How do you stay aware of what your AI coding agents are doing?

by

I've been running Claude Code, Cursor, and Codex pretty heavily for the last few months and I keep hitting the same loop:

1. Start a task in one agent

2. Switch to something else (Slack, Twitter, another terminal)

3. Come back 30-40 minutes later

4. Agent finished 35 minutes ago. Or worse, it's been waiting for my approval the entire time.

The more agents I run, the worse it gets. There's no unified way to know what's happening across them.

Curious what other people's setups look like:

- Do you just keep terminals visible and check manually?

- Built any custom notification scripts?

- Use something like ntfy or Pushover?

- Just... accept the wasted time?

I've been building something in this space (push notifications + approval flows for AI agents) and I'm trying to understand if everyone's workflow is as janky as mine, or if some of you have figured out something clever.

Would love to hear what's working and what's not.

4.1K views

Add a comment

Replies

Best

Same loop here, exactly. The approval-waiting one is the worst because coming back to find it stalled 35 min ago on a yes/no I'd have answered instantly.

 

That specific sting, "stalled 35 minutes on a yes/no I'd have answered instantly," is the one that should be illegal, and the reason it hurts more than a slow task is the mismatch. The cost of answering was one second. The cost of not being asked was 35 minutes. When the gap between the effort and the waste is that lopsided, it doesn't feel like a delay, it feels like waste, because nothing hard happened, you just weren't in the room for a trivial question.

And the trivial part is exactly why it's so dangerous. A scary approval at least justifies the wait, you'd want to think about that one. But the instant yes/no slips through because it doesn't look like it matters, so nothing flags it, so it sits. The cheapest decisions cause the most expensive stalls, precisely because they're cheap enough to be invisible until you walk back and find the whole thing parked on one.

That's the entire reason to get the question off the terminal and onto your phone, a one-second answer should cost one second, not half an hour of you being elsewhere. Approve from the lock screen, it unparks immediately, the trivial stays trivial. Question, since you've clearly lived this: when you come back to one of these, is it usually a genuine judgment call, or is it stuff the agent could've just done if you'd pre-authorized it? Because if it's mostly the latter, the real fix is letting it not ask at all for the safe stuff, and only pinging you for the few that actually need a human.

Keeping multiple terminals open works with one agent. Once you're running three or four it gets messy fast.

 

That's the exact breakpoint, and it's worth being precise about why three or four is where it snaps rather than some gradual decline. With one agent, watching is basically free, it's one glance, one source of truth, your attention isn't really divided. The cost doesn't scale linearly as you add agents, it scales worse, because now you're not just watching more screens, you're context-switching between them, holding which agent is doing what, and the misses compound: while you're checking agent one, two finished and three got stuck, and you find out about both late. Manual watching has a hard ceiling, and three or four is where most people hit it.

The deeper reason is that keeping terminals visible is a pull system, you have to go look for the information, and pull systems don't survive parallelism. Push does. Instead of you checking four terminals on some interval that's always wrong, the agents tell you when one actually needs you, done, blocked, or waiting on a decision. Then four agents costs the same attention as one, because you're not allocating a watch-budget per terminal, you're just receiving the one alert that matters. Three silent agents are free. The stuck one taps you.

That's the whole jump Pushary is built for, exactly the point where visible-terminals stops scaling. Question, since you're clearly at or near that breakpoint: when it gets messy at three or four, what actually breaks first for you, missing that one finished, or losing track of which agent is doing what in the first place? I'm trying to figure out whether the core pain is the missed alert or the lost mental map, because they need slightly different fixes.

How are you thinking about prioritization? For example, I'd want a different notification for ''task completed'' versus ''agent is blocked and needs approval''. The second one is far more urgent.

 

You're exactly right that they're different urgencies, and the way I think about it is that the two events aren't even the same type of thing. "Task completed" is informational, the work is safe, nothing is waiting, you can read it whenever, it's a receipt. "Blocked and needs approval" is a live cost, the agent is frozen and burning idle time until you respond, and on a parallel setup it might be holding up everything downstream of it. One is a record. The other is a bill that's actively running. They should not look, sound, or feel the same on your phone.

So the prioritization isn't a nice-to-have ranking, it's the core design, and I'd actually go further than two tiers. There's a third that's sneakily the most urgent: "blocked and has been waiting X minutes." Freshly blocked is a heads-up. Blocked for 20 minutes is the thing you'd pay to never let happen again, because that's the silent-stall everyone in this thread keeps describing. So the model is roughly: completed is low and silent-ish, needs-approval is high and unmissable, and time-in-blocked escalates the urgency the longer it sits. The clock is part of the priority, not just the event.

The other half of prioritization is the part people forget: it's not only how loudly you alert, it's whether you alert at all. The fastest way to ruin the urgent tier is to fire the boring one too often, because then the channel gets muted and the urgent one dies with it. So "task completed" probably shouldn't even be a push for most people, it's a thing you check, while "blocked, needs you" is the one that's allowed to interrupt. Protecting the urgent signal means being stingy with the routine one.

Question back, since you've clearly thought about the tiers: for the completed case, would you even want a push, or would you rather it sit silently in a list you glance at, and reserve actual interruptions purely for the blocked-needs-you case? I keep going back and forth on whether "done" earns a notification at all, or whether pushing it just trains people to ignore the channel.

You can copy agent's answear and ask gpt or claude to summarize changes. Of course, it's still not as good as seeing all the changes yourself, but sometimes it's okay to do this when the updates aren't too serious.

 

That's a legit pragmatic move, and the instinct underneath it is the right one: matching how much you trust the review to how much the change actually matters. For low-stakes updates, a quick LLM summary is plenty, and reading the full diff yourself would be over-verifying something that didn't need it. You're triaging your own attention, spending it where the risk is and saving it where there isn't. Most people either review everything or nothing, and you've found the sane middle.

The one place I'd flag caution, and it's the exact spot this trick is weakest: an LLM summarizing the agent's own answer is asking one model to vouch for another, and it inherits the original's blind spots. If the agent quietly skipped a check or made a wrong assumption, the summarizer often won't catch it, because it's summarizing the narrative, not auditing the actual diff. It's great at "what does this say it did" and unreliable at "did it actually do that, and what did it leave out." So it works precisely because you're applying it to non-serious updates, the moment it touches something risky, summarizing the claim instead of inspecting the change is how the quiet-wrong slips through.

Which is why I'd point the summarizer at the diff, not the agent's answer. Same effort, but now it's reading what changed rather than what the agent said about what changed, and it can flag "this also touched a file you didn't mention." That's the difference between a summary of the testimony and a summary of the evidence. Your workflow is the right shape, just feed it the artifact instead of the narration.

Question, since you've clearly tuned the effort-to-stakes ratio: how do you decide an update is "not too serious" before you've reviewed it? That's the chicken-and-egg I keep hitting, you need to know the stakes to pick the review depth, but knowing the stakes kind of requires the review. Curious whether you go by what you asked for, which files it touched, or just gut.

Something that helped me: giving each agent its own dedicated email address. Instead of tab-switching to check on them, the agent just mails you when it hits a blocker or finishes. Sounds simple but it removes most of the "what happened while I was gone" loop.

The harder one I've hit is agents needing credentials mid-task — no safe way to hand those off without hardcoding something sketchy.

For those running multiple agents: is the bigger pain losing track of what they're doing, or not knowing what they've already touched?

 

Per-agent email is genuinely clever, and the reason it works is smarter than it looks: you didn't build a notification system, you repurposed one that already solves the hard parts. Email is already async, already on your phone, already threaded per sender, already searchable later. Giving each agent an address means each one gets its own thread, so "what happened while I was gone" becomes an inbox you scan instead of a context you reconstruct. You routed around the whole problem with infrastructure that already existed. Respect.

The ceiling it hits is the one email always hits: it's one-directional and it's noisy at scale. The agent can mail you "I'm blocked on this approval," but you can't cleanly mail back "yes, proceed" and have it act, email wasn't built to be an approval channel with a structured response. And per-agent addresses are elegant at three agents and a flood at fifteen, plus a "done" email and a "blocked, need you now" email land in the same inbox with the same weight, so the urgent one drowns. It's a great read-only awareness layer. It strains as a control layer.

But the credentials problem you raised is the actually hard one, and it's a different beast entirely, so I want to be careful not to hand-wave it. Hardcoding secrets or pasting them into a prompt is exactly the sketchy thing everyone does and nobody should, because now the credential lives in context, in logs, in the model's history. The right shape is the agent never holds the secret, it requests an action that needs the credential, and something outside the agent, a broker you control, injects it at execution time and hands back only the result. The agent gets capabilities, not keys. That's adjacent to the approval problem, actually, "agent needs to do a privileged thing" is the same gate whether the privilege is a risky action or a secret, the human or the policy authorizes, the credential never touches the agent.

That's honestly where this whole space is heading and where my head's at with Pushary, the approval gate and the credential gate are the same primitive: the agent asks, a layer it doesn't control decides and supplies. Question, since you've hit the credential wall directly: when an agent needs creds mid-task, is it usually the same few services over and over, or genuinely unpredictable each time? Because if it's a known set, you can pre-broker those and the agent never has to ask, but if it's unpredictable, you need a real-time hand-off-with-approval flow, and those are very different things to build.

I think the same issue shows up beyond coding agents too. Once an agent is doing real work, visibility becomes part of trust. I would want three layers: what the agent is trying to do, what it actually changed, and where it needs human approval.

For coding, that might be plans, diffs, tests, and logs. For business agents, it might be CRM updates, customer-facing drafts, handoffs, and escalation reasons. Without that trail, the agent may be productive, but the human still carries all the risk.

 

"Without that trail, the agent may be productive, but the human still carries all the risk" is the sentence that should anchor this whole category, because it names the asymmetry everyone feels and few articulate. The agent gets the productivity, the human keeps the liability, and visibility is the only thing that closes that gap. It's not a convenience feature, it's how the risk gets transferred back to where the authority actually is. An invisible productive agent is just a way to launder accountability away from the person who'll answer for it.

And you're right that this generalizes past code, but the sharper version of your point is that your three layers are domain-independent while their contents aren't. Intent, change, and approval-point is the universal skeleton, that's true whether it's an agent writing code or updating a CRM. What swaps out is the artifact: plans/diffs/tests for code, CRM-updates/customer-drafts/escalation-reasons for business. So the visibility layer that wins isn't coding-specific or CRM-specific, it's the one that nails the skeleton and lets the artifact type plug in. Most tools are building the skeleton hardcoded to one domain, which is why they don't travel.

Your middle layer is the one I'd argue carries the most weight, too: "what it actually changed," emphasis on actually. Intent is the agent's claim about what it'll do, approval is your decision, but the change is the ground truth, and it's the only one of the three that can't lie. An agent can intend well and act badly. So the trail has to privilege the diff over the narration, what happened, not what the agent said would happen.

That's exactly the shape I'm building Pushary around, the universal skeleton with the coding artifacts plugged in first, intent, real diff, approval point, delivered so the human reclaims the risk instead of carrying it blind. Question, since you've clearly thought across domains: of your three layers, which is hardest to capture honestly for business agents? For code it's mechanical, diffs and tests are concrete. But "what a CRM agent actually changed" or "why it escalated" feels squishier and easier to fake, and I'm curious whether the trail is genuinely harder to trust the further you get from code, or if that's just my coding bias talking.

The useful signal for me is not just done vs blocked. It is done, and here is what changed, what was approved, and what still needs a human.

Otherwise notifications fix timing, but not trust. Do you persist approvals as part of the run record, or only use them to unblock the session?

 

Direct answer: persisted, as part of the run record, not just used to unblock and discarded. And I'd argue the discard-after-unblock version isn't even a lesser version of the product, it's a different product that happens to share a button. An approval you only use to release the session is a keystroke, it does its job and evaporates. An approval you persist, with who decided, when, at what scope, against which proposed action, is a record you can answer for later. The first fixes flow. The second is the only one that touches trust, which is exactly the line you drew.

Because you're right that notifications alone fix timing, not trust, and the reason is structural: a notification is ephemeral by nature. It fires at the moment of need and then it's gone, so a pure notify tool inherits amnesia, it tells you faster and remembers nothing. The instant the terminal closes, "what was approved and why" is gone, and three weeks later when something breaks you're back to reverse-engineering from vibes. Persisting the approval is what converts a momentary "yes" into a durable "this person authorized this specific thing for this reason," and that's the artifact trust is actually built from.

The piece I'd add, because it's where persisted approvals earn their keep: persist the approval bound to what it authorized, not floating on its own. An approval is a decision about a proposed action, so the record has to hold both, "human approved X" next to "agent then did Y," so you can later check that Y actually matched X. Approve "deploy to staging," agent deploys to prod, the persisted-and-bound approval is the thing that catches the divergence. An approval stored without the action it was attached to is auditable in theory and useless in practice, because you can't tell if the agent honored it.

So the run record I want is a timeline per action: agent proposed this and flagged it risky, human approved at this scope at this time, agent then did exactly this, tests said that. Notification is just the delivery mechanism for the approval step, the persistence is what makes the whole thing trustworthy after the fact.

Question back, since you're clearly thinking about this at the record level: would you want the persisted approval to be queryable as its own thing, "show me everything I approved this week and what happened to it," or is it enough that it lives in the run's history for forensics when something breaks? Because the first is a real trust-calibration tool, you'd actually see your own rubber-stamp rate, and the second is just an audit log, and I keep wondering whether people want the mirror or just the receipts.

@aadilghani Queryable as its own thing feels more useful.

The run history is for forensics. The approval history is for trust calibration: what did I approve, what happened after, and am I rubber-stamping one agent or workflow too often. I’d still bind both to the same decision/action id so the approval view does not become a second source of truth.

 

You picked the mirror over the receipts, and your reason is the right one: the two views answer questions about different subjects. Forensics is about the agent and the incident, "what happened, in what order, why did it break." Calibration is about you, "how am I deciding, and am I deciding well." That's the part almost every tool in this space misses, they all audit the agent, and you want to audit your own approval behavior. The subject of the trust-calibration view isn't the system, it's the human holding the gavel. Rare instinct, and the correct one, because the rubber-stamp problem is a human failure mode, not an agent one.

And your binding caveat is the sharp engineering call that keeps this from rotting. Same decision/action id, approval-history as a projection over the canonical events, never its own store. The moment the approval view holds its own copy of the facts, it drifts from the run history and now you have two truths that disagree, which is worse than having one incomplete one. One write path, many read lenses. The approval view is a query, not a second source. You said it in one sentence and it's the thing I'd have spent a paragraph getting wrong.

Here's the piece that makes the calibration view actually work, and it's the part that's harder than it looks: "what happened after" means the outcome has to be bound to that same id too, not just the approval. The id has to thread through three events, proposed, approved, and resolved, because rubber-stamp detection isn't "I approved a lot," it's "I approved a lot of things that later got reverted or broke." Approval volume alone is a useless metric, it'll nag you for being efficient on a workflow you've correctly learned to trust. The signal you actually want is approval paired with bad outcome, and that only exists if the downstream result joins back on the decision id. Otherwise the mirror shows you how often you said yes, which isn't the same as how often you were wrong to.

Which surfaces the real design tension in the calibration view: you need it to distinguish healthy high-approval (this workflow earned your trust, approving fast is correct) from dangerous high-approval (you stopped reading and got lucky until now). Outcome-binding catches it retroactively, after something fails. But there's a cheaper leading signal I keep eyeing: approval latency. A one-second approval on a high-risk action is a rubber-stamp tell before you know the outcome, because it means you didn't look. Pair latency with risk-tier and you can flag "you approved a high-risk change in under two seconds" in the moment, not three weeks later in the post-mortem.

So the question back, since you're clearly modeling this properly: would you want the calibration view to surface scrutiny proxies like approval latency, or does that feel like surveillance of yourself that you'd resent? I genuinely go back and forth, because the latency signal is the earliest possible rubber-stamp detector, but a tool that says "you didn't look hard enough at that one" is also the kind of thing people turn off. Curious whether you'd want the mirror to be that honest, or whether outcome-bound-after-the-fact is the most self-scrutiny anyone actually wants to live with.

 I’d want it, but only as a soft warning, not a scolding metric.

Latency by itself is noisy. Fast approval on a low-risk trusted workflow is healthy. Fast approval on a high-risk or unusual action should create a tiny “are you sure you looked?” pause. Then the real calibration comes later by joining latency, risk tier, and outcome. Would you let users tune which risk tiers get that mirror?

Know this all to well! My boss offered to build me a little device to solve this, perhaps more people would be interested 😅

 

Ha, the fact that your boss looked at this and went "I'll just build you a physical device" tells you everything, that's not a niche annoyance, that's a problem painful enough that someone's first instinct is hardware. People don't fabricate gadgets for minor inconveniences. The little-device impulse is the same one that gave this thread a desktop aquarium and a menu-bar edge-glow, the pain keeps independently reinventing the same fix, which is usually the sign of a real market and not just a personal quirk.

The thing I'd gently flag, and it's the ceiling every physical version hits: a device lives on your desk, and the whole pain is the thirty minutes you weren't at your desk. A blinking box is great while you're in the room and useless the moment you walk away, which is exactly when the agent goes quiet on you. Ambient hardware solves "at my desk in another window." It can't solve "away from keyboard," because you have to be looking at it. So the device scratches the itch right up until lunch.

Which is the long way of saying yes, more people are absolutely interested, and the version that travels is the one in your pocket you already carry. Same idea as your boss's gadget, minus the constraint that you have to be standing next to it. Genuine question, since your boss clearly spec'd this in his head: what was the device going to actually do, just light up when an agent needs you, or did he have it answering back somehow? I'm curious what shape the hardware instinct takes, because what people imagine building by hand is usually the cleanest statement of what they actually want.

What I'd love is a single activity feed across Claude Code, Cursor, Codex, and other agents with statuses like Running, Waiting, Completed, and Failed. That visibility alone would save a lot of context switching.

 

We provide this at pushary.com, once you have connected your device you get a notification, you click on it and you see your activity feed across your connected agents - we call it the fleet board, give it a shot.

I just modify the claude.json file and allow to bypass all permissions, and I think that with claude cowork you can create custom notifications

 

Two different moves there, worth pulling apart because one's a real fix and one's a loaded gun.

Bypassing all permissions in the config does solve the waiting problem, by deleting the thing that makes it wait. No approval gate, no stall. But you didn't remove the risk, you removed the brakes. Now the agent never pauses, which is great until the one time it confidently does something you'd absolutely have wanted to catch, deletes the wrong thing, force-pushes, touches prod, and there was no gate to stop it. "Allow everything" trades a time problem for a blast-radius problem, and the blast-radius one is the expensive kind because you find out after. It's the right setting for a sandbox where failure is free, and the wrong one the moment the agent can touch anything you can't cheaply undo.

The better shape isn't all-or-nothing, it's tiered: auto-allow the safe, reversible stuff so you're not babysitting trivia, and gate only the genuinely risky calls, auth, payments, migrations, destructive commands. That way you get the no-waiting speed on 90 percent of actions and keep a human on the 10 percent that can actually hurt you. Bypass-all is that idea with the dial cranked to a place I wouldn't leave it on anything that matters.

On the Cowork custom notifications, you're right that you can wire something up, and that's the DIY version of exactly this. The gap is it's per-tool and lives on that machine, so it doesn't follow you to your phone and doesn't span Claude Code plus Cursor plus Codex in one place. Fine for one tool at your desk, strains the moment you're away or running several.

Question, since you've gone full-bypass: has it ever actually bitten you, an agent doing something unattended you wish it had stopped to ask about? Curious whether bypass-all is working because your tasks are genuinely low-stakes, or whether it's been fine so far and the bad day just hasn't happened yet. The answer tells you whether you want the tiered version or you're honestly fine as-is.

First
Previous
•••
8910
•••
Next
Last