NanoCo, the startup behind the open-source NanoClaw agent framework, announced a partnership with Vercel and OneCLI on April 17 to ship a standardized approval architecture for AI agents performing sensitive actions. The system surfaces interactive approval cards inside Slack, WhatsApp, Microsoft Teams, and 12 other messaging platforms, requiring a human tap before any high-stakes operation proceeds.
How the Architecture Works
The core technical shift is moving trust enforcement from the application layer to the infrastructure layer. In most agent frameworks, the model itself handles permission requests. NanoCo co-founder Gavriel Cohen described that design as fundamentally flawed in an interview with VentureBeat: “The agent could potentially be malicious or compromised. If the agent is generating the UI for the approval request, it could trick you by swapping the ‘Accept’ and ‘Reject’ buttons.”
NanoClaw 2.0 runs agents in isolated Docker or Apple Containers. The agent never sees real API keys. Instead, it uses placeholder credentials. When the agent attempts an outbound request, OneCLI’s Rust Gateway intercepts it and checks the action against user-defined policies. If the action is sensitive (making a payment, deleting a cloud resource, modifying calendar events), the gateway pauses the request and triggers an approval card via Vercel’s Chat SDK.
Only after the user taps “Approve” does the gateway inject the real, encrypted credential and allow the request to reach the external service. The credential is revoked immediately after execution. The agent has no mechanism to override this flow, regardless of how it is prompted.
15 Messaging Platforms From One Codebase
Vercel’s Chat SDK handles the integration complexity. According to VentureBeat, NanoClaw can deploy approval cards to 15 channels from a single TypeScript codebase: Slack, WhatsApp, Telegram, Microsoft Teams, Discord, Google Chat, iMessage, Facebook Messenger, Instagram, X, GitHub, Linear, Matrix, Email, and Webex.
The approval card appears as a native interactive element inside each platform. Cohen told SiliconAngle that the design targets a specific enterprise bottleneck: “We built NanoClaw to end that tradeoff. Because that trust layer exists, agents can do more, not less. They can add their own tools, expand their own capabilities and even modify their own configuration, all through the same approval flow.”
The Enterprise Bottleneck This Addresses
The timing connects to a broader pattern. A Cloud Security Alliance study published April 16 found that 53% of organizations have had AI agents exceed their intended permissions, and most enterprises have limited agent deployment to low-stakes tasks like email drafting and meeting summaries precisely because granting broad permissions is too risky.
The NanoClaw/Vercel/OneCLI approach offers a specific architectural answer: narrow permissions by default, confidence-based gating for routine actions, and human approval for anything flagged as high-consequence. For DevOps teams, that means an agent can propose a cloud infrastructure change that only goes live once a senior engineer taps “Approve” in Slack. For finance teams, an agent can prepare batch payments with the final disbursement requiring a human signature via WhatsApp.
The Competitive Context
NanoClaw positions itself as a security-first alternative to larger agent frameworks. Its core logic runs approximately 3,900 lines of TypeScript across 15 source files, compared to hundreds of thousands of lines in competing platforms, according to VentureBeat. The project uses MIT licensing and a “Skills over Features” philosophy where users only maintain the code required for their specific implementation.
The partnership with Docker, announced in March, already established MicroVM-based isolation for enterprise deployments. The Vercel and OneCLI integration adds the user-facing approval layer on top of that sandboxing foundation.