Securie for Cline — security review for autonomous-agent code edits

roadmap

Cline is the autonomous-agent VS Code extension that executes file edits and shell commands without per-step approval. The blast radius is correspondingly larger than that of autocomplete-only tools. Securie's role: post-edit review of every Cline-touched commit, sandbox-verified replay of any AuthAuthz / secret-leak finding, and per-PR re-validation that the autonomous edits didn't widen the system's attack surface.

What it does

Autonomous agents introduce two distinct security problems: (1) the agent itself may execute unsafe operations, and (2) the code the agent generates carries the same AI-generated-code bug rate as any other tool. Securie addresses (2) directly via the same specialist fleet that runs on Cursor / Claude Code output. For (1), Securie's agent-scope crate enforces compile-time guards on the agent's allowed operations — the OffensiveRoe-style newtype pattern that prevents an agent from receiving destructive scope unless explicitly granted.
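
The newtype guard described above can be sketched as follows. This is an added example, not code from Securie's agent-scope crate: every type and function name here is hypothetical, and the boolean approval flag is an assumption standing in for a real operator approval step.

```rust
// Added illustration; type and function names are hypothetical, not Securie's API.
mod scope {
    /// Scope every agent session gets by default: non-destructive edits only.
    pub struct EditScope(());
    /// Newtype for destructive scope. Its field is private, so code outside
    /// this module (including agent-driven code) cannot construct one.
    pub struct DestructiveScope { reason: String }
    /// Held by the operator-approval path, never handed to the agent.
    pub struct OperatorGrant(());

    impl EditScope {
        pub fn new() -> Self { EditScope(()) }
    }
    impl DestructiveScope {
        pub fn reason(&self) -> &str { &self.reason }
    }
    impl OperatorGrant {
        /// `approved` stands in for a real human approval step (assumption).
        pub fn from_approval(approved: bool) -> Option<Self> {
            if approved { Some(OperatorGrant(())) } else { None }
        }
        /// The only constructor for DestructiveScope; requires a stated reason.
        pub fn destructive(&self, reason: &str) -> Option<DestructiveScope> {
            let reason = reason.trim();
            if reason.is_empty() { return None; }
            Some(DestructiveScope { reason: reason.to_string() })
        }
    }
}
use scope::{DestructiveScope, EditScope, OperatorGrant};

/// Callable with the default scope.
pub fn edit_file(_scope: &EditScope, path: &str) -> String {
    format!("edited {}", path)
}

/// Requires a DestructiveScope value; a call without one does not type-check.
/// Writing `DestructiveScope { reason: .. }` here is rejected: the field is private.
pub fn run_destructive(scope: &DestructiveScope, cmd: &str) -> String {
    format!("ran `{}` (grant: {})", cmd, scope.reason())
}

fn main() {
    let session = EditScope::new();
    println!("{}", edit_file(&session, "src/lib.rs"));
    let grant = OperatorGrant::from_approval(true).expect("operator approved");
    let scope = grant.destructive("drop stale staging table").expect("reason given");
    println!("{}", run_destructive(&scope, "DROP TABLE staging_tmp"));
}
```

Because `run_destructive` takes the scope by type, a missing grant is a compile error rather than a runtime check that a reviewer has to remember to look for.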

When to use it

Teams using Cline in production-adjacent repos, especially teams where Cline has access to production credentials.

Limitations

Roadmap status. Cline-internal session integration (real-time scoping decisions) is post-GA.

Install

  1. Install Securie GitHub App on the repo Cline operates on
  2. Configure Cline's auto-approve list to exclude destructive operations (drop, truncate, delete, rm -rf)
  3. Add `.cline/` to `.gitignore` and `.npmignore`
  4. Set per-session spend caps on Cline's underlying inference provider
  5. Push any Cline-committed change; Securie reviews + sandbox-verifies on the PR

Listed on

VS Code Marketplace