MCP server bridging the Antigravity (agy) and OpenAI Codex CLIs so Claude Code can drive them as sub-agents
Project description
Claude Code × Antigravity + Codex — MCP Bridge
Drive two external coding CLIs — Google's Antigravity (Gemini 3.5 Flash) and OpenAI Codex — as sub-agents inside Claude Code. Text answers, image generation, real repo work, and parallel swarms, on quota you already pay for.
One MCP server, two backends. It exposes Google Antigravity and OpenAI Codex to Claude Code as clean MCP tools so you can delegate work to a different model family mid-task — without leaving your terminal, and on the subscriptions you already have. Each backend is independent: install one or both.
- 🛰️ Antigravity (
agy, Gemini 3.5 Flash High). Fast, cheap tool-calling — and the only backend with an image model. Its headless print mode (agy -p) is broken: it authenticates, talks to the model, gets the answer… then writes it to the controlling terminal instead of its stdout, so anything capturing stdout gets nothing (and, under a TUI, agy's text leaks into the host's prompt). The bridge runsagy -panyway, detaches it from the terminal so it can't leak, and reads the answer straight out of agy's own transcript files. - 🤖 Codex (
codex exec, OpenAI). The well-behaved sibling and a stronger reasoner for real code/repo work. It writes its final message straight to a file the bridge asks for (no transcript-scraping), supports model selection, and has a real sandbox.
Both share the same niceties: a *_continue to resume a thread, a live "watch" window
to see the agent work, a unified agent_swarm that runs many tasks in parallel across
both backends at once, and *_status diagnostics that spend no quota.
[!WARNING] This runs unsandboxed code with your privileges.
agy -pauto-executes its tools (read/write files, run shell commands, reach the network) with no usable approval gate — its--sandboxblocks only shell commands, leaving file writes and network egress wide open.codex execalso runs autonomously, but itssandboxflag (defaultread-only) is a real boundary. In both cases theworkspaceargument is a starting context, not a security boundary. Only use these with trusted prompts on trusted content; for real isolation, run the bridge inside a container or VM. Full details →
Why you'd want this
| 🧠 Second opinion | Ask a different model family — Gemini or GPT — mid-task without switching tools. |
| 🎨 Image generation | Have Gemini draw an image and get the saved file back — no extra API key or image tool. |
| 🛠️ Real coding sub-agent | Hand a focused repo task to Codex with a real workspace-write sandbox. |
| 💸 Cheap delegation | Burn Antigravity / Codex quota on grunt work instead of Claude tokens. |
| 🐝 Parallel fan-out | Run N tasks at once, mixing Gemini and Codex workers in a single swarm. |
| 📁 Cross-repo reads | Point a worker at another project directory and let it read/answer there. |
| 🔌 Zero new auth | Piggybacks the logins you already did — no keys for the bridge to manage. |
The two backends at a glance
The bridge normalizes both CLIs into the same shape, but they differ where it matters. Pick per task:
🛰️ Antigravity (agy) |
🤖 Codex (codex exec) |
|
|---|---|---|
| Model | Gemini 3.5 Flash (High) — fixed (see Model & auth) | Selectable via model (codex's -m) |
| Best at | Fast, cheap tool-calling; quick answers | Heavier reasoning; real code/repo work |
| Image generation | ✅ antigravity_image (+ antigravity_image_swarm) |
❌ no image model |
| Sandbox | ❌ no real boundary (--sandbox blocks only shell) |
✅ real: read-only / workspace-write / danger-full-access |
| How the answer is read | Scraped from agy's transcript.jsonl (stdout is broken) |
Written to a file via -o/--output-last-message |
| Continue mechanism | Pins the workspace's conversation id (--conversation) |
Resumes the session id (codex exec resume <id>) |
| Auth | OS credential store (AI Pro session) | codex login (ChatGPT account or API key) |
| In a swarm | Runs with an isolated HOME to avoid state races |
Fresh one-shot — needs no isolation |
How it works
Both backends run headless and one-shot per call; the bridge's job is to get a clean answer out of each and hand it to Claude Code as a plain string.
flowchart LR
A([Claude Code]) -- "MCP tool call" --> B["bridge<br/>(server.py)"]
B -- "antigravity_*" --> C[agy -p]
B -- "codex_*" --> D[codex exec]
C -- "Gemini 3.5 Flash" --> M1((model))
D -- "GPT / Codex" --> M2((model))
M1 -. "stdout stays empty" .-> T[("transcript.jsonl")]
C -.-> T
B -- "reads final PLANNER_RESPONSE" --> T
M2 --> O[("output-last-message file")]
D --> O
B -- "reads last message" --> O
B -- "plain text" --> A
Antigravity. agy -p persists its real answer — the one it never sends to stdout — to:
~/.gemini/antigravity-cli/brain/<conv-id>/.system_generated/logs/transcript.jsonl
The bridge runs agy, locates the conversation via cache/last_conversations.json (falling back to
the newest brain/ directory touched since launch), streams the transcript, and returns the final
source=MODEL, status=DONE, type=PLANNER_RESPONSE entry — the answer, minus the intermediate
tool-calling steps. antigravity_continue pins the workspace's exact conversation id via
--conversation, so it never resumes the wrong thread. If agy wrote no JSONL (true for --sandbox
runs), the bridge falls back to reading the SQLite .db agy dual-writes for every conversation.
Codex. codex exec is well-behaved: the bridge passes -o/--output-last-message <file> and
codex writes its final message straight there — no scraping. Continue works by capturing the session
id from codex's own rollout files (~/.codex/sessions/.../rollout-*.jsonl) and resuming with
codex exec resume <id>, falling back to the newest on-disk session for that cwd after a server
restart.
Set up in 60 seconds
Prerequisites — install whichever backend(s) you want, and sign in once each:
- Antigravity: install
agyand sign in to Antigravity once (via the IDE oragy -i). - Codex: install
codexand runcodex loginonce (ChatGPT account or API key).
You don't need both — the tools for a missing CLI simply report "not found" via their *_status
tool.
Recommended — no clone, you control updates
With uv installed, register the bridge straight from
PyPI under mcpServers in ~/.claude.json — no
path to hardcode, no git pull to remember:
"agent-intern": {
"command": "uvx",
"args": ["agent-intern"]
}
uvx pins to the version it first caches and does not auto-upgrade, so you never run an update you didn't choose — important, since the bridge runs unsandboxed code: a surprise (or compromised) release can't execute until you opt in. When the startup check warns that a newer release is out, upgrade deliberately and restart Claude Code:
uvx agent-intern@latest # fetch + run the newest release (refreshes uv's cache)
[!TIP] Prefer hands-off auto-updates? Put
"args": ["agent-intern@latest"]in the config instead — every launch runs the newest release. Convenient, but it pulls new code without asking each time.
From source
Clone it instead if you want to hack on the bridge or pin a local copy:
git clone https://github.com/SinanTufekci/agent-intern.git
cd agent-intern
pip install fastmcp
python test_smoke.py # 4 real round-trips (ask, continue, image, swarm) — prints four PASS lines
[!NOTE] The smoke test costs a tiny bit of quota and takes ~30–60 s. It exercises the Antigravity path.
Then point Claude Code at the absolute path to server.py under mcpServers in ~/.claude.json:
| Windows | macOS / Linux |
|---|---|
"agent-intern": {
"command": "python",
"args": ["C:\\path\\to\\server.py"]
}
|
"agent-intern": {
"command": "python3",
"args": ["/path/to/server.py"]
}
|
Restart Claude Code. Nine tools appear, each prefixed mcp__agent-intern__:
- Antigravity (5):
antigravity_ask,antigravity_continue,antigravity_image,antigravity_image_swarm,antigravity_status - Codex (3):
codex_ask,codex_continue,codex_status - Shared (1):
agent_swarm— fans a list of tasks out across both backends in one run
The single-prompt tools — Antigravity and Codex — take a watch=true flag for the live
browser view (Watch mode).
"Use antigravity_ask to summarize the README of this repo in three bullets." → Claude routes the prompt through the bridge, agy reads the file under the workspace root, and the answer comes back as a plain string. Swap in
codex_askto have GPT do the same with aread-onlysandbox.
Tools
🛰️ Antigravity
| Tool | Purpose |
|---|---|
antigravity_ask(prompt, workspace?, timeout_s?=180, watch?=false) |
Start a new Antigravity conversation. watch=true opens the live browser view (Watch mode). |
antigravity_continue(prompt, workspace?, timeout_s?=180, watch?=false) |
Continue the conversation rooted at workspace (pinned by id). watch=true opens the live view. |
antigravity_image(prompt, output_path?, workspace?, timeout_s?=240, watch?=false) |
Generate an image; saves the file (extension corrected to the real bytes) and returns its path + format/size. watch=true streams progress and shows the image inline. |
antigravity_image_swarm(prompts, output_paths?, workspaces?, max_concurrency?=4, timeout_s?=240, watch?=false) |
Generate several images in parallel (one worker per prompt). |
antigravity_status() |
Setup diagnostics: the bridge's own version + whether a newer release is available, plus agy version/compat, state dirs, and newest-transcript readability. Spends no quota. |
🤖 Codex
| Tool | Purpose |
|---|---|
codex_ask(prompt, workspace?, sandbox?="read-only", model?, timeout_s?=180, watch?=false) |
Start a new Codex session. sandbox is a real boundary (see Codex bridge); model selects the model (-m). watch=true opens the live view, streaming codex's steps from its --json event stream. |
codex_continue(prompt, workspace?, timeout_s?=180, watch?=false) |
Continue the Codex session rooted at workspace — resumes the exact session id, falling back to the newest on-disk session for that cwd after a server restart. The resumed session keeps its original sandbox and model. watch=true opens the live view. |
codex_status() |
Setup diagnostics: codex version, login status (codex login status), sessions dir. Spends no quota. |
🐝 Shared
| Tool | Purpose |
|---|---|
agent_swarm(tasks, max_concurrency?=4, timeout_s?=180, watch?=false) |
Run several tasks in parallel across both backends — each task names its backend (antigravity or codex) plus a prompt (and, for Codex, sandbox/model). Every answer comes back in one block; watch=true opens the live dashboard (Swarm). |
workspace defaults to the MCP server's current working directory. Point it at a real project dir
for context-aware answers — both backends give the model access to files under that root (Codex
honoring its sandbox).
antigravity_image forces agy to save to an explicit absolute path — without one, agy
falls back to its own scratch dir (~/.gemini/antigravity-cli/scratch/). It then
corrects the file extension to match the real bytes: agy's image model picks the
format itself (JPEG for photo-like images, PNG for flat graphics), so a requested
out.png may come back as out.jpg. The returned path always reflects the true
format.
🤖 Codex bridge — the well-behaved sibling
Where agy -p is broken (it never writes to stdout, so the bridge scrapes transcript files),
codex exec is clean: it writes its final message to a file the bridge asks for via
-o/--output-last-message, so the answer comes back without scraping. Three things make Codex worth
reaching for over Antigravity:
- Real sandbox.
sandboxacceptsread-only(default — reads and answers, writes nothing),workspace-write(may edit files under the workspace), ordanger-full-access(no sandbox — avoid). Unlike agy's no-op--sandbox, codex's-sactually enforces this.codex exechas no interactive approval gate, so this flag is your safety boundary — opt into write access deliberately. - Model selection works.
modelmaps to codex's-m; agy hangs on a model switch in print mode, codex does not. - Stronger reasoning. Codex is a coding agent, not an image model — there's no
codex_image. Its strength is reasoning and real code/repo work; hand it the jobs that need a heavier model.
Auth. Uses your existing Codex login (ChatGPT account or API key). Run codex login once; check
with codex_status. No new keys for the bridge to manage.
[!WARNING]
codex execruns the model as an autonomous agent with no interactive approval gate. Thesandboxflag (defaultread-only) is the real boundary, butworkspace-write/danger-full-accesslet it modify files — and a swarm runs N agents at once. Only use it with trusted prompts on trusted content.
👁️ Watch mode — Agent Intern (experimental)
Pass watch=true to any single-prompt tool — antigravity_ask, antigravity_continue,
antigravity_image, codex_ask, or codex_continue — to watch the agent work live in a little
terminal-style browser window called Agent Intern. The agent still runs headless; alongside it
the bridge serves a tiny page on 127.0.0.1 and opens it in a small, chromeless app window that
streams the agent's steps — its planner narration (▸), the real commands it runs ($), and
completions (✓) — read live (from agy's transcript, or codex's --json event stream), with the
final answer rendered as Markdown (and, for antigravity_image with watch=true, the generated
image shown inline).
| text ask / continue (agy or codex) | antigravity_image — image inline |
$ commands · ✓ completions), then shows the final answer or image.
- Cross-platform & best-effort. Prefers a Chromium browser (
--appmode) for the windowed look; falls back to a normal browser window. If nothing can open, the run still completes and returns normally. - Window size. Set
AGY_WATCH_WINDOW_SIZE(e.g.AGY_WATCH_WINDOW_SIZE=480,700) to resize the window; default is560,760. Press Enter / Esc in the window to close it. - One window, reused. Repeated watch calls reuse the already-open window
instead of stacking a new one each time — the open page resets itself for the new
run (the swarm dashboard rebuilds for the new fan-out). If you closed the window, the
next run opens a fresh one. Set
AGY_WATCH_ALWAYS_NEW=1to force a new window every time. - Progress, keyboard & copy. Each panel shows a time progress bar (elapsed / timeout). The swarm dashboard adds an overall done/total bar and per-row time bars; use ↑/↓ to select a worker and ↵ to open its detail window. Answers render as Markdown with a copy button, and a "jump to latest" badge appears if you scroll up.
- Coarse, not token-level. Both backends flush their step stream in chunks, so you get a handful of live steps, not character streaming. The returned value is identical to the non-watch call. Nothing is sent anywhere but your own machine.
🐝 Swarm — run agents in parallel
agent_swarm fans a list of tasks out to workers that run truly
concurrently (capped at max_concurrency, default 4), then returns every
worker's result in one block. Each task names its own backend, so a single
swarm can mix Antigravity (Gemini) and Codex workers — hand the reasoning-heavy
jobs to Codex and the quick ones to Gemini, all at once. Good for independent
sub-tasks: summarise N files, ask the same question about N repos, fix N bugs.
(antigravity_image_swarm stays separate — it generates N images, and only agy
has an image model.)
agent_swarm(tasks=[
{"backend": "antigravity", "prompt": "Summarise src/auth.py in 2 bullets."},
{"backend": "antigravity", "prompt": "List the public functions in src/api.py."},
{"backend": "codex", "prompt": "Find and fix the failing test in tests/",
"sandbox": "workspace-write", "workspace": "./repo"},
])
agent_swarm(..., watch=true) — one row per worker (with a backend badge); the done/total bar climbs as workers finish. Click a row (or ↑/↓ then ↵) to pop that agent into its own window.
How it stays correct under concurrency. The single-agent agy tools serialize
through a lock because agy rewrites last_conversations.json on every call, so
concurrent runs sharing one state dir would race. The swarm sidesteps this: each
agy worker runs with its own isolated HOME/USERPROFILE, so agy's
brain/, cache/, and last_conversations.json never collide — no lock needed.
Auth still works because agy reads it from the OS credential store, not from
~/.gemini (verified on agy 1.0.9). Codex workers need no such isolation —
each is a fresh one-shot codex exec with its own -o output file. Each worker's
cwd is its real workspace, so file access is unchanged. Measured ~2.8×
speedup at 3 agy workers (the AI Pro backend does not serialize per-account);
higher max_concurrency trades quota/rate-limit pressure for wall-clock.
- Per-task fields —
backend(antigravity/codex) andpromptare required;workspacedefaults to the server cwd;sandboxandmodelapply to Codex only (ignored for Antigravity). Swarm workers are one-shot — there is no*_continuefor a swarm worker's session. - Error isolation — a worker that fails is reported in place; the others still return.
watch=true— opens a thin live Agent Swarm dashboard (one row per worker, with a backend badge, repo, prompt, and latest step). Click a row to pop that agent into its own window streaming its full step log.
[!WARNING] A swarm launches N unsandboxed agents at once — N× the prompt-injection "lethal trifecta" surface of a single call (see Security). Only use it with trusted prompts on trusted content. Codex workers honor their
sandbox; Antigravity workers have no real boundary.
Model & auth
| 🛰️ Antigravity | 🤖 Codex | |
|---|---|---|
| Model | Effectively Gemini 3.5 Flash (High) — whatever the "model" field in agy's settings.json is set to. Switching model in -p hangs the call (verified on 1.0.5: the active label returns in seconds, any other hangs >60 s), so the bridge stays single-model. Flash High is speed-optimized for tool-calling — best as a fast sub-agent for cheap work. |
Selectable via the model argument (codex's -m). codex does not hang on a switch, so model choice is a first-class knob. |
| Auth | Piggybacks whatever credential store agy uses on your OS (Windows Credential Manager, macOS Keychain, libsecret on Linux — the bridge never touches it directly). Log in once; every call silent-auths on the same AI Pro quota you already pay for. |
Uses your existing Codex login — ChatGPT account or API key. Run codex login once; verify with codex_status. |
⚠️ Security
Both backends run the model as an autonomous agent. The difference is whether you get a real boundary.
Antigravity — no usable boundary
agy -p auto-executes its own tools — reading and writing files, running shell commands, reaching
the network — with no approval gate and no opt-out. This isn't a choice the bridge makes; it's
how agy's print mode works. Re-verified empirically on agy 1.0.9 / Windows (all three checks
below still hold):
- Print mode runs out-of-workspace file writes and live network fetches even without
--dangerously-skip-permissions— that flag is a no-op for-p. There is no agy flag that disables tool execution in print mode. - agy 1.0.5 integrated a permission system (its logs show
toolPermission=request-review), but it still does not gate print-mode execution — a fresh-prun created a file outside the workspace with no prompt. agy 1.0.12 reshuffled how that permission config merges (per-project files under~/.gemini/config/projects/now take precedence over~/.gemini/antigravity-cli/settings.json), and 1.0.13 made "Always Approve" rule matching strict (non-regex) by default with aregex:opt-in and relaxed its redirection checks — but those are config/interactive-approval changes, they add no print-mode approval gate, and the bridge reads none of it. --sandboxis not a usable boundary. agy 1.0.6 fixed its propagation into-p(the 1.0.6/1.0.7 changelog calls this "sandbox isolation correctly enforced") and it now does block terminal/ shell command execution — but re-verified on 1.0.9 that it leaves thewrite_to_filetool and network wide open: under--sandboxthe model still wrote a file outside its workspace. agy 1.0.9 hardened the sandbox's command path (stricter exact-match command checks;.gitadded to its dangerous-paths list), but none of that closes the out-of-workspacewrite_to_filehole. On top of that, a--sandboxrun whose blocked terminal command halts it writes no JSONL transcript (only the SQLite.db, re-confirmed on 1.0.9). The bridge can now read that.db, but still never passes--sandbox— it's no boundary, with file writes and network left open.
Codex — a real sandbox you should use
codex exec also has no interactive approval gate, but its sandbox flag is a genuine boundary
that codex enforces:
read-only(default) — reads and answers; writes nothing. Safe for untrusted questions on trusted content.workspace-write— may edit files under the workspace. Opt in deliberately, per task.danger-full-access— no sandbox at all. Avoid.
Because there's no approval prompt, the flag you pass is the safety decision — choose it per call.
What that means for you
- The
workspaceargument is only a starting context, not a security boundary — Antigravity can and does act outside it; Codex is bounded only by itssandbox. - An Antigravity call effectively runs arbitrary code with your user privileges. A Codex call
does too unless you keep it at
read-only. - Only invoke these with trusted prompts on trusted content. Untrusted input here is the classic prompt-injection lethal trifecta: private-data access + code execution + network egress.
- For real isolation, run the whole bridge inside a container or VM.
The bridge itself does only cross-platform filesystem reads under ~/.gemini/antigravity-cli/ and
~/.codex/ — no private APIs, no token theft. The risk above is entirely in what the sub-agents are
allowed to do.
FAQ
Is this against Google's / OpenAI's Terms of Service?
It runs the official agy and codex CLIs under your own logins — no private APIs, no token
theft, no quota abuse. It just bridges what the CLIs already do. That said, your AI Pro / Antigravity
and OpenAI / Codex ToS apply, and you're responsible for staying within them.
Do I need both CLIs?
No. Each backend is independent — install only the CLI(s) you want. The tools for a missing backend
report "not found" via their *_status tool (antigravity_status / codex_status) and never crash
the server.
When should I use Antigravity vs Codex?
Use Antigravity for fast, cheap tool-calling, quick answers, and image generation (it's the
only backend with an image model). Use Codex for heavier reasoning, real code/repo work, when you
need to pick the model, or when you want a real workspace-write sandbox. In a swarm you can
mix both. See The two backends at a glance.
Will it break when agy updates?
Possibly — it reads agy's internal, undocumented state files, so a release can change paths or
schemas and break it silently. Re-verified working on 1.0.14 (transcript schema and -p JSONL
output unchanged; live ask round-trip + antigravity_status diagnostics pass). The big looming change
is agy's SQLite (.db) conversation format (added in 1.0.4, slated to become the default): agy
1.0.14 still dual-writes every conversation to ~/.gemini/antigravity-cli/conversations/<id>.db
alongside the JSONL transcript. The bridge is ready for it — _read_response reads the JSONL when
present and falls back to the .db (parsing the steps table's protobuf payload) when it isn't,
which already happens for --sandbox runs. Verified to match the JSONL answer across 100+ local
conversations. Still, the .db schema is undocumented and could change, so pin a known-good agy
version if you depend on this.
Why only Gemini 3.5 Flash for Antigravity?
agy 1.0.5 added a --model flag, but switching to a different model in -p hangs (print mode
waits on a step it never gets headless), so in practice you get whatever model agy's settings.json
selects — Gemini 3.5 Flash (High) by default. The Antigravity tools don't expose a model knob because
it would hang on any real switch. Codex does not have this limitation — its model argument
works.
Can it generate images?
Yes — that's the antigravity_image tool, on the Antigravity backend. agy's print mode generates
real images on your AI Pro quota; antigravity_image drives it, saves the file to a path you choose
(or a timestamped default in your workspace), fixes the extension to match the real bytes (agy picks
JPEG or PNG itself), and returns the path. Verified on agy 1.0.9 / Windows. Codex has no image
model — it's a coding agent.
Does it cost extra money?
No. It uses the same quota you already pay for — AI Pro for Antigravity, your Codex plan for Codex. The smoke test spends a negligible amount.
Does it stream responses?
The final answer is request/response — both CLIs return it all at once, so the tools return when the
agent finishes (each call typically takes 10–30 s). If you want to watch the agent work as it goes,
pass watch=true to any single-prompt tool: it opens the Agent Intern browser window and
live-streams the agent's steps — see Watch mode. It's coarse (a handful of steps, not
token-by-token), and the returned value is identical to the non-watch call.
Can I run several calls at once?
The single-agent tools are serialized inside the server: agy rewrites last_conversations.json
on every call, so concurrent runs sharing one state dir would race and could return the wrong
conversation. A threading.Lock makes extra requests queue rather than race.
For real parallelism use agent_swarm — each agy worker runs in its own isolated state
dir (and Codex workers need none), so they don't race and the lock isn't needed (~2.8× at 3 workers).
That's the supported way to run many calls at once, across either backend.
Status & caveats
- ✅ Verified on agy 1.0.14 — base dir,
last_conversations.json(still keyed by workspace path), thebrain/.../transcript.jsonlpath, the transcript schema, and the-p/-c/--print-timeoutflags are all unchanged; a live ask round-trip +antigravity_statusdiagnostics pass. 1.0.13 and 1.0.14 are interactive-TUI / plugin / skill / browser-task fixes plus permission-rule tweaks (strict-by-default "Always Approve" matching, aregex:opt-in, relaxed redirection checks) — none of which touch the print-mode path. 1.0.14's "MCP configuration path mismatch" fix is about agy loading custom MCP servers as a client, the opposite direction from this bridge (which drives agy via its CLI), and 1.0.13's removed exit-hint line doesn't matter — the bridge reads the transcript, never agy's stdout. - ✅ Verified on codex-cli 0.141.0 —
codex exec,-o/--output-last-message,codex exec resume, the--jsonevent stream, and the~/.codex/sessions/.../rollout-*.jsonllayout the continue path reads are all in place; a livecodex_askround-trip +codex_statuspass. - 🖥️ Console-detach — agy
-pwrites its progress/answer to the controlling terminal, not stdout; under a TUI that text leaks into the host's prompt (seen on 1.0.9 before the fix). The bridge spawns agy detached from the terminal (CREATE_NO_WINDOW/ a new POSIX session), so it can't leak; the answer is still read from the transcript. - 💾 SQLite migration — handled — agy 1.0.14 still dual-writes a
.dbper conversation; when the JSONL transcript is absent (already true for--sandboxruns, and the announced future default)_read_responsefalls back to reading the.db, verified to match across 100+ conversations. See the FAQ. - 🐛 agy stdout bug persists —
-pstill doesn't print the answer to stdout on 1.0.9 (the 1.0.9 "print-mode resumption" changelog fix did not change this for fresh-p). If a future release fixes stdout, this workaround becomes redundant but harmless. (Codex never had this problem.) - 👁️ Watch mode is experimental — pass
watch=trueto any single-prompt tool to open the Agent Intern window and watch the agent work live (coarse steps; image shown inline). Best-effort and cross-platform; see Watch mode. - 🔒 Sandbox — agy's
--sandbox(since 1.0.6) blocks only shell commands in-p; file writes and network egress stay open, so it's no boundary and the bridge never passes it. Codex'ssandboxis real — use it; default isread-only. See Security.
Requirements
- Python 3.10+
- For the Antigravity tools:
agy1.0.0+ onPATH(state-file layout re-verified on 1.0.14) and an active Antigravity / AI Pro session - For the Codex tools:
codexonPATHand logged in (codex login) — verified on codex-cli 0.141.0
Each backend is independent — install only the CLI(s) you plan to use; the other tools simply report "not found" via their *_status tool.
[!TIP] If
agyisn't reliably onPATH(e.g. a new terminal or reboot drops it on Windows), set theAGY_BINenv var to its full path and the bridge will use that instead of"agy"— e.g.AGY_BIN=%LOCALAPPDATA%\agy\bin\agy.exe. Likewise, setCODEX_BINifcodexisn't reliably onPATH(the native Windows installer puts it under%LOCALAPPDATA%\Programs\OpenAI\Codex\bin\).
The bridge uses only cross-platform Python (Path.home(), subprocess) and reads paths under
~/.gemini/antigravity-cli/ and ~/.codex/, which the CLIs write the same way on every OS.
Developed and verified on Windows; macOS and Linux should work unmodified provided the CLIs run
there. If you test it on those platforms, please open an issue / PR to confirm.
🌐 Community & Acknowledgments
- Qiita (Japan): A huge thanks to
@falloutand the Japanese developer community for featuring this project and providing invaluable feedback!
💡 Path Resolution Fix: Thanks to their community's real-world testing, we identified and resolved a Windows PATH edge case where the MCP server inherits a stale
PATHat startup and can't findagy. TheAGY_BINenvironment-variable fallback was implemented directly inspired by their report!
License
MIT. Do whatever you want with it.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file agent_intern-0.15.3.tar.gz.
File metadata
- Download URL: agent_intern-0.15.3.tar.gz
- Upload date:
- Size: 87.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
aaaab8034a755fd32e2b9b6cb2cfb187ca5c7d09fc6f812f667f9fd0715f2263
|
|
| MD5 |
f1024309c0d08fe81f6270432cdedd14
|
|
| BLAKE2b-256 |
47210960409db8dd2141e05e1ba2601b7103cdae4c6cebaec284b2653c648deb
|
Provenance
The following attestation bundles were made for agent_intern-0.15.3.tar.gz:
Publisher:
publish.yml on SinanTufekci/agent-intern
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
agent_intern-0.15.3.tar.gz -
Subject digest:
aaaab8034a755fd32e2b9b6cb2cfb187ca5c7d09fc6f812f667f9fd0715f2263 - Sigstore transparency entry: 2019460515
- Sigstore integration time:
-
Permalink:
SinanTufekci/agent-intern@ca46582d4e4c1947dfed2b31ca3564639ca737b8 -
Branch / Tag:
refs/tags/v0.15.3 - Owner: https://github.com/SinanTufekci
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@ca46582d4e4c1947dfed2b31ca3564639ca737b8 -
Trigger Event:
push
-
Statement type:
File details
Details for the file agent_intern-0.15.3-py3-none-any.whl.
File metadata
- Download URL: agent_intern-0.15.3-py3-none-any.whl
- Upload date:
- Size: 66.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
92ffb1bbc7c38020bd1671ab4910bd2c95439cdc8b8c621617d6769b65a9fd87
|
|
| MD5 |
ca96ab9a6f32f9a964049c516de8588c
|
|
| BLAKE2b-256 |
3f8c5daed19d4cd4d133797b795e780031e75309e3ebd69e9956738f71e30d2c
|
Provenance
The following attestation bundles were made for agent_intern-0.15.3-py3-none-any.whl:
Publisher:
publish.yml on SinanTufekci/agent-intern
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
agent_intern-0.15.3-py3-none-any.whl -
Subject digest:
92ffb1bbc7c38020bd1671ab4910bd2c95439cdc8b8c621617d6769b65a9fd87 - Sigstore transparency entry: 2019460592
- Sigstore integration time:
-
Permalink:
SinanTufekci/agent-intern@ca46582d4e4c1947dfed2b31ca3564639ca737b8 -
Branch / Tag:
refs/tags/v0.15.3 - Owner: https://github.com/SinanTufekci
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@ca46582d4e4c1947dfed2b31ca3564639ca737b8 -
Trigger Event:
push
-
Statement type: