What Roam is for
Roam is the local codebase intelligence layer for developers and coding agents. It gives AI coding agents a map of your repo — callers, clones, tests, layers, hot paths, dependencies, git history, smells, security flows, and algorithmic patterns — compiled locally into a SQLite graph. AI agents write code; Roam gives them the structural context they do not have by default.
On top of that engine, Roam compiles trustworthy evidence for AI-assisted software change: who acted, what authority existed, what context was read, what changed, what could break, what policy applied, what verified it, who accepted risk. When the run ledger and proof-bundle flow is enabled, Roam writes tamper-evident audit-trail entries and verifiable evidence records, so a reviewer can replay the work after the fact. Roam maps to and supports evidence for SOC 2 CC8.1, ISO 42001, and internal AI-governance controls — it does not certify compliance with any framework.
One concrete differentiator is algorithmic risk review (roam math, alias roam algo): code that is correct but computationally wrong — the class of patterns AI agents ship that pass tests and fail at scale. Nested-loop O(n²) lookups, N+1 queries, regex compiled inside hot loops, repeated JSON parsing, quadratic string concatenation, branching recursion without memoisation. Linters operate on tokens. Semantic AI reviewers operate on diff text. Roam operates on the diff as a graph mutation, so it catches the structural class those layers miss.
Roam complements existing review layers. Linters, SAST, and AI semantic reviewers (CodeRabbit, Greptile, Qodo) operate on the diff as text. Roam operates on the diff as a graph mutation. Different layer, different bugs. Most teams that ship serious AI-generated code want both signals — see how Roam compares to the semantic reviewers.
Why now
2025–2026 changed how teams ship code. Senior engineers stopped being the only people writing PRs; agents started shipping them too. The tooling kept up on the generate side and not on the verify side. Public reports show why teams are asking for stronger code-change gates:
- PocketOS — the founder reported that an AI coding agent deleted a production database and attached backups in seconds; the lesson is authorization and recovery controls, not "better prompts" (Zenity incident analysis, 2026).
- Amazon — Business Insider reported a 90-day reset of code-change controls after major outages; Amazon said only one reviewed incident was AI-related and not caused directly by generated code, which makes this a code-control example rather than an AI-causality claim (Business Insider, March 2026).
- Faros AI 2026 telemetry — a vendor report correlates high AI adoption with higher downstream review and quality pressure, including bugs per developer and incidents per PR; treat it as telemetry signal, not causal proof (Faros AI engineering report, 2026).
Roam's assurance layer is built on top of that local intelligence engine. The CLI runs locally under Apache 2.0 and stays free forever. Paid layers sit on top when teams want continuous review, hosted dashboards, or a paid audit of the last quarter: the PR Replay audit is the fastest path from "I'd like to know what Roam would have caught on my repo" to a written report.
- PR Replay audit — paid one-shot replay against your last 5 / 30 / 90 PRs. Free DIY sample, Team $2,500, Deep $6,000. 50% of the fee credits toward Roam Review.
- Agent Governance Evidence Pack — control mapping, sample audit report, and evidence checklist for SOC 2 / ISO 42001 / EU AI Act reviewers.
- Trust posture — data handling, retention, and processing locations per product surface.
Who built it
Roam is built by Dimitris (handle: Cranot), a sole-trader operating from Athens, Greece. Solo founder; the company structure is a Greek atomiki epicheirisi (sole proprietorship). Customer-funded, no external investors. No exit plan beyond "build something useful and stay independent."
Find me on GitHub, or email hello@roam-code.com.
What we believe
- Code stays on your machine by default. The CLI does not phone home. No telemetry, no analytics, no "anonymous usage data." Roam Cloud receives metrics only — never source code. Roam Review processes PR diffs ephemerally to render verdicts; private-deployment pilots are scoped separately when hosted processing is blocked by policy. See the privacy page for the full data-flow per product.
- Verifiable claims beat marketing copy. Every analysis Roam runs writes a tamper-evident audit-trail file plus signed records (in-toto v1, verifiable with cosign). The kind of evidence SOC 2, ISO 42001, and internal AI-governance policies want to see. We don't ask you to trust us; we give you the receipts.
- Open source is the default for the engine. Apache 2.0. Fork it, audit it, ship a competitor. The CLI will stay free forever — we make money from the hosted layers, not from gatekeeping the engine.
- Privacy is the floor, not a feature. Zero cookies, zero tracking, zero analytics on this site (see the receipt). After the August 2025 CodeRabbit RCE that leaked write access to ~1M repos, careful data-handling stopped being a differentiator and became the minimum bar.
- EU is home, not a market. Built in Athens. Made in the EU. GDPR-native. The EU AI Act is the regulation we'll feel first — even where the obligations don't apply directly, we'd rather build for the trajectory than retrofit later.
Funding model
Roam is customer-funded. The free CLI exists because it earns the right to charge for the paid layers — PR Replay engagements today, Roam Review (hosted continuous review) and Roam Cloud (shared metrics dashboard) as early-access products, and scoped private-deployment pilots when hosted processing is blocked by policy. No VC, no acquisition track. The company stays small enough to answer email personally. See pricing for the per-tier breakdown and /audit for the paid PR Replay engagement.
Roadmap
See the changelog for what's shipped. Near-term: GitHub App MVP for Roam Review, Cloud dashboard scaffold, more cross-language bridges. Each ships when it ships; we don't pre-announce roadmap items because plans are guesses until they're code.
Where to find us
- Site: roam-code.com
- Docs: roam-code.com/docs/
- GitHub (engine, Apache 2.0): github.com/Cranot/roam-code
- PyPI (free CLI): pypi.org/project/roam-code
- Paid PR Replay audit: /audit
- Governance evidence pack: /governance · trust posture: /trust
- Pricing: /pricing · compare with semantic reviewers: /compare
- Email: hello@roam-code.com
- Security disclosures: security@roam-code.com (see policy)
Want to write about Roam? See the press kit for logos and screenshots.