Cerberus is a defensive code-quality and security firewall — it does not orchestrate agents (which is what LangGraph or CrewAI do), but rather validates, secures, and protects the code that humans and AI agents generate.
It acts as an automated, zero-trust gatekeeper that audits every single change before it is committed. Think of it as a relentless reviewer that:
- ✅ Validates that code works — catching silent runtime failures and dead code.
- ✅ Guarantees documentation and clarity — enforcing strict explanations for every change.
- ✅ Prevents bad coding habits — blocking patterns that lead to technical debt.
- ✅ Keeps projects synchronized — automatically propagating protocol updates across all satellite projects.
- ✅ Monitors tokenomics — tracking AI usage and execution costs locally.
Every time a change is saved or committed, Cerberus runs 15 distinct verification domains (D1 to D15), ensuring absolute compliance before the code can be staged or pushed.

| Domain | What it audits |
|---|---|
| D1: Integrity | Ensures no "ghost" or undeclared files are present in the workspace. |
| D2: Completeness | Blocks empty placeholders, unresolved TODOs, and incomplete logic. |
| D3: Dead Code | Enforces clean codebases by detecting unused imports and dead definitions. |
| D4: Anti-Spaghetti | Controls cognitive complexity and deep nesting levels (max depth 4). |
| D5: Angry Path | Audits try-except blocks to ensure exceptions are correctly logged and propagated. |
| D6: Anti-Slop | Blocks AI hallucinations, formatting slop, and low-quality code structures. |
| D7: Data Security | Checks for hardcoded credentials, secrets, and dangerous system operations. |
| D8: Adversarial Coverage | Ensures active logic has corresponding unit/integration tests. |
| D9: Test Purity | Blocks fake tests, mocks that bypass checks, and asserts logic purity. |
| D10: Tokenomics | Metering and monitoring of token usage and developer costs. |
| D11: Dependency Security | Validates packages against supply-chain exploits and vulnerability catalogs. |
| D12: Drift Protection | Assures satellite repositories stay in strict lockstep with the core rules. |
| D13: Validation Debt | Tracks audit debt, remediation status, and post-mortem follow-up. |
| D14: Discourse Rigor | Audits agent prose for clarity, evidence, ambiguity, and chain-of-thought rigor. |
| D15: Agent Security | Mitigates agent hijackings and locks security boundaries. |
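
To make the D4 and D5 rows concrete, here is an added example (not Cerberus's own code) of an AST check that flags nesting deeper than 4 and except handlers that do not both log and re-raise. The names `audit` and `missing_in_handler`, the set of logger method names, and the reading of D5 as requiring both a log call and a re-raise are assumptions.

```python
import ast

MAX_DEPTH = 4  # nesting limit quoted in the D4 row
NESTING = (ast.If, ast.For, ast.While, ast.With, ast.Try)
SCOPES = (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)
LOG_METHODS = {"debug", "info", "warning", "error", "exception", "critical"}  # assumed

def missing_in_handler(handler):
    """List what an except handler lacks: a logging-style call, a re-raise."""
    nodes = list(ast.walk(handler))
    logged = any(isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
                 and n.func.attr in LOG_METHODS for n in nodes)
    raised = any(isinstance(n, ast.Raise) for n in nodes)
    return [what for what, ok in (("log call", logged), ("re-raise", raised)) if not ok]

def audit(source):
    """Return sorted (line, rule, detail) findings for one Python source string."""
    findings = []
    def visit(node, depth):
        if isinstance(node, SCOPES):
            depth = 0  # each function body starts a fresh nesting count
        if isinstance(node, NESTING):
            depth += 1
            if depth == MAX_DEPTH + 1:  # report once, where the limit is first crossed
                findings.append((node.lineno, "D4", f"nesting depth {depth} > {MAX_DEPTH}"))
        if isinstance(node, ast.ExceptHandler):
            missing = missing_in_handler(node)
            if missing:
                findings.append((node.lineno, "D5", "handler lacks " + " and ".join(missing)))
        for child in ast.iter_child_nodes(node):
            # an elif is an If stored in orelse; keep it at its parent's level
            is_elif = (isinstance(node, ast.If) and isinstance(child, ast.If)
                       and node.orelse == [child])
            visit(child, depth - 1 if is_elif else depth)
    visit(ast.parse(source), 0)
    return sorted(findings)

# Constructed sample: a five-level nest and a silently swallowed exception.
SAMPLE = '''\
def scan(rows):
    try:
        for row in rows:
            if row:
                for cell in row:
                    if cell:
                        print(cell)
    except TypeError:
        pass
'''
```

Calling `audit(SAMPLE)` returns one D4 finding for the innermost `if` and one D5 finding for the `except TypeError` handler.
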

| System | Role | Integration with Cerberus |
|---|---|---|
| LangGraph | Orchestrates agent flows. | Cerberus validates the source code that LangGraph outputs. |
| CrewAI | Coordinates agent teams. | Cerberus audits the decisions and files created by the team. |
| MCP | Protocol standard for tools. | Cerberus protects MCP connections against silent failures and drift. |
| Your Workspace | The active repository you edit. | Cerberus hooks automatically run on every save/commit. |

Cerberus does not compete with orchestration systems; it protects them. While they build and automate, Cerberus is the immune system preventing failures from ever reaching production.

```
python scripts/Full_dimensions_audit.py .
```

This runs the full suite of verifications and outputs:
- ✅ APPROVED — everything complies, you are safe to commit.
- ❌ REJECTED — violations detected; shows exactly what and where to fix.

```
python scripts/protocol_cli propagate --apply
```

Ensures all active satellite projects adopt the same versioned standards as the core.

```
python scripts/protocol_cli check --incremental --preset core
```

Audits only the staged files and runs only the tests affected by local changes in under 3 seconds.

- Version: v0.6.
- Audit Verdict: APPROVED.
- Fast lane: `scripts/run_compliance_tests.py --preset fast` is validated end-to-end and skips the heavy 12D and permission-audit steps.
- Current satellite state: read-only `.protocol-core/` rollout is complete; `.protocol-inbox/` is initialized; satellite naming template/guard are published.
- Current remaining debt: Z2/D3 vendoring purge is still active, with Quenza and RED-Python pending.
- Cleanup: `deprecated/` has been purged of 460 obsolete files, retaining only the minimal cleanup metadata.
- PLAN.md — Completed and upcoming sprints.
- STATUS.md — Living roadmap, latest changes, and next session details.
- AUDIT_TRAIL.md — Append-only chronological session retrospective.
- VibeCoding_GoldenStandard — Canonical rules catalog (independent repository).
- Clone this repository and navigate to the root directory.
- Install requirements: `pip install -r requirements.txt`
- Execute the initial audit: `python scripts/Full_dimensions_audit.py .`
- Git Hooks: Once installed, pre-commit and pre-push hooks will validate your work automatically.

Does Cerberus block my workflow?
No. It only blocks code that is guaranteed to cause failures later (incomplete logic, raw swallowed exceptions, unverified imports). It is an immune system, not a bottleneck.

Can I bypass a validation?
Exceptions can be documented as justified exemptions in `docs/rules.md`, subject to 12D review.

- Last Update: June 2026
- Maintainer: Luis Casarin
- Repository: lcasarin-maker/Coder_Cerberus