thumbgate 1.3.0 → 1.4.0

package/scripts/sync-branch-protection.js

@@ -0,0 +1,340 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('node:fs');
+const path = require('node:path');
+const { spawnSync } = require('node:child_process');
+const MERGE_QUALITY_CHECKS = require('../config/merge-quality-checks.json');
+
+const DEFAULT_REPO = process.env.GITHUB_REPOSITORY || 'IgorGanapolsky/ThumbGate';
+const DEFAULT_BRANCH = process.env.DEFAULT_BRANCH || 'main';
+const FIXED_GH_BINARIES = [
+  '/usr/bin/gh',
+  '/usr/local/bin/gh',
+  '/opt/homebrew/bin/gh',
+];
+
+function assertSafeGhArgs(args) {
+  if (!Array.isArray(args) || args.length === 0) {
+    throw new Error('GH CLI args must be a non-empty array.');
+  }
+
+  return args.map((arg) => {
+    const normalized = String(arg ?? '');
+    if (!normalized || /\0/.test(normalized)) {
+      throw new Error(`Unsafe GH CLI arg: ${arg}`);
+    }
+    return normalized;
+  });
+}
+
+function resolveGhBinary(options = {}) {
+  const accessSync = options.accessSync || fs.accessSync;
+  const candidates = [];
+  const configuredBinary = String(process.env.THUMBGATE_GH_BIN || '').trim();
+
+  if (configuredBinary) {
+    if (!path.isAbsolute(configuredBinary)) {
+      throw new Error(`Unsafe GH binary path: ${configuredBinary}`);
+    }
+    candidates.push(configuredBinary);
+  }
+
+  candidates.push(...FIXED_GH_BINARIES);
+
+  for (const candidate of candidates) {
+    try {
+      accessSync(candidate, fs.constants.X_OK);
+      return candidate;
+    } catch {
+      continue;
+    }
+  }
+
+  throw new Error(`Unable to locate GH CLI in fixed paths: ${candidates.join(', ')}`);
+}
+
+function runGh(args, options = {}) {
+  const env = { ...process.env };
+  if (!env.GITHUB_ACTIONS && env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    delete env.GITHUB_TOKEN;
+  }
+
+  return spawnSync(resolveGhBinary(options), assertSafeGhArgs(args), {
+    encoding: 'utf8',
+    env,
+    stdio: ['ignore', 'pipe', 'pipe'],
+  });
+}
+
+function formatGhError(result) {
+  return (result.stderr || result.stdout || 'Unknown GH CLI failure').trim();
+}
+
+function parseArgs(argv = process.argv.slice(2)) {
+  const options = {
+    check: false,
+    json: false,
+    repo: DEFAULT_REPO,
+    branch: DEFAULT_BRANCH,
+  };
+
+  for (let index = 0; index < argv.length; index += 1) {
+    const arg = argv[index];
+    if (arg === '--check') {
+      options.check = true;
+    } else if (arg === '--json') {
+      options.json = true;
+    } else if (arg === '--repo' && argv[index + 1]) {
+      options.repo = argv[index + 1];
+      index += 1;
+    } else if (arg === '--branch' && argv[index + 1]) {
+      options.branch = argv[index + 1];
+      index += 1;
+    }
+  }
+
+  return options;
+}
+
+function assertSafeRepoSegment(value, label) {
+  const normalized = String(value || '').trim();
+  if (!/^[A-Za-z0-9_.-]+$/.test(normalized)) {
+    throw new Error(`Unsafe repository ${label}: ${value}`);
+  }
+  return normalized;
+}
+
+function splitRepo(repo) {
+  const [owner, name] = String(repo || '').trim().split('/');
+  if (!owner || !name) {
+    throw new Error(`Invalid repository "${repo}". Expected owner/name.`);
+  }
+  return {
+    owner: assertSafeRepoSegment(owner, 'owner'),
+    name: assertSafeRepoSegment(name, 'name'),
+  };
+}
+
+function assertSafeBranchPattern(branch) {
+  const normalized = String(branch || '').trim();
+  if (!normalized) {
+    throw new Error('Branch pattern is required.');
+  }
+  if (normalized.startsWith('-') || normalized.includes('..') || normalized.includes('//') || normalized.includes('@{')) {
+    throw new Error(`Unsafe branch pattern: ${branch}`);
+  }
+  if (normalized.endsWith('.') || normalized.endsWith('/')) {
+    throw new Error(`Unsafe branch pattern: ${branch}`);
+  }
+  if (!/^[A-Za-z0-9._/-]+$/.test(normalized)) {
+    throw new Error(`Unsafe branch pattern: ${branch}`);
+  }
+  return normalized;
+}
+
+function assertSafeRuleId(ruleId) {
+  const normalized = String(ruleId || '').trim();
+  if (!/^[A-Za-z0-9_=-]+$/.test(normalized)) {
+    throw new Error(`Unsafe branch protection rule id: ${ruleId}`);
+  }
+  return normalized;
+}
+
+function assertSafeStatusContext(context) {
+  const normalized = String(context || '').trim();
+  if (!normalized || /[\0\r\n]/.test(normalized)) {
+    throw new Error(`Unsafe status check context: ${context}`);
+  }
+  return normalized;
+}
+
+function normalizeContexts(contexts = []) {
+  return [...new Set((Array.isArray(contexts) ? contexts : []).map((value) => {
+    const normalized = String(value || '').trim();
+    return normalized ? assertSafeStatusContext(normalized) : '';
+  }).filter(Boolean))].sort((left, right) => left.localeCompare(right));
+}
+
+function loadBranchProtectionRule(repo, runner = runGh) {
+  const { owner, name } = splitRepo(repo);
+  const query = `
+    query BranchProtectionRules($owner: String!, $name: String!) {
+      repository(owner: $owner, name: $name) {
+        branchProtectionRules(first: 50) {
+          nodes {
+            id
+            pattern
+            requiresStatusChecks
+            requiredStatusCheckContexts
+            requiresApprovingReviews
+            requiresConversationResolution
+          }
+        }
+      }
+    }
+  `;
+
+  const result = runner([
+    'api',
+    'graphql',
+    '-f',
+    `query=${query}`,
+    '-f',
+    `owner=${owner}`,
+    '-f',
+    `name=${name}`,
+  ]);
+
+  if (result.status !== 0) {
+    throw new Error(`Failed to load branch protection: ${formatGhError(result)}`);
+  }
+
+  const payload = JSON.parse(result.stdout || '{}');
+  return payload.data?.repository?.branchProtectionRules?.nodes || [];
+}
+
+function findBranchProtectionRule(rules, branch) {
+  return (Array.isArray(rules) ? rules : []).find((rule) => rule.pattern === branch) || null;
+}
+
+function diffContexts(actual, expected) {
+  const actualSet = new Set(normalizeContexts(actual));
+  const expectedSet = new Set(normalizeContexts(expected));
+
+  return {
+    missing: [...expectedSet].filter((value) => !actualSet.has(value)),
+    unexpected: [...actualSet].filter((value) => !expectedSet.has(value)),
+  };
+}
+
+function updateBranchProtectionRule(ruleId, requiredStatusCheckContexts, runner = runGh) {
+  const safeRuleId = assertSafeRuleId(ruleId);
+  const contexts = normalizeContexts(requiredStatusCheckContexts);
+  const mutation = `
+    mutation UpdateBranchProtectionRule($ruleId: ID!, $contexts: [String!]) {
+      updateBranchProtectionRule(input: {
+        branchProtectionRuleId: $ruleId
+        requiresStatusChecks: true
+        requiredStatusCheckContexts: $contexts
+      }) {
+        branchProtectionRule {
+          id
+          pattern
+          requiresStatusChecks
+          requiredStatusCheckContexts
+        }
+      }
+    }
+  `;
+
+  const args = [
+    'api',
+    'graphql',
+    '-f',
+    `query=${mutation}`,
+    '-f',
+    `ruleId=${safeRuleId}`,
+  ];
+  for (const context of contexts) {
+    args.push('-F', `contexts[]=${context}`);
+  }
+
+  const result = runner(args);
+
+  if (result.status !== 0) {
+    throw new Error(`Failed to update branch protection: ${formatGhError(result)}`);
+  }
+
+  return JSON.parse(result.stdout || '{}').data?.updateBranchProtectionRule?.branchProtectionRule || null;
+}
+
+function syncBranchProtection(options = {}, runner = runGh) {
+  const repo = options.repo || DEFAULT_REPO;
+  const branch = assertSafeBranchPattern(options.branch || DEFAULT_BRANCH);
+  const expectedContexts = normalizeContexts(MERGE_QUALITY_CHECKS.requiredStatusCheckContexts);
+  const rules = loadBranchProtectionRule(repo, runner);
+  const rule = findBranchProtectionRule(rules, branch);
+
+  if (!rule) {
+    throw new Error(`No branch protection rule found for ${repo}#${branch}.`);
+  }
+
+  const actualContexts = normalizeContexts(rule.requiredStatusCheckContexts);
+  const diff = diffContexts(actualContexts, expectedContexts);
+  const inSync = diff.missing.length === 0 && diff.unexpected.length === 0 && rule.requiresStatusChecks === true;
+
+  if (options.check) {
+    return {
+      ok: inSync,
+      repo,
+      branch,
+      ruleId: rule.id,
+      actualContexts,
+      expectedContexts,
+      diff,
+    };
+  }
+
+  const updatedRule = inSync
+    ? rule
+    : updateBranchProtectionRule(rule.id, expectedContexts, runner);
+  const finalContexts = normalizeContexts(updatedRule.requiredStatusCheckContexts);
+  const finalDiff = diffContexts(finalContexts, expectedContexts);
+
+  return {
+    ok: true,
+    repo,
+    branch,
+    ruleId: rule.id,
+    actualContexts: finalContexts,
+    expectedContexts,
+    diff: finalDiff,
+    updated: !inSync,
+  };
+}
+
+function runCli(argv = process.argv.slice(2), runner = runGh) {
+  const options = parseArgs(argv);
+  const result = syncBranchProtection(options, runner);
+
+  if (options.json) {
+    console.log(JSON.stringify(result, null, 2));
+  } else if (options.check) {
+    const status = result.ok ? 'ok' : 'drift';
+    console.log(`Branch protection ${status}: ${result.repo} ${result.branch}`);
+    if (!result.ok) {
+      if (result.diff.missing.length > 0) {
+        console.log(`Missing contexts: ${result.diff.missing.join(', ')}`);
+      }
+      if (result.diff.unexpected.length > 0) {
+        console.log(`Unexpected contexts: ${result.diff.unexpected.join(', ')}`);
+      }
+    }
+  } else {
+    console.log(`Branch protection synced: ${result.repo} ${result.branch}`);
+  }
+
+  return options.check ? (result.ok ? 0 : 1) : 0;
+}
+
+if (process.argv[1] && path.resolve(process.argv[1]) === __filename) {
+  process.exitCode = runCli();
+}
+
+module.exports = {
+  assertSafeBranchPattern,
+  assertSafeGhArgs,
+  assertSafeRuleId,
+  assertSafeStatusContext,
+  diffContexts,
+  findBranchProtectionRule,
+  loadBranchProtectionRule,
+  normalizeContexts,
+  parseArgs,
+  resolveGhBinary,
+  runCli,
+  splitRepo,
+  syncBranchProtection,
+  updateBranchProtectionRule,
+};

package/scripts/tessl-export.js

@@ -4,6 +4,7 @@
 const fs = require('node:fs');
 const os = require('node:os');
 const path = require('node:path');
+const { ensureDir } = require('./fs-utils');
 
 const ROOT = path.join(__dirname, '..');
 const DEFAULT_CONFIG_PATH = path.join(ROOT, 'config', 'tessl-tiles.json');
@@ -14,9 +15,6 @@ function readJson(filePath) {
   return JSON.parse(fs.readFileSync(filePath, 'utf8'));
 }
 
-function ensureDir(dirPath) {
-  fs.mkdirSync(dirPath, { recursive: true });
-}
 
 function cleanDir(dirPath) {
   fs.rmSync(dirPath, { recursive: true, force: true });

package/scripts/thumbgate-search.js

@@ -6,8 +6,11 @@ const {
   searchContextFs,
   searchPreventionRulesSync,
 } = require('./filesystem-search');
+const {
+  searchImportedDocuments,
+} = require('./document-intake');
 
-const VALID_SOURCES = ['all', 'feedback', 'context', 'rules'];
+const VALID_SOURCES = ['all', 'feedback', 'context', 'rules', 'documents'];
 const SIGNAL_ALIASES = {
   up: 'up',
   positive: 'up',
@@ -118,6 +121,27 @@ function mapRuleResult(record) {
   };
 }
 
+function mapDocumentResult(record) {
+  return {
+    id: record.documentId || null,
+    source: 'document',
+    score: clampScore(record._score),
+    signal: null,
+    tags: safeArray(record.tags),
+    timestamp: record.importedAt || null,
+    title: record.title || null,
+    context: excerpt(record.excerpt || record.content || ''),
+    correctiveAction: safeArray(record.proposals)[0]
+      ? safeArray(record.proposals)[0].title || safeArray(record.proposals)[0].evidence || null
+      : null,
+    matchedTokens: safeArray(record._matchedTokens),
+    documentId: record.documentId || null,
+    proposalCount: safeArray(record.proposals).length,
+    matchedTemplateIds: safeArray(record.matchedTemplateIds),
+    sourceFormat: record.sourceFormat || null,
+  };
+}
+
 function sortResults(results) {
   return [...results].sort((left, right) => {
     if ((right.score || 0) !== (left.score || 0)) {
@@ -144,6 +168,10 @@ function getRuleResults(query, limit) {
   return searchPreventionRulesSync(query, limit).map(mapRuleResult);
 }
 
+function getDocumentResults(query, limit) {
+  return searchImportedDocuments({ query, limit }).map(mapDocumentResult);
+}
+
 function searchThumbgate({ query, source = 'all', limit = 10, signal = null } = {}) {
   const trimmedQuery = String(query || '').trim();
   if (!trimmedQuery) {
@@ -161,11 +189,14 @@ function searchThumbgate({ query, source = 'all', limit = 10, signal = null } =
     results = getContextResults(trimmedQuery, normalizedLimit);
   } else if (normalizedSource === 'rules') {
     results = getRuleResults(trimmedQuery, normalizedLimit);
+  } else if (normalizedSource === 'documents') {
+    results = getDocumentResults(trimmedQuery, normalizedLimit);
   } else {
     results = sortResults([
       ...getFeedbackResults(trimmedQuery, normalizedLimit, normalizedSignal),
       ...getContextResults(trimmedQuery, normalizedLimit),
       ...getRuleResults(trimmedQuery, normalizedLimit),
+      ...getDocumentResults(trimmedQuery, normalizedLimit),
     ]).slice(0, normalizedLimit);
   }
 

package/scripts/tool-kpi-tracker.js

@@ -3,8 +3,8 @@
 const fs = require('fs');
 const path = require('path');
 const { resolveFeedbackDir } = require('./feedback-paths');
+const { readJsonl } = require('./fs-utils');
 function getKpiLogPath() { return path.join(resolveFeedbackDir(), 'tool-kpi.jsonl'); }
-function readJsonl(fp) { if (!fs.existsSync(fp)) return []; const raw = fs.readFileSync(fp, 'utf-8').trim(); if (!raw) return []; return raw.split('\n').map((l) => { try { return JSON.parse(l); } catch { return null; } }).filter(Boolean); }
 function recordToolCall({ toolName, serverName, latencyMs, success, agentId, metadata } = {}) { const lp = getKpiLogPath(); const dir = path.dirname(lp); if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true }); const e = { id: `kpi_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`, timestamp: new Date().toISOString(), toolName: toolName || 'unknown', serverName: serverName || 'default', latencyMs: typeof latencyMs === 'number' ? latencyMs : 0, success: success !== false, agentId: agentId || 'unknown', metadata: metadata || {} }; fs.appendFileSync(lp, JSON.stringify(e) + '\n'); return e; }
 function percentile(sorted, p) { if (sorted.length === 0) return 0; const idx = Math.ceil((p / 100) * sorted.length) - 1; return sorted[Math.max(0, idx)]; }
 function computeToolKpis({ periodHours = 24 } = {}) { const entries = readJsonl(getKpiLogPath()); const cutoff = Date.now() - periodHours * 60 * 60 * 1000; const recent = entries.filter((e) => new Date(e.timestamp).getTime() > cutoff); const byTool = {}; for (const e of recent) { const k = e.toolName; if (!byTool[k]) byTool[k] = { toolName: k, calls: [], successes: 0, failures: 0 }; byTool[k].calls.push(e.latencyMs); if (e.success) byTool[k].successes++; else byTool[k].failures++; } const tools = Object.values(byTool).map((t) => { const sorted = t.calls.slice().sort((a, b) => a - b); const total = t.successes + t.failures; return { toolName: t.toolName, requestCount: total, successRate: total > 0 ? Math.round((t.successes / total) * 1000) / 10 : 100, p50: Math.round(percentile(sorted, 50)), p90: Math.round(percentile(sorted, 90)), p95: Math.round(percentile(sorted, 95)), successes: t.successes, failures: t.failures }; }).sort((a, b) => b.requestCount - a.requestCount); const byServer = {}; for (const e of recent) { const k = e.serverName; if (!byServer[k]) byServer[k] = { serverName: k, total: 0, successes: 0 }; byServer[k].total++; if (e.success) byServer[k].successes++; } const servers = Object.values(byServer).map((s) => ({ serverName: s.serverName, totalCalls: s.total, successRate: s.total > 0 ? Math.round((s.successes / s.total) * 1000) / 10 : 100 })); return { periodHours, totalCalls: recent.length, tools, servers }; }

package/scripts/tool-registry.js

@@ -122,18 +122,57 @@ const TOOLS = [
   }),
   readOnlyTool({
     name: 'search_thumbgate',
-    description: 'Search raw ThumbGate state across feedback logs, ContextFS memory, and prevention rules.',
+    description: 'Search raw ThumbGate state across feedback logs, ContextFS memory, prevention rules, and imported policy documents.',
     inputSchema: {
       type: 'object',
       required: ['query'],
       properties: {
         query: { type: 'string', description: 'Search query for ThumbGate state.' },
         limit: { type: 'number', description: 'Maximum results to return (default 10)' },
-        source: { type: 'string', enum: ['all', 'feedback', 'context', 'rules'], description: 'Restrict search to a single ThumbGate source.' },
+        source: { type: 'string', enum: ['all', 'feedback', 'context', 'rules', 'documents'], description: 'Restrict search to a single ThumbGate source.' },
         signal: { type: 'string', enum: ['up', 'down', 'positive', 'negative'], description: 'Optional feedback-signal filter when searching feedback data.' },
       },
     },
   }),
+  destructiveTool({
+    name: 'import_document',
+    description: 'Import a local policy or runbook document into ThumbGate, normalize it for search, and propose provenance-backed gate candidates.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        filePath: { type: 'string', description: 'Local file path inside the active workspace or ThumbGate runtime.' },
+        content: { type: 'string', description: 'Inline document content for hosted or generated imports.' },
+        title: { type: 'string', description: 'Optional display title override.' },
+        sourceFormat: { type: 'string', enum: ['markdown', 'text', 'yaml', 'json', 'html'], description: 'Optional source format override when importing inline content.' },
+        sourceUrl: { type: 'string', description: 'Optional external URL or provenance label for the imported document.' },
+        tags: { type: 'array', items: { type: 'string' }, description: 'Optional tags such as policy, runbook, or team.' },
+        proposeGates: { type: 'boolean', description: 'When true (default), derive reviewable gate proposals from the document.' },
+      },
+    },
+  }),
+  readOnlyTool({
+    name: 'list_imported_documents',
+    description: 'List imported policy and runbook documents stored in local ThumbGate state.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        query: { type: 'string', description: 'Optional title or excerpt filter.' },
+        tag: { type: 'string', description: 'Optional tag or matched template id filter.' },
+        limit: { type: 'number', description: 'Maximum documents to return (default 20).' },
+      },
+    },
+  }),
+  readOnlyTool({
+    name: 'get_imported_document',
+    description: 'Read a previously imported document with its proposed gate candidates and provenance.',
+    inputSchema: {
+      type: 'object',
+      required: ['documentId'],
+      properties: {
+        documentId: { type: 'string', description: 'Imported document id.' },
+      },
+    },
+  }),
   readOnlyTool({
     name: 'feedback_stats',
     description: 'Get feedback stats and recommendations',
@@ -296,6 +335,19 @@ const TOOLS = [
       properties: {},
     },
   }),
+  readOnlyTool({
+    name: 'security_scan',
+    description: 'Scan code for OWASP vulnerabilities (injection, XSS, path traversal, SSRF, prototype pollution) and supply chain risks (typosquatting, install script abuse, wildcard versions). Returns findings with severity, category, and line numbers.',
+    inputSchema: {
+      type: 'object',
+      required: ['content'],
+      properties: {
+        content: { type: 'string', description: 'Code content to scan' },
+        filePath: { type: 'string', description: 'File path for language-aware scanning' },
+        diffMode: { type: 'boolean', description: 'When true, treats content as git diff output' },
+      },
+    },
+  }),
   readOnlyTool({
     name: 'capture_memory_feedback',
     description: 'Capture success/failure feedback to harden future workflows. Aliased to capture_feedback.',
@@ -949,6 +1001,58 @@ const TOOLS = [
       },
     },
   }),
+  destructiveTool({
+    name: 'run_managed_lesson_agent',
+    description: 'Run the LLM-powered lesson inference and rule generation agent over accumulated feedback. Requires ANTHROPIC_API_KEY for LLM mode; falls back to heuristics if unavailable.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        dryRun: { type: 'boolean', description: 'Preview what would be written without persisting' },
+        limit: { type: 'number', description: 'Max feedback entries to process (default: 20)' },
+        model: { type: 'string', description: 'Override the Claude model (default: claude-haiku-4-5)' },
+      },
+    },
+  }),
+  readOnlyTool({
+    name: 'managed_agent_status',
+    description: 'Show status of the last managed lesson agent run: entries processed, lessons created, gates promoted, and total runs.',
+    inputSchema: {
+      type: 'object',
+      properties: {},
+    },
+  }),
+  destructiveTool({
+    name: 'run_self_distill',
+    description: 'Run the self-distillation agent to auto-evaluate recent agent sessions and generate improvement lessons without human feedback. Reads conversation logs, detects success/failure signals, and persists lessons.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        dryRun: { type: 'boolean', description: 'If true, analyzes but does not persist lessons' },
+        limit: { type: 'number', description: 'Max conversation logs to process (default 20)' },
+        model: { type: 'string', description: 'LLM model to use for analysis (requires ANTHROPIC_API_KEY)' },
+      },
+    },
+  }),
+  readOnlyTool({
+    name: 'self_distill_status',
+    description: 'Show status of the last self-distillation run: sessions analyzed, lessons generated, signals detected.',
+    inputSchema: {
+      type: 'object',
+      properties: {},
+    },
+  }),
+  readOnlyTool({
+    name: 'context_stuff_lessons',
+    description: 'Dump ALL prevention lessons into a single text block for context-window injection. Bypasses RAG/search — returns every lesson sorted by confidence. For most projects (20-200 lessons), fits in 1K-10K tokens.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        maxTokenBudget: { type: 'number', description: 'Approximate token budget (default: 10000)' },
+        signal: { type: 'string', enum: ['positive', 'negative'], description: 'Filter by signal type' },
+        format: { type: 'string', enum: ['compact', 'full'], description: 'Output format (default: compact)' },
+      },
+    },
+  }),
 ];
 
 module.exports = {

package/scripts/vector-store.js

@@ -2,6 +2,7 @@
 
 const fs = require('fs');
 const path = require('path');
+const { ensureDir } = require('./fs-utils');
 const {
   resolveEmbeddingProfile,
   writeModelFitReport,
@@ -35,11 +36,6 @@ function getLanceDir() {
   return path.join(getFeedbackDir(), 'lancedb');
 }
 
-function ensureDir(dirPath) {
-  if (!fs.existsSync(dirPath)) {
-    fs.mkdirSync(dirPath, { recursive: true });
-  }
-}
 
 function truncateForEmbedding(text, maxChars) {
   const raw = String(text || '');

package/scripts/weekly-auto-post.js

@@ -14,10 +14,10 @@ const path = require('path');
 const os = require('os');
 const { generateWeeklyStatsPost } = require('./daily-digest');
 const { createSchedule } = require('./schedule-manager');
+const { ensureDir } = require('./fs-utils');
 
 const POSTS_DIR = path.join(os.homedir(), '.thumbgate', 'weekly-posts');
 
-function ensureDir(p) { if (!fs.existsSync(p)) fs.mkdirSync(p, { recursive: true }); }
 
 /**
  * Generate a weekly stats post file in post-everywhere format.