DEV Community: Arun Shinde

New Year, New You: Architecting a High-Performance AI Portfolio using Python and Gemini

Arun Shinde — Sun, 01 Feb 2026 02:58:53 +0000

This is a submission for the New Year, New You Portfolio Challenge Presented by Google AI

About Me

I am a Principal Product Architect and Google Developer Expert (Cloud) with over 12 years of experience in designing scalable, security-first cloud ecosystems. My goal with this portfolio was to move beyond a static résumé and create a "System Architect’s Console"—a live, gamified environment that reflects my expertise in migrating complex monoliths to containerized, AI-driven architectures. I wanted to show how a senior-level perspective can leverage Google AI to solve enterprise-scale problems like compliance and developer productivity.

Portfolio

How I Built It

My development process leveraged a minimal dependency surface area and advanced AI-driven workflows:

1. The "AI-First" Development Process
This project was developed in partnership with Antigravity, an agentic AI assistant:

Iterative Design: I used Antigravity for the dynamic creation and refinement of the "Obsidian" CSS theme and responsive layouts.
Automated Verification: I utilized Antigravity's browser sub-agents to perform real-time testing of custom logic, such as popover positioning and chat accuracy.
Architectural Guardrails: Antigravity assisted in implementing the Firestore caching layer and serverless deployment pipelines.

2. The Tech Stack

Backend: Zero-Framework Python using the standard http.server library to minimize container size (under 150MB) and reduce cold start latency.
Frontend: Premium Obsidian-Style UI built with Vanilla HTML/CSS/JS (no heavy frameworks).
Database: Firestore (Datastore Mode) using a Cache-Aside Pattern with raw REST API calls.
Cloud Infrastructure: Hosted on Google Cloud Run
CI/CD: Deployed via Google Cloud Build, pushing images to Artifact Registry.

3. Google AI Integration
AI is at the core of the user experience:

Vertex AI (Gemini 3.0 Flash Preview): Powers the "AI Chat Consultant" and profile summarizer.
Grounding & Data Fencing: The AI is grounded using a PDF resume on Google Cloud Storage (GCS) and uses "Hard Boundary" prompts to prevent information cross-contamination.
Prompting Strategies: Integrated "Strict Data Fencing" and an "Agentic Professionalism" executive persona for the AI consultant to ensure PII security.

What I'm Most Proud Of

I am most proud of the Standard Library Power and Cost Efficiency achieved in this build.

By avoiding heavy frameworks and using Firestore to cache AI responses at the edge, I reduced potential API costs by over 80% for common navigation paths. Furthermore, the Intelligent Positioning logic in Vanilla JS—which dynamically calculates viewport boundaries to prevent content clipping—proves that professional, high-fidelity UX can be achieved through pure engineering without the overhead of modern frontend frameworks.

How Gemini, Antigravity, and BigQuery Help Create a License Compliance Checker

Arun Shinde — Thu, 22 Jan 2026 18:42:16 +0000

Automate software supply chain auditing using Gemini’s semantic reasoning and BigQuery’s (deps_dev_v1) massive open-source dataset.

Whenever we start a new project, we add many library dependencies to it. Usually, there is no time to check the licenses or compliance rules for every single one of these libraries. This is also true when adding a new library into an existing project — sometimes the compliance issues are missed entirely. If the project is large, manual checking is a very tedious and time-taking process.

Checking license types and compliance is usually a manual task. While security scanning (VAPT) is a standard for security, license checking is still often done by hand. Most of the time, the licenses of “transitive dependencies” (the libraries your libraries use) are not checked. A single “copyleft” license hidden deep inside a transitive dependency can create big legal risks for proprietary software. Expensive tools are available in the market for this, but we all cannot afford them.

To solve this, the License Compliance Agent was created by leveraging Google Open Source Insights (deps.dev) via BigQuery and the reasoning power of Gemini and Vertex AI.

Development Spotlight: From Requirements to Reality with Antigravity

To build this agent, I leveraged Antigravity to move from idea to execution at lightning speed.

Verified Coding: I provided the requirements, and Antigravity handled the implementation, verifying every logic gate and recursive scan along the way to ensure perfection.
Browser-Led Debugging: Instead of standard log-chasing, the agent used its built-in browser tools to interact with the UI and backend, catching complex cloud integration errors in real-time.
Reduced Friction: It turned a complex multi-file architecture into a working reality, allowing me to focus on the overall strategy while it handled the technical heavy lifting.

Tech Stack & Tools

Technical Stack:

Runtime: Python 3.12, Flask, Hypercorn (HTTP/2)
Frontend: Vanilla JS, HTML5, CSS3 (No frameworks)
AI Engine: Google Vertex AI (Gemini 3.0 Flash — Preview)
Data Source: Google BigQuery (Public Dataset: deps_dev_v1) & Cloud Datastore for caching
Infrastructure: Cloud Run (Serverless), Github Actions, Cloud Build, Artifact Registry
Security (Optional): Hybrid Model (IAP + API Key), Secret Manager, and Workload Identity Federation (Keyless Auth)

Development Tools:

Antigravity: The agentic IDE used for autonomous planning, multi-file coding, and browser-based debugging.
IntelliJ IDEA: The primary IDE for Java/Python development and project management.

Project Architecture: How the Agent Works

The system is designed to be a “Sentinel” that watches over your code. Users can interact with the system via a standalone web dashboard to perform deep analysis of their projects.

A Strict Policy Enforcement Checker:
1. A central** policy.json file acts as a strict gatekeeper. It contains a list of allowed and banned** licenses.
2. Users can add more license types into the respective categories as per their requirements. The code relies on this list to decide whether to process the build, ensuring non-compliant code never reaches production.
3. Cost Optimization:** By keeping this file, the system reduces AI costs by skipping known license types.
Using BigQuery to Solve the Dependency Problem: The system uses the deps_dev_v1 dataset in BigQuery. In the code written for bq_service.py, batch queries find the full list of dependencies, including transitive ones. This removes the need for manual checking.
Gemini + Vertex AI as a “Legal Brain”: For “Unknown” or “non-standard” licenses, Gemini 3.0 Flash reads messy legal text and identifies the correct license name using smart reasoning. It includes a** Self-Healing** feature to fix its own data if the format is wrong.
A Special Scanner for “Fat JARs”: Java developers often pack hundreds of libraries inside a single “Fat JAR,” which standard tools miss. A special scanner in jar_checker.py goes deep into hidden folders like BOOT-INF/lib/ to find the correct metadata.
Secure and Fast GCP Infrastructure:
1. While portable across any containerized environment, the system is optimized for Google Cloud Run to provide serverless scaling. It utilizes Workload Identity Federation (WIF) for a secure, keyless connection to GitHub Actions, eliminating the risk of long-lived service account keys.
2. To ensure high-performance execution, the system employs a persistent caching layer via Cloud Datastore that stores AI-generated compliance results for a configurable duration (defaulting to 30 days). This strategy significantly reduces operational costs by reusing previous analyses and provides a lightning-fast experience for recurring dependency scans.

Deployment Options

The License Compliance Agent supports a variety of deployment methods to fit any environment:

CI/CD Integration : Seamlessly integrate with GitHub Actions , Docker , or Cloud Build to block non-compliant releases.

Standalone Web Dashboard : Host a visual interface for manual uploads and quick audits.

Local Use : Run locally via localhost or Docker for pre-commit verification.
Interactive Deployment : Utilize a “Zero-Config” script for rapid setup and configuration.

Key Use cases

SBOM Generation: Automatically generates a full Software Bill of Materials for any project.
Legacy Auditing: Deep-scan older projects or compiled JARs to identify forgotten risks.
Pre-Release Compliance: Acts as a final CI/CD checkpoint to prevent restricted licenses from entering production builds.
Policy Control: Enforce uniform licensing standards across the entire organization.

A Note on AI Reliability

While AI is a sophisticated “Legal Brain,” LLMs can occasionally struggle with highly ambiguous legal language. By leveraging BigQuery to provide the vast majority of verified license data and using AI specifically for “edge cases,” this tool transforms an manual audit into a manageable final human review.

Future Improvements

Enhanced Memory Banking: Implementing a vector-based memory bank to “remember” and associate similar license snippets without re-running full analysis.
Cost-Optimized Predictive Pre-Fetching: Implementing logic to scan top-level manifests early, allowing for batch processing and early-exit strategies that reduce overall API and compute costs.
Enhanced PDF/Excel Reporting: Automated generation of formal compliance certificates and legal reports.
Real-time IDE Integration: Developing plugins for IntelliJ IDEA or VS Code to flag licenses during active coding.
Security Scanning Integration: Merging license compliance with CVE vulnerability data for holistic risk analysis.

Conclusion

By combining BigQuery’s massive data with Gemini’s intelligence and Antigravity’s rapid development, this project turns a difficult manual task into a smooth, automated part of the development workflow.

Explore the project on GitHub : arunshinde/license-compliance-agent

This project was architected and built with the assistance of Antigravity, an advanced AI coding agent.

Enhancing Web Application Security with Cloud Run Sidecar Containers

Arun Shinde — Mon, 27 Jan 2025 03:02:01 +0000

Cloud Run offers a robust serverless platform for deploying containerized applications. By utilizing sidecar containers, developers gain enhanced control over security, resource optimization, and application architecture. This article explores a practical use case of leveraging sidecar containers to strengthen a web application’s security posture.

The Challenge: Securing Monolithic Applications

Traditional web applications often bundle frontend and backend components into a single deployable unit, leading to:

Tight Coupling: Frontend and backend are packaged together (e.g., in a single JAR file).
Large Deployment Size: The combined size of the backend code and static assets can be significant
Inefficient Resource Usage: The backend, often a full-fledged application server like Spring Boot with Tomcat, is used to serve both dynamic content and static files.
Security Risks: Security rules applied at the backend might not be optimal for the frontend, potentially leaving it vulnerable.

The Solution: Sidecar Containers

Cloud Run sidecar containers provide a powerful approach to decouple frontend and backend components, enhancing security and efficiency.

Development Environment:

The following development environment was used for this project:

Operating System: macOS
IDE: Eclipse
JDK: OpenJDK 23
Node.js: v20.11.0

Deployment to Cloud Run:

The application will be deployed using the Cloud Run dashboard within the Google Cloud Console. The image is getting pushed into the Container Registry and not in the Artifact Registry.

Use Case: Separating Static Content and Business Logic

To demonstrate this approach, let’s consider a web application with a Java backend and a frontend composed of static files. I have created a GitHub repository with the code for a Cloud Run multi-container application.

Implementing Sidecar Containers:

A sample Java Spring Boot application with the following structure demonstrates this approach:

Nginx Sidecar Deployment

The static folder contains only index.html. The Nginx configuration files located in the code repository at below locations.

src/main/resources/docker-files/frontend-container/default.conf
src/main/resources/docker-files/frontend-container/nginx.conf
src/main/resources/docker-files/frontend-container/Dockerfile

To create the Nginx sidecar container image, use the following commands:

docker buildx build -t gcr.io/{project_name}/{project_name}-frontend:latest -f src/main/resources/docker-files/frontend-container/Dockerfile --platform linux/amd64 .
docker push gcr.io/{project_name}/{project_name}-frontend:latest

Java Sidecar Deployment

To prepare the Java backend for deployment, create a JAR with excluding static content from application using a Maven profile. This profile is already created in the pom.xml called exclude-static. Execute following command from the terminal.

mvn clean package -P exclude-static

The Dockerfile for the backend container utilizes this JAR file to build the container image. To create the Java sidecar container image, use the following commands:

docker buildx build -t gcr.io/{project_name}/{project_name}-backend:latest -f src/main/resources/docker-files/backend-container/Dockerfile --platform linux/amd64
docker push gcr.io/{project_name}/{project_name}-backend:latest

Deploying to Cloud Run

Navigate to Cloud Run: In the Google Cloud Console, go to the Cloud Run dashboard.

Create a New Service: Click “Create Service” to deploy the application as a new service. (You can also deploy to an existing service if needed.)

Nginx Container:

Select the Nginx image you pushed to Container Registry (or Artifact Registry, the recommended replacement).
Set Memory to 512 MB and CPU to 1.
Leave other values at their defaults.
Click Done.

Java Backend Container:

Click “Add Container.”
Select the Java image you pushed to Container Registry (or Artifact Registry)
Set Memory to 512 MB and CPU to 1.
Container startup order: Select the Nginx container as the main container to ensure it starts first.
Health Check: Configure a startup probe with the following values Initial delay (10 seconds), Timeout (5 seconds), Failure threshold(3)
Leave other values at their defaults.
Click Done.

Deploy: Click “Deploy” to deploy the service with both containers.

Test Out:

After deploying the application, you can test it out by:

Accessing the Cloud Run Service URL: This will display the content from index.html, served by the Nginx sidecar container.

Request served from the Nginx server

Appending Servlet Paths: Add /hello-servlet-1 or /hello-servlet-2 to the URL to access the respective content from those servlets. These requests will be served by the Java backend container.

Request served from the HelloServlet1 servlet

Request served from the HelloServlet2 servlet

Now check what security configs applied by the server when those requests served.

Response Headers — All added security configs in the default.conf has been applied.

No security configs added by Nginx server on Java Servlet response. We can add rules if required.

Security Benefits of Container Separation

Improved Security: Isolating components minimizes the impact of potential vulnerabilities.
Enhanced Performance: Optimizes resource usage.
Faster Deployments: Smaller container images result in quicker deployments.
Increased Scalability: Independently scale components.
Simplified Maintenance: Decoupled components are easier to maintain.

Beyond Static Content

Sidecar containers can also be used for:

Monitoring, logging, Observability
Asynchronous tasks
Security scanning
API management
Data transformation

Conclusion

Cloud Run sidecar containers provide a powerful tool for enhancing the security and performance of your web applications. By decoupling components and applying targeted security measures, you can significantly improve your application’s overall security posture and user experience.