corbat
OfficialProvides coding standards and quality validation for AI coding agents, configurable in JetBrains IDEs via the AI Assistant MCP integration.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@corbatCheck this code for coding standards violations"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
CORBAT MCP
Policy and quality engine for AI coding agents
Shared standards, context, and verification gates for agent-assisted software delivery.
Designed for MCP-compatible coding tools and multi-agent workflows. See compatibility notes.
⚡ Try it in 30 seconds — just add the config below and start coding.
The Problem
AI-generated code often works locally but misses team-specific review expectations:
Without Corbat | With Corbat |
Methods with 50+ lines | Max 20 lines per method |
No dependency injection | Proper DI with interfaces |
| Custom exceptions with context |
Missing or minimal tests | Tests included, TDD approach |
God classes, mixed concerns | SOLID principles, clean layers |
Works locally | Reviewable implementation with explicit checks |
Corbat helps by giving agents your team's standards before implementation and by providing validation tools before review or handoff.
Related MCP server: standards-mcp
Quick Start
1. Add to your MCP config:
{
"mcpServers": {
"corbat": {
"command": "npx",
"args": ["-y", "@corbat-tech/coding-standards-mcp"]
}
}
}2. Config file location:
Tool | Location |
Cursor |
|
VS Code |
|
Windsurf |
|
JetBrains | Settings → AI Assistant → MCP |
Claude Desktop |
|
Claude Code |
|
Complete setup guide for common MCP-compatible tools
3. Done. Corbat can auto-detect your stack and return matching standards.
Zero overhead. Corbat runs locally and adds ~50ms to detect your stack. After that, it's just context for the AI.
Fully customizable. Don't like a rule? Override it in
.corbat.json. Jump to customization →
See It In Action
You: "Create a user registration service"Without Corbat, you get:
class UserService {
private users: Map<string, User> = new Map();
register(name: string, email: string, password: string) {
if (!name || !email || !password) throw new Error('Invalid input');
const user = { id: crypto.randomUUID(), name, email, password };
this.users.set(user.id, user);
return user;
}
}
// ✗ Hardcoded storage ✗ Password in plain text ✗ Generic error ✗ No testsWith Corbat, you get:
// Domain
interface UserRepository {
save(user: User): Promise<void>;
findByEmail(email: string): Promise<User | null>;
}
class EmailAlreadyExistsError extends Error {
constructor(email: string) {
super(`Email already registered: ${email}`);
}
}
// Application
class RegisterUserUseCase {
constructor(
private readonly repository: UserRepository,
private readonly hasher: PasswordHasher
) {}
async execute(input: RegisterUserInput): Promise<User> {
const existing = await this.repository.findByEmail(input.email);
if (existing) throw new EmailAlreadyExistsError(input.email);
const user = User.create({
...input,
password: await this.hasher.hash(input.password)
});
await this.repository.save(user);
return user;
}
}
// ✓ Repository interface ✓ Password hashing ✓ Custom error ✓ Testable// Test included
describe('RegisterUserUseCase', () => {
const repository = { save: vi.fn(), findByEmail: vi.fn() };
const hasher = { hash: vi.fn() };
const useCase = new RegisterUserUseCase(repository, hasher);
beforeEach(() => vi.clearAllMocks());
it('should hash password before saving', async () => {
repository.findByEmail.mockResolvedValue(null);
hasher.hash.mockResolvedValue('hashed_password');
await useCase.execute({ name: 'John', email: 'john@test.com', password: 'secret' });
expect(hasher.hash).toHaveBeenCalledWith('secret');
expect(repository.save).toHaveBeenCalledWith(
expect.objectContaining({ password: 'hashed_password' })
);
});
it('should reject duplicate emails', async () => {
repository.findByEmail.mockResolvedValue({ id: '1', email: 'john@test.com' });
await expect(
useCase.execute({ name: 'John', email: 'john@test.com', password: 'secret' })
).rejects.toThrow(EmailAlreadyExistsError);
});
});This is the kind of structure Corbat asks agents to consider before handoff.
What Corbat Provides
Corbat provides these guardrails before generation and validation checks during iteration:
Code Quality
Rule | Why It Matters |
Max 20 lines per method | Readable, testable, single-purpose functions |
Max 200 lines per class | Single Responsibility Principle |
Meaningful names | No |
No magic numbers | Constants with descriptive names |
Architecture
Rule | Why It Matters |
Interfaces for dependencies | Testable code, easy mocking |
Layer separation | Domain logic isolated from infrastructure |
Hexagonal/Clean patterns | Framework-agnostic business rules |
Error Handling
Rule | Why It Matters |
Custom exceptions |
|
Error context | Include IDs, values, state in errors |
No empty catches | Every error handled or propagated |
Security-Oriented Checks
Rule | Why It Matters |
Input validation | Reject bad data at boundaries |
No hardcoded secrets | Environment variables only |
Parameterized queries | Prevent SQL injection |
Output encoding | Prevent XSS |
Benchmark Results v3.0
We evaluated Corbat across 15 scenarios in 6 languages. The primary benchmark report is mixed and should be read honestly: Corbat won 1/15 scenarios by the original aggregate score, while an alternative value analysis found stronger results for code compactness and maintainability.
What The Data Supports
The strongest observed signal is that Corbat-guided outputs are often smaller and more focused:
Scenario | With Corbat | Without Corbat | What This Means |
Kotlin Coroutines | 236 lines | 1,923 lines | Same functionality, 8x less to maintain |
Java Hexagonal | 623 lines | 2,740 lines | Clean architecture without the bloat |
Go Clean Arch | 459 lines | 2,012 lines | Idiomatic Go, not Java-in-Go |
TypeScript NestJS | 395 lines | 1,554 lines | Right patterns, right size |
This is not enough to claim universal quality improvement. It is evidence that standards context can reduce over-generation in some workflows.
Value Metrics
The value report reweights the same dataset toward efficiency and maintainability:
Metric | Result | What It Means |
Code Reduction | 67% | Less to maintain, review, and debug |
Security checks | 100% | No issues detected by benchmark pattern checks |
Maintainability | 93% win | Easier to understand and modify |
Architecture Efficiency | 87% win | Better patterns per line of code |
Cognitive Load | -59% | Faster onboarding for new developers |
Security: No Benchmark Pattern Findings
Every scenario was analyzed using pattern checks inspired by OWASP Top 10 categories. This is not a replacement for SAST, DAST, dependency scanning, manual review, or threat modeling.
No SQL/NoSQL injection patterns detected
No XSS patterns detected
No hardcoded credentials detected
Input validation patterns present at boundaries
Error messages did not expose stack traces in the benchmark samples
Languages & Patterns Tested
Language | Scenarios | Patterns |
☕ Java | 5 | Spring Boot, DDD Aggregates, Hexagonal, Kafka Events, Saga |
📘 TypeScript | 4 | Express REST, NestJS Clean, React Components, Next.js Full-Stack |
🐍 Python | 2 | FastAPI CRUD, Repository Pattern |
🐹 Go | 2 | HTTP Handlers, Clean Architecture |
🦀 Rust | 1 | Axum with Repository Trait |
🟣 Kotlin | 1 | Coroutines + Strategy Pattern |
📖 Full benchmark methodology · Value analysis
Built-in Profiles
Corbat auto-detects your stack and applies the right standards:
Profile | Stack | What You Get |
| Java 21 + Spring Boot 3 | Hexagonal + DDD, TDD with 80%+ coverage |
| Kotlin + Spring Boot 3 | Coroutines, Kotest + MockK |
| Node.js + TypeScript | Clean Architecture, Vitest |
| Next.js 14+ | App Router patterns, Server Components |
| React 18+ | Hooks, Testing Library, accessible components |
| Vue 3.5+ | Composition API, Vitest |
| Angular 19+ | Standalone components, Jest |
| Python + FastAPI | Async patterns, pytest |
| Go 1.22+ | Idiomatic Go, table-driven tests |
| Rust + Axum | Ownership patterns, proptest |
| C# 12 + ASP.NET Core 8 | Clean + CQRS, xUnit |
| Dart 3 + Flutter | BLoC/Riverpod, widget tests |
Auto-detection: Corbat reads pom.xml, package.json, go.mod, Cargo.toml, etc.
When to Use Corbat
Use Case | Why Corbat Helps |
Starting a new project | Correct architecture from day one |
Multi-agent delivery | Planner, implementation, review, and security agents share the same policy context |
Teams with mixed experience | Standards become explicit and repeatable |
Strict code review standards | Agents can validate against the review bar before handoff |
Regulated industries | Consistent security and documentation |
Legacy modernization | New code follows modern patterns |
When Corbat Might Not Be Needed
Quick prototypes where quality doesn't matter
One-off scripts you'll throw away
Learning projects where you want to make mistakes
Customize
Option 1: Interactive Setup
npx corbat-initDetects your stack and generates a .corbat.json with sensible defaults.
Option 2: Manual Configuration
Create .corbat.json in your project root:
{
"profile": "java-spring-backend",
"architecture": {
"pattern": "hexagonal",
"layers": ["domain", "application", "infrastructure", "api"]
},
"quality": {
"maxMethodLines": 20,
"maxClassLines": 200,
"minCoverage": 80
},
"rules": {
"always": [
"Use records for DTOs",
"Prefer Optional over null"
],
"never": [
"Use field injection",
"Catch generic Exception"
]
}
}Option 3: Use a Template
Browse 14 ready-to-use templates for Java, Python, Node.js, React, Go, Rust, and more.
How It Works
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Your Prompt │────▶│ Corbat MCP │────▶│ AI + Rules │
└─────────────┘ └──────┬──────┘ └─────────────┘
│
┌──────────────┼──────────────┐
▼ ▼ ▼
┌────────────┐ ┌────────────┐ ┌────────────┐
│ 1. Detect │ │ 2. Load │ │ 3. Inject │
│ Stack │ │ Profile │ │ Guardrails │
└────────────┘ └────────────┘ └────────────┘
pom.xml hexagonal max 20 lines
package.json + DDD + interfaces
go.mod + SOLID + custom errorsCorbat does not modify AI output. It supplies context, standards, profiles, and validation feedback so agents can align with your review expectations.
Important: Actual code quality depends on the model, host tool, prompt, repository context, tests, and human review. Treat Corbat as a policy and verification layer, not as a guarantee of production readiness.
Documentation
Resource | Description |
Installation notes for common MCP-compatible tools | |
Ready-to-use | |
Full list of supported AI tools | |
Detailed results from 15 scenarios | |
How Corbat fits planner/reviewer/security/release agent workflows | |
Local execution model, threat model, and reporting | |
Tools, prompts, and configuration options |
Make agent output easier to review.
Add to your MCP config and you're done:
{ "mcpServers": { "corbat": { "command": "npx", "args": ["-y", "@corbat-tech/coding-standards-mcp"] }}}Use Corbat as shared standards context plus a local quality gate.
Developed by corbat-tech
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/corbat-tech/coding-standards-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server