Blast Radius Impact Agent

Know what breaks before you merge — AI-powered blast radius analysis for GitLab MRs

Comment

🔴 Blast Radius Impact Agent

Know what breaks before you merge.

💡 Inspiration

Every developer has been there — you merge a "small change" and suddenly 3 services are down. Production is broken. Your team is debugging for hours. Why? Because no one knew that one file was being called by 3 other services across different repositories.

I built Blast Radius Impact Agent to solve this — an AI agent that automatically tells you the full impact of your code change before anyone reviews the Merge Request, and blocks merges that are too risky until they're properly reviewed.

🚀 What It Does

When a developer opens or updates a GitLab Merge Request, the agent automatically:

  1. Receives a GitLab webhook via FastAPI
  2. Queries GitLab Orbit knowledge graph for blast radius of changed files
  3. Checks cross-repository dependencies across the entire GitLab group
  4. Finds all callers, definitions, pipelines, and code owners affected
  5. Computes a risk level (LOW/MEDIUM/HIGH) and automatically escalates it if cross-repo callers exist
  6. Generates a structured Markdown impact report
  7. Posts the report as an MR comment — with a clear 🚫 MERGE BLOCKED warning if risk is HIGH

No manual work. No missed dependencies. No production surprises.

🏗️ How I Built It

GitLab MR Open

FastAPI Webhook (main.py)

OpenAI Agents SDK — 4 Function Tools

GitLab Orbit v0.76.0 — query_graph (in-repo + cross-repo)

Risk Computation — LOW/MEDIUM/HIGH + escalation

LLM Report Synthesis

GitLab REST API — MR Comment (HTTP 201)

Tech Stack:

  • FastAPI — webhook receiver
  • OpenAI Agents SDK — 4 function tools:
    • get_blast_radius() → in-repo Orbit query
    • get_cross_repo_impact() → cross-project ImportedSymbol traversal across the group
    • format_blast_radius_report() → Markdown + risk threshold messaging
    • post_impact_comment() → GitLab API
  • GitLab Orbit v0.76.0 — 29 node types, real knowledge graph queries via invoke_command
  • glab CLI — MCP transport for Orbit
  • httpx — async GitLab REST API calls
  • Python 3.11+

📊 Real Results from Live Testing

MR File Changed Orbit Result Risk Level
!1 TEST.md Clean — no callers ✅ LOW
!2 orbit_client.py 13 Python definitions extracted
Provisioned !1 orbit_client.py 15 definitions, 0 cross-repo ⚠️ MEDIUM
Provisioned !2 gitlab_api.py 4 definitions, cross-repo checked ✅ LOW

All comments posted automatically with HTTP 201. Full pipeline time: ~2.5 minutes end-to-end.

⚡ GitLab Orbit — The Key Differentiator

Traditional approach required 20+ separate API calls to understand code impact.

With Orbit's query_graph via invoke_command:

  • One call replaces 20+ API requests
  • Real CALLED_BY, TESTED_BY, OWNED_BY, and IMPORTS edge traversal
  • Cross-repo detection via ImportedSymbol nodes scoped across the entire GitLab group
  • 29 node types: File, Definition, Pipeline, MergeRequest, Vulnerability, and more
  • 11x faster responses

🧗 Challenges I Faced

1. Orbit DSL Corrections The initial DSL structure was wrong. Orbit uses nodes[] + relationships[] separately, not nested edges. Columns must be "*" not an array. Discovered through live debugging.

2. invoke_command vs direct REST Orbit is GraphQL-only for AI Catalog publishing and uses invoke_command with command_name: "query_graph" — not a direct REST POST.

3. Signing Token Validation GitLab's webhook security required HMAC-SHA256 validation of raw request body — not simple token comparison.

4. Cross-Repo Query Design Designing a query that traverses ImportedSymbolFileProject, filtered to the group, while excluding the file's own project, required careful DSL relationship chaining and deduplication by project.

5. Risk Escalation Logic Deciding how cross-repo impact should affect risk scoring — settled on a one-tier escalation (LOW→MEDIUM→HIGH→CRITICAL) so cross-repo changes are always treated as strictly riskier than same-repo changes.

🏆 Accomplishments

  • ✅ Real Orbit v0.76.0 connected and querying live
  • ✅ 13+ Python function definitions extracted live
  • ✅ 4 real MRs tested with automatic comments across 2 GitLab projects
  • ✅ Published to GitLab AI Catalog (public, on the official provisioned project)
  • Risk threshold blocking — automatic 🚫 MERGE BLOCKED / ⚠️ Review Recommended / ✅ Safe to Merge messaging
  • Cross-repo blast radius detection — traverses the entire GitLab group, not just one repository
  • ✅ Complete end-to-end pipeline in 5 Python files

📚 What I Learned

  • GitLab Orbit's knowledge graph architecture and DSL query language
  • MCP protocol and invoke_command pattern
  • OpenAI Agents SDK multi-tool orchestration (4 chained tools)
  • GitLab GraphQL schema introspection for AI Catalog publishing
  • Designing risk-scoring logic that scales across single-repo and multi-repo contexts
  • Real agentic engineering vs prompt engineering

🔮 What's Next

  • Historical trending — track which files consistently have high blast radius over time
  • Slack notifications — ping affected team owners directly, not just tag them in the comment
  • Security vulnerability integration — surface Vulnerability nodes (state, severity, report_type) from Orbit alongside blast radius
  • Configurable risk thresholds — let teams tune what counts as HIGH risk for their org
  • Self-hosted deployment — Docker + Kubernetes for always-on operation

Built With

  • agents
  • api
  • cli
  • fastapi
  • gitlab
  • glab
  • httpx
  • openai
  • orbit
  • python
  • sdk
  • uvicorn
  • wsl2
Share this project:

Updates