thumbgate 1.27.4 → 1.27.6

package/.claude/commands/dashboard.md

@@ -0,0 +1,15 @@
+---
+name: dashboard
+description: Open the local HTTP dashboard for the current project in your web browser.
+---
+
+# Open Dashboard
+
+Open the local HTTP dashboard for the current project in your web browser.
+
+## Instructions
+Execute the following command in the project directory to open the browser dashboard scoped to the current repository:
+```bash
+thumbgate-dashboard
+```
+

package/.claude/commands/thumbgate-dashboard.md

@@ -0,0 +1,15 @@
+---
+name: thumbgate-dashboard
+description: Open the local HTTP dashboard for the current project in your web browser.
+---
+
+# Open Scoped ThumbGate Dashboard
+
+Open the local HTTP dashboard for the current project in your web browser.
+
+## Instructions
+Execute the following command in the project directory to open the browser dashboard:
+```bash
+thumbgate-dashboard
+```
+

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "thumbgate",
   "description": "One 👎 becomes a hard rule the agent cannot bypass. Captures thumbs-down feedback, distills it into PreToolUse Pre-Action Checks, enforced across every future Claude Code session.",
-  "version": "1.27.4",
+  "version": "1.27.6",
   "author": {
     "name": "Igor Ganapolsky",
     "email": "ig5973700@gmail.com",
@@ -28,6 +28,7 @@
     "memory"
   ],
   "skills": "./skills/",
+  "commands": "./.claude/commands/",
   "mcpServers": {
     "thumbgate": {
       "command": "npx",

package/.well-known/mcp/server-card.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate",
-  "version": "1.27.4",
+  "version": "1.27.6",
   "description": "ThumbGate — 👍👎 feedback that teaches your AI agent. Thumbs down a mistake, it never happens again.",
   "homepage": "https://thumbgate.ai",
   "transport": "stdio",

package/adapters/claude/.mcp.json

@@ -2,13 +2,13 @@
   "mcpServers": {
     "thumbgate": {
       "command": "npx",
-      "args": ["--yes", "--package", "thumbgate@1.27.4", "thumbgate", "serve"]
+      "args": ["--yes", "--package", "thumbgate@1.27.6", "thumbgate", "serve"]
     }
   },
   "hooks": {
     "preToolUse": {
       "command": "npx",
-      "args": ["--yes", "--package", "thumbgate@1.27.4", "thumbgate", "gate-check"]
+      "args": ["--yes", "--package", "thumbgate@1.27.6", "thumbgate", "gate-check"]
     }
   }
 }

package/adapters/mcp/server-stdio.js

@@ -231,7 +231,7 @@ const {
   finalizeSession: finalizeFeedbackSession,
 } = require('../../scripts/feedback-session');
 
-const SERVER_INFO = { name: 'thumbgate-mcp', version: '1.27.4' };
+const SERVER_INFO = { name: 'thumbgate-mcp', version: '1.27.6' };
 const COMMERCE_CATEGORIES = [
   'product_recommendation',
   'brand_compliance',

package/adapters/opencode/opencode.json

@@ -7,7 +7,7 @@
         "npx",
         "--yes",
         "--package",
-        "thumbgate@1.27.4",
+        "thumbgate@1.27.6",
         "thumbgate",
         "serve"
       ],

package/bin/cli.js

@@ -565,6 +565,20 @@ function setupCodex() {
 }
 
 function setupGemini() {
+  // Try to import custom commands as a Gemini plugin if the CLI is installed
+  const { execSync } = require('child_process');
+  let pluginImported = false;
+  for (const binName of ['agy', 'gemini']) {
+    try {
+      execSync(`${binName} plugin import "${PKG_ROOT}" --force`, { stdio: 'ignore' });
+      console.log(`  Gemini: imported thumbgate plugin via ${binName}`);
+      pluginImported = true;
+      break;
+    } catch (err) {
+      // ignore errors if command doesn't exist or fails
+    }
+  }
+
   const settingsPath = path.join(HOME, '.gemini', 'settings.json');
   if (fs.existsSync(settingsPath)) {
     const settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8'));
@@ -585,13 +599,14 @@ function setupGemini() {
       }
     }
 
-    if (!changed) return false;
+    if (!changed) return pluginImported;
     fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + '\n');
     console.log('  Gemini: updated ~/.gemini/settings.json');
     return true;
   }
   // Fallback: project-level .gemini/settings.json
-  return mergeMcpJson(path.join(CWD, '.gemini', 'settings.json'), 'Gemini', 'project');
+  const mcpChanged = mergeMcpJson(path.join(CWD, '.gemini', 'settings.json'), 'Gemini', 'project');
+  return pluginImported || mcpChanged;
 }
 
 function setupAmp() {
@@ -910,6 +925,32 @@ function init(cliArgs = parseArgs(process.argv.slice(3))) {
   // Always create .mcp.json (project-level MCP config used by Claude, Codex, Cursor)
   mergeMcpJson(path.join(CWD, '.mcp.json'), 'MCP');
 
+  // Copy custom slash commands (.claude/commands/*.md) to the project's config directories
+  const pkgCommandsDir = path.join(PKG_ROOT, '.claude', 'commands');
+  if (fs.existsSync(pkgCommandsDir)) {
+    const targets = [
+      path.join(CWD, '.claude', 'commands'),
+      path.join(CWD, '.gemini', 'commands'),
+      path.join(CWD, '.antigravitycli', 'commands')
+    ];
+    for (const projectCommandsDir of targets) {
+      if (!fs.existsSync(projectCommandsDir)) {
+        fs.mkdirSync(projectCommandsDir, { recursive: true });
+      }
+      try {
+        const files = fs.readdirSync(pkgCommandsDir);
+        for (const file of files) {
+          if (file.endsWith('.md')) {
+            fs.copyFileSync(path.join(pkgCommandsDir, file), path.join(projectCommandsDir, file));
+          }
+        }
+      } catch (err) {
+        console.log(`  Failed to copy custom commands to ${path.relative(CWD, projectCommandsDir)}: ${err.message}`);
+      }
+    }
+    console.log('Scaffolded custom slash commands directories (.claude, .gemini, .antigravitycli)');
+  }
+
   // Auto-detect and configure platform-specific locations
   console.log('');
   console.log('Detecting platforms...');
@@ -3323,8 +3364,13 @@ switch (COMMAND) {
     break;
   }
   case 'brain': {
-    const brainArgs = parseArgs(process.argv.slice(3));
-    process.exitCode = cmdBrain(brainArgs);
+    const sub = process.argv.slice(3).find((arg) => !arg.startsWith('--'));
+    if (sub && ['init', 'context', 'remember', 'check', 'cleanup', 'status'].includes(sub)) {
+      brain();
+    } else {
+      const brainArgs = parseArgs(process.argv.slice(3));
+      process.exitCode = cmdBrain(brainArgs);
+    }
     break;
   }
   case 'billing:setup':

package/commands/dashboard.md

@@ -0,0 +1,15 @@
+---
+name: dashboard
+description: Open the local HTTP dashboard for the current project in your web browser.
+---
+
+# Open Dashboard
+
+Open the local HTTP dashboard for the current project in your web browser.
+
+## Instructions
+Execute the following command in the project directory to open the browser dashboard scoped to the current repository:
+```bash
+thumbgate-dashboard
+```
+

package/commands/thumbgate-dashboard.md

@@ -0,0 +1,15 @@
+---
+name: thumbgate-dashboard
+description: Open the local HTTP dashboard for the current project in your web browser.
+---
+
+# Open Scoped ThumbGate Dashboard
+
+Open the local HTTP dashboard for the current project in your web browser.
+
+## Instructions
+Execute the following command in the project directory to open the browser dashboard:
+```bash
+thumbgate-dashboard
+```
+

package/config/gates/claim-verification.json

@@ -24,6 +24,12 @@
       "requiredActions": ["on_device_verified"],
       "message": "You claimed on-device verification without evidence. Capture the proof first, then call track_action('on_device_verified').",
       "createdAt": 1774972800000
+    },
+    {
+      "pattern": "(github|repo|repository).*(about|metadata|description|topics?).*(updated|verified|fixed|match(?:es|ed)?)|(about|metadata|description|topics?).*(updated|verified|fixed|match(?:es|ed)?).*(github|repo|repository)",
+      "requiredActions": ["github_metadata_verified"],
+      "message": "You claimed GitHub repository metadata was updated or verified without source-of-truth evidence. Read it back with gh api/gh repo view and rendered HTML, then call track_action('github_metadata_verified').",
+      "createdAt": 1780677400000
     }
   ]
 }

package/config/post-deploy-marketing-pages.json

@@ -51,6 +51,11 @@
       "route": "/sitemap.xml",
       "sentinel": "<urlset",
       "description": "XML sitemap for search-engine discoverability"
+    },
+    {
+      "route": "/about",
+      "sentinel": "Igor Ganapolsky",
+      "description": "About page for GEO discoverability"
     }
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate",
-  "version": "1.27.4",
+  "version": "1.27.6",
   "description": "ThumbGate self-improving agent governance: thumbs-up/down turns every mistake into a prevention rule and blocks repeat patterns. 36 pre-action checks, budget enforcement, and self-protection for Claude Code, Cursor, Codex, Gemini CLI, and Amp.",
   "homepage": "https://thumbgate.ai",
   "repository": {
@@ -222,6 +222,8 @@
     "scripts/workspace-evolver.js",
     "scripts/xmemory-lite.js",
     ".claude-plugin/plugin.json",
+    ".claude/commands/",
+    "commands/",
     ".well-known/",
     "LICENSE",
     "README.md",
@@ -359,7 +361,7 @@
     "social:prospect:bluesky:dry": "node scripts/social-bluesky-prospecting.js --dry-run",
     "social:reply-publish:bluesky:dry": "node scripts/social-reply-monitor-bluesky.js --publish-approved --dry-run",
     "test:python": "python3 -m pytest tests/*.py",
-    "test": "npm run test:python && npm run test:schema && npm run test:loop && npm run test:dpo && npm run test:kto && npm run test:api && npm run test:proof && npm run test:e2e && npm run test:rlaif && npm run test:attribution && npm run test:quality && npm run test:intelligence && npm run test:training-export && npm run test:deployment && npm run test:operational-integrity && npm run test:workflow && npm run test:billing && npm run test:cli && npm run test:watcher && npm run test:autoresearch && npm run test:ops && npm run test:session-analyzer && npm run test:tessl && npm run test:gates && npm run test:evoskill && npm run test:gates-hardening && npm run test:workers && npm run test:social-analytics && npm run test:memalign && npm run test:xmemory-lite && npm run test:filesystem-search && npm run test:zernio && npm run test:platform-limits && npm run test:post-video && npm run test:post-everywhere-instagram && npm run test:post-everywhere-channels && npm run test:post-everywhere-zernio-default && npm run test:zernio-canonical-pollers && npm run test:zernio-status && npm run test:obsidian-export && npm run test:lesson-db && npm run test:lesson-rotation && npm run test:memory-dedup && npm run test:feedback-quality && npm run test:sync-version && npm run test:check-congruence && npm run test:tool-registry && npm run test:repeat-metric && npm run test:noop-detect && npm run test:action-receipts && npm run test:feedback-to-rules && npm run test:memory-firewall && npm run test:memory-scope-readiness && npm run test:belief-update && npm run test:hosted-config && npm run test:operational-summary && npm run test:operational-dashboard && npm run test:operator-artifacts && npm run test:operator-key-auth && npm run test:cloudflare-sandbox && npm run test:mcp-config && npm run test:mcp-tool-annotations && npm run test:mcp-oauth && npm run test:mcp-oauth-flow && npm run test:plan-gate && npm run test:pulse && npm run test:semantic-layer && npm run test:data-pipeline && npm run test:optimize-context && npm run test:principle-extractor && npm run test:analytics-window && npm run test:funnel-analytics && npm run test:experiment-tracker && npm run test:build-metadata && npm run test:context-engine && npm run test:hf-papers && npm run test:marketing-experiment && npm run test:seo-gsd && npm run test:verify-run && npm run test:export-dpo-pairs && npm run test:export-hf-dataset && npm run test:license && npm run test:bot-detector && npm run test:audit-pr-bot-contamination && npm run test:stripe-bootstrap-saas-catalog && npm run test:postinstall && npm run test:funnel-invariants && npm run test:cli-telemetry && npm run test:pro-parity && npm run test:model-tier-router && npm run test:computer-use-firewall && npm run test:skill-exporter && npm run test:statusline && npm run test:evolution && npm run test:org-dashboard && npm run test:multi-hop-recall && npm run test:synthetic-dpo && npm run test:thumbgate-skill && npm run test:learn-hub && npm run test:feedback-fallback && npm run test:metaclaw && npm run test:server-lock && npm run test:control-tower && npm run test:pii-scanner && npm run test:data-governance && npm run test:lesson-inference && npm run test:semantic-dedup && npm run test:fs-utils && npm run test:cli-schema && npm run test:explore && npm run test:lesson-reranker && npm run test:lesson-retrieval && npm run test:lesson-semantic-retrieval && npm run test:cross-encoder && npm run test:reflector-agent && npm run test:feedback-session && npm run test:feedback-history-distiller && npm run test:hallucination-detector && npm run test:history-distiller && npm run test:predictive-insights && npm run test:predictive-credible-range && npm run test:prove-predictive-insights && npm run test:statusbar-cli && npm run test:generate-instagram-card && npm run test:instagram-thumbgate-post && npm run test:publish-instagram-thumbgate && npm run test:lesson-synthesis && npm run test:lesson-canonical && npm run test:background-governance && npm run test:memory-migration && npm run test:prompt-dlp && npm run test:ephemeral-store && npm run test:agent-security && npm run test:skill-progressive && npm run test:per-step-scoring && npm run test:weekly-auto-post && npm run test:social-post-hourly && npm run test:social-quality-gate && npm run test:a2ui-engine && npm run test:gate-satisfy && npm run test:money-watcher && npm run test:budget && npm run test:quick-start && npm run test:utm && npm run test:product-feedback && npm run test:feedback-root-consolidator && npm run test:engagement-audit && npm run test:install-growth-automation && npm run test:publish-thumbgate-launch && npm run test:community-course-platform-launch-kit && npm run test:reconcile-thumbgate-campaign && npm run test:reddit-publisher && npm run test:schedule-thumbgate-campaign && npm run test:social-reply-monitor && npm run test:social-dedupe-cleanup && npm run test:sync-launch-assets && npm run test:ai-search-visibility && npm run test:perplexity && npm run test:security-scanner && npm run test:llm-client && npm run test:managed-lesson-agent && npm run test:self-distill && npm run test:meta-agent && npm run test:harness-selector && npm run test:thumbgate-bench && npm run test:seo-guides && npm run test:enforcement-loop && npm run test:cli-agent-experience && npm run test:bot-detection && npm run test:checkout-archived-product-guard && npm run test:postgres-guard && npm run test:checkout-bot-guard && npm run test:checkout-pro-confirmation-gate && npm run test:session-health && npm run test:session-episodes && npm run test:spec-gate && npm run test:decision-trace && npm run test:dashboard-insights && npm run test:telemetry-tracked-link-slug && npm run test:prompt-eval && npm run test:demo-voiceover && npm run test:gate-coherence && npm run test:gate-eval && npm run test:ai-component-inventory && npm run test:high-roi && npm run test:public-static-assets && npm run test:token-savings && npm run test:numbers-page && npm run test:workflow-gate-checkpoint && npm run test:lesson-export-import && npm run test:landing-page-claims && npm run test:competitive-positioning-marketing && npm run test:medium-weekly && npm run test:dashboard-deeplink-e2e && npm run test:public-package-parity && npm run test:token-savings-dashboard && npm run test:cursor-wiring && npm run test:pretooluse-injection && npm run test:recent-corrective-context && npm run test:durability-step && npm run test:mailer && npm run test:brand-assets && npm run test:enforcement-teeth && npm run test:bayes-optimal-gate && npm run test:swarm-coordinator && npm run test:session-report && npm run test:agent-reasoning-traces && npm run test:judge-reward && npm run test:llm-behavior-monitor && npm run test:prompting-os && npm run test:single-use-credential-gate && npm run test:structured-prompt-driven && npm run test:require-evidence-gate && npm run test:rule-validator && npm run test:bluesky-atproto && npm run test:social-reply-monitor-bluesky && npm run test:bluesky-delete-replies && npm run test:architect-kit-memory-bridge && npm run test:sonar-review-hotspots && npm run test:actionable-remediations && npm run test:gemini-embedding-policy && npm run test:agent-design-governance && npm run test:public-core-boundary && npm run test:hook-stop-verify-deploy && npm run test:hook-stop-anti-claim && npm run test:plausible-server-events && npm run test:activation-tracker && npm run test:unified-revenue-rollup && npm run test:conversion-rate-stats && npm run test:external-customer-audit && npm run test:telemetry-export && npm run test:stripe-checkout-diagnostic && npm run test:stripe-business-identity-probe && npm run test:revenue-observability-doctor && npm run test:public-bundle-ratchet && npm run test:stripe-payment-link-update && npm run test:ci-cd-hygiene-audit && npm run test:verify-marketing-pages-deployed && npm run test:install-email-capture && npm run test:install-shim && npm run test:hook-runtime-subcommands && npm run test:implementation-notes && npm run test:daily-block-cap && npm run test:free-to-paid-conversion-units && npm run test:metrics-real-endpoint && npm run test:cli-trial-and-help && npm run test:cost-cli && npm run test:silent-failure-cluster && npm run test:proof:truth && node --test tests/adaptive-reliability.test.js && npm run test:mcp-oauth-reviewer && npm run test:dfcx-gate && npm run test:dfcx-gate-server && npm run test:vertex-scorer && npm run test:dashboard-chat && npm run test:gitar-integration",
+    "test": "npm run test:python && npm run test:schema && npm run test:loop && npm run test:dpo && npm run test:kto && npm run test:api && npm run test:proof && npm run test:e2e && npm run test:rlaif && npm run test:attribution && npm run test:quality && npm run test:intelligence && npm run test:training-export && npm run test:deployment && npm run test:operational-integrity && npm run test:workflow && npm run test:billing && npm run test:cli && npm run test:watcher && npm run test:autoresearch && npm run test:ops && npm run test:session-analyzer && npm run test:tessl && npm run test:gates && npm run test:evoskill && npm run test:gates-hardening && npm run test:workers && npm run test:social-analytics && npm run test:memalign && npm run test:xmemory-lite && npm run test:filesystem-search && npm run test:zernio && npm run test:platform-limits && npm run test:post-video && npm run test:post-everywhere-instagram && npm run test:post-everywhere-channels && npm run test:post-everywhere-zernio-default && npm run test:zernio-canonical-pollers && npm run test:zernio-status && npm run test:obsidian-export && npm run test:lesson-db && npm run test:lesson-rotation && npm run test:memory-dedup && npm run test:feedback-quality && npm run test:sync-version && npm run test:check-congruence && npm run test:tool-registry && npm run test:repeat-metric && npm run test:noop-detect && npm run test:action-receipts && npm run test:feedback-to-rules && npm run test:memory-firewall && npm run test:memory-scope-readiness && npm run test:belief-update && npm run test:hosted-config && npm run test:operational-summary && npm run test:operational-dashboard && npm run test:operator-artifacts && npm run test:operator-key-auth && npm run test:cloudflare-sandbox && npm run test:mcp-config && npm run test:mcp-tool-annotations && npm run test:mcp-oauth && npm run test:mcp-oauth-flow && npm run test:plan-gate && npm run test:ai-component-inventory && npm run test:pulse && npm run test:semantic-layer && npm run test:data-pipeline && npm run test:optimize-context && npm run test:principle-extractor && npm run test:analytics-window && npm run test:funnel-analytics && npm run test:experiment-tracker && npm run test:build-metadata && npm run test:context-engine && npm run test:hf-papers && npm run test:marketing-experiment && npm run test:seo-gsd && npm run test:verify-run && npm run test:export-dpo-pairs && npm run test:export-hf-dataset && npm run test:license && npm run test:bot-detector && npm run test:audit-pr-bot-contamination && npm run test:stripe-bootstrap-saas-catalog && npm run test:postinstall && npm run test:funnel-invariants && npm run test:cli-telemetry && npm run test:pro-parity && npm run test:model-tier-router && npm run test:computer-use-firewall && npm run test:skill-exporter && npm run test:statusline && npm run test:evolution && npm run test:org-dashboard && npm run test:multi-hop-recall && npm run test:synthetic-dpo && npm run test:thumbgate-skill && npm run test:learn-hub && npm run test:feedback-fallback && npm run test:metaclaw && npm run test:server-lock && npm run test:control-tower && npm run test:pii-scanner && npm run test:data-governance && npm run test:lesson-inference && npm run test:semantic-dedup && npm run test:fs-utils && npm run test:cli-schema && npm run test:explore && npm run test:lesson-reranker && npm run test:lesson-retrieval && npm run test:lesson-semantic-retrieval && npm run test:cross-encoder && npm run test:reflector-agent && npm run test:feedback-session && npm run test:feedback-history-distiller && npm run test:hallucination-detector && npm run test:history-distiller && npm run test:predictive-insights && npm run test:predictive-credible-range && npm run test:prove-predictive-insights && npm run test:statusbar-cli && npm run test:generate-instagram-card && npm run test:instagram-thumbgate-post && npm run test:publish-instagram-thumbgate && npm run test:lesson-synthesis && npm run test:lesson-canonical && npm run test:background-governance && npm run test:memory-migration && npm run test:prompt-dlp && npm run test:ephemeral-store && npm run test:agent-security && npm run test:skill-progressive && npm run test:per-step-scoring && npm run test:weekly-auto-post && npm run test:social-post-hourly && npm run test:social-quality-gate && npm run test:a2ui-engine && npm run test:gate-satisfy && npm run test:money-watcher && npm run test:budget && npm run test:quick-start && npm run test:utm && npm run test:product-feedback && npm run test:feedback-root-consolidator && npm run test:engagement-audit && npm run test:install-growth-automation && npm run test:publish-thumbgate-launch && npm run test:community-course-platform-launch-kit && npm run test:reconcile-thumbgate-campaign && npm run test:reddit-publisher && npm run test:schedule-thumbgate-campaign && npm run test:social-reply-monitor && npm run test:social-dedupe-cleanup && npm run test:sync-launch-assets && npm run test:ai-search-visibility && npm run test:perplexity && npm run test:security-scanner && npm run test:llm-client && npm run test:managed-lesson-agent && npm run test:self-distill && npm run test:meta-agent && npm run test:harness-selector && npm run test:thumbgate-bench && npm run test:seo-guides && npm run test:enforcement-loop && npm run test:cli-agent-experience && npm run test:bot-detection && npm run test:checkout-archived-product-guard && npm run test:postgres-guard && npm run test:checkout-bot-guard && npm run test:checkout-pro-confirmation-gate && npm run test:session-health && npm run test:session-episodes && npm run test:spec-gate && npm run test:decision-trace && npm run test:dashboard-insights && npm run test:telemetry-tracked-link-slug && npm run test:prompt-eval && npm run test:demo-voiceover && npm run test:gate-coherence && npm run test:gate-eval && npm run test:high-roi && npm run test:public-static-assets && npm run test:token-savings && npm run test:numbers-page && npm run test:workflow-gate-checkpoint && npm run test:lesson-export-import && npm run test:landing-page-claims && npm run test:competitive-positioning-marketing && npm run test:medium-weekly && npm run test:dashboard-deeplink-e2e && npm run test:public-package-parity && npm run test:token-savings-dashboard && npm run test:cursor-wiring && npm run test:pretooluse-injection && npm run test:recent-corrective-context && npm run test:durability-step && npm run test:mailer && npm run test:brand-assets && npm run test:enforcement-teeth && npm run test:bayes-optimal-gate && npm run test:swarm-coordinator && npm run test:session-report && npm run test:agent-reasoning-traces && npm run test:judge-reward && npm run test:llm-behavior-monitor && npm run test:prompting-os && npm run test:single-use-credential-gate && npm run test:structured-prompt-driven && npm run test:require-evidence-gate && npm run test:rule-validator && npm run test:bluesky-atproto && npm run test:social-reply-monitor-bluesky && npm run test:bluesky-delete-replies && npm run test:architect-kit-memory-bridge && npm run test:sonar-review-hotspots && npm run test:actionable-remediations && npm run test:gemini-embedding-policy && npm run test:agent-design-governance && npm run test:public-core-boundary && npm run test:hook-stop-verify-deploy && npm run test:hook-stop-anti-claim && npm run test:plausible-server-events && npm run test:activation-tracker && npm run test:unified-revenue-rollup && npm run test:conversion-rate-stats && npm run test:external-customer-audit && npm run test:telemetry-export && npm run test:stripe-checkout-diagnostic && npm run test:stripe-business-identity-probe && npm run test:revenue-observability-doctor && npm run test:public-bundle-ratchet && npm run test:stripe-payment-link-update && npm run test:ci-cd-hygiene-audit && npm run test:verify-marketing-pages-deployed && npm run test:install-email-capture && npm run test:install-shim && npm run test:hook-runtime-subcommands && npm run test:implementation-notes && npm run test:daily-block-cap && npm run test:free-to-paid-conversion-units && npm run test:metrics-real-endpoint && npm run test:cli-trial-and-help && npm run test:cost-cli && npm run test:silent-failure-cluster && npm run test:proof:truth && node --test tests/adaptive-reliability.test.js && npm run test:mcp-oauth-reviewer && npm run test:dfcx-gate && npm run test:dfcx-gate-server && npm run test:vertex-scorer && npm run test:dashboard-chat && npm run test:gitar-integration",
     "test:hook-stop-verify-deploy": "node --test tests/hook-stop-verify-deploy.test.js",
     "test:hook-stop-anti-claim": "node --test tests/hook-stop-anti-claim.test.js",
     "test:plausible-server-events": "node --test tests/plausible-server-events.test.js tests/plausible-poller.test.js tests/plausible-domain-config.test.js",

package/public/dashboard.html

@@ -9,6 +9,7 @@
 <link rel="icon" type="image/png" href="/thumbgate-icon.png">
 <link rel="apple-touch-icon" href="/assets/brand/thumbgate-mark.svg">
 <meta name="robots" content="noindex">
+<meta name="referrer" content="same-origin">
 <!-- Privacy-friendly analytics by Plausible -->
 <script defer data-domain="thumbgate-production.up.railway.app" src="https://plausible.io/js/script.js"></script>
 <script type="application/ld+json">
@@ -872,7 +873,10 @@ async function connect(options) {
       tierName = data.tier;
     }
     
-    if (data.geminiKeyStatus === 'validated' || data.geminiValidatedAt) {
+    if (data.localLlmConfigured) {
+      var modelLabel = data.localLlmModel ? ' (' + data.localLlmModel + ')' : '';
+      document.getElementById('chatHint').innerHTML = '<span style="color:var(--green)">✓ Local LLM' + modelLabel + ' ready. Chat answers are generated locally — no cloud calls.</span>';
+    } else if (data.geminiKeyStatus === 'validated' || data.geminiValidatedAt) {
       var when = data.geminiValidatedAt ? ' (validated ' + new Date(data.geminiValidatedAt).toLocaleTimeString() + ')' : '';
       document.getElementById('chatHint').innerHTML = '<span style="color:var(--green)">✓ Gemini API key validated' + when + '. You can now chat with your data.</span>';
     } else if (data.perplexityConfigured) {

package/public/index.html

@@ -20,7 +20,7 @@ __GOOGLE_SITE_VERIFICATION_META__
 <meta property="og:image" content="https://thumbgate.ai/og.png">
 <meta name="twitter:card" content="summary_large_image">
 <meta name="twitter:image" content="https://thumbgate.ai/og.png">
-<meta name="thumbgate-version" content="1.27.4">
+<meta name="thumbgate-version" content="1.27.6">
 <meta name="keywords" content="ThumbGate, thumbgate, AI agent orchestration, AI experience orchestration, agentic development cycle, AC/DC framework, Guide Generate Verify Solve, agent enforcement layer, save LLM tokens, reduce Claude API cost, reduce OpenAI cost, AI agent token savings, prevent LLM retries, prevent hallucination retries, stop AI token waste, pre-action checks, agent governance, Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode, workflow hardening, context engineering, AI authenticity, brand authenticity AI">
 <link rel="canonical" href="__APP_ORIGIN__/">
 <link rel="alternate" type="text/markdown" title="ThumbGate LLM context" href="__APP_ORIGIN__/llm-context.md">
@@ -1676,7 +1676,7 @@ __GA_BOOTSTRAP__
       <a href="https://www.linkedin.com/in/igorganapolsky" target="_blank" rel="noopener">LinkedIn</a>
       <a href="/blog">Blog</a>
     </div>
-    <span class="footer-copy">© 2026 ThumbGate · MIT License · npm v1.27.4</span>
+    <span class="footer-copy">© 2026 ThumbGate · MIT License · npm v1.27.6</span>
   </div>
 </footer>
 

package/public/learn.html

@@ -112,6 +112,12 @@
         "url": "https://thumbgate.ai/learn/from-prototype-to-production",
         "name": "From git init to v1.17.0 in 70 days: an honest ThumbGate build log"
       },
+      {
+        "@type": "ListItem",
+        "position": 13,
+        "url": "https://thumbgate.ai/learn/pretix-stripe-connect-marketplaces",
+        "name": "Building a Pretix + Stripe Connect Plugin for Live-Music Venues"
+      },
       {
         "@type": "ListItem",
         "position": 7,
@@ -404,6 +410,14 @@
       <span class="article-tag">Indie SaaS</span>
       <span class="article-tag">Shipping in Public</span>
     </a>
+
+    <a href="/learn/pretix-stripe-connect-marketplaces" class="article-card">
+      <h3>Building a Pretix + Stripe Connect Plugin for Live-Music Venues</h3>
+      <p>How to design a multi-venue Stripe Connect ticketing plugin on Pretix, keeping venues as Merchant of Record without messy platform-fee tax reporting.</p>
+      <span class="article-tag">Stripe Connect</span>
+      <span class="article-tag">Pretix</span>
+      <span class="article-tag">Case Study</span>
+    </a>
   </div>
 
   <h2>Popular buyer questions</h2>

package/public/numbers.html

@@ -25,7 +25,7 @@
   "alternateName": "thumbgate",
   "applicationCategory": "DeveloperApplication",
   "operatingSystem": "Cross-platform, Node.js >=18.18.0",
-  "softwareVersion": "1.27.4",
+  "softwareVersion": "1.27.6",
   "url": "https://thumbgate.ai/numbers",
   "dateModified": "2026-05-07",
   "creator": {
@@ -202,7 +202,7 @@
 <main class="container">
   <h1>The Numbers</h1>
   <p class="subtitle">Generated first-party operational snapshot from the ThumbGate runtime. This is not customer traction, install volume, revenue, or proof that a configured gate has fired.</p>
-  <div class="freshness">Updated: 2026-05-07 · Version 1.27.4</div>
+  <div class="freshness">Updated: 2026-05-07 · Version 1.27.6</div>
   <div class="truth-note"><strong>Read this first:</strong> configured checks are inventory. Recorded blocks and warnings are usage evidence. This snapshot currently reports 0 recorded hard-block event(s) and 0 recorded warning event(s).</div>
 
   <h2>Gate enforcement</h2>

package/scripts/billing.js

@@ -139,6 +139,10 @@ const IS_TEST = !!(
   process.env.NODE_ENV === 'test'
 );
 
+function allowUnsignedStripeWebhooks() {
+  return IS_TEST && process.env.THUMBGATE_ALLOW_UNSIGNED_STRIPE_WEBHOOKS === '1';
+}
+
 function shouldMergeLegacyBillingData() {
   return process.env._TEST_INCLUDE_LEGACY_BILLING_DATA === '1'
     || process.env.THUMBGATE_INCLUDE_LEGACY_BILLING_DATA === '1';
@@ -2901,7 +2905,7 @@ function disableCustomerKeys(customerId) {
 }
 
 function verifyWebhookSignature(rawBody, signature) {
-  if (!CONFIG.STRIPE_WEBHOOK_SECRET) return true;
+  if (!CONFIG.STRIPE_WEBHOOK_SECRET) return allowUnsignedStripeWebhooks();
   if (!signature || !rawBody) return false;
 
   // Stripe signature format: t=<timestamp>,v1=<hmac>,...
@@ -2931,6 +2935,13 @@ function verifyWebhookSignature(rawBody, signature) {
 
 async function handleWebhook(rawBody, signature) {
   if (LOCAL_MODE()) return { handled: false, reason: 'local_mode' };
+  if (!CONFIG.STRIPE_WEBHOOK_SECRET && !allowUnsignedStripeWebhooks()) {
+    return {
+      handled: false,
+      reason: 'invalid_signature',
+      error: 'STRIPE_WEBHOOK_SECRET is required before Stripe webhooks can be processed.',
+    };
+  }
   let event;
   try {
     if (CONFIG.STRIPE_WEBHOOK_SECRET) {

package/scripts/cli-schema.js

@@ -94,6 +94,25 @@ const CLI_COMMANDS = [
       { name: 'remote',   type: 'boolean', description: 'Fetch from hosted Railway instance' },
     ],
   },
+  {
+    name: 'brain',
+    aliases: ['customer-brain', 'repo-brain'],
+    description: 'Scaffold, query, or build the governed customer/repo context brain',
+    group: 'discovery',
+    flags: [
+      { name: 'json',       type: 'boolean', description: 'Output as JSON' },
+      { name: 'task',       type: 'string',  description: 'Task description for routed context loading' },
+      { name: 'type',       type: 'string',  description: 'Memory type for remember: decision | pattern | feedback | log' },
+      { name: 'title',      type: 'string',  description: 'Title for a sourced memory entry' },
+      { name: 'content',    type: 'string',  description: 'Body for a sourced memory entry' },
+      { name: 'source',     type: 'string',  description: 'Required provenance for factual memory writes' },
+      { name: 'tags',       type: 'string',  description: 'Comma-separated memory tags' },
+      { name: 'text',       type: 'string',  description: 'Text/action to check against never-do rules' },
+      { name: 'stale-days', type: 'number',  description: 'Age threshold for cleanup report (default 60)' },
+      { name: 'write',      type: 'boolean', description: 'Save to .thumbgate/BRAIN.md (versioned, deterministic)' },
+      { name: 'limit',      type: 'number',  description: 'Max lessons to include (default 15)' },
+    ],
+  },
   {
     name: 'stats',
     description: 'Feedback analytics — approval rate, Revenue-at-Risk, recent trend',
@@ -617,16 +636,7 @@ const CLI_COMMANDS = [
       { name: 'info',    type: 'boolean', description: 'Show Pro feature list' },
     ],
   },
-  {
-    name: 'brain',
-    description: 'Build the agent-readable context brain (lessons + rules + gates + project context)',
-    group: 'ops',
-    flags: [
-      { name: 'write', type: 'boolean', description: 'Save to .thumbgate/BRAIN.md (versioned, deterministic)' },
-      { name: 'limit', type: 'number',  description: 'Max lessons to include (default 15)' },
-      { name: 'json',  type: 'boolean', description: 'Output the structured model as JSON' },
-    ],
-  },
+
   {
     name: 'workflow',
     aliases: ['swarm'],

package/scripts/dashboard-chat.js

@@ -129,6 +129,45 @@ async function retrieveVectorContext(question, opts = {}) {
   }
 }
 
+// Live numeric snapshot from gate-stats + feedback analyzer. Always injected
+// (~120 tokens) so the LLM can answer count/quantity questions like
+// "how many were blocked today" without hallucinating.
+function retrieveMetricsContext() {
+  const snapshot = {};
+  try {
+    const gs = require(path.join(__dirname, 'gate-stats'));
+    const s = gs.calculateStats();
+    snapshot.gates = {
+      total: s.totalGates,
+      blockRules: s.blockGates,
+      warnRules: s.warnGates,
+      totalBlockedEvents: s.totalBlocked,
+      totalWarnedEvents: s.totalWarned,
+      estimatedHoursSaved: s.estimatedHoursSaved,
+      topBlockedTrigger: s.topBlocked?.trigger || null,
+      topBlockedOccurrences: s.topBlocked?.occurrences || 0,
+    };
+  } catch (err) {
+    debugChatFallback('gate-stats unavailable', err);
+  }
+  try {
+    const fl = require(path.join(__dirname, 'feedback-loop'));
+    const a = fl.analyzeFeedback();
+    snapshot.feedback = {
+      total: a.total,
+      positive: a.totalPositive,
+      negative: a.totalNegative,
+      approvalRate: a.approvalRate,
+      last7d: a.windows?.['7d'],
+      last30d: a.windows?.['30d'],
+      trend: a.trend,
+    };
+  } catch (err) {
+    debugChatFallback('feedback-loop analyze unavailable', err);
+  }
+  return snapshot;
+}
+
 // Retrieve relevant stored lessons and optional raw feedback vector matches.
 async function retrieveContext(question, opts = {}) {
   const lessons = retrieveLessonContext(question, opts);
@@ -137,7 +176,7 @@ async function retrieveContext(question, opts = {}) {
 }
 
 // Build a grounded RAG prompt. Pure function (testable).
-function buildChatPrompt(question, lessons) {
+function buildChatPrompt(question, lessons, metrics) {
   const q = String(question || '').slice(0, MAX_QUESTION_CHARS).trim();
   const context = (lessons || []).map((l, i) => {
     const mark = /pos|up/i.test(l.signal) ? 'WORKED' : (/neg|down/i.test(l.signal) ? 'MISTAKE' : 'NOTE');
@@ -145,14 +184,19 @@ function buildChatPrompt(question, lessons) {
     return `(${i + 1}) [${mark}] ${l.title || ''}${tags}\n    ${l.content}`;
   }).join('\n');
 
+  const metricsBlock = metrics && Object.keys(metrics).length
+    ? `\n=== Live numeric snapshot (your data, current) ===\n${JSON.stringify(metrics, null, 2)}\n`
+    : '';
+
   const system = [
     'You are ThumbGate\'s "chat with your data" assistant. Answer the user\'s question',
-    'using ONLY the captured lessons below (this team\'s real feedback history).',
-    'Be concise and specific. Cite the lesson numbers you used like [1], [3].',
-    'If the lessons do not contain the answer, say so plainly — do not invent facts.',
+    'using ONLY the captured lessons and the live numeric snapshot below (this team\'s real data).',
+    'For count/quantity questions ("how many X", "what\'s our rate"), use the numeric snapshot.',
+    'For pattern/why questions, cite the lesson numbers like [1], [3].',
+    'If neither source contains the answer, say so plainly — do not invent facts.',
   ].join(' ');
 
-  return `${system}\n\n=== Captured lessons (your data) ===\n${context || '(no relevant lessons found)'}\n\n=== Question ===\n${q}`;
+  return `${system}\n\n=== Captured lessons (your data) ===\n${context || '(no relevant lessons found)'}\n${metricsBlock}\n=== Question ===\n${q}`;
 }
 
 // Parse the Gemini generateContent response into plain text. Pure (testable).
@@ -263,7 +307,8 @@ async function answerDataQuestion(question, opts = {}) {
   }
 
   const model = resolveModel(opts.model);
-  const prompt = buildChatPrompt(q, lessons);
+  const metrics = retrieveMetricsContext();
+  const prompt = buildChatPrompt(q, lessons, metrics);
   const fetchImpl = opts.fetch || globalThis.fetch;
   const isPerplexity = apiKey && (apiKey.startsWith('pplx-') || apiKey.includes('perplexity'));
 

package/scripts/dashboard.js

@@ -449,13 +449,9 @@ function computeGateAuditSeries(feedbackDir, options = {}) {
     const dayKey = toLocalDayKey(entry.timestamp);
     if (!dayKey) continue;
     if (!countsByDay.has(dayKey)) {
-      countsByDay.set(dayKey, { allow: 0, deny: 0, warn: 0, byGate: {} });
-    }
-    const bucket = countsByDay.get(dayKey);
-    bucket[entry.decision] += 1;
-    if ((entry.decision === 'deny' || entry.decision === 'warn') && entry.gateId) {
-      bucket.byGate[entry.gateId] = (bucket.byGate[entry.gateId] || 0) + 1;
+      countsByDay.set(dayKey, { allow: 0, deny: 0, warn: 0 });
     }
+    countsByDay.get(dayKey)[entry.decision] += 1;
   }
 
   const days = [];
@@ -465,7 +461,7 @@ function computeGateAuditSeries(feedbackDir, options = {}) {
     const day = new Date(today);
     day.setDate(today.getDate() - offset);
     const dayKey = toLocalDayKey(day);
-    const record = countsByDay.get(dayKey) || { allow: 0, deny: 0, warn: 0, byGate: {} };
+    const record = countsByDay.get(dayKey) || { allow: 0, deny: 0, warn: 0 };
     const intercepted = record.deny + record.warn;
     const total = intercepted + record.allow;
     const summary = {
@@ -475,7 +471,6 @@ function computeGateAuditSeries(feedbackDir, options = {}) {
       warn: record.warn,
       intercepted,
       total,
-      byGate: record.byGate || {},
     };
     totals.allow += record.allow;
     totals.deny += record.deny;
@@ -530,14 +525,7 @@ function computePreventionImpact(feedbackDir, gateStats) {
   // Last auto-promotion
   const autoGates = readJsonFile(autoGatesPath);
   let lastPromotion = null;
-  let promotionsToday = 0;
-  let promotionIdsToday = [];
   if (autoGates && Array.isArray(autoGates.promotionLog) && autoGates.promotionLog.length > 0) {
-    const todayKey = toLocalDayKey(new Date());
-    promotionIdsToday = autoGates.promotionLog
-      .filter((p) => p && p.timestamp && toLocalDayKey(p.timestamp) === todayKey)
-      .map((p) => p.gateId || p.id || 'unknown');
-    promotionsToday = promotionIdsToday.length;
     const sorted = autoGates.promotionLog
       .filter((p) => p.timestamp)
       .sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());
@@ -552,8 +540,6 @@ function computePreventionImpact(feedbackDir, gateStats) {
     estimatedHoursSaved,
     ruleCount,
     lastPromotion,
-    promotionsToday,
-    promotionIdsToday: promotionIdsToday.slice(0, 5),
   };
 }
 
@@ -2096,6 +2082,7 @@ module.exports = {
   computeObservabilityStats,
   readJSONL,
   readJsonFile,
+  collectAllFeedbackEntries,
 };
 
 if (require.main === module) {

package/scripts/feedback-loop.js

@@ -56,6 +56,90 @@ const {
 
 const AUDIT_TRAIL_TAG = 'audit-trail';
 
+/**
+ * Anonymous fire-and-forget CLI feedback telemetry.
+ *
+ * Pings the hosted /v1/telemetry/ping endpoint exactly once per successful
+ * local feedback capture so the dashboard can measure CLI-side lesson volume.
+ *
+ * Hard contract (do NOT widen without explicit approval):
+ *   - ONE event type: `feedback_captured`
+ *   - Payload: { installId, signal: 'up'|'down', tier, ts } only.
+ *     No context strings, tags, file paths, or content of any kind.
+ *   - Opt-out: THUMBGATE_DISABLE_TELEMETRY=1 (or 'true') short-circuits
+ *     immediately. Legacy THUMBGATE_NO_TELEMETRY=1 / DO_NOT_TRACK=1 are
+ *     also honored for parity with cli-telemetry.js.
+ *   - Fire-and-forget: NEVER await this call. Errors are swallowed.
+ *   - 2-second timeout via AbortSignal.timeout.
+ */
+function emitAnonymousFeedbackPing(signal) {
+  try {
+    const env = process.env || {};
+    if (
+      env.THUMBGATE_DISABLE_TELEMETRY === '1' ||
+      env.THUMBGATE_DISABLE_TELEMETRY === 'true' ||
+      env.THUMBGATE_NO_TELEMETRY === '1' ||
+      env.DO_NOT_TRACK === '1'
+    ) {
+      return;
+    }
+
+    const normalizedSignal = signal === 'positive' ? 'up' : signal === 'negative' ? 'down' : null;
+    if (!normalizedSignal) return;
+
+    // Reuse the canonical installId from cli-telemetry.js (persisted at
+    // ~/.thumbgate/install-id). Falls back to a fresh UUID if that module
+    // is unavailable — better to ship an event we can dedup on the server
+    // than to drop the ping entirely.
+    let installId = null;
+    try {
+      const { getInstallId } = require('./cli-telemetry');
+      installId = getInstallId();
+    } catch (_) { /* fall through */ }
+    if (!installId) {
+      try {
+        installId = require('crypto').randomUUID();
+      } catch (_) {
+        return; // no crypto, no install id → drop silently
+      }
+    }
+
+    let tier = 'free';
+    try {
+      const { getStatuslineMeta } = require('./statusline-meta');
+      const meta = getStatuslineMeta({ env });
+      const rawTier = String(meta && meta.tier ? meta.tier : 'free').toLowerCase();
+      if (rawTier === 'pro' || rawTier === 'enterprise' || rawTier === 'free') {
+        tier = rawTier;
+      }
+    } catch (_) { /* default to 'free' */ }
+
+    const base = env.THUMBGATE_PUBLIC_APP_ORIGIN
+      || env.THUMBGATE_API_URL
+      || 'https://thumbgate-production.up.railway.app';
+
+    const body = JSON.stringify({
+      eventType: 'feedback_captured',
+      clientType: 'cli',
+      installId,
+      signal: normalizedSignal,
+      tier,
+      ts: new Date().toISOString(),
+    });
+
+    // Fire-and-forget. No await. AbortSignal.timeout enforces the 2s cap.
+    if (typeof fetch !== 'function' || typeof AbortSignal === 'undefined' || typeof AbortSignal.timeout !== 'function') {
+      return;
+    }
+    fetch(`${base.replace(/\/+$/, '')}/v1/telemetry/ping`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body,
+      signal: AbortSignal.timeout(2000),
+    }).catch(() => { /* fire-and-forget */ });
+  } catch (_) { /* telemetry must never disrupt CLI */ }
+}
+
 function isAuditTrailEntry(entry = {}) {
   return Array.isArray(entry.tags) && entry.tags.includes(AUDIT_TRAIL_TAG);
 }
@@ -1113,6 +1197,7 @@ function captureFeedback(params) {
     summary.lastUpdated = now;
     saveSummary(summary);
     appendJSONL(FEEDBACK_LOG_PATH, feedbackEvent);
+    emitAnonymousFeedbackPing(signal);
     try { appendRejectionLedger(feedbackEvent, action.reason); } catch { /* non-critical */ }
     try {
       appendSequence(historyEntries, feedbackEvent, getFeedbackPaths(), { accepted: false });
@@ -1154,6 +1239,7 @@ function captureFeedback(params) {
       ...feedbackEvent,
       validationIssues: prepared.issues,
     });
+    emitAnonymousFeedbackPing(signal);
     try { appendRejectionLedger(feedbackEvent, `Schema validation failed: ${prepared.issues.join('; ')}`); } catch { /* non-critical */ }
     try {
       appendSequence(historyEntries, feedbackEvent, getFeedbackPaths(), { accepted: false });
@@ -1228,6 +1314,7 @@ function captureFeedback(params) {
   }
 
   appendJSONL(FEEDBACK_LOG_PATH, feedbackEvent);
+  emitAnonymousFeedbackPing(signal);
 
   // Synthesis: merge similar lessons instead of creating duplicates
   let synthesisResult = null;

package/scripts/gates-engine.js

@@ -1463,7 +1463,42 @@ function checkWhenClause(when, constraints) {
 }
 
 function matchGate(gate, toolName, toolInput = {}) {
-  const matchText = toolInput.command || toolInput.file_path || toolInput.path || '';
+  let matchText = toolInput.command || toolInput.file_path || toolInput.path || '';
+
+  // Claw/hybrid support: enrich matchText with claw metadata (for EnterpriseClaw/OpenShell/Perplexity hybrid agents)
+  const clawCtx = toolInput.clawContext || toolInput._claw || (toolInput.agentId ? {
+    actionType: toolInput.actionType || 'unknown',
+    agentId: toolInput.agentId || 'unknown',
+    hybridRoute: toolInput.hybridRoute || 'unknown',
+    screenInteraction: !!toolInput.screenInteraction,
+    fileAccess: !!toolInput.fileAccess,
+  } : null);
+
+  if (clawCtx) {
+    const actionType = clawCtx.actionType || clawCtx.claw_action_type || 'unknown';
+    const parts = [
+      matchText,
+      `claw_style: true`,
+      `agent_identity: ${clawCtx.agentId || 'unknown'}`,
+      `claw_action_type: ${actionType}`,
+      `hybrid_route: ${clawCtx.hybridRoute || 'unknown'}`,
+    ];
+
+    if (clawCtx.screenInteraction || actionType.includes('screen')) {
+      parts.push('screen_interaction');
+      parts.push('interact screen');
+    }
+    if (clawCtx.fileAccess || actionType.includes('file') || actionType.includes('fs')) {
+      parts.push('file_system_access');
+      parts.push('local device file system access');
+    }
+    if (actionType === 'dynamic-tool-creation' || actionType.includes('create-tool') || actionType.includes('define-tool')) {
+      parts.push('create tool');
+    }
+
+    matchText = parts.filter(Boolean).join(' | ');
+  }
+
   const affected = extractAffectedFiles(toolName, toolInput);
   const affectedFiles = affected.files;
   const repoRoot = affected.repoRoot;

package/scripts/hybrid-feedback-context.js

@@ -730,6 +730,7 @@ function evaluatePretool(toolName, toolInput, opts) {
 
   // Slow path: build live state (also used when compiled guards are stale)
   const state = buildHybridState({
+    feedbackDir: o.feedbackDir,
     feedbackLogPath: o.feedbackLogPath,
     attributedFeedbackPath: o.attributedFeedbackPath,
   });

package/scripts/plausible-domain-config.js

@@ -49,6 +49,17 @@ function resolvePlausibleDataDomain({ host = '', env = process.env } = {}) {
     return normalizedHost;
   }
 
+  // Prevent local/loopback traffic from mapping to the production Plausible site domain
+  const isLocal = normalizedHost === 'localhost' ||
+                  normalizedHost === '127.0.0.1' ||
+                  normalizedHost === '::1' ||
+                  normalizedHost.endsWith('.local') ||
+                  normalizedHost.startsWith('192.168.') ||
+                  normalizedHost.startsWith('10.');
+  if (isLocal) {
+    return 'localhost';
+  }
+
   return FALLBACK_REGISTERED_PLAUSIBLE_DOMAIN;
 }
 

package/scripts/plausible-server-events.js

@@ -34,10 +34,10 @@ const REQUEST_TIMEOUT_MS = 2_000;
 function isPlausibleDisabled() {
   if (process.env.THUMBGATE_PLAUSIBLE_DISABLE === '1') return true;
   if (process.env.DO_NOT_TRACK === '1') return true;
-  // NODE_ENV-based detection was tried and dropped: `node --test` does not
-  // set NODE_ENV automatically, so the check produced surprising behavior
-  // in test vs. production. Tests must opt out explicitly via the dedicated
-  // THUMBGATE_PLAUSIBLE_DISABLE flag.
+  // Automatically disable Plausible events in local development unless explicitly overridden in tests
+  if (process.env.THUMBGATE_PLAUSIBLE_DISABLE !== '0' && process.env.NODE_ENV !== 'production') {
+    return true;
+  }
   return false;
 }
 

package/src/api/server.js

@@ -1550,14 +1550,93 @@ function normalizeEnterpriseChatPrompt(value) {
 
 function classifyEnterpriseChatTopic(prompt) {
   const lower = String(prompt || '').toLowerCase();
-  if (/gate|block|deny|prevent|guard/.test(lower)) return 'gates';
-  if (/lesson|memory|feedback|thumb|mistake|negative|positive/.test(lower)) return 'feedback';
+  // Feedback-specific words run FIRST: "what mistakes were blocked today" is a
+  // feedback question, not a gates question — must not be hijacked by /block/.
+  if (/mistake|lesson|memory|feedback|thumb|negative|positive|what (?:went )?wrong|fail|win|success|worked|good/.test(lower)) return 'feedback';
+  if (/gate|block|deny|prevent|guard|enforce/.test(lower)) return 'gates';
   if (/team|agent|org|enterprise|rollout/.test(lower)) return 'team';
   if (/token|cost|saving|budget|spend/.test(lower)) return 'cost';
   if (/vertex|gcp|google|dialogflow|dfcx|cloud/.test(lower)) return 'cloud';
   return 'overview';
 }
 
+// Parse intent: LIST vs COUNT, and time window. Lets us answer "what mistakes
+// today?" with an actual filtered list instead of a canned total.
+function parseChatIntent(prompt) {
+  const lower = String(prompt || '').toLowerCase();
+  const wantsList = /\bwhat\b|\bwhich\b|\blist\b|\bshow me\b|\bexamples?\b|\btell me about\b/.test(lower);
+  let windowMs = null;
+  let windowLabel = 'across all time';
+  if (/\btoday\b/.test(lower)) { windowMs = 24 * 60 * 60 * 1000; windowLabel = 'today'; }
+  else if (/\byesterday\b/.test(lower)) { windowMs = 48 * 60 * 60 * 1000; windowLabel = 'yesterday'; }
+  else if (/\bthis week\b|\b7 ?d(ay)?s?\b|\blast week\b/.test(lower)) { windowMs = 7 * 24 * 60 * 60 * 1000; windowLabel = 'the last 7 days'; }
+  else if (/\bthis month\b|\b30 ?d(ay)?s?\b|\blast month\b/.test(lower)) { windowMs = 30 * 24 * 60 * 60 * 1000; windowLabel = 'the last 30 days'; }
+  return { wantsList, windowMs, windowLabel };
+}
+
+// Read recent feedback entries (signal-filtered, time-filtered) directly from
+// the feedback log. Bounded + best-effort — never throws into the chat handler.
+// Treat short/placeholder context values as "no real description" so we don't
+// surface `"thumbs down"` × 3 as a useful list. Real feedback always has a
+// concrete sentence somewhere (whatWentWrong, distillation, whatToChange) —
+// pick the longest informative one.
+// Short tokens that mean "no real description" — kept as a plain Set, not a
+// big regex, to keep complexity low and easy to extend.
+const PLACEHOLDER_TOKENS = new Set([
+  'thumbs down', 'thumbs up', 'thumb down', 'thumb up',
+  'good', 'bad', 'ok', 'nice', 'verify', 'verifies', 'verification', 'test', 'testing',
+]);
+
+function isPlaceholder(text) {
+  const t = String(text || '').trim();
+  if (!t || t.length < 20) return true;
+  return PLACEHOLDER_TOKENS.has(t.toLowerCase().replace(/\.$/, ''));
+}
+
+function bestFeedbackDescription(row) {
+  const candidates = [row.whatWentWrong, row.distillation, row.context, row.whatToChange, row.whatWorked, row.reasoning]
+    .map((c) => String(c || '').trim());
+  // Prefer the longest non-placeholder candidate; fall back to any non-empty.
+  const informative = candidates.filter((c) => c && !isPlaceholder(c));
+  const fallback = candidates.find(Boolean) || '';
+  const best = informative.reduce((a, b) => (b.length > a.length ? b : a), '') || fallback;
+  return best.slice(0, 220);
+}
+
+function readRecentFeedbackEntries(feedbackDir, signal, windowMs, limit = 5, opts = {}) {
+  try {
+    if (!feedbackDir) return [];
+    const fsLocal = require('node:fs');
+    const pathLocal = require('node:path');
+    const logPath = pathLocal.join(feedbackDir, 'feedback-log.jsonl');
+    if (!fsLocal.existsSync(logPath)) return [];
+    const { readJsonl } = require('../../scripts/fs-utils');
+    const rows = readJsonl(logPath) || [];
+    const cutoff = windowMs ? Date.now() - windowMs : 0;
+    const filtered = rows
+      .filter((r) => !signal || r.signal === signal)
+      .filter((r) => {
+        if (!cutoff) return true;
+        const t = r.timestamp ? Date.parse(r.timestamp) : Number.NaN;
+        return Number.isFinite(t) && t >= cutoff;
+      })
+      .reverse()
+      .map((r) => {
+        const out = { timestamp: r.timestamp, context: bestFeedbackDescription(r) };
+        if (opts.includeSignal) out.signal = r.signal;
+        return out;
+      });
+    // For list display, drop entries with no real description so the list is useful,
+    // not three "thumbs down" placeholders. For count-only (high limit), keep all.
+    const useful = opts.skipPlaceholders === false || limit > 50
+      ? filtered
+      : filtered.filter((e) => e.context && !isPlaceholder(e.context));
+    return useful.slice(0, limit);
+  } catch {
+    return [];
+  }
+}
+
 function containsUnsafeEnterpriseChatInput(prompt) {
   return /[;&|`$<>\\]/.test(String(prompt || ''));
 }
@@ -1567,101 +1646,99 @@ function compactNumber(value) {
   return Number.isFinite(n) ? n : 0;
 }
 
-function isTodayScopedPrompt(prompt) {
-  return /\btoday\b|\bthis day\b|\blast 24\b|\b24 hours\b/i.test(String(prompt || ''));
+// Pick a signal preference from the prompt. Returns 'negative' | 'positive' | null.
+function detectFeedbackSignalFromPrompt(prompt) {
+  const lower = String(prompt || '').toLowerCase();
+  const wantsNeg = /mistake|wrong|fail|negative|thumbs? *down|block/.test(lower);
+  const wantsPos = /positive|thumbs? *up|worked|success|wins?\b|good/.test(lower);
+  if (wantsNeg && !wantsPos) return 'negative';
+  if (wantsPos && !wantsNeg) return 'positive';
+  return null;
 }
 
-function getTodayGateAudit(gateAudit) {
-  const days = gateAudit && Array.isArray(gateAudit.days) ? gateAudit.days : [];
-  return days.length > 0 ? days[days.length - 1] : null;
-}
+const FEEDBACK_LIST_LABELS = Object.freeze({
+  negative: 'Recent mistakes',
+  positive: 'Recent wins',
+});
 
-function formatGateBuckets(byGate) {
-  return Object.entries(byGate || {})
-    .filter(([, count]) => compactNumber(count) > 0)
-    .sort((a, b) => compactNumber(b[1]) - compactNumber(a[1]))
-    .slice(0, 3)
-    .map(([gateId, count]) => `${gateId} (${compactNumber(count)}x)`);
+function buildFeedbackSection({ ctx, intent, feedbackDir, approval, lessonPipeline }) {
+  const signal = detectFeedbackSignalFromPrompt(ctx.prompt);
+
+  // One read of the time-windowed log, then in-memory counts + (signal-filtered,
+  // placeholder-stripped) list. Counts include ALL entries (so "Feedback today: 5"
+  // matches the dashboard tile); the list drops vague entries like literal "thumbs
+  // down" / "good" so it surfaces only entries with real, actionable description.
+  const windowed = readRecentFeedbackEntries(feedbackDir, null, intent.windowMs, 10000, { includeSignal: true });
+  const windowPos = windowed.filter((r) => r.signal === 'positive').length;
+  const windowNeg = windowed.filter((r) => r.signal === 'negative').length;
+  const entries = (signal ? windowed.filter((r) => r.signal === signal) : windowed)
+    .filter((r) => r.context && !isPlaceholder(r.context))
+    .slice(0, 5);
+
+  const lines = [];
+  lines.push(intent.windowMs
+    ? `Feedback ${intent.windowLabel}: ${windowed.length} (${windowPos} positive, ${windowNeg} negative).`
+    : `Feedback total: ${compactNumber(approval.total)} (${compactNumber(approval.positive)} positive, ${compactNumber(approval.negative)} negative).`);
+
+  if (intent.wantsList) {
+    if (entries.length) {
+      lines.push(`${FEEDBACK_LIST_LABELS[signal] || 'Recent feedback'} (${intent.windowLabel}):`);
+      for (const e of entries) {
+        lines.push(`  • ${(e.timestamp || '').slice(0, 10)} — ${e.context}`);
+      }
+    } else {
+      lines.push(`No ${signal || 'feedback'} entries found ${intent.windowLabel}.`);
+    }
+  } else {
+    lines.push(`Lesson pipeline: ${compactNumber(lessonPipeline.lessons || lessonPipeline.generated || 0)} lessons visible in the current dashboard snapshot.`);
+  }
+  return { lines, sources: ['feedback log', intent.wantsList ? 'feedback contexts' : 'lesson pipeline'] };
 }
 
-function buildTodayGateAnswer(prompt, dashboardData, gateStats, gates) {
-  if (!isTodayScopedPrompt(prompt)) return null;
-  const lower = String(prompt || '').toLowerCase();
-  const gateAudit = dashboardData.gateAudit || {};
-  const prevention = dashboardData.prevention || {};
-  const today = getTodayGateAudit(gateAudit) || { deny: 0, warn: 0, intercepted: 0, byGate: {} };
-  const activeGateCount = gates.length || compactNumber(gateStats.totalGates);
-
-  if (/\b(activated|promoted|created|enabled)\b/.test(lower)) {
-    const promotionsToday = compactNumber(prevention.promotionsToday);
-    const promotedIds = Array.isArray(prevention.promotionIdsToday) ? prevention.promotionIdsToday.filter(Boolean) : [];
-    return [
-      `Gates activated today: ${promotionsToday}.`,
-      `Active gates now: ${activeGateCount}.`,
-      promotedIds.length > 0 ? `Promoted today: ${promotedIds.slice(0, 3).join(', ')}.` : '',
-    ].filter(Boolean);
-  }
+const GATE_EVENTS_REGEX = /activat|fired|trigger|block|denied|prevent|enforce|hit/;
 
-  if (/\b(what|which)\b/.test(lower) && /\b(mistake|mistakes|block|blocked|prevent|prevented)\b/.test(lower)) {
-    const gateBuckets = formatGateBuckets(today.byGate);
-    return [
-      `Today: ${compactNumber(today.deny)} blocked actions and ${compactNumber(today.warn)} warning checkpoints.`,
-      gateBuckets.length > 0
-        ? `Top blocked/warned gates today: ${gateBuckets.join(', ')}.`
-        : 'No per-gate blocked mistake names are present in today\'s local audit snapshot.',
-    ];
-  }
+function describeGate(g) {
+  return `${g.name || g.id || 'unnamed'}${g.severity ? ' [' + g.severity + ']' : ''}`;
+}
 
-  if (/\b(prevent|prevented|intercept|intercepted)\b/.test(lower)) {
-    return [
-      `Mistakes prevented today: ${compactNumber(today.intercepted)} interventions (${compactNumber(today.deny)} blocked, ${compactNumber(today.warn)} warned).`,
-      `All-time blocked actions recorded: ${compactNumber(gateStats.blocked || gateStats.denied || gateStats.totalBlocked)}.`,
-    ];
-  }
+function buildGatesSection({ ctx, intent, gates, gateStats }) {
+  const asksEvents = GATE_EVENTS_REGEX.test(String(ctx.prompt || '').toLowerCase());
+  const totalActive = gates.length || compactNumber(gateStats.totalGates);
+  const totalBlocked = compactNumber(gateStats.blocked || gateStats.denied || gateStats.totalBlocked);
 
-  if (/\b(block|blocked|deny|denied)\b/.test(lower)) {
-    return [
-      `Mistakes blocked today: ${compactNumber(today.deny)} deny decisions.`,
-      `Warnings today: ${compactNumber(today.warn)}; all-time blocked actions recorded: ${compactNumber(gateStats.blocked || gateStats.denied || gateStats.totalBlocked)}.`,
-    ];
+  const lines = [];
+  if (asksEvents) {
+    lines.push(`Blocked actions recorded (all time): ${totalBlocked}.`);
+    if (intent.windowMs) {
+      lines.push(`(Per-${intent.windowLabel} block-event breakdown isn't tracked in the local dashboard snapshot — only the running total. Filter the gate-events log directly for a precise window.)`);
+    }
+  } else {
+    lines.push(`Active gates: ${totalActive}.`);
   }
-
-  return null;
+  if (intent.wantsList && gates.length) {
+    lines.push('Active gates:');
+    for (const g of gates.slice(0, 8)) lines.push(`  • ${describeGate(g)}`);
+  } else if (gates[0] && !intent.wantsList) {
+    lines.push(`Example gate: ${describeGate(gates[0])}.`);
+  }
+  return { lines, sources: ['gate stats'] };
 }
 
-function buildEnterpriseChatSection(topic, dashboardData, status, prompt) {
+function buildEnterpriseChatSection(topic, dashboardData, status, ctx = {}) {
   const approval = dashboardData.approval || {};
   const gates = Array.isArray(dashboardData.gates) ? dashboardData.gates : [];
   const gateStats = dashboardData.gateStats || {};
   const team = dashboardData.team || {};
   const tokenSavings = dashboardData.tokenSavings || {};
   const lessonPipeline = dashboardData.lessonPipeline || {};
+  const intent = ctx.intent || { wantsList: false, windowMs: null, windowLabel: 'across all time' };
+  const feedbackDir = ctx.feedbackDir || null;
 
   if (topic === 'feedback') {
-    return {
-      lines: [
-        `Feedback total: ${compactNumber(approval.total)} (${compactNumber(approval.positive)} positive, ${compactNumber(approval.negative)} negative).`,
-        `Lesson pipeline: ${compactNumber(lessonPipeline.lessons || lessonPipeline.generated || 0)} lessons visible in the current dashboard snapshot.`,
-      ],
-      sources: ['feedback log', 'lesson pipeline'],
-    };
+    return buildFeedbackSection({ ctx, intent, feedbackDir, approval, lessonPipeline });
   }
   if (topic === 'gates') {
-    const todayGateAnswer = buildTodayGateAnswer(prompt, dashboardData, gateStats, gates);
-    if (todayGateAnswer) {
-      return {
-        lines: todayGateAnswer,
-        sources: ['gate audit', 'gate stats'],
-      };
-    }
-    return {
-      lines: [
-        `Active gates: ${gates.length || compactNumber(gateStats.totalGates)}.`,
-        `Blocked actions recorded: ${compactNumber(gateStats.blocked || gateStats.denied || gateStats.totalBlocked)}.`,
-        gates[0] ? `Example gate: ${gates[0].name || gates[0].id || 'unnamed gate'}.` : '',
-      ].filter(Boolean),
-      sources: ['gate stats'],
-    };
+    return buildGatesSection({ ctx, intent, gates, gateStats });
   }
   if (topic === 'team') {
     return {
@@ -1702,13 +1779,22 @@ function buildEnterpriseChatSection(topic, dashboardData, status, prompt) {
   };
 }
 
-function buildEnterpriseChatAnswer(prompt, dashboardData, status) {
+function buildEnterpriseChatAnswer(prompt, dashboardData, status, opts = {}) {
   const topic = classifyEnterpriseChatTopic(prompt);
-  const section = buildEnterpriseChatSection(topic, dashboardData, status, prompt);
+  const intent = parseChatIntent(prompt);
+  const section = buildEnterpriseChatSection(topic, dashboardData, status, {
+    intent,
+    feedbackDir: opts.feedbackDir,
+    prompt,
+  });
+
+  // List-style answers want newlines; single-line answers join with space.
+  const hasList = section.lines.some((l) => /^\s*•/.test(l));
+  const answer = hasList ? section.lines.join('\n') : section.lines.join(' ');
 
   return {
     topic,
-    answer: section.lines.join(' '),
+    answer,
     sources: ['local dashboard data', ...section.sources],
   };
 }
@@ -1724,6 +1810,7 @@ async function trySendLocalDashboardChat(res, parsed, feedbackDir, prompt, suffi
       prompt,
       dashboardResult.data,
       buildEnterpriseDataChatStatus(),
+      { feedbackDir },
     );
     sendJson(res, 200, {
       ok: true,
@@ -1735,7 +1822,7 @@ async function trySendLocalDashboardChat(res, parsed, feedbackDir, prompt, suffi
       grounded: true,
     });
     return true;
-  } catch (_) {
+  } catch {
     return false;
   }
 }
@@ -1771,7 +1858,7 @@ async function answerEnterpriseDataChat({ prompt, feedbackDir, parsed }) {
   // The dashboard's real local/open-source chatbot turn goes through /v1/chat,
   // which uses lesson retrieval + optional LanceDB vector search + the user's
   // configured local or BYO model.
-  const chat = buildEnterpriseChatAnswer(normalizedPrompt, dashboardData, status);
+  const chat = buildEnterpriseChatAnswer(normalizedPrompt, dashboardData, status, { feedbackDir });
   const dfcxRequest = {
     fulfillmentInfo: { tag: 'chat-with-data' },
     sessionInfo: {
@@ -2211,7 +2298,7 @@ function appendBestEffortTelemetry(feedbackDir, payload, headers, context) {
           evidence: [err?.message ? err.message : 'unknown_error'],
         },
       });
-    } catch (_) {}
+    } catch {}
     return false;
   }
 }
@@ -3423,7 +3510,7 @@ function renderCheckoutSuccessPage(runtimeConfig) {
         if (window.sessionStorage) {
           window.sessionStorage.setItem(marker, '1');
         }
-      } catch (_) {
+      } catch {
         sendTelemetry(eventType, extra);
       }
     }
@@ -6082,7 +6169,7 @@ ${hidden}
               evidence: [err?.message ? err.message : 'unknown_error'],
             },
           });
-        } catch (_) {
+        } catch {
           // Telemetry is best-effort and must never fail the caller.
         }
       }
@@ -6449,7 +6536,7 @@ ${hidden}
               context: 'failed to persist install-email capture to ledger',
               metadata: { error: err?.message || 'unknown' },
             });
-          } catch (_) {}
+          } catch {}
         }
 
         // Privacy-clean telemetry ping for funnel attribution (no email).
@@ -7926,7 +8013,7 @@ ${hidden}
               feedbackDir: getSafeDataDir(),
               limit: 10,
             });
-          } catch (_) { /* best-effort — conversation window is optional */ }
+          } catch { /* best-effort — conversation window is optional */ }
         }
         const result = captureFeedback({
           signal: body.signal,