Paid PR Replay audit · Free DIY sample
We replay today's structural detectors against your last
5 / 30 / 90 merged PRs and ship a written report plus a portable
evidence packet — what the detectors would have flagged
pre-merge, the patterns worth wiring into CI, and a signed
ChangeEvidence bundle answering the eight questions
a reviewer needs after an AI-assisted change.
Same engine as the free CLI · Apache 2.0 · Signed pr-bundle + HMAC run ledger · No code uploaded for the DIY sample · 50% credits toward Roam Review
Every report ships a ChangeEvidence JSON packet next
to the Markdown. The packet maps to the eight questions a
procurement reviewer, auditor, or post-incident analyst needs
after an AI-assisted change.
Who acted?
Human author, agent id, MCP client, tool id — captured per run.
What authority existed?
Mode, permits, leases, policy decision — recorded at edit time.
What context was read?
Files, symbols, commands, content hashes the agent consumed pre-edit.
What changed?
Diff hash, changed files, changed subjects — bound to the run.
What could break?
Blast radius, callers, tests, vulnerable paths — from the local graph.
What policy applied?
Rules, laws, controls, exceptions — with rule-config hash.
What verified it?
Tests run, gates passed, attestations — pr-bundle proof.
Who accepted risk?
Approval, accepted risk, reviewer, timestamp — when present.
Each packet is reproducible from the
audit-report template,
signed via a pr-bundle, and chained into the
roam runs HMAC ledger so any post-hoc edit is
detectable offline. For the framework mapping see
governance; for current
certification posture and target dates see trust.
Three steps from "I'd like a PR Replay" to "here is the report." Synchronous walk-through call closes the engagement.
roam pr-replay
across your range, founder reviews the top findings by hand and
drafts the narrative. Per-detector deep-dive added on Deep tier.
After delivery: temporary clone is deleted, the git ledger we kept of the engagement is yours on request, and the optional 50% credit toward Roam Review activates if you subscribe within 60 days.
Same engine across all three. The difference is window size, founder hours included, and the depth of the recommended-actions section.
Free · 5 PRs · self-serve
DIY 5-PR sample. Watermarked. No code uploaded — the CLI runs entirely on your machine. Same engine as the paid tiers, just with a smaller window and no founder review.
pip install roam-code && roam pr-replay --tier sample
No email needed. Run it on any repo you have a checkout of.
$2,500 · 30 PRs · 30-min walk-through
Thirty most-recent merged PRs scored against the current detector set. Aggregated detector-class breakdown, per-PR ranking, recommended CI gates, written narrative, founder walk-through. $1,250 credits toward Roam Review if you subscribe within 60 days. See sample output.
Buy Team — $2,500Self-serve checkout launches soon; email orders go through today.
$6,000 · 90 PRs · 90-min walk-through
Everything in Team plus a per-detector deep-dive section, a written 90-day remediation plan against the highest-impact CI gates, and a 90-minute walk-through call. $3,000 credits toward Roam Review if you subscribe within 60 days. See sample (Team format; Deep adds the deep-dive section).
Buy Deep — $6,000Self-serve checkout launches soon; email orders go through today.
Reports ship as Markdown + PDF. Turnaround: 5 business days for Team, 10 business days for Deep, both from kickoff. We never train on or reuse buyer code; the engagement runs against a temporary clone we delete on completion. A separate EU-conformant tax invoice (reverse-charge VAT for EU B2B buyers with a valid VAT-ID) is issued by our accountant within 30 days of payment; the Stripe receipt is not the legal invoice in the provider's billing jurisdiction. See the SOW, DPA, and security policy for details. Email hello@roam-code.com with questions before purchase.
Every paid report has the same skeleton. Section depth scales with tier; Deep adds the per-detector deep-dive.
Executive summary
Verdict line, % of PRs that would have been flagged, total high / medium counts.
Detector breakdown
Aggregated table: detector × total findings × ratio of PRs hit. Highlights the highest-impact class.
Per-PR ranking
Top PRs ranked high → medium → total severity, with date, SHA, subject, top hits.
Per-detector deep-dive
Deep tier only. One section per detector class with up to 5 example PRs each.
Recommended next steps
Top three detector classes to gate on first, plus concrete CLI commands for CI integration.
Roam Review credit
Explicit credit amount and 60-day window — surfaced inside the deliverable, not just the marketing page.
What's NOT covered
Semantic correctness, security audit, performance profiling, in-flight PR review — set out explicitly.
Methodology
What was measured, what wasn't, and how to reproduce on your own machine.
Markdown + PDF. You can preview the Team-tier shape on GitHub before commissioning.
Three buyer shapes recur across the engagements we'd quote.
Half of the engagement fee credits toward your first year of Roam Review if you subscribe within 60 days of report delivery.
| PR Replay tier | Fee | Credits toward Review | Net first-year cost on Review Team ($299/mo) |
|---|---|---|---|
| Team | $2,500 | $1,250 | $2,338 (was $3,588) |
| Deep | $6,000 | $3,000 | $588 (was $3,588) |
Mention the report when subscribing and we apply the credit to the first invoice. Credit is single-use and expires 60 days after report delivery.
Two paths: (1) you grant us a read-only deploy key on a
temporary clone we delete on completion, or (2) you run
roam pr-replay locally and send us the JSON
envelope plus the markdown — we add the founder review and
ship the polished deliverable. Both paths sign the
DPA
and a one-page SOW.
If a Team engagement surfaces zero findings worth wiring into CI, we'll either run it on a different range at no extra cost (if you want broader coverage) or refund 50% of the fee. The point is to know whether you'd have shipped the same incidents knowing what Roam would have flagged — if you wouldn't have, the engagement underdelivered and we own that.
Yes. The report is yours. You own the IP and can redistribute internally without restriction. External attribution (e.g., in a public post-mortem) is appreciated but not required.
roam critique ourselves?You can. The CLI is Apache 2.0 and free forever. The paid engagement adds: founder review of the patterns that matter for your codebase specifically, a ranked recommendation of which detector classes to wire into CI first, a polished narrative artefact you can hand to leadership or auditors, and a 30 or 90-minute walk-through call.
5 business days from kickoff for Team, 10 business days for Deep. Kickoff happens the day we receive payment confirmation and the agreed-on commit range or repo access. Smaller repos usually finish faster.
No. Contractually committed in the DPA. We never use buyer source code, diffs, comments, metrics, or any derived artefact to train, fine-tune, or evaluate any machine-learning model — ours, ours-via-third-party, or any third party's.
Yes. We default to "everyone you'd want in a code-review retrospective": eng lead, the engineers who shipped the flagged PRs, sometimes the security lead. We send the report a few minutes before the call so people can skim.
PR Replay is evidence-generation tooling, not a regulated service. The EU AI Act Article 12 (record-keeping) only attaches to providers of high-risk AI systems listed in Annex III; code-generation tooling is not in Annex III. If your own product is a high-risk AI system, the report's tamper-evident audit-trail entries are useful as Article 14 human-oversight evidence. The classification call is for you and your DPO.
Try the free sample first: See the tiers · or email hello@roam-code.com with questions before purchase.