AI Code Governance

vertaai | 5 installs | (0) | Free
A small side project that flags when AI-written code seems to drift from your prompt or touches sensitive things like auth, secrets, or database writes. Works with Claude Code, Cursor, Copilot, Windsurf, Augment.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.

AI Code Governance

Over the last few months I've been tinkering with a small side project for my own AI-coding workflow.

I use Claude Code, Cursor, Copilot, etc. a lot outside work, and one thing kept annoying me: I'd ask for a small change, then get back a huge diff touching things I definitely didn't think I'd asked for.

  • A tooltip becomes a database write.
  • A UI change touches auth.
  • A small refactor quietly changes part of the sign-up flow.

So I made this VS Code extension to help flag when AI-written code seems to drift away from the prompt or touches sensitive areas like auth, secrets, database writes, or infra.

It's not meant to be perfect, and when it can't confidently judge something it says "not evaluable" rather than making up a verdict. I mostly built it because I wanted a second pair of eyes while vibe-coding.


What it does

Every prompt you type to your AI assistant lands on a timeline. When the diff looks like it's drifting from those prompts, you see a verdict in the sidebar — typically within ~90 seconds, no button click needed.

Six honest verdict states: aligned / revert / refine intent / separate concern / small side-effect / not evaluable. The last one is what shows when the model isn't sure — I refused to fabricate a verdict just to fill the space.

There's also a pre-write check the AI can call itself: "would this proposed change drift from what was asked?" — useful for catching scope creep before the code is even written.


Works with

Claude Code, Cursor, Copilot, Windsurf, Augment — anything that loads VS Code Language Model Tools or speaks MCP.


Setup

  1. Install from the Marketplace
  2. Cmd+Shift+P → "Setup"
  3. Enter your API URL + Workspace ID — there's a small backend you'll need to run yourself (the code is in the repo)

Settings

A handful of knobs under "AI Code Governance" in VS Code settings — capture mode, daily cost cap, verdict-fire interval. Defaults are sensible.


Privacy

Source code never leaves your machine. The extension only sees capability types, file paths, and diff summaries. Prompts are scrubbed of likely secrets (API keys, JWTs, AWS access keys, etc.) before being stored. The 🧹 button clears the timeline if you pasted something sensitive.
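
One way prompt scrubbing of this kind can be done, shown as an added example that is not the extension's own code. The rule names, patterns, placeholder format and `scrubPrompt` function are assumptions, and every secret-looking value in the sample is constructed.

```javascript
// Added example: redact likely secrets from a prompt before it is stored.
// Rule names, patterns and the placeholder format are assumptions of this sketch.
const RULES = [
  // PEM private key blocks, which span several lines
  { name: "private-key",
    re: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g },
  // JWT: three base64url segments; a JSON header encodes to a string starting "eyJ"
  { name: "jwt",
    re: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}/g },
  // AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 characters
  { name: "aws-access-key-id", re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g },
  // name = value assignments: keep the name (group 1), drop the value.
  // The lookahead skips values an earlier rule already replaced.
  { name: "assigned-secret", keep: 1,
    re: /((?:(?:api|access)[_-]?key|secret|token|passw(?:or)?d)["']?\s*[:=]\s*["']?)(?!\[REDACTED)[^\s"',;]{8,}/gi },
];

// Returns the scrubbed text plus per-rule hit counts (counts only, never values).
function scrubPrompt(text) {
  const hits = {};
  let out = text;
  for (const { name, re, keep } of RULES) {
    out = out.replace(re, (...m) => {
      hits[name] = (hits[name] || 0) + 1;
      return `${keep ? m[keep] : ""}[REDACTED:${name}]`;
    });
  }
  return { text: out, hits };
}

// Constructed sample prompt; none of these values is a real credential.
const SAMPLE = [
  'Move the tooltip. My .env has API_KEY="sk_test_constructed_0123456789"',
  "and the deploy user is AKIAABCDEFGHIJKLMNOP. The failing request sent",
  "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJlLWJ5dGVz",
].join("\n");

console.log(scrubPrompt(SAMPLE));
```

Pattern rules only catch secrets with a recognisable shape or variable name; in this sketch a value outside those shapes passes through unchanged.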


Feedback?

If you use AI coding tools regularly and try this, I'd love to know whether it's actually useful in your workflow — or just my own particular paranoia.

Open an issue on GitHub.


License

MIT
