Safe Vibes, a new open-source Django application dropped on GitHub this week, tackles one of the most annoying problems plaguing modern enterprises: business teams vibe-coding reports with AI and creating chaotic shadow IT in the process. The tool provides a governed workspace where non-technical users can chat with an AI report builder, connect to approved databases, generate SQL and HTML output, preview results, and publish reports—all while engineering and IT maintain actual control over what data moves where.

The Shadow IT Problem Nobody Wants to Talk About

Business teams are already pasting raw SQL into random tools, passing around HTML files through email and Slack, and accidentally spinning up runaway API costs. Safe Vibes creator tanner49 frames it directly: 'Business teams are already vibe-coding reports with AI.' Rather than fighting that reality, this tool embraces it and builds guardrails around the chaos. The app uses a chat-style interface for report building, which means your sales ops team doesn't need to learn a CLI or beg engineering for a ticket—just describe what you want and the AI generates the query.

Supported Data Sources and AI Providers

The governance layer supports Postgres, SQLite (with bundled demo data), BigQuery via REST jobs.query with async polling, and Snowflake via their SQL API. Database secrets get encrypted using Fernet symmetric encryption with an environment-configured SECRET_ENCRYPTION_KEY. On the AI side, admins can configure OpenAI, Anthropic's Claude models, or Google Gemini through google-genai—then restrict which models users are allowed to touch. Query controls include timeouts, row count limits, raw byte limits, and optional cached report data with TTL settings.

Security Model: MVP Controls, Not Theater

Safe Vibes bundles practical security guardrails rather than marketing-speak compliance theater. Read-only SQL policy checks prevent accidental writes. Organization-level IP allowlists control who can access published reports. External URL whitelist/blacklist rules include CSP headers and runtime fetch/XMLHttpRequest guards in report previews—important when you're letting business users embed external data sources. SSO comes via a guided OIDC configuration: issuer URL, client ID/secret, scopes, and a 'Require SSO' toggle that blocks password login for non-staff users while preserving admin bootstrap access.
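To make the "read-only SQL policy check" concrete, here is an added illustration of the kind of guardrail described above. It is not Safe Vibes' own code: it tokenises a statement with a small stdlib-only regex lexer (the `DENIED_KEYWORDS` set and `check_read_only` function are assumptions of this example), ignores comments and quoted literals, and allows only a single SELECT/WITH statement that contains no write, DDL or locking keyword, so a CTE that hides a `DELETE ... RETURNING` is rejected too.

```python
import re
from typing import Tuple

# Keywords that must not appear anywhere outside comments or string literals.
# Covers DML, DDL, session commands and data-moving statements that a report
# query should never run. (Constructed list for this example.)
DENIED_KEYWORDS = {
    "INSERT", "UPDATE", "DELETE", "MERGE", "UPSERT", "TRUNCATE", "DROP", "ALTER",
    "CREATE", "GRANT", "REVOKE", "COPY", "INTO", "CALL", "EXEC", "EXECUTE",
    "VACUUM", "ANALYZE", "LOCK", "SET", "RESET", "DO",
}

# One regex alternation per lexical class; comments and literals are matched
# whole so that keywords inside them are never mistaken for real statements.
_TOKEN_RE = re.compile(r"""
    --[^\n]*                  # line comment
  | /\*.*?\*/                 # block comment (non-nested)
  | '(?:[^']|'')*'            # single-quoted string literal with '' escapes
  | "(?:[^"]|"")*"            # double-quoted identifier
  | [A-Za-z_][A-Za-z0-9_]*    # word / keyword
  | ;                         # statement separator
  | \S                        # any other single character
""", re.VERBOSE | re.DOTALL)


def check_read_only(sql: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Only a single SELECT or WITH statement passes."""
    words = []
    seen_separator = False
    for match in _TOKEN_RE.finditer(sql):
        tok = match.group(0)
        if tok.startswith(("--", "/*", "'", '"')):
            continue  # comments and literals carry no executable keywords
        if tok == ";":
            seen_separator = True
            continue
        if tok[0].isalpha() or tok[0] == "_":
            if seen_separator:  # any word after ';' means a second statement
                return False, "multiple statements are not allowed"
            words.append(tok.upper())
    if not words:
        return False, "empty statement"
    if words[0] not in ("SELECT", "WITH"):
        return False, f"statement must start with SELECT or WITH, got {words[0]}"
    denied = DENIED_KEYWORDS.intersection(words)
    if denied:
        return False, f"write/DDL keyword not permitted: {sorted(denied)[0]}"
    return True, "ok"
```

A keyword filter like this is defense in depth, not the primary control: the database role the report connection uses should itself be read-only, and unterminated comments or quotes deliberately fall through to keyword scanning so the check fails closed.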

Deployment Paths: Docker Compose or Heroku

Docker Compose is the recommended deployment path, spinning up the Django app alongside Postgres in an ASGI/Gunicorn/Uvicorn configuration. The compose file runs database migrations and demo database setup automatically on startup—disabled via RUN_MIGRATIONS=false if your platform handles that as a separate release job. For teams already on Heroku, there's a prepared deployment with Procfile web and release processes, WhiteNoise static file serving, and all the environment variables documented for dj-database-url integration.

Key Takeaways

  • Safe Vibes targets the gap between 'business users using AI for reports' and 'IT having zero visibility into those workflows'
  • Chat-based report building lowers the barrier to entry while governance controls keep engineering sane
  • Fernet encryption protects database credentials, SSO configs, and AI provider keys at rest
  • Docker Compose or Heroku deployment options serve different operational preferences
  • Apache 2.0 license means enterprise teams can audit, fork, and self-host without vendor lock-in

The Bottom Line

Safe Vibes isn't trying to be the flashiest AI tool in the room—it's solving a boring but critical problem that costs real money when ignored. If your organization has any business teams experimenting with AI for data work (and they are), you need something like this before someone accidentally exposes customer PII through a Slack-shared HTML file. The source is on GitHub, the license is permissive, and the architecture actually makes sense.