Prove your code before you hand it over.
Your client, your buyer, your next customer can't read the code — they take your word for it. Watchdog is the independent surveyor for C#/.NET: one reproducible 0–100 Codebase Assurance Index, issued as a signed report you can share. A measurement, not an opinion.
Point us at your repo — nothing to install, no CI step, no SDK, no lock-in. Sign in with GitHub · no card · C#/.NET · the first full report on any repo is €0 — depth is never gated.
A sample evidence artifact — dated, signed, verifiable. Not editable by the party who shares it.
What Watchdog is — and isn't.
What it is not
- Not a CI scanner or linterNever scores a line or blocks a merge.
- Not a SAST / dataflow engineReads their signal; doesn't out-depth one.
- Not a coding agentNever edits, commits, pushes or opens a PR.
- Not a certifierRecords the evidence; a named human signs.
What it is
- An independent surveyorOne altitude above your scanners.
- One reproducible CAISigned, commit-pinned — re-runs to the same number.
- A read-only oracleServes every finding to your agent over MCP.
- A whole-system surveyArchitecture, maturity, compliance & risk in one report.
Graded by the open CAI standard — across ten lenses.
Five are always on; five light up with your architecture. Every finding is located to file:line, every lens trended scan over scan — and the standard is open: each lens links to its dimensions on cai.canine.dev.
Code health
Complexity, duplication, code shape and naming — how maintainable the code itself is.
Dimensions →Architecture
Module boundaries, coupling, cohesion and dependency direction — whether structure holds up as the repo grows.
Dimensions →Maturity
Docs, ADRs, comments and process signals — how well the project explains and governs itself.
Dimensions →Readiness
Tests, CI gates, observability, resilience and rollback — readiness to run in production.
Dimensions →Security & Compliance
Secrets, dependency CVEs, SAST and licence/PII posture — the deep-scan security lens.
Dimensions →Domain Modelling
DDD tactical health — aggregates, value objects and the invariants your business rules depend on.
Dimensions →Event-Driven
Messaging and integration discipline — outbox, async handlers and contract coupling.
Dimensions →Event Sourcing
Event-store correctness — immutable events, deterministic folds and PII-in-events.
Dimensions →Accessibility
Text alternatives, labels, keyboard semantics, ARIA and a11y enforcement.
Dimensions →Performance
Benchmarks, allocation-aware APIs and async hygiene.
Dimensions →The full vocabulary — every dimension, its evaluator and rubric version — lives on the open standard. Browse the catalog →
The CAI plus the deductions — what's wrong, what it means, what to do.
A survey isn't a dashboard you log into. It's the number and the reading — handed over as artifacts a deal can stand on.
A reproducible report
The CAI and every finding in a content-addressed PDF + JSON, pinned to a commit and a frozen rubric hash — re-runnable by either side.
Evidence you can share
Every scan is an Ed25519-signed, tamper-evident CAI package. Share it with a client or buyer — they get a free copy they can verify, and it can't be edited by whoever shares it.
How sharing works →An agent-ready fix list, over MCP
Every finding is a briefed task — the rule that fired, the file and line, the score-impact — served to your coding agent over Watchdog's Model Context Protocol server, ranked by impact ÷ effort. The next survey proves the number moved.
Agents & MCP →A standing inspection
Weekly full surveys plus a daily security watch, on a calendar — your code rots even when nobody commits; the quiet months are watched, not skipped.
For teams →A changelog every survey
What moved since last time — CAI & per-lens deltas, findings resolved vs raised, features & fixes landed, added and removed API endpoints. A sprint-ready record, derived facts only.
Living documentation
A C4 architecture map, a CycloneDX SBOM + licence inventory, and ADR-conformance — derived from the code on every survey, current by construction.
Commissioned by one side. Trusted by both — because the method is open.
A survey is only worth something because the surveyor is independent and paid the same either way, *and* because you can check the work.
Structurally neutral
The same versioned rubric scores you whoever pays; pin it frozen for a contract. Watchdog builds nobody's software, never touches yours — and there are no success fees. We're paid to measure, never to make the number go up.
Open verdict, calibrated instrument
The CAI *verdict* is an open, reproducible standard — algorithm, lenses and rubric public, reference scorer open source. The *evidence engine* that feeds it is ours: calibrated against a real .NET corpus to fire truly and rarely falsely.
What we measure →Verify any number yourself
We publish the evidence behind a score. Take a survey, run the open scorer over its evidence, and you get the same number — or you've found a discrepancy.
Reproduce a survey →Start where you stand. I'm a…
Pick the hat you're wearing — each page frames the survey for your situation.
Freelancer or solo dev
Prove my code to a client who can't read it — an independent score for the proposal and the hand-over. Single seat.
For freelancers →Engineering team
Catch the drift between sprints — a scheduled audit I can trend before it compounds. Never a PR gate.
For teams →Provider or consultancy
Prove my quality and win the bid — an independent number no slide deck can match.
For consultancies →Role hubs: Builders · Leads. Buying or appraising software, not building it? That's Assay's job → assay.canine.dev
Real reports, fully open — not a logo wall.
Every card below is a real repository whose owner chose to publish — the entire survey is open to read: every lens, every finding, and the exact rule each number was scored by. No cherry-picked mock-ups.
Every number above is from a real, opted-in published survey — and the first → best arc is the anti-slop ratchet at work. Browse the public record →
Your code never leaves your control.
EU data residency
Processed only on hardware we own in Denmark — no cloud provider in the path.
No third-party AI
The language model is self-hosted; your code is never sent to OpenAI, Anthropic or Google.
Source never persisted
Each scan clones, analyses, then deletes the working copy — and we never train on your code.
Read-only by doctrine
We measure and advise; we never commit, push, or edit your code.
Read-only by doctrine. Honest about what a tool can claim.
Compliance evidence with a gate you can't quietly pass.
A catalog of ten frameworks (WCAG 2.2, NIS2, DORA, SSDF, SLSA, OWASP ASVS and more). We measure the automatable slice and gate it: a control we caught failing can't be silently passed — overriding it is recorded, in full, in the artifact. You declare the rest, and a named person signs. We measure; you declare; we never certify.
Run the whole survey inside your own network.
Watchdog deploys self-hosted: your code never leaves your perimeter, the language model runs on your hardware, and the SOC 2 / data-residency question goes away. EU data residency, no third-party AI, source never persisted — on infrastructure you control.
Put a number on your code. The first full report on any repo is €0.
Depth is never gated — every survey computes the full CAI, all dimensions, all lenses.
Sign in with GitHub · no card · C#/.NET native.