thumbgate 1.26.8 → 1.27.3

package/scripts/hybrid-feedback-context.js

@@ -18,6 +18,11 @@ const fs = require('fs');
 const path = require('path');
 const { resolveFeedbackDir } = require('./feedback-paths');
 const { readJsonl } = require('./fs-utils');
+const {
+  TRANSPORT_WORDS,
+  sanitizeFeedbackText,
+  transportWordsOnly,
+} = require('./feedback-sanitizer');
 
 // ---------------------------------------------------------------------------
 // Paths
@@ -51,6 +56,7 @@ const STOPWORDS = new Set([
   'has', 'had', 'not', 'but', 'they', 'you', 'can', 'will', 'all', 'any',
   'one', 'its', 'our', 'also', 'more', 'very', 'just', 'into', 'been',
   'bash', 'edit', 'write', 'tool', 'hook', 'clear',
+  ...TRANSPORT_WORDS,
 ]);
 
 const NEG = new Set([
@@ -74,7 +80,7 @@ const HYBRID_JSONL_READ_LIMIT = 400;
  */
 function normalize(text) {
   if (!text || typeof text !== 'string') return '';
-  return text
+  return sanitizeFeedbackText(text)
     .replace(/\/Users\/[^\s/]+/g, '/Users/redacted')
     .replace(/:\d{4,5}\b/g, ':PORT')
     .toLowerCase()
@@ -97,7 +103,9 @@ function stripFeedbackPrefix(text) {
  * Compose normalize + stripFeedbackPrefix.
  */
 function normalizePatternText(text) {
-  return normalize(stripFeedbackPrefix(text));
+  const normalized = normalize(stripFeedbackPrefix(text));
+  if (transportWordsOnly(normalized)) return '';
+  return normalized;
 }
 
 /**
@@ -125,6 +133,104 @@ function classify(entry) {
   return 'neutral';
 }
 
+function isHookPromptEnvelope(context) {
+  if (!context || typeof context !== 'string') return false;
+  try {
+    const parsed = JSON.parse(context);
+    if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) return false;
+    return Boolean(
+      parsed.prompt &&
+      (
+        parsed.hookEventName ||
+        parsed.hook_event_name ||
+        parsed.workspaceRoot ||
+        parsed.workspace_root ||
+        parsed.session_id ||
+        parsed.sessionId ||
+        parsed.transcript_path ||
+        parsed.transcriptPath
+      )
+    );
+  } catch (_) {
+    return false;
+  }
+}
+
+function patternContext(entry) {
+  const context = entry && entry.context ? String(entry.context) : '';
+  if (!context) return '';
+  const hasExplicitFeedback = Boolean(
+    entry.whatWentWrong ||
+    entry.what_went_wrong ||
+    entry.whatToChange ||
+    entry.what_to_change ||
+    entry.failureType ||
+    (Array.isArray(entry.tags) && entry.tags.length > 0) ||
+    entry.structuredRule
+  );
+  if (isHookPromptEnvelope(context) && !hasExplicitFeedback) return '';
+  if (isHookPromptEnvelope(context) && hasExplicitFeedback) {
+    return '';
+  }
+  return context;
+}
+
+/**
+ * Check if the feedback entry is an automated enforcement log (e.g. from gates engine)
+ * rather than real developer/user feedback.
+ */
+function isAutomatedFeedback(entry) {
+  const tags = entry.tags || [];
+  if (tags.includes('auto-capture') || tags.includes('gates-engine') || tags.includes('audit-trail')) {
+    return true;
+  }
+  const context = String(entry.context || entry.whatWentWrong || '').toLowerCase();
+  return context.includes('gate "') || context.includes('blocked tool') || context.includes('warned tool');
+}
+
+
+function isHookPromptEnvelope(context) {
+  if (!context || typeof context !== 'string') return false;
+  try {
+    const parsed = JSON.parse(context);
+    if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) return false;
+    return Boolean(
+      parsed.prompt &&
+      (
+        parsed.hookEventName ||
+        parsed.hook_event_name ||
+        parsed.workspaceRoot ||
+        parsed.workspace_root ||
+        parsed.session_id ||
+        parsed.sessionId ||
+        parsed.transcript_path ||
+        parsed.transcriptPath
+      )
+    );
+  } catch (_) {
+    return false;
+  }
+}
+
+function patternContext(entry) {
+  const context = entry && entry.context ? String(entry.context) : '';
+  if (!context) return '';
+  const hasExplicitFeedback = Boolean(
+    entry.whatWentWrong ||
+    entry.what_went_wrong ||
+    entry.whatToChange ||
+    entry.what_to_change ||
+    entry.failureType ||
+    (Array.isArray(entry.tags) && entry.tags.length > 0) ||
+    entry.structuredRule
+  );
+  if (isHookPromptEnvelope(context) && !hasExplicitFeedback) return '';
+  if (isHookPromptEnvelope(context) && hasExplicitFeedback) {
+    return '';
+  }
+  return context;
+}
+
 /**
  * Extract ms from a timestamp value. Returns 0 on failure.
  */
@@ -212,13 +318,15 @@ function buildHybridState(opts) {
     if (cls === 'positive') positive++;
     if (cls === 'negative') {
       negative++;
-      // Track tool-level negative counts
-      const toolName = inferToolName(entry.toolName || entry.tool_name || 'unknown', entry.context || '');
-      toolNegatives[toolName] = (toolNegatives[toolName] || 0) + 1;
+      // Track tool-level negative counts (exclude automated gate logs)
+      if (!isAutomatedFeedback(entry)) {
+        const toolName = inferToolName(entry.toolName || entry.tool_name || 'unknown', entry.context || '');
+        toolNegatives[toolName] = (toolNegatives[toolName] || 0) + 1;
+      }
 
       // Build pattern from context / whatWentWrong / what_went_wrong
       const rawText = [
-        entry.context || '',
+        patternContext(entry),
         entry.whatWentWrong || entry.what_went_wrong || '',
         entry.whatToChange || entry.what_to_change || '',
         entry.failureType || '',
@@ -254,11 +362,13 @@ function buildHybridState(opts) {
 
   // Process attributed feedback separately to track attributed tool counts
   for (const entry of attributedEntries) {
+    if (classify(entry) !== 'negative') continue; // skip pruned/positive
+    if (isAutomatedFeedback(entry)) continue; // skip automated gate blocks
     const toolName = inferToolName(entry.toolName || entry.tool_name || entry.attributed_tool || 'unknown', entry.context || '');
     toolNegativesAttributed[toolName] = (toolNegativesAttributed[toolName] || 0) + 1;
 
     const rawText = [
-      entry.context || '',
+      patternContext(entry),
       entry.whatWentWrong || entry.what_went_wrong || '',
       ...(Array.isArray(entry.tags) ? entry.tags : []),
       ...(entry.richContext && Array.isArray(entry.richContext.filePaths) ? entry.richContext.filePaths : []),
@@ -626,6 +736,29 @@ function evaluatePretool(toolName, toolInput, opts) {
   return evaluatePretoolFromState(state, toolName, toolInput);
 }
 
+// Claw-style agent support (high-ROI for EnterpriseClaw / OpenShell agents from Automation Anywhere / Nvidia)
+// Extends hybrid context for claw_action_type (file, screen, dynamic-tool, orchestration), agent_identity, hybrid_route.
+// Use in evaluatePretool calls from claw-aware MCP/hooks: pass {clawContext: {actionType: 'dynamic-tool-creation', agentId: '...', route: 'local/cloud'}} in opts.
+function evaluateClawPretool(toolName, toolInput, clawContext, opts) {
+  const o = opts || {};
+  const claw = clawContext || {};
+  // Merge claw metadata into toolInput for gate evaluation (so templates like block-dynamic-tool-creation can match)
+  const enrichedInput = {
+    ...(typeof toolInput === 'object' ? toolInput : { raw: toolInput }),
+    _claw: {
+      actionType: claw.actionType || 'unknown',
+      agentId: claw.agentId || 'unknown',
+      hybridRoute: claw.hybridRoute || 'unknown',
+      screenInteraction: !!claw.screenInteraction,
+      fileAccess: !!claw.fileAccess,
+    }
+  };
+  const result = evaluatePretool(toolName, JSON.stringify(enrichedInput), o);
+  // Tag result with claw metadata for logging/feedback
+  result.clawContext = claw;
+  return result;
+}
+
 // ---------------------------------------------------------------------------
 // CLI main()
 // ---------------------------------------------------------------------------
@@ -674,6 +807,7 @@ function main() {
 module.exports = {
   buildHybridState,
   evaluatePretool,
+  evaluateClawPretool,
   compileGuardArtifact,
   writeGuardArtifact,
   readGuardArtifact,

package/scripts/memory-scope-readiness.js

@@ -2,6 +2,38 @@
 'use strict';
 
 const REQUIRED_SCOPE_FIELDS = ['entityId', 'projectId', 'processId', 'sessionId'];
+const MEMORY_OS_LAYERS = Object.freeze([
+  {
+    id: 'file_layer',
+    name: 'File Layer',
+    purpose: 'Raw feedback, tool receipts, sessions, and memory rows are durably stored before interpretation.',
+  },
+  {
+    id: 'vector_db_layer',
+    name: 'Vector DB Layer',
+    purpose: 'Semantic retrieval can find related lessons without stuffing every raw memory into context.',
+  },
+  {
+    id: 'structured_facts_layer',
+    name: 'Structured Facts Layer',
+    purpose: 'Confirmed account, project, policy, and budget facts are typed separately from fuzzy memories.',
+  },
+  {
+    id: 'auto_curation_layer',
+    name: 'Auto Curation Layer',
+    purpose: 'Duplicate, stale, contradictory, and unscoped memories are consolidated before retrieval quality decays.',
+  },
+  {
+    id: 'context_layer',
+    name: 'Context Layer',
+    purpose: 'Only relevant scoped memories enter a given tool call, PR, deployment, or support session.',
+  },
+  {
+    id: 'interface_layer',
+    name: 'Interface Layer',
+    purpose: 'The memory contract is exposed through CLI, MCP, hooks, dashboards, and agent adapters without model lock-in.',
+  },
+]);
 
 const FIELD_ALIASES = {
   entityId: [
@@ -228,6 +260,128 @@ function buildRecommendations({ unscopedRecords, crossScopeDuplicates }) {
   return recommendations;
 }
 
+function hasEmbeddingEvidence(record = {}) {
+  return Boolean(
+    record.embedding
+    || record.vector
+    || record.embeddingId
+    || record.metadata?.embedding
+    || record.metadata?.embeddingId
+    || record.metadata?.vectorId
+    || record.semanticKey
+    || record.metadata?.semanticKey
+  );
+}
+
+function hasStructuredFactEvidence(record = {}) {
+  const type = String(record.type || record.kind || record.memoryType || record.metadata?.type || '').toLowerCase();
+  return type === 'fact'
+    || type === 'structured_fact'
+    || Boolean(record.factKey || record.fact || record.metadata?.factKey || record.metadata?.fact);
+}
+
+function hasContextEvidence(record = {}) {
+  return Boolean(
+    record.contextPackId
+    || record.contextPack
+    || record.metadata?.contextPackId
+    || record.metadata?.contextPack
+    || record.retrievalQuery
+    || record.metadata?.retrievalQuery
+  );
+}
+
+function boolCapability(capabilities = {}, ...keys) {
+  return keys.some((key) => capabilities[key] === true);
+}
+
+function buildMemoryOsLayerReport(records = [], capabilities = {}) {
+  const scopeReport = buildMemoryScopeReadinessReport(records);
+  const semanticRecords = records.filter(hasEmbeddingEvidence);
+  const structuredFactRecords = records.filter(hasStructuredFactEvidence);
+  const contextRecords = records.filter(hasContextEvidence);
+  const curationReady = scopeReport.unscopedRecords === 0 && scopeReport.crossScopeDuplicates.length === 0;
+
+  const checks = [
+    {
+      id: 'file_layer',
+      ok: records.length > 0 || boolCapability(capabilities, 'rawStorage', 'fileLayer'),
+      evidence: {
+        records: records.length,
+        durableStore: Boolean(records.length > 0 || capabilities.rawStorage || capabilities.fileLayer),
+      },
+      recommendation: 'Capture raw feedback, action receipts, and tool outcomes before promoting memories.',
+    },
+    {
+      id: 'vector_db_layer',
+      ok: semanticRecords.length > 0 || boolCapability(capabilities, 'semanticSearch', 'vectorDbLayer'),
+      evidence: {
+        semanticRecords: semanticRecords.length,
+        semanticSearch: Boolean(capabilities.semanticSearch || capabilities.vectorDbLayer),
+      },
+      recommendation: 'Index lessons with semantic keys or embeddings so related failures are retrieved before action.',
+    },
+    {
+      id: 'structured_facts_layer',
+      ok: structuredFactRecords.length > 0 || boolCapability(capabilities, 'structuredFacts', 'structuredFactsLayer'),
+      evidence: {
+        structuredFactRecords: structuredFactRecords.length,
+        structuredFacts: Boolean(capabilities.structuredFacts || capabilities.structuredFactsLayer),
+      },
+      recommendation: 'Store confirmed customer, project, policy, and budget facts as typed records, not just prose.',
+    },
+    {
+      id: 'auto_curation_layer',
+      ok: curationReady && boolCapability(capabilities, 'autoCuration', 'dedupe', 'autoCurationLayer'),
+      evidence: {
+        unscopedRecords: scopeReport.unscopedRecords,
+        crossScopeDuplicates: scopeReport.crossScopeDuplicates.length,
+        autoCuration: Boolean(capabilities.autoCuration || capabilities.dedupe || capabilities.autoCurationLayer),
+      },
+      recommendation: 'Run dedupe, contradiction, stale-memory, and scope-isolation checks before memories can become gates.',
+    },
+    {
+      id: 'context_layer',
+      ok: contextRecords.length > 0 || boolCapability(capabilities, 'contextPacks', 'contextLayer', 'scopedRetrieval'),
+      evidence: {
+        contextRecords: contextRecords.length,
+        scopedRetrieval: Boolean(capabilities.contextPacks || capabilities.contextLayer || capabilities.scopedRetrieval),
+      },
+      recommendation: 'Inject scoped context packs per task instead of loading every memory into the model window.',
+    },
+    {
+      id: 'interface_layer',
+      ok: boolCapability(capabilities, 'mcp', 'cli', 'hooks', 'dashboard', 'interfaceLayer'),
+      evidence: {
+        cli: Boolean(capabilities.cli),
+        mcp: Boolean(capabilities.mcp),
+        hooks: Boolean(capabilities.hooks),
+        dashboard: Boolean(capabilities.dashboard),
+      },
+      recommendation: 'Expose the same memory contract through CLI, MCP, hooks, dashboard, and agent adapters.',
+    },
+  ].map((check) => {
+    const layer = MEMORY_OS_LAYERS.find((candidate) => candidate.id === check.id);
+    return {
+      ...layer,
+      ...check,
+    };
+  });
+
+  const missingLayers = checks.filter((check) => !check.ok).map((check) => check.id);
+
+  return {
+    ready: missingLayers.length === 0,
+    riskLevel: missingLayers.length === 0 ? 'low' : missingLayers.length <= 2 ? 'medium' : 'high',
+    layers: checks,
+    missingLayers,
+    scopeReport,
+    recommendations: checks
+      .filter((check) => !check.ok)
+      .map((check) => check.recommendation),
+  };
+}
+
 function selectRecordsForScope(records = [], requestedScope = {}, options = {}) {
   const requested = normalizeScope(requestedScope);
   const requestedKey = memoryScopeKey(requested);
@@ -265,6 +419,7 @@ function buildMemoriStyleBenchmarkRecords() {
       projectId: 'thumbgate',
       processId: 'agent-a',
       sessionId: 'session-1',
+      metadata: { semanticKey: 'checkout-readiness', contextPackId: 'checkout-pro' },
       content: 'Use the paid sprint checklist before changing checkout code.',
     },
     {
@@ -298,14 +453,18 @@ function buildMemoriStyleBenchmarkRecords() {
       processId: 'agent-a',
       sessionId: 'session-1',
       visibility: 'shared',
+      type: 'fact',
+      factKey: 'checkout.mutation_policy',
       content: 'Shared rule: checkout mutations require audit evidence.',
     },
   ];
 }
 
 module.exports = {
+  MEMORY_OS_LAYERS,
   REQUIRED_SCOPE_FIELDS,
   buildMemoriStyleBenchmarkRecords,
+  buildMemoryOsLayerReport,
   buildMemoryScopeReadinessReport,
   isSharedMemory,
   memoryScopeKey,

package/scripts/oss-pr-opportunity-scout.js

@@ -8,6 +8,7 @@ const DEFAULT_PACKAGE_PATH = path.join(__dirname, '..', 'package.json');
 const DEFAULT_OUTPUT_DIR = path.join(__dirname, '..', 'docs', 'marketing');
 const KNOWN_REPOS = Object.freeze({
   '@anthropic-ai/sdk': 'anthropics/anthropic-sdk-typescript',
+  '@modelcontextprotocol/sdk': 'modelcontextprotocol/typescript-sdk',
   '@google/genai': 'googleapis/js-genai',
   '@huggingface/transformers': 'huggingface/transformers.js',
   '@lancedb/lancedb': 'lancedb/lancedb',
@@ -23,6 +24,24 @@ const KNOWN_REPOS = Object.freeze({
   undici: 'nodejs/undici',
 });
 
+// Communities where ThumbGate's buyers live even though they are not npm
+// dependencies. ThumbGate ships an MCP server, so the Model Context Protocol
+// repos are the single highest-ROI ecosystem to contribute to — but the
+// dependency-scan above would never surface them. These are always scouted on
+// the default (no explicit --dependencies) path, de-duped against package.json.
+const STRATEGIC_DEPENDENCIES = Object.freeze([
+  '@modelcontextprotocol/sdk', // MCP TypeScript SDK — the protocol ThumbGate implements
+  'modelcontextprotocol/servers', // MCP servers ecosystem — where MCP authors (our buyers) collaborate
+]);
+
+// Honest, repo-accurate framing for the outreach draft. ThumbGate does not
+// `import` these — it implements the protocol — so the generic "while using X"
+// line would be a false claim. Keep drafts truthful (CEO honesty rule).
+const RELATIONSHIP_OVERRIDES = Object.freeze({
+  '@modelcontextprotocol/sdk': 'building ThumbGate as an MCP server against the Model Context Protocol spec',
+  'modelcontextprotocol/servers': 'building and testing ThumbGate as an MCP server alongside the reference MCP servers',
+});
+
 const BOUNTY_KEYWORDS = [
   'bug bounty',
   'bounty',
@@ -70,7 +89,10 @@ function dependencyNames(pkg = {}) {
 }
 
 function repoFromDependency(name) {
-  return KNOWN_REPOS[name] || '';
+  if (KNOWN_REPOS[name]) return KNOWN_REPOS[name];
+  // A strategic identifier may itself be an "owner/repo" slug (not an npm name).
+  if (!name.startsWith('@') && /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/.test(name)) return name;
+  return '';
 }
 
 function buildIssueSearchQueries(repo) {
@@ -89,14 +111,18 @@ function scoreOpportunity(depName, repo, options = {}) {
     score += 20;
     reasons.push('known upstream repository');
   }
-  if (/sdk|genai|stripe|playwright|lancedb|transformers|sqlite|undici/i.test(depName)) {
+  if (/sdk|genai|stripe|playwright|lancedb|transformers|sqlite|undici|mcp|modelcontext/i.test(depName)) {
     score += 20;
     reasons.push('high product adjacency for agent tooling');
   }
-  if (/anthropic|google|huggingface|stripe|microsoft|nodejs/i.test(repo)) {
+  if (/anthropic|google|huggingface|stripe|microsoft|nodejs|modelcontextprotocol/i.test(repo)) {
     score += 15;
     reasons.push('large ecosystem visibility');
   }
+  if (/modelcontext|mcp/i.test(depName) || /modelcontextprotocol/i.test(repo)) {
+    score += 12;
+    reasons.push("ThumbGate's own protocol surface — buyers are MCP authors");
+  }
   if (options.includeBounties) {
     score += 10;
     reasons.push('bounty search enabled');
@@ -138,7 +164,7 @@ function buildOpportunity(depName, options = {}) {
       'no bounty, security, or maintainer-policy claim without source link',
     ],
     outreachDraft: repo
-      ? `I found this while using ${depName} in ThumbGate. I reproduced the issue, added a minimal fix with tests, and kept the PR scoped to the maintainer's issue.`
+      ? `I found this while ${RELATIONSHIP_OVERRIDES[depName] || `using ${depName} in ThumbGate`}. I reproduced the issue, added a minimal fix with tests, and kept the PR scoped to the maintainer's issue.`
       : '',
   };
 }
@@ -149,7 +175,9 @@ function buildOssPrOpportunityScoutPlan(rawOptions = {}) {
   const explicitDeps = splitList(rawOptions.dependencies || rawOptions.deps);
   const includeBounties = rawOptions.includeBounties !== false && rawOptions['include-bounties'] !== false;
   const maxRepos = Math.max(1, Number.parseInt(String(rawOptions.maxRepos || rawOptions['max-repos'] || 12), 10) || 12);
-  const deps = explicitDeps.length ? explicitDeps : dependencyNames(pkg);
+  const deps = explicitDeps.length
+    ? explicitDeps
+    : [...new Set([...dependencyNames(pkg), ...STRATEGIC_DEPENDENCIES])];
   const opportunities = deps
     .map((dep) => buildOpportunity(dep, { includeBounties }))
     .filter((opportunity) => opportunity.repo)
@@ -223,6 +251,8 @@ function writeOssPrOpportunityScoutPack(outputDir = DEFAULT_OUTPUT_DIR, options
 
 module.exports = {
   KNOWN_REPOS,
+  STRATEGIC_DEPENDENCIES,
+  RELATIONSHIP_OVERRIDES,
   buildIssueSearchQueries,
   buildOpportunity,
   buildOssPrOpportunityScoutPlan,