ThumbGate vs Anthropic Containment

Anthropic contains Claude inside their products. ThumbGate contains every other agent your team uses.

Anthropic published "How we contain Claude" on their engineering blog — a three-layer architecture (environment isolation → behavioral guidance → external content controls) implemented across claude.ai, Claude Code, and Claude Cowork. That coverage stops at the Anthropic product boundary. ThumbGate runs the same architectural model at the IDE-agent layer — Cursor, OpenAI Codex CLI, Google Gemini CLI, Sourcegraph Amp, Cline, OpenCode, and Claude Desktop — where Anthropic's sandbox does not reach.

  • Same 3-layer model
  • Different runtime layer
  • Composable, not competitive

Anthropic's published architecture, mapped to ThumbGate

Each entry gives the Anthropic layer (published practice), then where ThumbGate fits.

  • Ephemeral gVisor containers (claude.ai per-session filesystem; "no code runs on the local machine")
    Where ThumbGate fits: Out of scope — Anthropic's hosted product. ThumbGate is local-first by design.
  • OS-level sandbox (Seatbelt on macOS, bubblewrap on Linux for Claude Code; 84% reduction in permission prompts)
    Where ThumbGate fits: Direct analogue. ThumbGate's PreToolUse hook is the cross-agent version: same "evaluate before execution" model, but it works inside Cursor, Codex, Gemini, Amp, Cline, and OpenCode, where bubblewrap/Seatbelt don't apply.
  • Hypervisor VM isolation (Claude Cowork; "the agent loop ran inside the guest…executed as an ordinary Linux user with no awareness it was sandboxed")
    Where ThumbGate fits: Out of scope — Anthropic's managed VM offering. ThumbGate's adjacent value: deterministic rule enforcement that follows the agent across whichever machine you run it on.
  • MITM egress proxy (intercepts API traffic, validates VM-provisioned session tokens after credential exfiltration was discovered through approved domains)
    Where ThumbGate fits: Roadmap analogue. ThumbGate's egress-rule gates can block external LLM calls when privilege markers or restricted hostnames appear in the outbound payload — same defense, IDE-agent layer.
  • Tool output inspection before context insertion ("tool output is an attack surface even when the tool is trusted")
    Where ThumbGate fits: Direct roadmap item. PostToolUse output inspection is the natural extension of ThumbGate's PreToolUse model: same logic, applied to the returned payload before it enters agent context.
  • Model-layer behavioral guidance (system prompts, model tuning)
    Where ThumbGate fits: Not us. ThumbGate is deterministic enforcement, not steering. We assume the model will sometimes try the wrong thing; the gate is what stops it from succeeding.

Three lessons from Anthropic that operationalize for non-Anthropic agents

1. Environment first, behavior second. Anthropic writes:

"Design for containment at the environment layer first, then steer behavior at the model layer."

This is exactly why ThumbGate is a PreToolUse hook rather than a system-prompt addition. The gate fires regardless of what the model "tries to do" — it acts on the actual tool-call payload, not on the model's intent.

2. Tool output is an attack surface. Anthropic writes:

"Tool output is an attack surface even when the tool is trusted."

This is the architectural justification for ThumbGate's roadmapped PostToolUse output-inspection layer. A trusted internal tool returning poisoned data is the same threat as an untrusted external one — both flow into the model's context window with the same authority.
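A minimal gate in the shape lessons 1 and 2 describe, added here as an illustration and not ThumbGate's own code: the PreToolUse half decides on the serialized tool-call payload (lesson DB, restricted hostnames, privilege markers in outbound payloads), and the PostToolUse half scrubs returned output before it reaches context. Tool names, the `tool`/`input` field names, the placeholder hostname and the rule shapes are assumptions.

```javascript
// Added illustration, not ThumbGate's code. The gate is a pure function over the
// serialized tool call, so it decides on the payload rather than the model's intent.
// Tool names, `tool`/`input` field names, the hostname and rule shapes are assumptions.
const RESTRICTED_HOSTS = ["llm.example.net"]; // constructed placeholder hostname
const PRIVILEGE_MARKERS = [
  /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/,
  /Authorization:\s*Bearer\s+\S+/i,
  /AWS_SECRET_ACCESS_KEY=\S+/,
];
const EGRESS_TOOLS = new Set(["http_request", "web_fetch"]);

// A call can reach the network if it uses an egress tool or shells out to curl/wget.
function isEgress(call) {
  return EGRESS_TOOLS.has(call.tool) ||
    (call.tool === "bash" && /\b(curl|wget)\b/.test(call.input.command || ""));
}
function escapeRegExp(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); }

// Lesson DB: a thumbs-down on one call becomes a deterministic rule that blocks the
// same payload next time (pass a broader pattern to generalize the lesson).
function thumbsDown(lessons, call, note,
                    pattern = new RegExp(escapeRegExp(JSON.stringify(call.input)))) {
  lessons.push({ tool: call.tool, pattern, note });
  return lessons;
}

// PreToolUse: runs before execution; returns the decision and the rule that fired.
function preToolUse(call, lessons) {
  const payload = JSON.stringify(call.input);
  const lesson = lessons.find((l) => l.tool === call.tool && l.pattern.test(payload));
  if (lesson) return { decision: "deny", reason: `lesson: ${lesson.note}` };
  if (isEgress(call)) {
    const host = RESTRICTED_HOSTS.find((h) => payload.includes(h));
    if (host) return { decision: "deny", reason: `restricted hostname ${host} in outbound payload` };
    const marker = PRIVILEGE_MARKERS.find((re) => re.test(payload));
    if (marker) return { decision: "deny", reason: `privilege marker ${marker} in outbound payload` };
  }
  return { decision: "allow", reason: "no rule matched" };
}

// PostToolUse: the returned output is inspected with the same markers before it
// enters agent context, so a trusted tool cannot hand the model a secret.
function postToolUse(output) {
  let redactions = 0;
  let scrubbed = output;
  for (const re of PRIVILEGE_MARKERS) {
    scrubbed = scrubbed.replace(new RegExp(re.source, re.flags + "g"),
                                () => { redactions += 1; return "[REDACTED]"; });
  }
  return { output: scrubbed, redactions };
}
```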

3. Battle-tested primitives beat custom proxies. Anthropic writes:

"The software you build yourself is often the weakest."

Their early custom MITM proxy failed in real incidents involving credential exfiltration and allowlist bypasses; they rebuilt on hypervisor primitives. The same argument applies one layer up: a maintained third-party gate engine, lesson DB, and adapter matrix across eight agent runtimes is more reliable than per-team shell scripts that go stale the moment Claude Code, Cursor, or Codex ship a breaking change to their hook API.

When you should rely on Anthropic's containment vs ThumbGate

  • You only use claude.ai: Anthropic's containment is doing the work. ThumbGate adds nothing.
  • You only use Claude Code on macOS or Linux: Anthropic's bubblewrap/Seatbelt covers the bash + filesystem surface. ThumbGate adds value for repeated-mistake prevention (the "thumbs down → blocked next time" loop) and for any MCP servers wired into Claude Code that bubblewrap doesn't gate.
  • You use Cursor, Codex CLI, Gemini CLI, Amp, Cline, OpenCode, or Claude Desktop: Anthropic's sandboxes do not apply. ThumbGate is the only PreToolUse layer that covers all of them with one configuration.
  • You use Claude Cowork: Anthropic's hypervisor VM contains the execution surface. ThumbGate's enforcement persists across whichever VM or machine the agent runs on, which is useful when you want the same rule to fire in dev and production.

FAQ

Is ThumbGate a competitor to Anthropic's Claude containment?

No. Anthropic's containment stops at the Claude Code / claude.ai / Claude Cowork product boundary. ThumbGate runs the same three-layer model at the IDE-agent layer — Cursor, Codex, Gemini, Amp, Cline, OpenCode, Claude Desktop — where Anthropic's sandbox does not reach.

What does Anthropic's article tell us about agent containment?

Three lessons we operationalize: environment first, then behavior; tool output is an attack surface; battle-tested primitives beat custom proxies. ThumbGate's PreToolUse hook is the IDE-agent analogue of Anthropic's permission gate; the planned PostToolUse output inspection is the analogue of Anthropic's tool-output check before context insertion.

Why use a third-party tool instead of writing my own bubblewrap rules?

Anthropic's own conclusion: "the software you build yourself is often the weakest." Their early custom MITM proxy failed in real incidents; they rebuilt on hypervisor primitives. ThumbGate's maintained gate engine + lesson DB + adapter matrix is the same argument one layer up: maintained infrastructure beats per-team shell scripts that go stale the moment Claude Code, Cursor, or Codex ship a breaking change to their hook API.

Where does Anthropic's containment stop and ThumbGate begin?

Inside Anthropic's products: Anthropic. The moment your dev opens Cursor with the Anthropic API key, or runs Codex against a local repo, or wires up an MCP server in any agent runtime: ThumbGate. The two compose without overlap.

Where do I start?

If you use Claude Code: keep using it as-is, install ThumbGate alongside (npx thumbgate init) for the repeated-mistake prevention loop and for the MCP servers Anthropic's sandbox doesn't reach. If you use any other agent runtime: ThumbGate is the only deterministic PreToolUse layer for them.