thumbgate 1.26.7 → 1.27.2

package/public/codex-plugin.html

@@ -3,12 +3,12 @@
 <head>
 <meta charset="UTF-8">
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
-<title>ThumbGate for Codex - Auto-Updating MCP Plugin</title>
+<title>ThumbGate for Codex - CLI Setup and Plugin Bundle</title>
 <script defer data-domain="thumbgate-production.up.railway.app" src="https://plausible.io/js/script.js"></script>
-<meta name="description" content="Install ThumbGate for Codex with an auto-updating MCP plugin, Pre-Action Checks, thumbs-up/down feedback memory, and a local-first Reliability Gateway.">
+<meta name="description" content="Install ThumbGate for Codex with CLI setup first, plus a portable Codex plugin bundle for review, marketplace, and offline workflows. Includes Pre-Action Checks and thumbs-up/down feedback memory.">
 <meta name="keywords" content="ThumbGate Codex plugin, Codex MCP server, Codex pre-action checks, Codex guardrails, thumbgate latest, AI coding agent reliability">
 <meta property="og:title" content="ThumbGate for Codex">
-<meta property="og:description" content="Auto-updating MCP and hook launcher for Codex. One install, then ThumbGate resolves the latest npm runtime when Codex starts.">
+<meta property="og:description" content="CLI-first Codex setup with auto-updating MCP, hooks, and a portable plugin bundle for review or marketplace workflows.">
 <meta property="og:type" content="website">
 <meta property="og:url" content="https://thumbgate.ai/codex-plugin">
 <link rel="canonical" href="https://thumbgate.ai/codex-plugin">
@@ -21,7 +21,7 @@
   "name": "ThumbGate for Codex",
   "applicationCategory": "DeveloperApplication",
   "operatingSystem": "macOS, Linux, Windows with Node.js",
-  "description": "ThumbGate for Codex installs an MCP server and hook launcher that resolves thumbgate@latest at startup, captures thumbs-up/down feedback, and enforces Pre-Action Checks before risky agent actions run.",
+  "description": "ThumbGate for Codex installs an MCP server and hook launcher that resolves thumbgate@latest at startup, captures thumbs-up/down feedback, and enforces Pre-Action Checks before risky agent actions run. The supported fast path is npx thumbgate init --agent codex; the zip is a portable plugin bundle, not a double-click desktop installer.",
   "url": "https://thumbgate.ai/codex-plugin",
   "downloadUrl": "https://github.com/IgorGanapolsky/ThumbGate/releases/latest/download/thumbgate-codex-plugin.zip",
   "installUrl": "https://thumbgate.ai/codex-plugin",
@@ -71,7 +71,15 @@
       "name": "What is the fastest Codex install path?",
       "acceptedAnswer": {
         "@type": "Answer",
-        "text": "Run npx thumbgate init --agent codex for the automatic local setup, or use the standalone Codex plugin bundle if you want a portable plugin surface."
+        "text": "Run npx thumbgate init --agent codex for the automatic local setup. Use the standalone Codex plugin bundle only when you want a portable plugin folder for review, marketplace wiring, offline handoff, or a Codex build that exposes local plugin import."
+      }
+    },
+    {
+      "@type": "Question",
+      "name": "Does the release zip install itself in Codex Desktop?",
+      "acceptedAnswer": {
+        "@type": "Answer",
+        "text": "No. The zip is not a double-click installer. Extract it and install the folder through a Codex plugin directory or marketplace flow if your Codex build exposes one. Otherwise use npx thumbgate init --agent codex."
       }
     }
   ]
@@ -220,9 +228,9 @@
       <p class="sub" style="font-size:13px;opacity:0.85;">Updated: <time datetime="2026-04-20">2026-04-20</time> · by <a href="https://github.com/IgorGanapolsky" style="color:inherit;">Igor Ganapolsky</a></p>
       <p class="sub">ThumbGate wires Codex into local-first feedback memory, MCP tools, and hook enforcement. The launcher resolves <code>thumbgate@latest</code> when Codex starts, so published npm fixes reach your active MCP server after a restart.</p>
       <div class="actions">
-        <a class="button primary" href="https://github.com/IgorGanapolsky/ThumbGate/releases/latest/download/thumbgate-codex-plugin.zip" target="_blank" rel="noopener" onclick="if(typeof plausible==='function')plausible('codex_plugin_download')">Download Codex plugin</a>
+        <a class="button primary" href="/guide" onclick="if(typeof plausible==='function')plausible('codex_cli_setup')">Install with CLI setup</a>
         <a class="button secondary" href="https://github.com/IgorGanapolsky/ThumbGate/blob/main/plugins/codex-profile/INSTALL.md" target="_blank" rel="noopener">Read install docs</a>
-        <a class="button secondary" href="/guide">Use CLI setup</a>
+        <a class="button secondary" href="https://github.com/IgorGanapolsky/ThumbGate/releases/latest/download/thumbgate-codex-plugin.zip" target="_blank" rel="noopener" onclick="if(typeof plausible==='function')plausible('codex_plugin_download')">Download zip for review</a>
       </div>
       <nav class="proof-bar" aria-label="Codex proof and conversion links">
         <a href="https://github.com/IgorGanapolsky/ThumbGate/blob/main/docs/VERIFICATION_EVIDENCE.md" target="_blank" rel="noopener">Verification evidence</a>
@@ -231,8 +239,9 @@
         <a href="/?utm_source=codex&utm_medium=plugin_page&utm_campaign=codex_team_follow_on&utm_content=workflow_sprint&campaign_variant=teams_follow_on&offer_code=CODEX-TEAMS_FOLLOW_ON&cta_id=codex_team_follow_on&cta_placement=plugin_page&surface=codex_plugin#workflow-sprint-intake">Team workflow sprint</a>
       </nav>
       <pre class="terminal">$ npx thumbgate init --agent codex
+$ npx thumbgate feedback-self-test
 # Writes ~/.codex/config.toml and ~/.codex/config.json
-# MCP + hooks install thumbgate@latest before serving or checking gates</pre>
+# Restart Codex, then confirm ThumbGate is enabled in Plugins or MCP settings</pre>
     </div>
   </section>
 
@@ -251,11 +260,31 @@
     </div>
   </section>
 
+  <section class="wrap">
+    <div class="eyebrow">Role plugins, Sites, and team OS</div>
+    <h2>Codex is becoming a business-work surface. ThumbGate is the action boundary.</h2>
+    <div class="steps">
+      <div class="step">
+        <h3>Role plugins</h3>
+        <p>Codex plugins bundle skills, apps, and MCP servers. ThumbGate checks role-specific writes before sales, analytics, design, finance, or support agents modify business systems.</p>
+      </div>
+      <div class="step">
+        <h3>Sites deploys</h3>
+        <p>Before a Sites workflow publishes or widens access, ThumbGate can require build proof, intended audience, secret handling, and deployment evidence.</p>
+      </div>
+      <div class="step">
+        <h3>Team Agentic OS</h3>
+        <p>Human-editable docs, agent-operating files, and git backups still need runtime checks. ThumbGate gates protected skills, MCP config, memory scope, and workflow contracts.</p>
+      </div>
+    </div>
+    <p><a href="/learn/codex-role-plugins-need-governance">Read the Codex role-plugin governance guide</a> · <a href="/learn/agentic-os-team-governance">Read the Agentic OS team governance guide</a> · <a href="/learn/cost-aware-agent-gate-routing">Read cost-aware gate routing</a></p>
+  </section>
+
   <section class="wrap split">
     <div>
       <div class="eyebrow">What Codex gets</div>
       <h2>MCP memory, hook checks, and a dashboard lane in the same install path.</h2>
-      <p>Use the standalone plugin when you want a portable Codex bundle. Use <code>npx thumbgate init --agent codex</code> when you want the shortest path on this machine. Both paths point at the same Reliability Gateway and the same npm runtime.</p>
+      <p>Use <code>npx thumbgate init --agent codex</code> when you want the shortest path on this machine. Use the standalone zip only when you need a portable plugin folder for audit, offline handoff, marketplace wiring, or a Codex build that exposes local plugin import.</p>
       <p class="status">The Codex launcher checks npm on startup. Restart Codex after a ThumbGate publish to let the MCP server and hook bundle pick up the latest runtime.</p>
     </div>
     <figure class="proof">
@@ -273,12 +302,31 @@
         <p>Run <code>npx thumbgate init --agent codex</code>. ThumbGate writes the MCP server block and hook bundle into your Codex config files.</p>
       </div>
       <div class="step">
-        <h3>2. Standalone plugin</h3>
-        <p>Use the release bundle when Codex loads plugin surfaces directly. The bundle includes the manifest, MCP config, marketplace entry, and install docs.</p>
+        <h3>2. Plugin directory</h3>
+        <p>For a true plugin install, use Codex Plugins or a marketplace source. In the Add marketplace dialog, do not keep Codex's default <code>plugins/codex</code> sparse path for this repo; use <code>.agents/plugins/marketplace.json</code> and <code>plugins/codex-profile</code>, or leave sparse paths blank for a local checkout.</p>
       </div>
       <div class="step">
-        <h3>3. Verify in Codex</h3>
-        <p>Open Codex settings, confirm <code>thumbgate</code> is toggled on, then restart Codex after npm releases to pick up the latest runtime.</p>
+        <h3>3. Zip for review</h3>
+        <p>The zip is a portable folder, not a double-click installer. Extract it, inspect <code>.codex-plugin/plugin.json</code>, and use CLI setup when local plugin import is unavailable.</p>
+      </div>
+    </div>
+  </section>
+
+  <section class="wrap">
+    <div class="eyebrow">Desktop install reality</div>
+    <h2>Do not make users guess what to do with a zip.</h2>
+    <div class="steps">
+      <div class="step">
+        <h3>Use first</h3>
+        <p><code>npx thumbgate init --agent codex</code> is the supported self-serve path. It configures MCP, hooks, and the status line without asking the user to understand plugin internals.</p>
+      </div>
+      <div class="step">
+        <h3>Use when available</h3>
+        <p>If Codex shows Plugins, open the directory, clear restrictive filters like <code>Built by OpenAI</code>, install ThumbGate from a marketplace or shared plugin entry, then start a new thread after install.</p>
+      </div>
+      <div class="step">
+        <h3>Use for operators</h3>
+        <p>Download the zip only for security review, offline delivery, or manual marketplace wiring. The user selects the extracted folder, never the compressed file.</p>
       </div>
     </div>
   </section>
@@ -312,7 +360,11 @@
       </div>
       <div class="faq">
         <h3>Where is the direct asset?</h3>
-        <p>The standalone zip remains available at <a href="https://github.com/IgorGanapolsky/ThumbGate/releases/latest/download/thumbgate-codex-plugin.zip" target="_blank" rel="noopener">GitHub Releases</a>. This page is the human install surface so users do not land on an unexplained file download.</p>
+        <p>The standalone zip remains available at <a href="https://github.com/IgorGanapolsky/ThumbGate/releases/latest/download/thumbgate-codex-plugin.zip" target="_blank" rel="noopener">GitHub Releases</a>. It is for review, offline delivery, and manual marketplace workflows. It is not a double-click Codex Desktop installer.</p>
+      </div>
+      <div class="faq">
+        <h3>I searched Plugins for ThumbGate. Why is it missing?</h3>
+        <p>First clear the <code>Built by OpenAI</code> filter. ThumbGate is a local or third-party marketplace plugin, so an OpenAI-only filter hides it. Then confirm the marketplace includes <code>.agents/plugins/marketplace.json</code> and <code>plugins/codex-profile</code>; the default <code>plugins/codex</code> sparse path will miss this repo.</p>
       </div>
     </div>
   </section>

package/public/dashboard.html

@@ -270,7 +270,11 @@
       <input id="chatInput" class="auth-input" style="flex:1;" placeholder="e.g. What mistakes have we made, and how do we avoid them?" onkeydown="if(event.key==='Enter'){event.preventDefault();sendChat();}" />
       <button class="btn" id="chatSend" onclick="sendChat()">Ask</button>
     </div>
-    <div id="chatHint" style="font-size:12px;color:var(--text-muted);margin-top:8px;">Powered by your captured lessons + Gemini. Set <code style="font-family:var(--mono);">GEMINI_API_KEY</code> (<code style="font-family:var(--mono);">npx thumbgate setup-vertex --write</code>) to enable.</div>
+    <div id="chatHint" style="font-size:12px;color:var(--text-muted);margin-top:8px;display:flex;align-items:center;gap:8px;">
+      <span>Powered by your captured lessons + Gemini/Perplexity hybrid (local-cloud).</span>
+      <input type="password" id="geminiKeyInput" placeholder="Set GEMINI_API_KEY..." style="background:var(--bg-raised); border:1px solid var(--border); border-radius:4px; padding:4px 8px; color:var(--text); font-family:var(--mono); font-size:11px; flex:1; max-width: 250px;" onkeydown="if(event.key==='Enter'){event.preventDefault();saveGeminiKey();}" />
+      <button class="btn-outline" style="padding:4px 10px;font-size:11px;border-radius:4px;" onclick="saveGeminiKey()">Save</button>
+    </div>
   </div>
 
   <div class="panel" id="reviewDeltaPanel" style="margin-bottom:20px;">
@@ -304,7 +308,8 @@
     <div class="tab active" onclick="switchTab('search')">🔍 Search Memories</div>
     <div class="tab" onclick="switchTab('gates')">🛡️ Active Gates</div>
     <div class="tab" onclick="switchTab('team')">👥 Team</div>
-    <div class="tab" onclick="switchTab('enterprise')">🏢 Enterprise Chat</div>
+    <div class="tab" onclick="switchTab('enterprise')">🏢 Enterprise Data Chat</div>
+    <div class="tab" onclick="switchTab('ai-inventory')">🧬 AI Inventory</div>
     <div class="tab" onclick="switchTab('generated')">🧩 Generated Views</div>
     <div class="tab" onclick="switchTab('settings')">⚙️ Policy Origins</div>
     <div class="tab" onclick="switchTab('templates')">🧱 Gate Templates</div>
@@ -411,8 +416,8 @@
   <!-- ENTERPRISE CHAT TAB -->
   <div class="tab-content" id="tab-enterprise">
     <div class="templates-section">
-      <h2>Enterprise Dialogflow Data Chat</h2>
-      <p class="template-summary">Ask questions over local ThumbGate feedback, lessons, gates, team posture, and Vertex/DFCX readiness. This local panel uses ThumbGate's DFCX-compatible guard before data access; it does not claim a live Google Dialogflow CX agent unless deployment evidence is configured.</p>
+      <h2>Enterprise Data Chat</h2>
+      <p class="template-summary">Ask questions over local ThumbGate feedback, lessons, gates, team posture, and Vertex/DFCX readiness. This is a governed local data-query panel with a DFCX-compatible guard before data access; it does not claim a live Google Dialogflow CX agent unless deployment evidence is configured.</p>
       <div class="enterprise-chat-layout">
         <div class="panel">
           <h3>Chat With Local ThumbGate Data</h3>
@@ -429,7 +434,30 @@
         <div class="panel">
           <h3>Enterprise Readiness</h3>
           <div class="inventory-tools" id="enterpriseStatusCards"><div class="loading">Loading enterprise status...</div></div>
-          <div class="template-summary" style="margin-top:14px;margin-bottom:0;">Live DFCX proof must come from the Conversational Agents console, deployed webhook URL, Cloud Run logs, or the Dialogflow CX REST API <code style="font-family:var(--mono);font-size:12px;">projects.locations.agents</code>.</div>
+          <div class="template-summary" style="margin-top:14px;margin-bottom:0;">Live DFCX proof must come from the Conversational Agents console, deployed webhook URL, Cloud Run logs, or the Dialogflow CX REST API <code style="font-family:var(--mono);font-size:12px;">projects.locations.agents</code>. Without that proof, the panel stays local-only.</div>
+        </div>
+      </div>
+    </div>
+  </div>
+
+  <!-- AI INVENTORY TAB -->
+  <div class="tab-content" id="tab-ai-inventory">
+    <div class="templates-section">
+      <h2>AI Component Inventory</h2>
+      <p class="template-summary">Enterprise evidence for AI/ML usage: provider SDKs, agent frameworks, vector databases, Vertex/Gemini/Dialogflow CX references, and local model artifacts. Export this as ML-BOM proof before claiming an AI system is production-ready.</p>
+      <div class="inventory-grid" id="aiInventorySummaryCards"><div class="loading">Scanning AI inventory...</div></div>
+      <div class="team-columns" style="margin-top:16px;">
+        <div class="panel">
+          <h3>Detected Components</h3>
+          <div class="inventory-tools" id="aiInventoryComponents"><div class="loading">Scanning components...</div></div>
+        </div>
+        <div class="panel">
+          <h3>Export Evidence</h3>
+          <div class="template-summary" style="margin-bottom:12px;">CLI export:</div>
+          <pre style="white-space:pre-wrap;background:var(--bg);border:1px solid var(--border);border-radius:8px;padding:12px;font-size:12px;color:var(--text);">npx thumbgate ai-inventory --format=cyclonedx --output=.thumbgate/ai-mlbom.json</pre>
+          <div class="template-summary" style="margin-top:12px;">API export:</div>
+          <pre style="white-space:pre-wrap;background:var(--bg);border:1px solid var(--border);border-radius:8px;padding:12px;font-size:12px;color:var(--text);">GET /v1/dashboard/ai-inventory?format=cyclonedx</pre>
+          <div id="aiInventoryExportNote" class="template-summary" style="margin-top:12px;margin-bottom:0;">Waiting for inventory evidence...</div>
         </div>
       </div>
     </div>
@@ -681,8 +709,30 @@ let currentGeneratedView = 'team-review';
 const BOOTSTRAP_API_KEY = __DASHBOARD_BOOTSTRAP_KEY__;
 const LOCAL_PRO_BOOTSTRAP = __DASHBOARD_BOOTSTRAP_ENABLED__;
 
+let ACTIVE_PROJECT_DIR = '';
+try {
+  var urlParams = new URLSearchParams(window.location.search);
+  ACTIVE_PROJECT_DIR = urlParams.get('project') || '';
+} catch (e) {}
+
+function preserveProjectQueryParams() {
+  if (!ACTIVE_PROJECT_DIR) return;
+  var links = document.querySelectorAll('a[href^="/dashboard"], a[href^="/lessons"], a[href="/"]');
+  links.forEach(function(link) {
+    try {
+      var url = new URL(link.href, window.location.origin);
+      url.searchParams.set('project', ACTIVE_PROJECT_DIR);
+      link.href = url.pathname + url.search + url.hash;
+    } catch (e) {}
+  });
+}
+
 function getHeaders() {
-  return { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' };
+  var headers = { 'Authorization': 'Bearer ' + API_KEY, 'Content-Type': 'application/json' };
+  if (ACTIVE_PROJECT_DIR) {
+    headers['x-thumbgate-project-dir'] = ACTIVE_PROJECT_DIR;
+  }
+  return headers;
 }
 
 // --- Chat with your data ---------------------------------------------------
@@ -706,13 +756,32 @@ function chatRenderAnswer(a) {
     .replace(/\[(\d+)\]/g, '<sup style="color:var(--cyan);font-weight:600;">[$1]</sup>')
     .replace(/\n/g, '<br>');
 }
-function chatRenderSources(sources) {
+function chatRenderSources(sources, answerText) {
   if (!sources || !sources.length) return '';
+  var citedNums = new Set();
+  var regex = /\[(\d+)\]/g;
+  var match;
+  while ((match = regex.exec(answerText || '')) !== null) {
+    citedNums.add(parseInt(match[1], 10));
+  }
+
   var items = sources.map(function (s, i) {
+    var num = i + 1;
+    var isCited = citedNums.has(num);
     var label = chatEscape(String(s.title || s.id || '').slice(0, 64));
-    return '<span title="' + label + '" style="display:inline-block;font-size:11px;background:var(--cyan-dim);color:var(--cyan);padding:2px 7px;border-radius:5px;margin:4px 5px 0 0;">[' + (i + 1) + '] ' + label + '</span>';
+    
+    var bg = isCited ? 'var(--cyan-dim)' : 'var(--bg-raised)';
+    var color = isCited ? 'var(--cyan)' : 'var(--text-muted)';
+    var border = isCited ? '1px solid var(--cyan)' : '1px solid var(--border)';
+    var weight = isCited ? '600' : 'normal';
+
+    return '<span title="' + label + '" style="display:inline-block;font-size:11px;background:' + bg + ';color:' + color + ';border:' + border + ';font-weight:' + weight + ';padding:2px 7px;border-radius:5px;margin:4px 5px 0 0;">[' + num + '] ' + label + '</span>';
   }).join('');
-  return '<div style="margin-top:10px;">' + items + '</div>';
+
+  return '<div style="margin-top:12px;border-top:1px dashed var(--border);padding-top:10px;">' +
+         '<div style="font-size:11px;color:var(--text-muted);margin-bottom:6px;font-weight:600;">Database logs analyzed to answer your question:</div>' +
+         items +
+         '</div>';
 }
 async function sendChat() {
   var input = document.getElementById('chatInput');
@@ -729,7 +798,10 @@ async function sendChat() {
     var res = await fetch('/v1/chat', { method: 'POST', headers: getHeaders(), body: JSON.stringify({ question: q }) });
     var data = await res.json();
     if (data && data.ok) {
-      pending.innerHTML = chatRenderAnswer(data.answer) + chatRenderSources(data.sources);
+      pending.innerHTML = chatRenderAnswer(data.answer) + chatRenderSources(data.sources, data.answer);
+    } else if (data && data.error === 'gemini_error') {
+      pending.innerHTML = '<em style="color:#f87171;">Gemini rejected the key: ' + chatEscape(data.message || 'invalid') +
+        '<br>Fix: paste a valid key in the "Set GEMINI_API_KEY..." box below (get one at <a href="https://aistudio.google.com/app/apikey" target="_blank" style="color:#67e8f9;">AI Studio</a>) and click Save.</em>';
     } else {
       pending.innerHTML = '<em style="color:var(--text-muted);">' + chatEscape((data && data.message) || 'Chat is unavailable.') + '</em>';
     }
@@ -741,6 +813,37 @@ async function sendChat() {
   }
 }
 
+async function saveGeminiKey() {
+  var input = document.getElementById('geminiKeyInput');
+  var val = (input.value || '').trim();
+  if (!val) return;
+  var oldPlaceholder = input.placeholder;
+  input.disabled = true;
+  input.placeholder = 'Saving...';
+  try {
+    var res = await fetch('/v1/settings/gemini-key', {
+      method: 'POST',
+      headers: getHeaders(),
+      body: JSON.stringify({ key: val })
+    });
+    var data = await res.json();
+    if (data && data.ok) {
+      input.value = '';
+      input.placeholder = '✓ Key saved to .env';
+      setTimeout(function() {
+        document.getElementById('chatHint').innerHTML = '<span style="color:var(--green)">✓ Key validated. Hybrid (Perplexity/Gemini) supported for chat with your data.</span>';
+      }, 2000);
+    } else {
+      input.placeholder = '✗ Failed: ' + (data.message || data.error || 'Unknown error');
+    }
+  } catch (e) {
+    input.placeholder = '✗ Network error';
+  } finally {
+    input.disabled = false;
+    setTimeout(function() { if (input.placeholder.startsWith('✗')) input.placeholder = oldPlaceholder; }, 3000);
+  }
+}
+
 function hasBootstrapKey() {
   return LOCAL_PRO_BOOTSTRAP && Boolean(BOOTSTRAP_API_KEY);
 }
@@ -751,8 +854,8 @@ async function connect(options) {
   API_KEY = String(opts.key || input.value || '').trim();
   if (!API_KEY) return;
   
-  const isEnterprise = API_KEY.startsWith('tg_op_') || API_KEY.startsWith('tg_creator_');
-  const tierName = isEnterprise ? 'Enterprise' : 'Pro';
+  var isEnterprise = API_KEY.startsWith('tg_op_') || API_KEY.startsWith('tg_creator_');
+  var tierName = isEnterprise ? 'Enterprise' : 'Pro';
 
   const status = document.getElementById('authStatus');
   const btn = document.getElementById('connectBtn');
@@ -763,16 +866,33 @@ async function connect(options) {
     const res = await fetch('/v1/feedback/stats', { headers: getHeaders() });
     if (!res.ok) throw new Error('Invalid API key');
     const data = await res.json();
+    
+    if (data.tier) {
+      isEnterprise = (data.tier === 'Enterprise');
+      tierName = data.tier;
+    }
+    
+    if (data.geminiKeyStatus === 'validated' || data.geminiValidatedAt) {
+      var when = data.geminiValidatedAt ? ' (validated ' + new Date(data.geminiValidatedAt).toLocaleTimeString() + ')' : '';
+      document.getElementById('chatHint').innerHTML = '<span style="color:var(--green)">✓ Gemini API key validated' + when + '. You can now chat with your data.</span>';
+    } else if (data.perplexityConfigured) {
+      document.getElementById('chatHint').innerHTML = '<span style="color:var(--green)">✓ Perplexity hybrid (local-cloud) key present. Supports hybrid inference for chat with your data.</span>';
+    } else if (data.geminiConfigured) {
+      document.getElementById('chatHint').innerHTML = '<span style="color:#f59e0b">⚠ Gemini key present in .env (click Save below to validate it). Perplexity hybrid also supported for cost/privacy.</span>';
+    }
+
     status.className = 'auth-status ok';
     status.textContent = opts.localPro ? `✓ Local ${tierName} connected` : '✓ Connected';
     document.getElementById('dashboardContent').style.display = 'block';
     if (opts.localPro) {
+      const localProActiveMessage = 'Local Pro is active on this machine. Your dashboard is using the saved license key automatically.';
+      const localEnterpriseActiveMessage = 'Local Enterprise is active on this machine. Your dashboard is using the saved license key automatically.';
       input.value = 'local-license';
       input.disabled = true;
       input.placeholder = `Local ${tierName} auto-connected`;
       btn.disabled = true;
       document.getElementById('demoBtn').style.display = 'none';
-      document.getElementById('authHelp').textContent = `Local ${tierName} is active on this machine. Your dashboard is using the saved license key automatically.`;
+      document.getElementById('authHelp').textContent = isEnterprise ? localEnterpriseActiveMessage : localProActiveMessage;
     }
     renderStats(data);
     setSelectedCard('all');
@@ -971,11 +1091,11 @@ function switchTab(name) {
 /**
  * Resolve deep-link tab target from URL hash or query string.
  * Supports: /dashboard#insights, /dashboard?tab=gates, /dashboard#tab-export.
- * Valid targets match tab-content ids (search, gates, team, generated,
- * settings, templates, insights, export).
+ * Valid targets match tab-content ids (search, gates, team, enterprise,
+ * ai-inventory, generated, settings, templates, insights, export).
  */
 function getDeepLinkTab() {
-  var valid = ['search', 'gates', 'team', 'generated', 'settings', 'templates', 'insights', 'export'];
+  var valid = ['search', 'gates', 'team', 'enterprise', 'ai-inventory', 'generated', 'settings', 'templates', 'insights', 'export'];
   var raw = (window.location.hash || '').replace(/^#/, '').replace(/^tab-/, '');
   if (!raw) {
     try {
@@ -1187,9 +1307,70 @@ function renderDashboardData(data) {
   renderRegulatedProof(data.regulatedProof || {});
   renderTemplates(data.templateLibrary || {});
   renderInsights(data);
+  loadAiInventory();
   loadEnterpriseDialogflowStatus();
 }
 
+async function loadAiInventory() {
+  var summaryEl = document.getElementById('aiInventorySummaryCards');
+  var componentsEl = document.getElementById('aiInventoryComponents');
+  var exportEl = document.getElementById('aiInventoryExportNote');
+  if (!summaryEl || !componentsEl) return;
+
+  try {
+    var res = await fetch('/v1/dashboard/ai-inventory', { headers: getHeaders() });
+    if (!res.ok) {
+      var text = await res.text();
+      throw new Error(text || 'Failed to load AI inventory');
+    }
+    var inventory = await res.json();
+    renderAiInventory(inventory);
+  } catch (e) {
+    var message = e && e.message ? e.message : 'Failed to load AI inventory';
+    setMessageState(summaryEl, 'empty', message);
+    setMessageState(componentsEl, 'empty', message);
+    if (exportEl) exportEl.textContent = message;
+  }
+}
+
+function renderAiInventory(inventory) {
+  var summaryEl = document.getElementById('aiInventorySummaryCards');
+  var componentsEl = document.getElementById('aiInventoryComponents');
+  var exportEl = document.getElementById('aiInventoryExportNote');
+  var components = Array.isArray(inventory.components) ? inventory.components : [];
+  var byCategory = inventory.summary && inventory.summary.byCategory ? inventory.summary.byCategory : {};
+  var modelArtifacts = byCategory.model_artifact || 0;
+  var vectorDbs = byCategory.vector_database || 0;
+
+  summaryEl.innerHTML = [
+    '<div class="team-card"><div class="team-kicker">Files scanned</div><div class="team-value">' + escHtml(String(inventory.filesScanned || 0)) + '</div><div class="team-note">source, manifests, model artifacts</div></div>',
+    '<div class="team-card"><div class="team-kicker">AI components</div><div class="team-value">' + escHtml(String(inventory.componentCount || components.length)) + '</div><div class="team-note">inventory evidence items</div></div>',
+    '<div class="team-card"><div class="team-kicker">Vector stores</div><div class="team-value">' + escHtml(String(vectorDbs)) + '</div><div class="team-note">retrieval governance surface</div></div>',
+    '<div class="team-card"><div class="team-kicker">Model artifacts</div><div class="team-value">' + escHtml(String(modelArtifacts)) + '</div><div class="team-note">local ML-BOM artifacts</div></div>'
+  ].join('');
+
+  if (!components.length) {
+    componentsEl.innerHTML = '<div class="empty">No AI/ML components detected in this project root.</div>';
+  } else {
+    componentsEl.innerHTML = components.map(function(item) {
+      var evidence = Array.isArray(item.evidence) ? item.evidence.slice(0, 4) : [];
+      var evidenceHtml = evidence.map(function(e) {
+        var loc = e.line ? (e.file + ':' + e.line) : e.file;
+        return '<li><code>' + escHtml(loc || 'unknown') + '</code> <span style="color:var(--text-muted);">[' + escHtml(e.kind || 'evidence') + ']</span></li>';
+      }).join('');
+      return '<div class="tool-card">' +
+        '<div class="tool-title">' + escHtml(item.name || item.id || 'AI component') + '</div>' +
+        '<div class="tool-meta">' + escHtml(item.category || 'unknown') + ' · ' + escHtml(item.ecosystem || 'unknown') + '</div>' +
+        '<ul style="margin:8px 0 0 18px;padding:0;">' + evidenceHtml + '</ul>' +
+      '</div>';
+    }).join('');
+  }
+
+  if (exportEl) {
+    exportEl.textContent = 'Ready: export ' + String(inventory.componentCount || components.length) + ' component(s) as CycloneDX ML-BOM evidence.';
+  }
+}
+
 function renderGeneratedViewToolbar(spec) {
   var views = Array.isArray(spec.availableViews) ? spec.availableViews : [];
   document.getElementById('generatedViewToolbar').innerHTML = views.map(function(view) {
@@ -1632,7 +1813,11 @@ function renderEnterpriseStatus(status) {
   if (!target) return;
   var vertex = status && status.vertex ? status.vertex : {};
   var dfcx = status && status.dfcx ? status.dfcx : {};
+  var connectionMode = dfcx.liveAgentConfigured
+    ? 'Dialogflow CX configured'
+    : (vertex.configured ? 'Vertex configured' : 'Local-only');
   var rows = [
+    { name: 'Connection mode', value: connectionMode, note: dfcx.liveAgentConfigured ? 'Live DFCX evidence is present in env.' : (vertex.configured ? 'Vertex routing is configured; DFCX still needs live-agent proof.' : 'Local data Q&A only; no cloud agent claim.') },
     { name: 'Vertex routing', value: vertex.configured ? 'Configured' : 'Not configured', note: vertex.projectId ? ('Project: ' + vertex.projectId + ' · ' + (vertex.location || '')) : 'Run setup-vertex or set GOOGLE_VERTEX_PROJECT.' },
     { name: 'DFCX live agent', value: dfcx.liveAgentConfigured ? 'Env present' : 'Not proven', note: dfcx.verification || 'Verify with REST/console evidence.' },
     { name: 'Fulfillment proxy', value: dfcx.fulfillmentProxyConfigured ? 'Configured' : 'Not configured', note: 'Set THUMBGATE_DFCX_FULFILLMENT_URL for a deployed proxy.' },
@@ -1679,7 +1864,7 @@ async function sendEnterpriseChat() {
   }
   button.disabled = true;
   answer.className = 'enterprise-answer';
-  answer.textContent = 'Running the DFCX guard and reading local dashboard data...';
+    answer.textContent = 'Running the data-access guard and reading local dashboard data...';
   sources.innerHTML = '';
   try {
     var res = await fetch('/v1/enterprise/dialogflow/chat', {
@@ -1980,6 +2165,7 @@ function loadDemo() {
 
 // Auto-load demo on first visit so visitors see the product immediately
 window.addEventListener('DOMContentLoaded', function() {
+  preserveProjectQueryParams();
   if (hasBootstrapKey()) {
     connect({ key: BOOTSTRAP_API_KEY, localPro: true });
     return;