Mr Ninja Hackathon Submission

Project Title: Mr Ninja

Tagline: The Large Repository Merge Request Assistant — Intelligent chunking and multi-agent security analysis for massive codebases.

Elevator Pitch

Mr Ninja solves AI context limits by chunking massive merge requests for multi-agent security analysis, delivering unified risk reports for the largest monorepo codebases. It coordinates specialist agents—including a Security Analyst and Code Reviewer—to perform deep analysis before aggregating all findings into a single, high-signal risk report.

Inspiration

Many developers struggle with large repository merge requests where the sheer volume of code changes makes manual review exhaustive and error-prone. Modern AI agents often fail in these scenarios because they hit "context limits"—the maximum number of tokens they can process at once. Having seen developers face these hurdles firsthand, resulting in missed vulnerabilities or truncated reviews, We created Mr Ninja to bridge the gap between massive monorepo diffs and the limited context windows of AI specialists.

What it does

Mr Ninja is a large repository merge request assistant that intelligently "chunks" oversized MRs and runs multi-agent security and code analysis. While a single merge request in a monorepo can generate 500k–1M tokens of diff content, Mr Ninja decomposes these into priority-sorted segments. It utilizes specialist agents—a Security Analyst, Code Reviewer, and Dependency Analyzer—to scan for risks like hardcoded secrets, SQL injection, and unsafe dependencies. Finally, it aggregates all findings into a unified, high-signal Markdown report posted directly to the merge request.

How we built it

The system is built on a Python 3.11+ tech stack using FastAPI for its REST API and Pydantic v2 for robust data modeling. The architecture follows a phased pipeline:

• Detection & Estimation: A token estimator identifies when an MR exceeds the 150,000-token threshold using the heuristic $tokens \approx \frac{characters}{4}$.
• Intelligent Chunking: A chunking engine classifies files into six priority tiers ($P1$ to $P6$). It then uses a greedy first-fit bin-packing algorithm to group files into chunks of $\sim70,000$ tokens.
• Multi-Agent Orchestration: An orchestrator manages sequential calls to specialist agents, ensuring $P1$ security-critical files are analyzed first.
• Context Persistence: To maintain awareness across the entire MR, we implemented a summarizer that carries compact "cross-chunk context" forward, ensuring findings in one chunk are known to the next.
• Reporting: Findings are deduplicated and a risk score is calculated as: $$Score = \min(100, \sum (Count_{severity} \times Weight_{severity}))$$ where $Weight_{critical}=10, Weight_{high}=5, Weight_{medium}=2,$ and $Weight_{low}=1$.

Challenges we ran into

The biggest challenge was maintaining contextual continuity across separate analysis calls. When splitting a 1-million-token diff into ten chunks, an AI reviewing the final chunk might miss a critical security flaw if it lacks information about a dependency changed in an earlier chunk. We solved this by developing a specialized Context Summarizer that extracts only the most vital "carry-forward" information—like exported symbols and unresolved security questions—to stay under token limits. Additionally, building a zero-dependency GitLab and GitHub client using only the Python standard library was a rigorous exercise in API integration.

Accomplishments that we're proud of

We are particularly proud of our File Priority System, which ensures that high-risk files (like .env, Dockerfile, or auth/*) are always prioritized and never skipped if an analysis hits a hard limit. We also successfully implemented a Simulation Mode that allows users to test the entire 512-file analysis pipeline without needing live Git credentials, making the tool immediately accessible for demos.

What we learned

This project provided deep insights into multi-agent orchestration and the practical limitations of LLM tokenization. We learned how to design "stateful" conversations across "stateless" API calls by managing context as a first-class citizen. We also gained significant experience in building scalable, containerized microservices using FastAPI and Docker.

What's next for Mr Ninja

The next steps for Mr Ninja include:

• Platform Expansion: Extending support beyond GitLab and GitHub to platforms like Bitbucket and Azure DevOps.
• Advanced Agents: Adding a Documentation Analyst and a Performance Profiler to the specialist agent roster.
• Public Release: Finalizing PyPI publishing configuration to allow for one-command installation via pip install mr-ninja.
• Local Processing: Exploring local-first LLM integration to allow enterprises to run Mr Ninja without sending code to external APIs.

Built With

• python