Comparison
Roam is its own category: local-CLI agent-assurance.
Cloud-IDE agents (Cursor, Cody, Windsurf, Continue, Sweep, Claude Code)
are human-first surfaces that log a session. Cloud semantic
reviewers (CodeRabbit, Greptile, Qodo) read the diff as text on a vendor
server. Roam is an agent-first CLI + MCP server that gates the change
and emits proof — credential-free, zero network egress by default (opt-in metrics-push is the only outbound surface), and a
portable tamper-evident ChangeEvidence packet (optionally
cosign-signed) answering eight evidence questions per AI-assisted change.
Among the products surveyed as of ,
we did not find a direct substitute for this trio. Vendor pages cited
under methodology.
Three categories, three different questions
Before comparing vendor tables, name the category. These three product shapes answer different questions for different consumers. Comparing across categories is apples to oranges to evidence packets.
Cloud-IDE agent
"Help me write code."
Cursor, Sourcegraph Cody Enterprise, Windsurf, Continue, Sweep,
Claude Code. Human-first IDE or CLI surface. Vendor account +
cloud LLM endpoint required. Audit logs answer who ran what.
Cloud semantic reviewer
"Does this PR make sense?"
CodeRabbit, Greptile, Qodo, SonarQube Cloud. Reads the diff as
text on a vendor server. Catches logic bugs, naming drift,
intent mismatches. Source uploaded; self-host is enterprise-tier.
Local-CLI agent-assurance
"Was this change structurally understood and recorded?"
Roam. Agent-first CLI + MCP server. Local SQLite
graph of symbols, callers, layers, runtime hot spots, clones;
preflight + blast-radius + critique gates; portable
ChangeEvidence packet answering eight evidence
questions per change.
Roam composes with the other two categories — keep your IDE agent
for code generation, keep your semantic reviewer for intent checks,
add Roam underneath for the structural + evidence layer.
A separate tier of MCP gateways (Lasso, Portkey, Interlock)
sits between the agent and its tools; Roam emits evidence
such gateways can consume — they are not direct comparisons.
See the trio end-to-end:
the canonical 5-minute demo
walks install → health → preflight → critique →
portable ChangeEvidence packet without leaving the laptop.
Inside review: four sub-layers, Roam owns two
Within the review half of the picture, four sub-layers answer different questions. A healthy setup runs all four; Roam covers the bottom two.
1. Semantic
Does the code make sense?
CodeRabbit, Greptile, Qodo. Reads the diff as text. Catches
logic bugs, missing error paths, intent drift.
2. Static
Does it violate rules?
SonarQube, Semgrep, ast-grep, ESLint. Insecure patterns, taint
violations, banned APIs. Rule-based and language-aware.
3. Structural
What else does it touch?
Roam. Reads the diff as a graph mutation:
callers, tests, clones, runtime hot spots, layer violations,
blast radius.
4. Algorithmic
Is it correct but slow?
Roam. Deterministic detectors for O(n²)
nested-loop lookups, N+1 queries, regex compiled in hot loops,
repeated JSON parses, quadratic string concat, branching
recursion without memoisation — patterns AI agents ship that
pass tests and fail at scale.
Roam adds structural + algorithmic review without replacing the semantic or static layers. The flat-tier pricing is intentional: add two review layers without a per-seat headcount conversation.
Side-by-side 1 of 2: against cloud semantic reviewers
CodeRabbit, Greptile, Qodo, and SonarQube focus on the cloud semantic reviewer category. Roam complements them with a local structural, algorithmic, and evidence layer. Each cell links to a vendor-page citation below; if we've mischaracterised a capability, email us and we'll update.
| | Roam | CodeRabbit | Greptile | Qodo | SonarQube |
|---|---|---|---|---|---|
| Reviews what the code touches (callers, layers, cycles) | Yes | Limited | Limited | Limited | Yes |
| Reviews what the code does (semantics) | Limited | Yes | Yes | Yes | Limited |
| Catches the clone-not-edited bug AI keeps shipping | Yes | Not advertised | Not advertised | Not advertised | Not advertised |
| Runs locally — source never uploaded | Yes | Cloud* | Cloud* | Cloud* | Yes (paid) |
| Tamper-evident review attestations (in-toto v1, cosign-verifiable) | Yes | Not advertised | Not advertised | Not advertised | Not advertised |
| Exposes the code graph to agents via MCP | Yes (server)*** | Consumes MCP*** | Consumes MCP*** | Enterprise tier*** | Yes (Oct 2025)*** |
| Open source | Apache 2.0 | No | No | No | Community ed. |
| Free tier for individuals | Yes, forever | Free tier | Trial + OSS | Developer tier | Community ed. |
| Starting price (team tier) | from $99/mo flat (additive to your semantic reviewer) | $24/dev/mo** | $30/seat/mo + usage | $30/user/mo** | from $32/mo (LOC-based) |
*self-host or private deployment is vendor-specific and generally enterprise-scoped.
**annual billing where listed (Qodo lists $38 monthly / $30 annual).
***Roam exposes the code graph as an MCP server (agents call roam tools directly); CodeRabbit lists MCP connections, Greptile lists external-app connections, Qodo lists Enterprise MCP tools, and SonarQube ships an MCP server plus Cloud-native MCP.
Side-by-side 2 of 2: against cloud-IDE agents
Cursor, Cody, Aider, Windsurf, Continue, Sweep, and Claude Code focus on the cloud-IDE-agent category — they write code with the developer. Roam runs underneath as a local assurance layer. Three axes — credentials required, network egress required, and primary audience — differ between Roam and the products in this cohort based on each vendor's public documentation.
| | Roam | Cursor | Cody | Aider | Windsurf | Continue | Sweep | Claude Code |
|---|---|---|---|---|---|---|---|---|
| Primary surface | CLI + MCP | IDE | IDE + web | CLI | IDE + JetBrains | IDE-agnostic | JetBrains IDE | CLI agent |
| Credentials required | None | Account + LLM tokens | Enterprise contract¹ | LLM API key (BYOK) | Account | BYOK + OAuth | Account | Anthropic API key |
| Network egress required | None | Cloud agents | Cloud or self-host + LLM | LLM endpoint | Optional (self-host)² | LLM endpoint | Cloud-managed | LLM endpoint |
| Audience | AGENT-first (CLI fallback) | HUMAN-first | HUMAN-first | HUMAN-first | HUMAN-first | HUMAN-first | HUMAN-first | AGENT-first |
| Compliance certifications⁴ | Not currently certified; see /trust for posture³ | SOC 2 (vendor-stated) | SOC 2 + ISO 27001 (vendor portal) | None advertised | SOC 2 Type II + FedRAMP High + HIPAA (vendor-stated) | None advertised | SOC 2 (vendor-stated) | None advertised |
| Audit / evidence shape | HMAC run ledger + ChangeEvidence packet (8 questions) | Enterprise audit logs | Activity audit log | git history only | SSO/SCIM/RBAC + session audit | None | None advertised | Session transcript |
| Structural depth | Cycles, PageRank, Louvain, spectral, dark matter, world model, N+1, taint — 28 langs | Embedding search | Precise xref + cross-repo | Tree-sitter repo map | Codemaps (visual) | Semantic search | None visible | Reads files |
| Roam relationship | — | Complementary | Complementary (enterprise tier) | Complementary | Complementary | Consumes Roam via MCP | Different surface (JetBrains) | Consumes Roam via MCP |
¹ Sourcegraph deprecated Cody Free + Pro on 2025-07-23. Cody now sits inside Sourcegraph's enterprise platform; the public pricing page lists an Enterprise plan starting at $16K rather than a self-serve seat price. Sourcegraph positions Amp as the consumer/team agentic successor.
² Windsurf supports cloud / hybrid / self-hosted deployment with offline install; the self-hosted path still contacts an LLM endpoint by default.
³ Roam has no hosted service to certify: the CLI runs locally, and by default neither source, index, nor evidence leaves the developer's machine. Roam itself is not a substitute for a hosted vendor's compliance program — it can, however, produce artefacts that support evidence for SOC 2 CC8.1, ISO 42001, and similar AI-governance controls.
⁴ Certification rows reflect each vendor's own public claims as of the verification date below — Roam has not independently audited any third-party certificate.
Sources verified — see methodology below for full citations.
Methodology
Every cell in this table is a verifiable claim. Where we say "Limited" or "Not advertised", we mean we could not find the capability documented on the vendor's public pages as of the verification date below. If you're a vendor and we got something wrong, email hello@roam-code.com and we'll update.
Sources verified
- CodeRabbit: pricing — coderabbit.ai/pricing; product capabilities — coderabbit.ai. Pro tier: $24/user/mo annual; Free tier includes PR summarization and IDE/CLI reviews; Enterprise lists self-hosting, RBAC, SSO, and audit logging.
- Greptile: pricing — greptile.com/pricing; product — greptile.com. Pro tier: $30/seat/mo with 50 reviews included per seat and $1 additional reviews; Enterprise lists self-hosting.
- Qodo: pricing — qodo.ai/pricing; product — qodo.ai. Teams tier: $30/user/mo annual, $38 monthly; Enterprise lists MCP tools, on-prem, and air-gapped deployment.
- SonarQube: pricing — sonarsource.com/plans-and-pricing; MCP announcements — standalone MCP server and native Cloud MCP. Cloud Team starts at $32/mo for private projects up to 100k LOC.
- Cursor: pricing and enterprise feature list — cursor.com/pricing. Teams lists shared team context, SSO, privacy mode, analytics, and centralized billing; Enterprise lists SCIM, AI code tracking API, audit logs, granular admin controls, and pooled usage.
- Sourcegraph Cody / Amp: plan deprecation — sourcegraph.com/blog/changes-to-cody-free-pro-and-enterprise-starter-plans; enterprise pricing — sourcegraph.com/pricing; security portal — security.sourcegraph.com. Cody Free + Pro ended on 2025-07-23; Sourcegraph pricing now lists an Enterprise platform starting at $16K.
- Aider: homepage — aider.chat. v3.0 ships internal debugger + NL query interpretation; no native MCP, no governance surface; BYOK LLM.
- Windsurf: security — windsurf.com/security. SOC 2 Type II certification, FedRAMP High accreditation, HIPAA posture, Cloud / Hybrid / Self-hosted tiers, and detailed data-flow notes are documented there.
- Continue.dev: MCP transports — docs.continue.dev/customize/deep-dives/mcp; changelog — changelog.continue.dev. Stdio + SSE + streamable-http with OAuth on MCP servers.
- Sweep AI: product + pricing — sweep.dev, docs.sweep.dev/pricing. Current public surface is a JetBrains coding assistant with proprietary LLMs, zero third-party retention claims, MCP changelog entries, and SOC 2 compliance language.
- Claude Code: Anthropic's official CLI agent; consumes MCP servers including Roam.
- Roam: pricing — /pricing; product — homepage; source — github.com/Cranot/roam-code.
How we mark each cell
- Yes — capability documented on the vendor's marketing or docs page
- Limited — partial capability documented, or the capability appears on enterprise-only or undocumented surfaces
- Not advertised — we could not find the capability documented; this is verifiable via vendor pages above
Why "alongside", not "instead of"
Semantic review (CodeRabbit, Greptile, Qodo) reads the diff as text and asks "does this make sense semantically?" Structural review (Roam) reads the diff as a graph mutation and asks "what else does this touch?" Teams shipping AI-assisted changes often want both signals side by side.
Our pricing assumes you keep your existing reviewer: Roam Review at $99-$1,499/mo flat is additive to $24-30/dev/mo for the semantic reviewer, not a replacement. Flat tiers cap your Roam spend regardless of team size.
Try Roam alongside your current reviewer
Start with the canonical 5-minute demo —
install → health → preflight
→ critique → portable evidence packet, all locally.
Or run the free 5-PR DIY sample on your repo:
pip install roam-code && roam pr-replay --tier sample.
For a written report on your last 30 or 90 PRs scored against the current detector set, commission a paid PR Replay engagement — Team ($2,500) and Deep ($6,000) on /audit. 50% of the fee credits toward a Roam Review subscription within 60 days.