Every code review starts the same way. You open a diff and try to figure out
what it actually means - not just what changed, but what depends on it,
whether it breaks something downstream, and whether someone else is about to
step on the same code. That investigation usually falls on the reviewer,
by hand, every single time.
I spent the last two weeks building something to change that.
What I built
Orbit Change Passport is a GitLab Duo Agent Platform flow that fires
automatically when a merge request is marked ready for review. It queries
GitLab Orbit's Knowledge Graph and posts a structured comment before anyone
reads a single line of the diff.
Here is what the comment covers:
- Changed Surface - the exact functions and methods the diff touched, identified by name, not line numbers
- Dependency graph - a live Mermaid diagram of everything that imports the changed modules, rendered inline in GitLab
- Conflict Radar - every other open MR right now that touches the same code, caught before merge instead of at it
- Cross-project blast radius - files in other projects in the group that depend on what changed. This one is only possible because Orbit's graph spans the whole group, not just one repo
- Test gaps - test files that import the changed module but were not touched in this MR
- Suggested reviewers - based on recent authorship of dependent files
- Reviewer Brief - a second shorter comment posted immediately after: one paragraph with the single most important thing before reading the diff
A companion Duo Chat agent lets reviewers keep asking questions against the
same graph after the passport posts - "what else calls this?",
"who imports this file?" - answered live, not restated from the comment.
A concrete example
Here is what the impact line looks like on a real run:
Impact: HIGH - 2 definitions changed - 2 within-project dependents -
cross-project blast radius (3 projects) - 1 conflict
That single line tells me: this change has dependents outside this repo,
and another open MR is already touching the same functions. Both of those
things would normally take 10 minutes to find manually. They showed up
automatically before I opened the diff.
The cross-project result is the one that surprised me most. A docstring
change to engine/orbit_client.py surfaced 14 dependent files across three
other projects in the group. Nobody catches that by scrolling through a diff.
How it works
The flow uses a three-tier strategy to identify which functions a diff
actually touched:
- DEFINES traversal in the Orbit graph (File to Definition edge)
- fqn-fragment query as a fallback for Rust crates
- Bounded page scan as a last resort
Each tier produces a different confidence level in the output. This redundancy
matters because query availability on the live Orbit instance is not guaranteed.
DEFINES, IMPORTS, CALLS, and Definition filtering have each independently been
unavailable within a two-hour window during testing. A flow that only works
when one specific query is live is not useful.
For dependents, the flow runs ImportedSymbol lookups in both FQN and
crate-relative forms for Rust, and by identifier_name stem for Python files.
That last one took a while to figure out. Python relative imports
(from . import module) are stored in Orbit with import_path set to the
package name and identifier_name set to the module stem, not as a dotted
path. We found that by reading the actual graph data.
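The stem lookup described above, and the test-gap check it feeds, as an added example (not code from the repo). Only `import_path` and `identifier_name` are field names from the post; the `file` field, the record layout, the sample records, the `package-confirmed` / `stem-only` labels and the `test_*.py` naming rule are assumptions made for illustration.

```python
from pathlib import PurePosixPath

# Constructed records. import_path and identifier_name are the field names the
# post mentions; the "file" field and the dict layout are assumptions.
SAMPLE_SYMBOLS = [
    # engine/passport_runner.py: "from . import orbit_client"
    {"file": "engine/passport_runner.py", "import_path": "engine", "identifier_name": "orbit_client"},
    {"file": "tests/test_orbit_client.py", "import_path": "engine", "identifier_name": "orbit_client"},
    {"file": "tests/test_runner.py", "import_path": "engine", "identifier_name": "passport_runner"},
    # Same stem, unrelated package: a stem-only lookup cannot tell these apart.
    {"file": "tools/report.py", "import_path": "vendor", "identifier_name": "orbit_client"},
]

def lookup_keys(changed_file):
    """Return (package, stem) for a changed Python file path."""
    path = PurePosixPath(changed_file)
    return ".".join(path.parent.parts), path.stem

def dotted_match(symbols, changed_file):
    """Naive lookup: expects import_path to hold the dotted module path."""
    package, stem = lookup_keys(changed_file)
    dotted = f"{package}.{stem}" if package else stem
    return sorted({s["file"] for s in symbols if s["import_path"] == dotted})

def stem_match(symbols, changed_file):
    """Lookup by identifier_name stem, labelling how strong each hit is."""
    package, stem = lookup_keys(changed_file)
    hits = {}
    for s in symbols:
        if s["identifier_name"] != stem or s["file"] == changed_file:
            continue
        confirmed = s["import_path"] == package
        # Keep the strongest label if a file has several matching records.
        if confirmed or s["file"] not in hits:
            hits[s["file"]] = "package-confirmed" if confirmed else "stem-only"
    return hits

def find_test_gaps(dependents, mr_files):
    """Dependent test files (test_*.py, an assumed naming rule) not in the MR."""
    return sorted(f for f in dependents
                  if PurePosixPath(f).name.startswith("test_") and f not in mr_files)

if __name__ == "__main__":
    changed = "engine/orbit_client.py"
    deps = stem_match(SAMPLE_SYMBOLS, changed)
    print("dotted lookup:", dotted_match(SAMPLE_SYMBOLS, changed))
    print("stem lookup:", deps)
    print("test gaps:", find_test_gaps(deps, {changed}))
```

The dotted lookup returns nothing for these records, which is the miss the stem lookup avoids; the `stem-only` hit is the price, a possible false positive a reviewer should treat as lower confidence.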
The Reviewer Brief is a second call to create_merge_request_note within the
same agent turn. We arrived at this after two other approaches failed: a
router-chained second AgentComponent that never started, and a second ambient
flow that turned out to share the trigger silently with the first. Only the
most-recently-enabled one fires - that was not documented anywhere and took a
while to diagnose.
What is in the repo
- flows/change-passport/change-passport.yaml - the Duo Agent Platform flow
- skills/ask-orbit-passport/SKILL.md - companion Duo Chat agent
- engine/passport_runner.py - CLI runner, posts to any MR
- engine/orbit_client.py - Orbit query layer
- research/findings.md - every query pattern confirmed against the live graph
Try it
The flow is live in the AI Catalog. The repo is public and MIT licensed.
- Repo: https://gitlab.com/gitlab-ai-hackathon/transcend/38491653
- Flow: https://gitlab.com/gitlab-ai-hackathon/transcend/38491653/-/automate/flows/1011552/
- Agent: https://gitlab.com/gitlab-ai-hackathon/transcend/38491653/-/automate/agents/1011562
- Demo MR: https://gitlab.com/gitlab-ai-hackathon/transcend/38491653/-/merge_requests/5
Built for the GitLab Transcend Hackathon.
A diff shows what changed. Orbit Change Passport shows what that change means.