What Roam is for
Roam is the local codebase intelligence layer for developers and coding agents. It gives every AI coding agent a map of your repo — callers, clones, tests, layers, hot paths, dependencies, git history, smells, security flows, and algorithmic patterns — compiled locally into a SQLite graph. AI agents write code; Roam gives them the structural context they do not have by default.
On top of that engine, Roam compiles trustworthy evidence for AI-assisted software change: who acted, what authority existed, what context was read, what changed, what could break, what policy applied, what verified it, who accepted risk. Every analysis writes a tamper-evident audit-trail entry plus signed in-toto v1 records, so a reviewer can replay the work after the fact. Roam maps to and supports evidence for SOC 2 CC8.1, ISO 42001, and internal AI-governance controls — it does not certify compliance with any framework.
One concrete differentiator is algorithmic risk review (roam math, alias roam algo): code that is correct but computationally wrong — the class of patterns AI agents ship that pass tests and fail at scale. Nested-loop O(n²) lookups, N+1 queries, regex compiled inside hot loops, repeated JSON parsing, quadratic string concatenation, branching recursion without memoisation. Linters operate on tokens. Semantic AI reviewers operate on diff text. Roam operates on the diff as a graph mutation, so it catches the structural class those layers miss.
Roam complements existing review layers. Linters, SAST, and AI semantic reviewers (CodeRabbit, Greptile, Qodo) operate on the diff as text. Roam operates on the diff as a graph mutation. Different layer, different bugs. Most teams that ship serious AI-generated code want both signals — see how Roam compares to the semantic reviewers.
Why now
2025–2026 changed how teams ship code. Senior engineers stopped being the only people writing PRs; agents started shipping them too. The tooling kept up on the generate side and not on the verify side. We saw the bills come in:
- PocketOS — production database plus three months of backups deleted in nine seconds by an over-confident agent (incident discussion, Hacker News).
- Amazon — outages including one linked to an internal AI coding tool; SVP Dave Treadwell ordered a 90-day reset on internal code controls (Business Insider, March 2026).
- Faros AI 2026 telemetry — bugs per developer up 54%, incidents per PR up 242.7% on AI-adopting teams (Faros AI engineering benchmarks, 2026).
Roam's assurance layer is built on top of that local intelligence engine. The CLI runs locally under Apache 2.0 and stays free forever. Paid layers sit on top when teams want continuous review, hosted dashboards, or a paid audit of the last quarter: the PR Replay audit is the fastest path from "I'd like to know what Roam would have caught on my repo" to a written report.
- PR Replay audit — paid one-shot replay against your last 5 / 30 / 90 PRs. Free DIY sample, Team $2,500, Deep $6,000. 50% of the fee credits toward Roam Review.
- Agent Governance Evidence Pack — control mapping, sample audit report, and evidence checklist for SOC 2 / ISO 42001 / EU AI Act reviewers.
- Trust posture — data handling, retention, and processing locations per product surface.
Who built it
Roam is built by Dimitris (handle: Cranot), a sole-trader operating from Athens, Greece. Solo founder; the company structure is a Greek atomiki epicheirisi (sole proprietorship). Customer-funded, no external investors. No exit plan beyond "build something useful and stay independent."
Find me on GitHub, or email hello@roam-code.com.
What we believe
- Code stays on your machine by default. The CLI does not phone home. No telemetry, no analytics, no "anonymous usage data." Roam Cloud receives metrics only — never source code. Roam Review processes PR diffs ephemerally to render verdicts; private-deployment pilots are scoped separately when hosted processing is blocked by policy. See the privacy page for the full data-flow per product.
- Verifiable claims beat marketing copy. Every analysis Roam runs writes a tamper-evident audit-trail file plus signed records (in-toto v1, verifiable with cosign). The kind of evidence SOC 2, ISO 42001, and internal AI-governance policies want to see. We don't ask you to trust us; we give you the receipts.
- Open source is the default for the engine. Apache 2.0. Fork it, audit it, ship a competitor. The CLI will stay free forever — we make money from the hosted layers, not from gatekeeping the engine.
- Privacy is the floor, not a feature. Zero cookies, zero tracking, zero analytics on this site (see the receipt). After the August 2025 CodeRabbit RCE that leaked write access to ~1M repos, careful data-handling stopped being a differentiator and became the minimum bar.
- EU is home, not a market. Built in Athens. Made in the EU. GDPR-native. The EU AI Act is the regulation we'll feel first — even where the obligations don't apply directly, we'd rather build for the trajectory than retrofit later.
Funding model
Roam is customer-funded. The free CLI exists because it earns the right to charge for the paid layers — PR Replay engagements today, Roam Review (hosted continuous review) and Roam Cloud (shared metrics dashboard) as early-access products, and scoped private-deployment pilots when hosted processing is blocked by policy. No VC, no acquisition track. The company stays small enough to answer email personally. See pricing for the per-tier breakdown and /audit for the paid PR Replay engagement.
Roadmap
See the changelog for what's shipped. Near-term: GitHub App MVP for Roam Review, Cloud dashboard scaffold, more cross-language bridges. Each ships when it ships; we don't pre-announce roadmap items because plans are guesses until they're code.
Where to find us
- Site: roam-code.com
- Docs: roam-code.com/docs/
- GitHub (engine, Apache 2.0): github.com/Cranot/roam-code
- PyPI (free CLI): pypi.org/project/roam-code
- Paid PR Replay audit: /audit
- Governance evidence pack: /governance · trust posture: /trust
- Pricing: /pricing · compare with semantic reviewers: /compare
- Email: hello@roam-code.com
- Security disclosures: security@roam-code.com (see policy)
Want to write about Roam? See the press kit for logos and screenshots.