CreoWis Technologies © 2026
Crafted with passion by CreoWis
DevPilot: The AI That Codes AND Protects Your Production
DevPilot: The AI That Codes AND Protects Your Production Crafting an Intelligent AI Developer: From Concept to Deployment
Parthib Sarkar January 29, 2026 · 16 min read
🎯 The Problem: The Developer's Nightmare Trilogy
Act 1: The Feature Request From Hell
It's Monday morning. Your PM drops a 47-point issue in your lap:
"Add JWT authentication with OAuth2, password reset via email, rate limiting, and oh yeah, we need it by Friday."
You stare at your screen. Your coffee goes cold. You think:
"This will take 2 weeks. I have 4 days. I'm doomed."
Act 2: The Midnight Merge
It's 2 AM Friday. You've been coding for 18 hours straight. Your eyes are bloodshot. You type git push and...
BOOM. 💥
Production is down. Users are angry. Your phone is exploding. And you're sitting there thinking:
"Wait... did I just push that console.log('TODO: remove this') to production?"
Act 3: The Code Review Bottleneck
You submit your PR. It sits there. For 3 days. When someone finally reviews it:
"LGTM 👍"
(Translation: "I skimmed it, found nothing obvious, hope it works")
Then it breaks production anyway. 🤦
💡 The Solution: DevPilot - Your AI Developer + Guardian Angel
What if you had an AI that:
Writes the code FOR you (the boring stuff)
Analyzes EVERY change (the risky stuff)
Catches bugs BEFORE production (the nightmare stuff)
Never sleeps, never complains (the dream stuff)
That's
DevPilot.
Issue → AI Planning → Code Generation → Risk Analysis → Pull Request
DevPilot is TWO superpowers in one :
🎨 Interactive Plan & Build - AI writes your code
🛡️ AI-Powered Git Diff Analysis - AI protects your production
🎨 Feature 1: Interactive Plan & Build
The Problem It Solves
Spend 2 weeks implementing a feature
Write bugs along the way
Waste time on boilerplate code
Hope it works in production
Give AI the issue
Review the plan (30 seconds)
AI writes the code (2 minutes)
Get a PR with working code
How It Works
Step 1: Give DevPilot an Issue or write the issue in simple language
Step 2: Enter the URL of the repo
Step 3: AI Generates a Plan DevPilot analyzes your codebase and creates a detailed plan:
Step 4: You Review & Approve You see EXACTLY what DevPilot will do. No surprises. No "I didn't ask for this" code.
Click "Execute Implementation Plan" when ready.
Step 5: AI Writes the Code
Step 5: Get Your PR
Real Example: Authentication Feature
"Add JWT-based authentication with:
- Login endpoint (/api/auth/login)
- Token validation middleware
- Password hashing with bcrypt
- Refresh token support"
Output (2 minutes later):
import jwt
from datetime import datetime, timedelta
from passlib.hash import bcrypt
class JWTAuth :def __init__ (self, secret_key: str ):def generate_token (self, user_id: str ) -> str:'user_id' : user_id,
'exp' : datetime.utcnow() + timedelta(hours=24 )
}
return jwt.encode(payload, self.secret_key, algorithm='HS256' )
def validate_token (self, token: str ) -> dict:try :
return jwt.decode(token, self.secret_key, algorithms=['HS256' ])
except jwt.ExpiredSignatureError:
raise AuthError("Token expired" )
except jwt.InvalidTokenError:
raise AuthError("Invalid token" )
def hash_password (self, password: str ) -> str:return bcrypt.hash(password)
def verify_password (self, password: str, hashed: str ) -> bool:return bcrypt.verify(password, hashed)
Login endpoint implementation
Middleware for token validation
Unit tests (100% coverage)
Error handling
Documentation
Time saved: ~10 hours of coding
🛡️ Feature 2: AI-Powered Git Diff Analysis
The Problem It Solves
How It Works:
Step 1: Make Changes
Step 2: Run Analysis
Step 3: AI Analyzes Everything
Grabs your git diff (only what changed)
Runs static analysis (AST parsing, dependency graph)
Feeds to Gemini 2.5 Flash for deep analysis
Detects risks across 5 categories
Step 4: Get Risk Report
✅ AI-Powered Risk Analysis
Risk Score: 3.5/10 (MEDIUM)
Files Checked: 5
Total Risks: 2
🟡 MEDIUM Risk - Security Improvement
File: backend/db/queries.py
Line: 42
Description: Fixed SQL injection vulnerability
Impact: Prevents database compromise
Recommendation: Good fix! Consider adding input validation too.
🟢 LOW Risk - Code Quality
File: backend/db/queries.py
Line: 45
Description: Added error handling for database queries
Impact: Improves reliability
Recommendation: Add logging for failed queries
Recommendations:
- Changes look safe to merge
- Add unit tests for the new query logic
- Consider adding rate limiting to this endpoint
What DevPilot Detects
1. 🔴 Breaking Changes
- function getUserById(id) {
+ function getUserById(id, includeDeleted = false) {
⚠️ CRITICAL : Function signature changed. 47 files call this function. This will break production.
Fix : Add default parameter or create a new function.
2. 🔴 Security Vulnerabilities
- const password = req.body.password;
- const user = await User.create({ password });
+ const hashedPassword = await bcrypt.hash(req.body.password, 10);
+ const user = await User.create({ password: hashedPassword });
✅ GOOD : Fixed password storage vulnerability. Passwords are now hashed.
3. 🟡 Logic Bugs
- if (user.age > 18) {
+ if (user.age >= 18) {
🟡 MEDIUM : Edge case fix. 18-year-olds are now correctly allowed.
for (const user of users) {
- const posts = await db.query('SELECT * FROM posts WHERE user_id = ?', [user.id]);
+ // Moved to single query outside loop
}
+ const posts = await db.query('SELECT * FROM posts WHERE user_id IN (?)', [userIds]);
✅ EXCELLENT : Fixed N+1 query problem. Performance improved by 95%.
5. 🟢 Code Smells
- function doEverything(data) {
- // 500 lines of code
- }
+ function validateData(data) { ... }
+ function processData(data) { ... }
+ function saveData(data) { ... }
✅ GOOD : Refactored god function into smaller, testable units.
Smart Risk Scoring DevPilot gives you a risk score (0-10):
Score Level Meaning Action 0-3 LOW Safe to merge Ship it! 4-6 MEDIUM Review carefully Check recommendations 7-8 HIGH Risky changes Fix issues first 9-10 CRITICAL DO NOT MERGE Stop everything
🔧 Implementation Details: The Nerdy Stuff
Architecture: How It All Works
┌─────────────────────────────────────────────────────────┐
│ VS Code Extension │
│ ┌────────────────────┐ ┌──────────────────────────┐ │
│ │ Interactive Build │ │ Git Diff Analyzer │ │
│ │ Command │ │ Command │ │
│ └─────────┬──────────┘ └───────────┬──────────────┘ │
└────────────┼─────────────────────────┼──────────────────┘
│ │
│ HTTP/REST API │
│ │
┌────────────▼─────────────────────────▼──────────────────┐
│ FastAPI Backend │
│ ┌──────────────────────────────────────────────────┐ │
│ │ Unified DevPilot Service │ │
│ │ ┌────────────────┐ ┌──────────────────────┐ │ │
│ │ │ Plan Generator │ │ Code Generator │ │ │
│ │ └────────────────┘ └──────────────────────┘ │ │
│ └──────────────────────────────────────────────────┘ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ AI Risk Analyzer │ │
│ │ ┌────────────────┐ ┌──────────────────────┐ │ │
│ │ │ Diff Parser │ │ AI Analysis │ │ │
│ │ └────────────────┘ └──────────────────────┘ │ │
│ └──────────────────────────────────────────────────┘ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ AI Engine (Gemini 2.5 Flash) │ │
│ └──────────────────────────────────────────────────┘ │
│ ┌──────────────┐ ┌──────────────┐ ┌─────────────┐ │
│ │Git Automation│ │Static Analysis│ │Risk Scoring │ │
│ └──────────────┘ └──────────────┘ └─────────────┘ │
└──────────────────────────────────────────────────────────┘
Tech Stack
Python 3.12 + FastAPI - Lightning-fast API
Google Gemini 2.5 Flash - State-of-the-art AI
AST Parsing - Deep code analysis
GitPython - Git operations
Pydantic - Data validation
TypeScript - Type-safe extension code
VS Code API - Native IDE integration
WebView UI - Beautiful result panels
Axios - HTTP client
Key Components
1. Unified DevPilot Service The brain of the operation:
class UnifiedDevPilotService :"""
Orchestrates the entire workflow:
Issue → Plan → Code → Risk Analysis → PR
"""
async def generate_plan_only (self, request: PlanRequest ):await self._parse_issue(request)
repo = self.repo_manager.clone_repo(request.repo_url)
repo_context = self._analyze_repository(repo)
plan = await self._generate_plan(issue_info, repo_context)
return plan
async def execute_approved_plan (self, request: ExecuteRequest ):await self._generate_code(request.plan)
self.repo_manager.create_branch(request.branch_name)
self.repo_manager.apply_changes(code_changes)
self.repo_manager.commit_and_push()
pr = await self.pr_creator.create_pr()
return pr
2. AI Risk Analyzer
class AIRiskAnalyzer :"""
Analyzes git diffs for production risks using AI.
"""
async def analyze_diff (self, diff_text: str ) -> AIAnalysisResult:'changed_files' : self._extract_files(diff_text),
'function_changes' : self._detect_function_changes(diff_text),
'breaking_changes' : self._detect_breaking_changes(diff_text)
}
prompt = self._create_risk_detection_prompt(context)
response = await llm_client.generate(
prompt=prompt,
json_mode=True ,
temperature=0.2
)
risks = self._parse_llm_response(response)
return AIAnalysisResult(
summary=risks['summary' ],
risk_score=risks['risk_score' ],
risks=risks['risks' ],
recommendations=risks['recommendations' ]
)
3. Smart Prompt Engineering We don't just throw code at the AI. We give it context :
prompt = f"""
You are a senior software engineer reviewing code for production deployment.
REPOSITORY CONTEXT:
- Language: {repo_language}
- Framework: {framework}
- Total files: {file_count}
CHANGES SUMMARY:
- {len(changed_files)} files modified
- {len(function_changes)} functions changed
- Breaking changes detected: {has_breaking_changes}
GIT DIFF:
{diff_text}
ANALYZE FOR:
1. Breaking Changes - API signature changes, removed functions
2. Security Vulnerabilities - SQL injection, XSS, auth bypasses
3. Logic Bugs - Edge cases, race conditions, null pointers
4. Performance Issues - N+1 queries, memory leaks, infinite loops
5. Code Quality - Complexity, maintainability, test coverage
RETURN JSON:
{{
"summary": "Brief overview of changes",
"risk_score": 0-10,
"risks": [
{{
"severity": "CRITICAL|HIGH|MEDIUM|LOW",
"type": "breaking_change|security|logic_bug|performance|code_smell",
"file": "path/to/file.py",
"line": 42,
"description": "What's wrong",
"impact": "What could happen",
"suggestion": "How to fix it",
"confidence": 0.0-1.0
}}
],
"recommendations": ["Action items"]
}}
"""
The Secret Sauce: Why It Works 1. Diff-Only Analysis = Speed
2. AI + Static Analysis = Accuracy
3. Structured Output = Actionable
{
"severity" : "CRITICAL" ,
"description" : "SQL injection vulnerability" ,
"suggestion" : "Use parameterized queries"
}
Not just "there's a problem" - here's how to fix it .
📈 Impact: The Results
Before DevPilot:
Time to implement: 2 weeks
Bugs introduced: 5-10 per feature
Stress level: HIGH
Cost: $10,000 (developer time)
After DevPilot:
Time to implement: 2 minutes (AI) + 30 min (review)
Bugs introduced: 1-2 per feature (80% reduction!)
Stress level: LOW
Cost: $500 (review time only)
🚀 Future Scope: What's Next?
Phase 1: Enhanced Analysis (Q1 2026)
Visualize how changes ripple through your codebase
See which files/functions are affected
Predict downstream breakages
Define your own risk patterns
Team-specific security rules
Industry compliance checks
Phase 2: Team Features (Q2 2026)
See team-wide risk metrics
Track deployment safety over time
Identify training opportunities
🏆 "Bug Squasher" - Fixed 100 bugs
🛡️ "Security Guardian" - Prevented 10 vulnerabilities
⚡ "Speed Demon" - Shipped 50 features with AI
Phase 3: Advanced AI (Q3 2026)
Combine Gemini, Claude, and GPT-4
Ensemble voting for higher accuracy
Specialized models for different languages
"This change will likely cause issues in module X"
Predict future bugs before they happen
Suggest preventive refactoring
Phase 4: Integration Heaven (Q4 2026)
Auto-comment on PRs with risk analysis
Block merges above risk threshold
Auto-approve low-risk changes
Get risk alerts in Slack
Daily risk summaries
Team notifications
Weekly risk summaries
Monthly team metrics
Executive dashboards
The Big Vision: AI-Powered Development
AI reviews every commit in real-time
Security vulnerabilities are extinct
Deployment is stress-free
Developers sleep peacefully
Code quality is consistently high
Development costs drop 80%
That's the future we're building.
🎓 Lessons Learned
What Worked
Two-Phase Workflow - Plan first, execute second
Diff-Only Analysis - Speed matters
Structured AI Prompts - Garbage in, garbage out
Risk Scoring - Numbers + explanations
Developers understand "7/10" instantly
Color coding (🟢🟡🔴) is intuitive
Recommendations drive action
What Didn't Work
❌ Full Codebase Scanning - Too slow, too noisy
❌ Generic AI Prompts - Got generic results
"Analyze this code" → useless output
Added context, examples, structure
Now: Actionable insights
❌ Auto-Merge - Developers want control
❌ 4000 Token Limit - Truncated responses
JSON cut off mid-object
Parsing failed
Increased to 8000 tokens
Key Takeaways
Solve a real problem - Developers hate breaking production
AI is a tool, not magic - Combine with static analysis
Listen to users - They know what they need
Iterate fast - Ship, learn, improve
Measure impact - Data drives decisions
Safety first - Prevention > cure
🎬 Conclusion: Ship Fearlessly DevPilot isn't just a tool. It's peace of mind in a VS Code extension .
No More:
Just:
"DevPilot wrote it in 2 minutes"
"Risk score is 2/10, safe to merge"
"Deploying with confidence"
"Sleeping soundly"
"Shipping features daily"
The DevPilot Promise
Write code 100x faster - AI does the boring stuff
Catch bugs before production - AI guards your code
Sleep peacefully - No more 3 AM incidents
Ship with confidence - Know your risk score
🚀 Try It Yourself
Quick Start (5 minutes)
git clone https://github.com/yourusername/devpilot
cd devpilot
cd backend
pip install -r requirements.txt
echo "GITHUB_TOKEN=your_token" > .env
echo "AI_MODEL_PROVIDER=gemini" >> .env
echo "AI_MODEL_NAME=gemini-2.5-flash" >> .env
echo "AI_API_KEY=your_gemini_key" >> .env
uvicorn app.main:app --reload
cd ../vscode-extension
npm install
Your First Build
Press Ctrl+Shift+P
Run: DevPilot: Interactive Plan & Build
Enter: "Add a /health endpoint that returns server status"
Enter your repo URL
Review the plan
Click "Execute"
Watch the magic happen ✨
Your First Risk Analysis
Make some changes to your code
Press Ctrl+Shift+P
Run: DevPilot: Analyze Git Diff for Production Risks
Enter base branch: main / any branch you want
See your risk score
🙏 Acknowledgments
Google Gemini Team - For the incredible AI
FastAPI - For making Python backends fun
VS Code Team - For the amazing extension API
Open Source Community - For inspiration and support
Coffee - For existing ☕
📝 Final Thoughts Building DevPilot taught me that:
AI is powerful - But only when used right
Developer experience matters - Make it easy, make it fast
Prevention > Cure - Catch bugs before production
Trust is earned - Transparency builds confidence
Sleep is important - DevPilot helps with that
The best code is code that doesn't break production.
The second best code is code that DevPilot wrote and analyzed. 😉
P.S. - If DevPilot saves you from a production incident, you owe me a coffee. ☕
P.P.S. - If DevPilot writes a feature in 2 minutes that would have taken you 2 weeks, you owe me TWO coffees. ☕☕
We at CreoWis
This article is crafted by Parthib Sarkar , a passionate developer at CreoWis. You can reach out to him on X/Twitter , LinkedIn , and follow his work on the GitHub .
