CLI-Based Context Engine

Assemble context. Ask with proof. Write with trust.

A Rust CLI that pulls artifacts into a git-tracked project, answers questions with citations, and writes back to systems of record — only after you approve every field.

Open Dashboard Install
Status v0.1.0 — Gmail, Salesforce, Postgres
License Apache-2.0

What it is

Context engine with a trust boundary.

Rust owns credentials and writes. Python never sees either. Every field decision is hash-chained and tamper-evident.

Rust Control Plane

Auth, sync, ask, apply, audit, serve — compiled. Python never touches credentials.

Encrypted Vault

Tokens in .yarrow/state.db under AES-256-GCM.

Cited Q&A

yarrow ask returns answers with citations to source artifacts.

Governed Writes

Per-field approve/skip/flag before any system-of-record write.

Hash-Chained Audit

Every decision in .yarrow/audit.jsonl with prior-record hash.

Stateless Sidecar

yarrow-extract invoked by Rust over stdio. No credentials, no state.

Live Demo

Real commands. Real output.

yarrow-cli 
$ yarrow doctor
 keyring secret
 project config        project_id=demo
 state store           .yarrow/state.db readable
 openrouter            OPENROUTER_API_KEY not set
 extract sidecar       yarrow-extract on PATH

$ yarrow gmail sync --filter "newer_than:30d" --limit 100
Synced 100 threads into context/gmail/threads/

$ yarrow ask "What stage is the Acme deal?"
Answer: Stage 3 — Proposal
Citations: context/gmail/threads/acme-deal.md

$ yarrow pipeline apply bindings/deals.yaml --verify-audit
Loading binding "deals"...
Extracting 7/7
Gate: 5 proposed, 2 abstained
Review: 5 approved, 2 skipped
Write: 5 written to Salesforce
Audit chain: verified (127 entries)

Architecture

Rust owns trust. Python owns scaffolding.

Rust Control Plane

Auth

OAuth in / tokens encrypted out

Sync

Gmail, Salesforce, Postgres, files

Q&A

retrieval in / cited answer out

Apply

binding → extract → review → write → audit

Audit

hash-chained .yarrow/audit.jsonl

Supporting

yarrow-dev

binding validation, offline evals

yarrow-extract

LLM extraction sidecar, stateless

bindings/*.yaml

governed write definitions

MCP / HTTP

yarrow mcp-serve, yarrow serve

Dashboard

Control plane, in the browser.

Monitor status, run dry-run pipelines, search audit trails — behind RBAC.

yarrowlabs.io/dashboard
Dashboard overview with metrics cards.
Open Dashboard Requires yarrow serve

Install

One line.

$ curl -sSL https://yarrowlabs.io/install.sh | bash

Or clone from GitHub and run make setup.