thumbgate 1.5.3 → 1.5.8

package/.claude-plugin/marketplace.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate-marketplace",
-  "version": "1.5.3",
+  "version": "1.5.8",
   "owner": {
     "name": "Igor Ganapolsky",
     "email": "ig5973700@gmail.com"
@@ -13,7 +13,7 @@
         "source": "npm",
         "package": "thumbgate"
       },
-      "version": "1.5.3",
+      "version": "1.5.8",
       "author": {
         "name": "Igor Ganapolsky"
       },

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "thumbgate",
   "description": "Type 👍 or 👎 on any agent action. ThumbGate captures it, distills a lesson, and blocks the pattern from repeating. One thumbs-down = the agent physically cannot make that mistake again. 33 pre-action gates, budget enforcement, self-protection, and NIST/SOC2 compliance tags.",
-  "version": "1.5.3",
+  "version": "1.5.8",
   "author": {
     "name": "Igor Ganapolsky"
   },

package/.well-known/mcp/server-card.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate",
-  "version": "1.5.3",
+  "version": "1.5.8",
   "description": "ThumbGate — 👍👎 feedback that teaches your AI agent. Thumbs down a mistake, it never happens again.",
   "homepage": "https://github.com/IgorGanapolsky/thumbgate",
   "transport": "stdio",

package/adapters/README.md

@@ -3,7 +3,7 @@
 - `chatgpt/openapi.yaml`: import into GPT Actions.
 - `gemini/function-declarations.json`: Gemini function-calling definitions.
 - `mcp/server-stdio.js`: underlying local MCP stdio server implementation.
-- `claude/.mcp.json`: example Claude Code MCP config using `npx --yes --package thumbgate@1.5.3 thumbgate serve`.
+- `claude/.mcp.json`: example Claude Code MCP config using `npx --yes --package thumbgate@1.5.8 thumbgate serve`.
 - `codex/config.toml`: example Codex MCP profile section using the same version-pinned portable launcher.
 - `amp/skills/thumbgate-feedback/SKILL.md`: Amp skill template.
 - `opencode/opencode.json`: portable OpenCode MCP profile using the same version-pinned portable launcher.

package/adapters/claude/.mcp.json

@@ -2,13 +2,13 @@
   "mcpServers": {
     "thumbgate": {
       "command": "npx",
-      "args": ["--yes", "--package", "thumbgate@1.5.3", "thumbgate", "serve"]
+      "args": ["--yes", "--package", "thumbgate@1.5.8", "thumbgate", "serve"]
     }
   },
   "hooks": {
     "preToolUse": {
       "command": "npx",
-      "args": ["--yes", "--package", "thumbgate@1.5.3", "thumbgate", "gate-check"]
+      "args": ["--yes", "--package", "thumbgate@1.5.8", "thumbgate", "gate-check"]
     }
   }
 }

package/adapters/codex/config.toml

@@ -3,9 +3,9 @@
 # ~/.codex/config.json with the ThumbGate hooks and status line.
 [mcp_servers.thumbgate]
 command = "npx"
-args = ["--yes", "--package", "thumbgate@1.5.3", "thumbgate", "serve"]
+args = ["--yes", "--package", "thumbgate@1.5.8", "thumbgate", "serve"]
 
 # Hard PreToolUse hook for Codex
 [hooks.pre_tool_use]
 command = "npx"
-args = ["--yes", "--package", "thumbgate@1.5.3", "thumbgate", "gate-check"]
+args = ["--yes", "--package", "thumbgate@1.5.8", "thumbgate", "gate-check"]

package/adapters/mcp/server-stdio.js

@@ -146,7 +146,7 @@ const {
   finalizeSession: finalizeFeedbackSession,
 } = require('../../scripts/feedback-session');
 
-const SERVER_INFO = { name: 'thumbgate-mcp', version: '1.5.3' };
+const SERVER_INFO = { name: 'thumbgate-mcp', version: '1.5.8' };
 const COMMERCE_CATEGORIES = [
   'product_recommendation',
   'brand_compliance',

package/adapters/opencode/opencode.json

@@ -7,7 +7,7 @@
         "npx",
         "--yes",
         "--package",
-        "thumbgate@1.5.3",
+        "thumbgate@1.5.8",
         "thumbgate",
         "serve"
       ],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate",
-  "version": "1.5.3",
+  "version": "1.5.8",
   "description": "Self-improving agent governance: type thumbs-up or thumbs-down on any AI agent action. ThumbGate turns every mistake into a prevention rule and blocks the pattern from repeating. One thumbs-down, never again. 33 pre-action gates, budget enforcement, and self-protection for Claude Code, Cursor, Codex, Gemini CLI, and Amp.",
   "homepage": "https://thumbgate-production.up.railway.app",
   "repository": {
@@ -35,11 +35,14 @@
     "bin/postinstall.js",
     "config/",
     "openapi/",
+    "public/blog.html",
     "public/compare.html",
     "public/dashboard.html",
     "public/guide.html",
     "public/index.html",
+    "public/learn.html",
     "public/lessons.html",
+    "public/pro.html",
     "scripts/access-anomaly-detector.js",
     "scripts/agent-readiness.js",
     "scripts/agentic-data-pipeline.js",
@@ -245,7 +248,7 @@
     "trace:eval": "node scripts/decision-trace.js eval",
     "social:reply-monitor": "node scripts/social-reply-monitor.js",
     "social:reply-monitor:dry": "node scripts/social-reply-monitor.js --dry-run",
-    "test": "npm run test:schema && npm run test:loop && npm run test:dpo && npm run test:kto && npm run test:api && npm run test:proof && npm run test:e2e && npm run test:rlaif && npm run test:attribution && npm run test:quality && npm run test:intelligence && npm run test:training-export && npm run test:deployment && npm run test:operational-integrity && npm run test:workflow && npm run test:billing && npm run test:cli && npm run test:watcher && npm run test:autoresearch && npm run test:ops && npm run test:session-analyzer && npm run test:tessl && npm run test:gates && npm run test:evoskill && npm run test:gates-hardening && npm run test:workers && npm run test:social-analytics && npm run test:memalign && npm run test:xmemory-lite && npm run test:filesystem-search && npm run test:zernio && npm run test:post-video && npm run test:post-everywhere-instagram && npm run test:obsidian-export && npm run test:lesson-db && npm run test:lesson-rotation && npm run test:memory-dedup && npm run test:feedback-quality && npm run test:sync-version && npm run test:check-congruence && npm run test:tool-registry && npm run test:feedback-to-rules && npm run test:memory-firewall && npm run test:belief-update && npm run test:hosted-config && npm run test:operational-summary && npm run test:operator-key-auth && npm run test:cloudflare-sandbox && npm run test:mcp-config && npm run test:plan-gate && npm run test:pulse && npm run test:semantic-layer && npm run test:data-pipeline && npm run test:optimize-context && npm run test:principle-extractor && npm run test:analytics-window && npm run test:funnel-analytics && npm run test:experiment-tracker && npm run test:build-metadata && npm run test:context-engine && npm run test:hf-papers && npm run test:marketing-experiment && npm run test:seo-gsd && npm run test:verify-run && npm run test:export-dpo-pairs && npm run test:export-hf-dataset && npm run test:license && npm run test:bot-detector && npm run test:postinstall && npm run test:funnel-invariants && npm run test:cli-telemetry && npm run test:pro-parity && npm run test:model-tier-router && npm run test:computer-use-firewall && npm run test:skill-exporter && npm run test:statusline && npm run test:evolution && npm run test:org-dashboard && npm run test:multi-hop-recall && npm run test:synthetic-dpo && npm run test:thumbgate-skill && npm run test:learn-hub && npm run test:feedback-fallback && npm run test:metaclaw && npm run test:server-lock && npm run test:control-tower && npm run test:pii-scanner && npm run test:data-governance && npm run test:lesson-inference && npm run test:semantic-dedup && npm run test:fs-utils && npm run test:cli-schema && npm run test:explore && npm run test:lesson-reranker && npm run test:lesson-retrieval && npm run test:cross-encoder && npm run test:reflector-agent && npm run test:feedback-session && npm run test:feedback-history-distiller && npm run test:hallucination-detector && npm run test:history-distiller && npm run test:predictive-insights && npm run test:prove-predictive-insights && npm run test:statusbar-cli && npm run test:generate-instagram-card && npm run test:instagram-thumbgate-post && npm run test:publish-instagram-thumbgate && npm run test:lesson-synthesis && npm run test:background-governance && npm run test:memory-migration && npm run test:prompt-dlp && npm run test:ephemeral-store && npm run test:agent-security && npm run test:skill-progressive && npm run test:per-step-scoring && npm run test:weekly-auto-post && npm run test:social-post-hourly && npm run test:social-quality-gate && npm run test:a2ui-engine && npm run test:gate-satisfy && npm run test:money-watcher && npm run test:budget && npm run test:quick-start && npm run test:utm && npm run test:product-feedback && npm run test:feedback-root-consolidator && npm run test:engagement-audit && npm run test:install-growth-automation && npm run test:publish-thumbgate-launch && npm run test:reconcile-thumbgate-campaign && npm run test:reddit-publisher && npm run test:schedule-thumbgate-campaign && npm run test:social-reply-monitor && npm run test:sync-launch-assets && npm run test:ai-search-visibility && npm run test:perplexity && npm run test:security-scanner && npm run test:llm-client && npm run test:managed-lesson-agent && npm run test:self-distill && npm run test:meta-agent && npm run test:harness-selector && npm run test:thumbgate-bench && npm run test:seo-guides && npm run test:enforcement-loop && npm run test:cli-agent-experience && npm run test:bot-detection && npm run test:checkout-bot-guard && npm run test:session-health && npm run test:session-episodes && npm run test:spec-gate && npm run test:decision-trace && npm run test:dashboard-insights && npm run test:prompt-eval && npm run test:demo-voiceover && npm run test:gate-coherence && npm run test:gate-eval && npm run test:high-roi && npm run test:public-static-assets && npm run test:token-savings && npm run test:workflow-gate-checkpoint && npm run test:lesson-export-import && npm run test:landing-page-claims && npm run test:dashboard-deeplink-e2e",
+    "test": "npm run test:schema && npm run test:loop && npm run test:dpo && npm run test:kto && npm run test:api && npm run test:proof && npm run test:e2e && npm run test:rlaif && npm run test:attribution && npm run test:quality && npm run test:intelligence && npm run test:training-export && npm run test:deployment && npm run test:operational-integrity && npm run test:workflow && npm run test:billing && npm run test:cli && npm run test:watcher && npm run test:autoresearch && npm run test:ops && npm run test:session-analyzer && npm run test:tessl && npm run test:gates && npm run test:evoskill && npm run test:gates-hardening && npm run test:workers && npm run test:social-analytics && npm run test:memalign && npm run test:xmemory-lite && npm run test:filesystem-search && npm run test:zernio && npm run test:post-video && npm run test:post-everywhere-instagram && npm run test:obsidian-export && npm run test:lesson-db && npm run test:lesson-rotation && npm run test:memory-dedup && npm run test:feedback-quality && npm run test:sync-version && npm run test:check-congruence && npm run test:tool-registry && npm run test:feedback-to-rules && npm run test:memory-firewall && npm run test:belief-update && npm run test:hosted-config && npm run test:operational-summary && npm run test:operator-key-auth && npm run test:cloudflare-sandbox && npm run test:mcp-config && npm run test:plan-gate && npm run test:pulse && npm run test:semantic-layer && npm run test:data-pipeline && npm run test:optimize-context && npm run test:principle-extractor && npm run test:analytics-window && npm run test:funnel-analytics && npm run test:experiment-tracker && npm run test:build-metadata && npm run test:context-engine && npm run test:hf-papers && npm run test:marketing-experiment && npm run test:seo-gsd && npm run test:verify-run && npm run test:export-dpo-pairs && npm run test:export-hf-dataset && npm run test:license && npm run test:bot-detector && npm run test:postinstall && npm run test:funnel-invariants && npm run test:cli-telemetry && npm run test:pro-parity && npm run test:model-tier-router && npm run test:computer-use-firewall && npm run test:skill-exporter && npm run test:statusline && npm run test:evolution && npm run test:org-dashboard && npm run test:multi-hop-recall && npm run test:synthetic-dpo && npm run test:thumbgate-skill && npm run test:learn-hub && npm run test:feedback-fallback && npm run test:metaclaw && npm run test:server-lock && npm run test:control-tower && npm run test:pii-scanner && npm run test:data-governance && npm run test:lesson-inference && npm run test:semantic-dedup && npm run test:fs-utils && npm run test:cli-schema && npm run test:explore && npm run test:lesson-reranker && npm run test:lesson-retrieval && npm run test:cross-encoder && npm run test:reflector-agent && npm run test:feedback-session && npm run test:feedback-history-distiller && npm run test:hallucination-detector && npm run test:history-distiller && npm run test:predictive-insights && npm run test:prove-predictive-insights && npm run test:statusbar-cli && npm run test:generate-instagram-card && npm run test:instagram-thumbgate-post && npm run test:publish-instagram-thumbgate && npm run test:lesson-synthesis && npm run test:background-governance && npm run test:memory-migration && npm run test:prompt-dlp && npm run test:ephemeral-store && npm run test:agent-security && npm run test:skill-progressive && npm run test:per-step-scoring && npm run test:weekly-auto-post && npm run test:social-post-hourly && npm run test:social-quality-gate && npm run test:a2ui-engine && npm run test:gate-satisfy && npm run test:money-watcher && npm run test:budget && npm run test:quick-start && npm run test:utm && npm run test:product-feedback && npm run test:feedback-root-consolidator && npm run test:engagement-audit && npm run test:install-growth-automation && npm run test:publish-thumbgate-launch && npm run test:reconcile-thumbgate-campaign && npm run test:reddit-publisher && npm run test:schedule-thumbgate-campaign && npm run test:social-reply-monitor && npm run test:sync-launch-assets && npm run test:ai-search-visibility && npm run test:perplexity && npm run test:security-scanner && npm run test:llm-client && npm run test:managed-lesson-agent && npm run test:self-distill && npm run test:meta-agent && npm run test:harness-selector && npm run test:thumbgate-bench && npm run test:seo-guides && npm run test:enforcement-loop && npm run test:cli-agent-experience && npm run test:bot-detection && npm run test:checkout-bot-guard && npm run test:session-health && npm run test:session-episodes && npm run test:spec-gate && npm run test:decision-trace && npm run test:dashboard-insights && npm run test:prompt-eval && npm run test:demo-voiceover && npm run test:gate-coherence && npm run test:gate-eval && npm run test:high-roi && npm run test:public-static-assets && npm run test:token-savings && npm run test:workflow-gate-checkpoint && npm run test:lesson-export-import && npm run test:landing-page-claims && npm run test:dashboard-deeplink-e2e && npm run test:public-package-parity && npm run test:token-savings-dashboard && npm run test:cursor-wiring",
     "test:session-health": "node --test tests/session-health-sensor.test.js",
     "test:session-episodes": "node --test tests/session-episode-store.test.js",
     "test:spec-gate": "node --test tests/spec-gate.test.js",
@@ -481,7 +484,12 @@
     "test:workflow-gate-checkpoint": "node --test tests/workflow-gate-checkpoint.test.js",
     "test:lesson-export-import": "node --test tests/lesson-export-import.test.js",
     "test:landing-page-claims": "node --test tests/landing-page-claims.test.js",
-    "test:dashboard-deeplink-e2e": "node --test tests/dashboard-deeplink-e2e.test.js"
+    "test:dashboard-deeplink-e2e": "node --test tests/dashboard-deeplink-e2e.test.js",
+    "test:public-package-parity": "node --test tests/public-package-parity.test.js",
+    "prepare": "bash bin/install-hooks.sh >/dev/null 2>&1 || true",
+    "install:hooks": "bash bin/install-hooks.sh",
+    "test:token-savings-dashboard": "node --test tests/token-savings-dashboard.test.js",
+    "test:cursor-wiring": "node --test tests/cursor-wiring.test.js"
   },
   "keywords": [
     "mcp",

package/public/blog.html

@@ -0,0 +1,474 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>ThumbGate Blog — Agent Governance Engineering</title>
+    <script defer data-domain="thumbgate-production.up.railway.app" src="https://plausible.io/js/script.js"></script>
+    <meta
+      name="description"
+      content="Technical breakdowns, release notes, and agent governance insights from the ThumbGate team."
+    />
+    <link
+      rel="canonical"
+      href="https://thumbgate-production.up.railway.app/blog"
+    />
+    <meta
+      property="og:title"
+      content="ThumbGate Blog — Agent Governance Engineering"
+    />
+    <meta
+      property="og:description"
+      content="Technical breakdowns, release notes, and agent governance insights from the ThumbGate team."
+    />
+    <meta property="og:type" content="website" />
+    <meta
+      property="og:url"
+      content="https://thumbgate-production.up.railway.app/blog"
+    />
+    <script type="application/ld+json">
+      {
+        "@context": "https://schema.org",
+        "@type": "Blog",
+        "name": "ThumbGate Blog",
+        "url": "https://thumbgate-production.up.railway.app/blog",
+        "publisher": { "@type": "Organization", "name": "Max Smith KDP LLC" },
+        "blogPost": [
+          {
+            "@type": "BlogPosting",
+            "headline": "Your AI agent is a supply chain attack surface. Here's how to gate it.",
+            "datePublished": "2026-04-10",
+            "keywords": "AI agent security, supply chain attack, pre-action gates, agent governance, ThumbGate"
+          },
+          {
+            "@type": "BlogPosting",
+            "headline": "The Claude Code Leak Proves Why Pre-Action Gates Matter",
+            "datePublished": "2026-04-01",
+            "keywords": "Claude Code security, Claude Code guardrails, AI agent safety, pre-action gates"
+          },
+          {
+            "@type": "BlogPosting",
+            "headline": "v0.8.5: Gate Reasoning Chains, Org Dashboard, and the Checkout Funnel That Didn't Exist",
+            "datePublished": "2026-03-31"
+          }
+        ]
+      }
+    </script>
+    <style>
+      :root {
+        --bg: #0a0a0a;
+        --surface: #141414;
+        --border: #2a2a2a;
+        --text: #e0e0e0;
+        --text-dim: #888;
+        --cyan: #00d4aa;
+      }
+      * {
+        margin: 0;
+        padding: 0;
+        box-sizing: border-box;
+      }
+      body {
+        font-family:
+          -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+        background: var(--bg);
+        color: var(--text);
+        line-height: 1.7;
+      }
+      .container {
+        max-width: 720px;
+        margin: 0 auto;
+        padding: 0 24px;
+      }
+      header {
+        padding: 24px 0;
+        border-bottom: 1px solid var(--border);
+      }
+      header a {
+        color: var(--cyan);
+        text-decoration: none;
+        font-weight: 600;
+      }
+      h1 {
+        font-size: 18px;
+        font-weight: 700;
+      }
+      .post {
+        padding: 48px 0;
+        border-bottom: 1px solid var(--border);
+      }
+      .post-date {
+        font-size: 13px;
+        color: var(--text-dim);
+        margin-bottom: 8px;
+      }
+      .post h2 {
+        font-size: 24px;
+        font-weight: 700;
+        margin-bottom: 16px;
+        letter-spacing: -0.02em;
+      }
+      .post h3 {
+        font-size: 18px;
+        font-weight: 600;
+        margin: 24px 0 8px;
+      }
+      .post p {
+        margin-bottom: 16px;
+        color: var(--text-dim);
+      }
+      .post ul {
+        margin: 0 0 16px 24px;
+        color: var(--text-dim);
+      }
+      .post li {
+        margin-bottom: 6px;
+      }
+      .post code {
+        background: var(--surface);
+        padding: 2px 6px;
+        border-radius: 4px;
+        font-size: 14px;
+      }
+      .post strong {
+        color: var(--text);
+      }
+      .cta {
+        display: inline-block;
+        margin-top: 16px;
+        padding: 10px 20px;
+        background: var(--cyan);
+        color: #000;
+        border-radius: 6px;
+        text-decoration: none;
+        font-weight: 600;
+        font-size: 14px;
+      }
+      footer {
+        padding: 48px 0 24px;
+        text-align: center;
+        color: var(--text-dim);
+        font-size: 13px;
+      }
+      footer a {
+        color: var(--cyan);
+        text-decoration: none;
+      }
+    </style>
+  </head>
+  <body>
+    <header>
+      <div
+        class="container"
+        style="
+          display: flex;
+          justify-content: space-between;
+          align-items: center;
+        "
+      >
+        <h1><a href="/">ThumbGate</a> / Blog</h1>
+        <a href="/">Back to home</a>
+      </div>
+    </header>
+
+    <div class="container">
+      <article class="post">
+        <div class="post-date">April 10, 2026</div>
+        <h2>Your AI agent is a supply chain attack surface. Here's how to gate it.</h2>
+
+        <p>
+          Your AI coding agent runs shell commands. It installs packages. It
+          modifies files, pushes commits, and calls external APIs &mdash; all
+          without requiring you to type a single character. That's the pitch.
+          That's also the attack surface.
+        </p>
+
+        <h3>The gap is pre-action enforcement</h3>
+        <p>
+          Static analysis catches known-bad patterns in code you've already
+          written. Dependency scanners audit lock files <em>after</em> packages
+          are installed. By the time your scanner flags a problem, the agent
+          already ran the command.
+        </p>
+        <p>
+          These tools operate on the <em>output</em> of agent actions. You need
+          something that operates on the <em>input</em> &mdash; before execution.
+        </p>
+
+        <h3>Pre-Action Gates via PreToolUse hooks</h3>
+        <p>
+          ThumbGate implements pre-action gates via <code>PreToolUse</code> hooks
+          &mdash; interception points that run before every tool invocation. No
+          action reaches execution without passing through the gate. Not Bash
+          commands, not file edits, not web fetches.
+        </p>
+        <p>
+          What makes this more than a static blocklist is the
+          <strong>feedback-to-enforcement pipeline</strong>. When something goes
+          wrong, you record a thumbs-down with context. That failure feeds a
+          promotion engine. One failure becomes a warning. Three confirmed
+          failures of the same pattern become a hard block.
+        </p>
+
+        <h3>Real examples</h3>
+        <ul>
+          <li>
+            <strong>Force-push to main</strong> &mdash; Gate fires, push never
+            happens. Agent is redirected to create a branch and open a PR.
+          </li>
+          <li>
+            <strong>Unknown dependency install</strong> &mdash; Flagged for human
+            review. Agent pauses until you approve.
+          </li>
+          <li>
+            <strong>Destructive shell command</strong> &mdash; Blocked by a
+            prevention rule learned from a prior incident.
+          </li>
+        </ul>
+
+        <h3>Five-minute setup</h3>
+        <p>
+          <code>npx thumbgate init</code> installs the PreToolUse hook and
+          generates a starter gate config. Gates are just JSON &mdash; commit
+          them, review them, share them across your team.
+        </p>
+        <p>
+          <strong>Human judgment leads. AI supports. ThumbGate enforces it.</strong>
+        </p>
+
+        <a class="cta" href="/guide">Full setup guide &rarr;</a>
+      </article>
+
+      <article class="post">
+        <div class="post-date">April 1, 2026</div>
+        <h2>Dual-Signal Feedback: Why "What Failed" Isn't Enough</h2>
+
+        <p>
+          Standard thumbs-down tells you <em>something</em> went wrong. But was
+          it a bad decision (wrong tool) or bad execution (right tool, wrong
+          parameters)?
+        </p>
+
+        <p>
+          Inspired by
+          <a
+            href="https://huggingface.co/papers/2603.28767"
+            style="color: var(--cyan)"
+            >Gen-Searcher's dual reward system</a
+          >, ThumbGate now supports an optional <code>failureType</code> field
+          on <code>capture_feedback</code>:
+        </p>
+
+        <ul>
+          <li>
+            <strong><code>"decision"</code></strong> — the agent chose the wrong
+            action entirely
+          </li>
+          <li>
+            <strong><code>"execution"</code></strong> — right action, bad
+            parameters or output
+          </li>
+        </ul>
+
+        <p>
+          Thompson Sampling creates separate sub-arms (e.g.,
+          <code>git:decision</code> and <code>git:execution</code>) so
+          reliability scores diverge per dimension. An agent might be great at
+          choosing git commands but bad at parameterizing them — now you can see
+          that distinction.
+        </p>
+
+        <p>
+          Backward compatible. Existing feedback without
+          <code>failureType</code> works unchanged.
+        </p>
+
+        <a class="cta" href="https://www.npmjs.com/package/thumbgate"
+          >Try it now</a
+        >
+      </article>
+
+      <article class="post">
+        <div class="post-date">April 1, 2026</div>
+        <h2>The Claude Code Leak Proves Why Pre-Action Gates Matter</h2>
+
+        <p>
+          Anthropic accidentally shipped 512,000 lines of Claude Code source
+          inside an npm package. A missing <code>.npmignore</code> exposed the
+          full agent architecture: tool-call loops, permission models, retry
+          logic, 44 unreleased feature flags.
+        </p>
+
+        <p>
+          Within 24 hours, a clean rewrite called Claw-code hit 100K GitHub
+          stars — the fastest-growing repo in GitHub history.
+        </p>
+
+        <h3>What the leak revealed about agent security</h3>
+        <p>
+          Claude Code has a sophisticated permission model and tool-calling
+          pipeline. What it does <strong>not</strong> have is feedback-driven
+          enforcement — the ability to learn from past mistakes and physically
+          block the agent from repeating them.
+        </p>
+
+        <p>
+          That's exactly what ThumbGate does. Every Claude Code user — and every
+          Claw-code user — can add pre-action gates today:
+        </p>
+
+        <ul>
+          <li>
+            <strong>Thumbs-down a mistake</strong> — it auto-generates a
+            prevention rule
+          </li>
+          <li>
+            <strong>Gates enforce</strong> — PreToolUse hooks block the action
+            before execution
+          </li>
+          <li>
+            <strong>Reasoning chains explain</strong> — every block tells you
+            WHY
+          </li>
+          <li>
+            <strong>Thompson Sampling adapts</strong> — confidence tiers prevent
+            false blocks
+          </li>
+        </ul>
+
+        <h3>Install in 30 seconds</h3>
+        <p>
+          <code>npx thumbgate init</code> works with Claude Code,
+          Claw-code, Cursor, Codex, Gemini, Amp, and any MCP-compatible agent.
+        </p>
+
+        <p>
+          The leak proves agents are powerful but fallible software. Memory
+          without enforcement is a suggestion.
+          <strong>ThumbGate is a guarantee.</strong>
+        </p>
+
+        <a class="cta" href="https://www.npmjs.com/package/thumbgate"
+          >Install ThumbGate</a
+        >
+      </article>
+
+      <article class="post">
+        <div class="post-date">March 31, 2026</div>
+        <h2>
+          v0.8.5: Gate Reasoning Chains, Org Dashboard, and the Checkout Funnel
+          That Didn't Exist
+        </h2>
+
+        <p>
+          ThumbGate v0.8.5 is our biggest release yet. Here's what shipped and
+          why.
+        </p>
+
+        <h3>The problem we didn't see</h3>
+        <p>
+          ~1,700 developers install ThumbGate via npm every month.
+          <strong>Zero of them ever saw a checkout button.</strong> They find
+          the GitHub README, run <code>npx thumbgate init</code>, use
+          it for free, and never visit the landing page. The checkout flow
+          nobody reaches is irrelevant. We were optimizing a storefront in a
+          building with no door.
+        </p>
+
+        <h3>Gate reasoning chains</h3>
+        <p>
+          Every gate block and warning now explains <strong>WHY</strong> it
+          fired. When ThumbGate blocks a <code>git push --force</code>, the
+          response includes:
+        </p>
+        <ul>
+          <li>Which pattern matched and what it matched against</li>
+          <li>Gate identity: ID, action, layer, severity</li>
+          <li>Source: manual policy rule vs auto-promoted from feedback</li>
+          <li>
+            How to bypass: <code>satisfy_gate("pr_threads_checked")</code>
+          </li>
+          <li>Historical fire count: "blocked 23x, warned 15x"</li>
+        </ul>
+        <p>
+          This was inspired by the neuro-symbolic explainability trend in
+          production AI systems. Gates are the symbolic rules; Thompson Sampling
+          provides the statistical confidence. The reasoning chain bridges both.
+        </p>
+
+        <h3>Multi-agent org dashboard</h3>
+        <p>
+          "I'm not going to have 10,000 agents running in the environment that I
+          don't know what they're doing." — CIO.com, March 2026
+        </p>
+        <p>
+          The new <code>org_dashboard</code> MCP tool aggregates gate decisions
+          across all registered agent sessions. CIOs and team leads see: total
+          active agents, org-wide adherence rate, top blocked gates, and risk
+          agents (those with the lowest adherence). Free tier shows 3 agents;
+          Pro shows the full org.
+        </p>
+
+        <h3>Multi-hop agentic retrieval</h3>
+        <p>
+          Inspired by Chroma's Context-1,
+          <code>constructMultiHopPack</code> iteratively retrieves context,
+          prunes weak chunks, refines the query with expansion terms, and checks
+          coverage — stopping when the coverage threshold (60%) is met or max
+          hops are reached. Each hop is logged.
+        </p>
+
+        <h3>Thompson Sampling calibration</h3>
+        <p>
+          <code>MIN_SAMPLES_THRESHOLD</code> (5) prevents low-sample
+          overconfidence. <code>getCalibration()</code> reports per-category
+          confidence tiers: none (0 samples), low (1-4), medium (5-19), high
+          (20+). Callers know when to trust the statistical arm vs fall back to
+          rules.
+        </p>
+
+        <h3>The funnel fix</h3>
+        <p>
+          Four touchpoints now put the checkout URL where 100% of npm users
+          actually are:
+        </p>
+        <ul>
+          <li>
+            <strong>Post-install banner</strong> — prints after
+            <code>npm install</code> (stderr, CI-safe)
+          </li>
+          <li>
+            <strong>Free-tier rate limits</strong> — power features capped,
+            upgrade URL in error
+          </li>
+          <li>
+            <strong>MCP enforceLimit</strong> — agents surface the checkout URL
+            when limits hit
+          </li>
+          <li>
+            <strong>CLI upgrade nudge</strong> — after <code>init</code>,
+            <code>capture</code>, <code>stats</code>
+          </li>
+        </ul>
+        <p>
+          13 funnel invariant CI tests prevent this blindspot from ever
+          regressing.
+        </p>
+
+        <a class="cta" href="https://www.npmjs.com/package/thumbgate"
+          >Install v0.8.5 on npm</a
+        >
+      </article>
+    </div>
+
+    <footer>
+      <div class="container">
+        <a href="/">Home</a> ·
+        <a href="https://github.com/IgorGanapolsky/ThumbGate">GitHub</a> ·
+        <a href="https://x.com/IgorGanapolsky">X</a> ·
+        <a href="https://www.linkedin.com/in/igorganapolsky">LinkedIn</a>
+        <br /><br />© 2026 Max Smith KDP LLC · MIT License
+      </div>
+    </footer>
+  </body>
+</html>