thumbgate 1.27.11 → 1.27.13

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "thumbgate",
   "description": "One 👎 becomes a hard rule the agent cannot bypass. Captures thumbs-down feedback, distills it into PreToolUse Pre-Action Checks, enforced across every future Claude Code session.",
-  "version": "1.27.7",
+  "version": "1.27.8",
   "author": {
     "name": "Igor Ganapolsky",
     "email": "ig5973700@gmail.com",

package/.well-known/llms.txt

@@ -64,10 +64,11 @@ npx thumbgate init --agent claude-code
 - Agent discovery: https://thumbgate.ai/.well-known/mcp.json
 - Progressive tool index: https://thumbgate.ai/.well-known/mcp/tools.json
 - Context footprint report: https://thumbgate.ai/.well-known/mcp/footprint.json
+- Headroom context compression guardrails: https://thumbgate.ai/guides/headroom-context-compression-guardrails
+- Sovereign coding model guardrails: https://thumbgate.ai/guides/sovereign-coding-model-guardrails
 - Agentic web governance: https://thumbgate.ai/guides/agentic-web-governance
 - AI Mode ads and agent governance: https://thumbgate.ai/guides/ai-mode-ads-agent-governance
 - MCP tool governance: https://thumbgate.ai/guides/mcp-tool-governance
-- Policy engines need pre-action gates: https://thumbgate.ai/guides/policy-engine-pre-action-gates
 - AI agent pre-action approval gates: https://thumbgate.ai/guides/ai-agent-pre-action-approval-gates
 - Agent skills: https://thumbgate.ai/.well-known/mcp/skills.json
 - MCP applications: https://thumbgate.ai/.well-known/mcp/applications.json

package/.well-known/mcp/server-card.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate",
-  "version": "1.27.7",
+  "version": "1.27.8",
   "description": "ThumbGate — 👍👎 feedback that teaches your AI agent. Thumbs down a mistake, it never happens again.",
   "homepage": "https://thumbgate.ai",
   "transport": "stdio",

package/README.md

@@ -16,10 +16,6 @@ The product is a self-improving enforcement layer: thumbs-down feedback, prompt
   <img src="docs/media/thumbgate-demo.gif" alt="ThumbGate blocking an AI agent's dangerous commands (rm -rf, force-push, chmod 777) in real time, while letting safe commands through" width="820" />
 </p>
 
-<p align="center">
-  <img src="docs/diagrams/pre-action-gate-loop.svg" alt="ThumbGate pre-action gate loop: agent intent, PreToolUse gate, block or allow with audit receipt" width="920" />
-</p>
-
 ```
   Agent tries:   rm -rf tests/
   ThumbGate:     ⛔ BLOCKED — "Never delete test directories"
@@ -388,6 +384,8 @@ npx thumbgate model-candidates --workload=dashboard-analysis --provider=openai -
 npx thumbgate native-messaging-audit  # inspect local browser bridges and extension hosts
 npx thumbgate dashboard --open                                  # open local project-scoped dashboard in browser
 thumbgate-dashboard                                             # standalone browser dashboard shortcut (run '/project:thumbgate-dashboard' in Claude/Grok)
+npx thumbgate check-update                                      # check if a new version is available on npm/GitHub
+npx thumbgate self-update                                       # update ThumbGate to the latest version globally
 npx thumbgate serve      # start MCP server on stdio
 npx thumbgate bench      # run reliability benchmark
 npx thumbgate bench --programbench-smoke  # include cleanroom whole-repo proof lane

package/adapters/claude/.mcp.json

@@ -2,13 +2,13 @@
   "mcpServers": {
     "thumbgate": {
       "command": "npx",
-      "args": ["--yes", "--package", "thumbgate@1.27.7", "thumbgate", "serve"]
+      "args": ["--yes", "--package", "thumbgate@1.27.8", "thumbgate", "serve"]
     }
   },
   "hooks": {
     "preToolUse": {
       "command": "npx",
-      "args": ["--yes", "--package", "thumbgate@1.27.7", "thumbgate", "gate-check"]
+      "args": ["--yes", "--package", "thumbgate@1.27.8", "thumbgate", "gate-check"]
     }
   }
 }

package/adapters/mcp/server-stdio.js

@@ -231,7 +231,7 @@ const {
   finalizeSession: finalizeFeedbackSession,
 } = require('../../scripts/feedback-session');
 
-const SERVER_INFO = { name: 'thumbgate-mcp', version: '1.27.7' };
+const SERVER_INFO = { name: 'thumbgate-mcp', version: '1.27.8' };
 const COMMERCE_CATEGORIES = [
   'product_recommendation',
   'brand_compliance',

package/adapters/opencode/opencode.json

@@ -7,7 +7,7 @@
         "npx",
         "--yes",
         "--package",
-        "thumbgate@1.27.7",
+        "thumbgate@1.27.8",
         "thumbgate",
         "serve"
       ],

package/adapters/policy-engine/ethicore-guardian-client.js

@@ -0,0 +1,68 @@
+#!/usr/bin/env node
+'use strict';
+
+const DEFAULT_ENDPOINT = 'https://api.oraclestechnologies.com/v1/guardian/analyze';
+
+function requireApiKey(env = process.env) {
+  const key = env.ETHICORE_API_KEY || env.GUARDIAN_API_KEY || env.ORACLES_GUARDIAN_API_KEY;
+  if (!key) {
+    throw new Error('ETHICORE_API_KEY env var is required');
+  }
+  return key;
+}
+
+async function analyzeText(text, options = {}) {
+  if (!String(text || '').trim()) {
+    throw new Error('analyzeText requires text');
+  }
+
+  const env = options.env || process.env;
+  const endpoint = options.endpoint || env.ETHICORE_GUARDIAN_ENDPOINT || DEFAULT_ENDPOINT;
+  const apiKey = options.apiKey || requireApiKey(env);
+  const fetchImpl = options.fetch || fetch;
+
+  const response = await fetchImpl(endpoint, {
+    method: 'POST',
+    headers: {
+      Authorization: `Bearer ${apiKey}`,
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({ text }),
+  });
+
+  const bodyText = await response.text();
+  let body = bodyText;
+  try {
+    body = bodyText ? JSON.parse(bodyText) : {};
+  } catch {
+    // Keep non-JSON body for diagnostics.
+  }
+
+  if (!response.ok) {
+    throw new Error(`Ethicore Guardian API ${response.status}: ${typeof body === 'string' ? body : JSON.stringify(body)}`);
+  }
+
+  return body;
+}
+
+function createEthicorePolicyCheck(options = {}) {
+  return async function ethicorePolicyCheck(action = {}) {
+    const toolText = [
+      action.toolName,
+      action.actionType,
+      action.command,
+      action.path,
+      action.url,
+      action.input ? JSON.stringify(action.input) : '',
+    ].filter(Boolean).join('\n');
+
+    return analyzeText(toolText || JSON.stringify(action), options);
+  };
+}
+
+module.exports = {
+  DEFAULT_ENDPOINT,
+  analyzeText,
+  createEthicorePolicyCheck,
+  requireApiKey,
+};

package/adapters/policy-engine/thumbgate-policy-engine-adapter.js

@@ -0,0 +1,260 @@
+#!/usr/bin/env node
+'use strict';
+
+const { normalizeProviderAction } = require('../../scripts/provider-action-normalizer');
+
+const BLOCK_DECISIONS = new Set([
+  'block',
+  'blocked',
+  'deny',
+  'denied',
+  'disallow',
+  'disallowed',
+  'fail',
+  'failed',
+  'forbid',
+  'forbidden',
+  'reject',
+  'rejected',
+  'unsafe',
+  'violation',
+]);
+
+const REVIEW_DECISIONS = new Set([
+  'approval',
+  'approval-required',
+  'approval_required',
+  'approve',
+  'human-review',
+  'human_review',
+  'manual-review',
+  'manual_review',
+  'review',
+  'requires-approval',
+  'requires_approval',
+  'requires-review',
+  'requires_review',
+]);
+
+const ALLOW_DECISIONS = new Set([
+  'accept',
+  'accepted',
+  'allow',
+  'allowed',
+  'ok',
+  'pass',
+  'passed',
+  'permit',
+  'permitted',
+  'safe',
+]);
+
+function asObject(value) {
+  return value && typeof value === 'object' && !Array.isArray(value) ? value : {};
+}
+
+function asArray(value) {
+  return Array.isArray(value) ? value : [];
+}
+
+function firstString(...values) {
+  for (const value of values) {
+    const text = String(value || '').trim();
+    if (text) return text;
+  }
+  return '';
+}
+
+function normalizeDecisionToken(value) {
+  return String(value || '')
+    .trim()
+    .toLowerCase()
+    .replace(/\s+/g, '-');
+}
+
+function normalizeEvidence(value) {
+  const direct = asArray(value.evidence);
+  const citations = asArray(value.citations);
+  const violations = asArray(value.violations);
+  const reasons = asArray(value.reasons);
+  const reasoning = asArray(value.reasoning);
+  const threatTypes = asArray(value.threat_types || value.threatTypes)
+    .map((threatType) => ({
+      code: String(threatType || '').trim(),
+      message: `Threat type: ${String(threatType || '').trim()}`,
+      source: 'guardian',
+      severity: firstString(value.threat_level, value.threatLevel),
+    }));
+  return [...direct, ...citations, ...violations, ...reasons, ...reasoning, ...threatTypes]
+    .map((entry) => {
+      if (typeof entry === 'string') return { text: entry };
+      const object = asObject(entry);
+      if (!Object.keys(object).length) return null;
+      return {
+        id: firstString(object.id, object.ruleId, object.rule_id, object.code),
+        text: firstString(object.text, object.reason, object.message, object.description, object.title),
+        source: firstString(object.source, object.provider, object.policy),
+        severity: firstString(object.severity, object.level),
+        raw: object,
+      };
+    })
+    .filter(Boolean);
+}
+
+function extractPolicyDecision(input = {}) {
+  const event = asObject(input);
+  for (const candidate of [
+    event.policyDecision,
+    event.policy_decision,
+    event.guardrailResult,
+    event.guardrail_result,
+    event.result,
+  ]) {
+    const object = asObject(candidate);
+    if (Object.keys(object).length) return object;
+  }
+  return event;
+}
+
+function classifyPolicyDecision(input = {}) {
+  const value = extractPolicyDecision(input);
+  const token = normalizeDecisionToken(firstString(
+    value.decision,
+    value.action,
+    value.status,
+    value.result,
+    value.verdict,
+    value.outcome,
+    value.effect,
+    value.recommended_action,
+    value.recommendedAction,
+  ));
+
+  if (
+    value.allowed === false
+    || value.is_safe === false
+    || value.isSafe === false
+    || value.accepted === false
+    || value.blocked === true
+    || value.denied === true
+    || BLOCK_DECISIONS.has(token)
+  ) {
+    return 'block';
+  }
+  if (
+    value.requiresApproval === true
+    || value.requires_approval === true
+    || value.reviewRequired === true
+    || value.review_required === true
+    || REVIEW_DECISIONS.has(token)
+  ) {
+    return 'approval_required';
+  }
+  if (
+    value.allowed === true
+    || value.is_safe === true
+    || value.isSafe === true
+    || value.accepted === true
+    || ALLOW_DECISIONS.has(token)
+  ) {
+    return 'allow';
+  }
+  return 'unknown';
+}
+
+function normalizePolicyDecision(input = {}, options = {}) {
+  const value = extractPolicyDecision(input);
+  const decision = classifyPolicyDecision(value);
+  const source = firstString(
+    options.source,
+    value.source,
+    value.provider,
+    value.engine,
+    value.policyEngine,
+    value.policy_engine,
+    'policy-engine'
+  );
+  const reason = firstString(
+    value.reason,
+    value.message,
+    value.explanation,
+    value.summary,
+    asArray(value.reasoning).join('; '),
+    asArray(value.reasons).join('; '),
+    decision === 'unknown' ? 'Policy engine returned an unknown decision; approval required before execution.' : ''
+  );
+
+  return {
+    allowed: decision === 'allow',
+    blocked: decision === 'block',
+    approvalRequired: decision === 'approval_required' || decision === 'unknown',
+    decision,
+    reason,
+    source,
+    confidence: Number.isFinite(Number(value.confidence)) ? Number(value.confidence) : null,
+    policyId: firstString(value.policyId, value.policy_id, value.ruleId, value.rule_id, value.id),
+    severity: firstString(value.severity, value.level, value.threat_level, value.threatLevel),
+    score: Number.isFinite(Number(value.score))
+      ? Number(value.score)
+      : (Number.isFinite(Number(value.threat_score)) ? Number(value.threat_score) : null),
+    evidence: normalizeEvidence(value),
+    raw: value,
+  };
+}
+
+function normalizePolicyAction(input = {}) {
+  const event = asObject(input);
+  return {
+    ...normalizeProviderAction({
+      ...event,
+      provider: firstString(event.provider, event.agentRuntime, event.runtime, 'policy-engine'),
+      toolName: firstString(event.toolName, event.tool_name, event.name),
+      input: asObject(event.toolInput || event.input || event.arguments || event.args),
+    }),
+    policyContext: asObject(event.policyContext || event.policy_context),
+  };
+}
+
+function createPolicyEngineGuard({
+  policyCheck,
+  executeTool,
+  gateCheck,
+  onDecision,
+  source = 'policy-engine',
+} = {}) {
+  if (typeof policyCheck !== 'function') {
+    throw new TypeError('createPolicyEngineGuard requires a policyCheck function');
+  }
+  if (typeof executeTool !== 'function') {
+    throw new TypeError('createPolicyEngineGuard requires an executeTool function');
+  }
+
+  return async function guardedPolicyTool(input = {}) {
+    const normalizedAction = normalizePolicyAction(input);
+    const policyDecision = normalizePolicyDecision(await policyCheck(normalizedAction), { source });
+    const gateDecision = typeof gateCheck === 'function'
+      ? normalizePolicyDecision(await gateCheck({ normalizedAction, policyDecision }), { source: 'thumbgate' })
+      : null;
+    const effectiveDecision = gateDecision && !gateDecision.allowed ? gateDecision : policyDecision;
+
+    if (typeof onDecision === 'function') {
+      await onDecision({ normalizedAction, policyDecision, gateDecision, effectiveDecision });
+    }
+
+    if (!effectiveDecision.allowed) {
+      const error = new Error(effectiveDecision.reason || 'ThumbGate blocked this action before execution.');
+      error.code = effectiveDecision.approvalRequired ? 'THUMBGATE_APPROVAL_REQUIRED' : 'THUMBGATE_BLOCKED';
+      error.thumbgate = { normalizedAction, policyDecision, gateDecision, effectiveDecision };
+      throw error;
+    }
+
+    return executeTool(input, { normalizedAction, policyDecision, gateDecision, effectiveDecision });
+  };
+}
+
+module.exports = {
+  createPolicyEngineGuard,
+  extractPolicyDecision,
+  normalizePolicyAction,
+  normalizePolicyDecision,
+};