When an agent error arrives, whose error is it?
That question used to sound like logging trivia. It stops being trivia when one workspace has concurrent prompts, background jobs, subagents, messaging gateways, a terminal, a desktop app, and remote controllers. A session-wide event is no longer precise enough. The runtime needs to know which run produced an error, which turn launched a tool, which session forwarded a message, which surface can answer a secret prompt, and which device still holds a controller grant.
The one-sentence map is simple: Hermes is building a correlation spine, Crush is pinning errors to runs, OpenClaw is preserving provenance across session handoffs, and Codex is identifying remote controller clients. These are independent implementations, not a shared standard. Together they show the same pressure: every important agent event needs a return address.
Hermes gives the runtime a correlation spine
Hermes Agent commit 0d9b7132f adds what its documentation calls observer-grade telemetry hooks. The important part is not simply that Hermes can emit more telemetry. It is the identity model attached to the events.
The observer contract names stable IDs for sessions, tasks, turns, API requests, tool calls, and parent-child subagent relationships. Tool completion events also carry outcomes such as ok, error, blocked, and cancelled. The docs tell consumers to prefer those explicit fields instead of guessing from callback order or parsing compound identifiers.
That turns a stream of callbacks into a reconstructable execution trail. An observer can link a provider attempt to the turn that caused it, close the span for a blocked tool, or connect delegated child work to the parent turn that spawned it. Hermes also gates expensive payload construction when no observer subscribes and sanitizes payloads for telemetry consumers, showing that provenance has to be useful without becoming an automatic raw-data leak.
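How a consumer might rebuild that trail from explicit IDs, as an added example that is not Hermes code. The event types and field names (tool_call_id, parent_turn_id and so on) are assumptions for illustration, and the events are constructed.

```python
OUTCOMES = {"ok", "error", "blocked", "cancelled"}  # outcomes named in the text

# Constructed events, interleaved across two turns and one subagent.
# Event types and field names are assumptions, not Hermes's schema.
EVENTS = [
    {"type": "tool_start", "turn_id": "t1", "tool_call_id": "c1"},
    {"type": "tool_start", "turn_id": "t2", "tool_call_id": "c2"},
    {"type": "subagent_start", "turn_id": "t9", "parent_turn_id": "t1"},
    {"type": "tool_end", "turn_id": "t2", "tool_call_id": "c2", "outcome": "blocked"},
    {"type": "tool_start", "turn_id": "t9", "tool_call_id": "c3"},
    {"type": "tool_end", "turn_id": "t1", "tool_call_id": "c1", "outcome": "ok"},
]

def build_trail(events):
    """Index tool spans and parent links by explicit ID, never by arrival order."""
    spans, parent_of = {}, {}
    for ev in events:
        if ev["type"] == "subagent_start":
            parent_of[ev["turn_id"]] = ev["parent_turn_id"]
        elif ev["type"] in ("tool_start", "tool_end"):
            span = spans.setdefault(ev["tool_call_id"],
                                    {"turn_id": ev["turn_id"], "outcome": None})
            if ev["type"] == "tool_end":
                if ev["outcome"] not in OUTCOMES:
                    raise ValueError(f"unknown outcome: {ev['outcome']!r}")
                span["outcome"] = ev["outcome"]  # closes the span, blocked included
    return spans, parent_of

def root_turn(turn_id, parent_of):
    """Follow parent links from delegated work back to the originating turn."""
    seen = set()
    while turn_id in parent_of and turn_id not in seen:
        seen.add(turn_id)
        turn_id = parent_of[turn_id]
    return turn_id

def open_spans(spans):
    """Tool calls that started but have no recorded outcome yet."""
    return sorted(cid for cid, s in spans.items() if s["outcome"] is None)
```

Pairing each completion with the most recent start would have closed c1 as blocked here; keying on the tool call ID closes c2, the call that was actually blocked.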
Crush stops one prompt from inheriting another prompt's failure
Charmbracelet Crush commit a6a8459c0 shows the practical bug that appears when attribution is too coarse.
Crush command-line runs can share an event channel with asynchronous workspace activity. Before the patch, an agent error on that channel could abort the current command even when a different background prompt produced it. The fix carries the caller-supplied RunID through notifications and agent events. When an error arrives, the command treats that run ID as authoritative and ignores the failure if it belongs to another request. Older session-scoped errors remain supported as a compatibility fallback.
This is a small patch with a large systems lesson. "The session had an error" is not enough when several things can happen inside the session at once. Operational correctness depends on the narrower question: did this run have the error?
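The attribution rule from this section as an added example, not Crush's own code. AgentError, error_belongs_to_run and the sample events are hypothetical; the sketch assumes an event without a run ID is an older session-scoped one.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class AgentError:
    session_id: str
    run_id: Optional[str]  # None models an older, session-scoped error
    message: str

def error_belongs_to_run(event: AgentError, session_id: str, run_id: str) -> bool:
    """Decide whether the current command should abort on this error."""
    if event.run_id:
        # A run ID is authoritative: a matching session is not enough.
        return event.run_id == run_id
    # Compatibility fallback: older events carry only the session.
    return event.session_id == session_id

def first_fatal_error(events: Iterable[AgentError], session_id: str,
                      run_id: str) -> Optional[AgentError]:
    """Return the first error this run owns, skipping other runs' failures."""
    for event in events:
        if error_belongs_to_run(event, session_id, run_id):
            return event
    return None

# Constructed sample: one shared channel carrying errors from several sources.
SAMPLE_EVENTS = [
    AgentError("sess-1", "run-bg-7", "background prompt: provider timeout"),
    AgentError("sess-2", None, "session-scoped error from another session"),
    AgentError("sess-1", "run-cli-3", "tool call failed"),
    AgentError("sess-1", None, "session-scoped error, no run ID"),
]

if __name__ == "__main__":
    hit = first_fatal_error(SAMPLE_EVENTS, "sess-1", "run-cli-3")
    print(hit.message if hit else "no error for this run")
```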
OpenClaw keeps the sender attached to a session handoff
OpenClaw commit 932d6ea8e applies the same pressure to messages moving between sessions.
A sessions_send handoff has two truths to preserve. In the transcript, the receiving agent needs user-role semantics because the forwarded text is an input. In WebChat, the human reader should not mistake that text for something they typed. The patch projects the message assistant-side with a "Forwarded from" sender label, preserves inter-session provenance, and strips the generated transfer envelope from display text.
That distinction matters because provenance serves both machines and people. The runtime needs the original role to behave correctly; the interface needs the source attribution to remain honest. One message can have stable execution semantics and a different reader-facing projection without losing its origin.
A prompt sent to the wrong surface is no prompt at all
A second Hermes commit, f66a929a6, shows that an event's destination is part of its identity.
Hermes Desktop handled clarification requests but previously dropped approval, sudo, and secret requests. The gateway could block the agent thread waiting for a decision for up to five minutes while the desktop showed nothing. The patch routes active-turn requests into inline approvals and request-ID-keyed overlays, clears prompts when the turn ends, and maps close actions to refusal so silence is not mistaken for consent.
It also distinguishes interactive desktop and TUI surfaces from messaging gateways. A messaging surface that cannot securely capture a secret stays on an unsupported-setup path instead of attempting an interactive prompt. The lesson is blunt: routing an event is not complete until it reaches a surface capable of answering it safely.
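The routing rules from this section as an added example, not Hermes code. PromptRouter, the surface names and the request kinds are hypothetical, and treating a late answer to a cleared prompt as "stale" is an assumption of the sketch.

```python
from dataclasses import dataclass, field

# Assumption: surfaces that can capture a sensitive answer interactively.
INTERACTIVE = {"desktop", "tui"}

@dataclass
class PromptRouter:
    surface: str
    pending: dict = field(default_factory=dict)  # request_id -> (turn_id, kind)

    def route(self, request_id, turn_id, kind):
        """Show the prompt, or report that this surface cannot answer it."""
        if kind == "secret" and self.surface not in INTERACTIVE:
            return "unsupported"  # never attempt an interactive secret prompt here
        self.pending[request_id] = (turn_id, kind)
        return "shown"

    def answer(self, request_id, action):
        """Resolve one prompt by request ID; only an explicit approve grants."""
        if self.pending.pop(request_id, None) is None:
            return "stale"  # unknown or already-cleared request
        return "approved" if action == "approve" else "denied"  # close means refuse

    def end_turn(self, turn_id):
        """Clear every prompt still open for the finished turn."""
        cleared = [rid for rid, (tid, _) in self.pending.items() if tid == turn_id]
        for rid in cleared:
            del self.pending[rid]
        return cleared

def run_sample():
    """Constructed walk-through: one desktop turn and one messaging turn."""
    desktop, chat = PromptRouter("desktop"), PromptRouter("messaging")
    results = [
        desktop.route("req-1", "turn-1", "approval"),
        desktop.route("req-2", "turn-1", "secret"),
        desktop.answer("req-1", "close"),    # closing the overlay is a refusal
        chat.route("req-3", "turn-2", "secret"),
    ]
    desktop.end_turn("turn-1")               # req-2 was never answered
    results.append(desktop.answer("req-2", "approve"))  # too late: prompt cleared
    return results
```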
Codex makes remote controllers identifiable and revocable
OpenAI Codex commit 98a62a62c moves the same identity problem out to controller devices.
The experimental app-server RPCs let clients list and revoke remote-control grants by environment and client ID. The picker-facing response can include a display name, device type, platform, operating-system version, device model, app version, and last-seen time. The management operations work independently of relay enrollment state, so a stale grant can be identified and removed without first enabling the relay it once controlled.
Remote control changes the trust boundary. Once more than one device can steer an environment, "remote control is enabled" is too coarse. Operators need to know which client has the grant and revoke that client specifically.
The agent runtime is becoming a distributed system
The May 28 edition argued that agent UI is becoming the control room. These commits expose the infrastructure that control room now needs underneath it.
Hermes attaches lifecycle correlation IDs. Crush rejects errors from the wrong run. OpenClaw keeps a forwarded message's source visible. Hermes routes blocking prompts only to surfaces that can answer them. Codex identifies remote controller clients so their grants can be managed individually.
None of that proves a shared provenance standard or complete auditability. It does show a category consequence for agent infrastructure: as agent work spreads across more concurrent processes and more human surfaces, identity stops being optional metadata. It becomes the mechanism that keeps the right event attached to the right owner.