Blast Radius — Devpost Submission
Devpost form (copy-paste)
| Field | Value |
|---|---|
| Project name | Blast Radius |
| Elevator pitch (≤200 chars) | Orbit-powered impact tracing for GitLab. One command ranks every caller, entrypoint, and fix order—then runs automatically as a Duo Flow on your merge requests. |
| Thumbnail | submission/devpost-thumbnail.png (1500×1000, 3:2, PNG, <5 MB) |
| About the project | Full story (Markdown + LaTeX): submission/DEVPOST_ABOUT.md |
Regenerate thumbnail: .video-build-venv/bin/python scripts/build_devpost_thumbnail.py
Inspiration: the archaeology problem
Every developer has been there. You want to touch one function — rename it,
fix a bug, swap out a dependency — and before you write a line you spend 20
minutes doing archaeology: grep for call sites, guess at transitive callers,
scroll through CODEOWNERS, click through old MRs to figure out who last touched
this path, wonder if any pipelines will break. Then you still ship the change,
hold your breath, and hope you found everything.
A plain LLM can't help. It has no grounded, cross-file, cross-SDLC model of your repository. The context exists in GitLab Orbit (the Knowledge Graph). Nothing turned it into a one-shot, actionable answer — until now.
What it does
Blast Radius is a GitLab Duo Agent Platform Flow and Skill, backed by an MIT-licensed reference CLI, that traverses Orbit to answer:
"If I change this function — or if this component has a vulnerability — what is the full blast radius, who needs to review it, and in what order do I fix it?"
You give it a symbol name, a file path, or an imported dependency. It gives you back a ranked Impact Report:
- Transitive impacted symbols, ranked by distance (closest blast first).
- Public entrypoints that ultimately expose the change (handlers, APIs).
- External/imported symbol usage — which local callers pull in a vulnerable primitive like hashlib.md5.
- Suggested review / remediation order (leaves first, entrypoints last).
- MRs, owners, at-risk pipelines via Orbit Remote (SDLC enrichment).
Two modes: change for pre-change impact analysis and vuln for vulnerability blast radius.
Real numbers from the demo
On the sample repository shipped with this project:
Change-impact trace on verify_token:
login_handler and logout_handler both at distance 1 — both public
entrypoints. A seemingly internal auth function directly exposes two request
handlers.
Vulnerability blast radius on unsafe_md5 (a weak MD5 implementation):
Five symbols impacted across three levels of depth: decode_jwt and
legacy_login at Δ1, verify_token at Δ2, login_handler and
logout_handler at Δ3. Three public entrypoints ultimately expose the
vulnerable primitive. The fix order is obvious from the table.
Dependency pivot on hashlib:
Blast Radius detects that hashlib is an imported symbol, pivots through the
Definition → ImportedSymbol edges to find unsafe_md5 as the local caller,
then runs the identical five-symbol blast radius from there. One command traces
a dependency all the way to the public API surface.
How we built it
Ground truth first
Before writing a single query, we captured the real Orbit Local schema with
glab orbit local schema --raw and documented every table and column in
docs/ORBIT_SCHEMA.md. Every SQL query in the project references only
columns verified against the live binary — nothing inferred.
A single recursive CTE does the heavy lifting
The entire blast radius is one DuckDB WITH RECURSIVE query that reverse-walks
CALLS edges from the target symbol. UNION (not UNION ALL) deduplicates,
so the query terminates even on cyclic call graphs. MIN(depth) gives each
symbol its shortest distance. Scoping by project_id (from _orbit_manifest)
prevents results from bleeding across repos in the shared local DB.
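As an added illustration of the recursive walk described above and of the dependency pivot from the demo section, here is a self-contained example that is not the project's own code. It runs on SQLite (standard library) instead of DuckDB because the CTE shape is the same in both; the edge and definition tables, their column names, the CALLS/IMPORTS edge kinds and the sample call graph are all constructed stand-ins for Orbit's gl_edge / gl_definition, not the Orbit schema. The sample graph mirrors the demo numbers (unsafe_md5 ← decode_jwt, legacy_login ← verify_token ← login_handler, logout_handler), adds a second project with a clashing symbol to show the project_id scoping, and adds a two-node cycle to show that the walk terminates. UNION drops a (symbol, depth) row that was already produced; since a cycle re-enters at a larger depth, the example also caps depth as a hard stop.

```python
import sqlite3

# Added example, not the project's code. Tables and columns below are invented
# stand-ins for Orbit's gl_edge / gl_definition (the project takes the real
# names from `glab orbit local schema --raw`).
EDGES = [
    # (project_id, src, dst, kind): "src CALLS dst" or "src IMPORTS dst"
    (1, "login_handler",  "verify_token", "CALLS"),
    (1, "logout_handler", "verify_token", "CALLS"),
    (1, "verify_token",   "decode_jwt",   "CALLS"),
    (1, "decode_jwt",     "unsafe_md5",   "CALLS"),
    (1, "legacy_login",   "unsafe_md5",   "CALLS"),
    (1, "legacy_login",   "decode_jwt",   "CALLS"),    # constructed 2-cycle, to show
    (1, "decode_jwt",     "legacy_login", "CALLS"),    # the walk still terminates
    (1, "unsafe_md5",     "hashlib",      "IMPORTS"),  # stand-in for Definition -> ImportedSymbol
    (2, "report_job",     "unsafe_md5",   "CALLS"),    # another repo in the shared local DB
]
DEFINITIONS = [
    # (project_id, name, is_entrypoint)
    (1, "unsafe_md5", 0), (1, "decode_jwt", 0), (1, "verify_token", 0),
    (1, "legacy_login", 1), (1, "login_handler", 1), (1, "logout_handler", 1),
    (2, "unsafe_md5", 0), (2, "report_job", 1),
]

# Reverse-walk CALLS edges from the target. UNION (not UNION ALL) discards a
# (symbol, depth) row already seen; the depth cap stops a cycle, which would
# otherwise keep producing rows with new, larger depths.
TRACE_SQL = """
WITH RECURSIVE callers(symbol, depth) AS (
    SELECT :target, 0
    UNION
    SELECT e.src, c.depth + 1
    FROM edges AS e
    JOIN callers AS c ON e.dst = c.symbol
    WHERE e.kind = 'CALLS'
      AND e.project_id = :project
      AND c.depth < :max_depth
)
SELECT c.symbol, MIN(c.depth) AS distance, d.is_entrypoint
FROM callers AS c
JOIN definitions AS d ON d.name = c.symbol AND d.project_id = :project
WHERE c.symbol <> :target
GROUP BY c.symbol, d.is_entrypoint
ORDER BY distance, c.symbol
"""


def open_sample_db() -> sqlite3.Connection:
    """In-memory DB loaded with the constructed sample graph."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE edges(project_id INT, src TEXT, dst TEXT, kind TEXT)")
    con.execute("CREATE TABLE definitions(project_id INT, name TEXT, is_entrypoint INT)")
    con.executemany("INSERT INTO edges VALUES (?, ?, ?, ?)", EDGES)
    con.executemany("INSERT INTO definitions VALUES (?, ?, ?)", DEFINITIONS)
    return con


def blast_radius(con, target, project_id, max_depth=10):
    """[(symbol, shortest distance, is_entrypoint)], closest blast first."""
    params = {"target": target, "project": project_id, "max_depth": max_depth}
    rows = con.execute(TRACE_SQL, params).fetchall()
    return [(symbol, dist, bool(entry)) for symbol, dist, entry in rows]


def local_callers_of_import(con, module, project_id):
    """Dependency pivot: local definitions that import `module`."""
    sql = "SELECT src FROM edges WHERE kind = 'IMPORTS' AND dst = ? AND project_id = ? ORDER BY src"
    return [row[0] for row in con.execute(sql, (module, project_id))]


def import_blast_radius(con, module, project_id):
    """Pivot through the import edge, then run the same trace from each local caller."""
    return {c: blast_radius(con, c, project_id) for c in local_callers_of_import(con, module, project_id)}


def to_markdown(report, target):
    """Comment-ready table; row number doubles as the suggested fix order."""
    lines = [f"Blast radius of {target}", "", "| # | Symbol | Distance | Entrypoint |", "|---|---|---|---|"]
    for i, (symbol, dist, entry) in enumerate(report, 1):
        lines.append(f"| {i} | {symbol} | Δ{dist} | {'yes' if entry else 'no'} |")
    return "\n".join(lines)


if __name__ == "__main__":
    con = open_sample_db()
    print(to_markdown(blast_radius(con, "verify_token", 1), "verify_token"))
    for caller, report in import_blast_radius(con, "hashlib", 1).items():
        print(to_markdown(report, caller))
```

Run it directly to print the two reports. Binding the target, project and cap as parameters (rather than formatting them into the SQL text) is what keeps this query injection-free even though the target symbol comes straight from user input.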
Orbit Local as the provable foundation
The demo runs entirely on Orbit Local — a local Rust binary that indexes any git repo into DuckDB. No GitLab credentials, no Duo subscription. This let us validate the traversal and the SQL against real indexed data before writing a line of agent code.
Flow + Skill + CLI as one coherent package
The same five-step procedure appears in all three artifacts:
- The CLI (blast-radius trace) for terminal, CI, and scripting.
- The Flow (flows/blast-radius/flow.yaml) for automatic MR comments via the AI Catalog.
- The Skill (skills/blast-radius/SKILL.md) for Duo Chat on demand.
The CLI is the ground truth. The Flow and Skill embed the same procedure and the same SQL recipes. When the CLI proves a query works, the Skill references it directly.
Security by construction
No shell injection (list-argv subprocess), no SQL injection (lit()/int()
escaping verified adversarially), no token logging, read-only SQL, prompt
injection guardrails in both the Skill and Flow system prompt. Security review:
0 CRITICAL, 0 HIGH, 1 MEDIUM (prompt-injection guardrail — now hardened). See
SECURITY.md.
What's next
- CODEOWNERS integration — surface CODEOWNERS entries directly in the Impact Report for the impacted file paths.
- Pipeline impact — join the blast radius to pipeline job definitions via CONTAINS edges on Remote.
- MR comment bot — post the Markdown report automatically as a Flow trigger on merge-request-created, not just on mention.
- Multi-language coverage — Orbit's indexer determines language support; as Orbit extends its language coverage, Blast Radius inherits it for free.
- CI gate mode — exit non-zero when the blast radius exceeds a threshold, blocking large-impact changes until a reviewer approves.
Judging axis mapping
Technological Implementation
The recursive CTE over gl_edge + gl_definition is the correct primitive for
this problem — it resolves semantic call-graph edges, not text matches. All
queries are validated against the real Orbit Local binary schema. The CLI has
230 passing tests at 98% coverage. The Flow YAML validates against the Duo
custom-flow v1 schema (version: "v1", environment: ambient, components,
prompts, routers, flow.entry_point). SQL injection is blocked at the
escaping layer verified adversarially.
Design & Usability
One command (make demo) runs the full end-to-end demo on any machine with
glab and Python. The report is ranked: highest-impact items first, entrypoints
called out explicitly, remediation order numbered. PUBLISH.md is a sequential
copy-paste runbook. --format md produces a comment-ready Markdown report.
Potential Impact
Change-impact tracing and vulnerability blast-radius are universal SDLC problems. Any team using GitLab Orbit can replicate this approach. The Skill alone teaches any Duo agent to trace blast radius on demand without installing the CLI. The MIT license means teams can fork, extend, and embed this freely.
Quality of the Idea
The core insight is that Orbit already holds the code↔SDLC join — MRs, owners, pipelines, and the call graph are all in one graph database. Blast Radius exposes that join as a usable developer tool in one traversal. The dependency-pivot mode (tracing a library import all the way to public API entrypoints) is a non-obvious capability that grep + an LLM cannot replicate.
Links
- Public repository: https://gitlab.com/sebaustin/orbit-blast-radius
- Demo video (local file, upload to YouTube/Vimeo for Devpost): submission/blast-radius-demo.mp4 (~3:05, AI narration)
- Regenerate video: make demo-video (macOS say + ffmpeg)
- Flow published to AI Catalog: Blast Radius (see PUBLISH.md for the catalog URL)
- License: MIT