Devlog

Building Axiomo in public. Follow along as we ship.

Launching on Product Hunt

Today we're launching Axiomo on Product Hunt. We've been building in public for about a month, shipping fast and iterating on real feedback.

Since our first commit, we've shipped a full analysis pipeline, GitHub App integration with Check Runs, multi-provider OAuth, a public showcase of 1500+ real PR signals, and a CLI. All built by a solo developer with AI pair programming.

Axiomo doesn't review your code. It gives you the context to review it yourself: contributor history, risk drivers, intent analysis, and focus files. Every score has an explanation. Nothing is a black box.

Free for all public repos. No limits. No signup required. Just paste a PR URL.

GitHub App: Check Runs and Auto-Analysis

The GitHub App now creates Check Runs on every PR. Install axiomo-app on your repo and every opened or updated PR gets an "Axiomo Signal" check with a pass/neutral/fail conclusion mapped from the review recommendation. A PR comment with the full signal summary is posted alongside.

Made it always-on for installed repos. If the app is installed on your org but you haven't configured anything, it just works with sensible defaults. No setup required beyond clicking Install.

Rewired webhook processing to run synchronously, since Vercel's serverless runtime kills background tasks once the response is sent. Web scans now use a two-request pattern through a progress page to stay within the same serverless constraints.

Also consolidated the codebase: merged route files, removed dead code, and cut about 400 lines. Fewer files, same functionality.

Rate Limiting and Batch Analysis

Added global rate limiting middleware across all non-webhook endpoints. Redis-backed, per-IP, with sensible defaults. Webhooks are exempt so GitHub App events always get processed.

Improved the batch analysis script for loading showcase PRs. Added retry logic for flaky connections, a --max-new flag to stop after N new analyses, and automatic resume so it skips already-stored PRs. About 460 of 1500 showcase PRs are loaded so far.

Cross-concern Spread and Copy-paste Detection

Two new structural heuristics in the analyzer pipeline. The first detects cross-concern spread: when a single PR touches three or more unrelated functional domains like authentication, payments, and documentation. The signal tells you what domains are involved so you can decide if the PR should be split.

The second flags large vendored or copy-pasted code blocks. If a file has 200+ consecutive added lines and no test file was changed anywhere in the PR, that's a risk driver. It catches bulk-pasted code that slipped in without coverage.

Both feed into the risk scorer with 0.15 weight each. Complementary to the existing directory-spread and test-gap checks - these look at semantic domains and contiguous block size rather than raw file counts.
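As an added illustration (not Axiomo's own analyzer code), here are both heuristics written out over a constructed PR file list: the domain rules, test-file regex and diff representation are assumptions, while the thresholds (three or more domains, 200+ consecutive added lines, no test file changed, 0.15 weight each) are the ones described above.

```python
import re

# Constructed domain rules (assumption: Axiomo's real taxonomy is not on the page).
DOMAIN_RULES = [
    (re.compile(r"(^|/)(auth|login|sessions?)/"), "authentication"),
    (re.compile(r"(^|/)(billing|payments?)/"), "payments"),
    (re.compile(r"(^|/)docs?/|\.md$"), "documentation"),
]
# Conventional test-file locations; a match means "a test file was changed".
TEST_RE = re.compile(r"(^|/)tests?/|(^|/)test_[^/]+\.py$|\.(test|spec)\.[jt]sx?$")

def cross_concern_spread(files, min_domains=3):
    """Fires when the PR touches three or more unrelated functional domains."""
    domains = {name for path, _ in files for rx, name in DOMAIN_RULES if rx.search(path)}
    if len(domains) >= min_domains:
        return {"driver": "cross_concern_spread", "weight": 0.15,
                "domains": sorted(domains)}
    return None

def longest_added_run(markers):
    """Length of the longest run of consecutive '+' lines in one file's diff."""
    best = cur = 0
    for m in markers:
        cur = cur + 1 if m == "+" else 0
        best = max(best, cur)
    return best

def vendored_block(files, min_run=200):
    """Fires on a 200+ line contiguous addition when no test file changed."""
    if any(TEST_RE.search(path) for path, _ in files):
        return None
    runs = {path: longest_added_run(markers) for path, markers in files}
    big = {p: n for p, n in runs.items() if n >= min_run}
    return {"driver": "vendored_block", "weight": 0.15, "files": big} if big else None

def structural_risk(files):
    """Score contribution (sum of firing weights, capped at 1.0) and the drivers."""
    drivers = [d for d in (cross_concern_spread(files), vendored_block(files)) if d]
    return round(min(1.0, sum(d["weight"] for d in drivers)), 2), drivers

# Constructed sample PR as (path, markers): one marker per diff line in order,
# "+" added, "-" removed, " " context. Three domains, one bulk paste, no tests.
SAMPLE_PR = [
    ("src/auth/token.py", "+" * 12 + "-" * 3),
    ("src/payments/stripe.py", " " * 4 + "+" * 8),
    ("docs/README.md", "+" * 5),
    ("src/vendor/minified_lib.py", "  " + "+" * 240 + "-"),
]

if __name__ == "__main__":
    print(structural_risk(SAMPLE_PR))
```

Adding a single test file to the sample PR silences the vendored-block driver, which is exactly the "slipped in without coverage" case the heuristic targets.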

CLI Store and Smarter Intent Analysis

The CLI now has a store command. Run axiomo analyze <pr-url> --store and the signal gets saved permanently to your account, same as a web scan. Useful for CI pipelines and scripted workflows.

Consolidated intent analysis into a single LLM call. Previously we made separate calls for goal extraction, acceptance criteria, and criteria evaluation. Now it's one structured prompt that returns everything at once - faster, cheaper, and more coherent results. The Intent section is also visually highlighted in the signal view.

Refreshed the homepage example scans with more interesting real-world PRs and updated risk labels.

Performance and Polish

Hunted down N+1 query patterns across the app and added missing database indexes. History page, dashboard, and scan list all load noticeably faster now.

Improved site responsiveness across the board - better mobile layouts, tighter spacing on small screens, smoother transitions.

Removed Cloudflare Turnstile CAPTCHA. It was adding friction to the analyze flow without meaningful spam protection at our current scale. We'll revisit if abuse becomes an issue.

API Keys and Status Page

Axiomo now has a proper API. Generate keys from Settings, then hit POST /api/analyze with your PR URL. Returns the same structured signal as JSON. Works with private repos too - we use your connected provider tokens.

New public /status page shows real-time health of all services: database, cache, LLM providers, git providers, and external integrations. Green means healthy.

Public repo scans no longer count against your monthly limit. Analyze as many open source PRs as you want. Scan deduplication means re-analyzing the same commit returns cached results instantly.

GitHub-style Design System

Migrated the entire UI to a GitHub-inspired design system. Pure white backgrounds in light mode, GitHub's blue-tinted dark in dark mode. Higher density, cleaner borders, no shadows.

Feels native to developers who live in GitHub all day. The goal is to blend in with your workflow, not stand out from it.

Review Requests and Account Linking

New /review-requests page shows all PRs where you're requested as a reviewer. One place to see what needs your attention across all connected providers. No more hunting through separate GitHub, GitLab, and Bitbucket inboxes.

Signal views now show dynamic provider icons - GitHub's octocat, GitLab's tanuki, or Bitbucket's logo depending on where the PR lives. Small polish that makes multi-provider workflows clearer at a glance.

Also improved account linking: if you sign in with GitHub and later add GitLab using the same email, your accounts merge automatically. One Axiomo account, multiple connected providers.

Multi-Provider Authentication

Axiomo now supports sign-in with GitHub, GitLab, and Bitbucket. Use whichever platform hosts your code. The sign-in dropdown in the nav bar shows all three options.

Each provider uses OAuth 2.0 with proper state validation and secure token handling. Your access token is stored encrypted and used only to fetch PR data from your repositories. We request minimal scopes - just enough to read PRs and user info.

Also moved all service credentials from environment variables to database storage. The only env var needed now is DATABASE_URL. Everything else - API keys, OAuth secrets, feature flags - lives in the app_settings table with in-memory caching.

Why we're building Axiomo

Code review is broken. Not the tooling - GitHub, GitLab, and the rest have excellent diff UIs. The problem is humans.

We've all been there: a 50-file PR lands in your queue. The author is someone you've never worked with. CI is green, but you don't know what the tests actually cover. You should review it properly. You won't.

AI-assisted development made this worse. Copilot, Cursor, Claude - they're all producing more code, faster, than any human can meaningfully inspect. The result? Approvals driven by fatigue. Rubber-stamped reviews. Bugs and security holes that slip through because nobody had time to look carefully.

Existing "AI code review" tools don't solve this. They summarize diffs. They leave style comments. Most are noise. They try to replace your judgment instead of informing it.

Axiomo takes a different approach. We don't review your code - we give you the context to review it yourself. Who is this contributor? What's their track record? What are they trying to do? What's the risk? What evidence exists? Where should you focus?

Every risk score has explicit drivers. Every recommendation has a rationale. Nothing is a black box. You still make the decision - you just make it with actual information instead of vibes and fatigue.

We're building this in public because we believe the best tools are shaped by their users. Follow along, give us feedback, and help us build something that actually works.

Webhooks and Policy Engine

Big release today. Axiomo now supports GitHub webhooks for automatic PR analysis. Configure a webhook on your repo, and every PR gets analyzed the moment it's opened or updated. No more manual URL pasting.

Also shipped the policy engine. Define governance rules in a simple DSL - require tests for large PRs, flag changes to sensitive paths, warn when CI is missing. Policies are stored per-user and can be attached to any repo configuration.

The analyzer pipeline now runs eight analyzers in dependency order: metadata extraction, contributor context, diff analysis, sensitive path detection, evidence extraction, supply chain analysis, risk scoring, and policy evaluation. All wired together with a proper DAG executor.

Sensitive Paths and Repo Configuration

Added the ability to configure sensitive paths per repository. Mark paths like src/auth/, *.env*, or infrastructure/** as high-risk, and the analyzer will flag any PRs that touch them.
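To show how patterns like the three above behave against a PR's changed files, here is an added example (not Axiomo's own matcher) that compiles each sensitive-path pattern to an anchored regex and reports the hits; the matching rules are an assumption modelled on gitignore-style globs, and the configuration and file list are constructed.

```python
import re

def pattern_to_regex(pattern):
    """Compile one sensitive-path pattern to an anchored regex.

    Matching rules are an assumption modelled on gitignore-style globs:
    "**" spans any number of segments, "*" and "?" stay within one segment,
    a trailing "/" means everything under that directory, and a pattern
    with no "/" is matched against the basename at any depth.
    """
    anchored = "/" in pattern.rstrip("/")
    if pattern.endswith("/"):
        pattern += "**"
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):      # zero or more whole segments
            parts.append("(?:[^/]+/)*")
            i += 3
        elif pattern.startswith("**", i):     # rest of the path, any depth
            parts.append(".*")
            i += 2
        else:
            c = pattern[i]
            parts.append({"*": "[^/]*", "?": "[^/]"}.get(c, re.escape(c)))
            i += 1
    prefix = "" if anchored else "(?:.*/)?"
    return re.compile("^" + prefix + "".join(parts) + "$")

def flag_sensitive(changed_paths, patterns):
    """Map each changed path to the patterns it matches; unmatched paths are omitted."""
    compiled = [(p, pattern_to_regex(p)) for p in patterns]
    hits = {}
    for path in changed_paths:
        matched = [p for p, rx in compiled if rx.match(path)]
        if matched:
            hits[path] = matched
    return hits

# Constructed repo configuration and PR file list for the demo.
SENSITIVE = ["src/auth/", "*.env*", "infrastructure/**", "**/secrets.yaml"]
CHANGED = [
    "src/auth/token.py", "src/ui/button.tsx", "config/.env.production",
    "infrastructure/prod/main.tf", "k8s/base/secrets.yaml", "src/environment.py",
]

if __name__ == "__main__":
    for path, pats in flag_sensitive(CHANGED, SENSITIVE).items():
        print(f"{path}: matched {pats}")
```

Note that `*.env*` matches `config/.env.production` but not `src/environment.py`, and `src/auth/` does not match `src/authz/`: the anchoring keeps a broad-looking pattern from flagging unrelated files.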

The settings page now has a full repo configuration UI. Toggle auto-analysis, add sensitive path patterns, assign policies. Everything persists to Postgres and gets loaded when analyzing PRs from authenticated users.

Dashboard and Usage Tracking

Shipped the user dashboard. See your recent scans, usage stats, and quick actions all in one place. The dashboard shows PRs analyzed this month, breakdown by repository, and recent signal history with one-click access.

Added usage tracking under the hood. Every scan increments counters in the database, and we track monthly usage against plan limits. Free tier gets 25 scans per month. The groundwork for paid plans is in place.

GitHub OAuth and User Accounts

Authentication is live. Sign in with GitHub to save your scan history and configure repositories. OAuth flow handles token exchange securely, and sessions are stored in encrypted cookies.

User data lives in Postgres on Neon. The schema tracks users, sessions, signals, and repo configurations. Everything is tied together with proper foreign keys and cascade deletes. No orphaned data.

Initial Launch

Axiomo is live. Paste any public GitHub PR URL and get a structured analysis in seconds. The core pipeline extracts metadata, analyzes contributor history, computes risk scores, and identifies focus files.

Built with FastAPI, Jinja2, HTMX, and Tailwind. The signal view renders all the analysis in a clean, scannable format. Risk drivers are explicit, contributor context is surfaced, and the top files to review are highlighted.

No signup required for public repos. Just paste a URL and go.