{"slug": "intent-addressable-code-for-ai-coding-agents", "title": "Intent-addressable code for AI coding agents", "summary": "Causari, an open-source tool from Croviatrust, records every action an AI agent takes on a codebase, including prompts, models, files read, and reasoning, without requiring agent permission. It uses a content-based join of LLM traffic and filesystem changes to provide provenance, enabling queries like 'why' and 'trace' for any line of code. The tool aims to solve the problem of untraceable AI-generated code changes and is available under BSL 1.1.", "body_md": "*Intent-addressable code for AI agents.*\n\n[causari.dev](https://causari.dev) · [Releases](https://github.com/croviatrust/causari/releases) · [Discussions](https://github.com/croviatrust/causari/discussions) · [MCP](#mcp-server) · [License (BSL 1.1)](/croviatrust/causari/blob/main/LICENSE)\n\nCausari (Latin, deponent verb): to plead a cause, to argue why. Because every line of AI-generated code deserves to be defended, traced, and understood.\n\nCausari records every action an AI agent takes on your codebase — not just\nthe bytes that changed, but the **prompt that asked**, the **model that\nanswered**, the **files it read**, and the **reasoning behind the change**.\n\nAnd it does so **without asking the agent's permission**: the built-in\ncapture engine (`re proxy` + `re watch` + `re hook`) observes the LLM\ntraffic and the filesystem independently, then joins them by *content* —\nthe code that appears in your files is found inside the completion that\nproduced it seconds earlier. 
Provenance becomes a fact, not a self-report.\n\nYou can then ask questions no version control system has ever answered:\n\n```\nre proxy                      # local LLM proxy: every prompt, token and dollar\n                              #   flows through Causari on its way to the provider\nre watch                      # passive recorder + causal join: file changes get\n                              #   attributed to the real prompt, model and cost\nre hook  claude-code          # native capture via agent lifecycle hooks\nre why    src/auth.ts:42      # who/what produced this exact line?\nre trace  src/auth.ts:42      # full UPSTREAM causal cone: every event that\n                              #   contributed transitively, through reads/writes\nre impact <event-id>          # full DOWNSTREAM cone: what flowed from this action,\n                              #   transitively (causality-aware blast radius)\nre lens   src/auth.ts         # render a file with per-line provenance annotations\nre find   \"the JWT refactor\"  # search every prompt, reasoning and message\nre bisect --test \"npm test\"   # find the agent action that broke the build\nre churn                      # measure AI code survival: how much survived vs\n                              #   was rewritten, per agent, with wasted spend\nre report --open              # generate a shareable HTML dashboard of AI waste\nre skill  distill             # turn verified events into signed, reusable skills\nre skill  export <id>         # portable Ed25519 bundle for teammates\nre skill  pull <team-dir>     # sync a shared folder (Dropbox, git, NFS — no server)\nre skill  trust add <label>   # trust an org signing key; unknown signers rejected\nre fork   experiment-claude   # branch into a parallel timeline\nre revert <id>                # undo an action with causal preview of what else\n                              #   you are implicitly undoing\n```\n\nWhen an agent touches 30 files and something breaks, you 
don't need to read\n4 000 lines of chat. You ask Causari *why* and *when*.\n\nEvery provenance tool before Causari had the same fatal dependency: it only worked if the agent volunteered its own history. Agents don't. Harnesses don't expose reasoning. Nobody reports costs.\n\nCausari removes the dependency. Two independent observation streams, one causal join:\n\n```\n   ┌─────────────────────────┐        ┌─────────────────────────┐\n   │        re proxy         │        │        re watch         │\n   │                         │        │                         │\n   │  sees every prompt,     │        │  sees every byte that   │\n   │  completion, token and  │        │  changes on disk        │\n   │  dollar (OpenAI- and    │        │  (snapshots, diffs)     │\n   │  Anthropic-compatible)  │        │                         │\n   └────────────┬────────────┘        └────────────┬────────────┘\n                │                                  │\n                │         CONTENT-BASED JOIN       │\n                └────────────────►◄────────────────┘\n                 the lines inserted in your files\n                 are searched inside the completions\n                 captured moments before — a match is\n                 a causal fingerprint, with confidence\n```\n\nA real session, end to end:\n\n``` bash\n$ re proxy\ncausari: LLM capture proxy listening on http://127.0.0.1:4242\n  • gpt-4o  42→18 tok  $0.0003  \"Add JWT refresh logic that rotates every 24h\"\n\n$ re watch          # in another terminal\n  • 0d47599550  auth.py\n    ↳ intent: \"Add JWT refresh logic that rotates every 24h\"  gpt-4o (confidence 100%, 3/3 lines)\n\n$ re why auth.py:2\nauth.py:2\n      token = issue_token(user, scope=\"session\")\n\nintroduced by 0d47599550\n  agent:     cursor\n  model:     gpt-4o\n  prompt:    Add JWT refresh logic that rotates every 24h\n```\n\nPoint any agent at the proxy and you're 
done:\n\n```\nOPENAI_BASE_URL=http://127.0.0.1:4242/openai/v1\nANTHROPIC_BASE_URL=http://127.0.0.1:4242/anthropic\n```\n\nWhere the agent runtime exposes lifecycle hooks, capture is native and exact — no inference needed:\n\n```\nre hook claude-code   # wires UserPromptSubmit + PostToolUse into\n                      # .claude/settings.json: every prompt captured,\n                      # every edit recorded as a full Causari event\n```\n\nEverything stays on your machine: `.causari/capture/` is a local,\nappend-only ledger. No cloud, no telemetry, no API keys touched.\n\nCausari is the **first production issuer of\nCrovia Seals** — the open,\nIETF-drafted receipt format for AI outputs\n([draft-crovia-seal-01](https://datatracker.ietf.org/doc/draft-crovia-seal/)). One flag turns the proxy into a sealing gateway:\n\n``` bash\n$ re proxy --seal\ncausari: Crovia Seal issuer active — pubkey 3fa9c2…\n  • gpt-4o  42→18 tok  $0.0003  \"Add JWT refresh logic\"  🔏 cs_2026_Q7RM2KJ3VWXA5YBN4CDEFGH2I6\n```\n\nEvery completion gets an Ed25519-signed, hash-chained, offline-verifiable\nreceipt in `.causari/seal/seals.jsonl`. The seal commits to SHA-256 hashes\nof the exact request and response bytes — **content never leaves your\nmachine**. Anyone holding your public key can verify the whole chain\nwithout a server, an account, or Causari itself:\n\n``` bash\n$ re seal verify\n✓ 128 seal(s) verified — every signature valid, chain contiguous from genesis\n\n$ re seal issuer     # print the pubkey to share with auditors\n$ re seal list       # browse issued receipts\n```\n\nThe implementation is proven against the normative conformance vectors\nfrom [croviatrust/crovia-seal](https://github.com/croviatrust/crovia-seal)\n(CSC-1 canonicalization, domain-separated payloads, fail-closed\nverification). 
When a regulator, a customer or a court asks *\"which model\nwrote this code, and can you prove it?\"* — the answer is one file and one\npublic key.\n\nRecording the past is half the job. The other half is making sure no agent ever pays for the same lesson twice.\n\n`re skill distill` walks the ledger and compresses every completed task —\nthe prompt that triggered it, the steps that were taken, the files that\nchanged — into a **skill**: a unit of experience an agent can recall\n*before* acting. Each skill is signed with the repository's **Ed25519 key**\nat the moment of distillation; edit one byte afterwards and\n`re skill verify` exposes it.\n\nTrust is earned, never claimed:\n\n```\n●  recorded   distilled from the ledger — no success signal yet\n◆  verified   evidence attached: exit code 0, or the work is still\n              alive at the tip of the timeline (it survived)\n★  proven     verified AND recalled 3+ times by agents doing new work\n```\n\n``` bash\n$ re skill distill\ndistill: 128 event(s) scanned, 7 new skill(s), 12 already distilled\n  ◆ verified 2ce0c7bbda  add retry with exponential backoff\n\n$ re skill verify\n  ok 2ce0c7bbda  add retry with exponential backoff\nverify: 7 skill(s), every signature valid\n```\n\nThe loop closes through MCP: when an agent calls `causari_recall`, **signed\nskills are returned first, ranked by trust** (proven ×4, verified ×2), and\nevery recall bumps the skill's use counter — which is exactly how a\nverified skill earns the ★. 
Agents get measurably cheaper over time, and\n`re churn` shows you the savings in dollars.\n\nOne engineer's verified fix becomes every agent's instinct — without a central SaaS:\n\n```\nre skill export 2ce0c7bbda --output jwt-fix.json   # portable bundle\nre skill trust pubkey                             # share your Ed25519 key\nre skill trust add platform <their-pubkey>        # trust a teammate/org key\nre skill import jwt-fix.json                      # verify signature + accept\nre skill pull ~/Dropbox/causari-skills/           # sync a whole team folder\n```\n\nSkills signed by unknown keys are **rejected**, not imported. The mesh is\ncryptographic: Dropbox, git, NFS, S3 — any folder works. Causari verifies\nEd25519 on every file; tampered bundles fail closed.\n\nLike everything in Causari, skills are local files (`.causari/skills/`),\nself-contained and portable. The signature means a skill can be shared and\n*verified by anyone* — across repos, teams, and orgs, with no central server.\n\nEvery repo can mint a **signed proof of its AI provenance** — how many agent\nactions, which agents and models, how much *verified* experience — bound to the\nexact ledger by a content digest and signed with the repo's Ed25519 key.\n\n```\nre proof generate            # → causari-proof.json + causari-proof.svg badge\nre proof verify              # checks the signature offline — no server, no account\nre proof verify --against-repo   # …and confirms it still matches the live ledger\n```\n\nAnyone — a reviewer, an auditor, a stranger reading your PR — can run\n`re proof verify` and confirm the proof was **not altered after signing**. No\nCausari account, no network call, no trust in us. 
Tamper with a single number\nand verification fails closed.\n\nDrop the badge in your README and every visitor sees it:\n\n```\n[![AI provenance — verified by Causari](causari-proof.svg)](https://causari.dev/verify)\n```\n\nIt is agent-agnostic by construction: the proof aggregates the *ledger*, so it\ncovers every agent Causari captured — Claude Code, Cursor, Cline, Windsurf, a\nraw `re proxy` — not just one runtime.\n\n**Free forever:** generating and verifying proofs offline. **Commercial (Trust\nPlane):** the hosted public verification page on `causari.dev`, the org-wide\nproof registry, RFC 3161 timestamp anchoring, and audit-grade compliance\nexports.\n\nExisting tools either track text (git), track sessions (IDE checkpoints), or\ntrack conversations (LangSmith, Helicone). **None of them connect a line of\ncode to the intent that produced it** — and none of them can do it without\nthe agent's cooperation. Causari does both:\n\n| You ask… | Causari answers… |\n|---|---|\n| `re proxy` + `re watch` | Zero-integration capture. Prompts, models, tokens and dollars joined to file changes by content correlation — no agent cooperation required. |\n| `re why src/auth.ts:42` | The prompt, model, agent, tool, and reasoning that wrote that line. |\n| `re trace src/auth.ts:42` | Upstream causal cone. Every prior event that contributed, transitively, through the files it read or wrote. The intellectual ancestry of a piece of code. |\n| `re impact <event>` | Downstream causal cone. Every later event that depended, transitively, on what this one produced. The blast radius of an action. |\n| `re lens src/auth.ts` | The file rendered with per-line provenance annotations: each line painted with the event id that introduced it. |\n| `re find \"the JWT refactor\"` | Signed skills first, then every event — prompt, message, reasoning — ranked by trust and relevance. |\n| `re bisect --test \"<cmd>\"` | The first agent action whose output fails your tests. 
|\n| `re churn` | AI Waste Score. How much AI-written code survived vs was rewritten, per agent. With cost data: dollars spent on code that did not survive. |\n| `re report --open` | A self-contained HTML dashboard you can paste into Slack, PRs, or board decks — zero external assets, zero cloud calls. |\n| `re skill distill` | Signed experience. Verified past work compressed into Ed25519-signed skills, recalled by agents (trust-ranked) before they act — the same mistake is never paid twice. |\n| `re skill export` / `pull` | Team skill mesh. Portable bundles + trusted org keys; sync any shared folder. Unknown signers and tampered files rejected. |\n| `re proof generate` / `verify` | Trustless AI-provenance certificate. A signed, content-bound proof + embeddable badge that anyone can verify offline — no server, no account. Tampering fails closed. |\n| `re fork claude-attempt` | A new timeline you can extend without touching the original. |\n| `re watch --session bot1` | Concurrent multi-agent recording. One session per agent, lock-serialized commits, shared ancestry — no agent can orphan another's events. |\n| `re sessions` / `re switch <name>` | The fleet overview: every session tip with agent and last activity; jump between timelines. |\n| `re log --all` | The full event DAG across every session, with tip and fork-point markers. |\n| `re diff a..b` | The exact file delta between two agent actions. |\n| `re revert <id>` | Workspace snapped back to the pre-state of that action, with a causal preview of every downstream event you are implicitly undoing. |\n\nMost version control is one-dimensional: a chain of commits. 
Causari is two-dimensional:\n\n```\n                 PAST                            FUTURE\n   ┌──────────────────────────┐  ┌──────────────────────────┐\n   │                          │  │                          │\n   │   re trace foo.rs:42     │  │   re impact <event>      │\n   │                          │  │                          │\n   │   ← prompts & events     │  │   events & prompts →     │\n   │   that produced this     │  │   that flowed from this  │\n   │                          │  │                          │\n   └──────────────┬───────────┘  └─────────────┬────────────┘\n                  │                            │\n                  │       a single event       │\n                  └────────────►●◄─────────────┘\n```\n\nThis unlocks a question nothing else can answer:\n\n\"If I revert this action, what else am I implicitly undoing?\"\n\n`re revert` answers it before touching a single byte.\n\nGit blame names one author. `re why` names one event. **`re trace`** reconstructs\nthe *intellectual ancestry* of a piece of code:\n\n```\ncalc.js:2\n  export function sum(a, b) { return a - b; }\n\ntrace: 3 causal contributors found\n\n● 0b8424ee83  align calc.js with updated spec\n   agent: gpt-4o\n   prompt: the spec was updated, make calc.js match\n   because: wrote calc.js:2\n  └─ 45230e9cda  update spec to redefine sum\n     agent: gpt-4o\n     prompt: the team decided sum should compute a-b, update the spec\n     because: wrote spec.md which event 0b8424ee83 read\n  └─ 55a6dd9392  implement calc per spec\n     agent: claude-3.5\n     prompt: implement sum() following the spec in spec.md\n     because: wrote calc.js which event 0b8424ee83 read\n```\n\nThe buggy line is not the root cause — the *prompt that asked the agent to\nredefine the spec* is. Causari surfaces it. 
**You can debug prompts, not just\ncode.**\n\nEvery event is a content-addressable object (BLAKE3) containing:\n\n- `pre_snapshot` and `post_snapshot` — the workspace tree before and after\n- `agent`, `model`, `tool`\n- `prompt` — the user task that triggered the action\n- `reasoning` — the agent's chain-of-thought when exposed\n- `reads`, `writes`, `tokens_in`, `tokens_out`, `cost_usd`\n- `parent` — the previous event in the timeline\n\nSnapshots are incremental (only changed files create new blobs, just like\ngit's object store), so the storage cost is bounded by the *delta*, not the\nabsolute size of the workspace.\n\n```\n[09:23:01]  re init\n              → .causari/ repository initialized\n\n[09:24:33]  re record -m \"Add JWT refresh logic\"\n              → 12 lines in src/auth.ts\n              → agent: claude-3.5-sonnet\n              → prompt: \"Add JWT refresh logic that rotates every 24h\"\n\n[09:25:12]  re guard\n              ⚠ critical without test: src/auth.ts\n              ⚠ 1 alert(s), 0 warning(s)\n\n[09:25:45]  re why src/auth.ts:5\n              → introduced by a3f7b2c9\n              → prompt: \"Add JWT refresh logic that rotates every 24h\"\n              → reasoning: The spec calls for refresh tokens...\n              → 3 seconds\n\n[09:26:18]  re trace src/auth.ts:5\n              → a3f7b2c9 \"Add JWT refresh\"\n                └─ e112706e \"Update auth spec\"\n                  └─ c13aa663 \"Initial scaffold\"\n\n[09:27:03]  re guard --badge\n              ✓ .causari/guard-badge.svg generated\n\n[09:27:44]  re impact a3f7b2c9\n              → downstream: 2 events depend on this\n              → c4d1e8f2 \"Deploy to staging\"\n              → d5e2a1b3 \"Fix OAuth scope\"\n\n[09:28:19]  re churn\n              causari churn: code survival across 1,284 events\n                AGENT          INTRO  SURVIVED  WASTE    WASTED $\n                claude-3.5     8,210    6,012   26.8%    $164.10\n                gpt-4o         
3,400    1,510   55.6%    $116.90\n                cursor         1,120      980   12.5%      $5.50\n\n              AI survival 66.8% · AI Waste Score 33.2%\n              $286.50 of $866.90 spent on code that did not survive\n\n[09:29:02]  re report --open\n              ✓ report written to causari-report.html\n              → opening in browser\n\n[09:29:33]  re revert a3f7b2c9\n              ⚠ preview: 2 downstream events will lose context\n              → confirm with --yes to proceed\n```\n\nNext on the roadmap:\n\n- ✓ shipped: **Verified skills (experience layer)**: events whose verification passed get promoted into signed, reusable skills the agent can recall *before* acting\n  `re skill distill/list/show/verify`, Ed25519 signatures, trust ladder (● recorded → ◆ verified → ★ proven), trust-ranked `causari_recall` via MCP\n- ✓ shipped: **Multi-agent DAG timelines**: concurrent agents, true branching history\n  `--session`, `re sessions`, `re switch`, `re log --all`\n- ✓ shipped: **Team skill registry**: share signed skills across an organization — one engineer's verified fix becomes every agent's instinct\n  `re skill export/import/pull`, `re skill trust` — Ed25519 mesh, no server\n- ✓ shipped: **Verifiable provenance certificate**: a signed, content-bound proof of a repo's AI provenance that anyone can verify offline, with an embeddable badge\n  `re proof generate/verify`, Ed25519, self-contained SVG, tamper-evident (fails closed)\n- Cryptographic timestamps (RFC 3161) + Ed25519-signed events for\n  audit-grade timelines (EU AI Act, SOC2 for agentic development) —\n  *the paid Trust Plane on top of* `re proof`\n- **Agent Provenance Protocol**: an open spec for the signed, content-addressed event format, so any tool can produce or verify it\n- TUI à la `lazygit` for visual exploration\n- Cross-event semantic search over prompts and diffs (embeddings)\n- Counterfactual `re replay --with <model>` (re-execute past events under different models)\n\nCausari ships its own 
MCP server. Any agent runtime that speaks MCP (Claude Desktop, Claude Code, Cursor, Cline, Windsurf, …) can register Causari and get three new tools for free:\n\n| Tool | What the agent uses it for |\n|---|---|\n| `causari_record` | Record one of its own actions into the ledger after each tool call. |\n| `causari_recall` | Find past similar events before acting, to avoid repeating mistakes. |\n| `causari_why` | Inspect the provenance of a line before modifying code it didn't write. |\n\nGet the JSON snippet to paste into your agent's config:\n\n```\nre mcp --install\n```\n\nThen in any conversation the agent can call those tools by name. Causari silently builds a complete, queryable, causally-linked history of the session.\n\nAdd the Causari Guard action to any repo and every pull request gets a risk summary — zero cloud, zero configuration:\n\n```\n# .github/workflows/guard.yml\nname: Causari Guard\non:\n  pull_request:\n\njobs:\n  guard:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: croviatrust/causari-guard-action@v1\n```\n\nIt installs `re`, runs `re guard --summary`, and posts a Markdown table\nof alerts directly into the PR thread. 
Block merges on risky patterns\n(bulk edits, auth without tests, missing tests, etc.).\n\nKeep the badge green on `main`:\n\n```\nre guard --badge   # .causari/guard-badge.svg\n```\n\nLinux & macOS:\n\n```\ncurl -sSf https://causari.dev/install.sh | sh\n```\n\nWindows (PowerShell):\n\n```\niwr -useb https://causari.dev/install.ps1 | iex\n```\n\nInstalls a SHA256-verified, ~800 KB pre-built binary into `~/.local/bin`\n(or `%LOCALAPPDATA%\\Programs\\causari` on Windows).\n\nPrefer building from source?\n\n```\ncargo install --git https://github.com/croviatrust/causari\n# or, with a local clone:\ncargo build --release\n./target/release/re --help\n```\n\nScripted demos live in `scripts/`:\n\n- `demo-capture.ps1` — the capture engine end to end: mock LLM upstream, `re proxy`, `re watch`, content-based causal join (`mock-llm.py` included)\n- `demo.sh` / `demo.ps1` — full happy-path with `re why` and `re bisect`\n- `demo-trace.sh` / `demo-trace.ps1` — upstream causal cone (`re trace`)\n- `demo-bidir.sh` / `demo-bidir.ps1` — bidirectional causality (`re impact`, `re lens`, causality-aware `re revert`)\n- `demo-mcp.sh` / `demo-mcp.ps1` — MCP server end-to-end via JSON-RPC\n\nCausari runs natively on **Linux, macOS, and Windows** — the binary is a\nsingle ~2 MB executable with no runtime dependencies.\n\nCausari is released under the **Business Source License 1.1** (see\n`LICENSE`). 
In plain English:\n\n**Free for you, forever**, in all of these cases:\n\n- personal use, including paid client work;\n- any organization's own internal development, in production and CI/CD, at any scale;\n- use by AI agents acting on infrastructure you control (laptop, server, CI runner) — this is the default way Causari is meant to be used;\n- academic research, teaching, non-commercial open-source projects;\n- redistribution of unmodified binaries via cargo / brew / apt / choco / nix / winget.\n\n**Not free** if you want to resell Causari itself to third parties as a hosted or managed service whose primary value is version control, causality or provenance tracking for AI agents. For that, talk to us.\n\n**Becomes Apache 2.0 automatically** four years after each version is published. The change is mechanical: nothing the project maintainers can prevent or accelerate.\n\n**The experience layer (skills) is and will remain free** in the `re`\nbinary — distillation, Ed25519 signing, verification and recall all run\nlocally and cost nothing. What will be commercial is the **Trust Plane**\nbuilt on top of it: organization-wide signed skill registries, RFC 3161\ntimestamping, fleet dashboards and audit-grade compliance exports. The\nfree tool creates the experience; the paid plane lets a company trust it\nat scale.\n\nWhy BSL? Causari is meant to be widely used and modified, but we are not interested in subsidizing a future closed-source clone built by a better-distributed competitor. This is the same model that lets Sentry, HashiCorp and CockroachDB stay genuinely useful and contributable while sustaining the people who build them.\n\nContributing? See `CLA.md`.\n\nCausari is built by [Croviatrust](https://croviatrust.com) — the team behind\n**Crovia**, the cryptographically signed, Bitcoin-anchored public ledger of\nAI training-data transparency. 
Same DNA, different layer: Crovia proves what\nmodels learned; **Causari proves what agents did.**", "url": "https://wpnews.pro/news/intent-addressable-code-for-ai-coding-agents", "canonical_source": "https://github.com/croviatrust/causari", "published_at": "2026-07-04 09:19:00+00:00", "updated_at": "2026-07-04 09:49:54.704169+00:00", "lang": "en", "topics": ["ai-agents", "developer-tools", "ai-tools", "ai-ethics", "ai-safety"], "entities": ["Causari", "Croviatrust", "OpenAI", "Anthropic", "MCP", "Ed25519"], "alternates": {"html": "https://wpnews.pro/news/intent-addressable-code-for-ai-coding-agents", "markdown": "https://wpnews.pro/news/intent-addressable-code-for-ai-coding-agents.md", "text": "https://wpnews.pro/news/intent-addressable-code-for-ai-coding-agents.txt", "jsonld": "https://wpnews.pro/news/intent-addressable-code-for-ai-coding-agents.jsonld"}}