scarlet sovereign systems products · crimson analyst
Sovereign code forensics

Read your code the way it actually works.

One 12 MB static binary that does what semgrep, CodeScene and Sonar need three separate tools and a running JVM server for. It maps your codebase, grades its health, and signs the report — no install ceremony, no account, nothing leaves your machine.

  • One file, not a stack. A single 12 MB static binary. No server, no JVM, no daemon
  • 30+ analysis modes. Tree-sitter structure, complexity, coupling, churn, audits — or one full-exam pass
  • Signed grading. Every report ends in a SHA-256 certificate you can stand behind
  • Reads models too. A forensic tier that drills into ML weights — work nobody else ships
[Figure: Crimson Analyst, source tree into a certified grade. A fan of code paths on the left (Rust, C, C++, Python, JS, Go, CUDA) converges through a single analysis core (tree-sitter AST → topology · complexity · coupling · churn · audits) into a SHA-256-signed health grade on the right.]
source in, certified grade out — one binary, no server, ~2s on 23k lines

Get your codebase's health grade free — one letter, your top 3 risks, in seconds. Then buy the full suite once for $99 one-time: 30+ deep analysis modes, the SHA-256-certified report, and model-weight forensics (GGUF layout, quant fidelity, stability proofs) nobody else ships. Local, owned, no subscription, no telemetry.

What it actually is

Crimson Analyst parses your real source — not regex guesses — using Tree-sitter, the same parser tech that powers modern editors. It understands Rust, C, C++, Python, JavaScript, Go and CUDA, builds the true structure of your code, and runs the measurements that tell you where the risk lives:

  • Structure & topology — how the pieces actually connect, which modules touch everything (the high-blast-radius surface)
  • Complexity — cyclomatic and cognitive complexity per function, with the hotspots ranked
  • Coupling & churn-risk — the code that's both tangled and changes constantly: where the next bug is most likely to land
  • Dead code — unreachable and unused surface you can safely delete
  • Audits — every unsafe block, error-handling gaps, and the transitively-risky dependencies
  • Health grade — all of it rolled into one composite letter grade you can put in a PR or hand to a client

Thirty-plus modes, each doing one thing well. Run one, or run them all into a single full-exam pass. Output is structured JSON for tooling and plain markdown for humans — no proprietary format, no lock-in.

A report you can actually trust

Every composite report ends with a grade and a SHA-256 certificate over its own contents. That means a health report can't be quietly edited after the fact — the hash won't match. Show a client an "A−" and they can verify it's the report your tool produced, byte for byte. Code-quality scoring you can sign and stand behind.
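The check a recipient would run on such a report, as an added example that is not Crimson Analyst's own code. The footer layout (a final `sha256:<hex>` line covering every byte before it) and the sample report are assumptions made for illustration. It also shows the case a hash inside the report cannot catch by itself: an edited report whose footer was recomputed only fails against a digest recorded separately when the report was issued.

```python
import hashlib
import hmac
from typing import Optional, Tuple

FOOTER_PREFIX = b"sha256:"  # assumed footer marker, not the product's documented format


def seal(body: bytes) -> bytes:
    """Append a footer line holding the SHA-256 of everything before it."""
    return body + FOOTER_PREFIX + hashlib.sha256(body).hexdigest().encode() + b"\n"


def split_report(report: bytes) -> Tuple[bytes, str]:
    """Return (body, embedded_digest); raise ValueError on a malformed footer."""
    stripped = report.rstrip(b"\n")
    body_end = stripped.rfind(b"\n") + 1          # 0 when the report is one line
    footer = stripped[body_end:]
    if not footer.startswith(FOOTER_PREFIX):
        raise ValueError("no sha256 footer")
    embedded = footer[len(FOOTER_PREFIX):].decode("ascii", "replace").lower()
    if len(embedded) != 64 or any(c not in "0123456789abcdef" for c in embedded):
        raise ValueError("footer is not a full SHA-256 hex digest")
    return report[:body_end], embedded


def verify(report: bytes, pinned: Optional[str] = None) -> str:
    """Classify a report against its own footer and, if given, a pinned digest."""
    body, embedded = split_report(report)
    actual = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(actual, embedded):
        return "mismatch"                          # body edited, footer left stale
    if pinned is None:
        return "self-consistent"                   # proves nothing about origin
    ok = hmac.compare_digest(actual, pinned.lower())
    return "matches-pinned" if ok else "pinned-mismatch"


# Constructed sample report and two edited variants.
BODY = b"# Health report (constructed sample)\ngrade: A-\n"
ORIGINAL = seal(BODY)
PINNED = hashlib.sha256(BODY).hexdigest()          # recorded separately at issue time
EDITED_STALE = ORIGINAL.replace(b"A-", b"A+")      # footer no longer matches
EDITED_RESEALED = seal(BODY.replace(b"A-", b"A+")) # footer recomputed after the edit

if __name__ == "__main__":
    for name, rep in [("original", ORIGINAL), ("stale", EDITED_STALE),
                      ("resealed", EDITED_RESEALED)]:
        print(name, verify(rep), verify(rep, PINNED))
```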

And it's fast: a full 23,000-line report runs in about two seconds at roughly 10 MB of RAM. No warm-up server, no background daemon, no waiting.

How it compares

semgrep, SonarQube and CodeScene are good tools. The honest difference is shape and ownership, not a leaderboard:

  • One file, not a stack. The usual setup is a few tools plus a running server (and a JVM for SonarQube). Crimson Analyst is a single 12 MB static binary — download it, run it, done.
  • Sovereign and local-first. Your code never leaves the machine. No upload, no account, no telemetry, no "sign in to continue." That matters for proprietary code and regulated work.
  • Signed grading. The SHA-256-certified health report is something the others don't ship — a quality score you can verify wasn't tampered with.
  • It also reads models. No general code scanner drills into ML model weights. Crimson Analyst does, on the paid tier.

If you already run semgrep for security rules, keep it — they sit happily side by side. This is for structure, health, and the forensic work the others simply don't do.

The forensic tier — what nobody else ships

The paid tier turns the same binary on machine-learning models themselves: GGUF and model-weight drill-down, quant-fidelity checks, stability proofs, and live training diagnostics. When your model is silently wrong and you've been chasing it for weeks, this is the tool.

A real case from our own lab: a BitNet inference engine had a Q5_K bit-plane bug hiding for months behind a lucky weight merge. Stock Qwen3.5-4B weights came out as garbage; from the outside everything looked fine. The forensic drill caught it in one session:

  • layer-0 in-projection dump showed qkv_mixed at L2 = 111 vs reference 207.84 → 82% delta on a single op
  • traced to a one-bit-mask error in the Q5_K dequantisation kernel (a <<1 where it needed <<2, dropping 4 of 8 bit-planes)
  • one-line-class fix, re-verified parity-clean: 207.69 vs 207.84 — delta down to 0.93%
  • fixed on both CPU and GPU dequant paths; the original merge still works, no regression
[Figure: Engine parity at layer 0, qkv_mixed L2 norm vs reference (lower delta = closer to truth). Before fix: measured 111, reference 207.84, 82.0% delta. After a one-line fix: measured 207.69, reference 207.84, 0.93% delta. CPU and GPU paths verified.]
forensic drill output before and after the Q5_K fix — same call, same engine, two states of correctness

Hours of work, not months. The full write-up is in the journal.

Try it free — get your grade

Run one command, get your codebase's health grade free — a letter and your top 3 risks. No telemetry, no upload, no sign-in:

crimson-analyst grade ./my-repo   # free: letter grade + your top 3 risks

Like what it sees? The full suite — 30+ deep modes, the certified report, and the model-weight forensics — comes with one license key.

Pricing

One tool, one binary. The health grade is free: a taste, so you can see if it's worth it. Everything else is paid; pick the tier that fits.

  • Free — health grade + your top 3 risks. The hook.
  • Individual — $99 one-time — the full suite: all 30+ analysis modes, the SHA-256-certified report, and the model-weight forensic tier (drill, quant fidelity, stability proofs, training diagnostics). One key, yours to keep.
  • Team / Enterprise — subscription — multi-seat keys, CI integration, priority updates. (Contact for pricing.)
  • Forensic consulting — done-for-you — we run the deep model audit on your weights and hand you the certified report. (Custom quote.)

Checkout via Polar; key by email. No telemetry, ever.

Who this is for

  • Engineers and teams who want one fast, local tool for structure, complexity and code-health — without standing up a server
  • Consultants and reviewers who need a health grade they can sign and hand to a client
  • ML engineers shipping inference engines — the forensic tier catches Q5_K-shaped silent failures before release
  • Researchers debugging quantisation corner-cases where a model "kind of works" except on one weight class
  • Anyone working on proprietary or regulated code that can't be uploaded to a cloud scanner

If you've spent two weeks chasing a bug that turned out to be a single-line error, Crimson Analyst is for you.

Source + contact

crimson-analyst · 12 MB static binary · 30+ modes · tree-sitter · SHA-256-certified reports · sovereign Rust