thumbgate 1.3.0 → 1.4.1

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "thumbgate",
-  "version": "1.3.0",
-  "description": "ThumbGate — Make your AI coding agent self-improving. Every mistake becomes a prevention rule that physically blocks the agent from repeating it. Feedback-driven enforcement via PreToolUse hooks, Thompson Sampling for adaptive gates, SQLite+FTS5 lesson DB, and LanceDB vector search. Your agent gets smarter with every session.",
+  "version": "1.4.1",
+  "description": "ThumbGate: self-improving agent governance for engineering teams. Three-tier approval routing (block/approve/log), shared enforcement, CI gates, and audit trails. Every mistake becomes a prevention rule. PreToolUse hooks, Thompson Sampling, SQLite+FTS5 lesson DB, and LanceDB vector search.",
   "homepage": "https://thumbgate-production.up.railway.app",
   "repository": {
     "type": "git",
@@ -37,6 +37,8 @@
     "changeset:status": "changeset status",
     "changeset:check": "node scripts/changeset-check.js",
     "build:claude-mcpb": "node scripts/build-claude-mcpb.js",
+    "build:claude-review-zip": "node scripts/build-claude-mcpb.js --review-zip",
+    "build:codex-plugin": "node scripts/build-codex-plugin.js",
     "verify:quick": "node scripts/verify-run.js quick",
     "verify:full": "node scripts/verify-run.js full",
     "budget:status": "node scripts/budget-guard.js --status",
@@ -70,7 +72,7 @@
     "social:post-everywhere:dry": "node scripts/post-everywhere.js --dry-run",
     "social:reply-monitor": "node scripts/social-reply-monitor.js",
     "social:reply-monitor:dry": "node scripts/social-reply-monitor.js --dry-run",
-    "test": "npm run test:schema && npm run test:loop && npm run test:dpo && npm run test:kto && npm run test:api && npm run test:proof && npm run test:e2e && npm run test:rlaif && npm run test:attribution && npm run test:quality && npm run test:intelligence && npm run test:training-export && npm run test:deployment && npm run test:operational-integrity && npm run test:workflow && npm run test:billing && npm run test:cli && npm run test:watcher && npm run test:autoresearch && npm run test:ops && npm run test:tessl && npm run test:gates && npm run test:evoskill && npm run test:gates-hardening && npm run test:workers && npm run test:social-analytics && npm run test:memalign && npm run test:xmemory-lite && npm run test:filesystem-search && npm run test:zernio && npm run test:obsidian-export && npm run test:lesson-db && npm run test:lesson-rotation && npm run test:memory-dedup && npm run test:feedback-quality && npm run test:sync-version && npm run test:check-congruence && npm run test:tool-registry && npm run test:feedback-to-rules && npm run test:memory-firewall && npm run test:belief-update && npm run test:hosted-config && npm run test:cloudflare-sandbox && npm run test:mcp-config && npm run test:plan-gate && npm run test:pulse && npm run test:semantic-layer && npm run test:data-pipeline && npm run test:optimize-context && npm run test:principle-extractor && npm run test:analytics-window && npm run test:funnel-analytics && npm run test:experiment-tracker && npm run test:build-metadata && npm run test:context-engine && npm run test:hf-papers && npm run test:marketing-experiment && npm run test:seo-gsd && npm run test:verify-run && npm run test:export-dpo-pairs && npm run test:export-hf-dataset && npm run test:license && npm run test:bot-detector && npm run test:postinstall && npm run test:funnel-invariants && npm run test:cli-telemetry && npm run test:pro-parity && npm run test:model-tier-router && npm run test:computer-use-firewall && npm run test:skill-exporter && npm run test:statusline && npm run test:evolution && npm run test:org-dashboard && npm run test:multi-hop-recall && npm run test:synthetic-dpo && npm run test:thumbgate-skill && npm run test:learn-hub && npm run test:feedback-fallback && npm run test:metaclaw && npm run test:server-lock && npm run test:control-tower && npm run test:pii-scanner && npm run test:data-governance && npm run test:lesson-inference && npm run test:lesson-retrieval && npm run test:reflector-agent && npm run test:feedback-session && npm run test:feedback-history-distiller && npm run test:hallucination-detector && npm run test:history-distiller && npm run test:predictive-insights && npm run test:prove-predictive-insights && npm run test:statusbar-cli && npm run test:generate-instagram-card && npm run test:instagram-thumbgate-post && npm run test:publish-instagram-thumbgate && npm run test:lesson-synthesis && npm run test:background-governance && npm run test:memory-migration && npm run test:prompt-dlp && npm run test:ephemeral-store && npm run test:agent-security && npm run test:skill-progressive && npm run test:per-step-scoring && npm run test:weekly-auto-post && npm run test:social-quality-gate && npm run test:a2ui-engine && npm run test:gate-satisfy && npm run test:money-watcher && npm run test:utm && npm run test:product-feedback && npm run test:feedback-root-consolidator && npm run test:engagement-audit && npm run test:install-growth-automation && npm run test:publish-thumbgate-launch && npm run test:reconcile-thumbgate-campaign && npm run test:reddit-publisher && npm run test:schedule-thumbgate-campaign && npm run test:social-reply-monitor && npm run test:sync-launch-assets && npm run test:ai-search-visibility",
+    "test": "npm run test:schema && npm run test:loop && npm run test:dpo && npm run test:kto && npm run test:api && npm run test:proof && npm run test:e2e && npm run test:rlaif && npm run test:attribution && npm run test:quality && npm run test:intelligence && npm run test:training-export && npm run test:deployment && npm run test:operational-integrity && npm run test:workflow && npm run test:billing && npm run test:cli && npm run test:watcher && npm run test:autoresearch && npm run test:ops && npm run test:tessl && npm run test:gates && npm run test:evoskill && npm run test:gates-hardening && npm run test:workers && npm run test:social-analytics && npm run test:memalign && npm run test:xmemory-lite && npm run test:filesystem-search && npm run test:zernio && npm run test:obsidian-export && npm run test:lesson-db && npm run test:lesson-rotation && npm run test:memory-dedup && npm run test:feedback-quality && npm run test:sync-version && npm run test:check-congruence && npm run test:tool-registry && npm run test:feedback-to-rules && npm run test:memory-firewall && npm run test:belief-update && npm run test:hosted-config && npm run test:operational-summary && npm run test:cloudflare-sandbox && npm run test:mcp-config && npm run test:plan-gate && npm run test:pulse && npm run test:semantic-layer && npm run test:data-pipeline && npm run test:optimize-context && npm run test:principle-extractor && npm run test:analytics-window && npm run test:funnel-analytics && npm run test:experiment-tracker && npm run test:build-metadata && npm run test:context-engine && npm run test:hf-papers && npm run test:marketing-experiment && npm run test:seo-gsd && npm run test:verify-run && npm run test:export-dpo-pairs && npm run test:export-hf-dataset && npm run test:license && npm run test:bot-detector && npm run test:postinstall && npm run test:funnel-invariants && npm run test:cli-telemetry && npm run test:pro-parity && npm run test:model-tier-router && npm run test:computer-use-firewall && npm run test:skill-exporter && npm run test:statusline && npm run test:evolution && npm run test:org-dashboard && npm run test:multi-hop-recall && npm run test:synthetic-dpo && npm run test:thumbgate-skill && npm run test:learn-hub && npm run test:feedback-fallback && npm run test:metaclaw && npm run test:server-lock && npm run test:control-tower && npm run test:pii-scanner && npm run test:data-governance && npm run test:lesson-inference && npm run test:semantic-dedup && npm run test:fs-utils && npm run test:lesson-retrieval && npm run test:reflector-agent && npm run test:feedback-session && npm run test:feedback-history-distiller && npm run test:hallucination-detector && npm run test:history-distiller && npm run test:predictive-insights && npm run test:prove-predictive-insights && npm run test:statusbar-cli && npm run test:generate-instagram-card && npm run test:instagram-thumbgate-post && npm run test:publish-instagram-thumbgate && npm run test:lesson-synthesis && npm run test:background-governance && npm run test:memory-migration && npm run test:prompt-dlp && npm run test:ephemeral-store && npm run test:agent-security && npm run test:skill-progressive && npm run test:per-step-scoring && npm run test:weekly-auto-post && npm run test:social-post-hourly && npm run test:social-quality-gate && npm run test:a2ui-engine && npm run test:gate-satisfy && npm run test:money-watcher && npm run test:budget && npm run test:quick-start && npm run test:utm && npm run test:product-feedback && npm run test:feedback-root-consolidator && npm run test:engagement-audit && npm run test:install-growth-automation && npm run test:publish-thumbgate-launch && npm run test:reconcile-thumbgate-campaign && npm run test:reddit-publisher && npm run test:schedule-thumbgate-campaign && npm run test:social-reply-monitor && npm run test:sync-launch-assets && npm run test:ai-search-visibility && npm run test:security-scanner && npm run test:llm-client && npm run test:managed-lesson-agent && npm run test:self-distill && npm run test:meta-agent && npm run test:harness-selector && npm run test:seo-guides && npm run test:enforcement-loop",
     "test:feedback-fallback": "node --test tests/feedback-fallback.test.js",
     "test:metaclaw": "node --test tests/metaclaw-features.test.js",
     "test:server-lock": "node --test tests/server-stdio-lock.test.js",
@@ -91,6 +93,7 @@
     "test:memory-firewall": "node --test tests/memory-firewall.test.js",
     "test:belief-update": "node --test tests/belief-update.test.js",
     "test:hosted-config": "node --test tests/hosted-config.test.js",
+    "test:operational-summary": "node --test tests/operational-summary.test.js",
     "test:cloudflare-sandbox": "node --test tests/cloudflare-dynamic-sandbox.test.js tests/cloudflare-sandbox-api.test.js",
     "test:mcp-config": "node --test tests/mcp-config.test.js",
     "test:plan-gate": "node --test tests/plan-gate.test.js",
@@ -121,8 +124,8 @@
     "test:loop": "node scripts/feedback-loop.js --test",
     "test:dpo": "node scripts/export-dpo-pairs.js --test",
     "test:kto": "node --test tests/export-kto.test.js",
-    "test:api": "node --test --test-concurrency=1 tests/api-server.test.js tests/api-auth-config.test.js tests/mcp-server.test.js tests/adapters.test.js tests/openapi-parity.test.js tests/budget-guard.test.js tests/context-manager.test.js tests/contextfs.test.js tests/job-api.test.js tests/pack-templates.test.js tests/dashboard.test.js tests/dashboard-render-spec.test.js tests/dashboard-html.test.js tests/agent-readiness.test.js tests/mcp-policy.test.js tests/subagent-profiles.test.js tests/intent-router.test.js tests/internal-agent-bootstrap.test.js tests/lesson-search.test.js tests/thumbgate-search.test.js tests/rubric-engine.test.js tests/self-healing-check.test.js tests/self-heal.test.js tests/feedback-schema.test.js tests/thompson-sampling.test.js tests/feedback-sequences.test.js tests/diversity-tracking.test.js tests/vector-store.test.js tests/feedback-attribution.test.js tests/hybrid-feedback-context.test.js tests/loop-closure.test.js tests/code-reasoning.test.js tests/feedback-loop.test.js tests/feedback-inbox-read.test.js tests/feedback-to-memory.test.js tests/test-coverage.test.js tests/version-metadata.test.js tests/claude-mcpb.test.js tests/claude-codex-bridge.test.js tests/cursor-plugin.test.js tests/codex-plugin.test.js tests/telemetry-analytics.test.js tests/public-landing.test.js tests/lessons-page.test.js tests/pro-landing.test.js tests/local-model-profile.test.js tests/risk-scorer.test.js tests/context-compaction.test.js tests/reminder-engine.test.js tests/post-to-x.test.js tests/verification-loop.test.js tests/async-job-runner.test.js tests/commerce-quality.test.js tests/recall-limit.test.js tests/problem-detail.test.js tests/natural-language-harness.test.js tests/settings-hierarchy.test.js",
-    "test:proof": "node --test tests/prove-adapters.test.js tests/prove-attribution.test.js tests/prove-cloudflare-sandbox.test.js tests/prove-data-quality.test.js tests/prove-intelligence.test.js tests/prove-lancedb.test.js tests/prove-loop-closure.test.js tests/prove-subway-upgrades.test.js tests/prove-training-export.test.js tests/prove-local-intelligence.test.js tests/prove-workflow-contract.test.js tests/prove-autoresearch.test.js tests/prove-claim-verification.test.js tests/prove-data-pipeline.test.js tests/prove-evolution.test.js tests/prove-harnesses.test.js tests/prove-runtime.test.js tests/prove-seo-gsd.test.js tests/prove-settings.test.js tests/prove-xmemory.test.js && node --test tests/prove-automation.test.js",
+    "test:api": "node --test --test-concurrency=1 tests/api-server.test.js tests/api-auth-config.test.js tests/mcp-server.test.js tests/adapters.test.js tests/openapi-parity.test.js tests/budget-guard.test.js tests/context-manager.test.js tests/contextfs.test.js tests/job-api.test.js tests/pack-templates.test.js tests/dashboard.test.js tests/dashboard-render-spec.test.js tests/dashboard-html.test.js tests/agent-readiness.test.js tests/mcp-policy.test.js tests/subagent-profiles.test.js tests/intent-router.test.js tests/internal-agent-bootstrap.test.js tests/lesson-search.test.js tests/thumbgate-search.test.js tests/document-intake.test.js tests/rubric-engine.test.js tests/self-healing-check.test.js tests/self-heal.test.js tests/feedback-schema.test.js tests/thompson-sampling.test.js tests/feedback-sequences.test.js tests/diversity-tracking.test.js tests/vector-store.test.js tests/feedback-attribution.test.js tests/hybrid-feedback-context.test.js tests/loop-closure.test.js tests/code-reasoning.test.js tests/feedback-loop.test.js tests/feedback-inbox-read.test.js tests/feedback-to-memory.test.js tests/test-coverage.test.js tests/version-metadata.test.js tests/claude-mcpb.test.js tests/claude-codex-bridge.test.js tests/cursor-plugin.test.js tests/codex-plugin.test.js tests/telemetry-analytics.test.js tests/public-landing.test.js tests/lessons-page.test.js tests/pro-landing.test.js tests/local-model-profile.test.js tests/risk-scorer.test.js tests/context-compaction.test.js tests/reminder-engine.test.js tests/post-to-x.test.js tests/verification-loop.test.js tests/async-job-runner.test.js tests/commerce-quality.test.js tests/recall-limit.test.js tests/problem-detail.test.js tests/natural-language-harness.test.js tests/settings-hierarchy.test.js",
+    "test:proof": "node --test tests/prove-adapters.test.js tests/prove-attribution.test.js tests/prove-cloudflare-sandbox.test.js tests/prove-data-quality.test.js tests/prove-intelligence.test.js tests/prove-lancedb.test.js tests/prove-loop-closure.test.js tests/prove-subway-upgrades.test.js tests/prove-training-export.test.js tests/prove-local-intelligence.test.js tests/prove-workflow-contract.test.js tests/prove-autoresearch.test.js tests/prove-claim-verification.test.js tests/prove-data-pipeline.test.js tests/prove-evolution.test.js tests/prove-harnesses.test.js tests/prove-packaged-runtime.test.js tests/prove-runtime.test.js tests/prove-seo-gsd.test.js tests/prove-settings.test.js tests/prove-xmemory.test.js && node --test tests/prove-automation.test.js",
     "test:e2e": "node --test tests/e2e-pipeline.test.js tests/e2e-product-flows.test.js tests/e2e-coverage-contract.test.js",
     "test:rlaif": "node --test tests/rlaif-self-audit.test.js tests/dpo-optimizer.test.js tests/meta-policy.test.js",
     "test:attribution": "node --test tests/feedback-attribution.test.js tests/hybrid-feedback-context.test.js",
@@ -130,16 +133,17 @@
     "test:intelligence": "node --test tests/intelligence.test.js",
     "test:training-export": "node --test tests/training-export.test.js tests/databricks-export.test.js",
     "test:deployment": "node --test tests/deployment.test.js tests/deploy-policy.test.js tests/publish-decision.test.js tests/changeset-check.test.js tests/sonarcloud-workflow.test.js",
-    "test:operational-integrity": "node --test tests/operational-integrity.test.js",
-    "test:workflow": "node --test tests/workflow-contract.test.js tests/social-marketing-assets.test.js tests/social-pipeline.test.js tests/positioning-contract.test.js tests/workflow-runs.test.js tests/workflow-sprint-intake.test.js tests/gtm-revenue-loop.test.js tests/enterprise-story.test.js",
+    "test:operational-integrity": "node --test tests/operational-integrity.test.js tests/sync-branch-protection.test.js",
+    "test:workflow": "node --test tests/workflow-contract.test.js tests/social-marketing-assets.test.js tests/social-pipeline.test.js tests/positioning-contract.test.js tests/docs-claim-hygiene.test.js tests/workflow-runs.test.js tests/workflow-sprint-intake.test.js tests/gtm-revenue-loop.test.js tests/enterprise-story.test.js tests/ralph-loop.test.js",
     "test:billing": "node --test tests/billing.test.js",
     "test:cli": "node --test tests/analytics-report.test.js tests/creator-campaigns.test.js tests/cli.test.js tests/codex-bridge-script.test.js tests/dispatch-brief.test.js tests/feedback-normalize.test.js tests/install-mcp.test.js tests/pr-manager.test.js tests/pro-local-dashboard.test.js tests/published-cli.test.js tests/revenue-status.test.js",
     "test:evolution": "node --test tests/workspace-evolver.test.js",
     "test:watcher": "node --test tests/jsonl-watcher.test.js",
     "test:autoresearch": "node --test tests/autoresearch.test.js",
-    "test:ops": "node --test tests/adk-consolidator.test.js tests/anthropic-partner-strategy.test.js tests/auto-promote-gates.test.js tests/auto-wire-hooks.test.js tests/claude-skill.test.js tests/codegraph-context.test.js tests/commercial-signals.test.js tests/delegation-runtime.test.js tests/disagreement-mining.test.js tests/failure-diagnostics.test.js tests/gate-stats.test.js tests/github-billing.test.js tests/intervention-policy.test.js tests/markdown-escape.test.js tests/mcp-tools-gates.test.js tests/project-bayes-e2e.test.js tests/project-bayes.test.js tests/rate-limiter.test.js tests/schedule-manager.test.js tests/session-handoff.test.js tests/skill-generator.test.js tests/smart-learning.test.js tests/spike-and-sink.test.js tests/stripe-webhook-route.test.js tests/train-from-feedback.test.js tests/workflow-hardening-sprint.test.js tests/workflow-sentinel.test.js tests/test-suite-parity.test.js tests/a2ui-engine.test.js tests/webhook-delivery.test.js",
+    "test:ops": "node --test tests/adk-consolidator.test.js tests/anthropic-partner-strategy.test.js tests/auto-promote-gates.test.js tests/auto-wire-hooks.test.js tests/claude-skill.test.js tests/codegraph-context.test.js tests/commercial-signals.test.js tests/decision-journal.test.js tests/delegation-runtime.test.js tests/disagreement-mining.test.js tests/failure-diagnostics.test.js tests/gate-stats.test.js tests/github-billing.test.js tests/intervention-policy.test.js tests/markdown-escape.test.js tests/mcp-tools-gates.test.js tests/project-bayes-e2e.test.js tests/project-bayes.test.js tests/rate-limiter.test.js tests/schedule-manager.test.js tests/session-handoff.test.js tests/skill-generator.test.js tests/smart-learning.test.js tests/spike-and-sink.test.js tests/stripe-webhook-route.test.js tests/stripe-webhook-rotation.test.js tests/train-from-feedback.test.js tests/workflow-hardening-sprint.test.js tests/workflow-sentinel.test.js tests/test-suite-parity.test.js tests/a2ui-engine.test.js tests/webhook-delivery.test.js",
     "test:tessl": "node --test tests/tessl-export.test.js",
     "test:gates": "node --test tests/gate-templates.test.js tests/gates-engine.test.js tests/claim-verification.test.js tests/secret-scanner.test.js tests/prompt-guard.test.js tests/audit-trail.test.js tests/profile-router.test.js tests/workflow-sentinel.test.js tests/docker-sandbox-planner.test.js",
+    "test:budget": "node --test tests/budget-enforcer.test.js",
     "test:workers": "npm --prefix workers ci && npm --prefix workers test",
     "test:evoskill": "node --test tests/evoskill.test.js",
     "test:gates-hardening": "node --test tests/gates-hardening.test.js",
@@ -157,6 +161,8 @@
     "adk:consolidate": "node scripts/adk-consolidator.js",
     "adk:watch": "node scripts/adk-consolidator.js --watch",
     "pr:manage": "node scripts/pr-manager.js",
+    "branch-protection:check": "node scripts/sync-branch-protection.js --check",
+    "branch-protection:sync": "node scripts/sync-branch-protection.js",
     "self-heal:run": "node scripts/self-heal.js",
     "self-heal:check": "node scripts/self-healing-check.js",
     "skill:verify": "node scripts/tessl-export.js verify",
@@ -221,10 +227,12 @@
     "test:skill-progressive": "node --test tests/skill-progressive-disclosure.test.js",
     "test:per-step-scoring": "node --test tests/per-step-scoring.test.js",
     "test:weekly-auto-post": "node --test tests/weekly-auto-post.test.js",
+    "test:social-post-hourly": "node --test tests/social-post-hourly.test.js",
     "test:social-quality-gate": "node --test tests/social-quality-gate.test.js",
     "test:a2ui-engine": "node --test tests/a2ui-engine.test.js",
     "test:gate-satisfy": "node --test tests/gate-satisfy.test.js",
     "test:money-watcher": "node --test tests/money-watcher.test.js",
+    "test:quick-start": "node --test tests/quick-start.test.js",
     "test:utm": "node --test tests/utm.test.js",
     "test:product-feedback": "node --test tests/product-feedback.test.js",
     "test:feedback-root-consolidator": "node --test tests/feedback-root-consolidator.test.js",
@@ -242,7 +250,26 @@
     "test:sync-launch-assets": "node --test tests/sync-launch-assets.test.js",
     "test:reddit-publisher": "node --test tests/reddit-publisher.test.js",
     "test:engagement-audit": "node --test tests/engagement-audit.test.js",
-    "test:ai-search-visibility": "node --test tests/ai-search-visibility.test.js"
+    "test:enforcement-loop": "node --test tests/enforcement-loop-fixes.test.js",
+    "test:ai-search-visibility": "node --test tests/ai-search-visibility.test.js",
+    "test:security-scanner": "node --test tests/security-scanner.test.js",
+    "test:llm-client": "node --test tests/llm-client.test.js",
+    "test:managed-lesson-agent": "node --test tests/managed-lesson-agent.test.js",
+    "agent:run": "node scripts/managed-lesson-agent.js",
+    "agent:run:dry": "node scripts/managed-lesson-agent.js --dry-run",
+    "agent:schedule": "node scripts/schedule-manager.js install --label managed-lesson-agent --spec 'daily 02:00' --command 'npm run agent:run' --workingDirectory .",
+    "feedback:rules:llm": "node scripts/feedback-to-rules.js --llm",
+    "test:self-distill": "node --test tests/self-distill-agent.test.js",
+    "test:seo-guides": "node --test tests/seo-guides.test.js",
+    "self-distill:run": "node scripts/self-distill-agent.js",
+    "self-distill:dry": "node scripts/self-distill-agent.js --dry-run",
+    "meta-agent:run": "node scripts/meta-agent-loop.js",
+    "meta-agent:dry": "node scripts/meta-agent-loop.js --dry-run",
+    "meta-agent:status": "node scripts/meta-agent-loop.js --status",
+    "test:meta-agent": "node --test tests/meta-agent-loop.test.js",
+    "test:semantic-dedup": "node --test tests/semantic-dedup.test.js",
+    "test:fs-utils": "node --test tests/fs-utils.test.js",
+    "test:harness-selector": "node --test tests/harness-selector.test.js"
   },
   "keywords": [
     "mcp",
@@ -272,7 +299,14 @@
     "cursor",
     "codex",
     "safety",
-    "enforcement"
+    "enforcement",
+    "ai agent memory",
+    "repeated mistakes",
+    "agent error prevention",
+    "ai-authenticity",
+    "prevent-ai-slop",
+    "human-led-ai",
+    "ai-standards-enforcement"
   ],
   "author": "Igor Ganapolsky",
   "license": "MIT",
@@ -290,6 +324,7 @@
     "node": ">=18.18.0"
   },
   "dependencies": {
+    "@anthropic-ai/sdk": "^0.24.0",
     "@google/genai": "^1.48.0",
     "@huggingface/transformers": "^4.0.1",
     "@lancedb/lancedb": "^0.27.2",
@@ -308,6 +343,7 @@
   "devDependencies": {
     "@changesets/changelog-github": "^0.5.1",
     "@changesets/cli": "^2.30.0",
-    "c8": "^11.0.0"
+    "c8": "^11.0.0",
+    "undici": "^8.0.2"
   }
 }

package/plugins/claude-codex-bridge/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "codex-bridge",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Run Codex review, adversarial review, and second-pass handoffs from Claude Code while keeping ThumbGate reliability memory in the loop.",
   "author": {
     "name": "Igor Ganapolsky",

package/plugins/claude-codex-bridge/.mcp.json

@@ -5,7 +5,7 @@
       "args": [
         "--yes",
         "--package",
-        "thumbgate@1.3.0",
+        "thumbgate@1.4.0",
         "thumbgate",
         "serve"
       ]

package/plugins/claude-codex-bridge/scripts/codex-bridge.js

@@ -3,6 +3,7 @@
 const fs = require('node:fs');
 const path = require('node:path');
 const { spawnSync } = require('node:child_process');
+const { ensureDir } = require('../../../scripts/fs-utils');
 
 function getPluginRoot() {
   return process.env.CLAUDE_PLUGIN_ROOT || path.resolve(__dirname, '..');
@@ -20,9 +21,6 @@ function getCodexBin() {
   return process.env.THUMBGATE_CODEX_BIN || 'codex';
 }
 
-function ensureDir(dirPath) {
-  fs.mkdirSync(dirPath, { recursive: true });
-}
 
 function readJson(filePath) {
   return JSON.parse(fs.readFileSync(filePath, 'utf8'));

package/plugins/codex-profile/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "codex-profile",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "ThumbGate for Codex: pre-action gates, skill packs, hallucination detection, PII scanning, progressive disclosure (82% token savings), and MCP-backed reliability memory.",
   "author": {
     "name": "Igor Ganapolsky",

package/plugins/codex-profile/.mcp.json

@@ -5,7 +5,7 @@
       "args": [
         "--yes",
         "--package",
-        "thumbgate@1.3.0",
+        "thumbgate@1.4.0",
         "thumbgate",
         "serve"
       ]

package/plugins/codex-profile/INSTALL.md

@@ -1,6 +1,29 @@
 # ThumbGate for Codex
 
-ThumbGate now ships a repo-local Codex app plugin surface plus the version-pinned MCP profile. Use the plugin files when you want a distributable Codex artifact, or copy the TOML block for a manual install.
+ThumbGate now ships a standalone Codex plugin bundle, a repo-local Codex app plugin surface, and the version-pinned MCP profile.
+
+## Option 1: Use the standalone release bundle
+
+Download the latest bundle:
+
+- `https://github.com/IgorGanapolsky/ThumbGate/releases/latest/download/thumbgate-codex-plugin.zip`
+
+Or build it from source:
+
+```bash
+npm run build:codex-plugin
+```
+
+After extracting `thumbgate-codex-plugin.zip`, the folder already contains:
+
+- `.codex-plugin/plugin.json`
+- `.mcp.json`
+- `.agents/plugins/marketplace.json`
+- `config.toml`
+
+The bundled marketplace catalog points at `./`, so the extracted directory is a self-contained plugin root instead of a repo-relative stub.
+
+## Option 2: Use the repo-local plugin files
 
 ## Shipped plugin files
 
@@ -9,7 +32,7 @@ ThumbGate now ships a repo-local Codex app plugin surface plus the version-pinne
 - Codex marketplace entry: `.agents/plugins/marketplace.json`
 - Manual install profile: `adapters/codex/config.toml`
 
-## One-Command Install
+## Option 3: Manual MCP install
 
 Add the MCP server block to your Codex config:
 
@@ -31,7 +54,7 @@ The following block is appended to `~/.codex/config.toml`:
 ```toml
 [mcp_servers.thumbgate]
 command = "npx"
-args = ["--yes", "--package", "thumbgate@1.3.0", "thumbgate", "serve"]
+args = ["--yes", "--package", "thumbgate@1.4.0", "thumbgate", "serve"]
 ```
 
 The repo-local Codex app plugin ships the same runtime path through `plugins/codex-profile/.mcp.json`, so the manual config and plugin metadata stay aligned.
@@ -59,7 +82,7 @@ Then restart Codex. The `thumbgate` MCP server will appear in the tool list.
 
 - Codex with MCP support
 - Node.js 18+ in PATH
-- Config file at `~/.codex/config.toml`
+- Config file at `~/.codex/config.toml` when using the manual MCP install path
 
 ## Uninstall
 

package/plugins/codex-profile/README.md

@@ -1,12 +1,14 @@
 # ThumbGate for Codex
 
-This directory is the repo-local Codex app plugin surface for ThumbGate.
+ThumbGate now ships a standalone Codex plugin bundle in GitHub Releases, alongside the repo-local Codex profile in this repository.
 
-It packages the same ThumbGate runtime you already use elsewhere:
+## Release surfaces
 
-- `plugins/codex-profile/.codex-plugin/plugin.json` for Codex plugin metadata
-- `plugins/codex-profile/.mcp.json` for the MCP server launcher
-- `adapters/codex/config.toml` for the version-pinned manual install path
+- Latest standalone bundle: `https://github.com/IgorGanapolsky/ThumbGate/releases/latest/download/thumbgate-codex-plugin.zip`
+- Versioned bundle pattern: `https://github.com/IgorGanapolsky/ThumbGate/releases/download/v<VERSION>/thumbgate-codex-plugin-v<VERSION>.zip`
+- Source plugin manifest: `plugins/codex-profile/.codex-plugin/plugin.json`
+- Source MCP config: `plugins/codex-profile/.mcp.json`
+- Manual install profile: `adapters/codex/config.toml`
 
 ## What it does
 
@@ -14,11 +16,25 @@ It packages the same ThumbGate runtime you already use elsewhere:
 - captures thumbs-up/down feedback that survives session boundaries
 - reuses the same local-first MCP runtime as Claude, Cursor, Gemini, Amp, and OpenCode
 
+## What's inside the standalone bundle
+
+- `.codex-plugin/plugin.json`
+- `.mcp.json`
+- `.agents/plugins/marketplace.json`
+- `config.toml`
+- `README.md`, `INSTALL.md`, and `AGENTS.md`
+
+The bundled marketplace catalog rewrites the plugin path to `./`, so the extracted folder can act as a self-contained plugin root instead of depending on this repository layout.
+
 ## Install paths
 
-### Codex app plugin
+### Standalone Codex plugin bundle
+
+Download the latest `thumbgate-codex-plugin.zip`, unzip it, and point Codex at the extracted `thumbgate-codex-plugin/` directory when you want a standalone plugin release surface.
+
+### Repo-local Codex app plugin
 
-Use the repo-local Codex plugin metadata and MCP config in this folder when Codex is loading plugin surfaces from the repository.
+Use the plugin metadata and MCP config in this folder when Codex is loading plugin surfaces directly from the repository.
 
 ### Manual install
 
@@ -29,9 +45,17 @@ That profile launches:
 ```toml
 [mcp_servers.thumbgate]
 command = "npx"
-args = ["--yes", "--package", "thumbgate@1.3.0", "thumbgate", "serve"]
+args = ["--yes", "--package", "thumbgate@1.4.0", "thumbgate", "serve"]
+```
+
+### Build from source
+
+Build the same standalone release bundle locally with:
+
+```bash
+npm run build:codex-plugin
 ```
 
 ## Why this exists
 
-The Codex support story is no longer just "copy this config block." This folder is the shipped Codex plugin artifact for ThumbGate, so the repo can truthfully claim a Codex app plugin surface alongside the Claude Desktop bundle and Cursor plugin.
+The Codex support story is no longer just "copy this config block." ThumbGate now has a direct-download Codex plugin bundle, a repo-local plugin surface, and a pinned manual MCP profile so release assets, install docs, and the runtime stay aligned.

package/plugins/cursor-marketplace/.cursor-plugin/plugin.json

@@ -2,7 +2,7 @@
   "name": "thumbgate",
   "displayName": "ThumbGate",
   "description": "👍👎 Thumbs down a mistake — your AI agent won't repeat it. Thumbs up good work — it remembers the pattern.",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "author": {
     "name": "Igor Ganapolsky"
   },

package/plugins/opencode-profile/INSTALL.md

@@ -25,7 +25,7 @@ The portable profile adds this MCP server entry:
   "mcp": {
     "thumbgate": {
       "type": "local",
-      "command": ["npx", "--yes", "--package", "thumbgate@1.3.0", "thumbgate", "serve"],
+      "command": ["npx", "--yes", "--package", "thumbgate@1.4.0", "thumbgate", "serve"],
       "enabled": true
     }
   }

package/public/blog.html

@@ -34,6 +34,12 @@
         "url": "https://thumbgate-production.up.railway.app/blog",
         "publisher": { "@type": "Organization", "name": "Max Smith KDP LLC" },
         "blogPost": [
+          {
+            "@type": "BlogPosting",
+            "headline": "Your AI agent is a supply chain attack surface. Here's how to gate it.",
+            "datePublished": "2026-04-10",
+            "keywords": "AI agent security, supply chain attack, pre-action gates, agent governance, ThumbGate"
+          },
           {
             "@type": "BlogPosting",
             "headline": "The Claude Code Leak Proves Why Pre-Action Gates Matter",
@@ -166,6 +172,73 @@
     </header>
 
     <div class="container">
+      <article class="post">
+        <div class="post-date">April 10, 2026</div>
+        <h2>Your AI agent is a supply chain attack surface. Here's how to gate it.</h2>
+
+        <p>
+          Your AI coding agent runs shell commands. It installs packages. It
+          modifies files, pushes commits, and calls external APIs &mdash; all
+          without requiring you to type a single character. That's the pitch.
+          That's also the attack surface.
+        </p>
+
+        <h3>The gap is pre-action enforcement</h3>
+        <p>
+          Static analysis catches known-bad patterns in code you've already
+          written. Dependency scanners audit lock files <em>after</em> packages
+          are installed. By the time your scanner flags a problem, the agent
+          already ran the command.
+        </p>
+        <p>
+          These tools operate on the <em>output</em> of agent actions. You need
+          something that operates on the <em>input</em> &mdash; before execution.
+        </p>
+
+        <h3>Pre-Action Gates via PreToolUse hooks</h3>
+        <p>
+          ThumbGate implements pre-action gates via <code>PreToolUse</code> hooks
+          &mdash; interception points that run before every tool invocation. No
+          action reaches execution without passing through the gate. Not Bash
+          commands, not file edits, not web fetches.
+        </p>
+        <p>
+          What makes this more than a static blocklist is the
+          <strong>feedback-to-enforcement pipeline</strong>. When something goes
+          wrong, you record a thumbs-down with context. That failure feeds a
+          promotion engine. One failure becomes a warning. Three confirmed
+          failures of the same pattern become a hard block.
+        </p>
+
+        <h3>Real examples</h3>
+        <ul>
+          <li>
+            <strong>Force-push to main</strong> &mdash; Gate fires, push never
+            happens. Agent is redirected to create a branch and open a PR.
+          </li>
+          <li>
+            <strong>Unknown dependency install</strong> &mdash; Flagged for human
+            review. Agent pauses until you approve.
+          </li>
+          <li>
+            <strong>Destructive shell command</strong> &mdash; Blocked by a
+            prevention rule learned from a prior incident.
+          </li>
+        </ul>
+
+        <h3>Five-minute setup</h3>
+        <p>
+          <code>npx thumbgate init</code> installs the PreToolUse hook and
+          generates a starter gate config. Gates are just JSON &mdash; commit
+          them, review them, share them across your team.
+        </p>
+        <p>
+          <strong>Human judgment leads. AI supports. ThumbGate enforces it.</strong>
+        </p>
+
+        <a class="cta" href="/guide">Full setup guide &rarr;</a>
+      </article>
+
       <article class="post">
         <div class="post-date">April 1, 2026</div>
         <h2>Dual-Signal Feedback: Why "What Failed" Isn't Enough</h2>