Inspiration

Every production incident has the same root cause in hindsight — someone merged code without knowing what would break downstream. We have all seen it: a two-line change to an auth module silently breaks the payment service three layers deep. Nobody caught it in review because nobody could see the blast radius.

We built PRISM-AI because the tooling to answer "what will this change break?" has never existed natively in the review workflow. Static analysis tools exist. Linters exist. But nothing automatically maps the full downstream impact of a change and puts that information in front of the reviewer before they approve.

GitLab has 30 million users. Every single one of them merges code without blast radius data. That is the problem we set out to solve.

What it does

PRISM-AI is an autonomous risk intelligence system that activates the moment a developer opens a merge request — no configuration, no manual triggers, zero friction.

In under 4 seconds it automatically:

  • Computes blast radius by parsing the codebase AST with tree-sitter and running BFS traversal on a NetworkX directed dependency graph to find every downstream module affected by the change
  • Calculates a deterministic 0-100 risk score across 6 signals: PR size, file churn rate, core module detection, test coverage delta, dependency depth, and author module experience
  • Generates an AI risk explanation using Groq LLM that names specific modules, explains why the risk is high or low, and gives a concrete reviewer recommendation
  • Posts a structured risk report directly to the GitLab MR as a comment before any human opens the diff
  • Auto-assigns reviewers based on git blame analysis of the changed modules
  • Updates a real-time dashboard with an interactive D3.js force-directed blast radius graph

The comment appears automatically. The dashboard updates in real time. The developer who opened the MR sees the risk before they even ping a reviewer.

How we built it

The architecture is event-driven and async-first throughout. GitLab fires a webhook when an MR opens. PRISM-AI returns 200 OK immediately and runs the full 7-agent pipeline as a background task.

The analysis pipeline:

  1. Change Agent — calls the GitLab diff API, extracts changed files, counts lines, detects critical module touches, checks for test file changes
  2. Dependency Agent — tree-sitter parses Python and JS/TS files into ASTs, resolves imports to file paths, builds a NetworkX DiGraph, runs BFS on the reversed graph to compute downstream blast radius
  3. History Agent — GitPython mines 30-day commit history for file churn rates, scans 500 commits for hotfix keywords to flag incident-prone files
  4. Risk Agent — pure deterministic scoring, 6 factors, additive, capped at 100, fully explainable
  5. Reviewer Agent — git blame analysis identifies engineers with the deepest context in changed modules
  6. Summary Agent — Groq LLM prompt engineered to name specific files and never produce vague output
  7. Orchestrator — sequences all stages, posts the GitLab comment, saves to PostgreSQL, applies risk labels

Stack: FastAPI, PostgreSQL, SQLAlchemy 2.0 async, tree-sitter, NetworkX, GitPython, Groq AI, Next.js 15, D3.js, NextAuth.js v5, Docker Compose, GitLab Webhooks API, GitLab Duo Agent Platform

Challenges we ran into

GitLab diff API truncation — GitLab silently truncates large file diffs and returns an empty string with too_large: true. Our line counting was returning zero for large files. We had to detect the flag and apply a fallback estimation strategy.
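The failure mode above is worth seeing in code: an empty diff string with too_large set looks exactly like a file with no changes unless the flag is read first. The block below is an added example, not the Change Agent's code. The two change entries are constructed to resemble items from the GitLab MR changes response (only the keys the example reads are included), and the 500-line fallback constant is an assumption standing in for whatever estimation strategy the team chose; the important part is that an estimated count is flagged as such so downstream scoring and the reviewer comment can say so.

```python
# Constructed entries shaped like two items from GitLab's MR changes API.
CHANGES = [
    {
        "new_path": "auth/session.py",
        "old_path": "auth/session.py",
        "too_large": False,
        "diff": (
            "@@ -10,4 +10,6 @@\n"
            " def validate(token):\n"
            "-    return token.ok\n"
            "+    if token is None:\n"
            "+        return False\n"
            "+    return token.ok and not token.expired\n"
        ),
    },
    {
        "new_path": "vendor/bundle.min.js",
        "old_path": "vendor/bundle.min.js",
        "too_large": True,
        "diff": "",   # GitLab returns an empty diff when too_large is set
    },
]

# Hypothetical fallback: line count assumed for a diff GitLab refused to return.
LARGE_DIFF_ESTIMATE = 500

def count_diff_lines(diff: str) -> tuple:
    """(added, removed) from unified-diff text; hunk headers and context lines do not count."""
    added = removed = 0
    for line in diff.splitlines():
        if line.startswith("+++") or line.startswith("---"):
            continue  # file headers, if a client ever includes them, are not content
        if line.startswith("+"):
            added += 1
        elif line.startswith("-"):
            removed += 1
    return added, removed

def summarize_change(change: dict) -> dict:
    """Read too_large BEFORE looking at the diff text, otherwise a truncated file counts as zero."""
    if change.get("too_large"):
        return {"path": change["new_path"], "added": LARGE_DIFF_ESTIMATE,
                "removed": 0, "estimated": True}
    added, removed = count_diff_lines(change.get("diff") or "")
    return {"path": change["new_path"], "added": added, "removed": removed, "estimated": False}

def total_lines(changes: list) -> dict:
    """Aggregate for the PR-size signal, carrying the list of files whose counts are estimates."""
    summaries = [summarize_change(c) for c in changes]
    return {
        "lines_changed": sum(s["added"] + s["removed"] for s in summaries),
        "estimated_files": [s["path"] for s in summaries if s["estimated"]],
        "files": summaries,
    }

if __name__ == "__main__":
    print(total_lines(CHANGES))
```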

Async git operations — GitPython is fully synchronous and blocks the event loop. Every git operation had to be wrapped in loop.run_in_executor() to keep the pipeline non-blocking under concurrent webhook load.
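This is the pattern the two paragraphs above describe, as an added example rather than PRISM-AI's own handler: the webhook is acknowledged with 200 before any analysis runs, the analysis is scheduled as a background task, and the synchronous git call inside it is pushed through loop.run_in_executor() so the event loop stays free for the next delivery. The example also checks the X-Gitlab-Token header that GitLab sends when a secret token is configured on the webhook, since an unauthenticated endpoint would let anyone trigger clones and LLM calls. blocking_git_blame is a hypothetical stand-in for a GitPython call, and the default secret and the two MR payloads are constructed for the demo.

```python
import asyncio
import hmac
import os
import time

# Secret configured on the GitLab webhook; GitLab sends it back in X-Gitlab-Token.
# The default is a constructed demo value; a real deployment reads it from the environment only.
WEBHOOK_SECRET = os.environ.get("PRISM_WEBHOOK_SECRET", "constructed-demo-secret")

def token_is_valid(headers: dict, secret: str = WEBHOOK_SECRET) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the secret."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return hmac.compare_digest(lowered.get("x-gitlab-token", ""), secret)

def blocking_git_blame(path: str) -> dict:
    """Hypothetical stand-in for a synchronous GitPython blame; it blocks for 50 ms."""
    time.sleep(0.05)
    return {"path": path, "authors": ["alice", "bob"]}

async def run_pipeline(payload: dict, results: dict) -> None:
    """Background analysis: sync git work goes to the default thread pool, not the loop."""
    loop = asyncio.get_running_loop()
    blames = await asyncio.gather(
        *(loop.run_in_executor(None, blocking_git_blame, p) for p in payload["changed_files"])
    )
    authors = sorted({a for b in blames for a in b["authors"]})
    results[payload["mr_iid"]] = {"reviewers": authors}

async def handle_webhook(headers: dict, payload: dict, results: dict, tasks: set) -> tuple:
    """Ack fast, analyse later. Returns (status, body) the way an HTTP handler would."""
    if not token_is_valid(headers):
        return 401, "invalid webhook token"
    if payload.get("object_kind") != "merge_request":
        return 200, "ignored"
    task = asyncio.create_task(run_pipeline(payload, results))
    tasks.add(task)                        # strong reference so the task is not garbage-collected
    task.add_done_callback(tasks.discard)
    return 200, "accepted"

def demo() -> dict:
    """Deliver two MR webhooks plus one with a bad token; report what the caller saw at each stage."""
    async def main():
        results, tasks = {}, set()
        good = {"X-Gitlab-Token": WEBHOOK_SECRET}
        mr1 = {"object_kind": "merge_request", "mr_iid": 1,
               "changed_files": ["auth/session.py"]}
        mr2 = {"object_kind": "merge_request", "mr_iid": 2,
               "changed_files": ["payments/charge.py", "db/models.py"]}
        ack1 = await handle_webhook(good, mr1, results, tasks)
        ack2 = await handle_webhook(good, mr2, results, tasks)
        rejected = await handle_webhook({"X-Gitlab-Token": "wrong"}, mr1, results, tasks)
        analysed_before_await = len(results)   # 0: both acks returned before any git work ran
        await asyncio.gather(*tasks)           # in a server the tasks finish on their own
        return {"ack1": ack1, "ack2": ack2, "rejected": rejected,
                "analysed_before_await": analysed_before_await, "results": results}
    return asyncio.run(main())

if __name__ == "__main__":
    print(demo())
```

If blocking_git_blame were awaited directly instead of through run_in_executor, the second webhook could not be acknowledged until the first MR's blame finished; under concurrent deliveries that delay is what GitLab would eventually record as a webhook timeout.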

tree-sitter version compatibility — The v0.21.3 API is completely different from v0.23+. We had to use Language(tsp.language(), 'python') rather than the newer constructor, and debug this from first principles since documentation for the older API is sparse.

Shallow clone tradeoffs — We use git clone --depth=100 for performance. Files untouched in the last 100 commits have incomplete blame data. We built graceful fallbacks throughout the history and reviewer agents so the pipeline never crashes on incomplete git data.

Protected branch push restrictions — The GitLab hackathon group has protected main branches. We had to build a branch-and-MR workflow into our deployment process rather than direct pushes.

Accomplishments that we're proud of

The moment PRISM-AI posted its first automatic comment on a real GitLab MR — before we had even switched browser tabs — was the moment we knew we had built something real. That comment contained a blast radius chain, a 6-factor risk breakdown table, a Groq AI summary naming specific modules, and suggested reviewers. All computed and posted in 3.8 seconds from webhook receipt.

We are proud that the risk score is fully deterministic and explainable. Every point traces to a specific fact. No black box. No guessing. An engineer can look at the breakdown table and understand exactly why PRISM-AI flagged this MR as high risk.

We are proud of the D3.js blast radius graph — a force-directed visualization where red nodes are critical, amber nodes are high risk, and edges represent real import dependencies extracted from AST analysis. It is the kind of visual that makes a reviewer immediately understand the scope of a change without reading a single line of code.

What we learned

The most important insight from building PRISM-AI is that the best AI applications are not the ones where AI makes every decision. They are the ones where deterministic algorithms do the analysis and AI handles the human communication layer.

The risk score is computed from git history and code structure. It is fast, explainable, and trustworthy. The AI summary translates those findings into plain English that a busy maintainer can act on in 10 seconds. Both layers are necessary. Neither replaces the other.

We also learned that event-driven architecture is the right pattern for developer tooling. The magic of PRISM-AI is not the analysis — it is the fact that the analysis appears without anyone asking for it. Zero friction is the product.

What's next for PRISM-AI

  • Multi-language support expansion — Go, Java, Rust import graph analysis
  • Incident correlation — connect PRISM-AI risk scores to actual production incidents over time to validate and improve the scoring model with real outcome data
  • Native GitLab integration — ship as a GitLab CI component so any project can add PRISM-AI with a single line in their pipeline configuration
  • ML-enhanced scoring — use accumulated incident data to train a model that improves factor weights based on which signals actually predicted real failures
  • PR-level chatbot — let reviewers ask PRISM-AI questions directly in the MR comment thread via the GitLab Duo Agent interface
