I shipped thumbgate@1.27.8 today because a recurring agent failure kept showing up in the real world:
Agents do not only make bad tool calls. They also make confident business claims after weak or partial evidence.
Examples:
- "Checkout is working."
- "The charge is correct."
- "Sales tax is verified."
- "Inventory is accurate."
- "The customer-facing state is fixed."
Those claims are dangerous when the source of truth is Stripe, a database, an invoice, an inventory system, a permissions table, or a production UI.
The fix I shipped has two parts:
1. A commercial-truth claim gate
ThumbGate now flags money, checkout, tax, inventory, permission, billing, and customer-facing state claims unless the same turn includes source-of-truth evidence.
2. A Guardian/Ethicore-style policy-engine adapter
If an external policy engine returns allow, block, review, threat level, threat score, or reasoning, ThumbGate can normalize that verdict and enforce it locally before the shell, file write, browser action, or MCP tool call runs.
The point is not "trust my agent."
The point is:
Policy engines can reason. ThumbGate enforces. The local machine gets the final deterministic pre-action gate.
Verified release facts:
- npm:
thumbgate@1.27.8 - PR: https://github.com/IgorGanapolsky/ThumbGate/pull/2682
- CI, E2E, CodeQL, Sonar, GitGuardian, Socket: green
- Install:
npx thumbgate init
If your agent can touch money, production data, customer messaging, permissions, or deploys, "it said it checked" is not enough.
Make the claim produce evidence. Make the action pass a gate.
Top comments (0)