
MythologIQ-Labs-LLC/FailSafe


FailSafe

Agent Debugger & Stability Monitor for AI-Assisted Development

Local-first safety for AI coding assistants.

Marketplace Categories: Machine Learning, Testing, Visualization



🚀 Introducing FailSafe Pro — Now Available

FailSafe Pro is the desktop-native, higher-tier application for full-stack AI governance. Where this open extension guards your editor, FailSafe Pro guards your entire SDLC — OS-level enforcement, file locking, team workflows, remote orchestration, and managed runtime operations that go beyond the editor boundary.

→ Learn more about FailSafe Pro · Download FailSafe Pro


🔌 Integrations — govern your entire AI toolchain, not just the editor

FailSafe v5.5 turns the editor into a governance hub for the tools your AI agents actually use. Every integration is local-first, opt-in, and routed through the same deterministic policy engine that guards your edits — so connecting a tool never widens your attack surface or sends data anywhere by default. Each integration ships with its own README (src/integrations/<name>/README.md) and the external API names it depends on are back-cited to official docs in docs/integrations/INTEGRATION_DOCS_INDEX.md.

Govern the agents themselves — run a headless coding agent through FailSafe and gate what it does:

| Integration | What it does | Why it matters |
| --- | --- | --- |
| 🤖 Continue (cn) governed wrapper | Run a Continue headless prompt through FailSafe with a tool allowlist; the produced diff is risk-classified and L3-risk changes route to human approval (FailSafe: Run Continue (governed)). | The agent runs argv-form (no shell), the API key never leaves the child env, and a shell/write allowlist is escalated before it can act. |
| 🔧 Aider git-gate wrapper | Run Aider with auto-commit off, capture the uncommitted diff, and route high-risk changes to L3 (FailSafe: Run Aider (governed)). | A dirty worktree is refused so the captured diff is unambiguously the agent's — your commit gate, not the agent's. |
| 👁️ OpenHands run observer | Map an exported OpenHands run into FailSafe transparency records, version-gated and read-only (FailSafe: Import OpenHands Run (observe)). | See what a full agent-loop runtime actually did, scored by risk — without ever mutating a live run. |
| 🔎 Cline / Roo / Kilo policy audit | Scan workspace MCP/tool config and flag risky posture — remote MCP servers, wildcard auto-approval, shell-capable tools (FailSafe: Audit Agent MCP Policy). | Catch an over-permissioned agent before it bites; secrets in the config are redacted before any finding is recorded. |

Connect your issue tracker, security, and team tooling — govern the whole toolchain:

| Integration | What it does | Why it matters |
| --- | --- | --- |
| 📥 Linear / Jira issue import | Resolve a Linear or Jira issue URL/key to an uncommitted intent preview — read-only (FailSafe: Import Linear/Jira Issue (preview)). | Your tracker is the intent source; FailSafe pulls the ticket context so you never retype it — and nothing is created or synced without you. |
| GitHub PR checks | Publish FailSafe SHIELD verdicts (PASS/WARN/VETO) as GitHub Check Runs at the merge gate (FailSafe: Publish SHIELD Verdict to GitHub Check). | Your governance verdict shows up where the merge happens, not just in the local console; fork PRs degrade to local-only. |
| 🐞 Sentry regression correlation | Pull a Sentry project's unresolved issues into the risk register as runtime-regression risks (FailSafe: Import Sentry Regressions). | Production failures become governed risk records tied to project / environment / release — no raw event payloads stored. |
| 🛡️ SARIF security ingestion | Import Semgrep / CodeQL / any SARIF 2.1.0 scanner output into the risk register (FailSafe: Import SARIF Findings). | Your security scanner stops being a separate silo — every finding becomes a governed risk in the same audit trail as agent decisions. |
| 📣 Slack / Microsoft Teams notifications | Post VETO / L3-approval / drift events to a Slack or Teams webhook. Notify-only, off by default. | Governance becomes a team signal: when FailSafe blocks a risky action or queues a human approval, the right people see it in their channel. |
| 🧮 MCP Registry risk scoring | Score any MCP server locally — read-only, with field sanitization — before you trust it. | The MCP ecosystem is exploding and anything can claim to be a tool server. Adopt servers on evidence, not vibes. |
| 📦 MCP Catalog installers | One-click, risk-scored installs of Context7, Mermaid Chart, and Playwright MCP into your .mcp.json (FailSafe: Install MCP Integration (governed)). | Governed installs of tools that make your agents measurably better, with the trust check built in. |
| 🧠 Bicameral MCP | Detect, connect, and ratify architecture decision records and their drift inline. | Every Bicameral tool call passes through FailSafe's universal interceptor — the reasoning behind your system stays as governed as the code. |
| 🎨 Open Design | Observe Open Design agent runs and act on them via the L3-gated create_artifact. | Design tooling gets the same human-in-the-loop guarantee as everything else FailSafe touches. |
| 🧰 Agent Governance Toolkit installer | Auto-detect your workspace environment and serve the matching, registry-verified AGT installer. | One governed entry point to instrument whatever stack you actually run. |

Under the hood, a Tier 1 supply-chain CI baseline (least-privilege workflow tokens, SHA-pinned Actions, dependency review, CODEOWNERS) hardens the repository itself against Shai-Hulud-class attacks.

Everything above is disabled by default and runs locally — no network call until you turn one on. Open the Integrations tab to connect.


Current Release: v5.6.4 (2026-06-08)

If this project helps you, please star it! It helps others discover FailSafe.

What's new in v5.6.4

  • 🔗 PR↔issue linkage governance — a Check Run catches the Closes #1, #2 footgun (GitHub closes only the first; the rest silently stay open). Off by default.
  • 📊 Governed tracker source — build the Development Tracker from your governance ledger (META_LEDGER + FEATURE_INDEX), not just PR history.
  • 🧬 Shadow-genome consumer — read qor-logic's causal governance graph (foundation for decision-traceability views). See CHANGELOG.md.
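The linkage footgun named in the first bullet can be checked mechanically, because GitHub's closing-keyword syntax needs the keyword repeated before every issue reference. The sketch below is an added example, not FailSafe's implementation; `auditClosingRefs` and the report shape are hypothetical names, and the PR bodies in the demo are constructed.

```typescript
// Added illustration, not FailSafe source. Names and sample PR bodies are hypothetical.
// GitHub closing keywords: close/closes/closed, fix/fixes/fixed, resolve/resolves/resolved.
const KEYWORD = "(?:close[sd]?|fix(?:e[sd])?|resolve[sd]?)";
// An issue reference: "#12" or "owner/repo#12".
const REF = "(?:[\\w.-]+\\/[\\w.-]+)?#\\d+";
const REF_RE = new RegExp(REF, "g");
// keyword (optional colon), first reference, then a tail of bare references
// joined by ",", "and" or "&" that carry no keyword of their own.
const LINKED = new RegExp(
  `\\b(${KEYWORD}):?\\s+(${REF})((?:\\s*(?:,|\\band\\b|&)\\s*${REF})*)`,
  "gi",
);

interface LinkageReport {
  linked: string[];    // references that will be closed on merge
  unlinked: string[];  // references that look linked but will stay open
  suggestion: string;  // body rewritten with the keyword repeated per reference
  ok: boolean;
}

function auditClosingRefs(body: string): LinkageReport {
  const linked: string[] = [];
  const unlinked: string[] = [];
  const suggestion = body.replace(
    LINKED,
    (whole: string, keyword: string, first: string, tail: string) => {
      linked.push(first);
      unlinked.push(...(tail.match(REF_RE) ?? []));
      const head = whole.slice(0, whole.length - tail.length);
      // Repeat the keyword in front of every bare reference in the tail.
      return head + tail.replace(REF_RE, (r) => `${keyword.toLowerCase()} ${r}`);
    },
  );
  return { linked, unlinked, suggestion, ok: unlinked.length === 0 };
}

// Constructed PR bodies.
const samples = [
  "Closes #1, #2",
  "Closes #1, closes #2",
  "Fixes #10 and #11 & octo-org/octo-repo#12",
];
for (const body of samples) {
  const r = auditClosingRefs(body);
  console.log(r.ok ? "ok  " : "warn", JSON.stringify(body), "->", JSON.stringify(r.suggestion));
}
```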

What's new in v5.6.2

  • 📊 Development Tracker loading + freshness — a loading skeleton replaces the brief blank while the tracker builds, with a "last refreshed" time and a manual ↻ Refresh. See CHANGELOG.md.

What's new in v5.6.1

  • 📊 Development Tracker now works on any repo — repositories with no semantic-version releases (PR-incremental history) no longer show an empty dashboard; the tracker detects the release cadence and renders a merged-PR timeline with full detail.
  • 🧱 Generate a tracker from your history — the new FailSafe: Generate Tracker Manifest command scaffolds the tracker from your merged PRs + CHANGELOG.
  • You own the categories — generated programs and verticals are yours to keep / drop / rename / fold before they're written; the tracker reflects how you slice your work, not a commit-message guess.
  • 🔗 Bicameral decision enrichment — when the Bicameral integration is connected, the tracker deepens with decision-aware verticals and a governed-decisions ledger. See CHANGELOG.md.

What's new in v5.6.0

  • 🤝 Govern any Agent Client Protocol (ACP) agent — FailSafe speaks ACP, the open editor↔agent standard used by Devin Desktop, Zed, JetBrains and more; an agent's tool calls, file writes, terminal commands, and permission requests route through FailSafe's enforcement engine.
  • 🛡️ Standalone ACP enforce-proxy — mediates an ACP agent through FailSafe's real governance engine (enforce blocks out-of-scope writes + denies dangerous permissions; observe/assist record). Verified end-to-end against the live protocol.
  • One-click governed install for Devin Desktop + first-class Devin Desktop host detection (rebranded Windsurf).
  • 📊 Tracker handles non-semver repos — PR-incremental repositories are discovered and rendered with automatic cadence detection. See CHANGELOG.md.

What's new in v5.5.1

Maintenance patch. CI Actions bumped to their Node.js 24 runtimes (checkout/setup-node/upload-artifact/download-artifact, SHA-pinned — download-artifact v8 now fails closed on a digest mismatch). Development Tracker now surfaces the server's actual error instead of a bare "HTTP 500". See CHANGELOG.md.

What's new in v5.5.0

Integration suite expansion — FailSafe becomes a governance hub for your whole AI toolchain. New governed CLI agent wrappers run Continue and Aider through FailSafe (argv-form, allowlist + produced-diff risk classification, L3 escalation, API key in the child env only); new agent observe/audit adapters cover the OpenHands run observer and the Cline/Roo/Kilo MCP-policy audit (flags remote MCP / wildcard auto-approval / shell-capable tools, secrets redacted). Plus read-only Linear + Jira issue→intent-preview import, GitHub PR checks (SHIELD verdicts → Check Runs at the merge gate), Sentry runtime-regression correlation, Microsoft Teams notifications, Playwright MCP in the catalog, and a Tier 1 supply-chain CI baseline. Every external API name was verified against official docs (the cycle's review caught and fixed four real defects), every integration ships its own README, and everything is off by default. See CHANGELOG.md for full notes.

What's new in v5.4.3

Development Tracker + Agent Governance Toolkit installer. The Development Tracker is a premium, data-driven status dashboard embedded in the Workspace tab (with a Pop out ↗ and the FailSafe: Open Development Tracker command): it discovers your complete release history from the CHANGELOG, zooms the timeline from major anchors down to minor/patch, makes every release a traceable record, and tiers program-progress to where the data is meaningful. The AGT installer auto-detects your workspace environment and serves the matching, registry-verified Agent Governance Toolkit installer. See CHANGELOG.md for full notes.

What's new in v5.4.2

Release-gate hotfix that finally ships the v5.4.0 integration batch. Two prior tags died in the release pipeline: v5.4.0 on a stale UI test (fixed in v5.4.1), then v5.4.1 when VS Code stable auto-updated mid-release (1.122.1 → 1.123.0) and its newer Electron broke a native module rebuild. v5.4.2 pins the test gate to a known-good VS Code version so editor auto-updates can't break releases. All v5.4.0 features below ship in v5.4.2. See CHANGELOG.md for full notes.

What's new in v5.4.0

Integration + governance expansion. The integration research gate is cleared and FailSafe ships its first governed third-party integrations: SARIF finding ingestion into the risk register, MCP Registry local risk scoring, Slack notify-only governance notifications (VETO / L3 / drift → your incoming webhook, off by default), and one-click governed MCP installers for Context7 and Mermaid Chart under a new Integrations → MCP Catalog tab. Plus the new Development Tracker — an evidence-enforced, always-current status board served alongside the console — and substrate hardening (a dependency-admission cooling-period lint + a seal auto-hook that runs the governance substrate on every seal). See CHANGELOG.md for full notes.

What's new in v5.3.3

Integration-surface batch. Open Design integration enters beta with its first write path: create_artifact admitted through L3 human approval (Buffer & auto-execute) — the daemon executes the call only after you approve it in the Governance L3 queue; destructive write tools stay rejected. Plus a Section-4 razor + clobber-guard cleanup across the Bicameral / Marketplace / TabGroup surfaces (zero behavioral change) and a transparency audit date-filter fix that no longer hides evening records. See CHANGELOG.md for full notes.

What's new in v5.3.2

Internal-quality release bundling two post-v5.3.1 integration-surface refactors. The Integrations tab now presents one sub-view per integration via a sub-tab pill switcher (Bicameral · Open Design), matching the Agents/Governance/Workspace tabs — replacing the former stacked-card panel. Under the hood, the Bicameral and Open Design MCP clients now share a single McpClientHost substrate. No marketplace-feature change beyond the Integrations tab layout. A /qor-debug sweep caught and fixed one event-routing regression in the new sub-tab switcher before release (test-first). See CHANGELOG.md for full notes.

What's new in v5.3.1

Hotfix release. v5.3.0 was tagged but its Release Pipeline failed at Build & Test — integrations-tab.test.ts hardcoded "Bicameral is the only card" which became outdated when v5.3.0 added the Open Design Settings card; the VS Code Marketplace + Open VSX publish jobs were skipped, so v5.3.0 was never installable. v5.3.1 is the first v5.3.x build that actually ships to the marketplaces.

Zero feature changes from v5.3.0 — the Open Design integration and WARN-only governance substrate below ship verbatim. The hotfix only updates the test to assert v5.3.0's reality.

What's new in v5.3.0

Feature release. v5.3.0 doubles FailSafe's integration surface — Open Design joins Bicameral as a first-class MCP peer — and adds a WARN-only governance substrate (secret scanning, FEATURE_INDEX coverage, model-pinning lint) for substantiate-time signals.

  • Open Design integration — file-path provenance attribution on agent runs that touch Open Design artifacts + MCP adapter + per-run SSE attach + daemon-liveness probe against the local daemon at 127.0.0.1:7456. Read-only this release; write tools deferred to v1.2.
  • Governance substrate (WARN-only) — new FailSafe: Run Governance Substrate Checks command runs gitleaks-backed secret scanning, FEATURE_INDEX coverage verification, and model-pinning lint on demand. Findings surface in a dedicated Output channel + summary toast; never blocks operator workflow.
  • Both integrations are opt-in and default false — no behavior change for operators who don't configure them.

See CHANGELOG.md for the full v5.3.0 release notes.

What's new in v5.2.2

Hotfix release. v5.2.1 was tagged but its publish pipeline failed at Build & Test on a latent Playwright harness regression — popout-ui.spec.ts's legacy static-file harness couldn't resolve the cross-directory ESM imports introduced by LearnRenderer in v5.2.0. The marketplace publish jobs were skipped, so v5.2.1 was never installable either. v5.2.2 is the first v5.2.x build that actually ships to the marketplaces.

Zero feature changes from v5.2.1 (or v5.2.0) — the FailSafe Learn rebuild, the Ollama probe fix, and the global a11y baseline below ship verbatim. The hotfix migrates popout-ui.spec.ts to serveConsoleServerUI — the same harness used by every other v5.2.0+ Playwright spec. See CHANGELOG.md for the full v5.2.2 release notes.

What's new in v5.2.1

Hotfix release. v5.2.0 was tagged but its publish pipeline failed at Build & Test (5 unit-test failures from three orphaned SHIELD-anchor lesson literals + an FX615 tag-filter test race); the VS Code Marketplace + Open VSX publish jobs were skipped, so v5.2.0 was never installable. v5.2.1 was the next attempt — also failed (see v5.2.2 above for the harness regression).

Zero feature changes from v5.2.0 — the FailSafe Learn rebuild, the Ollama probe fix, and the global a11y baseline below ship verbatim. The hotfix only resolves the test regressions that blocked publish. See CHANGELOG.md for the full v5.2.1 release notes.

What's new in v5.2.0

The v5.2.0 release delivers on the learning promise: a Learn tab that teaches the software-development craft to non-traditional builders, with a redesigned visual surface and accessibility baseline.

  • Learn tab is now a two-sub-tab TabGroup: [Read][Glossary]. Read is default active.
  • Read sub-view: sectioned essays with per-essay accent rail, inline-SVG icon, read-time chip, pull-quote callout, H4 sub-sections. Sticky horizontal jump-strip (FX619) for at-a-glance navigation + relevant-now dots. Acceptance-criteria template gains a Copy button.
  • Glossary sub-view (renamed from Reference): search input + tag-filter buttons + A-Z/Z-A sort. ~60 unified terms (48 SWE-craft + 12 FailSafe + 1 Bicameral integration partner).
  • Global a11y baseline in command-center.css: prefers-reduced-motion honored, global :focus-visible on interactive surfaces, .visually-hidden SR-label utility, prose max-width: min(68ch, 100%). Closes WCAG 2.3.3 + 2.4.7 + 1.4.4.
  • Fixed: Mindmap "Ollama (Server)" false-positive "Connected" — the panel previously hardcoded a Connected status with no probe. Now actually probes http://localhost:11434/api/tags with 30s TTL and reflects reality (Connected ✓ / Not Running / Checking… / Unavailable).

See CHANGELOG.md for the full v5.2.0 release notes and docs/EDUCATION.md / docs/LEARN_TAB.md for component documentation.

What's new in v5.1.8

  • Bicameral Advanced-tools surface (B-INT-1): the 11 remaining Bicameral MCP tools (ingest, search, brief, judgeGaps, resolveCompliance, linkCommit, update, reset, dashboard, validateSymbols, getNeighbors) are now reachable — POST /api/actions/bicameral-<tool> routes plus a styled, collapsible "Advanced tools" card section with query/mutation tool grouping, per-row loading state, and labelled success/error results.
  • Sentinel-evaluator vs Governance-mode UI disambiguation (B-EM-1): five UI sites that rendered the Sentinel evaluator mode are relabelled to avoid confusion with the governance mode; the invalid 'observe' fallback is corrected.
  • Brainstorm node-label truncation feedback (B132): a dismissible inline notice when a node label is shortened to the 200-character cap — no more silent truncation.
  • B199 test-coverage epic closed: the CRITICAL Playwright + integration-coverage epic is verified complete and closed.
  • Activation-test regression fix: a latent v5.1.7 async-timing test regression is fixed; the full vscode-test suite is restored to green.

See CHANGELOG.md for the full v5.1.8 release notes.

What's new in v5.1.7

  • Universal governance interceptor (B151): an IGovernanceInterceptor single-evaluate seam — EngineBackedInterceptor maps engine verdicts to receipts, McpInterceptor adapts MCP envelopes; BicameralRoute is migrated through it with behavioural-parity proof. Opens the B190 → B151 → B152 → B153 architecture chain.
  • Bicameral preflight → L3 (B-INT-2): drifted-decision evidence attaches to queued tier-3 L3 approvals; a preflight-conflict line surfaces on the approval card before you approve.
  • Subscribe-without-mutate UI remediation (B198): a shared accessible modal helper, event-driven Skills-cache invalidation, and TabGroup sub-view lifecycle cleanup.
  • Bicameral hardening: install-detector symlink-containment + extra-roots allowlist (B-BIC-6/7); decision-row UX — open-binding, capability hint, composite sync, overflow clamp (B-BIC-12/13/14/15); drift verdict events feed Sentinel + the Risks Register (B-BIC-17/18).
  • Test-coverage hardening (B-B199-3/4/5/6): per-file-scoped E2E coverage-gate overrides, cross-host install-record coverage, and documented voice/stub trade-offs.

See CHANGELOG.md for the full v5.1.7 release notes.

What's new in v5.1.6

  • Bicameral MCP — HIGH cluster: 11 typed wrappers for the deferred bicameral tools (ingest, search, brief, judgeGaps, resolveCompliance, linkCommit, update, reset, dashboard, validateSymbols, getNeighbors) + callRaw public surface + per-tool runtime guards (B-BIC-19).
  • Live-subprocess integration test: vendored TypeScript echo-mcp-server spawned via process.execPath exercises the real @modelcontextprotocol/sdk transport handshake (B-BIC-20).
  • DriftToL3Mediator: bicameral drift status-edges enqueue L3 approvals; L3 decisions ratify upstream (APPROVED → ratify, REJECTED → reject, DEFERRED/EXPIRED no-op) (B-BIC-16).
  • Upstream awareness: pip floor pin bicameral-mcp>=0.14,<0.16 + UpstreamMonitor service (24h poll, SSRF-allowlisted owner/repo slug, fail-closed before any fetch) + GET /api/integrations/bicameral/upstream local-only route + Settings card upstream row (B-INT-3).
  • B-B199-2 Replay + Genome behavioral E2E: 14 new Playwright cases cover the Agents-tab Replay and Genome sub-views (empty state, list/detail nav, WS-event refresh, slice caps).
  • B-EM-2/B-EM-3 enforcement-mode polish: ModeTransitionHistory.hydrateFromLedger replays governance.modeChanged on activation; FirstRunModePicker quickpick on initial install.

See CHANGELOG.md for the full v5.1.6 release notes.

What's new in v5.1.5

  • Bicameral MCP — Integrations tab: full v1 surface (install bridge, settings card, history/preflight/drift/ratify) plus 5 quick-win hardening fixes (B-BIC-1..5): ratify → META_LEDGER USER_OVERRIDE; extension-deactivate disposer; transport.onclose crash recovery; capability cache; install stdout/stderr ANSI sanitizer.
  • B199 Command Center E2E coverage: structural Playwright specs for all 6 top-level tabs (Settings, Overview, Skills, Agents, Workspace, Governance) + 16-broadcast WebSocket matrix + real-disk META_LEDGER → /api/hub → Monitor renderer end-to-end (FX511-FX525).
  • B197 qor-logic version-floor surfacing: hub payload carries installedVersion + meetsFloor; Settings card surfaces a floor warning when below MIN_QOR_LOGIC_VERSION.
  • B194 enforcement-mode escalation UX: observe-mode advisory banner + Governance tab "Mode Transitions" feed with reverse-chronological history.
  • B193 SentinelDaemon governance-file coverage: governance markdown/yaml/json watched; canonical fs paths; .failsafe/governance/ blanket-prefix match.
  • B192 stale-cache remediation: WorkspaceMutationBus substrate routes filesystem mutations to PlanManager + HubSnapshotService + TrustEngine + ConsoleLifecycleService subscribers.
  • B195 voice substrate extraction: heavy vendor binaries moved out of base VSIX into separate voice-pack companion download.

See CHANGELOG.md for the full v5.1.5 release notes.

What's new in v5.1.0

  • Model-sourced Risk Register: coding agents author risks via the MCP tool failsafe.create_risk, the @failsafe /risk chat subcommand, or FailSafe auto-derives them from SHIELD lifecycle (GATE VETOs, DEBUG entries, Shadow-Genome failure events). The manual "Add Risk" wizard is removed.
  • Install Skills UX expansion: live-progress modal, per-host skill picker, dry-run preview, operator-editable host registry, and a workspace LiveProgressInvariant doctrine.
  • SRE panel: now attributes the Microsoft Agent Governance Toolkit (data source) and Qortara.
  • Release pipeline safety gate: both VS Code Marketplace and OpenVSX publish jobs now sit behind a production GitHub environment requiring reviewer approval.
  • OpenVSX alignment: VS Code Marketplace and OpenVSX are both at v5.0.0 baseline; v5.1.0 publishes to both.

See CHANGELOG.md for the full v5.1.0 release notes.

FailSafe and FailSafe Pro

FailSafe is the open-source VS Code and Cursor extension for local AI coding governance — audits, skills, checkpoints, and editor-visible safety workflows. Skills are sourced from the qor-logic PyPI package.

FailSafe Pro is the desktop native application for SDLC visibility and governance — OS-level enforcement, file locking, team workflows, and remote connections beyond the editor boundary.

Use FailSafe when you want local editor guardrails. Use FailSafe Pro when you need full SDLC visibility and managed runtime operations.

Learn more: https://mythologiq.studio/products/failsafe-pro

Download: https://mythologiq.studio/products/failsafe-download



FailSafe is open source. Fork it, open issues, and submit pull requests.

FailSafe transitioned from beta to stable release on 2026-02-28. We expect even greater things to come. Thank you for being part of our journey. See Terms and Conditions.




What You Will Configure in 5 Minutes

Create or edit .failsafe/config/policies/risk_grading.json to tune risk classification:

{
  "filePathTriggers": {
    "L3": ["auth", "payment", "credential"]
  },
  "contentTriggers": {
    "L3": ["DROP TABLE", "api_key"]
  }
}

Result: Risk grading overrides are loaded on startup when this JSON file is present. Defaults apply when it is missing. Top-level sections replace defaults, so include full sections if you want to preserve them.


What Is FailSafe?

FailSafe is an open-source VS Code extension and stability monitoring framework for AI-assisted development. It adds intent-gated saves, Sentinel audits, and a ledgered audit trail so risky changes are surfaced and controlled.

FailSafe separates system awareness from system control.

The Monitor provides real-time visibility into system health, governance posture, and operational risk. It is designed for continuous, low-effort awareness.

The Command Center is the primary control surface where teams plan, execute, and govern AI workflows. All configuration, orchestration, and audits originate here.

This separation reduces cognitive load and mirrors real-world operations environments: observe first, act deliberately.

Primary UI surfaces in the current release:

  • FailSafe Monitor (compact)
  • FailSafe Command Center (extended)



The Idea

Prompt-based safety asks the LLM to follow rules. The LLM decides whether to comply.

Kernel-style safety evaluates actions at the editor boundary using policies, heuristics, and optional LLM analysis.


Architecture

graph TD
    A[User Actions] --> B[Intent Service]
    B --> C{Enforcement}
    C -- Allowed --> D[File System]
    C -- Blocked --> E[User Approval]

    F[AI Agent] --> G[MCP Server]
    G --> H[Sentinel Audit]
    H --> I[SOA Ledger]

    I --> J[FailSafe Command Center]
    H --> J

Directory Structure

FailSafe uses a Physical Isolation model to separate workspace governance from application development.

Workspace Root (Governance)

/ (root)
+-- .agent/                   # Active workspace workflows
+-- .claude/                  # Active commands + secure tokens
+-- .qorelogic/               # Workspace configuration (locked)
+-- docs/                     # Workspace governance (Ledger, State, Spec)
+-- FAILSAFE_SPECIFICATION.md -> docs/FAILSAFE_SPECIFICATION.md

App Container (Extension Source)

/FailSafe/ (container)
+-- extension/                # VS Code Extension TypeScript Project
+-- build/                    # Build & validation tooling

Note: A single extension publishes to both VS Code Marketplace and Open VSX via GitHub Actions. Claude Code skills are located at .claude/skills/qor-*/SKILL.md.


Core Systems

| System | Layer | Description |
| --- | --- | --- |
| Genesis | Experience | FailSafe Monitor + FailSafe Command Center |
| Qor-Logic | Governance | Intent gating, policies, ledger, and trust |
| Sentinel | Enforcement | File watcher audits and verdicts |

Governance Modes

FailSafe supports three governance modes to match your workflow needs:

| Mode | Behavior | Best For |
| --- | --- | --- |
| Observe | No blocking, just visibility and logging. Zero friction. | New users, exploration, learning |
| Assist | Smart defaults, auto-intent creation, gentle prompts. Recommended. | Most development workflows |
| Enforce | Full control, intent-gated saves, L3 approvals. | Compliance, regulated industries |

Switch modes via the FailSafe: Set Governance Mode command or the failsafe.governance.mode setting.


Qor-Logic: The Governance Layer

Qor-Logic is two things working as one: the deterministic governance engine that enforces safety policies at the editor boundary, and the SHIELD skill corpus — sourced from the qor-logic PyPI package — that drives a governed plan → audit → implement → substantiate → deliver lifecycle for AI-assisted work. Both rest on one principle: governance decisions are made by code, not by asking an LLM to follow rules.

Prompt Guidelines vs. Deterministic Governance

| Aspect | Prompt-Based Safety | Qor-Logic Deterministic Governance |
| --- | --- | --- |
| Decision Maker | LLM interprets rules | TypeScript code executes rules |
| Consistency | Varies with context, temperature, model | Identical output for identical input |
| Auditability | Opaque reasoning chain | Explicit code path, logged decisions |
| Bypass Risk | LLM can ignore or reinterpret | Code cannot be persuaded |
| Speed | Network latency + inference | Sub-millisecond local execution |

How Qor-Logic Works

  1. Risk Classification — Files are classified as L1 (low), L2 (medium), or L3 (high) risk based on:

    • File path triggers (e.g., auth/, payment/, credential → L3)
    • Content triggers (e.g., DROP TABLE, api_key, private_key → L3)
    • Configurable via .failsafe/config/policies/risk_grading.json
  2. Policy Evaluation — Each risk grade has deterministic requirements:

    • L1: Heuristic check, 10% sampling, auto-approve
    • L2: Full Sentinel pass, no auto-approve
    • L3: Formal verification + human approval required
  3. Ledger Recording — Every governance decision is recorded to an append-only SOA ledger with:

    • Agent identity and trust score
    • Artifact path and risk grade
    • Timestamp and decision rationale
  4. Trust Dynamics — Agent trust scores evolve based on outcomes:

    • Approved L3 actions → trust increase
    • Rejected or failed actions → trust decrease
    • Trust scores influence future routing decisions
  5. Universal Interception — The same deterministic boundary governs more than file edits. Every MCP tool call from a connected integration (Bicameral, Open Design, MCP Catalog servers) is routed through a single IGovernanceInterceptor seam, so a risky tool invocation is classified, gated, and ledgered exactly like a risky edit. Governance follows the agent wherever it acts.

Why Deterministic Matters

When an LLM is asked to enforce safety rules, it can:

  • Reinterpret rules based on context
  • Produce inconsistent decisions across similar inputs
  • Be influenced by prompt engineering attacks

Qor-Logic avoids these risks by executing deterministic TypeScript code at the governance boundary. The policy engine uses simple string matching and path analysis—no LLM inference required for governance decisions.

Example: A file containing api_key will always trigger L3 classification. No prompt can persuade the code to ignore this trigger.
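The steps under "How Qor-Logic Works" and the override rule from the risk_grading.json section ("top-level sections replace defaults") can be traced in a small model. This is an added example, not FailSafe's source: every type and function name is hypothetical, the L2 defaults are constructed, the defaults are assumed to be the triggers this page names, and case-insensitive substring matching is an assumption. It shows that the page's sample override, which lists only DROP TABLE and api_key, drops private_key from L3.

```typescript
// Added illustration, not FailSafe source. All type and function names are hypothetical.
type Grade = "L1" | "L2" | "L3";
type TriggerMap = Partial<Record<Grade, string[]>>;
interface RiskPolicy { filePathTriggers: TriggerMap; contentTriggers: TriggerMap; }

// Assumed defaults: the L3 triggers are the ones this page names; the L2 entries
// are constructed so that an override has something to lose.
const DEFAULT_POLICY: RiskPolicy = {
  filePathTriggers: { L3: ["auth", "payment", "credential"], L2: ["config", "migration"] },
  contentTriggers: { L3: ["DROP TABLE", "api_key", "private_key"], L2: ["eval("] },
};

// Same content as the page's sample .failsafe/config/policies/risk_grading.json.
const PAGE_OVERRIDE = `{
  "filePathTriggers": { "L3": ["auth", "payment", "credential"] },
  "contentTriggers": { "L3": ["DROP TABLE", "api_key"] }
}`;

// A top-level section present in the override replaces the default section whole;
// a missing section falls back to the default. Nothing is merged per grade.
function loadPolicy(overrideJson: string | null): RiskPolicy {
  if (overrideJson === null) return DEFAULT_POLICY;
  const o = JSON.parse(overrideJson) as Partial<RiskPolicy>;
  return {
    filePathTriggers: o.filePathTriggers ?? DEFAULT_POLICY.filePathTriggers,
    contentTriggers: o.contentTriggers ?? DEFAULT_POLICY.contentTriggers,
  };
}

// Plain substring match (case-insensitive here by assumption).
function firstMatch(haystack: string, triggers: string[] | undefined): string | null {
  const h = haystack.toLowerCase();
  for (const t of triggers ?? []) {
    if (h.includes(t.toLowerCase())) return t;
  }
  return null;
}

// Step 1: highest grade wins; path triggers are checked before content triggers.
function classify(policy: RiskPolicy, path: string, content: string): { grade: Grade; reason: string } {
  for (const grade of ["L3", "L2"] as const) {
    const p = firstMatch(path, policy.filePathTriggers[grade]);
    if (p !== null) return { grade, reason: `path trigger "${p}"` };
    const c = firstMatch(content, policy.contentTriggers[grade]);
    if (c !== null) return { grade, reason: `content trigger "${c}"` };
  }
  return { grade: "L1", reason: "no trigger matched" };
}

// Step 2: per-grade requirements as listed on this page.
type Decision = "auto-approve" | "sentinel-pass-required" | "human-approval-required";
const DECISION: Record<Grade, Decision> = {
  L1: "auto-approve",            // heuristic check, 10% sampling
  L2: "sentinel-pass-required",  // full Sentinel pass, no auto-approve
  L3: "human-approval-required", // formal verification + human approval
};

// Step 3: one ledger record per decision; entries are only ever appended.
interface LedgerEntry {
  seq: number; timestamp: string; agent: string; trust: number;
  path: string; grade: Grade; rationale: string; decision: Decision;
}

function govern(policy: RiskPolicy, ledger: LedgerEntry[], agent: { id: string; trust: number },
                path: string, content: string, timestamp: string): LedgerEntry {
  const { grade, reason } = classify(policy, path, content);
  const entry: LedgerEntry = {
    seq: ledger.length, timestamp, agent: agent.id, trust: agent.trust,
    path, grade, rationale: reason, decision: DECISION[grade],
  };
  ledger.push(entry);
  return entry;
}

// Constructed inputs: the same save is graded under the defaults and under the override.
function demo(): LedgerEntry[] {
  const ledger: LedgerEntry[] = [];
  const agent = { id: "agent-demo", trust: 0.5 };
  const ts = "2026-01-01T00:00:00Z";
  const path = "src/util/keys.ts";
  const content = "const private_key = load();";
  govern(DEFAULT_POLICY, ledger, agent, path, content, ts);            // L3
  govern(loadPolicy(PAGE_OVERRIDE), ledger, agent, path, content, ts); // L1
  return ledger;
}

for (const e of demo()) console.log(e.seq, e.grade, e.decision, e.rationale);
```

To keep a default trigger after adding an override, repeat it in the override's section, for every grade that section should still cover.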


IDE Extension

| Extension | Description |
| --- | --- |
| VS Code | Save-time governance, audits, and dashboards |

Install

FailSafe provides governance for multiple AI development environments:

VS Code Extension (Save-Time Governance)

Install the FailSafe extension for real-time governance, audits, and dashboards.

VS Code Marketplace:

ext install MythologIQ.mythologiq-failsafe

Or: https://marketplace.visualstudio.com/items?itemName=MythologIQ.mythologiq-failsafe

Open VSX (VSCodium, Gitpod, etc.):

ext install MythologIQ.mythologiq-failsafe

Or: https://open-vsx.org/extension/MythologIQ/mythologiq-failsafe


Antigravity Extension (Gemini + Claude Code)

Install from Open VSX (VSCodium, Gitpod, Cursor, etc.):

ext install MythologIQ.mythologiq-failsafe

Or: https://open-vsx.org/extension/MythologIQ/mythologiq-failsafe

The Antigravity extension includes:

  • Gemini/Antigravity workflows (.agent/workflows/)
  • Claude Code skills (.claude/skills/qor-*/SKILL.md)
  • Qor-Logic personas (Governor, Judge, Specialist)
  • Stability monitoring configuration and skills

VSCode Copilot Extension (Copilot + Claude Code)

Install from VS Code Marketplace:

ext install MythologIQ.mythologiq-failsafe

Or: https://marketplace.visualstudio.com/items?itemName=MythologIQ.mythologiq-failsafe

The VSCode extension includes:

  • Copilot prompt files (.github/prompts/)
  • Claude Code skills (.claude/skills/qor-*/SKILL.md)
  • Agent personas (.github/copilot-instructions/)
  • Stability monitoring configuration and skills

The SHIELD Workflow (Claude Code)

Both extensions include Claude Code slash commands that map to the physical SHIELD governance lifecycle:

  • S - SECURE INTENT (/qor-bootstrap): Seed project DNA. Document the Why, encode the architecture, initialize the Merkle chain.
  • H - HYPOTHESIZE (/qor-plan): Create implementation blueprints with risk grades, file contracts, and Section 4 complexity limits.
  • I - INTERROGATE (/qor-audit): Adversarial tribunal. The Judge audits the plan for security, correctness, and drift. PASS or VETO.
  • E - EXECUTE (/qor-implement): Build under KISS constraints after a PASS verdict. Functions under 40 lines. Nesting under 3 levels.
  • L - LOCK PROOF (/qor-substantiate): Verify Reality matches Promise. Cryptographically seal the session with Merkle hash verification.
  • D - DELIVER (/qor-release): Deploy, inspect packaged artifacts before publish, hand off with traceability, and monitor for operational drift.

Quick Example

# Run FailSafe locally
cd FailSafe/extension
npm install
npm run compile

What's New in v4.9.0

Agent debugging, execution replay, and cross-agent skill portability.

Highlights

  • Agent Run Replay and Execution Timeline - Step-by-step replay of AI agent execution traces with a filterable event timeline and severity indicators for rapid root-cause analysis.
  • Risk and Stability Indicators - Composite health score displayed in the status bar, combining risk grade distribution, Sentinel verdicts, and trust dynamics into a single signal.
  • Shadow Genome and DiffGuard Panels - Failure pattern analysis (Shadow Genome) and AI diff risk analysis (DiffGuard) surfaced as dedicated debugging panels in the Command Center.
  • Cross-Agent Skill Propagation - Skills defined once propagate across Claude Code, Codex CLI, GitHub Copilot, Gemini, Cursor, and Windsurf via standardized adapters.

We'd love your review! If FailSafe is useful to you, please leave a review on the VS Code Marketplace or Open VSX. Your feedback helps other developers discover FailSafe and directly shapes its roadmap. Bug reports and feature requests welcome on GitHub Issues.


Upcoming Features (On the Roadmap)

  • CI/CD Pipeline Enforcer: Headless Judge verification validating failsafe_checkpoints via cryptography during PRs.
  • Shared "Core Axioms": IDE startup synchronization of enterprise-level Policy and Axioms to enforce team-wide Q-DNA compliance.
  • Air-Gapped Judge Verification: Support for routing L3 architectural audits to local LLMs (Ollama, LM Studio, etc.) for zero-leak compliance.
  • CLI Overseer Lite: Lightweight CLI-compatible FailSafe for direct website integration.

Status

FailSafe is a stable release. While we strive for reliability and completeness, all software carries inherent risks.


Terms and Conditions

FailSafe is provided "as is" without warranties of any kind, express or implied. While we have made every effort to ensure the software's reliability and security, you acknowledge that you use this software at your own risk.

By using FailSafe, you agree to the following:

  1. Use at Your Own Risk: FailSafe is designed to assist with debugging and stability monitoring for AI-assisted development, but it cannot guarantee complete protection against all risks. You remain responsible for reviewing and validating all AI-generated code and decisions.

  2. No Warranty: MythologIQ provides no warranties, express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, or non-infringement.

  3. Limitation of Liability: MythologIQ shall not be liable for any direct, indirect, incidental, special, consequential, or punitive damages arising from use of FailSafe, including but not limited to loss of data, downtime, business interruption, or any other damages.

  4. Data Backups: You are responsible for maintaining appropriate backups of your work. FailSafe includes governance and checkpoint features, but these do not replace proper backup practices.

  5. Compliance: You are responsible for ensuring your use of FailSafe complies with applicable laws, regulations, and organizational policies.

  6. Updates and Changes: FailSafe may receive updates that include new features, bug fixes, or changes to existing functionality. You are responsible for reviewing release notes and understanding how updates may affect your workflow.

  7. Feedback and Contributions: We welcome feedback, bug reports, and contributions. By contributing, you agree to license your contributions under the project's Apache License 2.0.

Thank you for being part of our journey. Your trust and feedback help us improve FailSafe for everyone.


Contributing

git clone https://github.com/MythologIQ/FailSafe.git
cd FailSafe
npm install

License

Apache License 2.0 - See LICENSE


Open source stability monitoring for AI coding agents.

GitHub | Docs


Checkpoint Integrity and Local Memory

FailSafe tracks more than Git state. It records governance checkpoints as signed metadata records, then stores Sentinel observations in a local retrieval store so operators can recover the what, why, and how of runtime decisions.

Process Reality

  1. Git readiness is enforced at bootstrap (ensureGitRepositoryReady), including optional auto-install and git init when needed.
  2. Governance events are checkpointed into failsafe_checkpoints with run/phase/status context and deterministic hashes.
  3. Each checkpoint carries git_hash, payload_hash, entry_hash, and prev_hash so chain integrity can be recomputed.
  4. Hub and API surfaces expose both summary and recent checkpoint records for operational visibility.
  5. Sentinel writes local memory records to .failsafe/rag/sentinel-rag.db (or JSONL fallback), including payload_json, metadata_json, and retrieval text.

Technical Advantages

  • Tamper evidence via hash-chained checkpoint records.
  • Git-linked governance state for repository-correlated audit trails.
  • Local-first memory retention for security and low-latency recall.
  • Deterministic fallback paths when SQLite is unavailable.

Claim-to-Source Map

| Claim | Status | Source |
| --- | --- | --- |
| Checkpoints persist in failsafe_checkpoints with typed governance fields. | implemented | FailSafe/extension/src/roadmap/RoadmapServer.ts |
| Checkpoint records include hash-chain material (payload_hash, entry_hash, prev_hash). | implemented | FailSafe/extension/src/roadmap/RoadmapServer.ts |
| Each checkpoint captures current Git head/hash context. | implemented | FailSafe/extension/src/roadmap/RoadmapServer.ts |
| Checkpoint history and chain validity are exposed over API. | implemented | FailSafe/extension/src/roadmap/RoadmapServer.ts |
| Hub snapshot includes checkpointSummary and recentCheckpoints. | implemented | FailSafe/extension/src/roadmap/RoadmapServer.ts |
| Sentinel local RAG persists observation payload + metadata + retrieval text. | implemented | FailSafe/extension/src/sentinel/SentinelRagStore.ts |
| Sentinel RAG can fall back to JSONL when SQLite is unavailable. | implemented | FailSafe/extension/src/sentinel/SentinelRagStore.ts |
| RAG writes are controlled by failsafe.sentinel.ragEnabled (default true). | implemented | FailSafe/extension/src/sentinel/SentinelDaemon.ts |
| Checkpoint and Sentinel RAG tables are independent (no foreign-key link). | false | Confirmed: failsafe_checkpoints (ledger DB) and sentinel_observations (RAG DB) are in separate databases with no shared keys. evidenceRefs is always []. |
