This document details the file system access control and security model implemented in Google Antigravity's Fast Prompt system. It covers workspace-based access restrictions, the special .gemini system directory, absolute path requirements, and security enforcement mechanisms that prevent unauthorized file operations.
For information about Antigravity's overall architecture and identity, see System Architecture and Identity. For details on Knowledge Items storage which utilizes the .gemini directory, see Knowledge Items (KI) Architecture.
Antigravity implements a strict workspace-based security model where file operations are restricted to explicitly authorized directories. Access is controlled through a workspace URI to CorpusName mapping system that defines permissible file system boundaries.
Each active workspace is defined by two components:
The mapping between URIs and CorpusNames is provided in the <user_information> section at session initialization:
The user has 1 active workspaces, each defined by a URI and a CorpusName.
Multiple URIs potentially map to the same CorpusName.
The mapping is shown as follows in the format [URI] -> [CorpusName]:
c:\Users\Lucas\OneDrive\Escritorio\antigravity -> c:/Users/Lucas/OneDrive/Escritorio/antigravity
This mapping defines the security boundary for all file system operations. Note that multiple URIs can map to the same CorpusName, allowing for flexible workspace configurations while maintaining consistent security enforcement.
Sources: Google/Antigravity/Fast Prompt.txt9-10
The system enforces the following strict rules defined in the <user_information> section:
| Rule | Description | Enforcement Level | Source Line |
|---|---|---|---|
| Workspace Restriction | "You are not allowed to access files not in active workspaces" | Mandatory | Line 12 |
| Read/Write Scope | "You may only read/write to the files in the workspaces listed above" | Mandatory | Line 12 |
.gemini Special Access | Access to C:\Users\Lucas\.gemini "but ONLY for for usage specified in your system instructions" | Restricted | Line 12 |
| Code Placement | "Avoid writing project code files to tmp, in the .gemini dir, or directly to the Desktop and similar folders unless explicitly asked" | Recommended | Line 13 |
| Multi-Workspace Support | "The user has 1 active workspaces, each defined by a URI and a CorpusName" | Supported | Line 9 |
| Path Normalization | "Multiple URIs potentially map to the same CorpusName" | Automatic | Line 9 |
These rules are enforced across all file system tools including view_file, write_to_file, replace_file_content, multi_replace_file_content, list_dir, find_by_name, codebase_search, and grep_search.
Sources: Google/Antigravity/Fast Prompt.txt9-14
This diagram shows how the <user_information> section defines security boundaries and how file system tools enforce them:
Sources: Google/Antigravity/Fast Prompt.txt7-609
The .gemini directory located at C:\Users\Lucas\.gemini represents a special security boundary. Unlike user workspaces, this directory is reserved exclusively for system-level operations and cannot be used for storing user project code.
The .gemini directory contains system-managed data organized by workspace CorpusName:
C:\Users\Lucas\.gemini\
└── antigravity\ # CorpusName-based directory
├── knowledge\ # Knowledge Items storage
│ ├── [KI-ID]\ # Individual KI directory
│ │ ├── metadata.json # KI summary, timestamps, references
│ │ └── artifacts\ # Related files and documentation
│ │ ├── architecture_overview.md
│ │ ├── implementation_patterns.md
│ │ └── ...
│ └── ...
└── brain\ # Conversation persistence
└── [conversation-id]\ # Individual conversation
└── .system_generated\
└── logs\ # Conversation logs
├── overview.txt
└── task_*.txt
The path C:\Users\Lucas\.gemini\antigravity\knowledge is referenced in the system instructions for Knowledge Items discovery.
Sources: Google/Antigravity/Fast Prompt.txt204-279
| Operation Type | Allowed | Restrictions |
|---|---|---|
| Read KI metadata | ✓ | For knowledge discovery only |
| Read KI artifacts | ✓ | Referenced by metadata paths |
| Read conversation logs | ✓ | For context retrieval |
| Write project code | ✗ | Explicitly forbidden |
| Write user files | ✗ | System usage only |
The system explicitly warns against writing project code to .gemini:
"Avoid writing project code files to tmp, in the .gemini dir, or directly to the Desktop and similar folders unless explicitly asked."
Sources: Google/Antigravity/Fast Prompt.txt12-204
This diagram shows how tools interact with the .gemini system directory and the validation rules from lines 12-13:
Sources: Google/Antigravity/Fast Prompt.txt12-609
All file operations in Antigravity must use absolute paths. Relative paths are not supported and will result in errors.
Tool Calling Guidance:
"When using tools that accept file path arguments, ALWAYS use the absolute file path."
Sources: Google/Antigravity/Fast Prompt.txt17
The absolute path requirement defined in the <tool_calling> section (line 17) applies to all file system tools. Each tool defines specific path parameters with type signatures from the namespace functions block:
| Tool Function | Path Parameter | Type | Line Reference | Additional Security Parameters |
|---|---|---|---|---|
view_file | AbsolutePath | string | 572-581 | StartLine?: number, EndLine?: number |
view_file_outline | AbsolutePath | string | 583-591 | ItemOffset?: number |
search_in_file | AbsolutePath | string | 534-542 | Query: string |
view_code_item | File | string | 552-559 | NodePaths: string[] |
write_to_file | TargetFile | string | 593-609 | Overwrite: boolean, EmptyFile: boolean |
replace_file_content | TargetFile | string | 462-488 | AllowMultiple: boolean, TargetLintErrorIds?: string[] |
multi_replace_file_content | TargetFile | string | 438-460 | ReplacementChunks: any[], TargetLintErrorIds?: string[] |
list_dir | DirectoryPath | string | 412-418 | None |
find_by_name | SearchDirectory | string | 360-380 | Pattern: string, MaxDepth?: number |
codebase_search | TargetDirectories | string[] | 338-346 | Query: string |
grep_search | SearchPath | string | 394-410 | Query: string, IsRegex?: boolean |
All tools also include waitForPreviousTools?: boolean for execution sequencing control.
Sources: Google/Antigravity/Fast Prompt.txt15-609
Absolute path requirements serve multiple security purposes:
../../etc/passwd)Sources: Google/Antigravity/Fast Prompt.txt17
Beyond workspace restrictions, Antigravity enforces additional rules about where project code may be written:
| Location | Status | Rationale |
|---|---|---|
| Active Workspaces | ✓ Allowed | Primary code storage |
/tmp or temp directories | ✗ Forbidden | Ephemeral, may be cleared |
.gemini directory | ✗ Forbidden | Reserved for system use |
| Desktop | ✗ Forbidden | User UI space, not project root |
| Similar user folders | ✗ Forbidden | Downloads, Documents, etc. |
Exception: These locations may be used only if the user explicitly requests it.
Sources: Google/Antigravity/Fast Prompt.txt13
Sources: Google/Antigravity/Fast Prompt.txt12-13
The file writing tools include multiple security-relevant parameters. These type definitions from namespace functions show the security controls:
| Parameter | Security Function | Tool(s) | Behavior |
|---|---|---|---|
TargetFile | Absolute path enforcement | All write tools | Must be absolute (line 17); validated against workspace boundaries (line 12) |
Overwrite | Accidental overwrite prevention | write_to_file | Must explicitly set to true to overwrite existing files |
EmptyFile | Empty file creation safety | write_to_file | When true, creates empty file without content |
AllowMultiple | Multi-occurrence control | replace_file_content | Controls whether to replace multiple occurrences |
TargetLintErrorIds | Lint integration | replace_file_content, multi_replace_file_content | Links edits to specific lint errors |
Complexity | Review importance | All write tools | 1-10 rating signals need for user review |
waitForPreviousTools | Sequencing control | All tools | Controls parallel vs sequential execution for safety |
Sources: Google/Antigravity/Fast Prompt.txt17-609
Antigravity implements defense in depth through multiple security layers:
Sources: Google/Antigravity/Fast Prompt.txt9-18
The multi-layer model provides these guarantees:
.gemini cannot be accessed.gemini) isolated from user codeSources: Google/Antigravity/Fast Prompt.txt12-17
Different tool categories enforce different aspects of the security model:
| Tool Category | Security Focus | Key Tools |
|---|---|---|
| Reading Tools | Workspace boundary validation | view_file, view_file_outline, search_in_file |
| Writing Tools | Overwrite protection, location validation | write_to_file, replace_file_content, multi_replace_file_content |
| Directory Tools | Traversal boundaries | list_dir, find_by_name |
| Search Tools | Scope limitation | codebase_search, grep_search |
Sources: Google/Antigravity/Fast Prompt.txt320-611
Each tool implements specific security parameters that enforce access control:
Sources: Google/Antigravity/Fast Prompt.txt338-609
The system uses the following logic to validate file access:
URI → CorpusName mappings.gemini, validate system usageSources: Google/Antigravity/Fast Prompt.txt9-17
The file system access control integrates with other Antigravity security features:
.gemini directory with read-only access for agents (Knowledge Items (KI) Architecture).gemini/antigravity/brain with read-only access (Conversation Logs and Persistent Context).agent/workflows follow workspace restrictions (Workflow System and Turbo Annotations)The run_command tool (lines 490-502) enforces working directory constraints consistent with file operation security:
The system prompt specifies the execution environment on line 490:
"PROPOSE a command to run on behalf of the user. Operating System: windows. Shell: powershell."
| Parameter | Security Function | Validation | Line Reference |
|---|---|---|---|
Cwd | Working directory restriction | Must be within active workspace URI from line 10 | Lines 12, 494 |
SafeToAutoRun | User approval bypass control | Only true for safe commands (reads, standard dev tools) | Line 496 |
WaitMsBeforeAsync | Background process control | Controls when command is backgrounded | Line 498 |
CommandLine | Command string | Executed in powershell on Windows | Lines 490, 492 |
The Cwd parameter is validated against workspace boundaries (line 12) before command execution, ensuring that commands execute within authorized directories only. Additionally, the command must not be run from within C:\Users\Lucas\.gemini if it's writing project code (line 13).
| Tool | Purpose | Line Reference |
|---|---|---|
command_status(CommandId, WaitDurationSeconds, OutputCharacterCount?) | Check status of background command | Lines 348-358 |
send_command_input(CommandId, Input?, Terminate?) | Interact with running command or terminate it | Lines 514-524 |
read_terminal(Name, ProcessID) | Read full terminal content | Lines 504-512 |
Sources: Google/Antigravity/Fast Prompt.txt12-524
Antigravity's file system access control implements a comprehensive security model based on:
.gemini) with restricted usageThis architecture ensures that file operations remain within authorized boundaries while maintaining flexibility for legitimate system operations like knowledge retrieval and context management.
Refresh this wiki