Mault
Ship fast. Without the chaos. End-to-end governance for AI-assisted development — works out of the box, no configuration required.
3-Panel Custom Pane:
- Agent Workflows — orchestrate AI agents with 7 specialized roles, worktree isolation, and runtime enforcement
- Production Readiness — 9-step journey from "runs locally" to production-ready
- Findings — optional technical debt detection across your codebase (add
docs/mault.yamlto activate)
Physics, not policy. Hooks that block, not prompts that suggest.
Requires VS Code + Claude Code for multi-agent workflows. Detectors and Production Readiness Kit work with any AI assistant.
The Problem
You can ship a fleet of AI agents at your codebase. But without guardrails, they collide (two agents edit the same file, one overwrites the other), drift (agents ignore architectural conventions the moment context expires), and escalate (an agent merges its own PR, ships untested code, and moves on).
The fix isn't better prompts. Agents ignore documentation. The fix is enforcement at the tool level: hooks that block file writes outside declared zones, gates that prevent merging without CI, and budgets that cap how much any single agent can change.
Installation
1. Install Mault from the VS Code Marketplace
2. Open a workspace — Mault activates automatically. All three panels are available immediately. No configuration required.
3. Choose your path:
- Multi-Agent Workflows — click "Turn On" in the Agent Workflows panel. Hooks deploy automatically. Click a role to start.
- Production Readiness — run
Mault: Open Production Readiness Kit (Pro)for the 9-step journey - Technical Debt Detection — add
docs/mault.yaml(version: 1) to activate detectors in the Findings panel
Requirements
| VS Code | 1.96 or later |
| Workspace | Must be trusted for full functionality |
| Claude Code | Required for multi-agent workflows and runtime hooks |
| docs/mault.yaml | Required only for technical debt detection |
| Account | A Mault account is created automatically on first use |
Technical Debt Detection Core + Pro
Real-time architectural detectors that surface violations in the VS Code Problems panel. Each finding includes a context-rich AI prompt you can copy into any assistant. Detectors work with any AI coding assistant.
Detectors are polyglot by default (file/folder pattern matching). Advanced detectors use import analysis (JS/TS) or AST analysis (JS/TS, Python) for deeper inspection.
What it catches
| Detector | What It Catches |
|---|---|
| Directory Reinforcement | Files placed in wrong directories |
| Legacy Path Prevention | Deprecated libraries or APIs still in use |
| Convention Reinforcement | Inconsistent naming (camelCase vs snake_case in same folder) |
| Environment Reinforcement | OS-specific paths that break cross-platform |
| Flat Architecture | Too many files in source root without layers |
| Configuration Chaos | Missing or misplaced config files |
| File Proliferation | Versioned duplicates (_v1, _backup, _old) |
| Overcrowded Folders | Directories with too many files |
| Temporary Files | Scratch/temp files cluttering workspace |
| Scattered Utilities | Utility files not centralized |
| Monolith Detection | Files/functions exceeding LOC thresholds |
| Test Pyramid Enforcement | Source files without tests in correct layer |
| Dependency Health Pro | Vulnerable or outdated npm packages |
| Structural Governance Pro | AST-based pattern enforcement |
14 detectors across 3 levels: Gentle (3 detectors), Balanced (10 detectors), or Full (14 detectors).
Enforcement Levels
Mault escalates enforcement from gentle nudges to hard blocks. Choose your level: Gentle (3 detectors), Balanced (10 detectors), or Full (all detectors).
| Level | Behavior |
|---|---|
| warn | Surfaces in the Problems Panel. Agent can continue. |
| error | Blocks the save. Must resolve before proceeding. |
| CI block | Code is written but the PR cannot merge until gates pass. |
| hook deny | Intercepted before the file is written. Agent cannot proceed. |
Ratchets ensure quality only improves. Existing issues are grandfathered, new issues are blocked.
Runtime Enforcement — 47 Hooks
47 governance hooks run automatically during managed agent sessions. They are the "physics" layer — agents cannot bypass them, ignore them, or reason their way around them. All hooks fail-open outside managed sessions.
| Hook | Trigger | What It Enforces |
|---|---|---|
| Agent Bootstrap | SessionStart | Injects task boundaries, fix-first warnings, preauth claim flow |
| Zone Boundary | PreToolUse | Blocks file writes outside declared zone |
| Budget Gate | PostToolUse | Warns at 80%, blocks at 100% of file/LOC budget |
| Role Permission | PreToolUse | Workers can't merge, orchestrators can't push, planners can't write code |
| Receipt Gate | Stop | Blocks session end without structured completion receipt |
| Review Merge Gate | PreToolUse | Blocks merge without bot-triage-complete and CI green |
| Sprint Gates | PreToolUse | Capacity, scope, label, activation, and completion enforcement |
| Step Complete Gate | PreToolUse | Per-role completion validation |
| Worktree Guards | SessionStart | CWD ownership, occupancy check, cleanup on exit |
| CrossWorkstation | PreToolUse | Prevents agents on different machines from merging each other's PRs |
Core vs Pro Hooks
| Feature | Core (Free) | Pro |
|---|---|---|
| Implementation | 3 bash one-liners | 5 Node.js scripts with layer awareness |
| Test Gate | Blocks edits if no test file exists | Routes to correct pyramid layer |
| Size Gate | Blocks files over 600 LOC | Warn at 300, fail at 600, functions over 75 LOC, files over 20KB |
| Stop Gate | Runs test suite at session end | Parses transcript, verifies every modified file has correct test type |
| Session Context | — | Injects full testing pyramid convention table |
| Hard-Coded Values | — | Scans for hard-coded URLs, IPs, ports, semver |
Works with any AI assistant. Claude Code gets hook enforcement. Cursor, Copilot, Windsurf, and ChatGPT get equivalent enforcement through the Problems Panel via Monolith Detection and Missing Test Detection.
The Monolith Detection and Missing Test Detection detectors provide equivalent enforcement through the Problems Panel, ensuring that testing rules Mault helps you write (Steps 5 and 9) are enforced regardless of which AI coding assistant you use.
Multi-Agent Flows Pro
Guided multi-agent workflows with role separation, worktree isolation, and automatic task scheduling. Each role has minimum-permission allowlists enforced by Claude Code's hooks system — agents can only do what their role permits.
Tested for TypeScript/JavaScript and Python. Requires VS Code + Claude Code with bypass permissions enabled.
Who this is for
Developers who want AI to do the heavy lifting but don't trust fully autonomous flows. Teams that require code reviews before anything hits main. Non-technical founders who need guided testing and verification. Solo developers who want to ship faster without sacrificing quality.
The 7-Role Handoff Chain
PLANNER ──► ORCHESTRATOR ──► WORKER(s) ──► REVIEW ──► TESTER ──► COMPLIANCE SUPERVISOR — Escape hatch. Unrestricted access for blocked workflows (mault-escalation).
Click a role in the Mault Panel. Settings are written, a Claude Code tab opens with the prompt auto-submitted. Zero friction — no manual config, no copy-pasting prompts.
| Role | What It Does | Cannot Do |
|---|---|---|
| Planner | Builds a plan with you — you approve every decision | Write code, create issues, modify files outside .mault/ |
| Orchestrator | Creates atomic GitHub issues with zones, budgets, and dependency ordering | Write code, create PRs, push branches |
| Worker | Picks up issues, writes code via TDD, creates PRs labeled mault-ready | Merge PRs, push to main, exceed zone/budget |
| Review Agent | Merges PRs when all CI passes, routes failures back to Worker | Create PRs, write code |
| Tester | Runs tests, generates manual test plans, verifies merged work | Modify source code, install packages |
| Compliance | Audits the completed cycle for policy adherence and retention | Modify code or merge PRs |
| Supervisor | Escalation handler — unrestricted access for blocked workflows | N/A (escape hatch) |
The Full Flow
Click "Step 1: Planner" in Mault Panel
│
▼
PLANNER ── builds plan with you ── writes .mault/plan.md
│ 🔔 Chime → "Next: Step 2 Orchestrator"
▼
ORCHESTRATOR ── creates GitHub issues from plan
│ 🔔 Chime → "Next: Step 3 Worker"
▼
WORKER ── picks up issues, writes code, creates PRs
│ 🔔 Chime → "Next: Step 4 Review Agent"
▼
REVIEW AGENT ── merges PRs when CI is green
│
├── Open tasks remain? → "Go back to Step 3: Worker"
└── All done? → "Next: Step 5 Tester"
│
▼
TESTER ── runs tests, verifies everything works
│
├── Tests pass? → COMPLIANCE ── audits the cycle → 🎉 Done!
└── Tests fail? → Loop: Worker → Review → Tester
Completion Chime
Switch focus while agents work on 10-20 minute tasks. When a step completes, you hear a system beep and see a VS Code notification with which role just finished, a brief summary of what was accomplished, and which step to click next. Works on Windows (PowerShell), macOS (osascript), and Linux (paplay/spd-say). Disable with mault.sound.enabled in VS Code settings.
Completion Chime
Switch focus while agents work on 10-20 minute tasks. When a step completes, you hear a system beep and see a VS Code notification with which role just finished, a brief summary of what was accomplished, and which step to click next. Works on Windows (PowerShell), macOS (osascript), and Linux (paplay/spd-say). Disable with mault.sound.enabled in VS Code settings.
Fully-Autonomous Mode — Coming Soon
Same roles, same isolation, same enforcement. Agents hand off automatically without human clicks — including chain staleness detection (15-min timeout), failure notifications, and supervisor escalation. Semi-autonomous (click-to-advance) is production-ready today.
Agent Isolation
Five layers prevent agent collision:
| Layer | Mechanism | What It Prevents |
|---|---|---|
| Atomic Tasking | One issue = one branch = one PR | Scope creep, tangled changes |
| Worktree Sharding | Each worker gets its own git worktree | File-level collisions between agents |
| PID Identity | .mault/sessions/{pid}.json per agent | State corruption between concurrent sessions |
| Preauth Sessions | Sessions created before tabs open | Race conditions during agent startup |
| Pull-Based Queue | Workers self-select from shared issue pool | Static assignment bottlenecks |
The orchestrator assigns sequence numbers for dependency ordering. Workers scan seq-0 first, then seq-1 when all seq-0 tasks close, and so on.
Worktree Sharding
MAIN WORKSPACE WORKTREE SLOTS
┌─────────────────┐
│ main branch │ ┌──────────────────────────────┐
│ .mault/ │ │ ../mault-worker-a/ │
│ .claude/ │ │ feat/101-sprint-state │
│ │ │ (Worker 1's branch) │
│ NOT for coding │ └──────────────────────────────┘
│ Orchestrator & │ ┌──────────────────────────────┐
│ Review Agent │ │ ../mault-worker-b/ │
│ work here │ │ feat/102-toggle-ux │
└─────────────────┘ │ (Worker 2's branch) │
└──────────────────────────────┘
Workers CANNOT interfere. Each has its own git working tree.
Worker and review tabs automatically route to their worktree CWD.
Pull-Queue Model (Self-Balancing)
No static task assignment. Workers pull from a shared issue pool on GitHub, gated by dependency ordering:
SHARED ISSUE POOL (GitHub)
seq-0: #101 [open] #102 [open] ← Workers pick these first
seq-1: #103 [open] ← Blocked until all seq-0 close
seq-2: #104 [open] ← Blocked until all seq-1 close
│ │
WORKER A WORKER B
pulls #101 pulls #102
FINISHES → FINISHES →
pulls #105 pulls #103
SELF-BALANCING: Fastest worker gets next task. No static assignment.
Race conditions are handled by post-claim verification.
Production Readiness Kit Pro
A structured 9-step journey that takes your project from "runs locally" to production-ready. AI reads the spec and generates language-specific scripts for your stack.
Production Readiness Levels
| Level | Name | What It Means |
|---|---|---|
| 0 | Runs locally | Just code — works on your machine |
| 1 | Reproducible | Someone else can run it |
| 2 | Portable | Runs in a container |
| 3 | Deployed | Runs in the cloud |
| 4 | Reliable | Stays running (health checks, logging, rollback) |
The 9 Steps
| Step | Category | What It Creates |
|---|---|---|
| 1 | Infrastructure | Git repository, .gitignore, branch conventions |
| 2 | Infrastructure | .env.example, secrets management |
| 3 | Infrastructure | Dockerfile, docker-compose.yml |
| 4 | Infrastructure | CI/CD pipeline (GitHub Actions) |
| 5 | Testing | TDD framework (Jest/pytest/go test/JUnit) |
| 6 | Hooks | Pre-commit hooks (up to 9 layers) |
| 7 | Enforcement | Mault polyglot detectors + drift detection |
| 8 | Governance | AI-generated governance scripts + baselines |
| 9 | Testing Rules | AI coder testing rules |
Steps 1-3 and Step 9 are available free in Core. Steps 4-8 require Pro.
Language support: Fully tested with TypeScript/JavaScript and Python. Pro step templates available for Go, Rust, Java, .NET, C++, Swift, and Julia.
Getting Started
- Purchase Pro via the extension or mault.ai/billing
- Run command
Mault: Open Production Readiness Kit (Pro) - Copy the setup prompt into your AI coding assistant (Claude Code, Cursor, Copilot, ChatGPT)
- Watch progress in the Problems Panel (
Ctrl+Shift+M) — each step clears as it completes - Use Quick Fix actions (lightbulb /
Ctrl+.) on each step for AI-ready prompts
For Existing Projects
Same setup process, but AI detects what already exists. Has Git? Skip Step 1. Has Dockerfile? Skip Step 3. Has pre-commit? Skip Step 6. The Rising Tide model grandfathers existing issues while blocking new ones — you're never flooded with historical violations.
Philosophy Guides (14 included)
Battle-tested guides that explain the reasoning behind enforcement. AI coders read these and generate language-specific governance scripts:
Rising Tide — tests must exceed 2x source size. Mock tax triggers conversion to integration tests. Iron Dome — type-safety holes (any, type: ignore) can only decrease, never increase. TDD — red-green-refactor with Pure Core pattern for testable business logic. Ratchet Strategy — count violations, set baseline, block increases. Quality only improves.
Governance Gate CI Pro
A GitHub Actions workflow that enforces Mault governance rules in CI. It runs automatically on pull requests and blocks merges that introduce architectural violations.
Detects your project's language stack (9 stacks supported), runs Mault detectors as CI checks, blocks PRs that introduce new violations (rising-tide model), and integrates with branch protection rules. Configured automatically during Step 8 of the Production Readiness Kit.
Commands
All available via the Command Palette (Ctrl+Shift+P / Cmd+Shift+P).
| Command | Description |
|---|---|
Mault: Initialize | Initialize Mault in the workspace |
Mault: Set Detection Level | Choose Gentle (1), Balanced (2), or Full (3) |
Mault: Copy Prompt to Fix | Copy AI-ready prompt for selected finding |
Mault: Refresh Mault Panel | Re-run all detectors and refresh findings |
Mault: Open Production Readiness Kit (Pro) | Open the 9-step production-ready journey |
Mault: Create Test File (Testing Pyramid) | Create test file with correct layer routing |
Mault: Generate Architecture Diagram (Pro) | Visualize dependency graph |
Mault: Analyze dependency health | Check for vulnerable packages |
Mault: Audit Configuration | Validate mault.yaml |
Mault: Open AI Coder Guide | Setup guide for AI assistants |
Pricing
| Tier | Price | Includes |
|---|---|---|
| Core | Free forever | Architectural detectors, AI prompts, quick fixes, basic runtime hooks |
| Pro | $99 + $7.99/mo | All Core + Multi-Agent Flows, Production Readiness Kit, advanced hooks, Governance Gate CI |
| Enterprise | Custom | All Pro + custom governance rules, org-wide enforcement, dedicated support. Talk to us. |
- $99 one-time activation unlocks Pro features
- 30-day grace period included
- $7.99/month subscription required after grace period
- If subscription lapses, you return to Core Free — no lock-in
Data & Privacy
Mault performs core governance and integrity analysis locally within VS Code.
What connects to the internet
Authentication: Email/OAuth for account creation. Payments: Processed securely via Stripe (Mault never stores card details). Entitlement checks: Subscription validation. Error reporting: Crash diagnostics, no code content. Usage analytics: Feature metrics, opt-out via mault.usage.enabled.
AI-powered features (optional, user-invoked only)
Code snippets may be processed to generate semantic embeddings. Embeddings are stored for search functionality. Raw code is not stored. Embeddings cannot reconstruct source code.
What Mault does not do
No user code is stored on external servers. No data is used for AI model training. No payment card details are stored by Mault.
Important Disclosures
Backend Connection: This extension connects to Mault's backend service for authentication and Pro license management. Account Required: A Mault account is created automatically on first use. Mault Core: Technical debt detection (with rulebook) and basic runtime hooks are free forever. Multi-agent enforcement and Production Readiness Kit require Pro. Mault Pro: $99 activation + $7.99/month for Production Readiness Kit, advanced hooks, and multi-agent enforcement.
For full details, see our Privacy Policy and Terms of Service.