Know which PRs to worry about before you merge.
AI is shipping more pull requests than your team can carefully review. repowise flags the risky changes deterministically, on every PR, with no LLM in the loop. A green pull request gets no comment.
AI-generated PRs are flooding review. You cannot tell which ones are safe and which will quietly break production, and noisy LLM review bots have trained everyone to ignore the comments.
Your agents open more pull requests than any human can read line by line. The risky ones look exactly like the trivial ones in the list. Meanwhile the review bots that promise to help fire on every PR, contradict themselves run to run, and bill you per pull request, so the team learns to scroll past them. repowise scores risk the same way every time and stays silent unless there is something worth saying.
A risk read on every PR, not another bot to mute.
repowise turns your dependency graph and git history into a deterministic risk signal, then puts it where review happens: on the pull request, scored the same way every time.
A 0 to 10 risk score from the shape of the diff
Change-risk scoring reads the just-in-time signal in the change itself: how many files and subsystems it spans, the churn and complexity of where it lands, whether those files are hotspots, and whether co-change partners and tests came along. It returns one number with named drivers, using Kamei-style metrics and no LLM, so the same commit or pull request always scores the same.
- Score any commit or any base..head range, pre-merge or just-in-time
- Hotspots defined as the top 25% of both churn and complexity
- Named drivers, so the score is explainable, not a black box
- Fully deterministic: no model, no drift, no token bills
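The scoring described above, reduced to a runnable sketch. This is an added example and not repowise's own scoring code: the weights, the rank-based top-25% hotspot cut, the subsystem-equals-top-directory rule, the test-file heuristic and the sample file statistics (FILE_STATS, PARTNERS) are all constructed assumptions. What it does keep from the text is the shape: Kamei-style diffusion counts (files and subsystems touched), hotspot hits, co-change partners and tests that did not come along, one 0 to 10 number, and named drivers with no model anywhere in the path.

```python
"""Illustrative Kamei-style just-in-time change-risk score with named drivers.

Added example, not repowise's code. Weights, thresholds and sample data are
assumptions chosen for illustration; the scoring is fully deterministic.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class FileStats:
    path: str
    churn: int        # lines added + deleted over the history window (constructed)
    complexity: int   # e.g. summed cyclomatic complexity (constructed)


# Constructed repository statistics for eight files.
FILE_STATS = [
    FileStats("core/auth.py", churn=400, complexity=60),
    FileStats("core/session.py", churn=350, complexity=45),
    FileStats("core/util.py", churn=50, complexity=10),
    FileStats("api/routes.py", churn=300, complexity=30),
    FileStats("api/schema.py", churn=80, complexity=55),
    FileStats("cli/main.py", churn=20, complexity=12),
    FileStats("docs/gen.py", churn=10, complexity=5),
    FileStats("tests/test_auth.py", churn=200, complexity=8),
]

# Constructed co-change partners (in practice mined from git history).
PARTNERS = {
    "core/auth.py": {"core/session.py"},
    "core/session.py": {"core/auth.py"},
}


def top_quartile(values):
    """Rank-based cut: a value >= the returned threshold is in the top 25%."""
    ranked = sorted(values, reverse=True)
    return ranked[max(0, math.ceil(len(ranked) * 0.25) - 1)]


def hotspots(stats):
    """Files in the top 25% of BOTH churn and complexity (the page's definition)."""
    if not stats:
        return set()
    churn_cut = top_quartile([s.churn for s in stats])
    cx_cut = top_quartile([s.complexity for s in stats])
    return {s.path for s in stats if s.churn >= churn_cut and s.complexity >= cx_cut}


def subsystem(path):
    """Assumption: the top-level directory is the subsystem (Kamei's NS)."""
    return path.split("/", 1)[0] if "/" in path else "."


def is_test(path):
    """Heuristic test-file detector (assumption, not a project rule)."""
    parts = path.lower().split("/")
    return any(p in ("test", "tests") or p.startswith("test_") or "_test." in p or ".test." in p
               for p in parts)


def change_risk(changed, stats, known_partners):
    """Score one diff 0-10 and return (score, {driver: contribution})."""
    changed = list(changed)
    hot = hotspots(stats)
    src = [p for p in changed if not is_test(p)]
    drivers = {}

    # Diffusion: how many source files (NF) and subsystems (NS) the change spans.
    nf, ns = len(src), len({subsystem(p) for p in src})
    if nf > 5:
        drivers["many_files"] = min(3.0, 0.5 * (nf - 5))
    if ns > 1:
        drivers["spans_subsystems"] = 1.0 * (ns - 1)

    # Where it lands: every hotspot touched adds weight.
    hot_hits = sorted(p for p in src if p in hot)
    if hot_hits:
        drivers["touches_hotspot"] = 2.0 * len(hot_hits)

    # Co-change partners that historically move with these files but are absent.
    missing = sorted({q for p in src for q in known_partners.get(p, ()) if q not in changed})
    if missing:
        drivers["missing_cochanges"] = 1.5 * len(missing)

    # A hotspot change that brought no test along at all.
    if hot_hits and not any(is_test(p) for p in changed):
        drivers["missing_tests"] = 1.5

    score = min(10.0, round(float(sum(drivers.values())), 1))
    return score, dict(sorted(drivers.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for pr in (["core/auth.py", "api/routes.py"],
               ["core/auth.py", "core/session.py", "tests/test_auth.py"],
               ["docs/gen.py"]):
        print(pr, change_risk(pr, FILE_STATS, PARTNERS))
```

Run twice on the same inputs and the output is byte-identical, which is the property the page is selling: the score is a function of the diff and the repo statistics, so a green change (the docs-only PR above) scores 0.0 with an empty driver list and would get no comment.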
One comment per pull request, only when it matters
The Repowise PR Bot posts a single deterministic comment per pull request, and only when there is something worth saying. A green PR gets no comment, period. It flags hotspots, hidden coupling, declining health, and dead code. It makes zero LLM calls, so the same pull request twice yields the exact same comment, with no drift, no hallucinations, and no prompt-injection surface. Free for open source and public repos, Repowise Pro for private repos.
- The silence rule: a green pull request gets no comment
- Zero LLM calls: pure tree-sitter, dependency graph, and biomarker scorer
- Same PR twice gives the exact same comment
- Free on public repos, Pro for private-repo comments
Who a change touches, and who should review it
Every change has a blast radius: the dependents downstream of it in the two-tier graph of files and symbols. repowise surfaces that radius plus the owners of the affected code, so the right reviewers are pulled in instead of whoever is free. In PR mode get_risk returns directive flags so a reviewer knows immediately what to check.
- Dependents surfaced from the graph, not guessed
- Reviewer suggestions from real ownership history
- PR-mode directives: will_break, missing_cochanges, missing_tests
- Bus-factor and key-person risk surfaced before someone leaves
Coupling your imports never show
Two files that always change together but share no import are coupled, and static analysis cannot see it. repowise mines co-change pairs from git history and flags them, so a reviewer knows that editing one file usually means the other needs to change too. This is the omission that quietly ships bugs, caught before merge.
- Co-change pairs mined from your real git history
- Hidden coupling means co-change without an import link
- Flagged on the PR so the missing edit is caught in review
- Behavioral signal static analysis structurally cannot produce
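Blast radius and hidden coupling, as one added example covering both this section and the "Who a change touches" section above. It is not repowise's code: the file-level import graph (IMPORTS), the commit history (HISTORY), and the support and confidence thresholds for a co-change rule are constructed assumptions, and only the file tier of the two-tier graph is modelled. It shows the three pieces a reviewer would want: transitive dependents of a diff (the will_break set), co-change partners mined from history that the diff left out (missing_cochanges), and the pairs that co-change without any import edge, which an import-based analysis structurally cannot see.

```python
"""Blast radius, co-change mining and hidden coupling on a file-level graph.

Added example, not repowise's code. Graph, history and thresholds are
constructed for illustration.
"""
from collections import Counter, defaultdict, deque
from itertools import combinations

# Constructed import edges: importer -> files it imports.
IMPORTS = {
    "api/routes.py": {"core/auth.py", "core/session.py", "api/schema.py"},
    "cli/main.py": {"core/auth.py"},
    "core/session.py": {"core/util.py"},
    "core/auth.py": {"core/util.py"},
    "tests/test_auth.py": {"core/auth.py"},
}

# Constructed commit history: the set of files each commit touched.
HISTORY = [
    {"core/auth.py", "core/session.py", "tests/test_auth.py"},
    {"core/auth.py", "core/session.py"},
    {"core/auth.py", "core/session.py", "docs/gen.py"},
    {"core/auth.py", "tests/test_auth.py"},
    {"api/routes.py", "api/schema.py"},
    {"api/routes.py", "api/schema.py"},
    {"api/routes.py"},
    {"core/util.py"},
    {"api/schema.py", "core/auth.py"},
]


def reverse_edges(imports):
    """imported file -> set of files that import it."""
    rev = defaultdict(set)
    for importer, deps in imports.items():
        for dep in deps:
            rev[dep].add(importer)
    return rev


def blast_radius(changed, imports):
    """Everything transitively downstream of the changed files (file tier only)."""
    changed = set(changed)
    rev = reverse_edges(imports)
    seen, queue = set(), deque(changed)
    while queue:
        f = queue.popleft()
        for importer in rev.get(f, ()):
            if importer not in seen and importer not in changed:
                seen.add(importer)
                queue.append(importer)
    return seen


def cochange_partners(history, min_support=2, min_confidence=0.5):
    """Directed rules a -> {b: confidence}: when a changes, b usually changes too.

    support(a,b) = commits touching both; confidence(a->b) = support(a,b)/support(a).
    Thresholds are assumptions.
    """
    support, pair_support = Counter(), Counter()
    for commit in history:
        support.update(commit)
        pair_support.update(frozenset(p) for p in combinations(sorted(commit), 2))
    partners = defaultdict(dict)
    for pair, n in pair_support.items():
        if n < min_support:
            continue
        a, b = tuple(pair)
        for x, y in ((a, b), (b, a)):
            conf = n / support[x]
            if conf >= min_confidence:
                partners[x][y] = round(conf, 2)
    return dict(partners)


def has_import_edge(a, b, imports):
    return b in imports.get(a, ()) or a in imports.get(b, ())


def hidden_coupling(history, imports, **thresholds):
    """Co-change pairs with no import edge in either direction."""
    partners = cochange_partners(history, **thresholds)
    return {frozenset((a, b)) for a, bs in partners.items() for b in bs
            if not has_import_edge(a, b, imports)}


def pr_directives(changed, imports, history):
    """PR-mode flags: dependents the diff may break, partners it left out."""
    changed = set(changed)
    partners = cochange_partners(history)
    return {
        "will_break": sorted(blast_radius(changed, imports)),
        "missing_cochanges": sorted({b for a in changed
                                     for b in partners.get(a, {}) if b not in changed}),
    }


if __name__ == "__main__":
    print("hidden coupling:", [sorted(p) for p in hidden_coupling(HISTORY, IMPORTS)])
    print("auth only:", pr_directives(["core/auth.py"], IMPORTS, HISTORY))
    print("auth + session:", pr_directives(["core/auth.py", "core/session.py"], IMPORTS, HISTORY))
```

In the constructed history core/auth.py and core/session.py moved together in three of auth's five commits yet neither imports the other, so they surface as hidden coupling; a PR that edits only core/auth.py is told both which importers it can break and that core/session.py is the edit it is probably missing, and the flag disappears once the partner is included.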
From install to your first flagged PR in four steps.
Install
Add the Repowise PR Bot to your GitHub org or repo. Free for public repos, Repowise Pro for private.
Index
repowise builds the dependency graph, git history, and code-health layers from your repo, with zero LLM calls in scoring.
Open a PR
On every pull request the bot scores change risk and checks blast radius, hidden coupling, and declining health.
Review what matters
Risky PRs get one deterministic comment with drivers. Green PRs stay silent, so the signal stays trusted.
Wherever risk hides, your review sees it.
Triaging an AI PR flood
Change-risk scores rank the queue so review attention lands on the few pull requests that actually carry defect risk.
Catching a quiet breaker
Blast radius and the will_break directive surface the dependents a small-looking diff is about to break.
Spotting missing tests
The missing_tests directive flags changes to risky files that arrived without test coverage, before they merge.
Finding hidden coupling
Co-change pairs reveal the file that should have changed alongside this one but did not.
Watching health drift
Declining-health flags on a hotspot tell you a file is getting worse with each change, not better.
Routing to the right reviewer
Ownership history suggests who actually knows the affected code, instead of round-robin assignment.
LLM review bots are non-deterministic, noisy, and billed per pull request, so teams learn to ignore them. The Repowise PR Bot makes zero LLM calls, never drifts, has no prompt-injection surface, and stays silent on a green PR. When it speaks, your team listens.
Questions, answered
How does repowise decide a pull request is risky?
It scores the shape of the diff, not the prose. The change-risk model uses Kamei-style just-in-time metrics: how many files and subsystems the change touches, the churn and complexity of the files it lands in, whether those files are hotspots, and whether co-change partners and tests were left out. You get a single 0 to 10 score with named drivers. There is no LLM in the path, so the same diff always yields the same score.
Is the Repowise PR Bot just another noisy LLM review bot?
No. The bot makes zero LLM calls. It is tree-sitter plus a dependency graph plus the biomarker scorer, and it follows a silence rule: a green pull request gets no comment. When it does comment, there is exactly one comment per pull request, only when there is something worth saying, covering hotspots, hidden coupling, declining health, or dead code. The same pull request always produces the same comment, so your team stops tuning it out.
What does the bot cost, and does it work on private repos?
The Repowise PR Bot is a free GitHub App for open source and public repositories. Posting comments on private repositories requires Repowise Pro. The scoring engine is identical in both cases. The core engine is also open source under AGPL-3.0, so every heuristic the bot uses is public and inspectable.
What is blast radius, and how does it help reviewers?
Blast radius is the set of everything downstream of a change, computed from the two-tier dependency graph (files plus symbols). When a pull request lands, repowise can surface every dependent of the changed code plus the people who own those files, so the right reviewers see the change instead of whoever happens to be free. In PR mode the get_risk tool returns directive flags: will_break, missing_cochanges, and missing_tests.
How does repowise catch coupling that has no import edge?
Through co-change analysis on your git history. Hidden coupling is two files that keep changing together without any import linking them, which static analysis cannot see. repowise flags these co-change pairs so a reviewer knows that touching one file usually means the other needs to change too, before that omission ships a bug.
Why should I trust the code-health score the review is built on?
Because it is defect-validated. Against a leading commercial tool on the same 2,770 files across 9 languages, ranking by repowise health surfaced 2.3 times more defects under a fixed review budget, with a cross-project ROC AUC of 0.74 across 21 open source repositories. The score comes from 25 deterministic biomarkers with weights calibrated offline against a defect corpus, not hand-tuned, so the ranking reflects real bug risk rather than a vibe.
Will this slow down a team that is shipping AI-generated PRs quickly?
No. The bot runs on every pull request and the scoring is fast and deterministic, with no token bills and no rate-limited model in the loop. It is built for exactly the case where AI is opening more pull requests than a human can carefully read: it triages them so review attention lands on the changes that actually carry risk.
Does the bot send our code anywhere or have a prompt-injection surface?
The scoring path has no LLM, so there is nothing to prompt-inject and no model to hallucinate. The open-source engine can be self-hosted, and your source is processed transiently and never persisted. On the hosted platform the bot reads the diff to score it, but the scoring path is pure tree-sitter, a NetworkX graph, and the biomarker scorer, all deterministic and inspectable.