agent-intern
This server bridges Claude Code to Google's Antigravity CLI (Gemini 3.5 Flash) and OpenAI Codex as sub-agents, enabling text Q&A, image generation, and coding tasks — all on your existing quota.
Antigravity (Gemini 3.5 Flash)
antigravity_ask: Start a new conversation for text-based Q&A, code help, file summarization, or any prompt-based task.antigravity_continue: Resume a prior conversation pinned to a specific workspace, maintaining context across follow-ups.antigravity_image: Generate images from a description; the file is saved locally and the path is returned.antigravity_swarm: Fan out multiple independent prompts to concurrent Gemini workers — useful for summarizing N files or querying N repos simultaneously.antigravity_image_swarm: Run N image generation tasks concurrently, returning all output paths in one result.watch=trueflag: Open a browser window that streams live steps (narration, commands, completions) with the final answer rendered as Markdown.antigravity_status: Check bridge version, update availability, and agy CLI health — without spending any quota.
OpenAI Codex
codex_ask: Initiate new coding sessions with real sandbox support (read-only,workspace-write,danger-full-access).codex_continue: Resume a specific prior Codex session.codex_ask_watch: Watch Codex's steps live in a browser during a new session.codex_swarm: Execute multiple Codex prompts in parallel.codex_status: Check Codex CLI compatibility and state directory health.
General
Specify a
workspaceparameter on any tool to provide file context from a specific project directory.In swarm mode, a failing worker is reported in place while others continue returning results.
Allows using Google's Antigravity (Gemini 3.5 Flash) as a sub-agent inside Claude Code for text answers and image generation, without additional API keys.
Claude Code × Antigravity + Codex + Copilot + Cursor — MCP Bridge
Drive four external coding CLIs — Google's Antigravity (Gemini 3.5 Flash), OpenAI Codex, the GitHub Copilot CLI, and Cursor — as sub-agents inside Claude Code. Text answers, image generation, real repo work, and parallel swarms, on quota you already pay for.
One MCP server, four backends. It exposes Google Antigravity, OpenAI Codex, the GitHub Copilot CLI, and Cursor to Claude Code as clean MCP tools so you can delegate work to a different model family mid-task — without leaving your terminal, and on the subscriptions you already have. Each backend is independent: install one, two, three, or all four.
🛰️ Antigravity (
agy, Gemini 3.5 Flash High). Fast, cheap tool-calling — and the only backend with an image model. Its headless print mode (agy -p) historically had a stdout bug: it wrote the answer to the controlling terminal instead of its stdout, so anything capturing stdout got nothing (and, under a TUI, agy's text leaked into the host's prompt). agy 1.0.15 fixed this on Windows —-pnow writes the clean answer to stdout — so the bridge prefers stdout and falls back to reading agy's own transcript files only when stdout is empty (older agy, non-Windows, or--sandboxruns). It still detaches agy from the terminal so older versions can't leak.🤖 Codex (
codex exec, OpenAI). A strong reasoner for real code/repo work. It writes its final message straight to a file the bridge asks for (no scraping), supports model selection, and has a real, enforced sandbox.🐙 Copilot (
copilot -p, GitHub). GitHub's agentic coder. Stdout-native like Codex (-sprints just the answer), with model selection (--model), a best-effort tool/path permission knob, and a deterministic resume mechanism (the bridge sets each session's UUID itself).✳️ Cursor (
cursor-agent -p, Cursor). Cursor's agentic coder, with the widest model menu — GPT, Claude, Grok, and Composer via--model(validated againstcursor-agent models). Stdout-native like Codex/Copilot (--output-format textprints just the answer), an agent-enforced sandbox (read-only via--mode ask), and a deterministic resume mechanism (the bridge mints each chat's id itself viacreate-chat). No image model.
All four share the same niceties: a *_continue to resume a thread, a live "watch" window
to see the agent work, a unified agent_swarm that runs many tasks in parallel across
all backends at once, and *_status diagnostics that spend no quota.
This runs unsandboxed code with your privileges. agy -p auto-executes its tools
(read/write files, run shell commands, reach the network) with no usable approval gate — its
--sandbox blocks only shell commands, leaving file writes and network egress wide open.
codex exec also runs autonomously, but its sandbox flag (default read-only) is a real,
enforced boundary. copilot -p runs headless with --allow-all-tools; its sandbox maps to
best-effort tool/path permissions (read-only denies the local write/shell tools) — safer than
agy, but not an OS sandbox like Codex's. cursor-agent -p runs headless with --trust (and
--force for writes); its sandbox is agent-enforced (read-only = --mode ask, which makes the
write/shell tools unavailable) — best-effort like Copilot, not an OS sandbox. In all four cases
the workspace argument is a starting context, not a security boundary. Only use these with trusted prompts on trusted
content; for real isolation, run the bridge inside a container or VM. Full details →
Why you'd want this
🧠 Second opinion | Ask a different model family — Gemini or GPT — mid-task without switching tools. |
🎨 Image generation | Have Gemini draw an image and get the saved file back — no extra API key or image tool. |
🛠️ Real coding sub-agent | Hand a focused repo task to Codex with a real |
💸 Cheap delegation | Burn Antigravity / Codex quota on grunt work instead of Claude tokens. |
🐝 Parallel fan-out | Run N tasks at once, mixing Gemini and Codex workers in a single swarm. |
📁 Cross-repo reads | Point a worker at another project directory and let it read/answer there. |
🔌 Zero new auth | Piggybacks the logins you already did — no keys for the bridge to manage. |
Related MCP server: AgentSpawnMCP
The four backends at a glance
The bridge normalizes all four CLIs into the same shape, but they differ where it matters. Pick per task:
🛰️ Antigravity ( | 🤖 Codex ( | 🐙 Copilot ( | ✳️ Cursor ( | |
Model | Selectable via | Selectable via | Selectable via | Selectable via |
Best at | Fast, cheap tool-calling; quick answers | Heavier reasoning; real code/repo work | Agentic coding; real code/repo work | Agentic coding; wide model menu (GPT/Claude/Grok/Composer) |
Image generation | ✅ | ❌ no image model | ❌ no image model | ❌ no image model |
Sandbox | ❌ no real boundary ( | ✅ real, enforced: | ⚠️ best-effort: tool/path permissions ( | ⚠️ agent-enforced: mode/force ( |
How the answer is read | stdout on agy 1.0.15+ (Windows); else scraped from | Written to a file via | stdout ( | stdout ( |
Continue mechanism | Pins the workspace's conversation id ( | Resumes the session id ( | Resumes a self-set session UUID ( | Mints a chat id ( |
Auth | OS credential store (AI Pro session) |
| OS credential store ( |
|
In a swarm | Runs with an isolated | Fresh one-shot — needs no isolation | Fresh one-shot — needs no isolation | Fresh one-shot — needs no isolation |
How it works
All four backends run headless and one-shot per call; the bridge's job is to get a clean answer out of each and hand it to Claude Code as a plain string.
flowchart LR
A([Claude Code]) -- "MCP tool call" --> B["bridge<br/>(server.py)"]
B -- "antigravity_*" --> C[agy -p]
B -- "codex_*" --> D[codex exec]
B -- "copilot_*" --> E[copilot -p]
B -- "cursor_*" --> F[cursor-agent -p]
C -- "stdout (1.0.15+)<br/>or transcript.jsonl / .db" --> B
D -- "output-last-message file" --> B
E -- "stdout (-s silent)" --> B
F -- "stdout (--output-format text)" --> B
B -- "plain text" --> AAntigravity. On agy 1.0.15+ (Windows), agy -p writes its clean final answer straight to
stdout, and the bridge returns that directly. On older agy — or non-Windows, or a --sandbox run —
stdout stays empty and the bridge falls back to agy's own transcript at:
~/.gemini/antigravity-cli/brain/<conv-id>/.system_generated/logs/transcript.jsonlFor the fallback it locates the conversation via cache/last_conversations.json (falling back to the
newest brain/ directory touched since launch), streams the transcript, and returns the final
source=MODEL, status=DONE, type=PLANNER_RESPONSE entry — the answer, minus the intermediate
tool-calling steps (or the SQLite .db agy dual-writes, when no JSONL exists). Either way,
antigravity_continue pins the workspace's exact conversation id via --conversation, so it
never resumes the wrong thread.
Codex. codex exec is well-behaved: the bridge passes -o/--output-last-message <file> and
codex writes its final message straight there — no scraping. Continue works by capturing the session
id from codex's own rollout files (~/.codex/sessions/.../rollout-*.jsonl) and resuming with
codex exec resume <id>, falling back to the newest on-disk session for that cwd after a server
restart.
Copilot. copilot -p "<prompt>" -s runs a prompt non-interactively and prints the clean final
answer to stdout — the bridge reads it there, no scraping. It runs headless with --allow-all-tools --no-ask-user --no-auto-update (so it never blocks on a prompt), and disables copilot's flaky
builtin GitHub-API MCP by default for predictable latency (COPILOT_GITHUB_MCP=1 re-enables it).
Continue is deterministic: copilot's --session-id <uuid> both sets a new session's id and
resumes an existing one, so the bridge generates the UUID itself, pins it to the workspace, and
resumes that exact session — falling back after a restart to the newest on-disk session
(~/.copilot/session-state/<id>/workspace.yaml) whose recorded cwd matches.
Cursor. cursor-agent -p --output-format text --trust "<prompt>" runs a prompt non-interactively
and writes the clean final answer straight to stdout — the bridge reads it there, no scraping
(--trust trusts the workspace so it never blocks on a prompt). Continue is deterministic and
race-free: cursor-agent create-chat mints a fresh chat and prints its id, so the bridge mints the
id itself, pins it to the workspace, and resumes that exact chat with -p --resume <chatId> — no
rollout-scraping. After a restart it falls back to the newest on-disk chat under
~/.cursor/chats/<md5(workspace)>/<chat-id>/ whose meta.json cwd matches (the chat-dir hash is
itself md5 of the workspace path).
Set up in 60 seconds
Prerequisites — install whichever backend(s) you want, and sign in once each:
Antigravity: install
agyand sign in to Antigravity once (via the IDE oragy -i).Codex: install
codexand runcodex loginonce (ChatGPT account or API key).Copilot: install
copilot(npm i -g @github/copilot, orwinget install GitHub.Copilot) and runcopilotthen/loginonce (or set aCOPILOT_GITHUB_TOKEN/GH_TOKENenv var).Cursor: install
cursor-agent(curl https://cursor.com/install -fsSL | bash) and runcursor-agent loginonce (or set aCURSOR_API_KEYenv var).
You don't need all four — the tools for a missing CLI simply report "not found" via their *_status
tool.
Recommended — no clone, you control updates
With uv installed, register the bridge straight from
PyPI under mcpServers in ~/.claude.json — no
path to hardcode, no git pull to remember:
"agent-intern": {
"command": "uvx",
"args": ["agent-intern"]
}uvx pins to the version it first caches and does not auto-upgrade, so you never run an update you didn't choose — important, since the bridge runs unsandboxed code: a surprise (or compromised) release can't execute until you opt in. When the startup check warns that a newer release is out, upgrade deliberately and restart Claude Code:
uvx agent-intern@latest # fetch + run the newest release (refreshes uv's cache)Prefer hands-off auto-updates? Put"args": ["agent-intern@latest"] in the config instead —
every launch runs the newest release. Convenient, but it pulls new code without asking each time.
From source
Clone it instead if you want to hack on the bridge or pin a local copy:
git clone https://github.com/SinanTufekci/agent-intern.git
cd agent-intern
pip install fastmcp
python test_smoke.py # 4 real round-trips (ask, continue, image, swarm) — prints four PASS linesThe smoke test costs a tiny bit of quota and takes ~30–60 s. It exercises the Antigravity path.
Then point Claude Code at the absolute path to server.py under mcpServers in ~/.claude.json:
"agent-intern": {
"command": "python",
"args": ["C:\\path\\to\\server.py"]
}"agent-intern": {
"command": "python3",
"args": ["/path/to/server.py"]
}Restart Claude Code. Fifteen tools appear, each prefixed mcp__agent-intern__:
Antigravity (5):
antigravity_ask,antigravity_continue,antigravity_image,antigravity_image_swarm,antigravity_statusCodex (3):
codex_ask,codex_continue,codex_statusCopilot (3):
copilot_ask,copilot_continue,copilot_statusCursor (3):
cursor_ask,cursor_continue,cursor_statusShared (1):
agent_swarm— fans a list of tasks out across all four backends in one run
The single-prompt tools — Antigravity, Codex, Copilot, and Cursor — take a watch=true flag
for the live browser view (Watch mode).
Your client learns how to use the bridge on its own. The server ships MCP instructions — a
short routing guide (when to reach for each tool, which backend to pick, and to pass workspace so
the sub-agent has repo context) that a client like Claude Code injects into the model's context on
connect, as an "MCP Server Instructions" block. So the host model knows how and when to drive these
tools without you explaining them — you can just ask for the result.
"Use antigravity_ask to summarize the README of this repo in three bullets." → Claude routes the prompt through the bridge, agy reads the file under the workspace root, and the answer comes back as a plain string. Swap in
codex_ask,copilot_ask, orcursor_askto have GPT, Copilot, or Cursor do the same.
Tools
🛰️ Antigravity
Tool | Purpose |
| Start a new Antigravity conversation. |
| Continue the conversation rooted at |
| Generate an image; saves the file (extension corrected to the real bytes) and returns its path + format/size. |
| Generate several images in parallel (one worker per prompt). |
| Setup diagnostics: the bridge's own version + whether a newer release is available, plus agy version/compat, state dirs, and newest-transcript readability. Spends no quota. |
🤖 Codex
Tool | Purpose |
| Start a new Codex session. |
| Continue the Codex session rooted at |
| Setup diagnostics: codex version, login status ( |
🐙 Copilot
Tool | Purpose |
| Start a new Copilot session. |
| Continue the Copilot session rooted at |
| Setup diagnostics: copilot version, an auth hint (no |
✳️ Cursor
Tool | Purpose |
| Start a new Cursor chat. |
| Continue the Cursor chat rooted at |
| Setup diagnostics: the bridge's own version + whether a newer release is available, plus cursor version and login status ( |
🐝 Shared
Tool | Purpose |
| Run several tasks in parallel across all four backends — each task names its |
workspace defaults to the MCP server's current working directory. Point it at a real project dir
for context-aware answers — every backend gives the model access to files under that root (Codex,
Copilot, and Cursor honoring their sandbox).
antigravity_image forces agy to save to an explicit absolute path — without one, agy
falls back to its own scratch dir (~/.gemini/antigravity-cli/scratch/). It then
corrects the file extension to match the real bytes: agy's image model picks the
format itself (JPEG for photo-like images, PNG for flat graphics), so a requested
out.png may come back as out.jpg. The returned path always reflects the true
format.
🤖 Codex bridge — the well-behaved sibling
codex exec writes its final message to a file the bridge asks for via -o/--output-last-message,
so the answer comes back without any scraping (where agy needed a transcript workaround before 1.0.15
fixed its stdout). Three things make Codex worth reaching for over Antigravity:
Real sandbox.
sandboxacceptsread-only(default — reads and answers, writes nothing),workspace-write(may edit files under the workspace), ordanger-full-access(no sandbox — avoid). Unlike agy's no-op--sandbox, codex's-sactually enforces this.codex exechas no interactive approval gate, so this flag is your safety boundary — opt into write access deliberately.Model selection works.
modelmaps to codex's-m. (agy's--modelworks in print mode too as of 1.0.16; all four backends now expose the samemodelknob.)Stronger reasoning. Codex is a coding agent, not an image model — there's no
codex_image. Its strength is reasoning and real code/repo work; hand it the jobs that need a heavier model.
Auth. Uses your existing Codex login (ChatGPT account or API key). Run codex login once; check
with codex_status. No new keys for the bridge to manage.
codex exec runs the model as an autonomous agent with no interactive approval gate. The
sandbox flag (default read-only) is the real boundary, but workspace-write /
danger-full-access let it modify files — and a swarm runs N agents at once. Only use it with
trusted prompts on trusted content.
🐙 Copilot bridge — GitHub's agentic coder
The GitHub Copilot CLI (copilot, from @github/copilot) is stdout-native like Codex:
copilot -p "<prompt>" -s runs a prompt non-interactively and prints just the final answer to
stdout, so the bridge reads it there — no scraping. What makes it worth reaching for:
Model selection.
modelmaps to copilot's--model(e.g.gpt-5.3-codex,claude-sonnet-4.6, orauto). An unavailable model errors immediately with a clear message.Deterministic, race-free continue. copilot's
--session-id <uuid>both sets a new session's id and resumes an existing one, so the bridge generates the UUID itself and pins it to the workspace — no rollout-scraping. After a restart it falls back to the newest on-disk session (~/.copilot/session-state/<id>/workspace.yaml) whose recordedcwdmatches.Fast by default. Runs with
--allow-all-tools --no-ask-user --no-auto-update, and disables copilot's builtin GitHub-API MCP (--disable-builtin-mcps) because its flaky HTTP connect can stall a call up to ~60 s. SetCOPILOT_GITHUB_MCP=1to keep it (for Copilot's issue/PR/repo tools).
Sandbox is best-effort, not enforced. Unlike Codex's OS sandbox, copilot's boundary is
tool/path permissions. The sandbox knob maps to copilot flags for a uniform cross-backend field:
read-only(default) — auto-approves tools so it runs headless, then denies the localwriteandshelltools (--deny-tool). Best-effort: it is not an OS sandbox, and network/MCP tools can still act. For a hard read-only boundary, usecodex_askinstead.workspace-write— writes allowed, but file access stays confined to the workspace (no--allow-all-paths).danger-full-access—--allow-all(tools + all paths + all URLs). Avoid.
Auth. Uses your existing Copilot login — run copilot then /login once (stored in the OS
credential store), or set COPILOT_GITHUB_TOKEN/GH_TOKEN/GITHUB_TOKEN for headless use. Check
with copilot_status. If copilot isn't on PATH (the winget install can land off a stale PATH),
set COPILOT_BIN to its full path — e.g.
%LOCALAPPDATA%\Microsoft\WinGet\Packages\GitHub.Copilot_*\copilot.exe.
copilot -p runs the model as an autonomous agent with --allow-all-tools (required to run
headless). Its sandbox is best-effort tool/path permissions, not an OS sandbox — safer than
agy, weaker than Codex's read-only. Only use it with trusted prompts on trusted content.
✳️ Cursor bridge — the widest model menu
Cursor's agent CLI (cursor-agent, from cursor.com/cli) is stdout-native
like Codex and Copilot: cursor-agent -p --output-format text --trust "<prompt>" runs a prompt
non-interactively and writes just the final answer to stdout, so the bridge reads it there — no
scraping (--trust trusts the workspace so it won't block on a prompt). What makes it worth reaching
for:
The widest model menu.
modelmaps to cursor's--model(e.g.gpt-5.2,sonnet-4-thinking,auto, and parameterized ids likeclaude-opus-4-8[context=1m]) — GPT, Claude, Grok, and Composer in one place. The bridge validates the label againstcursor-agent modelsand rejects a typo up front (like agy). Omitmodelto use your Cursor account default.Deterministic, race-free continue.
cursor-agent create-chatmints a fresh chat and prints its id, and-p --resume <chatId>resumes that exact chat — so the bridge mints the id itself, pins it to the workspace, and resumes deterministically (no rollout-scraping, same idea as Copilot's self-set session id). After a restart it falls back to the newest on-disk chat under~/.cursor/chats/<md5(workspace)>/<chat-id>/whosemeta.jsoncwdmatches (the chat-dir hash is itself md5 of the workspace path).
Sandbox is agent-enforced, not an OS sandbox. Like Copilot, cursor's boundary is which tools the
agent can reach, not an OS jail. The sandbox knob maps to cursor's mode/force flags for a uniform
cross-backend field:
read-only(default) —--mode ask: thewriteandshelltools are unavailable, so cursor analyzes and answers but makes no edits (verified: it refuses to write files). Agent-enforced and best-effort — it is not an OS sandbox. For a hard read-only boundary, usecodex_askinstead.workspace-write—--force: edits and commands allowed, file access rooted at--workspace.danger-full-access—--force --sandbox disabled(OS sandbox off). Avoid.
(Cursor also exposes an OS-level --sandbox enabled/disabled; the bridge drives the uniform field via
mode/force.)
Auth. Uses your existing Cursor login — run cursor-agent login once (OS credential store), or
set CURSOR_API_KEY for headless use. Check with cursor_status. If cursor-agent isn't reliably on
PATH (the installer drops a cursor-agent.CMD shim a bare name can't launch on Windows), set
CURSOR_BIN to its full path — mirrors the AGY_BIN/CODEX_BIN/COPILOT_BIN overrides.
cursor-agent -p runs the model as an autonomous agent with --trust (and --force when
writes are allowed). Its sandbox is agent-enforced (read-only makes the write/shell tools
unavailable), not an OS sandbox — safer than agy, weaker than Codex's read-only. Only use it with
trusted prompts on trusted content.
👁️ Watch mode — Agent Intern (experimental)
Pass watch=true to any single-prompt tool — antigravity_ask, antigravity_continue,
antigravity_image, codex_ask, codex_continue, copilot_ask, copilot_continue, cursor_ask,
or cursor_continue — to watch
the agent work live in a little chat-style browser window called Agent Intern. The agent
still runs headless; alongside it the bridge serves a tiny page on 127.0.0.1 and opens it in a
small, chromeless app window that renders the exchange as a conversation: your prompt shows as a
chat bubble, the agent's live steps stream in a collapsible "thinking" trace — its planner narration
(▸), the real commands it runs ($), and completions (✓), read live (from agy's transcript, or
codex's / copilot's JSON event stream, or cursor's --output-format stream-json) — and the final
answer arrives as a Markdown card (and, for
antigravity_image with watch=true, the generated image shown inline). A *_continue run
opens with the prior turns of the conversation shown as history, so it reads as one ongoing
thread rather than a blank new window. (A watched cursor_continue is the exception — Cursor stores
its transcript in an opaque SQLite blob, so its window opens without visible prior-turn history.)
Cross-platform & best-effort. Prefers a Chromium browser (
--appmode) for the windowed look; falls back to a normal browser window. If nothing can open, the run still completes and returns normally.Window size. Set
AGY_WATCH_WINDOW_SIZE(e.g.AGY_WATCH_WINDOW_SIZE=480,700) to resize the window; default is560,760. Press Enter / Esc in the window to close it.One window, reused — but concurrent runs stay separate. Repeated sequential watch calls reuse the already-open window instead of stacking a new one (the open page resets itself for the new run; the swarm dashboard rebuilds for the new fan-out). A run that starts while another watched run is still working gets its own window instead — so two concurrent single-worker runs (e.g. a
codex_askand acopilot_askat once) each stream into their own view and never clobber each other. If you closed the window, the next run opens a fresh one. SetAGY_WATCH_ALWAYS_NEW=1to force a new window every time.Chat layout & history. Prompts render as chat bubbles (labelled CLAUDE, since the MCP client writes them) — long ones clamp to a few lines with a show more / show less toggle — and answers as Markdown cards tagged with the backend (AGY / CODEX / COPILOT / CURSOR). A
*_continuerun seeds the window with the conversation's prior turns, read from each backend's own session store (agy's transcript, codex's rollout, copilot'sevents.jsonl; Cursor's store is opaque, so a watchedcursor_continueopens without visible history). The swarm's per-worker detail window uses the same chat design for its one task.Progress, keyboard & copy. Each panel shows a time progress bar (elapsed / timeout). The swarm dashboard adds an overall done/total bar and per-row time bars; use ↑/↓ to select a worker and ↵ to open its detail window. Answers render as Markdown with a copy button, and a "jump to latest" badge appears if you scroll up.
Coarse, not token-level. The backends flush their step stream in chunks, so you get a handful of live steps, not character streaming. The returned value is identical to the non-watch call. Nothing is sent anywhere but your own machine.
🐝 Swarm — run agents in parallel
agent_swarm fans a list of tasks out to workers that run truly
concurrently (capped at max_concurrency, default 4), then returns every
worker's result in one block. Each task names its own backend, so a single
swarm can mix Antigravity (Gemini), Codex, Copilot, and Cursor workers — hand the
reasoning-heavy jobs to Codex, Copilot, or Cursor and the quick ones to Gemini, all at
once. Good for independent sub-tasks: summarise N files, ask the same question
about N repos, fix N bugs. (antigravity_image_swarm stays separate — it
generates N images, and only agy has an image model.)
agent_swarm(tasks=[
{"backend": "antigravity", "prompt": "Summarise src/auth.py in 2 bullets."},
{"backend": "codex", "prompt": "Find and fix the failing test in tests/",
"sandbox": "workspace-write", "workspace": "./repo"},
{"backend": "copilot", "prompt": "Explain what src/api.py exposes.",
"sandbox": "read-only", "workspace": "./repo"},
{"backend": "cursor", "prompt": "Draft a docstring for src/utils.py.",
"model": "auto", "workspace": "./repo"},
])How it stays correct under concurrency. The single-agent agy tools serialize
through a lock because agy rewrites last_conversations.json on every call, so
concurrent runs sharing one state dir would race. The swarm sidesteps this: each
agy worker runs with its own isolated HOME/USERPROFILE, so agy's
brain/, cache/, and last_conversations.json never collide — no lock needed.
Auth still works because agy reads it from the OS credential store, not from
~/.gemini (verified on agy 1.0.9). Codex, Copilot, and Cursor workers need no such
isolation — each is a fresh one-shot (codex exec with its own -o file; copilot -p with its own self-set session id; cursor-agent -p with its own minted chat id). Each worker's cwd is its real workspace,
so file access is unchanged. Measured ~2.8× speedup at 3 agy workers (the AI Pro
backend does not serialize per-account); higher max_concurrency trades
quota/rate-limit pressure for wall-clock.
Per-task fields —
backend(antigravity/codex/copilot/cursor) andpromptare required;workspacedefaults to the server cwd;sandboxandmodelapply to Codex, Copilot, and Cursor (ignored for Antigravity). Swarm workers are one-shot — there is no*_continuefor a swarm worker's session.Error isolation — a worker that fails is reported in place; the others still return.
watch=true— opens a thin live Agent Swarm dashboard (one row per worker, with a backend badge, repo, prompt, and latest step). Click a row to pop that agent into its own window streaming its full step log.
A swarm launchesN unsandboxed agents at once — N× the prompt-injection
"lethal trifecta" surface of a single call (see Security). Only use
it with trusted prompts on trusted content. Codex workers honor their
enforced sandbox; Copilot and Cursor workers honor their best-effort sandbox;
Antigravity workers have no real boundary.
Model & auth
🛰️ Antigravity | 🤖 Codex | 🐙 Copilot | ✳️ Cursor | |
Model | Selectable via the | Selectable via the | Selectable via the | Selectable via the |
Auth | Piggybacks whatever credential store | Uses your existing Codex login — ChatGPT account or API key. Run | Uses your existing Copilot login — run | Uses your existing Cursor login — run |
⚠️ Security
All four backends run the model as an autonomous agent. The difference is whether you get a real boundary: Codex enforces one, Copilot and Cursor offer best-effort ones, Antigravity offers none.
Antigravity — no usable boundary
agy -p auto-executes its own tools — reading and writing files, running shell commands, reaching
the network — with no approval gate and no opt-out. This isn't a choice the bridge makes; it's
how agy's print mode works. Re-verified empirically on agy 1.0.9 / Windows (all three checks
below still hold):
Print mode runs out-of-workspace file writes and live network fetches even without
--dangerously-skip-permissions— that flag is a no-op for-p. There is no agy flag that disables tool execution in print mode.agy 1.0.5 integrated a permission system (its logs show
toolPermission=request-review), but it still does not gate print-mode execution — a fresh-prun created a file outside the workspace with no prompt. agy 1.0.12 reshuffled how that permission config merges (per-project files under~/.gemini/config/projects/now take precedence over~/.gemini/antigravity-cli/settings.json), and 1.0.13 made "Always Approve" rule matching strict (non-regex) by default with aregex:opt-in and relaxed its redirection checks — but those are config/interactive-approval changes, they add no print-mode approval gate, and the bridge reads none of it.--sandboxis not a usable boundary. agy 1.0.6 fixed its propagation into-p(the 1.0.6/1.0.7 changelog calls this "sandbox isolation correctly enforced") and it now does block terminal/ shell command execution — but re-verified on 1.0.9 that it leaves thewrite_to_filetool and network wide open: under--sandboxthe model still wrote a file outside its workspace. agy 1.0.9 hardened the sandbox's command path (stricter exact-match command checks;.gitadded to its dangerous-paths list), but none of that closes the out-of-workspacewrite_to_filehole. On top of that, a--sandboxrun whose blocked terminal command halts it writes no JSONL transcript (only the SQLite.db, re-confirmed on 1.0.9). The bridge can now read that.db, but still never passes--sandbox— it's no boundary, with file writes and network left open.
Codex — a real sandbox you should use
codex exec also has no interactive approval gate, but its sandbox flag is a genuine boundary
that codex enforces:
read-only(default) — reads and answers; writes nothing. Safe for untrusted questions on trusted content.workspace-write— may edit files under the workspace. Opt in deliberately, per task.danger-full-access— no sandbox at all. Avoid.
Because there's no approval prompt, the flag you pass is the safety decision — choose it per call.
Copilot — best-effort, not an OS sandbox
copilot -p runs headless with --allow-all-tools (required — otherwise it blocks on per-tool
permission prompts). Its sandbox maps to copilot's tool/path permission flags, which are a
real-ish but not enforced boundary:
read-only(default) — auto-approves tools to run headless, then denies the localwriteandshelltools (--deny-tool). Blocks local file edits and command execution, but it is not an OS sandbox: other tools (including network/MCP) can still act. Weaker than Codex'sread-only.workspace-write— writes allowed, but file access stays confined to the workspace (no--allow-all-paths).danger-full-access—--allow-all(tools + all paths + all URLs). Avoid.
For a hard read-only boundary, prefer codex_ask.
Cursor — best-effort, agent-enforced
cursor-agent -p runs headless with --trust (and --force when writes are allowed). Its sandbox
maps to cursor's mode/force flags — an agent-enforced, not OS-level, boundary:
read-only(default) —--mode ask: the localwriteandshelltools are unavailable, so cursor analyzes and answers but makes no edits (verified: it refuses to write files). Like Copilot, this is agent-enforced and not an OS sandbox. Weaker than Codex'sread-only.workspace-write—--force: edits and commands allowed, file access rooted at--workspace.danger-full-access—--force --sandbox disabled(OS sandbox off). Avoid.
For a hard read-only boundary, prefer codex_ask.
What that means for you
The
workspaceargument is only a starting context, not a security boundary — Antigravity can and does act outside it; Codex is bounded by its enforcedsandbox; Copilot by its best-effort tool/path permissions; Cursor by its agent-enforced mode/force.An Antigravity call effectively runs arbitrary code with your user privileges. A Copilot or Cursor call does too outside its best-effort denials; a Codex call does unless you keep it at
read-only.Only invoke these with trusted prompts on trusted content. Untrusted input here is the classic prompt-injection lethal trifecta: private-data access + code execution + network egress.
For real isolation, run the whole bridge inside a container or VM.
The bridge itself does only cross-platform filesystem reads under ~/.gemini/antigravity-cli/,
~/.codex/, ~/.copilot/, and ~/.cursor/ — no private APIs, no token theft. The risk above is
entirely in what the sub-agents are allowed to do.
FAQ
It runs the official agy, codex, copilot, and cursor-agent CLIs under your own logins — no
private APIs, no token theft, no quota abuse. It just bridges what the CLIs already do. That said, your
AI Pro / Antigravity, OpenAI / Codex, GitHub Copilot, and Cursor ToS apply, and you're responsible for
staying within them.
No. Each backend is independent — install only the CLI(s) you want. The tools for a missing backend
report "not found" via their *_status tool (antigravity_status / codex_status /
copilot_status / cursor_status) and never crash the server.
Use Antigravity for fast, cheap tool-calling, quick answers, and image generation (it's the
only backend with an image model) — and it now lets you pick the model too (agy's --model). Use
Codex for heavier reasoning, real code/repo work, or when you want a real, enforced
workspace-write sandbox. Use Copilot for agentic coding on your GitHub Copilot plan, or as a
second coding opinion alongside Codex — noting its sandbox is best-effort, not enforced. Use
Cursor for agentic coding on a Cursor plan, or when you want the widest model menu —
GPT, Claude, Grok, and Composer, all via model — noting its sandbox is agent-enforced, like
Copilot's. All four let you choose a model; in a swarm you can mix all four. See
The four backends at a glance.
Less likely now. As of agy 1.0.15 the bridge prefers agy's stdout on the happy path (1.0.15
fixed the print-mode stdout bug on Windows — -p now writes the clean answer there), which removes
its dependence on agy's undocumented transcript schema for normal runs. It still falls back to
reading the JSONL transcript, or the SQLite .db agy dual-writes, when stdout is empty (older agy,
non-Windows, or --sandbox runs) — so a schema change would only bite that fallback path. Re-verified
working on 1.0.15 (stdout answer clean under tool use; transcript/.db fallback intact; live ask
round-trip + antigravity_status diagnostics pass). Still, if you rely on the fallback, pin a
known-good agy version.
Yes. Pass model to antigravity_ask/antigravity_continue (or per task in agent_swarm) — it maps
to agy's --model, taking any label from agy models (e.g. "Gemini 3.1 Pro (High)",
"Claude Sonnet 4.6 (Thinking)"). Omit it to use the "model" field in agy's settings.json, which
defaults to Gemini 3.5 Flash (High) — speed-optimized for cheap tool-calling.
agy 1.0.5 added --model, but through ~1.0.14 switching to a different model in -p hung the
call, so earlier bridge versions stayed single-model. Re-verified on agy 1.0.16 that the hang is
fixed — a Claude label answers as Anthropic Claude, a Gemini label as Gemini, each in seconds. One
caveat the bridge handles for you: agy silently ignores an unknown label (it falls back to the
default with no error), so the bridge validates your label against agy models and rejects a typo up
front.
Yes — that's the antigravity_image tool, on the Antigravity backend. agy's print mode generates
real images on your AI Pro quota; antigravity_image drives it, saves the file to a path you choose
(or a timestamped default in your workspace), fixes the extension to match the real bytes (agy picks
JPEG or PNG itself), and returns the path. Verified on agy 1.0.9 / Windows. Codex has no image
model — it's a coding agent.
No. It uses the same quota you already pay for — AI Pro for Antigravity, your Codex plan for Codex, your GitHub Copilot plan for Copilot, your Cursor plan for Cursor. The smoke test spends a negligible amount.
The final answer is request/response — the CLIs return it all at once, so the tools return when the
agent finishes (each call typically takes 10–30 s; Copilot's reasoning models can run longer). If you
want to watch the agent work as it goes,
pass watch=true to any single-prompt tool: it opens the Agent Intern browser window and
live-streams the agent's steps — see Watch mode. It's coarse (a handful of steps, not
token-by-token), and the returned value is identical to the non-watch call.
The single-agent tools are serialized inside the server: agy rewrites last_conversations.json
on every call, so concurrent runs sharing one state dir would race and could return the wrong
conversation. A threading.Lock makes extra requests queue rather than race.
For real parallelism use agent_swarm — each agy worker runs in its own isolated state
dir (and Codex/Copilot/Cursor workers need none), so they don't race and the lock isn't needed (~2.8×
at 3 workers). That's the supported way to run many calls at once, across any backend.
Status & caveats
✅ Verified on agy 1.1.0 — base dir,
last_conversations.json(still keyed by workspace path), thebrain/.../transcript.jsonlpath, the transcript schema, and the-p/-c/--print-timeoutflags are all unchanged; a liveantigravity_ask+ conversation-pinnedantigravity_continueround-trip returns clean over stdout andantigravity_statusdiagnostics pass. 1.1.0 added an agent execution-mode system — a--modeflag (accept-edits|plan) and a new interactive request-review default that pauses before file writes — but it does not touch the bridge:-pis spawned with DEVNULL stdin, so the approval gate never engages and print mode still auto-executes (a file-writing task completed in ~36 s, exit 0, with and without--mode accept-edits).--sandboxbehavior is likewise unchanged (blocks the terminal, not file writes). The print-mode stdout path (fixed on 1.0.15, Windows) still applies; the transcript stays the fallback.✅ Verified on codex-cli 0.141.0 —
codex exec,-o/--output-last-message,codex exec resume, the--jsonevent stream, and the~/.codex/sessions/.../rollout-*.jsonllayout the continue path reads are all in place; a livecodex_askround-trip +codex_statuspass.✅ Verified on copilot 1.0.68 —
copilot -p -s(clean stdout answer),--session-idset-then-resume,--model,--output-format json(watch stream), and the~/.copilot/session-state/<id>/workspace.yamllayout the continue fallback reads are all in place; livecopilot_ask/copilot_continueround-trips + a mixedagent_swarmpass.✅ Verified on cursor-agent 2026.07.08 —
cursor-agent -p --output-format text --trust(clean stdout answer),create-chat+-p --resume <id>,--model(validated againstcursor-agent models),--output-format stream-json(watch stream), and the~/.cursor/chats/<md5(workspace)>/<chat-id>/meta.jsonlayout the continue fallback reads are all in place; livecursor_ask/cursor_continueround-trips + a mixedagent_swarmpass.🖥️ Console-detach — before 1.0.15 agy
-pwrote its answer to the controlling terminal, not stdout; under a TUI that text leaked into the host's prompt (seen on 1.0.9). 1.0.15 fixed this on Windows (stdout now carries the answer), but the bridge still spawns agy detached (CREATE_NO_WINDOW/ a new POSIX session), which prevents the leak on older/other platforms and is harmless on 1.0.15+.💾 SQLite migration — handled — agy still dual-writes a
.dbper conversation; on the fallback path, when the JSONL transcript is absent (already true for--sandboxruns, and the announced future default)_read_responsefalls back to reading the.db, verified to match across 100+ conversations. See the FAQ.🐛 agy stdout bug — fixed on 1.0.15 —
-pnow prints the clean answer to stdout in a non-TTY subprocess (Windows), so the bridge prefers stdout and only scrapes the transcript when stdout is empty (older agy, non-Windows, or--sandbox). (Codex and Copilot never had this problem — both are stdout-native.)👁️ Watch mode is experimental — pass
watch=trueto any single-prompt tool to open the Agent Intern window and watch the agent work live (coarse steps; image shown inline). Best-effort and cross-platform; see Watch mode.🔒 Sandbox — agy's
--sandboxblocks only shell commands, so it's no boundary and the bridge never passes it. Codex'ssandboxis real and enforced — use it; defaultread-only. Copilot'ssandboxis best-effort (tool/path denials, not an OS sandbox); defaultread-only. Cursor'ssandboxis agent-enforced (mode/force; read-only =--mode askmakes write/shell unavailable, not an OS sandbox); defaultread-only. See Security.
Requirements
Python 3.10+
For the Antigravity tools:
agy1.0.0+ onPATH(state-file layout re-verified on 1.0.15) and an active Antigravity / AI Pro sessionFor the Codex tools:
codexonPATHand logged in (codex login) — verified on codex-cli 0.141.0For the Copilot tools:
copilotonPATHand logged in (copilot→/login, or aCOPILOT_GITHUB_TOKEN/GH_TOKENenv) — verified on copilot 1.0.68For the Cursor tools:
cursor-agentonPATHand logged in (cursor-agent login, or aCURSOR_API_KEYenv) — verified on cursor-agent 2026.07.08
Each backend is independent — install only the CLI(s) you plan to use; the other tools simply report "not found" via their *_status tool.
Ifagy isn't reliably on PATH (e.g. a new terminal or reboot drops it on Windows), set the
AGY_BIN env var to its full path and the bridge will use that instead of "agy" — e.g.
AGY_BIN=%LOCALAPPDATA%\agy\bin\agy.exe. Likewise, set CODEX_BIN if codex isn't reliably on
PATH (the native Windows installer puts it under %LOCALAPPDATA%\Programs\OpenAI\Codex\bin\), and
**COPILOT_BIN** if copilot isn't (the winget install lands under
%LOCALAPPDATA%\Microsoft\WinGet\Packages\GitHub.Copilot_*\copilot.exe). Finally, set
**CURSOR_BIN** if cursor-agent isn't reliably on PATH (the installer drops a cursor-agent.CMD
shim a bare name can't launch on Windows).
The bridge uses only cross-platform Python (Path.home(), subprocess) and reads paths under
~/.gemini/antigravity-cli/, ~/.codex/, ~/.copilot/, and ~/.cursor/, which the CLIs write the
same way on every OS. Developed and verified on Windows; macOS and Linux should work unmodified
provided the CLIs run there. If you test it on those platforms, please open an issue / PR to confirm.
🌐 Community & Acknowledgments
Qiita (Japan): A huge thanks to
@falloutand the Japanese developer community for featuring this project and providing invaluable feedback!
💡 Path Resolution Fix: Thanks to their community's real-world testing, we identified and resolved a Windows PATH edge case where the MCP server inherits a stale
PATHat startup and can't findagy. TheAGY_BINenvironment-variable fallback was implemented directly inspired by their report!
License
MIT. Do whatever you want with it.
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/SinanTufekci/agent-intern'
If you have feedback or need assistance with the MCP directory API, please join our Discord server