Inspiration

The "Security Tax" is real. We noticed that every time a developer opens a Pull Request, their creative flow is interrupted by a gauntlet of manual checks: dependency vulnerabilities, compliance gaps, and risk assessments. We wanted to build a world where the "boring but critical" parts of the SDLC happen autonomously, allowing developers to stay in their FlowState.

What it does

FlowState is a reactive AI agent built in Google AI Studio that acts as a 24/7 member of your engineering team.

Triggers on Code: Using webhooks, it "wakes up" the moment a PR is opened.

Auto-Heals: It doesn't just flag a vulnerable library; it uses Gemini 3.1 Flash to find the non-breaking patch, runs a test suite, and pushes the fix-commit.

Compliance on Autopilot: It analyzes code diffs against SOC2/GDPR standards and generates a downloadable Compliance Delta Report.

Risk Intelligence: It identifies "high-blast-radius" changes (like auth logic) and automatically summons the right human reviewers.

How we built it

We leveraged the cutting-edge 2026 Google AI Studio ecosystem:

The Brain: We used Gemini 3.1 Pro for complex reasoning and Gemini 3.1 Flash for high-speed analysis of code diffs.

The Agent: Built using the new Antigravity coding agent framework to maintain deep context across the entire project structure.

Function Calling: We connected the agent to the GitHub API and a custom Compliance Engine using the revamped "Custom Tool" endpoint.

The UI: We used the Stitch infinite canvas to visualize the agent's decision-making process, showing exactly how it moves from "Trigger" to "Fix."

Challenges we ran into

Context Preservation: Initially, the agent would lose track of the codebase structure. We solved this by migrating to the Antigravity agent, which handles multi-step code edits with a much deeper "project memory."

Tool Collision: We had to carefully manage "Parallel Function Calling" to ensure the agent didn't try to patch a file while simultaneously generating a report on it.

The "Hallucination" Guardrail: We implemented a "Thinking Signature" check to ensure the agent's logic was grounded in the actual PR diff before it executed any Git commands.
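
An added illustration of the kind of pre-execution grounding check described under The "Hallucination" Guardrail, not FlowState's own code: it rejects an agent plan that touches files absent from the PR diff or that runs Git commands outside an allowlist. The plan format, the allowlist, the forbidden flags and the sample diff are assumptions constructed for this example.

```python
import re
import shlex

# Constructed sample PR diff (not taken from the FlowState project).
SAMPLE_DIFF = """\
diff --git a/requirements.txt b/requirements.txt
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,3 @@
 flask==3.0.0
-requests==2.19.0
+requests==2.32.3
 gunicorn==22.0.0
"""

# Assumed policy: the only Git subcommands the agent may run, and flags it may never use.
ALLOWED_GIT = {"add", "commit", "push"}
FORBIDDEN_FLAGS = {"--force", "-f", "--force-with-lease", "--no-verify"}

def files_in_diff(diff_text):
    """Return the set of paths the PR diff actually touches."""
    paths = set()
    for line in diff_text.splitlines():
        # Hunk content lines start with ' ', '+' or '-', so this only matches headers.
        m = re.match(r"^diff --git a/(.+?) b/(.+)$", line)
        if m:
            paths.update(m.groups())
    return paths

def check_plan(diff_text, plan):
    """Return a list of violations; an empty list means the plan is grounded."""
    touched = files_in_diff(diff_text)
    problems = [f"file not in PR diff: {p}" for p in plan["files"] if p not in touched]
    for cmd in plan["commands"]:
        try:
            argv = shlex.split(cmd)
        except ValueError:
            argv = []  # unparseable command line is treated as not allowlisted
        if len(argv) < 2 or argv[0] != "git" or argv[1] not in ALLOWED_GIT:
            problems.append(f"command not allowlisted: {cmd}")
            continue
        if FORBIDDEN_FLAGS & set(argv[2:]):
            problems.append(f"forbidden flag in: {cmd}")
        if argv[1] == "add":  # staging must name diff files explicitly (no '.', no -A)
            problems += [f"git add outside PR diff: {a}"
                         for a in argv[2:] if a != "--" and a not in touched]
    return problems
```

The check fails closed: anything it cannot parse or does not recognise is reported as a violation, so the caller executes commands only when the returned list is empty.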

Accomplishments that we're proud of

Zero-Touch Patching: Successfully demonstrating an agent that can see a CVE, find a solution, and verify it with a "Dry Run" without human intervention.

Multi-Modality: Using the new Multimodal Embedding model to compare visual UI changes in the PR against branding compliance guidelines.

Reactive Speed: Achieving a "Trigger-to-Action" latency of under 10 seconds.

What we learned

Building agents in 2026 isn't about writing code; it's about "Problem Shaping." We learned that the quality of an agent's output depends entirely on how well you define its "Boundary Conditions" and "Success Criteria." We also realized that "Vibe Coding" isn't just a trend—it's a high-velocity way to move from a prompt to a production-ready Firebase backend.

What's next for FlowState

Workspace Integration: Moving FlowState into Google Workspace so it can automatically update Jira tickets and Slack channels based on PR status.

Self-Healing Infrastructure: Expanding beyond code to monitor Cloud Run logs and automatically adjust resource limits or roll back "flapping" deployments.

Multi-Agent Collaboration: Introducing a "Security Critic" agent that reviews the "Fixer" agent's patches to create a double-blind safety layer.

Built With

  • cloud
  • githubapi
  • theagent
  • theframework
  • tools
  • triggers