Evidence Trail

Agent Runtimes Are Making Their Limits Explicit

May 22, 2026 / Daily Edition / 8 source signals.

repo charmbracelet/crush main

8 source signals 2 repos 96728b1

> 96728b1 / May 22, 2026 / Daily Edition

Reporter Notes

The strongest story is not "permissions got better" or "context windows are hard" in isolation. The shared pattern is that agent boundaries are becoming inspectable runtime facts:

Crush distinguishes a safe-looking shell read from a composed shell expression and routes the latter through permission prompting.
Crush also hardens the permission service state that makes those prompts meaningful under concurrent runtime conditions.
LangChain makes prompt-too-long failures catchable under a standard context-overflow abstraction and moves OpenAI context-size lookup toward model profiles.

This gives the article a practical builder consequence: explicit runtime contracts make it possible to ask, deny, summarize, retry, and explain instead of failing as an opaque side effect.

Primary Evidence

Charmbracelet Crush commit 96728b15, feat(permissions): require a permission prompt for chained commands: https://github.com/charmbracelet/crush/commit/96728b15d037f187424db63cd6bdb20a01fbe08f
Evidence used: modifies internal/agent/tools/bash.go, internal/agent/tools/safe.go, internal/agent/tools/bash_test.go, and internal/agent/tools/safe_test.go; adds chained-command detection and prevents chained shell commands from being treated as safe read-only.
Charmbracelet Crush commit 6b312bee, fix: potential data race on permissionService (#2964): https://github.com/charmbracelet/crush/commit/6b312bee06bf3ca90ba587035a7287594b97e186
Evidence used: modifies internal/permission/permission.go and internal/permission/permission_test.go; introduces atomic skip-state handling, mutex-protected auto-approve session state, and a concurrent skip-mode test.
LangChain commit 40c515c7b, fix(fireworks): raise ContextOverflowError on prompt-too-long (#37458): https://github.com/langchain-ai/langchain/commit/40c515c7b18830460672b455b74e9d7140d2a03b
Evidence used: modifies the Fireworks chat model and unit tests so prompt-too-long invalid requests become FireworksContextOverflowError while remaining catchable as ContextOverflowError.
LangChain commit 2259d292, fix(openai): broaden condition for ContextOverflowError to accommodate other providers (#37457): https://github.com/langchain-ai/langchain/commit/2259d29231633bb8baae76bf1c8f16367002397b
Evidence used: broadens OpenAI context-overflow detection to include additional provider phrasing, including "prompt is too long."
LangChain commit 992c613b, fix(openai): source LLM context size from model profiles (#37489): https://github.com/langchain-ai/langchain/commit/992c613b51fb40213dc1e0156ce0d66db6771055
Evidence used: changes BaseOpenAI.modelname_to_contextsize to prefer profile max_input_tokens, marks the helper deprecated, and keeps a legacy fallback mapping.
LangChain commit 36c381b, fix(langchain): alias Bedrock providers in summarization token check (#37453): https://github.com/langchain-ai/langchain/commit/36c381b1496827db4405e49918e64cfda87ae701
Evidence used: adds provider alias matching for Bedrock summarization token checks, supporting the broader context-control theme.
Crush permissions documentation: https://charmbracelet-crush.mintlify.app/configuration/permissions
Evidence used: public docs state that Crush prompts before tool calls by default and supports configuring allowed or disabled tools.
LangChain Deep Agents context-engineering documentation: https://docs.langchain.com/oss/python/deepagents/context-engineering
Evidence used: public docs describe standard ContextOverflowError handling as a trigger for summarization and retry in deep-agent workflows.

Evidence Limits

This article does not claim Crush and LangChain share an implementation or standard.
The article relies only on the cited Crush and LangChain public artifacts and does not make claims about watched projects that are not represented in the evidence above.
The article treats commits and public docs as evidence of current direction, not as a guarantee of released package behavior in every downstream installation.
The LangChain context-overflow evidence supports catchability and profile-backed limits; it does not prove that every provider integration now normalizes context errors the same way.

Open Questions

Whether Crush will expose richer permission history or audit views around these boundaries.
Whether LangChain will normalize context-overflow behavior across more providers beyond the commits cited here.
Whether users respond more strongly to permission-boundary stories, context-control stories, or the combined runtime-contract framing.