April 10, 2026
Your AI agent is a supply chain attack surface. Here's how to gate it.
Your AI coding agent runs shell commands. It installs packages. It
modifies files, pushes commits, and calls external APIs — all
without requiring you to type a single character. That's the pitch.
That's also the attack surface.
The gap is pre-action enforcement
Static analysis catches known-bad patterns in code you have already
written. Dependency scanners audit lock files after packages
are installed. By the time your scanner flags a problem, the agent
has already run the command.
These tools operate on the output of agent actions. You need
something that operates on the input — before execution.
Pre-Action Checks via PreToolUse hooks
ThumbGate implements pre-action checks via PreToolUse hooks,
interception points that run before every tool invocation. No
action reaches execution without passing through the gate: not Bash
commands, not file edits, not web fetches. The hook sees the tool call
exactly as the agent issued it (the command string, the file path, the
URL), so gates match on that text; whatever a permitted command goes on
to spawn is not a separate tool call and is not re-checked.
What makes this more than a static blocklist is the
feedback-to-enforcement pipeline. When something goes
wrong, you record a thumbs-down with context. That failure feeds a
promotion engine. One failure becomes a warning. Three confirmed
failures of the same pattern become a hard block.
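As an added illustration of the promotion step (my code, not ThumbGate's), the engine below groups thumbs-down feedback by a normalized command pattern and applies the thresholds stated above. The event and gate shapes, the patternKey normalization, and the rule that only human-confirmed failures count toward a block are assumptions of this example; the constructed sample events are not real incidents.

```javascript
// Added example, not ThumbGate's code: feedback -> warning -> hard block.
// Thresholds from the post; everything else (event shape, gate shape) is assumed.
const WARN_AT = 1;   // one failure of a pattern => warn
const BLOCK_AT = 3;  // three human-confirmed failures of the same pattern => block

// Reduce a concrete command to the pattern key feedback is grouped under:
// the first two non-flag tokens plus the sorted flags, so paths, refs and
// versions that vary between incidents do not split the tally.
function patternKey(tool, command) {
  const t = String(command).trim().split(/\s+/);
  const head = t.slice(0, 2).filter((a) => !a.startsWith('-'));
  const flags = t.filter((a) => a.startsWith('-')).sort();
  return `${tool}:${[...head, ...flags].join(' ')}`;
}

// Promote feedback into gates. `existing` lets already-stored gates be merged;
// a manual policy rule is never overwritten by statistics.
function promote(events, existing = []) {
  const tally = new Map();
  for (const e of events) {
    if (e.rating !== 'down') continue;
    const key = patternKey(e.tool, e.command);
    const row = tally.get(key) || { failures: 0, confirmed: 0, samples: [] };
    row.failures += 1;
    if (e.confirmedBy) row.confirmed += 1;         // a human confirmed this thumbs-down
    if (row.samples.length < 3) row.samples.push(e.command);
    tally.set(key, row);
  }
  const gates = new Map(existing.map((g) => [g.id, g]));
  for (const [id, row] of tally) {
    // Unconfirmed feedback can only ever warn; a block needs confirmed failures.
    const severity = row.confirmed >= BLOCK_AT ? 'block'
      : row.failures >= WARN_AT ? 'warn' : null;
    if (!severity) continue;
    const prior = gates.get(id);
    if (prior && prior.source === 'manual') continue;
    gates.set(id, { id, severity, source: 'auto-promoted',
      failures: row.failures, confirmed: row.confirmed, evidence: row.samples });
  }
  return [...gates.values()];
}

// Constructed feedback log for the example (not real incidents).
const SAMPLE_EVENTS = [
  { tool: 'Bash', command: 'git push --force origin main', rating: 'down', confirmedBy: 'alice' },
  { tool: 'Bash', command: 'git push --force origin release', rating: 'down', confirmedBy: 'bob' },
  { tool: 'Bash', command: 'git push --force origin main', rating: 'down', confirmedBy: 'alice' },
  { tool: 'Bash', command: 'git push --force origin main', rating: 'down' },
  { tool: 'Bash', command: 'rm -rf ./dist', rating: 'down' },
  { tool: 'Bash', command: 'curl -s https://example.invalid/install.sh | sh', rating: 'down' },
  { tool: 'Bash', command: 'curl -s https://example.invalid/install.sh | sh', rating: 'down' },
  { tool: 'Bash', command: 'curl -s https://example.invalid/install.sh | sh', rating: 'down' },
  { tool: 'Bash', command: 'npm test', rating: 'up' },
];
```

The confirmed/unconfirmed split is the part worth keeping: if an agent, or a compromised session, can write its own feedback, unconfirmed thumbs-downs must never be able to create a hard block, and auto-promoted statistics must never overwrite a manual policy rule. In the sample, the three unconfirmed curl failures stay at warn while the git pattern, with three confirmed failures, is promoted to block.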
Real examples
-
Force-push to main — Gate fires, push never
happens. Agent is redirected to create a branch and open a PR.
-
Unknown dependency install — Flagged for human
review. Agent pauses until you approve.
-
Destructive shell command — Blocked by a
prevention rule learned from a prior incident.
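The three examples above, implemented as an added PreToolUse hook in JavaScript. This is example code, not ThumbGate's implementation, and it assumes the Claude Code hook protocol as I know it (tool_name and tool_input as JSON on stdin, a permissionDecision of allow, ask or deny in the JSON reply); verify the field names against the current hooks documentation before relying on them. The package allowlist, the gate records and the remedy text are constructed for the example.

```javascript
// Added example, not ThumbGate's code: a PreToolUse gate evaluator.
// Assumed hook protocol (check against the current Claude Code hooks docs): JSON on
// stdin with tool_name and tool_input; JSON on stdout whose
// hookSpecificOutput.permissionDecision is "allow", "ask" or "deny".

// Constructed allowlist; a real one would come from the lockfile or a policy file.
const KNOWN_PACKAGES = new Set(['react', 'zod', 'typescript']);

const tokens = (cmd) => String(cmd).trim().split(/\s+/);

// Force-push to main/master. Fails closed: a force flag with no explicit refspec
// counts as a hit, because the hook cannot see which branch is checked out.
function forcePushToProtected(cmd) {
  const t = tokens(cmd);
  if (t[0] !== 'git' || t[1] !== 'push') return null;
  const args = t.slice(2);
  const force = args.some((a) => a === '-f' || a === '--force' || a.startsWith('--force-with-lease'));
  const refspecs = args.filter((a) => !a.startsWith('-')).slice(1); // first positional is the remote
  const protectedRef = /(^|:)(refs\/heads\/)?(main|master)$/;
  const plus = refspecs.find((r) => r.startsWith('+') && protectedRef.test(r.slice(1)));
  if (plus) return `forced refspec ${plus}`;
  if (!force) return null;
  if (refspecs.length === 0) return 'force flag with implicit current branch';
  const hit = refspecs.find((r) => protectedRef.test(r));
  return hit ? `force flag targeting ${hit}` : null;
}

// Package arguments to an install command that are not on the allowlist.
// Conservative on purpose: a file argument such as requirements.txt is reported too.
function unknownPackages(cmd) {
  const t = tokens(cmd);
  const i = t.findIndex((a) => ['npm', 'pnpm', 'yarn', 'pip', 'pip3'].includes(a));
  if (i < 0 || !['install', 'i', 'add'].includes(t[i + 1])) return [];
  return t.slice(i + 2)
    .filter((a) => !a.startsWith('-'))
    .map((a) => a.replace(/@[^/]+$/, ''))        // drop a trailing version spec
    .filter((name) => !KNOWN_PACKAGES.has(name));
}

// rm with both a recursive and a force flag, combined (-rf) or separate.
function recursiveForceRm(cmd) {
  const t = tokens(cmd);
  const i = t.indexOf('rm');
  if (i < 0) return null;
  const flags = t.slice(i + 1).filter((a) => a.startsWith('-'));
  const recursive = flags.some((f) => f === '--recursive' || /^-[a-zA-Z]*[rR]/.test(f));
  const force = flags.some((f) => f === '--force' || /^-[a-zA-Z]*f/.test(f));
  return recursive && force ? `rm ${flags.join(' ')}` : null;
}

// Gate records (constructed): severity drives the decision, the rest feeds the reason text.
const GATES = [
  { id: 'git.force_push_protected', tool: 'Bash', layer: 'policy', severity: 'block',
    source: 'manual rule', match: forcePushToProtected,
    remedy: 'Push to a new branch and open a PR instead of rewriting main.' },
  { id: 'deps.unknown_install', tool: 'Bash', layer: 'supply-chain', severity: 'review',
    source: 'manual rule',
    match: (cmd) => { const u = unknownPackages(cmd); return u.length ? `unlisted package(s) ${u.join(', ')}` : null; },
    remedy: 'Wait for a human to review the new dependency before installing it.' },
  { id: 'shell.recursive_force_rm', tool: 'Bash', layer: 'prevention', severity: 'block',
    source: 'auto-promoted from feedback', match: recursiveForceRm,
    remedy: 'List the paths first and delete them explicitly, without -rf.' },
];

const DECISION_FOR = { warn: 'allow', review: 'ask', block: 'deny' };
const RANK = { allow: 0, ask: 1, deny: 2 };

// The text a gate matches against, per tool (tool_input field names as I understand Claude Code sends them).
function targetOf(toolName, toolInput) {
  if (toolName === 'Bash') return toolInput.command || '';
  if (toolName === 'Edit' || toolName === 'Write') return toolInput.file_path || '';
  if (toolName === 'WebFetch') return toolInput.url || '';
  return '';
}

function evaluate(toolName, toolInput, gates = GATES) {
  const target = targetOf(toolName, toolInput);
  const verdict = { decision: 'allow', reasons: [] };
  for (const gate of gates) {
    if (gate.tool !== toolName) continue;
    const matched = gate.match(target);
    if (!matched) continue;
    const decision = DECISION_FOR[gate.severity];
    // Reasoning chain: what matched, which gate, its layer/severity/source, what to do instead.
    verdict.reasons.push(
      `${gate.id} [${gate.layer}/${gate.severity}, ${gate.source}] matched ${matched} in ${JSON.stringify(target)}. ${gate.remedy}`,
    );
    if (RANK[decision] > RANK[verdict.decision]) verdict.decision = decision;
  }
  return verdict;
}

// Hook entry point: `node gate.js --hook`. Guarded by the flag so the module can also be imported.
if (process.argv.includes('--hook')) {
  let raw = '';
  process.stdin.setEncoding('utf8');
  process.stdin.on('data', (chunk) => { raw += chunk; });
  process.stdin.on('end', () => {
    const event = JSON.parse(raw || '{}');
    const v = evaluate(event.tool_name, event.tool_input || {});
    process.stdout.write(JSON.stringify({
      hookSpecificOutput: {
        hookEventName: 'PreToolUse',
        permissionDecision: v.decision,
        permissionDecisionReason: v.reasons.join('\n') || undefined,
      },
    }));
  });
}
```

To my understanding of Claude Code's settings format, the hook is registered under hooks.PreToolUse in .claude/settings.json with a matcher such as "Bash" and a command entry that runs `node gate.js --hook`; confirm the exact keys against the documentation. Two design points carry over to any gate: evaluate every gate and return the worst decision rather than the first match, and fail closed when the command does not carry enough information to prove it is safe (a bare `git push --force` is blocked here for exactly that reason).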
Five-minute setup
npx thumbgate init installs the PreToolUse hook and
generates a starter gate config. Gates are just JSON — commit
them, review them, share them across your team.
Human judgment leads. AI supports. ThumbGate enforces it.
Full setup guide →
April 1, 2026
Dual-Signal Feedback: Why "What Failed" Isn't Enough
Standard thumbs-down tells you something went wrong. But was
it a bad decision (wrong tool) or bad execution (right tool, wrong
parameters)?
Inspired by Gen-Searcher's dual reward system, ThumbGate now supports
an optional failureType field on capture_feedback:
-
"decision" — the agent chose the wrong
action entirely
-
"execution" — right action, bad
parameters or output
Thompson Sampling creates separate sub-arms (e.g.,
git:decision and git:execution) so
reliability scores diverge per dimension. An agent might be great at
choosing git commands but bad at parameterizing them — now you can see
that distinction.
Backward compatible. Existing feedback without
failureType works unchanged.
Try it now
April 1, 2026
The Claude Code Leak Proves Why Pre-Action Checks Matter
A public Claude Code packaging incident showed why local agent
guardrails need to be evaluated as runtime behavior, not only as
documentation. When implementation details move quickly, teams need a
way to verify what their agents are allowed to do before the next tool
call runs.
The lesson for agent builders is practical: permissions, hooks, retry
loops, and local memory are product surfaces. Treat them as governed
workflow boundaries, not as invisible plumbing.
What the leak revealed about agent security
Claude Code has a sophisticated permission model and tool-calling
pipeline. What it does not have is feedback-driven
enforcement: the ability to learn from past mistakes and block the
agent from repeating them.
That's exactly what ThumbGate does. Every Claude Code user — and every
Claw-code user — can add pre-action checks today:
-
Thumbs-down a mistake — it auto-generates a
prevention rule
-
Gates enforce — PreToolUse hooks block the action
before execution
-
Reasoning chains explain — every block tells you
WHY
-
Thompson Sampling adapts — confidence tiers prevent
false blocks
Install in 30 seconds
npx thumbgate init works with Claude Code,
Claw-code, Cursor, Codex, Gemini, Amp, and any MCP-compatible agent.
Agents are powerful but fallible software. Memory without enforcement
is a suggestion. ThumbGate adds a pre-action check layer so repeated
mistakes can be caught before execution.
Install ThumbGate
March 31, 2026
v0.8.5: Gate Reasoning Chains, Org Dashboard, and the Checkout Funnel That Didn't Exist
ThumbGate v0.8.5 is our biggest release yet. Here's what shipped and
why.
The problem we didn't see
The problem we missed was structural: users can arrive through npm or
the GitHub README, run npx thumbgate init, use the free
local install, and never visit the landing page. A checkout flow that
only exists on the website is easy for CLI-first users to miss.
Gate reasoning chains
Every gate block and warning now explains WHY it
fired. When ThumbGate blocks a git push --force, the
response includes:
- Which pattern matched and what it matched against
- Gate identity: ID, action, layer, severity
- Source: manual policy rule vs auto-promoted from feedback
-
How to bypass:
satisfy_gate("pr_threads_checked")
- Historical fire count: "blocked 23x, warned 15x"
This was inspired by the neuro-symbolic explainability trend in
production AI systems. Gates are the symbolic rules; Thompson Sampling
provides the statistical confidence. The reasoning chain bridges both.
Multi-agent org dashboard
"I'm not going to have 10,000 agents running in the environment that I
don't know what they're doing." — CIO.com, March 2026
The new org_dashboard MCP tool aggregates gate decisions
across all registered agent sessions. CIOs and team leads see: total
active agents, org-wide adherence rate, top blocked gates, and risk
agents (those with the lowest adherence). Free tier shows 3 agents;
Pro shows the full org.
Multi-hop agentic retrieval
Inspired by Chroma's Context-1,
constructMultiHopPack iteratively retrieves context,
prunes weak chunks, refines the query with expansion terms, and checks
coverage — stopping when the coverage threshold (60%) is met or max
hops are reached. Each hop is logged.
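The loop described above, written out as an added example (my code, not ThumbGate's constructMultiHopPack). The 60% coverage threshold and the retrieve, prune, expand, check-coverage structure follow the post; the term-overlap scoring, the pruning threshold of two matching terms, the corpus and the query are constructed for the example, and coverage is defined here as the share of the original query's terms present in the pack.

```javascript
// Added example, not ThumbGate's code: multi-hop retrieval with pruning,
// query expansion and a coverage stop. Scoring and corpus are constructed.
const COVERAGE_THRESHOLD = 0.6;   // from the post
const MAX_HOPS = 3;               // assumed
const STOP = new Set(['the', 'and', 'are', 'for', 'this', 'was', 'why', 'with', 'from']);

// Lowercased word terms of three or more characters, minus stop words.
function termsOf(text) {
  const found = String(text).toLowerCase().match(/[a-z][a-z0-9_-]{2,}/g) || [];
  return new Set(found.filter((t) => !STOP.has(t)));
}

// Score is the raw count of query terms present in the chunk.
function hits(queryTerms, chunk) {
  let n = 0;
  for (const t of chunk.terms) if (queryTerms.has(t)) n += 1;
  return n;
}

function constructMultiHopPack(query, corpus, opts = {}) {
  const { threshold = COVERAGE_THRESHOLD, maxHops = MAX_HOPS, minHits = 2, perHop = 1 } = opts;
  const original = termsOf(query);
  const docs = corpus.map((c) => ({ id: c.id, terms: termsOf(c.text) }));
  let queryTerms = new Set(original);
  const pack = [];
  const log = [];
  let coverage = 0;
  for (let hop = 1; hop <= maxHops; hop += 1) {
    const ranked = docs
      .filter((d) => !pack.includes(d))
      .map((d) => ({ d, score: hits(queryTerms, d) }))
      .filter((x) => x.score >= minHits)          // prune weak chunks
      .sort((a, b) => b.score - a.score)
      .slice(0, perHop);
    for (const { d } of ranked) pack.push(d);
    // Coverage is measured against the original query, not the expanded one,
    // so expansion terms cannot inflate the stop condition.
    const covered = new Set();
    for (const d of pack) for (const t of d.terms) if (original.has(t)) covered.add(t);
    coverage = covered.size / original.size;
    // Expansion terms: vocabulary of this hop's chunks that the query lacks.
    const expansion = new Set();
    for (const { d } of ranked) for (const t of d.terms) if (!queryTerms.has(t)) expansion.add(t);
    log.push({ hop, retrieved: ranked.map((x) => x.d.id), coverage, expansion: [...expansion] });
    if (coverage >= threshold || ranked.length === 0) break;
    queryTerms = new Set([...queryTerms, ...expansion]);
  }
  return { pack: pack.map((d) => d.id), coverage, log };
}

// Constructed corpus: gate-memory chunks an agent might retrieve before acting.
const SAMPLE_CORPUS = [
  { id: 'policy-rule', text: 'Policy rule git.force_push_protected: force flags on a push to a protected branch are denied.' },
  { id: 'branch-list', text: 'Protected branch list for this repo: main and release.' },
  { id: 'incident-12', text: 'Incident 12: the agent retried a denied command three times before opening a PR.' },
  { id: 'deps-policy', text: 'npm install of an unlisted package is held for human review.' },
];
```

On the constructed corpus, the query "force push main blocked incident" retrieves only the policy rule in hop 1 (coverage 0.4; the branch list shares just one term and is pruned as weak). The expansion terms "protected" and "branch" then lift the branch list above the pruning threshold in hop 2, which brings coverage to 0.6 and stops the loop. The log keeps per-hop evidence of what was pulled in and why, which matters when a retrieved chunk later shows up in a gate reason.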
Thompson Sampling calibration
MIN_SAMPLES_THRESHOLD (5) prevents low-sample
overconfidence. getCalibration() reports per-category
confidence tiers: none (0 samples), low (1-4), medium (5-19), high
(20+). Callers know when to trust the statistical arm and when to fall
back to rules.
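An added example (my code, not ThumbGate's) covering both the dual-signal sub-arms from the April 1 post and the calibration tiers above: a Beta-Bernoulli Thompson sampler keyed by category and by category:failureType. The failureType values, MIN_SAMPLES_THRESHOLD = 5 and the tier boundaries come from the posts; the crediting rule (a success credits both sub-arms, a typed failure debits only its own) and the rest of the data model are assumptions of this example.

```javascript
// Added example, not ThumbGate's code: Thompson sampling with per-dimension
// sub-arms and sample-count calibration. Tier boundaries and the threshold are
// from the posts; the crediting rule and data model are assumed.
const MIN_SAMPLES_THRESHOLD = 5;

const armKey = (category, failureType) => `${category}:${failureType}`;

class ReliabilityModel {
  constructor() { this.arms = new Map(); } // key -> { successes, failures }

  arm(key) {
    if (!this.arms.has(key)) this.arms.set(key, { successes: 0, failures: 0 });
    return this.arms.get(key);
  }

  // A success means the choice and the parameters were both right, so it credits the
  // category arm and both sub-arms. A failure debits the category arm and, when a
  // failureType is given, that sub-arm only. Feedback without failureType still works.
  capture(category, { ok, failureType }) {
    const touched = ok
      ? [category, armKey(category, 'decision'), armKey(category, 'execution')]
      : [category, ...(failureType ? [armKey(category, failureType)] : [])];
    for (const key of touched) {
      const a = this.arm(key);
      if (ok) a.successes += 1; else a.failures += 1;
    }
  }

  // Posterior mean of Beta(successes + 1, failures + 1), for reporting.
  mean(key) {
    const a = this.arm(key);
    return (a.successes + 1) / (a.successes + a.failures + 2);
  }

  getCalibration(key) {
    const a = this.arm(key);
    const samples = a.successes + a.failures;
    const tier = samples === 0 ? 'none'
      : samples < MIN_SAMPLES_THRESHOLD ? 'low'
      : samples < 20 ? 'medium' : 'high';
    return { samples, tier, trustArm: samples >= MIN_SAMPLES_THRESHOLD };
  }

  // One posterior draw. With integer parameters, the alpha-th smallest of
  // alpha + beta - 1 uniforms is Beta(alpha, beta) distributed, so no gamma sampler is needed.
  sample(key, rng = Math.random) {
    const a = this.arm(key);
    const alpha = a.successes + 1;
    const beta = a.failures + 1;
    const draws = Array.from({ length: alpha + beta - 1 }, () => rng()).sort((x, y) => x - y);
    return draws[alpha - 1];
  }

  // Below the threshold the arm is not trusted and the caller falls back to rules.
  decide(key, rng = Math.random) {
    const calibration = this.getCalibration(key);
    if (!calibration.trustArm) return { source: 'rules', ...calibration };
    return { source: 'arm', reliability: this.sample(key, rng), ...calibration };
  }
}
```

With six git successes and three execution-typed git failures, git:decision and git:execution end up with different posterior means (7/8 versus 7/11), which is the divergence the dual-signal post describes; a category with only two samples is reported as low and routed to rules. The rng parameter exists so the draw can be made deterministic in tests and audits.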
The funnel fix
Four touchpoints now put the checkout URL closer to the CLI workflow:
-
Post-install banner — prints after
npm install (stderr, CI-safe)
-
Free-tier rate limits — power features capped,
upgrade URL in error
-
MCP enforceLimit — agents surface the checkout URL
when limits hit
-
CLI upgrade nudge — after
init,
capture, stats
13 funnel invariant CI tests keep this blind spot from
regressing.
Install v0.8.5 on npm