_selftest_fixture
Mode: Balanced • 2 LLM(s) • 2026-04-27 20:17
Health Score: 92
Critical: 0 • High: 1 • Medium: 4 • Low: 0 • Total: 5
Score based on provider consensus — 2 provider(s) counted for confidence
Reliability: Partial confidence • Useful signal, but not full-strength consensus.
Executive Readout
Review the hotspots and decide what ships next.
Built for a dev-facing handoff: fast signal up top, evidence below, ready-to-export detail.
1. Review critical and high findings first.
2. Check provider disagreements before making a final call.
3. Use Project Intelligence to spot hotspots before refactoring.
LLM Providers
Runtime coverage, provider health, and confidence participation for this run.
✓ ollama (1 result) • ✓ gemini (4 results) • ✗ gpt — account
API Optimizer
Current provider lineup mapped to speed, budget posture, and strongest use case.

Active model fit

Ollama (Local) • Speed: Variable • Budget: Free (local)
Best fit: Privacy-first review without any cloud API calls
Local benchmark: Steady, 204.78s/chunk avg, 100% success, signal Light
Gemini Flash (Google) • Speed: Very fast • Budget: $
Best fit: Wide coverage and inexpensive parallel passes
Local benchmark: Steady, 17.32s/chunk avg, 100% success, signal Medium

Suggested combo

Recommended active combo: Local Only. Full privacy — no data leaves your machine. Requires Ollama running locally.
Project Intelligence
Local architecture clues, stack signals, hotspots, and review guidance inferred before LLM consensus.

Architecture

Executable application
Primary languages: Python (3)

Coverage Signals

3 files / 3 chunks
24 lines scanned • 0 tests • 0 docs

Priority Review

3 local risk markers
1 entry point(s) • 0 skipped file(s)

Hotspots

runtime_bug.py • 11 lines • 0.2 KB
shell_risk.py • 7 lines • 0.2 KB
auth_bug.py • 6 lines • 0.2 KB

Executive Signals

No automated tests detected: This project exposes code to AI review without an obvious test safety net.
Sensitive patterns deserve priority review: 3 local risk markers detected before any LLM call.
Clear execution entry points found: runtime_bug.py
Decision Trace
Why these findings are visible: provider participation, project rules, suppressions, and score inputs.

Providers

Requested: ollama, gemini, gpt
Returned results: ollama: 1, gemini: 4
Failed: gpt: Error code: 429 - {'error': {'message': 'You exceeded your current quota, please check your plan and billing details. For more information on this error, read the docs: https://platform.openai.com/docs/guides/error-codes
Coverage: 2/3 provider(s) returned usable results

Provider Health

gpt: Account or billing issue • Check billing, credits, or plan status for this provider account.

Filtering

Visible findings: 5 findings • 0 observations
Project ignore rules: 0 findings • 0 observations • 0 conflicts • 0 logic hotspots
Suppressions: 0 findings • 0 observations • 0 active rules

Run Scope

Score: 92/100 visible review score
Score confidence: Partial confidence — 2/3 provider(s) usable. Useful signal, but not full-strength consensus.
Git diff mode: disabled
Issues (5)
Validated findings ranked by severity, confidence, and provider agreement.
🔐 security HIGH shell_risk.py:5 Confirmed — 65%
Command injection vulnerability due to direct interpolation of user-controlled input (target_path) into a shell command executed with `shell=True`. An attacker can execute arbitrary commands by crafting a malicious target_path.
Detected by: ✓ gemini ×1.5 1/2 provider(s) agreed
🐛 bug MEDIUM auth_bug.py Partial consensus — 50%
Always returns true due to undefined behavior of bare string literal comparison.
Detected by: ✓ ollama ×0.9 1/2 provider(s) agreed
🐛 bug MEDIUM auth_bug.py:3 Partial consensus — 50%
The condition `if user_role == "admin" or "staff"` is always truthy because the string literal `"staff"` evaluates to `True` in a boolean context. This makes the `can_delete_account` function always return `True` when this branch is taken, effectively bypassing both the admin/staff check and rendering the owner check (`account_owner == actor` on line 5) unreachable. This is a critical authorization bypass vulnerability.
Detected by: ✓ gemini ×0.9 1/2 provider(s) agreed
🐛 bug MEDIUM runtime_bug.py:2 Partial consensus — 50%
Attempting to import a package 'not_a_real_package' that likely does not exist, leading to an ImportError.
Detected by: ✓ gemini ×0.9 1/2 provider(s) agreed
🐛 bug MEDIUM runtime_bug.py:5 Partial consensus — 50%
The 'divide_total' function does not handle cases where 'count' is zero, which will result in a ZeroDivisionError.
Detected by: ✓ gemini ×0.9 1/2 provider(s) agreed
Consensus Logic Watch
Subtle logical weak spots inferred from consensus and disagreement patterns.
Authorization drift • auth_bug.py • confidence 55% • 2 source(s)
The condition `if user_role == "admin" or "staff"` is always truthy because the string literal `"staff"` evaluates to `True` in a boolean context. This makes the `can_delete_account` function always return `True` when this branch is taken, effectively bypassing both the admin/staff check and rendering the owner check (`account_owner == actor` on line 5) unreachable. This is a critical authorization bypass vulnerability. (providers disagree: ollama: high vs gemini: critical)
Authorization drift • auth_bug.py:3 • confidence 50% • 1 source(s)
The condition `if user_role == "admin" or "staff"` is always truthy because the string literal `"staff"` evaluates to `True` in a boolean context. This makes the `can_delete_account` function always return `True` when this branch is taken, effectively bypassing both the admin/staff check and rendering the owner check (`account_owner == actor` on line 5) unreachable. This is a critical authorization bypass vulnerability.
AI Conflict Heatmap
Zones where providers disagree on severity and a human decision matters most.
auth_bug.py: The condition `if user_role == "admin" or "staff"` is always truthy because the string literal `"staff"` evaluates to `True` in a boolean context. This makes the `can_delete_account` function always return `True` when this branch is taken, effectively bypassing both the admin/staff check and rendering the owner check (`account_owner == actor` on line 5) unreachable. This is a critical authorization bypass vulnerability.
ollama: high • gemini: critical
Severity spread: 1 level(s)
Share Hooks
Built-in viral angles you can reuse in screenshots, launch posts, demos, and client updates.
Clean-run flex: _selftest_fixture cleared a multi-model audit with a 92/100 health score.
Strong first-run win that is easy to screenshot and share.
AI disagreement reveal: NexaVerify found 1 place where models disagreed — exactly where human judgment still matters.
Disagreement zones are naturally curiosity-inducing and highly shareable.
Subtle logic catch: The consensus watchlist surfaced 2 subtle logic risks that a single-model pass could miss.
Highlights differentiated value beyond ordinary bug detection.