{{ embers }}
KEYSTONE
Git sees files · Orbit sees relationships · Keystone blocks the merge

Merge requests
that break
together

Two safe-looking merge requests. Different files. No Git conflict. They still break production together - because one changes a function the other depends on.

Git sees files. Orbit (GitLab's code knowledge graph) sees the call graph. Keystone vetoes the merge before it breaks - and logs the decision in a tamper-evident ledger.

Proof, live backend & how it works - deterministic, no LLM, 165 tests
New capability
The first merge gate for AI coding agents. When a bot opens an MR, Orbit's call graph (not a text diff) decides ALLOW / HOLD / BLOCK.
Why it matters
Every silent collision caught is a 2am production incident that never happens: no rollback, no hotfix, no incident review.
no signup · runs in your browser Built for the age of AI coding agents: when bots open merge requests faster than humans can cross-review, the call graph is the only surface that catches what breaks together.
● Real Orbit graph ● Deterministic gate ● No LLM on the verdict ● 165 tests green ● Proven on pallets/click {{ backendBadge.text }}
First 90 seconds - judge demo
  1. Click Try the live demo (button above).
  2. Read the silent collision: compute_blast_radius × verify, 5 shared dependents.
  3. Open for the blast-radius graph.
  4. Open and hit Simulate tamper - watch the hash chain break.
  5. Optional: - same engine, a repo we didn't write.
Verify this is real
No trust required. The verdict is a deterministic graph computation - no model decides anything. Every number is computed from a real orbit index and cross-checked by Orbit's own orbit sql (120/120 match). 165 tests pass.
Test + cross-check evidence →
{{ backendProofStatus }} /api/status →
Source mode
{{ backendProofSrcV }}
Definitions
{{ backendProofDefsV }}
Audit chain
{{ backendProofChainV }}
LLM on verdict
none
{{ backendProofNote }}
Not tuned to our own repo
We indexed pallets/click with GitLab Orbit - 1,841 definitions, 6,305 call edges, a library we did not write. The same engine finds real cross-MR collisions there: Context × echo share 14 runtime dependents (HOLD), and echo × make_context is a directional BLOCK.
Why Git and GitLab can't catch this
Git diff / conflict sees text overlap in the same file. Two MRs in different files raise no flag.
CODEOWNERS / approvals route review by file ownership. Each MR looks fine to its own owners.
Branch protection / merge trains serialize merges and re-run CI. CI passes for each unless a test already exercises the shared dependent.
Keystone reads the Orbit call graph for the transitive intersection of two open MRs' blast radii, and remembers a prior rejection of the same blast signature. The graph is the only surface that sees it.
Why it matters: a silent collision is the change class that passes review and fails in production. Industry incident data (DORA) puts change-failure remediation in the hours-to-days range per incident, and autonomous coding agents now author these MRs faster than humans can carefully cross-review.
Run in your terminal
$ python skills/keystone/run_review.py shadow-merge

No account needed for the demo - Keystone analyzes real public repos in your browser.

What Git can't see
In Keystone's own Orbit index, two MRs change compute_blast_radius() in core/impact.py and verify() in core/audit.py - different files, zero Git conflict, both pass review and CODEOWNERS. Yet 5 functions depend on both. Merge both and those 5 break together. Keystone holds the merge and hands you the safe order - exactly the demo below.

This in-browser demo parses the call graph client-side (Python today). The production engine reads the live GitLab Orbit graph (gl_definition / gl_edge) and drives glab orbit local. The blast-radius logic is language-agnostic - it runs on Orbit's symbol graph, not on any one language's syntax, so it covers every language Orbit indexes. See the repo + demo video.

Run it on your own Orbit graph
$ glab orbit local index .            # build the call graph
$ python -m uvicorn backend.app:app   # start the engine
$ open keystone - sign in, scan, review
View on GitHub →
Cross-checked 120/120 symbols against GitLab Orbit CLI (v0.74.0) - exact match › run a live query
▶ 90-SECOND DEMO
{{ heroArt }}
See Everything · Impact Nothing
AUTO-DEMO {{ tourCaption }}
SE
Real-time impact intelligence

Command Center

repo {{ repo }} INDEXED
{{ s.label }}
{{ s.value }}
{{ s.sub }}
SILENT COLLISION FOUND {{ repo }}

Changing {{ findA }} and {{ findB }} - different files, no Git conflict - both ripple into {{ findShared }} shared runtime dependents. Two merge requests that pass review and break together.

How to resolve
{{ r.n }} {{ r.text }}
Merge verdict
{{ v.label }}

Two pending MRs share {{ findShared }} runtime dependents. Resolve the overlap before either merges.

{{ colCount }}× COLLISION
Keystone scanned every pair of high-risk changes, not just one. Safe merge order → {{ safeOrderStr }}
{{ rg.label }}
{{ rg.count }}
All silent collisions · {{ colCount }} found
ranked by shared runtime dependents · every pair grep-verifiable
{{ c.a }} × {{ c.b }}
{{ c.files }}
{{ c.shared }} shared
Safe merge order {{ safeOrderStr }}
Blast Radius
{{ findA }} × {{ findB }}
{{ affected }}
BREAK TOGETHER
{{ graph }}
direct dependents · grep-verifiable
Impacted Entities
symbol · impact
{{ row.sym }}
{{ row.type }}
{{ row.impact }}
Impact Over Time
blast radius per scan · last 12
Dependency Chain
{{ c.sym }}
{{ c.file }} · {{ c.type }}
Recent Events
{{ e.text }}
{{ e.t }}
Deep dive · blast-radius graph

Reviewer Cockpit

symbol {{ findA }} × {{ findB }}
Blast Radius
{{ findA }} × {{ findB }}
{{ affected }}
BREAK TOGETHER
{{ graphCockpit }}
direct dependents · grep-verifiable
Symbols in scope
{{ s.sym }}
{{ s.file }} · {{ s.kind }}
{{ s.dep }}
Impact rings
{{ rg.label }}
{{ rg.count }}
Verdict
{{ v.label }}

Hold the merge: two pending MRs share {{ findShared }} runtime dependents. Stack them into a single review before either lands.
AI agents · merge governance

Engineering Harness

Coding agents can write patches. Keystone decides whether they are safe to merge - running every bot MR through the same blast-radius pipeline a human reviewer gets.

copilot-workspace
MR !482 · feat/refactor-{{ findA }}-and-{{ findB }}
BOT MR
{{ p.mark }}
{{ p.name }}
{{ p.detail }}
{{ p.tag }}
Overall verdict
BLOCK

Auto-merge denied. The patch introduces a silent collision a reviewer must resolve first.

Per-symbol result
{{ b.sym }}
{{ b.file }} · blast {{ b.blast }}
{{ b.res }}

Agent fix plan

ADVISORY · GATE IS DETERMINISTIC

Blocked because {{ fixPlanWhy }}

{{ s.n }} {{ s.text }}
{{ fixPlanStatus }}
Tamper-evident decision log

Audit Ledger

{{ chainBadgeText }} DEMO HASH · FNV-1a · prod: HMAC-SHA256
#TimeChangeBlastReviewerDecisionHash · prev → this
{{ r.n }} {{ r.time }} {{ r.change }} {{ r.blast }} {{ r.reviewer }} {{ r.decision }} {{ r.prev }} {{ r.hash }}
Each row is hash-chained to the one before it. These hashes are computed live in your browser, so Simulate Tamper genuinely recomputes the chain and every hash after the edited row changes. The demo uses a fast FNV-1a hash to show the mechanism; the production ledger uses keyed HMAC-SHA256 (see core/audit.py).
Guided walkthrough · future-merge simulator

Live Demo

{{ demoStepNum }}
Step {{ demoStepNum }} of 5
future-merge simulator
{{ demoCur.title }}

{{ demoCur.text }}

Storyboard
{{ s.n }} {{ s.title }}
See Everything · Impact Nothing
keystone - auth
$ keystone auth --connect github
Read-only permissions requested
{{ p }}
This static demo does no real GitHub sign-in - it previews the read-only scopes the production GitHub App would request, then opens the in-browser command center on public-repo data. Private-repo access requires a deployed backend.