PRism — Documentation

1. What Is PRism?

PRism is an AI-powered pre-deployment risk gate that analyses every pull request before it ships. It runs 4 specialist agents in parallel:

Agent	What It Checks	Example Finding
Diff Analyst	Code changes — removed safety nets, risky patterns	"Retry logic removed from payment_service.py"
History Agent	Past incidents on the same files	"payment_service.py caused 3 P1 incidents in the last 90 days"
Coverage Agent	Test coverage impact of the PR	"Net coverage delta: −12% — tests were deleted"
Timing Agent	Deploy window risk (Friday 5 PM, holidays, etc.)	"Deployment scheduled for Friday 4:50 PM — high incident window"

These agent scores are weighted and combined into a Deployment Confidence Score (0–100):

≥ 70 → ✅ Greenlight — safe to deploy
< 70 or any agent returns critical → 🚫 Blocked — risk brief + rollback playbook generated

PRism surfaces results in three places:

GitHub PR comment — automated via GitHub Actions
VS Code sidebar — live risk assessment in the IDE
API endpoint — programmatic access for custom integrations

2. Architecture Overview

PRism consists of a Setup Platform (this portal) and an Orchestrator that coordinates a set of specialised AI agents. The platform is a standalone FastAPI app that handles onboarding; the orchestrator is an independent service that processes webhook events.

┌──────────────────────────────────────────────────┐
│                 GitHub Repository                │
│   PR opened / updated ──► GitHub Actions fires   │
└────────────────────────┬─────────────────────────┘
                         │ POST /analyze
                         ▼
┌──────────────────────────────────────────────────┐
│              PRism FastAPI Backend                │
│         (Azure Container Apps or local)           │
│                                                  │
│  ┌────────────┐ ┌──────────────┐ ┌────────────┐ │
│  │Diff Analyst│ │History Agent │ │Coverage Agt│ │
│  └─────┬──────┘ └──────┬───────┘ └─────┬──────┘ │
│        │    ┌──────────┐│               │        │
│        │    │Timing Agt││               │        │
│        │    └─────┬────┘│               │        │
│        └──────┬───┴─────┴───────────────┘        │
│               ▼                                  │
│        ┌─────────────┐                           │
│        │Verdict Agent│ ── Azure OpenAI (optional)│
│        └─────┬───────┘                           │
│              │                                   │
│  ┌───────────┴────────────────────────────────┐  │
│  │ Foundry Governance (optional)              │  │
│  │  ∘ Content Safety  ∘ Tracing  ∘ Guardrails │  │
│  └────────────────────────────────────────────┘  │
└────────────────────────┬─────────────────────────┘
                         │ VerdictReport JSON
              ┌──────────┼──────────┐
              ▼          ▼          ▼
        PR Comment   VS Code    API Consumer
                     Sidebar

Note: The setup platform and the orchestrator are completely decoupled. The platform knows the orchestrator only as an external URL configured via PRISM_ORCHESTRATOR_URL.

3. Prerequisites

Requirement	Minimum Version	Purpose
Python	3.12+	Backend server
pip	Latest	Package management
Git	2.x	Clone repo, detect branches
Node.js	18+	VS Code extension build (optional)
Azure CLI	2.x	Azure resource provisioning (optional)
Docker	20+	Container deployment (optional)

Optional (for full Azure integration): An Azure subscription with permissions to create resources and a GitHub account with repo admin access (for Actions workflows).

4. Quick Start (5 Minutes — No Azure)

PRism is designed to work without any Azure resources. All Azure features degrade gracefully — the pipeline never crashes due to missing credentials.

4.1 — Clone and Install

git clone https://github.com/soni-ishan/PRism.git
cd PRism
pip install -r requirements.txt

4.2 — Create a Minimal `.env`

# Only needed if you want live GitHub data fetching
GITHUB_TOKEN=ghp_your_token_here

4.3 — Start the Server

uvicorn agents.orchestrator.server:app --reload --port 8000

4.4 — Test It

# Health check
curl http://localhost:8000/health
# → {"status": "ok", "service": "prism"}

# Run an analysis
curl -X POST http://localhost:8000/analyze \
  -H "Content-Type: application/json" \
  -d '{
    "pr_number": 46,
    "repo": "your-org/your-repo",
    "changed_files": ["payment_service.py", "utils/retry.py"],
    "diff": "- retry_count=3\n+ pass",
    "timestamp": "2026-03-07T16:50:00Z"
  }'

What Works Without Azure

Feature	Without Azure	With Azure
4-agent parallel analysis	✅ Full	✅ Full
Confidence scoring	✅ Full	✅ Full
Greenlight/Blocked decision	✅ Full	✅ Full
Risk brief	✅ Deterministic template	✅ LLM-enhanced (GPT-4o)
Rollback playbook	✅ Deterministic template	✅ LLM-enhanced
Content safety filtering	⬜ Skipped	✅ Azure Content Safety
Observability / tracing	⬜ Skipped	✅ Application Insights
Audit trail	⬜ Skipped	✅ AI Foundry evaluation API
History Agent (past incidents)	✅ Mock data	✅ Azure AI Search

5. Azure Resource Provisioning

Resource Summary

#	Resource	SKU / Pricing	What It Enables
1	Azure OpenAI	Pay-as-you-go	LLM-enhanced risk briefs and rollback playbooks
2	AI Foundry Project	Free (hub/container)	Central project client, audit trail, evaluation API
3	Content Safety	Free tier: 5K txns/month	Filters harmful/hallucinated LLM output
4	Application Insights	Free tier: 5 GB/month	Per-agent latency tracing, live dashboard
5	Azure AI Search	Free tier: 50 MB	History Agent incident lookup
6	Container Apps	Pay-per-use, scale-to-zero	Production hosting for the FastAPI backend
7	Container Registry	Basic ~$5/month	Store Docker images for ACA

Estimated monthly cost for a small team: $5–15/month (mostly Container Registry + minimal OpenAI token usage). Scale-to-zero ACA means you pay nothing when idle.

Manual Provisioning (Azure Portal)

Azure CLI Login: az login
Create Resource Group: az group create --name rg-prism --location eastus
Azure OpenAI: Create via portal, deploy gpt-4o-mini model, copy endpoint and key
AI Foundry Project: Create at ai.azure.com, copy project connection string
Content Safety: Create via portal, same region as OpenAI, copy endpoint and key
Application Insights: Create workspace-based instance, copy connection string
Azure AI Search: Create free-tier instance, copy endpoint and admin key

Automated Provisioning (Bicep / IaC)

az deployment group create \
  --resource-group rg-prism \
  --template-file infra/main.bicep \
  --parameters environmentName=prod location=eastus

6. Environment Variables Reference

Complete `.env` File

# ─── Required for live GitHub data ───
GITHUB_TOKEN=ghp_xxxxxxxxxxxx

# ─── Azure OpenAI (LLM-enhanced risk briefs) ───
AZURE_OPENAI_ENDPOINT=https://your-resource.openai.azure.com/
AZURE_OPENAI_API_KEY=your-key-here
AZURE_OPENAI_DEPLOYMENT=gpt-4o-mini

# ─── Azure AI Foundry (audit trail, evaluation) ───
AZURE_FOUNDRY_PROJECT_CONNECTION_STRING=your-connection-string

# ─── Azure Content Safety (LLM output filtering) ───
AZURE_CONTENT_SAFETY_ENDPOINT=https://your-cs.cognitiveservices.azure.com/
AZURE_CONTENT_SAFETY_KEY=your-key-here

# ─── Application Insights (tracing) ───
APPLICATIONINSIGHTS_CONNECTION_STRING=InstrumentationKey=xxx

# ─── Azure AI Search (History Agent) ───
AZURE_AI_SEARCH_ENDPOINT=https://your-search.search.windows.net
AZURE_AI_SEARCH_KEY=your-admin-key

Which Vars Are Actually Required?

None of them are strictly required. The system works with zero env vars — every feature degrades gracefully:

Variable	If Missing	Impact
`GITHUB_TOKEN`	Can't fetch live PR diffs	Must provide diff in request body
`AZURE_OPENAI_*`	LLM enhancement skipped	Deterministic risk brief template used
`AZURE_FOUNDRY_*`	Foundry client returns `None`	Audit trail and evaluation skipped
`AZURE_CONTENT_SAFETY_*`	Returns safe-by-default	No LLM output filtering
`APPLICATIONINSIGHTS_*`	Tracing is a no-op	No latency dashboards
`AZURE_AI_SEARCH_*`	Mock data used	No real incident lookups

"14 Env Vars Seems Like a Lot" — For local dev you need 1 env var (GITHUB_TOKEN). For basic deployment, 4 vars. For production, use Managed Identities (Section 10) — zero API keys.

7. GitHub Actions Integration (PR Comments)

This is how PRism automatically comments on every PR with a risk assessment.

7.1 — Add the Workflow File

Create .github/workflows/prism-gate.yml in your repository:

name: PRism Risk Gate

on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  prism-analysis:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      statuses: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Get PR diff
        id: diff
        run: |
          DIFF=$(gh pr diff ${{ github.event.pull_request.number }} \
            --repo ${{ github.repository }})
          echo "diff<<EOF" >> $GITHUB_OUTPUT
          echo "$DIFF" >> $GITHUB_OUTPUT
          echo "EOF" >> $GITHUB_OUTPUT
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Get changed files
        id: files
        run: |
          FILES=$(gh pr view ${{ github.event.pull_request.number }} \
            --json files -q '.files[].path' \
            --repo ${{ github.repository }})
          echo "files=$FILES" >> $GITHUB_OUTPUT
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Call PRism API
        id: prism
        run: |
          RESPONSE=$(curl -s -X POST \
            "${{ vars.PRISM_API_URL }}/analyze" \
            -H "Content-Type: application/json" \
            -d '{
              "pr_number": ${{ github.event.pull_request.number }},
              "repo": "${{ github.repository }}",
              "changed_files": ${{ steps.files.outputs.files }},
              "diff": ${{ toJSON(steps.diff.outputs.diff) }},
              "timestamp": "'$(date -u +%Y-%m-%dT%H:%M:%SZ)'"    
            }')
          echo "response=$RESPONSE" >> $GITHUB_OUTPUT

      - name: Post PR Comment
        run: |
          SCORE=$(echo '${{ steps.prism.outputs.response }}' \
            | jq -r '.confidence_score')
          DECISION=$(echo '${{ steps.prism.outputs.response }}' \
            | jq -r '.decision')
          BRIEF=$(echo '${{ steps.prism.outputs.response }}' \
            | jq -r '.risk_brief')
          gh pr comment ${{ github.event.pull_request.number }} \
            --repo ${{ github.repository }} \
            --body "## 🔬 PRism Deployment Risk Assessment
          **Confidence Score:** $SCORE / 100
          **Decision:** $DECISION
          $BRIEF"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Set commit status
        run: |
          DECISION=$(echo '${{ steps.prism.outputs.response }}' \
            | jq -r '.decision')
          if [ "$DECISION" = "greenlight" ]; then
            STATE="success"
            DESC="PRism: Deploy approved"
          else
            STATE="failure"
            DESC="PRism: Deploy blocked"
          fi
          gh api repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }} \
            -f state="$STATE" -f description="$DESC" \
            -f context="PRism Risk Gate"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

7.2 — Configure Repository Variables

Go to your repo → Settings → Secrets and variables → Actions → Variables tab:

Variable	Value	Example
`PRISM_API_URL`	Your PRism backend URL	`https://prism-api.blueocean-abc123.eastus.azurecontainerapps.io`

7.3 — What the PR Comment Looks Like

🔬 PRism Deployment Risk Assessment
Confidence Score: 21 / 100
Decision: blocked

• Diff Analyst: Retry logic removed from payment_service.py
• History Agent: 3 P1 incidents in the last 90 days
• Coverage Agent: Net coverage delta −12%
• Timing Agent: Friday 4:50 PM — high incident window

Recommendation: Delay deployment. Add retry logic back, restore tests.

A commit status check is also set, which can be made required in branch protection rules to physically prevent merging blocked PRs.

8. VS Code Extension

The PRism VS Code extension provides a sidebar panel showing the Deployment Confidence Score, per-agent findings, and rollback playbook — directly in the IDE. Publisher: thegooddatalab (VS Code Marketplace).

Special offer for AI Dev Days Hackathon judges: The extension ships pre-configured against PRism's hosted backend. You get 500 free analysis runs powered by PRism's own Azure OpenAI model deployed on Microsoft Foundry — no Azure subscription needed.

8.1 — Install

From the Marketplace (recommended):

Search "PRism" in the VS Code Extensions view, or install via the command line:

code --install-extension thegooddatalab.prism

From source (development):

cd vscode_extension
npm install
npm run compile
# Press F5 to launch the Extension Development Host

8.2 — GitHub Authorization (First-Time Setup)

On first activation, the extension prompts you to authorize your GitHub account via VS Code's built-in GitHub authentication. This is optional but strongly recommended.

Two modes of operation based on your choice:

Scenario A — GitHub not authorized

The extension performs a local analysis using VS Code's git extension helpers to extract the current diff and changed files. This means:

Diff Analyst and Coverage Agent work using local git diff HEAD~1 data
Timing Agent always works (it only needs the current timestamp)
History Agent is skipped — it requires GitHub repository context to look up past incidents in Azure AI Search
The extension calls /analyze on the PRism backend, consuming one free-tier analysis run

Scenario B — GitHub authorized (recommended)

The extension connects to your GitHub account and looks up the open PR for your current branch. It then reads the existing PRism deployment analysis comment directly from the PR — no new analysis is triggered.

Benefits of this approach:

Zero free-tier runs consumed — just reading an existing comment
Most accurate results — the PR comment analysis has full repo context, including incident history from the History Agent
Consistent view — you see exactly the same assessment as team members looking at the PR on GitHub

8.3 — When Does Analysis Run?

Event	Behavior
Extension opens on a new repo/folder	Runs once (Scenario A) or reads PR comment (Scenario B)
You make a `git commit`	Auto-refreshes the sidebar via VS Code git commit events
Re-run button clicked	Forces a fresh analysis immediately
Timer / polling	❌ Disabled — the extension never polls on a timer

Why no timer? Polling every 30 seconds was burning through the free-tier quota in minutes without any user action. Analysis now only triggers on meaningful events.

8.4 — Configuration

Open VS Code Settings (Ctrl+,) and search for "PRism":

Setting	Default	Description
`prism.serverUrl`	Hosted PRism backend on Azure Container Apps	URL of the PRism FastAPI orchestrator. Override for self-hosted deployments.
`prism.githubToken`	(uses VS Code built-in GitHub auth)	Optional GitHub PAT with `repo` scope. Overrides the VS Code built-in auth prompt.

8.5 — Features

Activity bar icon — click the PRism icon in the left sidebar
Score gauge — color-coded (green ≥70, yellow 40–69, red <40)
Agent cards — each agent shows status badge, risk modifier, and specific findings
Rollback playbook drawer — expandable section with step-by-step rollback instructions when deploy is blocked
Freemium credit meter — shows remaining free-tier analysis runs out of 500
Re-run button — toolbar button triggers immediate fresh analysis
Full Report panel — PRism: Show Full Report command opens a detailed panel
HTTP 402 handling — when free-tier credits are exhausted, a notification appears with an "Open Settings" link to configure a self-hosted backend

9. Production Deployment (Azure Container Apps)

Why Azure Container Apps?

Scale-to-zero — no cost when idle (perfect for PR-driven workloads)
Serverless containers — no VM management, no Kubernetes complexity
Built-in HTTPS — automatic TLS certificates
Azure RBAC + Managed Identity — zero API keys in production
Qualifies for Azure Integration Prize — deep Azure service integration

Build & Deploy

# Build locally
docker build -t prism-api .
docker run -p 8000:8000 --env-file .env prism-api

# Or deploy to Azure
az acr create --name prismacr --resource-group rg-prism \
  --sku Basic --admin-enabled true

az acr build --registry prismacr --image prism-api:latest .

az containerapp create --name prism-api \
  --resource-group rg-prism --environment prism-env \
  --image prismacr.azurecr.io/prism-api:latest \
  --target-port 8000 --ingress external \
  --min-replicas 0 --max-replicas 3

Get Your Public URL

az containerapp show --name prism-api \
  --resource-group rg-prism \
  --query "properties.configuration.ingress.fqdn" \
  --output tsv

Use this URL as PRISM_API_URL in GitHub Actions and prism.serverUrl in the VS Code extension.

10. Production: Managed Identity (Zero API Keys)

In production on Azure, use Managed Identities and RBAC role assignments instead of API keys. The Container App gets an identity that Azure trusts — no secrets to manage, rotate, or leak.

Enable & Assign Roles

# Enable system-assigned identity
az containerapp identity assign --name prism-api \
  --resource-group rg-prism --system-assigned

# Assign RBAC roles
az role assignment create --assignee $IDENTITY \
  --role "Cognitive Services OpenAI User" --scope <openai-scope>

az role assignment create --assignee $IDENTITY \
  --role "Cognitive Services User" --scope <content-safety-scope>

az role assignment create --assignee $IDENTITY \
  --role "Search Index Data Reader" --scope <search-scope>

Dev vs Production Auth

Environment	Auth Method	API Keys	Env Vars
Local dev	`az login` → DefaultAzureCredential	Optional	1 required
CI/CD	GitHub Actions secrets	2–4 secrets	Stored in GitHub
Production (ACA)	Managed Identity → RBAC	Zero	Only endpoints (non-secret)

11. Verifying the Setup

Health Check

curl https://your-prism-url/health
# Expected: {"status": "ok", "service": "prism"}

Run an Analysis

curl -X POST https://your-prism-url/analyze \
  -H "Content-Type: application/json" \
  -d '{
    "pr_number": 1,
    "repo": "your-org/your-repo",
    "changed_files": ["src/main.py"],
    "diff": "- old_code\n+ new_code",
    "timestamp": "2026-03-10T10:00:00Z"
  }'

Expected response:

{
  "confidence_score": 67,
  "decision": "blocked",
  "risk_brief": "...",
  "rollback_playbook": "...",
  "agent_results": [
    {"agent_name": "Diff Analyst", "risk_score_modifier": 20, "status": "warning", ...},
    {"agent_name": "History Agent", "risk_score_modifier": 15, "status": "warning", ...},
    {"agent_name": "Coverage Agent", "risk_score_modifier": 10, "status": "pass", ...},
    {"agent_name": "Timing Agent", "risk_score_modifier": 0, "status": "pass", ...}
  ]
}

VS Code Extension

Install the extension from the Marketplace (publisher: thegooddatalab)
Open a Git repository in VS Code
On first activation, approve the GitHub authorization prompt (optional but recommended)
Click the PRism icon in the activity bar
If GitHub is authorized and the repo has an open PR with a PRism comment: you'll see the score from that PR comment
If not authorized (or no open PR): the extension runs a local analysis — you should see the score gauge, per-agent cards, and (if deploy is blocked) the rollback playbook
Make a commit to verify the sidebar auto-refreshes

GitHub Actions

Add PRISM_API_URL as a repository variable
Open a new PR
The prism-gate.yml workflow should fire
A PR comment should appear with the risk assessment
A commit status check should appear (success or failure)

12. FAQ / Troubleshooting

Do I need all the Azure resources to use PRism?

No. PRism works with zero Azure resources — all features degrade gracefully. Start with the Quick Start (Section 4) and add Azure resources incrementally as needed.

What if I only want the GitHub PR comment, not the VS Code extension?

That's fine — each delivery channel is independent. Just set up the GitHub Actions workflow (Section 7) and skip the VS Code extension.

Can I use a different LLM provider?

The core scoring engine does not use any LLM. LLMs are only used for enhancing the human-readable risk brief and rollback playbook. To swap providers, modify foundry/deployment_config/__init__.py — specifically the get_instrumented_openai_client() function.

How do I add my own incident history?

The History Agent queries Azure AI Search. Create an index, upload your incident documents (JSON with fields: file_path, severity, description, date), and set the AZURE_AI_SEARCH_* env vars. Without AI Search, mock data is used.

Can I customize the agent weights?

Yes. Edit agents/orchestrator/__init__.py — the AGENT_WEIGHTS dictionary. Weights must sum to 1.0:

AGENT_WEIGHTS = {
    "Diff Analyst":   0.30,  # Code change risk
    "History Agent":  0.25,  # Past incident risk
    "Coverage Agent": 0.25,  # Test coverage impact
    "Timing Agent":   0.20,  # Deploy window risk
}

VS Code shows "Server unreachable — showing mock data"

This means the extension can't reach the backend at the configured prism.serverUrl. Check:

Is the backend running? (curl http://localhost:8000/health)
Is the URL correct in VS Code settings? (search "PRism" in Settings)
If using Azure Container Apps, is the container app running? (az containerapp show ...)

If you're authorized with GitHub and your branch has an open PR with a PRism comment, the extension reads the comment directly and does not call the backend — so this error won't appear in that case.

The extension used up my free-tier credits without me doing anything

This was a known issue with the earlier polling design (the extension used to re-analyze every 30 seconds). It is fixed. The extension now only runs analysis when:

You open it on a new repo/folder (once)
You make a git commit
You click the Re-run button

The free tier is 500 runs, which is more than enough for thorough evaluation.

Workflow installation fails

Ensure your PAT has the repo scope and that you have write access to the target repository. If the repo already contains .github/workflows/prism.yml, the installer will update it in place.

How to make the PRism check required for merging?

Go to your repo → Settings → Branches → Branch protection rules
Edit the rule for your main branch
Under "Require status checks to pass", add "PRism Risk Gate"
Now PRs with a blocked verdict cannot be merged

Setup Complexity Summary

Tier	Time	What You Get	What You Need
Local dev	5 min	Full scoring engine, mock data, API	Python + `pip install`
+ GitHub Actions	15 min	Automated PR comments + merge blocking	1 workflow file + 1 repo variable (auto-installed by Setup Wizard)
+ VS Code extension	2 min	Live score in IDE, auto-refresh on commit, PR comment parsing	Install from Marketplace — 500 free runs included
+ Azure OpenAI	25 min	LLM-enhanced risk briefs + rollback playbooks	3 env vars
+ Full Azure	45 min	Tracing, content safety, AI Search	All env vars (or Bicep one-liner)
Production (ACA)	1 hr	Scale-to-zero, zero API keys, HTTPS	Managed Identity + RBAC

PRism scales from a zero-config local tool to a fully governed enterprise deployment — incrementally, with no breaking changes at any step.

API Reference

The setup platform exposes a RESTful API documented with OpenAPI. Visit /api/docs for the interactive Swagger UI, or /api/redoc for ReDoc.

PRism — Client / Vendor Setup Guide