Turns thumbs-down feedback into executable prevention rules that block AI agents from repeating mistakes before the tool call executes. The PreToolUse hook intercepts risky actions like force-pushes, destructive file operations, or API calls that match patterns learned from prior sessions. One thumbs-down creates a rule, next session the agent gets blocked with zero tokens spent. Ships with a context brain generator that consolidates lessons, guardrails, and gates into a single agent-readable markdown file your repo can version in git. Free tier gives you unlimited feedback capture and five active rules. Works with Claude Code, Cursor, Gemini CLI, Cline, and any MCP-compatible agent. Designed for workflows where one repeated mistake is a liability event or a token bill you don't want to pay twice.
Public tool metadata for what this MCP can expose to an agent.
capture_feedbackCapture an up/down signal plus one line of why. Vague feedback is logged, then returned with a clarification prompt instead of memory promotion.13 paramsCapture an up/down signal plus one line of why. Vague feedback is logged, then returned with a clarification prompt instead of memory promotion.
tagsarrayskillstringsignalstringup · downcontextstringguardrailsobjectwhatWorkedstringchatHistoryarrayfailureTypestringdecision · executionrubricScoresarraywhatToChangestringwhatWentWrongstringrelatedFeedbackIdstringconversationWindowarrayfeedback_summaryGet summary of recent feedback1 paramsGet summary of recent feedback
recentnumbersearch_lessonsSearch promoted lessons and show the corrective actions, lifecycle state, prevention rules, gates, and next harness fixes linked to each result.4 paramsSearch promoted lessons and show the corrective actions, lifecycle state, prevention rules, gates, and next harness fixes linked to each result.
tagsarraylimitnumberquerystringcategorystringerror · learning · preferenceretrieve_lessonsRetrieve the most relevant lessons for a given tool/action context. Use in PreToolUse hooks for per-action guidance.3 paramsRetrieve the most relevant lessons for a given tool/action context. Use in PreToolUse hooks for per-action guidance.
toolNamestringmaxResultsnumberactionContextstringsearch_thumbgateSearch raw ThumbGate state across feedback logs, ContextFS memory, prevention rules, and imported policy documents.4 paramsSearch raw ThumbGate state across feedback logs, ContextFS memory, prevention rules, and imported policy documents.
limitnumberquerystringsignalstringup · down · positive · negativesourcestringall · feedback · context · rules · documentsimport_documentImport a local policy or runbook document into ThumbGate, normalize it for search, and propose provenance-backed gate candidates.7 paramsImport a local policy or runbook document into ThumbGate, normalize it for search, and propose provenance-backed gate candidates.
tagsarraytitlestringcontentstringfilePathstringsourceUrlstringproposeGatesbooleansourceFormatstringmarkdown · text · yaml · json · htmllist_imported_documentsList imported policy and runbook documents stored in local ThumbGate state.3 paramsList imported policy and runbook documents stored in local ThumbGate state.
tagstringlimitnumberquerystringget_imported_documentRead a previously imported document with its proposed gate candidates and provenance.1 paramsRead a previously imported document with its proposed gate candidates and provenance.
documentIdstringfeedback_statsGet feedback stats and recommendationsGet feedback stats and recommendations
No parameter schema in public metadata yet.
diagnose_failureDiagnose a failed or suspect workflow step using MCP schema, workflow, gate, and approval constraints.13 paramsDiagnose a failed or suspect workflow step using MCP schema, workflow, gate, and approval constraints.
stepstringerrorstringoutputstringcontextstringapprovedbooleanexitCodenumberintentIdstringtoolArgsobjecttoolNamestringguardrailsobjectmcpProfilestringrubricScoresarrayverificationobjectinfer_lesson_from_historyPerform autonomous inference on chat history to identify why a failure occurred and what rule should be recorded.2 paramsPerform autonomous inference on chat history to identify why a failure occurred and what rule should be recorded.
lastActionobjectchatHistoryarraylist_intentsList available intent plans and whether each requires human approval in the active profile3 paramsList available intent plans and whether each requires human approval in the active profile
bundleIdstringmcpProfilestringpartnerProfilestringplan_intentGenerate an intent execution plan with policy checkpoints8 paramsGenerate an intent execution plan with policy checkpoints
contextstringapprovedbooleanbundleIdstringintentIdstringrepoPathstringmcpProfilestringdelegationModestringoff · auto · sequentialpartnerProfilestringstart_handoffStart a sequential delegation handoff from a delegation-eligible intent plan9 paramsStart a sequential delegation handoff from a delegation-eligible intent plan
contextstringapprovedbooleanbundleIdstringintentIdstringrepoPathstringmcpProfilestringplannedChecksarraypartnerProfilestringdelegateProfilestringcomplete_handoffComplete a sequential delegation handoff and record verification outcomes8 paramsComplete a sequential delegation handoff and record verification outcomes
outcomestringaccepted · rejected · abortedsummarystringattemptsnumberhandoffIdstringlatencyMsnumberresultContextstringtokenEstimatenumberviolationCountnumberdescribe_reliability_entityGet the definition and state of a business entity (Customer, Revenue, Funnel). Aliased to describe_semantic_entity.1 paramsGet the definition and state of a business entity (Customer, Revenue, Funnel). Aliased to describe_semantic_entity.
typestringCustomer · Revenue · Funnelget_reliability_rulesRetrieve active prevention rules and success patterns. Aliased to prevention_rules.Retrieve active prevention rules and success patterns. Aliased to prevention_rules.
No parameter schema in public metadata yet.
enforcement_matrixShow the full Enforcement Matrix: feedback pipeline stats, active pre-action gates, and rejection ledger with revival conditions.Show the full Enforcement Matrix: feedback pipeline stats, active pre-action gates, and rejection ledger with revival conditions.
No parameter schema in public metadata yet.
security_scanScan code for OWASP vulnerabilities (injection, XSS, path traversal, SSRF, prototype pollution) and supply chain risks (typosquatting, install script abuse, wildcard versions). Returns findings with severity, category, and line numbers.3 paramsScan code for OWASP vulnerabilities (injection, XSS, path traversal, SSRF, prototype pollution) and supply chain risks (typosquatting, install script abuse, wildcard versions). Returns findings with severity, category, and line numbers.
contentstringdiffModebooleanfilePathstringcapture_memory_feedbackCapture success/failure feedback to harden future workflows. Aliased to capture_feedback.3 paramsCapture success/failure feedback to harden future workflows. Aliased to capture_feedback.
tagsarraysignalstringup · downcontextstringbootstrap_internal_agentNormalize a GitHub/Slack/Linear trigger into startup context, construct a recall pack, prepare a git worktree sandbox, and emit an execution plus reviewer-lane plan.15 paramsNormalize a GitHub/Slack/Linear trigger into startup context, construct a recall pack, prepare a git worktree sandbox, and emit an execution plus reviewer-lane plan.
taskobjectsourcestringgithub · slack · linear · api · clithreadobjectcontextstringtriggerobjectapprovedbooleancommentsarrayintentIdstringmessagesarrayrepoPathstringmcpProfilestringsandboxRootstringdelegationModestringoff · auto · sequentialpartnerProfilestringprepareSandboxbooleanprevention_rulesGenerate prevention rules from repeated mistake patterns2 paramsGenerate prevention rules from repeated mistake patterns
outputPathstringminOccurrencesnumberexport_dpo_pairsExport DPO preference pairs from local memory log1 paramsExport DPO preference pairs from local memory log
memoryLogPathstringexport_hf_datasetExport ThumbGate agent traces and DPO preference pairs as a HuggingFace-compatible dataset. Produces traces.jsonl, preferences.jsonl, and dataset_info.json with PII-redacted paths. Ready for huggingface-cli upload.2 paramsExport ThumbGate agent traces and DPO preference pairs as a HuggingFace-compatible dataset. Produces traces.jsonl, preferences.jsonl, and dataset_info.json with PII-redacted paths. Ready for huggingface-cli upload.
outputDirstringincludeProvenancebooleanexport_databricks_bundleExport ThumbGate logs and proof artifacts as a Databricks-ready analytics bundle1 paramsExport ThumbGate logs and proof artifacts as a Databricks-ready analytics bundle
outputPathstringconstruct_context_packConstruct a bounded context pack from contextfs4 paramsConstruct a bounded context pack from contextfs
querystringmaxCharsnumbermaxItemsnumbernamespacesarrayevaluate_context_packRecord evaluation outcome for a context pack6 paramsRecord evaluation outcome for a context pack
notesstringpackIdstringsignalstringoutcomestringguardrailsobjectrubricScoresarraycontext_provenanceGet recent context/provenance events1 paramsGet recent context/provenance events
limitnumbergenerate_skillAuto-generate Claude skills from repeated feedback patterns. Clusters failure patterns by tags and produces SKILL.md files with DO/INSTEAD rules.2 paramsAuto-generate Claude skills from repeated feedback patterns. Clusters failure patterns by tags and produces SKILL.md files with DO/INSTEAD rules.
tagsarrayminOccurrencesnumberrecallRecall relevant past feedback, memories, and prevention rules for the current task. Call this at the start of any task to inject past learnings into the conversation.3 paramsRecall relevant past feedback, memories, and prevention rules for the current task. Call this at the start of any task to inject past learnings into the conversation.
limitnumberquerystringrepoPathstringunified_contextAssemble a complete, role-aware context object in one call. Combines session state, user profile, relevant lessons, prevention guards, context pack, and code-graph impact — with tiered graceful degradation (full → warm → cold). Replaces multiple recall/retrieve/session_primer...5 paramsAssemble a complete, role-aware context object in one call. Combines session state, user profile, relevant lessons, prevention guards, context pack, and code-graph impact — with tiered graceful degradation (full → warm → cold). Replaces multiple recall/retrieve/session_primer...
querystringrepoPathstringtoolNamestringagentTypestringclaude · cursor · forgecode · codextoolInputobjectsatisfy_gateSatisfy a gate condition with optional structured reasoning. Evidence is stored with a 5-minute TTL. When structuredReasoning is provided, the premise/evidence/conclusion chain is stored in the audit trail.3 paramsSatisfy a gate condition with optional structured reasoning. Evidence is stored with a 5-minute TTL. When structuredReasoning is provided, the premise/evidence/conclusion chain is stored in the audit trail.
gatestringevidencestringstructuredReasoningobjectset_task_scopeDeclare or clear the current task scope so ThumbGate can compare affected files and diffs against the approved path set.7 paramsDeclare or clear the current task scope so ThumbGate can compare affected files and diffs against the approved path set.
clearbooleantaskIdstringsummarystringrepoPathstringlocalOnlybooleanallowedPathsarrayprotectedPathsarrayget_scope_stateReturn the active task scope and any unexpired protected-file approvals.Return the active task scope and any unexpired protected-file approvals.
No parameter schema in public metadata yet.
set_branch_governanceDeclare or clear branch and release governance so PR, merge, release, and publish actions can be evaluated against explicit workflow state.11 paramsDeclare or clear branch and release governance so PR, merge, release, and publish actions can be evaluated against explicit workflow state.
clearbooleanprUrlstringprNumberstringlocalOnlybooleanbaseBranchstringbranchNamestringprRequiredbooleanqueueRequiredbooleanreleaseVersionstringreleaseEvidencestringreleaseSensitiveGlobsarrayget_branch_governanceReturn the active branch and release governance state.Return the active branch and release governance state.
No parameter schema in public metadata yet.
approve_protected_actionGrant a time-limited approval for edits or publish actions that touch protected files.5 paramsGrant a time-limited approval for edits or publish actions that touch protected files.
ttlMsnumberreasonstringtaskIdstringevidencestringpathGlobsarraytrack_actionRecord a verification action in the current session (for example figma_verified or tests_passed). Session actions expire after one hour.2 paramsRecord a verification action in the current session (for example figma_verified or tests_passed). Session actions expire after one hour.
actionIdstringmetadataobjectverify_claimCheck whether a claim has enough tracked evidence before the agent asserts it.1 paramsCheck whether a claim has enough tracked evidence before the agent asserts it.
claimstringcheck_operational_integrityEvaluate whether the current repo state is safe for PR, merge, release, and publish operations.5 paramsEvaluate whether the current repo state is safe for PR, merge, release, and publish operations.
commandstringrepoPathstringbaseBranchstringrequireVersionNotBehindBasebooleanrequirePrForReleaseSensitivebooleanworkflow_sentinelPredict pre-action workflow risk, blast radius, and remediations before a tool call executes.8 paramsPredict pre-action workflow risk, blast radius, and remediations before a tool call executes.
commandstringfilePathstringrepoPathstringtoolNamestringbaseBranchstringchangedFilesarrayrequireVersionNotBehindBasebooleanrequirePrForReleaseSensitivebooleanregister_claim_gateRegister a custom claim verification rule in local runtime state without editing tracked repo config.3 paramsRegister a custom claim verification rule in local runtime state without editing tracked repo config.
messagestringclaimPatternstringrequiredActionsarraygate_statsGet gate enforcement statistics -- blocked count, warned count, top gatesGet gate enforcement statistics -- blocked count, warned count, top gates
No parameter schema in public metadata yet.
dashboardGet full ThumbGate dashboard -- Harness Score, gate stats, prevention impact, proof, and system healthGet full ThumbGate dashboard -- Harness Score, gate stats, prevention impact, proof, and system health
No parameter schema in public metadata yet.
org_dashboardOrg-wide multi-agent dashboard — shows all active agents, gate decisions, adherence rates, risk agents, and top blocked gates across the organization. Team rollout: full visibility. Free preview: limited to 3 agents.1 paramsOrg-wide multi-agent dashboard — shows all active agents, gate decisions, adherence rates, risk agents, and top blocked gates across the organization. Team rollout: full visibility. Free preview: limited to 3 agents.
windowHoursnumbersettings_statusResolve managed, user, project, and local ThumbGate settings with per-field origin metadata for policy visibility.Resolve managed, user, project, and local ThumbGate settings with per-field origin metadata for policy visibility.
No parameter schema in public metadata yet.
commerce_recallRecall past feedback filtered by commerce categories (product_recommendation, brand_compliance, sizing, pricing, regulatory). Returns quality scores alongside memories for agentic commerce agents.3 paramsRecall past feedback filtered by commerce categories (product_recommendation, brand_compliance, sizing, pricing, regulatory). Returns quality scores alongside memories for agentic commerce agents.
limitnumberquerystringcategoriesarrayget_business_metricsRetrieve high-level business metrics (Revenue, Conversion, Customers) from the Semantic Layer.1 paramsRetrieve high-level business metrics (Revenue, Conversion, Customers) from the Semantic Layer.
windowstringdescribe_semantic_entityGet the canonical definition and state of a business entity (Customer, Revenue, Funnel).1 paramsGet the canonical definition and state of a business entity (Customer, Revenue, Funnel).
typestringCustomer · Revenue · Funnelestimate_uncertaintyEstimate Bayesian uncertainty for a set of tags based on past feedback.1 paramsEstimate Bayesian uncertainty for a set of tags based on past feedback.
tagsarraysession_handoffWrite a session handoff primer that auto-captures git state (branch, last 5 commits, modified files), last completed task, next step, and blockers. The next session reads this automatically for seamless context continuity.6 paramsWrite a session handoff primer that auto-captures git state (branch, last 5 commits, modified files), last completed task, next step, and blockers. The next session reads this automatically for seamless context continuity.
projectstringblockersarraylastTaskstringnextStepstringopenFilesarraycustomContextstringsession_primerRead the most recent session handoff primer to restore context from the previous session. Call at session start.Read the most recent session handoff primer to restore context from the previous session. Call at session start.
No parameter schema in public metadata yet.
list_harnessesList natural-language harness specs for portable workflow control, proof-backed verification, and GTM execution.1 paramsList natural-language harness specs for portable workflow control, proof-backed verification, and GTM execution.
tagstringrun_harnessExecute a natural-language harness through the async job runner with checkpoints, verification, and proof-backed outcomes.3 paramsExecute a natural-language harness through the async job runner with checkpoints, verification, and proof-backed outcomes.
jobIdstringinputsobjectharnessstringscheduleCreate, list, or delete scheduled tasks. Supports natural language scheduling like "daily 9:00", "weekly monday 8:30", "hourly". Installs as macOS LaunchAgent or Linux crontab.6 paramsCreate, list, or delete scheduled tasks. Supports natural language scheduling like "daily 9:00", "weekly monday 8:30", "hourly". Installs as macOS LaunchAgent or Linux crontab.
namestringactionstringcreate · list · deletecommandstringschedulestringdescriptionstringworkingDirectorystringuser_profileManage persistent user profile — preferences, style, domain knowledge that persists across sessions. Actions: add, remove, replace, view.3 paramsManage persistent user profile — preferences, style, domain knowledge that persists across sessions. Actions: add, remove, replace, view.
actionstringadd · remove · replace · viewcontentstringold_textstringsession_searchSearch past session notes and conversations using full-text search. Returns relevant sessions from the SQLite FTS5 index for cross-session recall.2 paramsSearch past session notes and conversations using full-text search. Returns relevant sessions from the SQLite FTS5 index for cross-session recall.
limitnumberquerystringopen_feedback_sessionOpen a feedback session after thumbs up/down. Follow-up messages will be captured for 60s.3 paramsOpen a feedback session after thumbs up/down. Follow-up messages will be captured for 60s.
signalstringup · downinitialContextstringfeedbackEventIdstringappend_feedback_contextAppend a follow-up message to an open feedback session. Call this when the user types additional context after giving thumbs up/down.3 paramsAppend a follow-up message to an open feedback session. Call this when the user types additional context after giving thumbs up/down.
rolestringuser · assistantdefault: usermessagestringsessionIdstringfinalize_feedback_sessionFinalize a feedback session and re-infer the lesson with all follow-up context.1 paramsFinalize a feedback session and re-infer the lesson with all follow-up context.
sessionIdstringwebhook_deliverSend a message to Teams, Slack, or Discord via webhook. Use for status reports, alerts, and notifications.4 paramsSend a message to Teams, Slack, or Discord via webhook. Use for status reports, alerts, and notifications.
titlestringmessagestringplatformstringteams · slack · discordwebhook_urlstringreflect_on_feedbackRun a post-mortem analysis on negative feedback. Returns a proposed rule and recurrence info.4 paramsRun a post-mortem analysis on negative feedback. Returns a proposed rule and recurrence info.
contextstringwhatWentWrongstringfeedbackEventIdstringconversationWindowarrayreport_product_issueReport a bug, suggestion, or complaint about ThumbGate itself (not project feedback). Auto-files a GitHub issue with system context. Use when the user expresses frustration or requests a feature for the thumbgate tool.3 paramsReport a bug, suggestion, or complaint about ThumbGate itself (not project feedback). Auto-files a GitHub issue with system context. Use when the user expresses frustration or requests a feature for the thumbgate tool.
bodystringtitlestringcategorystringbug · feature · questionrun_managed_lesson_agentRun the LLM-powered lesson inference and rule generation agent over accumulated feedback. Requires ANTHROPIC_API_KEY for LLM mode; falls back to heuristics if unavailable.3 paramsRun the LLM-powered lesson inference and rule generation agent over accumulated feedback. Requires ANTHROPIC_API_KEY for LLM mode; falls back to heuristics if unavailable.
limitnumbermodelstringdryRunbooleanmanaged_agent_statusShow status of the last managed lesson agent run: entries processed, lessons created, gates promoted, and total runs.Show status of the last managed lesson agent run: entries processed, lessons created, gates promoted, and total runs.
No parameter schema in public metadata yet.
run_self_distillRun the self-distillation agent to auto-evaluate recent agent sessions and generate improvement lessons without human feedback. Reads conversation logs, detects success/failure signals, and persists lessons.3 paramsRun the self-distillation agent to auto-evaluate recent agent sessions and generate improvement lessons without human feedback. Reads conversation logs, detects success/failure signals, and persists lessons.
limitnumbermodelstringdryRunbooleanself_distill_statusShow status of the last self-distillation run: sessions analyzed, lessons generated, signals detected.Show status of the last self-distillation run: sessions analyzed, lessons generated, signals detected.
No parameter schema in public metadata yet.
context_stuff_lessonsDump ALL prevention lessons into a single text block for context-window injection. Bypasses RAG/search — returns every lesson sorted by confidence. For most projects (20-200 lessons), fits in 1K-10K tokens.3 paramsDump ALL prevention lessons into a single text block for context-window injection. Bypasses RAG/search — returns every lesson sorted by confidence. For most projects (20-200 lessons), fits in 1K-10K tokens.
formatstringcompact · fullsignalstringpositive · negativemaxTokenBudgetnumberAI coding agents repeat mistakes — and one wrong tool call can wipe a directory, leak a key, or push broken code.
ThumbGate is the local-first Pre-Action Checks engine for AI coding agents. It runs in the PreToolUse hook on your machine: it evaluates a proposed tool call and logs the decision before tool execution. It hard-blocks detected secret leaks and two direct self-disable command classes by default — commands that terminate the ThumbGate gate process or enable its bypass environment override. Other high-risk classes, including destructive deletes (rm -rf), force-push, fetch-and-run, direct guardrail-file edits, off-scope edits, and deploys, warn and log by default. Set THUMBGATE_STRICT_ENFORCEMENT=1 to preserve deny decisions for every matched blocking rule. Works across configured Claude Code, Cursor, Codex, Gemini, Amp, Cline, and OpenCode integrations. No server is required on the local enforcement path. (Regulated-industry policy templates are roadmap directions, not shipped compliance claims.)
Accepted feedback is stored as local lessons. Repeated concrete failures can become prevention rules that flag or block matching tool calls according to policy.
Agent tries: rm -rf tests/
ThumbGate: ⚠️ WARN + LOG — "Never delete test directories"
Pattern matched: rm.*-rf.*tests
Source: your thumbs-down from last Tuesday
Strict mode: DENY before tool execution
npx thumbgate init # auto-detects the supported agent and wires its integration
Works with Claude Code, Cursor, Codex, Gemini CLI, Amp, Cline, OpenCode and MCP-compatible agents after their integration is configured. Free tier: 2 feedback captures/day (10 total) and up to 3 active auto-promoted prevention rules. Pro: $19/mo or $149/yr is the individual tier for unlimited rules, history-aware lessons, feedback sessions, a personal dashboard, and DPO export. Enterprise is custom and scoped after intake; hosted team sync and a hosted org dashboard are not in the current general-availability runtime.
"A better dashboard doesn't make the agents more reliable. The hard part isn't visibility. It's trust."
— Rob May, CEO & co-founder, Neurometric AI, quoted in The New Stack on Anthropic's Claude Code Agent View (May 2026).
ThumbGate is our open-source attempt at that trust problem: inspectable PreToolUse decisions, accepted feedback captured as lessons, and recurring failures promoted into reviewable rules.
Agentic development is becoming a loop: Guide → Generate → Verify → Solve. ThumbGate adds a pre-action decision point before tool execution.
In that stack, ThumbGate is the pre-action gate between generated intent and executed action.
Spec-driven agent frameworks like GSD (get-shit-done) and GitHub Spec Kit are great at planning and generating work — they expose dozens of discoverable /gsd-* / /specify commands in the agent command palette. ThumbGate is the guardrail layer for spec-driven agents: it sits after the plan, on the boundary between a generated tool call and its execution. It works alongside GSD / Spec-Kit, not instead of them — they decide what to build; configured ThumbGate policies evaluate the proposed actions used to build it.
npx thumbgate init installs these commands into your agent's palette (.claude/commands/, .gemini/commands/, .antigravitycli/commands/) so the enforcement layer is as browsable as the planning layer:
| Command | What it does | Wraps (existing capability) |
|---|---|---|
/thumbgate-guard | Turn the last agent mistake into a hard prevention rule | capture_feedback + thumbgate force-gate |
/thumbgate-rules | List the active prevention rules + lessons guarding this repo | prevention_rules, get_reliability_rules, search_lessons |
/thumbgate-blocked | Show what's actually been blocked — gate stats + enforcement matrix | gate_stats, enforcement_matrix |
/thumbgate-protect | Show branch/release governance; grant a scoped, expiring approval | get_branch_governance, approve_protected_action |
/thumbgate-doctor | Health-check the wiring (hooks, MCP, agent-readiness) | thumbgate doctor |
Each is a thin wrapper over an existing MCP tool or CLI command — no new enforcement logic, just discoverability.
Watch the force-push scenario: an agent proposes git push --force, the matching rule is flagged and logged by default, and the tool call is denied when you run with THUMBGATE_STRICT_ENFORCEMENT=1.
▶ Watch the 90-second demo · Script · ElevenLabs narration: npm run demo:voiceover
If someone is not already bought into ThumbGate, do not lead with architecture. Lead with one repeated mistake.
thumbs down: or thumbs up: with one concrete sentence. Native ChatGPT rating buttons are not the ThumbGate capture path; typed feedback is.npx thumbgate init where the agent executes so the lesson can become one of your Pre-Action Checks instead of another reminder.The buying question is simple: what repeated AI mistake would be worth catching before the tool executes?
The first high-value customer is an enterprise engineering, security, or platform leader whose team already uses AI coding agents in high-blast-radius workflows: finance, healthcare, insurance, public sector, critical infrastructure, manufacturing, or any audited software-delivery environment.
The pain is security and operational risk; the buying context is enterprise AI-agent governance. ThumbGate owns the enforcement boundary: known-bad agent actions are flagged or blocked before shell, repo, CI/CD, SaaS, or cloud tool calls execute.
For partners building detection or coordination layers, ThumbGate is the downstream enforcement surface. Detection systems identify drift, stale shared reality, or risky workflow intent; ThumbGate turns the approved finding into a PreToolUse prevention rule with auditable execution evidence.
When an agent repeats a failed action, the cost is not just the model call. It is also the attempted tool action, diagnosis, remediation, and review. ThumbGate records concrete corrections so recurring failures can become explicit checks instead of relying on the model to remember a prior session.
PreToolUse runs after the model has proposed a tool call and before the tool executes. ThumbGate therefore does not claim that a gate decision makes the model generation free. A denial can avoid downstream execution and remediation, while a warning gives the agent another chance to choose a safer plan.
The dashboard's token and dollar savings values are estimates, derived from recorded block counts and documented token/price assumptions. They are not measured provider usage or a guarantee of savings. Mark a review checkpoint once, and the dashboard narrows the next pass to the feedback, lessons, and check decisions added since the last review.
Coding-agent sessions do not automatically inherit ThumbGate's prior local lessons, rejected fixes, or repo rules. Without configured context and hooks, a later session can repeat a previously corrected failure.
ThumbGate gives your repo a context brain: a single, versioned, agent-readable artifact that consolidates everything the agent should know before it acts — the lessons it has learned, the guardrails it must not cross, the gates that are enforced, and the project's own instruction files.
npx thumbgate brain --write # → .thumbgate/BRAIN.md
Then point each agent at it — add Read .thumbgate/BRAIN.md first to the relevant CLAUDE.md / AGENTS.md integration. Sessions that honor that instruction can load the repo's institutional memory. The generated output is deterministic for the same inputs, so BRAIN.md can be reviewed like any other file.
# ThumbGate Context Brain
## What this codebase taught its agents (lessons)
- ⛔ Force-pushing to main was rejected — use --force-with-lease on feature branches only
## Guardrails — do NOT repeat these (prevention rules)
- Never run DROP on production tables
## Active enforcement (gates)
- `DROP.*production` → warn + log (hard-block under strict enforcement)
Same idea the SEO world is now calling a "client brain" — persistent context that AI reads before doing the work — applied to engineering: the institutional memory that stops your coding agent from relearning the same lesson on your dime.
npx thumbgate init # initializes local state; use --agent for an explicit integration
npx thumbgate capture down "Never run DROP on production tables"
That command stores a concrete negative lesson and applies promotion rules. If the pattern becomes an active prevention rule, configured agents in the same install scope can evaluate a later DROP attempt:
⚠️ Check fired: "Never run DROP on production tables"
Pattern: DROP.*production
Verdict: WARN + LOG (BLOCK when THUMBGATE_STRICT_ENFORCEMENT=1)
ThumbGate operates as a 4-layer enforcement stack between your AI agent and your codebase:
![]()
Concrete thumbs-up/down feedback can be captured through the MCP protocol, CLI, or a configured GPT Action. Accepted feedback is stored as a structured local lesson with the available context, timestamp, and severity.
The check engine can promote qualifying recurring lessons into rules. The runtime gate decision is deterministic — literal pattern match → AST match → scoped rule lookup. No LLM call runs on the enforcement path.
Where retrieval is needed (an agent is about to run a destructive command not on the literal block list, but semantically similar to a prior rule), ThumbGate uses local CPU-only bge-small embeddings via LanceDB's built-in pipeline. That path makes no external inference API call. So "no LLM in enforcement" holds: the gate decision uses no LLM; the rule corpus is searchable via local embeddings.
Thompson Sampling tunes per-rule confidence weights for soft-gating rules so high-noise rules quiet down and high-signal rules sharpen. It does not decide whether a hard pattern matches. A force-push pattern match is deterministic, while the public runtime warns by default and denies the matching action under strict enforcement.
Rules stay in local ThumbGate runtime state.
For agents wired to the hook, ThumbGate evaluates each proposed tool call against active checks before tool execution and records the resulting decision. Detected secret leaks and the self-protect process-kill/environment-override gates deny by default. Direct guardrail-file edits, rm -rf, force-push, and fetch-and-run warn and log by default; strict mode preserves matched deny decisions.
Claude Code already ships permissions.deny and PreToolUse hooks. Cursor and Codex have their own. So why ThumbGate over a hand-written hook?
Two things hand-written hooks structurally cannot do:
permissions.deny pattern lives in one agent's config and stays there. ThumbGate integrations configured to use the same local install scope can read the same lesson and rule store across Claude Code, Codex, Gemini CLI, Cline, OpenCode, and Amp.Hand-rolled hooks are the right tool for a small, static denylist you maintain by hand. ThumbGate is useful when configured agent integrations should evaluate the same local lessons and rules.
Prompt engineering still matters, but it is only the starting point. ThumbGate adds prompt evaluation on top: proof lanes, benchmarks, and self-heal checks produce reviewable evidence about whether a prompt and workflow held up under execution. Run npx thumbgate eval --from-feedback --write-report=.thumbgate/prompt-eval-proof.md to turn accepted thumbs-up/down feedback into reusable eval cases and a local proof report.
ThumbGate's latency advantage is structural, not a tuned cloud cluster: there is no retrieval service and no model on the enforcement path, so the gate decision never leaves your machine.
flowchart LR
A["Agent about to run<br/>a tool call"] --> B{"Literal / AST match<br/>on an active rule?"}
B -- "exact match" --> D["Deterministic gate decision<br/>(no model, on-device)"]
B -- "no exact match, but<br/>semantically near a<br/>blocked pattern" --> C["Local CPU embeddings<br/>bge-small via LanceDB<br/>(no external API)"]
C --> D
D -- "secret exfil / self-protect" --> E["⛔ Hard-block before execution"]
D -- "other known-bad" --> G["⚠️ Warn + log<br/>(hard-block under strict)"]
D -- "safe" --> F["✓ Allow"]
bge-small embeddings via LanceDB — still local, still no external API call.The enforcement decision is local: there is no cloud retrieval or model-inference hop on that path. Measure end-to-end latency in your own agent and machine configuration.
When a new managed model drops, do not swap ThumbGate over on vendor claims alone. Rank it against the actual ThumbGate workload first:
npx thumbgate model-candidates --workload=pretool-gating --json
npx thumbgate model-candidates --workload=long-trace-review --provider=openai-compatible --gateway=tinker --json
The catalog currently includes the April 23, 2026 Tinker additions:
tinker/qwen3.6-35b-a3b for pre-action gating, agentic coding, and tool-usetinker/qwen3.6-27b for the cheap fast-pathtinker/kimi-k2.6-128k for long-trace review and multi-agent sessionsEach recommendation ships with the benchmark commands to run next: feedback-derived prompt eval, gate-eval, and thumbgate bench. For whole-repo clone claims, add npx thumbgate bench --programbench-smoke to generate a ProgramBench-style cleanroom proof report without claiming an official ProgramBench score. That keeps model selection evidence-backed instead of hype-driven.


| Agent | Command |
|---|---|
| Claude Code | npx thumbgate init --agent claude-code |
| Cursor | npx thumbgate init --agent cursor |
| VS Code / Open VSX | plugins/vscode-extension/README.md |
| Antigravity-compatible | plugins/antigravity-extension/INSTALL.md |
| JetBrains | plugins/jetbrains-plugin/README.md |
| Codex | npx thumbgate init --agent codex |
| Gemini CLI | npx thumbgate init --agent gemini |
| Amp | npx thumbgate init --agent amp |
| Cline (Roo Code successor) | npx thumbgate init --agent cline |
| OpenCode | npx thumbgate init --agent opencode |
| Claude Desktop | Download extension bundle |
| Any MCP agent | npx thumbgate serve |
Works with Claude Code, Cursor, Codex, Gemini CLI, Amp, Cline, OpenCode, and any MCP-compatible agent. Migrating from Roo Code (sunsetting 2026-05-15)? See adapters/cline/INSTALL.md.
ThumbGate supports two install scopes. Pick once when you install — you can switch later by re-running with the other flag.
| Scope | Command | Settings file | Lesson DB + dashboard live in | When to use |
|---|---|---|---|---|
| Machine-wide (default) | npx thumbgate init | ~/.claude/settings.json | ~/.claude/memory/feedback/ | Solo operator — configured repos can use the same machine-local feedback store. Matching actions are evaluated according to the active policy; cross-repo blocking is not automatic without the relevant integration and rule. |
| Per-project | npx thumbgate init --project (in the repo root) | <repo>/.claude/settings.json | <repo>/.claude/memory/feedback/ | Client work, compliance, or multi-tenant — separate dashboard per repo, lessons stay isolated, audit trail belongs to the repo. |
Both scopes write mcpServers.thumbgate + the PreToolUse / UserPromptSubmit / PostToolUse / SessionStart hooks; the only difference is where. Machine-wide is the right default for most developers. Switch to --project only when you have a reason to keep lessons from bleeding between repos.
Per-project lesson DBs live under each repo's
.claude/memory/feedback/and must stay gitignored — they're a runtime store, not source. ThumbGate's bundled.gitignoretemplate handles this.
Claude renders the live ThumbGate footer today. npx thumbgate init --agent codex now installs the full Codex hook bundle and writes the ThumbGate statusLine target into ~/.codex/config.json so you can test it on your local Codex build immediately.
Open the Codex plugin install page or download the standalone bundle from GitHub Releases. The Codex launcher resolves thumbgate@latest when MCP and hooks start, so published npm fixes reach active Codex installs without hand-editing ~/.codex/config.toml.
ChatGPT is the advice, checkpointing, and typed-feedback surface; ThumbGate's hard enforcement still runs locally in Codex, Claude Code, Cursor, Gemini CLI, Amp, OpenCode, MCP, or CI after install.
STEP 1 STEP 2 STEP 3
──────── ──────── ────────
You react ThumbGate learns The check holds
👎 on a bad ──► Accepted feedback ──► A recurring failure
agent action becomes a lesson can become a rule:
👍 on a good ──► Good pattern gets 🚦 flagged + logged
agent action reinforced (hard-blocked for
secret exfil / strict
mode, or ✅ allowed)
Concrete feedback can reduce manual rule-writing while keeping the resulting lessons and rules inspectable.
ThumbGate sells three concrete outcomes:
thumbgate eval --from-feedback, proof lanes, ThumbGate Bench, and self-heal:check to evaluate whether prompts and workflows actually improved behavior.git push --force on protected branches before it runs, and hard-blocks it under THUMBGATE_STRICT_ENFORCEMENT=1These are policy-template directions on the roadmap, not customer-proven compliance capabilities. They build on the same gate engine:
Talk to us about regulated templates →
⛔ secret-exfiltration → hard-blocks detected secret exposure (default)
⛔ self-protect-kill → blocks direct process termination (default)
⛔ self-protect-env → blocks direct ThumbGate env override (default)
⚠️ force-push → flags git push --force (hard-block under strict)
⚠️ protected-branch → flags direct push to main (hard-block under strict)
⚠️ unresolved-threads → flags push with open reviews (hard-block under strict)
⚠️ package-lock-reset → flags destructive lock edits (hard-block under strict)
Configured hooks record decisions for evaluated calls. Detected secret leaks and
the process-kill/environment-override self-protect gates deny by default. Direct
guardrail-file edits, rm -rf, force-push, and fetch-and-run warn and log by
default; matched blocking rules deny under THUMBGATE_STRICT_ENFORCEMENT=1.
+ custom prevention rules for project-specific failures
npx thumbgate init # detect agent, wire hooks
npx thumbgate doctor # health check
npx thumbgate capture up|down "<text>" # capture a signal as a stored lesson (positional format)
npx thumbgate lessons # see what's been learned
npx thumbgate brain --write # build .thumbgate/BRAIN.md — the agent-readable context brain
npx thumbgate explore # terminal explorer for lessons, checks, stats
npx thumbgate background-governance # review background-agent run risk
npx thumbgate model-candidates --workload=dashboard-analysis --provider=openai --json # evaluate GPT-5.5 routing
npx thumbgate native-messaging-audit # inspect local browser bridges and extension hosts
npx thumbgate dashboard --open # open local project-scoped dashboard in browser
thumbgate-dashboard # standalone browser dashboard shortcut (run '/project:thumbgate-dashboard' in Claude/Grok)
npx thumbgate check-update # check if a new version is available on npm/GitHub
npx thumbgate self-update # update ThumbGate to the latest version globally
npx thumbgate serve # start MCP server on stdio
npx thumbgate bench # run reliability benchmark
npx thumbgate bench --programbench-smoke # include cleanroom whole-repo proof lane
npx thumbgate break-glass --reason="ThumbGate over-fired" # short TTL recovery for gate over-fire
ThumbGate should block repeated unsafe actions, not trap the operator. If a noisy rule or stale memory pattern blocks the hook/settings change you need to recover, open a short-lived break-glass window:
npx thumbgate break-glass --reason="ThumbGate over-fired and blocked operator recovery"
What this unlocks for up to 5 minutes:
.claude/settings.local.json, .claude/settings.json, .codex/config.toml, and the same files inside nested workspaces.pr_create_allowed and pr_threads_checked.What stays gated:
rm -rf, unsafe chmod, package publishes/releases, and local-only remote side effects.README.md, AGENTS.md, policy bundles, or credentials.Verify the recovery window and runtime health before continuing:
npx thumbgate break-glass --reason="verify recovery path" --json
npx thumbgate doctor
If you change MCP or hook settings, restart the affected agent session so Claude Code, Cursor, Codex, or another runtime reloads .mcp.json and local settings.
| Free | Pro ($19/mo) | Enterprise | |
|---|---|---|---|
| Local CLI + PreToolUse checks | ✅ | ✅ | Existing public runtime |
| Feedback captures | 2/day (10 total) | Unlimited | Scoped after intake |
| Active auto-promoted prevention rules | 3 | Unlimited | Scoped after intake |
| Configured agent integrations | ✅ | ✅ | Scoped after intake |
| Personal dashboard | — | ✅ | Reviewed during intake |
| DPO export (model fine-tuning data) | — | ✅ | Reviewed during intake |
| Lesson export/import | — | ✅ | Operator-managed bundles |
| Hosted team lesson sync | — | — | Not general availability |
| Hosted org dashboard | — | — | Not general availability |
| Approval boundaries + rollout proof | — | — | Scoped after intake |
The free tier gives you 2 feedback captures/day (10 total) and up to 3 active auto-promoted prevention rules. Documented integration paths for Claude Code, Cursor, Codex, Gemini, Amp, Cline, and OpenCode ship free; each agent must be configured through its hook or MCP setup.
Pro ($19/mo or $149/yr) is the individual tier: it removes the rule cap and adds history-aware lesson recall, lesson search, DPO export, and a personal dashboard. Enterprise is custom and scoped after intake around one workflow, its approval boundaries, rollback plan, evidence requirements, and rollout support. Hosted team lesson sync, hosted org dashboards, SSO, SIEM, and compliance packaging are not general-availability features in the current public runtime.
Enterprise intake path: the Workflow Hardening Sprint scopes one repeated failure before any broader rollout commitment. Start intake →
Local technical path: install the CLI and use init plus the documented setup for the agent you already use.
Paid path for individual operators: ThumbGate Pro is the self-serve side lane for a personal dashboard and export-ready evidence.
Start free · See Pro · Team Sprint intake
ThumbGate Pro can export lessons as portable bundles and import them into another operator-managed ThumbGate instance. This is an explicit export/import workflow, not automatic hosted sync or org-wide enforcement.
Export lessons from one project:
curl -X POST http://localhost:3456/v1/lessons/export \
-H "Authorization: Bearer $THUMBGATE_API_KEY" \
-H "Content-Type: application/json" \
-d '{"outputPath": "./lessons-export.json"}'
Filter by signal or tags:
curl -X POST http://localhost:3456/v1/lessons/export \
-H "Authorization: Bearer $THUMBGATE_API_KEY" \
-H "Content-Type: application/json" \
-d '{"signal": "down", "tags": ["push-notifications", "ci"]}'
Import into another operator-managed ThumbGate instance:
curl -X POST http://localhost:3456/v1/lessons/import \
-H "Authorization: Bearer $THUMBGATE_API_KEY" \
-H "Content-Type: application/json" \
-d @lessons-export.json
What happens on import:
team-import with original source project, export timestamp, and original IDThe export bundle includes full lesson metadata: signal, title, context, tags, failure type, skill, structured rules, and diagnosis. It's the same data you see in the lesson detail dashboard — portable as JSON.
Use cases:
Accepted thumbs-up and thumbs-down feedback can supply preference data. ThumbGate Pro exports eligible captured feedback as DPO (Direct Preference Optimization) pairs for a separate LoRA or other fine-tuning workflow. The export does not guarantee model behavior; training and evaluation remain operator responsibilities.
Export DPO pairs:
curl -X POST http://localhost:3456/v1/dpo/export \
-H "Authorization: Bearer $THUMBGATE_API_KEY" \
-o dpo-pairs.jsonl
What you get: JSONL where each line is a preference pair:
chosen — the agent action you thumbed uprejected — the action you thumbed down for the same task contextprompt — the originating user intentUse cases:
/v1/kto/export)Why this matters: Checks can deny matching actions under policy. Fine-tuning may reduce attempts, but only evaluation can establish whether behavior changed.
| Layer | Technology |
|---|---|
| Storage | SQLite + FTS5, LanceDB vectors, JSONL logs |
| Capture | 2/day, 10 total on Free; unlimited on Pro, Team, and Enterprise |
| Intelligence | MemAlign dual recall, Thompson Sampling |
| Enforcement | PreToolUse hook engine, Checks config |
| Interfaces | MCP stdio, HTTP API, CLI (Node.js >=18) |
| Billing | Stripe |
| Execution | Railway, Cloudflare Workers, Docker Sandboxes |
| Governance | Workflow Sentinel, control plane, Docker Sandboxes |
Every Changeset is tied to the exact main merge commit and generates Verification Evidence for Release Confidence.
Popular buyer questions: AI search topical presence · Relational knowledge and AI recommendations · Background agent governance · GPT-5.5 model evaluation · Stop repeated AI agent mistakes · Browser automation safety · Native messaging host security · Autoresearch agent safety · Cursor guardrails · Codex CLI guardrails · Gemini CLI memory + enforcement · Google Cloud MCP guardrails · Roo Code alternative: migrate to Cline
Conversational ad / AI-search answer assets: AI Mode ads for agent governance · MCP tool governance · AI agent pre-action approval gates
Workflow Hardening Sprint · Live Dashboard
.vscode/mcp.json fallback for VS Code-compatible IDEsthumbgate@latest runtimethumbgate-revenue-evidence --dashboard --out thumbgate-revenue-evidence-dashboard.json. Snapshot preparation is dry-run by default; network delivery requires both --send and THUMBGATE_GRAFANA_ZERO_SPEND_CONFIRMED=1. Dashboard observations never promote clicks, checkout starts, or intakes into payment or customer claims. Repository operators can use the full Grafana integration guide.Give the agent more context when a thumbs-down isn't enough:
👎 thumbs down
└─► open_feedback_session
└─► "you lied about deployment" (append_feedback_context)
└─► "tests were actually failing" (append_feedback_context)
└─► finalize_feedback_session
└─► lesson inferred from full conversation
Pro operators can invoke search_lessons through MCP and use npx thumbgate lessons from the CLI. History-aware feedback sessions and lesson search are Pro capabilities; Free does not include recall or search.
The package includes a local data-chat path over ThumbGate data using lesson retrieval, LanceDB-backed vectors, and an operator-configured LLM. Set THUMBGATE_LOCAL_LLM_ENDPOINT to an OpenAI-compatible local endpoint (Ollama, llama.cpp, vLLM, LM Studio, etc.) when you want generated answers without sending dashboard data to Google. This is a local package capability, not a hosted org-dashboard claim.
Google Cloud is an optional adapter, not a dashboard requirement. The package provides setup and guard-adapter code for operators who already use Vertex AI or Dialogflow CX; each deployment and data boundary must be configured and verified in that tenancy.
To wire local ThumbGate scoring to Vertex AI, run:
npx thumbgate setup-vertex
gcloud session and active project ID..env file.This command does not create or verify a live Dialogflow CX agent. Dialogflow is only relevant when a customer wants ThumbGate guard adapters in front of their own production DFCX agents. On current Google Cloud CLI installs, the old alpha gcloud CX command group is not available; verify Conversational Agents / Dialogflow CX with the Google Cloud console or the official Dialogflow CX REST API (projects.locations.agents) before claiming a live DFCX deployment.
Google Cloud budget alerts do not themselves stop API traffic. ThumbGate includes local budget-ledger and policy primitives, but a stop condition applies only to provider calls explicitly routed through the configured gate. It is not a cloud billing guarantee, and provider pricing or token usage must come from provider telemetry.
Is ThumbGate a model fine-tuning tool? No. ThumbGate does not update model weights. It captures feedback, stores lessons, injects context at runtime, and evaluates proposed tool calls before execution. Detected secret leaks and direct process-kill/environment-override self-disable commands deny by default; strict mode denies every matched blocking rule.
How is this different from CLAUDE.md or .cursorrules? Those are instructions in model context. A configured ThumbGate hook adds an external allow/warn/deny decision before tool execution. Detected secret leaks and direct process-kill/environment-override self-disable commands deny by default; other audited high-risk classes warn and log unless strict mode preserves the matched deny.
Does it work with my agent? ThumbGate ships configuration paths for Claude Code, Claude Desktop, Cursor, Codex, Gemini CLI, Amp, Cline, and OpenCode. The relevant MCP or hook integration must be configured before it evaluates tool calls.
Is it free? The free tier gives you 2 feedback captures/day, 10 total captures, and up to 3 active auto-promoted prevention rules — enough for a solo developer to verify a matching pre-action evaluation before upgrading. Supported MCP and hook integration files ship in the free package.
Pro ($19/mo or $149/yr) is for individual operators and adds history-aware lesson recall, lesson search, unlimited rules, exports, and a personal dashboard. Enterprise is custom and scoped after intake; hosted team sync and a hosted org dashboard are not general availability.
THUMBGATE_SILENT_FAILURE_CLUSTERING=0; only meaningfully active on workspaces with ≥ 50 tool calls/day)ThumbGate is free and MIT-licensed. The paid paths are intentionally separate:
Start Pro → · Start Enterprise intake →
I'm Igor Ganapolsky — I designed and maintain ThumbGate. If you're shipping payments, AI agents, or Android features and want them built by someone demonstrably careful with production and with money, I take a small number of freelance / contract engagements.
ThumbGate is the receipt, not the pitch: its default policy denies detected secret exfiltration and gate kill/bypass commands, strict mode also denies matching warning-mode checks, and the project publishes a threat model stating what the local evaluator does and cannot contain. Documenting where my own guardrails end is the standard I hold client work to.
$120–150/hr, 1099 · remote, US timezones → LinkedIn · thumbgate.ai
ThumbGate is free and MIT-licensed, and stays that way. If it saved you a costly mistake, the best thank-you is an intro to someone who needs an engineer who ships carefully.
MIT. See LICENSE.