PRODUCT · JUNE 5, 2026 · 7 MIN READ
Introducing Hyrax
We built Hyrax because the code review industry's response to the AI slop wave was to ship more comments. We shipped a tool that does the fix instead.
It is 11pm on a Tuesday. The PR queue is twenty deep. Half of them came from someone's Cursor session. Three have hallucinated imports the linter waved through because the packages technically exist on npm. One has a JWT signature check that compares strings with == instead of a constant-time function. Another sets an environment variable to a literal API key and the env file is in the repo.
Your code review tool flagged a missing JSDoc comment and a function that is two lines too long.
You catch the JWT thing on the fifth read. You catch the API key because your colleague pings you in Slack at 11:14pm. You miss the hallucinated import. So does your CI. So does production, until support gets a ticket the next morning.
This is the situation in roughly every engineering org we have talked to in the last twelve months. It is the reason Hyrax exists.
What actually broke
Two years ago, the slow part of building software was typing it. AI assistants made typing free. Code now arrives faster than any team can read, in volumes and shapes nobody designed a review process to handle. The work of producing a diff got cheap. The work of trusting it did not move.
GitClear measured it. Copy-pasted code grew eight times faster than refactored code in 2024 as assistant adoption climbed. BetterUp and Stanford SML put the cost of cleaning up AI-generated work at about two hours per item. 51% of daily AI tool users report more code quality problems than they had before. 53% report more vulnerabilities.
The pile of PRs got bigger. The hours in the day did not. And the average senior engineer at a 200-person company now spends a meaningful share of every week as a human linter for a model that does not know about their constraints, their conventions, or the bug they fixed last quarter that the model is about to reintroduce.
That is the slop crisis. It is real. It is measurable. It is mostly invisible to leadership until something ships that should not have.
What the industry shipped in response
Comments. More, better, slicker comments.
CodeRabbit reads your PR and writes you a thorough comment with a stack of LLMs underneath. Then you read it. You decide which findings are real. You write the fix. You submit a new PR. You close the ticket.
Qodo does the same with a tilt toward test generation. It suggests the tests you should have written and waits for you to write them. Copilot Code Review adds inline annotations from the same model that wrote half the PR you are reviewing. Augment brings repository context to its comment quality and stops at the comment. Baz ships an AI reviewer with a slightly different UX. Then you read each one, decide what is real, write the fix, submit a new PR, close the ticket.
SonarQube has been finding issues since long before any of this, and it still finds them. It reports. You fix. Snyk does the same on the security side. It alerts. You fix. (Snyk auto-files dependency bumps, which is closer to what we want, but a version bump is a mechanical edit. Application code stays your problem.)
You can see the shape. Seven tools, seven wedges, the same deliverable. A finding, a comment, a queue. The work of acting on the finding is still your work. A more articulate finder does not solve a throughput problem.
The reviewer was the bottleneck before any of these tools shipped. The reviewer is still the bottleneck.
What we did instead
Hyrax does the work the tools handed back.
When Hyrax finds something worth fixing, it writes the fix in an isolated worktree using your repository's own conventions. It runs that patch through 13 verification steps: build, lint, unit tests, integration tests, scanner re-run, regression scan, diff sanity, test coverage, documentation, dependency audit, independent reviewer, post-fix audit, signed verification trace. If any step fails, the worktree gets discarded and Hyrax tries a different approach. If every step passes, it submits a pull request with a [Hyrax] prefix and a description naming the finding, the fix, and what was verified.
You review the PR. You merge it.
That is the loop. Find. Fix. Ship. Close. Not find and tell you to fix and ship and close.
The technical thesis behind each piece (why isolated worktrees, what is in each verification step, why we submit a PR rather than auto-merging) is in our companion post: How Hyrax reviews code.
What that feels like
The day-to-day looks different. Your queue still has twenty PRs in it. Eight of them came from Hyrax overnight. Each one already passed your build, your lint, your tests, an independent reviewer, and a post-fix audit. The diff is small. The description names the finding and the fix. You read it like a PR from a teammate you trust, ask one question, get the answer, merge.
The other twelve PRs are from people. Hyrax has read those too and posted comments inline with the must-fix findings flagged so they block the merge until they are addressed.
Your job is to review and decide. Not to triage findings, write patches, chase down whether the lint config covers the latest framework upgrade, or write the ticket. That work is done. You are doing the work only you can do.
Two things up front
Hyrax handles all code. Every PR, every commit, every file. Not just code an AI wrote. Mixed PRs are the norm now, and treating one class of code differently from another means missing problems in the merged result. The model that wrote a patch does not matter to us. The patch does.
Hyrax never auto-merges. It submits the PR and stops. The 13 verification steps catch the vast majority of regressions, but they do not catch every business-logic mistake. A human reviewer is the last gate for context, and we keep that gate on the PR. You keep the merge button.
Plans
Free. One mini-audit per calendar month, about five verified fixes, one private repository. No card.
Pro. $30 per cycle. Full audit on demand across three repositories. PR review on every PR. $30 in plan credit.
Team. $200 per cycle for the whole workspace. Unlimited repositories. $200 shared credit. The Virtual Patches learn loop. Public repositories by URL.
Pay-as-you-go overage on every plan. No commitment, no contract, no sales call.
What we are asking for
Install the GitHub App. Pick a repository you actually ship from. About 90 seconds to first findings. About 15 minutes to your first verified fix.
We have spent the last year building this and we know it works on real codebases. We also know it is not finished. If you try Hyrax and find a class of finding it misses, a fix it gets wrong, or a verification step we should add, we want to hear from you. We are reachable, and we are listening.
The Tuesday-night queue does not have to look like this anymore.
Sign in at hyrax.dev.