thumbgate 1.26.0 → 1.26.2

package/scripts/meta-agent-loop.js

@@ -377,13 +377,17 @@ async function runMetaAgentLoop({ dryRun = false, verbose = false } = {}) {
   // measurement (silentFailureDerivedGates vs user-feedback-derived) is possible.
   candidates = candidates.map((c) => (c.origin ? c : { ...c, origin: 'user-feedback' }));
 
-  // Step 3b: Silent-failure clustering — behind THUMBGATE_SILENT_FAILURE_CLUSTERING=1.
-  // Candidates flow through the SAME scoring / fp-rate eval below; we do not
-  // bypass any guardrail. Off by default to preserve existing behavior.
+  // Step 3b: Silent-failure clustering — DEFAULT-ON as of 2026-05-21
+  // (flipped from opt-in by PR #2289). Opt out via
+  // THUMBGATE_SILENT_FAILURE_CLUSTERING=0 (or NODE_ENV=test). Candidates flow
+  // through the SAME scoring / fp-rate eval below; we do not bypass any
+  // guardrail. The point of this clustering is to cover the case where users
+  // are lazy and never give thumbs-down — keeping it opt-in meant the users
+  // who need it most never got the benefit.
   let silentFailureStats = null;
-  if (process.env.THUMBGATE_SILENT_FAILURE_CLUSTERING === '1') {
+  const { isSilentFailureClusteringEnabled, generateSilentFailureCandidates } = require('./silent-failure-cluster');
+  if (isSilentFailureClusteringEnabled()) {
     try {
-      const { generateSilentFailureCandidates } = require('./silent-failure-cluster');
       const sfResult = generateSilentFailureCandidates({ feedbackLogPath });
       silentFailureStats = sfResult.stats;
       if (sfResult.candidates && sfResult.candidates.length > 0) {

package/scripts/noop-detect.js

@@ -0,0 +1,285 @@
+'use strict';
+
+// scripts/noop-detect.js
+//
+// No-op / redundant-action detection for ThumbGate.
+//
+// Given an action's pre/post state (file diff, command exit code + output),
+// this module decides whether the action actually changed anything OR whether
+// it is byte-identical to an attempt already seen this session. Both are strong,
+// cheap "the agent is looping" repeat signals that plug into
+// track_action -> prevention_rules.
+//
+// Design goals:
+//   * Pure / file-local. No edits to shared modules from inside here.
+//   * Normalize volatile fields (timestamps, shas, ANSI, trailing whitespace)
+//     before hashing so non-deterministic output does not defeat detection.
+//   * Guard partial writes: a truncated after-state that is a strict prefix of
+//     the before-state must NOT be reported as a no-op.
+//
+// Persistence lives beside session-actions.json (derived from
+// gates-engine.SESSION_ACTIONS_PATH) so it picks up THUMBGATE_STATE_DIR
+// overrides and shares the same TTL semantics.
+
+const crypto = require('crypto');
+const fs = require('fs');
+const path = require('path');
+
+const gatesEngine = require('./gates-engine');
+
+// Match the same 1h session window the engine uses for session actions.
+const ATTEMPT_TTL_MS = 60 * 60 * 1000;
+
+// -- volatile-field normalization ------------------------------------------
+//
+// Each pattern strips a class of non-deterministic noise so that two outputs
+// which differ only by a timestamp / sha / uuid / ANSI color / trailing
+// whitespace hash-equal. Exported so the test suite can assert the contract.
+const VOLATILE_PATTERNS = [
+  // ANSI escape / color codes (e.g. \x1b[0m). Strip first so later patterns
+  // see clean text.
+  { name: 'ansi', re: /\x1b\[[0-9;]*[A-Za-z]/g, replacement: '' },
+  // ISO-8601 timestamps: 2026-05-31T12:34:56(.123)?(Z|+00:00)
+  {
+    name: 'iso8601',
+    re: /\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?/g,
+    replacement: '<TS>',
+  },
+  // UUIDs (dashed form) — must run before the hexblob pattern, otherwise the
+  // trailing 12-char hex segment gets rewritten first and the UUID never matches.
+  {
+    name: 'uuid',
+    re: /\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b/g,
+    replacement: '<UUID>',
+  },
+  // Epoch integers wider than 10 digits (ms/ns timestamps) — run before the
+  // hexblob pattern so all-decimal epochs are not swallowed as hex first.
+  { name: 'epoch', re: /\b\d{11,}\b/g, replacement: '<EPOCH>' },
+  // Long hex blobs (commit shas, uuids without dashes, content hashes): 12+ hex chars.
+  { name: 'hexblob', re: /\b[0-9a-fA-F]{12,}\b/g, replacement: '<HEX>' },
+  // Trailing whitespace is stripped in normalizeVolatile() via a bounded linear
+  // scan (not a regex) to avoid super-linear backtracking on adversarial input.
+];
+
+// Strip trailing spaces/tabs from a single line via a bounded reverse scan.
+// Linear in line length; replaces /[ \t]+$/ without any regex backtracking.
+function stripTrailingSpaceTab(line) {
+  let end = line.length;
+  while (end > 0) {
+    const c = line.charCodeAt(end - 1);
+    if (c !== 32 && c !== 9) break; // 32 = space, 9 = tab
+    end -= 1;
+  }
+  return line.slice(0, end);
+}
+
+// Normalize a string by applying every volatile pattern, then trimming a
+// trailing newline so "foo\n" and "foo" are equivalent.
+function normalizeVolatile(value) {
+  if (value === null || value === undefined) return '';
+  let out = String(value);
+  for (const pattern of VOLATILE_PATTERNS) {
+    out = out.replace(pattern.re, pattern.replacement);
+  }
+  // Strip trailing space/tab per line without a backtracking-prone regex.
+  out = out.split('\n').map(stripTrailingSpaceTab).join('\n');
+  // Normalize CRLF, then strip the trailing run of newlines via a bounded
+  // linear scan (replaces /\n+$/ without regex backtracking).
+  out = out.replace(/\r\n/g, '\n');
+  let end = out.length;
+  while (end > 0 && out.charCodeAt(end - 1) === 10) end -= 1; // 10 = \n
+  return out.slice(0, end);
+}
+
+function sha256(value) {
+  return crypto.createHash('sha256').update(value, 'utf8').digest('hex');
+}
+
+// -- state hashing ----------------------------------------------------------
+//
+// computeActionStateHash produces a single stable fingerprint for an action's
+// observable state. For file actions the fingerprint is the normalized content;
+// for command actions it is exit code + normalized stdout/stderr.
+function computeActionStateHash(action = {}) {
+  const kind = action.kind === 'command' ? 'command' : 'file';
+
+  if (kind === 'command') {
+    const exitCode = action.exitCode === undefined || action.exitCode === null
+      ? ''
+      : String(action.exitCode);
+    const parts = [
+      'command',
+      `exit:${exitCode}`,
+      `stdout:${normalizeVolatile(action.stdout)}`,
+      `stderr:${normalizeVolatile(action.stderr)}`,
+    ];
+    return sha256(parts.join('\x00'));
+  }
+
+  // file kind: hash the relevant content (after-content is the canonical state
+  // for a single snapshot; for diff comparisons detectNoop compares before/after
+  // separately). Include filePath so two unrelated files never collide.
+  const content = action.afterContent !== undefined && action.afterContent !== null
+    ? action.afterContent
+    : action.beforeContent;
+  const parts = [
+    'file',
+    `path:${action.filePath || ''}`,
+    `content:${normalizeVolatile(content)}`,
+  ];
+  return sha256(parts.join('\x00'));
+}
+
+// Hash just a content blob for before/after comparison (no path/kind framing).
+function contentHash(content) {
+  return sha256(normalizeVolatile(content));
+}
+
+// -- no-op detection --------------------------------------------------------
+//
+// detectNoop({ before, after }) returns { noop, reason }.
+//   before/after: { kind, filePath, beforeContent/afterContent OR content,
+//                   exitCode, stdout, stderr }
+//
+// We accept a flexible shape: the caller may pass a single action object with
+// beforeContent/afterContent, or split before/after sub-objects. Both forms
+// resolve to the same decision.
+function detectNoop(input = {}) {
+  const before = input.before || {};
+  const after = input.after || {};
+
+  // Determine kind from whichever side declares it (default file).
+  const kind = (before.kind || after.kind || input.kind) === 'command'
+    ? 'command'
+    : 'file';
+
+  if (kind === 'command') {
+    const beforeExit = before.exitCode;
+    const afterExit = after.exitCode;
+    if (beforeExit !== undefined && afterExit !== undefined && beforeExit !== afterExit) {
+      return { noop: false, reason: 'exit-code-changed' };
+    }
+    const beforeOut = contentHash(`${normalizeVolatile(before.stdout)}\x00${normalizeVolatile(before.stderr)}`);
+    const afterOut = contentHash(`${normalizeVolatile(after.stdout)}\x00${normalizeVolatile(after.stderr)}`);
+    if (beforeOut === afterOut) {
+      return { noop: true, reason: 'command-output-unchanged' };
+    }
+    return { noop: false, reason: 'command-output-changed' };
+  }
+
+  // file kind.
+  const beforeContent = before.content !== undefined ? before.content
+    : (before.beforeContent !== undefined ? before.beforeContent : input.beforeContent);
+  const afterContent = after.content !== undefined ? after.content
+    : (after.afterContent !== undefined ? after.afterContent : input.afterContent);
+
+  const beforeStr = beforeContent === undefined || beforeContent === null ? '' : String(beforeContent);
+  const afterStr = afterContent === undefined || afterContent === null ? '' : String(afterContent);
+
+  // Partial-write guard: an after-state that is a strict, shorter prefix of the
+  // before-state is a truncation, not a no-op — even though hashes differ, we
+  // make the intent explicit so callers never mistake it.
+  if (afterStr.length > 0 && afterStr.length < beforeStr.length && beforeStr.startsWith(afterStr)) {
+    return { noop: false, reason: 'partial-write-truncation' };
+  }
+
+  if (contentHash(beforeStr) === contentHash(afterStr)) {
+    return { noop: true, reason: 'file-content-unchanged' };
+  }
+  return { noop: false, reason: 'file-content-changed' };
+}
+
+// -- attempt persistence ----------------------------------------------------
+//
+// Stores (sessionId -> { "actionId\x00stateHash": timestamp }) so a repeated
+// (actionId, stateHash) tuple within the TTL window is a strong repeat signal.
+function attemptsPath() {
+  const sessionActionsPath = gatesEngine.SESSION_ACTIONS_PATH;
+  return path.join(path.dirname(sessionActionsPath), 'noop-attempts.json');
+}
+
+function loadAttempts() {
+  try {
+    const raw = fs.readFileSync(attemptsPath(), 'utf8');
+    const parsed = JSON.parse(raw);
+    if (!parsed || typeof parsed !== 'object') return {};
+    return parsed;
+  } catch (e) {
+    return {};
+  }
+}
+
+function pruneExpired(store, now) {
+  let changed = false;
+  for (const sessionId of Object.keys(store)) {
+    const bucket = store[sessionId];
+    if (!bucket || typeof bucket !== 'object') {
+      delete store[sessionId];
+      changed = true;
+      continue;
+    }
+    for (const key of Object.keys(bucket)) {
+      const ts = bucket[key];
+      if (typeof ts !== 'number' || now - ts >= ATTEMPT_TTL_MS) {
+        delete bucket[key];
+        changed = true;
+      }
+    }
+    if (Object.keys(bucket).length === 0) {
+      delete store[sessionId];
+      changed = true;
+    }
+  }
+  return changed;
+}
+
+function saveAttempts(store) {
+  const file = attemptsPath();
+  fs.mkdirSync(path.dirname(file), { recursive: true });
+  fs.writeFileSync(file, JSON.stringify(store, null, 2) + '\n');
+}
+
+function attemptKey(actionId, stateHash) {
+  return `${String(actionId)}\x00${String(stateHash)}`;
+}
+
+// recordActionAttempt persists that (sessionId, actionId, stateHash) was seen.
+// Returns { recorded: boolean, alreadySeen: boolean }.
+function recordActionAttempt(sessionId, actionId, stateHash) {
+  const sid = String(sessionId || 'default');
+  const now = Date.now();
+  const store = loadAttempts();
+  pruneExpired(store, now);
+
+  if (!store[sid] || typeof store[sid] !== 'object') store[sid] = {};
+  const key = attemptKey(actionId, stateHash);
+  const alreadySeen = Object.prototype.hasOwnProperty.call(store[sid], key);
+  store[sid][key] = now;
+  saveAttempts(store);
+  return { recorded: true, alreadySeen };
+}
+
+// isRepeatAttempt returns true when this exact (actionId, stateHash) tuple was
+// already recorded for this session within the TTL window.
+function isRepeatAttempt(sessionId, actionId, stateHash) {
+  const sid = String(sessionId || 'default');
+  const now = Date.now();
+  const store = loadAttempts();
+  const bucket = store[sid];
+  if (!bucket || typeof bucket !== 'object') return false;
+  const ts = bucket[attemptKey(actionId, stateHash)];
+  if (typeof ts !== 'number') return false;
+  return now - ts < ATTEMPT_TTL_MS;
+}
+
+module.exports = {
+  VOLATILE_PATTERNS,
+  ATTEMPT_TTL_MS,
+  normalizeVolatile,
+  computeActionStateHash,
+  detectNoop,
+  recordActionAttempt,
+  isRepeatAttempt,
+  // Exposed for tests / introspection.
+  attemptsPath,
+};

package/scripts/operational-dashboard.js

@@ -0,0 +1,160 @@
+'use strict';
+
+const { resolveAnalyticsWindow } = require('./analytics-window');
+const { getBillingSummaryLive } = require('./billing');
+const { generateDashboard } = require('./dashboard');
+const { getFeedbackPaths } = require('./feedback-loop');
+const { resolveHostedBillingConfig } = require('./hosted-config');
+const { loadOperatorConfig } = require('./operational-summary');
+
+function normalizeText(value) {
+  if (value === undefined || value === null) return null;
+  const text = String(value).trim();
+  return text || null;
+}
+
+function shouldPreferHostedDashboard() {
+  return String(process.env.THUMBGATE_METRICS_SOURCE || '').trim().toLowerCase() !== 'local';
+}
+
+function resolveHostedDashboardConfig() {
+  const runtimeConfig = resolveHostedBillingConfig();
+  const operatorConfig = loadOperatorConfig();
+  // Match operational-summary's key priority chain so north-star and cfo
+  // authenticate against the same hosted deployment consistently. Prior to
+  // this change, north-star only read THUMBGATE_API_KEY, silently 401'ing
+  // on machines configured via operator.json or THUMBGATE_OPERATOR_KEY.
+  const apiKey = normalizeText(process.env.THUMBGATE_OPERATOR_KEY)
+    || operatorConfig.operatorKey
+    || normalizeText(process.env.THUMBGATE_API_KEY);
+  const apiBaseUrl = normalizeText(process.env.THUMBGATE_BILLING_API_BASE_URL)
+    || operatorConfig.baseUrl
+    || runtimeConfig.billingApiBaseUrl;
+  return {
+    apiBaseUrl,
+    apiKey,
+  };
+}
+
+async function buildOperationalDashboard(options = {}) {
+  const analyticsWindow = resolveAnalyticsWindow(options);
+  const feedbackDir = options.feedbackDir || getFeedbackPaths().FEEDBACK_DIR;
+  const billingSummary = await getBillingSummaryLive(analyticsWindow);
+
+  return generateDashboard(feedbackDir, {
+    analyticsWindow,
+    billingSummary,
+    billingSource: 'live',
+    billingFallbackReason: null,
+  });
+}
+
+async function fetchHostedDashboard(options = {}, config = resolveHostedDashboardConfig()) {
+  const analyticsWindow = resolveAnalyticsWindow(options);
+  if (!shouldPreferHostedDashboard()) {
+    const err = new Error('Hosted operational dashboard is disabled.');
+    err.code = 'hosted_dashboard_disabled';
+    throw err;
+  }
+  if (!config.apiBaseUrl || !config.apiKey) {
+    const err = new Error('Hosted operational dashboard is not configured.');
+    err.code = 'hosted_dashboard_unconfigured';
+    throw err;
+  }
+
+  const requestUrl = new URL('/v1/dashboard', config.apiBaseUrl);
+  requestUrl.searchParams.set('window', analyticsWindow.window);
+  requestUrl.searchParams.set('timezone', analyticsWindow.timeZone);
+  requestUrl.searchParams.set('now', analyticsWindow.now);
+
+  const response = await fetch(requestUrl, {
+    method: 'GET',
+    headers: {
+      authorization: `Bearer ${config.apiKey}`,
+      accept: 'application/json',
+    },
+  });
+
+  if (!response.ok) {
+    const detail = await response.text().catch(() => '');
+    const err = new Error(`Hosted operational dashboard request failed (${response.status}): ${detail || 'unknown error'}`);
+    err.code = 'hosted_dashboard_http_error';
+    err.status = response.status;
+    throw err;
+  }
+
+  return response.json();
+}
+
+async function getOperationalDashboard(options = {}) {
+  const analyticsWindow = resolveAnalyticsWindow(options);
+  try {
+    const data = await fetchHostedDashboard(analyticsWindow);
+    return {
+      source: 'hosted',
+      data,
+      fallbackReason: null,
+      hostedStatus: 200,
+    };
+  } catch (err) {
+    const reason = err && err.message ? err.message : 'hosted_dashboard_unavailable';
+    const status = err && typeof err.status === 'number' ? err.status : null;
+    const code = err && err.code ? err.code : null;
+
+    // Hosted deliberately disabled or never configured — local fallback is
+    // intentional, not a degraded state. Tag as plain 'local'.
+    if (code === 'hosted_dashboard_disabled' || code === 'hosted_dashboard_unconfigured') {
+      return {
+        source: 'local',
+        data: await buildOperationalDashboard(analyticsWindow),
+        fallbackReason: reason,
+        hostedStatus: null,
+      };
+    }
+
+    // Mirror operational-summary: auth failure is the dangerous case. A
+    // dashboard that silently shows $0 revenue (from the local ledger) when
+    // Stripe actually has paid customers is a lie the operator acts on.
+    // Refuse to guess — surface an actionable error.
+    if (status === 401 || status === 403) {
+      const authErr = new Error(
+        `Hosted operational dashboard rejected credentials (HTTP ${status}). ` +
+        `The operator key on this machine does not match the one on the ` +
+        `hosted deployment. Fix: set THUMBGATE_OPERATOR_KEY in this shell, ` +
+        `or update the operatorKey field in ~/.config/thumbgate/operator.json, ` +
+        `to match Railway's THUMBGATE_OPERATOR_KEY. ` +
+        `Running north-star without hosted auth would report local-only ` +
+        `data as ground truth, which may not reflect actual Stripe revenue. ` +
+        `Original response: ${reason}`
+      );
+      authErr.code = 'hosted_dashboard_unauthorized';
+      authErr.status = status;
+      throw authErr;
+    }
+
+    // Non-auth failure — local fallback is still useful for dev workflows,
+    // but tag the source so downstream renderers do not mistake it for
+    // verified hosted truth.
+    //
+    // Log only the status code (trusted) — the full reason contains upstream
+    // response text and is only returned structurally via fallbackReason.
+    console.warn(
+      `[operational-dashboard] Hosted dashboard unreachable (status=${status ?? 'network'}); ` +
+      `falling back to LOCAL-UNVERIFIED state. Numbers below may not reflect actual Stripe revenue.`
+    );
+    return {
+      source: 'local-unverified',
+      data: await buildOperationalDashboard(analyticsWindow),
+      fallbackReason: reason,
+      hostedStatus: status,
+    };
+  }
+}
+
+module.exports = {
+  buildOperationalDashboard,
+  fetchHostedDashboard,
+  getOperationalDashboard,
+  resolveHostedDashboardConfig,
+  shouldPreferHostedDashboard,
+};

package/scripts/operational-summary.js

@@ -0,0 +1,178 @@
+'use strict';
+
+const fs = require('node:fs');
+const path = require('node:path');
+const os = require('node:os');
+const { getBillingSummaryLive } = require('./billing');
+const { resolveAnalyticsWindow } = require('./analytics-window');
+const { resolveHostedBillingConfig } = require('./hosted-config');
+
+// Configure fetch proxy when running behind a corporate/sandbox proxy
+(function configureProxy() {
+  const proxyUrl = process.env.HTTPS_PROXY || process.env.https_proxy
+    || process.env.HTTP_PROXY || process.env.http_proxy;
+  if (!proxyUrl) return;
+  try {
+    const { ProxyAgent, setGlobalDispatcher } = require('undici');
+    setGlobalDispatcher(new ProxyAgent(proxyUrl));
+  } catch {
+    // undici not available — fetch will use default dispatcher
+  }
+}());
+
+const OPERATOR_CONFIG_PATH = path.join(os.homedir(), '.config', 'thumbgate', 'operator.json');
+
+function normalizeText(value) {
+  if (value === undefined || value === null) return null;
+  const text = String(value).trim();
+  return text || null;
+}
+
+function loadOperatorConfig(configPath = OPERATOR_CONFIG_PATH) {
+  try {
+    const raw = fs.readFileSync(configPath, 'utf8');
+    const parsed = JSON.parse(raw);
+    return {
+      operatorKey: normalizeText(parsed.operatorKey),
+      baseUrl: normalizeText(parsed.baseUrl),
+    };
+  } catch {
+    return { operatorKey: null, baseUrl: null };
+  }
+}
+
+function shouldPreferHostedSummary() {
+  return String(process.env.THUMBGATE_METRICS_SOURCE || '').trim().toLowerCase() !== 'local';
+}
+
+function resolveHostedSummaryConfig() {
+  const runtimeConfig = resolveHostedBillingConfig();
+  const operatorConfig = loadOperatorConfig();
+  // Priority: env THUMBGATE_OPERATOR_KEY > local config file > env THUMBGATE_API_KEY
+  const apiKey = normalizeText(process.env.THUMBGATE_OPERATOR_KEY)
+    || operatorConfig.operatorKey
+    || normalizeText(process.env.THUMBGATE_API_KEY);
+  const apiBaseUrl = normalizeText(process.env.THUMBGATE_BILLING_API_BASE_URL)
+    || operatorConfig.baseUrl
+    || runtimeConfig.billingApiBaseUrl;
+  return {
+    apiBaseUrl,
+    apiKey,
+  };
+}
+
+async function fetchHostedBillingSummary(options = {}, config = resolveHostedSummaryConfig()) {
+  const analyticsWindow = resolveAnalyticsWindow(options);
+  if (!shouldPreferHostedSummary()) {
+    const err = new Error('Hosted operational summary is disabled.');
+    err.code = 'hosted_summary_disabled';
+    throw err;
+  }
+  if (!config.apiBaseUrl || !config.apiKey) {
+    const err = new Error('Hosted operational summary is not configured.');
+    err.code = 'hosted_summary_unconfigured';
+    throw err;
+  }
+
+  const requestUrl = new URL('/v1/billing/summary', config.apiBaseUrl);
+  requestUrl.searchParams.set('window', analyticsWindow.window);
+  requestUrl.searchParams.set('timezone', analyticsWindow.timeZone);
+  if (options.now !== undefined && options.now !== null && options.now !== '') {
+    requestUrl.searchParams.set('now', analyticsWindow.now);
+  }
+
+  const response = await fetch(requestUrl, {
+    method: 'GET',
+    headers: {
+      authorization: `Bearer ${config.apiKey}`,
+      accept: 'application/json',
+    },
+  });
+
+  if (!response.ok) {
+    const detail = await response.text().catch(() => '');
+    const err = new Error(`Hosted operational summary request failed (${response.status}): ${detail || 'unknown error'}`);
+    err.code = 'hosted_summary_http_error';
+    err.status = response.status;
+    throw err;
+  }
+
+  return response.json();
+}
+
+async function getOperationalBillingSummary(options = {}) {
+  const analyticsWindow = resolveAnalyticsWindow(options);
+  try {
+    const summary = await fetchHostedBillingSummary(analyticsWindow);
+    return {
+      source: 'hosted',
+      summary,
+      fallbackReason: null,
+      hostedStatus: 200,
+      summaryWindow: analyticsWindow.window,
+    };
+  } catch (err) {
+    const reason = err && err.message ? err.message : 'hosted_summary_unavailable';
+    const status = err && typeof err.status === 'number' ? err.status : null;
+    const code = err && err.code ? err.code : null;
+
+    // Hosted deliberately disabled or never configured — local fallback is
+    // intentional, not a degraded state. Tag as plain 'local'.
+    if (code === 'hosted_summary_disabled' || code === 'hosted_summary_unconfigured') {
+      return {
+        source: 'local',
+        summary: await getBillingSummaryLive(analyticsWindow),
+        fallbackReason: reason,
+        hostedStatus: null,
+        summaryWindow: analyticsWindow.window,
+      };
+    }
+
+    // Auth failure is the most dangerous case: if hosted Stripe data says
+    // we have paid customers and local ledgers are empty, silently returning
+    // "$0.00" is a lie that hides actual revenue. Refuse to guess — surface
+    // an actionable error so the operator fixes the key before any
+    // downstream report renders wrong numbers.
+    if (status === 401 || status === 403) {
+      const authErr = new Error(
+        `Hosted billing summary rejected credentials (HTTP ${status}). ` +
+        `The operator key on this machine does not match the one on the ` +
+        `hosted deployment. Fix: set THUMBGATE_OPERATOR_KEY in this shell, ` +
+        `or update the operatorKey field in ~/.config/thumbgate/operator.json, ` +
+        `to match Railway's THUMBGATE_OPERATOR_KEY. ` +
+        `Running this command without hosted auth would report local-only ` +
+        `data as ground truth, which may not reflect actual Stripe revenue. ` +
+        `Original response: ${reason}`
+      );
+      authErr.code = 'hosted_summary_unauthorized';
+      authErr.status = status;
+      throw authErr;
+    }
+
+    // Non-auth failure (network, 5xx, config) — local fallback is still
+    // useful for dev workflows, but tag the source so downstream renderers
+    // and agents do not mistake it for verified hosted truth.
+    //
+    // Log only the status code (trusted) — the full reason contains upstream
+    // response text and is only returned structurally via fallbackReason.
+    console.warn(
+      `[operational-summary] Hosted billing unreachable (status=${status ?? 'network'}); ` +
+      `falling back to LOCAL-UNVERIFIED state. Numbers below may not reflect actual Stripe revenue.`
+    );
+    return {
+      source: 'local-unverified',
+      summary: await getBillingSummaryLive(analyticsWindow),
+      fallbackReason: reason,
+      hostedStatus: status,
+      summaryWindow: analyticsWindow.window,
+    };
+  }
+}
+
+module.exports = {
+  fetchHostedBillingSummary,
+  getOperationalBillingSummary,
+  resolveHostedSummaryConfig,
+  shouldPreferHostedSummary,
+  loadOperatorConfig,
+};

package/scripts/plan-gate.js

@@ -162,6 +162,17 @@ function evaluatePlanGate(toolName, toolInput, options = {}) {
     };
   }
 
+  // Tier 4: Self-Critique / Risk Mitigation Check (Tip #8)
+  const hasCritique = /(?:critique|self-critique|risk|mitigation|alternative|flaw|weakness|pitfall)/i.test(planContent);
+  if (!hasCritique) {
+    return {
+      decision: 'warn',
+      gate: 'plan-gate-critique-missing',
+      message: '🧐 THUMBGATE: No Self-Critique/Risk Analysis detected in your PLAN.md. Please add a "Critique", "Risks", or "Mitigations" section to evaluate potential flaws in this plan before executing high-risk tools.',
+      severity: 'medium'
+    };
+  }
+
   return null;
 }