Intent-addressable code for AI coding agents
Causari is an open-source tool that provides verifiable provenance and causal tracing for AI-generated code by passively recording agent prompts, completions, and file changes—without requiring agent cooperation. It combines a local LLM proxy, file watcher, and causal join engine to answer questions like 'who wrote this line?' It also features skill distillation, team skill mesh, cryptographic sealing, and verifiable AI provenance proofs.
Notifications You must be signed in to change notification settings
Fork 0
Star 1
BranchesTags
Open more actions menu
Folders and files
NameName
Last commit message
Last commit date
Latest commit
History
39 Commits
39 Commits
.github
.github
assets
assets
scripts
scripts
site
site
src
src
tests/vectors
tests/vectors
.gitattributes
.gitattributes
.gitignore
.gitignore
CLA.md
CLA.md
CONTRIBUTING.md
CONTRIBUTING.md
Cargo.lock
Cargo.lock
Cargo.toml
Cargo.toml
LICENSE
LICENSE
NOTICE
NOTICE
README.md
README.md
wrangler.jsonc
wrangler.jsonc
Repository files navigation
Intent-addressable code for AI agents.
causari.dev · Releases · Discussions · MCP · License (BSL 1.1)
Causari (Latin, deponent verb): to plead a cause, to argue why. Because every line of AI-generated code deserves to be defended, traced, and understood.
Causari records every action an AI agent takes on your codebase — not just the bytes that changed, but the prompt that asked, the model that answered, the files it read, and the reasoning behind the change.
And it does so without asking the agent's permission: the built-in capture engine (re proxy + re watch + re hook) observes the LLM traffic and the filesystem independently, then joins them by content — the code that appears in your files is found inside the completion that produced it seconds earlier. Provenance becomes a fact, not a self-report.
You can then ask questions no version control system has ever answered:
re proxy # local LLM proxy: every prompt, token and dollar
flows through Causari on its way to the provider
re watch # passive recorder + causal join: file changes get
attributed to the real prompt, model and cost
re hook claude-code # native capture via agent lifecycle hooks re why src/auth.ts:42 # who/what produced this exact line? re trace src/auth.ts:42 # full UPSTREAM causal cone: every event that
contributed transitively, through reads/writes
re impact # full DOWNSTREAM cone: what flowed from this action,
transitively (causality-aware blast radius)
re lens src/auth.ts # render a file with per-line provenance annotations re find "the JWT refactor" # search every prompt, reasoning and message re bisect --test "npm test" # find the agent action that broke the build re churn # measure AI code survival: how much survived vs
was rewritten, per agent, with wasted spend
re report --open # generate a shareable HTML dashboard of AI waste re skill distill # turn verified events into signed, reusable skills re skill export # portable Ed25519 bundle for teammates re skill pull # sync a shared folder (Dropbox, git, NFS — no server) re skill trust add # trust an org signing key; unknown signers rejected re fork experiment-claude # branch into a parallel timeline re revert # undo an action with causal preview of what else
you are implicitly undoing
When an agent touches 30 files and something breaks, you don't need to read 4 000 lines of chat. You ask Causari why and when.
The Capture Engine — provenance without cooperation
Every provenance tool before Causari had the same fatal dependency: it only worked if the agent volunteered its own history. Agents don't. Harnesses don't expose reasoning. Nobody reports costs.
Causari removes the dependency. Two independent observation streams, one causal join:
┌─────────────────────────┐ ┌─────────────────────────┐ │ re proxy │ │ re watch │ │ │ │ │ │ sees every prompt, │ │ sees every byte that │ │ completion, token and │ │ changes on disk │ │ dollar (OpenAI- and │ │ (snapshots, diffs) │ │ Anthropic-compatible) │ │ │ └────────────┬────────────┘ └────────────┬────────────┘ │ │ │ CONTENT-BASED JOIN │ └────────────────►◄────────────────┘ the lines inserted in your files are searched inside the completions captured moments before — a match is a causal fingerprint, with confidence
A real session, end to end:
$ re proxy causari: LLM capture proxy listening on http://127.0.0.1:4242 • gpt-4o 42→18 tok $0.0003 "Add JWT refresh logic that rotates every 24h"
$ re watch # in another terminal • 0d47599550 auth.py ↳ intent: "Add JWT refresh logic that rotates every 24h" gpt-4o (confidence 100%, 3/3 lines)
$ re why auth.py:2 auth.py:2 token = issue_token(user, scope="session")
introduced by 0d47599550 agent: cursor model: gpt-4o prompt: Add JWT refresh logic that rotates every 24h
Point any agent at the proxy and you're done:
OPENAI_BASE_URL=http://127.0.0.1:4242/openai/v1 ANTHROPIC_BASE_URL=http://127.0.0.1:4242/anthropic
Where the agent runtime exposes lifecycle hooks, capture is native and exact — no inference needed:
re hook claude-code # wires UserPromptSubmit + PostToolUse into
.claude/settings.json: every prompt captured,
every edit recorded as a full Causari event
Everything stays on your machine: .causari/capture/ is a local, append-only ledger. No cloud, no telemetry, no API keys touched.
Crovia Seals — a cryptographic receipt for every completion
Causari is the first production issuer of Crovia Seals — the open, IETF-drafted receipt format for AI outputs (draft-crovia-seal-01). One flag turns the proxy into a sealing gateway:
$ re proxy --seal causari: Crovia Seal issuer active — pubkey 3fa9c2… • gpt-4o 42→18 tok $0.0003 "Add JWT refresh logic" 🔏 cs_2026_Q7RM2KJ3VWXA5YBN4CDEFGH2I6
Every completion gets an Ed25519-signed, hash-chained, offline-verifiable receipt in .causari/seal/seals.jsonl. The seal commits to SHA-256 hashes of the exact request and response bytes — content never leaves your machine. Anyone holding your public key can verify the whole chain without a server, an account, or Causari itself:
$ re seal verify ✓ 128 seal(s) verified — every signature valid, chain contiguous from genesis
$ re seal issuer # print the pubkey to share with auditors $ re seal list # browse issued receipts
The implementation is proven against the normative conformance vectors from croviatrust/crovia-seal (CSC-1 canonicalization, domain-separated payloads, fail-closed verification). When a regulator, a customer or a court asks "which model wrote this code, and can you prove it?" — the answer is one file and one public key.
The Experience Layer — skills with earned trust
Recording the past is half the job. The other half is making sure no agent ever pays for the same lesson twice.
re skill distill walks the ledger and compresses every completed task — the prompt that triggered it, the steps that were taken, the files that changed — into a skill: a unit of experience an agent can recall before acting. Each skill is signed with the repository's Ed25519 key at the moment of distillation; edit one byte afterwards and re skill verify exposes it.
Trust is earned, never claimed:
● recorded distilled from the ledger — no success signal yet ◆ verified evidence attached: exit code 0, or the work is still alive at the tip of the timeline (it survived) ★ proven verified AND recalled 3+ times by agents doing new work
$ re skill distill distill: 128 event(s) scanned, 7 new skill(s), 12 already distilled ◆ verified 2ce0c7bbda add retry with exponential backoff
$ re skill verify ok 2ce0c7bbda add retry with exponential backoff verify: 7 skill(s), every signature valid
The loop closes through MCP: when an agent calls causari_recall, signed skills are returned first, ranked by trust (proven ×4, verified ×2), and every recall bumps the skill's use counter — which is exactly how a verified skill earns the ★. Agents get measurably cheaper over time, and re churn shows you the savings in dollars.
Team skill mesh — no server, no accounts
One engineer's verified fix becomes every agent's instinct — without a central SaaS:
re skill export 2ce0c7bbda --output jwt-fix.json # portable bundle re skill trust pubkey # share your Ed25519 key re skill trust add platform # trust a teammate/org key re skill import jwt-fix.json # verify signature + accept re skill pull ~/Dropbox/causari-skills/ # sync a whole team folder
Skills signed by unknown keys are rejected, not imported. The mesh is cryptographic: Dropbox, git, NFS, S3 — any folder works. Causari verifies Ed25519 on every file; tampered bundles fail closed.
Like everything in Causari, skills are local files (.causari/skills/), self-contained and portable. The signature means a skill can be shared and verified by anyone — across repos, teams, and orgs, with no central server.
Causari Proof — verifiable AI provenance, trustless
Every repo can mint a signed proof of its AI provenance — how many agent actions, which agents and models, how much verified experience — bound to the exact ledger by a content digest and signed with the repo's Ed25519 key.
re proof generate # → causari-proof.json + causari-proof.svg badge re proof verify # checks the signature offline — no server, no account re proof verify --against-repo # …and confirms it still matches the live ledger
Anyone — a reviewer, an auditor, a stranger reading your PR — can run re proof verify and confirm the proof was not altered after signing. No Causari account, no network call, no trust in us. Tamper with a single number and verification fails closed.
Drop the badge in your README and every visitor sees it:
[](https://causari.dev/verify)
It is agent-agnostic by construction: the proof aggregates the ledger, so it covers every agent Causari captured — Claude Code, Cursor, Cline, Windsurf, a raw re proxy — not just one runtime.
Free forever: generating and verifying proofs offline. Commercial (Trust Plane): the hosted public verification page on causari.dev, the org-wide proof registry, RFC 3161 timestamp anchoring, and audit-grade compliance exports.
What makes it different
Existing tools either track text (git), track sessions (IDE checkpoints), or track conversations (LangSmith, Helicone). None of them connect a line of code to the intent that produced it — and none of them can do it without the agent's cooperation. Causari does both:
You ask… Causari answers…
re proxy + re watch Zero-integration capture. Prompts, models, tokens and dollars joined to file changes by content correlation — no agent cooperation required.
re why src/auth.ts:42 The prompt, model, agent, tool, and reasoning that wrote that line.
re trace src/auth.ts:42 Upstream causal cone. Every prior event that contributed, transitively, through the files it read or wrote. The intellectual ancestry of a piece of code.
re impact Downstream causal cone. Every later event that depended, transitively, on what this one produced. The blast radius of an action.
re lens src/auth.ts The file rendered with per-line provenance annotations: each line painted with the event id that introduced it.
re find "the JWT refactor" Signed skills first, then every event — prompt, message, reasoning — ranked by trust and relevance.
re bisect --test "" The first agent action whose output fails your tests.
re churn AI Waste Score. How much AI-written code survived vs was rewritten, per agent. With cost data: dollars spent on code that did not survive.
re report --open A self-contained HTML dashboard you can paste into Slack, PRs, or board decks — zero external assets, zero cloud calls.
re skill distill Signed experience. Verified past work compressed into Ed25519-signed skills, recalled by agents (trust-ranked) before they act — the same mistake is never paid twice.
re skill export / pull Team skill mesh. Portable bundles + trusted org keys; sync any shared folder. Unknown signers and tampered files rejected.
re proof generate / verify Trustless AI-provenance certificate. A signed, content-bound proof + embeddable badge that anyone can verify offline — no server, no account. Tampering fails closed.
re fork claude-attempt A new timeline you can extend without touching the original.
re watch --session bo
[truncated for AI cost control]