thumbgate 1.3.0 → 1.4.1

package/scripts/fs-utils.js

@@ -0,0 +1,104 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * Shared filesystem utilities.
+ *
+ * Consolidates ensureDir() and readJsonl() which were duplicated
+ * across 43 and 19 files respectively.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+/**
+ * Recursively create a directory if it does not exist.
+ * @param {string} dirPath
+ */
+function ensureDir(dirPath) {
+  if (!fs.existsSync(dirPath)) {
+    fs.mkdirSync(dirPath, { recursive: true });
+  }
+}
+
+/**
+ * Recursively create the parent directory for a file path.
+ * @param {string} filePath
+ */
+function ensureParentDir(filePath) {
+  ensureDir(path.dirname(filePath));
+}
+
+/**
+ * Read a JSONL (JSON Lines) file into an array of parsed objects.
+ * Silently skips malformed lines and returns [] if file is missing.
+ *
+ * @param {string} filePath
+ * @param {object} [options]
+ * @param {number} [options.maxLines] - Read at most N lines (from the end if reverse=true)
+ * @param {boolean} [options.reverse] - Read lines in reverse order (most recent first)
+ * @param {boolean} [options.tail] - Read from the end while preserving chronological order
+ * @returns {object[]}
+ */
+function readJsonl(filePath, options = {}) {
+  if (!filePath || !fs.existsSync(filePath)) return [];
+  const raw = fs.readFileSync(filePath, 'utf-8').trim();
+  if (!raw) return [];
+
+  const normalizedOptions = typeof options === 'number'
+    ? { maxLines: options, tail: true }
+    : (options || {});
+  let lines = raw.split('\n');
+
+  if (normalizedOptions.tail && normalizedOptions.maxLines > 0) {
+    lines = lines.slice(-normalizedOptions.maxLines);
+  }
+
+  if (normalizedOptions.reverse) {
+    lines = lines.reverse();
+  }
+
+  if (!normalizedOptions.tail && normalizedOptions.maxLines && normalizedOptions.maxLines > 0) {
+    lines = lines.slice(0, normalizedOptions.maxLines);
+  }
+
+  return lines
+    .map((line) => {
+      try {
+        return JSON.parse(line);
+      } catch {
+        return null;
+      }
+    })
+    .filter(Boolean);
+}
+
+/**
+ * Append a JSON object as a line to a JSONL file.
+ * Creates parent directories if they do not exist.
+ *
+ * @param {string} filePath
+ * @param {object} payload
+ */
+function appendJsonl(filePath, payload) {
+  ensureParentDir(filePath);
+  fs.appendFileSync(filePath, JSON.stringify(payload) + '\n');
+}
+
+/**
+ * Write a JSON object to a file with pretty-printing.
+ * Creates parent directories if they do not exist.
+ *
+ * @param {string} filePath
+ * @param {object} payload
+ */
+function writeJson(filePath, payload) {
+  ensureParentDir(filePath);
+  fs.writeFileSync(filePath, JSON.stringify(payload, null, 2) + '\n');
+}
+
+function readJsonlTail(filePath, limit) {
+  return readJsonl(filePath, { maxLines: limit, tail: true });
+}
+
+module.exports = { ensureDir, ensureParentDir, readJsonl, readJsonlTail, appendJsonl, writeJson };

package/scripts/gates-engine.js

@@ -14,6 +14,10 @@ const {
 const {
   evaluateWorkflowSentinel,
 } = require('./workflow-sentinel');
+const {
+  recordDecisionEvaluation,
+  recordDecisionOutcome,
+} = require('./decision-journal');
 
 /**
  * Computes the SHA-256 hash of an executable binary to prevent path-based bypasses.
@@ -47,6 +51,9 @@ const {
   buildSafeSummary,
   redactText,
 } = require('./secret-scanner');
+const {
+  evaluateSecurityScan,
+} = require('./security-scanner');
 const { getAutoGatesPath } = require('./auto-promote-gates');
 const { recordAuditEvent, auditToFeedback } = require('./audit-trail');
 
@@ -81,7 +88,7 @@ const HIGH_RISK_BASH_PATTERN = /\b(?:git\s+(?:add|commit|push)|gh\s+pr\s+(?:crea
 // Config loading
 // ---------------------------------------------------------------------------
 
-function loadGatesConfig(configPath) {
+function loadGatesConfig(configPath, harnessPath) {
   const primaryPath = configPath || process.env.THUMBGATE_GATES_CONFIG || DEFAULT_CONFIG_PATH;
 
   if (!fs.existsSync(primaryPath)) {
@@ -120,6 +127,15 @@ function loadGatesConfig(configPath) {
     mergedConfig.gates.push(...limitedAutoGates);
   }
 
+  // Load workflow-specific harness gates (always additive, never replaces default).
+  // Resolved by harness-selector based on tool name + command context.
+  const resolvedHarness = harnessPath || process.env.THUMBGATE_HARNESS_CONFIG;
+  if (resolvedHarness && fs.existsSync(resolvedHarness)) {
+    const harnessGates = (loadOne(resolvedHarness, false) || [])
+      .map(g => ({ ...g, layer: g.layer || 'Execution', source: g.source || 'harness' }));
+    mergedConfig.gates.push(...harnessGates);
+  }
+
   return mergedConfig;
 }
 
@@ -407,11 +423,15 @@ function recordStat(gateId, action, gate) {
   const stats = loadStats();
   if (action === 'block') stats.blocked = (stats.blocked || 0) + 1;
   else if (action === 'warn') stats.warned = (stats.warned || 0) + 1;
+  else if (action === 'approve') stats.pendingApproval = (stats.pendingApproval || 0) + 1;
+  else if (action === 'log') stats.logged = (stats.logged || 0) + 1;
   else stats.passed = (stats.passed || 0) + 1;
   if (!stats.byGate) stats.byGate = {};
-  if (!stats.byGate[gateId]) stats.byGate[gateId] = { blocked: 0, warned: 0 };
+  if (!stats.byGate[gateId]) stats.byGate[gateId] = { blocked: 0, warned: 0, pendingApproval: 0, logged: 0 };
   if (action === 'block') stats.byGate[gateId].blocked += 1;
   else if (action === 'warn') stats.byGate[gateId].warned += 1;
+  else if (action === 'approve') stats.byGate[gateId].pendingApproval = (stats.byGate[gateId].pendingApproval || 0) + 1;
+  else if (action === 'log') stats.byGate[gateId].logged = (stats.byGate[gateId].logged || 0) + 1;
   saveStats(stats);
   // Track lesson freshness when an auto-promoted gate fires
   if (gate && gate.sourceLessonId) {
@@ -575,10 +595,18 @@ function extractAffectedFiles(toolName, toolInput = {}) {
 }
 
 function isHighRiskAction(toolName, toolInput = {}, affectedFiles = []) {
-  if (EDIT_LIKE_TOOLS.has(toolName) && affectedFiles.length > 0) return true;
+  if (EDIT_LIKE_TOOLS.has(toolName)) return true;
   if (toolName !== 'Bash') return false;
   const command = String(toolInput.command || '');
-  return HIGH_RISK_BASH_PATTERN.test(command);
+  // Original high-risk pattern (git writes, publishes, destructive ops)
+  if (HIGH_RISK_BASH_PATTERN.test(command)) return true;
+  // Broadened: any Bash command that modifies files or has side effects.
+  // Excludes pure read/analysis commands (node --test, cat, ls, echo, etc.)
+  // to avoid false positives on benign operations.
+  if (/\b(sed|awk|mv|cp|chmod|chown|truncate|tee|patch)\b/.test(command)) return true;
+  if (/\b(npm\s+(?:run|exec|install)|yarn|pnpm)\b/.test(command)) return true;
+  if (/\b(curl|wget)\b/.test(command)) return true;
+  return false;
 }
 
 function isScopeEnforcedAction(toolName, toolInput = {}, affectedFiles = []) {
@@ -997,6 +1025,47 @@ function buildSentinelGateResult(report) {
   };
 }
 
+function recordSentinelDecision(report, toolName, toolInput) {
+  if (!report) return null;
+  const entry = recordDecisionEvaluation(report, {
+    source: 'gates-engine',
+    toolName,
+    toolInput,
+    changedFiles: report && report.blastRadius && Array.isArray(report.blastRadius.affectedFiles)
+      ? report.blastRadius.affectedFiles
+      : [],
+  });
+  report.actionId = entry.actionId;
+  if (report.decisionControl && !report.decisionControl.actionId) {
+    report.decisionControl.actionId = entry.actionId;
+  }
+  return entry;
+}
+
+function recordMemoryGuardDecision(sentinelDecision, enrichedMemoryGuard) {
+  if (!sentinelDecision) return;
+  recordDecisionOutcome({
+    actionId: sentinelDecision.actionId,
+    outcome: 'blocked',
+    actualDecision: 'deny',
+    actor: 'system',
+    source: 'gates-engine',
+    notes: enrichedMemoryGuard.message,
+  });
+}
+
+function recordSentinelBlockDecision(sentinelDecision, sentinelResult) {
+  if (!sentinelDecision) return;
+  recordDecisionOutcome({
+    actionId: sentinelDecision.actionId,
+    outcome: sentinelResult.decision === 'deny' ? 'blocked' : 'warned',
+    actualDecision: sentinelResult.decision,
+    actor: 'system',
+    source: 'workflow-sentinel',
+    notes: sentinelResult.message,
+  });
+}
+
 function enrichResultWithSentinel(result, report) {
   if (!result || !report || report.decision === 'allow') {
     return result;
@@ -1036,7 +1105,12 @@ async function checkMetricCondition(metricCondition) {
 async function evaluateGatesAsync(toolName, toolInput, configPath) {
   let config;
   try {
-    config = loadGatesConfig(configPath);
+    let harnessPath;
+    try {
+      const { selectHarness } = require('./harness-selector');
+      harnessPath = selectHarness(toolName, toolInput);
+    } catch { /* harness-selector is optional */ }
+    config = loadGatesConfig(configPath, harnessPath);
   } catch {
     return null;
   }
@@ -1095,6 +1169,23 @@ async function evaluateGatesAsync(toolName, toolInput, configPath) {
       return result;
     }
 
+    if (gate.action === 'approve') {
+      recordStat(gate.id, 'approve', gate);
+      const result = { decision: 'approve', gate: gate.id, message, severity: gate.severity, reasoning, requiresApproval: true };
+      const auditRecord = recordAuditEvent({ toolName, toolInput, decision: 'approve', gateId: gate.id, message, severity: gate.severity, source: 'gates-engine' });
+      auditToFeedback(auditRecord);
+      return result;
+    }
+
+    if (gate.action === 'log') {
+      recordStat(gate.id, 'log', gate);
+      const result = { decision: 'log', gate: gate.id, message, severity: gate.severity, reasoning, logged: true };
+      const auditRecord = recordAuditEvent({ toolName, toolInput, decision: 'log', gateId: gate.id, message, severity: gate.severity, source: 'gates-engine' });
+      auditToFeedback(auditRecord);
+      // 'log' action allows the tool call to proceed — do not return early, continue to next gate
+      continue;
+    }
+
     if (gate.action === 'warn') {
       recordStat(gate.id, 'warn', gate);
       const result = { decision: 'warn', gate: gate.id, message, severity: gate.severity, reasoning };
@@ -1107,10 +1198,12 @@ async function evaluateGatesAsync(toolName, toolInput, configPath) {
   const sentinelReport = evaluateWorkflowSentinel(toolName, toolInput, {
     governanceState: loadGovernanceState(),
   });
+  const sentinelDecision = recordSentinelDecision(sentinelReport, toolName, toolInput);
   const memoryGuard = evaluateMemoryGuard(toolName, toolInput);
   if (memoryGuard) {
     const enrichedMemoryGuard = enrichResultWithSentinel(memoryGuard, sentinelReport);
     recordStat(enrichedMemoryGuard.gate, 'block');
+    recordMemoryGuardDecision(sentinelDecision, enrichedMemoryGuard);
     const auditRecord = recordAuditEvent({
       toolName,
       toolInput,
@@ -1127,6 +1220,7 @@ async function evaluateGatesAsync(toolName, toolInput, configPath) {
   if (sentinelReport && sentinelReport.decision !== 'allow') {
     const sentinelResult = buildSentinelGateResult(sentinelReport);
     recordStat(sentinelResult.gate, sentinelResult.decision === 'deny' ? 'block' : 'warn');
+    recordSentinelBlockDecision(sentinelDecision, sentinelResult);
     const auditRecord = recordAuditEvent({
       toolName,
       toolInput,
@@ -1148,7 +1242,12 @@ async function evaluateGatesAsync(toolName, toolInput, configPath) {
 function evaluateGates(toolName, toolInput, configPath) {
   let config;
   try {
-    config = loadGatesConfig(configPath);
+    let harnessPath;
+    try {
+      const { selectHarness } = require('./harness-selector');
+      harnessPath = selectHarness(toolName, toolInput);
+    } catch { /* harness-selector is optional */ }
+    config = loadGatesConfig(configPath, harnessPath);
   } catch {
     // If config can't be loaded, pass through
     return null;
@@ -1181,6 +1280,22 @@ function evaluateGates(toolName, toolInput, configPath) {
       return result;
     }
 
+    if (gate.action === 'approve') {
+      recordStat(gate.id, 'approve', gate);
+      const result = { decision: 'approve', gate: gate.id, message, severity: gate.severity, reasoning, requiresApproval: true };
+      const auditRecord = recordAuditEvent({ toolName, toolInput, decision: 'approve', gateId: gate.id, message, severity: gate.severity, source: 'gates-engine' });
+      auditToFeedback(auditRecord);
+      return result;
+    }
+
+    if (gate.action === 'log') {
+      recordStat(gate.id, 'log', gate);
+      const auditRecord = recordAuditEvent({ toolName, toolInput, decision: 'log', gateId: gate.id, message, severity: gate.severity, source: 'gates-engine' });
+      auditToFeedback(auditRecord);
+      // 'log' action allows the tool call to proceed — continue to next gate
+      continue;
+    }
+
     if (gate.action === 'warn') {
       recordStat(gate.id, 'warn', gate);
       const result = { decision: 'warn', gate: gate.id, message, severity: gate.severity, reasoning };
@@ -1193,10 +1308,12 @@ function evaluateGates(toolName, toolInput, configPath) {
   const sentinelReport = evaluateWorkflowSentinel(toolName, toolInput, {
     governanceState: loadGovernanceState(),
   });
+  const sentinelDecision = recordSentinelDecision(sentinelReport, toolName, toolInput);
   const memoryGuard = evaluateMemoryGuard(toolName, toolInput);
   if (memoryGuard) {
     const enrichedMemoryGuard = enrichResultWithSentinel(memoryGuard, sentinelReport);
     recordStat(enrichedMemoryGuard.gate, 'block');
+    recordMemoryGuardDecision(sentinelDecision, enrichedMemoryGuard);
     const auditRecord = recordAuditEvent({
       toolName,
       toolInput,
@@ -1213,6 +1330,7 @@ function evaluateGates(toolName, toolInput, configPath) {
   if (sentinelReport && sentinelReport.decision !== 'allow') {
     const sentinelResult = buildSentinelGateResult(sentinelReport);
     recordStat(sentinelResult.gate, sentinelResult.decision === 'deny' ? 'block' : 'warn');
+    recordSentinelBlockDecision(sentinelDecision, sentinelResult);
     const auditRecord = recordAuditEvent({
       toolName,
       toolInput,
@@ -1338,9 +1456,16 @@ function evaluateSecretGuard(input = {}) {
 // PreToolUse hook interface (stdin/stdout JSON)
 // ---------------------------------------------------------------------------
 
-function formatOutput(result) {
+function formatOutput(result, behavioralContext) {
   if (!result) {
-    // No gate matched — pass through
+    // No gate matched — inject behavioral context if available
+    if (behavioralContext) {
+      return JSON.stringify({
+        hookSpecificOutput: {
+          additionalContext: behavioralContext,
+        },
+      });
+    }
     return JSON.stringify({});
   }
 
@@ -1358,9 +1483,10 @@ function formatOutput(result) {
   }
 
   if (result.decision === 'warn') {
+    const extra = behavioralContext ? `\n${behavioralContext}` : '';
     return JSON.stringify({
       hookSpecificOutput: {
-        additionalContext: `[GATE:${result.gate}] WARNING: ${result.message}${reasoningSuffix}`,
+        additionalContext: `[GATE:${result.gate}] WARNING: ${result.message}${reasoningSuffix}${extra}`,
       },
     });
   }
@@ -1368,16 +1494,58 @@ function formatOutput(result) {
   return JSON.stringify({});
 }
 
+/**
+ * Build behavioral context string from recurring feedback patterns.
+ * Injected as additionalContext on EVERY tool call so the AI constantly
+ * sees its failure patterns — even when no gate blocks.
+ */
+function buildBehavioralContext() {
+  const hybrid = getHybridFeedbackModule();
+  if (!hybrid || typeof hybrid.buildHybridState !== 'function') return null;
+
+  try {
+    const state = hybrid.buildHybridState({});
+    if (!state || !state.recurringNegativePatterns || state.recurringNegativePatterns.length === 0) {
+      return null;
+    }
+
+    const constraints = hybrid.deriveConstraints(state, 3);
+    if (constraints.length === 0) return null;
+
+    return `[ThumbGate] Recurring failure patterns (enforce these):\n${constraints.map(c => `  - ${c}`).join('\n')}`;
+  } catch {
+    return null;
+  }
+}
+
 async function runAsync(input) {
   const secretGuard = evaluateSecretGuard(input);
   if (secretGuard) {
     return formatOutput(secretGuard);
   }
 
+  // Security vulnerability scan (Tier 1: pattern match, Tier 2: supply chain)
+  const securityScan = evaluateSecurityScan(input);
+  if (securityScan && securityScan.decision === 'deny') {
+    return formatOutput(securityScan);
+  }
+
   const toolName = input.tool_name || '';
   const toolInput = input.tool_input || {};
   const result = await evaluateGatesAsync(toolName, toolInput);
-  return formatOutput(result);
+
+  // Attach security warnings to allow/warn results
+  if (securityScan && securityScan.decision === 'warn') {
+    if (result) {
+      result.securityWarnings = securityScan.securityScan.findings;
+      result.reasoning = (result.reasoning || []).concat(securityScan.reasoning);
+    } else {
+      return formatOutput(securityScan);
+    }
+  }
+
+  const behavioralContext = buildBehavioralContext();
+  return formatOutput(result, behavioralContext);
 }
 
 function run(input) {
@@ -1386,10 +1554,28 @@ function run(input) {
     return formatOutput(secretGuard);
   }
 
+  // Security vulnerability scan (Tier 1: pattern match, Tier 2: supply chain)
+  const securityScan = evaluateSecurityScan(input);
+  if (securityScan && securityScan.decision === 'deny') {
+    return formatOutput(securityScan);
+  }
+
   const toolName = input.tool_name || '';
   const toolInput = input.tool_input || {};
   const result = evaluateGates(toolName, toolInput);
-  return formatOutput(result);
+
+  // Attach security warnings to allow/warn results
+  if (securityScan && securityScan.decision === 'warn') {
+    if (result) {
+      result.securityWarnings = securityScan.securityScan.findings;
+      result.reasoning = (result.reasoning || []).concat(securityScan.reasoning);
+    } else {
+      return formatOutput(securityScan);
+    }
+  }
+
+  const behavioralContext = buildBehavioralContext();
+  return formatOutput(result, behavioralContext);
 }
 
 // ---------------------------------------------------------------------------
@@ -1580,6 +1766,7 @@ module.exports = {
   saveStats,
   recordStat,
   evaluateSecretGuard,
+  evaluateSecurityScan,
   buildSecretGuardResult,
   buildReasoning,
   matchesGate,
@@ -1608,6 +1795,8 @@ module.exports = {
   SESSION_ACTION_TTL_MS,
   PROTECTED_APPROVAL_TTL_MS,
   DEFAULT_PROTECTED_FILE_GLOBS,
+  buildBehavioralContext,
+  isHighRiskAction,
 };
 
 // ---------------------------------------------------------------------------

package/scripts/github-about.js

@@ -14,6 +14,9 @@ const LEGACY_REPOSITORY_URL = 'https://github.com/IgorGanapolsky/thumbgate';
 const GITHUB_API_BASE_URL = 'https://api.github.com';
 const DEFAULT_VERIFY_ATTEMPTS = 5;
 const DEFAULT_VERIFY_DELAY_MS = 2000;
+const MAX_GITHUB_DESCRIPTION_LENGTH = 160;
+const VERIFY_ATTEMPTS_ENV = 'THUMBGATE_GITHUB_ABOUT_VERIFY_ATTEMPTS';
+const VERIFY_DELAY_MS_ENV = 'THUMBGATE_GITHUB_ABOUT_VERIFY_DELAY_MS';
 
 function readText(root, relativePath) {
   return fs.readFileSync(path.join(root, relativePath), 'utf8');
@@ -63,11 +66,14 @@ function hasRepositoryUrl(text, targetUrl) {
 
 function loadGitHubAboutConfig(root = ROOT) {
   const about = readJson(root, CONFIG_RELATIVE_PATH);
+  const metaDescription = normalizeText(about.metaDescription || about.description);
+  const githubDescription = normalizeText(about.githubDescription || about.description);
   return {
     repo: normalizeText(about.repo),
     repositoryUrl: normalizeText(about.repositoryUrl),
     homepageUrl: normalizeText(about.homepageUrl),
-    description: normalizeText(about.description),
+    githubDescription,
+    metaDescription,
     topics: normalizeTopics(about.topics),
   };
 }
@@ -101,7 +107,7 @@ function compareGitHubAbout(expected, actual, label = 'Live GitHub About') {
   const actualHomepage = normalizeText(actual.homepageUrl || actual.homepage);
   const actualTopics = normalizeTopics(actual.topics);
 
-  if (actualDescription !== expected.description) {
+  if (actualDescription !== expected.githubDescription) {
     errors.push(`${label} description mismatch`);
   }
   if (actualHomepage !== expected.homepageUrl) {
@@ -135,8 +141,12 @@ function collectLocalGitHubAboutErrors(root = ROOT) {
   }
 
   check(
-    extractMetaDescription(landingHtml) === about.description,
-    'config/github-about.json description must match public/index.html meta description'
+    extractMetaDescription(landingHtml) === about.metaDescription,
+    'config/github-about.json metaDescription must match public/index.html meta description'
+  );
+  check(
+    about.githubDescription.length <= MAX_GITHUB_DESCRIPTION_LENGTH,
+    `config/github-about.json githubDescription must be ${MAX_GITHUB_DESCRIPTION_LENGTH} characters or fewer for GitHub repo metadata`
   );
   check(
     packageJson.homepage === about.homepageUrl,
@@ -179,7 +189,11 @@ function collectLocalGitHubAboutErrors(root = ROOT) {
     'docs/MARKETING_COPY_CONGRUENCE.md must reference config/github-about.json as the source of truth'
   );
   check(
-    marketingCopy.includes(about.description),
+    marketingCopy.includes(about.metaDescription),
+    'docs/MARKETING_COPY_CONGRUENCE.md must include the canonical landing meta description'
+  );
+  check(
+    marketingCopy.includes(about.githubDescription),
     'docs/MARKETING_COPY_CONGRUENCE.md must include the canonical GitHub About description'
   );
   check(
@@ -303,6 +317,13 @@ function normalizePositiveInteger(value, fallback) {
   return Number.isFinite(parsed) && parsed > 0 ? parsed : fallback;
 }
 
+function resolveVerifySetting(optionValue, envName, fallback) {
+  if (optionValue !== undefined) {
+    return normalizePositiveInteger(optionValue, fallback);
+  }
+  return normalizePositiveInteger(process.env[envName], fallback);
+}
+
 function sleep(delayMs) {
   return new Promise((resolve) => {
     setTimeout(resolve, delayMs);
@@ -314,8 +335,8 @@ async function verifyLiveGitHubAbout(options = {}) {
   const expected = options.expected || loadGitHubAboutConfig(root);
   const repo = normalizeText(options.repo) || expected.repo;
   const label = options.label || `Live GitHub About (${repo})`;
-  const attempts = normalizePositiveInteger(options.attempts, DEFAULT_VERIFY_ATTEMPTS);
-  const delayMs = normalizePositiveInteger(options.delayMs, DEFAULT_VERIFY_DELAY_MS);
+  const attempts = resolveVerifySetting(options.attempts, VERIFY_ATTEMPTS_ENV, DEFAULT_VERIFY_ATTEMPTS);
+  const delayMs = resolveVerifySetting(options.delayMs, VERIFY_DELAY_MS_ENV, DEFAULT_VERIFY_DELAY_MS);
   const fetcher = typeof options.fetcher === 'function' ? options.fetcher : fetchLiveGitHubAbout;
   const sleeper = typeof options.sleep === 'function' ? options.sleep : sleep;
   let actual = null;
@@ -362,7 +383,7 @@ async function updateLiveGitHubAbout(options = {}) {
     method: 'PATCH',
     headers: buildGitHubApiHeaders(token),
     body: JSON.stringify({
-      description: about.description,
+      description: about.githubDescription,
       homepage: about.homepageUrl,
     }),
   });
@@ -390,6 +411,9 @@ module.exports = {
   DEFAULT_VERIFY_ATTEMPTS,
   DEFAULT_VERIFY_DELAY_MS,
   LEGACY_REPOSITORY_URL,
+  MAX_GITHUB_DESCRIPTION_LENGTH,
+  VERIFY_ATTEMPTS_ENV,
+  VERIFY_DELAY_MS_ENV,
   buildCanonicalRepoUrls,
   collectLocalGitHubAboutErrors,
   compareGitHubAbout,

package/scripts/gtm-revenue-loop.js

@@ -6,6 +6,7 @@ const path = require('node:path');
 const { spawnSync } = require('node:child_process');
 const { resolveHostedBillingConfig } = require('./hosted-config');
 const { getOperationalBillingSummary } = require('./operational-summary');
+const { ensureDir } = require('./fs-utils');
 
 const COMMERCIAL_TRUTH_LINK = 'https://github.com/IgorGanapolsky/ThumbGate/blob/main/docs/COMMERCIAL_TRUTH.md';
 const VERIFICATION_EVIDENCE_LINK = 'https://github.com/IgorGanapolsky/ThumbGate/blob/main/docs/VERIFICATION_EVIDENCE.md';
@@ -65,11 +66,6 @@ function clampTargetCount(value) {
   return Math.max(1, Math.min(parsed, 12));
 }
 
-function ensureDir(dirPath) {
-  if (!dirPath) return;
-  fs.mkdirSync(dirPath, { recursive: true });
-}
-
 function normalizeText(value) {
   if (value === undefined || value === null) return '';
   return String(value).trim();