Install AI Governance into Antigravity in 30 Seconds
The governance-enforcer plugin for Antigravity 2.0 activates AI SAFE² v3.0 constraints across every session automatically
Most Antigravity 2.0 deployments run without any formalized security boundary between the agent and the systems it touches. The AI governance plugin for Antigravity changes that in a single command. Install it once and AI SAFE² v3.0 constraints load automatically into every session, across every project, before any tool execution — no per-project setup required.
Why Antigravity Needs an AI Governance Layer
Antigravity is a capable agentic platform. That capability is exactly what creates risk. Without explicit behavioral constraints, an Antigravity agent can be manipulated into executing chained shell commands, writing credentials to disk, connecting to unauthorized external domains, or accepting instructions embedded in fetched URLs.
These are not theoretical threats. Prompt injection, credential exfiltration, and path traversal are the attack patterns most frequently observed against agentic AI systems in production. An agent that reads from the web and writes to the filesystem is an attack surface — regardless of how well-designed the underlying platform is.
The AI governance plugin for Antigravity closes that exposure at the tool call layer, with deterministic enforcement code that runs outside the LLM entirely.
The governance-enforcer Plugin — One Command, Permanent Coverage
The governance-enforcer plugin installs directly into Antigravity's native plugin discovery directory. It carries "autoLoad": true in its manifest, which means Antigravity loads governance constraints before every session: no manual setup, no relying on the agent to read a policy file, no per-project configuration.
Install it once:
.\config\install-option1-plugin.ps1
Verify the enforcement layer is live:
node smoke_test.js
Restart Antigravity after install. When the 🛡️ indicator appears in session initialization, the AI governance plugin for Antigravity is active.
The plugin loads a complete system governance block covering:
- Identity lock — the agent cannot be renamed or assigned an alternative persona mid-session
- Hard security limits — no credential writes, no chained shell commands, no unauthorized domain connections
- Tool authorization whitelist — auto-authorized, requires confirmation, or denied outright
- Human-in-the-loop requirements — step-by-step confirmation for destructive or outbound operations
- Memory governance — injection pattern scan before any memory write is persisted
How the Three-Layer Architecture Works
The AI governance plugin for Antigravity operates inside a three-layer security model. Understanding the layers matters for deployment.
Layer 1 is Antigravity’s own platform enforcement — built-in system prompts and tool safety controls. Always active, not part of this package.
Layer 2 is the governance injection layer. The governance-enforcer plugin loads AI SAFE² identity constraints, behavioral limits, and tool authorization rules into the agent’s context window before any user message or tool call. Without this layer, the governance files in core/ are documentation on disk, not active enforcement.
Layer 3 is the external enforcement layer — safe_gateway.js, circuit_breaker.js, and audit_logger.js. These run entirely outside the LLM, intercepting every tool call before execution. A session compromised by prompt injection still gets its tool calls blocked. This layer is active regardless of whether Layer 2 loaded.
The combination is the point. Layer 2 aligns the agent before it acts. Layer 3 enforces the boundary regardless of what the agent says. Detection is not the strategy here — certainty is.
13 Adversarial Tests — What Gets Blocked
The test suite runs 13 high-fidelity attack scenarios across three tiers. All 13 pass.
Tier 1 — Core controls: prompt injection filtering, outbound exfiltration blocking, shell command chain injection, credential leak prevention in write streams, and the runaway loop circuit breaker.
Tier 2 — Adversarial paths and network: path traversal via ../ sequences, encoded traversal via %2e%2e, Windows device path abuse, loopback SSRF to 127.0.0.1, RFC 1918 private IP blocking, domain confusion attacks, and non-HTTP scheme abuse via file://.
Tier 3 — Governance and subagent boundaries: interactive and privileged command blocking (sudo, bash, powershell), subagent privilege escalation denial, and memory poisoning prevention.
Run the full suite any time:
node smoke_test.js
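The Layer 3 idea of deterministic checks that run before a tool call executes, applied to the Tier 2 network and path scenarios listed above. This is an added example, not the package's safe_gateway.js or any code from the AI SAFE² project; the allowlist, the POSIX-style workspace root, the function names and the deny reason strings are all assumptions.

```javascript
// Added example, not the package's safe_gateway.js. ALLOWED_HOSTS, WORKSPACE
// and the function names are assumptions; the root is a POSIX-style path.
const ALLOWED_HOSTS = new Set(["api.example.com"]); // constructed allowlist
const WORKSPACE = "/workspace/project";             // constructed root
// Loopback (127/8) and RFC 1918 ranges, on a dotted-quad hostname.
function isInternalV4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 127 || a === 10 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

function checkUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return "deny:unparseable"; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return "deny:scheme";
  // The WHATWG parser has already canonicalised the host (case, numeric IPv4).
  const host = u.hostname;
  if (host === "localhost" || host === "[::1]" || isInternalV4(host)) {
    return "deny:internal-address";
  }
  // Exact match only, so look-alike suffixes and userinfo prefixes fail.
  return ALLOWED_HOSTS.has(host) ? "allow" : "deny:host-not-allowlisted";
}

function checkPath(raw) {
  let p = raw;
  for (let i = 0; i < 3; i++) { // decode repeatedly to flatten double encoding
    let d;
    try { d = decodeURIComponent(p); } catch { return "deny:bad-encoding"; }
    if (d === p) break; p = d;
  }
  p = p.replace(/\\/g, "/");
  const parts = p.split("/");
  // Windows device namespaces, drive-letter paths and reserved device names.
  const device = /^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$/i;
  if (/^(\/\/[.?]\/|[a-z]:)/i.test(p) || parts.some((s) => device.test(s))) {
    return "deny:windows-path";
  }
  // Resolve against the workspace root; the result must stay inside it.
  const out = p.startsWith("/") ? [] : WORKSPACE.split("/").filter(Boolean);
  for (const s of parts) {
    if (s === "..") out.pop(); else if (s !== "" && s !== ".") out.push(s);
  }
  const resolved = "/" + out.join("/");
  const inside = resolved === WORKSPACE || resolved.startsWith(WORKSPACE + "/");
  return inside ? "allow" : "deny:outside-workspace";
}
```

Both functions return a reason string rather than a boolean so that a denied call can be written to an audit log with the rule that fired.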
Evidence-Grade Compliance, Not Just Assertions
The compliance reporting in this release is evidence-based. Controls are only marked verified when the implementation file is present and contains the required keywords at generation time. Every verified control gets a SHA-256 hash.
Three output files are generated on every run:
- Markdown compliance report — human-readable summary with verified/unverified status per control
- JSON evidence ledger — structured output with SHA-256 hashes, loaded_at_runtime status, and evidence summaries per control
- SARIF 2.1.0 report — uploads directly to GitHub Security / CodeQL for CI integration
Each control in controls/policy.yaml carries an honest loaded_at_runtime field. Enforcement layer controls show runtime_enforced. Governance document controls show static_file_check_only — until the plugin is confirmed active, at which point they upgrade to tested maturity.
Get the AI Governance Plugin for Antigravity
The AI governance plugin for Antigravity is available now in the AI SAFE² framework examples directory. The full package includes the plugin, two complementary wiring fallbacks, a 13-scenario adversarial test suite, evidence-grade compliance reporting, and a machine-readable policy manifest with full gap documentation.
One install. All sessions covered. AI governance for Antigravity ships in 30 seconds.