Antigravity agent type plugin for mngr
Project description
imbue-mngr-antigravity
Plugin that registers the antigravity agent type for mngr.
Antigravity CLI is Google's terminal-based AI coding assistant, the successor to the legacy Gemini CLI. Google announced on 2026-05-19 that Gemini CLI is being replaced by Antigravity CLI, with the legacy request path turning off for paid-tier accounts on 2026-06-18. This plugin lets you run the new CLI (agy) as an mngr agent.
Authentication
Each agent runs agy under its own $HOME and reads its token from $HOME/.gemini/antigravity-cli/antigravity-oauth-token. By default mngr creates that per-agent token as a symlink to the shared ~/.gemini/antigravity-cli/antigravity-oauth-token — even when the shared token doesn't exist yet (a dangling symlink). Because agy writes the token in place, the result is "log in once, anywhere":
- If the shared token already exists, every agent's symlink resolves to it → agents are authenticated with no per-agent login.
- If it doesn't, the first agent you log into writes its token through the symlink to the shared path, which immediately authenticates every other agent pointing at it. Token refreshes propagate the same way.
This works on both Linux (no keychain — the file token is native) and macOS (where agy stores the token in the login keychain, which a relocated per-agent $HOME can't reliably read, so the file token is the cross-agent mechanism there too). Set symlink_oauth_token = false for full per-agent isolation (each agent authenticates independently; no sharing or propagation).
macOS popup during login is expected and harmless. When you sign in to an agent on macOS you may see a system dialog: "A keychain cannot be found to store "antigravity."" Because each agent runs under a relocated
$HOME, agy has no per-agent keychain to write to, so it falls back to writing the file token — which is exactly the mechanism mngr relies on (the file token is then shared across agents via the symlink, as above). Just dismiss the dialog; authentication still completes and propagates normally.
Usage
mngr create my-agent antigravity
Pass arguments to the agy command with --:
mngr create my-agent antigravity -- --help
Per-agent isolation
Each antigravity agent runs agy under its own $HOME (at <agent_state_dir>/plugin/antigravity/home/). agy resolves its entire config/permission/auth/session tree from $HOME/.gemini and has no config-dir override env var, so relocating $HOME is the only lever that gives an agent its own settings.json. This delivers, per agent:
- Permissions -- a per-agent allow/deny/ask policy (see below), instead of the all-or-nothing
--dangerously-skip-permissions. - Model -- a per-agent model selection.
- Isolated state -- the agent's own transcripts/conversations rather than sharing the user's global
~/.gemini.
This is unconditional: there is no "isolated vs non-isolated" mode. Whether an agent is locked down or open is purely data -- whether its settings.json carries a permissions block. Heavy caches (ms-playwright-go browser binaries) are shared across agents by symlinking each agent's home cache to the user's real host cache, so they are downloaded once.
Configuration
Define a custom variant in your mngr config (mngr config edit):
[agent_types.readonly_agy]
parent_type = "antigravity"
settings_overrides = { permissions = { allow = ["command(git)"], deny = ["command(rm -rf)"], ask = ["command(*)"] }, toolPermission = "proceed-in-sandbox", model = "Gemini 3.5 Flash (Medium)" }
Then create agents with your custom type:
mngr create my-agent readonly_agy
Fields
settings_overrides(dict, default{}) -- a free-form blob merged last into the per-agentsettings.json(mirrorsmngr_claude's field of the same name). Common keys:permissions--{allow, deny, ask}, each a list ofaction(target)resources. Actions:read_file,write_file,read_url,execute_url,command,unsandboxed,mcp. Precedence is Deny > Ask > Allow.command(...)matches a token-prefix/regex with no path scoping; file/url targets must be canonical (on macOS/tmp->/private/tmp) -- a wrong target fails open to Ask rather than erroring.toolPermission-- the global default mode, e.g."proceed-in-sandbox"or"request-review".model-- a display name exactly as listed byagy models, e.g."Gemini 3.5 Flash (Medium)".
sync_home_settings(bool, defaulttrue) -- base the per-agentsettings.jsonon a copy of the user's real~/.gemini/antigravity-cli/settings.json, withsettings_overrideslayered on top. Whenfalse, start from an empty base. This is a data-source choice, not a separate code path. Note that this copies only the globalsettings.jsonscope, which in practice holds theme/telemetry/trust; it does not capture the user's model, permission grants, or behavioral policies (fileAccessPolicy/internetPolicy/etc.), which agy persists in other scopes (config/config.jsonuserSettings, per-projectconfig/projects/<uuid>.json) that this copy intentionally does not read -- importing the user's grants would weaken per-agent isolation. Set an agent's model and permission policy explicitly viasettings_overrides.symlink_oauth_token(bool, defaulttrue) -- symlink the shared oauth token into each agent's home (so refreshes propagate) or copy it (false) for full isolation.auto_allow_permissions(bool, defaultfalse) -- auto-approve every tool call via agy's--dangerously-skip-permissionsflag. (It is not a hook: agy's documentedPreToolUse{"decision": "allow"}output does not gate therun_commandconfirmation dialog -- verified live against agy 1.0.3.) When combined with apermissionspolicy insettings_overrides, skip-permissions wins (the policy is moot), matchingmngr_claude.auto_dismiss_dialogs(bool, defaultfalse) -- silently trust the source repo without prompting (see Trust below).emit_common_transcript(bool, defaulttrue) -- start a background worker that streams agy's per-conversation JSONL transcripts intoevents/antigravity/common_transcript/events.jsonl.mngr transcript <agent>reads from there.
Conversation resume
Stopping an antigravity agent and starting it again (mngr stop / mngr start) resumes the agent's prior agy conversation, keeping its full context rather than starting fresh. This is automatic; there is no flag to set. The conversation resumed is the agent's main (root) one, tracked in the per-agent root_conversation file (written by the statusLine command, whose payload always reports the root conversation_id). It is deliberately not read from the conversation-ids file, whose entries also include the agent's subagents. (Cloning an agent does not yet carry the source's conversation forward -- that is a separate follow-up.)
Caveats
agyPATH shadowing: if the Antigravity 2.0 desktop app is installed, its bundledagyshim can shadow the standalone CLI inPATH. Remove the desktop app'sbin/agyor overridecommandwith an absolute path to the Go binary.- Workspace symlink workaround: agy refuses to add any path with a dot-prefixed segment as a workspace (logs
Failed to add workspace folder ... is hidden: ignore uriand falls back to the user's home dir). mngr'swork_dirlives under~/.mngr/worktrees/..., which trips this check. As a workaround,mngr_antigravitycreates a per-agent symlink at/tmp/mngr_antigravity_workspaces/<agent_id>that targets the realwork_dir, and launches agy with cwd set to the symlink. (HOME relocation does not change this: agy accepts a hidden config dir, just not a hidden workspace.) The symlink is recreated vialn -sfnon every launch;/tmpwipes are self-repairing. Symlinks aren't pruned when agents are destroyed (they're inert and small). Track the upstream agy bug report for when a flag-level fix lands; we can drop the workaround then. - Trust: agy suppresses its first-launch "Do you trust this folder?" dialog for any path in its
settings.jsontrustedWorkspaces. mngr seeds the agent's transient workspace path into the per-agentsettings.json(the running agy exact-matches its cwd), and additionally persists the durable source-repo path into the user's global~/.gemini/antigravity-cli/settings.jsonso trust isn't re-prompted across agents/worktrees of the same repo. The transient per-agent path is never written to the global file. Granting trust is gated (mngr never silently runs an agent on untrusted code):mngr create --yes(mngr_ctx.is_auto_approve) orauto_dismiss_dialogs = true: silent trust.- Interactive shell: mngr prompts via
click.confirmbefore writing. - Non-interactive shell without either opt-in, or a declined prompt: provisioning exits cleanly (
SystemExit). Re-run with--yesor setauto_dismiss_dialogs = true.
- Lifecycle via
statusLine: agy invokes a configuredstatusLinecommand on every agent-state change, piping a JSON payload (agent_state,conversation_id,model,context_window, ...) on stdin and rendering the command's stdout in the prompt's status row.mngr_antigravityseeds a mngr-ownedstatusLineinto the per-agentsettings.jsonpointing atstatusline.sh, which is the single source of truth for the agent's lifecycle. On each invocation it: (1) maintains theactivemarker that drives RUNNING (busy) vs WAITING (idle) -- active iffagent_stateis not in{idle, initializing, authenticating, ""}(a denylist, so any present/future busy state counts as RUNNING); (2) records the rootconversation_idinroot_conversationfor resume (the payload always reports the root, even while a subagent runs); and (3) firestmux wait-for -S "mngr-submit-<session>", the signalmngr messagewaits on to confirm the message was accepted. Crucially, agy's top-levelagent_statealready aggregates subagent activity: it staysworkingcontinuously while a subagent runs and returns toidleonly once root + subagents are all done (verified live against agy 1.0.6/1.0.7: 75 consecutiveworkingsamples spanning a ~29s subagent run, zero mid-turnidleblips), so a singleagent_statecheck captures the whole-turn busy/idle state without any per-conversation bookkeeping. ThisstatusLineis mngr-owned and applied last (aftersettings_overrides), because lifecycle correctness depends on it -- the agystatusLinemust be mngr's. mngr's use ofstatusLineis lifecycle-only: the side-effects (marker, root conversation, submission signal) are the point, and agy already shows working/idle in its own UI, sostatusline.shprints nothing of its own -- the status row looks exactly as it would without mngr. agy allows only onestatusLinecommand, so a user's own (insettings_overridesor the synced global settings) can't be the agystatusLine; instead it is composed -- the provisioner records its command andstatusline.shruns it (with the same payload on stdin, exactly as agy would deliver it) and emits only its output, so the user's statusline renders verbatim while mngr stays invisible. Only a runnable{"type": "command", "command": "<shell>"}block can be composed; a different shape is dropped with a warning. - Hooks (conversation capture):
mngr_antigravityalso writes a per-agenthooks.jsonto$HOME/.gemini/config/hooks.json(in the agent's relocated home); agy executes it directly with no trust prompt and no--add-dir. The lone hook is a singlePreInvocationhandler runningcapture_conversation_id.sh, which records every conversation ID the agent touches -- the root's and its subagents' -- into the conversation-ids file that scopes transcript streaming (the set of conversations to tail). This hook remains (rather than folding intostatusLine) precisely because thestatusLinepayload only ever reports the root conversation, so subagent ids surface only here. Note: the in-TUI/hookscommand writes to~/.gemini/antigravity-cli/hooks.json, which the hook execution engine never runs -- that path is loaded only for the TUI's display, while only~/.gemini/config/hooks.jsonand per-workspace.agents/hooks.jsonare actually executed (antigravity-cli#49). - No readiness sentinel: readiness is signalled purely by polling the rendered TUI banner. The
statusLineagent_stateis about the agent loop and can beidlebefore the input row is drawn, so it can't replace the banner poll -- which gates "input row drawn and able to receive a paste", the correct precondition for sending input. - No permission-specific WAITING reason: agy exposes no permission-dialog hook event, and no hook fires while the agent is blocked at the dialog, so mngr can't currently flag why an agent is waiting (as
mngr_claudedoes). Withauto_allow_permissions = truethere are no dialogs anyway; surfacing a permission-WAITING reason in supervised mode is left for a follow-up.
See the mngr agent types documentation for more details.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file imbue_mngr_antigravity-0.1.5.tar.gz.
File metadata
- Download URL: imbue_mngr_antigravity-0.1.5.tar.gz
- Upload date:
- Size: 97.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9ffefae6e34c663e93af3eaabd38369951dc964fbc18631550def8986c739333
|
|
| MD5 |
6dba21479a9ebd3f6c1a99b15264d16f
|
|
| BLAKE2b-256 |
6a4715277e15471899e3ab6a5bb422472c74f5ffa961397ccf8d9687bb9eccc8
|
Provenance
The following attestation bundles were made for imbue_mngr_antigravity-0.1.5.tar.gz:
Publisher:
publish.yml on imbue-ai/mngr
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
imbue_mngr_antigravity-0.1.5.tar.gz -
Subject digest:
9ffefae6e34c663e93af3eaabd38369951dc964fbc18631550def8986c739333 - Sigstore transparency entry: 1822644281
- Sigstore integration time:
-
Permalink:
imbue-ai/mngr@23dc987ee408eb8d8b0c6aef0f5a44f8c8079276 -
Branch / Tag:
refs/tags/v0.2.14 - Owner: https://github.com/imbue-ai
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@23dc987ee408eb8d8b0c6aef0f5a44f8c8079276 -
Trigger Event:
push
-
Statement type:
File details
Details for the file imbue_mngr_antigravity-0.1.5-py3-none-any.whl.
File metadata
- Download URL: imbue_mngr_antigravity-0.1.5-py3-none-any.whl
- Upload date:
- Size: 50.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ea24d8c26335a98344906217da72699aa806b8962055529b0902139e5ed2f85b
|
|
| MD5 |
df38b21cda5ed8260548886a565c835f
|
|
| BLAKE2b-256 |
83b86e0ba082726ca78fc358378528343f29aad92fb7218ca5192cacceac86e5
|
Provenance
The following attestation bundles were made for imbue_mngr_antigravity-0.1.5-py3-none-any.whl:
Publisher:
publish.yml on imbue-ai/mngr
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
imbue_mngr_antigravity-0.1.5-py3-none-any.whl -
Subject digest:
ea24d8c26335a98344906217da72699aa806b8962055529b0902139e5ed2f85b - Sigstore transparency entry: 1822645014
- Sigstore integration time:
-
Permalink:
imbue-ai/mngr@23dc987ee408eb8d8b0c6aef0f5a44f8c8079276 -
Branch / Tag:
refs/tags/v0.2.14 - Owner: https://github.com/imbue-ai
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@23dc987ee408eb8d8b0c6aef0f5a44f8c8079276 -
Trigger Event:
push
-
Statement type: