CHANGE RISK

Know which changes will break things before you merge.

A 0 to 10 defect-risk score for any commit or base..head range, computed from the shape of the diff with Kamei-style just-in-time metrics. Deterministic, no LLM, surfaced right where review happens.

0-10
defect-risk score per commit or PR
0 LLM
deterministic, same diff scores the same every time
JIT
Kamei-style just-in-time defect metrics
Free
for public and open-source repos, Pro for private
THE PROBLEM

Every reviewer is guessing which pull requests are dangerous. The risky ones look the same as the safe ones until something breaks in production.

A diff does not tell you what it might break, what usually changes alongside it, or whether the tests went missing. repowise reads the shape of the change and the dependency graph and turns that into a single risk score with a checklist of exactly what to look at, deterministically, right where review happens.

WHAT IT DOES

A risk score, and the checklist behind it.

Deterministic, computed from the diff and the graph, and surfaced where review already happens.

DIFF-SHAPE SCORING

Score the change, not just the file

Kamei-style just-in-time metrics score the change itself rather than a static snapshot. Size, entropy, how scattered the edits are, and the history of the files involved fold into one repo-relative review-priority band, so a high score means the same thing everywhere.

  • Change size, entropy, and scattered-edit dispersion
  • History of the files being touched, including prior defects
  • One repo-relative 0 to 10 review-priority band
  • Same diff scores the same every time, zero LLM
PR DIRECTIVES

Tell reviewers exactly what to check

In PR mode the score comes with a directive block, so a review is a checklist instead of a guess. Each directive points at a concrete thing to verify before the merge button.

  • will_break: dependents the change is likely to affect
  • missing_cochanges: files that usually move together but did not
  • missing_tests: risky code with no accompanying test changes
  • governance_risk: edits to decision-governed or ungoverned hotspots
BLAST RADIUS

Every dependent, and the right reviewers

Risk is not just the lines you changed, it is everything downstream of them. repowise computes the blast radius from the real dependency graph, then uses that same graph to suggest who should review.

  • Blast radius: every dependent of the change, from the graph
  • Reviewer suggestions derived from the blast-radius file list
  • Co-change partners surfaced as hidden coupling
  • Available over MCP via get_risk in PR mode
THE PR BOT

The same signal, on every pull request

The same deterministic score powers the Repowise PR Bot. It posts one comment per pull request, and only when there is something worth saying. A green PR gets no comment.

  • One deterministic comment per pull request
  • Silence rule: a green PR gets no comment
  • Zero LLM calls, so the same PR twice gives the same comment
  • Free for public and OSS repos, Pro for private repos
HOW IT WORKS

From a diff to a review checklist.

01

Read the diff

repowise takes any commit or base..head range and reads the shape of the change against the dependency graph. No code is sent anywhere.

02

Score

Kamei-style just-in-time metrics fold size, entropy, scatter, and history into one deterministic 0 to 10 band, no LLM.

03

Direct

In PR mode it returns directives: will_break, missing_cochanges, missing_tests, and governance_risk, plus the blast radius and reviewers.

04

Comment

The Repowise PR Bot posts a single deterministic comment, only when there is something worth saying.

WHERE IT SHOWS UP

One signal, everywhere review happens.

On every PR

The Repowise PR Bot comments with the risk score and directives, deterministically, with zero LLM calls.

In your AI agent

get_risk in PR mode returns the score, the directive block, dependents, and reviewers over MCP.

On a single commit

Score any commit or base..head range from the CLI, before you ever open a pull request.

Blast radius view

Every dependent of a change, traced through the real dependency graph, not guessed.

Reviewer routing

The right reviewers suggested from the blast-radius file list, so the PR lands on the right desk.

For leaders

A deterministic, auditable risk signal tied to ownership, decisions, and the defect-validated health score.

WHY REPOWISE

LLM review bots are non-deterministic, noisy, billed per pull request, and carry a prompt-injection surface, because the diff and PR text they read is written by whoever opened the PR. repowise scores risk deterministically from the diff and the dependency graph, so the same change always gets the same score, and the bot only speaks when there is something worth saying.

FREQUENTLY ASKED

Questions, answered

How is change risk scored?

Every commit or base..head range gets a single 0 to 10 defect-risk score computed from the shape of the diff using Kamei-style just-in-time metrics: the size of the change, its entropy, how scattered the edits are across files, and the history of the files being touched. The result is a repo-relative review-priority band: the raw metrics are ranked against that repository's own change history, so a 7 carries the same review priority whichever codebase produced it.
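The metric family named in the scoring section above and in this answer (size, entropy, scatter, file history, folded into a repo-relative band), worked through on a constructed diff. This is an added example, not repowise's code, and it does not reproduce repowise's formula: the weights, the baseline distribution used to make the band repo-relative, and the per-file history are all assumptions, and the diff is constructed.

```python
"""Illustrative Kamei-style just-in-time (JIT) change metrics over a unified diff.

Added example; not repowise's own code or scoring formula. The diff, the
per-file history and the baseline distribution below are constructed.
"""
import math
from pathlib import PurePosixPath

# Constructed unified diff touching two subsystems (src, docs) and three files.
SAMPLE_DIFF = """\
diff --git a/src/auth/session.py b/src/auth/session.py
--- a/src/auth/session.py
+++ b/src/auth/session.py
@@ -10,3 +10,5 @@
 def validate(token):
-    return token in STORE
+    if token is None:
+        return False
+    return STORE.get(token) is not None
 def revoke(token):
diff --git a/src/api/handlers.py b/src/api/handlers.py
--- a/src/api/handlers.py
+++ b/src/api/handlers.py
@@ -1,3 +1,4 @@
+from auth.session import validate
 import json
 def handle(req):
-    return json.dumps(req)
+    return json.dumps(req) if validate(req.token) else None
diff --git a/docs/README.md b/docs/README.md
--- a/docs/README.md
+++ b/docs/README.md
@@ -1 +1,2 @@
 # Service
+Tokens are validated on every request.
"""

# Constructed per-file history: prior authors and prior defect-fixing commits.
FILE_HISTORY = {
    "src/auth/session.py": {"authors": {"ana", "bo", "cy"}, "defect_fixes": 4},
    "src/api/handlers.py": {"authors": {"bo"}, "defect_fixes": 1},
    "docs/README.md": {"authors": {"ana", "bo"}, "defect_fixes": 0},
}

# Constructed raw scores of this repo's past changes; the band is a rank against these.
BASELINE = [1.2, 1.8, 2.1, 2.5, 2.9, 3.2, 3.4, 3.9, 4.1, 4.4,
            4.8, 5.0, 5.3, 5.7, 6.1, 6.4, 6.9, 7.5, 8.2, 9.0]


def parse_diff(text):
    """Return {path: (added, deleted)} per file from a unified diff."""
    per_file, path = {}, None
    for line in text.splitlines():
        if line.startswith("diff --git "):
            path = line.split(" b/", 1)[1]
            per_file[path] = [0, 0]
        elif line.startswith(("+++ ", "--- ")):
            continue  # file headers, not edited lines
        elif path and line.startswith("+"):
            per_file[path][0] += 1
        elif path and line.startswith("-"):
            per_file[path][1] += 1
    return {p: tuple(v) for p, v in per_file.items()}


def change_entropy(per_file):
    """Kamei's change entropy: how evenly edited lines spread over files, normalized to [0, 1]."""
    counts = [a + d for a, d in per_file.values()]
    total = sum(counts)
    if total == 0 or len(counts) < 2:
        return 0.0
    h = -sum((c / total) * math.log2(c / total) for c in counts if c)
    return h / math.log2(len(counts))


def jit_metrics(per_file, history):
    """Size (LA/LD), diffusion (NS/ND/NF), entropy and file-history metrics."""
    files = list(per_file)
    return {
        "NS": len({p.split("/", 1)[0] for p in files}),           # top-level subsystems
        "ND": len({str(PurePosixPath(p).parent) for p in files}),  # directories
        "NF": len(files),
        "Entropy": change_entropy(per_file),
        "LA": sum(a for a, _ in per_file.values()),
        "LD": sum(d for _, d in per_file.values()),
        "NDEV": len(set().union(*(history.get(p, {}).get("authors", set()) for p in files))),
        "PriorDefects": sum(history.get(p, {}).get("defect_fixes", 0) for p in files),
    }


def raw_risk(m):
    """Assumed illustrative weighting; Kamei et al. learned weights by regression."""
    return (1.0 * math.log2(1 + m["LA"] + m["LD"]) + 0.5 * math.log2(1 + m["NF"])
            + 1.0 * m["Entropy"] + 0.4 * math.log2(1 + m["NDEV"])
            + 0.6 * math.log2(1 + m["PriorDefects"]))


def repo_relative_band(raw, baseline):
    """0-10 band = decile of this change's raw score within the repo's own history."""
    if not baseline:
        raise ValueError("need a baseline of past changes to rank against")
    below = sum(1 for b in baseline if b < raw)
    return min(10, int(10 * below / len(baseline)))


def score_change(diff_text, history=FILE_HISTORY, baseline=BASELINE):
    per_file = parse_diff(diff_text)
    m = jit_metrics(per_file, history)
    raw = raw_risk(m)
    return {"metrics": m, "raw": raw, "band": repo_relative_band(raw, baseline)}


if __name__ == "__main__":
    print(score_change(SAMPLE_DIFF))
```

The same diff always yields the same metrics and band, which is the property the page leans on; the only tunable parts are the weights and the baseline, and both are data, not a model.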

Does it use an LLM?

No. Scoring is fully deterministic. It is computed from the diff and the dependency graph with Kamei-style just-in-time metrics, no model in the loop. The same diff produces the same score every time, with no drift, no token bills, and no prompt-injection surface.

What are the PR directives?

In PR mode the score comes with a directive block that tells reviewers exactly what to check: will_break flags dependents that the change is likely to affect, missing_cochanges flags files that usually change together but were left out, missing_tests flags risky code with no accompanying test changes, and governance_risk flags edits to files governed by an architectural decision or to ungoverned hotspots.

How does change risk relate to the Repowise PR Bot?

The same deterministic signal powers the Repowise PR Bot. The bot posts one comment per pull request, only when there is something worth saying. A green PR gets no comment. There are zero LLM calls in the path, so the same PR twice produces the exact same comment.

Is it free?

Yes for public and open-source repositories. The Repowise PR Bot is a free GitHub App for public repos, and the change-risk scoring ships in the open-source repowise package under AGPL-3.0. Private-repo PR comments require Repowise Pro.

What is blast radius?

Blast radius is the full set of dependents of a change: every file, module, and symbol that could be affected by what you touched, derived from the real dependency graph rather than guessed. repowise uses the same graph to suggest the right reviewers for the change.
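How the directive block and the blast radius described in the two answers above (and in the PR DIRECTIVES and BLAST RADIUS sections) can be derived from a dependency graph and co-change history, as an added example. It is not repowise's code: the import graph, the commit history, the ownership map, the governed-file list, the 60% co-change threshold and the "direct dependents" reading of will_break are all assumptions made for the example.

```python
"""Illustrative PR directives from a reverse-dependency graph and co-change history.

Added example; not repowise's own code. Every data structure below is constructed.
"""
from collections import Counter, deque

# Constructed import graph: module -> modules it imports.
IMPORTS = {
    "src/api/handlers.py": {"src/auth/session.py", "src/util/json.py"},
    "src/api/admin.py": {"src/auth/session.py", "src/auth/roles.py"},
    "src/cli/main.py": {"src/api/handlers.py"},
    "src/cli/repl.py": {"src/cli/main.py"},
    "tests/test_session.py": {"src/auth/session.py"},
    "tests/test_handlers.py": {"src/api/handlers.py"},
}
# Constructed commit history: the set of files each past commit touched.
HISTORY = [
    {"src/auth/session.py", "src/auth/roles.py"},
    {"src/auth/session.py", "src/auth/roles.py", "tests/test_session.py"},
    {"src/auth/session.py", "src/auth/roles.py"},
    {"src/auth/session.py", "docs/README.md"},
    {"src/api/handlers.py", "tests/test_handlers.py"},
]
OWNERS = {"src/auth/": {"ana"}, "src/api/": {"bo"}, "src/cli/": {"cy"}, "tests/": {"bo"}}
GOVERNED = {"src/auth/session.py": "ADR-007 session validation"}  # constructed decision id
TEST_PREFIX = "tests/"

# Constructed PR: two source files changed, one test updated.
CHANGED = {"src/auth/session.py", "src/api/handlers.py", "tests/test_session.py"}


def reverse_graph(imports):
    """module -> modules that import it."""
    rev = {}
    for src, deps in imports.items():
        for d in deps:
            rev.setdefault(d, set()).add(src)
    return rev


def blast_radius(changed, rev):
    """Every transitive dependent of the changed files (BFS over the reverse graph)."""
    seen, queue = set(), deque(changed)
    while queue:
        for dep in rev.get(queue.popleft(), ()):
            if dep not in seen and dep not in changed:
                seen.add(dep)
                queue.append(dep)
    return seen


def missing_cochanges(changed, history, min_ratio=0.6):
    """Files that moved with a changed file in >= min_ratio of its past commits but not now."""
    out = {}
    for f in sorted(changed):
        commits = [c for c in history if f in c]
        if not commits:
            continue
        partners = Counter(p for c in commits for p in c if p != f)
        left_out = sorted(p for p, n in partners.items()
                          if p not in changed and n / len(commits) >= min_ratio)
        if left_out:
            out[f] = left_out
    return out


def missing_tests(changed, rev):
    """Changed non-test files whose test dependents (per the graph) were not touched."""
    return sorted(f for f in changed if not f.startswith(TEST_PREFIX)
                  and not any(d.startswith(TEST_PREFIX) and d in changed for d in rev.get(f, ())))


def owners_of(path, owners):
    best = max((p for p in owners if path.startswith(p)), key=len, default=None)
    return owners.get(best, set())


def directives(changed=CHANGED, imports=IMPORTS, history=HISTORY, owners=OWNERS, governed=GOVERNED):
    rev = reverse_graph(imports)
    radius = blast_radius(changed, rev)
    # Assumption for this example: will_break = direct importers of the changed files.
    will_break = sorted({d for f in changed for d in rev.get(f, ())} - changed)
    votes = Counter(o for f in radius for o in owners_of(f, owners))
    return {
        "blast_radius": sorted(radius),
        "will_break": will_break,
        "missing_cochanges": missing_cochanges(changed, history),
        "missing_tests": missing_tests(changed, rev),
        "governance_risk": {f: governed[f] for f in sorted(changed) if f in governed},
        "reviewers": [o for o, _ in sorted(votes.items(), key=lambda kv: (-kv[1], kv[0]))],
    }


if __name__ == "__main__":
    for k, v in directives().items():
        print(f"{k}: {v}")
```

Each directive is a pure function of the graph and the history, so the block is reproducible for a given PR and contains nothing the PR author can steer by writing text into the diff or description.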

Can I run it on a commit, not just a PR?

Yes. Change risk scores any commit or any base..head range, not only pull requests. Run it locally over MCP or the CLI on a single commit, on a feature branch before you open a PR, or on a range to triage what changed since a release.

How is this different from an LLM review bot?

LLM review bots are non-deterministic, noisy, billed per pull request, and carry a prompt-injection surface. repowise scores risk deterministically from the diff and the dependency graph, returns the same score for the same change every time, and only speaks when the signal warrants it.

Catch the risky PRs before they merge.