feat: rebuild Verric into a production evidence-grounded document engine #6

Merged: Edneam merged 1 commit into main from feat/evidence-grounded-engine on Jun 9, 2026

Edneam (Owner) commented Jun 9, 2026

What this is

Transforms the hackathon MVP into a production-grade, self-hostable, open-source Evidence-Grounded Document Engine. Verric is now the engine; pentest is the flagship template, with postmortem and ADR templates proving it generalizes.

The trust contract holds across every surface: real provider or honest failure (no mock fallback), claim→evidence provenance, an independent grounding pass + NLI-blended confidence, adversarial canaries, schema-validated LLM I/O, and signed cryptographic receipts.

Architecture — monorepo (pnpm + Turborepo)

Packages

  • @verric/core — pure-TS engine: provider abstraction (OpenAI / Anthropic / Ollama, BYO-key), zod-validated LLM output with one repair retry, prompt-injection defense + adversarial canary (fails closed), HMAC-SHA-256 receipts, deterministic CVSS, NLI-blended claim.confidence, pluggable Importer / ReportTemplate / NliScorer interfaces. 3 templates (pentest, postmortem, ADR) + 9 importers (nmap, burp, nessus, nuclei, zap, openvas, slack, pagerduty, github).
  • @verric/storage — Node built-in node:sqlite, schema v4: projects, runs, chunks, artifacts, reports, run_events, report_versions, claim_edits, finding_library, report_branding, template_registry. Async run queue + event log + versioned reports.
  • @verric/cli — verric report / verric verify, bundled single-file binary.
  • @verric/sdk — typed REST + SSE client (Node + browser).
  • @verric/mcp-server — MCP stdio server exposing runs/reports/receipts as tools for coding agents.
  • @verric/desktop — Tauri 2 native shell (thin client over the local server); .deb + .AppImage build verified on Linux.

Apps

  • apps/web — Next 16 studio: async pipeline + SSE live progress, claim editor (accept / reject / re-ground), version history + claim-level diff, finding library + branding UIs, PDF/DOCX/TXT export with branding.

Surfaces

Web · CLI · REST/SDK · GitHub Action · GitHub App (fires the engine on verric:postmortem issues and verric:adr PR merges) · MCP server · desktop.

Tooling

  • 215 tests (Vitest) across core/storage/cli/sdk
  • ESLint + Prettier, GitHub Actions CI (format · lint · typecheck · test · build)
  • Docker / docker-compose for self-host

Verification

pnpm format:check · lint · typecheck (6 packages) · test (215) · build (4 outputs) — all green. Key flows live-tested end-to-end (SSE progress, async runs, editor + diff, GitHub webhook dispatch, MCP handshake, branding→PDF, Tauri .deb/.AppImage).

Notes / out of scope by design

  • Postgres adapter + multi-tenant auth/billing (single-team self-host by design)
  • Transformer-backed NLI model — a deterministic lexical-entailment scorer ships; the NliScorer interface is ready for a drop-in
  • Hosted template marketplace — the registry primitive ships

Migration note

This moves the app from repo root into apps/web and extracts the engine into packages/*. The old root src/ is removed. No real secrets committed; build artifacts (.next, dist, target, node_modules) are gitignored.

Summary by CodeRabbit

  • New Features
    • Desktop application for offline report generation
    • PDF and DOCX export formats alongside plain text
    • Custom report branding profiles
    • Reusable finding library for templates
    • Report version history with diff viewer
    • GitHub webhook integration for automated incident reporting
    • Command-line interface for verification and report generation
    • Multiple LLM provider support (OpenAI, Anthropic, Ollama)
    • New report templates: postmortem and architecture decision records
    • Cryptographic receipt verification for report integrity
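
The HMAC-SHA-256 receipts named in the description, as an added example that is not Verric's code: it signs the canonical bytes of a report and verifies fail-closed with a constant-time comparison. The receipt shape, the canonical-JSON step, the sample report and every function name are assumptions made here, since the page does not show the project's receipt format.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical receipt shape (assumption): the page does not show Verric's format.
interface Receipt {
  alg: string;
  mac: string; // hex-encoded HMAC-SHA-256 tag
}

// Canonical JSON: keys sorted recursively, so one report always maps to the
// same bytes regardless of property order. Undefined members are dropped.
function canonicalize(value: unknown): string {
  if (Array.isArray(value)) return `[${value.map((v) => canonicalize(v)).join(",")}]`;
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const members = Object.keys(obj)
      .filter((k) => obj[k] !== undefined)
      .sort()
      .map((k) => `${JSON.stringify(k)}:${canonicalize(obj[k])}`);
    return `{${members.join(",")}}`;
  }
  return JSON.stringify(value ?? null);
}

function tag(report: unknown, key: Uint8Array): Buffer {
  return createHmac("sha256", key).update(canonicalize(report), "utf8").digest();
}

function signReceipt(report: unknown, key: Uint8Array): Receipt {
  return { alg: "HMAC-SHA-256", mac: tag(report, key).toString("hex") };
}

// Fails closed: unknown algorithm, malformed tag, or mismatch all return false.
function verifyReceipt(report: unknown, receipt: Receipt, key: Uint8Array): boolean {
  if (receipt.alg !== "HMAC-SHA-256") return false;
  if (!/^[0-9a-f]{64}$/.test(receipt.mac)) return false;
  // Both buffers are 32 bytes here, as timingSafeEqual requires equal lengths.
  return timingSafeEqual(tag(report, key), Buffer.from(receipt.mac, "hex"));
}

// Constructed sample: a one-claim report and a demo key (not a real secret).
const demoKey = Buffer.from("constructed-demo-key-not-a-secret", "utf8");
const report = {
  template: "pentest",
  claims: [{ id: "c1", text: "Port 22 is open", evidence: ["chunk-7"], confidence: 0.91 }],
};
const receipt = signReceipt(report, demoKey);
const edited = { ...report, claims: [{ ...report.claims[0], confidence: 0.99 }] };

console.log(verifyReceipt(report, receipt, demoKey)); // untouched report
console.log(verifyReceipt(edited, receipt, demoKey)); // confidence changed after signing
```

Signing the canonical form rather than the raw serialized string means a report that is re-serialized with a different key order still verifies, while any change to a claim, its evidence list or its confidence does not.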

Transform the hackathon MVP into a self-hostable, open-source engine.
Verric is now the engine; pentest is the flagship template.

Monorepo (pnpm + Turborepo), 6 packages + 2 apps:
- @verric/core — pure-TS engine: provider abstraction (OpenAI/Anthropic/
  Ollama, BYO-key, no mock fallback), zod-validated LLM I/O with repair
  retry, prompt-injection defense + adversarial canary, cryptographic
  HMAC receipts, deterministic CVSS, NLI-blended claim confidence,
  pluggable Importer/ReportTemplate/NliScorer interfaces, and 3 templates
  (pentest, postmortem, ADR) + 9 importers (nmap/burp/nessus/nuclei/zap/
  openvas/slack/pagerduty/github)
- @verric/storage — node:sqlite, schema v4, async run queue + events +
  versioned reports + claim-edit audit + finding library + branding +
  template registry
- @verric/cli — `verric report` / `verric verify` (bundled binary)
- @verric/sdk — typed REST + SSE client
- @verric/mcp-server — MCP stdio server (runs/reports/receipts as tools)
- @verric/desktop — Tauri 2 native shell (deb + AppImage verified)
- apps/web — Next 16 studio: async pipeline + SSE progress, claim editor
  (accept/reject/re-ground), version history + claim-level diff, finding
  library + branding UIs, PDF/DOCX/TXT export with branding

Surfaces: web, CLI, REST/SDK, GitHub Action, GitHub App (fires the engine
on verric:postmortem issues and verric:adr PR merges), MCP, desktop.

Tooling: Vitest (215 tests), ESLint/Prettier, GitHub Actions CI, Docker.
Trust contract holds across every surface: real provider or honest
failure, claim->evidence provenance, independent grounding + NLI
confidence, signed receipts.

coderabbitai (Bot) commented Jun 9, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1f2a4f95-c2a8-4eea-9023-7f006bc773ce

📥 Commits

Reviewing files that changed from the base of the PR and between ccbe796 and ee2d5e3.

⛔ Files ignored due to path filters (52)
  • apps/desktop/src-tauri/Cargo.lock is excluded by !**/*.lock
  • apps/desktop/src-tauri/icons/128x128.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/128x128@2x.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/32x32.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/64x64.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/Square107x107Logo.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/Square142x142Logo.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/Square150x150Logo.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/Square284x284Logo.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/Square30x30Logo.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/Square310x310Logo.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/Square44x44Logo.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/Square71x71Logo.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/Square89x89Logo.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/StoreLogo.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/android/mipmap-hdpi/ic_launcher.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/android/mipmap-hdpi/ic_launcher_foreground.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/android/mipmap-hdpi/ic_launcher_round.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/android/mipmap-mdpi/ic_launcher.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/android/mipmap-mdpi/ic_launcher_foreground.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/android/mipmap-mdpi/ic_launcher_round.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/android/mipmap-xhdpi/ic_launcher.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/android/mipmap-xhdpi/ic_launcher_foreground.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/android/mipmap-xhdpi/ic_launcher_round.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/android/mipmap-xxhdpi/ic_launcher.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/android/mipmap-xxhdpi/ic_launcher_foreground.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/android/mipmap-xxhdpi/ic_launcher_round.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/android/mipmap-xxxhdpi/ic_launcher.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/android/mipmap-xxxhdpi/ic_launcher_foreground.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/android/mipmap-xxxhdpi/ic_launcher_round.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/icon.ico is excluded by !**/*.ico
  • apps/desktop/src-tauri/icons/icon.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/ios/AppIcon-20x20@1x.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/ios/AppIcon-20x20@2x-1.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/ios/AppIcon-20x20@2x.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/ios/AppIcon-20x20@3x.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/ios/AppIcon-29x29@1x.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/ios/AppIcon-29x29@2x-1.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/ios/AppIcon-29x29@2x.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/ios/AppIcon-29x29@3x.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/ios/AppIcon-40x40@1x.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/ios/AppIcon-40x40@2x-1.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/ios/AppIcon-40x40@2x.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/ios/AppIcon-40x40@3x.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/ios/AppIcon-512@2x.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/ios/AppIcon-60x60@2x.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/ios/AppIcon-60x60@3x.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/ios/AppIcon-76x76@1x.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/ios/AppIcon-76x76@2x.png is excluded by !**/*.png
  • apps/desktop/src-tauri/icons/ios/AppIcon-83.5x83.5@2x.png is excluded by !**/*.png
  • package-lock.json is excluded by !**/package-lock.json
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (138)
  • .env.local.example
  • .github/actions/verric/README.md
  • .github/actions/verric/action.yml
  • .github/apps/verric/README.md
  • .github/workflows/ci.yml
  • .gitignore
  • .npmrc
  • .prettierignore
  • .prettierrc.json
  • Dockerfile
  • apps/desktop/README.md
  • apps/desktop/package.json
  • apps/desktop/src-tauri/Cargo.toml
  • apps/desktop/src-tauri/build.rs
  • apps/desktop/src-tauri/icons/android/mipmap-anydpi-v26/ic_launcher.xml
  • apps/desktop/src-tauri/icons/android/values/ic_launcher_background.xml
  • apps/desktop/src-tauri/icons/icon.icns
  • apps/desktop/src-tauri/src/main.rs
  • apps/desktop/src-tauri/tauri.conf.json
  • apps/web/.env.local.example
  • apps/web/next-env.d.ts
  • apps/web/next.config.mjs
  • apps/web/package.json
  • apps/web/postcss.config.mjs
  • apps/web/src/app/api/branding/[id]/route.ts
  • apps/web/src/app/api/branding/route.ts
  • apps/web/src/app/api/export-docx/route.ts
  • apps/web/src/app/api/export-pdf/route.tsx
  • apps/web/src/app/api/export-txt/route.ts
  • apps/web/src/app/api/generate-report/route.ts
  • apps/web/src/app/api/github/webhook/route.ts
  • apps/web/src/app/api/health/route.ts
  • apps/web/src/app/api/library/findings/[id]/route.ts
  • apps/web/src/app/api/library/findings/route.ts
  • apps/web/src/app/api/runs/[id]/claims/[claimId]/route.ts
  • apps/web/src/app/api/runs/[id]/diff/route.ts
  • apps/web/src/app/api/runs/[id]/route.ts
  • apps/web/src/app/api/runs/[id]/stream/route.ts
  • apps/web/src/app/api/runs/[id]/versions/route.ts
  • apps/web/src/app/api/runs/route.ts
  • apps/web/src/app/api/templates/route.ts
  • apps/web/src/app/branding/page.tsx
  • apps/web/src/app/globals.css
  • apps/web/src/app/layout.tsx
  • apps/web/src/app/library/page.tsx
  • apps/web/src/app/page.tsx
  • apps/web/src/app/runs/[id]/page.tsx
  • apps/web/src/app/runs/page.tsx
  • apps/web/src/lib/db.ts
  • apps/web/src/lib/github.ts
  • apps/web/src/lib/run-bus.ts
  • apps/web/src/lib/worker.ts
  • apps/web/tailwind.config.ts
  • apps/web/tsconfig.json
  • docker-compose.yml
  • eslint.config.mjs
  • next.config.mjs
  • package.json
  • packages/cli/package.json
  • packages/cli/scripts/build.mjs
  • packages/cli/src/args.ts
  • packages/cli/src/cli.test.ts
  • packages/cli/src/commands/report.ts
  • packages/cli/src/commands/verify.ts
  • packages/cli/src/index.ts
  • packages/cli/src/io.ts
  • packages/cli/src/main.ts
  • packages/cli/src/provider.ts
  • packages/cli/tsconfig.json
  • packages/core/package.json
  • packages/core/src/adr.test.ts
  • packages/core/src/chunks.test.ts
  • packages/core/src/chunks.ts
  • packages/core/src/cvss.test.ts
  • packages/core/src/cvss.ts
  • packages/core/src/engine.test.ts
  • packages/core/src/engine.ts
  • packages/core/src/importers/burp.ts
  • packages/core/src/importers/github.ts
  • packages/core/src/importers/importers.test.ts
  • packages/core/src/importers/index.ts
  • packages/core/src/importers/nessus.ts
  • packages/core/src/importers/nmap.ts
  • packages/core/src/importers/nuclei.ts
  • packages/core/src/importers/openvas.ts
  • packages/core/src/importers/pagerduty.ts
  • packages/core/src/importers/postmortem-importers.test.ts
  • packages/core/src/importers/slack.ts
  • packages/core/src/importers/types.ts
  • packages/core/src/importers/zap.ts
  • packages/core/src/index.ts
  • packages/core/src/json.test.ts
  • packages/core/src/json.ts
  • packages/core/src/nli.test.ts
  • packages/core/src/nli.ts
  • packages/core/src/nmap.test.ts
  • packages/core/src/nmap.ts
  • packages/core/src/plain-text.ts
  • packages/core/src/postmortem.test.ts
  • packages/core/src/prompts.ts
  • packages/core/src/providers.test.ts
  • packages/core/src/providers.ts
  • packages/core/src/receipts.test.ts
  • packages/core/src/receipts.ts
  • packages/core/src/samples.ts
  • packages/core/src/schema.test.ts
  • packages/core/src/schema.ts
  • packages/core/src/templates-adr.ts
  • packages/core/src/templates-postmortem.ts
  • packages/core/src/templates.ts
  • packages/core/src/types.ts
  • packages/core/src/validate.test.ts
  • packages/core/src/validate.ts
  • packages/core/tsconfig.json
  • packages/mcp-server/README.md
  • packages/mcp-server/package.json
  • packages/mcp-server/scripts/build.mjs
  • packages/mcp-server/src/index.ts
  • packages/mcp-server/src/main.ts
  • packages/mcp-server/tsconfig.json
  • packages/sdk/package.json
  • packages/sdk/src/index.ts
  • packages/sdk/src/sdk.test.ts
  • packages/sdk/tsconfig.json
  • packages/storage/package.json
  • packages/storage/src/index.ts
  • packages/storage/src/repository.test.ts
  • packages/storage/src/repository.ts
  • packages/storage/src/schema.ts
  • packages/storage/src/sqlite.ts
  • packages/storage/tsconfig.json
  • pnpm-workspace.yaml
  • src/app/api/export-pdf/route.tsx
  • src/app/api/generate-report/route.ts
  • src/app/page.tsx
  • src/lib/report.ts
  • turbo.json
  • vitest.config.ts

📝 Walkthrough

Adds workspace tooling, a core report-processing library, storage/CLI/MCP/SDK packages, and a Next.js app with APIs for runs, branding, exports, health, and webhook handling.

Changes

Monorepo feature stack

| Layer | File(s) | Summary |
|---|---|---|
| Workspace setup | `package.json, package-lock*, .gitignore, .npmrc, .prettierignore, .prettierrc.json, eslint.config.mjs, Dockerfile, docker-compose.yml, .github/*, apps/desktop/*, apps/web/*/package.json, packages/*/package.json, packages/*/tsconfig.json` | Repository-wide config, packaging, ignore rules, Docker, CI, and app scaffolding files are added or updated. |
| Core report primitives and processing | `packages/core/src/{types.ts,cvss.ts,json.ts,nli.ts,nmap.ts,chunks.ts,providers.ts,receipts.ts,schema.ts,templates*.ts,validate.ts,plain-text.ts,samples.ts}, packages/core/src/*.test.ts` | Core report types, parsing, validation, prompts, providers, receipts, scoring, and rendering are added. |
| Evidence importers | `packages/core/src/importers/*, packages/core/src/importers/*.test.ts` | Importer registry support and the Burp, GitHub, Nessus, Nmap, Nuclei, OpenVAS, PagerDuty, Slack, and ZAP importers and tests are added. |
| SQLite storage and repository | `packages/storage/src/{sqlite.ts,schema.ts,repository.ts,index.ts}, packages/storage/src/repository.test.ts` | SQLite access, schema migration, repository CRUD, and storage tests are added. |
| CLI, MCP, and SDK | `packages/{cli,mcp-server,sdk}/**` | The command-line tools, MCP server, and SDK client are added together with their package manifests, build scripts, and tests. |
| Web API, run flow, and UI | `apps/web/src/**` | The Next.js app adds branding, library, run, export, webhook, health, and studio pages and routes, plus the web-side database, GitHub, run-bus, and worker helpers. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  participant HomePage
  participant GenerateReportRoute
  participant ProcessRunWorker
  participant RunBus
  participant RunDetailPage
  HomePage->>GenerateReportRoute: POST /api/generate-report
  GenerateReportRoute->>ProcessRunWorker: processRun(db, input)
  ProcessRunWorker->>RunBus: emitRunEvent / emitRunTerminal
  RunDetailPage->>GenerateReportRoute: GET /api/runs/:id/versions and /diff
  RunDetailPage->>RunBus: subscribeToRun(runId, listener)
```

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Poem

🐰 I hop through configs, routes, and code,
A carrot-bright monorepo takes the load.
Receipts now sparkle, runs now stream,
In every burrow, a careful dream.


Edneam merged commit 0680d0e into main on Jun 9, 2026
0 of 2 checks passed