Skip to content

thumbgate@1.27.20

Choose a tag to compare

@github-actions github-actions released this 09 Jul 00:49
adfbcec

thumbgate@1.27.20

Release Links

npm Email Companion

npm controls the native "Successfully published" email template, so the email itself stays short. Treat this generated artifact as the full release-note companion for that email: it carries the Changeset summaries, CHANGELOG entry, publish workflow, npm tarball, and shasum when available.

Full Changeset Release Notes

Minor Changes

.changeset/autonomous-fail-closed-gates.md

Add opt-in autonomous fail-closed mode for approval gates. When THUMBGATE_AUTONOMOUS=1, an approve (human-in-the-loop) gate now fails CLOSED (deny) instead of deferring — because in an autonomous agent loop there is no human to sign off, and the actions that most need approval must not slip through unattended. Interactive and existing CI behavior is unchanged (opt-in only); applies to both the sync and async evaluation paths.

Patch Changes

.changeset/andy-martin-hardening.md

Ship all runtime files in the npm bundle and self-protect ThumbGate's own governance files.

  • Adds a pack-integrity test that fails if any runtime require() reachable from the shipped entrypoints is missing from the tarball — the class of bug that broke 1.27.19 (missing feedback-sanitizer.js crashed the prompt hook for every user).
  • Adds scripts/self-protection.js: edits to ThumbGate's own kill-switch files (.claude/settings.json, hook scripts, config/gates/**) now WARN by default and hard-block under THUMBGATE_STRICT_ENFORCEMENT=1, with a THUMBGATE_ALLOW_SELF_EDIT=1 escape hatch that preserves the repair path.

Prompted by Andy Martin's review.

.changeset/checkout-bypass-fix.md

Fix broken checkout: 99 visitors hit /checkout/pro in 30 days, 0 converted. The interstitial form posted back to itself instead of redirecting to Stripe. Now bypasses the broken createCheckoutSession path and routes directly to the Stripe Payment Link. Bypass is enabled by default.

.changeset/checkout-email-optional-before-stripe.md

Reduce Pro checkout friction by letting confirmed human clicks reach Stripe without requiring an email on the ThumbGate interstitial, while keeping bot deflection and adding a revenue doctor guard for deployed required-email drift.

.changeset/checkout-email-recovery-gate.md

Require a valid buyer email before creating Pro Stripe Checkout Sessions so abandoned checkouts keep a recoverable contact path instead of generating unpaid no-contact sessions.

.changeset/deploy-scope-prod-drift.md

Fix deploy-scope silently skipping deploys when production has drifted behind main. A push with no runtime-serving file changes now still triggers a catch-up deploy when the live /health build SHA is positively confirmed behind HEAD; unknown/unreachable preserves the historical skip (fail-safe). Prevents production freezing many commits behind main (root cause of the /diagnostic 404 — prod was sitting 86 commits behind).

.changeset/diagnostic-conversion-page.md

Add a focused Workflow Hardening Diagnostic page with a tracked $499 diagnostic checkout path and deploy-gated route verification.

.changeset/diagnostic-real-logo.md

Fix the /diagnostic page header logo. It rendered a placeholder CSS letter-"T" monogram (<span class="mark">T</span>) — the only page on the site doing so — which read as unfinished on the paid $499 diagnostic landing page. Replace it with the real brand mark (/assets/brand/thumbgate-mark-inline-v3.svg), matching every other page, and simplify the .mark style to a self-framed 28×28 image.

.changeset/fix-checkout-dead-end.md

Fix checkout conversion bug: 99 visitors hit /checkout/pro in 30 days, 0 paid. The server-side Stripe session creation was failing silently (env var not configured on Railway), causing the form to loop back to the interstitial instead of redirecting to Stripe. Changed the form action to link directly to the Stripe Payment Link, bypassing the broken server-side flow entirely.

.changeset/install-buyer-path.md

Add an owned /install buyer path that consolidates live ThumbGate distribution surfaces, verified install commands, marketplace status, and the paid Workflow Hardening Diagnostic CTA.

.changeset/leash-beta-founding-landing.md

Serve the Hermes founding beta / Leash Pro pricing landing at /leash-beta with deploy-verify sentinel coverage.

.changeset/lesson-supersede-filter.md

Add a retrieval-time superseding filter to lesson retrieval. Same-topic lessons are now collapsed before final selection: duplicates drop to the higher-ranked one, and contradictions (opposite signal on the same rule/topic) keep the most recent — which supersedes the stale one. This prevents "context poisoning," where an agent could be handed two contradictory lessons (e.g. "never force-push" and "force-push is fine") at equal relevance. Conservative by design (distinct lessons are never merged); affects only lesson retrieval, not the hard gate rules.

.changeset/license-env-scan-and-bot-module-consolidation.md

Trust hardening of the published npm artifact. verifyLicense() now only considers THUMBGATE_-prefixed env vars as license candidates — it previously scanned every *_API_KEY / *_PRO_KEY env var, so an unrelated vendor's secret could be picked up as a license key — and its result object no longer carries the raw key value (callers only ever needed the boolean/source). The owner-email allowlist is no longer hardcoded in the shipped bundle: set THUMBGATE_OWNER_EMAILS (comma-separated) to classify owner traffic, matching the existing convention in external-customer-audit. The near-duplicate scripts/bot-detector.js is consolidated into scripts/bot-detection.js, which now also exports classifyVisitor, shouldExcludeFromAnalytics, and botFilterMiddleware, with the legacy crawler patterns merged into the unified BOT_PATTERNS list.

.changeset/mcp-serve-fast-start.md

fix(mcp): stop reinstalling thumbgate@latest on every MCP server launch. The serve entry now fast-starts from the installed runtime and resolves @latest via npx only when the runtime is absent — matching the hook commands. Removes a per-launch blocking npm install that could hang or fail server startup on slow/offline networks (agents saw the server / capture "time out").

.changeset/npm-diagnostic-conversion.md

Add npx thumbgate diagnostic so npm/CLI users can reach the $499 Workflow Hardening Diagnostic intake and checkout paths directly from the package.

.changeset/nucleus-lesson-retrieval.md

Add Memora-style nucleus (top-P) "decide when to stop" filtering to per-action lesson retrieval. Operators can set THUMBGATE_RETRIEVAL_TOP_P (or pass options.topP) to trim the low-relevance tail so a single dominant lesson isn't padded out to maxResults — fewer tokens stuffed into each PreToolUse warning and retrieve_lessons call. Off by default (topP=1.0 is a no-op, so existing behaviour is unchanged). Also fixes the previously dead, mis-normalized filterTopP (now scale-free with a minKeep floor) and removes a duplicate calculateRetrievalEntropy definition.

.changeset/pro-tier-readme.md

Add ThumbGate Pro tier section to README with Stripe payment link. Lists Pro features (team-wide policies, centralized feedback memory, budget monitoring, priority support) and links to the $19/month payment page.

.changeset/readme-hiring-cta.md

docs(readme): add a "Who builds ThumbGate — and hiring me" section that routes the repo's qualified readers to the maintainer's freelance/contract availability (payments, AI agents, Android). Repositions ThumbGate's credibility as a lead source per the Option-C monetization analysis; no code or runtime behavior change.

.changeset/readonly-tools-exempt-pr-thread-gate.md

Never block read-only observability tools on the pending PR-thread-resolution gate. After any PR-branch commit, the gate previously denied every subsequent tool call — including pure reads like get_business_metrics, dashboard, and describe_semantic_entity — with "a git commit was made on a PR branch." That blinded operators to their own revenue/metrics mid-PR while doing nothing for safety (a read cannot advance a readiness claim or mutate state). Read-only tools (sourced from the canonical readonly MCP profile) are now exempt; mutating tools and file edits stay gated.

.changeset/release-1-27-20.md

Release 1.27.20 — ship a complete npm tarball.

Published 1.27.19 was cut from an untracked working directory and omitted 32 files (including scripts/feedback-sanitizer.js), which crashed the UserPromptSubmit hook on every prompt. This release publishes the full file set from main through CI (tagged, provenance-signed) and includes the pack-integrity regression guard so an incomplete tarball can never publish again.

.changeset/remove-budget-gates-self-lockout.md

Remove budget gates from the PreToolUse hook path (self-lockout fix). A stale ~/.thumbgate/budget-state.json (session_start never reset across sessions) permanently blocked every Bash/Edit/Write call — including the edits needed to repair the gate itself. The hook no longer consults budget gates at all; spend tracking remains advisory-only. evaluateBudget() is now advisory by default (deny requires explicit THUMBGATE_BUDGET_ENFORCE=1), auto-resets state older than 2× the time cap, and scopes state to a sessionId when provided. Regression test tests/hook-no-budget-lockout.test.js spawns the real hook with poisoned budget state and asserts it can never block.

.changeset/remove-internal-operator-reports.md

Remove internal operator report, proof-artifact, and memory-log directories from the public repository, and extend the leak gate (gitignore, pre-commit hook, CI test) so they cannot return. Public guide/compare pages and the pro/landing templates now point their evidence links at docs/VERIFICATION_EVIDENCE.md instead of tracked proof-report JSON files.

.changeset/safe-billing-setup-redaction.md

Redact billing:setup operator keys by default so revenue readback setup no longer leaks live secrets into agent transcripts or shell logs.

.changeset/thumbgate-12715-marketplace-repair.md

Repair ThumbGate 1.27.15 plugin distribution metadata across Cursor, Codex, Claude, OpenCode, VS Code, MCP server cards, and public version surfaces. Add a Cursor Marketplace doctor that separates local bundle readiness from public listing approval, document the current non-live Cursor listing truth, reinstall the repo-local Codex plugin at 1.27.15, remove obsolete Zernio-only tests from the aggregate release suite, and add Z.ai helper exports used by the revenue automation smoke checks.

CHANGELOG.md Entry

No CHANGELOG.md section was found for 1.27.20; the release notes above were generated from the changed Changeset files.

Verification Standard

  • Publish only runs from main after version sync, tests, and runtime proof pass.
  • The npm package is smoke-tested after publish by installing thumbgate@VERSION in a clean runtime.
  • GitHub Release notes are generated from Changesets, not only GitHub auto-generated PR titles.