Open source · Apache 2.0 · 8 packages on PyPI

The trust stack for AI-era engineering.

Eight small, opinionated, production-grade tools that give engineering teams a coherent answer to one question: as AI writes more of the code, how do we keep trust in what ships? Each tool stands alone. Together they're a platform — from PR to production.

Eight packages. Three shipped waves.

Each one is free, open-source, and pip-installable today. Drop them into your CI, your GitHub Apps, your SDKs.

repox v0.4.0

Repo X-ray

A portable architecture model of any codebase. Files, imports, symbols, and function-call edges across Python + JavaScript + TypeScript via tree-sitter. The model every other DevTrust tool consumes.

Wave 1 — codebase understanding
sts v0.0.3

Smart Test Selector

Given a code change, decide which tests must run. Transitive-import-aware, with framework detection (pytest, jest, vitest, gotest, cargo); reads repox artifacts.

Wave 1
apr v0.2.0

Agent-PR Reviewer

Deterministic + AI-pattern review for pull requests. Python and JS/TS rule packs plus an opt-in LLM-backed diff-comprehension check and a deterministic hallucinated-symbol rule that walks the call graph.

Wave 1
sts-app v0.0.3

STS GitHub App

FastAPI service that runs sts on every PR. JWT-signed installation tokens, HMAC webhook verification, tarball clone (no git binary needed), sticky PR comments.

Wave 2 — ship surfaces
apr-app v0.0.1

APR GitHub App

Same shape as sts-app — webhook receiver, GitHub App auth, sticky PR comment with findings. Drives the apr engine on every pull request.

Wave 2
agtrace v0.0.2

Agent Trace SDK

Spans, events, and tool calls for LLM-driven workflows. ContextVar-based attribution that's safe across threads + async. JSONL append-only event store.

Wave 3 — open & run
whychanged v0.1.0

WhyChanged

Production diff-detective for incident response. Pluggable change providers (git history + GitHub Deployments shipped). Ranks the changes most likely to be your culprit.

Wave 3
tokencost v0.0.3

TokenCost

Financial-grade attribution for LLM spend. Capture every Anthropic / OpenAI call with team / user / feature attribution. Money in integer micro-USD — no float drift across millions of rows.

Wave 3

Install one. Or all eight.

Each package versions independently. Picking just one doesn't drag the rest in.

pip install devtrust-repox devtrust-sts devtrust-apr \
            devtrust-agtrace devtrust-whychanged devtrust-tokencost
# or just the GitHub Apps:
pip install devtrust-sts-app devtrust-apr-app

PyPI distribution names are namespaced under devtrust-; Python imports and CLI commands stay short (import repox, repox build .).

Self-host or let us run it.

Everything above is free, forever. DevTrust Cloud is the hosted version — same code, but we run the apps, aggregate across your whole org, and add the things teams need (auth, audit, alerting).

Open source — free

  • All 8 packages on PyPI
  • Run the GitHub Apps yourself
  • Per-repo .repox/.apr/.sts artifacts
  • JSONL stores you process yourself
  • CLI + library, full source
  • Apache-2.0, no usage caps
$0 / forever

DevTrust Cloud — coming soon

  • Hosted GitHub Apps — install in one click
  • Cross-repo trust dashboard for the whole org
  • Cross-service agtrace + tokencost aggregation
  • whychanged as a webhook receiver, posts to Slack
  • SSO, audit logs, role-based access
  • Premium rule packs + support SLA
Early access · waitlist pricing

Join the Cloud waitlist.

Early-access pricing being finalized. Waitlist members get the first 3 months free, plus first dibs on team / enterprise plans.

Why this exists.

AI is writing more of every codebase, every quarter. Reviewing diffs gets harder. Test suites get noisier. Cost attribution gets murky. Production incidents get harder to root-cause when "what changed?" includes "the model picked a different completion."

DevTrust is a single coherent answer to that. Eight tools, one design language, one trust narrative, all open-source. Run them yourself, or let us run them for you.