thumbgate 1.27.12 → 1.27.13

package/src/api/server.js

@@ -3,6 +3,7 @@ const http = require('http');
 const https = require('https');
 const fs = require('fs');
 const path = require('path');
+const crypto = require('node:crypto');
 const { EventEmitter } = require('node:events');
 const pkg = require('../../package.json');
 const {
@@ -215,6 +216,8 @@ const mcpOauth = require('../../scripts/mcp-oauth');
 // OAuth 2.1 (PKCE) authorization-server state for the remote MCP connector
 // (Claude Connectors Directory requires OAuth for authenticated services).
 const oauthStore = mcpOauth.createStore();
+const pendingOauthAuthorizeRequests = new Map();
+const OAUTH_AUTHORIZE_REQUEST_TTL_MS = 10 * 60 * 1000;
 const resendMailer = require('../../scripts/mailer/resend-mailer');
 const {
   buildContextFootprintReport,
@@ -244,6 +247,10 @@ const COMPARE_DIR = path.resolve(__dirname, '../../public/compare');
 const USE_CASES_DIR = path.resolve(__dirname, '../../public/use-cases');
 const PUBLIC_DIR = path.resolve(__dirname, '../../public');
 const PUBLIC_ASSETS_DIR = path.resolve(__dirname, '../../public/assets');
+const LEARN_PAGE_PATHS_BY_SLUG = buildPublicHtmlFileMap(LEARN_DIR);
+const GUIDE_PAGE_PATHS_BY_SLUG = buildPublicHtmlFileMap(GUIDES_DIR);
+const COMPARE_PAGE_PATHS_BY_SLUG = buildPublicHtmlFileMap(COMPARE_DIR);
+const USE_CASE_PAGE_PATHS_BY_SLUG = buildPublicHtmlFileMap(USE_CASES_DIR);
 const BUYER_INTENT_SCRIPT_PATH = path.resolve(__dirname, '../../public/js/buyer-intent.js');
 const STATIC_MIME_BY_EXT = Object.freeze({
   '.png': 'image/png',
@@ -460,6 +467,36 @@ const TRACKED_LINK_TARGETS = Object.freeze({
     },
     allowCustomerEmail: true,
   },
+  diagnostic: {
+    configUrlKey: 'sprintDiagnosticCheckoutUrl',
+    fallbackHref: SPRINT_DIAGNOSTIC_CHECKOUT_URL,
+    external: true,
+    ctaId: 'go_diagnostic',
+    ctaPlacement: 'link_router',
+    eventType: 'cta_click',
+    defaults: {
+      utm_source: 'website',
+      utm_medium: 'link_router',
+      utm_campaign: 'sprint_diagnostic',
+      plan_id: 'sprint_diagnostic',
+    },
+    allowCustomerEmail: true,
+  },
+  sprint: {
+    configUrlKey: 'workflowSprintCheckoutUrl',
+    fallbackHref: WORKFLOW_SPRINT_CHECKOUT_URL,
+    external: true,
+    ctaId: 'go_sprint',
+    ctaPlacement: 'link_router',
+    eventType: 'cta_click',
+    defaults: {
+      utm_source: 'website',
+      utm_medium: 'link_router',
+      utm_campaign: 'workflow_sprint',
+      plan_id: 'workflow_sprint',
+    },
+    allowCustomerEmail: true,
+  },
   trial: {
     path: '/guide',
     ctaId: 'go_trial',
@@ -1680,6 +1717,8 @@ const FEEDBACK_LIST_LABELS = Object.freeze({
   positive: 'Recent wins',
 });
 
+const FEEDBACK_OMITTED_TAGS = Object.freeze(['audit-trail', 'auto-capture']);
+
 function formatChatTimestamp(isoString) {
   if (!isoString) return 'unknown time';
   try {
@@ -1698,9 +1737,33 @@ function formatChatTimestamp(isoString) {
   }
 }
 
+function buildFeedbackEntries(windowed, signal) {
+  return (signal ? windowed.filter((r) => r.signal === signal) : windowed)
+    .filter((r) => r.context && !isPlaceholder(r.context))
+    .slice(0, 5);
+}
+
+function formatFeedbackEntry(entry) {
+  const tsFormatted = formatChatTimestamp(entry.timestamp);
+  const signalLabel = entry.signal ? ` [${entry.signal}]` : '';
+  const tagsList = Array.isArray(entry.tags)
+    ? entry.tags.filter((tag) => !FEEDBACK_OMITTED_TAGS.includes(tag))
+    : [];
+  const tagsStr = tagsList.length ? ` (${tagsList.join(', ')})` : '';
+  return `  • ${tsFormatted}${signalLabel}${tagsStr} — ${entry.context}`;
+}
+
+function appendFeedbackListLines(lines, { entries, signal, intent }) {
+  if (!entries.length) {
+    lines.push(`No ${signal || 'feedback'} entries found ${intent.windowLabel}.`);
+    return;
+  }
+  lines.push(`${FEEDBACK_LIST_LABELS[signal] || 'Recent feedback'} (${intent.windowLabel}):`);
+  lines.push(...entries.map(formatFeedbackEntry));
+}
+
 function buildFeedbackSection({ ctx, intent, feedbackDir, approval, lessonPipeline }) {
   const signal = detectFeedbackSignalFromPrompt(ctx.prompt);
-
   // One read of the time-windowed log, then in-memory counts + (signal-filtered,
   // placeholder-stripped) list. Counts include ALL entries (so "Feedback today: 5"
   // matches the dashboard tile); the list drops vague entries like literal "thumbs
@@ -1708,30 +1771,16 @@ function buildFeedbackSection({ ctx, intent, feedbackDir, approval, lessonPipeli
   const windowed = readRecentFeedbackEntries(feedbackDir, null, intent.windowMs, 10000, { includeSignal: true });
   const windowPos = windowed.filter((r) => r.signal === 'positive').length;
   const windowNeg = windowed.filter((r) => r.signal === 'negative').length;
-  const entries = (signal ? windowed.filter((r) => r.signal === signal) : windowed)
-    .filter((r) => r.context && !isPlaceholder(r.context))
-    .slice(0, 5);
+  const entries = buildFeedbackEntries(windowed, signal);
 
-  const lines = [];
-  lines.push(intent.windowMs
+  const lines = [
+    intent.windowMs
     ? `Feedback ${intent.windowLabel}: ${windowed.length} (${windowPos} positive, ${windowNeg} negative).`
-    : `Feedback total: ${compactNumber(approval.total)} (${compactNumber(approval.positive)} positive, ${compactNumber(approval.negative)} negative).`);
+    : `Feedback total: ${compactNumber(approval.total)} (${compactNumber(approval.positive)} positive, ${compactNumber(approval.negative)} negative).`,
+  ];
 
   if (intent.wantsList) {
-    if (entries.length) {
-      lines.push(`${FEEDBACK_LIST_LABELS[signal] || 'Recent feedback'} (${intent.windowLabel}):`);
-      for (const e of entries) {
-        const tsFormatted = formatChatTimestamp(e.timestamp);
-        const signalLabel = e.signal ? ` [${e.signal}]` : '';
-        const tagsList = Array.isArray(e.tags)
-          ? e.tags.filter(t => !['audit-trail', 'auto-capture'].includes(t))
-          : [];
-        const tagsStr = tagsList.length ? ` (${tagsList.join(', ')})` : '';
-        lines.push(`  • ${tsFormatted}${signalLabel}${tagsStr} — ${e.context}`);
-      }
-    } else {
-      lines.push(`No ${signal || 'feedback'} entries found ${intent.windowLabel}.`);
-    }
+    appendFeedbackListLines(lines, { entries, signal, intent });
   } else {
     lines.push(`Lesson pipeline: ${compactNumber(lessonPipeline.lessons || lessonPipeline.generated || 0)} lessons visible in the current dashboard snapshot.`);
   }
@@ -1939,7 +1988,7 @@ async function answerEnterpriseDataChat({ prompt, feedbackDir, parsed }) {
 const answerEnterpriseDialogflowChat = answerEnterpriseDataChat;
 
 function buildLossAnalyticsResponse(data, summaryOptions) {
-  return {
+  return sanitizeHtmlUnsafeJsonValue({
     window: data.analytics.window || summaryOptions,
     lossAnalysis: data.analytics.lossAnalysis || null,
     buyerLoss: data.analytics.buyerLoss || null,
@@ -1951,7 +2000,7 @@ function buildLossAnalyticsResponse(data, summaryOptions) {
       ctas: data.analytics.telemetry && data.analytics.telemetry.ctas,
       visitors: data.analytics.telemetry && data.analytics.telemetry.visitors,
     },
-  };
+  });
 }
 
 function createJourneyId(prefix) {
@@ -2054,17 +2103,111 @@ function buildCheckoutIntentHref(baseUrl, metadata = {}, overrides = {}) {
   });
 }
 
+const CHECKOUT_HIDDEN_ATTRIBUTION_KEYS = Object.freeze([
+  'trace_id',
+  'acquisition_id',
+  'visitor_id',
+  'session_id',
+  'visitor_session_id',
+  'install_id',
+  'utm_source',
+  'utm_medium',
+  'utm_campaign',
+  'utm_content',
+  'utm_term',
+  'creator',
+  'community',
+  'post_id',
+  'comment_id',
+  'campaign_variant',
+  'offer_code',
+  'cta_id',
+  'cta_placement',
+  'plan_id',
+  'billing_cycle',
+  'seat_count',
+  'landing_path',
+  'referrer_host',
+]);
+
+function normalizeHiddenAttributionValue(value) {
+  const normalized = normalizeNullableText(value);
+  if (!normalized) return '';
+  return normalized.slice(0, 512);
+}
+
+function buildCheckoutHiddenAttributionInputs(parsed = null) {
+  if (!parsed?.searchParams) return '';
+
+  const inputs = [];
+  for (const key of CHECKOUT_HIDDEN_ATTRIBUTION_KEYS) {
+    const value = normalizeHiddenAttributionValue(parsed.searchParams.get(key));
+    if (value) {
+      inputs.push(`<input type="hidden" name="${key}" value="${escapeHtmlAttribute(value)}">`);
+    }
+  }
+  return inputs.join('');
+}
+
+function prunePendingOauthAuthorizeRequests(now = Date.now()) {
+  for (const [token, entry] of pendingOauthAuthorizeRequests.entries()) {
+    if (!entry || entry.expiresAt <= now) {
+      pendingOauthAuthorizeRequests.delete(token);
+    }
+  }
+}
+
+function createPendingOauthAuthorizeRequest(params, now = Date.now()) {
+  prunePendingOauthAuthorizeRequests(now);
+  const token = crypto.randomBytes(32).toString('base64url');
+  pendingOauthAuthorizeRequests.set(token, {
+    params,
+    expiresAt: now + OAUTH_AUTHORIZE_REQUEST_TTL_MS,
+  });
+  return token;
+}
+
+function consumePendingOauthAuthorizeRequest(token, now = Date.now()) {
+  if (!token) return null;
+  prunePendingOauthAuthorizeRequests(now);
+  const entry = pendingOauthAuthorizeRequests.get(token);
+  if (!entry) return null;
+  pendingOauthAuthorizeRequests.delete(token);
+  return entry.params;
+}
+
+function getOauthAuthorizeParamsFromQuery(searchParams) {
+  return {
+    clientId: searchParams.get('client_id') || '',
+    redirectUri: searchParams.get('redirect_uri') || '',
+    codeChallenge: searchParams.get('code_challenge') || '',
+    codeChallengeMethod: searchParams.get('code_challenge_method') || '',
+    scope: searchParams.get('scope') || undefined,
+    state: searchParams.get('state') || '',
+    resource: searchParams.get('resource') || '',
+  };
+}
+
+function getOauthAuthorizeParamsFromForm(form, hostedConfig) {
+  const pending = consumePendingOauthAuthorizeRequest(form.get('auth_request_token') || '');
+  if (pending) return pending;
+  return {
+    clientId: form.get('client_id') || '',
+    redirectUri: form.get('redirect_uri') || '',
+    codeChallenge: form.get('code_challenge') || '',
+    codeChallengeMethod: form.get('code_challenge_method') || '',
+    scope: form.get('scope') || undefined,
+    state: form.get('state') || '',
+    resource: form.get('resource') || buildPublicUrl(hostedConfig, '/mcp'),
+  };
+}
+
 function renderCheckoutIntentPage(prefilledEmail = '', parsed = null, options = {}) {
   const plausibleDomain = escapeHtmlAttribute(resolvePlausibleDataDomain({ host: 'thumbgate.ai' }));
   const includeHiddenAttribution = options.includeHiddenAttribution === true;
-  let hiddenInputs = '';
-  if (includeHiddenAttribution && parsed?.searchParams) {
-    for (const [key, value] of parsed.searchParams.entries()) {
-      if (key !== 'confirm' && key !== 'customer_email') {
-        hiddenInputs += `<input type="hidden" name="${escapeHtmlAttribute(key)}" value="${escapeHtmlAttribute(value)}">`;
-      }
-    }
-  }
+  const hiddenInputs = includeHiddenAttribution
+    ? buildCheckoutHiddenAttributionInputs(parsed)
+    : '';
   return `<!doctype html>
 <html lang="en">
 <head>
@@ -2077,7 +2220,7 @@ function renderCheckoutIntentPage(prefilledEmail = '', parsed = null, options =
 body{background:#0a0a0a;color:#eee;font-family:system-ui,-apple-system,sans-serif;line-height:1.5}
 main{max-width:520px;margin:8vh auto;padding:0 20px}
 .brand{display:flex;align-items:center;gap:10px;margin-bottom:24px;font-size:14px;color:#94a3b8}
-.brand-mark{width:24px;height:24px;background:#22d3ee;border-radius:6px;display:inline-block}
+.brand-mark{width:36px;height:36px;display:block;flex:0 0 auto;border-radius:9px}
 h1{font-size:24px;margin:0 0 8px;color:#fff}.price{font-size:32px;font-weight:700;color:#22d3ee;margin:8px 0 4px}.price small{font-size:14px;color:#94a3b8;font-weight:400}
 p{color:#cbd5e1;margin:8px 0}form{margin:0}
 input[type=email]{width:100%;box-sizing:border-box;padding:14px 16px;border:1px solid #374151;border-radius:8px;background:#111827;color:#fff;font-size:15px;margin:16px 0 0;outline:none}
@@ -2096,7 +2239,7 @@ a{display:block;text-decoration:none}a.secondary{border:1px solid #374151;color:
 </head>
 <body>
 <main>
-<div class="brand"><span class="brand-mark"></span><span>ThumbGate</span></div>
+<div class="brand"><img src="/thumbgate-icon.png?v=20260623-stripe-match" alt="" class="brand-mark" width="36" height="36"><span>ThumbGate</span></div>
 <h1>Start ThumbGate Pro</h1>
 <div class="price">$19<small>/mo</small></div>
 <p>The npm package runs your gates locally. <strong>Pro</strong> is what keeps them working across every machine, every agent runtime, and every breaking-change week.</p>
@@ -2262,17 +2405,6 @@ function normalizeCheckoutCustomerEmail(value) {
   return email;
 }
 
-function renderCheckoutIntentGate(parsed, responseHeaders = {}) {
-  let hiddenInputs = '';
-  for (const [key, value] of parsed.searchParams.entries()) {
-    if (key !== 'confirm' && key !== 'customer_email') hiddenInputs += `<input type=hidden name=${escapeHtmlAttribute(key)} value=${escapeHtmlAttribute(value)}>`;
-  }
-  return {
-    html: `<!doctype html><h1>Email for Stripe receipt</h1><form action=/checkout/pro>${hiddenInputs}<input type=hidden name=confirm value=1><input name=customer_email type=email required><button>Continue</button></form>`,
-    headers: responseHeaders,
-  };
-}
-
 function normalizeTrackedLinkSlug(value) {
   return String(value || '').trim().toLowerCase().replace(/[^a-z0-9-]/g, '');
 }
@@ -2283,6 +2415,27 @@ function normalizePublicPageSlug(value) {
     .replace(/[^a-z0-9-]/g, '');
 }
 
+function buildPublicHtmlFileMap(directory) {
+  const entries = new Map();
+  try {
+    for (const fileName of fs.readdirSync(directory)) {
+      if (!/^[a-z0-9-]+\.html$/i.test(fileName)) continue;
+      const slug = normalizePublicPageSlug(fileName);
+      if (!slug) continue;
+      entries.set(slug, path.join(directory, fileName));
+    }
+  } catch (error) {
+    if (error?.code !== 'ENOENT') throw error;
+  }
+  return entries;
+}
+
+function resolvePublicHtmlFile(publicPageMap, rawSlug) {
+  const slug = normalizePublicPageSlug(rawSlug);
+  if (!slug) return null;
+  return publicPageMap.get(slug) || null;
+}
+
 function getTrackedLinkTarget(slug) {
   const normalizedSlug = normalizeTrackedLinkSlug(slug);
   return TRACKED_LINK_TARGETS[normalizedSlug]
@@ -2318,8 +2471,10 @@ function appendTrackedLinkQueryParams(destinationUrl, parsed, target) {
 }
 
 function buildTrackedLinkDestination(target, hostedConfig, parsed) {
-  const destinationUrl = target.href
-    ? new URL(target.href)
+  const configuredHref = target.configUrlKey ? hostedConfig[target.configUrlKey] : null;
+  const href = target.href || configuredHref || target.fallbackHref;
+  const destinationUrl = href
+    ? new URL(href)
     : new URL(target.path || '/', hostedConfig.appOrigin);
   appendTrackedLinkQueryParams(destinationUrl, parsed, target);
   return destinationUrl;
@@ -2446,6 +2601,7 @@ function sendJson(res, statusCode, payload, extraHeaders = {}, options = {}) {
   const body = JSON.stringify(payload);
   res.writeHead(statusCode, {
     'Content-Type': 'application/json; charset=utf-8',
+    'X-Content-Type-Options': 'nosniff',
     'Content-Length': Buffer.byteLength(body),
     ...extraHeaders,
   });
@@ -2539,8 +2695,9 @@ function chatgptActionEventType(integration, suffix) {
 }
 
 function getPublicOrigin(req) {
-  const proto = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim() || 'http';
-  const host = String(req.headers['x-forwarded-host'] || req.headers.host || '').split(',')[0].trim() || 'localhost';
+  const rawProto = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase();
+  const proto = rawProto === 'https' ? 'https' : 'http';
+  const host = getSafePublicRequestHost(req) || 'localhost';
   return `${proto}://${host}`;
 }
 
@@ -2559,6 +2716,47 @@ function getRequestHostHeader(req) {
   return forwardedHost || req.headers.host || '';
 }
 
+function normalizePublicRequestHost(value) {
+  const rawHost = String(value || '').split(',')[0].trim().toLowerCase();
+  if (!rawHost || rawHost.length > 253) return '';
+
+  const hostWithoutPort = rawHost.startsWith('[')
+    ? rawHost.slice(1).split(']')[0]
+    : rawHost.split(':')[0];
+  const port = rawHost.startsWith('[')
+    ? rawHost.split(']:')[1] || ''
+    : rawHost.split(':')[1] || '';
+
+  if (!isAllowedPublicHostName(hostWithoutPort)) {
+    return '';
+  }
+  if (port && !/^\d{1,5}$/.test(port)) return '';
+  if (port && Number(port) > 65535) return '';
+  return port ? `${hostWithoutPort}:${port}` : hostWithoutPort;
+}
+
+function isAllowedPublicHostName(hostname) {
+  return hostname === 'localhost'
+    || hostname === '::1'
+    || isIpv4Host(hostname)
+    || isDnsHostName(hostname);
+}
+
+function isIpv4Host(hostname) {
+  const parts = hostname.split('.');
+  return parts.length === 4 && parts.every((part) => /^\d{1,3}$/.test(part));
+}
+
+function isDnsHostName(hostname) {
+  return hostname
+    .split('.')
+    .every((label) => /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(label));
+}
+
+function getSafePublicRequestHost(req) {
+  return normalizePublicRequestHost(getRequestHostHeader(req));
+}
+
 function isLoopbackHost(hostValue) {
   const rawHost = String(hostValue || '').split(',')[0].trim();
   if (!rawHost) {
@@ -2613,7 +2811,7 @@ function normalizePublicMarketingHtml(html, runtimeConfig, requestHost) {
   let output = String(html);
   output = output.replaceAll(DEFAULT_PUBLIC_APP_ORIGIN, appOrigin);
   try {
-    const host = requestHost || new URL(appOrigin).host;
+    const host = normalizePublicRequestHost(requestHost) || new URL(appOrigin).host;
     const plausibleDomain = resolvePlausibleDataDomain({ host });
     output = output.replaceAll(
       'data-domain="thumbgate-production.up.railway.app"',
@@ -2654,13 +2852,8 @@ function loadPublicMarketingTemplateHtml(templatePath, runtimeConfig, pageContex
     '__PRO_PRICE_LABEL__': runtimeConfig.proPriceLabel,
     '__SPRINT_DIAGNOSTIC_CHECKOUT_URL__': runtimeConfig.sprintDiagnosticCheckoutUrl || SPRINT_DIAGNOSTIC_CHECKOUT_URL,
     '__WORKFLOW_SPRINT_CHECKOUT_URL__': runtimeConfig.workflowSprintCheckoutUrl || WORKFLOW_SPRINT_CHECKOUT_URL,
-    '__PAYPAL_DIAGNOSTIC_CHECKOUT_URL__': runtimeConfig.paypalDiagnosticCheckoutUrl || '',
-    '__PAYPAL_WORKFLOW_SPRINT_CHECKOUT_URL__': runtimeConfig.paypalWorkflowSprintCheckoutUrl || '',
-    '__MOR_SNAPSHOT_CHECKOUT_URL__': runtimeConfig.morSnapshotCheckoutUrl || '',
-    '__MOR_PROVIDER__': runtimeConfig.morProvider || 'Lemon Squeezy or Paddle',
     '__SPRINT_DIAGNOSTIC_PRICE_DOLLARS__': runtimeConfig.sprintDiagnosticPriceDollars || 499,
     '__WORKFLOW_SPRINT_PRICE_DOLLARS__': runtimeConfig.workflowSprintPriceDollars || 1500,
-    '__SNAPSHOT_PRICE_DOLLARS__': runtimeConfig.snapshotPriceDollars || 97,
     '__GA_MEASUREMENT_ID__': runtimeConfig.gaMeasurementId || '',
     '__GA_BOOTSTRAP__': gaBootstrap,
     '__GOOGLE_SITE_VERIFICATION_META__': googleSiteVerificationMeta,
@@ -3140,7 +3333,7 @@ nav .container { display: flex; justify-content: space-between; align-items: cen
 </head>
 <body>
 <nav><div class="container">
-  <a href="/dashboard" class="nav-logo"><img src="/assets/brand/thumbgate-mark-inline.svg" alt="ThumbGate" class="logo-mark" width="28" height="28"><span class="logo-text">ThumbGate</span></a>
+  <a href="/dashboard" class="nav-logo"><img src="/assets/brand/thumbgate-mark-inline-v3.svg" alt="ThumbGate" class="logo-mark" width="28" height="28"><span class="logo-text">ThumbGate</span></a>
   <div class="nav-links">
     <a href="/dashboard">Dashboard</a>
     <a href="/lessons">Lessons</a>
@@ -3333,9 +3526,6 @@ function renderSitemapXml(runtimeConfig) {
     { path: '/learn/codex-role-plugins-need-governance', changefreq: 'weekly', priority: '0.85' },
     { path: '/learn/agentic-os-team-governance', changefreq: 'weekly', priority: '0.85' },
     { path: '/learn/cost-aware-agent-gate-routing', changefreq: 'weekly', priority: '0.85' },
-    { path: '/learn/databricks-unity-ai-gateway-runtime-governance', changefreq: 'weekly', priority: '0.85' },
-    { path: '/learn/anthropomorphic-claim-gates', changefreq: 'weekly', priority: '0.85' },
-    { path: '/learn/agent-identity-connector-governance', changefreq: 'weekly', priority: '0.9' },
     { path: '/learn/pretix-stripe-connect-marketplaces', changefreq: 'weekly', priority: '0.9' },
     { path: '/compare/claude-code-hooks', changefreq: 'weekly', priority: '0.85' },
     { path: '/compare/bumblebee', changefreq: 'weekly', priority: '0.85' },
@@ -3345,30 +3535,30 @@ function renderSitemapXml(runtimeConfig) {
     { path: '/compare/anthropic-claude-for-legal', changefreq: 'weekly', priority: '0.9' },
     ...THUMBGATE_SEO_SITEMAP_ENTRIES,
   ];
-  // Auto-include every hand-written comparison and guide page so /sitemap.xml can
-  // never drift out of sync with public/compare/*.html or public/guides/*.html.
-  // Crawlers and AI answer engines (Google AI Overviews/AI Mode, ChatGPT,
-  // Perplexity) only surface pages they can discover, so a page missing from the
-  // sitemap is invisible on its buyer-intent query. De-duped against entries
-  // already declared above (e.g. the seo-gsd specs), which keep their explicit
-  // priorities.
+  // Auto-include every hand-written SEO page so /sitemap.xml can never drift out
+  // of sync with public/compare/*.html or public/guides/*.html. Crawlers and AI
+  // answer engines only surface pages they can discover, so a buyer-intent page
+  // missing from the sitemap is invisible on its query. De-duped against entries
+  // already declared above (e.g. seo-gsd specs), which keep explicit priorities.
   const declaredPaths = new Set(entries.map((entry) => entry.path));
-  const includePublicHtmlPages = (dirName, publicPrefix, priority) => {
-    try {
-      const files = fs.readdirSync(path.join(PUBLIC_DIR, dirName)).sort((a, b) => a.localeCompare(b));
+  try {
+    const seoDirectories = [
+      { dir: 'compare', route: '/compare', priority: '0.85' },
+      { dir: 'guides', route: '/guides', priority: '0.85' },
+    ];
+    for (const catalog of seoDirectories) {
+      const files = fs.readdirSync(path.join(PUBLIC_DIR, catalog.dir)).sort((a, b) => a.localeCompare(b));
       for (const file of files) {
         if (!file.endsWith('.html')) continue;
-        const pagePath = `${publicPrefix}/${file.replace(/\.html$/, '')}`;
-        if (declaredPaths.has(pagePath)) continue;
-        declaredPaths.add(pagePath);
-        entries.push({ path: pagePath, changefreq: 'weekly', priority });
+        const publicPath = `${catalog.route}/${file.replace(/\.html$/, '')}`;
+        if (declaredPaths.has(publicPath)) continue;
+        declaredPaths.add(publicPath);
+        entries.push({ path: publicPath, changefreq: 'weekly', priority: catalog.priority });
       }
-    } catch {
-      // Directory absent in a stripped bundle — fall back to the static entries.
     }
-  };
-  includePublicHtmlPages('compare', '/compare', '0.85');
-  includePublicHtmlPages('guides', '/guides', '0.82');
+  } catch {
+    // SEO directories absent in a stripped bundle — fall back to static entries.
+  }
   return [
     '<?xml version="1.0" encoding="UTF-8"?>',
     '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">',
@@ -3494,7 +3684,7 @@ function servePublicMarketingPage({
     }, req.headers, 'seo_landing_view');
   }
 
-  const requestHost = String(req.headers['x-forwarded-host'] || req.headers.host || '').split(',')[0].trim();
+  const requestHost = getSafePublicRequestHost(req);
   const html = renderHtml(hostedConfig, {
     serverVisitorId: journeyState.visitorId,
     serverSessionId: journeyState.sessionId,
@@ -3645,7 +3835,7 @@ function renderCheckoutSuccessPage(runtimeConfig) {
 </head>
 <body>
   <main>
-    <a href="/" class="brand-header"><img src="/assets/brand/thumbgate-mark-inline.svg" alt="ThumbGate" class="logo-mark" width="32" height="32"><span class="logo-text">ThumbGate</span></a>
+    <a href="/" class="brand-header"><img src="/assets/brand/thumbgate-mark-inline-v3.svg" alt="ThumbGate" class="logo-mark" width="32" height="32"><span class="logo-text">ThumbGate</span></a>
     <span class="eyebrow">ThumbGate Pro</span>
     <h1>Your local Pro dashboard is ready.</h1>
     <p class="lead">This page verifies your Stripe session, provisions the key if needed, and gives you the exact command to save your license and launch your personal local dashboard.</p>
@@ -3873,34 +4063,15 @@ function renderCheckoutCancelledPage(runtimeConfig) {
   const workflowSprintCheckoutUrl = runtimeConfig.workflowSprintCheckoutUrl
     ? escapeHtmlAttribute(runtimeConfig.workflowSprintCheckoutUrl)
     : '';
-  const paypalDiagnosticCheckoutUrl = runtimeConfig.paypalDiagnosticCheckoutUrl
-    ? escapeHtmlAttribute(runtimeConfig.paypalDiagnosticCheckoutUrl)
-    : '';
-  const paypalWorkflowSprintCheckoutUrl = runtimeConfig.paypalWorkflowSprintCheckoutUrl
-    ? escapeHtmlAttribute(runtimeConfig.paypalWorkflowSprintCheckoutUrl)
-    : '';
-  const morSnapshotCheckoutUrl = runtimeConfig.morSnapshotCheckoutUrl
-    ? escapeHtmlAttribute(runtimeConfig.morSnapshotCheckoutUrl)
-    : '';
   const sprintDiagnosticPriceDollars = runtimeConfig.sprintDiagnosticPriceDollars || 499;
   const workflowSprintPriceDollars = runtimeConfig.workflowSprintPriceDollars || 1500;
-  const snapshotPriceDollars = runtimeConfig.snapshotPriceDollars || 97;
   const workflowSprintIntakeUrl = `${escapeHtmlAttribute(runtimeConfig.appOrigin)}/#workflow-sprint-intake`;
   const recoveryOfferLinks = [
     diagnosticCheckoutUrl
-      ? `<a href="${diagnosticCheckoutUrl}" data-recovery-offer="sprint_diagnostic_stripe" data-offer-price="${sprintDiagnosticPriceDollars}">Book $${sprintDiagnosticPriceDollars} diagnostic by Stripe</a>`
-      : '',
-    paypalDiagnosticCheckoutUrl
-      ? `<a href="${paypalDiagnosticCheckoutUrl}" data-recovery-offer="sprint_diagnostic_paypal" data-offer-price="${sprintDiagnosticPriceDollars}">Book $${sprintDiagnosticPriceDollars} diagnostic by PayPal</a>`
+      ? `<a href="${diagnosticCheckoutUrl}" data-recovery-offer="sprint_diagnostic" data-offer-price="${sprintDiagnosticPriceDollars}">Book $${sprintDiagnosticPriceDollars} diagnostic</a>`
       : '',
     workflowSprintCheckoutUrl
-      ? `<a href="${workflowSprintCheckoutUrl}" data-recovery-offer="workflow_sprint_stripe" data-offer-price="${workflowSprintPriceDollars}">Start $${workflowSprintPriceDollars} sprint by Stripe</a>`
-      : '',
-    paypalWorkflowSprintCheckoutUrl
-      ? `<a href="${paypalWorkflowSprintCheckoutUrl}" data-recovery-offer="workflow_sprint_paypal" data-offer-price="${workflowSprintPriceDollars}">Start $${workflowSprintPriceDollars} sprint by PayPal</a>`
-      : '',
-    morSnapshotCheckoutUrl
-      ? `<a href="${morSnapshotCheckoutUrl}" data-recovery-offer="snapshot_mor" data-offer-price="${snapshotPriceDollars}">Buy $${snapshotPriceDollars} snapshot</a>`
+      ? `<a href="${workflowSprintCheckoutUrl}" data-recovery-offer="workflow_sprint" data-offer-price="${workflowSprintPriceDollars}">Start $${workflowSprintPriceDollars} sprint</a>`
       : '',
     `<a href="${workflowTeardownCheckoutUrl}" data-recovery-offer="workflow_teardown" data-offer-price="99">Pay $99 teardown</a>`,
     `<a href="${quickReadCheckoutUrl}" data-recovery-offer="quick_read" data-offer-price="19">Pay $19 quick read</a>`,
@@ -4598,6 +4769,42 @@ function normalizeJobIdFromPath(pathname, suffix = '') {
   return match ? decodeURIComponent(match[1]) : null;
 }
 
+function escapeHtml(value) {
+  return String(value)
+    .replaceAll('&', '&amp;')
+    .replaceAll('<', '&lt;')
+    .replaceAll('>', '&gt;')
+    .replaceAll('"', '&quot;')
+    .replaceAll("'", '&#39;');
+}
+
+function escapeHtmlUnsafeJsonString(value) {
+  return String(value)
+    .replaceAll('<', String.raw`\u003c`)
+    .replaceAll('>', String.raw`\u003e`)
+    .replaceAll('&', String.raw`\u0026`)
+    .replaceAll('\u2028', String.raw`\u2028`)
+    .replaceAll('\u2029', String.raw`\u2029`);
+}
+
+function sanitizeHtmlUnsafeJsonValue(value) {
+  if (typeof value === 'string') {
+    return escapeHtmlUnsafeJsonString(value);
+  }
+  if (Array.isArray(value)) {
+    return value.map((entry) => sanitizeHtmlUnsafeJsonValue(entry));
+  }
+  if (!value || typeof value !== 'object') {
+    return value;
+  }
+  return Object.fromEntries(
+    Object.entries(value).map(([key, entry]) => [
+      escapeHtmlUnsafeJsonString(key),
+      sanitizeHtmlUnsafeJsonValue(entry),
+    ])
+  );
+}
+
 function normalizeDocumentIdFromPath(pathname) {
   const match = pathname.match(/^\/v1\/documents\/([^/]+)$/);
   return match ? decodeURIComponent(match[1]) : null;
@@ -5523,7 +5730,7 @@ async function addContext(){
     if (isGetLikeRequest && (pathname === '/numbers' || pathname === '/numbers.html')) {
       // Route through servePublicMarketingPage so landing_page_view telemetry
       // + funnel-events.jsonl `discovery/landing_view` get captured with UTM
-      // attribution — critical for Zernio social CTAs that target /numbers.
+      // attribution — critical for DirectSocial social CTAs that target /numbers.
       try {
         servePublicMarketingPage({
           req,
@@ -5665,13 +5872,12 @@ async function addContext(){
 
     if (isGetLikeRequest && pathname.startsWith('/learn/')) {
       try {
-        const slug = normalizePublicPageSlug(pathname.replace('/learn/', ''));
-        const articlePath = path.join(LEARN_DIR, `${slug}.html`);
-        if (!articlePath.startsWith(LEARN_DIR)) {
-          sendJson(res, 403, { error: 'Forbidden' });
+        const articlePath = resolvePublicHtmlFile(LEARN_PAGE_PATHS_BY_SLUG, pathname.replace('/learn/', ''));
+        if (!articlePath) {
+          sendJson(res, 404, { error: 'Article not found' });
           return;
         }
-        const requestHost = String(req.headers['x-forwarded-host'] || req.headers.host || '').split(',')[0].trim();
+        const requestHost = getSafePublicRequestHost(req);
         const html = normalizePublicMarketingHtml(fs.readFileSync(articlePath, 'utf-8'), hostedConfig, requestHost);
         sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
       } catch {
@@ -5682,10 +5888,9 @@ async function addContext(){
 
     if (isGetLikeRequest && pathname.startsWith('/guides/')) {
       try {
-        const slug = normalizePublicPageSlug(pathname.replace('/guides/', ''));
-        const guidePath = path.join(GUIDES_DIR, `${slug}.html`);
-        if (!guidePath.startsWith(GUIDES_DIR)) { sendJson(res, 403, { error: 'Forbidden' }); return; }
-        const requestHost = String(req.headers['x-forwarded-host'] || req.headers.host || '').split(',')[0].trim();
+        const guidePath = resolvePublicHtmlFile(GUIDE_PAGE_PATHS_BY_SLUG, pathname.replace('/guides/', ''));
+        if (!guidePath) { sendJson(res, 404, { error: 'Guide not found' }); return; }
+        const requestHost = getSafePublicRequestHost(req);
         const html = normalizePublicMarketingHtml(fs.readFileSync(guidePath, 'utf-8'), hostedConfig, requestHost);
         sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
       } catch { sendJson(res, 404, { error: 'Guide not found' }); }
@@ -5694,10 +5899,9 @@ async function addContext(){
 
     if (isGetLikeRequest && pathname.startsWith('/compare/') && pathname !== '/compare') {
       try {
-        const slug = normalizePublicPageSlug(pathname.replace('/compare/', ''));
-        const comparePath = path.join(COMPARE_DIR, `${slug}.html`);
-        if (!comparePath.startsWith(COMPARE_DIR)) { sendJson(res, 403, { error: 'Forbidden' }); return; }
-        const requestHost = String(req.headers['x-forwarded-host'] || req.headers.host || '').split(',')[0].trim();
+        const comparePath = resolvePublicHtmlFile(COMPARE_PAGE_PATHS_BY_SLUG, pathname.replace('/compare/', ''));
+        if (!comparePath) { sendJson(res, 404, { error: 'Comparison not found' }); return; }
+        const requestHost = getSafePublicRequestHost(req);
         const html = normalizePublicMarketingHtml(fs.readFileSync(comparePath, 'utf-8'), hostedConfig, requestHost);
         sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
       } catch { sendJson(res, 404, { error: 'Comparison not found' }); }
@@ -5706,10 +5910,9 @@ async function addContext(){
 
     if (isGetLikeRequest && pathname.startsWith('/use-cases/')) {
       try {
-        const slug = normalizePublicPageSlug(pathname.replace('/use-cases/', ''));
-        const useCasePath = path.join(USE_CASES_DIR, `${slug}.html`);
-        if (!useCasePath.startsWith(USE_CASES_DIR)) { sendJson(res, 403, { error: 'Forbidden' }); return; }
-        const requestHost = String(req.headers['x-forwarded-host'] || req.headers.host || '').split(',')[0].trim();
+        const useCasePath = resolvePublicHtmlFile(USE_CASE_PAGE_PATHS_BY_SLUG, pathname.replace('/use-cases/', ''));
+        if (!useCasePath) { sendJson(res, 404, { error: 'Use case not found' }); return; }
+        const requestHost = getSafePublicRequestHost(req);
         const html = normalizePublicMarketingHtml(fs.readFileSync(useCasePath, 'utf-8'), hostedConfig, requestHost);
         sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
       } catch { sendJson(res, 404, { error: 'Use case not found' }); }
@@ -6212,7 +6415,7 @@ async function addContext(){
       // Public-facing broker lead-flow audit landing page. Wedge for the
       // real-estate broker outreach. Static HTML served from src/api/static.
       try {
-        const host = String(req.headers['x-forwarded-host'] || req.headers.host || '').split(',')[0].trim();
+        const host = getSafePublicRequestHost(req);
         const html = normalizePublicMarketingHtml(fillTemplate(fs.readFileSync(
           path.resolve(__dirname, '../../assets/static/broker-audit.html'),
           'utf8'
@@ -6270,9 +6473,9 @@ async function addContext(){
     // Authorization endpoint: GET renders consent, POST issues the code.
     if (pathname === '/oauth/authorize') {
       if (isGetLikeRequest) {
-        const q = parsed.searchParams;
-        const fields = ['client_id', 'redirect_uri', 'code_challenge', 'code_challenge_method', 'scope', 'state', 'resource'];
-        const hidden = fields.map((f) => `<input type="hidden" name="${f}" value="${escapeHtmlAttribute(q.get(f) || '')}">`).join('\n');
+        const authRequestToken = createPendingOauthAuthorizeRequest(
+          getOauthAuthorizeParamsFromQuery(parsed.searchParams)
+        );
         const html = `<!doctype html><html><head><meta charset="utf-8"><title>Authorize ThumbGate</title>
 <style>body{font:15px system-ui;margin:0;background:#0b0b0c;color:#eee;display:flex;min-height:100vh;align-items:center;justify-content:center}
 .card{background:#161618;border:1px solid #2a2a2e;border-radius:12px;padding:28px;max-width:420px}
@@ -6281,7 +6484,7 @@ button{width:100%;padding:11px;border-radius:8px;border:0;background:#10b981;col
 a{color:#8b9}</style></head><body><form class="card" method="post" action="/oauth/authorize">
 <h2>Authorize Claude → ThumbGate</h2>
 <p>Paste your ThumbGate API key to let this connector act as you. Get one with <code>npx thumbgate init</code> or from your <a href="/dashboard">dashboard</a>.</p>
-${hidden}
+<input type="hidden" name="auth_request_token" value="${escapeHtmlAttribute(authRequestToken)}">
 <input type="password" name="api_key" placeholder="ThumbGate API key" autocomplete="off" required>
 <button type="submit" name="approve" value="yes">Approve</button>
 </form></body></html>`;
@@ -6293,8 +6496,9 @@ ${hidden}
         req.on('data', (c) => { body += c; if (body.length > 16384) req.destroy(); });
         req.on('end', () => {
           const form = new URLSearchParams(body);
-          const redirectUri = form.get('redirect_uri') || '';
-          const state = form.get('state') || '';
+          const authorizationParams = getOauthAuthorizeParamsFromForm(form, hostedConfig);
+          const redirectUri = authorizationParams.redirectUri;
+          const state = authorizationParams.state;
           // Validate the presented ThumbGate key before issuing a code. When keys
           // are configured (production) the key MUST match a configured admin /
           // operator / reviewer key — otherwise OAuth would authenticate nobody.
@@ -6304,12 +6508,12 @@ ${hidden}
             return;
           }
           const issued = mcpOauth.createAuthorizationCode(oauthStore, {
-            clientId: form.get('client_id') || '',
+            clientId: authorizationParams.clientId,
             redirectUri,
-            codeChallenge: form.get('code_challenge') || '',
-            codeChallengeMethod: form.get('code_challenge_method') || '',
-            scope: form.get('scope') || undefined,
-            resource: form.get('resource') || buildPublicUrl(hostedConfig, '/mcp'),
+            codeChallenge: authorizationParams.codeChallenge,
+            codeChallengeMethod: authorizationParams.codeChallengeMethod,
+            scope: authorizationParams.scope,
+            resource: authorizationParams.resource || buildPublicUrl(hostedConfig, '/mcp'),
             boundKey: form.get('api_key') || '',
             state,
           });
@@ -8402,11 +8606,14 @@ ${hidden}
       {
         const documentId = normalizeDocumentIdFromPath(pathname);
         if (req.method === 'GET' && documentId) {
+          if (!/^[a-zA-Z0-9-_]+$/.test(documentId)) {
+            throw createHttpError(400, 'Invalid document ID format');
+          }
           const document = readImportedDocument(documentId, {
             feedbackDir: requestFeedbackDir,
           });
           if (!document) {
-            throw createHttpError(404, `Imported document not found: ${documentId}`);
+            throw createHttpError(404, `Imported document not found: ${escapeHtml(documentId)}`);
           }
           sendJson(res, 200, { document });
           return;
@@ -9502,6 +9709,8 @@ module.exports = {
     buildEnterpriseChatAnswer,
     answerEnterpriseDataChat,
     answerEnterpriseDialogflowChat,
+    buildLossAnalyticsResponse,
+    sanitizeHtmlUnsafeJsonValue,
   },
 };