Skip to content

feat(cli): detect Gemini managed-agent sandbox in detectAgentRuntime#1294

Open
jrusso1020 wants to merge 3 commits into
mainfrom
feat/cli-detect-gemini-managed-agent
Open

feat(cli): detect Gemini managed-agent sandbox in detectAgentRuntime#1294
jrusso1020 wants to merge 3 commits into
mainfrom
feat/cli-detect-gemini-managed-agent

Conversation

@jrusso1020

@jrusso1020 jrusso1020 commented Jun 9, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

What

Adds Gemini managed-agent sandbox detection to the CLI's existing agent-runtime telemetry. Returns "gemini_managed_agent" from detectAgentRuntime() when the CLI is invoked inside a Google Gemini managed-agent sandbox; null elsewhere.

Why

The CLI already classifies invocations from Claude Code, Cursor, Codex, Replit, Hermes, openclaw, Pi, GitHub Copilot Agent (the existing VENDOR_RULES array in agent_runtime.ts). A Gemini managed-agent template is now using the hyperframes CLI internally for local renders (the dual-mode work in heygen-com/hyperframes-gemini-agent#1), and the team wants the same adoption signal for that surface.

How

Two changes in packages/cli/src/telemetry/agent_runtime.ts:

  1. Add "gemini_managed_agent" to the AgentRuntime type union.
  2. Add isGeminiManagedAgent() — a filesystem-based detector that returns true when both signals are present:
    • existsSync('/.agents/AGENTS.md')the uniqueness anchor. Definitionally a managed-agent artifact (the platform injects it per-run; its mtime tracks the interaction). Nothing in the generic Google-Cloud-on-gVisor universe (Cloud Run gen2, GKE Sandbox, Fly.io) mounts /.agents/. This single check carries essentially all uniqueness.
    • isGVisor()a guard, not a second uniqueness signal. gVisor itself is shared with GKE Sandbox + Cloud Run gen2 — it does not discriminate Antigravity. Its job here is to rule out a stray user-created /.agents/AGENTS.md on a non-sandbox host.
  3. detectAgentRuntime() checks isGeminiManagedAgent() ahead of the env-var-only VENDOR_RULES loop, since the Gemini signal is filesystem + kernel, not env.

GEMINI_API_KEY is deliberately NOT keyed on — it's user-settable on any host. Other signals explicitly excluded with documented reasons: gVisor alone, Google Compute Engine DMI (entire GCP reports this), job cgroup (Google-internal but broadly present), the egress-proxy env cluster (any MITM container sets these), /.google/ base-image overlay.

Empirical verification

Two independent verification passes by gemini-agent (introspection-based — env, /proc/version, /proc/1/cgroup, /proc/net/tcp, ip route, ip link, ls -la /, DMI, PID-1):

Stability — 3 independent fresh sandbox spins (the original spike, b9db4e56, d59d6361) all show both signals present. Full 3-spin matrix posted as a comment on this PR.

Uniqueness — FS-root + cgroup + netns + DMI + PID-1 introspection of d59d6361 to discriminate Antigravity-unique markers from the broader Google-Cloud-on-gVisor universe. Verdict:

  • /.agents/AGENTS.md carries essentially all uniqueness (definitional managed-agent mount).
  • gVisor is shared with GKE Sandbox + Cloud Run gen2 — guard only, not a discriminator.
  • Several hoped-for stronger markers don't exist in the empirical environment: no antigravity/managed-agent in any cgroup path; no ANTIGRAVITY_* / MANAGED_AGENT_* env var; no :8081 listener in /proc/net/tcp (proxy is the veth /30 gateway, not a local socket); no /credentials or service-account path.

Stability ≠ uniqueness; both are required for a correct detection rule. The 3-spin work confirms the signals are reliably present; the uniqueness analysis confirms they discriminate Antigravity from neighboring gVisor surfaces.

Test plan

4 new vitest cases in agent_runtime.test.ts:

  • Positive: /.agents/AGENTS.md exists + kernel is 4.19.0-gvisorgemini_managed_agent
  • Negative: gVisor alone (no /.agents/) → null (generic gVisor surface fallthrough)
  • Negative: /.agents/AGENTS.md exists on a non-gVisor kernel → null (dev-box false-positive guard)
  • Precedence: Gemini signal wins over a coincident CLAUDECODE env var
  • All 24 tests in agent_runtime.test.ts pass under vitest run (the CI runner)
  • bun run lint + bun run format:check repo-wide clean
  • Commit signed (GitHub verified)
  • Cross-spin empirical verification (stability)
  • Uniqueness empirical verification
  • Documentation updated — detectAgentRuntime()'s docstring updated inline; no separate docs surface

🤖 Signed off by Jerrai (hyperframes specialist)

@jrusso1020
feat(cli): detect Gemini managed-agent sandbox in detectAgentRuntime
16898b7 
Add `gemini_managed_agent` to the AgentRuntime union and a dedicated
isGeminiManagedAgent() detector. Empirical signal pair (from live-sandbox
introspection by gemini-agent, env_id b9db4e56, 2026-06-09):

  existsSync('/.agents/AGENTS.md')  AND  isGVisor()

The conjunction is what makes the rule safe:

  - `/.agents/AGENTS.md` excludes generic gVisor surfaces (GKE Sandbox,
    Cloud Run gen2) that don't mount the managed-agent layout.
  - The gVisor kernel check excludes a dev box that happens to have a
    stray `/.agents/` directory.

Implementation notes:

  - Filesystem-based check runs ahead of the env-var-only VENDOR_RULES
    loop. VENDOR_RULES is documented as "Only checks for the EXISTENCE
    of well-known env vars — never reads their values"; the Gemini
    signal is filesystem + kernel, not env, so it gets a dedicated
    branch rather than shoehorning into the rule list.

  - GEMINI_API_KEY is deliberately NOT keyed on — it's user-settable on
    any host. The filesystem + kernel pair is the actually-distinctive
    signal.

  - Reuses the existing isGVisor() helper for the kernel half of the
    conjunction; no duplication.

Tests (4 new, vitest):

  - Positive: /.agents/AGENTS.md + 4.19.0-gvisor → gemini_managed_agent
  - Negative: gVisor alone (no /.agents/) → null (generic gVisor surface)
  - Negative: /.agents/AGENTS.md alone (no gVisor) → null (dev box false-positive guard)
  - Precedence: Gemini signal wins over a coincident CLAUDECODE env var

Empirical caveat: signal was gathered from a single sandbox. Re-confirming
across additional sandbox spins is a follow-up; the rule is conservative
enough (conjunction of two independent signals) that a single-spin
false-positive is unlikely, but a single-spin variance bug (e.g. some
sandbox flavors omitting one of the two markers) would surface as
under-detection rather than over-detection.

Source for signals: introspection write-up at
/tmp/gemini-sandbox-detection-signals.md (gemini-agent, 2026-06-09).
@jrusso1020

jrusso1020 commented Jun 9, 2026

Copy link
Copy Markdown
Collaborator Author

Cross-spin confirmation for the detection rule — 3 independent fresh sandbox spins, all consistent with the conjunction this PR keys on:

Spin /.agents/AGENTS.md /proc/version
spike (original) present 4.19.0-gvisor
b9db4e56 (verification batch) present (+ skills/, workspace/) Linux version 4.19.0-gvisor
d59d6361 (heavy-render env) -rw-r--r-- … 4328 … /.agents/AGENTS.md gvisor

So the primary signal (exists('/.agents/AGENTS.md') AND isGVisor()) held on all three — the single-spin caveat in the PR body can be treated as closed for v1 adoption. — gemini-agent

jrusso1020 and others added 2 commits June 9, 2026 07:44
@jrusso1020
docs(cli): reframe Gemini-managed-agent detection rationale (load-bea…
785e6cb 
…ring vs guard)

gemini-agent's uniqueness analysis (FS-root + cgroup + netns + DMI + PID-1
introspection of env d59d6361, 2026-06-09) revealed the two signals are
NOT co-equal:

- /.agents/AGENTS.md is the uniqueness anchor — definitionally a
  managed-agent artifact, injected per-run by the platform, mtime
  tracks the interaction. Nothing in the generic Google-Cloud-on-gVisor
  universe (Cloud Run gen2, GKE Sandbox, Fly.io) mounts /.agents/.
- isGVisor() is a guard, not a second uniqueness signal. gVisor itself
  is shared with GKE Sandbox + Cloud Run gen2 — its real job here is
  ruling out a stray user-created /.agents/AGENTS.md on a non-sandbox
  host.

The original 3-spin work proved *stability* (signals consistent across
sandbox spins). This pass adds *uniqueness* — confirming the signals
discriminate Antigravity from the broader gVisor universe, not just
that they're reliably present. Stability ≠ uniqueness; both are
required for a correct detection rule.

Code unchanged (the AND-gate is sound). Docstring reframed so a future
reader doesn't mistake the conjunction for two independent uniqueness
signals. Also enumerated the markers NOT keyed on (with reasons), so
future contributors don't reach for them by naming inference.

Source: gemini-agent uniqueness analysis write-up.
@jrusso1020 @claude
fix(cli): key Gemini managed-agent detection on /.agents/ mount, not …
52d1947 
…optional AGENTS.md

The detector keyed on existsSync('/.agents/AGENTS.md'), but Google's Managed
Agents docs are explicit that AGENTS.md is OPTIONAL: an agent may declare its
instructions inline via system_instruction in agent.yaml and ship no AGENTS.md
file ("system_instruction and AGENTS.md are additive; both apply when present").
The platform auto-discovers the agent under the /.agents/ directory; skills
mount at /.agents/skills/ and AGENTS.md at /.agents/AGENTS.md only when shipped.

Keying on the file generalized only to templates that happen to bundle an
AGENTS.md (like HeyGen's own gemini-agent and Thor's reference). A managed agent
defined with inline instructions or a skills-only definition was a silent
false-negative. All three prior verification spins used our own AGENTS.md-bearing
template, so the gap was never exercised.

Broaden to the /.agents/ directory mount (still gVisor-guarded — false-positive
surface is unchanged) so skills-only and inline-instruction agents are detected.
Adds a regression test for the skills-but-no-AGENTS.md case. Documents the one
residual gap (pure inline-only, no skills/no AGENTS.md) that needs an empirical
spin to confirm.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@jrusso1020

jrusso1020 commented Jun 10, 2026

Copy link
Copy Markdown
Collaborator Author

Generalizability fix pushed (52d1947)

Re-examined whether the detection generalizes across all Gemini managed agents, not just our own template. It did not, as originally written.

Finding: the detector keyed on existsSync('/.agents/AGENTS.md'), but Google's Managed Agents docs are explicit that AGENTS.md is optional — an agent can declare its instructions inline via system_instruction in agent.yaml and ship no AGENTS.md file ("the system_instruction and AGENTS.md are additive; both apply when present"). The platform auto-discovers the agent under the /.agents/ directory; skills mount at /.agents/skills/, workspace at /workspace/, and AGENTS.md at /.agents/AGENTS.md only when shipped.

So the file-based check generalized only to templates that happen to bundle an AGENTS.md — like our own hyperframes-gemini-agent and Thor's reference. A managed agent defined with inline instructions, or a skills-only definition, was a silent false-negative. All three verification spins used our AGENTS.md-bearing template, so this gap was never exercised — stability across spins ≠ generalizability across agent definitions.

Fix: key on the /.agents/ directory mount instead of the AGENTS.md file. Still gVisor-guarded, so the false-positive surface is unchanged (/.agents/ at filesystem root doesn't exist on Cloud Run gen2 / GKE Sandbox / Fly.io). Added a regression test for the skills-but-no-AGENTS.md case.

Residual gap (documented in-code): an agent defined with only inline system_instruction — no skills, no AGENTS.md — may not materialize a /.agents/ mount at all. That tail can't be closed from the docs; it needs an empirical spin of such an agent to confirm. The common case (skills and/or AGENTS.md present) is now covered.

Sources: Building Managed Agents, Managed Agents Quickstart.

@jrusso1020 jrusso1020 mentioned this pull request Jun 10, 2026
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jrusso1020