thumbgate 1.16.2 → 1.16.4

package/.claude-plugin/marketplace.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate-marketplace",
-  "version": "1.16.2",
+  "version": "1.16.4",
   "owner": {
     "name": "Igor Ganapolsky",
     "email": "ig5973700@gmail.com"
@@ -13,7 +13,7 @@
         "source": "npm",
         "package": "thumbgate"
       },
-      "version": "1.16.2",
+      "version": "1.16.4",
       "author": {
         "name": "Igor Ganapolsky"
       },

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "thumbgate",
   "description": "Type 👍 or 👎 on any agent action. ThumbGate captures it, distills a lesson, and blocks the pattern from repeating. One thumbs-down = the agent physically cannot make that mistake again. 33 pre-action checks, budget enforcement, self-protection, and NIST/SOC2 compliance tags.",
-  "version": "1.16.2",
+  "version": "1.16.4",
   "author": {
     "name": "Igor Ganapolsky"
   },

package/.well-known/mcp/server-card.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate",
-  "version": "1.16.2",
+  "version": "1.16.4",
   "description": "ThumbGate — 👍👎 feedback that teaches your AI agent. Thumbs down a mistake, it never happens again.",
   "homepage": "https://thumbgate-production.up.railway.app",
   "transport": "stdio",

package/adapters/claude/.mcp.json

@@ -2,13 +2,13 @@
   "mcpServers": {
     "thumbgate": {
       "command": "npx",
-      "args": ["--yes", "--package", "thumbgate@1.16.2", "thumbgate", "serve"]
+      "args": ["--yes", "--package", "thumbgate@1.16.4", "thumbgate", "serve"]
     }
   },
   "hooks": {
     "preToolUse": {
       "command": "npx",
-      "args": ["--yes", "--package", "thumbgate@1.16.2", "thumbgate", "gate-check"]
+      "args": ["--yes", "--package", "thumbgate@1.16.4", "thumbgate", "gate-check"]
     }
   }
 }

package/adapters/mcp/server-stdio.js

@@ -201,7 +201,7 @@ const {
   finalizeSession: finalizeFeedbackSession,
 } = require('../../scripts/feedback-session');
 
-const SERVER_INFO = { name: 'thumbgate-mcp', version: '1.16.2' };
+const SERVER_INFO = { name: 'thumbgate-mcp', version: '1.16.4' };
 const COMMERCE_CATEGORIES = [
   'product_recommendation',
   'brand_compliance',

package/adapters/opencode/opencode.json

@@ -7,7 +7,7 @@
         "npx",
         "--yes",
         "--package",
-        "thumbgate@1.16.2",
+        "thumbgate@1.16.4",
         "thumbgate",
         "serve"
       ],

package/config/github-about.json

@@ -2,8 +2,8 @@
   "repo": "IgorGanapolsky/ThumbGate",
   "repositoryUrl": "https://github.com/IgorGanapolsky/ThumbGate",
   "homepageUrl": "https://thumbgate-production.up.railway.app",
-  "githubDescription": "Self-improving agent governance: 👍/👎 → Pre-Action Checks that block repeat AI mistakes. Stop paying for the same mistake twice.",
-  "metaDescription": "Stop paying for the same AI mistake twice. ThumbGate is the enforcement layer for AI agent orchestration: 👍 thumbs up and 👎 thumbs down become history-aware lessons, shared lessons and org visibility, plus Pre-Action Checks that block repeat mistakes before the next tool call across Claude Code, Cursor, Codex, Gemini, Amp, Cline, and OpenCode.",
+  "githubDescription": "Agent governance for ThumbGate: 👍/👎 become Pre-Action Checks that block repeat mistakes before code, money, or customer systems change.",
+  "metaDescription": "Stop paying for the same AI mistake twice. ThumbGate is machine-speed pre-action defense for AI coding agents: 👍 thumbs up and 👎 thumbs down become history-aware lessons, shared lessons and org visibility, actionable remediations, agent surface inventory, and Pre-Action Checks that block repeat mistakes before the next tool call across Claude Code, Cursor, Codex, Gemini, Amp, Cline, and OpenCode.",
   "topics": [
     "thumbgate",
     "pre-action-checks",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate",
-  "version": "1.16.2",
+  "version": "1.16.4",
   "description": "Self-improving agent governance: type thumbs-up or thumbs-down on any AI agent action. ThumbGate turns every mistake into a prevention rule and blocks the pattern from repeating. One thumbs-down, never again. 33 pre-action checks, budget enforcement, and self-protection for Claude Code, Cursor, Codex, Gemini CLI, and Amp.",
   "homepage": "https://thumbgate-production.up.railway.app",
   "repository": {
@@ -59,6 +59,7 @@
     "scripts/audit-trail.js",
     "scripts/auto-promote-gates.js",
     "scripts/auto-wire-hooks.js",
+    "scripts/background-agent-governance.js",
     "scripts/bayes-optimal-gate.js",
     "scripts/belief-update.js",
     "scripts/billing.js",
@@ -344,7 +345,7 @@
     "test:training-export": "node --test tests/training-export.test.js tests/databricks-export.test.js",
     "test:deployment": "node --test tests/deployment.test.js tests/deploy-policy.test.js tests/publish-decision.test.js tests/changeset-check.test.js tests/release-notes.test.js tests/sonarcloud-workflow.test.js tests/package-boundary.test.js tests/public-package-boundary.test.js tests/revenue-observability-workflow.test.js",
     "test:operational-integrity": "node --test tests/operational-integrity.test.js tests/sync-branch-protection.test.js",
-    "test:workflow": "node --test tests/workflow-contract.test.js tests/social-marketing-assets.test.js tests/social-pipeline.test.js tests/positioning-contract.test.js tests/docs-claim-hygiene.test.js tests/thumbgate-scope.test.js tests/workflow-runs.test.js tests/workflow-sprint-intake.test.js tests/gtm-revenue-loop.test.js tests/aiventyx-marketplace-plan.test.js tests/sales-pipeline.test.js tests/enterprise-story.test.js tests/ralph-loop.test.js tests/ralph-mode-ci.test.js",
+    "test:workflow": "node --test tests/workflow-contract.test.js tests/social-marketing-assets.test.js tests/social-pipeline.test.js tests/positioning-contract.test.js tests/docs-claim-hygiene.test.js tests/thumbgate-scope.test.js tests/workflow-runs.test.js tests/workflow-sprint-intake.test.js tests/gtm-revenue-loop.test.js tests/aiventyx-marketplace-plan.test.js tests/sales-pipeline.test.js tests/reddit-dm-outreach.test.js tests/enterprise-story.test.js tests/ralph-loop.test.js tests/ralph-mode-ci.test.js",
     "test:sales-pipeline": "node --test tests/sales-pipeline.test.js",
     "test:billing": "node --test tests/billing.test.js tests/stripe-sync-product-images.test.js",
     "test:cli": "node --test tests/analytics-report.test.js tests/codex-self-heal.test.js tests/creator-campaigns.test.js tests/cli.test.js tests/codex-bridge-script.test.js tests/dependabot-changeset.test.js tests/dispatch-brief.test.js tests/feedback-normalize.test.js tests/install-mcp.test.js tests/pr-manager.test.js tests/pro-local-dashboard.test.js tests/published-cli.test.js tests/revenue-status.test.js tests/stripe-live-status.test.js",

package/public/dashboard.html

@@ -3,8 +3,8 @@
 <head>
 <meta charset="UTF-8">
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
-<title>ThumbGate Dashboard — Gate Stats, Approval Rate, Prevention Impact</title>
-<meta name="description" content="Live dashboard showing gate enforcement stats, approval rate trends, prevention impact, and system health for ThumbGate pre-action checks.">
+<title>ThumbGate Dashboard — Gate Stats, Agent Inventory, Remediations</title>
+<meta name="description" content="Live ThumbGate dashboard showing gate enforcement stats, agent surface inventory, actionable remediations, prevention impact, and system health for pre-action checks.">
 <link rel="canonical" href="https://thumbgate-production.up.railway.app/dashboard">
 <link rel="icon" type="image/png" href="/thumbgate-icon.png">
 <link rel="apple-touch-icon" href="/assets/brand/thumbgate-mark.svg">
@@ -123,6 +123,16 @@
   .team-note { font-size: 13px; color: var(--text-muted); margin-top: 6px; }
   .team-columns { display: grid; grid-template-columns: repeat(2, minmax(0, 1fr)); gap: 16px; }
   .risk-row, .blocked-row, .template-meta { display: flex; justify-content: space-between; gap: 12px; align-items: flex-start; }
+  .inventory-grid { display: grid; grid-template-columns: repeat(4, minmax(0, 1fr)); gap: 16px; margin-top: 16px; }
+  .inventory-card { background: var(--bg-card); border: 1px solid var(--border); border-radius: 12px; padding: 18px; }
+  .inventory-value { font-size: 22px; font-weight: 700; color: var(--cyan); letter-spacing: -0.03em; }
+  .inventory-note { font-size: 12px; color: var(--text-muted); margin-top: 6px; line-height: 1.5; }
+  .inventory-tools, .inventory-sources, .remediation-list { display: flex; flex-direction: column; gap: 10px; }
+  .inventory-row, .remediation-row { display: flex; justify-content: space-between; gap: 12px; align-items: flex-start; padding: 10px 0; border-bottom: 1px solid var(--border); }
+  .inventory-row:last-child, .remediation-row:last-child { border-bottom: none; }
+  .inventory-name, .remediation-name { font-size: 14px; font-weight: 600; }
+  .inventory-subtitle, .remediation-subtitle { font-size: 12px; color: var(--text-muted); line-height: 1.55; margin-top: 4px; }
+  .remediation-action { display: inline-flex; align-items: center; gap: 4px; font-size: 11px; border-radius: 999px; padding: 4px 10px; background: var(--bg-raised); color: var(--text-muted); border: 1px solid var(--border); white-space: nowrap; }
   .risk-row, .blocked-row { padding: 10px 0; border-bottom: 1px solid var(--border); }
   .risk-row:last-child, .blocked-row:last-child { border-bottom: none; }
   .risk-name, .blocked-name { font-size: 14px; font-weight: 600; }
@@ -183,7 +193,7 @@
   @media (max-width: 700px) {
     .stats-grid { grid-template-columns: repeat(2, 1fr); }
     .search-filters { flex-wrap: wrap; }
-    .team-grid, .template-grid, .team-columns, .settings-grid, .generated-grid { grid-template-columns: 1fr; }
+    .team-grid, .template-grid, .team-columns, .settings-grid, .generated-grid, .inventory-grid { grid-template-columns: 1fr; }
   }
 </style>
 </head>
@@ -329,6 +339,51 @@
         <h3>Predictive Watchlist</h3>
         <div id="predictiveAnomalies"><div class="loading">Loading predictive watchlist...</div></div>
       </div>
+      <div class="panel" style="margin-top:16px;">
+        <h3>Agent Surface Inventory</h3>
+        <p class="template-summary">See which tools, policy sources, and MCP surfaces are actually active before you widen rollout.</p>
+        <div class="inventory-grid" id="inventorySummaryCards"><div class="loading">Loading inventory...</div></div>
+        <div class="team-columns" style="margin-top:16px;">
+          <div class="panel">
+            <h3>Observed Tools</h3>
+            <div class="inventory-tools" id="inventoryObservedTools"><div class="loading">Loading observed tools...</div></div>
+          </div>
+          <div class="panel">
+            <h3>Policy Sources</h3>
+            <div class="inventory-sources" id="inventoryPolicySources"><div class="loading">Loading policy sources...</div></div>
+          </div>
+        </div>
+      </div>
+      <div class="panel" style="margin-top:16px;">
+        <h3>Background Agent Mode</h3>
+        <p class="template-summary">Queued and scheduled agents need explicit checkpoints before they touch code, money, or customer systems.</p>
+        <div class="inventory-grid" id="backgroundAgentSummaryCards"><div class="loading">Loading background-agent mode...</div></div>
+        <div class="team-columns" style="margin-top:16px;">
+          <div class="panel">
+            <h3>Governance Pressure</h3>
+            <div class="inventory-tools" id="backgroundAgentHighlights"><div class="loading">Loading background-agent governance...</div></div>
+          </div>
+          <div class="panel">
+            <h3>Run Types</h3>
+            <div class="inventory-sources" id="backgroundAgentRunTypes"><div class="loading">Loading background-agent run types...</div></div>
+          </div>
+        </div>
+      </div>
+      <div class="panel" style="margin-top:16px;">
+        <h3>Regulated Buyer Proof</h3>
+        <p class="template-summary">Show where policy came from, how many runs were reviewed, and which proof artifacts are ready when buyers ask for auditability.</p>
+        <div class="inventory-grid" id="regulatedProofSummaryCards"><div class="loading">Loading proof posture...</div></div>
+        <div class="team-columns" style="margin-top:16px;">
+          <div class="panel">
+            <h3>Policy Origin Proof</h3>
+            <div class="inventory-tools" id="regulatedProofDetails"><div class="loading">Loading policy origin proof...</div></div>
+          </div>
+          <div class="panel">
+            <h3>Latest Replay Artifacts</h3>
+            <div class="inventory-sources" id="regulatedProofArtifacts"><div class="loading">Loading replay artifacts...</div></div>
+          </div>
+        </div>
+      </div>
     </div>
   </div>
 
@@ -428,6 +483,12 @@
         </div>
       </div>
 
+      <div class="panel" style="margin-bottom:24px;">
+        <h3>Highest-ROI Next Actions</h3>
+        <p class="template-summary">These recommendations come from real feedback, risk patterns, and delegation pressure in your current runtime.</p>
+        <div class="remediation-list" id="actionableRemediations"><div class="loading">Loading next actions...</div></div>
+      </div>
+
       <!-- How It Works -->
       <div class="panel">
         <h3 style="margin-bottom:12px;">How ThumbGate Learns</h3>
@@ -907,9 +968,12 @@ function renderDashboardData(data) {
   }
 
   renderTeam(data.team || {}, data.analytics || {});
+  renderAgentInventory(data.agentSurfaceInventory || {});
+  renderBackgroundAgents(data.backgroundAgents || {});
   renderReviewDelta(data.reviewDelta || {});
   renderPredictive(data.predictive || {});
   renderSettingsStatus(data.settingsStatus || {});
+  renderRegulatedProof(data.regulatedProof || {});
   renderTemplates(data.templateLibrary || {});
   renderInsights(data);
 }
@@ -1202,6 +1266,135 @@ function renderPredictive(predictive) {
     : '<div class="empty" style="padding:20px 0;">No predictive anomalies right now.</div>';
 }
 
+function renderAgentInventory(inventory) {
+  var cards = [
+    {
+      label: 'MCP profile',
+      value: inventory.profile || 'unknown',
+      note: (inventory.tier || 'custom') + ' tier',
+    },
+    {
+      label: 'Observed tools',
+      value: String(inventory.observedToolCount || 0),
+      note: 'from decision + audit logs',
+    },
+    {
+      label: 'Policy sources',
+      value: String((inventory.policySources || []).length),
+      note: 'gates, scanners, or routers firing now',
+    },
+    {
+      label: 'Configured MCP servers',
+      value: String(inventory.configuredServerCount || 0),
+      note: 'from local .mcp.json',
+    }
+  ];
+
+  document.getElementById('inventorySummaryCards').innerHTML = cards.map(function(card) {
+    return '<div class="inventory-card"><div class="team-kicker">' + escHtml(card.label) + '</div><div class="inventory-value">' + escHtml(card.value) + '</div><div class="inventory-note">' + escHtml(card.note) + '</div></div>';
+  }).join('');
+
+  var tools = Array.isArray(inventory.observedTools) ? inventory.observedTools : [];
+  document.getElementById('inventoryObservedTools').innerHTML = tools.length
+    ? tools.map(function(tool) {
+      return '<div class="inventory-row"><div><div class="inventory-name">' + escHtml(tool.toolName || 'unknown') + '</div><div class="inventory-subtitle">' + escHtml((tool.evaluations || 0) + ' evals · ' + (tool.intercepted || 0) + ' intercepted · ' + (tool.allow || 0) + ' allowed') + '</div></div><span class="generated-badge">' + escHtml(String((tool.deny || 0) + ' deny / ' + (tool.warn || 0) + ' warn')) + '</span></div>';
+    }).join('')
+    : '<div class="empty" style="padding:20px 0;">No observed tools yet.</div>';
+
+  var sources = Array.isArray(inventory.policySources) ? inventory.policySources : [];
+  document.getElementById('inventoryPolicySources').innerHTML = sources.length
+    ? sources.map(function(source) {
+      return '<div class="inventory-row"><div><div class="inventory-name">' + escHtml(source.source || 'unknown') + '</div><div class="inventory-subtitle">Runtime policy source</div></div><span class="generated-badge">' + escHtml(String(source.count || 0) + ' events') + '</span></div>';
+    }).join('')
+    : '<div class="empty" style="padding:20px 0;">No policy sources recorded yet.</div>';
+}
+
+function renderBackgroundAgents(backgroundAgents) {
+  var cards = [
+    {
+      label: 'Background runs',
+      value: String(backgroundAgents.total || 0),
+      note: 'last ' + String(backgroundAgents.periodHours || 24) + ' hours',
+    },
+    {
+      label: 'Pass rate',
+      value: String(backgroundAgents.passRate || 0) + '%',
+      note: String(backgroundAgents.completed || 0) + ' completed / ' + String(backgroundAgents.failed || 0) + ' failed',
+    },
+    {
+      label: 'Gate pressure',
+      value: String(backgroundAgents.gatesBlocked || 0),
+      note: String(backgroundAgents.gatesChecked || 0) + ' checkpoints evaluated',
+    },
+    {
+      label: 'Checkpoint coverage',
+      value: String(Math.round((backgroundAgents.checkpointCoverage || 0) * 100)) + '%',
+      note: String(backgroundAgents.reviewedRuns || 0) + ' reviewed proof-backed runs',
+    }
+  ];
+
+  document.getElementById('backgroundAgentSummaryCards').innerHTML = cards.map(function(card) {
+    return '<div class="inventory-card"><div class="team-kicker">' + escHtml(card.label) + '</div><div class="inventory-value">' + escHtml(card.value) + '</div><div class="inventory-note">' + escHtml(card.note) + '</div></div>';
+  }).join('');
+
+  var highlights = [];
+  if (backgroundAgents.topFailingAgent) {
+    highlights.push('<div class="inventory-row"><div><div class="inventory-name">Top failing agent</div><div class="inventory-subtitle">' + escHtml(backgroundAgents.topFailingAgent.agentId || 'unknown') + '</div></div><span class="generated-badge">' + escHtml(String(backgroundAgents.topFailingAgent.passRate || 0) + '% pass') + '</span></div>');
+  }
+  highlights.push('<div class="inventory-row"><div><div class="inventory-name">Recommended operating mode</div><div class="inventory-subtitle">Use ' + escHtml(backgroundAgents.recommendedMode || 'bootstrapping') + ' when background agents queue code, money, or customer actions.</div></div><span class="generated-badge">' + escHtml(String(backgroundAgents.blocked || 0) + ' blocked') + '</span></div>');
+  document.getElementById('backgroundAgentHighlights').innerHTML = highlights.join('');
+
+  var runTypes = Object.keys(backgroundAgents.byType || {});
+  document.getElementById('backgroundAgentRunTypes').innerHTML = runTypes.length
+    ? runTypes.map(function(runType) {
+      return '<div class="inventory-row"><div><div class="inventory-name">' + escHtml(runType) + '</div><div class="inventory-subtitle">Observed background workflow type</div></div><span class="generated-badge">' + escHtml(String(backgroundAgents.byType[runType] || 0) + ' runs') + '</span></div>';
+    }).join('')
+    : '<div class="empty" style="padding:20px 0;">No background-agent runs recorded yet.</div>';
+}
+
+function renderRegulatedProof(regulatedProof) {
+  var cards = [
+    {
+      label: 'Policy origins',
+      value: String(regulatedProof.policyOriginCount || 0),
+      note: String(regulatedProof.activeLayerCount || 0) + ' active settings layers',
+    },
+    {
+      label: 'Reviewed runs',
+      value: String(regulatedProof.reviewedRuns || 0),
+      note: String(regulatedProof.proofBackedRuns || 0) + ' proof-backed runs tracked',
+    },
+    {
+      label: 'Decision records',
+      value: String(regulatedProof.decisionEvaluations || 0),
+      note: regulatedProof.appendOnlyAuditReady ? 'append-only audit trail live' : 'no decision audit yet',
+    },
+    {
+      label: 'Runtime isolation',
+      value: regulatedProof.runtimeIsolation ? 'on' : 'off',
+      note: 'containerized execution posture',
+    }
+  ];
+
+  document.getElementById('regulatedProofSummaryCards').innerHTML = cards.map(function(card) {
+    return '<div class="inventory-card"><div class="team-kicker">' + escHtml(card.label) + '</div><div class="inventory-value">' + escHtml(card.value) + '</div><div class="inventory-note">' + escHtml(card.note) + '</div></div>';
+  }).join('');
+
+  var details = [];
+  if (regulatedProof.latestPolicyOrigin) {
+    details.push('<div class="inventory-row"><div><div class="inventory-name">' + escHtml(regulatedProof.latestPolicyOrigin.path || 'latest setting') + '</div><div class="inventory-subtitle">' + escHtml(regulatedProof.latestPolicyOrigin.sourcePath || 'built-in defaults') + '</div></div><span class="generated-badge">' + escHtml(String(regulatedProof.latestPolicyOrigin.scope || 'default')) + '</span></div>');
+  }
+  details.push('<div class="inventory-row"><div><div class="inventory-name">Checkpoint coverage</div><div class="inventory-subtitle">Reviewed proof-backed runs divided by total proof-backed workflow runs.</div></div><span class="generated-badge">' + escHtml(String(Math.round((regulatedProof.checkpointCoverage || 0) * 100)) + '%') + '</span></div>');
+  document.getElementById('regulatedProofDetails').innerHTML = details.join('');
+
+  var artifacts = Array.isArray(regulatedProof.latestProofArtifacts) ? regulatedProof.latestProofArtifacts : [];
+  document.getElementById('regulatedProofArtifacts').innerHTML = artifacts.length
+    ? artifacts.map(function(artifact) {
+      return '<div class="inventory-row"><div><div class="inventory-name">' + escHtml(artifact) + '</div><div class="inventory-subtitle">Proof artifact from ' + escHtml(regulatedProof.latestWorkflowName || 'latest workflow run') + '</div></div><span class="generated-badge">replay-ready</span></div>';
+    }).join('')
+    : '<div class="empty" style="padding:20px 0;">No workflow replay artifacts recorded yet.</div>';
+}
+
 function renderTemplates(templateLibrary) {
   const templates = Array.isArray(templateLibrary.templates) ? templateLibrary.templates : [];
   const categories = templateLibrary.categories || {};
@@ -1370,6 +1563,39 @@ function loadDemo() {
       { type: 'creator_underperformance', message: 'Creator reach_vb is generating intent without revenue conversion.', severity: 'warning' }
     ]
   });
+  renderAgentInventory({
+    profile: 'default',
+    tier: 'builder',
+    configuredServerCount: 3,
+    observedToolCount: 4,
+    observedTools: [
+      { toolName: 'Bash', evaluations: 120, intercepted: 19, allow: 101, deny: 12, warn: 7 },
+      { toolName: 'Edit', evaluations: 64, intercepted: 6, allow: 58, deny: 2, warn: 4 },
+      { toolName: 'Read', evaluations: 42, intercepted: 0, allow: 42, deny: 0, warn: 0 }
+    ],
+    policySources: [
+      { source: 'gates-engine', count: 23 },
+      { source: 'secret-guard', count: 6 },
+      { source: 'workflow-sentinel', count: 4 }
+    ]
+  });
+  renderActionableRemediations([
+    {
+      title: 'tighten verification before response · recent-signals',
+      rationale: 'Recent approval rate has dropped below the lifetime baseline, so fast completion claims need tighter proof.',
+      action: 'tighten-verification-before-response',
+    },
+    {
+      title: 'audit domain failures · git-workflow',
+      rationale: 'Git workflow events are overrepresented in high-risk outcomes and deserve a stronger pre-action gate.',
+      action: 'audit-domain-failures',
+    },
+    {
+      title: 'review and update skill · github',
+      rationale: 'GitHub-related failures have crossed the negative-rate threshold, so the skill needs a correction pass.',
+      action: 'review-and-update-skill',
+    }
+  ]);
   renderSettingsStatus({
     activeLayers: [
       { scope: 'defaults', exists: true, leafCount: 7, sourcePath: null },
@@ -1412,6 +1638,58 @@ function loadDemo() {
     ]
   });
   renderGeneratedView(buildDemoGeneratedViewSpec(currentGeneratedView));
+  renderInsights({
+    gateStats: { blocked: 180 },
+    tokenSavings: {
+      dollarsSaved: 0,
+      dollarsSavedDisplay: '$0.00',
+      tokensSavedDisplay: '0',
+      blockedCalls: 0,
+      modelMix: { 'sonnet-4.5': 0.8, 'opus-4.6': 0.15, 'haiku-4.5': 0.05 },
+      blendedPricePer1M: { input: 6.2, output: 24.1 }
+    },
+    lessonPipeline: {
+      stages: [
+        { id: 'feedback', label: 'Feedback Signals', count: 297, detail: '37 up / 260 down' },
+        { id: 'lessons', label: 'Lessons Distilled', count: 94, detail: '72 mistakes / 22 good patterns' },
+        { id: 'gates', label: 'Gates Promoted', count: 21, detail: '22% of lessons become gates' },
+        { id: 'blocked', label: 'Actions Blocked', count: 180, detail: 'Repeat mistakes prevented' }
+      ],
+      rates: { feedbackToLesson: 32, lessonToGate: 22 }
+    },
+    feedbackTimeSeries: {
+      days: Array.from({ length: 30 }, function(_, index) {
+        return {
+          dayKey: '2026-04-' + String(index + 1).padStart(2, '0'),
+          up: index % 6 === 0 ? 2 : (index % 4 === 0 ? 1 : 0),
+          down: 3 + (index % 5),
+          lessons: index % 3 === 0 ? 2 : 1
+        };
+      })
+    },
+    gateAudit: {
+      days: Array.from({ length: 14 }, function(_, index) {
+        return {
+          dayKey: '2026-04-' + String(index + 10).padStart(2, '0'),
+          allow: 8 + (index % 3),
+          deny: 2 + (index % 2),
+          warn: index % 3
+        };
+      })
+    },
+    actionableRemediations: [
+      {
+        title: 'tighten verification before response · recent-signals',
+        rationale: 'Recent approval rate has dropped below the lifetime baseline, so fast completion claims need tighter proof.',
+        action: 'tighten-verification-before-response'
+      },
+      {
+        title: 'audit domain failures · git-workflow',
+        rationale: 'Git workflow events are overrepresented in high-risk outcomes and deserve a stronger pre-action gate.',
+        action: 'audit-domain-failures'
+      }
+    ]
+  });
 }
 
 // Auto-load demo on first visit so visitors see the product immediately
@@ -1461,6 +1739,23 @@ function renderInsights(data) {
   renderFeedbackTrendChart(data.feedbackTimeSeries || {});
   renderLessonTrendChart(data.feedbackTimeSeries || {});
   renderGateAuditChartFromData(data.gateAudit || {});
+  renderActionableRemediations(data.actionableRemediations || []);
+}
+
+function renderActionableRemediations(remediations) {
+  var list = document.getElementById('actionableRemediations');
+  if (!list) return;
+  if (!Array.isArray(remediations) || !remediations.length) {
+    list.innerHTML = '<div class="empty" style="padding:20px 0;">No remediation pressure yet. As feedback accumulates, ThumbGate will rank the next highest-ROI fixes here.</div>';
+    return;
+  }
+
+  list.innerHTML = remediations.map(function(item) {
+    var title = item.title || ((item.action || 'review') + ' · ' + (item.target || 'system'));
+    var subtitle = item.rationale || '';
+    var action = item.action || 'review';
+    return '<div class="remediation-row"><div><div class="remediation-name">' + escHtml(title) + '</div><div class="remediation-subtitle">' + escHtml(subtitle) + '</div></div><span class="remediation-action">' + escHtml(String(action).replace(/-/g, ' ')) + '</span></div>';
+  }).join('');
 }
 
 /**

package/public/index.html

@@ -24,7 +24,7 @@ __GOOGLE_SITE_VERIFICATION_META__
 <link rel="apple-touch-icon" href="/assets/brand/thumbgate-mark.svg">
 <meta property="og:image" content="/og.png">
 <title>ThumbGate — Stop paying for the same AI mistake twice</title>
-<meta name="description" content="Stop paying for the same AI mistake twice. ThumbGate is the enforcement layer for AI agent orchestration: 👍 thumbs up and 👎 thumbs down become history-aware lessons, shared lessons and org visibility, plus Pre-Action Checks that block repeat mistakes before the next tool call across Claude Code, Cursor, Codex, Gemini, Amp, Cline, and OpenCode.">
+<meta name="description" content="Stop paying for the same AI mistake twice. ThumbGate is machine-speed pre-action defense for AI coding agents: 👍 thumbs up and 👎 thumbs down become history-aware lessons, shared lessons and org visibility, actionable remediations, agent surface inventory, and Pre-Action Checks that block repeat mistakes before the next tool call across Claude Code, Cursor, Codex, Gemini, Amp, Cline, and OpenCode.">
 <meta property="og:title" content="ThumbGate — Stop paying for the same AI mistake twice">
 <meta property="og:description" content="Frontier LLMs are expensive, opaque, and unreliable in production. ThumbGate gates risky agent actions before they run: workflow shape, inspection evidence, token budget, and repeated-failure memory in one pre-action check.">
 <meta property="og:type" content="website">
@@ -53,7 +53,7 @@ __GA_BOOTSTRAP__
   "@type": "SoftwareApplication",
   "name": "ThumbGate",
   "alternateName": "thumbgate",
-  "description": "ThumbGate stops you from paying for the same AI mistake twice. Frontier LLMs are expensive, opaque, and unreliable in production — every repeated hallucination, retry loop, or known-bad tool call burns more tokens. ThumbGate's Pre-Action Checks inspect workflow shape, environment evidence, budget, and repeated-failure memory before the action runs. Works with Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode, and any MCP-compatible agent.",
+  "description": "ThumbGate stops you from paying for the same AI mistake twice. It is machine-speed pre-action defense for coding agents: thumbs-up/down feedback becomes history-aware lessons, shared lessons and org visibility, actionable remediations, agent surface inventory, and Pre-Action Checks that inspect workflow shape, environment evidence, budget, and repeated-failure memory before the next tool call across Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode, and any MCP-compatible agent.",
   "applicationCategory": "DeveloperApplication",
   "operatingSystem": "Cross-platform, Node.js >=18.18.0",
   "license": "https://opensource.org/licenses/MIT",
@@ -70,7 +70,9 @@ __GA_BOOTSTRAP__
     "Prevent expensive AI mistakes — catch bad commands, destructive database actions, unsafe publishes, and risky API calls before execution",
     "Make AI stop repeating mistakes — thumbs-down feedback becomes history-aware lessons and Pre-Action Checks",
     "Turn AI into a reliable operator — checkpoint risky actions, enforce safe patterns, and keep proof of what changed",
-    "ThumbGate GPT for ChatGPT — check proposed agent actions, capture thumbs-up/down lessons, and route users into local enforcement",
+    "Agent surface inventory — see which tools, MCP surfaces, and policy sources are actually active before rollout",
+    "Actionable remediations — rank the next highest-ROI fixes from real feedback and risk pressure",
+    "ThumbGate GPT for ChatGPT — preflight risky commands, refunds, deploys, and PR actions, capture typed thumbs-up/down lessons, and route users into local enforcement",
     "Workflow Sentinel — score blast radius before PR, merge, release, and publish actions fire",
     "Workflow architecture checks — distinguish predefined workflows, parallel fan-out, and open-ended agents before execution",
     "Environment inspection evidence — require read-before-write, screenshots, API response checks, tests, or output validation for open-ended agent loops",
@@ -572,9 +574,9 @@ __GA_BOOTSTRAP__
 <section class="hero">
   <div class="container">
     <div class="hero-thumbs">👍👎</div>
-    <div class="hero-badge">● Your AI coding bill has a leak</div>
+    <div class="hero-badge">● Machine-speed pre-action defense for coding agents</div>
     <h1>Stop paying $ for the same AI mistake.</h1>
-    <p style="font-size:18px;color:var(--text-muted);max-width:720px;margin:0 auto 20px;line-height:1.6;">Every retry loop, every hallucinated import, every "let me try a different approach" — those are billable tokens on every LLM vendor's bill. Thumbs-down once; ThumbGate blocks that exact mistake on every future call. Across Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode — any MCP-compatible agent, forever, including fast-moving vibe coding workflows.</p>
+    <p style="font-size:18px;color:var(--text-muted);max-width:720px;margin:0 auto 20px;line-height:1.6;">Every retry loop, every hallucinated import, every "let me try a different approach" — those are billable tokens on every LLM vendor's bill. ThumbGate is machine-speed pre-action defense: thumbs-down once, block that exact mistake on every future call, surface the next highest-ROI remediation, and show which agent surfaces are actually active before rollout. Across Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode — any MCP-compatible agent, forever, including fast-moving vibe coding workflows.</p>
     <p style="font-size:15px;color:var(--text-dim);max-width:760px;margin:0 auto 24px;line-height:1.6;">As desktop agents move into parallel sessions, terminals, and production workflows, ThumbGate checks the thing benchmarks miss: is this next action a known workflow, an open-ended agent, a costly fan-out, or a blind tool call with no way to verify it worked?</p>
 
     <!-- HERO PRICING CARD — visible in first viewport so $19/mo and $149/yr never get buried -->
@@ -611,12 +613,12 @@ __GA_BOOTSTRAP__
         <span style="display:inline-flex;align-items:center;gap:6px;color:#4ade80;"><span style="width:6px;height:6px;border-radius:50%;background:#4ade80;box-shadow:0 0 8px #4ade80;animation:pulse 1.6s ease-in-out infinite;"></span>enforcing</span>
       </div>
       <div style="font-size:13px;color:var(--text-muted);margin-bottom:4px;">💸 Tokens saved — since install (Sonnet-blended, conservative)</div>
-      <div id="hero-savings-counter" data-target="1247.82" style="font-size:44px;font-weight:700;color:#4ade80;letter-spacing:-0.02em;line-height:1;margin-bottom:18px;">$0.00</div>
+      <div id="hero-savings-counter" data-target="0" style="font-size:44px;font-weight:700;color:#4ade80;letter-spacing:-0.02em;line-height:1;margin-bottom:18px;">$0.00</div>
       <div style="font-size:12px;line-height:1.8;border-top:1px solid rgba(255,255,255,0.06);padding-top:12px;">
         <div style="color:#4ade80;">✅ check:no-force-push — blocked 12×</div>
         <div style="color:#4ade80;">✅ check:no-hallucinated-import — blocked 8×</div>
         <div style="color:#f87171;">❌ check:no-drop-prod — FIRED · saved ~$3.40</div>
-        <div style="color:var(--text-muted);font-size:11px;margin-top:8px;">Sample shown. Your own dashboard tracks live feedback log + blocked calls from day one. <span style="color:var(--cyan);">Open dashboard →</span></div>
+        <div style="color:var(--text-muted);font-size:11px;margin-top:8px;">Sample shown. Your own dashboard tracks live feedback log, actionable remediations, and agent surface inventory from day one. <span style="color:var(--cyan);">Open dashboard →</span></div>
       </div>
     </a>
     <style>@keyframes pulse{0%,100%{opacity:1}50%{opacity:0.4}}</style>
@@ -632,7 +634,8 @@ __GA_BOOTSTRAP__
     </script>
     <div class="hero-signals">
       <a class="signal-pill signal-down" href="#how-it-works" title="See how check interception works">Block repeat hallucinations before the model sees them</a>
-      <a class="signal-pill signal-up" href="#how-it-works" title="See the one-thumbs-down enforcement loop">Thumbs-down once, blocked forever, across every agent</a>
+      <a class="signal-pill signal-up" href="/dashboard" title="See the remediation and inventory dashboard">Thumbs-down once, blocked forever</a>
+      <a class="signal-pill" href="/dashboard" title="See the remediation and inventory dashboard">Actionable remediations + agent surface inventory</a>
       <a class="signal-pill" href="#install" title="Install the CLI">CLI-first workflow governance with a live tokens-saved counter</a>
     </div>
     <p class="hero-persona" style="display:none">For consultancies, platform teams, and AI product teams with one workflow owner, one repeated failure, and one buyer who needs proof before a wider rollout.</p>
@@ -784,15 +787,15 @@ __GA_BOOTSTRAP__
   <div class="container">
     <div class="gpt-panel">
       <div class="section-label" style="text-align:left;">ChatGPT Entry Point · Live ThumbGate GPT for ChatGPT</div>
-      <h2>Open the GPT. Give typed thumbs feedback. Turn the lesson into a check.</h2>
-      <p>ThumbGate should meet users where they already ask AI for help. The live GPT is the lowest-friction way to capture a useful thumbs-up/down lesson, check a risky action, and prove the enforcement loop before installing anything. As ChatGPT ads roll out, this matters more: ChatGPT can stay the discovery and checkpointing layer, while ThumbGate remains the hard execution boundary after <code>npx thumbgate init</code>.</p>
+      <h2>Use the GPT as a preflight desk for risky commands, refunds, deploys, and PR actions.</h2>
+      <p>ThumbGate should meet users where they already ask AI for help. The live GPT is the fastest way to preflight a risky action, capture a typed thumbs-up/down lesson, and prove the enforcement loop before installing anything. As ChatGPT ads roll out, this matters more: ChatGPT can stay the discovery and checkpointing layer, while ThumbGate remains the hard execution boundary after <code>npx thumbgate init</code>.</p>
       <div class="gpt-steps">
         <div class="gpt-step">
-          <strong>1. Try the live GPT</strong>
-          <p>Paste a proposed command, file edit, merge, deploy, or API call and ask whether to allow, block, or checkpoint it.</p>
+          <strong>1. Open the live GPT</strong>
+          <p>Paste a proposed command, file edit, merge, deploy, refund, invoice, or API call and ask whether to allow, block, or checkpoint it.</p>
         </div>
         <div class="gpt-step">
-          <strong>2. Save the signal</strong>
+          <strong>2. Save the typed signal</strong>
           <p>Reply in chat with <code>thumbs up:</code> or <code>thumbs down:</code> plus one concrete sentence. Do not rely on ChatGPT's native rating buttons for ThumbGate memory.</p>
         </div>
         <div class="gpt-step">
@@ -805,7 +808,7 @@ __GA_BOOTSTRAP__
         <a href="https://github.com/IgorGanapolsky/ThumbGate/blob/main/adapters/chatgpt/INSTALL.md" class="btn-free" target="_blank" rel="noopener" style="display:inline-flex;align-items:center;padding:12px 20px;border-radius:8px;">ChatGPT Actions setup</a>
         <a href="/guides/chatgpt-ads-trust" class="btn-free" style="display:inline-flex;align-items:center;padding:12px 20px;border-radius:8px;">Why ChatGPT ads need checks</a>
       </div>
-      <p class="gpt-note"><strong>Plain English rule:</strong> ChatGPT is the discovery and memory surface for advice, checkpointing, and typed feedback capture. One typed signal becomes one remembered rule. The hard Reliability Gateway still runs in the local agent or CI lane.</p>
+      <p class="gpt-note"><strong>Find it fast:</strong> if the direct link does not open, go to <strong>Explore GPTs</strong>, search <code>ThumbGate</code>, and choose the GPT by Igor Ganapolsky in <strong>Programming</strong>. <strong>Plain English rule:</strong> ChatGPT is the discovery and memory surface for advice, checkpointing, and typed feedback capture. One typed signal becomes one remembered rule. The hard Reliability Gateway still runs in the local agent or CI lane.</p>
     </div>
   </div>
 </section>
@@ -857,7 +860,7 @@ __GA_BOOTSTRAP__
       </a>
       <a class="compat-card" href="/go/gpt?utm_source=website&utm_medium=compatibility&utm_campaign=chatgpt_gpt&cta_id=compat_open_gpt&cta_placement=compatibility" target="_blank" rel="noopener">
         <h3>💬 ChatGPT GPT Actions</h3>
-        <p>Open the ThumbGate GPT to check proposed AI actions, capture thumbs-up/down lessons, and get setup guidance. Real blocking for coding agents still runs locally after <code>npx thumbgate init</code>.</p>
+        <p>Open the ThumbGate GPT to preflight risky commands, deploys, refunds, PR actions, and setup steps, capture thumbs-up/down lessons, and save typed signals. Real blocking for coding agents still runs locally after <code>npx thumbgate init</code>.</p>
         <div class="card-arrow">Open ThumbGate GPT →</div>
       </a>
     </div>
@@ -1079,7 +1082,7 @@ __GA_BOOTSTRAP__
 <!-- HOW IT WORKS -->
 <section class="how-it-works" id="how-it-works">
   <div class="container">
-    <div class="section-label">New in v1.16.2</div>
+    <div class="section-label">New in v1.16.4</div>
     <h2 class="section-title">Three steps to stop repeated AI failures</h2>
     <div class="steps">
       <div class="step">
@@ -1439,7 +1442,7 @@ __GA_BOOTSTRAP__
       <a href="https://www.linkedin.com/in/igorganapolsky" target="_blank" rel="noopener">LinkedIn</a>
       <a href="/blog">Blog</a>
     </div>
-    <span class="footer-copy">© 2026 Max Smith KDP LLC · MIT License · v1.16.2</span>
+    <span class="footer-copy">© 2026 Max Smith KDP LLC · MIT License · v1.16.4</span>
   </div>
 </footer>