thumbgate 1.3.0 → 1.4.0

package/scripts/operational-integrity.js

@@ -572,13 +572,24 @@ function runGh(args) {
   });
 }
 
-function findOpenPrForBranch({ branchName, runner = runGh } = {}) {
+function resolveGitHubRepository(env = process.env) {
+  const repository = String(env.GITHUB_REPOSITORY || '').trim();
+  return /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/.test(repository) ? repository : null;
+}
+
+function findOpenPrForBranch({ branchName, runner = runGh, env = process.env } = {}) {
   const normalizedBranch = String(branchName || '').trim();
   if (!normalizedBranch) return null;
-  if (!process.env.GH_TOKEN && !process.env.GITHUB_TOKEN) {
+  if (!env.GH_TOKEN && !env.GITHUB_TOKEN) {
     return null;
   }
-  const result = runner(['pr', 'list', '--head', normalizedBranch, '--state', 'open', '--json', 'number,state,isDraft,url']);
+  const args = ['pr', 'list'];
+  const repository = resolveGitHubRepository(env);
+  if (repository) {
+    args.push('--repo', repository);
+  }
+  args.push('--head', normalizedBranch, '--state', 'open', '--json', 'number,state,isDraft,url');
+  const result = runner(args);
   if (!result || result.status !== 0) {
     return null;
   }
@@ -846,6 +857,7 @@ module.exports = {
   resolveGitBinary,
   resolveBaseRef,
   resolveCiBranchName,
+  resolveGitHubRepository,
   resolveRepoRoot,
   runCli,
   sanitizeGlobList,

package/scripts/org-dashboard.js

@@ -19,6 +19,11 @@ const path = require('path');
 const { resolveFeedbackDir } = require('./feedback-paths');
 const { readAuditLog, auditStats, skillAdherence } = require('./audit-trail');
 const { isProTier } = require('./rate-limiter');
+const {
+  PRO_MONTHLY_PAYMENT_LINK,
+  PRO_PRICE_LABEL,
+  TEAM_PRICE_LABEL,
+} = require('./commercial-offer');
 
 // ---------------------------------------------------------------------------
 // Agent Registry
@@ -181,7 +186,7 @@ function generateOrgDashboard(opts = {}) {
   };
 
   if (!pro) {
-    summary.upgradeMessage = 'Upgrade to Pro for full org visibility — all agents, all gates, all history. https://thumbgate-production.up.railway.app/checkout/pro';
+    summary.upgradeMessage = `Pro checkout: ${PRO_PRICE_LABEL} — ${PRO_MONTHLY_PAYMENT_LINK} | Team: ${TEAM_PRICE_LABEL} after workflow qualification.`;
   }
 
   return summary;

package/scripts/per-step-scoring.js

@@ -15,11 +15,9 @@
 const fs = require('fs');
 const path = require('path');
 const { resolveFeedbackDir } = require('./feedback-paths');
+const { ensureParentDir, readJsonl } = require('./fs-utils');
 
 function getFeedbackDir() { return resolveFeedbackDir(); }
-function ensureDir(fp) { const d = path.dirname(fp); if (!fs.existsSync(d)) fs.mkdirSync(d, { recursive: true }); }
-function readJsonl(fp) { if (!fs.existsSync(fp)) return []; const raw = fs.readFileSync(fp, 'utf-8').trim(); if (!raw) return []; return raw.split('\n').map((l) => { try { return JSON.parse(l); } catch { return null; } }).filter(Boolean); }
-
 const SCORES_FILE = 'step-scores.jsonl';
 function getScoresPath() { return path.join(getFeedbackDir(), SCORES_FILE); }
 
@@ -62,7 +60,7 @@ function scoreStep(auditEntry) {
 function scoreAuditTrail(auditEntries) {
   const scores = auditEntries.map(scoreStep);
   const scoresPath = getScoresPath();
-  ensureDir(scoresPath);
+  ensureParentDir(scoresPath);
   for (const s of scores) fs.appendFileSync(scoresPath, JSON.stringify(s) + '\n');
   return { scored: scores.length, scores };
 }

package/scripts/pr-manager.js

@@ -8,8 +8,19 @@
 
 'use strict';
 
-const { spawnSync } = require('child_process');
-const PR_FIELDS = 'number,state,mergeable,mergeStateStatus,statusCheckRollup,reviewDecision,isDraft,title';
+const fs = require('node:fs');
+const path = require('node:path');
+const { spawnSync } = require('node:child_process');
+const PR_FIELDS = 'number,state,mergeable,mergeStateStatus,statusCheckRollup,reviewDecision,isDraft,title,url,headRefOid,baseRefName,mergeCommit,mergedAt,mergedBy';
+const PR_CHECK_FIELDS = 'bucket,name,state,workflow,link,event';
+const MERGE_QUALITY_CHECKS = JSON.parse(
+  fs.readFileSync(path.join(__dirname, '..', 'config', 'merge-quality-checks.json'), 'utf8')
+);
+const FIXED_GH_BINARIES = [
+  '/usr/bin/gh',
+  '/usr/local/bin/gh',
+  '/opt/homebrew/bin/gh',
+];
 const SUCCESSFUL_CHECK_CONCLUSIONS = new Set(['SUCCESS', 'SKIPPED', 'NEUTRAL']);
 const FAILING_CHECK_CONCLUSIONS = new Set([
   'ACTION_REQUIRED',
@@ -19,9 +30,71 @@ const FAILING_CHECK_CONCLUSIONS = new Set([
   'STARTUP_FAILURE',
   'TIMED_OUT',
 ]);
+const PASSING_BUCKETS = new Set((MERGE_QUALITY_CHECKS.passingBuckets || []).map((value) => String(value || '').toLowerCase()));
+const PENDING_BUCKETS = new Set((MERGE_QUALITY_CHECKS.pendingBuckets || []).map((value) => String(value || '').toLowerCase()));
+const FAILING_BUCKETS = new Set((MERGE_QUALITY_CHECKS.failingBuckets || []).map((value) => String(value || '').toLowerCase()));
 
-function runGh(args) {
-  return spawnSync('gh', args, { encoding: 'utf-8' });
+function assertSafeGhArgs(args) {
+  if (!Array.isArray(args) || args.length === 0) {
+    throw new Error('GH CLI args must be a non-empty array.');
+  }
+
+  return args.map((arg) => {
+    const normalized = String(arg ?? '');
+    if (!normalized || /\0/.test(normalized)) {
+      throw new Error(`Unsafe GH CLI arg: ${arg}`);
+    }
+    return normalized;
+  });
+}
+
+function normalizePrNumber(prNumber, { allowEmpty = true } = {}) {
+  const normalized = String(prNumber ?? '').trim();
+  if (!normalized) {
+    if (allowEmpty) {
+      return '';
+    }
+    throw new Error('PR number is required.');
+  }
+
+  if (!/^[1-9]\d*$/.test(normalized)) {
+    throw new Error(`Unsafe PR number: ${prNumber}`);
+  }
+
+  return normalized;
+}
+
+function resolveGhBinary(options = {}) {
+  const accessSync = options.accessSync || fs.accessSync;
+  const candidates = [];
+  const configuredBinary = String(process.env.THUMBGATE_GH_BIN || '').trim();
+
+  if (configuredBinary) {
+    if (!path.isAbsolute(configuredBinary)) {
+      throw new Error(`Unsafe GH binary path: ${configuredBinary}`);
+    }
+    candidates.push(configuredBinary);
+  }
+
+  candidates.push(...FIXED_GH_BINARIES);
+
+  for (const candidate of candidates) {
+    try {
+      accessSync(candidate, fs.constants.X_OK);
+      return candidate;
+    } catch {
+      continue;
+    }
+  }
+
+  throw new Error(`Unable to locate GH CLI in fixed paths: ${candidates.join(', ')}`);
+}
+
+function runGh(args, options = {}) {
+  return spawnSync(resolveGhBinary(options), assertSafeGhArgs(args), {
+    encoding: 'utf-8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+  });
 }
 
 function formatGhError(result) {
@@ -40,13 +113,14 @@ function isMissingCurrentBranchPr(result, prNumber) {
  * Fetch granular PR status using GH CLI
  */
 function getPrStatus(prNumber = '', runner = runGh) {
+  const normalizedPrNumber = normalizePrNumber(prNumber);
   const args = ['pr', 'view'];
-  if (prNumber) args.push(prNumber);
+  if (normalizedPrNumber) args.push(normalizedPrNumber);
   args.push('--json', PR_FIELDS);
 
   const result = runner(args);
   if (result.status !== 0) {
-    if (isMissingCurrentBranchPr(result, prNumber)) {
+    if (isMissingCurrentBranchPr(result, normalizedPrNumber)) {
       return null;
     }
 
@@ -55,6 +129,16 @@ function getPrStatus(prNumber = '', runner = runGh) {
   return JSON.parse(result.stdout);
 }
 
+function getPrChecks(prNumber = '', runner = runGh) {
+  const normalizedPrNumber = normalizePrNumber(prNumber, { allowEmpty: false });
+  const result = runner(['pr', 'checks', normalizedPrNumber, '--json', PR_CHECK_FIELDS]);
+  if (result.status !== 0) {
+    throw new Error(`Failed to fetch PR checks: ${formatGhError(result)}`);
+  }
+
+  return JSON.parse(result.stdout || '[]');
+}
+
 function listOpenPrs(runner = runGh) {
   const result = runner(['pr', 'list', '--state', 'open', '--json', PR_FIELDS]);
   if (result.status !== 0) {
@@ -87,6 +171,23 @@ function summarizeChecks(checks = []) {
 
   for (const check of checks) {
     const name = check.name || 'unknown-check';
+    const bucket = String(check.bucket || '').toLowerCase();
+    if (bucket) {
+      if (FAILING_BUCKETS.has(bucket)) {
+        failing.push(name);
+        continue;
+      }
+
+      if (PENDING_BUCKETS.has(bucket)) {
+        pending.push(name);
+        continue;
+      }
+
+      if (PASSING_BUCKETS.has(bucket)) {
+        continue;
+      }
+    }
+
     const conclusion = check.conclusion || null;
     const status = check.status || (conclusion ? 'COMPLETED' : 'UNKNOWN');
 
@@ -108,6 +209,11 @@ function summarizeChecks(checks = []) {
   return { failing, pending };
 }
 
+function sleep(ms) {
+  if (!ms || ms <= 0) return;
+  Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
+}
+
 /**
  * Diagnose and resolve blockers autonomously
  */
@@ -140,17 +246,29 @@ async function resolveBlockers(pr, runner = runGh) {
   }
 
   // 3. Handle CI Failures
-  const checkSummary = summarizeChecks(pr.statusCheckRollup || []);
+  let checks = pr.statusCheckRollup || [];
+  let checkSource = 'statusCheckRollup';
+
+  if (pr.number) {
+    try {
+      checks = getPrChecks(pr.number, runner);
+      checkSource = 'gh pr checks';
+    } catch (error) {
+      console.warn(`[PR Manager] Falling back to statusCheckRollup for PR #${pr.number}: ${error.message}`);
+    }
+  }
+
+  const checkSummary = summarizeChecks(checks);
   const failingChecks = checkSummary.failing;
 
   if (failingChecks.length > 0) {
-    console.log(`[PR Manager] BLOCKED: ${failingChecks.length} failing CI checks.`);
-    return { status: 'blocked', reason: 'ci_failure', checks: failingChecks };
+    console.log(`[PR Manager] BLOCKED: ${failingChecks.length} failing quality checks via ${checkSource}.`);
+    return { status: 'blocked', reason: 'ci_failure', checks: failingChecks, checkSource };
   }
 
   if (checkSummary.pending.length > 0) {
-    console.log(`[PR Manager] BLOCKED: ${checkSummary.pending.length} CI checks still pending.`);
-    return { status: 'blocked', reason: 'ci_pending', checks: checkSummary.pending };
+    console.log(`[PR Manager] BLOCKED: ${checkSummary.pending.length} quality checks still pending via ${checkSource}.`);
+    return { status: 'blocked', reason: 'ci_pending', checks: checkSummary.pending, checkSource };
   }
 
   // 4. Handle Review Blockers
@@ -173,25 +291,74 @@ async function resolveBlockers(pr, runner = runGh) {
   return { status: 'pending', reason: 'unknown_state' };
 }
 
+function waitForMergeCommit(prNumber, runner = runGh, options = {}) {
+  const timeoutMs = Number.isFinite(options.timeoutMs) ? options.timeoutMs : 300000;
+  const intervalMs = Number.isFinite(options.intervalMs) ? options.intervalMs : 10000;
+  const startedAt = Date.now();
+
+  do {
+    const pr = getPrStatus(prNumber, runner);
+    if (pr && String(pr.state || '').toUpperCase() === 'MERGED' && pr.mergeCommit && pr.mergeCommit.oid) {
+      return {
+        finalized: true,
+        merged: true,
+        mergeCommit: pr.mergeCommit.oid,
+        mergedAt: pr.mergedAt || null,
+        mergedBy: pr.mergedBy && pr.mergedBy.login ? pr.mergedBy.login : null,
+        pr,
+      };
+    }
+
+    if (pr && String(pr.state || '').toUpperCase() === 'CLOSED') {
+      return {
+        finalized: true,
+        merged: false,
+        reason: 'closed_without_merge',
+        pr,
+      };
+    }
+
+    if (intervalMs <= 0) {
+      break;
+    }
+
+    if ((Date.now() - startedAt + intervalMs) > timeoutMs) {
+      break;
+    }
+
+    sleep(intervalMs);
+  } while ((Date.now() - startedAt) <= timeoutMs);
+
+  return {
+    finalized: false,
+    merged: false,
+    reason: 'merge_commit_pending',
+  };
+}
+
 /**
  * Perform autonomous merge
  */
-function performMerge(prNumber, runner = runGh) {
-  const args = ['pr', 'merge', prNumber.toString(), '--squash', '--delete-branch', '--auto'];
-  console.log(`[PR Manager] Initiating protected squash merge for PR #${prNumber}...`);
+function performMerge(prNumber, runner = runGh, options = {}) {
+  const normalizedPrNumber = normalizePrNumber(prNumber, { allowEmpty: false });
+  const args = ['pr', 'merge', normalizedPrNumber, '--squash', '--delete-branch'];
+  console.log(`[PR Manager] Initiating protected squash merge for PR #${normalizedPrNumber}...`);
   const result = runner(args);
   if (result.status === 0) {
     const output = `${result.stdout || ''}\n${result.stderr || ''}`;
-    const mode = /merge queue|queued|auto-merge/i.test(output) ? 'queued_or_auto' : 'merged';
-    console.log(`[PR Manager] Merge accepted for PR #${prNumber} (${mode}).`);
-    return { ok: true, mode, args };
+    const mode = /merge queue|queued/i.test(output) ? 'queued' : 'merged';
+    console.log(`[PR Manager] Merge accepted for PR #${normalizedPrNumber} (${mode}).`);
+    const mergeStatus = options.waitForMerge === false
+      ? { finalized: false, merged: false, reason: 'merge_commit_pending' }
+      : waitForMergeCommit(normalizedPrNumber, runner, options);
+    return { ok: true, mode, args, ...mergeStatus };
   } else {
     console.error(`[PR Manager] Merge failed: ${formatGhError(result)}`);
     return { ok: false, mode: 'failed', args, error: formatGhError(result) };
   }
 }
 
-async function managePrs(prNumber = '', runner = runGh) {
+async function managePrs(prNumber = '', runner = runGh, options = {}) {
   const prs = loadManagedPrs(prNumber, runner).filter(Boolean);
 
   if (prs.length === 0) {
@@ -203,9 +370,18 @@ async function managePrs(prNumber = '', runner = runGh) {
   for (const pr of prs) {
     const outcome = await resolveBlockers(pr, runner);
     if (outcome.status === 'ready') {
-      const mergeResult = performMerge(pr.number, runner);
+      const mergeResult = performMerge(pr.number, runner, options);
       outcome.mergeRequested = mergeResult.ok;
       outcome.mergeMode = mergeResult.mode;
+      if (mergeResult.mergeCommit) {
+        outcome.mergeCommit = mergeResult.mergeCommit;
+      }
+      if (mergeResult.finalized !== undefined) {
+        outcome.mergeFinalized = mergeResult.finalized;
+      }
+      if (mergeResult.reason) {
+        outcome.mergeResolution = mergeResult.reason;
+      }
     }
 
     results.push({
@@ -229,11 +405,17 @@ if (require.main === module) {
 }
 
 module.exports = {
+  assertSafeGhArgs,
   getPrStatus,
+  getPrChecks,
   listOpenPrs,
   isOpenPr,
   loadManagedPrs,
+  normalizePrNumber,
   resolveBlockers,
+  resolveGhBinary,
+  waitForMergeCommit,
   performMerge,
   managePrs,
+  summarizeChecks,
 };

package/scripts/pro-features.js

@@ -3,6 +3,7 @@ const { isProLicensed } = require('./license');
 const {
   PRO_MONTHLY_PAYMENT_LINK,
   PRO_PRICE_LABEL,
+  TEAM_PRICE_LABEL,
 } = require('./commercial-offer');
 
 const PRO_URL = PRO_MONTHLY_PAYMENT_LINK;
@@ -30,8 +31,8 @@ function requirePro(
   const desc = descriptions[featureName] || featureName;
   write(
     `\n  🔒 Pro Feature Required: ${desc}\n` +
-    `     Upgrade to ThumbGate Pro — ${PRO_PRICE_LABEL}:\n` +
-    `     ${PRO_URL}\n` +
+    `     Pro: ${PRO_PRICE_LABEL} — ${PRO_URL}\n` +
+    `     Team: ${TEAM_PRICE_LABEL} after workflow qualification\n` +
     `     Or run: npx thumbgate pro\n\n`
   );
   return false;

package/scripts/prompt-dlp.js

@@ -16,6 +16,7 @@ const { SECRET_PATTERNS } = require('./secret-scanner');
 const fs = require('fs');
 const path = require('path');
 const { resolveFeedbackDir } = require('./feedback-paths');
+const { ensureParentDir } = require('./fs-utils');
 
 const DLP_LOG_FILE = 'dlp-events.jsonl';
 const DEFAULT_MAX_SENSITIVITY = 'internal'; // block sensitive + restricted
@@ -24,7 +25,6 @@ function getDlpLogPath() {
   return path.join(resolveFeedbackDir(), DLP_LOG_FILE);
 }
 
-function ensureDir(fp) { const d = path.dirname(fp); if (!fs.existsSync(d)) fs.mkdirSync(d, { recursive: true }); }
 
 /**
  * Scan a tool call input for PII and secrets before execution.
@@ -75,7 +75,7 @@ function scanToolCallInput({ toolName, input, agentId, maxSensitivity } = {}) {
 
   // Log the event
   const logPath = getDlpLogPath();
-  ensureDir(logPath);
+  ensureParentDir(logPath);
   fs.appendFileSync(logPath, JSON.stringify(event) + '\n');
 
   return {
@@ -123,7 +123,7 @@ function detectShadowAction({ toolName, source, agentId } = {}) {
       gated: false,
     };
     const logPath = getShadowLogPath();
-    ensureDir(logPath);
+    ensureParentDir(logPath);
     fs.appendFileSync(logPath, JSON.stringify(event) + '\n');
     return { isShadow: true, event };
   }

package/scripts/prove-adapters.js

@@ -8,15 +8,11 @@ const { startServer } = require('../src/api/server');
 const { handleRequest } = require('../adapters/mcp/server-stdio');
 const { validateSubagentProfiles, listSubagentProfiles } = require('./subagent-profiles');
 const { getAllowedTools } = require('./mcp-policy');
+const { ensureDir } = require('./fs-utils');
 
 const ROOT = path.join(__dirname, '..');
 const DEFAULT_PROOF_DIR = path.join(ROOT, 'proof', 'compatibility');
 
-function ensureDir(dirPath) {
-  if (!fs.existsSync(dirPath)) {
-    fs.mkdirSync(dirPath, { recursive: true });
-  }
-}
 
 function check(condition, message) {
   if (!condition) {

package/scripts/prove-attribution.js

@@ -18,17 +18,13 @@ const path = require('path');
 const os = require('os');
 const { execSync } = require('child_process');
 const { escapeMarkdownTableCell } = require('./markdown-escape');
+const { ensureDir } = require('./fs-utils');
 
 const ROOT = path.join(__dirname, '..');
 
 // Phase 5 node-runner test baseline (before Phase 6 attribution tests)
 const PHASE5_BASELINE = 142;
 
-function ensureDir(dirPath) {
-  if (!fs.existsSync(dirPath)) {
-    fs.mkdirSync(dirPath, { recursive: true });
-  }
-}
 
 async function runProof(options = {}) {
   const proofDir = options.proofDir || process.env.THUMBGATE_PROOF_DIR || path.join(ROOT, 'proof');

package/scripts/prove-automation.js

@@ -22,13 +22,11 @@ const { traceForProofCheck, aggregateTraces } = require('./code-reasoning');
 const { runVerificationLoop } = require('./verification-loop');
 const { run: runGateCheck } = require('./gates-engine');
 const { evaluatePromptGuard } = require('./prompt-guard');
+const { ensureDir } = require('./fs-utils');
 
 const ROOT = path.join(__dirname, '..');
 const DEFAULT_PROOF_DIR = path.join(ROOT, 'proof', 'automation');
 
-function ensureDir(dirPath) {
-  if (!fs.existsSync(dirPath)) fs.mkdirSync(dirPath, { recursive: true });
-}
 
 function check(condition, message) {
   if (!condition) throw new Error(message);

package/scripts/prove-cloudflare-sandbox.js

@@ -4,6 +4,7 @@
 const fs = require('fs');
 const path = require('path');
 const { spawnSync } = require('child_process');
+const { ensureDir } = require('./fs-utils');
 
 const {
   buildCloudflareSandboxPlan,
@@ -17,9 +18,6 @@ function npmCommand() {
   return process.platform === 'win32' ? 'npm.cmd' : 'npm';
 }
 
-function ensureDir(dirPath) {
-  fs.mkdirSync(dirPath, { recursive: true });
-}
 
 function runCommand(command, args, cwd = ROOT) {
   const result = spawnSync(command, args, {

package/scripts/prove-data-pipeline.js

@@ -3,6 +3,7 @@
 const fs = require('node:fs');
 const os = require('node:os');
 const path = require('node:path');
+const { ensureDir } = require('./fs-utils');
 
 const ROOT = path.join(__dirname, '..');
 
@@ -400,9 +401,6 @@ async function run() {
   }
 }
 
-function ensureDir(dirPath) {
-  fs.mkdirSync(dirPath, { recursive: true });
-}
 
 run().catch((error) => {
   console.error(error.message);

package/scripts/prove-intelligence.js

@@ -13,15 +13,13 @@ const fs = require('fs');
 const os = require('os');
 const path = require('path');
 const { execSync } = require('child_process');
+const { ensureDir } = require('./fs-utils');
 
 const ROOT = path.join(__dirname, '..');
 function getProofDir() {
   return process.env.THUMBGATE_PROOF_DIR || path.join(ROOT, 'proof');
 }
 
-function ensureDir(d) {
-  if (!fs.existsSync(d)) fs.mkdirSync(d, { recursive: true });
-}
 
 // ---------------------------------------------------------------------------
 // Run test suite and parse results

package/scripts/prove-lancedb.js

@@ -17,6 +17,7 @@ const path = require('path');
 const os = require('os');
 const { execSync } = require('child_process');
 const { escapeMarkdownTableCell } = require('./markdown-escape');
+const { ensureDir } = require('./fs-utils');
 
 const ROOT = path.join(__dirname, '..');
 const PKG = JSON.parse(fs.readFileSync(path.join(ROOT, 'package.json'), 'utf-8'));
@@ -63,11 +64,6 @@ function createInMemoryLanceLoader() {
   });
 }
 
-function ensureDir(dirPath) {
-  if (!fs.existsSync(dirPath)) {
-    fs.mkdirSync(dirPath, { recursive: true });
-  }
-}
 
 function status(condition) {
   return condition ? 'pass' : 'fail';

package/scripts/prove-local-intelligence.js

@@ -5,13 +5,11 @@ const fs = require('fs');
 const os = require('os');
 const path = require('path');
 const { execSync } = require('child_process');
+const { ensureDir } = require('./fs-utils');
 
 const ROOT = path.join(__dirname, '..');
 const DEFAULT_PROOF_DIR = process.env.THUMBGATE_PROOF_DIR || path.join(ROOT, 'proof');
 
-function ensureDir(dirPath) {
-  if (!fs.existsSync(dirPath)) fs.mkdirSync(dirPath, { recursive: true });
-}
 
 function runTests() {
   try {