Gallery image captions:
- This is where everything starts. I forked python-gitlab to create a realistic setup
- The conflicts were intentionally created by me for testing purposes
- The AI completed the review, fixed the bugs, and created the merge request
- As the developer, I still need to manually review the fixed code and approve the merge request to ensure the AI hasn’t made any mistakes
- There’s even an auto-fix timer, just open your hosted repo link to see the results
- This is where all the code gets written
Inspiration
GitLab has 28 million developers. Studies show engineers spend 40% of their time on bug triage and backlog that never gets resolved. Maintainers burn out. Critical fixes sit open for months. We built ShiftLeft to be the autonomous co-maintainer that never sleeps — it finds the bug, writes the fix, and opens the MR before your morning coffee.
What it does
ShiftLeft is a 5-agent autonomous software engineering system. Point it at any GitLab repository and it:
- Maps the codebase — reads every Python file via GitLab MCP, AST-parses functions, classes, and imports, builds a YAML knowledge map committed to .shiftleft/
- Triages intelligently — Gemini 2.5 Flash reads the file map + real open GitLab issues and selects the highest-severity bug
- Writes the fix — Gemini generates the complete corrected file with a unified diff
- Self-validates — Auditor agent checks syntax, runs tests; if they fail, Coder retries (up to 3×)
- Opens the MR — creates a branch via GitLab MCP, pushes the fix via GitLab REST API, opens a human-reviewable Merge Request
Total time from trigger to open MR: ~60 seconds.
Live demo: ShiftLeft fixed a real bug in the python-gitlab library — MR !2: Missing retry logic for HTTP 429
How we built it
Orchestration: LangGraph state machine with a conditional self-correction edge — if the auditor fails, the graph loops back to the coder automatically with the failure context injected into the next prompt.
LLM: Gemini 2.5 Flash with 1M token context — ingests the entire repo map in a single prompt. Temperature 0.1 for triage (deterministic), 0.15 for code generation (slight creativity).
GitLab MCP: We run @modelcontextprotocol/server-gitlab as a persistent subprocess using JSON-RPC over stdio. Branch creation goes through MCP. We discovered the npm package has a JavaScript bug in push_files (.map() on undefined) and built a GitLab Commits REST API fallback for file pushes — all writes still initiate through the MCP layer.
Codebase mapping: Python ast module walks every file, extracts function signatures, argument types, return types, docstrings, and class hierarchies. These become YAML manifests committed to .shiftleft/map/ — a self-updating knowledge base that improves with every run.
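The per-file manifest extraction described above, as an added example that is not ShiftLeft's own code: it uses only the standard-library ast module on a constructed sample source and returns a plain dict rather than YAML. The contents of the page's SKIP_TARGET_PATTERNS are not shown, so the prefix tuple below is an assumption.

```python
import ast
from typing import Any

# Assumed form of SKIP_TARGET_PATTERNS: path prefixes the mapper leaves out so
# triage never selects documentation files such as docs/conf.py.
SKIP_TARGET_PATTERNS = ("docs/",)

# Constructed sample standing in for one Python file of the mapped repository.
SAMPLE_SOURCE = '''
import requests

class Gitlab:
    """Client for a GitLab instance."""
    def http_get(self, path: str, retries: int = 3) -> dict:
        """Issue a GET and return the parsed JSON body."""
        return {}

class GitlabList(Gitlab):
    def __iter__(self):
        return iter([])

def helper(x, *args, **kwargs):
    return x
'''

def should_map(path: str) -> bool:
    """False for paths the knowledge map (and therefore triage) must skip."""
    return not path.startswith(SKIP_TARGET_PATTERNS)

def _func_entry(node) -> dict[str, Any]:
    """Signature, annotations and docstring for one function or method."""
    args = [{"name": a.arg, "type": ast.unparse(a.annotation) if a.annotation else None}
            for a in node.args.args]
    return {"name": node.name, "args": args,
            "returns": ast.unparse(node.returns) if node.returns else None,
            "doc": ast.get_docstring(node), "line": node.lineno}

def map_module(source: str, path: str = "<sample>") -> dict[str, Any]:
    """Build the manifest for one file: imports, top-level functions, classes with bases and methods."""
    tree = ast.parse(source, filename=path)
    manifest: dict[str, Any] = {"path": path, "imports": [], "functions": [], "classes": []}
    for node in tree.body:
        if isinstance(node, ast.Import):
            manifest["imports"].extend(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            manifest["imports"].extend(f"{node.module or ''}.{alias.name}" for alias in node.names)
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            manifest["functions"].append(_func_entry(node))
        elif isinstance(node, ast.ClassDef):
            manifest["classes"].append({
                "name": node.name, "bases": [ast.unparse(b) for b in node.bases],
                "doc": ast.get_docstring(node),
                "methods": [_func_entry(m) for m in node.body
                            if isinstance(m, (ast.FunctionDef, ast.AsyncFunctionDef))]})
    return manifest
```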
Challenges we ran into
- GitLab's HTTP MCP endpoint returns 404 — the built-in /api/v4/mcp requires GitLab 18.6+, which isn't deployed on gitlab.com yet. We switched to the npm subprocess transport within the first hour.
- The npm MCP server's push_files and create_or_update_file tools crash with a JavaScript .map() on undefined error when pushing multiple files. We built a GitLab Commits REST API layer as fallback — branch creation still uses MCP so the integration story is intact.
- Gemini JSON truncation — with max_output_tokens=1024, Gemini's triage response was being cut off mid-JSON. Increasing to 16,384 tokens fixed it completely.
- Triage targeting docs files — without explicit filtering, Gemini occasionally picked docs/conf.py as the target. We added SKIP_TARGET_PATTERNS to the triage prompt and file map to prevent this.
Accomplishments we're proud of
- Full closed-loop pipeline working end-to-end in ~60 seconds
- Real MR opened on GitLab with a real, reviewable code fix
- 34 YAML files auto-committed documenting the entire codebase
- Self-correction loop with 3-retry auditor
- The .shiftleft/ knowledge base that grows with every run
What we learned
The future of AI engineering is robust agentic workflows, not bigger models. Gemini 2.5 Flash proved that a fast, lean model is more effective than a slow large one when paired with structured tool-calling and execution sandboxes. We also learned that MCP servers are still young — real production deployments need REST fallbacks for reliability.
What's next for ShiftLeft
- Multi-language support — extend AST parsing to JavaScript, Go, and Rust
- GitLab CI/CD trigger — run ShiftLeft automatically on every failing pipeline
- Security patching — integrate with GitLab Security Advisories to auto-patch CVEs
- Scheduled runs — Cloud Scheduler integration for nightly autonomous maintenance
- Multi-repo — scan an entire GitLab group, not just one repo