Every gate decision is logged with timestamp, actor, action, policy, and evidence — the artifact OMB M-24-10 and EO 14110 ask for, generated continuously. Agency-owned policy. Vendor-neutral across Claude Code, Cursor, Codex, Gemini CLI, Amp, Cline, OpenCode. On-prem or government cloud deployment via ThumbGate-Core gov mode.
ThumbGate is a behavioral enforcement layer between AI agents and the tools they invoke. It is not a model, not a model-output evaluator, and not a federal data RAG system. It is the gate that decides whether a tool call leaves the agent's environment.
Every gate decision is logged with the action attempted, the policy invoked, the evidence required, and the outcome. PII redaction is built in. Logs are exportable in JSON Lines for ingestion into the agency SIEM.
Generic LLM guardrails are vendor-controlled and opaque. ThumbGate policies live in version control inside the agency boundary, are written as code, and are enforced locally before a tool call leaves the dev environment.
A thumbs-down from an agency engineer becomes a permanent prevention rule. The same risky action never reaches the model on the next attempt — relevant for cost control and for documenting "we did not let the agent do X" in incident review.
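To make the last few paragraphs concrete, here is an added sketch of a pre-tool-call gate that logs each decision as a redacted JSON Lines record and turns a thumbs-down into a standing prevention rule. It is not ThumbGate's code or API: the `Gate` class, the record fields (taken from the wording above), the PII patterns and the exact-match rule key are all assumptions made for illustration.

```javascript
// Added sketch, not ThumbGate code: class, field and rule names are assumptions.
// Constructed PII patterns (email address, US SSN format) for the demo only.
const PII = [/[\w.+-]+@[\w-]+\.[\w.-]+/g, /\b\d{3}-\d{2}-\d{4}\b/g];
const redact = (s) => PII.reduce((out, re) => out.replace(re, '[REDACTED]'), s);

// Exact-match key so a rejected call is recognised on the next attempt.
const key = (call) => JSON.stringify([call.tool, call.input]);

class Gate {
  constructor(policies) {
    this.policies = policies;     // [{ id, tool, deny: RegExp without the g flag }]
    this.prevention = new Map();  // call key -> rule id, built from thumbs-down feedback
    this.log = [];                // one serialized decision per entry
  }

  // Decide before the tool runs; allowed and blocked calls are both logged.
  check(actor, call, now = new Date()) {
    let policy = this.prevention.get(key(call)) || null;
    let evidence = policy ? 'exact match of a previously rejected call' : null;
    if (!policy) {
      const hit = this.policies.find((p) => p.tool === call.tool && p.deny.test(call.input));
      if (hit) { policy = hit.id; evidence = `input matched ${hit.deny}`; }
    }
    const record = {
      timestamp: now.toISOString(),
      actor,
      action: `${call.tool}: ${redact(call.input)}`, // redact before the record is stored
      policy,
      evidence,
      outcome: policy ? 'block' : 'allow',
    };
    this.log.push(JSON.stringify(record));
    return record;
  }

  // A thumbs-down on a call becomes a permanent prevention rule.
  thumbsDown(call) {
    const id = `prevent-${this.prevention.size + 1}`;
    this.prevention.set(key(call), id);
    return id;
  }

  // JSON Lines export for ingestion into a SIEM.
  exportJsonl() { return this.log.join('\n') + '\n'; }
}
```

Redaction happens before the record is serialized, so the exported log never holds the raw value, while the prevention key is computed from the unredacted call and stays inside the gate.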
Works with Claude Code, Cursor, Codex, Gemini CLI, Amp, Cline, OpenCode, and any MCP-compatible agent. No lock-in to a single model vendor. Bedrock GovCloud and Azure Government routing supported in gov mode.
Gate-decision telemetry produces a real-time inventory of which AI tools are actively used, by whom, on what — directly supporting OMB M-24-10 §5(a) and EO 14110 §10.1(b) inventory and risk-categorization requirements.
ThumbGate-Core gov mode runs without telemetry, without auto-update, and without any outbound call to thumbgate.ai. Agency keeps the data; ThumbGate provides the enforcement engine and the policy framework.
No FedRAMP marketing badge until authorization is real. Here is what is true today and what the path forward looks like.
| Item | Status | Notes |
|---|---|---|
| FedRAMP authorization | Not yet | Targeting Low baseline via agency sponsorship. Open to civilian agency sponsor conversations. |
| FISMA / NIST 800-53 Rev 5 | Partial mapping | 11 controls directly supported (see below). Public SaaS inherits Railway's controls; Core gov mode runs on-prem. |
| FIPS 140-2/3 validated crypto | In Core gov mode | Public ThumbGate uses Node.js native crypto; Core gov mode routes to a FIPS-validated provider on THUMBGATE_DEPLOY=gov. |
| Section 508 accessibility | Dashboard audit pending | CLI output and landing pages are screen-reader friendly; full WCAG 2.1 AA audit pending. |
| US persons + US data residency | Core gov deployments | Public SaaS runs in US Railway regions; Core gov mode is on-prem or government cloud only. |
| SBOM + supply chain provenance | Per release | SBOM and dependency report published with every npm release in proof/. |
| Third-party LLM calls | Public uses Claude directly | Core gov mode replaces direct Claude calls with Bedrock GovCloud / Azure Government routing. |
| Family | Control | How ThumbGate supports it |
|---|---|---|
| AC | AC-3 Access Enforcement | PreToolUse hook blocks tool calls that violate policy regardless of operator intent. |
| AC | AC-6 Least Privilege | Per-gate scopes bind agent actions to declared task scope. |
| AU | AU-2 / AU-3 / AU-12 Audit Logging | Every gate decision logged with full payload, PII-redacted, exportable to agency SIEM. |
| CM | CM-3 Configuration Change Control | Branch governance gate requires releaseVersion declaration before release/publish actions. |
| CM | CM-7 Least Functionality | MCP allowlists constrain reachable agent tools per deployment profile. |
| IR | IR-4 Incident Handling | Hallucination detector + claim verification produces evidence trails for post-incident review. |
| RA | RA-5 Vulnerability Monitoring | Security scan surfaces known-bad patterns from the prevention rule library. |
| SI | SI-4 / SI-7 System Integrity | Continuous gate telemetry + integrity-checkable prevention rule corpus. |
Federal capabilities are an additive Core deployment profile, not a fork. The open-source ThumbGate developers install from npm is byte-identical regardless of federal work — pinned by regression tests.
npm install thumbgate → local CLI enforcement
THUMBGATE_DEPLOY=gov
npm i thumbgate on a fresh machine works with zero federal env vars set, public CI passes with Core absent, and no federal code path is reachable without explicit opt-in. Five architectural invariants are pinned by regression tests in tests/public-core-boundary.test.js.
A 30-minute scoping call. One agent workflow inside the agency. Two weeks of monitored gate decisions. A written report with captured behavior, blocked actions, and NIST control evidence. No procurement vehicle required for Phase 0 or Phase 1.
Public technical brief, NIST control mapping, this page. No agency commitment required. Read the docs, evaluate the open-source release.
One-page CIS tailored to the agency authorization boundary. SBOM walkthrough. Air-gapped install rehearsal in a clean VM.
Core gov mode install. Bedrock GovCloud / Azure Gov routing. FIPS crypto. Agency SIEM audit-log sink. Two-week monitored evaluation on one workflow.
FedRAMP Low baseline package preparation. 3PAO engagement. ATO documentation set.
Federal RAG over agency policy corpora. Multimodal retrieval for screenshot / PDF / diagram evidence. Built when an agency names the use case — not on speculation.
SBIR / STTR Phase I and II. Agency innovation pilots. Prime / SI partnership for inclusion in a larger AI governance offering. GSA Schedule path open under agency sponsorship.