thumbgate 1.26.7 → 1.27.2

package/scripts/dashboard-chat.js

@@ -16,12 +16,37 @@
 const path = require('path');
 
 const GEMINI_ENDPOINT = 'https://generativelanguage.googleapis.com/v1beta/models';
+const PERPLEXITY_ENDPOINT = 'https://api.perplexity.ai/chat/completions';
 const DEFAULT_MODEL = 'gemini-2.5-flash';
 const MAX_QUESTION_CHARS = 2000;
 const MAX_CONTEXT_LESSONS = 8;
 
+// Allowlist the model so a user-supplied `model` cannot route the call to an
+// arbitrary / unexpected (or more expensive) endpoint. Anything not on the list
+// falls back to the default.
+const ALLOWED_MODELS = new Set([
+  'gemini-2.5-flash', 'gemini-2.5-flash-lite', 'gemini-2.5-pro',
+  'gemini-2.0-flash', 'gemini-2.0-flash-lite',
+  'gemini-flash-latest', 'gemini-flash-lite-latest', 'gemini-pro-latest',
+]);
+
+function resolveModel(requested) {
+  const r = String(requested || '').trim();
+  if (r && ALLOWED_MODELS.has(r)) return r;
+  const envModel = String(process.env.THUMBGATE_GEMINI_MODEL || '').trim();
+  if (envModel && ALLOWED_MODELS.has(envModel)) return envModel;
+  return DEFAULT_MODEL;
+}
+
 function resolveApiKey(opts = {}) {
-  return opts.apiKey || process.env.GEMINI_API_KEY || process.env.THUMBGATE_GEMINI_API_KEY || '';
+  let key = '';
+  if (Object.prototype.hasOwnProperty.call(opts, 'apiKey')) {
+    key = opts.apiKey || '';
+  } else {
+    key = opts.apiKey || process.env.GEMINI_API_KEY || process.env.THUMBGATE_GEMINI_API_KEY || process.env.GOOGLE_API_KEY || process.env.PERPLEXITY_API_KEY || process.env.THUMBGATE_PERPLEXITY_API_KEY || '';
+  }
+  if (!key) return '';
+  return key.trim().replace(/^["']|["']$/g, '');
 }
 
 // Retrieve the most relevant stored lessons for the question.
@@ -98,31 +123,53 @@ async function answerDataQuestion(question, opts = {}) {
     return {
       ok: false,
       error: 'no_api_key',
-      message: 'Chat is not configured. Set GEMINI_API_KEY (e.g. `npx thumbgate setup-vertex --write`) to enable "chat with your data".',
+      message: 'Chat is not configured. Set a valid GEMINI_API_KEY or PERPLEXITY_API_KEY (for hybrid local-cloud) in the project .env or via dashboard Save. See adapters/perplexity/HYBRID.md.',
       sources,
     };
   }
 
-  const model = opts.model || process.env.THUMBGATE_GEMINI_MODEL || DEFAULT_MODEL;
+  const model = resolveModel(opts.model);
   const prompt = buildChatPrompt(q, lessons);
   const fetchImpl = opts.fetch || globalThis.fetch;
+  const isPerplexity = apiKey.startsWith('pplx-') || apiKey.includes('perplexity');
 
   try {
-    const res = await fetchImpl(`${GEMINI_ENDPOINT}/${encodeURIComponent(model)}:generateContent`, {
-      method: 'POST',
-      headers: { 'content-type': 'application/json', 'x-goog-api-key': apiKey },
-      body: JSON.stringify({
-        contents: [{ role: 'user', parts: [{ text: prompt }] }],
-        generationConfig: { temperature: 0.2, maxOutputTokens: 1024 },
-      }),
-    });
-    const json = await res.json().catch(() => ({}));
-    if (!res.ok) {
-      const msg = (json && json.error && json.error.message) ? String(json.error.message).split('\n')[0] : `HTTP ${res.status}`;
-      return { ok: false, error: 'gemini_error', status: res.status, message: msg, sources };
+    if (isPerplexity) {
+      // Use Perplexity hybrid-capable API (OpenAI compatible) for RAG chat with your data
+      const res = await fetchImpl(PERPLEXITY_ENDPOINT, {
+        method: 'POST',
+        headers: { 'content-type': 'application/json', 'Authorization': `Bearer ${apiKey}` },
+        body: JSON.stringify({
+          model: 'sonar', // or llama-3.1 etc for hybrid
+          messages: [{ role: 'user', content: prompt }],
+          temperature: 0.2,
+          max_tokens: 1024,
+        }),
+      });
+      const json = await res.json().catch(() => ({}));
+      if (!res.ok) {
+        const msg = (json && json.error && json.error.message) ? String(json.error.message).split('\n')[0] : `HTTP ${res.status}`;
+        return { ok: false, error: 'perplexity_error', status: res.status, message: msg, sources };
+      }
+      const answer = (json.choices && json.choices[0] && json.choices[0].message && json.choices[0].message.content) || '';
+      return { ok: true, answer: answer.trim() || '(no answer returned)', sources, model: json.model || 'perplexity-hybrid' };
+    } else {
+      const res = await fetchImpl(`${GEMINI_ENDPOINT}/${encodeURIComponent(model)}:generateContent`, {
+        method: 'POST',
+        headers: { 'content-type': 'application/json', 'x-goog-api-key': apiKey },
+        body: JSON.stringify({
+          contents: [{ role: 'user', parts: [{ text: prompt }] }],
+          generationConfig: { temperature: 0.2, maxOutputTokens: 1024 },
+        }),
+      });
+      const json = await res.json().catch(() => ({}));
+      if (!res.ok) {
+        const msg = (json && json.error && json.error.message) ? String(json.error.message).split('\n')[0] : `HTTP ${res.status}`;
+        return { ok: false, error: 'gemini_error', status: res.status, message: msg, sources };
+      }
+      const answer = parseGeminiAnswer(json);
+      return { ok: true, answer: answer || '(no answer returned)', sources, model: json.modelVersion || model };
     }
-    const answer = parseGeminiAnswer(json);
-    return { ok: true, answer: answer || '(no answer returned)', sources, model: json.modelVersion || model };
   } catch (err) {
     return { ok: false, error: 'network', message: err && err.message ? err.message : String(err), sources };
   }

package/scripts/feedback-sanitizer.js

@@ -0,0 +1,105 @@
+'use strict';
+
+const crypto = require('crypto');
+
+const TRANSPORT_KEYS = new Set([
+  'hookeventname',
+  'hook_event_name',
+  'sessionid',
+  'session_id',
+  'transcriptpath',
+  'transcript_path',
+  'timestamp',
+  'createdat',
+  'created_at',
+  'updatedat',
+  'updated_at',
+  'cwd',
+  'pid',
+  'processid',
+  'process_id',
+  'promptid',
+  'prompt_id',
+  'traceid',
+  'trace_id',
+  'requestid',
+  'request_id',
+  'installid',
+  'install_id',
+  'visitorsessionid',
+  'visitor_session_id',
+  'toolinput',
+  'tool_input',
+]);
+
+const TRANSPORT_WORDS = new Set([
+  ...TRANSPORT_KEYS,
+  'hook',
+  'event',
+  'userpromptsubmit',
+  'user_prompt_submit',
+  'pretooluse',
+  'pre_tool_use',
+  'posttooluse',
+  'post_tool_use',
+  'claude',
+  'codex',
+  'projects',
+  'redacted',
+  'tmp',
+  'private',
+  'folders',
+  'json',
+]);
+
+function stripEphemeralText(text) {
+  if (!text || typeof text !== 'string') return '';
+  return String(text)
+    .replace(/["']?(?:hook_?event_?name|session_?id|transcript_?path|timestamp|created_?at|updated_?at|cwd|pid|process_?id|prompt_?id|trace_?id|request_?id|install_?id|visitor_?session_?id)["']?\s*[:=]\s*["']?[^"',}\]\s]+["']?/gi, ' ')
+    .replace(/\/(?:private\/)?tmp\/[^\s"',}\]]+/gi, ' ')
+    .replace(/\/var\/folders\/[^\s"',}\]]+/gi, ' ')
+    .replace(/\/Users\/[^/\s]+\/\.(?:claude|codex|thumbgate)\/[^\s"',}\]]+/gi, ' ')
+    .replace(/\/Users\/[^/\s]+\/\.config\/thumbgate\/[^\s"',}\]]+/gi, ' ')
+    .replace(/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/gi, ' ')
+    .replace(/\b[0-9a-f]{24,}\b/gi, ' ')
+    .replace(/\b\d{4}-\d{2}-\d{2}t\d{2}:\d{2}:\d{2}(?:\.\d+)?z?\b/gi, ' ')
+    .replace(/\b\d{10,13}\b/g, ' ')
+    .replace(/:\d{4,5}\b/g, ':PORT');
+}
+
+function transportWordsOnly(text) {
+  const tokens = String(text || '')
+    .toLowerCase()
+    .replace(/[^a-z0-9_ -]/g, ' ')
+    .split(/\s+/)
+    .filter((token) => token.length >= 3);
+  if (tokens.length === 0) return true;
+  return tokens.every((token) => TRANSPORT_WORDS.has(token));
+}
+
+function sanitizeFeedbackText(text) {
+  const stripped = stripEphemeralText(text)
+    .replace(/\/Users\/[^\s/]+/g, '/Users/redacted')
+    .replace(/\s+/g, ' ')
+    .trim();
+  if (transportWordsOnly(stripped)) return '';
+  return stripped;
+}
+
+function actionFingerprint(parts) {
+  const raw = Array.isArray(parts) ? parts.join(' ') : String(parts || '');
+  const stable = sanitizeFeedbackText(raw)
+    .toLowerCase()
+    .replace(/[^a-z0-9._:/ -]/g, ' ')
+    .replace(/\s+/g, ' ')
+    .trim();
+  if (!stable || transportWordsOnly(stable)) return null;
+  return crypto.createHash('sha256').update(stable).digest('hex').slice(0, 16);
+}
+
+module.exports = {
+  TRANSPORT_WORDS,
+  sanitizeFeedbackText,
+  actionFingerprint,
+  transportWordsOnly,
+};