thumbgate 1.27.4 → 1.27.7

package/src/api/server.js

@@ -3,6 +3,7 @@ const http = require('http');
 const https = require('https');
 const fs = require('fs');
 const path = require('path');
+const crypto = require('node:crypto');
 const { EventEmitter } = require('node:events');
 const pkg = require('../../package.json');
 const {
@@ -168,7 +169,13 @@ const {
   buildReviewSnapshot,
   readDashboardReviewState,
   writeDashboardReviewState,
+  collectAllFeedbackEntries,
 } = require('../../scripts/dashboard');
+const {
+  collectAggregateLogEntries,
+  computeAggregateFeedbackStats,
+  shouldAggregateFeedback,
+} = require('../../scripts/feedback-aggregate');
 const {
   guardDfcxWebhook,
 } = require('../../adapters/gcp/dfcx-webhook-gate');
@@ -209,6 +216,8 @@ const mcpOauth = require('../../scripts/mcp-oauth');
 // OAuth 2.1 (PKCE) authorization-server state for the remote MCP connector
 // (Claude Connectors Directory requires OAuth for authenticated services).
 const oauthStore = mcpOauth.createStore();
+const pendingOauthAuthorizeRequests = new Map();
+const OAUTH_AUTHORIZE_REQUEST_TTL_MS = 10 * 60 * 1000;
 const resendMailer = require('../../scripts/mailer/resend-mailer');
 const {
   buildContextFootprintReport,
@@ -231,12 +240,17 @@ const LEARN_PAGE_PATH = path.resolve(__dirname, '../../public/learn.html');
 const NUMBERS_PAGE_PATH = path.resolve(__dirname, '../../public/numbers.html');
 const FEDERAL_PAGE_PATH = path.resolve(__dirname, '../../public/federal.html');
 const PRICING_PAGE_PATH = path.resolve(__dirname, '../../public/pricing.html');
+const ABOUT_PAGE_PATH = path.resolve(__dirname, '../../public/about.html');
 const LEARN_DIR = path.resolve(__dirname, '../../public/learn');
 const GUIDES_DIR = path.resolve(__dirname, '../../public/guides');
 const COMPARE_DIR = path.resolve(__dirname, '../../public/compare');
 const USE_CASES_DIR = path.resolve(__dirname, '../../public/use-cases');
 const PUBLIC_DIR = path.resolve(__dirname, '../../public');
 const PUBLIC_ASSETS_DIR = path.resolve(__dirname, '../../public/assets');
+const LEARN_PAGE_PATHS_BY_SLUG = buildPublicHtmlFileMap(LEARN_DIR);
+const GUIDE_PAGE_PATHS_BY_SLUG = buildPublicHtmlFileMap(GUIDES_DIR);
+const COMPARE_PAGE_PATHS_BY_SLUG = buildPublicHtmlFileMap(COMPARE_DIR);
+const USE_CASE_PAGE_PATHS_BY_SLUG = buildPublicHtmlFileMap(USE_CASES_DIR);
 const BUYER_INTENT_SCRIPT_PATH = path.resolve(__dirname, '../../public/js/buyer-intent.js');
 const STATIC_MIME_BY_EXT = Object.freeze({
   '.png': 'image/png',
@@ -355,6 +369,7 @@ function serveStaticFile(res, filePath, { headOnly = false, cacheSeconds = 86400
   res.setHeader('Content-Type', contentType);
   res.setHeader('Content-Length', stat.size);
   res.setHeader('Cache-Control', `public, max-age=${cacheSeconds}, immutable`);
+  res.setHeader('Referrer-Policy', 'same-origin');
   if (headOnly) {
     res.end();
     return;
@@ -452,6 +467,36 @@ const TRACKED_LINK_TARGETS = Object.freeze({
     },
     allowCustomerEmail: true,
   },
+  diagnostic: {
+    configUrlKey: 'sprintDiagnosticCheckoutUrl',
+    fallbackHref: SPRINT_DIAGNOSTIC_CHECKOUT_URL,
+    external: true,
+    ctaId: 'go_diagnostic',
+    ctaPlacement: 'link_router',
+    eventType: 'cta_click',
+    defaults: {
+      utm_source: 'website',
+      utm_medium: 'link_router',
+      utm_campaign: 'sprint_diagnostic',
+      plan_id: 'sprint_diagnostic',
+    },
+    allowCustomerEmail: true,
+  },
+  sprint: {
+    configUrlKey: 'workflowSprintCheckoutUrl',
+    fallbackHref: WORKFLOW_SPRINT_CHECKOUT_URL,
+    external: true,
+    ctaId: 'go_sprint',
+    ctaPlacement: 'link_router',
+    eventType: 'cta_click',
+    defaults: {
+      utm_source: 'website',
+      utm_medium: 'link_router',
+      utm_campaign: 'workflow_sprint',
+      plan_id: 'workflow_sprint',
+    },
+    allowCustomerEmail: true,
+  },
   trial: {
     path: '/guide',
     ctaId: 'go_trial',
@@ -1550,14 +1595,104 @@ function normalizeEnterpriseChatPrompt(value) {
 
 function classifyEnterpriseChatTopic(prompt) {
   const lower = String(prompt || '').toLowerCase();
-  if (/gate|block|deny|prevent|guard/.test(lower)) return 'gates';
-  if (/lesson|memory|feedback|thumb|mistake|negative|positive/.test(lower)) return 'feedback';
+  // Feedback-specific words run FIRST: "what mistakes were blocked today" is a
+  // feedback question, not a gates question — must not be hijacked by /block/.
+  if (/mistake|lesson|memory|feedback|thumb|negative|positive|what (?:went )?wrong|fail|win|success|worked|good/.test(lower)) return 'feedback';
+  if (/gate|block|deny|prevent|guard|enforce/.test(lower)) return 'gates';
   if (/team|agent|org|enterprise|rollout/.test(lower)) return 'team';
   if (/token|cost|saving|budget|spend/.test(lower)) return 'cost';
   if (/vertex|gcp|google|dialogflow|dfcx|cloud/.test(lower)) return 'cloud';
   return 'overview';
 }
 
+// Parse intent: LIST vs COUNT, and time window. Lets us answer "what mistakes
+// today?" with an actual filtered list instead of a canned total.
+function parseChatIntent(prompt) {
+  const lower = String(prompt || '').toLowerCase();
+  const terms = new Set(lower.split(/[^a-z0-9]+/).filter(Boolean));
+  const hasTerm = (term) => terms.has(term);
+  const wantsList = lower.includes('tell me about') ||
+    ['what', 'which', 'list', 'show', 'example', 'examples'].some(hasTerm);
+  let windowMs = null;
+  let windowLabel = 'across all time';
+  if (/\btoday\b/.test(lower)) { windowMs = 24 * 60 * 60 * 1000; windowLabel = 'today'; }
+  else if (/\byesterday\b/.test(lower)) { windowMs = 48 * 60 * 60 * 1000; windowLabel = 'yesterday'; }
+  else if (/\bthis week\b|\b7 ?d(ay)?s?\b|\blast week\b/.test(lower)) { windowMs = 7 * 24 * 60 * 60 * 1000; windowLabel = 'the last 7 days'; }
+  else if (/\bthis month\b|\b30 ?d(ay)?s?\b|\blast month\b/.test(lower)) { windowMs = 30 * 24 * 60 * 60 * 1000; windowLabel = 'the last 30 days'; }
+  return { wantsList, windowMs, windowLabel };
+}
+
+// Read recent feedback entries (signal-filtered, time-filtered) directly from
+// the feedback log. Bounded + best-effort — never throws into the chat handler.
+// Treat short/placeholder context values as "no real description" so we don't
+// surface `"thumbs down"` × 3 as a useful list. Real feedback always has a
+// concrete sentence somewhere (whatWentWrong, distillation, whatToChange) —
+// pick the longest informative one.
+// Short tokens that mean "no real description" — kept as a plain Set, not a
+// big regex, to keep complexity low and easy to extend.
+const PLACEHOLDER_TOKENS = new Set([
+  'thumbs down', 'thumbs up', 'thumb down', 'thumb up',
+  'good', 'bad', 'ok', 'nice', 'verify', 'verifies', 'verification', 'test', 'testing',
+]);
+
+function isPlaceholder(text) {
+  const t = String(text || '').trim();
+  if (!t || t.length < 20) return true;
+  return PLACEHOLDER_TOKENS.has(t.toLowerCase().replace(/\.$/, ''));
+}
+
+function bestFeedbackDescription(row) {
+  const candidates = [row.whatWentWrong, row.distillation, row.context, row.whatToChange, row.whatWorked, row.reasoning]
+    .map((c) => String(c || '').trim());
+  // Prefer the longest non-placeholder candidate; fall back to any non-empty.
+  const informative = candidates.filter((c) => c && !isPlaceholder(c));
+  const fallback = candidates.find(Boolean) || '';
+  const best = informative.reduce((a, b) => (b.length > a.length ? b : a), '') || fallback;
+  return best.slice(0, 220);
+}
+
+function readRecentFeedbackEntries(feedbackDir, signal, windowMs, limit = 5, opts = {}) {
+  try {
+    if (!feedbackDir) return [];
+    const rows = shouldAggregateFeedback()
+      ? collectAggregateLogEntries('feedback-log.jsonl', { feedbackDir }).entries
+      : (() => {
+          const fsLocal = require('node:fs');
+          const pathLocal = require('node:path');
+          const logPath = pathLocal.join(feedbackDir, 'feedback-log.jsonl');
+          if (!fsLocal.existsSync(logPath)) return [];
+          const { readJsonl } = require('../../scripts/fs-utils');
+          return readJsonl(logPath) || [];
+        })();
+    const cutoff = windowMs ? Date.now() - windowMs : 0;
+    const filtered = rows
+      .filter((r) => !signal || r.signal === signal)
+      .filter((r) => {
+        if (!cutoff) return true;
+        const t = r.timestamp ? Date.parse(r.timestamp) : Number.NaN;
+        return Number.isFinite(t) && t >= cutoff;
+      })
+      .reverse()
+      .map((r) => {
+        const out = {
+          timestamp: r.timestamp,
+          context: bestFeedbackDescription(r),
+          tags: Array.isArray(r.tags) ? r.tags : []
+        };
+        if (opts.includeSignal) out.signal = r.signal;
+        return out;
+      });
+    // For list display, drop entries with no real description so the list is useful,
+    // not three "thumbs down" placeholders. For count-only (high limit), keep all.
+    const useful = opts.skipPlaceholders === false || limit > 50
+      ? filtered
+      : filtered.filter((e) => e.context && !isPlaceholder(e.context));
+    return useful.slice(0, limit);
+  } catch {
+    return [];
+  }
+}
+
 function containsUnsafeEnterpriseChatInput(prompt) {
   return /[;&|`$<>\\]/.test(String(prompt || ''));
 }
@@ -1567,101 +1702,135 @@ function compactNumber(value) {
   return Number.isFinite(n) ? n : 0;
 }
 
-function isTodayScopedPrompt(prompt) {
-  return /\btoday\b|\bthis day\b|\blast 24\b|\b24 hours\b/i.test(String(prompt || ''));
+// Pick a signal preference from the prompt. Returns 'negative' | 'positive' | null.
+function detectFeedbackSignalFromPrompt(prompt) {
+  const lower = String(prompt || '').toLowerCase();
+  const wantsNeg = /mistake|wrong|fail|negative|thumbs? *down|block/.test(lower);
+  const wantsPos = /positive|thumbs? *up|worked|success|wins?\b|good/.test(lower);
+  if (wantsNeg && !wantsPos) return 'negative';
+  if (wantsPos && !wantsNeg) return 'positive';
+  return null;
+}
+
+const FEEDBACK_LIST_LABELS = Object.freeze({
+  negative: 'Recent mistakes',
+  positive: 'Recent wins',
+});
+
+const FEEDBACK_OMITTED_TAGS = Object.freeze(['audit-trail', 'auto-capture']);
+
+function formatChatTimestamp(isoString) {
+  if (!isoString) return 'unknown time';
+  try {
+    const d = new Date(isoString);
+    if (Number.isNaN(d.getTime())) return isoString;
+    const pad = (n) => String(n).padStart(2, '0');
+    const yyyy = d.getFullYear();
+    const mm = pad(d.getMonth() + 1);
+    const dd = pad(d.getDate());
+    const hh = pad(d.getHours());
+    const min = pad(d.getMinutes());
+    const ss = pad(d.getSeconds());
+    return `${yyyy}-${mm}-${dd} ${hh}:${min}:${ss}`;
+  } catch {
+    return isoString;
+  }
 }
 
-function getTodayGateAudit(gateAudit) {
-  const days = gateAudit && Array.isArray(gateAudit.days) ? gateAudit.days : [];
-  return days.length > 0 ? days[days.length - 1] : null;
+function buildFeedbackEntries(windowed, signal) {
+  return (signal ? windowed.filter((r) => r.signal === signal) : windowed)
+    .filter((r) => r.context && !isPlaceholder(r.context))
+    .slice(0, 5);
 }
 
-function formatGateBuckets(byGate) {
-  return Object.entries(byGate || {})
-    .filter(([, count]) => compactNumber(count) > 0)
-    .sort((a, b) => compactNumber(b[1]) - compactNumber(a[1]))
-    .slice(0, 3)
-    .map(([gateId, count]) => `${gateId} (${compactNumber(count)}x)`);
+function formatFeedbackEntry(entry) {
+  const tsFormatted = formatChatTimestamp(entry.timestamp);
+  const signalLabel = entry.signal ? ` [${entry.signal}]` : '';
+  const tagsList = Array.isArray(entry.tags)
+    ? entry.tags.filter((tag) => !FEEDBACK_OMITTED_TAGS.includes(tag))
+    : [];
+  const tagsStr = tagsList.length ? ` (${tagsList.join(', ')})` : '';
+  return `  • ${tsFormatted}${signalLabel}${tagsStr} — ${entry.context}`;
 }
 
-function buildTodayGateAnswer(prompt, dashboardData, gateStats, gates) {
-  if (!isTodayScopedPrompt(prompt)) return null;
-  const lower = String(prompt || '').toLowerCase();
-  const gateAudit = dashboardData.gateAudit || {};
-  const prevention = dashboardData.prevention || {};
-  const today = getTodayGateAudit(gateAudit) || { deny: 0, warn: 0, intercepted: 0, byGate: {} };
-  const activeGateCount = gates.length || compactNumber(gateStats.totalGates);
-
-  if (/\b(activated|promoted|created|enabled)\b/.test(lower)) {
-    const promotionsToday = compactNumber(prevention.promotionsToday);
-    const promotedIds = Array.isArray(prevention.promotionIdsToday) ? prevention.promotionIdsToday.filter(Boolean) : [];
-    return [
-      `Gates activated today: ${promotionsToday}.`,
-      `Active gates now: ${activeGateCount}.`,
-      promotedIds.length > 0 ? `Promoted today: ${promotedIds.slice(0, 3).join(', ')}.` : '',
-    ].filter(Boolean);
+function appendFeedbackListLines(lines, { entries, signal, intent }) {
+  if (!entries.length) {
+    lines.push(`No ${signal || 'feedback'} entries found ${intent.windowLabel}.`);
+    return;
   }
+  lines.push(`${FEEDBACK_LIST_LABELS[signal] || 'Recent feedback'} (${intent.windowLabel}):`);
+  lines.push(...entries.map(formatFeedbackEntry));
+}
+
+function buildFeedbackSection({ ctx, intent, feedbackDir, approval, lessonPipeline }) {
+  const signal = detectFeedbackSignalFromPrompt(ctx.prompt);
+  // One read of the time-windowed log, then in-memory counts + (signal-filtered,
+  // placeholder-stripped) list. Counts include ALL entries (so "Feedback today: 5"
+  // matches the dashboard tile); the list drops vague entries like literal "thumbs
+  // down" / "good" so it surfaces only entries with real, actionable description.
+  const windowed = readRecentFeedbackEntries(feedbackDir, null, intent.windowMs, 10000, { includeSignal: true });
+  const windowPos = windowed.filter((r) => r.signal === 'positive').length;
+  const windowNeg = windowed.filter((r) => r.signal === 'negative').length;
+  const entries = buildFeedbackEntries(windowed, signal);
+
+  const lines = [
+    intent.windowMs
+    ? `Feedback ${intent.windowLabel}: ${windowed.length} (${windowPos} positive, ${windowNeg} negative).`
+    : `Feedback total: ${compactNumber(approval.total)} (${compactNumber(approval.positive)} positive, ${compactNumber(approval.negative)} negative).`,
+  ];
 
-  if (/\b(what|which)\b/.test(lower) && /\b(mistake|mistakes|block|blocked|prevent|prevented)\b/.test(lower)) {
-    const gateBuckets = formatGateBuckets(today.byGate);
-    return [
-      `Today: ${compactNumber(today.deny)} blocked actions and ${compactNumber(today.warn)} warning checkpoints.`,
-      gateBuckets.length > 0
-        ? `Top blocked/warned gates today: ${gateBuckets.join(', ')}.`
-        : 'No per-gate blocked mistake names are present in today\'s local audit snapshot.',
-    ];
+  if (intent.wantsList) {
+    appendFeedbackListLines(lines, { entries, signal, intent });
+  } else {
+    lines.push(`Lesson pipeline: ${compactNumber(lessonPipeline.lessons || lessonPipeline.generated || 0)} lessons visible in the current dashboard snapshot.`);
   }
+  return { lines, sources: ['feedback log', intent.wantsList ? 'feedback contexts' : 'lesson pipeline'] };
+}
 
-  if (/\b(prevent|prevented|intercept|intercepted)\b/.test(lower)) {
-    return [
-      `Mistakes prevented today: ${compactNumber(today.intercepted)} interventions (${compactNumber(today.deny)} blocked, ${compactNumber(today.warn)} warned).`,
-      `All-time blocked actions recorded: ${compactNumber(gateStats.blocked || gateStats.denied || gateStats.totalBlocked)}.`,
-    ];
-  }
+const GATE_EVENTS_REGEX = /activat|fired|trigger|block|denied|prevent|enforce|hit/;
 
-  if (/\b(block|blocked|deny|denied)\b/.test(lower)) {
-    return [
-      `Mistakes blocked today: ${compactNumber(today.deny)} deny decisions.`,
-      `Warnings today: ${compactNumber(today.warn)}; all-time blocked actions recorded: ${compactNumber(gateStats.blocked || gateStats.denied || gateStats.totalBlocked)}.`,
-    ];
-  }
+function describeGate(g) {
+  return `${g.name || g.id || 'unnamed'}${g.severity ? ' [' + g.severity + ']' : ''}`;
+}
 
-  return null;
+function buildGatesSection({ ctx, intent, gates, gateStats }) {
+  const asksEvents = GATE_EVENTS_REGEX.test(String(ctx.prompt || '').toLowerCase());
+  const totalActive = gates.length || compactNumber(gateStats.totalGates);
+  const totalBlocked = compactNumber(gateStats.blocked || gateStats.denied || gateStats.totalBlocked);
+
+  const lines = [];
+  if (asksEvents) {
+    lines.push(`Blocked actions recorded (all time): ${totalBlocked}.`);
+    if (intent.windowMs) {
+      lines.push(`(Per-${intent.windowLabel} block-event breakdown isn't tracked in the local dashboard snapshot — only the running total. Filter the gate-events log directly for a precise window.)`);
+    }
+  } else {
+    lines.push(`Active gates: ${totalActive}.`);
+  }
+  if (intent.wantsList && gates.length) {
+    lines.push('Active gates:');
+    for (const g of gates.slice(0, 8)) lines.push(`  • ${describeGate(g)}`);
+  } else if (gates[0] && !intent.wantsList) {
+    lines.push(`Example gate: ${describeGate(gates[0])}.`);
+  }
+  return { lines, sources: ['gate stats'] };
 }
 
-function buildEnterpriseChatSection(topic, dashboardData, status, prompt) {
+function buildEnterpriseChatSection(topic, dashboardData, status, ctx = {}) {
   const approval = dashboardData.approval || {};
   const gates = Array.isArray(dashboardData.gates) ? dashboardData.gates : [];
   const gateStats = dashboardData.gateStats || {};
   const team = dashboardData.team || {};
   const tokenSavings = dashboardData.tokenSavings || {};
   const lessonPipeline = dashboardData.lessonPipeline || {};
+  const intent = ctx.intent || { wantsList: false, windowMs: null, windowLabel: 'across all time' };
+  const feedbackDir = ctx.feedbackDir || null;
 
   if (topic === 'feedback') {
-    return {
-      lines: [
-        `Feedback total: ${compactNumber(approval.total)} (${compactNumber(approval.positive)} positive, ${compactNumber(approval.negative)} negative).`,
-        `Lesson pipeline: ${compactNumber(lessonPipeline.lessons || lessonPipeline.generated || 0)} lessons visible in the current dashboard snapshot.`,
-      ],
-      sources: ['feedback log', 'lesson pipeline'],
-    };
+    return buildFeedbackSection({ ctx, intent, feedbackDir, approval, lessonPipeline });
   }
   if (topic === 'gates') {
-    const todayGateAnswer = buildTodayGateAnswer(prompt, dashboardData, gateStats, gates);
-    if (todayGateAnswer) {
-      return {
-        lines: todayGateAnswer,
-        sources: ['gate audit', 'gate stats'],
-      };
-    }
-    return {
-      lines: [
-        `Active gates: ${gates.length || compactNumber(gateStats.totalGates)}.`,
-        `Blocked actions recorded: ${compactNumber(gateStats.blocked || gateStats.denied || gateStats.totalBlocked)}.`,
-        gates[0] ? `Example gate: ${gates[0].name || gates[0].id || 'unnamed gate'}.` : '',
-      ].filter(Boolean),
-      sources: ['gate stats'],
-    };
+    return buildGatesSection({ ctx, intent, gates, gateStats });
   }
   if (topic === 'team') {
     return {
@@ -1702,13 +1871,22 @@ function buildEnterpriseChatSection(topic, dashboardData, status, prompt) {
   };
 }
 
-function buildEnterpriseChatAnswer(prompt, dashboardData, status) {
+function buildEnterpriseChatAnswer(prompt, dashboardData, status, opts = {}) {
   const topic = classifyEnterpriseChatTopic(prompt);
-  const section = buildEnterpriseChatSection(topic, dashboardData, status, prompt);
+  const intent = parseChatIntent(prompt);
+  const section = buildEnterpriseChatSection(topic, dashboardData, status, {
+    intent,
+    feedbackDir: opts.feedbackDir,
+    prompt,
+  });
+
+  // List-style answers want newlines; single-line answers join with space.
+  const hasList = section.lines.some((l) => /^\s*•/.test(l));
+  const answer = hasList ? section.lines.join('\n') : section.lines.join(' ');
 
   return {
     topic,
-    answer: section.lines.join(' '),
+    answer,
     sources: ['local dashboard data', ...section.sources],
   };
 }
@@ -1724,6 +1902,7 @@ async function trySendLocalDashboardChat(res, parsed, feedbackDir, prompt, suffi
       prompt,
       dashboardResult.data,
       buildEnterpriseDataChatStatus(),
+      { feedbackDir },
     );
     sendJson(res, 200, {
       ok: true,
@@ -1735,7 +1914,7 @@ async function trySendLocalDashboardChat(res, parsed, feedbackDir, prompt, suffi
       grounded: true,
     });
     return true;
-  } catch (_) {
+  } catch {
     return false;
   }
 }
@@ -1771,7 +1950,7 @@ async function answerEnterpriseDataChat({ prompt, feedbackDir, parsed }) {
   // The dashboard's real local/open-source chatbot turn goes through /v1/chat,
   // which uses lesson retrieval + optional LanceDB vector search + the user's
   // configured local or BYO model.
-  const chat = buildEnterpriseChatAnswer(normalizedPrompt, dashboardData, status);
+  const chat = buildEnterpriseChatAnswer(normalizedPrompt, dashboardData, status, { feedbackDir });
   const dfcxRequest = {
     fulfillmentInfo: { tag: 'chat-with-data' },
     sessionInfo: {
@@ -1809,7 +1988,7 @@ async function answerEnterpriseDataChat({ prompt, feedbackDir, parsed }) {
 const answerEnterpriseDialogflowChat = answerEnterpriseDataChat;
 
 function buildLossAnalyticsResponse(data, summaryOptions) {
-  return {
+  return sanitizeHtmlUnsafeJsonValue({
     window: data.analytics.window || summaryOptions,
     lossAnalysis: data.analytics.lossAnalysis || null,
     buyerLoss: data.analytics.buyerLoss || null,
@@ -1821,13 +2000,50 @@ function buildLossAnalyticsResponse(data, summaryOptions) {
       ctas: data.analytics.telemetry && data.analytics.telemetry.ctas,
       visitors: data.analytics.telemetry && data.analytics.telemetry.visitors,
     },
-  };
+  });
 }
 
 function createJourneyId(prefix) {
   return createTraceId(prefix).replace(/^trace_/, `${prefix}_`);
 }
 
+function normalizeCheckoutInterstitialSampleRate(value) {
+  const parsed = Number.parseFloat(String(value || '').trim());
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    return 0;
+  }
+  if (parsed > 1) {
+    return Math.min(parsed / 100, 1);
+  }
+  return Math.min(parsed, 1);
+}
+
+function stableUnitInterval(value) {
+  const text = String(value || '');
+  let hash = 2166136261;
+  for (const character of text) {
+    hash ^= character.codePointAt(0);
+    hash = Math.imul(hash, 16777619);
+  }
+  return (hash >>> 0) / 4294967296;
+}
+
+function shouldSampleCheckoutInterstitial({ sampleRate, traceId, analyticsMetadata }) {
+  if (sampleRate <= 0) {
+    return false;
+  }
+  if (sampleRate >= 1) {
+    return true;
+  }
+  const seed = [
+    analyticsMetadata?.visitorId,
+    analyticsMetadata?.sessionId,
+    analyticsMetadata?.acquisitionId,
+    traceId,
+  ].filter(Boolean).join(':');
+  return stableUnitInterval(seed || traceId) < sampleRate;
+}
+
 function appendQueryParam(url, key, value) {
   const normalized = normalizeNullableText(value);
   if (normalized) {
@@ -1887,9 +2103,245 @@ function buildCheckoutIntentHref(baseUrl, metadata = {}, overrides = {}) {
   });
 }
 
-function renderCheckoutIntentPage(prefilledEmail = '') {
+const CHECKOUT_HIDDEN_ATTRIBUTION_KEYS = Object.freeze([
+  'trace_id',
+  'acquisition_id',
+  'visitor_id',
+  'session_id',
+  'visitor_session_id',
+  'install_id',
+  'utm_source',
+  'utm_medium',
+  'utm_campaign',
+  'utm_content',
+  'utm_term',
+  'creator',
+  'community',
+  'post_id',
+  'comment_id',
+  'campaign_variant',
+  'offer_code',
+  'cta_id',
+  'cta_placement',
+  'plan_id',
+  'billing_cycle',
+  'seat_count',
+  'landing_path',
+  'referrer_host',
+]);
+
+function normalizeHiddenAttributionValue(value) {
+  const normalized = normalizeNullableText(value);
+  if (!normalized) return '';
+  return normalized.slice(0, 512);
+}
+
+function buildCheckoutHiddenAttributionInputs(parsed = null) {
+  if (!parsed?.searchParams) return '';
+
+  const inputs = [];
+  for (const key of CHECKOUT_HIDDEN_ATTRIBUTION_KEYS) {
+    const value = normalizeHiddenAttributionValue(parsed.searchParams.get(key));
+    if (value) {
+      inputs.push(`<input type="hidden" name="${key}" value="${escapeHtmlAttribute(value)}">`);
+    }
+  }
+  return inputs.join('');
+}
+
+function prunePendingOauthAuthorizeRequests(now = Date.now()) {
+  for (const [token, entry] of pendingOauthAuthorizeRequests.entries()) {
+    if (!entry || entry.expiresAt <= now) {
+      pendingOauthAuthorizeRequests.delete(token);
+    }
+  }
+}
+
+function createPendingOauthAuthorizeRequest(params, now = Date.now()) {
+  prunePendingOauthAuthorizeRequests(now);
+  const token = crypto.randomBytes(32).toString('base64url');
+  pendingOauthAuthorizeRequests.set(token, {
+    params,
+    expiresAt: now + OAUTH_AUTHORIZE_REQUEST_TTL_MS,
+  });
+  return token;
+}
+
+function consumePendingOauthAuthorizeRequest(token, now = Date.now()) {
+  if (!token) return null;
+  prunePendingOauthAuthorizeRequests(now);
+  const entry = pendingOauthAuthorizeRequests.get(token);
+  if (!entry) return null;
+  pendingOauthAuthorizeRequests.delete(token);
+  return entry.params;
+}
+
+function getOauthAuthorizeParamsFromQuery(searchParams) {
+  return {
+    clientId: searchParams.get('client_id') || '',
+    redirectUri: searchParams.get('redirect_uri') || '',
+    codeChallenge: searchParams.get('code_challenge') || '',
+    codeChallengeMethod: searchParams.get('code_challenge_method') || '',
+    scope: searchParams.get('scope') || undefined,
+    state: searchParams.get('state') || '',
+    resource: searchParams.get('resource') || '',
+  };
+}
+
+function getOauthAuthorizeParamsFromForm(form, hostedConfig) {
+  const pending = consumePendingOauthAuthorizeRequest(form.get('auth_request_token') || '');
+  if (pending) return pending;
+  return {
+    clientId: form.get('client_id') || '',
+    redirectUri: form.get('redirect_uri') || '',
+    codeChallenge: form.get('code_challenge') || '',
+    codeChallengeMethod: form.get('code_challenge_method') || '',
+    scope: form.get('scope') || undefined,
+    state: form.get('state') || '',
+    resource: form.get('resource') || buildPublicUrl(hostedConfig, '/mcp'),
+  };
+}
+
+function renderCheckoutIntentPage(prefilledEmail = '', parsed = null, options = {}) {
   const plausibleDomain = escapeHtmlAttribute(resolvePlausibleDataDomain({ host: 'thumbgate.ai' }));
-  return `<!doctype html><html lang="en"><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>Confirm — ThumbGate Pro</title><script defer data-domain="${plausibleDomain}" src="https://plausible.io/js/script.tagged-events.js"></script><script>window.plausible=window.plausible||function(){(window.plausible.q=window.plausible.q||[]).push(arguments)};</script><style>body{background:#0a0a0a;color:#eee;font-family:system-ui,-apple-system,sans-serif;line-height:1.5}main{max-width:520px;margin:8vh auto;padding:0 20px}.brand{display:flex;align-items:center;gap:10px;margin-bottom:24px;font-size:14px;color:#94a3b8}.brand-mark{width:24px;height:24px;background:#22d3ee;border-radius:6px;display:inline-block}h1{font-size:24px;margin:0 0 8px;color:#fff}.price{font-size:32px;font-weight:700;color:#22d3ee;margin:8px 0 4px}.price small{font-size:14px;color:#94a3b8;font-weight:400}p{color:#cbd5e1;margin:8px 0}form{margin:0}input[type=email]{width:100%;box-sizing:border-box;padding:14px 16px;border:1px solid #374151;border-radius:8px;background:#111827;color:#fff;font-size:15px;margin:16px 0 0;outline:none}input[type=email]:focus{border-color:#22d3ee}input[type=email]::placeholder{color:#64748b}button.primary{background:#22d3ee;color:#000;padding:16px;text-align:center;border-radius:8px;font-weight:700;font-size:16px;margin:10px 0;border:none;cursor:pointer;width:100%}a{display:block;text-decoration:none}a.secondary{border:1px solid #374151;color:#cbd5e1;padding:12px;text-align:center;border-radius:8px;margin:8px 0 0;font-size:14px}.trust{margin:24px 0;padding:16px;border:1px solid #1f2937;border-radius:8px;background:#0f172a}.trust-item{font-size:13px;color:#cbd5e1;padding:4px 0;display:flex;gap:8px}.trust-item::before{content:"✓";color:#22d3ee;font-weight:700}.choice-note{font-size:13px;color:#94a3b8;margin-top:14px}.back{text-align:center;color:#64748b;font-size:12px;margin-top:24px}.back a{color:#64748b;display:inline}.email-note{font-size:12px;color:#64748b;margin:4px 0 0}</style><main><div class="brand"><span class="brand-mark"></span><span>ThumbGate</span></div><h1>Start ThumbGate Pro</h1><div class="price">$19<small>/mo</small></div><p>The npm package runs your gates locally. <strong>Pro</strong> is what keeps them working across every machine, every agent runtime, and every breaking-change week.</p><form action="/checkout/pro" method="GET" data-i="pro_checkout_confirmed"><input type="hidden" name="confirm" value="1"><input type="email" name="customer_email" value="${escapeHtmlAttribute(prefilledEmail)}" placeholder="you@company.com" required autocomplete="email"><p class="email-note">Pre-fills your Stripe receipt. We only email if you ask.</p><button type="submit" class="primary">Pay $19/mo with Stripe →</button></form><a class="secondary" data-i="workflow_sprint_intake" href="/#workflow-sprint-intake">Not sure yet? Send the workflow first</a><p class="choice-note">Cancel anytime. 7-day refund, no questions. Diagnostics and sprints have their own pages.</p><div class="trust"><div class="trust-item">Lessons synced across all your machines — no local SQLite to babysit</div><div class="trust-item">Adapter matrix kept current for Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode — version drift is our problem, not yours</div><div class="trust-item">Hosted dashboard: gate stats, DPO export, org-wide rule library</div><div class="trust-item">24×7 ops on the rule engine — SonarCloud regressions fixed in &lt;24h</div></div><p class="back"><a href="/">← Back to thumbgate.ai</a></p></main><script>document.querySelector('form').addEventListener('submit',e=>{if(navigator.sendBeacon)navigator.sendBeacon('/v1/telemetry/ping',new Blob([JSON.stringify({eventType:'checkout_interstitial_cta_clicked',clientType:'web',page:'/checkout/pro',ctaId:'pro_checkout_confirmed',ctaPlacement:'checkout_interstitial',customerEmail:document.querySelector('input[name=customer_email]').value})],{type:'application/json'}));try{window.plausible&&window.plausible('Checkout Pro Email Submitted',{props:{page:'/checkout/pro',source:'interstitial'}})}catch(_){}})</script></html>`;
+  const includeHiddenAttribution = options.includeHiddenAttribution === true;
+  const hiddenInputs = includeHiddenAttribution
+    ? buildCheckoutHiddenAttributionInputs(parsed)
+    : '';
+  return `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Confirm - ThumbGate Pro</title>
+<script defer data-domain="${plausibleDomain}" src="https://plausible.io/js/script.tagged-events.js"></script>
+<script>window.plausible=window.plausible||function(){(window.plausible.q=window.plausible.q||[]).push(arguments)};</script>
+<style>
+body{background:#0a0a0a;color:#eee;font-family:system-ui,-apple-system,sans-serif;line-height:1.5}
+main{max-width:520px;margin:8vh auto;padding:0 20px}
+.brand{display:flex;align-items:center;gap:10px;margin-bottom:24px;font-size:14px;color:#94a3b8}
+.brand-mark{width:24px;height:24px;background:#22d3ee;border-radius:6px;display:inline-block}
+h1{font-size:24px;margin:0 0 8px;color:#fff}.price{font-size:32px;font-weight:700;color:#22d3ee;margin:8px 0 4px}.price small{font-size:14px;color:#94a3b8;font-weight:400}
+p{color:#cbd5e1;margin:8px 0}form{margin:0}
+input[type=email]{width:100%;box-sizing:border-box;padding:14px 16px;border:1px solid #374151;border-radius:8px;background:#111827;color:#fff;font-size:15px;margin:16px 0 0;outline:none}
+input[type=email]:focus{border-color:#22d3ee}input[type=email]::placeholder{color:#64748b}
+button.primary{background:#22d3ee;color:#000;padding:16px;text-align:center;border-radius:8px;font-weight:700;font-size:16px;margin:10px 0;border:none;cursor:pointer;width:100%}
+a{display:block;text-decoration:none}a.secondary{border:1px solid #374151;color:#cbd5e1;padding:12px;text-align:center;border-radius:8px;margin:8px 0 0;font-size:14px}
+.trust,.objection-box{margin:24px 0;padding:16px;border:1px solid #1f2937;border-radius:8px;background:#0f172a}
+.trust-item{font-size:13px;color:#cbd5e1;padding:4px 0;display:flex;gap:8px}.trust-item::before{content:"✓";color:#22d3ee;font-weight:700}
+.choice-note,.email-note,.objection-note{font-size:13px;color:#94a3b8;margin-top:10px}
+.objection-grid{display:grid;gap:8px;margin-top:12px}
+.objection-grid button{border:1px solid #374151;background:#111827;color:#e5e7eb;border-radius:8px;padding:10px 12px;text-align:left;cursor:pointer}
+.objection-grid button:hover,.objection-grid button:focus{border-color:#22d3ee;outline:none}
+.feedback-saved{display:none;color:#22d3ee;font-size:13px;margin-top:10px}
+.back{text-align:center;color:#64748b;font-size:12px;margin-top:24px}.back a{color:#64748b;display:inline}
+</style>
+</head>
+<body>
+<main>
+<div class="brand"><span class="brand-mark"></span><span>ThumbGate</span></div>
+<h1>Start ThumbGate Pro</h1>
+<div class="price">$19<small>/mo</small></div>
+<p>The npm package runs your gates locally. <strong>Pro</strong> is what keeps them working across every machine, every agent runtime, and every breaking-change week.</p>
+<form action="/checkout/pro" method="GET" data-i="pro_checkout_confirmed">
+${hiddenInputs}
+<input type="hidden" name="confirm" value="1">
+<input type="email" name="customer_email" value="${escapeHtmlAttribute(prefilledEmail)}" placeholder="you@company.com" autocomplete="email">
+<p class="email-note">Optional. Stripe can collect your email on the secure checkout page.</p>
+<button type="submit" class="primary">Pay $19/mo with Stripe →</button>
+</form>
+<a class="secondary" data-i="workflow_sprint_intake" href="/#workflow-sprint-intake">Not sure yet? Send the workflow first</a>
+<p class="choice-note">Cancel anytime. 7-day refund, no questions. Diagnostics and sprints have their own pages.</p>
+<div class="objection-box" aria-label="Checkout feedback">
+<strong>Not buying today?</strong>
+<p class="objection-note">Tap one reason so we know what to fix. This does not sign you up.</p>
+<div class="objection-grid">
+<button type="button" data-reason="price_unclear">Price or scope is unclear</button>
+<button type="button" data-reason="need_more_proof">Need more proof first</button>
+<button type="button" data-reason="need_team_plan">Need a team/workflow plan instead</button>
+<button type="button" data-reason="not_urgent">Not urgent right now</button>
+</div>
+<div class="feedback-saved" id="feedback-saved">Feedback saved.</div>
+</div>
+<div class="trust"><div class="trust-item">Lessons synced across all your machines — no local SQLite to babysit</div><div class="trust-item">Adapter matrix kept current for Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode — version drift is our problem, not yours</div><div class="trust-item">Hosted dashboard: gate stats, DPO export, org-wide rule library</div><div class="trust-item">24×7 ops on the rule engine — SonarCloud regressions fixed in &lt;24h</div></div>
+<p class="back"><a href="/">← Back to thumbgate.ai</a></p>
+</main>
+<script>
+(function(){
+  var params = new URLSearchParams(window.location.search);
+  var submitted = false;
+  var feedbackSent = false;
+  function pick(key, fallback) { return params.get(key) || fallback || null; }
+  function sendTelemetry(eventType, extra) {
+    var payload = Object.assign({
+      eventType: eventType,
+      clientType: 'web',
+      page: '/checkout/pro',
+      traceId: pick('trace_id'),
+      acquisitionId: pick('acquisition_id'),
+      visitorId: pick('visitor_id'),
+      sessionId: pick('visitor_session_id') || pick('session_id'),
+      installId: pick('install_id'),
+      source: pick('utm_source') || pick('source') || 'website',
+      utmSource: pick('utm_source') || pick('source') || 'website',
+      utmMedium: pick('utm_medium') || 'checkout_interstitial',
+      utmCampaign: pick('utm_campaign') || 'pro_pack',
+      utmContent: pick('utm_content'),
+      utmTerm: pick('utm_term'),
+      creator: pick('creator') || pick('creator_handle'),
+      community: pick('community') || pick('subreddit'),
+      postId: pick('post_id'),
+      commentId: pick('comment_id'),
+      campaignVariant: pick('campaign_variant'),
+      offerCode: pick('offer_code'),
+      ctaId: pick('cta_id') || 'pricing_pro',
+      ctaPlacement: pick('cta_placement') || 'checkout_interstitial',
+      planId: pick('plan_id') || 'pro',
+      billingCycle: pick('billing_cycle') || 'monthly',
+      landingPath: pick('landing_path') || '/',
+      referrerHost: pick('referrer_host'),
+      referrer: document.referrer || null
+    }, extra || {});
+    var body = JSON.stringify(payload);
+    if (navigator.sendBeacon) {
+      navigator.sendBeacon('/v1/telemetry/ping', new Blob([body], { type: 'application/json' }));
+      return;
+    }
+    fetch('/v1/telemetry/ping', { method:'POST', headers:{ 'content-type':'application/json' }, body: body, keepalive: true }).catch(function(){});
+  }
+  document.querySelector('form').addEventListener('submit', function(){
+    submitted = true;
+    var emailInput = document.querySelector('input[name=customer_email]');
+    sendTelemetry('checkout_interstitial_cta_clicked', {
+      ctaId: 'pro_checkout_confirmed',
+      ctaPlacement: 'checkout_interstitial',
+      customerEmail: emailInput ? emailInput.value : null
+    });
+    try { window.plausible && window.plausible('Checkout Pro Email Submitted', { props: { page:'/checkout/pro', source:'interstitial' } }); } catch(_) {}
+  });
+  document.querySelectorAll('[data-reason]').forEach(function(button) {
+    button.addEventListener('click', function(){
+      var reason = button.getAttribute('data-reason');
+      feedbackSent = true;
+      sendTelemetry('reason_not_buying', {
+        reasonCode: reason,
+        ctaId: 'checkout_interstitial_reason_' + reason,
+        ctaPlacement: 'checkout_interstitial_feedback'
+      });
+      try { window.plausible && window.plausible('Checkout Pro Reason Not Buying', { props: { page:'/checkout/pro', reasonCode: reason } }); } catch(_) {}
+      var saved = document.getElementById('feedback-saved');
+      if (saved) saved.style.display = 'block';
+    });
+  });
+  window.addEventListener('pagehide', function(){
+    if (!submitted && !feedbackSent) {
+      sendTelemetry('checkout_interstitial_abandoned', { reasonCode: 'left_without_confirming' });
+    }
+  });
+})();
+</script>
+</body>
+</html>`;
 }
 
 function buildCheckoutBootstrapBody(parsed, req, journeyState = resolveJourneyState(req, parsed)) {
@@ -1953,17 +2405,6 @@ function normalizeCheckoutCustomerEmail(value) {
   return email;
 }
 
-function renderCheckoutIntentGate(parsed, responseHeaders = {}) {
-  let hiddenInputs = '';
-  for (const [key, value] of parsed.searchParams.entries()) {
-    if (key !== 'confirm' && key !== 'customer_email') hiddenInputs += `<input type=hidden name=${escapeHtmlAttribute(key)} value=${escapeHtmlAttribute(value)}>`;
-  }
-  return {
-    html: `<!doctype html><h1>Email for Stripe receipt</h1><form action=/checkout/pro>${hiddenInputs}<input type=hidden name=confirm value=1><input name=customer_email type=email required><button>Continue</button></form>`,
-    headers: responseHeaders,
-  };
-}
-
 function normalizeTrackedLinkSlug(value) {
   return String(value || '').trim().toLowerCase().replace(/[^a-z0-9-]/g, '');
 }
@@ -1974,6 +2415,27 @@ function normalizePublicPageSlug(value) {
     .replace(/[^a-z0-9-]/g, '');
 }
 
+function buildPublicHtmlFileMap(directory) {
+  const entries = new Map();
+  try {
+    for (const fileName of fs.readdirSync(directory)) {
+      if (!/^[a-z0-9-]+\.html$/i.test(fileName)) continue;
+      const slug = normalizePublicPageSlug(fileName);
+      if (!slug) continue;
+      entries.set(slug, path.join(directory, fileName));
+    }
+  } catch (error) {
+    if (error?.code !== 'ENOENT') throw error;
+  }
+  return entries;
+}
+
+function resolvePublicHtmlFile(publicPageMap, rawSlug) {
+  const slug = normalizePublicPageSlug(rawSlug);
+  if (!slug) return null;
+  return publicPageMap.get(slug) || null;
+}
+
 function getTrackedLinkTarget(slug) {
   const normalizedSlug = normalizeTrackedLinkSlug(slug);
   return TRACKED_LINK_TARGETS[normalizedSlug]
@@ -2009,8 +2471,10 @@ function appendTrackedLinkQueryParams(destinationUrl, parsed, target) {
 }
 
 function buildTrackedLinkDestination(target, hostedConfig, parsed) {
-  const destinationUrl = target.href
-    ? new URL(target.href)
+  const configuredHref = target.configUrlKey ? hostedConfig[target.configUrlKey] : null;
+  const href = target.href || configuredHref || target.fallbackHref;
+  const destinationUrl = href
+    ? new URL(href)
     : new URL(target.path || '/', hostedConfig.appOrigin);
   appendTrackedLinkQueryParams(destinationUrl, parsed, target);
   return destinationUrl;
@@ -2137,6 +2601,7 @@ function sendJson(res, statusCode, payload, extraHeaders = {}, options = {}) {
   const body = JSON.stringify(payload);
   res.writeHead(statusCode, {
     'Content-Type': 'application/json; charset=utf-8',
+    'X-Content-Type-Options': 'nosniff',
     'Content-Length': Buffer.byteLength(body),
     ...extraHeaders,
   });
@@ -2211,7 +2676,7 @@ function appendBestEffortTelemetry(feedbackDir, payload, headers, context) {
           evidence: [err?.message ? err.message : 'unknown_error'],
         },
       });
-    } catch (_) {}
+    } catch {}
     return false;
   }
 }
@@ -2230,8 +2695,9 @@ function chatgptActionEventType(integration, suffix) {
 }
 
 function getPublicOrigin(req) {
-  const proto = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim() || 'http';
-  const host = String(req.headers['x-forwarded-host'] || req.headers.host || '').split(',')[0].trim() || 'localhost';
+  const rawProto = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase();
+  const proto = rawProto === 'https' ? 'https' : 'http';
+  const host = getSafePublicRequestHost(req) || 'localhost';
   return `${proto}://${host}`;
 }
 
@@ -2250,6 +2716,47 @@ function getRequestHostHeader(req) {
   return forwardedHost || req.headers.host || '';
 }
 
+function normalizePublicRequestHost(value) {
+  const rawHost = String(value || '').split(',')[0].trim().toLowerCase();
+  if (!rawHost || rawHost.length > 253) return '';
+
+  const hostWithoutPort = rawHost.startsWith('[')
+    ? rawHost.slice(1).split(']')[0]
+    : rawHost.split(':')[0];
+  const port = rawHost.startsWith('[')
+    ? rawHost.split(']:')[1] || ''
+    : rawHost.split(':')[1] || '';
+
+  if (!isAllowedPublicHostName(hostWithoutPort)) {
+    return '';
+  }
+  if (port && !/^\d{1,5}$/.test(port)) return '';
+  if (port && Number(port) > 65535) return '';
+  return port ? `${hostWithoutPort}:${port}` : hostWithoutPort;
+}
+
+function isAllowedPublicHostName(hostname) {
+  return hostname === 'localhost'
+    || hostname === '::1'
+    || isIpv4Host(hostname)
+    || isDnsHostName(hostname);
+}
+
+function isIpv4Host(hostname) {
+  const parts = hostname.split('.');
+  return parts.length === 4 && parts.every((part) => /^\d{1,3}$/.test(part));
+}
+
+function isDnsHostName(hostname) {
+  return hostname
+    .split('.')
+    .every((label) => /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(label));
+}
+
+function getSafePublicRequestHost(req) {
+  return normalizePublicRequestHost(getRequestHostHeader(req));
+}
+
 function isLoopbackHost(hostValue) {
   const rawHost = String(hostValue || '').split(',')[0].trim();
   if (!rawHost) {
@@ -2295,7 +2802,7 @@ function stripTrailingSlashes(value) {
   return input.slice(0, end);
 }
 
-function normalizePublicMarketingHtml(html, runtimeConfig) {
+function normalizePublicMarketingHtml(html, runtimeConfig, requestHost) {
   const appOrigin = runtimeConfig?.appOrigin
     ? stripTrailingSlashes(runtimeConfig.appOrigin)
     : '';
@@ -2304,11 +2811,14 @@ function normalizePublicMarketingHtml(html, runtimeConfig) {
   let output = String(html);
   output = output.replaceAll(DEFAULT_PUBLIC_APP_ORIGIN, appOrigin);
   try {
-    const host = new URL(appOrigin).host;
+    const host = normalizePublicRequestHost(requestHost) || new URL(appOrigin).host;
     const plausibleDomain = resolvePlausibleDataDomain({ host });
     output = output.replaceAll(
       'data-domain="thumbgate-production.up.railway.app"',
       `data-domain="${escapeHtmlAttribute(plausibleDomain)}"`
+    ).replaceAll(
+      'data-domain="thumbgate.ai"',
+      `data-domain="${escapeHtmlAttribute(plausibleDomain)}"`
     );
   } catch {
     // appOrigin is normalized by hosted-config; leave static analytics domains
@@ -2357,7 +2867,7 @@ function loadPublicMarketingTemplateHtml(templatePath, runtimeConfig, pageContex
     '__GTM_PLAN_URL__': 'https://github.com/IgorGanapolsky/ThumbGate/blob/main/docs/GO_TO_MARKET_REVENUE_WEDGE_2026-03.md',
     '__GITHUB_URL__': 'https://github.com/IgorGanapolsky/ThumbGate',
     '__POSTHOG_API_KEY__': runtimeConfig.posthogApiKey || '',
-  }), runtimeConfig);
+  }), runtimeConfig, pageContext.requestHost);
 }
 
 function loadLandingPageHtml(runtimeConfig, pageContext = {}) {
@@ -2372,6 +2882,18 @@ function loadPricingPageHtml(runtimeConfig, pageContext = {}) {
   return loadPublicMarketingTemplateHtml(PRICING_PAGE_PATH, runtimeConfig, pageContext);
 }
 
+function loadAboutPageHtml(runtimeConfig, pageContext = {}) {
+  return loadPublicMarketingTemplateHtml(ABOUT_PAGE_PATH, runtimeConfig, pageContext);
+}
+
+function loadGuidePageHtml(runtimeConfig, pageContext = {}) {
+  return loadPublicMarketingTemplateHtml(GUIDE_PAGE_PATH, runtimeConfig, pageContext);
+}
+
+function loadLearnPageHtml(runtimeConfig, pageContext = {}) {
+  return loadPublicMarketingTemplateHtml(LEARN_PAGE_PATH, runtimeConfig, pageContext);
+}
+
 function readOptionalPublicTemplate(filePath) {
   try {
     return fs.readFileSync(filePath, 'utf-8');
@@ -3004,6 +3526,7 @@ function renderSitemapXml(runtimeConfig) {
     { path: '/learn/codex-role-plugins-need-governance', changefreq: 'weekly', priority: '0.85' },
     { path: '/learn/agentic-os-team-governance', changefreq: 'weekly', priority: '0.85' },
     { path: '/learn/cost-aware-agent-gate-routing', changefreq: 'weekly', priority: '0.85' },
+    { path: '/learn/pretix-stripe-connect-marketplaces', changefreq: 'weekly', priority: '0.9' },
     { path: '/compare/claude-code-hooks', changefreq: 'weekly', priority: '0.85' },
     { path: '/compare/bumblebee', changefreq: 'weekly', priority: '0.85' },
     { path: '/compare/anthropic-containment', changefreq: 'weekly', priority: '0.85' },
@@ -3012,6 +3535,30 @@ function renderSitemapXml(runtimeConfig) {
     { path: '/compare/anthropic-claude-for-legal', changefreq: 'weekly', priority: '0.9' },
     ...THUMBGATE_SEO_SITEMAP_ENTRIES,
   ];
+  // Auto-include every hand-written SEO page so /sitemap.xml can never drift out
+  // of sync with public/compare/*.html or public/guides/*.html. Crawlers and AI
+  // answer engines only surface pages they can discover, so a buyer-intent page
+  // missing from the sitemap is invisible on its query. De-duped against entries
+  // already declared above (e.g. seo-gsd specs), which keep explicit priorities.
+  const declaredPaths = new Set(entries.map((entry) => entry.path));
+  try {
+    const seoDirectories = [
+      { dir: 'compare', route: '/compare', priority: '0.85' },
+      { dir: 'guides', route: '/guides', priority: '0.85' },
+    ];
+    for (const catalog of seoDirectories) {
+      const files = fs.readdirSync(path.join(PUBLIC_DIR, catalog.dir)).sort((a, b) => a.localeCompare(b));
+      for (const file of files) {
+        if (!file.endsWith('.html')) continue;
+        const publicPath = `${catalog.route}/${file.replace(/\.html$/, '')}`;
+        if (declaredPaths.has(publicPath)) continue;
+        declaredPaths.add(publicPath);
+        entries.push({ path: publicPath, changefreq: 'weekly', priority: catalog.priority });
+      }
+    }
+  } catch {
+    // SEO directories absent in a stripped bundle — fall back to static entries.
+  }
   return [
     '<?xml version="1.0" encoding="UTF-8"?>',
     '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">',
@@ -3137,11 +3684,13 @@ function servePublicMarketingPage({
     }, req.headers, 'seo_landing_view');
   }
 
+  const requestHost = getSafePublicRequestHost(req);
   const html = renderHtml(hostedConfig, {
     serverVisitorId: journeyState.visitorId,
     serverSessionId: journeyState.sessionId,
     serverAcquisitionId: journeyState.acquisitionId,
     serverTelemetryCaptured: landingTelemetryCaptured,
+    requestHost,
   });
 
   sendHtml(
@@ -3423,7 +3972,7 @@ function renderCheckoutSuccessPage(runtimeConfig) {
         if (window.sessionStorage) {
           window.sessionStorage.setItem(marker, '1');
         }
-      } catch (_) {
+      } catch {
         sendTelemetry(eventType, extra);
       }
     }
@@ -4220,6 +4769,42 @@ function normalizeJobIdFromPath(pathname, suffix = '') {
   return match ? decodeURIComponent(match[1]) : null;
 }
 
+function escapeHtml(value) {
+  return String(value)
+    .replaceAll('&', '&amp;')
+    .replaceAll('<', '&lt;')
+    .replaceAll('>', '&gt;')
+    .replaceAll('"', '&quot;')
+    .replaceAll("'", '&#39;');
+}
+
+function escapeHtmlUnsafeJsonString(value) {
+  return String(value)
+    .replaceAll('<', String.raw`\u003c`)
+    .replaceAll('>', String.raw`\u003e`)
+    .replaceAll('&', String.raw`\u0026`)
+    .replaceAll('\u2028', String.raw`\u2028`)
+    .replaceAll('\u2029', String.raw`\u2029`);
+}
+
+function sanitizeHtmlUnsafeJsonValue(value) {
+  if (typeof value === 'string') {
+    return escapeHtmlUnsafeJsonString(value);
+  }
+  if (Array.isArray(value)) {
+    return value.map((entry) => sanitizeHtmlUnsafeJsonValue(entry));
+  }
+  if (!value || typeof value !== 'object') {
+    return value;
+  }
+  return Object.fromEntries(
+    Object.entries(value).map(([key, entry]) => [
+      escapeHtmlUnsafeJsonString(key),
+      sanitizeHtmlUnsafeJsonValue(entry),
+    ])
+  );
+}
+
 function normalizeDocumentIdFromPath(pathname) {
   const match = pathname.match(/^\/v1\/documents\/([^/]+)$/);
   return match ? decodeURIComponent(match[1]) : null;
@@ -4991,12 +5576,40 @@ async function addContext(){
       return;
     }
 
+    if (isGetLikeRequest && (pathname === '/about' || pathname === '/about.html')) {
+      try {
+        servePublicMarketingPage({
+          req,
+          res,
+          parsed,
+          hostedConfig,
+          isHeadRequest,
+          renderHtml: loadAboutPageHtml,
+          extraTelemetry: {
+            pageType: 'about',
+          },
+        });
+      } catch (err) {
+        sendText(res, 500, err.message || 'About page unavailable');
+      }
+      return;
+    }
+
     if (isGetLikeRequest && (pathname === '/guide' || pathname === '/guide.html')) {
       try {
-        const html = fs.readFileSync(GUIDE_PAGE_PATH, 'utf-8');
-        sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
-      } catch {
-        sendJson(res, 404, { error: 'Guide page not found' });
+        servePublicMarketingPage({
+          req,
+          res,
+          parsed,
+          hostedConfig,
+          isHeadRequest,
+          renderHtml: loadGuidePageHtml,
+          extraTelemetry: {
+            pageType: 'guide',
+          },
+        });
+      } catch (err) {
+        sendText(res, 500, err.message || 'Guide page unavailable');
       }
       return;
     }
@@ -5056,10 +5669,19 @@ async function addContext(){
 
     if (isGetLikeRequest && (pathname === '/learn' || pathname === '/learn.html')) {
       try {
-        const html = fs.readFileSync(LEARN_PAGE_PATH, 'utf-8');
-        sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
-      } catch {
-        sendJson(res, 404, { error: 'Learn page not found' });
+        servePublicMarketingPage({
+          req,
+          res,
+          parsed,
+          hostedConfig,
+          isHeadRequest,
+          renderHtml: loadLearnPageHtml,
+          extraTelemetry: {
+            pageType: 'learn',
+          },
+        });
+      } catch (err) {
+        sendText(res, 500, err.message || 'Learn page unavailable');
       }
       return;
     }
@@ -5250,13 +5872,13 @@ async function addContext(){
 
     if (isGetLikeRequest && pathname.startsWith('/learn/')) {
       try {
-        const slug = normalizePublicPageSlug(pathname.replace('/learn/', ''));
-        const articlePath = path.join(LEARN_DIR, `${slug}.html`);
-        if (!articlePath.startsWith(LEARN_DIR)) {
-          sendJson(res, 403, { error: 'Forbidden' });
+        const articlePath = resolvePublicHtmlFile(LEARN_PAGE_PATHS_BY_SLUG, pathname.replace('/learn/', ''));
+        if (!articlePath) {
+          sendJson(res, 404, { error: 'Article not found' });
           return;
         }
-        const html = fs.readFileSync(articlePath, 'utf-8');
+        const requestHost = getSafePublicRequestHost(req);
+        const html = normalizePublicMarketingHtml(fs.readFileSync(articlePath, 'utf-8'), hostedConfig, requestHost);
         sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
       } catch {
         sendJson(res, 404, { error: 'Article not found' });
@@ -5266,10 +5888,10 @@ async function addContext(){
 
     if (isGetLikeRequest && pathname.startsWith('/guides/')) {
       try {
-        const slug = normalizePublicPageSlug(pathname.replace('/guides/', ''));
-        const guidePath = path.join(GUIDES_DIR, `${slug}.html`);
-        if (!guidePath.startsWith(GUIDES_DIR)) { sendJson(res, 403, { error: 'Forbidden' }); return; }
-        const html = fs.readFileSync(guidePath, 'utf-8');
+        const guidePath = resolvePublicHtmlFile(GUIDE_PAGE_PATHS_BY_SLUG, pathname.replace('/guides/', ''));
+        if (!guidePath) { sendJson(res, 404, { error: 'Guide not found' }); return; }
+        const requestHost = getSafePublicRequestHost(req);
+        const html = normalizePublicMarketingHtml(fs.readFileSync(guidePath, 'utf-8'), hostedConfig, requestHost);
         sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
       } catch { sendJson(res, 404, { error: 'Guide not found' }); }
       return;
@@ -5277,10 +5899,10 @@ async function addContext(){
 
     if (isGetLikeRequest && pathname.startsWith('/compare/') && pathname !== '/compare') {
       try {
-        const slug = normalizePublicPageSlug(pathname.replace('/compare/', ''));
-        const comparePath = path.join(COMPARE_DIR, `${slug}.html`);
-        if (!comparePath.startsWith(COMPARE_DIR)) { sendJson(res, 403, { error: 'Forbidden' }); return; }
-        const html = fs.readFileSync(comparePath, 'utf-8');
+        const comparePath = resolvePublicHtmlFile(COMPARE_PAGE_PATHS_BY_SLUG, pathname.replace('/compare/', ''));
+        if (!comparePath) { sendJson(res, 404, { error: 'Comparison not found' }); return; }
+        const requestHost = getSafePublicRequestHost(req);
+        const html = normalizePublicMarketingHtml(fs.readFileSync(comparePath, 'utf-8'), hostedConfig, requestHost);
         sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
       } catch { sendJson(res, 404, { error: 'Comparison not found' }); }
       return;
@@ -5288,10 +5910,10 @@ async function addContext(){
 
     if (isGetLikeRequest && pathname.startsWith('/use-cases/')) {
       try {
-        const slug = normalizePublicPageSlug(pathname.replace('/use-cases/', ''));
-        const useCasePath = path.join(USE_CASES_DIR, `${slug}.html`);
-        if (!useCasePath.startsWith(USE_CASES_DIR)) { sendJson(res, 403, { error: 'Forbidden' }); return; }
-        const html = fs.readFileSync(useCasePath, 'utf-8');
+        const useCasePath = resolvePublicHtmlFile(USE_CASE_PAGE_PATHS_BY_SLUG, pathname.replace('/use-cases/', ''));
+        if (!useCasePath) { sendJson(res, 404, { error: 'Use case not found' }); return; }
+        const requestHost = getSafePublicRequestHost(req);
+        const html = normalizePublicMarketingHtml(fs.readFileSync(useCasePath, 'utf-8'), hostedConfig, requestHost);
         sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
       } catch { sendJson(res, 404, { error: 'Use case not found' }); }
       return;
@@ -5308,6 +5930,18 @@ async function addContext(){
       return;
     }
 
+    if (isGetLikeRequest && pathname.startsWith('/media/')) {
+      const rel = pathname.slice('/media/'.length);
+      const mediaDir = path.join(PUBLIC_DIR, 'media');
+      const resolved = path.resolve(mediaDir, rel);
+      if (!resolved.startsWith(mediaDir + path.sep) && resolved !== mediaDir) {
+        sendJson(res, 403, { error: 'Forbidden' });
+        return;
+      }
+      serveStaticFile(res, resolved, { headOnly: isHeadRequest });
+      return;
+    }
+
     if (isGetLikeRequest && (
       pathname === '/favicon.ico'
       || pathname === '/thumbgate-logo.png'
@@ -5389,8 +6023,70 @@ async function addContext(){
       // because no real crawler appends customer_email to discovered URLs.
       const hasCustomerEmailHint = !!parsed?.searchParams?.has('customer_email');
       const botShouldBypass = !botClassification.isBot || hasCustomerEmailHint;
-      const isConfirmedCheckout = req.method === 'POST'
+      // 2026-06-04 audit: after the POST-401 fix, 3 of 4 fresh /checkout/pro
+      // sessions had customer_email=null in Stripe (zombie sessions with no
+      // recovery surface). Root cause: POSTs were auto-confirmed regardless of
+      // whether the email query param was present. Require email on POSTs too
+      // so emails-less POSTs fall through to the interstitial form instead of
+      // creating an un-recoverable Stripe session.
+      const isConfirmedCheckout = (req.method === 'POST' && hasCustomerEmailHint)
         || (hasConfirmFlag && botShouldBypass);
+      // 2026-06-05 revenue bypass: env-gated direct-to-Stripe redirect.
+      // Live 30d billing showed 254 interstitial views → 1 Stripe click-through
+      // → 0 paid. When THUMBGATE_CHECKOUT_INTERSTITIAL_BYPASS=1 is set we
+      // route raw /checkout/pro GETs (no confirm=1, no POST) straight to the
+      // pro Stripe Payment Link, preserving UTM + attribution metadata via
+      // buildCheckoutFallbackUrl. Default-off; bot-deflection still applies
+      // (bot + no email hint still falls through to the existing interstitial).
+      const interstitialBypassEnabled = process.env.THUMBGATE_CHECKOUT_INTERSTITIAL_BYPASS === '1';
+      const interstitialSampleRate = normalizeCheckoutInterstitialSampleRate(
+        process.env.THUMBGATE_CHECKOUT_INTERSTITIAL_SAMPLE_RATE
+      );
+      const interstitialSampled = shouldSampleCheckoutInterstitial({
+        sampleRate: interstitialSampleRate,
+        traceId,
+        analyticsMetadata,
+      });
+      if (
+        !isConfirmedCheckout
+        && interstitialBypassEnabled
+        && req.method !== 'POST'
+        && botShouldBypass
+        && !interstitialSampled
+      ) {
+        // Always target the pro Stripe Payment Link directly. The
+        // hostedConfig.checkoutFallbackUrl (e.g. https://thumbgate.ai/go/pro)
+        // is a router that 302s back to /checkout/pro, which would create a
+        // redirect loop when bypass is on. Env override via
+        // THUMBGATE_CHECKOUT_PRO_STRIPE_URL is supported for future
+        // price-link rotation without a redeploy.
+        const bypassTarget = process.env.THUMBGATE_CHECKOUT_PRO_STRIPE_URL
+          || FIRST_FAILURE_RULE_CHECKOUT_URL;
+        appendBestEffortTelemetry(FEEDBACK_DIR, {
+          eventType: 'checkout_interstitial_bypass_redirect',
+          clientType: 'web',
+          traceId,
+          acquisitionId: analyticsMetadata.acquisitionId,
+          visitorId: analyticsMetadata.visitorId,
+          sessionId: analyticsMetadata.sessionId,
+          utmSource: analyticsMetadata.utmSource,
+          utmMedium: analyticsMetadata.utmMedium,
+          utmCampaign: analyticsMetadata.utmCampaign,
+          utmContent: analyticsMetadata.utmContent,
+          utmTerm: analyticsMetadata.utmTerm,
+          referrer: analyticsMetadata.referrer,
+          referrerHost: analyticsMetadata.referrerHost,
+          page: '/checkout/pro',
+          planId: analyticsMetadata.planId,
+          interstitialSampleRate,
+        }, req.headers, 'checkout_interstitial_bypass_redirect');
+        res.writeHead(302, {
+          ...responseHeaders,
+          Location: buildCheckoutFallbackUrl(bypassTarget, analyticsMetadata),
+        });
+        res.end();
+        return;
+      }
       // Plausible funnel event #1 of 3: page view. Fired before interstitial
       // deflection so we get the full top-of-funnel count, with isBot as a
       // prop so the dashboard can filter human vs. crawler traffic. Fire-and-forget.
@@ -5449,10 +6145,14 @@ async function addContext(){
           billingCycle: analyticsMetadata.billingCycle,
           landingPath: analyticsMetadata.landingPath,
           isBot: botClassification.isBot ? 'true' : 'false',
+          interstitialSampled: interstitialSampled ? 'true' : 'false',
+          interstitialSampleRate,
           reason: botClassification.reason,
         }, req.headers, eventType);
         const prefilledEmail = parsed?.searchParams?.get('customer_email') || '';
-        const html = renderCheckoutIntentPage(prefilledEmail);
+        const html = renderCheckoutIntentPage(prefilledEmail, parsed, {
+          includeHiddenAttribution: !botClassification.isBot,
+        });
         sendHtml(res, 200, html, responseHeaders);
         return;
       }
@@ -5715,12 +6415,13 @@ async function addContext(){
       // Public-facing broker lead-flow audit landing page. Wedge for the
       // real-estate broker outreach. Static HTML served from src/api/static.
       try {
+        const host = getSafePublicRequestHost(req);
         const html = normalizePublicMarketingHtml(fillTemplate(fs.readFileSync(
           path.resolve(__dirname, '../../assets/static/broker-audit.html'),
           'utf8'
         ), {
           '__POSTHOG_API_KEY__': hostedConfig.posthogApiKey || '',
-        }), hostedConfig);
+        }), hostedConfig, host);
         if (isHeadRequest) {
           sendHtml(res, 200, html, {}, { headOnly: true });
           return;
@@ -5772,9 +6473,9 @@ async function addContext(){
     // Authorization endpoint: GET renders consent, POST issues the code.
     if (pathname === '/oauth/authorize') {
       if (isGetLikeRequest) {
-        const q = parsed.searchParams;
-        const fields = ['client_id', 'redirect_uri', 'code_challenge', 'code_challenge_method', 'scope', 'state', 'resource'];
-        const hidden = fields.map((f) => `<input type="hidden" name="${f}" value="${escapeHtmlAttribute(q.get(f) || '')}">`).join('\n');
+        const authRequestToken = createPendingOauthAuthorizeRequest(
+          getOauthAuthorizeParamsFromQuery(parsed.searchParams)
+        );
         const html = `<!doctype html><html><head><meta charset="utf-8"><title>Authorize ThumbGate</title>
 <style>body{font:15px system-ui;margin:0;background:#0b0b0c;color:#eee;display:flex;min-height:100vh;align-items:center;justify-content:center}
 .card{background:#161618;border:1px solid #2a2a2e;border-radius:12px;padding:28px;max-width:420px}
@@ -5783,7 +6484,7 @@ button{width:100%;padding:11px;border-radius:8px;border:0;background:#10b981;col
 a{color:#8b9}</style></head><body><form class="card" method="post" action="/oauth/authorize">
 <h2>Authorize Claude → ThumbGate</h2>
 <p>Paste your ThumbGate API key to let this connector act as you. Get one with <code>npx thumbgate init</code> or from your <a href="/dashboard">dashboard</a>.</p>
-${hidden}
+<input type="hidden" name="auth_request_token" value="${escapeHtmlAttribute(authRequestToken)}">
 <input type="password" name="api_key" placeholder="ThumbGate API key" autocomplete="off" required>
 <button type="submit" name="approve" value="yes">Approve</button>
 </form></body></html>`;
@@ -5795,8 +6496,9 @@ ${hidden}
         req.on('data', (c) => { body += c; if (body.length > 16384) req.destroy(); });
         req.on('end', () => {
           const form = new URLSearchParams(body);
-          const redirectUri = form.get('redirect_uri') || '';
-          const state = form.get('state') || '';
+          const authorizationParams = getOauthAuthorizeParamsFromForm(form, hostedConfig);
+          const redirectUri = authorizationParams.redirectUri;
+          const state = authorizationParams.state;
           // Validate the presented ThumbGate key before issuing a code. When keys
           // are configured (production) the key MUST match a configured admin /
           // operator / reviewer key — otherwise OAuth would authenticate nobody.
@@ -5806,12 +6508,12 @@ ${hidden}
             return;
           }
           const issued = mcpOauth.createAuthorizationCode(oauthStore, {
-            clientId: form.get('client_id') || '',
+            clientId: authorizationParams.clientId,
             redirectUri,
-            codeChallenge: form.get('code_challenge') || '',
-            codeChallengeMethod: form.get('code_challenge_method') || '',
-            scope: form.get('scope') || undefined,
-            resource: form.get('resource') || buildPublicUrl(hostedConfig, '/mcp'),
+            codeChallenge: authorizationParams.codeChallenge,
+            codeChallengeMethod: authorizationParams.codeChallengeMethod,
+            scope: authorizationParams.scope,
+            resource: authorizationParams.resource || buildPublicUrl(hostedConfig, '/mcp'),
             boundKey: form.get('api_key') || '',
             state,
           });
@@ -6082,7 +6784,7 @@ ${hidden}
               evidence: [err?.message ? err.message : 'unknown_error'],
             },
           });
-        } catch (_) {
+        } catch {
           // Telemetry is best-effort and must never fail the caller.
         }
       }
@@ -6449,7 +7151,7 @@ ${hidden}
               context: 'failed to persist install-email capture to ledger',
               metadata: { error: err?.message || 'unknown' },
             });
-          } catch (_) {}
+          } catch {}
         }
 
         // Privacy-clean telemetry ping for funnel attribution (no email).
@@ -7216,7 +7918,9 @@ ${hidden}
 
     try {
       if (req.method === 'GET' && pathname === '/v1/feedback/stats') {
-        const stats = analyzeFeedback(requestFeedbackPaths.FEEDBACK_LOG_PATH);
+        const stats = shouldAggregateFeedback()
+          ? computeAggregateFeedbackStats({ feedbackDir: requestFeedbackPaths.FEEDBACK_DIR })
+          : analyzeFeedback(requestFeedbackPaths.FEEDBACK_LOG_PATH);
         try {
           const { getStatuslineMeta } = require('../../scripts/statusline-meta');
           const meta = getStatuslineMeta({ env: process.env });
@@ -7248,6 +7952,9 @@ ${hidden}
           stats.geminiKeyStatus = 'validated';
         }
         stats.hybridInferenceAvailable = !!(stats.geminiConfigured || stats.perplexityConfigured);
+        stats.localLlmConfigured = Boolean(process.env.THUMBGATE_LOCAL_LLM_ENDPOINT);
+        stats.localLlmEndpoint = process.env.THUMBGATE_LOCAL_LLM_ENDPOINT || null;
+        stats.localLlmModel = process.env.THUMBGATE_LOCAL_LLM_MODEL || null;
         sendJson(res, 200, stats);
         return;
       }
@@ -7843,11 +8550,13 @@ ${hidden}
         const signal = parsed.searchParams.get('signal') || null;
         let results;
         try {
+          const requestFeedbackPaths = getRequestFeedbackPaths(req, parsed);
           results = searchThumbgate({
             query,
             limit: Number.isFinite(limit) ? limit : 10,
             source,
             signal,
+            feedbackDir: requestFeedbackPaths.FEEDBACK_DIR,
           });
         } catch (err) {
           throw createHttpError(400, err.message || 'Invalid ThumbGate search request');
@@ -7865,11 +8574,13 @@ ${hidden}
         const body = await parseJsonBody(req);
         let results;
         try {
+          const requestFeedbackPaths = getRequestFeedbackPaths(req, parsed);
           results = searchThumbgate({
             query: body.query || body.q || '',
             limit: body.limit,
             source: body.source,
             signal: body.signal,
+            feedbackDir: requestFeedbackPaths.FEEDBACK_DIR,
           });
         } catch (err) {
           throw createHttpError(400, err.message || 'Invalid ThumbGate search request');
@@ -7895,11 +8606,14 @@ ${hidden}
       {
         const documentId = normalizeDocumentIdFromPath(pathname);
         if (req.method === 'GET' && documentId) {
+          if (!/^[a-zA-Z0-9-_]+$/.test(documentId)) {
+            throw createHttpError(400, 'Invalid document ID format');
+          }
           const document = readImportedDocument(documentId, {
             feedbackDir: requestFeedbackDir,
           });
           if (!document) {
-            throw createHttpError(404, `Imported document not found: ${documentId}`);
+            throw createHttpError(404, `Imported document not found: ${escapeHtml(documentId)}`);
           }
           sendJson(res, 200, { document });
           return;
@@ -7926,7 +8640,7 @@ ${hidden}
               feedbackDir: getSafeDataDir(),
               limit: 10,
             });
-          } catch (_) { /* best-effort — conversation window is optional */ }
+          } catch { /* best-effort — conversation window is optional */ }
         }
         const result = captureFeedback({
           signal: body.signal,
@@ -8995,6 +9709,8 @@ module.exports = {
     buildEnterpriseChatAnswer,
     answerEnterpriseDataChat,
     answerEnterpriseDialogflowChat,
+    buildLossAnalyticsResponse,
+    sanitizeHtmlUnsafeJsonValue,
   },
 };