thumbgate 1.27.4 → 1.27.7

package/scripts/seo-gsd.js

@@ -105,6 +105,11 @@ const HIGH_ROI_QUERY_SEEDS = [
     93,
     'Fresh Slack engineering pattern where ThumbGate can gate director journals, critic reviews, credibility scoring, and timelines for long-running agents.',
   ),
+  querySeed(
+    'agent context governance',
+    95,
+    'Fresh AdaCoM, tokenmaxxing, and Claude Managed Agents demand where ThumbGate can govern context hygiene, session logs, sandbox boundaries, credential separation, and pre-action proof.',
+  ),
   querySeed(
     'reasoning compression guardrails',
     92,
@@ -170,6 +175,16 @@ const HIGH_ROI_QUERY_SEEDS = [
     95,
     'Bottom-of-funnel query for teams ready to add human approval and evidence requirements before AI agents touch risky tools.',
   ),
+  querySeed(
+    'agentic web governance',
+    94,
+    'Fresh Cloudflare bot-majority demand: buyers need machine-readable pages and pre-action governance now that AI agents can create more web actions than humans.',
+  ),
+  querySeed(
+    'database safety for ai agents',
+    96,
+    'Fresh database-agent risk query from the 2026 DB/AI conversation: agents can hallucinate UI, but SQL writes, migrations, and role grants can destroy production data.',
+  ),
   {
     query: 'thumbs up thumbs down feedback for ai coding agents',
     businessValue: 95,
@@ -224,6 +239,12 @@ const HIGH_ROI_QUERY_SEEDS = [
     source: 'seed',
     notes: 'Integration page for Gemini CLI users who need memory plus enforcement.',
   },
+  {
+    query: 'hermes agent guardrails',
+    businessValue: 84,
+    source: 'seed',
+    notes: 'Integration page for Hermes Agent users who need pre-action gates around persistent memory, generated skills, messaging gateways, scheduled automations, and sandboxed execution.',
+  },
   {
     query: 'roo code alternative cline',
     businessValue: 83,
@@ -495,6 +516,69 @@ const GOVERN_CLAUDE_FOR_LEGAL_GUIDE_SPEC = Object.freeze({
   relatedPaths: ['/guides/ai-coding-agent-zero-trust', '/guides/pre-action-checks'],
 });
 
+// Targets the Cycode-owned IDE-security lexicon (Feb 2026 blog popularized
+// PreToolUse / beforeMCPExecution / beforeReadFile as enterprise hook names) —
+// fills the indie/MIT slot beneath funded vendors when LLM answer engines
+// (Perplexity/ChatGPT/Gemini/Claude/Grok) cite for "how do I stop Claude Code
+// from running dangerous commands" buyer-intent queries. See the verified-
+// absence finding in the 2026-06-05 deep-research report.
+const PRETOOLUSE_HOOK_GUIDE_SPEC = Object.freeze({
+  slug: 'claude-code-pretooluse-hook',
+  meta: {
+    query: 'claude code pretooluse hook block mcp tool calls',
+    title: 'Claude Code PreToolUse Hook | Block MCP Tool Calls Before They Run',
+    heroTitle: 'Claude Code PreToolUse Hook: Block MCP Tool Calls Before They Run',
+    heroSummary: 'The PreToolUse hook is the boundary where you intercept what a Claude Code, Cursor, or Codex agent is about to do — before the rm -rf, before the bad git push, before the destructive SQL. ThumbGate is the local-first, MIT-licensed CLI that ships production-grade PreToolUse, beforeMCPExecution, and beforeReadFile gating with one npx command, and learns from every thumbs-down so the same mistake never reaches the tool call twice.',
+  },
+  takeaways: [
+    'PreToolUse is the only hook point where you can stop a destructive agent action — by the time PostToolUse fires, the damage is done.',
+    'ThumbGate ships PreToolUse, beforeMCPExecution, and beforeReadFile gates out of the box for Claude Code, Cursor, Codex, Gemini CLI, Amp, Cline, and any MCP-compatible agent — no hand-written hook scripts to maintain per machine.',
+    'A thumbs-down on a blocked action becomes an auto-promoted prevention rule that holds across every session, model, and agent — the part DIY hook repos cannot do.',
+  ],
+  sections: [
+    ['paragraphs', 'What the PreToolUse hook actually is', [
+      'In the Model Context Protocol agent loop, every tool the model calls — Bash, Edit, Write, a custom MCP server method — flows through a PreToolUse phase before execution. That phase is the only place where an external policy can intercept the call, inspect its arguments, and decide whether to allow, modify, warn, or deny it. PostToolUse fires after the side effect has already happened, which is too late for destructive actions.',
+      'beforeMCPExecution, beforeReadFile, and beforeSubmitPrompt are the same idea applied at the MCP and IDE layers. Cycode\'s February 2026 IDE-security blog popularized this naming for enterprise customers; ThumbGate ships the same hook surface as an open-source CLI you can install in 30 seconds.',
+    ]],
+    ['bullets', 'What ThumbGate blocks at PreToolUse out of the box', [
+      'Catastrophic shell: rm -rf at home/root, sudo wrapping a dangerous command, find -delete on sensitive paths.',
+      'Secret exfiltration: writes that contain API keys, tokens, or .env contents heading to the wrong directory.',
+      'Workflow-scope violations: edits outside the declared task scope, off-branch git push, accidental main commits.',
+      'Repeated mistakes from this team: anything you\'ve already given a thumbs-down in a past session — auto-promoted to a hard prevention rule.',
+      'MCP tool calls flagged by your project\'s gate config — pattern, severity, or learned-from-feedback rules.',
+    ]],
+    ['paragraphs', 'Why DIY PreToolUse scripts stop working past week two', [
+      'A hand-rolled hook script starts simple: a regex on the Bash command, a list of forbidden paths. By week two it has six edge cases, no test coverage, and lives in one machine\'s .claude directory — invisible to the rest of the team. By week four someone deletes it because it false-positived once on a legitimate command and nobody documented why.',
+      'ThumbGate ships the rules as a versioned config, the feedback loop as a CLI, the learning as cross-session prevention rules, and the proof as an audit trail your dashboard renders. The work you would do by hand on hooks, done once and shared.',
+    ]],
+  ],
+  faq: [
+    [
+      'Is the PreToolUse hook the same as beforeMCPExecution?',
+      'Conceptually yes — both are the pre-execution interception point. PreToolUse is the Claude Code / Anthropic CLI term for the hook in the agent loop. beforeMCPExecution (and beforeReadFile, beforeSubmitPrompt) is the IDE-security framing popularized by Cycode for the same boundary at the MCP layer. ThumbGate implements all of them as one local-first gate engine.',
+    ],
+    [
+      'Do I need this if Claude Code already has native hooks?',
+      'Native hooks give you the hook point. They do not give you the rule set, the cross-session learning, the team-wide rule sharing, or the audit trail. ThumbGate ships those on top of the hook so you stop maintaining bespoke scripts and start blocking the repeat mistakes specifically your agents make.',
+    ],
+    [
+      'Does this run locally or call a cloud service?',
+      'Local-first. The PreToolUse decision happens in the hook process on your machine in milliseconds — no network round-trip, no cloud dependency, no data leaving the laptop. Optional hosted sync exists for teams that want to share rules across seats.',
+    ],
+  ],
+  relatedPaths: ['/guides/mcp-tool-governance', '/guides/ai-agent-pre-action-approval-gates', '/guides/ai-coding-agent-zero-trust'],
+});
+
+function buildPretooluseHookGuide() {
+  return preActionGuide(PRETOOLUSE_HOOK_GUIDE_SPEC.slug, {
+    ...PRETOOLUSE_HOOK_GUIDE_SPEC.meta,
+    takeaways: PRETOOLUSE_HOOK_GUIDE_SPEC.takeaways,
+    sections: PRETOOLUSE_HOOK_GUIDE_SPEC.sections.map(([kind, heading, entries]) => buildSectionFromSpec(kind, heading, entries)),
+    faq: PRETOOLUSE_HOOK_GUIDE_SPEC.faq.map(([question, text]) => answer(question, text)),
+    relatedPaths: PRETOOLUSE_HOOK_GUIDE_SPEC.relatedPaths,
+  });
+}
+
 function buildGovernClaudeForLegalGuide() {
   return preActionGuide(GOVERN_CLAUDE_FOR_LEGAL_GUIDE_SPEC.slug, {
     ...GOVERN_CLAUDE_FOR_LEGAL_GUIDE_SPEC.meta,
@@ -1546,6 +1630,68 @@ function buildAiRecommendationVisibilityGuide(spec) {
 }
 
 const PAGE_BLUEPRINTS = [
+  {
+    query: 'snowflake cortex agent governance vs local coding agent guardrails',
+    path: '/compare/snowflake-cortex-agent-governance',
+    pageType: 'comparison',
+    pillar: 'comparison',
+    title: 'ThumbGate vs Snowflake Cortex Agent Governance | Two Different Layers',
+    heroTitle: 'ThumbGate vs Snowflake Cortex Agent Governance',
+    heroSummary: 'At Snowflake Summit 2026, agent governance became headline infrastructure: Cortex CoCo runs under your existing RBAC inside Snowflake\'s perimeter, and the Natoma acquisition adds a permission gateway built to freeze out rogue agents. That is the right model for agents operating inside the data cloud. But the coding agent in your terminal acts earlier and lower in the stack: Claude Code, Cursor, and Codex run rm -rf, force-push to main, and write secrets to disk on your own machine, under your own credentials, before any platform RBAC ever sees the request. ThumbGate is the local-first PreToolUse layer for exactly that surface. They are not competitors — they are different layers of the same defense.',
+    takeaways: [
+      'Snowflake Cortex and Natoma govern what an agent does inside the enterprise data perimeter — server-side, under RBAC, with a full audit trail. The right tool when the agent\'s actions are SQL and data access inside Snowflake.',
+      'ThumbGate governs what a coding agent does on the developer\'s machine — rm -rf, force-push, secret writes, off-scope edits — in the PreToolUse hook, before execution, before any platform sees the request.',
+      'The two compose. A coding agent that force-pushes broken code or leaks a key never reached Snowflake\'s perimeter to be governed there; that failure happens in the dev loop, which is the layer ThumbGate owns.',
+    ],
+    sections: [
+      {
+        heading: 'The boundary in one sentence',
+        paragraphs: [
+          'Snowflake Cortex governs what an agent is allowed to do once it is operating inside Snowflake — querying tables, accessing data, taking actions under your RBAC, with prompt-injection guardrails and an audit trail. Natoma extends that to a permission gateway across enterprise apps.',
+          'ThumbGate governs what a coding agent does on the developer\'s machine, in the PreToolUse hook, before the tool call executes — the rm -rf, the git push --force, the secret written to disk. That happens in the terminal, under the developer\'s own credentials, before any platform boundary exists to enforce it.',
+        ],
+      },
+      {
+        heading: 'Choose Snowflake Cortex / Natoma governance when',
+        bullets: [
+          'Your agents operate inside the Snowflake data cloud and the risk you manage is data access and SQL under enterprise RBAC.',
+          'You need centralized, server-side policy and audit across enterprise applications and identities.',
+          'Your buyer is a data or platform team standardizing agent access at the organization level.',
+        ],
+      },
+      {
+        heading: 'Choose ThumbGate when',
+        bullets: [
+          'Your risk is a coding agent on a developer\'s machine — Claude Code, Cursor, Codex, Gemini, Amp, Cline, OpenCode — running destructive shell, git, or filesystem actions.',
+          'You want enforcement in the PreToolUse hook, before execution, with zero server and zero rollout — npx thumbgate init in 30 seconds.',
+          'You want a learning loop: a thumbs-down on a blocked action becomes an auto-promoted prevention rule that holds across every session and every agent.',
+          'You want least-privilege task scope and a local audit trail of every blocked action — not only inside one platform\'s perimeter.',
+        ],
+      },
+      {
+        heading: 'Why the two layers do not overlap',
+        paragraphs: [
+          'Snowflake validated the thesis the whole category now agrees on: agents need a control layer that decides what they can do before they do it, not an audit log after the damage. At Summit 2026 they made it headline infrastructure and acquired Natoma to enforce it across the enterprise.',
+          'But platform governance can only act on requests that reach the platform. A coding agent that force-pushes broken code, deletes a directory, or commits a secret has already done the damage on the developer\'s machine — that action never traveled to Snowflake to be governed. ThumbGate is the enforcement point for that earlier, lower layer. If you run AI coding agents and AI inside your data cloud, you want both: ThumbGate at the dev loop, platform governance at the data layer.',
+        ],
+      },
+    ],
+    faq: [
+      {
+        question: 'Is ThumbGate an alternative to Snowflake Cortex agent governance?',
+        answer: 'Not exactly — they govern different layers. Snowflake Cortex and Natoma govern agents operating inside the enterprise data cloud under RBAC. ThumbGate governs coding agents on the developer\'s machine in the PreToolUse hook, before any action reaches a platform. If your risk is a coding agent running rm -rf or force-pushing to main, ThumbGate is the right layer; if your risk is data access inside Snowflake, Cortex is. Most teams running both AI coding agents and AI in their data cloud want both.',
+      },
+      {
+        question: 'Does ThumbGate require a server or enterprise rollout like Natoma?',
+        answer: 'No. ThumbGate is local-first: npx thumbgate init wires the PreToolUse hook on your machine in about 30 seconds, with no server, no gateway, and no platform rollout. Natoma is a server-side permission gateway for enterprise applications; ThumbGate runs entirely in the developer\'s local agent loop. That is the deliberate difference in surface.',
+      },
+      {
+        question: 'Snowflake says agentic security needs a fundamentally different approach. Does ThumbGate agree?',
+        answer: 'Yes — and ThumbGate has been built on that premise from day one. The shared thesis is that you enforce before the action, not after: a deterministic pre-action gate, not a model reviewing its own output. Snowflake applies that inside the data perimeter; ThumbGate applies it at the coding-agent layer on the developer\'s machine. The agreement on the model is exactly why the two compose rather than compete.',
+      },
+    ],
+    relatedPaths: ['/compare/claude-code-hooks-mastery', '/guides/ai-agent-pre-action-approval-gates', '/guides/background-agent-governance'],
+  },
   {
     query: 'thumbgate vs speclock',
     path: '/compare/speclock',
@@ -1649,6 +1795,7 @@ const PAGE_BLUEPRINTS = [
   buildSemanticPseoGuide(),
   buildZeroTrustGuide(),
   buildGovernClaudeForLegalGuide(),
+  buildPretooluseHookGuide(),
   buildProxyPointerRagGuide(),
   buildRagPrecisionTuningGuide(),
   buildAiEngineeringStackGuide(),
@@ -1709,6 +1856,136 @@ const PAGE_BLUEPRINTS = [
     ],
     relatedPaths: ['/guides/code-knowledge-graph-guardrails', '/guides/agent-harness-optimization', '/guides/pre-action-checks'],
   },
+  {
+    query: 'thumbgate vs cycode ai coding agent guardrails',
+    path: '/compare/cycode',
+    pageType: 'comparison',
+    pillar: 'comparison',
+    title: 'ThumbGate vs Cycode | Local-First MIT Alternative for AI Agent Guardrails',
+    heroTitle: 'ThumbGate vs Cycode',
+    heroSummary: 'Cycode ships IDE-native security guardrails for enterprise AppSec teams — agent-time scanning, beforeMCPExecution / beforeReadFile / beforeSubmitPrompt hooks, and integration with their broader code-security platform. ThumbGate is the local-first, MIT-licensed CLI that ships the same PreToolUse / MCP-tool-call gating surface as an open-source npm install — and adds a learning loop where every thumbs-down becomes an auto-promoted prevention rule the team shares.',
+    takeaways: [
+      'Cycode is enterprise IDE security: agent-time scanning + hook interception + platform integration with their broader AppSec suite.',
+      'ThumbGate ships the same PreToolUse / beforeMCPExecution surface as an MIT-licensed CLI you install in 30 seconds — no platform contract, no procurement cycle.',
+      'The decision is mostly company-shape: enterprise security teams take Cycode; solo devs, OSS maintainers, and small teams take ThumbGate. The learning-loop (thumbs-down → prevention rule across sessions) is something Cycode does not advertise.',
+    ],
+    sections: [
+      {
+        heading: 'The product difference in one sentence',
+        paragraphs: [
+          'Cycode is "IDE security for the enterprise" — its February 2026 announcement positions the agent-time hooks (beforeSubmitPrompt, beforeReadFile, beforeMCPExecution) as one module of a broader AppSec platform that also covers secrets, SAST, SCA, and supply chain.',
+          'ThumbGate is a single-purpose, open-source, local-first CLI for the same hook surface. The lexicon is the same; the buyer is different. ThumbGate optimizes for a developer who can `npx thumbgate init` and have working PreToolUse gating before lunch.',
+        ],
+      },
+      {
+        heading: 'Choose Cycode when',
+        bullets: [
+          'You have an enterprise AppSec team that needs a unified vendor across secrets, SAST, SCA, supply-chain, and the new agent-time hook layer.',
+          'You need centralized policy management, RBAC, SIEM integration, and a procurement-ready contract with SOC2 / ISO-grade artifacts.',
+          'Your security org wants one dashboard for IDE-time and CI/CD-time security posture across the whole repo footprint.',
+        ],
+      },
+      {
+        heading: 'Choose ThumbGate when',
+        bullets: [
+          'You want PreToolUse / beforeMCPExecution gating working in 30 seconds via `npx thumbgate init` — no contract, no platform install, no procurement.',
+          'You want a learning loop: a thumbs-down on a blocked action becomes an auto-promoted prevention rule that holds across every session, model, and agent.',
+          'You are a solo developer, OSS maintainer, or small team that wants MIT-licensed code you can read, fork, and verify — not a closed-source SaaS.',
+          'You want the gating engine to run entirely on the developer machine with zero network egress for the hook decision itself.',
+        ],
+      },
+      {
+        heading: 'What the two products share',
+        paragraphs: [
+          'Both put the enforcement boundary at the same place — the agent\'s tool call, before execution — and both name the hooks the same way (PreToolUse / beforeMCPExecution / beforeReadFile). The category lexicon is the same because the underlying agent loop is the same.',
+          'The disagreement is on packaging. Cycode wraps it in an enterprise platform contract; ThumbGate ships it as an MIT-licensed CLI. If you are an enterprise security team buying a platform, you are not the ThumbGate buyer. If you are a developer who wants to type `npx thumbgate init` and have agent gating running before the next standup, Cycode is over-scoped for you.',
+        ],
+      },
+    ],
+    faq: [
+      {
+        question: 'Is ThumbGate a direct replacement for Cycode\'s agent-time hooks?',
+        answer: 'For the hook surface itself — PreToolUse, beforeMCPExecution, beforeReadFile — yes. For the broader Cycode AppSec platform (secrets scanning, SAST, SCA, supply chain), no. ThumbGate is single-purpose: agent-time tool-call gating with a learning loop. If you only need that, ThumbGate replaces the Cycode agent-time module at zero license cost.',
+      },
+      {
+        question: 'Why would I pick MIT-licensed local-first over a funded enterprise vendor?',
+        answer: 'Three reasons. (1) Cost: no per-seat license. (2) Speed of adoption: `npx thumbgate init` is faster than enterprise procurement. (3) Auditability: you can read the gate-engine code, modify it, and run it offline. The trade-off is you do not get a platform contract, RBAC, or a single vendor for all your AppSec needs. That is a fine trade-off for a solo dev or small team; it is the wrong trade-off for a regulated enterprise.',
+      },
+      {
+        question: 'Does Cycode have the cross-session learning loop?',
+        answer: 'Not advertised on their public materials as of the February 2026 announcement. Cycode\'s hooks are policy-driven; ThumbGate adds a feedback-to-rules pipeline where a thumbs-down on a blocked action becomes an auto-promoted prevention rule that holds across every session and every agent on the same install.',
+      },
+      {
+        question: 'Can I use both?',
+        answer: 'Technically yes — Cycode at the enterprise platform layer, ThumbGate as the developer-local fast loop — but most teams will pick one. They occupy the same hook surface, so running both means resolving who wins on conflicts. The simpler pattern is to pick by buyer profile: enterprise security team buys Cycode, individual developer / small team installs ThumbGate.',
+      },
+    ],
+    relatedPaths: ['/guides/claude-code-pretooluse-hook', '/guides/mcp-tool-governance', '/guides/ai-coding-agent-zero-trust'],
+  },
+  {
+    query: 'thumbgate vs disler claude code hooks mastery',
+    path: '/compare/claude-code-hooks-mastery',
+    pageType: 'comparison',
+    pillar: 'comparison',
+    title: 'ThumbGate vs disler/claude-code-hooks-mastery | When to Pick the OSS Tool',
+    heroTitle: 'ThumbGate vs disler/claude-code-hooks-mastery',
+    heroSummary: 'disler/claude-code-hooks-mastery is the most-starred community repo for Claude Code hooks — a comprehensive, free, MIT-licensed example library you can copy-paste into your own .claude/ config. ThumbGate is a published npm CLI that does the same gating work plus a learning loop where every thumbs-down becomes an auto-promoted prevention rule that holds across sessions, models, and agents. The disler repo is where you START; ThumbGate is what you USE when you stop wanting to maintain hook scripts by hand.',
+    takeaways: [
+      'disler/claude-code-hooks-mastery is a free reference repo of hook examples — you copy them into .claude/, edit, and maintain per-machine, per-project.',
+      'ThumbGate ships the same gating engine as one `npx thumbgate init` install — versioned config, cross-session prevention rules, dashboard, audit trail.',
+      'The right path: start with the disler repo to learn what is possible; move to ThumbGate when you find yourself maintaining hook scripts in three projects.',
+    ],
+    sections: [
+      {
+        heading: 'The product difference in one sentence',
+        paragraphs: [
+          'disler/claude-code-hooks-mastery is a GitHub repository of high-quality example hooks you read, learn from, and copy into your own setup. ThumbGate is a published CLI that ships the gating engine as a runnable tool with cross-session learning, a dashboard, and an audit trail.',
+          'Both are MIT-licensed. Both run locally. The disagreement is whether you want to read example scripts and own the maintenance, or install a tool that does the work and stays in sync.',
+        ],
+      },
+      {
+        heading: 'Choose disler/claude-code-hooks-mastery when',
+        bullets: [
+          'You want to learn how Claude Code hooks actually work by reading well-written examples.',
+          'You are happy maintaining your own .claude/ config per project and per machine.',
+          'You only need static pattern-matching — no need for cross-session learning, dashboard, or audit history.',
+          'You explicitly do not want any installed dependency beyond what you author yourself.',
+        ],
+      },
+      {
+        heading: 'Choose ThumbGate when',
+        bullets: [
+          'You want PreToolUse gating working in 30 seconds via `npx thumbgate init` — no copy-paste, no per-machine setup.',
+          'You want the learning loop: a thumbs-down on a blocked action becomes an auto-promoted prevention rule that holds across every session and every agent on the install.',
+          'You want a dashboard showing what was blocked, why, and which feedback became which rule — auditable evidence, not just hook scripts on disk.',
+          'You want one gate engine that works across Claude Code, Cursor, Codex, Gemini CLI, Amp, Cline, and OpenCode — not a separate copy-paste exercise per agent.',
+          'You operate on more than one project and do not want to maintain N copies of the same hook scripts.',
+        ],
+      },
+      {
+        heading: 'What the disler repo does brilliantly',
+        paragraphs: [
+          'It is the best public reference for what a Claude Code PreToolUse hook can do — clear examples, real patterns, MIT-licensed code you can read end-to-end in an afternoon. If you are evaluating the category, that repo is required reading. It also has 3,000+ stars at the time of writing for a reason: the examples are good.',
+          'ThumbGate is not trying to replace that learning resource. The disler repo is where you understand the surface; ThumbGate is what you use when you decide to ship gating in production and want the cross-session learning, the dashboard, and the team-shared rule library that copy-paste cannot give you.',
+        ],
+      },
+    ],
+    faq: [
+      {
+        question: 'Why pay $19/mo for ThumbGate Pro when disler hooks are free?',
+        answer: 'Free disler hooks are static patterns you maintain per machine — re-copying them when they change, debugging false positives alone, and re-applying them in every new project. ThumbGate Pro adds the learning loop (thumbs-down → cross-session prevention rule), the dashboard, hosted sync across machines, and adapter maintenance across the weekly breaking-change cycle of Claude Code, Cursor, and Cline. Free disler is the right answer if you only ever work in one project on one machine and never want to learn from past mistakes. Pro is the right answer when those assumptions stop holding.',
+      },
+      {
+        question: 'Is ThumbGate just a packaged version of disler/claude-code-hooks-mastery?',
+        answer: 'No. ThumbGate ships its own gate engine, feedback-to-rules pipeline, dashboard, and audit trail. The disler repo is a reference of well-written hook scripts you copy into your config; ThumbGate is a runnable CLI that ships the gate engine and adds a learning layer on top. Both are MIT-licensed and both rely on the same Claude Code PreToolUse hook surface — that is where the similarity ends.',
+      },
+      {
+        question: 'Should I start with disler or ThumbGate?',
+        answer: 'If you want to understand the category, read the disler repo first — it is the best public reference for what hooks can do. If you want gating working now without authoring scripts, run `npx thumbgate init`. Most users end up doing both: read disler to learn, install ThumbGate when they decide they would rather use a tool than maintain scripts.',
+      },
+    ],
+    relatedPaths: ['/guides/claude-code-pretooluse-hook', '/compare/cycode', '/guides/pre-action-checks'],
+  },
   buildClaudeCodeSkillsGuide(),
   buildLongRunningAgentContextGuide(),
   buildReasoningCompressionGuide(),
@@ -1825,6 +2102,68 @@ const PAGE_BLUEPRINTS = [
     ],
     relatedPaths: ['/guides/pre-action-checks', '/guides/agent-harness-optimization', '/guides/ai-search-topical-presence'],
   },
+  {
+    query: 'database safety for ai agents',
+    path: '/guides/database-agent-safety',
+    pageType: 'guide',
+    pillar: 'pre-action-checks',
+    title: 'Database Safety for AI Agents | ThumbGate Guide',
+    heroTitle: 'Database Safety for AI Agents',
+    heroSummary: 'AI agents can write code quickly, but database actions need stricter gates: a hallucinated SQL write, migration, role grant, or production config change can destroy data before review.',
+    takeaways: [
+      'Databases are the highest-blast-radius tool surface for autonomous coding agents.',
+      'The winning pattern is not an AI DBA autopilot alone; it is a pre-action approval boundary before SQL, migrations, and privilege changes run.',
+      'ThumbGate turns repeated database mistakes into rules that block or pause the next risky query before execution.',
+    ],
+    sections: [
+      {
+        heading: 'Why database work is the final boss for agents',
+        paragraphs: [
+          'A bad UI component is visible and usually reversible. A bad production query can delete rows, lock writes, leak data, or change privileges before anyone reviews the pull request.',
+          'That is why database-agent safety belongs at the tool-call boundary. The agent should be stopped before it runs DROP, TRUNCATE, unbounded UPDATE/DELETE, production migrations, or role grants.',
+        ],
+      },
+      {
+        heading: 'The high-ROI gate pack',
+        bullets: [
+          'Block DROP, TRUNCATE, DROP DATABASE, and DROP SCHEMA unless human approval and rollback evidence are attached.',
+          'Block UPDATE and DELETE without a restrictive WHERE clause, including WHERE 1=1 and WHERE TRUE.',
+          'Require backup, snapshot, or reversible migration proof before production schema changes.',
+          'Require dry-run or EXPLAIN evidence before production writes and migrations.',
+          'Warn on CREATE INDEX without CONCURRENTLY and CROSS JOINs that can create performance incidents.',
+          'Block role creation, role alteration, and broad grants from autonomous agents.',
+        ],
+      },
+      {
+        heading: 'Where ThumbGate fits',
+        paragraphs: [
+          'ThumbGate is not trying to replace Postgres, MySQL, Prisma, Rails migrations, or a DBA. It is the pre-action control plane that checks the agent before those tools execute.',
+          'The feedback loop matters: when a human gives a thumbs-down on an unsafe migration or query, ThumbGate can promote the failure pattern into a prevention rule so the next agent run cannot repeat it silently.',
+        ],
+      },
+      {
+        heading: 'First workflow to gate',
+        paragraphs: [
+          'Start with one production migration path. Require the agent to show target environment, dry-run output, backup or snapshot evidence, rollback plan, and human approval before it can run the command. That single workflow makes the value visible to engineering leaders immediately.',
+        ],
+      },
+    ],
+    faq: [
+      {
+        question: 'Should AI agents be allowed to run production database migrations?',
+        answer: 'Only behind an approval gate. Production migrations should require target verification, dry-run output, backup or snapshot evidence, rollback plan, and human approval before the command executes.',
+      },
+      {
+        question: 'What database actions should be blocked by default?',
+        answer: 'DROP, TRUNCATE, DROP DATABASE, DROP SCHEMA, role or grant changes, unbounded UPDATE or DELETE, and production migrations without rollback and dry-run evidence should be blocked or paused before execution.',
+      },
+      {
+        question: 'Is this an AI DBA replacement?',
+        answer: 'No. ThumbGate is the governance layer before an agent touches database tooling. It blocks known-bad actions and requires proof for risky actions; DBAs and platform teams still own database design and operations.',
+      },
+    ],
+    relatedPaths: ['/guides/pre-action-checks', '/guides/ai-agent-pre-action-approval-gates', '/guides/best-tools-stop-ai-agents-breaking-production'],
+  },
   buildHarnessOptimizationGuide(),
   buildCodeKnowledgeGraphGuardrailsGuide(),
   buildDeveloperMachineSupplyChainGuardrailsGuide(),
@@ -2074,6 +2413,234 @@ const PAGE_BLUEPRINTS = [
     ],
     relatedPaths: ['/compare/mem0', '/guides/stop-repeated-ai-agent-mistakes'],
   },
+  {
+    query: 'hermes agent guardrails',
+    path: '/guides/hermes-agent-guardrails',
+    pageType: 'integration',
+    pillar: 'agent-workflows',
+    title: 'Hermes Agent Guardrails | Firewall for Self-Improving Agents',
+    heroTitle: 'Hermes Agent can grow with you. ThumbGate keeps the growing agent safe.',
+    heroSummary: 'Hermes Agent points at the next wave: persistent memory, generated skills, messaging gateways, scheduled automations, and sandboxed execution. ThumbGate is the enforcement layer those workflows need before a remembered mistake becomes another real tool call.',
+    takeaways: [
+      'Hermes validates the market shift toward long-running, self-improving agents.',
+      'Memory and generated skills increase leverage, but they also increase the blast radius of repeated mistakes.',
+      'ThumbGate should be positioned as the local-first pre-action firewall for Hermes-style agents, not as a general agent clone.',
+    ],
+    sections: [
+      {
+        heading: 'Why Hermes-style agents need a separate execution gate',
+        paragraphs: [
+          'A persistent agent can remember projects, generate its own skills, run scheduled automations, and accept instructions from messaging gateways. That is powerful, but it also means one bad habit can persist longer and reach more surfaces.',
+          'The safety problem is not only whether the agent remembers. It is whether remembered lessons can stop the next risky shell command, git action, database write, deploy, browser click, or payment workflow before execution.',
+        ],
+      },
+      {
+        heading: 'What ThumbGate adds to Hermes-style workflows',
+        bullets: [
+          'Pre-action checks before risky tool calls execute.',
+          'Thumbs-down feedback that becomes explicit prevention rules.',
+          'Evidence requirements for deploys, migrations, API calls, and production-facing changes.',
+          'Audit trails that show which lesson, rule, and workflow context allowed or blocked the action.',
+          'A local-first path for teams that want agent memory without handing every correction to a hosted black box.',
+        ],
+      },
+      {
+        heading: 'The buyer message',
+        paragraphs: [
+          'Hermes can be the agent that grows with you. ThumbGate is the firewall that makes sure growth does not mean repeating expensive mistakes faster across more surfaces.',
+          'For teams evaluating persistent agents, the practical first step is not another prompt. It is one enforced rule from one real failure, proven locally, then expanded into Pro or a workflow hardening sprint when the risk is recurring.',
+        ],
+      },
+    ],
+    faq: [
+      {
+        question: 'Does ThumbGate replace Hermes Agent?',
+        answer: 'No. Hermes is a general self-improving agent surface. ThumbGate is the enforcement layer that can sit around Hermes-style workflows so risky actions are checked before execution.',
+      },
+      {
+        question: 'What Hermes features create the biggest need for guardrails?',
+        answer: 'Persistent memory, generated skills, messaging gateways, scheduled automations, browser and tool control, and sandbox backends all increase the value of pre-action gates because the agent can act longer, faster, and from more entry points.',
+      },
+      {
+        question: 'What should teams implement first?',
+        answer: 'Start with one repeated failure pattern: force-push, destructive SQL, unsafe deploy, risky browser action, or off-scope file edit. Capture it once, convert it into a prevention rule, and require evidence before the next similar action runs.',
+      },
+    ],
+    relatedPaths: ['/guides/long-running-agent-context-management', '/guides/background-agent-governance', '/guides/browser-automation-safety'],
+  },
+  {
+    query: 'safe self evolution',
+    path: '/guides/safe-self-evolution',
+    pageType: 'guide',
+    pillar: 'agent-workflows',
+    title: 'Safe Self-Evolution | Autonomous Prompt Optimization without Regression',
+    heroTitle: 'Self-Evolution is Polarizing. Make It Safe with Execution Gates.',
+    heroSummary: 'Hermes-style autonomous agents learn by observing their own execution failures and automatically rewriting their skills or instructions. But critics warn that blind self-evolution can overwrite stable patterns and introduce silent regressions. ThumbGate introduces the Safe Self-Evolution loop: weakness mining from explicit thumbs-down feedback, automated prompt optimization, local verification suites, and atomic git rollbacks.',
+    takeaways: [
+      'Self-improving agents need execution guardrails so a synthesized skill cannot bypass safety constraints.',
+      'Blind self-evolution is unstable; ThumbGate ensures prompt changes are verified against a local holdout suite before committing.',
+      'Rollback capability is mandatory: if validation fails, the evolution engine immediately reverts prompts to the last known-good state.',
+      'Explicit feedback is the anchor: optimize based on real thumbs-down signals, not hallucinatory failure guesses.'
+    ],
+    sections: [
+      {
+        heading: 'The self-evolution dilemma',
+        paragraphs: [
+          'Nous Research’s Hermes Agent points at a future where developers do not write static instructions like CLAUDE.md. Instead, the agent learns from its execution failures and modifies its own SKILL.md files in real-time. This dynamic adaptation yields massive speedups and handles custom codebase quirks autonomously.',
+          'However, the critics are correct: when an agent has the power to edit its own rules without a verification gate, it will eventually overwrite a perfectly stable skill. This introduces regressions, makes debugging impossible, and can lead to security loops where the agent modifies its own guardrails to make a failing task pass.'
+        ]
+      },
+      {
+        heading: 'Safe self-evolution with ThumbGate',
+        paragraphs: [
+          'ThumbGate implements a Safe Self-Evolution loop (based on the Self-Harness paradigm) that gives you the speed of self-improving agents without the instability:',
+          '1. Explicit Weakness Mining: ThumbGate captures structured thumbs-up/down signals on agent actions and compiles them into a JSON log, avoiding random self-diagnosis.',
+          '2. Harness Proposal: The self-harness-optimizer automatically formats these rules and injects them directly into the agent’s prompt instructions (AGENTS.md, GEMINI.md).',
+          '3. Verification Gate: Before the updated prompts are committed, the optimizer runs a local quick verification suite and holdout tests.',
+          '4. Atomic Rollback: If any test fails, the optimizer instantly reverts the workspace prompts and restores the previous snapshot. If they pass, it commits the update to Git.'
+        ]
+      },
+      {
+        heading: 'Competing with blind self-improvement',
+        paragraphs: [
+          'To compete with agents like Hermes, you do not need to give up control of your codebase. You need a pre-action firewall and a prompt optimizer that treats rule generation as code changes—complete with tests, verification, and rollbacks.',
+          'This keeps your agent fast, keeps your instructions dynamic, and ensures your production-facing surfaces remain secure.'
+        ]
+      }
+    ],
+    faq: [
+      {
+        question: 'Does ThumbGate prevent the agent from changing its own rules?',
+        answer: 'Yes. ThumbGate scans newly generated skills and prompt updates against established rules to prevent the agent from bypassing safety gates or deleting security constraints.'
+      },
+      {
+        question: 'How does the rollback mechanism work?',
+        answer: 'When the self-harness optimizer proposes new prompt sections, it saves a snapshot of the current prompt files. It then runs the verification commands. If the status is non-zero, it restores the backup files.'
+      },
+      {
+        question: 'Is this compatible with Hermes Agent?',
+        answer: 'Yes. You can use ThumbGate as the pre-action gate around a Hermes Agent deployment to secure the skills it generates and the messaging channels it posts to.'
+      }
+    ],
+    relatedPaths: ['/guides/hermes-agent-guardrails', '/guides/agent-context-governance', '/guides/stop-repeated-ai-agent-mistakes'],
+  },
+  {
+    query: 'agent context governance',
+    path: '/guides/agent-context-governance',
+    pageType: 'guide',
+    pillar: 'pre-action-checks',
+    title: 'Agent Context Governance | Stop Tokenmaxxing Drift Before Agents Act',
+    heroTitle: 'More Context Is Not Governance. Clean Context Plus Action Gates Is.',
+    heroSummary: 'AdaCoM-style context managers, the tokenmaxxing backlash, Claude Managed Agents, anti-rubber-stamp response prompts, model-provenance scares, ChatGPT Lockdown Mode, MCP routing attacks, resilient graph architectures, rising AI-authored code volume, AI email assistants, platform-agent orchestration, on-device QAT models, and backprop-style failure attribution all point to the same buyer need: long-running agents need structured intent, cleaner context, durable session logs, approved models, isolated execution, credential boundaries, tool lockdown, direct pushback, distributed gates, provenance, and pre-action checks before they touch real systems.',
+    takeaways: [
+      'Long-context agents get better when a separate manager rewrites, preserves, prunes, or merges working context before the next step.',
+      'Tokenmaxxing creates uncontrolled spend and weak governance when teams cannot prove which agent work returned value.',
+      'Managed-agent architectures decouple the brain, hands, sessions, credentials, and sandboxes; ThumbGate adds the local-first action gate around those boundaries.',
+      'Response customization should become a gate too: no padded agreement, no vague completion claims, and no confident answer without evidence or blind-spot checks.',
+      'Lockdown modes validate the egress-control story: sensitive workflows need tool-surface limits, not just better prompts.',
+      'Model leaks and proxy resale scares make approved-provider checks a governance requirement, especially when frontier model cost is high.',
+      'MCP security research makes local config integrity a first-class control: endpoint rewrites and token-routing changes must be monitored before agents act.',
+      'Random-graph infrastructure suggests a governance architecture: use many small local gates that degrade proportionally instead of one central approval bottleneck.',
+      'As AI-authored code volume rises, teams need provenance and evidence gates so generated diffs are attributable, tested, and owned before merge.',
+      'AI customer-response assistants need draft governance: retrieved sources, prompt variables, category routing, and feedback should improve drafts without letting the agent send unsupported claims.',
+      'Enterprise agent platforms need one shared execution contract: structured specs, approved tools, scoped permissions, retries, evals, and traceability instead of 100 fragile team-specific agents.',
+      'On-device QAT models can reduce cost and preserve privacy for first-pass risk classification, but they should escalate rather than approve high-risk actions.',
+      'Backpropagation suggests a useful product metaphor: trace the agent run graph, score local risk at each edge, and cache the blame path so the same failure is blocked faster next time.',
+    ],
+    sections: [
+      {
+        heading: 'Why this matters now',
+        paragraphs: [
+          'The market is moving away from prompt-only agents. New research shows that a separate context manager can improve long-horizon work without retraining the main agent. At the same time, developer teams are realizing that simply buying more tokens does not create accountable engineering process.',
+          'Claude Managed Agents adds the production vocabulary buyers now expect: agents, environments, sessions, sandbox isolation, credential separation, event logs, observability, permission policies, outcomes, and webhooks. ThumbGate should attach to that vocabulary as the pre-action governance layer.',
+        ],
+      },
+      {
+        heading: 'What ThumbGate should enforce',
+        bullets: [
+          'Context hygiene gate: block high-risk actions when the agent is acting from raw chat history, stale memory, or unresolved contradictions.',
+          'Session evidence gate: require an append-only event log, resumable session ID, and proof links before long-running work can deploy, charge, message, or mutate production data.',
+          'Sandbox boundary gate: require isolated execution and explicit network or filesystem scope before generated code runs.',
+          'Credential boundary gate: block actions where tool credentials live beside generated code or where the action lacks user/on-behalf-of attribution.',
+          'Token ROI gate: flag tokenmaxxing workflows that spend heavily without a defined outcome, eval, or proof of returned value.',
+          'Response quality gate: require the agent to lead with the useful answer, call out weak assumptions, and avoid completion claims unless the evidence is attached.',
+          'Model provenance gate: require approved provider domains, known model IDs, expected price ceilings, and no shadow API proxy before routing frontier work.',
+          'Tool lockdown gate: disable or require explicit approval for browsing, downloads, agent mode, generated-code networking, and other outbound paths when sensitive data is in context.',
+          'MCP config integrity gate: alert on ~/.claude.json routing changes, unfamiliar MCP endpoints, localhost proxy additions, OAuth refresh anomalies, and dependency postinstall hooks.',
+          'Distributed gate mesh: keep enforcement close to each repo, tool, and workflow so one failed gate reduces coverage locally instead of collapsing the entire governance path.',
+          'AI-authored code gate: require generated-diff provenance, human owner, tests, risk label, and rollback evidence once agent-authored changes cross a team-defined threshold.',
+          'Customer-response draft gate: require retrieved source links, customer objective, response category, human approval, and no unsupported pricing/security claims before an email leaves draft mode.',
+          'Structured intent gate: require scope, out-of-scope systems, ordered steps, allowed tools, acceptance criteria, and rollback expectations before async agent execution starts.',
+          'Tool contract gate: require versioned schemas, explicit read/write permissions, stable error codes, observability hooks, and audit logging for every MCP tool call.',
+          'Evaluation gate: require golden tasks, regression checks, build/test evidence, and traceable PR or artifact output before a repeated workflow is promoted to platform automation.',
+          'Local classifier gate: run low-cost on-device models for first-pass risk labels, sensitive-data detection, and route selection, then escalate uncertain or high-blast-radius actions to stronger checks.',
+          'Failure attribution graph: record intent, retrieved context, tool choice, local risk score, evidence, and outcome for each step so future gates reuse the causal path instead of starting from scratch.',
+        ],
+      },
+      {
+        heading: 'The buyer message',
+        paragraphs: [
+          'The pitch is not "use fewer tokens" or "summarize harder." The pitch is: keep the agent productive by feeding it the right context, then stop it before risky actions unless the session, sandbox, credentials, and evidence are clean.',
+          'This turns ThumbGate into the practitioner-led governance layer teams can adopt before top-down AI policy arrives. Start with one workflow, prove the gates locally, then expand to Pro or a hardening sprint once the same failure pattern recurs.',
+        ],
+      },
+    ],
+    faq: [
+      {
+        question: 'Is agent context governance just summarization?',
+        answer: 'No. Summarization compresses. Context governance decides what to preserve, prune, merge, verify, or block based on the agent, task, risk, and evidence required before the next action.',
+      },
+      {
+        question: 'Does this compete with Claude Managed Agents?',
+        answer: 'No. Managed Agents provide production infrastructure. ThumbGate can sit beside managed or self-hosted agents as the local-first gate that turns session history, permissions, prior feedback, and evidence requirements into action-level enforcement.',
+      },
+      {
+        question: 'What should teams implement first?',
+        answer: 'Start with one high-cost workflow: deployments, billing, browser automation, database changes, or customer messaging. Require clean context, isolated execution, credential separation, and evidence before that workflow can run.',
+      },
+      {
+        question: 'How does this apply to Claude custom instructions?',
+        answer: 'Treat directness instructions as a policy, not a vibe. ThumbGate can turn them into checks that flag rubber-stamp agreement, missing pushback, and success claims that are not grounded in command output or artifacts.',
+      },
+      {
+        question: 'How does ChatGPT Lockdown Mode help ThumbGate positioning?',
+        answer: 'It validates the category. Lockdown Mode limits high-risk tools to reduce exfiltration paths; ThumbGate brings the same idea to coding and automation agents with local pre-action checks, scoped approvals, and audit evidence.',
+      },
+      {
+        question: 'How should teams handle leaked or proxy-sold model claims?',
+        answer: 'Do not route production work to unapproved proxy endpoints. Require provider provenance, expected model IDs, price ceilings, and security review before an agent can use a new frontier model route.',
+      },
+      {
+        question: 'What is the first MCP security control to add?',
+        answer: 'Watch the local MCP routing configuration for endpoint changes, new proxy addresses, and unexpected OAuth refresh behavior. Then rotate connected tokens only after the malicious hook or config rewrite has been removed.',
+      },
+      {
+        question: 'Why mention random graph architecture in agent governance?',
+        answer: 'Because centralized approval paths become bottlenecks. ThumbGate should use a mesh of local gates across repos, tools, agents, and workflows so control is resilient, inspectable, and does not require one fragile platform migration.',
+      },
+      {
+        question: 'What changes when most new code is AI-authored?',
+        answer: 'Review moves from typing every line to governing provenance, tests, ownership, and rollback. ThumbGate can require evidence before AI-authored diffs merge or touch production workflows.',
+      },
+      {
+        question: 'How does this apply to AI email assistants?',
+        answer: 'Treat every generated reply as a draft until it has source-backed context, a known category, customer-specific constraints, and human approval. Feedback from edited drafts should become retrieval and wording rules, not permission to send automatically.',
+      },
+      {
+        question: 'What does platform ownership change?',
+        answer: 'It prevents every team from building a slightly different unsafe agent loop. A shared platform defines intent shape, approved tools, retries, sandboxing, evals, logging, and gates while teams keep control over domain judgment.',
+      },
+      {
+        question: 'Where do on-device QAT models fit?',
+        answer: 'Use them for cheap private triage: classify risk, detect sensitive context, choose a route, or decide whether to escalate. Do not let a small local classifier silently approve destructive or external actions.',
+      },
+      {
+        question: 'How does backpropagation help agent governance?',
+        answer: 'Use the chain-rule idea as an audit pattern. Break the run into steps, score each local decision, multiply risk through the path, and cache the attribution so the next similar workflow is blocked or escalated earlier.',
+      },
+    ],
+    relatedPaths: ['/guides/long-running-agent-context-management', '/guides/background-agent-governance', '/guides/hermes-agent-guardrails'],
+  },
   {
     query: 'roo code alternative cline',
     path: '/guides/roo-code-alternative-cline',
@@ -2231,6 +2798,74 @@ const PAGE_BLUEPRINTS = [
     ],
     relatedPaths: ['/guides/pre-action-checks', '/guides/mcp-tool-governance', '/guides/ai-agent-governance-sprint'],
   },
+  {
+    query: 'agentic web governance',
+    path: '/guides/agentic-web-governance',
+    pageType: 'guide',
+    pillar: 'pre-action-checks',
+    title: 'Agentic Web Governance | Pre-Action Checks When Bots Outnumber Humans',
+    heroTitle: 'Bots already outnumber humans on the web. AI agents need pre-action governance.',
+    heroSummary: 'Cloudflare says automated requests now make up the majority of HTML traffic. ThumbGate turns that agentic-web shift into a buyer-ready governance story: machine-readable proof for AI search and pre-action checks before agents touch real systems.',
+    takeaways: [
+      'The promotion hook is immediate: the web is becoming agent-first, so AI-agent actions need governance before execution.',
+      'AI search and AI browsers reward machine-readable, authoritative, proof-backed pages instead of vague product copy.',
+      'ThumbGate should own the bridge between agentic traffic, MCP tool calls, and pre-action checks for code, deploys, data, money, and customer systems.',
+    ],
+    sections: [
+      {
+        heading: 'Why the bot-majority milestone matters',
+        paragraphs: [
+          'Search Engine Land reported on June 5, 2026 that Cloudflare data showed automated traffic at about 57.3% of worldwide HTTP requests to HTML content, versus 42.7% for humans. That is not the same as human attention, but it is a real signal that AI agents and bots are becoming the default way the web is requested, summarized, and acted on.',
+          'For ThumbGate promotion, the lesson is not "get more bot traffic." The lesson is that every company will need controls for agent actions that happen before a human click, before a dashboard session, and before a normal attribution path records intent.',
+        ],
+      },
+      {
+        heading: 'The buyer problem this creates',
+        bullets: [
+          'AI crawlers and agents can visit far more pages than a human researcher, increasing load without creating normal referral or checkout signals.',
+          'Agentic search can summarize the answer before the buyer ever lands on the site, so content must be structured enough for LLMs to cite accurately.',
+          'Internal AI agents can also multiply actions: file edits, shell commands, API calls, database reads, deploy attempts, and customer-system writes.',
+          'More agent actions without a pre-action boundary means more repeated mistakes, more hidden cost, and weaker auditability.',
+        ],
+      },
+      {
+        heading: 'Where ThumbGate fits the agentic web',
+        paragraphs: [
+          'ThumbGate is the pre-action governance layer for the same agentic shift. The public website gives AI systems machine-readable context, proof links, FAQ schema, and canonical pages. The product then gives engineering teams runtime gates before agents act.',
+          'That lets the promotion story stay concrete: bots and AI agents already outnumber humans in web requests; ThumbGate makes sure your own AI agents do not behave like unmanaged bots inside your repo, browser, database, CI, payment flow, or customer systems.',
+        ],
+        bullets: [
+          'Use /llm-context.md and /.well-known/llms.txt to make ThumbGate easy for ChatGPT, Claude, Perplexity, Gemini, Grok, and Google AI features to summarize.',
+          'Use pre-action checks to govern MCP tool calls, browser automation, database writes, publish commands, and payment/customer-system actions.',
+          'Use feedback capture so a thumbs-down on one bad agent pattern becomes a repeat-blocking rule across the next session and team workflow.',
+        ],
+      },
+      {
+        heading: 'High-ROI promotion moves',
+        bullets: [
+          'Publish this page as the canonical "agentic web governance" explainer and link it from the homepage, learn hub, llms.txt, and sitemap.',
+          'Pitch the line: "Bots already outnumber humans on the web. ThumbGate keeps AI agents from acting like unmanaged bots in your codebase."',
+          'Target buyer prompts such as "how do I govern AI agents before they call tools?", "AI crawler visibility for developer tools", and "pre-action checks for MCP tools."',
+          'Measure success in Search Console AI reports, first-party landing events, and checkout/intake paths instead of raw traffic alone.',
+        ],
+      },
+    ],
+    faq: [
+      {
+        question: 'What is agentic web governance?',
+        answer: 'Agentic web governance is the content, policy, approval, and runtime-control layer needed when AI agents browse, summarize, and act on behalf of users or teams. For ThumbGate, it means machine-readable public proof plus pre-action checks before internal agents touch real systems.',
+      },
+      {
+        question: 'Does bot traffic mean ThumbGate should block AI crawlers?',
+        answer: 'No. For promotion, ThumbGate should allow legitimate AI discovery while publishing clear llms.txt, schema, canonical pages, and proof links. The product should block risky internal agent actions, not useful AI-search discovery.',
+      },
+      {
+        question: 'How does this create revenue?',
+        answer: 'It gives ThumbGate a timely category narrative for buyers: as agent actions multiply, teams need pre-action controls before code, data, deploys, payments, or customers are touched. The page routes that demand into Pro checkout and the Team workflow hardening sprint.',
+      },
+    ],
+    relatedPaths: ['/guides/ai-search-topical-presence', '/guides/mcp-tool-governance', '/guides/ai-agent-pre-action-approval-gates'],
+  },
   guideBlueprint({
     query: 'autoresearch agent safety',
     path: '/guides/autoresearch-agent-safety',