thumbgate 1.26.0 → 1.26.2

package/bin/cli.js

@@ -29,6 +29,7 @@
 'use strict';
 
 const fs = require('fs');
+const os = require('os');
 const path = require('path');
 const crypto = require('crypto');
 const { execSync, execFileSync } = require('child_process');
@@ -610,6 +611,91 @@ function detectAgent(projectDir) {
   return null;
 }
 
+async function setupVertex() {
+  const { execSync } = require('child_process');
+  console.log(`\nthumbgate setup-vertex v${pkgVersion()}`);
+  console.log('  Zero-friction Google Cloud & Vertex AI onboarding...');
+  console.log('');
+
+  // 1. Detect gcloud CLI
+  let activeAccount = '';
+  let activeProject = '';
+  try {
+    activeAccount = execSync('gcloud config get-value account', { stdio: ['ignore', 'pipe', 'ignore'] }).toString().trim();
+    activeProject = execSync('gcloud config get-value project', { stdio: ['ignore', 'pipe', 'ignore'] }).toString().trim();
+  } catch (_) {
+    console.log('  ⚠️  Google Cloud SDK (gcloud CLI) not detected or not logged in.');
+    console.log('      To automate setup, install the Google Cloud CLI and run: gcloud auth login');
+    console.log('      Otherwise, manually set the following variables in your .env file:');
+    console.log('      THUMBGATE_PROVIDER_MODE=vertex');
+    console.log('      VERTEX_PROJECT_ID=<your-gcp-project-id>');
+    console.log('');
+    return;
+  }
+
+  if (!activeAccount) {
+    console.log('  ⚠️  No active Google Cloud account set. Run: gcloud auth login');
+    return;
+  }
+
+  console.log(`  Active Account : \x1b[36m${activeAccount}\x1b[0m`);
+  if (!activeProject) {
+    console.log('  ⚠️  No active Google Cloud project set. Run: gcloud config set project <PROJECT_ID>');
+    return;
+  }
+  console.log(`  Active Project : \x1b[36m${activeProject}\x1b[0m`);
+
+  // Validate project ID matches GCP format before use in shell
+  if (!/^[a-z][a-z0-9-]{4,28}[a-z0-9]$/.test(activeProject)) {
+    console.log('  ⚠️  Invalid GCP project ID format. Aborting.');
+    return;
+  }
+
+  // 2. Auto-enable Vertex AI API
+  console.log('  ⚙️  Enabling Vertex AI API in your project (this can take a few seconds)...');
+  try {
+    execSync(`gcloud services enable aiplatform.googleapis.com --project=${activeProject}`, { stdio: 'inherit' });
+    console.log('  ✅  Vertex AI API successfully enabled.');
+  } catch (err) {
+    console.log('  ⚠️  Could not programmatically enable Vertex AI API. Please make sure your billing is open.');
+  }
+
+  // 3. Write env config to .env
+  const envPath = path.join(process.cwd(), '.env');
+  let envContent = '';
+  if (fs.existsSync(envPath)) {
+    envContent = fs.readFileSync(envPath, 'utf8');
+  }
+
+  // Helper to update or append env values
+  function updateEnvKey(content, key, value) {
+    const regex = new RegExp(`^${key}=.*$`, 'm');
+    if (regex.test(content)) {
+      return content.replace(regex, `${key}=${value}`);
+    }
+    return content.trim() + `\n${key}=${value}\n`;
+  }
+
+  let updatedContent = updateEnvKey(envContent, 'THUMBGATE_PROVIDER_MODE', 'vertex');
+  updatedContent = updateEnvKey(updatedContent, 'VERTEX_PROJECT_ID', activeProject);
+
+  fs.writeFileSync(envPath, updatedContent, 'utf8');
+  console.log('  ✅  Wrote configuration to local .env file.');
+
+  // 4. Print gorgeous success activation box
+  console.log('');
+  console.log('  ╭──────────────────────────────────────────────────────────╮');
+  console.log('  │  🎉 Vertex AI Setup Complete — ZERO FRICTION!            │');
+  console.log('  │                                                         │');
+  console.log('  │  ThumbGate is now fully wired to your GCP environment.   │');
+  console.log('  │  All agent checks will route securely via Vertex AI.     │');
+  console.log('  │                                                         │');
+  console.log('  │  Try a test run:                                        │');
+  console.log('  │  npx thumbgate feedback-self-test                       │');
+  console.log('  ╰──────────────────────────────────────────────────────────╯');
+  console.log('');
+}
+
 function quickStart() {
   const qsArgs = parseArgs(process.argv.slice(3));
   const projectDir = process.cwd();
@@ -845,17 +931,12 @@ function init(cliArgs = parseArgs(process.argv.slice(3))) {
   // ---------------------------------------------------------------------------
   console.log('');
   console.log('  ╭──────────────────────────────────────────────────────────╮');
-  console.log('  │  NEXT: Create your first prevention rule (30 seconds)   │');
+  console.log('  │  NEXT: Prove feedback capture works                     │');
   console.log('  │                                                         │');
-  console.log('  │  When your AI agent makes a mistake, capture it:        │');
+  console.log('  │  npx thumbgate feedback-self-test                       │');
   console.log('  │                                                         │');
-  console.log('  │  npx thumbgate capture --feedback=down \\               │');
-  console.log('  │    --context="agent deleted prod config" \\              │');
-  console.log('  │    --what-went-wrong="ran rm on .env" \\                 │');
-  console.log('  │    --what-to-change="never delete .env files"           │');
-  console.log('  │                                                         │');
-  console.log('  │  ThumbGate auto-promotes this to a prevention rule      │');
-  console.log('  │  that blocks the mistake from happening again.          │');
+  console.log('  │  Then dogfood it in chat:                               │');
+  console.log('  │  thumbs down: agent skipped verification                │');
   console.log('  ╰──────────────────────────────────────────────────────────╯');
   console.log('');
   printInitConversionPrompt(onboardingEmail);
@@ -906,13 +987,35 @@ function capture() {
     return;
   }
 
-  const signal = (args.feedback || '').toLowerCase();
+  // Parse pure positional arguments
+  const rawArgv = process.argv.slice(3);
+  const positionalArgs = [];
+  const BOOLEAN_FLAGS = new Set(['--json', '--verbose', '--quiet', '--dry-run', '--stats', '--summary', '--no-nudge', '--help']);
+  for (let i = 0; i < rawArgv.length; i++) {
+    const arg = rawArgv[i];
+    if (arg.startsWith('--')) {
+      if (!arg.includes('=') && !BOOLEAN_FLAGS.has(arg)) {
+        i++;
+      }
+    } else {
+      positionalArgs.push(arg);
+    }
+  }
+
+  let signal = (args.feedback || '').toLowerCase();
+  if (!signal && positionalArgs[0]) {
+    const firstPos = positionalArgs[0].toLowerCase();
+    if (['up', 'down', 'thumbsup', 'thumbsdown', 'thumbs_up', 'thumbs_down', 'positive', 'negative'].some(v => firstPos.includes(v))) {
+      signal = firstPos;
+    }
+  }
+
   const normalized = ['up', 'thumbsup', 'thumbs_up', 'positive'].some(v => signal.includes(v)) ? 'up'
     : ['down', 'thumbsdown', 'thumbs_down', 'negative'].some(v => signal.includes(v)) ? 'down'
     : signal;
 
   if (normalized !== 'up' && normalized !== 'down') {
-    console.error('Missing or unrecognized --feedback=up|down');
+    console.error('Missing or unrecognized --feedback=up|down (or positional argument)');
     process.exit(1);
   }
 
@@ -922,11 +1025,30 @@ function capture() {
     process.exit(1);
   }
 
+  let context = args.context || '';
+  if (!context && positionalArgs[1]) {
+    context = positionalArgs[1];
+  }
+
+  let whatWentWrong = args['what-went-wrong'];
+  if (!whatWentWrong && positionalArgs[2]) {
+    whatWentWrong = positionalArgs[2];
+  } else if (!whatWentWrong && normalized === 'down' && context) {
+    whatWentWrong = context;
+  }
+
+  let whatToChange = args['what-to-change'];
+  if (!whatToChange && positionalArgs[3]) {
+    whatToChange = positionalArgs[3];
+  } else if (!whatToChange && normalized === 'down' && context) {
+    whatToChange = `avoid: ${context}`;
+  }
+
   const result = captureFeedback({
     signal: normalized,
-    context: args.context || '',
-    whatWentWrong: args['what-went-wrong'],
-    whatToChange: args['what-to-change'],
+    context: context,
+    whatWentWrong: whatWentWrong,
+    whatToChange: whatToChange,
     whatWorked: args['what-worked'],
     tags: args.tags,
     gateAction: gateAction || undefined,
@@ -989,6 +1111,116 @@ function capture() {
   }
 }
 
+function readJsonlEntries(filePath) {
+  try {
+    return fs.readFileSync(filePath, 'utf8')
+      .split(/\r?\n/)
+      .map((line) => line.trim())
+      .filter(Boolean)
+      .map((line) => JSON.parse(line));
+  } catch (_) {
+    return [];
+  }
+}
+
+function shellSingleQuote(value) {
+  return `'${String(value).replace(/'/g, `'\\''`)}'`;
+}
+
+function feedbackSelfTest() {
+  const args = parseArgs(process.argv.slice(3));
+  const signalArg = String(args.feedback || args.signal || 'down').toLowerCase();
+  const normalized = ['up', 'thumbsup', 'thumbs_up', 'positive'].some((v) => signalArg.includes(v)) ? 'up'
+    : ['down', 'thumbsdown', 'thumbs_down', 'negative'].some((v) => signalArg.includes(v)) ? 'down'
+    : signalArg;
+
+  if (normalized !== 'up' && normalized !== 'down') {
+    console.error('feedback-self-test needs --feedback=up|down when overriding the default.');
+    process.exit(1);
+  }
+
+  const previousFeedbackDir = process.env.THUMBGATE_FEEDBACK_DIR;
+  const previousNoNudge = process.env.THUMBGATE_NO_NUDGE;
+  const feedbackDir = args['feedback-dir']
+    ? path.resolve(CWD, args['feedback-dir'])
+    : args.persist
+      ? null
+      : fs.mkdtempSync(path.join(os.tmpdir(), 'thumbgate-feedback-self-test-'));
+  const isolated = Boolean(feedbackDir);
+
+  if (feedbackDir) process.env.THUMBGATE_FEEDBACK_DIR = feedbackDir;
+  process.env.THUMBGATE_NO_NUDGE = '1';
+
+  try {
+    const { captureFeedback, getFeedbackPaths } = require(path.join(PKG_ROOT, 'scripts', 'feedback-loop'));
+    const context = args.context || `feedback self-test: typed thumbs ${normalized} reaches ThumbGate capture`;
+    const result = captureFeedback({
+      signal: normalized,
+      context,
+      whatWentWrong: normalized === 'down'
+        ? (args['what-went-wrong'] || 'Need proof that feedback capture is wired in this runtime')
+        : undefined,
+      whatToChange: normalized === 'down'
+        ? (args['what-to-change'] || 'Run a one-command self-test before claiming thumbs feedback is captured')
+        : undefined,
+      whatWorked: normalized === 'up'
+        ? (args['what-worked'] || 'Feedback capture persisted and was verified by a self-test')
+        : undefined,
+      tags: args.tags || 'self-test,dogfood,feedback-capture',
+    });
+
+    const paths = getFeedbackPaths();
+    const feedbackRows = readJsonlEntries(paths.FEEDBACK_LOG_PATH);
+    const memoryRows = readJsonlEntries(paths.MEMORY_LOG_PATH);
+    const feedbackId = result.feedbackEvent && result.feedbackEvent.id;
+    const memoryId = result.memoryRecord && result.memoryRecord.id;
+    const feedbackStored = Boolean(feedbackId && feedbackRows.some((row) => row.id === feedbackId));
+    const memoryStored = Boolean(memoryId && memoryRows.some((row) => row.id === memoryId));
+    const ok = Boolean(result.accepted && feedbackStored && memoryStored);
+
+    const payload = {
+      ok,
+      command: 'feedback-self-test',
+      signal: normalized,
+      accepted: Boolean(result.accepted),
+      feedbackId: feedbackId || null,
+      memoryId: memoryId || null,
+      feedbackStored,
+      memoryStored,
+      isolated,
+      feedbackDir: paths.FEEDBACK_DIR,
+      nextDogfoodCommand: `npx thumbgate capture --feedback=${normalized} --context=${shellSingleQuote(context)}`,
+    };
+
+    if (args.json) {
+      console.log(JSON.stringify(payload, null, 2));
+    } else if (ok) {
+      console.log('\nThumbGate feedback self-test: PASS');
+      console.log('─'.repeat(50));
+      console.log(`  Captured     : ${normalized} (${feedbackId})`);
+      console.log(`  Stored lesson: ${memoryId}`);
+      console.log(`  Storage      : ${paths.FEEDBACK_DIR}`);
+      console.log(`  Mode         : ${isolated ? 'isolated test store' : 'active ThumbGate store'}`);
+      console.log('\nDogfood in chat with:');
+      console.log(`  thumbs ${normalized}: ${context}`);
+    } else {
+      console.log('\nThumbGate feedback self-test: FAIL');
+      console.log('─'.repeat(50));
+      console.log(`  Accepted       : ${payload.accepted}`);
+      console.log(`  Feedback stored: ${feedbackStored}`);
+      console.log(`  Memory stored  : ${memoryStored}`);
+      console.log(`  Storage        : ${paths.FEEDBACK_DIR}`);
+    }
+
+    if (!ok) process.exit(2);
+  } finally {
+    if (previousFeedbackDir === undefined) delete process.env.THUMBGATE_FEEDBACK_DIR;
+    else process.env.THUMBGATE_FEEDBACK_DIR = previousFeedbackDir;
+    if (previousNoNudge === undefined) delete process.env.THUMBGATE_NO_NUDGE;
+    else process.env.THUMBGATE_NO_NUDGE = previousNoNudge;
+  }
+}
+
 function stats() {
   trackEvent('cli_stats', { command: 'stats' });
   const args = parseArgs(process.argv.slice(3));
@@ -2456,12 +2688,14 @@ function help() {
     console.log('');
     console.log('Common commands:');
     console.log('  init                                              Detect agent and wire ThumbGate hooks');
+    console.log('  feedback-self-test                                Prove thumbs capture works locally');
     console.log('  capture --feedback=up|down --context="<text>"    Capture a thumbs signal as a stored lesson');
     console.log('  stats                                             Approval rate, recent trend, blocked-pattern count');
     console.log('  lessons [query]                                   Search promoted lessons');
     console.log('  explore                                           Interactive TUI for lessons, gates, stats');
     console.log('  dashboard                                         Open the local ThumbGate dashboard');
     console.log('  doctor                                            Audit runtime isolation + bootstrap context');
+    console.log('  brain [--write]                                   Build the agent-readable context brain (lessons + rules + gates)');
     console.log('  pro                                               ThumbGate Pro (dashboard, exports, sync)');
     console.log('  subscribe <email>                                 Get the 5-min setup guide + weekly tips by email');
     console.log('');
@@ -2557,6 +2791,7 @@ function help() {
 
   console.log('Examples:');
   console.log('  npx thumbgate init');
+  console.log('  npx thumbgate feedback-self-test');
   console.log('  npx thumbgate status --json');
   console.log('  npx thumbgate explore lessons --json');
   console.log('  npx thumbgate explore gates --json');
@@ -2598,6 +2833,8 @@ const _wantsHelp = _cliSubArgs.includes('--help') || _cliSubArgs.includes('-h');
 const SUBCOMMAND_HELP = {
   capture:       'Usage: npx thumbgate capture --feedback=up|down --context="..." [--what-worked="..."] [--what-went-wrong="..."] [--what-to-change="..."] [--tags=a,b]',
   feedback:      'Usage: npx thumbgate feedback --feedback=up|down --context="..." [--what-worked="..."] [--what-went-wrong="..."] [--what-to-change="..."] [--tags=a,b]',
+  'feedback-self-test': 'Usage: npx thumbgate feedback-self-test [--json] [--persist] [--feedback=up|down]\n\nCapture a synthetic thumbs signal and verify feedback-log + memory-log writes. Defaults to an isolated test store; use --persist to dogfood the active ThumbGate store.',
+  dogfood:       'Usage: npx thumbgate dogfood [--json] [--persist] [--feedback=up|down]\n\nAlias for feedback-self-test.',
   stats:         'Usage: npx thumbgate stats\n\nShow gate enforcement statistics: blocked/warned counts, active gates, time saved.',
   trial:         'Usage: npx thumbgate trial\n\nShow Pro trial status, remaining days, and upgrade path.',
   pro:           'Usage: npx thumbgate pro [--activate <key>]\n\nLaunch the local Pro dashboard or activate a Pro license key.',
@@ -2613,6 +2850,8 @@ const SUBCOMMAND_HELP = {
   suggest:       'Usage: npx thumbgate suggest <gate-id>\n\nSuggest fixes for a specific gate based on lesson history.',
   cost:          'Usage: npx thumbgate cost [--json] [--stats <path>] [--mix \'{"claude-sonnet-4-5":0.8,...}\']\n\nShow cumulative $ and tokens saved by PreToolUse gate blocks. Reads ~/.thumbgate/gate-stats.json.',
   savings:       'Usage: npx thumbgate savings [--json] [--stats <path>] [--mix \'{"claude-sonnet-4-5":0.8,...}\']\n\nAlias for `thumbgate cost`.',
+  'setup-vertex': 'Usage: npx thumbgate setup-vertex\n\nAuto-enable Vertex AI API on GCP and write secure credentials to local .env.',
+  brain: 'Usage: npx thumbgate brain [--write] [--json] [--limit=N]\n\nBuild the agent-readable "context brain" — a single artifact consolidating this\nrepo\'s lessons, prevention rules, active gates, and project context for a coding\nagent to read BEFORE acting. --write saves it to .thumbgate/BRAIN.md (versioned,\ndeterministic). --json emits the structured model. --limit caps lessons (default 15).',
 };
 
 if (_wantsHelp && COMMAND && SUBCOMMAND_HELP[COMMAND]) {
@@ -2620,6 +2859,128 @@ if (_wantsHelp && COMMAND && SUBCOMMAND_HELP[COMMAND]) {
   process.exit(0);
 }
 
+// -----------------------------------------------------------------------------
+// brain — consolidate ThumbGate's institutional memory (lessons + prevention
+// rules + active gates + project context) into a single, versioned,
+// agent-readable "context brain". The persistent context a coding agent should
+// read BEFORE acting, so it stops repeating mistakes. Composes the existing
+// explore-subcommands primitives; output is deterministic (no volatile
+// timestamp) so `.thumbgate/BRAIN.md` diffs only when the underlying memory
+// changes.
+// -----------------------------------------------------------------------------
+function buildBrainModel(opts = {}) {
+  const { exploreLessons, exploreRules, exploreGates } = require(path.join(PKG_ROOT, 'scripts', 'explore-subcommands'));
+  let feedbackDir;
+  try {
+    const { getFeedbackPaths } = require(path.join(PKG_ROOT, 'scripts', 'feedback-loop'));
+    feedbackDir = getFeedbackPaths().FEEDBACK_DIR;
+  } catch (_) { feedbackDir = path.join(CWD, '.thumbgate'); }
+  const limit = Math.max(1, Number(opts.limit) || 15);
+  const safe = (fn, fallback) => { try { return fn(); } catch (_) { return fallback; } };
+  const lessons = safe(() => exploreLessons({ feedbackDir, pkgRoot: PKG_ROOT, limit, json: true }), { lessons: [], total: 0 });
+  const rules = safe(() => exploreRules({ feedbackDir, pkgRoot: PKG_ROOT, json: true }), { rules: [], total: 0 });
+  const gates = safe(() => exploreGates({ feedbackDir, pkgRoot: PKG_ROOT, json: true }), { gates: [], total: 0 });
+  const instructionFiles = ['CLAUDE.md', 'AGENTS.md', 'GEMINI.md', '.cursorrules', '.thumbgate/config.json']
+    .filter((f) => { try { return fs.existsSync(path.join(CWD, f)); } catch (_) { return false; } });
+  return { lessons, rules, gates, project: { root: CWD, instructionFiles } };
+}
+
+function renderBrainMarkdown(model) {
+  const out = [];
+  out.push('# ThumbGate Context Brain');
+  out.push('');
+  out.push('<!-- The persistent context a coding agent should read BEFORE acting in this repo.');
+  out.push('     Generated by `npx thumbgate brain`. Rebuild after capturing feedback. -->');
+  out.push('');
+  out.push('> Institutional memory for AI coding agents working here: what has been');
+  out.push('> learned, what to avoid, and what is enforced. Read this first.');
+  out.push('');
+
+  out.push('## What this codebase taught its agents (lessons)');
+  out.push('');
+  const lessons = (model.lessons && model.lessons.lessons) || [];
+  if (!lessons.length) {
+    out.push('_No lessons captured yet. Run `npx thumbgate capture --feedback=down --context="what failed"`._');
+  } else {
+    for (const l of lessons) {
+      const sig = String(l.signal || '').toLowerCase();
+      const mark = (sig.includes('positive') || sig === 'up') ? '✅' : ((sig.includes('negative') || sig === 'down') ? '⛔' : '•');
+      const enforced = l.confidence === 'active' ? ' _(enforced)_' : '';
+      const ctx = String(l.context || '').replace(/\s+/g, ' ').trim().slice(0, 220);
+      if (ctx) out.push(`- ${mark} ${ctx}${enforced}`);
+    }
+  }
+  out.push('');
+
+  out.push('## Guardrails — do NOT repeat these (prevention rules)');
+  out.push('');
+  const rules = (model.rules && model.rules.rules) || [];
+  if (!rules.length) {
+    out.push('_No prevention rules yet._');
+  } else {
+    for (const r of rules) {
+      out.push(`- **${String(r.title || '').trim()}**`);
+      const body = String(r.body || '').split('\n')[0].trim();
+      if (body && body !== r.title) out.push(`  - ${body.slice(0, 200)}`);
+    }
+  }
+  out.push('');
+
+  out.push('## Active enforcement (gates)');
+  out.push('');
+  const gates = (model.gates && model.gates.gates) || [];
+  if (!gates.length) {
+    out.push('_No active gates._');
+  } else {
+    for (const g of gates) {
+      const occ = g.occurrences ? ` (${g.occurrences}×)` : '';
+      out.push(`- \`${g.pattern || g.id}\` → **${g.action}**${occ}`);
+    }
+  }
+  out.push('');
+
+  out.push('## Project context');
+  out.push('');
+  out.push(`- Repo root: \`${model.project.root}\``);
+  const files = model.project.instructionFiles;
+  out.push(`- Agent instruction files: ${files.length ? files.map((f) => '`' + f + '`').join(', ') : '_none detected_'}`);
+  out.push('');
+  out.push('---');
+  const lt = (model.lessons && model.lessons.total) || 0;
+  const rt = (model.rules && model.rules.total) || 0;
+  const gt = (model.gates && model.gates.total) || 0;
+  out.push(`_${lt} lessons · ${rt} rules · ${gt} gates. Rebuild with \`npx thumbgate brain --write\`._`);
+  out.push('');
+  return out.join('\n');
+}
+
+function cmdBrain(args = {}) {
+  const model = buildBrainModel({ limit: args.limit });
+  if (args.json) { console.log(JSON.stringify(model, null, 2)); return 0; }
+  const md = renderBrainMarkdown(model);
+  if (args.write) {
+    const dir = path.join(CWD, '.thumbgate');
+    const target = path.join(dir, 'BRAIN.md');
+    try {
+      fs.mkdirSync(dir, { recursive: true });
+      fs.writeFileSync(target, md);
+    } catch (err) {
+      // Surface a clean, actionable error instead of an uncaught stack trace
+      // (e.g. permission denied, read-only filesystem).
+      console.error(`Could not write ${target}: ${err && err.message ? err.message : err}`);
+      return 1;
+    }
+    const lt = (model.lessons && model.lessons.total) || 0;
+    const rt = (model.rules && model.rules.total) || 0;
+    const gt = (model.gates && model.gates.total) || 0;
+    console.log(`\u{1f9e0} Wrote context brain to .thumbgate/BRAIN.md (${lt} lessons · ${rt} rules · ${gt} gates).`);
+    console.log('   Point your agent at it: add "Read .thumbgate/BRAIN.md first" to CLAUDE.md / AGENTS.md.');
+    return 0;
+  }
+  process.stdout.write(md);
+  return 0;
+}
+
 switch (COMMAND) {
   case '--version':
   case '-v':
@@ -2666,6 +3027,16 @@ switch (COMMAND) {
     capture();
     upgradeNudge();
     break;
+  case 'feedback-self-test':
+  case 'dogfood':
+    feedbackSelfTest();
+    break;
+  case 'setup-vertex':
+    setupVertex().catch((err) => {
+      console.error(err && err.message ? err.message : err);
+      process.exit(1);
+    });
+    break;
   case 'stats':
     stats();
     upgradeNudge();
@@ -2685,6 +3056,11 @@ switch (COMMAND) {
     // a test runner stubs process.exit (flagged by gitar-bot on PR #2281).
     break;
   }
+  case 'brain': {
+    const brainArgs = parseArgs(process.argv.slice(3));
+    process.exit(cmdBrain(brainArgs));
+    break;
+  }
   case 'billing:setup':
     require(path.join(PKG_ROOT, 'scripts', 'billing-setup'));
     break;

package/config/mcp-allowlists.json

@@ -43,6 +43,9 @@
       "get_branch_governance",
       "approve_protected_action",
       "track_action",
+      "detect_noop",
+      "record_action_receipt",
+      "get_action_receipts",
       "verify_claim",
       "check_operational_integrity",
       "workflow_sentinel",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate",
-  "version": "1.26.0",
+  "version": "1.26.2",
   "description": "ThumbGate self-improving agent governance: thumbs-up/down turns every mistake into a prevention rule and blocks repeat patterns. 36 pre-action checks, budget enforcement, and self-protection for Claude Code, Cursor, Codex, Gemini CLI, and Amp.",
   "homepage": "https://thumbgate.ai",
   "repository": {
@@ -16,6 +16,7 @@
   },
   "files": [
     "scripts/access-anomaly-detector.js",
+    "scripts/action-receipts.js",
     "scripts/activation-tracker.js",
     "scripts/agent-audit-trace.js",
     "scripts/agent-design-governance.js",
@@ -132,7 +133,10 @@
     "scripts/multimodal-retrieval-plan.js",
     "scripts/native-messaging-audit.js",
     "scripts/natural-language-harness.js",
+    "scripts/noop-detect.js",
     "scripts/obsidian-export.js",
+    "scripts/operational-dashboard.js",
+    "scripts/operational-summary.js",
     "scripts/operational-integrity.js",
     "scripts/oss-pr-opportunity-scout.js",
     "scripts/otel-declarative-config.js",
@@ -156,6 +160,7 @@
     "scripts/rag-precision-guardrails.js",
     "scripts/rate-limiter.js",
     "scripts/reasoning-efficiency-guardrails.js",
+    "scripts/repeat-metric.js",
     "scripts/reward-hacking-guardrails.js",
     "scripts/risk-scorer.js",
     "scripts/rlaif-self-audit.js",
@@ -343,7 +348,7 @@
     "social:prospect:bluesky:dry": "node scripts/social-bluesky-prospecting.js --dry-run",
     "social:reply-publish:bluesky:dry": "node scripts/social-reply-monitor-bluesky.js --publish-approved --dry-run",
     "test:python": "python3 -m pytest tests/*.py",
-    "test": "npm run test:python && npm run test:schema && npm run test:loop && npm run test:dpo && npm run test:kto && npm run test:api && npm run test:proof && npm run test:e2e && npm run test:rlaif && npm run test:attribution && npm run test:quality && npm run test:intelligence && npm run test:training-export && npm run test:deployment && npm run test:operational-integrity && npm run test:workflow && npm run test:billing && npm run test:cli && npm run test:watcher && npm run test:autoresearch && npm run test:ops && npm run test:session-analyzer && npm run test:tessl && npm run test:gates && npm run test:evoskill && npm run test:gates-hardening && npm run test:workers && npm run test:social-analytics && npm run test:memalign && npm run test:xmemory-lite && npm run test:filesystem-search && npm run test:zernio && npm run test:platform-limits && npm run test:post-video && npm run test:post-everywhere-instagram && npm run test:post-everywhere-channels && npm run test:post-everywhere-zernio-default && npm run test:zernio-canonical-pollers && npm run test:zernio-status && npm run test:obsidian-export && npm run test:lesson-db && npm run test:lesson-rotation && npm run test:memory-dedup && npm run test:feedback-quality && npm run test:sync-version && npm run test:check-congruence && npm run test:tool-registry && npm run test:feedback-to-rules && npm run test:memory-firewall && npm run test:memory-scope-readiness && npm run test:belief-update && npm run test:hosted-config && npm run test:operational-summary && npm run test:operational-dashboard && npm run test:operator-artifacts && npm run test:operator-key-auth && npm run test:cloudflare-sandbox && npm run test:mcp-config && npm run test:mcp-tool-annotations && npm run test:mcp-oauth && npm run test:mcp-oauth-flow && npm run test:plan-gate && npm run test:pulse && npm run test:semantic-layer && npm run test:data-pipeline && npm run test:optimize-context && npm run test:principle-extractor && npm run test:analytics-window && npm run test:funnel-analytics && npm run test:experiment-tracker && npm run test:build-metadata && npm run test:context-engine && npm run test:hf-papers && npm run test:marketing-experiment && npm run test:seo-gsd && npm run test:verify-run && npm run test:export-dpo-pairs && npm run test:export-hf-dataset && npm run test:license && npm run test:bot-detector && npm run test:audit-pr-bot-contamination && npm run test:stripe-bootstrap-saas-catalog && npm run test:postinstall && npm run test:funnel-invariants && npm run test:cli-telemetry && npm run test:pro-parity && npm run test:model-tier-router && npm run test:computer-use-firewall && npm run test:skill-exporter && npm run test:statusline && npm run test:evolution && npm run test:org-dashboard && npm run test:multi-hop-recall && npm run test:synthetic-dpo && npm run test:thumbgate-skill && npm run test:learn-hub && npm run test:feedback-fallback && npm run test:metaclaw && npm run test:server-lock && npm run test:control-tower && npm run test:pii-scanner && npm run test:data-governance && npm run test:lesson-inference && npm run test:semantic-dedup && npm run test:fs-utils && npm run test:cli-schema && npm run test:explore && npm run test:lesson-reranker && npm run test:lesson-retrieval && npm run test:lesson-semantic-retrieval && npm run test:cross-encoder && npm run test:reflector-agent && npm run test:feedback-session && npm run test:feedback-history-distiller && npm run test:hallucination-detector && npm run test:history-distiller && npm run test:predictive-insights && npm run test:predictive-credible-range && npm run test:prove-predictive-insights && npm run test:statusbar-cli && npm run test:generate-instagram-card && npm run test:instagram-thumbgate-post && npm run test:publish-instagram-thumbgate && npm run test:lesson-synthesis && npm run test:lesson-canonical && npm run test:background-governance && npm run test:memory-migration && npm run test:prompt-dlp && npm run test:ephemeral-store && npm run test:agent-security && npm run test:skill-progressive && npm run test:per-step-scoring && npm run test:weekly-auto-post && npm run test:social-post-hourly && npm run test:social-quality-gate && npm run test:a2ui-engine && npm run test:gate-satisfy && npm run test:money-watcher && npm run test:budget && npm run test:quick-start && npm run test:utm && npm run test:product-feedback && npm run test:feedback-root-consolidator && npm run test:engagement-audit && npm run test:install-growth-automation && npm run test:publish-thumbgate-launch && npm run test:community-course-platform-launch-kit && npm run test:reconcile-thumbgate-campaign && npm run test:reddit-publisher && npm run test:schedule-thumbgate-campaign && npm run test:social-reply-monitor && npm run test:social-dedupe-cleanup && npm run test:sync-launch-assets && npm run test:ai-search-visibility && npm run test:perplexity && npm run test:security-scanner && npm run test:llm-client && npm run test:managed-lesson-agent && npm run test:self-distill && npm run test:meta-agent && npm run test:harness-selector && npm run test:thumbgate-bench && npm run test:seo-guides && npm run test:enforcement-loop && npm run test:cli-agent-experience && npm run test:bot-detection && npm run test:checkout-archived-product-guard && npm run test:postgres-guard && npm run test:checkout-bot-guard && npm run test:checkout-pro-confirmation-gate && npm run test:session-health && npm run test:session-episodes && npm run test:spec-gate && npm run test:decision-trace && npm run test:dashboard-insights && npm run test:telemetry-tracked-link-slug && npm run test:prompt-eval && npm run test:demo-voiceover && npm run test:gate-coherence && npm run test:gate-eval && npm run test:high-roi && npm run test:public-static-assets && npm run test:token-savings && npm run test:numbers-page && npm run test:workflow-gate-checkpoint && npm run test:lesson-export-import && npm run test:landing-page-claims && npm run test:competitive-positioning-marketing && npm run test:medium-weekly && npm run test:dashboard-deeplink-e2e && npm run test:public-package-parity && npm run test:token-savings-dashboard && npm run test:cursor-wiring && npm run test:pretooluse-injection && npm run test:recent-corrective-context && npm run test:durability-step && npm run test:mailer && npm run test:brand-assets && npm run test:enforcement-teeth && npm run test:bayes-optimal-gate && npm run test:swarm-coordinator && npm run test:session-report && npm run test:agent-reasoning-traces && npm run test:judge-reward && npm run test:llm-behavior-monitor && npm run test:prompting-os && npm run test:single-use-credential-gate && npm run test:structured-prompt-driven && npm run test:require-evidence-gate && npm run test:rule-validator && npm run test:bluesky-atproto && npm run test:social-reply-monitor-bluesky && npm run test:bluesky-delete-replies && npm run test:architect-kit-memory-bridge && npm run test:sonar-review-hotspots && npm run test:actionable-remediations && npm run test:gemini-embedding-policy && npm run test:agent-design-governance && npm run test:public-core-boundary && npm run test:hook-stop-verify-deploy && npm run test:hook-stop-anti-claim && npm run test:plausible-server-events && npm run test:activation-tracker && npm run test:unified-revenue-rollup && npm run test:conversion-rate-stats && npm run test:external-customer-audit && npm run test:telemetry-export && npm run test:stripe-checkout-diagnostic && npm run test:stripe-business-identity-probe && npm run test:revenue-observability-doctor && npm run test:public-bundle-ratchet && npm run test:stripe-payment-link-update && npm run test:ci-cd-hygiene-audit && npm run test:verify-marketing-pages-deployed && npm run test:install-email-capture && npm run test:install-shim && npm run test:hook-runtime-subcommands && npm run test:implementation-notes && npm run test:daily-block-cap && npm run test:free-to-paid-conversion-units && npm run test:metrics-real-endpoint && npm run test:cli-trial-and-help && npm run test:cost-cli && npm run test:silent-failure-cluster && npm run test:proof:truth && node --test tests/adaptive-reliability.test.js && npm run test:mcp-oauth-reviewer",
+    "test": "npm run test:python && npm run test:schema && npm run test:loop && npm run test:dpo && npm run test:kto && npm run test:api && npm run test:proof && npm run test:e2e && npm run test:rlaif && npm run test:attribution && npm run test:quality && npm run test:intelligence && npm run test:training-export && npm run test:deployment && npm run test:operational-integrity && npm run test:workflow && npm run test:billing && npm run test:cli && npm run test:watcher && npm run test:autoresearch && npm run test:ops && npm run test:session-analyzer && npm run test:tessl && npm run test:gates && npm run test:evoskill && npm run test:gates-hardening && npm run test:workers && npm run test:social-analytics && npm run test:memalign && npm run test:xmemory-lite && npm run test:filesystem-search && npm run test:zernio && npm run test:platform-limits && npm run test:post-video && npm run test:post-everywhere-instagram && npm run test:post-everywhere-channels && npm run test:post-everywhere-zernio-default && npm run test:zernio-canonical-pollers && npm run test:zernio-status && npm run test:obsidian-export && npm run test:lesson-db && npm run test:lesson-rotation && npm run test:memory-dedup && npm run test:feedback-quality && npm run test:sync-version && npm run test:check-congruence && npm run test:tool-registry && npm run test:repeat-metric && npm run test:noop-detect && npm run test:action-receipts && npm run test:feedback-to-rules && npm run test:memory-firewall && npm run test:memory-scope-readiness && npm run test:belief-update && npm run test:hosted-config && npm run test:operational-summary && npm run test:operational-dashboard && npm run test:operator-artifacts && npm run test:operator-key-auth && npm run test:cloudflare-sandbox && npm run test:mcp-config && npm run test:mcp-tool-annotations && npm run test:mcp-oauth && npm run test:mcp-oauth-flow && npm run test:plan-gate && npm run test:pulse && npm run test:semantic-layer && npm run test:data-pipeline && npm run test:optimize-context && npm run test:principle-extractor && npm run test:analytics-window && npm run test:funnel-analytics && npm run test:experiment-tracker && npm run test:build-metadata && npm run test:context-engine && npm run test:hf-papers && npm run test:marketing-experiment && npm run test:seo-gsd && npm run test:verify-run && npm run test:export-dpo-pairs && npm run test:export-hf-dataset && npm run test:license && npm run test:bot-detector && npm run test:audit-pr-bot-contamination && npm run test:stripe-bootstrap-saas-catalog && npm run test:postinstall && npm run test:funnel-invariants && npm run test:cli-telemetry && npm run test:pro-parity && npm run test:model-tier-router && npm run test:computer-use-firewall && npm run test:skill-exporter && npm run test:statusline && npm run test:evolution && npm run test:org-dashboard && npm run test:multi-hop-recall && npm run test:synthetic-dpo && npm run test:thumbgate-skill && npm run test:learn-hub && npm run test:feedback-fallback && npm run test:metaclaw && npm run test:server-lock && npm run test:control-tower && npm run test:pii-scanner && npm run test:data-governance && npm run test:lesson-inference && npm run test:semantic-dedup && npm run test:fs-utils && npm run test:cli-schema && npm run test:explore && npm run test:lesson-reranker && npm run test:lesson-retrieval && npm run test:lesson-semantic-retrieval && npm run test:cross-encoder && npm run test:reflector-agent && npm run test:feedback-session && npm run test:feedback-history-distiller && npm run test:hallucination-detector && npm run test:history-distiller && npm run test:predictive-insights && npm run test:predictive-credible-range && npm run test:prove-predictive-insights && npm run test:statusbar-cli && npm run test:generate-instagram-card && npm run test:instagram-thumbgate-post && npm run test:publish-instagram-thumbgate && npm run test:lesson-synthesis && npm run test:lesson-canonical && npm run test:background-governance && npm run test:memory-migration && npm run test:prompt-dlp && npm run test:ephemeral-store && npm run test:agent-security && npm run test:skill-progressive && npm run test:per-step-scoring && npm run test:weekly-auto-post && npm run test:social-post-hourly && npm run test:social-quality-gate && npm run test:a2ui-engine && npm run test:gate-satisfy && npm run test:money-watcher && npm run test:budget && npm run test:quick-start && npm run test:utm && npm run test:product-feedback && npm run test:feedback-root-consolidator && npm run test:engagement-audit && npm run test:install-growth-automation && npm run test:publish-thumbgate-launch && npm run test:community-course-platform-launch-kit && npm run test:reconcile-thumbgate-campaign && npm run test:reddit-publisher && npm run test:schedule-thumbgate-campaign && npm run test:social-reply-monitor && npm run test:social-dedupe-cleanup && npm run test:sync-launch-assets && npm run test:ai-search-visibility && npm run test:perplexity && npm run test:security-scanner && npm run test:llm-client && npm run test:managed-lesson-agent && npm run test:self-distill && npm run test:meta-agent && npm run test:harness-selector && npm run test:thumbgate-bench && npm run test:seo-guides && npm run test:enforcement-loop && npm run test:cli-agent-experience && npm run test:bot-detection && npm run test:checkout-archived-product-guard && npm run test:postgres-guard && npm run test:checkout-bot-guard && npm run test:checkout-pro-confirmation-gate && npm run test:session-health && npm run test:session-episodes && npm run test:spec-gate && npm run test:decision-trace && npm run test:dashboard-insights && npm run test:telemetry-tracked-link-slug && npm run test:prompt-eval && npm run test:demo-voiceover && npm run test:gate-coherence && npm run test:gate-eval && npm run test:high-roi && npm run test:public-static-assets && npm run test:token-savings && npm run test:numbers-page && npm run test:workflow-gate-checkpoint && npm run test:lesson-export-import && npm run test:landing-page-claims && npm run test:competitive-positioning-marketing && npm run test:medium-weekly && npm run test:dashboard-deeplink-e2e && npm run test:public-package-parity && npm run test:token-savings-dashboard && npm run test:cursor-wiring && npm run test:pretooluse-injection && npm run test:recent-corrective-context && npm run test:durability-step && npm run test:mailer && npm run test:brand-assets && npm run test:enforcement-teeth && npm run test:bayes-optimal-gate && npm run test:swarm-coordinator && npm run test:session-report && npm run test:agent-reasoning-traces && npm run test:judge-reward && npm run test:llm-behavior-monitor && npm run test:prompting-os && npm run test:single-use-credential-gate && npm run test:structured-prompt-driven && npm run test:require-evidence-gate && npm run test:rule-validator && npm run test:bluesky-atproto && npm run test:social-reply-monitor-bluesky && npm run test:bluesky-delete-replies && npm run test:architect-kit-memory-bridge && npm run test:sonar-review-hotspots && npm run test:actionable-remediations && npm run test:gemini-embedding-policy && npm run test:agent-design-governance && npm run test:public-core-boundary && npm run test:hook-stop-verify-deploy && npm run test:hook-stop-anti-claim && npm run test:plausible-server-events && npm run test:activation-tracker && npm run test:unified-revenue-rollup && npm run test:conversion-rate-stats && npm run test:external-customer-audit && npm run test:telemetry-export && npm run test:stripe-checkout-diagnostic && npm run test:stripe-business-identity-probe && npm run test:revenue-observability-doctor && npm run test:public-bundle-ratchet && npm run test:stripe-payment-link-update && npm run test:ci-cd-hygiene-audit && npm run test:verify-marketing-pages-deployed && npm run test:install-email-capture && npm run test:install-shim && npm run test:hook-runtime-subcommands && npm run test:implementation-notes && npm run test:daily-block-cap && npm run test:free-to-paid-conversion-units && npm run test:metrics-real-endpoint && npm run test:cli-trial-and-help && npm run test:cost-cli && npm run test:silent-failure-cluster && npm run test:proof:truth && node --test tests/adaptive-reliability.test.js && npm run test:mcp-oauth-reviewer && npm run test:dfcx-gate && npm run test:dfcx-gate-server && npm run test:vertex-scorer",
     "test:hook-stop-verify-deploy": "node --test tests/hook-stop-verify-deploy.test.js",
     "test:hook-stop-anti-claim": "node --test tests/hook-stop-anti-claim.test.js",
     "test:plausible-server-events": "node --test tests/plausible-server-events.test.js tests/plausible-poller.test.js",
@@ -396,6 +401,12 @@
     "test:sync-version": "node --test tests/sync-version.test.js",
     "test:check-congruence": "node --test tests/check-congruence.test.js",
     "test:tool-registry": "node --test tests/tool-registry.test.js",
+    "test:dfcx-gate": "node --test tests/dfcx-webhook-gate.test.js",
+    "test:dfcx-gate-server": "node --test tests/dfcx-gate-server.test.js",
+    "test:vertex-scorer": "node --test tests/vertex-scorer.test.js",
+    "test:repeat-metric": "node --test tests/repeat-metric.test.js",
+    "test:noop-detect": "node --test tests/noop-detect.test.js",
+    "test:action-receipts": "node --test tests/action-receipts.test.js",
     "test:learn-hub": "node --test tests/learn-hub.test.js",
     "test:feedback-to-rules": "node --test tests/feedback-to-rules.test.js",
     "test:memory-firewall": "node --test tests/memory-firewall.test.js",

package/public/agents-cost-savings.html

@@ -106,6 +106,7 @@
       <tr><td>Allocate spend to teams / features</td><td>✅</td><td>Per-gate breakdown via <code>byGate</code></td></tr>
       <tr><td>Stop a known-bad tool call before it hits the model</td><td>❌</td><td>✅ — PreToolUse gate fires, no API call made</td></tr>
       <tr><td>Promote a one-off failure into a permanent gate</td><td>❌</td><td>✅ — feedback loop + lesson DB</td></tr>
+      <tr><td>Surface gate candidates from <em>silent</em> failures (where no human ever gave thumbs-down)</td><td>❌</td><td>✅ — unsupervised silent-failure clustering, on by default</td></tr>
       <tr><td>Print conservative $ saved per day</td><td>❌</td><td>✅ — <code>thumbgate cost</code></td></tr>
       <tr><td>K8s pod-level allocation, finance-grade reporting</td><td>✅ (that's their core)</td><td>❌ (not our layer)</td></tr>
     </tbody>
@@ -117,6 +118,7 @@
     <li><strong>Every block is one fewer round trip.</strong> A blocked tool call doesn't reach the model. There's no "ThumbGate intercepted but the request still cost you" — the agent's tool-call execution is replaced with the gate's verdict, and the agent's next reasoning step takes the verdict as context instead of the failed result.</li>
     <li><strong>The avoided retry loop is the bulk of the saving.</strong> Failed tool calls don't just cost the call — they cost the model's next reasoning turn (which sees the failure and tries again), and often a third turn (which tries a different approach). Conservative 2k input + 600 output assumes one retry; in practice it's often more.</li>
     <li><strong>The numbers come from your local <code>gate-stats.json</code>.</strong> Not from a marketing model, not from "what enterprises like you saved." Your machine, your gates, your blocks.</li>
+    <li><strong>You don't have to give thumbs-down for the system to learn.</strong> ThumbGate's unsupervised <em>silent-failure clustering</em> runs by default — it mines your conversation logs for tool calls that failed (non-zero exit code or matched error patterns) but never got an explicit thumbs-down, clusters them by tool + argument shape, and surfaces them as gate candidates. The same false-positive-rate guardrail that vets human-feedback candidates vets these. Lazy users still get the savings. Opt out with <code>THUMBGATE_SILENT_FAILURE_CLUSTERING=0</code> if you want HITL-only.</li>
   </ol>
 
   <h2>Get the number on your machine</h2>