ShipGate for VS Code
Optional editor companion.
Tier‑1 enforcement: GitHub PR + Next.js App Router + shipgate next in CI (often as a required check in consumer repos) — see Supported path.
Use the extension to run the same CLI from the IDE. Primary enforcement for buyers is still shipgate next in GitHub Actions on PRs (configure as a required check in your repo when ready). Specs, vibe, and multi-language flows are advanced — see footers below.
Dashboard uploads: With a stored PAT, the extension can POST scan summaries to the configured dashboard API. If the host sets CI-style env vars, uploads are skipped unless you enable shipgate.dashboard.uploadInAutomation (see repo docs/data-handling.md).
Out of scope (Tier‑1): VS Code is not the procurement story. If copy promises only one thing, it should be PR merge gating, not “AI safety in the editor.”
What's New in 4.0
- Production-ready API — All API calls, dashboard links, and Pro checkout now point to
https://app.shipgate.dev
- Webview redesign — Dark mission-control UI with score rings, verdict cards, and tabbed navigation (Overview / Actions / Findings / Files)
- CLI shim fix — No more "Cannot find module vscode" crash when the VSIX is invoked outside the extension host
- CLI resolver — Prefers workspace-local CLI over
npx for faster, more reliable verification
- Build improvements — Corrected esbuild externals and production minification
Note: Version 4.0.0 supersedes all previous releases. Please update to 4.0.0 or later.
What's New in 2.0
This is a major release. The sidebar has been completely rebuilt with an enterprise-grade design system, and 14 new commands bring the full power of the ShipGate CLI into your editor.
- Actions Panel — New sidebar tab with one-click access to every ShipGate workflow
shipgate go — One command: detect project, infer ISL specs, verify, gate (Cmd+Shift+Enter)- Vibe -> Ship — Describe what you want in English, get verified code (Cmd+Shift+V)
- Multi-language codegen — Generate TypeScript, Python, Rust, Go, GraphQL, or OpenAPI from ISL
- AI spec inference — Auto-generate behavioral specs from existing code
- Deep Scan — Thorough analysis mode with higher coverage targets
- Auto-Heal — One-click AI-powered violation fixes
- Enterprise UI — Glassmorphism cards, animated transitions, refined typography, custom scrollbar
Quick Start
1. Install
code --install-extension shipgate.shipgate-isl
Or search "ShipGate" in the Extensions panel.
Click the ShipGate icon in the Activity Bar. You'll see the onboarding screen with three steps.
3. Match what you run in CI
For Next.js, from the app root (terminal):
shipgate next . --strict
That is the same class of check to put on GitHub pull requests. The sidebar Go shortcut (Cmd+Shift+Enter) runs a broader shipgate go pipeline — useful, but not the Tier‑1 wedge unless you have validated it for your org.
Out of scope (Tier‑1): Polyglot detection, inferred ISL, vibe, and codegen are best-effort surfaces — not the Next.js PR commitment.
4. Write a spec (optional)
For precise control, write .isl specs by hand:
domain PaymentService {
entity Payment {
id: UUID [immutable, unique]
amount: Decimal [positive]
status: PaymentStatus
invariants {
amount > 0
status in ["pending", "completed", "failed"]
}
}
behavior ChargeCard {
input { cardToken: String, amount: Decimal, currency: String }
output {
success: { paymentId: UUID, chargedAt: DateTime }
errors { CARD_DECLINED, INSUFFICIENT_FUNDS }
}
preconditions {
input.amount > 0
input.currency.length == 3
}
postconditions {
success implies Payment.exists({ id: result.paymentId, status: "completed" })
}
temporal {
response within 3s (p99)
}
}
}
ShipGate verifies your implementation against this spec and produces:
✓ SHIP Trust Score: 94%
✓ Preconditions 3/3 passing
✓ Postconditions 2/2 passing
✓ Invariants 2/2 holding
✓ Error cases 2/2 correct
The ShipGate sidebar is your command center. Five tabs, each purpose-built:
Overview
Live verification dashboard with:
- Score ring — 0-100 trust score with animated fill and SHIP / WARN / NO_SHIP verdict
- Stats grid — Claims verified, coverage %, files scanned, open issues — each with sparkline trends
- Compliance readiness — SOC 2, HIPAA, and EU AI Act scores at a glance
- AI provenance — Breakdown of AI-generated vs. human-written vs. AI-assisted code
- Active findings — Top critical issues with severity indicators
Actions
One-click access to every ShipGate workflow:
| Action |
What it does |
| Vibe -> Ship |
English prompt -> ISL spec -> verified code |
| Go + Auto-Heal |
Scan project, then auto-fix violations |
| Deep Scan |
Thorough analysis with higher coverage target |
| Quick Scan |
Fast scan with gate verdict |
| Infer ISL Specs |
AI-generate behavioral specs from code |
| Heal All |
Auto-fix all violations across project |
| Code -> ISL |
Generate spec from current file |
| Format & Lint |
Auto-format all ISL spec files |
Plus a 6-language codegen grid: TypeScript, Python, Rust, Go, GraphQL, OpenAPI.
Out of scope (Tier‑1): Actions above include ISL-first and polyglot flows. They are optional; they do not widen the Next.js + GitHub PR support matrix.
Claims
Expandable verification claims with:
- Status indicators (Proven / Partial / Failed)
- Confidence percentages
- Evidence excerpts
- SOC 2 control mappings
Pipeline
CI/CD integration showing:
- Current run status with job progress dots
- Recent run history with verdicts and scores
- Deployment environment gates (Production, Staging, Preview)
- Blocker details for failed runs
Files
Per-file verdict breakdown with:
- Summary bar (passed / warnings / failed counts)
- Color-coded SHIP / WARN / NO_SHIP badges
- Score percentages
- Click to open file at violation line
ISL Language Support
Full language server integration for .isl files:
| Feature |
Details |
| Syntax Highlighting |
Full TextMate grammar — keywords, types, annotations, temporal expressions |
| Real-time Diagnostics |
Squiggles as you type — syntax errors, type mismatches, undefined references |
| Autocomplete |
Keywords, types, entity names, behavior names, field access |
| Hover Documentation |
Type info and constraint details |
| Go to Definition |
Jump to any entity or behavior declaration |
| Document Outline |
Full symbol tree in the Outline panel |
| Format on Save |
Consistent ISL formatting |
| Code Snippets |
domain, entity, behavior, scenario starter templates |
Out of scope (Tier‑1): Full ISL IDE support targets spec-driven teams — orthogonal to shipgate next merge gating.
Commands
All available via Cmd+Shift+P (Ctrl+Shift+P on Windows/Linux):
Core Workflows
| Command |
Shortcut |
Description |
| ShipGate: Go |
Cmd+Shift+Enter |
Scan + infer ISL + verify + gate |
| ShipGate: Go + Auto-Fix |
— |
Go with auto-heal |
| ShipGate: Go Deep Scan |
— |
Thorough scan with higher coverage |
| ShipGate: Vibe |
Cmd+Shift+V |
NL prompt -> ISL -> verified code |
| ShipGate: Scan Project |
— |
Quick scan with gate verdict |
Verification
| Command |
Description |
| ShipGate: Verify Current Project |
Full verification against all specs |
| ShipGate: Verify Current File |
Verify only the active file |
| ShipGate: Heal (AI Autofix) |
AI-fix violations in current file |
| ShipGate: Heal All Findings |
Fix all violations across workspace |
| ShipGate: Trust Score |
Print trust score to terminal |
| ShipGate: Coverage |
Show spec coverage report |
Code Generation
| Command |
Description |
| ShipGate: Generate TypeScript from ISL |
ISL -> TypeScript |
| ShipGate: Generate Python from ISL |
ISL -> Python (Pydantic + pytest) |
| ShipGate: Generate Rust from ISL |
ISL -> Rust (Serde + traits) |
| ShipGate: Generate Go from ISL |
ISL -> Go (structs + interfaces) |
| ShipGate: Generate GraphQL from ISL |
ISL -> GraphQL schema |
| ShipGate: Generate OpenAPI from ISL |
ISL -> OpenAPI 3.0 spec |
| Command |
Description |
| ShipGate: Infer ISL Specs from Code |
AI-generate specs from existing code |
| ShipGate: Generate ISL Spec |
Scaffold spec from active file |
| ShipGate: Init |
Initialize ShipGate config |
Reports & Compliance
| Command |
Description |
| ShipGate: Open Report |
View verification report |
| ShipGate: Export Report |
Export as PDF |
| ShipGate: View Latest Proof Bundle |
Inspect evidence bundle |
| ShipGate: Open Web Dashboard |
Open dashboard in browser |
Out of scope (Tier‑1): Command surface spans spec verification, codegen, and compliance views — broader than the Next.js PR gate alone.
Configuration
{
// Verification
"shipgate.scanOnSave": false, // Full verification on save (expensive)
"shipgate.defaultTarget": "typescript", // Codegen target: typescript | python | rust | go
// Language Server
"shipgate.languageServer.enabled": true,
"shipgate.formatOnSave": true,
"shipgate.lintOnSave": true,
"shipgate.validation.enabled": true,
"shipgate.trace.server": "off", // "off" | "messages" | "verbose"
// Firewall (lightweight on-save checks, < 100ms)
"shipgate.firewall.enabled": true,
"shipgate.firewall.runOnSave": true,
// Display
"shipgate.showCodeLens": true,
"shipgate.showInlineHints": true,
"shipgate.severity.minimum": "medium", // low | medium | high | critical
"shipgate.compliance.frameworks": ["soc2"],
// Dashboard
"shipgate.dashboardApiUrl": "https://app.shipgate.dev"
}
How ShipGate Works
Your Code ──> ISL Spec ──> Verify ──> SHIP / NO_SHIP
│ │ │ │
│ AI infers │ or you │ Checks pre/ │ With evidence
│ specs from │ write by │ postconditions│ bundle and
│ your code │ hand │ + invariants │ trust score
│ │ │ │
└────────────────┴──────────────┴───────────────┘
ISL (Intent Specification Language) is a declarative language for defining what your code must do — not how. It specifies:
- Entities — typed data models with field constraints and invariants
- Behaviors — function contracts with preconditions, postconditions, and error cases
- Temporal bounds — response time SLAs (e.g.,
response within 500ms (p99))
- Security annotations —
[secret], [pii], [immutable] field decorators
ShipGate verifies your running implementation against these specs and produces a trust score with full evidence trails.
Out of scope (Tier‑1): This diagram is the ISL / inference mental model — not the shipgate next journey (routes, env, specless checks on App Router).
The Vibe Pipeline
The Vibe -> Ship workflow lets you go from an English description to verified, production-ready code:
"Build me a todo app with auth and Stripe payments"
│
▼
ISL Spec (auto-generated, validated)
│
▼
Full-stack code (TypeScript/Python/Rust/Go)
│
▼
Verification against the ISL spec
│
▼
Auto-heal any violations
│
▼
SHIP ✓ (with evidence bundle)
Trigger it from the Actions tab or Cmd+Shift+V. You'll be prompted for a description and target language.
Out of scope (Tier‑1): Vibe → Ship is multi-language / spec-centric — best-effort per target, not the Next.js GitHub PR wedge.
Requirements
- VS Code 1.85+ (also works in Cursor and VSCodium)
- Node.js 18+
- The
shipgate CLI for full verification: npm install -g @shipgate.dev/cli (binary: shipgate)
The language server works standalone for syntax highlighting, diagnostics, and completions — no CLI required.
Supported Editors
Development
git clone https://github.com/Ship-Gate/ShipGate.git
cd ShipGate && pnpm install
cd packages/vscode
pnpm run build # Production build
pnpm run watch # Dev mode with hot reload
pnpm run package # Build .vsix
Debug the language server:
{ "shipgate.trace.server": "verbose" }
License
MIT — see LICENSE.
Changelog · Issues · shipgate.dev
Tier‑1: block risky merges on GitHub PRs for Next.js (shipgate next). Editor = optional.
