developer tools for shipping code that actually works in production
the reality layer for AI-generated code
AI code lives in a probabilistic world — tokens, predictions, completions. but production lives in a deterministic world — it compiles or it doesn't, tests pass or they fail, it handles 10k users or it crashes, an attacker gets in or they don't. these tools are the bridge between those two worlds. the convergence point where AI-generated code meets hard reality and either survives or gets hardened until it does.
live
tells you your next prompt
a local development coach and MCP server. guides developers through plan, build, ship, and grow phases with AI-powered analysis and smart prompt suggestions. orchestrates the entire inprod tool suite at the right moment in the lifecycle. pure methodology, zero cloud.
npx merlyn-mcp@latest
in development
finds the bugs and slop in your code before you ship
CVE scanning via OSV, anti-pattern detection across languages, hallucinated package detection, dead code identification, complexity analysis, and a binary ship/no-ship verdict. the pre-commit gut check.
npx slopometer scan .
live
tells you what's missing before production breaks
scores production readiness across 12+ categories and estimates max concurrent users. checks for rate limiting, connection pooling, structured logging, monitoring, alerting, health endpoints, CI/CD, and everything else you forget until it's too late.
npx orion-archi .
live
AI tells you which security findings are real
scans source code for security vulnerabilities across 46 patterns. SQL injection, XSS, SSRF, auth bypass, path traversal, command injection. project-type awareness filters noise -- knows execSync is fine in a CLI but dangerous in Express. the --verify flag sends each finding through AI with full code context to confirm what's actually exploitable. zero config, runs in seconds.
npx pinata scan . --verify
in development
attacks your running app, fixes what breaks, hardens the whole class
sends real exploit payloads to your running app and proves what's broken with evidence. generates fixes, re-attacks to verify they hold. then escalates -- finds every endpoint with the same vulnerability class and applies an architectural fix instead of per-route patches. loop until nothing's exploitable.
npx whackamole attack
in development
autonomous external pentest with zero source code knowledge
give it a URL. it crawls, fingerprints, discovers hidden endpoints, evades WAFs, and attacks with 20+ exploit plugins. zero prior knowledge. separate verification agent confirms every finding. full proof-of-concept reports with curl commands. the external attacker you hire, automated.
npx crowbar scan https://yoursite.com
live
proves AI-generated fixes are correct, not just test-passing
blind verification engine. the AI that generated the fix never sees the test implementations. it receives only pass/fail per domain -- safety, security, efficiency, functionality. iterates until all domains converge. generates compliance-ready audit trails for FDA, FINRA, and CMMC.
pip install convergence
in development
documentation derived from running your code
builds a scope graph of your codebase via tree-sitter, maps tests to functions, overlays coverage data. every claim traceable to a line of code or a passing test. drift detection catches when code changes but docs don't. the verification index for agents, auditors, and compliance.
npx fossilize .
from idea to production-hardened code
tells you what to do next, orchestrates the suite
finds bugs, bad patterns, hallucinated packages
checks what's missing from your infrastructure
AI-verified security scan, confirms what's real
exploits your running app, fixes it, hardens the class
autonomous external pentest, zero source code
proves fixes are correct via blind testing
generates evidence-backed docs from what survived
every tool in the suite is designed to find problems before users do. adversarial testing, blind verification, black-box pentesting. if your code survives this gauntlet, it survives production.
warnings are noise. every tool generates actionable fixes, runnable tests, or verified patches. the goal is code that works, not a report that sits in a drawer.
AI generates the code. AI attacks the code. AI fixes the code. but humans set the direction, define the properties, and make the decisions. the tools encode methodology, not just capability.
the full pipeline, copy and run
npx merlyn-mcp@latest
npx slopometer scan .
npx orion-archi .
npx pinata scan . --verify
npx whackamole attack
npx crowbar scan https://yoursite.com
pip install convergence
npx fossilize .