cd /news/ai-agents/intent-addressable-code-for-ai-codin… Β· home β€Ί topics β€Ί ai-agents β€Ί article
[ARTICLE Β· art-47769] src=github.com β†— pub= topic=ai-agents verified=true sentiment=↑ positive

Intent-addressable code for AI coding agents

Causari, an open-source tool from Croviatrust, records every action an AI agent takes on a codebase, including prompts, models, files read, and reasoning, without requiring agent permission. It uses a content-based join of LLM traffic and filesystem changes to provide provenance, enabling queries like 'why' and 'trace' for any line of code. The tool aims to solve the problem of untraceable AI-generated code changes and is available under BSL 1.1.

read16 min views1 publishedJul 4, 2026
Intent-addressable code for AI coding agents
Image: source

Intent-addressable code for AI agents.

causari.dev Β·

ReleasesΒ·

DiscussionsΒ·

MCPΒ·

License (BSL 1.1)

Causari(Latin, deponent verb):to plead a cause, to argue why.Because every line of AI-generated code deserves to be defended, traced, and understood.

Causari records every action an AI agent takes on your codebase β€” not just the bytes that changed, but the prompt that asked, the model that answered, the files it read, and the reasoning behind the change.

And it does so without asking the agent's permission: the built-in capture engine (re proxy

  • re watch

  • re hook

) observes the LLM traffic and the filesystem independently, then joins them by content β€” the code that appears in your files is found inside the completion that produced it seconds earlier. Provenance becomes a fact, not a self-report.

You can then ask questions no version control system has ever answered:

re proxy                      # local LLM proxy: every prompt, token and dollar
re watch                      # passive recorder + causal join: file changes get
re hook  claude-code          # native capture via agent lifecycle hooks
re why    src/auth.ts:42      # who/what produced this exact line?
re trace  src/auth.ts:42      # full UPSTREAM causal cone: every event that
re impact <event-id>          # full DOWNSTREAM cone: what flowed from this action,
re lens   src/auth.ts         # render a file with per-line provenance annotations
re find   "the JWT refactor"  # search every prompt, reasoning and message
re bisect --test "npm test"   # find the agent action that broke the build
re churn                      # measure AI code survival: how much survived vs
re report --open              # generate a shareable HTML dashboard of AI waste
re skill  distill             # turn verified events into signed, reusable skills
re skill  export <id>         # portable Ed25519 bundle for teammates
re skill  pull <team-dir>     # sync a shared folder (Dropbox, git, NFS β€” no server)
re skill  trust add <label>   # trust an org signing key; unknown signers rejected
re fork   experiment-claude   # branch into a parallel timeline
re revert <id>                # undo an action with causal preview of what else

When an agent touches 30 files and something breaks, you don't need to read 4 000 lines of chat. You ask Causari why and when.

Every provenance tool before Causari had the same fatal dependency: it only worked if the agent volunteered its own history. Agents don't. Harnesses don't expose reasoning. Nobody reports costs.

Causari removes the dependency. Two independent observation streams, one causal join:

   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”        β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
   β”‚        re proxy         β”‚        β”‚        re watch         β”‚
   β”‚                         β”‚        β”‚                         β”‚
   β”‚  sees every prompt,     β”‚        β”‚  sees every byte that   β”‚
   β”‚  completion, token and  β”‚        β”‚  changes on disk        β”‚
   β”‚  dollar (OpenAI- and    β”‚        β”‚  (snapshots, diffs)     β”‚
   β”‚  Anthropic-compatible)  β”‚        β”‚                         β”‚
   β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜        β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                β”‚                                  β”‚
                β”‚         CONTENT-BASED JOIN       β”‚
                β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Ίβ—„β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                 the lines inserted in your files
                 are searched inside the completions
                 captured moments before β€” a match is
                 a causal fingerprint, with confidence

A real session, end to end:

$ re proxy
causari: LLM capture proxy listening on http://127.0.0.1:4242
  β€’ gpt-4o  42β†’18 tok  $0.0003  "Add JWT refresh logic that rotates every 24h"

$ re watch          # in another terminal
  β€’ 0d47599550  auth.py
    ↳ intent: "Add JWT refresh logic that rotates every 24h"  gpt-4o (confidence 100%, 3/3 lines)

$ re why auth.py:2
auth.py:2
      token = issue_token(user, scope="session")

introduced by 0d47599550
  agent:     cursor
  model:     gpt-4o
  prompt:    Add JWT refresh logic that rotates every 24h

Point any agent at the proxy and you're done:

OPENAI_BASE_URL=http://127.0.0.1:4242/openai/v1
ANTHROPIC_BASE_URL=http://127.0.0.1:4242/anthropic

Where the agent runtime exposes lifecycle hooks, capture is native and exact β€” no inference needed:

re hook claude-code   # wires UserPromptSubmit + PostToolUse into

Everything stays on your machine: .causari/capture/

is a local, append-only ledger. No cloud, no telemetry, no API keys touched.

Causari is the first production issuer of Crovia Seals β€” the open, IETF-drafted receipt format for AI outputs (

draft-crovia-seal-01). One flag turns the proxy into a sealing gateway:

$ re proxy --seal
causari: Crovia Seal issuer active β€” pubkey 3fa9c2…
  β€’ gpt-4o  42β†’18 tok  $0.0003  "Add JWT refresh logic"  πŸ” cs_2026_Q7RM2KJ3VWXA5YBN4CDEFGH2I6

Every completion gets an Ed25519-signed, hash-chained, offline-verifiable receipt in .causari/seal/seals.jsonl

. The seal commits to SHA-256 hashes of the exact request and response bytes β€” content never leaves your machine. Anyone holding your public key can verify the whole chain without a server, an account, or Causari itself:

$ re seal verify
βœ“ 128 seal(s) verified β€” every signature valid, chain contiguous from genesis

$ re seal issuer     # print the pubkey to share with auditors
$ re seal list       # browse issued receipts

The implementation is proven against the normative conformance vectors from croviatrust/crovia-seal (CSC-1 canonicalization, domain-separated payloads, fail-closed verification). When a regulator, a customer or a court asks "which model wrote this code, and can you prove it?" β€” the answer is one file and one public key.

Recording the past is half the job. The other half is making sure no agent ever pays for the same lesson twice.

re skill distill

walks the ledger and compresses every completed task β€” the prompt that triggered it, the steps that were taken, the files that changed β€” into a skill: a unit of experience an agent can recall before acting. Each skill is signed with the repository's Ed25519 key at the moment of distillation; edit one byte afterwards and re skill verify

exposes it.

Trust is earned, never claimed:

●  recorded   distilled from the ledger β€” no success signal yet
β—†  verified   evidence attached: exit code 0, or the work is still
              alive at the tip of the timeline (it survived)
β˜…  proven     verified AND recalled 3+ times by agents doing new work
bash
$ re skill distill
distill: 128 event(s) scanned, 7 new skill(s), 12 already distilled
  β—† verified 2ce0c7bbda  add retry with exponential backoff

$ re skill verify
  ok 2ce0c7bbda  add retry with exponential backoff
verify: 7 skill(s), every signature valid

The loop closes through MCP: when an agent calls causari_recall

, signed skills are returned first, ranked by trust (proven Γ—4, verified Γ—2), and every recall bumps the skill's use counter β€” which is exactly how a verified skill earns the β˜…. Agents get measurably cheaper over time, and re churn

shows you the savings in dollars.

One engineer's verified fix becomes every agent's instinct β€” without a central SaaS:

re skill export 2ce0c7bbda --output jwt-fix.json   # portable bundle
re skill trust pubkey                             # share your Ed25519 key
re skill trust add platform <their-pubkey>        # trust a teammate/org key
re skill import jwt-fix.json                      # verify signature + accept
re skill pull ~/Dropbox/causari-skills/           # sync a whole team folder

Skills signed by unknown keys are rejected, not imported. The mesh is cryptographic: Dropbox, git, NFS, S3 β€” any folder works. Causari verifies Ed25519 on every file; tampered bundles fail closed.

Like everything in Causari, skills are local files (.causari/skills/

), self-contained and portable. The signature means a skill can be shared and verified by anyone β€” across repos, teams, and orgs, with no central server.

Every repo can mint a signed proof of its AI provenance β€” how many agent actions, which agents and models, how much verified experience β€” bound to the exact ledger by a content digest and signed with the repo's Ed25519 key.

re proof generate            # β†’ causari-proof.json + causari-proof.svg badge
re proof verify              # checks the signature offline β€” no server, no account
re proof verify --against-repo   # …and confirms it still matches the live ledger

Anyone β€” a reviewer, an auditor, a stranger reading your PR β€” can run re proof verify

and confirm the proof was not altered after signing. No Causari account, no network call, no trust in us. Tamper with a single number and verification fails closed.

Drop the badge in your README and every visitor sees it:

[![AI provenance β€” verified by Causari](causari-proof.svg)](https://causari.dev/verify)

It is agent-agnostic by construction: the proof aggregates the ledger, so it covers every agent Causari captured β€” Claude Code, Cursor, Cline, Windsurf, a raw re proxy

β€” not just one runtime.

Free forever: generating and verifying proofs offline. Commercial (Trust Plane): the hosted public verification page on causari.dev

, the org-wide proof registry, RFC 3161 timestamp anchoring, and audit-grade compliance exports.

Existing tools either track text (git), track sessions (IDE checkpoints), or track conversations (LangSmith, Helicone). None of them connect a line of code to the intent that produced it β€” and none of them can do it without the agent's cooperation. Causari does both:

You ask… Causari answers…
re proxy + re watch
Zero-integration capture. Prompts, models, tokens and dollars joined to file changes by content correlation β€” no agent cooperation required.
re why src/auth.ts:42
The prompt, model, agent, tool, and reasoning that wrote that line.
re trace src/auth.ts:42
Upstream causal cone. Every prior event that contributed, transitively, through the files it read or wrote. The intellectual ancestry of a piece of code.
re impact <event>
Downstream causal cone. Every later event that depended, transitively, on what this one produced. The blast radius of an action.
re lens src/auth.ts
The file rendered with per-line provenance annotations: each line painted with the event id that introduced it.
re find "the JWT refactor"
Signed skills first, then every event β€” prompt, message, reasoning β€” ranked by trust and relevance.
re bisect --test "<cmd>"
The first agent action whose output fails your tests.
re churn
AI Waste Score. How much AI-written code survived vs was rewritten, per agent. With cost data: dollars spent on code that did not survive.
re report --open
A self-contained HTML dashboard you can paste into Slack, PRs, or board decks β€” zero external assets, zero cloud calls.
re skill distill
Signed experience. Verified past work compressed into Ed25519-signed skills, recalled by agents (trust-ranked) before they act β€” the same mistake is never paid twice.
re skill export / pull
Team skill mesh. Portable bundles + trusted org keys; sync any shared folder. Unknown signers and tampered files rejected.
re proof generate / verify
Trustless AI-provenance certificate. A signed, content-bound proof + embeddable badge that anyone can verify offline β€” no server, no account. Tampering fails closed.
re fork claude-attempt
A new timeline you can extend without touching the original.
re watch --session bot1
Concurrent multi-agent recording. One session per agent, lock-serialized commits, shared ancestry β€” no agent can orphan another's events.
re sessions / re switch <name>
The fleet overview: every session tip with agent and last activity; jump between timelines.
re log --all
The full event DAG across every session, with tip and fork-point markers.
re diff a..b
The exact file delta between two agent actions.
re revert <id>
Workspace snapped back to the pre-state of that action, with a causal preview of every downstream event you are implicitly undoing.

Most version control is one-dimensional: a chain of commits. Causari is two-dimensional:

                 PAST                            FUTURE
   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
   β”‚                          β”‚  β”‚                          β”‚
   β”‚   re trace foo.rs:42     β”‚  β”‚   re impact <event>      β”‚
   β”‚                          β”‚  β”‚                          β”‚
   β”‚   ← prompts & events     β”‚  β”‚   events & prompts β†’     β”‚
   β”‚   that produced this     β”‚  β”‚   that flowed from this  β”‚
   β”‚                          β”‚  β”‚                          β”‚
   β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                  β”‚                            β”‚
                  β”‚       a single event       β”‚
                  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Ίβ—β—„β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

This unlocks a question nothing else can answer:

"If I revert this action, what else am I implicitly undoing?"

re revert

answers it before touching a single byte.

Git blame names one author. re why

names one event. ** re trace** reconstructs the

intellectual ancestryof a piece of code:

calc.js:2
  export function sum(a, b) { return a - b; }

trace: 3 causal contributors found

● 0b8424ee83  align calc.js with updated spec
   agent: gpt-4o
   prompt: the spec was updated, make calc.js match
   because: wrote calc.js:2
  └─ 45230e9cda  update spec to redefine sum
     agent: gpt-4o
     prompt: the team decided sum should compute a-b, update the spec
     because: wrote spec.md which event 0b8424ee83 read
  └─ 55a6dd9392  implement calc per spec
     agent: claude-3.5
     prompt: implement sum() following the spec in spec.md
     because: wrote calc.js which event 0b8424ee83 read

The buggy line is not the root cause β€” the prompt that asked the agent to redefine the spec is. Causari surfaces it. You can debug prompts, not just code.

Every event is a content-addressable object (BLAKE3) containing:

pre_snapshot

andpost_snapshot

β€” the workspace tree before and afteragent

,model

,tool

prompt

β€” the user task that triggered the actionreasoning

β€” the agent's chain-of-thought when exposedreads

,writes

,tokens_in

,tokens_out

,cost_usd

parent

β€” the previous event in the timeline

Snapshots are incremental (only changed files create new blobs, just like git's object store), so the storage cost is bounded by the delta, not the absolute size of the workspace.

[09:23:01]  re init
              β†’ .causari/ repository initialized

[09:24:33]  re record -m "Add JWT refresh logic"
              β†’ 12 lines in src/auth.ts
              β†’ agent: claude-3.5-sonnet
              β†’ prompt: "Add JWT refresh logic that rotates every 24h"

[09:25:12]  re guard
              ⚠ critical without test: src/auth.ts
              ⚠ 1 alert(s), 0 warning(s)

[09:25:45]  re why src/auth.ts:5
              β†’ introduced by a3f7b2c9
              β†’ prompt: "Add JWT refresh logic that rotates every 24h"
              β†’ reasoning: The spec calls for refresh tokens...
              β†’ 3 seconds

[09:26:18]  re trace src/auth.ts:5
              β†’ a3f7b2c9 "Add JWT refresh"
                └─ e112706e "Update auth spec"
                  └─ c13aa663 "Initial scaffold"

[09:27:03]  re guard --badge
              βœ“ .causari/guard-badge.svg generated

[09:27:44]  re impact a3f7b2c9
              β†’ downstream: 2 events depend on this
              β†’ c4d1e8f2 "Deploy to staging"
              β†’ d5e2a1b3 "Fix OAuth scope"

[09:28:19]  re churn
              causari churn: code survival across 1,284 events
                AGENT          INTRO  SURVIVED  WASTE    WASTED $
                claude-3.5     8,210    6,012   26.8%    $164.10
                gpt-4o         3,400    1,510   55.6%    $116.90
                cursor         1,120      980   12.5%      $5.50

              AI survival 66.8% Β· AI Waste Score 33.2%
              $286.50 of $866.90 spent on code that did not survive

[09:29:02]  re report --open
              βœ“ report written to causari-report.html
              β†’ opening in browser

[09:29:33]  re revert a3f7b2c9
              ⚠ preview: 2 downstream events will lose context
              β†’ confirm with --yes to proceed

Next on the roadmap:

βœ“ shipped:Verified skills (experience layer): events whose verification passed get promoted into signed, reusable skills the agent can recallbeforeactingre skill distill/list/show/verify

, Ed25519 signatures, trust ladder (● recorded β†’ β—† verified β†’ β˜… proven), trust-rankedcausari_recall

via MCPβœ“ shipped:Multi-agent DAG timelines: concurrent agents, true branching history--session

,re sessions

,re switch

,re log --all

βœ“ shipped:Team skill registry: share signed skills across an organization β€” one engineer's verified fix becomes every agent's instinctre skill export/import/pull

,re skill trust

β€” Ed25519 mesh, no serverβœ“ shipped:Verifiable provenance certificate: a signed, content-bound proof of a repo's AI provenance that anyone can verify offline, with an embeddable badgere proof generate/verify

, Ed25519, self-contained SVG, tamper-evident (fails closed)- Cryptographic timestamps (RFC 3161) + Ed25519-signed events for audit-grade timelines (EU AI Act, SOC2 for agentic development) β€” the paid Trust Plane on top ofre proof

Agent Provenance Protocol: an open spec for the signed, content-addressed event format, so any tool can produce or verify it- TUI Γ  la lazygit

for visual exploration - Cross-event semantic search over prompts and diffs (embeddings)

  • Counterfactual re replay --with <model>

(re-execute past events under different models)

Causari ships its own MCP server. Any agent runtime that speaks MCP (Claude Desktop, Claude Code, Cursor, Cline, Windsurf, …) can register Causari and get three new tools for free:

Tool What the agent uses it for
causari_record
Record one of its own actions into the ledger after each tool call.
causari_recall
Find past similar events before acting, to avoid repeating mistakes.
causari_why
Inspect the provenance of a line before modifying code it didn't write.

Get the JSON snippet to paste into your agent's config:

re mcp --install

Then in any conversation the agent can call those tools by name. Causari silently builds a complete, queryable, causally-linked history of the session.

Add the Causari Guard action to any repo and every pull request gets a risk summary β€” zero cloud, zero configuration:

name: Causari Guard
on:
  pull_request:

jobs:
  guard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: croviatrust/causari-guard-action@v1

It installs re

, runs re guard --summary

, and posts a Markdown table of alerts directly into the PR thread. Block merges on risky patterns (bulk edits, auth without tests, missing tests, etc.).

Keep the badge green on main

:

re guard --badge   # .causari/guard-badge.svg

Linux & macOS:

curl -sSf https://causari.dev/install.sh | sh

Windows (PowerShell):

iwr -useb https://causari.dev/install.ps1 | iex

Installs a SHA256-verified, ~800 KB pre-built binary into ~/.local/bin

(or %LOCALAPPDATA%\Programs\causari

on Windows).

Prefer building from source?

cargo install --git https://github.com/croviatrust/causari
cargo build --release
./target/release/re --help

Scripted demos live in scripts/

:

β€” the capture engine end to end: mock LLM upstream,demo-capture.ps1

re proxy

,re watch

, content-based causal join (mock-llm.py

included)/demo.sh

β€” full happy-path withdemo.ps1

re why

andre bisect

/demo-trace.sh

β€” upstream causal cone (demo-trace.ps1

re trace

)/demo-bidir.sh

β€” bidirectional causality (demo-bidir.ps1

re impact

,re lens

, causality-awarere revert

)/demo-mcp.sh

β€” MCP server end-to-end via JSON-RPCdemo-mcp.ps1

Causari runs natively on Linux, macOS, and Windows β€” the binary is a single ~2 MB executable with no runtime dependencies.

Causari is released under the Business Source License 1.1 (see LICENSE

). In plain English:

Free for you, forever, in all of these cases:- personal use, including paid client work;

  • any organization's own internal development, in production and CI/CD, at any scale;
  • use by AI agents acting on infrastructure you control (laptop, server, CI runner) β€” this is the default way Causari is meant to be used;
  • academic research, teaching, non-commercial open-source projects;
  • redistribution of unmodified binaries via cargo / brew / apt / choco / nix / winget.

Not free if you want to resell Causari itself to third parties as a hosted or managed service whose primary value is version control, causality or provenance tracking for AI agents. For that, talk to us.Becomes Apache 2.0 automatically four years after each version is published. The change is mechanical: nothing the project maintainers can prevent or accelerate.

The experience layer (skills) is and will remain free in the re

binary β€” distillation, Ed25519 signing, verification and recall all run locally and cost nothing. What will be commercial is the Trust Plane built on top of it: organization-wide signed skill registries, RFC 3161 timestamping, fleet dashboards and audit-grade compliance exports. The free tool creates the experience; the paid plane lets a company trust it at scale.

Why BSL? Causari is meant to be widely used and modified, but we are not interested in subsidizing a future closed-source clone built by a better-distributed competitor. This is the same model that lets Sentry, HashiCorp and CockroachDB stay genuinely useful and contributable while sustaining the people who build them.

Contributing? See CLA.md

.

Causari is built by Croviatrust β€” the team behind Crovia, the cryptographically signed, Bitcoin-anchored public ledger of AI training-data transparency. Same DNA, different layer: Crovia proves what models learned; Causari proves what agents did.

── more in #ai-agents 4 stories Β· sorted by recency
── more on @causari 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain β€” perfect for shipping the agent you just read about.

$git push zahid main
β†’ Live at https://your-agent.zahid.host βœ“
Get free account β†’ Pricing
from €0/mo Β· no card required
LIVE [news/intent-addressable-c…] indexed:0 read:16min 2026-07-04 Β· β€”