thumbgate 1.3.0 → 1.4.0

package/scripts/fs-utils.js

@@ -0,0 +1,104 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * Shared filesystem utilities.
+ *
+ * Consolidates ensureDir() and readJsonl() which were duplicated
+ * across 43 and 19 files respectively.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+/**
+ * Recursively create a directory if it does not exist.
+ * @param {string} dirPath
+ */
+function ensureDir(dirPath) {
+  if (!fs.existsSync(dirPath)) {
+    fs.mkdirSync(dirPath, { recursive: true });
+  }
+}
+
+/**
+ * Recursively create the parent directory for a file path.
+ * @param {string} filePath
+ */
+function ensureParentDir(filePath) {
+  ensureDir(path.dirname(filePath));
+}
+
+/**
+ * Read a JSONL (JSON Lines) file into an array of parsed objects.
+ * Silently skips malformed lines and returns [] if file is missing.
+ *
+ * @param {string} filePath
+ * @param {object} [options]
+ * @param {number} [options.maxLines] - Read at most N lines (from the end if reverse=true)
+ * @param {boolean} [options.reverse] - Read lines in reverse order (most recent first)
+ * @param {boolean} [options.tail] - Read from the end while preserving chronological order
+ * @returns {object[]}
+ */
+function readJsonl(filePath, options = {}) {
+  if (!filePath || !fs.existsSync(filePath)) return [];
+  const raw = fs.readFileSync(filePath, 'utf-8').trim();
+  if (!raw) return [];
+
+  const normalizedOptions = typeof options === 'number'
+    ? { maxLines: options, tail: true }
+    : (options || {});
+  let lines = raw.split('\n');
+
+  if (normalizedOptions.tail && normalizedOptions.maxLines > 0) {
+    lines = lines.slice(-normalizedOptions.maxLines);
+  }
+
+  if (normalizedOptions.reverse) {
+    lines = lines.reverse();
+  }
+
+  if (!normalizedOptions.tail && normalizedOptions.maxLines && normalizedOptions.maxLines > 0) {
+    lines = lines.slice(0, normalizedOptions.maxLines);
+  }
+
+  return lines
+    .map((line) => {
+      try {
+        return JSON.parse(line);
+      } catch {
+        return null;
+      }
+    })
+    .filter(Boolean);
+}
+
+/**
+ * Append a JSON object as a line to a JSONL file.
+ * Creates parent directories if they do not exist.
+ *
+ * @param {string} filePath
+ * @param {object} payload
+ */
+function appendJsonl(filePath, payload) {
+  ensureParentDir(filePath);
+  fs.appendFileSync(filePath, JSON.stringify(payload) + '\n');
+}
+
+/**
+ * Write a JSON object to a file with pretty-printing.
+ * Creates parent directories if they do not exist.
+ *
+ * @param {string} filePath
+ * @param {object} payload
+ */
+function writeJson(filePath, payload) {
+  ensureParentDir(filePath);
+  fs.writeFileSync(filePath, JSON.stringify(payload, null, 2) + '\n');
+}
+
+function readJsonlTail(filePath, limit) {
+  return readJsonl(filePath, { maxLines: limit, tail: true });
+}
+
+module.exports = { ensureDir, ensureParentDir, readJsonl, readJsonlTail, appendJsonl, writeJson };

package/scripts/gates-engine.js

@@ -14,6 +14,10 @@ const {
 const {
   evaluateWorkflowSentinel,
 } = require('./workflow-sentinel');
+const {
+  recordDecisionEvaluation,
+  recordDecisionOutcome,
+} = require('./decision-journal');
 
 /**
  * Computes the SHA-256 hash of an executable binary to prevent path-based bypasses.
@@ -47,6 +51,9 @@ const {
   buildSafeSummary,
   redactText,
 } = require('./secret-scanner');
+const {
+  evaluateSecurityScan,
+} = require('./security-scanner');
 const { getAutoGatesPath } = require('./auto-promote-gates');
 const { recordAuditEvent, auditToFeedback } = require('./audit-trail');
 
@@ -81,7 +88,7 @@ const HIGH_RISK_BASH_PATTERN = /\b(?:git\s+(?:add|commit|push)|gh\s+pr\s+(?:crea
 // Config loading
 // ---------------------------------------------------------------------------
 
-function loadGatesConfig(configPath) {
+function loadGatesConfig(configPath, harnessPath) {
   const primaryPath = configPath || process.env.THUMBGATE_GATES_CONFIG || DEFAULT_CONFIG_PATH;
 
   if (!fs.existsSync(primaryPath)) {
@@ -120,6 +127,15 @@ function loadGatesConfig(configPath) {
     mergedConfig.gates.push(...limitedAutoGates);
   }
 
+  // Load workflow-specific harness gates (always additive, never replaces default).
+  // Resolved by harness-selector based on tool name + command context.
+  const resolvedHarness = harnessPath || process.env.THUMBGATE_HARNESS_CONFIG;
+  if (resolvedHarness && fs.existsSync(resolvedHarness)) {
+    const harnessGates = (loadOne(resolvedHarness, false) || [])
+      .map(g => ({ ...g, layer: g.layer || 'Execution', source: g.source || 'harness' }));
+    mergedConfig.gates.push(...harnessGates);
+  }
+
   return mergedConfig;
 }
 
@@ -407,11 +423,15 @@ function recordStat(gateId, action, gate) {
   const stats = loadStats();
   if (action === 'block') stats.blocked = (stats.blocked || 0) + 1;
   else if (action === 'warn') stats.warned = (stats.warned || 0) + 1;
+  else if (action === 'approve') stats.pendingApproval = (stats.pendingApproval || 0) + 1;
+  else if (action === 'log') stats.logged = (stats.logged || 0) + 1;
   else stats.passed = (stats.passed || 0) + 1;
   if (!stats.byGate) stats.byGate = {};
-  if (!stats.byGate[gateId]) stats.byGate[gateId] = { blocked: 0, warned: 0 };
+  if (!stats.byGate[gateId]) stats.byGate[gateId] = { blocked: 0, warned: 0, pendingApproval: 0, logged: 0 };
   if (action === 'block') stats.byGate[gateId].blocked += 1;
   else if (action === 'warn') stats.byGate[gateId].warned += 1;
+  else if (action === 'approve') stats.byGate[gateId].pendingApproval = (stats.byGate[gateId].pendingApproval || 0) + 1;
+  else if (action === 'log') stats.byGate[gateId].logged = (stats.byGate[gateId].logged || 0) + 1;
   saveStats(stats);
   // Track lesson freshness when an auto-promoted gate fires
   if (gate && gate.sourceLessonId) {
@@ -997,6 +1017,47 @@ function buildSentinelGateResult(report) {
   };
 }
 
+function recordSentinelDecision(report, toolName, toolInput) {
+  if (!report) return null;
+  const entry = recordDecisionEvaluation(report, {
+    source: 'gates-engine',
+    toolName,
+    toolInput,
+    changedFiles: report && report.blastRadius && Array.isArray(report.blastRadius.affectedFiles)
+      ? report.blastRadius.affectedFiles
+      : [],
+  });
+  report.actionId = entry.actionId;
+  if (report.decisionControl && !report.decisionControl.actionId) {
+    report.decisionControl.actionId = entry.actionId;
+  }
+  return entry;
+}
+
+function recordMemoryGuardDecision(sentinelDecision, enrichedMemoryGuard) {
+  if (!sentinelDecision) return;
+  recordDecisionOutcome({
+    actionId: sentinelDecision.actionId,
+    outcome: 'blocked',
+    actualDecision: 'deny',
+    actor: 'system',
+    source: 'gates-engine',
+    notes: enrichedMemoryGuard.message,
+  });
+}
+
+function recordSentinelBlockDecision(sentinelDecision, sentinelResult) {
+  if (!sentinelDecision) return;
+  recordDecisionOutcome({
+    actionId: sentinelDecision.actionId,
+    outcome: sentinelResult.decision === 'deny' ? 'blocked' : 'warned',
+    actualDecision: sentinelResult.decision,
+    actor: 'system',
+    source: 'workflow-sentinel',
+    notes: sentinelResult.message,
+  });
+}
+
 function enrichResultWithSentinel(result, report) {
   if (!result || !report || report.decision === 'allow') {
     return result;
@@ -1036,7 +1097,12 @@ async function checkMetricCondition(metricCondition) {
 async function evaluateGatesAsync(toolName, toolInput, configPath) {
   let config;
   try {
-    config = loadGatesConfig(configPath);
+    let harnessPath;
+    try {
+      const { selectHarness } = require('./harness-selector');
+      harnessPath = selectHarness(toolName, toolInput);
+    } catch { /* harness-selector is optional */ }
+    config = loadGatesConfig(configPath, harnessPath);
   } catch {
     return null;
   }
@@ -1095,6 +1161,23 @@ async function evaluateGatesAsync(toolName, toolInput, configPath) {
       return result;
     }
 
+    if (gate.action === 'approve') {
+      recordStat(gate.id, 'approve', gate);
+      const result = { decision: 'approve', gate: gate.id, message, severity: gate.severity, reasoning, requiresApproval: true };
+      const auditRecord = recordAuditEvent({ toolName, toolInput, decision: 'approve', gateId: gate.id, message, severity: gate.severity, source: 'gates-engine' });
+      auditToFeedback(auditRecord);
+      return result;
+    }
+
+    if (gate.action === 'log') {
+      recordStat(gate.id, 'log', gate);
+      const result = { decision: 'log', gate: gate.id, message, severity: gate.severity, reasoning, logged: true };
+      const auditRecord = recordAuditEvent({ toolName, toolInput, decision: 'log', gateId: gate.id, message, severity: gate.severity, source: 'gates-engine' });
+      auditToFeedback(auditRecord);
+      // 'log' action allows the tool call to proceed — do not return early, continue to next gate
+      continue;
+    }
+
     if (gate.action === 'warn') {
       recordStat(gate.id, 'warn', gate);
       const result = { decision: 'warn', gate: gate.id, message, severity: gate.severity, reasoning };
@@ -1107,10 +1190,12 @@ async function evaluateGatesAsync(toolName, toolInput, configPath) {
   const sentinelReport = evaluateWorkflowSentinel(toolName, toolInput, {
     governanceState: loadGovernanceState(),
   });
+  const sentinelDecision = recordSentinelDecision(sentinelReport, toolName, toolInput);
   const memoryGuard = evaluateMemoryGuard(toolName, toolInput);
   if (memoryGuard) {
     const enrichedMemoryGuard = enrichResultWithSentinel(memoryGuard, sentinelReport);
     recordStat(enrichedMemoryGuard.gate, 'block');
+    recordMemoryGuardDecision(sentinelDecision, enrichedMemoryGuard);
     const auditRecord = recordAuditEvent({
       toolName,
       toolInput,
@@ -1127,6 +1212,7 @@ async function evaluateGatesAsync(toolName, toolInput, configPath) {
   if (sentinelReport && sentinelReport.decision !== 'allow') {
     const sentinelResult = buildSentinelGateResult(sentinelReport);
     recordStat(sentinelResult.gate, sentinelResult.decision === 'deny' ? 'block' : 'warn');
+    recordSentinelBlockDecision(sentinelDecision, sentinelResult);
     const auditRecord = recordAuditEvent({
       toolName,
       toolInput,
@@ -1148,7 +1234,12 @@ async function evaluateGatesAsync(toolName, toolInput, configPath) {
 function evaluateGates(toolName, toolInput, configPath) {
   let config;
   try {
-    config = loadGatesConfig(configPath);
+    let harnessPath;
+    try {
+      const { selectHarness } = require('./harness-selector');
+      harnessPath = selectHarness(toolName, toolInput);
+    } catch { /* harness-selector is optional */ }
+    config = loadGatesConfig(configPath, harnessPath);
   } catch {
     // If config can't be loaded, pass through
     return null;
@@ -1181,6 +1272,22 @@ function evaluateGates(toolName, toolInput, configPath) {
       return result;
     }
 
+    if (gate.action === 'approve') {
+      recordStat(gate.id, 'approve', gate);
+      const result = { decision: 'approve', gate: gate.id, message, severity: gate.severity, reasoning, requiresApproval: true };
+      const auditRecord = recordAuditEvent({ toolName, toolInput, decision: 'approve', gateId: gate.id, message, severity: gate.severity, source: 'gates-engine' });
+      auditToFeedback(auditRecord);
+      return result;
+    }
+
+    if (gate.action === 'log') {
+      recordStat(gate.id, 'log', gate);
+      const auditRecord = recordAuditEvent({ toolName, toolInput, decision: 'log', gateId: gate.id, message, severity: gate.severity, source: 'gates-engine' });
+      auditToFeedback(auditRecord);
+      // 'log' action allows the tool call to proceed — continue to next gate
+      continue;
+    }
+
     if (gate.action === 'warn') {
       recordStat(gate.id, 'warn', gate);
       const result = { decision: 'warn', gate: gate.id, message, severity: gate.severity, reasoning };
@@ -1193,10 +1300,12 @@ function evaluateGates(toolName, toolInput, configPath) {
   const sentinelReport = evaluateWorkflowSentinel(toolName, toolInput, {
     governanceState: loadGovernanceState(),
   });
+  const sentinelDecision = recordSentinelDecision(sentinelReport, toolName, toolInput);
   const memoryGuard = evaluateMemoryGuard(toolName, toolInput);
   if (memoryGuard) {
     const enrichedMemoryGuard = enrichResultWithSentinel(memoryGuard, sentinelReport);
     recordStat(enrichedMemoryGuard.gate, 'block');
+    recordMemoryGuardDecision(sentinelDecision, enrichedMemoryGuard);
     const auditRecord = recordAuditEvent({
       toolName,
       toolInput,
@@ -1213,6 +1322,7 @@ function evaluateGates(toolName, toolInput, configPath) {
   if (sentinelReport && sentinelReport.decision !== 'allow') {
     const sentinelResult = buildSentinelGateResult(sentinelReport);
     recordStat(sentinelResult.gate, sentinelResult.decision === 'deny' ? 'block' : 'warn');
+    recordSentinelBlockDecision(sentinelDecision, sentinelResult);
     const auditRecord = recordAuditEvent({
       toolName,
       toolInput,
@@ -1374,9 +1484,26 @@ async function runAsync(input) {
     return formatOutput(secretGuard);
   }
 
+  // Security vulnerability scan (Tier 1: pattern match, Tier 2: supply chain)
+  const securityScan = evaluateSecurityScan(input);
+  if (securityScan && securityScan.decision === 'deny') {
+    return formatOutput(securityScan);
+  }
+
   const toolName = input.tool_name || '';
   const toolInput = input.tool_input || {};
   const result = await evaluateGatesAsync(toolName, toolInput);
+
+  // Attach security warnings to allow/warn results
+  if (securityScan && securityScan.decision === 'warn') {
+    if (result) {
+      result.securityWarnings = securityScan.securityScan.findings;
+      result.reasoning = (result.reasoning || []).concat(securityScan.reasoning);
+    } else {
+      return formatOutput(securityScan);
+    }
+  }
+
   return formatOutput(result);
 }
 
@@ -1386,9 +1513,26 @@ function run(input) {
     return formatOutput(secretGuard);
   }
 
+  // Security vulnerability scan (Tier 1: pattern match, Tier 2: supply chain)
+  const securityScan = evaluateSecurityScan(input);
+  if (securityScan && securityScan.decision === 'deny') {
+    return formatOutput(securityScan);
+  }
+
   const toolName = input.tool_name || '';
   const toolInput = input.tool_input || {};
   const result = evaluateGates(toolName, toolInput);
+
+  // Attach security warnings to allow/warn results
+  if (securityScan && securityScan.decision === 'warn') {
+    if (result) {
+      result.securityWarnings = securityScan.securityScan.findings;
+      result.reasoning = (result.reasoning || []).concat(securityScan.reasoning);
+    } else {
+      return formatOutput(securityScan);
+    }
+  }
+
   return formatOutput(result);
 }
 
@@ -1580,6 +1724,7 @@ module.exports = {
   saveStats,
   recordStat,
   evaluateSecretGuard,
+  evaluateSecurityScan,
   buildSecretGuardResult,
   buildReasoning,
   matchesGate,

package/scripts/github-about.js

@@ -14,6 +14,9 @@ const LEGACY_REPOSITORY_URL = 'https://github.com/IgorGanapolsky/thumbgate';
 const GITHUB_API_BASE_URL = 'https://api.github.com';
 const DEFAULT_VERIFY_ATTEMPTS = 5;
 const DEFAULT_VERIFY_DELAY_MS = 2000;
+const MAX_GITHUB_DESCRIPTION_LENGTH = 160;
+const VERIFY_ATTEMPTS_ENV = 'THUMBGATE_GITHUB_ABOUT_VERIFY_ATTEMPTS';
+const VERIFY_DELAY_MS_ENV = 'THUMBGATE_GITHUB_ABOUT_VERIFY_DELAY_MS';
 
 function readText(root, relativePath) {
   return fs.readFileSync(path.join(root, relativePath), 'utf8');
@@ -63,11 +66,14 @@ function hasRepositoryUrl(text, targetUrl) {
 
 function loadGitHubAboutConfig(root = ROOT) {
   const about = readJson(root, CONFIG_RELATIVE_PATH);
+  const metaDescription = normalizeText(about.metaDescription || about.description);
+  const githubDescription = normalizeText(about.githubDescription || about.description);
   return {
     repo: normalizeText(about.repo),
     repositoryUrl: normalizeText(about.repositoryUrl),
     homepageUrl: normalizeText(about.homepageUrl),
-    description: normalizeText(about.description),
+    githubDescription,
+    metaDescription,
     topics: normalizeTopics(about.topics),
   };
 }
@@ -101,7 +107,7 @@ function compareGitHubAbout(expected, actual, label = 'Live GitHub About') {
   const actualHomepage = normalizeText(actual.homepageUrl || actual.homepage);
   const actualTopics = normalizeTopics(actual.topics);
 
-  if (actualDescription !== expected.description) {
+  if (actualDescription !== expected.githubDescription) {
     errors.push(`${label} description mismatch`);
   }
   if (actualHomepage !== expected.homepageUrl) {
@@ -135,8 +141,12 @@ function collectLocalGitHubAboutErrors(root = ROOT) {
   }
 
   check(
-    extractMetaDescription(landingHtml) === about.description,
-    'config/github-about.json description must match public/index.html meta description'
+    extractMetaDescription(landingHtml) === about.metaDescription,
+    'config/github-about.json metaDescription must match public/index.html meta description'
+  );
+  check(
+    about.githubDescription.length <= MAX_GITHUB_DESCRIPTION_LENGTH,
+    `config/github-about.json githubDescription must be ${MAX_GITHUB_DESCRIPTION_LENGTH} characters or fewer for GitHub repo metadata`
   );
   check(
     packageJson.homepage === about.homepageUrl,
@@ -179,7 +189,11 @@ function collectLocalGitHubAboutErrors(root = ROOT) {
     'docs/MARKETING_COPY_CONGRUENCE.md must reference config/github-about.json as the source of truth'
   );
   check(
-    marketingCopy.includes(about.description),
+    marketingCopy.includes(about.metaDescription),
+    'docs/MARKETING_COPY_CONGRUENCE.md must include the canonical landing meta description'
+  );
+  check(
+    marketingCopy.includes(about.githubDescription),
     'docs/MARKETING_COPY_CONGRUENCE.md must include the canonical GitHub About description'
   );
   check(
@@ -303,6 +317,13 @@ function normalizePositiveInteger(value, fallback) {
   return Number.isFinite(parsed) && parsed > 0 ? parsed : fallback;
 }
 
+function resolveVerifySetting(optionValue, envName, fallback) {
+  if (optionValue !== undefined) {
+    return normalizePositiveInteger(optionValue, fallback);
+  }
+  return normalizePositiveInteger(process.env[envName], fallback);
+}
+
 function sleep(delayMs) {
   return new Promise((resolve) => {
     setTimeout(resolve, delayMs);
@@ -314,8 +335,8 @@ async function verifyLiveGitHubAbout(options = {}) {
   const expected = options.expected || loadGitHubAboutConfig(root);
   const repo = normalizeText(options.repo) || expected.repo;
   const label = options.label || `Live GitHub About (${repo})`;
-  const attempts = normalizePositiveInteger(options.attempts, DEFAULT_VERIFY_ATTEMPTS);
-  const delayMs = normalizePositiveInteger(options.delayMs, DEFAULT_VERIFY_DELAY_MS);
+  const attempts = resolveVerifySetting(options.attempts, VERIFY_ATTEMPTS_ENV, DEFAULT_VERIFY_ATTEMPTS);
+  const delayMs = resolveVerifySetting(options.delayMs, VERIFY_DELAY_MS_ENV, DEFAULT_VERIFY_DELAY_MS);
   const fetcher = typeof options.fetcher === 'function' ? options.fetcher : fetchLiveGitHubAbout;
   const sleeper = typeof options.sleep === 'function' ? options.sleep : sleep;
   let actual = null;
@@ -362,7 +383,7 @@ async function updateLiveGitHubAbout(options = {}) {
     method: 'PATCH',
     headers: buildGitHubApiHeaders(token),
     body: JSON.stringify({
-      description: about.description,
+      description: about.githubDescription,
       homepage: about.homepageUrl,
     }),
   });
@@ -390,6 +411,9 @@ module.exports = {
   DEFAULT_VERIFY_ATTEMPTS,
   DEFAULT_VERIFY_DELAY_MS,
   LEGACY_REPOSITORY_URL,
+  MAX_GITHUB_DESCRIPTION_LENGTH,
+  VERIFY_ATTEMPTS_ENV,
+  VERIFY_DELAY_MS_ENV,
   buildCanonicalRepoUrls,
   collectLocalGitHubAboutErrors,
   compareGitHubAbout,

package/scripts/gtm-revenue-loop.js

@@ -6,6 +6,7 @@ const path = require('node:path');
 const { spawnSync } = require('node:child_process');
 const { resolveHostedBillingConfig } = require('./hosted-config');
 const { getOperationalBillingSummary } = require('./operational-summary');
+const { ensureDir } = require('./fs-utils');
 
 const COMMERCIAL_TRUTH_LINK = 'https://github.com/IgorGanapolsky/ThumbGate/blob/main/docs/COMMERCIAL_TRUTH.md';
 const VERIFICATION_EVIDENCE_LINK = 'https://github.com/IgorGanapolsky/ThumbGate/blob/main/docs/VERIFICATION_EVIDENCE.md';
@@ -65,11 +66,6 @@ function clampTargetCount(value) {
   return Math.max(1, Math.min(parsed, 12));
 }
 
-function ensureDir(dirPath) {
-  if (!dirPath) return;
-  fs.mkdirSync(dirPath, { recursive: true });
-}
-
 function normalizeText(value) {
   if (value === undefined || value === null) return '';
   return String(value).trim();

package/scripts/harness-selector.js

@@ -0,0 +1,148 @@
+'use strict';
+
+/**
+ * Harness Selector — Context-Aware Gate Harness Loading
+ *
+ * Auto Agent concept: instead of one monolithic gate config, select a
+ * specialized harness based on the workflow type detected from the tool call.
+ *
+ * Detection priority (first match wins):
+ *   1. THUMBGATE_HARNESS env var — explicit override
+ *   2. Tool-name heuristic (Edit/Write/MultiEdit → code-edit)
+ *   3. Command-text heuristic (deploy keywords → deploy, SQL keywords → db-write)
+ *   4. null → load only default.json + auto-promoted gates
+ *
+ * Each harness is ADDITIVE — default.json gates always load first.
+ */
+
+const path = require('path');
+
+const HARNESS_DIR = path.join(__dirname, '..', 'config', 'gates');
+
+const HARNESSES = Object.freeze({
+  deploy: path.join(HARNESS_DIR, 'deploy.json'),
+  'code-edit': path.join(HARNESS_DIR, 'code-edit.json'),
+  'db-write': path.join(HARNESS_DIR, 'db-write.json'),
+});
+
+// ---------------------------------------------------------------------------
+// Detection patterns
+// ---------------------------------------------------------------------------
+
+const DEPLOY_PATTERNS = [
+  /\brailway\s+(deploy|up|run)\b/i,
+  /\bdocker\s+(push|build)\b/i,
+  /\bnpm\s+publish\b/i,
+  /\byarn\s+publish\b/i,
+  /\bpnpm\s+publish\b/i,
+  /\bgit\s+push\b/i,
+  /\bgh\s+pr\s+(create|merge)\b/i,
+  /\bchangeset\s+(publish|version)\b/i,
+];
+
+const DB_WRITE_PATTERNS = [
+  /\b(DROP|TRUNCATE|DELETE|ALTER|INSERT|UPDATE)\s+(TABLE|FROM|INTO|COLUMN)\b/i,
+  /\b(sqlite3|better-sqlite3|knex|sequelize)\b.*\.(run|exec|query)\b/i,
+  /\brm\s+.*\.sqlite\b/i,
+  /\blancedb\b.*(?:create|delete|drop|truncate)/i,
+  /\.db\.exec\(|\.db\.prepare\(/i,
+];
+
+const CODE_EDIT_TOOL_NAMES = new Set(['Edit', 'Write', 'MultiEdit', 'NotebookEdit']);
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Given a tool name and input, return the path to the best matching
+ * specialized harness config, or null if none applies.
+ *
+ * @param {string} toolName  - e.g. "Bash", "Edit", "Write"
+ * @param {object|string} toolInput - raw tool input object or string
+ * @returns {string|null} absolute path to harness JSON, or null
+ */
+function selectHarness(toolName, toolInput) {
+  // 1. Explicit override
+  if (process.env.THUMBGATE_HARNESS) {
+    const override = process.env.THUMBGATE_HARNESS;
+    if (HARNESSES[override]) return HARNESSES[override];
+    // Allow absolute path override
+    if (path.isAbsolute(override)) return override;
+  }
+
+  // 2. Edit/Write tools always get code-edit harness
+  if (CODE_EDIT_TOOL_NAMES.has(toolName)) {
+    return HARNESSES['code-edit'];
+  }
+
+  // 3. Inspect command text for Bash tool
+  const commandText = extractCommandText(toolInput);
+  if (commandText) {
+    if (DB_WRITE_PATTERNS.some((p) => p.test(commandText))) {
+      return HARNESSES['db-write'];
+    }
+    if (DEPLOY_PATTERNS.some((p) => p.test(commandText))) {
+      return HARNESSES['deploy'];
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Return the harness name (e.g. "deploy") for a given tool call, or null.
+ */
+function selectHarnessName(toolName, toolInput) {
+  const harnessPath = selectHarness(toolName, toolInput);
+  if (!harnessPath) return null;
+  return Object.entries(HARNESSES).find(([, p]) => p === harnessPath)?.[0] ?? null;
+}
+
+/**
+ * Return the full list of available harness names.
+ */
+function listHarnesses() {
+  return Object.keys(HARNESSES);
+}
+
+/**
+ * Return the path for a harness by name.
+ */
+function getHarnessPath(name) {
+  return HARNESSES[name] ?? null;
+}
+
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+
+function extractCommandText(toolInput) {
+  if (!toolInput) return '';
+  if (typeof toolInput === 'string') return toolInput;
+  if (typeof toolInput === 'object') {
+    // Claude Code Bash tool: { command: "..." }
+    if (typeof toolInput.command === 'string') return toolInput.command;
+    // file_path for Edit/Write tools
+    if (typeof toolInput.file_path === 'string') return toolInput.file_path;
+    // Generic text fields
+    for (const key of ['input', 'text', 'content', 'query']) {
+      if (typeof toolInput[key] === 'string') return toolInput[key];
+    }
+    // Fall back to serialised form
+    try { return JSON.stringify(toolInput); } catch { return ''; }
+  }
+  return '';
+}
+
+module.exports = {
+  selectHarness,
+  selectHarnessName,
+  listHarnesses,
+  getHarnessPath,
+  extractCommandText,
+  HARNESSES,
+  DEPLOY_PATTERNS,
+  DB_WRITE_PATTERNS,
+  CODE_EDIT_TOOL_NAMES,
+};

package/scripts/hosted-job-launcher.js

@@ -6,6 +6,7 @@ const { spawn } = require('child_process');
 
 const runner = require('./async-job-runner');
 const { buildHarnessJob } = require('./natural-language-harness');
+const { ensureDir } = require('./fs-utils');
 
 const RUNNER_SCRIPT_PATH = path.join(__dirname, 'async-job-runner.js');
 const MANAGED_DPO_EXPORT_SCRIPT_PATH = path.join(__dirname, 'managed-dpo-export.js');
@@ -17,11 +18,6 @@ function nowIso() {
   return new Date().toISOString();
 }
 
-function ensureDir(dirPath) {
-  if (!fs.existsSync(dirPath)) {
-    fs.mkdirSync(dirPath, { recursive: true });
-  }
-}
 
 function shellQuote(value) {
   return `'${String(value).replace(/'/g, `'\\''`)}'`;