Add ThumbGate plugin

.cursor-plugin/marketplace.json

@@ -72,6 +72,11 @@
       "name": "pstack",
       "source": "pstack",
       "description": "if you want to go fast, go deep first. pstack helps you write less, but higher quality code. rigorous agent workflows you can parallelize with confidence."
+    },
+    {
+      "name": "thumbgate",
+      "source": "thumbgate",
+      "description": "Capture thumbs feedback and enforce deterministic pre-action checks so Cursor agents stop repeating mistakes."
     }
   ]
 }

README.md

@@ -17,6 +17,7 @@ Official Cursor plugins for popular developer tools, frameworks, and SaaS produc
 | `cursor-sdk` | [Cursor SDK](cursor-sdk/) | Cursor | Developer Tools | Build apps, scripts, CI pipelines, and automations on top of the Cursor TypeScript SDK (@cursor/sdk) — runtime selection, auth, streaming, MCP, error handling, and ready-to-extend integration patterns. |
 | `orchestrate` | [Orchestrate](orchestrate/) | Cursor | Developer Tools | Fan large tasks out across parallel Cursor cloud agents with planners, workers, verifiers, and structured handoffs. |
 | `pstack` | [pstack](pstack/) | Lauren Tan | Developer Tools | if you want to go fast, go deep first. pstack helps you write less, but higher quality code. rigorous agent workflows you can parallelize with confidence. |
+| `thumbgate` | [ThumbGate](thumbgate/) | Igor Ganapolsky | Developer Tools | Capture thumbs feedback and enforce deterministic pre-action checks so Cursor agents stop repeating mistakes. |
 
 Author values match each plugin’s `plugin.json` `author.name` (Cursor lists `plugins@cursor.com` in the manifest).
 

thumbgate/.cursor-plugin/plugin.json

@@ -0,0 +1,38 @@
+{
+  "name": "thumbgate",
+  "displayName": "ThumbGate",
+  "description": "👍👎 Thumbs down a mistake — your AI agent won't repeat it. Thumbs up good work — it remembers the pattern.",
+  "version": "1.26.8",
+  "author": {
+    "name": "Igor Ganapolsky"
+  },
+  "homepage": "https://thumbgate.ai",
+  "repository": "https://github.com/IgorGanapolsky/ThumbGate",
+  "license": "MIT",
+  "keywords": [
+    "cursor",
+    "cursor-plugin",
+    "feedback",
+    "thumbs-up-down",
+    "thumbgate",
+    "ai-agent-memory",
+    "mistake-prevention",
+    "coding-agent",
+    "pre-action-gates",
+    "mcp"
+  ],
+  "logo": "assets/logo-400x400.png",
+  "category": "developer-tools",
+  "tags": [
+    "agent-governance",
+    "feedback",
+    "mcp",
+    "pre-action-checks"
+  ],
+  "commands": "./commands/",
+  "agents": "./agents/",
+  "skills": "./skills/",
+  "rules": "./rules/",
+  "hooks": "./hooks/hooks.json",
+  "mcpServers": "./mcp.json"
+}

thumbgate/CHANGELOG.md

@@ -0,0 +1,37 @@
+# Changelog
+
+## 1.23.1 - 2026-05-25
+
+- Added `interface` block to plugin.json (displayName, capabilities, brandColor, privacy/TOS URLs)
+- Added UTM-tagged homepage URL
+- Added MCP keyword to plugin keywords
+- Version aligned with ThumbGate core
+
+## 0.8.1 - 2026-03-26
+
+- Unified ThumbGate branding across all public surfaces (README, AGENTS.md, CLAUDE.md, GEMINI.md, landing page, package.json).
+- Landing page SEO: "human-in-the-loop enforcement", "vibe coding" positioning, FAQPage JSON-LD schema for Google rich results.
+- Added congruence CI check (`scripts/check-congruence.js`) — enforces version, branding, tech stack terms, and honest disclaimer across README and landing page on every PR.
+- Performance: deferred non-critical side-effects in `captureFeedback` (contextFs, RLAIF self-audit) via `setImmediate`.
+- Added `_captureMs` timing field to accepted feedback responses for observability.
+- Added `mcpize.yaml` to version sync targets.
+- Dead code removal: -1,551 lines (contract-audit.js, prove-rlaif.js, stale landing-page.html, 3 duplicate docs).
+- Fixed GitGuardian incident #29200799: scrubbed hardcoded Google API key from git history.
+- Social automation pipeline: post-everywhere CLI, reply monitor with AutoMod-safe Reddit posts.
+- TDS article draft: "Beyond Prompt Rules: How Pre-Action Gates Stop AI Coding Agents From Repeating Mistakes".
+
+## 0.8.0 - 2026-03-25
+
+- **Lesson DB:** SQLite + FTS5 full-text search replaces linear Jaccard token-overlap. Sub-millisecond ranked search indexed by signal, domain, tags, importance.
+- **Corrective actions:** On negative feedback, `capture_feedback` returns `correctiveActions[]` — top 3 remediation steps inferred from similar past failures.
+- **search_lessons MCP tool:** Exposes corrective actions, lifecycle state, linked rules, linked gates, and next harness fixes per lesson.
+- **search_thumbgate MCP tool:** Searches raw ThumbGate state across feedback logs, ContextFS memory, and prevention rules.
+- **Rejection ledger:** Tracks why vague feedback was rejected with revival conditions.
+- **Bayesian belief updates:** Each memory carries a posterior that updates on new evidence; high-entropy contradictions auto-prune.
+
+## 0.7.4 - 2026-03-20
+
+- Added `session_handoff` and `session_primer` MCP tools for seamless cross-session context continuity.
+- New `session` namespace in ContextFS stores primer.json with auto-captured git state (branch, last 5 commits, modified files, working tree status), last completed task, next step, and blockers.
+- `session_handoff` records provenance events for full audit trail of session transitions.
+- Closes Layer 2 (primer.md) of the 5-layer memory stack — no manual primer file needed.

thumbgate/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Igor Ganapolsky
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

thumbgate/README.md

@@ -0,0 +1,123 @@
+# ThumbGate — for Cursor
+
+`ThumbGate` is the human-facing plugin name in Cursor listings.
+`thumbgate` stays the plugin slug, npm package, and launcher target.
+
+The canonical short description is:
+
+> 👍👎 Thumbs down a mistake — your AI agent won't repeat it. Thumbs up good work — it remembers the pattern.
+
+How it works:
+
+- 👎 **Thumbs down** a mistake — it gets blocked from happening again
+- 👍 **Thumbs up** good work — the agent remembers the pattern
+- **History-aware lesson distillation** — vague thumbs-down signals can be grounded in up to 8 prior recorded entries and the failed tool call
+- **Cross-session memory** — lessons persist between conversations
+- **Automatic enforcement** — repeated failures become prevention rules
+- **Zero config** — install and start giving feedback
+
+## What's included
+
+### Rules
+
+| File | Always on | Description |
+|------|-----------|-------------|
+| `rules/pre-action-gates.mdc` | Yes | Before risky tool calls (git push, rm -rf, npm publish, deploy), check prevention rules via the thumbgate MCP server. Blocks and explains if a rule matches. |
+| `rules/feedback-capture.mdc` | No | After any mistake or unexpected behavior, prompt to capture structured feedback with context and tags. |
+| `rules/session-continuity.mdc` | No | At session start, recall past context; at session end, hand off state for next session. |
+
+### Skills
+
+| Skill | Description |
+|-------|-------------|
+| `recall-context` | Recall relevant past failures, prevention rules, and context packs before starting a coding task. |
+| `capture-feedback` | Capture structured thumbs up/down feedback with context, tags, and optional rubric scores. |
+| `search-lessons` | Search promoted lessons for corrective actions, lifecycle state, linked rules, and linked gates. |
+| `prevention-rules` | Generate and review prevention rules auto-promoted from repeated failure patterns. |
+
+### Agent
+
+| Agent | Description |
+|-------|-------------|
+| `reliability-reviewer` | A reliability-focused reviewer that checks code changes against known failure patterns from the project's ThumbGate memory. |
+
+### Commands
+
+| Command | Description |
+|---------|-------------|
+| `/check-gates` | Run a Pre-Action Gate check against prevention rules before executing a risky action. |
+| `/show-lessons` | Display promoted lessons and their corrective actions. |
+| `/capture-feedback` | Quick feedback capture with structured signals. |
+
+### Hooks
+
+| Hook | Trigger | Description |
+|------|---------|-------------|
+| `beforeShellExecution` | `git push`, `rm -rf`, `npm publish`, `deploy` | Runs `scripts/gate-check.sh` to evaluate the command through ThumbGate `gate-check` before execution. |
+
+### MCP Server
+
+| Server | Command |
+|--------|---------|
+| `thumbgate` | `npx --yes --package thumbgate@latest thumbgate serve` |
+
+## Install
+
+Install from Cursor with:
+
+```text
+/add-plugin thumbgate
+```
+
+You can also open Cursor's plugin marketplace, search for `ThumbGate`, and add the plugin from there.
+
+For private team rollouts before broad adoption, Cursor Teams and Enterprise admins can import a repository-backed plugin through `Dashboard -> Settings -> Plugins -> Team Marketplaces`.
+
+### Manual setup
+
+Use the existing project bootstrap:
+
+```bash
+npx thumbgate init --agent cursor
+```
+
+Or copy the plugin MCP config into `.cursor/mcp.json`:
+
+```json
+{
+  "mcpServers": {
+    "thumbgate": {
+      "command": "npx",
+      "args": ["--yes", "--package", "thumbgate@latest", "thumbgate", "serve"]
+    }
+  }
+}
+```
+
+Full setup guide: https://thumbgate-production.up.railway.app/guide
+
+## Update behavior
+
+- Runtime updates: the plugin asks npm for `thumbgate@latest`, so new npm releases can flow into the Cursor runtime without editing the plugin config.
+- Metadata updates: `npm publish` does not refresh the marketplace description, screenshots, README, or directory listing copy. Republish the plugin bundle when those assets change.
+- Guaranteed rollouts: if you need deterministic behavior for a specific release, pin a version manually in local config instead of relying on `@latest`.
+
+## Feedback
+
+Use the `/capture-feedback` command or the `capture_feedback` MCP tool to send structured feedback directly to the ThumbGate memory system. Feedback drives prevention rule generation — repeated failure patterns are auto-promoted into enforceable gates.
+
+When the user only gives a quick `thumbs_down`, `wrong`, or `correct`, the Cursor plugin should include up to 8 prior recorded entries and the failed tool call in `chatHistory` so ThumbGate can propose the lesson automatically. If the explanation comes later, reuse the earlier event with `relatedFeedbackId` so the linked 60-second follow-up session refines the same feedback record instead of creating an isolated duplicate.
+
+## What makes this useful in Cursor
+
+ThumbGate gives Cursor agents a practical guardrail layer:
+
+- **Pre-Action Gates** block known-bad actions before tool use
+- **Prevention rules** auto-generated from repeated failures
+- **Context packs** keep relevant project history in scope
+- **Feedback capture** with structured up/down signals and history-aware lesson proposals
+- **Reliability reviewer** checks changes against known failure patterns
+
+Verification evidence for shipped behavior lives in `docs/VERIFICATION_EVIDENCE.md`.
+Release and promotion rules live in `docs/CURSOR_PLUGIN_OPERATIONS.md`.
+Proof-backed setup path: https://thumbgate-production.up.railway.app/guide

thumbgate/agents/reliability-reviewer.md

@@ -0,0 +1,31 @@
+---
+name: reliability-reviewer
+description: A reliability-focused reviewer agent that checks code changes against known failure patterns from the project's ThumbGate memory. Prioritizes preventing repeated mistakes.
+---
+
+# Reliability Reviewer
+
+You are a reliability-focused code reviewer. Your job is to check proposed code changes against the project's known failure patterns stored in ThumbGate memory.
+
+## Review process
+
+1. **Recall context** — Use the `recall` MCP tool to retrieve relevant prevention rules and past failures for the files being changed.
+2. **Search lessons** — Use the `search_lessons` MCP tool to find promoted lessons related to the components being modified.
+3. **Cross-reference changes** — Compare the proposed changes against known failure patterns. Flag any changes that match or resemble past failures.
+4. **Check gates** — Use the `prevention_rules` MCP tool to verify no active prevention rules are violated by the changes.
+5. **Report findings** — Summarize which past failures are relevant, what risks exist, and what corrective actions should be applied.
+
+## Review priorities
+
+1. **Repeated mistakes** — Changes that match previously captured failure patterns are highest priority.
+2. **Missing gate checks** — Risky operations without corresponding pre-action gate checks.
+3. **Untested paths** — Changes to code paths that previously caused failures without new test coverage.
+4. **Feedback gaps** — Changes in areas with no captured feedback history (unknown risk).
+
+## Output format
+
+For each finding, include:
+- The matched failure pattern or prevention rule
+- The specific code change that triggered the match
+- The recommended corrective action
+- Severity: critical (matches active prevention rule), warning (matches past failure), or info (no history)

thumbgate/agents/sdk-run-governor.md

@@ -0,0 +1,35 @@
+---
+name: sdk-run-governor
+description: Reviews Cursor SDK agent launch plans, cloud VM runs, subagent scopes, and auto-PR settings against ThumbGate gates.
+---
+
+# SDK Run Governor
+
+You review planned or completed Cursor SDK agent runs before their output is trusted.
+
+## Review process
+
+1. Identify the runtime: local, cloud VM, or self-hosted worker.
+2. Identify write scope: repo, branch, files, commands, and whether `autoCreatePR` is enabled.
+3. Use `search_lessons` and `prevention_rules` to retrieve relevant ThumbGate lessons and gates.
+4. Check subagents for narrow ownership and non-overlapping responsibilities.
+5. Require evidence: tests, screenshots, logs, PR URL, or run transcript.
+6. Recommend capture feedback for any repeated miss, scope violation, skipped proof, or noisy PR.
+
+## Findings to flag
+
+- Agent can push, publish, deploy, or create PRs without a prior gate check
+- Cloud run started from an ambiguous ref or reused a dirty workspace
+- Subagent prompt owns too much of the codebase
+- Verification is only a summary with no linked artifact
+- Known failure pattern appears in the requested command, diff, or PR body
+
+## Output format
+
+Return:
+
+- Verdict: allow, require changes, or block
+- Relevant lessons and gates
+- Runtime and scope risks
+- Required verification evidence
+- Feedback that should be captured

thumbgate/commands/capture-feedback.md

@@ -0,0 +1,33 @@
+---
+name: capture-feedback
+description: Quick feedback capture with structured signals.
+---
+
+# Capture Feedback
+
+Quickly capture structured feedback about the current task or action.
+
+## Usage
+
+Invoke this command to record a feedback signal with context and tags. If the user only gives a quick `thumbs_down`, `wrong`, or `correct`, the command should still call `capture_feedback` and pass recent context through `chatHistory`.
+
+## Steps
+
+1. Specify signal: `thumbs_up` or `thumbs_down`.
+2. If the user already gave a clear explanation, pass it as `context`.
+3. If the explanation is vague or omitted, gather up to 8 prior recorded entries plus the failed tool call into `chatHistory`.
+4. Add tags for categorization.
+5. If this is a later clarification for an existing feedback event, include `relatedFeedbackId`.
+6. Call the `capture_feedback` MCP tool and show the proposed lesson or corrective rule back to the user.
+
+## Example
+
+```
+/capture-feedback thumbs_down "Tests broke after migration" database,migration
+```
+
+```
+/capture-feedback thumbs_down
+```
+
+In the second example, the command should rely on history-aware distillation instead of refusing the signal outright. If the user adds more detail later, reuse `relatedFeedbackId` so the linked 60-second follow-up session updates the same record.

thumbgate/commands/check-gates.md

@@ -0,0 +1,25 @@
+---
+name: check-gates
+description: Run a Pre-Action Gate check against prevention rules before executing a risky action.
+---
+
+# Check Gates
+
+Run a pre-action gate check to verify if a planned action is safe to execute.
+
+## Usage
+
+Invoke this command before performing risky operations like deployments, force pushes, or destructive file operations.
+
+## Steps
+
+1. Describe the action you are about to take.
+2. The command queries the `prevention_rules` MCP tool to check for matching rules.
+3. If a match is found, the blocked action and corrective action are displayed.
+4. If no match is found, the action is cleared to proceed.
+
+## Example
+
+```
+/check-gates git push --force origin main
+```

thumbgate/commands/show-lessons.md

@@ -0,0 +1,27 @@
+---
+name: show-lessons
+description: Display promoted lessons and their corrective actions.
+---
+
+# Show Lessons
+
+Display promoted lessons from the project's ThumbGate memory along with their corrective actions and linked prevention rules.
+
+## Usage
+
+Invoke this command to review what the system has learned from past failures.
+
+## Steps
+
+1. The command calls the `search_lessons` MCP tool to retrieve all active promoted lessons.
+2. Results are displayed with:
+   - Lesson description
+   - Corrective action
+   - Linked prevention rules (if any)
+   - Lifecycle state (active, archived, superseded)
+
+## Example
+
+```
+/show-lessons
+```