Ofofo: AI Code Governance & Security

Professional linter and rule engine for VS Code, Cursor, Windsurf, and Antigravity. Advanced ESLint alternative with real-time code quality validation, security scanning, and compliance enforcement. Perfect for TypeScript, JavaScript, Python, React, and Next.js projects. Features comprehensive linting, secret detection, vulnerability scanning, SBOM generation, and AI-powered code governance with SOC2-ready standards.

🎯 What Makes This Different?

Comprehensive Linting & Code Quality: Real-time validation for TypeScript, JavaScript, Python, React, and Next.js with 14 categories of coding standards. ESLint-compatible with enhanced rule engine capabilities.

Security-First Approach: Built-in secret scanning, vulnerability detection, and Software Composition Analysis (SCA) using OSV API. Automatically detects hardcoded API keys, passwords, tokens, and dependency vulnerabilities.

AI-Powered Governance: Integrates with Cursor AI, Windsurf, and Antigravity to enforce coding standards, track code provenance, and provide AI-assisted remediation suggestions.

Enterprise-Ready: Built for SOC 2 programs, with automated evidence generation, audit trails, and policy-as-code enforcement.

Supply Chain Security: All downloads include SHA-256 checksums so you can detect a corrupted or altered file before installing it. Note that a checksum published alongside the download establishes integrity, not publisher authenticity: an attacker who can replace the file on the site can usually replace the checksum too, so compare against a value obtained from a second channel when that matters to you.

🚀 Quick Start

  1. Install from VS Code Marketplace: Search for "Ofofo" or "linter" in VS Code Extensions
  2. Or Download from Website: Visit ofofo.ai to download the .vsix file manually
  3. Start Using: Extension activates automatically and installs default rules

✨ Core Features

📋 Linting & Code Quality Engine

Real-Time Linting: Instant feedback in Problems panel for TypeScript, JavaScript, Python, React, and Next.js code. ESLint-compatible validation with enhanced rule capabilities.

Comprehensive Rule Validation: Validate .mdc rule files and AGENTS.md against schemas and best practices. Automatic validation on save with detailed error messages.

Rule Generation & Management:

  • Scaffold new rule files from 14 category templates
  • Migrate legacy .cursorrules JSON files to modern .mdc format
  • Visual rule explorer with tree view of all workspace rules
  • Context-aware rule recommendations based on file content

Code Actions & Quick Fixes: One-click fixes for common rule violations and code quality issues.

Status Bar Integration: Real-time display of rule violations, security issues, and vulnerability counts.

🔒 Security & Vulnerability Management

Real-Time Secret Scanning:

  • Automatically detect hardcoded passwords, API keys, tokens, and credentials
  • Rust WASM-powered high-performance scanning
  • False positive management with rationale tracking
  • Status bar alerts for detected secrets

Software Composition Analysis (SCA):

  • Comprehensive dependency vulnerability scanning using OSV (Open Source Vulnerabilities) API
  • Detailed per-package vulnerability reporting with severity breakdown (Critical, High, Medium, Low)
  • Automatic fetching of full vulnerability descriptions when batch queries return minimal data
  • Vulnerability links and references for each finding
  • Fixed version recommendations when available
  • CVSS scores and CWE IDs for risk assessment
  • Real-time scanning with file watchers (auto-scans on dependency changes)
  • 24-hour intelligent caching for performance optimization

SBOM Generation:

  • Generate Software Bill of Materials in CycloneDX and SPDX formats
  • Command palette integration for easy generation
  • Format selection (Both, CycloneDX only, or SPDX only)
  • Automatic cleanup of old timestamped SBOM files

AI Chat Integration: Send vulnerability and secret scan results directly to Cursor AI chat, Windsurf, or Antigravity for remediation assistance.

🤖 AI Code Governance

Code Provenance Tracking: Track AI-generated code with ISO 8601 timestamps. Enforce that AI writes only executable code, with its explanatory comments extracted to .md files (see the cursor-rules.enforceCodeOnly and cursor-rules.autoExtractComments settings below).

Secret Access Blocking: Prevent AI from accessing secret files and sensitive data.

Human-in-the-Loop: Require approval for AI-generated changes to critical files.

Policy Enforcement: Policy-as-code with automated compliance checking for SOC2, NIST SSDF, and other standards.

⚡ Performance & Reliability

High-Performance WASM: Rust-based secret scanning, SBOM parsing, and validation for maximum speed.

Intelligent Caching: 24-hour vulnerability cache to minimize API calls and improve response times.

Batch Processing: Efficient batch queries to OSV API for multiple packages simultaneously.

Auto-Scanning: File watchers trigger scans automatically on dependency changes (package.json, package-lock.json, requirements.txt, etc.).

📦 Installation

Option 1: VS Code Marketplace (Recommended)

  1. Open VS Code (or Cursor, Windsurf, Antigravity)
  2. Go to Extensions (Ctrl+Shift+X / Cmd+Shift+X)
  3. Search for "Ofofo" or "linter"
  4. Click Install

Marketplace Link: VS Code Marketplace - Ofofo Extension

Option 2: Manual Download from Website

  1. Visit ofofo.ai and download the .vsix file
  2. Verify Checksum (Recommended for security):
    # On macOS/Linux
    shasum -a 256 ofofo-ai-1.4.0.vsix
    
    # On Windows (PowerShell)
    Get-FileHash -Algorithm SHA256 ofofo-ai-1.4.0.vsix
    
    # Expected SHA-256 checksum:
    1669a9221db43844c34eb864093ed62ac478cf2d283c30c0880b3a11e45a8e7a
    
    The printed digest must equal the expected value (Get-FileHash prints it in upper case; the comparison is case-insensitive). If it differs, do not install the file: re-download it and compare again.
    
  3. In VS Code (or compatible IDE), press Ctrl+Shift+P (Cmd+Shift+P on Mac)
  4. Type "Install from VSIX..."
  5. Select the downloaded .vsix file

Download URL: https://ofofo.ai/downloads/ofofo-ai-1.4.0.vsix
SHA-256 Checksum: 1669a9221db43844c34eb864093ed62ac478cf2d283c30c0880b3a11e45a8e7a
(Verify checksum before installation to prevent supply chain attacks)

Command Line Installation (Alternative)

If you've downloaded the .vsix file:

# For VS Code
code --install-extension ofofo-ai-1.4.0.vsix

# For Cursor (if cursor command is in PATH)
cursor --install-extension ofofo-ai-1.4.0.vsix

# For Windsurf (if windsurf command is in PATH)
windsurf --install-extension ofofo-ai-1.4.0.vsix

Note: The extension works with VS Code, Cursor, Windsurf, and Antigravity. For Cursor users, you can install the VSIX file manually even though Cursor uses Open VSX Registry.
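The checksum step and the command-line install above are easy to do by hand but just as easy to skip. The following is an added example, not part of the Ofofo extension, of a cross-platform pre-install gate that computes the digest, compares it to the published value, and only then runs the editor's --install-extension command. The file name and expected digest are the ones on this page; the `editor` parameter defaults to `code` and can be `cursor` or `windsurf` as in the commands above.

```python
"""Added example (not part of the Ofofo extension): refuse to install a VSIX
unless its SHA-256 matches the digest published for it."""
import hashlib
import hmac
import pathlib
import shutil
import subprocess

# Values published on this page for the 1.4.0 release.
VSIX_NAME = "ofofo-ai-1.4.0.vsix"
EXPECTED_SHA256 = "1669a9221db43844c34eb864093ed62ac478cf2d283c30c0880b3a11e45a8e7a"


def sha256_of_file(path: pathlib.Path, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, streamed so a large archive never sits in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalise_digest(expected_hex: str) -> str:
    """Lower-case the published value and reject anything that is not 64 hex
    characters, so a truncated copy-paste fails loudly instead of never matching."""
    expected = expected_hex.strip().lower()
    if len(expected) != 64 or set(expected) - set("0123456789abcdef"):
        raise ValueError(f"not a SHA-256 hex digest: {expected_hex!r}")
    return expected


def verify_sha256(path: pathlib.Path, expected_hex: str) -> bool:
    """True only when the file's digest equals the published one.

    hmac.compare_digest is constant-time; not strictly needed for a local file
    check, but it is the right default whenever two digests are compared."""
    return hmac.compare_digest(sha256_of_file(path), normalise_digest(expected_hex))


def install_verified_vsix(path: pathlib.Path, expected_hex: str, editor: str = "code") -> int:
    """Run `<editor> --install-extension <path>` only after the digest check passes.
    Returns the editor's exit status; raises before launching it on any mismatch."""
    if not verify_sha256(path, expected_hex):
        raise RuntimeError(f"{path.name}: SHA-256 mismatch, refusing to install")
    exe = shutil.which(editor)
    if exe is None:
        raise FileNotFoundError(f"{editor!r} not found on PATH")
    return subprocess.run([exe, "--install-extension", str(path)], check=False).returncode


if __name__ == "__main__":
    raise SystemExit(install_verified_vsix(pathlib.Path(VSIX_NAME), EXPECTED_SHA256))
```

Run it from the directory containing the downloaded file; a mismatch raises before the editor is ever invoked, which is the behaviour you want from a gate rather than a warning you can scroll past.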

🎯 Usage

Getting Started

  1. Automatic Setup: On first activation, Ofofo installs default rules to .cursor/rules/
  2. Status Bar: Check the status bar for "Ofofo: OK" or security alerts
  3. Problems Panel: View rule violations and secret detections in Problems panel

Commands

Access commands via Command Palette (Ctrl+Shift+P / Cmd+Shift+P):

  • Ofofo: Enable Rules - Enable diagnostics and install default rules
  • Ofofo: Disable Rules - Disable diagnostics (with option to remove rule files)
  • Ofofo: Scan Workspace for Secrets - Scan for hardcoded secrets
  • Ofofo: Scan for Vulnerabilities - Perform Software Composition Analysis (SCA) on dependencies
    • Analyzes SBOM files for known vulnerabilities
    • Shows detailed per-package results with severity breakdown
    • Displays vulnerability links, CVSS scores, and fix recommendations
    • Option to send results to AI chat for remediation help
  • Ofofo: Generate SBOM - Generate Software Bill of Materials (CycloneDX/SPDX)
    • Interactive format selection
    • Automatic file cleanup
    • Option to run SCA scan after generation
  • Ofofo: Show Problems - Open Problems panel
  • Ofofo: Add to Chat - Send problems/errors directly to Cursor chat
    • When invoked via Command Palette: Sends all diagnostics (errors, warnings, secrets, vulnerabilities) directly to the active Cursor chat window, or opens a new chat if none exists
    • When invoked via code action (right-click on error in Problems panel): Sends specific error context with code snippet to chat
    • When invoked from Debug Console or other contexts: Opens chat and sends message
    • Automatically opens chat panel if not already open, with fallback to clipboard if chat cannot be opened

Enable/Disable Behavior

Important: The Ofofo extension controls diagnostics (Problems panel, secret scanning, vulnerability detection), but Cursor's AI agent reads .cursor/rules/ files independently.

  • Enable: Installs default rules to .cursor/rules/ and enables diagnostics
  • Disable: Gives you two options:
    1. Disable diagnostics only - Stops showing Problems panel, but keeps rule files (Cursor will still use them)
    2. Disable and remove rules - Removes Ofofo-installed rule files from .cursor/rules/

Note: If you manually added rules to .cursor/rules/, they won't be removed when disabling. Only rules installed by Ofofo are tracked and can be removed.

Secret Management Workflow

  1. Scan for Secrets: Run Ofofo: Scan Workspace for Secrets
  2. Review Detections: Check Problems panel for detected secrets
  3. Mark False Positives: Right-click → "Mark as False Positive" → Add rationale
  4. Status Updates: Status bar updates automatically when all secrets are resolved
  5. AI Chat Integration: Secret scan results can be sent to AI chat for assistance
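To make the workflow above concrete, here is an added example, not the extension's own scanner, of a small pattern-based secret scanner with the two properties the page describes: a false-positive list that records a rationale, and reports that carry only metadata (path, line, pattern type, fingerprint) and never the matched value, matching the "metadata only" guarantee in the release notes. The pattern names, the sample workspace, and the fingerprint scheme are assumptions made for the example; the regexes follow the documented formats of an AWS access key id and a GitHub classic token.

```python
"""Added example (not the Ofofo extension's code): metadata-only secret scanning
with a rationale-tracking false-positive list."""
import hashlib
import re
from dataclasses import dataclass, asdict

# Pattern names are assumptions. AWS access key ids are "AKIA" + 16 characters,
# GitHub classic PATs are "ghp_" + 36 characters; the third pattern catches a
# quoted value assigned to a secret-like name.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|password|token)\s*[:=]\s*["']([^"']{8,})["']"""),
}

# Constructed workspace. AKIAIOSFODNN7EXAMPLE is the sample key AWS's own docs use.
SAMPLE_FILES = {
    "src/config.py": 'API_KEY = "sk_test_51abcdefghijklmnop"\nDEBUG = True\n',
    "tests/fixtures.py": 'aws_key = "AKIAIOSFODNN7EXAMPLE"  # documentation sample\n',
    "README.md": 'password = "changeme-in-prod"\n',
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    pattern: str
    fingerprint: str  # stable id for the value; the value itself is never stored


def fingerprint(pattern: str, value: str) -> str:
    """Short SHA-256 over (pattern, value): lets a false-positive entry follow the
    secret if the line moves, without writing the secret into the allowlist."""
    return hashlib.sha256(f"{pattern}\0{value}".encode()).hexdigest()[:16]


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(path, lineno, name, fingerprint(name, value)))
    return findings


def scan_workspace(files: dict[str, str], false_positives: dict[str, str]) -> dict:
    """false_positives maps fingerprint -> rationale, i.e. what "Mark as False
    Positive" records. Returns open and suppressed findings plus a status line."""
    open_, suppressed = [], []
    for path, text in files.items():
        for f in scan_text(path, text):
            if f.fingerprint in false_positives:
                suppressed.append({**asdict(f), "rationale": false_positives[f.fingerprint]})
            else:
                open_.append(asdict(f))
    status = "Ofofo: OK" if not open_ else f"Ofofo: {len(open_)} secret(s)"
    return {"status": status, "open": open_, "suppressed": suppressed}


# The false-positive list for the constructed workspace: the documentation key.
FALSE_POSITIVES = {
    fingerprint("aws_access_key_id", "AKIAIOSFODNN7EXAMPLE"):
        "AWS documentation sample key, used only in test fixtures",
}

if __name__ == "__main__":
    import json
    print(json.dumps(scan_workspace(SAMPLE_FILES, FALSE_POSITIVES), indent=2))
```

Keying the allowlist on a fingerprint of the value rather than on file and line is what keeps a suppression valid across refactors; keying it on the value in clear would turn the allowlist into a second copy of the secret.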

Software Composition Analysis (SCA) Workflow

  1. Generate SBOM: Run Ofofo: Generate SBOM to create dependency inventory
    • Select format: Both (CycloneDX + SPDX), CycloneDX only, or SPDX only
    • SBOM files saved to sbom/ directory
  2. Scan for Vulnerabilities: Run Ofofo: Scan for Vulnerabilities
    • Automatically detects SBOM files in sbom/ directory
    • Queries OSV API for known vulnerabilities
    • Shows detailed results:
      • All packages analyzed
      • Per-package vulnerability count
      • Severity breakdown (Critical, High, Medium, Low, Unknown)
      • Vulnerability IDs, descriptions, CVSS scores, CWE IDs
      • Reference links to advisories
      • Fixed version recommendations
  3. View Results:
    • Check Output channel for detailed analysis
    • Problems panel shows vulnerabilities as diagnostics
    • Status bar displays total vulnerability count
  4. AI Chat Integration: Click "Send to AI Chat" in notification to get remediation help
  5. Auto-Scanning: Extension automatically scans when dependency files change (package.json, package-lock.json, requirements.txt, etc.)

Rule Management Workflow

  • Validate Rules: Rules are automatically validated on save
  • Generate Rules: Use Command Palette → "Generate Rule File"
  • View Rules: Check .cursor/rules/ directory for installed rules

Complete Security Workflow Example

  1. Generate SBOM: Ofofo: Generate SBOM → Select format → Files created in sbom/
  2. Scan for Vulnerabilities: Ofofo: Scan for Vulnerabilities → Review detailed results
  3. Review Findings:
    • Check Output channel for full analysis
    • Problems panel shows vulnerabilities as diagnostics
    • Click vulnerability links to view advisories
  4. Get AI Help: Click "Send to AI Chat" to get remediation recommendations
  5. Update Dependencies: Fix vulnerabilities by upgrading packages
  6. Re-scan: Extension auto-scans when you update package.json/package-lock.json
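The SCA workflow and the complete security workflow above both come down to the same pipeline: read the SBOM, send one OSV batch query, fetch full records where the batch reply is minimal, and summarise per package. The following is an added example of that pipeline, not the extension's own code. It runs offline on a constructed CycloneDX SBOM, a constructed querybatch reply, and constructed full records; the vulnerability ids ("EXAMPLE-0001", "EXAMPLE-0002"), package names and advisory URLs are placeholders, not real advisories. The request and reply shapes follow the OSV API (POST /v1/querybatch aligns results with queries by index and returns id plus modified per vuln; GET /v1/vulns/{id} returns the full record); the `severity` and `cwe_ids` keys under `database_specific` are the ones GitHub-sourced records populate, and records from other sources may not carry them, which is why the code falls back to "Unknown".

```python
"""Added example (not the Ofofo extension's code): CycloneDX SBOM -> OSV batch
query -> per-package severity summary, with full-record fetch on minimal replies."""
import json
from collections import Counter
from typing import Callable
from urllib.parse import unquote

# purl type -> OSV ecosystem string (a subset of the OSV ecosystem list).
ECOSYSTEMS = {"npm": "npm", "pypi": "PyPI", "cargo": "crates.io", "golang": "Go"}

# Constructed SBOM; note the percent-encoded scoped npm name.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
 {"type": "library", "name": "@acme/util", "version": "0.9.1", "purl": "pkg:npm/%40acme/util@0.9.1"},
 {"type": "library", "name": "demo-pkg", "version": "2.0.0", "purl": "pkg:pypi/demo-pkg@2.0.0"},
 {"type": "library", "name": "clean-lib", "version": "3.1.4", "purl": "pkg:npm/clean-lib@3.1.4"}]}"""

# Stand-in for the querybatch reply: results[i] answers queries[i], id + modified only.
BATCH_RESPONSE = {"results": [
    {"vulns": [{"id": "EXAMPLE-0001", "modified": "2024-05-01T00:00:00Z"}]},
    {"vulns": [{"id": "EXAMPLE-0002", "modified": "2024-06-01T00:00:00Z"}]},
    {},
]}

# Stand-in for GET /v1/vulns/{id}; ids, summaries and URLs are placeholders.
FULL_RECORDS = {
    "EXAMPLE-0001": {
        "id": "EXAMPLE-0001", "summary": "Prototype pollution in @acme/util",
        "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],
        "database_specific": {"severity": "CRITICAL", "cwe_ids": ["CWE-1321"]},
        "affected": [{"package": {"ecosystem": "npm", "name": "@acme/util"},
                      "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "0.9.2"}]}]}],
        "references": [{"type": "ADVISORY", "url": "https://example.invalid/advisories/0001"}]},
    "EXAMPLE-0002": {
        "id": "EXAMPLE-0002", "summary": "Unbounded recursion in demo-pkg parser",
        "database_specific": {"severity": "MODERATE"},
        "affected": [{"package": {"ecosystem": "PyPI", "name": "demo-pkg"},
                      "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}]}],
        "references": []},
}


def purl_to_query(purl: str) -> dict:
    """pkg:npm/%40acme/util@0.9.1 -> {"package": {name, ecosystem}, "version"}."""
    body = purl.removeprefix("pkg:").split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    if ptype not in ECOSYSTEMS:
        raise ValueError(f"unsupported purl type in {purl!r}")
    name, sep, version = rest.rpartition("@")
    if not sep or not version:
        raise ValueError(f"purl without a version cannot be queried: {purl!r}")
    return {"package": {"name": unquote(name), "ecosystem": ECOSYSTEMS[ptype]}, "version": version}


def build_querybatch(sbom: dict) -> dict:
    return {"queries": [purl_to_query(c["purl"]) for c in sbom.get("components", []) if "purl" in c]}


def severity_label(record: dict) -> str:
    raw = str(record.get("database_specific", {}).get("severity", "")).upper()
    return {"CRITICAL": "Critical", "HIGH": "High", "MODERATE": "Medium",
            "MEDIUM": "Medium", "LOW": "Low"}.get(raw, "Unknown")


def fixed_versions(record: dict, name: str) -> list[str]:
    return [ev["fixed"] for aff in record.get("affected", [])
            if aff.get("package", {}).get("name") == name
            for rng in aff.get("ranges", []) for ev in rng.get("events", []) if "fixed" in ev]


def summarise(queries: list[dict], batch: dict, fetch: Callable[[str], dict]) -> list[dict]:
    """One entry per query. `fetch` is called only for vulns that arrived without
    full data; in production it would GET /v1/vulns/{id} (and cache the result)."""
    results = batch.get("results", [])
    if len(results) != len(queries):
        raise ValueError("querybatch reply does not align with the queries sent")
    report = []
    for q, res in zip(queries, results):
        name, version = q["package"]["name"], q["version"]
        findings = []
        for v in res.get("vulns", []):
            rec = v if "affected" in v else fetch(v["id"])
            findings.append({
                "id": rec["id"], "summary": rec.get("summary", ""),
                "severity": severity_label(rec),
                "cvss": [s["score"] for s in rec.get("severity", []) if s.get("type", "").startswith("CVSS")],
                "cwe": rec.get("database_specific", {}).get("cwe_ids", []),
                "references": [r["url"] for r in rec.get("references", []) if "url" in r],
                "fixed": fixed_versions(rec, name),
            })
        report.append({"package": name, "version": version, "count": len(findings),
                       "by_severity": dict(Counter(f["severity"] for f in findings)),
                       "findings": findings})
    return report


def run_demo() -> list[dict]:
    queries = build_querybatch(json.loads(SBOM_JSON))["queries"]
    return summarise(queries, BATCH_RESPONSE, FULL_RECORDS.__getitem__)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two details are worth keeping when you adapt this: the reply-length check, because querybatch results are positional and a silently truncated `zip` would attribute findings to the wrong package, and the percent-decoding of purl names, without which a scoped npm package is queried under a name OSV has never seen and comes back clean.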

⚙️ Configuration

Configure the extension in VS Code settings:

  • cursor-rules.enabled: Enable or disable Cursor Rules (default: true)
  • cursor-rules.validateOnSave: Automatically validate rules on file save (default: true)
  • cursor-rules.autoScanSecrets: Automatically scan for secrets on save (default: false)
  • cursor-rules.enableDiagnostics: Enable diagnostic messages (default: true)
  • cursor-rules.enableGreenRedZones: Enable Green/Red Zone categorization (default: false)
  • cursor-rules.enforceCodeOnly: Enforce AI code-only rule (default: true)
  • cursor-rules.autoExtractComments: Automatically extract AI comments to .md files (default: true)
  • cursor-rules.blockSecretAccess: Block AI access to secret files (default: true)
  • cursor-rules.requireHumanApproval: Require human approval for AI changes (default: true)

📚 Rules Database Categories

The extension includes 14 comprehensive categories of SOC2-ready coding standards:

  1. Reliability & Code Quality: Idempotency, immutability, pure functions, atomic operations
  2. Security & Privacy: Secrets management, OWASP Top 10, input validation, least privilege
  3. Coding Style & Workflow: KISS principle, type safety, error handling, naming conventions
  4. Architecture & Scalability: Modular monolith first, service extraction, API design
  5. Resilience & Failure Handling: Exponential backoff, circuit breakers, timeouts
  6. Observability & Monitoring: RED/USE metrics, OpenTelemetry, structured logging
  7. CI/CD & Progressive Delivery: SLSA-2, test pyramid, feature flags, canary deployments
  8. Software Supply Chain Security: SBOM, signed provenance, dependency scanning
  9. Policy Enforcement: Policy as Code, Terraform policies, Kubernetes policies
  10. Metrics, SLOs & Alerting: Service level indicators, error budgets
  11. Developer Culture & Workflow: Blameless postmortems, Green/Red zones
  12. Compliance & Regulatory: SOC 2, NIST SSDF alignment
  13. Framework-Specific: TypeScript, React, Python patterns
  14. Anti-Patterns: Common mistakes and how to avoid them

📋 Requirements

  • VS Code 1.80.0 or higher
  • Cursor IDE (for full Cursor rules support)
  • Node.js 18+ (for SBOM generation)

📝 Release Notes

1.4.0

  • UI Consistency: Updated "Send to Chat" action to "Add to Chat" to match native VS Code/Cursor Problems panel context menu
  • Improved Chat Integration: Enhanced fallback logic to better handle chat opening and message sending
  • Better User Feedback: Clearer success/failure messages when sending to chat

1.1.0

  • Production Release: First production-ready version
  • Security Enhancements:
    • Secret values are NEVER sent to AI chat - only metadata (file paths, line numbers, pattern types)
    • Code snippets excluded for secret detections to prevent exposure
  • Add to Chat Enhancement: "Add to Chat" command now sends messages directly to Cursor chat window (like native Cursor features)
    • Automatically sends all problems/diagnostics when invoked via Command Palette
    • Opens new chat if none is active
    • Includes errors, warnings, secrets (metadata only), and vulnerabilities with full context
    • Falls back to clipboard if chat integration unavailable

0.1.3

  • Security Update: Dependency updates and security improvements
  • Dependency Updates: Updated dependencies to latest secure versions

0.1.2

  • SEO Optimization: Improved marketplace discoverability with enhanced keywords and descriptions
  • Documentation Cleanup: Removed unnecessary files from build, streamlined installation instructions
  • Codebase Organization: Archived development documentation, created internal AI context file

0.1.1

  • Comprehensive Linting Engine: Real-time code quality validation for TypeScript, JavaScript, Python, React, and Next.js
  • 14 Categories of Rules: SOC2-ready coding standards covering reliability, security, architecture, and more
  • Rust WASM Performance: High-performance secret scanning and SBOM parsing
  • Software Composition Analysis (SCA):
    • OSV API integration for vulnerability detection
    • Detailed per-package vulnerability reporting
    • Automatic fetching of full vulnerability descriptions
    • Severity breakdown and fix recommendations
    • Reference links and CVSS scores
    • 24-hour caching for performance
  • SBOM Generation:
    • CycloneDX and SPDX format support
    • Command palette integration
    • Automatic cleanup of old files
  • AI Chat Integration: Send vulnerability and secret scan results to Cursor AI chat
  • Real-Time Monitoring: Auto-scan on dependency file changes
  • SOC2 Compliance: Automated evidence generation support
  • False Positive Management: Mark secrets as false positives with rationale

🐛 Known Issues

None currently. Please report issues on GitHub.

📄 License

MIT

🔗 Links

  • Marketplace: VS Code Marketplace
  • Download: ofofo.ai (Manual VSIX download)
  • Homepage: https://ofofo.ai
  • Report Issues: GitHub Issues