What is the AC/DC framework?

AC/DC stands for Agent Centric Development Cycle. It is a four-stage governance framework published by Sonar (the company behind SonarCloud and SonarQube) for teams running AI coding agents. The stages are Guide (hand the agent your standards, architecture, and constraints before it writes code), Generate (the LLM writes code), Verify (mandatory verification of the generated code, primarily through static analysis), and Solve (fix the issues Verify surfaces). Each stage feeds the next, and outputs from Verify and Solve loop back into Guide so future iterations improve. AC/DC is a code-quality lifecycle for agentic development.

Does AC/DC cover runtime safety?

Not directly. AC/DC's Verify stage inspects generated code — typically after the agent has produced a diff or pull request. Many of the highest-blast-radius agent failures never become code that Verify can inspect. A destructive shell command like rm -rf, a DROP TABLE against the wrong database, a git push --force to main, a leaked environment variable through an MCP tool call, or an outbound LLM call to an unauthorized endpoint all happen between Generate and the next Guide loop as runtime actions. They produce no committed source code. Runtime enforcement at the PreToolUse hook is the layer that catches them before execution.

Does runtime enforcement replace AC/DC's Verify stage?

No. They cover different surfaces and compose cleanly. AC/DC's Verify stage catches problems in committed code. Runtime enforcement catches problems in proposed tool calls before the tool fires. A correct deployment of both means: PreToolUse hooks block destructive or unauthorized actions before execution, Verify catches quality and security issues in the code the agent did write, and Solve fixes what Verify surfaces. The two layers add up to coverage of both the action surface and the code surface.

Where does ThumbGate fit into AC/DC?

ThumbGate fits at two AC/DC stages. At Guide, ThumbGate's prevention-rules.md and context packs hand the agent local, learned constraints before it writes code — generated from prior failures captured by feedback hooks. At Verify, ThumbGate adds a runtime-action verification layer that operates on the tool call the agent is about to make, not on the code it already wrote. This closes the pre-execution gap between Generate and the next Guide iteration that pure-static Verify cannot reach.

Is Sonar a ThumbGate competitor?

No. Sonar runs at the code-quality layer (static analysis of committed code, security hotspots, coverage, duplications). ThumbGate runs at the runtime-action layer (PreToolUse hooks in Claude Code, Cursor, Codex CLI, Gemini CLI, Amp, Cline, OpenCode, Claude Desktop). The two layers are complementary. Regulated teams already running Sonar can keep Sonar at Verify-of-code and add ThumbGate at Verify-of-action to close the runtime gap AC/DC does not explicitly name.

AC/DC governs the code agents write. Runtime enforcement governs what agents do.

6 min read · For engineering leaders adopting Sonar's Agent Centric Development Cycle

TL;DR: Sonar's AC/DC framework (Guide → Generate → Verify → Solve) is a code-quality lifecycle for agentic development. It has no Pre-Execution Gate stage. The highest-blast-radius agent failures — destructive shell, unauthorized MCP calls, force-push to main, secret exfiltration — never become committed code. They are runtime actions that happen between Generate and the next Guide loop. PreToolUse runtime enforcement is the layer that closes that gap. The two compose: AC/DC verifies the code, runtime enforcement verifies the action.

What AC/DC is

Sonar published the Agent Centric Development Cycle (AC/DC) in early 2026 as a framework for teams shipping AI coding agents at scale. The New Stack covered it as the governance framework teams should reach for. Four stages, each feeding the next, with outputs from Verify and Solve looping back into Guide:

Stage	What happens	What it inspects
Guide	Hand the agent your standards, architecture, and constraints before it writes a line of code.	Prompts, context packs, conventions.
Generate	The LLM produces the code it believes will achieve the desired outcome.	Nothing yet — pure generation.
Verify	Mandatory verification of the generated code — static analysis, security hotspots, coverage, duplication.	Committed source code.
Solve	Fix the issues Verify surfaces, so the next iteration is cleaner.	Issues, lessons.

"In an agentic development model, the primary challenge is no longer writing code; it is creating a system that makes generated code trustworthy." — Sonar, on AC/DC

That's a correct framing for the code-quality slice of agentic governance. It is also the slice Sonar happens to own. The framework is honest about that — it is explicitly a code-trust framework, not an action-trust framework.

The structural gap: no Pre-Execution Gate

Look at the four stages again. Verify inspects code the agent already wrote. Solve fixes that code. Guide informs the next generation. Nowhere in the loop is there a stage that intercepts an action the agent is about to take.

That matters because the failures that wake operators at 2 a.m. are rarely "the committed code had a bug Verify missed." They are:

An agent ran rm -rf node_modules ../ with a path that traversed out of the workspace.
An agent ran DROP TABLE users against the staging connection because the staging connection happened to point at prod.
An agent ran git push --force to main to "clean up history" and erased two days of work.
An MCP tool was given an outbound URL the agent improvised — and the URL was a credential-stealing endpoint hidden in a doc the agent ingested.
An agent committed .env with live keys, pushed, and the leak detector caught it ninety seconds later.

None of those produce committed source code that Verify can read. They are runtime actions that happen between Generate and the next Guide loop. By the time AC/DC's Verify stage runs, the damage is done.

The gap in plain terms: AC/DC governs what the agent writes. The unsolved layer is what the agent does — tool calls, shell commands, file writes, MCP invocations, outbound network calls — before any of those actions become text that a static analyzer can see.

Where runtime enforcement plugs into AC/DC

ThumbGate operates at the PreToolUse boundary inside the agent runtime — Claude Code, Cursor, OpenAI Codex CLI, Google Gemini CLI, Sourcegraph Amp, Cline, OpenCode, Claude Desktop. When the agent is about to execute a tool call, ThumbGate inspects the proposed call and returns allow, warn, block, or route-to-human. The boundary is the runtime, not the file system.

Mapped onto AC/DC, that lands in two stages:

AC/DC stage	What runtime enforcement adds
Guide	Local prevention rules promoted from prior failures (auto-generated from feedback hooks) become part of the context handed to the agent. The agent doesn't just see "your team's standards" — it sees "your team's standards plus a list of specific tool-call patterns that have caused incidents here."
Verify (runtime)	A second Verify pass runs at PreToolUse: before the agent's proposed tool call executes, ThumbGate checks it against the local lesson DB, allowlists, and policy bundles. Allow, warn, block, or route. Evidence is logged structurally so reviewers can audit decisions later.

Verify of code

Static analysis on committed source code. Catches quality, security, and duplication issues after the diff exists. This is what Sonar does well, and what AC/DC's Verify stage maps to.

Verify of action

Runtime inspection of the proposed tool call before it fires. Catches destructive shell, unauthorized MCP, secret exfiltration, force-push, and out-of-scope file writes — before they become incidents.

The two-layer deployment for an AC/DC team

If your team already runs Sonar (or any static-analysis Verify stage), the integration story is short and additive:

Keep AC/DC's Verify on code. Sonar, SonarQube, or your existing static-analysis pipeline continues to inspect the source the agent produces. Nothing changes there.
Add a Verify-of-action layer at the PreToolUse boundary. Install ThumbGate in the agent runtimes your developers actually use. The runtime now inspects every proposed tool call against your local rules and the prevention-rules.md generated from prior failures.
Wire the feedback loop back into Guide. Every blocked action becomes a lesson. Lessons promote to prevention rules. Prevention rules become part of the context the next Guide iteration hands to the agent. AC/DC's loop closes one stage earlier.

Sales line: If your team adopted AC/DC and stopped at Verify-of-code, you are governing what the agent wrote and not what the agent did. Add the Pre-Execution Gate before the next blast-radius incident teaches you which half of the loop was missing.

What this looks like in a buyer demo

One AC/DC iteration where Sonar's Verify catches a real code-quality issue in generated code. Good. That's what AC/DC promises.
One proposed tool call (git push --force origin main) blocked at PreToolUse before execution. Evidence logged.
The blocked call promoted to a prevention rule. The next agent run sees that rule in its Guide context.
An export a reviewer or risk officer can inspect: allowed calls, blocked calls, overrides, rule-promotion history.

FAQ

Why doesn't AC/DC name a Pre-Execution Gate stage?

AC/DC is framed by Sonar, whose product surface ends at static analysis of code. Naming a runtime-action stage that Sonar doesn't ship would be marketing against itself. The framework is internally consistent for the slice it owns; it just doesn't claim coverage of runtime actions. That's the gap a runtime-enforcement layer fills.

Can I run ThumbGate without Sonar, or vice versa?

Yes to both. ThumbGate adds runtime-action Verify regardless of what static-analysis tool runs alongside it. AC/DC's Verify stage can be filled by any static-analysis pipeline. They are independent layers.

Where do prevention rules come from?

From your team's own incidents and feedback. ThumbGate captures thumbs-down events via feedback hooks, promotes recurring failures to the local lesson DB, and synthesizes prevention rules that survive model upgrades and prompt resets. The rules are local to your team — they encode your specific failure patterns, not generic SOC2 boilerplate.

Does ThumbGate work with Claude Code only?

No. The PreToolUse boundary exists in Claude Code, Cursor, OpenAI Codex CLI, Google Gemini CLI, Sourcegraph Amp, Cline, OpenCode, and Claude Desktop. ThumbGate's adapter matrix covers all of them. One rule set, every agent runtime.

Close the pre-execution gap in AC/DC

Install runtime enforcement at the PreToolUse boundary across every agent your team uses. Local rules, hosted evidence, no static-analyzer in the path.

$ npx thumbgate init

AC/DC governs the code agents write. Runtime enforcement governs what agents do.

What AC/DC is

The structural gap: no Pre-Execution Gate

Where runtime enforcement plugs into AC/DC

Verify of code

Verify of action

The two-layer deployment for an AC/DC team

What this looks like in a buyer demo

FAQ

Close the pre-execution gap in AC/DC

Related articles