VerisKit / Docs
Get started fast.
VerisKit runs the test and quality tools your project already has, then returns one honest verdict with a Markdown report you can paste into a pull request. The package is `veriskit` and the command is `veris`. This guide takes you from install through your first verdict, then covers the three states and exit codes, the developer loop (affected and watch), project intelligence (scan and plan), and the evidence system. Everything lives under `.veris/` in your repo. Nothing uploads, and VerisKit never calls an LLM.
Install
Run
VerisKit needs Node.js 20 or newer, a git repository, and npm / npx. There is no account, no API key, and no install script.
Run init from the repo root. It detects your stack and writes .veris/config.json. Detection is read-only and never overwrites an existing config.
npx veriskit init
The package is veriskit; the command it installs is veris. To keep veris on your PATH, add it as a dev dependency:
npm install -D veriskit
Then every command runs as veris <command>.
Detect the stack
Add as a dev dependency
Quickstart
Run
From an initialized repo, prove a change and write the report in two commands.
veris verify
veris report
verify runs every configured check in parallel and prints the verdict. report writes a Markdown summary to .veris/reports/ that you paste straight into the pull request. A clean run reads like this:
VerisKit
Project veriskit
Checks
✓ types 1.2s
✓ unit 2.4s
✓ lint 0.6s
Result
✓ Verified
Commit 4fa33a9 · tree clean
Report
.veris/reports/verify-20260710-153000.md
veris doctor checks your environment and detected stack if a command behaves unexpectedly, and veris test runs the detected test tool on its own.
Prove the change
Write the PR report
Check the setup
The verdict and exit codes
Run
VerisKit returns one verdict with three states, not two. A wall of green checkmarks does not tell you whether a change is safe, so VerisKit reads the real exit codes and output of each check and never folds a skipped or unknown result into verified.
| Verdict | Exit code | Meaning |
|---|---|---|
verified |
0 |
every configured check ran and passed |
failed |
1 |
at least one check failed |
partial |
2 (0 with --partial-ok) |
no failures, but a check was skipped or its result is unknown |
A partial verdict is not a pass. It means a check could not run or its result is unknown, for example a tool that is configured but missing, or a suite that reported nothing. Use --partial-ok when you want to accept a partial on purpose; it exits 0 while still labeling the run partial in the output and the report. The exit codes are stable, so a pull request or CI job can gate on them directly.
Developer loop
Run
Running the whole suite on every save is slow enough that people skip it. VerisKit narrows the run to what your change actually reached.
veris affected
veris affected --base main
veris watch
affected runs only the checks, and only the test files, reached by your changes, using an import graph built from the project's own TypeScript. Pass --base <ref> to scope it to a PR or CI diff. watch re-runs the affected checks as files change, with native fs.watch and a --poll fallback.
Narrowing is conservative. When VerisKit cannot prove a smaller set is safe, it runs the full suite, so an affected test is never skipped. affected and watch never report a bare Verified either: a scoped run says so, so you always know whether the verdict covered everything or only the slice you touched.
Only what changed
Against a base ref
Re-run on save
Project intelligence
Run
Coverage percentages hide the risk. VerisKit maps how the code connects, then points at the files that matter and have no tests behind them.
veris scan
veris plan
scan maps the import graph from the project's own TypeScript, with a dependency-free scanner fallback, writes .veris/graph.json, and surfaces untested high-impact files. plan turns that into prioritized recommendations: high-impact untested files, weak verification, and risky changes.
Both are read-only and analysis only. VerisKit recommends what to test; it does not generate tests or edit your code.
Map the import graph
Recommend what to test
Evidence system
Run
Every verify and affected run writes a canonical, git-anchored record, so a verdict is something you can recompute later rather than a line in a log.
veris evidence show
veris evidence bundle
veris evidence verify .veris/evidence/<bundle>.json
Each run writes .veris/runs/<id>/evidence.json (schema veriskit/evidence@1) with a sha256 integrity digest over the whole record and a sha256 of each per-check log. evidence show prints the latest record's key facts. evidence bundle packages the latest run, the record, report, and logs, each digested, into one portable proof file under .veris/evidence/. evidence verify <file> recomputes the digests and checks a record or a bundle.
Be honest about what this proves. An integrity digest detects later edits and corruption. It is not forgery-proof on its own, so publish the digest separately or sign it if you need stronger guarantees. Cryptographic signing is planned.
Print the latest record
Bundle a portable proof
Recompute and check
What it does not do yet
VerisKit names its edges instead of hiding them. Today it does not:
- Detect framework routes or endpoints. It verifies the checks your project runs, not live HTTP surfaces.
- Generate tests.
scanandplanrecommend what to test; writing the tests is yours. - Model monorepos. It works from one project root. Multiple packages under one repo are not modeled yet.
- Fully analyze every project. On plain-JS projects, or TypeScript 7.x native-compiler projects, it uses a dependency-free scanner fallback instead of the full graph.
- Sign evidence cryptographically. The evidence digest detects edits and corruption; it is not a signature yet. Cryptographic signing is planned.
Everything runs locally with two dependencies, cac and picocolors, and Node built-ins.
Command reference
The full surface, compact.
initdetects the stack and writes.veris/config.json. Read-only detection; never overwrites an existing config.doctorchecks your environment and the detected stack.testruns the detected test tool on its own.verifyruns every configured check in parallel and returns verified, failed, or partial, with exit codes 0, 1, and 2.reportwrites a Markdown summary of the latest run under.veris/reports/.affectedruns only the checks and test files reached by your changes.--base <ref>scopes it to a diff.watchre-runs affected checks as files change.--pollfor filesystems that need it.scanmaps the import graph and finds untested high-impact files.planrecommends what to test from the scan.evidence verify | bundle | showrecomputes a record, packages a portable proof file, or prints the latest record.
Everything is local and read-mostly. VerisKit runs your configured checks only when you invoke verify, affected, watch, or test.
More from the studio
ProjScan
ProjScan tells reviewers when to bootstrap, prove, or stop. Review Gate returns one decision; bootstrap is explicit. Local proof, no code upload.
ViewAgentLoopKit
The local control plane for low-token, verifiable agent loops. It owns scope, gates, and completion decisions, with a token receipt on every step.
ViewAgentFlight
agentflight guard watches local trust while your coding agent works; agentflight finish writes the Review Passport that proves the result.
View