Find the files you're afraid to touch.

Every codebase has load-bearing code nobody wants to touch. Fragile finds it, scores it, and tells you why — before you find out the hard way.

FRAGILE.md
🔴 auth/session.js 92

Touched 47 times in the last 6 months, referenced by 23 files, and has zero test coverage. This is the single riskiest file in the codebase.

🟠 db/migrations.js 78

High change frequency with multiple contributors. Last 3 changes introduced regressions that were caught in production.

🟡 api/middleware.js 64

Central request handler with 31 dependents. Well-tested but any change ripples through the entire API surface.

Three steps. Zero guesswork.

Drop two lines of YAML into your workflow. Fragile analyzes your repo and generates a risk report automatically.

Step 01

Add to your workflow

Two lines of YAML. Point it at your repo, give it your OpenAI key, and you're done.

Step 02

Fragile analyzes signals

Git history, file references, test coverage — all analyzed locally. No source code sent anywhere.

Step 03

FRAGILE.md lands in your repo

A ranked list of your riskiest files with scores and plain-English explanations for each one.

A risk report that actually explains itself.

Not just a list of files — Fragile tells you why each file is dangerous so you know what to do about it.

FRAGILE.md
🔴 auth/session.js 92

Touched 47 times in the last 6 months, referenced by 23 files, and has zero test coverage. This is the single riskiest file in the codebase.

🔴 lib/cache.js 87

Core caching layer with complex invalidation logic. 8 different contributors have touched this file, and the last two changes caused cache poisoning bugs.

🟠 db/migrations.js 78

High change frequency with multiple contributors. Last 3 changes introduced regressions that were caught in production.

🟠 api/middleware.js 71

Central request handler with 31 dependents. Well-tested but any change ripples through the entire API surface.

🟡 utils/date.js 58

Used by 44 files across the codebase. Low change frequency but timezone edge cases have caused bugs twice this quarter.

Start free. Upgrade when you need private repos.

Public repos are always free. Private repo support requires a license key.

Free

$0

For open source and public repos

  • Unlimited public repos
  • Full FRAGILE.md report
  • Unlimited runs
  • Bring your own OpenAI key

Teams

$29/mo

For organizations

  • Everything in Indie
  • Up to 10 repos
  • Org-wide license key
  • Cancel anytime

Get a license key at usefragile.dev

Your OpenAI key. Your usage.

Billed directly to you. No middleman, no markup, no usage caps from us.

How it works: Fragile sends analysis prompts directly to OpenAI using your API key. We never see your key, your code, or your usage. A typical repo costs $0.01–0.05 per run, depending on codebase size.

Two lines of YAML.

Add the following workflow file to your repo. Fragile will generate a risk report on every push to main.

.github/workflows/fragile.yml
name: Fragile
on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  fragile:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # REQUIRED - Fragile needs full git history

      - uses: patchwork-eng/fragile@v1
        with:
          openai_key: ${{ secrets.OPENAI_KEY }}
          # license_key: ${{ secrets.FRAGILE_LICENSE_KEY }}  # Required for private repos

Add your OpenAI API key to Settings → Secrets and variables → Actions as OPENAI_KEY. That's it.
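
A hardened variant of the workflow above, added here as an example and not taken from the Fragile project: it limits the job token to the permissions it needs and pins the third-party action, which receives your OpenAI key, to a reviewed commit rather than the movable v1 tag. Assumptions: the action commits FRAGILE.md with the job token (hence contents: write), the timeout is a constructed value, and <FULL_COMMIT_SHA> is a placeholder.

```yaml
name: Fragile
on:
  push:
    branches: [main]
  workflow_dispatch:

# Start from no token permissions; grant only what the job needs.
permissions: {}

jobs:
  fragile:
    runs-on: ubuntu-latest
    timeout-minutes: 15  # constructed value; bounds a hung run
    permissions:
      # Assumption: the action commits FRAGILE.md using the job token.
      # If it opens a pull request instead, add pull-requests: write.
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full git history, as the original workflow requires

      # Pin to a commit you have reviewed; a tag such as v1 can be moved later.
      # <FULL_COMMIT_SHA> is a placeholder, not a real commit id.
      - uses: patchwork-eng/fragile@<FULL_COMMIT_SHA>  # v1
        with:
          openai_key: ${{ secrets.OPENAI_KEY }}
          # license_key: ${{ secrets.FRAGILE_LICENSE_KEY }}  # Required for private repos
```

Create an OpenAI key used only by this workflow so it can be revoked or spend-limited without affecting anything else.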

Difflog

Reads your git commits when you ship and writes a human-readable changelog automatically. Same BYOK model.


AutoPR

Reads your diff when a PR opens and writes the description for you — what changed, what to test, what broke.
