Releases: awslabs/cli-agent-orchestrator
Release list
v2.3.0
Highlights
This is a substantial release. CAO 2.3 introduces cao workflow — a script-tier orchestration engine that lets a supervisor author multi-agent runs as plain JavaScript (agent() / parallel() / pipeline()), with a durable run journal, resumable execution, and a linter + run-step env guard for safety (#312, Bolts 1–4). Alongside it: CAO memory federation and portability — cross-project FEDERATED scope, Open Knowledge Format (OKF) export/import, and self-healing wiki repair (cao memory heal); a major event-driven architecture rebase (#273) that removes polling from inbox delivery across the terminal/session stack; a new cross-node fleet coordinator + web control panel for managing many CAO nodes from one place; and a broad kiro-cli 2.11 compatibility pass that fixes a supervisor deadlock plus several TUI status-detection regressions. New providers this release: Cursor CLI, Antigravity CLI (agy), Kimi CLI, and Hermes/herdr backends; Amazon Q CLI and Gemini CLI providers were removed. (cao profile and the graph rendering layer are in progress on main and will ship in a following minor release, not 2.3.0.)
Added
-
cao workflow— script-tier orchestration engine (#312, Bolts 1–4) — A new way to author multi-agent runs as a plain JS script instead of prose instructions to a supervisor. Ships incrementally across this release:- Spec grammar +
run_agent_stepsubstrate (Bolt 1) by @fanhongy in #320 - Authoring, persistence & structured returns (Bolt 2) by @fanhongy in #326
- Orchestration run engine (Bolt 3 / N5) by @fanhongy in #329
- Durable run journal + resume — a crashed or killed workflow can resume from its last completed step (N6) by @fanhongy in #372
- Script-tier journal extension (C3/U3) by @fanhongy in #391
- Script linter + run-step
envguard (B2: U1+U2) — catches unsafe scripts before they run by @fanhongy in #394 - Script-tier execution engine, U4 runner by @fanhongy in #396
- Spec grammar +
-
CAO memory: cross-project federation —
FEDERATEDscope (Phase 4 U3) — A new scope that lets memories be shared and recalled across projects rather than pinned to one, closing a gap flagged during Phase 2.5 hardening by @fanhongy in #314 -
CAO memory: Open Knowledge Format (OKF) export/import (Phase 4 U2) —
cao memory export/cao memory importCLI commands plus a read-scopedGET /memory/exportAPI endpoint stream a memory scope as a portable tar.gz bundle, enabling memory migration and backup by @fanhongy in #384 -
CAO memory: wiki self-healing —
cao memory heal(Phase 4 U1) — Detects and repairs structural drift in the memory wiki (orphaned entries, broken cross-references, stale index) without a full rebuild by @fanhongy in #306 -
CAO memory Phase 3 — LLM wiki compile, cross-references, lint, audit log, scoring — Compiles raw memory entries into a browsable wiki via LLM summarization, adds cross-reference linking, a lint pass for wiki health, a daily audit log, and a memory-quality scoring pass by @fanhongy in #285
-
CAO memory: Web UI support — Browse, search, and manage stored memories from the Web UI dashboard by @fanhongy in #290
-
CAO memory: bundle built-in memory plugins for Claude Code, Kiro, and Codex — Ships ready-to-use memory-injection plugins for the three most common providers so
memory.enabledworks out of the box without custom wiring by @fanhongy in #269 -
CAO memory: docs — per-scope store samples, on-disk comparison, SQLite architecture diagram by @fanhongy in #355
-
Enable/disable an agent-profile directory (closes #280, #281) — A profile directory's profiles can now be toggled out of the active set without removing the directory from config by @call-me-ram in #368
-
Scope the per-agent skill catalog via a profile allowlist — Optional
skillsfield onAgentProfilerestricts which skills a given agent can see, via an fnmatch allowlist; runtime-prompt providers only by @vprudnikoff in #351 -
Discover skills from
extra_skill_dirs— Mirrors the existingextra_agent_dirspattern so custom skill directories are picked up the same way custom agent directories are by @vprudnikoff in #277 -
Event-driven architecture (rebase onto main + green suite) — Replaces polling-based inbox delivery with an event-driven model across the terminal/session stack by @call-me-ram in #273
-
cao-mcp-serveroperations tools + orchestration worker profiles — Adds worker status/output MCP tools and bundled worker profiles tuned for the ops MCP server by @call-me-ram in #324 -
Gate network egress behind a
web_fetchtool category (closes #310) — Network-fetch capability is now an explicit, allowlist-gated tool category rather than implicit access, tightening the default security posture by @call-me-ram in #311 -
pyte rendered-screen status detection (closes #287) — Uses a virtual terminal screen buffer (pyte) instead of raw-buffer regex matching for provider status detection, reducing false IDLE/PROCESSING reads by @call-me-ram in #293
-
Herdr terminal backend with event-driven inbox delivery — A new terminal backend option with native event-driven message delivery by @anilkmr-a2z in #271
-
Hermes provider support — Adds Hermes Agent as a supported provider by @NorethSea in #272
-
Cursor CLI provider — Adds Cursor CLI as a first-class provider by @ThePlenkov in #296
-
Antigravity CLI (
agy) provider — Adds Google's terminal-native coding agent, the successor to the Gemini CLI after its free "Login with Google" path was retired by @MarkusWohlmuth in #323 -
codexConfigfield onAgentProfile— Optional per-agent config overrides for the codex provider by @vprudnikoff in #278 -
Web UI: optional Session Name field on the Spawn Agent dialog — Lets operators name a session at spawn time instead of only after the fact by @vprudnikoff in #279
-
Configurable server timeouts + file-based Claude Code prompt delivery by @jitendrasinghsankhwar in #318
-
cao flowrenamed tocao schedule— Avoids confusion with the newcao workflowfeature.cao flowremains as a hidden, deprecated alias that warns on stderr; flow files,~/.cao/flows, stored schedules, and the/flowsREST API are unchanged by @fanhongy in #380 -
cao-mcp-apps: canonical-source fidelity + host-delegated dogfooding by @plauzy in #347 -
Sandboxed host-rendered fleet UI (SEP-1865) by @plauzy in #332
-
examples/fleet— cross-node fleet coordinator — Manages many CAO nodes from one place: one-command node bootstrap, afleetcontrol helper (list/show/exec against any node), and an AI conductor wired to onecao-ops-mcp-serverper node. Purely additive underexamples/; each node stays a stateless client of the existingcao-serverAPI by @SparkyWen in #365, plus a web control panel + live console (#366) and a coordinator guide (docs/fleet_instructions.md, #367) -
examples/aws— cloud-ops agent examples with config by @sujoydc in #377
Changed
- Unify CAO configuration into a single source of truth — Consolidates config resolution that was previously spread across multiple layers/files by @fanhongy in #381
Removed
- Amazon Q CLI and Gemini CLI providers removed — Q CLI is superseded by
kiro_cli; Gemini CLI's free "Login with Google" path was retired (see the new Antigravity CLI provider above) by @gutosantos82 in #353
Deprecated
cao flow— usecao scheduleinstead; the alias will be removed in a future release (#380)
Fixed
-
kiro-cli 2.11 compatibility — unblock multi-agent orchestration — A multi-part fix for a supervisor deadlock and detection regressions introduced by kiro-cli 2.11: bracketed paste now sends 2 Enters with a submit delay (2.11's TUI swallowed the single-Enter used by older versions);
TUI_PROCESSING_PATTERNmatches both the pre-2.11 and 2.11+ processing strings; the no-Credits completion check now requires a full bordered response box instead of any idle-prompt match; andkiro-cli chatalways launches with--trust-all-toolsso the new "subagent requires approval" dialog doesn't deadlock headless orchestration (CAO still enforces tool scoping at its own layers) by @haofeif in #390 -
claude_code: backgrounded task no longer reads as COMPLETED (fixes #392) — The "✻ Waiting for N workflows" wait line has no spinner ellipsis and can look like a finished turn; both the raw-buffer and pyte screen paths now correctly report PROCESSING until a real completion signal appears by @call-me-ram in #393 -
memory: validate user-derived path components, closing CodeQL path-injection alerts — Every user-derived path component (key,scope,scope_id) is now validated as a single safe path segment and confined under the memory base directory viarealpath+ containment guard, closing 11 CodeQLpy/path-injectionalerts by @gutosantos82 in #401 -
mcp: launch bundledcao-mcp-serverwithout a per-launch network fetch by @tedswinyar in #403 -
fifo: non-blocking reader loop + event-loop-safe session teardown (fixes #382) — Reader threads could be stranded in a blocking FIFOopen()by a stop/reopen race;DELETE /sessionsnow runs teardown in a worker thread so repeated create/delete cycles can't wedgecao-serverby @call-me-ram in #383 -
cli: auto-detect server backend + herdr reconcile fixes by @anilkmr-a2z in #309 -
providers: read herdr native status in all providers (#359) by @fanhongy in #361 -
providers: harden Claude and OpenCode status detection by @aygnep in #327 -
kiro: detect TUI idle state without falling back to--legacy-uiby @haofeif in #330 -
claude_code: echoed system prompt false-matches idle, blocking the workspace-trust dialog by @cdrury526 in #319 -
Allow
permissionModeto override yolo in theclaude_codeprovider by @zz3...
v2.2.0
v2.2.0 — 2026-06-04
Highlights
CAO 2.2 introduces persistent agent memory — agents can now store and recall knowledge across sessions through memory_store / memory_recall / memory_forget MCP tools, with global / project / session / agent scoping, BM25 fallback retrieval over a SQLite index, file-lock-safe concurrent writes, per-scope caps, and stable project identity via git remote. Memories auto-inject as <cao-memory> context at session start. Plus a new external-tool integration path that lets CAO orchestrate non-CAO CLI agents (OpenClaw, Hermes Agent, etc.) as first-class workers, handoff terminals that auto-delete after completion with snapshot-based restore, eager inbox delivery for providers that buffer input mid-turn, --env forwarding through cao launch to supervisors and children, codex / claude_code profile fields (codexProfile, permission_mode), an official devcontainer feature, and a stack of TUI-detection, security, and dependency fixes.
Added
-
CAO memory (Phase 1 + 2 + 2.5 hardening) — Three-phase build of a persistent agent memory system. Phase 1 lays down the storage foundation:
memory_store/memory_recall/memory_forgetMCP tools, scope-based partitioning under~/.aws/cli-agent-orchestrator/memory/, and a CLI surface (cao memory list/show/delete/clear). Phase 2 adds SQLite metadata, BM25 fallback retrieval, and<cao-memory>context injection at session start via a context manager. Phase 2.5 hardens the system with per-scope caps (10 entries / 1000 chars), an ISO-8601 Z round-trip lock onindex.md, real-multiprocess flock contention tests, amemory.enabledshort-circuit on recall, and stable project identity via canonicalized git remote (with cwd-hash alias for repos without a remote). See docs/memory.md by @fanhongy in #245, #254, #262 -
External tool integration (OpenClaw, Hermes Agent) — A new external-tool-integration skill lets CAO orchestrate non-CAO CLI agents as first-class workers. Hermes Agent is shipped as a worked end-to-end example — see docs/external-tool-integration.md by @anilkmr-a2z and @haofeif in #241, #253
-
CAO operations MCP server (
cao-mcp-server) — Exposes CAO's session/terminal/launch operations to LLM agents as MCP tools, so a supervisor can drivecao launch,cao session list, etc. via tool calls instead of shell invocations by @patricka3125 in #166 -
Auto-delete handoff terminals with snapshot-based restore —
handoffworkers now self-delete on completion. The supervisor still sees the worker's final output through a captured snapshot, so cross-provider handoff results survive cleanup by @anilkmr-a2z in #233 -
Shell command tracking, flow recycling, inbox delivery reliability — Tracks shell commands per terminal for diagnostics; recycles flow records to avoid unbounded growth; and tightens inbox delivery so messages don't get stuck in PENDING when the receiver was briefly busy by @anilkmr-a2z in #230
-
Eager inbox delivery for buffering providers — Providers like Gemini CLI that buffer pasted input during processing now receive inbox messages eagerly the moment they reach a deliverable state, instead of waiting for a polling tick by @anilkmr-a2z in #251
-
cao launch --envforwarding to supervisor and child agents — Operators can now forward env vars throughcao launch --env; the values travel in the JSON request body (not the URL) so secrets don't land incao-serveraccess logs and propagate to every worker spawned in the session by @call-me-ram in #259 -
codexProfilefield on AgentProfile (codex provider) — OptionalcodexProfilefrontmatter key lets codex agent profiles select a named codex profile at launch by @kjanoudi in #250 -
permission_modefield on AgentProfile (claude_code provider) — Optionalpermission_modefrontmatter key for fine-grained Claude Code permission control beyond the universalallowedToolsvocabulary by @kjanoudi in #244 -
Official devcontainer feature — A reusable devcontainer feature for CAO so contributors can spin up a fully-provisioned dev environment with one click by @ThePlenkov in #260
-
Web UI: filtering, sorting, grouping, and session deletion — Dashboard home gains client-side filter/sort/group, plus a session-delete action so stale sessions can be cleaned up from the browser by @gutosantos82 in #200
-
OpenCode provider label in Web UI —
opencode_clinow appears in the Web UI's provider pickers and/agents/providersresponse, with a friendly "OpenCode" source label by @patricka3125 in #217 -
Auto-derive CORS origins from
cao-server --host/--port— CORS allowlist is now built from the bind address by default, so the Web UI works out of the box on remote hosts without manualCAO_CORS_ORIGINSconfiguration by @call-me-ram in #261
Fixed
-
Codex: detect v0.136+ TUI footer (
model · pathwithoutN% left) — codex 0.136 dropped theN% leftsegment from the status bar, soTUI_FOOTER_PATTERNnever matched andget_status()couldn't tell the suggestion-hint line apart from a real user message. Handoff and assign workers were pinning at IDLE forever. Pattern extended to anchor on the path component shared across v0.111 and v0.136 footers by @haofeif -
Codex: skip
• Called <tool>(...)MCP tool-call markers during last-message extraction — the extractor anchored on the first•after the user prompt, which can be a tool-call marker; the tool output that follows (e.g. thecao-worker-protocolsskill body containing[CAO Handoff]) leaked into the extracted response. The extractor now iterates•matches and skips MCP tool-call markers;ASSISTANT_PREFIX_PATTERNwas also tightened from\s*•to[^\S\n]*•so the match anchors on the bullet line itself, not a preceding blank line by @haofeif -
Kiro CLI: paste-into-boot-screen race that dropped the first message after launch — kiro shows a
M of N mcp servers initializedline before the idle prompt becomes interactive, so a paste arriving in this window was silently absorbed by the boot screen.TUI_INITIALIZING_PATTERNextended to match this line, and Check 3 (shell-baseline = IDLE) gated onself._initializedsoget_status()no longer returns IDLE while kiro is still exec'ing by @haofeif in #268 -
CI: stop TestPyPI squats breaking the release smoke test — the publish workflow's
--extra-index-urlto TestPyPI let a squattedFASTAPI 1.0package outrank realfastapiand break the build. The smoke test now installs our package from TestPyPI with--no-depsand resolves dependencies from PyPI alone, with a fail-fast chain by @haofeif in #270 -
Always honor
profile.providerat launch (yolo + allowed-tools paths) —resolve_providerpreviously lived inside one branch of the permission-resolution conditional inlaunch.py, so--yoloand--allowed-toolspaths silently dropped the profile'sprovider:frontmatter field. Cross-provider workflows where each profile pins a specific CLI now work in every launch path by @call-me-ram in #257 -
Resolve
profile.providerincreate_session()—POST /sessionspassed the caller-supplied provider straight through, so the Web UI and any HTTP client ignoredprofile.provider. The fix preserves explicit--providerover the profile (CLI flag wins) by @gutosantos82 in #198 -
MCP worker provider resolution + ops MCP profile provider — Two related fixes ensuring spawned MCP workers and ops MCP sessions honor the agent profile's declared provider instead of falling back to the supervisor's CLI by @patricka3125 in #224, #229
-
MCP: reject
send_messagewhenreceiver_idequals sender — Prevents an agent from accidentally messaging itself, which produced infinite forwarding loops on some providers by @call-me-ram in #263 -
Wait for IDLE before tmux attach (non-headless launch) — Non-headless
cao launchattached the moment the API returned, racing the provider's TUI init and silently dropping early keystrokes. Mirrors the headless path'swait_until_terminal_status(IDLE/COMPLETED)with a warn-and-attach fallback on timeout by @haofeif in #221 (resolves #220) -
Kiro CLI: false-IDLE during
Initializing...— The new TUI renders the idle-prompt placeholder before init completes; CAO matched the placeholder and dropped the first user message.TUI_INITIALIZING_PATTERNnow unconditionally returns PROCESSING during the init phase by @haofeif in #215 (resolves #211)
...
v2.1.1
What's Changed
- fix(launch): honour profile.provider when --provider flag is not given by @gutosantos82 in #196
- fix(claude-code): eliminate PROCESSING false-positives from compaction and /exit by @gutosantos82 in #199
- feat: Add OpenCode CLI provider support by @patricka3125 in #193
- fix(kiro_cli): honor --yolo and profile.model at launch by @haofeif in #201
- fix(copilot_cli): recognise Copilot v1.0.31+ status bar and breadcrumb as footer lines for idle detection by @wahidzzz in #184
- feat(ci): add PyPI publish workflow and update pyproject.toml by @fanhongy in #123
- Feat/publish cao to pypi by @fanhongy in #209
- build(deps-dev): bump postcss from 8.5.8 to 8.5.12 in /web by @dependabot[bot] in #208
- Fix git cliff timeout issue to unblock the release action by @fanhongy in #212
- switch to deploy key to bypass commit to main by @fanhongy in #213
Full Changelog: v2.1.0...v2.1.1
v2.1.0
v2.1.0 — 2026-04-22
Highlights
CAO 2.1 adds a cao session CLI for driving running sessions from the shell, an external-plugin extension point (pip-installable observer/hook plugins), a first-class skills system with managed skills auto-seeded at cao init, Kiro CLI full-TUI support, agent-profile env-var injection, a universal allowedTools vocabulary translated per-provider, and the Web UI now ships inside the Python wheel. Plus a stack of TUI-detection and session-lifecycle fixes across Claude Code, Kiro CLI, and terminal-service.
Added
cao sessioncommand group — Newcao session list | status | sendlets you inspect and drive running sessions from the shell without attaching to tmux.cao shutdownandcao launchnow go through the HTTP API so a local CLI can drive a remotecao-server.cao launchalso gains--working-directoryand an optional trailingmessageargument for one-shot headless task execution. A newcao-session-managementskill documents the command group for LLM-driven operators by @anilkmr-a2z in #187- External plugins — Observer/hook plugins can now be installed via pip and auto-discovered through the
cao.pluginsentry point group. Plugins subclassCaoPluginand register handlers with the@hookdecorator. Ships with lifecycle tests and a documented install flow atdocs/plugins.mdby @patricka3125 in #172 - Skills system — Native support for reusable agent skills installed to
~/.cao/skills/viacao skill add. Newcao-providerskill guides contributors through adding new CLI agent providers end-to-end;cao-supervisor-protocolsandcao-worker-protocolsseeded viacao init. Managed-skills section added to the README by @patricka3125 and @haofeif in #145, #154, #170 - Kiro CLI full TUI mode +
--legacy-uifallback — Support for Kiro CLI's new full-screen TUI alongside the legacy prompt;--legacy-uiflag preserved for compatibility by @haofeif in #138, #163 - Agent-profile environment variable injection — Agent profiles can declare
enventries loaded into the agent process at launch, with secret-aware handling via~/.cao/.envby @patricka3125 in #156 - Universal
allowedToolsvocabulary — Unified CAO tool-restriction vocabulary translated per-provider, replacing provider-specific allow/deny flags. Child agents now honor explicitallowedTools=["*"]instead of silently inheriting parent restrictions by @haofeif in #125, #144 - Web UI bundled in the wheel — Built Web UI assets now ship inside the Python wheel, so a plain
uv tool installgives you the dashboard with no extra build steps by @patricka3125 in #169 - Clearer launch confirmation +
--auto-approve— Redesigned thecao launchconfirmation prompt to showRoleinstead ofBlocked, clearly distinguish[Y]/[--auto-approve]/[--yolo], and added--auto-approveto skip the prompt without removing restrictions by @haofeif in #146
Fixed
- Cleanup guard on terminal creation —
_create_terminalno longer kills sessions it didn't create during rollback; the cleanup path now tracks whether this call actually created the tmux session by @gutosantos82 in #191 - Graceful handling of missing agent profiles —
terminal_servicereturns a clear error instead of tracebacking when an agent profile can't be found in the CAO store by @anilkmr-a2z in #186 - Profile-level
modelhonored at terminal creation — Providers now passprofile.modelthrough to the CLI at launch, so per-agent model selection works end-to-end by @patricka3125 in #189 - Claude Code: false-positive IDLE on pre-existing shell prompt — Initialize-time status check could return IDLE against the pre-existing zsh/bash
❯prompt before Claude Code actually started. Added pre-launch pane snapshot + Claude-specific startup markers to confirm the CLI is actually running before accepting IDLE by @gutosantos82 in #190 - Claude Code: structural PROCESSING detection —
get_status()now uses structural detection for PROCESSING instead of relying on❯position, eliminating a race where the spinner and prompt interleaved mid-capture by @gutosantos82 in #177 - Claude Code: stale processing spinners no longer block inbox delivery — by @haofeif in #106
- Kiro CLI: 2.0 credits-before-separator layout — Status detection updated for the new Kiro TUI layout where the credits line appears before the separator by @anilkmr-a2z in #188
- Kiro CLI: position-aware "Kiro is working" check — Stale scrollback could leave "Kiro is working" in the capture after completion and block handoffs with a false PROCESSING; detection is now position-aware to the latest interaction by @wahidzzz in #185
- Kiro CLI: new-TUI fallback patterns +
FileNotFoundErrorhandling — Added fallback detection patterns for the new Kiro CLI TUI prompt format (ask a question, or describe a task). Fixedload_agent_profile()wrappingFileNotFoundErrorasRuntimeError, which causedassign()to fail for JSON-only agent profiles by @haofeif in #140 (resolves #137) - Web UI: missing providers in dropdown — Added
gemini_cli,kimi_cli, andcopilot_clito the/agents/providersendpoint and frontend fallback list so all 7 providers appear by @haofeif in #158 (resolves #157) - Web UI: terminal scroll and paste reliability — Fixes for scrollback drift and multi-line paste handling in the browser terminal by @gosmonso96 in #162
- WAITING_USER_ANSWER false positives from stale scrollback — Regex hardened so historical
confirm? [y/n]lines in scrollback don't get re-detected as active prompts by @patricka3125 in #142 - Gemini skill-catalog test assertion — Test reads
GEMINI.mdrather than a hardcoded fixture so the catalog assertion tracks the live skill set by @haofeif in #180
Security
- Bump authlib 1.6.9 → 1.6.11 by @dependabot in #178
- Bump cryptography 46.0.5 → 46.0.7 by @dependabot in #135, #165
- Bump fastmcp 2.14.5 → 3.2.0 by @dependabot in #139
- Bump pygments 2.19.2 → 2.20.0 by @dependabot in #136
- Bump python-dotenv 1.1.1 → 1.2.2 by @dependabot in #194
- Bump python-multipart 0.0.22 → 0.0.26 by @dependabot in #175
- Bump pytest (dev) 8.4.2 → 9.0.3 by @dependabot in #173
- Bump vite 6.4.1 → 6.4.2 by @dependabot in #160
New Contributors
- @gosmonso96 made their first contribution in #162
- @wahidzzz made their first contribution in #185
Upgrade
uv tool install git+https://github.com/awslabs/cli-agent-orchestrator.git@v2.1.0 --upgradeNo breaking changes to existing CLI invocations. New features are additive; the HTTP refactor of cao shutdown / cao launch preserves the old argument shapes.
Full Changelog: v2.0.0...v2.1.0
v2.0.2
What's Changed
- feat(security): Support agent-profile environment variable injection and loading by @patricka3125 in #156
- feat: add cao-provider skill for new CLI agent providers by @haofeif in #154
- Fix/providers endpoint missing entries by @haofeif in #158
- build(deps-dev): bump vite from 6.4.1 to 6.4.2 in /web by @dependabot[bot] in #160
- fix: improve Web UI terminal scroll and paste reliability by @gosmonso96 in #162
- build(deps): bump cryptography from 46.0.6 to 46.0.7 by @dependabot[bot] in #165
- feat(kiro_cli): add full TUI mode support with --legacy-ui fallback (#159) by @haofeif in #163
New Contributors
- @gosmonso96 made their first contribution in #162
Full Changelog: v2.0.1...v2.0.2
v2.0.1
What's Changed
- build(deps): bump cryptography from 46.0.5 to 46.0.6 by @dependabot[bot] in #135
- build(deps): bump pygments from 2.19.2 to 2.20.0 by @dependabot[bot] in #136
- feat(security): add allowedTools — universal tool restriction across … by @haofeif in #125
- fix(kiro_cli): add --legacy-ui flag for new Kiro CLI TUI compatibility by @haofeif in #138
- build(deps): bump fastmcp from 2.14.5 to 3.2.0 by @dependabot[bot] in #139
- fix(kiro_cli): add new TUI fallback patterns + fix #137 exception handling by @haofeif in #140
- fix: replace WAITING_USER_ANSWER regex to prevent stale scrollback false positives by @patricka3125 in #142
- fix(security): honor child allowedTools=["*"] instead of inheriting p… by @haofeif in #144
- fix(launch): clarify prompt, add --auto-approve, document TOOL_MAPPING by @haofeif in #146
Full Changelog: v2.0.0...v2.0.1
v2.0.0
v2.0.0 — 2026-03-28
Highlights
CAO 2.0 adds 3 new providers (Gemini CLI, Kimi CLI, Copilot CLI), a Web UI dashboard, cross-provider orchestration, and significant security hardening — bringing the total supported providers to 7.
Added
- Gemini CLI provider — Full integration with Google's Gemini CLI, including status detection, message extraction, and E2E tests by @haofeif in #102
- Kimi CLI provider — Support for Moonshot's Kimi CLI with agent profiles and MCP server integration by @haofeif in #113
- Copilot CLI provider — Native GitHub Copilot CLI provider by @aziz0220 in #82
- Web UI dashboard — React-based web interface for managing sessions, spawning agents, viewing live terminal status, configuring agent directories, and interacting with agents from the browser by @abdullahoff in #108
- Provider override in agent profiles — Agent profiles can now specify a
providerfield to override the default provider, enabling cross-provider workflows by @patricka3125 in #101 - Auto-inject sender terminal ID — New
CAO_ENABLE_SENDER_ID_INJECTIONenv var automatically appends sender terminal ID and callback instructions toassignandsend_messagemessages by @patricka3125 in #98 - Cross-provider example profiles and documentation by @haofeif in #109
- v2.0.0 changelog, Web UI docs (
web/README.md,docs/settings.md), cross-provider examples, Claude Code auth fix by @haofeif in #132
Fixed
- Claude Code bypass permissions prompt — Auto-set
skipDangerousModePermissionPromptand handle bypass prompt on startup by @haofeif in #120 - Terminal init status — Accept both IDLE and COMPLETED during terminal initialization for providers with initial prompts by @fanhongy in #111
- 400 Bad Request on non-home directories — Fix launching agents in directories outside
~/(e.g.,/Volumes/workplaceon macOS) by @haofeif in #110 - Gemini CLI extraction retry — Add extraction retry for TUI-based providers where premature COMPLETED status can occur by @haofeif in #117
- Path traversal in agent profile loading — Validate agent names to reject
/,\, and..before path construction by @haofeif in #129 - Claude Code Processing spinner — Fix regex to catch newer spinner format (#92)
- Codex TUI footer detection — Update detection for Codex v0.111.0 (#99)
- Q CLI unit tests — Fix failing tests due to working directory validation changes (#94)
Security
- Add DNS rebinding protection via Host header validation by @fanhongy in #124
- Add CodeQL SafeAccessCheck guard for path injection in API by @haofeif in #121
- Pin trivy-action to SHA instead of mutable
masterref in CI by @haofeif in #126 - Bump vite 5→6.4.1 and vitest 2→3.2.4 to fix esbuild vulnerability by @haofeif in #129
- Bump requests 2.32.5→2.33.0 for CVE-2026-25645 by @dependabot in #130
- Bump authlib 1.6.7→1.6.9 by @dependabot in #122
- Bump pyjwt 2.11.0→2.12.0 by @dependabot in #118
- Bump black 25.9.0→26.3.1 by @dependabot in #114
New Contributors
- @fanhongy made their first contribution in #111
- @aziz0220 made their first contribution in #82
- @abdullahoff made their first contribution in #108
Full Changelog: v1.1.1...v2.0.0
v1.1.1
What's Changed
- fix: Fix regex to catch Claude Code Processing spinner by @patricka3125 in #92
- build(deps): bump authlib from 1.6.6 to 1.6.7 by @dependabot[bot] in #97
- fix: Update failing Q CLI unit tests due to working directory validation by @patricka3125 in #94
- fix: Update Codex TUI footer detection for v0.111.0 by @haofeif in #99
New Contributors
- @patricka3125 made their first contribution in #92
Full Changelog: v1.1.0...v1.1.1
v1.1.0
Highlights
- Codex CLI provider rewrite with full TUI-aware status detection and response extraction
- Claude Code --dangerously-skip-permissions and workspace trust prompt handling
- 511 unit tests / 84% coverage (up from ~180 / ~60%)
- Security: path traversal fix, shell injection fixes, CVE-2026-26007 patch
Added
cao launch --yolo— skip workspace trust promptscao info— display DB path, active sessions, terminal countcao mcp-server— start MCP server directly from CLI- Codex provider: agent profile injection, MCP server support, --no-alt-screen, trust prompt handling
- Claude Code: --dangerously-skip-permissions, CAO_TERMINAL_ID forwarding to MCP servers
- Immediate inbox delivery on POST (no more waiting for watchdog)
- Bracketed paste (paste-buffer -p) for all providers — bypasses TUI hotkey interception
- E2E test suite: 15 tests across handoff, assign, send_message for codex/claude_code/kiro_cli
- CI pipelines: main CI + provider-specific workflows (Python 3.10/3.11/3.12, black/isort/mypy, Trivy)
Fixed
- Permission prompt detection: line-based counting for active vs stale [y/n/t]: prompts (#71)
- Inbox delivery for TUI providers: tail lines 5 → 100
- Claude Code bracketed paste 0.3s delay (TUI swallowing Enter)
- Shell injection: shlex.join() in kiro_cli and q_cli providers
- Codex: idle prompt, trust prompt, TUI footer/spinner, extraction, tool_timeout_sec float
- Claude Code: PROCESSING_PATTERN for 2.x spinner, IDLE_PROMPT_PATTERN for ❯
Security
- Path traversal prevention via os.path.normpath + home directory containment (CodeQL py/path-injection)
- cryptography 46.0.1 → 46.0.5 (CVE-2026-26007)
Dependencies
- fastmcp 2.12.2 → 2.14.0, mcp>=1.23.0, libtmux>=0.51.0
- Default provider: q_cli → kiro_cli
What's Changed
- build(deps): bump cryptography from 46.0.1 to 46.0.5 by @dependabot in #72
- fix: detect active permission prompts using line-based counting by @sriharshaarangi in #71
- fix(claude-code): add --dangerously-skip-permissions, --yolo flag, and dependency upgrades by @haofeif in #76
- feat(codex): rewrite Codex provider, framework improvements, security fix, and docs by @haofeif in #77
- test: add comprehensive unit tests, E2E tests, and CI workflows by @haofeif in #81
- feat: add CLI commands, shell safety fixes, agent profiles, and docs by @haofeif in #83
Full Changelog: v1.0.3...v1.1.0
v1.0.3
What's Changed
- fix: Synchronize status detection with response completion by @anilkmr-a2z in #62
- fix: update IDLE_PROMPT_PATTERN_LOG to match actual kiro-cli ANSI output by @sriharshaarangi in #65
- fix: prevent permission prompt pattern from matching stale prompts by @sriharshaarangi in #69
- perf(tmux): replace chunked send_keys with paste-buffer for instant delivery by @sriharshaarangi in #67
New Contributors
- @sriharshaarangi made their first contribution in #65
Full Changelog: v1.0.2...v1.0.3