thumbgate 1.3.0 → 1.4.0

package/scripts/ephemeral-agent-store.js

@@ -14,16 +14,9 @@
 const fs = require('fs');
 const path = require('path');
 const { resolveFeedbackDir } = require('./feedback-paths');
+const { ensureDir, readJsonl } = require('./fs-utils');
 
 function getFeedbackDir() { return resolveFeedbackDir(); }
-function ensureDir(p) { if (!fs.existsSync(p)) fs.mkdirSync(p, { recursive: true }); }
-
-function readJsonl(fp) {
-  if (!fs.existsSync(fp)) return [];
-  const raw = fs.readFileSync(fp, 'utf-8').trim();
-  if (!raw) return [];
-  return raw.split('\n').map((l) => { try { return JSON.parse(l); } catch { return null; } }).filter(Boolean);
-}
 
 // ---------------------------------------------------------------------------
 // 1. Per-Agent Namespace Isolation

package/scripts/evolution-state.js

@@ -3,6 +3,7 @@
 const fs = require('node:fs');
 const path = require('node:path');
 const { resolveFeedbackDir } = require('./feedback-paths');
+const { ensureDir } = require('./fs-utils');
 
 const DEFAULT_SETTINGS = Object.freeze({
   half_life_days: 7,
@@ -12,11 +13,6 @@ const DEFAULT_SETTINGS = Object.freeze({
   dpo_beta: 0.1,
 });
 
-function ensureDir(dirPath) {
-  if (!fs.existsSync(dirPath)) {
-    fs.mkdirSync(dirPath, { recursive: true });
-  }
-}
 
 function appendJSONL(filePath, record) {
   ensureDir(path.dirname(filePath));

package/scripts/experiment-tracker.js

@@ -18,6 +18,7 @@
 const fs = require('fs');
 const path = require('path');
 const { getFeedbackPaths, readJSONL } = require('./feedback-loop');
+const { ensureDir } = require('./fs-utils');
 
 // ---------------------------------------------------------------------------
 // Paths
@@ -31,11 +32,6 @@ function getExperimentPaths() {
   };
 }
 
-function ensureDir(dirPath) {
-  if (!fs.existsSync(dirPath)) {
-    fs.mkdirSync(dirPath, { recursive: true });
-  }
-}
 
 function appendJSONL(filePath, record) {
   ensureDir(path.dirname(filePath));

package/scripts/export-databricks-bundle.js

@@ -5,6 +5,7 @@ const fs = require('fs');
 const path = require('path');
 
 const { getFeedbackPaths } = require('./feedback-loop');
+const { ensureDir } = require('./fs-utils');
 
 const PROJECT_ROOT = path.join(__dirname, '..');
 const DEFAULT_PROOF_DIR = process.env.THUMBGATE_PROOF_DIR
@@ -20,11 +21,6 @@ function parseArgs(argv) {
   return args;
 }
 
-function ensureDir(dirPath) {
-  if (!fs.existsSync(dirPath)) {
-    fs.mkdirSync(dirPath, { recursive: true });
-  }
-}
 
 function readJSONL(filePath) {
   if (!fs.existsSync(filePath)) return [];

package/scripts/export-hf-dataset.js

@@ -26,6 +26,7 @@ const path = require('path');
 const { resolveFeedbackDir } = require('./feedback-paths');
 const { exportDpoFromMemories } = require('./export-dpo-pairs');
 const { getProvenance } = require('./contextfs');
+const { ensureDir } = require('./fs-utils');
 
 // ---------------------------------------------------------------------------
 // Helpers
@@ -43,11 +44,6 @@ function readJSONL(filePath) {
     .filter(Boolean);
 }
 
-function ensureDir(dirPath) {
-  if (!fs.existsSync(dirPath)) {
-    fs.mkdirSync(dirPath, { recursive: true });
-  }
-}
 
 function writeJSONL(filePath, rows) {
   const content = rows.map((row) => JSON.stringify(row)).join('\n');

package/scripts/export-training.js

@@ -17,6 +17,7 @@
 const fs = require('fs');
 const path = require('path');
 const { resolveFeedbackDir } = require('./feedback-paths');
+const { ensureDir } = require('./fs-utils');
 
 const SEQUENCE_WINDOW = 10;
 
@@ -40,11 +41,6 @@ function readJSONL(filePath) {
     .filter(Boolean);
 }
 
-function ensureDir(dirPath) {
-  if (!fs.existsSync(dirPath)) {
-    fs.mkdirSync(dirPath, { recursive: true });
-  }
-}
 
 // ---------------------------------------------------------------------------
 // XPRT-04: validateMemoryStructure

package/scripts/feedback-attribution.js

@@ -4,6 +4,7 @@
 const fs = require('fs');
 const path = require('path');
 const { resolveFeedbackDir } = require('./feedback-paths');
+const { readJsonl } = require('./fs-utils');
 
 function getAttributionPaths(options = {}) {
   const feedbackDir = resolveFeedbackDir({
@@ -30,22 +31,6 @@ const STOPWORDS = new Set([
   'where', 'which', 'while', 'with', 'without', 'would', 'thumbs', 'down', 'up', 'please', 'avoid',
 ]);
 
-function readJsonl(filePath, maxLines = 500) {
-  if (!filePath || !fs.existsSync(filePath)) return [];
-  const lines = fs.readFileSync(filePath, 'utf8').split('\n');
-  const out = [];
-  for (let i = lines.length - 1; i >= 0 && out.length < maxLines; i -= 1) {
-    const line = lines[i].trim();
-    if (!line) continue;
-    try {
-      out.push(JSON.parse(line));
-    } catch {
-      // ignore malformed jsonl lines
-    }
-  }
-  return out.reverse();
-}
-
 function appendJsonl(filePath, obj) {
   fs.mkdirSync(path.dirname(filePath), { recursive: true });
   fs.appendFileSync(filePath, `${JSON.stringify(obj)}\n`);

package/scripts/feedback-history-distiller.js

@@ -3,6 +3,7 @@
 const fs = require('fs');
 const path = require('path');
 const { resolveFeedbackDir: resolveSharedFeedbackDir } = require('./feedback-paths');
+const { readJsonlTail } = require('./fs-utils');
 
 const DEFAULT_HISTORY_LIMIT = 10;
 
@@ -62,22 +63,6 @@ function appendJsonl(filePath, record) {
   fs.appendFileSync(filePath, `${JSON.stringify(record)}\n`);
 }
 
-function readJsonlTail(filePath, limit = DEFAULT_HISTORY_LIMIT) {
-  if (!filePath || !fs.existsSync(filePath)) return [];
-  const lines = fs.readFileSync(filePath, 'utf8').split('\n');
-  const records = [];
-  for (let index = lines.length - 1; index >= 0 && records.length < limit; index -= 1) {
-    const line = lines[index].trim();
-    if (!line) continue;
-    try {
-      records.push(JSON.parse(line));
-    } catch {
-      // ignore malformed lines
-    }
-  }
-  return records.reverse();
-}
-
 function resolveFeedbackDir(feedbackDir) {
   if (feedbackDir) {
     return resolveSharedFeedbackDir({ feedbackDir });

package/scripts/feedback-loop.js

@@ -36,6 +36,7 @@ const {
   aggregateFailureDiagnostics,
 } = require('./failure-diagnostics');
 const { getEffectiveSetting } = require('./evolution-state');
+const { ensureDir } = require('./fs-utils');
 const {
   buildFeedbackPathsFromDir,
   getFeedbackPaths: resolveFeedbackPaths,
@@ -204,11 +205,6 @@ function getMemoryFirewallModule() {
   }
 }
 
-function ensureDir(dirPath) {
-  if (!fs.existsSync(dirPath)) {
-    fs.mkdirSync(dirPath, { recursive: true });
-  }
-}
 
 function appendJSONL(filePath, record) {
   ensureDir(path.dirname(filePath));

package/scripts/feedback-root-consolidator.js

@@ -3,6 +3,7 @@
 
 const fs = require('fs');
 const path = require('path');
+const { ensureParentDir, readJsonl } = require('./fs-utils');
 const {
   getThumbgateFeedbackDir,
   listFeedbackArtifactPaths,
@@ -42,10 +43,6 @@ function getScopedProjectOptions(options = {}) {
   };
 }
 
-function ensureParentDir(filePath) {
-  fs.mkdirSync(path.dirname(filePath), { recursive: true });
-}
-
 function readJsonFile(filePath, fallbackFactory) {
   if (!filePath || !fs.existsSync(filePath)) return fallbackFactory();
   try {
@@ -56,22 +53,6 @@ function readJsonFile(filePath, fallbackFactory) {
   }
 }
 
-function readJsonlFile(filePath) {
-  if (!filePath || !fs.existsSync(filePath)) return [];
-  const raw = fs.readFileSync(filePath, 'utf8').trim();
-  if (!raw) return [];
-  return raw
-    .split('\n')
-    .map((line) => {
-      try {
-        return JSON.parse(line);
-      } catch {
-        return null;
-      }
-    })
-    .filter(Boolean);
-}
-
 function stableArtifactTimestamp(record = {}) {
   return String(
     record.timestamp ||
@@ -176,7 +157,7 @@ function consolidateJsonArtifact(fileName, primaryPath, sourcePaths, write) {
 }
 
 function consolidateJsonlArtifact(fileName, primaryPath, sourcePaths, write) {
-  const merged = dedupeJsonlRows(sourcePaths.flatMap((candidate) => readJsonlFile(candidate)));
+  const merged = dedupeJsonlRows(sourcePaths.flatMap((candidate) => readJsonl(candidate)));
   const initializedEmpty = sourcePaths.length === 0;
   const writeResult = writeIfChanged(primaryPath, serializeJsonl(merged), write);
 

package/scripts/feedback-session.js

@@ -161,6 +161,11 @@ function finalizeSession(sessionId) {
     persistSession(result);
   } catch (_err) { /* non-critical */ }
 
+  // Auto-infer lesson from the enriched session context (LangChain continual learning)
+  try {
+    autoInferLesson(result);
+  } catch (_err) { /* non-critical — lesson inference is best-effort */ }
+
   // Clean up from active sessions after a delay (allow reads)
   scheduleTimer(() => activeSessions.delete(sessionId), 5000);
 
@@ -261,6 +266,49 @@ function getActiveSession() {
   return null;
 }
 
+/**
+ * Auto-infer a lesson from a finalized feedback session.
+ *
+ * Implements the Context-layer continual learning pattern identified by
+ * LangChain's three-layer framework (Model / Harness / Context):
+ * when a session finalizes, the enriched follow-up context is fed to
+ * lesson-inference so the next agent session starts with the new lesson
+ * already in recall — no retraining required.
+ */
+function autoInferLesson(finalizedResult) {
+  const { inferFromSurroundingMessages, createLesson } = require('./lesson-inference');
+
+  const priorMessages = (finalizedResult.followUpMessages || []).map((m) => ({
+    role: m.role,
+    content: m.content,
+  }));
+
+  const inference = inferFromSurroundingMessages({
+    priorMessages,
+    followingMessages: [],
+    signal: finalizedResult.signal === 'up' || finalizedResult.signal === 'positive' ? 'positive' : 'negative',
+    feedbackContext: finalizedResult.enrichedContext || '',
+  });
+
+  if (!inference || !inference.inferredLesson) return null;
+
+  return createLesson({
+    feedbackId: finalizedResult.feedbackEventId,
+    signal: inference.signal,
+    inferredLesson: inference.inferredLesson,
+    triggerMessage: inference.triggerMessage,
+    priorSummary: inference.priorSummary,
+    confidence: inference.confidence,
+    tags: ['auto-inferred', 'session-finalize'],
+    metadata: {
+      sessionId: finalizedResult.sessionId,
+      followUpCount: finalizedResult.followUpCount,
+      duration: finalizedResult.duration,
+      source: 'auto-lesson-inference',
+    },
+  });
+}
+
 /**
  * Persist finalized session to disk
  */
@@ -278,6 +326,7 @@ module.exports = {
   getSession,
   getActiveSession,
   extractComplaints,
+  autoInferLesson,
   SESSION_TIMEOUT_MS,
   MAX_FOLLOWUP_MESSAGES,
   scheduleTimer,

package/scripts/feedback-to-rules.js

@@ -4,6 +4,7 @@ const fs = require('fs');
 const path = require('path');
 const { getAutoGatesPath } = require('./auto-promote-gates');
 const { resolveFeedbackDir } = require('./feedback-paths');
+const { deduplicateFeedback } = require('./semantic-dedup');
 
 const DEFAULT_LOG = path.join(resolveFeedbackDir(), 'feedback-log.jsonl');
 const NEG = new Set(['negative', 'negative_strong', 'down', 'thumbs_down']);
@@ -51,19 +52,23 @@ function analyze(entries) {
     if (cls === 'negative') {
       const tool = e.tool_name || 'unknown';
       toolBuckets[tool] = (toolBuckets[tool] || 0) + 1;
-      const key = normalize(e.context);
-      if (key.length > 10) {
-        if (!contextCounts[key]) {
-          contextCounts[key] = { 
-            raw: e.context, 
-            count: 0, 
-            tool, 
-            tags: e.tags || [],
-            hasHighRisk: (e.tags || []).some(t => HIGH_RISK_TAGS.has(t))
-          };
-        }
-        contextCounts[key].count++;
-      }
+    }
+  }
+
+  // Semantic dedup: cluster near-duplicate negatives into weighted "feedback tokens"
+  const negEntries = entries.filter((e) => classifySignal(e) === 'negative');
+  const dedupedNeg = deduplicateFeedback(negEntries);
+  for (const d of dedupedNeg) {
+    const key = normalize(d.context);
+    if (key.length > 10 && !contextCounts[key]) {
+      const tags = d._mergedTags || d.tags || [];
+      contextCounts[key] = {
+        raw: d.context,
+        count: d._clusterCount || 1,
+        tool: d.tool_name || 'unknown',
+        tags,
+        hasHighRisk: tags.some(t => HIGH_RISK_TAGS.has(t)),
+      };
     }
   }
 
@@ -138,27 +143,182 @@ function toRules(report) {
   const lines = ['# Suggested Rules from Feedback Analysis', `# Generated: ${report.generatedAt}`, ''];
   lines.push(`# Negative rate: ${report.negativeRate} (${report.negativeCount}/${report.totalFeedback})`);
   lines.push('');
+
+  if (!report.recurringIssues.length) {
+    lines.push('- No recurring issues detected.');
+    return lines.join('\n');
+  }
+
+  // Group by severity: critical → high → medium
+  const ORDER = ['critical', 'high', 'medium'];
+  const bySeverity = { critical: [], high: [], medium: [] };
   for (const issue of report.recurringIssues) {
-    lines.push(`- [${issue.severity.toUpperCase()}] (${issue.count}x) ${issue.suggestedRule}`);
+    const sev = issue.severity || 'medium';
+    (bySeverity[sev] || bySeverity.medium).push(issue);
   }
-  if (!report.recurringIssues.length) lines.push('- No recurring issues detected.');
+
+  for (const sev of ORDER) {
+    const issues = bySeverity[sev];
+    if (!issues || !issues.length) continue;
+    lines.push(`## ${sev.toUpperCase()}`);
+    for (const issue of issues) {
+      const action = issue.action ? ` [${issue.action.toUpperCase()}]` : '';
+      lines.push(`- [${sev.toUpperCase()}]${action} (${issue.count}x) ${issue.suggestedRule}`);
+      if (issue.reasoning) lines.push(`  > ${issue.reasoning}`);
+    }
+    lines.push('');
+  }
+
   return lines.join('\n');
 }
 
-if (require.main === module) {
+// ---------------------------------------------------------------------------
+// LLM-Powered Rule Analysis
+// ---------------------------------------------------------------------------
+
+const LLM_RULES_SYSTEM_PROMPT = `You are a senior security engineer and AI agent safety architect at ThumbGate, responsible for creating prevention rules that block dangerous or unwanted AI agent behaviors before they execute.
+
+<role>
+You analyze patterns of developer frustration and AI agent failures to generate precise, actionable prevention rules. Your rules are loaded into a real-time PreToolUse gate that intercepts tool calls before they run. A bad rule that over-blocks degrades agent usefulness; a weak rule that under-blocks causes production incidents.
+</role>
+
+<chain_of_thought>
+Before generating each rule, reason through:
+1. What is the root-cause pattern across similar failures?
+2. What is the minimum-specific regex that catches it without over-blocking legitimate use?
+3. Is this action irreversible (→ block) or risky-but-recoverable (→ warn)?
+4. What message explains WHY this is dangerous, not just what is blocked?
+</chain_of_thought>
+
+<examples>
+Example 1 — Direct push to main:
+Input: Multiple failures where agent pushed directly to main without a PR
+Output rule:
+{
+  "pattern": "push.*(?:main|master)(?!.*--dry-run)",
+  "action": "block",
+  "message": "Direct push to main is forbidden — create a PR and get CI green first",
+  "severity": "critical",
+  "reasoning": "Bypasses code review and CI gates; irreversible without force-push"
+}
+
+Example 2 — Deleting secrets:
+Input: Agent ran rm -rf on production config files
+Output rule:
+{
+  "pattern": "rm\\\\s+-rf?\\\\s+(?:\\\\.env|config|credentials|secrets)",
+  "action": "block",
+  "message": "Deleting config/secrets files is blocked — use git checkout or restore instead",
+  "severity": "critical",
+  "reasoning": "Permanent deletion of secrets/config causes immediate production outage"
+}
+</examples>
+
+Return ONLY a valid JSON array of rule objects:
+[
+  {
+    "pattern": "<valid JavaScript regex string to match against tool call input>",
+    "action": "block" | "warn",
+    "message": "<explain WHY this is dangerous, not just what is blocked>",
+    "severity": "critical" | "high" | "medium",
+    "reasoning": "<root cause and risk analysis from the chain-of-thought>"
+  }
+]
+
+Constraints:
+- Pattern must be a valid JavaScript regex (used with new RegExp(pattern, 'i')).
+- Prefer specific patterns: "force.*push.*main" beats "push".
+- Use "block" for destructive/irreversible actions, "warn" for risky-but-recoverable.
+- Deduplicate: one rule can cover multiple related failures.
+- Return at most 10 rules, sorted by severity (critical first).
+- Return ONLY the JSON array — no markdown, no explanation outside the array.`;
+
+async function analyzeWithLLM(entries) {
+  const { isAvailable, callClaude, MODELS } = require('./llm-client');
+  if (!isAvailable()) return null;
+
+  const negativeEntries = entries
+    .filter((e) => classifySignal(e) === 'negative')
+    .filter((e) => (e.context || '').length > 20)
+    .slice(0, 30);
+
+  if (negativeEntries.length === 0) return null;
+
+  const batch = negativeEntries.map((e, i) => {
+    const ctx = (e.context || '').slice(0, 200);
+    const tool = e.tool_name || 'unknown';
+    const tags = (e.tags || []).join(', ');
+    const wentWrong = (e.what_went_wrong || e.whatWentWrong || '').slice(0, 150);
+    const toChange = (e.what_to_change || e.whatToChange || '').slice(0, 100);
+    let entry = `${i + 1}. [tool:${tool}] context: ${ctx}`;
+    if (wentWrong) entry += `\n   what_went_wrong: ${wentWrong}`;
+    if (toChange) entry += `\n   what_to_change: ${toChange}`;
+    if (tags) entry += `\n   tags: ${tags}`;
+    return entry;
+  }).join('\n\n');
+
+  const raw = await callClaude({
+    systemPrompt: LLM_RULES_SYSTEM_PROMPT,
+    userPrompt: `Analyze these ${negativeEntries.length} negative feedback entries and generate prevention rules:\n\n${batch}`,
+    model: MODELS.SMART,
+    maxTokens: 2048,
+  });
+
+  if (!raw) return null;
+
   try {
-    const logPath = process.argv[2] && !process.argv[2].startsWith('--') ? process.argv[2] : DEFAULT_LOG;
-    const entries = parseFeedbackFile(logPath);
-    const report = analyze(entries);
-    if (process.argv.includes('--rules')) {
-      console.log(toRules(report));
-    } else {
-      console.log(JSON.stringify(report, null, 2));
-    }
-  } catch (err) {
-    console.error('Warning:', err.message);
+    const parsed = JSON.parse(raw);
+    if (!Array.isArray(parsed)) return null;
+
+    return parsed
+      .filter((r) => r.pattern && r.action && r.message && r.severity)
+      .slice(0, 10)
+      .map((r) => ({
+        pattern: r.pattern,
+        count: negativeEntries.length,
+        severity: ['critical', 'high', 'medium'].includes(r.severity) ? r.severity : 'medium',
+        hasHighRisk: r.severity === 'critical',
+        suggestedRule: r.message,
+        reasoning: r.reasoning || '',
+        source: 'llm-analysis',
+      }));
+  } catch {
+    return null;
   }
-  process.exit(0);
 }
 
-module.exports = { parseFeedbackFile, classifySignal, analyze, toRules, normalize };
+if (require.main === module) {
+  (async () => {
+    try {
+      const logPath = process.argv[2] && !process.argv[2].startsWith('--') ? process.argv[2] : DEFAULT_LOG;
+      const entries = parseFeedbackFile(logPath);
+      const useLLM = process.argv.includes('--llm');
+
+      let report;
+      if (useLLM) {
+        const llmIssues = await analyzeWithLLM(entries);
+        if (llmIssues) {
+          promoteToGates(llmIssues);
+          const heuristicReport = analyze(entries);
+          report = { ...heuristicReport, recurringIssues: llmIssues, source: 'llm' };
+        } else {
+          report = analyze(entries);
+          report.source = 'heuristic-fallback';
+        }
+      } else {
+        report = analyze(entries);
+      }
+
+      if (process.argv.includes('--rules')) {
+        console.log(toRules(report));
+      } else {
+        console.log(JSON.stringify(report, null, 2));
+      }
+    } catch (err) {
+      console.error('Warning:', err.message);
+    }
+    process.exit(0);
+  })();
+}
+
+module.exports = { parseFeedbackFile, classifySignal, analyze, analyzeWithLLM, promoteToGates, toRules, normalize };

package/scripts/filesystem-search.js

@@ -20,6 +20,7 @@ const fs = require('node:fs');
 const path = require('node:path');
 const crypto = require('node:crypto');
 const { resolveFeedbackDir } = require('./feedback-paths');
+const { readJsonl } = require('./fs-utils');
 
 const PROJECT_ROOT = path.join(__dirname, '..');
 const DEFAULT_FEEDBACK_DIR = resolveFeedbackDir();
@@ -37,15 +38,6 @@ function getContextFsDir() {
   return process.env.THUMBGATE_CONTEXTFS_DIR || path.join(getFeedbackDir(), 'contextfs');
 }
 
-function readJsonl(filePath) {
-  if (!fs.existsSync(filePath)) return [];
-  const raw = fs.readFileSync(filePath, 'utf-8').trim();
-  if (!raw) return [];
-  return raw.split('\n').map((line) => {
-    try { return JSON.parse(line); } catch { return null; }
-  }).filter(Boolean);
-}
-
 function listJsonFiles(dirPath) {
   if (!fs.existsSync(dirPath)) return [];
   const results = [];