thumbgate 0.9.9

package/plugins/gemini-extension/INSTALL.md

@@ -0,0 +1,92 @@
+# Gemini: ThumbGate Function Declarations Install
+
+Import the ThumbGate function declarations into your Gemini agent in under 60 seconds.
+
+## One-Command Install (Node.js)
+
+```bash
+# Copy declarations to your project
+cp adapters/gemini/function-declarations.json .gemini/rlhf-tools.json
+```
+
+## Import in Your Agent Code
+
+```javascript
+const fs = require('fs');
+
+// Load ThumbGate tool declarations
+const rlhfTools = JSON.parse(
+  fs.readFileSync('adapters/gemini/function-declarations.json', 'utf8')
+);
+
+// Pass to Gemini SDK
+const model = genAI.getGenerativeModel({
+  model: 'gemini-pro',
+  tools: [{ functionDeclarations: rlhfTools.tools }],
+});
+```
+
+## Available Functions
+
+| Function | Description |
+|---|---|
+| `capture_memory_feedback` | Capture success/failure feedback — POST `/v1/feedback/capture` |
+| `get_reliability_rules` | Retrieve active prevention rules — POST `/v1/feedback/rules` |
+| `get_business_metrics` | Retrieve high-level metrics — GET `/v1/billing/summary` |
+| `describe_reliability_entity` | Get canonical definitions — GET `/v1/semantic/describe` |
+
+## Point to Your API
+
+Set the base URL in your Gemini function handler:
+
+```javascript
+const THUMBGATE_API_URL = process.env.THUMBGATE_API_URL || 'http://localhost:3000';
+const THUMBGATE_API_KEY = process.env.THUMBGATE_API_KEY;
+
+async function callRlhfTool(name, params) {
+  const endpoints = {
+    capture_memory_feedback:    { method: 'POST', path: '/v1/feedback/capture' },
+    get_reliability_rules:      { method: 'POST', path: '/v1/feedback/rules' },
+    get_business_metrics:       { method: 'GET',  path: '/v1/billing/summary' },
+    describe_reliability_entity: { method: 'GET',  path: '/v1/semantic/describe' },
+    plan_intent:                { method: 'POST', path: '/v1/intents/plan' },
+  };
+  const { method, path } = endpoints[name];
+  
+  const url = new URL(`${THUMBGATE_API_URL}${path}`);
+  if (method === 'GET' && params) {
+    Object.keys(params).forEach(key => url.searchParams.append(key, params[key]));
+  }
+
+  const res = await fetch(url.toString(), {
+    method,
+    headers: { Authorization: `Bearer ${THUMBGATE_API_KEY}`, 'Content-Type': 'application/json' },
+    body: method === 'POST' ? JSON.stringify(params) : undefined,
+  });
+  return res.json();
+}
+```
+
+## Requirements
+
+- Google Gemini SDK (`@google/generative-ai`)
+- Node.js 18+ or Python 3.9+
+- ThumbGate API running (local or hosted)
+
+## Branding Alignment (Google Cloud)
+
+When setting up your Google Cloud Project for this extension:
+1.  **Project Name:** Use `mcp-reliability-gateway` or similar. Avoid placeholder names.
+2.  **OAuth Consent Screen:**
+    - **App Name:** Enter `MCP Reliability Gateway`.
+    - **Support Email:** Use your professional email.
+    - **Logo:** Use the provided asset in `docs/logo-400x400.png`.
+
+This ensures that the "App Asking for Consent" matches the product name, providing a professional experience for the CEO and users.
+
+## Verify
+
+```bash
+node -e "const t = require('./adapters/gemini/function-declarations.json'); console.log('Tools:', t.tools.map(x=>x.name))"
+# Expected: Tools: [ 'capture_memory_feedback', 'get_reliability_rules', 'get_business_metrics', 'describe_reliability_entity', ... ]
+```

package/plugins/gemini-extension/gemini_prompt.txt

@@ -0,0 +1,14 @@
+You are integrated with the MCP Reliability Gateway. Your goal is to ensure 100% reliable execution by following project-specific rules and business metrics.
+
+When the user gives success/failure signal (thumbs up/down):
+- call `capture_memory_feedback` with rich context.
+- include tags for entities involved (e.g. 'entity:Revenue', 'entity:Customer').
+- do not accept vague feedback without asking for detail.
+
+Before starting a significant task:
+- call `get_reliability_rules` to retrieve prevention rules derived from past mistakes.
+- respect these rules as foundational constraints.
+
+When reasoning about the business:
+- use `get_business_metrics` for hard revenue and conversion data.
+- use `describe_reliability_entity` to understand how business concepts are defined.

package/plugins/gemini-extension/tool_contract.json

@@ -0,0 +1,45 @@
+{
+  "tools": [
+    {
+      "name": "capture_memory_feedback",
+      "description": "Capture success/failure feedback to harden future workflows and prevent repeated mistakes.",
+      "input_schema": {
+        "type": "object",
+        "properties": {
+          "signal": { "type": "string", "enum": ["up", "down"], "description": "Success (up) or failure (down) signal" },
+          "context": { "type": "string", "description": "Specific detail about what was achieved or what went wrong" },
+          "what_went_wrong": { "type": "string" },
+          "what_to_change": { "type": "string" },
+          "what_worked": { "type": "string" },
+          "tags": { "type": "array", "items": { "type": "string" }, "description": "Keywords like 'revenue', 'deployment', 'refactor'" }
+        },
+        "required": ["signal", "context"]
+      }
+    },
+    {
+      "name": "get_reliability_rules",
+      "description": "Retrieve active prevention rules and success patterns to ensure high-quality task execution."
+    },
+    {
+      "name": "get_business_metrics",
+      "description": "Retrieve canonical business metrics (Revenue, Conversion, Customers) from the Reliability Gateway.",
+      "input_schema": {
+        "type": "object",
+        "properties": {
+          "window": { "type": "string", "enum": ["today", "7d", "30d", "lifetime"], "default": "30d" }
+        }
+      }
+    },
+    {
+      "name": "describe_reliability_entity",
+      "description": "Get the definition and state of a business entity (Customer, Revenue, Funnel).",
+      "input_schema": {
+        "type": "object",
+        "properties": {
+          "type": { "type": "string", "enum": ["Customer", "Revenue", "Funnel"] }
+        },
+        "required": ["type"]
+      }
+    }
+  ]
+}

package/plugins/opencode-profile/INSTALL.md

@@ -0,0 +1,57 @@
+# OpenCode: ThumbGate MCP Profile Install
+
+This repo already ships a project-scoped `opencode.json` for local work inside the source tree.
+
+If you want the same MCP server in another OpenCode project or in your global OpenCode config, use the portable adapter profile below.
+
+## One-Command Install
+
+Create a global OpenCode config if you do not have one yet:
+
+```bash
+mkdir -p ~/.config/opencode
+cp adapters/opencode/opencode.json ~/.config/opencode/opencode.json
+```
+
+If you already have `~/.config/opencode/opencode.json`, merge in the `mcp.thumbgate` block from `adapters/opencode/opencode.json` instead of overwriting your config.
+
+## What Gets Added
+
+The portable profile adds this MCP server entry:
+
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "mcp": {
+    "rlhf": {
+      "type": "local",
+      "command": ["npx", "-y", "thumbgate@0.9.9", "serve"],
+      "enabled": true
+    }
+  }
+}
+```
+
+## Verify
+
+Run OpenCode in any project and confirm the `rlhf` MCP server is available:
+
+```bash
+opencode
+```
+
+For this repository specifically, the committed `opencode.json` also enables:
+
+- repo-local worktree-safe permissions
+- a read-only `rlhf-review` subagent in `.opencode/agents/rlhf-review.md`
+- concise workflow instructions in `.opencode/instructions/rlhf-workflow.md`
+
+## Requirements
+
+- OpenCode with MCP support
+- Node.js 18+ in PATH
+- `npx` available in PATH
+
+## Uninstall
+
+Remove the `mcp.thumbgate` entry from your OpenCode config.

package/public/blog.html

@@ -0,0 +1,400 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>ThumbGate Blog — Agent Governance Engineering</title>
+    <meta
+      name="description"
+      content="Technical breakdowns, release notes, and agent governance insights from the ThumbGate team."
+    />
+    <link
+      rel="canonical"
+      href="https://thumbgate-production.up.railway.app/blog"
+    />
+    <meta
+      property="og:title"
+      content="ThumbGate Blog — Agent Governance Engineering"
+    />
+    <meta
+      property="og:description"
+      content="Technical breakdowns, release notes, and agent governance insights from the ThumbGate team."
+    />
+    <meta property="og:type" content="website" />
+    <meta
+      property="og:url"
+      content="https://thumbgate-production.up.railway.app/blog"
+    />
+    <script type="application/ld+json">
+      {
+        "@context": "https://schema.org",
+        "@type": "Blog",
+        "name": "ThumbGate Blog",
+        "url": "https://thumbgate-production.up.railway.app/blog",
+        "publisher": { "@type": "Organization", "name": "Max Smith KDP LLC" },
+        "blogPost": [
+          {
+            "@type": "BlogPosting",
+            "headline": "The Claude Code Leak Proves Why Pre-Action Gates Matter",
+            "datePublished": "2026-04-01",
+            "keywords": "Claude Code security, Claude Code guardrails, AI agent safety, pre-action gates"
+          },
+          {
+            "@type": "BlogPosting",
+            "headline": "v0.8.5: Gate Reasoning Chains, Org Dashboard, and the Checkout Funnel That Didn't Exist",
+            "datePublished": "2026-03-31"
+          }
+        ]
+      }
+    </script>
+    <style>
+      :root {
+        --bg: #0a0a0a;
+        --surface: #141414;
+        --border: #2a2a2a;
+        --text: #e0e0e0;
+        --text-dim: #888;
+        --cyan: #00d4aa;
+      }
+      * {
+        margin: 0;
+        padding: 0;
+        box-sizing: border-box;
+      }
+      body {
+        font-family:
+          -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+        background: var(--bg);
+        color: var(--text);
+        line-height: 1.7;
+      }
+      .container {
+        max-width: 720px;
+        margin: 0 auto;
+        padding: 0 24px;
+      }
+      header {
+        padding: 24px 0;
+        border-bottom: 1px solid var(--border);
+      }
+      header a {
+        color: var(--cyan);
+        text-decoration: none;
+        font-weight: 600;
+      }
+      h1 {
+        font-size: 18px;
+        font-weight: 700;
+      }
+      .post {
+        padding: 48px 0;
+        border-bottom: 1px solid var(--border);
+      }
+      .post-date {
+        font-size: 13px;
+        color: var(--text-dim);
+        margin-bottom: 8px;
+      }
+      .post h2 {
+        font-size: 24px;
+        font-weight: 700;
+        margin-bottom: 16px;
+        letter-spacing: -0.02em;
+      }
+      .post h3 {
+        font-size: 18px;
+        font-weight: 600;
+        margin: 24px 0 8px;
+      }
+      .post p {
+        margin-bottom: 16px;
+        color: var(--text-dim);
+      }
+      .post ul {
+        margin: 0 0 16px 24px;
+        color: var(--text-dim);
+      }
+      .post li {
+        margin-bottom: 6px;
+      }
+      .post code {
+        background: var(--surface);
+        padding: 2px 6px;
+        border-radius: 4px;
+        font-size: 14px;
+      }
+      .post strong {
+        color: var(--text);
+      }
+      .cta {
+        display: inline-block;
+        margin-top: 16px;
+        padding: 10px 20px;
+        background: var(--cyan);
+        color: #000;
+        border-radius: 6px;
+        text-decoration: none;
+        font-weight: 600;
+        font-size: 14px;
+      }
+      footer {
+        padding: 48px 0 24px;
+        text-align: center;
+        color: var(--text-dim);
+        font-size: 13px;
+      }
+      footer a {
+        color: var(--cyan);
+        text-decoration: none;
+      }
+    </style>
+  </head>
+  <body>
+    <header>
+      <div
+        class="container"
+        style="
+          display: flex;
+          justify-content: space-between;
+          align-items: center;
+        "
+      >
+        <h1><a href="/">ThumbGate</a> / Blog</h1>
+        <a href="/">Back to home</a>
+      </div>
+    </header>
+
+    <div class="container">
+      <article class="post">
+        <div class="post-date">April 1, 2026</div>
+        <h2>Dual-Signal Feedback: Why "What Failed" Isn't Enough</h2>
+
+        <p>
+          Standard thumbs-down tells you <em>something</em> went wrong. But was
+          it a bad decision (wrong tool) or bad execution (right tool, wrong
+          parameters)?
+        </p>
+
+        <p>
+          Inspired by
+          <a
+            href="https://huggingface.co/papers/2603.28767"
+            style="color: var(--cyan)"
+            >Gen-Searcher's dual reward system</a
+          >, ThumbGate now supports an optional <code>failureType</code> field
+          on <code>capture_feedback</code>:
+        </p>
+
+        <ul>
+          <li>
+            <strong><code>"decision"</code></strong> — the agent chose the wrong
+            action entirely
+          </li>
+          <li>
+            <strong><code>"execution"</code></strong> — right action, bad
+            parameters or output
+          </li>
+        </ul>
+
+        <p>
+          Thompson Sampling creates separate sub-arms (e.g.,
+          <code>git:decision</code> and <code>git:execution</code>) so
+          reliability scores diverge per dimension. An agent might be great at
+          choosing git commands but bad at parameterizing them — now you can see
+          that distinction.
+        </p>
+
+        <p>
+          Backward compatible. Existing feedback without
+          <code>failureType</code> works unchanged.
+        </p>
+
+        <a class="cta" href="https://www.npmjs.com/package/thumbgate"
+          >Try it now</a
+        >
+      </article>
+
+      <article class="post">
+        <div class="post-date">April 1, 2026</div>
+        <h2>The Claude Code Leak Proves Why Pre-Action Gates Matter</h2>
+
+        <p>
+          Anthropic accidentally shipped 512,000 lines of Claude Code source
+          inside an npm package. A missing <code>.npmignore</code> exposed the
+          full agent architecture: tool-call loops, permission models, retry
+          logic, 44 unreleased feature flags.
+        </p>
+
+        <p>
+          Within 24 hours, a clean rewrite called Claw-code hit 100K GitHub
+          stars — the fastest-growing repo in GitHub history.
+        </p>
+
+        <h3>What the leak revealed about agent security</h3>
+        <p>
+          Claude Code has a sophisticated permission model and tool-calling
+          pipeline. What it does <strong>not</strong> have is feedback-driven
+          enforcement — the ability to learn from past mistakes and physically
+          block the agent from repeating them.
+        </p>
+
+        <p>
+          That's exactly what ThumbGate does. Every Claude Code user — and every
+          Claw-code user — can add pre-action gates today:
+        </p>
+
+        <ul>
+          <li>
+            <strong>Thumbs-down a mistake</strong> — it auto-generates a
+            prevention rule
+          </li>
+          <li>
+            <strong>Gates enforce</strong> — PreToolUse hooks block the action
+            before execution
+          </li>
+          <li>
+            <strong>Reasoning chains explain</strong> — every block tells you
+            WHY
+          </li>
+          <li>
+            <strong>Thompson Sampling adapts</strong> — confidence tiers prevent
+            false blocks
+          </li>
+        </ul>
+
+        <h3>Install in 30 seconds</h3>
+        <p>
+          <code>npx thumbgate init</code> works with Claude Code,
+          Claw-code, Cursor, Codex, Gemini, Amp, and any MCP-compatible agent.
+        </p>
+
+        <p>
+          The leak proves agents are powerful but fallible software. Memory
+          without enforcement is a suggestion.
+          <strong>ThumbGate is a guarantee.</strong>
+        </p>
+
+        <a class="cta" href="https://www.npmjs.com/package/thumbgate"
+          >Install ThumbGate</a
+        >
+      </article>
+
+      <article class="post">
+        <div class="post-date">March 31, 2026</div>
+        <h2>
+          v0.8.5: Gate Reasoning Chains, Org Dashboard, and the Checkout Funnel
+          That Didn't Exist
+        </h2>
+
+        <p>
+          ThumbGate v0.8.5 is our biggest release yet. Here's what shipped and
+          why.
+        </p>
+
+        <h3>The problem we didn't see</h3>
+        <p>
+          ~1,700 developers install ThumbGate via npm every month.
+          <strong>Zero of them ever saw a checkout button.</strong> They find
+          the GitHub README, run <code>npx thumbgate init</code>, use
+          it for free, and never visit the landing page. The checkout flow
+          nobody reaches is irrelevant. We were optimizing a storefront in a
+          building with no door.
+        </p>
+
+        <h3>Gate reasoning chains</h3>
+        <p>
+          Every gate block and warning now explains <strong>WHY</strong> it
+          fired. When ThumbGate blocks a <code>git push --force</code>, the
+          response includes:
+        </p>
+        <ul>
+          <li>Which pattern matched and what it matched against</li>
+          <li>Gate identity: ID, action, layer, severity</li>
+          <li>Source: manual policy rule vs auto-promoted from feedback</li>
+          <li>
+            How to bypass: <code>satisfy_gate("pr_threads_checked")</code>
+          </li>
+          <li>Historical fire count: "blocked 23x, warned 15x"</li>
+        </ul>
+        <p>
+          This was inspired by the neuro-symbolic explainability trend in
+          production AI systems. Gates are the symbolic rules; Thompson Sampling
+          provides the statistical confidence. The reasoning chain bridges both.
+        </p>
+
+        <h3>Multi-agent org dashboard</h3>
+        <p>
+          "I'm not going to have 10,000 agents running in the environment that I
+          don't know what they're doing." — CIO.com, March 2026
+        </p>
+        <p>
+          The new <code>org_dashboard</code> MCP tool aggregates gate decisions
+          across all registered agent sessions. CIOs and team leads see: total
+          active agents, org-wide adherence rate, top blocked gates, and risk
+          agents (those with the lowest adherence). Free tier shows 3 agents;
+          Pro shows the full org.
+        </p>
+
+        <h3>Multi-hop agentic retrieval</h3>
+        <p>
+          Inspired by Chroma's Context-1,
+          <code>constructMultiHopPack</code> iteratively retrieves context,
+          prunes weak chunks, refines the query with expansion terms, and checks
+          coverage — stopping when the coverage threshold (60%) is met or max
+          hops are reached. Each hop is logged.
+        </p>
+
+        <h3>Thompson Sampling calibration</h3>
+        <p>
+          <code>MIN_SAMPLES_THRESHOLD</code> (5) prevents low-sample
+          overconfidence. <code>getCalibration()</code> reports per-category
+          confidence tiers: none (0 samples), low (1-4), medium (5-19), high
+          (20+). Callers know when to trust the statistical arm vs fall back to
+          rules.
+        </p>
+
+        <h3>The funnel fix</h3>
+        <p>
+          Four touchpoints now put the checkout URL where 100% of npm users
+          actually are:
+        </p>
+        <ul>
+          <li>
+            <strong>Post-install banner</strong> — prints after
+            <code>npm install</code> (stderr, CI-safe)
+          </li>
+          <li>
+            <strong>Free-tier rate limits</strong> — power features capped,
+            upgrade URL in error
+          </li>
+          <li>
+            <strong>MCP enforceLimit</strong> — agents surface the checkout URL
+            when limits hit
+          </li>
+          <li>
+            <strong>CLI upgrade nudge</strong> — after <code>init</code>,
+            <code>capture</code>, <code>stats</code>
+          </li>
+        </ul>
+        <p>
+          13 funnel invariant CI tests prevent this blindspot from ever
+          regressing.
+        </p>
+
+        <a class="cta" href="https://www.npmjs.com/package/thumbgate"
+          >Install v0.8.5 on npm</a
+        >
+      </article>
+    </div>
+
+    <footer>
+      <div class="container">
+        <a href="/">Home</a> ·
+        <a href="https://github.com/IgorGanapolsky/ThumbGate">GitHub</a> ·
+        <a href="https://x.com/IgorGanapolsky">X</a> ·
+        <a href="https://www.linkedin.com/in/igorganapolsky">LinkedIn</a>
+        <br /><br />© 2026 Max Smith KDP LLC · MIT License
+      </div>
+    </footer>
+  </body>
+</html>