Why Veriva
Veriva is the verification layer for AI-generated code. AI assistants and reviewers shipped inside code generators have a structural conflict: they grade what their own model produced. Veriva is a separate product with a separate role — verify, not generate. The artifact Veriva produces is a graded PR with per-line per-agent attribution and a provenance trail you can defend, not a stream of comments you scroll past.
Independence is the architecture
Three-tier finding routing
Every AI finding routes through one of three calibrated-confidence tiers before it reaches your PR comment thread:
- Verified — high confidence, reachability confirmed from a public entry point. These are the findings the merge gate considers blocking-eligible.
- Discovery — medium confidence or findings whose exploit path is theoretical. Visible to reviewers but never blocks.
- Suppressed — low confidence or matches against your team's suppression knowledge base. Hidden by default.
This routing is what keeps the Verified tab high-precision over time. The suppression dashboard at /suppressions lets your team teach the system what counts as noise; clustering similar suppressions reduces future false positives.
Reachability validation
For every HIGH or CRITICAL finding, Veriva walks the call graph from public entry points (HTTP routes, queue handlers, cron jobs) to the cited line. If no path exists, the finding drops to Discovery. If one does, a verifier confirms whether the path is actually exploitable. Theoretical-only findings get suppressed before they reach the PR comment thread.
See The 10-stage pipeline for where reachability validation slots in.
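The call-graph walk described above, as an added example that is not Veriva's own code: a breadth-first search from public entry points to the function a finding cites, demoting unreachable HIGH or CRITICAL findings to Discovery. The graph, function names and finding fields are constructed for illustration, and the exploitability verifier that runs after a successful walk is not modeled.

```python
from collections import deque

# Constructed call graph (caller -> callees); every name here is hypothetical.
CALL_GRAPH = {
    "http:POST /login": ["auth.login"],
    "auth.login": ["db.find_user", "auth.check_password"],
    "queue:resize_image": ["media.resize"],
    "media.resize": ["media.load", "media.resize"],  # self-recursion: walk must not loop
    "tools.migrate_legacy": ["db.raw_query"],        # called by no public entry point
    "db.find_user": ["db.query_safe"],
}
ENTRY_POINTS = ["http:POST /login", "queue:resize_image"]

# Constructed findings; "tier" is the tier assigned before the reachability step.
FINDINGS = [
    {"id": "F1", "severity": "HIGH", "function": "db.raw_query", "tier": "verified"},
    {"id": "F2", "severity": "CRITICAL", "function": "auth.check_password", "tier": "verified"},
    {"id": "F3", "severity": "MEDIUM", "function": "media.load", "tier": "discovery"},
]


def find_path(graph, entry_points, target):
    """BFS from all entry points; return the shortest call path to target, or None."""
    queue = deque([ep] for ep in entry_points)
    seen = set(entry_points)
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for callee in graph.get(path[-1], ()):
            if callee not in seen:  # visited set keeps cycles from looping forever
                seen.add(callee)
                queue.append(path + [callee])
    return None


def apply_reachability(finding, graph=CALL_GRAPH, entry_points=ENTRY_POINTS):
    """Demote HIGH/CRITICAL findings with no entry-point path to Discovery."""
    result = dict(finding, path=None)
    if finding["severity"] not in ("HIGH", "CRITICAL"):
        return result  # the walk only applies to HIGH and CRITICAL findings
    path = find_path(graph, entry_points, finding["function"])
    if path is None:
        result["tier"] = "discovery"
    else:
        result["path"] = path  # evidence handed to the exploitability verifier
    return result


if __name__ == "__main__":
    for f in FINDINGS:
        r = apply_reachability(f)
        print(r["id"], r["tier"], " -> ".join(r["path"]) if r["path"] else "no path")
```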
Calibration learns from your reverts
A 14-day post-merge tracker watches for reverts and incident-linked commits. When a clean B-graded PR ships without issues, the calibration tightens. When an A-graded PR reverts, the model adjusts within 24 hours of the signal. The grade reflects your codebase's risk profile — not the average codebase.
Per-line, per-agent attribution
When Claude Code wrote lines 42-67 and Cursor wrote lines 70-89, Veriva tracks that. Every finding carries its author. Trust score updates are scoped to the agent that produced the change, so a finding from Cursor does not drag down Claude Code's history. This is the moat: AI tools that ship code AND review their own code cannot give you this granularity honestly.
Policy overrides AI
Hard gates beat AI confidence. Path deny rules and agent deny rules in your .veriva/policy.yml override the model verdict — if you do not want a model to be able to merge changes in src/auth/** regardless of grade, that's a single line in the policy file. See Merge policy for the full five-tier breakdown.