thumbgate 1.27.2 → 1.27.3

package/public/pricing.html

@@ -5,9 +5,9 @@
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 __GOOGLE_SITE_VERIFICATION_META__
 <title>Pricing — ThumbGate</title>
-<meta name="description" content="ThumbGate pricing: free CLI forever, $19/mo Pro dashboard, and intake-led Team enforcement at $49/seat after scope. One clear subscription path.">
+<meta name="description" content="ThumbGate pricing: free CLI forever, $19/mo Pro dashboard, and custom Enterprise enforcement scoped after intake. One clear subscription path.">
 <meta property="og:title" content="Pricing — ThumbGate">
-<meta property="og:description" content="Free CLI, Pro self-serve, and Team after workflow scope. No mixed consulting checkout maze.">
+<meta property="og:description" content="Free CLI, Pro self-serve, and Enterprise after workflow scope. No mixed consulting checkout maze.">
 <meta property="og:type" content="website">
 <meta property="og:url" content="__APP_ORIGIN__/pricing">
 <meta property="og:image" content="/og.png">
@@ -40,7 +40,7 @@ __GA_BOOTSTRAP__
     { "@type": "Offer", "name": "ThumbGate CLI (Free)", "price": "0", "priceCurrency": "USD" },
     { "@type": "Offer", "name": "ThumbGate Pro Monthly", "price": "__PRO_PRICE_DOLLARS__", "priceCurrency": "USD", "url": "__APP_ORIGIN__/checkout/pro?plan_id=pro&billing_cycle=monthly&landing_path=%2Fpricing" },
     { "@type": "Offer", "name": "ThumbGate Pro Annual", "price": "149", "priceCurrency": "USD", "url": "__APP_ORIGIN__/checkout/pro?plan_id=pro&billing_cycle=annual&landing_path=%2Fpricing" },
-    { "@type": "Offer", "name": "ThumbGate Team", "price": "49", "priceCurrency": "USD", "url": "__APP_ORIGIN__/#workflow-sprint-intake" }
+    { "@type": "Offer", "name": "ThumbGate Enterprise", "priceCurrency": "USD", "url": "__APP_ORIGIN__/#workflow-sprint-intake" }
   ]
 }
 </script>
@@ -51,9 +51,9 @@ __GA_BOOTSTRAP__
   "@type": "FAQPage",
   "mainEntity": [
     { "@type": "Question", "name": "What does Pro add over the free CLI?", "acceptedAnswer": { "@type": "Answer", "text": "Free gives you 5 captures/day and 3 active rules, running entirely on your machine. Pro is the hosted layer: unlimited captures, unlimited rules, lesson sync across machines, a dashboard without self-hosting, managed adapter updates, and DPO export. You're paying for infrastructure we run, not features we hide." } },
-    { "@type": "Question", "name": "Does ThumbGate send my code to the cloud?", "acceptedAnswer": { "@type": "Answer", "text": "No. The CLI is local-first — no data leaves your machine. Pro and Team add hosted sync for dashboards and shared lessons, but your source code stays local." } },
-    { "@type": "Question", "name": "When should I pick Team over Pro?", "acceptedAnswer": { "@type": "Answer", "text": "When one engineer's correction should protect the whole team. Team shares the lesson database across seats so a fix in one repo prevents the same mistake in every repo." } },
-    { "@type": "Question", "name": "Can I cancel anytime?", "acceptedAnswer": { "@type": "Answer", "text": "Yes. Pro and Team are month-to-month with a 7-day refund window on the first charge. Cancel from the billing portal and your subscription ends at the period close." } }
+    { "@type": "Question", "name": "Does ThumbGate send my code to the cloud?", "acceptedAnswer": { "@type": "Answer", "text": "No. The CLI is local-first — no data leaves your machine. Pro and Enterprise add hosted sync for dashboards and shared lessons, but your source code stays local." } },
+    { "@type": "Question", "name": "When should I pick Enterprise over Pro?", "acceptedAnswer": { "@type": "Answer", "text": "When one engineer's correction should protect the whole team. Enterprise shares the lesson database across the org so a fix in one repo prevents the same mistake in every repo." } },
+    { "@type": "Question", "name": "Can I cancel anytime?", "acceptedAnswer": { "@type": "Answer", "text": "Yes. Pro and Enterprise are month-to-month with a 7-day refund window on the first charge. Cancel from the billing portal and your subscription ends at the period close." } }
   ]
 }
 </script>
@@ -266,42 +266,29 @@ __GA_BOOTSTRAP__
       <p class="btn-sub">or $149/year (save 35%)</p>
     </div>
 
-    <div class="price-card team-card" id="team">
-      <div class="tier">Team</div>
-      <div class="price">$49<span>/seat/mo</span></div>
-      <div class="price-sub">Shared enforcement memory for the whole team. One engineer's save protects every agent.</div>
+    <div class="price-card enterprise-card" id="enterprise">
+      <div class="tier">Enterprise</div>
+      <div class="price">Custom<span> / scoped after intake</span></div>
+      <div class="price-sub">Shared enforcement for the whole team and regulated workflows. One engineer's save protects every agent.</div>
       <ul>
-        <li>Everything in Pro for each seat</li>
+        <li>Everything in Pro, for every developer and agent</li>
         <li><strong>Shared lesson database</strong> — one engineer's fix protects every agent on the team</li>
         <li><strong>Org dashboard</strong> — visibility across all agent surfaces and developers</li>
-        <li><strong>Enterprise Data Chat</strong> — query local ThumbGate feedback, lessons, gates, and rollout readiness; Dialogflow CX / Vertex integration is enabled only when deployment evidence is configured</li>
-        <li>Check template library for deploys, publish, and DB operations</li>
-        <li>Email support during pilot rollout</li>
-        <li>3-seat minimum after scope; rollout starts only after workflow and proof review are explicit</li>
-      </ul>
-      <a class="btn-team" href="/?utm_source=pricing&utm_medium=team_card&utm_campaign=team_intake&cta_id=pricing_team_intake&cta_placement=pricing&plan_id=team#workflow-sprint-intake" onclick="try{posthog.capture('pricing_cta_click',{cta:'team_intake',tier:'team',placement:'pricing_page',price:0})}catch(_){};try{plausible('pricing_cta_click',{props:{cta:'team_intake',tier:'team'}})}catch(_){}">Send team workflow first</a>
-      <p class="btn-sub">Rollout starts through intake so the workflow is scoped before checkout.</p>
-    </div>
-
-  </div>
-
-  <div class="enterprise-band" style="max-width:920px;margin:0 auto 8px;padding:24px 28px;border:1px solid rgba(34,211,238,0.24);border-radius:10px;background:#090d12;display:flex;flex-wrap:wrap;align-items:center;justify-content:space-between;gap:16px;">
-    <div style="flex:1 1 460px;text-align:left;">
-      <div class="tier" style="color:var(--cyan);">Enterprise</div>
-      <div class="price-sub" style="margin:4px 0 10px;">For regulated teams that need agent checks routed through their own cloud — talk to us.</div>
-      <ul style="margin:0;padding-left:18px;font-size:13px;color:var(--text-muted);line-height:1.7;">
-        <li><strong>Vertex AI / VPC gating</strong> — route agent checks through Gemini models in your Google Cloud project (<code>npx thumbgate setup-vertex</code>)</li>
+        <li><strong>Dialogflow CX fulfillment guard</strong> — put ThumbGate's pre-action gate in front of your Dialogflow CX webhook fulfillment, in your own GCP tenant, so risky or repeat turns are blocked before they touch a DB, CRM, or billing system (white-glove design-partner pilot)</li>
+        <li><strong>Vertex AI / VPC gating</strong> — route agent checks through Gemini in your own Google Cloud project (<code>npx thumbgate setup-vertex</code>)</li>
         <li><strong>Regulatory gate templates</strong> — legal intake, financial compliance, healthcare</li>
-        <li>Custom policy layers scoped to firm / practice area</li>
-        <li>Compliance audit export + dedicated onboarding with SLA</li>
+        <li>Custom policy layers, compliance audit export, approval boundaries, SSO, and dedicated onboarding with SLA</li>
+        <li>Rollout starts only after workflow and proof review are explicit</li>
       </ul>
+      <a class="btn-team" href="/?utm_source=pricing&utm_medium=enterprise_card&utm_campaign=enterprise_intake&cta_id=pricing_enterprise_intake&cta_placement=pricing&plan_id=enterprise#workflow-sprint-intake" onclick="try{posthog.capture('pricing_cta_click',{cta:'enterprise_intake',tier:'enterprise',placement:'pricing_page',price:0})}catch(_){};try{plausible('pricing_cta_click',{props:{cta:'enterprise_intake',tier:'enterprise'}})}catch(_){}">Talk to us</a>
+      <p class="btn-sub">Custom pricing, scoped through intake so the workflow is explicit before checkout.</p>
     </div>
-    <a class="btn-team" style="white-space:nowrap;" href="/?utm_source=pricing&utm_medium=enterprise_band&utm_campaign=enterprise_intake&cta_id=pricing_enterprise&cta_placement=pricing&plan_id=enterprise#workflow-sprint-intake" onclick="try{posthog.capture('pricing_cta_click',{cta:'enterprise_intake',tier:'enterprise',placement:'pricing_page',price:0})}catch(_){};try{plausible('pricing_cta_click',{props:{cta:'enterprise_intake',tier:'enterprise'}})}catch(_){}">Talk to us</a>
+
   </div>
 
   <div style="text-align:center;margin:32px 0;color:var(--text-muted);font-size:14px;">
     Need founder help? Do not buy a blind diagnostic from a pricing table.
-    <a href="/?utm_source=pricing&utm_medium=scope_first&utm_campaign=team_intake&cta_id=pricing_scope_first&cta_placement=pricing_note&plan_id=team#workflow-sprint-intake" style="color:var(--cyan);text-decoration:none;font-weight:600;" onclick="try{posthog.capture('pricing_cta_click',{cta:'scope_first',tier:'team',price:0})}catch(_){};try{plausible('pricing_cta_click',{props:{cta:'scope_first',tier:'team'}})}catch(_){}">Send the workflow first</a> — then we scope the smallest paid rollout that can prove one repeated failure is blocked.
+    <a href="/?utm_source=pricing&utm_medium=scope_first&utm_campaign=enterprise_intake&cta_id=pricing_scope_first&cta_placement=pricing_note&plan_id=enterprise#workflow-sprint-intake" style="color:var(--cyan);text-decoration:none;font-weight:600;" onclick="try{posthog.capture('pricing_cta_click',{cta:'scope_first',tier:'enterprise',price:0})}catch(_){};try{plausible('pricing_cta_click',{props:{cta:'scope_first',tier:'enterprise'}})}catch(_){}">Send the workflow first</a> — then we scope the smallest paid rollout that can prove one repeated failure is blocked.
   </div>
 </section>
 
@@ -319,15 +306,15 @@ __GA_BOOTSTRAP__
       </div>
       <div class="faq-item">
         <div class="faq-q">Does ThumbGate send my code to the cloud?</div>
-        <div class="faq-a">No. The CLI is local-first and no source code leaves your machine. Pro and Team add hosted sync for dashboards and shared lessons, but your code stays local.</div>
+        <div class="faq-a">No. The CLI is local-first and no source code leaves your machine. Pro and Enterprise add hosted sync for dashboards and shared lessons, but your code stays local.</div>
       </div>
       <div class="faq-item">
-        <div class="faq-q">When should I pick Team over Pro?</div>
-        <div class="faq-a">When one engineer's correction should protect the whole team. Team shares the lesson database across seats so a fix in one repo prevents the same mistake in every repo.</div>
+        <div class="faq-q">When should I pick Enterprise over Pro?</div>
+        <div class="faq-a">When one engineer's correction should protect the whole team. Enterprise shares the lesson database across the org so a fix in one repo prevents the same mistake in every repo.</div>
       </div>
       <div class="faq-item">
         <div class="faq-q">Can I cancel anytime?</div>
-        <div class="faq-a">Yes. Pro and Team are month-to-month with a 7-day refund window on the first charge. Cancel from the billing portal and your subscription ends at the period close.</div>
+        <div class="faq-a">Yes. Pro and Enterprise are month-to-month with a 7-day refund window on the first charge. Cancel from the billing portal and your subscription ends at the period close.</div>
       </div>
       <div class="faq-item">
         <div class="faq-q">What happens if I stop paying?</div>

package/public/pro.html

@@ -924,11 +924,11 @@ __GA_BOOTSTRAP__
 
     <div class="pricing-sidebar">
       <div class="team-card">
-        <div class="section-label" style="text-align:left;margin-bottom:8px;">When Team is better</div>
+        <div class="section-label" style="text-align:left;margin-bottom:8px;">When Enterprise is better</div>
         <h3>Need shared enforcement?</h3>
-        <p>Choose Team when one correction must protect multiple developers or agents across shared repositories, CI, approval policies, and audit trails. Team is $49/seat/mo with a 3-seat minimum after qualification.</p>
+        <p>Choose Enterprise when one correction must protect multiple developers or agents across shared repositories, CI, approval policies, and audit trails. Enterprise is custom pricing, scoped after intake.</p>
         <div class="hero-actions" style="margin-top:18px;">
-          <a class="btn-secondary" href="/#workflow-sprint-intake">Book a Team Pilot Call</a>
+          <a class="btn-secondary" href="/#workflow-sprint-intake">Book an Enterprise Pilot Call</a>
         </div>
       </div>
       <div class="team-card">

package/scripts/commercial-offer.js

@@ -14,7 +14,12 @@ const TEAM_ANNUAL_PRICE_DOLLARS = 588;
 const TEAM_MIN_SEATS = 3;
 
 const PRO_PRICE_LABEL = '$19/mo or $149/yr (individual)';
-const TEAM_PRICE_LABEL = '$49/seat/mo — Agent governance for engineering teams';
+// Enterprise is the contact-sales tier (absorbs the former Team workflow + the
+// regulated-industry lane). Pricing is scoped after intake — no self-serve seat
+// price is surfaced. The dormant TEAM_* Stripe constants below remain only as
+// inert billing plumbing pending a dedicated cleanup; they are no longer a
+// customer-facing tier.
+const ENTERPRISE_PRICE_LABEL = 'Custom pricing, scoped after intake — Enterprise agent governance';
 
 function normalizePlanId(value) {
   const text = String(value || '').trim().toLowerCase();
@@ -68,6 +73,8 @@ function buildCaptureReceipt({ signal, feedbackId, memoryId, actionType } = {})
     '',
     `  Solo Pro       : ${PRO_PRICE_LABEL} for hosted sync, search, dashboard, and exports`,
     `  Upgrade        : ${trackedProUrl('cli_capture_receipt', actionType || normalizedSignal.toLowerCase())}`,
+    `  Enterprise     : ${ENTERPRISE_PRICE_LABEL}; start with one repeated workflow failure`,
+    '                   https://thumbgate.ai/#workflow-sprint-intake',
     '',
   ];
   return lines.join('\n');
@@ -100,6 +107,7 @@ function buildStatsReceipt(stats = {}) {
   lines.push('  Show the buyer     : npx thumbgate cost');
   lines.push('  Pro sync value     : keep these lessons/rules visible across laptops, CI, containers, and agent runtimes');
   lines.push(`  Solo Pro           : ${trackedProUrl('cli_stats_receipt', 'proof_seen')}`);
+  lines.push('  Enterprise         : https://thumbgate.ai/#workflow-sprint-intake');
   lines.push('');
   return lines.join('\n');
 }
@@ -116,7 +124,7 @@ module.exports = {
   TEAM_ANNUAL_PRICE_DOLLARS,
   TEAM_MIN_SEATS,
   PRO_PRICE_LABEL,
-  TEAM_PRICE_LABEL,
+  ENTERPRISE_PRICE_LABEL,
   normalizePlanId,
   normalizeBillingCycle,
   normalizeSeatCount,

package/scripts/dashboard-chat.js

@@ -2,15 +2,15 @@
 
 // scripts/dashboard-chat.js
 // -----------------------------------------------------------------------------
-// "Chat with your data" — the dashboard chat backend. Answers a natural-language
-// question about THIS install's ThumbGate data (captured lessons + prevention
-// rules) by retrieving the most relevant lessons and asking Gemini to answer
-// grounded ONLY in that retrieved context (RAG). No data leaves the box except
-// the retrieved snippets + the question, sent to the configured Gemini endpoint.
+// "Chat with your data" — the dashboard chat backend. Local-first RAG over
+// this install's ThumbGate data (lessons, raw feedback memories via LanceDB
+// vectors, receipts, gate stats). Retrieval is local (lesson search + optional
+// vector-store.searchSimilar). Generation uses your configured LLM: a local
+// OpenAI-compatible endpoint first, then Gemini or Perplexity when explicitly
+// configured.
 //
-// Enterprise framing: this is the in-product "chat with your governed data"
-// experience. (The Dialogflow CX messenger widget is the separate path where a
-// customer connects their own DFCX agent + the ThumbGate webhook gate.)
+// Dialogflow/Google is not the dashboard chatbot brain. It remains an optional
+// guard-adapter path for buyers who already run their own Google agent tenancy.
 // -----------------------------------------------------------------------------
 
 const path = require('path');
@@ -40,7 +40,7 @@ function resolveModel(requested) {
 
 function resolveApiKey(opts = {}) {
   let key = '';
-  if (Object.prototype.hasOwnProperty.call(opts, 'apiKey')) {
+  if (Object.hasOwn(opts, 'apiKey')) {
     key = opts.apiKey || '';
   } else {
     key = opts.apiKey || process.env.GEMINI_API_KEY || process.env.THUMBGATE_GEMINI_API_KEY || process.env.GOOGLE_API_KEY || process.env.PERPLEXITY_API_KEY || process.env.THUMBGATE_PERPLEXITY_API_KEY || '';
@@ -49,31 +49,91 @@ function resolveApiKey(opts = {}) {
   return key.trim().replace(/^["']|["']$/g, '');
 }
 
-// Retrieve the most relevant stored lessons for the question.
-function retrieveContext(question, opts = {}) {
-  let searchLessons;
+function debugChatFallback(label, err) {
+  if (process.env.THUMBGATE_DEBUG_CHAT !== '1') return;
+  const detail = err?.message ? err.message : String(err);
+  console.warn(`[dashboard-chat] ${label}: ${detail}`);
+}
+
+function loadLessonSearcher() {
   try {
-    ({ searchLessons } = require(path.join(__dirname, 'lesson-search')));
-  } catch (_) {
-    return [];
+    return require(path.join(__dirname, 'lesson-search')).searchLessons;
+  } catch (err) {
+    debugChatFallback('lesson search unavailable', err);
+    return null;
   }
-  let res;
+}
+
+function lessonToContextItem(lesson) {
+  return {
+    id: lesson.id,
+    signal: lesson.signal || lesson.feedback || '',
+    title: (lesson.title || '').replace(/^(?:MISTAKE|SUCCESS):\s*/i, '').slice(0, 160),
+    content: String(lesson.content || lesson.context || '').replace(/\s+/g, ' ').trim().slice(0, 600),
+    tags: lesson.tags || [],
+    source: 'lessons',
+  };
+}
+
+function vectorMatchToContextItem(match, index) {
+  return {
+    id: match.id || `vec-${index}`,
+    signal: match.signal || '',
+    title: String(match.context || match.text || '').slice(0, 100),
+    content: match.text || match.context || '',
+    tags: match.tags ? String(match.tags).split(',').filter(Boolean) : [],
+    source: 'lancedb-vector',
+  };
+}
+
+function dedupeContextItems(items, limit = MAX_CONTEXT_LESSONS + 3) {
+  const seen = new Set();
+  return items.filter((item) => {
+    if (!(item.content || item.title)) return false;
+    const key = item.id || item.content.slice(0, 80);
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  }).slice(0, limit);
+}
+
+function retrieveLessonContext(question, opts = {}) {
+  const searchLessons = loadLessonSearcher();
+  if (!searchLessons) return [];
   try {
-    res = searchLessons(String(question || ''), {
+    const res = searchLessons(String(question || ''), {
       limit: MAX_CONTEXT_LESSONS,
       feedbackDir: opts.feedbackDir,
     });
-  } catch (_) {
+    const rows = res?.results || res?.lessons || [];
+    return rows.slice(0, MAX_CONTEXT_LESSONS).map(lessonToContextItem);
+  } catch (err) {
+    debugChatFallback('lesson retrieval failed', err);
+    return [];
+  }
+}
+
+async function retrieveVectorContext(question, opts = {}) {
+  if (opts.useVectorSearch === false) return [];
+  try {
+    const vectorStore = require(path.join(__dirname, 'vector-store'));
+    const vecResults = vectorStore.searchSimilar
+      ? await vectorStore.searchSimilar(String(question || ''), opts.vectorLimit || 4)
+      : [];
+    return vecResults
+      .filter((match) => match?.text)
+      .map(vectorMatchToContextItem);
+  } catch (err) {
+    debugChatFallback('vector retrieval failed', err);
     return [];
   }
-  const rows = (res && (res.results || res.lessons)) || [];
-  return rows.slice(0, MAX_CONTEXT_LESSONS).map((l) => ({
-    id: l.id,
-    signal: l.signal || l.feedback || '',
-    title: (l.title || '').replace(/^(?:MISTAKE|SUCCESS):\s*/i, '').slice(0, 160),
-    content: String(l.content || l.context || '').replace(/\s+/g, ' ').trim().slice(0, 600),
-    tags: l.tags || [],
-  })).filter((l) => l.content || l.title);
+}
+
+// Retrieve relevant stored lessons and optional raw feedback vector matches.
+async function retrieveContext(question, opts = {}) {
+  const lessons = retrieveLessonContext(question, opts);
+  const vectors = await retrieveVectorContext(question, opts);
+  return dedupeContextItems([...lessons, ...vectors]);
 }
 
 // Build a grounded RAG prompt. Pure function (testable).
@@ -97,15 +157,87 @@ function buildChatPrompt(question, lessons) {
 
 // Parse the Gemini generateContent response into plain text. Pure (testable).
 function parseGeminiAnswer(body) {
-  const parts = body
-    && body.candidates
-    && body.candidates[0]
-    && body.candidates[0].content
-    && body.candidates[0].content.parts;
+  const parts = body?.candidates?.[0]?.content?.parts;
   if (!Array.isArray(parts)) return '';
   return parts.map((p) => (p && typeof p.text === 'string' ? p.text : '')).join('').trim();
 }
 
+function buildOpenAiChatPayload(prompt, model) {
+  return JSON.stringify({
+    model,
+    messages: [{ role: 'user', content: prompt }],
+    temperature: 0.2,
+    max_tokens: 1024,
+  });
+}
+
+function parseOpenAiChatAnswer(json) {
+  return json?.choices?.[0]?.message?.content || '';
+}
+
+function parseModelError(json, status) {
+  return json?.error?.message ? String(json.error.message).split('\n')[0] : `HTTP ${status}`;
+}
+
+function trimTrailingSlashes(value) {
+  let text = String(value || '');
+  while (text.endsWith('/')) {
+    text = text.slice(0, -1);
+  }
+  return text;
+}
+
+async function callLocalOpenAiEndpoint({ endpoint, apiKey, model, prompt, fetchImpl, sources }) {
+  const url = endpoint.includes('/chat/completions')
+    ? endpoint
+    : `${trimTrailingSlashes(endpoint)}/chat/completions`;
+  const res = await fetchImpl(url, {
+    method: 'POST',
+    headers: {
+      'content-type': 'application/json',
+      'Authorization': `Bearer ${apiKey || 'local'}`
+    },
+    body: buildOpenAiChatPayload(prompt, model),
+  });
+  const json = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    return { ok: false, error: 'local_llm_error', status: res.status, message: parseModelError(json, res.status), sources };
+  }
+  const answer = parseOpenAiChatAnswer(json);
+  return { ok: true, answer: answer.trim() || '(no answer returned)', sources, model: json.model || model };
+}
+
+async function callPerplexityEndpoint({ apiKey, prompt, fetchImpl, sources }) {
+  const res = await fetchImpl(PERPLEXITY_ENDPOINT, {
+    method: 'POST',
+    headers: { 'content-type': 'application/json', 'Authorization': `Bearer ${apiKey}` },
+    body: buildOpenAiChatPayload(prompt, 'sonar'),
+  });
+  const json = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    return { ok: false, error: 'perplexity_error', status: res.status, message: parseModelError(json, res.status), sources };
+  }
+  const answer = parseOpenAiChatAnswer(json);
+  return { ok: true, answer: answer.trim() || '(no answer returned)', sources, model: json.model || 'perplexity-hybrid' };
+}
+
+async function callGeminiEndpoint({ apiKey, model, prompt, fetchImpl, sources }) {
+  const res = await fetchImpl(`${GEMINI_ENDPOINT}/${encodeURIComponent(model)}:generateContent`, {
+    method: 'POST',
+    headers: { 'content-type': 'application/json', 'x-goog-api-key': apiKey },
+    body: JSON.stringify({
+      contents: [{ role: 'user', parts: [{ text: prompt }] }],
+      generationConfig: { temperature: 0.2, maxOutputTokens: 1024 },
+    }),
+  });
+  const json = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    return { ok: false, error: 'gemini_error', status: res.status, message: parseModelError(json, res.status), sources };
+  }
+  const answer = parseGeminiAnswer(json);
+  return { ok: true, answer: answer || '(no answer returned)', sources, model: json.modelVersion || model };
+}
+
 // Answer a question grounded in this install's lessons. Returns
 // { ok, answer, sources, model } or { ok:false, error, ... }.
 async function answerDataQuestion(question, opts = {}) {
@@ -115,15 +247,17 @@ async function answerDataQuestion(question, opts = {}) {
     return { ok: false, error: 'question_too_long', message: `Question exceeds ${MAX_QUESTION_CHARS} characters.` };
   }
 
+  const localEndpoint = opts.localEndpoint || process.env.THUMBGATE_LOCAL_LLM_ENDPOINT || '';
+  const localModel = opts.localModel || process.env.THUMBGATE_LOCAL_LLM_MODEL || 'llama3';
   const apiKey = resolveApiKey(opts);
-  const lessons = retrieveContext(q, opts);
+  const lessons = await retrieveContext(q, opts);
   const sources = lessons.map((l) => ({ id: l.id, title: l.title, signal: l.signal }));
 
-  if (!apiKey) {
+  if (!apiKey && !localEndpoint) {
     return {
       ok: false,
       error: 'no_api_key',
-      message: 'Chat is not configured. Set a valid GEMINI_API_KEY or PERPLEXITY_API_KEY (for hybrid local-cloud) in the project .env or via dashboard Save. See adapters/perplexity/HYBRID.md.',
+      message: 'Chat is not configured. Set a valid GEMINI_API_KEY, PERPLEXITY_API_KEY, or THUMBGATE_LOCAL_LLM_ENDPOINT in the project .env.',
       sources,
     };
   }
@@ -131,47 +265,14 @@ async function answerDataQuestion(question, opts = {}) {
   const model = resolveModel(opts.model);
   const prompt = buildChatPrompt(q, lessons);
   const fetchImpl = opts.fetch || globalThis.fetch;
-  const isPerplexity = apiKey.startsWith('pplx-') || apiKey.includes('perplexity');
+  const isPerplexity = apiKey && (apiKey.startsWith('pplx-') || apiKey.includes('perplexity'));
 
   try {
-    if (isPerplexity) {
-      // Use Perplexity hybrid-capable API (OpenAI compatible) for RAG chat with your data
-      const res = await fetchImpl(PERPLEXITY_ENDPOINT, {
-        method: 'POST',
-        headers: { 'content-type': 'application/json', 'Authorization': `Bearer ${apiKey}` },
-        body: JSON.stringify({
-          model: 'sonar', // or llama-3.1 etc for hybrid
-          messages: [{ role: 'user', content: prompt }],
-          temperature: 0.2,
-          max_tokens: 1024,
-        }),
-      });
-      const json = await res.json().catch(() => ({}));
-      if (!res.ok) {
-        const msg = (json && json.error && json.error.message) ? String(json.error.message).split('\n')[0] : `HTTP ${res.status}`;
-        return { ok: false, error: 'perplexity_error', status: res.status, message: msg, sources };
-      }
-      const answer = (json.choices && json.choices[0] && json.choices[0].message && json.choices[0].message.content) || '';
-      return { ok: true, answer: answer.trim() || '(no answer returned)', sources, model: json.model || 'perplexity-hybrid' };
-    } else {
-      const res = await fetchImpl(`${GEMINI_ENDPOINT}/${encodeURIComponent(model)}:generateContent`, {
-        method: 'POST',
-        headers: { 'content-type': 'application/json', 'x-goog-api-key': apiKey },
-        body: JSON.stringify({
-          contents: [{ role: 'user', parts: [{ text: prompt }] }],
-          generationConfig: { temperature: 0.2, maxOutputTokens: 1024 },
-        }),
-      });
-      const json = await res.json().catch(() => ({}));
-      if (!res.ok) {
-        const msg = (json && json.error && json.error.message) ? String(json.error.message).split('\n')[0] : `HTTP ${res.status}`;
-        return { ok: false, error: 'gemini_error', status: res.status, message: msg, sources };
-      }
-      const answer = parseGeminiAnswer(json);
-      return { ok: true, answer: answer || '(no answer returned)', sources, model: json.modelVersion || model };
-    }
+    if (localEndpoint) return await callLocalOpenAiEndpoint({ endpoint: localEndpoint, apiKey, model: localModel, prompt, fetchImpl, sources });
+    if (isPerplexity) return await callPerplexityEndpoint({ apiKey, prompt, fetchImpl, sources });
+    return await callGeminiEndpoint({ apiKey, model, prompt, fetchImpl, sources });
   } catch (err) {
-    return { ok: false, error: 'network', message: err && err.message ? err.message : String(err), sources };
+    return { ok: false, error: 'network', message: err?.message || String(err), sources };
   }
 }
 

package/scripts/gates-engine.js

@@ -121,6 +121,43 @@ const BOOSTED_RISK_MIN_EXAMPLES = 3;
 const PR_THREAD_RESOLUTION_ACTION = 'pr_thread_resolution_verified_after_commit';
 const KNOWLEDGE_ENTROPY_THRESHOLD = 0.7;
 const KNOWLEDGE_CONFLICT_STRICT_BASH_PATTERN = /\b(?:git\s+push\b|gh\s+pr\s+merge\b|gh\s+release\s+(?:create|delete|edit|upload)\b|(?:npm|yarn|pnpm)\s+publish\b|rm\s+-rf\b|git\s+reset\s+--hard\b|git\s+clean\s+-f|railway\s+(?:deploy|up)\b|gcloud\s+(?:run\s+deploy|app\s+deploy)\b|firebase\s+deploy\b|vercel\s+--prod\b|kubectl\s+(?:apply|delete)\b|terraform\s+(?:apply|destroy)\b)\b/i;
+
+// ---------------------------------------------------------------------------
+// Enforcement posture (CEO decision 2026-06-04): warn-by-default.
+// The firewall ALWAYS fires and logs every decision, but most gates WARN rather
+// than hard-block — only TRULY CATASTROPHIC, irreversible actions hard-block:
+//   - secret exfiltration (handled on its own deny path; never downgraded)
+//   - security-vulnerability / supply-chain denies (own deny path; not downgraded)
+//   - irreversibly destructive filesystem commands (rm -rf class, mkfs, dd to disk,
+//     fork bomb) — kept as hard deny via DESTRUCTIVE_FS_PATTERN below.
+// Everything else (memory-high-risk, workflow-sequence, off-scope, git push, deploy,
+// approval gates) downgrades deny/approve -> warn so legitimate work is never blocked.
+// Opt back into full hard enforcement with THUMBGATE_STRICT_ENFORCEMENT=1.
+// Enforcement posture (CEO decision 2026-06-04): WARN + AUDIT by default.
+// The firewall fires and LOGS every decision, but downgrades deny/approve -> warn so
+// legitimate work is never hard-blocked. We deliberately do NOT try to hard-block
+// arbitrary destructive commands here: a regex "catastrophic floor" is unwinnable
+// (sudo / bash -c / find -exec / eval / base64|sh all evade it) and gives false confidence.
+// HARD enforcement is an explicit opt-in via THUMBGATE_STRICT_ENFORCEMENT=1, which keeps
+// the engine's FULL gate set (its high-risk-command gates catch prefixed/obfuscated forms
+// far better than any single regex). Secret exfiltration and the security-vulnerability
+// scan hard-deny on their OWN paths before this runs, so irreversible data-leak / supply
+// chain risks stay blocked regardless of posture.
+function applyEnforcementPosture(result) {
+  if (!result || (result.decision !== 'deny' && result.decision !== 'approve')) return result;
+  // Full hard enforcement opt-in: keep every deny.
+  if (process.env.THUMBGATE_STRICT_ENFORCEMENT === '1') return result;
+  // Honor the explicit strict-knowledge-conflict opt-in for that gate.
+  if (process.env.THUMBGATE_STRICT_KNOWLEDGE_CONFLICT === '1' && result.gate === 'knowledge-conflict-gate') return result;
+  // Warn-by-default: the gate still fired and is recorded; the action is allowed through
+  // with the warning surfaced instead of hard-blocked, so legitimate work is never blocked.
+  return {
+    ...result,
+    decision: 'warn',
+    warnByDefault: true,
+    message: `${result.message}\n\n⚠️ ThumbGate is in warn-by-default mode — this was flagged and logged, not blocked. Set THUMBGATE_STRICT_ENFORCEMENT=1 to hard-block, or THUMBGATE_HOTFIX_BYPASS=1 to disable checks entirely.`,
+  };
+}
 const BREAK_GLASS_CONDITION = 'thumbgate_break_glass';
 const BREAK_GLASS_SETTINGS_GLOBS = [
   '.claude/settings.local.json',
@@ -2671,7 +2708,7 @@ async function runAsync(input) {
 
   const sequenceGuard = evaluateSequenceState(toolName, toolInput);
   if (sequenceGuard && sequenceGuard.decision === 'deny') {
-    return formatOutput(sequenceGuard);
+    return formatOutput(applyEnforcementPosture(sequenceGuard));
   }
 
   const result = await evaluateGatesAsync(toolName, toolInput);
@@ -2691,12 +2728,12 @@ async function runAsync(input) {
   const lessonContext = safeSecretStorageWrite ? null : await buildRelevantLessonContextAsync(toolName, toolInput);
   
   if (lessonContext && lessonContext.decision === "deny") {
-    return formatOutput(lessonContext);
+    return formatOutput(applyEnforcementPosture(lessonContext));
   }
   
   const recentContext = buildRecentCorrectiveActionsContext();
   const combinedContext = mergeContextStrings(lessonContext, recentContext, behavioralContext);
-  return formatOutput(result, combinedContext);
+  return formatOutput(applyEnforcementPosture(result), combinedContext);
 
 }
 
@@ -2718,7 +2755,7 @@ function run(input) {
 
   const sequenceGuard = evaluateSequenceState(toolName, toolInput);
   if (sequenceGuard && sequenceGuard.decision === 'deny') {
-    return formatOutput(sequenceGuard);
+    return formatOutput(applyEnforcementPosture(sequenceGuard));
   }
 
   const result = evaluateGates(toolName, toolInput);
@@ -2738,12 +2775,12 @@ function run(input) {
   const lessonContext = safeSecretStorageWrite ? null : buildRelevantLessonContext(toolName, toolInput);
   
   if (lessonContext && lessonContext.decision === "deny") {
-    return formatOutput(lessonContext);
+    return formatOutput(applyEnforcementPosture(lessonContext));
   }
   
   const recentContext = buildRecentCorrectiveActionsContext();
   const combinedContext = mergeContextStrings(lessonContext, recentContext, behavioralContext);
-  return formatOutput(result, combinedContext);
+  return formatOutput(applyEnforcementPosture(result), combinedContext);
 
 }