
AI code reviewer with SonarQube simulation, blast radius analysis, and smart model routing

Project description

cascade-review

AI-powered code reviewer that catches what others miss.
Build-breaker prevention. SonarQube-grade checks. Blast radius analysis.
Works with 8 LLM providers. Zero cost to start.

PyPI License: MIT Python 3.9+

pip install cascade-review
git diff | cascade

What it does

Most AI code reviewers give you comments. Cascade gives you impact — and catches builds that would break in CI before you push.

──────────────────────────────────────────────────────────
  cascade-review  github.com/vyshakhgnair/cascade-review

  CHANGE SUMMARY
  Added token refresh logic to authenticate_user(). Extends
  session handling with a new remember_me parameter.
  Type: LOGIC  ⚠ Auth path changed — affects all logged-in users

  ⛔ SECRETS DETECTED
  CRITICAL  [API Key] in config/settings.py
  api_key = "sk-proj-xxxxxxxxxxxxxxxxxxx..."

  REGRESSION RISK
  8/10  ████████░░  CRITICAL
  › Security-sensitive file: auth/login.py
  › 3 files depend on authenticate_user()

  BLAST RADIUS
  Changed: authenticate_user, refresh_token
  Risk: HIGH
  → routes/dashboard.py   uses authenticate_user
  → middleware/guard.py   uses authenticate_user
  → api/v2/token.py       uses refresh_token

  SONARQUBE SIMULATION
  CRITICAL   S2077  SQL built from user input — use parameterised queries  [30min]
  MAJOR      S3776  Cognitive complexity 18 exceeds threshold of 15        [1h]
  MINOR      S1481  Variable "tmp" assigned but never used                 [2min]

  🚧 BUILD BREAKERS
  HIGH       [MISSING_DEP]      'redis' imported but not in requirements.txt
  CRITICAL   [CASE_SENSITIVITY] Import 'Utils' — actual file is 'utils.py' (breaks on Linux CI)
  WARNING    [LOCKFILE_DRIFT]   package.json changed but lock file not updated
──────────────────────────────────────────────────────────

Why Cascade is different

Feature Cascade CodeRabbit PR-Agent SonarQube
Build-breaker prevention ✅ 8 checks
Code redaction (privacy) n/a
Blast radius analysis
SonarQube rule simulation ✅ paid
Regression risk score
AI-generated code detection
Architecture drift check
Version conflict detection
Review policy as code
Works fully offline
Pre-commit hook
Audit trail (SOC 2)
Cost $0 $24/mo Self-host Enterprise
Supports 8 LLM providers Partial

Cascade catches builds that would break in CI — no other code reviewer does this.


Quick start

pip install cascade-review

# Review current changes (static only, no API key needed)
git diff | cascade --no-llm

# Review staged changes
cascade --staged

# Full review with LLM (free with Groq)
export GROQ_API_KEY=your-key-here
git diff | cascade

# Use a specific provider
cascade --provider anthropic --model claude-sonnet-4-6

# Output as markdown (for PR comments)
git diff | cascade --output markdown

# HTML dashboard report
git diff | cascade --output html > report.html

# Privacy mode — redact code before sending to LLM
git diff | cascade --redact

# CI mode — fail if critical findings exist
git diff | cascade --no-llm --severity-gate high

Build-breaker prevention

Cascade's unique feature — catches things that pass code review but explode in CI:

Check              What it catches
MISSING_DEP        Imported package not in requirements.txt / package.json
DEV_IN_PROD        devDependency used in production code
CASE_SENSITIVITY   File imports that work on Mac/Windows but break on Linux CI
DELETED_SYMBOL     Function/class removed but still imported elsewhere
PLATFORM_PATH      Hardcoded C:\ or /Users/ paths
LOCKFILE_DRIFT     package.json changed but lock file not updated
LARGE_FILE         Binary or data file accidentally committed
MISSING_ENV_VAR    Env var used in code but not in .env.example
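As an added illustration of what a MISSING_DEP check has to get right (this is not the cascade-review implementation), the Python below compares imports on added diff lines against requirements.txt, skipping stdlib, relative and first-party imports; the diff, requirements file and the import-to-distribution alias table are constructed for the example.

```python
import re
import sys
from typing import List, Set

# Constructed sample inputs (not from the cascade-review project): a diff
# adding imports to auth/login.py, and the repo's requirements.txt.
SAMPLE_DIFF = """\
+++ b/auth/login.py
+import redis
+import json
+from requests import Session
+from . import utils
"""
SAMPLE_REQUIREMENTS = "requests>=2.31\nPyYAML==6.0  # config loader\n"

# Added lines that introduce a Python import; captures the module name.
IMPORT_RE = re.compile(r"^\+\s*(?:import\s+([\w.]+)|from\s+([\w.]+)\s+import\b)")
# Some packages import under a different name than they are distributed;
# a small alias table avoids false positives (extend as needed).
IMPORT_TO_DIST = {"yaml": "pyyaml", "PIL": "pillow", "sklearn": "scikit_learn"}
# sys.stdlib_module_names exists on Python 3.10+; fall back to a tiny set.
STDLIB = set(getattr(sys, "stdlib_module_names", ())) or {"os", "sys", "re", "json"}

def requirement_names(requirements: str) -> Set[str]:
    """Lowercase requirement names with specifiers and comments stripped."""
    names = set()
    for line in requirements.splitlines():
        m = re.match(r"[A-Za-z0-9_.-]+", line.split("#", 1)[0].strip())
        if m:
            names.add(m.group(0).lower().replace("-", "_"))
    return names

def find_missing_deps(diff: str, requirements: str, local_modules=()) -> List[str]:
    """Top-level modules imported on added lines but absent from requirements."""
    declared = requirement_names(requirements)
    missing = set()
    for line in diff.splitlines():
        m = IMPORT_RE.match(line)
        if not m:
            continue
        mod = (m.group(1) or m.group(2)).split(".")[0]
        if not mod or mod in STDLIB or mod in local_modules:
            continue  # relative import, stdlib module, or first-party package
        dist = IMPORT_TO_DIST.get(mod, mod).lower().replace("-", "_")
        if dist not in declared:
            missing.add(mod)
    return sorted(missing)
```

Running `find_missing_deps(SAMPLE_DIFF, SAMPLE_REQUIREMENTS)` reports only `redis`: `json` is stdlib, `requests` is declared, and the relative import is ignored.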

Code redaction (privacy)

Don't trust your LLM provider with proprietary code? Use --redact:

# Before redaction:
api_key = "sk-prod-abc123"
price = 99.99

# What the LLM sees:
api_key = "STR_1"
price = NUM_2

Structure is preserved for accurate review. Values never leave your machine.
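An added example, not the project's own redactor, of how literal-only redaction can be done with Python's tokenize module so that identifiers and structure survive and the placeholder map never leaves the machine; the sample source is the snippet above.

```python
import io
import tokenize
from typing import Dict, List, Tuple

# Constructed sample matching the snippet above (not the project's code).
SAMPLE = 'api_key = "sk-prod-abc123"\nprice = 99.99\n'

def redact_python(source: str) -> Tuple[str, Dict[str, str]]:
    """Replace every string and number literal with STR_n / NUM_n.

    Returns the redacted source and the placeholder -> literal map; the map
    stays on the local machine, only the redacted text would go to the LLM.
    Identifiers and structure are untouched. Caveats: comments are not
    literals, so a secret pasted into a comment is NOT removed by this
    pass, and on Python 3.12+ f-strings tokenize as FSTRING_* tokens and
    are left as-is.
    """
    # Absolute offset of each line start, to turn (row, col) into an index.
    offsets = [0]
    for line in io.StringIO(source):  # same line splitting as the tokenizer
        offsets.append(offsets[-1] + len(line))

    def pos(rc: Tuple[int, int]) -> int:
        return offsets[rc[0] - 1] + rc[1]

    mapping: Dict[str, str] = {}
    spans: List[Tuple[int, int, str]] = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.STRING:
            kind = "STR"
        elif tok.type == tokenize.NUMBER:
            kind = "NUM"
        else:
            continue
        placeholder = f"{kind}_{len(mapping) + 1}"
        mapping[placeholder] = tok.string
        # A string placeholder stays quoted so the redacted code still parses.
        text = f'"{placeholder}"' if kind == "STR" else placeholder
        spans.append((pos(tok.start), pos(tok.end), text))

    # Splice from the end so earlier offsets stay valid; absolute offsets
    # also make multi-line (triple-quoted) literals a single replacement.
    redacted = source
    for start, end, text in reversed(spans):
        redacted = redacted[:start] + text + redacted[end:]
    return redacted, mapping
```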


Supported providers

cascade --list-providers   # See all providers and their status
Provider     Free tier            Privacy        Notes
Ollama       ✅ Free (local)      ✅ Local        Offline, private, no quota
Groq         ✅ 30K TPM           ⚠ Check ToS    Fastest cloud inference
OpenRouter   ✅ 29 free models    ⚠ Check ToS    Frontier models at no cost
DeepSeek     ✅ Free tier         ⚠ Check ToS    Strong reasoning
Gemini       ✅ Free tier         ⚠ Check ToS    Gemini Flash / Pro
Mistral      ✅ Free tier         ✅ No-train     Fast, European
Anthropic    Paid                 ✅ No-train     Claude Sonnet / Opus
OpenAI       Paid                 ✅ No-train     GPT-4o, o1

Privacy labels: local = nothing leaves your machine, no-train = provider won't train on your inputs, check ToS = free tier may use inputs for training.

Cascade warns you when using providers with unclear privacy policies.


Configuration

cascade --init   # Creates .cascade.yml in your repo

.cascade.yml:

models:
  local:
    provider: ollama
    model: qwen2.5-coder:3b

  mid:
    provider: groq
    model: llama-3.3-70b-versatile
    api_key_env: GROQ_API_KEY

  frontier:
    provider: anthropic
    model: claude-sonnet-4-6
    api_key_env: ANTHROPIC_API_KEY

routing:
  local_max_lines: 50    # < 50 lines → local model
  mid_max_lines: 200     # 50-200 lines → mid tier
  force_tier: auto       # or: local / mid / frontier

review:
  severity_threshold: warning
  exclude: [migrations/, vendor/, node_modules/]

Team config inheritance (monorepos)

Place a root .cascade.yml at the repo root, then override per-package:

my-monorepo/
  .cascade.yml           ← root config (shared settings)
  packages/
    api/
      .cascade.yml       ← overrides for API package
    frontend/
      .cascade.yml       ← overrides for frontend

Package configs deep-merge with root — you only override what's different.


Review policy as code

Create .cascade-rules.yml to enforce team standards:

rules:
  - name: no-console-log
    message: "Remove console.log before merging"
    files: "\\.(js|ts|tsx)$"
    pattern: "console\\.log\\("
    severity: WARNING

  - name: no-debugger
    message: "Debugger statement left in code"
    pattern: "\\bdebugger\\b"
    severity: HIGH

  - name: no-axios-in-services
    message: "Use the shared HTTP client, not raw axios"
    files: "services/"
    forbidden_imports: ["axios"]
    severity: WARNING

  - name: max-file-size
    message: "File too large, consider splitting"
    max_lines: 500
    severity: WARNING

  - name: tests-required
    message: "Test file should include at least one assertion"
    files: "(test_|spec\\.|__test)"
    require: "(assert|expect|should)"
    severity: HIGH

See examples/cascade-rules.yml for more.
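An added example (not cascade-review's rule engine) showing how the rule keys above (`files`, `pattern`, `forbidden_imports`, `max_lines`, `require`) can be evaluated against a set of changed files. The rules are the YAML rules copied as Python dicts so no YAML parser is needed, and the sample files are constructed; `files` is treated as a search regex over the path and `require` as an inverted check.

```python
import re

# Rules mirroring the .cascade-rules.yml above as plain dicts, so this
# example needs no YAML parser (a real loader would use yaml.safe_load).
RULES = [
    {"name": "no-console-log", "message": "Remove console.log before merging",
     "files": r"\.(js|ts|tsx)$", "pattern": r"console\.log\(", "severity": "WARNING"},
    {"name": "no-axios-in-services", "message": "Use the shared HTTP client, not raw axios",
     "files": "services/", "forbidden_imports": ["axios"], "severity": "WARNING"},
    {"name": "max-file-size", "message": "File too large, consider splitting",
     "max_lines": 500, "severity": "WARNING"},
    {"name": "tests-required", "message": "Test file should include at least one assertion",
     "files": r"(test_|spec\.|__test)", "require": r"(assert|expect|should)", "severity": "HIGH"},
]
# Constructed changed files (path -> content), not from any real repo.
SAMPLE_FILES = {
    "src/ui/app.tsx": 'console.log("debug");\nexport const a = 1;\n',
    "services/billing.js": "import axios from 'axios';\n",
    "tests/test_login.py": "def test_login():\n    login()\n",
    "src/big.py": "x = 1\n" * 600,
}

def imports_module(content: str, module: str) -> bool:
    """Detect ES-module, CommonJS and Python imports of `module`."""
    m = re.escape(module)
    patterns = (rf"""from\s+['"]{m}['"]""", rf"""require\(\s*['"]{m}['"]""",
                rf"^\s*(?:import|from)\s+{m}\b")
    return any(re.search(p, content, re.M) for p in patterns)

def evaluate(rules, files) -> list:
    """Return (severity, rule name, path, message) for each violation."""
    findings = []
    for rule in rules:
        file_re = re.compile(rule.get("files", ""))  # no `files` key: every path
        for path, content in files.items():
            if not file_re.search(path):
                continue
            hit = False
            if "pattern" in rule:
                hit = re.search(rule["pattern"], content, re.M) is not None
            elif "forbidden_imports" in rule:
                hit = any(imports_module(content, x) for x in rule["forbidden_imports"])
            elif "max_lines" in rule:
                hit = len(content.splitlines()) > rule["max_lines"]
            elif "require" in rule:  # inverted: violation when the pattern is absent
                hit = re.search(rule["require"], content, re.M) is None
            if hit:
                findings.append((rule["severity"], rule["name"], path, rule["message"]))
    return findings
```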


Pre-commit hook

cascade --hook install     # Install pre-commit hook
cascade --hook uninstall   # Remove it

Runs static analysis on staged changes before every commit. Blocks commits with high-severity findings.


Audit trail (SOC 2)

git diff | cascade --audit                          # Log to .cascade/audit.jsonl
git diff | cascade --audit --audit-path logs/reviews.jsonl  # Custom path

Every review is logged as a JSON line:

{
  "timestamp": "2026-06-25T18:19:08Z",
  "version": "0.2.0",
  "provider": "groq",
  "model": "llama-3.3-70b-versatile",
  "redacted": false,
  "files_reviewed": ["auth/login.py"],
  "findings": {"secrets": 0, "sonar": 3, "build_breakers": 1, "bugs": 0},
  "severities": {"CRITICAL": 1, "MAJOR": 2},
  "regression_risk": {"score": 6, "level": "HIGH"}
}
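An added defender-side example, not part of cascade-review, that reads an audit log in the format above and flags two exposure conditions: unredacted code sent to a provider whose free tier has an unclear training policy (the "check ToS" rows in the provider table), and a diff in which a secret was detected that was sent unredacted to any remote provider. It assumes the entry's `redacted` flag reflects what was actually sent; the audit lines and provider privacy map are constructed from the tables on this page.

```python
import json
from typing import List, Tuple

# Privacy labels taken from the provider table above (lowercased provider ids).
PROVIDER_PRIVACY = {
    "ollama": "local", "mistral": "no-train", "anthropic": "no-train", "openai": "no-train",
    "groq": "check-tos", "openrouter": "check-tos", "deepseek": "check-tos", "gemini": "check-tos",
}

# Constructed audit lines in the format shown above; not real reviews.
# The last line is deliberately malformed to exercise the parser.
SAMPLE_AUDIT = """\
{"timestamp": "2026-06-25T18:19:08Z", "version": "0.2.0", "provider": "groq", "model": "llama-3.3-70b-versatile", "redacted": false, "files_reviewed": ["auth/login.py"], "findings": {"secrets": 0, "sonar": 3, "build_breakers": 1, "bugs": 0}, "severities": {"CRITICAL": 1, "MAJOR": 2}, "regression_risk": {"score": 6, "level": "HIGH"}}
{"timestamp": "2026-06-25T18:25:40Z", "version": "0.2.0", "provider": "anthropic", "model": "claude-sonnet-4-6", "redacted": false, "files_reviewed": ["config/settings.py"], "findings": {"secrets": 1, "sonar": 0, "build_breakers": 0, "bugs": 0}, "severities": {"CRITICAL": 1}, "regression_risk": {"score": 8, "level": "CRITICAL"}}
{"timestamp": "2026-06-25T18:30:02Z", "version": "0.2.0", "provider": "ollama", "model": "qwen2.5-coder:3b", "redacted": false, "files_reviewed": ["docs/README.md"], "findings": {"secrets": 0, "sonar": 0, "build_breakers": 0, "bugs": 0}, "severities": {}, "regression_risk": {"score": 1, "level": "LOW"}}
{not valid json}
"""

def parse_audit(text: str) -> Tuple[List[dict], int]:
    """Parse JSON lines; return (entries, number of malformed lines skipped)."""
    entries, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return entries, bad

def privacy_exceptions(entries: List[dict]) -> List[Tuple[str, str, str]]:
    """Flag reviews whose source left the machine under a weak guarantee.

    unclear-tos:    unredacted code sent to a provider that may train on inputs.
    secret-exposed: a detected secret was in a diff sent unredacted to any
                    remote provider, so the literal itself went out.
    """
    flagged = []
    for e in entries:
        label = PROVIDER_PRIVACY.get(e.get("provider", ""), "unknown")
        if e.get("redacted") or label == "local":
            continue  # redacted, or nothing left the machine
        if label in ("check-tos", "unknown"):
            flagged.append((e["timestamp"], e["provider"], "unclear-tos"))
        if e.get("findings", {}).get("secrets", 0) > 0:
            flagged.append((e["timestamp"], e["provider"], "secret-exposed"))
    return flagged
```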

CI / GitHub Action

# .github/workflows/cascade.yml
name: Cascade Review
on:
  pull_request:
    types: [opened, synchronize]

jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: read
      security-events: write

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: vyshakhgnair/cascade-review@v1
        with:
          groq_api_key: ${{ secrets.GROQ_API_KEY }}
          output_format: markdown
          severity_gate: high
          fail_on_secrets: true

Add GROQ_API_KEY to repo secrets (free at console.groq.com).


Output formats

Format Flag Use case
Terminal --output terminal Local development (default)
Markdown --output markdown PR comments
HTML --output html Shareable dashboard report
SARIF --output sarif GitHub Security tab
JSON --output json Programmatic consumption

Smart routing

< 50 lines   → local Ollama 3B    (instant, private, zero quota)
50–200 lines → Groq 70B           (fast, free tier)
200+ lines   → OpenRouter/Claude  (full context, deepest reasoning)

Auto-fallback when quotas run out. Override anytime: cascade --tier frontier


What Cascade checks

Static analysis — instant, works offline, no API key:

  • SonarQube rule simulation (Python + JS/TS — S1192, S2077, S3776, S1481, S106 and more)
  • Secret / credential detection (15+ patterns — API keys, AWS, Stripe, GitHub, SSH keys)
  • Blast radius — which files break if this change fails
  • Regression risk score (1–10)
  • Architecture drift (naming, layer violations, broad exceptions, god classes, circular imports)
  • Build-breaker prevention (8 checks)
  • Version conflict detection (cross-workspace / monorepo)
  • Review policy enforcement (.cascade-rules.yml)

LLM analysis — requires a model:

  • Plain English change summary (LOGIC / REFACTOR / FEATURE / BUGFIX / CONFIG / TEST / DOCS)
  • Bug and logic error detection
  • AI-generated code detection
  • Fix suggestions with effort estimates

Exit codes

Code Meaning
0 Clean — no blocking findings
1 Error — could not parse diff
2 Secrets detected
3 Severity gate failed

All CLI flags

cascade --version                    # Show version
cascade --staged                     # Review staged changes only
cascade --no-llm                     # Static analysis only
cascade --redact                     # Strip literals before sending to LLM
cascade --provider groq              # Override LLM provider
cascade --model llama-3.3-70b        # Override model
cascade --tier frontier              # Force model tier
cascade --output html                # terminal / markdown / sarif / json / html
cascade --severity-gate high         # Fail if findings >= severity
cascade --audit                      # Write audit trail
cascade --audit-path path/log.jsonl  # Custom audit log path
cascade --hook install               # Install pre-commit hook
cascade --hook uninstall             # Remove pre-commit hook
cascade --list-providers             # Show providers and key status
cascade --init                       # Create .cascade.yml

Contributing

git clone https://github.com/vyshakhgnair/cascade-review
cd cascade-review
pip install -e ".[dev]"
pytest

License

MIT — use it, fork it, build on it.


Built by Vyshakh G Nair

Download files

Source Distribution: cascade_review-0.2.1.tar.gz (42.1 kB)
Built Distribution: cascade_review-0.2.1-py3-none-any.whl (47.5 kB)

File details: cascade_review-0.2.1.tar.gz (Source, 42.1 kB), uploaded via twine/6.2.0 on CPython/3.12.10, Trusted Publishing: No.


File details: cascade_review-0.2.1-py3-none-any.whl (Python 3, 47.5 kB), uploaded via twine/6.2.0 on CPython/3.12.10, Trusted Publishing: No.
