AI code reviewer with SonarQube simulation, blast radius analysis, and smart model routing

# cascade-review
AI-powered code reviewer that catches what others miss.
Build-breaker prevention. SonarQube-grade checks. Blast radius analysis.
Works with 8 LLM providers. Zero cost to start.

```bash
pip install cascade-review
git diff | cascade
```
## What it does

Most AI code reviewers give you comments. Cascade gives you impact — and catches builds that would break in CI before you push.

```text
──────────────────────────────────────────────────────────
cascade-review                    github.com/vyshakhgnair/cascade-review

CHANGE SUMMARY
  Added token refresh logic to authenticate_user(). Extends
  session handling with a new remember_me parameter.
  Type: LOGIC   ⚠ Auth path changed — affects all logged-in users

⛔ SECRETS DETECTED
  CRITICAL  [API Key] in config/settings.py
            api_key = "sk-proj-xxxxxxxxxxxxxxxxxxx..."

REGRESSION RISK
  8/10 ████████░░ CRITICAL
  › Security-sensitive file: auth/login.py
  › 3 files depend on authenticate_user()

BLAST RADIUS
  Changed: authenticate_user, refresh_token
  Risk: HIGH
  → routes/dashboard.py uses authenticate_user
  → middleware/guard.py uses authenticate_user
  → api/v2/token.py uses refresh_token

SONARQUBE SIMULATION
  CRITICAL  S2077  SQL built from user input — use parameterised queries  [30min]
  MAJOR     S3776  Cognitive complexity 18 exceeds threshold of 15         [1h]
  MINOR     S1481  Variable "tmp" assigned but never used                  [2min]

🚧 BUILD BREAKERS
  HIGH      [MISSING_DEP]       'redis' imported but not in requirements.txt
  CRITICAL  [CASE_SENSITIVITY]  Import 'Utils' — actual file is 'utils.py' (breaks on Linux CI)
  WARNING   [LOCKFILE_DRIFT]    package.json changed but lock file not updated
──────────────────────────────────────────────────────────
```
## Why Cascade is different

| Feature | Cascade | CodeRabbit | PR-Agent | SonarQube |
|---|---|---|---|---|
| Build-breaker prevention | ✅ 8 checks | ❌ | ❌ | ❌ |
| Code redaction (privacy) | ✅ | ❌ | ❌ | n/a |
| Blast radius analysis | ✅ | ❌ | ❌ | ❌ |
| SonarQube rule simulation | ✅ | ❌ | ❌ | ✅ paid |
| Regression risk score | ✅ | ❌ | ❌ | ❌ |
| AI-generated code detection | ✅ | ❌ | ❌ | ❌ |
| Architecture drift check | ✅ | ❌ | ❌ | ❌ |
| Version conflict detection | ✅ | ❌ | ❌ | ❌ |
| Review policy as code | ✅ | ✅ | ❌ | ✅ |
| Works fully offline | ✅ | ❌ | ❌ | ❌ |
| Pre-commit hook | ✅ | ❌ | ❌ | ❌ |
| Audit trail (SOC 2) | ✅ | ❌ | ❌ | ✅ |
| Cost | $0 | $24/mo | Self-host | Enterprise |
| Supports 8 LLM providers | ✅ | ❌ | Partial | ❌ |
Cascade catches builds that would break in CI — no other code reviewer does this.
## Quick start

```bash
pip install cascade-review

# Review current changes (static only, no API key needed)
git diff | cascade --no-llm

# Review staged changes
cascade --staged

# Full review with LLM (free with Groq)
export GROQ_API_KEY=your-key-here
git diff | cascade

# Use a specific provider
cascade --provider anthropic --model claude-sonnet-4-6

# Output as markdown (for PR comments)
git diff | cascade --output markdown

# HTML dashboard report
git diff | cascade --output html > report.html

# Privacy mode — redact code before sending to LLM
git diff | cascade --redact

# CI mode — fail if critical findings exist
git diff | cascade --no-llm --severity-gate high
```
## Build-breaker prevention

Cascade's unique feature — catches things that pass code review but explode in CI:

| Check | What it catches |
|---|---|
| `MISSING_DEP` | Imported package not in requirements.txt / package.json |
| `DEV_IN_PROD` | devDependency used in production code |
| `CASE_SENSITIVITY` | File imports that work on Mac/Windows but break on Linux CI |
| `DELETED_SYMBOL` | Function/class removed but still imported elsewhere |
| `PLATFORM_PATH` | Hardcoded `C:\` or `/Users/` paths |
| `LOCKFILE_DRIFT` | package.json changed but lock file not updated |
| `LARGE_FILE` | Binary or data file accidentally committed |
| `MISSING_ENV_VAR` | Env var used in code but not in .env.example |
## Code redaction (privacy)

Don't trust your LLM provider with proprietary code? Use `--redact`:

```python
# Before redaction:
api_key = "sk-prod-abc123"
price = 99.99

# What the LLM sees:
api_key = "STR_1"
price = NUM_2
```

Structure is preserved for accurate review. Values never leave your machine.
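What a tokeniser-based redaction step of this kind amounts to, as an added example (not cascade-review's implementation; the sample source is constructed): literals become `STR_n` / `NUM_n` placeholders, the surrounding layout stays byte-for-byte identical so line numbers in findings still line up, and the placeholder map stays local so findings can be mapped back to the real values.

```python
import io
import re
import tokenize

# Constructed sample: code with literals that should not reach a cloud LLM.
SOURCE = '''\
api_key = "sk-prod-abc123"
price = 99.99
if price > 50 and api_key.startswith("sk-"):
    retries = 3
'''
PLACEHOLDER_RE = re.compile(r'"?\b((?:STR|NUM)_\d+)\b"?')

def redact(source: str) -> tuple[str, dict[str, str]]:
    """Replace string/number literals with STR_n / NUM_n, keeping everything else verbatim.

    Tokenising (rather than regex) leaves identifiers and layout untouched and the
    result still parses. Caveat: comments and, on 3.12+, f-string bodies are different
    token types and pass through, so a production redactor must cover those too.
    Returns the redacted text and the placeholder -> original map, which stays local.
    """
    lines = source.splitlines(keepends=True)
    line_start = [0]
    for ln in lines:
        line_start.append(line_start[-1] + len(ln))

    def offset(pos):  # tokenizer (row, col) -> index into source
        return line_start[pos[0] - 1] + pos[1]

    pieces, mapping, last, n = [], {}, 0, 0
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type not in (tokenize.STRING, tokenize.NUMBER):
            continue
        n += 1
        name = f"{'STR' if tok.type == tokenize.STRING else 'NUM'}_{n}"
        mapping[name] = tok.string
        repl = f'"{name}"' if tok.type == tokenize.STRING else name  # strings stay quoted
        pieces.append(source[last:offset(tok.start)] + repl)
        last = offset(tok.end)
    pieces.append(source[last:])
    return "".join(pieces), mapping

def restore(text: str, mapping: dict[str, str]) -> str:
    """Map placeholders in LLM output (or the redacted code) back to real values, locally."""
    return PLACEHOLDER_RE.sub(lambda m: mapping.get(m.group(1), m.group(0)), text)
```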
## Supported providers

```bash
cascade --list-providers   # See all providers and their status
```

| Provider | Free tier | Privacy | Notes |
|---|---|---|---|
| Ollama | ✅ Free (local) | ✅ Local | Offline, private, no quota |
| Groq | ✅ 30K TPM | ⚠ Check ToS | Fastest cloud inference |
| OpenRouter | ✅ 29 free models | ⚠ Check ToS | Frontier models at no cost |
| DeepSeek | ✅ Free tier | ⚠ Check ToS | Strong reasoning |
| Gemini | ✅ Free tier | ⚠ Check ToS | Gemini Flash / Pro |
| Mistral | ✅ Free tier | ✅ No-train | Fast, European |
| Anthropic | Paid | ✅ No-train | Claude Sonnet / Opus |
| OpenAI | Paid | ✅ No-train | GPT-4o, o1 |
Privacy labels: local = nothing leaves your machine, no-train = provider won't train on your inputs, check ToS = free tier may use inputs for training.
Cascade warns you when using providers with unclear privacy policies.
## Configuration

```bash
cascade --init   # Creates .cascade.yml in your repo
```

`.cascade.yml`:

```yaml
models:
  local:
    provider: ollama
    model: qwen2.5-coder:3b
  mid:
    provider: groq
    model: llama-3.3-70b-versatile
    api_key_env: GROQ_API_KEY
  frontier:
    provider: anthropic
    model: claude-sonnet-4-6
    api_key_env: ANTHROPIC_API_KEY

routing:
  local_max_lines: 50     # < 50 lines → local model
  mid_max_lines: 200      # 50-200 lines → mid tier
  force_tier: auto        # or: local / mid / frontier

review:
  severity_threshold: warning
  exclude: [migrations/, vendor/, node_modules/]
```
### Team config inheritance (monorepos)

Place a root `.cascade.yml` at the repo root, then override per-package:

```text
my-monorepo/
  .cascade.yml            ← root config (shared settings)
  packages/
    api/
      .cascade.yml        ← overrides for API package
    frontend/
      .cascade.yml        ← overrides for frontend
```

Package configs deep-merge with root — you only override what's different.
## Review policy as code

Create `.cascade-rules.yml` to enforce team standards:

```yaml
rules:
  - name: no-console-log
    message: "Remove console.log before merging"
    files: "\\.(js|ts|tsx)$"
    pattern: "console\\.log\\("
    severity: WARNING

  - name: no-debugger
    message: "Debugger statement left in code"
    pattern: "\\bdebugger\\b"
    severity: HIGH

  - name: no-axios-in-services
    message: "Use the shared HTTP client, not raw axios"
    files: "services/"
    forbidden_imports: ["axios"]
    severity: WARNING

  - name: max-file-size
    message: "File too large — consider splitting"
    max_lines: 500
    severity: WARNING

  - name: tests-required
    message: "Test file should include at least one assertion"
    files: "(test_|spec\\.|__test)"
    require: "(assert|expect|should)"
    severity: HIGH
```

See `examples/cascade-rules.yml` for more.
## Pre-commit hook

```bash
cascade --hook install     # Install pre-commit hook
cascade --hook uninstall   # Remove it
```

Runs static analysis on staged changes before every commit. Blocks commits with high-severity findings.
## Audit trail (SOC 2)

```bash
git diff | cascade --audit                                    # Log to .cascade/audit.jsonl
git diff | cascade --audit --audit-path logs/reviews.jsonl    # Custom path
```

Every review is logged as a JSON line:

```json
{
  "timestamp": "2026-06-25T18:19:08Z",
  "version": "0.2.0",
  "provider": "groq",
  "model": "llama-3.3-70b-versatile",
  "redacted": false,
  "files_reviewed": ["auth/login.py"],
  "findings": {"secrets": 0, "sonar": 3, "build_breakers": 1, "bugs": 0},
  "severities": {"CRITICAL": 1, "MAJOR": 2},
  "regression_risk": {"score": 6, "level": "HIGH"}
}
```
## CI / GitHub Action

```yaml
# .github/workflows/cascade.yml
name: Cascade Review
on:
  pull_request:
    types: [opened, synchronize]

jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: vyshakhgnair/cascade-review@v1
        with:
          groq_api_key: ${{ secrets.GROQ_API_KEY }}
          output_format: markdown
          severity_gate: high
          fail_on_secrets: true
```

Add `GROQ_API_KEY` to repo secrets (free at console.groq.com).
### Other CI platforms
## Output formats

| Format | Flag | Use case |
|---|---|---|
| Terminal | `--output terminal` | Local development (default) |
| Markdown | `--output markdown` | PR comments |
| HTML | `--output html` | Shareable dashboard report |
| SARIF | `--output sarif` | GitHub Security tab |
| JSON | `--output json` | Programmatic consumption |
## Smart routing

- < 50 lines → local Ollama 3B (instant, private, zero quota)
- 50–200 lines → Groq 70B (fast, free tier)
- 200+ lines → OpenRouter/Claude (full context, deepest reasoning)

Auto-fallback when quotas run out. Override anytime: `cascade --tier frontier`
## What Cascade checks

**Static analysis** — instant, works offline, no API key:
- SonarQube rule simulation (Python + JS/TS — S1192, S2077, S3776, S1481, S106 and more)
- Secret / credential detection (15+ patterns — API keys, AWS, Stripe, GitHub, SSH keys)
- Blast radius — which files break if this change fails
- Regression risk score (1–10)
- Architecture drift (naming, layer violations, broad exceptions, god classes, circular imports)
- Build-breaker prevention (8 checks)
- Version conflict detection (cross-workspace / monorepo)
- Review policy enforcement (.cascade-rules.yml)

**LLM analysis** — requires a model:
- Plain English change summary (LOGIC / REFACTOR / FEATURE / BUGFIX / CONFIG / TEST / DOCS)
- Bug and logic error detection
- AI-generated code detection
- Fix suggestions with effort estimates
## Exit codes

| Code | Meaning |
|---|---|
| 0 | Clean — no blocking findings |
| 1 | Error — could not parse diff |
| 2 | Secrets detected |
| 3 | Severity gate failed |
## All CLI flags

```bash
cascade --version                     # Show version
cascade --staged                      # Review staged changes only
cascade --no-llm                      # Static analysis only
cascade --redact                      # Strip literals before sending to LLM
cascade --provider groq               # Override LLM provider
cascade --model llama-3.3-70b         # Override model
cascade --tier frontier               # Force model tier
cascade --output html                 # terminal / markdown / sarif / json / html
cascade --severity-gate high          # Fail if findings >= severity
cascade --audit                       # Write audit trail
cascade --audit-path path/log.jsonl   # Custom audit log path
cascade --hook install                # Install pre-commit hook
cascade --hook uninstall              # Remove pre-commit hook
cascade --list-providers              # Show providers and key status
cascade --init                        # Create .cascade.yml
```
## Contributing

```bash
git clone https://github.com/vyshakhgnair/cascade-review
cd cascade-review
pip install -e ".[dev]"
pytest
```
## License

MIT — use it, fork it, build on it.
Built by Vyshakh G Nair — cascade-review
File details
Details for the file cascade_review-0.2.1.tar.gz.
File metadata
- Download URL: cascade_review-0.2.1.tar.gz
- Upload date:
- Size: 42.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | bb6df9c1ff830073d2651e5799bf8d3635d2751d00ed0ef9d7fc75569bd0b009 |
| MD5 | 1857ca2271b37cd46121436844e28612 |
| BLAKE2b-256 | aac4ccfecda03ab3a64b862a6b0cf86730c1c59beaffcb39ae915dccb960c719 |
File details
Details for the file cascade_review-0.2.1-py3-none-any.whl.
File metadata
- Download URL: cascade_review-0.2.1-py3-none-any.whl
- Upload date:
- Size: 47.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes

| Algorithm | Hash digest |
|---|---|
| SHA256 | 50e906d7c7225cb0e1a780a6e5ac8022051f6e1af1425679b7eb0da5507f6715 |
| MD5 | 5bcebbb23d243aeac141f85639b6e323 |
| BLAKE2b-256 | f5508321352eb1e626db50ad3fefc4c17cc49b104ff36136e9a37ed6531362ee |