@codacy/verity-cli 0.20.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +87 -0
- package/bin/verity.js +15800 -0
- package/data/skills/verity-analyze/SKILL.md +214 -0
- package/data/skills/verity-feedback/SKILL.md +39 -0
- package/data/skills/verity-insights/SKILL.md +87 -0
- package/data/skills/verity-learn/SKILL.md +63 -0
- package/data/skills/verity-memory/SKILL.md +113 -0
- package/data/skills/verity-reflect/SKILL.md +47 -0
- package/data/skills/verity-setup/SKILL.md +443 -0
- package/data/skills/verity-setup/patterns-reference.yaml +586 -0
- package/data/skills/verity-setup/standard-template.yaml +153 -0
- package/data/skills/verity-status/SKILL.md +47 -0
- package/package.json +49 -0
|
@@ -0,0 +1,214 @@
|
|
|
1
|
+
# /verity-analyze — Run Verity analysis on demand
|
|
2
|
+
|
|
3
|
+
You are running an on-demand Verity analysis. This is like a "second opinion" — the user (or you) can invoke it at any point to get a quality and security review with rich context.
|
|
4
|
+
|
|
5
|
+
**Usage:**
|
|
6
|
+
- `/verity-analyze` — Curate files, write intent, select specs autonomously (deep review)
|
|
7
|
+
- `/verity-analyze src/api/routes.ts src/db.ts` — Analyze specific files (quick check)
|
|
8
|
+
- `/verity-analyze src/api/` — Analyze a directory and related files
|
|
9
|
+
- `/verity-analyze --full` — Sample the full codebase (20 most recently modified files)
|
|
10
|
+
- `/verity-analyze --intent "Implementing OAuth2 PKCE flow per spec/AUTH.md"` — User provides intent
|
|
11
|
+
|
|
12
|
+
---
|
|
13
|
+
|
|
14
|
+
## Step 1: Check configuration
|
|
15
|
+
|
|
16
|
+
1. Verify `.verity/standard.yaml` exists. If not: "Run `/verity-setup` first."
|
|
17
|
+
2. Verify `verity` CLI is available: `which verity`. If not: "Re-run the Verity installer: `curl -fsSL https://raw.githubusercontent.com/codacy/verity/main/install.sh | bash`"
|
|
18
|
+
3. Run `verity auth verify` to check token is valid. If it fails: "Verity not configured. Run `/verity-setup` first."
|
|
19
|
+
|
|
20
|
+
---
|
|
21
|
+
|
|
22
|
+
## Step 2: Determine files to analyze
|
|
23
|
+
|
|
24
|
+
### Quick mode (specific files or `--full`)
|
|
25
|
+
|
|
26
|
+
**Specific files** (paths or directories provided):
|
|
27
|
+
- Use the provided file paths directly. If a directory is given, include all analyzable files under it.
|
|
28
|
+
- Verify each file exists.
|
|
29
|
+
|
|
30
|
+
**`--full` flag** (full codebase sample):
|
|
31
|
+
```bash
|
|
32
|
+
FILES=$(git ls-files | grep -E '\.(ts|tsx|js|jsx|mjs|cjs|py|go|java|kt|rb|rs|c|cpp|h|hpp|cs|php)$')
|
|
33
|
+
```
|
|
34
|
+
If more than 20 files, select the 20 most recently modified:
|
|
35
|
+
```bash
|
|
36
|
+
echo "$FILES" | xargs ls -t | head -20
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
In quick mode, skip Steps 3 and 4 — go straight to Step 5.
|
|
40
|
+
|
|
41
|
+
### Deep mode (no arguments, or directory hints)
|
|
42
|
+
|
|
43
|
+
When no specific files are given, curate a comprehensive review scope:
|
|
44
|
+
|
|
45
|
+
#### 2a. Start with changed files
|
|
46
|
+
|
|
47
|
+
```bash
|
|
48
|
+
CHANGED=$(git diff --name-only HEAD 2>/dev/null; git diff --name-only --cached 2>/dev/null; git ls-files --others --exclude-standard 2>/dev/null)
|
|
49
|
+
CHANGED_CODE=$(echo "$CHANGED" | sort -u | grep -E '\.(ts|tsx|js|jsx|mjs|cjs|py|go|java|kt|rb|rs|c|cpp|h|hpp|cs|php)$')
|
|
50
|
+
```
|
|
51
|
+
|
|
52
|
+
Also check if the agent just committed (clean tree but recent HEAD):
|
|
53
|
+
```bash
|
|
54
|
+
# If working tree is clean, check what the last commit changed
|
|
55
|
+
git diff --name-only HEAD~1..HEAD 2>/dev/null
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
If the user provided directory hints (e.g., `/verity-analyze src/api/`), also include all files under those directories.
|
|
59
|
+
|
|
60
|
+
#### 2b. Add related files
|
|
61
|
+
|
|
62
|
+
For each changed file, identify and add:
|
|
63
|
+
|
|
64
|
+
1. **Direct dependencies** — files that the changed file imports. Read the import/require statements and resolve the paths.
|
|
65
|
+
2. **Reverse dependencies** — files that import the changed file. Grep for the module name across the codebase.
|
|
66
|
+
3. **Type/interface files** — shared type definitions, interfaces, or schemas referenced by the changes.
|
|
67
|
+
4. **Test files** — corresponding test files for changed modules (e.g., `foo.test.ts` for `foo.ts`, `test_foo.py` for `foo.py`).
|
|
68
|
+
|
|
69
|
+
#### 2c. Prioritize and cap
|
|
70
|
+
|
|
71
|
+
Rank files by relevance:
|
|
72
|
+
1. Changed files (always included first)
|
|
73
|
+
2. Direct dependencies that define interfaces/types being used
|
|
74
|
+
3. Test files for changed code
|
|
75
|
+
4. Reverse dependencies (consumers that might break)
|
|
76
|
+
|
|
77
|
+
**Cap at 20 files total.** If you need to cut, drop reverse dependencies first, then tests.
|
|
78
|
+
|
|
79
|
+
#### 2d. Track changed vs context
|
|
80
|
+
|
|
81
|
+
Keep two lists:
|
|
82
|
+
- **`changed_files`** — the files that were actually modified (git dirty or recently committed)
|
|
83
|
+
- **`all_files`** — all files to include in the analysis (changed + context)
|
|
84
|
+
|
|
85
|
+
If no analyzable files found: "No analyzable files found."
|
|
86
|
+
|
|
87
|
+
---
|
|
88
|
+
|
|
89
|
+
## Step 3: Write the intent description
|
|
90
|
+
|
|
91
|
+
Synthesize the conversation context into a clear intent description. This is NOT the raw user prompt — it's your understanding of what the work is trying to achieve.
|
|
92
|
+
|
|
93
|
+
**Template:**
|
|
94
|
+
|
|
95
|
+
```
|
|
96
|
+
I am [adding/modifying/fixing/refactoring] [feature/component name].
|
|
97
|
+
|
|
98
|
+
Goal: [What the user asked for, or the problem being solved.]
|
|
99
|
+
|
|
100
|
+
Approach: [Key architectural decisions. What patterns are being used?]
|
|
101
|
+
|
|
102
|
+
Trade-offs: [Anything you chose deliberately that could be questioned.]
|
|
103
|
+
|
|
104
|
+
Review focus: [Specific concerns you want the reviewer to evaluate.]
|
|
105
|
+
```
|
|
106
|
+
|
|
107
|
+
**Guidelines:**
|
|
108
|
+
- Cap at 2000 characters
|
|
109
|
+
- Be specific — "adding JWT auth with RS256 to /api/users" not "adding authentication"
|
|
110
|
+
- Include trade-offs and areas of uncertainty — the reviewer will focus there
|
|
111
|
+
- If the user provided `--intent`, use it as the base and augment with your understanding
|
|
112
|
+
- Skip this step entirely in quick mode (specific files or --full)
|
|
113
|
+
|
|
114
|
+
---
|
|
115
|
+
|
|
116
|
+
## Step 4: Select relevant specs
|
|
117
|
+
|
|
118
|
+
Identify spec/documentation files that provide context:
|
|
119
|
+
|
|
120
|
+
- Specs referenced in the user's request
|
|
121
|
+
- Specs that define interfaces or APIs being implemented
|
|
122
|
+
- Architecture docs relevant to the area being changed
|
|
123
|
+
|
|
124
|
+
**Read each spec file and prepare for inclusion.** Limits: max 10 files, 10KB per file, 30KB total.
|
|
125
|
+
|
|
126
|
+
Common spec locations to check:
|
|
127
|
+
- `spec/*.md`, `docs/*.md`
|
|
128
|
+
- `CLAUDE.md`, `AGENTS.md`, `CONTRIBUTING.md`
|
|
129
|
+
|
|
130
|
+
If no specs are relevant, skip this step.
|
|
131
|
+
|
|
132
|
+
---
|
|
133
|
+
|
|
134
|
+
## Step 5: Run the analysis
|
|
135
|
+
|
|
136
|
+
Use the `verity review` command with all the context you gathered:
|
|
137
|
+
|
|
138
|
+
```bash
|
|
139
|
+
verity review \
|
|
140
|
+
--files "src/auth/pkce.ts,src/auth/callback.ts,src/auth/types.ts,src/middleware/auth.ts" \
|
|
141
|
+
--changed "src/auth/pkce.ts,src/auth/callback.ts" \
|
|
142
|
+
--intent "I am adding OAuth2 PKCE authentication flow..." \
|
|
143
|
+
--specs "spec/AUTH.md,CLAUDE.md"
|
|
144
|
+
```
|
|
145
|
+
|
|
146
|
+
**Arguments:**
|
|
147
|
+
- `--files` (required): Comma-separated list of ALL files to include (changed + context)
|
|
148
|
+
- `--changed` (optional): Comma-separated list of actually-modified files (subset of --files). If omitted, all files are treated as changed.
|
|
149
|
+
- `--intent` (optional): Your synthesized intent description. Quote it.
|
|
150
|
+
- `--specs` (optional): Comma-separated list of spec file paths to include.
|
|
151
|
+
|
|
152
|
+
The CLI handles static analysis, file reading with size limits, payload construction, and the API call.
|
|
153
|
+
|
|
154
|
+
---
|
|
155
|
+
|
|
156
|
+
## Step 6: Display results
|
|
157
|
+
|
|
158
|
+
Parse the JSON response and format clearly:
|
|
159
|
+
|
|
160
|
+
```
|
|
161
|
+
=== Verity Analysis ===
|
|
162
|
+
Gate Decision: WARN
|
|
163
|
+
Quality: 7.5/10 | Security: 8.0/10 | Overall: 7.8/10
|
|
164
|
+
Trend: stable
|
|
165
|
+
|
|
166
|
+
--- Assessment ---
|
|
167
|
+
[narrative from assessment.narrative]
|
|
168
|
+
|
|
169
|
+
--- Findings (2) ---
|
|
170
|
+
|
|
171
|
+
[HIGH] Service Role Client for Non-Admin Operations
|
|
172
|
+
File: supabase/functions/webhook/index.ts:25
|
|
173
|
+
Pattern: access-control-checks (CWE-639)
|
|
174
|
+
Fix: Limit SELECT fields to only what's needed for the notification.
|
|
175
|
+
|
|
176
|
+
[MEDIUM] File Complexity Exceeds Threshold
|
|
177
|
+
File: supabase/functions/webhook/index.ts:1
|
|
178
|
+
Pattern: comprehensibility
|
|
179
|
+
Fix: Refactor into separate handler files per event type.
|
|
180
|
+
|
|
181
|
+
--- Intent Alignment ---
|
|
182
|
+
Score: 9/10 (aligned)
|
|
183
|
+
Goal: "Add webhook handlers for Stripe events"
|
|
184
|
+
Implementation matches intent. No gaps detected.
|
|
185
|
+
|
|
186
|
+
--- Quality Dimensions ---
|
|
187
|
+
Comprehensibility: 6.5/10 — webhook file is too large
|
|
188
|
+
Modularity: 7.0/10 — good separation except webhook handler
|
|
189
|
+
Type Safety: 9.0/10 — strict TypeScript throughout
|
|
190
|
+
Test Adequacy: 5.0/10 — missing webhook handler tests
|
|
191
|
+
|
|
192
|
+
--- Pending Items ---
|
|
193
|
+
1. [HIGH] Add tests for webhook event handlers
|
|
194
|
+
2. [MEDIUM] Refactor webhook into handler modules
|
|
195
|
+
|
|
196
|
+
View full report: https://verity.md/runs/run-20260327-...?token=verityview_...
|
|
197
|
+
```
|
|
198
|
+
|
|
199
|
+
---
|
|
200
|
+
|
|
201
|
+
## Step 7: Offer to fix
|
|
202
|
+
|
|
203
|
+
- **If FAIL or findings exist**: "The analysis found N issues. Would you like me to fix them?" If yes, apply fixes from findings, then re-run (iteration 2 max). If iteration 2 still fails, report remaining issues for human review.
|
|
204
|
+
- **If WARN**: "Non-blocking issues found. Would you like me to address them?"
|
|
205
|
+
- **If PASS**: "Code meets the Standard. No issues found."
|
|
206
|
+
|
|
207
|
+
---
|
|
208
|
+
|
|
209
|
+
## Important notes
|
|
210
|
+
|
|
211
|
+
- This does NOT replace the automatic stop hook. The hook still fires on every agent stop.
|
|
212
|
+
- Runs are tagged with `trigger: "review"` in the database.
|
|
213
|
+
- Size limits: 20 files max, 50KB per file, 200KB total code, 2000 char intent, 30KB specs.
|
|
214
|
+
- If the service is unreachable, static analysis still runs locally.
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
# /verity-feedback — Send feedback
|
|
2
|
+
|
|
3
|
+
## General feedback
|
|
4
|
+
|
|
5
|
+
If the user provided a message (e.g., `/verity-feedback the analysis is too slow`), use their **exact words** as the message. Do NOT rephrase, expand, add context, or editorialize. Send exactly what they typed, nothing more.
|
|
6
|
+
|
|
7
|
+
If they just typed `/verity-feedback` with no message, ask: "What feedback would you like to share?"
|
|
8
|
+
|
|
9
|
+
```bash
|
|
10
|
+
verity feedback message "<their exact message>"
|
|
11
|
+
```
|
|
12
|
+
|
|
13
|
+
On success: "Thanks, feedback sent!"
|
|
14
|
+
On error: "Couldn't send feedback right now. Your message: [repeat it so it's not lost]."
|
|
15
|
+
|
|
16
|
+
## Per-finding feedback
|
|
17
|
+
|
|
18
|
+
If the user wants to mark a specific finding (e.g., a false positive from a recent analysis run), use the finding sub-command.
|
|
19
|
+
|
|
20
|
+
Ask for the required info if not provided:
|
|
21
|
+
- **run-id**: from the most recent analysis run (check `verity status` or the run output)
|
|
22
|
+
- **pattern-id**: the Standard pattern that produced the finding (e.g., `no-hardcoded-secrets`, `file_length`)
|
|
23
|
+
- **action**: one of `false_positive`, `acknowledged`, `will_fix_later`, `wrong_severity`, `useful`
|
|
24
|
+
|
|
25
|
+
```bash
|
|
26
|
+
verity feedback finding <run-id> <pattern-id> <action> "optional note"
|
|
27
|
+
```
|
|
28
|
+
|
|
29
|
+
Optional flags:
|
|
30
|
+
- `--file <path>` — the file the finding applies to
|
|
31
|
+
- `--line <n>` — the line number
|
|
32
|
+
|
|
33
|
+
Example: marking a test file's fake JWT as a false positive:
|
|
34
|
+
```bash
|
|
35
|
+
verity feedback finding run-20260420-abc1 no-hardcoded-secrets false_positive "Fake JWT used in tests" --file src/auth/tokens.test.ts --line 42
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
On success: report whether auto-suppression is now active (requires ≥2 independent dismissals for the same pattern+file pattern).
|
|
39
|
+
On error: show the error message.
|
|
@@ -0,0 +1,87 @@
|
|
|
1
|
+
# /verity-insights — Project quality insights and Standard evolution
|
|
2
|
+
|
|
3
|
+
Surface metrics from accumulated run data and manage Standard evolution suggestions.
|
|
4
|
+
|
|
5
|
+
## Metrics overview
|
|
6
|
+
|
|
7
|
+
Gather data from multiple sources to give the user a quality health report:
|
|
8
|
+
|
|
9
|
+
```bash
|
|
10
|
+
# Knowledge base size — active lessons or memory nodes
|
|
11
|
+
curl -s -H "Authorization: Bearer $VERITY_TOKEN" \
|
|
12
|
+
"$(verity config service-url)/compound/lessons" | jq '.total_active'
|
|
13
|
+
|
|
14
|
+
# Memory graph stats (if graph enabled)
|
|
15
|
+
curl -s -H "Authorization: Bearer $VERITY_TOKEN" \
|
|
16
|
+
"$(verity config service-url)/compound/memory/nodes" | jq '.total'
|
|
17
|
+
|
|
18
|
+
# Run trends — use verity status for a quick summary
|
|
19
|
+
verity status
|
|
20
|
+
|
|
21
|
+
# Pending suggestions — Standard evolution candidates
|
|
22
|
+
curl -s -H "Authorization: Bearer $VERITY_TOKEN" \
|
|
23
|
+
"$(verity config service-url)/compound/standard-suggestions" | jq '.suggestions | length'
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
### What to surface
|
|
27
|
+
|
|
28
|
+
1. **Pattern signal/noise**: patterns with high FP rates (candidates for retirement or severity lowering)
|
|
29
|
+
2. **High-value patterns**: patterns with high TP rates (proving their worth)
|
|
30
|
+
3. **Active suppressions**: count of per-finding false-positive suppressions
|
|
31
|
+
4. **Knowledge base size**: lesson/node count by kind, recent additions
|
|
32
|
+
5. **Score trends**: quality and security scores over the last 10 runs
|
|
33
|
+
6. **Finding recurrence**: how often the same finding_key reappears (should decrease over time)
|
|
34
|
+
7. **Lesson injection rate**: % of recent runs where ≥1 lesson/node was injected
|
|
35
|
+
|
|
36
|
+
## Standard evolution suggestions
|
|
37
|
+
|
|
38
|
+
The system analyzes accumulated telemetry and suggests Standard changes:
|
|
39
|
+
|
|
40
|
+
### View pending suggestions
|
|
41
|
+
|
|
42
|
+
```bash
|
|
43
|
+
curl -s -H "Authorization: Bearer $VERITY_TOKEN" \
|
|
44
|
+
"$(verity config service-url)/compound/standard-suggestions" | jq '.suggestions[]'
|
|
45
|
+
```
|
|
46
|
+
|
|
47
|
+
Suggestion kinds:
|
|
48
|
+
- **retire_pattern**: Pattern had 90+ runs with zero findings — not earning its place
|
|
49
|
+
- **lower_severity**: Pattern has >50% false-positive rate — too noisy at current severity
|
|
50
|
+
- **sharpen**: Pattern has >80% true-positive rate over 50+ findings — consider raising severity
|
|
51
|
+
- **add_exclusion**: Pattern dismissed ≥3 times for same file pattern — add file-scope exclusion
|
|
52
|
+
- **promote_lesson**: High-confidence lesson cited ≥5 times — promote to custom Standard pattern
|
|
53
|
+
|
|
54
|
+
### Approve a suggestion
|
|
55
|
+
|
|
56
|
+
Approving creates a new Standard version automatically:
|
|
57
|
+
|
|
58
|
+
```bash
|
|
59
|
+
curl -s -X POST -H "Authorization: Bearer $VERITY_TOKEN" \
|
|
60
|
+
"$(verity config service-url)/compound/standard-suggestions/<suggestion-id>/approve"
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
### Reject a suggestion
|
|
64
|
+
|
|
65
|
+
Rejected suggestions won't resurface for 30 days:
|
|
66
|
+
|
|
67
|
+
```bash
|
|
68
|
+
curl -s -X POST -H "Authorization: Bearer $VERITY_TOKEN" \
|
|
69
|
+
"$(verity config service-url)/compound/standard-suggestions/<suggestion-id>/reject"
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
### Generate suggestions manually
|
|
73
|
+
|
|
74
|
+
Normally runs weekly. To trigger manually:
|
|
75
|
+
|
|
76
|
+
```bash
|
|
77
|
+
curl -s -X POST -H "Authorization: Bearer $VERITY_TOKEN" \
|
|
78
|
+
"$(verity config service-url)/compound/generate-suggestions"
|
|
79
|
+
```
|
|
80
|
+
|
|
81
|
+
## How evolution works
|
|
82
|
+
|
|
83
|
+
1. **Observe**: Every run accumulates pattern telemetry (signal vs noise) and finding feedback
|
|
84
|
+
2. **Aggregate**: Weekly job reads telemetry + feedback → produces evolution candidates
|
|
85
|
+
3. **Review**: User sees suggestions with evidence (run counts, FP rates, citation counts)
|
|
86
|
+
4. **Apply**: Approved suggestions become a new Standard version (immutable, rollback-safe)
|
|
87
|
+
5. **No autonomous changes** in v1 — every suggestion requires human approval
|
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
# /verity-learn — View and manage project knowledge
|
|
2
|
+
|
|
3
|
+
Project knowledge is durable insights extracted from analysis runs — decisions, patterns, gotchas, and conventions. When the memory graph is enabled (`memory_graph_enabled`), this skill delegates to the graph. Otherwise, it uses flat lessons.
|
|
4
|
+
|
|
5
|
+
## Graph mode (memory_graph_enabled = true)
|
|
6
|
+
|
|
7
|
+
When the memory graph is active, `/verity-learn` delegates to `/verity-memory`. Use these commands:
|
|
8
|
+
|
|
9
|
+
- **List nodes**: `ls .verity/memory/*/` or see `/verity-memory list`
|
|
10
|
+
- **Show a node**: `cat .verity/memory/<domain>/<slug>.md` or see `/verity-memory show <node_id>`
|
|
11
|
+
- **Walk the graph**: see `/verity-memory walk --files <files>`
|
|
12
|
+
- **Add knowledge**: see `/verity-memory add <kind> "<title>"`
|
|
13
|
+
|
|
14
|
+
For full documentation, use `/verity-memory`.
|
|
15
|
+
|
|
16
|
+
## Flat mode (memory_graph_enabled = false, default for existing projects)
|
|
17
|
+
|
|
18
|
+
### List lessons
|
|
19
|
+
|
|
20
|
+
```bash
|
|
21
|
+
curl -s -H "Authorization: Bearer $VERITY_TOKEN" \
|
|
22
|
+
"$(verity config service-url)/compound/lessons" | jq '.lessons[] | {id, kind, title, confidence}'
|
|
23
|
+
```
|
|
24
|
+
|
|
25
|
+
### Add a lesson (user-authored)
|
|
26
|
+
|
|
27
|
+
```bash
|
|
28
|
+
curl -s -X POST -H "Authorization: Bearer $VERITY_TOKEN" \
|
|
29
|
+
-H "Content-Type: application/json" \
|
|
30
|
+
"$(verity config service-url)/compound/lessons" \
|
|
31
|
+
-d '{
|
|
32
|
+
"kind": "gotcha",
|
|
33
|
+
"title": "RLS policies and cleanup cron are coupled",
|
|
34
|
+
"body": "Changing RLS policies without updating the cleanup cron will break retention.",
|
|
35
|
+
"file_globs": ["server/supabase/migrations/**"]
|
|
36
|
+
}'
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
Valid kinds: `bug_pattern`, `architectural_decision`, `gotcha`, `preferred_convention`, `false_positive_rule`, `intent_template`.
|
|
40
|
+
|
|
41
|
+
### Archive a lesson
|
|
42
|
+
|
|
43
|
+
```bash
|
|
44
|
+
curl -s -X PATCH -H "Authorization: Bearer $VERITY_TOKEN" \
|
|
45
|
+
-H "Content-Type: application/json" \
|
|
46
|
+
"$(verity config service-url)/compound/lessons/<lesson-id>" \
|
|
47
|
+
-d '{"status": "archived"}'
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
### Trigger extraction
|
|
51
|
+
|
|
52
|
+
```bash
|
|
53
|
+
curl -s -X POST -H "Authorization: Bearer $VERITY_TOKEN" \
|
|
54
|
+
-H "Content-Type: application/json" \
|
|
55
|
+
"$(verity config service-url)/compound/extract" \
|
|
56
|
+
-d '{"task_id": "<task-uuid>"}'
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
## How it works
|
|
60
|
+
|
|
61
|
+
1. **Extraction**: When a task closes or reaches 5 runs, an LLM extracts 0-3 durable knowledge items.
|
|
62
|
+
2. **Injection**: On each analysis run, the most relevant knowledge is scored and injected into the reviewer prompt.
|
|
63
|
+
3. **Compounding**: Knowledge that proves useful gets higher confidence. Unused knowledge is eventually archived.
|
|
@@ -0,0 +1,113 @@
|
|
|
1
|
+
# /verity-memory — Manage the project knowledge graph
|
|
2
|
+
|
|
3
|
+
The memory graph is a collection of markdown nodes at `.verity/memory/` organized into 8 domains. Each node has YAML frontmatter with typed edges that form a graph. The graph is the project's accumulated knowledge — decisions, patterns, gotchas, security constraints, and more.
|
|
4
|
+
|
|
5
|
+
## Commands
|
|
6
|
+
|
|
7
|
+
### List nodes
|
|
8
|
+
|
|
9
|
+
```bash
|
|
10
|
+
# List all active nodes
|
|
11
|
+
curl -s -H "Authorization: Bearer $VERITY_TOKEN" \
|
|
12
|
+
"$(verity config service-url)/compound/memory/nodes" | jq '.nodes[] | {node_id, kind, title, confidence}'
|
|
13
|
+
|
|
14
|
+
# Filter by kind
|
|
15
|
+
curl -s -H "Authorization: Bearer $VERITY_TOKEN" \
|
|
16
|
+
"$(verity config service-url)/compound/memory/nodes?kind=security" | jq '.nodes[]'
|
|
17
|
+
```
|
|
18
|
+
|
|
19
|
+
Or browse locally: `ls .verity/memory/*/`
|
|
20
|
+
|
|
21
|
+
### Show a node
|
|
22
|
+
|
|
23
|
+
```bash
|
|
24
|
+
curl -s -H "Authorization: Bearer $VERITY_TOKEN" \
|
|
25
|
+
"$(verity config service-url)/compound/memory/nodes/<node_id>" | jq '.'
|
|
26
|
+
```
|
|
27
|
+
|
|
28
|
+
Or read directly: `cat .verity/memory/decisions/<slug>.md`
|
|
29
|
+
|
|
30
|
+
### Walk the graph
|
|
31
|
+
|
|
32
|
+
Find related knowledge by seeding from files you're working on:
|
|
33
|
+
|
|
34
|
+
```bash
|
|
35
|
+
curl -s -X POST -H "Authorization: Bearer $VERITY_TOKEN" \
|
|
36
|
+
-H "Content-Type: application/json" \
|
|
37
|
+
"$(verity config service-url)/compound/memory/walk" \
|
|
38
|
+
-d '{"seed_files": ["src/auth/tokens.ts"], "max_hops": 2, "budget_tokens": 2000}'
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
### Add a node (user-authored)
|
|
42
|
+
|
|
43
|
+
User-authored nodes get `confidence: 1.0` and are never auto-archived:
|
|
44
|
+
|
|
45
|
+
```bash
|
|
46
|
+
curl -s -X POST -H "Authorization: Bearer $VERITY_TOKEN" \
|
|
47
|
+
-H "Content-Type: application/json" \
|
|
48
|
+
"$(verity config service-url)/compound/memory/nodes" \
|
|
49
|
+
-d '{
|
|
50
|
+
"kind": "gotcha",
|
|
51
|
+
"title": "RLS policies and cleanup cron are coupled",
|
|
52
|
+
"body": "Changing RLS policies without updating the cleanup cron will break retention.",
|
|
53
|
+
"file_globs": ["server/supabase/migrations/**"],
|
|
54
|
+
"domains": ["security", "database"]
|
|
55
|
+
}'
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
Valid kinds: `decision`, `quality`, `security`, `intent`, `gotcha`, `pattern`, `domain`, `integration`.
|
|
59
|
+
|
|
60
|
+
Or create the markdown file directly at `.verity/memory/<domain>/<slug>.md` with proper frontmatter (see `.verity/memory/SCHEMA.md` for the template).
|
|
61
|
+
|
|
62
|
+
### Edit a node
|
|
63
|
+
|
|
64
|
+
Edit the markdown file directly at `.verity/memory/<domain>/<slug>.md`. Changes sync to the cloud on the next analysis run. User edits are always preserved (repo wins for `source: user`).
|
|
65
|
+
|
|
66
|
+
### Archive a node
|
|
67
|
+
|
|
68
|
+
```bash
|
|
69
|
+
curl -s -X PATCH -H "Authorization: Bearer $VERITY_TOKEN" \
|
|
70
|
+
-H "Content-Type: application/json" \
|
|
71
|
+
"$(verity config service-url)/compound/memory/nodes/<node_id>" \
|
|
72
|
+
-d '{"status": "archived"}'
|
|
73
|
+
```
|
|
74
|
+
|
|
75
|
+
### Search nodes
|
|
76
|
+
|
|
77
|
+
Use full-text search via the list endpoint, or `grep -r "keyword" .verity/memory/` locally.
|
|
78
|
+
|
|
79
|
+
### Run lint
|
|
80
|
+
|
|
81
|
+
Check for orphan nodes, stale knowledge, missing backlinks, and contradictions:
|
|
82
|
+
|
|
83
|
+
```bash
|
|
84
|
+
curl -s -X POST -H "Authorization: Bearer $VERITY_TOKEN" \
|
|
85
|
+
"$(verity config service-url)/compound/memory/lint"
|
|
86
|
+
```
|
|
87
|
+
|
|
88
|
+
Results appear in `.verity/memory/log.md` after the next sync.
|
|
89
|
+
|
|
90
|
+
## How the graph works
|
|
91
|
+
|
|
92
|
+
1. **Extraction**: When tasks close or reach 5 runs, an LLM extracts 0-3 knowledge nodes with typed edges.
|
|
93
|
+
2. **Sync**: On every analysis run, the CLI sends a manifest of local files. The server returns new nodes as `memory_writes[]` that the CLI applies locally.
|
|
94
|
+
3. **Injection**: The reviewer prompt receives a graph-walk neighborhood (2 hops from changed files, budget-capped at 2000 tokens).
|
|
95
|
+
4. **Linking**: Nodes connect opportunistically via shared file_globs, keyword overlap, and shared evidence runs.
|
|
96
|
+
5. **Lint**: Weekly checks for orphans, stale nodes, contradictions, and missing backlinks.
|
|
97
|
+
|
|
98
|
+
## Domains
|
|
99
|
+
|
|
100
|
+
| Directory | Purpose |
|
|
101
|
+
|-----------|---------|
|
|
102
|
+
| `decisions/` | Architectural choices (WHY is it this way?) |
|
|
103
|
+
| `quality/` | Quality patterns (WHAT does "good" mean here?) |
|
|
104
|
+
| `security/` | Security constraints (WHAT must be protected?) |
|
|
105
|
+
| `intent/` | Intent templates (WHAT does the user expect?) |
|
|
106
|
+
| `gotchas/` | Footguns and surprises (WHAT will trip you up?) |
|
|
107
|
+
| `patterns/` | Code conventions (HOW should it be done?) |
|
|
108
|
+
| `domain/` | Business logic concepts (WHAT does this mean?) |
|
|
109
|
+
| `integrations/` | External system knowledge (WHAT's around us?) |
|
|
110
|
+
|
|
111
|
+
## Obsidian compatibility
|
|
112
|
+
|
|
113
|
+
The `.verity/memory/` directory is designed to open directly in Obsidian, Foam, or Logseq. Nodes use `[[wikilink]]` syntax for cross-references.
|
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
# /verity-reflect — Capture learnings after a task
|
|
2
|
+
|
|
3
|
+
Trigger knowledge extraction for the current task, or submit a human reflection that becomes a high-confidence knowledge node.
|
|
4
|
+
|
|
5
|
+
## Auto-reflection (extract from task history)
|
|
6
|
+
|
|
7
|
+
When called without `--user-input`, triggers the LLM extractor to review the current task's run history and produce 0-3 knowledge nodes:
|
|
8
|
+
|
|
9
|
+
```bash
|
|
10
|
+
verity reflect
|
|
11
|
+
```
|
|
12
|
+
|
|
13
|
+
This is the same extraction that runs automatically on task close and every 5 runs. Use this to manually trigger it mid-task if you've learned something significant.
|
|
14
|
+
|
|
15
|
+
## Human reflection (the compound moment)
|
|
16
|
+
|
|
17
|
+
When the user provides their own insight, it becomes a high-confidence node (`source: user`, `confidence: 1.0`) that is never auto-archived:
|
|
18
|
+
|
|
19
|
+
```bash
|
|
20
|
+
verity reflect --user-input "The Stripe retry logic needs idempotency keys or we double-charge"
|
|
21
|
+
```
|
|
22
|
+
|
|
23
|
+
The CLI will:
|
|
24
|
+
1. Call the extractor LLM to classify the reflection into a domain (decisions/, patterns/, gotchas/, etc.)
|
|
25
|
+
2. Set `source: 'user'` and `confidence: 1.0`
|
|
26
|
+
3. Opportunistically link to existing nodes
|
|
27
|
+
4. Write the node locally and sync to cloud
|
|
28
|
+
|
|
29
|
+
## When to reflect
|
|
30
|
+
|
|
31
|
+
The agent should ask for a reflection at natural task-completion moments:
|
|
32
|
+
|
|
33
|
+
- After creating a PR
|
|
34
|
+
- When the user says "done", "ship it", or "that's it"
|
|
35
|
+
- When a task is explicitly closed
|
|
36
|
+
|
|
37
|
+
The reflection prompt (installed in CLAUDE.md during setup):
|
|
38
|
+
|
|
39
|
+
> "Quick reflection for future agents: what's one thing you learned during this task that would help next time? A decision, a gotcha, a pattern — anything worth remembering. (Say 'skip' to skip.)"
|
|
40
|
+
|
|
41
|
+
If the user says "skip", do NOT call `verity reflect`. The reflection is optional.
|
|
42
|
+
|
|
43
|
+
## Examples of good reflections
|
|
44
|
+
|
|
45
|
+
- "The Stripe retry logic needs to use idempotency keys or we double-charge. Learned this the hard way." → `gotchas/stripe-idempotency-keys.md`
|
|
46
|
+
- "We decided to use advisory locks instead of optimistic locking because Supabase supports it natively." → `decisions/advisory-locks-for-versioning.md`
|
|
47
|
+
- "Don't touch the RLS policies without updating the cleanup cron job — they're coupled." → `gotchas/rls-cleanup-coupling.md`
|