Agent Runtimes Are Learning to Audit Their Own Tools
May 19, 2026 / Daily Edition / 8 source signals.
Reporter Notes
The final angle is a runtime-governance story rather than a feature-launch story.
Codex's ToolLifecycleContributor work matters because it gives extensions a host-owned observation point for tool execution. The notable detail is the split between observation and control: the PR says lifecycle contributors can observe accepted starts and finishes, while policy hooks and tool handlers still own blocking, rewriting, and execution. That is a trust architecture move, not just a logging addition.
Codex's plugin MCP metadata work complements that lifecycle hook. If a tool call comes from plugin-backed MCP, the host can carry plugin provenance in request metadata. That is a small field, but it answers a hard operational question: when several layers can provide tools, which layer was responsible for this one?
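The observation/control split and the provenance field described above, as an added sketch that is not Codex's code: `createHost`, `onStart`/`onFinish`, the request shape and the `pluginId` field are hypothetical names, and reporting a blocked call as a finish without a start is this sketch's assumption. Only the four outcome names come from the commit evidence.

```javascript
// Added sketch, not Codex's API: createHost, onStart/onFinish and the request shape are hypothetical.
function createHost({ policyHooks = [], observers = [], handlers = {} }) {
  // Observation plane: observers get a frozen copy, return values are ignored, throws are isolated.
  const notify = (method, req, extra = {}) => {
    const event = Object.freeze({ tool: req.tool, source: Object.freeze({ ...req.source }), ...extra });
    for (const obs of observers) {
      try { if (obs[method]) obs[method](event); } catch (_) { /* cannot affect the call */ }
    }
  };
  return function callTool(request) {
    let req = { ...request };
    // Control plane: only policy hooks may block or rewrite a call.
    for (const hook of policyHooks) {
      const verdict = hook(req) || {};
      if (verdict.block) {
        // Assumption: a blocked call is reported as a finish without a start.
        notify("onFinish", req, { outcome: "blocked" });
        return { outcome: "blocked", reason: verdict.block };
      }
      if (verdict.args) req = { ...req, args: verdict.args };
    }
    notify("onStart", req); // emitted only for accepted calls
    let outcome = "completed", result;
    try { result = handlers[req.tool](req.args); }
    catch (err) { outcome = err && err.name === "AbortError" ? "aborted" : "failed"; }
    notify("onFinish", req, { outcome });
    return { outcome, result };
  };
}

// Constructed demo: a misbehaving observer, an audit observer, and a provenance-based policy.
function runDemo() {
  const audit = [];
  const callTool = createHost({
    policyHooks: [(req) => (req.source.pluginId === "untrusted.example" ? { block: "plugin not allowed" } : null)],
    observers: [
      { onStart: (e) => { e.tool = "tampered"; throw new Error("observer bug"); } },
      { onStart: (e) => audit.push(`start ${e.tool} via ${e.source.pluginId || e.source.kind}`),
        onFinish: (e) => audit.push(`finish ${e.tool} ${e.outcome}`) },
    ],
    handlers: { echo: (args) => args.text, boom: () => { throw new Error("handler failed"); } },
  });
  const results = [
    callTool({ tool: "echo", args: { text: "hi" }, source: { kind: "plugin-mcp", pluginId: "notes.example" } }),
    callTool({ tool: "boom", args: {}, source: { kind: "direct" } }),
    callTool({ tool: "echo", args: { text: "x" }, source: { kind: "plugin-mcp", pluginId: "untrusted.example" } }),
  ];
  return { audit, results };
}
```

The audit observer still records the true tool name and outcome after the first observer tries to tamper with the event and throws, which is the property that makes the observation point usable as an audit trail.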
Gemini CLI's LocalSessionInvocation points at the same pressure from the subagent side. It turns local subagent execution into a session-backed invocation, publishes activity through a message bus, records running/completed/error/cancelled states, sanitizes activity content, and wires abort behavior. The companion flag, experimental.adk.agentSessionSubagentEnabled, frames this as a path away from legacy executors and toward AgentSession protocol routing.
Gemini's MCP environment documentation adds the security edge: the project is making explicit which host environment variables should not leak to arbitrary MCP servers, and how a user should intentionally pass a token when a server really needs it.
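The redaction policy described above, as an added example that is not Gemini CLI's code: the name and value patterns, `buildMcpServerEnv` and the `serverConfig.env` shape are assumptions for illustration, and the sample environment is constructed.

```javascript
// Added illustration; these patterns are assumptions, not Gemini CLI's actual redaction list.
const SENSITIVE_NAME = /(TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|CREDENTIAL|PRIVATE_?KEY)/i;
// Values that look like credentials even under an innocuous variable name.
const SENSITIVE_VALUE = [/^-----BEGIN [A-Z ]*PRIVATE KEY-----/, /^gh[pousr]_[A-Za-z0-9]{20,}$/];

function isSensitive(name, value) {
  return SENSITIVE_NAME.test(name) || SENSITIVE_VALUE.some((re) => re.test(String(value)));
}

// Build the environment handed to one MCP server process.
// hostEnv: the parent environment (for example process.env).
// serverConfig.env: variables the user explicitly configured for this server.
function buildMcpServerEnv(hostEnv, serverConfig = {}) {
  const childEnv = {};
  const redacted = [];
  for (const [name, value] of Object.entries(hostEnv)) {
    if (value === undefined) continue;
    if (isSensitive(name, value)) redacted.push(name); // inherited secret: dropped
    else childEnv[name] = value;
  }
  // Explicit configuration is the trusted override: applied last and not filtered,
  // so a token reaches only the server it was configured for.
  for (const [name, value] of Object.entries(serverConfig.env ?? {})) {
    childEnv[name] = String(value);
  }
  return { childEnv, redacted: redacted.sort() };
}

// Constructed sample host environment and server entry.
const SAMPLE_HOST_ENV = {
  PATH: "/usr/bin:/bin",
  HOME: "/home/dev",
  GITHUB_TOKEN: "ghp_" + "a".repeat(36),
  AWS_SECRET_ACCESS_KEY: "constructed-secret",
  DEPLOY_CFG: "ghp_" + "b".repeat(36), // secret-shaped value under a harmless name
};
const SAMPLE_SERVER = { env: { GITHUB_TOKEN: "server-scoped-token" } };
```

Logging the `redacted` names (never the values) gives an operator a record of what a third-party server was denied.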
Taken together, the evidence supports a cautious claim: the next agent CLI layer is less about raw tool count and more about auditable boundaries around tools and subagents.
Primary Evidence
- OpenAI Codex commit c69cde3547c87c3423434ff37273dcadbcce8817, Add tool lifecycle extension contributor (#23309): https://github.com/openai/codex/commit/c69cde3547c87c3423434ff37273dcadbcce8817
  - Evidence used: adds ToolLifecycleContributor, typed tool start and finish callbacks, source metadata for direct and code-mode calls, and outcomes for completed, blocked, failed, and aborted tool calls.
- OpenAI Codex PR #23309, Add tool lifecycle extension contributor: https://github.com/openai/codex/pull/23309
  - Evidence used: PR framing that lifecycle contributors observe accepted tool starts and finishes while other runtime layers remain responsible for policy and execution.
- OpenAI Codex commit a66e0e9c4b2978121ed1cd4242f7f62dd027423f, Include plugin id in plugin MCP tool metadata (#23353): https://github.com/openai/codex/commit/a66e0e9c4b2978121ed1cd4242f7f62dd027423f
  - Evidence used: plugin-backed MCP tool calls now carry plugin provenance in request metadata, with test coverage for MCP_TOOL_PLUGIN_ID_META_KEY.
- Google Gemini CLI commit 6973b963aebf3397d53c8c42eb0357b2d9eb5edb, feat(core): add LocalSessionInvocation (#26665): https://github.com/google-gemini/gemini-cli/commit/6973b963aebf3397d53c8c42eb0357b2d9eb5edb
  - Evidence used: adds session-backed local subagent invocation, subagent activity events, sanitized activity display, result formatting, cancellation/error states, abort wiring, and parent observer cleanup tests.
- Google Gemini CLI commit 5611ff40e7ace8157fbeee97d459178e988862f3, feat(core): add adk.agentSessionSubagentEnabled flag (#26947): https://github.com/google-gemini/gemini-cli/commit/5611ff40e7ace8157fbeee97d459178e988862f3
  - Evidence used: adds agentSessionSubagentEnabled configuration support and documents routing subagent invocations through the AgentSession protocol instead of legacy executors.
- Google Gemini CLI PR #26947, feat(core): add adk.agentSessionSubagentEnabled flag: https://github.com/google-gemini/gemini-cli/pull/26947
  - Evidence used: merged PR and changed files tying the new setting to ADK AgentSession-based subagent execution.
- Google Gemini CLI commit 0c0d88d90b2878e34126737ef9218f9e7e3dec3e, docs(extensions): clarify env var sanitization policy for MCP and ext... (#22854): https://github.com/google-gemini/gemini-cli/commit/0c0d88d90b2878e34126737ef9218f9e7e3dec3e
  - Evidence used: clarifies that sensitive host environment variables are redacted before third-party MCP servers receive environment data, with explicit configuration as the trusted override path.
- Google Gemini CLI MCP server documentation: https://github.com/google-gemini/gemini-cli/blob/main/docs/tools/mcp-server.md
  - Evidence used: public documentation for MCP server environment handling and sensitive variable redaction.
Evidence Limits
- The article does not claim Codex and Gemini share an implementation, standard, or coordinated roadmap.
- The article treats lifecycle contributors, plugin metadata, session-backed subagents, and MCP environment redaction as evidence of convergent runtime-governance pressure, not as proof of feature parity.
- The Gemini AgentSession subagent setting is explicit rollout plumbing; this evidence does not prove that AgentSession-backed subagents are the default path for all users.
- Commit and PR evidence can show what changed in source, but it does not prove release timing, downstream adoption, or how every end-user installation behaves.
Open Questions
- Whether Codex's lifecycle contributor API becomes a general extension contract or remains focused on specific internal contributors such as goal progress accounting.
- Whether Gemini CLI makes AgentSession-backed subagents the default after the experimental flag proves stable.
- Whether the two ecosystems converge on similar names for tool provenance, lifecycle outcomes, and subagent activity, or keep incompatible host-specific contracts.
- Whether readers care more about the security angle, the debugging angle, or the product UX angle. Letters & Corrections should ask for that feedback.