessonContext(toolName, toolInput) {
   if (!toolName) return null;
 
-  const { retrieveRelevantLessons } = loadOptionalModule('./lesson-retrieval', () => ({
+  const { retrieveRelevantLessons, calculateRetrievalEntropy } = loadOptionalModule('./lesson-retrieval', () => ({
     retrieveRelevantLessons: () => [],
+    calculateRetrievalEntropy: () => 0,
   }));
 
   // Extract a searchable action context from the tool input
@@ -2142,23 +2146,77 @@ function buildRelevantLessonContext(toolName, toolInput) {
 
   try {
     const lessons = retrieveRelevantLessons(toolName, actionContext, { maxResults: 3 });
-    // retrieveRelevantLessons already filters at relevanceScore > 0.1 internally;
-    // any negative lesson that survives retrieval is relevant enough to surface.
-    const negative = lessons.filter((l) => l.signal === 'negative');
-    if (negative.length === 0) return null;
-
-    const formatted = negative.map((l) => {
-      const title = (l.title || '').replace(/^MISTAKE:\s*/, '').slice(0, 140);
-      const advice = extractAvoidanceAdvice(l.content);
-      return advice ? `  • ${title}\n    → ${advice}` : `  • ${title}`;
-    });
 
-    return `[ThumbGate] Past mistakes relevant to this action — read before proceeding:\n${formatted.join('\n')}`;
+    const entropy = calculateRetrievalEntropy(lessons);
+    if (entropy > 0.7) {
+      recordStat("retrieval_entropy_high", "block");
+      return { decision: "deny", gate: "knowledge-conflict-gate", message: "✗ THUMBGATE: Action blocked due to high Knowledge Entropy (conflicting past lessons).", severity: "high" };
+    }
+    return formatNegativeLessonContext(lessons);
   } catch {
     return null;
   }
 }
 
+/**
+ * Async counterpart of buildRelevantLessonContext: uses HYBRID (dense embeddings +
+ * lexical) retrieval so the agent is warned about semantically-related past mistakes
+ * even when they share no keywords with the current action. Wired into runAsync.
+ * Degrades to the lexical result automatically when no embedder is available.
+ */
+async function buildRelevantLessonContextAsync(toolName, toolInput) {
+  if (!toolName) return null;
+
+  const { retrieveRelevantLessonsAsync, retrieveRelevantLessons, calculateRetrievalEntropy } = loadOptionalModule(
+    './lesson-retrieval',
+    () => ({ retrieveRelevantLessonsAsync: null, retrieveRelevantLessons: () => [], calculateRetrievalEntropy: () => 0 }),
+  );
+
+  const actionContext = extractActionContext(toolName, toolInput);
+  if (!actionContext) return null;
+
+  try {
+    const lessons = retrieveRelevantLessonsAsync
+      ? await retrieveRelevantLessonsAsync(toolName, actionContext, { maxResults: 3 })
+      : retrieveRelevantLessons(toolName, actionContext, { maxResults: 3 });
+    
+    // Knowledge Conflict Detection: if retrieved lessons have high sentiment entropy,
+    // it indicates conflicting past evidence. Block and require human disambiguation.
+    const entropy = calculateRetrievalEntropy(lessons);
+    if (entropy > 0.7) {
+      recordStat('retrieval_entropy_high', 'block');
+      return {
+        decision: 'deny',
+        gate: 'knowledge-conflict-gate',
+        message: '✗ THUMBGATE: Action blocked due to high Knowledge Entropy (conflicting past lessons). Please disambiguate your instructions or verify the intended behavior manually.',
+        severity: 'high',
+      };
+    }
+
+    return formatNegativeLessonContext(lessons);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Shared formatter: render the negative (mistake) lessons that survived retrieval
+ * into the PreToolUse warning block. Retrieval already filters by relevance, so any
+ * negative lesson present is relevant enough to surface.
+ */
+function formatNegativeLessonContext(lessons) {
+  const negative = (lessons || []).filter((l) => l.signal === 'negative');
+  if (negative.length === 0) return null;
+
+  const formatted = negative.map((l) => {
+    const title = (l.title || '').replace(/^MISTAKE:\s*/, '').slice(0, 140);
+    const advice = extractAvoidanceAdvice(l.content);
+    return advice ? `  • ${title}\n    → ${advice}` : `  • ${title}`;
+  });
+
+  return `[ThumbGate] Past mistakes relevant to this action — read before proceeding:\n${formatted.join('\n')}`;
+}
+
 function extractActionContext(toolName, toolInput) {
   if (!toolInput) return toolName;
   const parts = [toolName];
@@ -2196,6 +2254,12 @@ async function runAsync(input) {
 
   const toolName = input.tool_name || '';
   const toolInput = input.tool_input || {};
+
+  const sequenceGuard = evaluateSequenceState(toolName, toolInput);
+  if (sequenceGuard && sequenceGuard.decision === 'deny') {
+    return formatOutput(sequenceGuard);
+  }
+
   const result = await evaluateGatesAsync(toolName, toolInput);
 
   // Attach security warnings to allow/warn results
@@ -2208,11 +2272,18 @@ async function runAsync(input) {
     }
   }
 
+  
   const behavioralContext = buildBehavioralContext();
-  const lessonContext = buildRelevantLessonContext(toolName, toolInput);
+  const lessonContext = await buildRelevantLessonContextAsync(toolName, toolInput);
+  
+  if (lessonContext && lessonContext.decision === "deny") {
+    return formatOutput(lessonContext);
+  }
+  
   const recentContext = buildRecentCorrectiveActionsContext();
   const combinedContext = mergeContextStrings(lessonContext, recentContext, behavioralContext);
   return formatOutput(result, combinedContext);
+
 }
 
 function run(input) {
@@ -2229,6 +2300,12 @@ function run(input) {
 
   const toolName = input.tool_name || '';
   const toolInput = input.tool_input || {};
+
+  const sequenceGuard = evaluateSequenceState(toolName, toolInput);
+  if (sequenceGuard && sequenceGuard.decision === 'deny') {
+    return formatOutput(sequenceGuard);
+  }
+
   const result = evaluateGates(toolName, toolInput);
 
   // Attach security warnings to allow/warn results
@@ -2241,11 +2318,18 @@ function run(input) {
     }
   }
 
+  
   const behavioralContext = buildBehavioralContext();
   const lessonContext = buildRelevantLessonContext(toolName, toolInput);
+  
+  if (lessonContext && lessonContext.decision === "deny") {
+    return formatOutput(lessonContext);
+  }
+  
   const recentContext = buildRecentCorrectiveActionsContext();
   const combinedContext = mergeContextStrings(lessonContext, recentContext, behavioralContext);
   return formatOutput(result, combinedContext);
+
 }
 
 // ---------------------------------------------------------------------------
@@ -2562,6 +2646,7 @@ module.exports = {
   buildBehavioralContext,
   buildRecentCorrectiveActionsContext,
   buildRelevantLessonContext,
+  buildRelevantLessonContextAsync,
   extractActionContext,
   extractAvoidanceAdvice,
   mergeContextStrings,

package/scripts/mcp-oauth.js

@@ -0,0 +1,293 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * mcp-oauth.js — OAuth 2.1 (PKCE) authorization-server machinery for the remote
+ * ThumbGate MCP connector, required by the Claude Connectors Directory
+ * ("Use OAuth 2.0 for authenticated services").
+ *
+ * Pure, dependency-free, IO-free functions + an injectable store, so the full
+ * flow is unit-testable without a network. The HTTP wiring (in src/api/server.js)
+ * is a thin shell over these.
+ *
+ * Implements:
+ *   - RFC 9728 protected-resource metadata
+ *   - RFC 8414 authorization-server metadata
+ *   - RFC 7591 dynamic client registration (open registration)
+ *   - Authorization-code grant with mandatory PKCE S256 (RFC 7636)
+ *   - Bearer access tokens bound to a ThumbGate API key (so existing gating is unchanged)
+ *
+ * SECURITY NOTES:
+ *   - PKCE S256 is mandatory; the plain method is rejected.
+ *   - Auth codes are single-use and short-lived (60s); access tokens TTL-bound.
+ *   - redirect_uri is matched exactly against the registered set.
+ *   - The token never exposes the bound ThumbGate key; it maps server-side only.
+ */
+
+const crypto = require('crypto');
+
+const AUTH_CODE_TTL_MS = 60 * 1000; // 1 minute
+const ACCESS_TOKEN_TTL_MS = 60 * 60 * 1000; // 1 hour
+const DEFAULT_SCOPE = 'mcp:read mcp:write';
+
+// Upper bounds on the in-memory store. The registration and authorization
+// endpoints are reachable pre-auth, so without a cap a malicious caller could
+// grow these Maps unboundedly and exhaust server memory. When a Map is full we
+// evict the oldest entry (FIFO) rather than deny service to legitimate clients.
+const MAX_CLIENTS = 10000;
+const MAX_CODES = 10000;
+const MAX_TOKENS = 50000;
+
+function now() {
+  return Date.now();
+}
+
+function randomToken(bytes = 32) {
+  return crypto.randomBytes(bytes).toString('base64url');
+}
+
+function base64UrlSha256(input) {
+  return crypto.createHash('sha256').update(String(input)).digest('base64url');
+}
+
+/**
+ * Create a fresh in-memory store.
+ *
+ * DURABILITY (known limitation): this uses plain Maps, so a process restart or a
+ * multi-instance / load-balanced deployment will drop issued tokens and
+ * registered clients (clients see 401s, in-flight authorizations break). For
+ * single-instance use this is fine; production multi-tenancy needs a durable,
+ * shared backing (Redis/DB) — tracked as the per-user-data-scoping follow-up.
+ * Entry counts are bounded (see MAX_* and capInsert) to prevent memory
+ * exhaustion from anonymous calls to the registration/authorization endpoints.
+ */
+function createStore() {
+  return {
+    clients: new Map(),
+    codes: new Map(),
+    tokens: new Map(),
+  };
+}
+
+/** Insert into a Map, evicting the oldest entry (FIFO) once `max` is reached. */
+function capInsert(map, key, value, max) {
+  if (map.size >= max && !map.has(key)) {
+    const oldest = map.keys().next().value;
+    if (oldest !== undefined) map.delete(oldest);
+  }
+  map.set(key, value);
+}
+
+// ---------------------------------------------------------------------------
+// Metadata (RFC 9728 / RFC 8414)
+// ---------------------------------------------------------------------------
+
+function trimSlash(u) {
+  // Non-regex trailing-slash strip (avoids a SonarCloud S5852 false-positive on a
+  // provably-linear pattern).
+  let s = String(u || '');
+  while (s.endsWith('/')) s = s.slice(0, -1);
+  return s;
+}
+
+function buildProtectedResourceMetadata(baseUrl) {
+  const base = trimSlash(baseUrl);
+  return {
+    resource: `${base}/mcp`,
+    authorization_servers: [base],
+    bearer_methods_supported: ['header'],
+    scopes_supported: ['mcp:read', 'mcp:write'],
+    resource_documentation: `${base}/docs/connectors`,
+  };
+}
+
+function buildAuthServerMetadata(baseUrl) {
+  const base = trimSlash(baseUrl);
+  return {
+    issuer: base,
+    authorization_endpoint: `${base}/oauth/authorize`,
+    token_endpoint: `${base}/oauth/token`,
+    registration_endpoint: `${base}/oauth/register`,
+    scopes_supported: ['mcp:read', 'mcp:write'],
+    response_types_supported: ['code'],
+    grant_types_supported: ['authorization_code'],
+    code_challenge_methods_supported: ['S256'],
+    token_endpoint_auth_methods_supported: ['none'],
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Dynamic client registration (RFC 7591)
+// ---------------------------------------------------------------------------
+
+// The MCP authorization spec is explicit: "All redirect URIs MUST be either
+// `localhost` or use HTTPS." We therefore accept only HTTPS and loopback
+// (http://localhost | http://127.0.0.1) and reject every other scheme —
+// including native-app custom schemes (myapp://, intent://, etc.), which the MCP
+// profile does not sanction and the real client (Claude) does not use.
+function isAllowedRedirectUri(uri) {
+  const u = String(uri || '');
+  if (/^https:\/\//i.test(u)) return true;
+  if (/^http:\/\/(localhost|127\.0\.0\.1)(:\d+)?(\/|$)/i.test(u)) return true;
+  return false;
+}
+
+function registerClient(store, body = {}) {
+  const redirectUris = Array.isArray(body.redirect_uris) ? body.redirect_uris.filter(Boolean) : [];
+  if (redirectUris.length === 0) {
+    return { error: 'invalid_redirect_uri', error_description: 'redirect_uris is required' };
+  }
+  for (const uri of redirectUris) {
+    if (!isAllowedRedirectUri(uri)) {
+      return { error: 'invalid_redirect_uri', error_description: `unsupported redirect_uri: ${uri}` };
+    }
+  }
+  const clientId = `tg_${randomToken(16)}`;
+  const record = {
+    client_id: clientId,
+    redirect_uris: redirectUris,
+    token_endpoint_auth_method: 'none',
+    grant_types: ['authorization_code'],
+    response_types: ['code'],
+    client_name: typeof body.client_name === 'string' ? body.client_name.slice(0, 200) : 'mcp-client',
+    created_at: now(),
+  };
+  capInsert(store.clients, clientId, record, MAX_CLIENTS);
+  return record;
+}
+
+function getClient(store, clientId) {
+  return store.clients.get(clientId) || null;
+}
+
+// ---------------------------------------------------------------------------
+// Authorization code (PKCE S256)
+// ---------------------------------------------------------------------------
+
+/**
+ * Issue an auth code. `boundKey` is the ThumbGate API key the resulting access
+ * token will act as (resolved by the authorize step once the user consents).
+ */
+function createAuthorizationCode(store, {
+  clientId, redirectUri, codeChallenge, codeChallengeMethod, scope, boundKey, state, resource,
+} = {}) {
+  const client = getClient(store, clientId);
+  if (!client) return { error: 'invalid_client' };
+  if (!client.redirect_uris.includes(redirectUri)) return { error: 'invalid_request', error_description: 'redirect_uri mismatch' };
+  if (codeChallengeMethod !== 'S256') return { error: 'invalid_request', error_description: 'code_challenge_method must be S256' };
+  if (!codeChallenge || String(codeChallenge).length < 16) return { error: 'invalid_request', error_description: 'code_challenge required' };
+
+  const code = randomToken(24);
+  capInsert(store.codes, code, {
+    clientId,
+    redirectUri,
+    codeChallenge,
+    scope: scope || DEFAULT_SCOPE,
+    boundKey: boundKey || '',
+    resource: resource || '', // RFC 8707 resource indicator (the MCP server URL)
+    expiresAt: now() + AUTH_CODE_TTL_MS,
+    used: false,
+  }, MAX_CODES);
+  return { code, state };
+}
+
+function verifyPkce(codeChallenge, codeVerifier) {
+  if (!codeChallenge || !codeVerifier) return false;
+  // RFC 7636: verifier 43–128 chars.
+  if (String(codeVerifier).length < 43 || String(codeVerifier).length > 128) return false;
+  try {
+    return crypto.timingSafeEqual(
+      Buffer.from(base64UrlSha256(codeVerifier)),
+      Buffer.from(String(codeChallenge)),
+    );
+  } catch {
+    return false;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Token exchange + validation
+// ---------------------------------------------------------------------------
+
+function exchangeCode(store, { code, codeVerifier, clientId, redirectUri, resource } = {}) {
+  const entry = store.codes.get(code);
+  if (!entry) return { error: 'invalid_grant', error_description: 'unknown code' };
+  // Single-use + expiry: consume regardless of outcome.
+  store.codes.delete(code);
+  if (entry.used) return { error: 'invalid_grant', error_description: 'code already used' };
+  if (now() > entry.expiresAt) return { error: 'invalid_grant', error_description: 'code expired' };
+  if (entry.clientId !== clientId) return { error: 'invalid_grant', error_description: 'client mismatch' };
+  if (entry.redirectUri !== redirectUri) return { error: 'invalid_grant', error_description: 'redirect_uri mismatch' };
+  if (!verifyPkce(entry.codeChallenge, codeVerifier)) return { error: 'invalid_grant', error_description: 'PKCE verification failed' };
+  // RFC 8707: the resource at token time must match the one bound at authorize time.
+  if (entry.resource && resource && entry.resource !== resource) {
+    return { error: 'invalid_target', error_description: 'resource indicator mismatch' };
+  }
+
+  const accessToken = `tgat_${randomToken(32)}`;
+  capInsert(store.tokens, accessToken, {
+    boundKey: entry.boundKey,
+    scope: entry.scope,
+    clientId,
+    aud: entry.resource || resource || '',
+    expiresAt: now() + ACCESS_TOKEN_TTL_MS,
+  }, MAX_TOKENS);
+  return {
+    access_token: accessToken,
+    token_type: 'Bearer',
+    expires_in: Math.floor(ACCESS_TOKEN_TTL_MS / 1000),
+    scope: entry.scope,
+  };
+}
+
+/** Resolve an access token to its session, or null if invalid/expired. */
+function resolveAccessToken(store, token) {
+  if (!token) return null;
+  const entry = store.tokens.get(token);
+  if (!entry) return null;
+  if (now() > entry.expiresAt) {
+    store.tokens.delete(token);
+    return null;
+  }
+  return { boundKey: entry.boundKey, scope: entry.scope, clientId: entry.clientId, aud: entry.aud };
+}
+
+/**
+ * RFC 8707 audience validation: a token is valid for `expectedResource` only if it
+ * was issued for it (or carries no audience, for back-compat). MCP servers MUST
+ * reject tokens minted for a different resource.
+ */
+function tokenAudienceValid(session, expectedResource) {
+  if (!session) return false;
+  if (!session.aud) return true; // no audience recorded — accept (back-compat)
+  return session.aud === expectedResource;
+}
+
+/** Best-effort GC of expired codes/tokens (call opportunistically). */
+function pruneExpired(store) {
+  const t = now();
+  for (const [k, v] of store.codes) if (t > v.expiresAt) store.codes.delete(k);
+  for (const [k, v] of store.tokens) if (t > v.expiresAt) store.tokens.delete(k);
+}
+
+module.exports = {
+  createStore,
+  buildProtectedResourceMetadata,
+  buildAuthServerMetadata,
+  registerClient,
+  getClient,
+  createAuthorizationCode,
+  verifyPkce,
+  exchangeCode,
+  resolveAccessToken,
+  tokenAudienceValid,
+  pruneExpired,
+  isAllowedRedirectUri,
+  base64UrlSha256,
+  AUTH_CODE_TTL_MS,
+  ACCESS_TOKEN_TTL_MS,
+  DEFAULT_SCOPE,
+  MAX_CLIENTS,
+  MAX_CODES,
+  MAX_TOKENS,
+};

package/scripts/security-scanner.js

@@ -1,6 +1,9 @@
 #!/usr/bin/env node
 'use strict';
 
+const { loadOptionalModule } = require("./private-core-boundary");
+
+
 /**
  * Security Scanner — OWASP-aware static analysis for PreToolUse checks.
  *
@@ -16,6 +19,10 @@
 const fs = require('fs');
 const path = require('path');
 const { recordAuditEvent, auditToFeedback } = require('./audit-trail');
+const { scanInstallCommand, detectSlopsquat } = loadOptionalModule('./slopsquat-guard', () => ({
+  scanInstallCommand: () => ({ detected: false, findings: [] }),
+  detectSlopsquat: () => null,
+}));
 
 // ---------------------------------------------------------------------------
 // Vulnerability pattern definitions (OWASP Top 10 + supply chain)
@@ -277,6 +284,18 @@ function scanDependencyChange(oldContent, newContent) {
             path: 'package.json',
           });
         }
+
+        // Tier 3: Slopsquat Guard — deterministic typosquat detection
+        const slopsquatFinding = detectSlopsquat(pkg, 'npm');
+        if (slopsquatFinding) {
+          findings.push({
+            id: slopsquatFinding.id,
+            category: 'supply-chain',
+            severity: slopsquatFinding.severity,
+            label: slopsquatFinding.label,
+            path: 'package.json',
+          });
+        }
       }
     }
   }
@@ -313,27 +332,68 @@ function scanDependencyChange(oldContent, newContent) {
  * @param {Object} input - Hook input { tool_name, tool_input }
  * @returns {Object|null} Gate result or null if clean
  */
+
+/**
+ * Evaluate slopsquat guard for a Bash command.
+ * @param {string} toolName 
+ * @param {Object} toolInput 
+ * @returns {Object|null}
+ */
+function evaluateSlopsquatScan(toolName, toolInput) {
+  if (toolName !== "Bash") return null;
+  const command = toolInput.command || "";
+  if (!command) return null;
+
+  const { resolveMode, scanInstallCommand } = loadOptionalModule("./slopsquat-guard", () => ({
+    resolveMode: () => "block",
+    scanInstallCommand: () => ({ detected: false, findings: [] }),
+  }));
+
+  const mode = resolveMode();
+  if (mode === "off") return null;
+
+  const result = scanInstallCommand(command);
+  if (!result.detected) return null;
+
+  const hasCritical = result.findings.some(f => f.severity === "critical");
+  const decision = (mode === "block" && hasCritical) ? "deny" : "warn";
+
+  return {
+    decision,
+    gate: "slopsquat-guard",
+    message: "✗ THUMBGATE: " + result.findings[0].label,
+    severity: hasCritical ? "critical" : "high",
+    reasoning: result.findings.map(f => f.label),
+  };
+}
+
 function evaluateSecurityScan(input = {}) {
   const toolName = input.tool_name || input.toolName || '';
   const toolInput = input.tool_input || {};
 
-  // Only scan write-type operations
+  // Only scan write-type operations and Bash commands
   const WRITE_TOOLS = new Set(['Edit', 'Write', 'MultiEdit']);
-  if (!WRITE_TOOLS.has(toolName)) {
+  const IS_BASH = toolName === 'Bash';
+  
+  if (!WRITE_TOOLS.has(toolName) && !IS_BASH) {
     return null;
   }
 
   const filePath = toolInput.file_path || toolInput.path || '';
   const content = toolInput.content || toolInput.new_string || '';
+  const command = toolInput.command || '';
 
-  if (!content) return null;
+  if (!content && !command) return null;
 
-  // Tier 1: Code vulnerability scan
-  const codeResult = scanCode(content, filePath);
+  // Tier 1: Code vulnerability scan (for Edits)
+  let codeResult = { detected: false, findings: [] };
+  if (content) {
+    codeResult = scanCode(content, filePath);
+  }
 
   // Tier 2: Supply chain scan for package.json changes
   let supplyChainResult = { detected: false, findings: [] };
-  if (filePath && path.basename(filePath) === 'package.json') {
+  if (filePath && path.basename(filePath) === 'package.json' && content) {
     let oldContent = '';
     try {
       const absPath = path.isAbsolute(filePath) ? filePath : path.resolve(filePath);
@@ -344,7 +404,14 @@ function evaluateSecurityScan(input = {}) {
     supplyChainResult = scanDependencyChange(oldContent, content);
   }
 
-  const allFindings = [...codeResult.findings, ...supplyChainResult.findings];
+  // Tier 3: Slopsquat Guard for Bash commands
+  let slopsquatResult = { detected: false, findings: [] };
+  if (IS_BASH && command) {
+    const slopsquatGate = evaluateSlopsquatScan(toolName, toolInput);
+    if (slopsquatGate) return slopsquatGate;
+  }
+
+  const allFindings = [...codeResult.findings, ...supplyChainResult.findings, ...slopsquatResult.findings];
   if (allFindings.length === 0) return null;
 
   // Determine overall severity
@@ -359,16 +426,18 @@ function evaluateSecurityScan(input = {}) {
     `[${f.severity.toUpperCase()}] ${f.label}${f.line ? ` (line ${f.line})` : ''}`
   ).join('; ');
 
-  const message = `Security scan detected ${allFindings.length} issue(s) in ${filePath || 'code'}: ${summary}`;
+  const message = `Security scan detected ${allFindings.length} issue(s) in ${filePath || (IS_BASH ? 'command' : 'code')}: ${summary}`;
 
   const reasoning = [
-    `Scanned ${content.length} bytes of content being written to ${filePath || 'unknown file'}`,
+    IS_BASH 
+      ? `Scanned Bash command for slopsquat/typosquat risk: "${command.slice(0, 100)}..."`
+      : `Scanned ${content.length} bytes of content being written to ${filePath || 'unknown file'}`,
     ...allFindings.map(f => `${f.category}/${f.id}: ${f.label}${f.match ? ` — matched: ${f.match.slice(0, 60)}` : ''}`),
   ];
 
   recordAuditEvent({
     toolName,
-    toolInput: { file_path: filePath, content_length: content.length },
+    toolInput: { file_path: filePath, content_length: content.length, command: IS_BASH ? command : undefined },
     decision,
     gateId,
     message,
@@ -439,6 +508,7 @@ function scanGitDiff(diffContent) {
 // ---------------------------------------------------------------------------
 
 module.exports = {
+  evaluateSlopsquatScan,
   VULN_PATTERNS,
   SUPPLY_CHAIN_PATTERNS,
   scanCode,

package/scripts/thompson-sampling.js

@@ -302,24 +302,30 @@ function getCalibration(model) {
 // ---------------------------------------------------------------------------
 
 /**
- * Draw one sample from the Beta posterior for each category via the
- * Marsaglia-Tsang (2000) gamma ratio method. No external library needed.
+ * Draw one sample from the Beta posterior for each category.
+ * Supports temperature scaling to adjust exploitation vs exploration.
  *
- * betaSample(alpha, beta) = gammaSample(alpha) / (gammaSample(alpha) + gammaSample(beta))
+ * Temperature (T):
+ *   T = 1.0 (default) — Standard Thompson Sampling.
+ *   T < 1.0 — Sharper distribution, favors high-reliability categories (exploit).
+ *   T > 1.0 — Flatter distribution, increases uncertainty and exploration.
  *
- * This is the JS equivalent of Python's random.betavariate(alpha, beta).
- * Used for Thompson Sampling action selection (explore via uncertainty).
+ * Implementation: Scales alpha and beta by 1/T.
  *
  * @param {Object} model - Model object containing categories
+ * @param {number} temperature - Scaling factor (default 1.0)
  * @returns {Object} Map of category → float sample in [0, 1]
  */
-function samplePosteriors(model) {
+function samplePosteriors(model, temperature = 1.0) {
   const samples = {};
+  const T = Math.max(0.01, Number(temperature) || 1.0);
+  const invT = 1.0 / T;
+
   for (const [cat, params] of Object.entries(model.categories || {})) {
-    samples[cat] = betaSample(
-      Math.max(params.alpha, 0.01),
-      Math.max(params.beta, 0.01),
-    );
+    // Scale precision by inverse temperature
+    const alpha = Math.max(params.alpha * invT, 0.01);
+    const beta = Math.max(params.beta * invT, 0.01);
+    samples[cat] = betaSample(alpha, beta);
   }
   return samples;
 }