This is a linter-as-context for AI code generation. It injects coding standards into your LLM's prompts before it writes code, enforcing patterns like DDD layers, SOLID principles, dependency injection, custom exceptions, and max line counts per method. Works via stdio with Cursor, VS Code, Claude Desktop, and other MCP clients. The value prop is reducing the AI slop that technically runs but fails code review. Instead of fixing generated code after the fact, you get repository interfaces, proper error types, and test scaffolding from the first output. Configure once in your MCP settings, optionally override rules in `.corbat.json`, and it auto-detects your stack to apply relevant guardrails.
Shared standards, context, and verification gates for agent-assisted software delivery.
Designed for MCP-compatible coding tools and multi-agent workflows. See compatibility notes.
⚡ Try it in 30 seconds — just add the config below and start coding.
AI-generated code often works locally but misses team-specific review expectations:
| Without Corbat | With Corbat |
|---|---|
| Methods with 50+ lines | Max 20 lines per method |
| No dependency injection | Proper DI with interfaces |
throw new Error('failed') | Custom exceptions with context |
| Missing or minimal tests | Tests included, TDD approach |
| God classes, mixed concerns | SOLID principles, clean layers |
| Works locally | Reviewable implementation with explicit checks |
Corbat helps by giving agents your team's standards before implementation and by providing validation tools before review or handoff.
1. Add to your MCP config:
{
"mcpServers": {
"corbat": {
"command": "npx",
"args": ["-y", "@corbat-tech/coding-standards-mcp"]
}
}
}
2. Config file location:
| Tool | Location |
|---|---|
| Cursor | .cursor/mcp.json |
| VS Code | .vscode/mcp.json |
| Windsurf | ~/.codeium/windsurf/mcp_config.json |
| JetBrains | Settings → AI Assistant → MCP |
| Claude Desktop | ~/.config/Claude/claude_desktop_config.json |
| Claude Code | claude mcp add corbat -- npx -y @corbat-tech/coding-standards-mcp |
Complete setup guide for common MCP-compatible tools
3. Done. Corbat can auto-detect your stack and return matching standards.
Zero overhead. Corbat runs locally and adds ~50ms to detect your stack. After that, it's just context for the AI.
Fully customizable. Don't like a rule? Override it in
.corbat.json. Jump to customization →
You: "Create a user registration service"
Without Corbat, you get:
class UserService {
private users: Map<string, User> = new Map();
register(name: string, email: string, password: string) {
if (!name || !email || !password) throw new Error('Invalid input');
const user = { id: crypto.randomUUID(), name, email, password };
this.users.set(user.id, user);
return user;
}
}
// ✗ Hardcoded storage ✗ Password in plain text ✗ Generic error ✗ No tests
With Corbat, you get:
// Domain
interface UserRepository {
save(user: User): Promise<void>;
findByEmail(email: string): Promise<User | null>;
}
class EmailAlreadyExistsError extends Error {
constructor(email: string) {
super(`Email already registered: ${email}`);
}
}
// Application
class RegisterUserUseCase {
constructor(
private readonly repository: UserRepository,
private readonly hasher: PasswordHasher
) {}
async execute(input: RegisterUserInput): Promise<User> {
const existing = await this.repository.findByEmail(input.email);
if (existing) throw new EmailAlreadyExistsError(input.email);
const user = User.create({
...input,
password: await this.hasher.hash(input.password)
});
await this.repository.save(user);
return user;
}
}
// ✓ Repository interface ✓ Password hashing ✓ Custom error ✓ Testable
// Test included
describe('RegisterUserUseCase', () => {
const repository = { save: vi.fn(), findByEmail: vi.fn() };
const hasher = { hash: vi.fn() };
const useCase = new RegisterUserUseCase(repository, hasher);
beforeEach(() => vi.clearAllMocks());
it('should hash password before saving', async () => {
repository.findByEmail.mockResolvedValue(null);
hasher.hash.mockResolvedValue('hashed_password');
await useCase.execute({ name: 'John', email: 'john@test.com', password: 'secret' });
expect(hasher.hash).toHaveBeenCalledWith('secret');
expect(repository.save).toHaveBeenCalledWith(
expect.objectContaining({ password: 'hashed_password' })
);
});
it('should reject duplicate emails', async () => {
repository.findByEmail.mockResolvedValue({ id: '1', email: 'john@test.com' });
await expect(
useCase.execute({ name: 'John', email: 'john@test.com', password: 'secret' })
).rejects.toThrow(EmailAlreadyExistsError);
});
});
This is the kind of structure Corbat asks agents to consider before handoff.
Corbat provides these guardrails before generation and validation checks during iteration:
| Rule | Why It Matters |
|---|---|
| Max 20 lines per method | Readable, testable, single-purpose functions |
| Max 200 lines per class | Single Responsibility Principle |
| Meaningful names | No data, info, temp, x |
| No magic numbers | Constants with descriptive names |
| Rule | Why It Matters |
|---|---|
| Interfaces for dependencies | Testable code, easy mocking |
| Layer separation | Domain logic isolated from infrastructure |
| Hexagonal/Clean patterns | Framework-agnostic business rules |
| Rule | Why It Matters |
|---|---|
| Custom exceptions | UserNotFoundError vs Error('not found') |
| Error context | Include IDs, values, state in errors |
| No empty catches | Every error handled or propagated |
| Rule | Why It Matters |
|---|---|
| Input validation | Reject bad data at boundaries |
| No hardcoded secrets | Environment variables only |
| Parameterized queries | Prevent SQL injection |
| Output encoding | Prevent XSS |
We evaluated Corbat across 15 scenarios in 6 languages. The primary benchmark report is mixed and should be read honestly: Corbat won 1/15 scenarios by the original aggregate score, while an alternative value analysis found stronger results for code compactness and maintainability.
The strongest observed signal is that Corbat-guided outputs are often smaller and more focused:
| Scenario | With Corbat | Without Corbat | What This Means |
|---|---|---|---|
| Kotlin Coroutines | 236 lines | 1,923 lines | Same functionality, 8x less to maintain |
| Java Hexagonal | 623 lines | 2,740 lines | Clean architecture without the bloat |
| Go Clean Arch | 459 lines | 2,012 lines | Idiomatic Go, not Java-in-Go |
| TypeScript NestJS | 395 lines | 1,554 lines | Right patterns, right size |
This is not enough to claim universal quality improvement. It is evidence that standards context can reduce over-generation in some workflows.
The value report reweights the same dataset toward efficiency and maintainability:
| Metric | Result | What It Means |
|---|---|---|
| Code Reduction | 67% | Less to maintain, review, and debug |
| Security checks | 100% | No issues detected by benchmark pattern checks |
| Maintainability | 93% win | Easier to understand and modify |
| Architecture Efficiency | 87% win | Better patterns per line of code |
| Cognitive Load | -59% | Faster onboarding for new developers |
Every scenario was analyzed using pattern checks inspired by OWASP Top 10 categories. This is not a replacement for SAST, DAST, dependency scanning, manual review, or threat modeling.
| Language | Scenarios | Patterns |
|---|---|---|
| ☕ Java | 5 | Spring Boot, DDD Aggregates, Hexagonal, Kafka Events, Saga |
| 📘 TypeScript | 4 | Express REST, NestJS Clean, React Components, Next.js Full-Stack |
| 🐍 Python | 2 | FastAPI CRUD, Repository Pattern |
| 🐹 Go | 2 | HTTP Handlers, Clean Architecture |
| 🦀 Rust | 1 | Axum with Repository Trait |
| 🟣 Kotlin | 1 | Coroutines + Strategy Pattern |
📖 Full benchmark methodology · Value analysis
Corbat auto-detects your stack and applies the right standards:
| Profile | Stack | What You Get |
|---|---|---|
java-spring-backend | Java 21 + Spring Boot 3 | Hexagonal + DDD, TDD with 80%+ coverage |
kotlin-spring | Kotlin + Spring Boot 3 | Coroutines, Kotest + MockK |
nodejs | Node.js + TypeScript | Clean Architecture, Vitest |
nextjs | Next.js 14+ | App Router patterns, Server Components |
react | React 18+ | Hooks, Testing Library, accessible components |
vue | Vue 3.5+ | Composition API, Vitest |
angular | Angular 19+ | Standalone components, Jest |
python | Python + FastAPI | Async patterns, pytest |
go | Go 1.22+ | Idiomatic Go, table-driven tests |
rust | Rust + Axum | Ownership patterns, proptest |
csharp-dotnet | C# 12 + ASP.NET Core 8 | Clean + CQRS, xUnit |
flutter | Dart 3 + Flutter | BLoC/Riverpod, widget tests |
Auto-detection: Corbat reads pom.xml, package.json, go.mod, Cargo.toml, etc.
| Use Case | Why Corbat Helps |
|---|---|
| Starting a new project | Correct architecture from day one |
| Multi-agent delivery | Planner, implementation, review, and security agents share the same policy context |
| Teams with mixed experience | Standards become explicit and repeatable |
| Strict code review standards | Agents can validate against the review bar before handoff |
| Regulated industries | Consistent security and documentation |
| Legacy modernization | New code follows modern patterns |
npx corbat-init
Detects your stack and generates a .corbat.json with sensible defaults.
Create .corbat.json in your project root:
{
"profile": "java-spring-backend",
"architecture": {
"pattern": "hexagonal",
"layers": ["domain", "application", "infrastructure", "api"]
},
"quality": {
"maxMethodLines": 20,
"maxClassLines": 200,
"minCoverage": 80
},
"rules": {
"always": [
"Use records for DTOs",
"Prefer Optional over null"
],
"never": [
"Use field injection",
"Catch generic Exception"
]
}
}
Browse 14 ready-to-use templates for Java, Python, Node.js, React, Go, Rust, and more.
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Your Prompt │────▶│ Corbat MCP │────▶│ AI + Rules │
└─────────────┘ └──────┬──────┘ └─────────────┘
│
┌──────────────┼──────────────┐
▼ ▼ ▼
┌────────────┐ ┌────────────┐ ┌────────────┐
│ 1. Detect │ │ 2. Load │ │ 3. Inject │
│ Stack │ │ Profile │ │ Guardrails │
└────────────┘ └────────────┘ └────────────┘
pom.xml hexagonal max 20 lines
package.json + DDD + interfaces
go.mod + SOLID + custom errors
Corbat does not modify AI output. It supplies context, standards, profiles, and validation feedback so agents can align with your review expectations.
Important: Actual code quality depends on the model, host tool, prompt, repository context, tests, and human review. Treat Corbat as a policy and verification layer, not as a guarantee of production readiness.
| Resource | Description |
|---|---|
| Setup Guide | Installation notes for common MCP-compatible tools |
| Templates | Ready-to-use .corbat.json configurations |
| Compatibility | Full list of supported AI tools |
| Benchmark Analysis | Detailed results from 15 scenarios |
| Multi-Agent Architecture | How Corbat fits planner/reviewer/security/release agent workflows |
| Security Model | Local execution model, threat model, and reporting |
| API Reference | Tools, prompts, and configuration options |
Add to your MCP config and you're done:
{ "mcpServers": { "corbat": { "command": "npx", "args": ["-y", "@corbat-tech/coding-standards-mcp"] }}}
Use Corbat as shared standards context plus a local quality gate.
Developed by corbat-tech