vericontext
Advanced tools
SHA-256 citations for docs that reference code.
One stale citation breaks the whole document. By design.
English · 한국어
AI agents scatter README.md and AGENTS.md across directories. It works great until the code changes and the docs don't. Files move, functions get rewritten, but the docs still say "handler logic lives in src/handler.ts at L30-L45."
Over time, docs become liars. Agents that trust stale docs make worse decisions.
VeriContext embeds a SHA-256 content hash into every code citation at write time. Verify later: hash matches or it doesn't. No fuzzy matching. No "close enough."
Write time: "handler logic" [ [vctx:src/handler.ts#L30-L45@a1b2c3d4] ]
After change: vericontext verify → ❌ hash_mismatch (a1b2c3d4 ≠ f5e6d7c8)
One broken citation → entire doc fails. Fail-closed by design.
Citations live in HTML comments — invisible in GitHub, VSCode, or any Markdown renderer.
Raw Markdown:
The auth module handles login.
<!-- [ [vctx:src/auth.ts#L1-L50@abcd1234] ] -->
├── src/ <!-- [ [vctx-exists-dir:src/] ] -->
├── tests/ <!-- [ [vctx-exists-dir:tests/] ] -->
Rendered:
The auth module handles login.
├── src/ ├── tests/
vericontext verify finds and checks every citation. If src/auth.ts changes, the hash breaks, the doc fails.
npx skills add amsminn/vericontext --skill vericontext-enforcer
Auto-detects your agent (Claude Code, Codex, Antigravity, Cursor, Windsurf, OpenCode, ...) and installs to the right path. Supports 40+ agents.
# uninstall
npx skills remove vericontext-enforcer
Once installed, the agent automatically:
[[vctx:...]] citations when referencing code in docsvctx_verify_workspace before commitsThe skill lives at skills/vericontext-enforcer/SKILL.md. Copy it to the right place:
| Agent | Skill path | MCP needed? |
|---|---|---|
| Claude Code | .claude/skills/vericontext-enforcer/ | No |
| Antigravity | ~/.gemini/antigravity/skills/vericontext-enforcer/ | No |
| Codex | .codex/skills/vericontext-enforcer/ | Yes |
| Cursor | .cursor/rules/vericontext.mdc | Yes |
| Windsurf | .windsurf/rules/vericontext.md | Yes |
| OpenCode | Project rules | Yes |
For agents that need MCP, add to your config:
{ "mcpServers": { "vericontext": { "command": "npx", "args": ["-y", "vericontext", "mcp"] } } }
MCP tools: vctx_cite, vctx_claim, vctx_verify_workspace
Three operations, one principle: hash it or it doesn't count.
cite claim verify
┌────────┐ ┌────────────┐ ┌───────────────────────┐
│ file │──→ │ [[vctx:.. │ │ for each token: │
│ +lines │ │ @hash8]] │ │ recompute hash │
└────────┘ └────────────┘ │ match? → ok : fail │
│ any fail → doc fails │
└───────────────────────┘
exists-dir, missing| Type | Token | Example |
|---|---|---|
| Code citation | [ [vctx:path#Lstart-Lend@hash8] ] | [ [vctx:src/cli.ts#L1-L10@a1b2c3d4] ] |
| Directory exists | [ [vctx-exists-dir:path/] ] | [ [vctx-exists-dir:src/] ] |
| Path missing | [ [vctx-missing:path] ] | [ [vctx-missing:tmp-output/] ] |
Files always get hashed. Any mention of a file — its role, code, or existence — uses
vctx_citeto hash the full file. Only directories useexists-dirclaims.
npm install -g vericontext # or use npx
cite — generate a code citationnpx vericontext cite --root <dir> --path <file> --start-line <n> --end-line <n> [--json]
claim — generate a structure claimnpx vericontext claim --root <dir> --kind <kind> --path <path> [--json]
--kind: exists | exists-file | exists-dir | missing
verify workspace — verify all claims in a documentnpx vericontext verify workspace --root <dir> (--in-path <doc> | --text <text>) [--json]
| Exit code | Meaning |
|---|---|
0 | All valid |
1 | One or more failures |
| Reason | Meaning |
|---|---|
hash_mismatch | Content changed since citation |
file_missing | File does not exist |
path_escape | Path escapes root jail |
range_invalid | Line range out of bounds |
binary_file | Binary file detected |
symlink_skipped | Symlink skipped for determinism |
invalid_input | Malformed input |
mcp — run as MCP servernpx vericontext mcp
Exposes vctx_cite, vctx_claim, vctx_verify_workspace over stdio.
- name: Verify docs
run: npx -y vericontext verify workspace --root . --in-path README.md --json
# .husky/pre-commit
npx vericontext verify workspace --root . --in-path README.md --json
This README contains hidden VeriContext claims. Verify it:
npx vericontext verify workspace --root . --in-path README.md --json
To see how claims look in raw source, view this file with cat README.md or click "Raw" on GitHub.
See CONTRIBUTING.md.
FAQs
Deterministic, hash-based verification for docs that reference code
We found that vericontext demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
Malicious packages published to npm, PyPI, Go Modules, crates.io, and Packagist impersonate developer tooling to fetch staged malware, steal credentials and wallets, and enable remote access.
Security News
Microsoft has released an open source toolkit for enforcing runtime security policies on AI agents as adoption accelerates faster than governance controls.
Security News
Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.