I'm a Developer Using AI Coding Tools

You use Claude Code, Cursor, GitHub Copilot, or similar AI coding assistants. This 5-minute workflow secures your project from credential leaks, governance gaps, and common AI agent vulnerabilities.

Time to complete: approximately 5 minutes.

Step 1: See What AI Tools Are Running

Start by discovering which AI agents and MCP servers are active on your machine. This gives you visibility into tools that have access to your code and credentials.

npx opena2a-cli detect
Shadow AI Discovery
===================

Scanning processes, configs, and network...

Found 3 AI agents:
  claude-code     v1.0.32   PID 4821   MCP: 2 servers
  cursor          v0.48.1   PID 5102   MCP: 1 server
  copilot-agent   v1.2.0    PID 3901   MCP: 0 servers

Found 3 MCP servers:
  filesystem      stdio     claude-code
  postgres-mcp    stdio     claude-code
  web-search      sse       cursor

Governance gaps:
  - No SOUL.md governance file found
  - 2 MCP servers lack signed configs
  - No credential protection detected

Step 2: Register Your Project Identity

Create a cryptographic identity for your project. This generates an Ed25519 key pair used to sign configurations and establish trust with the OpenA2A Registry.

npx opena2a-cli identity create --name my-project
Identity created:
  Name:        my-project
  Key:         Ed25519
  Fingerprint: SHA256:k8x2mP...nQ8wR
  Stored:      .opena2a/identity.json

Use 'opena2a self-register' to publish to the trust registry.

Step 3: Set Governance Rules

Generate a SOUL.md governance file that defines what AI agents can and cannot do in your project. This file is machine-readable and enforced by compatible AI tools.

npx opena2a-cli harden-soul
Soul Hardening
==============

Analyzing project structure...

Generated SOUL.md with:
  - File access boundaries (src/, tests/ only)
  - Network restrictions (no external calls without approval)
  - Credential handling rules (env vars only, no hardcoding)
  - MCP server allow-list (2 approved servers)

Written to: ./SOUL.md
Signed with: my-project (SHA256:k8x2mP...nQ8wR)

Step 4: Protect Credentials from AI Context

Secretless prevents your API keys and tokens from being exposed in AI tool contexts. It blocks file reads, redacts outputs, and enforces environment variable usage for all credentials.

npx secretless-ai init
Secretless AI initialized.

Protected files:
  .env              (3 credentials detected)
  .env.local        (1 credential detected)

Blocked patterns added to AI tool configs:
  - Claude Code:  .claude/settings.json updated
  - Cursor:       .cursor/settings.json updated

Verify: npx secretless-ai verify

Step 5: Scan for Vulnerabilities

Run HackMyAgent to check 147 security controls across credential exposure, MCP configuration, AI governance, and supply chain integrity.

npx hackmyagent secure
HackMyAgent Security Scan
=========================

Scanning 147 checks across 8 categories...

Results:
  PASS  142    WARN  3    FAIL  2

Findings:
  FAIL  CRED-007  AWS credentials in .aws/credentials readable by AI
  FAIL  MCP-012   postgres-mcp server missing input validation
  WARN  GOV-003   SOUL.md missing data-retention policy

Auto-fixable: 2 of 2 failures
Run 'npx hackmyagent secure --fix' to apply fixes.
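An added example, not code from this page or from any of the tools it names: a small Python checker that reproduces the two credential-related checks Steps 4 and 5 describe, counting credential-looking entries in a dotenv file and listing credential files that no read deny rule in an AI tool's settings covers (the gap behind the CRED-007 finding above). The settings layout, the `Read(<glob>)` rule syntax and all sample values are assumptions constructed for the example.

```python
import re
from fnmatch import fnmatch

# Constructed sample .env content; none of these values are real secrets.
SAMPLE_ENV = """\
DATABASE_URL=postgres://app:hunter2@db.internal:5432/app
AWS_SECRET_ACCESS_KEY=EXAMPLE-NOT-A-REAL-SECRET
OPENAI_API_KEY=sk-example-not-a-real-key
LOG_LEVEL=debug
"""

# Credential files named in Steps 4 and 5 of the workflow.
CREDENTIAL_FILES = [".env", ".env.local", ".aws/credentials"]

# Constructed tool settings. The "permissions"/"deny" layout and the
# Read(<glob>) rule syntax are assumptions for this example only.
SAMPLE_TOOL_CONFIG = {"permissions": {"deny": ["Read(./.env)", "Read(./.env.*)"]}}

# Heuristics: a variable name that suggests a credential, or a user:pass@ pair
# embedded in a connection URL.
CRED_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|CREDENTIAL", re.I)
CRED_VALUE = re.compile(r"://[^/\s]+:[^@\s]+@")
READ_RULE = re.compile(r"^Read\((.+)\)$")


def count_credentials(env_text: str) -> int:
    """Count dotenv lines that appear to carry a credential."""
    found = 0
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if value and (CRED_NAME.search(key) or CRED_VALUE.search(value)):
            found += 1
    return found


def unprotected_files(config: dict, credential_files: list) -> list:
    """Return credential files that no Read(<glob>) deny rule matches."""
    globs = []
    for rule in config.get("permissions", {}).get("deny", []):
        match = READ_RULE.match(rule)
        if match:
            pattern = match.group(1)
            globs.append(pattern[2:] if pattern.startswith("./") else pattern)
    return [f for f in credential_files if not any(fnmatch(f, g) for g in globs)]


if __name__ == "__main__":
    print("credentials in sample .env:", count_credentials(SAMPLE_ENV))
    print("unprotected:", unprotected_files(SAMPLE_TOOL_CONFIG, CREDENTIAL_FILES))
```

Run against the constructed inputs it reports 3 credentials in the sample `.env` and flags `.aws/credentials` as unprotected, mirroring the Step 4 and Step 5 output.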

What You Now Have

  • Full visibility into AI agents and MCP servers in your environment
  • A cryptographic project identity linked to the OpenA2A trust registry
  • Machine-readable governance rules in SOUL.md
  • Credential protection that blocks AI tools from reading secrets
  • A vulnerability scan baseline with actionable fix recommendations

Next Steps