Risk Assessment System

Automatically evaluates code changes in pull requests by analyzing the scope of modifications and detecting touches to sensitive files. Assigns a risk level (low, medium, or high) that informs both human reviewers and the judge agent about the complexity and potential impact of proposed changes.

Key source files:

server/services/riskScoring.ts — core scoring logic
server/mcp/tools/createPr.ts — risk computed on PR creation
app/components/RiskBadge.vue — UI rendering

How It Works

Risk Scoring Algorithm

Risk level is determined by thresholds:

Condition	Level
Touches sensitive paths OR lines > 100 OR files > 8	HIGH
Lines > 20 OR files > 3	MEDIUM
Otherwise	LOW

Sensitive path patterns (default):

**/database/** — Database files
**/migrate* — Migration files
**/*.config.* — Configuration files
**/auth/** — Authentication logic
**/security/** — Security-sensitive code
**/.env* — Environment files

Customization Per Project

Risk thresholds are configurable per project in the project config:

json

{
  "riskThresholds": {
    "lowLines": 20,
    "highLines": 100,
    "lowFiles": 3,
    "highFiles": 8,
    "sensitivePaths": ["**/database/**", "..."]
  }
}

Thresholds are loaded when create_pr is called and passed to calculateRisk(). They can be set via the configure_project MCP tool.

Key Components

File	Responsibility
`server/services/riskScoring.ts`	Core scoring logic: `calculateRisk()`, `parseFileStatsFromDiff()`
`server/mcp/tools/createPr.ts`	MCP tool invoked by agents; computes risk on PR creation
`server/api/projects/[projectId]/issues/[issueId]/pr/index.get.ts`	Returns PR with embedded riskScore
`app/components/RiskBadge.vue`	Renders risk level as color-coded badge with tooltip
`app/components/IssueCard.vue`	Displays risk badge on kanban cards (via latestPrRiskScore)
`app/pages/p/[slug]/issues/[identifier].vue`	Shows risk badge in PR review section of issue detail
`server/database/schema.ts`	`RiskScore` type and `pull_requests.riskScore` JSON column

Design Decisions

Why parse diff instead of using git CLI during PR creation?

Agents operate in isolated worktrees with constrained MCP tools — they pass diff as a string to MCP create_pr
Parsing is deterministic and doesn't require filesystem access
Diff snapshot is preserved for audit/reproducibility

Why store thresholds in project config, not as global constants?

Different projects have different risk tolerances (infrastructure vs feature projects)
Allows ops teams to adjust sensitivity without code changes
Thresholds are mutable via configure_project MCP tool

Why include sensitivePaths in risk score output?

Provides audit trail of which sensitive files were touched
Helps judge decide if code review should focus on specific areas
Enables risk-aware dispatch decisions (e.g., escalate if auth/ was modified)

Known Gaps

Risk assessment is static (based on diff only) — doesn't account for code quality metrics or test coverage
Escalation system (server/orchestrator/escalation.ts) handles phase transitions but doesn't currently trigger based on PR risk level
No time-series risk tracking or trend analysis for projects

Risk Assessment System ​

How It Works ​

Risk Scoring Algorithm ​

Customization Per Project ​

Key Components ​

Design Decisions ​