thumbgate 1.3.0 → 1.4.1

package/scripts/workflow-sentinel.js

@@ -705,6 +705,11 @@ function buildReasoning(report) {
     `Workflow sentinel risk ${report.band} (${report.riskScore}) for ${report.toolName}.`,
     `Blast radius: ${report.blastRadius.summary}.`,
   ];
+  if (report.decisionControl) {
+    lines.push(
+      `Decision control: ${report.decisionControl.decisionOwner} owns a ${report.decisionControl.reversibility} action via ${report.decisionControl.executionMode}.`
+    );
+  }
   if (report.learnedPolicy && report.learnedPolicy.enabled && report.learnedPolicy.prediction) {
     lines.push(
       `Learned policy predicted ${report.learnedPolicy.prediction.label} (${report.learnedPolicy.prediction.confidence}).`
@@ -732,6 +737,80 @@ function getSentinelActionType(toolName) {
   return '';
 }
 
+function classifyReversibility({ command, blastRadius, integrity, protectedSurface }) {
+  const text = String(command || '');
+  const blockers = integrity && Array.isArray(integrity.blockers) ? integrity.blockers : [];
+  const destructiveCommand = /\bgit\s+push\b.*(?:--force|-f)\b/i.test(text)
+    || /\bgh\s+pr\s+merge\b.*--admin\b/i.test(text)
+    || /\brm\s+-rf\b/i.test(text)
+    || /\b(?:npm|yarn|pnpm)\s+publish\b/i.test(text)
+    || /\bgh\s+release\s+create\b/i.test(text)
+    || /\bgit\s+tag\b/i.test(text);
+  const releaseSensitive = blastRadius && Array.isArray(blastRadius.releaseSensitiveFiles)
+    ? blastRadius.releaseSensitiveFiles.length > 0
+    : false;
+  const unapprovedProtected = protectedSurface && Array.isArray(protectedSurface.unapprovedProtectedFiles)
+    ? protectedSurface.unapprovedProtectedFiles.length > 0
+    : false;
+  const hardBlockers = blockers.some((blocker) => /publish|merge|release|protected/i.test(String(blocker.code || '')));
+
+  if (destructiveCommand || releaseSensitive || unapprovedProtected || hardBlockers) {
+    return 'one_way_door';
+  }
+  if ((blastRadius && blastRadius.fileCount >= 4) || (blastRadius && blastRadius.surfaceCount >= 2)) {
+    return 'reviewable';
+  }
+  return 'two_way_door';
+}
+
+function buildDecisionControl({
+  decision,
+  risk,
+  command,
+  blastRadius,
+  integrity,
+  protectedSurface,
+}) {
+  const reversibility = classifyReversibility({
+    command,
+    blastRadius,
+    integrity,
+    protectedSurface,
+  });
+  const hasOperationalBlockers = Boolean(integrity && Array.isArray(integrity.blockers) && integrity.blockers.length > 0);
+  const requiresCheckpoint = decision === 'warn'
+    || (decision === 'allow' && (reversibility !== 'two_way_door' || hasOperationalBlockers));
+  const executionMode = decision === 'deny'
+    ? 'blocked'
+    : requiresCheckpoint
+      ? 'checkpoint_required'
+      : 'auto_execute';
+  const decisionOwner = executionMode === 'blocked'
+    ? 'human'
+    : executionMode === 'checkpoint_required'
+      ? reversibility === 'two_way_door' && !hasOperationalBlockers
+        ? 'shared'
+        : 'human'
+      : 'agent';
+
+  return {
+    executionMode,
+    decisionOwner,
+    reversibility,
+    requiresHumanApproval: executionMode === 'checkpoint_required' && decisionOwner !== 'agent',
+    recommendedAction: executionMode === 'blocked'
+      ? 'halt'
+      : executionMode === 'checkpoint_required'
+        ? 'review'
+        : 'proceed',
+    summary: executionMode === 'blocked'
+      ? 'Do not proceed until the remediation steps are completed.'
+      : executionMode === 'checkpoint_required'
+        ? 'Pause for explicit review before executing this action.'
+        : 'Safe to execute quickly with standard evidence capture.',
+  };
+}
+
 function chooseDecision({ riskScore, integrity, memoryGuard, learnedPolicy, blastRadius, command }) {
   const hasOperationalBlockers = Boolean(integrity && Array.isArray(integrity.blockers) && integrity.blockers.length > 0);
   const destructiveBypass = /\bgit\s+push\b.*(?:--force|-f)\b/i.test(command) || /\bgh\s+pr\s+merge\b.*--admin\b/i.test(command);
@@ -923,11 +1002,23 @@ function evaluateWorkflowSentinel(toolName, toolInput = {}, options = {}) {
       commandInfo: integrity.commandInfo,
     },
   };
+  report.decisionControl = buildDecisionControl({
+    decision,
+    risk,
+    command: toolInput.command || '',
+    blastRadius: {
+      ...blastRadius,
+      unapprovedProtectedFiles: protectedSurfaceForRisk.unapprovedProtectedFiles.length,
+    },
+    integrity,
+    protectedSurface: protectedSurfaceForRisk,
+  });
   report.reasoning = buildReasoning(report);
   return report;
 }
 
 module.exports = {
+  buildDecisionControl,
   DEFAULT_PROTECTED_FILE_GLOBS,
   buildBlastRadius,
   buildEvidence,

package/skills/thumbgate/SKILL.md

@@ -92,7 +92,7 @@ Bounded retrieval of relevant feedback history for the current task. The agent g
 | Dashboard | - | Yes | Yes |
 | DPO export | - | Yes | Yes |
 | Seats | 1 | 1 | Per-seat |
-| Price | $0 | $19/mo | $12/seat/mo |
+| Price | $0 | $19/mo | $99/seat/mo |
 
 Start a 7-day free trial of Pro: <https://buy.stripe.com/fZu9AT3Ug6zcdWh0XN3sI08>
 

package/src/api/server.js

@@ -108,6 +108,14 @@ const {
 const {
   evaluateOperationalIntegrity,
 } = require('../../scripts/operational-integrity');
+const {
+  evaluateWorkflowSentinel,
+} = require('../../scripts/workflow-sentinel');
+const {
+  recordDecisionEvaluation,
+  recordDecisionOutcome,
+  computeDecisionMetrics,
+} = require('../../scripts/decision-journal');
 const {
   generateDashboard,
 } = require('../../scripts/dashboard');
@@ -152,6 +160,11 @@ const {
   appendWorkflowSprintLead,
   advanceWorkflowSprintLead,
 } = require('../../scripts/workflow-sprint-intake');
+const {
+  importDocument,
+  listImportedDocuments,
+  readImportedDocument,
+} = require('../../scripts/document-intake');
 const {
   checkLimit,
   UPGRADE_MESSAGE: RATE_LIMIT_MESSAGE,
@@ -172,6 +185,8 @@ const GUIDE_PAGE_PATH = path.resolve(__dirname, '../../public/guide.html');
 const COMPARE_PAGE_PATH = path.resolve(__dirname, '../../public/compare.html');
 const LEARN_PAGE_PATH = path.resolve(__dirname, '../../public/learn.html');
 const LEARN_DIR = path.resolve(__dirname, '../../public/learn');
+const GUIDES_DIR = path.resolve(__dirname, '../../public/guides');
+const COMPARE_DIR = path.resolve(__dirname, '../../public/compare');
 const BUYER_INTENT_SCRIPT_PATH = path.resolve(__dirname, '../../public/js/buyer-intent.js');
 const VISITOR_COOKIE_NAME = 'thumbgate_visitor_id';
 const SESSION_COOKIE_NAME = 'thumbgate_session_id';
@@ -1005,6 +1020,7 @@ function loadPublicMarketingTemplateHtml(templatePath, runtimeConfig, pageContex
     '__AUTOMATION_REPORT_URL__': 'https://github.com/IgorGanapolsky/ThumbGate/blob/main/proof/automation/report.json',
     '__GTM_PLAN_URL__': 'https://github.com/IgorGanapolsky/ThumbGate/blob/main/docs/GO_TO_MARKET_REVENUE_WEDGE_2026-03.md',
     '__GITHUB_URL__': 'https://github.com/IgorGanapolsky/ThumbGate',
+    '__POSTHOG_API_KEY__': runtimeConfig.posthogApiKey || '',
   });
 }
 
@@ -1345,6 +1361,32 @@ function renderRobotsTxt(runtimeConfig) {
   return [
     'User-agent: *',
     'Allow: /',
+    '',
+    '# AI crawler access — allow all major LLM crawlers',
+    'User-agent: GPTBot',
+    'Allow: /',
+    '',
+    'User-agent: ClaudeBot',
+    'Allow: /',
+    '',
+    'User-agent: PerplexityBot',
+    'Allow: /',
+    '',
+    'User-agent: Googlebot',
+    'Allow: /',
+    '',
+    'User-agent: Bingbot',
+    'Allow: /',
+    '',
+    'User-agent: anthropic-ai',
+    'Allow: /',
+    '',
+    'User-agent: Google-Extended',
+    'Allow: /',
+    '',
+    '# LLM context document — clean declarative content for AI retrieval',
+    `# ${runtimeConfig.appOrigin}/llm-context.md`,
+    '',
     `Sitemap: ${runtimeConfig.appOrigin}/sitemap.xml`,
   ].join('\n');
 }
@@ -1353,6 +1395,7 @@ function renderSitemapXml(runtimeConfig) {
   const entries = [
     { path: '/', changefreq: 'weekly', priority: '1.0' },
     { path: '/pro', changefreq: 'weekly', priority: '0.9' },
+    { path: '/llm-context.md', changefreq: 'weekly', priority: '0.8' },
     ...THUMBGATE_SEO_SITEMAP_ENTRIES,
   ];
   return [
@@ -2111,6 +2154,11 @@ function getExpectedApiKey() {
   return configured;
 }
 
+function getExpectedOperatorKey() {
+  const key = String(process.env.THUMBGATE_OPERATOR_KEY || '').trim();
+  return key || null;
+}
+
 function isAuthorized(req, expected) {
   if (!expected) return true;
   const token = extractApiKey(req);
@@ -2162,6 +2210,19 @@ function isStaticAdminAuthorized(req, expected) {
   return extractApiKey(req) === expected;
 }
 
+/**
+ * Billing summary guard: accepts either the static admin key OR the operator key.
+ * The operator key (THUMBGATE_OPERATOR_KEY) allows read-only billing data access
+ * without exposing the full admin key to CLI clients.
+ */
+function isBillingSummaryAuthorized(req, expectedAdminKey, expectedOperatorKey) {
+  if (!expectedAdminKey && !expectedOperatorKey) return true;
+  const token = extractApiKey(req);
+  if (expectedAdminKey && token === expectedAdminKey) return true;
+  if (expectedOperatorKey && token === expectedOperatorKey) return true;
+  return false;
+}
+
 function extractTags(input) {
   if (Array.isArray(input)) return input;
   if (typeof input === 'string') {
@@ -2240,8 +2301,43 @@ function normalizeJobIdFromPath(pathname, suffix = '') {
   return match ? decodeURIComponent(match[1]) : null;
 }
 
+function normalizeDocumentIdFromPath(pathname) {
+  const match = pathname.match(/^\/v1\/documents\/([^/]+)$/);
+  return match ? decodeURIComponent(match[1]) : null;
+}
+
+function isWithinDir(targetPath, baseDir) {
+  if (!baseDir) return false;
+  const resolvedBase = path.resolve(baseDir);
+  const resolvedTarget = path.resolve(targetPath);
+  const relative = path.relative(resolvedBase, resolvedTarget);
+  return relative === '' || (!relative.startsWith('..') && !path.isAbsolute(relative));
+}
+
+function resolveDocumentImportFilePath(inputPath, options = {}) {
+  const normalized = normalizeNullableText(inputPath);
+  if (!normalized) return null;
+
+  const { req, parsed, safeDataDir } = options;
+  if (!isLoopbackHost(getRequestHostHeader(req))) {
+    throw createHttpError(400, 'filePath import is only available on localhost requests; use content for hosted imports');
+  }
+
+  const projectDir = resolveRequestProjectDir(req, parsed) || process.cwd();
+  const resolved = path.resolve(projectDir, normalized);
+  const allowed = isWithinDir(resolved, projectDir) || isWithinDir(resolved, safeDataDir);
+  if (!allowed) {
+    throw createHttpError(400, `Path must stay within ${projectDir} or ${safeDataDir}`);
+  }
+  if (!fs.existsSync(resolved)) {
+    throw createHttpError(400, `Path does not exist: ${resolved}`);
+  }
+  return resolved;
+}
+
 function createApiServer() {
   const expectedApiKey = getExpectedApiKey();
+  const expectedOperatorKey = getExpectedOperatorKey();
 
   return http.createServer(async (req, res) => {
     const parsed = new URL(req.url, 'http://localhost');
@@ -2516,6 +2612,17 @@ function createApiServer() {
       return;
     }
 
+    if (isGetLikeRequest && pathname === '/.well-known/llms.txt') {
+      const llmsTxtPath = path.join(__dirname, '..', '..', '.well-known', 'llms.txt');
+      try {
+        const content = fs.readFileSync(llmsTxtPath, 'utf8');
+        sendText(res, 200, content, { 'Content-Type': 'text/plain; charset=utf-8', 'Cache-Control': 'public, max-age=86400' }, { headOnly: isHeadRequest });
+      } catch {
+        sendJson(res, 404, { error: 'llms.txt not found' });
+      }
+      return;
+    }
+
     if (isGetLikeRequest && pathname === '/sitemap.xml') {
       sendText(res, 200, renderSitemapXml(hostedConfig), {
         'Content-Type': 'application/xml; charset=utf-8',
@@ -2525,6 +2632,22 @@ function createApiServer() {
       return;
     }
 
+    if (isGetLikeRequest && pathname === '/llm-context.md') {
+      const llmContextPath = path.resolve(__dirname, '../../public/llm-context.md');
+      try {
+        const content = fs.readFileSync(llmContextPath, 'utf8');
+        sendText(res, 200, content, {
+          'Content-Type': 'text/markdown; charset=utf-8',
+          'X-Robots-Tag': 'all',
+        }, {
+          headOnly: isHeadRequest,
+        });
+      } catch (_err) {
+        sendJson(res, 404, { error: 'Not found' });
+      }
+      return;
+    }
+
     // Quick feedback capture via GET — for statusline clickable links
     if (isGetLikeRequest && pathname === '/feedback/quick') {
       const signal = parsed.searchParams.get('signal');
@@ -2852,6 +2975,28 @@ async function addContext(){
       return;
     }
 
+    if (isGetLikeRequest && pathname.startsWith('/guides/')) {
+      try {
+        const slug = pathname.replace('/guides/', '').replace(/[^a-z0-9-]/g, '');
+        const guidePath = path.join(GUIDES_DIR, `${slug}.html`);
+        if (!guidePath.startsWith(GUIDES_DIR)) { sendJson(res, 403, { error: 'Forbidden' }); return; }
+        const html = fs.readFileSync(guidePath, 'utf-8');
+        sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
+      } catch { sendJson(res, 404, { error: 'Guide not found' }); }
+      return;
+    }
+
+    if (isGetLikeRequest && pathname.startsWith('/compare/') && pathname !== '/compare') {
+      try {
+        const slug = pathname.replace('/compare/', '').replace(/[^a-z0-9-]/g, '');
+        const comparePath = path.join(COMPARE_DIR, `${slug}.html`);
+        if (!comparePath.startsWith(COMPARE_DIR)) { sendJson(res, 403, { error: 'Forbidden' }); return; }
+        const html = fs.readFileSync(comparePath, 'utf-8');
+        sendHtml(res, 200, html, {}, { headOnly: isHeadRequest });
+      } catch { sendJson(res, 404, { error: 'Comparison not found' }); }
+      return;
+    }
+
     if (isGetLikeRequest && pathname === '/') {
       if (wantsJson(req, parsed)) {
         sendJson(res, 200, {
@@ -2859,7 +3004,7 @@ async function addContext(){
           version: pkg.version,
           status: 'ok',
           docs: 'https://github.com/IgorGanapolsky/ThumbGate',
-          endpoints: ['/health', '/dashboard', '/guide', '/compare', '/learn', '/pro', '/v1/feedback/capture', '/v1/feedback/stats', '/v1/feedback/summary', '/v1/lessons/search', '/v1/search', '/v1/dashboard', '/v1/dashboard/render-spec', '/v1/settings/status', '/v1/dpo/export', '/v1/jobs', '/v1/jobs/harness', '/v1/analytics/databricks/export'],
+          endpoints: ['/health', '/dashboard', '/guide', '/compare', '/learn', '/pro', '/v1/feedback/capture', '/v1/feedback/stats', '/v1/feedback/summary', '/v1/lessons/search', '/v1/search', '/v1/documents', '/v1/documents/import', '/v1/documents/{documentId}', '/v1/dashboard', '/v1/dashboard/render-spec', '/v1/decisions/evaluate', '/v1/decisions/outcome', '/v1/decisions/metrics', '/v1/settings/status', '/v1/dpo/export', '/v1/jobs', '/v1/jobs/harness', '/v1/analytics/databricks/export'],
         }, {}, {
           headOnly: isHeadRequest,
         });
@@ -4054,6 +4199,34 @@ async function addContext(){
         return;
       }
 
+      if (req.method === 'GET' && pathname === '/v1/documents') {
+        const limit = Number(parsed.searchParams.get('limit') || 20);
+        const query = parsed.searchParams.get('q') || parsed.searchParams.get('query') || '';
+        const tag = parsed.searchParams.get('tag') || '';
+        const results = listImportedDocuments({
+          feedbackDir: requestFeedbackDir,
+          limit: Number.isFinite(limit) ? limit : 20,
+          query,
+          tag,
+        });
+        sendJson(res, 200, results);
+        return;
+      }
+
+      {
+        const documentId = normalizeDocumentIdFromPath(pathname);
+        if (req.method === 'GET' && documentId) {
+          const document = readImportedDocument(documentId, {
+            feedbackDir: requestFeedbackDir,
+          });
+          if (!document) {
+            throw createHttpError(404, `Imported document not found: ${documentId}`);
+          }
+          sendJson(res, 200, { document });
+          return;
+        }
+      }
+
       if (req.method === 'POST' && pathname === '/v1/feedback/capture') {
         const captureLimit = checkLimit('capture_feedback');
         if (!captureLimit.allowed) {
@@ -4127,6 +4300,31 @@ async function addContext(){
         return;
       }
 
+      if (req.method === 'POST' && pathname === '/v1/documents/import') {
+        const body = await parseJsonBody(req, 2 * 1024 * 1024);
+        const document = importDocument({
+          filePath: body.filePath
+            ? resolveDocumentImportFilePath(body.filePath, {
+              req,
+              parsed,
+              safeDataDir: requestSafeDataDir,
+            })
+            : null,
+          content: normalizeNullableText(body.content),
+          title: normalizeNullableText(body.title),
+          sourceFormat: normalizeNullableText(body.sourceFormat),
+          sourceUrl: normalizeNullableText(body.sourceUrl),
+          tags: extractTags(body.tags),
+          proposeGates: body.proposeGates !== false,
+          feedbackDir: requestFeedbackDir,
+        });
+        sendJson(res, 201, {
+          ok: true,
+          document,
+        });
+        return;
+      }
+
       if (req.method === 'POST' && pathname === '/v1/dpo/export') {
         const body = await parseJsonBody(req);
         const paths = resolveDpoExportPaths(body, {
@@ -4362,14 +4560,14 @@ async function addContext(){
         return;
       }
 
-      // GET /v1/billing/summary — admin-only operational billing summary
+      // GET /v1/billing/summary — operator billing summary (admin key or operator key)
       if (req.method === 'GET' && pathname === '/v1/billing/summary') {
-        if (!isStaticAdminAuthorized(req, expectedApiKey)) {
+        if (!isBillingSummaryAuthorized(req, expectedApiKey, expectedOperatorKey)) {
           sendProblem(res, {
             type: PROBLEM_TYPES.FORBIDDEN,
             title: 'Forbidden',
             status: 403,
-            detail: 'Admin API key required for this endpoint.',
+            detail: 'Admin or operator API key required for this endpoint.',
           });
           return;
         }
@@ -4569,6 +4767,85 @@ async function addContext(){
         return;
       }
 
+      if (req.method === 'POST' && pathname === '/v1/decisions/evaluate') {
+        const body = await parseJsonBody(req);
+        if (!body.toolName) {
+          sendProblem(res, {
+            type: PROBLEM_TYPES.BAD_REQUEST,
+            title: 'Bad Request',
+            status: 400,
+            detail: 'toolName is required.',
+          });
+          return;
+        }
+
+        const report = evaluateWorkflowSentinel(body.toolName, {
+          command: body.command,
+          path: body.filePath,
+          changed_files: Array.isArray(body.changedFiles) ? body.changedFiles : [],
+          repoPath: body.repoPath,
+          baseBranch: body.baseBranch,
+        }, {
+          repoPath: body.repoPath,
+          baseBranch: body.baseBranch,
+          affectedFiles: Array.isArray(body.changedFiles) ? body.changedFiles : undefined,
+          requirePrForReleaseSensitive: body.requirePrForReleaseSensitive === true,
+          requireVersionNotBehindBase: body.requireVersionNotBehindBase === true,
+          governanceState: getScopeState(),
+          feedbackDir: requestFeedbackDir,
+        });
+        const evaluation = recordDecisionEvaluation(report, {
+          source: 'api',
+          toolName: body.toolName,
+          toolInput: {
+            command: body.command,
+            filePath: body.filePath,
+            changedFiles: Array.isArray(body.changedFiles) ? body.changedFiles : [],
+            repoPath: body.repoPath,
+            baseBranch: body.baseBranch,
+          },
+          changedFiles: Array.isArray(body.changedFiles) ? body.changedFiles : [],
+        }, {
+          feedbackDir: requestFeedbackDir,
+        });
+        report.actionId = evaluation.actionId;
+        if (report.decisionControl) report.decisionControl.actionId = evaluation.actionId;
+        sendJson(res, 200, report);
+        return;
+      }
+
+      if (req.method === 'POST' && pathname === '/v1/decisions/outcome') {
+        const body = await parseJsonBody(req);
+        if (!body.actionId || !body.outcome) {
+          sendProblem(res, {
+            type: PROBLEM_TYPES.BAD_REQUEST,
+            title: 'Bad Request',
+            status: 400,
+            detail: 'actionId and outcome are required.',
+          });
+          return;
+        }
+        const outcome = recordDecisionOutcome({
+          actionId: body.actionId,
+          outcome: body.outcome,
+          actualDecision: body.actualDecision,
+          actor: body.actor,
+          notes: body.notes,
+          metadata: body.metadata,
+          latencyMs: body.latencyMs,
+          source: 'api',
+        }, {
+          feedbackDir: requestFeedbackDir,
+        });
+        sendJson(res, 200, outcome);
+        return;
+      }
+
+      if (req.method === 'GET' && pathname === '/v1/decisions/metrics') {
+        sendJson(res, 200, computeDecisionMetrics(requestFeedbackDir));
+        return;
+      }
+
       // GET /v1/settings/status -- Resolved settings hierarchy with origin metadata
       if (req.method === 'GET' && pathname === '/v1/settings/status') {
         sendJson(res, 200, getSettingsStatus());
@@ -4599,9 +4876,9 @@ async function addContext(){
         return;
       }
 
-      // POST /webhook/stripe — Track Stripe subscription events (checkout, subscription changes)
-      // TODO: Add STRIPE_WEBHOOK_SECRET to .env and enable signature verification via
-      // verifyWebhookSignature() once the webhook endpoint is registered in the Stripe Dashboard.
+      // POST /webhook/stripe — legacy Stripe event log bridge kept for backward compatibility.
+      // When STRIPE_WEBHOOK_SECRET is configured, verify the same Stripe signature used by
+      // the /v1/billing/webhook route before touching any payload.
       if (req.method === 'POST' && pathname === '/webhook/stripe') {
         try {
           const rawBody = await new Promise((resolve, reject) => {
@@ -4610,6 +4887,18 @@ async function addContext(){
             req.on('end', () => resolve(Buffer.concat(chunks)));
             req.on('error', reject);
           });
+
+          const sig = req.headers['stripe-signature'] || '';
+          if (!verifyWebhookSignature(rawBody, sig)) {
+            sendProblem(res, {
+              type: PROBLEM_TYPES.WEBHOOK_INVALID,
+              title: 'Invalid webhook signature',
+              status: 400,
+              detail: 'The webhook signature could not be verified.',
+            });
+            return;
+          }
+
           let event;
           try {
             event = JSON.parse(rawBody.toString('utf-8'));