thumbgate-protectlisted

# ThumbGate Protect Inspect the protected-action posture for this project and, when the user explicitly approves, grant a scoped, expiring exception so a protected-file edit or publish can proceed under audit. This skill wraps existing ThumbGate capability and adds **no new logic** — it reads governance state and records a time-boxed approval. ## Workflow 1. **Read the posture** with the `get_branch_governance` MCP tool: protected branches, release rules, and the protected-file globs in effect. 2. **Report it plainly:** what is protected, and what the agent is currently blocked from touching without approval. 3. **Only if the user explicitly asks to proceed,** grant a scoped approval with the `approve_protected_action` MCP tool — keep `pathGlobs` to the smallest set the action needs and `ttlMs` as short as the task requires (default ~1 hour). 4. **Confirm** the approval id, covered globs, and expiry. Approvals are temporary and audited; re-run for the next task. The full `approve_protected_action` field contract (`pathGlobs`, `reason`, `evidence`, `ttlMs`) and the audit model are in [references/governance-and-approvals.md](references/governance-and-approvals.md). ## Example Input: "main is protected but I need to hotfix the changelog — approve it for this one edit" Action: 1. `get_branch_governance` → confirm `main` is protected and `CHANGELOG.md` is in a protected glob. 2. `approve_protected_action` → `pathGlobs: ["CHANGELOG.md"]`, `reason: "hotfix cha