diff --git a/.cursor-plugin/marketplace.json b/.cursor-plugin/marketplace.json index 49f6d8e..ca4d32f 100644 --- a/.cursor-plugin/marketplace.json +++ b/.cursor-plugin/marketplace.json @@ -72,6 +72,11 @@ "name": "pstack", "source": "pstack", "description": "if you want to go fast, go deep first. pstack helps you write less, but higher quality code. rigorous agent workflows you can parallelize with confidence." + }, + { + "name": "thumbgate", + "source": "thumbgate", + "description": "Capture thumbs feedback and enforce deterministic pre-action checks so Cursor agents stop repeating mistakes." } ] } diff --git a/README.md b/README.md index b3348e8..c2cb3ac 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,7 @@ Official Cursor plugins for popular developer tools, frameworks, and SaaS produc | `cursor-sdk` | [Cursor SDK](cursor-sdk/) | Cursor | Developer Tools | Build apps, scripts, CI pipelines, and automations on top of the Cursor TypeScript SDK (@cursor/sdk) β€” runtime selection, auth, streaming, MCP, error handling, and ready-to-extend integration patterns. | | `orchestrate` | [Orchestrate](orchestrate/) | Cursor | Developer Tools | Fan large tasks out across parallel Cursor cloud agents with planners, workers, verifiers, and structured handoffs. | | `pstack` | [pstack](pstack/) | Lauren Tan | Developer Tools | if you want to go fast, go deep first. pstack helps you write less, but higher quality code. rigorous agent workflows you can parallelize with confidence. | +| `thumbgate` | [ThumbGate](thumbgate/) | Igor Ganapolsky | Developer Tools | Capture thumbs feedback and enforce deterministic pre-action checks so Cursor agents stop repeating mistakes. | Author values match each plugin’s `plugin.json` `author.name` (Cursor lists `plugins@cursor.com` in the manifest). diff --git a/thumbgate/.cursor-plugin/plugin.json b/thumbgate/.cursor-plugin/plugin.json new file mode 100644 index 0000000..753dfec --- /dev/null +++ b/thumbgate/.cursor-plugin/plugin.json 
@@ -0,0 +1,38 @@ +{ + "name": "thumbgate", + "displayName": "ThumbGate", + "description": "πŸ‘πŸ‘Ž Thumbs down a mistake β€” your AI agent won't repeat it. Thumbs up good work β€” it remembers the pattern.", + "version": "1.26.8", + "author": { + "name": "Igor Ganapolsky" + }, + "homepage": "https://thumbgate.ai", + "repository": "https://github.com/IgorGanapolsky/ThumbGate", + "license": "MIT", + "keywords": [ + "cursor", + "cursor-plugin", + "feedback", + "thumbs-up-down", + "thumbgate", + "ai-agent-memory", + "mistake-prevention", + "coding-agent", + "pre-action-gates", + "mcp" + ], + "logo": "assets/logo-400x400.png", + "category": "developer-tools", + "tags": [ + "agent-governance", + "feedback", + "mcp", + "pre-action-checks" + ], + "commands": "./commands/", + "agents": "./agents/", + "skills": "./skills/", + "rules": "./rules/", + "hooks": "./hooks/hooks.json", + "mcpServers": "./mcp.json" +} diff --git a/thumbgate/CHANGELOG.md b/thumbgate/CHANGELOG.md new file mode 100644 index 0000000..1f77787 --- /dev/null +++ b/thumbgate/CHANGELOG.md 
@@ -0,0 +1,37 @@ +# Changelog + +## 1.23.1 - 2026-05-25 + +- Added `interface` block to plugin.json (displayName, capabilities, brandColor, privacy/TOS URLs) +- Added UTM-tagged homepage URL +- Added MCP keyword to plugin keywords +- Version aligned with ThumbGate core + +## 0.8.1 - 2026-03-26 + +- Unified ThumbGate branding across all public surfaces (README, AGENTS.md, CLAUDE.md, GEMINI.md, landing page, package.json). +- Landing page SEO: "human-in-the-loop enforcement", "vibe coding" positioning, FAQPage JSON-LD schema for Google rich results. +- Added congruence CI check (`scripts/check-congruence.js`) β€” enforces version, branding, tech stack terms, and honest disclaimer across README and landing page on every PR. +- Performance: deferred non-critical side-effects in `captureFeedback` (contextFs, RLAIF self-audit) via `setImmediate`. +- Added `_captureMs` timing field to accepted feedback responses for observability. +- Added `mcpize.yaml` to version sync targets. +- Dead code removal: -1,551 lines (contract-audit.js, prove-rlaif.js, stale landing-page.html, 3 duplicate docs). +- Fixed GitGuardian incident #29200799: scrubbed hardcoded Google API key from git history. +- Social automation pipeline: post-everywhere CLI, reply monitor with AutoMod-safe Reddit posts. +- TDS article draft: "Beyond Prompt Rules: How Pre-Action Gates Stop AI Coding Agents From Repeating Mistakes". + +## 0.8.0 - 2026-03-25 + +- **Lesson DB:** SQLite + FTS5 full-text search replaces linear Jaccard token-overlap. Sub-millisecond ranked search indexed by signal, domain, tags, importance. +- **Corrective actions:** On negative feedback, `capture_feedback` returns `correctiveActions[]` β€” top 3 remediation steps inferred from similar past failures. +- **search_lessons MCP tool:** Exposes corrective actions, lifecycle state, linked rules, linked gates, and next harness fixes per lesson. 
+- **search_thumbgate MCP tool:** Searches raw ThumbGate state across feedback logs, ContextFS memory, and prevention rules. +- **Rejection ledger:** Tracks why vague feedback was rejected with revival conditions. +- **Bayesian belief updates:** Each memory carries a posterior that updates on new evidence; high-entropy contradictions auto-prune. + +## 0.7.4 - 2026-03-20 + +- Added `session_handoff` and `session_primer` MCP tools for seamless cross-session context continuity. +- New `session` namespace in ContextFS stores primer.json with auto-captured git state (branch, last 5 commits, modified files, working tree status), last completed task, next step, and blockers. +- `session_handoff` records provenance events for full audit trail of session transitions. +- Closes Layer 2 (primer.md) of the 5-layer memory stack β€” no manual primer file needed. diff --git a/thumbgate/LICENSE b/thumbgate/LICENSE new file mode 100644 index 0000000..be4fda0 --- /dev/null +++ b/thumbgate/LICENSE 
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2026 Igor Ganapolsky + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/thumbgate/README.md b/thumbgate/README.md new file mode 100644 index 0000000..7ce7be4 --- /dev/null +++ b/thumbgate/README.md 
@@ -0,0 +1,123 @@ +# ThumbGate β€” for Cursor + +`ThumbGate` is the human-facing plugin name in Cursor listings. +`thumbgate` stays the plugin slug, npm package, and launcher target. + +The canonical short description is: + +> πŸ‘πŸ‘Ž Thumbs down a mistake β€” your AI agent won't repeat it. Thumbs up good work β€” it remembers the pattern. + +How it works: + +- πŸ‘Ž **Thumbs down** a mistake β€” it gets blocked from happening again +- πŸ‘ **Thumbs up** good work β€” the agent remembers the pattern +- **History-aware lesson distillation** β€” vague thumbs-down signals can be grounded in up to 8 prior recorded entries and the failed tool call +- **Cross-session memory** β€” lessons persist between conversations +- **Automatic enforcement** β€” repeated failures become prevention rules +- **Zero config** β€” install and start giving feedback + +## What's included + +### Rules + +| File | Always on | Description | +|------|-----------|-------------| +| `rules/pre-action-gates.mdc` | Yes | Before risky tool calls (git push, rm -rf, npm publish, deploy), check prevention rules via the thumbgate MCP server. Blocks and explains if a rule matches. | +| `rules/feedback-capture.mdc` | No | After any mistake or unexpected behavior, prompt to capture structured feedback with context and tags. | +| `rules/session-continuity.mdc` | No | At session start, recall past context; at session end, hand off state for next session. | + +### Skills + +| Skill | Description | +|-------|-------------| +| `recall-context` | Recall relevant past failures, prevention rules, and context packs before starting a coding task. | +| `capture-feedback` | Capture structured thumbs up/down feedback with context, tags, and optional rubric scores. | +| `search-lessons` | Search promoted lessons for corrective actions, lifecycle state, linked rules, and linked gates. | +| `prevention-rules` | Generate and review prevention rules auto-promoted from repeated failure patterns. 
| + +### Agent + +| Agent | Description | +|-------|-------------| +| `reliability-reviewer` | A reliability-focused reviewer that checks code changes against known failure patterns from the project's ThumbGate memory. | + +### Commands + +| Command | Description | +|---------|-------------| +| `/check-gates` | Run a Pre-Action Gate check against prevention rules before executing a risky action. | +| `/show-lessons` | Display promoted lessons and their corrective actions. | +| `/capture-feedback` | Quick feedback capture with structured signals. | + +### Hooks + +| Hook | Trigger | Description | +|------|---------|-------------| +| `beforeShellExecution` | `git push`, `rm -rf`, `npm publish`, `deploy` | Runs `scripts/gate-check.sh` to evaluate the command through ThumbGate `gate-check` before execution. | + +### MCP Server + +| Server | Command | +|--------|---------| +| `thumbgate` | `npx --yes --package thumbgate@latest thumbgate serve` | + +## Install + +Install from Cursor with: + +```text +/add-plugin thumbgate +``` + +You can also open Cursor's plugin marketplace, search for `ThumbGate`, and add the plugin from there. + +For private team rollouts before broad adoption, Cursor Teams and Enterprise admins can import a repository-backed plugin through `Dashboard -> Settings -> Plugins -> Team Marketplaces`. + +### Manual setup + +Use the existing project bootstrap: + +```bash +npx thumbgate init --agent cursor +``` + +Or copy the plugin MCP config into `.cursor/mcp.json`: + +```json +{ + "mcpServers": { + "thumbgate": { + "command": "npx", + "args": ["--yes", "--package", "thumbgate@latest", "thumbgate", "serve"] + } + } +} +``` + +Full setup guide: https://thumbgate-production.up.railway.app/guide + +## Update behavior + +- Runtime updates: the plugin asks npm for `thumbgate@latest`, so new npm releases can flow into the Cursor runtime without editing the plugin config. 
+- Metadata updates: `npm publish` does not refresh the marketplace description, screenshots, README, or directory listing copy. Republish the plugin bundle when those assets change. +- Guaranteed rollouts: if you need deterministic behavior for a specific release, pin a version manually in local config instead of relying on `@latest`. + +## Feedback + +Use the `/capture-feedback` command or the `capture_feedback` MCP tool to send structured feedback directly to the ThumbGate memory system. Feedback drives prevention rule generation β€” repeated failure patterns are auto-promoted into enforceable gates. + +When the user only gives a quick `thumbs_down`, `wrong`, or `correct`, the Cursor plugin should include up to 8 prior recorded entries and the failed tool call in `chatHistory` so ThumbGate can propose the lesson automatically. If the explanation comes later, reuse the earlier event with `relatedFeedbackId` so the linked 60-second follow-up session refines the same feedback record instead of creating an isolated duplicate. + +## What makes this useful in Cursor + +ThumbGate gives Cursor agents a practical guardrail layer: + +- **Pre-Action Gates** block known-bad actions before tool use +- **Prevention rules** auto-generated from repeated failures +- **Context packs** keep relevant project history in scope +- **Feedback capture** with structured up/down signals and history-aware lesson proposals +- **Reliability reviewer** checks changes against known failure patterns + +Verification evidence for shipped behavior lives in `docs/VERIFICATION_EVIDENCE.md`. +Release and promotion rules live in `docs/CURSOR_PLUGIN_OPERATIONS.md`. +Proof-backed setup path: https://thumbgate-production.up.railway.app/guide diff --git a/thumbgate/agents/reliability-reviewer.md b/thumbgate/agents/reliability-reviewer.md new file mode 100644 index 0000000..33d0576 --- /dev/null +++ b/thumbgate/agents/reliability-reviewer.md 
@@ -0,0 +1,31 @@ +--- +name: reliability-reviewer +description: A reliability-focused reviewer agent that checks code changes against known failure patterns from the project's ThumbGate memory. Prioritizes preventing repeated mistakes. +--- + +# Reliability Reviewer + +You are a reliability-focused code reviewer. Your job is to check proposed code changes against the project's known failure patterns stored in ThumbGate memory. + +## Review process + +1. **Recall context** β€” Use the `recall` MCP tool to retrieve relevant prevention rules and past failures for the files being changed. +2. **Search lessons** β€” Use the `search_lessons` MCP tool to find promoted lessons related to the components being modified. +3. **Cross-reference changes** β€” Compare the proposed changes against known failure patterns. Flag any changes that match or resemble past failures. +4. **Check gates** β€” Use the `prevention_rules` MCP tool to verify no active prevention rules are violated by the changes. +5. **Report findings** β€” Summarize which past failures are relevant, what risks exist, and what corrective actions should be applied. + +## Review priorities + +1. **Repeated mistakes** β€” Changes that match previously captured failure patterns are highest priority. +2. **Missing gate checks** β€” Risky operations without corresponding pre-action gate checks. +3. **Untested paths** β€” Changes to code paths that previously caused failures without new test coverage. +4. **Feedback gaps** β€” Changes in areas with no captured feedback history (unknown risk). + +## Output format + +For each finding, include: +- The matched failure pattern or prevention rule +- The specific code change that triggered the match +- The recommended corrective action +- Severity: critical (matches active prevention rule), warning (matches past failure), or info (no history) diff --git a/thumbgate/agents/sdk-run-governor.md b/thumbgate/agents/sdk-run-governor.md new file mode 100644 index 0000000..2508b09 
--- /dev/null +++ b/thumbgate/agents/sdk-run-governor.md @@ -0,0 +1,35 @@ +--- +name: sdk-run-governor +description: Reviews Cursor SDK agent launch plans, cloud VM runs, subagent scopes, and auto-PR settings against ThumbGate gates. +--- + +# SDK Run Governor + +You review planned or completed Cursor SDK agent runs before their output is trusted. + +## Review process + +1. Identify the runtime: local, cloud VM, or self-hosted worker. +2. Identify write scope: repo, branch, files, commands, and whether `autoCreatePR` is enabled. +3. Use `search_lessons` and `prevention_rules` to retrieve relevant ThumbGate lessons and gates. +4. Check subagents for narrow ownership and non-overlapping responsibilities. +5. Require evidence: tests, screenshots, logs, PR URL, or run transcript. +6. Recommend capture feedback for any repeated miss, scope violation, skipped proof, or noisy PR. + +## Findings to flag + +- Agent can push, publish, deploy, or create PRs without a prior gate check +- Cloud run started from an ambiguous ref or reused a dirty workspace +- Subagent prompt owns too much of the codebase +- Verification is only a summary with no linked artifact +- Known failure pattern appears in the requested command, diff, or PR body + +## Output format + +Return: + +- Verdict: allow, require changes, or block +- Relevant lessons and gates +- Runtime and scope risks +- Required verification evidence +- Feedback that should be captured diff --git a/thumbgate/assets/logo-400x400.png b/thumbgate/assets/logo-400x400.png new file mode 100644 index 0000000..d89b6f4 Binary files /dev/null and b/thumbgate/assets/logo-400x400.png differ diff --git a/thumbgate/commands/capture-feedback.md b/thumbgate/commands/capture-feedback.md new file mode 100644 index 0000000..6d3fb78 --- /dev/null +++ b/thumbgate/commands/capture-feedback.md 
@@ -0,0 +1,33 @@ +--- +name: capture-feedback +description: Quick feedback capture with structured signals. +--- + +# Capture Feedback + +Quickly capture structured feedback about the current task or action. + +## Usage + +Invoke this command to record a feedback signal with context and tags. If the user only gives a quick `thumbs_down`, `wrong`, or `correct`, the command should still call `capture_feedback` and pass recent context through `chatHistory`. + +## Steps + +1. Specify signal: `thumbs_up` or `thumbs_down`. +2. If the user already gave a clear explanation, pass it as `context`. +3. If the explanation is vague or omitted, gather up to 8 prior recorded entries plus the failed tool call into `chatHistory`. +4. Add tags for categorization. +5. If this is a later clarification for an existing feedback event, include `relatedFeedbackId`. +6. Call the `capture_feedback` MCP tool and show the proposed lesson or corrective rule back to the user. + +## Example + +``` +/capture-feedback thumbs_down "Tests broke after migration" database,migration +``` + +``` +/capture-feedback thumbs_down +``` + +In the second example, the command should rely on history-aware distillation instead of refusing the signal outright. If the user adds more detail later, reuse `relatedFeedbackId` so the linked 60-second follow-up session updates the same record. diff --git a/thumbgate/commands/check-gates.md b/thumbgate/commands/check-gates.md new file mode 100644 index 0000000..2fe5f43 --- /dev/null +++ b/thumbgate/commands/check-gates.md 
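Review bot: Step 3 tells the agent to copy up to 8 prior entries plus the failed tool call into `chatHistory`, but nothing says to strip secrets first, and failed commands and their output are a common place for tokens, connection strings and environment values to appear. That text is presumably kept in ThumbGate's cross-session memory and can resurface in later recalls; where the store lives and whether it leaves the machine is not visible in this change. Add a step before the `capture_feedback` call, for example `Remove credentials, tokens and file contents from chatHistory; pass only what is needed to explain the failure.` The same instruction is repeated in `rules/feedback-capture.mdc` and `skills/capture-feedback/SKILL.md` and needs the same step there.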
@@ -0,0 +1,25 @@ +--- +name: check-gates +description: Run a Pre-Action Gate check against prevention rules before executing a risky action. +--- + +# Check Gates + +Run a pre-action gate check to verify if a planned action is safe to execute. + +## Usage + +Invoke this command before performing risky operations like deployments, force pushes, or destructive file operations. + +## Steps + +1. Describe the action you are about to take. +2. The command queries the `prevention_rules` MCP tool to check for matching rules. +3. If a match is found, the blocked action and corrective action are displayed. +4. If no match is found, the action is cleared to proceed. + +## Example + +``` +/check-gates git push --force origin main +``` diff --git a/thumbgate/commands/show-lessons.md b/thumbgate/commands/show-lessons.md new file mode 100644 index 0000000..efaf271 --- /dev/null +++ b/thumbgate/commands/show-lessons.md @@ -0,0 +1,27 @@ +--- +name: show-lessons +description: Display promoted lessons and their corrective actions. +--- + +# Show Lessons + +Display promoted lessons from the project's ThumbGate memory along with their corrective actions and linked prevention rules. + +## Usage + +Invoke this command to review what the system has learned from past failures. + +## Steps + +1. The command calls the `search_lessons` MCP tool to retrieve all active promoted lessons. +2. Results are displayed with: + - Lesson description + - Corrective action + - Linked prevention rules (if any) + - Lifecycle state (active, archived, superseded) + +## Example + +``` +/show-lessons +``` diff --git a/thumbgate/hooks/hooks.json b/thumbgate/hooks/hooks.json new file mode 100644 index 0000000..f2f2782 --- /dev/null +++ b/thumbgate/hooks/hooks.json 
@@ -0,0 +1,14 @@
+{
+ "hooks": {
+ "beforeShellExecution": [
+ {
+ "command": "./scripts/gate-check.sh",
+ "matcher": "git push|rm -rf|npm publish|deploy"
+ },
+ {
+ "command": "./scripts/gate-check.sh",
+ "matcher": "@cursor/sdk|cursor-agent|autoCreatePR|create pull request|open PR"
+ }
+ ]
+ }
+}
diff --git a/thumbgate/mcp.json b/thumbgate/mcp.json
new file mode 100644
index 0000000..79be29f
--- /dev/null
+++ b/thumbgate/mcp.json
@@ -0,0 +1,14 @@
+{
+ "mcpServers": {
+ "thumbgate": {
+ "command": "npx",
+ "args": [
+ "--yes",
+ "--package",
+ "thumbgate@latest",
+ "thumbgate",
+ "serve"
+ ]
+ }
+ }
+}
diff --git a/thumbgate/rules/feedback-capture.mdc b/thumbgate/rules/feedback-capture.mdc
new file mode 100644
index 0000000..00e3351
--- /dev/null
+++ b/thumbgate/rules/feedback-capture.mdc
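Review bot: The first `matcher`, `git push|rm -rf|npm publish|deploy`, only fires on those literal spellings, so the same operations written with reordered flags, extra whitespace or a different package manager never reach `gate-check.sh`. The always-on rule in `rules/pre-action-gates.mdc` also lists database migrations and secret or credential changes, and neither matcher covers them, so for those the only control is the model following the rule text. Assuming `matcher` is treated as a regular expression, as the `|` alternation suggests, a wider first pattern such as `"matcher": "git\\s+push|rm\\s+-\\w*[rRf]|(npm|pnpm|yarn)\\s+publish|deploy|migrate"` would close the obvious gaps. The README should also describe the hook as a best-effort check rather than an enforcement boundary.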
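Review bot: `thumbgate@latest` combined with `--yes` means every server start downloads and runs whatever is currently published on npm, without a prompt and with no tie to the `1.26.8` declared in `plugin.json`. The same unpinned invocation appears in `scripts/gate-check.sh`, which runs inside the shell hook, and in the README's manual config. A bad or compromised release would therefore execute on every machine with the plugin installed, in the same context as the commands the hook is meant to guard. If the plugin version tracks the npm package, as the changelog line "Version aligned with ThumbGate core" suggests, pin it in `args` as `"thumbgate@1.26.8"` and bump it with each reviewed plugin release.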
@@ -0,0 +1,34 @@ +--- +description: After any mistake or unexpected behavior, prompt to capture structured feedback with context, history-aware lesson distillation, and tags. +alwaysApply: false +--- + +# Feedback Capture + +After any mistake, unexpected behavior, or completed task, prompt to capture structured feedback. + +## When to trigger + +- A tool call produces an unexpected error +- A test fails after code changes +- The user corrects an approach mid-task +- A task completes successfully (capture positive signal) + +## How to capture + +1. Call the `capture_feedback` MCP tool with: + - `signal`: "thumbs_up" or "thumbs_down" + - `context`: Brief description of what happened when the explanation is already explicit + - `tags`: Relevant tags (e.g., "test-failure", "wrong-approach", "deployment-error") + - `chatHistory`: up to 8 prior recorded entries plus the failed tool call when the thumbs-down signal is vague and the lesson should be inferred from recent conversation + - `relatedFeedbackId`: use for a later clarification that should refine an existing feedback event + - `rubric_scores`: Optional structured scores if a rubric applies + +2. Include enough context so the feedback is useful for future prevention rule generation. +3. If the user only gives a bare thumbs signal or short correction, still capture it and let ThumbGate propose `whatWentWrong` / `whatToChange` from recent history. If the explanation arrives later, reuse `relatedFeedbackId` so the linked 60-second follow-up session refines the same record. 
+ +## Examples + +- Test failure after refactor: signal=thumbs_down, tags=["test-failure", "refactor"], context="Tests broke after extracting helper function β€” missed internal dependency" +- Successful deployment: signal=thumbs_up, tags=["deployment", "success"], context="Clean deploy after running gate checks" +- Vague correction after failed tool use: signal=thumbs_down, chatHistory=[up to 8 prior recorded entries + failed tool call], tags=["wrong-approach", "tool-failure"] diff --git a/thumbgate/rules/pre-action-gates.mdc b/thumbgate/rules/pre-action-gates.mdc new file mode 100644 index 0000000..abda822 --- /dev/null +++ b/thumbgate/rules/pre-action-gates.mdc @@ -0,0 +1,30 @@ +--- +description: Before risky tool calls (git push, rm -rf, npm publish, deploy), check prevention rules via the thumbgate MCP server. If a rule matches, STOP and explain why. +alwaysApply: true +--- + +# Pre-Action Gates + +Before executing any of these risky actions, query the `prevention_rules` MCP tool to check for matching prevention rules: + +- `git push` (especially force push) +- `rm -rf` or recursive file deletion +- `npm publish` +- `deploy` commands (any deployment target) +- Database migration commands +- Secret or credential changes + +## Enforcement flow + +1. Extract the command or action about to be executed. +2. Call `prevention_rules` with the action description to check for matching rules. +3. If a rule matches: + - **STOP** the action immediately. + - Display the matched rule's description and corrective action. + - Ask the user to confirm before proceeding. +4. If no rules match, proceed normally. + +## After a blocked action + +- Suggest the corrective action from the matched prevention rule. +- Offer to capture feedback if the block was incorrect (false positive). diff --git a/thumbgate/rules/session-continuity.mdc b/thumbgate/rules/session-continuity.mdc new file mode 100644 index 0000000..05dd147 --- /dev/null +++ b/thumbgate/rules/session-continuity.mdc 
@@ -0,0 +1,28 @@
+---
+description: At session start, recall past context. At session end, hand off state for next session.
+alwaysApply: false
+---
+
+# Session Continuity
+
+Maintain context across coding sessions using the ThumbGate memory system.
+
+## Session start
+
+1. Call the `recall` MCP tool to retrieve:
+ - Recent prevention rules relevant to the current project
+ - Past failure patterns and corrective actions
+ - Active context packs from previous sessions
+2. Summarize recalled context before starting work.
+
+## Session end
+
+1. Capture any new feedback from the session using `capture_feedback`.
+2. Note any unfinished work or pending decisions as context for the next session.
+3. If new failure patterns emerged, flag them for potential prevention rule promotion.
+
+## Between sessions
+
+- Prevention rules persist automatically via the MCP server.
+- Lessons promoted during the session are available in future recalls.
+- Context packs expire based on configured retention policies.
diff --git a/thumbgate/scripts/gate-check.sh b/thumbgate/scripts/gate-check.sh
new file mode 100755
index 0000000..69a40f4
--- /dev/null
+++ b/thumbgate/scripts/gate-check.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+# Pre-action gate check β€” runs before risky shell commands.
+# Called by hooks/hooks.json beforeShellExecution hook.
+# Delegates to the published ThumbGate gate-check entrypoint.
+
+set -euo pipefail
+
+INPUT=$(cat)
+RESULT=$(echo "$INPUT" | npx --yes --package thumbgate@latest thumbgate gate-check 2>/dev/null) || true
+
+if [ -z "$RESULT" ]; then
+ exit 0
+fi
+
+echo "$RESULT"
+
+if echo "$RESULT" | grep -q '"permissionDecision":\s*"deny"'; then
+ exit 2
+fi
+
+exit 0
diff --git a/thumbgate/skills/capture-feedback/SKILL.md b/thumbgate/skills/capture-feedback/SKILL.md
new file mode 100644
index 0000000..b141c65
--- /dev/null
+++ b/thumbgate/skills/capture-feedback/SKILL.md
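Review bot: The gate fails open: `2>/dev/null) || true` discards any failure of the `npx` call, and the following `if [ -z "$RESULT" ]` exits 0, so a network error, a missing package or a crash in `gate-check` lets the guarded command run with no trace. For a hook described as blocking risky commands, a gate that cannot run should deny, or at least report the failure on stderr, rather than allow. The deny test is also a `grep` over raw JSON using `\s`, which is a GNU extension rather than POSIX and depends on the exact serialisation of the output. The sketch below assumes `gate-check` exits 0 whenever it produced a decision, which needs confirming against the CLI, and it reuses the script's existing exit code 2 as the block signal.

```shell
INPUT=$(cat)
# Fail closed: a gate that cannot run must not silently allow the command.
if ! RESULT=$(printf '%s' "$INPUT" | npx --yes --package thumbgate@latest thumbgate gate-check); then
  echo "thumbgate gate-check could not run; blocking command" >&2
  exit 2
fi
# … unchanged: empty-result exit, echo "$RESULT" …
if printf '%s' "$RESULT" | grep -Eq '"permissionDecision":[[:space:]]*"deny"'; then
  exit 2
fi
```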
@@ -0,0 +1,48 @@ +--- +name: capture-feedback +description: Capture structured thumbs up/down feedback with context, history-aware lesson distillation, tags, and optional rubric scores after completing a task. +--- + +# Capture Feedback + +Record structured feedback after completing a task or encountering an issue. + +## When to use + +- After completing a coding task (positive or negative outcome) +- When a tool call produces unexpected results +- After a test failure or deployment issue +- When the user explicitly wants to record feedback + +## How it works + +Use the `capture_feedback` MCP tool with: + +- **signal** β€” `"thumbs_up"` or `"thumbs_down"` +- **context** β€” Description of what happened and why when the user already said it clearly +- **tags** β€” Array of relevant tags for categorization (e.g., `["test-failure", "refactor"]`) +- **chatHistory** β€” Up to 8 prior recorded entries plus the failed tool call when the thumbs-down signal is vague and the lesson must be distilled from recent context +- **relatedFeedbackId** β€” Use when the user adds clarifying detail later and it should refine the existing feedback event +- **rubric_scores** β€” Optional object with structured quality scores + +## Example + +``` +Capture feedback: thumbs_down for the failed database migration. +Context: Migration script dropped the wrong index, causing query timeouts. +Tags: database, migration, production-incident +``` + +## Vague signal recovery + +If the user only says `thumbs_down`, `wrong`, `correct`, or `this failed`, do not stop there. Call `capture_feedback` with: + +- the signal +- any minimal context the user already gave +- `chatHistory` containing up to 8 prior recorded entries from the current correction thread +- the failed tool call or command when available +- `relatedFeedbackId` if the user is clarifying an already-open 60-second follow-up session + +That lets ThumbGate propose `whatWentWrong`, `whatToChange`, and a candidate rule automatically. 
+ +Feedback feeds into the prevention rule promotion pipeline. Repeated failures with the same pattern are automatically promoted into enforceable prevention rules. diff --git a/thumbgate/skills/prevention-rules/SKILL.md b/thumbgate/skills/prevention-rules/SKILL.md new file mode 100644 index 0000000..399969b --- /dev/null +++ b/thumbgate/skills/prevention-rules/SKILL.md @@ -0,0 +1,31 @@ +--- +name: prevention-rules +description: Generate and review prevention rules auto-promoted from repeated failure patterns. +--- + +# Prevention Rules + +Manage prevention rules that are auto-generated from repeated failure patterns. + +## When to use + +- Reviewing current active prevention rules for the project +- Checking if a specific action is blocked by a prevention rule +- Understanding why an action was blocked +- Generating new prevention rules from observed patterns + +## How it works + +Use the `prevention_rules` MCP tool to: + +1. **List rules** β€” View all active prevention rules with their match patterns and corrective actions. +2. **Check rules** β€” Test if a specific action matches any prevention rule before execution. +3. **Review rule history** β€” See which feedback events led to a rule's promotion. + +## Example + +``` +Check prevention rules for "npm publish without running tests" to see if this action is blocked. +``` + +Prevention rules are auto-promoted when the same failure pattern appears multiple times in captured feedback. Each rule includes the original failure context and a corrective action. diff --git a/thumbgate/skills/programmatic-agent-runs/SKILL.md b/thumbgate/skills/programmatic-agent-runs/SKILL.md new file mode 100644 index 0000000..7822cc5 --- /dev/null +++ b/thumbgate/skills/programmatic-agent-runs/SKILL.md 
@@ -0,0 +1,42 @@ +--- +name: programmatic-agent-runs +description: Govern Cursor SDK local, cloud, self-hosted, and subagent coding runs before they create branches or PRs. +--- + +# Programmatic Agent Runs + +Use this skill before launching a coding agent through the Cursor SDK, Cursor cloud agents, self-hosted workers, or subagents. + +## When to use + +- A task starts from code, CI, a backend service, a kanban automation, or any unattended workflow +- The run can edit files, push a branch, create a PR, publish a package, deploy, or call shell tools +- The run delegates work to subagents with different prompts, models, or scopes + +## Launch checklist + +1. Recall lessons with `search_lessons` for the repo, branch, files, and intended action. +2. Check active gates with `prevention_rules` before enabling writes or `autoCreatePR`. +3. Use the narrowest runtime: local for developer-in-the-loop work, cloud for isolated async work, self-hosted for private network/data requirements. +4. Give each subagent a bounded file or responsibility scope. +5. Persist run metadata: runtime, repo URL, starting ref, run id, agent id, branch, PR URL, and linked ThumbGate evidence. +6. Require verification output before merge, publish, deploy, or customer-facing claims. + +## Cursor SDK guardrails + +- Attach ThumbGate MCP through the run environment so the agent can retrieve lessons and gates. +- Prefer a clean starting ref and a disposable branch for cloud VM runs. +- Do not set `autoCreatePR` for destructive, billing, release, or production tasks unless the gate check is clean. +- If a cloud run finishes while the developer is offline, inspect the run transcript and PR diff before treating the result as accepted. +- Capture `thumbs_down` feedback when a run violates scope, skips proof, repeats a known mistake, or opens a noisy PR. 
+ +## Output + +For each governed run, report: + +- Runtime: local, cloud, or self-hosted +- Scope: files, modules, or workflow the agent may touch +- Gates checked and result +- Verification evidence +- Branch or PR URL +- Any feedback captured for future prevention diff --git a/thumbgate/skills/recall-context/SKILL.md b/thumbgate/skills/recall-context/SKILL.md new file mode 100644 index 0000000..23ba456 --- /dev/null +++ b/thumbgate/skills/recall-context/SKILL.md @@ -0,0 +1,30 @@ +--- +name: recall-context +description: Recall relevant past failures, prevention rules, and context packs before starting a coding task. +--- + +# Recall Context + +Retrieve relevant historical context before beginning work on a coding task. + +## When to use + +- Starting a new coding task or feature +- Before making changes to code that has failed before +- Resuming work from a previous session + +## How it works + +Use the `recall` MCP tool to retrieve: + +1. **Prevention rules** β€” Rules auto-promoted from repeated failure patterns that apply to the current task. +2. **Past failures** β€” Specific failure events with context, tags, and corrective actions. +3. **Context packs** β€” Bundled project context from previous sessions. + +## Example + +``` +Use the recall MCP tool to check for known issues with the authentication module before refactoring. +``` + +The tool returns structured context that helps avoid repeating past mistakes and surfaces corrective actions from promoted lessons. diff --git a/thumbgate/skills/search-lessons/SKILL.md b/thumbgate/skills/search-lessons/SKILL.md new file mode 100644 index 0000000..8fa30eb --- /dev/null +++ b/thumbgate/skills/search-lessons/SKILL.md 
@@ -0,0 +1,33 @@ +--- +name: search-lessons +description: Search promoted lessons for corrective actions, lifecycle state, linked rules, and linked gates. +--- + +# Search Lessons + +Search the promoted lessons database for corrective actions and guidance. + +## When to use + +- Looking for corrective actions for a specific failure pattern +- Checking if a known lesson applies to the current task +- Reviewing lifecycle state of lessons (active, archived, superseded) +- Finding linked prevention rules and gates for a topic + +## How it works + +Use the `search_lessons` MCP tool with a query string. The tool searches across: + +1. **Lesson descriptions** β€” What happened and why +2. **Corrective actions** β€” Specific steps to prevent recurrence +3. **Linked rules** β€” Prevention rules generated from the lesson +4. **Linked gates** β€” Pre-action gates that enforce the lesson +5. **Lifecycle state** β€” Whether the lesson is active, archived, or superseded + +## Example + +``` +Search lessons for "force push" to find corrective actions and prevention rules related to force pushing. +``` + +Results include the full lesson context, any linked enforcement rules, and the current lifecycle state.