Inspirations

AI coding assistants made writing code almost free. Reviewing it did not get any faster, because humans still do that and human attention has not scaled. So a new blind spot opened up: code reaching main faster than anyone can meaningfully review it. We kept seeing it ourselves, with large merge requests landing in minutes with zero review comments, failing pipelines merged anyway, and "who reviewed this?" quietly becoming "nobody, really."

Engineering leaders feel this risk but cannot point to where it lives or why it is happening, because no dashboard connects the signals. The Rapid Agent Hackathon pushed us toward an autonomous agent rather than another chart: something that does the watching, the reasoning, and the paperwork, and only asks a human for the final yes.

What it does

Veridyn connects to a GitLab organization and answers one governance question: is code reaching main faster than humans can meaningfully review it?

It pulls the signals a reviewer would (merge requests, reviews, pipelines, commit cadence), correlates them, and surfaces a "review deficit", the count of changes that are simultaneously large, unreviewed, and fast-merged:

$$\text{ReviewDeficit} = \sum_{mr} \mathbb{1}\!\left[\text{size}(mr) > L\right]\cdot \mathbb{1}\!\left[\text{reviews}(mr) = 0\right]\cdot \mathbb{1}\!\left[\text{mergeTime}(mr) < T\right]$$

Then it diagnoses the root cause in plain English with Gemini 3 (single-approver bottleneck, rubber-stamp reviews, skipped scans), and drafts a fix ticket. Approve it, and Veridyn files a real GitLab issue. A Demo mode shows a curated, pre-computed report for instant, risk-free exploration; Live mode runs a real analysis on your own repositories.
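The review-deficit count and the code-side severity policy table, written out as an added Python example (not Veridyn's own code); the thresholds L and T, the MR records and the policy entries are constructed for illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds L (lines changed) and T (open-to-merge time) from the formula
# above; the numeric values are assumptions for this example.
SIZE_LIMIT_L = 400
MERGE_WINDOW_T = timedelta(minutes=15)

@dataclass
class MergeRequest:
    iid: int
    lines_changed: int
    review_comments: int      # human review notes; 0 means unreviewed
    opened_at: datetime
    merged_at: datetime

def is_review_deficit(mr, size_limit=SIZE_LIMIT_L, window=MERGE_WINDOW_T):
    """The formula's three indicators, ANDed: large, unreviewed, fast-merged."""
    large = mr.lines_changed > size_limit
    unreviewed = mr.review_comments == 0
    fast = (mr.merged_at - mr.opened_at) < window
    return large and unreviewed and fast

def review_deficit(mrs):
    """ReviewDeficit: the number of MRs for which all three indicators hold."""
    return sum(1 for mr in mrs if is_review_deficit(mr))

# Policy table (category x repo profile) -> severity. Code decides severity;
# the model only writes the explanation. Entries are assumptions.
SEVERITY_POLICY = {
    ("review_deficit", "production"): "high",
    ("review_deficit", "internal"): "medium",
    ("review_deficit", "sandbox"): "low",
}

def severity(category, repo_profile):
    return SEVERITY_POLICY[(category, repo_profile)]

# Constructed sample MRs, not from a real GitLab org.
T0 = datetime(2025, 1, 6, 9, 0)
SAMPLE_MRS = [
    MergeRequest(1, 1200, 0, T0, T0 + timedelta(minutes=4)),   # counts
    MergeRequest(2, 950, 3, T0, T0 + timedelta(minutes=5)),    # reviewed: excluded
    MergeRequest(3, 80, 0, T0, T0 + timedelta(minutes=2)),     # small: excluded
    MergeRequest(4, 600, 0, T0, T0 + timedelta(hours=3)),      # slow: excluded
    MergeRequest(5, 2100, 0, T0, T0 + timedelta(minutes=14)),  # counts
]
```

Because the severity lookup is a plain dictionary keyed on inputs the agent controls, two runs over the same MR set always produce the same count and the same severity.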

How we built it

  • Agent + API: A FastAPI app mounted inside Google ADK's get_fast_api_app, deployed to Cloud Run. The agent (root_agent) runs on Gemini 3 Flash via Vertex AI.
  • Tools: The agent reads GitLab through the GitLab MCP server (@zereight/mcp-gitlab), which gives it clean, tool-shaped access to merge requests, reviews, pipelines, and issues.
  • Reasoning: A six-stage chain, normalize -> detect -> correlate -> diagnose -> prescribe -> rank. Stage one is pure, deterministic Python; the Gemini stages produce structured output. Severity comes from a policy table (category x repo profile) with temperature = 0 and a fixed seed, so the LLM writes the prose but policy decides the severity. The result is reproducible and auditable.
  • State: Firestore for reports, per-tenant org configs, and OAuth tokens; Secret Manager for the OAuth client secret. It is compute-once, store, serve-many.
  • Auth: Multi-tenant GitLab OAuth (authorization-code with rotating refresh tokens), so anyone can connect their own org.
  • Frontend: React 19 + Vite on GitLab Pages, shipped through GitLab CI/CD that gates tests before every deploy.

Challenges we ran into

  • A silent CSRF guard. ADK's origin-check middleware blocked every cross-origin state-changing POST with a 403 until we set the allowed origins correctly on Cloud Run. It was invisible until you hit it.
  • Two-hour tokens. GitLab OAuth access tokens expire in two hours, so a live analysis would die mid-session. We implemented rotating refresh-token handling, persisted per tenant, with auto-refresh on a small expiry buffer.
  • Non-determinism. Two runs once produced different severities. We fixed it with temperature = 0, a fixed seed, and a code-side severity policy table, so the model explains and never decides.
  • Free-tier reality. The GitLab approvals API is unavailable on the free tier, so we re-derived the "unreviewed" signal from instant-merge behavior for honesty. The MCP server also required a classic api-scoped token; fine-grained tokens were rejected.
  • Local-dev lockout. The OAuth callback hard-coded a production redirect, so teammates could not test locally. We carried an allowlisted return origin inside the HMAC-signed OAuth state to fix it without opening a redirect hole.
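One way to carry an allowlisted return origin inside an HMAC-signed OAuth state, as described for the local-dev lockout above; this is an added Python example, not Veridyn's code, and the signing key, allowed origins, TTL and path are assumptions:

```python
import base64, hashlib, hmac
import json, secrets, time

# Hypothetical values for this example; a deployment would load the key from
# Secret Manager and the allowlist from per-tenant configuration.
STATE_KEY = b"example-only-state-signing-key"
ALLOWED_RETURN_ORIGINS = {"https://app.example.test", "http://localhost:5173"}
STATE_TTL_SECONDS = 600

def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_state(tenant_id, return_origin, now=None):
    """Issue the OAuth state as payload.signature; refuse unknown origins up front."""
    if return_origin not in ALLOWED_RETURN_ORIGINS:
        raise ValueError("return origin not allowlisted")
    payload = {"t": tenant_id, "o": return_origin,
               "n": secrets.token_urlsafe(16),            # per-flow CSRF nonce
               "exp": int((now or time.time()) + STATE_TTL_SECONDS)}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(STATE_KEY, body, hashlib.sha256).digest()
    return f"{_b64u(body)}.{_b64u(sig)}"

def verify_state(state, now=None):
    """On callback: check signature first, then expiry, then the origin allowlist."""
    try:
        body_b64, sig_b64 = state.split(".", 1)
        body, sig = _unb64u(body_b64), _unb64u(sig_b64)
    except (ValueError, TypeError):
        raise ValueError("malformed state")
    expected = hmac.new(STATE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad state signature")   # tampered or forged
    payload = json.loads(body)
    if payload["exp"] < (now or time.time()):
        raise ValueError("state expired")
    if payload["o"] not in ALLOWED_RETURN_ORIGINS:   # allowlist may have shrunk
        raise ValueError("return origin not allowlisted")
    return payload

def redirect_target(payload, path="/connected"):
    """Build the post-login redirect from the verified origin only."""
    return payload["o"] + path
```

The redirect is built only from an origin that was allowlisted when the state was issued and is still allowlisted when the callback arrives, so a caller cannot turn the callback into an open redirect by editing the state parameter.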

Accomplishments that we're proud of

  • A genuinely autonomous agent, not a dashboard: it collects, reasons, and acts, with a human approving every write.
  • A real smoking-gun finding on real repositories, with no seeded data.
  • Deterministic, auditable severity, where the same inputs always produce the same ranking.
  • Shipped end-to-end on Google's agent stack (ADK + Gemini 3 + Vertex AI) wired to GitLab via MCP, deployed live through CI/CD.
  • True multi-tenancy: connect your own GitLab org in two clicks.

What we learned

  • MCP makes giving an agent real tools surprisingly clean, and keeps the blast radius small.
  • Trust comes from determinism: let the LLM explain, never let it decide severity.
  • OAuth and token lifecycle are the genuinely hard part of a multi-tenant agent, not the model calls.
  • "Compute once, store, serve many" is what keeps an agent demo fast, cheap, and reliable.

What's next for Veridyn

  • Server-side finding lifecycle (a real dismiss/resolve endpoint, not client-only state).
  • More governance panels: review-SLA, resolution rate, and a formula-driven cost-of-delay simulation.
  • Scheduled autonomous runs via Cloud Scheduler with digest notifications.
  • Cross-repo root-cause analysis, bus-factor, and security-scan coverage trends.
  • Plug-and-play sinks: GCS exports and BigQuery persistence behind the existing interfaces.

Built With

  • cloud-logging
  • cloud-run
  • fastapi
  • firestore
  • gemini-3
  • gitlab
  • gitlab-ci
  • gitlab-mcp
  • gitlab-pages
  • google-adk
  • model-context-protocol
  • python
  • react
  • recharts
  • secret-manager
  • tailwindcss
  • typescript
  • vertex-ai
  • vite
  • zod
  • zustand