
This release adds 3 notable features for engineering teams evaluating rollout.

Published 1 month ago in MCP Developer Tools
✓ No known CVEs patched


Topics

agent-reliability, ai-agents, ai-cost-optimization, ai-safety, amp, claude-code, codex, cursor, developer-tools, feedback-loop, gemini, guardrails, mcp, mcp-server, opencode, pre-action-checks, reduce-llm-cost, save-llm-tokens, thompson-sampling, thumbgate

Summary (AI-generated)

First‑party /numbers metrics page adds SEO‑friendly freshness markers and schema markup.

Full changelog

thumbgate@1.15.0

Release Links

  • npm: https://www.npmjs.com/package/thumbgate/v/1.15.0
  • GitHub Release: https://github.com/IgorGanapolsky/ThumbGate/releases/tag/v1.15.0
  • Compare: https://github.com/IgorGanapolsky/ThumbGate/compare/v1.14.1...v1.15.0
  • Publish workflow: https://github.com/IgorGanapolsky/ThumbGate/actions/runs/24779973766
  • npm published at: 2026-04-22T13:07:50.822Z
  • npm shasum: 0e97bf812b479c1e070f9aa2b58f6cee32a72de8
  • npm tarball: https://registry.npmjs.org/thumbgate/-/thumbgate-1.15.0.tgz
  • Release ref: ac2e60dd82e28dff43678e71735f2b8ca4ae341e

npm Email Companion

npm controls the native "Successfully published" email template, so the email itself stays short. Treat this generated artifact as the full release-note companion for that email: it carries the Changeset summaries, CHANGELOG entry, publish workflow, npm tarball, and shasum when available.

Full Changeset Release Notes

No changed .changeset/*.md entries were detected for this release range.

CHANGELOG.md Entry

1.15.0

Minor Changes

  • #1121 bc32329 Thanks @IgorGanapolsky! - Add one-shot integration bridge for agent-architect-kit per-role memory directories.

    scripts/integrations/architect-kit-memory-bridge.js parses agents/state/memory/<role>.md files (Mistakes / Learnings / Stakeholder Feedback / Session Log sections) and emits ThumbGate feedback entries: Mistakes → thumbs-down with whatWentWrong, Learnings → thumbs-up with whatWorked, Stakeholder Feedback polarity-flipped on negative keywords, Session Log skipped. Every entry tagged architect-kit + role:<name> + source section for auditable rollback. Ingested entries flow through the standard lesson-DB / Thompson Sampling / prevention-rule pipeline, so architect-kit users can promote their markdown memory into PreToolUse-enforced hooks.

    CLI: npm run integrations:architect-kit:import -- --dir=<path> [--role=<name>] [--dry-run] [--json].

    Also harvests six high-ROI patterns from architect-kit's annotated CLAUDE.md into a new Hard-Won Lessons section (fix-on-fix signal, rapid-push batching, ZERO/ALWAYS behavioral thresholds, memory-instructions coupling, post-deploy-gate nuance, require.main === module path-resolve fix) each with an explicit # WHY tying to a specific incident class.

    Test coverage: 16 dependency-injected unit tests pinned into npm test via the test-suite parity guard.

  • #1100 f3e40ca Thanks @IgorGanapolsky! - Expand the Bayes-optimal gate's loss matrix to 49 falseAllow tiers (self-protect, kill-gate, hooks-disable, db-drop-production, deploy-env-secret-exposure, mcp-sql-delete, supply-chain, network-egress, …) and 5 falseBlock tiers, so cost-weighted decisions cover the full blast-radius spectrum instead of bucketing everything under default.

    Add cross-session canonical-hash lesson dedup. scripts/lesson-canonical.js normalizes lessons via lowercase → punctuation strip → stop-word drop → trailing-s stem → sort → SHA-256, so two lessons that differ only in phrasing collapse to the same 16-hex hash. Wired into captureFeedback (stamps canonicalHash on each memory record), findSimilarLesson (canonical match short-circuits Jaccard with matchType: 'canonical'), and lesson-db.findDuplicate (canonical fallback when exact-text miss).

    Add a summarize-then-expand pack assembly strategy to ContextFS. Opt in via summarizeThenExpand: true / strategy: 'summarize-then-expand' on constructContextPack. Pass 1 reserves ~35% of maxChars for a wide roster of title + one-line hint summaries; pass 2 walks top-down upgrading to full structuredContext while the remaining budget can absorb the delta. Under tight budgets the pack surfaces more of the corpus (broad recall) while still spending depth on the top-ranked hits.

  • #1092 a137117 Thanks @IgorGanapolsky! - feat(public): first-party numbers page + freshness markers for SEO 2026 trust signals

    Ships /numbers — a live first-party-data page rendered from the same local
    scripts that power the CLI (scripts/gate-stats.js, scripts/token-savings.js,
    scripts/bayes-optimal-gate.js). Every number links back to its source script
    so AI retrievers can cite with provenance.

    The page surfaces:

    • Active gates (manual + auto-promoted)
    • Actions blocked / warned
    • Top blocked gate + last promotion
    • Estimated hours saved, LLM dollars saved, tokens not spent
    • Bayes error rate of the intervention scorer

    JSON-LD includes SoftwareApplication, Dataset with variableMeasured
    PropertyValue entries, and stable Person authorship with sameAs links
    (GitHub, LinkedIn). Regenerate via npm run numbers:generate.

    Also stamps consistent authorship + visible Updated: markers +
    dateModified JSON-LD on five public pages that previously lacked them:
    learn.html, lessons.html, codex-plugin.html, pro.html,
    dashboard.html.

    Rationale: the 2026-04 SEJ "What Search Engines Trust Now" analysis ranks
    first-party data, freshness, and extractability as the signals most durable
    against AI-synthesis ambiguity. ThumbGate's operational metrics are unique —
    nobody else can fake "180 blocks last month" because they don't run the
    gates. Publishing them as schema-marked-up Dataset + SoftwareApplication on a
    page dated the same day it's regenerated hits all three signals at once.

    Regression guards: tests/numbers-page.test.js pins JSON-LD contract,
    authorship, source-link provenance, and freshness markers on all five pages.

  • #1103 d7101d4 Thanks @IgorGanapolsky! - Add a pre-promotion rule validator (scripts/rule-validator.js) that gates
    every auto-promoted prevention rule before it lands in
    synthesized-rules.jsonl. Inspired by the Autogenesis self-evolving agent
    protocol (arxiv 2604.15034): we already had capability-gap identification,
    candidate generation, and integration — this plugs the missing "validate
    before integrate" phase.

    A proposed rule is now promotable iff it fires on the seed lesson that
    triggered promotion AND its precision on recent overlapping-tag events
    clears a floor (default 0.8). Rules that fail either invariant are parked
    in a new rejected-rules.jsonl side log with a machine-readable reason
    (rule_does_not_match_seed_lesson, precision_below_floor,
    insufficient_sample, no_firings_in_sample, invalid_rule_shape) so
    operators can audit silent rejections. Thresholds are overridable; the
    validator is a pure function (no IO) and covered by 15 new tests.

Patch Changes

  • #1118 70adc79 Thanks @IgorGanapolsky! - Route every outbound checkout link through the existing /go/pro tracked-link redirector and lock its behavior with tests.

    The /go/:slug redirector in src/api/server.js (serveTrackedLinkRedirect, line ~1305) already handled attribution — forwarding utm_source/utm_medium/utm_campaign/utm_content to /checkout/:plan and writing first-party telemetry via buildTrackedLinkAttribution. The problem was that README, SKILL docs, dashboard CTAs, postinstall banner, Reddit/dev.to autopilot posts, and scripts/commercial-offer.js all linked directly at https://buy.stripe.com/7sY..., bypassing the redirector. Result: Plausible saw referrer but not campaign; Stripe saw conversions but not source; attribution was structurally impossible.

    Replaces the raw buy.stripe.com CTA across 10 surfaces with https://thumbgate-production.up.railway.app/go/pro?utm_source=<channel> (and &utm_campaign=autopilot on scheduled posts): three SKILL.md copies (.agents/, .claude/, skills/), public/dashboard.html (demo + live CTAs), public/lessons.html, .github/workflows/marketing-autopilot.yml (Reddit + dev.to posts), scripts/ralph-mode-ci.js, and scripts/commercial-offer.js (PRO_MONTHLY_PAYMENT_LINK).

    Adds three tests/api-server.test.js cases that pin the redirector's public contract: param-preserving 302 for /go/pro?utm_source=…, default attribution for bare /go/pro, and 404 JSON for unregistered slugs. Updates tests/cli.test.js, tests/postinstall.test.js, and tests/thumbgate-skill.test.js to match the new canonical URL surface.

  • #1126 a75511c Thanks @IgorGanapolsky! - fix(social): never publish "blocked 0 mistakes, saving ~0 hours" stats posts

    When getMeteredUsageSummary returns zero blocks AND zero warnings AND zero active agents for the period, generateWeeklyStatsPost now sets suppressed: true with a human-readable suppressedReason. scripts/weekly-auto-post.js refuses to write the markdown file or call any publisher when suppressed. scripts/social-post-hourly.js routes the stats angle (and the default branch) through an evergreen fallback chain (educational / hot-take / tip) so the daily post cron never ships raw zero-stats text.

    Triggered by a 2026-04-21 CEO thumbs-down on a Bluesky post reading "This week ThumbGate blocked 0 mistakes, saving ~0 hours. Pre-action gates > post-mortem fixes." The two existing offending posts were deleted live via com.atproto.repo.deleteRecord; this patch prevents the pattern from ever publishing again and adds regression tests in tests/metaclaw-features.test.js, tests/weekly-auto-post.test.js, and tests/social-post-hourly.test.js.

  • #1115 ddcbffd Thanks @IgorGanapolsky! - Wire Bluesky reply monitoring into Ralph Loop (hourly CI) as a draft-only step.

    Zernio exposes no inbound/comments API as of 2026-04-21 (probed — /inbox, /comments, /conversations, /messages, /dms, /threads, /engagements, /replies all return 404 with HTML shell while /accounts returns 200 JSON). The Zernio Inbox add-on visible on the billing dashboard is a human-only surface. Reply monitoring for Bluesky therefore uses direct AT Protocol: scripts/social-reply-monitor-bluesky.js polls app.bsky.notification.listNotifications on the user's PDS and queues drafts to .thumbgate/reply-drafts.jsonl. The monitor never auto-posts — a draft-only posture was made mandatory after a CEO thumbs-down on AI-pitch reply voice.

    New reply-monitor-bluesky step in scripts/ralph-loop.js gated on requiredEnvAll: ['BLUESKY_HANDLE','BLUESKY_APP_PASSWORD']. Workflow env block in .github/workflows/ralph-loop.yml passes the new repo secrets. Tests in tests/ralph-loop.test.js pin the step list and skip-reason contract.

    Also ships two one-shot operator tools: scripts/bluesky-list-actionable.js dumps un-replied notifications for human triage, scripts/bluesky-delete-replies.js rolls back via com.atproto.repo.deleteRecord. The skills/bluesky-engagement/SKILL.md is the authoritative reference for credential rotation and the voice guardrail lesson.

  • #1123 2c17f45 Thanks @IgorGanapolsky! - Add the ThumbGate native messaging audit CLI and browser bridge safety guides for browser automation safety and native messaging host security.

  • #1119 6e28801 Thanks @IgorGanapolsky! - Adopt Git 2.54 local config hooks for ThumbGate installs, keep older Git clients on core.hooksPath, and harden proof/test temp repos against ambient operator hooks.

  • #1119 6e28801 Thanks @IgorGanapolsky! - fix(installer): harden git-hook-installer.js against SonarCloud quality-gate findings

    • Tighten hook file permissions from 0o755 to 0o700. Git runs hooks as the
      same user that invoked the git command, so group/other execute bits served
      no purpose and only widened the attack surface (SonarCloud S2612).
    • Replace require.main === module with an explicit isCliEntrypoint() helper
      comparing require.main.filename against __filename. The strict-equality
      idiom tripped SonarCloud S3403 ("this check will always be false") under its
      TypeScript flow analyzer; the filename-based check has no such ambiguity and
      also makes the CLI-detection path unit-testable.
    • Document why spawnSync('git', …) is safe with a NOSONAR annotation
      (S4036 hotspot review). The installer must honor the developer's PATH
      because git ships from a dozen different locations (brew, apt, scoop,
      Xcode, Git-for-Windows); args is always an array, so no shell interpolation
      risk; and the command literal is hard-coded, not user-supplied.

    Adds regression tests covering the new owner-only permission bits and the
    new isCliEntrypoint helper.

  • #1105 56370d5 Thanks @IgorGanapolsky! - Hard-block destructive local shell actions in default gates and render CLI thumbs-down feedback with the correct label.

  • #1106 9843fdc Thanks @IgorGanapolsky! - Add the ThumbGate harness optimization audit CLI and a proof-linked SEO guide for AI agent harness optimization.

  • #1004 e7dc1c6 Thanks @IgorGanapolsky! - Route main-targeting PR manager merges through /trunk merge comments so autonomous merge requests work under Enterprise Managed User accounts without falling back to blocked GraphQL merge mutations.

  • #1095 78b45f5 Thanks @IgorGanapolsky! - Pin the runtime protobuf dependency to a patched release so clean ThumbGate installs avoid the protobufjs critical advisory.

  • #1111 fa777d1 Thanks @IgorGanapolsky! - fix(social): route social CTAs through tracked landing page

    404 posts published via Zernio over the last 30 days produced 0 rows in
    .claude/memory/feedback/funnel-events.jsonl because every post CTA
    linked to github.com/IgorGanapolsky/ThumbGate, which never touches the
    funnel tracker. Attribution blindness: 4 lifetime installs across 404
    posts was the result.

    Primary CTA in every Zernio-published angle/caption now routes through
    https://thumbgate-production.up.railway.app/numbers. tagUrlsInText
    auto-injects utm_source=zernio&utm_medium=social&utm_campaign=organic
    because the landing domain is already in TRACKABLE_DOMAINS. GitHub is
    retained as a secondary "Source (MIT)" reference for credibility.

    Covers:

    • scripts/social-post-hourly.js — daily LinkedIn/X poster, 7 content
      angles. horror-story, tip, product-demo now lead with the
      tracked landing URL.
    • scripts/social-analytics/post-video.js — TikTok/YouTube/Instagram
      captions. TikTok and YouTube now lead with the tracked landing URL;
      Instagram unchanged (uses "link in bio" — no inline URLs).

    Regression guards in tests/social-post-hourly.test.js and
    tests/post-video.test.js fail if any angle/caption regresses to a
    github-only CTA.

    Also wires the /numbers handler in src/api/server.js through
    servePublicMarketingPage so the landing_page_view telemetry and a
    discovery/landing_view entry in funnel-events.jsonl are both
    captured with the UTM metadata attached to the inbound request. Before
    this wire, /numbers views wrote only to telemetry-pings.jsonl
    (invisible to npm run feedback:summary and bin/cli.js cfo --today),
    leaving the funnel ledger empty despite 404 published Zernio posts.
    Other marketing pages (/, /dashboard) already routed through
    servePublicMarketingPage and now automatically inherit the
    funnel-ledger write as well.

  • #1102 186caf5 Thanks @IgorGanapolsky! - Accept the Socket Security Pull Request Alerts context in branch-protection congruence checks.
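The #1118 entry pins the public contract of the /go/:slug redirector: a param-preserving 302 to /checkout/:plan, default attribution for a bare /go/pro, and a 404 JSON body for unregistered slugs. The block below is an added example for this page, not ThumbGate's src/api/server.js. It models the handler as a pure function over the request URL so the contract can be tested without a socket, and makes the two points that matter for safety explicit: the destination comes from a fixed registry (so the endpoint cannot be turned into an open redirect) and only the allow-listed utm_* keys are forwarded. The slug registry, the default attribution values and the telemetry record shape are assumptions.

```javascript
// Added example (not ThumbGate's src/api/server.js): /go/:slug tracked-link
// redirector as a pure function. Assumed: the TRACKED_LINKS registry, the
// DEFAULT_ATTRIBUTION values, and the shape of the telemetry record.

const TRACKED_LINKS = Object.freeze({ pro: '/checkout/pro' }); // assumed registry
const FORWARDED_PARAMS = ['utm_source', 'utm_medium', 'utm_campaign', 'utm_content'];
const DEFAULT_ATTRIBUTION = { utm_source: 'direct', utm_medium: 'link' }; // assumed defaults
const SLUG = /^\/go\/([a-z0-9-]+)$/;
const MAX_PARAM_LENGTH = 100;

// First-party attribution record: allow-listed utm_* keys only, length-capped.
function buildTrackedLinkAttribution(slug, params) {
  const attribution = { slug, ts: new Date().toISOString() };
  for (const key of FORWARDED_PARAMS) {
    const value = params.get(key);
    if (value) attribution[key] = value.slice(0, MAX_PARAM_LENGTH);
  }
  // A bare /go/<slug> hit still records where it came from.
  if (!FORWARDED_PARAMS.some((k) => k in attribution)) Object.assign(attribution, DEFAULT_ATTRIBUTION);
  return attribution;
}

// Returns { status, headers, body }; telemetry is an array the caller owns.
function serveTrackedLinkRedirect(requestUrl, telemetry = []) {
  const url = new URL(requestUrl, 'http://localhost'); // also normalises /go/pro/../x
  const m = SLUG.exec(url.pathname);
  // Own-property check: /go/constructor must not resolve through Object.prototype.
  if (!m || !Object.prototype.hasOwnProperty.call(TRACKED_LINKS, m[1])) {
    return {
      status: 404,
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ error: 'unknown_slug' }),
    };
  }
  const attribution = buildTrackedLinkAttribution(m[1], url.searchParams);
  telemetry.push(attribution);
  // The destination is never derived from user input; only utm_* values reach the query string.
  const target = new URL(TRACKED_LINKS[m[1]], 'http://localhost');
  for (const key of FORWARDED_PARAMS) {
    if (attribution[key]) target.searchParams.set(key, attribution[key]);
  }
  return { status: 302, headers: { location: target.pathname + target.search }, body: '' };
}
```

To wire it into a Node http server, pass req.url and write the returned status, headers and body; nothing in the function touches the socket. A request such as /go/pro?utm_source=reddit&utm_campaign=autopilot&ref=https://evil.example redirects to /checkout/pro?utm_source=reddit&utm_campaign=autopilot with ref dropped from both the Location header and the telemetry row.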
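The #1119 entry lists three hardening points for the hook installer: hook files written 0o700 instead of 0o755, an isCliEntrypoint() helper that compares filenames instead of relying on require.main === module, and spawnSync('git', …) with an argv array and no shell. The block below is an added example for this page, not ThumbGate's git-hook-installer.js, showing each of the three in isolation, plus the detail a reviewer would ask about: the mode passed to writeFileSync is subject to the process umask, so an explicit chmod afterwards is what actually pins the bits. The hook name and body are placeholders, and resolving the hooks directory via git rev-parse --git-path is an assumption about how the installer locates it.

```javascript
// Added example (not ThumbGate's git-hook-installer.js): owner-only hook files,
// a filename-based CLI-entrypoint check, and git invoked via argv with no shell.
// Hook name/body are placeholders; rev-parse --git-path for locating hooks is assumed.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const { spawnSync } = require('node:child_process');

const HOOK_MODE = 0o700; // git runs hooks as the invoking user: group/other bits buy nothing

// require.main === module compares object identity, which static analysers cannot
// see through; comparing filenames is unambiguous and can be exercised in tests.
function isCliEntrypoint(mainModule = require.main, selfFile = __filename) {
  return Boolean(mainModule && mainModule.filename === selfFile);
}

function installHook(hooksDir, name, body) {
  fs.mkdirSync(hooksDir, { recursive: true, mode: 0o700 });
  const file = path.join(hooksDir, name);
  // The mode given to writeFileSync is masked by umask on creation; chmod is not.
  fs.writeFileSync(file, body, { mode: HOOK_MODE });
  fs.chmodSync(file, HOOK_MODE);
  return file;
}

function hookMode(file) {
  return fs.statSync(file).mode & 0o777;
}

// The command literal is hard-coded, args is an array and shell stays at its
// default (false), so PATH lookup is the only thing inherited from the developer's
// environment. Honours core.hooksPath. Returns null when git is unavailable.
function gitHooksDir(repoDir) {
  const r = spawnSync('git', ['-C', repoDir, 'rev-parse', '--git-path', 'hooks'], { encoding: 'utf8' });
  if (r.error || r.status !== 0) return null;
  return path.resolve(repoDir, r.stdout.trim());
}

// Install into a throwaway directory so the example is safe to run anywhere.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'hook-demo-'));
  const file = installHook(path.join(dir, 'hooks'), 'pre-commit', '#!/bin/sh\nexit 0\n');
  return { file, mode: hookMode(file).toString(8) };
}
```

demo() returns the installed path and the mode string "700" on POSIX systems regardless of the caller's umask; for a real repository, replace the temp directory with gitHooksDir(repoDir) so a core.hooksPath override is respected.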

Verification Standard

  • Publish only runs from main after version sync, tests, and runtime proof pass.
  • The npm package is smoke-tested after publish by installing thumbgate@VERSION in a clean runtime.
  • GitHub Release notes are generated from Changesets rather than only from GitHub's auto-generated PR titles.


About IgorGanapolsky/mcp-memory-gateway

Pre-action gates that prevent AI coding agents from repeating known mistakes. Captures explicit feedback, auto-promotes failures into prevention rules, and enforces them via hooks.

