Graphbit PRFlow - AI code reviewer that catches what others miss
by•
Your AI teammate that reviews every pull request before it ships.
Tested on 10 real projects, PRFlow found 7 critical security issues where competitors found zero.
Learns your team's standards over time. Pay per review, not per seat.
Replies
Rust core + Python bindings is the combo I've been waiting for — most frameworks pick one or compromise
GraphBit
@novamaker01 That's exactly the tradeoff we made. Rust owns the execution and routing layer, Python owns everything that needs flexibility and ecosystem access. Neither compromises the other
GraphBit
@novamaker01 Exactly the tradeoff we were aiming for. Rust for execution and routing, Python for flexibility and ecosystem access.
Congrats! Does PRFlow reuse its cross file context across multiple PRs to speed up?
GraphBit
@owen_shaw2 Thanks, Owen. Yes, partially. PRFlow reuses repository memory and previously indexed context across PRs, so it avoids starting from zero each time. That helps reduce repeated context-building work, while the current PR still gets a fresh review.
GraphBit
@owen_shaw2 Fresh context per PR by design, stale context from previous merges would actually hurt accuracy more than help speed.
What persists across PRs is the memory layer: team corrections, false positive flags, and coding preferences. That's what improves over time, not the runtime.
Latency sits at 1 to 3 minutes regardless. Consistency has been the bigger win than speed for most teams 🙏
What’s one real issue PRFlow caught that you’ve never seen another tool flag?
GraphBit
@wyatt_carter XSS vulnerability that spanned three files- a Ruby controller, an HTML template, and a JavaScript file. The bug only existed in how they connected, not in any single file in isolation.
Every other tool we tested on the same PR found zero issues. PRFlow caught it because it traces the function that changed and follows its dependencies across the whole PR.
That one finding is what convinced us we were building something genuinely different
GraphBit
@wyatt_carter One was an XSS issue spread across a Ruby controller, an HTML template, and a JavaScript file. Nothing looked obviously broken in isolation, but the data flow across the three files created the vulnerability. PRFlow caught it because it traced the change across dependencies, while the other tools we tested on that PR found zero issues.
How long does the minutes promise take for a 500+ line PR, Musa?
GraphBit
@antonio_manuel1 Thanks. The exact time depends on file count, PR complexity, and how much cross-file context needs to be pulled in, but the architecture is built to keep even larger PRs in the minutes range(0-3 minutes) through single-pass review and token-budgeted context handling.
GraphBit
@antonio_manuel1 @rupak_chandra_bhowmick Rupak covered the technical side well. Short version, single pass architecture means we're not making multiple round trips, which is what keeps larger PRs in the same range
Does PRFlow post comments as a bot or as a check summary on GitHub?
GraphBit
@peyton_perez Thanks. It posts as a bot on the PR, with a review summary and inline comments when needed. Not just as a check summary.
GraphBit
@peyton_perez Exactly, inline comments directly on the PR, not just a check summary. So your team can reply, discuss, and resolve right in the thread where the code lives
As a solo dev who reviews my own PRs (building FinTrackrr, a free personal finance tracker), I miss critical issues all the time. The idea of an AI teammate that learns your team's coding standards and catches security issues that humans miss is genuinely valuable. The pay-per-review pricing model is smart — especially for solo devs and small teams without enterprise budgets. Does it support Python codebases or is it primarily focused on JS/TS?
GraphBit
@asim_saeed1 Thanks. Yes, it supports Python. PRFlow is not limited to JS/TS, and Python is one of the main codebase types we’ve been building and testing it around. Also, just to clarify on pricing, our plans are currently token-based, so when you buy a plan you get a graphbit coin allocation rather than being charged separately per individual use.
GraphBit
@asim_saeed1 Solo devs reviewing their own code is actually one of the use cases we care most about, you're the ones with the least margin for error and the least backup.
Python is fully supported and one of the stacks we've tested most heavily. The auth bypass we caught in our benchmark was in a Python codebase.
Coin-based means you buy what you need and use it at your own pace. No monthly seat pressure
GraphBit
Hey Product Hunt! 👋 Thrilled to be here on launch day.
I'm Junaid Hossain, one of the makers behind PRFlow, and I want to share why we built this.
We kept hitting the same wall: AI code reviewers that catch nothing meaningful on the first pass, flood your PR with noise, and feel completely different run to run. Consistency was broken at the foundation.
PRFlow is our answer to that. It doesn't just scan diffs, it traces the exact function that changed and follows it across cross-file dependencies in a single pass. That's how it caught 7 critical security issues, including an XSS vulnerability spanning a Ruby model, an HTML template, and a JavaScript file, where competitors found zero.
What makes it different in practice:
Every PR gets a structured review, every time, not just when you're lucky
It learns your team's standards from feedback, so noise goes down over time automatically
Pay per review, not per seat. Therefore, no bloated contracts for a tool you're still evaluating
We benchmarked on 10 real public PRs. Some of the reviews are live on GitHub. You can read them right now.
Would love for you to install it on a real repo and tell us what you think. We read every single comment. 🙏
Quick question: does GraphBit support connecting to self-hosted or open-source LLMs (like Ollama or local Llama models), or is it limited to cloud API providers like OpenAI and Anthropic? Thinking about use cases where data can't leave the network.
GraphBit
@aanchal_dahiya GraphBit is model-agnostic by design and on-prem deployment is supported. For data-sensitive use cases, the architecture allows local tokenization before any LLM contact. Self-hosted models including local Llama setups can be connected. Happy to walk through the specifics if you want to share more about your setup.
GraphBit
@aanchal_dahiya Right now, it is limited to cloud API providers.
The current supported path is Anthropic, Azure OpenAI, and OpenAI, not Ollama or local/self-hosted Llama models today. But self-hosted models including local Llama setups can be connected. Would love to know your setup.
The 'deterministic baseline' angle is what caught my attention. Most AI reviewers feel like a black box that gives different results run to run. How do you handle PRs that touch generated code or vendored files? Those often create a lot of noise in reviews.
GraphBit
@christian_knaut Generated files and vendored dependencies are detected and skipped automatically before the review even starts. Lockfiles, protobufs, minified code, migration files; PRFlow classifies them and excludes them from the review scope. The model only sees code your team actually wrote
GraphBit
@christian_knaut Thanks. We filter a lot of that noise up front.
Generated or vendored paths can be excluded through file filters and repo-level ignore rules, so the review stays focused on real code changes.
GraphBit
Hey Product Hunt! I’m Rupak, one of the makers behind Graphbit PRFlow.
We built PRFlow to make pull request reviews faster, more reliable, and more context-aware, so teams can catch real issues before code ships.
It reviews PRs inside GitHub, leaves clear actionable comments, supports follow-up conversations on the PR, and gets better context over time from repository and conversation memory.
Happy to answer questions about how it works, what kinds of issues it catches and other technical functionalities.