Composite / Code
Composite Intelligence for software development

Composite Code — production code, on tap.

One SDK call. Production-ready code with built-in security review, type safety, and a verifiable compliance trace. Generate, review, refactor, debug — five methods, one API key.

generate.ts
import Composite from '@compositellm/sdk'

const composite = new Composite({
  apiKey: process.env.COMPOSITE_API_KEY,
})

const { code, complianceTrace } =
  await composite.code.generate({
    task: 'Build a REST API with auth',
    language: 'typescript',
    compliance: ['owasp-top-10', 'soc2'],
  })

console.log(complianceTrace.rulesEnforced)
// ['no-eval', 'parameterized-queries',
//  'secrets-redacted', 'auth-required']

Capabilities

One SDK. Five outcomes.

| Capability | You call | You ship |
|---|---|---|
| Generate | composite.code.generate({ task, language }) | Production code, linted, type-checked, security-reviewed. |
| Review | composite.code.review({ diff, rules }) | Inline PR comments, severity-graded, with fix suggestions. |
| Refactor | composite.code.refactor({ file, goal }) | Refactored code + diff explanation. |
| Debug | composite.code.debug({ error, context }) | Root cause + minimal patch. |
| Migrate | composite.code.migrate({ from, to, project }) | End-to-end migration plan + patches. |

Compliance

Built-in compliance for software development.

Composite Code applies compliance frames during generation — not after. Every output ships with a verifiable trace of which rules were applied and which were enforced.

OWASP Top 10
Every output checked for injection, broken auth, insecure deserialization, and the rest.
Secret scanning
No API keys, tokens, or credentials in generated output. Ever.
License compatibility
Generated code's license posture matches your project's — MIT stays MIT-clean, GPL stays GPL-safe.
Custom policies
Pass your policy.yaml to enforce internal rules — coding standards, framework choices, package allow-lists.

complianceTrace.json
{
  "requestId": "req_8c2a1f",
  "capability": "generate",
  "vertical": "code",
  "rulesRequested": ["owasp-top-10", "soc2"],
  "rulesEnforced": [
    "no-eval",
    "parameterized-queries",
    "secrets-redacted",
    "auth-required",
    "rate-limit-applied"
  ],
  "checks": {
    "lint": "pass",
    "typecheck": "pass",
    "securityReview": "pass"
  },
  "latencyMs": 1840
}
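
A CI-side gate over a trace of the shape shown above, as an added example that is not Composite's own code. The function name gateTrace and the caller-supplied requiredRules list are assumptions; the gate fails closed on missing or malformed fields.

```typescript
// Added example, not SDK code: gateTrace and requiredRules are assumed names.
type GateResult = { ok: boolean; failures: string[] }

// Check names taken from the "checks" object in the sample trace.
const REQUIRED_CHECKS = ['lint', 'typecheck', 'securityReview']

function isStringArray(v: unknown): v is string[] {
  return Array.isArray(v) && v.every((x) => typeof x === 'string')
}

function gateTrace(raw: string, requiredRules: string[]): GateResult {
  let trace: any
  try {
    trace = JSON.parse(raw)
  } catch {
    return { ok: false, failures: ['trace is not valid JSON'] }
  }
  if (trace === null || typeof trace !== 'object' || Array.isArray(trace)) {
    return { ok: false, failures: ['trace is not a JSON object'] }
  }
  const failures: string[] = []
  // Fail closed: a missing or malformed field is a failure, never a silent pass.
  if (typeof trace.requestId !== 'string' || trace.requestId === '') {
    failures.push('requestId missing')
  }
  if (isStringArray(trace.rulesEnforced)) {
    const enforced = new Set<string>(trace.rulesEnforced)
    for (const rule of requiredRules) {
      if (!enforced.has(rule)) failures.push(`required rule not enforced: ${rule}`)
    }
  } else {
    failures.push('rulesEnforced missing or malformed')
  }
  const checks = trace.checks !== null && typeof trace.checks === 'object' ? trace.checks : {}
  for (const name of REQUIRED_CHECKS) {
    // Assumption: only the literal "pass" counts; the page shows no other value.
    if (checks[name] !== 'pass') failures.push(`check not passed: ${name}`)
  }
  return { ok: failures.length === 0, failures }
}

// Constructed input: the fields of the trace shown above that the gate reads.
const SAMPLE_TRACE = JSON.stringify({
  requestId: 'req_8c2a1f',
  rulesEnforced: ['no-eval', 'parameterized-queries', 'secrets-redacted', 'auth-required', 'rate-limit-applied'],
  checks: { lint: 'pass', typecheck: 'pass', securityReview: 'pass' },
})
console.log(gateTrace(SAMPLE_TRACE, ['parameterized-queries', 'auth-required']))
```

The required rule list lives in the pipeline's own configuration, so a trace that omits a rule is rejected instead of being taken at its word.
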
Audit & observability

Every output, auditable.

  • Compliance trace on every call — verifiable record of what was applied.
  • Full request log exportable to S3, GCS, or R2.
  • SOC 2 Type II in audit. Target: Q3 2026.
  • Region pinning available on Enterprise.

Integrations

Drop into your workflow.

  • CI: GitHub Actions. Block PRs that fail compliance.
  • CI: GitLab CI. Same checks, GitLab-native.
  • IDE: VS Code · JetBrains. In-editor generation & review.
  • CLI: composite-code CLI. Scriptable, CI-friendly.

Start with 100k tokens free.
