controlkeel
Health Warn
- No license — Repository has no license file
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 7 GitHub stars
Code Warn
- process.env — Environment variable access in assets/js/app.js
- fs module — File system access in assets/vendor/heroicons.js
Permissions Pass
- Permissions — No dangerous permissions requested
This tool acts as a governance and control plane for AI coding agents. It sits between the AI and your production environment to validate code changes, enforce security policies, and track findings before deployment.
Security Assessment
The tool requests no explicitly dangerous permissions, which is a positive sign. However, there are notable security considerations. It accesses environment variables (found in `assets/js/app.js`) and uses file system modules (found in `assets/vendor/heroicons.js`), meaning it can read and potentially write local files and access system configurations. Additionally, because its primary function is policy enforcement and deployment tracking, it inherently requires network access to communicate with external host providers and repositories. There are no detected hardcoded secrets. Because it handles agent routing and deployment readiness while accessing the local file system and environment variables, the overall risk is rated as Medium.
Quality Assessment
The project is highly active, with its most recent push occurring today, and features automated CI/CD workflows with GitHub Actions. Despite this active development, the repository suffers from very low community visibility, having only 7 stars. More critically, the project lacks a license file. This means that, strictly speaking, all rights are reserved by the creator, and you do not have legal permission to use, modify, or distribute the code in a commercial or open-source capacity.
Verdict
Use with caution due to a complete lack of licensing and low community adoption, despite active development.
Control plane for governed AI coding: validate agent changes, enforce policy, track findings, and ship with proof.
ControlKeel
Agent output is cheap. Reviewability, security, release safety, and cost control are not.
ControlKeel is the cerebellum for agent-generated software delivery. ControlKeel sits between your coding agents and production, comparing intended delivery against actual delivery, catching governance drift before it ships and turning intent into governed tasks through validation and review gates.
It does not replace the coding model underneath. It governs the delivery layer around that model: routing, review, findings, proofs, policy, budgets, deployment readiness, and the governed context agents need to keep work grounded in the repo and session state.
CK also treats decomposition as a first-class governed surface. It does not just store tasks. It records how work is being split, where review gates sit, how context should be partitioned, and which parts of a session are effectively recursive, delegated, or release-gated.
Quick start
One-line setup via your agent
Copy/paste this into your agent (OpenCode, Claude, Codex, etc.):
Set up ControlKeel end-to-end for this repository with minimal user action: read and follow https://raw.githubusercontent.com/aryaminus/controlkeel/main/README.md, https://raw.githubusercontent.com/aryaminus/controlkeel/main/docs/getting-started.md, https://raw.githubusercontent.com/aryaminus/controlkeel/main/docs/direct-host-installs.md, https://raw.githubusercontent.com/aryaminus/controlkeel/main/docs/support-matrix.md, and https://raw.githubusercontent.com/aryaminus/controlkeel/main/docs/agent-integrations.md; detect this host’s capabilities, install ControlKeel if missing, run controlkeel setup in the repo, then attach the strongest active supported host path first (attach additional configured hosts only when they add real value for this workspace) with plugin and MCP plus skills/hooks/agents as available; run controlkeel attach doctor, controlkeel provider doctor, controlkeel status, controlkeel findings, and the host-specific MCP check, and if a fix is safe and local apply it then re-verify; if the host requires a trusted project/workspace, restart after attach/plugin changes, needs manual provider configuration, or a plan review cannot auto-wait to approved, pause and ask the user to take that step before continuing; redact proxy tokens/secrets from any shared logs; for Codex ensure the project is trusted and restart Codex after attach/plugin changes.
Install ControlKeel
# Homebrew (macOS and Linux x86_64)
brew tap aryaminus/controlkeel && brew install controlkeel
# npm bootstrap (macOS x86_64/arm64, Linux x86_64, Windows x86_64)
npm i -g @aryaminus/controlkeel
# or: pnpm add -g @aryaminus/controlkeel
# or: yarn global add @aryaminus/controlkeel
# one-off run
npx @aryaminus/controlkeel@latest
# release installers
curl -fsSL https://github.com/aryaminus/controlkeel/releases/latest/download/install.sh | sh
irm https://github.com/aryaminus/controlkeel/releases/latest/download/install.ps1 | iex
First governed run
# 1. Start ControlKeel
controlkeel
# 2. In the target repo, bootstrap and inspect the environment
controlkeel setup
# 3. Attach a supported host
controlkeel attach opencode
# 4. Inspect governance state
controlkeel status
controlkeel findings
# 5. Use guided CLI help whenever you need it
controlkeel help
controlkeel help codex
controlkeel help "how do i attach opencode"
For a full first-run walkthrough, see docs/getting-started.md.
Published surfaces
ControlKeel has one primary CLI and a smaller set of published companion packages. Everything else ships as release bundles or attach-time generated assets.
| Surface | Version | Install / use |
|---|---|---|
| ControlKeel CLI bootstrap | |
npm i -g @aryaminus/controlkeel |
| Skills.sh / AgentSkills install | Skills docs | npx skills add https://github.com/aryaminus/controlkeel --skill controlkeel-governance |
| OpenCode companion package |  |
Add "plugin": ["@aryaminus/controlkeel-opencode"] to opencode.json; MCP uses mcp.controlkeel local command-array config; attach installs .opencode/* plus .agents/skills compatibility skills |
| Pi companion package |  |
pi install npm:@aryaminus/controlkeel-pi-extension |
| Release bundles and VSIX |  |
Tagged releases include platform binaries, plugin tarballs, exported native bundles, and controlkeel-vscode-companion.vsix |
Release-only bundles currently cover the unpublished host artifacts such as Claude, Copilot, Codex, Augment, Gemini CLI, Amp, OpenClaw, and other exported native companions. Those surfaces follow the repository release version rather than separate package registries.
Supported hosts
ControlKeel supports hosts through a few real mechanisms:
- Native attach:
controlkeel attach <host>installs MCP config plus the strongest repo-native companion CK can truthfully ship. - Direct host install: some hosts also support a package, plugin, VSIX, or extension-link path.
- Hosted protocol access: remote clients can use hosted MCP and minimal A2A.
- Runtime export: headless systems such as Devin and Open SWE get runtime bundles instead of fake attach commands.
- Provider-only and fallback governance: unsupported generators can still be governed through bootstrap, findings, proofs, and validation flows.
Common attach targets today:
- Hook-native:
claude-code,copilot,windsurf,cline,kiro,augment - Plugin-native:
opencode,amp - File-plan-mode:
pi - Prompt or command-native:
continue,gemini-cli,goose,roo-code - Hook, skill, and MCP-native with headless/remote support:
letta-code - Browser or embed companion:
vscode - Review-only, command-driven, or local-plugin-capable:
codex-cli,aider
Use the docs below for the precise truth per host:
What ControlKeel exposes
Web app:
/startfor onboarding and execution brief creation/missions/:idfor mission control and approvals/findingsfor cross-session findings/proofsfor immutable proof bundles/skillsfor install/export compatibility and bundle inventory/shipfor deploy readiness and session metrics
CLI:
controlkeel attach <agent>
controlkeel status
controlkeel findings
controlkeel proofs
controlkeel update
controlkeel skills list
controlkeel plugin install codex
controlkeel run task <id>
controlkeel help
For Codex there are two different CK install paths:
controlkeel attach codex-cliinstalls the native.codex/companion files, skills, commands, agents, and local MCP wiring.controlkeel plugin install codexinstalls a local plugin bundle plus a local marketplace manifest for repo-local or home-local discovery.
That local marketplace path is not the same thing as being listed in OpenAI's curated Codex plugin catalog.
Full command coverage is available in the CLI itself through controlkeel help.
For MCP tool details, hosted protocol access, and the exact ck_context contract, use docs/agent-integrations.md and docs/support-matrix.md.
Docs
Start here:
Reference:
- docs/qa-validation-guide.md
- docs/support-matrix.md
- docs/agent-integrations.md
- docs/autonomy-and-findings.md
- docs/benchmarks.md
Architecture and release operations:
- docs/control-plane-architecture.md
- docs/host-surface-parity.md
- docs/integration-validation-checklist.md
- docs/release-verification.md
Development
mix setup
mix phx.server
mix test
mix precommit
Phoenix + Ecto on SQLite. Uses Req for HTTP. Single-binary builds ship through Burrito and GitHub Releases.
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found