veriskit 0.2.0 → 0.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +21 -0
- package/README.md +163 -109
- package/dist/index.js +1028 -80
- package/package.json +2 -2
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,26 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 0.4.0 — 2026-07-10
|
|
4
|
+
|
|
5
|
+
### Added
|
|
6
|
+
- Evidence System. Every `veris verify` and `veris affected` run writes a canonical, git-anchored `.veris/runs/<id>/evidence.json` (schema `veriskit/evidence@1`) with a sha256 integrity digest over the whole record and a sha256 of each per-check log. No new runtime dependencies.
|
|
7
|
+
- `veris evidence verify <file>` recomputes and checks a record or a bundle, and states plainly what an integrity digest does and does not prove.
|
|
8
|
+
- `veris evidence bundle` packages the latest run (record, report, and logs, each digested) into one portable proof file under `.veris/evidence/`.
|
|
9
|
+
- `veris evidence show` prints the latest record's key facts.
|
|
10
|
+
|
|
11
|
+
### Changed
|
|
12
|
+
- The report and terminal output now show the git commit and whether the tree was clean, plus the evidence digest in the report.
|
|
13
|
+
- `evidence.json` replaces the older `metadata.json`. `veris init` now also gitignores `evidence/`.
|
|
14
|
+
|
|
15
|
+
## 0.3.0 — 2026-07-10
|
|
16
|
+
|
|
17
|
+
### Added
|
|
18
|
+
- `veris scan` — import-graph map + untested areas, built from the project's own TypeScript (with a dep-free scanner fallback); writes `.veris/graph.json`.
|
|
19
|
+
- `veris plan` — prioritized recommendations (high-impact untested files, weak verification, risky changes). Analysis only — no code generation.
|
|
20
|
+
|
|
21
|
+
### Changed
|
|
22
|
+
- `veris affected` / `veris watch` are now graph-based: the unit run is narrowed to only the test files that transitively import your changes, with a conservative full-suite fallback (config/global change, unresolved file, or untested change) so an affected test is never skipped. No new runtime dependencies.
|
|
23
|
+
|
|
3
24
|
## 0.2.0 — 2026-07-09
|
|
4
25
|
|
|
5
26
|
### Added
|
package/README.md
CHANGED
|
@@ -1,11 +1,28 @@
|
|
|
1
|
-
|
|
1
|
+
<p align="center">
|
|
2
|
+
<img src="assets/veriskit-icon.svg" alt="VerisKit" width="96" height="96">
|
|
3
|
+
</p>
|
|
2
4
|
|
|
3
|
-
|
|
5
|
+
<h1 align="center">VerisKit</h1>
|
|
4
6
|
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
7
|
+
<p align="center"><strong>The fastest way to prove your software works.</strong></p>
|
|
8
|
+
|
|
9
|
+
<p align="center">
|
|
10
|
+
<a href="https://www.npmjs.com/package/veriskit"><img src="https://img.shields.io/npm/v/veriskit?color=14b8a6&label=npm" alt="npm version"></a>
|
|
11
|
+
<img src="https://img.shields.io/badge/deps-cac%20%2B%20picocolors-14b8a6" alt="two runtime dependencies">
|
|
12
|
+
<img src="https://img.shields.io/badge/license-MIT-14b8a6" alt="MIT license">
|
|
13
|
+
</p>
|
|
14
|
+
|
|
15
|
+
<p align="center">
|
|
16
|
+
<img src="assets/veriskit-affected.gif" alt="veris affected narrowing the unit run to only the tests that reach a change" width="760">
|
|
17
|
+
</p>
|
|
18
|
+
|
|
19
|
+
<p align="center"><em>Change a file. VerisKit runs only the tests that reach it (2 of 28 here), then gives an honest verdict.</em></p>
|
|
20
|
+
|
|
21
|
+
---
|
|
22
|
+
|
|
23
|
+
VerisKit runs the test and quality tools your project already has (TypeScript, Vitest, Jest, `node:test`, ESLint, Biome), then turns their results into one honest verdict with a Markdown report you can paste into a pull request. There is no config to write and no new test framework to learn.
|
|
24
|
+
|
|
25
|
+
It answers the question a wall of green checkmarks leaves open: **is this change safe enough to trust?**
|
|
9
26
|
|
|
10
27
|
## Install
|
|
11
28
|
|
|
@@ -19,8 +36,7 @@ Or add it to a project:
|
|
|
19
36
|
npm install --save-dev veriskit
|
|
20
37
|
```
|
|
21
38
|
|
|
22
|
-
|
|
23
|
-
> existing package). The installed command is still **`veris`**.
|
|
39
|
+
You install the package `veriskit`. The command it gives you is `veris`. (The bare name `veris` was already too close to another npm package.)
|
|
24
40
|
|
|
25
41
|
## Quickstart
|
|
26
42
|
|
|
@@ -30,17 +46,16 @@ veris verify # run the configured checks, print a verdict, write a report
|
|
|
30
46
|
veris report # print the latest report
|
|
31
47
|
```
|
|
32
48
|
|
|
33
|
-
`veris doctor` and `veris test`
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
`verify`.
|
|
49
|
+
Two more commands round out the basics. `veris doctor` prints a read-only capability report: what will run, what will be skipped, and why. `veris test` runs just the detected unit test runner with the same summarized output as `verify`.
|
|
50
|
+
|
|
51
|
+
## The verdict
|
|
37
52
|
|
|
38
|
-
|
|
53
|
+
`veris verify` runs your checks and prints one result. Here is a passing run:
|
|
39
54
|
|
|
40
55
|
```text
|
|
41
|
-
|
|
56
|
+
VerisKit
|
|
42
57
|
|
|
43
|
-
Project
|
|
58
|
+
Project veriskit
|
|
44
59
|
Risk —
|
|
45
60
|
|
|
46
61
|
Checks
|
|
@@ -51,54 +66,27 @@ Checks
|
|
|
51
66
|
Result
|
|
52
67
|
✓ Verified
|
|
53
68
|
|
|
69
|
+
Commit 4fa33a9 · tree clean
|
|
70
|
+
|
|
54
71
|
Report
|
|
55
|
-
.veris/reports/verify-2026-07-
|
|
72
|
+
.veris/reports/verify-2026-07-10T09-04-52-076Z-1.md
|
|
56
73
|
```
|
|
57
74
|
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
tests), and ESLint or Biome (lint) — whichever your project already has
|
|
70
|
-
configured. Playwright is *detected* and reported as available; it is not
|
|
71
|
-
run.
|
|
72
|
-
- **Does not** run browser tests, and does not build or ship a native test
|
|
73
|
-
execution engine. Those are explicit non-goals for v0.1 (see the design
|
|
74
|
-
spec linked below).
|
|
75
|
-
- **Does not** impose a linter, a test runner, or any new config format —
|
|
76
|
-
detection is read-only and `init` never overwrites an existing
|
|
77
|
-
`.veris/config.json`.
|
|
78
|
-
|
|
79
|
-
### The verdict is three states, not two
|
|
80
|
-
|
|
81
|
-
- **`verified`** — every configured capability ran and passed.
|
|
82
|
-
- **`failed`** — at least one check failed. Exit code `1`.
|
|
83
|
-
- **`partial`** — no failures, but at least one configured capability was
|
|
84
|
-
skipped or its result is unknown (e.g. a runner wasn't installed). Exit
|
|
85
|
-
code `2` by default.
|
|
86
|
-
|
|
87
|
-
**`partial` is not a pass.** Veris never folds a skipped check into
|
|
88
|
-
"verified" — that would manufacture confidence CI shouldn't have. Teams that
|
|
89
|
-
want partial results to pass CI can opt in explicitly with
|
|
90
|
-
`veris verify --partial-ok` (exits `0` on partial).
|
|
91
|
-
|
|
92
|
-
| Verdict | Exit code | Meaning |
|
|
93
|
-
|----------|-----------|--------------------------------------------|
|
|
94
|
-
| verified | `0` | every configured check passed |
|
|
95
|
-
| failed | `1` | at least one check failed |
|
|
96
|
-
| partial | `2` (`0` with `--partial-ok`) | no failures, but something was skipped |
|
|
75
|
+
The verdict has three states, not two:
|
|
76
|
+
|
|
77
|
+
| Verdict | Exit code | Meaning |
|
|
78
|
+
|---|---|---|
|
|
79
|
+
| `verified` | `0` | every configured check ran and passed |
|
|
80
|
+
| `failed` | `1` | at least one check failed |
|
|
81
|
+
| `partial` | `2` (`0` with `--partial-ok`) | no failures, but a check was skipped or its result is unknown |
|
|
82
|
+
|
|
83
|
+
A partial verdict is not a pass. A check can end up skipped when its runner is not installed, or when nothing in your change reaches it. VerisKit lists that check as skipped and lowers the verdict rather than folding it into "verified", because a folded skip hands CI confidence it did not earn. If your team wants partial runs to pass CI, opt in with `veris verify --partial-ok`.
|
|
84
|
+
|
|
85
|
+
VerisKit orchestrates the tools you already run. It shells out to `tsc`, Vitest, Jest, `node:test`, ESLint, and Biome, reads their exit codes and output, and reports one result. It does not run browser tests, and it does not ship its own test engine. Detection stays read-only, and `init` never overwrites an existing `.veris/config.json`.
|
|
97
86
|
|
|
98
87
|
## Developer loop
|
|
99
88
|
|
|
100
|
-
|
|
101
|
-
of always running the full set.
|
|
89
|
+
While you work, scope the checks to what you touched instead of running everything.
|
|
102
90
|
|
|
103
91
|
### `veris affected`
|
|
104
92
|
|
|
@@ -107,74 +95,140 @@ veris affected # checks affected by working-tree changes vs HEAD
|
|
|
107
95
|
veris affected --base main # checks affected by the diff against another ref (PR/CI)
|
|
108
96
|
```
|
|
109
97
|
|
|
110
|
-
`affected`
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
|
115
|
-
|
|
116
|
-
|
|
|
117
|
-
|
|
|
118
|
-
|
|
|
119
|
-
|
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
file
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
|
|
98
|
+
`affected` reads which files changed (your working tree plus untracked files against `HEAD`, or against `--base <ref>` for a PR/CI diff) and maps each one to the check categories it can touch:
|
|
99
|
+
|
|
100
|
+
| Changed file | Checks run |
|
|
101
|
+
|---|---|
|
|
102
|
+
| test file | unit, lint |
|
|
103
|
+
| TypeScript file | types, lint, unit |
|
|
104
|
+
| JavaScript file | lint, unit |
|
|
105
|
+
| config (`tsconfig`, biome/eslint config, `package.json`, `veris.config.*`) | every available check |
|
|
106
|
+
| docs and assets (`.md`, images, `LICENSE`) | nothing |
|
|
107
|
+
| anything else unrecognized | every available check (a safe default) |
|
|
108
|
+
|
|
109
|
+
That table picks the check categories. Inside the `unit` category, `affected` goes further: it builds the same import graph that [`veris scan` and `veris plan`](#project-intelligence) use, then runs only the test files that transitively import your changed files.
|
|
110
|
+
|
|
111
|
+
The narrowing stays conservative. It runs the full unit suite whenever it cannot prove a smaller set is safe:
|
|
112
|
+
|
|
113
|
+
- a changed file matches a config or global pattern (`tsconfig*.json`, `package.json`, a `*.config.*` or `*.setup.*` file, biome/eslint config)
|
|
114
|
+
- a changed file is not a node in the import graph (it sits under an ignored directory like `node_modules` or `.veris`, or it is not a recognized code extension)
|
|
115
|
+
- no test file reaches any changed file, so the change has no tests to run
|
|
116
|
+
- the graph came from the relative-imports scanner rather than TypeScript, which can miss aliased imports
|
|
117
|
+
|
|
118
|
+
The output says when a run was narrowed, and when it ran in full and why:
|
|
119
|
+
|
|
120
|
+
```text
|
|
121
|
+
unit narrowed to 3 of 41 test file(s) via typescript graph
|
|
122
|
+
unit ran in full — global/config change (package.json)
|
|
123
|
+
```
|
|
124
|
+
|
|
125
|
+
An `affected` run never prints a bare "Verified". The terminal and report say "Affected checks passed" (or "failed", or "Affected: partial"), and every available-but-unaffected capability is listed as skipped with the reason `not affected by changes`. Touch only a doc and VerisKit prints "Nothing affected" and exits `0`, which is a no-op and not a verified result: no checks ran.
|
|
138
126
|
|
|
139
127
|
### `veris watch`
|
|
140
128
|
|
|
141
129
|
```bash
|
|
142
130
|
veris watch # re-run affected checks as files change
|
|
143
|
-
veris watch --poll
|
|
131
|
+
veris watch --poll # use mtime polling instead of native fs.watch
|
|
144
132
|
```
|
|
145
133
|
|
|
146
|
-
`watch` runs a full baseline over every available check once, then
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
134
|
+
`watch` runs a full baseline over every available check once, then re-runs only the checks affected by whatever changed since the last tick. It uses Node's built-in recursive `fs.watch`, so it adds no dependency. On a platform where recursive `fs.watch` is unavailable, or a filesystem where native events are unreliable (some containers and network mounts), pass `--poll` to diff file mtimes on an interval instead.
|
|
135
|
+
|
|
136
|
+
Each tick reprints the full board and rebuilds the graph fresh, so narrowing reflects the file you just saved. A capability the latest change did not touch keeps its last real result, marked `⟳ cached`. A cached failure stays a failure (`✗`); VerisKit never hides it just because it did not rerun this tick. Press Ctrl-C to stop, and the watcher (or poll loop) closes cleanly with exit `0`.
|
|
137
|
+
|
|
138
|
+
## Project intelligence
|
|
139
|
+
|
|
140
|
+
`veris scan` and `veris plan` map your codebase's import graph and turn it into recommendations: what to test, where verification is thin, and which of your changes carry risk. Both are read-only analysis. Neither writes or generates any code.
|
|
141
|
+
|
|
142
|
+
### `veris scan`
|
|
143
|
+
|
|
144
|
+
```bash
|
|
145
|
+
veris scan
|
|
146
|
+
```
|
|
153
147
|
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
148
|
+
`scan` finds every source and test file, builds the import graph between them, and lists the source files with the most dependents that no test reaches. It writes the graph to `.veris/graph.json`, a derived cache rebuilt on every run.
|
|
149
|
+
|
|
150
|
+
`scan` always names the resolver that built the graph, because the two differ in accuracy:
|
|
151
|
+
|
|
152
|
+
- **`typescript`** runs when your project has a `tsconfig.json` and a `typescript` package that exposes the classic compiler API. VerisKit loads your project's own TypeScript at run time, so it adds no dependency, and it resolves imports the way `tsc` does: `tsconfig` path aliases, extension-mapped specifiers, index resolution.
|
|
153
|
+
- **`scanner`** is the fallback for a project with no TypeScript, no `tsconfig.json`, or a TypeScript 7.x native build that drops the classic compiler API. The scanner reads relative imports only. It follows `./foo` and `../bar/baz` but does not resolve `tsconfig` path aliases or computed dynamic imports, so on an alias-heavy project it can miss edges. `scan` labels the resolver it used, and VerisKit never treats a scanner graph as equal to the TypeScript one. This is also why graph-based narrowing in `affected` and `watch` runs the full suite in scanner mode.
|
|
154
|
+
|
|
155
|
+
### `veris plan`
|
|
156
|
+
|
|
157
|
+
```bash
|
|
158
|
+
veris plan # recommendations from the current graph
|
|
159
|
+
veris plan --base main # also factor in changes vs another ref
|
|
160
|
+
```
|
|
161
|
+
|
|
162
|
+
`plan` reads the graph and prioritizes:
|
|
163
|
+
|
|
164
|
+
- the highest-impact untested files to cover first (the most dependents, reached by no test)
|
|
165
|
+
- gaps in your setup, such as a missing linter or type-check
|
|
166
|
+
- with `--base <ref>`, the changed files that carry risk: high blast radius, and either untested or freshly changed
|
|
167
|
+
|
|
168
|
+
`plan` recommends. It never writes or generates test code. Generation is a later goal, not something VerisKit does today.
|
|
159
169
|
|
|
160
170
|
## Evidence
|
|
161
171
|
|
|
162
|
-
Every `veris verify` run
|
|
172
|
+
Every `veris verify` and `veris affected` run leaves a canonical, git-anchored
|
|
173
|
+
evidence record you can check later or hand to someone else as proof.
|
|
174
|
+
|
|
175
|
+
- `.veris/runs/<run-id>/evidence.json` is the machine-readable record: schema
|
|
176
|
+
`veriskit/evidence@1`, the verdict, per-check results, the environment, the
|
|
177
|
+
git commit and whether the tree was clean, and a sha256 integrity digest over
|
|
178
|
+
the whole record.
|
|
179
|
+
- `.veris/reports/verify-<run-id>.md` is the human-readable report, now showing
|
|
180
|
+
the commit and the digest. Paste it into a PR.
|
|
181
|
+
- Raw per-check logs live under `.veris/runs/<run-id>/`, and the record carries
|
|
182
|
+
a sha256 of each one.
|
|
183
|
+
|
|
184
|
+
Check a record:
|
|
185
|
+
|
|
186
|
+
```bash
|
|
187
|
+
veris evidence verify .veris/runs/<run-id>/evidence.json
|
|
188
|
+
```
|
|
189
|
+
|
|
190
|
+
This recomputes the digest and reports whether the record was edited or
|
|
191
|
+
corrupted since it was written. An integrity digest is not forgery-proof on its
|
|
192
|
+
own. To prove authorship, publish the digest separately (a CI log or PR) or sign
|
|
193
|
+
it. Cryptographic signing is planned for a later release.
|
|
194
|
+
|
|
195
|
+
Package a run as a single portable file (the record, its report, and its logs,
|
|
196
|
+
each with a digest, plus a bundle digest over everything):
|
|
197
|
+
|
|
198
|
+
```bash
|
|
199
|
+
veris evidence bundle # writes .veris/evidence/<run-id>.bundle.json
|
|
200
|
+
veris evidence verify <bundle> # checks the record, every log, and the report
|
|
201
|
+
```
|
|
202
|
+
|
|
203
|
+
`veris evidence show` prints the latest record's key facts.
|
|
204
|
+
|
|
205
|
+
Commit `.veris/config.json` and `.veris/.gitignore`. `veris init` keeps `runs/`,
|
|
206
|
+
`reports/`, `cache/`, `graph.json`, and `evidence/` out of your history.
|
|
207
|
+
|
|
208
|
+
## What VerisKit does not do yet
|
|
209
|
+
|
|
210
|
+
VerisKit says what it cannot do as plainly as what it can:
|
|
211
|
+
|
|
212
|
+
- **No framework route or endpoint detection.** The graph understands imports, not that a file is an Express route or a Next.js page, so it flags an untested module but not an untested endpoint. Planned next.
|
|
213
|
+
- **No test generation.** `plan` tells you what to test. Writing the tests is a later release.
|
|
214
|
+
- **One project root.** A monorepo with several `tsconfig.json` files is not modeled yet. Resolution runs against the root project.
|
|
215
|
+
- **Scanner fallback on plain-JS or TS 7.x-native projects.** The accurate resolver needs the classic TypeScript compiler API. Without it you get the labeled, relative-imports-only graph described above, and no dependency is added to paper over the gap.
|
|
216
|
+
- **No cryptographic signing.** Evidence carries an integrity digest, not a signature. Keyless signing is planned.
|
|
217
|
+
|
|
218
|
+
## Part of Baseframe Labs
|
|
219
|
+
|
|
220
|
+
VerisKit is one of four developer tools from [Baseframe Labs](https://www.baseframelabs.com), each answering a different question about your work:
|
|
163
221
|
|
|
164
|
-
-
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
- Raw per-check logs and run metadata under `.veris/runs/<run-id>/`.
|
|
222
|
+
- **[ProjScan](https://www.baseframelabs.com/apps/projscan)** asks: is the repository healthy?
|
|
223
|
+
- **[AgentLoopKit](https://www.baseframelabs.com/apps/agentloopkit)** asks: what should the agent do next?
|
|
224
|
+
- **[AgentFlight](https://www.baseframelabs.com/apps/agentflight)** asks: what did the agent actually do?
|
|
225
|
+
- **VerisKit** asks: can we trust the result?
|
|
169
226
|
|
|
170
|
-
|
|
171
|
-
`.veris/runs/`, `.veris/reports/`, and `.veris/cache/` are gitignored by
|
|
172
|
-
`veris init`.
|
|
227
|
+
Each works on its own. VerisKit needs none of the others to verify a change.
|
|
173
228
|
|
|
174
229
|
## Design
|
|
175
230
|
|
|
176
|
-
|
|
177
|
-
spec: [`docs/superpowers/specs/2026-07-08-veris-v0.1-design.md`](docs/superpowers/specs/2026-07-08-veris-v0.1-design.md).
|
|
231
|
+
The design specs, locked decisions, and roadmap live in [`docs/superpowers/specs`](docs/superpowers/specs).
|
|
178
232
|
|
|
179
233
|
## License
|
|
180
234
|
|