PR review bot

The Repowise PR bot is a GitHub App that runs the same intelligence layers as the CLI and dashboard against every pull request, and posts one deterministic comment — only when there is something worth saying. No prompts, no hallucinations, no per-PR tokens. It is free forever for public / OSS repos; private repos need the Pro plan.

Install

Permissions requested: Contents: Read · Pull requests: Write · Metadata: Read · Issues: Write (GitHub treats PR comments as issue comments). The optional merge gate additionally needs Checks: Write — existing installs re-consent when you turn it on.

The silence rule

Most PR bots are noise. This one stays silent unless there is a measurable signal worth interrupting a reviewer for. A green PR with no findings gets no comment at all. When the bot does comment, improvements are shown alongside problems so cleanup gets credit. It posts when any of these fire:

• net repo health degrades, or any modified file's score drops;
• a hotspot file (high churn + many dependents) is touched;
• a top co-change partner of a modified file is missing from the PR;
• new dead code is introduced (or removed — that is a win);
• a modified file is on a declining-health trajectory.

The bot edits its existing comment when new commits land rather than posting a wall of duplicates; if the silence rule fires after an earlier comment, the stale comment is deleted.

What's in the comment

Each section is independent and only renders when it has something to say:

Every finding is deterministic: health scoring is tree-sitter + git + the calibrated biomarker scorer, and refactoring suggestions are template strings keyed off the biomarker type. Nothing is generated by an LLM, so every comment is reproducible.

The merge gate

Beyond commenting, the bot can post a GitHub Check Run that a branch protection rule can require — turning code health into a merge gate. It is off by default and configured per repo (health_gate.mode):

• off — no check is created.
• advisory — always concludes neutral: the verdict is visible on the PR but never blocks. The safe default to start with.
• blocking — concludes failure when a rule trips, which a required check will block the merge on.

The rules (evaluated only in blocking mode) let you adopt a clean-as-you-code policy without forking any constants:

Configuration

Two ways to configure, with the dashboard taking precedence:

1. In-repo .repowise/bot.yaml (committed, versioned with the code):

bot:
  enabled: true
  comment_mode: on_signal      # or "always" to post a clean bill of health
  show_dead_code: true
  show_change_risk: true
  ignore_paths:
    - "vendor/**"
    - "**/*.generated.*"
  health_gate:
    mode: advisory             # off | advisory | blocking
    repo_drop_block: 0.3
    min_new_file_score: 7.0
    block_on_introduced: false
    block_ai_regression: false

You can toggle any section (show_health, show_hotspots, show_ownership, show_coupling, show_dead_code, show_refactoring, show_declining_alert, show_change_risk, show_review_priority), set the comment threshold, and ignore paths.

2. The hosted dashboard (Settings → PR Bot). The dashboard config overlays the YAML: any field set there wins, fields it omits keep the YAML/default value, and ignore_paths is unioned (the dashboard can only add scope, never silently un-ignore a path the repo author chose to skip). A malformed value is skipped, never wedging the analyzer.

Pricing

Free forever for public / OSS repos — no LLM tokens, no PR cap. Private repos require the Pro plan (it matches the rest of Repowise hosted). Private installs still index on connect, so the snapshot is ready the moment you upgrade. See the pricing page.

How it relates to the rest of Repowise

Same engine, different surface. The bot reads the code-health, git-intelligence, and dependency-graph layers, and every comment links to the live dashboard snapshot — where the same data is queryable by humans (the web UI) and by AI agents (the MCP tools, including get_health for a pre-PR self-check).