thumbgate 1.17.0 → 1.19.0

package/public/federal.html

@@ -0,0 +1,375 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+__GOOGLE_SITE_VERIFICATION_META__
+<title>ThumbGate for Federal Agencies | Auditable pre-action gates for AI coding agents</title>
+<meta name="description" content="ThumbGate is a pre-action enforcement layer for AI coding agents used inside federal agencies. Auditable agent behavior, agency-owned policy, vendor-neutral. Pilot-ready posture mapped to NIST 800-53 and OMB M-24-10.">
+<meta property="og:title" content="ThumbGate for Federal Agencies">
+<meta property="og:description" content="Auditable pre-action gates for AI coding agents inside federal agencies. Maps to NIST 800-53 (AC-3, AU-2/3/12, CM-3, IR-4, SI-4) and OMB M-24-10. Air-gapped deployment via ThumbGate-Core gov mode.">
+<meta property="og:type" content="website">
+<meta property="og:url" content="__APP_ORIGIN__/federal">
+<link rel="canonical" href="__APP_ORIGIN__/federal">
+<link rel="icon" type="image/png" href="/thumbgate-icon.png">
+<link rel="apple-touch-icon" href="/assets/brand/thumbgate-mark.svg">
+<meta property="og:image" content="/og.png">
+<meta name="keywords" content="ThumbGate federal, AI agent governance federal, NIST 800-53 AI agent, OMB M-24-10, EO 14110, FedRAMP AI coding agent, federal AI use case inventory, agent audit log, agency AI policy enforcement, Bedrock GovCloud, Azure Government AI, SBIR AI governance">
+
+<script defer data-domain="thumbgate-production.up.railway.app" src="https://plausible.io/js/script.js"></script>
+__GA_BOOTSTRAP__
+
+<script>
+  const gaMeasurementId = '__GA_MEASUREMENT_ID__';
+  const serverVisitorId = '__SERVER_VISITOR_ID__';
+  const serverSessionId = '__SERVER_SESSION_ID__';
+  const serverAcquisitionId = '__SERVER_ACQUISITION_ID__';
+  const serverTelemetryCaptured = '__SERVER_TELEMETRY_CAPTURED__' === 'true';
+</script>
+
+<script type="application/ld+json">
+{
+  "@context": "https://schema.org",
+  "@type": "SoftwareApplication",
+  "name": "ThumbGate for Federal Agencies",
+  "applicationCategory": "DeveloperApplication",
+  "operatingSystem": "Cross-platform, Node.js >=18.18.0",
+  "description": "Pre-action enforcement layer for AI coding agents used inside federal agencies. Produces auditable agent behavior evidence mapped to NIST 800-53 Rev 5 and OMB M-24-10. Vendor-neutral across Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode.",
+  "url": "__APP_ORIGIN__/federal",
+  "dateModified": "2026-05-13",
+  "creator": { "@type": "Person", "name": "Igor Ganapolsky", "url": "https://github.com/IgorGanapolsky" },
+  "audience": { "@type": "Audience", "audienceType": "Federal agency AI use-case owners, CIOs, CTOs, SBIR program managers, federal systems integrators" }
+}
+</script>
+
+<script type="application/ld+json">
+{
+  "@context": "https://schema.org",
+  "@type": "FAQPage",
+  "mainEntity": [
+    { "@type": "Question", "name": "Is ThumbGate FedRAMP authorized?", "acceptedAnswer": { "@type": "Answer", "text": "Not yet. ThumbGate has a pilot-ready posture and is targeting FedRAMP Low baseline via agency sponsorship. ThumbGate-Core gov mode supports on-prem and government cloud deployment for pilot work in research enclaves and innovation labs." } },
+    { "@type": "Question", "name": "Does ThumbGate require sending agency data to a public LLM?", "acceptedAnswer": { "@type": "Answer", "text": "No. ThumbGate-Core gov mode routes all model calls through Bedrock GovCloud or Azure Government. Air-gapped installs are supported with no telemetry and no auto-update. The enforcement engine itself runs locally and does not require any model call to make a gate decision." } },
+    { "@type": "Question", "name": "Which NIST 800-53 controls does ThumbGate produce evidence for?", "acceptedAnswer": { "@type": "Answer", "text": "AC-3, AC-6, AU-2, AU-3, AU-12, CM-3, CM-7, IR-4, RA-5, SI-4, and SI-7. Full mapping is published in the public docs/FEDERAL.md document on GitHub." } },
+    { "@type": "Question", "name": "How does ThumbGate align with OMB M-24-10?", "acceptedAnswer": { "@type": "Answer", "text": "Gate-decision telemetry produces a continuous AI use-case inventory required under §5(a). Pre-action evidence gates enforce minimum risk-management practices required under §5(c) for safety- and rights-impacting AI. Structured audit logs are exportable for the §5(d) annual disclosure cycle." } },
+    { "@type": "Question", "name": "Does using ThumbGate inside an agency affect open-source contributors?", "acceptedAnswer": { "@type": "Answer", "text": "No. Federal capabilities are an additive Core deployment profile, not a fork. The open-source ThumbGate that developers install from npm is byte-identical regardless of any federal work happening in ThumbGate-Core. Five architectural invariants protecting the dev product are pinned by regression tests." } },
+    { "@type": "Question", "name": "What does a pilot look like?", "acceptedAnswer": { "@type": "Answer", "text": "A 30-minute scoping call to identify one agent workflow inside the agency. ThumbGate-Core gov mode installed in an isolated environment. Two weeks of monitored gate decisions on a real workflow. A written report covering captured behavior, blocked actions, and NIST control evidence produced. No procurement vehicle required for Phase 0/1." } },
+    { "@type": "Question", "name": "Is there a federal RAG product?", "acceptedAnswer": { "@type": "Answer", "text": "Not yet, and not on speculation. RAG over agency policy or document corpora will be built when a pilot agency names a specific use case. The supporting pieces (vector store, embeddings, reranker, hallucination detector) already exist as agency-neutral building blocks." } }
+  ]
+}
+</script>
+
+<style>
+  *, *::before, *::after { box-sizing: border-box; }
+  :root {
+    --bg: #0a0a0b;
+    --bg-raised: #111113;
+    --bg-card: #161618;
+    --border: #232327;
+    --text: #ececf1;
+    --text-muted: #9a9aa6;
+    --cyan: #22d3ee;
+    --cyan-dim: rgba(34, 211, 238, 0.12);
+    --cyan-glow: rgba(34, 211, 238, 0.22);
+    --green: #4ade80;
+    --green-dim: rgba(74, 222, 128, 0.12);
+    --amber: #fbbf24;
+    --amber-dim: rgba(251, 191, 36, 0.12);
+    --red: #f87171;
+    --font: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Inter', Roboto, sans-serif;
+    --mono: 'SF Mono', 'Cascadia Code', 'JetBrains Mono', 'Fira Code', Consolas, monospace;
+  }
+  html { scroll-behavior: smooth; }
+  body {
+    margin: 0;
+    font-family: var(--font);
+    background:
+      radial-gradient(circle at top, rgba(34, 211, 238, 0.16) 0%, rgba(34, 211, 238, 0) 28%),
+      linear-gradient(180deg, #0a0a0b 0%, #0d1016 48%, #0a0a0b 100%);
+    color: var(--text);
+    line-height: 1.6;
+    -webkit-font-smoothing: antialiased;
+  }
+  a { color: inherit; }
+  .container { max-width: 1040px; margin: 0 auto; padding: 0 24px; }
+  nav {
+    position: sticky; top: 0; z-index: 50;
+    backdrop-filter: blur(12px);
+    background: rgba(10, 10, 11, 0.86);
+    border-bottom: 1px solid rgba(35, 35, 39, 0.92);
+  }
+  nav .container { min-height: 68px; display: flex; align-items: center; justify-content: space-between; gap: 20px; }
+  .nav-logo { font-size: 15px; font-weight: 700; letter-spacing: -0.02em; text-decoration: none; display: inline-flex; align-items: center; gap: 8px; }
+  .nav-logo .logo-mark { width: 28px; height: 28px; display: block; }
+  .nav-logo span { color: var(--cyan); }
+  .nav-links { display: flex; gap: 18px; flex-wrap: wrap; align-items: center; }
+  .nav-links a { color: var(--text-muted); text-decoration: none; font-size: 13px; }
+  .nav-links a:hover { color: var(--text); }
+
+  header.hero { padding: 80px 0 56px; }
+  .eyebrow {
+    display: inline-block;
+    color: var(--cyan);
+    background: var(--cyan-dim);
+    border: 1px solid rgba(34, 211, 238, 0.3);
+    padding: 6px 12px;
+    border-radius: 999px;
+    font-size: 12px;
+    font-weight: 600;
+    letter-spacing: 0.04em;
+    text-transform: uppercase;
+    margin-bottom: 20px;
+  }
+  h1 { font-size: 44px; line-height: 1.1; letter-spacing: -0.02em; margin: 0 0 20px; }
+  h1 .accent { color: var(--cyan); }
+  .lede { font-size: 18px; color: var(--text-muted); max-width: 720px; margin: 0 0 28px; }
+  .cta-row { display: flex; gap: 12px; flex-wrap: wrap; }
+  .btn-primary, .btn-secondary {
+    display: inline-flex; align-items: center; gap: 8px;
+    padding: 12px 20px; border-radius: 8px; font-weight: 600; font-size: 14px;
+    text-decoration: none; transition: transform 80ms ease, box-shadow 80ms ease;
+  }
+  .btn-primary { background: var(--cyan); color: #001016; box-shadow: 0 8px 24px var(--cyan-glow); }
+  .btn-primary:hover { transform: translateY(-1px); }
+  .btn-secondary { border: 1px solid var(--border); color: var(--text); background: var(--bg-raised); }
+  .btn-secondary:hover { border-color: var(--cyan); color: var(--cyan); }
+
+  section { padding: 56px 0; border-top: 1px solid var(--border); }
+  section h2 { font-size: 28px; letter-spacing: -0.015em; margin: 0 0 12px; }
+  section h2 .accent { color: var(--cyan); }
+  section p.section-lede { color: var(--text-muted); font-size: 15px; max-width: 760px; margin: 0 0 28px; }
+
+  .grid-3 { display: grid; grid-template-columns: repeat(auto-fit, minmax(280px, 1fr)); gap: 16px; }
+  .card { background: var(--bg-card); border: 1px solid var(--border); border-radius: 12px; padding: 20px; }
+  .card h3 { font-size: 16px; margin: 0 0 8px; color: var(--cyan); letter-spacing: -0.01em; }
+  .card p { font-size: 14px; color: var(--text-muted); margin: 0; }
+
+  table.compliance { width: 100%; border-collapse: collapse; font-size: 14px; margin-top: 8px; }
+  table.compliance th, table.compliance td { text-align: left; padding: 10px 12px; border-bottom: 1px solid var(--border); vertical-align: top; }
+  table.compliance th { color: var(--text-muted); font-weight: 600; font-size: 12px; letter-spacing: 0.04em; text-transform: uppercase; background: var(--bg-raised); }
+  table.compliance code { font-family: var(--mono); color: var(--cyan); font-size: 12px; }
+  .status-ok { color: var(--green); font-weight: 600; }
+  .status-partial { color: var(--amber); font-weight: 600; }
+  .status-pending { color: var(--text-muted); font-weight: 600; }
+
+  .deployment-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 20px; }
+  @media (max-width: 720px) { .deployment-grid { grid-template-columns: 1fr; } h1 { font-size: 34px; } }
+  .deployment-card { background: var(--bg-card); border: 1px solid var(--border); border-radius: 12px; padding: 24px; }
+  .deployment-card.gov { border-color: rgba(34, 211, 238, 0.4); }
+  .deployment-card h3 { font-size: 18px; margin: 0 0 12px; }
+  .deployment-card ul { padding-left: 18px; color: var(--text-muted); font-size: 14px; margin: 0; }
+  .deployment-card li { margin: 6px 0; }
+
+  .callout {
+    background: var(--bg-raised);
+    border: 1px solid var(--border);
+    border-left: 3px solid var(--cyan);
+    border-radius: 8px;
+    padding: 18px 20px;
+    color: var(--text-muted);
+    font-size: 14px;
+  }
+  .callout strong { color: var(--text); }
+
+  footer { padding: 40px 0 80px; text-align: center; color: var(--text-muted); font-size: 13px; }
+  footer a { color: var(--cyan); text-decoration: none; }
+</style>
+</head>
+<body>
+
+<nav>
+  <div class="container">
+    <a class="nav-logo" href="/">
+      <img class="logo-mark" src="/assets/brand/thumbgate-mark.svg" alt="" />
+      ThumbGate <span>/ federal</span>
+    </a>
+    <div class="nav-links">
+      <a href="#capabilities">Capabilities</a>
+      <a href="#compliance">Compliance</a>
+      <a href="#deployment">Deployment</a>
+      <a href="#engage">Pilot</a>
+      <a href="https://github.com/IgorGanapolsky/ThumbGate/blob/main/docs/FEDERAL.md">Docs</a>
+    </div>
+  </div>
+</nav>
+
+<header class="hero">
+  <div class="container">
+    <span class="eyebrow">For Federal Agencies</span>
+    <h1>Auditable <span class="accent">pre-action gates</span> for AI coding agents inside federal agencies.</h1>
+    <p class="lede">
+      Every gate decision is logged with timestamp, actor, action, policy, and evidence — the artifact OMB M-24-10 and EO 14110 ask for, generated continuously. Agency-owned policy. Vendor-neutral across Claude Code, Cursor, Codex, Gemini CLI, Amp, Cline, OpenCode. On-prem or government cloud deployment via ThumbGate-Core gov mode.
+    </p>
+    <div class="cta-row">
+      <a class="btn-primary" href="mailto:iganapolsky@gmail.com?subject=ThumbGate%20federal%20pilot%20scoping">Start a 30-minute scoping call →</a>
+      <a class="btn-secondary" href="https://github.com/IgorGanapolsky/ThumbGate/blob/main/docs/FEDERAL.md">Read the technical brief</a>
+    </div>
+  </div>
+</header>
+
+<section id="capabilities">
+  <div class="container">
+    <h2>What an agency actually gets</h2>
+    <p class="section-lede">
+      ThumbGate is a behavioral enforcement layer between AI agents and the tools they invoke. It is not a model, not a model-output evaluator, and not a federal data RAG system. It is the gate that decides whether a tool call leaves the agent's environment.
+    </p>
+    <div class="grid-3">
+      <div class="card">
+        <h3>Auditable agent behavior</h3>
+        <p>Every gate decision is logged with the action attempted, the policy invoked, the evidence required, and the outcome. PII redaction is built in. Logs are exportable in JSON Lines for ingestion into the agency SIEM.</p>
+      </div>
+      <div class="card">
+        <h3>Agency-owned policy</h3>
+        <p>Generic LLM guardrails are vendor-controlled and opaque. ThumbGate policies live in version control inside the agency boundary, are written as code, and are enforced locally before a tool call leaves the dev environment.</p>
+      </div>
+      <div class="card">
+        <h3>Repeated-failure prevention</h3>
+        <p>A thumbs-down from an agency engineer becomes a permanent prevention rule. The same risky action never reaches the model on the next attempt — relevant for cost control and for documenting "we did not let the agent do X" in incident review.</p>
+      </div>
+      <div class="card">
+        <h3>Vendor-neutral</h3>
+        <p>Works with Claude Code, Cursor, Codex, Gemini CLI, Amp, Cline, OpenCode, and any MCP-compatible agent. No lock-in to a single model vendor. Bedrock GovCloud and Azure Government routing supported in gov mode.</p>
+      </div>
+      <div class="card">
+        <h3>Continuous AI use-case inventory</h3>
+        <p>Gate-decision telemetry produces a real-time inventory of which AI tools are actively used, by whom, on what — directly supporting OMB M-24-10 §5(a) and EO 14110 §10.1(b) inventory and risk-categorization requirements.</p>
+      </div>
+      <div class="card">
+        <h3>Air-gap supported</h3>
+        <p>ThumbGate-Core gov mode runs without telemetry, without auto-update, and without any outbound call to thumbgate.ai. Agency keeps the data; ThumbGate provides the enforcement engine and the policy framework.</p>
+      </div>
+    </div>
+  </div>
+</section>
+
+<section id="compliance">
+  <div class="container">
+    <h2>Compliance posture — <span class="accent">the honest current state</span></h2>
+    <p class="section-lede">
+      No FedRAMP marketing badge until authorization is real. Here is what is true today and what the path forward looks like.
+    </p>
+    <table class="compliance">
+      <thead>
+        <tr><th>Item</th><th>Status</th><th>Notes</th></tr>
+      </thead>
+      <tbody>
+        <tr><td>FedRAMP authorization</td><td class="status-pending">Not yet</td><td>Targeting Low baseline via agency sponsorship. Open to civilian agency sponsor conversations.</td></tr>
+        <tr><td>FISMA / NIST 800-53 Rev 5</td><td class="status-partial">Partial mapping</td><td>11 controls directly supported (see below). Public SaaS inherits Railway's controls; Core gov mode runs on-prem.</td></tr>
+        <tr><td>FIPS 140-2/3 validated crypto</td><td class="status-partial">In Core gov mode</td><td>Public ThumbGate uses Node.js native crypto; Core gov mode routes to a FIPS-validated provider on <code>THUMBGATE_DEPLOY=gov</code>.</td></tr>
+        <tr><td>Section 508 accessibility</td><td class="status-partial">Dashboard audit pending</td><td>CLI output and landing pages are screen-reader friendly; full WCAG 2.1 AA audit pending.</td></tr>
+        <tr><td>US persons + US data residency</td><td class="status-ok">Core gov deployments</td><td>Public SaaS runs in US Railway regions; Core gov mode is on-prem or government cloud only.</td></tr>
+        <tr><td>SBOM + supply chain provenance</td><td class="status-ok">Per release</td><td>SBOM and dependency report published with every npm release in <code>proof/</code>.</td></tr>
+        <tr><td>Third-party LLM calls</td><td class="status-partial">Public uses Claude directly</td><td>Core gov mode replaces direct Claude calls with Bedrock GovCloud / Azure Government routing.</td></tr>
+      </tbody>
+    </table>
+
+    <h2 style="margin-top:48px">NIST 800-53 Rev 5 — controls ThumbGate produces evidence for</h2>
+    <table class="compliance">
+      <thead>
+        <tr><th>Family</th><th>Control</th><th>How ThumbGate supports it</th></tr>
+      </thead>
+      <tbody>
+        <tr><td>AC</td><td><code>AC-3</code> Access Enforcement</td><td>PreToolUse hook blocks tool calls that violate policy regardless of operator intent.</td></tr>
+        <tr><td>AC</td><td><code>AC-6</code> Least Privilege</td><td>Per-gate scopes bind agent actions to declared task scope.</td></tr>
+        <tr><td>AU</td><td><code>AU-2 / AU-3 / AU-12</code> Audit Logging</td><td>Every gate decision logged with full payload, PII-redacted, exportable to agency SIEM.</td></tr>
+        <tr><td>CM</td><td><code>CM-3</code> Configuration Change Control</td><td>Branch governance gate requires <code>releaseVersion</code> declaration before release/publish actions.</td></tr>
+        <tr><td>CM</td><td><code>CM-7</code> Least Functionality</td><td>MCP allowlists constrain reachable agent tools per deployment profile.</td></tr>
+        <tr><td>IR</td><td><code>IR-4</code> Incident Handling</td><td>Hallucination detector + claim verification produces evidence trails for post-incident review.</td></tr>
+        <tr><td>RA</td><td><code>RA-5</code> Vulnerability Monitoring</td><td>Security scan surfaces known-bad patterns from the prevention rule library.</td></tr>
+        <tr><td>SI</td><td><code>SI-4 / SI-7</code> System Integrity</td><td>Continuous gate telemetry + integrity-checkable prevention rule corpus.</td></tr>
+      </tbody>
+    </table>
+  </div>
+</section>
+
+<section id="deployment">
+  <div class="container">
+    <h2>Two deployment profiles. <span class="accent">One codebase.</span></h2>
+    <p class="section-lede">
+      Federal capabilities are an additive Core deployment profile, not a fork. The open-source ThumbGate developers install from npm is byte-identical regardless of federal work — pinned by regression tests.
+    </p>
+    <div class="deployment-grid">
+      <div class="deployment-card">
+        <h3>Public ThumbGate <span style="color:var(--text-muted);font-size:13px">— open source</span></h3>
+        <ul>
+          <li><code>npm install thumbgate</code> → local CLI enforcement</li>
+          <li>Railway SaaS dashboard</li>
+          <li>Direct Claude API integration</li>
+          <li>Best for: SBIR Phase I prototyping, agency open-source experimentation, contractor evaluation</li>
+          <li>License: MIT</li>
+        </ul>
+      </div>
+      <div class="deployment-card gov">
+        <h3>ThumbGate-Core <span style="color:var(--cyan);font-size:13px">— gov mode</span></h3>
+        <ul>
+          <li>Activated by <code>THUMBGATE_DEPLOY=gov</code></li>
+          <li>On-prem, AWS GovCloud, or Azure Government install</li>
+          <li>Bedrock GovCloud / Azure Gov LLM routing — no public-internet model calls</li>
+          <li>FIPS-validated crypto provider</li>
+          <li>Audit log sink configurable to agency SIEM</li>
+          <li>Air-gapped install supported</li>
+          <li>Best for: production agency dev environments, ATO-bound deployments</li>
+        </ul>
+      </div>
+    </div>
+
+    <div class="callout" style="margin-top:24px">
+      <strong>Why the boundary matters.</strong> Federal expansion runs through ThumbGate-Core. The public open-source product is the protected invariant: <code>npm i thumbgate</code> on a fresh machine works with zero federal env vars set, public CI passes with Core absent, and no federal code path is reachable without explicit opt-in. Five architectural invariants are pinned by regression tests in <code>tests/public-core-boundary.test.js</code>.
+    </div>
+  </div>
+</section>
+
+<section id="engage">
+  <div class="container">
+    <h2>What a pilot actually looks like</h2>
+    <p class="section-lede">
+      A 30-minute scoping call. One agent workflow inside the agency. Two weeks of monitored gate decisions. A written report with captured behavior, blocked actions, and NIST control evidence. No procurement vehicle required for Phase 0 or Phase 1.
+    </p>
+    <div class="grid-3">
+      <div class="card">
+        <h3>Phase 0 — Now</h3>
+        <p>Public technical brief, NIST control mapping, this page. No agency commitment required. Read the docs, evaluate the open-source release.</p>
+      </div>
+      <div class="card">
+        <h3>Phase 1 — On first call</h3>
+        <p>One-page CIS tailored to the agency authorization boundary. SBOM walkthrough. Air-gapped install rehearsal in a clean VM.</p>
+      </div>
+      <div class="card">
+        <h3>Phase 2 — On signed pilot</h3>
+        <p>Core gov mode install. Bedrock GovCloud / Azure Gov routing. FIPS crypto. Agency SIEM audit-log sink. Two-week monitored evaluation on one workflow.</p>
+      </div>
+      <div class="card">
+        <h3>Phase 3 — On sponsor commitment</h3>
+        <p>FedRAMP Low baseline package preparation. 3PAO engagement. ATO documentation set.</p>
+      </div>
+      <div class="card">
+        <h3>Phase 4 — On named demand</h3>
+        <p>Federal RAG over agency policy corpora. Multimodal retrieval for screenshot / PDF / diagram evidence. Built when an agency names the use case — not on speculation.</p>
+      </div>
+      <div class="card">
+        <h3>Engagement vehicles</h3>
+        <p>SBIR / STTR Phase I and II. Agency innovation pilots. Prime / SI partnership for inclusion in a larger AI governance offering. GSA Schedule path open under agency sponsorship.</p>
+      </div>
+    </div>
+
+    <div style="margin-top:32px;display:flex;gap:12px;flex-wrap:wrap">
+      <a class="btn-primary" href="mailto:iganapolsky@gmail.com?subject=ThumbGate%20federal%20pilot%20scoping">Email for a scoping call →</a>
+      <a class="btn-secondary" href="https://github.com/IgorGanapolsky/ThumbGate/blob/main/docs/FEDERAL.md">Read the full technical brief</a>
+    </div>
+  </div>
+</section>
+
+<footer>
+  <div class="container">
+    ThumbGate is built and maintained by <a href="https://github.com/IgorGanapolsky">Igor Ganapolsky</a>.
+    Open source under MIT. Federal capabilities ship via the licensed ThumbGate-Core component.
+    <br>
+    <a href="/">← Back to thumbgate.ai</a>
+    &nbsp;·&nbsp;
+    <a href="https://github.com/IgorGanapolsky/ThumbGate">GitHub</a>
+    &nbsp;·&nbsp;
+    <a href="https://github.com/IgorGanapolsky/ThumbGate/blob/main/docs/FEDERAL.md">Federal docs</a>
+  </div>
+</footer>
+
+</body>
+</html>

package/public/guide.html

@@ -353,8 +353,8 @@ npx thumbgate init --agent gemini</code></pre>
 <pre><code>npx thumbgate init</code></pre>
 <p>One command. Works with Claude Code, Cursor, Codex, Gemini, Amp, and OpenCode. Claude Code can also call Codex for review, adversarial review, and second-pass handoffs through the repo-local bridge plugin.</p>
 <a href="https://thumbgate.ai/checkout/pro?utm_source=guide&utm_medium=cta_button&utm_campaign=pro_pack" class="cta">Get Pro — $19/mo or $149/yr</a>
-<a href="https://buy.stripe.com/00w14neyUcXA5pL5e33sI0e" class="cta cta-secondary">Pay $499 diagnostic</a>
-<a href="https://buy.stripe.com/fZu9AT76saPsg4pbCr3sI0f" class="cta cta-secondary">Pay $1500 sprint</a>
+<a rel="nofollow noopener noreferrer" target="_blank" href="https://buy.stripe.com/00w14neyUcXA5pL5e33sI0e" class="cta cta-secondary">Pay $499 diagnostic</a>
+<a rel="nofollow noopener noreferrer" target="_blank" href="https://buy.stripe.com/fZu9AT76saPsg4pbCr3sI0f" class="cta cta-secondary">Pay $1500 sprint</a>
 <a href="https://thumbgate.ai/#workflow-sprint-intake" class="cta cta-secondary">Send workflow first</a>
 <p style="color:var(--muted); font-size:0.85rem;">Free: unlimited captures, 5 active prevention rules, hook blocking. Pro: dashboard, recall, lesson search, unlimited rules, DPO export. Team: intake first, then $49/seat/mo with a 3-seat minimum.</p>
 

package/public/index.html

@@ -19,7 +19,7 @@ __GOOGLE_SITE_VERIFICATION_META__
 <meta property="og:image" content="https://thumbgate-production.up.railway.app/og.png">
 <meta name="twitter:card" content="summary_large_image">
 <meta name="twitter:image" content="https://thumbgate-production.up.railway.app/og.png">
-<meta name="thumbgate-version" content="1.17.0">
+<meta name="thumbgate-version" content="1.19.0">
 <meta name="keywords" content="ThumbGate, thumbgate, AI agent orchestration, AI experience orchestration, agent enforcement layer, save LLM tokens, reduce Claude API cost, reduce OpenAI cost, AI agent token savings, prevent LLM retries, prevent hallucination retries, stop AI token waste, pre-action checks, agent governance, Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode, workflow hardening, context engineering, AI authenticity, brand authenticity AI">
 <link rel="apple-touch-icon" href="/apple-touch-icon.png">
 
@@ -40,6 +40,28 @@ __GA_BOOTSTRAP__
   const workflowSprintPriceDollars = Number('__WORKFLOW_SPRINT_PRICE_DOLLARS__') || 1500;
 </script>
 
+<script type="application/ld+json">
+{
+  "@context": "https://schema.org",
+  "@type": "Organization",
+  "name": "ThumbGate",
+  "alternateName": "thumbgate",
+  "url": "https://thumbgate-production.up.railway.app",
+  "logo": "https://thumbgate-production.up.railway.app/assets/brand/thumbgate-logo-1200x360.png",
+  "description": "ThumbGate ships pre-action gates for AI coding agents. Open-source CLI plus PreToolUse hooks that capture feedback, promote it to memory, generate prevention rules, and block repeated mistakes before the next tool call across Claude Code, Cursor, Codex, Gemini, Amp, Cline, and OpenCode.",
+  "founder": {
+    "@type": "Person",
+    "name": "Igor Ganapolsky",
+    "url": "https://github.com/IgorGanapolsky"
+  },
+  "sameAs": [
+    "https://github.com/IgorGanapolsky/ThumbGate",
+    "https://www.npmjs.com/package/thumbgate",
+    "https://github.com/IgorGanapolsky"
+  ]
+}
+</script>
+
 <script type="application/ld+json">
 {
   "@context": "https://schema.org",
@@ -672,7 +694,8 @@ __GA_BOOTSTRAP__
     <a href="/" class="nav-logo"><img src="/assets/brand/thumbgate-mark-inline.svg" alt="ThumbGate" class="logo-mark" width="28" height="28"><span class="logo-text">ThumbGate</span></a>
     <div class="nav-links">
       <a href="#how-it-works">How It Works</a>
-      <a href="#pricing">Pricing</a>
+      <a href="/pricing">Pricing</a>
+      <a href="/case-studies">Case Studies</a>
       <a href="/guides/autoresearch-agent-safety">Autoresearch</a>
       <a href="#faq">FAQ</a>
       <a href="https://github.com/IgorGanapolsky/ThumbGate" target="_blank" rel="noopener">GitHub</a>
@@ -710,7 +733,7 @@ __GA_BOOTSTRAP__
         <span class="copy-hint">click to copy</span>
       </div>
       <a href="/go/install?utm_source=website&utm_medium=hero_cta&utm_campaign=install_free&cta_id=hero_install_cli&cta_placement=hero" onclick="event.preventDefault(); navigator.clipboard.writeText('npx thumbgate init'); this.textContent='Copied ✓ — paste in your repo'; setTimeout(()=>{this.textContent='Install Free CLI'},2000); try{posthog.capture('hero_install_click',{cta:'install_cli'})}catch(_){}" class="btn-gpt-page btn-install-hero" title="Click to copy: npx thumbgate init">Install Free CLI</a>
-      <a href="/go/pro?utm_source=website&amp;utm_medium=hero_cta&amp;utm_campaign=pro_upgrade&amp;cta_id=hero_go_pro&amp;cta_placement=hero&amp;plan_id=pro&amp;landing_path=%2F" onclick="try{posthog.capture('hero_pro_click',{cta:'go_pro'})}catch(_){};sendFirstPartyTelemetry('hero_pro_checkout_started',{ctaId:'hero_go_pro',ctaPlacement:'hero',planId:'pro',price:19});sendGa4Event('begin_checkout',{currency:'USD',value:19,items:[{item_id:'pro',item_name:'ThumbGate Pro'}]});" class="btn-pro-page hero-pro">Get Pro — $19/mo</a>
+      <a href="#workflow-sprint-intake" onclick="try{posthog.capture('hero_sprint_click',{cta:'sprint_intake'})}catch(_){};sendFirstPartyTelemetry('hero_sprint_intake_started',{ctaId:'hero_workflow_sprint',ctaPlacement:'hero',offer:'workflow_sprint'});" class="btn-pro-page hero-pro">Talk to me — Workflow Hardening Sprint →</a>
     </div>
 
     <div class="hero-trust-bar">
@@ -720,6 +743,10 @@ __GA_BOOTSTRAP__
       <span>Works with MCP-compatible agents</span>
       <span>Verification evidence in GitHub</span>
     </div>
+    <figure style="max-width:760px;margin:32px auto 0;padding:20px 24px;border-left:3px solid var(--cyan);background:rgba(34,211,238,0.04);border-radius:0 8px 8px 0;">
+      <blockquote style="margin:0;font-size:18px;line-height:1.5;color:var(--text);font-style:italic;">&ldquo;A better dashboard doesn&rsquo;t make the agents more reliable. The hard part isn&rsquo;t visibility. It&rsquo;s trust.&rdquo;</blockquote>
+      <figcaption style="margin-top:12px;font-size:13px;color:var(--text-muted);">— Rob May, CEO &amp; co-founder, Neurometric AI, in <a href="https://thenewstack.io/claude-code-agent-view/" target="_blank" rel="noopener" style="color:var(--cyan);">The New Stack</a> on Anthropic&rsquo;s Claude Code Agent View (May 2026). ThumbGate is the open-source layer that makes the trust part real: PreToolUse gates, thumbs-down to rule, audit trail on every interception.</figcaption>
+    </figure>
     <div class="first-check-card" id="first-check">
       <div class="section-label" style="text-align:left;margin-bottom:8px;">First-Dollar Activation Path</div>
       <h2>Block your first repeated AI mistake in 5 minutes.</h2>
@@ -995,6 +1022,7 @@ __GA_BOOTSTRAP__
     </div>
     <div style="display:flex;gap:12px;justify-content:center;flex-wrap:wrap;margin-top:18px;">
       <a class="btn-team" href="/compare/ai-experience-orchestration">Compare orchestration vs enforcement →</a>
+      <a class="btn-free" href="/guides/ai-deployment-readiness" style="display:inline-flex;align-items:center;">AI deployment readiness →</a>
       <a class="btn-free" href="/use-cases/platform-teams" style="display:inline-flex;align-items:center;">Platform team rollout →</a>
       <a class="btn-free" href="/use-cases/regulated-workflows" style="display:inline-flex;align-items:center;">Regulated workflow pattern →</a>
     </div>
@@ -1021,6 +1049,7 @@ __GA_BOOTSTRAP__
         <a href="/guides/claude-code-skills-guardrails">Claude Code skills</a>
         <a href="/guides/long-running-agent-context-management">Long-running agent context</a>
         <a href="/guides/reasoning-compression-guardrails">Reasoning compression</a>
+        <a href="/guides/ai-deployment-readiness">AI deployment readiness</a>
         <a href="/guides/browser-automation-safety">Browser automation safety</a>
         <a href="/guides/native-messaging-host-security">Native messaging host security</a>
         <a href="/guides/ai-search-topical-presence">AI search topical presence</a>
@@ -1231,26 +1260,26 @@ __GA_BOOTSTRAP__
         <a href="https://www.npmjs.com/package/thumbgate" target="_blank" rel="noopener" class="btn-free">Install Free</a>
       </div>
       <div class="price-card pro" data-price-dollars="19">
-        <div class="tier">Solo Pro</div>
+        <div class="tier">Pro</div>
         <div class="price">$19<span style="font-size:16px;color:var(--text-dim)">/mo</span></div>
-        <div class="price-sub">For builders who want proof, exports, and unlimited local learning.</div>
+        <div class="price-sub">Stop paying tokens to re-correct the same agent mistake across sessions.</div>
         <ul>
-          <li>Unlimited feedback captures and prevention rules</li>
-          <li>Lesson recall and search across sessions</li>
-          <li><a href="/dashboard#insights" style="color:var(--cyan);text-decoration:underline;">Visual check debugger</a> for every blocked action and the check that fired</li>
-          <li>Auto-connect so supported agents appear automatically after setup</li>
-          <li><a href="/dashboard#export" style="color:var(--cyan);text-decoration:underline;">DPO training data export</a> with ready-to-use preference pairs for fine-tuning</li>
-          <li>Personal local dashboard for the individual operator</li>
-          <li>Model Hardening Advisor plus HuggingFace dataset export</li>
-          <li>Review-ready workflow support and proof-ready lesson bundles</li>
-          <li>Team lesson export/import for handoff or migration</li>
+          <li><strong>Block every repeat mistake</strong> — unlimited feedback captures and prevention rules (Free caps at 5 active rules)</li>
+          <li><strong>Never re-explain a correction</strong> — lesson recall and search across sessions on every agent surface</li>
+          <li><strong>See exactly which rule fired</strong> — <a href="/dashboard#insights" style="color:var(--cyan);text-decoration:underline;">Visual check debugger</a> for every blocked action and the check that fired</li>
+          <li><strong>One install, every agent</strong> — Auto-connect so supported agents appear automatically after setup (Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode)</li>
+          <li><strong>Fine-tune your local model</strong> on what your team actually wants — <a href="/dashboard#export" style="color:var(--cyan);text-decoration:underline;">DPO training data export</a> with ready-to-use preference pairs for fine-tuning</li>
+          <li><strong>Audit-ready enforcement proof</strong> — Personal local dashboard for the individual operator with auditable block history</li>
+          <li><strong>Ship hardened agents to production</strong> — Model Hardening Advisor plus HuggingFace dataset export</li>
+          <li><strong>Hand a PR with proof</strong> — Review-ready workflow support and proof-ready lesson bundles a reviewer can verify in 30 seconds</li>
+          <li><strong>Hand off without re-onboarding</strong> — Team lesson export/import for handoff or migration</li>
         </ul>
         <div style="margin:12px 0 16px;padding:12px;border:1px solid rgba(34,211,238,0.25);border-radius:8px;background:rgba(34,211,238,0.06);">
           <div style="font-size:12px;color:var(--text-muted);margin-bottom:4px;">What your Pro dashboard looks like</div>
           <div style="font-family:var(--mono);font-size:12px;color:var(--cyan);line-height:1.6;">checks: 36 active<br>feedback: unlimited<br>exports: DPO + lessons</div>
         </div>
         <div style="font-size:11px;letter-spacing:0.08em;text-transform:uppercase;color:var(--cyan);font-weight:800;margin-bottom:8px;">PAY-NOW PRO</div>
-        <a href="/checkout/pro?confirm=1&utm_source=pricing&utm_medium=cta&utm_campaign=v2_landing&utm_content=pricing_pro" id="pro-checkout-link" class="btn-pro" onclick="handleProCheckout();return false;" style="display:block;width:100%;text-align:center;padding:12px;font-size:15px;">Upgrade to Pro — $19/mo</a>
+        <a href="/checkout/pro?utm_source=pricing&utm_medium=cta&utm_campaign=v2_landing&utm_content=pricing_pro&plan_id=pro" id="pro-checkout-link" class="btn-pro" onclick="handleProCheckout();return false;" style="display:block;width:100%;text-align:center;padding:12px;font-size:15px;">Upgrade to Pro — $19/mo</a>
         <p style="font-size:11px;color:var(--text-muted);margin-top:8px;text-align:center;">Billed today · cancel anytime.</p>
         <input type="email" id="pro-email" data-buyer-email placeholder="you@company.com" style="margin-top:10px;width:100%;padding:10px 12px;border:1px solid var(--border);border-radius:8px;background:var(--bg-raised);color:var(--text);font-size:14px;">
       </div>
@@ -1267,8 +1296,9 @@ __GA_BOOTSTRAP__
           <li>Workflow hardening sprint intake for approval boundaries and rollback safety</li>
           <li>Email support during pilot rollout</li>
         </ul>
-        <a href="#workflow-sprint-intake" class="btn-team" style="display:block;text-align:center;">Start Workflow Hardening Sprint</a>
-        <p style="font-size:11px;color:var(--text-muted);margin-top:8px;text-align:center;">No self-serve trial. Team is $49/seat/mo with a 3-seat minimum and starts with the Workflow Hardening Sprint intake, not a self-serve trial.</p>
+        <a href="/checkout/pro?plan_id=team&amp;seat_count=3&amp;confirm=1&amp;utm_source=website&amp;utm_medium=pricing&amp;utm_campaign=team_self_serve&amp;cta_id=pricing_team_self_serve&amp;cta_placement=pricing&amp;landing_path=%2F" onclick="try{posthog.capture('team_self_serve_click',{cta:'team_self_serve',seats:3,price:147})}catch(_){};sendFirstPartyTelemetry('team_self_serve_checkout_started',{ctaId:'pricing_team_self_serve',ctaPlacement:'pricing',planId:'team',seatCount:3,price:147});sendGa4Event('begin_checkout',{currency:'USD',value:147,items:[{item_id:'team_monthly',item_name:'ThumbGate Team (3 seats)',quantity:3}]});" class="btn-team" style="display:block;text-align:center;">Start 3-seat Team — $147/mo</a>
+        <a href="#workflow-sprint-intake" style="display:block;text-align:center;margin-top:8px;font-size:13px;color:var(--text-dim);text-decoration:none;">Or qualify first via Workflow Hardening Sprint intake →</a>
+        <p style="font-size:11px;color:var(--text-muted);margin-top:8px;text-align:center;">Team is $49/seat/mo with a 3-seat minimum. Self-serve checkout starts you at $147/mo for 3 seats; add more seats from the dashboard. Prefer to qualify the workflow before paying? Start with the intake.</p>
       </div>
     </div>
     <p style="text-align:center;color:var(--text-muted);font-size:13px;margin:40px 0;">Need a custom diagnostic, sprint, or setup? <a href="#workflow-sprint-intake" style="color:var(--cyan);text-decoration:none;">Send workflow first →</a></p>
@@ -1326,7 +1356,7 @@ __GA_BOOTSTRAP__
           </div>
           <div>
             <div class="team-paid-price">$97</div>
-            <a class="team-paid-link" href="https://buy.stripe.com/bJe14naiE9Lo7xT49Z3sI12" onclick="sendFirstPartyTelemetry('openclaw_governance_kit_checkout_started',{ctaId:'team_openclaw_governance_kit_checkout',ctaPlacement:'team_paid_path',planId:'digital_kit',offer:'openclaw_agent_governance_kit',price:97});sendGa4Event('begin_checkout',{currency:'USD',value:97,items:[{item_id:'openclaw_agent_governance_kit',item_name:'OpenClaw Agent Governance Kit'}]});">Buy kit</a>
+            <a rel="nofollow noopener noreferrer" target="_blank" class="team-paid-link" href="https://buy.stripe.com/bJe14naiE9Lo7xT49Z3sI12" onclick="sendFirstPartyTelemetry('openclaw_governance_kit_checkout_started',{ctaId:'team_openclaw_governance_kit_checkout',ctaPlacement:'team_paid_path',planId:'digital_kit',offer:'openclaw_agent_governance_kit',price:97});sendGa4Event('begin_checkout',{currency:'USD',value:97,items:[{item_id:'openclaw_agent_governance_kit',item_name:'OpenClaw Agent Governance Kit'}]});">Buy kit</a>
           </div>
         </div>
       </div>
@@ -1464,7 +1494,7 @@ __GA_BOOTSTRAP__
       <a href="https://www.linkedin.com/in/igorganapolsky" target="_blank" rel="noopener">LinkedIn</a>
       <a href="/blog">Blog</a>
     </div>
-    <span class="footer-copy">© 2026 ThumbGate · MIT License · npm v1.17.0</span>
+    <span class="footer-copy">© 2026 ThumbGate · MIT License · npm v1.19.0</span>
   </div>
 </footer>
 

package/public/learn.html

@@ -73,6 +73,12 @@
       {
         "@type": "ListItem",
         "position": 6,
+        "url": "https://thumbgate.ai/learn/from-prototype-to-production",
+        "name": "From git init to v1.17.0 in 70 days: an honest ThumbGate build log"
+      },
+      {
+        "@type": "ListItem",
+        "position": 7,
         "url": "https://thumbgate.ai/guides/stop-repeated-ai-agent-mistakes",
         "name": "How to Stop AI Coding Agents From Repeating Mistakes"
       },
@@ -123,6 +129,12 @@
         "position": 14,
         "url": "https://thumbgate.ai/guides/relational-knowledge-ai-recommendations",
         "name": "Relational Knowledge in AI Recommendations"
+      },
+      {
+        "@type": "ListItem",
+        "position": 15,
+        "url": "https://thumbgate.ai/guides/ai-deployment-readiness",
+        "name": "AI Deployment Readiness Before Production Rollout"
       }
     ]
   }
@@ -269,11 +281,27 @@
       <span class="article-tag">SQLite+FTS5</span>
       <span class="article-tag">Session Persistence</span>
     </a>
+
+    <a href="/learn/from-prototype-to-production" class="article-card">
+      <h3>From git init to v1.17.0 in 70 days: an honest ThumbGate build log</h3>
+      <p>70 days, 112 commits, 17 minor releases, 6k npm downloads, $0 cold-traffic revenue. The unedited story of taking ThumbGate from a one-line repo init to live production — including the part that's still broken.</p>
+      <span class="article-tag">Build Log</span>
+      <span class="article-tag">Indie SaaS</span>
+      <span class="article-tag">Shipping in Public</span>
+    </a>
   </div>
 
   <h2>Popular buyer questions</h2>
   <p class="section-intro">These are the high-intent guides for buyers who already know the pain and want to understand where ThumbGate fits fast.</p>
   <div class="article-grid">
+    <a href="/guides/ai-deployment-readiness" class="article-card">
+      <h3>AI Deployment Readiness Before Production Rollout</h3>
+      <p>Use one priority workflow to map tools, data, controls, pre-action gates, and proof before an AI deployment team ships into production.</p>
+      <span class="article-tag">Deployment</span>
+      <span class="article-tag">Readiness</span>
+      <span class="article-tag">Sprint</span>
+    </a>
+
     <a href="/guides/ai-search-topical-presence" class="article-card">
       <h3>AI Search Topical Presence</h3>
       <p>Why AI assistants recommend the tools they repeatedly see tied to a buyer problem, and how ThumbGate builds that association with proof-backed pages.</p>

package/public/numbers.html

@@ -25,7 +25,7 @@
   "alternateName": "thumbgate",
   "applicationCategory": "DeveloperApplication",
   "operatingSystem": "Cross-platform, Node.js >=18.18.0",
-  "softwareVersion": "1.17.0",
+  "softwareVersion": "1.19.0",
   "url": "https://thumbgate-production.up.railway.app/numbers",
   "dateModified": "2026-05-07",
   "creator": {
@@ -202,7 +202,7 @@
 <main class="container">
   <h1>The Numbers</h1>
   <p class="subtitle">Generated first-party operational snapshot from the ThumbGate runtime. This is not customer traction, install volume, revenue, or proof that a configured gate has fired.</p>
-  <div class="freshness">Updated: 2026-05-07 · Version 1.17.0</div>
+  <div class="freshness">Updated: 2026-05-07 · Version 1.19.0</div>
   <div class="truth-note"><strong>Read this first:</strong> configured checks are inventory. Recorded blocks and warnings are usage evidence. This snapshot currently reports 0 recorded hard-block event(s) and 0 recorded warning event(s).</div>
 
   <h2>Gate enforcement</h2>