cogitocv 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +97 -0
- package/dist/cli.js +8102 -0
- package/package.json +34 -0
package/LICENSE
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 Cogito (CogitoAgency)
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
package/README.md
ADDED
|
@@ -0,0 +1,97 @@
|
|
|
1
|
+
# CogitoCV — Continuous Verification for AI-agent-written code
|
|
2
|
+
|
|
3
|
+
Your agents write. We verify.
|
|
4
|
+
|
|
5
|
+
AI generates code faster than humans can review it. CogitoCV is the machine gate:
|
|
6
|
+
it verifies every PR diff for **compliance** (your repo's declared rules), **quality**
|
|
7
|
+
(does it actually do what it claims), and **security** (leaked secrets, vulnerable
|
|
8
|
+
patterns) — and gates the merge with an evidence-backed verdict.
|
|
9
|
+
|
|
10
|
+
CI tests that the code runs. CV verifies the agent was right.
|
|
11
|
+
|
|
12
|
+
## Quick start
|
|
13
|
+
|
|
14
|
+
```yaml
|
|
15
|
+
# .github/workflows/verify.yml
|
|
16
|
+
name: CogitoCV
|
|
17
|
+
on: pull_request
|
|
18
|
+
permissions:
|
|
19
|
+
contents: read
|
|
20
|
+
pull-requests: write
|
|
21
|
+
jobs:
|
|
22
|
+
verify:
|
|
23
|
+
runs-on: ubuntu-latest
|
|
24
|
+
steps:
|
|
25
|
+
- uses: actions/checkout@v4
|
|
26
|
+
with: { fetch-depth: 0 }
|
|
27
|
+
- uses: CogitoAgency/verify@v1
|
|
28
|
+
env:
|
|
29
|
+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
30
|
+
# only needed for `ask` (LLM judge) checks:
|
|
31
|
+
CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
Make the job a required check in branch protection and CogitoCV gates the merge.
|
|
35
|
+
No `.cogito/verify.yaml` in your repo? A zero-config pipeline runs: secret scan +
|
|
36
|
+
two generic reasoning checks over the diff.
|
|
37
|
+
|
|
38
|
+
Also available as a CLI: `npx cogitocv` from any git branch. On a Mac with
|
|
39
|
+
[Claude Code](https://claude.com/claude-code) installed, judge checks use your
|
|
40
|
+
existing Claude login — no API key setup.
|
|
41
|
+
|
|
42
|
+
## Rules — `.cogito/verify.yaml`
|
|
43
|
+
|
|
44
|
+
```yaml
|
|
45
|
+
version: 1
|
|
46
|
+
|
|
47
|
+
compliance:
|
|
48
|
+
- name: repo-rules
|
|
49
|
+
ask: >
|
|
50
|
+
Does this diff follow the conventions in the context files?
|
|
51
|
+
Cite the violated rule if not.
|
|
52
|
+
context: [CLAUDE.md, "docs/**/*.md"]
|
|
53
|
+
|
|
54
|
+
quality:
|
|
55
|
+
- name: tests
|
|
56
|
+
run: npm test # any command; exit 0 = PASS
|
|
57
|
+
timeout: 240 # seconds (default 30 run / 120 ask, max 300)
|
|
58
|
+
- name: claim-matches-code
|
|
59
|
+
ask: >
|
|
60
|
+
Does the diff do what the PR claims? Flag stubs, swallowed errors,
|
|
61
|
+
hardcoded fake results presented as working.
|
|
62
|
+
|
|
63
|
+
security:
|
|
64
|
+
- name: secrets
|
|
65
|
+
builtin: secret-scan # gitleaks-derived scanner over added lines
|
|
66
|
+
- name: vulnerable-patterns
|
|
67
|
+
ask: >
|
|
68
|
+
Any string-built SQL, unsanitized shell of user input, committed
|
|
69
|
+
credentials, or disabled auth checks?
|
|
70
|
+
severity: warn # block (default) fails the job; warn only reports
|
|
71
|
+
```
|
|
72
|
+
|
|
73
|
+
Three check kinds:
|
|
74
|
+
|
|
75
|
+
| kind | what it is | provenance |
|
|
76
|
+
|---|---|---|
|
|
77
|
+
| `run` | a shell command — exit 0 = PASS (evidence-as-code) | deterministic |
|
|
78
|
+
| `builtin` | shipped checks (`secret-scan`) | deterministic |
|
|
79
|
+
| `ask` | an adversarial LLM judge over the diff + context — defaults to GAP on uncertainty | LLM-judged |
|
|
80
|
+
|
|
81
|
+
Deterministic checks need no LLM and no key. `ask` checks run through the Claude
|
|
82
|
+
Code CLI: set `CLAUDE_CODE_OAUTH_TOKEN` (from `claude setup-token`) or
|
|
83
|
+
`ANTHROPIC_API_KEY` on CI; if neither is present they report SKIPPED — never a
|
|
84
|
+
false PASS. Every claimed secret in the report is redacted before rendering.
|
|
85
|
+
|
|
86
|
+
## Inputs & environment
|
|
87
|
+
|
|
88
|
+
| input / var | purpose |
|
|
89
|
+
|---|---|
|
|
90
|
+
| `base` input / `COGITOCV_BASE` | base ref to diff against (default: PR base) |
|
|
91
|
+
| `model` input / `COGITOCV_MODEL` | judge model, e.g. `haiku` for cheap/fast |
|
|
92
|
+
| `COGITOCV_CONFIG` | alternate rules file (also `--config <path>`) |
|
|
93
|
+
| `--no-diff` | probe mode: run checks without a diff (deploy health gates) |
|
|
94
|
+
| `GITHUB_TOKEN` | enables the sticky PR comment |
|
|
95
|
+
|
|
96
|
+
---
|
|
97
|
+
Built by [Cogito](https://cogito.cv). CogitoCV — Continuous Verification.
|
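Review bot: the Quick start workflow (`on: pull_request` with `pull-requests: write` and `CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}`) places a write-capable `GITHUB_TOKEN` and the Claude OAuth token in the environment of a job that, via the rules file's `run: npm test  # any command; exit 0 = PASS`, executes whatever the checked-out PR defines as its test script, so a same-repo PR (the agent-authored branches this tool is meant to gate) can read both tokens by editing `package.json`; the README should state that `run` checks execute untrusted PR content with the job's credentials and recommend a separate, secret-free job for them, or at minimum `permissions: pull-requests: write` scoped to the comment step only. In the same block, `- uses: CogitoAgency/verify@v1` is a mutable tag; a gate that handles credentials and decides merges should be pinned to a full commit SHA. Finally, the text promises `ask` checks "report SKIPPED — never a false PASS" when neither token is present, but does not say whether a job whose judge checks are all SKIPPED still succeeds: fork PRs never receive `secrets.*`, so with the documented branch-protection setup the required check degrades silently to `secret-scan` only; document the verdict for SKIPPED (and consider failing, or at least warning in the PR comment, when an `ask` check in a `block`-severity section is skipped).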