thumbgate 1.5.8 → 1.6.0

package/scripts/mailer/resend-mailer.js

@@ -0,0 +1,350 @@
+'use strict';
+
+/**
+ * scripts/mailer/resend-mailer.js
+ *
+ * Resend-backed transactional email sender for ThumbGate.
+ *
+ * Design goals:
+ *  - Zero-dep: uses global `fetch` (Node 18+) to hit https://api.resend.com/emails.
+ *  - Gracefully optional: if RESEND_API_KEY is unset, sends are skipped with a
+ *    logged warning and the caller receives `{ sent: false, reason: 'no_api_key' }`.
+ *    This prevents the Stripe webhook from failing when email is not configured.
+ *  - Testable: accepts an injectable `fetch` implementation via opts.fetchImpl.
+ *  - CAN-SPAM compliant: every commercial email carries business name, physical
+ *    address, and a functional unsubscribe method.
+ */
+
+const PRODUCT_NAME = 'ThumbGate Pro';
+const DASHBOARD_URL = 'https://thumbgate-production.up.railway.app/dashboard';
+const SUPPORT_EMAIL = 'hello@thumbgate.app';
+const DEFAULT_FROM = 'onboarding@resend.dev';
+const DEFAULT_REPLY_TO = 'hello@thumbgate.app';
+const DEFAULT_UNSUBSCRIBE_EMAIL = 'unsubscribe@thumbgate.app';
+const DEFAULT_BUSINESS_NAME = 'Max Smith KDP LLC';
+// CAN-SPAM requires a physical mailing address. Override via THUMBGATE_BUSINESS_ADDRESS.
+const DEFAULT_BUSINESS_ADDRESS = '2261 Market Street #4242, San Francisco, CA 94114';
+// Hosted PNG that email clients (Gmail, Outlook) will proxy. SVG is stripped from most email HTML.
+const BRAND_MARK_URL = 'https://thumbgate-production.up.railway.app/thumbgate-icon.png';
+const RESEND_ENDPOINT = 'https://api.resend.com/emails';
+const TRIAL_LENGTH_DAYS = 7;
+
+function getApiKey() {
+  return process.env.RESEND_API_KEY || '';
+}
+
+function getFromAddress() {
+  return process.env.THUMBGATE_TRIAL_EMAIL_FROM || process.env.RESEND_FROM_EMAIL || DEFAULT_FROM;
+}
+
+function getReplyTo() {
+  return process.env.THUMBGATE_TRIAL_EMAIL_REPLY_TO || DEFAULT_REPLY_TO;
+}
+
+function getUnsubscribeEmail() {
+  return process.env.THUMBGATE_UNSUBSCRIBE_EMAIL || DEFAULT_UNSUBSCRIBE_EMAIL;
+}
+
+function getBusinessName() {
+  return process.env.THUMBGATE_BUSINESS_NAME || DEFAULT_BUSINESS_NAME;
+}
+
+function getBusinessAddress() {
+  return process.env.THUMBGATE_BUSINESS_ADDRESS || DEFAULT_BUSINESS_ADDRESS;
+}
+
+function isNonEmptyString(value) {
+  return typeof value === 'string' && value.trim().length > 0;
+}
+
+/**
+ * Low-level send. Posts to the Resend API or no-ops when RESEND_API_KEY is
+ * missing. Never throws on network errors; returns a structured result instead.
+ */
+async function sendEmail({ to, subject, html, text, from, replyTo, fetchImpl } = {}) {
+  if (!isNonEmptyString(to)) throw new Error('sendEmail: `to` is required');
+  if (!isNonEmptyString(subject)) throw new Error('sendEmail: `subject` is required');
+  if (!isNonEmptyString(html) && !isNonEmptyString(text)) {
+    throw new Error('sendEmail: at least one of `html` or `text` is required');
+  }
+
+  const apiKey = getApiKey();
+  if (!apiKey) {
+    // eslint-disable-next-line no-console
+    console.warn('[mailer] RESEND_API_KEY not set — skipping send to', to);
+    return { sent: false, reason: 'no_api_key' };
+  }
+
+  const payload = {
+    from: from || getFromAddress(),
+    to: Array.isArray(to) ? to : [to],
+    subject,
+    reply_to: replyTo || getReplyTo(),
+  };
+  if (isNonEmptyString(html)) payload.html = html;
+  if (isNonEmptyString(text)) payload.text = text;
+
+  const fetcher = fetchImpl || globalThis.fetch;
+  if (typeof fetcher !== 'function') {
+    // eslint-disable-next-line no-console
+    console.warn('[mailer] global fetch not available — skipping send');
+    return { sent: false, reason: 'no_fetch' };
+  }
+
+  try {
+    const res = await fetcher(RESEND_ENDPOINT, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        Authorization: `Bearer ${apiKey}`,
+      },
+      body: JSON.stringify(payload),
+    });
+
+    const bodyText = typeof res.text === 'function' ? await res.text() : '';
+    let bodyJson = null;
+    if (bodyText) {
+      try { bodyJson = JSON.parse(bodyText); } catch (_) { /* leave as text */ }
+    }
+
+    if (!res.ok) {
+      // eslint-disable-next-line no-console
+      console.warn(`[mailer] Resend returned ${res.status}:`, bodyText);
+      return { sent: false, reason: 'api_error', status: res.status, body: bodyJson || bodyText };
+    }
+
+    return { sent: true, id: bodyJson && bodyJson.id ? bodyJson.id : null, status: res.status };
+  } catch (err) {
+    // eslint-disable-next-line no-console
+    console.warn('[mailer] send failed:', err && err.message ? err.message : err);
+    return { sent: false, reason: 'exception', error: err && err.message ? err.message : String(err) };
+  }
+}
+
+function escapeHtml(value) {
+  return String(value)
+    .replace(/&/g, '&')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;');
+}
+
+function firstName(full) {
+  if (!isNonEmptyString(full)) return '';
+  const trimmed = full.trim();
+  const first = trimmed.split(/\s+/)[0] || '';
+  // Never use email-looking strings as a name.
+  if (/@/.test(first)) return '';
+  return first;
+}
+
+function formatTrialEndDate(trialEndAt) {
+  let d;
+  if (trialEndAt instanceof Date) d = trialEndAt;
+  else if (typeof trialEndAt === 'number') d = new Date(trialEndAt);
+  else if (typeof trialEndAt === 'string' && trialEndAt) d = new Date(trialEndAt);
+  else {
+    d = new Date();
+    d.setUTCDate(d.getUTCDate() + TRIAL_LENGTH_DAYS);
+  }
+  if (Number.isNaN(d.getTime())) {
+    d = new Date();
+    d.setUTCDate(d.getUTCDate() + TRIAL_LENGTH_DAYS);
+  }
+  // Render as "Apr 24, 2026" (UTC) — avoids locale surprises on server.
+  const months = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];
+  const month = months[d.getUTCMonth()];
+  const day = d.getUTCDate();
+  const year = d.getUTCFullYear();
+  return `${month} ${day}, ${year}`;
+}
+
+function renderTrialWelcomeBodies({ licenseKey, customerId, customerName, trialEndAt } = {}) {
+  const activationCommand = `npx thumbgate pro --activate --key=${licenseKey}`;
+  const name = firstName(customerName);
+  const greeting = name ? `Hi ${name},` : 'Hi there,';
+  const trialEndLabel = formatTrialEndDate(trialEndAt);
+  const headline = 'Your ThumbGate Pro trial is live.';
+  const subhead = `You have 7 days of Pro access. Trial ends ${trialEndLabel}.`;
+  const description =
+    'ThumbGate turns thumbs up/down feedback into Pre-Action Gates that stop repeated AI coding mistakes ' +
+    'before the next tool call. Lessons stay on your machine. Repeated failures become Reliability Gateway blocks.';
+  const exampleFeedback =
+    'thumbs down: the answer skipped exact files and tests; next time include paths, commands, and verification evidence.';
+  const proofUrl = 'https://github.com/IgorGanapolsky/ThumbGate/blob/main/docs/VERIFICATION_EVIDENCE.md';
+  const unsubscribeEmail = getUnsubscribeEmail();
+  const businessName = getBusinessName();
+  const businessAddress = getBusinessAddress();
+  const unsubscribeMailto = `mailto:${unsubscribeEmail}?subject=unsubscribe&body=Please%20remove%20me%20from%20ThumbGate%20emails.`;
+  const postscript =
+    `P.S. The first 10 minutes are the best time to catch your agent's most-repeated failure. ` +
+    `Open the dashboard, give one concrete thumbs down on a mistake you've seen twice, and watch ThumbGate build the gate.`;
+
+  const text = [
+    greeting,
+    '',
+    headline,
+    subhead,
+    '',
+    description,
+    '',
+    'Your first 10 minutes',
+    '1. Activate Pro locally:',
+    `   ${activationCommand}`,
+    '',
+    `2. Open your dashboard: ${DASHBOARD_URL}`,
+    '',
+    '3. Give one concrete thumbs up or thumbs down:',
+    `   ${exampleFeedback}`,
+    '',
+    'Your trial key (save this):',
+    `   ${licenseKey}`,
+    '',
+    `Verification evidence: ${proofUrl}`,
+    '',
+    postscript,
+    '',
+    `Questions? Just reply to this email or write ${SUPPORT_EMAIL}.`,
+    '',
+    '— Igor, founder of ThumbGate',
+    '',
+    '---',
+    `You're getting this because you started a ${PRODUCT_NAME} trial. Don't want these emails? Unsubscribe: ${unsubscribeEmail}`,
+    `${businessName} · ${businessAddress}`,
+  ].join('\n');
+
+  const safeKey = escapeHtml(licenseKey);
+  const safeCmd = escapeHtml(activationCommand);
+  const safeGreeting = escapeHtml(greeting);
+  const safeSubhead = escapeHtml(subhead);
+  const safeHeadline = escapeHtml(headline);
+  const safeDescription = escapeHtml(description);
+  const safeExample = escapeHtml(exampleFeedback);
+  const safePostscript = escapeHtml(postscript);
+  const safeBusinessName = escapeHtml(businessName);
+  const safeBusinessAddress = escapeHtml(businessAddress);
+  const safeUnsubscribeEmail = escapeHtml(unsubscribeEmail);
+  const safeUnsubscribeMailto = escapeHtml(unsubscribeMailto);
+  const safeCustomer = customerId ? escapeHtml(customerId) : '';
+
+  const html = `<!doctype html>
+<html>
+  <body style="margin:0;background:#f5f7fb;padding:28px 12px;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,Arial,sans-serif;color:#17212b;">
+    <div style="display:none;max-height:0;overflow:hidden;opacity:0;color:transparent;">Activate Pro in one command, open the dashboard, and start blocking repeated AI coding mistakes.</div>
+    <table role="presentation" width="100%" cellspacing="0" cellpadding="0" style="border-collapse:collapse;">
+      <tr>
+        <td align="center">
+          <table role="presentation" width="100%" cellspacing="0" cellpadding="0" style="border-collapse:collapse;max-width:640px;background:#ffffff;border:1px solid #d8e2ea;border-radius:10px;overflow:hidden;">
+            <tr>
+              <td style="background:#071115;padding:24px 28px;color:#e7fbff;">
+                <table role="presentation" cellpadding="0" cellspacing="0" style="border-collapse:collapse;">
+                  <tr>
+                    <td style="vertical-align:middle;padding-right:12px;">
+                      <img src="${BRAND_MARK_URL}" width="40" height="40" alt="ThumbGate" style="display:block;border-radius:8px;">
+                    </td>
+                    <td style="vertical-align:middle;">
+                      <div style="font-size:13px;font-weight:700;letter-spacing:0.02em;text-transform:uppercase;color:#73d4e9;">${escapeHtml(PRODUCT_NAME)}</div>
+                    </td>
+                  </tr>
+                </table>
+                <h1 style="margin:16px 0 8px;font-size:26px;line-height:1.2;color:#ffffff;">${safeHeadline}</h1>
+                <p style="margin:0;font-size:14px;line-height:1.5;color:#9cbac4;">${safeSubhead}</p>
+              </td>
+            </tr>
+            <tr>
+              <td style="padding:26px 28px 6px;">
+                <p style="margin:0 0 12px;font-size:15px;line-height:1.6;color:#17212b;">${safeGreeting}</p>
+                <p style="margin:0 0 18px;font-size:15px;line-height:1.6;color:#344451;">${safeDescription}</p>
+                <p style="margin:0 0 24px;">
+                  <a href="${DASHBOARD_URL}" style="display:inline-block;background:#45bfd8;color:#061015;text-decoration:none;font-weight:700;padding:12px 22px;border-radius:6px;font-size:15px;">Open your dashboard</a>
+                </p>
+              </td>
+            </tr>
+            <tr>
+              <td style="padding:0 28px 10px;">
+                <h2 style="margin:0 0 10px;font-size:17px;line-height:1.3;color:#17212b;">Your first 10 minutes</h2>
+                <p style="margin:0 0 8px;font-size:14px;line-height:1.55;color:#344451;"><strong>1. Activate Pro locally</strong></p>
+                <pre style="margin:0 0 20px;background:#081016;color:#d8f7e4;border:1px solid #23343d;border-radius:6px;padding:14px;font-size:13px;line-height:1.45;white-space:pre-wrap;word-break:break-word;"><code>${safeCmd}</code></pre>
+
+                <p style="margin:0 0 8px;font-size:14px;line-height:1.55;color:#344451;"><strong>2. Save your trial key</strong></p>
+                <pre style="margin:0 0 20px;background:#eef6f7;color:#0b343c;border:1px solid #c7e2e7;border-radius:6px;padding:14px;font-size:13px;line-height:1.45;white-space:pre-wrap;word-break:break-word;"><code>${safeKey}</code></pre>
+
+                <p style="margin:0 0 8px;font-size:14px;line-height:1.55;color:#344451;"><strong>3. Give one concrete thumbs up or thumbs down</strong></p>
+                <p style="margin:0 0 8px;font-size:13px;line-height:1.55;color:#526273;">Start with the failure you most want your agent to stop repeating.</p>
+                <pre style="margin:0 0 22px;background:#f1fff2;color:#22602b;border:1px solid #bae7c0;border-radius:6px;padding:14px;font-size:13px;line-height:1.45;white-space:pre-wrap;word-break:break-word;"><code>${safeExample}</code></pre>
+              </td>
+            </tr>
+            <tr>
+              <td style="padding:6px 28px 22px;">
+                <p style="margin:0 0 14px;font-size:14px;line-height:1.6;color:#344451;font-style:italic;">${safePostscript}</p>
+                <p style="margin:0 0 4px;font-size:14px;line-height:1.6;color:#17212b;">— Igor, founder of ThumbGate</p>
+                <p style="margin:0;font-size:13px;line-height:1.55;color:#526273;">
+                  Questions? Just reply to this email or write
+                  <a href="mailto:${SUPPORT_EMAIL}" style="color:#087a91;">${SUPPORT_EMAIL}</a>.
+                </p>
+              </td>
+            </tr>
+            <tr>
+              <td style="padding:16px 28px 22px;border-top:1px solid #e2e8ec;background:#fafbfc;">
+                <p style="margin:0 0 6px;font-size:12px;line-height:1.5;color:#7a8790;">
+                  You're getting this one-time email because you started a ${escapeHtml(PRODUCT_NAME)} trial.
+                  <a href="${safeUnsubscribeMailto}" style="color:#7a8790;text-decoration:underline;">Unsubscribe</a>
+                  (${safeUnsubscribeEmail}).
+                </p>
+                <p style="margin:0;font-size:12px;line-height:1.5;color:#7a8790;">
+                  ${safeBusinessName} &middot; ${safeBusinessAddress}
+                </p>
+                ${safeCustomer ? `<p style="margin:8px 0 0;font-size:11px;color:#a0abb2;">Customer ID (for support): <code>${safeCustomer}</code></p>` : ''}
+              </td>
+            </tr>
+          </table>
+        </td>
+      </tr>
+    </table>
+  </body>
+</html>`;
+
+  return { html, text, activationCommand, trialEndLabel, greeting, unsubscribeEmail, businessName, businessAddress };
+}
+
+/**
+ * High-level helper: send the trial / checkout welcome email with the license key.
+ *
+ * Accepts optional `customerName` (used for greeting) and `trialEndAt`
+ * (Date | number | ISO string — used to display the exact expiry date).
+ *
+ * Never throws on send failures (beyond input validation); the Stripe webhook
+ * must keep working even if email breaks.
+ */
+async function sendTrialWelcomeEmail({ to, licenseKey, customerId, customerName, trialEndAt, fetchImpl } = {}) {
+  if (!isNonEmptyString(to)) throw new Error('sendTrialWelcomeEmail: `to` is required');
+  if (!isNonEmptyString(licenseKey)) throw new Error('sendTrialWelcomeEmail: `licenseKey` is required');
+
+  const { html, text } = renderTrialWelcomeBodies({ licenseKey, customerId, customerName, trialEndAt });
+  const name = firstName(customerName);
+  const subject = name
+    ? `${name}, your ThumbGate Pro key is inside`
+    : 'Your ThumbGate Pro key is inside';
+
+  return sendEmail({ to, subject, html, text, replyTo: getReplyTo(), fetchImpl });
+}
+
+module.exports = {
+  sendEmail,
+  sendTrialWelcomeEmail,
+  renderTrialWelcomeBodies,
+  _constants: {
+    PRODUCT_NAME,
+    DASHBOARD_URL,
+    SUPPORT_EMAIL,
+    DEFAULT_FROM,
+    DEFAULT_REPLY_TO,
+    DEFAULT_UNSUBSCRIBE_EMAIL,
+    DEFAULT_BUSINESS_NAME,
+    DEFAULT_BUSINESS_ADDRESS,
+    BRAND_MARK_URL,
+    RESEND_ENDPOINT,
+    TRIAL_LENGTH_DAYS,
+  },
+};

package/scripts/mcp-config.js

@@ -106,6 +106,17 @@ function portableMcpEntry(pkgVersion) {
   };
 }
 
+function codexAutoUpdateCliEntry(commandArgs = []) {
+  return {
+    command: 'sh',
+    args: ['-lc', publishedCliShellCommand('latest', commandArgs, { preferInstalled: false })],
+  };
+}
+
+function codexAutoUpdateMcpEntry() {
+  return codexAutoUpdateCliEntry(['serve']);
+}
+
 function localMcpEntry(pkgRoot, scope = 'project') {
   return {
     command: 'node',
@@ -201,4 +212,6 @@ module.exports = {
   resolveLocalServerPath,
   resolveMcpEntry,
   resolveStableSourceRoot,
+  codexAutoUpdateCliEntry,
+  codexAutoUpdateMcpEntry,
 };

package/scripts/published-cli.js

@@ -37,6 +37,14 @@ function publishedCliShellCommand(pkgVersion, commandArgs = [], options = {}) {
   const escapedArgs = commandArgs.map(shellQuote).join(' ');
   const fastPath = `[ -x ${shellQuote(runtimeBin)} ] && exec ${shellQuote(runtimeBin)}${escapedArgs ? ` ${escapedArgs}` : ''}`;
   const installPath = `mkdir -p ${shellQuote(prefixDir)} && exec npm ${publishedCliArgs(pkgVersion, commandArgs, { prefixDir }).map(shellQuote).join(' ')}`;
+  if (options.preferInstalled === false) {
+    const packageSpec = `thumbgate@${pkgVersion}`;
+    return [
+      `mkdir -p ${shellQuote(prefixDir)}`,
+      `npm "install" "--prefix" ${shellQuote(prefixDir)} "--no-save" "--omit=dev" ${shellQuote(packageSpec)} >/dev/null 2>&1`,
+      `exec ${shellQuote(runtimeBin)}${escapedArgs ? ` ${escapedArgs}` : ''}`,
+    ].join(' && ');
+  }
   return `${fastPath} || ${installPath}`;
 }
 

package/scripts/seo-gsd.js

@@ -61,6 +61,12 @@ const HIGH_ROI_QUERY_SEEDS = [
     source: 'seed',
     notes: 'Broader category demand that feeds comparison and guide pages.',
   },
+  {
+    query: 'autoresearch agent safety',
+    businessValue: 89,
+    source: 'seed',
+    notes: 'Emerging self-improving agent query where ThumbGate can own the safety and proof-control wedge.',
+  },
   {
     query: 'stop ai coding agents from repeating mistakes',
     businessValue: 88,
@@ -93,6 +99,45 @@ const HIGH_ROI_QUERY_SEEDS = [
   },
 ];
 
+function guideBlueprint({
+  query,
+  path,
+  pillar,
+  title,
+  heroTitle,
+  heroSummary,
+  takeaways,
+  sections,
+  faq,
+  relatedPaths,
+}) {
+  return {
+    query,
+    path,
+    pageType: 'guide',
+    pillar,
+    title,
+    heroTitle,
+    heroSummary,
+    takeaways,
+    sections,
+    faq,
+    relatedPaths,
+  };
+}
+
+function paragraphs(heading, entries) {
+  return { heading, paragraphs: entries };
+}
+
+function bullets(heading, entries) {
+  return { heading, bullets: entries };
+}
+
+function answer(question, text) {
+  return { question, answer: text };
+}
+
 const PAGE_BLUEPRINTS = [
   {
     query: 'thumbgate vs speclock',
@@ -484,6 +529,54 @@ const PAGE_BLUEPRINTS = [
     ],
     relatedPaths: ['/compare/mem0', '/guides/stop-repeated-ai-agent-mistakes'],
   },
+  guideBlueprint({
+    query: 'autoresearch agent safety',
+    path: '/guides/autoresearch-agent-safety',
+    pillar: 'pre-action-gates',
+    title: 'Autoresearch Agent Safety | Gates for Self-Improving Coding Agents',
+    heroTitle: 'Autoresearch Agent Safety for Self-Improving Coding Agents',
+    heroSummary: 'Autoresearch-style loops can search for better code, but they need gates for holdout tests, proof trails, reward hacking, and unsafe self-improvement.',
+    takeaways: [
+      'Self-improving coding loops need a control plane before they promote their own wins.',
+      'ThumbGate turns failed experiment reviews into prevention rules and pre-action gates.',
+      'The sales wedge is concrete: let the agent search, but gate the evidence before it accepts a variant.',
+    ],
+    sections: [
+      paragraphs(
+        'Why Autoresearch creates a new buying moment',
+        [
+          'Autoresearch-style systems run experiments, inspect results, and keep the variants that look better. That makes them powerful, but it also creates a trust gap for engineering teams.',
+          'If the loop can edit the benchmark, skip a holdout, hide a failed run, or promote without proof, the buyer needs enforcement before autonomy expands.',
+        ],
+      ),
+      bullets(
+        'Where ThumbGate fits',
+        [
+          'Block promotion when required primary and holdout checks are missing.',
+          'Require commands, changed files, logs, and verification evidence before a claimed improvement lands.',
+          'Capture thumbs-down reviews when an experiment cheats the metric, then promote the pattern into a prevention rule.',
+          'Use ContextFS packs and Thompson Sampling so recurring research failures get stricter over time.',
+        ],
+      ),
+      paragraphs(
+        'Starter harnesses that make the value visible',
+        [
+          'The first pack should wrap checks buyers already understand: npm test, lint, Playwright duration, bundle size, and CI status. Each one becomes a gate the buyer can see firing.',
+        ],
+      ),
+    ],
+    faq: [
+      answer(
+        'Why do Autoresearch-style agents need gates?',
+        'A self-improving loop can optimize the wrong signal, skip holdout tests, or promote a cherry-picked run. ThumbGate blocks known-bad promotion patterns before the agent accepts the variant.',
+      ),
+      answer(
+        'What does ThumbGate add to an Autoresearch loop?',
+        'ThumbGate adds structured thumbs-up/down feedback, prevention rules, Thompson Sampling, ContextFS proof packs, and pre-action gates for risky experiment and promotion steps.',
+      ),
+    ],
+    relatedPaths: ['/guides/pre-action-gates', '/guides/codex-cli-guardrails'],
+  }),
   {
     query: 'claude desktop extension plugin thumbgate',
     path: '/guides/claude-desktop',
@@ -651,6 +744,7 @@ function classifyIntent(query) {
   if (!normalized) return 'informational';
   if (/\b(vs|versus|alternative|compare|comparison|better than)\b/.test(normalized)) return 'comparison';
   if (/\b(price|pricing|buy|checkout|purchase|cost)\b/.test(normalized)) return 'transactional';
+  if (/\b(autoresearch|self-improving|benchmark|reward hacking|agent safety)\b/.test(normalized)) return 'commercial';
   if (/\b(claude code|cursor|codex|gemini|amp|opencode|integration|plugin|setup|install)\b/.test(normalized)) {
     return 'commercial';
   }
@@ -665,6 +759,7 @@ function inferPillar(query) {
   const normalized = normalizeText(query).toLowerCase();
   if (/\b(speclock|mem0|alternative|vs|compare|comparison)\b/.test(normalized)) return 'comparison';
   if (/\b(thumbs up|thumbs down|feedback|reinforce|mistake)\b/.test(normalized)) return 'feedback-loop';
+  if (/\b(autoresearch|self-improving|benchmark|reward hacking)\b/.test(normalized)) return 'pre-action-gates';
   if (/\b(pre-action gates|guardrails|block|prevent repeated mistakes|repeating mistakes)\b/.test(normalized)) return 'pre-action-gates';
   if (/\b(claude code|cursor|codex|gemini|amp|opencode|integration|plugin)\b/.test(normalized)) return 'agent-workflows';
   return 'ai-agent-reliability';
@@ -676,6 +771,7 @@ function inferPersona(query) {
   if (normalized.includes('cursor')) return 'cursor-builder';
   if (normalized.includes('codex')) return 'codex-builder';
   if (normalized.includes('gemini')) return 'gemini-builder';
+  if (normalized.includes('autoresearch') || normalized.includes('self-improving')) return 'ai-research-engineer';
   if (/\b(vs|alternative|compare)\b/.test(normalized)) return 'tool-evaluator';
   if (/\b(guardrails|pre-action gates)\b/.test(normalized)) return 'engineering-lead';
   return 'ai-engineer';
@@ -841,8 +937,8 @@ function createPageSpec(blueprint, row) {
     faq: blueprint.faq,
     relatedPages,
     cta: {
-      label: 'See ThumbGate Pro',
-      href: `/pro?utm_source=website&utm_medium=seo_page&utm_campaign=${blueprint.path.split('/').filter(Boolean).join('_')}`,
+      label: 'Go Pro — $19/mo',
+      href: `/checkout/pro?utm_source=website&utm_medium=seo_page&utm_campaign=${blueprint.path.split('/').filter(Boolean).join('_')}&cta_placement=seo_brief&plan_id=pro`,
     },
     proofLinks: [
       { label: 'Verification evidence', href: PRODUCT.verificationUrl },
@@ -1043,6 +1139,9 @@ function renderSeoPageHtml(page, runtimeConfig = {}) {
   <meta property="og:type" content="article" />
   <meta property="og:url" content="${escapeHtml(canonicalUrl)}" />
   <link rel="canonical" href="${escapeHtml(canonicalUrl)}" />
+  <link rel="icon" type="image/svg+xml" href="/thumbgate-icon.png" />
+  <link rel="apple-touch-icon" href="/assets/brand/thumbgate-mark.svg" />
+  <meta property="og:image" content="/og.png" />
   <style>
     :root {
       --bg: #0a0a0b;
@@ -1084,7 +1183,12 @@ function renderSeoPageHtml(page, runtimeConfig = {}) {
     .brand {
       font-weight: 700;
       color: var(--text);
+      display: inline-flex;
+      align-items: center;
+      gap: 8px;
+      text-decoration: none;
     }
+    .brand .logo-mark { width: 28px; height: 28px; display: block; }
     .hero { padding: 72px 0 32px; }
     .eyebrow {
       display: inline-flex;
@@ -1163,8 +1267,16 @@ function renderSeoPageHtml(page, runtimeConfig = {}) {
     }
     .sidebar-card {
       padding: 20px;
+    }
+    /* Only the first sidebar card sticks. Stacking multiple stickies at the
+       same top offset makes them overlap each other on scroll. The related-
+       pages card flows normally below. */
+    .sidebar-card:first-child {
       position: sticky;
       top: 84px;
+      max-height: calc(100vh - 104px);
+      overflow-y: auto;
+      -webkit-overflow-scrolling: touch;
     }
     .proof-links {
       display: flex;
@@ -1216,8 +1328,10 @@ function renderSeoPageHtml(page, runtimeConfig = {}) {
       .grid {
         grid-template-columns: 1fr;
       }
-      .sidebar-card {
+      .sidebar-card:first-child {
         position: static;
+        max-height: none;
+        overflow: visible;
       }
     }
   </style>
@@ -1229,7 +1343,7 @@ ${renderWebPageJsonLd(page, { appOrigin })}
 <body>
   <div class="topbar">
     <div class="container">
-      <a class="brand" href="/">👍👎 ThumbGate</a>
+      <a class="brand" href="/"><img src="/assets/brand/thumbgate-mark-inline.svg" alt="ThumbGate" class="logo-mark" width="28" height="28"><span class="logo-text">ThumbGate</span></a>
       <a href="${escapeHtml(PRODUCT.verificationUrl)}" target="_blank" rel="noopener">Verification evidence</a>
     </div>
   </div>

package/scripts/statusline.sh

@@ -151,6 +151,14 @@ esac
 osc_link() {
   local url="$1"
   local label="$2"
+  # THUMBGATE_STATUSLINE_PLAIN=1 suppresses OSC 8 hyperlinks. Consumers that embed
+  # ThumbGate as a non-last row in a multi-line statusline should set this, because
+  # some agents (Claude Code) silently drop downstream rows when a preceding row
+  # contains OSC 8 sequences.
+  if [ "${THUMBGATE_STATUSLINE_PLAIN:-0}" = "1" ]; then
+    printf '%s' "$label"
+    return 0
+  fi
   case "$url" in
     "") printf '%s' "$label" ;;
     *) printf '\033]8;;%s\007%s\033]8;;\007' "$url" "$label" ;;

package/scripts/vector-store.js

@@ -8,6 +8,7 @@ const {
   writeModelFitReport,
   resolveFeedbackDir,
 } = require('./local-model-profile');
+const { runStep } = require('./durability/step');
 
 const DEFAULT_FEEDBACK_DIR = resolveFeedbackDir();
 const DEFAULT_LANCE_DIR = path.join(DEFAULT_FEEDBACK_DIR, 'lancedb');
@@ -125,6 +126,9 @@ async function upsertFeedback(feedbackEvent) {
     feedbackEvent.whatWorked || '',
   ].filter(Boolean).join('. ');
 
+  // Embed is pure CPU/model work (transformers.js or stub) — deterministic
+  // for a given input, so no retry is needed here. Retry wraps the table
+  // write below, which is the actual I/O failure surface.
   const vector = await embed(textForEmbedding);
 
   const record = {
@@ -137,13 +141,23 @@ async function upsertFeedback(feedbackEvent) {
     context: feedbackEvent.context || '',
   };
 
-  const tableNames = await db.tableNames();
-  if (tableNames.includes(TABLE_NAME)) {
-    const table = await db.openTable(TABLE_NAME);
-    await table.add([record]);
-  } else {
-    await db.createTable(TABLE_NAME, [record]);
-  }
+  // Wrap the actual LanceDB write with retry. LanceDB is local-disk in our
+  // deployment but can fail on transient fs contention (EBUSY on Windows,
+  // lock timeouts on WSL, disk-full edge cases). `feedbackEvent.id` already
+  // acts as a stable row identity — re-running this step with the same
+  // event produces the same row, so retries are safe.
+  await runStep('vector-store.upsertFeedback', {
+    retries: 2,
+    logger: (msg) => console.warn(msg),
+  }, async () => {
+    const tableNames = await db.tableNames();
+    if (tableNames.includes(TABLE_NAME)) {
+      const table = await db.openTable(TABLE_NAME);
+      await table.add([record]);
+    } else {
+      await db.createTable(TABLE_NAME, [record]);
+    }
+  });
 }
 
 async function searchSimilar(queryText, limit = 5) {