developer tools for shipping code that actually works in production
the reality layer for AI-generated code
AI code lives in a probabilistic world — tokens, predictions, completions. but production lives in a deterministic world — it compiles or it doesn't, tests pass or they fail, it handles 10k users or it crashes, an attacker gets in or they don't. these tools are the bridge between those two worlds. the convergence point where AI-generated code meets hard reality and either survives or gets hardened until it does.
live
tells you your next prompt
a local development coach and MCP server. guides developers through plan, build, ship, and grow phases with AI-powered analysis and smart prompt suggestions. orchestrates the entire inprod tool suite at the right moment in the lifecycle. pure methodology, zero cloud.
npx merlyn-mcp@latest
in development
finds the bugs and slop in your code before you ship
CVE scanning via OSV, anti-pattern detection across languages, hallucinated package detection, dead code identification, complexity analysis, and a binary ship/no-ship verdict. the pre-commit gut check.
npx slopometer scan .
live
tells you what's missing before production breaks
scores production readiness across 12+ categories and estimates max concurrent users. checks for rate limiting, connection pooling, structured logging, monitoring, alerting, health endpoints, CI/CD, and everything else you forget until it's too late.
npx orion-archi .
live
generates adversarial tests that target your code's specific security gaps
reads your source code, identifies risk patterns via AST analysis, and generates runnable test files. SQL injection, XSS, auth bypass, path traversal, input validation -- pinata writes the tests that try to break your code. not a scanner. a test generator.
npx pinata .
in development
attacks your running app, fixes what it breaks, hardens the whole class
dynamic security hardening. sends real attack payloads to your running app, proves exploits with evidence, generates AI fixes, and verifies fixes blindly. then identifies every endpoint with the same vulnerability class and applies architectural fixes. loop until equilibrium.
npx whackamole attack
in development
autonomous external pentest with zero source code knowledge
give it a URL. it crawls, fingerprints, discovers hidden endpoints, evades WAFs, and attacks with 20+ exploit plugins. zero prior knowledge. separate verification agent confirms every finding. full proof-of-concept reports with curl commands. the external attacker you hire, automated.
npx crowbar scan https://yoursite.com
live
proves AI-generated fixes are correct, not just test-passing
blind verification engine. the AI that generated the fix never sees the test implementations. it receives only pass/fail per domain -- safety, security, efficiency, functionality. iterates until all domains converge. generates compliance-ready audit trails for FDA, FINRA, and CMMC.
pip install convergence
in development
documentation derived from running your code
builds a scope graph of your codebase via tree-sitter, maps tests to functions, overlays coverage data. every claim traceable to a line of code or a passing test. drift detection catches when code changes but docs don't. the verification index for agents, auditors, and compliance.
npx fossilize .
from idea to production-hardened code
tells you what to do next, orchestrates the suite
finds bugs, bad patterns, hallucinated packages
checks what's missing from your infrastructure
writes adversarial tests targeting your specific gaps
attacks your running app, fixes and hardens
autonomous external pentest, zero source code
proves fixes are correct via blind testing
generates evidence-backed docs from what survived
every tool in the suite is designed to find problems before users do. adversarial testing, blind verification, black-box pentesting. if your code survives this gauntlet, it survives production.
warnings are noise. every tool generates actionable fixes, runnable tests, or verified patches. the goal is code that works, not a report that sits in a drawer.
AI generates the code. AI attacks the code. AI fixes the code. but humans set the direction, define the properties, and make the decisions. the tools encode methodology, not just capability.
the full pipeline, copy and run
npx merlyn-mcp@latest
npx slopometer scan .
npx orion-archi .
npx pinata .
npx whackamole attack
npx crowbar scan https://yoursite.com
pip install convergence
npx fossilize .