thumbgate 1.27.11 → 1.27.13

package/public/compare/arcjet.html

@@ -1,239 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-  <title>ThumbGate vs Arcjet | Agent-Outbound Gate Pairs With App-Inbound Firewall</title>
-  <meta name="description" content="Arcjet is a runtime SDK that protects your Node/Python application from inbound attacks (bots, rate-limit, prompt-injection, DLP). ThumbGate is a PreToolUse hook inside the AI coding agent that gates outbound tool calls before they fire. Different sides of the same agentic perimeter — use both at regulated firms." />
-  <meta property="og:title" content="ThumbGate vs Arcjet | Agent-Outbound Gate Pairs With App-Inbound Firewall" />
-  <meta property="og:description" content="Arcjet shields your application from what an agent might send IN. ThumbGate shields your engineering org from what the dev's AI coding agent might send OUT. Complementary, not competitive." />
-  <meta property="og:type" content="article" />
-  <meta property="og:url" content="https://thumbgate.ai/compare/arcjet" />
-  <link rel="canonical" href="https://thumbgate.ai/compare/arcjet" />
-  <link rel="llm-context" href="/llm-context.md" type="text/markdown" />
-  <link rel="icon" type="image/png" href="/thumbgate-icon.png" />
-  <link rel="apple-touch-icon" href="/assets/brand/thumbgate-mark.svg" />
-  <meta property="og:image" content="/og.png" />
-  <style>
-    :root { --bg: #0a0a0b; --bg-raised: #111113; --bg-card: #161618; --line: #222225; --text: #e8e8ec; --muted: #8b8b96; --cyan: #22d3ee; --green: #4ade80; --amber: #fbbf24; }
-    * { box-sizing: border-box; }
-    body { margin: 0; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; background: var(--bg); color: var(--text); line-height: 1.65; }
-    a { color: var(--cyan); text-decoration: none; }
-    a:hover { text-decoration: underline; }
-    .container { max-width: 980px; margin: 0 auto; padding: 0 24px; }
-    .topbar { position: sticky; top: 0; z-index: 20; backdrop-filter: blur(12px); background: rgba(10, 10, 11, 0.88); border-bottom: 1px solid var(--line); }
-    .topbar .container { display: flex; justify-content: space-between; align-items: center; padding-top: 14px; padding-bottom: 14px; }
-    .brand { font-weight: 700; color: var(--text); display: inline-flex; align-items: center; gap: 8px; text-decoration: none; }
-    .brand .logo-mark { width: 28px; height: 28px; display: block; }
-    .hero { padding: 72px 0 32px; }
-    .eyebrow { display: inline-flex; align-items: center; gap: 8px; padding: 6px 12px; border-radius: 999px; border: 1px solid rgba(34, 211, 238, 0.22); background: rgba(34, 211, 238, 0.1); color: var(--cyan); text-transform: uppercase; letter-spacing: 0.08em; font-size: 12px; font-weight: 700; }
-    h1 { font-size: clamp(34px, 5vw, 56px); line-height: 1.06; letter-spacing: -0.04em; margin: 16px 0; max-width: 860px; }
-    .hero p { max-width: 760px; color: var(--muted); font-size: 18px; }
-    .grid { display: grid; grid-template-columns: minmax(0, 2fr) minmax(280px, 1fr); gap: 24px; padding-bottom: 72px; }
-    .card, .detail-section, .sidebar-card { background: var(--bg-card); border: 1px solid var(--line); border-radius: 16px; }
-    .card { padding: 24px; }
-    .detail-section { padding: 24px; margin-bottom: 18px; }
-    .detail-section h2 { margin: 0 0 12px; font-size: 24px; letter-spacing: -0.03em; }
-    .detail-section p, .detail-section li, .sidebar-card p { color: var(--muted); }
-    .detail-section ul, .card ul { padding-left: 18px; color: var(--muted); }
-    .comparison-table { width: 100%; border-collapse: collapse; margin-top: 16px; font-size: 14px; }
-    .comparison-table th, .comparison-table td { border: 1px solid var(--line); padding: 12px; text-align: left; vertical-align: top; }
-    .comparison-table th { background: var(--bg-raised); color: var(--cyan); }
-    .pill-row { display: flex; flex-wrap: wrap; gap: 12px; margin-top: 24px; }
-    .pill { border: 1px solid var(--line); background: var(--bg-raised); border-radius: 999px; padding: 10px 14px; font-size: 14px; font-weight: 650; }
-    .pill.good { color: #b8f7c8; border-color: rgba(74, 222, 128, 0.28); background: rgba(74, 222, 128, 0.1); }
-    .pill.warn { color: #ffe2a4; border-color: rgba(251, 191, 36, 0.28); background: rgba(251, 191, 36, 0.1); }
-    .sidebar { display: flex; flex-direction: column; gap: 18px; }
-    .sidebar-card { padding: 20px; }
-    .sidebar-card:first-child { position: sticky; top: 84px; max-height: calc(100vh - 104px); overflow-y: auto; -webkit-overflow-scrolling: touch; }
-    .cta-button { display: inline-flex; align-items: center; justify-content: center; margin-top: 18px; padding: 12px 16px; border-radius: 10px; background: var(--cyan); color: #071116; font-weight: 700; text-decoration: none; }
-    .related-card { display: block; padding: 14px; border-radius: 12px; border: 1px solid var(--line); background: var(--bg-raised); margin-top: 12px; color: var(--text); }
-    .related-label { display: block; color: var(--muted); font-size: 12px; text-transform: uppercase; letter-spacing: 0.08em; margin-bottom: 4px; }
-    .faq-item { border-top: 1px solid var(--line); padding: 14px 0; }
-    .faq-item summary { cursor: pointer; font-weight: 600; }
-    .faq-item p { color: var(--muted); }
-    @media (max-width: 860px) { .grid { grid-template-columns: 1fr; } .sidebar-card:first-child { position: static; max-height: none; overflow: visible; } }
-  </style>
-  <script type="application/ld+json">
-{
-  "@context": "https://schema.org",
-  "@type": "TechArticle",
-  "headline": "ThumbGate vs Arcjet",
-  "description": "Arcjet is a runtime SDK that shields your Node/Python web application from inbound traffic — bots, rate-limit abuse, prompt-injection attempts, PII egress, WAF rules. ThumbGate is a PreToolUse hook inside the AI coding agent that gates outbound tool calls before they fire. Same agentic-perimeter story, opposite sides.",
-  "about": ["thumbgate vs arcjet", "AI agent security layer", "PreToolUse vs WAF SDK", "agent governance"],
-  "url": "https://thumbgate.ai/compare/arcjet",
-  "publisher": { "@type": "Organization", "name": "ThumbGate", "url": "https://thumbgate.ai" },
-  "mainEntityOfPage": "https://thumbgate.ai/compare/arcjet"
-}
-  </script>
-  <script type="application/ld+json">
-{
-  "@context": "https://schema.org",
-  "@type": "FAQPage",
-  "mainEntity": [
-    {
-      "@type": "Question",
-      "name": "Is Arcjet a ThumbGate competitor?",
-      "acceptedAnswer": {
-        "@type": "Answer",
-        "text": "No. They are adjacent on the agentic perimeter. Arcjet is a runtime SDK that installs in your Node, Python, Deno, or Bun web application and intercepts inbound traffic at the HTTP request entry — bot detection, rate-limit, prompt-injection in user input, PII detection, Shield WAF rules. It protects your application from what an external user or agent might send IN. ThumbGate runs at the PreToolUse hook inside an AI coding agent runtime (Claude Code, Cursor, Codex CLI, Gemini CLI, Amp, Cline, OpenCode, Claude Desktop) and intercepts the tool call the developer's agent is about to execute — bash, SQL, file write, MCP tool, outbound LLM call. It protects your engineering org from what the agent might send OUT. Different sides of the same perimeter."
-      }
-    },
-    {
-      "@type": "Question",
-      "name": "Can I use both Arcjet and ThumbGate?",
-      "acceptedAnswer": {
-        "@type": "Answer",
-        "text": "Yes. The integration shape is clean because the two products do not overlap: Arcjet runs as middleware in your production web servers; ThumbGate runs as a PreToolUse hook in your developers' agent runtimes. At a regulated firm, the dual-deploy story is: Arcjet enforces inbound rules on the application your customers and external agents reach. ThumbGate enforces outbound rules on the AI coding agents your engineers use. Neither layer can substitute for the other."
-      }
-    },
-    {
-      "@type": "Question",
-      "name": "Why doesn't Arcjet ship a PreToolUse hook for AI coding agents?",
-      "acceptedAnswer": {
-        "@type": "Answer",
-        "text": "Arcjet's product surface is application-side. Their SDK is designed to be added to a Next.js, Express, Fastify, Nuxt, or similar web framework. Their AI agent coverage is about protecting an application that hosts an AI agent (a chatbot, an MCP server, a tool-using endpoint) from external abuse. ThumbGate's product surface is the opposite end: inside the developer's IDE-agent process, before any tool call leaves the agent's memory. Two product surfaces, both correct, both needed."
-      }
-    },
-    {
-      "@type": "Question",
-      "name": "When would I pick ThumbGate over Arcjet?",
-      "acceptedAnswer": {
-        "@type": "Answer",
-        "text": "If the failure mode you are worried about is your AI coding agent running rm -rf in the wrong directory, force-pushing to main, dropping a table against staging-that-was-actually-prod, or sending a privileged document to an external LLM, ThumbGate is the layer. If the failure mode is your hosted application being scraped, prompt-injected, or rate-limit-abused by external traffic, Arcjet is the layer. Most firms with both kinds of risk install both."
-      }
-    },
-    {
-      "@type": "Question",
-      "name": "Does ThumbGate's PreToolUse hook overlap with Arcjet's prompt-injection detection?",
-      "acceptedAnswer": {
-        "@type": "Answer",
-        "text": "Different attack and different defender. Arcjet's prompt-injection detection inspects incoming user prompts to your hosted LLM endpoint and flags injection patterns before your model sees them. ThumbGate inspects the tool call your model decided to make after processing whatever input it received and blocks the call before the tool fires. One catches the attack on the way in; the other catches the consequence on the way out."
-      }
-    }
-  ]
-}
-  </script>
-</head>
-<body>
-  <header class="topbar">
-    <div class="container">
-      <a href="/" class="brand"><img src="/assets/brand/thumbgate-mark-inline.svg" alt="ThumbGate" class="logo-mark" width="28" height="28" /><span>ThumbGate</span></a>
-      <nav><a href="/learn">Learn</a> &nbsp; <a href="/pro">Pro</a> &nbsp; <a href="https://github.com/IgorGanapolsky/ThumbGate" target="_blank" rel="noopener">GitHub</a></nav>
-    </div>
-  </header>
-
-  <section class="hero">
-    <div class="container">
-      <span class="eyebrow">ThumbGate vs Arcjet</span>
-      <h1>One protects your app from inbound traffic. One protects your engineering org from outbound agent actions.</h1>
-      <p><strong>Arcjet</strong> is a runtime SDK that installs in your Node, Python, Deno, or Bun web application and intercepts inbound HTTP requests &mdash; bot detection, rate-limit, prompt-injection in user input, PII detection, Shield WAF rules. <strong>ThumbGate</strong> is a PreToolUse hook inside an AI coding agent (Claude Code, Cursor, Codex CLI, Gemini CLI, Sourcegraph Amp, Cline, OpenCode, Claude Desktop) that intercepts the tool call the developer's agent is about to execute &mdash; bash, SQL, file write, MCP, outbound LLM call. Different sides of the same agentic perimeter. Most regulated firms run both.</p>
-    </div>
-  </section>
-
-  <main class="container">
-    <div class="grid">
-      <div class="content">
-
-        <section class="detail-section">
-          <h2>Side-by-side scope comparison</h2>
-          <table class="comparison-table">
-            <thead>
-              <tr><th>Dimension</th><th>Arcjet</th><th>ThumbGate</th></tr>
-            </thead>
-            <tbody>
-              <tr><td><strong>Install surface</strong></td><td>Runtime SDK in your Node / Python / Deno / Bun web application</td><td>PreToolUse hook inside the developer's AI coding agent process</td></tr>
-              <tr><td><strong>Traffic direction</strong></td><td>Inbound &mdash; what reaches your application</td><td>Outbound &mdash; what the agent is about to do</td></tr>
-              <tr><td><strong>What it blocks</strong></td><td>Bots, rate-limit abuse, prompt-injection in user input, PII egress, WAF violations</td><td><code>rm -rf</code> traversal, destructive SQL against non-test, <code>git push --force</code>, MCP tool calls to untrusted hosts, secret-carrying file writes</td></tr>
-              <tr><td><strong>Framework coverage</strong></td><td>Next.js, Express, Fastify, NestJS, Nuxt, Astro, React Router, Remix, SvelteKit, Bun, Deno, Python</td><td>Claude Code, Cursor, OpenAI Codex CLI, Google Gemini CLI, Sourcegraph Amp, Cline, OpenCode, Claude Desktop</td></tr>
-              <tr><td><strong>Decision boundary</strong></td><td>HTTP request middleware in your web server</td><td>PreToolUse hook in the agent runtime, before tool API fires</td></tr>
-              <tr><td><strong>AI in the gate?</strong></td><td>No (Arcjet ships deterministic rules + their <em>Shield</em> WAF; prompt-injection detection is pattern-based)</td><td>No (deterministic PreToolUse rule match + lesson DB; no model in the enforcement path)</td></tr>
-              <tr><td><strong>Lesson promotion from feedback</strong></td><td>No &mdash; rules are configured by the developer</td><td>Yes &mdash; thumbs-down on a bad tool call promotes to a prevention rule via Thompson Sampling</td></tr>
-              <tr><td><strong>Best alongside</strong></td><td>ThumbGate at the dev-agent layer</td><td>Arcjet at the application-inbound layer</td></tr>
-            </tbody>
-          </table>
-        </section>
-
-        <section class="detail-section">
-          <h2>The shared architectural insight</h2>
-          <p>Both products land on the same core decision: <strong>the gate runs deterministically, in your runtime, with no LLM in the enforcement path</strong>. Arcjet says it about their Shield WAF and rate-limit rules. ThumbGate says it about the PreToolUse hook. Neither product asks an external "judge model" to decide if an action is safe &mdash; both run pattern-match + policy logic in-process, which is what makes them auditable, cheap, and survivable under load.</p>
-          <p>The vendors who put an LLM in the enforcement path lose on three axes at once: <em>latency</em> (every request waits for a model call), <em>cost</em> (every request pays for inference), and <em>auditability</em> (the model's decision is non-deterministic, so an audit log of "the model said it was fine" is not a defense). Arcjet and ThumbGate independently arrived at the same posture from opposite ends of the perimeter.</p>
-        </section>
-
-        <section class="detail-section">
-          <h2>The dual-deploy story for a regulated firm</h2>
-          <p>Take a fintech or law firm running its own customer-facing application <em>and</em> developing it with AI coding agents:</p>
-          <ul>
-            <li><strong>Arcjet on the customer-facing app.</strong> Bot detection on the signup endpoint, rate-limit on the chat endpoint, prompt-injection scoring on incoming user messages, PII detection on form submissions, WAF rules on every route.</li>
-            <li><strong>ThumbGate on the engineering team's AI coding agents.</strong> PreToolUse rules block destructive shell, enforce per-repo scope on the agent's tool calls, prevent privileged customer data from being sent to external LLMs during dev workflows, and turn each incident into a prevention rule the next sprint inherits automatically.</li>
-          </ul>
-          <p>Neither layer overlaps with the other. Together they cover both the application's attack surface and the developer-agent's action surface &mdash; which is what <a href="/ai-malpractice-prevention">our /ai-malpractice-prevention</a> page describes for the legal-vertical case.</p>
-        </section>
-
-        <section class="detail-section">
-          <h2>FAQ</h2>
-          <details class="faq-item" open>
-            <summary>Does Arcjet have a PreToolUse hook?</summary>
-            <p>Not at the IDE-agent layer. Arcjet's "For Agents" surface (MCP server support, Arcjet Guards, Plugin, Skills, AI app protection) protects an application that <em>hosts</em> an AI agent &mdash; a chatbot endpoint, an MCP server, a tool-using API &mdash; from external misuse. ThumbGate runs upstream of that, inside the developer's coding agent before any tool call leaves the agent's memory.</p>
-          </details>
-          <details class="faq-item">
-            <summary>Where does each one log evidence?</summary>
-            <p>Arcjet emits decisions to your application's logging pipeline and the Arcjet dashboard for analytics. ThumbGate writes structured allow/warn/block decisions to a local lesson DB and (optionally on the Pro tier) syncs anonymized rule patterns to a hosted evidence dashboard. Both are SIEM-pluggable.</p>
-          </details>
-          <details class="faq-item">
-            <summary>Can ThumbGate enforce policy on the application Arcjet protects?</summary>
-            <p>No, and that is the point. ThumbGate runs in the dev's local agent runtime, not in the production web server. If an attacker hits your production app, Arcjet is the layer that sees the request first. If your AI coding agent is about to push to production, ThumbGate is the layer that sees the action first.</p>
-          </details>
-          <details class="faq-item">
-            <summary>Pricing &mdash; what tier do I need from each?</summary>
-            <p>Arcjet has a free tier and paid tiers for production volume (see <a href="https://arcjet.com/pricing" target="_blank" rel="noopener">arcjet.com/pricing</a>). ThumbGate ships an open-source free tier with the full PreToolUse engine and prevention-rule promotion; Pro/Team adds hosted evidence sync, adapter coverage for all eight agent runtimes, and the audit-export endpoint we ship to procurement teams. The two pricing decisions are independent.</p>
-          </details>
-          <details class="faq-item">
-            <summary>Is this comparison sponsored or partnered?</summary>
-            <p>No. We don't have a partnership with Arcjet. We wrote this page because the same prospects evaluate both vendors &mdash; we want them to choose by scope, not by confusion. If anything here misrepresents Arcjet, open an issue at <a href="https://github.com/IgorGanapolsky/ThumbGate/issues" target="_blank" rel="noopener">our repo</a> and we will correct it.</p>
-          </details>
-        </section>
-
-      </div>
-
-      <aside class="sidebar">
-        <div class="sidebar-card">
-          <span class="related-label">Install ThumbGate</span>
-          <p style="font-size: 14px;">Get PreToolUse rules running in your dev's AI coding agent in two minutes.</p>
-          <a class="cta-button" href="https://github.com/IgorGanapolsky/ThumbGate" target="_blank" rel="noopener">npx thumbgate init &rarr;</a>
-        </div>
-
-        <div class="sidebar-card">
-          <span class="related-label">Try Arcjet too</span>
-          <p style="font-size: 13px;">If you need an application-inbound firewall, install Arcjet on the same project. <a href="https://docs.arcjet.com/" target="_blank" rel="noopener">docs.arcjet.com</a></p>
-        </div>
-
-        <div class="sidebar-card">
-          <span class="related-label">Related comparisons</span>
-          <a class="related-card" href="/compare/anthropic-containment">
-            <strong>ThumbGate vs Anthropic's Claude Containment</strong><br>
-            <span style="color: var(--muted); font-size: 13px;">IDE-agent extension of Anthropic's published architecture</span>
-          </a>
-          <a class="related-card" href="/compare/bumblebee">
-            <strong>ThumbGate vs Bumblebee</strong><br>
-            <span style="color: var(--muted); font-size: 13px;">Runtime enforcement vs Perplexity's static MCP inventory</span>
-          </a>
-          <a class="related-card" href="/compare/oak-and-sparrow-gatekeeper">
-            <strong>ThumbGate vs Gatekeeper (Oak &amp; Sparrow)</strong><br>
-            <span style="color: var(--muted); font-size: 13px;">Agent-action gate vs workforce-input gate</span>
-          </a>
-          <a class="related-card" href="/compare/anthropic-claude-for-legal">
-            <strong>ThumbGate vs Claude for Legal</strong><br>
-            <span style="color: var(--muted); font-size: 13px;">Runtime feedback-to-enforcement loop underneath Anthropic's legal bundle</span>
-          </a>
-        </div>
-
-        <div class="sidebar-card">
-          <span class="related-label">Sources</span>
-          <p style="font-size: 13px;">Arcjet product facts from <a href="https://docs.arcjet.com/" target="_blank" rel="noopener">docs.arcjet.com</a> and The New Stack's <a href="https://thenewstack.io/arcjet-wafs-guards-ai-agents-security/" target="_blank" rel="noopener">"The attack surface moved inside the agent. So did Arcjet."</a> as of 2026-05-27. If anything here misrepresents Arcjet, open an issue at <a href="https://github.com/IgorGanapolsky/ThumbGate/issues" target="_blank" rel="noopener">our repo</a> and we will correct it.</p>
-        </div>
-      </aside>
-    </div>
-  </main>
-</body>
-</html>

package/public/compare/bumblebee.html

@@ -1,307 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-<meta charset="UTF-8" />
-<meta name="viewport" content="width=device-width, initial-scale=1.0" />
-<title>ThumbGate vs Bumblebee | Runtime Enforcement Pairs With Static Inventory</title>
-<meta name="description" content="Perplexity's Bumblebee scans developer machines for installed MCP configs, extensions, and packages. ThumbGate blocks those installed agents from running bad tool calls at runtime. Same supply-chain surface — different halves of the answer. Use both." />
-<meta property="og:title" content="ThumbGate vs Bumblebee | Runtime Enforcement Pairs With Static Inventory" />
-<meta property="og:description" content="Bumblebee tells you what AI agents and MCP servers are wired up. ThumbGate stops those wired-up agents from doing bad things. Complementary, not competitive." />
-<meta property="og:type" content="article" />
-<meta property="og:url" content="https://thumbgate.ai/compare/bumblebee" />
-<link rel="canonical" href="https://thumbgate.ai/compare/bumblebee" />
-<link rel="llm-context" href="/llm-context.md" type="text/markdown" />
-<link rel="icon" type="image/png" href="/thumbgate-icon.png" />
-<link rel="apple-touch-icon" href="/assets/brand/thumbgate-mark.svg" />
-<meta property="og:image" content="/og.png" />
-<style>
-  :root { --bg: #0a0a0b; --bg-raised: #111113; --bg-card: #161618; --line: #222225; --text: #e8e8ec; --muted: #8b8b96; --cyan: #22d3ee; --green: #4ade80; --amber: #fbbf24; }
-  * { box-sizing: border-box; }
-  body { margin: 0; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; background: var(--bg); color: var(--text); line-height: 1.65; }
-  a { color: var(--cyan); text-decoration: none; }
-  a:hover { text-decoration: underline; }
-  .container { max-width: 980px; margin: 0 auto; padding: 0 24px; }
-  .topbar { position: sticky; top: 0; z-index: 20; backdrop-filter: blur(12px); background: rgba(10, 10, 11, 0.88); border-bottom: 1px solid var(--line); }
-  .topbar .container { display: flex; justify-content: space-between; align-items: center; padding-top: 14px; padding-bottom: 14px; }
-  .brand { font-weight: 700; color: var(--text); display: inline-flex; align-items: center; gap: 8px; text-decoration: none; }
-  .brand .logo-mark { width: 28px; height: 28px; display: block; }
-  .hero { padding: 72px 0 32px; }
-  .eyebrow { display: inline-flex; align-items: center; gap: 8px; padding: 6px 12px; border-radius: 999px; border: 1px solid rgba(34, 211, 238, 0.22); background: rgba(34, 211, 238, 0.1); color: var(--cyan); text-transform: uppercase; letter-spacing: 0.08em; font-size: 12px; font-weight: 700; }
-  h1 { font-size: clamp(34px, 5vw, 56px); line-height: 1.06; letter-spacing: -0.04em; margin: 16px 0; max-width: 820px; }
-  .hero p { max-width: 760px; color: var(--muted); font-size: 18px; }
-  .grid { display: grid; grid-template-columns: minmax(0, 2fr) minmax(280px, 1fr); gap: 24px; padding-bottom: 72px; }
-  .card, .detail-section, .sidebar-card { background: var(--bg-card); border: 1px solid var(--line); border-radius: 16px; }
-  .card { padding: 24px; }
-  .detail-section { padding: 24px; margin-bottom: 18px; }
-  .detail-section h2 { margin: 0 0 12px; font-size: 24px; letter-spacing: -0.03em; }
-  .detail-section p, .detail-section li, .sidebar-card p { color: var(--muted); }
-  .detail-section ul, .card ul { padding-left: 18px; color: var(--muted); }
-  .comparison-table { width: 100%; border-collapse: collapse; margin-top: 16px; font-size: 14px; }
-  .comparison-table th, .comparison-table td { border: 1px solid var(--line); padding: 12px; text-align: left; vertical-align: top; }
-  .comparison-table th { background: var(--bg-raised); color: var(--cyan); }
-  .pill-row { display: flex; flex-wrap: wrap; gap: 12px; margin-top: 24px; }
-  .pill { border: 1px solid var(--line); background: var(--bg-raised); border-radius: 999px; padding: 10px 14px; font-size: 14px; font-weight: 650; }
-  .pill.good { color: #b8f7c8; border-color: rgba(74, 222, 128, 0.28); background: rgba(74, 222, 128, 0.1); }
-  .pill.warn { color: #ffe2a4; border-color: rgba(251, 191, 36, 0.28); background: rgba(251, 191, 36, 0.1); }
-  .sidebar { display: flex; flex-direction: column; gap: 18px; }
-  .sidebar-card { padding: 20px; }
-  .sidebar-card:first-child { position: sticky; top: 84px; max-height: calc(100vh - 104px); overflow-y: auto; -webkit-overflow-scrolling: touch; }
-  .cta-button { display: inline-flex; align-items: center; justify-content: center; margin-top: 18px; padding: 12px 16px; border-radius: 10px; background: var(--cyan); color: #071116; font-weight: 700; text-decoration: none; }
-  .related-card { display: block; padding: 14px; border-radius: 12px; border: 1px solid var(--line); background: var(--bg-raised); margin-top: 12px; color: var(--text); }
-  .related-label { display: block; color: var(--muted); font-size: 12px; text-transform: uppercase; letter-spacing: 0.08em; margin-bottom: 4px; }
-  .faq-item { border-top: 1px solid var(--line); padding: 14px 0; }
-  .faq-item summary { cursor: pointer; font-weight: 600; }
-  .faq-item p { color: var(--muted); }
-  @media (max-width: 860px) { .grid { grid-template-columns: 1fr; } .sidebar-card:first-child { position: static; max-height: none; overflow: visible; } }
-</style>
-<script type="application/ld+json">
-{
-  "@context": "https://schema.org",
-  "@type": "TechArticle",
-  "headline": "ThumbGate vs Bumblebee",
-  "description": "Perplexity's Bumblebee is a read-only scanner that inventories MCP configs, editor extensions, and package lockfiles on developer machines. ThumbGate is a runtime PreToolUse firewall that blocks AI agents from making bad tool calls. Same supply-chain surface, different halves of the answer.",
-  "about": ["thumbgate vs bumblebee", "AI agent supply chain security", "MCP config inventory vs runtime enforcement", "PreToolUse hooks vs static scan"],
-  "url": "https://thumbgate.ai/compare/bumblebee",
-  "publisher": { "@type": "Organization", "name": "ThumbGate", "url": "https://thumbgate.ai" },
-  "mainEntityOfPage": "https://thumbgate.ai/compare/bumblebee"
-}
-</script>
-<script type="application/ld+json">
-{
-  "@context": "https://schema.org",
-  "@type": "FAQPage",
-  "mainEntity": [
-    {
-      "@type": "Question",
-      "name": "Is Bumblebee a ThumbGate competitor?",
-      "acceptedAnswer": {
-        "@type": "Answer",
-        "text": "No. Different layers of the same supply-chain story. Bumblebee (open-sourced by Perplexity 2026-05-23) is a static read-only scanner that inventories what is installed on a developer machine: MCP host configs, editor extensions, browser extensions, and package lockfiles across npm, PyPI, Go modules, RubyGems, and Composer. It answers 'when an advisory drops, which of my dev machines have the bad version installed right now?' ThumbGate is a runtime PreToolUse firewall that intercepts AI agent tool calls before they execute. Bumblebee tells you what an agent CAN reach; ThumbGate tells the agent what it CANNOT do with that reach. Use both."
-      }
-    },
-    {
-      "@type": "Question",
-      "name": "Can I use Bumblebee and ThumbGate together?",
-      "acceptedAnswer": {
-        "@type": "Answer",
-        "text": "Yes, and they compose cleanly. Bumblebee runs as a single Go binary on macOS and Linux, emits NDJSON to stdout, and exits — zero overlap with anything ThumbGate hooks. ThumbGate runs as the PreToolUse layer inside Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode, and Claude Desktop. Common dual-use pattern: run Bumblebee weekly to inventory which MCP servers are wired into each dev's agents, then use ThumbGate to enforce rules against the tool calls those wired-up agents try to make."
-      }
-    },
-    {
-      "@type": "Question",
-      "name": "Does ThumbGate ingest Bumblebee's NDJSON output?",
-      "acceptedAnswer": {
-        "@type": "Answer",
-        "text": "Not yet at the time of writing. Bumblebee's NDJSON format (one component record per line, scan_summary terminator) is well-suited to feed ThumbGate's agent-manager inventory. A `thumbgate import-bumblebee scan.ndjson` command is on the near-term roadmap. If you want it sooner, open an issue at github.com/IgorGanapolsky/ThumbGate."
-      }
-    },
-    {
-      "@type": "Question",
-      "name": "Bumblebee is from Perplexity. Why should I also use ThumbGate?",
-      "acceptedAnswer": {
-        "@type": "Answer",
-        "text": "Because Bumblebee answers a discovery question and ThumbGate answers an enforcement question. Bumblebee tells you 'developer machine X has Cursor wired to MCP server Y, which has the npm package Z installed and Z is on the malicious advisory list.' That is decision-grade information for incident response. ThumbGate's PreToolUse hook fires every time Cursor tries to invoke a tool on that machine and can block, replace, or log the call before it executes. Bumblebee is the X-ray; ThumbGate is the airport-security gate. Both, ideally."
-      }
-    }
-  ]
-}
-</script>
-</head>
-<body>
-<div class="topbar">
-  <div class="container">
-    <a class="brand" href="/"><img src="/assets/brand/thumbgate-mark-inline.svg" alt="ThumbGate" class="logo-mark" width="28" height="28"><span class="logo-text">ThumbGate</span></a>
-    <a href="https://github.com/IgorGanapolsky/ThumbGate/blob/main/docs/VERIFICATION_EVIDENCE.md" target="_blank" rel="noopener">Verification evidence</a>
-  </div>
-</div>
-
-<section class="hero">
-  <div class="container">
-    <span class="eyebrow">ThumbGate vs Bumblebee</span>
-    <h1>Bumblebee tells you what's installed. ThumbGate stops what's installed from doing bad things.</h1>
-    <p><strong>Bumblebee</strong> (open-sourced by <a href="https://www.perplexity.ai/hub/blog/perplexity-is-open-sourcing-bumblebee" target="_blank" rel="noopener">Perplexity on 2026-05-23</a>) is a read-only scanner that inventories MCP configs, editor extensions, browser extensions, and package lockfiles on developer endpoints. <strong>ThumbGate</strong> is the runtime PreToolUse firewall that blocks the agents Bumblebee discovered from executing bad tool calls. Different layers of the same supply-chain story. Use both.</p>
-    <div class="pill-row">
-      <span class="pill">Both open source</span>
-      <span class="pill">Both local-first</span>
-      <span class="pill">Both target the MCP/AI-agent surface</span>
-      <span class="pill good">Zero overlap</span>
-    </div>
-  </div>
-</section>
-
-<div class="container grid">
-  <main>
-    <article class="detail-section">
-      <h2>Side-by-side feature comparison</h2>
-      <table class="comparison-table">
-        <thead>
-          <tr>
-            <th>Capability</th>
-            <th>Bumblebee</th>
-            <th>ThumbGate</th>
-          </tr>
-        </thead>
-        <tbody>
-          <tr>
-            <td>What it does</td>
-            <td>Static read-only inventory of on-disk metadata</td>
-            <td>Runtime PreToolUse enforcement on AI agent tool calls</td>
-          </tr>
-          <tr>
-            <td>When it runs</td>
-            <td>On demand: weekly baseline, project scan, or deep incident-response sweep</td>
-            <td>Every tool call an agent attempts, in real time, before execution</td>
-          </tr>
-          <tr>
-            <td>What it covers</td>
-            <td>MCP host configs, editor extensions (VS Code family), browser extensions (Chromium + Firefox), npm/pnpm/Yarn/Bun, PyPI, Go modules, RubyGems, Composer lockfiles</td>
-            <td>Tool calls inside Claude Code, Cursor, OpenAI Codex CLI, Google Gemini CLI, Sourcegraph Amp, Cline, OpenCode, Claude Desktop (via MCP)</td>
-          </tr>
-          <tr>
-            <td>What it blocks</td>
-            <td>Nothing — pure observation. Read-only by design (no execution, no package-manager calls)</td>
-            <td>The actual tool call. Bash, file write, MCP tool, HTTP fetch — gate fires before the side effect</td>
-          </tr>
-          <tr>
-            <td>Output format</td>
-            <td>NDJSON to stdout, scan_summary terminator, pipeable into jq / SIEM / agentic workflows</td>
-            <td>Block/allow decision + audit log entry per gate firing. DPO preference pairs for fine-tuning</td>
-          </tr>
-          <tr>
-            <td>Distribution</td>
-            <td>Single Go binary (zero non-stdlib deps). <code>go install github.com/perplexityai/bumblebee/cmd/bumblebee@latest</code></td>
-            <td>npm package: <code>npx thumbgate init</code></td>
-          </tr>
-          <tr>
-            <td>Platforms</td>
-            <td>macOS, Linux</td>
-            <td>macOS, Linux, Windows (Node.js &gt;=18.18)</td>
-          </tr>
-          <tr>
-            <td>License</td>
-            <td>Apache 2.0</td>
-            <td>MIT (npm package); Pro/Team are hosted services</td>
-          </tr>
-          <tr>
-            <td>Built by</td>
-            <td>Perplexity AI (used internally to protect Perplexity dev machines behind their search product, Comet browser, and Computer AI agent)</td>
-            <td>Independent (MIT-licensed open source + hosted Pro/Team services)</td>
-          </tr>
-        </tbody>
-      </table>
-    </article>
-
-    <article class="detail-section">
-      <h2>Pick Bumblebee for</h2>
-      <ul>
-        <li>Supply-chain incident response: an advisory drops, you need to know which dev machines have the bad version installed RIGHT NOW.</li>
-        <li>MCP config inventory: which AI assistants on which machines are wired to which MCP servers, and which of those servers carry credentials in their env blocks.</li>
-        <li>Weekly baseline snapshots of dev-machine state, centralized so future incident response is a search instead of a phone call.</li>
-        <li>You want a single read-only Go binary that does not execute install scripts or trigger package managers.</li>
-      </ul>
-      <p>Bumblebee is the first open-source scanner to treat MCP configuration files as a first-class security surface. That's a genuinely new contribution to the supply-chain category and the right tool for the inventory job. Recommend installing it regardless of whether you use ThumbGate.</p>
-    </article>
-
-    <article class="detail-section">
-      <h2>Pick ThumbGate for</h2>
-      <ul>
-        <li>Stopping agent mistakes before they execute: bad bash, destructive DB query, unauthorized file write, privilege-violating LLM call.</li>
-        <li>Cross-agent enforcement: the same prevention rule fires inside Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode, and Claude Desktop with one config.</li>
-        <li>Operator-feedback learning: thumbs-down on a bad output becomes a real Pre-Action Check that blocks the repeat next time, with precision/recall gating before any rule auto-promotes.</li>
-        <li>Hosted lesson sync, dashboard, DPO export, adapter matrix maintenance, 24×7 ops on the rule engine (Pro/Team tiers).</li>
-      </ul>
-    </article>
-
-    <article class="detail-section">
-      <h2>The integration story: discovery feeds enforcement</h2>
-      <p>Bumblebee scan output looks like:</p>
-      <pre style="background: var(--bg-raised); border: 1px solid var(--line); border-radius: 8px; padding: 14px; overflow: auto; font-size: 13px; color: var(--soft);">{"kind":"mcp_server","host":"claude-code","name":"github","command":"npx","args":["-y","@modelcontextprotocol/server-github"],"env_keys":["GITHUB_TOKEN"]}
-{"kind":"mcp_server","host":"cursor","name":"linear","command":"npx","args":["@linear/mcp-server"],"env_keys":["LINEAR_API_KEY"]}
-{"kind":"npm_package","manifest":"package.json","name":"some-vulnerable-pkg","version":"1.2.3"}
-{"kind":"scan_summary","components":847,"duration_ms":1240}</pre>
-      <p>ThumbGate's agent-manager treats each <code>mcp_server</code> record as an attack-surface entry that gates can be written against. Each <code>npm_package</code> entry on the advisory list can become a check that blocks any agent tool call referencing it.</p>
-      <p>A first-pass integration is on the near-term roadmap: <code>thumbgate import-bumblebee scan.ndjson</code> will load Bumblebee inventory into ThumbGate's agent inventory + auto-seed gates from CVE-flagged components. Open an issue at <a href="https://github.com/IgorGanapolsky/ThumbGate/issues" target="_blank" rel="noopener">github.com/IgorGanapolsky/ThumbGate</a> if you want it sooner than later.</p>
-    </article>
-
-    <article class="detail-section">
-      <h2>FAQ</h2>
-      <details class="faq-item" open>
-        <summary>Is Bumblebee a ThumbGate competitor?</summary>
-        <p>No. Bumblebee answers 'what is installed on this dev machine right now' (static inventory). ThumbGate answers 'what is this agent about to do, and should we allow it' (runtime enforcement). Same supply-chain category, different halves of the answer. Use both.</p>
-      </details>
-      <details class="faq-item">
-        <summary>Can I use them together?</summary>
-        <p>Yes, and they compose cleanly with zero overlap. Bumblebee is a one-shot Go binary that scans and exits. ThumbGate is a persistent PreToolUse hook in every agent runtime you use. They don't see each other; they don't need to. The integration value is in feeding Bumblebee's MCP inventory into ThumbGate's agent dashboard so you can write gates against actual installed servers.</p>
-      </details>
-      <details class="faq-item">
-        <summary>Does ThumbGate already ingest Bumblebee output?</summary>
-        <p>Not yet. Bumblebee released 2026-05-23; the import command is on the near-term roadmap. NDJSON is a clean fit so the integration will land as a small CLI subcommand rather than a heavy adapter.</p>
-      </details>
-      <details class="faq-item">
-        <summary>Why should I use ThumbGate if Perplexity made Bumblebee?</summary>
-        <p>Bumblebee is read-only by design — it cannot block anything. Perplexity ships it to inventory developer machines, not to enforce policy on agent tool calls. ThumbGate fills the enforcement layer Bumblebee deliberately leaves to other tools. The two ship without conflict and your security posture is better with both than either alone.</p>
-      </details>
-      <details class="faq-item">
-        <summary>Where do I start?</summary>
-        <p>Both can install in under 60 seconds. Bumblebee: <code>go install github.com/perplexityai/bumblebee/cmd/bumblebee@latest</code> then <code>bumblebee self-test</code>. ThumbGate: <code>npx thumbgate init</code>. Run Bumblebee weekly for inventory; let ThumbGate run continuously inside your agent.</p>
-      </details>
-    </article>
-  </main>
-
-  <aside class="sidebar">
-    <div class="sidebar-card">
-      <h3 style="margin: 0 0 8px;">Install ThumbGate free</h3>
-      <p>10 captures/day, 3 active rules, PreToolUse blocking across Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode, Claude Desktop.</p>
-      <pre style="background: var(--bg-raised); border: 1px solid var(--line); border-radius: 8px; padding: 12px; font-size: 13px; overflow: auto;">npx thumbgate init</pre>
-      <a class="cta-button" href="/pricing">See Pro vs Team pricing →</a>
-      <p style="font-size: 12px; margin-top: 16px;">MIT licensed. No telemetry without opt-in. <code>THUMBGATE_NO_TELEMETRY=1</code> disables.</p>
-    </div>
-
-    <div class="sidebar-card">
-      <span class="related-label">Install Bumblebee too</span>
-      <p style="font-size: 13px;">Bumblebee is a great companion tool, not a competitor. Inventories on-disk MCP configs + extensions + lockfiles in read-only NDJSON.</p>
-      <pre style="background: var(--bg-raised); border: 1px solid var(--line); border-radius: 8px; padding: 10px; font-size: 12px; overflow: auto;">go install github.com/perplexityai/bumblebee/cmd/bumblebee@latest
-bumblebee self-test
-bumblebee scan profile baseline</pre>
-    </div>
-
-    <div class="sidebar-card">
-      <span class="related-label">Related comparisons</span>
-      <a class="related-card" href="/compare/anthropic-containment">
-        <strong>ThumbGate vs Anthropic's Claude Containment</strong><br>
-        <span style="color: var(--muted); font-size: 13px;">IDE-agent extension of Anthropic's published architecture</span>
-      </a>
-      <a class="related-card" href="/compare/claude-code-hooks">
-        <strong>ThumbGate vs claude-code-hooks</strong><br>
-        <span style="color: var(--muted); font-size: 13px;">Hosted sync vs local shell scripts</span>
-      </a>
-      <a class="related-card" href="/compare/heidi">
-        <strong>ThumbGate vs HEIDI</strong><br>
-        <span style="color: var(--muted); font-size: 13px;">Agent behavior vs dependency CVE scanning</span>
-      </a>
-      <a class="related-card" href="/compare/mem0">
-        <strong>ThumbGate vs Mem0</strong><br>
-        <span style="color: var(--muted); font-size: 13px;">Enforcement gates vs long-term agent memory</span>
-      </a>
-      <a class="related-card" href="/compare/oak-and-sparrow-gatekeeper">
-        <strong>ThumbGate vs Gatekeeper (Oak &amp; Sparrow)</strong><br>
-        <span style="color: var(--muted); font-size: 13px;">Agent-action gate vs workforce-input gate</span>
-      </a>
-      <a class="related-card" href="/compare/arcjet">
-        <strong>ThumbGate vs Arcjet</strong><br>
-        <span style="color: var(--muted); font-size: 13px;">Agent-outbound gate vs app-inbound firewall</span>
-      </a>
-      <a class="related-card" href="/compare/anthropic-claude-for-legal">
-        <strong>ThumbGate vs Claude for Legal</strong><br>
-        <span style="color: var(--muted); font-size: 13px;">Runtime feedback-to-enforcement loop underneath Anthropic's legal bundle</span>
-      </a>
-    </div>
-
-    <div class="sidebar-card">
-      <span class="related-label">Sources</span>
-      <p style="font-size: 13px;">Bumblebee data from <a href="https://github.com/perplexityai/bumblebee" target="_blank" rel="noopener">github.com/perplexityai/bumblebee</a> README, <a href="https://www.perplexity.ai/hub/blog/perplexity-is-open-sourcing-bumblebee" target="_blank" rel="noopener">Perplexity's release announcement</a>, and <a href="https://devops.com/perplexity-bumblebee-shakes-loose-hidden-threats-on-dev-desktops/" target="_blank" rel="noopener">DevOps.com coverage</a>. If anything here misrepresents Bumblebee, open an issue at <a href="https://github.com/IgorGanapolsky/ThumbGate/issues" target="_blank" rel="noopener">our repo</a> and we'll correct it.</p>
-    </div>
-  </aside>
-</div>
-</body>
-</html>