thumbgate 1.27.7 → 1.27.9

package/src/api/server.js

@@ -3,7 +3,6 @@ const http = require('http');
 const https = require('https');
 const fs = require('fs');
 const path = require('path');
-const crypto = require('node:crypto');
 const { EventEmitter } = require('node:events');
 const pkg = require('../../package.json');
 const {
@@ -216,8 +215,6 @@ const mcpOauth = require('../../scripts/mcp-oauth');
 // OAuth 2.1 (PKCE) authorization-server state for the remote MCP connector
 // (Claude Connectors Directory requires OAuth for authenticated services).
 const oauthStore = mcpOauth.createStore();
-const pendingOauthAuthorizeRequests = new Map();
-const OAUTH_AUTHORIZE_REQUEST_TTL_MS = 10 * 60 * 1000;
 const resendMailer = require('../../scripts/mailer/resend-mailer');
 const {
   buildContextFootprintReport,
@@ -247,10 +244,6 @@ const COMPARE_DIR = path.resolve(__dirname, '../../public/compare');
 const USE_CASES_DIR = path.resolve(__dirname, '../../public/use-cases');
 const PUBLIC_DIR = path.resolve(__dirname, '../../public');
 const PUBLIC_ASSETS_DIR = path.resolve(__dirname, '../../public/assets');
-const LEARN_PAGE_PATHS_BY_SLUG = buildPublicHtmlFileMap(LEARN_DIR);
-const GUIDE_PAGE_PATHS_BY_SLUG = buildPublicHtmlFileMap(GUIDES_DIR);
-const COMPARE_PAGE_PATHS_BY_SLUG = buildPublicHtmlFileMap(COMPARE_DIR);
-const USE_CASE_PAGE_PATHS_BY_SLUG = buildPublicHtmlFileMap(USE_CASES_DIR);
 const BUYER_INTENT_SCRIPT_PATH = path.resolve(__dirname, '../../public/js/buyer-intent.js');
 const STATIC_MIME_BY_EXT = Object.freeze({
   '.png': 'image/png',
@@ -467,36 +460,6 @@ const TRACKED_LINK_TARGETS = Object.freeze({
     },
     allowCustomerEmail: true,
   },
-  diagnostic: {
-    configUrlKey: 'sprintDiagnosticCheckoutUrl',
-    fallbackHref: SPRINT_DIAGNOSTIC_CHECKOUT_URL,
-    external: true,
-    ctaId: 'go_diagnostic',
-    ctaPlacement: 'link_router',
-    eventType: 'cta_click',
-    defaults: {
-      utm_source: 'website',
-      utm_medium: 'link_router',
-      utm_campaign: 'sprint_diagnostic',
-      plan_id: 'sprint_diagnostic',
-    },
-    allowCustomerEmail: true,
-  },
-  sprint: {
-    configUrlKey: 'workflowSprintCheckoutUrl',
-    fallbackHref: WORKFLOW_SPRINT_CHECKOUT_URL,
-    external: true,
-    ctaId: 'go_sprint',
-    ctaPlacement: 'link_router',
-    eventType: 'cta_click',
-    defaults: {
-      utm_source: 'website',
-      utm_medium: 'link_router',
-      utm_campaign: 'workflow_sprint',
-      plan_id: 'workflow_sprint',
-    },
-    allowCustomerEmail: true,
-  },
   trial: {
     path: '/guide',
     ctaId: 'go_trial',
@@ -1717,8 +1680,6 @@ const FEEDBACK_LIST_LABELS = Object.freeze({
   positive: 'Recent wins',
 });
 
-const FEEDBACK_OMITTED_TAGS = Object.freeze(['audit-trail', 'auto-capture']);
-
 function formatChatTimestamp(isoString) {
   if (!isoString) return 'unknown time';
   try {
@@ -1737,33 +1698,9 @@ function formatChatTimestamp(isoString) {
   }
 }
 
-function buildFeedbackEntries(windowed, signal) {
-  return (signal ? windowed.filter((r) => r.signal === signal) : windowed)
-    .filter((r) => r.context && !isPlaceholder(r.context))
-    .slice(0, 5);
-}
-
-function formatFeedbackEntry(entry) {
-  const tsFormatted = formatChatTimestamp(entry.timestamp);
-  const signalLabel = entry.signal ? ` [${entry.signal}]` : '';
-  const tagsList = Array.isArray(entry.tags)
-    ? entry.tags.filter((tag) => !FEEDBACK_OMITTED_TAGS.includes(tag))
-    : [];
-  const tagsStr = tagsList.length ? ` (${tagsList.join(', ')})` : '';
-  return `  • ${tsFormatted}${signalLabel}${tagsStr} — ${entry.context}`;
-}
-
-function appendFeedbackListLines(lines, { entries, signal, intent }) {
-  if (!entries.length) {
-    lines.push(`No ${signal || 'feedback'} entries found ${intent.windowLabel}.`);
-    return;
-  }
-  lines.push(`${FEEDBACK_LIST_LABELS[signal] || 'Recent feedback'} (${intent.windowLabel}):`);
-  lines.push(...entries.map(formatFeedbackEntry));
-}
-
 function buildFeedbackSection({ ctx, intent, feedbackDir, approval, lessonPipeline }) {
   const signal = detectFeedbackSignalFromPrompt(ctx.prompt);
+
   // One read of the time-windowed log, then in-memory counts + (signal-filtered,
   // placeholder-stripped) list. Counts include ALL entries (so "Feedback today: 5"
   // matches the dashboard tile); the list drops vague entries like literal "thumbs
@@ -1771,16 +1708,30 @@ function buildFeedbackSection({ ctx, intent, feedbackDir, approval, lessonPipeli
   const windowed = readRecentFeedbackEntries(feedbackDir, null, intent.windowMs, 10000, { includeSignal: true });
   const windowPos = windowed.filter((r) => r.signal === 'positive').length;
   const windowNeg = windowed.filter((r) => r.signal === 'negative').length;
-  const entries = buildFeedbackEntries(windowed, signal);
+  const entries = (signal ? windowed.filter((r) => r.signal === signal) : windowed)
+    .filter((r) => r.context && !isPlaceholder(r.context))
+    .slice(0, 5);
 
-  const lines = [
-    intent.windowMs
+  const lines = [];
+  lines.push(intent.windowMs
     ? `Feedback ${intent.windowLabel}: ${windowed.length} (${windowPos} positive, ${windowNeg} negative).`
-    : `Feedback total: ${compactNumber(approval.total)} (${compactNumber(approval.positive)} positive, ${compactNumber(approval.negative)} negative).`,
-  ];
+    : `Feedback total: ${compactNumber(approval.total)} (${compactNumber(approval.positive)} positive, ${compactNumber(approval.negative)} negative).`);
 
   if (intent.wantsList) {
-    appendFeedbackListLines(lines, { entries, signal, intent });
+    if (entries.length) {
+      lines.push(`${FEEDBACK_LIST_LABELS[signal] || 'Recent feedback'} (${intent.windowLabel}):`);
+      for (const e of entries) {
+        const tsFormatted = formatChatTimestamp(e.timestamp);
+        const signalLabel = e.signal ? ` [${e.signal}]` : '';
+        const tagsList = Array.isArray(e.tags)
+          ? e.tags.filter(t => !['audit-trail', 'auto-capture'].includes(t))
+          : [];
+        const tagsStr = tagsList.length ? ` (${tagsList.join(', ')})` : '';
+        lines.push(`  • ${tsFormatted}${signalLabel}${tagsStr} — ${e.context}`);
+      }
+    } else {
+      lines.push(`No ${signal || 'feedback'} entries found ${intent.windowLabel}.`);
+    }
   } else {
     lines.push(`Lesson pipeline: ${compactNumber(lessonPipeline.lessons || lessonPipeline.generated || 0)} lessons visible in the current dashboard snapshot.`);
   }
@@ -1988,7 +1939,7 @@ async function answerEnterpriseDataChat({ prompt, feedbackDir, parsed }) {
 const answerEnterpriseDialogflowChat = answerEnterpriseDataChat;
 
 function buildLossAnalyticsResponse(data, summaryOptions) {
-  return sanitizeHtmlUnsafeJsonValue({
+  return {
     window: data.analytics.window || summaryOptions,
     lossAnalysis: data.analytics.lossAnalysis || null,
     buyerLoss: data.analytics.buyerLoss || null,
@@ -2000,7 +1951,7 @@ function buildLossAnalyticsResponse(data, summaryOptions) {
       ctas: data.analytics.telemetry && data.analytics.telemetry.ctas,
       visitors: data.analytics.telemetry && data.analytics.telemetry.visitors,
     },
-  });
+  };
 }
 
 function createJourneyId(prefix) {
@@ -2103,111 +2054,17 @@ function buildCheckoutIntentHref(baseUrl, metadata = {}, overrides = {}) {
   });
 }
 
-const CHECKOUT_HIDDEN_ATTRIBUTION_KEYS = Object.freeze([
-  'trace_id',
-  'acquisition_id',
-  'visitor_id',
-  'session_id',
-  'visitor_session_id',
-  'install_id',
-  'utm_source',
-  'utm_medium',
-  'utm_campaign',
-  'utm_content',
-  'utm_term',
-  'creator',
-  'community',
-  'post_id',
-  'comment_id',
-  'campaign_variant',
-  'offer_code',
-  'cta_id',
-  'cta_placement',
-  'plan_id',
-  'billing_cycle',
-  'seat_count',
-  'landing_path',
-  'referrer_host',
-]);
-
-function normalizeHiddenAttributionValue(value) {
-  const normalized = normalizeNullableText(value);
-  if (!normalized) return '';
-  return normalized.slice(0, 512);
-}
-
-function buildCheckoutHiddenAttributionInputs(parsed = null) {
-  if (!parsed?.searchParams) return '';
-
-  const inputs = [];
-  for (const key of CHECKOUT_HIDDEN_ATTRIBUTION_KEYS) {
-    const value = normalizeHiddenAttributionValue(parsed.searchParams.get(key));
-    if (value) {
-      inputs.push(`<input type="hidden" name="${key}" value="${escapeHtmlAttribute(value)}">`);
-    }
-  }
-  return inputs.join('');
-}
-
-function prunePendingOauthAuthorizeRequests(now = Date.now()) {
-  for (const [token, entry] of pendingOauthAuthorizeRequests.entries()) {
-    if (!entry || entry.expiresAt <= now) {
-      pendingOauthAuthorizeRequests.delete(token);
-    }
-  }
-}
-
-function createPendingOauthAuthorizeRequest(params, now = Date.now()) {
-  prunePendingOauthAuthorizeRequests(now);
-  const token = crypto.randomBytes(32).toString('base64url');
-  pendingOauthAuthorizeRequests.set(token, {
-    params,
-    expiresAt: now + OAUTH_AUTHORIZE_REQUEST_TTL_MS,
-  });
-  return token;
-}
-
-function consumePendingOauthAuthorizeRequest(token, now = Date.now()) {
-  if (!token) return null;
-  prunePendingOauthAuthorizeRequests(now);
-  const entry = pendingOauthAuthorizeRequests.get(token);
-  if (!entry) return null;
-  pendingOauthAuthorizeRequests.delete(token);
-  return entry.params;
-}
-
-function getOauthAuthorizeParamsFromQuery(searchParams) {
-  return {
-    clientId: searchParams.get('client_id') || '',
-    redirectUri: searchParams.get('redirect_uri') || '',
-    codeChallenge: searchParams.get('code_challenge') || '',
-    codeChallengeMethod: searchParams.get('code_challenge_method') || '',
-    scope: searchParams.get('scope') || undefined,
-    state: searchParams.get('state') || '',
-    resource: searchParams.get('resource') || '',
-  };
-}
-
-function getOauthAuthorizeParamsFromForm(form, hostedConfig) {
-  const pending = consumePendingOauthAuthorizeRequest(form.get('auth_request_token') || '');
-  if (pending) return pending;
-  return {
-    clientId: form.get('client_id') || '',
-    redirectUri: form.get('redirect_uri') || '',
-    codeChallenge: form.get('code_challenge') || '',
-    codeChallengeMethod: form.get('code_challenge_method') || '',
-    scope: form.get('scope') || undefined,
-    state: form.get('state') || '',
-    resource: form.get('resource') || buildPublicUrl(hostedConfig, '/mcp'),
-  };
-}
-
 function renderCheckoutIntentPage(prefilledEmail = '', parsed = null, options = {}) {
   const plausibleDomain = escapeHtmlAttribute(resolvePlausibleDataDomain({ host: 'thumbgate.ai' }));
   const includeHiddenAttribution = options.includeHiddenAttribution === true;
-  const hiddenInputs = includeHiddenAttribution
-    ? buildCheckoutHiddenAttributionInputs(parsed)
-    : '';
+  let hiddenInputs = '';
+  if (includeHiddenAttribution && parsed?.searchParams) {
+    for (const [key, value] of parsed.searchParams.entries()) {
+      if (key !== 'confirm' && key !== 'customer_email') {
+        hiddenInputs += `<input type="hidden" name="${escapeHtmlAttribute(key)}" value="${escapeHtmlAttribute(value)}">`;
+      }
+    }
+  }
   return `<!doctype html>
 <html lang="en">
 <head>
@@ -2405,6 +2262,17 @@ function normalizeCheckoutCustomerEmail(value) {
   return email;
 }
 
+function renderCheckoutIntentGate(parsed, responseHeaders = {}) {
+  let hiddenInputs = '';
+  for (const [key, value] of parsed.searchParams.entries()) {
+    if (key !== 'confirm' && key !== 'customer_email') hiddenInputs += `<input type=hidden name=${escapeHtmlAttribute(key)} value=${escapeHtmlAttribute(value)}>`;
+  }
+  return {
+    html: `<!doctype html><h1>Email for Stripe receipt</h1><form action=/checkout/pro>${hiddenInputs}<input type=hidden name=confirm value=1><input name=customer_email type=email required><button>Continue</button></form>`,
+    headers: responseHeaders,
+  };
+}
+
 function normalizeTrackedLinkSlug(value) {
   return String(value || '').trim().toLowerCase().replace(/[^a-z0-9-]/g, '');
 }
@@ -2415,27 +2283,6 @@ function normalizePublicPageSlug(value) {
     .replace(/[^a-z0-9-]/g, '');
 }
 
-function buildPublicHtmlFileMap(directory) {
-  const entries = new Map();
-  try {
-    for (const fileName of fs.readdirSync(directory)) {
-      if (!/^[a-z0-9-]+\.html$/i.test(fileName)) continue;
-      const slug = normalizePublicPageSlug(fileName);
-      if (!slug) continue;
-      entries.set(slug, path.join(directory, fileName));
-    }
-  } catch (error) {
-    if (error?.code !== 'ENOENT') throw error;
-  }
-  return entries;
-}
-
-function resolvePublicHtmlFile(publicPageMap, rawSlug) {
-  const slug = normalizePublicPageSlug(rawSlug);
-  if (!slug) return null;
-  return publicPageMap.get(slug) || null;
-}
-
 function getTrackedLinkTarget(slug) {
   const normalizedSlug = normalizeTrackedLinkSlug(slug);
   return TRACKED_LINK_TARGETS[normalizedSlug]
@@ -2471,10 +2318,8 @@ function appendTrackedLinkQueryParams(destinationUrl, parsed, target) {
 }
 
 function buildTrackedLinkDestination(target, hostedConfig, parsed) {
-  const configuredHref = target.configUrlKey ? hostedConfig[target.configUrlKey] : null;
-  const href = target.href || configuredHref || target.fallbackHref;
-  const destinationUrl = href
-    ? new URL(href)
+  const destinationUrl = target.href
+    ? new URL(target.href)
     : new URL(target.path || '/', hostedConfig.appOrigin);
   appendTrackedLinkQueryParams(destinationUrl, parsed, target);
   return destinationUrl;
@@ -2601,7 +2446,6 @@ function sendJson(res, statusCode, payload, extraHeaders = {}, options = {}) {
   const body = JSON.stringify(payload);
   res.writeHead(statusCode, {
     'Content-Type': 'application/json; charset=utf-8',
-    'X-Content-Type-Options': 'nosniff',
     'Content-Length': Buffer.byteLength(body),
     ...extraHeaders,
   });
@@ -2695,9 +2539,8 @@ function chatgptActionEventType(integration, suffix) {
 }
 
 function getPublicOrigin(req) {
-  const rawProto = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase();
-  const proto = rawProto === 'https' ? 'https' : 'http';
-  const host = getSafePublicRequestHost(req) || 'localhost';
+  const proto = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim() || 'http';
+  const host = String(req.headers['x-forwarded-host'] || req.headers.host || '').split(',')[0].trim() || 'localhost';
   return `${proto}://${host}`;
 }
 
@@ -2716,47 +2559,6 @@ function getRequestHostHeader(req) {
   return forwardedHost || req.headers.host || '';
 }
 
-function normalizePublicRequestHost(value) {
-  const rawHost = String(value || '').split(',')[0].trim().toLowerCase();
-  if (!rawHost || rawHost.length > 253) return '';
-
-  const hostWithoutPort = rawHost.startsWith('[')
-    ? rawHost.slice(1).split(']')[0]
-    : rawHost.split(':')[0];
-  const port = rawHost.startsWith('[')
-    ? rawHost.split(']:')[1] || ''
-    : rawHost.split(':')[1] || '';
-
-  if (!isAllowedPublicHostName(hostWithoutPort)) {
-    return '';
-  }
-  if (port && !/^\d{1,5}$/.test(port)) return '';
-  if (port && Number(port) > 65535) return '';
-  return port ? `${hostWithoutPort}:${port}` : hostWithoutPort;
-}
-
-function isAllowedPublicHostName(hostname) {
-  return hostname === 'localhost'
-    || hostname === '::1'
-    || isIpv4Host(hostname)
-    || isDnsHostName(hostname);
-}
-
-function isIpv4Host(hostname) {
-  const parts = hostname.split('.');
-  return parts.length === 4 && parts.every((part) => /^\d{1,3}$/.test(part));
-}
-
-function isDnsHostName(hostname) {
-  return hostname
-    .split('.')
-    .every((label) => /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/.test(label));
-}
-
-function getSafePublicRequestHost(req) {
-  return normalizePublicRequestHost(getRequestHostHeader(req));
-}
-
 function isLoopbackHost(hostValue) {
   const rawHost = String(hostValue || '').split(',')[0].trim();
   if (!rawHost) {
@@ -2811,7 +2613,7 @@ function normalizePublicMarketingHtml(html, runtimeConfig, requestHost) {
   let output = String(html);
   output = output.replaceAll(DEFAULT_PUBLIC_APP_ORIGIN, appOrigin);
   try {
-    const host = normalizePublicRequestHost(requestHost) || new URL(appOrigin).host;
+    const host = requestHost || new URL(appOrigin).host;
     const plausibleDomain = resolvePlausibleDataDomain({ host });
     output = output.replaceAll(
       'data-domain="thumbgate-production.up.railway.app"',
@@ -2852,8 +2654,13 @@ function loadPublicMarketingTemplateHtml(templatePath, runtimeConfig, pageContex
     '__PRO_PRICE_LABEL__': runtimeConfig.proPriceLabel,
     '__SPRINT_DIAGNOSTIC_CHECKOUT_URL__': runtimeConfig.sprintDiagnosticCheckoutUrl || SPRINT_DIAGNOSTIC_CHECKOUT_URL,
     '__WORKFLOW_SPRINT_CHECKOUT_URL__': runtimeConfig.workflowSprintCheckoutUrl || WORKFLOW_SPRINT_CHECKOUT_URL,
+    '__PAYPAL_DIAGNOSTIC_CHECKOUT_URL__': runtimeConfig.paypalDiagnosticCheckoutUrl || '',
+    '__PAYPAL_WORKFLOW_SPRINT_CHECKOUT_URL__': runtimeConfig.paypalWorkflowSprintCheckoutUrl || '',
+    '__MOR_SNAPSHOT_CHECKOUT_URL__': runtimeConfig.morSnapshotCheckoutUrl || '',
+    '__MOR_PROVIDER__': runtimeConfig.morProvider || 'Lemon Squeezy or Paddle',
     '__SPRINT_DIAGNOSTIC_PRICE_DOLLARS__': runtimeConfig.sprintDiagnosticPriceDollars || 499,
     '__WORKFLOW_SPRINT_PRICE_DOLLARS__': runtimeConfig.workflowSprintPriceDollars || 1500,
+    '__SNAPSHOT_PRICE_DOLLARS__': runtimeConfig.snapshotPriceDollars || 97,
     '__GA_MEASUREMENT_ID__': runtimeConfig.gaMeasurementId || '',
     '__GA_BOOTSTRAP__': gaBootstrap,
     '__GOOGLE_SITE_VERIFICATION_META__': googleSiteVerificationMeta,
@@ -3526,6 +3333,7 @@ function renderSitemapXml(runtimeConfig) {
     { path: '/learn/codex-role-plugins-need-governance', changefreq: 'weekly', priority: '0.85' },
     { path: '/learn/agentic-os-team-governance', changefreq: 'weekly', priority: '0.85' },
     { path: '/learn/cost-aware-agent-gate-routing', changefreq: 'weekly', priority: '0.85' },
+    { path: '/learn/databricks-unity-ai-gateway-runtime-governance', changefreq: 'weekly', priority: '0.85' },
     { path: '/learn/pretix-stripe-connect-marketplaces', changefreq: 'weekly', priority: '0.9' },
     { path: '/compare/claude-code-hooks', changefreq: 'weekly', priority: '0.85' },
     { path: '/compare/bumblebee', changefreq: 'weekly', priority: '0.85' },
@@ -3535,30 +3343,30 @@ function renderSitemapXml(runtimeConfig) {
     { path: '/compare/anthropic-claude-for-legal', changefreq: 'weekly', priority: '0.9' },
     ...THUMBGATE_SEO_SITEMAP_ENTRIES,
   ];
-  // Auto-include every hand-written SEO page so /sitemap.xml can never drift out
-  // of sync with public/compare/*.html or public/guides/*.html. Crawlers and AI
-  // answer engines only surface pages they can discover, so a buyer-intent page
-  // missing from the sitemap is invisible on its query. De-duped against entries
-  // already declared above (e.g. seo-gsd specs), which keep explicit priorities.
+  // Auto-include every hand-written comparison and guide page so /sitemap.xml can
+  // never drift out of sync with public/compare/*.html or public/guides/*.html.
+  // Crawlers and AI answer engines (Google AI Overviews/AI Mode, ChatGPT,
+  // Perplexity) only surface pages they can discover, so a page missing from the
+  // sitemap is invisible on its buyer-intent query. De-duped against entries
+  // already declared above (e.g. the seo-gsd specs), which keep their explicit
+  // priorities.
   const declaredPaths = new Set(entries.map((entry) => entry.path));
-  try {
-    const seoDirectories = [
-      { dir: 'compare', route: '/compare', priority: '0.85' },
-      { dir: 'guides', route: '/guides', priority: '0.85' },
-    ];
-    for (const catalog of seoDirectories) {
-      const files = fs.readdirSync(path.join(PUBLIC_DIR, catalog.dir)).sort((a, b) => a.localeCompare(b));
+  const includePublicHtmlPages = (dirName, publicPrefix, priority) => {
+    try {
+      const files = fs.readdirSync(path.join(PUBLIC_DIR, dirName)).sort((a, b) => a.localeCompare(b));
       for (const file of files) {
         if (!file.endsWith('.html')) continue;
-        const publicPath = `${catalog.route}/${file.replace(/\.html$/, '')}`;
-        if (declaredPaths.has(publicPath)) continue;
-        declaredPaths.add(publicPath);
-        entries.push({ path: publicPath, changefreq: 'weekly', priority: catalog.priority });
+        const pagePath = `${publicPrefix}/${file.replace(/\.html$/, '')}`;
+        if (declaredPaths.has(pagePath)) continue;
+        declaredPaths.add(pagePath);
+        entries.push({ path: pagePath, changefreq: 'weekly', priority });
       }
+    } catch {
+      // Directory absent in a stripped bundle — fall back to the static entries.
     }
-  } catch {
-    // SEO directories absent in a stripped bundle — fall back to static entries.
-  }
+  };
+  includePublicHtmlPages('compare', '/compare', '0.85');
+  includePublicHtmlPages('guides', '/guides', '0.82');
   return [
     '<?xml version="1.0" encoding="UTF-8"?>',
     '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">',
@@ -3684,7 +3492,7 @@ function servePublicMarketingPage({
     }, req.headers, 'seo_landing_view');
   }
 
-  const requestHost = getSafePublicRequestHost(req);
+  const requestHost = String(req.headers['x-forwarded-host'] || req.headers.host || '').split(',')[0].trim();
   const html = renderHtml(hostedConfig, {
     serverVisitorId: journeyState.visitorId,
     serverSessionId: journeyState.sessionId,
@@ -4063,15 +3871,34 @@ function renderCheckoutCancelledPage(runtimeConfig) {
   const workflowSprintCheckoutUrl = runtimeConfig.workflowSprintCheckoutUrl
     ? escapeHtmlAttribute(runtimeConfig.workflowSprintCheckoutUrl)
     : '';
+  const paypalDiagnosticCheckoutUrl = runtimeConfig.paypalDiagnosticCheckoutUrl
+    ? escapeHtmlAttribute(runtimeConfig.paypalDiagnosticCheckoutUrl)
+    : '';
+  const paypalWorkflowSprintCheckoutUrl = runtimeConfig.paypalWorkflowSprintCheckoutUrl
+    ? escapeHtmlAttribute(runtimeConfig.paypalWorkflowSprintCheckoutUrl)
+    : '';
+  const morSnapshotCheckoutUrl = runtimeConfig.morSnapshotCheckoutUrl
+    ? escapeHtmlAttribute(runtimeConfig.morSnapshotCheckoutUrl)
+    : '';
   const sprintDiagnosticPriceDollars = runtimeConfig.sprintDiagnosticPriceDollars || 499;
   const workflowSprintPriceDollars = runtimeConfig.workflowSprintPriceDollars || 1500;
+  const snapshotPriceDollars = runtimeConfig.snapshotPriceDollars || 97;
   const workflowSprintIntakeUrl = `${escapeHtmlAttribute(runtimeConfig.appOrigin)}/#workflow-sprint-intake`;
   const recoveryOfferLinks = [
     diagnosticCheckoutUrl
-      ? `<a href="${diagnosticCheckoutUrl}" data-recovery-offer="sprint_diagnostic" data-offer-price="${sprintDiagnosticPriceDollars}">Book $${sprintDiagnosticPriceDollars} diagnostic</a>`
+      ? `<a href="${diagnosticCheckoutUrl}" data-recovery-offer="sprint_diagnostic_stripe" data-offer-price="${sprintDiagnosticPriceDollars}">Book $${sprintDiagnosticPriceDollars} diagnostic by Stripe</a>`
+      : '',
+    paypalDiagnosticCheckoutUrl
+      ? `<a href="${paypalDiagnosticCheckoutUrl}" data-recovery-offer="sprint_diagnostic_paypal" data-offer-price="${sprintDiagnosticPriceDollars}">Book $${sprintDiagnosticPriceDollars} diagnostic by PayPal</a>`
       : '',
     workflowSprintCheckoutUrl
-      ? `<a href="${workflowSprintCheckoutUrl}" data-recovery-offer="workflow_sprint" data-offer-price="${workflowSprintPriceDollars}">Start $${workflowSprintPriceDollars} sprint</a>`
+      ? `<a href="${workflowSprintCheckoutUrl}" data-recovery-offer="workflow_sprint_stripe" data-offer-price="${workflowSprintPriceDollars}">Start $${workflowSprintPriceDollars} sprint by Stripe</a>`
+      : '',
+    paypalWorkflowSprintCheckoutUrl
+      ? `<a href="${paypalWorkflowSprintCheckoutUrl}" data-recovery-offer="workflow_sprint_paypal" data-offer-price="${workflowSprintPriceDollars}">Start $${workflowSprintPriceDollars} sprint by PayPal</a>`
+      : '',
+    morSnapshotCheckoutUrl
+      ? `<a href="${morSnapshotCheckoutUrl}" data-recovery-offer="snapshot_mor" data-offer-price="${snapshotPriceDollars}">Buy $${snapshotPriceDollars} snapshot</a>`
       : '',
     `<a href="${workflowTeardownCheckoutUrl}" data-recovery-offer="workflow_teardown" data-offer-price="99">Pay $99 teardown</a>`,
     `<a href="${quickReadCheckoutUrl}" data-recovery-offer="quick_read" data-offer-price="19">Pay $19 quick read</a>`,
@@ -4769,42 +4596,6 @@ function normalizeJobIdFromPath(pathname, suffix = '') {
   return match ? decodeURIComponent(match[1]) : null;
 }
 
-function escapeHtml(value) {
-  return String(value)
-    .replaceAll('&', '&amp;')
-    .replaceAll('<', '&lt;')
-    .replaceAll('>', '&gt;')
-    .replaceAll('"', '&quot;')
-    .replaceAll("'", '&#39;');
-}
-
-function escapeHtmlUnsafeJsonString(value) {
-  return String(value)
-    .replaceAll('<', String.raw`\u003c`)
-    .replaceAll('>', String.raw`\u003e`)
-    .replaceAll('&', String.raw`\u0026`)
-    .replaceAll('\u2028', String.raw`\u2028`)
-    .replaceAll('\u2029', String.raw`\u2029`);
-}
-
-function sanitizeHtmlUnsafeJsonValue(value) {
-  if (typeof value === 'string') {
-    return escapeHtmlUnsafeJsonString(value);
-  }
-  if (Array.isArray(value)) {
-    return value.map((entry) => sanitizeHtmlUnsafeJsonValue(entry));
-  }
-  if (!value || typeof value !== 'object') {
-    return value;
-  }
-  return Object.fromEntries(
-    Object.entries(value).map(([key, entry]) => [
-      escapeHtmlUnsafeJsonString(key),
-      sanitizeHtmlUnsafeJsonValue(entry),
-    ])
-  );
-}
-
 function normalizeDocumentIdFromPath(pathname) {
   const match = pathname.match(/^\/v1\/documents\/([^/]+)$/);
   return match ? decodeURIComponent(match[1]) : null;
@@ -5872,12 +5663,13 @@ async function addContext(){
 
     if (isGetLikeRequest && pathname.startsWith('/learn/')) {
       try {
-        const articlePath = resolvePublicHtmlFile(LEARN_PAGE_PATHS_BY_SLUG, pathname.replace('/learn/', ''));
-        if (!articlePath) {
-          sendJson(res, 404, { error: 'Article not found' });
+        const slug = normalizePublicPageSlug(pathname.replace('/learn/', ''));
+        const articlePath = path.join(LEARN_DIR, `${slug}.html`);
+        if (!articlePath.startsWith(LEARN_DIR)) {
+          sendJson(res, 403, { error: 'Forbidden' });
           return;
         }
-        const requestHost = getSafePublicRequestHost(req);
+        const requestHost = String(req.headers['x-forwarded-host'] || req.headers.host || '').split(',')[0].trim();
         const html = normalizePublicMarketingHtml(fs.readFileSync(articlePath, 'utf-8'), hostedConfig, requestHost);
         sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
       } catch {
@@ -5888,9 +5680,10 @@ async function addContext(){
 
     if (isGetLikeRequest && pathname.startsWith('/guides/')) {
       try {
-        const guidePath = resolvePublicHtmlFile(GUIDE_PAGE_PATHS_BY_SLUG, pathname.replace('/guides/', ''));
-        if (!guidePath) { sendJson(res, 404, { error: 'Guide not found' }); return; }
-        const requestHost = getSafePublicRequestHost(req);
+        const slug = normalizePublicPageSlug(pathname.replace('/guides/', ''));
+        const guidePath = path.join(GUIDES_DIR, `${slug}.html`);
+        if (!guidePath.startsWith(GUIDES_DIR)) { sendJson(res, 403, { error: 'Forbidden' }); return; }
+        const requestHost = String(req.headers['x-forwarded-host'] || req.headers.host || '').split(',')[0].trim();
         const html = normalizePublicMarketingHtml(fs.readFileSync(guidePath, 'utf-8'), hostedConfig, requestHost);
         sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
       } catch { sendJson(res, 404, { error: 'Guide not found' }); }
@@ -5899,9 +5692,10 @@ async function addContext(){
 
     if (isGetLikeRequest && pathname.startsWith('/compare/') && pathname !== '/compare') {
       try {
-        const comparePath = resolvePublicHtmlFile(COMPARE_PAGE_PATHS_BY_SLUG, pathname.replace('/compare/', ''));
-        if (!comparePath) { sendJson(res, 404, { error: 'Comparison not found' }); return; }
-        const requestHost = getSafePublicRequestHost(req);
+        const slug = normalizePublicPageSlug(pathname.replace('/compare/', ''));
+        const comparePath = path.join(COMPARE_DIR, `${slug}.html`);
+        if (!comparePath.startsWith(COMPARE_DIR)) { sendJson(res, 403, { error: 'Forbidden' }); return; }
+        const requestHost = String(req.headers['x-forwarded-host'] || req.headers.host || '').split(',')[0].trim();
         const html = normalizePublicMarketingHtml(fs.readFileSync(comparePath, 'utf-8'), hostedConfig, requestHost);
         sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
       } catch { sendJson(res, 404, { error: 'Comparison not found' }); }
@@ -5910,9 +5704,10 @@ async function addContext(){
 
     if (isGetLikeRequest && pathname.startsWith('/use-cases/')) {
       try {
-        const useCasePath = resolvePublicHtmlFile(USE_CASE_PAGE_PATHS_BY_SLUG, pathname.replace('/use-cases/', ''));
-        if (!useCasePath) { sendJson(res, 404, { error: 'Use case not found' }); return; }
-        const requestHost = getSafePublicRequestHost(req);
+        const slug = normalizePublicPageSlug(pathname.replace('/use-cases/', ''));
+        const useCasePath = path.join(USE_CASES_DIR, `${slug}.html`);
+        if (!useCasePath.startsWith(USE_CASES_DIR)) { sendJson(res, 403, { error: 'Forbidden' }); return; }
+        const requestHost = String(req.headers['x-forwarded-host'] || req.headers.host || '').split(',')[0].trim();
         const html = normalizePublicMarketingHtml(fs.readFileSync(useCasePath, 'utf-8'), hostedConfig, requestHost);
         sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
       } catch { sendJson(res, 404, { error: 'Use case not found' }); }
@@ -6415,7 +6210,7 @@ async function addContext(){
       // Public-facing broker lead-flow audit landing page. Wedge for the
       // real-estate broker outreach. Static HTML served from src/api/static.
       try {
-        const host = getSafePublicRequestHost(req);
+        const host = String(req.headers['x-forwarded-host'] || req.headers.host || '').split(',')[0].trim();
         const html = normalizePublicMarketingHtml(fillTemplate(fs.readFileSync(
           path.resolve(__dirname, '../../assets/static/broker-audit.html'),
           'utf8'
@@ -6473,9 +6268,9 @@ async function addContext(){
     // Authorization endpoint: GET renders consent, POST issues the code.
     if (pathname === '/oauth/authorize') {
       if (isGetLikeRequest) {
-        const authRequestToken = createPendingOauthAuthorizeRequest(
-          getOauthAuthorizeParamsFromQuery(parsed.searchParams)
-        );
+        const q = parsed.searchParams;
+        const fields = ['client_id', 'redirect_uri', 'code_challenge', 'code_challenge_method', 'scope', 'state', 'resource'];
+        const hidden = fields.map((f) => `<input type="hidden" name="${f}" value="${escapeHtmlAttribute(q.get(f) || '')}">`).join('\n');
         const html = `<!doctype html><html><head><meta charset="utf-8"><title>Authorize ThumbGate</title>
 <style>body{font:15px system-ui;margin:0;background:#0b0b0c;color:#eee;display:flex;min-height:100vh;align-items:center;justify-content:center}
 .card{background:#161618;border:1px solid #2a2a2e;border-radius:12px;padding:28px;max-width:420px}
@@ -6484,7 +6279,7 @@ button{width:100%;padding:11px;border-radius:8px;border:0;background:#10b981;col
 a{color:#8b9}</style></head><body><form class="card" method="post" action="/oauth/authorize">
 <h2>Authorize Claude → ThumbGate</h2>
 <p>Paste your ThumbGate API key to let this connector act as you. Get one with <code>npx thumbgate init</code> or from your <a href="/dashboard">dashboard</a>.</p>
-<input type="hidden" name="auth_request_token" value="${escapeHtmlAttribute(authRequestToken)}">
+${hidden}
 <input type="password" name="api_key" placeholder="ThumbGate API key" autocomplete="off" required>
 <button type="submit" name="approve" value="yes">Approve</button>
 </form></body></html>`;
@@ -6496,9 +6291,8 @@ a{color:#8b9}</style></head><body><form class="card" method="post" action="/oaut
         req.on('data', (c) => { body += c; if (body.length > 16384) req.destroy(); });
         req.on('end', () => {
           const form = new URLSearchParams(body);
-          const authorizationParams = getOauthAuthorizeParamsFromForm(form, hostedConfig);
-          const redirectUri = authorizationParams.redirectUri;
-          const state = authorizationParams.state;
+          const redirectUri = form.get('redirect_uri') || '';
+          const state = form.get('state') || '';
           // Validate the presented ThumbGate key before issuing a code. When keys
           // are configured (production) the key MUST match a configured admin /
           // operator / reviewer key — otherwise OAuth would authenticate nobody.
@@ -6508,12 +6302,12 @@ a{color:#8b9}</style></head><body><form class="card" method="post" action="/oaut
             return;
           }
           const issued = mcpOauth.createAuthorizationCode(oauthStore, {
-            clientId: authorizationParams.clientId,
+            clientId: form.get('client_id') || '',
             redirectUri,
-            codeChallenge: authorizationParams.codeChallenge,
-            codeChallengeMethod: authorizationParams.codeChallengeMethod,
-            scope: authorizationParams.scope,
-            resource: authorizationParams.resource || buildPublicUrl(hostedConfig, '/mcp'),
+            codeChallenge: form.get('code_challenge') || '',
+            codeChallengeMethod: form.get('code_challenge_method') || '',
+            scope: form.get('scope') || undefined,
+            resource: form.get('resource') || buildPublicUrl(hostedConfig, '/mcp'),
             boundKey: form.get('api_key') || '',
             state,
           });
@@ -8606,14 +8400,11 @@ a{color:#8b9}</style></head><body><form class="card" method="post" action="/oaut
       {
         const documentId = normalizeDocumentIdFromPath(pathname);
         if (req.method === 'GET' && documentId) {
-          if (!/^[a-zA-Z0-9-_]+$/.test(documentId)) {
-            throw createHttpError(400, 'Invalid document ID format');
-          }
           const document = readImportedDocument(documentId, {
             feedbackDir: requestFeedbackDir,
           });
           if (!document) {
-            throw createHttpError(404, `Imported document not found: ${escapeHtml(documentId)}`);
+            throw createHttpError(404, `Imported document not found: ${documentId}`);
           }
           sendJson(res, 200, { document });
           return;
@@ -9709,8 +9500,6 @@ module.exports = {
     buildEnterpriseChatAnswer,
     answerEnterpriseDataChat,
     answerEnterpriseDialogflowChat,
-    buildLossAnalyticsResponse,
-    sanitizeHtmlUnsafeJsonValue,
   },
 };