thumbgate 1.27.10 → 1.27.12

package/config/builtin-lessons.json

@@ -0,0 +1,23 @@
+{
+  "version": 1,
+  "lessons": [
+    {
+      "id": "builtin-response-quality-shallow-positive-closeout",
+      "title": "MISTAKE: Assistant gave shallow acknowledgement after user said thumbs up",
+      "content": "What went wrong: Assistant gave shallow acknowledgement after positive feedback, such as thumbs up, perfect, good, or thank you, instead of staying quiet or giving an evidence checkpoint.\nHow to avoid: If the previous user message is positive feedback and the proposed final response is a low-value social closeout, block it and require either silence-level brevity or a compact evidence checkpoint with proof, result, residual risk, and next state.\nAction needed: Enforce this at the final-response boundary, not only as PreToolUse context.\nReasoning: Stored lessons and retrieval are not enough when the model can still ignore the lesson at generation time.",
+      "category": "error",
+      "importance": "high",
+      "tags": [
+        "feedback",
+        "negative",
+        "response-quality",
+        "final-response",
+        "positive-feedback",
+        "shallow-closeout",
+        "enforcement"
+      ],
+      "timestamp": "2026-06-20T19:01:58.000Z",
+      "source": "packaged-builtin"
+    }
+  ]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate",
-  "version": "1.27.10",
+  "version": "1.27.12",
   "description": "ThumbGate self-improving agent governance: thumbs-up/down turns every mistake into a prevention rule and blocks repeat patterns. 36 pre-action checks, budget enforcement, and self-protection for Claude Code, Cursor, Codex, Gemini CLI, and Amp.",
   "homepage": "https://thumbgate.ai",
   "repository": {

package/scripts/gate-stats.js

@@ -11,6 +11,11 @@ const PROJECT_ROOT = path.join(__dirname, '..');
 const MANUAL_GATES_PATH = path.join(PROJECT_ROOT, 'config', 'gates', 'default.json');
 const STATS_PATH = path.join(process.env.HOME || '/tmp', '.thumbgate', 'gate-stats.json');
 
+function safeOccurrenceCount(value) {
+  const n = Number(value);
+  return Number.isFinite(n) && n > 0 ? n : 0;
+}
+
 function loadGatesFile(filePath) {
   if (!fs.existsSync(filePath)) return [];
   try {
@@ -39,16 +44,16 @@ function calculateStats() {
   // Count total blocks/warns from occurrences in auto-promoted gates
   const totalBlocked = autoGates
     .filter((g) => g.action === 'block')
-    .reduce((sum, g) => sum + (g.occurrences || 0), 0);
+    .reduce((sum, g) => sum + safeOccurrenceCount(g.occurrences), 0);
   const totalWarned = autoGates
     .filter((g) => g.action === 'warn')
-    .reduce((sum, g) => sum + (g.occurrences || 0), 0);
+    .reduce((sum, g) => sum + safeOccurrenceCount(g.occurrences), 0);
 
   // Top blocked gate. A configured block rule with zero occurrences is not a
   // "top blocker"; only recorded block events should appear here.
   const topBlocked = [...allGates]
-    .filter((g) => g.action === 'block' && Number(g.occurrences || 0) > 0)
-    .sort((a, b) => (b.occurrences || 0) - (a.occurrences || 0))
+    .filter((g) => g.action === 'block' && safeOccurrenceCount(g.occurrences) > 0)
+    .sort((a, b) => safeOccurrenceCount(b.occurrences) - safeOccurrenceCount(a.occurrences))
     .at(0) || null;
 
   // Last promotion event
@@ -105,7 +110,7 @@ function computeCalibration(gates) {
   const calibration = [];
   for (const gate of gates || []) {
     if (!gate || !gate.id) continue;
-    const occurrences = Number(gate.occurrences || 0);
+    const occurrences = safeOccurrenceCount(gate.occurrences);
     const action = gate.action || 'unknown';
     // Only annotate gates with recorded occurrence data
     if (occurrences === 0) continue;
@@ -258,6 +263,7 @@ module.exports = {
   loadGatesFile,
   tryComputeBayesErrorRate,
   computeCalibration,
+  safeOccurrenceCount,
   MANUAL_GATES_PATH,
   STATS_PATH,
 };

package/scripts/gates-engine.js

@@ -16,6 +16,13 @@ const {
 const {
   evaluateWorkflowSentinel,
 } = require('./workflow-sentinel');
+const {
+  extractPayloadText,
+  extractPayloadPreviousUserText,
+  hasPositiveFeedback,
+  isLowValueCloseout,
+  buildResponseQualityReason,
+} = require('./hook-stop-anti-claim');
 const {
   recordDecisionEvaluation,
   recordDecisionOutcome,
@@ -2585,6 +2592,39 @@ function buildReminderOutput(context) {
   });
 }
 
+function inferHookEventName(input = {}) {
+  const explicit = input.hook_event_name || input.hookEventName || input.event || input.lifecycle;
+  if (explicit) return String(explicit);
+  return extractPayloadText(input) ? 'Stop' : 'PreToolUse';
+}
+
+function buildResponseQualityBlockOutput(reason, input = {}) {
+  return JSON.stringify({
+    decision: 'block',
+    reason,
+    hookSpecificOutput: {
+      hookEventName: inferHookEventName(input),
+      permissionDecision: 'deny',
+      permissionDecisionReason: reason,
+    },
+  });
+}
+
+function evaluateFinalResponseQualityGate(input = {}) {
+  const finalText = extractPayloadText(input) || process.env.CLAUDE_RESPONSE || '';
+  const previousUserText = extractPayloadPreviousUserText(input)
+    || process.env.CLAUDE_PREVIOUS_USER_TEXT
+    || process.env.CLAUDE_PREVIOUS_USER
+    || '';
+
+  if (!finalText || !hasPositiveFeedback(previousUserText)) return null;
+  if (!isLowValueCloseout(finalText, '')) return null;
+  recordStat('response-quality-shallow-closeout', 'block', null, {
+    hookEventName: inferHookEventName(input),
+  });
+  return buildResponseQualityBlockOutput(buildResponseQualityReason(), input);
+}
+
 // ---------------------------------------------------------------------------
 // Upgrade nudge: surfaces Pro value at usage milestones and trial expiry.
 // Block-action Pro CTA: brief upgrade mention after a deny/warn decision.
@@ -2915,6 +2955,9 @@ function mergeContextStrings(...ctxs) {
 }
 
 async function runAsync(input) {
+  const responseQualityGate = evaluateFinalResponseQualityGate(input);
+  if (responseQualityGate) return responseQualityGate;
+
   const secretGuard = evaluateSecretGuard(input);
   if (secretGuard) {
     return formatOutput(secretGuard);
@@ -2962,6 +3005,9 @@ async function runAsync(input) {
 }
 
 function run(input) {
+  const responseQualityGate = evaluateFinalResponseQualityGate(input);
+  if (responseQualityGate) return responseQualityGate;
+
   const secretGuard = evaluateSecretGuard(input);
   if (secretGuard) {
     return formatOutput(secretGuard);
@@ -3296,6 +3342,9 @@ module.exports = {
   evaluateGatesAsync,
   computeExecutableHash,
   formatOutput,
+  inferHookEventName,
+  buildResponseQualityBlockOutput,
+  evaluateFinalResponseQualityGate,
   isApprovalGatesEnabled,
   run,
   runAsync,

package/scripts/hook-stop-anti-claim.js

@@ -16,10 +16,11 @@
  * ThumbGate dogfood — we are the prevention-rule generator and a perfect
  * customer for our own gate.
  *
- * Wires through .claude/settings.json Stop hooks list. Always exits 0
- * (informational): the goal is to surface a system reminder in the next
- * turn so the agent corrects mid-conversation rather than to hard-block
- * the turn that already happened.
+ * Wires through .claude/settings.json Stop hooks list. Always exits 0 and
+ * emits a Claude-hook `decision:"block"` JSON payload when a final-response
+ * violation can be evaluated before the response is accepted. Transcript-only
+ * runs still surface a reminder for the next turn when the host has already
+ * written the assistant response.
  *
  * Stdin: Claude Code passes the hook payload as JSON on stdin. We read
  * `transcript_path` to locate the JSONL session log and scan the last
@@ -203,6 +204,79 @@ function hasProof(combined) {
   return PROOF_PATTERNS.some((p) => p.test(combined));
 }
 
+function extractPayloadText(payload) {
+  if (!payload || typeof payload !== 'object') return '';
+  const candidates = [
+    payload.response,
+    payload.assistant_response,
+    payload.assistantResponse,
+    payload.final_response,
+    payload.finalResponse,
+    payload.text,
+    payload.output,
+    payload.message,
+  ];
+  for (const candidate of candidates) {
+    if (typeof candidate === 'string' && candidate.trim()) return candidate;
+    if (candidate && typeof candidate === 'object') {
+      const extracted = extractText(candidate);
+      if (extracted.trim()) return extracted;
+    }
+  }
+  return '';
+}
+
+function extractPayloadPreviousUserText(payload) {
+  if (!payload || typeof payload !== 'object') return '';
+  const candidates = [
+    payload.previous_user_text,
+    payload.previousUserText,
+    payload.user_prompt,
+    payload.userPrompt,
+    payload.prompt,
+  ];
+  for (const candidate of candidates) {
+    if (typeof candidate === 'string' && candidate.trim()) return candidate;
+    if (candidate && typeof candidate === 'object') {
+      const extracted = extractText(candidate);
+      if (extracted.trim()) return extracted;
+    }
+  }
+  return '';
+}
+
+function buildResponseQualityReason() {
+  return [
+    'ThumbGate response-quality gate: final response answered positive feedback',
+    'with a low-value social closeout instead of silence-level brevity or an evidence checkpoint.',
+    'Positive feedback after operational work should trigger either no extra noise,',
+    'a compact evidence checkpoint, or a concrete next-state update.',
+    'Do not reply with generic "Good / Great / Use X/Y" filler.',
+  ].join(' ');
+}
+
+function buildResponseQualityReminder() {
+  return [
+    '⚠️ ThumbGate response-quality gate: previous turn answered positive feedback',
+    '   with a low-value social closeout instead of silence-level brevity or an evidence checkpoint.',
+    '   Positive feedback after operational work should trigger either no extra noise,',
+    '   a compact evidence checkpoint, or a concrete next-state update.',
+    '   Do not reply with generic "Good / Great / Use X/Y" filler.',
+  ].join('\n');
+}
+
+function writeBlock(reason) {
+  process.stdout.write(JSON.stringify({
+    decision: 'block',
+    reason,
+    hookSpecificOutput: {
+      hookEventName: 'Stop',
+      permissionDecision: 'deny',
+      permissionDecisionReason: reason,
+    },
+  }) + '\n');
+}
+
 function readStdinSync() {
   try {
     return fs.readFileSync(0, 'utf8');
@@ -221,6 +295,17 @@ function main() {
   }
 
   const transcriptPath = payload.transcript_path || process.env.CLAUDE_TRANSCRIPT_PATH;
+  const directText = extractPayloadText(payload) || process.env.CLAUDE_RESPONSE || '';
+  const directPreviousUserText = extractPayloadPreviousUserText(payload)
+    || process.env.CLAUDE_PREVIOUS_USER_TEXT
+    || process.env.CLAUDE_PREVIOUS_USER
+    || '';
+
+  if (directText && hasPositiveFeedback(directPreviousUserText) && isLowValueCloseout(directText, '')) {
+    writeBlock(buildResponseQualityReason());
+    return;
+  }
+
   const message = readLastAssistantTurn(transcriptPath);
   if (!message) return; // no transcript visible; nothing to check
 
@@ -229,14 +314,7 @@ function main() {
   const previousUserText = readPreviousUserText(transcriptPath);
 
   if (hasPositiveFeedback(previousUserText) && isLowValueCloseout(text, toolUseSummary)) {
-    const reminder = [
-      '⚠️ ThumbGate response-quality gate: previous turn answered positive feedback',
-      '   with a low-value social closeout instead of silence-level brevity or an evidence checkpoint.',
-      '   Positive feedback after operational work should trigger either no extra noise,',
-      '   a compact evidence checkpoint, or a concrete next-state update.',
-      '   Do not reply with generic "Good / Great / Use X/Y" filler.',
-    ].join('\n');
-    process.stdout.write(reminder + '\n');
+    process.stdout.write(buildResponseQualityReminder() + '\n');
     return;
   }
 
@@ -282,6 +360,9 @@ module.exports = {
   hasProof,
   hasPositiveFeedback,
   isLowValueCloseout,
+  extractPayloadText,
+  extractPayloadPreviousUserText,
+  buildResponseQualityReason,
   extractText,
   extractToolUseSummary,
   readPreviousUserText,

package/scripts/lesson-search.js

@@ -1,6 +1,7 @@
 'use strict';
 
 const path = require('node:path');
+const fs = require('node:fs');
 const { readJSONL, getFeedbackPaths } = require('./feedback-loop');
 const { buildMemoryLifecycleView, scoreHybridMemoryMatch } = require('./agent-memory-lifecycle');
 const { loadOptionalModule } = require('./private-core-boundary');
@@ -166,6 +167,17 @@ function resolveLessonPaths(options = {}) {
   };
 }
 
+function readPackagedBuiltinLessons() {
+  if (process.env.THUMBGATE_DISABLE_BUILTIN_LESSONS === '1') return [];
+  const builtinPath = path.resolve(__dirname, '..', 'config', 'builtin-lessons.json');
+  try {
+    const parsed = JSON.parse(fs.readFileSync(builtinPath, 'utf8'));
+    return Array.isArray(parsed.lessons) ? parsed.lessons : [];
+  } catch {
+    return [];
+  }
+}
+
 function readPreventionRuleMatches(queryText, limit = 3, options = {}) {
   const { PREVENTION_RULES_PATH } = resolveLessonPaths(options);
   if (!PREVENTION_RULES_PATH) return [];
@@ -481,7 +493,9 @@ function searchLessons(query = '', options = {}) {
   const sqliteResults = tryFts5Search(query, options);
   if (sqliteResults) return sqliteResults;
 
-  const memories = readJSONL(MEMORY_LOG_PATH);
+  const localMemories = readJSONL(MEMORY_LOG_PATH);
+  const builtinMemories = options.includeBuiltinLessons === false ? [] : readPackagedBuiltinLessons();
+  const memories = [...builtinMemories, ...localMemories];
   const feedbackEntries = readJSONL(FEEDBACK_LOG_PATH);
   const feedbackById = new Map(feedbackEntries.map((entry) => [entry.id, entry]));
   const parsedLimit = Number(options.limit || 10);