[email protected]

Release Links

• npm: https://www.npmjs.com/package/thumbgate/v/1.7.0
• GitHub Release: https://github.com/IgorGanapolsky/ThumbGate/releases/tag/v1.7.0
• Compare: https://github.com/IgorGanapolsky/ThumbGate/compare/v1.6.0...v1.7.0
• Publish workflow: https://github.com/IgorGanapolsky/ThumbGate/actions/runs/24617269043
• npm published at: 2026-04-19T00:31:13.596Z
• npm shasum: 5f6501bc691fe119c7636ac0fc4ef2ebc03a689a
• npm tarball: https://registry.npmjs.org/thumbgate/-/thumbgate-1.7.0.tgz
• Release ref: d48608ea2f7956aa4d513878b8d5e7d82596f213

npm Email Companion

npm controls the native "Successfully published" email template, so the email itself stays short. Treat this generated artifact as the full release-note companion for that email: it carries the Changeset summaries, CHANGELOG entry, publish workflow, npm tarball, and shasum when available.

Full Changeset Release Notes

Minor Changes

.changeset/enforcement-teeth.md

Enforcement teeth: move ThumbGate's PreToolUse path from advisory to preventive.

• capture_feedback now surfaces correctiveActions as a top-level <system-reminder> block in the MCP response (content[1]) alongside the JSON body (content[0]), so prior lessons reach the calling agent as first-class context instead of buried JSON.
• Replaces the no-op scripts/hook-verify-before-done.sh with scripts/hook-pre-tool-use.js (matcher expanded to Bash|Edit|Write). The new hook: (1) preserves the existing curl-to-prod timestamp tracking; (2) calls retrieveWithRerankingSync against the about-to-run tool and injects matched lessons via hookSpecificOutput.additionalContext; (3) opt-in via THUMBGATE_HOOKS_ENFORCE=1, blocks tool calls with decision:"block" when a matched lesson carries a high-risk tag at/above threshold (default 5, configurable via THUMBGATE_HOOKS_ENFORCE_THRESHOLD); (4) opt-in via THUMBGATE_AUTOGATE_PR_COMMITS=1, auto-registers a thread-resolution-verified claim gate when git commit runs on a non-main branch.
• bin/cli.js session-start now emits top ThumbGate hard-block rules and top high-risk tags as a structured hookSpecificOutput.additionalContext reminder (with stderr fallback for older Claude Code versions), so session start forces the agent to see current enforcement state rather than relying on opt-in recall.
• Every enforcement path fails open: malformed hook stdin, missing risk model, or any uncaught exception in the hook exits 0 with no block, ensuring a bug never deadlocks the agent. Flags default to OFF so the first misfiring regex can be corrected in the same session that shipped it.

Patch Changes

.changeset/hard-pretool-enforcement.md

Hard-enforce pre-tool prevention signals: matching high-risk boosted tags now block risky actions, PR-branch git commits register a required thread-resolution verification gate before the next unsafe tool call, and corrective actions surface as top-level reminders instead of being buried in JSON.

CHANGELOG.md Entry

No CHANGELOG.md section was found for 1.7.0; the release notes above were generated from the changed Changeset files.

Verification Standard

• Publish only runs from main after version sync, tests, and runtime proof pass.
• The npm package is smoke-tested after publish by installing thumbgate@VERSION in a clean runtime.
• GitHub Release notes are generated from Changesets, not only GitHub auto-generated PR titles.