Frequently asked questions
Straight answers, receipts linked. If your question isn't here, email hello@dacip.dev — a human reads it.
What it is
How does DACIP work?
It reads both sides of a contract from source — the routes your backend serves and the calls your frontend makes, plus twenty other boundaries (env vars, GraphQL, migrations, feature flags, …) — links them into a contract graph, and reports mismatches. On a pull request it compares the graph across the PR's two commits and reports only what the change broke, with every affected caller at file:line and a runnable repro per finding. There is no language model anywhere in the analysis pipeline.
What does "deterministic" actually mean here?
Same two commits in, byte-identical verdict out — every run, every machine, six months from now. No model, no temperature, no drift. We prove it in public: the proof dashboard re-scans nine major OSS repos nightly at pinned commits, runs every scan twice, and byte-compares the artifacts. If two runs ever differ, the row turns red where everyone can see it.
What languages and frameworks are supported?
Backends: Flask, Flask-RESTX, Django/DRF (nested routers and re_path included), FastAPI (include_router prefix stacking), Flask-AppBuilder, Express. Frontends: React/Next.js fetch and axios calls in TypeScript/JavaScript, plus teachable custom clients via --client. Beyond HTTP, 22 deterministic analyzers cover env vars, GraphQL, Socket.io/Celery/Kafka, Django migrations, feature flags, i18n keys, internal links, compose ports, imports, and schedules — the full list is in What DACIP checks.
What does DACIP deliberately not do?
It won't review style, naming, or architecture — run it under whichever LLM reviewer you already use; they don't overlap. It won't guess: anything static analysis can't resolve is counted and labelled in the verdict, never filled in. And it won't spam: a clean PR gets a silent green check, and there's one comment per PR, edited in place.
Accuracy — the zero-false-positive claim
What does "zero false positives" mean, exactly?
Every asserted defect — the P1/P2 findings that carry a full evidence chain — was hand-verified against source across the nine-repo validation batch, and three were confirmed real by the upstream maintainers themselves (the receipts, including a fix Apache Superset merged the same day it was filed). It does not mean "finds every bug": coverage varies by repo and is reported honestly in every run.
How is that enforced, rather than just claimed?
Promotion gates in the pipeline. A finding is only asserted as a defect when extraction in that area was trustworthy enough to stand behind; everything below that bar ships as a labelled observation. The distinction is code, not editorial judgment. The full story — including how the claim died on first contact with a foreign repo and what fixed it — is in the validation write-up.
What if DACIP asserts something false on my repo?
Then you found a bug in DACIP and we want the report: hello@dacip.dev. The claim is falsifiable on purpose, and disputed findings get corrected in public. That isn't a risk to the brand — it is the brand.
Does it find every contract break?
No, and it tells you so. Dynamic route construction, unsupported frameworks, and custom client wrappers reduce what's comparable — all of it is counted and labelled in the coverage block of every report instead of being guessed at. See Coverage & the honest ceiling.
Security & privacy
Does my code leave my machine?
CLI on a public repo: never — analysis is fully offline. CLI on a private repo (free trial): the only thing sent is your GitHub username and an anonymous, non-reversible repo fingerprint to count trial usage — never source, file names, routes, or findings. Licensed binaries run offline against a local license file. The GitHub App clones shallow per job server-side and wipes the clone when the job ends.
Does any LLM ever see my code?
No — structurally, not just by policy. There is no LLM in the pipeline to send code to, and the trial sign-in uses an empty OAuth scope, so we couldn't read your repos even if we wanted to.
What do you store?
Content-derived finding fingerprints and coverage metadata (enough to keep one PR comment up to date and track finding lifecycle), and for billing, the GitHub usernames of PR authors on gated private repos. Never source. Details: privacy.
Pricing & licensing
What's free?
All public repos, forever, offline, no sign-up. One private repo after dacip login. The GitHub App's free tier gates public repos and one private repo too.
What's a paid "active contributor"?
Anyone whose pull requests DACIP actually gated that month — counted automatically from PR authorship, never self-reported, bots excluded. $15 per active contributor per month, unlimited private repos. Repos aren't the unit of value; people are.
What happens when we hit our seat limit?
Extra PRs are visibly ungated — the check says it didn't run — never silently skipped. You'll never mistake "not analyzed" for "passed."
Do licensed binaries phone home?
Only to renew the license (a 30-day certificate re-fetched by token; a 14-day grace period covers outages). Analysis itself never phones home.
Platforms & practicalities
Which platforms does the CLI support?
macOS arm64 and Linux x86_64 today, as SHA256-verified binaries. Something else? Email hello@dacip.dev and we'll prioritize it.
Why does a public repo sometimes get the "looks like a private repo" prompt?
The free path verifies your checkout's HEAD actually exists in the public remote (an anti-spoof measure). A stale checkout — for example, pinned to an old commit that's no longer any branch tip — fails that check. git pull, or run dacip login once.
My repo has TypeScript but DACIP extracted zero frontend calls. Why?
The TS analyzer needs Node plus a one-time toolchain install: dacip toolchain install-ts. The installers do this automatically; if it's missing, DACIP prints a loud hint rather than silently reporting less. See Troubleshooting.
How is DACIP different from CodeRabbit, Copilot review, or Cursor BugBot?
They're LLM reviewers: broad, probabilistic opinions about a diff. DACIP is a deterministic gate for one class of bug that survives green CI — broken contracts — with a repro per finding and zero overlap with your reviewer. Keep both. Side-by-side: comparison table.
Does it work on GitLab or Bitbucket?
The CLI works anywhere (it only needs a git checkout), and dacip diff emits SARIF for any CI. The native App is GitHub-first today; GitLab/Bitbucket apps come with demand — tell us if that's you.

