feat: rebuild Verric into a production evidence-grounded document engine #6
Merged
Transform the hackathon MVP into a self-hostable, open-source engine. Verric is now the engine; pentest is the flagship template.

Monorepo (pnpm + Turborepo), 6 packages + 2 apps:

- @verric/core — pure-TS engine: provider abstraction (OpenAI/Anthropic/Ollama, BYO-key, no mock fallback), zod-validated LLM I/O with repair retry, prompt-injection defense + adversarial canary, cryptographic HMAC receipts, deterministic CVSS, NLI-blended claim confidence, pluggable Importer/ReportTemplate/NliScorer interfaces, and 3 templates (pentest, postmortem, ADR) + 9 importers (nmap/burp/nessus/nuclei/zap/openvas/slack/pagerduty/github)
- @verric/storage — node:sqlite, schema v4, async run queue + events + versioned reports + claim-edit audit + finding library + branding + template registry
- @verric/cli — `verric report` / `verric verify` (bundled binary)
- @verric/sdk — typed REST + SSE client
- @verric/mcp-server — MCP stdio server (runs/reports/receipts as tools)
- @verric/desktop — Tauri 2 native shell (deb + AppImage verified)
- apps/web — Next 16 studio: async pipeline + SSE progress, claim editor (accept/reject/re-ground), version history + claim-level diff, finding library + branding UIs, PDF/DOCX/TXT export with branding

Surfaces: web, CLI, REST/SDK, GitHub Action, GitHub App (fires the engine on verric:postmortem issues and verric:adr PR merges), MCP, desktop.

Tooling: Vitest (215 tests), ESLint/Prettier, GitHub Actions CI, Docker.

Trust contract holds across every surface: real provider or honest failure, claim->evidence provenance, independent grounding + NLI confidence, signed receipts.
Walkthrough
Adds workspace tooling, a core report-processing library, storage/CLI/MCP/SDK packages, and a Next.js app with APIs for runs, branding, exports, health, and webhook handling.
Changes: Monorepo feature stack
Sequence Diagram(s)
sequenceDiagram
participant HomePage
participant GenerateReportRoute
participant ProcessRunWorker
participant RunBus
participant RunDetailPage
HomePage->>GenerateReportRoute: POST /api/generate-report
GenerateReportRoute->>ProcessRunWorker: processRun(db, input)
ProcessRunWorker->>RunBus: emitRunEvent / emitRunTerminal
RunDetailPage->>GenerateReportRoute: GET /api/runs/:id/versions and /diff
RunDetailPage->>RunBus: subscribeToRun(runId, listener)
Estimated code review effort: 🎯 5 (Critical) | ⏱️ ~120 minutes
What this is
Transforms the hackathon MVP into a production-grade, self-hostable, open-source Evidence-Grounded Document Engine. Verric is now the engine; pentest is the flagship template, with postmortem and ADR templates proving it generalizes.
The trust contract holds across every surface: real provider or honest failure (no mock fallback), claim→evidence provenance, an independent grounding pass + NLI-blended confidence, adversarial canaries, schema-validated LLM I/O, and signed cryptographic receipts.
Architecture — monorepo (pnpm + Turborepo)
Packages
- `@verric/core` — pure-TS engine: provider abstraction (OpenAI / Anthropic / Ollama, BYO-key), zod-validated LLM output with one repair retry, prompt-injection defense + adversarial canary (fails closed), HMAC-SHA-256 receipts, deterministic CVSS, NLI-blended `claim.confidence`, pluggable `Importer` / `ReportTemplate` / `NliScorer` interfaces. 3 templates (pentest, postmortem, ADR) + 9 importers (nmap, burp, nessus, nuclei, zap, openvas, slack, pagerduty, github).
- `@verric/storage` — Node built-in `node:sqlite`, schema v4: projects, runs, chunks, artifacts, reports, run_events, report_versions, claim_edits, finding_library, report_branding, template_registry. Async run queue + event log + versioned reports.
- `@verric/cli` — `verric report` / `verric verify`, bundled single-file binary.
- `@verric/sdk` — typed REST + SSE client (Node + browser).
- `@verric/mcp-server` — MCP stdio server exposing runs/reports/receipts as tools for coding agents.
- `@verric/desktop` — Tauri 2 native shell (thin client over the local server); `.deb` + `.AppImage` build verified on Linux.

Apps
- `apps/web` — Next 16 studio: async pipeline + SSE live progress, claim editor (accept / reject / re-ground), version history + claim-level diff, finding library + branding UIs, PDF/DOCX/TXT export with branding.

Surfaces
Web · CLI · REST/SDK · GitHub Action · GitHub App (fires the engine on `verric:postmortem` issues and `verric:adr` PR merges) · MCP server · desktop.

Tooling

Verification
`pnpm format:check · lint · typecheck (6 packages) · test (215) · build (4 outputs)` — all green. Key flows live-tested end-to-end (SSE progress, async runs, editor + diff, GitHub webhook dispatch, MCP handshake, branding→PDF, Tauri `.deb`/`.AppImage`).

Notes / out of scope by design
`NliScorer` interface is ready for a drop-in

Migration note
This moves the app from repo root into `apps/web` and extracts the engine into `packages/*`. The old root `src/` is removed. No real secrets committed; build artifacts (`.next`, `dist`, `target`, `node_modules`) are gitignored.

Summary by CodeRabbit