AFTERMATH — Autonomous Post-Mortem Agent

The graph remembers. Your team forgets. AFTERMATH bridges the gap.


The Problem

Post-mortems are broken.

After every production incident, engineers spend 4–12 hours doing archaeology — scrolling through Slack, digging through git blame, cross-referencing deployment logs, trying to reconstruct what happened. And even when they finish, the institutional memory lives in a Google Doc that nobody reads before the next incident.

The result: teams repeat the same incidents. The same code paths break again. The same reviewer concerns get dismissed again. The process has no memory.


The Insight

GitLab Orbit indexes your entire SDLC as a property graph — code, deployments, merge requests, reviews, incidents, vulnerabilities, all connected. Every causal relationship that causes an incident is already in the graph before the incident happens.

We asked: what if the graph could investigate itself?


What AFTERMATH Does

AFTERMATH is an autonomous post-mortem agent that activates the moment an incident is created. Mention @aftermath on any incident issue and it dispatches 7 specialized agents in sequence:

Agent Role
SENTINEL Triages the incident, extracts severity and affected service, posts acknowledgment
PATHFINDER Executes 6 Orbit graph traversals to build a structured Evidence Bundle
CORONER Reasons over the evidence to identify the moment of error and root cause
SCRIBE Generates a complete post-mortem MR with auto-built timeline from graph timestamps
WARDEN Writes YAML prevention rules to rules/aftermath.yml, committed to the repo
QUARTERMASTER Creates labeled GitLab issues for every contributing factor
ARCHIVIST Answers questions about incident history conversationally

Plus WATCHMAN — a CI job that enforces prevention rules on every future MR automatically.

Total time from incident to complete post-mortem: ~90 seconds. Human archaeology saved: ~12 hours per incident.


The Killer Technical Differentiator: Q5

AFTERMATH's most powerful capability is Q5 — a cross-domain Orbit traversal that is impossible without Orbit:

MergeRequestDiffFile (filter old_path contains <path>)
  → MergeRequestDiff  [HAS_FILE]
  → MergeRequest      [HAS_DIFF, state=merged]
  → WorkItem          [CLOSES, work_item_type=incident, state=closed]

This single query traverses from a changed file path all the way to past closed incidents that touched the same code — crossing the code domain and the SDLC domain in one graph walk. No SQL join. No manual correlation. The graph already knows.

In our live demo, Q5 surfaced INC-189 — an auth bypass incident from 4 months earlier — hitting the exact same file as INC-247. No human on the team remembered this. The graph did.

All 6 Orbit Queries (Pathfinder's Evidence Bundle)

Query Traversal Purpose
Q1 Project → Deployment via IN_PROJECT Find deployments in 2-hour window before incident
Q2 Deployment → MergeRequest via DEPLOYED_TO Identify the MR that triggered the deploy
Q3 MergeRequest → Note → User via HAS_NOTE, AUTHORED Extract reviewer concerns and dismissals
Q4a MergeRequest → MergeRequestDiff → MergeRequestDiffFile via HAS_DIFF, HAS_FILE Get changed file paths
Q4b Definition → ImportedSymbol via IMPORTS Map call graph and blast radius
Q5 MergeRequestDiffFile → MergeRequestDiff → MergeRequest → WorkItem via HAS_FILE, HAS_DIFF, CLOSES Find past incidents on same code paths
Q6 Vulnerability → Project via IN_PROJECT Surface open vulnerabilities on affected paths

The Prevention Loop

Every incident AFTERMATH investigates makes future incidents less likely:

  1. WARDEN writes specific, diff-detectable prevention rules to rules/aftermath.yml
  2. WATCHMAN runs as a CI job on every MR, checking the diff against accumulated rules
  3. The live dashboard (GitLab Pages) shows the growing rule set and protected code paths
  4. Each new incident adds institutional memory the team never loses
# Example rule written by WARDEN after INC-247
- rule_id: RULE-247-A
  source_incident: INC-247
  title: "Removal of fallback validator in auth code path"
  pattern:
    files_touched:
      - "src/auth/"
    diff_removes:
      - "fallback"
  action: require_security_approval
  severity: HIGH
  rationale: "INC-247: Auth outage caused by removing fallback validator without security review."
  status: active

After 10 incidents: AFTERMATH knows more about your codebase's failure patterns than any individual engineer.


How We Built It

Stack

  • GitLab Orbit — 6 graph traversals using glab orbit remote query with verified ontology edges
  • GitLab Duo Agent Platform — Custom flow YAML with 7 agents, conditional router, full toolset
  • Anthropic Claude — Powers all agents. Forensic investigator persona. Systems language, never blames individuals.
  • GitLab CI/CD — WATCHMAN runs as aftermath-watchman job on every MR pipeline
  • GitLab Pages — Live prevention dashboard showing active rules, incident graph, protected paths
  • Python CLIaftermath audit command for direct Orbit traversal

The Challenges We Faced

Understanding the Orbit ontology deeply. Q5 requires traversing MergeRequestDiffFile → MergeRequestDiff → MergeRequest → WorkItem. The edge directions are non-obvious: HAS_FILE goes snap → f, HAS_DIFF goes mr → snap, CLOSES goes mr → wi2. Getting these wrong returns empty results with no error. We verified every edge against the published ontology.

The conditional router syntax. The GitLab Duo Agent Platform compiler requires a specific conditional routing syntax for fan-out routers. Multiple from: triage_router entries cause a duplicate node error. The only valid approach is a single condition block with a routes map — which also happens to be the most elegant design.

The cold-start problem. AFTERMATH has no value on a fresh project with no incident history. We solved this with AFTERMATH Migrate — an agent that retroactively imports past incidents, runs Orbit traversals against them, and populates the institutional memory from day one.


What We Learned

Production incidents are not random. They cluster around the same code paths, the same process gaps, the same dismissed reviewer concerns. The signal is always in the graph — it just needs something that can read it.

The most powerful thing about Orbit is not any individual query. It's that code and SDLC live in the same graph. Q5 would require 3 separate database queries and manual correlation in any other system. In Orbit, it's one traversal.

AFTERMATH is the first system that treats your incident history as a first-class data source for preventing future incidents — automatically, at the speed of a graph walk.


What's Next

  • Multi-project Orbit traversal — Find past incidents across your entire org, not just one project
  • Severity prediction — Use past incident patterns to predict blast radius before merge
  • Slack/PagerDuty integration — Trigger AFTERMATH from existing incident management workflows
  • AFTERMATH Score — A live risk score for every MR based on historical incident patterns

Team

Built for the GitLab Transcend Hackathon 2026

AFTERMATH · Powered by GitLab Orbit + Anthropic Claude The graph has spoken.

Built With

  • anthropic-claude
  • click
  • gitlab-ci/cd
  • gitlab-duo-agent-platform
  • gitlab-orbit
  • gitlab-pages
  • gitlab-rest-api
  • glab
  • pytest
  • python
  • pyyaml
Share this project:

Updates