thumbgate 1.27.4 → 1.27.7

package/scripts/gates-engine.js

@@ -119,8 +119,16 @@ const MAX_COMMAND_SCAN_CHARS = 20000;
 const BOOSTED_RISK_BLOCK_SCORE = 0.8;
 const BOOSTED_RISK_MIN_EXAMPLES = 3;
 const PR_THREAD_RESOLUTION_ACTION = 'pr_thread_resolution_verified_after_commit';
+const HELPER_BYPASS_ACTION = 'helper_script_modified';
 const KNOWLEDGE_ENTROPY_THRESHOLD = 0.7;
-const KNOWLEDGE_CONFLICT_STRICT_BASH_PATTERN = /\b(?:git\s+push\b|gh\s+pr\s+merge\b|gh\s+release\s+(?:create|delete|edit|upload)\b|(?:npm|yarn|pnpm)\s+publish\b|rm\s+-rf\b|git\s+reset\s+--hard\b|git\s+clean\s+-f|railway\s+(?:deploy|up)\b|gcloud\s+(?:run\s+deploy|app\s+deploy)\b|firebase\s+deploy\b|vercel\s+--prod\b|kubectl\s+(?:apply|delete)\b|terraform\s+(?:apply|destroy)\b)\b/i;
+const KNOWLEDGE_CONFLICT_STRICT_BASH_PATTERN = /\b(?:git\s+push\b|gh\s+pr\s+merge\b|gh\s+release\s+(?:create|delete|edit|upload)\b|(?:npm|yarn|pnpm)\s+publish\b|rm\s+-rf\b|git\s+reset\s+--hard\b|git\s+clean\s+-f[a-z]*|railway\s+(?:deploy|up)\b|gcloud\s+(?:run\s+deploy|app\s+deploy)\b|firebase\s+deploy\b|vercel\s+--prod\b|kubectl\s+(?:apply|delete)\b|terraform\s+(?:apply|destroy)\b)\b/i;
+const HELPER_SCRIPT_FILE_PATTERN = /(?:^|\/)(?:scripts|bin|tools|tasks|\.githooks|\.github\/workflows)\/|(?:^|\/)(?:package\.json|Makefile|justfile|Taskfile\.ya?ml)$|\.(?:sh|bash|zsh|fish|js|mjs|cjs|ts|tsx|py|rb|pl|ps1|yml|yaml)$/i;
+const PACKAGE_RUN_PATTERN = /\b(?:npm|yarn|pnpm)\s+run\s+([:@./\w-]+)\b/i;
+const HELPER_EXEC_PATTERN = /(?:^|[;&|]\s*|\b(?:bash|sh|zsh|node|python3?|ruby|perl|tsx|ts-node)\s+)(?:(?:\.?\.?\/)?(?:scripts|bin|tools|tasks|tmp|build|dist|\.tmp|\.cache)\/[^\s;&|]+|\.\/[^\s;&|]+\.(?:sh|bash|zsh|js|mjs|cjs|ts|py|rb|pl|ps1))\b/i;
+const HELPER_WRITE_PATTERN = /\b(?:cat|printf|echo|tee|npm\s+pkg\s+set|jq|node\s+-e|python3?\s+-c)\b[\s\S]{0,300}(?:>|--field|scripts\.|package\.json|(?:scripts|bin|tools|tasks|tmp|build|dist|\.tmp|\.cache)\/[^\s;&|]+|\.(?:sh|js|mjs|cjs|ts|py|rb|pl|ps1))\b/i;
+const NETWORK_OR_PROCESS_BOUNDARY_PATTERN = /\b(?:curl|wget|nc|ncat|socat|ssh|scp|rsync|ftp|python3?\s+-m\s+http\.server|node\s+-e|python3?\s+-c|perl\s+-e|ruby\s+-e|bash\s+-c|sh\s+-c|osascript|open)\b/i;
+const DOWNLOAD_EXEC_CHAIN_PATTERN = /\b(?:curl|wget)\b[\s\S]{0,400}(?:\|\s*(?:bash|sh|zsh)|&&[\s\S]{0,200}\bchmod\s+\+x\b[\s\S]{0,200}&&[\s\S]{0,120}(?:\.\/|bash|sh|node|python3?))/i;
+const DESTRUCTIVE_OR_PRIVILEGE_BOUNDARY_PATTERN = /\b(?:rm\s+-rf|chmod\s+(?:\+x|777)|chown\b|sudo\b|dd\s+if=|mkfs|git\s+reset\s+--hard|git\s+clean\s+-f[a-z]*|kubectl\s+(?:apply|delete)|terraform\s+(?:apply|destroy)|railway\s+(?:deploy|up)|gcloud\s+(?:run\s+deploy|app\s+deploy)|vercel\s+--prod|firebase\s+deploy)\b/i;
 
 // ---------------------------------------------------------------------------
 // Enforcement posture (CEO decision 2026-06-04): warn-by-default.
@@ -834,9 +842,26 @@ function toRepoRelativePath(filePath, repoRoot) {
   const value = String(filePath || '').trim();
   if (!value) return '';
   if (repoRoot && path.isAbsolute(value)) {
-    const relative = path.relative(repoRoot, value);
-    if (!relative.startsWith('..') && !path.isAbsolute(relative)) {
-      return normalizePosix(relative);
+    const candidates = [[path.resolve(repoRoot), path.resolve(value)]];
+    try {
+      const rootReal = fs.realpathSync.native(repoRoot);
+      let valueReal = null;
+      try {
+        valueReal = fs.realpathSync.native(value);
+      } catch {
+        const parentReal = fs.realpathSync.native(path.dirname(value));
+        valueReal = path.join(parentReal, path.basename(value));
+      }
+      candidates.push([rootReal, valueReal]);
+    } catch {
+      // Fall back to lexical path comparison below.
+    }
+
+    for (const [rootCandidate, valueCandidate] of candidates) {
+      const relative = path.relative(rootCandidate, valueCandidate);
+      if (!relative.startsWith('..') && !path.isAbsolute(relative)) {
+        return normalizePosix(relative);
+      }
     }
   }
   return normalizePosix(value);
@@ -1195,6 +1220,125 @@ function evaluateLocalOnlyRemoteSideEffectGate(toolName, toolInput = {}, governa
   };
 }
 
+function helperRiskReasons(text) {
+  const value = String(text || '');
+  const reasons = [];
+  if (DOWNLOAD_EXEC_CHAIN_PATTERN.test(value)) reasons.push('download-then-execute chain');
+  if (NETWORK_OR_PROCESS_BOUNDARY_PATTERN.test(value)) reasons.push('network/process boundary');
+  if (DESTRUCTIVE_OR_PRIVILEGE_BOUNDARY_PATTERN.test(value)) reasons.push('destructive/privileged side effect');
+  if (/\b(?:child_process|spawn\(|exec\(|execFile\(|subprocess|ProcessBuilder)\b/i.test(value)) {
+    reasons.push('process spawn');
+  }
+  return [...new Set(reasons)];
+}
+
+function readPackageScript(repoRoot, scriptName) {
+  if (!repoRoot || !scriptName) return '';
+  try {
+    const packagePath = path.join(repoRoot, 'package.json');
+    if (!fs.existsSync(packagePath)) return '';
+    const { scripts = {} } = JSON.parse(fs.readFileSync(packagePath, 'utf8')) || {};
+    return typeof scripts[scriptName] === 'string' ? scripts[scriptName] : '';
+  } catch {
+    return '';
+  }
+}
+
+function recordHelperScriptWrite(toolName, toolInput = {}) {
+  if (process.env.THUMBGATE_HELPER_BYPASS_GUARD === '0') return null;
+
+  const affected = extractAffectedFiles(toolName, toolInput);
+  const affectedFiles = affected.files || [];
+  const command = String(toolInput.command || '');
+  const actionContext = extractActionContext(toolName, toolInput);
+  const helperFiles = affectedFiles.filter((filePath) => HELPER_SCRIPT_FILE_PATTERN.test(normalizePosix(filePath)));
+  const packageScriptTouched = affectedFiles.some((filePath) => normalizePosix(filePath) === 'package.json') || /\bpackage\.json\b|\bscripts\./i.test(actionContext);
+  const commandWrite = toolName === 'Bash' && HELPER_WRITE_PATTERN.test(command);
+
+  if (helperFiles.length === 0 && !packageScriptTouched && !commandWrite) return null;
+
+  const riskText = [
+    actionContext,
+    command,
+    helperFiles.join(' '),
+    packageScriptTouched ? 'package.json scripts' : '',
+  ].filter(Boolean).join('\n');
+  const reasons = helperRiskReasons(riskText);
+
+  const metadata = {
+    repoRoot: affected.repoRoot || resolveRepoRoot(toolInput) || null,
+    helperFiles,
+    packageScriptTouched,
+    reasons,
+  };
+  trackAction(HELPER_BYPASS_ACTION, metadata);
+  return metadata;
+}
+
+function evaluateStatefulHelperBypassGate(toolName, toolInput = {}) {
+  if (process.env.THUMBGATE_HELPER_BYPASS_GUARD === '0') return null;
+  if (toolName !== 'Bash') {
+    recordHelperScriptWrite(toolName, toolInput);
+    return null;
+  }
+
+  const command = String(toolInput.command || '').trim();
+  if (!command) return null;
+
+  if (DOWNLOAD_EXEC_CHAIN_PATTERN.test(command)) {
+    return {
+      decision: 'deny',
+      gate: 'stateful-helper-script-bypass',
+      message: 'Download-then-execute chains are blocked before the real action moves below the visible tool call.',
+      severity: 'critical',
+      reasoning: [
+        `Command matched download/execute chain: ${command.slice(0, 180)}`,
+        'PreToolUse must review the whole action chain, not only the first low-risk command',
+      ],
+    };
+  }
+
+  const writeMetadata = recordHelperScriptWrite(toolName, toolInput);
+  const actions = listSessionActions();
+  const recentWrite = actions[HELPER_BYPASS_ACTION];
+  const recentMetadata = recentWrite && recentWrite.metadata && typeof recentWrite.metadata === 'object'
+    ? recentWrite.metadata
+    : null;
+
+  const scriptMatch = command.match(PACKAGE_RUN_PATTERN);
+  const scriptName = scriptMatch ? scriptMatch[1] : '';
+  const repoRoot = resolveRepoRoot(toolInput);
+  const packageScript = scriptName ? readPackageScript(repoRoot, scriptName) : '';
+  const commandBoundaryReasons = helperRiskReasons(`${command}\n${packageScript}`);
+  const executesRecentHelper = HELPER_EXEC_PATTERN.test(command);
+  const runsRecentPackageScript = Boolean(scriptName && recentMetadata && recentMetadata.packageScriptTouched);
+  const recentReasons = recentMetadata && Array.isArray(recentMetadata.reasons) ? recentMetadata.reasons : [];
+  const writeRiskReasons = writeMetadata && Array.isArray(writeMetadata.reasons) ? writeMetadata.reasons : [];
+  const correlatedReasons = [...new Set([...recentReasons, ...writeRiskReasons, ...commandBoundaryReasons])];
+
+  if (
+    (executesRecentHelper || runsRecentPackageScript) &&
+    (recentMetadata || writeMetadata) &&
+    correlatedReasons.length > 0
+  ) {
+    const target = scriptName ? `package script "${scriptName}"` : 'recent helper script';
+    return {
+      decision: 'deny',
+      gate: 'stateful-helper-script-bypass',
+      message: `A recently modified ${target} now crosses a risky boundary. Review it or constrain cwd, network, process, and writable paths before execution.`,
+      severity: 'critical',
+      reasoning: [
+        `Recent helper/package modification: ${(recentMetadata && recentMetadata.helperFiles || []).join(', ') || (recentMetadata && recentMetadata.packageScriptTouched ? 'package.json scripts' : 'current command write')}`,
+        `Execution command: ${command.slice(0, 180)}`,
+        `Risk reasons: ${correlatedReasons.join(', ')}`,
+        'This blocks the helper-script/package-script bypass class raised in external review',
+      ],
+    };
+  }
+
+  return null;
+}
+
 function recordStructuralGateBlock(toolName, toolInput, result) {
   recordStat(result.gate, 'block', null, { toolName, toolInput });
   const auditRecord = recordAuditEvent({
@@ -1454,8 +1598,19 @@ function checkWhenClause(when, constraints) {
   if (!when || !when.constraints) return true;
   
   for (const [key, expectedValue] of Object.entries(when.constraints)) {
-    const constraint = constraints[key];
-    if (!constraint || constraint.value !== expectedValue) {
+    let value;
+    if (key === 'careful_mode') {
+      const isEnvTrue = process.env.THUMBGATE_CAREFUL_MODE === '1' || 
+                       String(process.env.THUMBGATE_CAREFUL_MODE).toLowerCase() === 'true';
+      value = isEnvTrue || (constraints[key] && constraints[key].value === expectedValue);
+    } else if (key === 'freeze_mode') {
+      value = Boolean(process.env.THUMBGATE_FREEZE_PATHS) || 
+              (constraints[key] && constraints[key].value !== false && constraints[key].value !== null && constraints[key].value !== undefined);
+    } else {
+      const constraint = constraints[key];
+      value = constraint && constraint.value === expectedValue;
+    }
+    if (!value) {
       return false;
     }
   }
@@ -1463,11 +1618,69 @@ function checkWhenClause(when, constraints) {
 }
 
 function matchGate(gate, toolName, toolInput = {}) {
-  const matchText = toolInput.command || toolInput.file_path || toolInput.path || '';
+  let matchText = toolInput.command || toolInput.file_path || toolInput.path || '';
+
+  // Claw/hybrid support: enrich matchText with claw metadata (for EnterpriseClaw/OpenShell/Perplexity hybrid agents)
+  const clawCtx = toolInput.clawContext || toolInput._claw || (toolInput.agentId ? {
+    actionType: toolInput.actionType || 'unknown',
+    agentId: toolInput.agentId || 'unknown',
+    hybridRoute: toolInput.hybridRoute || 'unknown',
+    screenInteraction: !!toolInput.screenInteraction,
+    fileAccess: !!toolInput.fileAccess,
+  } : null);
+
+  if (clawCtx) {
+    const actionType = clawCtx.actionType || clawCtx.claw_action_type || 'unknown';
+    const parts = [
+      matchText,
+      `claw_style: true`,
+      `agent_identity: ${clawCtx.agentId || 'unknown'}`,
+      `claw_action_type: ${actionType}`,
+      `hybrid_route: ${clawCtx.hybridRoute || 'unknown'}`,
+    ];
+
+    if (clawCtx.screenInteraction || actionType.includes('screen')) {
+      parts.push('screen_interaction');
+      parts.push('interact screen');
+    }
+    if (clawCtx.fileAccess || actionType.includes('file') || actionType.includes('fs')) {
+      parts.push('file_system_access');
+      parts.push('local device file system access');
+    }
+    if (actionType === 'dynamic-tool-creation' || actionType.includes('create-tool') || actionType.includes('define-tool')) {
+      parts.push('create tool');
+    }
+
+    matchText = parts.filter(Boolean).join(' | ');
+  }
+
   const affected = extractAffectedFiles(toolName, toolInput);
   const affectedFiles = affected.files;
   const repoRoot = affected.repoRoot;
   const governanceState = loadGovernanceState();
+  const constraints = loadConstraints();
+
+  if (gate.id === 'on-demand-freeze-mode' || (gate.when && gate.when.constraints && gate.when.constraints.freeze_mode)) {
+    let freezePaths = [];
+    if (process.env.THUMBGATE_FREEZE_PATHS) {
+      freezePaths = process.env.THUMBGATE_FREEZE_PATHS.split(',').map(p => p.trim()).filter(Boolean);
+    } else if (constraints.freeze_mode && typeof constraints.freeze_mode.value === 'string') {
+      freezePaths = constraints.freeze_mode.value.split(',').map(p => p.trim()).filter(Boolean);
+    } else if (constraints.freeze_mode && Array.isArray(constraints.freeze_mode.value)) {
+      freezePaths = constraints.freeze_mode.value;
+    } else if (governanceState.taskScope && Array.isArray(governanceState.taskScope.allowedPaths)) {
+      freezePaths = governanceState.taskScope.allowedPaths;
+    }
+
+    if (freezePaths.length > 0) {
+      const outsideFiles = affectedFiles.filter((filePath) => !matchesAnyGlob(filePath, freezePaths));
+      if (outsideFiles.length > 0) {
+        return { matched: true, matchText, affectedFiles };
+      } else {
+        return { matched: false, matchText, affectedFiles };
+      }
+    }
+  }
 
   if (Array.isArray(gate.toolNames) && gate.toolNames.length > 0 && !gate.toolNames.includes(toolName)) {
     return { matched: false, matchText, affectedFiles };
@@ -1803,6 +2016,10 @@ async function evaluateGatesAsync(toolName, toolInput, configPath) {
   if (localOnlyRemoteSideEffectGate) {
     return recordStructuralGateBlock(toolName, toolInput, localOnlyRemoteSideEffectGate);
   }
+  const statefulHelperBypassGate = evaluateStatefulHelperBypassGate(toolName, toolInput);
+  if (statefulHelperBypassGate) {
+    return recordStructuralGateBlock(toolName, toolInput, statefulHelperBypassGate);
+  }
   if (isBreakGlassSettingsRecoveryAction(toolName, toolInput)) {
     recordAuditEvent({
       toolName,
@@ -2030,6 +2247,10 @@ function evaluateGates(toolName, toolInput, configPath) {
   if (localOnlyRemoteSideEffectGate) {
     return recordStructuralGateBlock(toolName, toolInput, localOnlyRemoteSideEffectGate);
   }
+  const statefulHelperBypassGate = evaluateStatefulHelperBypassGate(toolName, toolInput);
+  if (statefulHelperBypassGate) {
+    return recordStructuralGateBlock(toolName, toolInput, statefulHelperBypassGate);
+  }
   if (isBreakGlassSettingsRecoveryAction(toolName, toolInput)) {
     recordAuditEvent({
       toolName,
@@ -2672,6 +2893,9 @@ function extractActionContext(toolName, toolInput) {
   const parts = [toolName];
   if (toolInput.command) parts.push(String(toolInput.command).slice(0, 400));
   if (toolInput.file_path) parts.push(String(toolInput.file_path));
+  if (toolInput.content) parts.push(String(toolInput.content).slice(0, 600));
+  if (toolInput.new_string) parts.push(String(toolInput.new_string).slice(0, 600));
+  if (toolInput.old_string) parts.push(String(toolInput.old_string).slice(0, 240));
   if (toolInput.description) parts.push(String(toolInput.description).slice(0, 200));
   if (toolInput.prompt) parts.push(String(toolInput.prompt).slice(0, 400));
   if (toolInput.pattern) parts.push(String(toolInput.pattern).slice(0, 200));
@@ -3114,9 +3338,12 @@ module.exports = {
   getLocalOnlyScopeSources,
   isRemoteSideEffectCommand,
   evaluateLocalOnlyRemoteSideEffectGate,
+  recordHelperScriptWrite,
+  evaluateStatefulHelperBypassGate,
   isAgentHookSettingsFile,
   isBreakGlassSettingsRecoveryAction,
   PR_THREAD_RESOLUTION_ACTION,
+  HELPER_BYPASS_ACTION,
   buildBlockActionProCta,
   applyDailyBlockCap,
   getTodayBlockCount,

package/scripts/gemini-embedding-policy.js

@@ -122,7 +122,7 @@ function resolveGeminiEmbeddingConfig(env = process.env) {
 
   return {
     enabled,
-    provider: enabled ? 'gemini' : 'local',
+    provider: provider === 'coreai' ? 'coreai' : (enabled ? 'gemini' : 'local'),
     model: String(env.THUMBGATE_GEMINI_EMBED_MODEL || GEMINI_EMBEDDING_2_MODEL).trim() || GEMINI_EMBEDDING_2_MODEL,
     apiKey,
     apiBaseUrl: trimTrailingSlashes(env.THUMBGATE_GEMINI_API_BASE_URL || 'https://generativelanguage.googleapis.com/v1beta'),
@@ -171,6 +171,7 @@ function buildGeminiEmbeddingRolloutPlan(args = {}) {
     },
     rolloutSteps: [
       'Keep local embeddings as the default offline path.',
+      'For Apple Silicon developers, route local queries through Core AI (AOT compiled models) to bypass CPU overhead.',
       'Enable Gemini Embedding 2 only when a Gemini API key is present.',
       'Use task-specific query/document prefixes at index and retrieval time.',
       'Start at 768 dimensions, then benchmark 1536 only if recall misses show up.',

package/scripts/hook-stop-anti-claim.js

@@ -0,0 +1,227 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * Stop hook: anti-claim enforcement.
+ *
+ * Scans the assistant's most recent turn (assistant text + same-turn tool_use
+ * blocks) and blocks the "deployed / live / done / fixed / ready" claim
+ * unless that same turn included a proof tool call (curl / grep / test).
+ *
+ * Why: CLAUDE.md anti-lying directive ("Never claim fix done until
+ * committed+pushed. Never claim 'ready' without running e2e.") was
+ * aspirational, not enforced. Per CEO 2026-05-13 feedback after a session in
+ * which 5+ unverified claims slipped through, this is the harness-level
+ * enforcement that ends the recurring trust-burn pattern. ThumbGate-on-
+ * ThumbGate dogfood — we are the prevention-rule generator and a perfect
+ * customer for our own gate.
+ *
+ * Wires through .claude/settings.json Stop hooks list. Always exits 0
+ * (informational): the goal is to surface a system reminder in the next
+ * turn so the agent corrects mid-conversation rather than to hard-block
+ * the turn that already happened.
+ *
+ * Stdin: Claude Code passes the hook payload as JSON on stdin. We read
+ * `transcript_path` to locate the JSONL session log and scan the last
+ * assistant message.
+ *
+ * Stdout: any text printed is shown to the agent on the next turn.
+ */
+
+const fs = require('node:fs');
+
+// Lie-phrase patterns. These match common "claim of completion" wording
+// the agent emits without verification. Word-boundary anchored to avoid
+// false positives ("ready-made", "live-streaming", etc).
+const CLAIM_PATTERNS = [
+  /\bis\s+live\b/i,
+  /\bnow\s+live\b/i,
+  /\bgoing\s+live\b/i,
+  /\bdeployed\b(?!\s*(yet|to\s+staging|on\s+a\s+branch))/i,
+  /\b(?:is|are|it'?s)\s+(?:now\s+)?(?:fully\s+)?(?:fixed|resolved|merged|shipped)\b/i,
+  /\bproduction[-\s]ready\b/i,
+  /\beverything\s+(?:is\s+)?(?:done|working|ready)\b/i,
+  /\b(?:github|repo|repository)\s+(?:about|metadata|description|topics?)\b.*\b(?:updated|verified|fixed|match(?:es|ed)?)\b/i,
+  /\b(?:about|metadata|description|topics?)\b.*\b(?:updated|verified|fixed|match(?:es|ed)?)\b.*\b(?:github|repo|repository)\b/i,
+  /\b(?:money|payment|charge|checkout|revenue|price|pricing|invoice|billing|tax|sales tax|inventory|stock|permission|access|customer[-\s]facing)\b.*\b(?:correct|accurate|verified|valid|matches|working|fixed|resolved|calculated|configured)\b/i,
+  /\b(?:correct|accurate|verified|valid|matches|working|fixed|resolved|calculated|configured)\b.*\b(?:money|payment|charge|checkout|revenue|price|pricing|invoice|billing|tax|sales tax|inventory|stock|permission|access|customer[-\s]facing)\b/i,
+  // Added 2026-06-11 after a cross-project failure analysis: these completion
+  // claims ("all green / stable / verified / race over / tests pass") were
+  // asserted without proof and slipped past the original set. The proof-gate
+  // below suppresses them whenever the SAME turn ran a verification tool, so a
+  // "verified" claim backed by a test/curl/Read stays silent.
+  /\ball\s+(?:the\s+)?(?:tests?\s+|checks?\s+)?(?:are\s+)?green\b/i,
+  /\b(?:all\s+)?(?:tests?|checks?|ci)\s+(?:are\s+)?(?:now\s+)?passing\b/i,
+  /\ball\s+(?:tests?|checks?)\s+pass(?:ed)?\b/i,
+  /\bverified\b/i,
+  /\bconfirmed\b/i,
+  /\b(?:is|are|it'?s|now)\s+stable\b/i,
+  /\ball\s+clear\b/i,
+  /\bgood\s+to\s+go\b/i,
+  /\brace\s+(?:is\s+)?over\b/i,
+  /\bno\s+longer\s+racing\b/i,
+];
+
+// Proof-of-verification patterns. If the SAME turn included one of these
+// tool calls or shell command tokens, the claim is considered backed and
+// the hook stays silent.
+const PROOF_PATTERNS = [
+  /\bcurl\b/,
+  /\bgh\s+pr\s+(?:view|checks|status)\b/,
+  /\bgh\s+run\s+view\b/,
+  /\bgh\s+api\b/,
+  /\bnode\s+--test\b/,
+  /\bnpm\s+(?:run\s+)?test\b/,
+  /\bnpm\s+pack\b/,
+  /\bjest\b/,
+  /\bmocha\b/,
+  /\bpytest\b/,
+  /\bplaywright\b/,
+  /\bgrep\b/,
+  /\bstripe\b/,
+  /\bplaid\b/,
+  /\bshopify\b/,
+  /\bsquare\b/,
+  /\bquickbooks\b/,
+  /Read\s*\(/, // Claude Code Read tool call
+  /Bash\s*\(/, // Claude Code Bash tool call
+];
+
+function readLastAssistantTurn(transcriptPath) {
+  if (!transcriptPath || !fs.existsSync(transcriptPath)) return null;
+  let content;
+  try {
+    content = fs.readFileSync(transcriptPath, 'utf8');
+  } catch {
+    return null;
+  }
+  const lines = content.trim().split('\n');
+  // Walk backwards to find the last assistant message
+  for (let i = lines.length - 1; i >= 0; i--) {
+    const raw = lines[i].trim();
+    if (!raw) continue;
+    let entry;
+    try {
+      entry = JSON.parse(raw);
+    } catch {
+      continue;
+    }
+    if (entry.type === 'assistant' && entry.message) {
+      return entry.message;
+    }
+  }
+  return null;
+}
+
+function extractText(message) {
+  if (!message || !Array.isArray(message.content)) return '';
+  return message.content
+    .filter((b) => b && typeof b.text === 'string')
+    .map((b) => b.text)
+    .join('\n');
+}
+
+function extractToolUseSummary(message) {
+  if (!message || !Array.isArray(message.content)) return '';
+  return message.content
+    .filter((b) => b?.type === 'tool_use')
+    .map((b) => {
+      const name = b.name || 'tool';
+      let summary = '';
+      if (b.input && typeof b.input === 'object') {
+        if (typeof b.input.command === 'string') summary = b.input.command;
+        else if (typeof b.input.file_path === 'string') summary = b.input.file_path;
+        else if (typeof b.input.query === 'string') summary = b.input.query;
+        else summary = JSON.stringify(b.input).slice(0, 200);
+      }
+      return `${name}: ${summary}`;
+    })
+    .join('\n');
+}
+
+function findClaim(text) {
+  for (const p of CLAIM_PATTERNS) {
+    const m = text.match(p);
+    if (m) return m[0];
+  }
+  return null;
+}
+
+function hasProof(combined) {
+  return PROOF_PATTERNS.some((p) => p.test(combined));
+}
+
+function readStdinSync() {
+  try {
+    return fs.readFileSync(0, 'utf8');
+  } catch {
+    return '';
+  }
+}
+
+function main() {
+  const raw = readStdinSync();
+  let payload = {};
+  try {
+    payload = raw ? JSON.parse(raw) : {};
+  } catch {
+    payload = {};
+  }
+
+  const transcriptPath = payload.transcript_path || process.env.CLAUDE_TRANSCRIPT_PATH;
+  const message = readLastAssistantTurn(transcriptPath);
+  if (!message) return; // no transcript visible; nothing to check
+
+  const text = extractText(message);
+  const toolUseSummary = extractToolUseSummary(message);
+  const claim = findClaim(text);
+  if (!claim) return; // no completion claim made; silent
+
+  const proofText = `${text}\n${toolUseSummary}`;
+  if (hasProof(proofText)) return; // claim backed by proof in same turn
+
+  // Strict mode (THUMBGATE_STRICT_ENFORCEMENT=1): hard-block the stop. Emit a
+  // Stop-hook block decision so Claude Code does NOT end the turn — the agent
+  // must run the verification (or retract) before it can stop. Default mode
+  // stays soft (a reminder for the next turn) so we don't break existing wiring.
+  if (process.env.THUMBGATE_STRICT_ENFORCEMENT === '1') {
+    const reason = `ThumbGate anti-claim gate (strict): you claimed completion ("${claim}") without a proof tool call in the same message. Run the verification (curl / grep / test / Read) and restate with the proof, or retract — do not end the turn on an unverified claim.`;
+    process.stdout.write(JSON.stringify({ decision: 'block', reason }) + '\n');
+    return;
+  }
+
+  // Default (soft): surface a system reminder for the NEXT turn. Do not hard-block.
+  const reminder = [
+    '⚠️ ThumbGate anti-claim gate: previous turn claimed completion',
+    `   ("${claim}") without a proof tool call in the same message.`,
+    '   Per CLAUDE.md anti-lying: never claim "done / live / deployed / fixed /',
+    '   verified / all green / stable" or commercial truth (money / tax / inventory /',
+    '   permissions / customer-facing state) without curl / grep / test / source-of-truth output in the SAME turn.',
+    '   If the work really is verified, re-state the claim with the proof.',
+    '   If not, retract and run the verification before re-asserting.',
+  ].join('\n');
+  process.stdout.write(reminder + '\n');
+}
+
+// Path-resolve check instead of `require.main === module`. SonarCloud's
+// strict type inference (rule S3403) flags the === form as always-false
+// in CommonJS, and CLAUDE.md "Hard-Won Lessons" pins the path-based form
+// as the portable fix (incident 2026-04-21 / PR #1115). Resolve BOTH sides
+// so the comparison is between two normalized absolute paths.
+const path = require('node:path');
+if (path.resolve(process.argv[1] || '') === path.resolve(__filename)) {
+  try {
+    main();
+  } catch {
+    // never crash the agent
+  }
+}
+
+module.exports = {
+  CLAIM_PATTERNS,
+  PROOF_PATTERNS,
+  findClaim,
+  hasProof,
+  extractText,
+  extractToolUseSummary,
+};

package/scripts/hook-thumbgate-cache-updater.js

@@ -6,11 +6,27 @@
  * Also used directly by the CLI to refresh statusline counters after feedback capture.
  */
 
-const fs = require('fs');
-const path = require('path');
+const fs = require('node:fs');
+const os = require('node:os');
+const path = require('node:path');
 const { resolveFeedbackDir } = require('./feedback-paths');
+const {
+  getAggregateStatuslineCachePath,
+  shouldAggregateFeedback,
+} = require('./feedback-aggregate');
 
 function getCachePath() {
+  const explicitFeedbackDir = process.env.THUMBGATE_FEEDBACK_DIR;
+  if (shouldAggregateFeedback() && explicitFeedbackDir) {
+    try {
+      if (path.resolve(explicitFeedbackDir).startsWith(path.resolve(os.tmpdir()) + path.sep)) {
+        return path.join(resolveFeedbackDir(), 'statusline_cache.json');
+      }
+    } catch {
+      return path.join(resolveFeedbackDir(), 'statusline_cache.json');
+    }
+  }
+  if (shouldAggregateFeedback()) return getAggregateStatuslineCachePath();
   return path.join(resolveFeedbackDir(), 'statusline_cache.json');
 }
 

package/scripts/hybrid-feedback-context.js

@@ -730,6 +730,7 @@ function evaluatePretool(toolName, toolInput, opts) {
 
   // Slow path: build live state (also used when compiled guards are stale)
   const state = buildHybridState({
+    feedbackDir: o.feedbackDir,
     feedbackLogPath: o.feedbackLogPath,
     attributedFeedbackPath: o.attributedFeedbackPath,
   });

package/scripts/lesson-inference.js

@@ -18,6 +18,7 @@ const fs = require('fs');
 const path = require('path');
 const { resolveFeedbackDir } = require('./feedback-paths');
 const { ensureParentDir, readJsonl } = require('./fs-utils');
+const { redactSecretsDeep } = require('./secret-redaction');
 const {
   buildStableId,
   extractFilePaths,
@@ -137,15 +138,19 @@ function createLesson({ feedbackId, signal, inferredLesson, triggerMessage, prio
   // Stable link: dashboard deep-link to this lesson
   lesson.link = `${getLessonBaseUrl()}/lessons#${lesson.id}`;
 
+  // Redact secrets before persisting — lesson text is derived from conversation content that may
+  // have captured a pasted credential. See scripts/secret-redaction.js.
+  const redactedLesson = redactSecretsDeep(lesson);
+
   const lessonsPath = getLessonsPath();
   ensureParentDir(lessonsPath);
-  fs.appendFileSync(lessonsPath, JSON.stringify(lesson) + '\n');
+  fs.appendFileSync(lessonsPath, JSON.stringify(redactedLesson) + '\n');
 
   // Update recent lesson for statusbar
   const recentPath = getRecentLessonPath();
-  fs.writeFileSync(recentPath, JSON.stringify(lesson, null, 2) + '\n');
+  fs.writeFileSync(recentPath, JSON.stringify(redactedLesson, null, 2) + '\n');
 
-  return lesson;
+  return redactedLesson;
 }
 
 /**