Understanding your analysis · Reading your results · Getting answers
Windows users can download a ready-to-run desktop app — no Python install required. macOS, Linux, and developers who want to run from source can download the CLI source package.
VerifiablyApp.exe — double-click to run.
⬇ Download for Windows (.exe)
VerifiablyApp.exe isn't code-signed yet, so Windows SmartScreen may show a warning on first run. Click “More info” → “Run anyway” to continue.
Windows (.exe)
VerifiablyApp.exe. It opens a setup page in your browser.From source (.zip)
verifiably-cli.zip archive.verifiably-cli folder, install the CLI into your environment:pip install -e .
installs the verifiably command
verifiably init-config and enter your licence key (from your trial or purchase email) plus your own LLM provider API key (BYOK).verifiably analyze <path-or-github-url> --serve
clones (if a URL), analyses, and opens localhost:8000 — all local
Verifii analyses a code repository and produces a structured, sourced description of what the code actually does. The output is a set of expert views, each aimed at a different audience, plus a browsable documentation site. Every claim links to an exact file and line number.
| Output | What it answers |
|---|---|
| Role views (6) | Tailored analysis for Management, Product Owner, Engineer, Architect, Security, and Tester audiences |
| Architecture | How components are connected, which files are most depended on, and where the Zones of Pain are |
| Product overview | Plain-English capability description — no code knowledge required |
| Engineer view | File-by-file structural breakdown with dependencies and in-degree metrics |
| Spec vs Reality | Does the code do what the README or spec claims? What has drifted, what is undocumented? |
| Q&A | Ask free-form questions about the codebase — answers sourced to file:line |
sessions.py:L154, that is exactly where the behaviour was found. Click it. Verify it yourself.
Verifii is built for people who have been given a system to understand. These are the most common situations.
You have inherited a codebase, joined a new team, or been handed a repo with minimal documentation. You need to understand what it does before you touch it.
What to expect: A sourced, structured understanding within an hour — not days of code archaeology.
Your documentation or README was written in the past. You suspect the code has drifted — features promised but not built, or behaviours that crept in undocumented.
What to expect: A precise list of spec vs code, with file:line evidence for every discrepancy.
You need to understand security-relevant behaviours — not just known CVEs, but how auth flows, where credentials are handled, what trust boundaries exist.
What to expect: Undocumented security contracts surfaced automatically.
Verifii is not a SAST tool. It finds behavioural contracts — complementary to Semgrep / Snyk.
You are planning a migration or rewrite. Before you start, you need a complete, provable picture of what the current system does.
What to expect: A verifiable baseline that becomes the acceptance criteria for the new system.
You are acquiring a company or evaluating a system you do not own. You need to assess what the codebase actually does, quickly and verifiably.
What to expect: A sourced, evidence-based technical assessment ready for a diligence report.
A new engineer is joining. You want them productive fast, without monopolising senior engineer time for weeks.
What to expect: System comprehension in week one, not month one.
Where your code goes during analysis is the most important question to answer before adopting any code intelligence tool. Verifii is designed from the ground up so that the answer is always: it stays on your machine.
For individuals, teams, and anyone with a private codebase.
Install the CLI, point it at any local directory or GitHub URL. Analysis runs entirely on your machine. LLM calls go directly from your machine to your chosen provider using your own API key. Verifii never sees your code.
The only Verifii API call: license validation. No code. No snippets. Auditable.
For financial services, healthcare, government, and defence.
Run the full Verifii platform — CLI, web interface, role views, Q&A — entirely on your own infrastructure. Your team browses findings at an internal URL. Nothing leaves your network: not code, not findings, not queries.
Enterprise license includes an offline token option for air-gapped environments.
The live demos at verifiablyai.com/projects are public open-source repositories we have analysed ourselves — requests, joda-money, spring-boot and others. They are a showcase of what Verifii produces, not a platform for customer code. We run the CLI on our own machine and publish the findings.
Verifii does not offer hosted analysis of private repositories. The product is the CLI and the self-hosted platform.
This section explains exactly how Verifii works under the hood — what calls are made, where your code goes, and how the analysis intelligence is delivered without your code ever leaving your machine.
When you run verifiably analyze, the following happens entirely on your machine:
not_determined rather than publishedThe analysis intelligence — the prompts that instruct the LLM what to extract and how to reason — is Verifii's core IP. The checkpoint gate delivers prompts at runtime without baking them into the CLI binary.
verifiably analyze| What travels | To whom | Contains code? |
|---|---|---|
| License key + machine fingerprint | Verifii gate API | No |
| Session token + prompt ID | Verifii gate API | No |
| File content + prompt | Your LLM provider (your key) | Yes — your relationship |
| Usage count (files analysed) | Verifii gate API | No |
| Findings JSON | Stays on your machine | N/A |
Every session token is bound to the machine that requested it (a hash of hostname, OS, and CPU). Tokens expire after 2 hours and are signed with HMAC-SHA256. If a license key is revoked, the next session request returns LICENSE_REVOKED and analysis cannot proceed.
This means Verifii can revoke access instantly — no waiting for a binary to expire or a cache to clear.
After analysis, findings are saved to your local project registry (~/verifiably_projects/). Run verifiably web to start the full web interface at localhost:8000 — the same interface as verifiablyai.com, running entirely on your machine. Or use the --serve flag to launch it automatically:
verifiably analyze https://github.com/jhy/jsoup --serve
clones, analyses, opens browser to localhost:8000 — all local
The self-hosted option runs the entire Verifii stack — the same CLI, the same web application, and a local gate API — on your own infrastructure. Engineers push findings from their machines to the internal Verifii server. The team browses results at an internal URL. The gate API runs locally so no internet connection is required after initial setup.
A claim is the atomic unit of Verifii analysis. Everything in the report is built from claims. Understanding what a claim is helps you assess confidence in any finding.
| Field | What it means | Example |
|---|---|---|
text | The statement. What the code does. | "rebuild_proxies strips Proxy-Authorization for non-HTTPS schemes" |
category | behavioral / structural / security / informational | security |
confidence | high / medium / low | high |
file | Which file the evidence is in | sessions.py |
start_line / end_line | The exact lines | 334–341 |
NOT_DETERMINED rather than guessing. This is honest abstention, not a failure.
Verifii uses an LLM to extract claims from code. LLMs occasionally miss indirect usages — for example, a function called via a wrapper rather than directly. Every finding includes a file:line reference so you can verify it yourself. If Verifii says a feature is missing and you know it exists, look for how it is called indirectly.
Linters and SAST tools check code against known rules or vulnerability patterns. Verifii reads your code and describes what it does in plain language, sourced to file:line. It finds behaviours that do not match any rule — because they have never been written down. They are complementary, not competing.
Verifii currently provides full AST-level analysis for Python, Java, JavaScript, and TypeScript (including .jsx, .tsx, .mjs, .cjs variants). All four languages get structural parsing, method and class extraction, dependency graphing, and claim generation at the same level of depth. If your codebase mixes languages, Verifii analyses each file in the appropriate language.
These are open questions that Verifii surfaced but cannot answer from code alone. Use them in your next engineering review, architecture discussion, or sprint planning. They represent genuine uncertainty about behaviour or intent that a human needs to resolve.
The analysis reflects the codebase at the time it was run. If the code changes, re-run the analysis. Verifii does not maintain a live connection to your repository.
Verifii is built on a simple belief: the code is the truth. Every other artefact — the README, the spec, the architecture diagram — is a claim about the code. Verifii finds out if those claims are true.
{% endblock %}