thumbgate 1.3.0 → 1.4.0

package/adapters/mcp/server-stdio.js

@@ -84,6 +84,11 @@ const {
 const {
   searchThumbgate,
 } = require('../../scripts/thumbgate-search');
+const {
+  importDocument,
+  listImportedDocuments,
+  readImportedDocument,
+} = require('../../scripts/document-intake');
 const { checkLimit, UPGRADE_MESSAGE } = require('../../scripts/rate-limiter');
 const { generateOrgDashboard } = require('../../scripts/org-dashboard');
 const {
@@ -119,7 +124,7 @@ const {
   finalizeSession: finalizeFeedbackSession,
 } = require('../../scripts/feedback-session');
 
-const SERVER_INFO = { name: 'thumbgate-mcp', version: '1.3.0' };
+const SERVER_INFO = { name: 'thumbgate-mcp', version: '1.4.0' };
 const COMMERCE_CATEGORIES = [
   'product_recommendation',
   'brand_compliance',
@@ -145,6 +150,28 @@ function resolveSafePath(targetPath, { mustExist = false } = {}) {
   return resolved;
 }
 
+function resolveImportDocumentPath(targetPath) {
+  const workspaceRoot = path.resolve(process.cwd());
+  const resolved = path.resolve(workspaceRoot, String(targetPath || ''));
+  const allowedRoots = [workspaceRoot, SAFE_DATA_DIR]
+    .filter(Boolean)
+    .map((root) => path.resolve(root));
+  const allowed = allowedRoots.some((root) => {
+    const relative = path.relative(root, resolved);
+    return relative === '' || (!relative.startsWith('..') && !path.isAbsolute(relative));
+  });
+
+  if (!allowed) {
+    throw new Error(`Path must stay within ${workspaceRoot} or ${SAFE_DATA_DIR}`);
+  }
+
+  if (!fs.existsSync(resolved)) {
+    throw new Error(`Path does not exist: ${resolved}`);
+  }
+
+  return resolved;
+}
+
 function toTextResult(payload) {
   const text = typeof payload === 'string' ? payload : JSON.stringify(payload, null, 2);
   return {
@@ -421,6 +448,29 @@ async function callToolInner(name, args) {
         source: args.source,
         signal: args.signal,
       }));
+    case 'import_document':
+      return toTextResult(importDocument({
+        filePath: args.filePath ? resolveImportDocumentPath(args.filePath) : null,
+        content: typeof args.content === 'string' ? args.content : null,
+        title: args.title,
+        sourceFormat: args.sourceFormat,
+        sourceUrl: args.sourceUrl,
+        tags: Array.isArray(args.tags) ? args.tags : [],
+        proposeGates: args.proposeGates !== false,
+      }));
+    case 'list_imported_documents':
+      return toTextResult(listImportedDocuments({
+        query: args.query || '',
+        tag: args.tag || null,
+        limit: Number(args.limit || 20),
+      }));
+    case 'get_imported_document': {
+      const document = readImportedDocument(args.documentId);
+      if (!document) {
+        throw new Error(`Imported document not found: ${args.documentId}`);
+      }
+      return toTextResult(document);
+    }
     case 'feedback_stats':
       return toTextResult(analyzeFeedback());
     case 'diagnose_failure':
@@ -489,6 +539,19 @@ async function callToolInner(name, args) {
       }));
     case 'enforcement_matrix':
       return toTextResult(listEnforcementMatrix());
+    case 'security_scan': {
+      const { scanCode, scanDependencyChange, scanGitDiff } = require('../../scripts/security-scanner');
+      if (args.diffMode) {
+        return toTextResult(scanGitDiff(args.content));
+      }
+      const codeResult = scanCode(args.content, args.filePath || '');
+      if (args.filePath && args.filePath.endsWith('package.json')) {
+        const supplyResult = scanDependencyChange('', args.content);
+        codeResult.findings = (codeResult.findings || []).concat(supplyResult.findings || []);
+        codeResult.detected = codeResult.detected || supplyResult.detected;
+      }
+      return toTextResult(codeResult);
+    }
     case 'prevention_rules': {
       const outputPath = args.outputPath ? resolveSafePath(args.outputPath) : undefined;
       return toTextResult(writePreventionRules(outputPath, Number(args.minOccurrences || 2)));
@@ -680,6 +743,26 @@ async function callToolInner(name, args) {
       return toTextResult(appendFeedbackContext(args.sessionId, args.message, args.role));
     case 'finalize_feedback_session':
       return toTextResult(finalizeFeedbackSession(args.sessionId));
+    case 'run_managed_lesson_agent': {
+      const { runManagedAgent } = require('../../scripts/managed-lesson-agent');
+      return toTextResult(await runManagedAgent({ dryRun: args.dryRun, limit: args.limit, model: args.model }));
+    }
+    case 'managed_agent_status': {
+      const { getManagedAgentStatus } = require('../../scripts/managed-lesson-agent');
+      return toTextResult(getManagedAgentStatus() || { message: 'No managed agent runs recorded yet.' });
+    }
+    case 'run_self_distill': {
+      const { runSelfDistill } = require('../../scripts/self-distill-agent');
+      return toTextResult(await runSelfDistill({ dryRun: args.dryRun, limit: args.limit, model: args.model }));
+    }
+    case 'self_distill_status': {
+      const { getSelfDistillStatus } = require('../../scripts/self-distill-agent');
+      return toTextResult(getSelfDistillStatus() || { message: 'No self-distill runs found.' });
+    }
+    case 'context_stuff_lessons': {
+      const { getAllLessonsForContext } = require('../../scripts/lesson-inference');
+      return toTextResult(getAllLessonsForContext({ maxTokenBudget: args.maxTokenBudget, signal: args.signal, format: args.format }));
+    }
     default:
       throw new Error(`Unsupported tool: ${name}`);
   }

package/adapters/opencode/opencode.json

@@ -7,7 +7,7 @@
         "npx",
         "--yes",
         "--package",
-        "thumbgate@1.3.0",
+        "thumbgate@1.4.0",
         "thumbgate",
         "serve"
       ],

package/bin/cli.js

@@ -8,11 +8,12 @@
  *   npx thumbgate init --agent claude-code   # scaffold + wire hooks for specific agent
  *   npx thumbgate gate-check    # PreToolUse hook: pipe tool JSON via stdin, get verdict
  *   npx thumbgate capture       # capture feedback
+ *   npx thumbgate import-doc    # import a local policy/runbook document and propose gates
  *   npx thumbgate export-dpo    # export DPO training pairs
  *   npx thumbgate export-databricks   # export Databricks-ready analytics bundle
  *   npx thumbgate stats         # feedback analytics + Revenue-at-Risk
  *   npx thumbgate cfo           # local operational billing summary
- *   npx thumbgate pro           # upgrade to Context Gateway
+ *   npx thumbgate pro           # solo dashboard + exports side lane
  */
 
 'use strict';
@@ -49,7 +50,9 @@ function upgradeNudge() {
     if (isProTier()) return;
   } catch (_) { return; }
   process.stderr.write(
-    `\n  Unlock Pro: unlimited gates, DPO export, searchable dashboard — ${PRO_PRICE_LABEL}\n` +
+    '\n  Team rollout: start with the Workflow Hardening Sprint\n' +
+    '  https://thumbgate-production.up.railway.app/#workflow-sprint-intake\n' +
+    `\n  Solo side lane: Pro — ${PRO_PRICE_LABEL}\n` +
     `  ${PRO_CHECKOUT_URL}\n\n`
   );
 }
@@ -456,8 +459,78 @@ function setupForge() {
   return true;
 }
 
-function init() {
-  const args = parseArgs(process.argv.slice(3));
+function detectAgent(projectDir) {
+  if (fs.existsSync(path.join(projectDir, '.claude'))) return 'claude-code';
+  if (fs.existsSync(path.join(projectDir, '.cursorrules'))) return 'cursor';
+  if (fs.existsSync(path.join(projectDir, '.cursor'))) return 'cursor';
+  if (fs.existsSync(path.join(projectDir, '.codex'))) return 'codex';
+  if (fs.existsSync(path.join(projectDir, '.gemini'))) return 'gemini';
+  if (fs.existsSync(path.join(projectDir, '.amp'))) return 'amp';
+  return null;
+}
+
+function quickStart() {
+  const qsArgs = parseArgs(process.argv.slice(3));
+  const projectDir = process.cwd();
+  const detectedAgent = detectAgent(projectDir);
+  const agent = qsArgs.agent || detectedAgent || 'claude-code';
+  const thumbgateDir = path.join(projectDir, '.thumbgate');
+  const configPath = path.join(thumbgateDir, 'config.json');
+  const agentSource = qsArgs.agent ? 'specified' : (detectedAgent ? 'auto-detected' : 'default');
+
+  console.log(`\nthumbgate quick-start v${pkgVersion()}`);
+  console.log(`Agent: ${agent} (${agentSource})`);
+  console.log('');
+
+  // 1. Run init with the resolved agent so hook wiring uses the same target.
+  init({ ...qsArgs, agent });
+
+  // 2. Copy default gates
+  const defaultGates = path.join(PKG_ROOT, 'config', 'gates', 'default.json');
+  const targetGates = path.join(thumbgateDir, 'gates.json');
+  if (fs.existsSync(defaultGates)) {
+    fs.mkdirSync(thumbgateDir, { recursive: true });
+    fs.copyFileSync(defaultGates, targetGates);
+    console.log('  Copied default gates to .thumbgate/gates.json');
+  }
+
+  // 3. Write config
+  let baseConfig = {};
+  if (fs.existsSync(configPath)) {
+    try {
+      baseConfig = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+    } catch (_) {
+      baseConfig = {};
+    }
+  }
+  const config = {
+    ...baseConfig,
+    selfDistillation: true,
+    contextStuffing: true,
+    maxTokenBudget: 10000,
+    autoGatePromotion: true,
+    agent,
+    version: pkgVersion(),
+    installId: baseConfig.installId || require('crypto').randomBytes(8).toString('hex'),
+    quickStart: true,
+    createdAt: baseConfig.createdAt || new Date().toISOString(),
+  };
+  fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + '\n');
+  console.log('  Created .thumbgate/config.json');
+
+  console.log('\n  Enforcement setup complete:');
+  console.log('    Self-distillation: ON (agent auto-learns from outcomes)');
+  console.log('    Context-stuffing:  ON (all lessons injected at session start)');
+  console.log('    Auto-gate promotion: ON (recurring failures become hard blocks)');
+  console.log('    Default gates: ' + (fs.existsSync(targetGates) ? 'loaded' : 'not found'));
+  console.log('\n  Next steps:');
+  console.log('    npx thumbgate capture --feedback=down --context="what failed"');
+  console.log('    npx thumbgate stats');
+  console.log('');
+}
+
+function init(cliArgs = parseArgs(process.argv.slice(3))) {
+  const args = { ...cliArgs };
 
   // --wire-hooks only mode: skip scaffolding, just wire hooks
   if (args['wire-hooks']) {
@@ -582,11 +655,11 @@ function init() {
   trackEvent('cli_init', { command: 'init' });
   proNudge();
   console.log('');
-  console.log('  ┌─────────────────────────────────────────────────────┐');
-  console.log('  │  Unlock unlimited captures, searches & dashboard:   │');
-  console.log('  │  https://thumbgate-production.up.railway.app/pro    │');
-  console.log('  │  Pro starts at $19/mo — 7-day free trial included   │');
-  console.log('  └─────────────────────────────────────────────────────┘');
+  console.log('  ┌──────────────────────────────────────────────────────────┐');
+  console.log('  │  Teams: shared enforcement, CI gates, audit trails      │');
+  console.log('  │  One correction protects every agent on your team.      │');
+  console.log('  │  https://thumbgate-production.up.railway.app/pro        │');
+  console.log('  └──────────────────────────────────────────────────────────┘');
 
   try {
     const { appendFunnelEvent } = require(path.join(PKG_ROOT, 'scripts', 'billing'));
@@ -696,8 +769,9 @@ function stats() {
     console.log(`  Repeated Failures detected: ${data.totalNegative}`);
     console.log(`  Estimated Operational Loss: $${revenueAtRisk}`);
     console.log('  Action Required: Run "npx thumbgate rules" to generate guardrails.');
-    console.log('  Strategic Recommendation: Upgrade to Context Gateway to sync these rules across your team.');
-    console.log('  Run: npx thumbgate pro');
+    console.log('  Strategic Recommendation: if this is a shared workflow problem, start the Workflow Hardening Sprint.');
+    console.log('  Team intake: https://thumbgate-production.up.railway.app/#workflow-sprint-intake');
+    console.log('  Solo side lane: npx thumbgate pro');
   } else {
     console.log('\n✅ System is currently high-reliability. No immediate revenue loss detected.');
   }
@@ -804,11 +878,11 @@ function pro() {
     const truthUrl = 'https://github.com/IgorGanapolsky/ThumbGate/blob/main/docs/COMMERCIAL_TRUTH.md';
     console.log('\nThumbGate Pro — Local Dashboard');
     console.log('─'.repeat(50));
-    console.log('Self-serve offer today: Pro ($19/mo or $149/yr).');
+    console.log('Self-serve side lane today: Pro ($19/mo or $149/yr).');
     console.log('Every licensed Pro user gets a personal local dashboard on localhost.');
     console.log('\nWhat is available:');
     console.log('  - Local Pro dashboard: your own browser dashboard for search, gates, and DPO export');
-    console.log('  - Optional hosted API key: shared lesson DB for teams and multi-agent workflows');
+    console.log('  - Team rollout path: shared hosted lessons, org visibility, and workflow proof');
     console.log('  - Commercial truth doc: source of truth for traction, pricing, and proof claims');
     console.log('\nLinks:');
     console.log(`  Buy Pro         : ${PRO_CHECKOUT_URL}`);
@@ -1038,6 +1112,67 @@ function exportDatabricks() {
   }
 }
 
+function importDoc() {
+  syncActiveProjectContext();
+  const args = parseArgs(process.argv.slice(3));
+  const positionalFilePath = process.argv.slice(3).find((arg) => !arg.startsWith('--'));
+  const filePath = positionalFilePath || args.file || args.path || null;
+  const inlineContent = typeof args.content === 'string' && args.content.trim()
+    ? args.content
+    : (!filePath ? readStdinText().trim() : '');
+  const tags = String(args.tags || args.tag || '')
+    .split(',')
+    .map((tag) => tag.trim())
+    .filter(Boolean);
+
+  if (!filePath && !inlineContent) {
+    console.error('Error: import-doc requires a file path, --content, or stdin text');
+    process.exit(1);
+  }
+
+  try {
+    const { importDocument: importDocumentLocal } = require(path.join(PKG_ROOT, 'scripts', 'document-intake'));
+    const document = importDocumentLocal({
+      filePath,
+      content: inlineContent || null,
+      title: args.title || null,
+      sourceFormat: args.format || args['source-format'] || null,
+      sourceUrl: args.url || args['source-url'] || null,
+      tags,
+      proposeGates: args['no-proposals'] ? false : args.proposeGates !== 'false',
+    });
+    trackEvent('cli_import_doc', {
+      command: 'import-doc',
+      documentId: document.documentId,
+      sourceFormat: document.sourceFormat,
+      proposalCount: Array.isArray(document.proposals) ? document.proposals.length : 0,
+    });
+
+    const payload = {
+      ok: true,
+      document,
+    };
+    if (args.json) {
+      console.log(JSON.stringify(payload, null, 2));
+      return;
+    }
+
+    console.log(`Imported document: ${document.title}`);
+    console.log(`  ID: ${document.documentId}`);
+    console.log(`  Format: ${document.sourceFormat}`);
+    console.log(`  Proposals: ${Array.isArray(document.proposals) ? document.proposals.length : 0}`);
+    if (Array.isArray(document.proposals) && document.proposals.length > 0) {
+      console.log('\nProposed gates:');
+      for (const proposal of document.proposals.slice(0, 6)) {
+        console.log(`  - [${proposal.type}] ${proposal.title} (${proposal.action}/${proposal.severity})`);
+      }
+    }
+  } catch (err) {
+    console.error(err && err.message ? err.message : err);
+    process.exit(1);
+  }
+}
+
 function obsidianExport() {
   const args = parseArgs(process.argv.slice(3));
   const { exportAll } = require(path.join(PKG_ROOT, 'scripts', 'obsidian-export'));
@@ -1295,6 +1430,20 @@ function sessionStart() {
   const { analyzeFeedback } = require(path.join(PKG_ROOT, 'scripts', 'feedback-loop'));
   const { refreshStatuslineCache } = require(path.join(PKG_ROOT, 'scripts', 'hook-thumbgate-cache-updater'));
   refreshStatuslineCache(analyzeFeedback());
+
+  // Surface gate-program.md active rules so the agent starts aware of what is blocked.
+  try {
+    const { readGateProgram, extractBlockPatterns } = require(path.join(PKG_ROOT, 'scripts', 'meta-agent-loop'));
+    const gateProgram = readGateProgram();
+    if (gateProgram) {
+      const blockPatterns = extractBlockPatterns(gateProgram);
+      if (blockPatterns.length > 0) {
+        process.stderr.write('\n[ThumbGate] Active hard-block rules from gate-program.md:\n');
+        blockPatterns.forEach((p, i) => process.stderr.write(`  ${i + 1}. ${p}\n`));
+        process.stderr.write('\n');
+      }
+    }
+  } catch (_) { /* gate-program awareness is best-effort */ }
 }
 
 function installMcp() {
@@ -1365,6 +1514,7 @@ function help() {
   console.log('  risk [flags]          Train or query the boosted local risk scorer');
   console.log('  doctor                Audit runtime isolation, bootstrap context, and permission tier');
   console.log('  dispatch              Print a Dispatch-safe remote ops brief for phone-driven review sessions');
+  console.log('  import-doc            Import a local policy/runbook and propose reviewable gate candidates');
   console.log('  export-dpo            Export DPO training pairs (prompt/chosen/rejected JSONL)');
   console.log('  export-databricks     Export feedback logs + proof artifacts as a Databricks-ready analytics bundle');
   console.log('  obsidian-export       Export all feedback data as interlinked Obsidian markdown notes');
@@ -1373,6 +1523,9 @@ function help() {
   console.log('  rules                 Generate prevention rules from repeated failures');
   console.log('  optimize              [PRO] Prune CLAUDE.md and migrate manual rules to Pre-Action Gates');
   console.log('  force-gate <PATTERN>  Immediately create a blocking gate from a pattern');
+  console.log('  meta-agent            Run meta-agent loop: generate + evaluate + promote prevention rules');
+  console.log('    --dry-run           Preview rules without writing');
+  console.log('    --status            Show last run summary');
   console.log('  self-heal             Run self-healing check and auto-fix');
   console.log('  activate <KEY>        Activate a Pro license key (from Stripe checkout)');
   console.log('  pro                   Show Pro plan ($19/mo) + hosted pilot info');
@@ -1394,6 +1547,7 @@ function help() {
   console.log('  npx thumbgate init');
   console.log('  npx thumbgate stats');
   console.log('  npx thumbgate cfo');
+  console.log('  npx thumbgate import-doc docs/release-policy.md --json');
   console.log('  npx thumbgate repair-github-marketplace --write');
   console.log('  npx thumbgate lessons --query="verification" --limit=5');
   console.log('  npx thumbgate model-fit');
@@ -1414,6 +1568,9 @@ switch (COMMAND) {
     init();
     upgradeNudge();
     break;
+  case 'quick-start':
+    quickStart();
+    break;
   case 'install':
     install();
     break;
@@ -1559,6 +1716,10 @@ switch (COMMAND) {
   case 'obsidian-export':
     obsidianExport();
     break;
+  case 'import-doc':
+  case 'import-document':
+    importDoc();
+    break;
   case 'rules':
     rules();
     break;
@@ -1577,6 +1738,32 @@ switch (COMMAND) {
     console.log(`Total auto-promoted gates: ${result.totalGates}`);
     break;
   }
+  case 'meta-agent': {
+    const metaArgs = parseArgs(process.argv.slice(3));
+    if (metaArgs.status) {
+      const { getMetaAgentStatus } = require(path.join(PKG_ROOT, 'scripts', 'meta-agent-loop'));
+      const status = getMetaAgentStatus();
+      if (!status) {
+        console.log('No meta-agent runs recorded yet. Run: npx thumbgate meta-agent');
+      } else {
+        console.log(JSON.stringify(status, null, 2));
+      }
+    } else {
+      const { runMetaAgentLoop } = require(path.join(PKG_ROOT, 'scripts', 'meta-agent-loop'));
+      runMetaAgentLoop({ dryRun: Boolean(metaArgs['dry-run']), verbose: true })
+        .then((manifest) => {
+          console.log(`\nMeta-agent run complete.`);
+          console.log(`  Promoted : ${manifest.promotedCount} rule(s)`);
+          console.log(`  Reverted : ${manifest.revertedCount} candidate(s)`);
+          if (manifest.dryRun) console.log('  [DRY RUN] No rules written.');
+        })
+        .catch((err) => {
+          console.error('Meta-agent failed:', err.message);
+          process.exit(1);
+        });
+    }
+    break;
+  }
   case 'self-heal':
     selfHeal();
     break;

package/bin/postinstall.js

@@ -15,7 +15,9 @@ if (isCI || isQuiet) process.exit(0);
 const {
   PRO_MONTHLY_PAYMENT_LINK,
   PRO_PRICE_LABEL,
+  TEAM_PRICE_LABEL,
 } = require('../scripts/commercial-offer');
+const WORKFLOW_SPRINT_URL = 'https://thumbgate-production.up.railway.app/#workflow-sprint-intake';
 
 process.stderr.write(`
   ┌─────────────────────────────────────────────────────┐
@@ -26,9 +28,13 @@ process.stderr.write(`
   │     npx thumbgate init                     │
   │     npx thumbgate stats                    │
   │                                                     │
-  │   Unlock Pro (personal local dashboard, DPO export, │
-  │   optional hosted API key) — ${PRO_PRICE_LABEL}:      │
+  │   Team rollout starts with the Workflow Hardening   │
+  │   Sprint: ${WORKFLOW_SPRINT_URL} │
+  │                                                     │
+  │   Solo side lane: Pro (personal local dashboard,    │
+  │   DPO export) — ${PRO_PRICE_LABEL}: │
   │     ${PRO_MONTHLY_PAYMENT_LINK}       │
+  │   Team: ${TEAM_PRICE_LABEL} after intake. │
   │                                                     │
   │   Or run: npx thumbgate pro                │
   │                                                     │

package/config/budget.json

@@ -0,0 +1,18 @@
+{
+  "max_actions": 2000,
+  "max_time_minutes": 600,
+  "profiles": {
+    "strict": {
+      "max_actions": 500,
+      "max_time_minutes": 150
+    },
+    "guided": {
+      "max_actions": 2000,
+      "max_time_minutes": 600
+    },
+    "autonomous": {
+      "max_actions": 5000,
+      "max_time_minutes": 1200
+    }
+  }
+}

package/config/gates/code-edit.json

@@ -0,0 +1,61 @@
+{
+  "version": 1,
+  "harness": "code-edit",
+  "description": "Specialized gates for code editing operations. Loaded when tool context involves Edit, Write, or MultiEdit tools.",
+  "gates": [
+    {
+      "id": "edit-env-direct",
+      "layer": "Execution",
+      "toolNames": ["Edit", "Write", "MultiEdit"],
+      "pattern": "\\.env$|\\.env\\.local$|\\.env\\.production$",
+      "action": "warn",
+      "severity": "high",
+      "message": "Editing a .env file directly. Ensure you are editing .env.example instead, and that no real secrets are committed."
+    },
+    {
+      "id": "edit-lockfile-manual",
+      "layer": "Execution",
+      "toolNames": ["Edit", "Write"],
+      "pattern": "package-lock\\.json$|yarn\\.lock$|pnpm-lock\\.yaml$",
+      "action": "warn",
+      "severity": "medium",
+      "message": "Manually editing a lockfile is not recommended. Run npm install / yarn / pnpm install to regenerate it."
+    },
+    {
+      "id": "edit-generated-file",
+      "layer": "Execution",
+      "toolNames": ["Edit", "Write"],
+      "pattern": "dist/|build/|\\.min\\.js$|\\.min\\.css$",
+      "action": "warn",
+      "severity": "medium",
+      "message": "Editing a generated/built file. Edit the source instead and rebuild."
+    },
+    {
+      "id": "edit-test-skip",
+      "layer": "Execution",
+      "toolNames": ["Edit", "Write", "MultiEdit"],
+      "pattern": "\\.skip\\(|test\\.skip|describe\\.skip|it\\.skip|xit\\(|xdescribe\\(",
+      "action": "warn",
+      "severity": "high",
+      "message": "Skipping a test. Only skip tests intentionally and document why — never skip to pass CI."
+    },
+    {
+      "id": "edit-console-log-commit",
+      "layer": "Execution",
+      "toolNames": ["Edit", "Write"],
+      "pattern": "console\\.log\\(.*password|console\\.log\\(.*secret|console\\.log\\(.*token|console\\.log\\(.*api.?key",
+      "action": "block",
+      "severity": "critical",
+      "message": "Logging a secret value to console is blocked. Remove the log or redact the value."
+    },
+    {
+      "id": "edit-version-file-without-sync",
+      "layer": "Execution",
+      "toolNames": ["Edit", "Write"],
+      "pattern": "\"version\"\\s*:\\s*\"",
+      "action": "warn",
+      "severity": "medium",
+      "message": "Editing a version field. Run node scripts/sync-version.js after changing package.json version to propagate to all targets."
+    }
+  ]
+}

package/config/gates/db-write.json

@@ -0,0 +1,61 @@
+{
+  "version": 1,
+  "harness": "db-write",
+  "description": "Specialized gates for database write operations. Loaded when tool context involves SQL mutations, SQLite writes, or ORM model changes.",
+  "gates": [
+    {
+      "id": "db-drop-table-production",
+      "layer": "Execution",
+      "pattern": "DROP\\s+TABLE(?!.*test|.*tmp|.*temp|.*_test|.*staging)",
+      "toolNames": ["Bash"],
+      "action": "block",
+      "severity": "critical",
+      "message": "DROP TABLE on a non-test table is blocked. Use a migration with a rollback path or confirm this is against a test/staging database."
+    },
+    {
+      "id": "db-delete-without-where",
+      "layer": "Execution",
+      "pattern": "DELETE\\s+FROM\\s+\\w+\\s*;|DELETE\\s+FROM\\s+\\w+\\s*$",
+      "toolNames": ["Bash"],
+      "action": "block",
+      "severity": "critical",
+      "message": "DELETE without a WHERE clause deletes all rows. Add a WHERE clause or use TRUNCATE deliberately."
+    },
+    {
+      "id": "db-truncate-production",
+      "layer": "Execution",
+      "pattern": "TRUNCATE\\s+(?!.*test|.*tmp|.*temp)",
+      "toolNames": ["Bash"],
+      "action": "warn",
+      "severity": "critical",
+      "message": "TRUNCATE detected. Confirm this is against a test or staging table, not production data."
+    },
+    {
+      "id": "db-raw-sql-no-migration",
+      "layer": "Execution",
+      "pattern": "ALTER\\s+TABLE|ADD\\s+COLUMN|DROP\\s+COLUMN|RENAME\\s+COLUMN",
+      "toolNames": ["Bash"],
+      "action": "warn",
+      "severity": "high",
+      "message": "Schema change detected outside a migration file. Create a versioned migration instead of running raw DDL."
+    },
+    {
+      "id": "db-sqlite-delete-runtime",
+      "layer": "Execution",
+      "pattern": "rm\\s+.*\\.sqlite|unlink\\s+.*\\.sqlite|fs\\.rmSync.*\\.sqlite",
+      "toolNames": ["Bash"],
+      "action": "warn",
+      "severity": "high",
+      "message": "Deleting a SQLite database file. Confirm this is not the production lesson DB (.claude/memory/lessons.sqlite)."
+    },
+    {
+      "id": "db-lancedb-wipe",
+      "layer": "Execution",
+      "pattern": "rm\\s+-rf\\s+.*lancedb|rmSync.*lancedb",
+      "toolNames": ["Bash"],
+      "action": "warn",
+      "severity": "high",
+      "message": "Wiping the LanceDB vector store. This deletes all embedded feedback memories. Confirm intent."
+    }
+  ]
+}