DEV Community: Soumya Debnath The latest articles on DEV Community by Soumya Debnath (@itsoumyad). https://dev.to/itsoumyad https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3823239%2F97cb289e-f877-4395-b36a-1f39d6a5ff62.png DEV Community: Soumya Debnath https://dev.to/itsoumyad en I built an open-source AI compliance agent platform — here's how the Gemini Computer Use integration works Soumya Debnath Sat, 14 Mar 2026 01:59:35 +0000 https://dev.to/itsoumyad/i-built-an-open-source-ai-compliance-agent-platform-heres-how-the-gemini-computer-use-11k2 https://dev.to/itsoumyad/i-built-an-open-source-ai-compliance-agent-platform-heres-how-the-gemini-computer-use-11k2 <p>Compliance is one of those problems that sounds boring until you're a week away from a SOC 2 audit and your team is drowning in spreadsheets, manual screenshots, and frantic Slack threads.</p> <p>I built <strong>CertiFlow AI</strong> to solve this — an open-source agentic GRC (Governance, Risk, Compliance) platform where AI agents continuously verify your controls so you never have to manually chase evidence again.</p> <p>In this post I'll walk through the most interesting technical decisions, especially the Gemini Computer Use agent integration and the SSE architecture for real-time agent status.</p> <p><strong>GitHub:</strong> <a href="https://github.com/itsoumya-d/certiflow-ai" rel="noopener noreferrer">itsoumya-d/certiflow-ai</a></p> <h2> The Core Idea: Agents That Actually Do the Work </h2> <p>Most compliance tools are glorified checklists. You still have to go verify things manually and upload proof. CertiFlow flips this — the agents do the verification and evidence collection for you.</p> <p>Here's what the agent execution loop looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/agents/computer-use.ts</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">executeComplianceWorkflow</span><span class="p">(</span><span class="nx">workflowId</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">workflow</span> <span class="o">=</span> <span class="nf">getWorkflow</span><span class="p">(</span><span class="nx">workflowId</span><span class="p">);</span> <span class="c1">// Gemini Computer Use agent navigates and verifies</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">gemini</span><span class="p">.</span><span class="nf">generateContent</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="dl">'</span><span class="s1">gemini-2.0-flash</span><span class="dl">'</span><span class="p">,</span> <span class="na">contents</span><span class="p">:</span> <span class="p">[{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">,</span> <span class="na">parts</span><span class="p">:</span> <span class="p">[{</span> <span class="na">text</span><span class="p">:</span> <span class="nx">workflow</span><span class="p">.</span><span class="nx">prompt</span><span class="p">,</span> <span class="p">}]</span> <span class="p">}],</span> <span class="na">tools</span><span class="p">:</span> <span class="p">[{</span> <span class="na">computerUse</span><span class="p">:</span> <span class="p">{}</span> <span class="p">}]</span> <span class="c1">// Enables Computer Use</span> <span class="p">});</span> <span class="k">return</span> <span class="nf">parseVerificationResult</span><span class="p">(</span><span class="nx">result</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The key insight: Gemini's Computer Use lets the agent actually navigate UIs — it can open the AWS console, check S3 bucket settings, screenshot the result, and return a structured verdict. No API keys for every service needed; it works the same way a human auditor would.</p> <h2> Real-Time Agent Status with SSE </h2> <p>I wanted the dashboard to show live agent activity — which agents are running, what they've checked, their current status. WebSockets felt like overkill for this one-directional data flow, so I used Server-Sent Events.</p> <p>The API route (<code>/api/agents/status</code>) streams updates using the Web Streams API built into Next.js 14:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/agents/status/route.ts</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">stream</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ReadableStream</span><span class="p">({</span> <span class="nf">start</span><span class="p">(</span><span class="nx">controller</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">encoder</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TextEncoder</span><span class="p">();</span> <span class="c1">// Subscribe to agent events</span> <span class="nx">agentEventEmitter</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">status</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="s2">`data: </span><span class="p">${</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">event</span><span class="p">)}</span><span class="s2">\n\n`</span><span class="p">;</span> <span class="nx">controller</span><span class="p">.</span><span class="nf">enqueue</span><span class="p">(</span><span class="nx">encoder</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="nx">data</span><span class="p">));</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="nx">stream</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">text/event-stream</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Cache-Control</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">no-cache</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Connection</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">keep-alive</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>On the client, the <code>AnimatedScoreRing</code> component subscribes and updates in real time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// components/AnimatedScoreRing.tsx</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">eventSource</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">EventSource</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/agents/status</span><span class="dl">'</span><span class="p">);</span> <span class="nx">eventSource</span><span class="p">.</span><span class="nx">onmessage</span> <span class="o">=</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">update</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">data</span><span class="p">);</span> <span class="nf">setAgentStatuses</span><span class="p">(</span><span class="nx">prev</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="p">...</span><span class="nx">prev</span><span class="p">,</span> <span class="p">[</span><span class="nx">update</span><span class="p">.</span><span class="nx">agentId</span><span class="p">]:</span> <span class="nx">update</span><span class="p">.</span><span class="nx">status</span> <span class="p">}));</span> <span class="nf">setScore</span><span class="p">(</span><span class="nf">calculateScore</span><span class="p">(</span><span class="nx">agentStatuses</span><span class="p">));</span> <span class="p">};</span> <span class="k">return </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">eventSource</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="p">},</span> <span class="p">[]);</span> </code></pre> </div> <p>The score ring animates smoothly as agents complete their checks — it genuinely feels alive.</p> <h2> Role-Based Access with NextAuth.js </h2> <p>Compliance tools need proper access control. Auditors should see everything but not change anything. Regular users can upload evidence but not manage agents. I used NextAuth.js with a custom credentials provider:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/auth/[...nextauth]/route.ts</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">authOptions</span><span class="p">:</span> <span class="nx">NextAuthOptions</span> <span class="o">=</span> <span class="p">{</span> <span class="na">providers</span><span class="p">:</span> <span class="p">[</span> <span class="nc">CredentialsProvider</span><span class="p">({</span> <span class="k">async</span> <span class="nf">authorize</span><span class="p">(</span><span class="nx">credentials</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">validateUser</span><span class="p">(</span><span class="nx">credentials</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">role</span> <span class="p">};</span> <span class="p">}</span> <span class="p">})</span> <span class="p">],</span> <span class="na">callbacks</span><span class="p">:</span> <span class="p">{</span> <span class="nf">jwt</span><span class="p">({</span> <span class="nx">token</span><span class="p">,</span> <span class="nx">user</span> <span class="p">})</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="nx">token</span><span class="p">.</span><span class="nx">role</span> <span class="o">=</span> <span class="nx">user</span><span class="p">.</span><span class="nx">role</span><span class="p">;</span> <span class="k">return</span> <span class="nx">token</span><span class="p">;</span> <span class="p">},</span> <span class="nf">session</span><span class="p">({</span> <span class="nx">session</span><span class="p">,</span> <span class="nx">token</span> <span class="p">})</span> <span class="p">{</span> <span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">role</span> <span class="o">=</span> <span class="nx">token</span><span class="p">.</span><span class="nx">role</span><span class="p">;</span> <span class="k">return</span> <span class="nx">session</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <p>Then the <code>RoleGate</code> component handles conditional rendering:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="p">&lt;</span><span class="nc">RoleGate</span> <span class="na">allowedRoles</span><span class="p">=</span><span class="si">{</span><span class="p">[</span><span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">]</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">AgentControls</span> <span class="p">/&gt;</span> // Only admins see this <span class="p">&lt;/</span><span class="nc">RoleGate</span><span class="p">&gt;</span> </code></pre> </div> <h2> Built-In Compliance Workflows </h2> <p>CertiFlow ships with four pre-built workflows you can run immediately — AWS S3 encryption checks, IAM policy audits, CloudTrail logging verification, and access control reviews. The prompt engineering here matters: you want structured, auditable output rather than free text.</p> <h2> What's Next </h2> <p>The platform is working and open for contributions. The most valuable additions would be more compliance frameworks (SOC 2 Type II, ISO 27001, HIPAA, PCI DSS), a custom workflow builder, CI/CD integration, and Slack/Teams alerts when a control drifts.</p> <p>If this is useful to you, a ⭐ on GitHub goes a long way, and PRs for new workflows are very welcome.</p> <p><strong>GitHub:</strong> <a href="https://github.com/itsoumya-d/certiflow-ai" rel="noopener noreferrer">itsoumya-d/certiflow-ai</a></p> <p><em>Questions about the Gemini Computer Use integration, the SSE architecture, or the RBAC design? Drop them in the comments.</em></p> nextjs ai typescript webdev