QXProveIt Research Report

Your Code Already Knows

The requirements, test cases, security vulnerabilities, and compliance evidence you've been creating by hand have been embedded in your codebase the entire time. Nothing needed to be invented. Something just needed to read it.

📖 11 min read 🔬 Technical analysis 🎯 For CTOs & Engineering Leaders

Consider a function. Any function in your codebase. It accepts certain inputs. It rejects others. It transforms data according to specific rules. It handles errors in defined ways. It calls external services with particular expectations. It returns results in a documented shape.

Every one of those behaviors is a requirement. Every boundary between valid and invalid input is a test case. Every external call is an integration point that needs verification. Every error path is a negative test scenario. Every data transformation that touches user information is a compliance surface.

This information isn't hidden. It's right there: in the function signatures, the type annotations, the conditional branches, the error handlers, the import statements, the database queries. It's expressed in the most precise language humans have ever created: code.

And yet, for the past three decades, the software industry has employed teams of people to look at this code and then manually re-express what it already says: in natural language requirements documents, in hand-written test cases, in spreadsheet-based compliance evidence, in manually assembled traceability matrices.

The question isn't why someone finally built a tool to extract this information automatically. The question is why it took this long.

What Your Code Is Already Telling You

To understand why manual requirements writing and test authoring are fundamentally redundant, you have to look at what code actually contains. Not what it does at runtime, but what it declares about its own behavior at rest.

The Information Embedded in 30 Lines of Code

A routine API endpoint. Nothing unusual. Look at what it already contains.
async def create_invoice(
    customer_id: UUID,
    line_items: List[LineItem],
    due_date: Optional[date] = None,
    currency: str = "USD",
) -> Invoice:
    if not line_items:
        raise ValidationError("Invoice must have at least one line item")
    if currency not in SUPPORTED_CURRENCIES:
        raise ValidationError(f"Unsupported currency: {currency}")

    customer = await get_customer(customer_id)
    if not customer:
        raise NotFoundError("Customer not found")
    if customer.status == "suspended":
        raise BusinessRuleError("Cannot invoice suspended customer")

    total = sum(item.quantity * item.unit_price for item in line_items)
    tax = await calculate_tax(customer.region, total)

    invoice = await db.insert(Invoice(
        customer_id=customer_id,
        line_items=line_items,
        subtotal=total, tax=tax, total=total + tax,
        currency=currency,
        due_date=due_date or default_due_date(),
    ))
    await emit_event("invoice.created", invoice)
    return invoice
📋
7 requirements are embedded here: input types, required fields, currency validation, customer existence check, customer status check, tax calculation, default due date behavior. A human would take 30–60 minutes to write these as formal requirements. The code already states them precisely.
🧪
15–25 test cases are implied: valid creation, empty line items, invalid currency, missing customer, suspended customer, tax calculation by region, default due date, event emission, total calculation accuracy, multi-item totals, zero-quantity items, negative prices, boundary values for each parameter. A human would take 2–4 hours to write these. The code defines them.
🔒
3 security surfaces are visible: customer_id input (injection risk), currency string input (validation boundary), database write operation (authorization check needed). A security review would take 15–30 minutes to identify these. The code structure reveals them.
⚖️
2 compliance touchpoints exist: customer data access (GDPR data processing), financial transaction creation (PCI DSS if payment-linked, SOX if publicly traded). A compliance review would take 20–45 minutes. The code's data flows declare them.
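To make the test-case claim concrete, here is a sketch of how the first few negative tests fall straight out of the guard clauses. The function below is a simplified, synchronous stand-in for create_invoice's validation; the currency set and customer table are invented fixtures for illustration. Note that each guard clause produces exactly one row in the test table: nobody had to author these cases.

```python
# Simplified, synchronous stand-in for create_invoice's guard clauses.
# SUPPORTED_CURRENCIES and CUSTOMERS are invented fixtures for illustration.
SUPPORTED_CURRENCIES = {"USD", "EUR", "GBP"}
CUSTOMERS = {"c1": {"status": "active"}, "c2": {"status": "suspended"}}

class ValidationError(Exception): pass
class NotFoundError(Exception): pass
class BusinessRuleError(Exception): pass

def validate_invoice(customer_id, line_items, currency="USD"):
    if not line_items:
        raise ValidationError("Invoice must have at least one line item")
    if currency not in SUPPORTED_CURRENCIES:
        raise ValidationError(f"Unsupported currency: {currency}")
    customer = CUSTOMERS.get(customer_id)
    if customer is None:
        raise NotFoundError("Customer not found")
    if customer["status"] == "suspended":
        raise BusinessRuleError("Cannot invoice suspended customer")

# One table row per guard clause: the code enumerated these, not a test author.
NEGATIVE_CASES = [
    (dict(customer_id="c1", line_items=[]), ValidationError),                   # empty line items
    (dict(customer_id="c1", line_items=[1], currency="XYZ"), ValidationError),  # bad currency
    (dict(customer_id="missing", line_items=[1]), NotFoundError),               # unknown customer
    (dict(customer_id="c2", line_items=[1]), BusinessRuleError),                # suspended customer
]

for kwargs, expected in NEGATIVE_CASES:
    try:
        validate_invoice(**kwargs)
        raise AssertionError(f"expected {expected.__name__} for {kwargs}")
    except expected:
        pass
```

The remaining implied cases (boundary quantities, multi-item totals, event emission) follow the same derivation pattern.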

Thirty lines of code. Seven requirements. Up to 25 test cases. Three security surfaces. Two compliance touchpoints. All of it already expressed in the code itself, in a language more precise and less ambiguous than any requirements document ever written.

And somewhere, in an office or a home office, a human being is looking at those 30 lines and manually typing out what the code already says: translating it into English, formatting it into templates, entering it into a test management tool, cross-referencing it against a compliance spreadsheet. They're doing translation work. The source material is right in front of them. They're converting it from one precise language to a less precise one, by hand, at a cost of $120–$180 per hour.

The Five Layers of Embedded Knowledge

What a code-reading system can extract goes far beyond individual functions. The codebase, taken as a whole, is a comprehensive declaration of the system's intended behavior, its architectural constraints, its security posture, and its compliance obligations.

What Your Codebase Already Contains

Function Contracts
Input types, output types, validation rules, error conditions, default values. Every function signature is a formal specification of acceptable behavior.
Extractable today
Data Flow Paths
Where data enters the system, how it's transformed, where it's stored, who can access it. Every import, query, and API call maps data movement.
Extractable today
Error Boundaries
Every try/catch, every validation guard, every error type defines what can go wrong and how the system responds. These are the negative test cases, already enumerated.
Extractable today
Dependency Graph
Which services call which other services. Which modules depend on shared libraries. Which functions touch the database. The blast radius of any change is calculable from the code.
Extractable today
Compliance Surface
PII fields, encryption usage, authentication checks, audit log entries, data retention patterns. Compliance obligations are expressed in code patterns, not in policy documents.
Extractable today

Every layer in that table has been extractable for years. The parsing technology exists. Abstract syntax trees have been a solved problem since the 1970s. Type analysis, data flow analysis, dependency graphing: these are undergraduate computer science concepts. The building blocks were never the bottleneck.
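The point can be shown with nothing but the standard library: Python's ast module reads a function's contract (parameter annotations, defaults, declared error conditions) directly from source. The snippet below parses a trimmed-down copy of the endpoint above; it is a sketch of the extraction step, not any product's actual pipeline.

```python
import ast

# A trimmed-down copy of the endpoint, parsed from a string for the demo.
SOURCE = '''
async def create_invoice(customer_id: UUID, line_items: List[LineItem],
                         due_date: Optional[date] = None,
                         currency: str = "USD") -> Invoice:
    if not line_items:
        raise ValidationError("Invoice must have at least one line item")
    if currency not in SUPPORTED_CURRENCIES:
        raise ValidationError(f"Unsupported currency: {currency}")
'''

fn = ast.parse(SOURCE).body[0]  # the AsyncFunctionDef node

# Input contract: parameter names mapped to their type annotations.
params = {a.arg: ast.unparse(a.annotation) for a in fn.args.args if a.annotation}

# Declared error conditions: every raised exception type (the negative requirements).
raises = [ast.unparse(n.exc.func) for n in ast.walk(fn)
          if isinstance(n, ast.Raise) and isinstance(n.exc, ast.Call)]

# params -> {'customer_id': 'UUID', 'line_items': 'List[LineItem]',
#            'due_date': 'Optional[date]', 'currency': 'str'}
# raises -> ['ValidationError', 'ValidationError']
```

From those two dictionaries alone, a "shall accept / shall reject" requirement skeleton is a straightforward rendering step.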

What was missing was the synthesis layer: the ability to take the structured information extracted from code and combine it with the contextual understanding needed to generate useful artifacts: requirements documents that read like a human wrote them, test cases that follow ISTQB standards, security findings that map to CVE databases, compliance evidence that matches auditor expectations.

That synthesis layer is what large language models made possible. Not the extraction, but the expression.

The Redundancy Nobody Questioned

Step back and look at what most engineering organizations do today. The developer writes code that precisely defines system behavior. Then a separate person (or often the same person wearing a different hat) reads that code and manually produces a series of documents that restate what the code already says.

What humans manually create ← What the code already declares

Requirements Document: "The system shall accept a customer ID (UUID format) and a list of one or more line items..."
← Function signature + types: customer_id: UUID, line_items: List[LineItem], currency: str = "USD" → Invoice

Test Case: "Given an empty line items list, when create_invoice is called, then a ValidationError should be raised..."
← Validation guard: if not line_items: raise ValidationError("Invoice must have at least one line item")

Security Review: "The customer_id parameter should be validated as a UUID to prevent injection. Currency input should be restricted to an allowlist..."
← Input boundaries + DB write: UUID type constraint, currency ∈ SUPPORTED_CURRENCIES, await db.insert(...)

Compliance Evidence: "Customer data is accessed via get_customer(). Data processing is limited to invoice creation context. GDPR basis: contractual necessity..."
← Data flow path: get_customer(customer_id) → customer.region → calculate_tax() → db.insert(Invoice(...))

Traceability Matrix: "REQ-047 → TC-112, TC-113, TC-114. REQ-048 → TC-115. Coverage: 78%..."
← Call graph + assertion map: create_invoice → get_customer, calculate_tax, db.insert, emit_event. Each path = traceable requirement.

Every arrow marks a derivation: each document on the left is a human-mediated transcription of information that already exists on the right. The code is the source of truth. The documents are copies: imperfect, often outdated, and extraordinarily expensive to produce and maintain.
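The last pairing, call graph as traceability, is also computable rather than maintained. Here is a minimal sketch using only the stdlib ast module over a trimmed-down copy of the endpoint; real tooling would of course resolve imports and cross-file references.

```python
import ast

# Trimmed-down copy of the endpoint, parsed from a string for the demo.
SOURCE = '''
async def create_invoice(customer_id, line_items):
    customer = await get_customer(customer_id)
    tax = await calculate_tax(customer.region, 100)
    invoice = await db.insert(line_items)
    await emit_event("invoice.created", invoice)
'''

def call_graph(source: str) -> dict:
    """Map each function defined in `source` to the callees it invokes."""
    edges = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            edges[node.name] = sorted({ast.unparse(c.func)
                                       for c in ast.walk(node)
                                       if isinstance(c, ast.Call)})
    return edges

# call_graph(SOURCE)["create_invoice"] ->
# ['calculate_tax', 'db.insert', 'emit_event', 'get_customer']
```

Each caller-to-callee edge is a traceability link that can be recomputed on every commit instead of hand-edited in a spreadsheet.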

$1.2M–$2.4M
Annual cost of manually transcribing what code already declares, for a 50-engineer organization
Requirements writing + test authoring + security review + compliance evidence + traceability maintenance

The dollar figure is striking, but the real waste is more subtle. It's not just that the work is expensive; it's that the work is inherently lossy. Every translation from code to English introduces imprecision. The code says currency not in SUPPORTED_CURRENCIES. The requirements document says "the system shall validate that the provided currency is supported." A tester reading that requirement might test with one invalid currency. The code implies testing with every value outside the set. The precision was there. The translation lost it.

Why It Took This Long

If the information was always in the code, why did the industry spend 30 years manually extracting it? The answer isn't that nobody noticed. It's that two technological gaps had to close simultaneously.

The Two Gaps That Had to Close

1970s–90s
Parsing existed, but languages were too diverse. Compilers could parse code into ASTs, but every language needed its own parser. Building a multi-language analysis tool meant building dozens of parsers from scratch: a years-long effort with constant maintenance.
2018
Tree-sitter solved multi-language parsing. A single parsing framework that could handle dozens of languages with consistent output. For the first time, you could build a tool that read Python, Rust, Java, TypeScript, and C++ with one codebase. The extraction gap closed.
2020–23
Large language models solved the synthesis gap. Extracted code structure could now be combined with contextual understanding to produce human-quality requirements, ISTQB-compliant test cases, CVE-mapped security findings, and framework-specific compliance evidence. The expression gap closed.
Now
Both gaps are closed. The information was always there. Code parsing extracts the structural knowledge. AI synthesizes it into the artifacts the organization needs. The manual transcription layer, the one that costs millions and produces imperfect copies, is no longer necessary.

This is why the answer to "why didn't this exist before?" is straightforward: it required the convergence of precise code parsing across all major languages and the ability to synthesize structured data into contextually appropriate documents. Neither technology alone was sufficient. Together, they make the manual transcription workflow obsolete.

"When someone showed me a requirements document generated directly from our codebase, one I would have assigned an analyst to write over two weeks, my first thought wasn't 'this is impressive.' It was 'why have we been doing this by hand?' The information was in the code. We were paying people to copy it into Word documents."

— VP Engineering, Enterprise Software Company

What Changes When You Stop Transcribing

When the manual transcription layer is removed, when requirements, test cases, security findings, and compliance evidence are generated directly from the code that already contains them, the effects propagate through the entire engineering organization.

Documents are never out of date. The requirements document can't drift from the code because it's generated from the code. When the code changes, the documents regenerate. The traceability matrix is always current because it's computed, not maintained.

Precision increases. The machine reads every branch, every guard clause, every error path. It doesn't summarize or paraphrase. It doesn't skip the edge case because it seems unlikely. The generated artifacts reflect the code as it is, not as someone remembers it being.

Coverage becomes comprehensive. A human analyst reads code selectively, focusing on the parts they think matter most. A parser reads all of it. Every function gets requirements. Every branch gets test cases. Every data flow gets compliance analysis. The coverage isn't heroic; it's systematic.
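"Every branch gets test cases" can itself be made mechanical: walk the AST and emit one test obligation per conditional guard. The sketch below is a toy; the guard function and its names are invented for illustration.

```python
import ast

# Invented example function: three guards, so three branch obligations.
SOURCE = '''
def guard(line_items, currency, customer):
    if not line_items:
        raise ValidationError("empty")
    if currency not in SUPPORTED_CURRENCIES:
        raise ValidationError("currency")
    if customer is None:
        raise NotFoundError("missing")
'''

# One obligation per `if`: the condition's own text names the case to cover.
obligations = [f"cover branch: {ast.unparse(n.test)}"
               for n in ast.walk(ast.parse(SOURCE)) if isinstance(n, ast.If)]

# obligations ->
# ['cover branch: not line_items',
#  'cover branch: currency not in SUPPORTED_CURRENCIES',
#  'cover branch: customer is None']
```

Because the obligations are enumerated exhaustively from the tree, no guard is skipped for seeming unlikely.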

The source of truth is singular. There's no longer a question of whether the requirements document matches the code, or whether the test cases reflect the current implementation, or whether the compliance evidence is stale. The code is the single source. Everything else is a derived view.

The Realization

Requirements Generation: 2–3 weeks → Minutes
Source of Artifacts: Manual transcription → Direct extraction
Document Accuracy: Stale on arrival → Always current
Information Fidelity: Lossy translation → Precise derivation

The Bottom Line

Your code has always contained its own requirements, its own test specifications, its own security surfaces, and its own compliance obligations. This was never a secret. It was an observation waiting for the right tools to act on it.

The manual processes that grew up around quality assurance (the requirements analysts, the test authors, the compliance evidence gatherers) were never creating information. They were transcribing it. Translating it from the precise language of code into the imprecise language of documents, at enormous cost, with unavoidable information loss, and at a pace that guaranteed the documents were outdated before they were finished.

The technology to stop doing this now exists. Not as a prototype. Not as a research project. As operational tooling that reads your code, extracts the knowledge embedded in it, and produces the artifacts your organization needs, with more precision, more coverage, and more consistency than any human transcription process can achieve.

The information was always there. The question is how much longer you want to pay people to copy it by hand.

Let Your Code Speak for Itself.

QXProveIt uses code-level parsing across 20 languages to extract requirements, generate test cases, scan for vulnerabilities, and verify compliance, directly from what your code already declares. No manual transcription. No information loss.
