AvaTrust

Local trust layer for AI-generated code changes.

AvaTrust watches selected workspace files while you code, flags risky trust patterns early, and helps you review changes before they ship.

Why AvaTrust

AI-assisted coding can produce changes that look reasonable but quietly introduce trust risks:

• preview or debug bypasses
• browser-reachable secret exposure
• client-side token leaks
• unsafe HTML rendering
• sensitive routes without explicit auth checks

AvaTrust focuses on these high-signal patterns without uploading your code anywhere.

How It Works

1. You open a trusted workspace in a supported editor.
2. AvaTrust watches active files locally.
3. When it sees a risky change, it adds:
   • inline diagnostics
   • Problems panel findings
   • Quick Fix actions
4. You review the finding, apply the safer pattern yourself, and re-check the file.

Main commands:

• AvaTrust: Review Current File
• AvaTrust: Review Current Changes

Supported Editors

AvaTrust v1 is built for VS Code-compatible editors.

Runtime smoke checks passed on this machine in:

• Visual Studio Code
• Visual Studio Code Insiders
• Cursor
• Windsurf
• VSCodium

JetBrains support is intentionally out of scope for this product track right now.

Codex Desktop is not yet a native inline surface for AvaTrust, so it should not be marketed as supported today.

Free Preview

This first version ships as a local-only Free Preview.

Included in Free Preview:

• local live trust hints
• current file review
• current changes review
• safer fix guidance

Preview limits:

• 20 live trust finding sessions / month
• 40 review actions / month

Limit behavior:

• a live trust finding session is one meaningful batch of new findings in the current file or change set, not one count per individual issue
• a review action is an explicit user action such as Review Current File, Review Current Changes, or opening a safer-fix guidance flow

Planned paid tiers:

• Solo - coming soon
• Pro - coming soon

Privacy

AvaTrust is designed to be local-first.

• no code upload
• no file contents sent to us
• no diffs sent to us
• no scan payload leaves your environment
• selected workspace scope only

Optional anonymous telemetry is planned, but the product should always work without telemetry.

Telemetry, when enabled, will be limited to product-behavior events such as:

• extension activation
• active day
• review opened
• quick fix opened
• extension version

AvaTrust will not collect:

• source code
• file contents
• diffs
• secrets
• scan bodies
• report bodies

Current Scope

This early version is intentionally focused on high-signal trust issues. It is not trying to replace a full semantic reviewer, a full security platform, or a general-purpose AI coding assistant.

It is best at catching:

• trust-sensitive bypasses
• exposed secret-like values
• client-side token leaks
• obviously risky frontend trust patterns
• missing auth signals on sensitive routes

Relationship to MunaTrust

MunaTrust and AvaTrust are related but intentionally separate.

MunaTrust:

• broader scanner / review / ship-gate product
• existing marketplace distribution

AvaTrust:

• dedicated live trust-layer product
• local-first workspace watcher behavior
• focused on early detection and safer-fix guidance

Feedback

If AvaTrust catches something important in your workflow, that is exactly the signal this product is built for.