thumbgate 1.27.6 → 1.27.7

package/src/api/server.js

@@ -3,6 +3,7 @@ const http = require('http');
 const https = require('https');
 const fs = require('fs');
 const path = require('path');
+const crypto = require('node:crypto');
 const { EventEmitter } = require('node:events');
 const pkg = require('../../package.json');
 const {
@@ -168,7 +169,13 @@ const {
   buildReviewSnapshot,
   readDashboardReviewState,
   writeDashboardReviewState,
+  collectAllFeedbackEntries,
 } = require('../../scripts/dashboard');
+const {
+  collectAggregateLogEntries,
+  computeAggregateFeedbackStats,
+  shouldAggregateFeedback,
+} = require('../../scripts/feedback-aggregate');
 const {
   guardDfcxWebhook,
 } = require('../../adapters/gcp/dfcx-webhook-gate');
@@ -209,6 +216,8 @@ const mcpOauth = require('../../scripts/mcp-oauth');
 // OAuth 2.1 (PKCE) authorization-server state for the remote MCP connector
 // (Claude Connectors Directory requires OAuth for authenticated services).
 const oauthStore = mcpOauth.createStore();
+const pendingOauthAuthorizeRequests = new Map();
+const OAUTH_AUTHORIZE_REQUEST_TTL_MS = 10 * 60 * 1000;
 const resendMailer = require('../../scripts/mailer/resend-mailer');
 const {
   buildContextFootprintReport,
@@ -231,12 +240,17 @@ const LEARN_PAGE_PATH = path.resolve(__dirname, '../../public/learn.html');
 const NUMBERS_PAGE_PATH = path.resolve(__dirname, '../../public/numbers.html');
 const FEDERAL_PAGE_PATH = path.resolve(__dirname, '../../public/federal.html');
 const PRICING_PAGE_PATH = path.resolve(__dirname, '../../public/pricing.html');
+const ABOUT_PAGE_PATH = path.resolve(__dirname, '../../public/about.html');
 const LEARN_DIR = path.resolve(__dirname, '../../public/learn');
 const GUIDES_DIR = path.resolve(__dirname, '../../public/guides');
 const COMPARE_DIR = path.resolve(__dirname, '../../public/compare');
 const USE_CASES_DIR = path.resolve(__dirname, '../../public/use-cases');
 const PUBLIC_DIR = path.resolve(__dirname, '../../public');
 const PUBLIC_ASSETS_DIR = path.resolve(__dirname, '../../public/assets');
+const LEARN_PAGE_PATHS_BY_SLUG = buildPublicHtmlFileMap(LEARN_DIR);
+const GUIDE_PAGE_PATHS_BY_SLUG = buildPublicHtmlFileMap(GUIDES_DIR);
+const COMPARE_PAGE_PATHS_BY_SLUG = buildPublicHtmlFileMap(COMPARE_DIR);
+const USE_CASE_PAGE_PATHS_BY_SLUG = buildPublicHtmlFileMap(USE_CASES_DIR);
 const BUYER_INTENT_SCRIPT_PATH = path.resolve(__dirname, '../../public/js/buyer-intent.js');
 const STATIC_MIME_BY_EXT = Object.freeze({
   '.png': 'image/png',
@@ -355,6 +369,7 @@ function serveStaticFile(res, filePath, { headOnly = false, cacheSeconds = 86400
   res.setHeader('Content-Type', contentType);
   res.setHeader('Content-Length', stat.size);
   res.setHeader('Cache-Control', `public, max-age=${cacheSeconds}, immutable`);
+  res.setHeader('Referrer-Policy', 'same-origin');
   if (headOnly) {
     res.end();
     return;
@@ -452,6 +467,36 @@ const TRACKED_LINK_TARGETS = Object.freeze({
     },
     allowCustomerEmail: true,
   },
+  diagnostic: {
+    configUrlKey: 'sprintDiagnosticCheckoutUrl',
+    fallbackHref: SPRINT_DIAGNOSTIC_CHECKOUT_URL,
+    external: true,
+    ctaId: 'go_diagnostic',
+    ctaPlacement: 'link_router',
+    eventType: 'cta_click',
+    defaults: {
+      utm_source: 'website',
+      utm_medium: 'link_router',
+      utm_campaign: 'sprint_diagnostic',
+      plan_id: 'sprint_diagnostic',
+    },
+    allowCustomerEmail: true,
+  },
+  sprint: {
+    configUrlKey: 'workflowSprintCheckoutUrl',
+    fallbackHref: WORKFLOW_SPRINT_CHECKOUT_URL,
+    external: true,
+    ctaId: 'go_sprint',
+    ctaPlacement: 'link_router',
+    eventType: 'cta_click',
+    defaults: {
+      utm_source: 'website',
+      utm_medium: 'link_router',
+      utm_campaign: 'workflow_sprint',
+      plan_id: 'workflow_sprint',
+    },
+    allowCustomerEmail: true,
+  },
   trial: {
     path: '/guide',
     ctaId: 'go_trial',
@@ -1564,7 +1609,10 @@ function classifyEnterpriseChatTopic(prompt) {
 // today?" with an actual filtered list instead of a canned total.
 function parseChatIntent(prompt) {
   const lower = String(prompt || '').toLowerCase();
-  const wantsList = /\bwhat\b|\bwhich\b|\blist\b|\bshow me\b|\bexamples?\b|\btell me about\b/.test(lower);
+  const terms = new Set(lower.split(/[^a-z0-9]+/).filter(Boolean));
+  const hasTerm = (term) => terms.has(term);
+  const wantsList = lower.includes('tell me about') ||
+    ['what', 'which', 'list', 'show', 'example', 'examples'].some(hasTerm);
   let windowMs = null;
   let windowLabel = 'across all time';
   if (/\btoday\b/.test(lower)) { windowMs = 24 * 60 * 60 * 1000; windowLabel = 'today'; }
@@ -1606,12 +1654,16 @@ function bestFeedbackDescription(row) {
 function readRecentFeedbackEntries(feedbackDir, signal, windowMs, limit = 5, opts = {}) {
   try {
     if (!feedbackDir) return [];
-    const fsLocal = require('node:fs');
-    const pathLocal = require('node:path');
-    const logPath = pathLocal.join(feedbackDir, 'feedback-log.jsonl');
-    if (!fsLocal.existsSync(logPath)) return [];
-    const { readJsonl } = require('../../scripts/fs-utils');
-    const rows = readJsonl(logPath) || [];
+    const rows = shouldAggregateFeedback()
+      ? collectAggregateLogEntries('feedback-log.jsonl', { feedbackDir }).entries
+      : (() => {
+          const fsLocal = require('node:fs');
+          const pathLocal = require('node:path');
+          const logPath = pathLocal.join(feedbackDir, 'feedback-log.jsonl');
+          if (!fsLocal.existsSync(logPath)) return [];
+          const { readJsonl } = require('../../scripts/fs-utils');
+          return readJsonl(logPath) || [];
+        })();
     const cutoff = windowMs ? Date.now() - windowMs : 0;
     const filtered = rows
       .filter((r) => !signal || r.signal === signal)
@@ -1622,7 +1674,11 @@ function readRecentFeedbackEntries(feedbackDir, signal, windowMs, limit = 5, opt
       })
       .reverse()
       .map((r) => {
-        const out = { timestamp: r.timestamp, context: bestFeedbackDescription(r) };
+        const out = {
+          timestamp: r.timestamp,
+          context: bestFeedbackDescription(r),
+          tags: Array.isArray(r.tags) ? r.tags : []
+        };
         if (opts.includeSignal) out.signal = r.signal;
         return out;
       });
@@ -1661,9 +1717,53 @@ const FEEDBACK_LIST_LABELS = Object.freeze({
   positive: 'Recent wins',
 });
 
+const FEEDBACK_OMITTED_TAGS = Object.freeze(['audit-trail', 'auto-capture']);
+
+function formatChatTimestamp(isoString) {
+  if (!isoString) return 'unknown time';
+  try {
+    const d = new Date(isoString);
+    if (Number.isNaN(d.getTime())) return isoString;
+    const pad = (n) => String(n).padStart(2, '0');
+    const yyyy = d.getFullYear();
+    const mm = pad(d.getMonth() + 1);
+    const dd = pad(d.getDate());
+    const hh = pad(d.getHours());
+    const min = pad(d.getMinutes());
+    const ss = pad(d.getSeconds());
+    return `${yyyy}-${mm}-${dd} ${hh}:${min}:${ss}`;
+  } catch {
+    return isoString;
+  }
+}
+
+function buildFeedbackEntries(windowed, signal) {
+  return (signal ? windowed.filter((r) => r.signal === signal) : windowed)
+    .filter((r) => r.context && !isPlaceholder(r.context))
+    .slice(0, 5);
+}
+
+function formatFeedbackEntry(entry) {
+  const tsFormatted = formatChatTimestamp(entry.timestamp);
+  const signalLabel = entry.signal ? ` [${entry.signal}]` : '';
+  const tagsList = Array.isArray(entry.tags)
+    ? entry.tags.filter((tag) => !FEEDBACK_OMITTED_TAGS.includes(tag))
+    : [];
+  const tagsStr = tagsList.length ? ` (${tagsList.join(', ')})` : '';
+  return `  • ${tsFormatted}${signalLabel}${tagsStr} — ${entry.context}`;
+}
+
+function appendFeedbackListLines(lines, { entries, signal, intent }) {
+  if (!entries.length) {
+    lines.push(`No ${signal || 'feedback'} entries found ${intent.windowLabel}.`);
+    return;
+  }
+  lines.push(`${FEEDBACK_LIST_LABELS[signal] || 'Recent feedback'} (${intent.windowLabel}):`);
+  lines.push(...entries.map(formatFeedbackEntry));
+}
+
 function buildFeedbackSection({ ctx, intent, feedbackDir, approval, lessonPipeline }) {
   const signal = detectFeedbackSignalFromPrompt(ctx.prompt);
-
   // One read of the time-windowed log, then in-memory counts + (signal-filtered,
   // placeholder-stripped) list. Counts include ALL entries (so "Feedback today: 5"
   // matches the dashboard tile); the list drops vague entries like literal "thumbs
@@ -1671,24 +1771,16 @@ function buildFeedbackSection({ ctx, intent, feedbackDir, approval, lessonPipeli
   const windowed = readRecentFeedbackEntries(feedbackDir, null, intent.windowMs, 10000, { includeSignal: true });
   const windowPos = windowed.filter((r) => r.signal === 'positive').length;
   const windowNeg = windowed.filter((r) => r.signal === 'negative').length;
-  const entries = (signal ? windowed.filter((r) => r.signal === signal) : windowed)
-    .filter((r) => r.context && !isPlaceholder(r.context))
-    .slice(0, 5);
+  const entries = buildFeedbackEntries(windowed, signal);
 
-  const lines = [];
-  lines.push(intent.windowMs
+  const lines = [
+    intent.windowMs
     ? `Feedback ${intent.windowLabel}: ${windowed.length} (${windowPos} positive, ${windowNeg} negative).`
-    : `Feedback total: ${compactNumber(approval.total)} (${compactNumber(approval.positive)} positive, ${compactNumber(approval.negative)} negative).`);
+    : `Feedback total: ${compactNumber(approval.total)} (${compactNumber(approval.positive)} positive, ${compactNumber(approval.negative)} negative).`,
+  ];
 
   if (intent.wantsList) {
-    if (entries.length) {
-      lines.push(`${FEEDBACK_LIST_LABELS[signal] || 'Recent feedback'} (${intent.windowLabel}):`);
-      for (const e of entries) {
-        lines.push(`  • ${(e.timestamp || '').slice(0, 10)} — ${e.context}`);
-      }
-    } else {
-      lines.push(`No ${signal || 'feedback'} entries found ${intent.windowLabel}.`);
-    }
+    appendFeedbackListLines(lines, { entries, signal, intent });
   } else {
     lines.push(`Lesson pipeline: ${compactNumber(lessonPipeline.lessons || lessonPipeline.generated || 0)} lessons visible in the current dashboard snapshot.`);
   }
@@ -1896,7 +1988,7 @@ async function answerEnterpriseDataChat({ prompt, feedbackDir, parsed }) {
 const answerEnterpriseDialogflowChat = answerEnterpriseDataChat;
 
 function buildLossAnalyticsResponse(data, summaryOptions) {
-  return {
+  return sanitizeHtmlUnsafeJsonValue({
     window: data.analytics.window || summaryOptions,
     lossAnalysis: data.analytics.lossAnalysis || null,
     buyerLoss: data.analytics.buyerLoss || null,
@@ -1908,13 +2000,50 @@ function buildLossAnalyticsResponse(data, summaryOptions) {
       ctas: data.analytics.telemetry && data.analytics.telemetry.ctas,
       visitors: data.analytics.telemetry && data.analytics.telemetry.visitors,
     },
-  };
+  });
 }
 
 function createJourneyId(prefix) {
   return createTraceId(prefix).replace(/^trace_/, `${prefix}_`);
 }
 
+function normalizeCheckoutInterstitialSampleRate(value) {
+  const parsed = Number.parseFloat(String(value || '').trim());
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    return 0;
+  }
+  if (parsed > 1) {
+    return Math.min(parsed / 100, 1);
+  }
+  return Math.min(parsed, 1);
+}
+
+function stableUnitInterval(value) {
+  const text = String(value || '');
+  let hash = 2166136261;
+  for (const character of text) {
+    hash ^= character.codePointAt(0);
+    hash = Math.imul(hash, 16777619);
+  }
+  return (hash >>> 0) / 4294967296;
+}
+
+function shouldSampleCheckoutInterstitial({ sampleRate, traceId, analyticsMetadata }) {
+  if (sampleRate <= 0) {
+    return false;
+  }
+  if (sampleRate >= 1) {
+    return true;
+  }
+  const seed = [
+    analyticsMetadata?.visitorId,
+    analyticsMetadata?.sessionId,
+    analyticsMetadata?.acquisitionId,
+    traceId,
+  ].filter(Boolean).join(':');
+  return stableUnitInterval(seed || traceId) < sampleRate;
+}
+
 function appendQueryParam(url, key, value) {
   const normalized = normalizeNullableText(value);
   if (normalized) {
@@ -1974,9 +2103,245 @@ function buildCheckoutIntentHref(baseUrl, metadata = {}, overrides = {}) {
   });
 }
 
-function renderCheckoutIntentPage(prefilledEmail = '') {
+const CHECKOUT_HIDDEN_ATTRIBUTION_KEYS = Object.freeze([
+  'trace_id',
+  'acquisition_id',
+  'visitor_id',
+  'session_id',
+  'visitor_session_id',
+  'install_id',
+  'utm_source',
+  'utm_medium',
+  'utm_campaign',
+  'utm_content',
+  'utm_term',
+  'creator',
+  'community',
+  'post_id',
+  'comment_id',
+  'campaign_variant',
+  'offer_code',
+  'cta_id',
+  'cta_placement',
+  'plan_id',
+  'billing_cycle',
+  'seat_count',
+  'landing_path',
+  'referrer_host',
+]);
+
+function normalizeHiddenAttributionValue(value) {
+  const normalized = normalizeNullableText(value);
+  if (!normalized) return '';
+  return normalized.slice(0, 512);
+}
+
+function buildCheckoutHiddenAttributionInputs(parsed = null) {
+  if (!parsed?.searchParams) return '';
+
+  const inputs = [];
+  for (const key of CHECKOUT_HIDDEN_ATTRIBUTION_KEYS) {
+    const value = normalizeHiddenAttributionValue(parsed.searchParams.get(key));
+    if (value) {
+      inputs.push(`<input type="hidden" name="${key}" value="${escapeHtmlAttribute(value)}">`);
+    }
+  }
+  return inputs.join('');
+}
+
+function prunePendingOauthAuthorizeRequests(now = Date.now()) {
+  for (const [token, entry] of pendingOauthAuthorizeRequests.entries()) {
+    if (!entry || entry.expiresAt <= now) {
+      pendingOauthAuthorizeRequests.delete(token);
+    }
+  }
+}
+
+function createPendingOauthAuthorizeRequest(params, now = Date.now()) {
+  prunePendingOauthAuthorizeRequests(now);
+  const token = crypto.randomBytes(32).toString('base64url');
+  pendingOauthAuthorizeRequests.set(token, {
+    params,
+    expiresAt: now + OAUTH_AUTHORIZE_REQUEST_TTL_MS,
+  });
+  return token;
+}
+
+function consumePendingOauthAuthorizeRequest(token, now = Date.now()) {
+  if (!token) return null;
+  prunePendingOauthAuthorizeRequests(now);
+  const entry = pendingOauthAuthorizeRequests.get(token);
+  if (!entry) return null;
+  pendingOauthAuthorizeRequests.delete(token);
+  return entry.params;
+}
+
+function getOauthAuthorizeParamsFromQuery(searchParams) {
+  return {
+    clientId: searchParams.get('client_id') || '',
+    redirectUri: searchParams.get('redirect_uri') || '',
+    codeChallenge: searchParams.get('code_challenge') || '',
+    codeChallengeMethod: searchParams.get('code_challenge_method') || '',
+    scope: searchParams.get('scope') || undefined,
+    state: searchParams.get('state') || '',
+    resource: searchParams.get('resource') || '',
+  };
+}
+
+function getOauthAuthorizeParamsFromForm(form, hostedConfig) {
+  const pending = consumePendingOauthAuthorizeRequest(form.get('auth_request_token') || '');
+  if (pending) return pending;
+  return {
+    clientId: form.get('client_id') || '',
+    redirectUri: form.get('redirect_uri') || '',
+    codeChallenge: form.get('code_challenge') || '',
+    codeChallengeMethod: form.get('code_challenge_method') || '',
+    scope: form.get('scope') || undefined,
+    state: form.get('state') || '',
+    resource: form.get('resource') || buildPublicUrl(hostedConfig, '/mcp'),
+  };
+}
+
+function renderCheckoutIntentPage(prefilledEmail = '', parsed = null, options = {}) {
   const plausibleDomain = escapeHtmlAttribute(resolvePlausibleDataDomain({ host: 'thumbgate.ai' }));
-  return `<!doctype html><html lang="en"><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>Confirm — ThumbGate Pro</title><script defer data-domain="${plausibleDomain}" src="https://plausible.io/js/script.tagged-events.js"></script><script>window.plausible=window.plausible||function(){(window.plausible.q=window.plausible.q||[]).push(arguments)};</script><style>body{background:#0a0a0a;color:#eee;font-family:system-ui,-apple-system,sans-serif;line-height:1.5}main{max-width:520px;margin:8vh auto;padding:0 20px}.brand{display:flex;align-items:center;gap:10px;margin-bottom:24px;font-size:14px;color:#94a3b8}.brand-mark{width:24px;height:24px;background:#22d3ee;border-radius:6px;display:inline-block}h1{font-size:24px;margin:0 0 8px;color:#fff}.price{font-size:32px;font-weight:700;color:#22d3ee;margin:8px 0 4px}.price small{font-size:14px;color:#94a3b8;font-weight:400}p{color:#cbd5e1;margin:8px 0}form{margin:0}input[type=email]{width:100%;box-sizing:border-box;padding:14px 16px;border:1px solid #374151;border-radius:8px;background:#111827;color:#fff;font-size:15px;margin:16px 0 0;outline:none}input[type=email]:focus{border-color:#22d3ee}input[type=email]::placeholder{color:#64748b}button.primary{background:#22d3ee;color:#000;padding:16px;text-align:center;border-radius:8px;font-weight:700;font-size:16px;margin:10px 0;border:none;cursor:pointer;width:100%}a{display:block;text-decoration:none}a.secondary{border:1px solid #374151;color:#cbd5e1;padding:12px;text-align:center;border-radius:8px;margin:8px 0 0;font-size:14px}.trust{margin:24px 0;padding:16px;border:1px solid #1f2937;border-radius:8px;background:#0f172a}.trust-item{font-size:13px;color:#cbd5e1;padding:4px 0;display:flex;gap:8px}.trust-item::before{content:"✓";color:#22d3ee;font-weight:700}.choice-note{font-size:13px;color:#94a3b8;margin-top:14px}.back{text-align:center;color:#64748b;font-size:12px;margin-top:24px}.back a{color:#64748b;display:inline}.email-note{font-size:12px;color:#64748b;margin:4px 0 0}</style><main><div class="brand"><span class="brand-mark"></span><span>ThumbGate</span></div><h1>Start ThumbGate Pro</h1><div class="price">$19<small>/mo</small></div><p>The npm package runs your gates locally. <strong>Pro</strong> is what keeps them working across every machine, every agent runtime, and every breaking-change week.</p><form action="/checkout/pro" method="GET" data-i="pro_checkout_confirmed"><input type="hidden" name="confirm" value="1"><input type="email" name="customer_email" value="${escapeHtmlAttribute(prefilledEmail)}" placeholder="you@company.com" required autocomplete="email"><p class="email-note">Pre-fills your Stripe receipt. We only email if you ask.</p><button type="submit" class="primary">Pay $19/mo with Stripe →</button></form><a class="secondary" data-i="workflow_sprint_intake" href="/#workflow-sprint-intake">Not sure yet? Send the workflow first</a><p class="choice-note">Cancel anytime. 7-day refund, no questions. Diagnostics and sprints have their own pages.</p><div class="trust"><div class="trust-item">Lessons synced across all your machines — no local SQLite to babysit</div><div class="trust-item">Adapter matrix kept current for Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode — version drift is our problem, not yours</div><div class="trust-item">Hosted dashboard: gate stats, DPO export, org-wide rule library</div><div class="trust-item">24×7 ops on the rule engine — SonarCloud regressions fixed in &lt;24h</div></div><p class="back"><a href="/">← Back to thumbgate.ai</a></p></main><script>document.querySelector('form').addEventListener('submit',e=>{if(navigator.sendBeacon)navigator.sendBeacon('/v1/telemetry/ping',new Blob([JSON.stringify({eventType:'checkout_interstitial_cta_clicked',clientType:'web',page:'/checkout/pro',ctaId:'pro_checkout_confirmed',ctaPlacement:'checkout_interstitial',customerEmail:document.querySelector('input[name=customer_email]').value})],{type:'application/json'}));try{window.plausible&&window.plausible('Checkout Pro Email Submitted',{props:{page:'/checkout/pro',source:'interstitial'}})}catch(_){}})</script></html>`;
+  const includeHiddenAttribution = options.includeHiddenAttribution === true;
+  const hiddenInputs = includeHiddenAttribution
+    ? buildCheckoutHiddenAttributionInputs(parsed)
+    : '';
+  return `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Confirm - ThumbGate Pro</title>
+<script defer data-domain="${plausibleDomain}" src="https://plausible.io/js/script.tagged-events.js"></script>
+<script>window.plausible=window.plausible||function(){(window.plausible.q=window.plausible.q||[]).push(arguments)};</script>
+<style>
+body{background:#0a0a0a;color:#eee;font-family:system-ui,-apple-system,sans-serif;line-height:1.5}
+main{max-width:520px;margin:8vh auto;padding:0 20px}
+.brand{display:flex;align-items:center;gap:10px;margin-bottom:24px;font-size:14px;color:#94a3b8}
+.brand-mark{width:24px;height:24px;background:#22d3ee;border-radius:6px;display:inline-block}
+h1{font-size:24px;margin:0 0 8px;color:#fff}.price{font-size:32px;font-weight:700;color:#22d3ee;margin:8px 0 4px}.price small{font-size:14px;color:#94a3b8;font-weight:400}
+p{color:#cbd5e1;margin:8px 0}form{margin:0}
+input[type=email]{width:100%;box-sizing:border-box;padding:14px 16px;border:1px solid #374151;border-radius:8px;background:#111827;color:#fff;font-size:15px;margin:16px 0 0;outline:none}
+input[type=email]:focus{border-color:#22d3ee}input[type=email]::placeholder{color:#64748b}
+button.primary{background:#22d3ee;color:#000;padding:16px;text-align:center;border-radius:8px;font-weight:700;font-size:16px;margin:10px 0;border:none;cursor:pointer;width:100%}
+a{display:block;text-decoration:none}a.secondary{border:1px solid #374151;color:#cbd5e1;padding:12px;text-align:center;border-radius:8px;margin:8px 0 0;font-size:14px}
+.trust,.objection-box{margin:24px 0;padding:16px;border:1px solid #1f2937;border-radius:8px;background:#0f172a}
+.trust-item{font-size:13px;color:#cbd5e1;padding:4px 0;display:flex;gap:8px}.trust-item::before{content:"✓";color:#22d3ee;font-weight:700}
+.choice-note,.email-note,.objection-note{font-size:13px;color:#94a3b8;margin-top:10px}
+.objection-grid{display:grid;gap:8px;margin-top:12px}
+.objection-grid button{border:1px solid #374151;background:#111827;color:#e5e7eb;border-radius:8px;padding:10px 12px;text-align:left;cursor:pointer}
+.objection-grid button:hover,.objection-grid button:focus{border-color:#22d3ee;outline:none}
+.feedback-saved{display:none;color:#22d3ee;font-size:13px;margin-top:10px}
+.back{text-align:center;color:#64748b;font-size:12px;margin-top:24px}.back a{color:#64748b;display:inline}
+</style>
+</head>
+<body>
+<main>
+<div class="brand"><span class="brand-mark"></span><span>ThumbGate</span></div>
+<h1>Start ThumbGate Pro</h1>
+<div class="price">$19<small>/mo</small></div>
+<p>The npm package runs your gates locally. <strong>Pro</strong> is what keeps them working across every machine, every agent runtime, and every breaking-change week.</p>
+<form action="/checkout/pro" method="GET" data-i="pro_checkout_confirmed">
+${hiddenInputs}
+<input type="hidden" name="confirm" value="1">
+<input type="email" name="customer_email" value="${escapeHtmlAttribute(prefilledEmail)}" placeholder="you@company.com" autocomplete="email">
+<p class="email-note">Optional. Stripe can collect your email on the secure checkout page.</p>
+<button type="submit" class="primary">Pay $19/mo with Stripe →</button>
+</form>
+<a class="secondary" data-i="workflow_sprint_intake" href="/#workflow-sprint-intake">Not sure yet? Send the workflow first</a>
+<p class="choice-note">Cancel anytime. 7-day refund, no questions. Diagnostics and sprints have their own pages.</p>
+<div class="objection-box" aria-label="Checkout feedback">
+<strong>Not buying today?</strong>
+<p class="objection-note">Tap one reason so we know what to fix. This does not sign you up.</p>
+<div class="objection-grid">
+<button type="button" data-reason="price_unclear">Price or scope is unclear</button>
+<button type="button" data-reason="need_more_proof">Need more proof first</button>
+<button type="button" data-reason="need_team_plan">Need a team/workflow plan instead</button>
+<button type="button" data-reason="not_urgent">Not urgent right now</button>
+</div>
+<div class="feedback-saved" id="feedback-saved">Feedback saved.</div>
+</div>
+<div class="trust"><div class="trust-item">Lessons synced across all your machines — no local SQLite to babysit</div><div class="trust-item">Adapter matrix kept current for Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode — version drift is our problem, not yours</div><div class="trust-item">Hosted dashboard: gate stats, DPO export, org-wide rule library</div><div class="trust-item">24×7 ops on the rule engine — SonarCloud regressions fixed in &lt;24h</div></div>
+<p class="back"><a href="/">← Back to thumbgate.ai</a></p>
+</main>
+<script>
+(function(){
+  var params = new URLSearchParams(window.location.search);
+  var submitted = false;
+  var feedbackSent = false;
+  function pick(key, fallback) { return params.get(key) || fallback || null; }
+  function sendTelemetry(eventType, extra) {
+    var payload = Object.assign({
+      eventType: eventType,
+      clientType: 'web',
+      page: '/checkout/pro',
+      traceId: pick('trace_id'),
+      acquisitionId: pick('acquisition_id'),
+      visitorId: pick('visitor_id'),
+      sessionId: pick('visitor_session_id') || pick('session_id'),
+      installId: pick('install_id'),
+      source: pick('utm_source') || pick('source') || 'website',
+      utmSource: pick('utm_source') || pick('source') || 'website',
+      utmMedium: pick('utm_medium') || 'checkout_interstitial',
+      utmCampaign: pick('utm_campaign') || 'pro_pack',
+      utmContent: pick('utm_content'),
+      utmTerm: pick('utm_term'),
+      creator: pick('creator') || pick('creator_handle'),
+      community: pick('community') || pick('subreddit'),
+      postId: pick('post_id'),
+      commentId: pick('comment_id'),
+      campaignVariant: pick('campaign_variant'),
+      offerCode: pick('offer_code'),
+      ctaId: pick('cta_id') || 'pricing_pro',
+      ctaPlacement: pick('cta_placement') || 'checkout_interstitial',
+      planId: pick('plan_id') || 'pro',
+      billingCycle: pick('billing_cycle') || 'monthly',
+      landingPath: pick('landing_path') || '/',
+      referrerHost: pick('referrer_host'),
+      referrer: document.referrer || null
+    }, extra || {});
+    var body = JSON.stringify(payload);
+    if (navigator.sendBeacon) {
+      navigator.sendBeacon('/v1/telemetry/ping', new Blob([body], { type: 'application/json' }));
+      return;
+    }
+    fetch('/v1/telemetry/ping', { method:'POST', headers:{ 'content-type':'application/json' }, body: body, keepalive: true }).catch(function(){});
+  }
+  document.querySelector('form').addEventListener('submit', function(){
+    submitted = true;
+    var emailInput = document.querySelector('input[name=customer_email]');
+    sendTelemetry('checkout_interstitial_cta_clicked', {
+      ctaId: 'pro_checkout_confirmed',
+      ctaPlacement: 'checkout_interstitial',
+      customerEmail: emailInput ? emailInput.value : null
+    });
+    try { window.plausible && window.plausible('Checkout Pro Email Submitted', { props: { page:'/checkout/pro', source:'interstitial' } }); } catch(_) {}
+  });
+  document.querySelectorAll('[data-reason]').forEach(function(button) {
+    button.addEventListener('click', function(){
+      var reason = button.getAttribute('data-reason');
+      feedbackSent = true;
+      sendTelemetry('reason_not_buying', {
+        reasonCode: reason,
+        ctaId: 'checkout_interstitial_reason_' + reason,
+        ctaPlacement: 'checkout_interstitial_feedback'
+      });
+      try { window.plausible && window.plausible('Checkout Pro Reason Not Buying', { props: { page:'/checkout/pro', reasonCode: reason } }); } catch(_) {}
+      var saved = document.getElementById('feedback-saved');
+      if (saved) saved.style.display = 'block';
+    });
+  });
+  window.addEventListener('pagehide', function(){
+    if (!submitted && !feedbackSent) {
+      sendTelemetry('checkout_interstitial_abandoned', { reasonCode: 'left_without_confirming' });
+    }
+  });
+})();
+</script>
+</body>
+</html>`;
 }
 
 function buildCheckoutBootstrapBody(parsed, req, journeyState = resolveJourneyState(req, parsed)) {
@@ -2040,17 +2405,6 @@ function normalizeCheckoutCustomerEmail(value) {
   return email;
 }
 
-function renderCheckoutIntentGate(parsed, responseHeaders = {}) {
-  let hiddenInputs = '';
-  for (const [key, value] of parsed.searchParams.entries()) {
-    if (key !== 'confirm' && key !== 'customer_email') hiddenInputs += `<input type=hidden name=${escapeHtmlAttribute(key)} value=${escapeHtmlAttribute(value)}>`;
-  }
-  return {
-    html: `<!doctype html><h1>Email for Stripe receipt</h1><form action=/checkout/pro>${hiddenInputs}<input type=hidden name=confirm value=1><input name=customer_email type=email required><button>Continue</button></form>`,
-    headers: responseHeaders,
-  };
-}
-
 function normalizeTrackedLinkSlug(value) {
   return String(value || '').trim().toLowerCase().replace(/[^a-z0-9-]/g, '');
 }
@@ -2061,6 +2415,27 @@ function normalizePublicPageSlug(value) {
     .replace(/[^a-z0-9-]/g, '');
 }
 
+function buildPublicHtmlFileMap(directory) {
+  const entries = new Map();
+  try {
+    for (const fileName of fs.readdirSync(directory)) {
+      if (!/^[a-z0-9-]+\.html$/i.test(fileName)) continue;
+      const slug = normalizePublicPageSlug(fileName);
+      if (!slug) continue;
+      entries.set(slug, path.join(directory, fileName));
+    }
+  } catch (error) {
+    if (error?.code !== 'ENOENT') throw error;
+  }
+  return entries;
+}
+
+function resolvePublicHtmlFile(publicPageMap, rawSlug) {
+  const slug = normalizePublicPageSlug(rawSlug);
+  if (!slug) return null;
+  return publicPageMap.get(slug) || null;
+}
+
 function getTrackedLinkTarget(slug) {
   const normalizedSlug = normalizeTrackedLinkSlug(slug);
   return TRACKED_LINK_TARGETS[normalizedSlug]
@@ -2096,8 +2471,10 @@ function appendTrackedLinkQueryParams(destinationUrl, parsed, target) {
 }
 
 function buildTrackedLinkDestination(target, hostedConfig, parsed) {
-  const destinationUrl = target.href
-    ? new URL(target.href)
+  const configuredHref = target.configUrlKey ? hostedConfig[target.configUrlKey] : null;
+  const href = target.href || configuredHref || target.fallbackHref;
+  const destinationUrl = href
+    ? new URL(href)
     : new URL(target.path || '/', hostedConfig.appOrigin);
   appendTrackedLinkQueryParams(destinationUrl, parsed, target);
   return destinationUrl;
@@ -2224,6 +2601,7 @@ function sendJson(res, statusCode, payload, extraHeaders = {}, options = {}) {
   const body = JSON.stringify(payload);
   res.writeHead(statusCode, {
     'Content-Type': 'application/json; charset=utf-8',
+    'X-Content-Type-Options': 'nosniff',
     'Content-Length': Buffer.byteLength(body),
     ...extraHeaders,
   });
@@ -2317,8 +2695,9 @@ function chatgptActionEventType(integration, suffix) {
 }
 
 function getPublicOrigin(req) {
-  const proto = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim() || 'http';
-  const host = String(req.headers['x-forwarded-host'] || req.headers.host || '').split(',')[0].trim() || 'localhost';
+  const rawProto = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase();
+  const proto = rawProto === 'https' ? 'https' : 'http';
+  const host = getSafePublicRequestHost(req) || 'localhost';
   return `${proto}://${host}`;
 }
 
@@ -2337,6 +2716,47 @@ function getRequestHostHeader(req) {
   return forwardedHost || req.headers.host || '';
 }
 
+function normalizePublicRequestHost(value) {
+  const rawHost = String(value || '').split(',')[0].trim().toLowerCase();
+  if (!rawHost || rawHost.length > 253) return '';
+
+  const hostWithoutPort = rawHost.startsWith('[')
+    ? rawHost.slice(1).split(']')[0]
+    : rawHost.split(':')[0];
+  const port = rawHost.startsWith('[')
+    ? rawHost.split(']:')[1] || ''
+    : rawHost.split(':')[1] || '';
+
+  if (!isAllowedPublicHostName(hostWithoutPort)) {
+    return '';
+  }
+  if (port && !/^\d{1,5}$/.test(port)) return '';
+  if (port && Number(port) > 65535) return '';
+  return port ? `${hostWithoutPort}:${port}` : hostWithoutPort;
+}
+
+function isAllowedPublicHostName(hostname) {
+  return hostname === 'localhost'
+    || hostname === '::1'
+    || isIpv4Host(hostname)
+    || isDnsHostName(hostname);
+}
+
+function isIpv4Host(hostname) {
+  const parts = hostname.split('.');
+  return parts.length === 4 && parts.every((part) => /^\d{1,3}$/.test(part));
+}
+
+function isDnsHostName(hostname) {
+  return hostname
+    .split('.')
+    .every((label) => /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(label));
+}
+
+function getSafePublicRequestHost(req) {
+  return normalizePublicRequestHost(getRequestHostHeader(req));
+}
+
 function isLoopbackHost(hostValue) {
   const rawHost = String(hostValue || '').split(',')[0].trim();
   if (!rawHost) {
@@ -2382,7 +2802,7 @@ function stripTrailingSlashes(value) {
   return input.slice(0, end);
 }
 
-function normalizePublicMarketingHtml(html, runtimeConfig) {
+function normalizePublicMarketingHtml(html, runtimeConfig, requestHost) {
   const appOrigin = runtimeConfig?.appOrigin
     ? stripTrailingSlashes(runtimeConfig.appOrigin)
     : '';
@@ -2391,11 +2811,14 @@ function normalizePublicMarketingHtml(html, runtimeConfig) {
   let output = String(html);
   output = output.replaceAll(DEFAULT_PUBLIC_APP_ORIGIN, appOrigin);
   try {
-    const host = new URL(appOrigin).host;
+    const host = normalizePublicRequestHost(requestHost) || new URL(appOrigin).host;
     const plausibleDomain = resolvePlausibleDataDomain({ host });
     output = output.replaceAll(
       'data-domain="thumbgate-production.up.railway.app"',
       `data-domain="${escapeHtmlAttribute(plausibleDomain)}"`
+    ).replaceAll(
+      'data-domain="thumbgate.ai"',
+      `data-domain="${escapeHtmlAttribute(plausibleDomain)}"`
     );
   } catch {
     // appOrigin is normalized by hosted-config; leave static analytics domains
@@ -2444,7 +2867,7 @@ function loadPublicMarketingTemplateHtml(templatePath, runtimeConfig, pageContex
     '__GTM_PLAN_URL__': 'https://github.com/IgorGanapolsky/ThumbGate/blob/main/docs/GO_TO_MARKET_REVENUE_WEDGE_2026-03.md',
     '__GITHUB_URL__': 'https://github.com/IgorGanapolsky/ThumbGate',
     '__POSTHOG_API_KEY__': runtimeConfig.posthogApiKey || '',
-  }), runtimeConfig);
+  }), runtimeConfig, pageContext.requestHost);
 }
 
 function loadLandingPageHtml(runtimeConfig, pageContext = {}) {
@@ -2459,6 +2882,18 @@ function loadPricingPageHtml(runtimeConfig, pageContext = {}) {
   return loadPublicMarketingTemplateHtml(PRICING_PAGE_PATH, runtimeConfig, pageContext);
 }
 
+function loadAboutPageHtml(runtimeConfig, pageContext = {}) {
+  return loadPublicMarketingTemplateHtml(ABOUT_PAGE_PATH, runtimeConfig, pageContext);
+}
+
+function loadGuidePageHtml(runtimeConfig, pageContext = {}) {
+  return loadPublicMarketingTemplateHtml(GUIDE_PAGE_PATH, runtimeConfig, pageContext);
+}
+
+function loadLearnPageHtml(runtimeConfig, pageContext = {}) {
+  return loadPublicMarketingTemplateHtml(LEARN_PAGE_PATH, runtimeConfig, pageContext);
+}
+
 function readOptionalPublicTemplate(filePath) {
   try {
     return fs.readFileSync(filePath, 'utf-8');
@@ -3091,6 +3526,7 @@ function renderSitemapXml(runtimeConfig) {
     { path: '/learn/codex-role-plugins-need-governance', changefreq: 'weekly', priority: '0.85' },
     { path: '/learn/agentic-os-team-governance', changefreq: 'weekly', priority: '0.85' },
     { path: '/learn/cost-aware-agent-gate-routing', changefreq: 'weekly', priority: '0.85' },
+    { path: '/learn/pretix-stripe-connect-marketplaces', changefreq: 'weekly', priority: '0.9' },
     { path: '/compare/claude-code-hooks', changefreq: 'weekly', priority: '0.85' },
     { path: '/compare/bumblebee', changefreq: 'weekly', priority: '0.85' },
     { path: '/compare/anthropic-containment', changefreq: 'weekly', priority: '0.85' },
@@ -3099,6 +3535,30 @@ function renderSitemapXml(runtimeConfig) {
     { path: '/compare/anthropic-claude-for-legal', changefreq: 'weekly', priority: '0.9' },
     ...THUMBGATE_SEO_SITEMAP_ENTRIES,
   ];
+  // Auto-include every hand-written SEO page so /sitemap.xml can never drift out
+  // of sync with public/compare/*.html or public/guides/*.html. Crawlers and AI
+  // answer engines only surface pages they can discover, so a buyer-intent page
+  // missing from the sitemap is invisible on its query. De-duped against entries
+  // already declared above (e.g. seo-gsd specs), which keep explicit priorities.
+  const declaredPaths = new Set(entries.map((entry) => entry.path));
+  try {
+    const seoDirectories = [
+      { dir: 'compare', route: '/compare', priority: '0.85' },
+      { dir: 'guides', route: '/guides', priority: '0.85' },
+    ];
+    for (const catalog of seoDirectories) {
+      const files = fs.readdirSync(path.join(PUBLIC_DIR, catalog.dir)).sort((a, b) => a.localeCompare(b));
+      for (const file of files) {
+        if (!file.endsWith('.html')) continue;
+        const publicPath = `${catalog.route}/${file.replace(/\.html$/, '')}`;
+        if (declaredPaths.has(publicPath)) continue;
+        declaredPaths.add(publicPath);
+        entries.push({ path: publicPath, changefreq: 'weekly', priority: catalog.priority });
+      }
+    }
+  } catch {
+    // SEO directories absent in a stripped bundle — fall back to static entries.
+  }
   return [
     '<?xml version="1.0" encoding="UTF-8"?>',
     '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">',
@@ -3224,11 +3684,13 @@ function servePublicMarketingPage({
     }, req.headers, 'seo_landing_view');
   }
 
+  const requestHost = getSafePublicRequestHost(req);
   const html = renderHtml(hostedConfig, {
     serverVisitorId: journeyState.visitorId,
     serverSessionId: journeyState.sessionId,
     serverAcquisitionId: journeyState.acquisitionId,
     serverTelemetryCaptured: landingTelemetryCaptured,
+    requestHost,
   });
 
   sendHtml(
@@ -4307,6 +4769,42 @@ function normalizeJobIdFromPath(pathname, suffix = '') {
   return match ? decodeURIComponent(match[1]) : null;
 }
 
+function escapeHtml(value) {
+  return String(value)
+    .replaceAll('&', '&amp;')
+    .replaceAll('<', '&lt;')
+    .replaceAll('>', '&gt;')
+    .replaceAll('"', '&quot;')
+    .replaceAll("'", '&#39;');
+}
+
+function escapeHtmlUnsafeJsonString(value) {
+  return String(value)
+    .replaceAll('<', String.raw`\u003c`)
+    .replaceAll('>', String.raw`\u003e`)
+    .replaceAll('&', String.raw`\u0026`)
+    .replaceAll('\u2028', String.raw`\u2028`)
+    .replaceAll('\u2029', String.raw`\u2029`);
+}
+
+function sanitizeHtmlUnsafeJsonValue(value) {
+  if (typeof value === 'string') {
+    return escapeHtmlUnsafeJsonString(value);
+  }
+  if (Array.isArray(value)) {
+    return value.map((entry) => sanitizeHtmlUnsafeJsonValue(entry));
+  }
+  if (!value || typeof value !== 'object') {
+    return value;
+  }
+  return Object.fromEntries(
+    Object.entries(value).map(([key, entry]) => [
+      escapeHtmlUnsafeJsonString(key),
+      sanitizeHtmlUnsafeJsonValue(entry),
+    ])
+  );
+}
+
 function normalizeDocumentIdFromPath(pathname) {
   const match = pathname.match(/^\/v1\/documents\/([^/]+)$/);
   return match ? decodeURIComponent(match[1]) : null;
@@ -5078,12 +5576,40 @@ async function addContext(){
       return;
     }
 
+    if (isGetLikeRequest && (pathname === '/about' || pathname === '/about.html')) {
+      try {
+        servePublicMarketingPage({
+          req,
+          res,
+          parsed,
+          hostedConfig,
+          isHeadRequest,
+          renderHtml: loadAboutPageHtml,
+          extraTelemetry: {
+            pageType: 'about',
+          },
+        });
+      } catch (err) {
+        sendText(res, 500, err.message || 'About page unavailable');
+      }
+      return;
+    }
+
     if (isGetLikeRequest && (pathname === '/guide' || pathname === '/guide.html')) {
       try {
-        const html = fs.readFileSync(GUIDE_PAGE_PATH, 'utf-8');
-        sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
-      } catch {
-        sendJson(res, 404, { error: 'Guide page not found' });
+        servePublicMarketingPage({
+          req,
+          res,
+          parsed,
+          hostedConfig,
+          isHeadRequest,
+          renderHtml: loadGuidePageHtml,
+          extraTelemetry: {
+            pageType: 'guide',
+          },
+        });
+      } catch (err) {
+        sendText(res, 500, err.message || 'Guide page unavailable');
       }
       return;
     }
@@ -5143,10 +5669,19 @@ async function addContext(){
 
     if (isGetLikeRequest && (pathname === '/learn' || pathname === '/learn.html')) {
       try {
-        const html = fs.readFileSync(LEARN_PAGE_PATH, 'utf-8');
-        sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
-      } catch {
-        sendJson(res, 404, { error: 'Learn page not found' });
+        servePublicMarketingPage({
+          req,
+          res,
+          parsed,
+          hostedConfig,
+          isHeadRequest,
+          renderHtml: loadLearnPageHtml,
+          extraTelemetry: {
+            pageType: 'learn',
+          },
+        });
+      } catch (err) {
+        sendText(res, 500, err.message || 'Learn page unavailable');
       }
       return;
     }
@@ -5337,13 +5872,13 @@ async function addContext(){
 
     if (isGetLikeRequest && pathname.startsWith('/learn/')) {
       try {
-        const slug = normalizePublicPageSlug(pathname.replace('/learn/', ''));
-        const articlePath = path.join(LEARN_DIR, `${slug}.html`);
-        if (!articlePath.startsWith(LEARN_DIR)) {
-          sendJson(res, 403, { error: 'Forbidden' });
+        const articlePath = resolvePublicHtmlFile(LEARN_PAGE_PATHS_BY_SLUG, pathname.replace('/learn/', ''));
+        if (!articlePath) {
+          sendJson(res, 404, { error: 'Article not found' });
           return;
         }
-        const html = fs.readFileSync(articlePath, 'utf-8');
+        const requestHost = getSafePublicRequestHost(req);
+        const html = normalizePublicMarketingHtml(fs.readFileSync(articlePath, 'utf-8'), hostedConfig, requestHost);
         sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
       } catch {
         sendJson(res, 404, { error: 'Article not found' });
@@ -5353,10 +5888,10 @@ async function addContext(){
 
     if (isGetLikeRequest && pathname.startsWith('/guides/')) {
       try {
-        const slug = normalizePublicPageSlug(pathname.replace('/guides/', ''));
-        const guidePath = path.join(GUIDES_DIR, `${slug}.html`);
-        if (!guidePath.startsWith(GUIDES_DIR)) { sendJson(res, 403, { error: 'Forbidden' }); return; }
-        const html = fs.readFileSync(guidePath, 'utf-8');
+        const guidePath = resolvePublicHtmlFile(GUIDE_PAGE_PATHS_BY_SLUG, pathname.replace('/guides/', ''));
+        if (!guidePath) { sendJson(res, 404, { error: 'Guide not found' }); return; }
+        const requestHost = getSafePublicRequestHost(req);
+        const html = normalizePublicMarketingHtml(fs.readFileSync(guidePath, 'utf-8'), hostedConfig, requestHost);
         sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
       } catch { sendJson(res, 404, { error: 'Guide not found' }); }
       return;
@@ -5364,10 +5899,10 @@ async function addContext(){
 
     if (isGetLikeRequest && pathname.startsWith('/compare/') && pathname !== '/compare') {
       try {
-        const slug = normalizePublicPageSlug(pathname.replace('/compare/', ''));
-        const comparePath = path.join(COMPARE_DIR, `${slug}.html`);
-        if (!comparePath.startsWith(COMPARE_DIR)) { sendJson(res, 403, { error: 'Forbidden' }); return; }
-        const html = fs.readFileSync(comparePath, 'utf-8');
+        const comparePath = resolvePublicHtmlFile(COMPARE_PAGE_PATHS_BY_SLUG, pathname.replace('/compare/', ''));
+        if (!comparePath) { sendJson(res, 404, { error: 'Comparison not found' }); return; }
+        const requestHost = getSafePublicRequestHost(req);
+        const html = normalizePublicMarketingHtml(fs.readFileSync(comparePath, 'utf-8'), hostedConfig, requestHost);
         sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
       } catch { sendJson(res, 404, { error: 'Comparison not found' }); }
       return;
@@ -5375,10 +5910,10 @@ async function addContext(){
 
     if (isGetLikeRequest && pathname.startsWith('/use-cases/')) {
       try {
-        const slug = normalizePublicPageSlug(pathname.replace('/use-cases/', ''));
-        const useCasePath = path.join(USE_CASES_DIR, `${slug}.html`);
-        if (!useCasePath.startsWith(USE_CASES_DIR)) { sendJson(res, 403, { error: 'Forbidden' }); return; }
-        const html = fs.readFileSync(useCasePath, 'utf-8');
+        const useCasePath = resolvePublicHtmlFile(USE_CASE_PAGE_PATHS_BY_SLUG, pathname.replace('/use-cases/', ''));
+        if (!useCasePath) { sendJson(res, 404, { error: 'Use case not found' }); return; }
+        const requestHost = getSafePublicRequestHost(req);
+        const html = normalizePublicMarketingHtml(fs.readFileSync(useCasePath, 'utf-8'), hostedConfig, requestHost);
         sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
       } catch { sendJson(res, 404, { error: 'Use case not found' }); }
       return;
@@ -5395,6 +5930,18 @@ async function addContext(){
       return;
     }
 
+    if (isGetLikeRequest && pathname.startsWith('/media/')) {
+      const rel = pathname.slice('/media/'.length);
+      const mediaDir = path.join(PUBLIC_DIR, 'media');
+      const resolved = path.resolve(mediaDir, rel);
+      if (!resolved.startsWith(mediaDir + path.sep) && resolved !== mediaDir) {
+        sendJson(res, 403, { error: 'Forbidden' });
+        return;
+      }
+      serveStaticFile(res, resolved, { headOnly: isHeadRequest });
+      return;
+    }
+
     if (isGetLikeRequest && (
       pathname === '/favicon.ico'
       || pathname === '/thumbgate-logo.png'
@@ -5476,8 +6023,70 @@ async function addContext(){
       // because no real crawler appends customer_email to discovered URLs.
       const hasCustomerEmailHint = !!parsed?.searchParams?.has('customer_email');
       const botShouldBypass = !botClassification.isBot || hasCustomerEmailHint;
-      const isConfirmedCheckout = req.method === 'POST'
+      // 2026-06-04 audit: after the POST-401 fix, 3 of 4 fresh /checkout/pro
+      // sessions had customer_email=null in Stripe (zombie sessions with no
+      // recovery surface). Root cause: POSTs were auto-confirmed regardless of
+      // whether the email query param was present. Require email on POSTs too
+      // so emails-less POSTs fall through to the interstitial form instead of
+      // creating an un-recoverable Stripe session.
+      const isConfirmedCheckout = (req.method === 'POST' && hasCustomerEmailHint)
         || (hasConfirmFlag && botShouldBypass);
+      // 2026-06-05 revenue bypass: env-gated direct-to-Stripe redirect.
+      // Live 30d billing showed 254 interstitial views → 1 Stripe click-through
+      // → 0 paid. When THUMBGATE_CHECKOUT_INTERSTITIAL_BYPASS=1 is set we
+      // route raw /checkout/pro GETs (no confirm=1, no POST) straight to the
+      // pro Stripe Payment Link, preserving UTM + attribution metadata via
+      // buildCheckoutFallbackUrl. Default-off; bot-deflection still applies
+      // (bot + no email hint still falls through to the existing interstitial).
+      const interstitialBypassEnabled = process.env.THUMBGATE_CHECKOUT_INTERSTITIAL_BYPASS === '1';
+      const interstitialSampleRate = normalizeCheckoutInterstitialSampleRate(
+        process.env.THUMBGATE_CHECKOUT_INTERSTITIAL_SAMPLE_RATE
+      );
+      const interstitialSampled = shouldSampleCheckoutInterstitial({
+        sampleRate: interstitialSampleRate,
+        traceId,
+        analyticsMetadata,
+      });
+      if (
+        !isConfirmedCheckout
+        && interstitialBypassEnabled
+        && req.method !== 'POST'
+        && botShouldBypass
+        && !interstitialSampled
+      ) {
+        // Always target the pro Stripe Payment Link directly. The
+        // hostedConfig.checkoutFallbackUrl (e.g. https://thumbgate.ai/go/pro)
+        // is a router that 302s back to /checkout/pro, which would create a
+        // redirect loop when bypass is on. Env override via
+        // THUMBGATE_CHECKOUT_PRO_STRIPE_URL is supported for future
+        // price-link rotation without a redeploy.
+        const bypassTarget = process.env.THUMBGATE_CHECKOUT_PRO_STRIPE_URL
+          || FIRST_FAILURE_RULE_CHECKOUT_URL;
+        appendBestEffortTelemetry(FEEDBACK_DIR, {
+          eventType: 'checkout_interstitial_bypass_redirect',
+          clientType: 'web',
+          traceId,
+          acquisitionId: analyticsMetadata.acquisitionId,
+          visitorId: analyticsMetadata.visitorId,
+          sessionId: analyticsMetadata.sessionId,
+          utmSource: analyticsMetadata.utmSource,
+          utmMedium: analyticsMetadata.utmMedium,
+          utmCampaign: analyticsMetadata.utmCampaign,
+          utmContent: analyticsMetadata.utmContent,
+          utmTerm: analyticsMetadata.utmTerm,
+          referrer: analyticsMetadata.referrer,
+          referrerHost: analyticsMetadata.referrerHost,
+          page: '/checkout/pro',
+          planId: analyticsMetadata.planId,
+          interstitialSampleRate,
+        }, req.headers, 'checkout_interstitial_bypass_redirect');
+        res.writeHead(302, {
+          ...responseHeaders,
+          Location: buildCheckoutFallbackUrl(bypassTarget, analyticsMetadata),
+        });
+        res.end();
+        return;
+      }
       // Plausible funnel event #1 of 3: page view. Fired before interstitial
       // deflection so we get the full top-of-funnel count, with isBot as a
       // prop so the dashboard can filter human vs. crawler traffic. Fire-and-forget.
@@ -5536,10 +6145,14 @@ async function addContext(){
           billingCycle: analyticsMetadata.billingCycle,
           landingPath: analyticsMetadata.landingPath,
           isBot: botClassification.isBot ? 'true' : 'false',
+          interstitialSampled: interstitialSampled ? 'true' : 'false',
+          interstitialSampleRate,
           reason: botClassification.reason,
         }, req.headers, eventType);
         const prefilledEmail = parsed?.searchParams?.get('customer_email') || '';
-        const html = renderCheckoutIntentPage(prefilledEmail);
+        const html = renderCheckoutIntentPage(prefilledEmail, parsed, {
+          includeHiddenAttribution: !botClassification.isBot,
+        });
         sendHtml(res, 200, html, responseHeaders);
         return;
       }
@@ -5802,12 +6415,13 @@ async function addContext(){
       // Public-facing broker lead-flow audit landing page. Wedge for the
       // real-estate broker outreach. Static HTML served from src/api/static.
       try {
+        const host = getSafePublicRequestHost(req);
         const html = normalizePublicMarketingHtml(fillTemplate(fs.readFileSync(
           path.resolve(__dirname, '../../assets/static/broker-audit.html'),
           'utf8'
         ), {
           '__POSTHOG_API_KEY__': hostedConfig.posthogApiKey || '',
-        }), hostedConfig);
+        }), hostedConfig, host);
         if (isHeadRequest) {
           sendHtml(res, 200, html, {}, { headOnly: true });
           return;
@@ -5859,9 +6473,9 @@ async function addContext(){
     // Authorization endpoint: GET renders consent, POST issues the code.
     if (pathname === '/oauth/authorize') {
       if (isGetLikeRequest) {
-        const q = parsed.searchParams;
-        const fields = ['client_id', 'redirect_uri', 'code_challenge', 'code_challenge_method', 'scope', 'state', 'resource'];
-        const hidden = fields.map((f) => `<input type="hidden" name="${f}" value="${escapeHtmlAttribute(q.get(f) || '')}">`).join('\n');
+        const authRequestToken = createPendingOauthAuthorizeRequest(
+          getOauthAuthorizeParamsFromQuery(parsed.searchParams)
+        );
         const html = `<!doctype html><html><head><meta charset="utf-8"><title>Authorize ThumbGate</title>
 <style>body{font:15px system-ui;margin:0;background:#0b0b0c;color:#eee;display:flex;min-height:100vh;align-items:center;justify-content:center}
 .card{background:#161618;border:1px solid #2a2a2e;border-radius:12px;padding:28px;max-width:420px}
@@ -5870,7 +6484,7 @@ button{width:100%;padding:11px;border-radius:8px;border:0;background:#10b981;col
 a{color:#8b9}</style></head><body><form class="card" method="post" action="/oauth/authorize">
 <h2>Authorize Claude → ThumbGate</h2>
 <p>Paste your ThumbGate API key to let this connector act as you. Get one with <code>npx thumbgate init</code> or from your <a href="/dashboard">dashboard</a>.</p>
-${hidden}
+<input type="hidden" name="auth_request_token" value="${escapeHtmlAttribute(authRequestToken)}">
 <input type="password" name="api_key" placeholder="ThumbGate API key" autocomplete="off" required>
 <button type="submit" name="approve" value="yes">Approve</button>
 </form></body></html>`;
@@ -5882,8 +6496,9 @@ ${hidden}
         req.on('data', (c) => { body += c; if (body.length > 16384) req.destroy(); });
         req.on('end', () => {
           const form = new URLSearchParams(body);
-          const redirectUri = form.get('redirect_uri') || '';
-          const state = form.get('state') || '';
+          const authorizationParams = getOauthAuthorizeParamsFromForm(form, hostedConfig);
+          const redirectUri = authorizationParams.redirectUri;
+          const state = authorizationParams.state;
           // Validate the presented ThumbGate key before issuing a code. When keys
           // are configured (production) the key MUST match a configured admin /
           // operator / reviewer key — otherwise OAuth would authenticate nobody.
@@ -5893,12 +6508,12 @@ ${hidden}
             return;
           }
           const issued = mcpOauth.createAuthorizationCode(oauthStore, {
-            clientId: form.get('client_id') || '',
+            clientId: authorizationParams.clientId,
             redirectUri,
-            codeChallenge: form.get('code_challenge') || '',
-            codeChallengeMethod: form.get('code_challenge_method') || '',
-            scope: form.get('scope') || undefined,
-            resource: form.get('resource') || buildPublicUrl(hostedConfig, '/mcp'),
+            codeChallenge: authorizationParams.codeChallenge,
+            codeChallengeMethod: authorizationParams.codeChallengeMethod,
+            scope: authorizationParams.scope,
+            resource: authorizationParams.resource || buildPublicUrl(hostedConfig, '/mcp'),
             boundKey: form.get('api_key') || '',
             state,
           });
@@ -7303,7 +7918,9 @@ ${hidden}
 
     try {
       if (req.method === 'GET' && pathname === '/v1/feedback/stats') {
-        const stats = analyzeFeedback(requestFeedbackPaths.FEEDBACK_LOG_PATH);
+        const stats = shouldAggregateFeedback()
+          ? computeAggregateFeedbackStats({ feedbackDir: requestFeedbackPaths.FEEDBACK_DIR })
+          : analyzeFeedback(requestFeedbackPaths.FEEDBACK_LOG_PATH);
         try {
           const { getStatuslineMeta } = require('../../scripts/statusline-meta');
           const meta = getStatuslineMeta({ env: process.env });
@@ -7335,6 +7952,9 @@ ${hidden}
           stats.geminiKeyStatus = 'validated';
         }
         stats.hybridInferenceAvailable = !!(stats.geminiConfigured || stats.perplexityConfigured);
+        stats.localLlmConfigured = Boolean(process.env.THUMBGATE_LOCAL_LLM_ENDPOINT);
+        stats.localLlmEndpoint = process.env.THUMBGATE_LOCAL_LLM_ENDPOINT || null;
+        stats.localLlmModel = process.env.THUMBGATE_LOCAL_LLM_MODEL || null;
         sendJson(res, 200, stats);
         return;
       }
@@ -7930,11 +8550,13 @@ ${hidden}
         const signal = parsed.searchParams.get('signal') || null;
         let results;
         try {
+          const requestFeedbackPaths = getRequestFeedbackPaths(req, parsed);
           results = searchThumbgate({
             query,
             limit: Number.isFinite(limit) ? limit : 10,
             source,
             signal,
+            feedbackDir: requestFeedbackPaths.FEEDBACK_DIR,
           });
         } catch (err) {
           throw createHttpError(400, err.message || 'Invalid ThumbGate search request');
@@ -7952,11 +8574,13 @@ ${hidden}
         const body = await parseJsonBody(req);
         let results;
         try {
+          const requestFeedbackPaths = getRequestFeedbackPaths(req, parsed);
           results = searchThumbgate({
             query: body.query || body.q || '',
             limit: body.limit,
             source: body.source,
             signal: body.signal,
+            feedbackDir: requestFeedbackPaths.FEEDBACK_DIR,
           });
         } catch (err) {
           throw createHttpError(400, err.message || 'Invalid ThumbGate search request');
@@ -7982,11 +8606,14 @@ ${hidden}
       {
         const documentId = normalizeDocumentIdFromPath(pathname);
         if (req.method === 'GET' && documentId) {
+          if (!/^[a-zA-Z0-9-_]+$/.test(documentId)) {
+            throw createHttpError(400, 'Invalid document ID format');
+          }
           const document = readImportedDocument(documentId, {
             feedbackDir: requestFeedbackDir,
           });
           if (!document) {
-            throw createHttpError(404, `Imported document not found: ${documentId}`);
+            throw createHttpError(404, `Imported document not found: ${escapeHtml(documentId)}`);
           }
           sendJson(res, 200, { document });
           return;
@@ -9082,6 +9709,8 @@ module.exports = {
     buildEnterpriseChatAnswer,
     answerEnterpriseDataChat,
     answerEnterpriseDialogflowChat,
+    buildLossAnalyticsResponse,
+    sanitizeHtmlUnsafeJsonValue,
   },
 };