DAIMON AI
Two governed interaction surfaces — @da###hi Chat Participant and Governed Chat Console — running identical harness: Effective Policy, Phase Machine, and 28+ governed tools. AI that your organisation controls.
Two Governed Surfaces
@da###hi inside GitHub Copilot Chat, and the standalone Governed Chat Console — both share identical harness, policy enforcement, and tool registry.
Phase Machine
Deterministic workflow orchestrator executing YAML Workflow DAGs — /wf-fix, /wf-feature, /wf-release, /wf-security, and more.
Effective Policy
Intersection of Platform Control Plane and Extension Governance Plane. Cryptographically signed. Seven-Day Last Known Good fallback.
DAIMON Castle (AFK)
Governed AFK execution in spoke CI runners via signed Castle Runner Image. Developer dispatches, Castle executes, outputs land as PRs.
System Architecture
AI in the Enterprise — Without Governance
Raw AI assistance creates five compounding risks that grow as adoption scales across companies.
AI knows nothing about your auth conventions, null-guard patterns, or internal standards. Every suggestion must be manually validated against your codebase before use.
No record of what AI generated, what files it accessed, or which model was used. Impossible to audit, reproduce, or attribute decisions when things go wrong.
Secrets, PII, and confidential code can be forwarded to external AI providers without interception. One developer mistake becomes a data exfiltration incident.
One-shot replies only. No multi-step implementation, no checkpoints, no scope control. A complex architectural change gets the same shallow treatment as a one-liner.
Each team configures AI differently — different models, different tools, different trust levels. The Central AI Team has no visibility, no control plane, and no way to enforce consistent standards across the group.
Who Is DAIMON AI For?
Three roles — each with a distinct entry point and a clear value proposition.
"I want AI that knows my codebase and company patterns — not just Stack Overflow."
"I want structured, auditable AI workflows my team can trust — with guardrails that protect our codebase."
"I want to govern AI use consistently across all our group companies — one policy layer, deployed everywhere."
Your Onboarding Journey
23 slides — from the problem statement to a production deployment. Navigate at your own pace with ← → arrow keys.
The problem · Who it's for · System architecture · Live scenario walkthrough · Two governed surfaces
Click 1: @da###hi /wf-fix · Click 2: Governed Chat Console with Turn Context Bar and live tool cards
Effective Policy · Phase Machine · Scope Tiers · Tool Cards · Knowledge Bundles · Integrations · Castle · Workbench · Policy Controls
For the Central AI Team · FAQ · Deployment steps — from install to first governed workflow in ~30 minutes
Raw AI vs Governed AI
Without DAIMON — Generic AI
🔎
🤖
⚙️
if (session !== null) {
audit.log(session.userId);
}
— No audit trail
— No workflow, no verification, no PR
— No knowledge of your company’s auth conventions
Two Governed Interaction Surfaces
Both surfaces share identical harness. Features, bug fixes, guardrails, and tool flows must be in parity across both.
@da###hi Chat Participant
Registered in GitHub Copilot Chat. Slash commands: /wf-fix, /wf-feature, /wf-release, /wf-security, /wf-spike, and more. Agentic loop via agenticLoop.ts.
harness
Governed Chat Console
Standalone WebView panel. Runs without Copilot Chat. Turn Context Bar, Tool Result Cards, Console Tool Posture (explore / act).
🔎
🤖
⚙️
Scope: Minimal · Model: Tier-2 · Policy: Effective v2.4.1
▶ Phase 1 — Understand Analysing session lifecycle…
✏️ editFile — sessionManager.ts
🔎
⬡
⚙️
🔍 searchFiles — "session.userId"
📄 readFile — userRoute.ts:85–94
✓ Fix verified. Only sessionManager.ts needed the guard.
A Day in the Life — With DAIMON AI
Follow a developer through a real security bug fix — from cold start to merged PR.
A security bug is filed: sessionManager.ts leaks a null pointer when token refresh fails. The developer has never touched this repo before. Deadline: today.
Developer types @da###hi /wf-fix. The Knowledge Bundle silently injects the company's auth token null-guard pattern. The agent already knows the convention — zero onboarding required.
Mid-workflow, the Chat Enforcement Interceptor detects an API key in the proposed diff. The turn is held. Developer clicks Redact — the key is replaced with [REDACTED] before anything leaves the network.
The workflow creates PR #142 on GitHub Enterprise. The PR body includes policy version applied, steps completed, files changed, and tool calls executed. The security reviewer gets a pre-populated summary — no copy-paste from AI chat.
How Governance Works
GitHub private repo — org policy
bundled-governance/policies/manifest.json
Intersection — cryptographically signed — enforced on every turn
Sensitive Data Scan Policy
28+ tools — policy + telemetry
Per-agent from manifest
Fallback on sync outage
RSA-SHA256 verification
Baseline + remote sync
Every governance manifest is verified with RSA-SHA256 before activation. A sync outage falls back to the Seven-Day Last Known Good (LKG), not to a permissive default. Policy degrades safely — it never silently expands.
Phase Machine + Workflow DAGs
- Deterministic — no LLM in the phase sequencer
- Steps declared in YAML, not source code
- Signal-Forced Steps override any tier
- Cross-step context flows via step.output
# bundled-governance/workflows-templates/workflow-bug-fix.yaml
name: Bug Fix
phases:
- id: understand
agent: analyst
tools: [readFile, searchFiles, getSymbols, findReferences]
- id: plan
agent: planner
tools: [readFile, searchFiles, askQuestion]
- id: implement
agent: implementer
tools: [readFile, writeFile, editFile, runCommand]
- id: verify
agent: verifier
tools: [runTests, getProblems, readFile]
- id: commit
agent: integrator
tools: [gitCommit, createBranch, runCommand]
The Scope Classifier analyses the request and proposes an Execution Scope Tier (Inline / Minimal / Full). Safety signals can force Signal-Forced Steps even if scope would skip them.
Execution Scope Tiers
The Scope Classifier proposes the appropriate tier based on request complexity and safety signals. Signal-Forced Steps override any tier when auth or PII signals fire.
No DAG
Single-turn response. No Phase Machine invocation. Used for questions, explanations, and trivial edits that need no workflow.
Core steps only
Phase Machine runs a reduced DAG — understand and implement, skipping optional verification and release phases.
All phases
Complete Workflow DAG execution — understand, plan, implement, verify, commit, release. Used for features, migrations, and security incidents.
Certain steps are inserted regardless of the selected tier when safety signals fire — for example, a PII-detection step is forced when the Chat Enforcement Interceptor flags sensitive patterns, and an auth-gate step is forced when an integration requires elevated credentials.
🔎
🤖
⚙️
✏️ writeFile — src/payment/paymentService.ts
⚙️ runCommand — npm test
Possible connection string detected in prompt. Redact before sending?
🔎
🤖
⚙️
Session Auth Pattern — null-guard convention for auth/sessionManager.ts
🔎
🤖
⚙️
🌿 createBranch — bugfix/session-null-guard
📬 createPullRequest — PR #142
DAIMON Castle — AFK Execution
Developer dispatches via castleDispatch in VS Code — a signed Castle Runner Image picks up the task in a spoke CI runner and outputs land as policy-attested PRs.
VS Code
castleDispatch
Detached execution
signed image
Spoke CI runner
outputs
+ Policy Attestation
askQuestion tools are denied (no one to answer). Sensitive content is flagged on the PR rather than silently proceeding.
Castle Runner pulls a specific, signed Immutable Policy Version at job start — not "latest". The exact version is recorded in the PR attestation.
🔎
🤖
⚙️
What tools should the payment reviewer have access to?
Suggest: readFile, searchFiles, getSymbols (explore-only for a reviewer)
Active under Author-Scoped Test Grant. Use
@da###hi @payment-reviewer now.Ready to promote via Joint Contribution PR when tested.
What Policy Controls, What Developers Do
- Agent iteration budgets (
agentIterationBudgets) - Tool tier assignments (
agentToolTiers) - Model routing overrides (
modelRouting.agentOverrides) - Sensitive data scan rules
- Execution Scope Tier defaults
- Castle AFK Posture rules
- Knowledge capture consent thresholds
- Author Local Agents with the Capability Workbench
- Extend with Local Skills and Local Standards
- Compose new Workflow DAGs in YAML
- Accept or dismiss Knowledge Capture proposals
- Dispatch Castle (AFK) tasks via
castleDispatch - Configure Integration Connections per workspace
- Promote Local Capabilities via Joint Contribution PR
Governance content is layered: Baseline (shipped in extension) + remote sync from the organisation's private governance repository. Remote wins where it overlaps. The baseline ensures DAIMON is functional even before any org-specific policy is published.
This extension is distributed to multiple group companies. All infrastructure coordinates (GitHub Enterprise URLs, org names, policy repository) must come from settings — never from source code literals.
For the Central AI Team
One governance manifest, published once, controlling AI behaviour across all group companies.
What You Control
How You Publish It
// governance/policies/manifest.json (excerpt) "agentToolTiers": { "security-reviewer": "full", "code-helper": "restricted" }, "agentIterationBudgets": { "wf-fix": 12, "wf-feature": 24 }, "modelRouting": { "agentOverrides": { "wf-security": "gpt-4o" } }
Frequently Asked Questions
No. DAIMON governs and extends Copilot Chat — it adds a governance layer on top of Copilot. The @da###hi Chat Participant runs inside Copilot Chat. Developers keep using Copilot exactly as before; DAIMON adds policy enforcement, Knowledge Bundles, and workflow orchestration alongside it.
That depends on your model configuration. DAIMON supports your own Azure OpenAI endpoints, Ollama, LM Studio, and any OpenAI-compatible API — keeping all data within your tenant. The Chat Enforcement Interceptor also blocks sensitive data from reaching any model endpoint before it can leave.
Three steps: install the VSIX (~5 min), configure your governance repository settings (~10 min), deploy the Castle Pipeline Template to your CI environment (~15 min). After initial setup the extension self-manages governance sync and Last Known Good fallback.
Yes — the Capability Workbench lets developers author local agents, skills, standards, and workflow DAGs using a conversational builder. New capabilities are immediately usable under an Author-Scoped Test Grant, then promoted to org-wide governance via a signed Joint Contribution PR.
Seven-Day Last Known Good (LKG) retains the last successfully verified policy for up to 7 days. DAIMON continues at the last known permission level — no silent permission expansion, no degraded experience. Sync resumes automatically when the repo becomes reachable.
DAIMON AI — Ready to Deploy
Governed AI gateway for VS Code. Two surfaces, one harness. Policy-enforced, audited, knowledge-grounded — from inline Q&A to full AFK execution via DAIMON Castle.
Install Extension
Install the VSIX into VS Code. Press F5 for Extension Development Host. Open @da###hi in Copilot Chat or launch the Governed Chat Console from the sidebar.
Configure Governance
Point the extension at your organisation's governance repository. Effective Policy syncs automatically. Seven-Day LKG ensures continuity during outages.
Deploy DAIMON Castle
Add the Castle Pipeline Template to your CI. Pull the signed Castle Runner Image. Dispatch AFK tasks from VS Code — outputs land as policy-attested PRs.