Veris
Veris is a behavioral verification infrastructure for autonomous coding agents that analyzes codebases, detects risk, and guides verification — locally with no cloud or telemetry.
Repository Analysis: Parse the repository AST for file/entity counts, export the full behavioral graph (nodes, edges: DependsOn + Invokes, workflow domain coloring), and auto-cluster code into semantic workflow domains (Authentication, Billing, Checkout, etc.).
Change Impact & Risk Assessment: Compute real git-worktree diffs vs a base ref, identify impacted workflows, and score risks by blast radius, fragility, and runtime criticality.
Verification Planning: Generate Tier 1/2/3 verification directives keyed to impacted nodes, with Tier 3 producing adversarial test hypotheses (concurrency, idempotency, retry storms, replay attacks, cache stampedes, etc.).
Budget Allocation: Greedily select the highest-leverage verification targets given a time budget using (tier × criticality × risk) / cost.
Counterfactual Simulation: Simulate reverting specific nodes (what_if_revert) to see which behaviors recover and how risk changes.
Confidence Tracking: Report execution results (pass/fail/flaky/skipped) per node/tier/directive; confidence scores update via half-life decay over real execution history.
Drift Detection: Compare current workflow fingerprints against historical state to catch silent rewrites, topology expansion/contraction, and oscillating refactors.
History & Insights: Review confidence/execution-depth trends over time and inspect per-node execution/risk history across runs.
Onboarding Export: Generate workflow-first onboarding markdown packages (one file per workflow + index) in veris-reports/onboarding/.
Cross-Repo Management: Register multiple repositories and get a fleet-wide confidence and drift snapshot across all registered repos.
Plugin Extensibility: Add custom workflow rules and runtime risks via JavaScript plugins.
Veris is the verification intelligence layer that sits between AI coding agents and production reliability. It does not run your tests. It tells any MCP-compatible coding agent or CI pipeline what behaviors are at risk, what to verify, and how confident the result actually is — backed by a behavioral graph, semantic workflow grouping, persistent run history, drift detection, and explainable confidence math.
Today: TypeScript + JavaScript repos. Python and Go adapters on the roadmap.
Works with any MCP client. CLI works standalone. Fully open source. Local-first. No cloud. No telemetry. No paid tier.
Plug-and-play install
Option A — As an MCP server (one config line)
Veris speaks the Model Context Protocol. Drop this into any MCP-compatible client config:
{
  "mcpServers": {
    "veris": {
      "command": "npx",
      "args": ["-y", "veris-core", "mcp"]
    }
  }
}

Restart the client. 17 tools light up: analyze_pr_behavior, list_workflows, detect_drift, generate_adversarial_probes, allocate_budget, what_if_revert, report_execution, and more.
Option B — As a CLI
npx veris-core . # analyze current repo
npx veris-core . --base-ref=origin/main # explicit git base ref
npx veris-core . --budget=10 --onboarding # 10-min verification plan + onboarding map
npx veris-core init # scaffold .veris/ with plugin slot
npx veris-core doctor # health check

Reports land in veris-reports/:
veris-dashboard.html — interactive single-file dashboard (graph, heatmap, drift, probes, budget, history)
veris-report.md — markdown executive summary
onboarding/ — workflow-first markdown package for new engineers (with --onboarding)
Option C — From source
git clone https://github.com/vighriday/Veris
cd Veris
npm install && npm run build
node dist/cli.js .

What it gives you
Surface | What lands |
Behavioral graph | Classes, methods, functions linked by |
Semantic workflows | Auto-clustered into 25 domains (Authentication, Billing, Checkout, Caching, Queue, Webhooks, AI, ...) |
Real git diff | Worktree-based diff vs any base ref. Not a placeholder |
Risk scoring | Blast radius, fragility, runtime criticality + plain-English explanations |
Confidence math | Half-life decay over real execution history. Failed runs reduce confidence; flaky = half credit |
Drift detection | SHA-256 workflow fingerprints. Silent rewrites caught (same members, different topology) |
Counterfactual mode |
|
Adversarial probes | Concrete Tier 3 hypotheses per workflow kind (idempotency, replay, retry storms, cache stampede) |
Budget allocator | Knapsack on |
Knowledge transfer | Workflow-first onboarding markdown package |
Cross-repo view | Register multiple services; one MCP call for fleet-wide confidence |
Interactive dashboard | Single-file HTML. Vis-network graph. Click workflow → filter everything. ESC to clear. Click-to-copy directives |
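
The drift-detection row above, as an added example that is not Veris's own code: it hashes a workflow's member set and its edges separately with SHA-256, so a change in topology with unchanged members shows up as a silent rewrite. The workflow object shape, the drift labels and the sample Authentication workflow are assumptions constructed for illustration.

```javascript
// Added illustration, not Veris source. Workflow shape and drift labels are assumptions.
const { createHash } = require('crypto');

const sha256 = (value) =>
  createHash('sha256').update(JSON.stringify(value)).digest('hex');

// Two SHA-256 fingerprints per workflow: one over the member set, one over the
// edges. Sorting first makes both independent of traversal order.
function fingerprint(workflow) {
  const members = [...workflow.members].sort();
  const edges = workflow.edges.map((e) => JSON.stringify(e)).sort();
  return { members: sha256(members), topology: sha256(edges), size: members.length };
}

// Compare the stored fingerprint with the current one and name the drift.
function classifyDrift(previous, current) {
  if (previous.members === current.members) {
    return previous.topology === current.topology ? 'stable' : 'silent-rewrite';
  }
  if (current.size > previous.size) return 'expansion';
  if (current.size < previous.size) return 'contraction';
  return 'membership-change';
}

// Constructed sample: an Authentication workflow at three points in time.
const BASELINE = {
  members: ['login', 'verifyToken', 'loadUser'],
  edges: [['login', 'Invokes', 'verifyToken'], ['verifyToken', 'Invokes', 'loadUser']],
};
// Same three members, but login now reaches loadUser without verifyToken.
const REWRITTEN = {
  members: ['loadUser', 'login', 'verifyToken'],
  edges: [['login', 'Invokes', 'loadUser']],
};
const EXPANDED = {
  members: [...BASELINE.members, 'refreshSession'],
  edges: [...BASELINE.edges, ['login', 'Invokes', 'refreshSession']],
};

const base = fingerprint(BASELINE);
console.log(classifyDrift(base, fingerprint(REWRITTEN))); // silent-rewrite
console.log(classifyDrift(base, fingerprint(EXPANDED)));  // expansion
```

The rewritten sample is the case a reviewer cares about most: no file or entity was added or removed, yet the token check dropped out of the call path.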
Example agent prompts
Any MCP-compatible agent can drive Veris with prompts like these:
veris: analyze_pr_behavior with baseRef=origin/main
veris: list_workflows then detect_drift
veris: generate_adversarial_probes for the highest-risk workflow, then allocate_budget minutes=15
veris: what_if_revert nodeIds=[...]

After your agent has run its verifications externally, close the loop:
veris: report_execution executions=[{nodeId:..., tier:'Tier 3', result:'pass'}, ...]

Confidence math now reflects what actually ran.
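
One way to model the confidence update described above, as an added example that is not Veris's own code: each reported run is weighted by a half-life decay on its age, a flaky run earns half credit, a failed run earns none, and skipped runs count as no evidence. The 7-day half-life, the freshness factor, the atMs field and the sample history are assumptions.

```javascript
// Added illustration, not Veris source. The half-life, the credit table and the
// freshness factor are assumptions chosen to match the README's description.
const DAY_MS = 24 * 60 * 60 * 1000;
const CREDIT = new Map([['pass', 1], ['flaky', 0.5], ['fail', 0]]); // 'skipped' absent

function confidence(executions, nowMs, halfLifeDays = 7) {
  let weightedCredit = 0;
  let totalWeight = 0;
  let freshest = 0;
  for (const run of executions) {
    if (!CREDIT.has(run.result)) continue; // skipped or unknown: no evidence
    const ageDays = Math.max(0, (nowMs - run.atMs) / DAY_MS);
    const weight = Math.pow(0.5, ageDays / halfLifeDays); // halves every half-life
    weightedCredit += weight * CREDIT.get(run.result);
    totalWeight += weight;
    freshest = Math.max(freshest, weight);
  }
  if (totalWeight === 0) return 0; // nothing was actually executed
  // Recent runs dominate the average; the whole score fades as evidence ages.
  return (weightedCredit / totalWeight) * freshest;
}

// Constructed execution history for one node (timestamps are sample values).
const NOW = Date.UTC(2024, 0, 15);
const HISTORY = [
  { nodeId: 'billing.chargeCard', tier: 'Tier 3', result: 'pass',    atMs: NOW - 14 * DAY_MS },
  { nodeId: 'billing.chargeCard', tier: 'Tier 3', result: 'flaky',   atMs: NOW - 7 * DAY_MS },
  { nodeId: 'billing.chargeCard', tier: 'Tier 3', result: 'skipped', atMs: NOW - 1 * DAY_MS },
  { nodeId: 'billing.chargeCard', tier: 'Tier 3', result: 'fail',    atMs: NOW },
];

console.log(confidence(HISTORY, NOW).toFixed(3)); // 0.286
```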
Privacy
Local-first. Everything runs on your machine.
No telemetry. Veris does not phone home.
Zero-retention mode. VERIS_STATE_DISABLED=1 skips all .veris/state.db writes.
No network calls. The MCP server speaks only over stdio.
Plugins
Drop a .js file into .veris/plugins/:
module.exports.register = function (api) {
  api.addWorkflowRule({
    kind: 'Payments',
    importTokens: ['stripe', '@yourorg/billing-sdk'],
    weight: 3
  });
  api.addRuntimeRisks('Payments', [
    '3DS challenge response lost on tab close'
  ]);
};

Full plugin API: docs/PLUGINS.md. Example: examples/plugin-fintech.js.
MCP tool reference
17 tools across categories: ingest, diff, plan, semantic, drift, counterfactual, verification, feedback, history, fleet.
See docs/MCP_TOOLS.md for the full reference with recommended flows.
Architecture
Source -> AST (ts-morph)
-> Behavioral Graph (DependsOn + Invokes)
-> Real git-worktree diff vs base ref
-> Risk model (blast / fragility / criticality + explanations)
-> Workflow classifier (25 semantic kinds, plugin-extensible)
-> Fingerprints -> Drift detector (vs SQLite history)
-> Adversarial probe generator
-> Verification plan (Tier 1/2/3)
-> Budget allocator (leverage / cost)
-> Confidence engine (half-life decay over execution history)
-> Reports + interactive dashboard
-> MCP (17 tools) -> autonomous agents close the loop via report_execution

See ARCHITECTURE.md for the deep dive.
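
The budget allocator stage (leverage / cost), as an added example that is not Veris's own code: it ranks targets by the README's (tier × criticality × risk) / cost score and greedily takes each one that still fits the time budget. The field names, the 0..1 scales for criticality and risk, and the sample targets are assumptions.

```javascript
// Added illustration, not Veris source. Field names and value scales are assumptions.

// Leverage score from the README: (tier × criticality × risk) / cost.
function leverage(target) {
  return (target.tier * target.criticality * target.risk) / target.costMinutes;
}

// Greedy selection: rank by leverage, then take every target that still fits.
function allocateBudget(targets, budgetMinutes) {
  const ranked = targets
    .filter((t) => t.costMinutes > 0)
    .map((t) => ({ ...t, leverage: leverage(t) }))
    .sort((a, b) => b.leverage - a.leverage || a.costMinutes - b.costMinutes);

  const selected = [];
  const skipped = [];
  let remaining = budgetMinutes;
  for (const t of ranked) {
    if (t.costMinutes <= remaining) {
      selected.push(t);
      remaining -= t.costMinutes;
    } else {
      skipped.push(t); // too expensive for what is left; cheaper ones may still fit
    }
  }
  return { selected, skipped, remainingMinutes: remaining };
}

// Constructed sample targets: tier 1-3, criticality and risk in 0..1, cost in minutes.
const SAMPLE_TARGETS = [
  { nodeId: 'auth.verifyToken',   tier: 3, criticality: 0.9, risk: 0.8, costMinutes: 5 },
  { nodeId: 'billing.chargeCard', tier: 3, criticality: 1.0, risk: 0.6, costMinutes: 4 },
  { nodeId: 'cache.warmup',       tier: 1, criticality: 0.3, risk: 0.5, costMinutes: 1 },
  { nodeId: 'webhooks.dispatch',  tier: 2, criticality: 0.7, risk: 0.7, costMinutes: 5 },
];

// A 10-minute budget, matching the --budget=10 CLI example.
function demo() {
  return allocateBudget(SAMPLE_TARGETS, 10).selected.map((t) => t.nodeId);
}
console.log(demo());
```

With these numbers the 5-minute webhook target is passed over and the 1-minute cache target fills the last minute, which is the behaviour that separates a greedy fill from simply cutting the ranked list at the first miss.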
Roadmap
What is coming next, where help moves the needle: ROADMAP.md.
Active bugs and fixes land in CHANGELOG.md per patch release.
Contributing
PRs welcome. See CONTRIBUTING.md. Security reports: SECURITY.md.
OSS, sponsor-supported. No paid tier. No gated features.
License
MIT. See LICENSE.