ANTIGRAVITY LABJP
Articles/Integrations
Integrations/2026-07-18Advanced

Turning Silent Auto-Approvals into Allow Rules, One Soft-Deny at a Time

In Antigravity CLI 1.1.3, headless -p stops silently auto-approving confirmation-required tools and instead soft-denies them, printing the required allow-rule name to stderr. This piece uses that output as a discovery source to build least privilege from an empty allow set upward, with a working harness and real numbers from a personal automation.

Antigravity CLI14headless3least-privilege2permissionsautomation84security17

Premium Article

The nightly job that pushes my articles returned "success" every night for three months. Exit code 0, and every morning the diff was in place. Nothing looked wrong.

Then I read the 1.1.3 changelog and stopped. "Fixed an issue where headless execution (-p) would hang on tools requiring confirmation, or silently auto-approve them." Which means that for three months, my job had been approving confirmation-required tool calls on my behalf, without a word. It hadn't been succeeding so much as I'd had no way to know what it approved.

This piece turns that 1.1.3 behavior change to my advantage. The allow-rule names a soft-deny leaves on stderr become a discovery source, so instead of paring an allow set down from full access, I build the minimum up from empty. Here is the workflow and the harness, alongside the numbers from actually running it.

Three months of only being able to say "it succeeded"

The danger of an unattended job isn't failure. It's not being able to see what a success contained.

When you drive an agent interactively, confirmation dialogs look like friction. But that momentary "run this?" was also a chance to see the permission boundary with your own eyes. Go headless and that chance disappears. Before 1.1.3, -p passed confirmation-required tools silently. The job never stalled, and no record of the boundary was left anywhere either.

I ran something close to always-proceed: nobody is awake at 3 a.m., so approve everything. It works, in the sense that it runs. But I couldn't reconstruct, after the fact, which tools the job had invoked against which paths tonight. I couldn't, and I didn't even register that I couldn't.

From silent approval to soft-deny in 1.1.3

The 1.1.3 change quietly, but decisively, inverts that premise.

Headless execution now soft-denies a confirmation-required tool instead of passing it, and prints the allow-rule name needed to permit that operation to stderr. On top of that, a bug where always-proceed mode incorrectly auto-approved file writes outside the workspace was closed.

The key point is that a soft-deny is a dialogue, not an error. The job stops, but why it stopped and what you'd have to allow for it to proceed come out on stderr in machine-readable form. What the old dialog asked a human out loud, it now hands back to your automation as text.

AspectBefore 1.1.31.1.3 onward
Confirmation-required toolsSilently auto-approvedSoft-denied + allow-rule name on stderr
Job behaviorNever stalls (contents unknown)Stops on missing permission (reason recorded)
Out-of-workspace writesCould be approved under always-proceedClosed
After-the-fact auditHard (no record)stderr becomes the discovery source

Most people will read this as "it got stricter." And true, a job that passed until last night may stop tonight. But I see it less as a tightening and more as something invisible becoming visible. The stop itself is the outline of an operation that used to be approved in silence.

Thank you for reading this far.

Continue Reading

What follows includes implementation code, benchmarks, and practical content we hope you'll find useful. This site runs without ads — server and development costs are supported entirely by members like you. If it's been helpful, we'd be truly grateful for your support.

WHAT YOU'LL LEARN
A reversed workflow that uses 1.1.3's soft-deny stderr as a discovery source, building minimal allow rules up from empty instead of paring down from full access
An audit harness that surfaces the out-of-workspace writes always-proceed used to approve silently, going back over past runs
A CI drift gate that watches for an allow set quietly widening back out
Secure payment via Stripe · Cancel anytime

Unlock This Article

Get full access to the rest of this article. Buy once, read anytime. This site is ad-free — your support goes directly toward keeping it running.

or
Unlock all articles with Membership →
Share

Thank You for Reading

Antigravity Lab is ad-free, supported entirely by members like you. We publish practical guides daily with implementation code, benchmarks, and production-ready patterns. If you've found it useful, we'd love to have you on board.

  • Copy-paste ready implementation code
  • New advanced guides published daily
  • $5/mo or $10 for lifetime access
View Membership →

Related Articles

Integrations2026-06-13
Running Antigravity CLI Headless: Design Before It Hits CI and cron
The Antigravity CLI was rewritten in Go. Here is how to run it unattended in CI and cron, covering exit codes, idempotency, timeouts, and output parsing.
Integrations2026-07-08
Antigravity Now Saves OAuth Tokens to the OS Keyring — Keeping Auth Alive in Headless Runs
In v2.2.1, refreshed OAuth tokens are saved to the OS keyring automatically. Pleasant on the desktop, but on headless scheduled runs the vault itself may not exist and auth quietly breaks. We design explicit backend selection, a safe file fallback, and per-location liveness checks.
Integrations2026-07-01
Distribution-Path-Agnostic Antigravity CLI Automation: Betting on Both the Consumer and Google Cloud Editions
The 7/1 announcement began offering the Antigravity CLI via the Gemini Enterprise Agent Platform too. Here is a design that abstracts your personal automation to run on either the consumer or Cloud edition, laid out with a wrapper and capability-detection scripts.
📚RECOMMENDED BOOKS
Build a Large Language Model (From Scratch)
Sebastian Raschka
LLM Dev
Prompt Engineering for LLMs
Berryman & Ziegler
Prompting
AI Engineering
Chip Huyen
AI Eng
* Contains affiliate links
See all →