# roam-code

> Give every AI coding agent a map of your repo before it edits — and a tamper-evident record of what it did.

Roam parses a repo into a local SQLite-backed graph, then turns that graph into retrieval, algorithmic judgment, change-safety checks, and portable `ChangeEvidence` packets.

**Maps before agents edit. Gates before they merge. Evidence after every run.** Source and evidence stay on the machine unless the user explicitly sends them elsewhere.

roam-code (`pip install roam-code`, Python 3.10+) is a local code-graph engine. It parses your repo once, stores structural facts in a local SQLite graph (symbols, dependencies, call graphs, architecture layers, git history, runtime traces), and exposes the graph through 241 CLI commands and 227 MCP tools (57 in the default `core` preset) across 28 languages. AI agents (Claude Code, Cursor, Codex, Aider, your own) call it before, during, and after every change.

Every AI-assisted change compiles into one portable `ChangeEvidence` packet (HMAC-chained run ledger + signed Code Graph Attestation + signed PR bundle) that answers the eight evidence questions: *who acted, what authority existed, what context was read, what changed, what could break, what policy applied, what verified it, who accepted risk*. Cursor logs the run; Roam proves the change.

The senses Roam gives an agent — each tied to one engineering question agents miss:

- **Codebase sight**: "What does this repo do? What should I read?" -> understand, map, tour, describe, minimap
- **Context retrieval**: "Pull the exact spans I need." -> retrieve, context, search-semantic, agent-context
- **Change safety**: "What breaks if I edit this?" -> preflight, impact, affected-tests, diff, guard
- **PR review**: "Did the AI miss a clone, a caller, a test?" -> critique, pr-analyze, pr-risk, pr-comment-render
- **Algorithmic judgment** (the differentiator): "Is this correct but slow?" -> math/algo, n1, missing-index, hotspots
- **Architecture governance**: "Is the architecture drifting?" -> layers, clusters, spectral, health, budget, fitness, dark-matter, architecture-drift
- **Refactor safety**: "Can I simulate this first?" -> simulate, mutate, safe-delete, closure, plan-refactor
- **Multi-agent coordination**: "Can agents work in parallel?" -> fleet, partition, orchestrate, agent-plan
- **Evidence + compliance**: "Can we prove what was checked?" -> attest, cga, audit-trail-export, audit-trail-verify, --sarif

The differentiator: roam math (alias roam algo) detects code that is "correct but computationally wrong" — accidental O(n^2) nested-loop lookups, N+1 queries, regex compiled inside hot loops, repeated JSON parsing, Django QuerySet count/existence misses, pandas row loops, quadratic string concatenation, branching recursion without memoisation, expensive work in request/render loops. The built-in runtime surface is 58 detectors (34 catalog tasks + 24 Python idioms), with plugin detectors included in discovery when registered. This is exactly the class of patterns AI agents ship that pass tests and fail at scale, and nothing else in the AI-code-review space catches it deterministically.

Roam complements linters, SAST, and AI semantic reviewers — it answers graph-aware change questions they don't. Evidence stays on your machine and hash-verifies offline. No telemetry; 100% local by default (opt-in `metrics-push` is the only outbound surface). Apache 2.0. 28 languages supported.

## Products

Status as of 2026-05-18: the Free CLI is live (PyPI). PR Replay is available via email while checkout is being finalized. Roam Review and Roam Cloud are early access / planned hosted layers. Roam Self-Hosted is a customer-pulled private-deployment pilot path, not a packaged GA product. See https://roam-code.com/status for the operational state.

- [Free CLI](https://pypi.org/project/roam-code/) — `pip install roam-code`. The full engine. Always free, forever. **Live today.**
- [Roam Review](https://roam-code.com/#review) — flat tiers from $99/mo (Starter $99, Team $299, Business $799, Scale $1,499). PR bot that posts a structural-risk verdict on every pull request. Usage caps with no surprise overage. **Early access.**
- [Roam Cloud](https://roam-code.com/#cloud) — from $19/repo/mo (Team $99/mo, Growth $299/mo). Hosted dashboard for code-health metrics over time. Source code never uploaded; metrics-only payload. **Early access.**
- [Roam Self-Hosted](https://roam-code.com/#self-hosted) — private-deployment pilots scoped by SOW for regulated buyers that cannot use hosted Review or Cloud. **Customer-pulled.**
- [PR Replay](https://roam-code.com/audit) — one-shot paid audit. Sample (free / DIY) · Team ($2,500) · Deep ($6,000). 50% credits toward a Roam Review subscription within 60 days. **Available today via email**; self-serve checkout launches with Review.

## Key links

- Docs: https://roam-code.com/docs/
- GitHub: https://github.com/Cranot/roam-code
- PyPI: https://pypi.org/project/roam-code/
- Landing page: https://roam-code.com/
- Setup (agent integration): https://roam-code.com/setup
- Pricing: https://roam-code.com/pricing
- PR Replay (paid audit): https://roam-code.com/audit
- Compare vs CodeRabbit/Greptile/Qodo: https://roam-code.com/compare
- Status: https://roam-code.com/status
- MCP server card: https://roam-code.com/.well-known/mcp-server-card.json

## Compliance

- Tamper-evident audit trail: every analysis can emit in-toto v1 attestations and a SHA-256-chained audit-trail JSONL file. Designed as supporting evidence for SOC 2 CC8.1 (change management), ISO 42001 (AI management system), and internal AI-governance review.
- `roam article-12-check` is a scoping/readiness assessment for buyers who actually fall under EU AI Act Article 12 (Annex III high-risk AI providers). Code-generation tooling itself is not Annex III — Article 12 applies to Roam's outputs only when the buyer's product is in scope.
- License: Apache-2.0

## Differentiation

Roam reviews what code *touches* (callers, layers, dependency cycles, copy-paste duplicates). Other AI code reviewers (CodeRabbit, Greptile, Qodo) review what code *does* (semantics). Different layer; most teams use both. The CLI running entirely on the user's machine is load-bearing for trust after the August 2025 CodeRabbit RCE that exposed write access to ~1M repos.
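
How an offline check of a SHA-256-chained audit-trail JSONL file, as named under Compliance, can work in principle. This is an added example, not Roam's code or file format: the record layout (`prev`, `event`, `hash`), the all-zero genesis value, the canonical-JSON rule and the sample events are all assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first record (not Roam's format)


def record_hash(prev, event):
    # Canonical JSON (sorted keys, no whitespace) keeps the digest reproducible.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode("utf-8")).hexdigest()


def append(lines, event):
    prev = json.loads(lines[-1])["hash"] if lines else GENESIS
    rec = {"prev": prev, "event": event, "hash": record_hash(prev, event)}
    lines.append(json.dumps(rec))


def verify(lines, expected_head=None):
    """Return (ok, index of the first bad record or None)."""
    prev = GENESIS
    for i, line in enumerate(lines):
        try:
            rec = json.loads(line)
            ok = rec["prev"] == prev and rec["hash"] == record_hash(prev, rec["event"])
        except (ValueError, KeyError, TypeError):
            ok = False  # a malformed line counts as a break in the chain
        if not ok:
            return False, i
        prev = rec["hash"]
    # Dropping tail records leaves a valid shorter chain, so compare the final
    # digest with a head value pinned outside the file when one is available.
    if expected_head is not None and prev != expected_head:
        return False, len(lines)
    return True, None


def demo():
    log = []  # constructed sample events, hypothetical field names
    for ev in ({"actor": "agent-1", "action": "preflight", "verdict": "warn"},
               {"actor": "agent-1", "action": "edit", "path": "app/db.py"},
               {"actor": "alice", "action": "accept-risk"}):
        append(log, ev)
    head = json.loads(log[-1])["hash"]
    edited = list(log)
    rec = json.loads(edited[0])
    rec["event"]["verdict"] = "pass"  # rewrite history in record 0
    edited[0] = json.dumps(rec)
    return verify(log, head), verify(edited, head), verify(log[:2]), verify(log[:2], head)
```

An unkeyed chain can be recomputed end to end by anyone able to rewrite the whole file, so the guarantee rests on the head digest being pinned or signed somewhere the writer cannot change.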