Graft: Let Agents Run Long Pipelines in Relay — Not From Zero Every Session

Engineers work across two ends every day — heavy Agent analysis runs in the cloud, code lives in local IDE. Graft bridges both ends so your local IDE can query cloud KBs as RAG, graft outputs from existing sessions, and dispatch tasks back to long-lived cloud sessions asynchronously.

Back

A session shouldn't be an island. After an engineer finishes an ASPICE traceability analysis and produces a list of 178 change impacts, the next session for "regression test derivation" should directly reuse the previous session's output — not re-run everything from scratch. Graft makes "relay" a first-class platform capability.

The Problem It Solves

Engineers' daily work spans two ends:

  • Cloud combo agent: Run heavy analysis tasks — ASPICE traceability, requirements audits, cross-baseline change analysis, novelty searches — and accumulate results into cloud KBs
  • Local IDE (Cursor / Claude Code / Codex / Trae): Write code, run tests, submit PRs, write docs

Bridging the two is more than "copy-paste a session summary." Graft packages this into three distinct use cases:

Use CaseSolvesTypical Scenario
A · KB RetrievalLet local agent use cloud KB as a RAG source — query docs/chunks directly without needing an active cloud sessionLooking up team coding standards while writing code; checking historical project design docs
B · Session GraftingPull cloud session digest / rounds / artifacts into local context to continue workUse a colleague's ASPICE traceability output to guide local code changes
C · Task DispatchSend a new instruction back to a cloud long-lived session for async execution (heavy compute / toolchain not available locally)Trigger a full coverage re-audit from local IDE

Type A is pure RAG (no session opened); Type B is read-only graft; Type C is the only write entry point — it cannot create or delete sessions or files, only triggers an additional round on an existing session.

Architecture

Rendering diagram…
  • Server: api/apps/graft_app.py exposes user-level endpoints
  • Auth: Reuses the web UI's itsdangerous signed access token; login through the platform's existing /v1/user/login
  • Client: 4 Python scripts (login / whoami / logout / call) + single public key file
  • Write guard: Double-layer intercept at both client and server; only dispatch_task is the single allowed write path

Three Use Cases in Detail

A · KB Retrieval: Local Agent Uses Cloud KB as RAG

An engineer is modifying code in Cursor and encounters an unfamiliar module. They ask AI:

"What is the team's ASPICE traceability standard? How should this file annotate req-Id comments?"

The local agent calls the graft-comboagent skill:

# List available KBs
python scripts/call.py list_kbs
 
# Semantic search within a specific KB
python scripts/call.py search --source document \
  --kb-id <kb_id> \
  --query "ASPICE traceability standard req-Id annotation"

Returns relevant chunks; local agent answers directly based on this evidence — no need to open the web UI, no need to start a new cloud session.

ScenarioValue
Look up team coding standardsStay in local IDE without context switching
Check historical project design docsQuery on the fly while coding
Look up customer contracts / preferencesSecond-level retrieval during quotation
Reference ASPICE / 26262 / 21434 standard clausesCompliance check while coding

B · Session Grafting: Continue a Colleague's Session

Scenario: a colleague ran an ASPICE traceability analysis in the cloud and generated a 178-item change impact list. You need that list to guide your local code changes.

# List all sessions you have access to
python scripts/call.py list_sessions
 
# Pull a session's digest (summary)
python scripts/call.py get_digest --session-id <session_id>
 
# Pull a specific round's full content
python scripts/call.py get_round --session-id <session_id> --round-id <round_id>
 
# Download an artifact (e.g., the 178-item change list xlsx)
python scripts/call.py download --session-id <session_id> --file-id <file_id> \
  --output ./change_impact.xlsx

The local agent has the real data and can directly use the actual change list to modify code, run tests, and open PRs — not just "paste a summary paragraph."

ScenarioValue
Take over a colleague's ASPICE traceability outputNo re-running the analysis
Reuse requirements understanding from last weekContext continuity
Follow up on a long project across weeksHistory always accessible

C · Task Dispatch: Send Heavy Work Back to the Cloud

Scenario: local IDE code changes are done, and a full ASPICE coverage re-audit is needed — this can't run locally (requires heavy index + cross-ALM data pulls + heavy model).

# Dispatch task to an existing long-lived cloud session
python scripts/call.py dispatch_task \
  --session-id <coverage_audit_session> \
  --prompt "Code updated to commit abc1234. Re-run full coverage audit, grouped by ASIL level."

The cloud session runs asynchronously; pull results locally with get_round when done.

Hard constraints:

  • dispatch_task is the only allowed write entry point
  • Cannot create new sessions
  • Cannot delete sessions / files
  • Can only trigger an additional round on an existing session

This design ensures: a local agent cannot perform destructive operations in the cloud via prompt injection.

Security Design

DimensionDesign
AuthenticationRSA-encrypted password login → signed token; token file permissions 0600
Tenant isolation_verify_graft_access enforces same-tenant check; cross-tenant access blocked
VisibilityOnly sessions / KBs / files you have permission to see
Write guard (double layer)Client-side intercept + server-side intercept
Audit logEvery graft call records timestamp + user + action

Versus "Copy-Paste Session Summary"

DimensionCopy-Paste SummaryGraft
Data volumeLimited by LLM context windowQuery any amount of data on demand
FidelitySummary may drop key detailsRaw data downloadable
FreshnessSummary goes stale immediatelyAlways pulls latest
DirectionOne-way (local → local)Bidirectional (local ↔ cloud)
SecurityCopy-paste may inadvertently expose dataEnforced through auth chain

Installation & First Use

# 1. Copy skill to IDE host
cp -r skills/graft-comboagent ~/.cursor/skills/   # or ~/.claude/skills/
 
# 2. Install Python dependencies
pip install requests pycryptodome
 
# 3. Log in
cd ~/.cursor/skills/graft-comboagent
python scripts/login.py
# Enter server URL + email + password
 
# 4. Restart IDE for skill discovery

Full installation and configuration: graft-comboagent Skill Page.

Typical Workflow: ASPICE Local-Cloud Integration

Rendering diagram…

FAQ

Q: Is the local agent safe? Does it upload my code to the cloud? A: The local agent does not upload code by default. Requests are only made when the engineer explicitly invokes a graft action (like KB search or session graft), and each request's content is visible to the engineer.

Q: Can Graft be used in production CI pipelines? A: Yes. Use a dedicated service account for login rather than a personal token.

Q: Can dispatch_task run arbitrary commands? A: It can run any prompt, but only within the context of an existing session and inherits that session's permissions. Effectively it's like the engineer typing one more message in their own session.

Q: How is this different from Cursor's built-in docs indexing? A: Cursor docs is one-directional static documents. Graft additionally covers: dynamic session grafting (Type B), async task dispatch (Type C), and multi-language KB retrieval (Type A).

Q: Does private deployment support Graft? A: Yes. Just point the server URL to the customer's intranet address.

Full action list and SKILL.md: graft-comboagent Skill Page; underlying mechanics: Core Concept · Graft.

Written by

Nox-Lumen Tech-team

Published

May 14, 2026