ANTIGRAVITY LABJP
Articles/Agents & Manager
Agents & Manager/2026-07-12Advanced

The Scarier Permission Was Reach, Not Write: Locking an Agent's Outbound Traffic to an Allowlist

When I hand real work to an agent, the thing I guard most isn't file edits, it's where it connects. Here is an 80-line deny-by-default egress gate, plus what 21 nights of unattended runs revealed about the traffic I never saw.

Antigravity322agents124permission design2networkingindie development15

Premium Article

One morning, reading through the previous night's scheduled run, I stopped on a hostname I didn't recognize. A dependency's postinstall hook was quietly pinging a telemetry endpoint I'd never heard of. The agent hadn't done anything wrong. It had run the npm install I asked for, and something two layers down reached out.

I had approval gates on file writes through the unified permission system. But on where things connect, I had nothing. Since I started running agents unattended as an indie developer, this is the spot I've come to see as the real soft underbelly. Anything that gets edited, I can diff and revert. A request that has already left the machine, I cannot.

I was only watching write permissions

When people talk about delegating real work to an agent, the conversation almost always turns to what it can change: delete files, commit, deploy. Every one of those can be stopped at an approval dialog, and the unified permission system made managing them much cleaner.

But half the risk of delegation lives on the reach side. The builds, tests, package installs, and tool calls an agent runs all carry outbound traffic, and those destinations never surface in an approval dialog. In my own setup, the following were passing straight through in silence.

Origin of the callExample destinationShows in approval dialog?
Dependency postinstall hookVendor analytics beaconNo
Telemetry bundled in a toolAnalytics collection endpointNo
Verification script the agent wroteAny external APINo
Real calls to billing endpointsAds / store / payment APIsNo

The row I cared about most is the last one. Running iOS and Android apps solo, there are moments when the agent's shell holds keys — as environment variables — that can hit ad-serving or store-management APIs. I want the nightly automation to use those keys, but the one thing I can't tolerate is those keys pointing at an unexpected host. I decided the boundary to draw isn't the write; it's the destination.

Constraining reach, deny-by-default

The policy is a single sentence. Route all traffic under the agent through a local gate, and let that gate pass only hosts on an allowlist, denying everything else by default. Deny-by-default is the whole point: a host you forgot to list simply doesn't get through. The opposite posture — allow by default, block the scary ones — leaves you chasing destinations that grew without you noticing.

The implementation trick is to not decrypt TLS. I don't need to read the payload. All I want to know is which host something tried to reach, and that's visible in the hostname of an HTTPS CONNECT request. Because the gate never touches the body, legitimate traffic keeps its privacy.

Thank you for reading this far.

Continue Reading

What follows includes implementation code, benchmarks, and practical content we hope you'll find useful. This site runs without ads — server and development costs are supported entirely by members like you. If it's been helpful, we'd be truly grateful for your support.

WHAT YOU'LL LEARN
An 80-line deny-by-default egress gate that only tunnels CONNECT to allowlisted hosts (working code)
A procedure for growing a per-project allowlist from empty, driven by the denial log
Measured results from 21 unattended nights: 41 denials across 9 hosts, and the trade-off of not decrypting TLS
Secure payment via Stripe · Cancel anytime

Unlock This Article

Get full access to the rest of this article. Buy once, read anytime. This site is ad-free — your support goes directly toward keeping it running.

or
Unlock all articles with Membership →
Share

Thank You for Reading

Antigravity Lab is ad-free, supported entirely by members like you. We publish practical guides daily with implementation code, benchmarks, and production-ready patterns. If you've found it useful, we'd love to have you on board.

  • Copy-paste ready implementation code
  • New advanced guides published daily
  • $5/mo or $10 for lifetime access
View Membership →

Related Articles

Agents & Manager2026-07-01
Detecting and Fixing Drift Between a Guide Skill and Your Code
Pin a procedure into a built-in Guide skill and it gets left behind when the code later changes. Here is an operational design that machine-checks the things a Guide references, catches drift early, and keeps the Guide thin.
Agents & Manager2026-07-01
Keeping Naming and Formatting Stable When Your Model Falls Back
When a model falls back mid-run, an agent's naming conventions and formatting drift quietly. Here is how I enforce a model-independent style contract plus a drift probe to keep output consistent.
Agents & Manager2026-06-29
When Your Antigravity-Written Tests Only Look Green: Measuring Effectiveness with Mutation Testing
Tests written by an Antigravity agent can pass and still fail to catch the bug that matters. Here is how to measure their real effectiveness with mutation testing and only adopt tests after they kill the surviving mutants — with working code.
📚RECOMMENDED BOOKS
Build a Large Language Model (From Scratch)
Sebastian Raschka
LLM Dev
Prompt Engineering for LLMs
Berryman & Ziegler
Prompting
AI Engineering
Chip Huyen
AI Eng
* Contains affiliate links
See all →