The important trust decision in an agent session is not always the dramatic one where a model asks to run a command.
This morning's strongest code trail sits earlier. Pi is adding project trust decisions before project-local instructions, settings, packages, and extensions are loaded. OpenClaw is refusing to send local approval-runtime authority to gateways that might be remote or environment-selected. Codex is pairing thread working directory and environment settings so the next turn does not inherit a half-updated execution context.
Together, the commits describe a practical shift: agent systems are moving trust into preflight state. Before the first tool call, the runtime has to know which local files are allowed to shape the agent, which endpoint is allowed to receive local approval tokens, and which environment belongs to the thread.
Pi puts project trust before project inputs
Pi's new project-trust work is the clearest version of the pattern. In commit 718215bd, the coding-agent docs and resource loader introduce an explicit rule: before a project is trusted, Pi loads only user/global extensions and command-line extensions that can participate in the trust decision. Project-local extensions, package-managed extensions, project settings, and project instructions wait until the project has been trusted.
That boundary matters because a coding agent's first "context" is not neutral. Files such as `AGENTS.md`, `.pi` settings, skills, packages, and local extensions can all steer the model or runtime. If those inputs load before the user or a trusted policy extension has decided whether the folder is safe, the trust prompt arrives too late.
The follow-up commit d8aef0fe makes the trust API more composable. Project-trust handlers can return yes, no, or undecided. That lets one extension defer to another handler or to the built-in trust flow instead of forcing every policy hook to become the final authority.
The safety line is narrow on purpose
Pi's security documentation keeps the claim honest. Commit ce3a7244 documents the local coding agent's security model: Pi runs with the permissions of the user account. Project trust controls whether project-local inputs are loaded; it is not a sandbox for commands, filesystem access, network access, or credentials.
That distinction is the useful part. Pi is not pretending a trust prompt can replace OS isolation. The v0.79.0 release commit c10fb95f presents project trust as a local-input gate and extension surface, not as a universal permission system.
So the claim is precise: Pi is moving trust earlier in the input-loading path. The hard isolation boundary still belongs to an external sandbox, container, micro-VM, remote runner, or policy layer.
OpenClaw fences the approval runtime
OpenClaw shows the same preflight problem from a different angle. Commit 43acf3a4 changes gateway behavior so local approval-runtime tokens are only sent to local targets. The commit message and tests focus on an easy-to-miss case: an environment-selected gateway URL may point to a tunnel or another remote gateway even if the local process is the one making the call.
The code responds by resolving a gateway target as local or remote before deciding whether to attach local approval authority. Remote or explicitly configured gateway calls do not receive the local approval-runtime token; environment-selected calls get device identity instead.
That is not a new model capability. It is a runtime guardrail around where authority is allowed to travel. The trust question is answered before the request is sent.
Old approvals need a session boundary
Another OpenClaw fix, commit 2ffbea20, catches stale approval follow-ups after a session rebind. The bug shape is familiar to anyone building long-running agent interfaces: an approval request is made in one session, the user starts or resets into another session, and the resolved follow-up can land in the wrong place if it is routed only by a broad session key.
The fix captures the expected session id when the approval request is made and drops the follow-up if that key has been rebound. It is another early binding decision. Before carrying approval output forward, the runtime checks whether the session identity still matches.
Codex pairs the execution context
Codex's f3c1283 commit is less visibly about security, but it belongs in the same article because it protects the shape of the next turn. The commit explains that thread working directory and environment selections are one logical setting in core; updating one without the other can silently desynchronize the next-turn execution context.
The change moves the pair through internal thread settings, preserving the public parameter shape while aligning the core state that subsequent turns inherit. In agent systems, "where am I running?" and "which environment am I using?" are not cosmetic labels. They decide what files, tools, and assumptions a model sees when it acts.
The pattern is preflight state
The common thread is not that Pi, OpenClaw, and Codex have adopted one shared standard. They have not. The code shows independent repairs in different layers: local project loading, gateway authority, approval follow-ups, and thread environment state.
The pattern is that agent trust is becoming less like a single pop-up and more like a chain of early bindings. Which project inputs may load? Which extension may decide trust? Which gateway can receive approval authority? Which session owns this follow-up? Which environment belongs to this thread?
Those questions sound mundane until they fail. Then the model can be steered by local files it should not have loaded, an approval token can travel to the wrong endpoint, a stale action can appear in a new session, or the next turn can run in an environment the user did not mean to select.
That is why today's edition pairs this lead with a long-form Pi companion. Pi is now on the watchlist not just because it is a coding agent, but because its source makes this preflight trust layer unusually visible.