Agno 2.6.9 Fixes the Managed-Agent Boundary: Server-Side Tools Are Not Local Tool Calls

Agno 2.6.9 is a boundary fix disguised as a patch release. The headline is not “Gemini support improved,” because that would miss the useful lesson: when a managed agent runs inside Google’s server-side loop, its tool calls are evidence of what happened in that sandbox, not an invitation for your local framework to start dispatching random functions.

That distinction sounds pedantic until it breaks a production run. Agno’s release notes for v2.6.9, published May 21, list one new feature, six improvements, and two bug-fix sections. The important fix lands in Gemini Interactions: FunctionCallStep parsing is now gated to the ordinary model path, so Antigravity and Deep Research server-side tool activity no longer leaks into Agno’s local tool-calling loop.

The failure mode documented in PR #8045 is exactly the kind that makes agent systems feel haunted. On the Gemini Interactions agent path, FunctionCallSteps can describe tools the autonomous loop runs inside Google’s managed sandbox: file operations, browser actions, and other Antigravity machinery. Agno previously surfaced those steps as local model_response.tool_calls. The result was predictable in hindsight: Agno tried to run functions it did not own, produced Function <name> not found, and then sent client-injected function_result steps back to an API path that does not accept them, producing 400 invalid_request failures.

The managed-agent boundary is now a runtime contract

The fix is small in shape and large in implication. PR #8045 gates FunctionCallStep parsing on self.agent is None in both streaming and non-streaming paths. The ordinary model path — where a developer declares local tools and expects the framework to dispatch them — is unchanged. The managed-agent path still preserves content, reasoning, citations, and images. It just stops pretending every function-shaped trace is a local function call.

This is the right split. Managed agents make framework boundaries sharper, not softer. Google’s Antigravity and Deep Research loops are not just remote LLM calls with fancier names; they are provider-owned runtime surfaces with their own sandbox, tool semantics, state, and response contracts. A framework integrating them has to behave more like a router and auditor than a universal tool executor.

That matters because the next generation of agent frameworks will increasingly sit between four different control planes: local model calls, local tools, external service APIs, and managed provider sandboxes. If the framework cannot tell “the provider is describing a step it already ran” from “the provider is asking me to call my tool,” the integration will fail late and confusingly. Worse, it may fail after partial progress, where the trace looks plausible enough to waste an afternoon.

The practical advice for teams using Agno with Gemini managed agents is direct: upgrade, then add a regression test around the boundary. Run an Antigravity-backed interaction that produces internal file or browser steps. Confirm those steps are visible in traces but never dispatched through your local tool registry. Then test the inverse: ordinary Gemini model calls with developer-defined local tools should still dispatch normally. This is boring test coverage. That is why it belongs in CI.

Approvals are audit records, not UI state

The same release improves approval observability through PR #7366, which exposes the full resolved approval record to post-hooks and observability integrations via run_response.metadata["approval"]. That record includes fields such as resolved_by and resolved_at. Agno’s approval docs describe a run pausing when a tool requires confirmation, persisting a pending record, and resuming after an admin resolves it through AgentOS Control Panel or API.

That may look like metadata plumbing. It is actually governance plumbing. Human-in-the-loop is not a checkbox; it is an audit surface. For production data access, deployment actions, customer operations, finance workflows, or anything with compliance pressure, “approved” is not enough. Teams need to know who approved, when, through which path, and what context surrounded the decision.

Frameworks often market approvals as a safety feature, but safety only exists if the approval event survives into logs, hooks, traces, and downstream systems. If a post-hook can see only a status flag and some resolution data, operators are stuck reconstructing control decisions from UI screenshots and vibes. Exposing the resolved approval record is the less glamorous half of human-in-the-loop: making the human action durable enough to inspect later.

If you run Agno in anything resembling a governed environment, verify that approval metadata reaches your log sink, SIEM, trace store, or data warehouse. Do not stop at “the UI shows approved.” Build a test that resolves an approval and asserts that resolved_by and resolved_at are present in the emitted metadata. The agent world has enough fuzzy accountability already.

The tiny bugs are the reliability story

Agno 2.6.9 also fixes PgVector(prefix_match=True), which had been documented as full-text prefix search but silently routed through websearch_to_tsquery, where wildcard * was ignored or escaped. PR #8048 moves the implementation to to_tsquery(language, "tok:*") with tokenization and adds four unit tests. If you use vector-backed support search, retrieval typeahead, or internal knowledge lookup, this is the kind of bug that quietly trains users not to trust the product.

The Claude sampling fix in PR #8009 is another classic framework paper cut with outsized blast radius. Bare truthiness checks dropped explicit 0.0 values for temperature, top_p, and top_k across Anthropic, AWS, and VertexAI variants, causing APIs to fall back to defaults such as temperature around 1.0. The fix switches to is not None and adds 17 unit tests.

That is not an AI mystery. It is Python doing exactly what Python does. But once it lands inside an agent framework, it becomes a reproducibility bug. Determinism is a dependency for evals, regression tests, demos, and high-risk workflows where variance should be intentional. If you set temperature=0, the framework should not silently decide you meant “provider default.”

The thread running through this release is control-plane clarity. Server-side sandbox tools are not local tools. Approval events are not transient UI state. Prefix search should do what the flag says. Sampling parameters set to zero are still parameters. None of that is keynote material. All of it is what separates an agent framework you can demo from one you can operate.

Agno 2.6.9 is worth attention because it shows the framework layer learning a production rule: agent runtimes are made of boundaries, and boundaries need names. If you are building on Agno, upgrade and test the seams — managed-agent traces, approval metadata, prefix retrieval, and deterministic Claude calls. If you are evaluating frameworks more broadly, this is the rubric. Ignore the orchestration diagrams for a minute and ask whether the runtime knows which side of the boundary each action belongs to.

Sources: Agno v2.6.9 release notes, PR #8045, PR #7366, PR #8048, PR #8009, Agno approval docs