thumbgate 1.27.6 → 1.27.8

package/adapters/policy-engine/thumbgate-policy-engine-adapter.js

@@ -0,0 +1,260 @@
+#!/usr/bin/env node
+'use strict';
+
+const { normalizeProviderAction } = require('../../scripts/provider-action-normalizer');
+
+const BLOCK_DECISIONS = new Set([
+  'block',
+  'blocked',
+  'deny',
+  'denied',
+  'disallow',
+  'disallowed',
+  'fail',
+  'failed',
+  'forbid',
+  'forbidden',
+  'reject',
+  'rejected',
+  'unsafe',
+  'violation',
+]);
+
+const REVIEW_DECISIONS = new Set([
+  'approval',
+  'approval-required',
+  'approval_required',
+  'approve',
+  'human-review',
+  'human_review',
+  'manual-review',
+  'manual_review',
+  'review',
+  'requires-approval',
+  'requires_approval',
+  'requires-review',
+  'requires_review',
+]);
+
+const ALLOW_DECISIONS = new Set([
+  'accept',
+  'accepted',
+  'allow',
+  'allowed',
+  'ok',
+  'pass',
+  'passed',
+  'permit',
+  'permitted',
+  'safe',
+]);
+
+function asObject(value) {
+  return value && typeof value === 'object' && !Array.isArray(value) ? value : {};
+}
+
+function asArray(value) {
+  return Array.isArray(value) ? value : [];
+}
+
+function firstString(...values) {
+  for (const value of values) {
+    const text = String(value || '').trim();
+    if (text) return text;
+  }
+  return '';
+}
+
+function normalizeDecisionToken(value) {
+  return String(value || '')
+    .trim()
+    .toLowerCase()
+    .replace(/\s+/g, '-');
+}
+
+function normalizeEvidence(value) {
+  const direct = asArray(value.evidence);
+  const citations = asArray(value.citations);
+  const violations = asArray(value.violations);
+  const reasons = asArray(value.reasons);
+  const reasoning = asArray(value.reasoning);
+  const threatTypes = asArray(value.threat_types || value.threatTypes)
+    .map((threatType) => ({
+      code: String(threatType || '').trim(),
+      message: `Threat type: ${String(threatType || '').trim()}`,
+      source: 'guardian',
+      severity: firstString(value.threat_level, value.threatLevel),
+    }));
+  return [...direct, ...citations, ...violations, ...reasons, ...reasoning, ...threatTypes]
+    .map((entry) => {
+      if (typeof entry === 'string') return { text: entry };
+      const object = asObject(entry);
+      if (!Object.keys(object).length) return null;
+      return {
+        id: firstString(object.id, object.ruleId, object.rule_id, object.code),
+        text: firstString(object.text, object.reason, object.message, object.description, object.title),
+        source: firstString(object.source, object.provider, object.policy),
+        severity: firstString(object.severity, object.level),
+        raw: object,
+      };
+    })
+    .filter(Boolean);
+}
+
+function extractPolicyDecision(input = {}) {
+  const event = asObject(input);
+  for (const candidate of [
+    event.policyDecision,
+    event.policy_decision,
+    event.guardrailResult,
+    event.guardrail_result,
+    event.result,
+  ]) {
+    const object = asObject(candidate);
+    if (Object.keys(object).length) return object;
+  }
+  return event;
+}
+
+function classifyPolicyDecision(input = {}) {
+  const value = extractPolicyDecision(input);
+  const token = normalizeDecisionToken(firstString(
+    value.decision,
+    value.action,
+    value.status,
+    value.result,
+    value.verdict,
+    value.outcome,
+    value.effect,
+    value.recommended_action,
+    value.recommendedAction,
+  ));
+
+  if (
+    value.allowed === false
+    || value.is_safe === false
+    || value.isSafe === false
+    || value.accepted === false
+    || value.blocked === true
+    || value.denied === true
+    || BLOCK_DECISIONS.has(token)
+  ) {
+    return 'block';
+  }
+  if (
+    value.requiresApproval === true
+    || value.requires_approval === true
+    || value.reviewRequired === true
+    || value.review_required === true
+    || REVIEW_DECISIONS.has(token)
+  ) {
+    return 'approval_required';
+  }
+  if (
+    value.allowed === true
+    || value.is_safe === true
+    || value.isSafe === true
+    || value.accepted === true
+    || ALLOW_DECISIONS.has(token)
+  ) {
+    return 'allow';
+  }
+  return 'unknown';
+}
+
+function normalizePolicyDecision(input = {}, options = {}) {
+  const value = extractPolicyDecision(input);
+  const decision = classifyPolicyDecision(value);
+  const source = firstString(
+    options.source,
+    value.source,
+    value.provider,
+    value.engine,
+    value.policyEngine,
+    value.policy_engine,
+    'policy-engine'
+  );
+  const reason = firstString(
+    value.reason,
+    value.message,
+    value.explanation,
+    value.summary,
+    asArray(value.reasoning).join('; '),
+    asArray(value.reasons).join('; '),
+    decision === 'unknown' ? 'Policy engine returned an unknown decision; approval required before execution.' : ''
+  );
+
+  return {
+    allowed: decision === 'allow',
+    blocked: decision === 'block',
+    approvalRequired: decision === 'approval_required' || decision === 'unknown',
+    decision,
+    reason,
+    source,
+    confidence: Number.isFinite(Number(value.confidence)) ? Number(value.confidence) : null,
+    policyId: firstString(value.policyId, value.policy_id, value.ruleId, value.rule_id, value.id),
+    severity: firstString(value.severity, value.level, value.threat_level, value.threatLevel),
+    score: Number.isFinite(Number(value.score))
+      ? Number(value.score)
+      : (Number.isFinite(Number(value.threat_score)) ? Number(value.threat_score) : null),
+    evidence: normalizeEvidence(value),
+    raw: value,
+  };
+}
+
+function normalizePolicyAction(input = {}) {
+  const event = asObject(input);
+  return {
+    ...normalizeProviderAction({
+      ...event,
+      provider: firstString(event.provider, event.agentRuntime, event.runtime, 'policy-engine'),
+      toolName: firstString(event.toolName, event.tool_name, event.name),
+      input: asObject(event.toolInput || event.input || event.arguments || event.args),
+    }),
+    policyContext: asObject(event.policyContext || event.policy_context),
+  };
+}
+
+function createPolicyEngineGuard({
+  policyCheck,
+  executeTool,
+  gateCheck,
+  onDecision,
+  source = 'policy-engine',
+} = {}) {
+  if (typeof policyCheck !== 'function') {
+    throw new TypeError('createPolicyEngineGuard requires a policyCheck function');
+  }
+  if (typeof executeTool !== 'function') {
+    throw new TypeError('createPolicyEngineGuard requires an executeTool function');
+  }
+
+  return async function guardedPolicyTool(input = {}) {
+    const normalizedAction = normalizePolicyAction(input);
+    const policyDecision = normalizePolicyDecision(await policyCheck(normalizedAction), { source });
+    const gateDecision = typeof gateCheck === 'function'
+      ? normalizePolicyDecision(await gateCheck({ normalizedAction, policyDecision }), { source: 'thumbgate' })
+      : null;
+    const effectiveDecision = gateDecision && !gateDecision.allowed ? gateDecision : policyDecision;
+
+    if (typeof onDecision === 'function') {
+      await onDecision({ normalizedAction, policyDecision, gateDecision, effectiveDecision });
+    }
+
+    if (!effectiveDecision.allowed) {
+      const error = new Error(effectiveDecision.reason || 'ThumbGate blocked this action before execution.');
+      error.code = effectiveDecision.approvalRequired ? 'THUMBGATE_APPROVAL_REQUIRED' : 'THUMBGATE_BLOCKED';
+      error.thumbgate = { normalizedAction, policyDecision, gateDecision, effectiveDecision };
+      throw error;
+    }
+
+    return executeTool(input, { normalizedAction, policyDecision, gateDecision, effectiveDecision });
+  };
+}
+
+module.exports = {
+  createPolicyEngineGuard,
+  extractPolicyDecision,
+  normalizePolicyAction,
+  normalizePolicyDecision,
+};

package/bench/observability-eval-suite.json

@@ -0,0 +1,26 @@
+{
+  "cases": [
+    {
+      "id": "checkout-link-grounding",
+      "traceId": "trace_checkout_001",
+      "question": "Is the Pro checkout link working?",
+      "response": "The Pro checkout link is working because the checkout diagnostic confirms Stripe Pro checkout is reachable.",
+      "retrievedContexts": [
+        "Stripe Pro checkout diagnostic confirms the Pro checkout link is reachable and returns a valid checkout target.",
+        "The workflow sprint checkout is intake-led and should not expose a stale payment link."
+      ],
+      "reference": "The Pro checkout link is reachable when the Stripe diagnostic passes."
+    },
+    {
+      "id": "letta-tool-gate",
+      "traceId": "trace_letta_001",
+      "question": "Should Letta execute a force push tool call?",
+      "response": "ThumbGate blocks force push before execution for Letta tool calls.",
+      "retrievedContexts": [
+        "ThumbGate's Letta adapter wraps Letta tool calls and runs gate-check before the executor is called.",
+        "Force push to main is a blocked high-risk git action."
+      ],
+      "reference": "ThumbGate blocks high-risk Letta tool calls before execution."
+    }
+  ]
+}

package/bin/cli.js

@@ -61,14 +61,19 @@ const TRIAL_DAYS = 7;
 
 function checkoutUrlFor(source, content) {
   try {
-    const url = new URL(PRO_CHECKOUT_URL);
+    const base = content === 'capture_feedback'
+      ? 'https://buy.stripe.com/7sYfZhaiE1eSbO99uj3sI0d'
+      : PRO_CHECKOUT_URL;
+    const url = new URL(base);
     url.searchParams.set('utm_source', source || 'cli');
     url.searchParams.set('utm_medium', 'cli');
     url.searchParams.set('utm_campaign', 'pro_conversion');
     if (content) url.searchParams.set('utm_content', content);
     return url.toString();
   } catch (_) {
-    return PRO_CHECKOUT_URL;
+    return content === 'capture_feedback'
+      ? 'https://buy.stripe.com/7sYfZhaiE1eSbO99uj3sI0d'
+      : PRO_CHECKOUT_URL;
   }
 }
 
@@ -852,6 +857,14 @@ function quickStart() {
   console.log('');
 }
 
+// Activation walkthrough (guided first rule + live demonstrated block).
+// Implementation lives in scripts/activation-quickstart.js so it can be unit
+// tested without executing the CLI's top-level command switch. `init` is
+// deliberately untouched — this is an additive, separate command.
+function quickstart() {
+  return require(path.join(PKG_ROOT, 'scripts', 'activation-quickstart')).quickstart();
+}
+
 function init(cliArgs = parseArgs(process.argv.slice(3))) {
   const args = { ...cliArgs };
   if (args.help || args.h) {
@@ -1856,6 +1869,7 @@ function modelCandidatesCmd() {
   const maxCandidates = args.max ? Number(args.max) : undefined;
   const { reportPath, report } = writeModelCandidatesReport(undefined, {
     workload: args.workload,
+    workloadFile: args['workload-file'] || args.workloadFile,
     provider: args.provider,
     family: args.family,
     gateway: args.gateway,
@@ -2174,6 +2188,26 @@ function pulse() {
   });
 }
 
+function checkUpdateCmd() {
+  const { checkUpdate } = require(path.join(PKG_ROOT, 'scripts', 'check-update'));
+  const args = parseArgs(process.argv.slice(3));
+  checkUpdate({ verbose: !args.json, force: args.force }).then((res) => {
+    if (args.json) {
+      console.log(JSON.stringify(res, null, 2));
+    }
+    process.exit(0);
+  }).catch((err) => {
+    console.error(err && err.message ? err.message : err);
+    process.exit(1);
+  });
+}
+
+function selfUpdateCmd() {
+  const { selfUpdate } = require(path.join(PKG_ROOT, 'scripts', 'check-update'));
+  const success = selfUpdate();
+  process.exit(success ? 0 : 1);
+}
+
 function dispatchBrief() {
   const args = parseArgs(process.argv.slice(3));
   const {
@@ -3137,6 +3171,7 @@ const SUBCOMMAND_HELP = {
   lessons:       'Usage: npx thumbgate lessons [--query="..."] [--limit=N]\n\nSearch the lesson database (Pro feature).',
   search:        'Usage: npx thumbgate search <query>\n\nSearch ThumbGate knowledge base (Pro feature).',
   'gate-check':  'Usage: npx thumbgate gate-check\n\nPreToolUse hook interface: reads tool call JSON from stdin, outputs gate verdict.',
+  'hermes-gate': 'Usage: npx thumbgate hermes-gate\n\nNous Research Hermes Agent pre_tool_call shell hook: reads Hermes tool-call JSON from stdin, runs the ThumbGate gate pipeline (strict by default), and outputs {"decision":"block","reason":...} to veto or {} to allow. Gates terminal/patch/skill_manage etc. See adapters/hermes/config.yaml.',
   'break-glass': 'Usage: npx thumbgate break-glass --reason="why" [--ttl=5m] [--json]\n\nShort-lived recovery path for over-firing gates. Allows hook settings edits and satisfies PR-create/thread-check gates without disabling core destructive-action protections.',
   serve:         'Usage: npx thumbgate serve\n\nStart the MCP stdio server. This is for agent runtimes, not the local HTTP dashboard.',
   mcp:           'Usage: npx thumbgate mcp\n\nAlias for `thumbgate serve`.',
@@ -3153,6 +3188,7 @@ const SUBCOMMAND_HELP = {
   'setup-vertex': 'Usage: npx thumbgate setup-vertex [--dry-run]\n\nAuto-enable Vertex AI API on GCP and write local Vertex routing config to .env. With --dry-run, only detect the active account/project and print the planned changes. This does not create or verify a Dialogflow CX agent; use the Dialogflow CX REST API or console for live-agent evidence.',
   'ai-inventory': 'Usage: npx thumbgate ai-inventory [--root <dir>] [--format=summary|json|cyclonedx] [--output <path>] [--max-files=N]\n\nScan source/manifests/model artifacts for AI, ML, agent-framework, vector DB, Vertex, Gemini, and Dialogflow CX components. Use --format=cyclonedx to produce exportable ML-BOM evidence for enterprise reviews.',
   brain: 'Usage: npx thumbgate brain [--write] [--json] [--limit=N]\n\nBuild the agent-readable "context brain" — a single artifact consolidating this\nrepo\'s lessons, prevention rules, active gates, and project context for a coding\nagent to read BEFORE acting. --write saves it to .thumbgate/BRAIN.md (versioned,\ndeterministic). --json emits the structured model. --limit caps lessons (default 15).',
+  'team-sync': 'Usage: npx thumbgate team-sync\n\nSynchronize prevention rules and context brain with your team\'s git repository (git pull --rebase & git push), then auto-rebuild the local brain.',
 };
 
 if (_wantsHelp && COMMAND && SUBCOMMAND_HELP[COMMAND]) {
@@ -3282,7 +3318,90 @@ function cmdBrain(args = {}) {
   return 0;
 }
 
+async function teamSync() {
+  const { execSync } = require('child_process');
+
+  // Verify we are in a Git repo
+  try {
+    execSync('git rev-parse --is-inside-work-tree', { stdio: 'ignore', cwd: CWD });
+  } catch (err) {
+    console.error('❌ Error: The current directory is not a Git repository.');
+    process.exit(1);
+  }
+
+  console.log('🔄 Checking shared prevention rules status...');
+
+  const rulesRelative = '.thumbgate/prevention-rules.md';
+  const brainRelative = '.thumbgate/BRAIN.md';
+  const rulesPath = path.join(CWD, rulesRelative);
+
+  if (!fs.existsSync(rulesPath)) {
+    console.log('⚠️  No local prevention rules file found to sync.');
+  }
+
+  let statusOutput = '';
+  try {
+    statusOutput = execSync('git status --porcelain', { encoding: 'utf8', cwd: CWD }) || '';
+  } catch (_) {}
+  const hasLocalChanges = statusOutput.includes(rulesRelative) || statusOutput.includes(brainRelative) || statusOutput.includes('.thumbgate/');
+
+  if (hasLocalChanges) {
+    console.log('📝 Local changes detected in prevention rules. Committing locally...');
+    try {
+      const filesToAdd = [rulesRelative, brainRelative].filter(f => fs.existsSync(path.join(CWD, f)));
+      if (filesToAdd.length > 0) {
+        const filesStr = filesToAdd.map(f => `"${f}"`).join(' ');
+        execSync(`git add -f ${filesStr}`, { cwd: CWD });
+        execSync('git commit -m "chore(thumbgate): update shared prevention rules [skip ci]"', { cwd: CWD });
+        console.log('✅ Local rules committed successfully.');
+      } else {
+        console.log('✨ No local rules files exist to commit.');
+      }
+    } catch (e) {
+      console.log('✨ No changes to commit (already staged/clean).');
+    }
+  } else {
+    console.log('✨ No local rules changes to commit.');
+  }
+
+  // Pull from remote
+  console.log('📥 Pulling rules from teammate remote (git pull --rebase)...');
+  try {
+    execSync('git pull --rebase', { stdio: 'inherit', cwd: CWD });
+  } catch (pullErr) {
+    console.error('❌ Git pull failed. Please resolve conflicts manually.');
+    process.exit(1);
+  }
+
+  // Push to remote
+  console.log('📤 Pushing rules to teammate remote (git push)...');
+  try {
+    execSync('git push', { stdio: 'inherit', cwd: CWD });
+  } catch (pushErr) {
+    console.error('❌ Git push failed. You may need to run git push manually.');
+    process.exit(1);
+  }
+
+  // Rebuild the context brain (.thumbgate/BRAIN.md) from the newly merged rules
+  console.log('🧠 Rebuilding local context brain from merged rules...');
+  try {
+    const brainArgs = { write: true };
+    cmdBrain(brainArgs);
+  } catch (brainErr) {
+    console.warn(`⚠️  Failed to rebuild context brain: ${brainErr.message}`);
+  }
+
+  console.log('\n🚀 Team rules synchronization complete! Your agents now share team-wide learning.');
+}
+
 switch (COMMAND) {
+  case 'team-sync':
+  case 'git-sync':
+    teamSync().catch((err) => {
+      console.error(err && err.message ? err.message : err);
+      process.exit(1);
+    });
+    break;
   case '--version':
   case '-v':
   case 'version':
@@ -3292,6 +3411,10 @@ switch (COMMAND) {
     init();
     upgradeNudge();
     break;
+  case 'quickstart':
+  case 'first-rule':
+    quickstart();
+    break;
   case 'quick-start':
     quickStart();
     break;
@@ -3740,6 +3863,14 @@ switch (COMMAND) {
   case 'pulse':
     pulse();
     break;
+  case 'check-update':
+  case 'upgrade-check':
+    checkUpdateCmd();
+    break;
+  case 'self-update':
+  case 'upgrade-cli':
+    selfUpdateCmd();
+    break;
   case 'dispatch':
   case 'dispatch-brief':
     dispatchBrief();
@@ -3765,6 +3896,53 @@ switch (COMMAND) {
     });
     break;
   }
+  case 'hermes-gate': {
+    // Nous Research Hermes Agent `pre_tool_call` shell hook.
+    // Hermes pipes each pending tool call as JSON to stdin and reads a decision from stdout;
+    // {"decision":"block","reason":...} vetoes the call. We reuse the SAME gate pipeline as
+    // `gate-check` (runAsync → secret guard, security scan, force-push / skill_manage / learned
+    // prevention rules) and translate the verdict into Hermes's format.
+    //
+    // Hermes `pre_tool_call` is binary (block or allow) with no warn channel, and the whole point
+    // of wiring it is to gate, so we run STRICT enforcement by default — otherwise ThumbGate's
+    // warn-by-default posture would pass every deny through and the hook would block nothing.
+    // Opt out with THUMBGATE_HERMES_WARN_ONLY=1; THUMBGATE_HOTFIX_BYPASS=1 still disables checks.
+    // Wire it in ~/.hermes/config.yaml — see adapters/hermes/config.yaml.
+    if (process.env.THUMBGATE_HERMES_WARN_ONLY !== '1' && process.env.THUMBGATE_HOTFIX_BYPASS !== '1') {
+      process.env.THUMBGATE_STRICT_ENFORCEMENT = '1';
+    }
+    const { runAsync: hermesGateRun } = require(path.join(PKG_ROOT, 'scripts', 'gates-engine'));
+    let hermesStdin = '';
+    process.stdin.setEncoding('utf8');
+    process.stdin.on('data', (chunk) => { hermesStdin += chunk; });
+    process.stdin.on('end', async () => {
+      try {
+        const payload = JSON.parse(hermesStdin);
+        // Hermes sends snake_case tool_name/tool_input — gates-engine reads these directly.
+        const verdict = await hermesGateRun({ tool_name: payload.tool_name, tool_input: payload.tool_input });
+        let parsed = {};
+        try { parsed = JSON.parse(verdict); } catch (_e) { parsed = {}; }
+        const hso = parsed.hookSpecificOutput || {};
+        if (hso.permissionDecision === 'deny') {
+          process.stdout.write(JSON.stringify({
+            decision: 'block',
+            reason: hso.permissionDecisionReason || 'Blocked by ThumbGate prevention rule.',
+          }) + '\n');
+        } else {
+          // warn / no match → allow. The gate engine already logged the decision.
+          process.stdout.write(JSON.stringify({}) + '\n');
+        }
+        process.exit(0);
+      } catch (err) {
+        // Hermes hooks fail OPEN on error/timeout — emit an explicit allow so a gate fault
+        // never wedges the agent (reliability ≈ enforcement; keep this fast).
+        process.stderr.write(`hermes-gate error: ${err.message}\n`);
+        process.stdout.write(JSON.stringify({}) + '\n');
+        process.exit(0);
+      }
+    });
+    break;
+  }
   case 'gate-stats':
     gateStats();
     break;

package/bin/postinstall.js

@@ -31,7 +31,7 @@ process.stderr.write(`
   │  Start now:  npx thumbgate init                     │
   │  Updates:    npx thumbgate subscribe you@company.com│
   │                                                     │
-  │  Free after trial: 3 rules, 5 captures/day.        │
+  │  Free after trial: 3 rules, 2 captures/day.        │
   │  Pro ($19/mo): unlimited everything.                │
   ╰─────────────────────────────────────────────────────╯
 

package/config/gate-templates.json

@@ -157,6 +157,18 @@
       "roi": "Connects prevention with remediation: what credential lived where, who touched it, and whether rotation is required.",
       "rollout": "Use with incident-response runbooks and secrets scanner output from GitGuardian or internal tooling."
     },
+    {
+      "id": "require-local-dependency-vulnerability-scan",
+      "name": "Require local dependency vulnerability scan before installation",
+      "category": "Supply Chain Safety",
+      "signal": "👎",
+      "defaultAction": "block",
+      "severity": "high",
+      "pattern": "(npm install|pnpm add|yarn add|bun add|npm i|pnpm i|yarn i).*(vulnerable|cve|high|critical|osv|cve-lite)",
+      "problem": "Blocks package installations that introduce dependencies containing known high-severity or critical vulnerabilities (CVEs) before they are written to the lockfile.",
+      "roi": "Prevents AI agents from introducing vulnerable packages into the workspace. Complements zero-egress local-first scanning toolings (like OWASP CVE Lite CLI) directly at the terminal level.",
+      "rollout": "Enable on every repo where agents can install dependencies or modify lockfiles."
+    },
     {
       "id": "require-section-tree-before-multimodal-answer",
       "name": "Require section tree before multimodal answers",
@@ -576,6 +588,78 @@
       "problem": "Claw agents have broad device-level (local/shared) file system access. Must be strictly gated, especially in on-prem/air-gapped enterprise environments where most data lives.",
       "roi": "Directly supports the hybrid/on-prem reality emphasized in EnterpriseClaw coverage. Prevents broad access from becoming broad exfil or corruption. Ties to ThumbGate's existing path globs and protected files.",
       "rollout": "Use existing protected-paths + new claw-specific rules. Start with read-only for most, explicit approval for writes on sensitive dirs."
+    },
+    {
+      "id": "block-unauthorized-multi-channel-posts",
+      "name": "Block unauthorized multi-channel posts by Hermes Agent",
+      "category": "Nous Research Hermes Agent Governance",
+      "signal": "👎",
+      "defaultAction": "block",
+      "severity": "high",
+      "pattern": "(slack|telegram|discord|signal|whatsapp|send_message|post_message|channel_post).*(credentials|api_key|token|auth|password|unreviewed|unapproved)",
+      "problem": "Hermes Agent can post directly to messaging platforms. This gate prevents leaked credentials or unapproved messages from being posted publicly.",
+      "roi": "High: Prevents public-facing compliance violations, credential leaks, and messaging spam across Telegram, Slack, and Discord.",
+      "rollout": "Enable by default for agents connected to external communication channels."
+    },
+    {
+      "id": "prevent-infinite-skill-synthesis-loops",
+      "name": "Prevent infinite skill synthesis loops",
+      "category": "Nous Research Hermes Agent Governance",
+      "signal": "👎",
+      "defaultAction": "block",
+      "severity": "medium",
+      "pattern": "(hermes|skill synthesis|write skill|synthesize skill|evolve skill|self-improve).*(loop|repeated|stuck|regenerate|no progress)",
+      "problem": "Hermes Agent can get stuck repeatedly rewriting or generating the same skills in Markdown format without resolving the user's core task.",
+      "roi": "Reduces token burn and infinite loop execution loops by gating repeated skill write attempts.",
+      "rollout": "Warn/block when skill edits occur more than 3 times within the same session context."
+    },
+    {
+      "id": "validate-synthesized-skills-against-rules",
+      "name": "Validate synthesized skills against prevention rules",
+      "category": "Nous Research Hermes Agent Governance",
+      "signal": "👎",
+      "defaultAction": "block",
+      "severity": "critical",
+      "pattern": "(write skill|synthesize skill|create skill|update skill).*(override|bypass|ignore|violate).*(prevention rule|gate|thumbgate)",
+      "problem": "Hermes Agent's self-improvement loop can write new skills that conflict with or attempt to bypass established ThumbGate prevention rules.",
+      "roi": "Preserves security invariants by ensuring that synthesized skills never write code patterns blocked by active ThumbGate rules.",
+      "rollout": "Scan synthesized skill markdown content for pattern overlap with active prevention rules before writing to the skills directory."
+    },
+    {
+      "id": "require-human-in-the-loop-pause",
+      "name": "Enforce Human-in-the-Loop pause for critical decisions",
+      "category": "AI Engineering Stack Safety",
+      "signal": "👎",
+      "defaultAction": "block",
+      "severity": "high",
+      "pattern": "(agent_sdk|openrouter_sdk|human_in_loop|auto_resolve).*(auto_resolve|bypass|skip_pause|critical_action)",
+      "problem": "Prevents autonomous agents using the Agent SDK from auto-resolving critical decisions (such as model migration, credential rotations, or financial transactions) without pausing for explicit human approval.",
+      "roi": "Ensures human oversight remains functional on highest-risk actions, preventing the agent from acting entirely unsupervised on critical gates.",
+      "rollout": "Turn on for all production deployments utilizing OpenRouter or other Agent SDKs with auto-resolve capabilities."
+    },
+    {
+      "id": "careful-mode",
+      "name": "Enforce careful mode for destructive commands",
+      "category": "On-Demand Dynamic Gating",
+      "signal": "👎",
+      "defaultAction": "block",
+      "severity": "critical",
+      "pattern": "(rm\\s+-rf|drop\\s+table|force-push|git\\s+push\\s+-[fF]|git\\s+push\\s+--force|kubectl\\s+delete)",
+      "problem": "Blocks dangerous or destructive command sequences (rm -rf, DROP TABLE, force-push, kubectl delete) during sessions where careful mode is activated.",
+      "roi": "Protects production environments and main branches from accidental destructive commands executed by autonomous agents.",
+      "rollout": "Enable dynamically on-demand using /careful or env overrides when executing in sensitive or production workspaces."
+    },
+    {
+      "id": "freeze-mode",
+      "name": "Freeze directory edits",
+      "category": "On-Demand Dynamic Gating",
+      "signal": "👎",
+      "defaultAction": "block",
+      "severity": "high",
+      "pattern": "^freeze_edit_outside_path.*",
+      "problem": "Blocks any file edit or write tool call that is not within a specified active/target directory.",
+      "roi": "Restricts agent edits to a controlled workspace, preventing scope drift, accidental modification of configuration or source files, and unwanted global refactors during focused task debugging.",
+      "rollout": "Enable dynamically on-demand using /freeze to specify the only path(s) the agent is allowed to write to during the session."
     }
   ]
 }

package/config/gates/claim-verification.json

@@ -30,6 +30,12 @@
       "requiredActions": ["github_metadata_verified"],
       "message": "You claimed GitHub repository metadata was updated or verified without source-of-truth evidence. Read it back with gh api/gh repo view and rendered HTML, then call track_action('github_metadata_verified').",
       "createdAt": 1780677400000
+    },
+    {
+      "pattern": "(money|payment|charge|checkout|revenue|price|pricing|invoice|billing|tax|sales tax|inventory|stock|permission|access|customer-facing|customer facing).*(correct|accurate|verified|valid|matches|working|fixed|resolved|calculated|configured)|(correct|accurate|verified|valid|matches|working|fixed|resolved|calculated|configured).*(money|payment|charge|checkout|revenue|price|pricing|invoice|billing|tax|sales tax|inventory|stock|permission|access|customer-facing|customer facing)",
+      "requiredActions": ["commercial_truth_verified"],
+      "message": "You claimed a commercial-data fact (money, tax, inventory, permissions, or customer-facing state) without external source-of-truth evidence. Read the authoritative system first, then call track_action('commercial_truth_verified').",
+      "createdAt": 1781640000000
     }
   ]
 }