Inspiration
Every engineering team has the same bottleneck: AI can write code in seconds, but shipping that code safely still takes hours of manual security reviews, compliance checks, pipeline debugging, and incident response. We watched talented engineers burn hours on toil that should be automated β and realized that the GitLab Duo Agent Platform gave us the building blocks to fix this permanently.
What it does
CommandCenter is a multi-agent DevSecOps platform that deploys a team of 5 autonomous AI agents directly inside your GitLab workflow:
- π‘οΈ PR Governor β Reviews every merge request against organizational policies, blocks critical violations, and explains why and how to fix issues. Think of it as a senior engineer that never sleeps and cannot be bullied.
- π ShipSafe β Runs automated compliance checks (SOC2, GDPR, HIPAA, PCI-DSS), validates license compatibility, and generates audit-ready evidence packages. Zero manual compliance work.
- π¨ Incident Commander β Classifies production incidents in real-time, auto-reverts to the last known green SHA for code regressions, and executes infrastructure runbooks for infra issues. It's already fixing the problem before your on-call engineer opens their laptop.
- β‘ PipelineOS β Performs root cause analysis on pipeline failures, auto-fixes common issues (dependencies, flaky tests, config errors), and quarantines flaky tests.
- π± GreenOps β Estimates COβ per pipeline run, identifies pipeline waste, and generates sustainability reports with a Green Score (AβF).
These agents don't just suggest β they enforce, fix, revert, and certify.
How we built it
We built CommandCenter entirely on the GitLab Duo Agent Platform using:
- Agent Definitions (YAML) β Each of the 5 agents is defined as a standalone
.ymlfile with a detailed system prompt, decision framework, and specific tool assignments following the principle of least privilege. - Flow Orchestrations β We created 3 multi-agent flows (MR Lifecycle, Pipeline Healer, Incident Response) that chain agents together into intelligent workflows. For example, the MR Lifecycle flow routes a merge request through PR Governor β ShipSafe β GreenOps sequentially.
- Policy-as-Code β All enforcement rules (security, performance, architecture, compliance) are defined as YAML policies that agents read and enforce, making them fully customizable per team.
- Event-Driven Triggers β Agents activate on GitLab events (MR creation, pipeline failure, incident assignment) for zero-touch automation.
The entire platform is config-driven β no custom backend, no external services, just YAML definitions and GitLab's native agent infrastructure.
Challenges we ran into
- Sandbox Environment Permissions (403 Forbidden) β A major technical hurdle was the
403 insufficient_scopeerror encountered in the shared hackathon environment. We successfully built and validated the structural correctness of the GitLab Duo Agent Platform v1 schemas (including router inputs and project context bindings), but the service account tokens lacked theapiandread_apiscopes required to hit endpoints like/api/v4/version. We pivoted to focus on validating the architectural plumbing and prompt engineering, ensuring the team is ready to go as soon as the correct scopes are applied. - Prompt Engineering at Scale β Getting 5 distinct agents to make consistent, high-quality decisions required extensive iteration. We had to carefully tune the system prompts so that PR Governor (Security) and GreenOps (Sustainability) wouldn't contradict each other, but instead work as a unified squad.
- Agent Authority Boundaries β Defining clear authority levels was a balancing act. We had to decide who has the power to actually block a merge vs. who is just reporting data. This involved mapping "Decision Authority" as a core pillar of our multi-agent orchestration.
- Flow Orchestration Design β Chaining agents sequentially while keeping the flow resilient was tough. We spent a lot of time on "context passing," ensuring that the Incident Commanderβs output was correctly parsed and handed off to GreenOps so the carbon footprint of the recovery could be calculated accurately.
- Policy Granularity β Designing the "Policy-as-Code" YAML files required finding the sweet spot: they needed to be specific enough to catch local security flaws like SQL injection, but general enough to function across any project in the CommandCenter ecosystem.
Accomplishments that we're proud of
- Zero-config deployment β CommandCenter ships with sensible defaults. Teams can start using it immediately and customize later.
- Real authority, not just suggestions β Agents can actually block merges, revert production, and gate deployments β giving them teeth.
- Sustainability built in β GreenOps brings ESG (Environmental, Social, Governance) into the DevOps pipeline, something most teams don't track at all.
- Policy-as-code architecture β Every rule is a YAML file that teams can version, review, and customize through merge requests.
What we learned
- The GitLab Duo Agent Platform is powerful enough to build production-grade multi-agent systems with nothing but YAML and well-crafted prompts.
- Agent orchestration (flows) is where the real value lives β individual agents are useful, but chaining them creates exponential impact.
- Giving AI agents real authority (not just advisory roles) changes how teams interact with automation.
What's next for CommandCenter
- Learning from history β Agents that improve their decisions based on past reviews and incident patterns.
- Cross-project intelligence β Sharing policy violations and best practices across an entire organization.
- Custom agent builder β A UI for teams to create their own specialized agents using CommandCenter's framework.
- Integration with external monitoring β Connecting Incident Commander to PagerDuty, Datadog, and Grafana for richer incident context.
Built With
- git
- gitlab
- gitlab-duo-agent-platform
- gitlab-duo-flows
- yaml
Log in or sign up for Devpost to join the conversation.