Premium User Guide — v1.6.0

NexaVerify v1.6.0

A complete guide for using NexaVerify — the multi-AI code validation tool that runs your code through 8 world-class models simultaneously. Only signals that survive cross-provider consensus reach your report.
v1.6.0 at a glance
8 AI models · 1 verdict
8 providers · 3 scan modes · 3 report formats · 6 profiles · offline support
JSON Repair Proof of Determinism Typed Prompts SARIF 2.1.0
01. Getting Started First launch, Control Center, quick setup 02. AI Providers All 8 models, free tiers, API keys 03. Scan Modes Quick, Balanced, Deep 04. Workflow Map → Validate → JSON Repair → Deliver 05. JSON Repair How truncated responses are recovered 06. Reports HTML · JSON · SARIF 2.1.0 07. Consensus Engine Multi-provider agreement scoring 08. Arbiter Engine TRUST / PARTIAL / DO NOT TRUST 09. Proof of Determinism Cryptographic audit trail 10. Token Economics Cost estimation & ROI 11. Licensing Gumroad & offline activation 12. Provider Profiles 6 presets for any workflow 13. FAQ

First launch in 60 seconds

NexaVerify is a portable Windows executable. No installation required. Unzip and run.

1
Launch the app
Double-click NexaVerify.exe. The Control Center opens — a dark dashboard with all controls.
2
Add API keys
Click the gear icon → Providers tab. Paste at least one key. Groq and Gemini offer free tiers to start.
3
Select a project folder
Browse to the codebase you want to analyze. Supported: .py, .js, .ts, .jsx, .tsx, .php, .java, .cs, .cpp, .c, .go, .rb, .rs, .swift, .kt, .html, .css, .vue, .sql
4
Choose a mode and launch
Select Balanced (recommended), then click Analyze Project. Your first report opens automatically in the browser.
Tip: start with Groq + Gemini (both have generous free tiers). Add Claude or GPT for stronger consensus later.

8 models, your own API keys

NexaVerify sends your code directly to each provider's API. No proxy. No telemetry. Your keys stay on your machine.

Claude
claude-3-5-haiku
Best at architecture, logic, and edge cases.
GPT-4o-mini
gpt-4o-mini
Best at security vulnerabilities and FinOps.
Gemini Flash
gemini-2.5-flash
Best at code smells & patterns. Free tier
Groq
llama-3.3-70b
Lightning fast, low-friction daily scans. Free tier
Cerebras
gpt-oss-120b
Fastest turnaround, speed-first CI gate. Free tier
Mistral
mistral-small
Affordable, strong on code smells and maintainability.
OpenRouter
openrouter/free
Free routing tier, fallback coverage. Free tier
Ollama
llama3.3:70b (local)
100% local, no cloud API calls, no key needed. Fully Free
Model override: set NEXAVERIFY_<PROVIDER>_MODEL env var to use a different model (e.g., NEXAVERIFY_CLAUDE_MODEL=claude-opus-4-6)

API key quick reference

ProviderKey URLKey prefixFree tier
Claudeconsole.anthropic.com/settings/keyssk-ant-...
GPTplatform.openai.com/api-keyssk-...
Geminiaistudio.google.com/app/apikeyAIza...32K tokens/day
Groqconsole.groq.com/keysgsk_...500K tokens/day
Cerebrascloud.cerebras.aicsk-...500K tokens/day
Mistralconsole.mistral.ai/api-keysmistral...
OpenRouteropenrouter.ai/keyssk-or-...200 req/day
Ollama(local, no key)Unlimited

Three depths, one workflow

Each mode controls how many providers are called and how thoroughly the code is analyzed.

Quick

Fastest sanity pass. 2 LLMs, 32KB chunks. Use as a pre-commit gate or daily surface check.

2 providers · 32 KB chunks
Balanced ★

Best default. 4 LLMs, 64KB chunks. Optimal tradeoff between speed, signal quality, and cost.

4 providers · 64 KB chunks
Deep

Full consensus. 7 LLMs, 96KB chunks. Use before deliveries, on critical code, or for client audits.

7 providers · 96 KB chunks
Free tier: limited to 3 providers per scan regardless of mode. Upgrade to Pro for full access.

From folder to validated report

Step 1
Map
Select your project. NexaVerify builds a local view: file tree, chunks, hotspots, stack context.
Step 2
Validate
All active providers analyze chunks in parallel. Each returns structured findings independently.
Step 3
JSON Repair
Truncated or malformed responses are automatically repaired before they reach the consensus engine.
Step 4
Consensus
The engine merges, deduplicates, and scores every issue. Only cross-provider agreement passes through.
Step 5
Arbiter
Meta-analysis: measures the reliability of the consensus. Assigns TRUST / PARTIAL / DO NOT TRUST.
Step 6
Deliver
HTML for humans. JSON for CI/CD. SARIF 2.1.0 for GitHub/GitLab integration.

Automatic recovery of broken LLM responses

LLMs sometimes truncate or malform JSON output — especially under token pressure. Instead of crashing, NexaVerify repairs the response automatically.

1
Strip markdown fences
Removes ```json / ``` wrappers that sometimes surround the JSON.
2
Full parse attempt
Runs json.loads() on the cleaned text. If it's a dict with an "issues" key, returns that list directly.
3
Bracket matching
If full parse fails, scans character-by-character tracking bracket depth. Extracts the first valid JSON array between matching [], respecting string escapes.
4
Fallback
If no valid JSON array is found anywhere in the response, returns [] — the provider contributes zero issues instead of crashing the scan.
This is invisible to you. The repair runs silently before the consensus engine. You only see the result: a complete report instead of a failed scan.

Three formats, one scan

Every scan generates all selected formats simultaneously. Choose what fits your workflow.

HTML
Visual report
Self-contained dark-themed report with Health Score, severity cards, confidence bars, conflict heatmaps, and share hooks. Opens automatically in your browser after each scan.
JSON
Structured data
Raw data for CI/CD pipelines, archiving, and run-to-run diffing. Contains issues, observations, conflicts, provider health, score formula, and baseline history.
SARIF 2.1.0
Standard format
Compatible with GitHub Advanced Security, GitLab SAST, and VS Code SARIF Viewer. Includes CWE/OWASP taxa, proof hashes, and prompt manifests.
Output location: reports are saved in the %APPDATA%/NexaVerify/reports/ folder. Files are written atomically via .tmp + os.replace() — no corruption on unexpected shutdown.
→ View a real v1.6.0 scan report (NexaVerify scanning itself)

Multi-provider agreement scoring

The core differentiator of NexaVerify. Instead of averaging scores, the engine uses weighted agreement to separate real bugs from hallucinations.

1
Normalize
All raw issues from all providers are tagged with their source provider.
2
Group similar issues
Issues are bucketed by (file, type), then fuzzy-matched via SequenceMatcher on description text + line proximity (within 5 lines).
3
Weighted confidence
Each provider has per-type weights (e.g., Claude weight 1.8 for "smell", GPT weight 1.6 for "security"). Confidence = agreed_weight / total_weight.
4
Severity adjustment
Confidence-adjusted severity. The highest reported severity is taken conservatively.

Health Score formula

Score starts at 100. Each validated issue deducts points:

SeverityDeduction
Critical−12 pts
High−6 pts
Medium−2 pts
Low−0.5 pts

Issues confirmed by 3+ providers receive a 1.8x consensus multiplier. Score has a soft floor of 35 to avoid overwhelming critical-heavy small reports.

Meta-analysis: TRUST / PARTIAL / DO NOT TRUST

The Arbiter measures the quality of the consensus itself. It detects when high agreement is misleading and when you should pause before acting.

VerdictMeaning
TRUSTThe AIs agree, analysis conditions were good, result is reliable. Proceed normally.
PARTIALConflicts or coverage gaps detected. Review the flagged areas before acting.
DO NOT TRUSTStrong signals of consensus illusion or multiple concurrent failures. Do not act on this report.

The Arbiter evaluates 7 signals: consensus illusion, conflict, coverage gap, temporal flickering, temporal drifting, location divergence, and low reliability. Evaluated through 10 priority-ordered rules (R01-R10).

Output: each issue includes a ProofBundle containing the full decision trace — input hash, signal vector, rule trace, output hash, and chain hash.

Cryptographic audit trail

Every Arbiter decision produces a verifiable ProofBundle — a SHA-256 hash chain that guarantees the result was computed deterministically.

// ProofBundle structure { "input_hash": "sha256...", // all raw inputs "signal_vector": [...], // 7 active signals with values "rule_trace": [...], // which rule fired (R01-R10) "output_hash": "sha256...", // final verdict hash "proof_hash": "sha256..." // full chain hash }
  • Reproducible: same inputs → same proof_hash
  • Falsifiable: tampering changes the proof_hash
  • Auditable: rule_trace explains why a decision was made
  • Compact: <2 KB per issue
CLI verification: --verify-proof report.sarif recomputes the hash chain and exits with 0 (valid) or 1 (tampered).

Know your costs before you scan

NexaVerify estimates API costs before each scan and measures actual consumption afterward. No surprise bills.

ProviderInput (per 1M tokens)Output (per 1M tokens)
Claude$0.80$4.00
GPT-4o-mini$0.15$0.60
Gemini Flash$0.075$0.30
Groq$0.05$0.08
Cerebras$0.06$0.06
Mistral$0.10$0.30
OpenRouter$0.00$0.00
Ollama$0.00$0.00

Typical scan costs:

  • Quick PR check (Groq + Cerebras): ~$0.004
  • Free balanced (Gemini + Groq + Cerebras): ~$0.022
  • Pro balanced (4 providers): ~$0.145
  • Pro deep (7 providers): ~$0.611
ROI comparison: at $120/h senior developer rate (20 min per 100 lines), a single scan costs less than 1% of manual review time. FP rate drops from ~35% (1 model) to ~4% (post-Arbiter).

Gumroad & offline activation

Two activation paths — standard online purchase and air-gapped offline activation.

Free tier

  • 3 analyses per day — resets at local midnight based on PC date
  • 10 files maximum per scan
  • 3 AI providers (Gemini + Groq + Cerebras)
  • No credit card required. Download from Gumroad, unzip, and run.

Pro tier (€19 one-time)

  • Unlimited analyses per day
  • 200 files per scan
  • All 8 AI models — full consensus power
  • Lifetime access. No subscription. Free updates.

Activation steps

G
Gumroad activation
After purchase, paste the license key in Settings → License. Verified online via Gumroad API. Cached for 14 days offline use.
O
Offline activation
For air-gapped PCs: user sends machine fingerprint → you sign an RSA-2048 offline code → user pastes it. Pro is unlocked indefinitely on that machine.
# Offline activation tool (separate from shipped app) python offline_activation_tool.py issue \ --machine-id 0123456789abcdef0123456789abcdef \ --buyer "Customer name"

6 presets for any workflow

Provider profiles reorder and filter providers to match your goal — speed, cost, reliability, or privacy.

ProfileBest for
CustomUse the exact provider order you configured
FastTight feedback loops — Groq and Cerebras first
CheapMaximize free tiers — Gemini, Groq, Cerebras, OpenRouter, Ollama
StableSafe delivery — Claude, GPT, Gemini prioritized
Max ConsensusStrongest arbitration — all 8 providers
PrivacyOllama only — no code ever leaves your machine

Recommended model combos

ComboProviders
Speed RunnerGroq + Cerebras
Budget SentinelGemini + Groq + OpenRouter
Logic ArbiterClaude + GPT + Gemini
Client Delivery GateClaude + GPT + Cerebras + Gemini
Local OnlyOllama

Typed Prompts

Each provider now receives a role-specialized system prompt tuned to its strengths, instead of a generic template.

ProviderRole
ClaudeSecurity Auditor & Compliance Specialist
GPTFinOps Analyst & Resource Risk Specialist
GeminiArchitecture & Design Quality Reviewer
GroqLogic & Concurrency Bug Hunter
CerebrasFast First-Pass Reviewer
MistralCode Quality & Maintainability Specialist
OpenRouterGeneral Code Reviewer
OllamaLocal Privacy-First Reviewer

Extended schema fields (per issue): cwe_hint, owasp_category, confidence_basis. Each prompt has a PROMPT_HASH = SHA-256(system_prompt + role_id).

What stays local

  • Your code is sent only to the LLM providers you configured, using their official APIs. No code is stored by NexaVerify.
  • Your API keys are stored locally, encrypted via DPAPI (Windows) or Fernet AES (Linux/macOS).
  • Reports are generated locally and saved on your machine. Nothing is uploaded.
  • No telemetry, no analytics, no tracking pixels.
  • Settings are written atomically — no corruption on power loss.
  • Ollama support means fully offline operation — no data ever leaves your machine.
Internet is required for cloud API calls only. With Ollama, you can run completely air-gapped.

Keyboard shortcuts

ShortcutAction
Ctrl+OBrowse/Select project folder
Ctrl+EnterStart analysis
Ctrl+,Open Control Center (Settings)
F1Open user manual

Common questions

Why 8 providers instead of one?

Single-model reviews hallucinate and miss things. Each model has different blind spots. Running 8 in parallel and surfacing only what survives cross-provider consensus reduces false positives drastically — from ~35% (1 model) to ~4% (post-Arbiter).

Do I need all 8 API keys to start?

No. NexaVerify works with just one provider. But consensus becomes meaningful with 2+ providers. Start with Groq or Gemini (both have free tiers) and add more as needed.

What happens if a provider fails mid-scan?

The scan continues with the providers that responded. The report is generated with a "Partial confidence" label. The scan never aborts unless all providers fail (which means check your keys).

How is this different from using ChatGPT to review code?

Three differences: (1) NexaVerify runs 8 models in parallel — not just one conversation. (2) The Consensus Engine cross-validates every finding. (3) The Arbiter tells you whether the results are trustworthy.

Can I use this in CI/CD?

Yes. The CLI supports --scan, --mode, --format sarif, --threshold, and --fail-on-illusion. Exit codes: 0 (pass), 1 (below threshold), 2 (illusion gate).

Linux or macOS support?

Windows 10/11 64-bit native. Wine on Linux (experimental). macOS not yet available.

What if I change PC?

The license is machine-bound. Contact nexadiag@gmail.com with proof of purchase for a reset. Offline activations require a new signed code.


CLI quick reference

nexaverify --scan ./my-project --mode balanced --providers claude,gpt,gemini,groq --format html,json,sarif nexaverify --scan ./my-project --mode deep --threshold 75 --fail-on-illusion high nexaverify --scan ./my-project --use-typed-prompts --format sarif nexaverify --verify-proof report.sarif

Exit codes: 0 = pass · 1 = below threshold · 2 = illusion gate triggered · 3 = quota exceeded


Get Pro — €19 Try Free ← Back to landing Support