Gemini CLI

Operator Read

Gemini CLI is turning agent state into explicit, reviewable operating material: memory, trust, sessions, output contracts, and subagent boundaries are becoming things an operator can inspect, move, and police, while remote delegation and long-horizon intent remain unproven. The direction is consistent — make hidden context into named state — and the gap is where that state lives once it leaves the local process.

State Becomes Reviewable

Read what an agent wants to remember before it sticks. The Auto Memory inbox proposes durable updates as patches with a canonical contract surfaced through docs, settings schema, memory commands, inbox UI, local executor behavior, skill extraction, and evals. Private memory patches sit behind a tightened allowlist separating personal-scope memory from project-scope.

Move sessions between machines as data, not state. An operator can export a session to a file and import it via flag — session state is a serializable artifact, not ambient context. Session resume is now reliable for legacy session formats: legacy chat JSON appears in /resume and --list-sessions, and --resume <sessionId> failures surface an error instead of silently starting fresh. If you've archived sessions, the resume path now works on them; if you depended on silent-fresh-on-failure, your error path needs revisiting.

When you call Gemini CLI from CI or any non-interactive caller, parse the end-of-run signal. AgentExecutionStopped emits as structured JSON, giving callers a stable parse target instead of free-form output.

Authority Follows Headless And Delegated Runs

Non-interactive contexts no longer bypass workspace trust by being non-interactive. Workspace trust enforces in headless mode through a new trust-utility module and CI-workflow integration. If you've been relying on --non-interactive to silently skip the trust prompt, that path is closed — run the trust grant explicitly or fail loudly. Trust state is also visible in the MCP listing UX so the boundary is inspectable, not implicit.

Shell command execution carries safety evals on the path between the agent and the host, and shell validation now uses a core-tools allowlist in the policy engine — explicit allowed-tool mapping in addition to pattern-based evals.

Subagents Are A Boundary, And Now Have A Stable Remote Surface

Subagents are approval-mode aware — delegated work inherits the active approval posture rather than escaping it. As of v0.44.0 (stable, 2026-05-27), LocalSessionInvocation and RemoteSessionInvocation ship as the session-invocation protocols, replacing the prior preview-only state of the abstraction. The "tests but no observed remote target" gap from the 2026-05-11 finding closed at the protocol layer; where the remote target actually runs (Google-hosted, operator-hosted, both) remains undocumented. Agent registration also moves to first-wins prioritize-project — when the same agent name is defined at multiple scopes, project wins.

Treat delegated workflows as testable against v0.44.0 stable; do not yet depend on the remote path for production until Google documents where remote invocations run.

Default-On Autonomy

v0.44.0 collapses the prior fan of Auto variants into a single Auto mode and adds shell-redirect auto-approval in AUTO_EDIT. PolicyEngine integrates into ACP sessions (framed as a deadlock fix; the structural effect is that enforcement reaches the protocol-session layer). Operators on previous Auto variants must re-audit what the consolidated Auto mode treats as safe — the release notes do not enumerate which prior-mode constraint survived the merger. AUTO_EDIT users should explicitly decide whether shell-redirect auto-approval is acceptable for their environment; redirects are a write surface if the agent is steered toward sensitive paths.

Posture basis: 2026-05-07-gemini-reviewable-memory-and-trust, 2026-05-11-gemini-subagent-protocol-and-session-portability, 2026-05-12-gemini-session-resume-reliability, 2026-05-27-gemini-session-invocation-protocols-stable, 2026-05-27-gemini-auto-modes-merged-and-policy-engine-in-acp.

Open Questions

• Where do remote session invocations actually run? RemoteSessionInvocation is stable in v0.44.0 as a protocol but the runtime target — Google-hosted, operator-hosted, or both — is undocumented. Until Google names a destination, production callers cannot adopt the remote path with confidence.
• What is the PolicyEngine-in-ACP default posture? Per-session enforcement by default, or only when an operator has configured a policy? The "deadlock fix" framing in the release notes understates the structural shift.
• AUTO_EDIT shell-redirect auto-approval: is the new approval gated by workspace trust, by the existing shell-tools allowlist, or a separate decision?
• Does Gemini CLI offer a first-class long-horizon primitive (goal, mission, outcome) beyond in-session todos and memory? Memory captures facts, not intent. No accepted finding establishes such a primitive as of 2026-05-27. The 2026-05-13 → 2026-05-27 cycle did not produce a finding that resolves this either way; status remains open_question. Tracked in the claims: block as long-horizon-goal-primitive.
• What state crosses the wire on session export? The export commit introduces the file but does not document whether accepted memory patches, approval-mode state, or active MCP connections are included.

For research-lens-level open questions (preview/nightly harvest treatment, security advisory handling), see sources/gemini-cli.yml#discovery.

What To Watch Next

• The actual remote runtime target of RemoteSessionInvocation once one ships or is named.
• How PolicyEngine-in-ACP interacts with operators using Gemini CLI as an ACP server (e.g., behind OpenHands' ACP UI). Whether the PolicyEngine still applies when Gemini is being fronted is the composition question.
• Whether the AUTO_EDIT shell-redirect auto-approval expands to other shell verbs or remains bounded to redirects.
• Further structured non-interactive output beyond AgentExecutionStopped, especially for sub-agent lifecycle and approval prompts.
• Whether the memory-inbox pattern extends to other state classes (skills, goals, session recaps).
• Documentation or schema for the session-export file format.
• Stable-channel arrival of changes currently visible only in preview or nightly.
• Policy-engine work that changes how operators express trust beyond workspace-level grants.