ANTIGRAVITY LABJP
Articles/Agents & Manager
Agents & Manager/2026-05-29Advanced

Designing a Negative Spec for Antigravity Agents — The Forbidden-Territory List I Use Across 50M-Download Apps

Hand your Antigravity agents a list of things they must never touch — not just what they should do. Here is the FORBIDDEN.md template, subagent bootstrap, and reinjection script I run across 6 indie apps and 50M downloads.

antigravity435agents129negative-specguardrails4agents-md8production-safety

Premium Article

I'm Masaki Hirokawa, an artist and indie developer. I've been shipping personal apps since 2014, with about 50 million cumulative downloads across six wallpaper, calming, and manifestation apps that I currently run in parallel. In 2026 I started leaning heavily on Antigravity's Background Agents and subagents, routing most releases, asset swaps, and inventory chores through them.

Within the first few weeks I noticed something I hadn't expected. Handing the agent a "list of things to do" did not reduce accidents. The agent finishes the listed task, then immediately reaches toward the adjacent things that weren't listed — the things you implicitly assumed were off limits. The moment it crosses that line, a small scar appears on the revenue base. One character changed in an AdMob ad unit ID is enough to pin eCPM to zero for the day.

So I started writing a Negative Spec — a document that tells the agent which territories it must never enter. It is the counterpart to Antigravity's official AGENTS.md. AGENTS.md describes the role; the Negative Spec describes everything outside the role. This piece walks through the FORBIDDEN.md template I now run across six apps and four blog properties, the order in which Antigravity subagents must read it, the script that reinjects it into long-lived Background Agents, and five destructive operations actually blocked during a recent three-week stretch.

Why AGENTS.md alone isn't enough

AGENTS.md is a positive declaration: which test commands to run, which coding standards to follow, how to add dependencies. That part is fine. What breaks in production is the negative space around it. "While making tests pass, the agent decides to also write a DB migration." "The build fails, so the agent quietly loosens tsconfig." Things AGENTS.md never approved, but never explicitly forbade.

The root cause is how LLMs reason about scope. They do not treat "not authorized" as "forbidden." They treat "not forbidden" as "available to try." This is true across Antigravity, Claude in Chrome's Operator mode, and Gemini's autonomous execution mode. In my first week handing wallpaper releases to a subagent, it read the AGENTS.md instruction "preserve logs on build failure," then concluded "to preserve logs I need a Crashlytics API key" — and went to the Firebase console to mint a fresh one. That wasn't a malfunction. It was a reasonable inference that crossed a boundary I had never named.

A Negative Spec raises the cost of that inference and makes the boundary visible. If the agent has read "never mint a new Crashlytics API key under any circumstance," it stops at the same point and asks me, or finds another path. That shift, from optimistic exploration to bounded exploration, is the whole point.

Minimal FORBIDDEN.md

In my repos, FORBIDDEN.md sits at the root, next to AGENTS.md. Antigravity subagents are required to cat it before doing anything else. A minimal version looks like this.

# FORBIDDEN.md — Territory the agent must never touch in this repo
 
Read this together with AGENTS.md. Even if AGENTS.md says nothing about a given
file, if the action might touch the territories below, escalate to a human.
 
## 1. Auth & billing secrets
- .env.production, firebase-adminsdk*.json, GoogleService-Info.plist
- Stripe sk_live_*, AdMob ca-app-pub-*, Apple Connect API Key
- Never mint, re-issue, or rotate any of the above for any reason.
 
## 2. Destructive overwrite of shipped assets
- Anything under public/wallpapers/v3/ (currently sold assets)
- Live store metadata (description, screenshots) on App Store / Google Play
- Replacing already-released App Bundles
 
## 3. Database & migrations
- Editing existing files under migrations/
- Writing to production Cloudflare D1 / KV namespaces
- DROP / TRUNCATE / ALTER on existing tables
 
## 4. CI/CD pipelines
- Editing .github/workflows/release-*.yml
- Direct push to main
- Deleting or recreating protected tags (v*)
 
## 5. Legal, contracts, revenue share
- Editing LICENSE / NOTICE / TERMS / PRIVACY
- royalty.json (shares paid to asset rights holders)
- Anything under legal/

Three things matter here. First, organize by category rather than listing individual files — long file lists get skimmed. Second, do not include reasons. The moment you write "because X," the agent will rule "X doesn't apply here, so this is fine." Third, use concrete verbs. Not "don't touch" but "do not edit, do not mint, do not write."

Thank you for reading this far.

Continue Reading

What follows includes implementation code, benchmarks, and practical content we hope you'll find useful. This site runs without ads — server and development costs are supported entirely by members like you. If it's been helpful, we'd be truly grateful for your support.

WHAT YOU'LL LEARN
A minimal FORBIDDEN.md sitting next to AGENTS.md and the 12 forbidden categories I run across 6 production iOS/Android apps
The order in which Antigravity subagents must read FORBIDDEN.md, plus a 30-line reinjection script for Background Agents
Five destructive operations actually blocked during 3 weeks of letting agents drive 3 of my highest-earning apps, and the pre-incident signals
Secure payment via Stripe · Cancel anytime

Unlock This Article

Get full access to the rest of this article. Buy once, read anytime. This site is ad-free — your support goes directly toward keeping it running.

or
Unlock all articles with Membership →
Share

Thank You for Reading

Antigravity Lab is ad-free, supported entirely by members like you. We publish practical guides daily with implementation code, benchmarks, and production-ready patterns. If you've found it useful, we'd love to have you on board.

  • Copy-paste ready implementation code
  • New advanced guides published daily
  • $5/mo or $10 for lifetime access
View Membership →

Related Articles

Agents & Manager2026-05-13
Telling AI Agents 'Why' — 5 Context Design Principles to Prevent Misjudgment
When AI agents write correct code for the wrong job, the root cause is usually that you told them What but not Why. This guide covers 5 intent-context design principles for Antigravity agents, with practical patterns for AGENTS.md, task instructions, and error diagnostics.
Agents & Manager2026-04-22
Prompt Injection Defense in Antigravity — A Production Security Playbook for LLM Apps
A practical, code-first guide to defending LLM applications against prompt injection inside Antigravity. Covers direct, indirect, and multi-turn attacks with working Python implementations of a four-layer defense.
Agents & Manager2026-07-15
The File Is Right There in ls, and Your Agent Still Can't Open It
The agent says the file does not exist. Your terminal says it does. After three days of blaming cloud sync, the answer turned out to be that one voiced consonant mark was never a single character. Detection script and a three-layer gate included.
📚RECOMMENDED BOOKS
Build a Large Language Model (From Scratch)
Sebastian Raschka
LLM Dev
Prompt Engineering for LLMs
Berryman & Ziegler
Prompting
AI Engineering
Chip Huyen
AI Eng
* Contains affiliate links
See all →