For teams using Cursor, Claude Code, and Copilot

Your AI writes the code.
Roam tells you what else it broke.

Free open-source command-line tool that maps every function, file, and dependency in your codebase. Plus a pull-request bot, a dashboard, and a self-hosted option for teams that need them.

Apache 2.0 · Runs entirely on your machine · 27 languages · 459 stars · 6k+ installs/month

What's in the free CLI

Install once. Works on any Git repo. Indexes 100,000 lines of code in seconds. Asks the same questions a senior engineer would, before you merge.

190 CLI commands
136 tools your AI agent can call
27 languages
2,489+ community rules
54 code-quality checks
5 cross-language bridges
54 releases shipped
0 data sent back to us

pip install roam-code && roam init

Five commands cover most of what you'll do day-to-day. The other 185 are there when you need them.

roam understand - Get a guided tour of an unfamiliar codebase.
roam retrieve - Pull the right code spans for a task description.
roam context - List the exact files and line ranges to read.
roam preflight - Check what changing a function will affect.
roam critique - Verify a patch against the dependency graph.

Your AI agent talks to Roam

Roam is also a Model Context Protocol server. Your coding agent — Claude Code, Cursor, Codex, Continue, anything that speaks MCP — can call Roam's 136 tools to understand your codebase before it edits it.

  1. You install Roam locally. One command. The agent starts up alongside your editor or terminal.
  2. Your AI agent asks structural questions. What else does this function affect? Where are the tests for this? Is this a clone of another implementation?
  3. The agent writes better code. With the answers, the agent edits with the same blast-radius awareness a senior engineer would have.

Tested with Claude Code, Cursor, Windsurf, VS Code, Codex CLI, Gemini CLI. Drops into any MCP-aware editor.

Why this matters

PocketOS: the production database and three months of backups, gone in nine seconds. Thirty-hour outage. The AI agent was confident. (The Register, April 2026)

Amazon, March 2026: 6.3 million orders lost in a single outage traced to AI-assisted code. SVP Treadwell now requires senior-engineer signoff on every agent-generated change. — per CNBC, March 2026

Faros AI 2026 (22,000 developers): teams adopting AI saw bugs per developer rise +54% and incidents per PR rise +242.7%. Speed went up. So did the cleanup. (Faros AI, 2026 telemetry analysis)

What a Roam review looks like

Pipe a diff through roam critique and you get a verdict. BLOCK on high severity, REVIEW on medium, APPROVE on low. Plain output, exit codes for CI.

$ git diff main..HEAD | roam critique
VERDICT: BLOCK  (1 high, 3 medium, 0 low)
  reason: clones-not-edited (high)
         AI updated src/api/users.py:create_user but left
         src/admin/users.py:create_user (95% similar) untouched.
         Both call db.commit(); behavior will diverge.

  reason: blast-radius (medium)
         UserService.authenticate has 47 callers across
         12 files. Add tests covering the new error path.

  reason: layer-violation (medium)
         Domain layer now imports HTTP layer (requests.post).
         Move side-effect to controller.

$ echo $?
5

Exit code 5 fails CI. Same engine powers Roam Review on every pull request.

For teams: three paid options

The free CLI is the engine. These are the places teams pay so the engine runs in the right places — on every PR, in a shared dashboard, or inside your own network.

Roam Review

A second opinion on every pull request.

  • Plain verdict on every PR: BLOCK, REVIEW, or APPROVE
  • Lists everything else the change touches — callers, tests, runtime hot spots
  • Catches when AI copied a function and only updated one of the copies
  • Inline severity, confidence score, and a one-click suggested fix
  • /roam re-review and /roam explain <file> slash commands
  • Exports SARIF for GitHub Code Scanning and any compatible CI
  • Two-click install from GitHub Marketplace
$25/dev/mo Annual · Free for open-source forever · 14-day Pro+ trial

Roam Cloud

A dashboard for your code health over time. We never see your source.

  • Health, debt, and complexity tracked across every commit
  • Per-team and per-repo trend charts
  • One audit log across Cursor, Copilot, Claude Code, and Codex
  • Browse the EU AI Act Article 12 audit trail (paid tiers)
  • Stripe self-serve, no sales call
$19/repo/mo · $99/mo Team (10 repos) · $299/mo Growth · 30-day money back

Roam Self-Hosted

Roam running entirely inside your network.

  • The full Roam stack — Review, Cloud, Audit Trail — in your cluster
  • SSO/SAML, audit logs, custom rules
  • Maps cleanly to ISO 42001 and SOC 2 controls
  • EU AI Act Article 12 evidence pack ready out of the box
  • SLA, dedicated support, ready for a conformity assessment
from $15K/yr · $25K Business · $50K-$100K Enterprise · for regulated buyers

Apache 2.0: Free forever. GitHub · PyPI

The CLI sends nothing back to us: No telemetry. No analytics. No API keys. After the August 2025 CodeRabbit security breach (write access to ~1M repos), this isn't a feature — it's the minimum bar.

27 languages, 5 cross-language bridges: Python · TypeScript · PHP · Go · Rust · Java · C# · Kotlin · Scala · SQL · 17 more. Bridges resolve Salesforce Apex → Aura, REST front-end → back-end routes, Django ORM, .proto stubs, env var → config.

Compliance evidence built in: Every analysis writes a tamper-evident log file plus signed records (in-toto v1, verifiable with cosign). Wired for the EU AI Act Article 12 deadline (Aug 2, 2026).

Common questions

How is Roam different from CodeRabbit, Greptile, or Qodo?

They review what the code does — semantics. Roam reviews what the code touches — structure: callers, layers, dependency cycles, copy-paste duplicates. Different layer, different findings. Most teams keep their existing reviewer and add Roam alongside it.

Two extras most teams care about: (1) the CLI runs entirely on your machine — no PR diff is uploaded anywhere from local use, and (2) every analysis emits an EU AI Act Article 12 audit-trail entry.

Will the CLI stay free?

Yes. Forever. Apache 2.0. Free for individuals, teams, and companies of any size. We charge for the hosted PR bot, the dashboard, and the self-hosted bundle — not the local engine.

What does "EU AI Act Article 12 audit-trail support" mean?

Article 12 of the EU AI Act takes effect on August 2, 2026 for high-risk AI systems. It requires automatic event logging built into the system. Penalties go up to €15M or 3% of global turnover.

On every analysis, Roam writes two things: a tamper-evident log file (each entry chained with a SHA-256 hash to the previous one) and signed records you can verify with cosign. That's the kind of evidence a conformity assessment will ask for.

Your own conformity assessment is still on you. Run roam article-12-check on your repo for a one-page readiness score.
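
The SHA-256 chaining described in this answer, shown as an added example (not Roam's code or its log format): the entry layout, the `GENESIS` value and the function names are assumptions made for illustration. It also shows why a chain needs a head hash kept outside the file, such as in a signed record, to detect truncation or a full rewrite.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev-hash value for the first entry


def entry_hash(prev_hash, payload):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + body).encode("utf-8")).hexdigest()


def append(log, payload):
    """Append an entry whose hash commits to every entry before it."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "payload": payload, "hash": entry_hash(prev, payload)})


def verify(log, expected_head=None):
    """Return (ok, index): index is the first broken entry, or len(log) when the
    links are intact but the final hash differs from expected_head."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["payload"]):
            return False, i
        prev = entry["hash"]
    # A head hash held outside the file (e.g. in a signed record) is what
    # catches truncation or a consistent rewrite of the whole chain.
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None


def build_sample_log():
    """Constructed sample entries; the field names are illustrative only."""
    log = []
    for seq, verdict in enumerate(["APPROVE", "BLOCK", "REVIEW"], start=1):
        append(log, {"seq": seq, "event": "analysis", "verdict": verdict})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["hash"]
    print(verify(log, head))                  # intact chain
    log[1]["payload"]["verdict"] = "APPROVE"  # edit a past entry in place
    print(verify(log, head))                  # first broken entry is index 1
    print(verify(log[:1]), verify(log[:1], head))  # truncation needs the head
```

Without `expected_head`, a truncated or fully recomputed chain still verifies, so the head hash has to come from somewhere an editor of the log file cannot also rewrite.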

Does any of my source code leave my machine?

From the CLI: no. It runs locally and only writes a SQLite file inside your repo's .roam/ directory.

From Roam Cloud: metrics only — health scores, complexity numbers, dependency counts. Never source code.

From Roam Review: the PR diff is processed in our cloud (or yours, if you self-host). Same scope as any other PR-bot product. The CodeRabbit August 2025 breach (Kudelski writeup) is a useful reminder: ask any PR-bot vendor what's in their threat model.

Does Roam fit into my CI?

Yes. roam --sarif health exports findings in the SARIF 2.1.0 format, which GitHub Code Scanning, GitLab, and most CI platforms understand natively. Ready-to-drop GitHub Actions templates ship with the package. roam critique returns exit code 5 on any high-severity finding so a CI step can gate on it.

Want help getting started?

Our AI Agent Readiness Audit walks your team through Roam adoption, threat-modelling for AI-assisted changes, and EU AI Act Article 12 readiness. Three tiers ($1.8K / $4.5K / $12K) depending on team size and depth. Email [email protected].