igorganapolsky/thumbgate-protect
skills/thumbgate-protect/SKILL.md
Inspect this repo's branch and release governance (protected branches, release rules, protected-file globs) and, only when the user explicitly approves, grant a scoped, time-limited exception so a protected-file edit or publish can proceed under audit. Reads posture via the get_branch_governance MCP tool and records a narrow, expiring approval via the approve_protected_action MCP tool. Use when the user says "is main protected", "show branch governance", "what am I blocked from editing", "approve this protected change", or "let me edit a protected file just this once". Do NOT use to disable protection wholesale, to grant broad or standing exceptions, or to diagnose hook wiring (use the thumbgate-doctor skill) — this skill is for narrow, temporary, audited approvals only.
$ install --global
skillsauthnpx skillsauth add igorganapolsky/rlhf-feedback-loop thumbgate-protectInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 12, 2026, 2:41 AM17.9s2 files scanned
SKILL.md
- name:
- thumbgate-protect
- description:
- Inspect this repo's branch and release governance (protected branches, release rules, protected-file globs) and, only when the user explicitly approves, grant a scoped, time-limited exception so a protected-file edit or publish can proceed under audit. Reads posture via the get_branch_governance MCP tool and records a narrow, expiring approval via the approve_protected_action MCP tool. Use when the user says "is main protected", "show branch governance", "what am I blocked from editing", "approve this protected change", or "let me edit a protected file just this once". Do NOT use to disable protection wholesale, to grant broad or standing exceptions, or to diagnose hook wiring (use the thumbgate-doctor skill) — this skill is for narrow, temporary, audited approvals only.
ThumbGate Protect
Inspect the protected-action posture for this project and, when the user explicitly approves, grant a scoped, expiring exception so a protected-file edit or publish can proceed under audit.
This skill wraps existing ThumbGate capability and adds no new logic — it reads governance state and records a time-boxed approval.
Workflow
- Read the posture with the
get_branch_governanceMCP tool: protected branches, release rules, and the protected-file globs in effect. - Report it plainly: what is protected, and what the agent is currently blocked from touching without approval.
- Only if the user explicitly asks to proceed, grant a scoped approval with the
approve_protected_actionMCP tool — keeppathGlobsto the smallest set the action needs andttlMsas short as the task requires (default ~1 hour). - Confirm the approval id, covered globs, and expiry. Approvals are temporary and audited; re-run for the next task.
The full approve_protected_action field contract (pathGlobs, reason, evidence, ttlMs) and
the audit model are in
references/governance-and-approvals.md.
Example
Input: "main is protected but I need to hotfix the changelog — approve it for this one edit"
Action:
get_branch_governance→ confirmmainis protected andCHANGELOG.mdis in a protected glob.approve_protected_action→pathGlobs: ["CHANGELOG.md"],reason: "hotfix changelog entry",evidence: "owner OK in thread",ttlMs: 900000(15 min).- Report: approval id + "CHANGELOG.md is editable for 15 minutes, then protection resumes."
Troubleshooting
get_branch_governancereturns nothing: no governance configured — say so; don't invent protected branches.- User wants a broad/standing exception: decline. Grant the smallest glob + shortest TTL, or suggest changing governance config deliberately instead.
- Approval granted but edit still blocked: the glob may not cover the file, or the TTL expired —
re-check
pathGlobs/expiry; if the MCP path is unreachable, run the thumbgate-doctor skill.
Quality checklist (self-verify before delivering)
- [ ] I read the live posture with
get_branch_governancebefore saying anything about protection. - [ ] I granted an approval ONLY after the user explicitly asked to proceed.
- [ ] I used the smallest
pathGlobsand the shortest workablettlMs, never a blanket exception. - [ ] I reported the approval id + covered globs + expiry, and noted protection resumes after.
- [ ] I added no new logic — only read governance and recorded an existing time-boxed approval.
Related Skills
igorganapolsky/thumbgate-rules
tools
VerifiedTrustedCommunity
List the active ThumbGate prevention rules, reliability rules, and the promoted lessons behind them, so the user can see which guardrails are currently protecting this project and WHY each one exists. Reads the live rule and lesson stores via the prevention_rules, get_reliability_rules, and search_lessons MCP tools (CLI fallback `npx thumbgate rules`). Use when the user says "what is ThumbGate protecting me from", "show my rules", "show my gates", "what has the agent learned", "list active guardrails", or "what's blocked here". Do NOT use to CREATE a new rule (use the thumbgate-guard skill), to see runtime enforcement counts of what actually fired (use the thumbgate-blocked skill), or to diagnose whether ThumbGate is wired up at all (use the thumbgate-doctor skill).
23SKILL.mdUpdated Jun 12, 2026
igorganapolsky/thumbgate-guard
tools
VerifiedTrustedCommunity
Turn the agent's most recent mistake into an enforced ThumbGate prevention rule (a PreToolUse block gate) so the same bad tool call is intercepted before it runs again, in this and every future session across Claude Code, Cursor, Codex, Gemini, Amp, and Cline. Captures the failure with the capture_feedback MCP tool, then force-promotes it via `npx thumbgate force-gate` so it is enforced, not just logged. Use when the user says "guard against this", "block this from happening again", "never do that again", "make that a rule", "stop the agent from repeating that", or right after a bad action or thumbs-down that should become a hard rule. Do NOT use to merely log a thumbs-up/down without enforcement (use the thumbgate-feedback skill), to recall prior context before starting work (use the Agent Memory skill), or to list rules that already exist (use the thumbgate-rules skill).
23SKILL.mdUpdated Jun 12, 2026
igorganapolsky/thumbgate-doctor
tools
VerifiedTrustedCommunity
Health-check whether ThumbGate is actually wired into this agent — PreToolUse/SessionStart hooks installed, MCP server reachable, lesson store present, statusline, and overall agent-readiness — then report exactly what to fix. Runs the existing `npx thumbgate doctor` audit and the check_operational_integrity MCP tool. Use when the user says "is ThumbGate wired up", "thumbgate doctor", "check my guardrails are installed", "why aren't my gates firing", "is the MCP server connected", or "agent readiness". Do NOT use to view rules (use the thumbgate-rules skill), to view what was blocked (use the thumbgate-blocked skill), or to capture a new rule (use the thumbgate-guard skill) — this skill only diagnoses setup and wiring.
23SKILL.mdUpdated Jun 12, 2026
igorganapolsky/thumbgate-blocked
tools
VerifiedTrustedCommunity
Show ThumbGate's enforcement record — how many risky actions were actually blocked versus warned, which gates fire most, the tokens/damage saved, and the full feedback to check to rejection pipeline. Reads live enforcement counters via the gate_stats and enforcement_matrix MCP tools (CLI fallback `npx thumbgate gate-stats`). Use when the user says "what has ThumbGate blocked", "show gate stats", "is enforcement working", "how many tokens did we save", "show the enforcement matrix", or "what got stopped". Do NOT use to list rule DEFINITIONS that exist (use the thumbgate-rules skill), to create a new rule (use the thumbgate-guard skill), or to check whether ThumbGate is installed and wired (use the thumbgate-doctor skill).
23SKILL.mdUpdated Jun 12, 2026