veriskit 0.3.0 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -1,5 +1,25 @@
1
1
  # Changelog
2
2
 
3
+ ## 0.4.1 — 2026-07-10
4
+
5
+ ### Added
6
+ - Signed evidence. `veris evidence keygen` creates an Ed25519 keypair (via Node's built-in crypto, no new dependency); `veris evidence sign <evidence.json>` writes a detached signature; `veris evidence verify` checks a sibling signature automatically and can assert the signer with `--pubkey` or `--key-id`. Bundles carry the signature. Signing is opt-in; unsigned evidence still verifies for integrity. `VERISKIT_SIGNING_KEY` supplies the key in CI.
7
+
8
+ ### Changed
9
+ - `veris init` now gitignores `keys/`.
10
+
11
+ ## 0.4.0 — 2026-07-10
12
+
13
+ ### Added
14
+ - Evidence System. Every `veris verify` and `veris affected` run writes a canonical, git-anchored `.veris/runs/<id>/evidence.json` (schema `veriskit/evidence@1`) with a sha256 integrity digest over the whole record and a sha256 of each per-check log. No new runtime dependencies.
15
+ - `veris evidence verify <file>` recomputes and checks a record or a bundle, and states plainly what an integrity digest does and does not prove.
16
+ - `veris evidence bundle` packages the latest run (record, report, and logs, each digested) into one portable proof file under `.veris/evidence/`.
17
+ - `veris evidence show` prints the latest record's key facts.
18
+
19
+ ### Changed
20
+ - The report and terminal output now show the git commit and whether the tree was clean, plus the evidence digest in the report.
21
+ - `evidence.json` replaces the older `metadata.json`. `veris init` now also gitignores `evidence/`.
22
+
3
23
  ## 0.3.0 — 2026-07-10
4
24
 
5
25
  ### Added
package/README.md CHANGED
@@ -1,11 +1,28 @@
1
- # veris
1
+ <p align="center">
2
+ <img src="assets/veriskit-icon.svg" alt="VerisKit" width="96" height="96">
3
+ </p>
2
4
 
3
- The fastest way to prove your software works.
5
+ <h1 align="center">VerisKit</h1>
4
6
 
5
- Veris is a zero-config verification CLI. It detects the tools already in your
6
- project — TypeScript, Vitest, Jest, `node:test`, ESLint, Biome — runs them,
7
- and turns the results into one honest verdict with a reviewable Markdown
8
- report. No config to write, no new test framework to learn.
7
+ <p align="center"><strong>The fastest way to prove your software works.</strong></p>
8
+
9
+ <p align="center">
10
+ <a href="https://www.npmjs.com/package/veriskit"><img src="https://img.shields.io/npm/v/veriskit?color=14b8a6&label=npm" alt="npm version"></a>
11
+ <img src="https://img.shields.io/badge/deps-cac%20%2B%20picocolors-14b8a6" alt="two runtime dependencies">
12
+ <img src="https://img.shields.io/badge/license-MIT-14b8a6" alt="MIT license">
13
+ </p>
14
+
15
+ <p align="center">
16
+ <img src="assets/veriskit-affected.gif" alt="veris affected narrowing the unit run to only the tests that reach a change" width="760">
17
+ </p>
18
+
19
+ <p align="center"><em>Change a file. VerisKit runs only the tests that reach it (2 of 28 here), then gives an honest verdict.</em></p>
20
+
21
+ ---
22
+
23
+ VerisKit runs the test and quality tools your project already has (TypeScript, Vitest, Jest, `node:test`, ESLint, Biome), then turns their results into one honest verdict with a Markdown report you can paste into a pull request. There is no config to write and no new test framework to learn.
24
+
25
+ It answers the question a wall of green checkmarks leaves open: **is this change safe enough to trust?**
9
26
 
10
27
  ## Install
11
28
 
@@ -19,8 +36,7 @@ Or add it to a project:
19
36
  npm install --save-dev veriskit
20
37
  ```
21
38
 
22
- > Published on npm as **`veriskit`** (the bare name `veris` was too similar to an
23
- > existing package). The installed command is still **`veris`**.
39
+ You install the package `veriskit`. The command it gives you is `veris`. (The bare name `veris` was already too close to another npm package.)
24
40
 
25
41
  ## Quickstart
26
42
 
@@ -30,17 +46,16 @@ veris verify # run the configured checks, print a verdict, write a report
30
46
  veris report # print the latest report
31
47
  ```
32
48
 
33
- `veris doctor` and `veris test` are also available: `doctor` is a read-only
34
- capability report (what will run, what will be skipped, and why); `test` runs
35
- just the detected unit test runner with the same summarized output as
36
- `verify`.
49
+ Two more commands round out the basics. `veris doctor` prints a read-only capability report: what will run, what will be skipped, and why. `veris test` runs just the detected unit test runner with the same summarized output as `verify`.
37
50
 
38
- ## Sample output
51
+ ## The verdict
52
+
53
+ `veris verify` runs your checks and prints one result. Here is a passing run:
39
54
 
40
55
  ```text
41
- Veris
56
+ VerisKit
42
57
 
43
- Project veris
58
+ Project veriskit
44
59
  Risk —
45
60
 
46
61
  Checks
@@ -51,56 +66,78 @@ Checks
51
66
  Result
52
67
  ✓ Verified
53
68
 
69
+ Commit 4fa33a9 · tree clean
70
+
54
71
  Report
55
- .veris/reports/verify-2026-07-08T22-41-03-000Z-1.md
72
+ .veris/reports/verify-2026-07-10T09-04-52-076Z-1.md
73
+ ```
74
+
75
+ The verdict has three states, not two:
76
+
77
+ | Verdict | Exit code | Meaning |
78
+ |---|---|---|
79
+ | `verified` | `0` | every configured check ran and passed |
80
+ | `failed` | `1` | at least one check failed |
81
+ | `partial` | `2` (`0` with `--partial-ok`) | no failures, but a check was skipped or its result is unknown |
82
+
83
+ A partial verdict is not a pass. A check can end up skipped when its runner is not installed, or when nothing in your change reaches it. VerisKit lists that check as skipped and lowers the verdict rather than folding it into "verified", because a folded skip hands CI confidence it did not earn. If your team wants partial runs to pass CI, opt in with `veris verify --partial-ok`.
84
+
85
+ VerisKit orchestrates the tools you already run. It shells out to `tsc`, Vitest, Jest, `node:test`, ESLint, and Biome, reads their exit codes and output, and reports one result. It does not run browser tests, and it does not ship its own test engine. Detection stays read-only, and `init` never overwrites an existing `.veris/config.json`.
86
+
87
+ ## Developer loop
88
+
89
+ While you work, scope the checks to what you touched instead of running everything.
90
+
91
+ ### `veris affected`
92
+
93
+ ```bash
94
+ veris affected # checks affected by working-tree changes vs HEAD
95
+ veris affected --base main # checks affected by the diff against another ref (PR/CI)
96
+ ```
97
+
98
+ `affected` reads which files changed (your working tree plus untracked files against `HEAD`, or against `--base <ref>` for a PR/CI diff) and maps each one to the check categories it can touch:
99
+
100
+ | Changed file | Checks run |
101
+ |---|---|
102
+ | test file | unit, lint |
103
+ | TypeScript file | types, lint, unit |
104
+ | JavaScript file | lint, unit |
105
+ | config (`tsconfig`, biome/eslint config, `package.json`, `veris.config.*`) | every available check |
106
+ | docs and assets (`.md`, images, `LICENSE`) | nothing |
107
+ | anything else unrecognized | every available check (a safe default) |
108
+
109
+ That table picks the check categories. Inside the `unit` category, `affected` goes further: it builds the same import graph that [`veris scan` and `veris plan`](#project-intelligence) use, then runs only the test files that transitively import your changed files.
110
+
111
+ The narrowing stays conservative. It runs the full unit suite whenever it cannot prove a smaller set is safe:
112
+
113
+ - a changed file matches a config or global pattern (`tsconfig*.json`, `package.json`, a `*.config.*` or `*.setup.*` file, biome/eslint config)
114
+ - a changed file is not a node in the import graph (it sits under an ignored directory like `node_modules` or `.veris`, or it is not a recognized code extension)
115
+ - no test file reaches any changed file, so the change has no tests to run
116
+ - the graph came from the relative-imports scanner rather than TypeScript, which can miss aliased imports
117
+
118
+ The output says when a run was narrowed, and when it ran in full and why:
119
+
120
+ ```text
121
+ unit narrowed to 3 of 41 test file(s) via typescript graph
122
+ unit ran in full — global/config change (package.json)
123
+ ```
124
+
125
+ An `affected` run never prints a bare "Verified". The terminal and report say "Affected checks passed" (or "failed", or "Affected: partial"), and every available-but-unaffected capability is listed as skipped with the reason `not affected by changes`. Touch only a doc and VerisKit prints "Nothing affected" and exits `0`, which is a no-op and not a verified result: no checks ran.
126
+
127
+ ### `veris watch`
128
+
129
+ ```bash
130
+ veris watch # re-run affected checks as files change
131
+ veris watch --poll # use mtime polling instead of native fs.watch
56
132
  ```
57
133
 
58
- `Risk` is shown as `—` in v0.1 risk scoring is not built yet; the column
59
- exists so the layout is stable across future versions and never fakes a
60
- number.
61
-
62
- ## What v0.1 does — and does not do
63
-
64
- Veris v0.1 is an **orchestrator**, not a test engine. It shells out to
65
- tools you already have installed and turns their exit codes and output into
66
- one verdict:
67
-
68
- - **Orchestrates:** `tsc` (types), Vitest, Jest, and `node:test` (unit
69
- tests), and ESLint or Biome (lint) — whichever your project already has
70
- configured. Playwright is *detected* and reported as available; it is not
71
- run.
72
- - **Does not** run browser tests, and does not build or ship a native test
73
- execution engine. Those are explicit non-goals for v0.1 (see the design
74
- spec linked below).
75
- - **Does not** impose a linter, a test runner, or any new config format —
76
- detection is read-only and `init` never overwrites an existing
77
- `.veris/config.json`.
78
-
79
- ### The verdict is three states, not two
80
-
81
- - **`verified`** — every configured capability ran and passed.
82
- - **`failed`** — at least one check failed. Exit code `1`.
83
- - **`partial`** — no failures, but at least one configured capability was
84
- skipped or its result is unknown (e.g. a runner wasn't installed). Exit
85
- code `2` by default.
86
-
87
- **`partial` is not a pass.** Veris never folds a skipped check into
88
- "verified" — that would manufacture confidence CI shouldn't have. Teams that
89
- want partial results to pass CI can opt in explicitly with
90
- `veris verify --partial-ok` (exits `0` on partial).
91
-
92
- | Verdict | Exit code | Meaning |
93
- |----------|-----------|--------------------------------------------|
94
- | verified | `0` | every configured check passed |
95
- | failed | `1` | at least one check failed |
96
- | partial | `2` (`0` with `--partial-ok`) | no failures, but something was skipped |
134
+ `watch` runs a full baseline over every available check once, then re-runs only the checks affected by whatever changed since the last tick. It uses Node's built-in recursive `fs.watch`, so it adds no dependency. On a platform where recursive `fs.watch` is unavailable, or a filesystem where native events are unreliable (some containers and network mounts), pass `--poll` to diff file mtimes on an interval instead.
135
+
136
+ Each tick reprints the full board and rebuilds the graph fresh, so narrowing reflects the file you just saved. A capability the latest change did not touch keeps its last real result, marked `⟳ cached`. A cached failure stays a failure (`✗`); VerisKit never hides it just because it did not rerun this tick. Press Ctrl-C to stop, and the watcher (or poll loop) closes cleanly with exit `0`.
97
137
 
98
138
  ## Project intelligence
99
139
 
100
- `veris scan` and `veris plan` map your codebase's import graph and turn it
101
- into recommendations — what to test, where verification is weak, and (with
102
- `--base`) which of your changes are risky. Both are **read-only analysis**;
103
- neither generates or writes any code.
140
+ `veris scan` and `veris plan` map your codebase's import graph and turn it into recommendations: what to test, where verification is thin, and which of your changes carry risk. Both are read-only analysis. Neither writes or generates any code.
104
141
 
105
142
  ### `veris scan`
106
143
 
@@ -108,31 +145,12 @@ neither generates or writes any code.
108
145
  veris scan
109
146
  ```
110
147
 
111
- `scan` discovers every source and test file in the project, builds an import
112
- graph between them, and reports the source files with the most dependents
113
- that no test transitively reaches ("untested, by impact"). It writes the
114
- graph to `.veris/graph.json` — a derived cache, rebuilt on every run and not
115
- meant to be committed.
116
-
117
- **`scan` always states which resolver built the graph**, because the two
118
- have very different accuracy:
119
-
120
- - **`typescript`** — used when the project has a `tsconfig.json` and its own
121
- `typescript` package exposes the classic compiler API
122
- (`preProcessFile`/`resolveModuleName`/`readConfigFile`/…). Veris loads
123
- *your project's own* TypeScript at run time — **no new dependency is added
124
- for this** — and resolves imports the way `tsc` would: `tsconfig` path
125
- aliases, extension-mapped specifiers, index resolution, and so on.
126
- - **`scanner`** — the fallback when there's no TypeScript, no
127
- `tsconfig.json`, or the installed `typescript` package is a 7.x
128
- native/Go-ported build that doesn't expose the classic compiler API veris
129
- needs. The scanner is a dependency-free, **relative-imports-only** reader:
130
- it follows `./foo` and `../bar/baz` but does not understand `tsconfig`
131
- path aliases or computed (non-string-literal) dynamic imports. On a
132
- project that relies on aliases, this can miss real edges and undercount a
133
- file's blast radius.
134
- `scan` says plainly when this fallback is active — it is never presented
135
- as equivalent to the TypeScript-accurate graph.
148
+ `scan` finds every source and test file, builds the import graph between them, and lists the source files with the most dependents that no test reaches. It writes the graph to `.veris/graph.json`, a derived cache rebuilt on every run.
149
+
150
+ `scan` always names the resolver that built the graph, because the two differ in accuracy:
151
+
152
+ - **`typescript`** runs when your project has a `tsconfig.json` and a `typescript` package that exposes the classic compiler API. VerisKit loads your project's own TypeScript at run time, so it adds no dependency, and it resolves imports the way `tsc` does: `tsconfig` path aliases, extension-mapped specifiers, index resolution.
153
+ - **`scanner`** is the fallback for a project with no TypeScript, no `tsconfig.json`, or a TypeScript 7.x native build that drops the classic compiler API. The scanner reads relative imports only. It follows `./foo` and `../bar/baz` but does not resolve `tsconfig` path aliases or computed dynamic imports, so on an alias-heavy project it can miss edges. `scan` labels the resolver it used, and VerisKit never treats a scanner graph as equal to the TypeScript one. This is also why graph-based narrowing in `affected` and `watch` runs the full suite in scanner mode.
136
154
 
137
155
  ### `veris plan`
138
156
 
@@ -141,141 +159,98 @@ veris plan # recommendations from the current graph
141
159
  veris plan --base main # also factor in changes vs another ref
142
160
  ```
143
161
 
144
- `plan` reads the same graph and turns it into prioritized recommendations:
162
+ `plan` reads the graph and prioritizes:
145
163
 
146
- - the highest-impact untested files to test first (most dependents, no test
147
- reaches them);
148
- - gaps in your verification setup (e.g. no lint or type-check configured);
149
- - with `--base <ref>`, which files that changed since that ref are "risky" —
150
- high blast radius and either untested or actually changed.
164
+ - the highest-impact untested files to cover first (the most dependents, reached by no test)
165
+ - gaps in your setup, such as a missing linter or type-check
166
+ - with `--base <ref>`, the changed files that carry risk: high blast radius, and either untested or freshly changed
151
167
 
152
- **`plan` only recommends it never generates or writes any code.** Test
153
- generation is a separate, later goal (v0.8), not something v0.3 does.
168
+ `plan` recommends. It never writes or generates test code. Generation is a later goal, not something VerisKit does today.
154
169
 
155
- ### What's still deferred
156
-
157
- - **No framework route/endpoint detection.** The graph understands imports
158
- only; it doesn't know a file is an Express route, a Next.js page, or an
159
- API handler, so it can't flag "this endpoint has no test" the way it flags
160
- "this module has no test." Planned as a v0.3.x follow-up, not v0.3.0.
161
- - **No test generation.** `plan` recommends what to test; it does not write
162
- test files. That's v0.8.
163
- - **Single tsconfig, single root.** Monorepos with multiple `tsconfig.json`
164
- files aren't modeled yet — resolution runs against the root project only.
165
- - **Plain JS / TS 7.x-native projects degrade to the scanner.** There's no
166
- new dependency added to compensate — the classic TypeScript compiler API
167
- is what makes the accurate resolver possible, and projects without it get
168
- the honestly-labeled, relative-imports-only fallback described above.
170
+ ## Evidence
169
171
 
170
- ## Developer loop
172
+ Every `veris verify` and `veris affected` run leaves a canonical, git-anchored
173
+ evidence record you can check later or hand to someone else as proof.
171
174
 
172
- For fast local iteration, veris can scope checks to what you changed instead
173
- of always running the full set.
175
+ - `.veris/runs/<run-id>/evidence.json` is the machine-readable record: schema
176
+ `veriskit/evidence@1`, the verdict, per-check results, the environment, the
177
+ git commit and whether the tree was clean, and a sha256 integrity digest over
178
+ the whole record.
179
+ - `.veris/reports/verify-<run-id>.md` is the human-readable report, now showing
180
+ the commit and the digest. Paste it into a PR.
181
+ - Raw per-check logs live under `.veris/runs/<run-id>/`, and the record carries
182
+ a sha256 of each one.
174
183
 
175
- ### `veris affected`
184
+ Check a record:
176
185
 
177
186
  ```bash
178
- veris affected # checks affected by working-tree changes vs HEAD
179
- veris affected --base main # checks affected by the diff against another ref (PR/CI)
187
+ veris evidence verify .veris/runs/<run-id>/evidence.json
180
188
  ```
181
189
 
182
- `affected` looks at which files changed working tree + untracked files
183
- against `HEAD`, or against `--base <ref>` for PR/CI diffs and maps each
184
- changed file to the check categories it plausibly touches:
185
-
186
- | Changed file | Checks run |
187
- |----------------------|-------------------------------|
188
- | test file | unit, lint |
189
- | TypeScript file | types, lint, unit |
190
- | JavaScript file | lint, unit |
191
- | config (tsconfig, biome/eslint config, `package.json`, `veris.config.*`) | every available check |
192
- | docs/assets (`.md`, images, `LICENSE`) | nothing |
193
- | anything else unrecognized | every available check (safe default) |
194
-
195
- The table above decides *which check categories* run — that part is still a
196
- coarse, file-extension-based mapping. **What changed in v0.3 is what happens
197
- inside the `unit` category.** Instead of running every unit test in the
198
- project, `affected` builds the same import graph that
199
- [`veris scan`/`veris plan`](#project-intelligence) use and narrows the unit
200
- run to only the test files that **transitively import** your changed files.
201
-
202
- That narrowing is deliberately conservative — it **falls back to running the
203
- full test suite** rather than ever risk hiding an affected test:
204
-
205
- - any changed file matches a config/global pattern (`tsconfig*.json`,
206
- `package.json`, a `*.config.*` or `*.setup.*` file, biome/eslint config, …);
207
- - a changed file isn't a node in the import graph at all (e.g. it's under an
208
- ignored directory like `node_modules` or `.veris`, or it's not a
209
- recognized code extension);
210
- - no test file transitively reaches any of the changed files (an untested
211
- change).
212
-
213
- The output says when a run was narrowed and why it wasn't:
190
+ This recomputes the digest and reports whether the record was edited or
191
+ corrupted since it was written. An integrity digest is not forgery-proof on its
192
+ own. To prove authorship, publish the digest separately (a CI log or PR) or sign
193
+ the record with an Ed25519 key (see Signing below).
214
194
 
215
- ```text
216
- unit narrowed to 3 of 41 test file(s) via typescript graph
217
- unit ran in full — global/config change (package.json)
195
+ Package a run as a single portable file (the record, its report, and its logs,
196
+ each with a digest, plus a bundle digest over everything):
197
+
198
+ ```bash
199
+ veris evidence bundle # writes .veris/evidence/<run-id>.bundle.json
200
+ veris evidence verify <bundle> # checks the record, every log, and the report
218
201
  ```
219
202
 
220
- Today it will still sometimes run more than the minimal ideal set (a config
221
- change reruns everything, an unresolved file falls back to full), but it
222
- never silently skips work it can't prove is safe to skip.
203
+ `veris evidence show` prints the latest record's key facts.
223
204
 
224
- **The verdict is honestly scoped.** An `affected` run never prints a bare
225
- "Verified" — the terminal output and report say "Affected checks passed" (or
226
- "Affected checks failed" / "Affected: partial") instead, and any
227
- available-but-unaffected capability is listed as `skipped — not affected by
228
- changes` rather than being folded into the pass. If nothing is affected (for
229
- example you only touched a doc file), veris prints "Nothing affected" and
230
- exits `0` — but that is explicitly **not** a verified result: no checks ran
231
- at all.
205
+ ### Signing (optional)
232
206
 
233
- ### `veris watch`
207
+ An integrity digest proves a record was not edited. A signature proves a
208
+ specific key vouched for it. VerisKit signs with Ed25519 from Node's built-in
209
+ crypto, so signing adds no dependency and works offline.
234
210
 
235
211
  ```bash
236
- veris watch # re-run affected checks as files change
237
- veris watch --poll # use mtime polling instead of native fs.watch
212
+ veris evidence keygen # writes .veris/keys/veriskit-signing.key(.pub)
213
+ veris evidence sign .veris/runs/<id>/evidence.json --key .veris/keys/veriskit-signing.key
214
+ veris evidence verify .veris/runs/<id>/evidence.json --pubkey .veris/keys/veriskit-signing.key.pub
238
215
  ```
239
216
 
240
- `watch` runs a full baseline over every available check once, then watches
241
- the working tree and re-runs only the checks affected by whatever changed
242
- since the last tick using Node's built-in `fs.watch` (recursive). **No new
243
- dependency was added for this.** On platforms where recursive `fs.watch`
244
- isn't supported, or on filesystems (containers, some network mounts) where
245
- native change events are unreliable, pass `--poll` to fall back to an
246
- interval-based scan that diffs file mtimes instead.
247
-
248
- Every tick after the baseline uses the same graph-based `unit` narrowing (and
249
- conservative full-suite fallback) described above for `affected` — the graph
250
- is rebuilt fresh each tick, so it always reflects the file you just saved,
251
- not a stale snapshot.
252
-
253
- Each tick reprints the full check board. A capability that wasn't affected by
254
- the latest change keeps showing its last real result, marked `⟳ cached` — a
255
- cached **failure stays a failure** (✗); it is never hidden or silently
256
- dropped just because it didn't rerun this tick. Press Ctrl-C to stop; veris
257
- closes the watcher (or poll loop) cleanly and exits `0`.
217
+ `sign` writes a detached `<evidence.json>.sig` next to the record. `verify`
218
+ picks it up automatically and checks it. In CI, pass the key through the
219
+ `VERISKIT_SIGNING_KEY` environment variable instead of a file.
258
220
 
259
- ## Evidence
221
+ A signature proves that whoever holds the private key signed the record. It
222
+ does not prove who that is. VerisKit prints the key fingerprint; to bind it to
223
+ a person or system, compare that fingerprint to one you already trust, or
224
+ assert it with `--pubkey` or `--key-id`. Keep the private key secret; `keygen`
225
+ writes it into `.veris/keys/`, which `veris init` gitignores.
226
+
227
+ Commit `.veris/config.json` and `.veris/.gitignore`. `veris init` keeps `runs/`,
228
+ `reports/`, `cache/`, `graph.json`, and `evidence/` out of your history.
229
+
230
+ ## What VerisKit does not do yet
231
+
232
+ VerisKit says what it cannot do as plainly as what it can:
233
+
234
+ - **No framework route or endpoint detection.** The graph understands imports, not that a file is an Express route or a Next.js page, so it flags an untested module but not an untested endpoint. Planned next.
235
+ - **No test generation.** `plan` tells you what to test. Writing the tests is a later release.
236
+ - **One project root.** A monorepo with several `tsconfig.json` files is not modeled yet. Resolution runs against the root project.
237
+ - **Scanner fallback on plain-JS or TS 7.x-native projects.** The accurate resolver needs the classic TypeScript compiler API. Without it you get the labeled, relative-imports-only graph described above, and no dependency is added to paper over the gap.
238
+ - **No keyless or identity-bound signing.** Evidence can be signed with a local Ed25519 key (see Signing), but sigstore-style keyless signing that ties a signature to an identity is not built yet.
239
+
240
+ ## Part of Baseframe Labs
260
241
 
261
- Every `veris verify` run writes:
242
+ VerisKit is one of four developer tools from [Baseframe Labs](https://www.baseframelabs.com), each answering a different question about your work:
262
243
 
263
- - A Markdown report under `.veris/reports/verify-<run-id>.md` — project and
264
- environment metadata, per-check status/timing/summary, the verdict with
265
- its skipped list and reasons, and log references. Paste it straight into a
266
- PR.
267
- - Raw per-check logs and run metadata under `.veris/runs/<run-id>/`.
244
+ - **[ProjScan](https://www.baseframelabs.com/apps/projscan)** asks: is the repository healthy?
245
+ - **[AgentLoopKit](https://www.baseframelabs.com/apps/agentloopkit)** asks: what should the agent do next?
246
+ - **[AgentFlight](https://www.baseframelabs.com/apps/agentflight)** asks: what did the agent actually do?
247
+ - **VerisKit** asks: can we trust the result?
268
248
 
269
- `.veris/config.json` and `.veris/.gitignore` are meant to be committed;
270
- `.veris/runs/`, `.veris/reports/`, and `.veris/cache/` are gitignored by
271
- `veris init`. `.veris/graph.json` (written by [`veris scan`](#project-intelligence))
272
- is a separate derived cache, rebuilt on every scan — treat it the same way
273
- and don't commit it.
249
+ Each works on its own. VerisKit needs none of the others to verify a change.
274
250
 
275
251
  ## Design
276
252
 
277
- Full rationale, locked decisions, and the v0.2+ roadmap live in the design
278
- spec: [`docs/superpowers/specs/2026-07-08-veris-v0.1-design.md`](docs/superpowers/specs/2026-07-08-veris-v0.1-design.md).
253
+ The design specs, locked decisions, and roadmap live in [`docs/superpowers/specs`](docs/superpowers/specs).
279
254
 
280
255
  ## License
281
256