Skip to content

Commit ae179a1

Browse files
haofeifclaude
andauthored
fix(launch): clarify prompt, add --auto-approve, document TOOL_MAPPING (#146)
* fix(launch): clarify confirmation prompt — show Role, remove Blocked, distinguish Y vs --yolo The launch confirmation prompt was misleading: it showed "Blocked: (none)" for providers that enforce restrictions natively (kiro-cli, q-cli), and the --yolo hint didn't make clear that users need to exit and re-run. Now the prompt shows Role and Allowed in CAO vocabulary, and clearly explains that [Y] keeps restrictions while [--yolo] overrides everything. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * feat(launch): add --auto-approve flag to skip confirmation prompt Adds --auto-approve to skip the confirmation prompt while keeping tool restrictions enforced. Useful for automated flows, scripted launches, and agent-to-agent workflows where --yolo is too permissive. Addresses review feedback on PR #146 re: automated flows hanging on the Y/n prompt. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * docs: clarify TOOL_MAPPING role and why only 3 providers need it Rewrite the "How Tool Restrictions Are Enforced" section to explain why TOOL_MAPPING only covers Claude Code, Copilot CLI, and Gemini CLI (they need translation to native tool names), while Kiro CLI, Q CLI, Kimi CLI, and Codex accept CAO vocabulary directly. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(launch): clarify prompt hints — say "relaunch with" not bracket options The prompt hints like [--auto-approve] and [--yolo] implied users could type them at the Y/n prompt. Changed to "relaunch with --auto-approve" and "relaunch with --yolo" to make clear these are CLI flags for the next launch, not options at the current prompt. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 5c2faa5 commit ae179a1

4 files changed

Lines changed: 70 additions & 28 deletions

File tree

CHANGELOG.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
77

88
## [Unreleased]
99

10+
### Changed
11+
12+
- **Launch prompt clarity + `--auto-approve`** — Redesign the `cao launch` confirmation prompt to show `Role` instead of `Blocked`, clearly distinguish `[Y]` / `[--auto-approve]` / `[--yolo]`, and add `--auto-approve` flag to skip the prompt without removing restrictions (for automated flows, scripts, and agent-to-agent launches)
13+
1014
### Fixed
1115

1216
- **Kiro CLI new TUI support** — Add fallback detection patterns for the new Kiro CLI TUI prompt format (`ask a question, or describe a task`), ensuring CAO works even if `--legacy-ui` is removed in a future version

README.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -504,8 +504,9 @@ role: supervisor # @cao-mcp-server, fs_read, fs_list
504504
```
505505

506506
```bash
507-
cao launch --agents code_supervisor # Uses role defaults
508-
cao launch --agents code_supervisor --yolo # Unrestricted access (WARNING shown)
507+
cao launch --agents code_supervisor # Uses role defaults (confirmation prompt shown)
508+
cao launch --agents code_supervisor --auto-approve # Skip prompt (restrictions still enforced)
509+
cao launch --agents code_supervisor --yolo # Unrestricted access (WARNING shown)
509510
```
510511

511512
For the full reference — roles, tool vocabulary, custom roles, launch prompts, provider enforcement, and known limitations — see [docs/tool-restrictions.md](docs/tool-restrictions.md).

docs/tool-restrictions.md

Lines changed: 45 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -135,15 +135,16 @@ A warning is still displayed so you know what's happening:
135135

136136
## Launch Confirmation Prompt
137137

138-
When you run `cao launch` without `--yolo`, CAO shows a summary of the resolved tool restrictions and asks for confirmation:
138+
When you run `cao launch` without `--yolo` or `--auto-approve`, CAO shows a summary of the resolved tool restrictions and asks for confirmation:
139139

140140
```
141141
Agent 'code_supervisor' launching on kiro_cli:
142-
Allowed: @cao-mcp-server, fs_read, fs_list
143-
Blocked: Bash, Edit, Write
142+
Role: supervisor
143+
Allowed: @cao-mcp-server, fs_read, fs_list
144144
Directory: /home/user/my-project
145145
146-
To grant all permissions, re-run with --yolo.
146+
To skip this prompt next time, relaunch with --auto-approve
147+
To remove all restrictions, relaunch with --yolo
147148
148149
Proceed? [Y/n]
149150
```
@@ -152,30 +153,50 @@ If no `role` or `allowedTools` is set in the profile, the prompt includes an add
152153

153154
```
154155
Agent 'my_agent' launching on claude_code:
155-
Allowed: @builtin, fs_*, execute_bash, @cao-mcp-server
156-
Blocked: (none)
156+
Role: (not set — using developer defaults)
157+
Allowed: @builtin, fs_*, execute_bash, @cao-mcp-server
157158
Directory: /home/user/my-project
158159
159160
Note: No role or allowedTools set — defaulting to 'developer'.
160161
Add 'role' or 'allowedTools' to your agent profile to control tool access.
161162
Docs: https://github.com/awslabs/cli-agent-orchestrator/blob/main/docs/tool-restrictions.md
162163
163-
To grant all permissions, re-run with --yolo.
164+
To skip this prompt next time, relaunch with --auto-approve
165+
To remove all restrictions, relaunch with --yolo
164166
165167
Proceed? [Y/n]
166168
```
167169

168-
### Confirmation vs `--yolo`
170+
### `--auto-approve` vs `--yolo`
169171

170-
Answering **Y** to the confirmation prompt is **not** the same as `--yolo`:
172+
| | `Y` at prompt | `--auto-approve` | `--yolo` |
173+
|---|---|---|---|
174+
| **Confirmation prompt** | Shown | Skipped | Skipped |
175+
| **Tool restrictions** | Enforced | Enforced | Removed — `["*"]` |
176+
| **Use case** | Interactive launch | Automated flows, scripts, agent-to-agent | Unrestricted access |
171177

172-
| | Confirmation → Y | `--yolo` |
173-
|---|---|---|
174-
| **Tool restrictions** | Still enforced — agent is limited to the tools shown in "Allowed" | Removed — agent gets `["*"]` (all tools) |
175-
| **Blocked tools** | Still blocked — agent cannot use tools shown in "Blocked" | Nothing is blocked |
176-
| **What it means** | "I've reviewed these restrictions and want to proceed" | "Give the agent unrestricted access, no questions asked" |
178+
```bash
179+
cao launch --agents my_agent # interactive — shows prompt
180+
cao launch --agents my_agent --auto-approve # automated — skips prompt, keeps restrictions
181+
cao launch --agents my_agent --yolo # unrestricted — skips prompt AND removes restrictions
182+
```
183+
184+
The confirmation prompt is a **review gate** — it shows the resolved role and allowed tools, then lets you proceed or cancel. `--auto-approve` skips this gate while keeping all restrictions enforced — useful for CAO flows, scripted launches, and agent-to-agent workflows. `--yolo` sits at the top of the override hierarchy — it **overrides both role and allowedTools**, grants unrestricted access (`["*"]`), and skips the prompt entirely.
185+
186+
### How Tool Restrictions Are Enforced (Implementation Detail)
187+
188+
CAO defines a universal tool vocabulary (`execute_bash`, `fs_read`, `fs_write`, `fs_list`). However, not all providers understand this vocabulary natively. There are two categories:
177189

178-
The confirmation prompt is a **review gate** — it shows you exactly what the agent can and cannot do, then lets you proceed or cancel. The restrictions listed in the summary are still enforced after you confirm. `--yolo` both **removes all restrictions** and **skips the review gate entirely**.
190+
**Providers that need translation** — Claude Code, Copilot CLI, and Gemini CLI each have their own native tool names (e.g., Claude Code calls bash execution `Bash`, Copilot calls it `shell`). CAO uses an internal `TOOL_MAPPING` to translate the CAO vocabulary to provider-native names, then computes which native tools to block and passes them as CLI flags (e.g., `--disallowedTools Bash`, `--deny-tool shell`).
191+
192+
| CAO Tool | Claude Code | Copilot CLI | Gemini CLI |
193+
|----------|-------------|-------------|------------|
194+
| `execute_bash` | `Bash` | `shell` | `run_shell_command` |
195+
| `fs_read` | `Read` | `read` | `read_file`, `list_directory`, `search_file_content`, `glob` |
196+
| `fs_write` | `Edit`, `Write` | `write` | `write_file`, `replace` |
197+
| `fs_list` | `Glob`, `Grep` | `list`, `grep` | `list_directory`, `glob`, `search_file_content` |
198+
199+
**Providers that accept CAO vocabulary directly** — Kiro CLI and Q CLI accept `allowedTools` in the agent JSON at install time, using the same vocabulary as CAO. No translation needed. Kimi CLI and Codex use system prompt instructions to enforce restrictions. For all four, CAO passes the `allowedTools` list directly without translation — so no `TOOL_MAPPING` entry exists for them, and none is needed.
179200

180201
## How Overrides Work
181202

@@ -191,12 +212,17 @@ Priority (highest to lowest):
191212
5. (nothing set) → developer defaults
192213
```
193214

215+
Note: `--auto-approve` is **not** in this priority chain — it only controls whether the confirmation prompt is shown, not what restrictions are applied.
216+
194217
Examples:
195218

196219
```bash
197220
# Profile has role: supervisor → restricted to @cao-mcp-server + fs_read + fs_list
198221
cao launch --agents code_supervisor
199222

223+
# Same, but skip the confirmation prompt (restrictions still enforced)
224+
cao launch --agents code_supervisor --auto-approve
225+
200226
# CLI flag overrides the role
201227
cao launch --agents code_supervisor --allowed-tools execute_bash --allowed-tools fs_read
202228

@@ -206,7 +232,7 @@ cao launch --agents code_supervisor --yolo
206232

207233
## Provider Enforcement
208234

209-
CAO translates `allowedTools` to each provider's native restriction mechanism:
235+
As described in [How Tool Restrictions Are Enforced](#how-tool-restrictions-are-enforced-implementation-detail), some providers require CAO to translate `allowedTools` to native tool names (via `TOOL_MAPPING`), while others accept the CAO vocabulary directly. The table below shows how each provider enforces restrictions:
210236

211237
| Provider | Enforcement | How it works |
212238
|----------|------------|-------------|
@@ -281,8 +307,9 @@ Each agent is restricted based on its own profile, not its parent's permissions.
281307
| Custom tool set | `allowedTools: ["fs_read", "execute_bash"]` |
282308
| Reusable custom preset | Define in `settings.json` `roles`, use `role: my_preset` |
283309
| Override role at launch | `--allowed-tools fs_read --allowed-tools @cao-mcp-server` |
284-
| No restrictions at all | `--yolo` or don't set role/allowedTools |
285-
| Check what's allowed before launch | Launch without `--yolo` — the confirmation prompt shows the summary |
310+
| Skip confirmation in scripts/automation | `--auto-approve` (restrictions still enforced) |
311+
| No restrictions at all | `--yolo` |
312+
| Check what's allowed before launch | Launch without `--yolo` or `--auto-approve` — the prompt shows the summary |
286313

287314
## Security Recommendations
288315

src/cli_agent_orchestrator/cli/commands/launch.py

Lines changed: 18 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -31,13 +31,18 @@
3131
multiple=True,
3232
help="Override allowedTools (CAO format: execute_bash, fs_read, @cao-mcp-server). Repeatable.",
3333
)
34+
@click.option(
35+
"--auto-approve",
36+
is_flag=True,
37+
help="Skip confirmation prompt (restrictions still enforced).",
38+
)
3439
@click.option(
3540
"--yolo",
3641
is_flag=True,
3742
help="[DANGEROUS] Unrestricted tool access AND skip confirmation prompts. "
3843
"Agent can execute ANY command including aws, rm, curl.",
3944
)
40-
def launch(agents, session_name, headless, provider, allowed_tools, yolo):
45+
def launch(agents, session_name, headless, provider, allowed_tools, auto_approve, yolo):
4146
"""Launch cao session with specified agent profile."""
4247
try:
4348
# Validate provider
@@ -51,12 +56,12 @@ def launch(agents, session_name, headless, provider, allowed_tools, yolo):
5156
from cli_agent_orchestrator.utils.agent_profiles import load_agent_profile
5257
from cli_agent_orchestrator.utils.tool_mapping import (
5358
format_tool_summary,
54-
get_disallowed_tools,
5559
resolve_allowed_tools,
5660
)
5761

5862
resolved_allowed_tools = None
5963
no_role_set = False
64+
resolved_role = None
6065
if yolo:
6166
resolved_allowed_tools = ["*"]
6267
elif allowed_tools:
@@ -67,6 +72,7 @@ def launch(agents, session_name, headless, provider, allowed_tools, yolo):
6772
profile = load_agent_profile(agents)
6873
mcp_server_names = list(profile.mcpServers.keys()) if profile.mcpServers else None
6974
no_role_set = not profile.role and not profile.allowedTools
75+
resolved_role = profile.role
7076
resolved_allowed_tools = resolve_allowed_tools(
7177
profile.allowedTools, profile.role, mcp_server_names
7278
)
@@ -88,13 +94,14 @@ def launch(agents, session_name, headless, provider, allowed_tools, yolo):
8894
else:
8995
# Normal launch: show tool summary and confirm
9096
tool_summary = format_tool_summary(resolved_allowed_tools)
91-
blocked = get_disallowed_tools(provider, resolved_allowed_tools)
92-
blocked_summary = ", ".join(blocked) if blocked else "(none)"
97+
role_display = (
98+
resolved_role if resolved_role else "(not set — using developer defaults)"
99+
)
93100

94101
click.echo(
95102
f"\nAgent '{agents}' launching on {provider}:\n"
96-
f" Allowed: {tool_summary}\n"
97-
f" Blocked: {blocked_summary}\n"
103+
f" Role: {role_display}\n"
104+
f" Allowed: {tool_summary}\n"
98105
f" Directory: {working_directory}\n"
99106
)
100107
if no_role_set:
@@ -103,8 +110,11 @@ def launch(agents, session_name, headless, provider, allowed_tools, yolo):
103110
" Add 'role' or 'allowedTools' to your agent profile to control tool access.\n"
104111
" Docs: https://github.com/awslabs/cli-agent-orchestrator/blob/main/docs/tool-restrictions.md\n"
105112
)
106-
click.echo(" To grant all permissions, re-run with --yolo.\n")
107-
if not click.confirm("Proceed?", default=True):
113+
click.echo(
114+
" To skip this prompt next time, relaunch with --auto-approve\n"
115+
" To remove all restrictions, relaunch with --yolo\n"
116+
)
117+
if not auto_approve and not click.confirm("Proceed?", default=True):
108118
raise click.ClickException("Launch cancelled by user")
109119

110120
# Call API to create session

0 commit comments

Comments
 (0)