You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* fix(launch): clarify confirmation prompt — show Role, remove Blocked, distinguish Y vs --yolo
The launch confirmation prompt was misleading: it showed "Blocked: (none)" for
providers that enforce restrictions natively (kiro-cli, q-cli), and the --yolo
hint didn't make clear that users need to exit and re-run. Now the prompt shows
Role and Allowed in CAO vocabulary, and clearly explains that [Y] keeps
restrictions while [--yolo] overrides everything.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat(launch): add --auto-approve flag to skip confirmation prompt
Adds --auto-approve to skip the confirmation prompt while keeping tool
restrictions enforced. Useful for automated flows, scripted launches,
and agent-to-agent workflows where --yolo is too permissive.
Addresses review feedback on PR #146 re: automated flows hanging on
the Y/n prompt.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs: clarify TOOL_MAPPING role and why only 3 providers need it
Rewrite the "How Tool Restrictions Are Enforced" section to explain
why TOOL_MAPPING only covers Claude Code, Copilot CLI, and Gemini CLI
(they need translation to native tool names), while Kiro CLI, Q CLI,
Kimi CLI, and Codex accept CAO vocabulary directly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(launch): clarify prompt hints — say "relaunch with" not bracket options
The prompt hints like [--auto-approve] and [--yolo] implied users could
type them at the Y/n prompt. Changed to "relaunch with --auto-approve"
and "relaunch with --yolo" to make clear these are CLI flags for the
next launch, not options at the current prompt.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Copy file name to clipboardExpand all lines: CHANGELOG.md
+4Lines changed: 4 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
8
8
## [Unreleased]
9
9
10
+
### Changed
11
+
12
+
-**Launch prompt clarity + `--auto-approve`** — Redesign the `cao launch` confirmation prompt to show `Role` instead of `Blocked`, clearly distinguish `[Y]` / `[--auto-approve]` / `[--yolo]`, and add `--auto-approve` flag to skip the prompt without removing restrictions (for automated flows, scripts, and agent-to-agent launches)
13
+
10
14
### Fixed
11
15
12
16
-**Kiro CLI new TUI support** — Add fallback detection patterns for the new Kiro CLI TUI prompt format (`ask a question, or describe a task`), ensuring CAO works even if `--legacy-ui` is removed in a future version
cao launch --agents code_supervisor # Uses role defaults
508
-
cao launch --agents code_supervisor --yolo # Unrestricted access (WARNING shown)
507
+
cao launch --agents code_supervisor # Uses role defaults (confirmation prompt shown)
508
+
cao launch --agents code_supervisor --auto-approve # Skip prompt (restrictions still enforced)
509
+
cao launch --agents code_supervisor --yolo # Unrestricted access (WARNING shown)
509
510
```
510
511
511
512
For the full reference — roles, tool vocabulary, custom roles, launch prompts, provider enforcement, and known limitations — see [docs/tool-restrictions.md](docs/tool-restrictions.md).
cao launch --agents my_agent --yolo # unrestricted — skips prompt AND removes restrictions
182
+
```
183
+
184
+
The confirmation prompt is a **review gate** — it shows the resolved role and allowed tools, then lets you proceed or cancel. `--auto-approve` skips this gate while keeping all restrictions enforced — useful for CAO flows, scripted launches, and agent-to-agent workflows. `--yolo` sits at the top of the override hierarchy — it **overrides both role and allowedTools**, grants unrestricted access (`["*"]`), and skips the prompt entirely.
185
+
186
+
### How Tool Restrictions Are Enforced (Implementation Detail)
187
+
188
+
CAO defines a universal tool vocabulary (`execute_bash`, `fs_read`, `fs_write`, `fs_list`). However, not all providers understand this vocabulary natively. There are two categories:
177
189
178
-
The confirmation prompt is a **review gate** — it shows you exactly what the agent can and cannot do, then lets you proceed or cancel. The restrictions listed in the summary are still enforced after you confirm. `--yolo` both **removes all restrictions** and **skips the review gate entirely**.
190
+
**Providers that need translation** — Claude Code, Copilot CLI, and Gemini CLI each have their own native tool names (e.g., Claude Code calls bash execution `Bash`, Copilot calls it `shell`). CAO uses an internal `TOOL_MAPPING` to translate the CAO vocabulary to provider-native names, then computes which native tools to block and passes them as CLI flags (e.g., `--disallowedTools Bash`, `--deny-tool shell`).
191
+
192
+
| CAO Tool | Claude Code | Copilot CLI | Gemini CLI |
**Providers that accept CAO vocabulary directly** — Kiro CLI and Q CLI accept `allowedTools` in the agent JSON at install time, using the same vocabulary as CAO. No translation needed. Kimi CLI and Codex use system prompt instructions to enforce restrictions. For all four, CAO passes the `allowedTools` list directly without translation — so no `TOOL_MAPPING` entry exists for them, and none is needed.
179
200
180
201
## How Overrides Work
181
202
@@ -191,12 +212,17 @@ Priority (highest to lowest):
191
212
5. (nothing set) → developer defaults
192
213
```
193
214
215
+
Note: `--auto-approve` is **not** in this priority chain — it only controls whether the confirmation prompt is shown, not what restrictions are applied.
216
+
194
217
Examples:
195
218
196
219
```bash
197
220
# Profile has role: supervisor → restricted to @cao-mcp-server + fs_read + fs_list
198
221
cao launch --agents code_supervisor
199
222
223
+
# Same, but skip the confirmation prompt (restrictions still enforced)
224
+
cao launch --agents code_supervisor --auto-approve
225
+
200
226
# CLI flag overrides the role
201
227
cao launch --agents code_supervisor --allowed-tools execute_bash --allowed-tools fs_read
202
228
@@ -206,7 +232,7 @@ cao launch --agents code_supervisor --yolo
206
232
207
233
## Provider Enforcement
208
234
209
-
CAO translates `allowedTools` to each provider's native restriction mechanism:
235
+
As described in [How Tool Restrictions Are Enforced](#how-tool-restrictions-are-enforced-implementation-detail), some providers require CAO to translate `allowedTools` to native tool names (via `TOOL_MAPPING`), while others accept the CAO vocabulary directly. The table below shows how each provider enforces restrictions:
210
236
211
237
| Provider | Enforcement | How it works |
212
238
|----------|------------|-------------|
@@ -281,8 +307,9 @@ Each agent is restricted based on its own profile, not its parent's permissions.
281
307
| Custom tool set |`allowedTools: ["fs_read", "execute_bash"]`|
282
308
| Reusable custom preset | Define in `settings.json``roles`, use `role: my_preset`|
283
309
| Override role at launch |`--allowed-tools fs_read --allowed-tools @cao-mcp-server`|
284
-
| No restrictions at all |`--yolo` or don't set role/allowedTools |
285
-
| Check what's allowed before launch | Launch without `--yolo` — the confirmation prompt shows the summary |
310
+
| Skip confirmation in scripts/automation |`--auto-approve` (restrictions still enforced) |
311
+
| No restrictions at all |`--yolo`|
312
+
| Check what's allowed before launch | Launch without `--yolo` or `--auto-approve` — the prompt shows the summary |
0 commit comments