Skip to content
| Marketplace
Sign in
Visual Studio Code>Other>Halting GuardNew to Visual Studio Code? Get it now.
Halting Guard

Halting Guard

chigelu onyedika

|
1 install
| (0) | Free
Analyze AI-suggested code/commands before accepting them — shows risk level and a plain-English summary.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.
Copied to clipboard
More Info

Halting

Halting reviews every AI-suggested command or code snippet before it runs — giving you a plain-English risk summary and a risk level so you can make an informed decision.


How it works

Automatic command analysis (hooks)

Once set up, Halting intercepts shell commands that your AI coding assistant tries to run and shows you a risk analysis before it executes:

🛑  Halting — Pre-flight Analysis
─────────────────────────────────────
⚠️  Risk: Warning
📋  This command installs packages from the npm registry and modifies node_modules/. It does not delete files or access the network beyond npm.
─────────────────────────────────────

Local rules layer

Before any command reaches the AI, it's checked against a local, offline rules layer: a denylist of unambiguously dangerous patterns (rm -rf /, fork bombs, piping remote scripts into a shell, etc.) that block immediately with no network call, and a conservative allowlist of read-only commands (ls, git status, pwd, …) that are allowed immediately, also with no network call. Only commands that fall through both lists — and commands flagged as obfuscated or referencing a sensitive path — get sent to the LLM, and a denylist/obfuscation verdict can never be overridden by what the model comes back with.

Automatic, blocking review is supported for:

Assistant Support
Claude Code Full — installs into ~/.claude/settings.json, auto-blocks Dangerous commands
Cursor Full — installs a project-level .cursor/hooks.json, auto-blocks Dangerous commands
Windsurf Full — installs a project-level .windsurf/hooks.json, auto-blocks Dangerous commands
Antigravity Full — installs a project-level .agents/hooks.json, auto-blocks Dangerous commands
GitHub Copilot Not supported — Copilot's agent mode has no third-party API for blocking a command before it runs.

Unlike Claude Code, Cursor/Windsurf/Antigravity have no field in their hook config for storing secrets — after installing their hooks you'll still need OPENROUTER_API_KEY set as a real environment variable (the setup command tells you how).


Getting started

Halting walks you through setup automatically on first launch:

  1. Get a free API key from openrouter.ai/keys
  2. Paste the key when prompted — it is stored securely in your system keychain, never in plain text
  3. Install hooks — run Halting: Setup Hooks (Choose Tools)… and pick the assistant(s) you use
  4. Reload VS Code (or restart your assistant) — done

Commands

Command Description
Halting: Setup Hooks (Choose Tools)… Pick which assistant(s) to install hooks for
Halting: Setup Claude Code Hooks Install hooks into Claude Code
Halting: Setup Cursor Hooks Install hooks into Cursor (project-level)
Halting: Setup Windsurf Hooks Install hooks into Windsurf (project-level)
Halting: Setup Antigravity Hooks Install hooks into Antigravity (project-level)
Halting: Set API Key Store or update your OpenRouter API key
Halting: Reset Setup Clear stored key and re-run onboarding

Requirements

  • One of Claude Code, Cursor, Windsurf, or Antigravity
  • A free OpenRouter API key

Settings

Setting Default Description
halting.model anthropic/claude-haiku-4-5 OpenRouter model used for analysis
halting.failMode open What happens when the AI risk analysis can't complete (timeout, network error, bad response): open allows with a loud warning, closed blocks. Local rules always apply regardless of this setting.
halting.timeout 5000 Milliseconds to wait for the AI risk analysis before treating it as failed and falling back to halting.failMode.
halting.redactSecrets true Redact known secret formats (API keys, bearer tokens, export KEY=...) from a command before sending it to OpenRouter or writing it to the decision log. Best-effort, not a guarantee.

Risk levels

Level Meaning
✅ Safe Command is read-only or low impact
⚠️ Warning Command modifies files or installs packages — review before proceeding
🚫 Dangerous Command deletes files, alters system config, or has high destructive potential

Privacy

Commands that the local rules layer can't classify on its own are sent to OpenRouter for analysis — this can include file paths, arguments, and other command content. Read-only commands matched by the local allowlist (ls, git status, etc.) never leave your machine. Known secret formats are redacted before anything is sent, by default (halting.redactSecrets) — this is best-effort and won't catch every possible secret shape, so don't rely on it as a guarantee. Onboarding shows this notice explicitly and requires you to acknowledge it before setup finishes.

Your API key is stored in your OS keychain (Windows Credential Manager / macOS Keychain) and is never written to any settings file.

Every non-trivial decision (command, which rule or AI risk level decided it, and the action taken) is appended to ~/.claude/halting-decisions.log as JSON lines, regardless of which assistant triggered it — useful for auditing or tuning the rules layer.

  • Contact us
  • Jobs
  • Privacy
  • Manage cookies
  • Terms of use
  • Trademarks
© 2026 Microsoft