thumbgate 1.5.8 → 1.7.0

package/bin/cli.js

@@ -22,7 +22,14 @@ const fs = require('fs');
 const path = require('path');
 const crypto = require('crypto');
 const { execSync, execFileSync } = require('child_process');
-const { resolveMcpEntry } = require(path.join(__dirname, '..', 'scripts', 'mcp-config'));
+const {
+  codexAutoUpdateCliEntry,
+  codexAutoUpdateMcpEntry,
+  isSourceCheckout,
+  publishedCliAvailable,
+  localMcpEntry,
+  resolveMcpEntry,
+} = require(path.join(__dirname, '..', 'scripts', 'mcp-config'));
 const { trackEvent } = require(path.join(__dirname, '..', 'scripts', 'cli-telemetry'));
 const {
   cacheUpdateHookCommand,
@@ -215,11 +222,40 @@ function canonicalMcpEntry(scope = 'project') {
   });
 }
 
+function canonicalCodexMcpEntry() {
+  const version = pkgVersion();
+  if (isSourceCheckout(PKG_ROOT) && !publishedCliAvailable(version)) {
+    return localMcpEntry(PKG_ROOT, 'home');
+  }
+  return codexAutoUpdateMcpEntry();
+}
+
+function canonicalCodexCliEntry(commandArgs) {
+  const version = pkgVersion();
+  if (isSourceCheckout(PKG_ROOT) && !publishedCliAvailable(version)) {
+    return {
+      command: 'node',
+      args: [path.join(PKG_ROOT, 'bin', 'cli.js'), ...commandArgs],
+    };
+  }
+  return codexAutoUpdateCliEntry(commandArgs);
+}
+
 function mcpSectionBlock(name = MCP_SERVER_NAME, scope = 'project') {
   const entry = canonicalMcpEntry(scope);
   return `[mcp_servers.${name}]\ncommand = "${entry.command}"\nargs = ${formatTomlStringArray(entry.args)}\n`;
 }
 
+function codexMcpSectionBlock(name = MCP_SERVER_NAME) {
+  const entry = canonicalCodexMcpEntry();
+  return `[mcp_servers.${name}]\ncommand = "${entry.command}"\nargs = ${formatTomlStringArray(entry.args)}\n`;
+}
+
+function codexPreToolHookSectionBlock() {
+  const entry = canonicalCodexCliEntry(['gate-check']);
+  return `[hooks.pre_tool_use]\ncommand = "${entry.command}"\nargs = ${formatTomlStringArray(entry.args)}\n`;
+}
+
 function mcpSectionRegex(name) {
   return new RegExp(
     `^\\[mcp_servers\\.${escapeRegExp(name)}\\]\\n(?:^(?!\\[).*(?:\\n|$))*`,
@@ -227,8 +263,16 @@ function mcpSectionRegex(name) {
   );
 }
 
+function tomlSectionRegex(name) {
+  return new RegExp(
+    `^\\[${escapeRegExp(name)}\\]\\n(?:^(?!\\[).*(?:\\n|$))*`,
+    'm'
+  );
+}
+
 function upsertCodexServerConfig(content) {
-  const canonicalBlock = mcpSectionBlock(MCP_SERVER_NAME, 'home');
+  const canonicalBlock = codexMcpSectionBlock(MCP_SERVER_NAME);
+  const canonicalHookBlock = codexPreToolHookSectionBlock();
   const sections = MCP_SERVER_NAMES.map((name) => ({
     name,
     regex: mcpSectionRegex(name),
@@ -241,7 +285,7 @@ function upsertCodexServerConfig(content) {
     const prefix = content.trimEnd();
     return {
       changed: true,
-      content: `${prefix}${prefix ? '\n\n' : ''}${canonicalBlock}`,
+      content: `${prefix}${prefix ? '\n\n' : ''}${canonicalBlock}\n${canonicalHookBlock}`,
     };
   }
 
@@ -272,6 +316,19 @@ function upsertCodexServerConfig(content) {
     changed = true;
   }
 
+  const hookRegex = tomlSectionRegex('hooks.pre_tool_use');
+  if (hookRegex.test(nextContent)) {
+    const current = nextContent.match(hookRegex)[0];
+    if (current !== canonicalHookBlock) {
+      nextContent = nextContent.replace(hookRegex, canonicalHookBlock);
+      changed = true;
+    }
+  } else {
+    const prefix = nextContent.trimEnd();
+    nextContent = `${prefix}${prefix ? '\n\n' : ''}${canonicalHookBlock}`;
+    changed = true;
+  }
+
   return {
     changed,
     content: nextContent.endsWith('\n') ? nextContent : `${nextContent}\n`,
@@ -387,11 +444,10 @@ function setupClaude() {
 
 function setupCodex() {
   const configPath = path.join(HOME, '.codex', 'config.toml');
-  const block = mcpSectionBlock(MCP_SERVER_NAME, 'home');
   let configChanged = false;
   if (!fs.existsSync(configPath)) {
     fs.mkdirSync(path.dirname(configPath), { recursive: true });
-    fs.writeFileSync(configPath, block);
+    fs.writeFileSync(configPath, upsertCodexServerConfig('').content);
     console.log('  Codex: created ~/.codex/config.toml');
     configChanged = true;
   } else {
@@ -1535,19 +1591,53 @@ function sessionStart() {
   const { refreshStatuslineCache } = require(path.join(PKG_ROOT, 'scripts', 'hook-thumbgate-cache-updater'));
   refreshStatuslineCache(analyzeFeedback());
 
-  // Surface gate-program.md active rules so the agent starts aware of what is blocked.
+  // Build a top-level <system-reminder> block that Claude Code's SessionStart
+  // hook surfaces to the agent as first-class context — not buried stderr.
+  // Contract: emit JSON `{hookSpecificOutput:{hookEventName:"SessionStart",
+  // additionalContext:"..."}}` to stdout. Supported by Claude Code v0.4+.
+  const reminderLines = [];
+
+  // Active hard-block rules from gate-program.md
   try {
     const { readGateProgram, extractBlockPatterns } = require(path.join(PKG_ROOT, 'scripts', 'meta-agent-loop'));
     const gateProgram = readGateProgram();
     if (gateProgram) {
       const blockPatterns = extractBlockPatterns(gateProgram);
       if (blockPatterns.length > 0) {
-        process.stderr.write('\n[ThumbGate] Active hard-block rules from gate-program.md:\n');
-        blockPatterns.forEach((p, i) => process.stderr.write(`  ${i + 1}. ${p}\n`));
-        process.stderr.write('\n');
+        reminderLines.push('Active ThumbGate hard-block rules:');
+        blockPatterns.forEach((p, i) => reminderLines.push(`  ${i + 1}. ${p}`));
       }
     }
-  } catch (_) { /* gate-program awareness is best-effort */ }
+  } catch (_) { /* non-critical */ }
+
+  // Top high-risk tags — force agent to see them at session start, not opt-in
+  try {
+    const { getRiskSummary } = require(path.join(PKG_ROOT, 'scripts', 'risk-scorer'));
+    const summary = getRiskSummary();
+    if (summary && Array.isArray(summary.highRiskTags) && summary.highRiskTags.length > 0) {
+      if (reminderLines.length > 0) reminderLines.push('');
+      reminderLines.push('Top high-risk tags from prior failures:');
+      summary.highRiskTags.slice(0, 5).forEach((bucket, i) => {
+        const key = bucket && (bucket.key || bucket.tag);
+        const score = bucket && (bucket.risk || bucket.score || bucket.riskScore);
+        if (key) reminderLines.push(`  ${i + 1}. ${key} (risk=${score || '?'})`);
+      });
+    }
+  } catch (_) { /* non-critical */ }
+
+  if (reminderLines.length > 0) {
+    const additionalContext = ['<system-reminder>', ...reminderLines, '</system-reminder>'].join('\n');
+    try {
+      process.stdout.write(JSON.stringify({
+        hookSpecificOutput: {
+          hookEventName: 'SessionStart',
+          additionalContext,
+        },
+      }));
+    } catch (_) { /* stdout write failure is non-critical */ }
+    // Legacy stderr fallback for older Claude Code versions
+    process.stderr.write('\n[ThumbGate] ' + reminderLines.join('\n[ThumbGate] ') + '\n');
+  }
 }
 
 function installMcp() {

package/openapi/openapi.yaml

@@ -779,6 +779,31 @@ paths:
                 additionalProperties: true
         '401':
           description: Unauthorized
+  /v1/dashboard/review-state:
+    get:
+      operationId: getDashboardReviewState
+      responses:
+        '200':
+          description: Persisted dashboard review checkpoint and the current delta since that checkpoint
+          content:
+            application/json:
+              schema:
+                type: object
+                additionalProperties: true
+        '401':
+          description: Unauthorized
+    post:
+      operationId: markDashboardReviewed
+      responses:
+        '200':
+          description: Persist and return the current dashboard review checkpoint
+          content:
+            application/json:
+              schema:
+                type: object
+                additionalProperties: true
+        '401':
+          description: Unauthorized
   /v1/dashboard/render-spec:
     get:
       operationId: getDashboardRenderSpec

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thumbgate",
-  "version": "1.5.8",
+  "version": "1.7.0",
   "description": "Self-improving agent governance: type thumbs-up or thumbs-down on any AI agent action. ThumbGate turns every mistake into a prevention rule and blocks the pattern from repeating. One thumbs-down, never again. 33 pre-action gates, budget enforcement, and self-protection for Claude Code, Cursor, Codex, Gemini CLI, and Amp.",
   "homepage": "https://thumbgate-production.up.railway.app",
   "repository": {
@@ -36,6 +36,7 @@
     "config/",
     "openapi/",
     "public/blog.html",
+    "public/codex-plugin.html",
     "public/compare.html",
     "public/dashboard.html",
     "public/guide.html",
@@ -126,6 +127,8 @@
     "scripts/lesson-synthesis.js",
     "scripts/license.js",
     "scripts/llm-client.js",
+    "scripts/mailer/index.js",
+    "scripts/mailer/resend-mailer.js",
     "scripts/local-model-profile.js",
     "scripts/managed-lesson-agent.js",
     "scripts/mcp-config.js",
@@ -248,7 +251,7 @@
     "trace:eval": "node scripts/decision-trace.js eval",
     "social:reply-monitor": "node scripts/social-reply-monitor.js",
     "social:reply-monitor:dry": "node scripts/social-reply-monitor.js --dry-run",
-    "test": "npm run test:schema && npm run test:loop && npm run test:dpo && npm run test:kto && npm run test:api && npm run test:proof && npm run test:e2e && npm run test:rlaif && npm run test:attribution && npm run test:quality && npm run test:intelligence && npm run test:training-export && npm run test:deployment && npm run test:operational-integrity && npm run test:workflow && npm run test:billing && npm run test:cli && npm run test:watcher && npm run test:autoresearch && npm run test:ops && npm run test:session-analyzer && npm run test:tessl && npm run test:gates && npm run test:evoskill && npm run test:gates-hardening && npm run test:workers && npm run test:social-analytics && npm run test:memalign && npm run test:xmemory-lite && npm run test:filesystem-search && npm run test:zernio && npm run test:post-video && npm run test:post-everywhere-instagram && npm run test:obsidian-export && npm run test:lesson-db && npm run test:lesson-rotation && npm run test:memory-dedup && npm run test:feedback-quality && npm run test:sync-version && npm run test:check-congruence && npm run test:tool-registry && npm run test:feedback-to-rules && npm run test:memory-firewall && npm run test:belief-update && npm run test:hosted-config && npm run test:operational-summary && npm run test:operator-key-auth && npm run test:cloudflare-sandbox && npm run test:mcp-config && npm run test:plan-gate && npm run test:pulse && npm run test:semantic-layer && npm run test:data-pipeline && npm run test:optimize-context && npm run test:principle-extractor && npm run test:analytics-window && npm run test:funnel-analytics && npm run test:experiment-tracker && npm run test:build-metadata && npm run test:context-engine && npm run test:hf-papers && npm run test:marketing-experiment && npm run test:seo-gsd && npm run test:verify-run && npm run test:export-dpo-pairs && npm run test:export-hf-dataset && npm run test:license && npm run test:bot-detector && npm run test:postinstall && npm run test:funnel-invariants && npm run test:cli-telemetry && npm run test:pro-parity && npm run test:model-tier-router && npm run test:computer-use-firewall && npm run test:skill-exporter && npm run test:statusline && npm run test:evolution && npm run test:org-dashboard && npm run test:multi-hop-recall && npm run test:synthetic-dpo && npm run test:thumbgate-skill && npm run test:learn-hub && npm run test:feedback-fallback && npm run test:metaclaw && npm run test:server-lock && npm run test:control-tower && npm run test:pii-scanner && npm run test:data-governance && npm run test:lesson-inference && npm run test:semantic-dedup && npm run test:fs-utils && npm run test:cli-schema && npm run test:explore && npm run test:lesson-reranker && npm run test:lesson-retrieval && npm run test:cross-encoder && npm run test:reflector-agent && npm run test:feedback-session && npm run test:feedback-history-distiller && npm run test:hallucination-detector && npm run test:history-distiller && npm run test:predictive-insights && npm run test:prove-predictive-insights && npm run test:statusbar-cli && npm run test:generate-instagram-card && npm run test:instagram-thumbgate-post && npm run test:publish-instagram-thumbgate && npm run test:lesson-synthesis && npm run test:background-governance && npm run test:memory-migration && npm run test:prompt-dlp && npm run test:ephemeral-store && npm run test:agent-security && npm run test:skill-progressive && npm run test:per-step-scoring && npm run test:weekly-auto-post && npm run test:social-post-hourly && npm run test:social-quality-gate && npm run test:a2ui-engine && npm run test:gate-satisfy && npm run test:money-watcher && npm run test:budget && npm run test:quick-start && npm run test:utm && npm run test:product-feedback && npm run test:feedback-root-consolidator && npm run test:engagement-audit && npm run test:install-growth-automation && npm run test:publish-thumbgate-launch && npm run test:reconcile-thumbgate-campaign && npm run test:reddit-publisher && npm run test:schedule-thumbgate-campaign && npm run test:social-reply-monitor && npm run test:sync-launch-assets && npm run test:ai-search-visibility && npm run test:perplexity && npm run test:security-scanner && npm run test:llm-client && npm run test:managed-lesson-agent && npm run test:self-distill && npm run test:meta-agent && npm run test:harness-selector && npm run test:thumbgate-bench && npm run test:seo-guides && npm run test:enforcement-loop && npm run test:cli-agent-experience && npm run test:bot-detection && npm run test:checkout-bot-guard && npm run test:session-health && npm run test:session-episodes && npm run test:spec-gate && npm run test:decision-trace && npm run test:dashboard-insights && npm run test:prompt-eval && npm run test:demo-voiceover && npm run test:gate-coherence && npm run test:gate-eval && npm run test:high-roi && npm run test:public-static-assets && npm run test:token-savings && npm run test:workflow-gate-checkpoint && npm run test:lesson-export-import && npm run test:landing-page-claims && npm run test:dashboard-deeplink-e2e && npm run test:public-package-parity && npm run test:token-savings-dashboard && npm run test:cursor-wiring",
+    "test": "npm run test:schema && npm run test:loop && npm run test:dpo && npm run test:kto && npm run test:api && npm run test:proof && npm run test:e2e && npm run test:rlaif && npm run test:attribution && npm run test:quality && npm run test:intelligence && npm run test:training-export && npm run test:deployment && npm run test:operational-integrity && npm run test:workflow && npm run test:billing && npm run test:cli && npm run test:watcher && npm run test:autoresearch && npm run test:ops && npm run test:session-analyzer && npm run test:tessl && npm run test:gates && npm run test:evoskill && npm run test:gates-hardening && npm run test:workers && npm run test:social-analytics && npm run test:memalign && npm run test:xmemory-lite && npm run test:filesystem-search && npm run test:zernio && npm run test:platform-limits && npm run test:post-video && npm run test:post-everywhere-instagram && npm run test:obsidian-export && npm run test:lesson-db && npm run test:lesson-rotation && npm run test:memory-dedup && npm run test:feedback-quality && npm run test:sync-version && npm run test:check-congruence && npm run test:tool-registry && npm run test:feedback-to-rules && npm run test:memory-firewall && npm run test:belief-update && npm run test:hosted-config && npm run test:operational-summary && npm run test:operator-key-auth && npm run test:cloudflare-sandbox && npm run test:mcp-config && npm run test:plan-gate && npm run test:pulse && npm run test:semantic-layer && npm run test:data-pipeline && npm run test:optimize-context && npm run test:principle-extractor && npm run test:analytics-window && npm run test:funnel-analytics && npm run test:experiment-tracker && npm run test:build-metadata && npm run test:context-engine && npm run test:hf-papers && npm run test:marketing-experiment && npm run test:seo-gsd && npm run test:verify-run && npm run test:export-dpo-pairs && npm run test:export-hf-dataset && npm run test:license && npm run test:bot-detector && npm run test:postinstall && npm run test:funnel-invariants && npm run test:cli-telemetry && npm run test:pro-parity && npm run test:model-tier-router && npm run test:computer-use-firewall && npm run test:skill-exporter && npm run test:statusline && npm run test:evolution && npm run test:org-dashboard && npm run test:multi-hop-recall && npm run test:synthetic-dpo && npm run test:thumbgate-skill && npm run test:learn-hub && npm run test:feedback-fallback && npm run test:metaclaw && npm run test:server-lock && npm run test:control-tower && npm run test:pii-scanner && npm run test:data-governance && npm run test:lesson-inference && npm run test:semantic-dedup && npm run test:fs-utils && npm run test:cli-schema && npm run test:explore && npm run test:lesson-reranker && npm run test:lesson-retrieval && npm run test:cross-encoder && npm run test:reflector-agent && npm run test:feedback-session && npm run test:feedback-history-distiller && npm run test:hallucination-detector && npm run test:history-distiller && npm run test:predictive-insights && npm run test:prove-predictive-insights && npm run test:statusbar-cli && npm run test:generate-instagram-card && npm run test:instagram-thumbgate-post && npm run test:publish-instagram-thumbgate && npm run test:lesson-synthesis && npm run test:background-governance && npm run test:memory-migration && npm run test:prompt-dlp && npm run test:ephemeral-store && npm run test:agent-security && npm run test:skill-progressive && npm run test:per-step-scoring && npm run test:weekly-auto-post && npm run test:social-post-hourly && npm run test:social-quality-gate && npm run test:a2ui-engine && npm run test:gate-satisfy && npm run test:money-watcher && npm run test:budget && npm run test:quick-start && npm run test:utm && npm run test:product-feedback && npm run test:feedback-root-consolidator && npm run test:engagement-audit && npm run test:install-growth-automation && npm run test:publish-thumbgate-launch && npm run test:reconcile-thumbgate-campaign && npm run test:reddit-publisher && npm run test:schedule-thumbgate-campaign && npm run test:social-reply-monitor && npm run test:sync-launch-assets && npm run test:ai-search-visibility && npm run test:perplexity && npm run test:security-scanner && npm run test:llm-client && npm run test:managed-lesson-agent && npm run test:self-distill && npm run test:meta-agent && npm run test:harness-selector && npm run test:thumbgate-bench && npm run test:seo-guides && npm run test:enforcement-loop && npm run test:cli-agent-experience && npm run test:bot-detection && npm run test:checkout-bot-guard && npm run test:session-health && npm run test:session-episodes && npm run test:spec-gate && npm run test:decision-trace && npm run test:dashboard-insights && npm run test:prompt-eval && npm run test:demo-voiceover && npm run test:gate-coherence && npm run test:gate-eval && npm run test:high-roi && npm run test:public-static-assets && npm run test:token-savings && npm run test:workflow-gate-checkpoint && npm run test:lesson-export-import && npm run test:landing-page-claims && npm run test:dashboard-deeplink-e2e && npm run test:public-package-parity && npm run test:token-savings-dashboard && npm run test:cursor-wiring && npm run test:pretooluse-injection && npm run test:recent-corrective-context && npm run test:durability-step && npm run test:mailer && npm run test:brand-assets && npm run test:enforcement-teeth",
     "test:session-health": "node --test tests/session-health-sensor.test.js",
     "test:session-episodes": "node --test tests/session-episode-store.test.js",
     "test:spec-gate": "node --test tests/spec-gate.test.js",
@@ -380,6 +383,8 @@
     "social:poll:zernio": "node scripts/social-analytics/pollers/zernio.js",
     "social:publish:zernio": "node scripts/social-analytics/publishers/zernio.js",
     "test:zernio": "node --test tests/zernio-integration.test.js",
+    "test:platform-limits": "node --test tests/platform-limits.test.js",
+    "test:durability-step": "node --test tests/durability-step.test.js",
     "test:post-video": "node --test tests/post-video.test.js",
     "test:post-everywhere-instagram": "node --test tests/post-everywhere-instagram.test.js",
     "test:license": "node --test tests/license.test.js",
@@ -489,7 +494,12 @@
     "prepare": "bash bin/install-hooks.sh >/dev/null 2>&1 || true",
     "install:hooks": "bash bin/install-hooks.sh",
     "test:token-savings-dashboard": "node --test tests/token-savings-dashboard.test.js",
-    "test:cursor-wiring": "node --test tests/cursor-wiring.test.js"
+    "test:cursor-wiring": "node --test tests/cursor-wiring.test.js",
+    "test:pretooluse-injection": "node --test tests/pretooluse-lesson-injection.test.js",
+    "test:recent-corrective-context": "node --test tests/recent-corrective-actions-context.test.js",
+    "test:mailer": "node --test tests/mailer.test.js tests/billing-webhook-email.test.js",
+    "test:brand-assets": "node --test tests/brand-assets.test.js",
+    "test:enforcement-teeth": "node --test tests/enforcement-teeth.test.js"
   },
   "keywords": [
     "mcp",

package/public/codex-plugin.html

@@ -0,0 +1,277 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>ThumbGate for Codex - Auto-Updating MCP Plugin</title>
+<script defer data-domain="thumbgate-production.up.railway.app" src="https://plausible.io/js/script.js"></script>
+<meta name="description" content="Install ThumbGate for Codex with an auto-updating MCP plugin, Pre-Action Gates, thumbs-up/down feedback memory, and a local-first Reliability Gateway.">
+<meta name="keywords" content="ThumbGate Codex plugin, Codex MCP server, Codex pre-action gates, Codex guardrails, thumbgate latest, AI coding agent reliability">
+<meta property="og:title" content="ThumbGate for Codex">
+<meta property="og:description" content="Auto-updating MCP and hook launcher for Codex. One install, then ThumbGate resolves the latest npm runtime when Codex starts.">
+<meta property="og:type" content="website">
+<meta property="og:url" content="https://thumbgate-production.up.railway.app/codex-plugin">
+<link rel="canonical" href="https://thumbgate-production.up.railway.app/codex-plugin">
+<link rel="llm-context" href="/public/llm-context.md" type="text/markdown">
+
+<script type="application/ld+json">
+{
+  "@context": "https://schema.org",
+  "@type": "SoftwareApplication",
+  "name": "ThumbGate for Codex",
+  "applicationCategory": "DeveloperApplication",
+  "operatingSystem": "macOS, Linux, Windows with Node.js",
+  "description": "ThumbGate for Codex installs an MCP server and hook launcher that resolves thumbgate@latest at startup, captures thumbs-up/down feedback, and enforces Pre-Action Gates before risky agent actions run.",
+  "url": "https://thumbgate-production.up.railway.app/codex-plugin",
+  "downloadUrl": "https://github.com/IgorGanapolsky/ThumbGate/releases/latest/download/thumbgate-codex-plugin.zip",
+  "installUrl": "https://thumbgate-production.up.railway.app/codex-plugin",
+  "license": "https://opensource.org/licenses/MIT",
+  "creator": {
+    "@type": "Person",
+    "name": "Igor Ganapolsky",
+    "url": "https://github.com/IgorGanapolsky"
+  },
+  "offers": {
+    "@type": "Offer",
+    "price": "0",
+    "priceCurrency": "USD",
+    "description": "Free local Codex MCP setup with optional Pro dashboard upgrade."
+  }
+}
+</script>
+
+<script type="application/ld+json">
+{
+  "@context": "https://schema.org",
+  "@type": "FAQPage",
+  "mainEntity": [
+    {
+      "@type": "Question",
+      "name": "Does the ThumbGate Codex MCP server update automatically?",
+      "acceptedAnswer": {
+        "@type": "Answer",
+        "text": "The Codex MCP and hook launcher resolves thumbgate@latest when Codex starts. After a new npm release is published, restarting Codex lets the launcher install the latest runtime into the local ThumbGate runtime cache before it serves MCP or checks gates."
+      }
+    },
+    {
+      "@type": "Question",
+      "name": "Do Codex thumbs-up and thumbs-down signals work by default?",
+      "acceptedAnswer": {
+        "@type": "Answer",
+        "text": "ThumbGate works when the MCP server and hooks are enabled in Codex settings. The Codex settings page should show the thumbgate MCP server toggled on. Typed thumbs-up/down feedback with concrete context can then be captured and promoted into prevention rules."
+      }
+    },
+    {
+      "@type": "Question",
+      "name": "What is the fastest Codex install path?",
+      "acceptedAnswer": {
+        "@type": "Answer",
+        "text": "Run npx thumbgate init --agent codex for the automatic local setup, or use the standalone Codex plugin bundle if you want a portable plugin surface."
+      }
+    }
+  ]
+}
+</script>
+
+<style>
+  *, *::before, *::after { box-sizing: border-box; }
+  :root {
+    --bg: #090a0d;
+    --panel: #12141a;
+    --panel-2: #171a21;
+    --line: #2b313c;
+    --text: #f1f5f9;
+    --muted: #9aa4b2;
+    --cyan: #22d3ee;
+    --green: #4ade80;
+    --red: #fb7185;
+    --yellow: #facc15;
+  }
+  body {
+    margin: 0;
+    background: var(--bg);
+    color: var(--text);
+    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+    line-height: 1.65;
+  }
+  a { color: var(--cyan); }
+  nav {
+    display: flex;
+    align-items: center;
+    justify-content: space-between;
+    gap: 16px;
+    padding: 18px 28px;
+    border-bottom: 1px solid var(--line);
+    background: rgba(9, 10, 13, 0.88);
+    position: sticky;
+    top: 0;
+    z-index: 10;
+    backdrop-filter: blur(12px);
+  }
+  nav a { color: var(--muted); text-decoration: none; font-size: 14px; }
+  nav .brand { color: var(--text); font-weight: 800; }
+  .nav-links { display: flex; gap: 14px; flex-wrap: wrap; justify-content: flex-end; }
+  .wrap { width: min(1120px, calc(100% - 32px)); margin: 0 auto; }
+  .hero { padding: 72px 0 42px; }
+  .eyebrow { color: var(--green); font: 700 13px ui-monospace, SFMono-Regular, Menlo, monospace; text-transform: uppercase; letter-spacing: 0.08em; margin-bottom: 14px; }
+  h1 { font-size: clamp(38px, 7vw, 76px); line-height: 1.02; margin: 0 0 22px; letter-spacing: 0; max-width: 980px; }
+  .sub { color: var(--muted); font-size: 20px; max-width: 820px; margin: 0 0 28px; }
+  .actions { display: flex; gap: 12px; flex-wrap: wrap; align-items: center; }
+  .button {
+    display: inline-flex;
+    align-items: center;
+    justify-content: center;
+    border-radius: 8px;
+    padding: 13px 18px;
+    min-height: 48px;
+    text-decoration: none;
+    font-weight: 800;
+    border: 1px solid var(--line);
+  }
+  .button.primary { background: var(--cyan); color: #061014; border-color: var(--cyan); }
+  .button.secondary { background: var(--panel); color: var(--text); }
+  .terminal {
+    background: #050608;
+    border: 1px solid var(--line);
+    border-radius: 8px;
+    padding: 18px;
+    color: var(--green);
+    font: 14px ui-monospace, SFMono-Regular, Menlo, monospace;
+    overflow-x: auto;
+    margin: 28px 0 0;
+  }
+  .grid { display: grid; grid-template-columns: repeat(3, 1fr); gap: 18px; margin: 38px 0; }
+  .tile, .proof, .step, .faq {
+    background: var(--panel);
+    border: 1px solid var(--line);
+    border-radius: 8px;
+    padding: 22px;
+  }
+  .tile h3, .step h3, .faq h3 { margin: 0 0 10px; font-size: 19px; }
+  .tile p, .step p, .faq p { color: var(--muted); margin: 0; }
+  .split { display: grid; grid-template-columns: 1.1fr 0.9fr; gap: 28px; align-items: center; margin: 54px 0; }
+  .proof img { width: 100%; height: auto; display: block; border-radius: 8px; border: 1px solid var(--line); background: #050608; }
+  .caption { color: var(--muted); font-size: 14px; margin-top: 10px; }
+  h2 { font-size: 32px; line-height: 1.15; margin: 0 0 16px; letter-spacing: 0; }
+  .steps { display: grid; grid-template-columns: repeat(3, 1fr); gap: 18px; margin: 24px 0 44px; }
+  code {
+    background: rgba(34, 211, 238, 0.1);
+    border: 1px solid rgba(34, 211, 238, 0.2);
+    border-radius: 6px;
+    padding: 2px 6px;
+    color: var(--text);
+  }
+  .status { color: var(--yellow); }
+  .faq-list { display: grid; gap: 14px; margin: 24px 0 54px; }
+  footer { border-top: 1px solid var(--line); padding: 28px 0 42px; color: var(--muted); }
+  @media (max-width: 820px) {
+    nav { align-items: flex-start; flex-direction: column; }
+    .grid, .split, .steps { grid-template-columns: 1fr; }
+    .hero { padding-top: 44px; }
+    h1 { font-size: 38px; }
+    .sub { font-size: 18px; }
+  }
+</style>
+</head>
+<body>
+<nav>
+  <a class="brand" href="/">ThumbGate</a>
+  <div class="nav-links">
+    <a href="/guide">Setup Guide</a>
+    <a href="/dashboard">Dashboard</a>
+    <a href="https://github.com/IgorGanapolsky/ThumbGate" target="_blank" rel="noopener">GitHub</a>
+    <a href="https://www.npmjs.com/package/thumbgate" target="_blank" rel="noopener">npm</a>
+  </div>
+</nav>
+
+<main>
+  <section class="hero">
+    <div class="wrap">
+      <div class="eyebrow">Codex MCP plugin + Pre-Action Gates</div>
+      <h1>Give Codex a thumbs-down once. Block the repeat before it runs again.</h1>
+      <p class="sub">ThumbGate wires Codex into local-first feedback memory, MCP tools, and hook enforcement. The launcher resolves <code>thumbgate@latest</code> when Codex starts, so published npm fixes reach your active MCP server after a restart.</p>
+      <div class="actions">
+        <a class="button primary" href="https://github.com/IgorGanapolsky/ThumbGate/releases/latest/download/thumbgate-codex-plugin.zip" target="_blank" rel="noopener" onclick="if(typeof plausible==='function')plausible('codex_plugin_download')">Download Codex plugin</a>
+        <a class="button secondary" href="https://github.com/IgorGanapolsky/ThumbGate/blob/main/plugins/codex-profile/INSTALL.md" target="_blank" rel="noopener">Read install docs</a>
+        <a class="button secondary" href="/guide">Use CLI setup</a>
+      </div>
+      <pre class="terminal">$ npx thumbgate init --agent codex
+# Writes ~/.codex/config.toml and ~/.codex/config.json
+# MCP + hooks install thumbgate@latest before serving or checking gates</pre>
+    </div>
+  </section>
+
+  <section class="wrap grid" aria-label="Codex install promises">
+    <div class="tile">
+      <h3>Always-on when enabled</h3>
+      <p>If Codex settings show the <code>thumbgate</code> MCP server toggled on, Codex can call the local ThumbGate tools. Typed feedback still needs useful context before it becomes a durable rule.</p>
+    </div>
+    <div class="tile">
+      <h3>Latest runtime on restart</h3>
+      <p>The Codex launcher installs <code>thumbgate@latest</code> into <code>~/.thumbgate/runtime</code> before running MCP or gate checks. A new npm publish reaches Codex after the app restarts.</p>
+    </div>
+    <div class="tile">
+      <h3>Hard stop before action</h3>
+      <p>Pre-Action Gates evaluate commands, file edits, publishes, merges, and other high-risk actions before execution. Bad repeats get blocked before they burn time or tokens.</p>
+    </div>
+  </section>
+
+  <section class="wrap split">
+    <div>
+      <div class="eyebrow">What Codex gets</div>
+      <h2>MCP memory, hook checks, and a dashboard lane in the same install path.</h2>
+      <p>Use the standalone plugin when you want a portable Codex bundle. Use <code>npx thumbgate init --agent codex</code> when you want the shortest path on this machine. Both paths point at the same Reliability Gateway and the same npm runtime.</p>
+      <p class="status">The Codex launcher checks npm on startup. Restart Codex after a ThumbGate publish to let the MCP server and hook bundle pick up the latest runtime.</p>
+    </div>
+    <figure class="proof">
+      <img src="/assets/codex-thumbgate-statusbar-test.svg" alt="Codex terminal footer test lane with ThumbGate status and enforcement proof.">
+      <figcaption class="caption">Codex test lane after ThumbGate writes MCP, PreToolUse, UserPromptSubmit, PostToolUse, SessionStart, and the status line target.</figcaption>
+    </figure>
+  </section>
+
+  <section class="wrap">
+    <div class="eyebrow">Install flow</div>
+    <h2>Three paths. Same local gateway.</h2>
+    <div class="steps">
+      <div class="step">
+        <h3>1. Automatic setup</h3>
+        <p>Run <code>npx thumbgate init --agent codex</code>. ThumbGate writes the MCP server block and hook bundle into your Codex config files.</p>
+      </div>
+      <div class="step">
+        <h3>2. Standalone plugin</h3>
+        <p>Use the release bundle when Codex loads plugin surfaces directly. The bundle includes the manifest, MCP config, marketplace entry, and install docs.</p>
+      </div>
+      <div class="step">
+        <h3>3. Verify in Codex</h3>
+        <p>Open Codex settings, confirm <code>thumbgate</code> is toggled on, then restart Codex after npm releases to pick up the latest runtime.</p>
+      </div>
+    </div>
+  </section>
+
+  <section class="wrap">
+    <div class="eyebrow">Operator questions</div>
+    <h2>What happens when I click thumbs up or thumbs down?</h2>
+    <div class="faq-list">
+      <div class="faq">
+        <h3>Is the MCP server always on?</h3>
+        <p>It is on when the Codex MCP settings toggle is enabled and the configured command can start successfully. In the Codex app, the blue toggle next to <code>thumbgate</code> is the visible check.</p>
+      </div>
+      <div class="faq">
+        <h3>Does bare feedback become a rule?</h3>
+        <p>No. Bare "thumbs down" is intentionally too vague for memory promotion. Add one concrete sentence about what went wrong, the file, command, or behavior to block next time.</p>
+      </div>
+      <div class="faq">
+        <h3>Where is the direct asset?</h3>
+        <p>The standalone zip remains available at <a href="https://github.com/IgorGanapolsky/ThumbGate/releases/latest/download/thumbgate-codex-plugin.zip" target="_blank" rel="noopener">GitHub Releases</a>. This page is the human install surface so users do not land on an unexplained file download.</p>
+      </div>
+    </div>
+  </section>
+</main>
+
+<footer>
+  <div class="wrap">
+    ThumbGate MIT License. Pre-Action Gates, DPO-ready feedback, and local-first Codex enforcement.
+  </div>
+</footer>
+</body>
+</html>