AI coding agents are now good enough to create a lot of code quickly. That also means they are good enough to create a lot of risky changes quickly.
The failure mode I keep seeing is not “the agent writes obviously broken code.” The harder problem is quieter:
- a dependency or lockfile changes without anyone noticing,
- auth/payment/config files are touched in a broad refactor,
- source files change but tests do not,
- generated-looking rewrites bury a small important change,
- a secret-like literal appears in a diff,
- the final report says “tests passed” but the evidence is thin.
So I built a small local CLI workflow: AI Agent Change Risk Auditor.
It reads a unified diff/patch file and returns a risk score before merge. One practical caveat: git diff with no arguments only shows unstaged working-tree changes, so for a pre-merge audit generate the patch by diffing the branch against its merge target instead.
git diff > change.patch
python src/agent_change_risk_auditor.py audit --diff change.patch
Example output:
AI Agent Change Risk Audit
Risk level: high
Risk score: 63/100
Files changed: 2
Lines: +3 / -1
Flags:
- DEPENDENCY_CHANGE:package.json
- SOURCE_CHANGED_WITHOUT_TEST_CHANGE
- POSSIBLE_SECRET_LITERAL_IN_DIFF
Recommendations:
- Add or update tests for changed source files before merge.
- Remove secret-like literals and rotate exposed credentials if real.
- Review dependency changes manually and run lockfile/security checks.
What it checks
- dependency and lockfile changes,
- auth/payment/security/config paths,
- source changes without test changes,
- large or generated-looking rewrites,
- secret-like literals in the diff.
What it does not do
It is not a security guarantee. It is not a replacement for tests, code review, or proper SCA (software composition analysis). The secret check looks for secret-like literals, so it will flag some harmless strings and miss credentials that do not look like one; treat its hits as prompts to investigate, not as findings.
It is just a cheap local guardrail that catches “slow down and review this” signals before an AI-agent patch gets merged.
Why local-first?
Teams often do not want to upload private diffs to a third-party service just to get a basic risk score.
A local script is easy to inspect, easy to modify, and easy to run in private CI.
Who it is for
- founders using AI coding tools,
- agencies reviewing AI-generated client changes,
- small teams that need a pre-merge safety checklist,
- anyone who wants a simple local guardrail before a human review.
The minimal checklist
If you want the idea without any tool, start here:
- Did dependencies change?
- Did auth/payment/security/config files change?
- Did source change without tests?
- Did a large generated file change?
- Are there secret-like literals in the diff?
- Can the agent’s “tests passed” claim be tied to actual output?
That checklist alone catches a surprising amount.
Demo assets
I made two public demo pages for the workflow:
- Sample audit report: http://152.239.117.170/sample-audit-report.html
- ROI calculator: http://152.239.117.170/roi-calculator.html
Commercial note
I packaged this as a small paid starter kit with source, tests, docs, CI templates, and a commercial-use summary.
- Basic Kit: $5 one-time — https://marcnova48.gumroad.com/l/cakkb
- Pro Pack: $19 one-time — https://marcnova48.gumroad.com/l/bdyklr
Product page and demos: http://152.239.117.170/
The goal is not to promise perfect security. The goal is to save reviewer attention and reduce obvious AI-agent change risk.
Question for other teams using coding agents: what additional risk category would you add?