Renatus · audit-grade LLM code changes
Four agents, one engine, signed audit.
Renatus runs migrations, refactors, security audits, and codebase Q&A on the same cartographer → surgeon → examiner → auditor pipeline. Every run emits an append-only event log. The Auditor signs the report with an ed25519 key — anyone with the public key (returned with the report) can verify the bytes weren't tampered.
Run an agent
Migrate
tier-1Cross-version code migration. Bundled rule packs, or feed in a changelog / diff / upgrade guide.
Open form →
Refactor
tier-1Codebase-wide refactor from a natural-language intent. No rules needed.
Open form →
Security Audit
tier-1CVE-driven patching. Provide a CVE id (fetched from NVD) or paste an advisory.
Open form →
Q&A
read-onlyRead-only natural-language Q&A across the codebase. Cited, signed transcripts.
Open form →
Install as an MCP server
Renatus is also a Model Context Protocol server — drop the snippet below into your Bob, Claude Code, or Cursor MCP config and the four tier-1 tools (migrate_repository, refactor_repository, security_audit_repository, query_codebase) show up alongside your other tools.
{
"mcpServers": {
"renatus": {
"command": "npx",
"args": ["-y", "@renatus/mcp-server"],
"env": {}
}
}
}Public key & signature
Renatus generates a fresh ed25519 keypair per job. The private key stays on the server (encrypted with RENATUS_KEK when configured); the public key is embedded in the signed report and surfaced at /audit/[jobId]. Verify locally with /verify or click Verify signature on any audit page — the widget re-canonicalizes the report, recomputes the SHA-256 hash, and runs ed25519 in the browser.
Built solo for the IBM Bob Hackathon (May 15–17, 2026). Submission deadline 17 May 2026. See STATE-OF-RENATUS.md in the repo for the full deliverable inventory, or run an agent now.