thumbgate 1.4.3 → 1.4.5

package/.claude-plugin/marketplace.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate-marketplace",
-  "version": "1.4.3",
+  "version": "1.4.5",
   "owner": {
     "name": "Igor Ganapolsky",
     "email": "ig5973700@gmail.com"
@@ -13,7 +13,7 @@
         "source": "npm",
         "package": "thumbgate"
       },
-      "version": "1.4.3",
+      "version": "1.4.5",
       "author": {
         "name": "Igor Ganapolsky"
       },

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "thumbgate",
   "description": "Type 👍 or 👎 on any agent action. ThumbGate captures it, distills a lesson, and blocks the pattern from repeating. One thumbs-down = the agent physically cannot make that mistake again. 33 pre-action gates, budget enforcement, self-protection, and NIST/SOC2 compliance tags.",
-  "version": "1.4.3",
+  "version": "1.4.5",
   "author": {
     "name": "Igor Ganapolsky"
   },

package/.well-known/llms.txt

@@ -1,15 +1,17 @@
-# ThumbGate — Type 👍 or 👎 on any AI agent action. Blocks the pattern from repeating. One thumbs-down, never again.
+# ThumbGate — Stop AI agents before they make costly mistakes.
 # https://thumbgate-production.up.railway.app
 # https://github.com/IgorGanapolsky/ThumbGate
 # https://www.npmjs.com/package/thumbgate
 
-> ThumbGate makes AI coding agents self-improving. Every mistake becomes
-> a prevention rule that physically blocks the agent from repeating it.
-> Feedback-driven enforcement via PreToolUse hooks.
+> ThumbGate prevents expensive AI mistakes before they happen. It checks
+> risky commands, file edits, deploys, payments, API calls, and other agent
+> actions before execution. 👎 Thumbs down becomes a history-aware lesson and
+> a Pre-Action Gate; 👍 thumbs up reinforces safe patterns.
 
 ## What ThumbGate solves
 
-- AI coding agents repeat the same mistakes across sessions
+- AI coding agents repeat costly mistakes across sessions
+- Bad commands, destructive SQL, risky deploys, unsafe publishes, and API mistakes are expensive after execution
 - CLAUDE.md and .cursorrules files are suggestions agents can ignore
 - No memory between sessions means no learning from corrections
 - Teams have no shared safety rules across developers
@@ -27,6 +29,7 @@
 - Developers using Claude Code, Cursor, Codex, Gemini CLI, or any MCP-compatible agent
 - Engineering teams that need shared agent safety rules
 - Anyone tired of re-correcting their AI coding assistant
+- Solo operators who want Pro dashboard proof for blocked mistakes and DPO exports
 
 ## Install
 
@@ -36,9 +39,10 @@ npx thumbgate init --agent claude-code
 
 ## Pricing
 
-- Free: 3 feedback captures/day, 5 lesson searches/day, 5 built-in gates
-- Pro: $19/mo or $149/yr — unlimited everything, auto-gate promotion, multi-repo sync
-- Founding Member: $49 one-time, Pro forever
+- Free GPT: advice, checkpointing, and setup help in ChatGPT
+- Free local CLI: 3 feedback captures/day, 5 lesson searches/day, recall, and local Pre-Action Gates after install
+- Pro: $19/mo or $149/yr — personal enforcement proof, local dashboard, gate debugger, DPO export, and review-ready exports
+- Team: $99/seat/mo, 3-seat minimum after intake — shared lessons, org visibility, approval boundaries, and rollout proof
 
 ## Links
 

package/.well-known/mcp/server-card.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate",
-  "version": "1.4.3",
+  "version": "1.4.5",
   "description": "ThumbGate — 👍👎 feedback that teaches your AI agent. Thumbs down a mistake, it never happens again.",
   "homepage": "https://github.com/IgorGanapolsky/thumbgate",
   "transport": "stdio",

package/README.md

@@ -1,6 +1,8 @@
 # ThumbGate
 
-**Thumbs up or thumbs down — and your AI coding agent never makes the same mistake twice.**
+**Stop AI agents before they make costly mistakes.**
+
+ThumbGate checks risky commands, file edits, deploys, API calls, and other agent actions before they run. Thumbs-up/down feedback becomes remembered lessons, repeated failures become Pre-Action Gates, and the next bad action gets blocked instead of becoming another cleanup bill.
 
 [![CI](https://github.com/IgorGanapolsky/ThumbGate/actions/workflows/ci.yml/badge.svg)](https://github.com/IgorGanapolsky/ThumbGate/actions/workflows/ci.yml)
 [![npm](https://img.shields.io/npm/v/thumbgate)](https://www.npmjs.com/package/thumbgate)
@@ -18,7 +20,7 @@
 
 ## ThumbGate GPT: start here
 
-**Use ThumbGate in ChatGPT now:** **[Open the live ThumbGate GPT](https://chatgpt.com/g/g-69dcfd1cd5f881918ae31874631d6f08-thumbgate)**, paste the action your AI agent wants to run, and ask whether to allow, block, or checkpoint it.
+**Use ThumbGate in ChatGPT now:** **[Open the live ThumbGate GPT](https://chatgpt.com/g/g-69dcfd1cd5f881918ae31874631d6f08-thumbgate)**, paste the action your AI agent wants to run, and ask whether to allow, block, or checkpoint it before the mistake becomes expensive.
 
 Try this first prompt:
 
@@ -26,7 +28,7 @@ Try this first prompt:
 Check this agent action before it runs: git push --force --tags
 ```
 
-**No, users do not have to keep chatting inside the ThumbGate GPT to use ThumbGate.** The GPT is the fast demo, guided setup path, and thumbs-up/down memory surface for ChatGPT users. The hard enforcement layer still runs where the work happens: your local coding agent, CI workflow, or MCP-compatible runtime after `npx thumbgate init`.
+**No, users do not have to keep chatting inside the ThumbGate GPT to use ThumbGate.** The GPT is the fast demo, guided setup path, and thumbs-up/down memory surface for ChatGPT users. Think of the GPT as advice and checkpointing; the hard enforcement layer still runs where the work happens: your local coding agent, CI workflow, or MCP-compatible runtime after `npx thumbgate init`.
 
 Developers can import the prepared **[GPT Actions OpenAPI spec](adapters/chatgpt/openapi.yaml)** with the **[ChatGPT Actions setup guide](adapters/chatgpt/INSTALL.md)**. Regular ChatGPT users should just open the GPT and type what happened.
 
@@ -46,7 +48,13 @@ It scores deterministic GitHub, npm, database, Railway, shell, and filesystem sc
 
 ## What problem does this solve?
 
-AI agents repeat mistakes. You fix the same problem in session after session — force-push to main, broken migrations, unauthorized file edits — because the agent has no memory of your feedback.
+AI agents repeat expensive mistakes. You fix the same problem in session after session — force-push to main, broken migrations, unauthorized file edits, risky deploys — because the agent has no durable memory of your feedback and no gate before execution.
+
+ThumbGate sells three concrete outcomes:
+
+- **Prevent expensive AI mistakes** — catch bad commands, destructive database actions, unsafe publishes, and risky API calls before they run.
+- **Make AI stop repeating mistakes** — fix it once, turn the lesson into a rule, and block the repeat before the next tool call lands.
+- **Turn AI into a reliable operator** — move from a smart assistant that apologizes after damage to a production-ready operator with checkpoints, proof, and enforcement.
 
 ```
 ┌─────────────────────────────────────────────────────────────┐
@@ -64,7 +72,7 @@ AI agents repeat mistakes. You fix the same problem in session after session —
 └─────────────────────────────────────────────────────────────┘
 ```
 
-ThumbGate is the **control plane** for AI coding agents — turning your feedback into **enforced rules**, not suggestions.
+ThumbGate is the **Reliability Gateway** for AI coding agents — turning your feedback into **enforced rules**, not suggestions.
 
 ---
 
@@ -130,6 +138,8 @@ Session 3:                     │  Session 3+:
 
 **Paid path for individual operators:** [ThumbGate Pro](https://thumbgate-production.up.railway.app/pro?utm_source=github&utm_medium=readme&utm_campaign=pro_page) is the self-serve side lane for a personal dashboard and export-ready evidence.
 
+**Plain product line:** GPT preview = advice and checkpointing. Free local CLI (3 daily feedback captures, 5 daily lesson searches) = basic enforcement on one machine. Pro ($19/mo or $149/yr) = personal enforcement proof, dashboard, and exports. Team = shared hosted lesson DB, org dashboard, and shared enforcement so one correction protects every seat.
+
 ---
 
 ## Quick Start
@@ -265,9 +275,9 @@ Free and self-hosted users can invoke `search_lessons` directly through MCP, and
 **[Start Workflow Hardening Sprint](https://thumbgate-production.up.railway.app/?utm_source=github&utm_medium=readme&utm_campaign=top_cta#workflow-sprint-intake)** · **[Live Dashboard](https://thumbgate-production.up.railway.app/dashboard?utm_source=github&utm_medium=readme&utm_campaign=top_cta)** · **[See Pro](https://thumbgate-production.up.railway.app/pro?utm_source=github&utm_medium=readme&utm_campaign=pro_page)**
 
 **Where to start:**
-- **Teams:** Begin with the Workflow Hardening Sprint — qualify one real repeated failure before committing to a full rollout
-- **Solo operators:** ThumbGate Pro adds a personal dashboard and export-ready evidence
-- **Individuals & open source:** Free CLI tier, self-hosted
+- **Teams:** Begin with the Workflow Hardening Sprint — prove one costly repeat failure can be blocked before committing to a full rollout
+- **Solo operators:** ThumbGate Pro adds personal enforcement proof, a gate debugger, and export-ready evidence
+- **Individuals & open source:** Free CLI tier, self-hosted, with local Pre-Action Gates after install
 
 ---
 

package/adapters/README.md

@@ -3,7 +3,7 @@
 - `chatgpt/openapi.yaml`: import into GPT Actions.
 - `gemini/function-declarations.json`: Gemini function-calling definitions.
 - `mcp/server-stdio.js`: underlying local MCP stdio server implementation.
-- `claude/.mcp.json`: example Claude Code MCP config using `npx --yes --package thumbgate@1.4.3 thumbgate serve`.
+- `claude/.mcp.json`: example Claude Code MCP config using `npx --yes --package thumbgate@1.4.5 thumbgate serve`.
 - `codex/config.toml`: example Codex MCP profile section using the same version-pinned portable launcher.
 - `amp/skills/thumbgate-feedback/SKILL.md`: Amp skill template.
 - `opencode/opencode.json`: portable OpenCode MCP profile using the same version-pinned portable launcher.

package/adapters/claude/.mcp.json

@@ -2,13 +2,13 @@
   "mcpServers": {
     "thumbgate": {
       "command": "npx",
-      "args": ["--yes", "--package", "thumbgate@1.4.3", "thumbgate", "serve"]
+      "args": ["--yes", "--package", "thumbgate@1.4.5", "thumbgate", "serve"]
     }
   },
   "hooks": {
     "preToolUse": {
       "command": "npx",
-      "args": ["--yes", "--package", "thumbgate@1.4.3", "thumbgate", "gate-check"]
+      "args": ["--yes", "--package", "thumbgate@1.4.5", "thumbgate", "gate-check"]
     }
   }
 }

package/adapters/codex/config.toml

@@ -1,9 +1,9 @@
 # Codex MCP profile (copy into ~/.codex/config.toml or merge section)
 [mcp_servers.thumbgate]
 command = "npx"
-args = ["--yes", "--package", "thumbgate@1.4.3", "thumbgate", "serve"]
+args = ["--yes", "--package", "thumbgate@1.4.5", "thumbgate", "serve"]
 
 # Hard PreToolUse hook for Codex
 [hooks.pre_tool_use]
 command = "npx"
-args = ["--yes", "--package", "thumbgate@1.4.3", "thumbgate", "gate-check"]
+args = ["--yes", "--package", "thumbgate@1.4.5", "thumbgate", "gate-check"]

package/adapters/mcp/server-stdio.js

@@ -124,7 +124,7 @@ const {
   finalizeSession: finalizeFeedbackSession,
 } = require('../../scripts/feedback-session');
 
-const SERVER_INFO = { name: 'thumbgate-mcp', version: '1.4.3' };
+const SERVER_INFO = { name: 'thumbgate-mcp', version: '1.4.5' };
 const COMMERCE_CATEGORIES = [
   'product_recommendation',
   'brand_compliance',

package/adapters/opencode/opencode.json

@@ -7,7 +7,7 @@
         "npx",
         "--yes",
         "--package",
-        "thumbgate@1.4.3",
+        "thumbgate@1.4.5",
         "thumbgate",
         "serve"
       ],

package/config/github-about.json

@@ -2,8 +2,8 @@
   "repo": "IgorGanapolsky/ThumbGate",
   "repositoryUrl": "https://github.com/IgorGanapolsky/ThumbGate",
   "homepageUrl": "https://thumbgate-production.up.railway.app",
-  "githubDescription": "CLI-first agent governance for AI coding workflows: pre-action gates, shared lessons, and team safeguards that stop repeated agent mistakes.",
-  "metaDescription": "CLI-first agent governance for teams shipping AI-generated changes. \ud83d\udc4e Thumbs down distills history-aware lessons from up to 8 prior entries and stays linked to a 60-second feedback session. \ud83d\udc4d Thumbs up reinforces safe patterns. Pre-action gates, workflow governance, shared lessons and org visibility, release confidence, and isolated execution guidance turn vibe coding mistakes into shared enforcement and proof-ready rollout.",
+  "githubDescription": "Agent governance that stops costly AI mistakes before they run: pre-action gates, shared lessons, and team safeguards for AI coding workflows.",
+  "metaDescription": "Stop expensive AI agent mistakes before they happen. \ud83d\udc4e Thumbs down becomes history-aware lessons and Pre-Action Gates; \ud83d\udc4d thumbs up reinforces safe patterns. ThumbGate checks risky commands, deploys, API calls, and file edits across ChatGPT, Claude Code, Cursor, Codex, Gemini, Amp, and OpenCode with workflow governance, shared lessons and org visibility for safer vibe coding.",
   "topics": [
     "thumbgate",
     "pre-action-gates",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate",
-  "version": "1.4.3",
+  "version": "1.4.5",
   "description": "Self-improving agent governance: type thumbs-up or thumbs-down on any AI agent action. ThumbGate turns every mistake into a prevention rule and blocks the pattern from repeating. One thumbs-down, never again. 33 pre-action gates, budget enforcement, and self-protection for Claude Code, Cursor, Codex, Gemini CLI, and Amp.",
   "homepage": "https://thumbgate-production.up.railway.app",
   "repository": {
@@ -10,24 +10,172 @@
   "bugs": {
     "url": "https://github.com/IgorGanapolsky/ThumbGate/issues"
   },
-  "main": "scripts/feedback-loop.js",
+  "main": "src/index.js",
   "bin": {
     "thumbgate": "bin/cli.js"
   },
   "files": [
-    "bin/",
+    "bin/cli.js",
+    "bin/postinstall.js",
     "src/",
-    "scripts/",
-    "adapters/",
+    "adapters/mcp/server-stdio.js",
+    "adapters/chatgpt/openapi.yaml",
+    "adapters/gemini/function-declarations.json",
+    "adapters/claude/.mcp.json",
+    "adapters/codex/config.toml",
+    "adapters/opencode/opencode.json",
+    "adapters/amp/skills/thumbgate-feedback/SKILL.md",
+    "adapters/forge/forge.yaml",
     "config/",
-    "plugins/",
     "skills/",
     "openapi/",
-    "public/",
     ".well-known/",
-    ".claude-plugin/",
+    ".claude-plugin/plugin.json",
+    ".claude-plugin/marketplace.json",
+    ".claude-plugin/README.md",
     "README.md",
-    "LICENSE"
+    "LICENSE",
+    "scripts/agent-readiness.js",
+    "scripts/access-anomaly-detector.js",
+    "scripts/agentic-data-pipeline.js",
+    "scripts/analytics-report.js",
+    "scripts/analytics-window.js",
+    "scripts/async-job-runner.js",
+    "scripts/audit-trail.js",
+    "scripts/auto-promote-gates.js",
+    "scripts/auto-wire-hooks.js",
+    "scripts/belief-update.js",
+    "scripts/billing-setup.js",
+    "scripts/billing.js",
+    "scripts/bot-detector.js",
+    "scripts/build-metadata.js",
+    "scripts/claude-feedback-sync.js",
+    "scripts/cli-demo.js",
+    "scripts/cli-feedback.js",
+    "scripts/cli-schema.js",
+    "scripts/cli-status.js",
+    "scripts/cli-telemetry.js",
+    "scripts/cloudflare-dynamic-sandbox.js",
+    "scripts/code-reasoning.js",
+    "scripts/codegraph-context.js",
+    "scripts/commercial-offer.js",
+    "scripts/context-manager.js",
+    "scripts/contextfs.js",
+    "scripts/conversation-context.js",
+    "scripts/creator-campaigns.js",
+    "scripts/cross-encoder-reranker.js",
+    "scripts/daemon-manager.js",
+    "scripts/dashboard-render-spec.js",
+    "scripts/dashboard.js",
+    "scripts/decision-journal.js",
+    "scripts/delegation-runtime.js",
+    "scripts/dispatch-brief.js",
+    "scripts/distribution-surfaces.js",
+    "scripts/docker-sandbox-planner.js",
+    "scripts/document-intake.js",
+    "scripts/evolution-state.js",
+    "scripts/experiment-tracker.js",
+    "scripts/explore-subcommands.js",
+    "scripts/explore.js",
+    "scripts/export-databricks-bundle.js",
+    "scripts/export-dpo-pairs.js",
+    "scripts/export-hf-dataset.js",
+    "scripts/failure-diagnostics.js",
+    "scripts/feedback-attribution.js",
+    "scripts/feedback-history-distiller.js",
+    "scripts/feedback-loop.js",
+    "scripts/feedback-paths.js",
+    "scripts/feedback-quality.js",
+    "scripts/feedback-schema.js",
+    "scripts/feedback-session.js",
+    "scripts/feedback-to-rules.js",
+    "scripts/filesystem-search.js",
+    "scripts/fs-utils.js",
+    "scripts/funnel-analytics.js",
+    "scripts/gate-stats.js",
+    "scripts/gate-templates.js",
+    "scripts/gates-engine.js",
+    "scripts/harness-selector.js",
+    "scripts/history-distiller.js",
+    "scripts/hook-runtime.js",
+    "scripts/hook-thumbgate-cache-updater.js",
+    "scripts/hosted-config.js",
+    "scripts/hosted-job-launcher.js",
+    "scripts/hybrid-feedback-context.js",
+    "scripts/install-mcp.js",
+    "scripts/intent-router.js",
+    "scripts/internal-agent-bootstrap.js",
+    "scripts/intervention-policy.js",
+    "scripts/jsonl-watcher.js",
+    "scripts/lesson-db.js",
+    "scripts/lesson-inference.js",
+    "scripts/lesson-reranker.js",
+    "scripts/lesson-retrieval.js",
+    "scripts/lesson-rotation.js",
+    "scripts/lesson-search.js",
+    "scripts/lesson-synthesis.js",
+    "scripts/license.js",
+    "scripts/llm-client.js",
+    "scripts/local-model-profile.js",
+    "scripts/managed-lesson-agent.js",
+    "scripts/mcp-config.js",
+    "scripts/mcp-policy.js",
+    "scripts/memory-firewall.js",
+    "scripts/meta-agent-loop.js",
+    "scripts/natural-language-harness.js",
+    "scripts/obsidian-export.js",
+    "scripts/operational-dashboard.js",
+    "scripts/operational-integrity.js",
+    "scripts/operational-summary.js",
+    "scripts/optimize-context.js",
+    "scripts/org-dashboard.js",
+    "scripts/partner-orchestration.js",
+    "scripts/perplexity-client.js",
+    "scripts/predictive-insights.js",
+    "scripts/pro-local-dashboard.js",
+    "scripts/problem-detail.js",
+    "scripts/product-feedback.js",
+    "scripts/profile-router.js",
+    "scripts/prompt-guard.js",
+    "scripts/published-cli.js",
+    "scripts/pulse.js",
+    "scripts/rate-limiter.js",
+    "scripts/reflector-agent.js",
+    "scripts/risk-scorer.js",
+    "scripts/rlaif-self-audit.js",
+    "scripts/rubric-engine.js",
+    "scripts/secret-scanner.js",
+    "scripts/security-scanner.js",
+    "scripts/self-distill-agent.js",
+    "scripts/self-heal.js",
+    "scripts/semantic-dedup.js",
+    "scripts/semantic-layer.js",
+    "scripts/seo-gsd.js",
+    "scripts/settings-hierarchy.js",
+    "scripts/skill-generator.js",
+    "scripts/slo-alert-engine.js",
+    "scripts/statusline-cache-path.js",
+    "scripts/statusline-lesson.js",
+    "scripts/statusline-links.js",
+    "scripts/statusline-local-stats.js",
+    "scripts/statusline-meta.js",
+    "scripts/statusline.sh",
+    "scripts/statusline-tower.js",
+    "scripts/telemetry-analytics.js",
+    "scripts/thompson-sampling.js",
+    "scripts/thumbgate-search.js",
+    "scripts/tool-registry.js",
+    "scripts/tool-kpi-tracker.js",
+    "scripts/user-profile.js",
+    "scripts/validate-workflow-contract.js",
+    "scripts/vector-store.js",
+    "scripts/verification-loop.js",
+    "scripts/webhook-delivery.js",
+    "scripts/workflow-runs.js",
+    "scripts/workflow-sentinel.js",
+    "scripts/workflow-sprint-intake.js",
+    "scripts/workspace-evolver.js",
+    "scripts/xmemory-lite.js"
   ],
   "scripts": {
     "postinstall": "node bin/postinstall.js || true",
@@ -133,7 +281,7 @@
     "test:quality": "node --test tests/validate-feedback.test.js",
     "test:intelligence": "node --test tests/intelligence.test.js",
     "test:training-export": "node --test tests/training-export.test.js tests/databricks-export.test.js",
-    "test:deployment": "node --test tests/deployment.test.js tests/deploy-policy.test.js tests/publish-decision.test.js tests/changeset-check.test.js tests/sonarcloud-workflow.test.js tests/package-boundary.test.js",
+    "test:deployment": "node --test tests/deployment.test.js tests/deploy-policy.test.js tests/publish-decision.test.js tests/changeset-check.test.js tests/release-notes.test.js tests/sonarcloud-workflow.test.js tests/package-boundary.test.js",
     "test:operational-integrity": "node --test tests/operational-integrity.test.js tests/sync-branch-protection.test.js",
     "test:workflow": "node --test tests/workflow-contract.test.js tests/social-marketing-assets.test.js tests/social-pipeline.test.js tests/positioning-contract.test.js tests/docs-claim-hygiene.test.js tests/workflow-runs.test.js tests/workflow-sprint-intake.test.js tests/gtm-revenue-loop.test.js tests/enterprise-story.test.js tests/ralph-loop.test.js tests/ralph-mode-ci.test.js",
     "test:billing": "node --test tests/billing.test.js",

package/scripts/billing.js

@@ -2068,8 +2068,11 @@ function buildCheckoutSessionPayload({ successUrl, cancelUrl, customerEmail, che
       packId: pack ? pack.id : null,
       credits: pack ? pack.credits : null,
     }),
-    // 7-day free trial for subscriptions — reduces checkout abandonment
-    ...(pack ? {} : { subscription_data: { trial_period_days: 7 } }),
+    // 7-day free trial for subscriptions — don't require card upfront
+    ...(pack ? {} : {
+      subscription_data: { trial_period_days: 7 },
+      payment_method_collection: 'if_required',
+    }),
   };
 
   const normalizedCustomerEmail = normalizeText(customerEmail);

package/scripts/statusline.sh

@@ -155,6 +155,7 @@ osc_link() {
     *localhost*|*127.0.0.1*|"") printf '%s' "$label" ;;
     *) printf '\033]8;;%s\007%s\033]8;;\007' "$url" "$label" ;;
   esac
+  return 0
 }
 
 UP_ICON="👍"

package/src/api/server.js

@@ -1063,38 +1063,131 @@ function loadProPageHtml(runtimeConfig, pageContext = {}) {
   return loadPublicMarketingTemplateHtml(PRO_PAGE_PATH, runtimeConfig, pageContext);
 }
 
-function loadDashboardPageHtml(req, expectedApiKey) {
-  const template = fs.readFileSync(DASHBOARD_PAGE_PATH, 'utf-8');
+function readOptionalPublicTemplate(filePath) {
+  try {
+    return fs.readFileSync(filePath, 'utf-8');
+  } catch (error) {
+    if (error?.code === 'ENOENT') return null;
+    throw error;
+  }
+}
+
+function resolveLocalPageBootstrap(req, expectedApiKey) {
   const forwardedHost = req.headers['x-forwarded-host'];
   const hostHeader = Array.isArray(forwardedHost)
     ? forwardedHost[0]
     : forwardedHost || req.headers.host || '';
   const localProBootstrap = process.env.THUMBGATE_PRO_MODE === '1' && Boolean(expectedApiKey) && isLoopbackHost(hostHeader);
-  // Developer override: auth is disabled (expectedApiKey===null), auto-connect with dummy key
   const devOverride = expectedApiKey === null && isLoopbackHost(hostHeader);
   const bootstrapActive = localProBootstrap || devOverride;
   const serializedBootstrapKey = JSON.stringify(localProBootstrap ? expectedApiKey : devOverride ? 'dev-override' : '').replace(/</g, '\\u003c');
 
+  return {
+    bootstrapActive,
+    serializedBootstrapKey,
+  };
+}
+
+function renderPackagedDashboardHtml({ bootstrapActive, serializedBootstrapKey }) {
+  return `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>ThumbGate Dashboard</title>
+<style>
+:root { color-scheme: light dark; --bg:#0f172a; --panel:#111827; --text:#f8fafc; --muted:#94a3b8; --line:#334155; --accent:#22c55e; }
+body { margin:0; font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; background:linear-gradient(135deg,#020617,#111827); color:var(--text); }
+main { max-width:920px; margin:0 auto; padding:48px 20px; }
+.panel { border:1px solid var(--line); border-radius:20px; background:rgba(15,23,42,.86); padding:28px; box-shadow:0 24px 80px rgba(0,0,0,.32); }
+.eyebrow { color:var(--accent); font-size:13px; font-weight:700; letter-spacing:.12em; text-transform:uppercase; }
+h1 { font-size:clamp(32px,5vw,54px); line-height:1; margin:14px 0; }
+p { color:var(--muted); font-size:18px; line-height:1.6; }
+.grid { display:grid; grid-template-columns:repeat(auto-fit,minmax(220px,1fr)); gap:14px; margin-top:26px; }
+a { color:var(--text); text-decoration:none; }
+.card { display:block; border:1px solid var(--line); border-radius:16px; padding:18px; background:rgba(30,41,59,.7); }
+.card strong { display:block; margin-bottom:8px; }
+.card span { color:var(--muted); font-size:14px; line-height:1.5; }
+</style>
+<script>
+window.THUMBGATE_DASHBOARD_BOOTSTRAP = { enabled: ${bootstrapActive ? 'true' : 'false'}, apiKey: ${serializedBootstrapKey} };
+</script>
+</head>
+<body>
+<main>
+<section class="panel">
+<div class="eyebrow">Packaged runtime</div>
+<h1>ThumbGate is running locally.</h1>
+<p>This lightweight npm dashboard is bundled without marketing assets, so installs stay small while core feedback, lessons, and API routes remain available.</p>
+<div class="grid">
+<a class="card" href="/v1/dashboard"><strong>Dashboard JSON</strong><span>Inspect feedback totals, lesson counts, and Reliability Gateway health.</span></a>
+<a class="card" href="/lessons"><strong>Lessons</strong><span>Review remembered thumbs-up/down lessons and enforcement context.</span></a>
+<a class="card" href="/health"><strong>Health</strong><span>Verify the installed package version and runtime status.</span></a>
+</div>
+</section>
+</main>
+</body>
+</html>`;
+}
+
+function renderPackagedLessonsHtml({ bootstrapActive, serializedBootstrapKey }) {
+  return `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>ThumbGate Lessons</title>
+<style>
+:root { color-scheme: light dark; --bg:#0f172a; --panel:#111827; --text:#f8fafc; --muted:#94a3b8; --line:#334155; --accent:#38bdf8; }
+body { margin:0; font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; background:linear-gradient(135deg,#020617,#0f172a); color:var(--text); }
+main { max-width:920px; margin:0 auto; padding:48px 20px; }
+.panel { border:1px solid var(--line); border-radius:20px; background:rgba(15,23,42,.86); padding:28px; box-shadow:0 24px 80px rgba(0,0,0,.32); }
+.eyebrow { color:var(--accent); font-size:13px; font-weight:700; letter-spacing:.12em; text-transform:uppercase; }
+h1 { font-size:clamp(32px,5vw,54px); line-height:1; margin:14px 0; }
+p { color:var(--muted); font-size:18px; line-height:1.6; }
+.actions { display:flex; flex-wrap:wrap; gap:12px; margin-top:26px; }
+a { color:var(--text); text-decoration:none; border:1px solid var(--line); border-radius:999px; padding:12px 16px; background:rgba(30,41,59,.7); }
+</style>
+<script>
+window.THUMBGATE_LESSONS_BOOTSTRAP = { enabled: ${bootstrapActive ? 'true' : 'false'}, apiKey: ${serializedBootstrapKey} };
+</script>
+</head>
+<body>
+<main>
+<section class="panel">
+<div class="eyebrow">Packaged runtime</div>
+<h1>ThumbGate lessons are available.</h1>
+<p>The full hosted lessons UI is excluded from the npm tarball, but installed packages still expose the lesson APIs and detail pages needed for local agent feedback loops.</p>
+<div class="actions">
+<a href="/v1/lessons/search">Search lessons JSON</a>
+<a href="/v1/feedback/stats">Feedback stats JSON</a>
+<a href="/dashboard">Back to dashboard</a>
+</div>
+</section>
+</main>
+</body>
+</html>`;
+}
+
+function loadDashboardPageHtml(req, expectedApiKey) {
+  const bootstrap = resolveLocalPageBootstrap(req, expectedApiKey);
+  const template = readOptionalPublicTemplate(DASHBOARD_PAGE_PATH);
+  if (!template) return renderPackagedDashboardHtml(bootstrap);
+
   return fillTemplate(template, {
-    '__DASHBOARD_BOOTSTRAP_KEY__': serializedBootstrapKey,
-    '__DASHBOARD_BOOTSTRAP_ENABLED__': bootstrapActive ? 'true' : 'false',
+    '__DASHBOARD_BOOTSTRAP_KEY__': bootstrap.serializedBootstrapKey,
+    '__DASHBOARD_BOOTSTRAP_ENABLED__': bootstrap.bootstrapActive ? 'true' : 'false',
   });
 }
 
 function loadLessonsPageHtml(req, expectedApiKey) {
-  const template = fs.readFileSync(LESSONS_PAGE_PATH, 'utf-8');
-  const forwardedHost = req.headers['x-forwarded-host'];
-  const hostHeader = Array.isArray(forwardedHost)
-    ? forwardedHost[0]
-    : forwardedHost || req.headers.host || '';
-  const localProBootstrap = process.env.THUMBGATE_PRO_MODE === '1' && Boolean(expectedApiKey) && isLoopbackHost(hostHeader);
-  const devOverride = expectedApiKey === null && isLoopbackHost(hostHeader);
-  const bootstrapActive = localProBootstrap || devOverride;
-  const serializedBootstrapKey = JSON.stringify(localProBootstrap ? expectedApiKey : devOverride ? 'dev-override' : '').replace(/</g, '\\u003c');
+  const bootstrap = resolveLocalPageBootstrap(req, expectedApiKey);
+  const template = readOptionalPublicTemplate(LESSONS_PAGE_PATH);
+  if (!template) return renderPackagedLessonsHtml(bootstrap);
 
   return fillTemplate(template, {
-    '__LESSONS_BOOTSTRAP_KEY__': serializedBootstrapKey,
-    '__LESSONS_BOOTSTRAP_ENABLED__': bootstrapActive ? 'true' : 'false',
+    '__LESSONS_BOOTSTRAP_KEY__': bootstrap.serializedBootstrapKey,
+    '__LESSONS_BOOTSTRAP_ENABLED__': bootstrap.bootstrapActive ? 'true' : 'false',
   });
 }
 
@@ -5079,6 +5172,10 @@ module.exports = {
     getPosthogProxyPath,
     isAllowedPosthogProxyPath,
     renderSitemapXml,
+    renderPackagedDashboardHtml,
+    renderPackagedLessonsHtml,
+    readOptionalPublicTemplate,
+    resolveLocalPageBootstrap,
   },
 };
 

package/src/index.js

@@ -0,0 +1,3 @@
+'use strict';
+
+module.exports = require('../scripts/feedback-loop');

package/.claude-plugin/bundle/icon.svg

@@ -1,18 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512" role="img" aria-labelledby="title desc">
-  <title>ThumbGate</title>
-  <desc>Gateway icon for the Claude Desktop workflow hardening extension.</desc>
-  <defs>
-    <linearGradient id="bg" x1="0%" x2="100%" y1="0%" y2="100%">
-      <stop offset="0%" stop-color="#111827"/>
-      <stop offset="100%" stop-color="#1f2937"/>
-    </linearGradient>
-    <linearGradient id="gate" x1="0%" x2="100%" y1="0%" y2="100%">
-      <stop offset="0%" stop-color="#f97316"/>
-      <stop offset="100%" stop-color="#fb7185"/>
-    </linearGradient>
-  </defs>
-  <rect width="512" height="512" rx="96" fill="url(#bg)"/>
-  <path fill="url(#gate)" d="M152 128h208c17.7 0 32 14.3 32 32v64h-64v-32H184v128h144v-32h64v64c0 17.7-14.3 32-32 32H152c-17.7 0-32-14.3-32-32V160c0-17.7 14.3-32 32-32Z"/>
-  <path fill="#fff4ed" d="M248 180h96v48h-48v56h48v48h-96z"/>
-  <circle cx="196" cy="256" r="26" fill="#fef3c7"/>
-</svg>