{"id":51632903,"url":"https://github.com/joshuafuller/prism","last_synced_at":"2026-07-13T10:04:38.825Z","repository":{"id":361299888,"uuid":"1253597550","full_name":"joshuafuller/prism","owner":"joshuafuller","description":"AI code review on your Claude/Codex subscriptions — a diff refracts into specialized reviewers (security · code quality · performance), recombined into one verdict. GitHub-first, Docker-native.","archived":false,"fork":false,"pushed_at":"2026-05-30T02:04:11.000Z","size":3859,"stargazers_count":0,"open_issues_count":7,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-05-30T03:07:55.799Z","etag":null,"topics":["ai-code-review","claude","code-quality","code-review","codex","developer-tools","devops","docker","llm","python","static-analysis"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/joshuafuller.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-05-29T16:17:18.000Z","updated_at":"2026-05-30T02:04:15.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/joshuafuller/prism","commit_stats":null,"previous_names":["joshuafuller/prism"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/joshuafuller/prism","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joshuafuller%2Fprism","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joshuafuller%2Fprism/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joshuafuller%2Fprism/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joshuafuller%2Fprism/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/joshuafuller","download_url":"https://codeload.github.com/joshuafuller/prism/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joshuafuller%2Fprism/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35418232,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-13T02:00:06.543Z","response_time":119,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-code-review","claude","code-quality","code-review","codex","developer-tools","devops","docker","llm","python","static-analysis"],"created_at":"2026-07-13T10:04:38.068Z","updated_at":"2026-07-13T10:04:38.810Z","avatar_url":"https://github.com/joshuafuller.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Prism\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/assets/prism-banner.png\" alt=\"A code diff enters a prism and refracts into five reviewer wavelengths — security, code quality, performance, documentation, release — recombined into a single verdict\" width=\"100%\"\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg alt=\"status: alpha\" src=\"https://img.shields.io/badge/status-alpha-orange\"\u003e\n  \u003cimg alt=\"Python 3.12+\" src=\"https://img.shields.io/badge/python-3.12%2B-blue\"\u003e\n  \u003cimg alt=\"built with uv\" src=\"https://img.shields.io/badge/built%20with-uv-de5fe9\"\u003e\n  \u003cimg alt=\"runs on Claude + Codex subscriptions\" src=\"https://img.shields.io/badge/runs%20on-Claude%20%2B%20Codex%20subscriptions-111111\"\u003e\n  \u003cimg alt=\"reviews: AI-assisted\" src=\"https://img.shields.io/badge/reviews-AI--assisted-8957e5\"\u003e\n\u003c/p\u003e\n\n**AI code review orchestration that runs on your Claude/Codex subscriptions — not per-token API billing.**\n\nPrism splits a diff into specialized reviewer \"wavelengths\" (security, code quality, …),\nruns them concurrently, and recombines their findings through a coordinator that\ndeduplicates, filters false positives, and produces one structured verdict. It's modeled\non [Cloudflare's AI code review architecture](https://blog.cloudflare.com/ai-code-review/),\nadapted to drive the `claude` and `codex` CLIs so reviews run on subscriptions you\nalready pay for.\n\n\u003e [!NOTE]\n\u003e **Working MVP.** `prism local` reviews a diff end-to-end on your subscriptions, in\n\u003e Docker or locally, and posts to a GitHub PR. It even reviews its own repo — Prism caught\n\u003e real issues in its own Docker wrapper during development. Roadmap and remaining work live\n\u003e in [GitHub Issues](https://github.com/joshuafuller/prism/issues) and the\n\u003e [implementation plan](docs/superpowers/plans/2026-05-29-prism-mvp.md).\n\n## Why it exists\n\nNaive \"shove a git diff into a prompt and ask for bugs\" produces noise — hallucinated\nerrors and \"consider adding error handling\" on code that already has it. Prism instead\nuses **specialized reviewers with explicit \"what NOT to flag\" boundaries**, a **judge\npass**, and **structured findings**, biased hard toward signal over noise.\n\n## How it works\n\n```mermaid\nflowchart LR\n    IN[\"prism local --target main\"] --\u003e DIFF[\"DiffSource\u003cbr/\u003egit diff · gh pr diff\"]\n    DIFF --\u003e WS[\"filter noise\u003cbr/\u003e+ workspace · .prism/\"]\n    WS --\u003e COORD{{\"Coordinator\"}}\n\n    subgraph REV [\"reviewers · run concurrently · via claude / codex (subscriptions)\"]\n        direction TB\n        SEC[\"security\"]\n        CQ[\"code quality\"]\n        PERF[\"performance\"]\n    end\n\n    COORD --\u003e|\"fan out · risk-tiered\"| SEC \u0026 CQ \u0026 PERF\n    SEC \u0026 CQ \u0026 PERF --\u003e|\"structured findings\"| JUDGE{{\"judge pass\u003cbr/\u003ededupe · filter · decide\"}}\n    JUDGE --\u003e OUT[\"report.md + findings.json\u003cbr/\u003e+ GitHub PR comment\"]\n\n    classDef io fill:#30363d,stroke:#8b949e,color:#ffffff;\n    classDef coord fill:#6e40c9,stroke:#d2c5ff,color:#ffffff;\n    classDef sec fill:#cf222e,stroke:#ffb3ae,color:#ffffff;\n    classDef cq fill:#1f6feb,stroke:#b6d3ff,color:#ffffff;\n    classDef perf fill:#1a7f37,stroke:#aee0ba,color:#ffffff;\n    class IN,DIFF,WS,OUT io;\n    class COORD,JUDGE coord;\n    class SEC sec;\n    class CQ cq;\n    class PERF perf;\n```\n\n- **Engine** is the single LLM chokepoint. Default engines shell out to the subscription\n  CLIs; API-key engines are an opt-in fallback. Model versions are never hardcoded — the\n  CLI uses your subscription's current model (Opus 4.8 today).\n- **Reasoning effort** is a per-reviewer knob (cheap reviewers run low, the coordinator\n  runs high) — on a subscription, tokens are your rate-limit budget.\n- **Reviewer prompts are markdown** (`src/prism/agents/*.md` + a shared rules file). Add\n  or tune a reviewer by editing markdown — no core code change.\n\nSee the [design spec](docs/superpowers/specs/2026-05-29-prism-mvp-design.md), the\n[architecture decisions](docs/adr/), and the\n[lessons we built on](docs/reference/cloudflare-lessons.md).\n\n## Requirements\n\n\u003e [!IMPORTANT]\n\u003e Prism does not ship a model. It drives CLIs you authenticate with your **own**\n\u003e subscriptions — without a logged-in `claude` and/or `codex` CLI, it has nothing to run.\n\n- A **Claude subscription** (e.g. Max) with the [`claude` CLI](https://docs.anthropic.com/en/docs/claude-code)\n  logged in, and/or a **ChatGPT/Codex subscription** with the `codex` CLI. (API keys work\n  as an opt-in fallback, but the point is to avoid per-token billing.)\n- [`gh`](https://cli.github.com/) (or `glab` for GitLab) authenticated, to post to a PR/MR.\n- **Docker** (recommended) — or Python 3.12 + [uv](https://docs.astral.sh/uv/) to run on the host.\n\n## Quickstart\n\n\u003e [!TIP]\n\u003e Use the Docker path — it bundles the `claude`, `codex`, and `gh` CLIs, so you need\n\u003e nothing on your host but Docker and your existing logins.\n\n```bash\ncp prism.example.yaml prism.yaml     # configure once (see the Usage Guide)\ndocker build -t prism .              # build the image (once)\nbin/prism local --target main        # review the current branch against main\n```\n\nThe image is a multistage [Chainguard wolfi](https://www.chainguard.dev/) build —\n~1.1 GB with **zero known CVEs**. Prefer `docker compose`? `docker compose run --rm prism\nlocal --target main` works too (see the [Usage Guide](docs/usage.md#install)).\n\nPrism writes the verdict to two files:\n\n- **`.prism/report.md`** — the human-readable review (like the [example](#example-review) below)\n- **`.prism/findings.json`** — the same findings as structured JSON, for CI and AI agents\n\nAdd `--post-pr 42` (GitHub) or `--post-mr 77` (GitLab) to post the summary to a review\nthread. The exit code is nonzero only when the verdict reaches your `policy.fail_on`, so\n`prism local` drops straight into CI.\n\n\u003e [!NOTE]\n\u003e **Read these next.** The README is an overview; the real how-to lives here:\n\u003e - **[Usage Guide](docs/usage.md)** — configuration, the review workflow, reading the\n\u003e   output, CI, and posting to PRs/MRs.\n\u003e - **[Using Prism with AI Agents](docs/ai-agents.md)** — wire Prism in as a self-review\n\u003e   gate for Claude Code, Cursor, or Codex.\n\n### Example review\n\nAn illustrative review (the diff is fictional; the structure is what Prism produces).\nIndependent reviewers each flag their own domain, the verdict blocks on the critical\nfinding, and the coordinator drops a nitpick:\n\n\u003e ### Prism review: `significant_concerns`\n\u003e\n\u003e This change adds a public order-search endpoint. The security reviewer found a\n\u003e SQL-injection vector reachable without authentication — that blocks merge. Performance\n\u003e flagged an N+1 query that will degrade under load. A code-quality note about naming was\n\u003e dropped as not worth flagging.\n\u003e\n\u003e **Critical (1)**\n\u003e\n\u003e - **SQL injection in order search** — `api/orders.py:42` _(security, high confidence)_\n\u003e   - The handler formats the user-supplied `q` straight into the query (`... WHERE name LIKE '%{q}%'`). A value like `%' OR '1'='1` returns every row, and the route has no auth check, so anyone can reach it.\n\u003e   - **Fix:** use a parameterized query — `cursor.execute(sql, (f\"%{q}%\",))` — and never interpolate user input into SQL.\n\u003e\n\u003e **Warning (1)**\n\u003e\n\u003e - **N+1 query loads each customer in a loop** — `api/orders.py:55` _(performance, medium confidence)_\n\u003e   - For every order in the page the handler issues a separate `Customer.get(id)` query, so a 200-row response fires 201 queries. Fine in dev; falls over under load.\n\u003e   - **Fix:** load customers in one `IN (...)` query (or eager-load the relation) and map them in memory.\n\u003e\n\u003e ---\n\u003e\n\u003e _Prism is an AI first-pass, **not a replacement for human review** — it can miss architectural intent, cross-system impact, and subtle concurrency bugs._\n\nPrism also dogfoods on itself — during development it caught real bugs in its own code,\nincluding one in the change that added the example transcripts.\n\n## Add your own reviewer\n\nReviewers are markdown, not code (ADR-0009):\n\n1. Write `src/prism/agents/\u003cname\u003e.md` with `## What to Flag` / `## What NOT to Flag`\n   sections (copy an existing one like `security.md`).\n2. Add it to `prism.yaml` under `reviewers:` with an `engine` and `effort`.\n\nThat's it — no core code change. The shipped set is `security`, `code_quality`, and\n`performance`, plus optional `documentation` and `release` reviewers you can enable.\n\n## Developing\n\nPython 3.12, managed entirely with [uv](https://docs.astral.sh/uv/) — no pip, no manual venvs.\n\n```bash\nuv sync --dev          # set up the environment\nuv run pytest          # fast unit suite (LLMs are faked; no network, no cost)\nuv run pytest -m live  # opt-in: exercises the real subscription CLIs\nuv run ruff check .    # lint\nuv run mypy src        # types\n```\n\nA **pre-commit lint hook is enforced** (`git config core.hooksPath .githooks`) and a\npre-push hook runs the full gate locally. The GitHub Actions workflow runs ruff, mypy,\npytest, and semgrep; its `push`/`pull_request` triggers are enabled once the repo is\npublic (free Actions). Quality gates fail fast.\n\n## Roadmap \u0026 contributing\n\nPlanned work, known issues, and the roadmap live in\n[GitHub Issues](https://github.com/joshuafuller/prism/issues). Bug reports, ideas, and new\nreviewer prompts are welcome. The design rationale is in the\n[spec](docs/superpowers/specs/2026-05-29-prism-mvp-design.md) and\n[ADRs](docs/adr/).\n\n## Limitations\n\n\u003e [!CAUTION]\n\u003e Prism is **not** a replacement for human review. Like all AI reviewers it is weak at\n\u003e architectural intent (\"why was this designed this way\"), cross-system impact (it can\n\u003e flag an API-contract change but can't verify every consumer was updated), and subtle\n\u003e concurrency/race bugs that don't show up in a static diff.\n\nTreat it as a fast first pass that catches real bugs and clears clean code — not a gate\nyou stop thinking behind.\n\n## License\n\n[Apache License 2.0](LICENSE) — permissive, with an explicit patent grant. Use it,\nmodify it, embed it; just keep the notice. See [`NOTICE`](NOTICE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoshuafuller%2Fprism","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjoshuafuller%2Fprism","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoshuafuller%2Fprism/lists"}