Research Version

Who's Allowed to Say Yes

2026-06-16-weekly-digest-2026-06-04_2026-06-16-frontier-v0

Status: complete
Window: 2026-06-04 to 2026-06-16
Signals: 33

Mode: weekly_digest · Model: claude-opus-4-8

Third full ten-provider weekly under the Amendment 004 schema. The defining hazard this window was release-channel accuracy, not date accuracy: a large share of the sharpest security work (Hermes's fail-closed wave, Paperclip's multi-tenant authority cluster, OpenHands's enterprise cluster, Gemini's skill path-traversal fix) is merged to a default branch but NOT in a tagged release. The verify stage resolved channel by git ancestry and the digest flags every unreleased fix explicitly. Cross-provider thesis: authority catching up to capability as agents gained depth. Findings recorded as consolidated harvest/<source>.md evidence files rather than one file per finding (with index stubs for the signal-referenced subset); rationale and the still-open sources/flue.yml receipt-surface follow-up are in audit.md. Provider-profile refresh deferred this cycle (profile doctrine is experimental/exemplar-only, consistent with the prior weekly run).

Accepted signals from this run

  1. Claude Code: Subagents can spawn subagents five deep, and auto mode now classifies spawns before launch
  2. Claude Code: Permission rules can finally match a tool's arguments (Agent(model:opus))
  3. Claude Code: Relayed SendMessage from peer sessions no longer carries user authority
  4. Claude Code: Org model allowlists are finally binding, even against the default model
  5. Paperclip: Deny-by-default authority preset for agents reviewing untrusted content
  6. Paperclip: Shared-pool tenants were instance admins of the whole instance (fixed, unreleased)
  7. Paperclip: Per-company JWT signing keys and a 1-hour TTL replace a single master key (unreleased)
  8. Paperclip: A 'NOT APPROVED' comment could auto-complete an issue (fixed, unreleased)
  9. OpenHands: OpenHands Enterprise: the first user to log in owns the organization (unreleased)
  10. OpenHands: Admins can lock an org to a curated model set and hide custom-key fields (unreleased)
  11. OpenHands: Concurrency becomes a governed, billable resource (Personal 3, commercial 10; unreleased)
  12. OpenHands: hide_personal_workspaces is explicitly UI-only, not an access boundary
  13. Pi Coding Agent: Pi gates local settings, instructions, and packages behind a saved trust decision
  14. OpenClaw: Exec approvals fail closed on timeout, and HTTP override surfaces are admin-gated
  15. Codex: Remote controllers are now listable and revocable, and approvals carry environment identity
  16. Codex: Computer use expands to Europe and Enterprise, with the first per-app controls and a CDP browser surface
  17. Hermes Agent: Hermes closes its own guardrail theater: cp into ~/.ssh, a status leak, fail-open adapters (unreleased)
  18. Hermes Agent: Skills were poisoning every memory store and a skill delete could wipe the working tree (unreleased)
  19. Hermes Agent: Fire-and-forget background subagents that re-inject results as a new turn (unreleased)
  20. Gemini CLI: Three path-traversal holes in agent skill install/link/uninstall (fixed on main only)
  21. Agent Zero: The public Tailscale tunnel now trusts only the active Remote Control origin
  22. Claude Code: Untrusted-repo OTEL cert injection and pre-warmed-worker trust bleed closed
  23. OpenHands: Plaintext git tokens in the DB, a plaintext MCP key, and two frontend CVEs
  24. Codex: Codex CLI adds usage views, permanent session deletion, and managed encrypted Bedrock auth
  25. Flue: Flue reaches a 1.0-line beta and makes durable, recoverable agent execution the default
  26. Gemini CLI: Google steers Gemini CLI users toward a separate Antigravity CLI
  27. Codex: Codex ships one-click import of Claude Code and Cowork setup
  28. Paperclip: Paperclip drops 'zero-human companies' for 'manage AI agents for work'
  29. Claude Code: Anthropic's Fable 5 launches and is adopted across rival harnesses within days
  30. Gemini CLI: Gemini routes flash workloads to gemini-3.5-flash on stable, behind an experiment flag
  31. OpenClaw: A WCAG 2.1 AA pass (beta) and a deliberate consent-over-convenience choice on search
  32. Codex: Goal mode, worktrees, and inline review come to the iPhone
  33. Hermes Agent: Hermes adds a desktop app, a browser admin panel, and remote-gateway connect

Artifact contents

Every file the loop produced for this run, anchored in the repo. Internal links go to the rendered page; the repo path opens the raw artifact on GitHub.

Run digest

Before June 13, Hermes Agent would stop an agent from writing to your SSH keys the obvious way and wave it through the side door. A safety rule blocked the agent from redirecting output into ~/.ssh/authorized_keys. It said nothing about copying a file there. So cp evil ~/.ssh/authorized_keys, an SSH-key implant and a foothold on the operator's machine, sailed past a guardrail that on paper existed. When a maintainer closed the gap, the commit message put it plainly: an unpaired write deny is "theater."
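The unpaired deny in concrete form, as an added example that is not Hermes Agent's code: a policy that only inspects shell redirections, beside a paired policy that also resolves the destination of file-writing commands (cp, mv, tee, dd and friends). The home directory, the protected-path list and the command tables are assumptions for illustration, not Hermes's real rule set.

```python
"""Added example (not Hermes Agent's code): a redirect-only write deny beside
a paired deny that also resolves the destination of file-writing commands.
HOME, PROTECTED and the command tables are assumptions for illustration."""
import os
import re
import shlex
from pathlib import Path

HOME = Path("/home/operator")                      # constructed, not the real home
PROTECTED = [HOME / ".ssh", HOME / ".bashrc", HOME / ".profile"]

DEST_LAST = {"cp", "mv", "install", "rsync", "scp", "ln"}  # last positional arg is written
DEST_ALL = {"tee", "touch", "truncate"}                   # every positional arg is written


def _expand(arg: str) -> Path:
    """Expand ~ against the constructed HOME and normalise '..' and trailing slashes."""
    if arg == "~" or arg.startswith("~/"):
        arg = str(HOME) + arg[1:]
    return Path(os.path.normpath(arg))


def _is_protected(path: Path) -> bool:
    return any(path == p or p in path.parents for p in PROTECTED)


def naive_allows(cmd: str) -> bool:
    """The 'theater' policy: only shell output redirection into a protected path is denied."""
    for m in re.finditer(r">>?\s*(\S+)", cmd):
        if _is_protected(_expand(m.group(1))):
            return False
    return True


def write_targets(cmd: str) -> list:
    """Every path a command line writes to: redirections plus command destinations."""
    targets = []
    # Split on pipes and separators so each simple command is examined on its own.
    for simple in re.split(r"\s*(?:\|\||&&|;|\|)\s*", cmd):
        toks = shlex.split(simple)
        words, i = [], 0
        while i < len(toks):
            t = toks[i]
            if t in (">", ">>"):                 # '> file' / '>> file'
                i += 1
                if i < len(toks):
                    targets.append(_expand(toks[i]))
            elif t.startswith(">"):              # '>file'
                targets.append(_expand(t.lstrip(">")))
            elif t == "<":                       # input redirection: skip the source
                i += 1
            else:
                words.append(t)
            i += 1
        if not words:
            continue
        name = os.path.basename(words[0])
        args = [w for w in words[1:] if not w.startswith("-")]
        if name in DEST_LAST and args:
            targets.append(_expand(args[-1]))
        elif name in DEST_ALL:
            targets.extend(_expand(a) for a in args)
        elif name == "dd":
            targets.extend(_expand(a[3:]) for a in args if a.startswith("of="))
    return targets


def paired_allows(cmd: str) -> bool:
    """Deny any command that writes into a protected path by any route."""
    return not any(_is_protected(t) for t in write_targets(cmd))
```

The point of the paired version is that the deny is keyed on the write destination, not on one spelling of the write; a command table like the one above is never complete, which is why a sandbox-level control (a read-only mount or a filesystem deny on ~/.ssh) is the stronger backstop.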

That word could stand over the whole fortnight. Across ten coding-agent makers, the most consequential pattern of the last two weeks was not another capability. It was authority catching up to one: who is allowed to do what, and whether the rule a provider had written was the rule its runtime enforced. Nine of the ten shipped work in that register. Several of the sharpest fixes are not yet in a tagged release, which turns out to be its own story.

What is driving it is depth. Agents stopped being a single assistant taking a single turn. Claude Code agents began spawning their own subagents five levels deep. OpenHands turned into a multi-tenant platform where the first person to log in owns the organization. Paperclip started routing untrusted pull requests and comments to agents that can be prompt-injected, and Codex extended real desktop control to Europe. Each of those is a new way for an agent to exceed what its operator meant to allow, and the per-action permission prompt the whole field was built on does not scale to a five-deep delegation tree or a shared tenant pool. So the providers spent the window building something sturdier, and auditing what they already had.

Security advisories: know what your build contains

The window's security work splits into what to patch now and, more awkwardly, what is not yet in a binary you can run. Several of the sharpest fixes sit on a default branch, not in a tagged release. The difference is the difference between being protected and believing you are.

OpenHands: two frontend CVEs and a plaintext-credentials-at-rest fix, on two different channels. OpenHands closed CVE-2026-42342 in react-router, which shipped in release 1.8.0 (uncredited, under "Many UI bug fixes"). The moderate XSS CVE-2026-41305 in postcss is on main and unreleased. So is the sharper item, which carries no CVE: a PluginSpec.source containing an embedded git token (https://oauth2:token@...) was being persisted to the database in plaintext because the conversation object was serialized whole. New writes are redacted; rotate any token that was embedded in a repo URL before the fix lands in your build.
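The embedded-token case as an added example, not OpenHands code: strip userinfo from a repository URL before it is persisted, and scan rows that were stored before such a fix so the tokens they still carry can be rotated. The row shape and the sample values are constructed for illustration.

```python
"""Added example (not OpenHands code): redact credentials embedded in a repo
URL before persisting it, and find already-stored rows that still leak one.
STORED_ROWS is a constructed sample."""
from urllib.parse import urlsplit, urlunsplit


def redact_url_credentials(url: str) -> str:
    """Drop the password from the URL's userinfo, keeping the user name and host."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if ":" in host:                          # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    user = parts.username or ""
    netloc = f"{user}:***@{host}" if parts.password is not None else f"{user}@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def has_embedded_credential(url: str) -> bool:
    """True when the URL carries a password component (e.g. https://oauth2:TOKEN@host/...)."""
    return urlsplit(url).password is not None


STORED_ROWS = [  # constructed sample of persisted plugin specs
    {"id": 1, "source": "https://oauth2:glpat-examplesecret@gitlab.example.com/team/plugin.git"},
    {"id": 2, "source": "https://github.com/example/clean-plugin.git"},
    {"id": 3, "source": "git+ssh://git@github.com/example/other.git"},
]


def find_leaked_rows(rows) -> list:
    """Ids whose stored source still contains a secret; those tokens need rotating."""
    return [r["id"] for r in rows if has_embedded_credential(r["source"])]
```

Redaction on write protects new rows only; the scan is what tells you which tokens were already written in plaintext and must be rotated regardless of when the fix reaches your build.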

Gemini CLI: three path-traversal holes in skill installation, fix on main only. A malicious or corrupted skill package could write outside the .gemini/skills directory or, through a metadata-driven uninstall fallback, delete sibling directories. The fix replaces fragile prefix checks with proper traversal validation. It is the clearest confirmation this window that agent skill packages are an untrusted-input boundary, and as of June 16 it is in no tagged release, stable or preview. Treat third-party skill installs as untrusted until the carrying version ships.

Hermes Agent: a fail-closed wave the release binary does not have. Hermes v0.16.0 (June 6) is a major release, but the security wave that fixes its own guardrail gaps landed on main a week later. Besides the cp-into-.ssh fix above, June 13 commits stop an unauthenticated /api/status endpoint from leaking host paths and the gateway PID on network-exposed binds, and make own-policy chat adapters (WhatsApp, WeCom and others) fail closed when enabled without an allowlist instead of trusting the entire external network, which the project's own security policy already forbade. The v0.16.0 release does not protect you. Run main or wait for the next tag.

Paperclip: a multi-tenant privilege escalation, fixed but unreleased. In Paperclip's cloud_tenant auth mode, every tenant on a shared pool was silently granted instance-admin. Any paying customer was an administrator of the whole instance, with reach into every other tenant's data. The fix removes the grant and purges stale admin rows at the auth boundary; a companion change gives each company its own derived JWT signing key and cuts the token lifetime from 48 hours to one. Both are merged to Paperclip's master branch, not a tagged release. Shared-pool operators should provision a separate non-cloud-tenant admin identity before upgrading, because the purge is destructive by design.
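The per-company signing key and one-hour TTL, as an added example that is not Paperclip's code: each company's HS256 key is derived from one instance secret with HKDF-SHA256, tokens expire after an hour, and verification uses the key of the company the request is for, chosen by server-side tenant context rather than by anything inside the token. The derivation label, the claim names and the instance secret are assumptions for illustration.

```python
"""Added example (not Paperclip's code): per-company HS256 JWT keys derived
from one instance secret with HKDF-SHA256, a one-hour TTL, and verification
under the key of the company the request is for. The derivation label, claim
names and the instance secret are assumptions for illustration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

INSTANCE_SECRET = b"constructed-instance-secret-do-not-use"   # example value only
TTL_SECONDS = 3600                                            # one-hour tokens
HKDF_SALT = b"example-jwt-kdf-v1"                              # assumed fixed label


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def company_key(company_id: str) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract from the instance secret, expand with the
    company id as info. One output block (32 bytes) is enough for HS256."""
    prk = hmac.new(HKDF_SALT, INSTANCE_SECRET, hashlib.sha256).digest()
    info = b"company-jwt:" + company_id.encode()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def _json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def mint(company_id: str, subject: str, now: Optional[int] = None) -> str:
    """Issue an HS256 token signed with the company's derived key."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": f"company:{company_id}"}
    claims = {"sub": subject, "company": company_id, "iat": now, "exp": now + TTL_SECONDS}
    signing_input = f"{_json(header)}.{_json(claims)}"
    sig = hmac.new(company_key(company_id), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify(token: str, expected_company: str, now: Optional[int] = None) -> dict:
    """Verify under the key of the company the request is FOR. The key is chosen by
    the server-side tenant context, never by the token's own header or claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(company_key(expected_company), f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature does not verify under this company's key")
    claims = json.loads(_b64url_decode(c))
    if claims.get("company") != expected_company:
        raise ValueError("company claim mismatch")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def accepted(token: str, company_id: str, now: Optional[int] = None) -> bool:
    try:
        verify(token, company_id, now)
        return True
    except (ValueError, KeyError):
        return False
```

With a single master key, a token minted for one tenant verifies everywhere and only a claim check stands between tenants; with derived keys the signature itself fails across the boundary, and the short TTL bounds how long a leaked token stays useful.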

Claude Code: trust-boundary fixes. Upgrading to 2.1.172 or later closes two of them: untrusted project settings could set OTEL client-certificate paths without a trust prompt (2.1.169), and pre-warmed background workers could read another directory's .mcp.json approvals and trust state (2.1.172). A separate line of work, in 2.1.175 and 2.1.176, made org model allowlists actually binding, which matters more this week than usual and is covered below.

The authority build-out

Strip the window down and the same enforcement gap appears at provider after provider: a control that used to be a prompt, a default, or an honor-system check is being turned into enforced, inspectable state. It shows up along four fault lines, all of them consequences of agents getting deeper.

Recursion. Claude Code agents can now spawn subagents that spawn subagents, five levels deep. That is real new capability, and it immediately became a governance problem: a great-grandchild agent could request an action the operator's policy would have blocked at the top. So the same release line taught the auto-mode classifier to evaluate a spawn before it launches, added a Tool(param:value) permission grammar so a rule can finally match a tool's arguments (Agent(model:opus) blocks Opus subagents), and fixed server-level MCP denials being silently ignored inside a subagent's tool restrictions. It also stopped a relayed SendMessage from a peer session carrying user authority, the multi-session version of the same confused-deputy risk. Hermes pushed from the other side, shipping fire-and-forget background subagents whose results re-enter the conversation as a new turn, though it also removed the default ten-minute worker timeout, leaving runaway detection to heartbeats.
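The spawn gate and argument-matching rule in concrete form, as an added example that is not Claude Code's code: a proposed subagent is classified before launch against deny rules written in a Tool(param:value) form approximating the one the page describes, nesting is capped, deny rules are inherited all the way down, and a child's tool set is the intersection of what it asked for and what its parent holds, so nothing blocked at the top can be re-acquired three levels down. The depth cap, tool names and the relayed-message handling are assumptions for illustration.

```python
"""Added example (not Claude Code's code): a spawn gate that evaluates a proposed
subagent against Tool(param:value)-style deny rules before launch, caps nesting
depth, and attenuates authority so a child never holds a tool its parent lacks.
The rule grammar approximates the form the page describes; the depth cap, tool
names and the relayed-message handling are assumptions for illustration."""
import re
from dataclasses import dataclass, field
from typing import Optional

MAX_DEPTH = 5                                  # assumed: "five levels deep"
RULE_RE = re.compile(r"^(?P<tool>\w+)(?:\((?P<param>\w+):(?P<value>[^)]*)\))?$")


@dataclass(frozen=True)
class Rule:
    """'Agent' denies every spawn; 'Agent(model:opus)' denies only spawns with model=opus."""
    tool: str
    param: Optional[str] = None
    value: Optional[str] = None

    @classmethod
    def parse(cls, text: str) -> "Rule":
        m = RULE_RE.match(text.strip())
        if not m:
            raise ValueError(f"bad rule: {text!r}")
        return cls(m["tool"], m["param"], m["value"])

    def matches(self, tool: str, args: dict) -> bool:
        if tool != self.tool:
            return False
        return self.param is None or str(args.get(self.param)) == self.value


@dataclass
class Agent:
    name: str
    depth: int
    allowed_tools: frozenset
    deny_rules: tuple = ()
    children: list = field(default_factory=list)


def evaluate_spawn(parent: Agent, requested_tools: set, spawn_args: dict):
    """Classify a spawn before launch. Returns ('deny', reason) or ('allow', granted_tools)."""
    if parent.depth + 1 > MAX_DEPTH:
        return "deny", f"depth {parent.depth + 1} exceeds cap {MAX_DEPTH}"
    for rule in parent.deny_rules:
        if rule.matches("Agent", spawn_args):
            return "deny", f"matched deny rule {rule}"
    # Attenuation: the child gets the intersection of what it asked for and what the
    # parent holds, so a great-grandchild cannot exceed the operator's top-level policy.
    return "allow", frozenset(requested_tools) & parent.allowed_tools


def spawn(parent: Agent, name: str, requested_tools: set, spawn_args: dict) -> Optional[Agent]:
    decision, detail = evaluate_spawn(parent, requested_tools, spawn_args)
    if decision == "deny":
        return None
    child = Agent(name, parent.depth + 1, detail, parent.deny_rules)   # rules inherited, never dropped
    parent.children.append(child)
    return child


def relayed_message_principal(sender: Agent, claimed_principal: str) -> str:
    """A message relayed from a peer session is attributed to that peer, whatever it claims."""
    return f"agent:{sender.name}"


def demo() -> dict:
    rules = (Rule.parse("Agent(model:opus)"),)
    root = Agent("root", 0, frozenset({"Read", "Edit", "Bash", "Agent"}), rules)
    a1 = spawn(root, "a1", {"Read", "Edit", "Agent"}, {"model": "sonnet"})
    a2 = spawn(a1, "a2", {"Read", "Bash", "Agent"}, {"model": "sonnet"})  # Bash not inherited
    opus = spawn(a2, "a3-opus", {"Read"}, {"model": "opus"})               # blocked by the rule
    chain = a2
    while True:                                                              # walk down to the cap
        nxt = spawn(chain, f"d{chain.depth + 1}", {"Read", "Agent"}, {"model": "sonnet"})
        if nxt is None:
            break
        chain = nxt
    return {
        "a2_tools": sorted(a2.allowed_tools),
        "opus_denied": opus is None,
        "deepest_depth": chain.depth,
        "relay_principal": relayed_message_principal(a2, "user"),
    }
```

The two properties worth checking in any real harness are the ones demo() exercises: that a deny rule written at the top still fires for a spawn requested several levels down, and that a child cannot name a tool its parent was never granted.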

Tenancy. OpenHands spent the window becoming a tenant-provisioning system. A new default-organization bootstrap makes the first user to sign in the owner, keyed to a database flag; on top of it sit per-org and per-user concurrency limits enforced with HTTP 429, and a BYOK gate that lets an admin lock the whole org to a curated, proxy-served model set and hide the custom-key fields. OpenHands was also unusually candid about a limit: its new hide-personal-workspaces flag is UI-only and, the docs say explicitly, "not an access-control boundary." Paperclip's tenant work was the privilege-escalation fix above, plus plugin-table tenant isolation and a fix for HTTP error logs that had been writing plaintext passwords and bearer tokens to disk.

Untrusted input. As agents start reading code and messages they did not author, providers are drawing a trust boundary around the input itself. Paperclip shipped the clearest version: a deny-by-default "low-trust review" authority preset that gives an agent reviewing a hostile pull request narrower authority than a normal agent and quarantines its output so it cannot flow into higher-trust context. Pi added a project-trust system that refuses to load a repo's local settings, instructions, and packages until the operator approves them. Hermes closed two ways a skill could turn on its owner: skills were poisoning every connected memory store with their raw body, and an agent-triggered skill delete could escape its directory and wipe the working tree, a fix ported from an incident that did exactly that to another tool's user. And Gemini CLI's skill path-traversal fix, in the advisories above, is the same lesson learned at the install step.
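The install-step and delete-step lessons together, as an added example that is not Gemini CLI's or Hermes Agent's code: it serves both the Gemini skill path-traversal advisory above (fragile prefix checks on install, a metadata-driven uninstall fallback that could delete siblings) and the Hermes skill delete that escaped its directory. The skills-root layout, the scratch directory and the names are assumptions for illustration.

```python
"""Added example (not Gemini CLI's or Hermes Agent's code): a string-prefix
containment check beside a resolved-path check, for the install and uninstall
steps of an agent skill package. Layout and names are assumptions."""
import shutil
import tempfile
from pathlib import Path


def prefix_check_allows(root: Path, target: Path) -> bool:
    """The fragile check: defeated by sibling names ('skills-evil') and symlinks."""
    return str(target).startswith(str(root))


def contained(root: Path, target: Path) -> bool:
    """Resolve symlinks and '..' on both sides, then require real containment."""
    root_r, target_r = root.resolve(), target.resolve()
    return target_r == root_r or root_r in target_r.parents


def safe_install_path(skills_root: Path, entry_name: str) -> Path:
    """Map an archive entry name to a destination, refusing anything that escapes the root."""
    root_r = skills_root.resolve()
    dest_r = (skills_root / entry_name).resolve()
    if root_r not in dest_r.parents:                 # also refuses the root itself and absolute names
        raise ValueError(f"refusing to write outside skills root: {entry_name!r}")
    return dest_r


def safe_uninstall(skills_root: Path, skill_name: str) -> Path:
    """Remove only a direct, real child directory of the skills root."""
    if skill_name in ("", ".", "..") or "/" in skill_name or "\\" in skill_name:
        raise ValueError(f"bad skill name {skill_name!r}")
    target = skills_root / skill_name
    if target.is_symlink():                          # never follow a link out of the root
        raise ValueError(f"{skill_name!r} is a symlink; not following it")
    root_r, target_r = skills_root.resolve(), target.resolve()
    if target_r.parent != root_r or not target_r.is_dir():
        raise ValueError(f"{skill_name!r} is not a direct child of the skills root")
    shutil.rmtree(target_r)
    return target_r


def _attempt(fn, *args) -> str:
    try:
        fn(*args)
        return "allowed"
    except ValueError:
        return "refused"


def demo() -> dict:
    """Exercise both checks in a constructed scratch tree; returns the outcomes."""
    base = Path(tempfile.mkdtemp())
    root = base / ".gemini" / "skills"
    (root / "good").mkdir(parents=True)
    (base / ".gemini" / "skills-evil").mkdir()       # sibling sharing the string prefix
    (base / "secrets").mkdir()
    (root / "link").symlink_to(base / "secrets")      # link inside the root pointing out
    sibling = base / ".gemini" / "skills-evil" / "x"
    out = {
        "sibling_prefix": prefix_check_allows(root, sibling),
        "sibling_contained": contained(root, sibling),
        "symlink_prefix": prefix_check_allows(root, root / "link" / "x"),
        "symlink_contained": contained(root, root / "link" / "x"),
        "dotdot_contained": contained(root, root / "pkg" / ".." / ".." / "secrets" / "x"),
        "install_escape": _attempt(safe_install_path, root, "../../secrets/x"),
        "uninstall_parent": _attempt(safe_uninstall, root, ".."),
        "uninstall_symlink": _attempt(safe_uninstall, root, "link"),
        "uninstall_good": _attempt(safe_uninstall, root, "good"),
    }
    out["good_removed"] = not (root / "good").exists()
    out["secrets_intact"] = (base / "secrets").exists()
    shutil.rmtree(base)
    return out
```

The uninstall rule is deliberately narrower than "inside the root": it requires the target to be a direct child, which is what stops a metadata-driven fallback from resolving to the root's parent or to a sibling skill.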

The theater thread. The most telling commits were the ones where a provider caught its own guardrail not holding. Hermes's "theater" line is the motto, and it had company. OpenClaw shipped a security boundary sweep across a dozen surfaces whose load-bearing item is that exec approvals now "fail closed on timeout," so a pending dangerous command that times out denies rather than proceeds. Paperclip found that its review-approval gate matched negated phrasings, so a comment reading "NOT APPROVED" could auto-complete an issue, and that the comment and the status change were not even atomic. Agent Zero tightened the trust set on its public Tailscale tunnel to only the active origin. Codex made remote controllers listable and revocable and bound permission approvals to an environment identity. None is a headline feature. Together they are the field auditing the gap between the authority it advertised and the authority it enforced.
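The Paperclip approval gate in concrete form, as an added example that is not Paperclip's code: a gate that matched a verdict word anywhere in a comment, beside one that requires an unnegated verdict and records the comment and the status change in a single transaction so neither can land without the other. The phrase lists and the table layout are assumptions for illustration.

```python
"""Added example (not Paperclip's code): an approval gate that matched a verdict
word anywhere in a comment, beside one that requires an unnegated verdict and
commits the comment and the status change atomically.
Phrase lists and the table layout are assumptions for illustration."""
import re
import sqlite3

APPROVE_WORDS = {"approved", "approve", "lgtm"}
NEGATORS = {"not", "never", "no", "isn't", "isnt", "cannot", "can't", "don't", "dont", "unless", "until"}


def naive_is_approval(comment: str) -> bool:
    """The bug: a substring match, so 'NOT APPROVED' passes."""
    text = comment.lower()
    return "approved" in text or "lgtm" in text


def strict_is_approval(comment: str) -> bool:
    """Approval only if some sentence carries a verdict word with no negator in the
    three tokens before it, and no sentence carries a negated verdict at all."""
    positive = False
    for sentence in re.split(r"[.!?\n]+", comment):
        tokens = re.findall(r"[a-z']+", sentence.lower())
        for i, tok in enumerate(tokens):
            if tok not in APPROVE_WORDS:
                continue
            if any(w in NEGATORS for w in tokens[max(0, i - 3):i]):
                return False                     # an explicit refusal wins for the whole comment
            positive = True
    return positive


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema with one issue awaiting review."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE issues(id INTEGER PRIMARY KEY, status TEXT NOT NULL);
        CREATE TABLE comments(id INTEGER PRIMARY KEY, issue_id INTEGER, body TEXT, approval INTEGER);
        INSERT INTO issues VALUES (1, 'in_review');
    """)
    return conn


def record_review(conn: sqlite3.Connection, issue_id: int, comment: str) -> bool:
    """Store the comment and, only for a real approval, close the issue, in one
    transaction so neither write can land without the other."""
    approved = strict_is_approval(comment)
    with conn:                                   # commit on success, roll back on error
        conn.execute("INSERT INTO comments(issue_id, body, approval) VALUES (?, ?, ?)",
                     (issue_id, comment, int(approved)))
        if approved:
            conn.execute("UPDATE issues SET status = 'done' WHERE id = ? AND status = 'in_review'",
                         (issue_id,))
    return approved


def issue_status(conn: sqlite3.Connection, issue_id: int) -> str:
    return conn.execute("SELECT status FROM issues WHERE id = ?", (issue_id,)).fetchone()[0]
```

A word-window heuristic like this still misreads some phrasings, which is an argument for a structured verdict field over free text; the transaction, by contrast, is unconditional, and is the half of the fix that holds regardless of how the verdict is parsed.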

A separate pattern: the market starts to move

Underneath the authority work, the agent-CLI market spent the window repositioning. Three of the moves are vendors going after each other's users directly, and a fourth is a model crossing all their borders at once.

Google started routing Gemini CLI users to a different product. A transition banner, cherry-picked into the stable v0.45.2 release, was made exempt from the usual five-times display cap, so "Antigravity is coming to town" now shows every session it is active. Behind it, a preview build added in-product migration commands and a built-in skill pointing users to "Antigravity CLI," a separate Google agent CLI with its own binary, installer domain, and docs, described in the bundled skill as a "next-generation terminal interface." The marketing is already in stable; the migration tooling is a preview away. Read together, it looks less like a feature than the start of a managed succession for Gemini CLI itself.

OpenAI came at switching costs from the other direction. Codex app 26.608 added Migrate-to-Codex flows for importing supported setup from Claude Code and Claude Cowork, including during onboarding, an on-ramp off Anthropic's coding agents. And Paperclip quietly retired its "zero-human companies" tagline for "the app people use to manage AI agents for work." The new line is backed by the same fortnight's engineering, which added human board visibility, an audited recovery action for stuck agents, and the approval gates above. The autonomous-company dream is being repriced as human-in-the-loop operating software.

The model layer crossed borders. Anthropic launched Claude Fable 5, a "Mythos-class" model, in Claude Code 2.1.170, and within days at least two other harnesses, OpenClaw and Pi, added support, Pi with xhigh reasoning effort. Claude Code also tightened the governance around which models run: an enforceAvailableModels setting and a cluster of fixes that finally make an org's model allowlist binding, even against the default model and env-var overrides, which is exactly the lever an enterprise needs to decide whether a model like Fable 5 is reachable. Gemini, separately, began moving flash workloads to gemini-3.5-flash in its stable v0.46.0, gated behind an experiment flag and auth-type access logic, so the same binary can route different users to different models. Anyone with cost or eval assumptions pinned to the old flash should re-baseline.

Computer use grows up, and gets metered

Authority showed up as capability governance most visibly in computer use, where Codex pushed real desktop control further into the mainstream and wrapped it in controls at the same time. Codex app 26.609 added Developer mode for the browser, giving the agent "controlled" Chrome DevTools Protocol access. That is a far larger surface than clicking and typing: CDP can read network traffic, run arbitrary JavaScript in the page, and drive the debugger. The same build added per-app access controls for computer use on Windows and extended computer use to Enterprise users, and on June 16 Codex made computer use available in the EEA, the UK, and Switzerland, putting desktop control in front of a European operator base it had been walled off from. It also previewed Chronicle, an opt-in feature that builds the agent's memory from recent screen context, a new and sensitive data-capture surface to default off on confidential machines. Agent Zero, the window's other real-computer source, spent its single active day hardening the tunnel that exposes its desktop rather than expanding it. Here the capability and the governance lever arrived in the same release, not a quarter apart.

The humane surface

The week was not only about locking things down. A counter-current kept widening who can reach an agent and on what terms, led by OpenClaw, with Codex and Hermes opening access from other angles. OpenClaw shipped a measured WCAG 2.1 AA pass on its browser dashboard: muted text lifted above the 4.5-to-1 contrast floor it had been failing in dark mode, a real keyboard focus ring, and a 12-pixel font floor across 136 elements that had been smaller. An agent harness treating legibility for low-vision and keyboard-only users as real work, not a someday, is worth noting; the catch is that it is implemented in a beta build, not yet stable. OpenClaw also made a sharper, quieter choice on a stable release: it stopped auto-selecting key-free web search providers, trading a bit of zero-config convenience to force an explicit choice about where a user's search queries go. Consent over default, in the same fortnight as the authority work, is the same instinct pointed at the user instead of the agent.

The reach widened in plainer ways too. Codex brought /goal, branch and worktree selection, and inline code review to the iPhone, putting long-horizon work and real code review on the smallest surface there is. Hermes shipped a native desktop app and a browser admin panel, collapsing install-to-first-message to seconds, though the panel is a new authority boundary whose hardening, as above, is still unreleased. Each of these narrows the gap between frontier capability and an ordinary operator, which is the half of the frontier that decides whether any of the authority work above ever gets used.

Provider notes

Claude Code (2.1.163 to 2.1.178) shipped the Fable 5 launch, nested subagent spawning with the auto-mode spawn gate, the Tool(param:value) permission grammar, and SendMessage authority hardening. It also made the enforceAvailableModels allowlist binding and fixed trust isolation for background workers and OTEL certs. The most active and most authority-focused provider of the window.

Codex (CLI 0.137.0 to 0.140.0, app 26.602 to 26.609, iOS 1.2026.153) expanded computer use (CDP developer mode, Windows per-app controls, the EEA, UK and Switzerland, Chronicle), shipped the Claude Code and Cowork import flow, and brought /goal and worktrees to iOS. The CLI added listable and revocable remote-control grants, a /usage view, permanent session deletion, and managed Bedrock encrypted auth.

Gemini CLI (v0.45.2 to v0.48.0-nightly) is the Antigravity story: an uncapped transition banner in stable and migration commands in preview, both steering users to a separate successor CLI. It also routed Flash 3.5 GA to stable behind an experiment flag, fixed a main-only skill path-traversal, made MCP tool discovery atomic, and hardened its CI against fork-PR injection.

OpenHands (1.8.0 plus heavy main activity) became a multi-tenant platform: default-org bootstrap, concurrency limits, BYOK model gating, a deployment-mode flag, org LLM profiles in the UI, per-user Jira OAuth injection, ACP model switching reaching Docker and cloud, and the credential and CVE fixes above. The 1.8.0 release mostly consolidated May work; the enterprise cluster is on main, later.

Hermes Agent (v0.16.0 plus post-release main) shipped "The Surface Release" (desktop app, browser admin, remote-gateway connect) and then, on main, the fail-closed security wave, async background subagents, the skill memory-poisoning and recursive-delete fixes, and credential and SSL resilience work.

Paperclip (v2026.609.0 plus post-release master) shipped Company Artifacts and structured approvals in the release, then, on master, the multi-tenant authority cluster (cloud-tenant deprivileging, per-company JWT keys, approval atomicity, plugin isolation, log redaction), a Skills Store and Teams catalog, a self-hostable Kubernetes sandbox, and the "manage AI agents for work" repositioning.

Pi coding agent (v0.78.1 to v0.79.5) added the project-trust system, Fable 5 support with xhigh effort, standalone-binary checksums, provider-scoped API-key environments and global HTTP proxy settings, two billing-accuracy fixes (Codex 272k context limits, Anthropic 1-hour cache-write pricing), and an HTML-export XSS fix.

OpenClaw (v2026.6.5 to v2026.6.8 plus betas) is the accessibility headliner: the WCAG 2.1 AA pass in beta, plain-language mobile provider states, pinned-commit ClawHub skill installs, the key-free-search consent change, an Apple Watch action surface, the security boundary sweep with fail-closed exec approvals, admin-gated HTTP overrides, and OpenRouter OAuth onboarding.

Agent Zero (v1.20) spent a single active maintenance day on the Tailscale Remote Control CSRF and WebSocket-origin hardening, OAuth credential-surface hygiene, and an editable file browser. No capability expansion landed in-window.

Flue (Tier 2; 0.10.0 to 1.0.0-beta.1) reached its first 1.0 beta with a migration-heavy stabilization (valibot tool schemas, opaque run IDs, run-introspection exports) and made durable, recoverable agent execution work against a built-in SQLite store. It also swapped WebSocket and SSE for a proprietary Durable Streams transport, which narrows how easily run events can be consumed from outside the SDK.

What to try

  • Claude Code: upgrade to 2.1.178 or later, then add Agent(model:opus)-style argument rules to cap model tiers inside subagent trees, and re-audit any background-agent workflow for the pre-warmed-worker trust-bleed fix.
  • Codex: drive a /goal from the iOS app and confirm worktree isolation; separately, keep Developer-mode CDP off by default and use the Windows per-app controls to allowlist apps rather than blanket-enabling computer use.
  • OpenHands: turn on BYOK gating in a test org and confirm members lose the custom model and key fields; do not rely on hide-personal-workspaces as an access boundary.
  • Pi: open an untrusted repo and confirm the project-trust system refuses to load its local resources until you approve.
  • Paperclip: if you run a shared multi-tenant pool, plan the cloud-tenant deprivileging upgrade and provision a non-cloud-tenant admin identity first.
  • OpenClaw: verify your dashboard against the new contrast and focus behavior, and confirm web search now requires an explicit provider choice.

What remains uncertain

  • Codex Developer-mode CDP scope: "controlled" CDP access is granted, but the changelog does not define the boundary, and CDP is a network-interception and arbitrary-JavaScript surface.
  • Hermes runaway-worker detection: with the default subagent timeout removed the same week background subagents shipped, a stuck worker is now caught only by heartbeat staleness.
  • OpenHands tenant isolation depth: hide-personal-workspaces is UI-only by design; the real boundary is the membership model, and operators must verify it rather than the screen.
  • Gemini CLI's future: the Antigravity migration push raises whether Gemini CLI is entering managed decline, and whether trust and policy semantics carry over to the successor.
  • OpenClaw accessibility reaching stable: the WCAG pass is in a beta tag; whether it ships to stable is unconfirmed.
  • Unreleased security fixes: Hermes's fail-closed wave and Gemini's skill path-traversal fix are on main, and Paperclip's cloud-tenant fix is on its master branch; none is in a tagged release as of June 16. The protection exists in the source, not yet in the binary most operators run.

Sources

Primary links, including exact changelog lines when available.