\n
\nStop AI Coding Drift before it becomes production technical debt. PreFlight is a local-first safety gate for AI-generated code, built to catch unsafe auth, RLS, SQL, SSRF, command execution, dependency, and secret-handling changes before they get committed.
\nWebsite: https:\/\/preflight-vibe.vercel.app
\nChoose Your Remediation Depth
\nPreFlight runs in two distinct tiers depending on what your codebase needs.
\nFree Tier: PreFlight Guardian<\/p>\n
What it does: Unlimited local scanning plus 10 free patch applications across local deterministic fixes and proxy-backed AI fixes.
\nSetup: Zero config for scanning. A Pro key is only required after the 10 free patches are used.
\nCommands:<\/p>\n
npm install -g preflight-pro
\npreflight init
\npreflight scan . –fix
\nInstalling preflight-pro exposes the universal preflight command in your shell.<\/p>\n
What it does: Unlimited scans and unlimited fixes, including deep reasoning remediation for complex multi-file architectural flaws, tenant isolation logic, and parametric SQL injections.
\nSetup: Requires an active PREFLIGHT_PRO_KEY or a saved key from preflight auth.
\nPowerShell:<\/p>\n
$env:PREFLIGHT_PRO_KEY=”PREFLIGHT-BETA-XXXXX”
\npreflight scan . –fix<\/p>\n
export PREFLIGHT_PRO_KEY=”PREFLIGHT-BETA-XXXXX”
\npreflight scan . –fix<\/p>\n
PreFlight supports both a terminal-first workflow and an IDE-first workflow. Both paths end with preflight init, because that wizard connects your editor, MCP clients, and Pro\/Beta key in one place.<\/p>\n
npm install -g preflight-pro
\npreflight init
\nThen scan any project from its root:<\/p>\n
Install the global CLI command. The VSIX gives you the in-editor UI, but the extension still uses the global preflight command to start The Eye daemon and run fixes.<\/p>\n
npm install -g preflight-pro<\/p>\n
Download and install the PreFlight Companion VSIX extension:<\/p>\n
Run the setup wizard once:<\/p>\n
Open your project in the IDE. The extension starts The Eye automatically, watches file saves, and surfaces PreFlight alerts in-editor.<\/p>\n
The Eye: The VS Code\/Cursor extension starts PreFlight’s local daemon automatically. It watches file saves and raises in-editor alerts when AI-generated code introduces a hard-block issue.
\nMCP bridge: preflight init can also wire preflight mcp into supported AI editors so agents can call PreFlight tools without leaving the coding flow.<\/p>\n
Free users get unlimited scans and 10 total patches across local fixes and proxy-backed AI fixes. After the 10 free patches are used, unlimited fixes require a Pro\/Beta key.
\nYou can add your key during preflight init, or activate it directly:
\npreflight auth PREFLIGHT-BETA-XXXXX
\nFor one terminal session, you can also set it manually:
\n$env:PREFLIGHT_PRO_KEY=”PREFLIGHT-BETA-XXXXX”
\nexport PREFLIGHT_PRO_KEY=”PREFLIGHT-BETA-XXXXX”<\/p>\n
Free Tier: Unlimited scans, 10 Free Patches (Local + Deep-Reasoning AI).
\nSolo Pro: $19\/mo for unlimited scans and fixes.
\nTeams: $49\/seat\/mo for team rollout, shared onboarding, and unlimited scans and fixes.<\/p>\n
PreFlight is now powered by deeper local analysis primitives:<\/p>\n
Micro-Fuzzer: Generates focused security payloads for risky data-flow paths, such as SQL injection, command injection, auth bypass, SSRF, and path traversal.
\nQuantized CPG (Code Property Graph): Builds a compact in-memory graph of syntax, control flow, and data flow so PreFlight can trace untrusted input into dangerous sinks instead of relying on brittle string matching.
\nThe Eye daemon: Runs locally through the CLI\/extension workflow and watches file saves so issues appear while the AI coding session is still active.<\/p>\n
Tri-State Risk Score Engine
\nThis is the core PreFlight signal. Every scan resolves into one of three clear outcomes so you know whether to stop, review, or ship.<\/p>\n
Score
\nMeaning
\nWhat It Catches<\/p>\n
\ud83d\udd34 Hard Block
\nStop immediately. This change is unsafe to ship.
\nExposed frontend secrets, leaking database service roles, command execution, SQL injection, or missing Supabase Row Level Security (RLS).<\/p>\n
\ud83d\udfe1 High-Risk Drift
\nReview carefully. The code may be structurally wrong even if it runs.
\nStructural state inconsistencies, un-idempotent webhooks, weak validation, or open CORS contexts.<\/p>\n
\ud83d\udfe2 Pass
\nSafe to continue. No blocking structural risk was detected.
\nStandard local edits matching your expected stack rules.<\/p>\n
PreFlight runs fixes in a strict sequence:<\/p>\n
Phase 1: Offline Local AST Sweep
\nPreFlight completes an ultra-fast offline structural pass first and applies any deterministic local fixes it can resolve safely.
\nPhase 2: PreFlight Pro Deep Reasoning Handoff
\nRemaining SQL, fuzzer, and complex architectural flaws are handed off through the secure proxy-backed reasoning path when a patch requires deeper context.<\/p>\n
The first 10 patch applications are free across both phases. After that, a PREFLIGHT_PRO_KEY is required.<\/p>\n
PreFlight can run directly in the terminal, through the VS Code\/Cursor extension, or as an MCP server for AI-native editors.
\nStart the MCP server locally:<\/p>\n
Available MCP tools include:<\/p>\n
scan_project
\npreflight_fix
\naudit_dependencies<\/p>\n
scan_project remains free and unlimited. preflight_fix shares the global 10-patch free allowance before a PREFLIGHT_PRO_KEY is required.
\nPost-Fix Verification Loop
\nPreFlight is designed to be used as a closed loop, not a one-shot scanner:<\/p>\n
Generate or modify code with your AI coding assistant.
\nRun preflight scan . to classify the change under the Tri-State Risk Score.
\nIf PreFlight returns Hard Block, stop and repair the structural issue before moving forward.
\nIf PreFlight returns High-Risk Drift, run preflight scan . –fix and inspect every proposed fix before applying it.
\nRe-run preflight scan . after each accepted fix to confirm the repository settles into Pass.
\nShip only after the final verification pass is green and the structural receipt matches the architecture boundary you intended.<\/p>\n