thumbgate 1.26.1 → 1.26.3

package/.claude-plugin/marketplace.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate-marketplace",
-  "version": "1.26.1",
+  "version": "1.26.0",
   "owner": {
     "name": "Igor Ganapolsky",
     "email": "ig5973700@gmail.com"
@@ -14,7 +14,7 @@
         "source": "npm",
         "package": "thumbgate"
       },
-      "version": "1.26.1",
+      "version": "1.26.0",
       "author": {
         "name": "Igor Ganapolsky",
         "email": "ig5973700@gmail.com",

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "thumbgate",
   "description": "One 👎 becomes a hard rule the agent cannot bypass. Captures thumbs-down feedback, distills it into PreToolUse Pre-Action Checks, enforced across every future Claude Code session.",
-  "version": "1.26.1",
+  "version": "1.26.0",
   "author": {
     "name": "Igor Ganapolsky",
     "email": "ig5973700@gmail.com",

package/.well-known/mcp/server-card.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate",
-  "version": "1.26.1",
+  "version": "1.26.0",
   "description": "ThumbGate — 👍👎 feedback that teaches your AI agent. Thumbs down a mistake, it never happens again.",
   "homepage": "https://thumbgate.ai",
   "transport": "stdio",

package/adapters/claude/.mcp.json

@@ -2,13 +2,13 @@
   "mcpServers": {
     "thumbgate": {
       "command": "npx",
-      "args": ["--yes", "--package", "thumbgate@1.26.1", "thumbgate", "serve"]
+      "args": ["--yes", "--package", "thumbgate@1.26.0", "thumbgate", "serve"]
     }
   },
   "hooks": {
     "preToolUse": {
       "command": "npx",
-      "args": ["--yes", "--package", "thumbgate@1.26.1", "thumbgate", "gate-check"]
+      "args": ["--yes", "--package", "thumbgate@1.26.0", "thumbgate", "gate-check"]
     }
   }
 }

package/adapters/mcp/server-stdio.js

@@ -77,6 +77,7 @@ const {
   recordActionAttempt,
   isRepeatAttempt,
 } = require('../../scripts/noop-detect');
+const { recordAuditEvent } = require('../../scripts/audit-trail');
 const {
   recordReceipt,
   getReceiptForAction,
@@ -230,7 +231,7 @@ const {
   finalizeSession: finalizeFeedbackSession,
 } = require('../../scripts/feedback-session');
 
-const SERVER_INFO = { name: 'thumbgate-mcp', version: '1.26.1' };
+const SERVER_INFO = { name: 'thumbgate-mcp', version: '1.26.0' };
 const COMMERCE_CATEGORIES = [
   'product_recommendation',
   'brand_compliance',

package/adapters/opencode/opencode.json

@@ -7,7 +7,7 @@
         "npx",
         "--yes",
         "--package",
-        "thumbgate@1.26.1",
+        "thumbgate@1.26.0",
         "thumbgate",
         "serve"
       ],

package/bin/cli.js

@@ -239,6 +239,21 @@ function parseArgs(argv) {
   return args;
 }
 
+function parseTtlMs(value, fallbackMs = 5 * 60 * 1000) {
+  if (value === undefined || value === null || value === true || value === '') return fallbackMs;
+  const raw = String(value).trim().toLowerCase();
+  const match = raw.match(/^(\d+(?:\.\d+)?)(ms|s|m|h)?$/);
+  if (!match) return fallbackMs;
+  const amount = Number(match[1]);
+  if (!Number.isFinite(amount) || amount <= 0) return fallbackMs;
+  const unit = match[2] || 'ms';
+  const factor = unit === 'h' ? 60 * 60 * 1000
+    : unit === 'm' ? 60 * 1000
+      : unit === 's' ? 1000
+        : 1;
+  return Math.round(amount * factor);
+}
+
 function readStdinText() {
   try {
     return fs.readFileSync(0, 'utf8');
@@ -1003,10 +1018,21 @@ function capture() {
   }
 
   let signal = (args.feedback || '').toLowerCase();
+  let consumedSignalArgs = 0;
   if (!signal && positionalArgs[0]) {
-    const firstPos = positionalArgs[0].toLowerCase();
-    if (['up', 'down', 'thumbsup', 'thumbsdown', 'thumbs_up', 'thumbs_down', 'positive', 'negative'].some(v => firstPos.includes(v))) {
-      signal = firstPos;
+    const { detectFeedbackSignal } = require(path.join(PKG_ROOT, 'scripts', 'feedback-quality'));
+    const oneWord = positionalArgs[0];
+    const twoWords = positionalArgs.slice(0, 2).join(' ');
+    const detected = detectFeedbackSignal(twoWords) || detectFeedbackSignal(oneWord);
+    if (detected) {
+      signal = detected.signal;
+      consumedSignalArgs = detectFeedbackSignal(twoWords) ? Math.min(2, positionalArgs.length) : 1;
+    } else {
+      const firstPos = positionalArgs[0].toLowerCase();
+      if (['up', 'down', 'thumbsup', 'thumbsdown', 'thumbs_up', 'thumbs_down', 'positive', 'negative'].some(v => firstPos.includes(v))) {
+        signal = firstPos;
+        consumedSignalArgs = 1;
+      }
     }
   }
 
@@ -1026,19 +1052,25 @@ function capture() {
   }
 
   let context = args.context || '';
-  if (!context && positionalArgs[1]) {
+  if (!context && consumedSignalArgs > 0) {
+    context = positionalArgs.slice(consumedSignalArgs).join(' ');
+  } else if (!context && positionalArgs[1]) {
     context = positionalArgs[1];
   }
 
   let whatWentWrong = args['what-went-wrong'];
-  if (!whatWentWrong && positionalArgs[2]) {
+  if (!whatWentWrong && consumedSignalArgs > 0 && positionalArgs.length > consumedSignalArgs + 1) {
+    whatWentWrong = positionalArgs.slice(consumedSignalArgs + 1).join(' ');
+  } else if (!whatWentWrong && positionalArgs[2]) {
     whatWentWrong = positionalArgs[2];
   } else if (!whatWentWrong && normalized === 'down' && context) {
     whatWentWrong = context;
   }
 
   let whatToChange = args['what-to-change'];
-  if (!whatToChange && positionalArgs[3]) {
+  if (!whatToChange && consumedSignalArgs > 0 && positionalArgs.length > consumedSignalArgs + 2) {
+    whatToChange = positionalArgs.slice(consumedSignalArgs + 2).join(' ');
+  } else if (!whatToChange && positionalArgs[3]) {
     whatToChange = positionalArgs[3];
   } else if (!whatToChange && normalized === 'down' && context) {
     whatToChange = `avoid: ${context}`;
@@ -2375,6 +2407,43 @@ function optimize() {
   doOptimize();
 }
 
+function cleanup() {
+  console.log('Cleaning up ThumbGate processes...');
+  try {
+    const { execSync } = require('child_process');
+    // Kill all 'thumbgate serve' and 'thumbgate dashboard' processes except this one
+    const pids = execSync("ps aux | grep 'thumbgate' | grep -v 'grep' | awk '{print $2}'", { encoding: 'utf8' })
+      .split('\n')
+      .filter(Boolean)
+      .map(Number)
+      .filter(pid => pid !== process.pid);
+
+    if (pids.length > 0) {
+      console.log(`Killing ${pids.length} process(es): ${pids.join(', ')}`);
+      pids.forEach(pid => {
+        try { process.kill(pid, 'SIGTERM'); } catch (_) {}
+      });
+      // Give them a moment to die
+      execSync('sleep 1');
+    } else {
+      console.log('No other ThumbGate processes found.');
+    }
+
+    // Check port 3456 specifically
+    try {
+      const portPid = execSync("lsof -ti :3456", { encoding: 'utf8' }).trim();
+      if (portPid) {
+        console.log(`Killing process ${portPid} holding port 3456`);
+        try { process.kill(Number(portPid), 'SIGKILL'); } catch (_) {}
+      }
+    } catch (_) { /* port already free */ }
+
+    console.log('✅ Cleanup complete. Run "npx thumbgate pro" to restart the dashboard.');
+  } catch (err) {
+    console.error(`Cleanup failed: ${err.message}`);
+  }
+}
+
 function serve() {
   try {
     const { repairCodexHooks } = require(path.join(PKG_ROOT, 'scripts', 'codex-self-heal'));
@@ -2411,11 +2480,21 @@ function install() {
 }
 
 async function gateCheck() {
-  const payload = readStdinText();
-  const input = payload ? JSON.parse(payload) : {};
-  const gatesEngine = require(path.join(PKG_ROOT, 'scripts', 'gates-engine'));
-  const output = await gatesEngine.runAsync(input);
-  process.stdout.write(output + '\n');
+  try {
+    const payload = readStdinText();
+    const input = payload ? JSON.parse(payload) : {};
+    const gatesEngine = require(path.join(PKG_ROOT, 'scripts', 'gates-engine'));
+    const output = await gatesEngine.runAsync(input);
+    process.stdout.write(output + '\n');
+  } catch (err) {
+    process.stderr.write(`gate-check error: ${err.message}\n`);
+    process.stdout.write(JSON.stringify({
+      hookSpecificOutput: {
+        hookEventName: 'PreToolUse',
+        additionalContext: `[ThumbGate Error] ${err.message}`,
+      }
+    }) + '\n');
+  }
 }
 
 function cacheUpdate() {
@@ -2442,9 +2521,14 @@ function statuslineRender() {
 
 function hookAutoCapture() {
   syncActiveProjectContext();
-  const prompt = process.env.CLAUDE_USER_PROMPT || process.env.THUMBGATE_USER_PROMPT || readStdinText().trim();
+  const prompt = process.env.CLAUDE_USER_PROMPT
+    || process.env.THUMBGATE_USER_PROMPT
+    || process.env.CODEX_USER_PROMPT
+    || process.env.USER_PROMPT
+    || readStdinText().trim();
   const { evaluatePromptGuard } = require(path.join(PKG_ROOT, 'scripts', 'prompt-guard'));
   const { processInlineFeedback, formatCliOutput } = require(path.join(PKG_ROOT, 'scripts', 'cli-feedback'));
+  const { detectFeedbackSignal } = require(path.join(PKG_ROOT, 'scripts', 'feedback-quality'));
   const { loadOptionalModule } = require(path.join(PKG_ROOT, 'scripts', 'private-core-boundary'));
   const { recordConversationEntry, readRecentConversationWindow } = loadOptionalModule(
     path.join(PKG_ROOT, 'scripts', 'feedback-history-distiller'),
@@ -2466,14 +2550,12 @@ function hookAutoCapture() {
     return;
   }
 
-  const lower = prompt.toLowerCase();
-  const isUp = /(thumbs?\s*up|that worked|looks good|nice work|perfect|good job)/i.test(lower);
-  const isDown = /(thumbs?\s*down|that failed|that was wrong|fix this)/i.test(lower);
-  if (!isUp && !isDown) {
+  const detected = detectFeedbackSignal(prompt);
+  if (!detected) {
     return;
   }
 
-  const signal = isDown ? 'down' : 'up';
+  const signal = detected.signal;
   const conversationWindow = readRecentConversationWindow({ limit: 8 });
   const result = processInlineFeedback({
     signal,
@@ -2673,6 +2755,30 @@ function startApi() {
   }
 }
 
+function breakGlass() {
+  const args = parseArgs(process.argv.slice(3));
+  const positionalReason = process.argv.slice(3).find((arg) => !arg.startsWith('--'));
+  const reason = String(args.reason || positionalReason || '').trim();
+  if (!reason) {
+    console.error('Usage: npx thumbgate break-glass --reason "why this recovery is needed" [--ttl=5m] [--json]');
+    process.exit(1);
+  }
+
+  const ttlMs = parseTtlMs(args.ttl, 5 * 60 * 1000);
+  const { breakGlassEmergency } = require(path.join(PKG_ROOT, 'scripts', 'gates-engine'));
+  const result = breakGlassEmergency({ reason, ttlMs });
+  if (args.json) {
+    console.log(JSON.stringify(result, null, 2));
+    return;
+  }
+
+  console.log('ThumbGate break-glass active.');
+  console.log(`  Reason     : ${result.reason}`);
+  console.log(`  Expires    : ${result.expiresAt}`);
+  console.log('  Unlocked   : hook settings edits, pr_create_allowed, pr_threads_checked');
+  console.log('  Still gated: local-only scope, force-push, protected branch push, unsafe chmod, broad rm -rf');
+}
+
 function help() {
   const v = pkgVersion();
   const helpArgs = process.argv.slice(3);
@@ -2695,6 +2801,7 @@ function help() {
     console.log('  explore                                           Interactive TUI for lessons, gates, stats');
     console.log('  dashboard                                         Open the local ThumbGate dashboard');
     console.log('  doctor                                            Audit runtime isolation + bootstrap context');
+    console.log('  break-glass --reason="..."                       Short TTL recovery if gates over-fire');
     console.log('  brain [--write]                                   Build the agent-readable context brain (lessons + rules + gates)');
     console.log('  pro                                               ThumbGate Pro (dashboard, exports, sync)');
     console.log('  subscribe <email>                                 Get the 5-min setup guide + weekly tips by email');
@@ -2747,6 +2854,7 @@ function help() {
   console.log('                            default: machine-wide  (~/.claude/settings.json — shared dashboard)');
   console.log('                            --project: per-repo    (<cwd>/.claude/settings.json — isolated dashboard)');
   console.log('                            --no-hooks: MCP only, skip hook wiring');
+  console.log('  break-glass           Short TTL recovery if gates over-fire');
   console.log('  cfo                   Hosted billing summary (local fallback JSON)');
   console.log('  billing:setup         Generate operator key + print Railway setup instructions');
   console.log('  repair-github-marketplace  Repair legacy GitHub Marketplace amount mappings');
@@ -2842,6 +2950,11 @@ const SUBCOMMAND_HELP = {
   lessons:       'Usage: npx thumbgate lessons [--query="..."] [--limit=N]\n\nSearch the lesson database (Pro feature).',
   search:        'Usage: npx thumbgate search <query>\n\nSearch ThumbGate knowledge base (Pro feature).',
   'gate-check':  'Usage: npx thumbgate gate-check\n\nPreToolUse hook interface: reads tool call JSON from stdin, outputs gate verdict.',
+  'break-glass': 'Usage: npx thumbgate break-glass --reason="why" [--ttl=5m] [--json]\n\nShort-lived recovery path for over-firing gates. Allows hook settings edits and satisfies PR-create/thread-check gates without disabling core destructive-action protections.',
+  serve:         'Usage: npx thumbgate serve\n\nStart the MCP stdio server. This is for agent runtimes, not the local HTTP dashboard.',
+  mcp:           'Usage: npx thumbgate mcp\n\nAlias for `thumbgate serve`.',
+  dashboard:     'Usage: npx thumbgate dashboard [--window=today|7d|30d]\n\nPrint the operational dashboard summary. Use `npx thumbgate start-api` for the local HTTP dashboard on :3456.',
+  'start-api':   'Usage: npx thumbgate start-api\n\nStart the local ThumbGate HTTP API/dashboard. Defaults to PORT=8787; use PORT=3456 for statusline localhost links.',
   'export-dpo':  'Usage: npx thumbgate export-dpo [--format=jsonl|csv]\n\nExport feedback as DPO training pairs (Pro feature).',
   status:        'Usage: npx thumbgate status\n\nShow ThumbGate system health and active configuration.',
   watch:         'Usage: npx thumbgate watch\n\nWatch for feedback changes and auto-regenerate prevention rules.',
@@ -3004,6 +3117,9 @@ switch (COMMAND) {
   case 'mcp':
     serve();
     break;
+  case 'cleanup':
+    cleanup();
+    break;
   case 'gate-check':
     gateCheck().catch((err) => {
       console.error(err && err.message ? err.message : err);
@@ -3058,7 +3174,7 @@ switch (COMMAND) {
   }
   case 'brain': {
     const brainArgs = parseArgs(process.argv.slice(3));
-    process.exit(cmdBrain(brainArgs));
+    process.exitCode = cmdBrain(brainArgs);
     break;
   }
   case 'billing:setup':
@@ -3371,6 +3487,10 @@ switch (COMMAND) {
   case 'status':
     status();
     break;
+  case 'break-glass':
+  case 'breakglass':
+    breakGlass();
+    break;
   case 'funnel':
     funnel();
     break;

package/config/gates/default.json

@@ -23,7 +23,7 @@
       "id": "task-scope-required",
       "layer": "Decisions",
       "toolNames": ["Bash"],
-      "pattern": "^(git\\s+(add|commit|push)|gh\\s+pr\\s+(create|merge)|gh\\s+release\\s+create|git\\s+tag\\b|npm\\s+publish|yarn\\s+publish|pnpm\\s+publish)",
+      "pattern": "^(git\\s+(add|commit|push)|gh\\s+pr\\s+(create|merge)|gh\\s+api\\b(?=.*(?:/pulls\\b|repos/[^\\s]+/[^\\s]+/pulls\\b))(?=.*(?:-f\\b|--field\\b|-F\\b|--raw-field\\b|--method\\s+POST\\b|-X\\s+POST\\b))|gh\\s+release\\s+create|git\\s+tag\\b|npm\\s+publish|yarn\\s+publish|pnpm\\s+publish)",
       "requireTaskScope": true,
       "action": "block",
       "message": "Git write, PR, release, and publish operations require an explicit task scope.",
@@ -72,6 +72,15 @@
       "message": "PR creation requires explicit 'pr_create_allowed' satisfaction with evidence of user permission.",
       "severity": "high"
     },
+    {
+      "id": "gh-api-pr-create-restricted",
+      "layer": "Identity",
+      "pattern": "gh\\s+api\\b(?=.*(?:/pulls\\b|repos/[^\\s]+/[^\\s]+/pulls\\b))(?=.*(?:-f\\b|--field\\b|-F\\b|--raw-field\\b|--method\\s+POST\\b|-X\\s+POST\\b))",
+      "action": "block",
+      "unless": "pr_create_allowed",
+      "message": "GitHub API PR creation requires explicit 'pr_create_allowed' satisfaction with evidence of user permission. Use the same approval path as gh pr create.",
+      "severity": "high"
+    },
     {
       "id": "gh-pr-merge-restricted",
       "layer": "Identity",
@@ -85,7 +94,7 @@
       "id": "branch-governance-required",
       "layer": "Decisions",
       "toolNames": ["Bash"],
-      "pattern": "^(gh\\s+pr\\s+(create|merge)|gh\\s+release\\s+create|git\\s+tag\\b|npm\\s+publish|yarn\\s+publish|pnpm\\s+publish)",
+      "pattern": "^(gh\\s+pr\\s+(create|merge)|gh\\s+api\\b(?=.*(?:/pulls\\b|repos/[^\\s]+/[^\\s]+/pulls\\b))(?=.*(?:-f\\b|--field\\b|-F\\b|--raw-field\\b|--method\\s+POST\\b|-X\\s+POST\\b))|gh\\s+release\\s+create|git\\s+tag\\b|npm\\s+publish|yarn\\s+publish|pnpm\\s+publish)",
       "requireBranchGovernance": true,
       "action": "block",
       "message": "PR, release, and publish actions require explicit branch governance.",

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "thumbgate",
-  "version": "1.26.1",
+  "version": "1.26.3",
   "description": "ThumbGate self-improving agent governance: thumbs-up/down turns every mistake into a prevention rule and blocks repeat patterns. 36 pre-action checks, budget enforcement, and self-protection for Claude Code, Cursor, Codex, Gemini CLI, and Amp.",
   "homepage": "https://thumbgate.ai",
   "repository": {
     "type": "git",
-    "url": "https://github.com/IgorGanapolsky/ThumbGate.git"
+    "url": "git+https://github.com/IgorGanapolsky/ThumbGate.git"
   },
   "bugs": {
     "url": "https://github.com/IgorGanapolsky/ThumbGate/issues"
@@ -135,7 +135,6 @@
     "scripts/natural-language-harness.js",
     "scripts/noop-detect.js",
     "scripts/obsidian-export.js",
-    "scripts/operational-dashboard.js",
     "scripts/operational-integrity.js",
     "scripts/oss-pr-opportunity-scout.js",
     "scripts/otel-declarative-config.js",

package/public/index.html

@@ -20,7 +20,7 @@ __GOOGLE_SITE_VERIFICATION_META__
 <meta property="og:image" content="https://thumbgate.ai/og.png">
 <meta name="twitter:card" content="summary_large_image">
 <meta name="twitter:image" content="https://thumbgate.ai/og.png">
-<meta name="thumbgate-version" content="1.26.1">
+<meta name="thumbgate-version" content="1.26.0">
 <meta name="keywords" content="ThumbGate, thumbgate, AI agent orchestration, AI experience orchestration, agentic development cycle, AC/DC framework, Guide Generate Verify Solve, agent enforcement layer, save LLM tokens, reduce Claude API cost, reduce OpenAI cost, AI agent token savings, prevent LLM retries, prevent hallucination retries, stop AI token waste, pre-action checks, agent governance, Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode, workflow hardening, context engineering, AI authenticity, brand authenticity AI">
 <link rel="canonical" href="__APP_ORIGIN__/">
 <link rel="alternate" type="text/markdown" title="ThumbGate LLM context" href="__APP_ORIGIN__/llm-context.md">
@@ -1594,7 +1594,7 @@ __GA_BOOTSTRAP__
       <a href="https://www.linkedin.com/in/igorganapolsky" target="_blank" rel="noopener">LinkedIn</a>
       <a href="/blog">Blog</a>
     </div>
-    <span class="footer-copy">© 2026 ThumbGate · MIT License · npm v1.26.1</span>
+    <span class="footer-copy">© 2026 ThumbGate · MIT License · npm v1.26.0</span>
   </div>
 </footer>
 

package/public/numbers.html

@@ -25,7 +25,7 @@
   "alternateName": "thumbgate",
   "applicationCategory": "DeveloperApplication",
   "operatingSystem": "Cross-platform, Node.js >=18.18.0",
-  "softwareVersion": "1.26.1",
+  "softwareVersion": "1.26.0",
   "url": "https://thumbgate.ai/numbers",
   "dateModified": "2026-05-07",
   "creator": {
@@ -202,7 +202,7 @@
 <main class="container">
   <h1>The Numbers</h1>
   <p class="subtitle">Generated first-party operational snapshot from the ThumbGate runtime. This is not customer traction, install volume, revenue, or proof that a configured gate has fired.</p>
-  <div class="freshness">Updated: 2026-05-07 · Version 1.26.1</div>
+  <div class="freshness">Updated: 2026-05-07 · Version 1.26.0</div>
   <div class="truth-note"><strong>Read this first:</strong> configured checks are inventory. Recorded blocks and warnings are usage evidence. This snapshot currently reports 0 recorded hard-block event(s) and 0 recorded warning event(s).</div>
 
   <h2>Gate enforcement</h2>

package/scripts/agent-readiness.js

@@ -94,9 +94,26 @@ function detectRuntimeIsolation() {
   };
 }
 
-function collectBootstrapFiles(projectRoot = PROJECT_ROOT) {
+function findProjectRoot(startDir = process.cwd()) {
+  try {
+    let curr = path.resolve(startDir);
+    while (true) {
+      const indicators = ['AGENTS.md', 'CLAUDE.md', 'GEMINI.md', '.mcp.json', '.git'];
+      if (indicators.some((f) => fs.existsSync(path.join(curr, f)))) {
+        return curr;
+      }
+      const parent = path.dirname(curr);
+      if (parent === curr) break;
+      curr = parent;
+    }
+  } catch (_) { /* fallback to startDir */ }
+  return startDir;
+}
+
+function collectBootstrapFiles(projectRoot) {
+  const effectiveRoot = projectRoot || findProjectRoot();
   const files = BOOTSTRAP_FILES.map((file) => {
-    const absolutePath = path.join(projectRoot, file.path);
+    const absolutePath = path.join(effectiveRoot, file.path);
     return {
       id: file.id,
       path: file.path,
@@ -118,7 +135,7 @@ function collectBootstrapFiles(projectRoot = PROJECT_ROOT) {
     missingRequired,
     recommendation: missingRequired.length === 0
       ? 'Bootstrap context is present.'
-      : `Add missing bootstrap files: ${missingRequired.join(', ')}`,
+      : `Add missing bootstrap files to project root (${effectiveRoot}): ${missingRequired.join(', ')}`,
   };
 }
 

package/scripts/cli-feedback.js

@@ -88,11 +88,13 @@ function formatCliOutput(result) {
   if (result.feedbackResult && result.feedbackResult.accepted !== false) {
     lines.push(`${isDown ? R : G}${BD}${isDown ? '👎 Thumbs down recorded' : '👍 Thumbs up recorded'}${RST}`);
     const feedbackId = (result.feedbackResult.feedbackEvent && result.feedbackResult.feedbackEvent.id) || result.feedbackResult.id;
+    const memoryId = (result.feedbackResult.memoryRecord && result.feedbackResult.memoryRecord.id) || result.feedbackResult.memoryId;
     if (feedbackId) {
-      lines.push(`${D}  ID: ${feedbackId}${RST}`);
+      lines.push(`${D}  Feedback ID: ${feedbackId}${RST}`);
+      if (memoryId) lines.push(`${D}  Memory ID  : ${memoryId}${RST}`);
       // Echo feedback ID to stderr so it's visible directly in the terminal,
       // not hidden behind Claude Code's "ctrl+o to expand" MCP call collapse.
-      process.stderr.write(`✅ Feedback captured (${feedbackId})\n`);
+      process.stderr.write(`✅ Feedback captured (${feedbackId}${memoryId ? `, ${memoryId}` : ''})\n`);
     }
   } else {
     lines.push(`${R}Feedback not accepted: ${(result.feedbackResult && result.feedbackResult.reason) || 'unknown'}${RST}`);

package/scripts/commercial-offer.js

@@ -68,8 +68,6 @@ function buildCaptureReceipt({ signal, feedbackId, memoryId, actionType } = {})
     '',
     `  Solo Pro       : ${PRO_PRICE_LABEL} for hosted sync, search, dashboard, and exports`,
     `  Upgrade        : ${trackedProUrl('cli_capture_receipt', actionType || normalizedSignal.toLowerCase())}`,
-    `  Team path      : ${TEAM_PRICE_LABEL}; start with one repeated workflow failure`,
-    '                   https://thumbgate.ai/#workflow-sprint-intake',
     '',
   ];
   return lines.join('\n');
@@ -102,7 +100,6 @@ function buildStatsReceipt(stats = {}) {
   lines.push('  Show the buyer     : npx thumbgate cost');
   lines.push('  Pro sync value     : keep these lessons/rules visible across laptops, CI, containers, and agent runtimes');
   lines.push(`  Solo Pro           : ${trackedProUrl('cli_stats_receipt', 'proof_seen')}`);
-  lines.push('  Team workflow      : https://thumbgate.ai/#workflow-sprint-intake');
   lines.push('');
   return lines.join('\n');
 }

package/scripts/feedback-quality.js

@@ -62,6 +62,92 @@ function normalizeFeedbackText(value) {
     .trim();
 }
 
+function editDistance(a, b) {
+  const left = String(a || '');
+  const right = String(b || '');
+  const dp = Array.from({ length: left.length + 1 }, () => Array(right.length + 1).fill(0));
+  for (let i = 0; i <= left.length; i++) dp[i][0] = i;
+  for (let j = 0; j <= right.length; j++) dp[0][j] = j;
+  for (let i = 1; i <= left.length; i++) {
+    for (let j = 1; j <= right.length; j++) {
+      const cost = left[i - 1] === right[j - 1] ? 0 : 1;
+      dp[i][j] = Math.min(
+        dp[i - 1][j] + 1,
+        dp[i][j - 1] + 1,
+        dp[i - 1][j - 1] + cost,
+      );
+    }
+  }
+  return dp[left.length][right.length];
+}
+
+function isNearThumbToken(token) {
+  const value = String(token || '');
+  if (value.length < 4) return false;
+  return editDistance(value, 'thumb') <= 1 || editDistance(value, 'thumbs') <= 2;
+}
+
+function isNearUpToken(token) {
+  const value = String(token || '');
+  return value === 'up' || editDistance(value, 'up') <= 1;
+}
+
+function isNearDownToken(token) {
+  const value = String(token || '');
+  if (value.length < 2) return false;
+  return editDistance(value, 'down') <= 1;
+}
+
+function detectFeedbackSignal(value) {
+  const raw = String(value || '');
+  if (/[👎👎🏻👎🏼👎🏽👎🏾👎🏿]/u.test(raw)) return { signal: 'down', confidence: 'emoji', match: '👎' };
+  if (/[👍👍🏻👍🏼👍🏽👍🏾👍🏿]/u.test(raw)) return { signal: 'up', confidence: 'emoji', match: '👍' };
+
+  const normalized = normalizeFeedbackText(raw);
+  if (!normalized) return null;
+
+  const exactDown = [
+    /\bthumbs?\s*down\b/,
+    /\bthumbs?down\b/,
+    /\bthat failed\b/,
+    /\bit failed\b/,
+    /\bthat was wrong\b/,
+    /\bfix this\b/,
+  ];
+  if (exactDown.some((pattern) => pattern.test(normalized))) {
+    return { signal: 'down', confidence: 'exact', match: normalized };
+  }
+
+  const exactUp = [
+    /\bthumbs?\s*up\b/,
+    /\bthumbs?up\b/,
+    /\bthat worked\b/,
+    /\bit worked\b/,
+    /\blooks good\b/,
+    /\bgood job\b/,
+    /\bgood work\b/,
+    /\bnice work\b/,
+    /\bperfect\b/,
+    /\blgtm\b/,
+  ];
+  if (exactUp.some((pattern) => pattern.test(normalized))) {
+    return { signal: 'up', confidence: 'exact', match: normalized };
+  }
+
+  const words = normalized.split(/\s+/).filter(Boolean);
+  for (let i = 0; i < words.length - 1; i++) {
+    if (!isNearThumbToken(words[i])) continue;
+    if (isNearDownToken(words[i + 1])) {
+      return { signal: 'down', confidence: 'fuzzy', match: `${words[i]} ${words[i + 1]}` };
+    }
+    if (isNearUpToken(words[i + 1])) {
+      return { signal: 'up', confidence: 'fuzzy', match: `${words[i]} ${words[i + 1]}` };
+    }
+  }
+
+  return null;
+}
+
 function isGenericFeedbackText(value, signal) {
   const normalized = normalizeFeedbackText(value);
   if (!normalized) return false;
@@ -131,6 +217,7 @@ function buildClarificationMessage(params = {}) {
 
 module.exports = {
   GENERIC_PHRASE_RULES,
+  detectFeedbackSignal,
   normalizeFeedbackSignal,
   normalizeFeedbackText,
   isGenericFeedbackText,

package/scripts/gates-engine.js

@@ -109,9 +109,21 @@ const DEFAULT_PROTECTED_FILE_GLOBS = [
 const EDIT_LIKE_TOOLS = new Set(['Edit', 'Write', 'MultiEdit']);
 const HIGH_RISK_BASH_PATTERN = /\b(?:git\s+(?:add|commit|push)|gh\s+pr\s+(?:create|merge)|npm\s+publish|yarn\s+publish|pnpm\s+publish|rm\s+-rf)\b/i;
 const REMOTE_SIDE_EFFECT_BASH_PATTERN = /\b(?:git\s+push\b|gh\s+pr\s+(?:create|merge|close|reopen|ready|edit)\b|gh\s+release\s+(?:create|delete|edit|upload)\b|npm\s+publish\b|yarn\s+publish\b|pnpm\s+publish\b)\b/i;
+const GH_API_PR_CREATE_PATTERN = /\bgh\s+api\b(?=.*(?:\/pulls\b|repos\/[^\s]+\/[^\s]+\/pulls\b))(?=.*(?:-f\b|--field\b|-F\b|--raw-field\b|--method\s+POST\b|-X\s+POST\b))/i;
 const BOOSTED_RISK_BLOCK_SCORE = 0.8;
 const BOOSTED_RISK_MIN_EXAMPLES = 3;
 const PR_THREAD_RESOLUTION_ACTION = 'pr_thread_resolution_verified_after_commit';
+const KNOWLEDGE_ENTROPY_THRESHOLD = 0.7;
+const KNOWLEDGE_CONFLICT_STRICT_BASH_PATTERN = /\b(?:git\s+push\b|gh\s+pr\s+merge\b|gh\s+release\s+(?:create|delete|edit|upload)\b|(?:npm|yarn|pnpm)\s+publish\b|rm\s+-rf\b|git\s+reset\s+--hard\b|git\s+clean\s+-f|railway\s+(?:deploy|up)\b|gcloud\s+(?:run\s+deploy|app\s+deploy)\b|firebase\s+deploy\b|vercel\s+--prod\b|kubectl\s+(?:apply|delete)\b|terraform\s+(?:apply|destroy)\b)\b/i;
+const BREAK_GLASS_CONDITION = 'thumbgate_break_glass';
+const BREAK_GLASS_SETTINGS_GLOBS = [
+  '.claude/settings.local.json',
+  '.claude/settings.json',
+  '**/.claude/settings.local.json',
+  '**/.claude/settings.json',
+  '.codex/config.toml',
+  '**/.codex/config.toml',
+];
 
 function isRuntimePlanGateEnabled() {
   return process.env.THUMBGATE_PLAN_GATE === '1' || process.env.THUMBGATE_PLAN_GATE === 'true';
@@ -360,6 +372,38 @@ function approveProtectedAction(input = {}) {
   return entry;
 }
 
+function breakGlassEmergency(input = {}) {
+  const reason = String(input.reason || '').trim();
+  if (!reason) {
+    throw new Error('reason is required');
+  }
+
+  const ttlMs = Math.min(clampTtlMs(input.ttlMs, TTL_MS), TTL_MS);
+  const evidence = `BREAK GLASS: ${reason}`;
+  const gates = ['pr_create_allowed', 'pr_threads_checked', BREAK_GLASS_CONDITION];
+  const satisfied = {};
+  for (const gateId of gates) {
+    satisfied[gateId] = satisfyCondition(gateId, evidence);
+  }
+
+  const approval = approveProtectedAction({
+    pathGlobs: BREAK_GLASS_SETTINGS_GLOBS,
+    reason: evidence,
+    evidence,
+    ttlMs,
+  });
+
+  return {
+    ok: true,
+    reason,
+    ttlMs,
+    expiresAt: new Date(Date.now() + ttlMs).toISOString(),
+    satisfied,
+    approval,
+    settingsGlobs: BREAK_GLASS_SETTINGS_GLOBS.slice(),
+  };
+}
+
 function setBranchGovernance(input = {}) {
   if (input && input.clear === true) {
     const state = loadGovernanceState();
@@ -693,7 +737,7 @@ function extractAffectedFiles(toolName, toolInput = {}) {
       }
     }
 
-    if (/\bgit\s+push\b/i.test(command) || /\bgh\s+pr\s+(?:create|merge)\b/i.test(command)) {
+    if (/\bgit\s+push\b/i.test(command) || /\bgh\s+pr\s+(?:create|merge)\b/i.test(command) || GH_API_PR_CREATE_PATTERN.test(command)) {
       for (const filePath of getBranchDiffFiles(repoRoot)) {
         files.add(normalizePosix(filePath));
       }
@@ -712,6 +756,7 @@ function isHighRiskAction(toolName, toolInput = {}, affectedFiles = []) {
   const command = String(toolInput.command || '');
   // Original high-risk pattern (git writes, publishes, destructive ops)
   if (HIGH_RISK_BASH_PATTERN.test(command)) return true;
+  if (GH_API_PR_CREATE_PATTERN.test(command)) return true;
   // Broadened: any Bash command that modifies files or has side effects.
   // Excludes pure read/analysis commands (node --test, cat, ls, echo, etc.)
   // to avoid false positives on benign operations.
@@ -949,7 +994,8 @@ function getLocalOnlyScopeSources(governanceState = {}, constraints = {}) {
 
 function isRemoteSideEffectCommand(toolName, toolInput = {}) {
   if (toolName !== 'Bash') return false;
-  return REMOTE_SIDE_EFFECT_BASH_PATTERN.test(String(toolInput.command || ''));
+  const command = String(toolInput.command || '');
+  return REMOTE_SIDE_EFFECT_BASH_PATTERN.test(command) || GH_API_PR_CREATE_PATTERN.test(command);
 }
 
 function evaluateLocalOnlyRemoteSideEffectGate(toolName, toolInput = {}, governanceState = {}, constraints = {}) {
@@ -1003,6 +1049,18 @@ function shouldEnforceTaskScope(gate, governanceState, toolName, toolInput = {},
   return isScopeEnforcedAction(toolName, toolInput, affectedFiles);
 }
 
+function isAgentHookSettingsFile(filePath) {
+  return matchesAnyGlob(filePath, BREAK_GLASS_SETTINGS_GLOBS);
+}
+
+function isBreakGlassSettingsBypass(gate, affectedFiles) {
+  if (!gate || !['task-scope-edit-boundary', 'protected-file-approval-required'].includes(gate.id)) {
+    return false;
+  }
+  if (!isConditionSatisfied(BREAK_GLASS_CONDITION)) return false;
+  return Array.isArray(affectedFiles) && affectedFiles.length > 0 && affectedFiles.every(isAgentHookSettingsFile);
+}
+
 function formatFileList(files, limit = 5) {
   const items = Array.isArray(files) ? files.filter(Boolean) : [];
   if (items.length === 0) return 'none';
@@ -1234,6 +1292,12 @@ function matchGate(gate, toolName, toolInput = {}) {
     try {
       const regex = new RegExp(gate.pattern);
       if (!regex.test(matchText)) return { matched: false, matchText, affectedFiles };
+      if (gate.id === 'permission-change-approval' && isSafeLocalCredentialHardeningCommand(toolName, toolInput)) {
+        return { matched: false, matchText, affectedFiles };
+      }
+      if (isBreakGlassSettingsBypass(gate, affectedFiles)) {
+        return { matched: false, matchText, affectedFiles };
+      }
     } catch {
       return { matched: false, matchText, affectedFiles };
     }
@@ -1251,6 +1315,9 @@ function matchGate(gate, toolName, toolInput = {}) {
 
   let taskScopeViolation = null;
   if (gate.requireTaskScope) {
+    if (isBreakGlassSettingsBypass(gate, affectedFiles)) {
+      return { matched: false, matchText, affectedFiles };
+    }
     if (!shouldEnforceTaskScope(gate, governanceState, toolName, toolInput, affectedFiles)) {
       return { matched: false, matchText, affectedFiles };
     }
@@ -1260,6 +1327,9 @@ function matchGate(gate, toolName, toolInput = {}) {
 
   let protectedApprovalViolation = null;
   if (gate.requireProtectedApproval) {
+    if (isBreakGlassSettingsBypass(gate, affectedFiles)) {
+      return { matched: false, matchText, affectedFiles };
+    }
     const protectedGlobs = sanitizeGlobList(
       Array.isArray(gate.protectedGlobs) && gate.protectedGlobs.length > 0
         ? gate.protectedGlobs
@@ -1299,6 +1369,27 @@ function matchesGate(gate, toolName, toolInput) {
   return matchGate(gate, toolName, toolInput).matched;
 }
 
+function isSafeLocalCredentialHardeningCommand(toolName, toolInput = {}) {
+  if (toolName !== 'Bash') return false;
+  const command = String(toolInput.command || '').trim();
+  if (!command || /(?:^|\s)chmod\s+[^&;|]*\s+-R\b/i.test(command)) return false;
+  if (/[;&|`$()<>*?[\]{}]/.test(command)) return false;
+
+  const match = command.match(/(?:^|\s)chmod\s+(?:-[fv]\s+)?0?([46]00)\s+(['"]?)(\S+)\2\s*$/i);
+  if (!match) return false;
+
+  const target = match[3];
+  if (!target || target === '/' || target === '~') return false;
+  if (/^\.\.?(?:\/|$)/.test(target)) return false;
+
+  const normalized = target.replace(/^['"]|['"]$/g, '').toLowerCase();
+  const looksLikeCredentialPath = /(?:^|\/)(?:\.config|\.ssh|\.gnupg|\.aws|\.gcloud|\.gemini|\.resume_secrets|\.thumbgate|secrets?|credentials?)(?:\/|$)/.test(normalized)
+    || /(?:key|secret|token|credential|gemini|gcloud|google|operator).*\.(?:json|pem|key|env)$/i.test(normalized)
+    || /\.(?:pem|key)$/i.test(normalized);
+
+  return looksLikeCredentialPath;
+}
+
 function evaluateMemoryGuard(toolName, toolInput = {}) {
   const affected = extractAffectedFiles(toolName, toolInput);
   const affectedFiles = affected.files;
@@ -1315,7 +1406,10 @@ function evaluateMemoryGuard(toolName, toolInput = {}) {
   }
 
   const command = String(toolInput.command || '');
-  if (toolName === 'Bash' && /\bgh\s+pr\s+create\b/i.test(command) && isConditionSatisfied('pr_create_allowed')) {
+  const isPrCreateCommand = toolName === 'Bash' && (
+    /\bgh\s+pr\s+create\b/i.test(command) || GH_API_PR_CREATE_PATTERN.test(command)
+  );
+  if (isPrCreateCommand && isConditionSatisfied('pr_create_allowed')) {
     const branchGovernanceViolation = buildBranchGovernanceViolation(
       governanceState,
       toolInput,
@@ -1328,7 +1422,10 @@ function evaluateMemoryGuard(toolName, toolInput = {}) {
     }
   }
 
-  if (toolName === 'Bash' && /\b(?:gh\s+pr\s+(?:create|merge)|gh\s+release\s+create|git\s+tag\b|(?:npm|yarn|pnpm)\s+publish\b)\b/i.test(command)) {
+  if (toolName === 'Bash' && (
+    /\b(?:gh\s+pr\s+(?:create|merge)|gh\s+release\s+create|git\s+tag\b|(?:npm|yarn|pnpm)\s+publish\b)\b/i.test(command) ||
+    GH_API_PR_CREATE_PATTERN.test(command)
+  )) {
     const branchGovernanceViolation = buildBranchGovernanceViolation(
       governanceState,
       toolInput,
@@ -1989,12 +2086,19 @@ function isApprovalGatesEnabled() {
 // PreToolUse hook interface (stdin/stdout JSON)
 // ---------------------------------------------------------------------------
 
-function buildReminderOutput(context) {
+function buildPreToolUseOutput(fields = {}) {
   return {
+    hookEventName: 'PreToolUse',
+    ...fields,
+  };
+}
+
+function buildReminderOutput(context) {
+  return buildPreToolUseOutput({
     additionalContext: context,
     systemReminder: context,
     thumbgateSystemReminder: context,
-  };
+  });
 }
 
 // ---------------------------------------------------------------------------
@@ -2047,6 +2151,7 @@ function formatOutput(result, behavioralContext) {
     const proCta = buildBlockActionProCta() || '';
     return JSON.stringify({
       hookSpecificOutput: {
+        hookEventName: 'PreToolUse',
         ...reminder,
         permissionDecision: 'deny',
         permissionDecisionReason: `[GATE:${result.gate}] ${result.message}${reasoningSuffix}${reminderSuffix}${proCta}`,
@@ -2059,6 +2164,7 @@ function formatOutput(result, behavioralContext) {
     const reminderSuffix = behavioralContext ? `\n\nSystem reminder:\n${behavioralContext}` : '';
     return JSON.stringify({
       hookSpecificOutput: {
+        hookEventName: 'PreToolUse',
         ...reminder,
         permissionDecision: 'deny',
         permissionDecisionReason: `[GATE:${result.gate}] APPROVAL REQUIRED: ${result.message} — Ask the human to confirm this action before proceeding.${reasoningSuffix}${reminderSuffix}`,
@@ -2071,6 +2177,7 @@ function formatOutput(result, behavioralContext) {
     const context = `[GATE:${result.gate}] WARNING: ${result.message}${reasoningSuffix}${extra}`;
     return JSON.stringify({
       hookSpecificOutput: {
+        hookEventName: 'PreToolUse',
         additionalContext: context,
         ...(behavioralContext ? {
           systemReminder: behavioralContext,
@@ -2204,9 +2311,8 @@ function buildRelevantLessonContext(toolName, toolInput) {
     const lessons = retrieveRelevantLessons(toolName, actionContext, { maxResults: 3 });
 
     const entropy = calculateRetrievalEntropy(lessons);
-    if (entropy > 0.7) {
-      recordStat("retrieval_entropy_high", "block");
-      return { decision: "deny", gate: "knowledge-conflict-gate", message: "✗ THUMBGATE: Action blocked due to high Knowledge Entropy (conflicting past lessons).", severity: "high" };
+    if (entropy > KNOWLEDGE_ENTROPY_THRESHOLD) {
+      return buildKnowledgeConflictContext(toolName, toolInput, lessons, entropy);
     }
     return formatNegativeLessonContext(lessons);
   } catch {
@@ -2237,16 +2343,11 @@ async function buildRelevantLessonContextAsync(toolName, toolInput) {
       : retrieveRelevantLessons(toolName, actionContext, { maxResults: 3 });
     
     // Knowledge Conflict Detection: if retrieved lessons have high sentiment entropy,
-    // it indicates conflicting past evidence. Block and require human disambiguation.
+    // it indicates conflicting past evidence. Warn by default; hard-block only in
+    // strict mode for external/destructive side-effect commands.
     const entropy = calculateRetrievalEntropy(lessons);
-    if (entropy > 0.7) {
-      recordStat('retrieval_entropy_high', 'block');
-      return {
-        decision: 'deny',
-        gate: 'knowledge-conflict-gate',
-        message: '✗ THUMBGATE: Action blocked due to high Knowledge Entropy (conflicting past lessons). Please disambiguate your instructions or verify the intended behavior manually.',
-        severity: 'high',
-      };
+    if (entropy > KNOWLEDGE_ENTROPY_THRESHOLD) {
+      return buildKnowledgeConflictContext(toolName, toolInput, lessons, entropy);
     }
 
     return formatNegativeLessonContext(lessons);
@@ -2273,6 +2374,36 @@ function formatNegativeLessonContext(lessons) {
   return `[ThumbGate] Past mistakes relevant to this action — read before proceeding:\n${formatted.join('\n')}`;
 }
 
+function isStrictKnowledgeConflictMode() {
+  return process.env.THUMBGATE_STRICT_KNOWLEDGE_CONFLICT === '1'
+    || process.env.THUMBGATE_STRICT_KNOWLEDGE_CONFLICT === 'true';
+}
+
+function isKnowledgeConflictHardBlockAction(toolName, toolInput = {}) {
+  if (!isStrictKnowledgeConflictMode()) return false;
+  if (EDIT_LIKE_TOOLS.has(toolName)) return true;
+  if (toolName !== 'Bash') return false;
+  return KNOWLEDGE_CONFLICT_STRICT_BASH_PATTERN.test(String(toolInput.command || ''));
+}
+
+function buildKnowledgeConflictContext(toolName, toolInput, lessons, entropy) {
+  const lessonContext = formatNegativeLessonContext(lessons);
+  const message = `Knowledge conflict warning: retrieved lessons disagree for this action (entropy ${entropy}). Treat the reminders below as cautionary context, but do not stop unrelated work solely because memory is noisy.`;
+
+  if (isKnowledgeConflictHardBlockAction(toolName, toolInput)) {
+    recordStat('retrieval_entropy_high', 'block');
+    return {
+      decision: 'deny',
+      gate: 'knowledge-conflict-gate',
+      message: `✗ THUMBGATE: ${message} Strict mode is enabled for destructive or external side-effect actions; verify intent or narrow the task before proceeding.`,
+      severity: 'high',
+    };
+  }
+
+  recordStat('retrieval_entropy_high', 'warn');
+  return mergeContextStrings(`[ThumbGate] ${message}`, lessonContext);
+}
+
 function extractActionContext(toolName, toolInput) {
   if (!toolInput) return toolName;
   const parts = [toolName];
@@ -2659,6 +2790,7 @@ module.exports = {
   setTaskScope,
   setBranchGovernance,
   approveProtectedAction,
+  breakGlassEmergency,
   getScopeState,
   getBranchGovernanceState,
   isConditionSatisfied,
@@ -2717,6 +2849,7 @@ module.exports = {
   getLocalOnlyScopeSources,
   isRemoteSideEffectCommand,
   evaluateLocalOnlyRemoteSideEffectGate,
+  isAgentHookSettingsFile,
   PR_THREAD_RESOLUTION_ACTION,
   buildBlockActionProCta,
   applyDailyBlockCap,

package/scripts/install-shim.js

@@ -3,13 +3,12 @@
 /**
  * install-shim.js — Install a stable shim at ~/.thumbgate/bin/thumbgate-hook
  *
- * The shim is a tiny shell script that always resolves thumbgate@latest,
- * so hook commands in settings.local.json never go stale. This is the
- * Volta-style pattern: a version-agnostic indirection layer that survives
- * across thumbgate upgrades.
+ * The shim is a tiny shell script that resolves the cached ThumbGate runtime
+ * first, so hook commands in settings.local.json stay stable across projects
+ * and agent restarts.
  *
  * The shim checks for a cached runtime binary first (fast path), and falls
- * back to `npx --yes thumbgate@latest` (slow path, self-installs).
+ * back to `npx --yes thumbgate@latest` (slow path, first-time self-install).
  */
 
 const fs = require('fs');
@@ -24,9 +23,10 @@ const RUNTIME_BIN = path.join(os.homedir(), '.thumbgate', 'runtime', 'node_modul
  * The shim script. Key design choices:
  * - Uses `exec` to replace the shell process (no zombie processes)
  * - Fast path: if cached runtime binary exists, exec it directly
- * - Slow path: npx --yes thumbgate@latest (auto-installs)
- * - Background upgrade: after the fast path succeeds once, spawn a
- *   detached npm install to refresh the cache for next time
+ * - Slow path: npx --yes thumbgate@latest (first-time auto-installs)
+ * - No default self-mutation: background upgrades are opt-in via
+ *   THUMBGATE_SHIM_AUTO_UPDATE=1 so source checkouts, enterprise pins, and
+ *   dogfood runtimes cannot be overwritten by a hook side effect.
  */
 function shimContent() {
   const escapedRuntimeBin = JSON.stringify(RUNTIME_BIN);
@@ -35,7 +35,7 @@ function shimContent() {
   return `#!/usr/bin/env bash
 # ThumbGate hook shim — DO NOT EDIT
 # Installed by: thumbgate init
-# Purpose: version-agnostic hook entry point that always runs latest ThumbGate
+# Purpose: stable hook entry point that runs the cached ThumbGate runtime
 # Pattern: Volta-style stable shim (see https://volta.sh)
 
 set -euo pipefail
@@ -45,8 +45,11 @@ RUNTIME_DIR=${escapedRuntimeDir}
 
 # Fast path: cached runtime binary exists and is executable
 if [ -x "$RUNTIME_BIN" ]; then
-  # Spawn background upgrade (detached, no stdout/stderr, won't block hook)
-  ( nohup npm install --prefix "$RUNTIME_DIR" --no-save --omit=dev thumbgate@latest >/dev/null 2>&1 & ) 2>/dev/null || true
+  # Optional background upgrade. Disabled by default so hooks never mutate a
+  # source checkout, enterprise pin, or dogfood runtime behind the operator's back.
+  if [ "\${THUMBGATE_SHIM_AUTO_UPDATE:-0}" = "1" ]; then
+    ( nohup npm install --prefix "$RUNTIME_DIR" --no-save --omit=dev thumbgate@latest >/dev/null 2>&1 & ) 2>/dev/null || true
+  fi
   exec "$RUNTIME_BIN" "$@"
 fi
 

package/src/api/server.js

@@ -418,34 +418,18 @@ const TRACKED_LINK_TARGETS = Object.freeze({
     },
     allowCustomerEmail: true,
   },
-  // 2026-05-19: Team is intake-led. Keep the tracked shortlink alive for
-  // marketplaces and old outreach, but route it to workflow scope first
-  // instead of blind 3-seat checkout.
+  // 2026-06-02: Teams/Aiventyx deprecated. Redirect legacy links to Pro.
   teams: {
-    path: '/#workflow-sprint-intake',
-    ctaId: 'go_teams',
+    path: '/go/pro?utm_source=legacy_teams&utm_medium=redirect',
+    ctaId: 'go_pro',
     ctaPlacement: 'link_router',
-    eventType: 'team_intake_started',
-    defaults: {
-      utm_source: 'website',
-      utm_medium: 'link_router',
-      utm_campaign: 'team_intake',
-      plan_id: 'team',
-    },
+    eventType: 'cta_click',
   },
-  // Aliases: /go/team → same as /go/teams, /go/checkout → same as /go/pro,
-  // /go/trial → install guide (trial starts on init)
   team: {
-    path: '/#workflow-sprint-intake',
-    ctaId: 'go_team',
+    path: '/go/pro?utm_source=legacy_teams&utm_medium=redirect',
+    ctaId: 'go_pro',
     ctaPlacement: 'link_router',
-    eventType: 'team_intake_started',
-    defaults: {
-      utm_source: 'website',
-      utm_medium: 'link_router',
-      utm_campaign: 'team_intake',
-      plan_id: 'team',
-    },
+    eventType: 'cta_click',
   },
   checkout: {
     path: '/checkout/pro',
@@ -6405,30 +6389,7 @@ ${hidden}
 <h1>Case Studies</h1>
 <p class="lede">Real integrations. No fabricated logos, no aspirational numbers — every claim below is reproducible.</p>
 
-<article>
-<h2>Aiventyx marketplace — Teams listing intake recovery</h2>
-<p class="meta">Integration partner: <a href="https://www.aiventyx.com">Aiventyx</a> · Reported by: Qaiser Mehdi · Verified: 2026-05-13</p>
-
-<h3>The problem</h3>
-<p>Aiventyx is a marketplace for AI tools. ThumbGate's Teams listing was their highest-CTR external surface — <span class="metric">62% CTR</span> (5 clicks on 8 views, May 7–9 window). When their integrator rolled out canonical tracked URLs, every Teams click started landing on:</p>
-<p><code>{"error":"Tracked link not found","allowed":["gpt","pro","install","reddit","linkedin","x","github"]}</code></p>
-<p>The <code>/go/teams</code> slug wasn't registered in our redirector — a 404 was eating every paid-intent click from their strongest external surface.</p>
-
-<h3>The fix</h3>
-<p>Added <code>teams</code> to <code>TRACKED_LINK_TARGETS</code> and now routes it to <code>/?plan_id=team#workflow-sprint-intake</code>. Caller-supplied UTMs flow through to the intake path so the workflow, owner, and proof boundary are explicit before any Team checkout.</p>
-
-<h3>The verification</h3>
-<p>Qaiser's own incognito test, May 13 6:04 AM (full email on record):</p>
-<p><code>https://thumbgate.ai/go/teams?utm_source=aiventyx</code><br>
-→ 302 to the Team workflow intake<br>
-→ pricing source, campaign, and plan metadata preserved<br>
-→ buyer sees the scope-first path before any subscription decision</p>
-
-<h3>What this proves</h3>
-<p>End-to-end attribution from a third-party marketplace through ThumbGate's redirector into the Team intake path, with the caller's UTM chain preserved. Regression tests pin the redirect contract so it can't silently break or regress into a blind Team checkout.</p>
-
-<p><a href="/go/teams?utm_source=case-study">Try the live redirect →</a></p>
-</article>
+<p><em>New case studies for individual Pro operators coming soon.</em></p>
 
 <footer>
 <p>Want to be the next case study? The product is real, the integration is 30 seconds: <code>npx thumbgate init</code>. If you ship something with ThumbGate and want it documented here, email <a href="mailto:igor.ganapolsky@gmail.com">igor.ganapolsky@gmail.com</a>.</p>

package/scripts/operational-dashboard.js

@@ -1,160 +0,0 @@
-'use strict';
-
-const { resolveAnalyticsWindow } = require('./analytics-window');
-const { getBillingSummaryLive } = require('./billing');
-const { generateDashboard } = require('./dashboard');
-const { getFeedbackPaths } = require('./feedback-loop');
-const { resolveHostedBillingConfig } = require('./hosted-config');
-const { loadOperatorConfig } = require('./operational-summary');
-
-function normalizeText(value) {
-  if (value === undefined || value === null) return null;
-  const text = String(value).trim();
-  return text || null;
-}
-
-function shouldPreferHostedDashboard() {
-  return String(process.env.THUMBGATE_METRICS_SOURCE || '').trim().toLowerCase() !== 'local';
-}
-
-function resolveHostedDashboardConfig() {
-  const runtimeConfig = resolveHostedBillingConfig();
-  const operatorConfig = loadOperatorConfig();
-  // Match operational-summary's key priority chain so north-star and cfo
-  // authenticate against the same hosted deployment consistently. Prior to
-  // this change, north-star only read THUMBGATE_API_KEY, silently 401'ing
-  // on machines configured via operator.json or THUMBGATE_OPERATOR_KEY.
-  const apiKey = normalizeText(process.env.THUMBGATE_OPERATOR_KEY)
-    || operatorConfig.operatorKey
-    || normalizeText(process.env.THUMBGATE_API_KEY);
-  const apiBaseUrl = normalizeText(process.env.THUMBGATE_BILLING_API_BASE_URL)
-    || operatorConfig.baseUrl
-    || runtimeConfig.billingApiBaseUrl;
-  return {
-    apiBaseUrl,
-    apiKey,
-  };
-}
-
-async function buildOperationalDashboard(options = {}) {
-  const analyticsWindow = resolveAnalyticsWindow(options);
-  const feedbackDir = options.feedbackDir || getFeedbackPaths().FEEDBACK_DIR;
-  const billingSummary = await getBillingSummaryLive(analyticsWindow);
-
-  return generateDashboard(feedbackDir, {
-    analyticsWindow,
-    billingSummary,
-    billingSource: 'live',
-    billingFallbackReason: null,
-  });
-}
-
-async function fetchHostedDashboard(options = {}, config = resolveHostedDashboardConfig()) {
-  const analyticsWindow = resolveAnalyticsWindow(options);
-  if (!shouldPreferHostedDashboard()) {
-    const err = new Error('Hosted operational dashboard is disabled.');
-    err.code = 'hosted_dashboard_disabled';
-    throw err;
-  }
-  if (!config.apiBaseUrl || !config.apiKey) {
-    const err = new Error('Hosted operational dashboard is not configured.');
-    err.code = 'hosted_dashboard_unconfigured';
-    throw err;
-  }
-
-  const requestUrl = new URL('/v1/dashboard', config.apiBaseUrl);
-  requestUrl.searchParams.set('window', analyticsWindow.window);
-  requestUrl.searchParams.set('timezone', analyticsWindow.timeZone);
-  requestUrl.searchParams.set('now', analyticsWindow.now);
-
-  const response = await fetch(requestUrl, {
-    method: 'GET',
-    headers: {
-      authorization: `Bearer ${config.apiKey}`,
-      accept: 'application/json',
-    },
-  });
-
-  if (!response.ok) {
-    const detail = await response.text().catch(() => '');
-    const err = new Error(`Hosted operational dashboard request failed (${response.status}): ${detail || 'unknown error'}`);
-    err.code = 'hosted_dashboard_http_error';
-    err.status = response.status;
-    throw err;
-  }
-
-  return response.json();
-}
-
-async function getOperationalDashboard(options = {}) {
-  const analyticsWindow = resolveAnalyticsWindow(options);
-  try {
-    const data = await fetchHostedDashboard(analyticsWindow);
-    return {
-      source: 'hosted',
-      data,
-      fallbackReason: null,
-      hostedStatus: 200,
-    };
-  } catch (err) {
-    const reason = err && err.message ? err.message : 'hosted_dashboard_unavailable';
-    const status = err && typeof err.status === 'number' ? err.status : null;
-    const code = err && err.code ? err.code : null;
-
-    // Hosted deliberately disabled or never configured — local fallback is
-    // intentional, not a degraded state. Tag as plain 'local'.
-    if (code === 'hosted_dashboard_disabled' || code === 'hosted_dashboard_unconfigured') {
-      return {
-        source: 'local',
-        data: await buildOperationalDashboard(analyticsWindow),
-        fallbackReason: reason,
-        hostedStatus: null,
-      };
-    }
-
-    // Mirror operational-summary: auth failure is the dangerous case. A
-    // dashboard that silently shows $0 revenue (from the local ledger) when
-    // Stripe actually has paid customers is a lie the operator acts on.
-    // Refuse to guess — surface an actionable error.
-    if (status === 401 || status === 403) {
-      const authErr = new Error(
-        `Hosted operational dashboard rejected credentials (HTTP ${status}). ` +
-        `The operator key on this machine does not match the one on the ` +
-        `hosted deployment. Fix: set THUMBGATE_OPERATOR_KEY in this shell, ` +
-        `or update the operatorKey field in ~/.config/thumbgate/operator.json, ` +
-        `to match Railway's THUMBGATE_OPERATOR_KEY. ` +
-        `Running north-star without hosted auth would report local-only ` +
-        `data as ground truth, which may not reflect actual Stripe revenue. ` +
-        `Original response: ${reason}`
-      );
-      authErr.code = 'hosted_dashboard_unauthorized';
-      authErr.status = status;
-      throw authErr;
-    }
-
-    // Non-auth failure — local fallback is still useful for dev workflows,
-    // but tag the source so downstream renderers do not mistake it for
-    // verified hosted truth.
-    //
-    // Log only the status code (trusted) — the full reason contains upstream
-    // response text and is only returned structurally via fallbackReason.
-    console.warn(
-      `[operational-dashboard] Hosted dashboard unreachable (status=${status ?? 'network'}); ` +
-      `falling back to LOCAL-UNVERIFIED state. Numbers below may not reflect actual Stripe revenue.`
-    );
-    return {
-      source: 'local-unverified',
-      data: await buildOperationalDashboard(analyticsWindow),
-      fallbackReason: reason,
-      hostedStatus: status,
-    };
-  }
-}
-
-module.exports = {
-  buildOperationalDashboard,
-  fetchHostedDashboard,
-  getOperationalDashboard,
-  resolveHostedDashboardConfig,
-  shouldPreferHostedDashboard,
-};