Inspiration
Large engineering teams merge hundreds of pull requests every week. Each one is a gamble. We’ve watched production incidents caused by a single line change that rippled through 30 files no one knew were connected. Code-owner files are stale. Manual dependency tracing takes hours. And even the best reviewers miss hidden impacts.
We wanted a tool that actually understands code structure—not just guesses risk with an LLM. That’s why we built PRISM: to give every merge request a precise blast radius map, in under 4 seconds.
What it does
PRISM is an autonomous intelligence layer for GitLab. When a developer opens a merge request, PRISM automatically:
Parses the diff with tree‑sitter to build an AST of changed files.
Constructs a dependency graph (NetworkX) and runs BFS to compute the exact blast radius—every file and downstream service that would be affected.
Analyzes Git blame to recommend the most qualified reviewers based on actual commit history to the changed lines.
Scores risk (0‑100) using six deterministic factors: change size, file churn, core module touches, test coverage, dependency depth, and author experience.
Generates a plain‑English summary with Groq’s Llama 3.3 and posts it directly to the MR as a comment.
All results are also visualized in a real‑time dashboard with an interactive D3.js blast graph.
Result: developers merge with confidence, reviewers get instant context, and incidents are caught before they ever happen.
How we built it
Backend: Python 3.12 + FastAPI for async webhook processing, with HMAC validation and background tasks.
Code analysis: tree‑sitter for language‑aware AST parsing; NetworkX for graph construction and BFS traversal.
AI: Groq (llama‑3.3‑70b) for fast, low‑latency summaries (<1 second).
Database: PostgreSQL + SQLAlchemy to persist analysis results.
Frontend: Next.js 15 + TypeScript with D3.js for interactive blast radius graphs.
Auth: NextAuth.js (GitLab OAuth).
Deployment: Docker Compose for local dev; live on Vercel (frontend) and Railway (backend).
We used GitLab webhooks to trigger the pipeline, and the PRISM bot posts comments back to the MR using the GitLab API.
Challenges we ran into
Building a dependency graph that’s fast enough for large repos. We started with a naive approach that parsed the whole codebase; we optimized by limiting traversal to changed files and using cached graph snapshots.
Handling GitLab webhook payloads reliably. We implemented HMAC validation and idempotent processing to avoid duplicate analyses.
Making the AI summary actually useful. We found that giving Llama structured data (risk score, blast radius, reviewer list) produced far better comments than just feeding it the diff.
Frontend graph performance. D3.js force simulations needed careful tuning to handle hundreds of nodes without lag.
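As an added illustration of the webhook hardening described above (example code, not PRISM's own), the sketch below verifies an HMAC-SHA256 signature over the raw request body in constant time and then deduplicates deliveries by MR iid and head commit, so a redelivered webhook never triggers a second analysis. The header name, shared secret and payload are constructed for the example; the `object_attributes.iid` and `object_attributes.last_commit.id` fields are the ones GitLab's merge request event carries.

```python
"""Signed-webhook verification plus idempotent processing (illustrative)."""
import hashlib
import hmac
import json
from typing import Optional

WEBHOOK_SECRET = b"constructed-shared-secret"   # constructed; load from env in practice
SIGNATURE_HEADER = "X-Prism-Signature"           # assumed header name for this example

# Constructed merge request event, trimmed to the fields the processor needs.
SAMPLE_BODY = json.dumps({
    "object_kind": "merge_request",
    "object_attributes": {"iid": 42, "last_commit": {"id": "abc123"}},
}).encode()


def sign_payload(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw body, hex-encoded (the assumed signing scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, presented: Optional[str]) -> bool:
    """Constant-time comparison, so timing does not reveal how many bytes matched."""
    if not presented:
        return False
    return hmac.compare_digest(sign_payload(secret, body), presented)


class WebhookProcessor:
    """Rejects unsigned or tampered bodies and skips redeliveries of a seen MR state."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen: set = set()          # (mr iid, head commit sha) already analysed
        self.analyses: list = []        # stand-in for the background analysis queue

    def handle(self, headers: dict, body: bytes) -> str:
        # Verify before parsing: an unverified body is never handed to json.loads.
        if not verify_signature(self.secret, body, headers.get(SIGNATURE_HEADER)):
            return "rejected"
        attrs = json.loads(body)["object_attributes"]
        key = (attrs["iid"], attrs["last_commit"]["id"])
        if key in self.seen:
            return "duplicate"          # same MR at the same head commit: no re-analysis
        self.seen.add(key)
        self.analyses.append({"iid": key[0], "sha": key[1]})
        return "accepted"
```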
Accomplishments that we’re proud of
End‑to‑end automation: PRISM runs in under 4 seconds from webhook to comment, with no manual intervention.
Structural intelligence: The AST + BFS blast radius is deterministic and provable—not a black‑box guess.
Real‑world speed: Using Groq’s LPUs, the AI summary adds <1 second of latency, making the tool truly usable in CI/CD.
Live demo: We deployed a fully working instance that any GitLab user can try (link in “Try it out”).
What we learned
Deterministic metrics beat pure LLM guesses for risk assessment. Combining AST analysis with a small, focused AI prompt yields more trustworthy results.
Graph algorithms (BFS) are perfect for blast radius—they’re fast and mathematically correct.
Groq’s LPUs are a game‑changer for real‑time AI in developer tools; latency matters more than model size.
A clean dashboard matters as much as the backend—judges and users need to see the value at a glance.
What’s next for PRISM‑AI
Support for more languages (currently Python and JavaScript/TypeScript; add Go, Rust, Java).
CI/CD integration – allow teams to block merges automatically if risk score exceeds a threshold.
Historical learning – track incidents to refine risk scoring based on past production failures.
Self‑hosted GitLab support – provide a one‑click deployment option for enterprises.
Pull request summaries – extend from GitLab to GitHub and Bitbucket.
Built With
- d3.js
- docker compose
- fastapi
- groq
- networkx
- next.js
- nextauth.js
- postgresql
- python 3.12
- sqlalchemy
- tree-sitter
- typescript
- vercel