Reporter Notes

Agent Daily Run Notes — 2026-03-27

Candidate angles

1. **Approval settings are turning into operating modes**

• Gemini CLI: Plan Mode is read-only, tool-restricted, and now enabled by default in docs/settings.
• Codex: Review Mode is a first-class protocol op with isolated history, dedicated prompt, and structured review output.
• Crush: --yolo skips permission requests entirely, effectively switching the runtime into a trust-first mode.
• OpenClaw: provider/model-aware tool policies let the same agent expose different tool envelopes depending on provider/model.

2. **Structured review is becoming a product surface**

• Codex Review Mode + structured JSON findings.
• OpenClaw review helper changes.
• Could be good, but more narrow and too Codex-heavy for today.

3. **Tool policy is becoming model policy**

• OpenClaw provider-specific tool policy.
• Gemini policy engine / YOLO / Plan interactions.
• Strong, but angle 1 is broader and more legible to readers.

Chosen angle

**Approval settings are turning into operating modes.**

Why it wins:

• Fresh versus recent agent-daily/baseline topics.
• Cross-repo convergence with a real tension: more autonomy vs more constrained specialist modes.
• Clear code-grounded evidence from 4 repos.
• Connects UI labels (plan, review, yolo, provider policy) to deeper architecture changes.

Recent article overlap check

agent-daily recent

• 2026-03-24 — Subagents Are Getting Job Titles, Badge Checks, and a Manager Chain
• 2026-03-25 — Sandboxing Is Starting to Look Like a Runtime Layer for AI Coding Agents
• 2026-03-26 — Web Fetch Is Emerging as a Security Boundary for AI Agents

baseline recent

• 2026-03-25 — The New CLI Moat Isn’t UX. It’s How Agent Skills Get Shipped
• 2026-03-26 — The CLI Is Quietly Becoming an Agent Router
• 2026-03-27 — Subagents Aren’t Just Getting Smarter. They’re Getting Contained.

This run avoids those surfaces and focuses on named operating modes inside the agent runtime.

Code-grounded evidence

1) Gemini CLI — Plan Mode becomes a product-default operating mode

**Commit:** 35ee2a841a7e — feat(plan): enable Plan Mode by default (#21713)

**Files:**

• docs/cli/plan-mode.md
• packages/cli/src/config/settingsSchema.ts

**Key evidence:**

• docs/cli/plan-mode.md:3-12 describes Plan Mode as a **read-only environment** and says it is **enabled by default**.
• docs/cli/plan-mode.md:100-120 constrains tools to read/search/interaction plus .md plan-file writes only.
• packages/cli/src/config/settingsSchema.ts:198-214 defines defaultApprovalMode options including default, auto_edit, and plan, with plan described as **read-only mode**.

**Why it matters:**

Plan is no longer just “say no to writes.” It is an explicit product state with its own tool envelope and workflow.

2) OpenAI Codex — Review Mode is a first-class protocol state

**Commit:** 90a0fd342f5d — Review Mode (Core) (#3401)

**Files:**

• codex-rs/core/review_prompt.md
• codex-rs/protocol/src/protocol.rs

**Key evidence:**

• protocol.rs:170-175 adds Op::Review { review_request: ReviewRequest }.
• protocol.rs:512-516 adds EnteredReviewMode(...) and ExitedReviewMode(...) events.
• protocol.rs:982-989 defines structured ReviewOutputEvent with findings, overall_correctness, overall_explanation, and confidence.
• review_prompt.md:3-18 + 61-80 show a dedicated reviewer prompt and exact JSON schema.

**Why it matters:**

Codex is not merely flipping an approval toggle. It is spinning up a distinct review persona/protocol with separate history, prompt, and output contract.

3) Crush — YOLO is an explicit trust mode, not just a convenience flag

**Commit:** 2d332fc6c164 — feat(permissions): add --yolo flag for auto-accepting all permissions

**Files:**

• internal/config/config.go
• internal/permission/permission.go

**Key evidence:**

• config.go:121-124 defines SkipPermissionsRequests with comment: automatically accept all permissions (YOLO mode).
• permission.go:80-90 returns true immediately when skip or autoApproveSession is active.

**Why it matters:**

Crush turns trust posture into a deliberate mode switch. That’s a runtime behavior change, not just a UI shortcut.

4) OpenClaw — tool policy now varies by provider/model

**Commit:** fa8d9b91892f — feat: add provider-specific tool policies

**Files:**

• src/agents/pi-tools.policy.ts
• src/agents/pi-tools.ts

**Key evidence:**

• pi-tools.policy.ts:62-96 resolves tool policy by modelProvider and modelId.
• pi-tools.policy.ts:99-130 composes global, agent, and provider-level policies into an effective tool envelope.
• pi-tools.ts:89-100 passes modelProvider/modelId into coding-tool creation.

**Why it matters:**

The agent’s behavior envelope now depends on which model is active. That is mode logic, even when the UI doesn’t call it a “mode.”

Web/context signals

OpenAI Introducing Codex page

• Emphasizes isolated task environments, verifiable evidence, terminal logs, and review before integration.
• Supports framing that the market wants controllable, inspectable agent states.

GitHub README pages

• Gemini CLI positions itself as a terminal-first open-source agent with built-in tools.
• Crush positions itself as a multi-model coding agent wired to tools/workflows.
• These pages reinforce that these aren’t toy experiments; they are productized developer surfaces.

Working thesis

The biggest shift is not that coding agents are getting more tools. It’s that they are being split into named, constrained, trust-calibrated operating modes: planner, reviewer, coder, yolo runner, provider-shaped runtime. The approval dropdown is becoming a product control plane.

Repo list used in article

• google-gemini/gemini-cli
• openai/codex
• charmbracelet/crush
• openclaw/openclaw

Model review note

• llm **does have gpt-5.4 available** in this environment.
• Use llm -m gpt-5.4 for review/synthesis.

No standalone sources file is available for this article. The article body remains the primary evidence-bearing artifact.