This Week in Agentic Harnesses · Published 2026-06-23

Operator Brief

Last window the field built authority machinery; this one exposed how much of it isn't actually protecting anyone yet. The gap shows up in two layers. Channel: a striking share of the sharpest security work sits on a default branch or a later version, not in the binary an operator runs — OpenHands has now gone two full windows with its entire enterprise and security build-out unreleased (and quietly reverted its concurrency limits), Gemini CLI's skill path-traversal fix is stranded in preview for a second window while its Antigravity install funnel and an uncapped upgrade banner reached stable, and Hermes shipped a fail-closed wave in v0.17.0 only to land a fresh, campaign-framed security wave back on main days later. Enforcement: Claude Code disclosed that two of last window's marquee authority features — the five-level subagent depth cap and argument-aware Agent() permission rules — did not actually bind until fixes this window. The uncomfortable punctuation is a Hermes commit narrative describing an apparent in-the-wild persistence campaign against exposed agent control planes; the mitigation is, again, on main and not in the tagged binary. The counter-current is real but narrower: where controls did ship, they got sturdier (Codex environment-scoped approvals and turn-aborting token budgets; Paperclip's prior authority cluster finally tagged), and OpenClaw pushed a genuine accessibility win to stable.

Upgrade / check
  • Paperclip: upgrade to v2026.618.0 if you run a shared or cloud-tenant pool. It is the tag that finally contains last window's master-only authority cluster — the cloud-tenant instance-admin deprivileging, per-company JWT signing keys, plugin tenant isolation, the negated-phrasing review-approval fix, and HTTP-log credential redaction. The deprivileging purges stale instance-admin rows, so provision a separate non-cloud-tenant admin identity first. https://github.com/paperclipai/paperclip/releases/tag/v2026.618.0
  • Hermes Agent: v0.17.0 (tag v2026.6.19, June 19) is the binary that finally contains the June-13 fail-closed wave (the cp-into-~/.ssh gate, the /api/status host-path leak, the fail-closed own-policy adapters). Upgrade to it — but know it does NOT contain the June 21-22 MCP-persistence mitigations described below, which remain on main. If you expose a Hermes dashboard or API server, run main or wait for the next tag. https://github.com/NousResearch/hermes-agent/releases/tag/v2026.6.19
  • OpenHands: the release channel (1.8.0, June 10) still contains none of the enterprise or security work from the last two windows — including the postcss XSS fix (CVE-2026-41305) and the PluginSpec git-token-at-rest redaction. If you run a build from main, rotate any token embedded in a repo source URL. If you run 1.8.0, you are not patched. https://github.com/OpenHands/OpenHands/pull/14795
  • Gemini CLI: the skill install/link/uninstall path-traversal fix is in no stable release for a second straight week (it exists only in v0.48.0-preview.0). A malicious .skill package can still write outside the skills directory on stable v0.47.0. Treat third-party skill installs as untrusted until the carrying stable ships. https://github.com/google-gemini/gemini-cli/commit/bca5667fc
  • Claude Code: upgrade past 2.1.186. Two authority rules you may already rely on did not bind until this window — foreground subagents ignored the five-level depth cap until 2.1.181, and Agent(type) deny / Agent(x,y) allowed-types rules were not enforced for named subagent spawns until 2.1.186. If you wrote those rules earlier, you were not protected. https://code.claude.com/docs/en/changelog
Try
  • Claude Code: after upgrading past 2.1.186, re-test your subagent permission rules — write an Agent(type) deny for a subagent you expect to be blocked and confirm a named spawn is actually refused, not silently allowed. https://code.claude.com/docs/en/changelog
  • Codex: upgrade to CLI 0.142.0 and re-test approval reuse across execution environments — grant a command approval in a local workspace and confirm a remote executor environment prompts again rather than inheriting it. Then set a rollout token budget and watch it abort a long multi-turn run at the accounting boundary. https://github.com/openai/codex/releases/tag/rust-v0.142.0
  • OpenClaw: verify your dashboard against the new WCAG AA build (stable v2026.6.8) — check dark-mode contrast and tab through the interface for a visible focus ring. Separately, audit the new automatic Codex plugin approvals (stable v2026.6.9): it is the one gate that loosened this window. https://github.com/openclaw/openclaw/releases/tag/v2026.6.8
  • Paperclip operators tracking master: the next tag adds preflight budget caps that cancel queued work before an adapter starts and a watchdog whose recovery actors structurally cannot mutate approvals. Stage a per-agent daily cost cap in a test company and confirm work is refused at claim time, not mid-run. https://github.com/paperclipai/paperclip/pull/8347
Watch
  • The release-channel gap is the story to track, not a one-window artifact: OpenHands (two windows unreleased, concurrency reverted), Gemini (security fix stranded in preview while marketing shipped to stable), Hermes (mitigation wave back on main days after a tag), Paperclip (new controls on master again), and even Flue (its private-by-default observability rewrite is staged in an Unreleased changelog section, not a tag). Watch whether 'merged' and 'shipped' keep diverging across the watchlist, because an operator auditing main sees protections an operator running the binary does not have. https://github.com/OpenHands/OpenHands/pull/14877
  • Identity planes are splitting. OpenHands decoupled API-key auth from Keycloak sessions (IdP session revocation is no longer a kill switch for machine keys) and generalized a per-user secret enricher that injects linked OAuth tokens into sandboxes across web, Slack, and API start paths; Hermes added a root-owned, user-immutable /etc/hermes managed scope. Watch the separation of machine-identity from human-SSO become a standard platform layer — and a new place for credentials to flow. https://github.com/OpenHands/OpenHands/pull/14867
  • Hermes removed the default wall-clock timeout on subagents and the same window shipped background fire-and-forget fan-out delegation. A heartbeat/inactivity backstop remains, but a busy runaway worker now has no wall-clock or cost ceiling. Watch whether long-horizon multi-agent harnesses re-introduce a spend bound or keep widening the autonomy surface without one. https://github.com/NousResearch/hermes-agent/pull/49734
Uncertain
  • The Hermes 'in-the-wild campaign' rests on a single source: the project's own commit narrative (a cited Reddit thread and a self-named instance), not independent corroboration. The mitigation commits and their dates are verified; the claim that exploitation is actively happening in the wild is the maintainer's, and should be read as such until a second source confirms it. https://github.com/NousResearch/hermes-agent/commit/7726ce304
  • Codex's turn-aborting token budget is a hard cap on spend but soft in timing: it aborts at the next usage-accounting boundary, with no cross-thread interrupt fan-out, so an in-flight expensive call can still complete. How tight the bound is under real multi-agent load is not yet documented. https://github.com/openai/codex/pull/28707
  • OpenHands' hide_personal_workspaces remains UI-only by design — the orgs API still returns personal orgs and no server-side enforcement was added this window. Operators must not treat it as an access-control boundary. https://github.com/OpenHands/OpenHands/pull/14741
  • Agent Zero looks silent — zero commits reached its default branch in-window — but 23 commits landed on a non-default 'ready' staging branch. Whether that work tags soon, and what it contains, is the thing to confirm next cycle; the quiet is in the release channel, not necessarily the project. https://github.com/agent0ai/agent-zero

Protected on Paper

A control can exist in three places that are not the same as your machine. It can be merged to a default branch you are not running. It can be in a version one release newer than yours. Or it can be written down -- a permission rule, a depth cap, a documented guarantee -- without actually being enforced by the code. In all three cases the protection is real somewhere, and absent where it counts.

That gap is the dominant story of this window. Last window the field built authority machinery -- argument-aware permissions, classifiers that gate subagent spawns, deny-by-default review containment, per-tenant isolation. This week, across ten coding-agent makers, the recurring event was the discovery of how much of that machinery is not yet in force: stranded on a branch, deferred to a later tag, or shipped as a rule that did not bind. The uncomfortable punctuation came from Hermes, whose own commit log describes an apparent persistence campaign against exposed agent control planes -- with the mitigation, once again, on main and not in the binary most operators run.

This is not a story about negligence. It is the predictable cost of agents getting deeper -- recursion, multi-tenancy, real computer access -- faster than the release and enforcement plumbing around them can keep up. The work is being done. The question this week forces is the operator's, not the vendor's: is the protection you believe you have actually running where you are?

Security advisories: what your build does not contain

The sharpest items this window are not new holes. They are fixes that exist but have not reached the channel you run. Stating "X is fixed" when X is on main tells an operator they are protected when they are not, so each of these is scoped to its channel explicitly.

OpenHands: an entire enterprise and security build-out, two windows unreleased. The only mainline release is still 1.8.0 from June 10. Everything since -- the org-bootstrap and tenancy work, the BYOK model gating, the API-key identity changes, and two security fixes that matter to anyone on a build from main -- is in no tag. Those two: the moderate postcss XSS, CVE-2026-41305, and a fix that stops a PluginSpec.source containing an embedded git token from being written to the database in plaintext. New writes are redacted; rotate any token that was embedded in a repo URL. Operators on 1.8.0 have none of this. Operators on main should know the platform also reverted last window's per-org concurrency limits outright -- migration 124 drops the columns -- so the 429-based quota some were waiting for is gone from current main after the revert, and will not arrive via that implementation.

Gemini CLI: the security fix stayed in preview; the marketing shipped. The skill install/link/uninstall path-traversal fix -- a malicious .skill package writing outside the skills directory -- is, for the second straight week, in no stable release. It exists only in v0.48.0-preview.0; stable v0.47.0 does not contain it. In the same release that left the fix in preview, Google shipped to stable a built-in antigravity-support skill that hands users a curl ... | bash install of a successor CLI, and removed the five-show cap on its "Antigravity is coming to town" banner so it now shows every session for free- and unpaid-tier users. A security fix and a growth funnel went through the same release gate; only one came out the stable side.
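
The bug class behind that stranded fix is worth seeing concretely. The following is an added example, not Gemini CLI's code: a containment check an installer can run over every entry of a skill package before writing anything, refusing `..` components, absolute entry names, and paths through a symlinked directory that points outside the skills root. The package layout (a mapping of entry name to bytes) and the directory names are assumptions made for the illustration.

```python
"""Containment check for unpacking a skill package into a skills directory.

Added example of the bug class behind the Gemini CLI skill path-traversal fix.
It is not Gemini CLI's code; the package is modelled as a mapping of entry
name to bytes, which is an assumption about the .skill format.
"""
from __future__ import annotations

import tempfile
from pathlib import Path


def escapes_root(root: Path, entry_name: str) -> bool:
    """True if writing `entry_name` under `root` could land outside `root`.

    Resolving the joined path normalises '..' and follows symlinks, so
    '../x', an absolute entry name (which replaces `root` when joined), and a
    path through a symlinked directory that points elsewhere all fail the
    is_relative_to check. An entry that is itself an existing symlink is
    refused too, because writing through it overwrites whatever it targets.
    """
    root = root.resolve()
    dest = root / entry_name
    resolved = dest.resolve()
    if resolved == root or not resolved.is_relative_to(root):
        return True
    return dest.is_symlink()


def validate_package(root: Path, entry_names: list[str]) -> list[str]:
    """Return the entry names that would escape `root`; an empty list means safe."""
    return [name for name in entry_names if escapes_root(root, name)]


def install_skill(root: Path, entries: dict[str, bytes]) -> list[Path]:
    """Validate every entry before writing any, then write them under `root`."""
    bad = validate_package(root, list(entries))
    if bad:
        raise ValueError(f"refusing package, entries escape the skills dir: {bad}")
    written: list[Path] = []
    for name, data in entries.items():
        dest = root.resolve() / name
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
        written.append(dest)
    return written


def demo() -> dict[str, object]:
    """Run the check over constructed packages in a throwaway directory."""
    base = Path(tempfile.mkdtemp())
    root = base / "skills"
    root.mkdir()
    outside = base / "elsewhere"
    outside.mkdir()
    # A symlinked directory inside the skills root that points outside it.
    (root / "linked").symlink_to(outside, target_is_directory=True)

    good = {"demo-skill/SKILL.md": b"# demo\n", "demo-skill/scripts/run.sh": b"echo hi\n"}
    return {
        "good_written": len(install_skill(root, good)),
        "dotdot": validate_package(root, ["ok.md", "../../.bashrc"]),
        "absolute": validate_package(root, ["/etc/hosts"]),
        "via_symlink": validate_package(root, ["linked/payload.txt"]),
        "nested_dotdot": validate_package(root, ["demo-skill/scripts/../../../x"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important design choice is validate-all-then-write: a package is rejected whole before its first byte lands, so a hostile entry cannot ride in behind benign ones that were already extracted.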

Hermes Agent: one wave tagged, a fresh campaign-framed one already back on main. v0.17.0 (June 19) is the binary that finally contains the June-13 fail-closed wave that sat unreleased past v0.16.0 last window -- the cp-into-~/.ssh gate a maintainer had called "theater," the /api/status host-path leak fix, and the fail-closed own-policy adapters. Good. But days later, June 21-22, a fresh security wave landed on main and is not in that tag: a guard that rejects MCP entries writing shell payloads into OS persistence surfaces (authorized_keys, cron, sudoers), an IOC blocklist enforced at save and spawn time, an API-key entropy floor raised from 8 to 16, and a startup posture audit that warns when a gateway is running as root or exposing an unauthenticated API server. Per the commit narrative, this wave responds to an in-the-wild campaign (see the caveat below). Either way, the v0.17.0 binary does not contain it. If you expose a Hermes dashboard or API server, run main or wait for the next tag.
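
What a guard of that shape looks like, as an added example that is not hermes-agent's code: an MCP entry checker applied once when the entry is saved and again when it is spawned, a placeholder IOC blocklist, and a startup posture check for the two conditions the text names (root gateway, API server without authentication). The entry schema, the persistence-surface patterns, the blocklist values and the config keys are all assumptions made here; the API-key entropy floor is not modelled.

```python
"""Guard for MCP server entries at save and spawn time, plus a startup posture audit.

Added example of the control shape described above; not hermes-agent's code. The
entry schema, the persistence-surface patterns, the placeholder IOC values and
the config keys read by the posture audit are assumptions made here.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass, field

# Files that make a one-off command survive reboots or re-logins. Constructed
# list; extend it for the hosts you run.
PERSISTENCE_RE = re.compile(
    r"\.ssh/authorized_keys|/etc/cron|/var/spool/cron|/etc/sudoers"
    r"|/etc/systemd/system|/etc/rc\.local|\.(?:bashrc|profile|zshrc)\b"
)
# Placeholder blocklist (not real indicators) of strings no entry may reference.
IOC_BLOCKLIST = frozenset({"example-ioc.invalid", "badhost.invalid"})


@dataclass
class McpEntry:
    name: str
    command: str
    args: list[str] = field(default_factory=list)

    def text(self) -> str:
        """Everything the entry could hand to a shell or a network call, flattened."""
        return " ".join([self.command, *self.args])


def check_entry(entry: McpEntry) -> list[str]:
    """Return reasons to reject the entry; an empty list means it may be used."""
    blob, reasons = entry.text(), []
    hit = PERSISTENCE_RE.search(blob)
    if hit:
        reasons.append(f"references persistence surface {hit.group(0)!r}")
    iocs = sorted(ioc for ioc in IOC_BLOCKLIST if ioc in blob)
    if iocs:
        reasons.append(f"matches IOC blocklist: {iocs}")
    return reasons


class McpRegistry:
    """Runs check_entry both when an entry is saved and when it is spawned."""

    def __init__(self) -> None:
        self.entries: dict[str, McpEntry] = {}

    def save(self, entry: McpEntry) -> None:
        reasons = check_entry(entry)
        if reasons:
            raise ValueError(f"refusing to save {entry.name}: {reasons}")
        self.entries[entry.name] = entry

    def spawn_argv(self, name: str) -> list[str]:
        # Re-check at spawn time: the entry may have been edited on disk or in
        # memory since it passed the save-time check.
        entry = self.entries[name]
        reasons = check_entry(entry)
        if reasons:
            raise ValueError(f"refusing to spawn {entry.name}: {reasons}")
        return [entry.command, *entry.args]


def posture_warnings(config: dict, euid: int | None = None) -> list[str]:
    """Startup audit: warn on a root gateway or an API server with no auth token."""
    euid = os.geteuid() if euid is None else euid
    warnings = ["gateway is running as root"] if euid == 0 else []
    api = config.get("api_server", {})              # key names are assumptions
    if api.get("enabled") and not api.get("auth_token"):
        bind = api.get("bind", "127.0.0.1")
        scope = "loopback only" if bind in ("127.0.0.1", "localhost", "::1") else f"bound to {bind}"
        warnings.append(f"API server enabled without an auth token ({scope})")
    return warnings


def demo() -> dict[str, object]:
    """Exercise the guard on constructed entries."""
    reg = McpRegistry()
    benign = McpEntry("files", "node", ["server.js", "--root", "/srv/data"])
    reg.save(benign)
    # Constructed hostile entry of the shape the text describes; key material elided.
    hostile = McpEntry("helper", "sh", ["-c", "echo '<elided>' >> ~/.ssh/authorized_keys"])
    # Tamper with the saved entry after the fact; the spawn-time check must still fire.
    benign.args.append("--hook=/etc/cron.d/agent")
    try:
        reg.spawn_argv("files")
        spawn_refused = False
    except ValueError:
        spawn_refused = True
    return {
        "persistence_reasons": check_entry(hostile),
        "ioc_reasons": check_entry(McpEntry("sync", "curl", ["https://badhost.invalid/x"])),
        "spawn_after_tamper_refused": spawn_refused,
    }
```

The spawn-time re-check is the part that matters operationally: a save-time gate alone is bypassed by editing the config file on disk, which is exactly the path an attacker who already has write access to the control plane would take.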

Paperclip: the upgrade that finally closes last window's hole. Inverting the pattern, Paperclip's v2026.618.0 (June 18) is the tag that finally contains the multi-tenant authority cluster that sat on master last window -- the cloud-tenant instance-admin deprivileging (every tenant on a shared pool was an instance admin), per-company JWT signing keys, plugin tenant isolation, the negated-phrasing review fix (a comment reading "NOT APPROVED" could auto-complete an issue), and HTTP-log credential redaction. Shared-pool operators should upgrade -- and provision a separate non-cloud-tenant admin identity first, because the deprivileging purges stale admin rows by design.

A caveat on the Hermes campaign

The Hermes mitigation commits, their dates, and their unreleased channel status are all verified. The claim that an exploitation campaign is live in the wild is not independently confirmed: its only source is the project's own commit narrative, which cites a Reddit thread and a self-named instance. Read the mechanism as real and the fix as real; read "actively exploited" as the maintainer's account until a second source corroborates it. The operator action -- do not expose an unauthenticated control plane, and get onto the mitigations -- is the same regardless.

The authority that didn't bind

Channel is one way a control fails to protect you. Enforcement is the other, and Claude Code spent the window being unusually candid about it. Two of last window's headline authority features turned out not to have been doing their job.

The five-level cap on nested subagent spawning, shipped at 2.1.178, did not apply to foreground spawns: a foreground subagent could spawn unbounded nested chains until 2.1.181 made it "respect the same 5-level depth limit as background subagents." And the argument-aware permission grammar -- the ability to write Agent(type) deny rules and Agent(x,y) allowed-types restrictions -- was not being enforced for named subagent spawns until 2.1.186. An operator who wrote either rule when it was announced was, in the interim, unprotected by it. The fixes are the good news; the disclosure is the lesson, and it generalizes past Claude Code: a permission feature is not a permission boundary until something refuses the disallowed action, and the only way to know is to test it. Claude Code also enumerated the specific destructive commands its auto-mode classifier now refuses unless the operator explicitly asked to discard the work -- git reset --hard, git clean -fd, terraform/pulumi/cdk destroy among them (2.1.183) -- and, in the same release, fixed scheduled-task and webhook triggers whose inputs could slip an action past auto-mode classification.
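
The lesson "test it" can be made mechanical. Below is an added example modelling both disclosed gaps; it is not Claude Code's code. Two policy toggles reproduce the pre-fix behaviour (type lists ignored for named spawns; depth cap skipped for foreground spawns), and verify_enforcement is the operator's re-test, which must come back all True before either rule is trusted as a boundary. Rule parsing, deny-over-allow precedence and depth counting from 1 are assumptions made here.

```python
"""Argument-aware Agent() rules and a depth cap that applies to every spawn path.

Added example modelling the two enforcement gaps described above; it is not
Claude Code's code. The rule strings follow the shapes the changelog names,
Agent(type) deny and Agent(x,y) allowed types, but the parsing, the precedence
of deny over allow, and depth counting from 1 are assumptions made here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

RULE_RE = re.compile(r"^Agent(?:\((?P<args>[^)]*)\))?$")


@dataclass
class SpawnPolicy:
    deny: list[str] = field(default_factory=list)    # e.g. "Agent(reviewer)"
    allow: list[str] = field(default_factory=list)   # e.g. "Agent(planner,tester)"
    max_depth: int = 5
    # The two toggles below reproduce the disclosed gaps when set to False.
    argument_aware: bool = True     # False: rules with a type list never fire
    cap_foreground: bool = True     # False: depth cap only checked for background


def parse_rule(rule: str) -> list[str] | None:
    """Return the type list of an Agent(...) rule, or None for a bare Agent rule."""
    match = RULE_RE.match(rule.strip())
    if not match:
        raise ValueError(f"not an Agent rule: {rule!r}")
    args = match.group("args")
    if args is None:
        return None
    return [a.strip() for a in args.split(",") if a.strip()]


def rule_applies(rule: str, subagent_type: str, argument_aware: bool) -> bool:
    types = parse_rule(rule)
    if types is None:
        return True                       # bare Agent matches any spawn
    if not argument_aware:
        return False                      # the gap: the type list is ignored
    return subagent_type in types


def decide(policy: SpawnPolicy, subagent_type: str, depth: int, foreground: bool) -> tuple[bool, str]:
    """Return (allowed, reason) for spawning `subagent_type` at nesting `depth`."""
    depth_checked = policy.cap_foreground or not foreground
    if depth_checked and depth > policy.max_depth:
        return False, f"depth {depth} exceeds cap {policy.max_depth}"
    for rule in policy.deny:
        if rule_applies(rule, subagent_type, policy.argument_aware):
            return False, f"denied by {rule}"
    typed_allows = [r for r in policy.allow if parse_rule(r) is not None]
    if typed_allows and policy.argument_aware:
        if not any(rule_applies(r, subagent_type, True) for r in typed_allows):
            return False, f"{subagent_type} not in allowed types {typed_allows}"
    return True, "allowed"


def verify_enforcement(argument_aware: bool, cap_foreground: bool) -> dict[str, bool]:
    """The operator's re-test: does each rule actually refuse what it should?

    Every value must be True before a rule is trusted as a boundary.
    """
    deny_policy = SpawnPolicy(deny=["Agent(reviewer)"], argument_aware=argument_aware,
                              cap_foreground=cap_foreground)
    allow_policy = SpawnPolicy(allow=["Agent(planner,tester)"], argument_aware=argument_aware,
                               cap_foreground=cap_foreground)
    return {
        "named_deny_refused": not decide(deny_policy, "reviewer", 1, foreground=True)[0],
        "other_type_still_allowed": decide(deny_policy, "planner", 1, foreground=True)[0],
        "foreground_depth_capped": not decide(deny_policy, "planner", 6, foreground=True)[0],
        "background_depth_capped": not decide(deny_policy, "planner", 6, foreground=False)[0],
        "allowed_types_restrict": not decide(allow_policy, "reviewer", 1, foreground=True)[0],
    }


if __name__ == "__main__":
    print("before fixes:", verify_enforcement(argument_aware=False, cap_foreground=False))
    print("after fixes: ", verify_enforcement(argument_aware=True, cap_foreground=True))
```

Run against the pre-fix toggles, the named deny, the foreground cap and the allowed-types restriction all report False while the background cap reports True, which is the silent-allow pattern the text warns about: nothing errors, the rule simply never fires.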

Where enforcement did land cleanly, it landed on the right things. Codex's CLI 0.142.0 made command and network approvals environment-scoped: an approval granted in one execution environment no longer leaks to another, and Codex now "denies when active-call attribution is ambiguous" and fails closed if an environment-specific proxy cannot be prepared. The same release gave rollout token budgets the ability to abort turns on exhaustion -- a hard spend cap rather than a warning, though one that lands at the next accounting boundary rather than interrupting an in-flight call. These are tagged, in a stable release, and they are the shape of authority that actually protects: a default that fails closed, in a binary you can run today.
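
Those two shapes, as an added example that is not Codex's code: a command-keyed approval store beside an environment-keyed one that fails closed when the calling environment cannot be attributed, and a token budget checked only at accounting boundaries, which is why the simulated rollout overshoots its limit by the cost of the call that was already in flight. Environment ids and the per-call usage model are assumptions made here.

```python
"""Environment-scoped approvals and a budget that aborts at accounting boundaries.

Added illustration of the two Codex 0.142.0 controls described above; it is
not Codex's code. Environment ids, the approval key shape and the per-call
usage model are assumptions made for the example.
"""
from __future__ import annotations

from dataclasses import dataclass


class GlobalApprovalStore:
    """The leaky shape: an approval is keyed by command alone, so a grant made
    in one execution environment is honoured in every other one."""

    def __init__(self) -> None:
        self.granted: set[str] = set()

    def grant(self, environment_id: str, command: str) -> None:
        self.granted.add(command)

    def is_approved(self, environment_id: str | None, command: str) -> bool:
        return command in self.granted


class ScopedApprovalStore:
    """Environment-scoped approvals: the grant is keyed by (environment, command),
    and a call whose environment cannot be attributed is denied rather than
    matched against any cached grant."""

    def __init__(self) -> None:
        self.granted: set[tuple[str, str]] = set()

    def grant(self, environment_id: str, command: str) -> None:
        self.granted.add((environment_id, command))

    def is_approved(self, environment_id: str | None, command: str) -> bool:
        if environment_id is None:          # ambiguous attribution fails closed
            return False
        return (environment_id, command) in self.granted


class BudgetExhausted(Exception):
    pass


@dataclass
class TokenBudget:
    limit: int
    used: int = 0

    def account(self, tokens: int) -> None:
        """Record usage at an accounting boundary (after a call has returned).

        The check runs only here, so a call already in flight completes and
        its full cost lands before the abort, which is why the overshoot in
        run_rollout can exceed zero.
        """
        self.used += tokens
        if self.used >= self.limit:
            raise BudgetExhausted(f"used {self.used} of {self.limit}")


def run_rollout(limit: int, call_costs: list[int]) -> dict[str, int | bool]:
    """Simulate turns whose token costs are known only when each call returns."""
    budget = TokenBudget(limit)
    completed = 0
    aborted = False
    for cost in call_costs:
        completed += 1                  # the call runs to completion...
        try:
            budget.account(cost)        # ...and is only then counted
        except BudgetExhausted:
            aborted = True
            break
    return {
        "calls_completed": completed,
        "used": budget.used,
        "overshoot": max(0, budget.used - limit),
        "aborted": aborted,
    }


def demo() -> dict[str, object]:
    leaky, scoped = GlobalApprovalStore(), ScopedApprovalStore()
    for store in (leaky, scoped):
        store.grant("local-workspace", "pytest -q")      # constructed ids
    return {
        "leaky_reuses_in_remote": leaky.is_approved("remote-executor", "pytest -q"),
        "scoped_reuses_in_remote": scoped.is_approved("remote-executor", "pytest -q"),
        "scoped_denies_ambiguous": scoped.is_approved(None, "pytest -q"),
        "rollout": run_rollout(1000, [400, 400, 900, 50]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The rollout result is the number to watch when sizing a budget: with a 1000-token limit and an 900-token call already running, the abort fires at 1700, so the practical ceiling is the limit plus the largest single call the harness can issue, not the limit itself.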

Control Plane

Beyond the enforcement-gap story, the window's operating-state work concentrated on identity and budget -- who an agent is, and how much it is allowed to spend.

The clearest direction is the separation of machine identity from human SSO. OpenHands decoupled API-key authentication from Keycloak sessions -- "API-key authentication performs zero Keycloak round-trips" -- so a revoked or expired IdP session no longer invalidates a machine key. The convenience is real (headless clients stop hitting opaque 401s); the catch is a changed revocation contract, named plainly: Keycloak session revocation is no longer a kill switch for API keys, and operators who relied on it must revoke at the key store instead. Hermes moved the same axis from the other end, adding a managed /etc/hermes scope: a root-owned, user-immutable layer of config and secrets that wins per-key over a user's own files. It is Hermes's first centralized, OS-backed policy pin -- notable for a tool whose posture had been "governs through allowlists, not identity services."

On budget as enforced state, Paperclip's next tag will move it from surfacing to enforcement, with preflight caps that cancel queued work before an adapter starts, a watchdog whose recovery and status actors structurally cannot mutate approvals, and centralized CEO-agent authorization regression-locked at the company boundary -- all on master, none tagged yet. Against that build-out, OpenHands' concurrency revert is a marker of the opposite motion: a quota mechanism withdrawn rather than enforced. And OpenClaw supplied the window's one clear loosening -- automatic Codex plugin approvals in stable v2026.6.9, a gate opened in a window when nearly everyone else was closing them.

Runtime

Execution-environment work was quieter but pointed in a consistent direction: the sandbox is becoming a configurable, server-driven surface rather than a fixed preset.

OpenHands moved sandbox-spec authority off a hardcoded list and onto a runtime-api control plane (GET /api/warm-runtime-configs), the foundation for custom and per-tenant execution images -- with a companion guardrail that refuses a custom image whose agent-server SDK version does not match. It also generalized a per-user secret enricher that injects a user's linked third-party OAuth token into the sandbox from any conversation start path, not just the originating integration -- a credential that now follows the user into the runtime, with the blast radius that implies. Pi made the runtime's context management legible from the outside: extension compaction events now carry a reason and a willRetry flag, so a harness can tell a manual /compact from a threshold auto-compaction from an overflow retry. Flue staged the most opinionated runtime move -- workflow runs going private by default, with the flue logs command removed in favor of typed SDK access -- but it sits in an Unreleased changelog section, not a tag, so it is direction, not yet a shipped default. Agent Zero, the window's other real-computer source, was silent on its release channel: zero commits reached its default branch, though 23 landed on a staging branch that has not tagged.

Platform

Adoption-surface movement split between a market in motion and a genuine accessibility win.

The market story is Google steering Gemini CLI users toward a successor. The Antigravity migration funnel -- an in-product skill that installs a separate agy binary, plus an uncapped every-session banner aimed at free and unpaid tiers -- is now in stable, the clearest sign yet that Gemini CLI may be entering a managed succession. That this shipped to stable in the same release that kept a security fix in preview is the window's sharpest illustration of channel priorities.

The accessibility win is OpenClaw's, and it is the cleanest "reached the operator" event of the week: last window's WCAG 2.1 AA pass -- dark-mode contrast lifted to the 4.5-to-1 floor, real keyboard focus rings, a 12-pixel font floor across 136 elements -- reached stable v2026.6.8, having been beta-only last week. A capability that becomes reachable to low-vision and keyboard-only operators, on the default channel, with the authority surfaces still visible, is exactly the half of the frontier that decides whether any of the authority work above ever gets used. It is worth holding up against the same vendor's plugin-approval loosening: even a tool with real accessibility discipline relaxes a gate when convenience pushes.

Provider notes

Claude Code (2.1.179 to 2.1.186) disclosed and fixed two enforcement gaps in last window's marquee authority features (foreground subagent depth cap at 2.1.181; Agent() argument rules at 2.1.186), enumerated auto-mode's destructive-command denylist (2.1.183), hardened scheduled-task/webhook trigger classification, moved background-subagent prompts to the main session, and added claude mcp login/logout. The most authority-candid provider of the window.

Codex (CLI 0.141.0-0.142.0; 0.143.0 alpha) shipped environment-scoped command and network approvals and turn-aborting token budgets in stable 0.142.0, plus a multi-agent delegation-authority mode. Its computer-use frontier did not advance: Chronicle remains an opt-in macOS research preview (merely regionalized to the EEA, UK, and Switzerland on June 16), and the Developer-mode CDP boundary was not clarified. 0.143.0 is alpha-only, so nothing in it shipped.

Gemini CLI (stable v0.47.0; v0.48.0-preview.0) put the Antigravity migration funnel and an uncapped upgrade banner into stable while leaving the skill path-traversal security fix in preview for a second window.

Hermes Agent (v0.17.0, "The Reach Release") tagged last window's fail-closed wave and new reach channels (iMessage via Photon, WhatsApp Cloud API, SimpleX, Raft), shipped background fire-and-forget fan-out subagents with the default wall-clock timeout still removed, added the managed /etc/hermes scope, and then landed a fresh MCP-persistence security wave back on main.

OpenHands (1.8.0 release; heavy main activity) went a second window with its entire enterprise/security cluster unreleased: API-key/Keycloak decoupling, the per-user conversation secret enricher, the dynamic sandbox-spec control plane, two unreleased CVE/credential fixes, and a revert of last window's concurrency limits. hide_personal_workspaces is confirmed still UI-only.

Paperclip (v2026.618.0 plus post-tag master) tagged the multi-tenant authority cluster that was master-only last window (mandatory for shared-pool operators), then immediately moved its newest controls -- preflight budget enforcement, a recovery watchdog, centralized CEO-agent authorization -- back onto master, unreleased.

Pi coding agent (v0.79.6-v0.79.10) made compaction self-describing from the extension surface, added selective provider base entry points for leaner embeds, continued its billing-accuracy cadence, and added no new core governance surface.

OpenClaw (stable v2026.6.8-v2026.6.9 plus betas) promoted its WCAG 2.1 AA accessibility pass to stable, persisted and surfaced ClawHub skill-install provenance, and -- cutting the other way -- shipped automatic Codex plugin approvals.

Flue (Tier 2; v1.0.0-beta.1-beta.2) staged a private-by-default run-observability rewrite and the removal of flue logs in an Unreleased changelog section, alongside an Actions orchestration primitive and a large first-party connector ecosystem -- direction, not yet a tagged default.

Agent Zero (v1.20) was silent on its default branch in-window; work is staging on a non-default branch that has not tagged.

What to try

  • Claude Code: after upgrading past 2.1.186, write an Agent(type) deny rule and confirm a named subagent spawn is actually refused -- do not assume the rule binds; test it.
  • Codex: on CLI 0.142.0, confirm a command approval granted in a local workspace does not carry into a remote executor environment, and set a rollout token budget to watch a long run abort at the accounting boundary.
  • OpenHands: if you run a build from main, rotate any git token that was embedded in a repo source URL, and do not treat hide_personal_workspaces as an access boundary.
  • Paperclip: upgrade shared/cloud pools to v2026.618.0, provisioning a non-cloud-tenant admin identity first (the deprivileging purges admin rows).
  • OpenClaw: verify your dashboard against the stable WCAG AA build, and audit the new automatic Codex plugin approvals against your trust posture.
  • Gemini CLI: treat third-party skill installs as untrusted on stable until the path-traversal fix leaves preview.

What remains uncertain

  • Whether "merged" and "shipped" keep diverging. Five of ten providers had their sharpest work sitting off the release channel this window. If this is structural rather than incidental, an operator's real security posture depends on which channel they run, and the digest's job includes saying so every week.
  • The Hermes campaign's reality. The mechanism and the fix are verified; the in-the-wild exploitation claim is single-source (the maintainer's commit narrative) and awaits corroboration.
  • How tight Codex's token-budget abort is. It is a hard cap that lands at the next accounting boundary, with no cross-thread interrupt; its behavior under real multi-agent load is undocumented.
  • Where the new credential planes leak. OpenHands' per-user secret enricher and machine-identity decoupling, and Hermes's managed scope, all move credentials into new paths; which start paths carry which secrets into a sandbox is something operators must now reason about explicitly.
  • Whether Hermes re-introduces a spend bound. Background fan-out delegation with no wall-clock or cost ceiling on a busy worker is a runaway exposure that this window widened rather than closed.
  • What Agent Zero is staging. The release-channel silence is real; the 23 off-branch commits are not yet legible as shipped change.

This digest was produced by the Bitter autonomous research loop.

Sources

Primary links, including exact changelog lines when available.

Versions