Building Cryptographic Guardrails for AI-Assisted Coding

Bewaker AI — Tue, 07 Oct 2025 21:32:53 +0000

Bewaker: local-first cryptographic guardrails for critical code (VS Code + git hooks)

AI coding assistants are great! That is until a tiny diff lands in the wrong place. For things like infrastructure-as-code, authorization paths, or payment logic, even subtle changes can carry real risk.

Bewaker is an open-source, local-first tool that helps you lock down the sensitive parts of your repo and prove they weren’t changed without an explicit unlock. It runs inside VS Code and enforces integrity with git pre-commit/pre-push hooks. No backend, no telemetry; keys and audit stay on your machine. Apache-2.0.

Website: https://www.bewaker.ai
GitHub: https://github.com/bewakerai/bewaker
Marketplace: https://marketplace.visualstudio.com/items?itemName=BewakerAI.Bewaker

What it does

Policy-driven protection — define a simple YAML policy that lists what to protect.
Cryptographic lockfile — Bewaker writes a Merkle-rooted, Ed25519-signed lock that represents the expected state.
Editor + hooks enforcement — VS Code surfaces guardrails as you edit; pre-commit/pre-push hooks block unapproved changes.
Tamper-evident audit — events are chained locally so you have a verifiable trail.

Works alongside Copilot/Cursor—goal is secure AI-assisted dev, not blocking AI.

Quickstart (90 seconds)

Install the VS Code extension

Marketplace: https://marketplace.visualstudio.com/items?itemName=BewakerAI.Bewaker

Create a policy

In VS Code, open the Command Palette and run "Bewaker: Recommend Policy" (or create .guardpolicy.yml).

# .guardpolicy.yml (minimal example)
protect:
  - path: "infra/**"
  - path: "src/auth/**"
  - path: ".github/workflows/**"

Lock the repository

Command Palette → "Bewaker: Lock Repository"

This writes .guardlock (Merkle + Ed25519) to represent the expected state.
Install git hooks

Command Palette → "Bewaker: Install Git Hooks"

This adds pre-commit / pre-push verification.
Try it

Edit a protected file and attempt a commit. The hook will block it until you explicitly unlock in the extension.

How it works

Policy → .guardpolicy.yml tells Bewaker which files/paths are considered sensitive.
Lockfile → .guardlock stores a Merkle root and signature so drift is detectable and the lock itself is tamper-evident.
Hooks → pre-commit / pre-push recompute hashes for protected paths and compare against the lockfile before a commit/push is allowed.
Audit → local JSONL keeps an append-only, tamper-evident record of locks/unlocks/verification events.

Local-first by design: no server, no telemetry, keys stay on your machine.

How this differs from CODEOWNERS

CODEOWNERS is great for review workflows, but it triggers during PR, after a commit exists.

Bewaker focuses on pre-commit, on the developer’s machine. It’s a guardrail while editing, not just during review.

Use both: CODEOWNERS for review gates; Bewaker for local cryptographic integrity.

Threat model & limitations

Local enforcement: disables “it was the bot” surprises; hooks still run even if the editor is bypassed.
No network: reduces data exfil/telemetry risks.
Language-agnostic: path/policy-based across text files.

Known gaps / roadmap:

Heuristics are intentionally simple today; “adaptive/ML-ready” risk scoring is in progress.
Org-wide controls (e.g., server-side pre-receive checks) and multi-approver unlocks are part of a future Team Edition.

Call for feedback

Does the UX make sense?
Any obvious bypasses or threat-model blind spots?
What policy shapes would make this easier to adopt in monorepos?

If this scratches an itch for your team, I’d love to hear how you’d extend it.

GitHub issues: https://github.com/bewakerai/bewaker/issues
Website: https://www.bewaker.ai

Appendix: tiny policy + what happens

# .guardpolicy.yml
protect:
  - path: "infra/**"
  - path: "src/auth/**"
  - path: ".github/workflows/**"

Save the file, Lock Repository, Install Git Hooks.
Change infra/terraform.tf and try git commit.
The pre-commit hook verifies the hash against .guardlock and rejects the commit until you unlock in VS Code (events show up in the local audit).

Forem: Bewaker AI