LLM Safe Workspace

A VS Code extension that creates redacted, container-safe workspaces for LLM agents and provides a host-only hydrate/run workflow for secrets and proprietary logic.
Features
- Automatic secret redaction - Detects and masks 20+ types of secrets (API keys, JWTs, private keys, connection strings)
- Container isolation - Generates Dev Container configuration so LLMs only see redacted files
- Customizable rules - Configure redaction patterns, sensitive keywords, and file inclusion/exclusion via YAML
- Bidirectional sync - Sync changes between safe workspace and original repo
- Hydrate/run workflow - Restore secrets temporarily for test runs without exposing them to LLMs
Why This Approach
If your LLM can run terminal commands, any mounted file path is reachable. This extension avoids that risk by:
- Creating a redacted workspace for LLM use
- Generating a Dev Container setup so the LLM only sees the redacted files
- Keeping real secrets/logic outside the workspace, hydrated only for runs
Installation
From VSIX (Recommended)
- Download the latest .vsix from Releases
- In VS Code: Extensions > ... > Install from VSIX
From Source
```bash
git clone https://github.com/MandruStack/LLM_safe_vs_extension.git
cd LLM_safe_vs_extension
npm install
npm run build
npx @vscode/vsce package
code --install-extension llm-safe-workspace-*.vsix
```
Quick Start
- Install the extension
- Open the repository you want to protect
- Run "LLM Safe: Open Settings UI" and review the defaults
- Run "LLM Safe: Create Redacted Workspace (Container Safe)"
- The extension creates <source>_safe in the repo (or your configured redacted_workspace_dir)
- The extension opens the safe folder in a Dev Container automatically
- Use Claude Code/Codex inside the container
Configuration
Run "LLM Safe: Open Settings UI" to configure:
| Setting | Description |
| --- | --- |
| hidden | File patterns to completely exclude from safe workspace |
| redactions | Rules for detecting and masking secrets |
| include_patterns | File patterns to scan for redaction |
| sensitive_keywords | Keywords that trigger redaction (e.g., password, token) |
| disabled_redactions | Rule names to disable |
| max_file_size_kb | Skip files larger than this (0 = no limit) |
| redacted_workspace_dir | Output directory name (auto = <source>_safe) |
| container_extensions | VS Code extensions to install in container |
| source_root | Subfolder to redact (. = entire repo) |
Default Protections
- Hidden files: .env, .npmrc, .pypirc, .git-credentials, SSH keys, certificates, and common secret stores
- Built-in rules: Private keys, JWTs, AWS keys, GitHub/GitLab tokens, Slack/Discord webhooks, OpenAI/Anthropic API keys, connection strings, and more
- Sensitive keywords: key, secret, token, password, credential, webhook (case-insensitive)
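How format rules, sensitive keywords and disabled_redactions can interact, shown as an added example that is not the extension's own code. The rule names, regexes, the `redact` function and the `<REDACTED:...>` placeholder are assumptions of this example; all sample values are constructed.

```javascript
// Hypothetical rule set for this example; names and regexes are assumptions.
const RULES = [
  { name: "aws_access_key_id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "jwt", re: /\beyJ[\w-]+\.[\w-]+\.[\w-]+/g },
  { name: "connection_string", re: /\b[a-z][a-z0-9+]*:\/\/[^\s:@\/]+:[^\s@\/]+@\S+/gi },
];
// Keyword list as given under "Sensitive keywords" (matched case-insensitively).
const KEYWORDS = ["key", "secret", "token", "password", "credential", "webhook"];
// NAME = value or NAME: value, where NAME contains a keyword as a substring.
const KW_LINE = new RegExp(
  `^(\\s*[\\w.-]*(?:${KEYWORDS.join("|")})[\\w.-]*\\s*[:=]\\s*)(\\S.*)$`, "i");

function redact(text, disabled = []) {
  const hits = [];
  const lines = text.split("\n").map((line) => {
    // Pass 1: format-based rules, skipping any rule named in `disabled`.
    for (const rule of RULES) {
      if (disabled.includes(rule.name)) continue;
      line = line.replace(rule.re, () => {
        hits.push(rule.name);
        return `<REDACTED:${rule.name}>`; // constructed placeholder format
      });
    }
    // Pass 2: keyword-named assignments whose value is not already masked.
    const m = line.match(KW_LINE);
    if (m && !m[2].startsWith("<REDACTED:")) {
      hits.push("keyword");
      line = m[1] + "<REDACTED:keyword>";
    }
    return line;
  });
  return { text: lines.join("\n"), hits };
}

// Constructed sample input; every value below is fake.
const SAMPLE = [
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  "db_password: constructed-pass-123",
  "Authorization: Bearer eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0.c2ln",
  "KEYBOARD_LAYOUT=us", // over-redacted: the name contains "key"
  "DB_URL=postgres://app:constructed-pass-123@db/app",
].join("\n");
```

Calling `redact(SAMPLE, ["connection_string"])` leaves the DB_URL line in clear text because neither its name nor any remaining rule matches, which is the kind of gap a redaction preview is there to catch.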
Commands
| Command | Description |
| --- | --- |
| LLM Safe: Create Redacted Workspace | Generate container-safe copy with secrets masked |
| LLM Safe: Open Settings UI | Configure redaction rules and patterns |
| LLM Safe: Scan Redaction Preview | Preview what will be redacted before generating |
| LLM Safe: Edit .llm-safe.yaml | Open config file in editor |
| LLM Safe: Scaffold Hydrate & Run | Generate runner scripts for secret restoration |
Hydrate and Run
The safe workspace includes a scaffolding_extension/ folder with runner scripts:
```bash
# Run a command with secrets temporarily restored
node scaffolding_extension/llm-safe-run.js -- npm test
```
The script will:
- Copy the redacted workspace to a temp directory
- Run your hydrate commands (e.g., sops, age)
- Overlay decrypted files into the temp workspace
- Run your command
- Delete the temp workspace
Edit scaffolding_extension/llm-safe-run.json to configure hydration.
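The five steps above as a minimal host-side routine, added here as an example and not the contents of llm-safe-run.js. `hydrateAndRun`, its parameters, the `hydrate` callback (standing in for the configured sops or age commands) and the `<REDACTED>` placeholder are assumptions; the demo data is constructed.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");
const { spawnSync } = require("node:child_process");

// Hypothetical helper. hydrate(overlayDir) must write decrypted files into
// overlayDir, mirroring their paths in the workspace.
function hydrateAndRun(safeDir, hydrate, cmd, args) {
  // mkdtemp gives an unpredictable name; on POSIX the directory is mode 0700.
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "llm-safe-run-"));
  const work = path.join(root, "work");
  const overlay = path.join(root, "overlay");
  try {
    fs.mkdirSync(overlay);
    fs.cpSync(safeDir, work, { recursive: true }); // 1. copy redacted workspace
    hydrate(overlay); // 2. decrypt, never into safeDir
    fs.cpSync(overlay, work, { recursive: true, force: true }); // 3. overlay
    const res = spawnSync(cmd, args, { cwd: work, encoding: "utf8" }); // 4. run
    return { status: res.status, stdout: res.stdout, root };
  } finally {
    // 5. always delete the plaintext, even if hydrate or the command throws.
    fs.rmSync(root, { recursive: true, force: true });
  }
}

// Constructed demo: a one-file workspace with a placeholder and a fake secret.
function demo() {
  const safeDir = fs.mkdtempSync(path.join(os.tmpdir(), "demo-safe-"));
  fs.writeFileSync(path.join(safeDir, "config.txt"), "API_KEY=<REDACTED>\n");
  const hydrate = (dir) =>
    fs.writeFileSync(path.join(dir, "config.txt"), "API_KEY=constructed-value\n");
  const script =
    "process.stdout.write(require('fs').readFileSync('config.txt','utf8'))";
  const run = hydrateAndRun(safeDir, hydrate, process.execPath, ["-e", script]);
  const safeAfter = fs.readFileSync(path.join(safeDir, "config.txt"), "utf8");
  fs.rmSync(safeDir, { recursive: true, force: true });
  return { ...run, safeAfter, tempGone: !fs.existsSync(run.root) };
}
```

The command sees the hydrated value, while the redacted workspace on disk keeps its placeholder and the temp tree is gone once the call returns.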
Syncing Changes
Use the sync scripts to transfer changes between workspaces:
```bash
# Apply safe workspace edits back to original repo
node scaffolding_extension/llm-safe-sync.js --to-source
# Refresh safe workspace from original repo
node scaffolding_extension/llm-safe-sync.js --to-safe
```
Options:
- --dry-run - Preview changes without applying
- --delete - Remove files missing on the other side
- --allow-redacted - Force sync even if redacted placeholders exist
Requirements
| Requirement | Purpose |
| --- | --- |
| VS Code 1.85+ | Extension host |
| Docker Desktop | Container isolation |
| Dev Containers extension | Required for container workflow |
Note: Without Docker, you can still create the redacted folder, but isolation is weaker.
Troubleshooting
Docker Not Running
Error: "Docker Desktop is not running"
Solution: Start Docker Desktop before running the extension.
Extension Not Found in Container
Some extensions (like Claude Code) may not be available for Linux ARM.
Solution: Remove unavailable extensions from container_extensions in your config.
Redactions Not Appearing
- Check include_patterns covers your file types
- Run "Scan Redaction Preview" to verify detection
- Check disabled_redactions list
Container Fails to Open
- Ensure Dev Containers extension is installed
- Try "Reopen in Container" manually from the Command Palette
- Check Docker has sufficient resources allocated
First Container Open is Slow
This is normal. VS Code Server and extensions need to download. Subsequent opens are faster.
Extension Development Host Limitations
When running via F5 (Extension Development Host), the container opens in a separate window without your dev extension. To test the full container flow, package and install the extension normally.
Sharing with Others
This workflow is shareable:
- Commit the redacted workspace (safe to share)
- Commit .llm-safe.yaml and scaffolding_extension/
- Share decryption keys out-of-band
Each collaborator can hydrate locally without exposing secrets to LLMs.
Security Notes
- Do not mount your host home directory into the container
- Keep secrets and proprietary logic outside the workspace
- Use overlays to hydrate only for test runs
- The redacted workspace is intended to be your LLM-facing repo
Contributing
See CONTRIBUTING.md for development setup and guidelines.
License
MIT - see LICENSE