This release adds 2 notable features for engineering teams evaluating rollout.

Published 17d MCP Developer Tools
✓ No known CVEs patched in this version

Topics

agent-reliability ai-agents ai-cost-optimization ai-safety amp claude-code codex cursor developer-tools feedback-loop gemini guardrails mcp mcp-server opencode pre-action-checks reduce-llm-cost save-llm-tokens thompson-sampling thumbgate

ReleasePort's take

Light signal
editorial:auto 13d

v1.19.0 resolves /pricing inconsistency by displaying all six paid paths with direct Stripe Payment Links. Release adds buyer-facing surfaces (case studies, federal compliance, spec enforcement, terms, support), operator-gated telemetry export endpoint, health subsystem probes, GitHub deploy verification workflow, and protobufjs security patches.

Why it matters: Test all six /pricing tiers and their Stripe redirects immediately. Federal and case-study routes go live for buyer engagement. /health and /healthz now probe downstream subsystems and return 503 with status: 'degraded' on failure; verify that monitoring alerts are tuned for the new status rather than treating every non-200 as an outage. The release bumps @anthropic-ai/sdk from 0.92.0 to 0.95.2 and patches the protobufjs advisories; confirm both land in your lockfile before prod.

Summary

AI summary

Fix /pricing page to consistently show all six paid paths and resolve earlier contradiction.

Changes in this release

Feature Medium

Add /case-studies public surface with Aiventyx Teams integration proof page.

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Feature Medium

Add /compare/heidi deep-dive positioning ThumbGate vs HEIDI.

Feature Medium

Add scripts/eval_gate_classifier.py end-to-end ML pipeline for classifier evaluation.

Feature Medium

Add /pricing as canonical buyer-facing pricing surface with four tiers.

Feature Medium

Add scripts/conversion-rate-stats.js Bayesian beta-binomial conversion estimation.

Feature Medium

Add scripts/external-customer-audit.js Stripe truth filtered by owner email.

Feature Medium

Flip hero CTA on public/index.html to Workflow Hardening Sprint intake link.

Feature Medium

Add top-level Organization JSON-LD block to landing page for Google entity recognition.

Feature Medium

Rewrite /pricing with all six paid paths visible and direct Stripe Payment Links.

Feature Medium

Correct README hero line from placeholder to exact product phrasing.

Feature Medium

Ship /learn/spec-driven-development landing page positioning ThumbGate as spec enforcement layer.

Feature Medium

Swap hardcoded buy.stripe.com URLs in src/api/server.js to new Payment Links.

Feature Medium

Add GET /v1/telemetry/export operator-key-gated endpoint for recent raw telemetry and funnel events.

Feature Medium

Add verify-deploy-comment workflow that polls health, probes routes, posts comment on PR merge.

Feature Medium

Wire /pricing and /case-studies into homepage top-nav for one-click access.

Feature Medium

Add federal agency positioning surface docs/FEDERAL.md, public/federal.html, /federal route with NIST mapping.

Feature Medium

Make /health and /healthz probe downstream subsystems, return degraded status on failures.

Feature Medium

Ship high-ROI bundle: deploy verification GitHub Action, Plausible funnel events, activation telemetry, anti‑claim stop hook, Databricks positioning brief.

Feature Medium

Add scripts/stripe-bootstrap-saas-catalog.js and dispatch workflow to create full ThumbGate paid catalog in Stripe Live.

Feature Medium

Add /terms and /support public HTML pages required for Stripe Business details form completion.

Feature Medium

Add agent-native memory scope readiness checks requiring identifiers before multi‑user retrieval.

Feature Medium

Add /learn/from-prototype-to-production build-log article listed in Learn index.

Feature Medium

Emit stripe_redirect_started telemetry event before 302 to real Stripe Checkout URL with attribution payload.

Feature Medium

Bump @anthropic-ai/sdk from 0.92.0 to 0.95.2 for runtime dependency update.

Feature Medium

Hard‑block deploy claim without evidence in hook-stop-verify-deploy.sh with JSON block decision.

Feature Medium

Disallow /checkout/ and /v1/billing/ in robots.txt to stop crawler inflating checkout metric.

Feature Medium

Patch protobufjs security advisories and sanitize social publisher log output.

Feature Medium

Tighten CLI log sanitization for social publishing and revenue watcher output.

Feature Medium

Drop hardcoded Stripe-Version header from stripe-bootstrap-saas-catalog.js.

Feature Medium

Add Rob May / The New Stack social proof quote on hero and README.

Full changelog

thumbgate@1.19.0

Release Links

  • npm: https://www.npmjs.com/package/thumbgate/v/1.19.0
  • GitHub Release: https://github.com/IgorGanapolsky/ThumbGate/releases/tag/v1.19.0
  • Compare: https://github.com/IgorGanapolsky/ThumbGate/compare/v1.18.0...v1.19.0
  • Publish workflow: https://github.com/IgorGanapolsky/ThumbGate/actions/runs/26004328547
  • npm published at: 2026-05-17T22:19:12.204Z
  • npm shasum: 3c08a37aeba06cd2be434b90a5eeeaced2a91d7a
  • npm tarball: https://registry.npmjs.org/thumbgate/-/thumbgate-1.19.0.tgz
  • Release ref: 62c88ac09343286d26d010ec451c79fffbd62290

npm Email Companion

npm controls the native "Successfully published" email template, so the email itself stays short. Treat this generated artifact as the full release-note companion for that email: it carries the Changeset summaries, CHANGELOG entry, publish workflow, npm tarball, and shasum when available.

Full Changeset Release Notes

Minor Changes

.changeset/case-studies-surface.md

Add /case-studies public surface — first proof page for thumbgate.ai. Until now visitors landed on CLI install commands with zero evidence that anyone actually got value from the product. First entry is the Aiventyx Teams integration: real third-party CTR signal (62%, 5 clicks on 8 views), concrete fix description (added teams to TRACKED_LINK_TARGETS), and verification quote from the partner's own incognito test. Live /go/teams?utm_source=case-study link lets buyers reproduce the redirect themselves. Cross-links to /pricing/, /privacy/, /terms/, /support/ make this a buyer-trust hub.

.changeset/compare-heidi.md

Add /compare/heidi deep-dive page positioning ThumbGate as the behavior-enforcement layer (PreToolUse hook + lesson DB) next to Meterian's HEIDI as the supply-chain layer (manifest scanning + MCP-served vuln data). Honest framing: not a competitor, complementary stack. Adds a third comparison card on /compare linking to the page. Both tools are free at base, both local-first, run on the same machine without conflict. Pre-empts the buyer confusion that will land when "AI coding security" googlers see both products on the same search-result page.

.changeset/eval-gate-classifier-pipeline.md

Add scripts/eval_gate_classifier.py — the first end-to-end ML pipeline in the repo. Loads .thumbgate/feedback-log.jsonl, builds features (TF-IDF on context + bag-of-tags + bag-of-categories), stratified train/test split, fits LogisticRegression(class_weight='balanced'), scores precision/recall/F1 (per-class + macro), ROC-AUC, PR-AUC, and full classification_report, then serializes the fitted pipeline with joblib.dump and writes a metrics card to <feedback-dir>/eval/. Run via npm run eval:classifier. sklearn / joblib / scipy are intentionally NOT runtime deps of the npm package — install via pip install scikit-learn joblib to enable. Pinned by tests/eval-gate-classifier.test.js (skips gracefully if sklearn isn't installed in CI).

.changeset/pricing-surface.md

Add /pricing as the canonical buyer-facing pricing surface. Resolves the "pricing schizophrenia" the audit flagged: sales/pricing.json said $49/$299, docs/COMMERCIAL_TRUTH.md said $19/$149, and no buyer-facing page existed to reconcile. The page lays out four tiers in priority order — Sprint ($499 one-time, sales-led, hero CTA), Free CLI ($0, npm install), Pro ($19/mo or $149/yr, self-serve recurring after the 5-rule free wall), Team ($49/seat/mo after qualification). Each CTA routes to canonical /go/* paths so the funnel collapses to a single source of truth. Sprint CTA is a mailto: with a structured intake template so partner-led conversations have an actionable handoff.

Patch Changes

.changeset/bayesian-conversion-stats.md

Add scripts/conversion-rate-stats.js — honest Bayesian beta-binomial conversion-rate estimation for low-N revenue data.

The audit on 2026-05-15 surfaced the right ML investment given ThumbGate's data volume: with only 3 lifetime orders and ~200 visitors per surface, frequentist conversion = charges/visitors produces dishonest rankings ("/pricing converts at 100%!" from one lucky charge on 1 visitor). The fix is a Bayesian beta-binomial model with a weakly-informative prior (Beta(1, 19), reflecting "most dev-tool surfaces convert at ~5% with broad uncertainty"). The posterior gives a credible interval that gets narrower as N grows: wide and honest at N=0, tight around the empirical rate at N=10k. Same code path, no need to switch models when data finally arrives.

The module exports:

  • posteriorParameters({successes, trials, priorAlpha, priorBeta}) — pure stats
  • estimateConversionRate(...) — returns posterior mean, mode, 95% credible interval, and a verdict (insufficient_data / wide_uncertainty / credible)
  • rankSurfaces(surfaces, opts) — ranks by lower-bound of credible interval (pessimistic ranking) by default. Prevents allocating traffic to a surface whose point estimate is high but whose lower bound is near zero.
  • renderConversionMarkdown(ranked) — produces a markdown table ready to drop into the unified revenue rollup once #2090 lands.

Implementation includes a Lanczos approximation of log Γ, a Lentz continued-fraction evaluator for the regularized incomplete beta (CDF), and bisection on the CDF for the quantile function. No external dependencies — all pure-JS math.

20 unit tests cover: known logΓ values, CDF identity at Beta(1,1) = uniform, Beta(2,2) symmetry, quantile/CDF round-trip, prior + observation accumulation, N=0 returns the pure prior, N=10k tightens to the empirical rate, the "N=2 trap" (1 conversion of 2 visitors maps to ~9% posterior, NOT 50%), verdict cutoffs, pessimistic-ranking ordering, and markdown render.

Standalone for now; will fold into the unified revenue rollup as a follow-up after #2090 lands so we don't fight merge conflicts on the same file. Also reusable by scripts/thompson-sampling.js for adaptive surface allocation when transaction volume justifies it.
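The changeset above describes the math without showing it. The block below is an added worked example (not scripts/conversion-rate-stats.js itself) of the same pure-JS machinery: a Lanczos log-gamma, the Lentz continued fraction for the regularized incomplete beta, bisection on the CDF for the quantile, the Beta(1, 19) conjugate update, and a pessimistic ranking on the lower bound of the 95% credible interval. The verdict cutoffs (30 trials, 0.10 interval width), the function names and the surface numbers in the demo are this example's own assumptions, not the script's.

```javascript
// Added example, not the ThumbGate script: beta-binomial conversion-rate estimation
// with a pessimistic (lower-bound) ranking, no external dependencies.

// Lanczos approximation of ln Gamma(z), g = 7, nine coefficients.
function logGamma(z) {
  const g = 7;
  const c = [
    0.99999999999980993, 676.5203681218851, -1259.1392167224028,
    771.32342877765313, -176.61502916214059, 12.507343278686905,
    -0.13857109526572012, 9.9843695780195716e-6, 1.5056327351493116e-7,
  ];
  if (z < 0.5) return Math.log(Math.PI / Math.sin(Math.PI * z)) - logGamma(1 - z);
  z -= 1;
  let x = c[0];
  for (let i = 1; i < g + 2; i++) x += c[i] / (z + i);
  const t = z + g + 0.5;
  return 0.5 * Math.log(2 * Math.PI) + (z + 0.5) * Math.log(t) - t + Math.log(x);
}

// Continued fraction for the incomplete beta, evaluated with the modified Lentz method.
function betaContinuedFraction(a, b, x) {
  const MAXIT = 400, EPS = 1e-15, FPMIN = 1e-300;
  const qab = a + b, qap = a + 1, qam = a - 1;
  let c = 1;
  let d = 1 - (qab * x) / qap;
  if (Math.abs(d) < FPMIN) d = FPMIN;
  d = 1 / d;
  let h = d;
  for (let m = 1; m <= MAXIT; m++) {
    const m2 = 2 * m;
    let aa = (m * (b - m) * x) / ((qam + m2) * (a + m2));
    d = 1 + aa * d; if (Math.abs(d) < FPMIN) d = FPMIN;
    c = 1 + aa / c; if (Math.abs(c) < FPMIN) c = FPMIN;
    d = 1 / d;
    h *= d * c;
    aa = (-(a + m) * (qab + m) * x) / ((a + m2) * (qap + m2));
    d = 1 + aa * d; if (Math.abs(d) < FPMIN) d = FPMIN;
    c = 1 + aa / c; if (Math.abs(c) < FPMIN) c = FPMIN;
    d = 1 / d;
    const del = d * c;
    h *= del;
    if (Math.abs(del - 1) < EPS) break;
  }
  return h;
}

// Regularized incomplete beta I_x(a, b), i.e. the CDF of Beta(a, b) at x.
function betaCdf(x, a, b) {
  if (x <= 0) return 0;
  if (x >= 1) return 1;
  const lnBt = logGamma(a + b) - logGamma(a) - logGamma(b) + a * Math.log(x) + b * Math.log(1 - x);
  const bt = Math.exp(lnBt);
  return x < (a + 1) / (a + b + 2)
    ? (bt * betaContinuedFraction(a, b, x)) / a
    : 1 - (bt * betaContinuedFraction(b, a, 1 - x)) / b;
}

// Quantile by bisection: the CDF is monotone on [0, 1], 80 halvings is far below float resolution.
function betaQuantile(p, a, b) {
  let lo = 0, hi = 1;
  for (let i = 0; i < 80; i++) {
    const mid = (lo + hi) / 2;
    if (betaCdf(mid, a, b) < p) lo = mid; else hi = mid;
  }
  return (lo + hi) / 2;
}

// Conjugate update: Beta(alpha, beta) prior + (successes, trials) -> Beta(alpha + s, beta + f).
function posteriorParameters({ successes, trials, priorAlpha = 1, priorBeta = 19 }) {
  if (successes < 0 || trials < successes) throw new RangeError('successes must lie in [0, trials]');
  return { alpha: priorAlpha + successes, beta: priorBeta + (trials - successes) };
}

// Verdict thresholds (30 trials, 0.10 width) are this example's own choice.
function estimateConversionRate(obs, { minTrials = 30, maxWidth = 0.10 } = {}) {
  const { alpha, beta } = posteriorParameters(obs);
  const mean = alpha / (alpha + beta);
  const lower = betaQuantile(0.025, alpha, beta);
  const upper = betaQuantile(0.975, alpha, beta);
  let verdict = 'credible';
  if (obs.trials < minTrials) verdict = 'insufficient_data';
  else if (upper - lower > maxWidth) verdict = 'wide_uncertainty';
  return { mean, lower, upper, verdict, alpha, beta };
}

// Pessimistic ranking: sort by the lower credible bound, never by the raw rate.
function rankSurfaces(surfaces) {
  return surfaces
    .map((s) => ({ ...s, ...estimateConversionRate(s) }))
    .sort((x, y) => y.lower - x.lower);
}

// Constructed demo data: one lucky surface (1 of 1) versus a steady one (10 of 200).
const DEMO_SURFACES = [
  { name: '/pricing', successes: 1, trials: 1 },
  { name: '/', successes: 10, trials: 200 },
];
for (const s of rankSurfaces(DEMO_SURFACES)) {
  console.log(`${s.name}: mean ${(100 * s.mean).toFixed(1)}%  95% CI [${(100 * s.lower).toFixed(1)}%, ${(100 * s.upper).toFixed(1)}%]  ${s.verdict}`);
}
```

With the Beta(1, 19) prior, 1 conversion on 2 visitors gives a posterior mean of 2/22, about 9%, not 50%, and N=0 returns the 5% prior mean; the ranking puts the 10-of-200 surface above the 1-of-1 surface because its lower bound is higher even though its point estimate is lower.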

.changeset/external-customer-audit.md

Add scripts/external-customer-audit.js — Stripe truth filtered by owner email.

Background: The unified revenue rollup (#2090) shipped raw Stripe totals: lifetime net, MRR, active subscription count. Those numbers count the operator's own purchases and subscriptions as if they were external customers. On a small operator-run product that's a meaningful confound — the difference between "1 active subscription" and "0 real customers" is whether the operator subscribed to test billing.

This script splits Stripe activity into owner vs external buckets and reports external-only counts as the headline number. Owner emails come from THUMBGATE_OWNER_EMAILS (comma-separated env var) with a default of [email protected],[email protected]. Wired into the Daily Revenue Loop workflow as a separate step alongside the unified rollup; outputs reports/revenue/external-audit.{md,json} plus a GitHub job-summary section.

The script's headline always reports three external-only numbers explicitly so they cannot be confused with owner-inclusive totals:

  • Real, non-owner paying customers lifetime
  • Real, non-owner net revenue lifetime
  • Real, non-owner active subscriptions (+ MRR)

11 unit tests with an injected fake Stripe client cover: missing-secret gap, owner/external partitioning by email match, case-insensitivity, refunded-charge exclusion, billing_details fallback when customer object has no email, subscription MRR split, checkout completion split, and the headline markdown rendering.
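An added example, not scripts/external-customer-audit.js, of the partitioning the changeset describes: owner emails from a comma-separated env var matched case-insensitively, refunded charges excluded, billing_details.email used when the customer object has no email, and subscriptions split into owner/external MRR. The Stripe objects are constructed to match the shape of the real API (charge, customer, subscription with items.data[].price.recurring), and the fetch step is injected so the script runs offline; the gap behaviour when STRIPE_SECRET_KEY is missing follows the changeset.

```javascript
// Added example, not the ThumbGate audit script. Stripe-shaped objects are constructed, not real.

function parseOwnerEmails(envValue) {
  return new Set(String(envValue || '').split(',').map((e) => e.trim().toLowerCase()).filter(Boolean));
}

// Prefer the customer's email; fall back to the charge's billing_details when it is absent.
function chargeEmail(charge, customersById) {
  const cust = customersById.get(charge.customer);
  const fromCustomer = cust && cust.email;
  const fromBilling = charge.billing_details && charge.billing_details.email;
  return String(fromCustomer || fromBilling || '').toLowerCase();
}

function emptyBucket() { return { count: 0, netCents: 0, customers: new Set() }; }

function partitionCharges(charges, customersById, owners) {
  const buckets = { owner: emptyBucket(), external: emptyBucket() };
  for (const ch of charges) {
    if (!ch.paid || ch.refunded) continue;            // unpaid and fully refunded charges never count
    const email = chargeEmail(ch, customersById);
    const bucket = email && owners.has(email) ? buckets.owner : buckets.external;
    bucket.count += 1;
    bucket.netCents += ch.amount - (ch.amount_refunded || 0); // partial refunds reduce net
    if (email) bucket.customers.add(email);
  }
  return buckets;
}

// Normalize a subscription to monthly cents; month and year intervals only (this example's scope).
function monthlyCents(sub) {
  let total = 0;
  for (const item of sub.items.data) {
    const { unit_amount: unit, recurring } = item.price;
    const months = recurring.interval === 'year' ? 12 * recurring.interval_count : recurring.interval_count;
    total += (unit * (item.quantity || 1)) / months;
  }
  return total;
}

function partitionSubscriptions(subs, customersById, owners) {
  const out = { owner: { active: 0, mrrCents: 0 }, external: { active: 0, mrrCents: 0 } };
  for (const sub of subs) {
    if (sub.status !== 'active') continue;
    const cust = customersById.get(sub.customer);
    const email = String((cust && cust.email) || '').toLowerCase();
    const bucket = email && owners.has(email) ? out.owner : out.external;
    bucket.active += 1;
    bucket.mrrCents += monthlyCents(sub);
  }
  return out;
}

function externalCustomerAudit({ customers, charges, subscriptions }, ownerEmailsEnv) {
  const owners = parseOwnerEmails(ownerEmailsEnv);
  const customersById = new Map(customers.map((c) => [c.id, c]));
  const ch = partitionCharges(charges, customersById, owners);
  const su = partitionSubscriptions(subscriptions, customersById, owners);
  const shape = (c, s) => ({ payingCustomersLifetime: c.customers.size, netRevenueCents: c.netCents, activeSubscriptions: s.active, mrrCents: s.mrrCents });
  return { external: shape(ch.external, su.external), owner: shape(ch.owner, su.owner) };
}

// Missing secret is reported as a labelled gap, never as "0 customers".
function auditOrGap(env, fetchObjects) {
  if (!env.STRIPE_SECRET_KEY) return { gap: 'STRIPE_SECRET_KEY missing; Stripe data not fetched' };
  return externalCustomerAudit(fetchObjects(env.STRIPE_SECRET_KEY), env.THUMBGATE_OWNER_EMAILS);
}

function renderHeadline(audit) {
  if (audit.gap) return `gap: ${audit.gap}`;
  const e = audit.external;
  return [
    `Real, non-owner paying customers lifetime: ${e.payingCustomersLifetime}`,
    `Real, non-owner net revenue lifetime: $${(e.netRevenueCents / 100).toFixed(2)}`,
    `Real, non-owner active subscriptions: ${e.activeSubscriptions} (MRR $${(e.mrrCents / 100).toFixed(2)})`,
  ].join('\n');
}

// Constructed sample: one owner, one external buyer, one walk-up customer with no email on file.
const price = (unit_amount, interval) => ({ unit_amount, recurring: { interval, interval_count: 1 } });
const SAMPLE_STRIPE = {
  customers: [
    { id: 'cus_owner', email: 'Owner@Example.com' },
    { id: 'cus_ext1', email: 'buyer@example.net' },
    { id: 'cus_ext2', email: null },
  ],
  charges: [
    { id: 'ch_1', amount: 1900, amount_refunded: 0, paid: true, refunded: false, customer: 'cus_owner', billing_details: { email: 'owner@example.com' } },
    { id: 'ch_2', amount: 49900, amount_refunded: 0, paid: true, refunded: false, customer: 'cus_ext1', billing_details: { email: null } },
    { id: 'ch_3', amount: 9900, amount_refunded: 9900, paid: true, refunded: true, customer: 'cus_ext1', billing_details: { email: null } },
    { id: 'ch_4', amount: 100, amount_refunded: 0, paid: true, refunded: false, customer: 'cus_ext2', billing_details: { email: 'walkup@example.org' } },
  ],
  subscriptions: [
    { id: 'sub_1', status: 'active', customer: 'cus_owner', items: { data: [{ quantity: 1, price: price(1900, 'month') }] } },
    { id: 'sub_2', status: 'active', customer: 'cus_ext1', items: { data: [{ quantity: 3, price: price(4900, 'month') }] } },
    { id: 'sub_3', status: 'canceled', customer: 'cus_ext1', items: { data: [{ quantity: 1, price: price(14900, 'year') }] } },
  ],
};
const DEMO_AUDIT = auditOrGap(
  { STRIPE_SECRET_KEY: 'sk_test_constructed', THUMBGATE_OWNER_EMAILS: ' Owner@Example.com ' },
  () => SAMPLE_STRIPE,
);
console.log(renderHeadline(DEMO_AUDIT));
```

Matching on email alone is only as good as the email Stripe has: a walk-up buyer whose customer record has no email still gets attributed from billing_details, but an owner who tests with a fresh address not listed in THUMBGATE_OWNER_EMAILS will be counted as external, so the env var has to be kept in step with the test accounts actually used.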

.changeset/hero-cta-sprint-and-buyer-list.md

chore(landing): flip the hero CTA on public/index.html from "Get Pro — $19/mo" to "Talk to me — Workflow Hardening Sprint →" pointing at the existing #workflow-sprint-intake anchor. Pro/Team tiers below the fold are untouched and still convert via /checkout/pro. Aligns the highest-traffic landing surface with the actual buyer ICP (platform / devex leaders who buy fixed-scope engagements, not $19/mo self-serve).

Adds docs/marketing/buyer-list-real-humans-2026-05-14.md, docs/marketing/buyer-list-send-ready-2026-05-14.md, docs/marketing/bluesky-quote-tns-2026-05-14.md — outreach drafts, not runtime files.

.changeset/organization-entity-jsonld.md

Add top-level Organization JSON-LD block to the landing page so Google's TurboQuant entity index (and AI Overviews) can recognize ThumbGate as a distinct entity with founder, logo, and canonical sameAs profiles (GitHub repo, npm package, founder profile). Previously the only Organization markup was embedded as provider inside the Workflow Sprint Service block — embedded providers are less reliable entity signals than a standalone Organization node.

Conservative sameAs — only verified, ThumbGate-owned URLs (no speculative social profile claims).

.changeset/pricing-alignment.md

Fix /pricing contradiction: the previously shipped page collapsed two distinct products ("Sprint Diagnostic" $499 and "Workflow Hardening Sprint" $1500) into a single "$499 Sprint" card. Buyer arriving from the homepage hero — which correctly distinguishes "$499 diagnostic, $1500 sprint, $3,997 governance setup" — would see different numbers on adjacent pages.

This rewrites /pricing as the single source of truth with all six paid paths visible:

  • $1,500 Workflow Hardening Sprint (full engagement, hero card)
  • $499 Sprint Diagnostic (proof-pack on-ramp)
  • $0 Free CLI
  • $19/mo · $149/yr Pro
  • $49/seat/mo Team (3-seat min, $147/mo)
  • Micro-purchase row: $1 first failure rule, $19 quick read, $99 workflow teardown

Each card has a direct Stripe Payment Link (or /go/* tracked-link router) so a buyer landing from any inbound channel can complete checkout in one click without leaving the pricing page.

.changeset/readme-honest-positioning.md

README + LAUNCH_POSTS docs honesty pass triggered by r/ClaudeCode comment thread. Three corrections:

  1. "No LLM in enforcement" needs the qualifier. Layer 2 description now distinguishes the deterministic runtime gate decision (literal pattern + AST + scoped lookup, zero LLM) from offline retrieval (local CPU-only bge-small embeddings via LanceDB — a model, but no external API call and no inference cost beyond CPU).
  2. Thompson Sampling does NOT select rules. Old framing said "Thompson Sampling for adaptive rule selection" / "multi-armed bandit rule selection" which implied the bandit decides whether a rule fires. Corrected: TS tunes per-rule confidence weights for soft-gating rules. Hard rules ("block force-push to main") always fire deterministically — bandit exploration would be terrifying for hard rules.
  3. Cross-agent propagation + learning loop is the lead differentiator vs hand-rolled hooks. Layer 4 description now explicitly answers "why ThumbGate over Claude Code's permissions.deny or a custom PreToolUse script": (a) checks propagate cross-agent over MCP — thumbs-down on Cursor blocks the same pattern on Claude Code, Codex, Gemini in the next session; (b) every feedback event becomes a fresh rule and tunes existing ones, so the corpus sharpens without an operator hand-writing patterns for every new mistake shape.

.changeset/readme-stop-paying-placeholder.md

Fix broken README hero line. The README has shown **Stop paying $ for the same AI mistake.** since 2026-04-26 — a stray $ placeholder that was never filled in. The canonical product line elsewhere on the site is Stop paying for the same AI mistake twice (matches <title> tag on the homepage). This PR aligns the README hero to that exact phrasing.

Caught by a self-critique pass during a bug-hunt session. The placeholder had been live on the public GitHub README for almost three weeks.

.changeset/spec-driven-learn-page.md

Ship /learn/spec-driven-development — landing page positioning ThumbGate as the runtime enforcement layer for spec-driven development. The spec-driven workflow (mission.md / tech-stack.md / roadmap.md constitution plus per-feature plan / requirements / validation) is rising as an alternative to vibe coding, but the spec only works if the agent cannot drift outside it. Page makes that gap explicit and positions ThumbGate as the "bailiff" enforcing the spec at the PreToolUse hook layer.

SEO angle: "spec-driven development" + "AI agent spec enforcement" are growing search terms with low competition for the enforcement-layer framing.

.changeset/swap-bootstrapped-buy-stripe-urls.md

Swap the 5 hardcoded buy.stripe.com/* URLs in src/api/server.js to the new Payment Links generated by today's catalog-bootstrap dispatch (run 25883541719). The previous links resolved to ad-hoc Stripe-created products with no consistent naming; the new ones are wired to the persistent ThumbGate-branded products (metadata.thumbgate_tier=*) with per-tier thumbnails, so buyers landing on the Stripe page now see "ThumbGate — Workflow Sprint" with the ThumbGate icon instead of an unbranded $1,500 line item.

.changeset/telemetry-export-endpoint.md

Add GET /v1/telemetry/export — operator-key-gated endpoint that returns recent raw telemetry-pings + funnel-events rows so the Daily Revenue Loop CI can pull first-party event data off the Railway container and join CTA-click attribution into the unified revenue rollup. Closes the third gap surfaced in the 2026-05-15 audit (Plausible reports pageview→pageview, Stripe reports charges, but the pageview→CTA-click handoff lives in .thumbgate/telemetry-pings.jsonl on Railway with no export path).

Endpoint contract:

  • Auth: THUMBGATE_OPERATOR_KEY or the admin THUMBGATE_API_KEY (same auth shape as /v1/billing/summary).
  • Query params: since (ISO8601, default last 24h), limit (default 1000, hard cap 10000), source (telemetry | funnel | both, default both).
  • Returns { generatedAt, since, limit, source, telemetry: { rows, truncated, totalAfterSince }, funnel: { rows, truncated, totalAfterSince } }.
  • Truncation keeps the MOST RECENT rows (slice(-limit)) and signals via truncated: true.
  • Graceful: missing JSONL files return rows: [], never a crash.

12 integration tests cover both auth paths, both rejection paths, every query parameter, the since-window filter, the truncation behavior, the hard-cap clamp, the negative-limit fallback, and the stable response schema.

.changeset/unified-revenue-rollup.md

Add scripts/unified-revenue-rollup.js — single script that joins Stripe live status (cash, MRR, lifetime revenue, checkout completion) with Plausible web analytics (visitors, pageviews, traffic sources) and projects the join onto the seven public revenue surfaces (/, /pricing, /case-studies, /compare/heidi, /learn/spec-driven-development, /pro, /go/teams).

Closes the audit gap surfaced on 2026-05-15 where the previous revenue-status.js only did a binary "is Plausible installed on the page" check and analytics-latest.md had gone two days stale. The new rollup is wired into the Daily Revenue Loop workflow (.github/workflows/daily-revenue-loop.yml) so a fresh reports/revenue/unified-rollup-latest.md is produced every run, and the markdown is also surfaced into the GitHub Actions job summary for at-a-glance review.

The script degrades gracefully when STRIPE_SECRET_KEY or PLAUSIBLE_API_KEY are missing — every absence becomes a labelled gap line, never a crash — so the same script is safe to run locally or in CI with partial secrets.

Diagnostics flag "funnel leak" patterns: traffic-on-/pricing-with-$0-balance and traffic-on-/case-studies-with-zero-checkouts. These are info-level signals, not warnings — they describe state, they do not claim revenue.

14 tests cover: surface list completeness, arg parsing, Plausible-page-to-surface join with zero-fill, diagnostics-firing-rules, markdown rendering (positive and degraded paths), and the gather/build wiring with a fake Plausible API + injected stripe-live-status module.

.changeset/verify-deploy-comment-workflow.md

Add .github/workflows/verify-deploy-comment.yml which runs after the Deploy to Railway workflow finishes for main pushes. It polls /health for up to 8 minutes waiting for the production buildSha to match the merge commit, probes /, /health, /dashboard, and every newly added public/learn/*.html or public/guides/*.html route in the merge diff, then posts a single comment back on the PR that introduced the merge — with the buildSha match, the /health JSON snapshot, and the per-route HTTP codes. Codifies the CLAUDE.md deployment-verification gate (no claiming "deployed" without /health evidence) as automation rather than a human checklist.

.changeset/wire-nav-pricing-case-studies.md

Wire /pricing and /case-studies into the homepage top-nav so buyers landing on thumbgate.ai can reach the canonical pricing and proof surfaces in one click. Previously the "Pricing" link pointed to an in-page anchor (#pricing) — the dedicated /pricing page shipped in PR #2068 was reachable only via direct URL. /case-studies (PR #2067, currently Aiventyx-only) had no entry at all.

CHANGELOG.md Entry

1.19.0

Minor Changes

  • #1982 994fa11 Thanks @IgorGanapolsky! - Add AI deployment readiness positioning, SEO guide, and sprint conversion surfaces for production agent rollout buyers.

  • #1936 1d9786a Thanks @IgorGanapolsky! - Add a Branch Contamination Guard (workflow + scripts/audit-pr-bot-contamination.js) that fails fast when a PR contains commits authored by the bare [email protected] identity (NOT the registered github-actions[bot]) that drop > 100 lines of new files onto a non-automation branch. Catches the failure mode that turned PR #1910 (a 21-line /go/teams redirector fix) into a 4-hour pipeline grind: a 693-line scripts/feedback_quality_eval.py got committed onto its branch by off-script tooling and tanked SonarCloud's coverage gate (9% on new code). Skips audit cleanly on automation-owned branches (auto/, agent/, claude/, codex/, dependabot/, renovate/). 7 regression tests including one that re-plays the actual bee4938a commit.

  • #1989 e87299d Thanks @IgorGanapolsky! - Eliminate zombie Stripe sessions: render the /checkout/pro interstitial for every non-confirmed GET (bot OR human), not only bot traffic. Before this change a raw GET on /checkout/pro 302'd straight to a fresh cs_live_* Stripe session — which is what created the 50-zombie-sessions / 0-paid pattern surfaced 2026-05-13 (every crawler, every link-preview fetcher, every confused human GET generated a real Stripe session before any context, email, or button click). After: only POST or ?confirm=1 creates a Stripe session. Humans clicking the "Pay $19/mo with Stripe →" button on the interstitial supply confirm=1 on the next hop, so the conversion path is preserved — they just see what they're paying for before Stripe asks for the card. Telemetry change: when the visitor is not bot-classified, the event fires as checkout_interstitial_view instead of checkout_bot_deflected, so funnel reports can distinguish bot deflection from intentional human views.

  • #1982 994fa11 Thanks @IgorGanapolsky! - Add tokenizer-brittleness model benchmarking for byte-level robustness across malformed JSONL, Unicode confusables, stack traces, SQL, secrets, paths, and code-symbol-heavy inputs.

  • #1972 a4a1267 Thanks @IgorGanapolsky! - Add federal agency positioning surface (docs/FEDERAL.md, public/federal.html, /federal route) so SBIR / agency / SI evaluators land on a dedicated page rather than the developer-focused home page. Page is pilot-ready posture only — no FedRAMP claim, no speculative compliance badges. The technical brief maps existing ThumbGate capabilities to NIST 800-53 Rev 5 controls (AC-3, AC-6, AU-2/3/12, CM-3, CM-7, IR-4, RA-5, SI-4, SI-7) and to OMB M-24-10 / EO 14110 inventory and risk-management requirements; defines a two-profile deployment model (public open source unchanged, THUMBGATE_DEPLOY=gov mode in ThumbGate-Core for on-prem / GovCloud / Azure Government installs); pins five architectural invariants protecting the developer install path. Two new regression tests added to tests/public-core-boundary.test.js: federal lead-gen files must exist, and federal behavior must gate on THUMBGATE_DEPLOY=gov only (no env-var sprawl). Route accepts /federal, /federal.html, /government, /gov and flows through servePublicMarketingPage for UTM attribution on agency arrivals.

  • #1884 a46b371 Thanks @IgorGanapolsky! - /health and /healthz no longer return status: 'ok' unconditionally. Each endpoint now probes the relevant downstream subsystem and returns HTTP 503 + status: 'degraded' with a per-check breakdown when any probe fails. /health verifies feedback-dir writability, hosted-config app-origin, and build-metadata SHA presence. /healthz verifies feedback-log + memory-log directories are writable. Backward-compatible payload shape: existing fields preserved, checks: {} added. Uptime monitors now detect real service degradation instead of just process liveness.

  • #1981 d3d3257 Thanks @IgorGanapolsky! - Ship the high-ROI bundle from the 2026-05-13 revenue-ROI critique. Four code-side improvements ranked by revenue ROI, plus one positioning doc:

    • #4 Deploy-verification GitHub Action (.github/workflows/deploy-verify.yml) — triggers on push to main, waits 180s for Railway rebuild, curls /health for expected version, curls /dashboard for sentinel string, samples any public/learn|guides|compare/*.html routes added in the diff, posts a green/red comment on the merging PR. Ends the recurring "did it actually deploy?" trust-burn pattern. The Deployment Verification Gate from CLAUDE.md was manual; now it's automated.

    • #2 Plausible custom funnel events (scripts/plausible-server-events.js + 3 server-side fires in src/api/server.js) — emits Checkout Pro Viewed / Checkout Pro Email Submitted / Checkout Pro Stripe Redirect Started to the Plausible events API alongside the existing JSONL telemetry. Fire-and-forget, 2s timeout, opt-out via THUMBGATE_PLAUSIBLE_DISABLE=1 or DO_NOT_TRACK=1. Closes the "0/50 checkouts and we don't know why" visibility gap — the three transitions now show up in the same dashboard where pageviews already live, exposing exactly where the funnel drops (landing → email → Stripe → paid).

    • #1 Activation telemetry (scripts/activation-tracker.js + hook in scripts/feedback-loop.js) — anonymous activation_first_rule_promoted ping the first time a prevention rule auto-promotes for an install. Payload: installId + daysToFirstRule + visitorType (ci|owner|real_user) + promotionCount + totalGates. Idempotent via marker file under ~/.thumbgate/activation/. Critical metric for the v1.17.0 free-tier-opening experiment: % of npx thumbgate init runs that produce a first auto-promoted rule within 24h. Respects existing telemetry opt-outs.

    • #5 Anti-claim Stop hook (scripts/hook-stop-anti-claim.js registered in .claude/settings.json) — scans the assistant's most recent turn for completion-claim wording ("is live", "deployed", "fixed", "ready", "shipped"). If the same turn lacks a proof tool call (curl, gh pr view, gh api, npm test, node --test, Bash(...), Read(...)), prints a system reminder for the next turn. ThumbGate-on-ThumbGate dogfood — the harness now enforces the anti-lying directive that CLAUDE.md asks for but didn't enforce. Informational (never hard-blocks), so the agent corrects mid-conversation rather than losing the turn.

    • Databricks positioning brief (docs/DATABRICKS.md) — composition map showing how ThumbGate composes with MLflow / Unity Catalog / Mosaic AI / Vector Search without claiming integration. Cheap pre-LOI artifact so "they call out Databricks exposure" RFP / recruiter conversations have a credible answer. Same pulled-by-demand sequencing as docs/FEDERAL.md.

    New tests: tests/plausible-server-events.test.js (10), tests/activation-tracker.test.js (5), tests/hook-stop-anti-claim.test.js (10). All pass locally.

  • #1982 994fa11 Thanks @IgorGanapolsky! - Add an interaction-model runtime layer with normalized event JSONL, replayable workflow state, foreground claim gates, and background verification recommendations.

  • #2062 7e3bbff Thanks @IgorGanapolsky! - refactor(python): elevate Thompson feedback logic with OOP and pytest. Migrates the Bayesian reliability model to use Python dataclasses and adds a comprehensive `pytest` suite.

  • #1919 aba7c4e Thanks @IgorGanapolsky! - Add scripts/stripe-bootstrap-saas-catalog.js + dispatch workflow that idempotently creates the full ThumbGate paid catalog in Stripe Live: persistent ThumbGate Pro / Team / Free SaaS products plus the 5 one-off SKUs currently sold via hardcoded buy.stripe.com URLs in src/api/server.js (First Failure Rule $1, Quick Read $19, Workflow Teardown $99, Sprint Diagnostic $499, Workflow Sprint $1,500). Each one-off also gets an auto-generated Payment Link (active=true, metadata.thumbgate_lookup_key keyed for idempotency), and the workflow summary prints the new buy.stripe.com/... URLs so a follow-up PR can swap the hardcoded constants in server.js. Why: the dashboard Product Catalog currently shows only legacy consulting SKUs — no ThumbGate-branded rows — which blocks the Stripe Customer Portal plan-switcher and prevents Payment Links from sitting on stable prices. Keyed by metadata.thumbgate_tier + lookup_keys; re-runs converge. Workflow is workflow_dispatch-only with a dry_run input that defaults to true.

  • #1925 fc1a21a Thanks @IgorGanapolsky! - Add /terms and /support public HTML pages (sibling to existing /privacy). Required so Stripe's Business → Public details form can be fully populated — "Terms of service URL" and "Customer support URL" both currently 401 on thumbgate.ai. The terms page covers payment, refunds (7-day Pro/Team window, refund-on-request for one-offs), acceptable use, warranty disclaimer, limitation of liability, and governing law. The support page surfaces email, GitHub Issues, the /health status path, refund instructions, and a security-disclosure note. Both pages cross-link to each other and /privacy to keep the legal triangle navigable.

Patch Changes

  • #1982 994fa11 Thanks @IgorGanapolsky! - Add agent-native memory scope readiness checks that require entity, project, process, and session identifiers before multi-user memory retrieval.

  • #1946 2b72f9c Thanks @IgorGanapolsky! - Add /learn/from-prototype-to-production build-log article (70-day init→v1.17.0 timeline with real npm download numbers, five hard-won lessons, and an honest $0 cold-traffic revenue admission). Listed in the /learn article grid and Schema.org ItemList at position 6 so the new post is discoverable from the Learn index and reachable through structured-data crawlers.

  • #1981 d3d3257 Thanks @IgorGanapolsky! - Emit a stripe_redirect_started telemetry event in src/api/server.js immediately before the 302 to a real Stripe Checkout URL fires, carrying the same attribution payload (installId, acquisitionId, visitorId, sessionId, traceId, stripeSessionId, UTM + creator + community + offer/cta context) as checkout_bootstrap. Closes the funnel-observability gap between checkout_bootstrap (intent declared) and /success (payment completed): a buyer who reaches checkout_bootstrap but never produces stripe_redirect_started means the Stripe session create failed; one who reaches stripe_redirect_started but never /success means they bounced from the Stripe-hosted page. Both drops are now individually measurable.
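The two drops the entry describes can be measured from the JSONL telemetry itself. Added example, not ThumbGate's own code: `checkout_bootstrap` and `stripe_redirect_started` are the event names from the changeset, while the `checkout_success` name, the line shape and the sample lines are constructed assumptions.

```javascript
// Added example (not ThumbGate's own code): measure the two funnel drops the
// entry describes from JSONL telemetry. Event names checkout_bootstrap and
// stripe_redirect_started are from the changeset; the checkout_success name,
// the line shape and the sample lines below are constructed assumptions.

const FUNNEL = ["checkout_bootstrap", "stripe_redirect_started", "checkout_success"];

function analyzeFunnel(jsonlText) {
  const furthest = new Map(); // sessionId -> highest funnel stage reached
  for (const line of jsonlText.split("\n")) {
    if (!line.trim()) continue;
    let ev;
    try { ev = JSON.parse(line); } catch { continue; } // skip malformed lines
    const stage = FUNNEL.indexOf(ev.event);
    if (stage < 0 || typeof ev.sessionId !== "string") continue;
    furthest.set(ev.sessionId, Math.max(furthest.get(ev.sessionId) ?? -1, stage));
  }
  const reached = Object.fromEntries(FUNNEL.map((name) => [name, 0]));
  const sessionCreateFailed = [];  // bootstrap seen, redirect never fired
  const bouncedFromStripe = [];    // redirect fired, success never reached
  for (const [sid, stage] of furthest) {
    for (let i = 0; i <= stage; i++) reached[FUNNEL[i]]++;
    if (stage === 0) sessionCreateFailed.push(sid);
    if (stage === 1) bouncedFromStripe.push(sid);
  }
  return { reached, sessionCreateFailed, bouncedFromStripe };
}

// Constructed sample: four sessions plus one malformed and one unrelated line.
const SAMPLE_JSONL = [
  '{"event":"checkout_bootstrap","sessionId":"s1","installId":"i1"}',
  '{"event":"stripe_redirect_started","sessionId":"s1","installId":"i1"}',
  '{"event":"checkout_success","sessionId":"s1","installId":"i1"}',
  '{"event":"checkout_bootstrap","sessionId":"s2","installId":"i2"}',
  '{"event":"checkout_bootstrap","sessionId":"s3","installId":"i3"}',
  '{"event":"stripe_redirect_started","sessionId":"s3","installId":"i3"}',
  '{"event":"checkout_bootstrap","sessionId":"s4"}',
  '{"event":"stripe_redirect_started","sessionId":"s4"}',
  '{"event":"checkout_success","sessionId":"s4"}',
  'not json at all',
  '{"event":"pageview","sessionId":"s5"}',
].join("\n");

// reached: bootstrap 4, redirect 3, success 2; s2 failed at session create,
// s3 bounced from the Stripe-hosted page.
const report = analyzeFunnel(SAMPLE_JSONL);
```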

  • #1846 b793a66 Thanks @dependabot! - Bump @anthropic-ai/sdk from 0.92.0 to 0.95.2 to keep the shipped runtime dependency set current under ThumbGate's audited release flow.

  • #1981 d3d3257 Thanks @IgorGanapolsky! - scripts/hook-stop-verify-deploy.sh now hard-blocks the agent's turn when the response contains a deploy claim ("deployed", "shipped", "live in production", "in prod", "production-ready", etc.) without evidence in the same message — a curl to the production host, a buildSha string, a /health JSON-style version field, an HTTP 200 from the production host, or the verify-deploy-comment workflow's "Deploy verified" sentinel. Previously the hook only printed a warning, which was repeatedly ignored. The block contract matches hook-stop-pr-thread-check.sh: a JSON decision: block is emitted on stdout. Adds tests/hook-stop-verify-deploy.test.js (14 cases) to pin the regex + evidence patterns.
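The anti-claim Stop hook (#5 above) and this verify-deploy hook share one mechanism: match completion-claim wording, then look for proof in the same turn and either warn or block. Added example, not the hooks' own code: the claim words are the ones quoted in the two entries, the evidence patterns are constructed approximations of the evidence kinds listed, and the stdin/stdout wiring of a real Stop hook is left out.

```javascript
// Added example (not the hooks' own code): a claim gate in the style the two
// entries describe. Claim words are the ones quoted above; the evidence
// patterns are constructed approximations, not the real hooks' regexes.

const CLAIM_PATTERNS = [
  { label: "is live", re: /\bis live\b/i },
  { label: "deployed", re: /\bdeployed\b/i },
  { label: "shipped", re: /\bshipped\b/i },
  { label: "fixed", re: /\bfixed\b/i },
  { label: "ready", re: /\bready\b/i },            // also catches "production-ready"
  { label: "live in production", re: /\blive in production\b/i },
  { label: "in prod", re: /\bin prod\b/i },
];

// Proof that the claim was actually checked in the same turn.
const EVIDENCE_PATTERNS = [
  /\bcurl\b[^\n]*https?:\/\//i,          // a curl against some host
  /\bgh\s+(pr\s+view|api)\b/,            // gh pr view / gh api
  /\bnpm\s+test\b/, /\bnode\s+--test\b/, // test runs
  /\bBash\(/, /\bRead\(/,                // tool-call transcripts
  /\bbuildSha\b/, /"version"\s*:/,       // build sha or /health-style version field
  /\bHTTP\/\d(?:\.\d)?\s+200\b/,         // HTTP 200 from the host
  /Deploy verified/,                     // deploy-verify workflow sentinel
];

function findClaims(text) {
  return CLAIM_PATTERNS.filter((p) => p.re.test(text)).map((p) => p.label);
}

function hasEvidence(text) {
  return EVIDENCE_PATTERNS.some((re) => re.test(text));
}

// mode "warn": allow the turn but attach a reminder (anti-claim hook behaviour).
// mode "block": emit a block decision (verify-deploy hook behaviour).
function evaluateTurn(text, mode = "warn") {
  const claims = findClaims(text);
  if (claims.length === 0 || hasEvidence(text)) {
    return { decision: "allow", claims };
  }
  const reason = `Claim "${claims.join('", "')}" without proof in the same turn.`;
  return mode === "block"
    ? { decision: "block", reason, claims }
    : { decision: "allow", reminder: reason, claims };
}
```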

  • #1904 9d575e5 Thanks @IgorGanapolsky! - Stop crawler / link-preview traffic from inflating the checkout-start metric and creating zombie Stripe sessions. Stripe API shows 50 sessions created in last 24h, 0 paid, 0 email captured — a signature of bot/preview fetches not human buyers. Two fixes: (a) add rel="nofollow noopener noreferrer" target="_blank" to all <a href="https://buy.stripe.com/..."> anchors on landing surfaces (7 anchors updated across public/index.html, public/guide.html, public/pro.html), so search engines + social-preview fetchers stop following them and creating sessions; (b) add Disallow: /checkout/ and Disallow: /v1/billing/ to robots.txt for both default User-agent: * and the explicit AI-crawler stanzas. Real humans still reach checkout via JS-driven button clicks, which crawlers don't execute.

  • #1974 6402631 Thanks @IgorGanapolsky! - Patch protobufjs security advisories and sanitize social publisher log output.

  • #1982 994fa11 Thanks @IgorGanapolsky! - Tighten CLI log sanitization for social publishing and revenue watcher output.

  • #2053 b17d18f Thanks @IgorGanapolsky! - Drop the hardcoded Stripe-Version: 2025-09-30.acacia header from scripts/stripe-bootstrap-saas-catalog.js. That version doesn't exist — Stripe rejected every request with HTTP 400 "Invalid Stripe API version" when the freshly-merged catalog bootstrap was first dispatched. Removing the explicit header lets requests use the version pinned to the account, which is Stripe's documented correct default.

  • #2065 dc9e4c1 Thanks @IgorGanapolsky! - feat(marketing): surface Rob May / The New Stack social proof on the hero + README.

    Adds a <figure> blockquote on public/index.html and a matching quote block under the badges in README.md. Quote is from Rob May (CEO, Neurometric AI), as published in The New Stack — May 2026 — on Anthropic's Claude Code Agent View. Pure third-party validation of ThumbGate's thesis on a high-credibility outlet read by our buyer ICP.

Verification Standard

  • Publish only runs from main after version sync, tests, and runtime proof pass.
  • The npm package is smoke-tested after publish by installing thumbgate@VERSION in a clean runtime.
  • GitHub Release notes are generated from Changesets, not only GitHub auto-generated PR titles.


About IgorGanapolsky/mcp-memory-gateway

Pre-action gates that prevent AI coding agents from repeating known mistakes. Captures explicit feedback, auto-promotes failures into prevention rules, and enforces them via hooks.
