KeePassXC Clarifies AI Policy: Used Only in Development, Never in the App

KeePassXC’s developers explain that AI helps with code reviews and small pull requests, but never appears in the KeePassXC codebase.

The team behind the popular open-source, cross-platform password manager KeePassXC has published a detailed explanation of how AI is used in its development workflow. The explanation responds to community concerns raised after a recent update to the project’s contribution policy, specifically its AI-related provisions.

In its announcement, the team stresses that AI assists developers during the review and drafting process, but no AI-generated code is merged into the KeePassXC codebase. The application itself remains fully human-written and continues to follow the rigorous security standards that its users expect.

Here is how the process works. Five maintainers have the authority to merge pull requests, with two serving as core maintainers. Every contribution—whether written by a newcomer, a long-time contributor, or a maintainer—is submitted through GitHub, run through continuous integration, and reviewed line by line.

Merging is blocked until at least one maintainer signs off, and if a maintainer authored the change, another maintainer must review it. At the same time, the developers outline two narrow, controlled ways AI is used:

  • As an additional reviewer, AI tools can summarize code changes and identify potential issues. These suggestions serve only as supplemental “eyes,” complementing existing CI checks such as unit tests, memory analysis, and static code analysis.
  • For drafting trivial, tightly scoped pull requests, tools like GitHub Copilot may propose boilerplate code, simple bug fixes, or test scaffolding. Maintainers then refine these drafts with follow-up commits and review them with the same level of scrutiny as any other contribution.

According to the developers, in both cases AI never replaces human review. Every contribution is scrutinized, tested, and squashed into a single commit before being pushed to the main branch. Reacting to speculation about broader AI integration, the KeePassXC team makes its position unmistakable: “There are no AI features inside KeePassXC and there never will be.”

To make things crystal clear, the team emphasizes that the project will not utilize AI to rewrite, refactor, or influence security-critical components. Sensitive areas such as cryptography remain strictly off-limits, and the team rejects any claim that KeePassXC is being “vibe-coded.” Instead, AI is used sparingly and only where it cannot negatively affect the security of the final product.

The announcement also addresses another recurring concern: could AI generate malicious or deceptively clean-looking code? Here, KeePassXC’s position is pragmatic. The maintainers argue that code quality is determined by correctness, not by the identity of the author.

In their view, a flawed snippet copied from a forum is no different from a flawed AI suggestion—both are caught by the established review and testing process. They also note that a skilled human saboteur is far more dangerous than a general-purpose LLM, and that recent supply-chain attacks reinforce that point.

For more details, refer to KeePassXC’s announcement itself.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.