PR Impact Analyzer

---
description: Analyze PR changes and generate a risk assessment report
allowed-tools: Bash(git *), Read, Glob, Grep, Write
---

# PR Impact Analyzer

Analyze the current branch's changes against the base branch, evaluating test coverage, dependency impact, API surface changes, and security implications. Generate an HTML risk assessment report to support informed merge decisions.

## Arguments

- `$ARGUMENTS` — the base branch to compare against (default: `main`)

## Steps

1. **Identify changed files.** Run:
   ```
   git diff ${ARGUMENTS:-main}...HEAD --name-only
   ```
   Categorize each changed file: source code, tests, config, docs, migrations, CI/CD.

2. **Analyze test coverage impact.** For each changed source file:
   - Check if a corresponding test file exists
   - If it does, check whether the test file was also modified in this PR (tests updated for the change)
   - Flag changed source files with no corresponding test changes as "untested changes"
   - Run `git diff ${ARGUMENTS:-main}...HEAD -- <test-files>` to see if any test assertions were removed (coverage regression)

3. **Trace dependency impact.** For each changed file:
   - Find all files that import/require the changed file (grep for the import path)
   - Build a "blast radius" — the transitive set of files that depend on the changed code
   - Flag if the blast radius includes critical paths (auth, payments, data models)

4. **Check API surface changes.** Look for:
   - New or modified route handlers (endpoint additions/changes)
   - Changed request/response types or validation schemas
   - Modified middleware (affects all routes)
   - Changed database models or migration files
   - Modified GraphQL schemas or resolvers
   - Changed public exports from library modules

5. **Security assessment.** Flag if changes touch:
   - Authentication or authorization code
   - Cryptography or token generation
   - Input validation or sanitization
   - SQL queries or database access patterns
   - File system operations with user-provided paths
   - Environment variable handling
   - CORS or CSP configuration
   - Dependencies (check for new deps, version changes)

6. **Size and complexity metrics.** Calculate:
   - Total lines added / removed / modified
   - Number of files changed
   - Largest single-file diff (potential review bottleneck)
   - Number of new dependencies introduced

7. **Generate HTML report.** Create `pr-impact-report.html` with:

   ### Header
   - Branch name, base branch, commit count, overall risk score (Low/Medium/High/Critical)

   ### Risk Dashboard
   - Four cards: Test Coverage Risk, Blast Radius, API Surface Changes, Security Flags
   - Each card has a color-coded indicator and a count of findings

   ### Detailed Findings
   - **Untested Changes**: table of changed files missing test coverage
   - **Blast Radius**: tree visualization showing changed files → direct dependents → transitive dependents
   - **API Changes**: before/after comparison of any modified endpoints or types
   - **Security Flags**: each finding with severity, file location, and what to verify during review

   ### Review Checklist
   - Auto-generated checklist of things the reviewer should verify, based on the findings
   - E.g., "Verify the new /api/users endpoint requires authentication" or "Confirm the database migration is reversible"

   ### Summary
   - One-paragraph executive summary suitable for pasting into the PR description

8. **Open the report.** Run `open pr-impact-report.html`.

## Rules

- Use `git diff ...HEAD` (three-dot) to compare only the PR's changes, not unrelated changes on the base branch.
- Do not flag test-only changes as risky — they improve the codebase.
- Weight security-related changes higher than other changes of the same size.
- If the PR is a pure refactor (no behavior change), note this and lower the risk score accordingly.
- The auto-generated review checklist should be specific to THIS PR, not generic boilerplate.