thumbgate 1.26.0 → 1.26.1

package/scripts/meta-agent-loop.js

@@ -377,13 +377,17 @@ async function runMetaAgentLoop({ dryRun = false, verbose = false } = {}) {
   // measurement (silentFailureDerivedGates vs user-feedback-derived) is possible.
   candidates = candidates.map((c) => (c.origin ? c : { ...c, origin: 'user-feedback' }));
 
-  // Step 3b: Silent-failure clustering — behind THUMBGATE_SILENT_FAILURE_CLUSTERING=1.
-  // Candidates flow through the SAME scoring / fp-rate eval below; we do not
-  // bypass any guardrail. Off by default to preserve existing behavior.
+  // Step 3b: Silent-failure clustering — DEFAULT-ON as of 2026-05-21
+  // (flipped from opt-in by PR #2289). Opt out via
+  // THUMBGATE_SILENT_FAILURE_CLUSTERING=0 (or NODE_ENV=test). Candidates flow
+  // through the SAME scoring / fp-rate eval below; we do not bypass any
+  // guardrail. The point of this clustering is to cover the case where users
+  // are lazy and never give thumbs-down — keeping it opt-in meant the users
+  // who need it most never got the benefit.
   let silentFailureStats = null;
-  if (process.env.THUMBGATE_SILENT_FAILURE_CLUSTERING === '1') {
+  const { isSilentFailureClusteringEnabled, generateSilentFailureCandidates } = require('./silent-failure-cluster');
+  if (isSilentFailureClusteringEnabled()) {
     try {
-      const { generateSilentFailureCandidates } = require('./silent-failure-cluster');
       const sfResult = generateSilentFailureCandidates({ feedbackLogPath });
       silentFailureStats = sfResult.stats;
       if (sfResult.candidates && sfResult.candidates.length > 0) {

package/scripts/noop-detect.js

@@ -0,0 +1,285 @@
+'use strict';
+
+// scripts/noop-detect.js
+//
+// No-op / redundant-action detection for ThumbGate.
+//
+// Given an action's pre/post state (file diff, command exit code + output),
+// this module decides whether the action actually changed anything OR whether
+// it is byte-identical to an attempt already seen this session. Both are strong,
+// cheap "the agent is looping" repeat signals that plug into
+// track_action -> prevention_rules.
+//
+// Design goals:
+//   * Pure / file-local. No edits to shared modules from inside here.
+//   * Normalize volatile fields (timestamps, shas, ANSI, trailing whitespace)
+//     before hashing so non-deterministic output does not defeat detection.
+//   * Guard partial writes: a truncated after-state that is a strict prefix of
+//     the before-state must NOT be reported as a no-op.
+//
+// Persistence lives beside session-actions.json (derived from
+// gates-engine.SESSION_ACTIONS_PATH) so it picks up THUMBGATE_STATE_DIR
+// overrides and shares the same TTL semantics.
+
+const crypto = require('crypto');
+const fs = require('fs');
+const path = require('path');
+
+const gatesEngine = require('./gates-engine');
+
+// Match the same 1h session window the engine uses for session actions.
+const ATTEMPT_TTL_MS = 60 * 60 * 1000;
+
+// -- volatile-field normalization ------------------------------------------
+//
+// Each pattern strips a class of non-deterministic noise so that two outputs
+// which differ only by a timestamp / sha / uuid / ANSI color / trailing
+// whitespace hash-equal. Exported so the test suite can assert the contract.
+const VOLATILE_PATTERNS = [
+  // ANSI escape / color codes (e.g. \x1b[0m). Strip first so later patterns
+  // see clean text.
+  { name: 'ansi', re: /\x1b\[[0-9;]*[A-Za-z]/g, replacement: '' },
+  // ISO-8601 timestamps: 2026-05-31T12:34:56(.123)?(Z|+00:00)
+  {
+    name: 'iso8601',
+    re: /\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?/g,
+    replacement: '<TS>',
+  },
+  // UUIDs (dashed form) — must run before the hexblob pattern, otherwise the
+  // trailing 12-char hex segment gets rewritten first and the UUID never matches.
+  {
+    name: 'uuid',
+    re: /\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b/g,
+    replacement: '<UUID>',
+  },
+  // Epoch integers wider than 10 digits (ms/ns timestamps) — run before the
+  // hexblob pattern so all-decimal epochs are not swallowed as hex first.
+  { name: 'epoch', re: /\b\d{11,}\b/g, replacement: '<EPOCH>' },
+  // Long hex blobs (commit shas, uuids without dashes, content hashes): 12+ hex chars.
+  { name: 'hexblob', re: /\b[0-9a-fA-F]{12,}\b/g, replacement: '<HEX>' },
+  // Trailing whitespace is stripped in normalizeVolatile() via a bounded linear
+  // scan (not a regex) to avoid super-linear backtracking on adversarial input.
+];
+
+// Strip trailing spaces/tabs from a single line via a bounded reverse scan.
+// Linear in line length; replaces /[ \t]+$/ without any regex backtracking.
+function stripTrailingSpaceTab(line) {
+  let end = line.length;
+  while (end > 0) {
+    const c = line.charCodeAt(end - 1);
+    if (c !== 32 && c !== 9) break; // 32 = space, 9 = tab
+    end -= 1;
+  }
+  return line.slice(0, end);
+}
+
+// Normalize a string by applying every volatile pattern, then trimming a
+// trailing newline so "foo\n" and "foo" are equivalent.
+function normalizeVolatile(value) {
+  if (value === null || value === undefined) return '';
+  let out = String(value);
+  for (const pattern of VOLATILE_PATTERNS) {
+    out = out.replace(pattern.re, pattern.replacement);
+  }
+  // Strip trailing space/tab per line without a backtracking-prone regex.
+  out = out.split('\n').map(stripTrailingSpaceTab).join('\n');
+  // Normalize CRLF, then strip the trailing run of newlines via a bounded
+  // linear scan (replaces /\n+$/ without regex backtracking).
+  out = out.replace(/\r\n/g, '\n');
+  let end = out.length;
+  while (end > 0 && out.charCodeAt(end - 1) === 10) end -= 1; // 10 = \n
+  return out.slice(0, end);
+}
+
+function sha256(value) {
+  return crypto.createHash('sha256').update(value, 'utf8').digest('hex');
+}
+
+// -- state hashing ----------------------------------------------------------
+//
+// computeActionStateHash produces a single stable fingerprint for an action's
+// observable state. For file actions the fingerprint is the normalized content;
+// for command actions it is exit code + normalized stdout/stderr.
+function computeActionStateHash(action = {}) {
+  const kind = action.kind === 'command' ? 'command' : 'file';
+
+  if (kind === 'command') {
+    const exitCode = action.exitCode === undefined || action.exitCode === null
+      ? ''
+      : String(action.exitCode);
+    const parts = [
+      'command',
+      `exit:${exitCode}`,
+      `stdout:${normalizeVolatile(action.stdout)}`,
+      `stderr:${normalizeVolatile(action.stderr)}`,
+    ];
+    return sha256(parts.join('\x00'));
+  }
+
+  // file kind: hash the relevant content (after-content is the canonical state
+  // for a single snapshot; for diff comparisons detectNoop compares before/after
+  // separately). Include filePath so two unrelated files never collide.
+  const content = action.afterContent !== undefined && action.afterContent !== null
+    ? action.afterContent
+    : action.beforeContent;
+  const parts = [
+    'file',
+    `path:${action.filePath || ''}`,
+    `content:${normalizeVolatile(content)}`,
+  ];
+  return sha256(parts.join('\x00'));
+}
+
+// Hash just a content blob for before/after comparison (no path/kind framing).
+function contentHash(content) {
+  return sha256(normalizeVolatile(content));
+}
+
+// -- no-op detection --------------------------------------------------------
+//
+// detectNoop({ before, after }) returns { noop, reason }.
+//   before/after: { kind, filePath, beforeContent/afterContent OR content,
+//                   exitCode, stdout, stderr }
+//
+// We accept a flexible shape: the caller may pass a single action object with
+// beforeContent/afterContent, or split before/after sub-objects. Both forms
+// resolve to the same decision.
+function detectNoop(input = {}) {
+  const before = input.before || {};
+  const after = input.after || {};
+
+  // Determine kind from whichever side declares it (default file).
+  const kind = (before.kind || after.kind || input.kind) === 'command'
+    ? 'command'
+    : 'file';
+
+  if (kind === 'command') {
+    const beforeExit = before.exitCode;
+    const afterExit = after.exitCode;
+    if (beforeExit !== undefined && afterExit !== undefined && beforeExit !== afterExit) {
+      return { noop: false, reason: 'exit-code-changed' };
+    }
+    const beforeOut = contentHash(`${normalizeVolatile(before.stdout)}\x00${normalizeVolatile(before.stderr)}`);
+    const afterOut = contentHash(`${normalizeVolatile(after.stdout)}\x00${normalizeVolatile(after.stderr)}`);
+    if (beforeOut === afterOut) {
+      return { noop: true, reason: 'command-output-unchanged' };
+    }
+    return { noop: false, reason: 'command-output-changed' };
+  }
+
+  // file kind.
+  const beforeContent = before.content !== undefined ? before.content
+    : (before.beforeContent !== undefined ? before.beforeContent : input.beforeContent);
+  const afterContent = after.content !== undefined ? after.content
+    : (after.afterContent !== undefined ? after.afterContent : input.afterContent);
+
+  const beforeStr = beforeContent === undefined || beforeContent === null ? '' : String(beforeContent);
+  const afterStr = afterContent === undefined || afterContent === null ? '' : String(afterContent);
+
+  // Partial-write guard: an after-state that is a strict, shorter prefix of the
+  // before-state is a truncation, not a no-op — even though hashes differ, we
+  // make the intent explicit so callers never mistake it.
+  if (afterStr.length > 0 && afterStr.length < beforeStr.length && beforeStr.startsWith(afterStr)) {
+    return { noop: false, reason: 'partial-write-truncation' };
+  }
+
+  if (contentHash(beforeStr) === contentHash(afterStr)) {
+    return { noop: true, reason: 'file-content-unchanged' };
+  }
+  return { noop: false, reason: 'file-content-changed' };
+}
+
+// -- attempt persistence ----------------------------------------------------
+//
+// Stores (sessionId -> { "actionId\x00stateHash": timestamp }) so a repeated
+// (actionId, stateHash) tuple within the TTL window is a strong repeat signal.
+function attemptsPath() {
+  const sessionActionsPath = gatesEngine.SESSION_ACTIONS_PATH;
+  return path.join(path.dirname(sessionActionsPath), 'noop-attempts.json');
+}
+
+function loadAttempts() {
+  try {
+    const raw = fs.readFileSync(attemptsPath(), 'utf8');
+    const parsed = JSON.parse(raw);
+    if (!parsed || typeof parsed !== 'object') return {};
+    return parsed;
+  } catch (e) {
+    return {};
+  }
+}
+
+function pruneExpired(store, now) {
+  let changed = false;
+  for (const sessionId of Object.keys(store)) {
+    const bucket = store[sessionId];
+    if (!bucket || typeof bucket !== 'object') {
+      delete store[sessionId];
+      changed = true;
+      continue;
+    }
+    for (const key of Object.keys(bucket)) {
+      const ts = bucket[key];
+      if (typeof ts !== 'number' || now - ts >= ATTEMPT_TTL_MS) {
+        delete bucket[key];
+        changed = true;
+      }
+    }
+    if (Object.keys(bucket).length === 0) {
+      delete store[sessionId];
+      changed = true;
+    }
+  }
+  return changed;
+}
+
+function saveAttempts(store) {
+  const file = attemptsPath();
+  fs.mkdirSync(path.dirname(file), { recursive: true });
+  fs.writeFileSync(file, JSON.stringify(store, null, 2) + '\n');
+}
+
+function attemptKey(actionId, stateHash) {
+  return `${String(actionId)}\x00${String(stateHash)}`;
+}
+
+// recordActionAttempt persists that (sessionId, actionId, stateHash) was seen.
+// Returns { recorded: boolean, alreadySeen: boolean }.
+function recordActionAttempt(sessionId, actionId, stateHash) {
+  const sid = String(sessionId || 'default');
+  const now = Date.now();
+  const store = loadAttempts();
+  pruneExpired(store, now);
+
+  if (!store[sid] || typeof store[sid] !== 'object') store[sid] = {};
+  const key = attemptKey(actionId, stateHash);
+  const alreadySeen = Object.prototype.hasOwnProperty.call(store[sid], key);
+  store[sid][key] = now;
+  saveAttempts(store);
+  return { recorded: true, alreadySeen };
+}
+
+// isRepeatAttempt returns true when this exact (actionId, stateHash) tuple was
+// already recorded for this session within the TTL window.
+function isRepeatAttempt(sessionId, actionId, stateHash) {
+  const sid = String(sessionId || 'default');
+  const now = Date.now();
+  const store = loadAttempts();
+  const bucket = store[sid];
+  if (!bucket || typeof bucket !== 'object') return false;
+  const ts = bucket[attemptKey(actionId, stateHash)];
+  if (typeof ts !== 'number') return false;
+  return now - ts < ATTEMPT_TTL_MS;
+}
+
+module.exports = {
+  VOLATILE_PATTERNS,
+  ATTEMPT_TTL_MS,
+  normalizeVolatile,
+  computeActionStateHash,
+  detectNoop,
+  recordActionAttempt,
+  isRepeatAttempt,
+  // Exposed for tests / introspection.
+  attemptsPath,
+};

package/scripts/operational-dashboard.js

@@ -0,0 +1,160 @@
+'use strict';
+
+const { resolveAnalyticsWindow } = require('./analytics-window');
+const { getBillingSummaryLive } = require('./billing');
+const { generateDashboard } = require('./dashboard');
+const { getFeedbackPaths } = require('./feedback-loop');
+const { resolveHostedBillingConfig } = require('./hosted-config');
+const { loadOperatorConfig } = require('./operational-summary');
+
+function normalizeText(value) {
+  if (value === undefined || value === null) return null;
+  const text = String(value).trim();
+  return text || null;
+}
+
+function shouldPreferHostedDashboard() {
+  return String(process.env.THUMBGATE_METRICS_SOURCE || '').trim().toLowerCase() !== 'local';
+}
+
+function resolveHostedDashboardConfig() {
+  const runtimeConfig = resolveHostedBillingConfig();
+  const operatorConfig = loadOperatorConfig();
+  // Match operational-summary's key priority chain so north-star and cfo
+  // authenticate against the same hosted deployment consistently. Prior to
+  // this change, north-star only read THUMBGATE_API_KEY, silently 401'ing
+  // on machines configured via operator.json or THUMBGATE_OPERATOR_KEY.
+  const apiKey = normalizeText(process.env.THUMBGATE_OPERATOR_KEY)
+    || operatorConfig.operatorKey
+    || normalizeText(process.env.THUMBGATE_API_KEY);
+  const apiBaseUrl = normalizeText(process.env.THUMBGATE_BILLING_API_BASE_URL)
+    || operatorConfig.baseUrl
+    || runtimeConfig.billingApiBaseUrl;
+  return {
+    apiBaseUrl,
+    apiKey,
+  };
+}
+
+async function buildOperationalDashboard(options = {}) {
+  const analyticsWindow = resolveAnalyticsWindow(options);
+  const feedbackDir = options.feedbackDir || getFeedbackPaths().FEEDBACK_DIR;
+  const billingSummary = await getBillingSummaryLive(analyticsWindow);
+
+  return generateDashboard(feedbackDir, {
+    analyticsWindow,
+    billingSummary,
+    billingSource: 'live',
+    billingFallbackReason: null,
+  });
+}
+
+async function fetchHostedDashboard(options = {}, config = resolveHostedDashboardConfig()) {
+  const analyticsWindow = resolveAnalyticsWindow(options);
+  if (!shouldPreferHostedDashboard()) {
+    const err = new Error('Hosted operational dashboard is disabled.');
+    err.code = 'hosted_dashboard_disabled';
+    throw err;
+  }
+  if (!config.apiBaseUrl || !config.apiKey) {
+    const err = new Error('Hosted operational dashboard is not configured.');
+    err.code = 'hosted_dashboard_unconfigured';
+    throw err;
+  }
+
+  const requestUrl = new URL('/v1/dashboard', config.apiBaseUrl);
+  requestUrl.searchParams.set('window', analyticsWindow.window);
+  requestUrl.searchParams.set('timezone', analyticsWindow.timeZone);
+  requestUrl.searchParams.set('now', analyticsWindow.now);
+
+  const response = await fetch(requestUrl, {
+    method: 'GET',
+    headers: {
+      authorization: `Bearer ${config.apiKey}`,
+      accept: 'application/json',
+    },
+  });
+
+  if (!response.ok) {
+    const detail = await response.text().catch(() => '');
+    const err = new Error(`Hosted operational dashboard request failed (${response.status}): ${detail || 'unknown error'}`);
+    err.code = 'hosted_dashboard_http_error';
+    err.status = response.status;
+    throw err;
+  }
+
+  return response.json();
+}
+
+async function getOperationalDashboard(options = {}) {
+  const analyticsWindow = resolveAnalyticsWindow(options);
+  try {
+    const data = await fetchHostedDashboard(analyticsWindow);
+    return {
+      source: 'hosted',
+      data,
+      fallbackReason: null,
+      hostedStatus: 200,
+    };
+  } catch (err) {
+    const reason = err && err.message ? err.message : 'hosted_dashboard_unavailable';
+    const status = err && typeof err.status === 'number' ? err.status : null;
+    const code = err && err.code ? err.code : null;
+
+    // Hosted deliberately disabled or never configured — local fallback is
+    // intentional, not a degraded state. Tag as plain 'local'.
+    if (code === 'hosted_dashboard_disabled' || code === 'hosted_dashboard_unconfigured') {
+      return {
+        source: 'local',
+        data: await buildOperationalDashboard(analyticsWindow),
+        fallbackReason: reason,
+        hostedStatus: null,
+      };
+    }
+
+    // Mirror operational-summary: auth failure is the dangerous case. A
+    // dashboard that silently shows $0 revenue (from the local ledger) when
+    // Stripe actually has paid customers is a lie the operator acts on.
+    // Refuse to guess — surface an actionable error.
+    if (status === 401 || status === 403) {
+      const authErr = new Error(
+        `Hosted operational dashboard rejected credentials (HTTP ${status}). ` +
+        `The operator key on this machine does not match the one on the ` +
+        `hosted deployment. Fix: set THUMBGATE_OPERATOR_KEY in this shell, ` +
+        `or update the operatorKey field in ~/.config/thumbgate/operator.json, ` +
+        `to match Railway's THUMBGATE_OPERATOR_KEY. ` +
+        `Running north-star without hosted auth would report local-only ` +
+        `data as ground truth, which may not reflect actual Stripe revenue. ` +
+        `Original response: ${reason}`
+      );
+      authErr.code = 'hosted_dashboard_unauthorized';
+      authErr.status = status;
+      throw authErr;
+    }
+
+    // Non-auth failure — local fallback is still useful for dev workflows,
+    // but tag the source so downstream renderers do not mistake it for
+    // verified hosted truth.
+    //
+    // Log only the status code (trusted) — the full reason contains upstream
+    // response text and is only returned structurally via fallbackReason.
+    console.warn(
+      `[operational-dashboard] Hosted dashboard unreachable (status=${status ?? 'network'}); ` +
+      `falling back to LOCAL-UNVERIFIED state. Numbers below may not reflect actual Stripe revenue.`
+    );
+    return {
+      source: 'local-unverified',
+      data: await buildOperationalDashboard(analyticsWindow),
+      fallbackReason: reason,
+      hostedStatus: status,
+    };
+  }
+}
+
+module.exports = {
+  buildOperationalDashboard,
+  fetchHostedDashboard,
+  getOperationalDashboard,
+  resolveHostedDashboardConfig,
+  shouldPreferHostedDashboard,
+};

package/scripts/plan-gate.js

@@ -162,6 +162,17 @@ function evaluatePlanGate(toolName, toolInput, options = {}) {
     };
   }
 
+  // Tier 4: Self-Critique / Risk Mitigation Check (Tip #8)
+  const hasCritique = /(?:critique|self-critique|risk|mitigation|alternative|flaw|weakness|pitfall)/i.test(planContent);
+  if (!hasCritique) {
+    return {
+      decision: 'warn',
+      gate: 'plan-gate-critique-missing',
+      message: '🧐 THUMBGATE: No Self-Critique/Risk Analysis detected in your PLAN.md. Please add a "Critique", "Risks", or "Mitigations" section to evaluate potential flaws in this plan before executing high-risk tools.',
+      severity: 'medium'
+    };
+  }
+
   return null;
 }
 

package/scripts/repeat-metric.js

@@ -0,0 +1,121 @@
+'use strict';
+
+// ---------------------------------------------------------------------------
+// repeat-metric — first-class "repeat-attempts blocked before execution" metric
+//
+// This module exposes data ThumbGate already collects in gate-stats state. It
+// does NOT write to disk; it is a pure function over gates-engine.loadStats().
+//
+// The headline number is stats.recurringBlocks — incremented by recordStat()
+// in gates-engine.js every time the SAME gateId fires twice within one session
+// bucket. That is exactly "a pre-action gate fire that stopped a tool call the
+// agent had already been blocked on", i.e. a repeat attempt prevented before it
+// could round-trip and execute.
+// ---------------------------------------------------------------------------
+
+const gatesEngine = require('./gates-engine');
+
+/**
+ * Derive a per-gate { firstBlocks, repeatBlocks } split from the raw stats.
+ *
+ * recordStat() records, per session bucket, which gates have fired
+ * (stats.sessionFiredGates[sessionKey][gateId] === true). The FIRST fire of a
+ * gate in a bucket marks the flag; every subsequent fire in that same bucket
+ * increments stats.recurringBlocks. So for each gate:
+ *   firstBlocks  = number of distinct session buckets the gate fired in
+ *   repeatBlocks = (total block+warn events for the gate) - firstBlocks
+ *
+ * total block+warn events come from stats.byGate[id] (blocked + warned), which
+ * recordStat() also maintains. repeatBlocks is clamped to >= 0 to stay robust
+ * against partially-written / legacy state.
+ *
+ * @param {object} stats raw object returned by gates-engine.loadStats()
+ * @returns {Object<string,{firstBlocks:number, repeatBlocks:number}>}
+ */
+function computeByGateSplit(stats) {
+  const byGate = {};
+  const sessionFiredGates = (stats && stats.sessionFiredGates) || {};
+  const rawByGate = (stats && stats.byGate) || {};
+
+  // Count distinct session buckets each gate fired in => firstBlocks.
+  const firstBlocksByGate = {};
+  for (const sessionKey of Object.keys(sessionFiredGates)) {
+    const fired = sessionFiredGates[sessionKey] || {};
+    for (const gateId of Object.keys(fired)) {
+      if (fired[gateId]) {
+        firstBlocksByGate[gateId] = (firstBlocksByGate[gateId] || 0) + 1;
+      }
+    }
+  }
+
+  // Union of every gate id we know about from either source.
+  const gateIds = new Set([
+    ...Object.keys(rawByGate),
+    ...Object.keys(firstBlocksByGate),
+  ]);
+
+  for (const gateId of gateIds) {
+    const gateStat = rawByGate[gateId] || {};
+    const totalFires = (gateStat.blocked || 0) + (gateStat.warned || 0);
+    const firstBlocks = firstBlocksByGate[gateId] || 0;
+    // Repeat fires are total fires beyond the first fire per session bucket.
+    const repeatBlocks = Math.max(0, totalFires - firstBlocks);
+    byGate[gateId] = { firstBlocks, repeatBlocks };
+  }
+
+  return byGate;
+}
+
+/**
+ * Compute the repeat-attempts-blocked-before-execution metric.
+ *
+ * Pure read of gates-engine.loadStats(); no disk writes.
+ *
+ * @returns {{
+ *   repeatBlocksBeforeExecution: number,
+ *   recurringBlocks: number,
+ *   totalBlocked: number,
+ *   byGate: Object<string,{firstBlocks:number, repeatBlocks:number}>
+ * }}
+ */
+function computeRepeatMetric() {
+  let stats;
+  try {
+    stats = gatesEngine.loadStats() || {};
+  } catch (_) {
+    stats = {};
+  }
+
+  const recurringBlocks = Number(stats.recurringBlocks || 0);
+  const totalBlocked = Number(stats.blocked || 0);
+
+  return {
+    // Headline: a pre-action block that stopped a tool call the agent had
+    // already been blocked on this session.
+    repeatBlocksBeforeExecution: recurringBlocks,
+    recurringBlocks,
+    totalBlocked,
+    byGate: computeByGateSplit(stats),
+  };
+}
+
+/**
+ * Add a `repeat` sub-key to a gate-stats object WITHOUT mutating the original.
+ *
+ * Takes the object returned by gate-stats.calculateStats() or
+ * dashboard.computeGateStats() and returns a shallow copy with the repeat
+ * metric attached. The caller's file does not need to import any internals.
+ *
+ * @param {object} gateStatsObject
+ * @returns {object} copy of gateStatsObject with `.repeat`
+ */
+function mergeRepeatMetricIntoGateStats(gateStatsObject) {
+  const base = gateStatsObject && typeof gateStatsObject === 'object' ? gateStatsObject : {};
+  return Object.assign({}, base, { repeat: computeRepeatMetric() });
+}
+
+module.exports = {
+  computeRepeatMetric,
+  mergeRepeatMetricIntoGateStats,
+  computeByGateSplit,
+};

package/scripts/silent-failure-cluster.js

@@ -4,7 +4,14 @@
 /**
  * Silent-Failure Clustering — Unsupervised candidate source for the meta-agent loop
  *
- * Off by default. Enabled with: THUMBGATE_SILENT_FAILURE_CLUSTERING=1
+ * Default-ON since 2026-05-21. Opt-out with: THUMBGATE_SILENT_FAILURE_CLUSTERING=0
+ * (or set NODE_ENV=test to skip in test runs). Was opt-in for the initial
+ * landing of PR #2285; flipped to default-on because the entire point is to
+ * cover the case where users never give thumbs-down — keeping it opt-in
+ * means lazy users (the ones who need it most) never benefit. Bounded risk:
+ * candidates still flow through meta-agent-loop's existing fp-rate eval, so
+ * a noisy cluster can't auto-promote to a real gate without passing the
+ * same precision/recall thresholds as LLM-generated candidates.
  *
  * Problem: ThumbGate's HITL loop only learns from explicit thumbs-down. Tool calls
  * that fail without user feedback (exit_code != 0, regex-matched error in output,
@@ -460,9 +467,20 @@ function generateSilentFailureCandidates(opts = {}) {
 // CLI
 // ---------------------------------------------------------------------------
 
+/**
+ * Resolve the enabled state. Default ON. Explicit "0" or "false" opts out;
+ * NODE_ENV=test also opts out to keep test runs deterministic.
+ */
+function isSilentFailureClusteringEnabled(env = process.env) {
+  if (env.NODE_ENV === 'test') return false;
+  const raw = (env.THUMBGATE_SILENT_FAILURE_CLUSTERING || '').toLowerCase();
+  if (raw === '0' || raw === 'false' || raw === 'off' || raw === 'no') return false;
+  return true;
+}
+
 async function main() {
-  if (process.env.THUMBGATE_SILENT_FAILURE_CLUSTERING !== '1') {
-    process.stdout.write('silent-failure-cluster: disabled (set THUMBGATE_SILENT_FAILURE_CLUSTERING=1 to enable)\n');
+  if (!isSilentFailureClusteringEnabled()) {
+    process.stdout.write('silent-failure-cluster: disabled (THUMBGATE_SILENT_FAILURE_CLUSTERING=0 or NODE_ENV=test)\n');
     return;
   }
 
@@ -492,6 +510,7 @@ if (require.main === module) {
 
 module.exports = {
   generateSilentFailureCandidates,
+  isSilentFailureClusteringEnabled,
   // exported for testing
   redactSecrets,
   normalizePaths,