thumbgate 1.27.11 → 1.27.13

package/public/learn.html

@@ -115,18 +115,6 @@
       {
         "@type": "ListItem",
         "position": 13,
-        "url": "https://thumbgate.ai/learn/anthropomorphic-claim-gates",
-        "name": "Anthropomorphic Claim Gates for AI Agents"
-      },
-      {
-        "@type": "ListItem",
-        "position": 14,
-        "url": "https://thumbgate.ai/learn/agent-identity-connector-governance",
-        "name": "Agent Identity and Connector Governance"
-      },
-      {
-        "@type": "ListItem",
-        "position": 15,
         "url": "https://thumbgate.ai/learn/pretix-stripe-connect-marketplaces",
         "name": "Building a Pretix + Stripe Connect Plugin for Live-Music Venues"
       },
@@ -157,42 +145,54 @@
       {
         "@type": "ListItem",
         "position": 10,
+        "url": "https://thumbgate.ai/guides/hermes-agent-guardrails",
+        "name": "Hermes Agent Guardrails for Self-Improving Agents"
+      },
+      {
+        "@type": "ListItem",
+        "position": 11,
+        "url": "https://thumbgate.ai/guides/agent-context-governance",
+        "name": "Agent Context Governance for Long-Running Agents"
+      },
+      {
+        "@type": "ListItem",
+        "position": 12,
         "url": "https://thumbgate.ai/guides/roo-code-alternative-cline",
         "name": "Roo Code Alternative: Migrating to Cline with Portable Lesson Memory"
       },
       {
         "@type": "ListItem",
-        "position": 11,
+        "position": 13,
         "url": "https://thumbgate.ai/guides/browser-automation-safety",
         "name": "Browser Automation Safety for AI Agents"
       },
       {
         "@type": "ListItem",
-        "position": 12,
+        "position": 14,
         "url": "https://thumbgate.ai/guides/native-messaging-host-security",
         "name": "Native Messaging Host Security"
       },
       {
         "@type": "ListItem",
-        "position": 13,
+        "position": 15,
         "url": "https://thumbgate.ai/guides/ai-search-topical-presence",
         "name": "AI Search Topical Presence"
       },
       {
         "@type": "ListItem",
-        "position": 14,
+        "position": 16,
         "url": "https://thumbgate.ai/guides/relational-knowledge-ai-recommendations",
         "name": "Relational Knowledge in AI Recommendations"
       },
       {
         "@type": "ListItem",
-        "position": 15,
+        "position": 17,
         "url": "https://thumbgate.ai/guides/ai-deployment-readiness",
         "name": "AI Deployment Readiness Before Production Rollout"
       },
       {
         "@type": "ListItem",
-        "position": 16,
+        "position": 18,
         "url": "https://thumbgate.ai/guides/database-agent-safety",
         "name": "Database Safety for AI Agents"
       }
@@ -290,7 +290,7 @@
 <body>
 
 <nav>
-  <a href="/" class="brand"><img src="/assets/brand/thumbgate-mark-inline.svg" alt="ThumbGate" class="logo-mark" width="28" height="28"><span class="logo-text">ThumbGate</span></a>
+  <a href="/" class="brand"><img src="/assets/brand/thumbgate-mark-inline-v3.svg" alt="ThumbGate" class="logo-mark" width="28" height="28"><span class="logo-text">ThumbGate</span></a>
   <a href="/guide">Setup Guide</a>
   <a href="/learn">Learn</a>
   <a href="/dashboard">Dashboard</a>
@@ -421,22 +421,6 @@
       <span class="article-tag">Cost Control</span>
     </a>
 
-    <a href="/learn/anthropomorphic-claim-gates" class="article-card">
-      <h3>Anthropomorphic Claim Gates for AI Agents</h3>
-      <p>Do not let an agent say a model understands, knows, decides, or behaves human-like unless it can show the measurement criteria and evidence behind that claim.</p>
-      <span class="article-tag">Claim Verification</span>
-      <span class="article-tag">Research</span>
-      <span class="article-tag">Proof Gates</span>
-    </a>
-
-    <a href="/learn/agent-identity-connector-governance" class="article-card">
-      <h3>Agent Identity and Connector Governance</h3>
-      <p>Agents connected to Merge, Glean, MCP gateways, and enterprise apps are identities. Gate owner, credential, connector scope, DLP, audit, and purpose before they act.</p>
-      <span class="article-tag">Agent Identity</span>
-      <span class="article-tag">MCP Connectors</span>
-      <span class="article-tag">Least Privilege</span>
-    </a>
-
     <a href="/learn/from-prototype-to-production" class="article-card">
       <h3>From git init to v1.17.0 in 70 days: an honest ThumbGate build log</h3>
       <p>70 days, 112 commits, 17 minor releases, 6k npm downloads, $0 cold-traffic revenue. The unedited story of taking ThumbGate from a one-line repo init to live production — including the part that's still broken.</p>
@@ -473,6 +457,14 @@
       <span class="article-tag">Sprint</span>
     </a>
 
+    <a href="/guides/aws-blocks-agent-guardrails" class="article-card">
+      <h3>AWS Blocks Agent Guardrails</h3>
+      <p>Guard the local-to-cloud jump before AWS Blocks agents deploy, destroy resources, mutate data, expand IAM, or call Bedrock tools.</p>
+      <span class="article-tag">AWS Blocks</span>
+      <span class="article-tag">Cloud Safety</span>
+      <span class="article-tag">Pre-action Gates</span>
+    </a>
+
     <a href="/guides/ai-search-topical-presence" class="article-card">
       <h3>AI Search Topical Presence</h3>
       <p>Why AI assistants recommend the tools they repeatedly see tied to a buyer problem, and how ThumbGate builds that association with proof-backed pages.</p>
@@ -489,6 +481,14 @@
       <span class="article-tag">Governance</span>
     </a>
 
+    <a href="/guides/vllm-serving-guardrails" class="article-card">
+      <h3>vLLM Serving Guardrails</h3>
+      <p>Gate self-hosted inference changes before agents route production work through PagedAttention, batching, prefix-cache, or model-swap optimizations.</p>
+      <span class="article-tag">vLLM</span>
+      <span class="article-tag">LLM Serving</span>
+      <span class="article-tag">Runtime Safety</span>
+    </a>
+
     <a href="/guides/relational-knowledge-ai-recommendations" class="article-card">
       <h3>Relational Knowledge in AI Recommendations</h3>
       <p>How stored brand-to-problem associations shape AI answers, and why ThumbGate should own the pre-action-checks category in those retrieval paths.</p>
@@ -529,6 +529,30 @@
       <span class="article-tag">Enforcement</span>
     </a>
 
+    <a href="/guides/hermes-agent-guardrails" class="article-card">
+      <h3>Hermes Agent Guardrails for Self-Improving Agents</h3>
+      <p>Hermes-style agents bring persistent memory, generated skills, gateways, automations, and sandboxes. ThumbGate adds the pre-action firewall before those agents touch real systems.</p>
+      <span class="article-tag">Hermes Agent</span>
+      <span class="article-tag">Persistent Agents</span>
+      <span class="article-tag">Execution Firewall</span>
+    </a>
+
+    <a href="/guides/safe-self-evolution" class="article-card">
+      <h3>Safe Self-Evolution: Prompt Optimization without Regression</h3>
+      <p>Hermes-style autonomous agents learn by observing failures and rewriting skills. ThumbGate introduces Safe Self-Evolution: weakness mining, automated prompt optimization, verification suites, and atomic git rollbacks.</p>
+      <span class="article-tag">Self-Evolution</span>
+      <span class="article-tag">Harness Optimizer</span>
+      <span class="article-tag">Verification Gate</span>
+    </a>
+
+    <a href="/guides/agent-context-governance" class="article-card">
+      <h3>Agent Context Governance for Long-Running Agents</h3>
+      <p>AdaCoM, tokenmaxxing backlash, Managed Agents, lockdown modes, and model-provenance scares all point to one need: clean context and tool gates before agents act.</p>
+      <span class="article-tag">Context Governance</span>
+      <span class="article-tag">Tool Lockdown</span>
+      <span class="article-tag">Model Provenance</span>
+    </a>
+
     <a href="/guides/roo-code-alternative-cline" class="article-card">
       <h3>Roo Code Alternative: Migrate to Cline Without Losing Agent Memory</h3>
       <p>Use the Roo shutdown window to pitch portable lesson memory and local-first enforcement instead of making operators re-teach the same failures after they switch.</p>

package/public/lessons.html

@@ -211,7 +211,7 @@
 
 <nav>
   <div class="container">
-    <a href="/dashboard" class="nav-logo"><img src="/assets/brand/thumbgate-mark-inline.svg" alt="ThumbGate" class="logo-mark" width="28" height="28"><span class="logo-text">ThumbGate</span></a>
+    <a href="/dashboard" class="nav-logo"><img src="/assets/brand/thumbgate-mark-inline-v3.svg" alt="ThumbGate" class="logo-mark" width="28" height="28"><span class="logo-text">ThumbGate</span></a>
     <div class="nav-links">
       <a href="/dashboard">Dashboard</a>
       <a href="/lessons" class="active">Lessons</a>

package/public/numbers.html

@@ -25,7 +25,7 @@
   "alternateName": "thumbgate",
   "applicationCategory": "DeveloperApplication",
   "operatingSystem": "Cross-platform, Node.js >=18.18.0",
-  "softwareVersion": "1.27.7",
+  "softwareVersion": "1.27.8",
   "url": "https://thumbgate.ai/numbers",
   "dateModified": "2026-05-07",
   "creator": {
@@ -202,7 +202,7 @@
 <main class="container">
   <h1>The Numbers</h1>
   <p class="subtitle">Generated first-party operational snapshot from the ThumbGate runtime. This is not customer traction, install volume, revenue, or proof that a configured gate has fired.</p>
-  <div class="freshness">Updated: 2026-05-07 · Version 1.27.7</div>
+  <div class="freshness">Updated: 2026-05-07 · Version 1.27.8</div>
   <div class="truth-note"><strong>Read this first:</strong> configured checks are inventory. Recorded blocks and warnings are usage evidence. This snapshot currently reports 0 recorded hard-block event(s) and 0 recorded warning event(s).</div>
 
   <h2>Gate enforcement</h2>

package/public/pro.html

@@ -37,7 +37,7 @@ __GA_BOOTSTRAP__
 <script type="application/ld+json">
 {
   "@context": "https://schema.org",
-  "@type": "FAQPage", "mainEntity": [{ "@type": "Question", "name": "How is Pro different from the free install?", "acceptedAnswer": { "@type": "Answer", "text": "Free keeps local recall, checks, and MCP. Pro adds the personal dashboard, DPO export, auto-connect, and founder support." } }, { "@type": "Question", "name": "Does Pro require a cloud account?", "acceptedAnswer": { "@type": "Answer", "text": "No. Pro stays local-first; Team is the hosted rollout lane for shared lessons, org visibility, and reviews." } }, { "@type": "Question", "name": "What happens after checkout?", "acceptedAnswer": { "@type": "Answer", "text": "You activate Pro, connect the local dashboard, and inspect blocked actions, lessons, and exports." } }, { "@type": "Question", "name": "When should I choose Team instead of Pro?", "acceptedAnswer": { "@type": "Answer", "text": "Choose Team when one correction needs to protect multiple developers or agents across shared repositories." } }]
+  "@type": "FAQPage", "mainEntity": [{ "@type": "Question", "name": "How is Pro different from the free install?", "acceptedAnswer": { "@type": "Answer", "text": "Free keeps local recall, checks, and MCP. Pro adds the personal dashboard, DPO export, auto-connect, and founder support." } }, { "@type": "Question", "name": "Does Pro require a cloud account?", "acceptedAnswer": { "@type": "Answer", "text": "No. Pro stays local-first; Enterprise is the hosted rollout lane for shared lessons, org visibility, and reviews." } }, { "@type": "Question", "name": "What happens after checkout?", "acceptedAnswer": { "@type": "Answer", "text": "You activate Pro, connect the local dashboard, and inspect blocked actions, lessons, and exports." } }, { "@type": "Question", "name": "When should I choose Enterprise instead of Pro?", "acceptedAnswer": { "@type": "Answer", "text": "Choose Enterprise when one correction needs to protect multiple developers or agents across shared repositories." } }]
 }
 </script>
 
@@ -712,7 +712,7 @@ __GA_BOOTSTRAP__
 <body>
 <nav>
   <div class="container">
-    <a href="/" class="nav-logo"><img src="/assets/brand/thumbgate-mark-inline.svg" alt="ThumbGate" class="logo-mark" width="28" height="28"><span class="logo-text">ThumbGate Pro</span></a>
+    <a href="/" class="nav-logo"><img src="/assets/brand/thumbgate-mark-inline-v3.svg" alt="ThumbGate" class="logo-mark" width="28" height="28"><span class="logo-text">ThumbGate Pro</span></a>
     <div class="nav-links">
       <a href="#why-pay">Why Pro</a>
       <a href="#proof">Proof</a>
@@ -731,7 +731,7 @@ __GA_BOOTSTRAP__
       <h1>Buy the operator loop that proves your AI agent stopped repeating the mistake.</h1>
       <p style="font-size:13px;opacity:0.8;margin-bottom:0.5rem;">Updated: <time datetime="2026-04-20">2026-04-20</time> · by <a href="https://github.com/IgorGanapolsky" style="color:inherit;">Igor Ganapolsky</a></p>
       <p>ThumbGate Pro is for one operator who already hit a repeated AI-agent failure and now needs proof: what was blocked, why it was blocked, and what changed before the next risky run.</p>
-      <p>Start Pro when you want the local dashboard, DPO export, and a single proof lane for the repeated mistake you need to stop. Team diagnostics and custom services are handled through intake, not this buyer path.</p>
+      <p>Start Pro when you want the local dashboard, DPO export, and a single proof lane for the repeated mistake you need to stop. Enterprise diagnostics and custom services are handled through intake, not this buyer path.</p>
       <div class="hero-proof">
         <div class="proof-pill">Personal local dashboard</div>
         <div class="proof-pill">DPO export from real corrections</div>
@@ -951,15 +951,15 @@ __GA_BOOTSTRAP__
       </div>
       <div class="faq-item">
         <button class="faq-q" type="button" onclick="toggleFaq(this)" onkeydown="handleFaqKeydown(event)" aria-expanded="false">Does Pro require a cloud account?</button>
-        <div class="faq-a">No. Pro is still local-first for the individual operator lane. Team is the hosted rollout lane for shared lessons, org visibility, and hosted review views.</div>
+        <div class="faq-a">No. Pro is still local-first for the individual operator lane. Enterprise is the hosted rollout lane for shared lessons, org visibility, and hosted review views.</div>
       </div>
       <div class="faq-item">
         <button class="faq-q" type="button" onclick="toggleFaq(this)" onkeydown="handleFaqKeydown(event)" aria-expanded="false">What happens after checkout?</button>
         <div class="faq-a">You activate Pro, connect the personal local dashboard, and your running agents can appear automatically so you can inspect blocked actions, active lessons, and exportable DPO pairs without adding a separate cloud dashboard dependency.</div>
       </div>
       <div class="faq-item">
-        <button class="faq-q" type="button" onclick="toggleFaq(this)" onkeydown="handleFaqKeydown(event)" aria-expanded="false">When should I choose Team instead of Pro?</button>
-        <div class="faq-a">Choose Team when one thumbs-down should protect multiple people or agents across shared repositories, or when you need shared hosted lessons, org dashboard visibility, and a workflow hardening pilot with rollout review views.</div>
+        <button class="faq-q" type="button" onclick="toggleFaq(this)" onkeydown="handleFaqKeydown(event)" aria-expanded="false">When should I choose Enterprise instead of Pro?</button>
+        <div class="faq-a">Choose Enterprise when one thumbs-down should protect multiple people or agents across shared repositories, or when you need shared hosted lessons, org dashboard visibility, and a workflow hardening pilot with rollout review views.</div>
       </div>
     </div>
   </div>
@@ -987,7 +987,7 @@ __GA_BOOTSTRAP__
       <a href="__VERIFICATION_URL__" target="_blank" rel="noopener">Verification Evidence</a>
       <a href="https://github.com/IgorGanapolsky/ThumbGate" target="_blank" rel="noopener">GitHub</a>
     </div>
-    <div class="footer-copy">ThumbGate Pro for individual operators. Team stays intake-first.</div>
+    <div class="footer-copy">ThumbGate Pro for individual operators. Enterprise stays intake-first.</div>
   </div>
 </footer>
 

package/scripts/aws-blocks-guardrails.js

@@ -0,0 +1,228 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('node:fs');
+const path = require('node:path');
+
+const AWS_BLOCKS_DEPENDENCY_PATTERN = /(^|\/)@aws-blocks\/(?:blocks|[^/\s"']+)/;
+
+function toList(value) {
+  if (Array.isArray(value)) return value.map(String).map((entry) => entry.trim()).filter(Boolean);
+  if (typeof value === 'string') return value.split(',').map((entry) => entry.trim()).filter(Boolean);
+  return [];
+}
+
+function normalizeText(value) {
+  if (value == null) return '';
+  if (typeof value === 'string') return value;
+  try {
+    return JSON.stringify(value);
+  } catch {
+    return String(value);
+  }
+}
+
+function readPackageJson(projectDir) {
+  try {
+    return JSON.parse(fs.readFileSync(path.join(projectDir, 'package.json'), 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function packageUsesAwsBlocks(pkg) {
+  if (!pkg || typeof pkg !== 'object') return false;
+  const dependencyText = JSON.stringify({
+    dependencies: pkg.dependencies || {},
+    devDependencies: pkg.devDependencies || {},
+    peerDependencies: pkg.peerDependencies || {},
+    optionalDependencies: pkg.optionalDependencies || {},
+  });
+  const scriptsText = JSON.stringify(pkg.scripts || {});
+  return AWS_BLOCKS_DEPENDENCY_PATTERN.test(dependencyText) || /aws-blocks|blocks-app|cdk|sandbox/i.test(scriptsText);
+}
+
+function detectAwsBlocksProject(projectDir = process.cwd()) {
+  const pkg = readPackageJson(projectDir);
+  if (packageUsesAwsBlocks(pkg)) return true;
+  return fs.existsSync(path.join(projectDir, 'aws-blocks', 'index.ts'))
+    || fs.existsSync(path.join(projectDir, 'aws-blocks', 'index.js'))
+    || fs.existsSync(path.join(projectDir, 'blocks.spec.json'));
+}
+
+function detectAction(input = {}) {
+  const command = normalizeText(input.command || input.args || input.shell || input.toolInput);
+  const toolName = normalizeText(input.toolName || input.tool || input.name);
+  const code = normalizeText(input.code || input.file || input.diff || input.body);
+  const combined = `${toolName}\n${command}\n${code}`;
+  const lower = combined.toLowerCase();
+
+  const signals = [];
+  const add = (id, label, severity = 'medium') => signals.push({ id, label, severity });
+
+  if (/\b(cdk\s+deploy|npm\s+run\s+deploy|pnpm\s+deploy|yarn\s+deploy|sst\s+deploy|blocks?\s+deploy)\b/i.test(combined)) {
+    add('aws-blocks-production-deploy', 'production deploy from an AWS Blocks workflow', 'high');
+  }
+
+  if (/\b(cdk\s+destroy|npm\s+run\s+destroy|pnpm\s+destroy|yarn\s+destroy|sandbox\b.*--destroy|--destroy\b|aws\s+cloudformation\s+delete-stack)\b/i.test(combined)) {
+    add('aws-blocks-destroy', 'destroy command can remove AWS resources created from local Blocks code', 'critical');
+  }
+
+  if (/\b(drop\s+(table|database|schema|index|column)|truncate\s+table|delete\s+from\s+[\w".-]+(?:\s*;|\s*$)|update\s+[\w".-]+\s+set\b(?![\s\S]{0,160}\bwhere\b))/i.test(combined)) {
+    add('destructive-sql-or-ddl', 'destructive or unscoped SQL mutation', 'critical');
+  }
+
+  if (/\b(aws\s+dynamodb\s+delete-table|aws\s+rds\s+delete-db-instance|aws\s+s3\s+rm\b[\s\S]*--recursive|aws\s+lambda\s+delete-function|aws\s+bedrock-agent\s+delete-|aws\s+bedrock-agent-runtime\b)/i.test(combined)) {
+    add('destructive-aws-cli', 'destructive AWS CLI or Bedrock agent action', 'critical');
+  }
+
+  if (/\b(gcloud|aws)\b[\s\S]{0,220}\b(add-iam-policy-binding|put-role-policy|attach-role-policy|create-policy-version)\b/i.test(combined)
+      || /\b(AdministratorAccess|roles\/owner|iam:PassRole|serviceAccountTokenCreator)\b/i.test(combined)) {
+    add('iam-escalation', 'agent session attempts to grant broad IAM authority', 'critical');
+  }
+
+  if (/\b(new\s+Agent\s*\(|@aws-blocks\/(?:agent|blocks)|\bAgent\b[\s\S]{0,120}\btools?\b)/.test(combined)) {
+    add('blocks-agent-tool-call', 'AWS Blocks Agent or Bedrock-style tool action needs a tool boundary', 'medium');
+  }
+
+  if (/\b(npm\s+run\s+dev|npm\s+start|pnpm\s+dev|yarn\s+dev|create-blocks-app)\b/i.test(combined)) {
+    add('local-dev', 'local AWS Blocks development loop', 'low');
+  }
+
+  return {
+    command,
+    toolName,
+    code,
+    signals,
+    highRisk: signals.some((signal) => ['high', 'critical'].includes(signal.severity)),
+    localOnly: signals.some((signal) => signal.id === 'local-dev') && signals.every((signal) => signal.severity === 'low'),
+    lower,
+  };
+}
+
+function evaluateAwsBlocksAction(input = {}) {
+  const projectDir = input.projectDir || input.cwd || process.cwd();
+  const projectUsesAwsBlocks = Boolean(
+    input.projectUsesAwsBlocks
+    || input.awsBlocks
+    || input.blocksProject
+    || detectAwsBlocksProject(projectDir)
+  );
+  const evidence = new Set(toList(input.evidence || input.proof || input.receipts));
+  const action = detectAction(input);
+  const requiredEvidence = [];
+
+  const requireEvidence = (id, label) => {
+    if (!evidence.has(id)) requiredEvidence.push({ id, label });
+  };
+
+  if (projectUsesAwsBlocks && action.signals.some((signal) => signal.id === 'aws-blocks-production-deploy')) {
+    requireEvidence('local-tests-pass', 'local AWS Blocks tests pass against local implementations');
+    requireEvidence('cdk-diff-reviewed', 'CDK diff or synthesized CloudFormation change set reviewed');
+    requireEvidence('cost-blast-radius-reviewed', 'AWS cost and resource blast radius reviewed');
+  }
+
+  if (action.signals.some((signal) => signal.id === 'aws-blocks-destroy')) {
+    requireEvidence('resource-inventory-exported', 'resource inventory exported before destroy');
+    requireEvidence('human-destroy-approval', 'named human approval for destroy');
+  }
+
+  if (action.signals.some((signal) => signal.id === 'destructive-sql-or-ddl')) {
+    requireEvidence('backup-or-rollback-ready', 'backup, rollback, or restore point exists');
+    requireEvidence('bounded-row-count-reviewed', 'row/table impact was previewed before mutation');
+  }
+
+  if (action.signals.some((signal) => signal.id === 'destructive-aws-cli')) {
+    requireEvidence('aws-account-and-region-confirmed', 'target AWS account and region confirmed');
+    requireEvidence('rollback-plan-attached', 'rollback or recovery plan attached');
+  }
+
+  if (action.signals.some((signal) => signal.id === 'iam-escalation')) {
+    requireEvidence('least-privilege-review', 'least-privilege review completed');
+    requireEvidence('security-owner-approval', 'security owner approval captured');
+  }
+
+  if (action.signals.some((signal) => signal.id === 'blocks-agent-tool-call')) {
+    requireEvidence('agent-tool-allowlist', 'agent tool allowlist and data boundary declared');
+  }
+
+  const shouldBlock = projectUsesAwsBlocks && requiredEvidence.length > 0;
+  const status = shouldBlock ? 'blocked' : (action.highRisk ? 'needs-review' : 'allowed');
+
+  return {
+    name: 'thumbgate-aws-blocks-guardrails',
+    status,
+    projectUsesAwsBlocks,
+    signals: action.signals,
+    requiredEvidence,
+    enforcementBoundary: 'local AWS Blocks confidence must not automatically become production AWS authority',
+    gates: [
+      'allow local AWS Blocks dev loops without AWS credentials',
+      'require local test proof plus CDK diff before production deploy',
+      'block destroy and destructive data mutations until backup, blast-radius, and human approval evidence exists',
+      'block IAM escalation and Bedrock/Agent tool expansion until an owner approves the tool boundary',
+      'write a ThumbGate receipt for every allowed high-risk cloud action',
+    ],
+    nextActions: shouldBlock
+      ? requiredEvidence.map((item) => `Provide ${item.id}: ${item.label}`)
+      : ['Record an allow receipt when this action touches real AWS resources'],
+  };
+}
+
+function buildAwsBlocksHardeningOffer(input = {}) {
+  const workflow = String(input.workflow || input.name || 'AWS Blocks backend').trim();
+  const buyer = String(input.buyer || input.owner || 'platform owner').trim();
+  return {
+    name: 'thumbgate-aws-blocks-hardening-offer',
+    status: 'ready-for-positioning',
+    buyer,
+    workflow,
+    headline: 'AWS Blocks helps agents build the backend. ThumbGate stops them before unsafe cloud actions run.',
+    offer: 'AWS Blocks Agent Safety Review',
+    diagnosticPrice: '$499',
+    proofPlan: [
+      'map one AWS Blocks local-to-cloud workflow',
+      'install ThumbGate against the agent running that workflow',
+      'add gates for deploy, destroy, data mutation, IAM, Bedrock Agent, and cost-blast-radius actions',
+      'produce a receipt showing the first blocked repeat and the evidence required to allow it',
+    ],
+    cta: 'Send one AWS Blocks workflow that is about to deploy, mutate data, or call Bedrock tools.',
+  };
+}
+
+function parseArgs(argv = process.argv.slice(2)) {
+  const args = {};
+  for (const arg of argv) {
+    if (arg === '--json') args.json = true;
+    else if (arg === '--aws-blocks' || arg === '--project-uses-aws-blocks') args.projectUsesAwsBlocks = true;
+    else if (arg.startsWith('--command=')) args.command = arg.slice('--command='.length);
+    else if (arg.startsWith('--tool=')) args.toolName = arg.slice('--tool='.length);
+    else if (arg.startsWith('--code=')) args.code = arg.slice('--code='.length);
+    else if (arg.startsWith('--cwd=')) args.projectDir = arg.slice('--cwd='.length);
+    else if (arg.startsWith('--evidence=')) args.evidence = arg.slice('--evidence='.length);
+    else if (arg.startsWith('--workflow=')) args.workflow = arg.slice('--workflow='.length);
+    else if (arg.startsWith('--buyer=')) args.buyer = arg.slice('--buyer='.length);
+    else if (arg === 'offer') args.commandName = 'offer';
+  }
+  return args;
+}
+
+function runCli(args = parseArgs()) {
+  const report = args.commandName === 'offer'
+    ? buildAwsBlocksHardeningOffer(args)
+    : evaluateAwsBlocksAction(args);
+  if (args.json) console.log(JSON.stringify(report, null, 2));
+  else {
+    console.log(`${report.name}: ${report.status}`);
+    for (const action of report.nextActions || report.proofPlan || []) console.log(`- ${action}`);
+  }
+}
+
+if (require.main === module) runCli();
+
+module.exports = {
+  detectAwsBlocksProject,
+  detectAction,
+  evaluateAwsBlocksAction,
+  buildAwsBlocksHardeningOffer,
+};

package/scripts/cli-schema.js

@@ -123,16 +123,6 @@ const CLI_COMMANDS = [
       { name: 'remote', type: 'boolean', description: 'Fetch from hosted Railway instance' },
     ],
   },
-  {
-    name: 'community',
-    aliases: ['registry'],
-    description: 'Query or share verified prevention rules with the community knowledge registry',
-    group: 'discovery',
-    flags: [
-      { name: 'json',   type: 'boolean', description: 'Output as JSON' },
-      { name: 'remote', type: 'boolean', description: 'Fetch from community remote API' },
-    ],
-  },
   {
     name: 'gate-stats',
     description: 'Check engine statistics — active checks, blocks, warns, time saved',
@@ -515,6 +505,12 @@ const CLI_COMMANDS = [
     group: 'gates',
     flags: [],
   },
+  {
+    name: 'hermes-gate',
+    description: 'Hermes Agent pre_tool_call hook: gate runtime tool calls (incl. skill_manage) before they run',
+    group: 'gates',
+    flags: [],
+  },
   {
     name: 'force-gate',
     description: 'Immediately create a blocking gate from a pattern string',
@@ -660,6 +656,22 @@ const CLI_COMMANDS = [
       { name: 'json',        type: 'boolean', description: 'Output results as JSON' },
     ],
   },
+  {
+    name: 'check-update',
+    aliases: ['upgrade-check'],
+    description: 'Check for newer versions of ThumbGate from npm or GitHub',
+    group: 'ops',
+    flags: [
+      { name: 'json', type: 'boolean', description: 'Output results as JSON' },
+    ],
+  },
+  {
+    name: 'self-update',
+    aliases: ['upgrade-cli'],
+    description: 'Automatically install the latest version of ThumbGate globally',
+    group: 'ops',
+    flags: [],
+  },
 ];
 
 /**

package/scripts/dashboard-chat.js

@@ -317,7 +317,8 @@ async function answerDataQuestion(question, opts = {}) {
     if (isPerplexity) return await callPerplexityEndpoint({ apiKey, prompt, fetchImpl, sources });
     return await callGeminiEndpoint({ apiKey, model, prompt, fetchImpl, sources });
   } catch (err) {
-    return { ok: false, error: 'network', message: err?.message || String(err), sources };
+    const safeMessage = (err && err.message) ? String(err.message).split('\n')[0].slice(0, 100) : 'An unexpected error occurred.';
+    return { ok: false, error: 'network', message: safeMessage, sources };
   }
 }
 

package/scripts/document-intake.js

@@ -708,7 +708,6 @@ function buildDocumentSummary(document) {
     sourcePath: document.sourcePath || null,
     sourceName: document.sourceName || null,
     sourceFormat: document.sourceFormat,
-    sourceUrl: document.sourceUrl || null,
     importedAt: document.importedAt,
     tags: normalizeTags(document.tags),
     excerpt: document.excerpt,
@@ -769,11 +768,7 @@ function persistDocument(document, options = {}) {
   const summaries = listImportedDocuments({
     ...options,
     limit: MAX_SEARCH_SCAN,
-  }).documents.filter((entry) => {
-    if (entry.documentId === document.documentId) return false;
-    if (document.sourceUrl && entry.sourceUrl === document.sourceUrl) return false;
-    return true;
-  });
+  }).documents.filter((entry) => entry.documentId !== document.documentId);
   const nextSummaries = [
     buildDocumentSummary(document),
     ...summaries,
@@ -887,48 +882,6 @@ function importDocument(options = {}) {
     sourceFormat,
   });
   const fingerprint = sha256(`${title}\n${normalizedContent}`);
-  
-  // -- deduplication and RAG drift tracking ----------------------------------
-  const paths = getDocumentStorePaths(options);
-  let duplicate = null;
-  if (fs.existsSync(paths.catalogPath)) {
-    try {
-      const catalog = readJsonl(paths.catalogPath);
-      const urlMatch = options.sourceUrl ? String(options.sourceUrl).trim() : null;
-      const matchedSummary = catalog.find((summary) =>
-        (urlMatch && summary.sourceUrl === urlMatch) ||
-        (summary.fingerprint === fingerprint)
-      );
-      if (matchedSummary) {
-        const fullDoc = readImportedDocument(matchedSummary.documentId, options);
-        if (fullDoc) {
-          if (fullDoc.fingerprint === fingerprint) {
-            // Case A: Content is identical
-            const dedupReason = urlMatch && fullDoc.sourceUrl === urlMatch
-              ? 'url-and-content-unchanged'
-              : 'content-identical';
-            return {
-              ...fullDoc,
-              duplicate: true,
-              updated: false,
-              dedupReason,
-            };
-          } else {
-            // Case B: URL matches but content changed (RAG Drift!)
-            duplicate = {
-              previousDocumentId: fullDoc.documentId,
-              previousFingerprint: fullDoc.fingerprint,
-              updated: true,
-              dedupReason: 'url-content-updated',
-            };
-          }
-        }
-      }
-    } catch (err) {
-      // best-effort
-    }
-  }
-
   const importedAt = nowIso();
   const sourceName = sourcePath ? path.basename(sourcePath) : null;
   const documentId = `doc_${slugify(title || sourceName || 'document').slice(0, 24) || 'document'}_${fingerprint.slice(0, 12)}`;
@@ -948,7 +901,6 @@ function importDocument(options = {}) {
     contentBytes: Buffer.byteLength(normalizedContent, 'utf8'),
     lineCount: normalizedContent.split('\n').filter(Boolean).length,
     headings: extractHeadings(normalizedContent),
-    ...(duplicate || {}),
   };
   document.proposals = options.proposeGates === false
     ? []

package/scripts/durability/step.js

@@ -7,11 +7,11 @@
  * the full durable-execution runtime. Gives each external call (HTTP,
  * LanceDB, LLM) a uniform retry + idempotency wrapper:
  *
- *   const result = await runStep('zernio.publishPost', {
+ *   const result = await runStep('directSocial.publishPost', {
  *     retries: 3,
  *     idempotencyKey: idempotencyKey(content, platforms),
  *   }, async ({ attempt }) => {
- *     return zernioFetch('POST', '/posts', body, { idempotencyKey: ... });
+ *     return directSocialFetch('POST', '/posts', body, { idempotencyKey: ... });
  *   });
  *
  * Why a custom helper instead of Vercel Workflows / Temporal / Inngest?
@@ -98,7 +98,7 @@ function idempotencyKey(...parts) {
  * `fn` resolves to, or throws the last error after exhausting retries /
  * hitting a non-retryable verdict.
  *
- * @param {string} name          Step name, used in logs. e.g. 'zernio.publishPost'.
+ * @param {string} name          Step name, used in logs. e.g. 'directSocial.publishPost'.
  * @param {object|function} options  { retries, backoffMs, classify, onRetry, onFail, logger }
  *                                   (may be passed directly as the callback shorthand)
  * @param {function({attempt:number}):Promise} fn  The actual work.