Agents write the code.
The graph keeps the truth.
AI agents now produce a huge share of the world's new code — and every hour saved writing it is being spent wondering whether to trust it. We're building the missing layer: one local code graph that helps an agent write, merges what it wrote, and proves what it did — on the pull request, where trust is actually decided.
The bottleneck moved.
For seventy years the scarce resource in software was writing it. That era just ended. An agent drafts in minutes what a team used to ship in a sprint — and the cost didn't disappear, it moved downstream. Now the questions pile up at review time: What did it actually change? What does that change touch? Did anything test it? Why is there a CI file in this diff?
The industry's answer so far has been to point a second model at the output of the first and ask it to vibe-check the work. We think reviewers deserve better than vibes.
Your codebase already contains the truth. Every function knows its callers. Every test knows what it exercises. Every change has a blast radius that is a fact of structure, not a matter of opinion. Grove turns that structure into a persistent, local graph — and everything we build follows from one idea:
If the graph is good enough to help an agent write code, it's good enough to merge that code — and to explain it to the human who has to say yes.
Prism · write with context
A task hits a codebase the way white light hits glass. Prism refracts it: definitions, callers, structurally related tests, coverage gaps — ranked by the graph, budgeted in tokens, delivered before the agent writes a line.
The agent stops grepping and starts knowing. Better context in; fewer hallucinated edits out; and a session that costs less because the graph did the searching.
Every token spent re-discovering the codebase is a token not spent on the change.
Fuse · merge with confidence
Parallel agents collide where parallel humans always have: at merge time. But agents collide more often, at higher speed, in the same files. Line-based merging was never built for this.
Fuse merges at the symbol level — it resolves what is structurally compatible and trips safely on what isn't, handing the conflict to an agent with the full context of both sides. Like its electrical namesake: when something's wrong, it breaks the circuit before the circuit burns. Every merge leaves drift evidence behind.
Two lines touching the same region isn't a conflict. Two changes breaking the same contract is.
Shale · review with evidence
A session settles into strata: the intent that was declared, the files that were touched, the checks that ran, the gaps that remain. Shale compacts a messy agent session into thin, readable layers on the pull request — evidence, not summary.
It is deliberately honest about uncertainty. It shows what it observed and admits what it didn't, because a trust tool that overclaims is worse than no tool at all. Advisory, never gatekeeping. No server, no account, no transcript ever leaving the machine.
Every AI-agent PR should explain itself.
One graph. The whole loop.
Plenty of tools do one of these things. Context retrieval is a feature. Merge tooling is a feature. PR summaries are a feature. The product is the loop: the same graph that delivers context to the agent verifies the merge and renders the evidence — so provenance survives from the first token the agent reads to the moment a human clicks approve. And the entire loop runs on your machine. No server. No account. No code leaving home.
The road to the proof layer.
The three moments, covered.
Prism delivers graph-ranked context. Fuse is a registered git merge
driver doing symbol-aware three-way merges. Shale renders intent,
evidence, checks, and gaps as a PR card. Grove holds the graph under
all of it. One brew tap, one init per repo, Apache-2.0 everywhere.
The PR card learns to read the graph.
Shale's card stops listing files and starts explaining structure (RFC #5):
- Changed symbols, not just changed files — and their blast radius in callers, handlers, and middleware.
- Structurally related tests, matched against the checks the agent actually ran locally.
- Out-of-neighborhood changes — the deploy workflow edited in an auth PR with no structural link to the rest of the diff — surfaced as review focus, not buried on page four.
- Risk badges grounded in facts: exported API changed, sensitive path, no related tests found, git-fallback evidence only.
Every change carries its own proof.
The end state we're building toward: a development loop where provenance is continuous. The context an agent consumed (Prism), the merges its work survived (Fuse), and the evidence of what it did (Shale) chain together into a record that travels with the code — reviewable by a human in thirty seconds, auditable by a machine forever. Fleets of agents working in parallel on one repo, merging without fear, opening PRs that argue their own case. The reviewer's job stops being archaeology and becomes judgment.
Prova + sign: agent work that can prove itself. That's not a feature on a roadmap. It's the point.
Written by agents.
Trusted by structure.
Proven on the PR.
All of it open source. All of it local-first. All of it five minutes
from brew tap provasign/shale to your first evidence card.