thumbgate 1.27.12 → 1.27.13

package/bin/cli.js

@@ -2188,6 +2188,26 @@ function pulse() {
   });
 }
 
+function checkUpdateCmd() {
+  const { checkUpdate } = require(path.join(PKG_ROOT, 'scripts', 'check-update'));
+  const args = parseArgs(process.argv.slice(3));
+  checkUpdate({ verbose: !args.json, force: args.force }).then((res) => {
+    if (args.json) {
+      console.log(JSON.stringify(res, null, 2));
+    }
+    process.exit(0);
+  }).catch((err) => {
+    console.error(err && err.message ? err.message : err);
+    process.exit(1);
+  });
+}
+
+function selfUpdateCmd() {
+  const { selfUpdate } = require(path.join(PKG_ROOT, 'scripts', 'check-update'));
+  const success = selfUpdate();
+  process.exit(success ? 0 : 1);
+}
+
 function dispatchBrief() {
   const args = parseArgs(process.argv.slice(3));
   const {
@@ -3151,6 +3171,7 @@ const SUBCOMMAND_HELP = {
   lessons:       'Usage: npx thumbgate lessons [--query="..."] [--limit=N]\n\nSearch the lesson database (Pro feature).',
   search:        'Usage: npx thumbgate search <query>\n\nSearch ThumbGate knowledge base (Pro feature).',
   'gate-check':  'Usage: npx thumbgate gate-check\n\nPreToolUse hook interface: reads tool call JSON from stdin, outputs gate verdict.',
+  'hermes-gate': 'Usage: npx thumbgate hermes-gate\n\nNous Research Hermes Agent pre_tool_call shell hook: reads Hermes tool-call JSON from stdin, runs the ThumbGate gate pipeline (strict by default), and outputs {"decision":"block","reason":...} to veto or {} to allow. Gates terminal/patch/skill_manage etc. See adapters/hermes/config.yaml.',
   'break-glass': 'Usage: npx thumbgate break-glass --reason="why" [--ttl=5m] [--json]\n\nShort-lived recovery path for over-firing gates. Allows hook settings edits and satisfies PR-create/thread-check gates without disabling core destructive-action protections.',
   serve:         'Usage: npx thumbgate serve\n\nStart the MCP stdio server. This is for agent runtimes, not the local HTTP dashboard.',
   mcp:           'Usage: npx thumbgate mcp\n\nAlias for `thumbgate serve`.',
@@ -3168,11 +3189,6 @@ const SUBCOMMAND_HELP = {
   'ai-inventory': 'Usage: npx thumbgate ai-inventory [--root <dir>] [--format=summary|json|cyclonedx] [--output <path>] [--max-files=N]\n\nScan source/manifests/model artifacts for AI, ML, agent-framework, vector DB, Vertex, Gemini, and Dialogflow CX components. Use --format=cyclonedx to produce exportable ML-BOM evidence for enterprise reviews.',
   brain: 'Usage: npx thumbgate brain [--write] [--json] [--limit=N]\n\nBuild the agent-readable "context brain" — a single artifact consolidating this\nrepo\'s lessons, prevention rules, active gates, and project context for a coding\nagent to read BEFORE acting. --write saves it to .thumbgate/BRAIN.md (versioned,\ndeterministic). --json emits the structured model. --limit caps lessons (default 15).',
   'team-sync': 'Usage: npx thumbgate team-sync\n\nSynchronize prevention rules and context brain with your team\'s git repository (git pull --rebase & git push), then auto-rebuild the local brain.',
-  dream: 'Usage: npx thumbgate dream [--min=N] [--feedback-dir=DIR] [--json]\n\nConsolidate raw history and lessons ("Silicon Dreaming"), merge duplicates, promote recurring failures to gates, and rebuild prevention rules + BRAIN.md.',
-  consolidate: 'Usage: npx thumbgate consolidate\n\nAlias for npx thumbgate dream.',
-  triage: 'Usage: npx thumbgate triage [--schedule="daily 9:00"] [--json]\n\nRun git updates, test verification, and memory consolidation, or schedule it on a cron.',
-  hygiene: 'Usage: npx thumbgate hygiene\n\nAlias for npx thumbgate triage.',
-  community: 'Usage: npx thumbgate community query <error> | share <rule-id>\n\nQuery or share verified prevention rules with the community knowledge registry.',
 };
 
 if (_wantsHelp && COMMAND && SUBCOMMAND_HELP[COMMAND]) {
@@ -3275,31 +3291,6 @@ function renderBrainMarkdown(model) {
   return out.join('\n');
 }
 
-function autoWireInstructionFile(fileName) {
-  const filePath = path.join(CWD, fileName);
-  if (!fs.existsSync(filePath)) return;
-  try {
-    let content = fs.readFileSync(filePath, 'utf8');
-    const blockStart = '<!-- ThumbGate -->';
-    const blockEnd = '<!-- End ThumbGate -->';
-    const block = `${blockStart}\nIMPORTANT: Read .thumbgate/BRAIN.md first for lessons, prevention rules, and active gates in this repo.\n${blockEnd}\n`;
-
-    if (content.includes(blockStart)) {
-      const startIdx = content.indexOf(blockStart);
-      const endIdx = content.indexOf(blockEnd);
-      if (endIdx !== -1) {
-        content = content.slice(0, startIdx) + block + content.slice(endIdx + blockEnd.length).replace(/^\n+/, '');
-      }
-    } else {
-      content = block + '\n' + content;
-    }
-    fs.writeFileSync(filePath, content);
-    console.error(`   Auto-wired agent pointer into ${fileName}`);
-  } catch (err) {
-    console.warn(`⚠️  Failed to auto-wire agent pointer in ${fileName}: ${err.message}`);
-  }
-}
-
 function cmdBrain(args = {}) {
   const model = buildBrainModel({ limit: args.limit });
   if (args.json) { console.log(JSON.stringify(model, null, 2)); return 0; }
@@ -3319,120 +3310,14 @@ function cmdBrain(args = {}) {
     const lt = (model.lessons && model.lessons.total) || 0;
     const rt = (model.rules && model.rules.total) || 0;
     const gt = (model.gates && model.gates.total) || 0;
-    console.error(`\u{1f9e0} Wrote context brain to .thumbgate/BRAIN.md (${lt} lessons · ${rt} rules · ${gt} gates).`);
-    
-    // Auto-inject pointer block into CLAUDE.md / AGENTS.md
-    autoWireInstructionFile('CLAUDE.md');
-    autoWireInstructionFile('AGENTS.md');
-    
+    console.log(`\u{1f9e0} Wrote context brain to .thumbgate/BRAIN.md (${lt} lessons · ${rt} rules · ${gt} gates).`);
+    console.log('   Point your agent at it: add "Read .thumbgate/BRAIN.md first" to CLAUDE.md / AGENTS.md.');
     return 0;
   }
   process.stdout.write(md);
   return 0;
 }
 
-function brain() {
-  const args = parseArgs(process.argv.slice(3));
-  const subcommand = process.argv.slice(3).find((arg) => !arg.startsWith('--')) || 'status';
-  const {
-    buildContextPack,
-    checkNeverDo,
-    cleanupReport,
-    ensureBrain,
-    formatContextPack,
-    recordMemory,
-    refreshNeverDoGates,
-  } = require(path.join(PKG_ROOT, 'scripts', 'brain'));
-
-  if (subcommand === 'init' || subcommand === 'status') {
-    const result = ensureBrain(CWD);
-    const gates = refreshNeverDoGates(CWD);
-    const payload = { ...result, gateCount: gates.gateCount };
-    if (args.json) {
-      console.log(JSON.stringify(payload, null, 2));
-      return;
-    }
-    console.log('ThumbGate brain');
-    console.log('='.repeat(15));
-    console.log(`Brain dir : ${path.relative(CWD, result.brainDir)}`);
-    console.log(`Created   : ${result.created.length}`);
-    console.log(`Soul files: ${result.soulFiles.length}`);
-    console.log(`Memory dirs: ${result.memoryDirs.length}`);
-    console.log(`Never-do gates: ${gates.gateCount}`);
-    return;
-  }
-
-  if (subcommand === 'context') {
-    const task = args.task || process.argv.slice(4).find((arg) => !arg.startsWith('--')) || '';
-    const pack = buildContextPack(CWD, { task });
-    if (args.json) {
-      console.log(JSON.stringify(pack, null, 2));
-      return;
-    }
-    process.stdout.write(formatContextPack(pack));
-    return;
-  }
-
-  if (subcommand === 'remember') {
-    const title = args.title || process.argv.slice(4).find((arg) => !arg.startsWith('--')) || '';
-    const result = recordMemory(CWD, {
-      type: args.type,
-      title,
-      content: args.content || title,
-      reason: args.reason,
-      source: args.source,
-      tags: args.tags,
-      date: args.date,
-    });
-    if (args.json) {
-      console.log(JSON.stringify(result, null, 2));
-      return;
-    }
-    if (!result.ok) {
-      console.error(result.error);
-      process.exit(1);
-    }
-    console.log(`Stored brain memory: ${result.path}`);
-    return;
-  }
-
-  if (subcommand === 'check') {
-    const text = args.text || args.action || readStdinText();
-    const result = checkNeverDo(CWD, { text });
-    if (args.json) {
-      console.log(JSON.stringify(result, null, 2));
-      if (!result.ok) process.exit(2);
-      return;
-    }
-    console.log(`ThumbGate brain decision: ${result.decision.toUpperCase()}`);
-    for (const rule of result.blocked) console.log(`- ${rule.text}`);
-    if (!result.ok) process.exit(2);
-    return;
-  }
-
-  if (subcommand === 'cleanup') {
-    const report = cleanupReport(CWD, args);
-    if (args.json) {
-      console.log(JSON.stringify(report, null, 2));
-      return;
-    }
-    console.log('ThumbGate brain cleanup report');
-    console.log('='.repeat(31));
-    console.log(`Memory files: ${report.total}`);
-    console.log(`Unsourced   : ${report.unsourced.length}`);
-    console.log(`Stale       : ${report.stale.length}`);
-    console.log(`Duplicates  : ${report.duplicates.length}`);
-    if (report.unsourced.length) {
-      console.log('\nUnsourced files:');
-      for (const filePath of report.unsourced) console.log(`- ${filePath}`);
-    }
-    return;
-  }
-
-  console.error('Usage: npx thumbgate brain init|context|remember|check|cleanup [--json]');
-  process.exit(1);
-}
-
 async function teamSync() {
   const { execSync } = require('child_process');
 
@@ -3611,127 +3496,6 @@ switch (COMMAND) {
     }
     break;
   }
-  case 'dream':
-  case 'consolidate': {
-    const args = parseArgs(process.argv.slice(3));
-    const { dream } = require(path.join(PKG_ROOT, 'scripts', 'dream-consolidation'));
-    dream({
-      pkgRoot: PKG_ROOT,
-      feedbackDir: args['feedback-dir'] || args.feedbackDir || CWD,
-      rulesPath: args.output || path.join(CWD, '.thumbgate', 'prevention-rules.md'),
-      minOccurrences: args.min || 2,
-    }).then(async (result) => {
-      try {
-        await cmdBrain({ write: true });
-      } catch (brainErr) {
-        console.warn(`⚠️  Failed to rebuild context brain: ${brainErr.message}`);
-      }
-      if (args.json) {
-        console.log(JSON.stringify(result, null, 2));
-      } else {
-        console.log(`✨ [Dreaming] Consolidation complete! Merged ${result.consolidated} duplicate(s) into ${result.lessonsCount} lessons.`);
-      }
-      process.exit(0);
-    }).catch((err) => {
-      console.error('❌ Error during memory consolidation:', err && err.message ? err.message : err);
-      process.exit(1);
-    });
-    break;
-  }
-  case 'triage':
-  case 'hygiene': {
-    const args = parseArgs(process.argv.slice(3));
-    const { runTriageLoop } = require(path.join(PKG_ROOT, 'scripts', 'triage-loop'));
-    
-    if (args.schedule) {
-      const { createSchedule } = require(path.join(PKG_ROOT, 'scripts', 'schedule-manager'));
-      const scheduleResult = createSchedule({
-        id: 'thumbgate-triage-hygiene',
-        name: 'ThumbGate Triage & Hygiene Loop',
-        description: 'Run autonomous git checks, test suite verification, and Silicon Dreaming memory consolidation.',
-        schedule: args.schedule,
-        command: `const { runTriageLoop } = require('${path.join(PKG_ROOT, 'scripts', 'triage-loop')}'); runTriageLoop({ cwd: '${CWD}', pkgRoot: '${PKG_ROOT}' }).catch(console.error);`,
-        workingDirectory: CWD,
-      });
-      if (args.json) {
-        console.log(JSON.stringify(scheduleResult, null, 2));
-      } else {
-        if (scheduleResult.success) {
-          console.log(`✅ [Triage] Scheduled triage hygiene loop: ${scheduleResult.message}`);
-        } else {
-          console.error(`❌ [Triage] Failed to schedule: ${scheduleResult.error}`);
-          process.exit(1);
-        }
-      }
-      break;
-    }
-
-    runTriageLoop({
-      cwd: CWD,
-      pkgRoot: PKG_ROOT,
-    }).then(async (result) => {
-      try {
-        await cmdBrain({ write: true });
-      } catch (brainErr) {
-        console.warn(`⚠️  Failed to rebuild context brain: ${brainErr.message}`);
-      }
-      if (args.json) {
-        console.log(JSON.stringify(result, null, 2));
-      } else {
-        console.log(result.log);
-      }
-      process.exit(0);
-    }).catch((err) => {
-      console.error('❌ Error during triage loop execution:', err && err.message ? err.message : err);
-      process.exit(1);
-    });
-    break;
-  }
-  case 'community': {
-    const args = parseArgs(process.argv.slice(3));
-    const sub = process.argv.slice(3).find((arg) => !arg.startsWith('--'));
-    const { queryCommunity, shareRule } = require(path.join(PKG_ROOT, 'scripts', 'community-knowledge'));
-
-    if (sub === 'query') {
-      const queryIdx = process.argv.indexOf('query');
-      const queryText = process.argv.slice(queryIdx + 1).filter(arg => !arg.startsWith('--')).join(' ');
-      const result = queryCommunity(queryText, { remote: args.remote });
-      if (args.json) {
-        console.log(JSON.stringify(result, null, 2));
-      } else {
-        console.log(`🔍 Found ${result.resultsCount} community rule(s) matching "${result.query}":`);
-        for (const r of result.results) {
-          console.log(`\n- [${r.id}] ${r.rule}`);
-          console.log(`  Remedy:      ${r.remedy}`);
-          console.log(`  Explanation: ${r.explanation}`);
-        }
-      }
-      process.exit(0);
-    } else if (sub === 'share') {
-      const shareIdx = process.argv.indexOf('share');
-      const ruleId = process.argv.slice(shareIdx + 1).find(arg => !arg.startsWith('--'));
-      if (!ruleId) {
-        console.error('❌ Error: rule ID is required for share subcommand.');
-        process.exit(1);
-      }
-      const result = shareRule(ruleId, { feedbackDir: CWD });
-      if (args.json) {
-        console.log(JSON.stringify(result, null, 2));
-      } else {
-        if (result.ok) {
-          console.log(`✨ Successfully shared rule "${ruleId}" to community registry.`);
-        } else {
-          console.error(`❌ Failed to share rule: ${result.error}`);
-          process.exit(1);
-        }
-      }
-      process.exit(0);
-    } else {
-      console.error('Usage: npx thumbgate community query <error> | share <rule-id> [--json]');
-      process.exit(1);
-    }
-    break;
-  }
   case 'billing:setup':
     require(path.join(PKG_ROOT, 'scripts', 'billing-setup'));
     break;
@@ -4099,6 +3863,14 @@ switch (COMMAND) {
   case 'pulse':
     pulse();
     break;
+  case 'check-update':
+  case 'upgrade-check':
+    checkUpdateCmd();
+    break;
+  case 'self-update':
+  case 'upgrade-cli':
+    selfUpdateCmd();
+    break;
   case 'dispatch':
   case 'dispatch-brief':
     dispatchBrief();
@@ -4124,6 +3896,53 @@ switch (COMMAND) {
     });
     break;
   }
+  case 'hermes-gate': {
+    // Nous Research Hermes Agent `pre_tool_call` shell hook.
+    // Hermes pipes each pending tool call as JSON to stdin and reads a decision from stdout;
+    // {"decision":"block","reason":...} vetoes the call. We reuse the SAME gate pipeline as
+    // `gate-check` (runAsync → secret guard, security scan, force-push / skill_manage / learned
+    // prevention rules) and translate the verdict into Hermes's format.
+    //
+    // Hermes `pre_tool_call` is binary (block or allow) with no warn channel, and the whole point
+    // of wiring it is to gate, so we run STRICT enforcement by default — otherwise ThumbGate's
+    // warn-by-default posture would pass every deny through and the hook would block nothing.
+    // Opt out with THUMBGATE_HERMES_WARN_ONLY=1; THUMBGATE_HOTFIX_BYPASS=1 still disables checks.
+    // Wire it in ~/.hermes/config.yaml — see adapters/hermes/config.yaml.
+    if (process.env.THUMBGATE_HERMES_WARN_ONLY !== '1' && process.env.THUMBGATE_HOTFIX_BYPASS !== '1') {
+      process.env.THUMBGATE_STRICT_ENFORCEMENT = '1';
+    }
+    const { runAsync: hermesGateRun } = require(path.join(PKG_ROOT, 'scripts', 'gates-engine'));
+    let hermesStdin = '';
+    process.stdin.setEncoding('utf8');
+    process.stdin.on('data', (chunk) => { hermesStdin += chunk; });
+    process.stdin.on('end', async () => {
+      try {
+        const payload = JSON.parse(hermesStdin);
+        // Hermes sends snake_case tool_name/tool_input — gates-engine reads these directly.
+        const verdict = await hermesGateRun({ tool_name: payload.tool_name, tool_input: payload.tool_input });
+        let parsed = {};
+        try { parsed = JSON.parse(verdict); } catch (_e) { parsed = {}; }
+        const hso = parsed.hookSpecificOutput || {};
+        if (hso.permissionDecision === 'deny') {
+          process.stdout.write(JSON.stringify({
+            decision: 'block',
+            reason: hso.permissionDecisionReason || 'Blocked by ThumbGate prevention rule.',
+          }) + '\n');
+        } else {
+          // warn / no match → allow. The gate engine already logged the decision.
+          process.stdout.write(JSON.stringify({}) + '\n');
+        }
+        process.exit(0);
+      } catch (err) {
+        // Hermes hooks fail OPEN on error/timeout — emit an explicit allow so a gate fault
+        // never wedges the agent (reliability ≈ enforcement; keep this fast).
+        process.stderr.write(`hermes-gate error: ${err.message}\n`);
+        process.stdout.write(JSON.stringify({}) + '\n');
+        process.exit(0);
+      }
+    });
+    break;
+  }
   case 'gate-stats':
     gateStats();
     break;

package/config/gate-templates.json

@@ -37,18 +37,6 @@
       "roi": "Raises trust in autonomous runs and reduces manual re-checking.",
       "rollout": "Use for every workflow where proof matters more than speed."
     },
-    {
-      "id": "block-empty-positive-feedback-closeout",
-      "name": "Block empty closeouts after positive feedback",
-      "category": "Agent Honesty",
-      "signal": "👍",
-      "defaultAction": "block",
-      "severity": "medium",
-      "pattern": "positive_feedback_followed_by_low_value_social_closeout",
-      "problem": "Prevents agents from treating thumbs-up or thanks as permission to send filler instead of staying quiet, showing a compact evidence checkpoint, or naming the next state.",
-      "roi": "Turns positive feedback into better operational discipline instead of extra conversational noise.",
-      "rollout": "Enable on conversational Stop hooks for autonomous operators, CEO loops, release closeouts, and evidence-sensitive client work."
-    },
     {
       "id": "protect-production-sql",
       "name": "Protect production SQL",
@@ -589,198 +577,6 @@
       "roi": "Critical for compliance, forensics, and feedback loops. Enables proper capture of agent-specific lessons and prevention rules. Matches industry push (Okta, etc.).",
       "rollout": "Block any claw or autonomous agent action that authenticates as a human user. Require dedicated agent service accounts / identities with scoped permissions."
     },
-    {
-      "id": "require-agent-identity-inventory",
-      "name": "Require agent identity inventory before privileged action",
-      "category": "Agent Identity Governance",
-      "signal": "👎",
-      "defaultAction": "block",
-      "severity": "critical",
-      "pattern": "(agent|assistant|ai).*(credential|service account|identity|permission|access|owner|invoker).*(unknown|missing|unmapped|unreviewed|not inventoried|broad|admin)",
-      "problem": "Agents become privileged identities when they connect to Salesforce, Snowflake, GitHub, Jira, production databases, cloud environments, and MCP connectors. Broad or unknown identity scope turns them into invisible attack paths.",
-      "roi": "High: one inventory gate creates the evidence buyers need for owner, invoker, credentials, connected systems, and read/write/delete/execute permissions before the agent acts.",
-      "rollout": "Require an identity inventory receipt before privileged agent actions. Start with GitHub, Jira, Slack, Salesforce, Snowflake, cloud, database, and payment connectors."
-    },
-    {
-      "id": "enforce-agent-purpose-permission-match",
-      "name": "Enforce agent purpose-permission match",
-      "category": "Agent Identity Governance",
-      "signal": "👎",
-      "defaultAction": "block",
-      "severity": "critical",
-      "pattern": "(agent|assistant|ai).*(purpose|intended use|job|scope).*(permission|access|write|delete|execute|admin).*(mismatch|exceeds|too broad|outside|unneeded)",
-      "problem": "Permission-only governance is not enough for agents. A sales-prep agent may need read-only CRM access; it should not delete records, create privileged users, or mutate production systems.",
-      "roi": "High: maps agent purpose to allowed verbs so scope creep is caught before a connector or service account becomes a lateral movement path.",
-      "rollout": "Define one purpose statement per agent and map it to read/write/delete/execute permissions. Warn first for read actions, block write/delete/execute outside purpose."
-    },
-    {
-      "id": "block-connector-toolpack-scope-drift",
-      "name": "Block connector Tool Pack scope drift",
-      "category": "Agent Identity Governance",
-      "signal": "👎",
-      "defaultAction": "block",
-      "severity": "high",
-      "pattern": "(mcp|connector|tool pack|toolpack|remote mcp|agent handler|mcp gateway).*(add|enable|import|authenticate|connect).*(tool|connector|system|scope|permission).*(without|unreviewed|missing|no).*(owner|purpose|dlp|audit|approval|inventory)",
-      "problem": "Production MCP connector platforms make it easy to add hundreds of tools. The risk is scope drift: agents see tools they do not need, or connectors become authenticated without owner, DLP, audit, and purpose receipts.",
-      "roi": "High: keeps Merge Agent Handler, Glean MCP Gateway, and raw MCP tool packs in the same governance lane as local tools.",
-      "rollout": "Require owner, purpose, allowed tools, auth identity, DLP/logging mode, and audit receipt before adding or importing connector tool packs."
-    },
-    {
-      "id": "require-agent-access-review-freshness",
-      "name": "Require continuous agent access review freshness",
-      "category": "Agent Identity Governance",
-      "signal": "👎",
-      "defaultAction": "warn",
-      "severity": "high",
-      "pattern": "(agent|assistant|ai).*(access review|permission review|identity review|connector review).*(stale|expired|older than|not current|point-in-time)",
-      "problem": "Agent instructions, users, credentials, integrations, and tool scopes drift over time. A one-time access review becomes false confidence.",
-      "roi": "Medium-high: protects buyers from slow permission creep without forcing every low-risk action through a hard block.",
-      "rollout": "Set review freshness windows by connector risk tier. Promote stale high-risk write/delete/execute surfaces from warn to block."
-    },
-    {
-      "id": "block-shadow-agent-without-registration",
-      "name": "Block shadow agent without registration",
-      "category": "Agent Identity Governance",
-      "signal": "👎",
-      "defaultAction": "block",
-      "severity": "critical",
-      "pattern": "(agent|assistant|ai|mcp server|remote mcp).*(unregistered|shadow ai|unknown owner|not in control plane|not inventoried|unapproved).*(connect|authenticate|tool|credential|system|app)",
-      "problem": "Shadow AI agents and unregistered MCP servers bypass identity teams, control planes, and lifecycle reviews while still reaching real business systems.",
-      "roi": "High: catches the exact compliance failure Okta highlights — agents acting before registration, owner, and lifecycle controls exist.",
-      "rollout": "Block privileged tool calls from unregistered agents. Require registration, owner, purpose, credential source, and lifecycle policy before allowing write/delete/execute tools."
-    },
-    {
-      "id": "require-vaulted-agent-token",
-      "name": "Require vaulted agent token before connector use",
-      "category": "Agent Identity Governance",
-      "signal": "👎",
-      "defaultAction": "block",
-      "severity": "critical",
-      "pattern": "(agent|assistant|ai|connector|mcp).*(token|api[_-]?key|credential|secret).*(raw|plaintext|env|hardcoded|unvaulted|not vaulted|local file)",
-      "problem": "Agents using raw or hardcoded connector credentials bypass token vaulting, fine-grained authorization, revocation, and audit controls.",
-      "roi": "High: prevents the fastest way an agent identity becomes a persistent secret-sprawl problem.",
-      "rollout": "Require vault-backed or brokered credentials for connector actions. Allow local development exceptions only with explicit scope, TTL, and audit evidence."
-    },
-    {
-      "id": "block-orphaned-agent-standing-privilege",
-      "name": "Block orphaned agent standing privilege",
-      "category": "Agent Identity Governance",
-      "signal": "👎",
-      "defaultAction": "block",
-      "severity": "critical",
-      "pattern": "(agent|assistant|ai|automation|script).*(owner left|orphaned|no living owner|unknown owner|standing privilege|permanent access|stale token).*(access|credential|token|database|repo|source code|production)",
-      "problem": "Orphaned agents and standing privileges keep access after the human owner leaves or the workflow changes. Security teams cannot revoke or review what they cannot map to a living owner.",
-      "roi": "High: directly addresses hidden access risk, stale AI tokens, and offboarding gaps before the next privileged action touches source code, databases, or production systems.",
-      "rollout": "Require living owner, credential source, last review time, offboarding status, and revocation path before allowing privileged actions from long-running agents."
-    },
-    {
-      "id": "block-agentjacking-embedded-instructions",
-      "name": "Block agentjacking from embedded instructions",
-      "category": "Agent Runtime Attack Defense",
-      "signal": "👎",
-      "defaultAction": "block",
-      "severity": "critical",
-      "pattern": "(email|document|log|database|ticket|webpage|comment).*(ignore previous|override|exfiltrate|run command|deploy|delete|create user|change permissions|send secret|agent instruction|tool instruction)",
-      "problem": "Agentjacking hides malicious instructions inside data the agent reads. Because the agent often has valid permissions, traditional controls may see the later action as legitimate.",
-      "roi": "Critical: blocks the attack path Tenet described before embedded instructions become shell, browser, database, or connector actions.",
-      "rollout": "Treat untrusted content as data, not instructions. Require source classification, instruction-stripping, and human approval before executing tool calls derived from external content."
-    },
-    {
-      "id": "require-next-action-simulation-proof",
-      "name": "Require next-action simulation proof for risky agent actions",
-      "category": "Agent Runtime Attack Defense",
-      "signal": "👎",
-      "defaultAction": "warn",
-      "severity": "high",
-      "pattern": "(agent|assistant|ai).*(next action|likely action|simulation|simulate|predict).*(missing|no proof|not run|unverified).*(write|delete|execute|deploy|database|payment|connector|production)",
-      "problem": "High-risk agents should not jump straight from intent to execution. The likely next action, downstream system, and rollback or approval path should be checked before live systems are touched.",
-      "roi": "High: converts agent-side simulation from marketecture into a practical pre-action proof receipt for the exact tool call about to run.",
-      "rollout": "Start in warn mode for write/delete/execute actions. Promote to block for production databases, payments, deploys, privileged connectors, and customer data."
-    },
-    {
-      "id": "gate-vibe-app-before-retool-deploy",
-      "name": "Gate vibe-coded app before Retool deployment",
-      "category": "AI-Built App Deployment Governance",
-      "signal": "👎",
-      "defaultAction": "block",
-      "severity": "high",
-      "pattern": "(retool|app builder|mcp|claude code|cursor|codex|chatgpt|kiro|react import|zip import).*(deploy|ship|sync|production data|go live).*(without|missing|no).*(auth|rbac|audit|permission|data source|owner|test)",
-      "problem": "Retool and similar platforms make AI-built internal apps easy to import and deploy into governed environments. The gap is proving the generated app's data writes, owners, tests, and permission model before it reaches production data.",
-      "roi": "High: positions ThumbGate as the pre-deploy enforcement layer for AI-built apps that later inherit Retool auth, RBAC, audit logs, and resource permissions.",
-      "rollout": "Require owner, data sources, write actions, auth/RBAC mapping, audit logging, smoke test, and rollback receipt before AI-generated apps are deployed or imported."
-    },
-    {
-      "id": "require-implicit-rule-capture",
-      "name": "Require implicit organizational rule capture",
-      "category": "Organizational Rule Governance",
-      "signal": "👎",
-      "defaultAction": "warn",
-      "severity": "high",
-      "pattern": "(agent|assistant|ai).*(workflow|process|approval|routing|handoff|client|customer|beneficiary|finance|legal).*(implicit rule|tribal knowledge|unwritten rule|exception|relationship context|special handling|not documented|outside formal system)",
-      "problem": "Agentic systems fail when formal workflow steps are correct but unwritten organizational judgment is missing. Important exceptions, relationship context, and escalation norms often live outside process docs.",
-      "roi": "High: turns HBR's implicit-rule warning into a capture gate so hidden operating knowledge becomes explicit, reviewable, and enforceable before automation scales it.",
-      "rollout": "Start with warn mode on client, finance, legal, healthcare, HR, and beneficiary workflows. Promote repeated implicit-rule misses into named pre-action checks."
-    },
-    {
-      "id": "require-self-improvement-regression-proof",
-      "name": "Require regression proof before self-improving harness changes",
-      "category": "Self-Improving Agent Release Governance",
-      "signal": "👎",
-      "defaultAction": "block",
-      "severity": "high",
-      "pattern": "(self[- ]?improv|auto[- ]?improv|harness|model|agent runtime|agent product).*(ship|release|update|change|optimize|promote).*(without|missing|no).*(regression|eval|rollback|proof|baseline|canary)",
-      "problem": "If AI products, harnesses, and models start shipping faster because limited self-improvement works, unverified harness updates can regress safety faster too.",
-      "roi": "High: protects the exact cadence shift Mollick highlighted by requiring eval baselines, canaries, rollback, and proof receipts before self-improving agent changes ship.",
-      "rollout": "Require baseline evals and canary receipts before agent harness, routing, model, or auto-promotion changes are released. Block production promotion without rollback proof."
-    },
-    {
-      "id": "require-public-llm-prompt-sanitization",
-      "name": "Require prompt sanitization before public LLM use",
-      "category": "AI Data Privacy Governance",
-      "signal": "👎",
-      "defaultAction": "block",
-      "severity": "critical",
-      "pattern": "(chatgpt|claude|perplexity|copilot|public llm|hosted model|external ai).*(pii|email|phone|api[_-]?key|secret|token|customer|client|contract|repo url|database schema|financial).*(paste|send|upload|prompt|share)",
-      "problem": "Public LLM prompts can become durable third-party records. Raw PII, secrets, repo identifiers, customer records, contracts, schemas, and financials must be stripped, generalized, or routed to a private endpoint first.",
-      "roi": "Critical: prevents the cheapest and most common AI data-leak path while producing a simple policy a founder or contractor can actually follow.",
-      "rollout": "Block red-data prompts to public tools. Require redaction, tokenization, or a private endpoint receipt before external model use."
-    },
-    {
-      "id": "require-ai-data-classification",
-      "name": "Require green/yellow/red AI data classification",
-      "category": "AI Data Privacy Governance",
-      "signal": "👎",
-      "defaultAction": "warn",
-      "severity": "high",
-      "pattern": "(ai|llm|agent|embedding|rag).*(ingest|upload|prompt|index|log|store).*(without|missing|no).*(green|yellow|red|classification|data class|privacy tier)",
-      "problem": "Teams make bad AI privacy decisions when every prompt is judged ad hoc. A green/yellow/red policy makes tool choice, retention, and routing explicit before ingestion.",
-      "roi": "High: converts privacy advice into repeatable enforcement and keeps contractors from guessing under deadline pressure.",
-      "rollout": "Define green public data, yellow internal/anonymized data, and red sensitive data. Require the classification on prompts, embeddings, logs, and agent inputs."
-    },
-    {
-      "id": "require-ai-log-retention-policy",
-      "name": "Require AI log retention and deletion policy",
-      "category": "AI Data Privacy Governance",
-      "signal": "👎",
-      "defaultAction": "warn",
-      "severity": "medium",
-      "pattern": "(prompt|completion|embedding|agent log|llm log|trace|conversation).*(retain|retention|delete|bucket|database|archive).*(missing|none|forever|unknown|not set)",
-      "problem": "Prompt, completion, embedding, and trace logs silently accumulate sensitive data unless raw retention windows and deletion jobs are explicit.",
-      "roi": "Medium-high: reduces long-tail breach risk and turns privacy cleanup into an auditable operational habit.",
-      "rollout": "Set default retention windows, separate aggregates from raw logs, and require scheduled deletion or anonymization receipts."
-    },
-    {
-      "id": "require-evidence-pass-through-receipt",
-      "name": "Require evidence pass-through receipt",
-      "category": "AI Trust Layer Evidence",
-      "signal": "👎",
-      "defaultAction": "block",
-      "severity": "high",
-      "pattern": "(trust layer|appia|conformity|assurance|safety claim|compliance claim|evidence pass[- ]?through).*(without|missing|no).*(who|what|criteria|when|receipt|attestation|provenance)",
-      "problem": "AI assurance falls apart when each downstream party has to trust or recreate upstream work. Evidence must state who demonstrated what, against which criteria, and when.",
-      "roi": "High: maps the Appia Foundation trust-layer signal into ThumbGate's strongest asset: portable proof receipts tied to exact actions and criteria.",
-      "rollout": "Require self-describing receipts for safety claims, model-routing claims, connector claims, and workflow-hardening claims before buyer-facing assertions or downstream handoff."
-    },
     {
       "id": "gate-claw-file-system-access",
       "name": "Gate claw-style agent file system access",
@@ -829,30 +625,6 @@
       "roi": "Preserves security invariants by ensuring that synthesized skills never write code patterns blocked by active ThumbGate rules.",
       "rollout": "Scan synthesized skill markdown content for pattern overlap with active prevention rules before writing to the skills directory."
     },
-    {
-      "id": "require-hermes-okf-skill-receipt",
-      "name": "Require OKF-style receipt before Hermes skill promotion",
-      "category": "Nous Research Hermes Agent Governance",
-      "signal": "👎",
-      "defaultAction": "warn",
-      "severity": "high",
-      "pattern": "(hermes|skill|knowledge bundle|open knowledge format|okf).*(promote|share|publish|load|reuse).*(without|missing|no).*(type|source|owner|timestamp|citation|constraint|receipt)",
-      "problem": "Hermes can synthesize reusable skills, but portable agent knowledge becomes dangerous when it lacks source, owner, freshness, constraints, and a receipt tying the skill to evidence.",
-      "roi": "High: turns Google's Open Knowledge Format signal into a practical Hermes upgrade — skills become portable markdown concepts, but ThumbGate blocks or warns when provenance and constraints are missing.",
-      "rollout": "Start in warn mode for synthesized skills. Require an OKF-style markdown concept with YAML frontmatter, type, source or citation, owner, timestamp, constraints, and gate receipt before team-wide promotion."
-    },
-    {
-      "id": "block-stale-hermes-knowledge-promotion",
-      "name": "Block stale Hermes knowledge promotion",
-      "category": "Nous Research Hermes Agent Governance",
-      "signal": "👎",
-      "defaultAction": "block",
-      "severity": "high",
-      "pattern": "(hermes|skill|knowledge|okf|open knowledge format).*(stale|expired|conflicting|contradicts|unknown timestamp|unverified source).*(promote|share|publish|reuse|load)",
-      "problem": "A self-improving Hermes agent can keep reusing obsolete internal knowledge after the underlying workflow, API, metric, or policy has changed.",
-      "roi": "High: prevents portable knowledge from becoming portable drift. This makes Hermes safer for long-running local agents and team-shared skill libraries.",
-      "rollout": "Block promotion when a skill has no freshness window, conflicts with active ThumbGate rules, or cites stale source material. Require log.md or equivalent change-history evidence for refreshed bundles."
-    },
     {
       "id": "require-human-in-the-loop-pause",
       "name": "Enforce Human-in-the-Loop pause for critical decisions",