The practical question for agent builders is no longer just "what is the policy?" It is "where does the human touch the policy while the agent is already moving?"
Today's code answers from several directions. OpenClaw turns Google Chat approval prompts into native cards with callback tokens. Crush adds a grace period so a stray keystroke cannot accidentally resolve a permission dialog the instant it appears. Hermes gives desktop users a steering control for a live run, then hardens the prompt path so the model can trust that mid-turn message without mistaking it for tool-output injection. Codex improves TUI configuration errors so the operator sees the actionable cause, not just the wrapper.
The one-sentence map is this: agent control is becoming a live interface problem. The important surface is not only the settings file or the sandbox policy; it is the button, keypress, inline transcript note, and error message that decide whether a person can safely steer, approve, deny, or repair an agent at the right moment.
Approvals are becoming native chat objects
OpenClaw commit d7759c6a adds native Google Chat approval cards for exec and plugin approvals that originate in Google Chat spaces or threads. The docs say those cards appear when a stable users/<id> approver is configured, and that the card buttons use opaque callback tokens while manual /approve text remains the fallback when native delivery is unavailable.
That sounds like channel polish until you look at the risk surface. The new runtime code binds a token to the account, approval id, approval kind, allowed decisions, space, message, optional thread, and expiry. The click handler rejects unknown, expired, account-mismatched, space-mismatched, message-mismatched, unauthorized, and duplicate in-flight clicks before resolving the approval through the gateway.
In other words, the approval moved closer to the user without becoming a dumb button. The interface is doing provenance work. The human sees "Allow Once" in the place where the request started, while the runtime still has to know who clicked, which message they clicked, which decision was allowed, and whether the card is still valid.
A keypress can be a safety bug
Crush commit 7da9695f is much smaller, but it carries the same lesson. Permission dialogs now open with an input grace period. For a short window, the overlay absorbs keypresses that may have been meant for the previously focused component. Each absorbed key resets the quiet timer, and a maximum delay prevents auto-repeat from keeping the dialog disarmed forever.
The commit applies that grace path to permission and authentication dialogs. Tests separately confirm which keys resolve permissions, then cover the dialog behavior around remote grants, denies, and pending notifications.
This is the kind of change that tells you an agent product has left the happy-path demo. In a terminal agent, a single keystroke can mean "type another character" or "allow the tool." The boundary between those meanings is user interface timing, not abstract policy. If the dialog appears asynchronously, the product has to defend the approval surface from input that was already in flight.
Steering is becoming a first-class mid-run lane
Hermes Agent commit 40aef6af adds an explicit desktop affordance for steering a live run. When the agent is busy and the draft is text-only, the composer can show a steering-wheel button. Cmd/Ctrl+Enter sends the draft through session.steer, and plain Enter still queues the message for the next turn. If the gateway rejects the steer because there is no live tool window, the words are re-queued so the user does not lose them.
That is an important distinction. Queueing says "use this later." Steering says "change course now, without interrupting." For long-running agent work, that can be the difference between letting a bad path finish and nudging the agent before the next tool call.
Minutes later, Hermes commit 0f45509d hardens the model side of that lane. A mid-turn steer has to ride inside a tool result because that is the role-alternation-safe slot. A bare "User guidance" line was being treated as untrusted tool content. The patch wraps the steer in an explicit out-of-band user-message marker, adds a system-prompt note telling the model to trust that exact marker and ignore lookalikes in tool, web, or file output, and changes the desktop acknowledgement from a toast to an inline transcript note.
The useful pattern is not "Hermes added a button." It is that a new live-control surface needed UI affordance, fallback behavior, transcript evidence, prompt-channel attribution, and injection caveats. A control that reaches the model mid-turn has to be treated as interface and security boundary at the same time.
Repair has to show the cause
OpenAI Codex commit 3acd71fe is about configuration errors rather than approvals. The TUI already wrapped app-server failures with local context such as a batch-write failure. The problem was that user-visible paths could show only the wrapper, hiding the actionable source message.
The patch adds a formatter for the error source chain and uses it across model persistence, feature persistence, project trust, status line writes, hook trust, and hook enablement. New snapshots cover chained errors in chat history and trust-directory onboarding.
This belongs in the same story because live control fails if the operator cannot tell what went wrong. A permission button, a steering action, and a config update all need a repair loop. If the interface shows only "failed," the human is present but powerless. If it shows the validation constraint or read-only home cause, the operator has a next action.
The control plane is becoming touchable
Recent editions covered adjacent layers: failure states becoming instructions, events getting return addresses, and identity becoming runtime infrastructure. Today's movement is more tactile. It is about the last inch between the running agent and the person responsible for it.
OpenClaw is bringing approvals into the chat surface where the run began. Crush is making sure the permission dialog does not inherit accidental keystrokes. Hermes is making live steering reachable, attributed, and visible in the transcript. Codex is turning hidden error causes into operator-facing diagnostics.
This does not prove a shared interface standard, and it does not prove every project will choose the same chat cards, keyboard grace periods, steering markers, or error formatters. It does show a category consequence for agent products: safety and usability are converging in the live control surface. The system can have the right policy on paper and still fail the human if the approval arrives in the wrong place, the wrong key resolves it, the mid-turn instruction looks like tool injection, or the repair message hides the cause.
The next thing to watch is whether these live controls become auditable records. Once a human can steer, approve, deny, or repair an agent mid-run, the product has to preserve not just what the agent did, but which interface let the human change it.