thumbgate 1.4.1 → 1.4.3

package/plugins/codex-profile/README.md

@@ -45,7 +45,7 @@ That profile launches:
 ```toml
 [mcp_servers.thumbgate]
 command = "npx"
-args = ["--yes", "--package", "thumbgate@1.4.0", "thumbgate", "serve"]
+args = ["--yes", "--package", "thumbgate@1.4.3", "thumbgate", "serve"]
 ```
 
 ### Build from source

package/plugins/cursor-marketplace/.cursor-plugin/plugin.json

@@ -2,7 +2,7 @@
   "name": "thumbgate",
   "displayName": "ThumbGate",
   "description": "👍👎 Thumbs down a mistake — your AI agent won't repeat it. Thumbs up good work — it remembers the pattern.",
-  "version": "1.4.0",
+  "version": "1.4.3",
   "author": {
     "name": "Igor Ganapolsky"
   },

package/plugins/opencode-profile/INSTALL.md

@@ -25,7 +25,7 @@ The portable profile adds this MCP server entry:
   "mcp": {
     "thumbgate": {
       "type": "local",
-      "command": ["npx", "--yes", "--package", "thumbgate@1.4.0", "thumbgate", "serve"],
+      "command": ["npx", "--yes", "--package", "thumbgate@1.4.3", "thumbgate", "serve"],
       "enabled": true
     }
   }

package/public/index.html

@@ -11,8 +11,8 @@
         Created with Perplexity Computer
         https://www.perplexity.ai/computer
 -->
-<meta name="generator" content="Perplexity Computer">
-<meta name="author" content="Perplexity Computer">
+<meta name="generator" content="ThumbGate">
+<meta name="author" content="Igor Ganapolsky">
 <meta property="og:see_also" content="https://www.perplexity.ai/computer">
 <link rel="author" href="https://www.perplexity.ai/computer">
 
@@ -59,6 +59,7 @@ __GA_BOOTSTRAP__
   },
   "featureList": [
     "Pre-Action Gates — block known-bad tool calls before execution",
+    "ThumbGate GPT for ChatGPT — check proposed agent actions, capture thumbs-up/down lessons, and route users into local enforcement",
     "Workflow Sentinel — score blast radius before PR, merge, release, and publish actions fire",
     "Docker Sandboxes routing — move high-risk local runs into isolated microVM-backed execution",
     "Hosted sandbox dispatch — signed isolated lane for team automations",
@@ -184,6 +185,14 @@ __GA_BOOTSTRAP__
         "text": "Claude Code, Cursor, Codex, Gemini CLI, Amp, OpenCode, and any MCP-compatible agent."
       }
     },
+    {
+      "@type": "Question",
+      "name": "Do I have to chat inside the ThumbGate GPT for enforcement?",
+      "acceptedAnswer": {
+        "@type": "Answer",
+        "text": "No. The ThumbGate GPT is the ChatGPT entrypoint for checking proposed actions, capturing thumbs-up/down lessons, and getting setup help. Hard enforcement still runs locally where the agent executes after npx thumbgate init."
+      }
+    },
     {
       "@type": "Question",
       "name": "How does ThumbGate reduce host blast radius for high-risk local runs?",
@@ -277,6 +286,8 @@ __GA_BOOTSTRAP__
   .hero-actions { display: flex; justify-content: center; flex-wrap: wrap; gap: 12px; margin: 0 auto 16px; max-width: 760px; }
   .btn-pro-page { display: inline-flex; align-items: center; justify-content: center; padding: 11px 18px; background: var(--cyan); color: var(--bg); border-radius: 999px; text-decoration: none; font-size: 14px; font-weight: 700; box-shadow: 0 0 0 1px rgba(34,211,238,0.28), 0 12px 32px rgba(34,211,238,0.18); transition: opacity 0.15s, transform 0.15s; }
   .btn-pro-page:hover { opacity: 0.9; transform: translateY(-1px); }
+  .btn-gpt-page { display: inline-flex; align-items: center; justify-content: center; padding: 14px 32px; background: var(--green); color: #06120a; border-radius: 8px; text-decoration: none; font-size: 16px; font-weight: 800; box-shadow: 0 0 0 1px rgba(74,222,128,0.32), 0 12px 32px rgba(74,222,128,0.18); transition: opacity 0.15s, transform 0.15s; }
+  .btn-gpt-page:hover { opacity: 0.92; transform: translateY(-1px); }
   .hero-paid-note { font-size: 14px; color: var(--text-muted); max-width: 720px; margin: 0 auto 24px; }
   .hero-paid-note strong { color: var(--text); }
   .hero-install { background: var(--bg-raised); border: 1px solid var(--border); border-radius: 10px; padding: 14px 24px; display: inline-flex; align-items: center; gap: 12px; font-family: var(--mono); font-size: 15px; margin-bottom: 40px; cursor: pointer; transition: border-color 0.2s; position: relative; max-width: 100%; overflow-x: auto; }
@@ -302,6 +313,18 @@ __GA_BOOTSTRAP__
   .compat-card p { font-size: 14px; color: var(--text-muted); line-height: 1.6; }
   .compat-card code { font-family: var(--mono); font-size: 12px; background: rgba(34,211,238,0.08); color: var(--cyan); padding: 2px 6px; border-radius: 4px; }
 
+  /* CHATGPT GPT PATH */
+  .gpt-path { padding: 0 0 80px; }
+  .gpt-panel { border: 1px solid rgba(74,222,128,0.32); background: linear-gradient(180deg, rgba(17,17,19,0.98) 0%, rgba(15,24,18,0.96) 100%); border-radius: 8px; padding: 28px; }
+  .gpt-panel h2 { font-size: clamp(24px, 3vw, 34px); line-height: 1.15; letter-spacing: -0.025em; margin-bottom: 12px; }
+  .gpt-panel > p { color: var(--text-muted); max-width: 780px; margin-bottom: 22px; }
+  .gpt-steps { display: grid; grid-template-columns: repeat(3, 1fr); gap: 14px; margin: 24px 0; }
+  .gpt-step { border: 1px solid var(--border); border-radius: 8px; background: rgba(10,10,11,0.58); padding: 18px; }
+  .gpt-step strong { display: block; color: var(--green); margin-bottom: 6px; }
+  .gpt-step p { color: var(--text-muted); font-size: 14px; line-height: 1.55; }
+  .gpt-note { font-size: 13px; color: var(--text-muted); border-top: 1px solid var(--border); padding-top: 16px; }
+  .gpt-note strong { color: var(--text); }
+
   /* SEO PAGES */
   .seo-pages { padding: 0 0 80px; }
   .seo-grid { display: grid; grid-template-columns: repeat(2, 1fr); gap: 20px; }
@@ -402,6 +425,13 @@ __GA_BOOTSTRAP__
   .final-cta p { font-size: 15px; color: var(--text-muted); margin-bottom: 28px; }
   .final-cta .btn-pro, .final-cta .btn-team { display: inline-block; padding: 12px 32px; font-size: 15px; border-radius: 8px; margin: 0 6px; }
 
+  /* STICKY BOTTOM CTA BAR */
+  .sticky-cta { position: fixed; bottom: 0; left: 0; right: 0; z-index: 999; background: rgba(10,10,10,0.96); border-top: 1px solid var(--border); padding: 12px 20px; display: flex; align-items: center; justify-content: center; gap: 12px; transform: translateY(100%); transition: transform 0.3s ease; backdrop-filter: blur(8px); }
+  .sticky-cta.visible { transform: translateY(0); }
+  .sticky-cta-text { font-size: 14px; color: var(--text-muted); }
+  .sticky-cta-text strong { color: var(--text); }
+  .sticky-cta .btn-pro, .sticky-cta .btn-gpt-page { padding: 8px 20px; font-size: 13px; border-radius: 6px; white-space: nowrap; }
+
   /* FOOTER */
   footer { border-top: 1px solid var(--border); padding: 32px 0; }
   footer .container { display: flex; justify-content: space-between; align-items: center; flex-wrap: wrap; gap: 12px; }
@@ -414,6 +444,7 @@ __GA_BOOTSTRAP__
   @media (max-width: 700px) {
     .steps { grid-template-columns: 1fr; }
     .compatibility-grid { grid-template-columns: 1fr; }
+    .gpt-steps { grid-template-columns: 1fr; }
     .seo-grid { grid-template-columns: 1fr; }
     .pricing-grid { grid-template-columns: 1fr; }
     .team-form { grid-template-columns: 1fr; }
@@ -429,9 +460,11 @@ __GA_BOOTSTRAP__
   <script>
     !function(t,e){var o,n,p,r;e.__SV||(window.posthog=e,e._i=[],e.init=function(i,s,a){function g(t,e){var o=e.split(".");2==o.length&&(t=t[o[0]],e=o[1]),t[e]=function(){t.push([e].concat(Array.prototype.slice.call(arguments,0)))}}(p=t.createElement("script")).type="text/javascript",p.crossOrigin="anonymous",p.async=!0,p.src=s.api_host.replace(".i.posthog.com","-assets.i.posthog.com")+"/static/array.js",(r=t.getElementsByTagName("script")[0]).parentNode.insertBefore(p,r);var u=e;for(void 0!==a?u=e[a]=[]:a=u._i.push([i,s,a]),u._i.push([i,s,a]),u.init=function(t,e,i){g(u,"capture"),u.push(["init",t,e,i])},u.capture=function(t,e,i,o){u.push(["capture",t,e,i,o])},u.identify=function(t,e,i){u.push(["identify",t,e,i])},u.alias=function(t,e){u.push(["alias",t,e])},u.people={set:function(t,e,i){u.push(["people.set",t,e,i])}},u.featureFlags={},u.onFeatureFlags=function(t){u.push(["onFeatureFlags",t])},u.toString=function(t){var e="posthog";return a&&a!==e&&(e+="."+a),t||(e+=" (stub)"),e},u.people.set_once=function(t,e,i){u.push(["people.set_once",t,e,i])},u.group=function(t,e,i){u.push(["group",t,e,i])},u.setPersonPropertiesForFlags=function(t){u.push(["setPersonPropertiesForFlags",t])},u.resetGroupPropertiesForFlags=function(t){u.push(["resetGroupPropertiesForFlags",t])},u.setGroupPropertiesForFlags=function(t){u.push(["setGroupPropertiesForFlags",t])},u.reloadFeatureFlags=function(){u.push(["reloadFeatureFlags"])},u.capture=function(t,e,i,o){u.push(["capture",t,e,i,o])},u.identify=function(t,e,i){u.push(["identify",t,e,i])},0===t.indexOf(".")){var s=t.substring(1);u=e[s]=[],u._i=[]}e._i.push([i,s,a])},e.__SV=1)}(document,window.posthog||[]);
   posthog.init('__POSTHOG_API_KEY__', {
-    api_host: 'https://us.i.posthog.com',
+    api_host: '/ingest',
+    ui_host: 'https://us.posthog.com',
     person_profiles: 'identified_only',
   });
+  posthog.capture('$pageview');
   </script>
 </head>
 <body>
@@ -451,7 +484,8 @@ __GA_BOOTSTRAP__
       <a href="/learn">Learn</a>
       <a href="/compare">Compare</a>
       <a href="/dashboard">Dashboard Demo</a>
-      <a href="#workflow-sprint-intake" onclick="posthog.capture('workflow_sprint')" class="nav-cta">Start Sprint</a>
+      <a href="#workflow-sprint-intake" onclick="posthog.capture('workflow_sprint')">Start Sprint</a>
+      <a href="https://chatgpt.com/g/g-69dcfd1cd5f881918ae31874631d6f08-thumbgate" target="_blank" rel="noopener" onclick="posthog.capture('nav_cta_click',{cta:'open_gpt'})" class="nav-cta">Open GPT</a>
     </div>
   </div>
 </nav>
@@ -460,9 +494,9 @@ __GA_BOOTSTRAP__
 <section class="hero">
   <div class="container">
     <div class="hero-thumbs">👍👎</div>
-    <div class="hero-badge">● Your AI agent just made that mistake again</div>
+    <div class="hero-badge">● Live ThumbGate GPT for ChatGPT</div>
     <h1>Your AI agent just made<br>that mistake again.<br><span style="color:var(--cyan)">One thumbs-down.<br>It never happens again.</span></h1>
-    <p style="font-size:18px;color:var(--text-muted);max-width:560px;margin:0 auto 20px;line-height:1.6;">Session 1: your agent force-pushes, skips tests, or runs a DROP on prod.<br>You give it a 👎.<br><strong style="color:var(--text)">Session 2: gate fires. Action blocked before execution.</strong></p>
+    <p style="font-size:18px;color:var(--text-muted);max-width:620px;margin:0 auto 20px;line-height:1.6;">Start in ChatGPT: paste the proposed action into the live ThumbGate GPT and get allow, block, or checkpoint guidance.<br><strong style="color:var(--text)">Then enforce locally with <code>npx thumbgate init</code> where your agent actually runs.</strong></p>
     <div class="hero-signals">
       <div class="signal-pill signal-down">👎 Repeated failure becomes enforcement before the next run</div>
       <div class="signal-pill signal-up">✅ Safe pattern reinforced across the shared workflow</div>
@@ -470,17 +504,18 @@ __GA_BOOTSTRAP__
     </div>
     <p class="hero-persona" style="display:none">For consultancies, platform teams, and AI product teams with one workflow owner, one repeated failure, and one buyer who needs proof before a wider rollout.</p>
     <div class="hero-actions" style="margin-top:32px;">
+      <a href="https://chatgpt.com/g/g-69dcfd1cd5f881918ae31874631d6f08-thumbgate" class="btn-gpt-page" target="_blank" rel="noopener" onclick="posthog.capture('hero_cta_click',{cta:'open_gpt'})">Open ThumbGate GPT</a>
       <div class="hero-install" onclick="copyInstall(this)" title="Click to copy" style="margin-bottom:0;">
         <span class="prompt">$</span>
         <span class="cmd">npx thumbgate init</span>
         <span class="copy-hint">click to copy</span>
       </div>
+      <a href="/checkout/pro?utm_source=website&utm_medium=hero_cta&utm_campaign=pro_trial&cta_id=hero_start_trial" onclick="posthog.capture('hero_cta_click',{cta:'start_trial'})" class="btn-pro-page" style="font-size:16px;padding:14px 24px;margin-bottom:4px;">Start 7-day free trial</a>
       <a href="https://github.com/IgorGanapolsky/ThumbGate" target="_blank" rel="noopener" class="btn-free" style="display:inline-flex;align-items:center;gap:6px;padding:11px 20px;border-radius:999px;">⭐ Star on GitHub</a>
-      <a href="https://github.com/IgorGanapolsky/ThumbGate/blob/main/adapters/chatgpt/INSTALL.md" class="btn-install-link" target="_blank" rel="noopener" style="font-size:13px;color:var(--text-muted);text-decoration:none;padding:8px 14px;">Use in ChatGPT →</a>
       <a href="https://github.com/IgorGanapolsky/ThumbGate/releases/latest/download/thumbgate-codex-plugin.zip" class="btn-install-link" target="_blank" rel="noopener" style="font-size:13px;color:var(--text-muted);text-decoration:none;padding:8px 14px;">Install Codex plugin →</a>
     </div>
-    <p style="font-size:13px;color:var(--text-muted);margin:16px auto 0;max-width:480px;">Free to install. No cloud account needed. Works in 30 seconds.</p>
-    <p style="font-size:13px;color:var(--text-muted);margin:8px auto 28px;max-width:480px;">Team plan is intake-first — one workflow, one repeat failure, proof before wider rollout. Stop vibe coding mistakes from repeating. <a href="#pricing" style="color:var(--cyan);text-decoration:none;">See pricing →</a></p>
+    <p style="font-size:13px;color:var(--text-muted);margin:16px auto 0;max-width:620px;">No, you do not have to chat inside the GPT forever. The GPT is the fastest demo and setup path; local hooks do the hard blocking for Claude Code, Cursor, Codex, Gemini, Amp, OpenCode, and MCP-compatible agents.</p>
+    <p style="font-size:13px;color:var(--text-muted);margin:8px auto 28px;max-width:480px;">Team plan is intake-first — one workflow, one repeat failure, proof before wider rollout. Pro stays the solo side lane for gate debugger, DPO export, and personal dashboard. <a href="#pricing" style="color:var(--cyan);text-decoration:none;">See all plans →</a></p>
     <div class="proof-bar">
       <a href="/guide" rel="noopener">CLI-first setup guide →</a>
       <span class="dot"></span>
@@ -490,7 +525,9 @@ __GA_BOOTSTRAP__
       <span class="dot"></span>
       <a href="https://github.com/IgorGanapolsky/ThumbGate/blob/main/.claude-plugin/README.md" target="_blank" rel="noopener">Claude marketplace install →</a>
       <span class="dot"></span>
-      <a href="https://github.com/IgorGanapolsky/ThumbGate/blob/main/adapters/chatgpt/INSTALL.md" target="_blank" rel="noopener">ChatGPT GPT Actions →</a>
+      <a href="https://chatgpt.com/g/g-69dcfd1cd5f881918ae31874631d6f08-thumbgate" target="_blank" rel="noopener">Open ThumbGate GPT →</a>
+      <span class="dot"></span>
+      <a href="https://github.com/IgorGanapolsky/ThumbGate/blob/main/adapters/chatgpt/INSTALL.md" target="_blank" rel="noopener">ChatGPT Actions setup →</a>
       <span class="dot"></span>
       <a href="https://github.com/IgorGanapolsky/ThumbGate/releases/latest/download/thumbgate-codex-plugin.zip" target="_blank" rel="noopener">Codex plugin download →</a>
       <span class="dot"></span>
@@ -502,12 +539,16 @@ __GA_BOOTSTRAP__
       <span class="dot"></span>
       <a href="https://cloud.google.com/blog/topics/healthcare-life-sciences/ensuring-safety-and-quality-in-healthcare-qa-agents" target="_blank" rel="noopener">Google Cloud safety framework architecture →</a>
       <span class="dot"></span>
+      <a href="https://www.nytimes.com/2026/04/06/technology/ai-cybersecurity.html" target="_blank" rel="noopener">NYT: AI agents as attack vectors (April 2026) →</a>
+      <span class="dot"></span>
       <a href="https://www.producthunt.com/products/thumbgate" target="_blank" rel="noopener">Product Hunt →</a>
       <span class="dot"></span>
       <a href="https://github.com/IgorGanapolsky/ThumbGate/actions" target="_blank" rel="noopener">Proof-backed CI →</a>
       <span class="dot"></span>
       <a href="https://github.com/IgorGanapolsky/ThumbGate/blob/main/docs/RELEASE_CONFIDENCE.md" target="_blank" rel="noopener">Release confidence →</a>
       <span class="dot"></span>
+      <a href="https://github.com/IgorGanapolsky/ThumbGate/blob/main/docs/THUMBGATE_BENCH.md" target="_blank" rel="noopener">ThumbGate Bench →</a>
+      <span class="dot"></span>
       <a href="https://github.com/IgorGanapolsky/ThumbGate/actions" target="_blank" rel="noopener">CI and proof lanes →</a>
       <span class="dot"></span>
       <a href="#compatibility">Claude Code · Cursor · Codex · Gemini · Amp · OpenCode</a>
@@ -515,6 +556,35 @@ __GA_BOOTSTRAP__
   </div>
 </section>
 
+<section class="gpt-path" id="thumbgate-gpt">
+  <div class="container">
+    <div class="gpt-panel">
+      <div class="section-label" style="text-align:left;">ChatGPT Entry Point</div>
+      <h2>Open the GPT. Check the action. Turn the lesson into a gate.</h2>
+      <p>ThumbGate should meet users where they already ask AI for help. The live GPT is the lowest-friction way to understand the product before installing anything.</p>
+      <div class="gpt-steps">
+        <div class="gpt-step">
+          <strong>1. Try the live GPT</strong>
+          <p>Paste a proposed command, file edit, merge, deploy, payment, email, or API call and ask what should happen next.</p>
+        </div>
+        <div class="gpt-step">
+          <strong>2. Save the signal</strong>
+          <p>Reply with <code>thumbs up:</code> or <code>thumbs down:</code> plus one concrete sentence. One signal becomes one remembered rule.</p>
+        </div>
+        <div class="gpt-step">
+          <strong>3. Enforce locally</strong>
+          <p>Run <code>npx thumbgate init</code> in the repo so Pre-Action Gates block repeated mistakes before the coding agent executes them.</p>
+        </div>
+      </div>
+      <div style="display:flex;gap:12px;flex-wrap:wrap;">
+        <a href="https://chatgpt.com/g/g-69dcfd1cd5f881918ae31874631d6f08-thumbgate" class="btn-gpt-page" target="_blank" rel="noopener" onclick="posthog.capture('gpt_path_cta_click',{cta:'open_gpt'})">Open ThumbGate GPT</a>
+        <a href="https://github.com/IgorGanapolsky/ThumbGate/blob/main/adapters/chatgpt/INSTALL.md" class="btn-free" target="_blank" rel="noopener" style="display:inline-flex;align-items:center;padding:12px 20px;border-radius:8px;">ChatGPT Actions setup</a>
+      </div>
+      <p class="gpt-note"><strong>Plain English rule:</strong> ChatGPT is the discovery and memory surface. The hard Reliability Gateway still runs in the local agent or CI lane.</p>
+    </div>
+  </div>
+</section>
+
 <section class="compatibility" id="compatibility">
   <div class="container">
     <div class="section-label">Compatibility</div>
@@ -530,10 +600,10 @@ __GA_BOOTSTRAP__
         <p>Codex ships with a published standalone ThumbGate plugin bundle plus a repo-local plugin profile. Download the zip, extract it, and install without wiring MCP by hand.</p>
         <div class="card-arrow">Get the Codex plugin →</div>
       </a>
-      <a class="compat-card" href="https://github.com/IgorGanapolsky/ThumbGate/blob/main/adapters/chatgpt/INSTALL.md" target="_blank" rel="noopener">
+      <a class="compat-card" href="https://chatgpt.com/g/g-69dcfd1cd5f881918ae31874631d6f08-thumbgate" target="_blank" rel="noopener">
         <h3>💬 ChatGPT GPT Actions</h3>
-        <p>Regular users reply with 👍/👎 or "thumbs up/down" on ChatGPT answers, save the lesson, prevent repeated bad answers, and reinforce the answer patterns that worked.</p>
-        <div class="card-arrow">Use in ChatGPT →</div>
+        <p>Open the ThumbGate GPT to check proposed AI actions, capture thumbs-up/down lessons, and get setup guidance. Real blocking for coding agents still runs locally after <code>npx thumbgate init</code>.</p>
+        <div class="card-arrow">Open ThumbGate GPT →</div>
       </a>
       <a class="compat-card" href="/guides/claude-desktop">
         <h3>🧩 Claude Desktop plugin</h3>
@@ -648,7 +718,7 @@ __GA_BOOTSTRAP__
 <!-- HOW IT WORKS -->
 <section class="how-it-works" id="how-it-works">
   <div class="container">
-    <div class="section-label">New in v1.4.0</div>
+    <div class="section-label">New in v1.4.3</div>
     <h2 class="section-title">Three steps to stop repeated AI failures</h2>
     <div class="steps">
       <div class="step">
@@ -838,12 +908,8 @@ __GA_BOOTSTRAP__
           <li>Personal local dashboard — every Pro user gets a localhost dashboard without extra cloud setup</li>
           <li>Review-ready workflow support — we help you wire the riskiest flows first: migrations, force-pushes, deploys, and CI</li>
         </ul>
-        <a href="/checkout/pro?utm_source=website&utm_medium=homepage_pricing&utm_campaign=pro_pack&cta_id=homepage_pricing_trial&cta_placement=pricing&plan_id=pro&landing_path=%2F" class="btn-pro" style="display:none" id="pro-checkout-link">Start Free Trial — then $19/mo</a>
         <div class="trial-badge" style="background:var(--cyan);color:#000;display:inline-block;padding:4px 12px;border-radius:12px;font-size:12px;font-weight:700;margin-bottom:12px;">7-DAY FREE TRIAL</div>
-        <div class="email-gate" style="margin-bottom:12px;">
-          <input type="email" id="pro-email" data-buyer-email placeholder="Your email to start trial" style="width:100%;padding:10px 14px;border:1px solid #333;border-radius:6px;background:#1a1a2e;color:#fff;font-size:14px;">
-        </div>
-        <button class="btn-pro" id="pro-trial-btn" onclick="handleProTrial()" style="width:100%;cursor:pointer;border:none;">Start 7-Day Free Trial</button>
+        <a href="/checkout/pro?utm_source=website&utm_medium=pricing_card&utm_campaign=pro_trial&cta_id=pricing_pro_trial&cta_placement=pricing&plan_id=pro&landing_path=%2F" class="btn-pro" onclick="posthog.capture('pricing_cta_click',{cta:'pro_trial',plan:'pro'})" style="display:block;width:100%;text-align:center;padding:12px;font-size:15px;">Start 7-Day Free Trial — $19/mo</a>
         <p style="font-size:11px;color:#666;margin-top:8px;">Solo Pro stays available for operators who want a personal dashboard and export-ready evidence without the team rollout motion.</p>
       </div>
       <div class="price-card team">
@@ -917,6 +983,10 @@ __GA_BOOTSTRAP__
         <div class="faq-q" role="button" tabindex="0" aria-expanded="false" onclick="toggleFaq(this)" onkeydown="handleFaqKeydown(event)">What AI agents and editors does this work with?</div>
         <div class="faq-a">ThumbGate works with Claude Code, Cursor, Codex, Gemini CLI, Amp, OpenCode, and any other MCP-compatible agent. Cursor ships with a plugin bundle in this repo. Codex now ships both a standalone plugin bundle and a repo-local app plugin profile, and the published download is linked directly from this page. VS Code works when you run an MCP-compatible agent inside it, but this repo does not ship a standalone VS Code extension today.</div>
       </div>
+      <div class="faq-item">
+        <div class="faq-q" role="button" tabindex="0" aria-expanded="false" onclick="toggleFaq(this)" onkeydown="handleFaqKeydown(event)">Do I have to chat inside the ThumbGate GPT for enforcement?</div>
+        <div class="faq-a">No. The ThumbGate GPT is the ChatGPT entrypoint for checking proposed actions, capturing thumbs-up/down lessons, and getting setup help. Hard enforcement still runs locally where the agent executes after <code>npx thumbgate init</code>.</div>
+      </div>
       <div class="faq-item">
         <button class="faq-q" type="button" aria-expanded="false" onclick="toggleFaq(this)" onkeydown="handleFaqKeydown(event)">How do we keep high-risk autonomous runs off the host?</button>
         <div class="faq-a">ThumbGate is the control plane, not just a prompt layer. Workflow Sentinel predicts blast radius before execution, and risky local autonomy can be routed into Docker Sandboxes instead of running directly on the host. Team workflows also have a signed hosted sandbox lane for isolated dispatch when local repo access is not required.</div>
@@ -962,9 +1032,11 @@ __GA_BOOTSTRAP__
 <!-- FINAL CTA -->
 <section class="final-cta">
   <div class="container">
-    <h2>Start with one workflow you actually need to defend.</h2>
-    <p>Use the workflow hardening sprint for team rollout. Install the free CLI if you are still evaluating alone. Pro remains the solo side lane for a personal dashboard and review-ready exports.</p>
+    <h2>Check the next agent action before it runs.</h2>
+    <p>Open the GPT for the fastest demo. Install the free CLI when you are ready to enforce the same lesson locally. Use the workflow hardening sprint for team rollout.</p>
     <div style="display:flex;gap:12px;justify-content:center;flex-wrap:wrap;">
+      <a href="https://chatgpt.com/g/g-69dcfd1cd5f881918ae31874631d6f08-thumbgate" target="_blank" rel="noopener" onclick="posthog.capture('final_cta_click',{cta:'open_gpt'})" class="btn-gpt-page">Open ThumbGate GPT</a>
+      <a href="/checkout/pro?utm_source=website&utm_medium=final_cta&utm_campaign=pro_trial&cta_id=final_pro_trial" onclick="posthog.capture('final_cta_click',{cta:'pro_trial'})" class="btn-pro" style="padding:12px 32px;font-size:15px;">Start 7-Day Free Trial — $19/mo</a>
       <a href="#workflow-sprint-intake" class="btn-team" style="background:var(--green);">Start Workflow Hardening Sprint</a>
       <a href="/guide?utm_source=website&utm_medium=homepage_final&utm_campaign=install_free" class="btn-pro btn-install-link">Install Free CLI</a>
     </div>
@@ -982,10 +1054,33 @@ __GA_BOOTSTRAP__
       <a href="https://www.linkedin.com/in/igorganapolsky" target="_blank" rel="noopener">LinkedIn</a>
       <a href="/blog">Blog</a>
     </div>
-    <span class="footer-copy">© 2026 Max Smith KDP LLC · MIT License · v1.4.0</span>
+    <span class="footer-copy">© 2026 Max Smith KDP LLC · MIT License · v1.4.3</span>
   </div>
 </footer>
 
+<!-- STICKY BOTTOM CTA -->
+<div class="sticky-cta" id="sticky-cta">
+  <span class="sticky-cta-text"><strong>Live ThumbGate GPT</strong> — check an agent action before it runs</span>
+  <a href="https://chatgpt.com/g/g-69dcfd1cd5f881918ae31874631d6f08-thumbgate" target="_blank" rel="noopener" onclick="posthog.capture('sticky_cta_click',{cta:'open_gpt'})" class="btn-gpt-page">Open GPT</a>
+</div>
+<script>
+(function() {
+  var stickyCta = document.getElementById('sticky-cta');
+  var heroSection = document.querySelector('.hero');
+  if (!stickyCta || !heroSection) return;
+  var observer = new IntersectionObserver(function(entries) {
+    entries.forEach(function(entry) {
+      if (entry.isIntersecting) {
+        stickyCta.classList.remove('visible');
+      } else {
+        stickyCta.classList.add('visible');
+      }
+    });
+  }, { threshold: 0 });
+  observer.observe(heroSection);
+})();
+</script>
+
 <script src="/js/buyer-intent.js"></script>
 <script>
 function initializeBuyerIntentForms() {
@@ -998,6 +1093,7 @@ function initializeBuyerIntentForms() {
 
 function resolvePricingClickTier(el) {
   if (el.classList.contains('btn-install-link')) return 'install';
+  if (el.classList.contains('btn-gpt-page')) return 'chatgpt_gpt';
   if (el.classList.contains('btn-pro')) return 'pro';
   if (el.classList.contains('btn-pro-page')) return 'pro_page';
   if (el.classList.contains('btn-team')) return 'team';
@@ -1041,16 +1137,17 @@ function copyInstall(el) {
 
   /* CTA clicks */
   trackClick('.btn-pro', 'checkout_start', { tier: 'pro', price: 19, billing: 'monthly' });
+  trackClick('.btn-gpt-page', 'chatgpt_gpt_click', { tier: 'free', source: 'homepage_gpt' });
   trackClick('.btn-pro-page:not(.btn-install-link)', 'pro_page_click', { tier: 'pro', source: 'hero' });
   trackClick('.btn-install-link', 'install_guide_click', { tier: 'free', source: 'homepage_cta' });
   trackClick('.btn-team', 'workflow_sprint_intake_click', { tier: 'team', offer: 'workflow_hardening_sprint' });
   trackClick('.btn-free', 'install_click', { tier: 'free' });
   trackClick('.btn-demo-link', 'demo_click', { source: 'homepage' });
-  trackClick('.nav-cta', 'workflow_sprint_intake_click', { tier: 'team', source: 'nav', offer: 'workflow_hardening_sprint' });
+  trackClick('.nav-cta', 'chatgpt_gpt_click', { tier: 'free', source: 'nav' });
 
   /* Pricing CTA conversion tracking — fires on every Get Started / Pro / Team button click
      with section context so we can distinguish pricing section vs final CTA section clicks */
-  document.querySelectorAll('.btn-pro, .btn-pro-page, .btn-install-link, .btn-team, .btn-free, .btn-demo-link, .nav-cta').forEach(function(el) {
+  document.querySelectorAll('.btn-pro, .btn-gpt-page, .btn-pro-page, .btn-install-link, .btn-team, .btn-free, .btn-demo-link, .nav-cta').forEach(function(el) {
     el.addEventListener('click', function() {
       var section = el.closest('section');
       var sectionId = section ? (section.id || section.className.split(' ')[0] || 'unknown') : 'unknown';

package/public/llm-context.md

@@ -137,4 +137,20 @@ The core thesis: AI slop happens when agents act without human judgment as a har
 
 **Positioning for authenticity-conscious audiences**: ThumbGate is the authenticity enforcement layer for AI coding agents. Where AI slop is the symptom, unconstrained agent autonomy is the cause. ThumbGate addresses the cause.
 
-*Last updated: 2026-04-09*
+## AI Agent Security Infrastructure
+
+In April 2026, Anthropic confirmed the first known AI-agent-driven cyberattack, where state-sponsored hackers used Claude to infiltrate over 30 organizations with only 10-20% human involvement (New York Times, April 6 2026). On the defensive side, Anthropic used its own AI to discover 500+ zero-day vulnerabilities in open-source software. The core conclusion: organizations that do not use AI defensively will be enormously vulnerable.
+
+ThumbGate is AI agent security infrastructure for coding workflows. The same PreToolUse hooks that prevent an agent from repeating a teammate's mistake also prevent an agent from executing a prompt-injected destructive command. The enforcement model is the same — evaluate every tool call against known-bad patterns before execution — whether the threat is an honest mistake or a malicious injection.
+
+Security-relevant capabilities in ThumbGate v1.4.0:
+
+- **Self-protection**: 4 gates prevent the governed agent from disabling ThumbGate, modifying gate rules, killing governance processes, or overriding enforcement environment variables. A compromised or prompt-injected agent cannot disable its own guardrails.
+- **Budget enforcement**: Action count and wall-clock time limits prevent runaway agent sessions from burning resources. Three profiles (strict/guided/autonomous) cap actions at 500/2000/5000 per session.
+- **Compliance mapping**: 13 gate rules carry NIST SP800-53, SOC2 Trust Services, OWASP Top 10, and CWE tags for enterprise security teams that require framework alignment.
+- **Append-only audit trail**: Every gate decision (block, approve, log) is recorded with timestamp, tool call, matched gate ID, severity, and human override status. The agent cannot modify or delete audit entries.
+- **Shared enforcement memory**: Prevention rules propagate across all team seats via a shared SQLite+FTS5 database. A pattern blocked on one seat is immediately enforced on every seat.
+
+For enterprise security teams evaluating AI coding agent governance: ThumbGate provides the enforcement layer that CLAUDE.md rules, prompt engineering, and post-hoc code review cannot — pre-execution blocking with full audit trail and compliance mapping.
+
+*Last updated: 2026-04-13*

package/scripts/ai-search-visibility.js

@@ -1,8 +1,8 @@
 'use strict';
 
-const https = require('node:https');
 const fs = require('node:fs');
 const path = require('node:path');
+const { PerplexityClient, extractChatText } = require('./perplexity-client');
 
 const PROMPTS = [
   'best pre-action gate tools for AI coding agents',
@@ -15,45 +15,19 @@ const PROMPTS = [
   'AI coding agent memory and learning',
 ];
 
-function queryPerplexity(prompt, apiKey) {
-  return new Promise((resolve, reject) => {
-    const body = JSON.stringify({
-      model: 'sonar',
-      messages: [{ role: 'user', content: prompt }],
-    });
-    const req = https.request(
-      {
-        hostname: 'api.perplexity.ai',
-        path: '/chat/completions',
-        method: 'POST',
-        headers: {
-          Authorization: `Bearer ${apiKey}`,
-          'Content-Type': 'application/json',
-          'Content-Length': Buffer.byteLength(body),
-        },
-      },
-      (res) => {
-        const chunks = [];
-        res.on('data', (c) => chunks.push(c));
-        res.on('end', () => {
-          try {
-            const json = JSON.parse(Buffer.concat(chunks).toString());
-            const content = json.choices?.[0]?.message?.content || '';
-            resolve(content);
-          } catch (e) {
-            reject(new Error(`Failed to parse Perplexity response: ${e.message}`));
-          }
-        });
-      }
-    );
-    req.on('error', reject);
-    req.write(body);
-    req.end();
+async function queryPerplexity(prompt, apiKey, opts = {}) {
+  const client = opts.client || new PerplexityClient({ apiKey });
+  const response = await client.chatCompletion({
+    model: 'sonar',
+    messages: [{ role: 'user', content: prompt }],
   });
+  return extractChatText(response);
 }
 
 async function runVisibilityCheck(opts = {}) {
-  const apiKey = opts.apiKey || process.env.PERPLEXITY_API_KEY;
+  const apiKey = Object.hasOwn(opts, 'apiKey')
+    ? opts.apiKey
+    : process.env.PERPLEXITY_API_KEY;
   const queryFn = opts.queryFn || (apiKey ? (p) => queryPerplexity(p, apiKey) : null);
 
   const results = [];

package/scripts/audit-trail.js

@@ -12,10 +12,12 @@
 
 const fs = require('fs');
 const path = require('path');
+const crypto = require('crypto');
 const { resolveFeedbackDir } = require('./feedback-paths');
 const { ensureDir } = require('./fs-utils');
 
 const AUDIT_LOG_FILENAME = 'audit-trail.jsonl';
+const GATE_EVENTS_LOG_FILENAME = 'gate-events-log.jsonl';
 
 // ---------------------------------------------------------------------------
 // Paths
@@ -98,27 +100,34 @@ function sanitizeToolInput(toolInput) {
 // ---------------------------------------------------------------------------
 
 /**
- * Converts deny/warn audit events into ThumbGate feedback signal.
- * This is the core OpenShell insight: policy decisions ARE training signal.
+ * Converts deny/warn audit events into a separate gate-events log.
+ *
+ * IMPORTANT: Gate denials are NOT user feedback. Writing them to the main
+ * feedback-log.jsonl inflated user-facing stats ~18x (1,943 synthetic entries
+ * vs ~300 real). Gate events are now logged to gate-events-log.jsonl for
+ * internal analytics only — they never pollute thumbs-up/thumbs-down counts.
  */
 function auditToFeedback(auditRecord) {
   if (auditRecord.decision === 'allow') return null;
 
   try {
-    const feedbackLoop = require('./feedback-loop');
-    const signal = auditRecord.decision === 'deny' ? 'down' : 'down';
-    const context = `Gate "${auditRecord.gateId}" ${auditRecord.decision === 'deny' ? 'blocked' : 'warned'} tool "${auditRecord.toolName}": ${auditRecord.message || 'no message'}`;
-
-    return feedbackLoop.captureFeedback({
-      signal,
-      context,
-      what_went_wrong: `Agent attempted action blocked by policy gate: ${auditRecord.gateId}`,
-      what_to_change: auditRecord.message || 'Follow safety policy before attempting this action',
-      tags: ['audit-trail', 'auto-capture', `gate:${auditRecord.gateId}`, auditRecord.source].filter(Boolean),
-      title: `MISTAKE: Policy violation — ${auditRecord.gateId}`,
-    });
+    const { getFeedbackPaths } = require('./feedback-paths');
+    const { FEEDBACK_DIR } = getFeedbackPaths();
+    const gateLogPath = path.join(FEEDBACK_DIR, GATE_EVENTS_LOG_FILENAME);
+    ensureDir(path.dirname(gateLogPath));
+    const entry = {
+      id: `gate_${crypto.randomUUID()}`,
+      gateId: auditRecord.gateId,
+      decision: auditRecord.decision,
+      toolName: auditRecord.toolName,
+      message: auditRecord.message || null,
+      source: auditRecord.source || null,
+      timestamp: new Date().toISOString(),
+    };
+    fs.appendFileSync(gateLogPath, JSON.stringify(entry) + '\n');
+    return entry;
   } catch {
-    // Feedback capture failure should never break the audit trail
+    // Gate event logging failure should never break the audit trail
     return null;
   }
 }
@@ -316,6 +325,7 @@ module.exports = {
   getAuditLogPath,
   sanitizeToolInput,
   AUDIT_LOG_FILENAME,
+  GATE_EVENTS_LOG_FILENAME,
   CACHE_TUNE_STATE_FILENAME,
 };