thumbgate 1.3.0 → 1.4.0

package/config/gates/default.json

@@ -10,6 +10,15 @@
       "message": "User requested local-only work. Git writes, PR operations, and release actions are blocked.",
       "severity": "critical"
     },
+    {
+      "id": "raw-gh-auto-merge-blocked",
+      "layer": "Execution",
+      "toolNames": ["Bash"],
+      "pattern": "gh\\s+pr\\s+merge\\b[^\\n]*--auto",
+      "action": "block",
+      "message": "Raw GitHub auto-merge is blocked. Use npm run pr:manage after all critical quality checks have terminal success.",
+      "severity": "critical"
+    },
     {
       "id": "task-scope-required",
       "layer": "Decisions",
@@ -134,7 +143,8 @@
       "pattern": "git\\s+push\\s+(--force|-f)",
       "action": "block",
       "message": "Force push blocked. This is destructive and irreversible.",
-      "severity": "critical"
+      "severity": "critical",
+      "compliance": ["NIST-CM-5", "SOC2-CC8.1", "CWE-863"]
     },
     {
       "id": "protected-branch-push",
@@ -152,7 +162,8 @@
       "pattern": "\\.env",
       "action": "warn",
       "message": "Editing .env file — verify you are not deleting existing tokens",
-      "severity": "medium"
+      "severity": "medium",
+      "compliance": ["NIST-IA-5", "SOC2-CC6.1", "CWE-798"]
     },
     {
       "id": "deny-network-egress",
@@ -161,7 +172,8 @@
       "action": "warn",
       "unless": "egress_approved",
       "message": "Potential unauthorized network egress detected.",
-      "severity": "medium"
+      "severity": "medium",
+      "compliance": ["NIST-SC-7", "SOC2-CC6.6", "OWASP-A10"]
     },
     {
       "id": "unverified-skill-use",
@@ -174,6 +186,16 @@
       "message": "Skill provenance check failed. Run 'npm run skill:verify' or satisfy 'skill_verified' with a valid signature to proceed.",
       "severity": "high"
     },
+    {
+      "id": "supply-chain-dep-add",
+      "layer": "Supply Chain",
+      "toolNames": ["Edit", "Write"],
+      "pattern": "package\\.json$",
+      "action": "warn",
+      "message": "Dependency mutation detected in package.json. Security scanner will audit for typosquatting, wildcard versions, and suspicious install scripts.",
+      "severity": "high",
+      "compliance": ["NIST-SA-12", "OWASP-A06", "CWE-1357"]
+    },
     {
       "id": "blocked-npx-content",
       "layer": "Supply Chain",
@@ -184,6 +206,135 @@
       "action": "block",
       "message": "Blocked npx execution by content hash. Renaming the binary does not bypass this gate.",
       "severity": "critical"
+    },
+    {
+      "id": "production-deploy-approval",
+      "layer": "Execution",
+      "toolNames": ["Bash"],
+      "pattern": "(?:railway|fly|heroku|vercel|render|kubectl|helm)\\s+(?:deploy|up|apply|release|push|rollout)",
+      "action": "approve",
+      "message": "Production deploy detected. Human approval required before this action can proceed.",
+      "severity": "high",
+      "compliance": ["NIST-CM-3", "SOC2-CC8.1", "OWASP-A05"]
+    },
+    {
+      "id": "schema-migration-approval",
+      "layer": "Execution",
+      "toolNames": ["Bash"],
+      "pattern": "(?:npx\\s+(?:sequelize|typeorm|prisma|knex|drizzle|flyway|liquibase)|alembic\\s+upgrade|rails\\s+db:migrate|php\\s+artisan\\s+migrate)\\b",
+      "action": "approve",
+      "message": "Database schema migration detected. Human approval required before this action can proceed.",
+      "severity": "high",
+      "compliance": ["NIST-CM-3", "SOC2-CC8.1", "CWE-89"]
+    },
+    {
+      "id": "permission-change-approval",
+      "layer": "Execution",
+      "toolNames": ["Bash"],
+      "pattern": "(?:chmod|chown|setfacl|iam|policy|role|grant|revoke)\\s+",
+      "action": "approve",
+      "message": "Permission or IAM change detected. Human approval required before this action can proceed.",
+      "severity": "high",
+      "compliance": ["NIST-AC-6", "SOC2-CC6.1", "CWE-732"]
+    },
+    {
+      "id": "style-violation-log",
+      "layer": "Decisions",
+      "toolNames": ["Edit", "Write", "MultiEdit"],
+      "pattern": ".*",
+      "action": "log",
+      "when": { "constraints": { "THUMBGATE_STYLE_AUDIT": true } },
+      "message": "Style audit mode active. Action recorded for review but allowed to proceed.",
+      "severity": "low"
+    },
+    {
+      "id": "large-file-creation-log",
+      "layer": "Execution",
+      "toolNames": ["Write"],
+      "pattern": ".*",
+      "action": "log",
+      "when": { "constraints": { "THUMBGATE_LARGE_FILE_AUDIT": true } },
+      "message": "Large file write detected. Action recorded for audit trail but allowed to proceed.",
+      "severity": "low"
+    },
+    {
+      "id": "non-critical-warning-log",
+      "layer": "Decisions",
+      "toolNames": ["Bash"],
+      "pattern": "(?:console\\.log|debugger|TODO|FIXME|HACK|XXX)",
+      "action": "log",
+      "message": "Non-critical code pattern detected. Action recorded for audit trail but allowed to proceed.",
+      "severity": "low"
+    },
+    {
+      "id": "mcp-sql-delete-block",
+      "layer": "Execution",
+      "toolNames": ["delete_record"],
+      "pattern": ".*",
+      "requireTaskScope": true,
+      "action": "block",
+      "message": "SQL MCP delete_record requires explicit task scope. Destructive database operations must be scoped to prevent accidental data loss.",
+      "severity": "critical",
+      "compliance": ["NIST-AC-3", "SOC2-CC6.1", "CWE-89"]
+    },
+    {
+      "id": "mcp-sql-execute-warn",
+      "layer": "Execution",
+      "toolNames": ["execute_entity"],
+      "pattern": "(?:drop|truncate|alter|grant|revoke)",
+      "action": "warn",
+      "message": "SQL MCP execute_entity matches a potentially destructive DDL pattern. Review before proceeding.",
+      "severity": "high"
+    },
+    {
+      "id": "mcp-sql-bulk-update-warn",
+      "layer": "Execution",
+      "toolNames": ["update_record"],
+      "pattern": "(?:WHERE\\s+1\\s*=\\s*1|WHERE\\s+true|WITHOUT\\s+WHERE)",
+      "action": "block",
+      "message": "SQL MCP bulk update without a safe WHERE clause. This could modify all records in the table.",
+      "severity": "critical",
+      "compliance": ["NIST-AC-3", "CWE-89"]
+    },
+    {
+      "id": "self-protect-config",
+      "layer": "Execution",
+      "toolNames": ["Edit", "Write", "MultiEdit"],
+      "pattern": "(?:config/gates/|config/budget\\.json|\\.thumbgate/|thumbgate\\.json)",
+      "action": "block",
+      "message": "Self-protection: agent cannot modify ThumbGate configuration, gate rules, or budget settings.",
+      "severity": "critical",
+      "compliance": ["NIST-AC-3", "OWASP-A01", "SOC2-CC6.1"]
+    },
+    {
+      "id": "self-protect-kill",
+      "layer": "Execution",
+      "toolNames": ["Bash"],
+      "pattern": "(?:kill|pkill|killall)\\s+.*(?:thumbgate|gates-engine|budget-enforcer)",
+      "action": "block",
+      "message": "Self-protection: agent cannot terminate ThumbGate processes.",
+      "severity": "critical",
+      "compliance": ["NIST-AC-3", "OWASP-A01"]
+    },
+    {
+      "id": "self-protect-env-override",
+      "layer": "Execution",
+      "toolNames": ["Bash"],
+      "pattern": "(?:export|unset)\\s+(?:THUMBGATE_|LANEKEEP_)",
+      "action": "block",
+      "message": "Self-protection: agent cannot modify ThumbGate environment variables.",
+      "severity": "critical",
+      "compliance": ["NIST-AC-3", "SOC2-CC6.1"]
+    },
+    {
+      "id": "self-protect-hooks-disable",
+      "layer": "Execution",
+      "toolNames": ["Edit", "Write", "Bash"],
+      "pattern": "(?:settings\\.json|settings\\.local\\.json).*(?:hooks|PreToolUse|PostToolUse)",
+      "action": "block",
+      "message": "Self-protection: agent cannot modify hook registrations.",
+      "severity": "critical",
+      "compliance": ["NIST-AC-3", "OWASP-A01", "SOC2-CC6.1"]
     }
   ]
 }

package/config/gates/deploy.json

@@ -0,0 +1,61 @@
+{
+  "version": 1,
+  "harness": "deploy",
+  "description": "Specialized gates for deployment operations. Loaded when tool context matches deploy patterns (Railway, Docker, npm publish, git push to main).",
+  "gates": [
+    {
+      "id": "deploy-unverified-claim",
+      "layer": "Execution",
+      "pattern": "(?:deployed|live|shipped|pushed to prod)",
+      "toolNames": ["Bash"],
+      "action": "warn",
+      "severity": "critical",
+      "message": "Deployment claim detected. Run the verification gate first: curl -s $PROD_URL/health | grep version"
+    },
+    {
+      "id": "deploy-force-push-main",
+      "layer": "Execution",
+      "pattern": "git\\s+push\\s+.*--force(?!-with-lease)|git\\s+push\\s+--force(?!-with-lease).*main|git\\s+push\\s+--force(?!-with-lease).*master",
+      "toolNames": ["Bash"],
+      "action": "block",
+      "severity": "critical",
+      "message": "Force-push to a protected branch is blocked. Use --force-with-lease if you need to force-push a feature branch."
+    },
+    {
+      "id": "deploy-skip-ci",
+      "layer": "Execution",
+      "pattern": "--no-verify|--no-gpg-sign|-c\\s+commit\\.gpgsign=false",
+      "toolNames": ["Bash"],
+      "action": "block",
+      "severity": "critical",
+      "message": "Bypassing commit hooks or signing is blocked. Fix the underlying issue instead."
+    },
+    {
+      "id": "deploy-publish-without-test",
+      "layer": "Execution",
+      "pattern": "npm\\s+publish|yarn\\s+publish|pnpm\\s+publish",
+      "toolNames": ["Bash"],
+      "action": "warn",
+      "severity": "high",
+      "message": "Publishing to npm. Confirm tests pass (npm test) and version is synced (node scripts/sync-version.js --check) before proceeding."
+    },
+    {
+      "id": "deploy-version-drift-risk",
+      "layer": "Execution",
+      "pattern": "railway\\s+(deploy|up|run)|docker\\s+(push|build\\s+.*&&\\s*.*push)",
+      "toolNames": ["Bash"],
+      "action": "warn",
+      "severity": "medium",
+      "message": "Deploying to Railway/Docker. Verify version sync: node scripts/sync-version.js --check"
+    },
+    {
+      "id": "deploy-env-secret-exposure",
+      "layer": "Execution",
+      "pattern": "(?:ANTHROPIC_API_KEY|STRIPE_SECRET|JWT_SECRET|DATABASE_URL|RAILWAY_TOKEN)\\s*=",
+      "toolNames": ["Bash", "Edit", "Write"],
+      "action": "block",
+      "severity": "critical",
+      "message": "Secret value detected in command or file edit. Use environment variables or secret managers instead."
+    }
+  ]
+}

package/config/github-about.json

@@ -2,7 +2,8 @@
   "repo": "IgorGanapolsky/ThumbGate",
   "repositoryUrl": "https://github.com/IgorGanapolsky/ThumbGate",
   "homepageUrl": "https://thumbgate-production.up.railway.app",
-  "description": "Pre-action gates, a learned intervention policy, and workflow governance for self-improving AI coding agents. 👎 Thumbs down distills history-aware lessons from up to 8 prior entries and stays linked to a 60-second feedback session. 👍 Thumbs up reinforces safe patterns. Team adds shared lessons and org visibility.",
+  "githubDescription": "CLI-first agent governance for AI coding workflows: pre-action gates, shared lessons, and team safeguards that stop repeated agent mistakes.",
+  "metaDescription": "CLI-first agent governance for teams shipping AI-generated changes. 👎 Thumbs down distills history-aware lessons from up to 8 prior entries and stays linked to a 60-second feedback session. 👍 Thumbs up reinforces safe patterns. Pre-action gates, workflow governance, shared lessons and org visibility, release confidence, and isolated execution guidance turn vibe coding mistakes into shared enforcement and proof-ready rollout.",
   "topics": [
     "thumbgate",
     "pre-action-gates",

package/config/merge-quality-checks.json

@@ -0,0 +1,23 @@
+{
+  "requiredStatusCheckContexts": [
+    "test",
+    "CodeQL",
+    "Analyze JavaScript (javascript-typescript)",
+    "Verify changeset",
+    "SonarCloud Code Analysis",
+    "GitGuardian Security Checks",
+    "Socket Security: Project Report",
+    "Socket Security: Pull Request Alerts"
+  ],
+  "passingBuckets": [
+    "pass",
+    "skipping"
+  ],
+  "pendingBuckets": [
+    "pending"
+  ],
+  "failingBuckets": [
+    "fail",
+    "cancel"
+  ]
+}

package/openapi/openapi.yaml

@@ -814,6 +814,98 @@ paths:
           description: Invalid dashboard render view or query
         '401':
           description: Unauthorized
+  /v1/decisions/evaluate:
+    post:
+      operationId: evaluateDecision
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required: [toolName]
+              properties:
+                toolName:
+                  type: string
+                command:
+                  type: string
+                filePath:
+                  type: string
+                changedFiles:
+                  type: array
+                  items:
+                    type: string
+                repoPath:
+                  type: string
+                baseBranch:
+                  type: string
+                requirePrForReleaseSensitive:
+                  type: boolean
+                requireVersionNotBehindBase:
+                  type: boolean
+      responses:
+        '200':
+          description: Persisted workflow-sentinel recommendation with decision-control metadata and actionId
+          content:
+            application/json:
+              schema:
+                type: object
+                additionalProperties: true
+        '400':
+          description: Invalid decision evaluation request
+        '401':
+          description: Unauthorized
+  /v1/decisions/outcome:
+    post:
+      operationId: recordDecisionOutcome
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required: [actionId, outcome]
+              properties:
+                actionId:
+                  type: string
+                outcome:
+                  type: string
+                actualDecision:
+                  type: string
+                actor:
+                  type: string
+                notes:
+                  type: string
+                latencyMs:
+                  type: number
+                metadata:
+                  type: object
+                  additionalProperties: true
+      responses:
+        '200':
+          description: Recorded a decision override, rollback, completion, or block outcome
+          content:
+            application/json:
+              schema:
+                type: object
+                additionalProperties: true
+        '400':
+          description: Invalid decision outcome request
+        '401':
+          description: Unauthorized
+  /v1/decisions/metrics:
+    get:
+      operationId: getDecisionMetrics
+      responses:
+        '200':
+          description: Decision-loop metrics derived from recorded evaluations and outcomes
+          content:
+            application/json:
+              schema:
+                type: object
+                additionalProperties: true
+        '401':
+          description: Unauthorized
   /v1/settings/status:
     get:
       operationId: getSettingsStatus
@@ -1115,6 +1207,82 @@ paths:
           description: DPO export accepted as a hosted background job
         '401':
           description: Unauthorized
+  /v1/documents:
+    get:
+      operationId: listImportedDocuments
+      parameters:
+        - in: query
+          name: query
+          schema:
+            type: string
+        - in: query
+          name: q
+          schema:
+            type: string
+        - in: query
+          name: tag
+          schema:
+            type: string
+        - in: query
+          name: limit
+          schema:
+            type: integer
+            default: 20
+      responses:
+        '200':
+          description: Imported policy and runbook documents
+        '401':
+          description: Unauthorized
+  /v1/documents/import:
+    post:
+      operationId: importDocument
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              properties:
+                filePath:
+                  type: string
+                content:
+                  type: string
+                title:
+                  type: string
+                sourceFormat:
+                  type: string
+                  enum: [markdown, text, yaml, json, html]
+                sourceUrl:
+                  type: string
+                tags:
+                  type: array
+                  items:
+                    type: string
+                proposeGates:
+                  type: boolean
+      responses:
+        '201':
+          description: Document imported
+        '400':
+          description: Invalid document import request
+        '401':
+          description: Unauthorized
+  /v1/documents/{documentId}:
+    get:
+      operationId: getImportedDocument
+      parameters:
+        - in: path
+          name: documentId
+          required: true
+          schema:
+            type: string
+      responses:
+        '200':
+          description: Imported document with proposed gates
+        '401':
+          description: Unauthorized
+        '404':
+          description: Imported document not found
   /v1/jobs:
     get:
       operationId: listHostedJobs

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "thumbgate",
-  "version": "1.3.0",
-  "description": "ThumbGate — Make your AI coding agent self-improving. Every mistake becomes a prevention rule that physically blocks the agent from repeating it. Feedback-driven enforcement via PreToolUse hooks, Thompson Sampling for adaptive gates, SQLite+FTS5 lesson DB, and LanceDB vector search. Your agent gets smarter with every session.",
+  "version": "1.4.0",
+  "description": "ThumbGate: self-improving agent governance for engineering teams. Three-tier approval routing (block/approve/log), shared enforcement, CI gates, and audit trails. Every mistake becomes a prevention rule. PreToolUse hooks, Thompson Sampling, SQLite+FTS5 lesson DB, and LanceDB vector search.",
   "homepage": "https://thumbgate-production.up.railway.app",
   "repository": {
     "type": "git",
@@ -37,6 +37,7 @@
     "changeset:status": "changeset status",
     "changeset:check": "node scripts/changeset-check.js",
     "build:claude-mcpb": "node scripts/build-claude-mcpb.js",
+    "build:codex-plugin": "node scripts/build-codex-plugin.js",
     "verify:quick": "node scripts/verify-run.js quick",
     "verify:full": "node scripts/verify-run.js full",
     "budget:status": "node scripts/budget-guard.js --status",
@@ -70,7 +71,7 @@
     "social:post-everywhere:dry": "node scripts/post-everywhere.js --dry-run",
     "social:reply-monitor": "node scripts/social-reply-monitor.js",
     "social:reply-monitor:dry": "node scripts/social-reply-monitor.js --dry-run",
-    "test": "npm run test:schema && npm run test:loop && npm run test:dpo && npm run test:kto && npm run test:api && npm run test:proof && npm run test:e2e && npm run test:rlaif && npm run test:attribution && npm run test:quality && npm run test:intelligence && npm run test:training-export && npm run test:deployment && npm run test:operational-integrity && npm run test:workflow && npm run test:billing && npm run test:cli && npm run test:watcher && npm run test:autoresearch && npm run test:ops && npm run test:tessl && npm run test:gates && npm run test:evoskill && npm run test:gates-hardening && npm run test:workers && npm run test:social-analytics && npm run test:memalign && npm run test:xmemory-lite && npm run test:filesystem-search && npm run test:zernio && npm run test:obsidian-export && npm run test:lesson-db && npm run test:lesson-rotation && npm run test:memory-dedup && npm run test:feedback-quality && npm run test:sync-version && npm run test:check-congruence && npm run test:tool-registry && npm run test:feedback-to-rules && npm run test:memory-firewall && npm run test:belief-update && npm run test:hosted-config && npm run test:cloudflare-sandbox && npm run test:mcp-config && npm run test:plan-gate && npm run test:pulse && npm run test:semantic-layer && npm run test:data-pipeline && npm run test:optimize-context && npm run test:principle-extractor && npm run test:analytics-window && npm run test:funnel-analytics && npm run test:experiment-tracker && npm run test:build-metadata && npm run test:context-engine && npm run test:hf-papers && npm run test:marketing-experiment && npm run test:seo-gsd && npm run test:verify-run && npm run test:export-dpo-pairs && npm run test:export-hf-dataset && npm run test:license && npm run test:bot-detector && npm run test:postinstall && npm run test:funnel-invariants && npm run test:cli-telemetry && npm run test:pro-parity && npm run test:model-tier-router && npm run test:computer-use-firewall && npm run test:skill-exporter && npm run test:statusline && npm run test:evolution && npm run test:org-dashboard && npm run test:multi-hop-recall && npm run test:synthetic-dpo && npm run test:thumbgate-skill && npm run test:learn-hub && npm run test:feedback-fallback && npm run test:metaclaw && npm run test:server-lock && npm run test:control-tower && npm run test:pii-scanner && npm run test:data-governance && npm run test:lesson-inference && npm run test:lesson-retrieval && npm run test:reflector-agent && npm run test:feedback-session && npm run test:feedback-history-distiller && npm run test:hallucination-detector && npm run test:history-distiller && npm run test:predictive-insights && npm run test:prove-predictive-insights && npm run test:statusbar-cli && npm run test:generate-instagram-card && npm run test:instagram-thumbgate-post && npm run test:publish-instagram-thumbgate && npm run test:lesson-synthesis && npm run test:background-governance && npm run test:memory-migration && npm run test:prompt-dlp && npm run test:ephemeral-store && npm run test:agent-security && npm run test:skill-progressive && npm run test:per-step-scoring && npm run test:weekly-auto-post && npm run test:social-quality-gate && npm run test:a2ui-engine && npm run test:gate-satisfy && npm run test:money-watcher && npm run test:utm && npm run test:product-feedback && npm run test:feedback-root-consolidator && npm run test:engagement-audit && npm run test:install-growth-automation && npm run test:publish-thumbgate-launch && npm run test:reconcile-thumbgate-campaign && npm run test:reddit-publisher && npm run test:schedule-thumbgate-campaign && npm run test:social-reply-monitor && npm run test:sync-launch-assets && npm run test:ai-search-visibility",
+    "test": "npm run test:schema && npm run test:loop && npm run test:dpo && npm run test:kto && npm run test:api && npm run test:proof && npm run test:e2e && npm run test:rlaif && npm run test:attribution && npm run test:quality && npm run test:intelligence && npm run test:training-export && npm run test:deployment && npm run test:operational-integrity && npm run test:workflow && npm run test:billing && npm run test:cli && npm run test:watcher && npm run test:autoresearch && npm run test:ops && npm run test:tessl && npm run test:gates && npm run test:evoskill && npm run test:gates-hardening && npm run test:workers && npm run test:social-analytics && npm run test:memalign && npm run test:xmemory-lite && npm run test:filesystem-search && npm run test:zernio && npm run test:obsidian-export && npm run test:lesson-db && npm run test:lesson-rotation && npm run test:memory-dedup && npm run test:feedback-quality && npm run test:sync-version && npm run test:check-congruence && npm run test:tool-registry && npm run test:feedback-to-rules && npm run test:memory-firewall && npm run test:belief-update && npm run test:hosted-config && npm run test:cloudflare-sandbox && npm run test:mcp-config && npm run test:plan-gate && npm run test:pulse && npm run test:semantic-layer && npm run test:data-pipeline && npm run test:optimize-context && npm run test:principle-extractor && npm run test:analytics-window && npm run test:funnel-analytics && npm run test:experiment-tracker && npm run test:build-metadata && npm run test:context-engine && npm run test:hf-papers && npm run test:marketing-experiment && npm run test:seo-gsd && npm run test:verify-run && npm run test:export-dpo-pairs && npm run test:export-hf-dataset && npm run test:license && npm run test:bot-detector && npm run test:postinstall && npm run test:funnel-invariants && npm run test:cli-telemetry && npm run test:pro-parity && npm run test:model-tier-router && npm run test:computer-use-firewall && npm run test:skill-exporter && npm run test:statusline && npm run test:evolution && npm run test:org-dashboard && npm run test:multi-hop-recall && npm run test:synthetic-dpo && npm run test:thumbgate-skill && npm run test:learn-hub && npm run test:feedback-fallback && npm run test:metaclaw && npm run test:server-lock && npm run test:control-tower && npm run test:pii-scanner && npm run test:data-governance && npm run test:lesson-inference && npm run test:semantic-dedup && npm run test:fs-utils && npm run test:lesson-retrieval && npm run test:reflector-agent && npm run test:feedback-session && npm run test:feedback-history-distiller && npm run test:hallucination-detector && npm run test:history-distiller && npm run test:predictive-insights && npm run test:prove-predictive-insights && npm run test:statusbar-cli && npm run test:generate-instagram-card && npm run test:instagram-thumbgate-post && npm run test:publish-instagram-thumbgate && npm run test:lesson-synthesis && npm run test:background-governance && npm run test:memory-migration && npm run test:prompt-dlp && npm run test:ephemeral-store && npm run test:agent-security && npm run test:skill-progressive && npm run test:per-step-scoring && npm run test:weekly-auto-post && npm run test:social-post-hourly && npm run test:social-quality-gate && npm run test:a2ui-engine && npm run test:gate-satisfy && npm run test:money-watcher && npm run test:budget && npm run test:quick-start && npm run test:utm && npm run test:product-feedback && npm run test:feedback-root-consolidator && npm run test:engagement-audit && npm run test:install-growth-automation && npm run test:publish-thumbgate-launch && npm run test:reconcile-thumbgate-campaign && npm run test:reddit-publisher && npm run test:schedule-thumbgate-campaign && npm run test:social-reply-monitor && npm run test:sync-launch-assets && npm run test:ai-search-visibility && npm run test:security-scanner && npm run test:llm-client && npm run test:managed-lesson-agent && npm run test:self-distill && npm run test:meta-agent && npm run test:harness-selector && npm run test:seo-guides",
     "test:feedback-fallback": "node --test tests/feedback-fallback.test.js",
     "test:metaclaw": "node --test tests/metaclaw-features.test.js",
     "test:server-lock": "node --test tests/server-stdio-lock.test.js",
@@ -121,8 +122,8 @@
     "test:loop": "node scripts/feedback-loop.js --test",
     "test:dpo": "node scripts/export-dpo-pairs.js --test",
     "test:kto": "node --test tests/export-kto.test.js",
-    "test:api": "node --test --test-concurrency=1 tests/api-server.test.js tests/api-auth-config.test.js tests/mcp-server.test.js tests/adapters.test.js tests/openapi-parity.test.js tests/budget-guard.test.js tests/context-manager.test.js tests/contextfs.test.js tests/job-api.test.js tests/pack-templates.test.js tests/dashboard.test.js tests/dashboard-render-spec.test.js tests/dashboard-html.test.js tests/agent-readiness.test.js tests/mcp-policy.test.js tests/subagent-profiles.test.js tests/intent-router.test.js tests/internal-agent-bootstrap.test.js tests/lesson-search.test.js tests/thumbgate-search.test.js tests/rubric-engine.test.js tests/self-healing-check.test.js tests/self-heal.test.js tests/feedback-schema.test.js tests/thompson-sampling.test.js tests/feedback-sequences.test.js tests/diversity-tracking.test.js tests/vector-store.test.js tests/feedback-attribution.test.js tests/hybrid-feedback-context.test.js tests/loop-closure.test.js tests/code-reasoning.test.js tests/feedback-loop.test.js tests/feedback-inbox-read.test.js tests/feedback-to-memory.test.js tests/test-coverage.test.js tests/version-metadata.test.js tests/claude-mcpb.test.js tests/claude-codex-bridge.test.js tests/cursor-plugin.test.js tests/codex-plugin.test.js tests/telemetry-analytics.test.js tests/public-landing.test.js tests/lessons-page.test.js tests/pro-landing.test.js tests/local-model-profile.test.js tests/risk-scorer.test.js tests/context-compaction.test.js tests/reminder-engine.test.js tests/post-to-x.test.js tests/verification-loop.test.js tests/async-job-runner.test.js tests/commerce-quality.test.js tests/recall-limit.test.js tests/problem-detail.test.js tests/natural-language-harness.test.js tests/settings-hierarchy.test.js",
-    "test:proof": "node --test tests/prove-adapters.test.js tests/prove-attribution.test.js tests/prove-cloudflare-sandbox.test.js tests/prove-data-quality.test.js tests/prove-intelligence.test.js tests/prove-lancedb.test.js tests/prove-loop-closure.test.js tests/prove-subway-upgrades.test.js tests/prove-training-export.test.js tests/prove-local-intelligence.test.js tests/prove-workflow-contract.test.js tests/prove-autoresearch.test.js tests/prove-claim-verification.test.js tests/prove-data-pipeline.test.js tests/prove-evolution.test.js tests/prove-harnesses.test.js tests/prove-runtime.test.js tests/prove-seo-gsd.test.js tests/prove-settings.test.js tests/prove-xmemory.test.js && node --test tests/prove-automation.test.js",
+    "test:api": "node --test --test-concurrency=1 tests/api-server.test.js tests/api-auth-config.test.js tests/mcp-server.test.js tests/adapters.test.js tests/openapi-parity.test.js tests/budget-guard.test.js tests/context-manager.test.js tests/contextfs.test.js tests/job-api.test.js tests/pack-templates.test.js tests/dashboard.test.js tests/dashboard-render-spec.test.js tests/dashboard-html.test.js tests/agent-readiness.test.js tests/mcp-policy.test.js tests/subagent-profiles.test.js tests/intent-router.test.js tests/internal-agent-bootstrap.test.js tests/lesson-search.test.js tests/thumbgate-search.test.js tests/document-intake.test.js tests/rubric-engine.test.js tests/self-healing-check.test.js tests/self-heal.test.js tests/feedback-schema.test.js tests/thompson-sampling.test.js tests/feedback-sequences.test.js tests/diversity-tracking.test.js tests/vector-store.test.js tests/feedback-attribution.test.js tests/hybrid-feedback-context.test.js tests/loop-closure.test.js tests/code-reasoning.test.js tests/feedback-loop.test.js tests/feedback-inbox-read.test.js tests/feedback-to-memory.test.js tests/test-coverage.test.js tests/version-metadata.test.js tests/claude-mcpb.test.js tests/claude-codex-bridge.test.js tests/cursor-plugin.test.js tests/codex-plugin.test.js tests/telemetry-analytics.test.js tests/public-landing.test.js tests/lessons-page.test.js tests/pro-landing.test.js tests/local-model-profile.test.js tests/risk-scorer.test.js tests/context-compaction.test.js tests/reminder-engine.test.js tests/post-to-x.test.js tests/verification-loop.test.js tests/async-job-runner.test.js tests/commerce-quality.test.js tests/recall-limit.test.js tests/problem-detail.test.js tests/natural-language-harness.test.js tests/settings-hierarchy.test.js",
+    "test:proof": "node --test tests/prove-adapters.test.js tests/prove-attribution.test.js tests/prove-cloudflare-sandbox.test.js tests/prove-data-quality.test.js tests/prove-intelligence.test.js tests/prove-lancedb.test.js tests/prove-loop-closure.test.js tests/prove-subway-upgrades.test.js tests/prove-training-export.test.js tests/prove-local-intelligence.test.js tests/prove-workflow-contract.test.js tests/prove-autoresearch.test.js tests/prove-claim-verification.test.js tests/prove-data-pipeline.test.js tests/prove-evolution.test.js tests/prove-harnesses.test.js tests/prove-packaged-runtime.test.js tests/prove-runtime.test.js tests/prove-seo-gsd.test.js tests/prove-settings.test.js tests/prove-xmemory.test.js && node --test tests/prove-automation.test.js",
     "test:e2e": "node --test tests/e2e-pipeline.test.js tests/e2e-product-flows.test.js tests/e2e-coverage-contract.test.js",
     "test:rlaif": "node --test tests/rlaif-self-audit.test.js tests/dpo-optimizer.test.js tests/meta-policy.test.js",
     "test:attribution": "node --test tests/feedback-attribution.test.js tests/hybrid-feedback-context.test.js",
@@ -130,16 +131,17 @@
     "test:intelligence": "node --test tests/intelligence.test.js",
     "test:training-export": "node --test tests/training-export.test.js tests/databricks-export.test.js",
     "test:deployment": "node --test tests/deployment.test.js tests/deploy-policy.test.js tests/publish-decision.test.js tests/changeset-check.test.js tests/sonarcloud-workflow.test.js",
-    "test:operational-integrity": "node --test tests/operational-integrity.test.js",
-    "test:workflow": "node --test tests/workflow-contract.test.js tests/social-marketing-assets.test.js tests/social-pipeline.test.js tests/positioning-contract.test.js tests/workflow-runs.test.js tests/workflow-sprint-intake.test.js tests/gtm-revenue-loop.test.js tests/enterprise-story.test.js",
+    "test:operational-integrity": "node --test tests/operational-integrity.test.js tests/sync-branch-protection.test.js",
+    "test:workflow": "node --test tests/workflow-contract.test.js tests/social-marketing-assets.test.js tests/social-pipeline.test.js tests/positioning-contract.test.js tests/docs-claim-hygiene.test.js tests/workflow-runs.test.js tests/workflow-sprint-intake.test.js tests/gtm-revenue-loop.test.js tests/enterprise-story.test.js",
     "test:billing": "node --test tests/billing.test.js",
     "test:cli": "node --test tests/analytics-report.test.js tests/creator-campaigns.test.js tests/cli.test.js tests/codex-bridge-script.test.js tests/dispatch-brief.test.js tests/feedback-normalize.test.js tests/install-mcp.test.js tests/pr-manager.test.js tests/pro-local-dashboard.test.js tests/published-cli.test.js tests/revenue-status.test.js",
     "test:evolution": "node --test tests/workspace-evolver.test.js",
     "test:watcher": "node --test tests/jsonl-watcher.test.js",
     "test:autoresearch": "node --test tests/autoresearch.test.js",
-    "test:ops": "node --test tests/adk-consolidator.test.js tests/anthropic-partner-strategy.test.js tests/auto-promote-gates.test.js tests/auto-wire-hooks.test.js tests/claude-skill.test.js tests/codegraph-context.test.js tests/commercial-signals.test.js tests/delegation-runtime.test.js tests/disagreement-mining.test.js tests/failure-diagnostics.test.js tests/gate-stats.test.js tests/github-billing.test.js tests/intervention-policy.test.js tests/markdown-escape.test.js tests/mcp-tools-gates.test.js tests/project-bayes-e2e.test.js tests/project-bayes.test.js tests/rate-limiter.test.js tests/schedule-manager.test.js tests/session-handoff.test.js tests/skill-generator.test.js tests/smart-learning.test.js tests/spike-and-sink.test.js tests/stripe-webhook-route.test.js tests/train-from-feedback.test.js tests/workflow-hardening-sprint.test.js tests/workflow-sentinel.test.js tests/test-suite-parity.test.js tests/a2ui-engine.test.js tests/webhook-delivery.test.js",
+    "test:ops": "node --test tests/adk-consolidator.test.js tests/anthropic-partner-strategy.test.js tests/auto-promote-gates.test.js tests/auto-wire-hooks.test.js tests/claude-skill.test.js tests/codegraph-context.test.js tests/commercial-signals.test.js tests/decision-journal.test.js tests/delegation-runtime.test.js tests/disagreement-mining.test.js tests/failure-diagnostics.test.js tests/gate-stats.test.js tests/github-billing.test.js tests/intervention-policy.test.js tests/markdown-escape.test.js tests/mcp-tools-gates.test.js tests/project-bayes-e2e.test.js tests/project-bayes.test.js tests/rate-limiter.test.js tests/schedule-manager.test.js tests/session-handoff.test.js tests/skill-generator.test.js tests/smart-learning.test.js tests/spike-and-sink.test.js tests/stripe-webhook-route.test.js tests/train-from-feedback.test.js tests/workflow-hardening-sprint.test.js tests/workflow-sentinel.test.js tests/test-suite-parity.test.js tests/a2ui-engine.test.js tests/webhook-delivery.test.js",
     "test:tessl": "node --test tests/tessl-export.test.js",
     "test:gates": "node --test tests/gate-templates.test.js tests/gates-engine.test.js tests/claim-verification.test.js tests/secret-scanner.test.js tests/prompt-guard.test.js tests/audit-trail.test.js tests/profile-router.test.js tests/workflow-sentinel.test.js tests/docker-sandbox-planner.test.js",
+    "test:budget": "node --test tests/budget-enforcer.test.js",
     "test:workers": "npm --prefix workers ci && npm --prefix workers test",
     "test:evoskill": "node --test tests/evoskill.test.js",
     "test:gates-hardening": "node --test tests/gates-hardening.test.js",
@@ -157,6 +159,8 @@
     "adk:consolidate": "node scripts/adk-consolidator.js",
     "adk:watch": "node scripts/adk-consolidator.js --watch",
     "pr:manage": "node scripts/pr-manager.js",
+    "branch-protection:check": "node scripts/sync-branch-protection.js --check",
+    "branch-protection:sync": "node scripts/sync-branch-protection.js",
     "self-heal:run": "node scripts/self-heal.js",
     "self-heal:check": "node scripts/self-healing-check.js",
     "skill:verify": "node scripts/tessl-export.js verify",
@@ -221,10 +225,12 @@
     "test:skill-progressive": "node --test tests/skill-progressive-disclosure.test.js",
     "test:per-step-scoring": "node --test tests/per-step-scoring.test.js",
     "test:weekly-auto-post": "node --test tests/weekly-auto-post.test.js",
+    "test:social-post-hourly": "node --test tests/social-post-hourly.test.js",
     "test:social-quality-gate": "node --test tests/social-quality-gate.test.js",
     "test:a2ui-engine": "node --test tests/a2ui-engine.test.js",
     "test:gate-satisfy": "node --test tests/gate-satisfy.test.js",
     "test:money-watcher": "node --test tests/money-watcher.test.js",
+    "test:quick-start": "node --test tests/quick-start.test.js",
     "test:utm": "node --test tests/utm.test.js",
     "test:product-feedback": "node --test tests/product-feedback.test.js",
     "test:feedback-root-consolidator": "node --test tests/feedback-root-consolidator.test.js",
@@ -242,7 +248,25 @@
     "test:sync-launch-assets": "node --test tests/sync-launch-assets.test.js",
     "test:reddit-publisher": "node --test tests/reddit-publisher.test.js",
     "test:engagement-audit": "node --test tests/engagement-audit.test.js",
-    "test:ai-search-visibility": "node --test tests/ai-search-visibility.test.js"
+    "test:ai-search-visibility": "node --test tests/ai-search-visibility.test.js",
+    "test:security-scanner": "node --test tests/security-scanner.test.js",
+    "test:llm-client": "node --test tests/llm-client.test.js",
+    "test:managed-lesson-agent": "node --test tests/managed-lesson-agent.test.js",
+    "agent:run": "node scripts/managed-lesson-agent.js",
+    "agent:run:dry": "node scripts/managed-lesson-agent.js --dry-run",
+    "agent:schedule": "node scripts/schedule-manager.js install --label managed-lesson-agent --spec 'daily 02:00' --command 'npm run agent:run' --workingDirectory .",
+    "feedback:rules:llm": "node scripts/feedback-to-rules.js --llm",
+    "test:self-distill": "node --test tests/self-distill-agent.test.js",
+    "test:seo-guides": "node --test tests/seo-guides.test.js",
+    "self-distill:run": "node scripts/self-distill-agent.js",
+    "self-distill:dry": "node scripts/self-distill-agent.js --dry-run",
+    "meta-agent:run": "node scripts/meta-agent-loop.js",
+    "meta-agent:dry": "node scripts/meta-agent-loop.js --dry-run",
+    "meta-agent:status": "node scripts/meta-agent-loop.js --status",
+    "test:meta-agent": "node --test tests/meta-agent-loop.test.js",
+    "test:semantic-dedup": "node --test tests/semantic-dedup.test.js",
+    "test:fs-utils": "node --test tests/fs-utils.test.js",
+    "test:harness-selector": "node --test tests/harness-selector.test.js"
   },
   "keywords": [
     "mcp",
@@ -272,7 +296,14 @@
     "cursor",
     "codex",
     "safety",
-    "enforcement"
+    "enforcement",
+    "ai agent memory",
+    "repeated mistakes",
+    "agent error prevention",
+    "ai-authenticity",
+    "prevent-ai-slop",
+    "human-led-ai",
+    "ai-standards-enforcement"
   ],
   "author": "Igor Ganapolsky",
   "license": "MIT",
@@ -290,6 +321,7 @@
     "node": ">=18.18.0"
   },
   "dependencies": {
+    "@anthropic-ai/sdk": "^0.24.0",
     "@google/genai": "^1.48.0",
     "@huggingface/transformers": "^4.0.1",
     "@lancedb/lancedb": "^0.27.2",

package/plugins/claude-codex-bridge/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "codex-bridge",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Run Codex review, adversarial review, and second-pass handoffs from Claude Code while keeping ThumbGate reliability memory in the loop.",
   "author": {
     "name": "Igor Ganapolsky",