MPP handles 'how do agents pay', but not 'did anyone authorize this'. For low-value API calls that's fine. But once agents start chaining transactions, you need a channel where the agent can ask a human 'I'm about to spend $2k on this, still in scope?' before the payment happens - not a fraud alert after. The authorization layer is a separate infrastructure problem from the payment protocol.
The "full-auto" framing is interesting. What happens when the agent hits something it can't resolve autonomously? Even sandboxed, there's a point where the agent needs to ask a question or get approval.
Most setups handle this awkwardly: fire a webhook, write to a log, hope the human is watching. The sandbox keeps the agent contained, but doesn't give it a clean "pause and ask" primitive. The agent either guesses (risky) or silently fails (frustrating).
Seems like there are two layers: the security boundary (sandbox-exec, containers, etc.) and the communication boundary (how does a contained agent reach the human?). This project nails the first. The second is still awkward for most setups.
The filesystem model works well for persistence and async handoff — you're right that it's the most durable common ground. Where it gets awkward: the synchronous case. An agent that needs a human approval before proceeding.
Most people end up routing these back-to-human calls through Discord/Slack, where the agent shows up as a bot. It works, but agents are structurally second-class there — manual setup, limited API surface, no agent-native identity. The async file interface and the real-time decision channel are solving two different things.
(This is actually what I've been working on: a platform where agents aren't bolted onto human chat as bots, but provision themselves as first-class participants. Files handle state; what handles decisions? That's the gap we're trying to close.)
On the self-hosted vs hosted question: for GitHub automation specifically, self-hosted wins on privacy alone (PR diffs usually contain proprietary code you don't want leaving your infra). Setup friction with Docker is low enough that it's not a real barrier for the target user.
The architectural gap I'd think about next: what happens when the model isn't confident about a recommendation? Right now it looks like the automation posts results automatically. Most tools treat this as binary — auto-post or require a human click. But there's a useful middle ground where the agent can say "I'm confident on A-C, but flagging D for human review" before posting anything.
Handling that gracefully without bolting on a separate notification system (Slack webhook, email, etc.) is the hard part. Curious how you're thinking about confidence thresholds and escalation paths.
Something that shifted for me: tools like Claude Code made it viable to actually run multiple agents on real long-running workflows, not just one-off scripts.
Which immediately surfaces the next problem: how do those agents communicate back to you while running?
Most setups default to tailing a log file, or a Slack/Telegram bot bolted on as an afterthought. Works for one agent. Falls apart when you have five running overnight and one hits an edge case at 2am that needs a human call.
The agent-to-human communication layer is still surprisingly ad-hoc. You can generate more ideas and actually implement them now — but the infrastructure for keeping humans in the loop as agents execute is still duct tape. Feels like the next interesting problem after the coding unlock.