A context governor for coding agents. Graft enforces read policy so agents consume the smallest structurally correct view of a codebase instead of dumping raw files into their context window.
What it is: Graft sits between your AI coding agent and the filesystem. Instead of dumping entire files into the context window, it returns the minimum structurally correct view — full content for small files, AST-derived outlines for large ones, hard refusals for secrets and binaries. Tool responses carry receipts so agents know exactly how much context they've consumed.
Why you want it: Agents that read files naively fill their context window with lockfiles, minified output, and 2,000-line modules they only needed 10 lines of. Graft fixes that automatically.
# Install and bootstrap your repo
npx @flyingrobots/graft init --write-claude-hooks --write-codex-mcp
# Start serving (MCP over stdio — point your agent at this)
npx @flyingrobots/graft serve
# Or try a governed read from the CLI right now
npx @flyingrobots/graft read safe src/app.tsThat's it. init scaffolds .graftignore, appends agent read guidance, and writes the client config requested by the flags you pass. serve starts listening on stdio. Your agent calls safe_read instead of reading files directly, and Graft handles the rest.
AI coding agents read files the same way a first-year developer does: grab the whole thing, every time. A 2,000-line module goes straight into the context window. So does the lockfile. So does the compiled output. So does the .env.
Context windows are finite. Once they fill up, the agent starts forgetting what it already read. Performance degrades. Hallucinations increase. You burn tokens on noise.
Graft sits between the agent and the filesystem and enforces a simple rule: return the minimum structurally correct view.
- Small file? Full content.
- Large file? A structural outline — function names, signatures, line ranges. The agent can drill in with a range read if it needs a specific function body.
- Binary, secret, or lockfile? Hard refusal with a machine-readable reason code and a suggested alternative.
Tool responses carry receipts: bytes consumed, bytes avoided, session depth, policy decision. Agents can self-regulate. Operators can audit.
-
Parser-backed outlines. Outlines come from Tree-Sitter ASTs, not heuristic line-scanning. Function signatures, class hierarchies, and jump tables are structurally accurate across JavaScript, TypeScript, Rust, Python, Go, GraphQL, JSON, TOML, YAML, Markdown, and more.
-
Machine-readable contracts. Tool responses carry versioned
_schemametadata and decision receipts. Agents reason about outcomes without scraping prose. Receipts accumulate cumulative session stats so agents know when they're burning budget. -
Structural memory across Git history. WARP (Structural Worldline Memory) is the current git-warp-backed structural history layer. Query what changed structurally — which symbols were added, removed, or renamed — without dumping source into the agent context. Graft is converging on a
StructuralReadingPortboundary so Echo can become the primary causal-history substrate after parity is proven. -
Session governance. The
GovernorTrackerwatches for anti-patterns: runaway tool loops, late-session large reads, edit/bash thrash. Tripwire signals surface in receipts so agents and operators can act before context is exhausted. -
Industrial-grade daemon. A same-user local runtime manages multi-repo authorization, persistent monitors, and shared worker pools. Current git-warp contexts stay warm in memory across sessions, while the public contract is moving behind substrate-neutral structural-history ports.
Graft exposes capabilities through three official product entry points: CLI, MCP, and API. MCP has two runtimes: repo-local stdio for a single checkout and daemon-backed stdio for multi-repo sessions.
npx @flyingrobots/graft read safe src/app.ts
npx @flyingrobots/graft struct since HEAD~3
npx @flyingrobots/graft struct dead-symbols --limit 20
npx @flyingrobots/graft symbol history createUser --path src/users.ts
npx @flyingrobots/graft review --base HEAD~1
npx @flyingrobots/graft review cooldown --pr 48Stateless. Print and exit. Good for scripting, spot-checking policy decisions, and inspecting structural history.
The simplest path for single-repo agent work. The current checkout is the authority. No workspace binding required.
npx @flyingrobots/graft servePoint your MCP client at this process. Graft speaks JSON-RPC over stdin/stdout. The same binary auto-detects non-TTY stdio and enters serve mode automatically — so npx @flyingrobots/graft with no arguments works as an MCP server when piped.
A persistent same-user runtime for long-running or multi-repo agent work. Current git-warp contexts stay warm between sessions and persistent monitors can keep structural history current.
# Start the daemon explicitly
npx @flyingrobots/graft daemon
# Or let the stdio bridge auto-start/connect to the daemon
npx @flyingrobots/graft serve --runtime daemonDaemon sessions start unbound. The normal agent flow is:
workspace_openwith the target repo'scwd; in daemon mode this authorizes the workspace before opening it.- Optionally
workspace_list_openedto inspect active workspaces - Use repository-scoped tools:
safe_read,file_outline,graft_diff, etc.
When several agents share one daemon-backed MCP session, repo tools can
carry their own explicit route: pass cwd to safe_read,
file_outline, read_range, changed_since, graft_diff,
graft_since, graft_map, code_show, code_find, or code_refs to
resolve that call against the requested authorized workspace without
changing the active workspace.
For explicit control-plane posture, use workspace_authorize followed by workspace_bind.
See docs/SETUP.md for client-specific bootstrap and daemon control-plane configuration.
Embed Graft directly when you want structural reads or syntax data without spawning a subprocess or going through MCP transport.
Governed repo reads (same policy enforcement as MCP, no receipts):
import { createRepoWorkspace } from "@flyingrobots/graft";
const workspace = await createRepoWorkspace({ cwd: process.cwd() });
const result = await workspace.safeRead({ path: "src/app.ts" });
// result.projection: "content" | "outline" | "refused" | "cache_hit" | "diff"In-process tool calls with receipts (full MCP behavior, no subprocess):
import { createRepoLocalGraft, callGraftTool } from "@flyingrobots/graft";
const graft = createRepoLocalGraft({ cwd: process.cwd() });
const outline = await callGraftTool(graft, "file_outline", { path: "src/app.ts" });Editor-native syntax highlighting (Tree-Sitter WASM, no I/O, viewport-aware):
import { createProjectionBundle, ensureParserReady } from "@flyingrobots/graft";
await ensureParserReady();
const bundle = createProjectionBundle("src/app.tsx", liveEditorText, {
basis: { kind: "editor_head", headId: "head-42", tick: 17 },
viewport: {
start: { row: 0, column: 0 },
end: { row: 80, column: 0 },
},
});
// bundle.syntax.spans — highlight ranges for the visible viewport onlycreateProjectionBundle owns the WASM buffer lifecycle internally. Use createStructuredBuffer directly if you need to hold a buffer across multiple operations and manage dispose() yourself.
Edict projection bridge (dirty .edict buffer to syntax/Core/Target IR):
import {
createEdictCliProjectionProvider,
createProjectionProviderRegistry,
createStructuredBuffer,
} from "@flyingrobots/graft";
import { nodeProcessRunner } from "./your-process-runner.js";
const edictProjector = createEdictCliProjectionProvider({
processRunner: nodeProcessRunner,
cwd: process.cwd(),
target: {
coordinate: "echo.dpo@1",
profileDigest: "sha256:1111111111111111111111111111111111111111111111111111111111111111",
irDomain: "echo.span-ir/v1",
},
});
const projectionRegistry = createProjectionProviderRegistry().register({
language: "edict",
extensions: [".edict"],
provider: { kind: "edict", provider: edictProjector },
});
const buffer = createStructuredBuffer("demo.edict", liveEditorText, {
basis: { kind: "editor_head", headId: "head-42", tick: 18 },
projectionRegistry,
});
const syntax = buffer.syntaxSpans();
const edict = buffer.edictProjection();
// edict?.core and edict?.targetIr preserve available/blocked/failed slot truth.This bridge invokes Edict's projection CLI over stdin JSONL. It does not execute
Echo, admit bundles, or require the editor buffer to exist on disk.
Hosts may pass language: "edict" with a registry for synthetic dirty buffers
such as untitled editor tabs. Direct edictProjector injection remains
supported for single-language hosts.
# 1. Bootstrap the repo: scaffold .graftignore, seed agent instructions
npx @flyingrobots/graft init --write-claude-hooks --write-codex-mcp
# 2. Start serving (repo-local stdio MCP)
npx @flyingrobots/graft serveFor bugs, capability requests, and ideas, start at
GitHub Issues.
That queue is the public view for priorities and discussion. Internal execution and design rigor still lives in
docs/method/backlog/ and docs/design/ so details remain deterministic for contributors.
| Document | What it covers |
|---|---|
| Technical Teardown | Zero-to-hero deep dive: entry points, golden paths, data schemas, policy engine, WARP, session governance, trade-offs |
| Guide | Orientation, the fast path, and agent bootstrap |
| Setup Guide | Client-specific MCP setup, daemon posture, and workspace binding |
| Advanced Guide | Pipeline internals, worldlines, and daemon mechanics |
| Architecture | Authoritative structural reference: Ports, Adapters, WARP |
| Public API Contract | Semver-public root import surface and stability policy |
| Three-Surface Capability Matrix | API / CLI / MCP feature baseline and peer posture |
| Repo Topology | Where API, CLI, MCP, and core live in the source tree |
| Security Model | Same-user daemon trust boundaries, authz, and observability |
| Causal Provenance | Transport sessions, causal workspaces, strands, and handoff truth |
| North Star | Long-term stack position and Continuum-shaped direction |
| Vision | Core tenets and the provenance-aware mission |
| Method | Repo work doctrine and the cycle loop |
| Issue visibility and backlog mapping | Public issue triage plus internal backlog synchronization |
Built with precision by FLYING ROBOTS