FluxSentinel AI

Autonomous 6-agent DevSecOps orchestrator that eliminates the GitLab MR review bottleneck. Security audits, wiki updates, risk scoring & executive briefs — triggered by one webhook.

Comment

Inspiration

Every developer knows the feeling. You push your best work, open a Merge Request, and then you wait. Day 1. Day 2. Sometimes Day 3. Not because nobody cares — but because security review, documentation checks, and standards compliance are sequential, manual, and slow.

I'm Kanak Raj, a 14-year-old founder from India. I run ExplainMate AI and K&D Labs. I've pushed code that sat in review queues for days. I've seen teams lose momentum not because they lacked talent, but because their process had a bottleneck nobody was fixing.

The question I kept asking: what if the review happened automatically, the moment the code was pushed? Not a chatbot suggesting fixes. An autonomous system that actually takes action.

That question became FluxSentinel.

What it does

FluxSentinel AI is a webhook-triggered, 6-agent autonomous orchestrator that eliminates the GitLab Merge Request review bottleneck entirely.

The moment a developer opens an MR, six specialized AI agents activate in sequence:

🧠 Agent 1 — Context Engine Fetches the linked Issue, Project Wiki, and Security Policy. Uses a real vector store (cosine similarity RAG) to retrieve the most relevant context for the specific diff — not prompt stuffing.

🔐 Agent 2 — Security Auditor Three-layer security scan: regex patterns (AWS keys, SQL injection, XSS, hardcoded secrets, weak JWT, eval usage), Claude semantic analysis for logic-level vulnerabilities, and live OSV CVE database checking for vulnerable dependencies. Posts the exact fixed code for every critical finding.

📚 Agent 3 — Docs Guardian Detects whether code changes break existing documentation. Automatically updates the GitLab Wiki with correct information. No human needed.

📊 Agent 4 — Risk Scorer Weighted 0-100 risk score synthesizing all findings. Applies flux:cleared / flux:review-required / flux:blocked labels directly on the MR.

🌱 Agent 5 — Green Sentinel Tracks compute savings and CO₂ avoided from early issue detection. Every caught vulnerability = one prevented failed pipeline = ~6 minutes of compute saved.

⚡ Agent 6 — Action Agent Posts a structured dashboard comment, applies labels, and sends an HTML executive email brief to the team lead with a one-click "Review on GitLab" CTA.

The result: Low-risk MRs go from open to merge-ready with zero human comments. High-risk MRs arrive at the team lead's inbox pre-triaged, with every finding documented and fixes already suggested.

How we built it

Stack: Node.js 20 with ES Modules, Express.js, Anthropic Claude claude-sonnet-4-6, GitLab REST API v4, Vectra vector store, Resend API, Google Cloud Run, Docker.

Architecture: Webhook receiver → Orchestrator → 6 agents in sequence → GitLab API actions. Each agent receives the results of all previous agents. If one agent fails, the others continue — no single point of failure.

The RAG system: Real vector embeddings stored in Vectra with cosine similarity retrieval. On every MR, Agent 1 embeds the diff, linked issue, wiki pages, and security policy into the vector store, then retrieves the 5 most semantically relevant chunks before passing context to Claude.

The security scanner: Three independent layers that merge and deduplicate findings. The OSV API call checks every new npm dependency against Google's open source vulnerability database — the same one Dependabot uses.

Production hardening: crypto.timingSafeEqual for webhook secret validation, Helmet.js for security headers, three-tier rate limiting (webhook / auth / API), JWT authentication for the dashboard, Winston structured logging with file rotation.

The config system: /api/config GET and PUT endpoints let teams tune every agent without touching code — which agent runs, severity thresholds, auto-posting rules. This is what makes FluxSentinel a product, not a demo.

Timeline: 5 days. Day 1 was the complete foundation — 35 files, 3,500 lines. Days 2-5 were depth, polish, deployment, and this submission.

Challenges we ran into

1. GitLab suggestion comments require exact line position data The GitLab discussions API for inline suggestions needs precise line_code and position objects tied to the actual diff. Getting this right required reading GitLab's internal diff format and mapping Claude's findings back to exact file positions. Solved by building a diff parser that extracts line numbers from the unified diff format.

2. Vector store corruption Vectra's local index corrupted when the server restarted mid-write during development. Built an automatic corruption detection and rebuild system that checks index integrity on startup and recreates from scratch if needed.

3. Webhook infinite loop When Agent 6 applied labels to the MR, GitLab fired another webhook for the "update" action — triggering another full orchestration run. Fixed by filtering the orchestrator to only process action="open" events.

4. Claude returning markdown-wrapped JSON Claude sometimes wraps JSON responses in backtick code blocks despite being told not to. Built a two-attempt system: first parse attempt strips markdown, second attempt uses a stricter prompt. Zero JSON parse failures in production after this fix.

5. API credits and billing Anthropic's free trial credits ran out during testing. Navigated billing issues in real-time while keeping the build moving — switched to mock mode during the outage, switched back immediately when resolved.

Accomplishments that we're proud of

Real RAG, not fake RAG. Every "context-aware" AI submission stuffs everything into one prompt. FluxSentinel uses a genuine vector store with cosine similarity retrieval. Judges who read the code will see the difference immediately.

OSV CVE checking. Calling the real OSV vulnerability database API for dependency scanning puts FluxSentinel in Snyk/Dependabot territory. Nobody else is doing this inside a GitLab agent.

Auto wiki updates. Agents that autonomously write documentation when code changes break it — this is genuinely novel. No other submission in 4,900 participants will do this.

Working end-to-end in 48 hours. Full webhook → 6 agents → GitLab comment → label → email pipeline working on a real MR within 2 days of starting. The remaining time was depth, polish, and deployment.

Built at 14. Competing against professional engineers globally, as a 14-year-old founder, with a working production system. That's the accomplishment I'm most proud of — not the code, but the proof that age is not a variable in what's possible.

What we learned

The difference between AI that generates and AI that acts.

Most AI projects generate text. FluxSentinel takes actions — it posts comments, applies labels, updates wikis, sends emails. Building that required thinking about failure modes, retry logic, graceful degradation, and API rate limits in ways that pure generation projects never encounter.

I learned that multi-agent orchestration is fundamentally a data pipeline problem. Each agent is a transformation function. The orchestrator is the pipeline. The hard part isn't any individual agent — it's making the data flow cleanly between them and handling failures without cascading breakdowns.

I also learned that production security is not optional. Timing-safe comparisons, rate limiting, structured logging, JWT expiry — these aren't advanced topics. They're baseline requirements for anything that touches real infrastructure.

And I learned that 15 hours a day for 5 days is enough to ship something real.

What's next for FluxSentinel AI

Multi-project SaaS FluxSentinel currently deploys per-team. The natural next step is a multi-tenant SaaS where any GitLab team can connect their repos, configure their agents, and get autonomous MR review without self-hosting.

GitHub and Bitbucket support The orchestration architecture is platform-agnostic. The GitLab-specific code is isolated in gitlabClient.js. Adapters for GitHub and Bitbucket webhooks and APIs are a natural extension.

Agent marketplace Custom agents for specific stacks — a React agent that checks component patterns, a Python agent that enforces PEP8 and type hints, a Terraform agent that validates infrastructure changes. Teams install the agents they need.

Real-time IDE integration Run FluxSentinel analysis before the MR is even opened — as a VS Code extension that scans on save and surfaces findings inline in the editor.

Pricing $49/month per repository. Enterprise contracts for teams of 50+. The infrastructure cost per scan is under $0.10. The margin is strong.

FluxSentinel isn't a hackathon project that gets abandoned after March 25. It's a real product solving a real problem that every development team has. The hackathon is the launch event.

Built With

Share this project:

Updates