Control Plane

June 2026

1. 2026-06-03 · Claude Code

   Permission and deny rules now enforced as written across WebFetch, Windows paths, and Glob/Grep

   Control Plane
   • Three distinct gaps where a configured permission/deny rule silently failed to apply are closed in the 2.1.160-2.1.162 line: custom WebFetch rules now override built-in preapproved domains, Windows rules with backslashes or case-variant paths now match, and Read deny rules now hide files from Glob and Grep results.
   • Operators who wrote allow/deny policy and assumed it was enforced were running with a false sense of coverage; the fix is gated purely on upgrading past these versions, so the operator action is 'upgrade, then re-audit whether any policy was silently bypassed in the prior window.'
   • The Read-deny-vs-Glob/Grep gap is the sharpest: a file an operator denied for Read was still discoverable (and its path/contents surfaceable) via search tools, defeating the access-control intent.

   Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0

2. 2026-06-03 · Claude Code

   Agent view exposes why a session is blocked and fan-out progress for scripted supervision

   Control Plane
   • claude agents --json now includes a waitingFor field naming what a blocked session is waiting on (e.g. a permission prompt), and claude agents rows now show done/total progress before detail when work is fanned out.
   • Operators scripting or monitoring agent fleets can now programmatically distinguish 'stuck on a permission prompt' from other waits and read parallel-task completion, which is the difference between a watchdog that can unblock a session and one that can only detect silence.
   • The operator action is to wire waitingFor and the progress counter into supervision tooling so stuck-agent triage stops requiring a human to open each session.

   Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0

3. 2026-06-03 · Codex

   ChatGPT iOS 1.2026.146 adds optional Face ID / passcode lock for Codex

   Control Plane
   • An operator running Codex on iOS can now require Face ID or a passcode to open Codex, adding a device-level authority gate that did not exist before.
   • It is optional, so the operator decision is whether to enable it as policy for mobile-deployed Codex access.
   • Verification path: update to 1.2026.146, enable the lock, confirm Codex requires biometric/passcode on foreground before trusting mobile as an access surface.

   Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0

4. 2026-06-03 · Gemini CLI

   Policy file survives cross-device mounts and corruption via EBUSY fallback and TOML recovery

   Control Plane
   • Operators running in containers with cross-device mounts no longer hit silent policy-update failures - atomic rename now falls back to copy-then-unlink on EBUSY/EXDEV.
   • A corrupted policy TOML is auto-backed-up to .bak and rebuilt from scratch rather than blocking on a syntax error, removing a manual-intervention failure mode.
   • Verification path: packages/core/src/policy/config.ts adds the fallback and recovery; persistence.test.ts covers both paths.
   • Single operator class (operator persisting policy/permission config), single consequence (policy persistence no longer fails silently).

   Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0

5. 2026-06-03 · Gemini CLI

   Gemini 3.5 Flash GA routes to flagged users via backend experiment flag, no client update

   Control Plane
   • Operators auditing which model their CLI calls cannot rely on client version alone - model selection is now gated server-side by experiment flag GEMINI_3_5_FLASH_GA_LAUNCHED (ID 45780819) via hasGemini35FlashGAAccess().
   • Auto-routing logic silently switches to Flash GA when the flag is enabled for a user cohort, so the same binary can route to different models across users.
   • Verification path: Config.hasGemini35FlashGAAccess() and the registered experiment flag determine routing; the model in use is no longer fully determined by local config.
   • Single decision: operators must treat backend flag state as part of the model-routing audit surface.

   Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0

6. 2026-06-03 · Hermes Agent

   Docker dashboard insecure binding now requires explicit HERMES_DASHBOARD_INSECURE=1 opt-in

   Control Plane
   • The dashboard no longer infers insecure mode from bind host, so operators whose Docker setups relied on that inference must add HERMES_DASHBOARD_INSECURE=1 explicitly or the dashboard will not bind insecurely.
   • Existing Docker and hosted deployments must update env configuration before upgrading to v0.15.1 to avoid a broken or unexpectedly-secured dashboard.
   • Verification path: upgrade to v0.15.1, set HERMES_DASHBOARD_INSECURE=1 only where intended, and confirm the dashboard binds as expected without falling back to host-derived inference.

   Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0

7. 2026-06-03 · Hermes Agent

   Bitwarden Secrets Manager integration replaces per-provider API keys

   Control Plane
   • Operators managing credentials must decide whether to migrate from per-provider API keys to centralized Bitwarden Secrets Manager, changing where secrets live and how they rotate.
   • Centralized secret management enables rotation and revocation that scattered per-provider keys did not; an operator wiring CI/automation must re-point credential sourcing.
   • Verification path: configure Bitwarden Secrets Manager on v0.15.0, confirm the agent resolves credentials from it, and test a rotation to verify the agent picks up the new secret.

   Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0

8. 2026-06-03 · Hermes Agent

   Kanban becomes a multi-agent orchestration platform with auto-decomposition, swarm topology, and worktree-per-task

   Control Plane
   • Operators who ran Kanban as a task board must now decide whether to adopt orchestrator auto-decomposition and swarm topology, which turn a queue into a self-spawning multi-agent fleet with new operating state to supervise.
   • Per-task model overrides and worktree-per-task change the cost and isolation profile of every queued task; an operator must re-plan budget and concurrency.
   • Verification path: deploy v0.15.0, queue a decomposable task, and confirm the orchestrator spawns the expected sub-agents in isolated worktrees before trusting it with real work.

   Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0

9. 2026-06-03 · OpenClaw

   Skill Workshop adds a pending-proposal approval workflow with CLI/Gateway review and a skill_workshop agent tool

   Control Plane
   • Skill Workshop introduces a new pending-proposal lifecycle that an operator must approve or reject via CLI or Gateway before a skill takes effect, inserting a human-in-the-loop gate into skill provisioning.
   • The skill_workshop agent tool lets agents themselves file proposals, expanding the automation surface; operators must decide who may review and who may self-approve.
   • Decision is for the control-plane admin/skill-author: configure the review path and authority for skill proposals.

   Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0

10. 2026-06-03 · Paperclip

    Unclaimed self-hosted deployments get a one-time browser claim to bootstrap the first admin

    Control Plane
    • Operators standing up a private self-hosted deployment now have a defined bootstrap path to create the first admin before any invite exists, replacing ad-hoc seeding.
    • Whoever completes the one-time browser claim becomes the first admin, so an operator must claim a freshly deployed instance promptly to avoid a race for control.
    • This changes the deployment runbook: the claim step is now the gate that establishes ownership of the control plane.

    Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0

11. 2026-06-03 · Paperclip

    Company skills become first-class resources with an install/reset/audit/export/assign CLI

    Control Plane
    • Skills move from implicit configuration to governed resources: an operator can now audit which skills are installed and assigned, and export the catalog for review or provenance tracking.
    • The CLI verbs (install, reset, audit, export, assign) give platform operators a programmatic path to manage agent capabilities across a company instead of clicking through a board.
    • Assignment is a distinct authority action — an operator decides which agents get which skills — so capability grants become reviewable operating state rather than ambient defaults.

    Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0

12. 2026-06-03 · Agent Zero

    Office, Desktop, and Editor plugins become toggleable behind a protected plugin-state API

    Control Plane
    • Operators can disable Office, Desktop, or Editor plugins (Desktop computer-use especially) on deployments that should not hold those capabilities, via the v1.19 plugin-toggle endpoint.
    • The endpoint is described as 'protected' but the release note documents no auth model or role-based capability management, so treat it as a disable lever, not yet an audited capability register.

    Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0

13. 2026-06-03 · OpenHands

    ACP provider credentials now route through cipher-protected agent_context.secrets, not acp_env

    Control Plane
    • Operators running ACP agents must understand provider API keys/base URLs now flow through the cipher-protected secrets channel; the deprecated acp_env channel no longer carries credentials.
    • Changes the persistence and exposure surface for agent provider credentials, with SDK gap-fill logic specifically preventing re-folding into the insecure acp_env channel.
    • Verification path: confirm ACP provider creds appear via agent_context.secrets and are absent from acp_env in agent context.

    Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0

14. 2026-06-03 · OpenHands

    DELETE /api/organizations now cascade-deletes the sole-org requester (personal org)

    Control Plane
    • Operators must understand that deleting a personal org now also deletes the requesting user account, enabling re-onboarding on next login — a destructive identity-state change behind one endpoint.
    • Changes operating-state semantics of an existing destructive API: requires backup discipline before org deletion; multi-org members are protected by preflight orphan detection.
    • Verification path: test DELETE /api/organizations against a sole-org account vs a multi-org member and confirm orphan-rejection behavior.

    Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0

15. 2026-06-03 · Flue

    v0.9.2 adds an activate_skill tool letting agents load skills autonomously

    Control Plane
    • Operators configuring skills now get a new agent-facing `activate_skill` tool: agents load full skill instructions on demand before matching work, shifting skill loading from operator-orchestrated to agent-initiated — a proactivity/authority change the operator should be aware of when scoping which skills are available.
    • Workspace skills are reread on activation, so edits during an active session take effect (lazy loading preserved); verification is concrete (configure a skill, confirm the agent self-activates it and picks up an edit mid-session).

    Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0

May 2026

1. 2026-05-30 · Claude Code

   Auto Mode now available on Bedrock, Vertex, and Foundry for Opus 4.7 / 4.8

   Control Plane
   • Auto Mode's permission-handling posture, previously tied to first-party Anthropic auth, now extends to the cloud provider APIs (AWS Bedrock, Google Vertex, Foundry) for Opus 4.7 and 4.8, opt-in via CLAUDE_CODE_ENABLE_AUTO_MODE=1.
   • The operator decision is governance-shaped: teams running Claude Code through a cloud-provider procurement path can now deploy the reduced-prompt autonomy posture they could not before, which changes what consent ceremony exists on those deployments.
   • Because Auto Mode shifts permission decisioning away from per-action prompts, an operator enabling it on a Bedrock/Vertex deployment must confirm their managed-settings deny rules carry the governance weight the prompts used to.

   Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0

2. 2026-05-27 · Claude Code

   Auto mode becomes the default permission posture

   Control Plane
   • Operators with managed Claude Code deployments must re-audit what Auto mode classifies as safe by default — the consent gate is gone.
   • Admins relying on the opt-in consent dialog as a visible posture check have lost that surface; equivalent visibility now comes from managed-settings policy, not from a runtime prompt.
   • Skill authors should evaluate `disallowed-tools` for skills that should run with a reduced tool surface.
   • Hook authors should consider whether `MessageDisplay` is a governance gain or a censorship hazard for their deployment.

   Run: 2026-05-27-weekly-digest-2026-05-13_2026-05-27-frontier-v0

3. 2026-05-27 · Codex

   Goal mode graduates default-on; remote computer use after lock ships

   Control Plane
   • Operators using Codex must decide whether goal mode is permitted as a baseline or constrained via permission profiles — the inheritance + managed-requirements features are the right tool for this.
   • Evaluators of remote computer use after Mac lock should treat the locked-host surface as a new authority decision, not a default; short-lived authorization and relock-on-input are sensible defaults, but the policy for which tasks may operate against a locked host is still an operator choice.
   • Plugin-marketplace evaluators (ChatGPT Business; Enterprise coming soon) should treat plugin distribution-by-marketplace as a new supply-chain surface to govern.

   Run: 2026-05-27-weekly-digest-2026-05-13_2026-05-27-frontier-v0

4. 2026-05-27 · Codex

   Permission profiles get inheritance and an org-managed enforcement file

   Control Plane
   • Enterprise operators should restructure permission policy: stop maintaining flat profile lists; build a base profile plus per-team derivations using inheritance.
   • Decide where `requirements.toml` lives (repo-rooted, org-rooted, signed) before depending on enforcement — the distribution and trust model are not yet documented.
   • Migrate off legacy profile configs; 0.134.0 rejects them with migration guidance.
   • Normalize permission selection on `--profile` as the canonical handle; flag-soup approaches are now legacy.

   Run: 2026-05-27-weekly-digest-2026-05-13_2026-05-27-frontier-v0

5. 2026-05-27 · Gemini CLI

   Auto modes collapse and PolicyEngine reaches into ACP sessions

   Control Plane
   • Operators on previous Auto variants must re-audit which behaviors the consolidated Auto mode treats as safe — the merger may have loosened or tightened constraints; release notes do not enumerate.
   • `AUTO_EDIT` operators should explicitly decide whether shell-redirect auto-approval is acceptable for their environment.
   • Operators evaluating Gemini ACP integration should treat PolicyEngine-in-ACP as the new enforcement boundary; the 'deadlock fix' framing understates the structural shift.

   Run: 2026-05-27-weekly-digest-2026-05-13_2026-05-27-frontier-v0

6. 2026-05-27 · Hermes Agent

   `hermes proxy`: local OpenAI-compatible endpoint backed by operator OAuth

   Control Plane

   composes with Aider , Cline , Codex , Continue

   • Operators running `hermes proxy` on the documented loopback default (`--host 127.0.0.1`) inherit a low-risk posture; the proxy accepts client `Authorization` headers and strips them before attaching the Hermes OAuth upstream. Operators changing the bind to a non-loopback address must place their own auth in front of the port — the proxy itself does not authenticate local callers.

   Run: 2026-05-27-weekly-digest-2026-05-13_2026-05-27-frontier-v0

7. 2026-05-27 · Hermes Agent

   Honcho identity mapping and credential-pool isolation

   Control Plane

   composes with Aider , Cline , Codex , Continue

   • Multi-user gateway operators should upgrade past the Honcho commits (week of 2026-05-21) and the credential-pool isolation commit (2026-05-27) before running shared-thread deployments — these are quiet correctness fixes for cross-user contamination.

   Run: 2026-05-27-weekly-digest-2026-05-13_2026-05-27-frontier-v0

8. 2026-05-27 · Paperclip

   Scoped agent permissions, layered routine secrets, document locks

   Control Plane
   • Multi-agent operators: re-evaluate Paperclip's authz model. The principal-access backfill means pre-existing data is being normalized to the new model — confirm any operator action needed for older versions.
   • Secret-handling operators: read PR #6212 before configuring routine env in a deployment where secrets matter — the `agent < project < routine` precedence is a structural operator concept.
   • Approval-discipline operators: migrate to lock-backed approval; document locks give approval a persistent surface.
   • ACPX-Claude operators: confirm `~/.claude/settings.json` is configured as the source of truth for Claude permissions — the Paperclip control plane defers to it.

   Run: 2026-05-27-weekly-digest-2026-05-13_2026-05-27-frontier-v0

9. 2026-05-13 · OpenClaw

   Per-sender tool policies via channel-scoped sender keys

   Control Plane
   • Operators running OpenClaw with public-facing channels can now restrict dangerous tools by requester identity rather than only by agent. Review your tool surfaces and decide whether the broader trust model (per-channel × per-sender) belongs in your deployment.
   • Authority restriction now extends across global, agent, group, core, bundled, and plugin tool surfaces — operators should re-audit which surfaces hold authority decisions in their deployment and whether the requester-level layer makes some prior per-agent restrictions redundant.
   • Three claim-level updates land in the same release: memory-wiki ingest now requires admin scope, Obsidian search requires write scope, and `openclaw models auth login --provider openai` defaults to ChatGPT/Codex login (API-key setup is now behind `--method api-key`). Setup scripts assuming read-only or API-key-first paths need to be updated.

   Run: 2026-05-13-partial-cycle-openclaw-refresh-2026-05-13-frontier-v0

10. 2026-05-12 · Paperclip

    Secrets provider vaults (AWS Secrets Manager), host env isolation fix, cursor_cloud adapter

    Control Plane
    • Operators running SSH-managed execution environments should upgrade immediately: the host env isolation fix (PR #5142) closes a path where host environment variables (API keys, tokens, paths) were being forwarded to remote execution targets.
    • Operators managing credentials at scale should evaluate the AWS Secrets Manager import path in Secrets settings UI — this enables rotation-aware credential management with an access-event audit trail.
    • Operators using Cursor as an adapter can now configure the new `cursor_cloud` adapter for cloud-hosted Cursor routing with session reuse, streaming, and cancellation.

    Run: 2026-05-12-partial-cycle-paperclip-2026-05-07_2026-05-12-frontier-v0

11. 2026-05-12 · OpenHands

    Sub-agent delegation (opt-in) and critic evaluation GUI

    Control Plane
    • Operators running multi-task sessions can now enable sub-agent delegation via `enable_sub_agents`. Built-in sub-agents (bash-runner, code-explorer, general-purpose, web-researcher) handle scoped tasks with restricted tool surfaces. Default is off -- enable deliberately.
    • Operators should configure `CRITIC_API_KEY` to route critic evaluation spend separately from the primary model key if centralized cost control matters.
    • The critic display is deployment-controlled via `OH_ENABLE_CRITIC_BY_DEFAULT` (disabled by default). Deployments that want it enabled should set that flag; per-deployment toggle is `verification.critic_enabled`.

    Run: 2026-05-12-partial-cycle-openhands-2026-05-07_2026-05-12-frontier-v0

12. 2026-05-12 · OpenClaw

    Per-agent message restrictions, gated code install, and onboarding wayfinding

    Control PlanePlatform
    • Operators deploying public-facing or sandboxed agents should evaluate `tools.message.crossContext` and `tools.message.actions.allow` overrides to restrict agent message sends to the current conversation without changing the global bot policy.
    • Operators running long-horizon OpenClaw sessions should know that session memory is now bounded: the memory dreaming promotion cap compacts oldest auto-promoted sections while preserving user-authored notes. Unbounded auto-memory growth is no longer the default behavior.
    • Operators deploying OpenClaw for new users should test the improved CLI onboarding wayfinding: setup, onboarding, configure, and channel commands now explain the next useful command at each step.

    Run: 2026-05-12-partial-cycle-openclaw-2026-05-07_2026-05-12-frontier-v0

13. 2026-05-12 · Hermes Agent

    Durable Kanban with hallucination gate, redaction-on-by-default, channel allowlists

    Control Plane
    • Operators upgrading existing Hermes deployments must verify that secret redaction is now ON by default. Log pipelines that relied on unredacted output will see sanitized logs after upgrade.
    • Discord operators with role-gated access (`DISCORD_ALLOWED_ROLES`) should re-verify their role-scoping configuration: the guild-scoped fix (CVSS 8.1) may change behavior in cross-guild bot deployments.
    • Operators building multi-agent workflows on Hermes should evaluate the Kanban board's reliability primitives (heartbeat reclaim, zombie detection, hallucination gate, per-task retries) before building a custom coordination layer.
    • Operators using cron should evaluate `no_agent` mode for script-only automation that does not require LLM invocation.

    Run: 2026-05-12-partial-cycle-hermes-agent-2026-05-07_2026-05-12-frontier-v0

14. 2026-05-12 · Gemini CLI

    Session resume now surfaces errors and finds legacy sessions

    Control Plane
    • Operators using --resume with legacy session formats should re-test: prior to this fix, resume failures silently started new sessions. Verify the behavior after upgrade.

    Run: 2026-05-12-partial-cycle-gemini-refresh-2026-05-12-frontier-v0

15. 2026-05-12 · Codex

    PreToolUse hooks can now rewrite tool inputs before execution

    Control Plane
    • Hook authors who returned updatedInput in PreToolUse hooks expecting rewrites to apply should re-test: prior to this fix, the original input was used; after this fix, the rewritten input is used. Verify existing hooks behave as intended after upgrade.
    • Operators can now build input-sanitizing PreToolUse hooks that modify tool arguments before dispatch -- path normalization, argument masking, destination redirection.

    Run: 2026-05-12-partial-cycle-codex-refresh-2026-05-12-frontier-v0

16. 2026-05-12 · Claude Code

    Agent view, goal completion, and governance hardening

    Control Plane
    • `claude agents` is the new canonical surface for multi-session supervision; operators running parallel Claude Code sessions should evaluate it now as their primary management interface.
    • /goal changes how long-running autonomous work is structured; operators should test goal-based termination against their most common multi-turn workflows.
    • `continueOnBlock` enables advisory governance hooks; existing PostToolUse blocks should be redesigned to pass rejection reasons so Claude can adapt rather than just stop.
    • `x-claude-code-agent-id` / `x-claude-code-parent-agent-id` headers and OTel span attributes enable call-tree attribution; logging pipelines receiving Anthropic API calls should start capturing these to distinguish parent sessions from subagents.
    • API key auth now disables Remote Control, /schedule, and claude.ai MCP connectors; operators using API key should audit reliance on these surfaces before upgrading.

    Run: 2026-05-12-partial-cycle-claude-code-2026-05-07_2026-05-12-frontier-v0

17. 2026-05-11 · Codex

    Permissions glance surface and role-aware plugin sharing

    Control Plane
    • Bitter receipts should record permission posture + approval mode as standard fields.
    • Plugin share role-awareness affects whether Bitter can share configs across roles.
    • Authority visibility in the TUI is a worked example of governance ergonomics worth borrowing.

    Run: 2026-05-11-partial-cycle-codex-2026-05-08_2026-05-11-frontier-v0

18. 2026-05-11 · Gemini CLI

    Subagents become pluggable; sessions become portable

    Control Plane
    • Capability-profile assumption "subagents inherit approval mode" is now under-specified.
    • Run-contract design should record which subagent protocol variant a run used.
    • Adapter work should distinguish local from remote subagent execution.
    • Session export/import gives operators and Bitter a stable serialization point.

    Run: 2026-05-11-partial-cycle-2026-05-08_2026-05-11-frontier-v0

19. 2026-05-07 · Paperclip

    Agent labor needs operating state, not just parallelism.

    Control Plane

    Run: 2026-05-07-expanded-watchlist-dry-run

20. 2026-05-07 · Codex · Gemini CLI · Hermes Agent · OpenClaw

    Persistent agent state is becoming a product surface

    Control Plane
    • Developers need to know which goals, memory patches, recaps, sessions, and skill maintenance loops shaped a serious run.

    Run: 2026-05-07-commit-harvest-2026-04-23_2026-05-07-frontier-v1

21. 2026-05-07 · Codex · Gemini CLI · OpenHands · OpenClaw · Paperclip · Agent Zero

    Permissions, secrets, and sandboxes are moving into the foreground

    Control Plane
    • The harness must make trust state visible: what can be read, what can be changed, which credentials are exposed, and where execution happens.

    Run: 2026-05-07-commit-harvest-2026-04-23_2026-05-07-frontier-v1

22. 2026-05-07 · Paperclip · OpenHands · Hermes Agent · Codex · OpenClaw

    Agent systems are growing control planes

    Control Plane
    • Once agents coordinate across tasks, runtimes, gateways, and integrations, operators need liveness, cost, role, session, and recovery controls.

    Run: 2026-05-07-commit-harvest-2026-04-23_2026-05-07-frontier-v1

23. 2026-05-06 · Codex

    Worker-native goals unlock longer horizons.

    Control Plane
    • Operators now need to ask which durable objective the worker is pursuing, whether it is still aligned with the operator's charter, and how it maps to the current run mandate.
    • Treat worker goals as first-class receipt fields: goal id, goal text, creation source, last update, status, scope, originating run, mapped charter, mapped mandate, and settlement status.

    Run: 2026-05-06-manual-2026-04-22_2026-05-06-frontier-v0

24. 2026-05-06 · Claude Code · Gemini CLI · Hermes Agent

    Worker-native state is becoming a memory layer.

    Control Plane
    • Recaps, memory patches, skill curators, and task state are moving into worker tools. Operators should use them, but should preserve an operator-owned record of what state governed each run.
    • Add worker-native state fields to adapter receipts: recap handles, memory patch ids, curator reports, skill reports, and resume state.

    Run: 2026-05-06-manual-2026-04-22_2026-05-06-frontier-v0

25. 2026-05-06 · Codex · Claude Code · Gemini CLI · Pi Coding Agent

    Authority semantics are explicit but fragmented.

    Control Plane
    • Permission profiles, workspace trust, env loading, hooks, MCP behavior, extension schemas, and provider transports differ by worker and release.
    • Bitter capability profiles should record worker-native permission and trust semantics instead of assuming a uniform authorization model.

    Run: 2026-05-06-manual-2026-04-22_2026-05-06-frontier-v0

26. 2026-05-06 · Claude Code · Codex · Gemini CLI · Hermes Agent

    Verification is becoming a worker capability.

    Control Plane
    • Provider-native review, multi-agent execution, subagent evals, curator reports, and QA-like cloud fleets can catch useful issues, but their verdicts are not automatically the operator's truth.
    • Treat worker verification as evidence inputs. BitterQA or the run contract should still own the final evidence standard and settlement.

    Run: 2026-05-06-manual-2026-04-22_2026-05-06-frontier-v0

27. 2026-05-06 · Codex · Claude Code · Gemini CLI · Hermes Agent

    Provider-native long-horizon state is now table stakes.

    Control Plane

    Run: 2026-05-06-candidate-2026-04-22_2026-05-06-frontier-v1