thumbgate 1.27.11 → 1.27.13

package/bin/cli.js

@@ -2188,6 +2188,26 @@ function pulse() {
   });
 }
 
+function checkUpdateCmd() {
+  const { checkUpdate } = require(path.join(PKG_ROOT, 'scripts', 'check-update'));
+  const args = parseArgs(process.argv.slice(3));
+  checkUpdate({ verbose: !args.json, force: args.force }).then((res) => {
+    if (args.json) {
+      console.log(JSON.stringify(res, null, 2));
+    }
+    process.exit(0);
+  }).catch((err) => {
+    console.error(err && err.message ? err.message : err);
+    process.exit(1);
+  });
+}
+
+function selfUpdateCmd() {
+  const { selfUpdate } = require(path.join(PKG_ROOT, 'scripts', 'check-update'));
+  const success = selfUpdate();
+  process.exit(success ? 0 : 1);
+}
+
 function dispatchBrief() {
   const args = parseArgs(process.argv.slice(3));
   const {
@@ -3151,6 +3171,7 @@ const SUBCOMMAND_HELP = {
   lessons:       'Usage: npx thumbgate lessons [--query="..."] [--limit=N]\n\nSearch the lesson database (Pro feature).',
   search:        'Usage: npx thumbgate search <query>\n\nSearch ThumbGate knowledge base (Pro feature).',
   'gate-check':  'Usage: npx thumbgate gate-check\n\nPreToolUse hook interface: reads tool call JSON from stdin, outputs gate verdict.',
+  'hermes-gate': 'Usage: npx thumbgate hermes-gate\n\nNous Research Hermes Agent pre_tool_call shell hook: reads Hermes tool-call JSON from stdin, runs the ThumbGate gate pipeline (strict by default), and outputs {"decision":"block","reason":...} to veto or {} to allow. Gates terminal/patch/skill_manage etc. See adapters/hermes/config.yaml.',
   'break-glass': 'Usage: npx thumbgate break-glass --reason="why" [--ttl=5m] [--json]\n\nShort-lived recovery path for over-firing gates. Allows hook settings edits and satisfies PR-create/thread-check gates without disabling core destructive-action protections.',
   serve:         'Usage: npx thumbgate serve\n\nStart the MCP stdio server. This is for agent runtimes, not the local HTTP dashboard.',
   mcp:           'Usage: npx thumbgate mcp\n\nAlias for `thumbgate serve`.',
@@ -3168,11 +3189,6 @@ const SUBCOMMAND_HELP = {
   'ai-inventory': 'Usage: npx thumbgate ai-inventory [--root <dir>] [--format=summary|json|cyclonedx] [--output <path>] [--max-files=N]\n\nScan source/manifests/model artifacts for AI, ML, agent-framework, vector DB, Vertex, Gemini, and Dialogflow CX components. Use --format=cyclonedx to produce exportable ML-BOM evidence for enterprise reviews.',
   brain: 'Usage: npx thumbgate brain [--write] [--json] [--limit=N]\n\nBuild the agent-readable "context brain" — a single artifact consolidating this\nrepo\'s lessons, prevention rules, active gates, and project context for a coding\nagent to read BEFORE acting. --write saves it to .thumbgate/BRAIN.md (versioned,\ndeterministic). --json emits the structured model. --limit caps lessons (default 15).',
   'team-sync': 'Usage: npx thumbgate team-sync\n\nSynchronize prevention rules and context brain with your team\'s git repository (git pull --rebase & git push), then auto-rebuild the local brain.',
-  dream: 'Usage: npx thumbgate dream [--min=N] [--feedback-dir=DIR] [--json]\n\nConsolidate raw history and lessons ("Silicon Dreaming"), merge duplicates, promote recurring failures to gates, and rebuild prevention rules + BRAIN.md.',
-  consolidate: 'Usage: npx thumbgate consolidate\n\nAlias for npx thumbgate dream.',
-  triage: 'Usage: npx thumbgate triage [--schedule="daily 9:00"] [--json]\n\nRun git updates, test verification, and memory consolidation, or schedule it on a cron.',
-  hygiene: 'Usage: npx thumbgate hygiene\n\nAlias for npx thumbgate triage.',
-  community: 'Usage: npx thumbgate community query <error> | share <rule-id>\n\nQuery or share verified prevention rules with the community knowledge registry.',
 };
 
 if (_wantsHelp && COMMAND && SUBCOMMAND_HELP[COMMAND]) {
@@ -3275,31 +3291,6 @@ function renderBrainMarkdown(model) {
   return out.join('\n');
 }
 
-function autoWireInstructionFile(fileName) {
-  const filePath = path.join(CWD, fileName);
-  if (!fs.existsSync(filePath)) return;
-  try {
-    let content = fs.readFileSync(filePath, 'utf8');
-    const blockStart = '<!-- ThumbGate -->';
-    const blockEnd = '<!-- End ThumbGate -->';
-    const block = `${blockStart}\nIMPORTANT: Read .thumbgate/BRAIN.md first for lessons, prevention rules, and active gates in this repo.\n${blockEnd}\n`;
-
-    if (content.includes(blockStart)) {
-      const startIdx = content.indexOf(blockStart);
-      const endIdx = content.indexOf(blockEnd);
-      if (endIdx !== -1) {
-        content = content.slice(0, startIdx) + block + content.slice(endIdx + blockEnd.length).replace(/^\n+/, '');
-      }
-    } else {
-      content = block + '\n' + content;
-    }
-    fs.writeFileSync(filePath, content);
-    console.error(`   Auto-wired agent pointer into ${fileName}`);
-  } catch (err) {
-    console.warn(`⚠️  Failed to auto-wire agent pointer in ${fileName}: ${err.message}`);
-  }
-}
-
 function cmdBrain(args = {}) {
   const model = buildBrainModel({ limit: args.limit });
   if (args.json) { console.log(JSON.stringify(model, null, 2)); return 0; }
@@ -3319,120 +3310,14 @@ function cmdBrain(args = {}) {
     const lt = (model.lessons && model.lessons.total) || 0;
     const rt = (model.rules && model.rules.total) || 0;
     const gt = (model.gates && model.gates.total) || 0;
-    console.error(`\u{1f9e0} Wrote context brain to .thumbgate/BRAIN.md (${lt} lessons · ${rt} rules · ${gt} gates).`);
-    
-    // Auto-inject pointer block into CLAUDE.md / AGENTS.md
-    autoWireInstructionFile('CLAUDE.md');
-    autoWireInstructionFile('AGENTS.md');
-    
+    console.log(`\u{1f9e0} Wrote context brain to .thumbgate/BRAIN.md (${lt} lessons · ${rt} rules · ${gt} gates).`);
+    console.log('   Point your agent at it: add "Read .thumbgate/BRAIN.md first" to CLAUDE.md / AGENTS.md.');
     return 0;
   }
   process.stdout.write(md);
   return 0;
 }
 
-function brain() {
-  const args = parseArgs(process.argv.slice(3));
-  const subcommand = process.argv.slice(3).find((arg) => !arg.startsWith('--')) || 'status';
-  const {
-    buildContextPack,
-    checkNeverDo,
-    cleanupReport,
-    ensureBrain,
-    formatContextPack,
-    recordMemory,
-    refreshNeverDoGates,
-  } = require(path.join(PKG_ROOT, 'scripts', 'brain'));
-
-  if (subcommand === 'init' || subcommand === 'status') {
-    const result = ensureBrain(CWD);
-    const gates = refreshNeverDoGates(CWD);
-    const payload = { ...result, gateCount: gates.gateCount };
-    if (args.json) {
-      console.log(JSON.stringify(payload, null, 2));
-      return;
-    }
-    console.log('ThumbGate brain');
-    console.log('='.repeat(15));
-    console.log(`Brain dir : ${path.relative(CWD, result.brainDir)}`);
-    console.log(`Created   : ${result.created.length}`);
-    console.log(`Soul files: ${result.soulFiles.length}`);
-    console.log(`Memory dirs: ${result.memoryDirs.length}`);
-    console.log(`Never-do gates: ${gates.gateCount}`);
-    return;
-  }
-
-  if (subcommand === 'context') {
-    const task = args.task || process.argv.slice(4).find((arg) => !arg.startsWith('--')) || '';
-    const pack = buildContextPack(CWD, { task });
-    if (args.json) {
-      console.log(JSON.stringify(pack, null, 2));
-      return;
-    }
-    process.stdout.write(formatContextPack(pack));
-    return;
-  }
-
-  if (subcommand === 'remember') {
-    const title = args.title || process.argv.slice(4).find((arg) => !arg.startsWith('--')) || '';
-    const result = recordMemory(CWD, {
-      type: args.type,
-      title,
-      content: args.content || title,
-      reason: args.reason,
-      source: args.source,
-      tags: args.tags,
-      date: args.date,
-    });
-    if (args.json) {
-      console.log(JSON.stringify(result, null, 2));
-      return;
-    }
-    if (!result.ok) {
-      console.error(result.error);
-      process.exit(1);
-    }
-    console.log(`Stored brain memory: ${result.path}`);
-    return;
-  }
-
-  if (subcommand === 'check') {
-    const text = args.text || args.action || readStdinText();
-    const result = checkNeverDo(CWD, { text });
-    if (args.json) {
-      console.log(JSON.stringify(result, null, 2));
-      if (!result.ok) process.exit(2);
-      return;
-    }
-    console.log(`ThumbGate brain decision: ${result.decision.toUpperCase()}`);
-    for (const rule of result.blocked) console.log(`- ${rule.text}`);
-    if (!result.ok) process.exit(2);
-    return;
-  }
-
-  if (subcommand === 'cleanup') {
-    const report = cleanupReport(CWD, args);
-    if (args.json) {
-      console.log(JSON.stringify(report, null, 2));
-      return;
-    }
-    console.log('ThumbGate brain cleanup report');
-    console.log('='.repeat(31));
-    console.log(`Memory files: ${report.total}`);
-    console.log(`Unsourced   : ${report.unsourced.length}`);
-    console.log(`Stale       : ${report.stale.length}`);
-    console.log(`Duplicates  : ${report.duplicates.length}`);
-    if (report.unsourced.length) {
-      console.log('\nUnsourced files:');
-      for (const filePath of report.unsourced) console.log(`- ${filePath}`);
-    }
-    return;
-  }
-
-  console.error('Usage: npx thumbgate brain init|context|remember|check|cleanup [--json]');
-  process.exit(1);
-}
-
 async function teamSync() {
   const { execSync } = require('child_process');
 
@@ -3611,127 +3496,6 @@ switch (COMMAND) {
     }
     break;
   }
-  case 'dream':
-  case 'consolidate': {
-    const args = parseArgs(process.argv.slice(3));
-    const { dream } = require(path.join(PKG_ROOT, 'scripts', 'dream-consolidation'));
-    dream({
-      pkgRoot: PKG_ROOT,
-      feedbackDir: args['feedback-dir'] || args.feedbackDir || CWD,
-      rulesPath: args.output || path.join(CWD, '.thumbgate', 'prevention-rules.md'),
-      minOccurrences: args.min || 2,
-    }).then(async (result) => {
-      try {
-        await cmdBrain({ write: true });
-      } catch (brainErr) {
-        console.warn(`⚠️  Failed to rebuild context brain: ${brainErr.message}`);
-      }
-      if (args.json) {
-        console.log(JSON.stringify(result, null, 2));
-      } else {
-        console.log(`✨ [Dreaming] Consolidation complete! Merged ${result.consolidated} duplicate(s) into ${result.lessonsCount} lessons.`);
-      }
-      process.exit(0);
-    }).catch((err) => {
-      console.error('❌ Error during memory consolidation:', err && err.message ? err.message : err);
-      process.exit(1);
-    });
-    break;
-  }
-  case 'triage':
-  case 'hygiene': {
-    const args = parseArgs(process.argv.slice(3));
-    const { runTriageLoop } = require(path.join(PKG_ROOT, 'scripts', 'triage-loop'));
-    
-    if (args.schedule) {
-      const { createSchedule } = require(path.join(PKG_ROOT, 'scripts', 'schedule-manager'));
-      const scheduleResult = createSchedule({
-        id: 'thumbgate-triage-hygiene',
-        name: 'ThumbGate Triage & Hygiene Loop',
-        description: 'Run autonomous git checks, test suite verification, and Silicon Dreaming memory consolidation.',
-        schedule: args.schedule,
-        command: `const { runTriageLoop } = require('${path.join(PKG_ROOT, 'scripts', 'triage-loop')}'); runTriageLoop({ cwd: '${CWD}', pkgRoot: '${PKG_ROOT}' }).catch(console.error);`,
-        workingDirectory: CWD,
-      });
-      if (args.json) {
-        console.log(JSON.stringify(scheduleResult, null, 2));
-      } else {
-        if (scheduleResult.success) {
-          console.log(`✅ [Triage] Scheduled triage hygiene loop: ${scheduleResult.message}`);
-        } else {
-          console.error(`❌ [Triage] Failed to schedule: ${scheduleResult.error}`);
-          process.exit(1);
-        }
-      }
-      break;
-    }
-
-    runTriageLoop({
-      cwd: CWD,
-      pkgRoot: PKG_ROOT,
-    }).then(async (result) => {
-      try {
-        await cmdBrain({ write: true });
-      } catch (brainErr) {
-        console.warn(`⚠️  Failed to rebuild context brain: ${brainErr.message}`);
-      }
-      if (args.json) {
-        console.log(JSON.stringify(result, null, 2));
-      } else {
-        console.log(result.log);
-      }
-      process.exit(0);
-    }).catch((err) => {
-      console.error('❌ Error during triage loop execution:', err && err.message ? err.message : err);
-      process.exit(1);
-    });
-    break;
-  }
-  case 'community': {
-    const args = parseArgs(process.argv.slice(3));
-    const sub = process.argv.slice(3).find((arg) => !arg.startsWith('--'));
-    const { queryCommunity, shareRule } = require(path.join(PKG_ROOT, 'scripts', 'community-knowledge'));
-
-    if (sub === 'query') {
-      const queryIdx = process.argv.indexOf('query');
-      const queryText = process.argv.slice(queryIdx + 1).filter(arg => !arg.startsWith('--')).join(' ');
-      const result = queryCommunity(queryText, { remote: args.remote });
-      if (args.json) {
-        console.log(JSON.stringify(result, null, 2));
-      } else {
-        console.log(`🔍 Found ${result.resultsCount} community rule(s) matching "${result.query}":`);
-        for (const r of result.results) {
-          console.log(`\n- [${r.id}] ${r.rule}`);
-          console.log(`  Remedy:      ${r.remedy}`);
-          console.log(`  Explanation: ${r.explanation}`);
-        }
-      }
-      process.exit(0);
-    } else if (sub === 'share') {
-      const shareIdx = process.argv.indexOf('share');
-      const ruleId = process.argv.slice(shareIdx + 1).find(arg => !arg.startsWith('--'));
-      if (!ruleId) {
-        console.error('❌ Error: rule ID is required for share subcommand.');
-        process.exit(1);
-      }
-      const result = shareRule(ruleId, { feedbackDir: CWD });
-      if (args.json) {
-        console.log(JSON.stringify(result, null, 2));
-      } else {
-        if (result.ok) {
-          console.log(`✨ Successfully shared rule "${ruleId}" to community registry.`);
-        } else {
-          console.error(`❌ Failed to share rule: ${result.error}`);
-          process.exit(1);
-        }
-      }
-      process.exit(0);
-    } else {
-      console.error('Usage: npx thumbgate community query <error> | share <rule-id> [--json]');
-      process.exit(1);
-    }
-    break;
-  }
   case 'billing:setup':
     require(path.join(PKG_ROOT, 'scripts', 'billing-setup'));
     break;
@@ -4099,6 +3863,14 @@ switch (COMMAND) {
   case 'pulse':
     pulse();
     break;
+  case 'check-update':
+  case 'upgrade-check':
+    checkUpdateCmd();
+    break;
+  case 'self-update':
+  case 'upgrade-cli':
+    selfUpdateCmd();
+    break;
   case 'dispatch':
   case 'dispatch-brief':
     dispatchBrief();
@@ -4124,6 +3896,53 @@ switch (COMMAND) {
     });
     break;
   }
+  case 'hermes-gate': {
+    // Nous Research Hermes Agent `pre_tool_call` shell hook.
+    // Hermes pipes each pending tool call as JSON to stdin and reads a decision from stdout;
+    // {"decision":"block","reason":...} vetoes the call. We reuse the SAME gate pipeline as
+    // `gate-check` (runAsync → secret guard, security scan, force-push / skill_manage / learned
+    // prevention rules) and translate the verdict into Hermes's format.
+    //
+    // Hermes `pre_tool_call` is binary (block or allow) with no warn channel, and the whole point
+    // of wiring it is to gate, so we run STRICT enforcement by default — otherwise ThumbGate's
+    // warn-by-default posture would pass every deny through and the hook would block nothing.
+    // Opt out with THUMBGATE_HERMES_WARN_ONLY=1; THUMBGATE_HOTFIX_BYPASS=1 still disables checks.
+    // Wire it in ~/.hermes/config.yaml — see adapters/hermes/config.yaml.
+    if (process.env.THUMBGATE_HERMES_WARN_ONLY !== '1' && process.env.THUMBGATE_HOTFIX_BYPASS !== '1') {
+      process.env.THUMBGATE_STRICT_ENFORCEMENT = '1';
+    }
+    const { runAsync: hermesGateRun } = require(path.join(PKG_ROOT, 'scripts', 'gates-engine'));
+    let hermesStdin = '';
+    process.stdin.setEncoding('utf8');
+    process.stdin.on('data', (chunk) => { hermesStdin += chunk; });
+    process.stdin.on('end', async () => {
+      try {
+        const payload = JSON.parse(hermesStdin);
+        // Hermes sends snake_case tool_name/tool_input — gates-engine reads these directly.
+        const verdict = await hermesGateRun({ tool_name: payload.tool_name, tool_input: payload.tool_input });
+        let parsed = {};
+        try { parsed = JSON.parse(verdict); } catch (_e) { parsed = {}; }
+        const hso = parsed.hookSpecificOutput || {};
+        if (hso.permissionDecision === 'deny') {
+          process.stdout.write(JSON.stringify({
+            decision: 'block',
+            reason: hso.permissionDecisionReason || 'Blocked by ThumbGate prevention rule.',
+          }) + '\n');
+        } else {
+          // warn / no match → allow. The gate engine already logged the decision.
+          process.stdout.write(JSON.stringify({}) + '\n');
+        }
+        process.exit(0);
+      } catch (err) {
+        // Hermes hooks fail OPEN on error/timeout — emit an explicit allow so a gate fault
+        // never wedges the agent (reliability ≈ enforcement; keep this fast).
+        process.stderr.write(`hermes-gate error: ${err.message}\n`);
+        process.stdout.write(JSON.stringify({}) + '\n');
+        process.exit(0);
+      }
+    });
+    break;
+  }
   case 'gate-stats':
     gateStats();
     break;

package/config/builtin-lessons.json

@@ -0,0 +1,23 @@
+{
+  "version": 1,
+  "lessons": [
+    {
+      "id": "builtin-response-quality-shallow-positive-closeout",
+      "title": "MISTAKE: Assistant gave shallow acknowledgement after user said thumbs up",
+      "content": "What went wrong: Assistant gave shallow acknowledgement after positive feedback, such as thumbs up, perfect, good, or thank you, instead of staying quiet or giving an evidence checkpoint.\nHow to avoid: If the previous user message is positive feedback and the proposed final response is a low-value social closeout, block it and require either silence-level brevity or a compact evidence checkpoint with proof, result, residual risk, and next state.\nAction needed: Enforce this at the final-response boundary, not only as PreToolUse context.\nReasoning: Stored lessons and retrieval are not enough when the model can still ignore the lesson at generation time.",
+      "category": "error",
+      "importance": "high",
+      "tags": [
+        "feedback",
+        "negative",
+        "response-quality",
+        "final-response",
+        "positive-feedback",
+        "shallow-closeout",
+        "enforcement"
+      ],
+      "timestamp": "2026-06-20T19:01:58.000Z",
+      "source": "packaged-builtin"
+    }
+  ]
+}