We Built An Autonomous Code Guardian in a Weekend

We entered JacHacks with a wild goal.

Build a tool that watches a repository. It must spot shady dependency changes. It must run those dependencies in a sandbox to prove they are malicious. Then, it must write a fix and open a pull request. No humans involved until the end.

We called it GhostWatch. It took 2nd place in the agentic track.

Here is how we built it and what we learned.

The Problem

Standard code reviews have two major flaws:

  • Tools cannot see the blast radius. A change in one function can break files far away. Most tools do not look at the connections.
  • Supply chain attacks bypass reviews. An attacker can push a poisoned version directly to a registry. There is no pull request to review. You only find out after the damage is done.

Our Solution

We built a system with spatial awareness. We used Jac to model the codebase as a graph.

In this graph:

  • Files are nodes.
  • Imports are edges.

To find the blast radius, we do not guess. We perform a graph walk. This makes the security logic deterministic and explainable.
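As an added illustration (not GhostWatch's own code, which is written in Jac), the same idea in plain Python: each file is a node, each import is an edge, and the blast radius of a changed file or third-party package is a breadth-first walk over the reversed edges. The hop count records why each file is affected, which is what makes the result explainable. The sample repository and the version pins are constructed for the example.

```python
import ast
from collections import deque

# Constructed sample repository (path -> source); not real project data.
SAMPLE_REPO = {
    "app/main.py": "import app.auth\nimport app.db\n",
    "app/auth.py": "import requests\nfrom app import db\n",
    "app/db.py": "import sqlite3\n",
    "app/reports.py": "import app.db\nimport pandas\n",
    "scripts/cleanup.py": "import os\n",
}


def extract_imports(source):
    """Return dotted names imported by a Python source file (absolute imports only)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            # "from app import db" -> "app.db"; relative imports are out of scope here
            for alias in node.names:
                names.add(f"{node.module}.{alias.name}")
    return names


def resolve(name, repo):
    """Map a dotted import to a repo file, or to an external package name."""
    parts = name.split(".")
    for i in range(len(parts), 0, -1):
        candidate = "/".join(parts[:i]) + ".py"
        if candidate in repo:
            return candidate
    return parts[0]  # e.g. "requests": a third-party dependency node


def build_import_graph(repo):
    """Nodes are files and external packages; an edge A -> B means A imports B."""
    graph = {path: set() for path in repo}
    for path, source in repo.items():
        for name in extract_imports(source):
            target = resolve(name, repo)
            graph[path].add(target)
            graph.setdefault(target, set())
    return graph


def reverse_edges(graph):
    """Flip the graph so an edge B -> A means 'A depends on B'."""
    rev = {n: set() for n in graph}
    for src, targets in graph.items():
        for t in targets:
            rev[t].add(src)
    return rev


def blast_radius(graph, changed):
    """Breadth-first walk over reversed edges: every file that transitively
    imports `changed`, mapped to its hop distance (1 = imports it directly)."""
    if changed not in graph:
        return {}
    rev = reverse_edges(graph)
    dist = {changed: 0}
    queue = deque([changed])
    while queue:
        node = queue.popleft()
        for dependent in rev[node]:
            if dependent not in dist:
                dist[dependent] = dist[node] + 1
                queue.append(dependent)
    del dist[changed]
    return dist


def review_manifest_change(graph, old_pins, new_pins):
    """For each pinned dependency that was added or changed version, report the
    files its code can reach. An empty 'affected' set means nothing in the repo
    imports the package, which is itself worth a reviewer's attention."""
    report = {}
    for pkg, version in new_pins.items():
        if old_pins.get(pkg) != version:
            report[pkg] = {
                "old": old_pins.get(pkg),
                "new": version,
                "affected": blast_radius(graph, pkg),
            }
    return report


if __name__ == "__main__":
    g = build_import_graph(SAMPLE_REPO)
    print("blast radius of app/db.py:", blast_radius(g, "app/db.py"))
    # Constructed lockfile diff: one bumped version, one brand-new package.
    old = {"requests": "2.31.0", "pandas": "2.2.0"}
    new = {"requests": "2.31.1", "pandas": "2.2.0", "leftpad": "0.1"}
    for pkg, info in review_manifest_change(g, old, new).items():
        print(pkg, info)
```

The walk is deterministic: the same graph and the same changed node always yield the same affected set, and the hop counts give a reviewer a concrete chain (package, then the file that imports it, then the files that import that file) rather than a heuristic score.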

The Tech Stack

We used Jac instead of raw Python and manual LLM calls. This changed how we worked:

  • The codebase is the data structure.
  • Persistence is built-in. Our repo graph survives restarts without a separate database.
  • LLM integration is seamless. We use a single keyword to turn a function into an LLM call that returns typed objects.

The Hard Parts

It was not easy. We faced several hurdles:

  • New syntax: Jac uses semicolons, braces, and specific keywords like "has" instead of Python's "self." We spent the first few hours fixing parse errors.
  • React pitfalls: I tried to mutate lists in place. This prevented the frontend from updating. I had to switch to reassigning lists to trigger re-renders.
  • Documentation gaps: Setting up the environment took longer than expected because some documentation was thin.

Why it matters

Most agent systems require you to manage state, orchestration, and serialization manually. With Jac, the graph is a language construct. The system architecture matches the problem we were solving.

The project is not perfect. The sandbox uses local subprocesses instead of cloud microVMs. We left these gaps visible because hackathon polish should not be a lie.

Watch the demo: https://www.youtube.com/watch?v=ZN0UVnNUpRs

Check the code: https://github.com/ayushmk7/GhostWatch

Source: https://dev.to/ayushmk/we-built-an-autonomous-code-guardian-in-a-weekend-heres-what-happened-4982