taibaran/gemini-plugin-cc

gemini-plugin-cc

Run Google's Antigravity CLI (agy, the successor to Gemini CLI) from inside a Claude Code session. Get a second-opinion code review, an adversarial pass that tries to break the design, or delegate a long-form research task to the Gemini-family model behind agy — all without leaving the editor.

v0.6.0 migration note. Google announced on 2026-05-19 that the consumer-tier gemini CLI sunsets on 2026-06-18; the new CLI is the Go-based agy. Versions ≥ v0.6.0 of this plugin spawn agy. Enterprise Gemini Code Assist Standard/Enterprise customers who need to stay on the old CLI should pin to v0.5.x.

Why this exists

Claude is good at the code in front of it. But the same model has the same blind spots: same training, same style, same assumptions. A second model with different training catches things the first one missed.

agy is backed by a Gemini-family model with a 1M-token context window, so handing it a whole subdirectory and asking "what's the failure mode here?" is a real workflow, and this plugin makes it one slash command.

This project's own CHANGELOG records review rounds where exactly that loop — Claude wrote, Gemini (and Codex) reviewed, real bugs were found — drove the code.

Quick start

Step 1 — install Antigravity CLI (this is a prerequisite; the plugin does not install agy for you):

# macOS / Linux
curl -fsSL https://antigravity.google/cli/install.sh | bash

# Windows PowerShell
irm https://antigravity.google/cli/install.ps1 | iex

Then run agy install once to configure your shell PATH, and run agy (with no arguments) to trigger the browser sign-in. agy stores credentials in the OS keyring; nothing is written to disk that the plugin can read. To verify, agy --version should print 1.0.0 (or later).

Step 2 — install the plugin in Claude Code:

/plugin marketplace add https://github.com/taibaran/gemini-plugin-cc
/plugin install gemini@gemini-plugin-cc
/gemini:setup

/gemini:setup verifies that agy is on PATH, runs a tiny auth probe, and reports ✅ ready when both checks pass. If it reports not installed, return to Step 1.

Note on the install URL. Use the full HTTPS URL above, not the shorter <user>/<repo> form. The shorter form defaults to SSH (git@github.com:...) and fails with Host key verification failed unless you've already added github.com to ~/.ssh/known_hosts.

What you get

Slash command                       What it does
/gemini:setup                       Verify the local agy binary, Node, and authentication.
/gemini:ask <question>              Ask agy a one-off question (read-only).
/gemini:review                      Review uncommitted changes (working-tree, staged, or branch diff). Foreground or background.
/gemini:adversarial-review          Like /gemini:review, but agy is told to challenge the design and surface failure modes.
/gemini:rescue <task>               Delegate investigation, debugging, or a substantial task to agy via the gemini-rescue subagent.
/gemini:status [job-id] [--all]     List active and recent agy jobs in this workspace.
/gemini:result [job-id]             Show the stored output of a finished job.
/gemini:cancel [job-id]             Cancel an active background job.
/gemini:purge [--older-than 30d]    Delete recorded job metadata + log files from disk.

Example: review vs. adversarial-review

Same diff, two different framings. From this project's own history (v0.5.4 added a --timeout flag):

/gemini:review — reads like a code review:

The new --timeout flag is wired through cmdAsk, cmdReview, and cmdTask consistently. parseDuration accepts the documented forms (s/m/h/d). Tests cover the typical paths. Looks good.

/gemini:adversarial-review — reads like an attacker:

BLOCKING. Node's setTimeout silently truncates delays exceeding 2³¹−1 ms (~24.85 days) to ~1ms, with only a TimeoutOverflowWarning. parseDuration("30d") returns 2.59B ms, so a user passing --timeout 30d wraps to ~1ms and the timer fires immediately — the job is mislabeled timed-out before it could even start. Clamp to MAX_SETTIMEOUT_MS = 2_147_483_647 in resolveTimeoutMs before passing to setTimeout.

Both pass through the same plugin. The prompt template frames the model differently — adversarial mode is in prompts/adversarial-review.md and explicitly tells Gemini to default to skepticism, prioritize trust-boundary and concurrency failures, and not give credit for partial fixes or good intent.

The bug above was real. v0.5.5 closes it.

Try it locally before installing

git clone https://github.com/taibaran/gemini-plugin-cc.git
claude --plugin-dir ./gemini-plugin-cc/plugins/gemini

Note the /plugins/gemini suffix — --plugin-dir expects the path that contains .claude-plugin/plugin.json, not the repo root.

Requirements

  • macOS or Linux (Windows: agy ships a PowerShell installer, but the plugin's process-tree teardown uses POSIX signals and has not been tested on Win32)
  • Node.js 20+ (matches CI matrix; package.json declares engines.node). npm is no longer required at runtime — only for local development.
  • Antigravity CLI 1.0+: install from https://antigravity.google/cli/ using the official one-liner installer
  • Authentication: run !agy once and complete the Google sign-in flow in the browser. agy stores credentials in the OS keyring. GEMINI_API_KEY (from https://aistudio.google.com/app/apikey) is honored as a fallback for enterprise setups that still rely on it.

Model

agy 1.0 binds its underlying Gemini-family model internally — there is no --model flag to override. /gemini:setup reports the active model id reported by agy (and any user override from GEMINI_PLUGIN_MODEL or workspace config.activeModel), but those overrides are informational only in v0.6.0; they no longer reach the CLI. Plug-in maintainers may drop the override surface in a future release.

Timeouts

Every per-call subcommand accepts --timeout <duration>:

/gemini:ask --timeout 90s explain monads
/gemini:review --timeout 30m
/gemini:rescue --timeout 0 investigate slow build      # disable

Defaults: ask = 5 min, review = 20 min, rescue/task = unbounded (rescue work is open-ended; cancel with /gemini:cancel <job-id> if it overshoots). Accepted forms: 300s / 5m / 1h / 500ms / bare integer (ms).

Exit code on timeout is 124 (matches timeout(1)), distinguishable from policy refusals (2) and missing-binary (127). Durations exceeding Node's max setTimeout (~24.85 days) are clamped with a stderr warning so the timer doesn't silently wrap to ~1ms.
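
The parse-then-clamp step described above, as an added example that is not the plugin's source. parseDuration, resolveTimeoutMs and MAX_SETTIMEOUT_MS are names this README mentions; the bodies below, the integer-only grammar and the null return for a disabled timer are assumptions.

```javascript
// Added example: bodies are assumptions, only the names come from the README.
const MAX_SETTIMEOUT_MS = 2_147_483_647; // 2^31 - 1, the largest delay setTimeout honors
const UNIT_MS = { ms: 1, s: 1_000, m: 60_000, h: 3_600_000, d: 86_400_000 };

// Parse "300s", "5m", "1h", "500ms", "30d" or a bare integer (ms) into milliseconds.
function parseDuration(text) {
  const m = /^(\d+)(ms|s|m|h|d)?$/.exec(String(text).trim());
  if (!m) throw new Error(`invalid duration: ${text}`);
  const ms = Number(m[1]) * UNIT_MS[m[2] ?? "ms"];
  if (!Number.isSafeInteger(ms)) throw new Error(`duration out of range: ${text}`);
  return ms;
}

// Turn a --timeout value into a delay that is safe to pass to setTimeout.
// "0" disables the timer (null). Anything above the 32-bit limit is clamped
// and reported, because an unclamped value would make the timer fire at once.
function resolveTimeoutMs(text, warn = (msg) => process.stderr.write(msg + "\n")) {
  const ms = parseDuration(text);
  if (ms === 0) return null;
  if (ms > MAX_SETTIMEOUT_MS) {
    warn(`--timeout ${text} exceeds setTimeout's maximum; clamping to ${MAX_SETTIMEOUT_MS} ms`);
    return MAX_SETTIMEOUT_MS;
  }
  return ms;
}
```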

Privacy & security

This plugin runs agy against your local code. Be deliberate about what you send and where it goes.

What gets sent to Google

  • /gemini:ask — your literal question text.
  • /gemini:review and /gemini:adversarial-review — the local git diff (working-tree / staged / branch — depending on --scope), capped at 4 MB. Whatever is in that diff is what agy (and Google's model behind it) sees.
  • /gemini:rescue and /gemini:task — your prompt text. agy may also read files in the workspace itself (it has its own file-tools); the plugin does not pre-load files for it.
  • The stop-review-gate hook (when enabled) — the working-tree diff plus a short summary of Claude's last message.

What stays local

  • ${CLAUDE_PLUGIN_DATA}/state/<workspace>/jobs/<id>.{stdout,stderr}.log — full agy output for every backgrounded job. These files contain whatever agy said back, which can include excerpts of your code. Use /gemini:purge to delete them; /gemini:purge --older-than 30d to delete only old ones.
  • ${CLAUDE_PLUGIN_DATA}/state/<workspace>/jobs/<id>.json — job metadata (timestamps, exit codes, the prompt text, the model used).
  • ${CLAUDE_PLUGIN_DATA}/state/<workspace>/config.json — review-gate toggle + persisted fallback model (if any).

Environment scrubbing

The spawned agy process receives an allowlisted subset of the parent environment, not the full env. The allowlist covers PATH, HOME, locale, terminal, temp/XDG dirs, Gemini/Google auth vars, proxy settings, and NODE_EXTRA_CA_CERTS (for corporate TLS-intercepting proxies). Everything else — ANTHROPIC_API_KEY, GITHUB_TOKEN, OPENAI_API_KEY, AWS_*, SSH_AUTH_SOCK, NODE_OPTIONS, npm internals — is dropped. If agy (or any future supply-chain attack against its install path) is ever compromised, the blast radius is limited to what agy actually needs.
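
An allowlist of this shape, as an added example that is not the plugin's source. The exact variable names and prefixes are assumptions picked to match the categories listed above, and buildChildEnv is a hypothetical helper name.

```javascript
// Added example: names and prefixes are assumptions matching the README's categories.
const ALLOWED_NAMES = new Set([
  "PATH", "HOME", "LANG", "LANGUAGE", "TERM", "COLORTERM", "TMPDIR", "TMP", "TEMP",
  "HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY", "ALL_PROXY",
  "http_proxy", "https_proxy", "no_proxy", "all_proxy", // proxies are often lowercase
  "NODE_EXTRA_CA_CERTS",
]);
const ALLOWED_PREFIXES = ["LC_", "XDG_", "GEMINI_", "GOOGLE_"];

// Build the environment for the child from scratch. Anything not explicitly
// allowed is dropped, so a secret added to the parent environment next month
// is excluded without a code change (a denylist would have let it through).
function buildChildEnv(parentEnv) {
  const env = {};
  const dropped = [];
  for (const [name, value] of Object.entries(parentEnv)) {
    if (value === undefined) continue;
    const allowed = ALLOWED_NAMES.has(name) ||
      ALLOWED_PREFIXES.some((prefix) => name.startsWith(prefix));
    if (allowed) env[name] = value;
    else dropped.push(name);
  }
  // `dropped` holds names only, never values, so it is safe to log for auditing.
  return { env, dropped: dropped.sort() };
}

// The result must be passed explicitly, e.g. spawn("agy", args, { env }):
// child_process inherits the full process.env when no env option is given.
```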

Write mode

--write (only on /gemini:rescue / task) passes --dangerously-skip-permissions to agy — agy can then modify files and run shell commands in this workspace without per-action confirmation. The plugin refuses --write unless GEMINI_PLUGIN_ALLOW_WRITE=1 is set in the environment. Set it intentionally, ideally per-workspace via ~/.claude/settings.json's env field, only in trees where you accept that an agent can edit files.

Sandbox mode (opt-in, v0.6.1+)

Read-only invocations (/gemini:ask, /gemini:review, the stop-review-gate hook) run agy without any restrictions by default. To run agy with its own --sandbox flag (which "Runs in a sandbox with terminal restrictions enabled"), set GEMINI_PLUGIN_SANDBOX=1 in the env. This hardens against a prompt-injected review or stop-gate run reaching agy's unsandboxed terminal/tool surface.

Tradeoff: false positives (the sandbox wrongly restricting a legitimate read that needs a shell tool) become invisible failures; the default is off until agy 1.x's sandbox semantics stabilize. The flag is ignored for --write paths — write mode is already an explicit user opt-in to the opposite policy (--dangerously-skip-permissions).

Stop-review-gate strict mode

By default the stop hook fails open on infrastructure errors (agy missing, auth failed, timeout, parse error) so a broken agy install does not strand your session. To make those failures block stop instead, set GEMINI_REVIEW_GATE_STRICT=1 in the env. Useful for environments where "the gate could not run" should be treated as "do not stop yet."

The stop-hook timeout uses terminateProcessTree (SIGTERM the process group, escalate to SIGKILL after 2 s) so an agy child that ignores SIGTERM doesn't strand the hook.

Terminal-output sanitization

agy's stdout is piped through a sanitizer that strips ANSI/OSC escape sequences (cursor moves, OSC title bars, OSC 52 clipboard writes) and dangerous C0 control bytes before reaching your terminal. The sanitizer is stream-aware — escape sequences split across chunk boundaries are held back until they complete. The on-disk log keeps raw bytes for debugging.
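
A stream-aware sanitizer of the kind described above, as an added example that is not the plugin's own code. It assumes chunks arrive as already-decoded strings; createSanitizer, the choice to keep tab/newline/carriage return, and the 4096-character hold limit are assumptions.

```javascript
// Added example: not the plugin's sanitizer; limits and kept bytes are assumptions.
// CSI (cursor moves, colours) | OSC/DCS/SOS/PM/APC strings ended by BEL or ST | short escapes
const COMPLETE =
  /\x1b(?:\[[0-?]*[ -\/]*[@-~]|[\]PX^_][\s\S]*?(?:\x07|\x1b\\)|(?![\[\]PX^_])[ -\/]*[0-~])/g;
// The same grammar cut off by the end of the buffer: wait for the next chunk.
const INCOMPLETE = /\x1b(?:\[[0-?]*[ -\/]*|[\]PX^_][\s\S]*|[ -\/]*)$/;
// C0 controls and DEL, except tab, newline and carriage return.
const C0 = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g;
const MAX_HELD = 4096;

function createSanitizer() {
  let held = "";
  return {
    // Returns the text that is safe to print now; a trailing partial sequence is held.
    write(chunk) {
      let buf = (held + chunk).replace(COMPLETE, "");
      const cut = buf.search(INCOMPLETE);
      held = cut >= 0 ? buf.slice(cut) : "";
      if (cut >= 0) buf = buf.slice(0, cut);
      // An unterminated string sequence must not buffer output forever.
      if (held.length > MAX_HELD) { buf += held; held = ""; }
      // Final pass: whatever survived, no ESC or BEL byte reaches the terminal.
      return buf.replace(C0, "");
    },
    // Call at end of stream: anything still held was never completed.
    end() {
      const rest = held.replace(C0, "");
      held = "";
      return rest;
    },
  };
}
```

Without the hold-back, an OSC 52 sequence whose terminator lands in the next chunk would be printed half-stripped, which is the case the stream-aware design exists for.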

Concurrent config writes

config.json (review-gate toggle, persisted active model) is protected by an O_EXCL-based file lock with stale-lock recovery, so two concurrent /gemini:setup invocations from different shells can't lose each other's updates.

Architecture

gemini-plugin-cc/
├── .claude-plugin/marketplace.json   ← marketplace metadata at repo root
├── plugins/gemini/                   ← the plugin itself
│   ├── .claude-plugin/plugin.json    ← plugin manifest
│   ├── agents/  commands/  hooks/
│   ├── prompts/  schemas/  scripts/
│   └── skills/
├── tests/                            ← unit tests (node:test, no devDeps)
├── .github/workflows/ci.yml          ← CI matrix Node 20/22 + smoke job
├── CHANGELOG.md  CONTRIBUTING.md  SECURITY.md
└── package.json  README.md  LICENSE

The two-level layout (marketplace at repo root, plugin in plugins/gemini/) mirrors the convention used by openai/codex-plugin-cc and is what Claude Code's marketplace schema expects.

All slash commands invoke node "${CLAUDE_PLUGIN_ROOT}/scripts/companion.mjs" <subcommand>. ${CLAUDE_PLUGIN_ROOT} resolves to wherever the plugin is installed (~/.claude/plugins/<plugin-id>/), so the path stays consistent across local-dev and installed setups. The companion handles:

  • subprocess management of the agy CLI
  • diff capture (working-tree / staged / branch)
  • review prompt construction (standard vs adversarial)
  • background job tracking under ${CLAUDE_PLUGIN_DATA}/state/<workspace>/jobs/
  • auth-failure classification with actionable hints
  • timeout management (Node-side SIGTERM → SIGKILL escalation; agy-side --print-timeout complement)

See CONTRIBUTING.md for how to run tests locally and the quick rules for adding a slash command, and SECURITY.md for the threat surfaces that have explicit hardening and how to report issues.

License

Apache-2.0 (see LICENSE).

About

Claude Code plugin to call Google's Gemini for ask, code review, adversarial review, and long-form rescue tasks. Wraps @google/gemini-cli with model pinning, env scrubbing, ANSI sanitization, and a stop-time review gate.
