
Vellma — AI Security Audit Engine

Vorpal Engineering · Founder & CEO · 2025–present · Automated smart-contract analysis

Go · AI agents · security · Postgres · Neo4j

Draft — my notes. Edit before publishing.

Context

Vorpal Engineering is my Web3 technology company. Vellma is its core product: an AI engine that performs automated smart-contract security analysis.

The problem

The central problem is not prompt quality — it’s that you cannot trust anything an agent decides to run. Giving a model tools means it will, eventually, execute arbitrary code. The design assumes the agent is hostile and contains it.

Approach

  • Each run gets a fresh, network-isolated Docker workspace; tool calls (Foundry, Slither, …) go through a broker that owns the allowlist and timeouts — the agent never touches the host.
  • A Go API with JWT/OAuth, API keys, and RBAC fronts a Postgres + Neo4j knowledge graph with keyword and semantic (pgvector) search.
  • Next.js console/admin apps with knowledge-graph visualization and an AI-assisted ingestion pipeline; a Homebrew-distributed Go CLI.
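The broker in the first bullet is the piece worth seeing in code. What follows is an added illustration, not Vellma's own source: a minimal Go tool broker that owns the allowlist and a per-tool timeout, so the agent only ever gets a single `Call` entry point. The tool names, the two stand-in handlers (standing in for Slither and a Foundry test run) and the argument policy in `validateArgs` are all constructed for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ToolFunc is the handler the broker invokes for an allowlisted tool.
// Handlers must honour ctx so the broker's timeout actually stops them.
type ToolFunc func(ctx context.Context, args []string) (string, error)

// ToolSpec pairs a handler with its own timeout budget.
type ToolSpec struct {
	Run     ToolFunc
	Timeout time.Duration
}

var (
	ErrNotAllowed = errors.New("tool not on allowlist")
	ErrBadArg     = errors.New("argument rejected")
)

// Broker owns the allowlist; the agent never sees anything but Call.
type Broker struct {
	allow map[string]ToolSpec
}

func NewBroker(allow map[string]ToolSpec) *Broker {
	return &Broker{allow: allow}
}

// validateArgs is a hypothetical policy: reject shell metacharacters and
// any path that tries to leave the workspace root.
func validateArgs(args []string) error {
	for _, a := range args {
		if strings.ContainsAny(a, ";|&$`<>\n") ||
			strings.Contains(a, "..") || strings.HasPrefix(a, "/") {
			return fmt.Errorf("%w: %q", ErrBadArg, a)
		}
	}
	return nil
}

// Call is the only way a tool runs: unknown tool -> refused, bad argument
// -> refused, handler slower than its budget -> context.DeadlineExceeded.
func (b *Broker) Call(ctx context.Context, tool string, args []string) (string, error) {
	spec, ok := b.allow[tool]
	if !ok {
		return "", fmt.Errorf("%w: %q", ErrNotAllowed, tool)
	}
	if err := validateArgs(args); err != nil {
		return "", err
	}
	ctx, cancel := context.WithTimeout(ctx, spec.Timeout)
	defer cancel()

	type result struct {
		out string
		err error
	}
	done := make(chan result, 1)
	go func() {
		out, err := spec.Run(ctx, args)
		done <- result{out, err}
	}()
	select {
	case r := <-done:
		return r.out, r.err
	case <-ctx.Done():
		return "", ctx.Err()
	}
}

// DemoBroker wires up two constructed tools: "slither" answers at once,
// "forge-test" hangs until its context expires, simulating a stuck run.
func DemoBroker() *Broker {
	return NewBroker(map[string]ToolSpec{
		"slither": {Timeout: 2 * time.Second, Run: func(ctx context.Context, args []string) (string, error) {
			return "slither: analysed " + strings.Join(args, " "), nil
		}},
		"forge-test": {Timeout: 50 * time.Millisecond, Run: func(ctx context.Context, args []string) (string, error) {
			<-ctx.Done()
			return "", ctx.Err()
		}},
	})
}

func main() {
	b := DemoBroker()
	for _, c := range []struct {
		tool string
		args []string
	}{
		{"slither", []string{"contracts/Vault.sol"}},
		{"bash", []string{"-c", "ls"}},
		{"slither", []string{"../../etc/passwd"}},
		{"forge-test", []string{"--match-path", "test/"}},
	} {
		out, err := b.Call(context.Background(), c.tool, c.args)
		fmt.Printf("%-10s %v -> out=%q err=%v\n", c.tool, c.args, out, err)
	}
}
```

The handler runs in its own goroutine so a tool that ignores its context still cannot block the broker; in the real system the handler body would be the `docker exec` into the per-run workspace, and the timeout would be followed by the container teardown the Outcome section mentions.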

Outcome

A production blockchain-intelligence platform on self-hosted infra (Docker Compose, nginx/TLS, automated CI/CD). The useful engineering is the boring layer — broker, allowlist, teardown — not the model.