Google Antigravity and Gemini Stuck? Split Routing for Google APIs and CDNs in Clash (2026)

What Antigravity Pulls Across the Network

Treat Google Antigravity as a small distributed system wearing an IDE skin. At minimum you should expect account flows on google.com and accounts.google.com, consent and identity helpers on related Google hosts, model traffic on googleapis.com (including Generative Language endpoints used by Gemini), and static payloads from gstatic.com and siblings. Feature rollouts may also touch Google API surfaces you already recognize from other Google AI clients—quota, telemetry, or workspace linking—that still ride the same suffix families even when the UI labels change.

Because the product moves quickly, captures may also show IDE-specific names such as antigravity.google for updates, configuration, or experimentation endpoints. Do not treat those as “optional cosmetics.” If the IDE checks a manifest before it enables an agent panel, that check is on the critical path. A slow or inconsistently routed manifest lookup feels exactly like “Gemini is thinking forever,” even when the model service is healthy.

Finally, remember the inner IDE graph: language servers, task runners, git integrations, and a bundled terminal can each open their own TLS sessions. Clash evaluates every connection independently, which is powerful and unforgiving. Your goal is not to “enable proxy,” but to give every subprocess that participates in auth and inference the same coherent outbound story on networks where use is permitted.

Why “Spinning” Hides Three Different Legs

Users describe the same symptom with one word: spinning. Underneath, you usually have one of three families failing. The first is OAuth token exchange: the webview shows success, but a follow-up call to oauth2.googleapis.com or a token service host takes a different exit than the browser cookie jar expected, so the IDE never receives a usable access token. The second is model inference: requests to googleapis.com begin, stall mid-stream, or reset because the selected node is lossy, because QUIC falls back poorly, or because a middlebox kills long idle intervals on streaming responses. The third is CDN leg mismatch: a JS bundle or tiny JSON manifest loads from a geography that disagrees with the Google session implied by your proxy exit, so the client waits until a deadline triggers an API timeout message that points at the wrong subsystem.

The cruelty is that all three look identical from the user seat. Antigravity does not ship a packet diagram; it shows a progress halo. Your job as the network owner is to turn the spinner into evidence: hostname, policy hit, resolver answer, and TLS phase. That is where split routing discipline earns its keep—narrow vendor coverage placed above broad GEOIP catches, and an explicit policy group name that every Google leg shares for the duration of a session.

If you want the philosophical anchor, read Clash rule routing best practices and keep returning to one question: “Did any Google participant accidentally fall into a different bucket than its peers?” When the answer is yes, you will chase red herrings—new keys, new models, new reinstalls—until routing is corrected.

Hostnames to Watch: antigravity.google, Accounts, APIs, CDNs

You do not need clairvoyance; you need a repeatable capture habit. When Antigravity misbehaves, sort the hostnames you see into four buckets: accounts and consent (typically google.com, accounts.google.com), API and control plane (googleapis.com and product-specific subdomains), static delivery (gstatic.com and similar), and IDE distribution (often antigravity.google in 2026-era builds, plus whatever your logs reveal for update channels). Attach timestamps to each row so you can correlate UI phases with wire events.

Downloads and signed URLs may still appear under googleusercontent.com or shared storage domains. Extensions and marketplace-like flows may introduce additional Google properties; capture first, then decide whether a suffix rule or a temporary DOMAIN line is the honest representation of what you observed. Avoid lazy DOMAIN-KEYWORD,google shotgun rules—they age poorly and hide real traffic you will need to explain during the next incident.

If you already tuned browser-only Gemini flows, reuse the same vocabulary. Our Google AI Studio walkthrough explains how web clients stitch the same namespaces; Antigravity simply adds IDE-shaped processes that ignore your assumptions about “the browser.”

OAuth, Embedded WebViews, and Loopback Callbacks

OAuth inside an IDE almost always combines two worlds: a webview that behaves like a browser and native code that holds expectations about token freshness. If the webview authenticates through your proxy exit while a background refresh hits DIRECT, you can pass the visible login screen and still fail the moment the IDE exchanges codes. The fix is cohesion, not “more login attempts.”

Loopback callbacks deserve special care. Many OAuth flows return to http://127.0.0.1:… on an ephemeral port. If NO_PROXY is wrong, if a filter rewrites loopback, or if a secondary local proxy unintentionally captures the callback, the webview may appear hung while the terminal prints nothing useful. Keep loopback short: exclude it from upstream chains unless you are explicitly debugging—and if you are, draw the recursion on paper before you wire another tool in the middle.

When screenshots show “stuck at sign-in,” compare timestamps between webview completion and the first failing googleapis.com call. If the webview never finishes, broaden CDN coverage first; if it finishes instantly but APIs never authorize, scrutinize token exchange hostnames and their policy hits. The UI will not tell you which branch you are on; your logs must.

Gemini on googleapis.com: Latency, Streams, and API Timeouts

Gemini traffic is not a single ping. Agentic IDEs issue planner calls, tool proposals, retrieval phases, and long streaming completions that can remain open far longer than a typical REST request. That duration interacts badly with lossy exits, aggressive NAT timers, and middleboxes tuned for short web bursts. Clash cannot invent throughput on a dead node, but it can stop you from misrouting half of a session so the client misattributes node failure to “Gemini broke everywhere.”

Streaming failures often masquerade as generic API timeout strings. In logs, look for connections that establish TLS, exchange application data, then go idle until the client aborts. Compare that pattern to immediate SYN stalls, which usually scream routing or DNS rather than model health. If only streaming fails while short requests succeed, test another exit—but only after you confirm the hostname consistently hits your intended policy group and not a surprise DIRECT leak through rule starvation.

If you are also using terminal automation alongside the IDE, remember that shell tools may consult different proxy environment variables than the Electron shell. Our Gemini CLI article covers the terminal side in depth; Antigravity users frequently run both graphs simultaneously. The combined lesson is simple: one Google policy story for every process that touches tokens and inference.

CDN and Static Legs That Still Gate the IDE

Operators dismiss gstatic.com until it bites them. Antigravity is not “a website,” but it still downloads small assets that unblock larger features: manifest files, scripts, WASM chunks, or telemetry batches. Each item is tiny; together they gate progress. When these legs resolve to a region that mismatches your exit, you can watch perfect Google API health while the IDE waits on a static asset that path validation or regional routing effectively starved.

Treat static suffixes as first-class members of your CDN plan until evidence says you can narrow them. The conservative workflow never changes: widen suffix coverage, confirm the spinner disappears, then trim with captures—not the other way around. If you trim too aggressively after one lucky afternoon, you will reopen the ticket next week when Google shifts an edge.

For a parallel conversation on how static legs derail apparently “non-web” clients, compare notes with Gemini Mac app split routing. Different shell, same lesson: CDNs participate in auth-shaped journeys more often than marketing slides admit.

Designing One Policy Group for a Whole IDE Session

Name a explicit group—call it GOOGLE_ANTIGRAVITY, GOOGLE_AI_IDE, or reuse GOOGLE_AI if you already maintain one profile—and route the families that participate in a single Antigravity session through it. This is not the same as “proxy everything.” Domestic DIRECT lines, LAN bypasses, and corporate VPN prefixes should still appear above vendor catches so you do not exfiltrate internal address space through a public exit by accident.

Cohesion beats cleverness. Two narrowly tuned groups that disagree during token refresh will produce more incidents than one slightly broader group that stays consistent. If compliance demands separation, separate deliberately—with documentation—rather than letting historical YAML accidents define your architecture.

Choose clients with readable telemetry. If you are still deciding on a distribution, choosing the right Clash client remains relevant: agentic IDEs fail in ways that punish opaque UIs and reward operators who can read connection tables quickly.

Illustrative Suffix Rules (Clash / Mihomo)

The YAML fragment below is illustrative, not canonical law. Subscriptions may duplicate suffixes; compliance may forbid certain exits; your captures may reveal one-off endpoints that deserve temporary DOMAIN lines. Diff this against your live profile instead of pasting blindly.

Illustrative rules fragment

rules:
  - DOMAIN-SUFFIX,antigravity.google,GOOGLE_ANTIGRAVITY
  - DOMAIN-SUFFIX,google.com,GOOGLE_ANTIGRAVITY
  - DOMAIN-SUFFIX,googleapis.com,GOOGLE_ANTIGRAVITY
  - DOMAIN-SUFFIX,gstatic.com,GOOGLE_ANTIGRAVITY
  - DOMAIN-SUFFIX,googleusercontent.com,GOOGLE_ANTIGRAVITY
  - GEOIP,CN,DIRECT
  - MATCH,DIRECT

Notice the intent: IDE distribution, account surfaces, Gemini’s Google API namespaces, common CDN legs, and shared storage patterns ride together so OAuth and inference share one latency envelope. If logs show a new hostname during a preview channel update, add it with a dated comment, validate, then decide later whether it belongs in a suffix group.

Rule Order, Rule Providers, and Sneaky List Interactions

Mihomo and modern Clash cores make rule providers seductive: your lists stay fresh without manual edits—until the provider fetch itself breaks or a tracker list suddenly reclassifies a shared Google static hostname. When a midnight update coincides with new “Antigravity won’t load” reports, treat list diffs as first-class suspects. Roll forward deliberately: reproduce on a test machine with the suspect provider disabled, then restore once you understand the interaction.

Ordering remains the quiet killer. A broad GEOIP line or a zealous keyword rule placed above narrow DOMAIN-SUFFIX coverage can starve your Antigravity group in practice while your mental model still says “we proxy Google.” After each provider refresh, scan the effective configuration the way a compiler would: which rule wins first for accounts.google.com, googleapis.com, and gstatic.com?

For pattern vocabulary on “why did my catch-all fire,” revisit rule order and GEOIP priority alongside your IDE captures. The synergy between documentation and live evidence shortens what otherwise becomes a week of folklore.

System Proxy vs TUN: Capturing Electron, Terminals, and Extensions

Many users start with the macOS or Windows “system proxy” toggle. That works when every subprocess respects the OS proxy APIs. It fails when embedded runtimes, extension hosts, or bundled terminals open sockets that bypass the setting. In those cases, TUN mode becomes the honest hammer: traffic enters the stack where the kernel routes it, and your core sees connections env vars never touched.

TUN is not free. You must reconcile VPN stacking, corporate clients, and OS permission prompts. On macOS, our TUN versus system proxy guide covers practical stacking; the general trade space lives in the TUN deep dive. Read both before you declare env vars “good enough,” especially if Antigravity launches background helpers that inherit surprising environments.

Containers and remote dev environments add another hop. If you snapshot dependencies through Docker or remote builders, the same coherence rule applies: tokens and model calls must not take divergent paths simply because a container ignored HTTP_PROXY. When that shape shows up, Docker mixed-port wiring helps close the loop.

DNS, fake-ip, and Regional PoP Mismatch

Misaligned DNS is the invisible amplifier of split routing. macOS encrypted DNS, browser DoH, corporate split-horizon, and core-level DNS each believe they own truth. When fake-ip mapping disagrees with the outbound policy you ultimately apply, you get the worst UX: instant resolve, endless dial, user-visible API timeout.

Invest until boring: Clash Meta DNS: nameserver fallback and fake-ip filter explains how resolver policy, fallback chains, and filter lists interact. The goal is not “enable DoH everywhere,” but a single orchestrated story for the test window—document what you picked, revert on purpose when the test ends. Multiplexing resolvers without a diagram burns calendar time.

Regional PoP mismatch deserves explicit mention. Even “correct” proxying can feel wrong if static assets and API calls land in different regions with different TLS interception profiles or path validation quirks. Coordinated exits reduce that variance; scattered exits invite it.

Reading Logs: From TLS Handshake to Idle Stream Death

Treat your log as a sequence diagram. SYN stalls usually mean routing or DNS lies. TLS hangs after ClientHello may mean an incompatible exit or middlebox interference. Stable throughput followed by abrupt resets often points to brittle nodes rather than YAML mistakes—but only after you confirm the hostname hit the policy group you intended. Bucket rows into account surfaces, googleapis.com model calls, CDN static families, and IDE update hosts such as antigravity.google; if one bucket diverges, fix rules rather than swapping models.

For concrete timeout and TLS motifs, pair this article with connection logs: timeout and TLS patterns. For another IDE-shaped OAuth story, compare notes with Cursor login and AI timeouts—different vendor, same shape of failure when browser and API legs disagree behind a proxy.

When you escalate to node rotations, rotate with evidence: capture which exit showed loss, whether QUIC was in play, and whether streams died only after N minutes idle. That discipline prevents “random node roulette” from masquerading as engineering.

Checklist Before You Blame “The Model”

1. Confirm you are permitted to use Clash/Mihomo and Antigravity on this network.
2. Verify clock skew is negligible; pause HTTPS interception while testing.
3. Reproduce once with logging open; capture exact hostnames across the spinner window.
4. Map each hostname to your effective ruleset—did it hit GOOGLE_ANTIGRAVITY as intended?
5. Audit rule order for geography lines, tracker lists, or keywords that starve suffix coverage.
6. Align DNS mode with fake-ip and fallback; hunt for instant resolve without successful TCP.
7. Validate NO_PROXY and loopback behavior; remove surprise double proxies.
8. If system proxy looks ignored by subprocesses, test TUN after resolving VPN conflicts.
9. Confirm remote providers refresh—silent stale lists hurt more than editors admit.
10. Only after local variables are ruled out, rotate nodes or consult service dashboards.

Write the change log your future self deserves: what moved, when, and why. Incidents cost less when the next on-call inherits a diff instead of mythology.

Frequently Asked Questions

Does using an API key avoid OAuth splits?

Keys remove some user flows, but IDE integrations often still touch account surfaces for billing, workspace linking, or feature gates. Until captures say otherwise, keep OAuth-related suffixes in the same cohesive group as googleapis.com traffic.

Why would only IDE updates fail while chat works?

Update channels can live on different hostnames than chat frontends. If antigravity.google or a sibling endpoint falls into a default MATCH bucket you did not scrutinize, the IDE can stream models while failing to download the next channel manifest. Separate symptoms, single diagnosis: check host-level policy hits.

Is Mihomo mandatory?

No. Many users run Mihomo-based distributions for capability and ecosystem reasons, but the routing lesson transfers to any core that matches per connection. Focus on suffix discipline, DNS honesty, and capture mode—not the badge on the GUI.

What if corporate TLS inspection is in the path?

Inspection breaks assumptions for long streams and for clients with pinned trust stores. You may need explicit exemptions, alternate paths, or compliance-approved tooling—not an extra PROXY line typed in anger. Involve security stakeholders early rather than debugging “mystery timeouts” alone.

Wrap-Up: One Routing Story for Antigravity + Gemini

One-click “VPN apps” can mask complexity, but they also mask evidence. When something as multi-process as Antigravity fails, opaque tunnels turn every symptom into guesswork, and coarse policies struggle with legitimate split routing needs: you still want local RFC1918 traffic direct even while Gemini sessions exit consistently. Static hosts files rot weekly; they cannot track moving CDN edges or new antigravity.google endpoints without constant manual surgery.

Clash V.CORE keeps what power users need: suffix-first rules you can read and review, provider updates you can audit, DNS modes that align with TUN or mixed ports, and logs that show whether OAuth, googleapis.com, or static delivery failed first. That observability is the difference between debugging Google’s multi-leg IDE graph and chasing imaginary model outages while your policy table quietly disagrees with itself.

→ Download Clash for free and make Antigravity’s Google legs readable—then spend your night shipping agents, not packet trivia.