Veridict
Sumit Vekariya
Veridict is a merge gate for AI-synthesized code that decouples proof of reviewer qualification from reviewer identity. A natural-language spec is sent to Claude, which generates an implementation, a pytest suite, and a Z3 invariant file. The issuer mints a Longfellow ZK credential only after all three layers pass, and N anonymous proofs from credentialed reviewers flip the GitHub branch-protection gate that authorizes the merge. Built end-to-end on a live public repo with active branch protection, using the same Google ZK primitive that backs anonymous age verification on mobile driver's licences, repurposed for code review.
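To make concrete what the Z3 layer has to establish before a credential is minted, here is an added Python example; it is not Veridict's code. It separates a spec-consistency check (is the specification satisfiable at all?) from a code-to-spec check (does a given implementation satisfy the specification on every admissible input?), which is the property a merge gate actually needs. Z3 is not imported so the block runs offline: a bounded exhaustive search over small integers stands in for the solver, and the withdraw spec, the two candidate implementations and the unit tests are all constructed for this example.

```python
"""Spec-consistency vs. code-to-spec checking for a merge gate.

Added illustration, not Veridict's code. No Z3 dependency: a bounded
exhaustive search over small integers stands in for the SMT solver.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, Optional, Tuple

Impl = Callable[[int, int], int]


@dataclass(frozen=True)
class Spec:
    """Spec for withdraw(balance, amount) -> paid, as pre/post predicates."""
    pre: Callable[[int, int], bool]
    post: Callable[[int, int, int], bool]


# Constructed spec: never pay out more than the balance, never a negative
# amount, and pay the full amount whenever the balance covers it.
WITHDRAW_SPEC = Spec(
    pre=lambda bal, amt: bal >= 0 and amt >= 0,
    post=lambda bal, amt, paid: 0 <= paid <= bal and (amt > bal or paid == amt),
)


def good_withdraw(bal: int, amt: int) -> int:
    return min(bal, amt)


def bad_withdraw(bal: int, amt: int) -> int:
    # Plausible-looking candidate that permits overdraft: pays whatever is asked.
    return amt


# Constructed "pytest" cases; they only exercise the covered-balance path,
# which is why both candidates pass them.
UNIT_TESTS = [((10, 3), 3), ((5, 5), 5), ((0, 0), 0)]


def run_unit_tests(impl: Impl) -> bool:
    return all(impl(*args) == want for args, want in UNIT_TESTS)


def spec_is_consistent(spec: Spec, bound: int = 8) -> bool:
    """Is there ANY (bal, amt, paid) satisfying pre and post?

    This is a satisfiability check on the spec alone: it says nothing about
    any particular implementation, so it cannot reject bad code.
    """
    rng = range(bound + 1)
    return any(spec.pre(b, a) and spec.post(b, a, p)
               for b, a, p in product(rng, rng, rng))


def code_to_spec_counterexample(impl: Impl, spec: Spec,
                                bound: int = 8) -> Optional[Tuple[int, int, int]]:
    """Does pre(b, a) imply post(b, a, impl(b, a)) for every input in bound?

    Returns the first violating (bal, amt, paid), or None if none is found
    (a solver would search unboundedly; this search is bounded).
    """
    rng = range(bound + 1)
    for b, a in product(rng, rng):
        if spec.pre(b, a):
            paid = impl(b, a)
            if not spec.post(b, a, paid):
                return (b, a, paid)
    return None


def review_gate(impl: Impl, spec: Spec = WITHDRAW_SPEC) -> Dict[str, object]:
    """Three layers; mint only if all pass. Only 'code_to_spec' ties the
    implementation to the specification."""
    cex = code_to_spec_counterexample(impl, spec)
    layers = {
        "unit_tests": run_unit_tests(impl),
        "spec_consistent": spec_is_consistent(spec),
        "code_to_spec": cex is None,
    }
    return {"layers": layers, "mint": all(layers.values()), "counterexample": cex}


if __name__ == "__main__":
    for name, candidate in (("good", good_withdraw), ("bad", bad_withdraw)):
        print(name, review_gate(candidate))
```

Run as a script, the overdrafting candidate passes the unit tests and the spec-consistency check but is stopped by the code-to-spec layer with the counterexample balance 0, amount 1, paid 1. Replacing the bounded search with a real solver changes the search strategy, not the shape of the question: the gate must ask whether the implementation implies the postcondition, not merely whether the postcondition is satisfiable.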
While the GitHub integration and overall user experience are well executed, the core AI security design needs more work. The current Z3 check only validates that the specification is internally consistent; it does not prove that the generated Python code actually follows that specification. This leaves room for incorrect or even malicious code to pass review. In addition, the trust model around zero-knowledge proofs is weakened by server-side key generation and the absence of nullifiers, which could allow duplicate or spoofed approvals. Strengthening the system would require true code-to-spec verification and moving all ZK proof generation fully to the client side.
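The N-proof branch-protection gate from the abstract, with the duplicate-approval problem raised in the review above, as an added illustration (not Veridict's or Longfellow's code). The point is the accounting: one approval per credential per pull request, with a nullifier binding each approval to its PR so that neither a second submission nor a replay on another PR is counted. HMAC stands in for the issuer's signature, and because the gate sees the reviewer's commitment in the clear, anonymity is not modelled; nothing here proves possession of the reviewer secret either, which is exactly what the real ZK proof would supply. The issuer key, reviewers and PR identifiers are constructed for the example.

```python
"""Threshold merge gate with per-PR nullifiers.

Added illustration, not Veridict's code. HMAC over a reviewer commitment
stands in for the ZK credential, so the gate can see who approved; only the
counting, duplicate and replay logic is modelled.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed issuer key; stand-in for the issuer's credential-signing key.
ISSUER_KEY = b"constructed-issuer-key-for-this-example"

Approval = Tuple[bytes, bytes, bytes]  # (commitment, credential, nullifier)


def issue_credential(commitment: bytes) -> bytes:
    """Issuer 'signs' the reviewer's commitment (HMAC as a signature stand-in)."""
    return hmac.new(ISSUER_KEY, commitment, hashlib.sha256).digest()


def credential_valid(commitment: bytes, credential: bytes) -> bool:
    return hmac.compare_digest(issue_credential(commitment), credential)


def nullifier_for(commitment: bytes, pr_id: str) -> bytes:
    """Deterministic tag per (credential, PR): the same reviewer always yields
    the same nullifier for one PR and a different one for another PR."""
    return hashlib.sha256(b"nullifier|" + commitment + b"|" + pr_id.encode()).digest()


@dataclass
class Reviewer:
    # Reviewer-side secret generated locally; the issuer only sees H(secret).
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    credential: bytes = b""

    @property
    def commitment(self) -> bytes:
        return hashlib.sha256(b"commit|" + self.secret).digest()

    def enroll(self) -> None:
        # Credential is issued over the commitment, not the identity.
        self.credential = issue_credential(self.commitment)

    def approve(self, pr_id: str) -> Approval:
        return (self.commitment, self.credential, nullifier_for(self.commitment, pr_id))


@dataclass
class MergeGate:
    threshold: int
    seen: Dict[str, Set[bytes]] = field(default_factory=dict)  # pr_id -> nullifiers

    def submit(self, pr_id: str, approval: Approval) -> str:
        commitment, credential, nullifier = approval
        if not credential_valid(commitment, credential):
            return "rejected: no valid credential"
        if nullifier != nullifier_for(commitment, pr_id):
            return "rejected: nullifier not bound to this PR"
        bucket = self.seen.setdefault(pr_id, set())
        if nullifier in bucket:
            return "rejected: duplicate approval"
        bucket.add(nullifier)
        return "accepted"

    def is_open(self, pr_id: str) -> bool:
        """Gate flips only once `threshold` DISTINCT credentials have approved."""
        return len(self.seen.get(pr_id, set())) >= self.threshold


def run_scenario() -> List[object]:
    """Two enrolled reviewers, one unenrolled, N = 2, with a duplicate and a replay."""
    alice, bob, mallory = Reviewer(), Reviewer(), Reviewer()
    alice.enroll()
    bob.enroll()  # mallory never enrolls
    gate = MergeGate(threshold=2)
    first = alice.approve("pr-7")
    return [
        gate.submit("pr-7", first),                    # accepted
        gate.submit("pr-7", alice.approve("pr-7")),    # same credential again: dropped
        gate.submit("pr-9", first),                    # replayed onto another PR: dropped
        gate.submit("pr-7", mallory.approve("pr-7")),  # no credential: dropped
        gate.is_open("pr-7"),                          # still one distinct approval
        gate.submit("pr-7", bob.approve("pr-7")),      # second distinct credential
        gate.is_open("pr-7"),                          # gate flips
    ]


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

Without the nullifier set, the second `alice.approve("pr-7")` would count as a second reviewer and a single credential could reach any threshold on its own; without binding the nullifier to `pr_id`, an approval captured on one PR would be accepted on every other.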
This is a cool project and very timely. My main feedback would be that this could be better integrated with Git (as opposed to GitHub) and existing infrastructure like Sign-offs. Anyways, this is good work.
Cite this work
@misc{
  title={(HckPrj) Veridict},
  author={Sumit Vekariya},
  date={},
  organization={Apart Research},
  note={Research submission to the research sprint hosted by Apart.},
  howpublished={https://apartresearch.com}
}