-
-
Command center: the full blast radius of one change, mapped from GitLab Orbit
-
70+ passing tests across the risk engine, CLI, and demo backend
-
Available cli commands for Aftermath
-
One consolidated, auditable report posted automatically on the merge request
-
Aftermath autonomously opened a CRITICAL review issue with a remediation checklist
-
Six tool-scoped agents running in sequence, querying Orbit's knowledge graph
-
Tests catch that a number changed — Aftermath explains what it means downstream
-
Flow Published to the GitLab AI Catalog, public and reusable
Aftermath — The Autonomous Change-Consequence Engine
Don't just see what breaks. Defuse it — before the merge button is ever clicked.
Inspiration
Every team has shipped a change that looked safe and wasn't. One small edit, approved in seconds — and three days later, production breaks. The post-mortem always asks the same question: how did this get past review? The answer is always the same — when the merge button was clicked, nobody had the full picture.
Picture the smallest possible change: a developer swaps Math.round for Math.floor in
one pricing function. A reviewer approves it in two seconds — it's one line. What nobody
sees is that this single function is used three different ways: to charge a customer's
card, to generate a legal tax invoice, and to calculate refunds. That one-line change
quietly under-charges the processor, understates tax on a legal document, and under-refunds
the customer — three defects, three legal jurisdictions, from one line nobody thought twice
about.
The change itself is rarely the problem. The problem is consequence blindness: a reviewer sees a diff, not the fact that a function is the single source of truth for money, or the chokepoint every authenticated request flows through, or that two callers use it for legally different purposes. GitLab Orbit finally gives us the full map — a queryable knowledge graph of the entire codebase. But a graph is not a teammate. Nobody reads it, reasons about what a change means, and acts on it.
We built Aftermath to be that missing actor. It is change-type agnostic — a rounding tweak, a loosened auth check, a renamed API, a config change — the engine maps the blast radius and reasons about the consequence for any of them.
What it does
When you mention Aftermath on a merge request, it runs a six-agent autonomous pipeline on the GitLab Duo Agent Platform:
- Orchestrator classifies the change and decides what needs deep analysis (early-exits trivial changes to save compute).
- Cartographer queries GitLab Orbit's knowledge graph for the complete blast radius — every caller, importer, and transitive dependency, sourced entirely from real graph data.
- Consequence Oracle (Claude) reasons about what the change actually means — the risk a human review misses.
- Owner Diplomat finds the real owners from the graph and notifies only them. If the graph has no ownership data, it reports none rather than inventing names.
- Remediation Engineer autonomously opens a fix MR for deterministic breaks, or a review issue with a remediation checklist for risky ones — and never merges without a human.
- Scribe posts one consolidated, auditable report on the merge request.
The demonstration: we change one line in a shared pricing function — Math.round
becomes Math.floor. The test suite catches the regression and the pipeline goes red —
but a red pipeline only says a number changed. Aftermath goes further: it finds that the
function's three callers are divergent consumers with different legal obligations —
checkout() decides what's charged to a card, generateInvoice() produces a legal tax
invoice, and processRefund() decides what's returned to a customer. The same rounding
change under-charges the processor, understates tax on a legal invoice, and under-refunds
the customer — three simultaneous defects across three legal domains, from one line.
That is the gap between knowing what broke and understanding what it means — and it's
the same gap for any change, not just rounding.
It's not just a flow — it's a product
Aftermath ships as three real, installable pieces, not just an agent definition:
aftermathCLI — run the full analysis locally, before you even open an MR. Commands include:aftermath analyze— run blast-radius + consequence analysis on a changeaftermath simulate <function>— a what-if simulator: see the blast radius of changing a function before you touch a line of codeaftermath validate— validate the agent and flow configurationaftermath policy— inspect the policy-as-code risk weightsaftermath export— export a deterministic analysis result (the same shape the dashboard renders)
- Policy-as-code risk engine — deterministic, auditable scoring with tunable weights in YAML (no magic numbers), plus a carbon estimator for every run.
- React command-center dashboard — an interactive force-directed blast map, animated risk gauge, and consequence breakdown.
All of it is backed by 70+ passing tests — across the risk engine, the CLI, and the demo backend. In a hackathon, that test count is the clearest signal that this behaves like a product you'd actually install, not a prototype that works once for the demo.
How we built it
- GitLab Orbit (
query_graph,get_graph_schema,get_query_dsl,get_response_format) for all dependency traversal — reverseCALLSandIMPORTSedges to find what breaks, multi-hop traversal for transitive impact, and ownership queries. Every relationship in a report is sourced from the graph; nothing is fabricated. - GitLab Duo Agent Platform — six strictly tool-scoped agents chained by a flow, with structured-JSON contracts between every stage and an early-exit gate for trivial changes.
- Anthropic Claude for the semantic reasoning a graph cannot do alone.
- Python risk engine +
aftermathCLI — deterministic, policy-as-code scoring (tunable in YAML) running alongside the agents for reproducible, auditable numbers, plus a carbon estimator. The CLI lets a developer run the entire analysis locally without opening an MR. - React 19 + Vite 8 + d3 command-center dashboard.
- A real demo backend (auth + a financial primitive with three divergent consumers) so the blast radius Orbit indexes is genuine, not staged.
- 70+ passing tests across the engine, CLI, and demo backend — run in CI on every push.
Challenges we ran into
The flow kept hitting a max-step limit and dying mid-run. Chained agents were looping — re-calling tools, retrying failed reads — until the workflow exhausted its step budget. We fixed it by adding explicit "step discipline" guardrails to every agent prompt: never call the same tool twice, never retry a failed read, stop once you have enough to produce your output.
Silent prompt/tool mismatches caused cascading failures. One agent had another agent's system prompt pasted in by mistake, and a tool an agent's prompt relied on (
read_files) was missing from its toolset in the flow YAML. The agent kept trying to call tools it didn't have, which fed the retry loop above. We had to align every agent's prompt strictly with its actual toolset.A missing-file retry loop. The Remediation Engineer kept trying to open a file that didn't exist in the repo, retrying endlessly ("not found", "not found"). We added a hard rule: on a "File not found" error, stop immediately and open an issue instead of retrying.
Keeping the agents honest. On the real run the Orbit graph had no ownership data, so the Owner Diplomat had to report none rather than invent a plausible owner name — fabrication is the worst failure for a tool like this.
Accomplishments that we're proud of
- 70+ passing tests across the risk engine, the
aftermathCLI, and the demo backend. The whole thing runs green in CI on every push — this is the single biggest signal that Aftermath is a product, not a one-shot demo. - A real CLI you can run locally.
aftermath simulate <function>shows the blast radius of a change before you write it — analysis isn't locked inside the cloud flow. - A genuinely autonomous loop: MR → blast-radius mapping → consequence reasoning → owner notification → fix MR or review issue → one consolidated report, with no human in the loop until approval.
- The non-obvious finding: Aftermath surfaces a tri-domain financial and compliance defect from a one-line change that the diff alone never reveals.
- It refuses to fabricate. On the real run, the ownership graph was empty, so it notified no one and said so — exactly the behavior that makes an automated reviewer trustworthy.
What we learned
- A dependency graph tells you what connects; the value is reasoning about what it means. That reasoning layer is the product — and it generalizes across change types.
- Precision beats coverage. Notifying only the true owners — and notifying no one when the data isn't there — is what makes an automated reviewer trustworthy instead of ignorable.
- Honesty is a feature. A tool that invents an owner or a consequence to look smart is worse than one that admits the graph is empty.
What's next for Aftermath
- Cross-project blast radius using Orbit Remote at organization scale.
- IDE integration — surface the blast radius before the MR is even opened.
- Learning from override decisions to tune the risk policy automatically.
- Expanding demonstrated change-types beyond financial: auth, schema migrations, and API contract changes, each with its own consequence reasoning.

Log in or sign up for Devpost to join the conversation.