Skip to content

zanetworker/highstakes

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

31 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation


HighStakes treemap view
AI writes code faster than you can review it. See where you're needed and where AI can handle the rest.

HighStakes

Know which code would hurt the most if it broke.
LLM-assisted blast radius analysis for every file in your repo.

Quick Start Β· How It Works Β· Commands Β· Models

Point it at any codebase. In under 2 minutes, you know:

  • Where to focus: "sandbox.py handles isolation. Breakage causes container escapes." (score: 73, HIGH)
  • What's safe: "theme.rs sets terminal colors. Breakage causes cosmetic issues." (score: 6, LOW)
  • What to do: 2 senior reviewers + security scan, or auto-merge OK

Static analysis alone can't do this. A complexity counter sees auth.rs and theme.rs as "both Rust files." The LLM reads the code and understands that one is a security boundary and the other formats colors.

Quick Start

1. Install and set up:

go install github.com/zanetworker/highstakes/cmd/heatmap@latest
export OPENROUTER_API_KEY="sk-or-..."

2. Analyze:

cd /path/to/repo
highstakes init && highstakes analyze
Heatmap generated: .heatmap/heatmap.json (305 files)

Heat Distribution:
  πŸ”₯πŸ”₯πŸ”₯ CRITICAL: 0 files
  πŸ”₯πŸ”₯  HIGH:     30 files
  πŸ”₯   MEDIUM:   141 files
  🟒   LOW:      134 files

3. See results:

highstakes dashboard     # Visual treemap + file explorer (opens browser)
highstakes               # Terminal TUI
highstakes list --tier high

Terminal TUI

Navigate the file tree with colored tier indicators. Select any file to see blast radius, impact dimensions, and review requirements.

Terminal TUI with file tree, blast radius detail, and impact dimension bars

Dashboard

Two views, one detail panel. Click any file to see blast radius reasoning, impact dimensions, and review requirements.

Treemap β€” blocks sized by code volume, colored by heat. Your eye goes to the big red blocks first.

Explorer β€” collapsible file tree sorted hottest-first, with heat bars and reasoning inline.

Explorer view with file tree, heat scores, and blast radius reasoning

Both views respond to tier filters (Critical / High / Medium / Low), search, and size toggle (Lines vs Heat).

How It Works

  1. Static analysis scans every source file for complexity, dependency centrality, import graph
  2. Git analysis measures change frequency, contributor count, commit patterns
  3. LLM assessment sends each file to an LLM: "if this code has a bug, what breaks?"
  4. Scoring combines LLM blast radius (40%) with static signals into a 0-100 heat score
  5. Tiering maps scores to review requirements

The LLM returns structured scores across four dimensions:

Dimension What It Measures
Security Auth boundaries, crypto, sandbox isolation, access control
Data PII handling, persistence, data integrity, schema
Availability Service lifecycle, infrastructure, single points of failure
User User-facing paths, API contracts, UX-critical flows

Scoring Weights

Factor Weight Source
LLM Blast Radius 40% Max of four impact dimensions
Dependency Centrality 15% Import graph analysis
Complexity 15% Cyclomatic + cognitive
Test Coverage Risk 10% Inverse of coverage
Incident History 10% Manual records
Change Frequency 10% Git churn

Tier System

Tier Score Review Required
πŸ”₯πŸ”₯πŸ”₯ CRITICAL 86-100 2 senior reviewers + security scan
πŸ”₯πŸ”₯ HIGH 61-85 2 reviewers + integration tests
πŸ”₯ MEDIUM 31-60 1 reviewer
🟒 LOW 0-30 Auto-review safe

Commands

Analyze

highstakes init                                         # Create .heatmap/ config
highstakes analyze                                      # Full LLM analysis (~$0.15)
highstakes analyze --model z-ai/glm-5.2                 # Different model
highstakes analyze --no-llm                             # Static only, no API key

Visualize

highstakes dashboard                                    # HTML dashboard (browser)
heatmap                                              # Terminal TUI

Query

highstakes get <file>                                   # Score + reasoning
highstakes list --tier high --limit 10                  # Filter files
highstakes report                                       # Distribution report

All commands support --json for machine-readable output.

Example: heatmap get
$ highstakes get python/openshell/sandbox.py

python/openshell/sandbox.py  πŸ”₯πŸ”₯ HIGH  (score: 73)

Blast Radius (LLM-assessed):
  Sandbox management and execution failures could compromise
  isolation, leading to security breaches or service outage.
  Reason: Sandbox isolation is a security boundary.
  Security: 95  Data: 90  Availability: 90  User: 90

Risk Factors:
  Dependency Centrality:  8 (1 imports)
  Change Frequency:       0 (0 commits/90d)
  Complexity:             100 (cyclomatic: 53)

Review: 2 reviewers, ~45 min, auto-merge blocked
Example: highstakes list --tier high
$ highstakes list --tier high --limit 5

πŸ”₯πŸ”₯  73  python/openshell/sandbox.py       Sandbox isolation breach risk
πŸ”₯πŸ”₯  72  python/openshell/_proto/...       Import failures in security-critical logic
πŸ”₯πŸ”₯  69  crates/.../runtime.rs             Host network misconfiguration, VM failures
πŸ”₯πŸ”₯  67  crates/.../disposition.rs         Corrupted security event values
πŸ”₯πŸ”₯  65  crates/.../embedded_runtime.rs    Complete loss of VM functionality

PR Risk

highstakes pr check                                     # Score diff vs main
highstakes pr check --base dev --json                   # For CI pipelines

Incidents

highstakes incident create --file src/auth.rs \
  --severity high --description "Token bypass"
highstakes incident list

CI / PR Integration

Run highstakes github install to generate the workflow, or add it manually:

GitHub Action: PR triage comments
# .github/workflows/heatmap-triage.yml
name: HighStakes Triage
on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  pull-requests: write
  contents: read

jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: actions/setup-go@v5
        with:
          go-version: '1.25'

      - name: Install heatmap
        run: go install github.com/zanetworker/highstakes/cmd/heatmap@latest

      - name: Analyze and check PR
        env:
          OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
        run: |
          highstakes init
          highstakes analyze
          highstakes pr check --base origin/${{ github.base_ref }} --json > pr-risk.json

      - name: Post risk comment
        uses: actions/github-script@v7
        with:
          script: |
            const risk = JSON.parse(require('fs').readFileSync('pr-risk.json','utf8'));
            const e = {critical:'πŸ”₯πŸ”₯πŸ”₯',high:'πŸ”₯πŸ”₯',medium:'πŸ”₯',low:'🟒'};
            let body = '## '+e[risk.tier]+' HighStakes: '+risk.tier.toUpperCase()+'\n\n';
            body += '| File | Score | Tier | Lines |\n|------|-------|------|-------|\n';
            for (const f of risk.files_changed.sort((a,b)=>b.heat_score-a.heat_score))
              body += '| '+f.path+' | '+f.heat_score+' | '+e[f.tier]+' '+f.tier+' | +'+f.lines_added+'/-'+f.lines_deleted+' |\n';
            body += '\n**Review:** '+risk.review_requirements.min_reviewers+' reviewers';
            if (risk.review_requirements.requires_senior) body += ' (senior)';
            body += ', auto-merge: '+(risk.review_requirements.auto_merge?'βœ…':'❌')+'\n';
            const comments = await github.rest.issues.listComments({
              owner:context.repo.owner, repo:context.repo.repo, issue_number:context.issue.number});
            const existing = comments.data.find(c=>c.body.includes('HighStakes:'));
            if (existing) await github.rest.issues.updateComment({
              owner:context.repo.owner, repo:context.repo.repo, comment_id:existing.id, body});
            else await github.rest.issues.createComment({
              owner:context.repo.owner, repo:context.repo.repo, issue_number:context.issue.number, body});
Block merge on HIGH/CRITICAL files

Add a required status check that fails when the PR touches high-risk files:

      - name: Gate on risk tier
        run: |
          TIER=$(jq -r .tier pr-risk.json)
          if [ "$TIER" = "critical" ] || [ "$TIER" = "high" ]; then
            echo "::error::PR touches $TIER-tier files. Requires senior review before merge."
            exit 1
          fi

Then in Settings > Branches > Branch protection rules, add triage as a required status check. PRs touching critical or high files cannot merge until the check passes (i.e., a senior reviewer approves and the step is skipped or overridden).

Use in any CI (GitLab, Jenkins, etc.)

The CLI is the interface. Any CI that can run a binary works:

# Install
go install github.com/zanetworker/highstakes/cmd/heatmap@latest

# Analyze (uses cache, only re-assesses changed files)
export OPENROUTER_API_KEY="$OPENROUTER_KEY"
highstakes init && highstakes analyze

# Check PR risk (exit code reflects tier)
highstakes pr check --base origin/main --json > risk.json

# Use the output
TIER=$(jq -r .tier risk.json)
SCORE=$(jq -r .heat_score risk.json)
FILES=$(jq -r '.files_changed | length' risk.json)

echo "PR risk: $TIER ($SCORE), $FILES files changed"

# Fail pipeline on high/critical
if [ "$TIER" = "critical" ] || [ "$TIER" = "high" ]; then
  echo "Requires human review"
  exit 1
fi

What the PR comment looks like:

## πŸ”₯πŸ”₯ HighStakes: HIGH

| File | Heat | Tier | Lines |
|------|------|------|-------|
| ⚠️ src/auth/oidc.rs | 63 | πŸ”₯πŸ”₯ HIGH | +45/-12 |
| ⚠️ src/sandbox/proxy.rs | 63 | πŸ”₯πŸ”₯ HIGH | +8/-3 |
| βœ“ src/tui/theme.rs | 6 | 🟒 LOW | +2/-1 |

### ⚠️ Circuit Breaker Signals
- Large diff (>500 lines)

### Review Requirements
- **Reviewers**: 2 (senior)
- **Security Scan**: Required
- **Auto-Merge**: ❌ Blocked
- **Est. Review Time**: 60 min

Agent Introspection

highstakes agent-context

Machine-readable JSON of all commands, flags, exit codes, and models. Built for AI agents to discover the CLI surface programmatically.

Models

One OpenRouter API key, any model. Assessments cached by content hash; re-runs only re-assess changed files.

Model Cost / 500 files Best For
deepseek/deepseek-v4-flash ~$0.15 Default, cheapest
deepseek/deepseek-v4-pro ~$0.50 Best accuracy/dollar
z-ai/glm-5.2 ~$3-5 Frontier open-weights
openai/gpt-5.4-mini ~$0.90 Safest JSON
google/gemini-3-flash ~$0.50 Fastest

Exit Codes

Code Meaning
0 Success
1 Internal error
2 Invalid input
3 External dependency failure
4 Not found

Requirements

  • Go 1.25+
  • Git
  • OPENROUTER_API_KEY (optional with --no-llm)

Related

License

MIT

About

AI writes code faster than you can review it. HighStakes reads your codebase, scores every file by blast radius, and tells you where human review matters and where AI can handle the rest.

Topics

Resources

License

Stars

10 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages