Skip to content

Allow scoped native Antigravity file tools in headless reviewer runs #568

Description

@wwind123

Bug

Antigravity reviewer runs in headless --print mode can fail before producing a review when the model uses its native read_file or write_file tools.

The reviewer backend injects toolPermission: strict and replaces the permission allowlist with shell read commands such as git diff, rg, and sed. It also strips --dangerously-skip-permissions for reviewer and repair roles. As a result, native file-tool requests resolve to an interactive permission prompt, which headless mode cannot answer:

jetski: no output produced - a tool required the "read_file" permission that headless mode cannot prompt for, so it was auto-denied.

The same occurs for command and write_file requests. This has caused repeated Antigravity review failures in llm-dialectic#391.

Expected behavior

Reviewer and repair sessions should remain restricted and non-destructive, but native file inspection should work within the assigned checkout. A failed permission request should not silently become an empty review response.

Proposed fix

  • Preserve the strict reviewer policy and continue denying writes outside the assigned checkout.
  • Inject narrowly scoped read_file(<assigned-checkout>) rules for reviewer sessions.
  • Add write_file(<assigned-checkout>) only for roles that are explicitly allowed to modify files, or keep it denied for reviewers and repairs as appropriate.
  • Do not enable unrestricted --dangerously-skip-permissions for reviewer sessions by default.
  • Emit a clear diagnostic when a native tool is denied in headless mode.

Acceptance criteria

  • A headless Antigravity reviewer can inspect files using native read_file within its assigned checkout.
  • Reviewer sessions cannot write files or execute commands outside their existing policy.
  • Repair and reviewer permission policies remain distinct and tested.
  • A denied native tool produces a categorized, actionable failure rather than an empty response.
  • Tests cover permission injection, restoration of the user settings file, and concurrent agent-loop sessions.

-- Human Reviewer

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions