This release adds 3 notable features for engineering teams evaluating rollout.

Published 1mo MCP Developer Tools
✓ No known CVEs patched

Topics

agent-reliability ai-agents ai-cost-optimization ai-safety amp claude-code
codex cursor developer-tools feedback-loop gemini guardrails mcp mcp-server opencode pre-action-checks reduce-llm-cost save-llm-tokens thompson-sampling thumbgate

Affected surfaces

auth rbac

Summary

AI summary

Adds three MCP leader‑agent coordination tools (evidence gate, swarm coordinator, observability report) and fixes mailer fallback handling.

Full changelog

thumbgate@1.8.0

Release Links

  • npm: https://www.npmjs.com/package/thumbgate/v/1.8.0
  • GitHub Release: https://github.com/IgorGanapolsky/ThumbGate/releases/tag/v1.8.0
  • Compare: https://github.com/IgorGanapolsky/ThumbGate/compare/v1.7.0...v1.8.0
  • Publish workflow: https://github.com/IgorGanapolsky/ThumbGate/actions/runs/24643992529
  • npm published at: 2026-04-20T01:18:26.894Z
  • npm shasum: 84d565fb5fb27831df7e098e79d1d9e7dd0906ee
  • npm tarball: https://registry.npmjs.org/thumbgate/-/thumbgate-1.8.0.tgz
  • Release ref: 4c383a8e7d2e9b19e0798995d8fe9d52f3b11ecc

npm Email Companion

npm controls the native "Successfully published" email template, so the email itself stays short. Treat this generated artifact as the full release-note companion for that email: it carries the Changeset summaries, CHANGELOG entry, publish workflow, npm tarball, and shasum when available.

Full Changeset Release Notes

Minor Changes

.changeset/agentic-engineering-leader-endpoints.md

Agentic-engineering Leader Agent endpoints: completion gate, swarm coordinator, and unified observability.

Adds three MCP tools that lift ThumbGate from a bag of primitives into a Leader-Agent coordination layer (per the LangChain agentic-engineering framing — worker agents consume, leader endpoints coordinate and verify):

  • require_evidence_for_claim — completion gate. Wraps verifyClaimEvidence with a first-class blocking boolean and mode (blocking default, advisory). Records the decision to the audit trail under gateId: completion_claim. Agents call this before declaring done/fixed/shipped; hooks honor the blocking flag to stop evidence-free completion claims.
  • distribute_context_to_agents — swarm coordinator. Constructs one context pack via constructContextPack and records a context_pack_distributed provenance event per named agent (dedup'd, capped at MAX_AGENTS=32, TTL defaults to 15 minutes). Replaces N independent context derivations by auto-agents (perplexity-bug-resolver, codex-reviewer, grok-x-intelligence, etc.) with one shared pack.
  • session_report — unified observability rollup. Aggregates feedback stats, gate stats, and windowed provenance into a single LangSmith-style report. windowHours clamps to [1, 720]; invalid/missing input falls back to the 24h default. Errors in any section are isolated via a per-section errors map so one broken source doesn't sink the report.

Exposed in default, essential, readonly, and dispatch MCP profiles. No OpenAPI surface changes (MCP-only). Ships with 24 new tests across tests/swarm-coordinator.test.js, tests/session-report.test.js, and tests/require-evidence-gate.test.js; regression runs clean across test:api (834), test:gates (198), test:tool-registry (11), test:proof (96), test:deployment (55), test:e2e (29), test:workflow (98), test:schema (8), and test:mcp-config (9).
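
The session_report behaviour described above (window clamped to [1, 720], 24h fallback, per-section errors map), as an added sketch that is not ThumbGate's implementation. The function names, the report shape, and the choice to clamp finite out-of-range numbers rather than treat them as invalid are assumptions.

```javascript
// Added illustration only; not ThumbGate's session_report code.
const DEFAULT_WINDOW_HOURS = 24;
const MIN_WINDOW_HOURS = 1;
const MAX_WINDOW_HOURS = 720;

// Assumption: non-numeric or missing input is "invalid" (falls back to 24h);
// any finite number is clamped into [1, 720].
function resolveWindowHours(input) {
  const n = typeof input === 'string' && input.trim() !== '' ? Number(input) : input;
  if (typeof n !== 'number' || !Number.isFinite(n)) return DEFAULT_WINDOW_HOURS;
  return Math.min(MAX_WINDOW_HOURS, Math.max(MIN_WINDOW_HOURS, Math.floor(n)));
}

// sources: { sectionName: (windowHours) => data }. Each collector runs in its
// own try/catch, so a throwing source is recorded in `errors` and the rest of
// the report is still produced.
function buildSessionReport(sources, windowHoursInput) {
  const windowHours = resolveWindowHours(windowHoursInput);
  const report = { windowHours, sections: {}, errors: {} };
  for (const [name, collect] of Object.entries(sources)) {
    try {
      report.sections[name] = collect(windowHours);
    } catch (err) {
      report.sections[name] = null;
      report.errors[name] = err instanceof Error ? err.message : String(err);
    }
  }
  return report;
}

// Constructed sample sources: the gate-stats collector is deliberately broken.
const sampleSources = {
  feedback: () => ({ up: 12, down: 3 }),
  gates: () => { throw new Error('gate stats file unreadable'); },
  provenance: (hours) => ({ windowHours: hours, events: 41 }),
};
```

A consumer of such a report should check the errors map before trusting a section, since a failed section is reported as null rather than as zero activity.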

Patch Changes

.changeset/dependabot-protobufjs-7.5.5.md

Bump transitive dependency protobufjs from 7.5.4 to 7.5.5 (security/bugfix release). Lockfile-only change via Dependabot.

.changeset/mailer-env-harmonize.md

Mailer module now accepts THUMBGATE_RESEND_API_KEY as a fallback for the bare RESEND_API_KEY, matching the dual-read behavior already implemented in scripts/billing.js. Prevents a silent "skipped: no_api_key" regression if an operator sets only the prefixed variable name. Adds a positive unit test that sends with only the prefixed variant set.

CHANGELOG.md Entry

1.8.0

Minor Changes

  • #954 d48608e Thanks @IgorGanapolsky! - Enforcement teeth: move ThumbGate's PreToolUse path from advisory to preventive.

    • capture_feedback now surfaces correctiveActions as a top-level <system-reminder> block in the MCP response (content[1]) alongside the JSON body (content[0]), so prior lessons reach the calling agent as first-class context instead of buried JSON.
    • Replaces the no-op scripts/hook-verify-before-done.sh with scripts/hook-pre-tool-use.js (matcher expanded to Bash|Edit|Write). The new hook: (1) preserves the existing curl-to-prod timestamp tracking; (2) calls retrieveWithRerankingSync against the about-to-run tool and injects matched lessons via hookSpecificOutput.additionalContext; (3) opt-in via THUMBGATE_HOOKS_ENFORCE=1, blocks tool calls with decision:"block" when a matched lesson carries a high-risk tag at/above threshold (default 5, configurable via THUMBGATE_HOOKS_ENFORCE_THRESHOLD); (4) opt-in via THUMBGATE_AUTOGATE_PR_COMMITS=1, auto-registers a thread-resolution-verified claim gate when git commit runs on a non-main branch.
    • bin/cli.js session-start now emits top ThumbGate hard-block rules and top high-risk tags as a structured hookSpecificOutput.additionalContext reminder (with stderr fallback for older Claude Code versions), so session start forces the agent to see current enforcement state rather than relying on opt-in recall.
    • Every enforcement path fails open: malformed hook stdin, missing risk model, or any uncaught exception in the hook exits 0 with no block, ensuring a bug never deadlocks the agent. Flags default to OFF so the first misfiring regex can be corrected in the same session that shipped it.
  • Add a canonical autonomous control-plane workflow to ThumbGate itself.

    • Add scripts/autonomous-workflow.js, a durable intent -> plan -> execute -> verify -> report runner built on top of the existing async job runtime, workflow checkpoints, and proof-backed workflow logs.
    • Extend scripts/workflow-gate-checkpoint.js so checkpoints can persist workflow phase, status, plan, intent, evidence, report metadata, and merged workflow-level metadata across restarts.
    • Persist evidence-backed workflow artifacts under .thumbgate/autonomous-workflows/<workflowId>/ and record proof-backed workflow runs only when verification accepts the output and artifacts exist.
    • Wire package scripts and package contents so the autonomous runner ships in the npm tarball and stays covered by high-ROI and workflow checkpoint tests.

Patch Changes

  • #951 3270c2a Thanks @IgorGanapolsky! - Hard-enforce pre-tool prevention signals: matching high-risk boosted tags now block risky actions, PR-branch git commits register a required thread-resolution verification gate before the next unsafe tool call, and corrective actions surface as top-level reminders instead of being buried in JSON.
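
The PreToolUse decision flow described under #954 and #951 (advisory context by default, opt-in blocking at a threshold, fail-open on any error), as an added sketch that is not ThumbGate's `scripts/hook-pre-tool-use.js`. The function name, the lesson/tag shape, the `findLessons` callback, and the `failedOpen` flag are assumptions; the flag is included so fail-open events can be counted rather than passing silently.

```javascript
// Added illustration only; this is not ThumbGate's scripts/hook-pre-tool-use.js.
// Assumed lesson shape: { text: string, tags: [{ name: string, risk: number }] }.
const DEFAULT_THRESHOLD = 5; // default threshold stated in the changelog

function evaluatePreToolUse(stdinText, env, findLessons) {
  // failedOpen marks results that came from an error path (hypothetical field).
  const allow = (output = null, failedOpen = false) => ({ blocked: false, failedOpen, output });
  try {
    const event = JSON.parse(stdinText); // malformed stdin throws -> fail open
    if (!event || typeof event.tool_name !== 'string') return allow(null, true);
    if (!/^(Bash|Edit|Write)$/.test(event.tool_name)) return allow();

    const lessons = findLessons(event) || []; // stand-in for lesson retrieval
    if (lessons.length === 0) return allow();

    // Advisory path: matched lessons always reach the agent as context.
    const additionalContext = lessons.map((l) => `- ${l.text}`).join('\n');
    const advisory = { hookSpecificOutput: { additionalContext } };
    if (env.THUMBGATE_HOOKS_ENFORCE !== '1') return allow(advisory);

    // Enforcement path: block only when a matched tag is at/above the threshold.
    const parsed = Number.parseInt(env.THUMBGATE_HOOKS_ENFORCE_THRESHOLD, 10);
    const threshold = Number.isFinite(parsed) ? parsed : DEFAULT_THRESHOLD;
    const hit = lessons
      .flatMap((l) => l.tags || [])
      .find((t) => typeof t.risk === 'number' && t.risk >= threshold);
    if (!hit) return allow(advisory);

    const reason = `high-risk tag "${hit.name}" (risk ${hit.risk} >= ${threshold})`;
    return { blocked: true, failedOpen: false, output: { decision: 'block', reason, ...advisory } };
  } catch (err) {
    return allow(null, true); // any exception: no block, so the agent never deadlocks
  }
}

// Constructed sample hook input and lesson store for demonstration.
const sampleEvent = JSON.stringify({ tool_name: 'Bash', tool_input: { command: 'git push --force' } });
const sampleLessons = () => [{ text: 'Force-push rewrote shared history', tags: [{ name: 'force-push', risk: 7 }] }];
```

Because every error path allows the call, a hook that is crashing enforces nothing; alerting on a rising count of fail-open results is what distinguishes "no risky actions" from "gate is down".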

Verification Standard

  • Publish only runs from main after version sync, tests, and runtime proof pass.
  • The npm package is smoke-tested after publish by installing thumbgate@VERSION in a clean runtime.
  • GitHub Release notes are generated from Changesets, not only GitHub auto-generated PR titles.

About IgorGanapolsky/mcp-memory-gateway

Pre-action gates that prevent AI coding agents from repeating known mistakes. Captures explicit feedback, auto-promotes failures into prevention rules, and enforces them via hooks.
