AFTERMATH — Autonomous Post-Mortem Agent
The graph remembers. Your team forgets. AFTERMATH bridges the gap.
The Problem
Post-mortems are broken.
After every production incident, engineers spend 4–12 hours doing archaeology — scrolling through Slack, digging through git blame, cross-referencing deployment logs, trying to reconstruct what happened. And even when they finish, the institutional memory lives in a Google Doc that nobody reads before the next incident.
The result: teams repeat the same incidents. The same code paths break again. The same reviewer concerns get dismissed again. The process has no memory.
The Insight
GitLab Orbit indexes your entire SDLC as a property graph — code, deployments, merge requests, reviews, incidents, vulnerabilities, all connected. Every causal relationship that causes an incident is already in the graph before the incident happens.
We asked: what if the graph could investigate itself?
What AFTERMATH Does
AFTERMATH is an autonomous post-mortem agent that activates the moment an incident is created. Mention @aftermath on any incident issue and it dispatches 7 specialized agents in sequence:
| Agent | Role |
|---|---|
| SENTINEL | Triages the incident, extracts severity and affected service, posts acknowledgment |
| PATHFINDER | Executes 6 Orbit graph traversals to build a structured Evidence Bundle |
| CORONER | Reasons over the evidence to identify the moment of error and root cause |
| SCRIBE | Generates a complete post-mortem MR with auto-built timeline from graph timestamps |
| WARDEN | Writes YAML prevention rules to rules/aftermath.yml, committed to the repo |
| QUARTERMASTER | Creates labeled GitLab issues for every contributing factor |
| ARCHIVIST | Answers questions about incident history conversationally |
Plus WATCHMAN — a CI job that enforces prevention rules on every future MR automatically.
Total time from incident to complete post-mortem: ~90 seconds. Human archaeology saved: ~12 hours per incident.
The Killer Technical Differentiator: Q5
AFTERMATH's most powerful capability is Q5 — a cross-domain Orbit traversal that is impossible without Orbit:
MergeRequestDiffFile (filter old_path contains <path>)
→ MergeRequestDiff [HAS_FILE]
→ MergeRequest [HAS_DIFF, state=merged]
→ WorkItem [CLOSES, work_item_type=incident, state=closed]
This single query traverses from a changed file path all the way to past closed incidents that touched the same code — crossing the code domain and the SDLC domain in one graph walk. No SQL join. No manual correlation. The graph already knows.
In our live demo, Q5 surfaced INC-189 — an auth bypass incident from 4 months earlier — hitting the exact same file as INC-247. No human on the team remembered this. The graph did.
All 6 Orbit Queries (Pathfinder's Evidence Bundle)
| Query | Traversal | Purpose |
|---|---|---|
| Q1 | Project → Deployment via IN_PROJECT |
Find deployments in 2-hour window before incident |
| Q2 | Deployment → MergeRequest via DEPLOYED_TO |
Identify the MR that triggered the deploy |
| Q3 | MergeRequest → Note → User via HAS_NOTE, AUTHORED |
Extract reviewer concerns and dismissals |
| Q4a | MergeRequest → MergeRequestDiff → MergeRequestDiffFile via HAS_DIFF, HAS_FILE |
Get changed file paths |
| Q4b | Definition → ImportedSymbol via IMPORTS |
Map call graph and blast radius |
| Q5 | MergeRequestDiffFile → MergeRequestDiff → MergeRequest → WorkItem via HAS_FILE, HAS_DIFF, CLOSES |
Find past incidents on same code paths |
| Q6 | Vulnerability → Project via IN_PROJECT |
Surface open vulnerabilities on affected paths |
The Prevention Loop
Every incident AFTERMATH investigates makes future incidents less likely:
- WARDEN writes specific, diff-detectable prevention rules to
rules/aftermath.yml - WATCHMAN runs as a CI job on every MR, checking the diff against accumulated rules
- The live dashboard (GitLab Pages) shows the growing rule set and protected code paths
- Each new incident adds institutional memory the team never loses
# Example rule written by WARDEN after INC-247
- rule_id: RULE-247-A
source_incident: INC-247
title: "Removal of fallback validator in auth code path"
pattern:
files_touched:
- "src/auth/"
diff_removes:
- "fallback"
action: require_security_approval
severity: HIGH
rationale: "INC-247: Auth outage caused by removing fallback validator without security review."
status: active
After 10 incidents: AFTERMATH knows more about your codebase's failure patterns than any individual engineer.
How We Built It
Stack
- GitLab Orbit — 6 graph traversals using
glab orbit remote querywith verified ontology edges - GitLab Duo Agent Platform — Custom flow YAML with 7 agents, conditional router, full toolset
- Anthropic Claude — Powers all agents. Forensic investigator persona. Systems language, never blames individuals.
- GitLab CI/CD — WATCHMAN runs as
aftermath-watchmanjob on every MR pipeline - GitLab Pages — Live prevention dashboard showing active rules, incident graph, protected paths
- Python CLI —
aftermath auditcommand for direct Orbit traversal
The Challenges We Faced
Understanding the Orbit ontology deeply. Q5 requires traversing MergeRequestDiffFile → MergeRequestDiff → MergeRequest → WorkItem. The edge directions are non-obvious: HAS_FILE goes snap → f, HAS_DIFF goes mr → snap, CLOSES goes mr → wi2. Getting these wrong returns empty results with no error. We verified every edge against the published ontology.
The conditional router syntax. The GitLab Duo Agent Platform compiler requires a specific conditional routing syntax for fan-out routers. Multiple from: triage_router entries cause a duplicate node error. The only valid approach is a single condition block with a routes map — which also happens to be the most elegant design.
The cold-start problem. AFTERMATH has no value on a fresh project with no incident history. We solved this with AFTERMATH Migrate — an agent that retroactively imports past incidents, runs Orbit traversals against them, and populates the institutional memory from day one.
What We Learned
Production incidents are not random. They cluster around the same code paths, the same process gaps, the same dismissed reviewer concerns. The signal is always in the graph — it just needs something that can read it.
The most powerful thing about Orbit is not any individual query. It's that code and SDLC live in the same graph. Q5 would require 3 separate database queries and manual correlation in any other system. In Orbit, it's one traversal.
AFTERMATH is the first system that treats your incident history as a first-class data source for preventing future incidents — automatically, at the speed of a graph walk.
What's Next
- Multi-project Orbit traversal — Find past incidents across your entire org, not just one project
- Severity prediction — Use past incident patterns to predict blast radius before merge
- Slack/PagerDuty integration — Trigger AFTERMATH from existing incident management workflows
- AFTERMATH Score — A live risk score for every MR based on historical incident patterns
Team
Built for the GitLab Transcend Hackathon 2026
AFTERMATH · Powered by GitLab Orbit + Anthropic Claude The graph has spoken.
Built With
- anthropic-claude
- click
- gitlab-ci/cd
- gitlab-duo-agent-platform
- gitlab-orbit
- gitlab-pages
- gitlab-rest-api
- glab
- pytest
- python
- pyyaml
Log in or sign up for Devpost to join the conversation.