A safety & control layer for AI coding agents.
Prevent Claude, Cursor, and AI agents from breaking your codebase.
CCG sits between AI agents and your repository to enforce safety, policy, and structure.
The Control Plane for AI Agents
CCG sits between AI and your code. Every action goes through safety checks.
Breaking changes
Verified changes
You stay in control.
What CCG Blocks
Real examples of dangerous AI actions that CCG prevented.
AI wanted to delete 42 files
Claude attempted to "clean up" by removing the entire /src/core directory during refactoring.
Blocked execution. Generated risk report. Required human approval for each file.
AI rewrote database layer
Cursor attempted to change the ORM from Prisma to Drizzle without a migration plan.
Detected architectural change. Required migration plan before proceeding.
AI changed public API signature
Agent renamed exported functions without considering downstream consumers.
Flagged breaking change. Suggested deprecation path with versioning.
AI is powerful. Uncontrolled AI is dangerous.
CCG ensures every AI action is safe, reversible, and human-approved.
Real results from dogfooding CCG on itself
Safety Without Friction
Protection that fits into your existing workflow.
Zero-Config Protection
Run ccg quickstart and guard rails activate immediately. No configuration needed. Sensible defaults protect you from day one.
Works With Any AI Tool
Context Profiles auto-detect VSCode, Cursor, or CLI mode. CCG protects regardless of which AI agent you use.
Instant Risk Analysis
Analyze ~100k LOC in under a second. See risk scores before AI makes any changes. Real-time protection without slowdown.
How CCG Protects Your Code
Safety features organized by protection level.
Detect Risk Before AI Acts
Tech Debt Index (0-100, grade A-F) identifies structural risk. Hotspot detection flags files AI should never touch blindly.
Human-Reviewable Execution Plans
Latent Chain mode enforces Analysis → Plan → Impl → Review. Guard module blocks dangerous patterns before they execute.
Audit Trail & Rollback
Before/after metrics and checkpoint system. Every AI action is logged and reversible. Full session history for compliance.
CI/CD Safety Gates
GitHub Action blocks PRs that exceed risk threshold. Quality gates prevent unsafe code from reaching production.
Proof Pack & TDI Gates
Tamper-evident validation with SHA-256 hash chain. TDI budget gates block code that exceeds complexity thresholds.
Security & Threat Detection
STRIDE threat modeling built-in. Detect SQL injection, hardcoded secrets, and vulnerabilities before AI introduces them.
Real Results
From our own codebase analysis (yes, we dogfood).
| Rank | File | Score | Issue | Action |
|---|---|---|---|---|
| #1 | agents.service.ts | 90 | 542 lines, complexity 78 | split-module |
| #2 | workflow.service.ts | 89 | 518 lines, nesting 7 | split-module |
| #3 | commands.service.ts | 88 | 502 lines, complexity 72 | split-module |
| #4 | ccg.ts | 85 | 489 lines, nesting 6 | refactor |
| #5 | latent.service.ts | 83 | 467 lines, complexity 65 | refactor |
How It Works
From install to insights in 4 steps.
1. Install
One global install. Works on any Node.js project.
2. Run Quickstart
Scans repo, finds hotspots, generates local report in docs/reports/ (gitignored). Works offline.
3. Review & Refactor
Open the report in your editor. Start with worst-grade files. Use Claude Code + CCG MCP tools to refactor safely with Latent Chain.
4. Track Progress (Team)
Track TDI and hotspots over time. See trends across sessions.
Agent Collaboration Workflow
How CCG's specialized agents work together to solve complex tasks
For Open Source Maintainers
Automate code quality checks on every pull request.
Automatic PR Comments
Every PR gets a formatted comment showing top hotspots, TDI delta, and suggested fixes. No manual review needed.
Quality Gates
Set a TDI threshold and let CI fail on critical hotspots. Prevent complex code from being merged without review.
GitHub Actions Ready
Copy-paste our workflow file and start enforcing quality in minutes. Works with any Node.js project.
Coming soon to GitHub Marketplace
Pricing
Start free. Scale when ready.
Dev
For solo devs & side projects
- Core CLI & hotspot detection
- Tech Debt Index per run
- AST Analysis (JS/TS)
- Auto-migration & Onboarding Agent
- Context Profiles (IDE auto-detect)
- Fully local, no license
Team
For product teams & agencies
- Everything in Dev
- Latent Chain - Multi-phase reasoning
- AutoAgent - Task decomposition
- Thinking Models - Structured reasoning
- RAG Search - Semantic code search
- Advanced reports & trends
- Email support
Enterprise
For large orgs & compliance
- Everything in Team
- Unlimited repos
- SSO / SAML
- Audit logs
- Dedicated cloud backend
- SLA + dedicated support
FAQ
Why not just use SonarQube + Claude?
You could! But Code Guardian Studio gives you:
- Tech Debt Index — one number for codebase health (0-100, grade A-F)
- Trend tracking — see how TDI changes sprint over sprint
- Multi-session reports — before/after comparisons out of the box
- Claude-native workflow — Latent Chain mode, MCP integration, no glue code
SonarQube is great for static analysis. CCG adds the "what changed" and "what to do next" layers that turn analysis into action.
Does the free tier have limits?
No artificial limits. Dev tier includes full CLI, hotspot detection, Tech Debt Index, and basic reports. It runs 100% offline with no license key required.
Team tier adds trend tracking, advanced reports, PR comments, and VS Code integration for teams who want visibility into progress over time.
What languages are supported?
JavaScript/TypeScript have full AST-based analysis for precise complexity and function-level metrics. Python, Java, Go, Rust, and C/C++ work with basic metrics. Any language with recognizable syntax gets file-level analysis.
Is my code sent to any server?
No. CCG runs 100% locally. All analysis data (memories, tasks, reports, checkpoints) is stored in the .ccg/ folder in your project — never uploaded anywhere.
- Code analysis — processed locally, results saved to .ccg/
- RAG embeddings — local TF-IDF by default (no external API)
- License verification — only your license key is sent (not your code)
- No telemetry — zero analytics, zero tracking
Even with a Team license, we only verify your license key. Your source code never leaves your machine.
What data does CCG store?
Everything is stored locally in .ccg/:
- memory.db — decisions, patterns, notes
- tasks/*.json — workflow tracking
- checkpoints/ — git-like restore points
- registry/ — document index
Add .ccg/ to .gitignore to keep this data private (we do this automatically on ccg init).
Ready to clean up your codebase?
ccg quickstart
That's it. Local report generated in docs/reports/ (gitignored).