@microsoft/agent-governance-antigravity-cli — Antigravity CLI governance package¶
@microsoft/agent-governance-antigravity-cli is the production install surface for AGT-backed Antigravity CLI governance. It installs a packaged Antigravity extension into the user's Antigravity home, seeds a developer-protection policy, and provides explicit lifecycle commands for install, update, uninstall, and diagnostics.
What it is¶
- a first-party install surface for local Antigravity CLI governance
- a package that depends on
@microsoft/agent-governance-sdkand@modelcontextprotocol/sdk - an explicit
agt-antigravityCLI that mutates~/.antigravityonly when you ask it to
What it is not¶
- not a
postinstallpackage that silently writes into the user home directory - not an in-process Antigravity plugin API shim
- not a replacement for organization-wide governance controls
Install¶
The installer copies the extension into:
- Windows:
%USERPROFILE%\.antigravity\extensions\agt-global-policy - macOS/Linux:
~/.antigravity/extensions/agt-global-policy
It seeds the default policy at:
- Windows:
%USERPROFILE%\.antigravity\agt\policy.json - macOS/Linux:
~/.antigravity/agt/policy.json
Commands¶
agt-antigravity install
agt-antigravity install --force-policy
agt-antigravity update
agt-antigravity update --force-policy
agt-antigravity policy apply --profile balanced
agt-antigravity policy validate
agt-antigravity policy show
agt-antigravity uninstall
agt-antigravity uninstall --remove-policy
agt-antigravity doctor
agt-antigravity doctor --json
install writes a manifest so uninstall only removes AGT-managed installs. update refreshes an existing AGT-managed install in place and can reseed the packaged policy with --force-policy.
Policy management is handled through first-class CLI commands rather than through the custom commands:
agt-antigravity policy pathagt-antigravity policy showagt-antigravity policy validateagt-antigravity policy apply --file <path>agt-antigravity policy apply --profile <strict|balanced|advisory>
Antigravity CLI setup¶
The package does not auto-edit Antigravity CLI settings. AGT hooks and custom commands load on restart after the extension is installed. Then restart Antigravity CLI and confirm the extension is active:
Use /hooks panel or /hooks enable-all inside Antigravity CLI to confirm hook state.
Example usage¶
Once the extension is loaded, a simple verification flow is:
The first command should report policy source, prompt-defense grade, and audit health. The second should flag prompt-injection and secret-access cues based on the bundled policy.
Default developer-protection policy¶
The packaged default policy:
- fails closed on policy errors
- classifies unknown Antigravity tools as
reviewby default unless they are explicitly allow-listed - blocks downloaded script execution, credential reads, metadata endpoint access, and policy-bypass shell patterns
- denies risky shell, fetch-style, and persistence-oriented write operations in enforce mode because Antigravity hooks cannot pause for manual approval
- scans shell, file, and fetched-content output for poisoning and exfiltration cues
- exposes deterministic status and text-check helpers through a bundled MCP server
The installed extension still carries its own bundled default policy so it can fall back safely if the user policy file is missing or invalid.
If a custom policy becomes invalid, remove ~/.antigravity/agt/policy.json or point AGT_ANTIGRAVITY_POLICY_PATH at a valid replacement.
Package model¶
This package maps AGT behavior onto Antigravity CLI's native extension primitives:
antigravity-extension.jsonfor manifest, MCP registration, and extension settingshooks/hooks.jsonplus Node hook entrypoints for prompt/tool/tool-output enforcementcommands/agt/*.tomlfor/agt:statusand/agt:checkmcp/server.mjsfor deterministic status and text-check operations
Release model¶
GitHub Actions builds and tests the package in CI. Production npm publishing goes through the ESRP-backed Azure DevOps release pipeline alongside the other AGT npm packages.