─ FOR AI-GENERATED CODE ─
An independent check on every PR — A–F grade, per-line attribution, merge blocked when your policy says so. Hand the veriva CLI to Claude Code, Cursor, or Copilot.
6 on the list
npm install -g @veriva/cliCalibrated against 14 days of post-merge outcomes.
─ FOUR SIGNALS ─
Every PR arrives with context — the diff, the repo's call graph, the ticket that motivates it, the author's track record.
@@ -40,6 +40,12 @@ function login(req)40// Rate-limited by middleware (max 5 req/min per IP)4142export async function login(req: Request) {43 const sql = `SELECT * FROM users WHERE id=${req.params.id}`;44 const result = await db.query(sql);
43 const sql = `SELECT * FROM users WHERE id=?`;44 const result = await db.query(sql, [req.params.id]);45 if (!result.length) {46 return res.status(401).json({ error: 'invalid' });
Audit log missing on 401 response. Ties to LIN-318
suggestion─ THE PIPELINE ─
Scroll to drive a real PR through five tiers. Findings, grade, and gate are what surface.
Sanitize · fetch context
Hallucinated pkgs · taint flow
Specialist agents
Policy · deny rules
14-day outcomes
Findings
0/ 9 scanned
Grade
Merge gate
Provenance · jsonl
─ FOUR OUTPUTS ─
What the pipeline produces — a calibrated grade, per-line attribution, the policy gate verdict, and a per-finding provenance trail.
Calibrated on 47 PRs · 14-day rolling outcomes window.
{"finding":"sql-injection","stage":"AI","rule":"specialist.security","prompt":"v23","call":"msg_01h…","reachable":true,"cite":"src/auth.ts:43"}{"finding":"audit-log-401","stage":"AI","rule":"judge.suggestion","agent":"CLAUDE_CODE","line":67,"verdict":"warn"}{"verdict":"merge-blocked","rule":"policy.path_deny","path":"src/auth/**","policy":".veriva/policy.yml:14"}
─ WHY IT HOLDS UP ─
Every AI reviewer reads the diff. We read the diff, the call graph, the ticket that motivates it, the author's track record, and fourteen days of post-merge outcomes.
Per-line attribution
Six agents tracked — Claude Code, Cursor, Copilot, Windsurf, Devin, human. When two agents touch the same file, every finding carries its author. Trust score updates per-agent, per-PR.
src/auth.ts · 247 lines
Reachability validation
We walk the call graph from your routes to each vulnerable line, then verify the exploit path. Theoretical-only findings get suppressed before they reach the PR.
path trace · public route → sink
Post-merge calibration
Fourteen-day post-merge tracker. Reverts pull scores down, clean merges pull them up — within 24 hours. The trust score reflects your codebase, not the average codebase.
calibration window · 14 days
47
PRs scored
312
findings
<24h
revert lag
Reverts pull scores down. Clean merges pull them up. ↑ 8 pts vs last week.
Policy overrides AI
Path deny rules, agent deny rules, custom shell + webhook hooks. AI grades are a signal — your policy.yml is the authority. Merge gate honors policy first, model second.
.veriva/policy.yml
thresholds: merge_gate: B+ path_deny: - src/auth/** - src/billing/** agent_deny: - auto-merge-bot
Also in the box · 10-stage governance pipeline · A–F per-PR trust score · 3-tier finding routing · hallucinated-package detection · prompt-injection sanitize · auto-fix proposals · per-PR audit trail (JSONL) · SARIF export · Slack notifications · GitHub App + Action · CLI · VS Code Extension · Linear and Jira ticket context · custom shell hooks · custom webhook hooks · veriva:skip and veriva:review label overrides.
FAQ
SQL injection via string interpolation. req.params.id flows unsanitized into db.query(). Suggest parameterized binding.