Architectural review · v2.0.2
Ship architectural changes with confidence.
Seven review modes, twenty compliance frameworks, six-persona fan-out. CKB-grounded deterministic checks plus LLM semantic reasoning. MIT-licensed, 221 tests passing, works with any Git repository.
| Metric | Value |
|---|---|
| Review modes | 7 |
| Compliance frameworks | 20 |
| CKB quality checks | 131 |
| Tests passing | 221 |
| Code smell recall | 86.7 % |
| Zero-LLM modes | 3 / 7 |
One tool, seven lenses
Each mode combines CKB's deterministic code intelligence with optional LLM semantic reasoning. Three modes don't call a model at all — offline-friendly, reproducible, free to run.
Single-Responsibility violations pinpointed; AI-proposed abstractions with generated test contracts.
Twenty structural checks on branch diffs in ~5 s. Smart early exit on clean PRs, suggested reviewers, effort estimation.
Eight risk factors scored against twenty frameworks — GDPR, HIPAA, ISO 27001, SOC 2, PCI DSS, EU AI Act, DORA.
Dead code, test gaps, complexity hotspots, coupling, secrets, circular dependencies — one score.
Hotspots, temporal coupling, bus factor, six-persona fan-out via SwarmWire, code smells at 86.7 % recall, phased roadmaps with a What-If simulator.
Unwired code, semantic duplicates, misplaced responsibility, pattern inconsistencies, API design, unnecessary complexity — per-check quality sections.
N+1 queries, memory leaks, O(n²) hot loops, blocking I/O, over-fetching. Hot-path identification via CKB hotspots; impact estimates plus fix suggestions.
One scan, cross-mapped
Every finding maps automatically to every regulation it violates. PCI DSS, NIST 800-53, SOC 2, OWASP ASVS, ISO 27001 — one finding, one audit trail, every jurisdiction.
| Category | Frameworks |
|---|---|
| Privacy | GDPR · CCPA · ISO 27701 |
| AI Governance | EU AI Act |
| Security | ISO 27001 · NIST 800-53 · OWASP ASVS · SOC 2 · HIPAA |
| Industry | PCI DSS · DORA · NIS2 · FDA 21 CFR 11 · EU CRA |
| Supply Chain | SBOM / SLSA |
| Safety | IEC 61508 · ISO 26262 · DO-178C |
| Standards | MISRA · IEC 62443 |
Parallel review, one merge
The Refactor Plan mode fans a single input out to six named personas via SwarmWire. Each one returns a typed findings object; a post-merge contract validates file paths, severity, and description quality before anything reaches the dashboard.
| Persona | Focus |
|---|---|
| Security Architect | AuthZ boundaries, secrets, SBOM hygiene |
| Performance Engineer | Hot paths, allocation, I/O concurrency |
| Junior Developer | Readability, naming, onboarding friction |
| API Designer | Surface area, versioning, idempotency |
| Test Engineer | Coverage gaps, flake, determinism |
| Data Engineer | Schema coupling, migrations, lineage |
Backed by the nyxCore persona engine. Budget enforced; dry-run before every fan-out.
Meet the team where they work
Auto-post review comments on pull requests, upload SARIF 2.1.0 to GitHub Code Scanning.
`archreview --mode pr-review --ci` in any pipeline. Exit codes, streaming progress, deterministic gates.
Inline diagnostics, sidebar tree, status-bar health score. Review without leaving the editor.
POST to trigger, poll for status. Integrate with any review or ticket tool. Budgets enforced.
What this is not
Ipcha Mistabra wrote this section. Before you spin ArchReview up in CI, know what it will and will not do for you.
Disclosure
ArchReview changes the signal-to-noise ratio; a senior still sets the bar. Clean PRs exit in seconds, but the interesting ones still land in your queue — and a flagged finding is a prompt for a human, never a verdict.
The 20-framework mapping tells your auditor where to look, not what to conclude. ArchReview outputs prepare an audit; they do not replace a human-signed attestation. If your compliance team expects a PDF that closes a control, this is not that tool.
The 226 passing tests prove the engine runs without crashing. They do not prove every reported SRP violation, coupling bridge, or dead-code candidate is correct. Treat flagged items as prompts for a senior, not as signal you can merge on.
Quick start
Node 20+, CKB on PATH, one API key for the mode you pick (Risk Audit and Health Check need zero keys). That is the whole setup.
```
# Global install
npm install -g archreview

# Or run without installing
npx archreview --mode health-check .

# Or from source
git clone https://github.com/SimplyLiz/archreview
cd archreview && npm install
python3 launch.py   # server + web, auto-finds free ports
```
Before you push it into CI
Start with the Health Check mode on a representative branch. Calibrate thresholds, pin the review-persona set you actually want, then enable the quality gate. Skipping the calibration turns the tool into a drive-by noise generator — which is exactly the outcome we built it to replace.
Metis says: the first week is calibration, not blame.