Score the reach and risk of a code diff before you merge it. Flags diffs that touch auth, commit secrets, delete tests, change CI/CD, or widen dependencies -- offline, as a pre-merge gate or a Claude Code skill.
Keywords: code review, AI code review, diff risk, pre-merge gate, secret detection, CI security, blast radius, change risk, DevSecOps, Claude Code, Codex, agent guardrails, pull request automation.
An agent stops when the diff looks done, and a plausible-looking diff is the most common way a real problem slips through (the trust-then-verify gap). The danger of a change is not its size. A two-line edit to authentication, an accidentally committed key, or a quietly deleted test outranks a large mechanical refactor. Reviewers and gates need the reach measured, not assumed.
blast-radius reads a unified diff and reports which high-reach signals fired, the overall scope, and a severity, so review effort matches actual risk and an unattended run can refuse to merge a dangerous change on its own.
- Secrets committed in the diff (AWS keys, private keys, GitHub tokens,
api_key/token/passwordassignments) -- critical. - Authentication / session / OAuth paths -- high.
- Deleted or gutted tests (removing tests to make a build pass) -- high.
- CI/CD, Dockerfiles, deploy changes -- high.
- Database migrations and infrastructure as code -- high.
- Dependency manifests and lockfiles -- medium (supply-chain reach).
- Large changes (many files or lines) raise the scope to service or global.
No dependencies. Python 3.10+.
git clone https://github.com/aharwelik/blast-radius
cd blast-radiusgit diff | python -m blastradius score
# or a saved diff:
python -m blastradius score examples/risky.diffOutput on the bundled risky example:
blast-radius: severity=critical scope=service
files=3 dirs=3 lines=9
high-reach signals:
- secret committed in diff (src/auth/login.py)
- touches authentication (src/auth/login.py)
- deletes a test file (tests/test_login.py)
- changes a dependency manifest or lockfile (requirements.txt)
Exit code is 1 when severity meets the --fail-on threshold (default high),
so it gates a merge. Verify a diff as a change receipt:
git diff | python -m blastradius score --receipt | python -m pco verify -mkdir -p ~/.claude/skills/blast-radius
cp skill/SKILL.md ~/.claude/skills/blast-radius/SKILL.mdThen ask Claude to "score the blast radius of this diff before merging."
This implements the Blast-Radius declaration of the proof-carrying-ops model: the reach of a change must be measured before the change is accepted, because the same request can produce a local or a global edit and the cost of accepting an unmeasured global one is not proportional to the agent's average quality.
The signals are transparent rules, not a verdict that the change is wrong. A high score means "look closely", not "reject"; a low score is not a correctness guarantee. Pair it with tests. Example diffs use documentation-only placeholder secrets.
Standard library only, tested on Python 3.10 through 3.13, no-emoji guard in CI.
Anthony Harwelik -- [email protected] -- https://github.com/aharwelik
MIT. See LICENSE.