Bug
Antigravity reviewer runs in headless --print mode can fail before producing a review when the model uses its native read_file or write_file tools.
The reviewer backend injects toolPermission: strict and replaces the permission allowlist with shell read commands such as git diff, rg, and sed. It also strips --dangerously-skip-permissions for reviewer and repair roles. As a result, native file-tool requests resolve to an interactive permission prompt, which headless mode cannot answer:
jetski: no output produced - a tool required the "read_file" permission that headless mode cannot prompt for, so it was auto-denied.
The same occurs for command and write_file requests. This has caused repeated Antigravity review failures in llm-dialectic#391.
Expected behavior
Reviewer and repair sessions should remain restricted and non-destructive, but native file inspection should work within the assigned checkout. A failed permission request should not silently become an empty review response.
Proposed fix
- Preserve the strict reviewer policy and continue denying writes outside the assigned checkout.
- Inject narrowly scoped
read_file(<assigned-checkout>) rules for reviewer sessions.
- Add
write_file(<assigned-checkout>) only for roles that are explicitly allowed to modify files, or keep it denied for reviewers and repairs as appropriate.
- Do not enable unrestricted
--dangerously-skip-permissions for reviewer sessions by default.
- Emit a clear diagnostic when a native tool is denied in headless mode.
Acceptance criteria
- A headless Antigravity reviewer can inspect files using native
read_file within its assigned checkout.
- Reviewer sessions cannot write files or execute commands outside their existing policy.
- Repair and reviewer permission policies remain distinct and tested.
- A denied native tool produces a categorized, actionable failure rather than an empty response.
- Tests cover permission injection, restoration of the user settings file, and concurrent agent-loop sessions.
-- Human Reviewer
Bug
Antigravity reviewer runs in headless
--printmode can fail before producing a review when the model uses its nativeread_fileorwrite_filetools.The reviewer backend injects
toolPermission: strictand replaces the permission allowlist with shell read commands such asgit diff,rg, andsed. It also strips--dangerously-skip-permissionsfor reviewer and repair roles. As a result, native file-tool requests resolve to an interactive permission prompt, which headless mode cannot answer:The same occurs for
commandandwrite_filerequests. This has caused repeated Antigravity review failures in llm-dialectic#391.Expected behavior
Reviewer and repair sessions should remain restricted and non-destructive, but native file inspection should work within the assigned checkout. A failed permission request should not silently become an empty review response.
Proposed fix
read_file(<assigned-checkout>)rules for reviewer sessions.write_file(<assigned-checkout>)only for roles that are explicitly allowed to modify files, or keep it denied for reviewers and repairs as appropriate.--dangerously-skip-permissionsfor reviewer sessions by default.Acceptance criteria
read_filewithin its assigned checkout.-- Human Reviewer