원클릭으로
virgo-injection-guard
Protocol for high-integrity conversational AI injections and sensory parity in the Virgo extension.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Protocol for high-integrity conversational AI injections and sensory parity in the Virgo extension.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
| name | virgo_injection_guard |
| description | Protocol for high-integrity conversational AI injections and sensory parity in the Virgo extension. |
[!IMPORTANT] Current State (v2.5.10): The MCP server has ONE core function —
say_this_loud. It runs as a stdio standalone process (dist/mcp-standalone.js) — not an HTTP service. The auto-SITREP loop,autoInjectSITREPflag, and protocol-reading boot sequence were aspirational and are not reliably triggered. Do NOT assume these work automatically. The agent must callsay_this_loudexplicitly when it wants to surface content in the sidebar.
The Virgo MCP server is a stdio standalone process (dist/mcp-standalone.js) — not an HTTP service. It runs outside VS Code and communicates with the extension via file-based polling (McpWatcher). Its sole production mission:
Agent calls say_this_loud (via stdio → mcp-standalone.js)
→ PendingInjectionStore.save() writes <timestamp>.<name>.md to sessions/<id>/
→ McpWatcher [McpWatcher.ts] detects new file:
PRIMARY: vscode.workspace.createFileSystemWatcher (VS Code FileSystemWatcher)
SUPPLEMENTAL: fs.watch on antigravityRoot (for paths outside VS Code workspace)
→ McpWatcher._handleInboundSnippet() fires
→ onSnippetLoaded callbacks notify SpeechProvider
→ DocumentLoadController.loadSnippet() → StateStore updates → UI syncs
No other behavior is guaranteed to be active.
say_this_loud{
"tool": "say_this_loud",
"arguments": {
"content": "# Markdown content here...",
"snippet_name": "my_sitrep",
"sessionId": "<active-session-id>",
"session_title": "Optional human-readable title",
"turnIndex": 42
}
}
Rules:
content + snippet_name + sessionId are requiredsession_title and turnIndex are optional (omit if uncertain)turnIndex lower than the current one — it will be rejected. Omit it to auto-increment safely.~/.gemini/antigravity/virgo/sessions/<sessionId>/<timestamp>_<safe_name>.mdSuccess response:
Injected Turn 5 into session abc123 successfully at /path/to/file.md
say_this_loud (Strategic Triggers)Canonical SSOT: GEMINI.md §12.2 — this section summarizes; defer to GEMINI.md if they diverge.
Fire say_this_loud only on these 5 triggers — NOT every turn:
| # | Trigger | Example |
|---|---|---|
| 1 | Turn-ending SITREPs and session summaries | End of a major work block |
| 2 | Implementation plan proposals | Before requesting GO from the user |
| 3 | Phase completions | Handoff to user at end of a plan phase |
| 4 | Major milestones or blocking questions | Strategic decision required |
| 5 | Post-Install Coaching / Behavioral Suggestions | Agent proactive setup of user preferences |
Never fire for:
The agent must supply the correct sessionId. The canonical session ID is:
loom.json)virgo://session/{sessionId}/state resource (if SSE is connected)~/.gemini/antigravity/virgo/sessions/[!WARNING] The
protocols/directory (virgo://protocols/...) is served by the MCP resource layer but theprotocolsresource is scheduled for removal (see MCP audit). Do not depend on it as a boot mechanism.
When you inject content, it will be read aloud by the extension. Therefore:
say_this_loud MUST be meaningful and readable as prose — not raw JSON, file paths, or internal telemetry.isError: true), do NOT report it as success. Alert the user.say_this_loud MUST also appear verbatim as plain text in your chat response. The agent cannot narrate content it does not display. This lets the user read along with the audio. A response that narrates hidden content is a parity violation.Every say_this_loud injection must follow this template structure:
## 🎯 [Descriptive Title] — [Version or Context]
### What Shipped
- **Feature name** — one sentence describing what it does and why it matters.
- **Feature name** — one sentence.
### How It Works
One short paragraph (2–4 sentences max) explaining the mechanism in plain language.
### What's Next
- **T-036** — Short description of next thread.
- Or: The core work is done. Remaining threads are optional.
---
> **Version:** vX.Y.Z | **Tests:** N/N passing | **Status:** Installed ✅
Formatting rules:
| Rule | Requirement |
|---|---|
Always start with ## heading | Never start with raw prose |
Use ### sections to group | What Shipped / How It Works / What's Next |
| Bullet each shipped item | One bullet = one feature, one sentence |
| End with a metadata footer | Version, test count, status |
| Max paragraph length | 3–4 sentences before a new section or bullet |
| No raw paths or JSON | Human-readable names only |
The ~/.gemini/antigravity/virgo/protocols/ directory contains .md files that were intended to be read by the agent on boot via the virgo://protocols/ MCP resource, enforcing automatic SITREP injection every turn.
Current status: The auto-boot mechanism (via the virgo_boot MCP prompt + boot.md protocol) does not fire reliably because MCP prompts are not auto-executed by Gemini on connection. The vision is sound — the execution layer is still maturing.
What the protocols say (for reference):
| File | Intent |
|---|---|
boot.md | Identifies session, loads vitals, initializes SITREP |
manifest.md | Overview of the "Standalone" architecture |
orchestrator.md | Turn-by-turn injection loop |
injection_guard.md | Verbatim parity rules |
sensory_integrity.md | No truncation in injections |
These files remain as aspirational documentation. When the agent-boot mechanism is stabilized, they will become the active runtime protocol.
say_this_loud tool call (via stdio → dist/mcp-standalone.js)
↓
PendingInjectionStore.save() [sharedStore.ts]
↓ writes <timestamp>.<name>.md to sessions/<id>/
McpWatcher [McpWatcher.ts]
├─ PRIMARY: vscode.workspace.createFileSystemWatcher (** /*.md glob)
└─ SUPPLEMENTAL: fs.watch on antigravityRoot {recursive:true} (Windows/external path fallback)
↓ both call _handleInboundSnippet(uri)
↓ ownership check via .workspace_claim (XOR gate — rejects sibling IDE sessions)
↓ calls
DocumentLoadController.loadSnippet() [documentLoadController.ts]
↓
StateStore.setActiveDocument() + setActiveMode('SNIPPET')
↓
onSnippetLoaded callbacks → SpeechProvider [speechProvider.ts]
↓ calls
_getSnippetHistory() — scans sessions/<id>/*.md only
↓
StateStore.setSnippetHistory()
↓ emits 'change'
SyncManager — hash includes snippetHistory
↓
DashboardRelay.sync() → UI_SYNC packet → Webview sidebar updates
Key invariants:
.md/.markdown files are discovered (non-markdown files are filtered)extension_state.json does NOT appear in the sidebar (filtered by extension)| Name | Type | Status | Use |
|---|---|---|---|
say_this_loud | Tool | ✅ Active | Inject content into sidebar |
self_diagnostic | Tool | ✅ Active | Health check (pid, path, version) |
get_injection_status | Tool | ✅ Active | Store size + persistence path |
native-logs | Resource | ✅ Active | VS Code output channel logs |
debug-logs | Resource | ✅ Active | Extension diagnostic log file |
injected-snippets | Resource | ✅ Active | Read back injected .md files |
session-state | Resource | ⚠️ Stale | Returns extension_state.json — scheduled for removal |
protocols | Resource | ⚠️ Deprecated | Returns protocol .md files — scheduled for removal |
virgo_boot | Prompt | ❌ Unreliable | Not auto-triggered; noop in practice |
# Dev Cycle Protocol: CDP Shell Sovereignty (v2.5.1)
Protocol for high-density, symmetrical shorthand logging in VS Code extensions.
Protocol for local session metadata persistence in the Virgo extension.
Architectural map and development guidelines for the Virgo extension. Mandatory reference for all agent modifications.
Governance protocol and automated scripts for packaging and publishing the Virgo MCP standalone server to the public NPM registry. Enforces safety gates and clean extraction logic.
Unified Release Authority — Single Source of Truth for all release lifecycle actions. Merges release_prestige and version_sentinel into one sovereign skill covering: semantic versioning rules, authorization gates, pipeline execution, artifact verification, git history auditing, SemVer enforcement, and post-release validation.