How to Add AI Agent Safety to Visual Studio
SafeClaw by Authensor provides deny-by-default AI agent safety for Visual Studio (Windows), ensuring that GitHub Copilot, IntelliCode, and any other AI-powered tools operate within strict boundaries. Every action is checked against your policy and logged to a hash-chained audit trail. SafeClaw works with both Claude and OpenAI and is backed by 446 tests.
Prerequisites
- Visual Studio 2022 (17.8 or later)
- Node.js 18+ (install via winget install OpenJS.NodeJS)
- Developer PowerShell or Terminal integration
Step 1: Install SafeClaw
Open Developer PowerShell for Visual Studio and run:
npx @authensor/safeclaw
This creates the .safeclaw\ directory in your solution root with a default deny-all policy and audit log store.
Step 2: Define Your Policy
Create .safeclaw\policy.yaml:
version: 1
default: deny
rules:
  - action: file.read
    paths:
      - "src/**"
      - "tests/**"
      - "docs/**"
    decision: allow
  - action: file.write
    paths:
      - "src/**"
    decision: prompt
  - action: file.write
    paths:
      - "*.sln"
      - "*.csproj"
      - "*.vcxproj"
    decision: deny
  - action: shell.execute
    commands:
      - "dotnet build"
      - "dotnet test"
      - "msbuild /t:Build"
    decision: allow
  - action: shell.execute
    decision: deny
  - action: network.request
    domains:
      - "api.openai.com"
      - "api.anthropic.com"
      - "copilot-proxy.githubusercontent.com"
    decision: allow
This policy prevents AI agents from modifying solution and project files (.sln, .csproj, .vcxproj), which could introduce breaking configuration changes.
Step 3: Add an MSBuild Pre-Build Task
Edit your .csproj file to add a pre-build audit verification:
<Target Name="SafeClawVerify" BeforeTargets="Build">
  <Exec Command="npx @authensor/safeclaw audit --verify --quiet"
        ContinueOnError="false"
        StandardOutputImportance="low" />
  <Message Text="SafeClaw audit chain verified." Importance="high" />
</Target>
This ensures the audit log integrity is checked before every build. If the hash chain is broken, the build fails immediately.
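To show what a chain check like the one in Step 3 detects, here is an added example in Node.js; it is not SafeClaw's code and does not reproduce its log format. The entry fields, the all-zero genesis value and the `expectedHead` parameter are assumptions made for illustration.

```javascript
// Added illustration of a generic hash-chained log; NOT SafeClaw's log format.
const { createHash } = require("node:crypto");

const GENESIS = "0".repeat(64); // assumed value chained into the first entry

// Each hash covers the previous hash plus this entry's fields in a fixed order.
function entryHash(prev, e) {
  const body = JSON.stringify([e.ts, e.action, e.target, e.decision]);
  return createHash("sha256").update(prev).update(body).digest("hex");
}

function append(log, e) {
  const prev = log.length ? log[log.length - 1].hash : GENESIS;
  log.push({ ...e, prev, hash: entryHash(prev, e) });
}

// Walks the chain from the start. brokenAt is the index of the first entry that
// fails, log.length if only the head comparison fails, or -1 if all is well.
// expectedHead (optional) is the last hash, kept somewhere outside the log.
function verify(log, expectedHead) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    if (e.prev !== prev || e.hash !== entryHash(prev, e)) {
      return { ok: false, brokenAt: i };
    }
    prev = e.hash;
  }
  if (expectedHead !== undefined && prev !== expectedHead) {
    return { ok: false, brokenAt: log.length };
  }
  return { ok: true, brokenAt: -1 };
}

// Constructed sample entries, loosely modelled on the policy actions above.
function sampleLog() {
  const log = [];
  append(log, { ts: "2024-01-01T10:00:00Z", action: "file.read", target: "src/Program.cs", decision: "allow" });
  append(log, { ts: "2024-01-01T10:00:05Z", action: "file.write", target: "App.csproj", decision: "deny" });
  append(log, { ts: "2024-01-01T10:00:09Z", action: "shell.execute", target: "dotnet test", decision: "allow" });
  return log;
}

const edited = sampleLog();
edited[1].decision = "allow"; // rewrite a recorded deny after the fact
console.log(verify(sampleLog()), verify(edited));
```

Removing entries from the end leaves a chain that still verifies on its own, which is why the example also compares the final hash against a copy kept outside the log.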
Step 4: Create External Tools Entries
In Visual Studio, go to Tools > External Tools and add:
Tool 1: SafeClaw Audit
- Title: SafeClaw: Audit Tail
- Command: cmd.exe
- Arguments: /c npx @authensor/safeclaw audit --tail 10
- Initial directory: $(SolutionDir)
- Use Output window: checked
Tool 2: SafeClaw Verify
- Title: SafeClaw: Verify Chain
- Command: cmd.exe
- Arguments: /c npx @authensor/safeclaw audit --verify
- Initial directory: $(SolutionDir)
- Use Output window: checked
Tool 3: SafeClaw Status
- Title: SafeClaw: Status
- Command: cmd.exe
- Arguments: /c npx @authensor/safeclaw status
- Initial directory: $(SolutionDir)
- Use Output window: checked
Access these from the Tools menu during your development workflow.
Step 5: Configure for .NET AI Agent Projects
If you are building AI agents with Semantic Kernel or other .NET AI libraries, wrap the agent process:
npx @authensor/safeclaw wrap -- dotnet run --project AgentApp
SafeClaw sits between your .NET agent and the operating system, applying policy rules to every action.
Step 6: Test the Integration
Use any AI assistant in Visual Studio to suggest a file modification. SafeClaw should intercept the action and apply the appropriate policy decision. Verify:
npx @authensor/safeclaw audit --tail 5
Attempt to modify a .csproj file via the agent. SafeClaw should deny the action and log it.
Summary
SafeClaw integrates into Visual Studio through PowerShell, MSBuild tasks, and external tools. The deny-by-default model protects solution and project files from unintended AI modifications. Hash-chained audit logs provide a tamper-evident record. SafeClaw is MIT licensed and open source.