Agent OS for VS Code¶
Part of Agent OS - Kernel-level governance for AI agents
Kernel-level safety for AI coding assistants.

The Problem¶
AI coding assistants (GitHub Copilot, Cursor, Claude) generate code without safety guarantees. They can suggest:
- DROP TABLE users (deleting production data)
- Hardcoded API keys and secrets
- rm -rf / (destructive file operations)
- Code with SQL injection vulnerabilities
73% of developers are hesitant to trust AI for critical code.
The Solution¶
Agent OS wraps your AI assistant with a kernel that provides:
- Real-time policy enforcement - Block destructive operations before they execute
- Multi-model code review (CMVK) - Verify code with GPT-4, Claude, and Gemini
- Complete audit trail - Log every AI suggestion and your decisions
- Team-shared policies - Consistent safety across your organization
- Enterprise ready - SSO, RBAC, compliance frameworks
What's New in v1.0.0 (GA Release)¶
Policy Management Studio¶
Visual interface for creating, editing, and testing policies with:
- Syntax highlighting and validation
- Policy template library (SOC 2, GDPR, HIPAA, PCI DSS)
- Real-time testing against sample scenarios
- Import/export support (YAML, JSON, Rego)
Workflow Designer¶
Drag-and-drop canvas for building agent workflows:
- Visual workflow builder
- Policy attachment at workflow/step level
- Simulation and dry-run capabilities
- Code export (Python, TypeScript, Go)
Enhanced IntelliSense¶
AI-powered development assistance:
- Context-aware code completion for AgentOS APIs
- Real-time diagnostics with quick fixes
- 14+ code snippets for common patterns
- Inline policy suggestions
Metrics Dashboard¶
Real-time monitoring of agent activity:
- Policy violation tracking
- Activity visualization by hour
- Compliance reporting
- Export to JSON/CSV
Enterprise Features¶
- SSO Integration: Azure AD, Okta, Google, GitHub
- Role-Based Access Control: Granular permissions
- CI/CD Integration: GitHub Actions, GitLab CI, Jenkins, Azure Pipelines
- Compliance Frameworks: SOC 2, GDPR, HIPAA, PCI DSS templates
What's New in v1.1.0¶
Governance Visualization Hub¶
Unified dashboard for real-time governance monitoring:
- SLO Dashboard -- Availability, latency P50/P95/P99, policy compliance, trust scores with error budgets and burn rates
- Agent Topology -- Force-directed graph of agent mesh, trust rings, bridge status, delegation chains
- Audit Stream -- Filterable event log with drill-down
- 3-Slot Sidebar -- Configurable panel system with 8 available views, panel picker for slot assignment
- Scanning Mode -- Auto-rotates visual focus through slots (4s cadence), pauses on hover/focus, respects prefers-reduced-motion
- Priority Engine -- Auto-reorders slots by health urgency in Auto mode (critical > warning > healthy)
- Attention Toggle -- Manual/Auto switch in sidebar header; manual locks to user config
- Browser Experience -- Open dashboard in external browser via local server
Server Security Hardening¶
The Governance Server that powers the browser dashboard includes defense-in-depth security controls:
- Session token authentication -- WebSocket connections require a cryptographically random token generated per server session. Connections without a valid token are rejected with close code 4001.
- Rate limiting -- HTTP requests are limited to 100 per minute per client IP. Excess requests receive HTTP 429 with a Retry-After header.
- Local asset bundling -- D3.js and Chart.js are vendored locally (no CDN dependency). This eliminates the supply-chain risk of loading external scripts.
- Content Security Policy (CSP) -- Restricts script execution to nonce-only ('nonce-...'). No CDN allowlisting, no unsafe-eval. WebSocket connect-src is explicitly scoped to ws://127.0.0.1:*.
- HTML escaping -- A shared escapeHtml utility is applied to all dynamic data in innerHTML assignments across legacy panels. Prevents XSS from agent DIDs, policy names, and audit data.
- Loopback-only binding -- The server binds exclusively to 127.0.0.1. Remote connections are structurally impossible.
- Python path validation -- Rejects shell metacharacters before the subprocess is spawned, to prevent command injection.
- Dependency pinning -- Production dependencies (axios, ws) are pinned to exact versions for reproducible builds.
For the full security model, threat analysis, and accepted risks, see SECURITY.md.
Live Governance Data¶
The extension automatically detects and starts agent-failsafe to populate dashboards with real governance data:
- On first activation, the extension checks for agent-failsafe and offers to install it if missing (pip install agent-failsafe[server])
- Once installed, a local REST server starts automatically on 127.0.0.1:9377, with no manual configuration required
- SLO dashboard, agent topology, and audit stream populate with live policy compliance, fleet health, and audit events
- Status bar shows connection state: Live (green), Stale (yellow), Disconnected (red)
- All REST responses are validated with type checking, size caps, and string truncation
- Advanced: override with agentOS.governance.endpoint to connect to an existing server
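The response validation named in the last items (size cap, type checks, string truncation, allow-listed output) as an added example; this is not the extension's code. The payload layout (slo.availability/p50/p95/p99, agents[].did/trust) and the cap values are assumed for illustration.

```javascript
// Caps are assumptions; the page only states that responses are size-capped and strings truncated.
const MAX_BODY_BYTES = 256 * 1024;
const MAX_STRING_LEN = 256;
const MAX_AGENTS = 1000;

function clip(s) {
  return s.length > MAX_STRING_LEN ? s.slice(0, MAX_STRING_LEN) + "..." : s;
}

function finiteNumber(v, name) {
  if (typeof v !== "number" || !Number.isFinite(v)) throw new TypeError(`${name} must be a finite number`);
  return v;
}

// Parse one governance snapshot into an allow-listed shape; unknown fields are never copied through.
function parseGovernanceSnapshot(body) {
  if (typeof body !== "string") throw new TypeError("body must be a string");
  // Size cap first, before any parsing work is done on an oversized body.
  if (Buffer.byteLength(body, "utf8") > MAX_BODY_BYTES) throw new RangeError("response exceeds size cap");
  const raw = JSON.parse(body); // throws SyntaxError on malformed JSON
  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) throw new TypeError("top level must be an object");
  const slo = raw.slo;
  if (slo === null || typeof slo !== "object") throw new TypeError("slo must be an object");
  const out = {
    availability: finiteNumber(slo.availability, "slo.availability"),
    latencyMs: {
      p50: finiteNumber(slo.p50, "slo.p50"),
      p95: finiteNumber(slo.p95, "slo.p95"),
      p99: finiteNumber(slo.p99, "slo.p99"),
    },
    agents: [],
  };
  const agents = Array.isArray(raw.agents) ? raw.agents.slice(0, MAX_AGENTS) : [];
  for (const a of agents) {
    // Drop malformed entries instead of failing the whole dashboard refresh.
    if (a === null || typeof a !== "object" || typeof a.did !== "string") continue;
    out.agents.push({ did: clip(a.did), trust: finiteNumber(a.trust, "agents[].trust") });
  }
  return out;
}

// Constructed sample response: the over-long DID exercises truncation, the second agent is malformed.
const SAMPLE_BODY = JSON.stringify({
  slo: { availability: 99.95, p50: 12, p95: 48, p99: 130 },
  agents: [
    { did: "did:example:" + "a".repeat(300), trust: 0.92, extra: "<ignored>" },
    { did: 42, trust: 0.5 },
  ],
});
```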
Policy Diagnostics¶
- Real-time governance rule validation on Python/TypeScript/YAML files
- Code actions: safe alternatives for flagged patterns
- Status bar with governance mode and execution ring indicator
Report Export¶
- Export governance snapshot as self-contained HTML report
- Metrics exporter pushes dashboard data to configured observability endpoints
Quick Start¶
- Install from VS Code Marketplace
- Run "Agent OS: Getting Started" from command palette
- Start coding - Agent OS protects you automatically
```text
⚠️ Agent OS Warning
Blocked: Destructive SQL operation detected
The AI suggested: DELETE FROM users WHERE ...
This violates your safety policy.
[Review Policy] [Allow Once] [Suggest Alternative]
```
Features¶
1. Real-Time Code Safety¶
Agent OS analyzes code as you type/paste and blocks dangerous patterns:
| Policy | Default | Description |
|---|---|---|
| Destructive SQL | ✅ On | Block DROP, DELETE, TRUNCATE |
| File Deletes | ✅ On | Block rm -rf, unlink, rmtree |
| Secret Exposure | ✅ On | Block hardcoded API keys, passwords |
| Privilege Escalation | ✅ On | Block sudo, chmod 777 |
| Unsafe Network | ❌ Off | Block HTTP (non-HTTPS) calls |
2. CMVK Multi-Model Review¶
Right-click on code and select "Agent OS: Review Code with CMVK" to get a consensus review from multiple AI models:
```text
🛡️ Agent OS Code Review
Consensus: 66% Agreement
✅ GPT-4: No issues
✅ Claude: No issues
⚠️ Gemini: Potential SQL injection (Line 42)
Recommendations:
1. Use parameterized queries to prevent SQL injection
```
3. Audit Log Sidebar¶
Click the shield icon in the activity bar to see:
- Blocked operations today/this week
- Warning history
- CMVK review results
- Export capability for compliance
4. Team Policies¶
Share policies via .vscode/agent-os.json:
```json
{
  "policies": {
    "blockDestructiveSQL": true,
    "blockFileDeletes": true,
    "blockSecretExposure": true
  },
  "customRules": [
    {
      "name": "no_console_log",
      "pattern": "console\\.log",
      "message": "Remove console.log before committing",
      "severity": "low"
    }
  ]
}
```
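How a policy file like this can be compiled and applied to a buffer, as an added example that is not the extension's code: the three built-in policies from the Real-Time Code Safety table plus the customRules entry above, with the shared-config regexes compiled defensively. The detection patterns and the findings shape are assumptions for illustration.

```javascript
// Built-in policies keyed by their agent-os.json names. The regexes are illustrative;
// the extension's own detection patterns are not shown on the page.
const BUILTIN = {
  blockDestructiveSQL: { pattern: /\b(DROP\s+TABLE|DELETE\s+FROM|TRUNCATE\s+TABLE)\b/i,
    message: "Destructive SQL operation detected", severity: "high" },
  blockFileDeletes: { pattern: /\brm\s+-rf\b|\bos\.unlink\(|\bshutil\.rmtree\(/,
    message: "Destructive file operation detected", severity: "high" },
  blockSecretExposure: { pattern: /(api[_-]?key|password|secret)\s*[:=]\s*["'][^"']{8,}["']/i,
    message: "Hardcoded secret detected", severity: "high" },
};

// Turn a parsed .vscode/agent-os.json into an executable rule list.
function compileRules(config) {
  const rules = [];
  for (const [name, rule] of Object.entries(BUILTIN)) {
    if (config.policies && config.policies[name] === true) rules.push({ name, ...rule });
  }
  for (const r of config.customRules || []) {
    // Patterns arrive from a shared team file: skip unparseable or very long ones (a cheap bound on pathological regexes).
    if (typeof r.pattern !== "string" || r.pattern.length > 200) continue;
    try {
      rules.push({ name: r.name, pattern: new RegExp(r.pattern), message: r.message, severity: r.severity || "low" });
    } catch (_) { /* invalid regex in shared config: ignore this rule */ }
  }
  return rules;
}

// Scan a buffer line by line; each finding carries what the warning popup above displays.
function scan(code, rules) {
  const findings = [];
  code.split("\n").forEach((text, i) => {
    for (const r of rules) {
      if (r.pattern.test(text)) findings.push({ line: i + 1, rule: r.name, severity: r.severity, message: r.message });
    }
  });
  return findings;
}

// The policy file from the section above, as parsed JSON.
const TEAM_CONFIG = {
  policies: { blockDestructiveSQL: true, blockFileDeletes: true, blockSecretExposure: true },
  customRules: [{ name: "no_console_log", pattern: "console\\.log", message: "Remove console.log before committing", severity: "low" }],
};

// Constructed sample buffer; the key value is a placeholder, not a real credential.
const SAMPLE_CODE = [
  'cursor.execute("DELETE FROM users WHERE id = 1")',
  "console.log(user)",
  'API_KEY = "sk-constructed-example-0000"',
].join("\n");
```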
Commands¶
| Command | Description |
|---|---|
| Agent OS: Getting Started | Interactive onboarding tutorial |
| Agent OS: Open Policy Editor | Visual policy management studio |
| Agent OS: Open Workflow Designer | Drag-and-drop workflow builder |
| Agent OS: Show Metrics Dashboard | Real-time monitoring |
| Agent OS: Review Code with CMVK | Multi-model code review |
| Agent OS: Toggle Safety Mode | Enable/disable protection |
| Agent OS: Configure Policies | Open policy configuration |
| Agent OS: Export Audit Log | Export logs to JSON |
| Agent OS: Setup CI/CD Integration | Generate CI/CD configuration |
| Agent OS: Check Compliance | Run compliance validation |
| Agent OS: Sign In (Enterprise) | Enterprise SSO authentication |
| Agent OS: SLO Dashboard (Visual) | Rich webview SLO dashboard |
| Agent OS: Agent Topology Graph | Force-directed agent topology graph |
| Agent OS: Refresh SLO Data | Refresh SLO metrics |
| Agent OS: Refresh Agent Topology | Refresh topology data |
| Agent OS: Open Governance Hub | Unified governance dashboard |
| Agent OS: Open SLO Dashboard in Browser | SLO dashboard in external browser |
| Agent OS: Open Topology Graph in Browser | Topology graph in external browser |
| Agent OS: Open Governance Hub in Browser | Governance Hub in external browser |
| Agent OS: Export Governance Report | Export HTML governance report |
Configuration¶
Open Settings (Ctrl+,) and search for "Agent OS":
| Setting | Default | Description |
|---|---|---|
| agentOS.enabled | true | Enable/disable Agent OS |
| agentOS.mode | basic | basic, enhanced (CMVK), enterprise |
| agentOS.cmvk.enabled | false | Enable multi-model verification |
| agentOS.cmvk.models | ["gpt-4", "claude-sonnet-4", "gemini-pro"] | Models for CMVK |
| agentOS.audit.retentionDays | 7 | Days to keep audit logs |
| agentOS.diagnostics.enabled | true | Real-time diagnostics |
| agentOS.enterprise.sso.enabled | false | Enterprise SSO |
| agentOS.enterprise.compliance.framework | - | Default compliance framework |
| agentOS.export.localPath | "" | Local directory for exported reports |
| agentOS.observability.endpoint | "" | Metrics push endpoint (OTEL compatible) |
| agentOS.diagnostics.severity | "warning" | Minimum diagnostic severity |
| agentOS.governance.pythonPath | "python" | Python interpreter with agent-failsafe installed |
| agentOS.governance.endpoint | "" | Override: connect to an existing agent-failsafe server (auto-start if empty) |
| agentOS.governance.refreshIntervalMs | 10000 | Polling interval for governance data (minimum 5000ms) |
Pricing¶
| Tier | Price | Features |
|---|---|---|
| Free | $0 | Local policies, 7-day audit, 10 CMVK/day |
| Pro | $9/mo | Unlimited CMVK, 90-day audit, priority support |
| Enterprise | Custom | Self-hosted, SSO, RBAC, compliance reports |
Privacy and Security¶
- Local-first: Policy checks run entirely in the extension
- No network: Basic mode never sends code anywhere
- Opt-in CMVK: You choose when to use cloud verification
- Loopback server: The browser dashboard server binds to 127.0.0.1 only and requires session token authentication
- No telemetry: The Governance Server does not send data to external endpoints unless you explicitly configure an observability endpoint
- Open source: Inspect the code yourself
See SECURITY.md for the full server security model and threat analysis.
Requirements¶
- VS Code 1.85.0 or later
- Node.js 18+ (for development)
- Python 3.10+ (for Agent OS SDK)
Contributing¶
We welcome contributions! See CONTRIBUTING.md.
License¶
MIT License - see LICENSE.
Made with 🛡️ by the Agent OS team