
Security Architecture

The technical truth. No marketing fluff.

🔒 Zero Telemetry 🏠 Local-Only Execution ✈️ Air-Gap Ready 👁️ Fully Auditable Source 🛡️ Fail-Closed Design

1. How It Works

Instant Approve uses two engines depending on your VS Code version. Both are 100% local: no servers, no proxies, no cloud.

| Engine | VS Code Version | How It Works |
| --- | --- | --- |
| Agent Hooks (primary) | ≥ 1.109 | PreToolUse hook intercepts agent tool calls before execution |
| CDP (fallback) | < 1.109, Cursor, Windsurf | Chrome DevTools Protocol monitors and clicks approval buttons via localhost:9000 |

Agent Hooks Flow

┌──────────────────────────────────────────────────────┐
│  VS Code ≥ 1.109                                     │
│                                                      │
│  Agent invokes tool (Bash, Edit, MCP, etc.)          │
│        │                                             │
│        ▼                                             │
│  ┌───────────────────┐    stdin    ┌──────────────┐  │
│  │  PreToolUse Hook  │────JSON────▶│  Checker     │  │
│  │  (VS Code native) │◀───JSON─────│  (Node.js)   │  │
│  └───────────────────┘    stdout   └──────────────┘  │
│        │                                             │
│        ▼                                             │
│  allow / deny decision (before tool runs)            │
└──────────────────────────────────────────────────────┘

CDP Flow

┌──────────────────────────────────────────────────────┐
│  YOUR MACHINE (localhost only)                       │
│                                                      │
│  ┌─────────────┐    WebSocket     ┌────────────────┐ │
│  │  Extension  │─── 127.0.0.1 ───▶│  IDE Renderer  │ │
│  │  (Node.js)  │      :9000       │  (Chromium)    │ │
│  └─────────────┘                  └────────────────┘ │
│        │                                │            │
│        │ inject dom_observer.js         │ scan DOM   │
│        │ via Runtime.evaluate     ┌─────┘            │
│        │                          ▼                  │
│        │                    ┌───────────┐            │
│        │                    │  Click    │            │
│        │                    │  "Accept" │            │
│        │                    └───────────┘            │
│        │                                             │
│  ══════╪═══════════════════════════════════════      │
│        │  Network boundary (nothing crosses)         │
└────────┼─────────────────────────────────────────────┘
         │
         ▼ (Only outbound request)
   ┌──────────────┐
   │ LemonSqueezy │  License key validation only.
   │   API        │  No code, no file paths, no telemetry.
   └──────────────┘

2. What We Protect Against

| Threat | Mitigation |
| --- | --- |
| Destructive commands | 26+ banned patterns (rm -rf /, drop database, format c:, etc.) with configurable regex support |
| Command obfuscation | Evasion detection catches base64 -d \| sh, hex encoding, eval(atob()), and other encoded payloads |
| Config file tampering | Blocks agent edits to .vscode/settings.json, .github/hooks/, .claude/settings.json (CVE-2025-53773) |
| MCP tool misuse | Checks mcp__* pattern tools against banned commands |
| Silent approval on error | Fail-closed design: parse errors deny the action instead of approving |

What We Don't Protect Against

  • Novel zero-day attack patterns not in the blocklist
  • Logical errors in agent-generated code (correct syntax, wrong logic)
  • Supply chain attacks in dependencies the agent installs
  • Social engineering via agent-suggested workflows

Windows-Specific Risks

Important: Windows has no native terminal sandboxing for AI agents. macOS and Linux have partial sandboxing via VS Code's terminal profiles, but Windows does not. Instant Approve is your only safety layer on Windows.

3. What We Access

| Resource | Read | Write | Transmit |
| --- | --- | --- | --- |
| Your source code | Never | Never | Never |
| File system | Own scripts only | Hooks config, audit log | Never |
| IDE DOM (CDP only) | Button text only | Click events | Never |
| Tool invocations (Hooks) | Tool name + input | Allow/deny decision | Never |
| Terminal content | Nearby command text | Never | Never |
| Network | - | - | License key only |
| Clipboard | Never | Never | Never |

4. Guardrails

Banned Command Detection

Before auto-approving any action, both engines scan for banned patterns. The default blocklist includes 26+ destructive commands (rm -rf, drop database, format c:, shutdown, etc.) plus 10 evasion pattern regexes. Supports custom regex rules via configuration.

Evasion Pattern Detection

Goes beyond simple string matching. Catches obfuscation techniques that bypass native auto-approve modes: base64 decoding piped to shell, hex-encoded payloads, eval(atob()), Python exec()/os.system(), and curl-to-shell pipes.

Config File Protection (CVE-2025-53773)

Blocks agent modification of security-critical configuration files:

  • .vscode/settings.json: prevents disabling security features
  • .vscode/extensions.json: prevents altering extension recommendations
  • .github/hooks/: prevents agents from modifying their own safety rules
  • .claude/settings.json / .claude/settings.local.json: prevents changing Claude Code permissions

MCP Tool Detection

Tools following the mcp__server__tool naming pattern are automatically checked against the banned command list, preventing MCP-based evasion of safety guardrails.

Fail-Closed Design

If the safety checker encounters an error (malformed input, parse failure, timeout), it denies the action rather than silently approving. A security tool that fails open is worse than no security at all.
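
The guardrails described above (banned commands, evasion patterns, protected config paths, MCP tool arguments, fail-closed errors) combined into one decision function, as an added example that is not Instant Approve's own code. The input field names tool_name and tool_input, the reason strings, and the short pattern lists are assumptions chosen for illustration; the shipped blocklist is larger.

```javascript
// Added example, not Instant Approve's source. Field names tool_name/tool_input are assumed.
const BANNED = [/\brm\s+-rf\b/i, /\bdrop\s+database\b/i, /\bformat\s+c:/i];
const EVASION = [
  /\bbase64\s+(-d|--decode)\b[^|]*\|\s*(ba)?sh\b/i, // decode piped to a shell
  /\beval\s*\(\s*atob\s*\(/i,                        // eval(atob(...))
  /\bcurl\b[^|]*\|\s*(ba)?sh\b/i,                    // curl-to-shell pipe
];
const PROTECTED = [
  /(^|\/)\.vscode\/(settings|extensions)\.json$/,
  /(^|\/)\.github\/hooks(\/|$)/,
  /(^|\/)\.claude\/settings(\.local)?\.json$/,
];

// Gather every string in the tool input, so MCP tools with arbitrary
// argument names are scanned the same way as a Bash "command" field.
function collectStrings(value, out = []) {
  if (typeof value === 'string') out.push(value);
  else if (value && typeof value === 'object') {
    for (const v of Object.values(value)) collectStrings(v, out);
  }
  return out;
}

// Resolve "." and "..", unify separators and case, so a path such as
// "src\..\.VSCode/settings.json" is compared in its canonical form.
function normalizePath(p) {
  const parts = [];
  for (const seg of p.replace(/\\/g, '/').toLowerCase().split('/')) {
    if (seg === '..') parts.pop();
    else if (seg !== '' && seg !== '.') parts.push(seg);
  }
  return parts.join('/');
}

const deny = (reason) => ({ decision: 'deny', reason });

function decide(rawJson) {
  try {
    const call = JSON.parse(rawJson);
    const input = call && call.tool_input;
    if (!call || typeof call.tool_name !== 'string' || !input || typeof input !== 'object') {
      return deny('malformed');
    }
    for (const s of collectStrings(input)) {
      if (BANNED.some((re) => re.test(s))) return deny('banned');
      if (EVASION.some((re) => re.test(s))) return deny('evasion');
      // Conservative: any string argument that resolves to a protected path is denied.
      if (PROTECTED.some((re) => re.test(normalizePath(s)))) return deny('protected-config');
    }
    return { decision: 'allow' };
  } catch (err) {
    return deny('checker-error'); // fail closed: any parse or runtime error denies
  }
}
```

A hook script would read the tool call from stdin, pass it to decide, and write the result to stdout; the exact output schema VS Code expects is not shown on this page.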

Context Menu / Dropdown Exclusion

The CDP observer explicitly skips Monaco editor context menus, dropdowns, and quick-pick lists. Only standalone buttons matching the accept pattern are clicked.

Reject Patterns

Buttons containing "cancel", "delete", "remove", "skip", "deny", "close", or "never" are always rejected, even if they also contain an accept keyword.

Emergency Stop

Press Ctrl+Shift+X (or Cmd+Shift+X on macOS) to immediately halt all auto-approval. The status bar toggle also stops instantly.

Dry-Run Mode

Enable instantApprove.dryRun in settings to log what would be auto-approved without actually clicking. Review the Activity Log before trusting the extension in a new environment.

5. Audit Trail

Every allow/deny decision is logged to .instant-approve/audit.jsonl in your workspace:

{"ts":"2026-02-14T22:00:00Z","tool":"Bash","command":"npm test","decision":"allow","engine":"cdp"}
{"ts":"2026-02-14T22:00:01Z","tool":"Bash","command":"rm -rf /","decision":"deny","reason":"banned","engine":"cdp"}

Logs rotate at 10MB with 3 backups retained. Agent Hooks decisions are additionally visible in VS Code's hook output panel.

6. Policy-as-Code for Teams

Commit .github/hooks/instant-approve.json to your repository. Every developer using Instant Approve gets the same safety rules automatically:

your-repo/
  .github/
    hooks/
      instant-approve.json   ← Team-wide safety policy

Generated by the extension on first install. Customizable per-project. Changes take effect on the next agent session.

7. What We Don't Do

  • We do not read your source files
  • We do not send any telemetry, analytics, or crash reports
  • We do not modify your code, git history, or terminal state
  • We do not intercept HTTP traffic or proxy connections
  • We do not run in the background when disabled
  • We do not phone home for feature flags or remote config

8. Audit the Code

Plain JavaScript. No build step, no minification, no bundler. Read every line at github.com/PromptMeToTheMoon/instant-approve.

| File | Lines | Purpose |
| --- | --- | --- |
| extension.js | ~580 | Activation, commands, status bar, dual-engine orchestration |
| dom_observer.js | ~395 | CDP DOM scanning, button detection, banned command check |
| src/hooks_checker.js | ~175 | PreToolUse hook script: safety checker for Agent Hooks engine |
| src/hooks_service.js | ~120 | Hooks config generation, install/uninstall |
| src/banned_commands.js | ~95 | Shared banned command list and evasion pattern detection |
| src/cdp_service.js | ~215 | WebSocket CDP connections and script injection |
| src/audit_service.js | ~110 | JSONL audit logger with 10MB rotation |
| src/license_service.js | ~320 | LemonSqueezy license validation (the only network call) |

One dependency: ws (WebSocket client). That's it.

© 2026 Instant Approve.
