01 · Getting Started
First launch in 60 seconds
NexaVerify is a portable Windows executable. No installation required. Unzip and run.
1
Launch the app
Double-click NexaVerify.exe. The Control Center opens — a dark dashboard with all controls.
2
Add API keys
Click the gear icon → Providers tab. Paste at least one key. Groq and Gemini offer free tiers to start.
3
Select a project folder
Browse to the codebase you want to analyze. Supported: .py, .js, .ts, .jsx, .tsx, .php, .java, .cs, .cpp, .c, .go, .rb, .rs, .swift, .kt, .html, .css, .vue, .sql
4
Choose a mode and launch
Select Balanced (recommended), then click Analyze Project. Your first report opens automatically in the browser.
Tip: start with Groq + Gemini (both have generous free tiers). Add Claude or GPT for stronger consensus later.
02 · AI Providers
8 models, your own API keys
NexaVerify sends your code directly to each provider's API. No proxy. No telemetry. Your keys stay on your machine.
Claude
claude-3-5-haiku
Best at architecture, logic, and edge cases.
GPT-4o-mini
gpt-4o-mini
Best at security vulnerabilities and FinOps.
Gemini Flash
gemini-2.5-flash
Best at code smells & patterns. Free tier
Groq
llama-3.3-70b
Lightning fast, low-friction daily scans. Free tier
Cerebras
gpt-oss-120b
Fastest turnaround, speed-first CI gate. Free tier
Mistral
mistral-small
Affordable, strong on code smells and maintainability.
OpenRouter
openrouter/free
Free routing tier, fallback coverage. Free tier
Ollama
llama3.3:70b (local)
100% local, no cloud API calls, no key needed. Fully Free
Model override: set NEXAVERIFY_<PROVIDER>_MODEL env var to use a different model (e.g., NEXAVERIFY_CLAUDE_MODEL=claude-opus-4-6)
API key quick reference
| Provider | Key URL | Key prefix | Free tier |
| Claude | console.anthropic.com/settings/keys | sk-ant-... | — |
| GPT | platform.openai.com/api-keys | sk-... | — |
| Gemini | aistudio.google.com/app/apikey | AIza... | 32K tokens/day |
| Groq | console.groq.com/keys | gsk_... | 500K tokens/day |
| Cerebras | cloud.cerebras.ai | csk-... | 500K tokens/day |
| Mistral | console.mistral.ai/api-keys | mistral... | — |
| OpenRouter | openrouter.ai/keys | sk-or-... | 200 req/day |
| Ollama | (local, no key) | — | Unlimited |
03 · Scan Modes
Three depths, one workflow
Each mode controls how many providers are called and how thoroughly the code is analyzed.
Quick
Fastest sanity pass. 2 LLMs, 32KB chunks. Use as a pre-commit gate or daily surface check.
2 providers · 32 KB chunks
Balanced ★
Best default. 4 LLMs, 64KB chunks. Optimal tradeoff between speed, signal quality, and cost.
4 providers · 64 KB chunks
Deep
Full consensus. 7 LLMs, 96KB chunks. Use before deliveries, on critical code, or for client audits.
7 providers · 96 KB chunks
Free tier: limited to 3 providers per scan regardless of mode. Upgrade to Pro for full access.
04 · Workflow
From folder to validated report
Step 1
Map
Select your project. NexaVerify builds a local view: file tree, chunks, hotspots, stack context.
Step 2
Validate
All active providers analyze chunks in parallel. Each returns structured findings independently.
Step 3
JSON Repair
Truncated or malformed responses are automatically repaired before they reach the consensus engine.
Step 4
Consensus
The engine merges, deduplicates, and scores every issue. Only cross-provider agreement passes through.
Step 5
Arbiter
Meta-analysis: measures the reliability of the consensus. Assigns TRUST / PARTIAL / DO NOT TRUST.
Step 6
Deliver
HTML for humans. JSON for CI/CD. SARIF 2.1.0 for GitHub/GitLab integration.
05 · JSON Repair
Automatic recovery of broken LLM responses
LLMs sometimes truncate or malform JSON output — especially under token pressure. Instead of crashing, NexaVerify repairs the response automatically.
1
Strip markdown fences
Removes ```json / ``` wrappers that sometimes surround the JSON.
2
Full parse attempt
Runs json.loads() on the cleaned text. If it's a dict with an "issues" key, returns that list directly.
3
Bracket matching
If full parse fails, scans character-by-character tracking bracket depth. Extracts the first valid JSON array between matching [ … ], respecting string escapes.
4
Fallback
If no valid JSON array is found anywhere in the response, returns [] — the provider contributes zero issues instead of crashing the scan.
This is invisible to you. The repair runs silently before the consensus engine. You only see the result: a complete report instead of a failed scan.
06 · Reports
Three formats, one scan
Every scan generates all selected formats simultaneously. Choose what fits your workflow.
HTML
Visual report
Self-contained dark-themed report with Health Score, severity cards, confidence bars, conflict heatmaps, and share hooks. Opens automatically in your browser after each scan.
JSON
Structured data
Raw data for CI/CD pipelines, archiving, and run-to-run diffing. Contains issues, observations, conflicts, provider health, score formula, and baseline history.
SARIF 2.1.0
Standard format
Compatible with GitHub Advanced Security, GitLab SAST, and VS Code SARIF Viewer. Includes CWE/OWASP taxa, proof hashes, and prompt manifests.
Output location: reports are saved in the %APPDATA%/NexaVerify/reports/ folder. Files are written atomically via .tmp + os.replace() — no corruption on unexpected shutdown.
07 · Consensus Engine
Multi-provider agreement scoring
The core differentiator of NexaVerify. Instead of averaging scores, the engine uses weighted agreement to separate real bugs from hallucinations.
1
Normalize
All raw issues from all providers are tagged with their source provider.
2
Group similar issues
Issues are bucketed by (file, type), then fuzzy-matched via SequenceMatcher on description text + line proximity (within 5 lines).
3
Weighted confidence
Each provider has per-type weights (e.g., Claude weight 1.8 for "smell", GPT weight 1.6 for "security"). Confidence = agreed_weight / total_weight.
4
Severity adjustment
Confidence-adjusted severity. The highest reported severity is taken conservatively.
Health Score formula
Score starts at 100. Each validated issue deducts points:
| Severity | Deduction |
| Critical | −12 pts |
| High | −6 pts |
| Medium | −2 pts |
| Low | −0.5 pts |
Issues confirmed by 3+ providers receive a 1.8x consensus multiplier. Score has a soft floor of 35 to avoid overwhelming critical-heavy small reports.
08 · Arbiter Engine
Meta-analysis: TRUST / PARTIAL / DO NOT TRUST
The Arbiter measures the quality of the consensus itself. It detects when high agreement is misleading and when you should pause before acting.
| Verdict | Meaning |
| TRUST | The AIs agree, analysis conditions were good, result is reliable. Proceed normally. |
| PARTIAL | Conflicts or coverage gaps detected. Review the flagged areas before acting. |
| DO NOT TRUST | Strong signals of consensus illusion or multiple concurrent failures. Do not act on this report. |
The Arbiter evaluates 7 signals: consensus illusion, conflict, coverage gap, temporal flickering, temporal drifting, location divergence, and low reliability. Evaluated through 10 priority-ordered rules (R01-R10).
Output: each issue includes a ProofBundle containing the full decision trace — input hash, signal vector, rule trace, output hash, and chain hash.
09 · Proof of Determinism
Cryptographic audit trail
Every Arbiter decision produces a verifiable ProofBundle — a SHA-256 hash chain that guarantees the result was computed deterministically.
// ProofBundle structure
{
"input_hash": "sha256...", // all raw inputs
"signal_vector": [...], // 7 active signals with values
"rule_trace": [...], // which rule fired (R01-R10)
"output_hash": "sha256...", // final verdict hash
"proof_hash": "sha256..." // full chain hash
}
- Reproducible: same inputs → same proof_hash
- Falsifiable: tampering changes the proof_hash
- Auditable: rule_trace explains why a decision was made
- Compact: <2 KB per issue
CLI verification: --verify-proof report.sarif recomputes the hash chain and exits with 0 (valid) or 1 (tampered).
10 · Token Economics
Know your costs before you scan
NexaVerify estimates API costs before each scan and measures actual consumption afterward. No surprise bills.
| Provider | Input (per 1M tokens) | Output (per 1M tokens) |
| Claude | $0.80 | $4.00 |
| GPT-4o-mini | $0.15 | $0.60 |
| Gemini Flash | $0.075 | $0.30 |
| Groq | $0.05 | $0.08 |
| Cerebras | $0.06 | $0.06 |
| Mistral | $0.10 | $0.30 |
| OpenRouter | $0.00 | $0.00 |
| Ollama | $0.00 | $0.00 |
Typical scan costs:
- Quick PR check (Groq + Cerebras): ~$0.004
- Free balanced (Gemini + Groq + Cerebras): ~$0.022
- Pro balanced (4 providers): ~$0.145
- Pro deep (7 providers): ~$0.611
ROI comparison: at $120/h senior developer rate (20 min per 100 lines), a single scan costs less than 1% of manual review time. FP rate drops from ~35% (1 model) to ~4% (post-Arbiter).
11 · Licensing
Gumroad & offline activation
Two activation paths — standard online purchase and air-gapped offline activation.
Free tier
- 3 analyses per day — resets at local midnight based on PC date
- 10 files maximum per scan
- 3 AI providers (Gemini + Groq + Cerebras)
- No credit card required. Download from Gumroad, unzip, and run.
Pro tier (€19 one-time)
- Unlimited analyses per day
- 200 files per scan
- All 8 AI models — full consensus power
- Lifetime access. No subscription. Free updates.
Activation steps
G
Gumroad activation
After purchase, paste the license key in Settings → License. Verified online via Gumroad API. Cached for 14 days offline use.
O
Offline activation
For air-gapped PCs: user sends machine fingerprint → you sign an RSA-2048 offline code → user pastes it. Pro is unlocked indefinitely on that machine.
# Offline activation tool (separate from shipped app)
python offline_activation_tool.py issue \
--machine-id 0123456789abcdef0123456789abcdef \
--buyer "Customer name"
12 · Provider Profiles
6 presets for any workflow
Provider profiles reorder and filter providers to match your goal — speed, cost, reliability, or privacy.
| Profile | Best for |
| Custom | Use the exact provider order you configured |
| Fast | Tight feedback loops — Groq and Cerebras first |
| Cheap | Maximize free tiers — Gemini, Groq, Cerebras, OpenRouter, Ollama |
| Stable | Safe delivery — Claude, GPT, Gemini prioritized |
| Max Consensus | Strongest arbitration — all 8 providers |
| Privacy | Ollama only — no code ever leaves your machine |
Recommended model combos
| Combo | Providers |
| Speed Runner | Groq + Cerebras |
| Budget Sentinel | Gemini + Groq + OpenRouter |
| Logic Arbiter | Claude + GPT + Gemini |
| Client Delivery Gate | Claude + GPT + Cerebras + Gemini |
| Local Only | Ollama |
v1.6.0 Feature
Typed Prompts
Each provider now receives a role-specialized system prompt tuned to its strengths, instead of a generic template.
| Provider | Role |
| Claude | Security Auditor & Compliance Specialist |
| GPT | FinOps Analyst & Resource Risk Specialist |
| Gemini | Architecture & Design Quality Reviewer |
| Groq | Logic & Concurrency Bug Hunter |
| Cerebras | Fast First-Pass Reviewer |
| Mistral | Code Quality & Maintainability Specialist |
| OpenRouter | General Code Reviewer |
| Ollama | Local Privacy-First Reviewer |
Extended schema fields (per issue): cwe_hint, owasp_category, confidence_basis. Each prompt has a PROMPT_HASH = SHA-256(system_prompt + role_id).
Privacy & Security
What stays local
- Your code is sent only to the LLM providers you configured, using their official APIs. No code is stored by NexaVerify.
- Your API keys are stored locally, encrypted via DPAPI (Windows) or Fernet AES (Linux/macOS).
- Reports are generated locally and saved on your machine. Nothing is uploaded.
- No telemetry, no analytics, no tracking pixels.
- Settings are written atomically — no corruption on power loss.
- Ollama support means fully offline operation — no data ever leaves your machine.
Internet is required for cloud API calls only. With Ollama, you can run completely air-gapped.
Productivity
Keyboard shortcuts
| Shortcut | Action |
| Ctrl+O | Browse/Select project folder |
| Ctrl+Enter | Start analysis |
| Ctrl+, | Open Control Center (Settings) |
| F1 | Open user manual |
13 · FAQ
Common questions
Why 8 providers instead of one?
Single-model reviews hallucinate and miss things. Each model has different blind spots. Running 8 in parallel and surfacing only what survives cross-provider consensus reduces false positives drastically — from ~35% (1 model) to ~4% (post-Arbiter).
Do I need all 8 API keys to start?
No. NexaVerify works with just one provider. But consensus becomes meaningful with 2+ providers. Start with Groq or Gemini (both have free tiers) and add more as needed.
What happens if a provider fails mid-scan?
The scan continues with the providers that responded. The report is generated with a "Partial confidence" label. The scan never aborts unless all providers fail (which means check your keys).
How is this different from using ChatGPT to review code?
Three differences: (1) NexaVerify runs 8 models in parallel — not just one conversation. (2) The Consensus Engine cross-validates every finding. (3) The Arbiter tells you whether the results are trustworthy.
Can I use this in CI/CD?
Yes. The CLI supports --scan, --mode, --format sarif, --threshold, and --fail-on-illusion. Exit codes: 0 (pass), 1 (below threshold), 2 (illusion gate).
Linux or macOS support?
Windows 10/11 64-bit native. Wine on Linux (experimental). macOS not yet available.
What if I change PC?
The license is machine-bound. Contact nexadiag@gmail.com with proof of purchase for a reset. Offline activations require a new signed code.