
Agent Runtimes Are Learning to Audit Their Own Tools

Fresh Codex and Gemini CLI changes show agent projects treating tool calls, plugins, MCP servers, and subagents as auditable runtime events instead of invisible helper work.

> c69cde3 / May 19, 2026 / Daily Edition

The next serious feature in coding agents may not look like a new button. It may look like a receipt.

In the last week of watched changes, OpenAI Codex and Google Gemini CLI both moved in that direction. Codex added a typed lifecycle interface so extensions can observe when host-owned tools start and finish. Gemini CLI added a session-backed path for local subagents, plus a flag to route subagent invocations through the AgentSession protocol. A nearby Gemini documentation change spells out how sensitive host environment variables are redacted before MCP servers see them.

The pattern is bigger than any one API name. Agent runtimes are starting to answer operational questions that early demos could leave vague: who supplied this tool, what invoked it, did it finish or fail, did a user cancel it, and which secrets crossed the boundary?

Codex makes tool execution observable

The clearest Codex change is PR #23309, committed as c69cde3, which adds a ToolLifecycleContributor trait to the extension API. The new contract gives contributors on_tool_start and on_tool_finish callbacks. The companion tool_lifecycle.rs file defines host-visible inputs such as turn_id, call_id, tool_name, and a source enum that distinguishes direct model tool calls from code-mode nested tool calls.

The outcome enum is the tell. Codex now gives lifecycle observers typed endings: completed, blocked, failed, or aborted. That makes tool execution a runtime event with a beginning, an owner-visible source, and a classified ending.

Another Codex commit, a66e0e9, adds plugin provenance to MCP tool metadata. The test plugin_mcp_tool_call_request_meta_includes_plugin_id proves that plugin-backed MCP calls can carry a plugin id in request metadata. In a world where tools can come from built-ins, user MCP servers, plugins, or connectors, that tiny field matters. It lets the host say not only "a tool ran," but "this layer supplied it."
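As an added illustration (not code from the Codex repository), here is a Rust sketch of what a contributor on the receiving end of those callbacks could do with them: an audit ledger that pairs each on_tool_finish with its on_tool_start by call_id, counts classified outcomes, and can report calls that never closed or finishes that had no matching start. The trait name, callback names, input field names and the four outcome variants come from the page; the callback signatures, the source variant names, the placement of the plugin id on the start event and the sample turn are assumptions made for this example.

```rust
use std::sync::Mutex;

/// Who issued the call. The page says the source enum separates direct
/// model tool calls from code-mode nested calls; the variant names are assumed.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ToolCallSource { DirectModelCall, CodeModeNested }

/// Classified ending of a call; these four variants are the ones the page lists.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ToolOutcome { Completed, Blocked, Failed, Aborted }

/// Host-visible inputs at start. `plugin_id` stands in for the plugin
/// provenance field carried in MCP request metadata (assumed placement).
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct ToolStart {
    pub turn_id: String,
    pub call_id: String,
    pub tool_name: String,
    pub source: ToolCallSource,
    pub plugin_id: Option<String>,
}

/// Observer contract. Callback names are from the page; parameter types are assumed.
pub trait ToolLifecycleContributor {
    fn on_tool_start(&self, ev: &ToolStart);
    fn on_tool_finish(&self, call_id: &str, outcome: ToolOutcome);
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct LedgerEntry { pub start: ToolStart, pub outcome: Option<ToolOutcome> }

/// Audit ledger that pairs finishes with starts by call_id, so the host can
/// later ask "which calls never closed?" and "which finishes had no start?"
#[derive(Default)]
pub struct AuditLedger {
    entries: Mutex<Vec<LedgerEntry>>,
    orphan_finishes: Mutex<Vec<String>>,
}

impl ToolLifecycleContributor for AuditLedger {
    fn on_tool_start(&self, ev: &ToolStart) {
        self.entries.lock().unwrap().push(LedgerEntry { start: ev.clone(), outcome: None });
    }

    fn on_tool_finish(&self, call_id: &str, outcome: ToolOutcome) {
        let mut entries = self.entries.lock().unwrap();
        // Pair with the most recent still-open entry carrying this call_id.
        match entries.iter_mut().rev().find(|e| e.start.call_id == call_id && e.outcome.is_none()) {
            Some(entry) => entry.outcome = Some(outcome),
            None => self.orphan_finishes.lock().unwrap().push(call_id.to_string()),
        }
    }
}

impl AuditLedger {
    /// Calls that started but never reported an outcome.
    pub fn open_calls(&self) -> Vec<String> {
        self.entries.lock().unwrap().iter()
            .filter(|e| e.outcome.is_none()).map(|e| e.start.call_id.clone()).collect()
    }
    pub fn count_outcome(&self, wanted: ToolOutcome) -> usize {
        self.entries.lock().unwrap().iter().filter(|e| e.outcome == Some(wanted)).count()
    }
    /// Calls supplied by a given plugin, located through the provenance field.
    pub fn calls_from_plugin(&self, plugin_id: &str) -> Vec<String> {
        self.entries.lock().unwrap().iter()
            .filter(|e| e.start.plugin_id.as_deref() == Some(plugin_id))
            .map(|e| e.start.call_id.clone()).collect()
    }
    pub fn orphan_finishes(&self) -> Vec<String> { self.orphan_finishes.lock().unwrap().clone() }
}

fn start(call_id: &str, tool: &str, source: ToolCallSource, plugin: Option<&str>) -> ToolStart {
    ToolStart {
        turn_id: "turn-1".to_string(), call_id: call_id.to_string(),
        tool_name: tool.to_string(), source, plugin_id: plugin.map(str::to_string),
    }
}

/// A constructed turn: one clean call, one plugin-supplied nested call the host
/// blocked, one call that never finished, and one stray finish with no start.
pub fn demo_turn() -> AuditLedger {
    let ledger = AuditLedger::default();
    ledger.on_tool_start(&start("call-1", "shell", ToolCallSource::DirectModelCall, None));
    ledger.on_tool_finish("call-1", ToolOutcome::Completed);
    ledger.on_tool_start(&start("call-2", "mcp:search", ToolCallSource::CodeModeNested, Some("example-plugin")));
    ledger.on_tool_finish("call-2", ToolOutcome::Blocked);
    ledger.on_tool_start(&start("call-3", "write_file", ToolCallSource::DirectModelCall, None));
    ledger.on_tool_finish("call-99", ToolOutcome::Failed);
    ledger
}

fn main() {
    let ledger = demo_turn();
    println!("open calls: {:?}", ledger.open_calls());
    println!("blocked: {}", ledger.count_outcome(ToolOutcome::Blocked));
    println!("from example-plugin: {:?}", ledger.calls_from_plugin("example-plugin"));
    println!("finishes with no start: {:?}", ledger.orphan_finishes());
}
```

The two "leftover" lists are the security-relevant output: an open call at the end of a turn is a tool that ran without a classified ending, and an orphan finish means the host saw an ending for work it never saw begin. Both are exactly the gaps a receipt is supposed to close.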

Gemini moves subagents into sessions

Gemini CLI's matching evidence is PR #26665, committed as 6973b96. It adds LocalSessionInvocation, a new local subagent invocation class built around LocalSubagentSession. The implementation publishes SUBAGENT_ACTIVITY events, streams thought and tool-call activity, tracks running, completed, error, and cancelled states, sanitizes displayed thought/tool/error content, and wires abort signals into the subagent session.

That is not just delegation. It is delegation with a transcript surface. The tests cover thought streaming, tool start and end handling, rejected tool calls, cancellation, config updates before query messages, and cleanup of observers and abort listeners.

PR #26947 makes the direction explicit by adding experimental.adk.agentSessionSubagentEnabled. Gemini's configuration docs describe the flag as routing subagent invocations through the AgentSession protocol instead of legacy executors. That is a migration sentence disguised as a settings entry.
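To make the session semantics concrete, here is an added Rust example (not Gemini CLI's TypeScript implementation): a minimal subagent session with the four states the page names, an abort flag shared with the parent, and a display sanitizer applied to thought, tool and error text before it reaches the transcript. Terminal states are sticky, so activity published after cancellation is refused rather than leaking into the transcript. The state and activity names are from the page; the struct, method signatures, the sanitization rule and the sample run are assumptions for this example.

```rust
use std::sync::atomic::{AtomicBool, Ordering};
use std::sync::Arc;

/// The four states the page lists for a local subagent session.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum SubagentState { Running, Completed, Error, Cancelled }

/// Activity surfaced to the parent transcript (shape assumed for the example).
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum SubagentActivity {
    Thought(String),
    ToolStart { call_id: String, tool_name: String },
    ToolEnd { call_id: String, rejected: bool },
    Error(String),
}

/// Strip ANSI CSI escape sequences and control characters (other than
/// newline and tab) so subagent output cannot restyle or spoof the display.
pub fn sanitize_for_display(raw: &str) -> String {
    let mut out = String::with_capacity(raw.len());
    let mut chars = raw.chars().peekable();
    while let Some(c) = chars.next() {
        if c == '\u{1b}' {
            // ESC '[' <params> <final byte in 0x40..=0x7e>: drop the whole sequence.
            if chars.peek() == Some(&'[') {
                chars.next();
                while let Some(&n) = chars.peek() {
                    chars.next();
                    if ('\u{40}'..='\u{7e}').contains(&n) { break; }
                }
            }
            continue;
        }
        if c.is_control() && c != '\n' && c != '\t' { continue; }
        out.push(c);
    }
    out
}

pub struct SubagentSession {
    state: SubagentState,
    abort: Arc<AtomicBool>,          // abort signal wired in from the parent
    activity: Vec<SubagentActivity>, // what the transcript surface has seen
}

impl SubagentSession {
    pub fn new(abort: Arc<AtomicBool>) -> Self {
        Self { state: SubagentState::Running, abort, activity: Vec::new() }
    }

    /// A running session becomes Cancelled as soon as the abort signal is observed.
    fn observe_abort(&mut self) {
        if self.state == SubagentState::Running && self.abort.load(Ordering::SeqCst) {
            self.state = SubagentState::Cancelled;
        }
    }

    /// Publish one activity event. Returns false, recording nothing, once the
    /// session is in a terminal state; an Error event moves it to Error.
    pub fn publish(&mut self, ev: SubagentActivity) -> bool {
        self.observe_abort();
        if self.state != SubagentState::Running { return false; }
        let ev = match ev {
            SubagentActivity::Thought(t) => SubagentActivity::Thought(sanitize_for_display(&t)),
            SubagentActivity::Error(e) => SubagentActivity::Error(sanitize_for_display(&e)),
            SubagentActivity::ToolStart { call_id, tool_name } => SubagentActivity::ToolStart {
                call_id, tool_name: sanitize_for_display(&tool_name),
            },
            other => other,
        };
        if matches!(ev, SubagentActivity::Error(_)) { self.state = SubagentState::Error; }
        self.activity.push(ev);
        true
    }

    pub fn complete(&mut self) -> bool {
        self.observe_abort();
        if self.state != SubagentState::Running { return false; }
        self.state = SubagentState::Completed;
        true
    }

    pub fn state(&self) -> SubagentState { self.state }
    pub fn activity(&self) -> &[SubagentActivity] { &self.activity }
}

/// Constructed run: a styled thought, a tool start, then the parent aborts
/// before the tool end arrives, so the late event is refused.
pub fn demo_cancelled_session() -> SubagentSession {
    let abort = Arc::new(AtomicBool::new(false));
    let mut session = SubagentSession::new(Arc::clone(&abort));
    session.publish(SubagentActivity::Thought("\u{1b}[1mplanning\u{1b}[0m".to_string()));
    session.publish(SubagentActivity::ToolStart { call_id: "c1".into(), tool_name: "read_file".into() });
    abort.store(true, Ordering::SeqCst);
    let late = session.publish(SubagentActivity::ToolEnd { call_id: "c1".into(), rejected: false });
    debug_assert!(!late);
    session
}

fn main() {
    let session = demo_cancelled_session();
    println!("state: {:?}, events seen: {:?}", session.state(), session.activity());
}
```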

MCP is becoming a boundary, too

The security side appears in Gemini CLI PR #22854. The docs now clarify that the CLI redacts sensitive host environment variables before passing environment data to third-party MCP servers, and that explicit env entries in settings.json or mcp_config.json are the trusted path when a server really needs a token.

This is the same story from another angle. MCP servers are useful because they widen what an agent can do. They are risky for the same reason. The runtime has to decide what crosses from the user's machine into that server process, and the docs now make that boundary legible.
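As an added example (written in Rust, not the CLI's own code), here is one way to implement that boundary: host variables whose names match sensitive fragments are withheld and recorded, while entries the user listed explicitly for that server are passed through as the trusted path. The sensitive-name heuristic, the variable names and every value are constructed for the example; the CLI's actual rule set is not on the page.

```rust
use std::collections::BTreeMap;

/// Name fragments treated as sensitive. This list is an assumption for the
/// example, not the CLI's rule set; a default-deny posture is the point.
const SENSITIVE_FRAGMENTS: &[&str] = &[
    "TOKEN", "SECRET", "PASSWORD", "CREDENTIAL", "API_KEY", "PRIVATE_KEY",
];

pub fn is_sensitive_name(name: &str) -> bool {
    let upper = name.to_ascii_uppercase();
    SENSITIVE_FRAGMENTS.iter().any(|f| upper.contains(f))
}

/// What the server child process receives, plus an audit record of what was
/// withheld so the user can see the boundary being enforced.
#[derive(Debug, Default, PartialEq, Eq)]
pub struct ServerEnv {
    pub passed: BTreeMap<String, String>,
    pub redacted: Vec<String>,
}

/// `host_env` is the process environment; `explicit_env` models the `env`
/// entries a user wrote for this server in settings.json / mcp_config.json.
pub fn build_server_env(
    host_env: &BTreeMap<String, String>,
    explicit_env: &BTreeMap<String, String>,
) -> ServerEnv {
    let mut result = ServerEnv::default();
    for (name, value) in host_env {
        if is_sensitive_name(name) {
            result.redacted.push(name.clone());
        } else {
            result.passed.insert(name.clone(), value.clone());
        }
    }
    // Explicit entries are the trusted path: the user chose to hand this
    // server that value, so it is forwarded even when the name looks sensitive.
    for (name, value) in explicit_env {
        result.passed.insert(name.clone(), value.clone());
    }
    result
}

fn kv(pairs: &[(&str, &str)]) -> BTreeMap<String, String> {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

/// Constructed host environment and server config; no real secrets.
pub fn demo_server_env() -> ServerEnv {
    let host = kv(&[
        ("PATH", "/usr/bin"),
        ("HOME", "/home/dev"),
        ("LANG", "en_US.UTF-8"),
        ("GITHUB_TOKEN", "ghp_constructed_value"),
        ("AWS_SECRET_ACCESS_KEY", "constructed_value"),
        ("OPENAI_API_KEY", "sk-constructed_value"),
    ]);
    let explicit = kv(&[("SEARCH_API_TOKEN", "constructed-search-token")]);
    build_server_env(&host, &explicit)
}

fn main() {
    let env = demo_server_env();
    println!("forwarded to MCP server: {:?}", env.passed.keys().collect::<Vec<_>>());
    println!("redacted from host env:  {:?}", env.redacted);
}
```

The redacted list is worth logging or surfacing in the UI: a user who sees that GITHUB_TOKEN was withheld from a server understands the boundary, and a user who needs that server to have a token knows the explicit entry is the sanctioned way to grant it.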

What changed in the story

Early agent coverage often asked whether a system had tools, memory, or subagents. The fresher question is whether the runtime can govern those pieces once they exist. Codex is adding lifecycle and provenance hooks around tool calls. Gemini is moving subagents into a session protocol with activity and cancellation semantics. Gemini's MCP docs are making environment handling explicit.

That does not prove a shared standard is forming. It does show convergent pressure. As coding agents become less like single prompts and more like operating environments, tool execution needs audit trails, not just output text.

Watch the next round of changes for three things: whether lifecycle hooks become public extension contracts, whether session-backed subagents become the default path, and whether MCP provenance becomes visible enough for users to understand which tool actually touched their work.
