Deterministic guardrails

Your AI agent just broke production.
It didn't know.

mati blocks Claude Code and Codex from touching critical files until they've read the rules that protect them, and logs every decision your auditors will ask for.

Enforcement

Hard enforcement, not suggestions.

mati intercepts the read at the agent's hook. The agent can't touch the file until it has consulted the rule attached to it. No skip path.

01 Agent issues a Read on src/billing/charges.rs
02 mati denies: rule not yet read
03 Agent calls mem_get(path)
04 mati allows: context loaded
What it prevents

The failure mode is always the same.

Someone changed code they didn't understand, and the one fact that would have stopped them was in Slack, a stale doc, or nobody's head. mati puts that fact in the agent's way.

Scenario 01 / 04
Without mati

Contractor makes a 'minor performance fix' to a data pipeline. No one flags it as HIPAA-covered. Audit exposure 6 months later.

With mati

mati blocks the read. The agent consults the gotcha: 'Every read/write to patient_records must call audit_log::record_phi_access.' The audit trail logs the consultation.

For regulated teams

Built for teams handling PHI.

mati generates the audit trail your auditors will ask for. Every deny, consultation, and bypass it catches is logged and timestamped, ready to export.

On-prem · zero network calls · no telemetry
For auditors

What your auditor sees.

Every enforcement decision, cryptographically signed and tamper-evident. Your audit trail started the day you installed mati.

Local hash-chained logs and signed exports ship today; off-host, audit-grade evidence custody is in active development.

mati · enforcement audit
Enforcement Audit Report (Signed)
Project: acme-health / patient-api
Period: 2026-03-24 → 2026-04-24
Hash chain: valid (intact) · head → genesis. Every event cryptographically linked to the previous. Tamper-evident by design.
License: Enterprise · 12-seat
Events: 33 · Denials: 7 · Allowed: 9 · Bypasses: 0
Signed · fingerprint a27ea8528f81a45c · RSA-2048 · CMS/PKCS#7
Live output

The briefing your agent reads first.

~ mati explain src/billing/charges.rs
Purpose · Confidence · Staleness · Blast radius · Cluster
[critical] idempotency-key
[high]     zero-amount-validation
verifying record · sha a8e4f1c

~ mati diff main
[critical]  src/billing/charges.rs        2 gotchas
[critical]  src/data/patient_records.rs   2 gotchas
[high]      src/auth/session.rs           1 gotcha
[normal]    src/api/handlers.rs           documented
[normal]    src/config/database.rs        documented
? [unknown] src/utils/helpers.rs          no record
scanning diff · branch main
Language coverage

12 languages. Real codebases.

Every resolution rate is verified against a real-world open-source project, each one named in the table below. No toy fixtures, no synthetic benchmarks. Measured on mati v0.1.1.

Language      Resolution   Verified against   Edges
Rust          97%          ripgrep            342
Python        100%         httpx              124
TypeScript    97%          vitest             2,147
Go            98%          hcl                190
Java          95%          jsoup              740
C             100%         mimalloc           129
C++           95%          nlohmann/json      619
Ruby/Rails    structural   discourse          2,622
Haskell       meaningful   aeson              223
Scala         partial      zio-json           21
JavaScript    shared       vitest             n/a (shares the TypeScript benchmark)
Elixir        fixture      Mix                n/a

The 97% headline figure is the average across the 7 languages with a measured numeric rate; the remaining 5 are supported structurally and not yet fully benchmarked.

File-level intelligence

What your agent can't see on its own.

Blast radius (diagram): direct: 18 · transitive: 12 · tier: high

Co-change clusters (diagram): billing (5 files · cohesion 0.87)

Staleness propagation (diagram): from session.rs · +0.15 d1 · +0.05 d2
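How blast radius and staleness propagation fall out of the import graph, as an added example (not mati's code, and not its record format): dependents are found by walking the reverse import graph breadth-first, direct ones are depth 1, transitive ones are depth 2 and beyond, and a change adds a distance-decayed amount of staleness to each dependent. The import graph below is constructed, the tier thresholds are assumptions, and the decay weights (+0.15 at depth 1, +0.05 at depth 2) are copied from the figures shown above.

```python
"""Added example, not mati's code: blast radius (direct vs transitive dependents) and
depth-decayed staleness over a reverse import graph. The graph is constructed; the
tier thresholds and decay weights are assumptions (weights copied from the figures)."""

IMPORTS: dict[str, list[str]] = {  # constructed sample: file -> files it imports
    "src/api/handlers.rs": ["src/auth/session.rs", "src/billing/charges.rs"],
    "src/billing/charges.rs": ["src/data/patient_records.rs", "src/config/database.rs"],
    "src/billing/refunds.rs": ["src/billing/charges.rs"],
    "src/auth/session.rs": ["src/config/database.rs"],
    "src/data/patient_records.rs": ["src/config/database.rs"],
    "src/config/database.rs": [],
    "src/utils/helpers.rs": [],
}

TIERS = [(20, "critical"), (8, "high"), (3, "normal")]  # assumed thresholds on total dependents
DECAY = {1: 0.15, 2: 0.05}  # assumed: staleness added at distance 1 and 2, nothing beyond


def reverse_graph(imports):
    """dependents[f] = files that import f: what can break when f changes."""
    dependents = {f: set() for f in imports}
    for src, targets in imports.items():
        for t in targets:
            dependents.setdefault(t, set()).add(src)
    return dependents


def dependents_by_depth(dependents, root):
    """BFS over reverse edges from root -> {depth: files}. Each file is visited once,
    so cyclic imports terminate and a file reachable two ways is not double-counted."""
    seen = {root}
    frontier = [root]
    levels = {}
    depth = 0
    while frontier:
        depth += 1
        nxt = set()
        for f in frontier:
            for d in dependents.get(f, ()):
                if d not in seen:
                    seen.add(d)
                    nxt.add(d)
        if nxt:
            levels[depth] = nxt
        frontier = sorted(nxt)
    return levels


def blast_radius(imports, path):
    """direct = depth-1 dependents, transitive = everything deeper, tier from the total."""
    levels = dependents_by_depth(reverse_graph(imports), path)
    direct = len(levels.get(1, ()))
    transitive = sum(len(files) for depth, files in levels.items() if depth > 1)
    tier = next((name for floor, name in TIERS if direct + transitive >= floor), "low")
    return {"direct": direct, "transitive": transitive, "tier": tier}


def propagate_staleness(imports, changed, base=None):
    """Bump each dependent's staleness by the distance-decayed amount, capped at 1.0."""
    scores = {f: float((base or {}).get(f, 0.0)) for f in imports}
    for depth, files in dependents_by_depth(reverse_graph(imports), changed).items():
        bump = DECAY.get(depth, 0.0)
        for f in files:
            scores[f] = min(1.0, scores[f] + bump)
    return scores


if __name__ == "__main__":
    print(blast_radius(IMPORTS, "src/config/database.rs"))
    print(propagate_staleness(IMPORTS, "src/auth/session.rs"))
```

The reverse graph is the important step: the forward import list says what a file needs, but the hook cares about who needs the file, and that is what the tier and the staleness bump are computed from.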
How it compares

Not a memory tool. Not a linter.

mati answers a different question: has this actor proven they understand what's dangerous about this file, and can we prove it to an auditor?

Capabilities compared (mati · AI memory · linters · ADRs):
  • Block reads until knowledge consulted
  • Tamper-evident audit trail
  • On-prem, zero network calls
  • Per-file gotchas with confidence scoring
  • Works without any LLM calls

The problem mati was built to solve: your AI agent just refactored a payment flow and removed the fraud check. With mati, that's blocked by default. The agent can't read the file until it proves it knows about the fraud check.
Enterprise

Free for developers. Paid for compliance teams.

Cloud compliance tools automate paperwork. mati enforces the rules at the code level, before the code ships.

Open source
Free
MIT licensed · No telemetry
  • 01 Full enforcement engine
  • 02 12-language import resolution
  • 03 Blast radius & co-change clusters
  • 04 Enforcement event recording
  • 05 365-day event retention
  • 06 Claude Code & Codex support
View on GitHub
Enterprise · Signed audit export · On-prem
For compliance teams at regulated companies
  • 01 Signed audit PDF export
  • 02 Cryptographic chain of custody
  • 03 License-verified enforcement reports
  • 04 Extended retention controls (in development)
  • 05 Direct support from the founder

Signed, hash-chained audit export. Every agent decision, tamper-evident.

Priced per engineering team, not per seat.
Get a demo
Get started

Running in your repo in 15 minutes.

~ install
# Homebrew (macOS + Linux)
$ brew install ioni-dev/tap/mati

# Cargo (builds from source)
$ cargo install mati

# Cargo (prebuilt binary, no compile)
$ cargo binstall mati
~ quickstart
# Scan your repo (zero AI calls, <1s)
$ mati init --claude

# See what mati knows about a file
$ mati explain src/billing/charges.rs

# Add a gotcha
$ mati gotcha add src/billing/charges.rs \
    -r "Never remove the idempotency_key"
FAQ

Questions, answered.

The short version of how mati works, what it touches, and why it's different.

What is mati?

mati gives you deterministic guardrails for AI coding agents. It blocks Claude Code and Codex from reading or editing critical files until they've consulted the per-file constraints ("gotchas") that protect them, and records every enforcement decision in a tamper-evident local audit trail. mati runs on-prem with zero network calls and works without any LLM calls.

How does mati stop AI agents from breaking production code?

mati intercepts file reads at the hook level and denies access until the agent consults the verified knowledge record for that file. For example, before editing a payments file the agent must acknowledge a constraint such as keeping an idempotency check that was added after a fraud incident, so it cannot silently remove safeguards.

Does mati make LLM calls or send code to the cloud?

No. mati works without any LLM calls and makes zero network calls. It runs entirely on-prem, which is what makes it suitable for regulated environments handling sensitive or compliance-covered code such as HIPAA data.

What programming languages does mati support?

mati supports 12 languages: Rust, Python, TypeScript, Go, Java, C, C++, Ruby/Rails, Haskell, Scala, JavaScript, and Elixir. Seven of them (Rust, Python, TypeScript, Go, Java, C, C++) have a measured import-resolution rate of 95–100%; the other five are supported structurally and not yet fully benchmarked.

How is mati different from agent memory, linters, or ADRs?

Unlike agent memory, linters, or ADRs, mati hard-blocks file reads until the required knowledge is consulted, produces a compliance audit trail, and scores per-file gotchas by confidence, all on-prem with zero network calls. Memory and ADRs are passive; mati is enforcement.

Does mati provide a compliance audit trail?

Yes. Every time an agent consults a gotcha before editing a file, mati logs the consultation. Compliance teams get a verifiable audit trail showing exactly what the agent knew before it made each change.

Is mati open source, and what does it cost?

mati is open source under the MIT license, and the full product is free for individual developers: the enforcement engine, the 12-language scan, and the local audit log are all included from the first run. Paid plans add team features like signed audit export and governance.

Which AI coding agents does mati work with?

mati enforces at the hook level with Claude Code and Codex (mati hooks --claude or --codex), so it intercepts file operations before the agent acts. It also exposes its knowledge to any MCP client via mati serve (MCP over stdio).

What is a "gotcha"?

A gotcha is a confirmed, structured rule attached to a specific file: what an agent must do or avoid there, like "never remove the idempotency key." When an agent touches a file that has a confirmed gotcha, mati's hook surfaces it and can block the operation until it has been consulted.

How does mati learn my codebase?

On mati init, it runs a Layer 0 scan with zero LLM calls: tree-sitter parsing across 12 languages, import-graph construction, and co-change clustering from your git history. You confirm the gotchas that matter, and those activate hook enforcement.

What does mati record, and where does it live?

Every enforcement decision is written to a local, hash-chained, append-only log: deny decisions, allow-after-consultation decisions, and consultation receipts. The log stays on your machine and is yours; Enterprise adds a signed export for handing to auditors.
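The two mechanisms this page leans on, the deny-until-consulted decision from the Enforcement section and the hash-chained, append-only log described here, in one added example. This is illustrative code, not mati's implementation: the event field names, the `mem_get` signature, SHA-256 over canonical JSON as the chaining function, and the rule that a file with no confirmed gotcha is allowed through are all assumptions; mati's actual record format is not documented on this page.

```python
"""Added example, not mati's code: a deny-until-consulted hook decision writing to a
hash-chained, append-only audit log, plus the chain integrity check an auditor would run.
Field names, the mem_get signature and SHA-256-over-canonical-JSON are assumptions."""
from __future__ import annotations

import hashlib
import json
import time
from dataclasses import dataclass, field

GENESIS = "0" * 64  # the hash the first entry links back to


def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys) so the same event always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditLog:
    entries: list[dict] = field(default_factory=list)

    def append(self, event: dict) -> dict:
        """Append-only: each entry commits to the previous entry's hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, "ts": time.time(), **event}
        entry = {**body, "hash": _digest(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int | None]:
        """Re-walk the chain from genesis; returns (intact, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("seq") != i or body.get("prev") != prev:
                return False, i  # an entry was removed, reordered or re-linked
            if _digest(body) != entry["hash"]:
                return False, i  # an entry's contents were edited in place
            prev = entry["hash"]
        return True, None


@dataclass
class Hook:
    gotchas: dict[str, list[str]]  # path -> confirmed gotcha ids (assumed shape)
    log: AuditLog
    consulted: set[tuple[str, str]] = field(default_factory=set)  # (actor, gotcha id)

    def mem_get(self, actor: str, path: str) -> list[str]:
        """The consultation call: records a receipt for every gotcha on the file."""
        ids = self.gotchas.get(path, [])
        self.consulted.update((actor, g) for g in ids)
        self.log.append({"type": "consult", "actor": actor, "path": path, "gotchas": ids})
        return ids

    def on_read(self, actor: str, path: str) -> str:
        """Hook decision: deny until every gotcha on the file has a receipt for this actor.
        A file with no confirmed gotcha has nothing to consult and is allowed (assumed)."""
        missing = [g for g in self.gotchas.get(path, []) if (actor, g) not in self.consulted]
        decision = "deny" if missing else "allow"
        self.log.append({"type": decision, "actor": actor, "path": path, "missing": missing})
        return decision


def demo() -> dict:
    """Runs the four-step flow from the Enforcement section, then tampers with the log."""
    log = AuditLog()
    hook = Hook({"src/billing/charges.rs": ["idempotency-key", "zero-amount-validation"]}, log)
    first = hook.on_read("agent", "src/billing/charges.rs")   # deny: rule not yet read
    hook.mem_get("agent", "src/billing/charges.rs")           # agent consults the gotchas
    second = hook.on_read("agent", "src/billing/charges.rs")  # allow: context loaded
    unknown = hook.on_read("agent", "src/utils/helpers.rs")   # no record: allow
    intact, _ = log.verify()
    log.entries[0]["type"] = "allow"  # rewrite history: turn the deny into an allow
    still_intact, bad_index = log.verify()
    return {"first": first, "second": second, "unknown": unknown,
            "intact": intact, "after_tamper": still_intact, "bad_index": bad_index}


if __name__ == "__main__":
    print(demo())
```

The check is deliberately dumb: it does not trust any summary counter, it recomputes every hash from genesis and fails on the first entry whose link or contents no longer match, which is the property the "head → genesis · valid (intact)" line in the report is asserting. A signed export (the Enterprise feature above) adds a signature over the head hash so that an auditor can also detect a wholesale replacement of the chain, which a bare hash chain cannot.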