The era of “Vibe Coding” has fundamentally changed the physics of shipping software. We aren’t just typing anymore; we are conducting. Between Cursor’s Composer, the Claude CLI, and GitHub Copilot, the friction of writing syntax has evaporated. You describe the feature, the AI handles the implementation, and you stay in the flow state.

But this velocity has a silent tax.

When you are tab-completing entire functions at 100mph, you aren’t auditing line 42 of that generated boilerplate. You are optimizing for “Does it run?”, not " Is it safe?".

The reality is that LLMs are trained on public repositories, which means they are trained on other people’s bad habits. They love to hallucinate secrets or suggest “dummy keys” that look dangerously real. You hit Tab -> Accept, and suddenly, a const STRIPE_KEY = "sk_live_51M..." is buried in your commit history.

Most teams rely on tools like gitleaks to catch this. The problem? Those run at the commit stage. By the time the scanner screams at you, the secret is already in your git history, and you are forced to break your flow to rewrite the SHA tree.

I didn’t want a scanner that nags me after the fact. I wanted a bodyguard for my clipboard—a tool that catches secrets milliseconds after they hit the editor, without ever sending my code to the cloud.

So, I built Entropy Sentinel. Here is the architecture of a local-first security tool.

📉 The ‘Why’ (The Vibe Coding Gap)

When we embrace tools like Cursor or Copilot, we are already making a massive compromise: we are sending snippets of our codebase to an inference provider (OpenAI, Anthropic, Google, or Microsoft). We accept this trade-off for the 10x speed boost.

But we should not double down on that risk.

If I am installing a tool specifically designed to catch secrets—AWS keys, Stripe tokens, database passwords—the absolute last thing I want that tool to do is send those secrets to a third-party server for “analysis.”

I designed Entropy Sentinel around two non-negotiable constraints to solve this:

Constraint 1: The “Air-Gap” Simulation (Trust)

Standard security tools often act like “Cloud bouncers”—they intercept your data, check it against a list on a server, and let you know if you’re safe.

I wanted this extension to function like a biological immune system: entirely self-contained.

  • Zero API Calls: The extension has no internet permission. It cannot “phone home.”

  • Zero Database: There is no “known bad list” downloaded from a server. It relies purely on the mathematical properties of the strings themselves.

If the tool finds a secret, it stays in RAM. If you close VS Code, the memory is flushed. Nothing is logged. Nothing leaves localhost.

Constraint 2: The “Vibe” Requirement (Latency)

“Vibe Coding” is fragile. It relies on instant feedback loops. If an extension introduces even 200ms of input latency because it’s waiting for a REST API to return a 200 OK, the “Vibe” dies. The editor feels sluggish.

To maintain the flow state, the scanner had to run faster than human typing speed (approx 50-100ms per keystroke).

  • Cloud Architecture: Keystroke -> Network -> Server Logic -> Network -> Alert. (Too slow).

  • Local Architecture: Keystroke -> CPU Math -> Alert. (Instant).

The Stack

To achieve this, I had to reject the modern “SaaS” toolkit and go back to basics:

  • Core: VS Code Extension API (TypeScript).

  • Engine: Pure JavaScript Math (Shannon Entropy calculations running on the CPU).

  • Storage: Your local filesystem (.env files).

We aren’t building a platform here. We are building a utility

🏗️ The Architecture (The Build)

The core logic relies on Shannon Entropy—a mathematical measure of randomness. English text (or code variables like const userIndex) has low entropy because it is predictable. Cryptographic keys (like x8_99!aZ$) have high entropy.

However, a raw entropy check isn’t enough. A random Git Hash is safe; an AWS Secret Key is not. To solve this, I architected a Context-Aware Engine.

The “Smart Scanner” Logic

We couldn’t just use a single global threshold. We analyze the variable name assigning the value to dynamically adjust the sensitivity of the scanner.

  • High Sensitivity Mode: If the variable is named api_keysecret, or password, we lower the shields. A string with even moderate randomness (Threshold 3.2) triggers an alert.

  • Low Sensitivity Mode: If the variable is named page_idcolor, or uuid, we assume it’s safe. We require extreme randomness (Threshold 4.8) to interrupt the user.

Here is the simplified logic used in the scanner.ts engine:

TypeScript

// The "Physics" of the scan
function calculateRisk(variableName: string, value: string): RiskLevel {
  const baseEntropy = getShannonEntropy(value);
  
  // Contextual weighting
  let threshold = 4.5; // Default high bar
  
  if (/key|secret|token|auth/i.test(variableName)) {
    threshold = 3.2; // Lower bar for suspicious names
  } else if (/color|hash|id/i.test(variableName)) {
    threshold = 5.0; // Raise bar for safe names
  }

  return baseEntropy > threshold ? RiskLevel.HIGH : RiskLevel.SAFE;
}

The mathematical foundation for the entropy calculation is standard, but applying it conditionally based on AST (Abstract Syntax Tree) context is what stops the tool from being annoying.

H(X) = -∑ P(xᵢ) log₂ P(xᵢ)

Where P(xᵢ) is the probability of character xᵢ appearing in the string.

⚡ The “Killer Feature”: The One-Click Vault

Developers aren’t lazy; they are efficient. Creating a .env file, defining the variable, and swapping the code takes about 45 seconds of context switching. That is 44 seconds too long.

I built an automated refactor action into the extension using the VS Code CodeActionProvider API.

  1. Detection: The scanner underlines the string in red.

  2. Action: The user clicks the Lightbulb 💡 (or hits Cmd+.).

  3. Execution:

    • The extension reads the .env file in the root.

    • It appends VARIABLE_NAME=the_secret_string.

    • It rewrites the editor line to process.env.VARIABLE_NAME.

The result? You go from insecure to production-ready in one click, without ever leaving the file.

Visual Note: Imagine a UI where the red squiggly line turns into a clean process.env variable instantly. That is the dopamine hit of secure engineering.

⚠️ The Reality Check (The Constraints)

Marketing will tell you this tool is “AI-Powered.” Physics tells you it’s a regex loop running on the main thread. Here is where we hit the wall.

  1. The Performance Tax

In v0.1, I hooked the scanner into the onDidChangeTextDocument event. This meant the extension ran the entropy math on the entire file every time I pressed a key. VS Code immediately flagged the extension for high CPU usage.

The Fix: I implemented a Debounce pattern. The scanner now waits for 500ms of idle time (user stops typing) before scanning only the changed range, not the whole file.

  1. The “CSS” Problem (False Positives)

My initial entropy algorithm hated frontend developers. It flagged every hex color code (e.g., #5D3A9B) as a potential secret. The Fix: We had to implement “Ignore Lists” for specific file extensions (.css.scss.lock) and specific patterns (strings starting with # and length < 8).

  1. Visuals vs. Diagnostics

I started by painting red boxes using createTextEditorDecorationType. This looked cool but was functionally dumb—it didn’t integrate with VS Code’s native “Problems” tab. I had to refactor the entire rendering engine to use DiagnosticCollection. This allowed the native “Quick Fix” lightbulb to appear, which was critical for the user experience.

🛡️ Open Source & Trust

Because this tool reads your clipboard and scans your active editor, trust is binary. You either have it, or you don’t.

If this were a closed-source SaaS, I wouldn’t install it, and neither should you. That is why Entropy Sentinel is 100% Open Source. You can audit the scanner.ts file yourself to verify that no fetch() calls are sending your API keys to my server.

💬 Let’s Argue

We talk a lot about “Shift Left” in security. But are we giving developers the tools to actually do it, or just giving them more homework?

Does your team rely on pre-commit hooks, or do you have a way to catch secrets during the vibe coding phase? Let me know in the comments.

I learn as much from the debate as I do from the documentation.

🌱 Want more experiments? This is just one plant in my digital garden. I’m constantly breaking things, hitting limits, and documenting the fixes over at my personal site.

If you like deep dives into the “Real World” of Enterprise AI (minus the marketing fluff), go check it out:👉 Pavan’s Digital Garden