Intent-addressable code for AI agents.
causari.dev Β·
ReleasesΒ·
MCPΒ·
Causari(Latin, deponent verb):to plead a cause, to argue why.Because every line of AI-generated code deserves to be defended, traced, and understood.
Causari records every action an AI agent takes on your codebase β not just the bytes that changed, but the prompt that asked, the model that answered, the files it read, and the reasoning behind the change.
And it does so without asking the agent's permission: the built-in
capture engine (re proxy
-
re watch -
re hook
) observes the LLM traffic and the filesystem independently, then joins them by content β the code that appears in your files is found inside the completion that produced it seconds earlier. Provenance becomes a fact, not a self-report.
You can then ask questions no version control system has ever answered:
re proxy # local LLM proxy: every prompt, token and dollar
re watch # passive recorder + causal join: file changes get
re hook claude-code # native capture via agent lifecycle hooks
re why src/auth.ts:42 # who/what produced this exact line?
re trace src/auth.ts:42 # full UPSTREAM causal cone: every event that
re impact <event-id> # full DOWNSTREAM cone: what flowed from this action,
re lens src/auth.ts # render a file with per-line provenance annotations
re find "the JWT refactor" # search every prompt, reasoning and message
re bisect --test "npm test" # find the agent action that broke the build
re churn # measure AI code survival: how much survived vs
re report --open # generate a shareable HTML dashboard of AI waste
re skill distill # turn verified events into signed, reusable skills
re skill export <id> # portable Ed25519 bundle for teammates
re skill pull <team-dir> # sync a shared folder (Dropbox, git, NFS β no server)
re skill trust add <label> # trust an org signing key; unknown signers rejected
re fork experiment-claude # branch into a parallel timeline
re revert <id> # undo an action with causal preview of what else
When an agent touches 30 files and something breaks, you don't need to read 4 000 lines of chat. You ask Causari why and when.
Every provenance tool before Causari had the same fatal dependency: it only worked if the agent volunteered its own history. Agents don't. Harnesses don't expose reasoning. Nobody reports costs.
Causari removes the dependency. Two independent observation streams, one causal join:
βββββββββββββββββββββββββββ βββββββββββββββββββββββββββ
β re proxy β β re watch β
β β β β
β sees every prompt, β β sees every byte that β
β completion, token and β β changes on disk β
β dollar (OpenAI- and β β (snapshots, diffs) β
β Anthropic-compatible) β β β
ββββββββββββββ¬βββββββββββββ ββββββββββββββ¬βββββββββββββ
β β
β CONTENT-BASED JOIN β
ββββββββββββββββββΊββββββββββββββββββ
the lines inserted in your files
are searched inside the completions
captured moments before β a match is
a causal fingerprint, with confidence
A real session, end to end:
$ re proxy
causari: LLM capture proxy listening on http://127.0.0.1:4242
β’ gpt-4o 42β18 tok $0.0003 "Add JWT refresh logic that rotates every 24h"
$ re watch # in another terminal
β’ 0d47599550 auth.py
β³ intent: "Add JWT refresh logic that rotates every 24h" gpt-4o (confidence 100%, 3/3 lines)
$ re why auth.py:2
auth.py:2
token = issue_token(user, scope="session")
introduced by 0d47599550
agent: cursor
model: gpt-4o
prompt: Add JWT refresh logic that rotates every 24h
Point any agent at the proxy and you're done:
OPENAI_BASE_URL=http://127.0.0.1:4242/openai/v1
ANTHROPIC_BASE_URL=http://127.0.0.1:4242/anthropic
Where the agent runtime exposes lifecycle hooks, capture is native and exact β no inference needed:
re hook claude-code # wires UserPromptSubmit + PostToolUse into
Everything stays on your machine: .causari/capture/
is a local, append-only ledger. No cloud, no telemetry, no API keys touched.
Causari is the first production issuer of Crovia Seals β the open, IETF-drafted receipt format for AI outputs (
draft-crovia-seal-01). One flag turns the proxy into a sealing gateway:
$ re proxy --seal
causari: Crovia Seal issuer active β pubkey 3fa9c2β¦
β’ gpt-4o 42β18 tok $0.0003 "Add JWT refresh logic" π cs_2026_Q7RM2KJ3VWXA5YBN4CDEFGH2I6
Every completion gets an Ed25519-signed, hash-chained, offline-verifiable
receipt in .causari/seal/seals.jsonl
. The seal commits to SHA-256 hashes of the exact request and response bytes β content never leaves your machine. Anyone holding your public key can verify the whole chain without a server, an account, or Causari itself:
$ re seal verify
β 128 seal(s) verified β every signature valid, chain contiguous from genesis
$ re seal issuer # print the pubkey to share with auditors
$ re seal list # browse issued receipts
The implementation is proven against the normative conformance vectors from croviatrust/crovia-seal (CSC-1 canonicalization, domain-separated payloads, fail-closed verification). When a regulator, a customer or a court asks "which model wrote this code, and can you prove it?" β the answer is one file and one public key.
Recording the past is half the job. The other half is making sure no agent ever pays for the same lesson twice.
re skill distill
walks the ledger and compresses every completed task β
the prompt that triggered it, the steps that were taken, the files that
changed β into a skill: a unit of experience an agent can recall
before acting. Each skill is signed with the repository's Ed25519 key
at the moment of distillation; edit one byte afterwards and
re skill verify
exposes it.
Trust is earned, never claimed:
β recorded distilled from the ledger β no success signal yet
β verified evidence attached: exit code 0, or the work is still
alive at the tip of the timeline (it survived)
β
proven verified AND recalled 3+ times by agents doing new work
bash
$ re skill distill
distill: 128 event(s) scanned, 7 new skill(s), 12 already distilled
β verified 2ce0c7bbda add retry with exponential backoff
$ re skill verify
ok 2ce0c7bbda add retry with exponential backoff
verify: 7 skill(s), every signature valid
The loop closes through MCP: when an agent calls causari_recall
, signed
skills are returned first, ranked by trust (proven Γ4, verified Γ2), and
every recall bumps the skill's use counter β which is exactly how a
verified skill earns the β
. Agents get measurably cheaper over time, and
re churn
shows you the savings in dollars.
One engineer's verified fix becomes every agent's instinct β without a central SaaS:
re skill export 2ce0c7bbda --output jwt-fix.json # portable bundle
re skill trust pubkey # share your Ed25519 key
re skill trust add platform <their-pubkey> # trust a teammate/org key
re skill import jwt-fix.json # verify signature + accept
re skill pull ~/Dropbox/causari-skills/ # sync a whole team folder
Skills signed by unknown keys are rejected, not imported. The mesh is cryptographic: Dropbox, git, NFS, S3 β any folder works. Causari verifies Ed25519 on every file; tampered bundles fail closed.
Like everything in Causari, skills are local files (.causari/skills/
), self-contained and portable. The signature means a skill can be shared and verified by anyone β across repos, teams, and orgs, with no central server.
Every repo can mint a signed proof of its AI provenance β how many agent actions, which agents and models, how much verified experience β bound to the exact ledger by a content digest and signed with the repo's Ed25519 key.
re proof generate # β causari-proof.json + causari-proof.svg badge
re proof verify # checks the signature offline β no server, no account
re proof verify --against-repo # β¦and confirms it still matches the live ledger
Anyone β a reviewer, an auditor, a stranger reading your PR β can run
re proof verify
and confirm the proof was not altered after signing. No Causari account, no network call, no trust in us. Tamper with a single number and verification fails closed.
Drop the badge in your README and every visitor sees it:
[](https://causari.dev/verify)
It is agent-agnostic by construction: the proof aggregates the ledger, so it
covers every agent Causari captured β Claude Code, Cursor, Cline, Windsurf, a
raw re proxy
β not just one runtime.
Free forever: generating and verifying proofs offline. Commercial (Trust
Plane): the hosted public verification page on causari.dev
, the org-wide proof registry, RFC 3161 timestamp anchoring, and audit-grade compliance exports.
Existing tools either track text (git), track sessions (IDE checkpoints), or track conversations (LangSmith, Helicone). None of them connect a line of code to the intent that produced it β and none of them can do it without the agent's cooperation. Causari does both:
| You ask⦠| Causari answers⦠|
|---|---|
re proxy + re watch |
|
| Zero-integration capture. Prompts, models, tokens and dollars joined to file changes by content correlation β no agent cooperation required. | |
re why src/auth.ts:42 |
|
| The prompt, model, agent, tool, and reasoning that wrote that line. | |
re trace src/auth.ts:42 |
|
| Upstream causal cone. Every prior event that contributed, transitively, through the files it read or wrote. The intellectual ancestry of a piece of code. | |
re impact <event> |
|
| Downstream causal cone. Every later event that depended, transitively, on what this one produced. The blast radius of an action. | |
re lens src/auth.ts |
|
| The file rendered with per-line provenance annotations: each line painted with the event id that introduced it. | |
re find "the JWT refactor" |
|
| Signed skills first, then every event β prompt, message, reasoning β ranked by trust and relevance. | |
re bisect --test "<cmd>" |
|
| The first agent action whose output fails your tests. | |
re churn |
|
| AI Waste Score. How much AI-written code survived vs was rewritten, per agent. With cost data: dollars spent on code that did not survive. | |
re report --open |
|
| A self-contained HTML dashboard you can paste into Slack, PRs, or board decks β zero external assets, zero cloud calls. | |
re skill distill |
|
| Signed experience. Verified past work compressed into Ed25519-signed skills, recalled by agents (trust-ranked) before they act β the same mistake is never paid twice. | |
re skill export / pull |
|
| Team skill mesh. Portable bundles + trusted org keys; sync any shared folder. Unknown signers and tampered files rejected. | |
re proof generate / verify |
|
| Trustless AI-provenance certificate. A signed, content-bound proof + embeddable badge that anyone can verify offline β no server, no account. Tampering fails closed. | |
re fork claude-attempt |
|
| A new timeline you can extend without touching the original. | |
re watch --session bot1 |
|
| Concurrent multi-agent recording. One session per agent, lock-serialized commits, shared ancestry β no agent can orphan another's events. | |
re sessions / re switch <name> |
|
| The fleet overview: every session tip with agent and last activity; jump between timelines. | |
re log --all |
|
| The full event DAG across every session, with tip and fork-point markers. | |
re diff a..b |
|
| The exact file delta between two agent actions. | |
re revert <id> |
|
| Workspace snapped back to the pre-state of that action, with a causal preview of every downstream event you are implicitly undoing. |
Most version control is one-dimensional: a chain of commits. Causari is two-dimensional:
PAST FUTURE
ββββββββββββββββββββββββββββ ββββββββββββββββββββββββββββ
β β β β
β re trace foo.rs:42 β β re impact <event> β
β β β β
β β prompts & events β β events & prompts β β
β that produced this β β that flowed from this β
β β β β
ββββββββββββββββ¬ββββββββββββ βββββββββββββββ¬βββββββββββββ
β β
β a single event β
ββββββββββββββΊββββββββββββββββ
This unlocks a question nothing else can answer:
"If I revert this action, what else am I implicitly undoing?"
re revert
answers it before touching a single byte.
Git blame names one author. re why
names one event. ** re trace** reconstructs the
intellectual ancestryof a piece of code:
calc.js:2
export function sum(a, b) { return a - b; }
trace: 3 causal contributors found
β 0b8424ee83 align calc.js with updated spec
agent: gpt-4o
prompt: the spec was updated, make calc.js match
because: wrote calc.js:2
ββ 45230e9cda update spec to redefine sum
agent: gpt-4o
prompt: the team decided sum should compute a-b, update the spec
because: wrote spec.md which event 0b8424ee83 read
ββ 55a6dd9392 implement calc per spec
agent: claude-3.5
prompt: implement sum() following the spec in spec.md
because: wrote calc.js which event 0b8424ee83 read
The buggy line is not the root cause β the prompt that asked the agent to redefine the spec is. Causari surfaces it. You can debug prompts, not just code.
Every event is a content-addressable object (BLAKE3) containing:
pre_snapshot
andpost_snapshot
β the workspace tree before and afteragent
,model
,tool
prompt
β the user task that triggered the actionreasoning
β the agent's chain-of-thought when exposedreads
,writes
,tokens_in
,tokens_out
,cost_usd
parent
β the previous event in the timeline
Snapshots are incremental (only changed files create new blobs, just like git's object store), so the storage cost is bounded by the delta, not the absolute size of the workspace.
[09:23:01] re init
β .causari/ repository initialized
[09:24:33] re record -m "Add JWT refresh logic"
β 12 lines in src/auth.ts
β agent: claude-3.5-sonnet
β prompt: "Add JWT refresh logic that rotates every 24h"
[09:25:12] re guard
β critical without test: src/auth.ts
β 1 alert(s), 0 warning(s)
[09:25:45] re why src/auth.ts:5
β introduced by a3f7b2c9
β prompt: "Add JWT refresh logic that rotates every 24h"
β reasoning: The spec calls for refresh tokens...
β 3 seconds
[09:26:18] re trace src/auth.ts:5
β a3f7b2c9 "Add JWT refresh"
ββ e112706e "Update auth spec"
ββ c13aa663 "Initial scaffold"
[09:27:03] re guard --badge
β .causari/guard-badge.svg generated
[09:27:44] re impact a3f7b2c9
β downstream: 2 events depend on this
β c4d1e8f2 "Deploy to staging"
β d5e2a1b3 "Fix OAuth scope"
[09:28:19] re churn
causari churn: code survival across 1,284 events
AGENT INTRO SURVIVED WASTE WASTED $
claude-3.5 8,210 6,012 26.8% $164.10
gpt-4o 3,400 1,510 55.6% $116.90
cursor 1,120 980 12.5% $5.50
AI survival 66.8% Β· AI Waste Score 33.2%
$286.50 of $866.90 spent on code that did not survive
[09:29:02] re report --open
β report written to causari-report.html
β opening in browser
[09:29:33] re revert a3f7b2c9
β preview: 2 downstream events will lose context
β confirm with --yes to proceed
Next on the roadmap:
β shipped:Verified skills (experience layer): events whose verification passed get promoted into signed, reusable skills the agent can recallbeforeactingre skill distill/list/show/verify
, Ed25519 signatures, trust ladder (β recorded β β verified β β
proven), trust-rankedcausari_recall
via MCPβ shipped:Multi-agent DAG timelines: concurrent agents, true branching history--session
,re sessions
,re switch
,re log --all
β shipped:Team skill registry: share signed skills across an organization β one engineer's verified fix becomes every agent's instinctre skill export/import/pull
,re skill trust
β Ed25519 mesh, no serverβ shipped:Verifiable provenance certificate: a signed, content-bound proof of a repo's AI provenance that anyone can verify offline, with an embeddable badgere proof generate/verify
, Ed25519, self-contained SVG, tamper-evident (fails closed)- Cryptographic timestamps (RFC 3161) + Ed25519-signed events for
audit-grade timelines (EU AI Act, SOC2 for agentic development) β
the paid Trust Plane on top ofre proof
Agent Provenance Protocol: an open spec for the signed, content-addressed event format, so any tool can produce or verify it- TUI Γ la
lazygit
for visual exploration - Cross-event semantic search over prompts and diffs (embeddings)
- Counterfactual
re replay --with <model>
(re-execute past events under different models)
Causari ships its own MCP server. Any agent runtime that speaks MCP (Claude Desktop, Claude Code, Cursor, Cline, Windsurf, β¦) can register Causari and get three new tools for free:
| Tool | What the agent uses it for |
|---|---|
causari_record |
|
| Record one of its own actions into the ledger after each tool call. | |
causari_recall |
|
| Find past similar events before acting, to avoid repeating mistakes. | |
causari_why |
|
| Inspect the provenance of a line before modifying code it didn't write. |
Get the JSON snippet to paste into your agent's config:
re mcp --install
Then in any conversation the agent can call those tools by name. Causari silently builds a complete, queryable, causally-linked history of the session.
Add the Causari Guard action to any repo and every pull request gets a risk summary β zero cloud, zero configuration:
name: Causari Guard
on:
pull_request:
jobs:
guard:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: croviatrust/causari-guard-action@v1
It installs re
, runs re guard --summary
, and posts a Markdown table of alerts directly into the PR thread. Block merges on risky patterns (bulk edits, auth without tests, missing tests, etc.).
Keep the badge green on main
:
re guard --badge # .causari/guard-badge.svg
Linux & macOS:
curl -sSf https://causari.dev/install.sh | sh
Windows (PowerShell):
iwr -useb https://causari.dev/install.ps1 | iex
Installs a SHA256-verified, ~800 KB pre-built binary into ~/.local/bin
(or %LOCALAPPDATA%\Programs\causari
on Windows).
Prefer building from source?
cargo install --git https://github.com/croviatrust/causari
cargo build --release
./target/release/re --help
Scripted demos live in scripts/
:
β the capture engine end to end: mock LLM upstream,demo-capture.ps1
re proxy
,re watch
, content-based causal join (mock-llm.py
included)/demo.sh
β full happy-path withdemo.ps1
re why
andre bisect
/demo-trace.sh
β upstream causal cone (demo-trace.ps1
re trace
)/demo-bidir.sh
β bidirectional causality (demo-bidir.ps1
re impact
,re lens
, causality-awarere revert
)/demo-mcp.sh
β MCP server end-to-end via JSON-RPCdemo-mcp.ps1
Causari runs natively on Linux, macOS, and Windows β the binary is a single ~2 MB executable with no runtime dependencies.
Causari is released under the Business Source License 1.1 (see
LICENSE
). In plain English:
Free for you, forever, in all of these cases:- personal use, including paid client work;
- any organization's own internal development, in production and CI/CD, at any scale;
- use by AI agents acting on infrastructure you control (laptop, server, CI runner) β this is the default way Causari is meant to be used;
- academic research, teaching, non-commercial open-source projects;
- redistribution of unmodified binaries via cargo / brew / apt / choco / nix / winget.
Not free if you want to resell Causari itself to third parties as a hosted or managed service whose primary value is version control, causality or provenance tracking for AI agents. For that, talk to us.Becomes Apache 2.0 automatically four years after each version is published. The change is mechanical: nothing the project maintainers can prevent or accelerate.
The experience layer (skills) is and will remain free in the re
binary β distillation, Ed25519 signing, verification and recall all run locally and cost nothing. What will be commercial is the Trust Plane built on top of it: organization-wide signed skill registries, RFC 3161 timestamping, fleet dashboards and audit-grade compliance exports. The free tool creates the experience; the paid plane lets a company trust it at scale.
Why BSL? Causari is meant to be widely used and modified, but we are not interested in subsidizing a future closed-source clone built by a better-distributed competitor. This is the same model that lets Sentry, HashiCorp and CockroachDB stay genuinely useful and contributable while sustaining the people who build them.
Contributing? See CLA.md
.
Causari is built by Croviatrust β the team behind Crovia, the cryptographically signed, Bitcoin-anchored public ledger of AI training-data transparency. Same DNA, different layer: Crovia proves what models learned; Causari proves what agents did.