thumbgate 1.3.0 → 1.4.1

package/scripts/harness-selector.js

@@ -0,0 +1,148 @@
+'use strict';
+
+/**
+ * Harness Selector — Context-Aware Gate Harness Loading
+ *
+ * Auto Agent concept: instead of one monolithic gate config, select a
+ * specialized harness based on the workflow type detected from the tool call.
+ *
+ * Detection priority (first match wins):
+ *   1. THUMBGATE_HARNESS env var — explicit override
+ *   2. Tool-name heuristic (Edit/Write/MultiEdit → code-edit)
+ *   3. Command-text heuristic (deploy keywords → deploy, SQL keywords → db-write)
+ *   4. null → load only default.json + auto-promoted gates
+ *
+ * Each harness is ADDITIVE — default.json gates always load first.
+ */
+
+const path = require('path');
+
+const HARNESS_DIR = path.join(__dirname, '..', 'config', 'gates');
+
+const HARNESSES = Object.freeze({
+  deploy: path.join(HARNESS_DIR, 'deploy.json'),
+  'code-edit': path.join(HARNESS_DIR, 'code-edit.json'),
+  'db-write': path.join(HARNESS_DIR, 'db-write.json'),
+});
+
+// ---------------------------------------------------------------------------
+// Detection patterns
+// ---------------------------------------------------------------------------
+
+const DEPLOY_PATTERNS = [
+  /\brailway\s+(deploy|up|run)\b/i,
+  /\bdocker\s+(push|build)\b/i,
+  /\bnpm\s+publish\b/i,
+  /\byarn\s+publish\b/i,
+  /\bpnpm\s+publish\b/i,
+  /\bgit\s+push\b/i,
+  /\bgh\s+pr\s+(create|merge)\b/i,
+  /\bchangeset\s+(publish|version)\b/i,
+];
+
+const DB_WRITE_PATTERNS = [
+  /\b(DROP|TRUNCATE|DELETE|ALTER|INSERT|UPDATE)\s+(TABLE|FROM|INTO|COLUMN)\b/i,
+  /\b(sqlite3|better-sqlite3|knex|sequelize)\b.*\.(run|exec|query)\b/i,
+  /\brm\s+.*\.sqlite\b/i,
+  /\blancedb\b.*(?:create|delete|drop|truncate)/i,
+  /\.db\.exec\(|\.db\.prepare\(/i,
+];
+
+const CODE_EDIT_TOOL_NAMES = new Set(['Edit', 'Write', 'MultiEdit', 'NotebookEdit']);
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Given a tool name and input, return the path to the best matching
+ * specialized harness config, or null if none applies.
+ *
+ * @param {string} toolName  - e.g. "Bash", "Edit", "Write"
+ * @param {object|string} toolInput - raw tool input object or string
+ * @returns {string|null} absolute path to harness JSON, or null
+ */
+function selectHarness(toolName, toolInput) {
+  // 1. Explicit override
+  if (process.env.THUMBGATE_HARNESS) {
+    const override = process.env.THUMBGATE_HARNESS;
+    if (HARNESSES[override]) return HARNESSES[override];
+    // Allow absolute path override
+    if (path.isAbsolute(override)) return override;
+  }
+
+  // 2. Edit/Write tools always get code-edit harness
+  if (CODE_EDIT_TOOL_NAMES.has(toolName)) {
+    return HARNESSES['code-edit'];
+  }
+
+  // 3. Inspect command text for Bash tool
+  const commandText = extractCommandText(toolInput);
+  if (commandText) {
+    if (DB_WRITE_PATTERNS.some((p) => p.test(commandText))) {
+      return HARNESSES['db-write'];
+    }
+    if (DEPLOY_PATTERNS.some((p) => p.test(commandText))) {
+      return HARNESSES['deploy'];
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Return the harness name (e.g. "deploy") for a given tool call, or null.
+ */
+function selectHarnessName(toolName, toolInput) {
+  const harnessPath = selectHarness(toolName, toolInput);
+  if (!harnessPath) return null;
+  return Object.entries(HARNESSES).find(([, p]) => p === harnessPath)?.[0] ?? null;
+}
+
+/**
+ * Return the full list of available harness names.
+ */
+function listHarnesses() {
+  return Object.keys(HARNESSES);
+}
+
+/**
+ * Return the path for a harness by name.
+ */
+function getHarnessPath(name) {
+  return HARNESSES[name] ?? null;
+}
+
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+
+function extractCommandText(toolInput) {
+  if (!toolInput) return '';
+  if (typeof toolInput === 'string') return toolInput;
+  if (typeof toolInput === 'object') {
+    // Claude Code Bash tool: { command: "..." }
+    if (typeof toolInput.command === 'string') return toolInput.command;
+    // file_path for Edit/Write tools
+    if (typeof toolInput.file_path === 'string') return toolInput.file_path;
+    // Generic text fields
+    for (const key of ['input', 'text', 'content', 'query']) {
+      if (typeof toolInput[key] === 'string') return toolInput[key];
+    }
+    // Fall back to serialised form
+    try { return JSON.stringify(toolInput); } catch { return ''; }
+  }
+  return '';
+}
+
+module.exports = {
+  selectHarness,
+  selectHarnessName,
+  listHarnesses,
+  getHarnessPath,
+  extractCommandText,
+  HARNESSES,
+  DEPLOY_PATTERNS,
+  DB_WRITE_PATTERNS,
+  CODE_EDIT_TOOL_NAMES,
+};

package/scripts/hosted-config.js

@@ -123,6 +123,7 @@ function resolveHostedBillingConfig({ requestOrigin } = {}, env = process.env) {
   const proPriceDollars = normalizePriceDollars(env.THUMBGATE_PRO_PRICE_DOLLARS) || DEFAULT_PRO_PRICE_DOLLARS;
   const proPriceLabel = env.THUMBGATE_PRO_PRICE_LABEL || DEFAULT_PRO_PRICE_LABEL;
   const gaMeasurementId = normalizeTrackingId(env.THUMBGATE_GA_MEASUREMENT_ID, GA_MEASUREMENT_ID_PATTERN);
+  const posthogApiKey = env.POSTHOG_API_KEY || '';
   const googleSiteVerification = normalizeTrackingId(env.THUMBGATE_GOOGLE_SITE_VERIFICATION);
 
   return {
@@ -137,6 +138,7 @@ function resolveHostedBillingConfig({ requestOrigin } = {}, env = process.env) {
     proPriceLabel,
     gaMeasurementId,
     googleSiteVerification,
+    posthogApiKey,
   };
 }
 

package/scripts/hosted-job-launcher.js

@@ -6,6 +6,7 @@ const { spawn } = require('child_process');
 
 const runner = require('./async-job-runner');
 const { buildHarnessJob } = require('./natural-language-harness');
+const { ensureDir } = require('./fs-utils');
 
 const RUNNER_SCRIPT_PATH = path.join(__dirname, 'async-job-runner.js');
 const MANAGED_DPO_EXPORT_SCRIPT_PATH = path.join(__dirname, 'managed-dpo-export.js');
@@ -17,11 +18,6 @@ function nowIso() {
   return new Date().toISOString();
 }
 
-function ensureDir(dirPath) {
-  if (!fs.existsSync(dirPath)) {
-    fs.mkdirSync(dirPath, { recursive: true });
-  }
-}
 
 function shellQuote(value) {
   return `'${String(value).replace(/'/g, `'\\''`)}'`;

package/scripts/hybrid-feedback-context.js

@@ -17,6 +17,7 @@
 const fs = require('fs');
 const path = require('path');
 const { resolveFeedbackDir } = require('./feedback-paths');
+const { readJsonl } = require('./fs-utils');
 
 // ---------------------------------------------------------------------------
 // Paths
@@ -62,39 +63,12 @@ const POS = new Set([
   'success', 'pass', 'passed', 'great', 'excellent', 'perfect', 'works',
 ]);
 
+const HYBRID_JSONL_READ_LIMIT = 400;
+
 // ---------------------------------------------------------------------------
 // Low-level helpers
 // ---------------------------------------------------------------------------
 
-/**
- * Read last maxLines of a JSONL file in reverse, then re-reverse so oldest-first.
- */
-function readJsonl(filePath, maxLines) {
-  const limit = maxLines !== undefined ? maxLines : 400;
-  if (!fs.existsSync(filePath)) return [];
-  let raw;
-  try {
-    raw = fs.readFileSync(filePath, 'utf8').trimEnd();
-  } catch (_) {
-    return [];
-  }
-  if (!raw) return [];
-  const lines = raw.split('\n');
-  const slice = lines.slice(-limit);
-  const parsed = [];
-  for (let i = slice.length - 1; i >= 0; i--) {
-    const line = slice[i].trim();
-    if (!line) continue;
-    try {
-      parsed.push(JSON.parse(line));
-    } catch (_) {
-      // skip malformed
-    }
-  }
-  parsed.reverse(); // back to chronological order
-  return parsed;
-}
-
 /**
  * Normalize text: strip /Users/ paths, port numbers, lowercase.
  */
@@ -208,10 +182,10 @@ function buildHybridState(opts) {
   const pendingSyncPath = o.pendingSyncPath || process.env.THUMBGATE_PENDING_SYNC || paths.pendingSync;
   const attributedFeedbackPath = o.attributedFeedbackPath || process.env.THUMBGATE_ATTRIBUTED_FEEDBACK || paths.attributedFeedback;
 
-  const feedbackEntries = readJsonl(feedbackLogPath);
-  const inboxEntries = readJsonl(inboxPath);
-  const pendingSyncEntries = readJsonl(pendingSyncPath);
-  const attributedEntries = readJsonl(attributedFeedbackPath);
+  const feedbackEntries = readJsonl(feedbackLogPath, HYBRID_JSONL_READ_LIMIT);
+  const inboxEntries = readJsonl(inboxPath, HYBRID_JSONL_READ_LIMIT);
+  const pendingSyncEntries = readJsonl(pendingSyncPath, HYBRID_JSONL_READ_LIMIT);
+  const attributedEntries = readJsonl(attributedFeedbackPath, HYBRID_JSONL_READ_LIMIT);
 
   // Deduplicate by id across all sources
   const seen = new Set();
@@ -534,25 +508,21 @@ function evaluateCompiledGuards(artifact, toolName, toolInput) {
   const normTool = (toolName || '').toLowerCase();
 
   for (const guard of artifact.guards) {
-    // Check if tool context is relevant
     const guardText = normalize(guard.text || '');
     const toolMentioned = guardText.includes(normTool) || normTool === 'unknown';
 
-    if (hasTwoKeywordHits(normInput, guard.words || [])) {
-      return {
-        mode: guard.mode || 'warn',
-        reason: `Matched guard pattern (count: ${guard.count}): "${(guard.text || '').slice(0, 80)}"`,
-        source: 'compiled',
-        guardHash: guard.hash,
-        attributed: guard.attributed,
-      };
-    }
+    const keywordMatch = hasTwoKeywordHits(normInput, guard.words || []);
 
-    // Also check tool-level match when input is empty or short
-    if (normInput.length < 10 && toolMentioned && guard.count >= (artifact.blockThreshold || 3)) {
+    // Match if: keyword hits in input, OR tool mentioned + high count.
+    // Previously tool-name matching only worked for short inputs — this was
+    // a false-negative gap that let tool-specific patterns slip through.
+    if (keywordMatch || (toolMentioned && guard.count >= (artifact.blockThreshold || 3))) {
+      const reason = keywordMatch
+        ? `Matched guard pattern (count: ${guard.count}): "${(guard.text || '').slice(0, 80)}"`
+        : `Tool "${toolName}" has recurring negative patterns (count: ${guard.count})`;
       return {
         mode: guard.mode || 'warn',
-        reason: `Tool "${toolName}" has recurring negative patterns (count: ${guard.count})`,
+        reason,
         source: 'compiled',
         guardHash: guard.hash,
         attributed: guard.attributed,
@@ -622,6 +592,12 @@ function evaluatePretoolFromState(state, toolName, toolInput) {
  * @param {string} [opts.attributedFeedbackPath]
  * @returns {{ mode: 'block'|'warn'|'allow', reason: string, source: string }}
  */
+/**
+ * Max age (ms) before compiled guards are considered stale and live state
+ * is also consulted. Default: 1 hour.
+ */
+const GUARD_STALENESS_MS = 60 * 60 * 1000;
+
 function evaluatePretool(toolName, toolInput, opts) {
   const o = opts || {};
 
@@ -631,11 +607,18 @@ function evaluatePretool(toolName, toolInput, opts) {
   if (artifact) {
     const result = evaluateCompiledGuards(artifact, toolName, toolInput);
     if (result.mode !== 'allow') return result;
-    // Even if compiled says allow, we're done (trust compiled)
-    return result;
+
+    // Check staleness: if compiled artifact is fresh enough, trust it
+    const compiledAt = artifact.compiledAt ? Date.parse(artifact.compiledAt) : 0;
+    const age = Date.now() - compiledAt;
+    if (age < GUARD_STALENESS_MS) {
+      return result; // Fresh compiled artifact says allow — trust it
+    }
+    // Stale artifact said allow — fall through to live evaluation
+    // in case new feedback was captured since compilation
   }
 
-  // Slow path: build live state
+  // Slow path: build live state (also used when compiled guards are stale)
   const state = buildHybridState({
     feedbackLogPath: o.feedbackLogPath,
     attributedFeedbackPath: o.attributedFeedbackPath,
@@ -709,6 +692,7 @@ module.exports = {
   readJsonl,
   getHybridPaths,
   PATHS,
+  GUARD_STALENESS_MS,
 };
 
 if (require.main === module) {

package/scripts/intervention-policy.js

@@ -4,6 +4,7 @@
 const fs = require('fs');
 const path = require('path');
 const { resolveFeedbackDir } = require('./feedback-paths');
+const { getDecisionLogPath, readDecisionLog, collapseDecisionTimeline } = require('./decision-journal');
 
 const LABELS = ['allow', 'recall', 'verify', 'warn', 'deny'];
 const DAY_MS = 24 * 60 * 60 * 1000;
@@ -323,14 +324,64 @@ function buildDiagnosticExample(entry) {
   };
 }
 
+function deriveLabelFromDecisionOutcome(outcome) {
+  const status = normalizeText(outcome && outcome.outcome);
+  const actualDecision = normalizeText(outcome && outcome.actualDecision);
+  if (status === 'blocked' || status === 'rolled_back' || actualDecision === 'deny') return 'deny';
+  if (status === 'warned' || status === 'overridden' || actualDecision === 'warn') return 'warn';
+  if (status === 'accepted' || status === 'completed') return 'allow';
+  if (status === 'aborted') return 'warn';
+  return null;
+}
+
+function buildDecisionExample(action) {
+  const evaluation = action && action.evaluation ? action.evaluation : null;
+  const latestOutcome = action && Array.isArray(action.outcomes) && action.outcomes.length > 0
+    ? action.outcomes[action.outcomes.length - 1]
+    : null;
+  const label = deriveLabelFromDecisionOutcome(latestOutcome);
+  if (!evaluation || !latestOutcome || !label) return null;
+
+  const recommendation = evaluation.recommendation || {};
+  const blastRadius = evaluation.blastRadius || {};
+  const toolInput = evaluation.toolInput && typeof evaluation.toolInput === 'object' ? evaluation.toolInput : {};
+  const changedFiles = Array.isArray(evaluation.changedFiles) ? evaluation.changedFiles : [];
+  const tokens = buildFeatureTokens([
+    'kind:decision',
+    `tool:${evaluation.toolName || latestOutcome.toolName || 'unknown'}`,
+    `decision:${recommendation.decision || 'allow'}`,
+    `execution:${recommendation.executionMode || 'auto_execute'}`,
+    `owner:${recommendation.decisionOwner || 'agent'}`,
+    `reversibility:${recommendation.reversibility || 'reviewable'}`,
+    recommendation.riskBand ? `risk:${recommendation.riskBand}` : null,
+    blastRadius.severity ? `blast:${blastRadius.severity}` : null,
+    latestOutcome.outcome ? `outcome:${latestOutcome.outcome}` : null,
+    latestOutcome.actor ? `actor:${latestOutcome.actor}` : null,
+    ...extractCommandTokens(toolInput.command || ''),
+    ...changedFiles.flatMap((filePath) => extractFileTokens(filePath)),
+    ...tokenizeText([recommendation.summary, latestOutcome.notes].filter(Boolean).join(' '), 10).map((token) => `decisiontok:${token}`),
+  ]);
+
+  if (!tokens.length) return null;
+  return {
+    id: latestOutcome.actionId || evaluation.actionId || null,
+    source: 'decision',
+    label,
+    timestamp: latestOutcome.timestamp || evaluation.timestamp || new Date().toISOString(),
+    tokens,
+  };
+}
+
 function buildExamplesFromFeedbackDir(feedbackDir) {
   const resolvedDir = resolveFeedbackDir({ feedbackDir });
   const feedbackEntries = readJSONL(path.join(resolvedDir, 'feedback-log.jsonl'));
   const auditEntries = readJSONL(path.join(resolvedDir, 'audit-trail.jsonl'));
   const diagnosticEntries = readJSONL(path.join(resolvedDir, 'diagnostic-log.jsonl'));
+  const decisionEntries = readDecisionLog(getDecisionLogPath(resolvedDir));
+  const decisions = collapseDecisionTimeline(decisionEntries);
 
   const examples = [];
-  const sourceCounts = { feedback: 0, audit: 0, diagnostic: 0 };
+  const sourceCounts = { feedback: 0, audit: 0, diagnostic: 0, decision: 0 };
 
   for (const entry of feedbackEntries) {
     const example = buildFeedbackExample(entry);
@@ -350,6 +401,12 @@ function buildExamplesFromFeedbackDir(feedbackDir) {
     sourceCounts.diagnostic += 1;
     examples.push(example);
   }
+  for (const action of decisions) {
+    const example = buildDecisionExample(action);
+    if (!example) continue;
+    sourceCounts.decision += 1;
+    examples.push(example);
+  }
 
   examples.sort((left, right) => {
     return Date.parse(left.timestamp || 0) - Date.parse(right.timestamp || 0);

package/scripts/lesson-db.js

@@ -14,6 +14,7 @@
 
 const path = require('node:path');
 const fs = require('node:fs');
+const { readJsonl } = require('./fs-utils');
 
 const PROJECT_ROOT = path.join(__dirname, '..');
 const DEFAULT_DB_PATH = path.join(PROJECT_ROOT, '.claude', 'memory', 'lessons.sqlite');
@@ -495,8 +496,8 @@ function backfillFromJsonl(db, feedbackDir) {
   const feedbackLogPath = path.join(feedbackDir, 'feedback-log.jsonl');
   const memoryLogPath = path.join(feedbackDir, 'memory-log.jsonl');
 
-  const feedbackEntries = readJsonlSafe(feedbackLogPath);
-  const memoryEntries = readJsonlSafe(memoryLogPath);
+  const feedbackEntries = readJsonl(feedbackLogPath);
+  const memoryEntries = readJsonl(memoryLogPath);
 
   // Index memories by sourceFeedbackId for joining
   const memoryByFeedbackId = new Map();
@@ -581,22 +582,6 @@ function safeParseTags(tagsStr) {
   }
 }
 
-function readJsonlSafe(filePath) {
-  if (!fs.existsSync(filePath)) return [];
-  const raw = fs.readFileSync(filePath, 'utf-8').trim();
-  if (!raw) return [];
-  return raw
-    .split('\n')
-    .map((line) => {
-      try {
-        return JSON.parse(line);
-      } catch {
-        return null;
-      }
-    })
-    .filter(Boolean);
-}
-
 module.exports = {
   initDB,
   upsertLesson,