thumbgate 1.26.8 → 1.27.3

package/src/api/server.js

@@ -96,6 +96,9 @@ const {
 const {
   recordCheckoutFunnelEvent,
 } = require('../../scripts/plausible-server-events');
+const {
+  resolvePlausibleDataDomain,
+} = require('../../scripts/plausible-domain-config');
 const {
   buildCloudflareSandboxPlan,
 } = require('../../scripts/cloudflare-dynamic-sandbox');
@@ -221,6 +224,7 @@ const PRO_PAGE_PATH = path.resolve(__dirname, '../../public/pro.html');
 const DASHBOARD_PAGE_PATH = path.resolve(__dirname, '../../public/dashboard.html');
 const LESSONS_PAGE_PATH = path.resolve(__dirname, '../../public/lessons.html');
 const GUIDE_PAGE_PATH = path.resolve(__dirname, '../../public/guide.html');
+const CHATGPT_APP_PAGE_PATH = path.resolve(__dirname, '../../public/chatgpt-app.html');
 const CODEX_PLUGIN_PAGE_PATH = path.resolve(__dirname, '../../public/codex-plugin.html');
 const COMPARE_PAGE_PATH = path.resolve(__dirname, '../../public/compare.html');
 const LEARN_PAGE_PATH = path.resolve(__dirname, '../../public/learn.html');
@@ -674,6 +678,51 @@ function resolveRequestProjectDir(req, parsed) {
   });
 }
 
+function debugApiFallback(label, error) {
+  if (process.env.THUMBGATE_DEBUG_API !== '1') return;
+  console.warn(`[api] ${label}: ${error?.message || String(error)}`);
+}
+
+function stripEnvQuotes(value) {
+  return String(value || '').trim().replace(/^["']|["']$/g, '');
+}
+
+function extractEnvValue(content, names) {
+  const pattern = new RegExp(`^(?:${names.join('|')})=(.*)$`, 'm');
+  const match = pattern.exec(content);
+  return match ? stripEnvQuotes(match[1]) : '';
+}
+
+function readProjectChatSettings(req, parsed) {
+  const settings = {
+    geminiKey: '',
+    perplexityKey: '',
+    localEndpoint: '',
+    localModel: '',
+    geminiValidatedAt: null,
+  };
+  try {
+    const projectDir = resolveRequestProjectDir(req, parsed);
+    const envPath = path.join(projectDir, '.env');
+    if (fs.existsSync(envPath)) {
+      const content = fs.readFileSync(envPath, 'utf8');
+      settings.geminiKey = extractEnvValue(content, ['GEMINI_API_KEY', 'GOOGLE_API_KEY', 'THUMBGATE_GEMINI_API_KEY']);
+      settings.perplexityKey = extractEnvValue(content, ['PERPLEXITY_API_KEY', 'THUMBGATE_PERPLEXITY_API_KEY']);
+      settings.localEndpoint = extractEnvValue(content, ['THUMBGATE_LOCAL_LLM_ENDPOINT']);
+      settings.localModel = extractEnvValue(content, ['THUMBGATE_LOCAL_LLM_MODEL']);
+    }
+
+    const statusPath = path.join(projectDir, '.gemini-validated.json');
+    if (fs.existsSync(statusPath)) {
+      const status = JSON.parse(fs.readFileSync(statusPath, 'utf8'));
+      settings.geminiValidatedAt = status.validatedAt || null;
+    }
+  } catch (error) {
+    debugApiFallback('project chat settings unavailable', error);
+  }
+  return settings;
+}
+
 function shouldPreferProjectScopedFeedback(req, parsed) {
   const explicitProject = getEffectiveRequestedProjectSelection(req, parsed);
   if (explicitProject) return true;
@@ -1451,7 +1500,7 @@ async function loadLiveDashboardDataOrRespondProblem(res, parsed, feedbackDir, i
   }
 }
 
-function buildEnterpriseDialogflowStatus(env = process.env) {
+function buildEnterpriseDataChatStatus(env = process.env) {
   const vertexProject = normalizeNullableText(env.VERTEX_PROJECT_ID)
     || normalizeNullableText(env.GOOGLE_VERTEX_PROJECT);
   const vertexLocation = normalizeNullableText(env.GOOGLE_VERTEX_LOCATION)
@@ -1483,12 +1532,16 @@ function buildEnterpriseDialogflowStatus(env = process.env) {
     },
     chat: {
       available: true,
-      source: 'local ThumbGate dashboard data',
-      guard: 'DFCX-compatible pre-action gate adapter',
+      source: 'local ThumbGate dashboard data with LanceDB-backed retrieval',
+      guard: 'local data-access guard; DFCX adapter optional for customer Dialogflow deployments',
+      providerRequired: false,
+      localLlmEndpointConfigured: Boolean(normalizeNullableText(env.THUMBGATE_LOCAL_LLM_ENDPOINT)),
     },
   };
 }
 
+const buildEnterpriseDialogflowStatus = buildEnterpriseDataChatStatus;
+
 function normalizeEnterpriseChatPrompt(value) {
   const text = normalizeNullableText(value);
   if (!text) return null;
@@ -1514,60 +1567,116 @@ function compactNumber(value) {
   return Number.isFinite(n) ? n : 0;
 }
 
-function buildEnterpriseChatAnswer(prompt, dashboardData, status) {
-  const topic = classifyEnterpriseChatTopic(prompt);
+function buildEnterpriseChatSection(topic, dashboardData, status) {
   const approval = dashboardData.approval || {};
   const gates = Array.isArray(dashboardData.gates) ? dashboardData.gates : [];
   const gateStats = dashboardData.gateStats || {};
   const team = dashboardData.team || {};
   const tokenSavings = dashboardData.tokenSavings || {};
   const lessonPipeline = dashboardData.lessonPipeline || {};
-  const lines = [];
-  const sources = ['local dashboard data'];
 
   if (topic === 'feedback') {
-    lines.push(`Feedback total: ${compactNumber(approval.total)} (${compactNumber(approval.positive)} positive, ${compactNumber(approval.negative)} negative).`);
-    lines.push(`Lesson pipeline: ${compactNumber(lessonPipeline.lessons || lessonPipeline.generated || 0)} lessons visible in the current dashboard snapshot.`);
-    sources.push('feedback log', 'lesson pipeline');
-  } else if (topic === 'gates') {
-    lines.push(`Active gates: ${gates.length || compactNumber(gateStats.totalGates)}.`);
-    lines.push(`Blocked actions recorded: ${compactNumber(gateStats.blocked || gateStats.denied || gateStats.totalBlocked)}.`);
-    if (gates[0]) lines.push(`Example gate: ${gates[0].name || gates[0].id || 'unnamed gate'}.`);
-    sources.push('gate stats');
-  } else if (topic === 'team') {
-    lines.push(`Team dashboard is available in this local Enterprise view.`);
-    lines.push(`Tracked agents: ${compactNumber(team.totalAgents || team.agentCount || 0)}; risky agents: ${compactNumber(team.riskyAgents || team.highRiskAgents || 0)}.`);
-    sources.push('team dashboard');
-  } else if (topic === 'cost') {
-    lines.push(`Estimated token savings: ${tokenSavings.dollarsSavedDisplay || '$0.00'} from ${compactNumber(tokenSavings.blockedCalls)} blocked calls.`);
-    lines.push('Google Cloud budget alerts are evidence for spend visibility; ThumbGate-side stop conditions must be verified separately before calling them a hard cap.');
-    sources.push('token savings', 'budget posture');
-  } else if (topic === 'cloud') {
-    lines.push(status.vertex.configured
+    return {
+      lines: [
+        `Feedback total: ${compactNumber(approval.total)} (${compactNumber(approval.positive)} positive, ${compactNumber(approval.negative)} negative).`,
+        `Lesson pipeline: ${compactNumber(lessonPipeline.lessons || lessonPipeline.generated || 0)} lessons visible in the current dashboard snapshot.`,
+      ],
+      sources: ['feedback log', 'lesson pipeline'],
+    };
+  }
+  if (topic === 'gates') {
+    return {
+      lines: [
+        `Active gates: ${gates.length || compactNumber(gateStats.totalGates)}.`,
+        `Blocked actions recorded: ${compactNumber(gateStats.blocked || gateStats.denied || gateStats.totalBlocked)}.`,
+        gates[0] ? `Example gate: ${gates[0].name || gates[0].id || 'unnamed gate'}.` : '',
+      ].filter(Boolean),
+      sources: ['gate stats'],
+    };
+  }
+  if (topic === 'team') {
+    return {
+      lines: [
+        'Team dashboard is available in this local Enterprise view.',
+        `Tracked agents: ${compactNumber(team.totalAgents || team.agentCount || 0)}; risky agents: ${compactNumber(team.riskyAgents || team.highRiskAgents || 0)}.`,
+      ],
+      sources: ['team dashboard'],
+    };
+  }
+  if (topic === 'cost') {
+    return {
+      lines: [
+        `Estimated token savings: ${tokenSavings.dollarsSavedDisplay || '$0.00'} from ${compactNumber(tokenSavings.blockedCalls)} blocked calls.`,
+        'Google Cloud budget alerts are evidence for spend visibility; ThumbGate-side stop conditions must be verified separately before calling them a hard cap.',
+      ],
+      sources: ['token savings', 'budget posture'],
+    };
+  }
+  if (topic === 'cloud') {
+    const vertexLine = status.vertex.configured
       ? `Vertex routing config is present for project ${status.vertex.projectId} (${status.vertex.location}).`
-      : 'Vertex routing config is not present in this server environment.');
-    lines.push(status.dfcx.liveAgentConfigured
+      : 'Vertex routing config is not present in this server environment.';
+    const dfcxLine = status.dfcx.liveAgentConfigured
       ? `DFCX env has agent ${status.dfcx.agentId} in ${status.dfcx.location}; verify it with REST/console before production claims.`
-      : 'No live DFCX agent is configured in env. Do not use the old alpha gcloud CX command group; verify agents with the Dialogflow CX REST API or console.');
-    sources.push('enterprise cloud status');
-  } else {
-    lines.push('Ask about feedback, lessons, active gates, team rollout, token savings, or Vertex/DFCX readiness.');
-    lines.push(`Current local snapshot: ${compactNumber(approval.total)} feedback events and ${gates.length || compactNumber(gateStats.totalGates)} active gates.`);
+      : 'No live DFCX agent is configured in env. Do not use the old alpha gcloud CX command group; verify agents with the Dialogflow CX REST API or console.';
+    return {
+      lines: [vertexLine, dfcxLine],
+      sources: ['enterprise cloud status'],
+    };
   }
+  return {
+    lines: [
+      'Ask about feedback, lessons, active gates, team rollout, token savings, or Vertex/DFCX readiness.',
+      `Current local snapshot: ${compactNumber(approval.total)} feedback events and ${gates.length || compactNumber(gateStats.totalGates)} active gates.`,
+    ],
+    sources: [],
+  };
+}
+
+function buildEnterpriseChatAnswer(prompt, dashboardData, status) {
+  const topic = classifyEnterpriseChatTopic(prompt);
+  const section = buildEnterpriseChatSection(topic, dashboardData, status);
 
   return {
     topic,
-    answer: lines.join(' '),
-    sources,
+    answer: section.lines.join(' '),
+    sources: ['local dashboard data', ...section.sources],
   };
 }
 
-async function answerEnterpriseDialogflowChat({ prompt, feedbackDir, parsed }) {
+// Answer the dashboard "Chat with your data" panel LOCALLY (deterministic, no
+// cloud/LLM) from this install's own per-project dashboard data. Returns true if
+// it sent a response; false if the local snapshot was unavailable (caller then
+// falls through). Shared by the local-first path and the no-model fallback.
+async function trySendLocalDashboardChat(res, parsed, feedbackDir, prompt, suffix) {
+  try {
+    const dashboardResult = await buildLiveDashboardData(parsed, feedbackDir);
+    const localChat = buildEnterpriseChatAnswer(
+      prompt,
+      dashboardResult.data,
+      buildEnterpriseDataChatStatus(),
+    );
+    sendJson(res, 200, {
+      ok: true,
+      answer: suffix ? `${localChat.answer} ${suffix}` : localChat.answer,
+      sources: (localChat.sources || []).map((title) => ({ title })),
+      topic: localChat.topic,
+      provider: 'local-data',
+      llm: 'none',
+      grounded: true,
+    });
+    return true;
+  } catch (_) {
+    return false;
+  }
+}
+
+async function answerEnterpriseDataChat({ prompt, feedbackDir, parsed }) {
   const normalizedPrompt = normalizeEnterpriseChatPrompt(prompt);
   if (!normalizedPrompt) {
     throw createHttpError(400, 'prompt is required');
   }
-  const status = buildEnterpriseDialogflowStatus();
+  const status = buildEnterpriseDataChatStatus();
   if (containsUnsafeEnterpriseChatInput(normalizedPrompt)) {
     return {
       ok: false,
@@ -1588,6 +1697,11 @@ async function answerEnterpriseDialogflowChat({ prompt, feedbackDir, parsed }) {
 
   const dashboardResult = await buildLiveDashboardData(parsed, feedbackDir);
   const dashboardData = dashboardResult.data;
+
+  // This guarded stats endpoint stays deterministic for API compatibility.
+  // The dashboard's real local/open-source chatbot turn goes through /v1/chat,
+  // which uses lesson retrieval + optional LanceDB vector search + the user's
+  // configured local or BYO model.
   const chat = buildEnterpriseChatAnswer(normalizedPrompt, dashboardData, status);
   const dfcxRequest = {
     fulfillmentInfo: { tag: 'chat-with-data' },
@@ -1623,6 +1737,8 @@ async function answerEnterpriseDialogflowChat({ prompt, feedbackDir, parsed }) {
   };
 }
 
+const answerEnterpriseDialogflowChat = answerEnterpriseDataChat;
+
 function buildLossAnalyticsResponse(data, summaryOptions) {
   return {
     window: data.analytics.window || summaryOptions,
@@ -1702,8 +1818,9 @@ function buildCheckoutIntentHref(baseUrl, metadata = {}, overrides = {}) {
   });
 }
 
-function renderCheckoutIntentPage() {
-  return `<!doctype html><html lang="en"><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>Confirm — ThumbGate Pro</title><script defer data-domain="thumbgate.ai" src="https://plausible.io/js/script.tagged-events.js"></script><script>window.plausible=window.plausible||function(){(window.plausible.q=window.plausible.q||[]).push(arguments)};</script><style>body{background:#0a0a0a;color:#eee;font-family:system-ui,-apple-system,sans-serif;line-height:1.5}main{max-width:520px;margin:8vh auto;padding:0 20px}.brand{display:flex;align-items:center;gap:10px;margin-bottom:24px;font-size:14px;color:#94a3b8}.brand-mark{width:24px;height:24px;background:#22d3ee;border-radius:6px;display:inline-block}h1{font-size:24px;margin:0 0 8px;color:#fff}.price{font-size:32px;font-weight:700;color:#22d3ee;margin:8px 0 4px}.price small{font-size:14px;color:#94a3b8;font-weight:400}p{color:#cbd5e1;margin:8px 0}form{margin:0}input[type=email]{width:100%;box-sizing:border-box;padding:14px 16px;border:1px solid #374151;border-radius:8px;background:#111827;color:#fff;font-size:15px;margin:16px 0 0;outline:none}input[type=email]:focus{border-color:#22d3ee}input[type=email]::placeholder{color:#64748b}button.primary{background:#22d3ee;color:#000;padding:16px;text-align:center;border-radius:8px;font-weight:700;font-size:16px;margin:10px 0;border:none;cursor:pointer;width:100%}a{display:block;text-decoration:none}a.secondary{border:1px solid #374151;color:#cbd5e1;padding:12px;text-align:center;border-radius:8px;margin:8px 0 0;font-size:14px}.trust{margin:24px 0;padding:16px;border:1px solid #1f2937;border-radius:8px;background:#0f172a}.trust-item{font-size:13px;color:#cbd5e1;padding:4px 0;display:flex;gap:8px}.trust-item::before{content:"✓";color:#22d3ee;font-weight:700}.choice-note{font-size:13px;color:#94a3b8;margin-top:14px}.back{text-align:center;color:#64748b;font-size:12px;margin-top:24px}.back a{color:#64748b;display:inline}.email-note{font-size:12px;color:#64748b;margin:4px 0 0}</style><main><div class="brand"><span class="brand-mark"></span><span>ThumbGate</span></div><h1>Start ThumbGate Pro</h1><div class="price">$19<small>/mo</small></div><p>The npm package runs your gates locally. <strong>Pro</strong> is what keeps them working across every machine, every agent runtime, and every breaking-change week.</p><form action="/checkout/pro" method="GET" data-i="pro_checkout_confirmed"><input type="hidden" name="confirm" value="1"><input type="email" name="customer_email" placeholder="you@company.com" required autocomplete="email"><p class="email-note">Pre-fills your Stripe receipt. We only email if you ask.</p><button type="submit" class="primary">Pay $19/mo with Stripe →</button></form><a class="secondary" data-i="workflow_sprint_intake" href="/#workflow-sprint-intake">Not sure yet? Send the workflow first</a><p class="choice-note">Cancel anytime. 7-day refund, no questions. Diagnostics and sprints have their own pages.</p><div class="trust"><div class="trust-item">Lessons synced across all your machines — no local SQLite to babysit</div><div class="trust-item">Adapter matrix kept current for Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode — version drift is our problem, not yours</div><div class="trust-item">Hosted dashboard: gate stats, DPO export, org-wide rule library</div><div class="trust-item">24×7 ops on the rule engine — SonarCloud regressions fixed in &lt;24h</div></div><p class="back"><a href="/">← Back to thumbgate.ai</a></p></main><script>document.querySelector('form').addEventListener('submit',e=>{if(navigator.sendBeacon)navigator.sendBeacon('/v1/telemetry/ping',new Blob([JSON.stringify({eventType:'checkout_interstitial_cta_clicked',clientType:'web',page:'/checkout/pro',ctaId:'pro_checkout_confirmed',ctaPlacement:'checkout_interstitial',customerEmail:document.querySelector('input[name=customer_email]').value})],{type:'application/json'}));try{window.plausible&&window.plausible('Checkout Pro Email Submitted',{props:{page:'/checkout/pro',source:'interstitial'}})}catch(_){}})</script></html>`;
+function renderCheckoutIntentPage(prefilledEmail = '') {
+  const plausibleDomain = escapeHtmlAttribute(resolvePlausibleDataDomain({ host: 'thumbgate.ai' }));
+  return `<!doctype html><html lang="en"><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>Confirm — ThumbGate Pro</title><script defer data-domain="${plausibleDomain}" src="https://plausible.io/js/script.tagged-events.js"></script><script>window.plausible=window.plausible||function(){(window.plausible.q=window.plausible.q||[]).push(arguments)};</script><style>body{background:#0a0a0a;color:#eee;font-family:system-ui,-apple-system,sans-serif;line-height:1.5}main{max-width:520px;margin:8vh auto;padding:0 20px}.brand{display:flex;align-items:center;gap:10px;margin-bottom:24px;font-size:14px;color:#94a3b8}.brand-mark{width:24px;height:24px;background:#22d3ee;border-radius:6px;display:inline-block}h1{font-size:24px;margin:0 0 8px;color:#fff}.price{font-size:32px;font-weight:700;color:#22d3ee;margin:8px 0 4px}.price small{font-size:14px;color:#94a3b8;font-weight:400}p{color:#cbd5e1;margin:8px 0}form{margin:0}input[type=email]{width:100%;box-sizing:border-box;padding:14px 16px;border:1px solid #374151;border-radius:8px;background:#111827;color:#fff;font-size:15px;margin:16px 0 0;outline:none}input[type=email]:focus{border-color:#22d3ee}input[type=email]::placeholder{color:#64748b}button.primary{background:#22d3ee;color:#000;padding:16px;text-align:center;border-radius:8px;font-weight:700;font-size:16px;margin:10px 0;border:none;cursor:pointer;width:100%}a{display:block;text-decoration:none}a.secondary{border:1px solid #374151;color:#cbd5e1;padding:12px;text-align:center;border-radius:8px;margin:8px 0 0;font-size:14px}.trust{margin:24px 0;padding:16px;border:1px solid #1f2937;border-radius:8px;background:#0f172a}.trust-item{font-size:13px;color:#cbd5e1;padding:4px 0;display:flex;gap:8px}.trust-item::before{content:"✓";color:#22d3ee;font-weight:700}.choice-note{font-size:13px;color:#94a3b8;margin-top:14px}.back{text-align:center;color:#64748b;font-size:12px;margin-top:24px}.back a{color:#64748b;display:inline}.email-note{font-size:12px;color:#64748b;margin:4px 0 0}</style><main><div class="brand"><span class="brand-mark"></span><span>ThumbGate</span></div><h1>Start ThumbGate Pro</h1><div class="price">$19<small>/mo</small></div><p>The npm package runs your gates locally. <strong>Pro</strong> is what keeps them working across every machine, every agent runtime, and every breaking-change week.</p><form action="/checkout/pro" method="GET" data-i="pro_checkout_confirmed"><input type="hidden" name="confirm" value="1"><input type="email" name="customer_email" value="${escapeHtmlAttribute(prefilledEmail)}" placeholder="you@company.com" required autocomplete="email"><p class="email-note">Pre-fills your Stripe receipt. We only email if you ask.</p><button type="submit" class="primary">Pay $19/mo with Stripe →</button></form><a class="secondary" data-i="workflow_sprint_intake" href="/#workflow-sprint-intake">Not sure yet? Send the workflow first</a><p class="choice-note">Cancel anytime. 7-day refund, no questions. Diagnostics and sprints have their own pages.</p><div class="trust"><div class="trust-item">Lessons synced across all your machines — no local SQLite to babysit</div><div class="trust-item">Adapter matrix kept current for Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode — version drift is our problem, not yours</div><div class="trust-item">Hosted dashboard: gate stats, DPO export, org-wide rule library</div><div class="trust-item">24×7 ops on the rule engine — SonarCloud regressions fixed in &lt;24h</div></div><p class="back"><a href="/">← Back to thumbgate.ai</a></p></main><script>document.querySelector('form').addEventListener('submit',e=>{if(navigator.sendBeacon)navigator.sendBeacon('/v1/telemetry/ping',new Blob([JSON.stringify({eventType:'checkout_interstitial_cta_clicked',clientType:'web',page:'/checkout/pro',ctaId:'pro_checkout_confirmed',ctaPlacement:'checkout_interstitial',customerEmail:document.querySelector('input[name=customer_email]').value})],{type:'application/json'}));try{window.plausible&&window.plausible('Checkout Pro Email Submitted',{props:{page:'/checkout/pro',source:'interstitial'}})}catch(_){}})</script></html>`;
 }
 
 function buildCheckoutBootstrapBody(parsed, req, journeyState = resolveJourneyState(req, parsed)) {
@@ -2119,9 +2236,10 @@ function normalizePublicMarketingHtml(html, runtimeConfig) {
   output = output.replaceAll(DEFAULT_PUBLIC_APP_ORIGIN, appOrigin);
   try {
     const host = new URL(appOrigin).host;
+    const plausibleDomain = resolvePlausibleDataDomain({ host });
     output = output.replaceAll(
       'data-domain="thumbgate-production.up.railway.app"',
-      `data-domain="${escapeHtmlAttribute(host)}"`
+      `data-domain="${escapeHtmlAttribute(plausibleDomain)}"`
     );
   } catch {
     // appOrigin is normalized by hosted-config; leave static analytics domains
@@ -2194,6 +2312,10 @@ function readOptionalPublicTemplate(filePath) {
   }
 }
 
+function escapeJsonForInlineScript(value) {
+  return JSON.stringify(value).replaceAll('<', String.raw`\u003c`);
+}
+
 function resolveLocalPageBootstrap(req, expectedApiKey) {
   const forwardedHost = req.headers['x-forwarded-host'];
   const hostHeader = Array.isArray(forwardedHost)
@@ -2202,7 +2324,13 @@ function resolveLocalPageBootstrap(req, expectedApiKey) {
   const localProBootstrap = process.env.THUMBGATE_PRO_MODE === '1' && Boolean(expectedApiKey) && isLoopbackHost(hostHeader);
   const devOverride = expectedApiKey === null && isLoopbackHost(hostHeader);
   const bootstrapActive = localProBootstrap || devOverride;
-  const serializedBootstrapKey = JSON.stringify(localProBootstrap ? expectedApiKey : devOverride ? 'dev-override' : '').replace(/</g, '\\u003c');
+  let bootstrapKey = '';
+  if (localProBootstrap) {
+    bootstrapKey = expectedApiKey;
+  } else if (devOverride) {
+    bootstrapKey = process.env.THUMBGATE_API_KEY || 'dev-override';
+  }
+  const serializedBootstrapKey = escapeJsonForInlineScript(bootstrapKey);
 
   return {
     bootstrapActive,
@@ -2243,7 +2371,7 @@ window.THUMBGATE_DASHBOARD_BOOTSTRAP = { enabled: ${bootstrapActive ? 'true' : '
 <p>This lightweight npm dashboard is bundled without marketing assets, so installs stay small while core feedback, lessons, and API routes remain available.</p>
 <div class="grid">
 <a class="card" href="/v1/dashboard"><strong>Dashboard JSON</strong><span>Inspect feedback totals, lesson counts, and Reliability Gateway health.</span></a>
-<a class="card" href="/v1/enterprise/dialogflow/status"><strong>Enterprise Dialogflow Data Chat</strong><span>Check Vertex/DFCX readiness and use /v1/enterprise/dialogflow/chat to query local ThumbGate data through the DFCX guard.</span></a>
+<a class="card" href="/v1/enterprise/data-chat/status"><strong>Governed Data Chat</strong><span>Local RAG (LanceDB vectors + lessons) over your data plus your LLM. Guard simulation is available; Dialogflow/Vertex are optional adapters for customer-owned agent deployments.</span></a>
 <a class="card" href="/lessons"><strong>Lessons</strong><span>Review remembered thumbs-up/down lessons and enforcement context.</span></a>
 <a class="card" href="/health"><strong>Health</strong><span>Verify the installed package version and runtime status.</span></a>
 </div>
@@ -2323,6 +2451,53 @@ function normalizeLessonSignal(signal) {
   return 'down';
 }
 
+function splitLessonTitlePrefix(titleText) {
+  const prefixMatch = /^(MISTAKE|SUCCESS|LEARNING|PREFERENCE):\s*(.*)/i.exec(titleText);
+  if (!prefixMatch) return { prefix: '', rest: titleText };
+  return {
+    prefix: `${prefixMatch[1].toUpperCase()}: `,
+    rest: prefixMatch[2],
+  };
+}
+
+function maybeParseJsonObject(value) {
+  const trimmed = String(value || '').trim();
+  if (!trimmed.startsWith('{') || !trimmed.endsWith('}')) return null;
+  try {
+    return JSON.parse(trimmed);
+  } catch (error) {
+    debugApiFallback('lesson JSON parse skipped', error);
+    return null;
+  }
+}
+
+function formatLessonJsonTitle(prefix, parsed) {
+  const dirName = parsed.cwd ? parsed.cwd.split('/').pop() : '';
+  const suffix = dirName ? ` inside ${dirName}` : '';
+  if (parsed.prompt) return `${prefix}Prompt "${parsed.prompt}"${suffix}`;
+  const hookVal = parsed.hook_event_name || parsed.hookEventName;
+  if (hookVal) return `${prefix}Hook event ${hookVal}${suffix}`;
+  if (parsed.signal) return `${prefix}${parsed.signal === 'up' ? 'Thumbs Up' : 'Thumbs Down'}${suffix}`;
+  return '';
+}
+
+function cleanLessonTitle(titleText) {
+  if (!titleText) return 'Untitled Lesson';
+  const { prefix, rest } = splitLessonTitlePrefix(titleText);
+  const parsed = maybeParseJsonObject(rest);
+  if (parsed) {
+    const jsonTitle = formatLessonJsonTitle(prefix, parsed);
+    if (jsonTitle) return jsonTitle;
+  }
+  return titleText;
+}
+
+function formatLessonTextValue(value) {
+  if (!value) return '';
+  const parsed = maybeParseJsonObject(value);
+  return parsed ? JSON.stringify(parsed, null, 2) : value;
+}
+
 function renderLessonDetailHtml(record, lessonId) {
   if (!record) {
     return `<!DOCTYPE html><html><head><meta charset="utf-8"><title>Lesson Not Found</title>
@@ -2341,10 +2516,15 @@ a{color:#22d3ee;text-decoration:none}</style></head><body>
   const signal = normalizeLessonSignal(merged.signal);
   const emoji = signal === 'up' ? '👍' : '👎';
   const signalColor = signal === 'up' ? '#4ade80' : '#f87171';
-  const title = merged.title || merged.context || 'Untitled Lesson';
-  const context = merged.context || '';
-  const whatWentWrong = merged.whatWentWrong || '';
-  const whatWorked = merged.whatWorked || '';
+  const rawTitle = merged.title || merged.context || 'Untitled Lesson';
+  const rawContext = merged.context || '';
+  const rawWhatWentWrong = merged.whatWentWrong || '';
+  const rawWhatWorked = merged.whatWorked || '';
+
+  const title = cleanLessonTitle(rawTitle);
+  const context = formatLessonTextValue(rawContext);
+  const whatWentWrong = formatLessonTextValue(rawWhatWentWrong);
+  const whatWorked = formatLessonTextValue(rawWhatWorked);
   const whatToChange = merged.whatToChange || '';
   const tags = Array.isArray(merged.tags) ? merged.tags.join(', ') : (merged.tags || '');
   const timestamp = merged.timestamp ? new Date(merged.timestamp).toLocaleString() : '';
@@ -2742,6 +2922,7 @@ function renderSitemapXml(runtimeConfig) {
     { path: '/pro', changefreq: 'weekly', priority: '0.9' },
     { path: '/agent-manager', changefreq: 'weekly', priority: '0.9' },
     { path: '/llm-context.md', changefreq: 'weekly', priority: '0.8' },
+    { path: '/chatgpt-app', changefreq: 'weekly', priority: '0.85' },
     { path: '/codex-plugin', changefreq: 'weekly', priority: '0.75' },
     { path: '/codex-enterprise', changefreq: 'weekly', priority: '0.85' },
     { path: '/agents-cost-savings', changefreq: 'weekly', priority: '0.85' },
@@ -2749,6 +2930,11 @@ function renderSitemapXml(runtimeConfig) {
     { path: '/learn/background-agent-control-layer', changefreq: 'weekly', priority: '0.85' },
     { path: '/learn/ac-dc-runtime-enforcement', changefreq: 'weekly', priority: '0.85' },
     { path: '/learn/feedback-loop-vs-decision-layer', changefreq: 'weekly', priority: '0.9' },
+    { path: '/learn/agentic-enterprise-context-brain', changefreq: 'weekly', priority: '0.85' },
+    { path: '/learn/deterministic-agent-workflows', changefreq: 'weekly', priority: '0.85' },
+    { path: '/learn/codex-role-plugins-need-governance', changefreq: 'weekly', priority: '0.85' },
+    { path: '/learn/agentic-os-team-governance', changefreq: 'weekly', priority: '0.85' },
+    { path: '/learn/cost-aware-agent-gate-routing', changefreq: 'weekly', priority: '0.85' },
     { path: '/compare/claude-code-hooks', changefreq: 'weekly', priority: '0.85' },
     { path: '/compare/bumblebee', changefreq: 'weekly', priority: '0.85' },
     { path: '/compare/anthropic-containment', changefreq: 'weekly', priority: '0.85' },
@@ -4230,7 +4416,10 @@ function createApiServer() {
           });
           sendJson(res, 200, result);
         } catch (e) {
-          sendJson(res, 500, { error: 'feedback submission failed' });
+          sendJson(res, 500, {
+            error: 'feedback submission failed',
+            message: e?.message || 'Unable to submit dashboard feedback.',
+          });
         }
       });
       return;
@@ -4430,6 +4619,17 @@ function createApiServer() {
       return;
     }
 
+    if (isGetLikeRequest && pathname === '/.well-known/agentic-verify.txt') {
+      const agenticVerifyPath = path.join(__dirname, '..', '..', '.well-known', 'agentic-verify.txt');
+      try {
+        const content = fs.readFileSync(agenticVerifyPath, 'utf8');
+        sendText(res, 200, content, { 'Content-Type': 'text/plain; charset=utf-8', 'Cache-Control': 'public, max-age=3600' }, { headOnly: isHeadRequest });
+      } catch {
+        sendJson(res, 404, { error: 'agentic verification file not found' });
+      }
+      return;
+    }
+
     if (isGetLikeRequest && pathname === '/sitemap.xml') {
       sendText(res, 200, renderSitemapXml(hostedConfig), {
         'Content-Type': 'application/xml; charset=utf-8',
@@ -4742,6 +4942,28 @@ async function addContext(){
       return;
     }
 
+    if (isGetLikeRequest && (
+      pathname === '/chatgpt-app'
+      || pathname === '/chatgpt-app.html'
+      || pathname === '/chatgpt-plugin'
+      || pathname === '/chatgpt-plugin.html'
+    )) {
+      try {
+        servePublicMarketingPage({
+          req,
+          res,
+          parsed,
+          hostedConfig,
+          isHeadRequest,
+          renderHtml: () => fs.readFileSync(CHATGPT_APP_PAGE_PATH, 'utf-8'),
+          extraTelemetry: { pageType: 'chatgpt_app' },
+        });
+      } catch {
+        sendJson(res, 404, { error: 'ChatGPT app page not found' });
+      }
+      return;
+    }
+
     if (isGetLikeRequest && (pathname === '/compare' || pathname === '/compare.html')) {
       try {
         const html = fs.readFileSync(COMPARE_PAGE_PATH, 'utf-8');
@@ -5035,7 +5257,7 @@ async function addContext(){
           version: pkg.version,
           status: 'ok',
           docs: 'https://github.com/IgorGanapolsky/ThumbGate',
-          endpoints: ['/health', '/dashboard', '/guide', '/codex-plugin', '/compare', '/learn', '/pricing', '/v1/feedback/capture', '/v1/feedback/stats', '/v1/feedback/summary', '/v1/lessons/search', '/v1/search', '/v1/documents', '/v1/documents/import', '/v1/documents/{documentId}', '/v1/dashboard', '/v1/dashboard/render-spec', '/v1/decisions/evaluate', '/v1/decisions/outcome', '/v1/decisions/metrics', '/v1/settings/status', '/v1/dpo/export', '/v1/jobs', '/v1/jobs/harness', '/v1/analytics/databricks/export'],
+          endpoints: ['/health', '/dashboard', '/guide', '/chatgpt-app', '/codex-plugin', '/compare', '/learn', '/pricing', '/v1/feedback/capture', '/v1/feedback/stats', '/v1/feedback/summary', '/v1/lessons/search', '/v1/search', '/v1/documents', '/v1/documents/import', '/v1/documents/{documentId}', '/v1/dashboard', '/v1/dashboard/ai-inventory', '/v1/dashboard/render-spec', '/v1/decisions/evaluate', '/v1/decisions/outcome', '/v1/decisions/metrics', '/v1/settings/status', '/v1/dpo/export', '/v1/jobs', '/v1/jobs/harness', '/v1/analytics/databricks/export'],
         }, {}, {
           headOnly: isHeadRequest,
         });
@@ -5060,7 +5282,12 @@ async function addContext(){
       return;
     }
 
-    if (isGetLikeRequest && pathname === '/checkout/pro') {
+    // HOTFIX 2026-06-04 — accept ANY method (GET/HEAD/POST) on /checkout/pro
+    // to prevent the API-key guard from 401'ing real prospective customers
+    // whose forms or fetch() calls land via POST. Audit: 69 emails submitted
+    // → 0 paid because POST hit the auth gate. Query params still drive the
+    // Stripe session creation; POST bodies are ignored harmlessly.
+    if ((isGetLikeRequest || req.method === 'POST') && pathname === '/checkout/pro') {
       if (isHeadRequest) {
         sendHtml(res, 200, '', {}, {
           headOnly: true,
@@ -5155,7 +5382,8 @@ async function addContext(){
           isBot: botClassification.isBot ? 'true' : 'false',
           reason: botClassification.reason,
         }, req.headers, eventType);
-        const html = renderCheckoutIntentPage();
+        const prefilledEmail = parsed?.searchParams?.get('customer_email') || '';
+        const html = renderCheckoutIntentPage(prefilledEmail);
         sendHtml(res, 200, html, responseHeaders);
         return;
       }
@@ -6919,24 +7147,159 @@ ${hidden}
 
     try {
       if (req.method === 'GET' && pathname === '/v1/feedback/stats') {
-        sendJson(res, 200, analyzeFeedback(requestFeedbackPaths.FEEDBACK_LOG_PATH));
+        const stats = analyzeFeedback(requestFeedbackPaths.FEEDBACK_LOG_PATH);
+        try {
+          const { getStatuslineMeta } = require('../../scripts/statusline-meta');
+          const meta = getStatuslineMeta({ env: process.env });
+          stats.tier = meta.tier;
+        } catch (error) {
+          debugApiFallback('statusline meta unavailable', error);
+          stats.tier = 'Pro';
+        }
+
+        const projectChatSettings = readProjectChatSettings(req, parsed);
+
+        stats.geminiConfigured = Boolean(
+          projectChatSettings.geminiKey ||
+          process.env.GEMINI_API_KEY ||
+          process.env.THUMBGATE_GEMINI_API_KEY ||
+          process.env.GOOGLE_API_KEY
+        );
+        stats.perplexityConfigured = Boolean(
+          projectChatSettings.perplexityKey ||
+          process.env.PERPLEXITY_API_KEY ||
+          process.env.THUMBGATE_PERPLEXITY_API_KEY
+        );
+        stats.geminiValidatedAt = projectChatSettings.geminiValidatedAt;
+        stats.geminiKeyStatus = 'none';
+        if (projectChatSettings.geminiKey) {
+          stats.geminiKeyStatus = 'present';
+        }
+        if (projectChatSettings.geminiValidatedAt) {
+          stats.geminiKeyStatus = 'validated';
+        }
+        stats.hybridInferenceAvailable = !!(stats.geminiConfigured || stats.perplexityConfigured);
+        sendJson(res, 200, stats);
         return;
       }
 
-      // Chat with your data — RAG over this install's captured lessons, answered
-      // by Gemini grounded only in the retrieved context. Powers the dashboard
-      // "Chat with your data" panel.
+      // Chat with your data — LOCAL-FIRST. Powers the dashboard "Chat with your
+      // data" panel. Factual/metric questions (gates, blocks, feedback, token
+      // savings, team) are answered DETERMINISTICALLY from this install's own
+      // dashboard data — no cloud, no LLM, no API key (the local-first thesis).
+      // Only open-ended/qualitative questions fall through to lesson retrieval +
+      // the user's configured LOCAL model (a BYO cloud key is optional, not required).
       if (req.method === 'POST' && pathname === '/v1/chat') {
         const body = await parseJsonBody(req);
+        const question = body.question || body.q || body.message;
+        const normalizedChatPrompt = normalizeEnterpriseChatPrompt(question);
+        const chatFeedbackDir = requestFeedbackPaths.FEEDBACK_DIR;
+
+        // Local-first: factual/metric questions (gates, blocks, feedback, cost,
+        // team) are answered deterministically from local data — no cloud/LLM/key.
+        if (
+          normalizedChatPrompt
+          && !containsUnsafeEnterpriseChatInput(normalizedChatPrompt)
+          && classifyEnterpriseChatTopic(normalizedChatPrompt) !== 'overview'
+          && await trySendLocalDashboardChat(res, parsed, chatFeedbackDir, normalizedChatPrompt)
+        ) {
+          return;
+        }
+
         const { answerDataQuestion } = require('../../scripts/dashboard-chat');
-        const result = await answerDataQuestion(body.question || body.q || body.message, {
-          feedbackDir: requestFeedbackPaths.FEEDBACK_DIR,
+
+        const projectChatSettings = readProjectChatSettings(req, parsed);
+
+        const result = await answerDataQuestion(question, {
+          feedbackDir: chatFeedbackDir,
           model: typeof body.model === 'string' ? body.model : undefined,
+          apiKey: projectChatSettings.perplexityKey || projectChatSettings.geminiKey || process.env.PERPLEXITY_API_KEY || process.env.THUMBGATE_PERPLEXITY_API_KEY || process.env.GEMINI_API_KEY || process.env.THUMBGATE_GEMINI_API_KEY || process.env.GOOGLE_API_KEY || '',
+          localEndpoint: projectChatSettings.localEndpoint || process.env.THUMBGATE_LOCAL_LLM_ENDPOINT || '',
+          localModel: projectChatSettings.localModel || process.env.THUMBGATE_LOCAL_LLM_MODEL || '',
         });
+
+        // Local-first guarantee: if no model is configured, never hard-fail with
+        // "no_api_key" — fall back to a deterministic local answer. No cloud required.
+        if (
+          !result.ok
+          && (result.error === 'no_api_key' || result.error === 'no_model')
+          && await trySendLocalDashboardChat(res, parsed, chatFeedbackDir, normalizedChatPrompt || question, '(Connect a local model via THUMBGATE_LOCAL_LLM_ENDPOINT for open-ended analysis over your lessons.)')
+        ) {
+          return;
+        }
+
         sendJson(res, result.ok ? 200 : (result.error === 'no_api_key' ? 503 : 400), result);
         return;
       }
 
+      // Save Gemini API key from the dashboard UI
+      if (req.method === 'POST' && pathname === '/v1/settings/gemini-key') {
+        const body = await parseJsonBody(req);
+        const key = String(body.key || '').trim();
+        if (!key) {
+          sendJson(res, 400, { ok: false, error: 'missing_key', message: 'No API key provided.' });
+          return;
+        }
+
+        // Validate the candidate key using the *exact* same code path as /v1/chat
+        // (project-scoped .env read + RAG + Gemini call). This prevents saving a
+        // key that will later produce the confusing "API key not valid" error in chat.
+        let validation;
+        try {
+          const { answerDataQuestion } = require('../../scripts/dashboard-chat');
+          validation = await answerDataQuestion('Reply with the single word: PONG', {
+            feedbackDir: requestFeedbackPaths.FEEDBACK_DIR,
+            apiKey: key,
+          });
+        } catch (e) {
+          validation = { ok: false, error: 'validation_exception', message: String(e?.message || e) };
+        }
+
+        if (!validation.ok) {
+          const detail = validation.error === 'gemini_error'
+            ? (validation.message || 'Gemini rejected the key')
+            : (validation.message || validation.error || 'unknown error');
+          sendJson(res, 400, {
+            ok: false,
+            error: 'invalid_key',
+            message: 'Key validation failed: ' + detail + '. Get a fresh key from https://aistudio.google.com/app/apikey (or run `npx thumbgate setup-vertex` for Vertex) and try again.'
+          });
+          return;
+        }
+
+        try {
+          const projectDir = resolveRequestProjectDir(req, parsed);
+          const envPath = path.join(projectDir, '.env');
+          let content = '';
+          if (fs.existsSync(envPath)) {
+            content = fs.readFileSync(envPath, 'utf8');
+          }
+          const regex = /^GEMINI_API_KEY=.*$/m;
+          if (regex.test(content)) {
+            content = content.replace(regex, `GEMINI_API_KEY=${key}`);
+          } else {
+            content = content.trim() + `\nGEMINI_API_KEY=${key}\n`;
+          }
+          fs.writeFileSync(envPath, content, 'utf8');
+          // Also set it in the current process so it takes effect immediately without restart
+          process.env.GEMINI_API_KEY = key;
+          // Persist validation success for reliable "configured" status in stats/hints
+          try {
+            const statusPath = path.join(projectDir, '.gemini-validated.json');
+            fs.writeFileSync(statusPath, JSON.stringify({
+              validatedAt: new Date().toISOString(),
+              validatedBy: 'dashboard-save'
+            }, null, 2));
+          } catch (error) {
+            debugApiFallback('Gemini validation marker unavailable', error);
+          }
+          sendJson(res, 200, { ok: true, message: 'Key saved and validated.' });
+        } catch (e) {
+          sendJson(res, 500, { ok: false, error: 'fs_error', message: 'Failed to write to .env file: ' + e.message });
+        }
+        return;
+      }
+
       // Server-Sent Events stream of live feedback / rule-regen / gate events.
       // Dashboard clients subscribe once (with the same Bearer auth already
       // required for /v1/feedback/stats) and receive pushed events as they
@@ -6992,14 +7355,20 @@ ${hidden}
         return;
       }
 
-      if (req.method === 'GET' && pathname === '/v1/enterprise/dialogflow/status') {
-        sendJson(res, 200, buildEnterpriseDialogflowStatus());
+      if (req.method === 'GET' && (
+        pathname === '/v1/enterprise/data-chat/status'
+        || pathname === '/v1/enterprise/dialogflow/status'
+      )) {
+        sendJson(res, 200, buildEnterpriseDataChatStatus());
         return;
       }
 
-      if (req.method === 'POST' && pathname === '/v1/enterprise/dialogflow/chat') {
+      if (req.method === 'POST' && (
+        pathname === '/v1/enterprise/data-chat/chat'
+        || pathname === '/v1/enterprise/dialogflow/chat'
+      )) {
         const body = await parseJsonBody(req, 16 * 1024);
-        const result = await answerEnterpriseDialogflowChat({
+        const result = await answerEnterpriseDataChat({
           prompt: body.prompt || body.message || body.query,
           feedbackDir: requestFeedbackDir,
           parsed,
@@ -7292,6 +7661,7 @@ ${hidden}
           summary: body.summary,
           allowedPaths: body.allowedPaths,
           protectedPaths: body.protectedPaths,
+          workflowContract: body.workflowContract,
           repoPath: body.repoPath,
           localOnly: body.localOnly === true,
           clear: body.clear === true,
@@ -8180,6 +8550,40 @@ ${hidden}
         return;
       }
 
+      // GET /v1/dashboard/ai-inventory -- Enterprise AI inventory evidence
+      if (req.method === 'GET' && pathname === '/v1/dashboard/ai-inventory') {
+        try {
+          const {
+            scanAiComponents,
+            buildCycloneDxMlBom,
+          } = require('../../scripts/ai-component-inventory');
+          const requestedRoot = parsed.searchParams.get('root');
+          const serverRoot = process.cwd();
+          const rootDir = requestedRoot ? path.resolve(requestedRoot) : serverRoot;
+          const rootRel = path.relative(serverRoot, rootDir);
+          if (rootRel.startsWith('..') || path.isAbsolute(rootRel)) {
+            sendJson(res, 400, {
+              error: 'ai_inventory_root_out_of_scope',
+              message: 'Dashboard AI inventory root must stay within the server working directory. Use the CLI for explicit cross-project scans.',
+            });
+            return;
+          }
+          const inventory = scanAiComponents({
+            rootDir,
+            maxFiles: parsed.searchParams.get('maxFiles') ? Number(parsed.searchParams.get('maxFiles')) : undefined,
+            includeSnippets: parsed.searchParams.get('snippets') !== '0',
+          });
+          const format = String(parsed.searchParams.get('format') || 'json').toLowerCase();
+          sendJson(res, 200, format === 'cyclonedx' ? buildCycloneDxMlBom(inventory, { version: pkg.version }) : inventory);
+        } catch (err) {
+          sendJson(res, 500, {
+            error: 'ai_inventory_failed',
+            message: err?.message || 'Unable to scan AI component inventory.',
+          });
+        }
+        return;
+      }
+
       // GET /v1/dashboard/review-state -- incremental review baseline and deltas
       if (req.method === 'GET' && pathname === '/v1/dashboard/review-state') {
         const reviewState = readDashboardReviewState(requestFeedbackDir);
@@ -8199,7 +8603,7 @@ ${hidden}
         const body = await parseJsonBody(req);
         const snapshot = buildReviewSnapshot(requestFeedbackDir);
         // Override snapshot timestamp with client-provided one if available
-        if (body && body.reviewedAt) {
+        if (body?.reviewedAt) {
           snapshot.reviewedAt = body.reviewedAt;
         }
         writeDashboardReviewState(requestFeedbackDir, snapshot);
@@ -8517,8 +8921,10 @@ module.exports = {
     resolveLocalPageBootstrap,
     getPublicMcpTools,
     getServerCardTools,
+    buildEnterpriseDataChatStatus,
     buildEnterpriseDialogflowStatus,
     buildEnterpriseChatAnswer,
+    answerEnterpriseDataChat,
     answerEnterpriseDialogflowChat,
   },
 };