thumbgate 1.27.6 → 1.27.7

package/scripts/operational-integrity.js

@@ -580,17 +580,51 @@ function resolveGitHubRepository(env = process.env) {
 function findOpenPrForBranch({ branchName, runner = runGh, env = process.env } = {}) {
   const normalizedBranch = String(branchName || '').trim();
   if (!normalizedBranch) return null;
-  if (!env.GH_TOKEN && !env.GITHUB_TOKEN) {
+  const token = env.GH_TOKEN || env.GITHUB_TOKEN;
+  if (!token) {
     return null;
   }
-  const args = ['pr', 'list'];
   const repository = resolveGitHubRepository(env);
-  if (repository) {
-    args.push('--repo', repository);
+  if (!repository) return null;
+
+  // Try REST API first as it is much more robust and doesn't rely on gh CLI's GraphQL auth
+  try {
+    const owner = repository.split('/')[0];
+    const url = `https://api.github.com/repos/${repository}/pulls?head=${encodeURIComponent(owner + ':' + normalizedBranch)}&state=open`;
+    const curlConfig = `header = "Authorization: token ${token}"\nheader = "User-Agent: ThumbGate-CI"`;
+    const curlResult = spawnSync('curl', [
+      '-s',
+      '-K', '-',
+      url
+    ], {
+      encoding: 'utf8',
+      input: curlConfig
+    });
+
+    if (curlResult && curlResult.status === 0) {
+      const prs = JSON.parse(curlResult.stdout || '[]');
+      if (Array.isArray(prs) && prs.length > 0) {
+        return {
+          number: prs[0].number,
+          state: prs[0].state,
+          isDraft: prs[0].draft || false,
+          url: prs[0].html_url
+        };
+      }
+    }
+  } catch (err) {
+    console.warn(`[findOpenPrForBranch] REST fallback failed: ${err.message}`);
   }
-  args.push('--head', normalizedBranch, '--state', 'open', '--json', 'number,state,isDraft,url');
+
+  // Fall back to gh CLI
+  const args = ['pr', 'list', '--repo', repository, '--head', normalizedBranch, '--state', 'open', '--json', 'number,state,isDraft,url'];
   const result = runner(args);
   if (!result || result.status !== 0) {
+    if (result) {
+      console.warn(`[findOpenPrForBranch] gh command failed with status ${result.status}. Stderr: ${result.stderr || ''}`);
+    } else {
+      console.warn(`[findOpenPrForBranch] gh command failed to spawn.`);
+    }
     return null;
   }
   try {

package/scripts/plausible-domain-config.js

@@ -14,9 +14,11 @@ function normalizeDomain(value) {
   const input = String(value || '').trim();
   if (!input) return '';
   try {
-    return new URL(input.includes('://') ? input : `https://${input}`).host.toLowerCase();
+    return new URL(input.includes('://') ? input : `https://${input}`).hostname.toLowerCase();
   } catch {
-    return input.replace(/^https?:\/\//i, '').replace(/\/.*$/, '').toLowerCase();
+    const withoutProtocol = input.replace(/^https?:\/\//i, '');
+    const hostnameAndPort = withoutProtocol.split('/')[0];
+    return hostnameAndPort.toLowerCase().split(':')[0];
   }
 }
 

package/scripts/rate-limiter.js

@@ -17,8 +17,8 @@ const USAGE_FILE = path.join(process.env.HOME || '/tmp', '.thumbgate', 'usage-li
 // hit the wall within the first week, not the first quarter.
 // ──────────────────────────────────────────────────────────
 const FREE_TIER_LIMITS = {
-  capture_feedback:   { daily: 5,        lifetime: 25,       label: 'feedback captures (5/day, 25 total on free)' },
-  prevention_rules:   { daily: 2,        lifetime: 6,        label: 'prevention rules generated (2/day on free)' },
+  capture_feedback:   { daily: 2,        lifetime: 10,       label: 'feedback captures (2/day, 10 total on free)' },
+  prevention_rules:   { daily: 2,        lifetime: 3,        label: 'prevention rules generated (2/day on free)' },
   recall:             { daily: 0,        lifetime: 0,        label: 'recall queries (Pro only)' },
   search_lessons:     { daily: 0,        lifetime: 0,        label: 'lesson searches (Pro only)' },
   search_thumbgate:   { daily: 0,        lifetime: 0,        label: 'ThumbGate searches (Pro only)' },
@@ -29,12 +29,12 @@ const FREE_TIER_LIMITS = {
 };
 
 const FREE_TIER_MAX_GATES = 3; // 3 active prevention rules on free; Pro is unlimited
-const FREE_TIER_DAILY_BLOCKS = 3; // 3 gate blocks/day on free; after limit, deny → warn + upgrade CTA
+const FREE_TIER_DAILY_BLOCKS = 2; // 3 gate blocks/day on free; after limit, deny → warn + upgrade CTA
 
 const UPGRADE_MESSAGE = `Pro: ${PRO_PRICE_LABEL} — unlimited rules, recall, lesson search, dashboard, and exports: ${PRO_MONTHLY_PAYMENT_LINK}\n  Enterprise: ${ENTERPRISE_PRICE_LABEL} after workflow qualification.`;
 
 const PAYWALL_MESSAGES = {
-  capture_feedback: 'Free tier: 5 captures/day (25 total). Your feedback is stored locally — upgrade to capture unlimited.',
+  capture_feedback: 'Free tier: 2 captures/day (10 total). Your feedback is stored locally — upgrade to capture unlimited.',
   prevention_rules: 'Free tier includes 3 active prevention rules and 2 rule generations/day. Upgrade to Pro for unlimited rules.',
   recall: 'Recall is a Pro feature. Your past feedback is stored locally — upgrade to search and reuse it.',
   search_lessons: 'Lesson search is a Pro feature. Upgrade to find patterns in your agent\'s mistakes.',
@@ -153,12 +153,18 @@ function checkLimit(action, authContext) {
   const dailyCurrent = usage.counts[action] || 0;
   const lifetimeCurrent = usage.lifetime[action] || 0;
 
+  const isCapture = action === 'capture_feedback';
+  const monthlyLink = isCapture
+    ? 'https://buy.stripe.com/7sYfZhaiE1eSbO99uj3sI0d'
+    : PRO_MONTHLY_PAYMENT_LINK;
+  const upgradeMessage = `Pro: ${PRO_PRICE_LABEL} — unlimited rules, recall, lesson search, dashboard, and exports: ${monthlyLink}\n  Enterprise: ${ENTERPRISE_PRICE_LABEL} after workflow qualification.`;
+
   // Check lifetime limit first (the hard wall)
   if (lifetimeLimit !== Infinity && lifetimeCurrent >= lifetimeLimit) {
     const paywallMsg = PAYWALL_MESSAGES[action] || PAYWALL_MESSAGES.default;
     return {
       allowed: false,
-      message: `${paywallMsg}\n\n${UPGRADE_MESSAGE}`,
+      message: `${paywallMsg}\n\n${upgradeMessage}`,
       used: lifetimeCurrent,
       limit: lifetimeLimit,
       limitType: 'lifetime',
@@ -170,7 +176,7 @@ function checkLimit(action, authContext) {
     const paywallMsg = PAYWALL_MESSAGES[action] || PAYWALL_MESSAGES.default;
     return {
       allowed: false,
-      message: `Daily limit reached. ${paywallMsg}\n\n${UPGRADE_MESSAGE}`,
+      message: `Daily limit reached. ${paywallMsg}\n\n${upgradeMessage}`,
       used: dailyCurrent,
       limit: dailyLimit,
       limitType: 'daily',

package/scripts/secret-redaction.js

@@ -0,0 +1,166 @@
+'use strict';
+
+/**
+ * secret-redaction.js — the single, canonical secret-redaction helper.
+ *
+ * WHY THIS EXISTS
+ * On 2026-06-10 a live Stripe `sk_live_` key was found in plaintext inside a captured
+ * `.thumbgate/conversation-window.jsonl`. ThumbGate must never become a secret-leak vector:
+ * secrets must be redacted (a) before any conversation/feedback/memory record lands on disk,
+ * and (b) before any training/analytics dataset is exported or shared.
+ *
+ * This module is the ONE place that owns redaction-at-rest. Capture writers and dataset
+ * exporters all call into it instead of each rolling their own. It is intentionally separate
+ * from `secret-scanner.js`: that module is the PreToolUse *scan/block* layer and deliberately
+ * tolerates `sk_test_`/`test_token` inside commands. For data persisted to disk we redact
+ * test-mode secrets too — a `sk_test_` key is still a credential we should not store.
+ *
+ * NOT REDACTED ON PURPOSE
+ *   - Stripe publishable keys (`pk_live_`, `pk_test_`) are public by design. No pattern matches
+ *     them, and the generic `key=value` pattern keys on `api_key|secret|token|...`, never on a
+ *     bare `publishable_key`, so they are preserved verbatim.
+ *
+ * Properties:
+ *   - Idempotent: re-redacting already-redacted text is a no-op (the `[REDACTED:id]` marker
+ *     contains characters outside every value charset).
+ *   - Non-mutating: `redactSecretsDeep` returns a redacted copy; inputs are untouched.
+ */
+
+const REDACTED = (id) => `[REDACTED:${id}]`;
+
+// Identifier names that denote a credential, used by the generic `key = value` pattern. Kept as
+// two small matchers (instead of one mega-alternation) so the assignment regex stays simple.
+const SECRET_KEY_NAME = /(?:api[_-]?key|secret|token|password|passwd|credential|private[_-]?key|access[_-]?token|client[_-]?secret)/i;
+// Public identifiers whose values are not secrets (e.g. Stripe publishable `pk_*` keys). Excluded
+// so `publishable_key = pk_live_…` is preserved verbatim.
+const PUBLIC_KEY_NAME = /publishable|public/i;
+
+/**
+ * Ordered list of redaction patterns. Order matters: the most specific provider patterns run
+ * before the broad `key=value` fallback so a known secret keeps its precise label. Every regex
+ * is `g` (and case-insensitive where appropriate) so all occurrences are replaced.
+ *
+ * `replace` may be a string or a function `(match, ...groups) => string`.
+ */
+const SECRET_REDACTION_PATTERNS = [
+  // PEM / OpenSSH private key blocks — redact the whole block.
+  {
+    id: 'private_key_block',
+    label: 'Private key block',
+    regex: /-----BEGIN (?:RSA |EC |OPENSSH |DSA |PGP )?PRIVATE KEY-----[\s\S]+?-----END (?:RSA |EC |OPENSSH |DSA |PGP )?PRIVATE KEY-----/g,
+  },
+
+  // Stripe secret-bearing keys. Publishable keys (pk_*) are intentionally absent.
+  { id: 'stripe_live_secret', label: 'Stripe live secret key', regex: /\bsk_live_[A-Za-z0-9]{8,}/g },
+  { id: 'stripe_test_secret', label: 'Stripe test secret key', regex: /\bsk_test_[A-Za-z0-9]{8,}/g },
+  { id: 'stripe_restricted_live', label: 'Stripe restricted live key', regex: /\brk_live_[A-Za-z0-9]{8,}/g },
+  { id: 'stripe_restricted_test', label: 'Stripe restricted test key', regex: /\brk_test_[A-Za-z0-9]{8,}/g },
+  { id: 'stripe_webhook_secret', label: 'Stripe webhook signing secret', regex: /\bwhsec_[A-Za-z0-9]{8,}/g },
+
+  // Anthropic / OpenAI. Run before the legacy `sk-` pattern so the precise label wins.
+  { id: 'anthropic_api_key', label: 'Anthropic API key', regex: /\bsk-ant-[A-Za-z0-9_-]{16,}/g },
+  { id: 'openai_project_key', label: 'OpenAI project key', regex: /\bsk-proj-[A-Za-z0-9_-]{16,}/g },
+  { id: 'openai_api_key', label: 'OpenAI API key', regex: /\bsk-[A-Za-z0-9]{20,}/g },
+
+  // GitHub tokens.
+  { id: 'github_pat', label: 'GitHub personal access token', regex: /\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{16,}/g },
+  { id: 'github_fine_grained_pat', label: 'GitHub fine-grained token', regex: /\bgithub_pat_\w{20,}/g },
+
+  // Slack tokens.
+  { id: 'slack_token', label: 'Slack token', regex: /\bxox[abprs]-[A-Za-z0-9-]{10,}/g },
+
+  // Google API key.
+  { id: 'google_api_key', label: 'Google API key', regex: /\bAIza[0-9A-Za-z_-]{35}/g },
+
+  // AWS access key id (long-lived AKIA + temporary ASIA).
+  { id: 'aws_access_key', label: 'AWS access key id', regex: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
+
+  // JSON Web Tokens.
+  {
+    id: 'jwt',
+    label: 'JSON Web Token',
+    regex: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9._-]{8,}\.[A-Za-z0-9._-]{8,}/g,
+  },
+
+  // `Authorization: Bearer <token>` style. Keep the scheme word, redact the credential.
+  {
+    id: 'bearer_token',
+    label: 'Bearer token',
+    regex: /\b(Bearer|Token)\s+[a-z0-9._~+/=-]{16,}/gi,
+    replace: (_m, scheme) => `${scheme} ${REDACTED('bearer_token')}`,
+  },
+
+  // Generic `<name> = <value>` / `<name>: "<value>"` assignment with a 16+ char whitespace-free
+  // value. A simple matcher finds every assignment; the replace fn redacts only when the name is a
+  // credential (SECRET_KEY_NAME) and not a public identifier (PUBLIC_KEY_NAME), so `publishable_key`
+  // is preserved. Runs last so provider-specific labels are preferred.
+  {
+    id: 'secret_assignment',
+    label: 'Secret assignment',
+    regex: /\b([\w.-]{2,40})(\s*[:=]\s*["']?)([A-Za-z0-9._+=~/-]{16,})(["']?)/g,
+    replace: (match, key, pre, _value, post) =>
+      (SECRET_KEY_NAME.test(key) && !PUBLIC_KEY_NAME.test(key))
+        ? `${key}${pre}${REDACTED('secret_assignment')}${post}`
+        : match,
+  },
+];
+
+/**
+ * Redact secrets from a single string. Returns the input unchanged when it is not a non-empty
+ * string. Each pattern's lastIndex is reset before use so the module-level (stateful, `g`-flag)
+ * regexes are safe to reuse across calls.
+ *
+ * @param {string} text
+ * @returns {string}
+ */
+function redactSecrets(text) {
+  if (typeof text !== 'string' || text.length === 0) return text;
+  let out = text;
+  for (const pattern of SECRET_REDACTION_PATTERNS) {
+    pattern.regex.lastIndex = 0;
+    const replacement = pattern.replace || REDACTED(pattern.id);
+    out = out.replace(pattern.regex, replacement);
+  }
+  return out;
+}
+
+/**
+ * Returns true if `text` contains at least one redactable secret.
+ * @param {string} text
+ * @returns {boolean}
+ */
+function containsSecret(text) {
+  if (typeof text !== 'string' || text.length === 0) return false;
+  return SECRET_REDACTION_PATTERNS.some((pattern) => {
+    pattern.regex.lastIndex = 0;
+    return pattern.regex.test(text);
+  });
+}
+
+/**
+ * Recursively redact every string contained in `value`. Objects and arrays are deep-copied so
+ * the input is never mutated; non-string primitives pass through untouched. Object keys are left
+ * as-is (only values are redacted).
+ *
+ * @param {*} value
+ * @returns {*} redacted copy
+ */
+function redactSecretsDeep(value) {
+  if (typeof value === 'string') return redactSecrets(value);
+  if (Array.isArray(value)) return value.map((item) => redactSecretsDeep(item));
+  if (value && typeof value === 'object') {
+    const out = {};
+    for (const [key, val] of Object.entries(value)) {
+      out[key] = redactSecretsDeep(val);
+    }
+    return out;
+  }
+  return value;
+}
+
+module.exports = {
+  SECRET_REDACTION_PATTERNS,
+  redactSecrets,
+  redactSecretsDeep,
+  containsSecret,
+};

package/scripts/security-scanner.js

@@ -37,6 +37,7 @@ const VULN_PATTERNS = [
     label: 'Command injection via unsanitized input',
     regex: /\bexec(?:Sync)?\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+\s*(?:req\.|input|args|params|query|body|user))/g,
     fileTypes: ['.js', '.ts', '.mjs', '.cjs'],
+    remediation: 'Avoid passing unsanitized input to child_process.exec/execSync. Use execFile or spawn with args passed as an array.',
   },
   {
     id: 'shell-interpolation',
@@ -45,6 +46,7 @@ const VULN_PATTERNS = [
     label: 'Shell command with string interpolation',
     regex: /\bexec(?:Sync)?\s*\(\s*`[^`]*\$\{[^}]*(?:req\.|input|args|params|query|body|user|process\.env)/g,
     fileTypes: ['.js', '.ts', '.mjs', '.cjs'],
+    remediation: 'Use child_process.execFile or child_process.spawn with an array of arguments to avoid shell command interpolation.',
   },
   {
     id: 'sql-injection',
@@ -53,6 +55,7 @@ const VULN_PATTERNS = [
     label: 'Potential SQL injection via string concatenation',
     regex: /(?:query|execute|run|all|get)\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+\s*(?:req\.|input|args|params|query|body|user))/g,
     fileTypes: ['.js', '.ts', '.mjs', '.cjs', '.py'],
+    remediation: 'Use parameterized queries or prepared statements instead of dynamic SQL string concatenation.',
   },
   {
     id: 'eval-usage',
@@ -61,6 +64,7 @@ const VULN_PATTERNS = [
     label: 'Dynamic code execution (eval/Function constructor)',
     regex: /\b(?:eval|new\s+Function)\s*\([^)]*(?:req\.|input|args|params|query|body|user)/g,
     fileTypes: ['.js', '.ts', '.mjs', '.cjs'],
+    remediation: 'Use JSON.parse() or a safe parser library instead of eval() or dynamic Function constructors.',
   },
 
   // XSS
@@ -71,6 +75,7 @@ const VULN_PATTERNS = [
     label: 'Potential XSS via innerHTML assignment',
     regex: /\.innerHTML\s*=\s*(?!['"]<(?:div|span|p|br|hr)\s*\/?>['"])/g,
     fileTypes: ['.js', '.ts', '.jsx', '.tsx', '.mjs'],
+    remediation: 'Use element.textContent or element.innerText instead of innerHTML to prevent cross-site scripting (XSS).',
   },
   {
     id: 'xss-dangerously-set',
@@ -79,6 +84,7 @@ const VULN_PATTERNS = [
     label: 'React dangerouslySetInnerHTML with dynamic content',
     regex: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*(?!['"])/g,
     fileTypes: ['.jsx', '.tsx', '.js', '.ts'],
+    remediation: 'Ensure dynamic content passed to dangerouslySetInnerHTML is sanitized using DOMPurify or equivalent.',
   },
 
   // Path traversal
@@ -89,6 +95,7 @@ const VULN_PATTERNS = [
     label: 'Path traversal via unsanitized user input',
     regex: /path\.(?:join|resolve)\s*\([^)]*(?:req\.|input|args|params|query|body|user)/g,
     fileTypes: ['.js', '.ts', '.mjs', '.cjs'],
+    remediation: 'Sanitize path input using path.basename() or validate the path against an explicit list of allowed directories.',
   },
   {
     id: 'path-traversal-direct',
@@ -97,6 +104,7 @@ const VULN_PATTERNS = [
     label: 'Direct file read with user-controlled path',
     regex: /fs\.(?:readFile(?:Sync)?|createReadStream)\s*\(\s*(?:req\.|input|args|params|query|body|user)/g,
     fileTypes: ['.js', '.ts', '.mjs', '.cjs'],
+    remediation: 'Validate input paths and restrict file system access to a sandboxed directory.',
   },
 
   // Prototype pollution
@@ -107,6 +115,7 @@ const VULN_PATTERNS = [
     label: 'Potential prototype pollution via recursive merge',
     regex: /(?:__proto__|constructor\s*\[\s*['"]prototype['"]\s*\]|Object\.assign\s*\(\s*\{\s*\})/g,
     fileTypes: ['.js', '.ts', '.mjs', '.cjs'],
+    remediation: 'Avoid recursive object mergers without checking for __proto__ or constructor keys, or use Object.create(null).',
   },
 
   // Insecure crypto
@@ -117,6 +126,7 @@ const VULN_PATTERNS = [
     label: 'Weak hash algorithm (MD5/SHA1) for security use',
     regex: /createHash\s*\(\s*['"](?:md5|sha1)['"]\s*\)/gi,
     fileTypes: ['.js', '.ts', '.mjs', '.cjs'],
+    remediation: 'Use SHA-256 or SHA-512 (e.g. crypto.createHash("sha256")) instead of MD5 or SHA-1 for security use cases.',
   },
   {
     id: 'hardcoded-secret',
@@ -125,6 +135,7 @@ const VULN_PATTERNS = [
     label: 'Hardcoded secret/password in source code',
     regex: /(?:password|secret|apiKey|api_key|token)\s*[:=]\s*['"][A-Za-z0-9+/=_-]{12,}['"]/g,
     fileTypes: ['.js', '.ts', '.mjs', '.cjs', '.py', '.go', '.java'],
+    remediation: 'Move hardcoded secrets to environment variables or use a secure secrets manager.',
   },
 
   // SSRF
@@ -135,6 +146,7 @@ const VULN_PATTERNS = [
     label: 'Potential SSRF via user-controlled URL',
     regex: /(?:fetch|axios|got|request|https?\.(?:get|request))\s*\(\s*(?:`[^`]*\$\{|(?:req\.|input|args|params|query|body|user))/g,
     fileTypes: ['.js', '.ts', '.mjs', '.cjs'],
+    remediation: 'Validate the destination host against a strict whitelist of allowed domains and block requests to internal IPs.',
   },
 
   // Insecure deserialization
@@ -145,6 +157,7 @@ const VULN_PATTERNS = [
     label: 'Unsafe deserialization of untrusted data',
     regex: /(?:unserialize|yaml\.load\s*\((?!.*Loader\s*=\s*yaml\.SafeLoader)|pickle\.loads?|Marshal\.load)/g,
     fileTypes: ['.js', '.ts', '.py', '.rb'],
+    remediation: 'Use safe parsing libraries or options (such as yaml.safeLoad) instead of unsafe deserialization/eval-like loaders.',
   },
   {
     id: 'badhost-url-confusion',
@@ -153,6 +166,7 @@ const VULN_PATTERNS = [
     label: 'Potential BadHost-style host or URL confusion in AI service',
     regex: /\b(?:request\.url(?:\.path)?|url_for\s*\([^)]*_external\s*=\s*True|headers\s*\[\s*['"](?:host|x-forwarded-host)['"]\s*\])/gi,
     fileTypes: ['.py'],
+    remediation: 'Verify Host and X-Forwarded-Host headers against an approved whitelist before using them for routing or URL generation.',
   },
 ];
 
@@ -166,6 +180,7 @@ const SUPPLY_CHAIN_PATTERNS = [
     category: 'supply-chain',
     severity: 'high',
     label: 'Potentially typosquatted package name',
+    remediation: 'Verify spelling and authenticity of package name. If typosquatted, run: npm uninstall <package>.',
     // Common typosquat indicators: single-char substitutions of popular packages
     knownSafe: new Set([
       'express', 'lodash', 'axios', 'react', 'vue', 'angular', 'moment',
@@ -179,6 +194,7 @@ const SUPPLY_CHAIN_PATTERNS = [
     category: 'supply-chain',
     severity: 'critical',
     label: 'Suspicious install script in package.json',
+    remediation: 'Remove the pre/postinstall script, or run package installation with --ignore-scripts.',
     regex: /["'](?:pre|post)?install["']\s*:\s*["'](?:.*(?:curl|wget|nc\s|bash\s|sh\s|eval|exec|child_process))/g,
   },
   {
@@ -186,10 +202,79 @@ const SUPPLY_CHAIN_PATTERNS = [
     category: 'supply-chain',
     severity: 'medium',
     label: 'Wildcard or latest version in dependency',
+    remediation: 'Specify a concrete version constraint (e.g., "^1.0.0") instead of a wildcard or latest.',
     regex: /["'](?:dependencies|devDependencies|peerDependencies)["'][\s\S]{0,500}?["'][^"']+["']\s*:\s*["'](?:\*|latest|>=)/g,
   },
 ];
 
+/**
+ * Simple static analysis check (reachability/usage check) to see if a package is imported.
+ * @param {string} pkg - The package name to search for
+ * @param {string} rootDir - Root directory to walk
+ * @returns {boolean}
+ */
+function isPackageImported(pkg, rootDir = process.cwd()) {
+  const IGNORED_DIRS = new Set([
+    'node_modules', '.git', 'dist', 'coverage', '.planning', '.artifacts', '.gemini', '.antigravitycli'
+  ]);
+  const FILE_EXTS = new Set(['.js', '.ts', '.jsx', '.tsx', '.mjs', '.cjs', '.py']);
+  
+  // Escape package name for regex
+  const escapedPkg = pkg.replace(/[-\/\\^$*+?.()|[\]{}]/g, '\\$&');
+  const importRegex = new RegExp(
+    `(?:require\\s*\\(\\s*['"]${escapedPkg}['"]\\s*\\)|from\\s*['"]${escapedPkg}['"]|import\\s*\\(\\s*['"]${escapedPkg}['"]\\s*\\)|import\\s+['"]${escapedPkg}['"])`,
+    'i'
+  );
+
+  let found = false;
+  let fileCount = 0;
+  const maxFiles = 200; // safety limit to keep it fast (<50ms)
+
+  function walk(dir) {
+    if (found || fileCount >= maxFiles) return;
+    let files;
+    try {
+      files = fs.readdirSync(dir);
+    } catch {
+      return;
+    }
+
+    for (const file of files) {
+      if (found || fileCount >= maxFiles) return;
+      const fullPath = path.join(dir, file);
+      let stat;
+      try {
+        stat = fs.statSync(fullPath);
+      } catch {
+        continue;
+      }
+
+      if (stat.isDirectory()) {
+        if (!IGNORED_DIRS.has(file)) {
+          walk(fullPath);
+        }
+      } else if (stat.isFile()) {
+        const ext = path.extname(file).toLowerCase();
+        if (FILE_EXTS.has(ext)) {
+          fileCount++;
+          try {
+            const content = fs.readFileSync(fullPath, 'utf8');
+            if (importRegex.test(content)) {
+              found = true;
+              return;
+            }
+          } catch {
+            // ignore read errors
+          }
+        }
+      }
+    }
+  }
+
+  walk(rootDir);
+  return found;
+}
+
 // ---------------------------------------------------------------------------
 // Core scanning functions
 // ---------------------------------------------------------------------------
@@ -227,6 +312,7 @@ function scanCode(content, filePath = '') {
         line: lineNumber,
         match: match[0].slice(0, 120),
         path: filePath,
+        remediation: pattern.remediation,
       });
       // Only report first match per pattern per file to avoid noise
       break;
@@ -287,6 +373,10 @@ function scanDependencyChange(oldContent, newContent) {
 
     for (const [pkg, version] of Object.entries(newDeps)) {
       if (!oldDeps[pkg]) {
+        // Run usage check (reachability)
+        const reachable = isPackageImported(pkg);
+        const reachability = reachable ? 'imported' : 'unimported';
+
         // New dependency added — check for red flags
         if (version === '*' || version === 'latest' || version.startsWith('>=')) {
           findings.push({
@@ -295,6 +385,9 @@ function scanDependencyChange(oldContent, newContent) {
             severity: 'medium',
             label: `Wildcard version for new dependency: ${pkg}@${version}`,
             path: 'package.json',
+            remediation: `Specify a concrete version constraint (e.g., "^${version === '*' || version === 'latest' ? '1.0.0' : version}") instead of a wildcard.`,
+            reachable,
+            reachability,
           });
         }
 
@@ -306,6 +399,9 @@ function scanDependencyChange(oldContent, newContent) {
             severity: 'high',
             label: `Suspiciously short package name: "${pkg}"`,
             path: 'package.json',
+            remediation: 'Double-check spelling and verify this package is not a typosquatting attempt.',
+            reachable,
+            reachability,
           });
         }
 
@@ -318,6 +414,9 @@ function scanDependencyChange(oldContent, newContent) {
             severity: slopsquatFinding.severity,
             label: slopsquatFinding.label,
             path: 'package.json',
+            remediation: `Verify spelling and authenticity of package "${pkg}". If typosquatted, run: npm uninstall ${pkg}.`,
+            reachable,
+            reachability,
           });
         }
       }
@@ -335,6 +434,7 @@ function scanDependencyChange(oldContent, newContent) {
         severity: 'critical',
         label: `Suspicious install script: ${name} → ${cmd.slice(0, 80)}`,
         path: 'package.json',
+        remediation: 'Remove the suspicious pre/postinstall script, or run package installation with --ignore-scripts.',
       });
     }
   }

package/scripts/self-distill-agent.js

@@ -26,6 +26,7 @@ const { resolveFeedbackDir } = require('./feedback-paths');
 const { createLesson, inferStructuredLesson } = require('./lesson-inference');
 const { buildStableId } = require('./conversation-context');
 const { ensureParentDir, readJsonl } = require('./fs-utils');
+const { redactSecretsDeep } = require('./secret-redaction');
 
 const HOME = process.env.HOME || process.env.USERPROFILE || os.homedir() || '';
 const SELF_DISTILL_RUNS_PATH = path.join(HOME, '.thumbgate', 'self-distill-runs.jsonl');
@@ -383,7 +384,8 @@ async function generateLlmLessons(conversationWindow, model) {
 
 function writeRunManifest(manifest) {
   ensureParentDir(SELF_DISTILL_RUNS_PATH);
-  fs.appendFileSync(SELF_DISTILL_RUNS_PATH, JSON.stringify(manifest) + '\n');
+  // Redact secrets — the manifest embeds lesson triggers/actions distilled from conversation text.
+  fs.appendFileSync(SELF_DISTILL_RUNS_PATH, JSON.stringify(redactSecretsDeep(manifest)) + '\n');
 }
 
 function readRunManifests() {