Black box edits
Cursor touched 30 files in 4 minutes. Which prompt wrote that suspicious regex on line 84? You don't know. Nobody does.
The first content-addressable ledger for AI agents. Every prompt, model, read, write and reasoning becomes an immutable causal event — captured at the wire and on disk, without the agent's cooperation, queryable like git, but for the intent behind every line of code.
A real re churn session — how much of your AI spend survived.
·
R to replay
The problem
Cursor touched 30 files in 4 minutes. Which prompt wrote that suspicious regex on line 84? You don't know. Nobody does.
You revert one of yesterday's agent changes. Three other agent decisions silently lose the context they were built on. CI is green. Production isn't.
A test breaks 200 prompts later. Bisect through chat logs? You read for an hour, give up, and rewrite the feature from scratch.
The thesis
Git tracks bytes.
LangSmith tracks conversations.
IDE checkpoints track snapshots.
None of them connect a line of code to the intent that produced it.
Causari does. We call it intent-addressable code.
The capture engine
Every provenance tool before Causari only worked if the agent volunteered its own history. Agents don't. So Causari observes two independent streams — and joins them by content.
A local, OpenAI- and Anthropic-compatible LLM proxy. Point your agent's BASE_URL at it and every prompt, completion, token and dollar flows through Causari on its way to the provider. Streaming passes through live.
A passive filesystem recorder. Every change becomes a snapshot. Then the causal join: the lines inserted in your files are searched inside the completions captured moments before. A match is a causal fingerprint — with a confidence score.
Where the agent exposes lifecycle hooks (Claude Code today), capture is native and exact: re hook claude-code wires UserPromptSubmit and PostToolUse so every prompt and every edit is recorded at the source. No inference needed.
The experience layer
Recording the past is half the job. Causari distills every completed task into a signed skill — proven experience your agents recall before they act. Trust is earned, never claimed.
One command walks the ledger and compresses each task — the prompt that triggered it, the steps taken, the files changed — into a portable skill file. Idempotent, local, instant. Signed with the repo's Ed25519 key at the moment of creation.
● recorded — distilled, no success signal yet. ◆ verified — evidence attached: exit code 0, or the work survived at the tip of the timeline. ★ proven — verified and recalled 3+ times by agents doing new work. Edit one byte and re skill verify exposes it.
Through MCP, agents query their own past before acting: signed skills come first, ranked by trust (proven ×4, verified ×2). Every recall bumps the use counter — the loop that turns a verified skill into a proven one. Agents get measurably cheaper over time.
Causari Proof
Mint a signed certificate of your repo's AI provenance — how many agent actions, which agents and models, how much verified experience — bound to the exact ledger by a content digest. Anyone can verify it offline: no server, no account, no trust in us.
One command signs your provenance with the repo's Ed25519 key and emits a self-contained SVG badge — zero external assets. It's agent-agnostic by design: the proof aggregates the whole capture ledger, so it covers every agent — Claude Code, Cursor, Cline, Windsurf, a raw proxy — not one runtime.
A reviewer, an auditor, a stranger reading your PR runs one command and confirms the proof was not altered after signing. No network call. Tamper with a single number and verification fails closed. --against-repo also confirms it still matches the live ledger.
Drop the badge in your README and every visitor sees it. Each repo that adopts a verified proof advertises trust — and Causari — to everyone who reads it. Generating and verifying are free forever; the hosted public verifier, org registry, RFC 3161 anchoring and compliance exports are the commercial Trust Plane.
The difference
Continuous assurance
One command generates a live badge. Paste it into your README and every visitor sees the health of your causal ledger.
Clean ledger. No risky patterns in the last 20 events.
Source files edited without tests. Review recommended.
Critical file modified without test coverage. Block merge.
Your rules
No cloud console. No YAML. One file, checked into your repo, readable by humans and machines.
[rules]
# Catch bulk edits that are easy to miss
[[rules]]
name = "bulk-edit"
when = "*.rs"
threshold = 10
# Security files must have tests
[[rules]]
name = "auth-needs-test"
when = "auth"
threshold = 1
# Schema changes are high-risk
[[rules]]
name = "schema-change"
when = "migrate"
threshold = 1
✓ scanning last 20 events…
| Event | Agent | Status | Rule | Detail |
|------------|--------|--------|------------------|---------------------------------|
| a3f7b2c9 | claude | 🔴 | auth-needs-test | modified auth.rs, no test |
| d5e2a1b3 | claude | 🟡 | schema-change | touched 2 migrate files |
| e112706e | claude | ✅ | — | clean |
2 alert(s), 1 warning(s) found.
Review with: re show <id> re diff <id> re trace <file>
What you get
15+ commands. One binary. Zero cloud. Built in Rust, content-addressed with BLAKE3, queryable in microseconds.
re proxy sees every prompt and dollar at the wire. re watch sees every byte on disk. The content-based join attributes each file change to the real prompt, model and cost — no agent integration required.
re trace walks upstream — every event that contributed to a line, transitively. re impact walks downstream — every event that depended on a change. The full blast radius, before you click revert.
One flag — re mcp — and Claude Desktop, Cursor, Cline and Windsurf can read and write the ledger. Tools: causari_record, causari_recall, causari_why.
Restore the full workspace to the state before any event in the timeline. Combine with re bisect --test to binary-search the agent action that broke the build.
re lens src/auth.ts renders the file with per-line attribution — agent, model, prompt, snippet — like git blame, but for intent. The first hour of onboarding any AI-touched codebase, solved.
re guard scans recent events for risky patterns only a causal ledger can see. --badge generates an SVG shield for your README. --summary emits a Markdown table ready to paste into PR comments. Catches what linters and git hooks miss.
Revert isn't free. Causari shows you the downstream events that would lose their context, then asks. No more silent regressions hidden in three layers of agent reasoning.
Everything lives in .causari/ next to your code. BLAKE3 content-addressed. Your prompts, models and reasoning never leave your machine. No telemetry. No accounts. Ever.
Versus the world
There are great tools for source control, observability, and agent monitoring. None of them sit at the intersection where AI codebases actually break.
| Capability | git | LangSmith | IDE checkpoints | Causari |
|---|---|---|---|---|
| Tracks code | ✓ | ✗ | ✓ | ✓ |
| Tracks the prompt | ✗ | ✓ | ✗ | ✓ |
| Works without agent cooperation | bytes only | ✗ | IDE only | ✓ |
| Tracks the model | ✗ | ✓ | ✗ | ✓ |
| Tracks reads (context) | ✗ | partial | ✗ | ✓ |
| Causal graph (upstream) | ✗ | ✗ | ✗ | ✓ |
| Causal graph (downstream) | ✗ | ✗ | ✗ | ✓ |
| Per-line provenance lens | blame | ✗ | ✗ | ✓ |
| Bisect on any predicate | ✓ | ✗ | ✗ | ✓ |
| MCP server (universal agents) | ✗ | ✗ | ✗ | ✓ |
| Local-first, no cloud | ✓ | ✗ | depends | ✓ |
| Open source | ✓ | SDK only | depends | BSL 1.1 |
MCP integration
Causari speaks Model Context Protocol natively. Drop the snippet into your agent's settings and Causari shows up as three callable tools — causari_record, causari_recall, causari_why.
Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%/Claude/claude_desktop_config.json (Windows).
{
"mcpServers": {
"causari": {
"command": "re",
"args": ["mcp"],
"cwd": "/absolute/path/to/your/project"
}
}
}
Run once in your project directory:
claude mcp add causari -- re mcp
Add to .cursor/mcp.json in your project (or in ~/.cursor/mcp.json globally).
{
"mcpServers": {
"causari": { "command": "re", "args": ["mcp"] }
}
}
Same config shape as Cursor — Windsurf surfaces the tools automatically.
{
"mcpServers": {
"causari": { "command": "re", "args": ["mcp"] }
}
}
Add to VS Code's cline_mcp_settings.json.
{
"mcpServers": {
"causari": { "command": "re", "args": ["mcp"] }
}
}
Tip: have the agent call causari_record after every tool call.
Causari builds a complete, queryable history of the session for you, automatically.
Code gallery
No mockups. This is the actual re CLI on a real session.
$ re why src/auth.ts:42
src/auth.ts:42 → introduced by event a3f7b2c9
agent: claude-3.5-sonnet
prompt: "Add JWT refresh logic that rotates every 24h"
reads: spec/auth.md, package.json
writes: src/auth.ts (lines 38-52)
reasoning:
The spec calls for refresh tokens with a 24h expiry.
I extracted the verify() helper to keep the rotation
logic testable in isolation.
$ re trace src/calc.ts:7
upstream causal cone of src/calc.ts:7 → 4 events:
├─ a1b2c3d4 align calc with new spec
│ agent: gpt-4o · prompt: "the spec changed, update calc"
│ because: writes calc.ts which is line 7's last edit
│
├─ 99f0c961 redefine sum to be a-b
│ agent: gpt-4o · prompt: "team decided sum = a-b"
│ because: edits spec.md that a1b2c3d4 read
│
└─ 6d698c97 create initial spec
agent: human · prompt: "draft spec.md"
because: created spec.md, the seed
$ re impact a1b2c3d4
downstream causal cone (blast radius): 3 events depend on a1b2c3d4
↓ 5fe6f47e align tests with new calc
reads: src/calc.ts (your event's output)
↓ 31bed399 add benchmarks for sum/diff
reads: src/calc.ts (your event's output)
↓ 0b5ae15e README: document calc API
reads: src/calc.ts (your event's output)
→ reverting a1b2c3d4 will silently invalidate the reasoning of 3 later events.
$ re bisect --good 439c5c19 --bad dbc483f9 --test "node test.js"
causari: bisecting 7 events between 439c5c19 (good) and dbc483f9 (bad)
→ step 1 — testing dbc483f9 FAIL
→ step 2 — testing 17cbc28d FAIL
→ step 3 — testing 88ec0712 OK
found: first bad event: 17cbc28d
agent: gpt-4o
prompt: "refactor sum to be more elegant"
tool: edit_file
Quick start
One line. Linux & macOS:
curl -sSf https://causari.dev/install.sh | sh
Windows (PowerShell):
iwr -useb https://causari.dev/install.ps1 | iex
SHA256-verified, ~800 KB download, installs to ~/.local/bin (or %LOCALAPPDATA%\Programs\causari on Windows). Prefer source? cargo install --git https://github.com/croviatrust/causari.
Inside any project (Rust, JS, Python — Causari is language-agnostic):
re init
Start the capture engine — the proxy sees the prompts, the watcher sees the disk, the join connects them:
re proxy # terminal 1 — point OPENAI_BASE_URL / ANTHROPIC_BASE_URL at it
re watch # terminal 2 — file changes get attributed to real prompts
Now any tool that touches the workspace is recorded — with the prompt, model, tokens and cost that caused it. Using Claude Code? re hook claude-code gives you native capture too. MCP fans: re mcp --install.
Every completed task becomes signed, reusable experience — free, local, Ed25519-verified:
re skill distill # events → signed skills (idempotent)
re skill verify # Ed25519 check the whole library
re find "jwt refresh" # skills first, then raw events
Agents recall skills automatically via MCP (causari_recall) — proven experience ranks above raw history. The same mistake is never paid twice.
Mint a signed certificate of your repo's AI provenance and a badge anyone can verify offline. No server, no account:
re proof generate # → causari-proof.json + causari-proof.svg badge
re proof verify # offline signature check — tamper fails closed
Drop the badge in your README; every visitor sees verified provenance. Generating and verifying are free forever — hosted public verification and audit-grade exports are the commercial Trust Plane.
re log
re why src/auth.ts:42
re trace src/calc.ts:7
re impact <event-id>
re bisect --test "npm test"
License & fairness
Causari is licensed under Business Source License 1.1, automatically converting to Apache 2.0 four years after each release. The rules are short and human-readable.
Yes — completely free, with no time limit. The BSL only restricts one specific use: reselling Causari itself as a hosted "causality-as-a-service". Everything else, including all internal commercial use, is permitted from day one.
Yes. Fork it, study it, ship internal forks, send PRs. The CLA keeps Croviatrust able to dual-license in the future, but every line of code you read here will become Apache 2.0 four years from its release date — written into the license itself.
Yes — completely free in the re binary. Distillation, Ed25519 signing, verification, and MCP recall all run locally at zero cost. What will be commercial is the Trust Plane on top: organization-wide signed skill registries, RFC 3161 timestamping, fleet dashboards and audit-grade compliance exports. The free tool creates the experience; the paid plane lets a company trust it at scale.
Causari is local-first by design. The ledger lives in .causari/ in your repo. No telemetry. No accounts. No phoning home. If your reasoning leaks, it's because you committed .causari/ to a public repo — and you can prevent that by adding it to .gitignore.
Because we'd rather be honest. We want to keep building Causari as the category-defining tool, and the BSL is the cleanest legal way to do that without spending the next two years on a permissive license while a hyperscaler ships a managed clone. The four-year auto-conversion makes that promise enforceable: every version eventually becomes Apache 2.0, no matter what we do.
One binary. Zero cloud. The first ten minutes will change how you ship code with agents.
curl -sSf https://causari.dev/install.sh | sh