Installation What Verifii Produces Navigating Your Results Use Cases Deployment & Privacy Architecture Reading a Claim FAQ

User Guide

Understanding your analysis · Reading your results · Getting answers

Every finding in a Verifii report is sourced to a specific file and line number in your codebase. Nothing is invented.

1. Installation

Windows users can download a ready-to-run desktop app — no Python install required. macOS, Linux, and developers who want to run from source can download the CLI source package.

Windows: download VerifiablyApp.exe — double-click to run. ⬇ Download for Windows (.exe)

macOS / Linux / source: download the Verifiably CLI source as a zip archive. ⬇ Download Verifiably (.zip)

Note: VerifiablyApp.exe isn't code-signed yet, so Windows SmartScreen may show a warning on first run. Click “More info” → “Run anyway” to continue.

1.1 Setup

Windows (.exe)

Double-click VerifiablyApp.exe. It opens a setup page in your browser.
Enter your licence key (from your trial or purchase email) and your LLM provider API key (BYOK), then optionally a folder or GitHub URL to start analysing immediately.

From source (.zip)

Unzip the downloaded verifiably-cli.zip archive.
Requires Python 3.10+. From the unzipped verifiably-cli folder, install the CLI into your environment:

pip install -e . installs the verifiably command

Run verifiably init-config and enter your licence key (from your trial or purchase email) plus your own LLM provider API key (BYOK).
Analyse a codebase and open the results in your browser:

verifiably analyze <path-or-github-url> --serve clones (if a URL), analyses, and opens localhost:8000 — all local

Early access: macOS and Linux packaged installers are still in progress — the source download works on any platform with Python 3.10+ in the meantime. Both downloads include the CLI orchestration code only — the analysis prompts (Verifii's core IP) are fetched at runtime via your licence key and are never bundled or stored on your machine.

2. What Verifii Produces

Verifii analyses a code repository and produces a structured, sourced description of what the code actually does. The output is a set of expert views, each aimed at a different audience, plus a browsable documentation site. Every claim links to an exact file and line number.

Output	What it answers
Role views (6)	Tailored analysis for Management, Product Owner, Engineer, Architect, Security, and Tester audiences
Architecture	How components are connected, which files are most depended on, and where the Zones of Pain are
Product overview	Plain-English capability description — no code knowledge required
Engineer view	File-by-file structural breakdown with dependencies and in-degree metrics
Spec vs Reality	Does the code do what the README or spec claims? What has drifted, what is undocumented?
Q&A	Ask free-form questions about the codebase — answers sourced to file:line

The core principle: Every claim Verifii makes references a specific file and line number. If you see sessions.py:L154, that is exactly where the behaviour was found. Click it. Verify it yourself.

3. Navigating Your Results

When you open a project, you land on the project hub. From there you can access all views: the six role views, the documentation sections, and the Q&A interface.

3.1 Role Views

Role views are the primary output of a Verifii analysis. Each one runs an agentic investigation — reading source files, following dependencies, and reasoning over the findings — then produces a structured report for a specific audience.

Role	Audience	Covers
🏢 Management	CTO, VP Engineering, Director	Capability inventory, key risks, architecture health, what leadership should know
📋 Product Owner	Product Manager, PO	Feature inventory with implementation status, spec gaps, undocumented product decisions
⚙ Engineer	Software Engineer, Tech Lead	Module map, design patterns, critical implementation details, entry points, known gotchas
🏗 Architect	Software Architect, Principal Engineer	Architecture style, Zones of Pain, coupling analysis, refactoring priorities
🔒 Security	Security Engineer, CISO, Pen Tester	Verified security findings — HIGH / MEDIUM / LOW / FALSE POSITIVE, all grounded in code reads
🧪 Tester	QA Engineer, SDET, Test Lead	Untested behaviours, edge cases, test gap inventory

How to use it: Pick the role that matches your question. Each view is independently generated — the Security view reads actual source code before rating any finding; it does not just list claims.

3.2 Architecture

The Architecture section shows how the codebase is structured: which modules exist, how they depend on each other, and which files are most central. It includes a Mermaid dependency diagram generated directly from the import graph.

In-degree is the key metric — it counts how many other files import a given file. High in-degree means high blast radius. A change to a file with in-degree 12 affects 12 other modules. Verifii flags these as Zones of Pain.

How to use it: Use the Architecture view to understand risk before making changes, and to identify where to focus a refactor.

3.3 The Spec vs Reality Report

This is the most important section for closing the gap between what the documentation claims and what the code actually does. It compares a README or specification document against the code and produces a per-feature verdict.

Coverage score (e.g. ████████░░ 13/16): how many features from the spec have confirmed code implementations.

Status	Meaning
✅ Implemented	Code evidence found. The feature works as described.
⚠️ Partial	Some evidence found, but implementation is incomplete or conditional.
❌ Not found	No code evidence. Either the feature is missing, or the spec is wrong.
🔵 Extended	The code does more than the spec describes.
❓ Unverifiable	The spec is too vague to compare against the code.

Three sub-sections within the report:

Hidden Behaviours — things the code does that the spec never mentioned. Implicit engineering decisions: security contracts, edge-case handling, undocumented constraints.
Security Observations — behaviours with security implications not in the spec. Undocumented security contracts sourced to file:line, rated HIGH / MEDIUM / LOW.
Questions for the Engineering Team — open questions that Verifii cannot answer from code alone.

3.4 Q&A

From any project page you can ask free-form questions about the codebase — for example: "How does authentication work?" or "Where are database transactions handled?". Verifii runs an agentic search across the findings and source files and returns a sourced answer with file:line citations.

How to use it: Use Q&A for targeted lookups when you know the question but not where to look in the report.

4. Use Cases

Verifii is built for people who have been given a system to understand. These are the most common situations.

🧭

Understanding an Unfamiliar Codebase

You have inherited a codebase, joined a new team, or been handed a repo with minimal documentation. You need to understand what it does before you touch it.

Start here

Management view — the plain-English capability overview
Architecture — what is central vs peripheral
Engineer view — module map, entry points, known gotchas

What to expect: A sourced, structured understanding within an hour — not days of code archaeology.

📐

Detecting Spec Drift

Your documentation or README was written in the past. You suspect the code has drifted — features promised but not built, or behaviours that crept in undocumented.

Start here

Go directly to the Spec vs Reality report
Focus on ⚠️ Partial and ❌ Not found entries — these are your drift
Read Hidden Behaviours — the undocumented additions

What to expect: A precise list of spec vs code, with file:line evidence for every discrepancy.

🔒

Security Posture Review

You need to understand security-relevant behaviours — not just known CVEs, but how auth flows, where credentials are handled, what trust boundaries exist.

Start here

Security role view — verified findings with code reads, not just claim lists
Every HIGH and MEDIUM finding with the file:line open in your editor
Spec vs Reality → Security Observations for the full undocumented behaviour list

What to expect: Undocumented security contracts surfaced automatically.

Verifii is not a SAST tool. It finds behavioural contracts — complementary to Semgrep / Snyk.

🚀

Pre-Migration Planning

You are planning a migration or rewrite. Before you start, you need a complete, provable picture of what the current system does.

Start here

Product Owner view — your full capability inventory
Architecture — high in-degree files = migration risk
Spec vs Reality → Hidden Behaviours and Security Observations

What to expect: A verifiable baseline that becomes the acceptance criteria for the new system.

🔍

Technical Due Diligence

You are acquiring a company or evaluating a system you do not own. You need to assess what the codebase actually does, quickly and verifiably.

Start here

Management view — plain-English capability and risk summary
Spec vs Reality coverage score — how complete is the implementation?
Security role view — verified security observations

What to expect: A sourced, evidence-based technical assessment ready for a diligence report.

🧑‍💻

Onboarding New Team Members

A new engineer is joining. You want them productive fast, without monopolising senior engineer time for weeks.

Start here

Engineer view — module map, entry points, design patterns
Architecture — structure and what matters
Q&A — let them ask questions as they explore the code

What to expect: System comprehension in week one, not month one.

5. Deployment & Data Privacy

The guarantee: Your source code never leaves your machine. The CLI runs entirely locally. The only calls made to Verifii's servers are license validation and fetching analysis logic — never your code.

Where your code goes during analysis is the most important question to answer before adopting any code intelligence tool. Verifii is designed from the ground up so that the answer is always: it stays on your machine.

CLI — Available Now

Your machine. Your LLM key.

For individuals, teams, and anyone with a private codebase.

Install the CLI, point it at any local directory or GitHub URL. Analysis runs entirely on your machine. LLM calls go directly from your machine to your chosen provider using your own API key. Verifii never sees your code.

Your code → CLI (local) → Your LLM API

The only Verifii API call: license validation. No code. No snippets. Auditable.

Self-hosted — Available Now

Your network. Full stop.

For financial services, healthcare, government, and defence.

Run the full Verifii platform — CLI, web interface, role views, Q&A — entirely on your own infrastructure. Your team browses findings at an internal URL. Nothing leaves your network: not code, not findings, not queries.

Your code → CLI (local) → Verifii server (your infra)

Enterprise license includes an offline token option for air-gapped environments.

What verifiablyai.com is

The live demos at verifiablyai.com/projects are public open-source repositories we have analysed ourselves — requests, joda-money, spring-boot and others. They are a showcase of what Verifii produces, not a platform for customer code. We run the CLI on our own machine and publish the findings.

Verifii does not offer hosted analysis of private repositories. The product is the CLI and the self-hosted platform.

Enterprise enquiries: Contact verifiiai@gmail.com to discuss self-hosted deployment, enterprise licensing, and supported LLM configurations for your environment.

6. Architecture

This section explains exactly how Verifii works under the hood — what calls are made, where your code goes, and how the analysis intelligence is delivered without your code ever leaving your machine.

6.1 The analysis pipeline

When you run verifiably analyze, the following happens entirely on your machine:

File discovery — the CLI walks the directory, classifies files (source, test, config), builds an AST for each source file using tree-sitter
Dependency graph — imports and call relationships are extracted, files are sorted in dependency-first order so each analysis gets the context of its dependencies
Prompt fetch — the CLI calls the Verifii gate API with your license token to fetch the analysis prompt for the current file type. Your code is not in this call.
LLM call — the CLI sends the file content and fetched prompt directly to your LLM provider using your own API key. Verifii is not in this path.
Claim extraction — the LLM returns structured JSON: a list of claims, each with text, category, confidence, and file:line citation
Verification pass — a second LLM call checks each claim against the cited source lines. Claims that fail verification are marked not_determined rather than published
Cross-cutting pass — after all files are analysed, a final pass looks for contradictions across files: "File A claims X, File B shows the opposite"
Results saved locally — findings are written to your local project registry. Nothing is sent to Verifii.

6.2 The checkpoint gate

The analysis intelligence — the prompts that instruct the LLM what to extract and how to reason — is Verifii's core IP. The checkpoint gate delivers prompts at runtime without baking them into the CLI binary.

Your machine

1. verifiably analyze

2. Validate license key

5. Decrypt prompt in memory

6. Send code + prompt → LLM

7. Save findings locally

license key →

← session token (2hr)

prompt ID →

← encrypted prompt

usage count →

Verifii gate API

3. Validate key, issue token

4. Return prompt (encrypted)

8. Log files analysed

Never receives code

Step 6: code + prompt → Your LLM API (your key) → findings

What travels	To whom	Contains code?
License key + machine fingerprint	Verifii gate API	No
Session token + prompt ID	Verifii gate API	No
File content + prompt	Your LLM provider (your key)	Yes — your relationship
Usage count (files analysed)	Verifii gate API	No
Findings JSON	Stays on your machine	N/A

6.3 Session tokens and revocation

Every session token is bound to the machine that requested it (a hash of hostname, OS, and CPU). Tokens expire after 2 hours and are signed with HMAC-SHA256. If a license key is revoked, the next session request returns LICENSE_REVOKED and analysis cannot proceed.

This means Verifii can revoke access instantly — no waiting for a binary to expire or a cache to clear.

6.4 Viewing results locally

After analysis, findings are saved to your local project registry (~/verifiably_projects/). Run verifiably web to start the full web interface at localhost:8000 — the same interface as verifiablyai.com, running entirely on your machine. Or use the --serve flag to launch it automatically:

verifiably analyze https://github.com/jhy/jsoup --serve clones, analyses, opens browser to localhost:8000 — all local

6.5 Self-hosted deployment

The self-hosted option runs the entire Verifii stack — the same CLI, the same web application, and a local gate API — on your own infrastructure. Engineers push findings from their machines to the internal Verifii server. The team browses results at an internal URL. The gate API runs locally so no internet connection is required after initial setup.

Engineer laptop (CLI) → findings JSON → Verifii server (your infra) ← browse ← Team

7. Reading a Claim

A claim is the atomic unit of Verifii analysis. Everything in the report is built from claims. Understanding what a claim is helps you assess confidence in any finding.

Additional analysis included automatically: Beyond LLM claim extraction, Verifii also runs Lizard for cyclomatic complexity and method length metrics, and Semgrep for static security patterns. These results feed into the analysis alongside the LLM claims.

Field	What it means	Example
`text`	The statement. What the code does.	"rebuild_proxies strips Proxy-Authorization for non-HTTPS schemes"
`category`	behavioral / structural / security / informational	security
`confidence`	high / medium / low	high
`file`	Which file the evidence is in	sessions.py
`start_line / end_line`	The exact lines	334–341

Confidence levels

high — The behaviour is unambiguous from the code. No interpretation required.
medium — The behaviour is likely but depends on a condition or context not fully resolved.
low — The behaviour is inferred. Treat it as a hypothesis to verify manually.

A note on NOT_DETERMINED: When Verifii cannot determine something with confidence, it outputs NOT_DETERMINED rather than guessing. This is honest abstention, not a failure.

8. Frequently Asked Questions

Why does Verifii sometimes get things wrong?

Verifii uses an LLM to extract claims from code. LLMs occasionally miss indirect usages — for example, a function called via a wrapper rather than directly. Every finding includes a file:line reference so you can verify it yourself. If Verifii says a feature is missing and you know it exists, look for how it is called indirectly.

What is the difference between Verifii and a linter or SAST tool?

Linters and SAST tools check code against known rules or vulnerability patterns. Verifii reads your code and describes what it does in plain language, sourced to file:line. It finds behaviours that do not match any rule — because they have never been written down. They are complementary, not competing.

Which programming languages does Verifii support?

Verifii currently provides full AST-level analysis for Python, Java, JavaScript, and TypeScript (including .jsx, .tsx, .mjs, .cjs variants). All four languages get structural parsing, method and class extraction, dependency graphing, and claim generation at the same level of depth. If your codebase mixes languages, Verifii analyses each file in the appropriate language.

What should I do with the Questions for the Engineering Team section?

These are open questions that Verifii surfaced but cannot answer from code alone. Use them in your next engineering review, architecture discussion, or sprint planning. They represent genuine uncertainty about behaviour or intent that a human needs to resolve.

How current is the analysis?

The analysis reflects the codebase at the time it was run. If the code changes, re-run the analysis. Verifii does not maintain a live connection to your repository.

Verifii is built on a simple belief: the code is the truth. Every other artefact — the README, the spec, the architecture diagram — is a claim about the code. Verifii finds out if those claims are true.