AI Agent Recovery and Permission Controls Move Down the Stack
Today’s strongest new evidence comes from runtime mechanics: whether an agent can restore the correct capabilities after hibernation, preserve approval boundaries while unattended, and keep browser activity within authorized domains is becoming a production threshold.
How the RISC Machine Works
RISC = the four systems of a production-grade agent / robotic body
A truly production-grade agent needs more than a brain. It must run continuously, reason and act, withstand errors, attacks, and poisoning, and participate in real-world networks of collaboration.
ALUX Daily Radar
Recovery Semantics Are Becoming a Public Product Capability
Hibernation, OAuth, capability advertisement, and thread recovery are no longer internal implementation details; they are becoming trust thresholds for agent platforms.
Application-Layer Policies Could Take Over the Runtime Narrative
Frameworks have already absorbed domain allowlists, parameter-level permissions, and headless approval controls; ALUX must prove that these constraints cannot be bypassed and that their enforcement can be replayed.
Capability Recovery Trace v0
Bring authentication, capability advertisement, hibernation points, resume handshakes, approvals, tool results, and policy versions into one body of evidence.
Key Signals
Cloudflare Agents 0.17.4 Brings MCP Capability Advertisement, Hibernation Recovery, and Tool Auditing into One Runtime
What happened: Cloudflare Agents 0.17.4 fixes MCP capability recovery after Durable Object hibernation and requires elicitation modes to be advertised only when their handlers are actually configured. It also adds persistent tool-call logs to proxied tool output, covering the call name, arguments, result, approval requirement, and execution status.
Why it matters to ALUX: This update connects three hard requirements for production-grade agents: capability semantics must survive recovery, protocol advertisements must not exceed actual handler capacity, and tool actions must leave visible evidence. It directly validates ALUX’s body-and-immune-system thesis, although Cloudflare remains a vendor-controlled cloud execution plane.
Recommended action and deliverable: Produce MCP Capability Recovery Trace v0, linking capability advertisement, OAuth state, the hibernation point, resume handshake, approvals, and tool results into one evidence chain. Deliverable: MCP Capability Recovery Trace v0.
This signal primarily affects the machine’s Resilience / Body: after a Durable Object hibernates, an MCP connection must restore the correct capabilities and authentication state. Security / Immune System is the secondary dimension because capability advertisement and tool auditing determine whether an agent exceeds its authority and whether responsibility can be assigned.
Qwen Code Desktop 0.0.5 Adds Parameter-Level Tool Permissions, Isolated Plan Sessions, and Subagent Concurrency Limits
What happened: The official comparison record shows that Desktop 0.0.5 adds the Tool(param:value) syntax for parameter-level permissions, startup controls over tool visibility, a separately named session for every scheduled task, and a maxSubAgents concurrency limit. It also fixes rewind after history compaction and AutoMemory cursor advancement.
Why it matters to ALUX: China’s open-source coding agents are moving beyond feature accumulation toward permission granularity, session isolation, and correct recovery. ALUX does not need to reproduce the CLI product surface; it should move parameter-level authorization, session state, concurrency quotas, and rollback records down into runtime capabilities.
Recommended action and deliverable: Develop Tool Capability Schema v0 with, at minimum, tool, parameter constraint, scope, session owner, subagent budget, and revoke event. Deliverable: Tool Capability Schema v0.
This signal primarily affects the machine’s Security / Immune System: parameter-level permissions and tool visibility directly tighten an agent’s action boundary. Resilience / Body is the secondary dimension because isolated plan sessions, rewind, and concurrency limits affect recovery and stable operation.
Stagehand 3.7 Turns Browser-Agent Domain Allowlists and Blocklists into Execution-Context Policy
What happened: Stagehand 3.7 adds context.setDomainPolicy for configuring allowed and blocked domains. Pop-ups that violate policy are closed automatically. The release also fixes CUA keyboard shortcuts, screenshot media types, MCP Client log serialization, and session-event cleanup.
Why it matters to ALUX: Browser agents are among the easiest ways for a model error to become a real external action. Domain policy shows security boundaries moving out of prompt rules and down into the execution context. ALUX can go further by expressing domains, actions, arguments, authorizers, and revocation conditions as object capabilities.
Recommended action and deliverable: Create a Browser Capability Policy example covering domain, path, action type, argument range, credentials, human approval, and revocation. Deliverable: Browser Capability Policy example.
This signal primarily affects the machine’s Security / Immune System: the browser agent is restricted to allowed domains, and noncompliant pop-ups are closed automatically. It does not demonstrate resilient recovery or cross-company collaboration.
MCP TypeScript SDK 2.0 beta.4 Unifies a Shared Schema Graph and Preloads Validation Structures for Isolated Runtimes
What happened: Beta.4 consolidates protocol, OAuth, and constant schemas in @modelcontextprotocol/core so that multiple packages share one schema graph. It adds preloadSchemas and automatically preloads them in Cloudflare Workers builds, while changing Ajv and schemas for different protocol revisions to be constructed on demand.
Why it matters to ALUX: This is not a major feature announcement, but it is body-level engineering for a protocol entering multiple runtimes: shared object identity, cold-start cost, and validation structures must remain consistent across Node, browsers, and isolates. ALUX can use this to emphasize that persistent state, permissions, and replayable execution are still required beyond the protocol schema.
Recommended action and deliverable: Add a three-layer boundary diagram covering Protocol Schema / Runtime State / Audit Evidence. Deliverable: MCP three-layer boundary diagram.
This signal primarily affects the machine’s Resilience / Body: protocol packages need consistent schema identity and controlled startup costs across runtimes. Security / Immune System is the secondary dimension because schema validation defines the input boundary.
Deep Agents Code 0.1.37 Adds Thread Recovery and Prevents Headless Mode from Bypassing Automatic-Approval Boundaries
What happened: Version 0.1.37 adds thread recovery through /threads -r, a /tools command, more model providers, and expanded MCP configuration. It also explicitly rejects --auto-approve in headless mode and loads MCP servers concurrently during graph build.
Why it matters to ALUX: Agent products are turning recovery, tool visibility, and unattended approval boundaries into default behavior. ALUX has an opportunity to elevate these UI and CLI constraints into runtime policies that cannot be bypassed and to provide evidence of state continuity before and after recovery.
Recommended action and deliverable: Define a Headless Agent Policy: which capabilities are disabled by default in unattended mode, which actions require human approval, and how work resumes after recovery. Deliverable: Headless Agent Policy v0.
This signal primarily affects the machine’s Resilience / Body: recoverable threads, concurrent MCP loading, and fixes for startup stalls improve continuity of work. Security / Immune System is the secondary dimension because automatic approval is explicitly prohibited in headless mode.
StepFun Officially Launches STEPX, Step AOS, and an Agentic Smartphone as Device Entry Points Begin to Carry Agent State
What happened: Multiple media outlets report that StepFun has officially unveiled STEPX, a foundation-model-native device brand; Step AOS; and its first agentic smartphone, STEPX Neo. The company is also advancing Step Edge models for on-device use, targeting phones, vehicles, and other endpoints.
Why it matters to ALUX: Yesterday this was still a launch preview; today it has moved into the product and system layers. Device agents bring cross-application permissions, edge-cloud state, offline recovery, user confirmation, and persistent identity into the physical world. ALUX can treat device actions as capability-constrained endpoints in a long-running transaction.
Recommended action and deliverable: Develop a Device Agent Responsibility Map defining the state and responsibility boundaries of the device, cloud model, application, user, and enterprise. Deliverable: Device Agent Responsibility Map.
This signal primarily affects the machine’s Connectivity / Society: agents are moving from cloud applications into phones, in-vehicle systems, and device ecosystems. Security / Immune System is the secondary dimension because cross-application and device permissions determine the radius of real-world action.
31 Chinese Companies Sign a Self-Regulatory Convention on Personal Information Protection for AI Agents, Moving Data Accountability into Industry Coordination
What happened: Reports say that the Self-Regulatory Convention on Personal Information Protection for AI Agents was released at a forum associated with the 2026 China Internet Conference. Baidu, Tencent, Alibaba, Volcano Engine, and others were among the first 31 signatories, seeking to establish industry self-governance boundaries for how agents collect, use, and transfer personal information.
Why it matters to ALUX: Personal-information protection is not merely a front-end privacy notice. Every capability grant, data access, cross-tool transfer, and revocation must be provable. ALUX can turn policy versions, data capabilities, authorization chains, and audit evidence into enterprise compliance infrastructure.
Recommended action and deliverable: Create a Personal Data Capability Ledger example with purpose, scope, holder, delegate, expiry, revocation, and evidence hash. Deliverable: Personal Data Capability Ledger example.
This signal primarily affects the machine’s Security / Immune System: the industry is beginning to place shared constraints on agents’ collection, use, and transfer of personal information. Connectivity / Society is the secondary dimension because 31 companies need responsibility boundaries across principals.
Funding / Partnership Opportunities
Technical / Product Implications
Risk Boundaries
ALUX should not be described as a fully delivered agent platform. More precisely, the underlying TVM already provides key foundations including concurrency, durable execution, capability security, execution records, and bit-for-bit replay auditing. The agent product layer, observability, dashboards, tracing, and evaluation tools remain priorities for development and financing.
Nor should TVM be said to make the LLM itself deterministic. More precisely, TVM records model outputs and inputs from the runtime environment, making orchestration, permissions, state transitions, and auditing replayable and verifiable. Public sources from Cloudflare, Qwen, Stagehand, and Deep Agents demonstrate capabilities at their respective product layers; they do not amount to a vendor-neutral, cross-company runtime. The technical implementation details behind StepFun’s launch and the industry convention still require further verification.
Sources
- Cloudflare Agents: Cloudflare Agents 0.17.4 Brings MCP Capability Advertisement, Hibernation Recovery, and Tool Auditing into One Runtime Official GitHub
- Alibaba Qwen Code: Qwen Code Desktop 0.0.5 Adds Parameter-Level Tool Permissions, Isolated Plan Sessions, and Subagent Concurrency Limits Official GitHub
- Browserbase Stagehand: Stagehand 3.7 Turns Browser-Agent Domain Allowlists and Blocklists into Execution-Context Policy Official GitHub
- Model Context Protocol: MCP TypeScript SDK 2.0 beta.4 Unifies a Shared Schema Graph and Preloads Validation Structures for Isolated Runtimes Official GitHub
- LangChain Deep Agents: Deep Agents Code 0.1.37 Adds Thread Recovery and Prevents Headless Mode from Bypassing Automatic-Approval Boundaries Official GitHub
- StepFun STEPX / Step AOS: StepFun Officially Launches STEPX, Step AOS, and an Agentic Smartphone as Device Entry Points Begin to Carry Agent State Reliable Media
- Baidu / Tencent / Alibaba / Volcano Engine, et al.: 31 Chinese Companies Sign a Self-Regulatory Convention on Personal Information Protection for AI Agents, Moving Data Accountability into Industry Coordination Reliable Media