
Agent Tools Are Moving Safety Into Boundaries

Gemini CLI, LangChain, and Codex landed fresh patches that put agent safety in filesystem checks, type gates, pending-tool waits, and permission-path parsing.

A rough zine-style Diagram Punk poster with Gemini CLI, LangChain, and Codex evidence cards pointing to a circled conclusion that safety moves into boundaries.
Diagram Punk: safety moves into the code boundaries.

Evidence: 4 linked commits / June 16, 2026 / Daily Edition

google-gemini/gemini-cli merged commit bca5667 on June 15 to block path traversal during skill installation and uninstallation, adding tests for .., absolute-path names, unsafe subpaths, and sibling-directory deletion attempts.

Facts

  • Gemini CLI commit 0f8a157 makes the A2A server yield when tools are still waiting for approval and routes task configuration through explicit trust handling.
  • LangChain commit afff89a removes the disallow_any_generics = false mypy escape hatch and adjusts core message, prompt, and runnable types.
  • OpenAI Codex commit 46f1793 switches filesystem permission paths for the exec server to PathUri, a stricter boundary representation in core session tooling.

Evidence

The common move is guardrail work: sanitize the folder a skill can write to, pause while tools need user approval, make generic typing explicit, and normalize permission paths.

Context

For builders and operators, these are the places agent systems fail quietly: a skill archive escaping its directory, a pending tool continuing as if approved, a permissive type alias hiding shape, or a permission path being parsed loosely.
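The first of those failure modes, a skill archive escaping its directory, is the one the Gemini CLI patch is described as testing. As an added example (not code from Gemini CLI or any other project on this page), here is a lexical containment check of the kind that blocks the cases the story lists: a skill name must be a single path segment, and every path resolved for install or uninstall must stay beneath that skill's directory under the skills root. The root /srv/skills, the function names and the sample inputs are assumptions.

```typescript
import { resolve, relative, isAbsolute, sep } from "node:path";

// Added example, not Gemini CLI code: containment checks for skill
// install/uninstall paths. Function and directory names are assumptions.

export type SkillPathCheck =
  | { ok: true; path: string }
  | { ok: false; reason: string };

// True when `candidate` is `parent` itself or lies beneath it.
// Both sides are resolved first, so "a/../b" segments are collapsed.
export function isContained(parent: string, candidate: string): boolean {
  const rel = relative(resolve(parent), resolve(candidate));
  if (rel === "") return true;        // candidate is parent itself
  if (isAbsolute(rel)) return false;  // different drive or root
  // Only a leading ".." *segment* escapes; a name such as "..cache" is fine,
  // which is why a plain startsWith("..") test would be wrong here.
  return rel !== ".." && !rel.startsWith(`..${sep}`);
}

// A skill name must be exactly one path segment: no separators, no absolute
// path, no "." or "..". This keeps install/uninstall from ever targeting the
// skills root itself or a sibling directory of the skills root.
export function checkSkillName(name: string): SkillPathCheck {
  if (name.length === 0) return { ok: false, reason: "empty skill name" };
  if (isAbsolute(name)) return { ok: false, reason: "absolute path as skill name" };
  if (name === "." || name === "..") return { ok: false, reason: "dot segment as skill name" };
  if (name.includes("/") || name.includes("\\")) {
    return { ok: false, reason: "skill name contains a path separator" };
  }
  return { ok: true, path: name };
}

// Resolve `subpath` (default: the skill directory itself) for skill `name`
// under `skillsRoot`, refusing anything that leaves that skill's directory.
// Install writes archive entries through this; uninstall deletes the result.
export function resolveSkillPath(
  skillsRoot: string,
  name: string,
  subpath: string = "",
): SkillPathCheck {
  const nameCheck = checkSkillName(name);
  if (!nameCheck.ok) return nameCheck;

  const root = resolve(skillsRoot);
  const skillDir = resolve(root, name);
  // Defence in depth: even with a valid name, the skill dir must be strictly
  // inside the root, so uninstall can never be pointed at the root itself.
  if (skillDir === root || !isContained(root, skillDir)) {
    return { ok: false, reason: `"${name}" does not resolve inside ${root}` };
  }

  const target = subpath === "" ? skillDir : resolve(skillDir, subpath);
  if (!isContained(skillDir, target)) {
    return { ok: false, reason: `"${subpath}" escapes ${skillDir}` };
  }
  return { ok: true, path: target };
}

// Constructed sample run: archive entry names as an installer would see them.
const samples: Array<[string, string]> = [
  ["weather", "templates/../SKILL.md"], // stays inside the skill dir
  ["../evil", ""],                      // traversal in the skill name
  ["/etc", ""],                         // absolute path as skill name
  ["weather", "../other"],              // sibling-directory target
];
for (const [name, sub] of samples) {
  console.log(name, sub, resolveSkillPath("/srv/skills", name, sub));
}
```

These checks are purely lexical. A real installer should additionally call realpath on the skills root before comparing, and refuse symlink entries inside an archive, because a symlink created by one entry can turn a later, lexically safe write into an out-of-tree write.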

Limits

The commits are independent and mostly infrastructure-level. They do not prove one shared safety architecture, but they show active projects pushing safety out of policy language and into code boundaries readers can inspect.

Evidence Trail

Receipts below the story

The article above is the public narrative. This section keeps the source trail, limits, and reporting notes on the same page.

Edition
Date: June 16, 2026
Lane: Daily Edition
Confidence: 78%
Sources: 4
Repos: google-gemini/gemini-cli, langchain-ai/langchain, openai/codex

Reporter Notes

  • Gemini CLI's skill patch is the strongest concrete fact because it names a vulnerable class of bug and shows tests that prevent directory escape during install, link, and uninstall flows.
  • Gemini CLI's pending-tools patch supplies the runtime approval dimension: when tools are not approved yet, the server yields instead of treating the turn as finished.
  • LangChain's typing change is a boundary in a different layer. It is not an agent runtime feature, but it matters because LangChain core is a shared library surface for message and runnable shapes.
  • Codex's PathUri patch adds another filesystem-boundary example without making OpenAI/Codex the dominant source set again.

Primary Evidence

Evidence Limits

  • The article does not claim the projects coordinated or adopted one shared safety architecture.
  • The evidence is implementation-level. It does not prove user-facing security posture, release timing, or exploit history.
  • The lead uses commit-level public evidence; it does not rely on private scanner output or local-only paths.