thumbgate 1.27.8 → 1.27.10

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "thumbgate",
   "description": "One 👎 becomes a hard rule the agent cannot bypass. Captures thumbs-down feedback, distills it into PreToolUse Pre-Action Checks, enforced across every future Claude Code session.",
-  "version": "1.27.8",
+  "version": "1.27.7",
   "author": {
     "name": "Igor Ganapolsky",
     "email": "ig5973700@gmail.com",

package/.well-known/llms.txt

@@ -64,11 +64,10 @@ npx thumbgate init --agent claude-code
 - Agent discovery: https://thumbgate.ai/.well-known/mcp.json
 - Progressive tool index: https://thumbgate.ai/.well-known/mcp/tools.json
 - Context footprint report: https://thumbgate.ai/.well-known/mcp/footprint.json
-- Headroom context compression guardrails: https://thumbgate.ai/guides/headroom-context-compression-guardrails
-- Sovereign coding model guardrails: https://thumbgate.ai/guides/sovereign-coding-model-guardrails
 - Agentic web governance: https://thumbgate.ai/guides/agentic-web-governance
 - AI Mode ads and agent governance: https://thumbgate.ai/guides/ai-mode-ads-agent-governance
 - MCP tool governance: https://thumbgate.ai/guides/mcp-tool-governance
+- Policy engines need pre-action gates: https://thumbgate.ai/guides/policy-engine-pre-action-gates
 - AI agent pre-action approval gates: https://thumbgate.ai/guides/ai-agent-pre-action-approval-gates
 - Agent skills: https://thumbgate.ai/.well-known/mcp/skills.json
 - MCP applications: https://thumbgate.ai/.well-known/mcp/applications.json

package/.well-known/mcp/server-card.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate",
-  "version": "1.27.8",
+  "version": "1.27.7",
   "description": "ThumbGate — 👍👎 feedback that teaches your AI agent. Thumbs down a mistake, it never happens again.",
   "homepage": "https://thumbgate.ai",
   "transport": "stdio",

package/README.md

@@ -16,6 +16,10 @@ The product is a self-improving enforcement layer: thumbs-down feedback, prompt
   <img src="docs/media/thumbgate-demo.gif" alt="ThumbGate blocking an AI agent's dangerous commands (rm -rf, force-push, chmod 777) in real time, while letting safe commands through" width="820" />
 </p>
 
+<p align="center">
+  <img src="docs/diagrams/pre-action-gate-loop.svg" alt="ThumbGate pre-action gate loop: agent intent, PreToolUse gate, block or allow with audit receipt" width="920" />
+</p>
+
 ```
   Agent tries:   rm -rf tests/
   ThumbGate:     ⛔ BLOCKED — "Never delete test directories"
@@ -384,8 +388,6 @@ npx thumbgate model-candidates --workload=dashboard-analysis --provider=openai -
 npx thumbgate native-messaging-audit  # inspect local browser bridges and extension hosts
 npx thumbgate dashboard --open                                  # open local project-scoped dashboard in browser
 thumbgate-dashboard                                             # standalone browser dashboard shortcut (run '/project:thumbgate-dashboard' in Claude/Grok)
-npx thumbgate check-update                                      # check if a new version is available on npm/GitHub
-npx thumbgate self-update                                       # update ThumbGate to the latest version globally
 npx thumbgate serve      # start MCP server on stdio
 npx thumbgate bench      # run reliability benchmark
 npx thumbgate bench --programbench-smoke  # include cleanroom whole-repo proof lane

package/adapters/claude/.mcp.json

@@ -2,13 +2,13 @@
   "mcpServers": {
     "thumbgate": {
       "command": "npx",
-      "args": ["--yes", "--package", "thumbgate@1.27.8", "thumbgate", "serve"]
+      "args": ["--yes", "--package", "thumbgate@1.27.7", "thumbgate", "serve"]
     }
   },
   "hooks": {
     "preToolUse": {
       "command": "npx",
-      "args": ["--yes", "--package", "thumbgate@1.27.8", "thumbgate", "gate-check"]
+      "args": ["--yes", "--package", "thumbgate@1.27.7", "thumbgate", "gate-check"]
     }
   }
 }

package/adapters/mcp/server-stdio.js

@@ -231,7 +231,7 @@ const {
   finalizeSession: finalizeFeedbackSession,
 } = require('../../scripts/feedback-session');
 
-const SERVER_INFO = { name: 'thumbgate-mcp', version: '1.27.8' };
+const SERVER_INFO = { name: 'thumbgate-mcp', version: '1.27.7' };
 const COMMERCE_CATEGORIES = [
   'product_recommendation',
   'brand_compliance',

package/adapters/opencode/opencode.json

@@ -7,7 +7,7 @@
         "npx",
         "--yes",
         "--package",
-        "thumbgate@1.27.8",
+        "thumbgate@1.27.7",
         "thumbgate",
         "serve"
       ],

package/bin/cli.js

@@ -2188,26 +2188,6 @@ function pulse() {
   });
 }
 
-function checkUpdateCmd() {
-  const { checkUpdate } = require(path.join(PKG_ROOT, 'scripts', 'check-update'));
-  const args = parseArgs(process.argv.slice(3));
-  checkUpdate({ verbose: !args.json, force: args.force }).then((res) => {
-    if (args.json) {
-      console.log(JSON.stringify(res, null, 2));
-    }
-    process.exit(0);
-  }).catch((err) => {
-    console.error(err && err.message ? err.message : err);
-    process.exit(1);
-  });
-}
-
-function selfUpdateCmd() {
-  const { selfUpdate } = require(path.join(PKG_ROOT, 'scripts', 'check-update'));
-  const success = selfUpdate();
-  process.exit(success ? 0 : 1);
-}
-
 function dispatchBrief() {
   const args = parseArgs(process.argv.slice(3));
   const {
@@ -3171,7 +3151,6 @@ const SUBCOMMAND_HELP = {
   lessons:       'Usage: npx thumbgate lessons [--query="..."] [--limit=N]\n\nSearch the lesson database (Pro feature).',
   search:        'Usage: npx thumbgate search <query>\n\nSearch ThumbGate knowledge base (Pro feature).',
   'gate-check':  'Usage: npx thumbgate gate-check\n\nPreToolUse hook interface: reads tool call JSON from stdin, outputs gate verdict.',
-  'hermes-gate': 'Usage: npx thumbgate hermes-gate\n\nNous Research Hermes Agent pre_tool_call shell hook: reads Hermes tool-call JSON from stdin, runs the ThumbGate gate pipeline (strict by default), and outputs {"decision":"block","reason":...} to veto or {} to allow. Gates terminal/patch/skill_manage etc. See adapters/hermes/config.yaml.',
   'break-glass': 'Usage: npx thumbgate break-glass --reason="why" [--ttl=5m] [--json]\n\nShort-lived recovery path for over-firing gates. Allows hook settings edits and satisfies PR-create/thread-check gates without disabling core destructive-action protections.',
   serve:         'Usage: npx thumbgate serve\n\nStart the MCP stdio server. This is for agent runtimes, not the local HTTP dashboard.',
   mcp:           'Usage: npx thumbgate mcp\n\nAlias for `thumbgate serve`.',
@@ -3189,6 +3168,11 @@ const SUBCOMMAND_HELP = {
   'ai-inventory': 'Usage: npx thumbgate ai-inventory [--root <dir>] [--format=summary|json|cyclonedx] [--output <path>] [--max-files=N]\n\nScan source/manifests/model artifacts for AI, ML, agent-framework, vector DB, Vertex, Gemini, and Dialogflow CX components. Use --format=cyclonedx to produce exportable ML-BOM evidence for enterprise reviews.',
   brain: 'Usage: npx thumbgate brain [--write] [--json] [--limit=N]\n\nBuild the agent-readable "context brain" — a single artifact consolidating this\nrepo\'s lessons, prevention rules, active gates, and project context for a coding\nagent to read BEFORE acting. --write saves it to .thumbgate/BRAIN.md (versioned,\ndeterministic). --json emits the structured model. --limit caps lessons (default 15).',
   'team-sync': 'Usage: npx thumbgate team-sync\n\nSynchronize prevention rules and context brain with your team\'s git repository (git pull --rebase & git push), then auto-rebuild the local brain.',
+  dream: 'Usage: npx thumbgate dream [--min=N] [--feedback-dir=DIR] [--json]\n\nConsolidate raw history and lessons ("Silicon Dreaming"), merge duplicates, promote recurring failures to gates, and rebuild prevention rules + BRAIN.md.',
+  consolidate: 'Usage: npx thumbgate consolidate\n\nAlias for npx thumbgate dream.',
+  triage: 'Usage: npx thumbgate triage [--schedule="daily 9:00"] [--json]\n\nRun git updates, test verification, and memory consolidation, or schedule it on a cron.',
+  hygiene: 'Usage: npx thumbgate hygiene\n\nAlias for npx thumbgate triage.',
+  community: 'Usage: npx thumbgate community query <error> | share <rule-id>\n\nQuery or share verified prevention rules with the community knowledge registry.',
 };
 
 if (_wantsHelp && COMMAND && SUBCOMMAND_HELP[COMMAND]) {
@@ -3291,6 +3275,31 @@ function renderBrainMarkdown(model) {
   return out.join('\n');
 }
 
+function autoWireInstructionFile(fileName) {
+  const filePath = path.join(CWD, fileName);
+  if (!fs.existsSync(filePath)) return;
+  try {
+    let content = fs.readFileSync(filePath, 'utf8');
+    const blockStart = '<!-- ThumbGate -->';
+    const blockEnd = '<!-- End ThumbGate -->';
+    const block = `${blockStart}\nIMPORTANT: Read .thumbgate/BRAIN.md first for lessons, prevention rules, and active gates in this repo.\n${blockEnd}\n`;
+
+    if (content.includes(blockStart)) {
+      const startIdx = content.indexOf(blockStart);
+      const endIdx = content.indexOf(blockEnd);
+      if (endIdx !== -1) {
+        content = content.slice(0, startIdx) + block + content.slice(endIdx + blockEnd.length).replace(/^\n+/, '');
+      }
+    } else {
+      content = block + '\n' + content;
+    }
+    fs.writeFileSync(filePath, content);
+    console.error(`   Auto-wired agent pointer into ${fileName}`);
+  } catch (err) {
+    console.warn(`⚠️  Failed to auto-wire agent pointer in ${fileName}: ${err.message}`);
+  }
+}
+
 function cmdBrain(args = {}) {
   const model = buildBrainModel({ limit: args.limit });
   if (args.json) { console.log(JSON.stringify(model, null, 2)); return 0; }
@@ -3310,14 +3319,120 @@ function cmdBrain(args = {}) {
     const lt = (model.lessons && model.lessons.total) || 0;
     const rt = (model.rules && model.rules.total) || 0;
     const gt = (model.gates && model.gates.total) || 0;
-    console.log(`\u{1f9e0} Wrote context brain to .thumbgate/BRAIN.md (${lt} lessons · ${rt} rules · ${gt} gates).`);
-    console.log('   Point your agent at it: add "Read .thumbgate/BRAIN.md first" to CLAUDE.md / AGENTS.md.');
+    console.error(`\u{1f9e0} Wrote context brain to .thumbgate/BRAIN.md (${lt} lessons · ${rt} rules · ${gt} gates).`);
+    
+    // Auto-inject pointer block into CLAUDE.md / AGENTS.md
+    autoWireInstructionFile('CLAUDE.md');
+    autoWireInstructionFile('AGENTS.md');
+    
     return 0;
   }
   process.stdout.write(md);
   return 0;
 }
 
+function brain() {
+  const args = parseArgs(process.argv.slice(3));
+  const subcommand = process.argv.slice(3).find((arg) => !arg.startsWith('--')) || 'status';
+  const {
+    buildContextPack,
+    checkNeverDo,
+    cleanupReport,
+    ensureBrain,
+    formatContextPack,
+    recordMemory,
+    refreshNeverDoGates,
+  } = require(path.join(PKG_ROOT, 'scripts', 'brain'));
+
+  if (subcommand === 'init' || subcommand === 'status') {
+    const result = ensureBrain(CWD);
+    const gates = refreshNeverDoGates(CWD);
+    const payload = { ...result, gateCount: gates.gateCount };
+    if (args.json) {
+      console.log(JSON.stringify(payload, null, 2));
+      return;
+    }
+    console.log('ThumbGate brain');
+    console.log('='.repeat(15));
+    console.log(`Brain dir : ${path.relative(CWD, result.brainDir)}`);
+    console.log(`Created   : ${result.created.length}`);
+    console.log(`Soul files: ${result.soulFiles.length}`);
+    console.log(`Memory dirs: ${result.memoryDirs.length}`);
+    console.log(`Never-do gates: ${gates.gateCount}`);
+    return;
+  }
+
+  if (subcommand === 'context') {
+    const task = args.task || process.argv.slice(4).find((arg) => !arg.startsWith('--')) || '';
+    const pack = buildContextPack(CWD, { task });
+    if (args.json) {
+      console.log(JSON.stringify(pack, null, 2));
+      return;
+    }
+    process.stdout.write(formatContextPack(pack));
+    return;
+  }
+
+  if (subcommand === 'remember') {
+    const title = args.title || process.argv.slice(4).find((arg) => !arg.startsWith('--')) || '';
+    const result = recordMemory(CWD, {
+      type: args.type,
+      title,
+      content: args.content || title,
+      reason: args.reason,
+      source: args.source,
+      tags: args.tags,
+      date: args.date,
+    });
+    if (args.json) {
+      console.log(JSON.stringify(result, null, 2));
+      return;
+    }
+    if (!result.ok) {
+      console.error(result.error);
+      process.exit(1);
+    }
+    console.log(`Stored brain memory: ${result.path}`);
+    return;
+  }
+
+  if (subcommand === 'check') {
+    const text = args.text || args.action || readStdinText();
+    const result = checkNeverDo(CWD, { text });
+    if (args.json) {
+      console.log(JSON.stringify(result, null, 2));
+      if (!result.ok) process.exit(2);
+      return;
+    }
+    console.log(`ThumbGate brain decision: ${result.decision.toUpperCase()}`);
+    for (const rule of result.blocked) console.log(`- ${rule.text}`);
+    if (!result.ok) process.exit(2);
+    return;
+  }
+
+  if (subcommand === 'cleanup') {
+    const report = cleanupReport(CWD, args);
+    if (args.json) {
+      console.log(JSON.stringify(report, null, 2));
+      return;
+    }
+    console.log('ThumbGate brain cleanup report');
+    console.log('='.repeat(31));
+    console.log(`Memory files: ${report.total}`);
+    console.log(`Unsourced   : ${report.unsourced.length}`);
+    console.log(`Stale       : ${report.stale.length}`);
+    console.log(`Duplicates  : ${report.duplicates.length}`);
+    if (report.unsourced.length) {
+      console.log('\nUnsourced files:');
+      for (const filePath of report.unsourced) console.log(`- ${filePath}`);
+    }
+    return;
+  }
+
+  console.error('Usage: npx thumbgate brain init|context|remember|check|cleanup [--json]');
+  process.exit(1);
+}
+
 async function teamSync() {
   const { execSync } = require('child_process');
 
@@ -3496,6 +3611,127 @@ switch (COMMAND) {
     }
     break;
   }
+  case 'dream':
+  case 'consolidate': {
+    const args = parseArgs(process.argv.slice(3));
+    const { dream } = require(path.join(PKG_ROOT, 'scripts', 'dream-consolidation'));
+    dream({
+      pkgRoot: PKG_ROOT,
+      feedbackDir: args['feedback-dir'] || args.feedbackDir || CWD,
+      rulesPath: args.output || path.join(CWD, '.thumbgate', 'prevention-rules.md'),
+      minOccurrences: args.min || 2,
+    }).then(async (result) => {
+      try {
+        await cmdBrain({ write: true });
+      } catch (brainErr) {
+        console.warn(`⚠️  Failed to rebuild context brain: ${brainErr.message}`);
+      }
+      if (args.json) {
+        console.log(JSON.stringify(result, null, 2));
+      } else {
+        console.log(`✨ [Dreaming] Consolidation complete! Merged ${result.consolidated} duplicate(s) into ${result.lessonsCount} lessons.`);
+      }
+      process.exit(0);
+    }).catch((err) => {
+      console.error('❌ Error during memory consolidation:', err && err.message ? err.message : err);
+      process.exit(1);
+    });
+    break;
+  }
+  case 'triage':
+  case 'hygiene': {
+    const args = parseArgs(process.argv.slice(3));
+    const { runTriageLoop } = require(path.join(PKG_ROOT, 'scripts', 'triage-loop'));
+    
+    if (args.schedule) {
+      const { createSchedule } = require(path.join(PKG_ROOT, 'scripts', 'schedule-manager'));
+      const scheduleResult = createSchedule({
+        id: 'thumbgate-triage-hygiene',
+        name: 'ThumbGate Triage & Hygiene Loop',
+        description: 'Run autonomous git checks, test suite verification, and Silicon Dreaming memory consolidation.',
+        schedule: args.schedule,
+        command: `const { runTriageLoop } = require('${path.join(PKG_ROOT, 'scripts', 'triage-loop')}'); runTriageLoop({ cwd: '${CWD}', pkgRoot: '${PKG_ROOT}' }).catch(console.error);`,
+        workingDirectory: CWD,
+      });
+      if (args.json) {
+        console.log(JSON.stringify(scheduleResult, null, 2));
+      } else {
+        if (scheduleResult.success) {
+          console.log(`✅ [Triage] Scheduled triage hygiene loop: ${scheduleResult.message}`);
+        } else {
+          console.error(`❌ [Triage] Failed to schedule: ${scheduleResult.error}`);
+          process.exit(1);
+        }
+      }
+      break;
+    }
+
+    runTriageLoop({
+      cwd: CWD,
+      pkgRoot: PKG_ROOT,
+    }).then(async (result) => {
+      try {
+        await cmdBrain({ write: true });
+      } catch (brainErr) {
+        console.warn(`⚠️  Failed to rebuild context brain: ${brainErr.message}`);
+      }
+      if (args.json) {
+        console.log(JSON.stringify(result, null, 2));
+      } else {
+        console.log(result.log);
+      }
+      process.exit(0);
+    }).catch((err) => {
+      console.error('❌ Error during triage loop execution:', err && err.message ? err.message : err);
+      process.exit(1);
+    });
+    break;
+  }
+  case 'community': {
+    const args = parseArgs(process.argv.slice(3));
+    const sub = process.argv.slice(3).find((arg) => !arg.startsWith('--'));
+    const { queryCommunity, shareRule } = require(path.join(PKG_ROOT, 'scripts', 'community-knowledge'));
+
+    if (sub === 'query') {
+      const queryIdx = process.argv.indexOf('query');
+      const queryText = process.argv.slice(queryIdx + 1).filter(arg => !arg.startsWith('--')).join(' ');
+      const result = queryCommunity(queryText, { remote: args.remote });
+      if (args.json) {
+        console.log(JSON.stringify(result, null, 2));
+      } else {
+        console.log(`🔍 Found ${result.resultsCount} community rule(s) matching "${result.query}":`);
+        for (const r of result.results) {
+          console.log(`\n- [${r.id}] ${r.rule}`);
+          console.log(`  Remedy:      ${r.remedy}`);
+          console.log(`  Explanation: ${r.explanation}`);
+        }
+      }
+      process.exit(0);
+    } else if (sub === 'share') {
+      const shareIdx = process.argv.indexOf('share');
+      const ruleId = process.argv.slice(shareIdx + 1).find(arg => !arg.startsWith('--'));
+      if (!ruleId) {
+        console.error('❌ Error: rule ID is required for share subcommand.');
+        process.exit(1);
+      }
+      const result = shareRule(ruleId, { feedbackDir: CWD });
+      if (args.json) {
+        console.log(JSON.stringify(result, null, 2));
+      } else {
+        if (result.ok) {
+          console.log(`✨ Successfully shared rule "${ruleId}" to community registry.`);
+        } else {
+          console.error(`❌ Failed to share rule: ${result.error}`);
+          process.exit(1);
+        }
+      }
+      process.exit(0);
+    } else {
+      console.error('Usage: npx thumbgate community query <error> | share <rule-id> [--json]');
+      process.exit(1);
+    }
+    break;
+  }
   case 'billing:setup':
     require(path.join(PKG_ROOT, 'scripts', 'billing-setup'));
     break;
@@ -3863,14 +4099,6 @@ switch (COMMAND) {
   case 'pulse':
     pulse();
     break;
-  case 'check-update':
-  case 'upgrade-check':
-    checkUpdateCmd();
-    break;
-  case 'self-update':
-  case 'upgrade-cli':
-    selfUpdateCmd();
-    break;
   case 'dispatch':
   case 'dispatch-brief':
     dispatchBrief();
@@ -3896,53 +4124,6 @@ switch (COMMAND) {
     });
     break;
   }
-  case 'hermes-gate': {
-    // Nous Research Hermes Agent `pre_tool_call` shell hook.
-    // Hermes pipes each pending tool call as JSON to stdin and reads a decision from stdout;
-    // {"decision":"block","reason":...} vetoes the call. We reuse the SAME gate pipeline as
-    // `gate-check` (runAsync → secret guard, security scan, force-push / skill_manage / learned
-    // prevention rules) and translate the verdict into Hermes's format.
-    //
-    // Hermes `pre_tool_call` is binary (block or allow) with no warn channel, and the whole point
-    // of wiring it is to gate, so we run STRICT enforcement by default — otherwise ThumbGate's
-    // warn-by-default posture would pass every deny through and the hook would block nothing.
-    // Opt out with THUMBGATE_HERMES_WARN_ONLY=1; THUMBGATE_HOTFIX_BYPASS=1 still disables checks.
-    // Wire it in ~/.hermes/config.yaml — see adapters/hermes/config.yaml.
-    if (process.env.THUMBGATE_HERMES_WARN_ONLY !== '1' && process.env.THUMBGATE_HOTFIX_BYPASS !== '1') {
-      process.env.THUMBGATE_STRICT_ENFORCEMENT = '1';
-    }
-    const { runAsync: hermesGateRun } = require(path.join(PKG_ROOT, 'scripts', 'gates-engine'));
-    let hermesStdin = '';
-    process.stdin.setEncoding('utf8');
-    process.stdin.on('data', (chunk) => { hermesStdin += chunk; });
-    process.stdin.on('end', async () => {
-      try {
-        const payload = JSON.parse(hermesStdin);
-        // Hermes sends snake_case tool_name/tool_input — gates-engine reads these directly.
-        const verdict = await hermesGateRun({ tool_name: payload.tool_name, tool_input: payload.tool_input });
-        let parsed = {};
-        try { parsed = JSON.parse(verdict); } catch (_e) { parsed = {}; }
-        const hso = parsed.hookSpecificOutput || {};
-        if (hso.permissionDecision === 'deny') {
-          process.stdout.write(JSON.stringify({
-            decision: 'block',
-            reason: hso.permissionDecisionReason || 'Blocked by ThumbGate prevention rule.',
-          }) + '\n');
-        } else {
-          // warn / no match → allow. The gate engine already logged the decision.
-          process.stdout.write(JSON.stringify({}) + '\n');
-        }
-        process.exit(0);
-      } catch (err) {
-        // Hermes hooks fail OPEN on error/timeout — emit an explicit allow so a gate fault
-        // never wedges the agent (reliability ≈ enforcement; keep this fast).
-        process.stderr.write(`hermes-gate error: ${err.message}\n`);
-        process.stdout.write(JSON.stringify({}) + '\n');
-        process.exit(0);
-      }
-    });
-    break;
-  }
   case 'gate-stats':
     gateStats();
     break;